Which of the following should a company deploy to prevent the execution of some types of malicious code?


A. Least privilege accounts

B. Host-based firewalls

C. Intrusion Detection systems

D. Application white listing





Lake


I have thought about this question numerous times. I am skeptical choice B is not the correct answer.

Choice A – Least privilege accounts basically means non-administrative accounts, or simply the standard user accounts. Those accounts would have NO right to run executable files. It is exactly what the question is asking: “prevent the execution of some types of malicious code.”

Choice B – A host-based firewall is designed to protect the host from network-based attacks by using filters to limit the network traffic that is allowed to enter or leave the host. The action of a filter is to allow, deny, or log the network packet. Allow enables the packet to continue toward its destination. Deny blocks the packet from going any further, effectively discarding it. Log records information about the packet into a log file. Filters can be based on protocol and ports. By blocking protocols and ports that are not required, other potentially compromised application services would be prevented from being exploited across the network.
Note: It helps prevent the malicious code from ENTERING the system. However, it does NOT prevent the execution of some types of malicious code if the user has administrative rights.

Choice C is definitely wrong because it is an intrusion DETECTION system, not an intrusion PREVENTION system.

Choice D – Application white listing provides a similar function to a host-based firewall (choice B) in this situation. It helps prevent the malicious code from ENTERING the system. However, it does NOT prevent the execution of some types of malicious code if the user has administrative rights.

I read a Microsoft book a long time ago. The main difference between admin and standard user accounts is running executable files. I think A makes more sense. Let me put it this way: if you choose B to be the right answer, why is choice D incorrect?

Black


I think “prevent the execution” is the key phrase here. It draws my attention to A.