SY0-401 CompTIA Security+ Certification

Page 1   
Question 1

A network technician is on the phone with the system administration team. Power to the
server room was lost and servers need to be restarted. The DNS services must be the first
to be restarted. Several machines are powered off. Assuming each server only provides
one service, which of the following should be powered on FIRST to establish DNS

  • A. Bind server
  • B. Apache server
  • C. Exchange server
  • D. RADIUS server

Answer : A

Explanation: BIND (Berkeley Internet Name Domain) is the most widely used Domain Name System (DNS) software on the Internet. It includes the DNS server component called named, a contraction of "name daemon". This is the only option that directly involves DNS.

Question 2

Which of the following protocols is used by IPv6 for MAC address resolution?

  • A. NDP
  • B. ARP
  • C. DNS
  • D. NCP

Answer : A

Explanation: The Neighbor Discovery Protocol (NDP) is a protocol in the Internet protocol suite used with Internet Protocol Version 6 (IPv6).

Question 3

A computer is put into a restricted VLAN until the computer's virus definitions are up-to-
Which of the following BEST describes this system type?

  • A. NAT
  • B. NIPS
  • C. NAC
  • D. DMZ

Answer : C

Explanation: Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.

Question 4

A database administrator contacts a security administrator to request firewall changes for a
connection to a new internal application. The security administrator notices that the new
application uses a port typically monopolized by a virus. The security administrator denies
the request and suggests a new port or service be used to complete the application's task.
Which of the following is the security administrator practicing in this example?

  • A. Explicit deny
  • B. Port security
  • C. Access control lists
  • D. Implicit deny

Answer : C

Explanation: Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

Question 5

The security administrator has installed a new firewall which implements an implicit DENY
policy by default. Click on the firewall and configure it to allow ONLY the following
1. The Accounting workstation can ONLY access the web server on the public network
over the default HTTPS port. The accounting workstation should not access other
2. The HR workstation should be restricted to communicate with the Financial server
ONLY, over the default SCP port
3. The Admin workstation should ONLY be able to access the servers on the secure
network over the default TFTP port.
Instructions: The firewall will process the rules in a top-down manner in order as a first
match. The port number must be typed in and only one port number can be entered per rule.
Type ANY for all ports. The original firewall configuration can be reset at any time by
pressing the reset button. Once you have met the simulation requirements, click save and
then Done to submit.

Answer :


Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Rule #1 allows the Accounting workstation to ONLY access the web server on the public network over the default HTTPS port, which is TCP port 443. Rule #2 allows the HR workstation to ONLY communicate with the Financial server over the default SCP port, which is TCP port 22. Rule #3 and Rule #4 allow the Admin workstation to ONLY access the Financial and Purchasing servers located on the secure network over the default TFTP port, which is port 69. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 26, 44

Question 6

A small company can only afford to buy an all-in-one wireless router/switch. The company
has 3 wireless BYOD users and 2 web servers without wireless access. Which of the
following should the company configure to protect the servers from the user devices?
(Select TWO).

  • A. Deny incoming connections to the outside router interface.
  • B. Change the default HTTP port
  • C. Implement EAP-TLS to establish mutual authentication
  • D. Disable the physical switch ports
  • E. Create a server VLAN
  • F. Create an ACL to access the server

Answer : E,F

Explanation: We can protect the servers from the user devices by separating them into separate VLANs (virtual local area networks). The network device in the question is a router/switch. We can use the router to allow access from devices in one VLAN to the servers in the other VLAN. We can configure an ACL (Access Control List) on the router to determine who is able to access the server. In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN. This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each VLAN. More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Grouping hosts with a common set of requirements regardless of their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if they are not on the same network switch. The network described in this question is a DMZ, not a VLAN.

Question 7

A security administrator must implement a network authentication solution which will
ensure encryption of user credentials when users enter their username and password to
authenticate to the network.
Which of the following should the administrator implement?

  • A. WPA2 over EAP-TTLS
  • B. WPA-PSK
  • C. WPA2 with WPS
  • D. WEP over EAP-PEAP

Answer : D

Explanation: D: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn't considered highly secure. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the five EAP types adopted by the WPA/WPA2 standard are EAP-TLS, EAP-PSK, EAP-MD5, as well as LEAP and PEAP. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.

Question 8

A UNIX administrator would like to use native commands to provide a secure way of
connecting to other devices remotely and to securely transfer files. Which of the following
protocols could be utilized? (Select TWO).

  • A. RDP
  • B. SNMP
  • C. FTP
  • D. SCP
  • E. SSH

Answer : D,E

Explanation: SSH is used to establish a command-line, text-only interface connection with a server, router, switch, or similar device over any distance. Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote Copy Protocol (RCP). SCP is commonly used on Linux and Unix platforms.

Question 9

A company has implemented PPTP as a VPN solution. Which of the following ports would
need to be opened on the firewall in order for this VPN to function properly? (Select TWO).

  • A. UDP 1723
  • B. TCP 500
  • C. TCP 1723
  • D. UDP 47
  • E. TCP 47

Answer : C,D

Explanation: A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. The PPTP GRE packet format is non-standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, as in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47.

Question 10

The network security engineer just deployed an IDS on the network, but the Chief
Technical Officer (CTO) has concerns that the device is only able to detect known
anomalies. Which of the following types of IDS has been deployed?

  • A. Signature Based IDS
  • B. Heuristic IDS
  • C. Behavior Based IDS
  • D. Anomaly Based IDS

Answer : A

Explanation: A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats.

Question 11

A security analyst has been tasked with securing a guest wireless network. They
recommend the company use an authentication server but are told the funds are not
available to set this up.
Which of the following BEST allows the analyst to restrict user access to approved

  • A. Antenna placement
  • B. Power level adjustment
  • C. Disable SSID broadcasting
  • D. MAC filtering

Answer : D

Explanation: A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices.

Question 12

Which of the following means of wireless authentication is easily vulnerable to spoofing?

  • A. MAC Filtering
  • B. WPA - LEAP
  • C. WPA - PEAP
  • D. Enabled SSID

Answer : A

Explanation: Each network interface on your computer or any other networked device has a unique MAC address. These MAC addresses are assigned in the factory, but you can easily change, or spoof, MAC addresses in software. Networks can use MAC address filtering, only allowing devices with specific MAC addresses to connect to a network. This isn't a great security tool because people can spoof their MAC addresses.

Question 13

Ann, a security administrator, has concerns regarding her company's wireless network. The
network is open and available for visiting prospective clients in the conference room, but
she notices that many more devices are connecting to the network than should be.
Which of the following would BEST alleviate Ann's concerns with minimum disturbance of
current functionality for clients?

  • A. Enable MAC filtering on the wireless access point.
  • B. Configure WPA2 encryption on the wireless access point.
  • C. Lower the antenna's broadcasting power.
  • D. Disable SSID broadcasting.

Answer : C

Explanation: Some access points include power level controls that allow you to reduce the amount of output provided if the signal is traveling too far.

Question 14

Which of the following ports is used for SSH, by default?

  • A. 23
  • B. 32
  • C. 12
  • D. 22

Answer : D

Explanation: Secure Shell (SSH) is a cryptographic network protocol for securing data communication. It establishes a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. SSH uses port 22.

Question 15

Which of the following would the security engineer set as the subnet mask for the servers
below to utilize host addresses on separate broadcast domains?
Server 1:
Server 2:
Server 3:

  • A. /24
  • B. /27
  • C. /28
  • D. /29
  • E. /30

Answer : D

Explanation: Using this option will result in all three servers using host addresses on different broadcast domains.
