12/10/24, 5:24 PM Practice Labs | Print

CompTIA | 220-1102: CompTIA A+

Implementing Network Security Measures
Exercises
Introduction
Lab Topology
Exercise 1 - Logical Security
Review

Introduction
Tags: A+ Multifactor Authentication (MFA) Principle of Least Privilege
Access Control Lists (ACL) Hard Tokens Soft Tokens Short Message Service (SMS)

Welcome to the Implementing Network Security Measures Practice Lab. In

this module, you will be provided with the instructions and devices needed to
develop your hands-on skills.

Learning Outcomes
In this module, you will complete the following exercises:

Exercise 1 - Logical Security

After completing this module, you should be able to:

Know about the Principle of Least Privilege

Explain the Uses of Access Control Lists (ACL)
Configure Email Security

After completing this module, you should have further knowledge of:

Multifactor Authentication (MFA)

Using a Hard Token
Using a Soft Token
Short Message Service (SMS)
Voice Call
Authenticator Application

https://www.practice-labs.com/app/platform/print.aspx 1/48
12/10/24, 5:24 PM Practice Labs | Print

Exam Objectives
The following exam objectives are covered in this module:

2.1 Summarize various security measures and their purposes

Logical security

Lab Duration
It will take approximately 1 hour to complete this lab.

Help and Support

For more information on using Practice Labs, please see our Help and Support
page. You can also raise a technical support ticket from this page.

Click Next to view the Lab topology used in this module.

https://www.practice-labs.com/app/platform/print.aspx 2/48
12/10/24, 5:24 PM Practice Labs | Print

Lab Topology
During your session, you will have access to the following lab configuration.

Depending on the exercises, you may or may not use all of the devices, but they
are shown here in the layout to get an overall understanding of the topology of
the lab.

PLABDC01 - (Windows Server 2019 - Domain Controller)

PLABWIN10 - (Windows 10 - Domain Member Workstation)
PLABWIN11 - (Windows 11 - Domain Member Workstation)
PLABSUSE - (SUSE - Standalone Server)
PLABUBUNTU - (Ubuntu - Standalone Server)
PLABANDROID - (Android OS - Android Device)

Click Next to proceed to the first exercise.

https://www.practice-labs.com/app/platform/print.aspx 3/48
12/10/24, 5:24 PM Practice Labs | Print

Exercise 1 - Logical Security

The three main types of security controls are Administrative, Logical (or
technical), and Physical. Administrative controls include policies, procedures,
rules, standards, regulations, and frameworks. Physical security controls include
doors, locks, fences, lighting, cameras, etc. Logical controls are typically
software-based and are often found in endpoints, servers, networking devices,
and security appliances such as firewalls, proxy servers, intrusion detection and
prevention systems, and SIEM systems.

In this exercise, logical network security controls will be discussed.

Learning Outcomes
After completing this exercise, you should be able to:

Know about the Principle of Least Privilege

Explain the Uses of Access Control Lists (ACL)
Configure Email Security

After completing this exercise, you should have further knowledge of:

Multifactor Authentication (MFA)

Using a Hard Token
Using a Soft Token
Short Message Service (SMS)
Voice Call
Authenticator Application

Your Devices
You will be using the following devices in this lab. Please power these on now.

PLABDC01 - (Windows Server 2019 - Domain Controller)

PLABWIN10 - (Windows 10 - Domain Member Workstation)

Task 1 - Principle Of Least Privilege

Principle of Least Privilege is the foundation for all access control systems and
methods. The principle of least privilege requires users, devices, and applications
to be given only the minimum level of privileges that are necessary to complete
the task. The least privilege does not apply only to human users but also to
systems and applications.

https://www.practice-labs.com/app/platform/print.aspx 4/48
12/10/24, 5:24 PM Practice Labs | Print

There is a closely related security control called Need to Know. In high security
operations, especially in military and government systems, users or subjects are
given clearance. Resources or objects are given a classification. Clearance,
classification, and need to know are used to assign privileges in this type of
environment.

In a Windows Workgroup, privileges are assigned using Local Users and

Groups. This is suitable for small network operations but can be difficult to
manage. Each user needs to be given permission on every system they have
access to. There is no central administrative console for the configuration of all
systems.

