New Update for #70-299

Discussion in 'MCSE' started by Steven Mark, Aug 20, 2004.

    Steven Mark (Guest)

    70 - 299
    QUESTION NO: 1
    You are the security administrator for TestKing. The
    network consists of two segments named Segment
    A and Segment B. The client computers on the network run
    Windows XP Professional. The servers run
    Windows Server 2003.
    Segment A contains a single server named TestKing1.
    Segment B contains all other computers, including
    a server named TestKing2.
    TestKing's written security policy states that Segment B
    must not be connected to the Internet. Segment
    A is allowed to connect to the Internet. There is no
    network connection between Segment A and Segment
    B. You can copy files from Segment A to Segment B only by
    using a CD-ROM to transport the files
    between the two segments. The network topology is
    displayed in the exhibit.
    You are planning a patch management infrastructure. On
    Segment B, you install Software Update
    Services (SUS) on TestKing2. You configure Automatic
    Updates on all computers in Segment B to use
    http://TestKing2 and to install security patches.
    You need to ensure that all computers in Segment B
    automatically install security patches.
    What should you do?
    A. Install SUS on TestKing1.
    Periodically copy the files in the Content folder and in
    the SUS root folder from TestKing1 to
    TestKing2.
    B. Install SUS on TestKing1.
    Periodically copy the files in the Content folder from
    TestKing1 to TestKing2.
    Copy the Approveditems.txt file from TestKing1 to the
    Windows folder on TestKing2.
    Leading the way in IT testing and certification tools,
    www.testking.com
    -3

    C. On TestKing1, periodically connect to the Microsoft
    Windows Update Catalog Web site and download
    new security patches.
    Copy the files to the Content folder on TestKing2.
    D. On TestKing, configure Automatic Updates to use the
    URL of the Microsoft Windows Update Web site.
    Periodically copy the downloaded files and the
    Mssecure.xml file to the Content folder on TestKing2.
    Answer: A
    Explanation:
    Since the question does not address where approvals
    should be done, we have to assume that the approvals are
    done by the administrators at the Segment B site.
    If SUS is used to approve updates, it retrieves the
    Approveditems.txt file from the root of the IIS/SUS
    default
    website (http://server2) not the Windows folder.
    If you do not install SUS on Server1 there will be no
    Content folder (distribution point) on Server1.
    Automatic Updates should not be turned on, on the SUS
    servers.
    SUS is a server component that, when installed on a
    server running Windows 2000, allows small and medium
    enterprises to bring critical updates from Windows Update
    inside their firewalls to distribute to Windows 2000
    and Windows XP computers. The same Automatic Updates
    component that can direct Windows 2000 and
    Windows XP computers to Windows Update can be directed to
    a SUS server inside your firewall to install
    critical updates.
    Automatic Updates retrieves all critical updates and
    Microsoft Security Response Center security updates that
    are classified as moderate or important.
    Automatic Updates scans only for critical updates, but if
    its server that runs SUS contains updates other than
    critical ones, Automatic Updates receives and applies
    those as well. SUS receives critical and moderate
    security
    updates.
    Creating Distribution Points
    When you install a server that runs SUS, a distribution
    point is created on that server. When you synchronize
    the server with a parent server or with an external Web
    site, all the content on the Web site is downloaded to
    the
    distribution point. If new updates are downloaded, this
    distribution point is updated during every
    synchronization. During Setup, the distribution point is
    created in a virtual root (Vroot) named /Content.
    If you choose to maintain content on the public Web site
    instead of downloading the patches to the local server
    running SUS, this distribution point is empty except for
    the AUCatalog.cab file. AUCatalog.cab defines the
    updates that have been approved for deployment to
    clients.
    You can also create a distribution point on a server that
    is not running SUS. Such a server must be running IIS
    5.0 or later. You can download and test packages on
    servers running SUS, and then download approved and
    tested packages to distribution points for client access.
    If your SUS design includes distribution points, perform
    the following tasks to create a distribution point:
    1. Confirm that IIS is present.
    2. Create a folder named \Content.
    3. Copy all of the following items from the source server
    running SUS to the newly created \Content folder:
    - <root of the SUS Web site>\Aucatalog1.cab
    - <root of the SUS Web site>\Aurtf1.cab
    - <root of the SUS Web site>\approveditems.txt
    - All the files and folders under the \Content\cabs
    4. Create an IIS Vroot called http://<Servername>/Content
    that points to the \content folder.
