You have a computer named Computer1 that runs Windows 10.
You deploy an application named Application1 to Computer1.
You need to assign credentials to Application1.
You need to meet the following requirements:
Ensure that the credentials for Application1 cannot be used by any user to log on to Computer1.
Ensure that the principle of least privilege is maintained.
What should you do?
A. Configure Application1 to sign in as the Local System account and select the Allow service to interact with desktop check box.
B. Create a user account for Application1 and assign that user account the Deny log on locally user right.
C. Create a user account for Application1 and assign that user account the Deny log on as a service user right.
D. Configure Application1 to sign in as the Local Service account and select the Allow service to interact with desktop check box.
Correct Answer: B
Explanation/Reference:
By creating a dedicated user account for Application1 (referred to here as Service1) and using it as the identity for Application1, we are applying the principle of least privilege as required in this question.
However, the Service1 account could be used by a user to sign in to the desktop on the computer. To sign in to the desktop on the computer, an account needs the log on locally right, which all user accounts have by default. Therefore, we can prevent this by assigning Service1 the Deny log on locally user right.
Incorrect Answers:
A: Configuring Application1 to sign in as the Local System account would ensure that the identity used by Application1 cannot be used by a user to sign in to the desktop on Computer1. However, this does not use the principle of least privilege. The Local System account has full access to the system. Therefore, this solution does not meet the goal.
C: A service account needs the log on as a service user right. When you assign an account to be used by a service, that account is granted the log on as a service user right. Therefore, assigning Service1 the deny log on as a service user right would mean the service would not function.
D: The Local Service Account is a predefined local account used by the service control manager.
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally
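The check below is an added example, not part of the original question or of Microsoft's documentation: it parses the user-rights export that `secedit` produces and reports whether a service account is denied local logon while still being able to run as a service. The sample export, the account name Service1 and the function names are constructed for illustration.

```powershell
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes; the account name Service1 and the entries are made up for this example.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,Service1
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest,Service1
SeDenyServiceLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Parse the [Privilege Rights] section into a hashtable: right name -> account list.
function Get-UserRightsTable {
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($raw in ($InfText -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    $rights
}

# Evaluate the two requirements for one account. Only direct, by-name entries are
# matched; entries stored as *SID and rights inherited through groups are not resolved.
function Test-ServiceAccountRights {
    param([hashtable]$Rights, [string]$Account)
    $deniedLocal   = $Rights['SeDenyInteractiveLogonRight'] -contains $Account
    $deniedService = $Rights['SeDenyServiceLogonRight'] -contains $Account
    $allowService  = $Rights['SeServiceLogonRight'] -contains $Account
    [pscustomobject]@{
        Account          = $Account
        LocalLogonDenied = $deniedLocal                            # answer B in effect
        CanRunAsService  = $allowService -and -not $deniedService  # answer C would break this
        MeetsRequirement = $deniedLocal -and $allowService -and -not $deniedService
    }
}

Test-ServiceAccountRights -Rights (Get-UserRightsTable $sampleInf) -Account 'Service1'
```

On a live system, replace `$sampleInf` with the contents of the file written by the `secedit` command named in the first comment, read with `Get-Content -Raw`.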