In a Windows Domain, permissions are handled centrally on a Domain Controller

server, using Active Directory and Group Policy.

In this task, you will view the policies that can be configured in a Windows
WorkGroup and Windows Domain.

Step 1
Connect to PLABWIN10.

Click the Start charm and type:

control panel

Select Control Panel from the Best match pop-up menu.

https://www.practice-labs.com/app/platform/print.aspx 5/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.1 Screenshot of PLABWIN10: Displaying selecting Control Panel from the Best match pop-up
menu.

Step 2
In the Control Panel window, select User Accounts.

https://www.practice-labs.com/app/platform/print.aspx 6/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.2 Screenshot of PLABWIN10: Displaying selecting User Accounts in the Control Panel window.

Step 3
In the User Accounts window, click the Change account type link.

https://www.practice-labs.com/app/platform/print.aspx 7/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.3 Screenshot of PLABWIN10: Displaying clicking the Change account type link in the User
Accounts window.

Step 4
In the User Accounts - Users tab, you can add or remove a user's access to the
device. You can also change the admin password by clicking the Reset Password
button.

Select the Advanced tab.

https://www.practice-labs.com/app/platform/print.aspx 8/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.4 Screenshot of PLABWIN10: Displaying the User Accounts - Users tab with the Advanced tab
highlighted.

Step 5
In the User Accounts - Advanced tab, you can manage passwords, as well as
perform advanced user management tasks using Local Users and Groups. You
can also enable secure sign-in by ticking the checkbox next to the Require users
to press Ctrl+Alt+Delete field.

Click OK.

https://www.practice-labs.com/app/platform/print.aspx 9/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.5 Screenshot of PLABWIN10: Displaying the User Accounts - Advanced tab with the Advanced
tab highlighted.

Step 6
Back on the User Accounts window, select the Control Panel Home link on the
left pane.

https://www.practice-labs.com/app/platform/print.aspx 10/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.6 Screenshot of PLABWIN10: Displaying selecting the Control Panel Home link on the User
Accounts window.

Step 7
Click the Category drop-down next to the View by field and select Small icons.

https://www.practice-labs.com/app/platform/print.aspx 11/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.7 Screenshot of PLABWIN10: Displaying selecting Small icons from the View by drop-down menu.

Step 8
In the All Control Panel Items window, select Administrative Tools.

https://www.practice-labs.com/app/platform/print.aspx 12/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.8 Screenshot of PLABWIN10: Displaying selecting Administrative Tools in the All Control Panel
Items window.

Step 9
From the Administrative Tools window, double-click Local Security Policy.

https://www.practice-labs.com/app/platform/print.aspx 13/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.9 Screenshot of PLABWIN10: Displaying selecting Local Security Policy in the Administrative
Tools window.

Step 10
In the Local Security Policy window, expand Account Policies on the left pane.

Click Password Policy.

In the right details pane, the different Password policies that can be configured
are displayed.

Double-click on each of the policies to view more information about their

settings.

https://www.practice-labs.com/app/platform/print.aspx 14/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.10 Screenshot of PLABWIN10: Displaying selecting Password Policy in the Local Security Policy
window.

Step 11
Next, select Account Lockout Policy on the left pane.

The following Policies can be configured:

Account lockout duration

Account lockout threshold
Reset account lockout counter after

Double-click on each of the policies to view more information about their

settings.

https://www.practice-labs.com/app/platform/print.aspx 15/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.11 Screenshot of PLABWIN10: Displaying selecting Account Lockout Policy in the Local Security
Policy window.

Note: In a Windows Workgroup, these changes need to be made to each

system individually and consequently can be difficult to configure and
manage.

Step 12
Close the Local Security Policy window.

Close all open windows.

https://www.practice-labs.com/app/platform/print.aspx 16/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.12 Screenshot of PLABWIN10: Displaying closing the Local Security Policy window.

Step 13
Next, you will view how permissions can be managed using Active Directory
and Group Policy.

Connect to PLABDC01.

Minimize the Server Manager window.

Click the Start charm and type:

control panel

Select Control Panel from the Best match pop-up menu.

https://www.practice-labs.com/app/platform/print.aspx 17/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.13 Screenshot of PLABDC01: Displaying selecting Control Panel from the Best match pop-up
menu.

