Free GSEC Windows Security Practice Test 2026 — GIAC Security Essentials Questions
This free GSEC Windows Security practice test covers Active Directory, Group Policy, PowerShell hardening, Windows event log analysis, and endpoint protection. Each question includes a detailed explanation written from a hands-on security practitioner's perspective — perfect for building your open-book index for the real GIAC Security Essentials exam.
Key Topics in GSEC Windows Security
- Active Directory
- Group Policy
- PowerShell
- Windows Event Logs
- Endpoint Hardening
- BitLocker
6 Free GSEC Windows Security Practice Questions with Answers
Sample Question 1 — Windows Security
You are a system administrator tasked with securing a Windows Server 2019 environment. Which of the following actions would best protect against unauthorized access to sensitive system files?
- A. Disable the Guest account and rename the Administrator account.
- B. Enable BitLocker encryption on all system drives. (Correct answer)
- C. Implement a Group Policy to prevent access to the Command Prompt.
- D. Set NTFS permissions to allow full control for the Everyone group.
Correct answer: B
Explanation: The question asks which action would BEST protect against unauthorized access to sensitive system files on a Windows Server 2019 system. Under GSEC concepts, protection of system files considers both logical and physical/offline attack vectors. Option A (disable Guest and rename Administrator) is a good hardening step for account security, but it does not directly control access to system files once any valid account is used or in an offline-boot scenario. Option B (enable BitLocker on all system drives) enforces full-disk encryption, which prevents unauthorized access to system files from offline attacks (e.g., stolen drive, booting from alternate OS), aligning strongly with GSEC principles for protecting data at rest. Option C (block Command Prompt) is weak protection, since system files can still be accessed via other tools (Explorer, PowerShell, third‑party utilities). Option D (full control for Everyone) clearly undermines security and is the opposite of best practice. Therefore, the BEST answer in the context of GSEC Windows security is enabling BitLocker encryption (B).
Sample Question 2 — Windows Security
A company uses Windows Defender Firewall with Advanced Security. Which rule type should be configured to ensure only authorized applications can communicate over the network?
- A. Inbound rule
- B. Outbound rule (Correct answer)
- C. Connection security rule
- D. AppLocker rule
Correct answer: B
Explanation: The question is scoped specifically to "Windows Defender Firewall with Advanced Security," whose rule types are inbound, outbound, and connection security rules. Inbound rules (A) control unsolicited traffic coming *into* the host and can be app-specific, but they do not comprehensively ensure only authorized applications can communicate, since outbound traffic remains largely unrestricted by default. Outbound rules (B) are explicitly designed to control which applications on the host are allowed to initiate network connections, which directly addresses the goal of allowing only authorized applications to communicate over the network. Connection security rules (C) relate to IPsec—authenticating and securing connections—not to selecting which applications may communicate. AppLocker rules (D) are part of application whitelisting, not Windows Defender Firewall, and they control which applications can run at all rather than specifically managing network communication. Under GSEC’s Windows security perspective, the best match within Windows Defender Firewall is an outbound rule.
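The outbound-rule approach from this explanation, as an added PowerShell example (not part of the original practice test): outbound Allow rules only act as an application allowlist once the profile's default outbound action is Block. The rule name, program path and choice of the Domain profile are placeholders assumed for illustration.

```powershell
# Added example. Run in an elevated session; the NetSecurity cmdlets ship with Windows.
# 'ExampleApp' and its path are placeholders, not values from the page.

# 1. Inspect the default actions per profile. Outbound traffic is allowed by
#    default, so outbound Allow rules on their own restrict nothing.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Review enabled outbound Allow rules that are not bound to a program.
#    Any rule listed here lets every application use that traffic.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallApplicationFilter).Program -eq 'Any' } |
    Select-Object DisplayName, Profile

# 3. Create the explicit allowance for the authorized application first.
New-NetFirewallRule -DisplayName 'Allow outbound - ExampleApp (placeholder)' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Program 'C:\Program Files\ExampleApp\app.exe'

# 4. Then switch the profile to default-deny outbound. From this point only
#    traffic matching an outbound Allow rule leaves the host, so confirm the
#    rules from step 2 cover required OS traffic (DNS, DHCP, updates) on a
#    test machine before rolling this out by Group Policy.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block
```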
Sample Question 3 — Windows Security
Which Windows tool can be used to monitor real-time changes to the file system, registry, and process activity to help detect unauthorized modifications?
- A. Event Viewer
- B. Process Explorer
- C. Sysmon (Correct answer)
- D. Task Manager
Correct answer: C
Explanation: Sysmon is a Windows system service and device driver that logs system activity to the Windows event log, providing detailed information about process creations, network connections, and changes to file creation time. Event Viewer (A) is used to view logs but does not monitor real-time changes. Process Explorer (B) provides detailed information about processes but not file system or registry changes. Task Manager (D) shows running processes and system performance but lacks detailed monitoring capabilities.
Sample Question 4 — Windows Security
An organization wants to ensure that all Windows systems are compliant with the latest security patches. Which tool would be most appropriate for managing and deploying updates across the network?
- A. Windows Update
- B. Microsoft Baseline Security Analyzer (MBSA)
- C. Windows Server Update Services (WSUS) (Correct answer)
- D. Group Policy Management Console (GPMC)
Correct answer: C
Explanation: Windows Server Update Services (WSUS) is designed to manage the distribution of updates released through Microsoft Update to computers on a network. Windows Update (A) is used for individual systems, not for managing updates across a network. MBSA (B) is a tool for scanning systems for missing security updates, not for managing deployment. GPMC (D) is used to manage Group Policy, not specifically for update deployment.
Sample Question 5 — Windows Security
To enhance security on a Windows network, an administrator decides to use audit policies. Which of the following audit settings would provide the most insight into potential unauthorized access attempts?
- A. Audit Logon Events (Correct answer)
- B. Audit Object Access
- C. Audit Policy Change
- D. Audit Process Tracking
Correct answer: A
Explanation: Audit Logon Events helps track successful and failed logon attempts, providing critical insight into unauthorized access attempts. Audit Object Access (B) tracks access to specific files and folders, which is useful but not as directly related to logon attempts. Audit Policy Change (C) monitors changes to audit policies, not access attempts. Audit Process Tracking (D) is more relevant to tracking process creation and termination, not specifically logon events.
Sample Question 6 — Windows Security
You are a security analyst reviewing Windows event logs to investigate a potential security incident. You notice multiple failed login attempts followed by a successful login from an unfamiliar IP address. Which of the following actions should you prioritize to secure the system?
- A. Disable the user account associated with the login attempts. (Correct answer)
- B. Block the unfamiliar IP address at the firewall.
- C. Initiate a full antivirus scan on the system.
- D. Review group policy settings for misconfigurations.
Correct answer: A
Explanation: Disabling the user account associated with the login attempts is the most immediate action to prevent further unauthorized access. Blocking the IP address might be useful but does not address the potential compromise of the user account itself. Initiating a full antivirus scan is important but not as immediate as disabling the account. Reviewing group policy settings is a preventive measure, not an immediate response to an active incident.
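The pattern described in this question, and the logon auditing from Sample Question 5, as an added PowerShell example (not part of the original practice test). It correlates failed logons (Security event ID 4625) with a later success (event ID 4624) for the same account and source address; the function name, thresholds, users and IP addresses are constructed for illustration.

```powershell
# Added example. Event IDs: 4625 = failed logon, 4624 = successful logon.
# Sample events below are constructed. On a live host, build the same
# objects from:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 }
function Find-FailThenSuccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinFailures = 3,      # failures required before the success
        [int] $WindowMinutes = 10    # how far back failures are counted
    )
    # Correlate per account and source address, in time order.
    $Events | Group-Object User, IpAddress | ForEach-Object {
        $failTimes = [System.Collections.Generic.List[datetime]]::new()
        foreach ($e in ($_.Group | Sort-Object TimeCreated)) {
            if ($e.Id -eq 4625) { $failTimes.Add($e.TimeCreated); continue }
            if ($e.Id -ne 4624) { continue }
            $cutoff = $e.TimeCreated.AddMinutes(-$WindowMinutes)
            $recent = @($failTimes | Where-Object { $_ -ge $cutoff })
            if ($recent.Count -ge $MinFailures) {
                [pscustomobject]@{
                    User      = $e.User
                    IpAddress = $e.IpAddress
                    Failures  = $recent.Count
                    SuccessAt = $e.TimeCreated
                }
            }
            $failTimes.Clear()       # a success resets the failure streak
        }
    }
}

$t0 = [datetime]'2026-01-15T09:00:00'
$sample = @(
    # jdoe: three failures, then a success, all from one outside address
    [pscustomobject]@{ TimeCreated = $t0;                Id = 4625; User = 'jdoe';   IpAddress = '203.0.113.45' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20); Id = 4625; User = 'jdoe';   IpAddress = '203.0.113.45' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(40); Id = 4625; User = 'jdoe';   IpAddress = '203.0.113.45' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2);  Id = 4624; User = 'jdoe';   IpAddress = '203.0.113.45' }
    # asmith: one mistyped password, then a success (below the threshold)
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5);  Id = 4625; User = 'asmith'; IpAddress = '10.0.0.12' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(6);  Id = 4624; User = 'asmith'; IpAddress = '10.0.0.12' }
)

Find-FailThenSuccess -Events $sample | Format-Table -AutoSize
```

Each row returned names the account to disable first, which is the response this explanation prioritizes.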
How to Study GSEC Windows Security
Drill these GSEC Windows Security practice questions repeatedly and update your study index after each session. Focus on building a fast lookup path from the GIAC term to your book page — this is what separates passing and failing GSEC scores. Pair this practice test with hands-on labs whenever possible; GSEC validates real-world skills, not just memorization.
About the GSEC Exam
- Questions: 106 multiple-choice
- Time: 4 hours
- Passing score: 73%
- Format: Open book (printed materials only)
- Topic areas: 9 (including Windows Security)
- Validity: 4 years