CompTIA Cloud+ (CV0-004) — Question 98
A company’s cybersecurity team receives the following alert that a production VM was deleted from the virtual network:
21 September 09:19:08 (GMT-5)
Resource with ID: PROD-WEB001 was deleted by User: Logging Service
The console used to manage virtual network resources uses directory authentication. Only users in a particular directory group can interactively access the virtual network management console. The logging service account is not part of this group and requires some local administration privileges to aggregate logs from various resources. The cybersecurity team discovers that the logging service account had previously been given full directory administration privileges and finds the following entry:
21 September 09:10:55 (GMT-5)
User with ID: Logging Service was added to the Group: VNet Console Administrators by actor: Logging Service.
The cybersecurity team removes the compromised service account from the directory group. Which of the following should the cybersecurity team do next to prevent repeat instances of this issue?
Answer options
- A. Enable two-factor authentication on the virtual network console.
- B. Reset the logging service account to use a long and complex password.
- C. Disable RDP on the production virtual machines.
- D. Create a scoped administrative role for the logging service account.
Correct answer: D
Explanation
Creating a scoped administrative role for the logging service account limits its permissions to only what log aggregation requires (the principle of least privilege), so the account can no longer add itself to an administrative group or delete resources, which reduces the risk of unauthorized actions. Enabling two-factor authentication and resetting the password are good security practices, but they do not address the underlying issue of excessive permissions: the entries show the account itself performing the escalation, not an interactive login. Disabling RDP on production VMs does not relate to the management of the logging service account.
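As an added illustration of how a defender could have caught this sequence before the deletion (not part of the original question), the following Python parses alerts in the exact format shown above, flags a principal adding itself to a privileged group or a service account landing in an administrative group, and correlates any later resource deletion by that principal. The alert entries, group name and service account name are constructed from the question text.

```python
import re
from datetime import datetime

# Constructed sample alerts in the format shown in the question (not real telemetry).
ALERTS = [
    ("21 September 09:10:55 (GMT-5)",
     "User with ID: Logging Service was added to the Group: VNet Console Administrators by actor: Logging Service."),
    ("21 September 09:19:08 (GMT-5)",
     "Resource with ID: PROD-WEB001 was deleted by User: Logging Service"),
]

# Groups that grant console administration; the name is assumed from the alert text.
PRIVILEGED_GROUPS = {"VNet Console Administrators"}
# Non-interactive identities that should never hold console admin rights (assumed).
SERVICE_ACCOUNTS = {"Logging Service"}

GROUP_ADD = re.compile(
    r"User with ID: (?P<member>.+?) was added to the Group: (?P<group>.+?) by actor: (?P<actor>.+?)\.?$")
RESOURCE_DELETE = re.compile(
    r"Resource with ID: (?P<resource>.+?) was deleted by User: (?P<user>.+?)\.?$")


def parse_ts(ts):
    # The alert carries no year; the UTC offset is dropped because every entry shares it.
    return datetime.strptime(ts.split(" (")[0], "%d %B %H:%M:%S")


def analyze(alerts):
    """Return (finding, subject, time) tuples: escalation into a privileged group,
    and destructive actions performed by an escalated principal afterwards."""
    findings = []
    escalated = {}  # principal -> time it gained privileged group membership
    for ts, msg in sorted(alerts, key=lambda a: parse_ts(a[0])):
        when = parse_ts(ts)
        m = GROUP_ADD.match(msg)
        if m and m["group"] in PRIVILEGED_GROUPS:
            member, actor = m["member"], m["actor"]
            if actor == member:  # an account granting itself admin membership
                findings.append(("SELF_ESCALATION", member, when))
            if member in SERVICE_ACCOUNTS:  # service accounts should be scoped, not admins
                findings.append(("SERVICE_ACCOUNT_IN_ADMIN_GROUP", member, when))
            escalated.setdefault(member, when)
            continue
        d = RESOURCE_DELETE.match(msg)
        if d and d["user"] in escalated and when >= escalated[d["user"]]:
            findings.append(("DELETE_AFTER_ESCALATION", d["resource"], when))
    return findings


if __name__ == "__main__":
    for finding in analyze(ALERTS):
        print(finding)
```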