Quiz: Operating System Security

A 26-question self-check covering host hardening across Windows, Linux, and macOS, endpoint protection, and patch management. Questions tagged [Sec+] map to a CompTIA Security+ objective and [CISSP] to an (ISC)² CISSP domain, so certification candidates can self-assess. Answers and one-line explanations are at the end — attempt the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] The deliberate process of reducing a system's attack surface by disabling unneeded services, removing software, and tightening configuration is best called: A. patching B. hardening C. encryption D. provisioning

2. A server is fully patched but ships with SMBv1 enabled, the local Administrator account active, and no PowerShell logging. The most accurate statement is: A. it is secure B. it is current but not hardened C. it is hardened but not patched D. it has a CVE

3. [Sec+] A detailed, consensus-developed configuration standard for a specific platform, published by the Center for Internet Security, is a: A. STIG B. CVE C. CIS Benchmark D. security baseline GPO

4. Which Windows mechanism centrally enforces configuration across all domain-joined machines and re-applies it on a schedule, correcting drift? A. LAPS B. Group Policy C. Windows Defender D. AppLocker

5. [Sec+] LAPS primarily defends against: A. phishing emails B. unpatched vulnerabilities C. lateral movement using a shared local-admin password D. denial-of-service attacks

6. The chief advantage of EDR over signature-based antivirus is that EDR: A. is cheaper B. detects behavior/techniques and catches novel and fileless attacks C. requires no agent D. only scans on a schedule

7. [CISSP] Mandatory access control (e.g., SELinux/AppArmor) differs from discretionary access control because the policy: A. is set by each file's owner B. can be overridden by root C. is system-wide and not overridable by file owners or root D. applies only to network traffic

8. Application allowlisting enforces which posture for program execution? A. default-allow, block known-bad B. default-deny, permit only approved C. signature matching only D. block nothing, log everything

9. [Sec+] Secure Boot primarily prevents: A. weak passwords B. malicious code from running before the OS loads (boot/rootkits) C. SQL injection D. data exfiltration over DNS

10. A TPM is best described as: A. a firewall appliance B. a hardware chip that stores keys and boot measurements as a root of trust C. an antivirus engine D. a patch-management server

11. [CISSP] SELinux left in permissive mode in production means: A. policy violations are blocked B. policy violations are logged but allowed — containment is effectively off C. the system is most secure D. SSH is disabled

12. The patch-management practice of deploying to a small pilot population, then the broad fleet, then critical systems last, is called: A. risk acceptance B. deployment rings C. virtual patching D. tamper protection

13. [Sec+] Which is the strongest reason a freshly internet-connected, unconfigured server is at risk even with no specific attacker interest? A. it has a TPM B. default installs expose services/accounts that indiscriminate automated scanning will find C. it runs EDR D. Group Policy has not refreshed

14. seccomp restricts a process's: A. file owners B. network routes C. system calls to the kernel D. user password length

15. On macOS, the feature that ensures only signed/notarized applications run by default is: A. FileVault B. Gatekeeper C. XProtect D. Time Machine


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

16. "A fully patched system is, by definition, hardened."

17. [Sec+] "Removing an unused package is strictly stronger than merely disabling its service, from an attack-surface standpoint."

18. "Because macOS is secure by default, enterprise Macs do not need MDM, EDR, or central monitoring."

19. "Reporting that a critical patch was deployed to the fleet is equivalent to confirming it was installed on every machine."

20. [CISSP] "Disabling SELinux because an application was denied an access is an appropriate troubleshooting step in production."


Section 3 — Fill in the blank (1 pt each)

21. The system-level sibling of least privilege — running only the software and services a host's role requires — is the principle of least ______.

22. [Sec+] Microsoft Defender __ ____ rules block whole classes of malicious behavior (e.g., Office apps spawning child processes) rather than specific signatures. (two words)

23. Host patch deployment timelines that are fastest for flaws that are critical, internet-facing, and actively exploited are called ______-based timelines.


Section 4 — Short answer (2 pts each)

24. [CISSP] Explain, in two or three sentences, why "patched" and "hardened" are different security properties and why a host needs both. Give one example of a dangerous default that patching does not fix.

25. A public-facing web service running as a dedicated non-root user is exploited. Discretionary file permissions already limit that user. In two sentences, explain what an enforcing SELinux/AppArmor policy adds, and why that is "least privilege applied to programs."


