SY0-501 · Question #125

SY0-501 Question #125: Real Exam Question with Answer & Explanation

The correct answer is B: Use a configuration compliance scanner.

Submitted by wei.xz · Mar 4, 2026 · Security operations

Question

As part of a new industry regulation, companies are required to utilize secure, standardized OS settings. A technician must ensure the OS settings are hardened. Which of the following is the BEST way to do this?

Options

  • A. Use a vulnerability scanner.
  • B. Use a configuration compliance scanner.
  • C. Use a passive, in-line scanner.
  • D. Use a protocol analyzer.

Explanation

OS Hardening and Configuration Compliance

Using a configuration compliance scanner is the best choice because it is specifically designed to compare system settings against established security benchmarks and standards (such as CIS Benchmarks or STIG guidelines), ensuring OS configurations meet the required hardened state - directly addressing the regulation's requirement for standardized, secure settings.

Why the distractors are wrong:

  • A (Vulnerability Scanner): Identifies known vulnerabilities and weaknesses, but doesn't verify whether specific configuration settings meet a compliance standard
  • C (Passive, In-line Scanner): Monitors network traffic passively and cannot assess OS configuration settings at all
  • D (Protocol Analyzer): Captures and inspects network packets/protocols, which has nothing to do with OS hardening compliance

🧠 Memory Tip: Think of it this way - "Compliance scanner checks compliance." When a regulation demands standardized settings, the tool with "compliance" in its name is your answer. The keyword chain is: regulation → standards → configuration compliance scanner.

Topics

#Configuration compliance #Security hardening #OS security #Security tools