    QUESTION NO: 2
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    TestKing's written security policy states that security
    patches must be manually installed on servers by
    administrators.
    You need to configure the network to comply with the
    written security policy. You need to maintain
    security patches by using the minimum amount of
    administrative effort.
    What should you do?
    A. Create a new organizational unit (OU) to contain all
    server computers.
    Create a new Group Policy object (GPO) and link it to the
    OU.
    Configure the GPO to disable Automatic Updates.
    Allow only administrators to start Automatic Updates.
    B. Create a new organizational unit (OU) to contain all
    server computers.
    Create a new Group Policy object (GPO) and link it to the
    OU.
    Configure the GPO to automatically download updates and
    notify when they are ready to be installed.
    C. Create a new organizational unit (OU) named Admins to
    contain all administrators.
    Create a second OU named Servers to contain all server
    computers.
    Create a new Group Policy object (GPO) and link it to the
    Admins OU.
    Configure the GPO to disable Automatic Updates.
    D. Modify the Default Domain Policy Group Policy object
    (GPO) to disable Windows Update and to
    disable Automatic Updates.
    Create a new organizational unit (OU) named Admins.
    Place all administrator accounts in the Admins OU.
    Block GPO inheritance on the Admins OU.
    Answer: C
    Explanation:
    Administrators should not use Automatic updates to patch
    the servers.
    Security patches on the servers must be installed
    manually.
    A GPO at the domain level would block Automatic Updates
    on all computers not just servers.
    QUESTION NO: 3
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. The testking.com Active Directory
    domain contains 150 Windows Server 2003
    computers and 7,500 Windows XP Professional client
    computers. The network is made up of 64 class C
    IP subnets that range from 172.16.0.0 through
    172.16.63.0.
    The finance department uses 135 computers on the
    172.16.9.0 /24 IP subnet. This subnet also contains
    computers that belong to other departments in the
    company. All finance department computers are
    members of the testking.com Active Directory domain.
    You need to produce a report that identifies which
    Microsoft security patches are not installed on the
    computers in the finance department. The report must
    contain information about only the finance
    department computers. You want to achieve this goal by
    using the minimum amount of administrative
    effort.
    What should you do?
    A. Run Mbsacli.exe on a finance department computer with
    the option to scan computers in the Network
    Neighborhood.
    B. Run Mbsacli.exe on a finance department computer with
    the option to scan computers by using a list of
    individual IP addresses on the finance department
    computers.
    C. Run Mbsacli.exe on a finance department computer with
    the option to scan computers on the finance
    department IP subnet.
    D. Run Mbsacli.exe on a finance department computer with
    the option to scan computers in the
    testking.com Active Directory domain.
    Answer: B
    Explanation:
    Since there are non-accounting computers on the subnet,
    the scan needs to be performed by individual IP.
    Objective: Implementing, Managing, and Troubleshooting
    Security for Network Communications
    Sub-Objective: 3.4.1 Monitor IPSec policies by using IP
    Security Monitor.
    1. Planning a Host Name Resolution Strategy
    MCSA/MCSE Self-Paced Training Kit (Exams 70-292 and 70-
    296): Upgrading Your Certification to Microsoft
    Windows Server 2003, Microsoft Press
    Chapter 7,
    The correct syntax is mbsacli /hf -fh hosts.txt. The -fh
    flag causes the tool to scan the NetBIOS computer names
    specified in the named text file. You must specify one
    computer name on each line in the .txt file, up to a
    maximum of 256 names.
    You should not use the mbsacli /hf -i hosts.txt syntax.
    The -i flag is used to scan one or more Internet Protocol
    (IP) addresses.
    You should not use the mbsacli /hf -r hosts.txt syntax.
    The -r flag is used to specify a range of IP addresses to
    be
    scanned.
    Switches available with the /hf flag:
    mbsacli /hf [-h hostname] [-fh filename] [-i ipaddress] [-fip filename] [-r ipaddressrange] [-d domainname] [-n] [-sus SUS server|SUS filename] [-b] [-fq filename] [-s 1] [-s 2] [-nosum] [-sum] [-z] [-v] [-history level] [-nvc] [-o option] [-f filename] [-unicode] [-t] [-u username] [-p password] [-x] [-?]
