Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

Sign inSign in with Facebook
Sign inSign in with Google

Take the CompTIA Security+ SY0-201 Practice Quiz and Test Your Knowledge

Ready for Security+ quiz questions on configuration baselines? Dive in and start scoring!

Difficulty: Moderate
2-5mins
Learning OutcomesCheat Sheet
Paper art cybersecurity shield checklist and gears on coral background for CompTIA Security plus SY0-201 practice quiz

Use this CompTIA Security+ SY0-201 practice quiz to practice configuration baseline concepts and related controls. You'll answer focused, exam-style questions so you can spot gaps before the test and build confident recall. When you're done, check your next steps with a deeper systems security assessment .

What is a configuration baseline in security management?
A backup of user data for disaster recovery
A performance benchmark for server CPU usage
A set of minimum security settings to maintain system integrity
A network topology diagram for baselining traffic
A configuration baseline defines the minimum acceptable security settings for systems to maintain integrity and consistency across an environment. It serves as a reference point for monitoring and controlling configuration changes. Without a baseline, unauthorized or insecure changes can go undetected.
Which command in Linux displays active processes and can help verify baseline compliance?
netstat -a
chmod 755
ifconfig
ps -aux
The ps -aux command lists all active processes on a Linux system and is useful for comparing running services to an approved baseline. Network commands like netstat focus on connections, while ifconfig shows interfaces. File permission commands do not list processes.
What is the principle of least privilege when establishing baselines?
Rotating all privileges among users daily
Granting users only the permissions they need to perform their duties
Allowing users to request any privilege without justification
Giving all users full administrative rights by default
The principle of least privilege ensures users receive only the permissions necessary for their tasks, reducing the attack surface. Overly broad privileges can lead to accidental or malicious misuse. Proper baselining enforces strict role-based access control.
Why is disabling unnecessary services part of baseline hardening?
To increase system performance only, security is unaffected
To comply with software licensing terms
To reduce potential attack vectors and minimize vulnerabilities
To make systems more user-friendly
Disabling unused services removes software that could be exploited by attackers, thereby reducing the system's attack surface. While performance may improve, the primary security benefit comes from fewer potential vulnerabilities. Baseline configurations list only required services.
What is hardening in the context of baseline configuration?
Applying security measures to reduce vulnerabilities
Increasing disk space on a server
Updating graphical user interfaces
Encrypting user data only
Hardening is the process of applying security controls - such as patching, removing default passwords, and disabling unused services - to strengthen a system. It directly supports maintaining a secure baseline. Simply encrypting data or GUI updates are narrower tasks.
Which port is typically used by SSH, which should be included in a baseline firewall policy?
22
21
23
80
SSH uses TCP port 22 by default, and including it in a baseline firewall policy ensures secure remote administration. Port 21 is FTP, 23 is Telnet, and 80 is HTTP. Accurate port definitions are critical for baseline alignment.
What is an approved application list in baseline management?
A list of banned applications
A whitelist of software authorized for use on systems
A log of all installed hardware
A directory of user account names
An approved application list (whitelist) specifies software permitted for installation, helping enforce consistency and security. Banned software lists are blacklists, which are less effective. Hardware logs and user directories are unrelated to application control.
Why should default passwords be changed according to baseline best practices?
Because default passwords are too complex
Because it improves network throughput
Because default credentials are widely known and easily exploited
Because users prefer their own passwords
Default passwords are public knowledge and pose a critical security risk if not changed. Baseline configurations mandate updating or removing defaults to prevent unauthorized access. Network performance is unrelated to password policies.
What is the primary purpose of version control in baseline configuration?
To track and restore approved configurations over time
To encrypt data at rest
To speed up network traffic
To manage physical asset inventory
Version control systems like Git allow administrators to track configuration changes, revert to known-good baselines, and audit history. This underpins consistency and rollback capabilities. It does not directly affect traffic speeds or encryption.
What is a configuration drift?
Encrypted network traffic
A performance optimization process
Changes that deviate from the established baseline over time
A backup snapshot of a system
Configuration drift refers to undocumented changes that cause systems to diverge from the approved baseline, potentially creating security gaps. Regular auditing and automated tools help detect drift. It is not a backup or performance process.
