A penetration tester is able to move laterally throughout a domain with minimal roadblocks after compromising a single workstation. Which of the following mitigation strategies would be BEST to recommend in the report? (Select THREE).
A. Randomize local administrator credentials for each machine.
B. Disable remote logons for local administrators.
C. Require multifactor authentication for all logins.
D. Increase minimum password complexity requirements.
E. Apply additional network access control.
F. Enable full-disk encryption on every workstation.
A. Randomize local administrator credentials for each machine: This will make it harder for an attacker to move laterally if they compromise a single workstation since the credentials will be different for each machine.
C. Require multifactor authentication for all logins: This will add an extra layer of security to the login process, making it harder for attackers to gain unauthorized access to the network.
G. Segment each host into its own VLAN: This will prevent an attacker from easily moving laterally throughout the network, as they will need to compromise each host individually to gain access to other parts of the network.
ACE
Please don't give answers unless you are sure, because you only cause more confusion.
A. Randomize local administrator credentials for each machine. - good, LAPS "Local Admin Password Solution"
B. Disable remote logons for local administrators. - wrong, netadmins always need access and that's why you have LAPS
C. Require multifactor authentication for all logins. - good, direct counter
D. Increase minimum password complexity requirements. - wrong, once the password is known its complexity doesn't matter
E. Apply additional network access control. - good, similarly to MFA
F. Enable full-disk encryption on every workstation. - wrong, protects only data at rest
G. Segment each host into its own VLAN. - ridiculous
A. Randomize local administrator credentials for each machine. - Good answer - there are tools which allow you to manage randomizing administrator credentials.
B. Disable remote logons for local administrators. - Wrong answer - administrators need remote access
C. Require multifactor authentication for all logins. - Good answer
D. Increase minimum password complexity requirements. - Wrong answer - there is nothing about passwords in the question. Usually access to other systems is granted by grabbing hashes.
E. Apply additional network access control. - Not sure, but I think that this answer is correct.
F. Enable full-disk encryption on every workstation. - Wrong answer - disk encryption would help when the PC is off, not when it is on the network
G. Segment each host into its own VLAN. - Wrong answer - too much effort
I disagree about B. Best practice is to disable remote login for local admins and restrict it to domain admin. Also disable local login for domain admin. But I don't have a source for that being the CompTIA answer, however it is the NIST recommendation for system hardening.
As you prepare for the exam, keep these findings and recommended remediation strategies in mind. There are many ways that you can mitigate each of the findings described next, but you should remember that the mitigation strategies discussed in this chapter are the preferred methods identified by CompTIA. For example, if you see an exam question asking you the "best" way to mitigate a finding, you should definitely look first for the CompTIA recommended strategy among the answer choices!
So guys, what CompTIA recommends is to look at people, process and technology and decide which answer suits best, rather than going online and searching for mitigation strategies.
CompTIA has a whole objective, 5.3 "Given a scenario, recommend mitigation strategies for discovered vulnerabilities", dedicated to this. Read this:
Possible Mitigations/Solutions for a Shared Local Administrator Finding
People: Train support staff not to reuse passwords across accounts wherever possible.
Process: Require randomization of passwords using password generation algorithms for privileged accounts.
Technology: Implement technology such as LAPS, SHIPS, or other password management technology to ensure that passwords are not shared across endpoints.
CompTIA PenTest+ Passport book
In the industry, solutions are popularly divided into three categories: people, process, and technology. The driving logic is that all solutions involve each of these categories together. While the documentation included in reports does not necessarily need to follow this convention exactly, it is helpful when thinking about how to research and recommend solutions.
Generally, people-based solutions focus on culture and the capabilities of people rather than technology or business practices.
Process-based solutions focus on policies, procedures, and processes, or how people and technology work, rather than their capabilities.
Technology-based solutions are those that drive or are driven by the implementation of technology.
B, C, E
The local admin passwords can be used for pass-the-hash on other devices that have the same local password.
source:
https://docs.microsoft.com/en-us/troubleshoot/sql/security/block-remote-use-local-accounts
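An added detection example (my own, not from the thread or the linked Microsoft article) showing what the shared-local-admin pattern described above looks like in Windows Security 4624 logon events: one source address reaching many hosts with a local, non-domain account over the network. The domain name CORP, the host names and the simplified key=value log format are constructed for the sample.

```python
"""Flag network logons made with local (non-domain) accounts across many hosts.

In a domain, a 4624 Logon Type 3 (network) event whose TargetDomainName is a
machine name rather than the domain means a local account (typically the
built-in Administrator) was used remotely. One source hitting many hosts with
the same local account is the trace left when a shared local admin password is
replayed, which LAPS-style randomization and denying network logon to local
accounts are meant to prevent.
"""
import re
from collections import defaultdict

DOMAIN = "CORP"  # assumed domain NetBIOS name (constructed for this example)

# Constructed sample events in a simplified key=value rendering of 4624 fields
SAMPLE_EVENTS = """\
EventID=4624 Computer=WS01.corp.local LogonType=3 TargetUserName=Administrator TargetDomainName=WS01 IpAddress=10.0.0.50
EventID=4624 Computer=WS02.corp.local LogonType=3 TargetUserName=Administrator TargetDomainName=WS02 IpAddress=10.0.0.50
EventID=4624 Computer=WS03.corp.local LogonType=3 TargetUserName=Administrator TargetDomainName=WS03 IpAddress=10.0.0.50
EventID=4624 Computer=WS04.corp.local LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.0.7
EventID=4624 Computer=WS05.corp.local LogonType=2 TargetUserName=Administrator TargetDomainName=WS05 IpAddress=-
EventID=4624 Computer=WS06.corp.local LogonType=3 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.0.0.50
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value ...' line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_local_network_logon(ev, domain=DOMAIN):
    """True for a successful network (type 3) logon with a non-domain account."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "3"
            and ev.get("TargetDomainName", "").upper() != domain.upper())

def find_lateral_local_admin_use(lines, threshold=3, domain=DOMAIN):
    """Group local-account network logons by (source IP, account) and return
    the pairs that reached at least `threshold` distinct target hosts."""
    hosts = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_local_network_logon(ev, domain):
            key = (ev["IpAddress"], ev["TargetUserName"].lower())
            hosts[key].add(ev["Computer"].split(".")[0].upper())
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (src, user), targets in find_lateral_local_admin_use(SAMPLE_EVENTS.splitlines()).items():
        print(f"{src} used local account '{user}' on {len(targets)} hosts: {', '.join(targets)}")
```

On the sample this reports 10.0.0.50 using the local Administrator account on WS01, WS02 and WS03; the domain logons and the interactive (type 2) logon are ignored.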
Everyone seems to be in agreement on C, E.
My two pennies worth:
If we are all in agreement about C and D (I can't see how anyone would think that A and B would be the BEST options. Try telling local IT to administer their network without the fall-back of local admin accounts...) then it's E, F or G.
Again, could anyone suggest to management putting EVERY host into its own VLAN? The complexity created would be a nightmare to administer and would really create its own security hole.
I can't agree with the full-disk encryption idea if we agree that the idea is that the data is encrypted at rest. If you're in the box then the hashes are going to be accessed via the OS, so not encrypted.
Answer E is a bit vague but I think covers enough stuff not to be wrong.
So it's CDE for me.
And here's a good article that I found helpful
https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
Man this one is tough. There is just so much missing info. C and D are definitely correct. I could see A being correct, because it says the adversary is able to move laterally with minimal issue. Could be a common local admin account that he is exploiting... E could be correct, as it would add another password that would need to be broken for access. I could also see G being correct (Zero trust model would micro-segment the network to help stop lateral movement of malware/etc.) ------- With all that said, I would lean towards the Sybex answer, as they obviously had a play in crafting this question.
After looking at this again, I don't think D is the answer it is looking for. It says he already has access, and is now able to move laterally without issue. Nothing here points to password complexity as being part of the issue. I think it's possible that the local admin username is being re-used.
With that said, I believe A, C, and F are correct. For the same reasons I stated in my last post. (Where I said E above, I meant F... adding full disk encryption would require another key for access. Thus hardening access.)
G is not a good answer at all. Putting a host on a VLAN doesn't make it more secure due to intervlan routing, unless all the VLANs are trunked to a firewall with the default gateway existing for each vlan on the firewall. It also increases your networks exponentially. Each VLAN needs to have its own subnet. So 50 hosts now becomes 50 networks which could become 50 static routes. It's a ridiculous answer.
I would go with C, D, G. I believe that the reason the attacker was able to move laterally without any obstacles is because all the hosts were on the same network. It takes more work to move laterally if these compromised hosts were on different networks. To accomplish such a task, a virtual LAN (VLAN) needs to be implemented. This would make each host look like it is on its own separate network. Thus, when the attacker compromises the initial host, the others won't be readily available or seen.
I think I have a change of heart on this one. I would go for CDE. Implementing a VLAN for each host in that ONE domain is a bit extreme for a recommendation. The easier approach would be additional network access controls which would apply to all hosts within that domain.