CompTIA Security+ (SY0-501) — Question 934

An organization prefers to apply account permissions to groups and not individual users, but allows for exceptions that are justified. Some systems require a machine-to-machine data exchange and an associated account to perform this data exchange. One particular system has data in a folder that must be modified by another system. No user requires access to this folder; only the other system needs access to this folder. Which of the following is the BEST account management practice?

Answer options

• A. Create a service account and apply the necessary permissions directly to the service account itself
• B. Create a service account group, place the service account in the group, and apply the permissions on the group
• C. Create a guest account and restrict the permissions to only the folder with the data
• D. Create a generic account that will only be used for accessing the folder, but disable the account until it is needed for the data exchange
• E. Create a shared account that administrators can use to exchange the data, but audit the shared account activity

Correct answer: A

Explanation

The best account management practice is to create a service account and apply the necessary permissions directly to it, as this allows for precise control and security specific to the task of data exchange. The other options either introduce unnecessary complexity, such as using groups or shared accounts, or pose security risks by allowing broader access than needed.