Step 14
Click the Category drop-down next to the View by field and select Small icons.

Select Administrative Tools.

https://www.practice-labs.com/app/platform/print.aspx 18/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.14 Screenshot of PLABDC01: Displaying selecting Administrative Tools in the All Control Panel
Items window.

Step 15
In the Administrative Tools window, double-click Active Directory Users and
Computers.

https://www.practice-labs.com/app/platform/print.aspx 19/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.15 Screenshot of PLABDC01: Displaying selecting Active Directory Users and Computers in the
Administrative Tools window.

Step 16
In the Active Directory Users and Computers window, notice that you have two
users on the right pane Administrator - User and Guest - User.

Everything else is standard Windows Security Group. Active Directory works

with Group Policy as follows: Permissions are assigned to Groups, then users are
added to one or more Groups. The User inherits their permissions from the
Groups they belong to.

Here you can create a new user and assign the user to a group.

Close the Active Directory Users and Computers window.

https://www.practice-labs.com/app/platform/print.aspx 20/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.16 Screenshot of PLABDC01: Displaying the Active Directory Users and Computers window. Close
icon on the top-right corner of the window is selected.

Step 17
Back on the Administrative Tools window, double-click Group Policy
Management.

https://www.practice-labs.com/app/platform/print.aspx 21/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.17 Screenshot of PLABDC01: Displaying selecting Group Policy Management in the Administrative
Tools window.

Step 18
In the Group Policy Management window, select Default Domain Policy on the
left pane.

https://www.practice-labs.com/app/platform/print.aspx 22/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.18 Screenshot of PLABDC01: Displaying selecting Default Domain Policy in the Group Policy
Management window.

Step 19
Select the Settings tab on the Default Domain Policy pane on the right.

https://www.practice-labs.com/app/platform/print.aspx 23/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.19 Screenshot of PLABDC01: Displaying selecting the Settings tab on the Default Domain Policy
pane.

Step 20
Expand the Security Settings Policy.

Notice that you have password and account policies similar to the local
computer password policies you viewed in the Local Security Policy window in
PLABWIN10.

Please browse the Default Domain Policy window for a few minutes.

Expand each policy by clicking the Show link to view the different Policy settings
that can be configured.

https://www.practice-labs.com/app/platform/print.aspx 24/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.20 Screenshot of PLABDC01: Displaying the Default Domain Policy pane in the Group Policy
Management window.

Close all open windows.

Task 2 - Access Control Lists (ACL)

An Access Control List is a list of permissions associated with an object or
resource. The ACL specifies which users or system processes are allowed to
access the resource. For instance, if Amy has permissions to read/write and Bob
only has permissions to read, Amy’s permissions are higher than Bob’s.

Access control lists are used in many places on a network. One of the most
common is a network firewall. In firewalls, access control lists are commonly
known as firewall rules. Firewall rules are written in order and are applied from
the first rule to the last. If the first rule matches the traffic, all the other rules will
be overridden. The rules will specifically ALLOW connections based on attributes
such as Source IP address, Destination IP address, Source Port Number, and
Destination Port Number. The final rule is the DENY REST rule. It blocks all
traffic that is not specifically allowed in earlier rules.

https://www.practice-labs.com/app/platform/print.aspx 25/48
12/10/24, 5:24 PM Practice Labs | Print

Other resources that may use access control lists include file systems (read,
write, modify, execute, delete), Active Directory and LDAP directories (user and
group permissions, role-based access controls (RBAC)), network devices such as
firewalls, routers, and switches (rules), and relational databases (permissions).

Step 1
Connect to PLABWIN10.

Click the Start charm and type:

control panel

Select Control Panel from the Best match pop-up menu.

Figure 1.21 Screenshot of PLABWIN10: Displaying selecting Control Panel from the Best match pop-up
menu.

Step 2
In the Control Panel window, select System and Security.

https://www.practice-labs.com/app/platform/print.aspx 26/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.22 Screenshot of PLABWIN10: Displaying selecting System and Security in the Control Panel
window.