Which file-hashing algorithm is commonly used to verify integrity against a baseline?
AES-128
RC4
SHA-256
DES
SHA-256 is a secure cryptographic hash used for verifying file integrity against a known baseline. DES and RC4 are encryption algorithms, not suited for hashing. AES is also a cipher rather than a hash function. https://csrc.nist.gov/Projects/Hash-Functions
What role does patch management play in maintaining a secure baseline?
It monitors network bandwidth
It ensures systems remain up to date against known vulnerabilities
It encrypts email communications
It backs up user data daily
Patch management updates software to remediate vulnerabilities, keeping systems aligned with the security baseline. Without regular patching, systems drift into insecure states. Data backup and encryption are separate controls.
Which tool can automate baseline compliance checks on Windows systems?
Microsoft Security Compliance Toolkit
Nmap
Putty
Wireshark
The Microsoft Security Compliance Toolkit includes tools and templates for assessing system configurations against recommended baselines. Wireshark and Nmap are network scanners, while PuTTY is an SSH client.
Why is monitoring baseline deviations important in security operations?
To reduce disk fragmentation
To allocate more IP addresses
To improve graphical display performance
To detect unauthorized or risky changes promptly
Monitoring baseline deviations allows security teams to identify and investigate unauthorized or potentially malicious changes, maintaining integrity. Other choices are unrelated to security baselining. Prompt detection supports rapid remediation.
What is the purpose of an integrity check in baseline management?
To increase network speed
To backup the system disk
To verify that files match expected cryptographic hashes
To measure system CPU load
Integrity checks use hash comparisons to ensure that files have not been altered outside of approved changes, protecting the baseline. CPU load, backups, and network speed are not related to file integrity verification.
What is a master image in the context of baseline deployment?
A backup of network device configs
A user's personal desktop configuration
A set of log files for auditing
A standardized, preconfigured system template used for new deployments
A master image is a gold-standard system image containing approved OS settings, patches, and applications. It ensures consistency when deploying new systems. Personal configs, backups, or logs are different artifacts.
What is configuration drift and how is it typically detected?
Network latency spikes, detected by ping tests
Hardware failures, detected by SMART logs
User password resets, detected by helpdesk tickets
Undocumented changes from the baseline, detected by automated auditing tools
Configuration drift occurs when systems diverge from their approved baselines due to undocumented changes. Tools like SCC or Chef audit current settings against the baseline to detect drift. Network latency and hardware logs are unrelated.
Which standard provides benchmarks for secure baseline configurations?
ISO 9001
COBIT
ITIL
CIS Benchmarks
Center for Internet Security (CIS) Benchmarks offer industry-recognized best practices for secure configuration baselines across platforms. ISO 9001 focuses on quality management, COBIT on governance, and ITIL on service management.
In a baseline management program, what is an exception procedure?
A user request for additional privileges
A report on network performance
An automated rollback to factory defaults
A documented process for approving deviations from the baseline
An exception procedure allows for formally documented and approved deviations from the baseline, ensuring changes are tracked and justified. Automated rollbacks and privilege requests are separate processes.
Which feature of a configuration management database (CMDB) supports baseline tracking?
Real-time user chat logs
Versioning of configuration items over time
Email archives
VPN connection records
A CMDB's versioning capability records changes to configuration items, making it possible to compare current states to baselines. Chat logs, email, and VPN records are unrelated to configuration tracking.
How often should critical security baselines be reviewed?
Only when an incident occurs
Once every five years
At least quarterly or after major changes
Never, once set they remain static
Critical baselines should be reviewed quarterly or after significant system or threat environment changes to ensure they remain effective. Leaving baselines static or reviewing too infrequently can lead to outdated controls.
What differentiates patch management from configuration management?
There is no difference
Patch management focuses on software updates; configuration management covers broader system settings
Patch management handles hardware inventory only
Configuration management is only for network devices
Patch management specifically applies software updates to remediate vulnerabilities, while configuration management encompasses the full range of system and settings control. They are distinct but complementary processes.
Which tool can detect unauthorized registry changes on Windows as part of baseline monitoring?
Snort
Zenmap
Tripwire for Windows
OpenVAS
Tripwire for Windows can monitor and alert on unauthorized changes to the registry by comparing current states to a secure baseline. Zenmap is a network mapper, Snort an IDS, and OpenVAS a vulnerability scanner.
