Which IPSec Authentication Header (AH) protocol mechanism provides authentication?
- Verification of the packet's destination address
- Confirmation via the packets' sequence numbers
- Credentials within the IPSec header
- Comparison of Integrity Check Value hash values
Answer: Comparison of Integrity Check Value hash values
( Explanation )
To provide authentication, a shared key is used to create the Integrity Check Value (ICV) hash. The key is negotiated between the sender and recipient before communication starts. The ICV hash value can only be recreated using the same key. Thus, if the recipient can re-compute the hash using the key previously agreed upon with the sender, the message has been authenticated as originating from that sender.
SANS 401 Practice Exam, 2/14/26, 9:32 AM
What could a systems administrator do to protect data in a virtualized cloud environment?
- Build on third-party application programming interfaces
- Encrypt the snapshots of the virtual machines
- Avoid using data fragmentation for public servers
- Apply the same security patches to the hypervisor and virtual machines
Answer: Encrypt the snapshots of the virtual machines
( Explanation )
Encrypting VM snapshots helps prevent them from being stolen or cloned. If an attacker is able to access a snapshot, they would have access to the data for that particular VM. Building on a third-party API means depending on the security of that API, which increases risk and is not a sound security practice. Oftentimes in a virtual environment, the hypervisor is running a different OS than the virtual machines; in that case, an administrator could not apply the same patches to different OSes.
Data fragmentation in a cloud environment is splitting a file over multiple locations so that a user (or attacker) has to obtain a certain number of file fragments in order to read the file. This is a security enhancement, not something to avoid.
In which directory can executable programs that are part of the operating system be found?
- /
- /var
- /lib
- /dev
- /usr/bin
- /home
INCORRECT ON PT
Answer: /usr/bin
The Windows Firewall (WF) provides a popup when a new service attempts to listen on your machine. Which of the following should you train users to select, from a security perspective, if they are unsure of which option to choose?
- Keep Blocking
- Increase Security Level
- Safe Mode
- Send Request to Administrator
Answer: Keep Blocking
( Explanation )
The three available options for Windows Firewall are Keep Blocking, Unblock and Ask Me Later. Keep Blocking does not allow the program to acquire a listening port. You should train your users to choose this option whenever there is any doubt as to what they should do. There are no Safe Mode or Send Request to Administrator options.
Which threat will be reduced by avoiding system calls from within a web app?
Answer: OS command injection
( Explanation )
The primary way to avoid OS command injection attacks is to avoid system calls from your web application, especially when the system call is built from user input. In most cases, you should be able to find a function or library within your programming language that performs the same action without invoking a shell.
How often, by default, does Windows Group Policy check for updated policies?
- Once a day
- Within 30 minutes of an applied policy change
- Every quarter hour
- Every 90-120 minutes
INCORRECT ON PT
Answer: Every 90-120 minutes
( Explanation )
When a computer boots up, it downloads the GPOs assigned to it and applies them automatically. Every 90-120 minutes thereafter, the computer checks whether any of the GPOs assigned to it have changed; if any have, those are downloaded and applied automatically even if the computer has not rebooted. 0-30 minutes, 30-60 minutes and 120-180 minutes are durations a group policy could be modified to use, but the standard refresh interval used by Group Policy is 90-120 minutes.