Step 3
In the System and Security window, select Windows Defender Firewall.

https://www.practice-labs.com/app/platform/print.aspx 27/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.23 Screenshot of PLABWIN10: Displaying selecting Windows Defender Firewall in the System and
Security window.

Step 4
From the Windows Defender Firewall window, click the Advanced Settings link
on the left pane.

https://www.practice-labs.com/app/platform/print.aspx 28/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.24 Screenshot of PLABWIN10: Displaying selecting the Advanced Settings link in the Windows
Defender Firewall window.

Step 5
In the Windows Defender Firewall with Advanced Security window, select
Inbound Rules on the left pane.

Notice the various Inbound firewall rules in the middle pane.

Select New Rule in the Actions pane.

https://www.practice-labs.com/app/platform/print.aspx 29/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.25 Screenshot of PLABWIN10: Displaying selecting Inbound Rules in the Windows Defender
Firewall window.

Step 6
In the New Inbound Rule Wizard - Rule Type page, leave the default selection
Program.

Click Next.

https://www.practice-labs.com/app/platform/print.aspx 30/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.26 Screenshot of PLABWIN10: Displaying the New Inbound Rule Wizard - Rule Type page with
the default option selected and the Next button highlighted.

Step 7
On the Program page, ensure This program path option is selected, and type
the following path:

%ProgramFiles%\application\application.exe

Click Next.

https://www.practice-labs.com/app/platform/print.aspx 31/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.27 Screenshot of PLABWIN10: Displaying the Program page with the required settings performed
and the Next button highlighted.

Step 8
On the Action page, ensure Allow the connection is selected.

Click Next.

https://www.practice-labs.com/app/platform/print.aspx 32/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.28 Screenshot of PLABWIN10: Displaying the Action page with the required settings performed
and the Next button highlighted.

Step 9
On the Profile page, click Next.

https://www.practice-labs.com/app/platform/print.aspx 33/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.29 Screenshot of PLABWIN10: Displaying the Profile page with the Next button highlighted.

Step 10
On the Name page, type the following for the Name field:

Test Rule

Click Finish.

https://www.practice-labs.com/app/platform/print.aspx 34/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.30 Screenshot of PLABWIN10: Displaying the Name page with the required Name typed in and
the Finish button highlighted.

Step 11
Restore the Windows Defender Firewall with Advanced Security window from
the Taskbar.

https://www.practice-labs.com/app/platform/print.aspx 35/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.31 Screenshot of PLABWIN10: Displaying restoring the Windows Defender Firewall with Advanced
Security window from the Taskbar.

Step 12
Notice Test Rule now appears in the Inbound Rules pane.

Close the Windows Defender Firewall with Advanced Security window.

https://www.practice-labs.com/app/platform/print.aspx 36/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.32 Screenshot of PLABWIN10: Displaying the Windows Defender Firewall with Advanced Security
window with the newly created Inbound rule. Close icon on the top-right corner of the window is selected.

Close all open windows.

Multifactor Authentication (MFA)

In the beginning, if you were logging in to a system, resource, or network, all you
needed was a user ID and password. Now, due to the threat of passwords being
hacked using methods such as Brute Force and Dictionary attacks, a password
on its own is not a very good form of security. Passwords need to be at least 15
characters to be able to withstand automated password cracking. But if you give
your password away as the result of phishing or social engineering exploits, the
length won’t matter.

Current solutions to this problem include “passwordless” and multifactor

authentication. Multifactor authentication requires two or more different types
of authentication from the list below. Two authentication methods from the same
category are not considered to be valid. For instance, a password and a PIN
number are both from the authentication type of something you know.

https://www.practice-labs.com/app/platform/print.aspx 37/48
12/10/24, 5:24 PM Practice Labs | Print

2FA and MFA require factors from two or more of the following categories:

Knowledge-based - Something you know, such as a password, PIN, or

challenge questions and answers.
Possession-based or physical device - Something you have, such as an ID
card or badge, smart card, digital certificate, phone app, or RSA token or
fob.
Biometrics or bodily characteristics - Something you are, such as a
fingerprint, palm print, hand geometry, retina scan, iris scan, facial scan, or
voice recognition.
Location - Somewhere you are, as determined by GPS devices, including a
smartphone, IP address, MAC address, and machine name or Fully Qualified
Domain Name (FQDN).
Behavioral - Something you do, such as keyboard typing cadence, mouse
dynamics, EUBA or end-user behavior analytics, or even a written signature.