What is the benefit of using snapshots in virtual environments for baselining?
Improve CPU performance
Quickly revert to a known-good configuration state
Increase storage capacity
Encrypt virtual disk files
Snapshots capture the exact state of a VM at a point in time, allowing administrators to revert systems to a secure baseline quickly after misconfiguration or compromise. They do not inherently boost CPU or disk capacities.
How can a SIEM system aid in baseline configuration monitoring?
By patching vulnerabilities automatically
By managing user passwords
By aggregating logs and alerting on deviations from baseline events
By encrypting network traffic
SIEM systems collect and correlate logs from devices, detecting events that deviate from established baselines and triggering alerts. They do not directly patch systems, encrypt traffic, or manage passwords.
In baseline management, what is rollback planning?
Removing default services
A strategy to restore systems to the last known-good configuration
A backup of user profiles only
Increasing system logging
Rollback planning involves preparing procedures and tools to revert changes that break functionality or security controls, restoring the previous baseline. It is more comprehensive than simple data backups or logging adjustments.
Which protocol is most appropriate for securely transmitting baseline configuration files to remote devices?
SFTP
Telnet
TFTP
HTTP
SFTP uses SSH to encrypt files in transit, protecting baseline configurations from interception. TFTP is unencrypted, HTTP is insecure, and Telnet is not a file transfer protocol.
What is the first step in developing a secure configuration baseline?
Inventory all hardware and software assets
Install endpoint antivirus
Deploy firewalls on every system
Encrypt all data at rest
Before defining a baseline, you must know exactly which hardware and software exist so you can tailor configurations appropriately. Deploying firewalls or encryption should follow after inventory and risk assessment.
Why is documenting baseline configurations crucial for compliance audits?
It hides vulnerabilities from auditors
It improves the speed of system backups
It lowers bandwidth usage
It provides evidence of approved settings and control enforcement
Documentation of baseline configurations demonstrates to auditors that security controls are defined, approved, and enforced. It does not affect backup speed or network bandwidth and certainly does not conceal vulnerabilities.
What is automated remediation in baseline management?
Network performance tuning
Manual patch review
Real-time user password resets
Automatic correction of deviations back to the approved baseline
Automated remediation uses scripts or management tools to detect and correct configuration deviations, ensuring systems quickly return to the approved baseline. It is distinct from manual processes or unrelated tasks.
How can Infrastructure as Code (IaC) tools like Terraform support baseline consistency?
By manually tracking hardware serial numbers
By defining and enforcing infrastructure settings in version-controlled code
By performing real-time vulnerability scans
By encrypting network traffic
IaC tools codify infrastructure configurations, ensuring environments are automatically provisioned to match approved baselines. Version control enables auditing changes. This differs from manual asset tracking or scanning tasks.
What challenge does group policy inheritance present when maintaining baselines?
It only affects Linux systems
It replaces all local firewall rules
Unintended policies may apply to child objects without explicit review
Group policy never updates once set
Group Policy inheritance can cause policies from parent OUs to apply to children, potentially introducing settings outside the intended baseline. Administrators must carefully review GPO links and inheritance blocking. It applies to Windows domain environments.
In a DevSecOps pipeline, how is baseline configuration enforced?
By manually reviewing each commit
By storing passwords in plain text
By integrating automated configuration tests into CI/CD workflows
By disabling all testing environments
DevSecOps pipelines embed configuration checks and policy tests into continuous integration and delivery, ensuring baseline compliance before deployment. Manual reviews alone cannot scale effectively. Secure credential handling and testing environments are essential.
Which SCAP component defines specific configuration checks for baselines?
XCCDF
NTP
VPN
SNORT
The Extensible Configuration Checklist Description Format (XCCDF) is part of SCAP and contains the checklists and benchmarks for assessing configurations against baselines. SNORT is an IDS, NTP a time protocol, and VPN is a tunneling technology.
What is a key benefit of storing baselines in a version control system like Git?
Track changes, enable rollbacks, and support audit trails
Automatically patch operating systems
Monitor network bandwidth
Encrypt user credentials
Version control systems record history of baseline changes, allowing rollback to previous known-good states and providing transparent audit trails for compliance. They do not inherently patch OS or monitor networks.
How does a Security Content Automation Protocol (SCAP) scanner improve baseline validation?
By preventing phishing emails
By routing network traffic
By encrypting data at rest
By automatically checking systems against standardized configuration benchmarks
