Quiz: Privileged Access Management

A 26-question self-check covering the chapter's vocabulary, the escalation ladder, and the PAM control set. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] An account that can administer other accounts, change security settings, or control infrastructure is best called a: A. service account B. privileged account C. orphaned account D. federated account

2. [Sec+] Storing privileged credentials in a secured, audited repository and brokering access so a human need not know a password to use it is called: A. password rotation B. credential vaulting C. tiered administration D. single sign-on

3. The technique by which an attacker authenticates to a new machine by replaying a stolen credential without knowing or cracking the password is: A. password spraying B. pass-the-hash C. credential stuffing D. phishing

4. [CISSP] Granting a privileged role only for a bounded window and removing it automatically, so no standing privileged access exists by default, is: A. just-in-time access B. least functionality C. mandatory access control D. federation

5. In the §19.1 escalation ladder, the step that directly enables lateral movement is: A. initial foothold B. domain dominance C. credential harvesting D. business email compromise

6. [Sec+] A dedicated, hardened computer used only for privileged administration (no email, no web) is a: A. jump host B. bastion host C. privileged access workstation (PAW) D. domain controller

7. In the classic three-tier administration model, domain controllers and the identity/control plane belong to: A. Tier 2 B. Tier 1 C. Tier 0 D. the DMZ

8. [CISSP] The core rule of tiered administration is: A. all admins share one powerful account B. higher-tier credentials are never exposed on lower tiers C. credentials may flow upward but not sideways D. only Tier 2 uses MFA

9. Check-in (one-time) rotation rotates a privileged credential: A. once a year B. immediately after each session ends C. only when an admin leaves D. only after a breach

10. [Sec+] A highly privileged account reserved for emergencies (e.g., when the PAM system or MFA is down), stored offline and alerting on any use, is a: A. service account B. break-glass account C. shared mailbox D. machine identity

11. The single most valuable detection that PAM creates (that did not exist before) is: A. failed-password alerting B. a privileged logon with no matching vault checkout C. antivirus signature hits D. DNS tunneling detection

12. Microsoft LAPS most directly defeats which lateral-movement enabler? A. weak domain admin passwords B. a shared/identical local Administrator password across machines C. missing MFA on email D. open firewall ports

13. [CISSP] Requiring a second person's approval before a high-risk privileged role can be activated is an application of: A. defense in depth B. separation of duties C. fail-safe defaults D. non-repudiation


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

14. "Because privileged actions are rare and significant, privileged-account detections tend to be higher-fidelity than detections on ordinary user activity."

15. [Sec+] "If our admins all have strong, unique passwords, pass-the-hash is not a concern."

16. "Just-in-time access reduces risk by reducing the scope of what a privileged role can do."

17. "A break-glass account should be exempt from monitoring and rotation, since it is only for emergencies."

18. [CISSP] "Tiering that exists only as a written policy, with no operating-system enforcement, is effectively no control at all against a determined or rushed admin."

19. "Session recording of privileged sessions raises no privacy or legal considerations and can be deployed without disclosure."


Section 3 — Fill in the blank (1 pt each)

20. The escalation ladder runs: foothold → local privilege escalation → credential __ → __ movement → domain admin → domain dominance.

21. [Sec+] Automatically changing a privileged credential on a schedule or after each use, to shorten the useful life of any stolen credential, is called password __.

22. A __ account is a non-human account that runs an application or scheduled task, often with elevated rights — introduced in this chapter and treated fully in Chapter 20.

23. The deepest payoff of PAM is that, by forcing all privileged access through a narrow instrumented path, it makes the misuse of privilege __ (i.e., easy to detect).


Section 4 — Short answer (2 pts each)

24. [CISSP] In two or three sentences, explain how tiered administration with enforced logon restrictions prevents a compromised user workstation from leading to domain admin — even after the attacker becomes local administrator of that workstation.

25. A board member asks, "We already have multi-factor authentication on admin logins. Why spend more on this PAM thing?" In two or three sentences, explain what PAM adds beyond login MFA, referencing standing access and credential harvesting.


Section 5 — Applied scenario (5 pts)

26. [Sec+] Meridian discovers a domain admin account (DOMAIN\da-legacy) that is a standing member of Domain Admins, has a password unchanged for 14 months, is shared by three engineers, is not in the PAM vault, and has logged on to ordinary user laptops to "fix things." (a) Identify every PAM control this account violates. (b) Walk the §19.1 escalation ladder to explain the worst-case blast radius if this account's credential is harvested from one of those laptops. (c) Propose the specific remediation for each violation, naming the control from this chapter. (d) State one detection you would add to catch future misuse of this (or any) privileged account.


Answer Key

1. **B** — a privileged account exceeds ordinary permissions in ways that can compromise systems.
2. **B** — vaulting stores and brokers credentials so humans need not know them.
3. **B** — pass-the-hash replays the credential without cracking it.
4. **A** — JIT grants time-bounded privilege with automatic removal.
5. **C** — harvesting a credential is what makes the next-machine logon (lateral movement) possible.
6. **C** — a PAW is the dedicated, hardened administration machine.
7. **C** — the identity/control plane is Tier 0.
8. **B** — credentials never flow downward to lower tiers.
9. **B** — check-in rotation changes the credential right after the session.
10. **B** — break-glass / emergency access account.
11. **B** — an out-of-band privileged logon (no vault checkout) is anomalous by construction once PAM is in place.
12. **B** — LAPS gives each machine a unique, rotated local admin password, killing the shared-local-admin path.
13. **B** — approval by a second person is separation of duties.
14. **T** — privileged activity has a low, predictable baseline, so deviations stand out.
15. **F** — pass-the-hash replays the credential and does not require cracking, so strength alone does not stop it; unique-per-machine and rotation do.
16. **F** — JIT reduces the *time/duration* dimension, not the permission scope; the role's permissions are unchanged.
17. **F** — break-glass must be *more* monitored (alert on every use) and rotated/tested; exempting it makes it a backdoor.
18. **T** — unenforced tiering is violated under pressure; it must be enforced by logon restrictions and monitored.
19. **F** — it captures employee actions and must be disclosed, scoped to privileged access, and the recordings protected.
20. harvesting; lateral.
21. rotation.
22. service.
23. loud / visible / detectable.
24. With enforced tiering, Tier 0/1 (privileged) credentials are never used on Tier 2 workstations, so a compromised laptop has no privileged credential to harvest; the attacker who becomes local admin finds only Tier 2 credentials, which administer other laptops but cannot reach the domain — the downward-flow rule severs the harvesting → lateral-movement → escalation chain.
25. Login MFA protects the moment of authentication, but PAM removes *standing* privilege (so a stolen account is usually unarmed), shortens credential life via vaulting/rotation, prevents harvesting via tiering/PAWs, and makes misuse detectable — addressing the post-authentication escalation that MFA alone does not.
26. (a) Violates: vaulting (not vaulted), JIT/no-standing (standing membership), rotation (14 months), accountability (shared without recording), and tiering (used on Tier 2 laptops). (b) An attacker who phishes one of those laptops → becomes local admin → harvests `da-legacy`'s credential (present because it logged on there) → replays it to reach servers and the domain controller → domain admin → fleet-wide ransomware/data theft — the full ladder, enabled by the tiering violation. (c) Vault the account + check-in rotation; make it JIT-eligible, not standing; rotate the credential immediately; enable session recording for accountability; enforce tiering so it can never be used on Tier 2 again (or replace it with a properly tiered Tier 0 account). (d) Out-of-band privileged logon (privileged auth with no vault checkout), or a Tier 0/1 credential appearing on a Tier 2 host.

**Topics to review by question:** if you missed 1–3 or 20, review §19.1; 2, 9, 12, 21 → §19.2; 4, 13, 16 → §19.3; 6–8, 18, 24 → §19.4; 19 → §19.5; 5, 11, 14, 23 → §19.6; 10, 17, 22 → §19.2/§19.1; 25–26 → whole chapter.
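The two detections named in the answers to questions 11 and 26(d), as an added example that is not part of the chapter: it correlates privileged logon events against vault checkout records and a tier map, flagging a privileged logon with no covering checkout and a higher-tier credential appearing on a lower-tier host. Account names, host names, timestamps and the dictionary-based tier map are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed tier maps (hypothetical names, not from the chapter).
# Lower number = higher privilege: 0 = identity/control plane, 2 = user workstations.
ACCOUNT_TIER = {"DOMAIN\\da-legacy": 0, "DOMAIN\\srv-admin": 1, "DOMAIN\\helpdesk-t2": 2}
HOST_TIER = {"DC01": 0, "FILESRV02": 1, "LAPTOP-4471": 2}

# Vault checkouts as (account, start, end): every brokered session produces one.
CHECKOUTS = [
    ("DOMAIN\\srv-admin", datetime(2024, 5, 2, 9, 0), datetime(2024, 5, 2, 11, 0)),
    ("DOMAIN\\helpdesk-t2", datetime(2024, 5, 2, 14, 50), datetime(2024, 5, 2, 16, 0)),
]

# Privileged logon events as a SIEM would receive them (constructed sample data).
LOGONS = [
    {"ts": datetime(2024, 5, 2, 9, 30), "account": "DOMAIN\\srv-admin", "host": "FILESRV02"},
    {"ts": datetime(2024, 5, 2, 13, 15), "account": "DOMAIN\\srv-admin", "host": "FILESRV02"},
    {"ts": datetime(2024, 5, 2, 14, 5), "account": "DOMAIN\\da-legacy", "host": "LAPTOP-4471"},
    {"ts": datetime(2024, 5, 2, 15, 0), "account": "DOMAIN\\helpdesk-t2", "host": "LAPTOP-4471"},
]


def has_checkout(account, ts, checkouts, grace=timedelta(minutes=5)):
    """True if a vault checkout for `account` covers `ts` (small grace for clock skew)."""
    return any(a == account and s - grace <= ts <= e + grace for a, s, e in checkouts)


def detect(logons, checkouts):
    """Return (rule, account, host) findings for the two PAM detections."""
    findings = []
    for ev in logons:
        acct, host = ev["account"], ev["host"]
        acct_tier = ACCOUNT_TIER.get(acct)
        if acct_tier is None:
            continue  # not a privileged account; out of scope for these rules
        # Rule 1: privileged logon with no matching vault checkout (out-of-band use).
        if not has_checkout(acct, ev["ts"], checkouts):
            findings.append(("no_vault_checkout", acct, host))
        # Rule 2: credential from a higher tier exposed on a lower-tier host.
        # Unknown hosts are treated as Tier 2 so a missing inventory entry fails closed.
        if acct_tier < HOST_TIER.get(host, 2):
            findings.append(("tier_violation", acct, host))
    return findings


if __name__ == "__main__":
    for finding in detect(LOGONS, CHECKOUTS):
        print(finding)
```

The `da-legacy` logon from the scenario in question 26 trips both rules; the second `srv-admin` logon trips only the checkout rule because it happened after its checkout window closed.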