    To Select Which Computer to Scan
    -h hostname - Scans the named NetBIOS computer name. The
    default location is the local host. To scan
    multiple hosts, separate the host names with a comma (,).
    -fh filename - Scans the NetBIOS computer names that are
    specified in the text file that you named. Specify one
    computer name on each line in the .txt file, to a maximum
    of 256 names.
    -i xxx.xxx.xxx.xxx - Scans the named IP address. To scan
    multiple IP addresses, separate each IP address with a
    comma.
    -fip filename - Scans the IP addresses that you specified
    in the text file that you named. Specify one IP address
    on each line in the .txt file, with a maximum of 256 IP
    addresses.
    -r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scans a specified
    range of IP addresses.
    Note: You can use the previous switches in combination.
    For example, you can use a command line with the
    following format:
    mbsacli /hf -h hostname1,hostname2 -i xxx.xxx.xxx.xxx -fip ipaddresses.txt -r yyy.yyy.yyy.yyy-zzz.zzz.zzz.zzz
    -d domainname - Scans a specified domain.
    -n - Scans all the computers on the local network. All
    computers from all domains in Network Neighborhood
    (or My Network Places) are scanned
    Reference: Microsoft Baseline Security Analyzer (MBSA)
    version 1.2 is available, Microsoft Knowledge Base
    Article 320454
    QUESTION NO: 4
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    All client computers run Windows 2000
    Professional. TestKing has a main office and 150 branch
    offices located throughout the United States and
    Canada. The company does not use disk-imaging software.
    In the past, newly installed client computers were
    exploited by malicious Internet worms before you
    applied all security patches.
    You need to build and deploy client computers that will
    always have the latest service packs, updates, and
    security patches. You want to achieve this goal by using
    the minimum amount of administrative effort.
    What should you do?
    A. Install the operating system on the computers by using
    the original installation media.
    Use Windows Update immediately after the installation to
    apply updates and security patches.
    B. Install the operating system on the computers by using
    the original installation media.
    Configure Automatic Updates to immediately install
    updates and security patches.
    C. Create slipstream installation media that has the
    latest service pack.
    Install the operating system from the slipstream
    installation media.
    Implement a Software Update Services (SUS) server to
    install approved updates and security patches on
    client computers.
    D. Create slipstream installation media that has the
    latest service pack and includes Microsoft Baseline
    Security Analyzer (MBSA).
    Install the operating system from the slipstream
    installation media.
    Run MBSA immediately after installing the operating
    system.
    Answer: C
    Explanation:
    Using Windows Update on an Internet client prior to
    patching can be exploited.
    Unless there is a SUS server deployed, Automatic Updates
    on a new Internet client can be exploited.
    There is no reason to install MBSA on each client.
    Objective: Implementing, Managing, and Troubleshooting
    Patch Management Infrastructure
    Sub-Objective: 2.3.1 Deploy service packs and hotfixes on
    new servers and client computers. Considerations
    include slipstreaming, custom scripts, and isolated
    installation or test networks.
    You should use Software Update Services (SUS) to deploy
    the service packs and hotfixes. The most recent
    version of SUS supports the distribution of service
    packs. Microsoft SUS allows administrators to deploy
    critical updates and Windows security roll-ups to Windows
    2000 and Windows Server 2003 servers, and to
    computers running Windows 2000 Professional or Windows XP
    Professional. SUS is a free download.
    You should not use Systems Management Server (SMS) to
    deploy the service packs and hotfixes. SMS is a
    separate product that is sold separately from Windows
    Server 2003. While SMS includes a variety of features
    for software distribution, and you could use SMS to
    deploy the service packs and hotfixes, this solution
    would
    not avoid the purchase of additional software.
    You should not use Group Policy to deploy service packs
    and hotfixes. Software installation with Group Policy
    has limitations such as problems scheduling installation,
    consistently managing network bandwidth, and
    providing feedback on the status of the installation.
    You should not use logon scripts to deploy service packs
    and hotfixes. There is no way to determine whether
    the update packages installed correctly or which
    computers received the installation.
    Objective: Implementing, Managing, and Troubleshooting
    Patch Management Infrastructure
    Sub-Objective: 2.3.2 Deploy service packs and hotfixes to
    existing client and server computers.
    QUESTION NO: 5
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    All client computers run Windows XP
    Professional. All computers are members of the domain.
