CompTIA Security+ (SY0-501) — Question 247

A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure.
Given the requirement, which of the following should the security analyst do to MINIMIZE the risk?

Answer options

• A. Enable CHAP
• B. Disable NTLM
• C. Enable Kerebos
• D. Disable PAP

Correct answer: B

Explanation

Disabling NTLM is crucial because it is susceptible to pass-the-hash attacks, thus minimizing the risk associated with credential theft. Enabling CHAP or Kerberos may enhance security but does not directly address the pass-the-hash vulnerability. Disabling PAP is unrelated to this specific issue.