CompTIA Security+ (SY0-601) — Question 559

A security audit of an organization revealed that most of the IT staff members have domain administrator credentials and do not change the passwords regularly. Which of the following solutions should the security team propose to resolve the findings in the most complete way?

Answer options

• A. Creating group policies to enforce password rotation on domain administrator credentials
• B. Reviewing the domain administrator group, removing all unnecessary administrators, and rotating all passwords
• C. Integrating the domain administrator's group with an IdP and requiring SSO with MFA for all access
• D. Securing domain administrator credentials in a PAM vault and controlling access with role-based access control

Correct answer: D

Explanation

The correct answer is D because securing domain administrator credentials in a PAM vault provides a high level of security and control, ensuring that only authorized personnel have access. Options A and B address password management but do not provide the same level of security and oversight. Option C, while adding security through SSO and MFA, does not address the issue of credential storage and management.