    Testking has a main office and six branch offices. Each
    branch office is connected to the main office by a
    dedicated leased line. All offices are connected to the
    Internet. Each office contains multiple servers and
    hundreds of client computers.
    You are planning a security patch management
    infrastructure. You install a Software Update Services
    (SUS) server in the main office and in each branch
    office. You configure the main office SUS server to
    store updates locally.
    You need to ensure that all client computers
    automatically install the latest security patches. You
    want to
    minimize the network traffic on the leased lines between
    the offices and on the connections to the
    Internet.
    Which two actions should you perform? (Each correct
    answer presents part of the solution. Choose two)
    A. Configure the branch office SUS servers to maintain
    updates on the Microsoft Windows Update servers.
    B. Configure Automatic Updates on the branch office SUS
    servers to use the main office SUS server.
    C. Configure the branch office SUS servers to obtain
    updates from the main office SUS server.
    D. Configure Automatic Updates on the client computers to
    use the SUS server in the local office.
    E. Configure Automatic Updates on the client computers to
    use the main office SUS server.
    Answer: C, D
    Explanation:
    MCSA/MCSE Training Kit 70-299, Chapter 5: Planning an
    Update Management Infrastructure, page 5-20
    Approval of updates using Software Update Services
    SUS is designed to be used in large organizations. Almost
    every aspect of the behavior can be customized. For
    example, the SUS server can download updates from
    Microsoft automatically, manually, or on a schedule
    specified by an administrator. SUS servers can be tiered
    as shown in Figure 5.4, with multiple SUS servers
    synchronizing updates between each other. This optimizes
    the use of your Internet connection by only requiring
    each update to be downloaded once for the entire
    organization. It also optimizes traffic on your wide area
    networks by allowing clients to download updates from a
    local SUS server.
    QUESTION NO: 6
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. The network contains Windows Server
    2003 computers and Windows XP
    Professional client computers. The Active Directory
    domain consists of 10 Active Directory sites. Each
    Active Directory site contains a Windows Server 2003
    computer that functions as a domain controller
    and a DNS server.
    A Windows Server 2003 computer named TestKing1 is a
    member of the Active Directory domain.
    TestKing1 is used to store confidential data in a
    Microsoft SQL Server 2000 database. You set up IP
    filters by using IPSec to control the types of inbound
    and outbound IP traffic that are allowed to and
    from TestKing1.
    After you configure the IP filters, you cannot resolve
    DNS names from TestKing1. The Addresses tab on
    the IP Filter Properties dialog box is shown in the
    exhibit.
    This is the only rule in the IPSec policy that is
    relevant to DNS traffic.
    You need to enable TestKing1 to resolve DNS names.
    What should you do?
    A. Create an additional rule that allows DNS responses
    from the DNS servers to TestKing1.
    B. Change the Source address list to Any IP Address.
    C. Change the Destination Address list to A specific IP
    Subnet and type the IP subnet address that
    matches the IP subnet on TestKing1.
    D. Change the Destination address list to A specific IP
    Address and type an IP address of a DNS server
    in the same IP subnet as TestKing1.
    Answer: D
    QUESTION NO: 7
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    You plan to deploy remote access to the network for users
    that work from home.
    TestKing's written security policy states the following
    remote access requirements:
    Users are allowed to use remote access during the day
    only.
    Enterprise Admins are never allowed to use remote access.
    Domain Admins are always allowed to use remote access.
    A user who is a member of both the Enterprise Admins
    group and the Domain Admins group is not allowed to use
    remote access.
    You configure and enable Routing and Remote Access on a
    member server named TestKing1. You delete
    the predefined remote access policies. The remote access
    permission for all user accounts in the domain is
    set to use remote access policies.
    You need to ensure that the remote access policies on
    TestKing1 comply with the written security policy.
    What should you do?
    To answer, drag the remote access policy that should
    appear first in the remote access policy list to the
    First Policy box. Continue dragging the appropriate
    remote access policies to the corresponding numbered
    boxes until you list all required policies in the
    correct order. You might not need to use all numbered
    boxes.
    Answer:
    Explanation:
    The most restrictive policy is checked first then
    decreasing in restrictiveness.
    Members of the Enterprise Admins group are always blocked
    by the first policy; this will include Domain
    Admins who are in the Enterprise Admins group, but not
    those who are only Domain Admins.
