Security Architecture for CompTIA Security+

This page covers the Security Architecture domain of the CompTIA Security+ certification. Master Cybersecurity offers 124 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A company prevented direct access from the database administrators’ workstations to the network segment that contains database servers. Which of the following should a database administrator use to access the database servers?
    A. Jump server
    B. RADIUS
    C. HSM
    D. Load balancer
    Explanation

    The correct answer is: A. Jump server.

    When DBAs are blocked from reaching the database segment directly, the right administrative-access architecture is a jump server. DBAs authenticate to the jump server, which acts as a single controlled entry point; the security team audits exactly what they do there, and all onward access to the database segment flows through this one hardened hop. RADIUS is an authentication backend rather than an administrative gateway. An HSM stores key material and is unrelated to access architecture. A load balancer distributes traffic to backends but is not used for administrative access. The jump server is the SY0-701-named DBA-access pattern.

  2. Question 2

    An organization’s internet-facing website was compromised when an attacker exploited a buffer overflow. Which of the following should the organization deploy to best protect against similar attacks in the future?
    A. NGFW
    B. WAF
    C. TLS
    D. SD-WAN
    Explanation

    The correct answer is: B. WAF.

    The control best positioned to defend a public-facing website against buffer-overflow attacks is a web application firewall (WAF). A WAF inspects every HTTP request at layer 7 and blocks the malformed payloads that would trigger a buffer-overflow condition before they ever reach the application code. An NGFW provides layer-3-to-7 inspection in general but typically does not deliver the deep web-app-specific protections that a WAF does. TLS protects confidentiality and integrity in transit but does not detect attack payloads. SD-WAN optimizes WAN paths. The WAF is the SY0-701-named control for web-application attack defense.

  3. Question 3

    An engineer needs to find a solution that creates an added layer of security by preventing unauthorized access to internal company resources. Which of the following would be the best solution?
    A. RDP server
    B. Jump server
    C. Proxy server
    D. Hypervisor
    Explanation

    The correct answer is: B. Jump server.

    The right way to add a hardened layer in front of internal resources is a jump server. The jump server mediates administrative or controlled access to internal systems through a single, heavily audited entry point; everything else is closed at the perimeter. An RDP server is simply a host that accepts remote-desktop sessions, not a hardened access layer in its own right. A proxy server forwards traffic and may cache content, but it is not the same primitive as a jump-server-style controlled hop. A hypervisor is the foundation of virtualization and is unrelated to administrative access. The jump server is the SY0-701-named access-layer control.

  4. Question 4

    A company’s web filter is configured to scan the URL for strings and deny access when matches are found. Which of the following search strings should an analyst employ to prohibit access to non-encrypted websites?
    A. encryption=off
    B. http://
    C. www.*.com
    D. :443
    Explanation

    The correct answer is: B. http://.

    The substring that uniquely identifies non-encrypted web traffic in a URL is `http://`. The `http://` scheme indicates a cleartext HTTP request, while `https://` indicates a TLS-protected request; a web filter that blocks URLs containing the cleartext scheme keeps users off non-encrypted pages and pushes them to encrypted equivalents. `encryption=off` is not a URL scheme. `www.*.com` is a wildcard match on host names and would also catch legitimate HTTPS sites. `:443` would match HTTPS, the encrypted variant, and would block the wrong traffic. Matching on the literal `http://` substring is the SY0-701 web-filter pattern for blocking cleartext browsing.
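    To see why the four search strings behave so differently, here is an added example (not part of the practice page) that models the question's URL filter in Python, runs each candidate string against a constructed set of URLs, and compares the result with a scheme-based check. The sample URLs, the treatment of `*` as a wildcard, and the case-sensitive matching are assumptions of this example.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed sample browsing log for the demonstration (example.com is a reserved documentation domain).
SAMPLE_URLS = [
    "http://intranet.example.com/reports",                     # cleartext, should be denied
    "http://www.example.com/login",                            # cleartext, should be denied
    "HTTP://www.example.com/legacy",                           # cleartext, upper-case scheme
    "https://www.example.com/login",                           # encrypted, should be allowed
    "https://mail.example.com:443/inbox",                      # encrypted with explicit port, should be allowed
    "https://example.com/redirect?to=http://www.example.com/", # encrypted, cleartext URL only in the query
]

# The four candidate search strings from the question.
CANDIDATES = ["encryption=off", "http://", "www.*.com", ":443"]


def filter_denies(url: str, search_string: str) -> bool:
    """Model the question's web filter: deny when the search string occurs anywhere in the URL.
    '*' is treated as a wildcard (assumption) so that 'www.*.com' can match at all; matching is case-sensitive."""
    return fnmatch.fnmatchcase(url, "*" + search_string + "*")


def is_cleartext(url: str) -> bool:
    """Ground truth: the scheme decides whether the page is encrypted.
    Schemes are case-insensitive per RFC 3986, so normalise before comparing."""
    return urlparse(url).scheme.lower() == "http"


def score(search_string: str, urls=SAMPLE_URLS) -> dict:
    """Compare one candidate string against the scheme check: which cleartext URLs it misses
    and which encrypted URLs it wrongly blocks."""
    missed = [u for u in urls if is_cleartext(u) and not filter_denies(u, search_string)]
    overblocked = [u for u in urls if not is_cleartext(u) and filter_denies(u, search_string)]
    return {"missed_cleartext": missed, "blocked_encrypted": overblocked}


if __name__ == "__main__":
    for candidate in CANDIDATES:
        result = score(candidate)
        print(f"{candidate:15} missed={len(result['missed_cleartext'])} "
              f"overblocked={len(result['blocked_encrypted'])}")
```

    Only `http://` targets the scheme, which is what actually distinguishes cleartext from encrypted pages; the run also shows the two practical caveats of a plain substring rule (an upper-case `HTTP://` slips through, and an HTTPS URL carrying a cleartext URL in its query string is blocked), which is why a production filter normalises case and matches on the parsed scheme.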

  5. Question 5

    A company needs to provide administrative access to internal resources while minimizing the traffic allowed through the security boundary. Which of the following methods is MOST secure?
    A. Implementing a bastion host
    B. Deploying a perimeter network
    C. Installing a WAF
    D. Utilizing single sign-on
    Explanation

    The correct answer is: A. Implementing a bastion host.

    The most secure way to provide administrative access to internal resources is a bastion host. The bastion host is a single, hardened, heavily monitored entry point through which administrators reach internal systems; every other administrative path is closed at the firewall, which collapses the attack surface to one tightly controlled gateway. A perimeter network exposes services to outside users and is not specifically an administrative-access pattern. A WAF protects web applications against application-layer attacks rather than gating administrative entry. Single sign-on simplifies authentication but does not by itself provide the network-traffic gate that a bastion does. The bastion host is the SY0-701-named control.