Section 5 — Applied scenario (5 pts)

26. [Sec+] Meridian's incident team finds that an attacker moved laterally across 40 servers using a single recovered local Administrator password, transferred tools over SMBv1, ran encoded PowerShell the team cannot reconstruct, and disabled Defender before acting. (a) Name the one control that would have stopped the lateral movement, and explain how. (b) Name the control that would have removed the SMBv1 path and the one that would have recorded the PowerShell. (c) Which single control, deployed fleet-wide, would most reduce the blast radius, and why?


Answer Key

1. **B** — hardening is deliberate attack-surface reduction.
2. **B** — current (patched) is not hardened; the dangerous surface is intended behavior that was never switched off.
3. **C** — CIS Benchmark.
4. **B** — Group Policy enforces settings and re-applies them, correcting drift.
5. **C** — LAPS gives each host a unique, rotated local-admin password, killing shared-credential lateral movement.
6. **B** — EDR detects behavior/techniques, catching novel and fileless attacks.
7. **C** — MAC policy is system-wide and not overridable by owners or root.
8. **B** — allowlisting is default-deny, permit only approved.
9. **B** — Secure Boot verifies the signed boot chain, blocking pre-OS malware.
10. **B** — a TPM is a hardware root of trust storing keys and boot measurements.
11. **B** — permissive logs but allows violations; containment is off.
12. **B** — deployment rings.
13. **B** — default installs expose surface that indiscriminate automated scanning finds.
14. **C** — seccomp filters system calls.
15. **B** — Gatekeeper.
16. **F** — patching fixes known code flaws; hardening governs configuration (services, accounts, protocols, logging), which can be fully default on a patched box.
17. **T** — a removed package leaves no binary/library to abuse, while a disabled service's code is still present and can be re-enabled or invoked.
18. **F** — an unmanaged, unmonitored Mac with cloud SSO is a soft, high-value target; Macs need MDM, EDR, and central visibility like any endpoint.
19. **F** — "deployed/sent" ≠ "installed"; offline, failed, and excepted machines leave a tail that is exactly where attackers go.
20. **F** — disabling MAC because it denied an access removes the host's strongest containment; the fix is to grant the specific legitimate access via audit logs/`audit2allow` and leave everything else enforcing.
21. functionality.
22. Attack Surface (Reduction) — Microsoft Defender Attack Surface (Reduction) rules.
23. risk.
24. Patching closes *known code vulnerabilities*; hardening closes *exposed functionality working as designed* (services, accounts, protocols, logging). Both are needed because a fully patched box can still run SMBv1, share a local-admin password, and log nothing — none of which is a patchable CVE. Example of a dangerous default patching does not fix: SMBv1 enabled / local Administrator active / no PowerShell logging.
25. MAC confines the process to an explicit allow-list of files, ports, and capabilities defined by system policy that the process cannot override even if it gains more privilege, so reads/writes/connections outside policy (e.g., reading `/etc/shadow`, opening a reverse shell) are denied at the kernel; that is least privilege applied to the *program* (only what its role needs), not just to the user.
26. (a) **LAPS** — unique, random, rotated local-admin password per host, so a credential recovered from one host does not authenticate to another; lateral movement via shared credential dies at the first hop. (b) Disabling **SMBv1** (via Group Policy) removes the lateral protocol; **PowerShell script-block logging (4104) + process-creation auditing (4688) / Sysmon** would have recorded the encoded PowerShell. (c) Reasonable strong answers: **LAPS** (directly kills the fleet-wide lateral path that created the 40-server blast radius) — also defensible: **Group Policy enforcing the hardening baseline** (turns off SMBv1, enables logging, and enforces Defender/tamper protection across the fleet at once). Full credit for a defended choice; LAPS is the tightest single answer to *blast radius* specifically.

**Topics to review by question:** missed 1–3, 16, 24 → §11.1; 4, 5, 22, 26 → §11.2; 7, 11, 14, 20, 25 → §11.3; 15, 18 → §11.4; 6, 8, 20 (EDR/AV) → §11.5; 12, 19, 23 → §11.6; 9, 10, 13 → §11.1 + §11.6 (Secure Boot/TPM); 17, 21 → §11.1/§11.3.