CompTIA Security+ Question L-22

Users are unable to connect to the web server at IP 192.168.0.20. Which of the following can be inferred of a firewall that is configured ONLY with the following ACL?
PERMIT TCP ANY HOST 192.168.0.10 EQ 80
PERMIT TCP ANY HOST 192.168.0.10 EQ 443

A. It implements stateful packet filtering.
B. It implements bottom-up processing.
C. It failed closed.
D. It implements an implicit deny.

Answer: D

Explanation:
Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default. Implicit deny is the default response when an explicit allow or deny isn’t present.

CompTIA Security+ Question K-81

A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface.
PERMIT TCP ANY ANY 80
PERMIT TCP ANY ANY 443
Which of the following rules would accomplish this task? (Select TWO).

A. Change the firewall default settings so that it implements an implicit deny
B. Apply the current ACL to all interfaces of the firewall
C. Remove the current ACL
D. Add the following ACL at the top of the current ACL DENY TCP ANY ANY 53
E. Add the following ACL at the bottom of the current ACL DENY ICMP ANY ANY 53
F. Add the following ACL at the bottom of the current ACL DENY IP ANY ANY 53

Answer: A,F

Explanation:
Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default. Implicit deny is the default response when an explicit allow or deny isn’t present.

DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers, special manual queries, or used when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.

CompTIA Security+ Question I-23

Which of the following security concepts can prevent a user from logging on from home during the weekends?

A. Time of day restrictions
B. Multifactor authentication
C. Implicit deny
D. Common access card

Answer: A

Explanation:
Time of day restrictions limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours when oversight and monitoring can be performed to prevent fraud, abuse, or intrusion.

CompTIA Security+ Question E-63

A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application’s task. Which of the following is the security administrator practicing in this example?

A. Explicit deny
B. Port security
C. Access control lists
D. Implicit deny

Answer: C

Explanation:
Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

CompTIA Security+ Question E-42

A security administrator implements access controls based on the security classification of the data and need-to-know information. Which of the following BEST describes this level of access control?

A. Implicit deny
B. Role-based Access Control
C. Mandatory Access Controls
D. Least privilege

Answer: C

Explanation:
Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.

CompTIA Security+ Question D-48

Which of the following allows a network administrator to implement an access control policy based on individual user characteristics and NOT on job function?

A. Attributes based
B. Implicit deny
C. Role based
D. Rule based

Answer: A

Explanation:
Attribute-based access control allows access rights to be granted to users via policies, which combine attributes together. The policies can make use of any type of attributes, which includes user attributes, resource attributes and environment attributes.

CompTIA Security+ Question D-35

The Human Resources department has a parent shared folder setup on the server. There are two groups that have access, one called managers and one called staff. There are many sub folders under the parent shared folder, one is called payroll. The parent folder access control list propagates all subfolders and all subfolders inherit the parent permission. Which of the following is the quickest way to prevent the staff group from gaining access to the payroll folder?

A. Remove the staff group from the payroll folder
B. Implicit deny on the payroll folder for the staff group
C. Implicit deny on the payroll folder for the managers group
D. Remove inheritance from the payroll folder

Answer: B

Explanation:
Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default.

CompTIA Security+ Question C-62

The security administrator needs to manage traffic on a layer 3 device to support FTP from a new remote site. Which of the following would need to be implemented?

A. Implicit deny
B. VLAN management
C. Port security
D. Access control lists

Answer: D

Explanation:
In the OSI model, IP addressing and IP routing are performed at layer 3 (the network layer). In this question we need to configure routing. When configuring routing, you specify which IP range (in this case, the IP subnet of the remote site) is allowed to route traffic through the router to the FTP server.

Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

CompTIA Security+ Question A-92

Users report that they are unable to access network printing services. The security technician checks the router access list and sees that web, email, and secure shell are allowed. Which of the following is blocking network printing?

A. Port security
B. Flood guards
C. Loop protection
D. Implicit deny

Answer: D

Explanation:
Implicit deny says that if you aren’t explicitly granted access or privileges for a resource, you’re denied access by default. The scenario does not state that network printing is allowed in the router access list, therefore, it must be denied by default.

CompTIA Security+ Question A-65

Which of the following is best practice to put at the end of an ACL?

A. Implicit deny
B. Time of day restrictions
C. Implicit allow
D. SNMP string

Answer: A

Explanation:
An implicit deny clause is implied at the end of each ACL. This implies that if you aren’t specifically granted access or privileges for a resource, you’re denied access by default. The implicit deny clause is set by the system.