    QUESTION NO: 8
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All client computers run Windows XP
    Professional. All servers run Windows Server
    2003. All computers on the network are members of the
    domain.
    Traffic on the network is encrypted by IPSec. The domain
    contains a custom IPSec policy named Lan
    Security that applies to all computers in the domain. The
    Lan Security policy does not allow unsecured
    communication with non-IPSec-aware computers.
    TestKing's written security policy states that the
    configuration of the domain and the configuration of the
    Lan Security policy must not be changed.
    The domain contains a multihomed server named TestKing1.
    TestKing1 is connected to the company
    network, and TestKing1 is also connected to a test
    network. Currently, the Lan Security IPSec policy
    applies to the network traffic on both network adapters
    on TestKing1.
    You need to configure TestKing1 so that it communicates
    on the test network without IPSec security.
    TestKing1 must still use the Lan Security policy when it
    communicates on the company network.
    How should you configure TestKing1?
    A. Configure a packet filter for the network adapter on
    the test network to block the Internet Key Exchange
    (IKE) port.
    B. Configure the network adapter on the test network to
    disable IEEE 802.1x authentication.
    C. Configure the network adapter on the test network to
    enable TCP/IP filtering, and then permit all traffic.
    D. Use the netsh command to assign a persistent IPSec
    policy that permits all traffic on the network
    adapter on the test network.
    E. Assign an IPSec policy in the local computer policy
    that permits all traffic on the network adapter on the
    test network.
    Answer: D
    Explanation:
    Assigning IPSec Policies Locally
    Each computer running Windows Server 2003 has one local
    GPO, which is
    also known as the local computer policy. When this local
    GPO is used, Group Policy settings can be stored on
    individual computers regardless of whether they are
    members of an Active Directory domain. The local GPO
    can be overridden by GPOs assigned to sites, domains, or
    OUs in an Active Directory environment that have
    higher precedence. On a network without an Active
    Directory domain (that is, a domain that does not have a
    domain controller running Windows 2000 or Windows Server
    2003), the local GPO settings determine IPSec
    behavior because they are not overridden by other GPOs.
    Local policy assignment is a way to enable IPSec for
    computers that are not members of a domain.
    You can also create and assign persistent IPSec policy,
    which secures a computer even if a local IPSec policy or
    an Active Directory-based IPSec policy cannot be applied.
    This policy adds to or overrides the local or Active
    Directory policy, and remains in effect regardless of
    whether other policies are applied or not. Persistent
    IPSec
    policies enhance security by providing a secure
    transition from computer startup to IPsec policy
    enforcement.
    Persistent policy also provides backup security in the
    event of an IPSec policy corruption, or if errors occur
    during the application of local or domain-based IPSec
    policy. To configure persistent policies, you must use
    the
    netsh ipsec static set store location=persistent command.
    When designing persistent IPSec policy, it is important
    to consider the potential impact of persistent policy on
    remote management. If local or domain-based IPSec policy
    is not applied and the persistent IPSec policy is the
    only policy that is applied, attempts to remotely
    diagnose an issue might be blocked by the persistent
    IPSec
    policy. To allow for remote management in case
    troubleshooting is required, it is recommended that you
    create
    appropriate permit filters when configuring persistent
    IPSec policy.
    QUESTION NO: 9
    You are the security administrator of your network. The
    network consists of an Active Directory domain.
    All computers on the network are in the domain. The
    domain controllers and file servers on the network
    run Windows Server 2003. The client computers run Windows
    XP Professional.
    The file servers use a custom IPSec policy named Server
    Traffic. The Server Traffic policy contains rules
    to encrypt Telnet and SNMP traffic, as shown in the
    exhibit.
    All client computers use the Client (Respond Only) IPSec
    policy. The default exemptions to IPSec
    filtering are disabled on the client computer.
    You want to configure the network so that Telnet, SNMP,
    and Kerberos traffic is encrypted by IPSec.
    You do not want to encrypt other network protocols.
    What should you do? (Each correct answer presents part of
    the solution. Choose two)
    A. On the client computers, enable the default exemptions
    to IPSec filtering.
    B. On the file servers, enable the default exemptions to
    IPSec filtering.
    C. On the file servers, configure the IPSec policy in the
    local computer policy to encrypt Kerberos traffic.
    D. Add a new rule to the Server Traffic policy to encrypt
    Kerberos traffic.
