Exam 70-744 topic 1 question 13 discussion

Actual exam question from Microsoft's 70-744
Question #: 13
Topic #: 1

Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 10.
A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was initiated from a client computer and accessed Active Directory objects restricted to the members of the Domain Admins group.
You need to minimize the impact of another successful Pass-the-Hash attack on the domain.
What should you recommend?

  • A. Instruct all users to sign in to a client computer by using a Microsoft account.
  • B. Move the computer accounts of all the client computers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.
  • C. Instruct all administrators to use a local Administrators account when they sign in to a client computer.
  • D. Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.
Suggested Answer: C
References:
https://en.wikipedia.org/wiki/Pass_the_hash#Mitigations

Comments

ArchBishop
Highly Voted 5 years, 8 months ago
Technically what they are referring to is found here and called "Restricted Admin Mode:" https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard In this scenario: Pass-the-Hash was used to, in a way, capture DOMAIN Administrator Credentials that had been cached on the Client's machine. As a part of Kerberos, when a user logs onto a device with domain credentials, a hash is generated and stored in the cache of the device. This means that, in this scenario, an Admin accessed the client device using their Domain Admin Credentials; which would have then been stored as a hash in the client device's cache. The Attacker then "Passed the Hash" to access further domain resources on the network. If the Admin accessed the device using the Local Admin Credentials of that device instead of their domain credentials, the Pass-the-Hash attack would have only affected the local device, rather than the entire domain. This method of authentication is referred to as "Restricted Admin Mode;" where admins only log onto client machines using a (or THE) device's Local Admin Account.
upvoted 14 times
V1980
4 years, 5 months ago
You just became the coleman of 70-744. A great Honor.
upvoted 4 times
Yebubbleman
4 years, 5 months ago
Nah man, coleman was freakin' everywhere and on every question.
upvoted 1 times
...
...
...
SamsOtro
Most Recent 4 years, 6 months ago
Going with C
upvoted 2 times
...
dumpmaster
5 years, 2 months ago
It's right. This is a very old MS recommendation for Windows networks
upvoted 2 times
...
Nhan
5 years, 3 months ago
The given answer is correct
upvoted 3 times
...
Ario
5 years, 4 months ago
Answer is correct
upvoted 3 times
...
Paz
5 years, 8 months ago
I believe C is the correct answer but the reference is not correct. LAPS is listed on the exam for content and I believe they are having us use the local admin so that we can use LAPS https://blog.stealthbits.com/running-laps-in-the-race-to-security/
upvoted 2 times
...
Eric1234
5 years, 9 months ago
I guess this makes the most sense. I think the answer is correct.
upvoted 3 times
...
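The exposure discussed in the comments above (a Domain Admins credential left behind on a client computer after a sign-in) can be audited from logon events. The following is an added example, not part of the original question or discussion: it scans event ID 4624 records for Domain Admins accounts whose logon type leaves a reusable credential on a host that is not a domain controller. The account names, host names and the one-JSON-object-per-line export format are constructed assumptions.

```python
import json
from collections import defaultdict

# Logon types in event ID 4624 that leave reusable credentials on the target host.
EXPOSING_LOGON_TYPES = {2: "Interactive", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}
# Assumptions for this sketch: NetBIOS domain name, Domain Admins members, DC host names.
DOMAIN = "CONTOSO"
DOMAIN_ADMINS = {"da-alice", "da-bob"}
DOMAIN_CONTROLLERS = {"dc01.contoso.com"}

# Constructed sample: logon events exported as one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "PC-0042.contoso.com", "TargetDomainName": "CONTOSO", "TargetUserName": "da-alice", "LogonType": 10}
{"EventID": 4624, "Computer": "PC-0042.contoso.com", "TargetDomainName": "PC-0042", "TargetUserName": "Administrator", "LogonType": 2}
{"EventID": 4624, "Computer": "PC-0107.contoso.com", "TargetDomainName": "CONTOSO", "TargetUserName": "da-bob", "LogonType": 3}
{"EventID": 4624, "Computer": "DC01.contoso.com", "TargetDomainName": "CONTOSO", "TargetUserName": "da-alice", "LogonType": 2}
{"EventID": 4624, "Computer": "PC-0107.contoso.com", "TargetDomainName": "CONTOSO", "TargetUserName": "jsmith", "LogonType": 2}
{"EventID": 4624, "Computer": "PC-0311.contoso.com", "TargetDomainName": "CONTOSO", "TargetUserName": "DA-Bob", "LogonType": 2}
"""

def find_exposures(lines):
    """Return (host, user, logon kind) for Domain Admin logons on non-DC hosts."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue
        if ev["TargetDomainName"].upper() != DOMAIN:  # local account, not a domain credential
            continue
        user, host = ev["TargetUserName"].lower(), ev["Computer"].lower()
        if user not in DOMAIN_ADMINS or host in DOMAIN_CONTROLLERS:
            continue
        kind = EXPOSING_LOGON_TYPES.get(ev["LogonType"])
        if kind:  # type 3 (Network) leaves no reusable credential on the target
            findings.append((host, user, kind))
    return findings

def hosts_at_risk(findings):
    """Group findings by host: compromising that host exposes the listed admin accounts."""
    by_host = defaultdict(set)
    for host, user, _ in findings:
        by_host[host].add(user)
    return dict(by_host)

if __name__ == "__main__":
    for host, users in sorted(hosts_at_risk(find_exposures(SAMPLE_EVENTS)).items()):
        print(f"{host}: {', '.join(sorted(users))}")
```

The local `Administrator` sign-in on PC-0042 is skipped, which is the practice answer C recommends; the two domain sign-ins on client computers are the ones reported.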