CompTIA Security+ (SY0-701) — Question 453

A penetration test has demonstrated that domain administrator accounts were vulnerable to pass-the-hash attacks. Which of the following would have been the best strategy to prevent the threat actor from using domain administrator accounts?

Answer options

• A. Audit each domain administrator account weekly for password compliance.
• B. Implement a privileged access management solution.
• C. Create IDS policies to monitor domain controller access.
• D. Use Group Policy to enforce password expiration.

Correct answer: B

Explanation

The correct answer, B, suggests implementing a privileged access management solution, which can effectively manage and secure access to sensitive accounts, reducing the risk of pass-the-hash attacks. The other options, while beneficial for overall security, do not specifically address the vulnerabilities associated with domain administrator accounts in the context of such attacks.