Figure 1.33: Displaying a two-step authentication.

Task 3 - Configure Email Security

Email is the exchange of messages between two users using different systems
over a network. Early email used File Transfer Protocol (FTP). The Simple Mail
Transfer Protocol (SMTP) was invented in 1983. By 1995 the current suite of
email protocols SMTP, Post Office Protocol (POP), and Internet Message

https://www.practice-labs.com/app/platform/print.aspx 38/48
12/10/24, 5:24 PM Practice Labs | Print

Access Protocol (IMAP) was being used to send (SMTP) and receive (POP or
IMAP) email messages. Later on, Hypertext Transport Protocol (HTTP) became
another way to display email or what we call webmail or email on a web
browser on services such as AOL, Yahoo, Hotmail, and Gmail.

As security became more important, new secure protocols were developed. Many
security tools were developed for email. Security tools include message
encryption, email sender identification and authentication, spam and phishing
email filters, and email anti-malware scanners. Most of these security controls
run on top of the older insecure protocols, so email security still has issues.

Let’s start with email message encryption. Here is a table of the email ports and
protocols. These protocols establish secure communications using Transport
Layer Security (TLS) in the same manner that a browser connects to an HTTPS
website.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

S/MIME is a secure encryption protocol used to send emails with end-to-end

encryption. It is supported by most email services and applications. S/MIME
requires the use of Digital Certificates and Public Key Infrastructure (PKI). The
contents of the email are encrypted, but the metadata contained in the email
headers is sent in plain text.

Pretty Good Privacy (PGP) and OpenPGP

PGP and its more commonly used open-source variation OpenPGP is an

encryption protocol used for sending highly secure end-to-end-encrypted (E2EE)
emails. It’s popular for both email encryption and file encryption.

Email Sender Identification and Authentication Methods

Sender Policy Framework (SPF) is an authentication method used in emails

to prevent threat actors from replicating a sender's email address. This was
designed to stop spammers from sending messages that spoofed somebody
else's domain and block phishing and malware attachments.
DomainKeys Identified Mail (DKIM) is another authentication method to
block spoofed sender addresses. DKIM allows an email server to ensure the
sender is legitimate. This helps DKIM to block spam and phishing emails.
DKIM signs an email with a digital signature, which can be verified and
authenticated, to prevent spoofing.
Domain-Based Message Authentication, Reporting & Conformance
(DMARC) is an email authentication protocol that works together with DKIM
https://www.practice-labs.com/app/platform/print.aspx 39/48
12/10/24, 5:24 PM Practice Labs | Print

and SPF. DMARC can only be used when both SPF and DKIM have been
correctly configured. DMARC provides analysis and reporting about who is
sending emails from a given domain.

In this task, you will use the Mail application in PLABWIN10. You will view how
an email account can be configured to use secure ports and protocols.

Step 1
Connect to PLABWIN10.

Click the Start charm and type:

Mail

Select Mail from the Best match pop-up menu.

Figure 1.34 Screenshot of PLABWIN10: Displaying selecting Mail from the Best match pop-up menu.

Step 2
https://www.practice-labs.com/app/platform/print.aspx 40/48
12/10/24, 5:24 PM Practice Labs | Print

In the Add an account window, select Advanced setup.

Figure 1.35 Screenshot of PLABWIN10: Displaying selecting Advanced setup in the Add an account
window.

Step 3
From the Advanced setup window, select Internet email.

https://www.practice-labs.com/app/platform/print.aspx 41/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.36 Screenshot of PLABWIN10: Displaying selecting Advanced setup in the Add an account
window.

Step 4
In the Internet email account window, you can enter your Email address, User
name, Password and Account name.

Send your messages using this name allows you to place your first and/or last
name ahead of your email address on the From: or sender line.

Scroll down the window.

https://www.practice-labs.com/app/platform/print.aspx 42/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.37 Screenshot of PLABWIN10: Displaying the Internet email account window.

