A+ Core 2 (220-1002): Practice Exam #1

The 80 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. Write down your answers on a separate sheet of paper so that you can take this exam again if necessary. Compare your answers against the answer key that follows this exam. Read through the explanations and also the incorrect answers very carefully. If there are any concepts that you don’t understand, go back and study them more.

1. Which of the following commands will display the MAC address of a computer?

A. ping

B. netstat

C. ipconfig /all

D. ipconfig /renew

2. You want to perform a network installation of Windows. Which of the following must be supported by the client computer?

A. PCIe

B. PXE

C. BitLocker

D. Multiboot

3. Which command is used to list the contents of a directory in the Command Prompt?

A. CD

B. Dir

C. Ping

D. Ver

4. One of your customers runs Windows on a laptop. A new security flaw and its fix have been published regarding Windows. Which of the following can prevent exploitation?

A. Encrypting the hard drive

B. Training the customer

C. Implementing a patching policy

D. Configuring screen locks

5. Your company has multiple users who work with the same commercial software. What is the best type of license to purchase so that it is in compliance with the EULA?

A. Seat license

B. Commercial license

C. Enterprise license

D. Open source license

6. Which of the following is a risk of implementing BYOD?

A. Encryption mismatches

B. Higher risk of phishing attacks

C. Introduction of malware onto the network

D. DHCP failures

7. One of your co-workers tells you that whenever she returns to her desk she has to type her username and password to unlock the computer. She says she cannot modify the screensaver. After analyzing the system, you notice that the screensaver and the screen lock options are indeed grayed out. Which of the following is the most likely reason for this?

A. Incorrect local-level user policies

B. Domain-level group policies

C. Antivirus domain-level policies

D. Corrupted registry

8. Which of the following features in Windows allows the following command to run? (Select the two best answers.)

$PSVersionTable

A. Compatibility mode

B. OneDrive

C. Windows Firewall

D. PowerShell

E. ISE

9. You have been tasked with printing a group policy configuration report to an HTML file for offline review. Which of the following commands will enable you to do this?

A. gpresult

B. gpupdate

C. gpedit.msc

D. secpol.msc

10. Which of the following tasks is automatically added to the Windows Task Scheduler to improve hard disk performance?

A. cleanmgr

B. defrag

C. diskpart

D. chkdsk

11. Which of the following is the maximum addressable RAM limit for a system running a 32-bit version of Windows?

A. no limit

B. 4 GB

C. 8 GB

D. 32 GB

E. 256 TB

12. One of the users in your company frequently leaves her workstation and wants to make sure that her confidential data is not accessed by anyone else. However, the user does not want to turn off the computer when she leaves work in the evening. Which of the following is the best solution for securing the workstation?

A. Implement a password and fingerprint lock for after-hours login.

B. Set a strong password that requires a renewal every 30 days.

C. Apply a screen lock after 5 minutes of non-use and set login time restrictions for after hours.

D. Run a screensaver after one minute of nonuse and a fingerprint lock for after hours.

13. A manager suspects that a user has obtained movies and other copyright-protected materials through the use of a BitTorrent client. The incident response tech confirms the suspicion, and as such, the user is in violation of company policy. What should the incident response technician do next?

A. Immediately delete all unauthorized materials.

B. Secure the workstation in a limited access facility.

C. Reprimand the user and apply a content filter to the user’s profile.

D. Document the incident and purge all policy-violating materials.

14. A new user in your company has been given permission to connect to the corporate network with a smartphone that he owns. Which of the following should you perform before configuring the smartphone for actual access to the network?

A. Check the phone for unauthorized root access.

B. Erase all personal data from the phone.

C. Check the phone for location tracking.

D. Disable Bluetooth.

15. You work for an organization that uses various permissions for individual user accounts. One of the managers with a restricted user account receives the following message:

Windows Update cannot currently check for updates because the service is not running.

The manager contacts your organization’s help desk to report the error. You connect to the manager’s computer and identify the problem. What action should you take next to quickly resolve the problem?

A. Reboot the computer

B. Roll back the device drivers

C. Restart the network services

D. Rebuild the Windows profile

16. Which of the following usually incorporates an 8-digit code that can be found on the bottom of a SOHO router?

A. Port forwarding

B. WPS

C. Wireless encryption

D. Port triggering

17. You have been asked to set up a new networking closet and you notice that the humidity level in the room is very low. Which of the following tasks should be done before rack-mounting any networking equipment?

A. Install grounding bars.

B. Set up a dehumidifier.

C. Use an ESD strap.

D. Implement a fire suppression system.

18. Which of the following security techniques is most closely related to when a user enters a username and password once for multiple applications?

A. Propagation

B. MFA

C. SSO

D. Inheritance

19. Jason from accounting reports that when pressing Ctrl + Alt + Del to log on to a Windows workstation he is asked for a PIN. Which of the following should you tell Jason?

A. “Enter all the passwords that you have used previously.”

B. “Reboot the computer.”

C. “Check the network cable.”

D. “Please verify that you are using your smart card.”

20. A surge suppressor safeguards connected equipment by directing surges to the:

A. path of least resistance.

B. path of shortest conductance.

C. path of lowest inductance.

D. path of highest voltage.

21. By default, a file or folder will receive its NTFS permissions from the parent folder. This process is known as which of the following terms?

A. Permission propagation

B. Single sign-on (SSO)

C. Client-side virtualization

D. Proxy settings

E. Recovery image

F. Inheritance

22. Which of the following are examples of physical security? (Select the two best answers.)

A. Directory permissions

B. OTP hardware tokens

C. Principle of least privilege

D. Privacy filters

23. You have been given technical documentation from the network administrator which details the switch ports that you will need to use for an upcoming network upgrade. Which of the following documents did you receive?

A. Logical topology diagram

B. Process diagram

C. Physical network diagram

D. Fiber backbone diagram

24. Which of the following will help to protect an organization from further data exposure after a list of passwords has already been leaked due to a policy breach? (Select the two best answers.)

A. Require strong passwords.

B. Use multifactor authentication.

C. Educate end users.

D. Enable file encryption.

E. Restrict user permissions.

25. A user is reporting that his web browser is not going to the site he is trying to access. Which of the following statements describes the best way to resolve this?

A. Ensure the user is not utilizing a proxy server

B. Remove all Internet shortcuts

C. Delete all Internet cookies

D. Clear all Internet cache

26. Which of the following Windows features has undergone the most significant changes from Windows 7 to Windows 10 and has also greatly simplified the OS installation process?

A. Metro interface

B. User Account Control

C. Driver detection

D. PXE installation

27. Which of the following terms best describes the Apple utility used with iOS devices for synchronizing and upgrading?

A. Safari

B. iMac

C. iTunes

D. Bluetooth

28. Which of the following is a way to remove data from a hard drive through destruction? (Select the two best answers.)

A. Disabling ports

B. Shredding

C. Drilling

D. Using low-level formatting

E. Purging

29. Which of the following Internet Options tabs should you access to enable TLS 1.2 in Internet Explorer?

A. Security

B. Privacy

C. Advanced

D. Connections

30. You are attempting to install a Windows 10 64-bit OS within a VM but you keep receiving errors. The specifications for the VM include:

• Two 1 GHz CPUs

• 2 GB of RAM

• 15 GB hard drive space

• 800 x 600 screen resolution

Which of the following should you do to resolve this issue?

A. Increase the number of CPUs

B. Increase the amount of memory

C. Increase the amount of hard drive space

D. Increase the screen resolution

31. Your organization's network consists of 25 computers. Your boss is interested in employing a file server with network shares and a print server. Which of the following Windows network setups should you recommend?

A. Workgroup

B. Ad hoc

C. Star

D. Domain

32. Which of the following is the best example of the use of chain of custody?

A. The technician notes the date, time, and who was given the computer.

B. The technician remembers when and who he or she gave the computer to.

C. The technician uses a third-party to hand over the computer to the proper authorities.

D. The technician calls the supervisor after the computer has been transferred.

33. You just installed a new updated driver for a network interface card (NIC). Now you want to test its data transfer rate. What tool should you use to run your test?

A. Device Manager

B. Local Security Policy

C. Performance Monitor

D. Component Services

34. You just got your first IT job working at a help desk. You get a call from a user about an issue you have never seen before, and you are not sure where to begin troubleshooting. What is the first course of action you should take?

A. Tell the customer that this is the first time you have encountered this problem and to please be patient.

B. Tell the customer that the problem needs to be escalated to a higher tier technician.

C. Tell the customer to please hold while a senior technician is consulted regarding the problem.

D. Ask the customer if he or she would mind holding for no more than two minutes to check resources.

35. One of your users just purchased an Android smartphone and is attempting to access a public hotspot. The user receives a message that a page cannot be displayed. The user notices a question mark (?) in the radio icon in the toolbar. The user has activated Bluetooth, and verified that airplane mode is off. Tethering is turned on. The user is using the smartphone to call in to the help desk for assistance. Which of the following is the most likely issue?

A. The user has exceeded the data allowance.

B. There is unauthenticated wireless connectivity.

C. It is an un-rooted smartphone.

D. The SIM card is not activated.

E. The smartphone is only 3G capable.

F. A data plan was not purchased.

36. Which Windows utility can be used to see which user is currently logged on?

A. Msconfig

B. Disk Management

C. Task Manager

D. Administrative Tools

37. Which of the following tools are commonly used to remove dust from the inside of a computer? (Select the two best answers.)

A. Compressed air

B. Cotton and alcohol

C. Feather duster

D. Anti-bacterial surface cleaner

E. Vacuum

38. You have been tasked with installing Windows 10 on 100 computers to a new subnet on your network. You are required to remove system-specific identifiers. Which of the following should be used to accomplish this?

A. System Preparation tool

B. Windows Deployment Services

C. Remote Installation Services

D. Unattended installation

39. Which of the following is a common symptom of a problem that can occur while starting up the Windows operating system?

A. Spontaneous shutdown/restart

B. Invalid boot disk

C. WinRE won't start

D. The optical disc failed

E. The emergency repair disk doesn't boot

F. REGSVR32 has failed

40. Which of the following are possible symptoms of malware? (Select all that apply.)

A. Security alerts

B. Windows Update failures

C. Pre-installation environment

D. Renamed system files

E. Rogue antivirus

F. User error

41. One of your users complains that his smartphone is making shutter noises even when he is not taking pictures. What should you do first to determine the cause of the problem?

A. Update all applications on the smartphone

B. Run OS updates

C. Uninstall the camera installation

D. Check the application permissions

E. Reset the phone to factory settings

42. You are troubleshooting a Windows system suffering from poor performance. The Event Viewer states that the file system is corrupt. What should you do next?

A. Reload the OS using FAT32 instead of NTFS.

B. Run chkdsk with the /R option and reboot the system.

C. Open the defrag utility and run the drive analysis.

D. Change the drive from basic to dynamic.

43. Which type of fire extinguishing technology should be used during an electrical fire?

A. Overhead sprinkler systems

B. Water-based fire extinguishers

C. Class B fire extinguishers

D. Non water-based fire extinguishers

44. You attempt to install a legacy application on a computer running Windows 8. You receive an error that says the application cannot be installed because the OS is not supported. Which of the following describes the first step you should take to continue installing the application?

A. Install the latest service pack.

B. Install the application in Safe Mode.

C. Install the application in compatibility mode.

D. Install the latest security updates.

45. A user tells you that his new smartphone is suffering from poor battery life. The user has been using the phone for a short time and has installed several apps lately. Which of the following is the most likely cause of the problem?

A. Unauthorized root access

B. Battery needs to be replaced

C. Defective SD card

D. Signal drop or weak signal

E. Slow data speeds

46. You have been tasked with setting up a SOHO wireless network in a small healthcare office that cannot afford a server. The wireless users require the highest level of security available, and various other levels of desktop authentication for access to cloud-based resources. Which of the following protocols and authentication methods should you implement? (Select the two best answers.)

A. WEP

B. WPA

C. WPA2

D. TKIP

E. RADIUS

F. TACACS

G. SSO

H. Multifactor

47. A customer calls to report that when she walks away from her laptop for an extended period of time, she has to reconnect to wireless upon her return. Which of the following will most likely correct this issue?

A. Replace the wireless card.

B. Install a higher capacity battery.

C. Adjust the power settings.

D. Disable the screensaver.

48. You are required to remove the ability for standard users to shut down or restart a shared computer. Which command should be used to accomplish this task?

A. shutdown.exe

B. bootrec.exe

C. gpedit.msc

D. services.msc

49. Which of the following commands should be used to search for a specific string in a filename?

A. sudo

B. grep

C. chmod

D. wget

50. You are working on a computer that is displaying a black screen. You restart the computer but the operating system will not load. After inquiring with the user, you find out that the operating system was patched the previous evening. Which of the following should you attempt next?

A. Repair the Windows registry.

B. Configure boot options in the BIOS.

C. Reboot into Safe Mode and roll back the updates.

D. Disable Windows services.

51. You are required to replace a desktop power supply. Which of the following tasks should be performed first?

A. Remove your watch and jewelry.

B. Review local regulations for disposal procedures.

C. Read the MSDS.

D. Check for environmental concerns.

52. Your customer has a computer (named comp112) that has been infected by a worm. The worm has propagated to at least 30 other computers on the network. Which of the following tasks should be performed before attempting to remove the worm from the comp112 computer?

A. Log the user off the system.

B. Boot the system in Safe Mode.

C. Run a full virus scan.

D. Disconnect the network cable from the computer.

53. You are working at a computer and see the following syntax in the beginning of a script:

#!/bin/bash

What type of system are you working at?

A. Windows

B. Linux

C. iOS

D. jscript

54. Which of the following tools will allow you to change the number of CPU cores that Windows uses?

A. perfmon

B. dxdiag

C. msconfig

D. taskmgr

55. A user is unable to view office network files while working from home. Which of the following is the most likely cause of the problem?

A. Outdated anti-malware protection

B. Inactive VPN

C. MDM policies

D. Untrusted software

56. One of your co-workers is attempting to access a file on a share located on a remote computer. The file's share permissions are set to allow the user full control; however, the NTFS permissions allow the user to have read access. Which of the following will be the user's resulting access level for the file?

A. Read

B. Write

C. Modify

D. Full Control

57. You are installing a 32-bit program on a 64-bit version of Windows. Where does the program get installed to?

A. C:\

B. C:\Program Files

C. C:\Windows

D. C:\Program Files (x86)

58. A home user needs to reinstall Windows on a home computer but cannot find the operating system disc that came with the computer. Which of the following would allow the home user to install the operating system?

A. System Restore

B. Recovery partition

C. Linux rescue boot disc

D. Primary partition

59. You have been tasked with running updates on a Windows computer. Some of the updates go through fine, but one fails. While troubleshooting, you restart the computer and attempt to install the failed update, but it continues to fail. Which of the following should you do first?

A. Analyze the Event Viewer for more information about the failures.

B. Download the failed update to install it manually.

C. Visit the Microsoft Update website to see if there is an issue with a specific update.

D. Look up the error number associated with the failed update.

60. You are working on a client computer and receive a message that says the trust relationship to the domain has been broken. Which of the following steps should be taken to resolve this problem from the client computer?

A. Update the BIOS using the latest version.

B. Run CHKDSK.

C. Re-join the computer to the domain.

D. Reboot the PC as the domain will automatically rebuild the relationship.

61. You are configuring a friend's iPad. He needs to access his work e-mail. In order to do this, you require information from the IT department. Which information should you ask for?

A. Server and gateway

B. IP address and domain

C. IP address and DNS

D. Server and domain

62. Which of the following file formats does Android use for application installation?

A. .api

B. .exe

C. .ipa

D. .apk

E. .sdk

63. A coworker has asked for a solution that will prevent file corruption by ensuring a graceful shutdown in the case of a power outage. The user would like at least one hour of uptime if the power goes out. Which of the following should you recommend?

A. Surge protector

B. Power strip

C. Uninterruptible power supply

D. Power distribution unit

64. Which command in Windows can initiate CHKDSK at boot time?

A. CONVERT

B. IPCONFIG

C. CHKNTFS

D. NETDOM

65. A customer reports to you that a file shared on her computer for another user is not accessible to that third party. The customer says that the third party was given Allow rights for Read and Write access to the file. Which of the following could be a reason as to why the third party cannot access the file?

A. The parent folder has explicit Allow rights set for the third-party user.

B. The parent folder has explicit Deny rights set for the third-party user.

C. The user forgot to share the parent folder and only shared the specific file.

D. The parent folder likely has the archive attribute enabled.

66. Which of the following tools is used to type recovery commands into a Linux box?

A. Backup/Time Machine

B. Shell/Terminal

C. Restore/Snapshot

D. Command/CMD

67. You are part of a security team that is auditing an organization’s server room. You find that a USB drive was previously inserted into three of the servers. Many login attempts were successfully performed using common login information. What should you do to prevent the vulnerability from being exploited again? (Select the two best answers.)

A. Remove admin permissions

B. Modify the AutoRun settings

C. Install a software-based firewall

D. Disable the guest account

E. Change default credentials

F. Run operating system security updates

68. Which Windows command can stop a single process from the command-line?

A. Taskkill

B. Shutdown

C. Tasklist

D. DEL

69. In a SOHO wireless network, which of the following prevents unauthorized users from accessing confidential data?

A. Enabling MAC filtering

B. Changing the SSID name

C. Setting encryption

D. Reducing broadcast power

70. Which Control Panel utility is best used to remove a Windows application?

A. Disk Cleanup

B. Administrative Tools

C. Folder Options

D. Programs and Features

71. You receive a tech support call from a user on your corporate network about an Internet connection that is not working. You analyze the system and find out that the user’s system has a valid IP address, can connect to network shares, and can view local intranet pages in her web browser. However, when you attempt to access a public website, the connection times out. Which of the following should you investigate next?

A. Proxy settings

B. IPv6 settings

C. Hosts file

D. DNS server

72. You have been tasked with setting up an AP in a small office that is in the middle of a crowded building. What should you do to increase the security of the wireless network? (Select the two best answers.)

A. Configure WPA encryption

B. Disable the DHCP server

C. Reduce the transmit power

D. Reduce channel availability

E. Enable QoS management

F. Disable the SSID broadcast

73. A computer has been infected with multiple viruses and spyware. Which of the following tasks should be performed before removing this malware?

A. Disable System Restore

B. Disable network cards

C. Run Windows Update

D. Run the CHKDSK /R command

74. One of your customers has set up a perimeter firewall and has implemented up-to-date AV software. She asks you what else she can do to improve security. Which of the following will have the greatest impact on her network security? (Select the two best answers.)

A. Conduct a daily security audit.

B. Use strong passwords.

C. Install additional antivirus software.

D. Assign security rights based on job roles.

E. Disable screen savers.

75. Which of the following statements describe how to demonstrate professionalism when dealing with a customer? (Select the three best answers.)

A. Avoid distractions.

B. Retain a chain of custody.

C. Avoid being judgmental.

D. Leave documentation to the customer.

E. Meet expectations that the customer sets for you.

76. You previously installed a new application for a customer, adding three new services. Today, the customer informs you that the application will not start. You find out that one of the three new services has failed to start and manual attempts to start it fail. Where should you look next for information? (Select the two best answers.)

A. Registry

B. Event Viewer

C. %systemroot%\System32\Drivers

D. Log files for the new application

E. Task Manager

77. Your organization has hired a new IT firm to manage its switches and routers. The IT firm is out of state and will need to be able to remotely access the devices. Which of the following should be implemented to provide secure access from the IT firm to the switches and routers?

A. RDP

B. Telnet

C. SSH

D. VNC

78. Which of the following is the best way to maintain data security for a mobile device that has been lost or stolen?

A. Passcode lock

B. GPS

C. Remote wipe

D. Login attempt restrictions

79. Look at the following syntax:

net use Z: \\servername\sharename

Which of the following file types would you expect that syntax to be located in?

A. .vbs

B. .bat

C. .js

D. .py

80. One of your customers connected a tablet computer to her personal mobile hotspot device for Internet access to be used in a public location. The device running the hotspot shows that there are two connections instead of just one. Which of the following actions can she perform to prevent this unauthorized access to the device immediately? (Select the two best answers.)

A. Access the intruder’s device and shut it down.

B. Add the intruding device to a blocked access list.

C. Set up a Wi-Fi analyzer to identify the intruding device.

D. Change the SSID to a different broadcast name.

E. Shut down the device until the intruder is no longer in the area.

Answers at a Glance

1. C

2. B

3. B

4. C

5. C

6. C

7. B

8. D and E

9. A

10. B

11. B

12. C

13. B

14. A

15. C

16. B

17. A

18. C

19. D

20. A

21. F

22. B and D

23. C

24. B and C

25. A

26. C

27. C

28. B and C

29. C

30. C

31. D

32. A

33. C

34. D

35. B

36. C

37. A and E

38. A

39. B

40. A, B, and D

41. D

42. B

43. D

44. C

45. A

46. C and H

47. C

48. C

49. B

50. C

51. A

52. D

53. B

54. C

55. B

56. A

57. D

58. B

59. D

60. C

61. D

62. D

63. C

64. C

65. B

66. B

67. B and D

68. A

69. C

70. D

71. A

72. C and F

73. A

74. B and D

75. A, C, and E

76. B and D

77. C

78. C

79. B

80. B and D

Explanations for Answers

1. Explanation: ipconfig /all will display the MAC address of a computer. Whereas a simple ipconfig shows only the IP address, subnet mask, and gateway address, ipconfig /all gives you more information: the MAC address (listed as the Physical Address), the DNS server IP address, whether or not DHCP is enabled, and additional information. See Chapter 25, “Microsoft Command-Line Tools,” for more information.

Incorrect answers: ping is used to test whether other computers are available on the network. netstat displays all the network sessions to remote computers. ipconfig /renew is used with /release to reissue DHCP-obtained IP addresses.

2. Explanation: To perform a network installation, a network adapter in the target computer must be PXE-compliant. Also, there must be some type of server acting as a repository for the Windows installation files. See Chapter 24, “Operating System Installation,” for more information.

Incorrect answers: PCIe is an expansion bus. The network adapter will make use of this expansion bus if it is an actual card (NIC) or if it is embedded in the motherboard. BitLocker is a full drive encryption feature included with select editions of Windows. Multiboot technology means that the computer can boot to two or more operating systems.

3. Explanation: Dir is used to list the contents of a directory in the Command Prompt. You might also use the tree command to show the tree of directories. See Chapter 25, “Microsoft Command-Line Tools,” for more information.

Incorrect answers: CD is short for change directory and is used to navigate. Ping is used to verify if another computer is available on the network. Ver shows the version number of the Windows operating system (though winver gives more information in a graphical format).

4. Explanation: Every company should have a patching policy and a plan for how to implement patches for security fixes. The policy will dictate what a technician should do in the event of a published security fix. By patching the laptop, you decrease the chances of exploitation. See Chapter 27, “Microsoft Operating System Features and Tools, Part 2,” for more information.

Incorrect answers: Hard drive encryption and user training are also excellent ideas, but they won't necessarily help with this particular security flaw. Screen locks can help to deter a user who would attempt to use another user's computer, but again, they have little to do with the new security flaw.

5. Explanation: You would want to get an enterprise license. This allows multiple users to install the software on their systems, and each can accept the end user license agreement (EULA) individually. See Chapter 41, “Incident Response, Communication, and Professionalism,” for more information.

Incorrect answers: The terms “seat” and “commercial” licensing might be used for other types of licenses, but generally, the term “enterprise” is widely used when there are many end user licenses required (for example, when you are dealing with Microsoft operating system and Office software). An open source license doesn’t require a purchase. It can be downloaded and freely modified, based on the rules of the open source licensing agreement.

6. Explanation: The most common issue when implementing bring your own device (BYOD) as a policy in your organization is the possibility that malware from someone’s smartphone, tablet, or laptop could be introduced to the network and spread to other systems. So, every BYOD device needs to be equipped with anti-malware software and kept up to date. Also, it would be wise to remotely administer these devices with a mobile device management (MDM) solution so that anti-malware updates can be streamed from a central source. See Chapter 34, “Mobile Device Security,” for more information.

Incorrect answers: If you implement the system correctly, encryption of company-owned data can be the same across the board, and should be. Devices in general will probably become more secure because they are initiated into a corporate BYOD network, so the level of phishing attacks should be the same or be reduced. DHCP failures should not increase unless your IP scope (range of IP addresses) can’t handle the additional devices on the network. As always, you should consult your network documentation and see if your DHCP server’s IP scope can handle all the clients that you plan to introduce onto the network.

7. Explanation: The most likely reason for this is that domain-level group policies have been implemented by the administrator. This is by design so that end users cannot enable screensavers. This cannot be changed by the end user. See Chapter 31, “Physical and Logical Security,” for more information.

Incorrect answers: As mentioned, the policies are by design; they are not incorrect policies, although it is possible to implement a similar security feature with the local computer policy of a system. Antivirus policies that are instituted at the domain level would affect the antivirus software of a group of systems on the network but should not affect Windows settings. A corrupted registry could cause problems with the logon, but what is happening in the scenario is a specific setting designed to secure the workstations on the domain.

8. Explanation: PowerShell—and the PowerShell Integrated Scripting Environment (ISE)—is an advanced command line in Windows that goes beyond the Command Prompt. It is designed for administrators so that they can run scripts, batch commands, snippets, and save the work as .PS1 files (by default). The command $PSVersionTable will tell you the version of PowerShell, Windows version, and more. The “PS” in the command stands for “PowerShell”! See Chapter 42, “Basic Scripting and Remote Access Technologies,” for more information.

Incorrect answers: Compatibility mode is a mode in Windows that allows you to run older programs within newer versions of Windows. OneDrive is Microsoft’s cloud service. The Windows Firewall is the built-in software-based firewall that blocks unwanted intrusion.

9. Explanation: Use the gpresult command; this allows you to view the results of the Microsoft Group Policy configuration and print it to various file formats if you wish. See Chapter 25, “Microsoft Command-Line Tools,” for more information.

Incorrect answers: gpupdate takes care of updating settings on a computer regarding the computer policy configuration. gpedit.msc opens the Local Group Policy Editor window. secpol.msc opens the Local Security Policy window.
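The following PowerShell session is an added example, not code from the book, showing how gpresult is used in practice: a quick on-screen summary, an HTML report for reading, and an XML report that can be checked by script. The output directory and file names are assumptions, and the element names read from the XML (Name, Enabled, IsValid, AccessDenied, FilterAllowed) follow the gpresult XML schema as seen on Windows 10; confirm them on your own build before relying on the parsed results.

```powershell
# Added example (not from the book): collect and summarize Resultant Set of Policy
# with gpresult. The report directory and file names are assumptions for this example.
$ReportDir = Join-Path $env:TEMP 'rsop-report'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$Html = Join-Path $ReportDir 'rsop.html'
$Xml  = Join-Path $ReportDir 'rsop.xml'

# Quick human-readable summary for the computer scope (writes nothing to disk).
gpresult /r /scope:computer

# Full reports: HTML for reading, XML for scripted checks. /f overwrites existing files.
gpresult /h $Html /f
gpresult /x $Xml /f

# Parse the XML and list every GPO seen for the computer, including ones that were
# present but not applied. Element names are assumed from the gpresult XML schema.
[xml]$rsop = Get-Content -Path $Xml
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, Enabled, IsValid, AccessDenied, FilterAllowed |
    Format-Table -AutoSize
```

Run this from an elevated prompt; without elevation gpresult reports only the user scope, and the ComputerResults section of the XML will be empty or missing.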

10. Explanation: The defrag.exe utility (which is the Disk Defragmenter, otherwise known as Optimize Drives) can be automatically added to the Task Scheduler in Windows in an effort to improve hard disk performance. See Chapter 27, “Microsoft Operating System Features and Tools, Part 2,” for more information.

Incorrect answers: Cleanmgr.exe is the Disk Cleanup program. Diskpart is the text-based Command Prompt version of the Disk Administrator utility. Chkdsk is short for check disk, another text-based Command Prompt utility used to check whether the drive is healthy. Any programs (executables) can be added to the Task Scheduler. However, the more programs you add (and the more often they run), the more resources your system will use, so make sure you use the Task Scheduler sparingly, and make sure that the defrag option is not run too often; that will use a lot of resources and could damage the drive if run too much.
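Because the explanation warns against running defrag too often, the added PowerShell example below (not code from the book) first inspects the optimization task Windows already ships under \Microsoft\Windows\Defrag\ and only then registers a once-a-week task of its own. The custom task name, task path, and the choice of the C: volume are assumptions for this example.

```powershell
# Added example (not from the book): check the built-in Optimize Drives task before
# adding a defrag job of your own. Task name, path, and volume are assumptions.

# 1. Windows already schedules optimization; look at it before creating another task.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Defrag\' |
    Select-Object TaskName, State,
        @{ n = 'LastRun'; e = { ($_ | Get-ScheduledTaskInfo).LastRunTime } }

# 2. Optional custom task: optimize C: once a week, at night, as SYSTEM.
#    /O runs the optimization appropriate for the media (defrag on HDD, retrim on SSD).
$Action    = New-ScheduledTaskAction -Execute 'defrag.exe' -Argument 'C: /O'
$Trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
# Only run when the machine is idle, and catch up if the scheduled time was missed.
$Settings  = New-ScheduledTaskSettingsSet -RunOnlyIfIdle -StartWhenAvailable

Register-ScheduledTask -TaskName 'Weekly Optimize C' -TaskPath '\Custom\' `
    -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -Force

# 3. Confirm what was registered.
Get-ScheduledTask -TaskName 'Weekly Optimize C' | Select-Object TaskName, State
```

A weekly, idle-only trigger keeps the resource cost low; if the built-in task is already enabled, the custom task is redundant and step 2 can be skipped.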

11. Explanation: The maximum amount of RAM that any 32-bit operating system can use is 4 GB, because 32-bit CPUs can only address 4 GB of RAM. That’s why the bulk of the systems that you will work with will be 64-bit. See Chapter 23, “Operating System Types and Windows Versions,” for more information.

Incorrect answers: “No limit” is not a possibility when it comes to a computer’s RAM at this time. To have, and use, more than 4 GB, a 64-bit CPU, and a 64-bit version of Windows would be required. 32 GB is common for workstations as of the writing of this book (2019) but the amount of RAM that computers can use is always on the rise! 256 TB is the typical maximum amount of RAM that a 64-bit system can address, though we rarely come anywhere close to that.

12. Explanation: The screen lock and login time restrictions are your best bet. This way, the computer will lock after 5 minutes, even if the user forgets to lock it manually (with a quick Windows + L on the keyboard if you wish). Set the login restriction hours within the system or on the domain so that no one can log in after a certain time (such as 5 p.m.). See Chapter 33, “Windows Security Settings and Best Practices,” for more information.

Incorrect answers: Every system should have a password, but by default, that is only needed when the computer is first turned on or if the person logs off and logs back on. To avoid logging off and losing work, use the screen lock option. That will require the password when the user comes back to the computer. A strong password is important but does not meet the requirements when it comes to the person leaving the workstation frequently and the issue of not turning off the computer. A screensaver is not enough because this does not necessarily require a password. The screen lock is a much more secure method in general.

13. Explanation: The incident response technician should secure the workstation in a limited access storage facility until the matter is sorted out. A company can be liable for what its employees download, so the workstation should be securely stored and not disturbed until the matter has been investigated thoroughly. The incident response technician should also contact the network administrator (or network security administrator), inform him or her that the user was able to download a BitTorrent client, and figure out a way to block the usage of those. See Chapter 41, “Incident Response, Communication and Professionalism,” for more information.

Incorrect answers: Because there are legal ramifications (for the user and for the company), the incident response tech should not delete anything and should store the computer securely for the time being. At some point, the tech will probably be called upon to image the drive, from which investigation can then be carried out. Reprimanding the user is up to the manager, and applying a content filter would probably be done for the entire network, not just that individual user’s profile. The tech should definitely document the incident—that is of utmost importance—but the tech should not purge the downloaded materials. Instead, quarantine the computer in a safe location until the investigation is complete. If the user was working with a BitTorrent client, there is the chance that the user was performing other illegal acts, so the computer should be thoroughly analyzed, and the hard drive should be stored indefinitely in a secure place for future reference.

14. Explanation: Before actually giving access to a smartphone (or any other BYOD device) to the computer network, make sure that it has not been rooted or jailbroken. When this is done to a mobile device, it makes it much more susceptible to malicious attack—which could spread to the rest of the network. In fact, the simple fact that the device is rooted could mean that it was already infected, as is often the case. See Chapter 34, “Mobile Device Security,” for more information.

Incorrect answers: You have no authority to erase personal data from a user’s phone. You might also want to check your policy for GPS and location tracking before giving the phone access. Regardless, if your BYOD environment is being properly controlled by an MDM, you would be able to set whether GPS or location tracking is enabled by way of group policy and disable it remotely within the MDM. Bluetooth might be necessary to the user, so there is no reason to disable it unless your organization’s policy expressly forbids it.

15. Explanation: It is likely that the Windows Update service stopped. It can be restarted (along with RPC, on which it depends) within the Services console window in Computer Management (or Run > services.msc), or within the Command Prompt by typing net start wuauserv. However, it might be that Windows Update was disabled on purpose as part of company policy. Always check your organization’s policies and procedures first before starting services. See Chapter 34, “Mobile Device Security,” for more information. See Chapter 27, “Microsoft Operating System Features and Tools, Part 2,” for more information.

Incorrect answers: Rebooting the computer will most likely result in the same issue later on when Windows Update needs to update the OS. There are no device drivers that will affect the Windows Update service. Rebuilding the user profile is also not necessary here; plus, it is a lengthy process, and definitely not a quick solution.
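The explanation makes two points: the service depends on RPC, and it may have been turned off deliberately by policy. The PowerShell below is an added example (not code from the book) that checks both before starting anything. It reads the Group Policy value NoAutoUpdate under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, which is the registry location the Automatic Updates policy writes to; the function name is an assumption for this example.

```powershell
# Added example (not from the book): inspect the Windows Update service, its RPC
# dependency, and the Automatic Updates policy before deciding whether to start it.
# The function name Test-WindowsUpdateService is an assumption for this example.
function Test-WindowsUpdateService {
    $svc = Get-Service -Name wuauserv

    # NoAutoUpdate = 1 under the Policies hive means an administrator disabled
    # automatic updates by Group Policy; starting the service would not change that.
    $auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate

    [pscustomobject]@{
        Service        = $svc.Name
        Status         = $svc.Status
        StartType      = $svc.StartType
        # RpcSs (Remote Procedure Call) normally appears here.
        DependsOn      = ($svc.ServicesDependedOn | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        PolicyDisabled = ($noAuto -eq 1)
    }
}

$state = Test-WindowsUpdateService
$state

if ($state.PolicyDisabled -or $state.StartType -eq 'Disabled') {
    Write-Warning 'Windows Update is disabled by policy or start type; confirm with your organization before changing it.'
}
elseif ($state.Status -ne 'Running') {
    # Start-Service starts required services (RpcSs) first, as net start wuauserv does.
    Start-Service -Name wuauserv
    Get-Service -Name wuauserv | Select-Object Name, Status
}
```

The StartType property of Get-Service output is available from PowerShell 5.0 onward; on older versions use Get-CimInstance Win32_Service and read its StartMode instead.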

16. Explanation: Wi-Fi Protected Setup (WPS) is a standard used by many router manufacturers to make connecting to a wireless network easier for the user. It usually consists of an 8 to 10-digit PIN and is located on the bottom of the router. It can also be viewed within the router's firmware. There have been several problems with WPS and most manufacturers recommend that you disable it within the firmware. See Chapter 35, “Data Destruction and SOHO Security,” for more information.

Incorrect answers: Port forwarding forwards an external network port to an internal IP address and port. Wireless encryption is a method of rearranging wirelessly transferred data so that it is hard to decode. Examples include WPA and WPA2. Port triggering enables you to specify outgoing ports that your computer uses for special applications; their corresponding inbound ports will be opened automatically when the sessions are established.

17. Explanation: All networking racks should be grounded, either to grounding bars, an I-beam in the ceiling, or other methods of grounding. This should be done before installing any equipment to the racks in order to prevent any damage from ESD. See Chapter 40, “Safety Procedures and Environmental Controls,” for more information.

Incorrect answers: A dehumidifier would make the problem worse by removing additional humidity from the air. An ESD strap will provide some protection to the devices while you work on them but it won't help once you disconnect. Fire suppression systems are important but they won't protect against ESD.

18. Explanation: Single sign-on (SSO) is when a user account’s username and password can be used to gain access to multiple applications, systems, or networks, instead of the user having to memorize multiple passwords. It is often used within a federated identity management system. See Chapter 33, “Windows Security Settings and Best Practices,” for more information.

Incorrect answers: Propagation and inheritance deal with NTFS permissions. By default, child objects (such as sub-folders) inherit their NTFS permissions from the parent folder—conversely, the parent folder propagates those permissions to the child folder. MFA stands for multi-factor authentication; for example, when a user is required to log on with two types of identification, such as a password and a fingerprint.

19. Explanation: You should tell Jason to make sure he is using his smart card. In a multifactor authentication system, you might have a combination of a physical smart card requiring that a personal identification number (PIN) be typed, and then the password. So, you want to make sure that users are swiping (or inserting) their smart card before entering the PIN code. Of course, all this depends on the type of authentication (or multifactor authentication) system that is in place. In this scenario, and with the answers listed, verification of the user’s smart card is the best answer. See Chapter 31, “Physical and Logical Security,” for more information.

Incorrect answers: The user probably hasn’t gotten to the authentication stage where the password needs to be entered, but regardless, it is not a good idea to suggest entering all past passwords. Rebooting the computer can fix many problems, but in situations such as these it will simply result in the same issue. The network connection shouldn’t play into the PIN requirement.

20. Explanation: Surge suppressors (otherwise known as surge protectors) safeguard the equipment that is connected to them by directing surges to the path of least resistance. Electrical resistance is the measure of difficulty to pass an electric current through a conductor and is measured in Ohms (Ω). It will usually mean redirecting the current to ground. So, the metal oxide varistor (MOV) within the surge suppressor will normally redirect to the ground wire of the AC circuit because there is no resistance on that wire. See Chapter 40, “Safety Procedures and Environmental Controls,” for more information.

Incorrect answers: Electrical conductance deals with current and how easily it flows; it is the inverse quantity of resistance. Inductance deals with changes in current flowing through a circuit. The path of highest voltage is just that—for example, the hot wire of an AC circuit (120 V). You would not want a surge to be redirected to high-voltage areas, and you should always redirect surges and spikes to the ground.

21. Explanation: Inheritance is when a file or folder receives its NTFS permissions from the parent folder. It is the default setting of the Advanced configuration dialog box within the Security tab of a file or folder. In Windows, it is shown as a button that can enable or disable inheritance (described as “Include inheritable permissions from this object's parent” in older versions of Windows). See Chapter 33, “Windows Security Settings and Best Practices,” for more information.

Incorrect answers: This is different than permission propagation in that propagation is when a parent folder forces the permissions to the subfolder. It can be initiated by the user, is a separate configuration, and is not necessarily configured to work by default. SSO is a type of authentication method where a single username/password combination (or other single authentication scheme) is used to gain access to multiple different resources. Client-side virtualization is when a client operating system (such as Windows 10) is run in a virtual machine. The virtual software applications that house virtual machines have their own set of requirements, as do the virtual machines themselves. For example, Windows running within a virtual machine will not require as many resources as Windows running on a physical computer in a standard installation. Proxy settings are Internet connectivity settings that are set up on a computer running an OS such as Windows. The proxy setting is usually an IP address of a special computer on the network that acts as a go-between for the client computer and the Internet. It stores web information so that the client computer can gain access to the information faster while conserving Internet bandwidth. A recovery image is an image file that can recover an operating system. It is created by the manufacturer or by the user as a form of preventive maintenance in the event of a system crash and can be saved to an optical disc, to a USB flash drive, or to a special partition on the hard drive.
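Inheritance is easiest to see from the ACL itself: each access entry carries an IsInherited flag, and the folder's AreAccessRulesProtected flag records whether inheritance was disabled. The PowerShell below is an added example (not code from the book) that reports both across a folder tree and then disables inheritance on one subfolder while converting the inherited entries to explicit ones. The root path, subfolder, and function name are assumptions for this example.

```powershell
# Added example (not from the book): report NTFS inheritance on a folder tree and
# show what "Disable inheritance" does to the entries. Paths and the function name
# are assumptions for this example.
function Get-NtfsInheritanceReport {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        [pscustomobject]@{
            Path               = $_.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected   # true = inheritance disabled here
            InheritedEntries   = @($acl.Access | Where-Object { $_.IsInherited }).Count
            ExplicitEntries    = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        }
    }
}

$Root = 'C:\Shares\Projects'            # assumed folder for this example
Get-NtfsInheritanceReport -Path $Root | Format-Table -AutoSize

# Disable inheritance on one subfolder but keep the inherited entries as explicit
# copies (the same as choosing "Convert inherited permissions into explicit permissions").
$Sub = Join-Path $Root 'Confidential'   # assumed subfolder
$acl = Get-Acl -Path $Sub
$acl.SetAccessRuleProtection($true, $true)   # arguments: isProtected, preserveInheritance
Set-Acl -Path $Sub -AclObject $acl

# Verify: the same identities remain, but no entry is marked IsInherited any more.
(Get-Acl -Path $Sub).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

Passing $false as the second argument to SetAccessRuleProtection would instead drop the inherited entries, leaving only whatever explicit entries were already present, which is how a folder can end up with no access for anyone but its owner.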

22. Explanation: One-time password (OTP) tokens are usually implemented as hardware-based tokens that a person carries with them. The passcode changes periodically (for instance, every 60 seconds). Another example is an RSA token. An RSA token can be a physical device, either located within a smart card or a key fob. This is intelligent technology that communicates with the security system, transferring information such as identification, dynamic passcodes, and more, allowing for a more secure authentication method. A privacy filter is a filter placed in front of a monitor to reduce the viewing angle and make it more difficult for shoulder surfers (social engineers) to discern information from the screen. See Chapter 31, “Physical and Logical Security,” for more information.

Incorrect answers: Directory permissions are the rights granted to users within Windows, allowing them (or denying them) access to files, folders, printers, and other resources. The principle of least privilege is a technical term that states that a person should only have access to what is absolutely necessary; the concept “need to know” is part of this principle.

23. Explanation: A physical network diagram will show switches and their individual ports (among other things). This documentation is designed to help describe where computers and other networking equipment should connect, on a port-to-port basis. See Chapter 39, “Documentation, Change Management, and Disaster Recovery,” for more information.

Incorrect answers: A logical topology diagram is a network diagram also, but it usually shows things on more of a high-level; for example, the IP addresses used by a LAN and what device that group of computers connects to. A process diagram is one that shows a step-by-step procedure, or troubleshooting process. A fiber backbone diagram is one that shows high-speed connections, often from one network to another. It wouldn’t be required for the upgrade that concerns switch ports, which most likely implies standard 1 Gbps switches.

24. Explanation: You should implement a multifactor authentication system (such as one that uses usernames/passwords and also a smart card). You should also educate end users as to company policies regarding the usage and storage of files and databases that can include passwords and PII. See Chapter 31, “Physical and Logical Security,” for more information.

Incorrect answers: The strength of the password was not the problem here. The organization might have already instituted a policy that requires complex passwords; it’s the password file or database that was leaked (most likely by an employee, possibly a malicious insider). But strong passwords are nonetheless important. File encryption is also a good idea, but it won’t help with authentication strength. Restricting user permissions is important, too, but if the password list that was leaked includes administrator passwords, well then, game over. You would need to implement an organization-wide password reset (and right away).

25. Explanation: Make sure the user is not using a proxy server within the browser before attempting anything else. A proxy address (whether added by malware or by the user himself) can redirect the browser to unwanted websites (often malicious in nature). See Chapter 29, “Windows Networking and Application Installation,” for more information.

Incorrect answers: Internet shortcuts that were added without the user's knowledge could also be a culprit, so these should be checked and the browser should also be cleared of cookies and cache if necessary. But check that proxy setting first!

26. Explanation: Of the listed answers, driver detection has undergone the most significant changes from Windows 7 to Windows 10, and has simplified the OS installation process. This is usually the case when it comes to new versions of an OS—they can “see” new hardware better. See Chapter 23, “Operating System Types and Windows Versions,” for more information on Windows versions.

Incorrect answers: The Metro interface was incorporated into Windows 8 and 8.1, but was removed for Windows 10. User Account Control (UAC) has been around since before Windows 7, but has worked essentially the same way over the years, plus it doesn’t play into the installation process. PXE installation means that you are installing an OS over the network. PXE is something that a network adapter must be compliant with to do this; it is outside of the Windows install process.

27. Explanation: iTunes is used with Apple iOS devices to synchronize them with a computer, upgrade them, or restore them to factory defaults. See Chapter 30, “Linux and macOS Tools,” and Chapter 4, “Smartphones, Tablets and Other Mobile Devices, Part 1,” for more information.

Incorrect answers: Safari is the iOS web browser. iMac is Apple's desktop/laptop computer. Bluetooth is a way of transmitting data wirelessly between devices and smartphones or PCs. Apple iOS devices generally synchronize to computers via USB or Wi-Fi.

28. Explanation: A hard drive shredder or drill can be used to physically tear the drive into multiple pieces or to make holes in the platters of a hard drive, thus making it inoperable. It can then be disposed of according to municipal guidelines. It is one of several ways to physically destroy a hard drive and is only performed when the drive has met the end of its lifecycle, is not going to be recycled within the organization, and is to be disposed of. Shredding (or pulverizing) is the best way to do this; vendors offer services to perform this work and provide a certificate of destruction when complete. See Chapter 35, “Data Destruction and SOHO Security,” for more information.

Incorrect answers: Disabling ports is done on a firewall or SOHO router to block access into (or out of) the network. A low-level format is a type of formatting procedure done in the UEFI/BIOS of a system (on older drives), through the use of special removable media, or at the manufacturer. It removes more data than a standard operating system format but does not destroy the drive (though it can cause damage to particular sectors if performed too often). Many technicians also refer to data wiping as a method of low-level formatting.

29. Explanation: Use the Advanced tab to enable TLS 1.2 (and other security protocols) within Internet Explorer. See Chapter 28, “Windows Control Panel Utilities,” for more information.

Incorrect answers: This was a bit of a trick question. At first glance, you would think that TLS 1.2 is a security feature; and while it is, the Security tab deals more with zone security, not specific protocol-based security options. The Privacy tab deals with blocking cookies. The Connections tab concerns setting up Internet connections, VPNs, and proxy server connections.

30. Explanation: Windows 10 64-bit installations require 32 GB of hard drive space. 15 GB is not enough for that, or for 32-bit installations, which require 16 GB of space. This holds true for physical installations and virtual installations. The virtual machine (VM) installation will fail until the VM’s hard drive space is increased. In fact, 15 GB is not enough for Windows 8 or Windows 7 either. See Chapter 23, “Operating System Types and Windows Versions,” for more information.

Incorrect answers: Windows 10 64-bit requires a 1 GHz CPU, 2 GB of RAM, and at least 800 x 600 resolution, so the rest of the answers are incorrect because they do meet the minimum requirements.

31. Explanation: You should recommend the Microsoft Domain setup. This means installing a server that acts as a domain controller where all logon authentication is centralized. This way, all access to network shares and print servers is also centralized. A domain controller is a server that is running a version of the Windows Server operating system and has Active Directory Domain Services running. See Chapter 29, “Windows Networking and Application Installation,” for more information.

Incorrect answers: A workgroup is a good choice for networks with 20 computers or less. Once you exceed 20 computers, it becomes wise to configure a domain. The main reason for this is that a single Windows 10/8/7 client computer can handle only 20 connections simultaneously. Storing all your data on one computer for every user to access is fine for networks with 10 to 15 computers. But as you increase your network to 20 computers or more, you are forced to store resources on multiple computers, which can create confusion. Ad hoc means that no one computer is in control; this especially applies to wireless networks and is sufficient for a few systems but definitely not for 25 computers. Star refers to the network topology or how computers are connected. This isn't covered in the A+ objectives but it essentially means that the computers are wired in such a way that all of them physically connect to a central connecting device (such as a switch) or wirelessly connect to a wireless access point. This is easily the most common way that computers connect to the network. While you could recommend this as well, it is basically accepted that this will be the network configuration in the vast majority of scenarios. The question was assessing your understanding of the Windows solution for how the data will be shared.

32. Explanation: Chain of custody is the chronological documentation (written) of evidence pertaining to a computer or other technical device that has prohibited content or has been confiscated. The technician should write (or type) the date, time, and who took custody of the computer next. It's important for the technician to adhere to the chain of custody rules when storing the computer or data. It's also important to verify that the chain of custody remains intact, so as to ensure evidence is admissible in legal proceedings. See Chapter 41, “Incident Response, Communication and Professionalism,” for more information.

Incorrect answers: Committing such important facts to memory is not enough; this will not stand up in court as evidence. A “third-party” will break the chain of custody. Calling the supervisor is part of first response; it's not part of chain of custody.

33. Explanation: Use the Performance Monitor (Run > perfmon.exe) to analyze a device. In this example, you can find out how many bits per second the NIC can transfer (the data transfer rate). You can also use this tool to monitor all of the other devices (objects) on the system and save and report on those findings in a variety of ways. See Chapter 26, “Microsoft Operating System Features and Tools, Part 1,” for more information.

Incorrect answers: Device Manager is where you would go to install or uninstall a device, or rollback the driver for that device. Local Security Policy (Run > secpol.msc) is where you would go to enable or disable rules (policies) on a Windows client computer. Component Services is used to configure COM elements (such as ActiveX controls) and DTC (for example, working with .NET).

34. Explanation: Most help desks’ standard policy is to have their techs research new problems for a couple minutes before escalating them to higher level techs. Oftentimes this proves to be the right course because the technician is often able to find the answer within two or three minutes. Of course, if you do place the customer on hold, watch the time (I suggest a timer app), and be sure to get back to that person when that time is up. See Chapter 41, “Incident Response, Communication, and Professionalism,” for more information.

Incorrect answers: It’s better to tell the customer that you are checking resources than to tell the person that you have never encountered the problem before because it instills more confidence. If you can’t find the answer in two minutes, then inform the customer that you will have to escalate the problem.

35. Explanation: The question mark (?) on the icon or elsewhere in the wireless connection properties will normally indicate an unauthenticated connection, meaning that the user is connecting to an “open” public hotspot; which in turn means that the user did not have to log on, and might not be using any encryption to connect via Wi-Fi. When this is the case, certain web pages and sites may not open. For example, if the user was trying to connect to the company VPN or something similar, the company’s infrastructure might see that the smartphone does not have an authenticated connection, and deny access. The same can happen with some websites. See Chapter 32, “Wireless Security, Malware and Social Engineering,” for more information.

Incorrect answers: Data allowance has to do with a cellular connection, not a Wi-Fi connection. In addition, many providers offer “unlimited” data transfer, which really means that you can send and receive x amount of data (for instance 20 GB) before the connection is throttled down—but again, that is based on cellular connectivity, not Wi-Fi connectivity. Un-rooted is what we want! That is a normally functioning phone. A rooted phone, on the other hand, is one that has been configured to gain root-level access in order to run certain programs and make changes to the phone. However, that shouldn’t affect data usage or connectivity (unless the rooting led to a hack). If the SIM card was not activated, then the user would not have been able to call in to the help desk. 3G is a cellular data technology, not Wi-Fi. A user can’t normally purchase a smartphone without a data plan, but even if the user could, that plan deals with cellular data, not Wi-Fi connections. As you can see, most of the incorrect answers concern cellular data, but the scenario refers to a Wi-Fi connection.

36. Explanation: In Windows, the Task Manager > Users tab will show any currently logged on users and their status. The Windows 10 Task Manager will show the percentage of resources that are being used by each user. See Chapter 26, “Microsoft Operating System Features and Tools, Part 1,” for more information.

Incorrect answers: Msconfig is used to change boot settings and disable services. Disk Management is used to monitor the status of drives and to work with partitioning/formatting. Administrative Tools is a collective group of tools used to configure the OS but it does not offer a quick way to see which users are logged in to the system.

37. Explanation: Compressed air and a vacuum are common tools used to remove dust and debris from inside a computer. Of course, when you use compressed air, consider doing this outside because the dust and dirt will fly all over the place. Use a vacuum to clean up after you are done. If you do use a vacuum inside the computer, make sure it is an antistatic, computer-ready vacuum, and more importantly, don’t touch any of the components inside the system! See Chapter 40, “Safety Procedures and Environmental Controls,” for more information.

Incorrect answers: Cotton and alcohol (or a 50/50 mix of alcohol and water) might be used to clean a printer's rubber rollers, the bottom of an ink cartridge (if it is very dirty), or a display. A feather duster would cause ESD and should be avoided; it is not a good tool for the job. Anti-bacterial surface cleaner should only be used on the outside of a computer case.

38. Explanation: You should use the System Preparation tool (sysprep) to remove system-specific identifiers (IDs). Chances are you are cloning a system or running the installations over the network from a single image. By default, that image will have a Security Identifier (SID), which will be copied to each system. That will cause conflicts, which you don’t want; therefore, use the sysprep tool to eliminate the problem, giving different SIDs to each computer. Chances are that you are using Windows Deployment Services (WDS) if you are imaging 100 computers with Windows; it requires Windows Server 2008 or higher. See Chapter 24, “Operating System Installation,” for more information.

Incorrect answers: Remote Installation Services (RIS) was used with older versions of Windows Server and is deprecated in favor of WDS. You most likely are doing an unattended installation (or installations) and have probably created the answer files already, during which time you would use the sysprep tool. But just having a single answer file alone (without using sysprep) would result in all computers receiving the same SID.

39. Explanation: An invalid boot disk error is a common symptom of a problem loading the Windows operating system. It could be caused by removable media inserted into the computer (an optical disc or USB flash drive) that is not bootable. This could be avoided by setting the hard drive to first in the BIOS boot order. Another possible symptom of problems loading the operating system would be if a RAID array was not detected during boot up or during installation of the OS. Either way, the hard drive, or RAID array of hard drives, should be inspected for faulty connections. See Chapter 36, “Troubleshooting Microsoft Windows,” for more information.

Incorrect answers: A spontaneous shutdown and restart indicates either a problem with the power supply or the possibility of malware on the system. Note that the question referred to “starting up” Windows; a shutdown or restart can only happen when the system has already booted. WinRE is the Windows Recovery Environment, which includes System Recovery Options such as Startup Repair and System Restore. This is not performed during a routine bootup of Windows but can be initiated by booting from the Windows DVD or from a special partition on the hard drive or by booting from a USB flash drive. If it won't start, there could be a problem with the DVD, the DVD drive, the boot order, or how it was installed to the partition on the hard drive. If the optical disc fails, it shouldn't stop the startup of Windows because Windows will most likely be located on the hard drive. An emergency repair disk (or disc) should only be booted to in the event that there is a problem with Windows. It's not a common symptom of a problem starting Windows, but we might use a recovery disc to fix the problem. REGSVR32 (sometimes misrepresented as REGSRV32) is a tool used in the Command Prompt to activate or deactivate ActiveX controls, none of which should stop Windows from booting.

40. Explanation: Malware can have many symptoms. Viruses are especially prevalent in today's society; there are millions of different kinds. Fake security alerts, failure to update Windows, and renamed system files are all possible symptoms of malware—more specifically, symptoms of a virus. See Chapter 37, “Troubleshooting PC Security Issues and Malware Removal,” for more information.

Incorrect answers: Windows has a pre-installation environment known as Windows PE or simply WinPE; this is a lightweight version of Windows that is often used to deploy the operating system. It can be booted from an optical disc, a USB flash drive, over the network via PXE, or from the hard drive. It was originally distributed as an add-on to Windows in the Windows Automated Installation Kit (WAIK), which has since been replaced by the Windows Assessment and Deployment Kit (ADK). WinPE is the basis for recovery tools such as Windows RE, and it is also used for running drive-cloning utilities. Rogue antivirus programs are not symptoms of malware; they are malware! A rogue antivirus program is often something that appears to be legitimate when it is not. Or it could be part of a rogue security software suite, which deceives the user into paying for fake malware protection. User error is not a symptom of malware, but it could very well be the cause. If a user surfs to a malicious website or opens an unknown e-mail attachment without verifying the source of the e-mail first, malware could be—and often is—the result. Educate the end user when it comes to screening e-mails and surfing the web. Show the user how to be responsible when accessing online information.

41. Explanation: It could be that another program (quite possibly malicious) is using the camera on its own without user intervention. So, the first and best thing to do is to check the application permissions. For example, on Android a typical navigational path would be Settings > Apps & notifications > App permissions (the exact path varies by Android version and vendor). From there you will see the Camera permission; tap it to find out which applications have been granted it. Then, you can revoke it from whichever apps you need to. You might also find a malicious or unwanted program on the list and enabled for camera usage—if so, it should be removed. See Chapter 38, “Troubleshooting Mobile Operating Systems,” for more information.


Note

You can also check permissions from code or from a workstation. Inside an app, the ContextCompat.checkSelfPermission(…) call (typically wrapped in an if statement) reports whether the app currently holds a given permission. From a workstation connected over ADB, the command adb shell dumpsys package <package-name> lists each package's runtime permissions and whether they are granted. If you are interested in Android development, check out this link:

https://developer.android.com/training/permissions/requesting


Incorrect answers: Updating all applications is a bit premature. You may want to do that at some point though, as long as company policy allows it. OS updates should be checked as well at some point, but not first; that doesn't get to the root of the problem. Uninstalling the camera application won't change how other apps can use the camera. You will simply be preventing the user from using the camera. Resetting the phone is one of the last options, but it could be a reality if the smartphone has been compromised, which is a distinct possibility in this scenario. If resetting is necessary, an organization might also require a few overwrites of data first.
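As an added example (not part of the original answer key), here is a small Python script that automates the permission review described above. It parses the “runtime permissions” section that adb shell dumpsys package prints for each package and reports which packages currently hold the CAMERA permission, flagging any that are not on an allow-list of apps expected to have it. The sample dumpsys text and the package names are constructed for illustration; real dumpsys output differs in detail between Android versions, so the regular expressions are assumptions you may need to adjust.

```python
import re

# Constructed sample resembling the "runtime permissions:" section that
# `adb shell dumpsys package <pkg>` prints. Package names are hypothetical.
SAMPLE_DUMPSYS = """\
Package [com.example.camera] (1a2b3c):
  userId=10123
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
Package [com.example.flashlight] (4d5e6f):
  userId=10124
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (7a8b9c):
  userId=10125
    runtime permissions:
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

# Assumed line shapes: "Package [name] (hash):" and
# "      android.permission.X: granted=true|false, ..."
PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted_permissions(text):
    """Return {package_name: set(of runtime permissions currently granted)}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = PERM_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            result[current].add(m.group(1))
    return result


def packages_with(text, permission="android.permission.CAMERA"):
    """Sorted list of packages that hold the given permission."""
    granted = parse_granted_permissions(text)
    return sorted(pkg for pkg, perms in granted.items() if permission in perms)


def suspicious_camera_holders(text, expected):
    """Packages granted CAMERA that are not on the allow-list `expected`.

    Anything returned here is a candidate for revoking the permission
    or removing the app outright.
    """
    return [p for p in packages_with(text) if p not in expected]


if __name__ == "__main__":
    # With a real device: text = subprocess.check_output(
    #     ["adb", "shell", "dumpsys", "package"], text=True)
    for pkg in suspicious_camera_holders(SAMPLE_DUMPSYS, {"com.example.camera"}):
        print("unexpected CAMERA grant:", pkg)
```

The allow-list is the key design choice: rather than eyeballing a long list, you decide up front which apps legitimately need the camera and let the script surface everything else.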

42. Explanation: The only option that would help the situation would be to run the chkdsk command with the /R option. /R locates bad sectors and recovers readable information, which is the only option listed that might fix the file system corruption (keyword might). /R implies /F as well, which fixes basic errors on the drive. See Chapter 25, “Microsoft Command-Line Tools,” for more information.

Incorrect answers: Reloading the OS would wipe all data (on the system partition at least), so it is not recommended. In addition, you wouldn't normally go from NTFS to FAT32; it's recommended to use NTFS. Plus, if the file system was corrupt, a reinstall of the OS (using NTFS again) would fix those issues, but at the cost of the data. Opening the defrag utility and running a drive analysis doesn't really change the drive; it simply tells you if the drive is fragmented. Changing the drive from basic to dynamic is done so that you can create spanned, striped, or otherwise resizable volumes; it does nothing for file system corruption.

43. Explanation: Non water-based fire extinguishers should be used during an electrical fire. This could be a CO2-based fire extinguisher such as a Class C extinguisher, a Halotron fire extinguisher, or an FM-200 overhead system. See Chapter 40, “Safety Procedures and Environmental Controls,” for more information.

Incorrect answers: Standard overhead sprinkler systems use water. They should not be present where expensive computer equipment is located (for example, in server rooms). Regular water-based fire extinguishers should not be used. Class B extinguishers are meant for burning gases and liquids, whereas Class C are meant for electrical fire (think “C” for “copper,” like the copper inside electrical wiring).

44. Explanation: Attempt to install legacy (older) applications in compatibility mode. Select the older OS that the application was originally written for. See Chapter 28, “Windows Control Panel Utilities,” for more information.

Incorrect answers: It is less likely that updates or the latest service pack (SP) will help in this situation. In fact, Windows 8 and higher don't use service packs, but it is wise to update to Windows 8.1. Service packs are used in Windows 7 and earlier. Security updates probably won't have an effect on this scenario either.

45. Explanation: The most likely cause in this scenario is that there has been unauthorized root access. Whether this was done by the user on purpose or without his knowledge by one of the newly installed apps is still something you need to discover. Unauthorized root access by an app or by a user could cause the phone to perform unwanted actions, which would most likely drain the battery quickly. See Chapter 38, “Troubleshooting Mobile Operating Systems,” for more information.

Incorrect answers: It is unlikely that the battery needs to be replaced seeing as how it is a new phone, but it is something you can investigate after checking if the phone has been rooted. A defective SD card probably won’t affect the battery. Weak signal could cause a battery drain (especially if the user is in a basement or other unfavorable wireless location), but short battery life is more likely caused by root access, by powerful apps pulling too much power, or by a bright display that has been configured to not shut off. Slow data speeds are an annoyance, but they’re not something that should cause the battery to drain quickly.

46. Explanation: For the highest level of wireless security, use WPA2 (and AES). For authentication, select multifactor authentication (MFA). Many healthcare providers are required to log on with a username/password and a smart card (or biometric). See Chapter 32, “Wireless Security, Malware, and Social Engineering,” for more information.

Incorrect answers: Out of WEP, WPA, and WPA2, WPA2 is the most secure. WEP is especially vulnerable. TKIP is an outdated encryption protocol; AES is a much better choice. RADIUS and TACACS are examples of authentication servers—the scenario mentioned that the company cannot afford a server. It is unknown what the cloud contains; there is probably an authentication server there (connected to via secure VPN), but it is not something that you would implement at the SOHO office. Also, it is more likely that a company would use TACACS+, not the older TACACS. SSO stands for single sign-on, and it quite possibly is already set up in the cloud, as it is very common in the healthcare industry.

47. Explanation: Try adjusting the power settings so that wireless connections will not time out as quickly. This can be done in Windows by accessing Control Panel > Hardware and Sound > Power Options > Edit Plan Settings. In the Power Options dialog box, go to Advanced settings and modify the Wireless Adapter Settings. See Chapter 28, “Windows Control Panel Utilities,” for more information.

Incorrect answers: If the wireless card was faulty, the customer would never be able to get onto a wireless network, so there is no reason to replace the wireless card. The capacity of the battery will not affect wireless connections. Disabling the screensaver will also not affect the wireless connection; however, you can get to some of the power options necessary to solve the wireless problem indirectly from the screensaver window.

48. Explanation: Use gpedit.msc in the Run prompt or the Command Prompt. This will display the Local Group Policy Editor window, where you can make changes to the OS, such as removing the Shut Down button. Note that the Local Group Policy Editor is not included in the Home editions of Windows. See Chapter 31, “Physical and Logical Security,” for more information.

Incorrect answers: shutdown.exe is used to shut down the computer automatically or modify programmatically how the computer shuts down. bootrec.exe is a tool used to repair problems such as an error in the boot sector (fixing this requires the syntax bootrec /fixboot.) Services.msc can be executed from the Run prompt; it brings up the Services window, where you can start/stop services.

49. Explanation: grep is the Linux command used to search for lines matching a pattern (a fixed string or a regular expression) in one or more files, or in text piped to it from another command. See Chapter 30, “Linux and macOS Tools,” for more information.

Incorrect answers: Other Linux commands include sudo, which allows a permitted user to execute a command as another user (by default, root); chmod, which is used to change the permissions of a file or folder; and wget, which retrieves content from web servers (as opposed to the get command, which is often used to obtain files from an FTP server).

50. Explanation: Chances are that the update caused an issue with the computer; perhaps the video driver or another driver was updated, resulting in the black screen. Booting into Safe Mode can help to figure out the problem. If Safe Mode displays properly, then you can be fairly certain that there is a video driver issue (which can then be rolled back) or some other driver issue. If you aren't sure what was affected, you can roll back the entire update. See Chapter 36, “Troubleshooting Microsoft Windows,” for more information.

Incorrect answers: The registry is rarely the first place to go when troubleshooting problems, and definitely not in this case. That is where you go to make advanced configuration changes to the OS. Many times, when you take exams, two answers will look plausible; that’s the case here with “Configure boot options in the BIOS”. Often, if there is a black screen, it might be accompanied by a message, such as “invalid boot device”, or “No OS found”. If that is the case, then it could very well be that the BIOS boot priority needs to be changed. However, in the scenario, there is no mention of a message of any sort (it could be that the video card is simply displaying a black screen), but you did get information that there was an update the night before. Disabling Windows services is a possibility, but we would want to boot into Safe Mode first and diagnose the system further before we had a reason to disable any services.

51. Explanation: Remove watches, jewelry, and any other metals when working on a computer so they are out of the way and do not pose any threats while working on the computer. See Chapter 40, “Safety Procedures and Environmental Controls,” for more information.

Incorrect answers: You should review local regulations and check for environmental concerns when disposing of hard drives, batteries, and toner cartridges. Read the MSDS (material safety data sheet) when you encounter a fluid spill or other unknown chemical.

52. Explanation: Before you do anything else, disconnect the network cable from comp112. This can help to isolate the problem. You might also decide to disconnect the network cables from any other systems that were infected by this worm. Sometimes, it is easier to do this at the server room. See Chapter 37, “Troubleshooting PC Security Issues and Malware Removal” for more information.

Incorrect answers: After the network cable is disconnected, the computer should be shut down (which will log off the user anyway) and rebooted into Safe Mode. Then the worm should be isolated and quarantined. Finally, a full virus scan should be run. This, of course, is just a quick example; you probably need to do more to resolve this problem on all computers concerned.

53. Explanation: This is a Linux, Unix, or macOS system. When it comes to Linux and Unix and similar systems, a lot of technicians simply refer to them as *nix, meaning anything ending in “nix”. Most Linux distributions use the Bash shell by default, and that is where scripts are run. This first line, known as a shebang, gives the path to the interpreter the system should use to run the script that follows. See Chapter 42, “Basic Scripting and Remote Access Technologies” for more information.

Incorrect answers: Windows uses PowerShell; saved scripts (as .ps1 files) don't need this type of line to identify the shell interpreter. iOS doesn't use Bash or Terminal the way that macOS or Linux does. JScript is Microsoft's implementation of JavaScript, which is not a system at all; it is a scripting language, often used in conjunction with websites (and, in the JScript case, with Windows Script Host).

54. Explanation: The System Configuration utility (msconfig) can be used to change the total CPU cores used by Windows. This can be found in the Boot tab > Advanced options button. From there, checkmark the “Number of processors:” checkbox and select the number of CPU cores (or actual number of CPUs if you have more than one). This is usually done to troubleshoot the CPU or Windows; in most cases, Windows will use all CPU cores available to it by default. See Chapter 26, “Microsoft Operating System Features and Tools, Part 1” for more information.

Incorrect answers: The Performance Monitor (perfmon.exe) is used to analyze system performance and can view each core in real time, as can the Task Manager (taskmgr.exe). The DirectX Diagnostics tool (dxdiag.exe) is used to analyze audio and video DirectX components in the system.

55. Explanation: The most likely cause (of the listed answers) is an inactive VPN connection. If the user did not log in through the VPN, or if the VPN session timed out, then the user will not be able to get access to the files stored at the office LAN. See Chapter 31, “Physical and Logical Security,” for more information.

Incorrect answers: Outdated anti-malware protection could possibly allow a virus to get into the system; a symptom of which might be missing or renamed files on the local computer. Mobile device management (MDM) policies are designed to configure or restrict mobile devices. However, we don’t know what type of computer the person is using from home, but we can guess it is a laptop, and not a smartphone or tablet. Untrusted software is any application that an organization does not trust, and does not want installed to systems. It’s possible that untrusted software could cause the VPN connection to fail, but it is less likely as an indirect cause of the problem.

56. Explanation: The user will have only read access to the file. Remember that when a file is accessed over the network, the share permissions and the NTFS permissions are both applied, and the more restrictive of the two takes precedence; in this case, the NTFS “Read” permission level takes effect. See Chapter 33, “Windows Security Settings and Best Practices,” for more information.

Incorrect answers: It is possible for the user to get write, modify, or full control access, but only if the NTFS permissions are configured to allow the user to do so. As it stands, the user only has read access.

57. Explanation: The program would be installed to C:\Program Files (x86). This is the default folder for 32-bit programs when installed to a 64-bit version of Windows. This works in the same manner in Windows 7, 8, and 10. See Chapter 23, “Operating System Types and Windows Versions,” for more information.

Incorrect answers: 64-bit programs are installed to the C:\Program Files folder. The operating system is installed to C:\Windows. Finally, C:\ is the root of the hard drive. A few system files are placed in the root, but otherwise the OS and applications are installed to folders within the root. x86 is the general term applied to 32-bit computers, whereas x86-64 (or simply x64) is the term applied to 64-bit computers.

58. Explanation: If the computer has a recovery partition, then the reinstallation of Windows can be accomplished from there. This is often a partition that was placed on the hard drive by the computer manufacturer for just this type of scenario. See Chapter 24, “Operating System Installation,” for more information.

Incorrect answers: System Restore is an example of Windows functionality that can bring the system back to an earlier point in time but does not reinstall the entire OS. A Linux rescue boot disc might work, but only if a Windows image is available somewhere, so the answer is not specific enough. (You might also use a flash drive with Windows image.) The primary partition is where Windows is installed to. It will not normally contain recovery data or a recovery Windows image.

59. Explanation: The first thing you should do is look up the error number. If an item fails during Windows Update, an error log called WindowsUpdate.log should be written to the %systemroot%, usually C:\Windows. (In Windows 10, the log is kept as ETW trace files instead; run the Get-WindowsUpdateLog PowerShell cmdlet to generate a readable WindowsUpdate.log on the desktop.) An example of an error code is 0x80243FFF, which is a user interface error. (It might show up in the log without the “0x”.) You might also need to access the CBS.log file, which is located in %systemroot%\Logs\CBS. See Chapter 27, “Microsoft Operating System Features and Tools, Part 2,” for more information.


Note

Here’s a link to a list of Windows Update error codes:

https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference


Incorrect answers: While the Event Viewer can be very handy for analyzing system file, application, and security issues, it is not the first and best place to go when troubleshooting Windows Update errors. The Event Viewer is more generic (problem-wise), whereas the WindowsUpdate.log and CBS.log files are very specific. Downloading the failed update and installing it manually will probably result in the same error. We need to dig deep and find out what the real cause of the problem is. You do want to visit the Microsoft website, but you will most likely be going to support.microsoft.com or docs.microsoft.com (or both) to look up the code; the Microsoft Update Catalog exists for downloading individual updates, but there is no Update troubleshooting website per se (as of the writing of this book).
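As an added example (not from the original answer key), this Python script does the first step the explanation describes: it pulls every error code out of a WindowsUpdate.log, normalizes codes that appear with and without the “0x” prefix, counts them, and shows the first line each one appeared on so you know what to look up. It also splits a code into its HRESULT facility and error fields, which tells you whether the failure came from the Windows Update agent itself (facility 0x24) or from a generic Win32 error (facility 0x7). The log lines below are constructed to resemble Get-WindowsUpdateLog output; the timestamps, PIDs and messages are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a WindowsUpdate.log. The
# timestamps, process/thread IDs and message text are illustrative only.
SAMPLE_LOG = """\
2019/03/05 10:22:31.1200000 1248 5404 Agent  * START * Finding updates CallerId = UpdateOrchestrator
2019/03/05 10:22:35.4410000 1248 5404 Agent  *FAILED* [80243FFF] Method failed [CUpdateUI::ShowProgress:112]
2019/03/05 10:22:35.4420000 1248 5404 Agent  Exit code = 0x80243FFF
2019/03/05 10:30:02.0010000 1248 7720 Handler  Installing update 12345678-1234-1234-1234-123456789abc
2019/03/05 10:30:09.8870000 1248 7720 Handler  *FAILED* [80070005] Access is denied
2019/03/05 10:30:09.8880000 1248 7720 Handler  Exit code = 0x80070005
"""

# An 8-hex-digit failure HRESULT (high bit set, so it starts with 8), with or
# without a 0x prefix, not embedded in a longer hex run such as a GUID.
CODE_RE = re.compile(r"(?<![0-9A-Fa-f])(?:0x)?(8[0-9A-Fa-f]{7})(?![0-9A-Fa-f])")


def normalize(code):
    """Canonical form: 0x prefix plus upper-case hex digits."""
    code = code[2:] if code.lower().startswith("0x") else code
    return "0x" + code.upper()


def error_codes(log_text):
    """Counter of normalized error codes found anywhere in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        for m in CODE_RE.finditer(line):
            counts[normalize(m.group(1))] += 1
    return counts


def first_context(log_text, code):
    """First log line mentioning `code`; the surrounding text is what you search for."""
    target = normalize(code)
    for line in log_text.splitlines():
        if any(normalize(m.group(1)) == target for m in CODE_RE.finditer(line)):
            return line.strip()
    return None


def facility(code):
    """Split an HRESULT into (facility, error). Facility 0x7 = Win32, 0x24 = Windows Update."""
    value = int(normalize(code), 16)
    return (value >> 16) & 0x7FF, value & 0xFFFF


if __name__ == "__main__":
    for code, n in error_codes(SAMPLE_LOG).most_common():
        fac, err = facility(code)
        print(f"{code}  x{n}  facility=0x{fac:X} error=0x{err:X}")
        print("   ", first_context(SAMPLE_LOG, code))
```

Run it against a real file with error_codes(open(path, encoding="utf-8", errors="replace").read()). The facility split is the useful trick: 0x8007xxxx codes are ordinary Win32 errors (0x80070005 is access denied) and usually point at permissions or a locked file rather than at Windows Update itself.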

60. Explanation: You must rejoin the computer to the domain. This can be done by navigating to the Computer Name tab of the System Properties dialog box, which is accessed from the Advanced settings link in the System window or by executing systempropertiescomputername.exe at the Run prompt. You might also use the netdom command in the Command Prompt if you have Remote Server Administration Tools (RSAT) installed on the Windows client or are working directly on a Windows server. In PowerShell, Test-ComputerSecureChannel -Repair (or Reset-ComputerMachinePassword) can repair the broken trust without removing and re-adding the computer account. See Chapter 29, “Windows Networking and Application Installation,” for more information.

Incorrect answers: Updating the BIOS to the latest version will help with any firmware issues but won't have any effect on trust relationships within Windows. Running CHKDSK will check for errors on the hard drive. Rebooting the PC will not automatically rebuild the relationship; you must manually re-join the computer to the domain.

61. Explanation: Your friend might have an address such as thomasR@abc-company.com. To enable the iPad access to this e-mail account, you'll need the server that handles e-mail (be it SMTP, POP3, IMAP, or an Exchange server) and the domain name that the server resides on. Often, this will be the same domain name as the e-mail address, but not always. An example of an SMTP mail server might be mail.abc-company.com. A POP3 server might be pop.abc-company.com. See Chapter 38, “Troubleshooting Mobile Operating Systems,” for more information.

Incorrect answers: IP addresses aren't necessary when configuring an e-mail account within an iPad, an Android device, a PC, or any computer, really. This is because the e-mail account software will automatically attempt to resolve the mail server name to IP address, in the same manner a web browser does when you type in a web address. The gateway address and DNS server are only necessary when attempting to connect a device to the Internet. This most likely won't be an issue with an iPad, but it can be configured in the networking settings if necessary.

62. Explanation: Android uses the extension .apk for application installations and upgrades. It loosely stands for Android application package. See Chapter 30, “Linux and macOS Tools,” for more information.

Incorrect answers: An API is an application programming interface, which the .apk would go through; it's not normally used as an extension. .exe is short for executable, the most commonly used application extension in Windows. .ipa is an iOS application archive file. An SDK is a software development kit. You would use this, for example, if you wanted to program or analyze an Android device or if you wanted to build applications for Windows. SDK is not normally used as a file extension, although you might see it used with less common computer-aided drafting software.

63. Explanation: You should recommend an uninterruptible power supply (UPS). This meets both requirements: 1. That the system gracefully shuts down in the case of a power outage, which protects files from corruption; and 2. Can provide an hour of uptime (though that will require a fairly powerful UPS of at least 1500 VA). See Chapter 40, “Safety Procedures and Environmental Controls,” for more information.

Incorrect answers: A surge protector and a power strip don't meet either of the two requirements. A power strip simply allows for more outlets, while a surge protector can help protect a computer from surges or spikes. A power distribution unit (PDU) is a device with multiple outlets that can come in many forms, including as a strip; however, it is much more than a power strip in that it can be monitored and controlled. PDUs are often used in data centers and server rooms, but they provide no battery backup.

64. Explanation: chkntfs is the command utility used to control whether chkdsk runs at bootup. For example, chkntfs /d restores the default behavior, in which every drive is checked at boot time and chkdsk is run automatically on any drive found to be “dirty.” A volume is marked dirty when it was not cleanly dismounted (for example, after a crash or power loss) or when the file system detected corruption; you can query the flag directly with fsutil dirty query C:. For more information on chkntfs, type chkntfs /?. See Chapter 25, “Microsoft Command-Line Tools,” for more information.

Incorrect answers: convert enables a partition change from FAT32 to NTFS without losing data. ipconfig is used to analyze the configuration of a network adapter. netdom enables administrators to manage Active Directory domains and trust relationships from the Command Prompt. For example, it could be used to join a Windows 7 computer to a domain. It is used primarily on Windows Server operating systems.

65. Explanation: The best answer listed is that the parent folder has explicit Deny rights set for the third-party user. If this is the case, then by default, that permission will propagate to any sub folders and files within the parent. This can also be expressed as the default action for a sub folder (also known as a child folder) to inherit its permissions from the parent. Basically, you should remember two things: one, that a folder inherits its permissions from the parent; and two, that Deny rights will always override Allow rights. See Chapter 33, “Windows Security Settings and Best Practices,” for more information.

Incorrect answers: If the folder was set with Allow rights, the third party should be able to access the data. If the user forgot to share the folder, the third party would not be able to access the data. However, it's the second part of that answer that is impossible, because you can't share a specific file; you can only share folders. The archive attribute does not create a copy of anything; it is simply a flag that marks a file as changed since the last backup, so that backup software knows to copy it. Permissions questions can be some of the toughest on the A+ exam, but if you remember a few basic rules (such as the ones mentioned here), you should survive them!
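As an added example that serves both question 56 (share plus NTFS permissions) and question 65 (inherited Deny), here is a small Python model of how Windows arrives at a user's effective permissions. It is not code from the book; it is a simplification that keeps four granular rights and the named levels Read, Modify and Full Control. It applies the canonical ACE order Windows actually uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow; the first ACE that mentions a right decides it), accumulates rights across the user's groups, and intersects the NTFS result with the share permission for network access. That order goes slightly beyond the exam rule “Deny always wins”: an inherited Deny from the parent does override everything inherited, which is the question 65 scenario, but an explicit Allow placed directly on the child overrides an inherited Deny. The user, group and folder names are hypothetical.

```python
from dataclasses import dataclass

READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_permissions"
ALL_RIGHTS = frozenset({READ, WRITE, DELETE, CHANGE_PERMS})

# Named permission levels expressed as sets of granular rights (simplified).
NTFS_LEVELS = {
    "Read": frozenset({READ}),
    "Modify": frozenset({READ, WRITE, DELETE}),
    "Full Control": ALL_RIGHTS,
}
SHARE_LEVELS = {
    "Read": frozenset({READ}),
    "Change": frozenset({READ, WRITE, DELETE}),
    "Full Control": ALL_RIGHTS,
}


@dataclass(frozen=True)
class Ace:
    principal: str          # user or group the entry applies to
    allow: bool             # True = Allow ACE, False = Deny ACE
    rights: frozenset       # granular rights the entry covers
    inherited: bool = False # True if the entry came from the parent folder


def ntfs_effective(acl, principals):
    """Effective NTFS rights for a user whose own name plus groups are `principals`.

    Windows evaluates ACEs in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. For each right the first ACE that mentions
    it decides; rights granted through different groups accumulate.
    """
    decided = {}
    # (inherited, allow) sorts False before True, which is exactly canonical order.
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.principal not in principals:
            continue
        for right in ace.rights:
            decided.setdefault(right, ace.allow)
    return frozenset(r for r, allowed in decided.items() if allowed)


def effective_over_share(acl, principals, share_rights):
    """Network access: the more restrictive of NTFS and share permissions wins."""
    return ntfs_effective(acl, principals) & share_rights


def inherit(parent_acl):
    """Child objects receive the parent's ACEs, flagged as inherited."""
    return [Ace(a.principal, a.allow, a.rights, inherited=True) for a in parent_acl]


def describe(rights):
    """Map a right set back to a named level, or spell out a custom set."""
    for name, level in sorted(NTFS_LEVELS.items(), key=lambda kv: -len(kv[1])):
        if level == rights:
            return name
    return "No access" if not rights else "Special: " + ", ".join(sorted(rights))


if __name__ == "__main__":
    # Question 56: share = Full Control, NTFS = Read for alice -> Read.
    acl = [Ace("alice", True, NTFS_LEVELS["Read"])]
    print("Q56:", describe(effective_over_share(acl, {"alice", "Users"}, SHARE_LEVELS["Full Control"])))

    # Question 65: parent grants Users Modify but explicitly denies thirdparty;
    # the child inherits both, so thirdparty ends up with nothing.
    parent = [Ace("Users", True, NTFS_LEVELS["Modify"]), Ace("thirdparty", False, ALL_RIGHTS)]
    child = inherit(parent)
    print("Q65:", describe(ntfs_effective(child, {"thirdparty", "Users"})))
```

The fix for the question 65 scenario is visible in the model: either remove the Deny from the parent, or add an explicit Allow on the child, which the canonical order lets win over the inherited Deny.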

66. Explanation: On Linux, commands are typed into a Terminal utility, which by default runs the Bash shell, the most common Linux shell. (The same arrangement is available in macOS.) The Terminal allows the user to enter commands of all types—including recovery commands—to be executed by Linux. See Chapter 30, “Linux and macOS Tools,” for more information.

Incorrect answers: The equivalent of this in Windows is the Command Prompt, often referred to as CMD or cmd because it can be opened with the cmd.exe executable. Backup and restoration programs, such as macOS’s Time Machine, Windows System Restore, and so on, cannot have recovery commands typed into them. You require some kind of text interface to do so.

67. Explanation: Modify the AutoRun settings and disable the guest account. Modify AutoPlay/AutoRun by disabling it in the Group Policy Editor. (Also, the use of USB drives and other removable media should be disabled in the UEFI/BIOS.) Disable the Guest account within Local Users and Groups (or within Active Directory Users and Computers if on a domain). The problem with the Guest account is that it has no password by default. It could be used to attempt privilege escalation. See Chapter 33, “Windows Security Settings and Best Practices,” for more information.

Incorrect answers: Removing admin permissions is somewhat vague. An administrative account has administrative permissions for a reason: so that the admin can access the server. Removing a user from the Administrators group would result in a standard user account, which is great from a principle of least privilege perspective, but that person could no longer administer the server, making it pointless. A software-based firewall would not have prevented this exploit because the user was local (behind the firewall) using a USB stick. You could change the default credentials of the Guest account and give it a strong password, but it is better, and more important, to disable the account outright. OS security updates should be run on a regular basis, but this is an issue that goes beyond updates.

68. Explanation: Taskkill is the command in Windows that can stop a single process from the command-line. See Chapter 25, “Microsoft Command-Line Tools,” for more information.

Incorrect answers: shutdown is a command used to shut down the entire system either right away or at a designated time. tasklist displays a list of all running processes at the command line and associates each process with an ID. This is integral when running the taskkill command—you need to know the executable name or the process ID (PID) of the task you want to stop. DEL is short for the delete command, which is used to delete files.

69. Explanation: Encryption (for example, WPA2 with AES) will prevent unauthorized users from accessing confidential data that is transmitted over the wireless network. One of the best ways to protect confidentiality of data in general is through encryption. Use the highest level of encryption possible on a SOHO wireless network to eliminate this threat. See Chapter 35, “Data Destruction and SOHO Security,” for more information.

Incorrect answers: Enabling MAC filtering looks like a good answer. However, this is used to stop unauthorized computers from accessing the wireless network. While a good idea, it does nothing to protect the actual data itself. Plus, MAC addresses are transmitted in the clear and are easy to spoof, so an attacker can get past MAC filtering. If that happens, encryption is going to be the savior anyway. While anything is hackable, there is no practical attack on the AES cipher itself; an attacker's realistic route is a weak passphrase, which is why a long, random one matters. Changing the SSID name only modifies the name of the wireless network. By default, the SSID is broadcast from most SOHO routers and is easily found by various wireless scanning software packages. Reducing the broadcast power is a smart idea as well, but this simply reduces the distance the SOHO router sends its wireless signal. If the hacker is within this range, they will have access to the network. The key here is confidential. To protect confidentiality, use encryption.

70. Explanation: Programs and Features is the place to go in the Control Panel (CP) to remove an application in Windows. You can also open this by entering appwiz.cpl in the Command Prompt. See Chapter 28, “Windows Control Panel Utilities,” for more information.

Incorrect answers: Disk Cleanup is used to remove temporary files; it's not used to remove applications. Administrative Tools is a group of tools, such as Computer Management and the Task Scheduler. Folder Options is where you can go to change how folders are displayed.

71. Explanation: Check the proxy server settings in the browser. Many large networks use a proxy server to facilitate the caching of web pages—often this is for external, or public, websites only. It could be that the proxy server was not configured properly or wasn’t configured at all. In Internet Explorer, the proxy server settings can be accessed by going to the Internet Properties dialog box (either from the browser menu bar or from Control Panel > Internet Options), navigating to Connections > LAN settings, and configuring the bottom half of the window where it says Proxy server. It is done in a similar fashion in other browsers. See Chapter 29, “Windows Networking and Application Installation,” for more information.

Incorrect answers: You shouldn't have to modify the IPv6 settings because the question said the system had a valid IP address. The hosts file is a plain text file (%systemroot%\System32\drivers\etc\hosts) used to statically map hostnames to IP addresses before DNS is consulted. It exists in every version of Windows but is rarely used by end users; malware, however, commonly tampers with it to redirect or block websites. If it had been tampered with, the browser probably wouldn't be able to connect to any websites, be they external or internal. A DNS server performs domain name to IP address resolution; if other pages are working on the intranet, then chances are that the DNS server is not the issue.

72. Explanation: Of the listed answers, you should reduce the transmitting power of the AP and disable the SSID broadcast. Reducing the power limits signal bleed to other offices; usually this can be set to “low” or something similar. Disabling the SSID broadcast (the network name of the AP) means a typical user cannot scan for and locate the wireless network. Keep in mind that this is obscurity rather than security: the SSID still appears in probe and association frames, so any wireless sniffer will reveal it. Other smart ideas are to put a strong password on the admin account, use WPA2/AES, implement MAC filtering, and disable WPS. See Chapter 35, “Data Destruction and SOHO Security,” for more information.

Incorrect answers: WPA is generally avoided as WPA2 is better. Disabling the DHCP server won’t do much for security, but it will hamper availability, because most end-users’ computers will obtain IP addresses automatically. Most SOHO routers can modify the channel width, but can’t reduce the channel availability. Users can either connect or not. When enabled, Quality of Service (QoS) can help to prioritize traffic from specific computers or applications.

73. Explanation: In order for proper quarantining and removal of malware, you will usually have to disable System Restore first because it can get in the way of the anti-malware scanning and removal processes. See Chapter 37, “Troubleshooting PC Security Issues and Malware Removal,” for more information.

Incorrect answers: You might ask, “Well, what about disabling the network cards so that the malware doesn't spread?” While this might work, the best way is to physically disconnect the computer from the wired network and turn off any wireless on/off switches if at all possible. Or remove the wireless antenna from the computer. It's just impossible to tell if a virus or other type of malware is playing tricks on the Windows option to disable a networking card. Windows Update should be run after quarantining and removal processes are complete. CHKDSK /R can be run to locate bad sectors and recover readable information, if necessary, after the malware removal is complete.

74. Explanation: Among other things, you should recommend strong passwords and assigning security rights based on job roles. Strong passwords are important on routers, wireless devices, switches, computers, and anything else that can be logged into. Role-based access control is when rights and permissions are assigned based on the person's job in a company: accounting, marketing, and so on. See Chapter 33, “Windows Security Settings and Best Practices,” for more information.

Incorrect answers: Daily security audits might be a good idea, but they do not by themselves increase security; they only identify threats or vulnerabilities that then need to be attended to. The customer already said that her AV software is up to date, so additional AV software should not be necessary. In fact, you shouldn't run more than one real-time AV product at a time, because they can conflict with each other and slow down the system. Disabling screen savers doesn't increase the security of the network, but configuring the screen saver to require a password on resume makes the individual systems more secure.

75. Explanation: Professionalism comes in many forms. When dealing with a customer, you should avoid distractions, avoid being judgmental, and meet expectations that are set. Also, avoid arguing, talking to co-workers, and personal interruptions. Be positive and listen to the customer. See Chapter 41, “Incident Response, Communication and Professionalism,” for more information.

Incorrect answers: It is important to retain a chain of custody, but this has more to do with tracking evidence and less to do with professionalism. Documentation is important as well and should be developed by you as the technician; it should not be left to the customer.

76. Explanation: Look in the Event Viewer first, specifically the Application log and the System log, where the Service Control Manager records why a service failed to start (for example, a dependency that failed, a timeout, or a service-specific error), and look for any other log files created by the new application. These might contain clues as to why the service won't start: perhaps the service depends on another service that isn't running, or perhaps a particular file is missing or needs to be replaced. See Chapter 26, "Microsoft Operating System Features and Tools, Part 1" for more information.

Incorrect answers: The registry holds the service's configuration (under HKLM\SYSTEM\CurrentControlSet\Services, including its executable path and dependencies), but it won't tell you what error occurred. %systemroot%\System32\Drivers contains drivers for hardware. The log file might eventually lead you to believe that a driver needs to be replaced, but that folder isn't the first place to look. Task Manager shows the performance of the CPU and RAM and shows which services are running; you might have attempted to start the service from there (or from the Services console) as part of the scenario.
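One way to collect the evidence the explanation above points to, as an added example that is not from the book: it checks the service's dependencies and binary path, then pulls the Service Control Manager events from the System log and the application's own entries from the Application log. 'ExampleSvc' is a hypothetical service name.

```powershell
# Added example (not from the book): gather the evidence for a service that
# won't start. 'ExampleSvc' is a placeholder; pass the real service name.
param([string]$ServiceName = 'ExampleSvc')

# 1. State, start type and dependencies (a stopped dependency is a common cause).
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
"{0}: Status={1} StartType={2}" -f $svc.DisplayName, $svc.Status, $svc.StartType
foreach ($dep in $svc.ServicesDependedOn) {
    "  depends on {0} ({1})" -f $dep.Name, $dep.Status
}

# 2. Does the binary the service points at still exist? (Missing/replaced file.)
#    PathName may be quoted ("C:\Program Files\...\svc.exe" -args) or not.
$cfg = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$exe = if ($cfg.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($cfg.PathName -split ' ')[0] }
if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "Service binary not found: $exe" }

# 3. System log: Service Control Manager events for this service in the last day.
#    7000 = failed to start, 7001 = dependency failed, 7009 = start timeout,
#    7023/7024 = terminated with / returned a service-specific error.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7000, 7001, 7009, 7023, 7024; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($svc.DisplayName) } |
    Select-Object TimeCreated, Id, Message

# 4. Application log: critical/error/warning entries from the application's
#    own event source, or that mention the service by name.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like "*$ServiceName*" -or $_.Message -match [regex]::Escape($ServiceName) } |
    Select-Object TimeCreated, ProviderName, Id, Message -First 20
```

Save it as a .ps1 file and run it as `.\Find-ServiceFailure.ps1 -ServiceName <name>`; the System and Application logs are readable without elevation, but starting the service afterwards to reproduce the failure is not.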

77. Explanation: Secure Shell (SSH) is the best of the listed answers. It provides encrypted, authenticated sessions from a client to a server or to a network device. SSH will need to be enabled on the switches and routers (most network devices include an SSH server, but it typically has to be turned on and have host keys generated, and Telnet access should be disabled at the same time), and then the IT firm employees will connect with an SSH client such as PuTTY or the OpenSSH client built into Windows 10, macOS and Linux. See Chapter 42, "Basic Scripting and Remote Access Technologies," for more information.

Incorrect answers: RDP stands for Remote Desktop Protocol; the term is commonly used to refer to Microsoft's Remote Desktop Connection program, which is designed for connecting to Windows clients and servers, not to switches and routers. Telnet is an insecure predecessor to SSH: everything, including the login credentials, is sent in cleartext. The Telnet client is not installed by default on modern Windows systems, and some switches and routers don't support it at all. Virtual Network Computing (VNC) is used most often to connect to remote client computers such as Windows, macOS, Linux and Android, but SSH is the preferred method for connecting to network devices such as switches and routers.
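A check a technician would run after enabling SSH on the devices, as an added example that is not from the book: from a Windows admin workstation, confirm that each switch and router answers on TCP port 22 and no longer on TCP port 23 (Telnet). The device list is constructed from RFC 5737 documentation addresses and stands in for the real management IPs.

```powershell
# Added example (not from the book): verify SSH is reachable and Telnet is
# closed on each network device. Addresses below are constructed placeholders.
$devices = @('192.0.2.10', '192.0.2.11', '192.0.2.12')

$results = foreach ($dev in $devices) {
    # -InformationLevel Quiet makes Test-NetConnection return just $true/$false
    $ssh    = Test-NetConnection -ComputerName $dev -Port 22 -InformationLevel Quiet -WarningAction SilentlyContinue
    $telnet = Test-NetConnection -ComputerName $dev -Port 23 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Device = $dev
        SSH    = $ssh
        Telnet = $telnet
        Status = if ($telnet)        { 'FIX: Telnet still open' }
                 elseif (-not $ssh)  { 'FIX: SSH not reachable' }
                 else                { 'OK' }
    }
}

$results | Format-Table -AutoSize
# Anything not 'OK' needs attention before the IT firm starts using the devices.
```

Once a device reports OK, the actual session is simply `ssh admin@192.0.2.10` from the same workstation (the OpenSSH client ships with Windows 10); on first connection the client prompts you to accept the device's host key, which you should verify against the fingerprint shown on the device's console rather than accept blindly.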

78. Explanation: The best answer to maintain data security is to initiate a remote wipe on a device that has been lost or stolen. That deletes the data (on modern devices by discarding the storage encryption key) and makes it very difficult to reconstruct. The wipe command only takes effect once the device is powered on and can reach the network, which is one more reason to issue it right away. See Chapter 38, "Troubleshooting Mobile Operating Systems," for more information.

Incorrect answers: Passcode locks and login-attempt restrictions only slow down an attacker who has the device in hand. GPS (or location services) can help to find the device; however, if a device has been stolen or lost, time is of the essence, and the data should be remotely wiped right away.

79. Explanation: The syntax shown is one way of mapping a network drive in Windows. net use is the command, the drive letter to be used is Z:, and the path to the share is \\servername\sharename. Historically this type of command is found in a batch file, which uses the .bat extension. PowerShell is the newer and more capable tool for the job; its scripts use the .ps1 file extension by default. See Chapter 42, "Basic Scripting and Remote Access Technologies," for more information.

Incorrect answers: .vbs is a Visual Basic Script file, which can be run in Windows but is not necessary for basic networking procedures such as mapping network drives. .js is JavaScript, which is most often used within websites. .py is Python, which is used for a variety of things but, again, is not necessary for mapping network drives.
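The PowerShell equivalent of the net use line in the question, as an added example that is not from the book. \\servername\sharename and Z: are the placeholder values from the question, not a real share; the script refuses to overwrite an existing mapping and can prompt for a different account.

```powershell
# Added example (not from the book): PowerShell equivalent of
#   net use Z: \\servername\sharename
# \\servername\sharename and Z: are the question's placeholders, not a real share.
param(
    [string]$Share  = '\\servername\sharename',
    [string]$Letter = 'Z',
    [switch]$Prompt        # ask for another account instead of using the logged-on user
)

# Refuse to silently clobber an existing mapping on that letter.
# The backtick before the colon stops PowerShell reading "$Letter:" as a drive qualifier.
if (Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue) {
    throw "Drive $Letter`: is already in use; remove it first with Remove-PSDrive -Name $Letter (or: net use $Letter`: /delete)."
}

$params = @{
    Name        = $Letter
    PSProvider  = 'FileSystem'
    Root        = $Share
    Persist     = $true      # real mapped drive (visible in File Explorer and net use), not session-only
    Scope       = 'Global'   # without this the drive vanishes when the script's scope ends
    ErrorAction = 'Stop'
}
if ($Prompt) { $params.Credential = Get-Credential -Message "Account for $Share" }

New-PSDrive @params | Out-Null
"Mapped $Letter`: -> $Share"
Get-ChildItem -LiteralPath "$Letter`:\" | Select-Object Name, Length, LastWriteTime -First 5
```

Either form works in a logon script; the .ps1 version additionally requires an execution policy that permits scripts, which the batch file does not.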

80. Explanation: To immediately prevent unauthorized access from the intruder, you could add the intruding device to a blocked access list. This might be done by IP or MAC address, and on some mobile devices it can be accomplished directly within the hotspot configuration settings or with a third-party app (an intruder can change a MAC address, so treat the block list as a stopgap). The other correct answer is to change the SSID. By changing the SSID, the other user will be disconnected in a short period of time. However, that other user could always scan for networks and try to connect again, and will succeed if the passphrase is unchanged. So the best thing to do is to require encryption (WPA2 with AES) and set a new, strong password (although this takes more time). You could also disable the SSID broadcast altogether on some devices. This stops the average user from connecting, but a person with a Wi-Fi analyzer can still see the network and might still be able to connect. In addition, disabling the SSID broadcast can have unforeseen consequences: your own device that is connected to the hotspot might be kicked off, and you would then have to reconnect it manually. See Chapter 35, "Data Destruction and SOHO Security," for more information.

Incorrect answers: Accessing the intruder's device and shutting it down is not a good idea for a variety of reasons, especially if the intruder is malicious or experienced with technology; it is itself unauthorized access to someone else's device, and it is not an immediate solution. Neither is setting up a Wi-Fi analyzer to identify the intruding device; in fact, that might not be a solution at all. Shutting down the hotspot is not a solution because now you, the user, have lost access as well. However, if you find you are in a situation in which you can't block the intruder even with strong encryption, then shutting down the device might be your only option.