PrepAway - Latest Free Exam Questions & Answers

Which of the following controls would best mitigate this risk?

A recent online password audit has identified that stale accounts are at risk of brute-force attacks.
Which of the following controls would best mitigate this risk?


A. Password length

B. Account disablement

C. Account lockouts

D. Password complexity

Explanation:

7 Comments on “Which of the following controls would best mitigate this risk?”

  1. Dugan Nash says:

    I think account disablement is the better choice. It would be impossible to log in to a disabled account.

    With account lockouts, if the lockout threshold is 10, for example, and the lockout duration is 30 minutes, then the attacker has a much better chance at accessing the account.

  2. Paul says:

    I can’t see a reason why a stale account would be active and available for attack. Most of these types of attacks are after you steal the Security Account Manager (SAM) database, so the account lockout would have no value. Complexity and length would be useful to stop/delay a SAM attack. But if it is a stale account, it should be disabled or deleted. I agree with B.

  3. Dan says:

    I would go with B. If an account is stale, that means it’s inactive, which you would want to disable. If the account is active, then you would enforce account lockouts.

  4. Super_Mario says:

    It is a question of reading the question properly. We are not speaking about bog-standard, day-to-day accounts (which should be locked at the 3rd failed attempt, for example).
    We are talking, as already pointed out, about STALE accounts.
    As mentioned, there is no reason at all why STALE accounts should be enabled. They should all have been disabled to begin with, rendering any form of password brute-force attack obsolete, as it is not possible to log in to a disabled account.
    If inactive accounts pile up in Active Directory, it becomes difficult for administrators to manage them. Therefore, it is important that administrators keep track of these inactive accounts at all times. IT administrators are supposed to have a well-defined plan that defines when an unused user or computer becomes an inactive one, and what actions are to be taken once that happens.
    The period after which unused user and computer accounts become inactive varies from organization to organization, but it is usually around 15 to 30 days.

    Following the steps below within the specific time intervals in your organization will help you deal with these obsolete accounts.
    Step 1: List inactive accounts
    Step 2: Reset user account passwords
    Step 3: Disable the inactive accounts
    Step 4: Move the accounts to an organizational unit
    Step 5: Delete the inactive accounts
    The Security+ questions as a rule advise against deleting accounts. They always suggest disabling them.

    So the correct answer is most definitely B - Account disablement.

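The five-step procedure in the comment above, carried through as an added PowerShell example (not code from the original post or from PrepAway). It uses the RSAT ActiveDirectory module cmdlets `Search-ADAccount`, `Set-ADAccountPassword`, `Disable-ADAccount`, `Set-ADUser` and `Move-ADObject`. The quarantine OU distinguished name and the 30-day threshold are assumptions, not values from the page; step 5 (deletion) is deliberately left to a human decision, in line with the comment's note that Security+ favours disabling over deleting.

```powershell
# Added example: staged handling of stale Active Directory user accounts.
# Assumptions (placeholders, not from the page): the quarantine OU and the
# 30-day inactivity threshold. Run with -WhatIf first to preview the changes.
Import-Module ActiveDirectory

function New-RandomSecurePassword {
    # Step 2 helper: a throw-away password drawn from a CSPRNG so the stale
    # account can no longer be opened with whatever credential it had.
    # The value is never logged or displayed.
    param([int]$ByteLength = 32)
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-StaleAccountReview {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$InactiveDays = 30,                                           # assumption: comment's 15-30 day range
        [string]$QuarantineOU = 'OU=Disabled Accounts,DC=example,DC=test',  # PLACEHOLDER: your quarantine OU
        [string]$ReportPath = "$env:TEMP\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"
    )

    # Step 1: list enabled user accounts with no logon inside the window.
    # -UsersOnly drops computer objects; keeping only Enabled accounts leaves
    # exactly the set that still accepts a password and so is exposed to guessing.
    $stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled }

    $stale | Select-Object SamAccountName, LastLogonDate, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Verbose "Step 1: $(@($stale).Count) stale enabled account(s) written to $ReportPath"

    foreach ($acct in $stale) {
        # ObjectGUID does not change when the object is moved in step 4,
        # so it is a safer identity than the distinguished name.
        $id = $acct.ObjectGUID
        if (-not $PSCmdlet.ShouldProcess($acct.SamAccountName, "reset password, disable, move to $QuarantineOU")) {
            continue
        }

        # Step 2: invalidate the existing credential.
        Set-ADAccountPassword -Identity $id -Reset -NewPassword (New-RandomSecurePassword)

        # Step 3: disable the account (answer B), and record why and when.
        Disable-ADAccount -Identity $id
        Set-ADUser -Identity $id -Description "Disabled $(Get-Date -Format s): inactive > $InactiveDays days"

        # Step 4: park it in the quarantine OU, where ACLs and GPOs can be tightened
        # and the set is easy to review later.
        Move-ADObject -Identity $id -TargetPath $QuarantineOU
    }

    # Step 5 is not automated: return the quarantined, disabled accounts so a
    # human can decide on deletion after the retention period the organization chose.
    Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $QuarantineOU |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Dry run first; drop -WhatIf once the CSV report looks right.
Invoke-StaleAccountReview -WhatIf -Verbose
```

One caveat when choosing the threshold: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which by default is only updated if the stored value is more than 9 to 14 days old, so a threshold below about two weeks will flag accounts that have in fact logged on recently. The `ShouldProcess` gate means `-WhatIf` produces the report and the list of proposed changes without touching any account.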