Step 5
You have the following fields:

The Incoming email server will be in the following format:

mail.mydomain.com, pop.mydomain.com, or imap.mydomain.com.
For the Account type, you can select POP3 or IMAP4 from the drop-down
menu.
The Outgoing mail server will be in the following format:
mail.mydomain.com or smtp.mydomain.com.

Scroll down further.

https://www.practice-labs.com/app/platform/print.aspx 43/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.38 Screenshot of PLABWIN10: Displaying the Internet email account window.

Step 6
The four fields have checkboxes enabled by default. The first two fields ensure
there’s proper authentication when sending emails.

Requires SSL for incoming and outgoing emails; when enabled, will use
encryption for the email account.

Click Cancel.

Close all open windows.

https://www.practice-labs.com/app/platform/print.aspx 44/48
12/10/24, 5:24 PM Practice Labs | Print

Figure 1.39 Screenshot of PLABWIN10: Displaying the Internet email account window.

Using a Hard Token

A Hard Token or hardware token is a physical device used for authentication.
They are commonly known as key fobs, security tokens or USB tokens. RSA key
fobs are a common example of a hard token.

It may be used as a single form of authentication or as part of a two-factor or

multifactor authentication system. As part of MFA, it would be a possession-
based or something-you-have authentication method.

There are two main types of hard tokens, synchronous and asynchronous. A
synchronous token is synchronized with an authentication server. The token
generates a six-digit one-time password (OTP) which needs to be entered into
the login screen flow. An asynchronous token uses a series of challenge/response
entries to authenticate.

Using a Soft Token

A Soft Token or software token is similar to a hard token. Typically, a hard token
is associated with a specific hardware device. A soft token is a software
https://www.practice-labs.com/app/platform/print.aspx 45/48
12/10/24, 5:24 PM Practice Labs | Print

application that can be installed on different devices such as smartphones,

tablets, laptops, or other computer systems. These software applications
generate a synchronous six-digit OTP code that has to be entered in the logon
screen flow within a short period of time, usually 30 or 60 seconds.

Short Message Service (SMS)

Another way to deliver a one-time password (OTP) is via Short Message Service
(SMS) or smartphone text message. This is a fairly common method, even
though they are not considered very secure. SMS does not use an encrypted
channel and can be intercepted as plaintext. As such, it is susceptible to SIM
cloning attacks.

Voice Call
Voice call or call-back has been an authentication method used as far back as
with early RADIUS authentication servers. A user attempting to dial into the
company’s analog dial-up modem pool and connect to the network is often
authenticated and then waits for the system to call back. Then an analog dial-up
connection is made.

This system is still used to send OTP codes to users. To complete the
authentication, the system calls you back with an automated message that
includes the OTP.

A telephone call can also be used to verify the sender of an email and any
contents, such as file attachments. This can be used to avoid falling for
suspicious phishing emails. Some banks make a telephone call to confirm wire
transfers or EFT requests before committing to the funds being transferred.

Authenticator Application
It is a specific type of soft token that is available for smartphone platforms and
includes smartphone apps such as Google Authenticator, Authy, LastPass
Authenticator, or Microsoft Authenticator. These software applications also
generate a synchronous six-digit OTP code that has to be entered in the logon
screen flow within a short period of time, usually 30 or 60 seconds.

Keep all devices that you have powered on in their current state and
proceed to the review section.

https://www.practice-labs.com/app/platform/print.aspx 46/48
12/10/24, 5:24 PM Practice Labs | Print

Review
Well done, you have completed the Implementing Network Security Measures
Practice Lab.

Summary
You completed the following exercises:

Exercise 1 - Logical Security

You should now be able to:

Know about the Principle of Least Privilege

Explain the Uses of Access Control Lists (ACL)
Configure Email Security

You should now have further knowledge of:

Multifactor Authentication (MFA)

Using a Hard Token
Using a Soft Token
Short Message Service (SMS)
Voice Call
Authenticator Application

Feedback
Shutdown all virtual machines used in this lab. Alternatively, you can log out
of the lab platform.

https://www.practice-labs.com/app/platform/print.aspx 47/48
12/10/24, 5:24 PM Practice Labs | Print

https://www.practice-labs.com/app/platform/print.aspx 48/48