SCAP scanners apply standardized security benchmarks (like XCCDF and OVAL) to automatically assess system configurations against baselines. They do not handle encryption, email security, or traffic routing.
What is change window scheduling in configuration management?
Random intervals for emergency patches
Permanent change freezes
Predefined times when approved changes can be applied
Daily system shutdowns
A change window defines scheduled maintenance periods during which validated changes to baselines can be safely applied, minimizing impact. Random or emergency changes lack planning, and permanent freezes hinder necessary updates.
How can containerization (e.g., Docker) simplify baseline enforcement?
By increasing hardware resource usage
By packaging applications with their exact configuration dependencies
By replacing firewalls
By encrypting network packets
Containers bundle applications with their specific runtime and configuration, ensuring environments consistently match the approved baseline across hosts. They do not handle encryption or firewall functions directly.
What is impact analysis in the context of baseline changes?
Measuring network latency
Assessing potential effects of proposed configuration changes before implementation
Generating user account reports
Backing up data after changes
Impact analysis evaluates how changes to a baseline may affect security, performance, and availability before applying them. This helps prevent unintended disruptions. Backup and monitoring tasks are separate.
Which baseline consideration is unique for IoT devices?
They use standard enterprise Active Directory
They always support full disk encryption
Limited resources require lightweight configurations
They never need software updates
IoT devices often have constrained CPU, memory, and storage, necessitating minimalistic and efficient baselines. They still require updates and may not integrate with enterprise directories or support full disk encryption.
How does cloud orchestration tools (e.g., Ansible) help maintain baselines?
By increasing physical server counts
By managing user support tickets
By automating configuration deployment and enforcement across hosts
By automatically detecting phishing
Tools like Ansible use playbooks to consistently apply and enforce baseline configurations across multiple systems, reducing manual errors. They do not handle ticketing or phishing detection.
What is continuous monitoring in baseline management?
Monthly antivirus scheduling
Quarterly patch review
Ongoing assessment of system configurations to detect deviations in real time
Once-a-year security audit
Continuous monitoring uses automated tools to check live system configurations against baselines, allowing immediate detection and response to unauthorized changes. Periodic audits or patch reviews are not continuous.
How does Zero Trust architecture influence baseline management?
Removes all baseline requirements
Requires strict, identity-based baselines with continuous validation
Automatically trusts internal traffic
Only uses perimeter firewalls
Zero Trust mandates never trusting and always verifying, so baselines must enforce granular, identity-aware controls and continuous validation. Traditional perimeter-based models do not suffice.
In PCI DSS environments, what baseline requirement is critical for cardholder data protection?
Allowing default vendor settings
Disabling all logging
Using Telnet for remote management
Implementing secure configuration standards for all system components
PCI DSS Requirement 2 mandates removing default settings and implementing strong, vendor-specified baselines to protect cardholder data. Default credentials and insecure protocols violate these standards.
What advanced technique uses policy-as-code to enforce baselines automatically?
Manual firewall rule updates
Weekly system reboots
Monthly paperwork audits
OPA (Open Policy Agent) integrated with IaC pipelines
OPA allows defining and enforcing compliance policies in code, which can be integrated into IaC pipelines for automatic baseline validation. Manual updates or paper audits do not scale in modern DevOps environments.
How can microservices architectures affect baseline security strategies?
One baseline for the entire monolithic stack is sufficient
Only database servers need baselines
Each service requires its own minimal, immutable baseline configuration
Baselines are unnecessary in microservices
Microservices break applications into discrete components, each needing its own lightweight, immutable baseline to ensure uniform security posture. A single monolithic baseline cannot adequately cover diverse services.
Which practice best supports automated baseline enforcement in cloud-native environments?
Static spreadsheets for tracking
Manual approval via email
Weekly manual firewall audits
Using Kubernetes admission controllers with policy frameworks
Kubernetes admission controllers can enforce policies at deploy time, automatically rejecting non-compliant resources and maintaining cloud-native baselines. Manual or spreadsheet-based processes are error-prone and not scalable.
0
{"name":"What is a configuration baseline in security management?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What is a configuration baseline in security management?, Which command in Linux displays active processes and can help verify baseline compliance?, What is the principle of least privilege when establishing baselines?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Study Outcomes

