A security analyst discovers a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities. Which of the following is the BEST action for the security analyst to take?
The best action for the security analyst to take when a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities is to remove the user's permissions from the various system executables. This approach directly addresses the issue by revoking access to these critical tools and ensures that the standard user cannot misuse them. This method aligns with the principle of least privilege, ensuring that users only have the permissions necessary for their role.
The BEST action for the security analyst to take when a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities is to use AppLocker to create a set of whitelist and blacklist rules specific to group membership. Therefore, the correct answer is B. AppLocker is a Windows feature that enables organizations to specify which applications are allowed to run on a computer system. By creating a set of whitelist and blacklist rules specific to group membership, the security analyst can restrict access to command prompt, PowerShell, and other system utilities for the standard user. This will help to prevent unauthorized access and misuse of these tools.
The question is talking about one standard user with "extra" access to system assets, so disabling that will do, so it's D.
How about new users? Doesn't this involve manually configuring for each alert generated, rather than automating the process?
It did not specify ONE standard user. Standard user is also a group.
A is correct
The question states that the user is a "standard user", not an administrator account, with extra permissions. Disabling the settings in the administrative template (A) will not affect a standard user unless they are part of the administrative group. D is the only answer that makes sense.
Standard user permissions can also be set using administrative templates in Group Policy Objects (GPOs). These templates can be used to configure settings for standard users just like they can be used to configure settings for privileged users. For example, an organization can use administrative templates to configure security settings, software installation and maintenance settings, and settings for specific applications for standard users. It's important to note that while standard users may not have the ability to modify GPO settings themselves, the administrative templates can be used by a privileged user, such as an administrator, to configure settings for standard users. These templates can be used to restrict access to certain features or applications for standard users, or to configure settings that will enforce specific policies for standard users. It's important to review and test the changes made by GPO for standard users, to ensure that the changes do not negatively impact their daily work.
This should be D. The problem states the user has been given excessive permissions, violating the principle of least privilege; removing the user's access to the stated executables will correct the user's permissions. Changing settings in the group policy is excessive and is actually needed for admin roles, and the question also didn't state the use of Group Policies to apply user permissions.
D it is.
For me, the keyword here is 'unauthorised access'. If we are to use GPO or whitelist/blacklist, it means currently he is authorised, albeit by mistake only, but authorised. So I am going with D, as that removes the user's access to executables and reinstates his account to authorised accesses only.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership. AppLocker is a security feature in Windows that allows you to create policies to control which applications are allowed to run on a system. In this scenario, using AppLocker to create a set of whitelist rules specific to group membership would be the best action. This approach would allow the security analyst to specify which applications (such as the command prompt, PowerShell, and other system utilities) are allowed to run based on the user's group membership.
AppLocker is a Microsoft Windows feature that allows administrators to create policies to control which applications are allowed to run on a system. In this scenario, using AppLocker to create a set of rules specific to group membership would be an effective way to control and restrict the unauthorized access to command prompt, PowerShell, and other system utilities.
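As an added illustration of the AppLocker approach described in the two posts above (this is not code from any poster here), the snippet below builds an executable rule collection that denies BUILTIN\Users (SID S-1-5-32-545) the two shells while a default allow rule keeps the rest of %WINDIR% runnable, tests what the policy would decide for that group, and merges it in audit-only mode so the effect can be reviewed before enforcement. The rule GUIDs and the temporary file name are constructed placeholders.

```powershell
# Added example: AppLocker path rules scoped to group membership (deny the Users group
# the two shells; allow everything else under the Windows folder for Everyone).
# GUIDs below are constructed placeholders; generate real ones with [guid]::NewGuid().
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Deny cmd.exe to Users"
                  Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\cmd.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Deny powershell.exe to Users"
                  Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Allow Windows folder to Everyone"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Write the policy to a temp file (constructed file name).
$policyPath = Join-Path $env:TEMP 'deny-shells-to-users.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: show the decision AppLocker would make for a member of BUILTIN\Users.
# Deny rules take precedence over the allow rule, so both shells should report Denied.
Get-ChildItem "$env:SystemRoot\System32\cmd.exe",
              "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
              "$env:SystemRoot\System32\notepad.exe" |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User 'S-1-5-32-545' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy in audit mode; review event log 'AppLocker/EXE and DLL'
# before switching EnforcementMode to Enabled. Requires the Application Identity service.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

A path rule only covers the path it names, so the SysWOW64 copies of both shells, PowerShell ISE and any other interpreter need their own rules, and the Script rule collection governs .ps1 files separately from powershell.exe itself.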
AppLocker? Who mentioned anything about using Windows?
PowerShell is Windows' native scripting tool.
This will prevent the standard user from accessing the command prompt, PowerShell, and other system utilities, regardless of their permissions to the individual executables. Group Policy can be used to enforce a wide variety of administrative rules. It's the best administrative option from my perspective.
Disabling the appropriate settings in the administrative template of the Group Policy can help restrict access to command prompt, PowerShell, and other system utilities for standard users.
Removing the user's permissions from the various system executables is the BEST action for the security analyst to take.
Based on the scenario, there is a malicious event that happened to a standard user who has access to system utilities beyond the set permission. Of course, first we will isolate it. Why not A? Because it may affect other legitimate users as well. Just my thoughts on the question.