Try 10 focused CompTIA Server+ SK0-006 questions on Security and Compliance, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA Server+ SK0-006 |
| Topic area | Security and Compliance |
| Blueprint weight | 24% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Security and Compliance for CompTIA Server+ SK0-006. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 24% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Security and Compliance
A server engineer is reviewing a hardening checklist before placing newly racked virtualization hosts into production. Based on the access finding, what is the best next action?
Exhibit: Access finding
Hosts: HV-01, HV-02
Location: shared colocation cage
BMC/iLO network: reachable from admin VLAN
BMC login test: vendor default admin account accepted
UEFI setup: no setup password configured
OS image: current baseline applied
Options:
A. Disable the admin VLAN until patching completes
B. Change BMC defaults and set a UEFI setup password
C. Reinstall the OS image from trusted media
D. Enable only full-disk encryption on the hosts
Best answer: B
Explanation: Server hardening must include firmware and out-of-band management controls, not only the installed OS. A baseboard management controller such as iLO, iDRAC, or IPMI can power-cycle a server, mount virtual media, view consoles, and change settings. If vendor default credentials still work, anyone with network reachability could gain privileged hardware access. An unset UEFI/BIOS setup password also leaves firmware configuration exposed, especially in a shared facility. The OS baseline is already current, so the immediate gap is to replace default account credentials and protect firmware setup access.
Topic: Security and Compliance
A company is preparing a security review before deploying a new database server that will store confidential HR data. Reviewers need evidence that the server placement supports segmentation and that only required systems can communicate with it. Which network diagram is the best evidence to include?
Options:
A. Asset spreadsheet listing hostnames, serial numbers, and warranties
B. Physical cabling map showing switch ports and patch panels
C. Rack elevation showing server U positions and power feeds
D. Logical diagram with subnets, VLANs, trust boundaries, and allowed flows
Best answer: D
Explanation: For operational and security review, a network diagram should show the relationships needed to validate the design decision. A logical diagram that includes subnets, VLANs, trust boundaries, security zones, key server roles, and allowed traffic flows lets reviewers confirm that the HR database is placed in the correct segment and exposed only to approved systems. It can also support firewall rule review, change planning, audit evidence, and incident response. Physical diagrams and asset records are useful, but they do not prove whether the server is logically segmented or whether communication paths match the security requirement.
Topic: Security and Compliance
A company recently hardened directory authentication for a file-indexing server. Since the change, the application can no longer authenticate its service account. Security policy requires encrypted authentication and prohibits re-enabling legacy protocols. Monitoring shows the directory servers are reachable and healthy.
Exhibit: Access symptoms
Application log: LDAP bind failed: strongerAuthRequired
Directory audit: cleartext simple bind rejected
Network trace: app server -> directory server TCP/389
Vendor note: application supports LDAPS when a trusted CA chain is installed
Which action is the BEST professional decision?
Options:
A. Add the application server IP to the directory server hosts file
B. Grant the service account domain administrator privileges
C. Re-enable cleartext LDAP binds for the service account
D. Configure the application for LDAPS and install the trusted CA chain
Best answer: D
Explanation: The core issue is an authentication protocol mismatch, not a directory outage or permissions failure. The application is attempting a simple LDAP bind over TCP/389, while the directory policy now requires stronger, encrypted authentication. Because the vendor note confirms LDAPS support, the operationally sound fix is to configure the application to use LDAPS and trust the issuing CA chain. This restores access while preserving the hardening requirement and avoids creating an exception for a legacy protocol.
Re-enabling cleartext binds would violate the stated security policy and weaken Zero Trust controls. Privilege escalation or name-resolution changes do not address the visible protocol rejection.
Topic: Security and Compliance
A company completed a business impact analysis (BIA) and has budget to improve recovery for only one server service this quarter. Which recovery planning decision best aligns with the BIA findings?
| Service | Maximum tolerable downtime | Maximum tolerable data loss | Impact |
|---|---|---|---|
| Order processing | 30 minutes | 5 minutes | Revenue stops |
| Intranet portal | 8 hours | 4 hours | Internal delay |
| Dev wiki | 24 hours | 12 hours | Low productivity impact |
Options:
A. Prioritize cold-site recovery for order processing
B. Prioritize replicated standby recovery for the dev wiki
C. Prioritize daily backup recovery for the intranet portal
D. Prioritize replicated standby recovery for order processing
Best answer: D
Explanation: BIA connects business impact to recovery objectives. The service with the most severe business impact and the shortest acceptable outage and data-loss windows should drive the recovery design and funding priority. In this case, order processing has a 30-minute maximum tolerable downtime and a 5-minute maximum tolerable data loss, while the other services can tolerate much longer interruptions. A replicated standby design is more appropriate for a short RTO and short RPO than a cold-site or daily-backup-only approach. The key is to match recovery investment to business impact, not to treat all servers equally.
Topic: Security and Compliance
A server administrator is reviewing a network diagram during an audit of a payment application environment. The baseline requires the database tier to accept application traffic only from the application tier.
Exhibit: Current connectivity diagram
Internet -> FW1 -> DMZ VLAN 20: WEB01, WEB02
DMZ VLAN 20 -> FW3 -> Data VLAN 40: DB01 (TCP 1433 allowed)
App VLAN 30: APP01 -> FW3 -> Data VLAN 40: DB01 (TCP 1433 allowed)
Mgmt VLAN 10: ADMIN01 -> all servers (SSH/RDP allowed)
Which interpretation is best supported by the exhibit?
Options:
A. The web servers should be moved into the data VLAN
B. The database tier lacks approved administrative access
C. A segmentation exception exists between the DMZ and database tier
D. The diagram proves database traffic is unencrypted
Best answer: C
Explanation: Network diagrams can serve as operational and security evidence during audits because they show intended or discovered connectivity between server tiers. In this exhibit, the baseline says the database tier should accept application traffic only from the application tier. The diagram shows the expected APP01-to-DB01 path, but it also shows a direct DMZ VLAN 20-to-DB01 path on TCP 1433. That is a segmentation variance that should be validated against firewall rules, change records, and risk approvals.
The key takeaway is to interpret what the diagram actually proves: a permitted network path, not encryption status or a required server relocation.
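The check the explanation describes, parsing the text diagram and comparing each path against the baseline rule, can be automated. The following is an added example, not part of the original question set: it embeds the exhibit's four lines as a constructed sample, reduces each path to a source zone, destination zone and port, and reports any path that reaches a baseline-governed zone and port from a source the baseline does not approve. The `BASELINE` table and zone-naming convention are assumptions made for the example; as the explanation notes, the result is a list of permitted paths to validate against firewall rules and change records, not a statement about encryption.

```python
"""Segmentation variance check over a text connectivity diagram (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the four paths from the exhibit, one per line.
DIAGRAM = """\
Internet -> FW1 -> DMZ VLAN 20: WEB01, WEB02
DMZ VLAN 20 -> FW3 -> Data VLAN 40: DB01 (TCP 1433 allowed)
App VLAN 30: APP01 -> FW3 -> Data VLAN 40: DB01 (TCP 1433 allowed)
Mgmt VLAN 10: ADMIN01 -> all servers (SSH/RDP allowed)
"""

# Hypothetical baseline table: (destination zone, port) -> approved source zones.
# Encodes the audit rule "the database tier accepts application traffic only
# from the application tier". Paths to zone/port pairs not listed here are
# out of scope for this rule and are simply not evaluated.
BASELINE: Dict[Tuple[str, Optional[int]], Set[str]] = {
    ("Data", 1433): {"App"},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: Optional[int]
    line: str  # original diagram line, kept for the audit record


def zone_name(label: str) -> str:
    """Take the zone name from a label: 'DMZ VLAN 20: WEB01' -> 'DMZ'."""
    return label.strip().split()[0]


def parse_flows(text: str) -> List[Flow]:
    """Reduce each 'src -> [FWn ->] dst (TCP n allowed)' line to a Flow."""
    flows: List[Flow] = []
    for raw in text.splitlines():
        line = raw.strip()
        if "->" not in line:
            continue
        hops = [h.strip() for h in line.split("->")]
        src, dst = hops[0], hops[-1]          # firewall hops in between are ignored
        m = re.search(r"TCP (\d+)", dst)
        port = int(m.group(1)) if m else None  # None when no TCP port is stated
        dst = re.sub(r"\(.*\)", "", dst)       # drop the '(... allowed)' note
        flows.append(Flow(zone_name(src), zone_name(dst), port, line))
    return flows


def find_variances(flows: List[Flow],
                   baseline: Dict[Tuple[str, Optional[int]], Set[str]]) -> List[Flow]:
    """Return flows that reach a governed (zone, port) from a non-approved source."""
    variances: List[Flow] = []
    for f in flows:
        allowed = baseline.get((f.dst_zone, f.port))
        if allowed is not None and f.src_zone not in allowed:
            variances.append(f)
    return variances


def audit(text: str = DIAGRAM) -> List[Flow]:
    """Parse the diagram and return the segmentation variances it shows."""
    return find_variances(parse_flows(text), BASELINE)


if __name__ == "__main__":
    for v in audit():
        print(f"VARIANCE: {v.src_zone} -> {v.dst_zone} port {v.port}: {v.line}")
```

Running it reports the single DMZ-to-data-tier path on TCP 1433; the APP01 path is approved and the Internet and management paths are not governed by this rule, so they are not flagged.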
Topic: Security and Compliance
A server team must apply a critical firmware and driver bundle to a clustered database host pair. The vendor release notes list the exact controller model as supported, but the database has a 15-minute RTO and the change must be auditable. Which action is the BEST professional decision before applying the patches?
Options:
A. Skip testing because the controller is vendor-supported
B. Test on matching hardware and document a verified rollback plan
C. Patch both hosts immediately during business hours
D. Patch one host and create backups afterward
Best answer: B
Explanation: Patch preparation should reduce operational risk before production changes. For system, driver, firmware, or application patches, the team should test in a representative environment when feasible, confirm compatibility with the hardware and workload, schedule the change within an approved window, and verify rollback steps such as snapshots, image backups, configuration exports, or vendor-supported downgrade procedures. The 15-minute RTO makes rollback readiness especially important because an untested recovery path may exceed the allowed outage. Auditability also requires documented test results, approvals, implementation steps, and validation criteria. Vendor support is useful evidence, but it does not replace local testing and rollback planning.
Topic: Security and Compliance
A server team must apply a vendor-rated critical security patch to a customer-facing web cluster. The service has an approved maintenance window Sunday 01:00-03:00, but exploit activity is being reported in the wild. The cluster is load balanced, has a tested rollback snapshot process, and supports draining one node at a time. Which patch plan is the best professional decision?
Options:
A. Disable the public service until Sunday and patch during the window
B. Patch all nodes immediately without notice to remove exposure fastest
C. Wait for the next monthly window to avoid service risk
D. Patch nodes one at a time after change approval and customer notice
Best answer: D
Explanation: Critical patches with active exploitation should be prioritized, but production changes still need operational controls. In this scenario, the cluster can remain available by draining and patching one node at a time. The team should follow the emergency or expedited change process, communicate expected impact, validate each node after patching, and keep the tested rollback snapshot available. This addresses the security urgency without unnecessary downtime or unmanaged change risk.
The key takeaway is to reduce exposure quickly while preserving service availability and change discipline.
Topic: Security and Compliance
A server administrator is reviewing a data protection finding and must classify the needed encryption control. Which remediation addresses data in transit based on the exhibit?
Exhibit: Data handling findings
| Finding | Data state |
|---|---|
| VM backup repository on NAS | Stored on disk |
| Database volume on SSD | Stored on local storage |
| Admin portal uses HTTP | Moving between browser and server |
| Monthly archive on tape | Stored on removable media |
Options:
A. Enable TLS for the admin portal
B. Encrypt the monthly archive tapes
C. Encrypt the NAS backup volume
D. Enable database volume encryption
Best answer: A
Explanation: Encryption in transit protects data while it is being transmitted between systems, such as browser-to-server, server-to-server, or client-to-service communication. In the exhibit, the admin portal using HTTP is the only finding where the data is moving across a network without transport protection. TLS would protect credentials and session data during that communication. The other findings involve data stored on disks, volumes, or removable media, which are encryption-at-rest use cases.
Topic: Security and Compliance
A team manages six application servers that should have identical hardening settings. After two emergency fixes, audit findings show different firewall rules and local service settings across the servers. The manager wants future changes to be controlled and configuration drift reduced. Which implementation choice is best?
Options:
A. Disable drift alerts until all emergency fixes are completed
B. Replace the current baseline with the settings from the least-reported server
C. Allow administrators to update each server directly during maintenance windows
D. Compare servers to an approved baseline and route deviations through change control
Best answer: D
Explanation: Configuration baselines define the approved state for servers, such as firewall rules, services, versions, and hardening settings. Comparing systems to that baseline helps detect drift, while change records document why an approved deviation exists and who authorized it. In this scenario, the problem is not just that settings differ, but that emergency fixes created unmanaged variation. The best implementation is to use the approved baseline as the reference point, document proposed changes, review them through change control, and update the baseline only after approval. That keeps the environment consistent without blocking legitimate changes.
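The drift comparison the explanation describes, approved baseline as the reference, deviations detected per server, and approved exceptions tied to a change record, can be expressed as a small report. The following is an added example, not part of the original question set. The baseline keys, the three constructed server states and the `CHG-0000` change reference are all hypothetical; a real run would feed the `SERVERS` dictionary from whatever configuration-collection job the team uses.

```python
"""Configuration drift report against an approved baseline (added example)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical approved baseline for the application servers.
BASELINE: Dict[str, Any] = {
    "firewall.inbound": {"tcp/22", "tcp/443"},
    "service.telnet": "disabled",
    "service.ntp": "enabled",
    "ssh.password_auth": "no",
}

# Constructed current state for three servers after two emergency fixes.
SERVERS: Dict[str, Dict[str, Any]] = {
    "app01": {"firewall.inbound": {"tcp/22", "tcp/443"}, "service.telnet": "disabled",
              "service.ntp": "enabled", "ssh.password_auth": "no"},
    "app02": {"firewall.inbound": {"tcp/22", "tcp/443", "tcp/8080"}, "service.telnet": "disabled",
              "service.ntp": "enabled", "ssh.password_auth": "no"},
    "app03": {"firewall.inbound": {"tcp/22", "tcp/443"}, "service.telnet": "enabled",
              "service.ntp": "enabled", "ssh.password_auth": "yes"},
}

# Deviations that went through change control: (server, setting) -> change record.
# The change id below is a placeholder, not a real record.
APPROVED_EXCEPTIONS: Dict[Tuple[str, str], str] = {
    ("app02", "firewall.inbound"): "CHG-0000 (placeholder id)",
}


@dataclass
class Deviation:
    server: str
    key: str
    expected: Any
    actual: Any
    change_ref: Optional[str] = None  # set when an approved exception covers it


def diff_server(name: str, actual: Dict[str, Any], baseline: Dict[str, Any],
                exceptions: Dict[Tuple[str, str], str]) -> List[Deviation]:
    """Compare one server to the baseline; a missing setting counts as a deviation."""
    out: List[Deviation] = []
    for key, expected in baseline.items():
        got = actual.get(key, "<missing>")
        if got != expected:
            out.append(Deviation(name, key, expected, got, exceptions.get((name, key))))
    return out


def drift_report(servers: Dict[str, Dict[str, Any]] = SERVERS,
                 baseline: Dict[str, Any] = BASELINE,
                 exceptions: Dict[Tuple[str, str], str] = APPROVED_EXCEPTIONS
                 ) -> Dict[str, List[Deviation]]:
    """Split every deviation into 'approved' (has a change record) or 'unapproved'."""
    report: Dict[str, List[Deviation]] = {"unapproved": [], "approved": []}
    for name, actual in servers.items():
        for d in diff_server(name, actual, baseline, exceptions):
            report["approved" if d.change_ref else "unapproved"].append(d)
    return report


if __name__ == "__main__":
    rep = drift_report()
    for d in rep["unapproved"]:
        print(f"DRIFT  {d.server} {d.key}: expected {d.expected!r}, found {d.actual!r}")
    for d in rep["approved"]:
        print(f"OK     {d.server} {d.key}: deviation covered by {d.change_ref}")
```

On the sample data, app01 matches the baseline, app02's extra firewall rule is reported as an approved deviation with its change reference, and app03's enabled Telnet service and SSH password authentication are reported as unapproved drift. Only the baseline is changed when a deviation is approved, which is the point the explanation makes: the baseline stays the reference and change control, not the least-reported server, decides what it contains.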
Topic: Security and Compliance
A server administrator cannot access a management portal after a Zero Trust policy update. Use the exhibit to choose the best next IAM troubleshooting action.
Exhibit: Access finding
Resource: https://mgmt.example.com
Symptom: Access denied after successful MFA
| Policy requires | Finding |
|---|---|
| Verified identity | Password and MFA succeeded |
| Trusted device | Device compliance not checked |
| AdminOps role | AdminOps role changed yesterday |
| Admin VPN path | VPN connected; source path unverified |
| Trusted TLS certificate | Portal certificate renewed yesterday |
Options:
A. Disable certificate validation temporarily and retry the portal login
B. Correlate IAM logs, device compliance, RBAC, VPN path, and certificate validation
C. Reset the administrator password and require MFA re-enrollment
D. Add the administrator directly to the server local administrators group
Best answer: B
Explanation: A Zero Trust IAM failure should be validated across all enforced conditions, not treated as a simple password or permission issue. The exhibit shows identity proof succeeded, but device compliance, RBAC membership, network path, and the renewed certificate are still possible failure points. The best next action is to correlate the IAM policy decision or sign-in logs with the device trust status, role assignment, VPN/source path, and TLS certificate chain. That confirms which control denied access and avoids unnecessary privilege changes. A narrow fix may hide the real cause or introduce new risk.
Use the CompTIA Server+ SK0-006 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.