  1. Understand Configuration Baseline Concepts -

    Clarify which of the following best describes a configuration baseline and why it's essential for maintaining consistent, secure system settings.

  2. Analyze Security+ Configuration Baseline Scenarios -

    Examine real-world examples to identify and assess baseline configurations that align with best practices in threat prevention.

  3. Apply CompTIA Security+ SY0-201 Quiz Strategies -

    Use proven techniques to tackle CompTIA SY0-201 practice questions effectively and boost your confidence on exam day.

  4. Evaluate Quiz Performance with Instant Feedback -

    Review results and insights immediately to pinpoint weaknesses and focus your study plan on high-impact areas.

  5. Reinforce Security Fundamentals for Certification Readiness -

    Strengthen your understanding of core topics and prepare thoroughly for the Security+ certification exam.

Cheat Sheet

  1. Definition of a Configuration Baseline -

    A configuration baseline is a documented set of system settings that serve as a trusted reference point (NIST SP 800-128). Remember the mnemonic "SPARTA" (Security Policy And Required Trusted Assets) to recall baseline components: OS, apps, and security settings. Mastering this concept is vital for CompTIA Security+ SY0-201 quiz success and helps answer "which of the following best describes a configuration baseline."

  2. Creating and Documenting Baselines -

    Follow a structured process: inventory assets, capture default configurations, and record deviations (SANS Institute guidelines). Use a table or spreadsheet to log baseline values and tools used, reinforcing accuracy. This framework aids in both real-world deployments and CompTIA SY0-201 practice questions on documentation standards.

  3. Change Management Integration -

    Incorporate configuration baselines into a formal change control workflow (ITIL or ISO/IEC 20000) to track approved modifications. A simple change model - Request, Review, Approve, Implement - can be remembered by the acronym "RR-AI." This approach is frequently tested in Security+ quiz questions about maintaining integrity.

  4. Automated Baseline Assessment Tools -

    Leverage industry tools like CIS-CAT, SCAP-compliant scanners, and Microsoft SCCM to compare live configurations against your baseline (CIS Benchmarks). Automating scans reduces manual effort and improves consistency when preparing for the CompTIA Security+ SY0-201 quiz. Hands-on practice with these tools enhances your ability to troubleshoot configuration drift.

  5. Continuous Monitoring and Auditing -

    Establish recurring audits and real-time alerts using SIEM solutions (e.g., Splunk, ELK) to detect deviations from your Security+ configuration baseline. Track metrics such as patch compliance rates and configuration drift over time to spot trends. This ongoing vigilance is key to acing CompTIA SY0-201 practice questions on monitoring.

Powered by: Quiz Maker