Free GDSA Zero Trust Endpoints and Host Hardening Practice Test 2026 — GIAC Defensible Security Architect Questions
This free GDSA Zero Trust Endpoints and Host Hardening practice test covers Zero Trust endpoints, host hardening, EDR, application control, host firewalls, and privileged access management. Each question includes a detailed explanation with defensible-architecture context — perfect for GDSA exam prep.
Key Topics in GDSA Zero Trust Endpoints and Host Hardening
- Endpoint Hardening
- EDR
- Application Whitelisting
- Host Firewalls
- Patch Management
- Privileged Access
6 Free GDSA Zero Trust Endpoints and Host Hardening Practice Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank for the Zero Trust Endpoints and Host Hardening domain (10% of the exam).
Sample Question 1 — Zero Trust Endpoints and Host Hardening
A hybrid enterprise patched operating systems monthly but experienced two initial-access incidents through an outdated browser component and a document viewer on remote laptops. Leadership wants one program change that will most directly reduce similar compromises without waiting for users to return to the office. Which change is best?
- A. Automate patching for operating systems and common third-party applications on remote endpoints (Correct answer)
- B. Patch operating systems more often and leave third-party applications to manual updates
- C. Require all remote users to reconnect to VPN each morning before starting work
- D. Increase email phishing simulations and keep the current endpoint update process
Correct answer: A
Explanation: Correct answer (A): The incidents came through non-OS software, so the strongest corrective action is automated patch management that covers both operating systems and commonly exploited third-party applications. Remote and hybrid work increases the importance of endpoint-native maintenance because users are often outside direct enterprise network visibility. Broadening patch coverage closes a common initial-access path more effectively than VPN process changes or awareness alone.
Why the other options are wrong:
- Option B: Improving only OS patch speed still leaves a major exposed surface, since browsers and document tools were the actual initial-access vectors.
- Option C: VPN use may help with routing or policy delivery, but it does not remediate vulnerable applications already running on the laptop.
- Option D: User awareness can reduce some risky behavior, but it does not correct known exploitable software exposure on endpoints.
Sample Question 2 — Zero Trust Endpoints and Host Hardening
A company relies heavily on office network firewalls, but most employees now work from home or travel. Security reviews found laptops were accepting unnecessary inbound connections on public and home networks, and east-west traffic between user devices was not consistently filtered. Which endpoint-focused architecture change best addresses this gap?
- A. Enforce centrally managed host firewall policies on laptops for all network locations (Correct answer)
- B. Require users to connect to VPN before opening any corporate application each day
- C. Deploy additional perimeter firewalls at headquarters to inspect more employee traffic
- D. Increase vulnerability scanning frequency for remote laptops from monthly to weekly
Correct answer: A
Explanation: Correct answer (A): Host firewalls provide local traffic enforcement wherever the device operates, including home, hotel, and other untrusted networks. They also help control east-west communication that may bypass traditional perimeter controls. In a hybrid workforce, centrally enforced host firewall policy is a direct answer to the problem of laptops accepting unnecessary connections outside corporate network boundaries.
Why the other options are wrong:
- Option B: VPN may route some corporate traffic, but it does not inherently block unnecessary local inbound traffic when the laptop is on untrusted networks.
- Option C: More perimeter firewalls help only when traffic crosses headquarters boundaries; they do not protect laptops operating away from the office.
- Option D: Scanning can identify weaknesses, but it does not provide the local traffic enforcement needed to reduce the current exposure.
Sample Question 3 — Zero Trust Endpoints and Host Hardening
An organization has endpoint agents that generate local alerts for suspicious activity, but incident responders cannot reliably reconstruct user actions across thousands of laptops because logs remain on each host and are often lost after reimaging. The security architect wants the single most important improvement for investigation and enterprise-scale response. Which option is best?
- A. Send endpoint logs and telemetry to a centralized platform with scalable retention and analysis (Correct answer)
- B. Increase the sensitivity of local host prevention rules so more events are blocked automatically
- C. Replace endpoint logging with more frequent perimeter IDS tuning for outbound traffic
- D. Ask desktop support to manually collect logs from affected systems during each incident
Correct answer: A
Explanation: Correct answer (A): Host-based alerts and controls are not substitutes for centralized collection. Without scalable aggregation, retention, and analysis, responders cannot efficiently investigate, correlate, or contain incidents across a large endpoint population. Centralized endpoint logging directly improves detection visibility and response capability, which is essential in a defensible architecture.
Why the other options are wrong:
- Option B: More blocking may prevent some activity, but it does not solve the stated investigation and evidence retention problem across thousands of hosts.
- Option C: Perimeter tuning may add some visibility, but the scenario specifically describes missing host-side evidence needed for reconstruction and response.
- Option D: Manual collection does not scale, loses data after reimaging, and delays response during active incidents.
Sample Question 4 — Zero Trust Endpoints and Host Hardening
A company supports employees on managed laptops and contractors on unmanaged personal devices. Both groups need access to collaboration tools, but only employees should reach internal engineering applications that contain sensitive source code. Leadership wants a Zero Trust approach that reflects endpoint security state rather than network location. Which design is best?
- A. Use identity plus device posture checks, granting broader access only to managed compliant devices (Correct answer)
- B. Require VPN and MFA for all users, then provide the same application access to both groups
- C. Allow unmanaged devices onto the internal network after they complete a security awareness course
- D. Grant access based mainly on source IP ranges because contractors usually connect from known regions
Correct answer: A
Explanation: Correct answer (A): Zero Trust endpoint decisions should include both identity and device security posture. Managed devices provide greater confidence in patching, configuration, logging, and incident response support, so they can appropriately receive broader access. Unmanaged devices should not receive equivalent trust simply because the user authenticated successfully or came from an expected location.
Why the other options are wrong:
- Option B: VPN and MFA strengthen authentication and transport, but they do not establish equal device trust between managed and unmanaged endpoints.
- Option C: Awareness training does not provide assurance of patch status, configuration, logging coverage, or response capability on personal devices.
- Option D: Source location is not a reliable basis for endpoint trust and conflicts with Zero Trust principles described in the scenario.
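The identity-plus-device-posture decision from the explanation above, as an added illustration that is not part of the original question bank: access to the engineering tier requires both an employee identity and a managed, compliant device, while a corporate-looking source IP contributes nothing. The device attributes, the 30-day patch threshold, the resource names and the sample users are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

MAX_PATCH_AGE_DAYS = 30  # assumed compliance threshold


@dataclass
class Device:
    managed: bool            # enrolled in enterprise management (MDM / agent)
    edr_running: bool
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last successful patch cycle


@dataclass
class Subject:
    user: str
    role: str                # "employee" or "contractor"
    mfa_passed: bool
    source_ip: str           # carried only to show it is NOT a trust input


# Resource tiers (assumed): which roles may reach them and whether a managed,
# compliant device is required. Collaboration tools are open to both groups;
# the engineering source tier is employee-only and posture-gated.
RESOURCES = {
    "collab":     {"roles": {"employee", "contractor"}, "managed_compliant": False},
    "eng-source": {"roles": {"employee"},               "managed_compliant": True},
}


def posture_gaps(d: Device) -> List[str]:
    """List every posture requirement the device fails (empty list = compliant)."""
    gaps = []
    if not d.managed:
        gaps.append("device not managed")
    if not d.edr_running:
        gaps.append("edr not running")
    if not d.disk_encrypted:
        gaps.append("disk not encrypted")
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        gaps.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return gaps


def decide(subject: Subject, device: Device, resource: str) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Source IP is deliberately never consulted."""
    req = RESOURCES[resource]
    if not subject.mfa_passed:
        return "deny", "mfa required"
    if subject.role not in req["roles"]:
        return "deny", f"role {subject.role} not permitted for {resource}"
    if req["managed_compliant"]:
        gaps = posture_gaps(device)
        if gaps:
            return "deny", "device posture gaps: " + ", ".join(gaps)
    return "allow", "identity and posture satisfied"
```

The denial reason names the failing posture attributes so the same policy can drive a remediation prompt rather than a silent block.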
Sample Question 5 — Zero Trust Endpoints and Host Hardening
System administrators manage identity infrastructure and critical servers from their everyday laptops, which they also use for email, web browsing, and document editing. The company already requires VPN and MFA for administrative sessions, but red-team exercises repeatedly capture admin session tokens after phishing on those same laptops. Which architecture change most directly reduces this risk?
- A. Separate privileged accounts and move admin tasks to hardened admin workstations or controlled jump paths (Correct answer)
- B. Keep the current admin workflow and require more frequent password rotation for all administrators
- C. Keep the current admin workflow and increase phishing training for administrative staff each quarter
- D. Keep the current admin workflow and require full-disk encryption on all administrator laptops
Correct answer: A
Explanation: Correct answer (A): The core problem is exposure of privileged activity on general-purpose systems used for risky user functions like browsing and email. Separating privileged accounts and performing administration from hardened admin workstations or tightly controlled jump paths reduces credential theft and session hijacking risk by isolating sensitive actions from common phishing exposure. MFA and VPN do not eliminate token theft on a compromised endpoint.
Why the other options are wrong:
- Option B: Password rotation does not address token theft or endpoint compromise on the same workstation used for email and browsing.
- Option C: Training may reduce click rates, but it does not provide the isolation needed when a workstation used for privileged access becomes compromised.
- Option D: Disk encryption protects data at rest, not active admin sessions or tokens on a live compromised system.
Sample Question 6 — Zero Trust Endpoints and Host Hardening
An enterprise improved endpoint prevention by disabling unnecessary services and restricting script execution on user laptops. Six months later, a ransomware event still spread for several hours because the SOC lacked timely host telemetry and had no rapid workflow to isolate affected systems. Leadership asks for the next architectural priority. Which option is best?
- A. Add centralized endpoint telemetry and a tested host isolation response process across the fleet (Correct answer)
- B. Add more restrictive local execution controls and delay telemetry improvements until next year
- C. Expand phishing simulations and keep the current endpoint monitoring and response model
- D. Increase perimeter blocking rules and keep endpoint response actions as manual ticket requests
Correct answer: A
Explanation: Correct answer (A): The organization already improved prevention, but the failure occurred in detection and response. A defensible endpoint architecture balances all three functions. Centralized telemetry provides the visibility needed to identify scope and timeline, while a tested host isolation process improves containment speed during active ransomware spread. This directly addresses the operational weakness described in the incident.
Why the other options are wrong:
- Option B: Additional preventive controls may help somewhat, but they do not solve the demonstrated inability to detect and isolate affected hosts quickly.
- Option C: Awareness activities are not the primary weakness here; the incident showed missing telemetry and slow response execution.
- Option D: Perimeter controls and manual tickets do not provide the host-level speed and scale needed to contain ransomware moving across endpoints.
How to Study GDSA Zero Trust Endpoints and Host Hardening
Combine these GDSA Zero Trust Endpoints and Host Hardening practice questions with hands-on lab work and the SANS SEC530 course. The GDSA exam emphasizes practical defensible-architecture decisions, so always ask which option is most defensible, most resilient, and aligned with Zero Trust principles.
About the GDSA Exam
- Questions: 75 multiple-choice
- Time: 120 minutes (2 hours)
- Passing score: 63%
- Format: Proctored, open book
- Domains: 8 (this is 10% of the exam)
- Associated training: SANS SEC530