    E. Configure the Server Traffic policy to enable the
    Default Response rule.
    F. Configure the rules in the Server Traffic policy to
    use an authentication method other than Kerberos.
    Answer: B, E
    Explanation:
    If you want to use IPSec to protect SNMP messages, you
    must configure all SNMP - enabled systems to use
    IPSec, or the communications will fail. If you can't
    configure all SNMP-enabled systems to use IPSec, at a
    minimum, you must configure the IPSec policies of the
    systems that are SNMP- enabled so that they can send
    cleartext (unencrypted) information. However, this
    somewhat defeats the idea of trying to secure messages
    because all communications will be unsecured.
    IP Security does not automatically encrypt the SNMP
    protocol. You must create filter specifications in the
    appropriate IP filter list for traffic between the
    management systems and SNMP agents. The filter
    specification
    must include two sets of settings.
    The first set of filter specifications are for typical
    SNMP traffic (SNMP messages) between the management
    system and the SNMP agents:
    Mirrored: enabled
    Protocol Type: TCP
    Source and Destination Ports: 161
    Mirrored: enabled
    Protocol Type: UDP
    Source and Destination Ports: 161
    The second set of filter specifications are for SNMP trap
    messages sent to the management system from the
    SNMP agents:
    Mirrored: enabled
    Protocol Type: TCP
    Source and Destination Ports: 162
    Mirrored: enabled
    Protocol Type: UDP
    Source and Destination Ports: 162
    References:
    http://support.microsoft.com/default.aspx?scid=811832
    IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169
    Traffic That Can--and Cannot--Be Secured by IPSec
    http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cneb_snp_jxku.asp
    Simple Network Management Protocol
    QUESTION NO: 10
    You are a security administrator for TestKing. TestKing
    consists of two divisions. One division is named
    TestKing Winery and is located in San Francisco. The
    other division is named TestKing Vineyard and is
    located in Paris. Each division is connected to the
    Internet by a 1.544 Mbps WAN connection.
    TestKing Winery consists of a single Active Directory
    forest named testkingwinery.com. All servers run
    Windows Server 2003. All client computers run Windows XP
    Professional. TestKing Winery has a
    Microsoft SQL Server 2000 database that contains customer
    information. The SQL Server 2000 database
    is hosted on a Windows Server 2003 computer named
    TestKing1.
    TestKing Vineyard consists of a single Active Directory
    forest named testkingvineyard.com. All servers
    run Windows 2000 Server. All client computers run Windows
    2000 Professional or Windows NT
    Workstation. All computers run the latest service packs.
    To enable data replication, you configure a new Windows
    Server 2003 computer named TestKing2 in the
    testkingvineyard.com forest. You install SQL Server 2000
    on TestKing2. Your database administrator
    configures the database on TestKing1 to replicate to
    TestKing2 every night.
    Management reports that a competitor acquired
    confidential customer data. You determine that the
    competitor intercepted customer data as it replicated
    from TestKing1 to TestKing2. You decide to use
    IPSec to protect customer data as it replicates.
    You need to configure an IPSec policy to protect customer
    data as it replicates.
    What should you do?
    A. Configure the IPSec policy to use Authentication
    Header (AH) in transport mode with Kerberos
    authentication.
    B. Configure the IPSec policy to use Encapsulating
    Security Payload (ESP) with certificate-based
    authentication in tunnel mode.
    C. Configure the IPSec policy to use Authentication
    Header (AH) with certificate-based authentication in
    transport mode.
    D. Configure the IPSec policy to use Encapsulating
    Security Payload (ESP) with Kerberos authentication in
    tunnel mode.
    Answer: B
    Explanation:
    IPSec can operate in two different modes: transport mode
    and tunnel mode. Typically, you should use transport
    mode to protect host-to-host communications. In transport
    mode, IPSec tunnels traffic starting at the transport
    layer, also known as layer 4. Therefore, IPSec in
    transport mode can encrypt the User Datagram
    Protocol/Transmission Control Protocol (UDP/TCP) protocol
    header and the original data, but the IP header
    itself cannot be protected. IPSec transports an
    application?s data by adding an IPSec header and trailer
    to
    outgoing packets. Depending on the IPSec protocol used,
    the original contents of the outgoing packets will be
    Leading the way in IT testing and certification tools,
    www.testking.com
    -17

    70 - 299
    encrypted. IPSec?s position in the packet when
    functioning in transport mode is shown in Figure 8.1. The
    diagram shows IPSec using the ESP protocol. ESP is the
    most common of the two IPSec protocols because it
    provides both authentication and encryption
    When you protect traffic sent directly between two hosts,
    you will almost always use IPSec transport mode.
