Mitigating Concerns of Vulnerability Scanner Service Account - Best Practices | CompTIA Security+ Exam SY0-601

Best Practices for Configuring Vulnerability Scanner Service Account


Question

A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries.

The consultant will be using a service account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to the account and pivot throughout the global network.

Which of the following would be BEST to help mitigate this concern?

A. Create different accounts for each region, each configured with push MFA notifications.

B. Create one global administrator account and enforce Kerberos authentication.

C. Create different accounts for each region, limit their logon times, and alert on risky logins.

D. Create a guest account for each region, remember the last ten passwords, and block password reuse.

Answer: A.

Explanations


Option A, creating different accounts for each region and configuring them with push MFA notifications, is the best choice for mitigating the concern that hackers could gain access to the service account and pivot throughout the global network. The concern has two parts, and option A addresses both. Splitting the scanner's administrative rights into one account per region limits how far a compromised credential can reach: an attacker who captures one region's scanner account cannot use it against hosts in the other regions, so the pivot across the global network is contained. Push MFA adds a second factor, so a stolen or cracked password alone is not enough to use the account at all.

One practical caveat: an unattended weekly scan cannot answer an interactive push prompt, so in a real deployment the MFA step has to be satisfied when the scanner retrieves its credentials (for example at checkout from a privileged credential vault) rather than at every logon. The question, however, is comparing the controls each option offers, and MFA is the only option that adds a second authentication factor.

Here's why the other options fall short:

Option B, creating one global administrator account and enforcing Kerberos authentication, is the weakest choice. A single account with administrative rights everywhere gives an attacker who compromises it the entire global network in one step. Kerberos changes how the account authenticates, not what the account can reach, so it does nothing to limit the blast radius of a compromised credential.

Option C, creating different accounts for each region, limiting their logon times, and alerting on risky logins, is a good choice, and its controls are worth layering on top of option A: restricting logon hours to the scheduled scan window and alerting on logons from unexpected sources or at unexpected times makes misuse of a scanner account much easier to spot. It ranks below option A because it relies on detecting misuse after the fact rather than adding a second authentication factor that stops a stolen password from being used in the first place.

Option D, creating a guest account for each region, remembering the last ten passwords, and blocking password reuse, is not a good choice. A guest account does not carry the administrative privileges the scanner needs, so the scan itself would not work. Password history (remembering the last ten passwords) and blocking reuse are ordinary password hygiene: they stop the account from cycling back to an old password, but they do nothing against an attacker who already holds the current credential, and they do not limit where or when the account can log on.

In summary, option A, creating different accounts for each region and configuring them with push MFA notifications, is the best choice. Per-region accounts limit the scope of any single compromised credential, and push MFA adds a layer of security beyond the username and password, so together they address both gaining access to the account and pivoting across the global network.
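The scoping idea behind options A and C can be turned into a concrete detection. The example below is added here and is not part of the question or its explanation; it assumes a hypothetical design with one scanner account per region (svc-vscan-emea, svc-vscan-apac, svc-vscan-amer), each expected to authenticate only to hosts inside its own region's address space and only during the weekly scan window. The account names, subnets, scan window and log lines are all constructed for illustration. Any logon by a regional scanner account that touches another region, originates outside its region, or happens outside the scan window is the "pivot" the question worries about and is raised as an alert.

```python
"""Flag per-region vulnerability-scanner service accounts used outside their scope.

Added example for this page, not code from the question or its source.
Assumes a hypothetical design: one scanner account per region, allowed to
authenticate only to hosts inside that region's address space and only
during the weekly scan window. All names, subnets and log lines below are
constructed for illustration.
"""
from datetime import datetime, timezone
import ipaddress

# Hypothetical scope per regional scanner account: the region's address
# space, the weekday of the scan (Monday=0 ... Sunday=6) and the UTC hours
# [start, end) during which the weekly scan is expected to run.
REGION_SCOPE = {
    "svc-vscan-emea": {"net": ipaddress.ip_network("10.10.0.0/16"), "weekday": 6, "hours": (1, 5)},
    "svc-vscan-apac": {"net": ipaddress.ip_network("10.20.0.0/16"), "weekday": 6, "hours": (1, 5)},
    "svc-vscan-amer": {"net": ipaddress.ip_network("10.30.0.0/16"), "weekday": 6, "hours": (1, 5)},
}

# Constructed authentication events in a simple key=value format.
# 2024-03-10 is a Sunday (inside the scan window); 2024-03-13 is a Wednesday.
SAMPLE_LOG = """\
2024-03-10T02:15:00Z LOGON user=svc-vscan-emea src=10.10.5.20 dst=10.10.7.8 result=success
2024-03-10T03:05:00Z LOGON user=svc-vscan-apac src=10.20.1.10 dst=10.30.1.1 result=success
2024-03-13T14:30:00Z LOGON user=svc-vscan-emea src=10.20.3.4 dst=10.20.9.9 result=success
2024-03-13T14:31:00Z LOGON user=jsmith src=10.10.5.21 dst=10.10.7.9 result=success
"""


def parse_event(line):
    """Parse one log line into a dict with a timezone-aware UTC timestamp."""
    ts, _action, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def assess(event):
    """Return the list of scope violations for one event (empty if clean).

    Only the scanner accounts in REGION_SCOPE are checked here; ordinary
    user logons belong to other detections and are skipped.
    """
    scope = REGION_SCOPE.get(event.get("user"))
    if scope is None:
        return []
    findings = []
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    # The scanner host itself is expected to sit inside the region it scans.
    if src not in scope["net"]:
        findings.append("source_outside_region")
    # A regional account reaching another region's hosts is lateral movement.
    if dst not in scope["net"]:
        findings.append("target_outside_region")
    t = event["time"]
    start, end = scope["hours"]
    if t.weekday() != scope["weekday"] or not (start <= t.hour < end):
        findings.append("outside_scan_window")
    return findings


def scan_logs(text):
    """Return (user, ISO timestamp, findings) for every event that violates its scope."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        findings = assess(event)
        if findings:
            alerts.append((event["user"], event["time"].isoformat(), findings))
    return alerts


if __name__ == "__main__":
    for user, when, findings in scan_logs(SAMPLE_LOG):
        print(f"ALERT {when} {user}: {', '.join(findings)}")
```

Run against the constructed log, the first line is a normal in-window, in-region scan and produces nothing; the apac account scanning an amer host is flagged as a cross-region target, and the emea account logging on from an apac address to an apac host on a Wednesday afternoon trips all three checks. The region boundary is what option A's separate accounts give you; the time window and the alert are the controls option C describes.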