SY0-501 Question #107: Real Exam Question with Answer & Explanation
The correct answer is A: Vulnerability scanning.
Question
A company hires a consulting firm to crawl its Active Directory network with a non-domain account looking for unpatched systems. Actively taking control of systems is out of scope, as is the creation of new administrator accounts. For which of the following is the company hiring the consulting firm?
Options
- A. Vulnerability scanning
- B. Penetration testing
- C. Application fuzzing
- D. User permission
Explanation
The scenario describes a passive, non-exploitative assessment using a non-domain account to identify unpatched systems without actively compromising them, which defines vulnerability scanning.
Common mistakes.
- B. Penetration testing goes beyond identification and involves actively exploiting vulnerabilities to take control of systems, which is explicitly stated to be out of scope in this scenario.
- C. Application fuzzing is a technique used to test software applications by inputting malformed or random data to discover coding bugs or vulnerabilities, which is unrelated to crawling an Active Directory network for unpatched systems.
- D. User permission (or permission auditing) focuses on reviewing access rights and privileges assigned to accounts, not on identifying unpatched or vulnerable systems across a network.
Concept tested. Distinguishing vulnerability scanning from penetration testing
Reference. https://learn.microsoft.com/en-us/security/benchmark/azure/security-control-vulnerability-management