    When you protect traffic between a host and a network, or
    between two networks, you must use IPSec tunnel
    mode. Although transport mode stores the UDP/TCP header
    and the application data between an IPSec header
    and trailer, tunnel mode stores the entire original
    packet.
    The IP header, including the source and destination
    addresses, must be stored within the IPSec packet because
    the traffic is destined for a computer other than the
    computer to which the IPSec connection was established.
    If hosts on two networks are communicating across the
    Internet and all clients are IPSec enabled, transport
    mode can be used to encrypt traffic between individual
    hosts, or tunnel mode can be used to encrypt all traffic
    sent between the two networks.
    Naturally, tunnel mode is more convenient because it
    doesn?t require every host to have IPSec enabled?but
    which is more secure? Tunnel mode is more secure than
    transport mode, in theory.
    Use transport mode when you communicate with one
    computer, and use tunnel mode when you communicate
    with an entire network, so when the decision calls for
    encapsulating or tunneling the IP header, use tunnel
    mode.
QUESTION NO: 11
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You use Group Policy objects (GPOs) to manage client computers.
TestKing has a wireless LAN (WLAN) that 50 employees who have portable computers use. Management reports that an additional 500 employees will receive portable computers in the next six months. These employees will have access to the WLAN. To address security concerns, management requires that portable computer users use smart cards to log on.
You need to plan a WAN implementation to meet management requirements. You want to achieve this goal without affecting the application of Group Policy.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Deploy WLAN hardware that supports IEEE 802.1x.
B. Deploy WLAN hardware that supports 128-bit Wired Equivalent Privacy (WEP) keys.
C. Implement an Internet Authentication Service (IAS) infrastructure.
D. Implement a public key infrastructure (PKI).
E. Implement a Routing and Remote Access infrastructure.
F. Implement IPSec on all portable computers.
Answer: C, D, E
Explanation:
From the question there is no wireless infrastructure or PKI in place, since it is not mentioned. Most modern laptops come with wireless built-in or can easily be configured with a wireless card, and most of them are WEP and Wi-Fi (WPA) ready as well as supporting 802.1x. Windows XP supports all current wireless technologies.
802.1X is an IEEE standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. IEEE 802.1X supports centralized user identification, authentication, dynamic key management, and accounting. 802.1X supports these EAP authentication methods for wireless clients and servers: EAP-TLS, EAP, EAP-MS-CHAP v2, and PEAP.
You must use the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication method to support the use of smart cards for remote access authentication. EAP-TLS is an EAP type utilized in certificate-based security environments. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key determination method.
Objective: Planning, Configuring and Troubleshooting Authentication, Authorization and PKI
Sub-Objective: 4.1.3 Plan and configure multifactor authentication
http://www.microsoft.com/technet/Security/prodtech/win2003/pkiwire/build/swlanbg4.mspx#XSLTsection122121120120
Securing Wireless LANs - A Windows Server 2003 Certificate Services Solution: Build Guide
Chapter 4 - Implementing Wireless LAN Security Using 802.1X
Preparing the Environment for a Secure WLAN
You must optimize supporting infrastructure in your environment prior to implementing 802.1X-based secure wireless networking. Supporting infrastructure includes Active Directory and DHCP servers. For thorough WLAN planning guidance, see the Deploying a Wireless LAN chapter of the Windows Server 2003 Deployment Kit and other resources listed in the More Information section at the end of this chapter.
Creating Active Directory Groups Required for WLAN Access
You must run the following script as a user which has permission to create Active Directory security groups. This script creates the required groups for wireless authentication certificate enrollment, remote access policy, and wireless network Group Policy:
    Cscript //job:CreateWirelessGroups C:\MSSScripts\wl_tools.wsf
This script creates the following Active Directory-based security groups that are used throughout the rest of this guidance:
- AutoEnroll Client Authentication - User Certificate
- AutoEnroll Client Authentication - Computer Certificate
- AutoEnroll RAS and IAS Server Authentication Certificate
- Remote Access Policy - Wireless Users
- Remote Access Policy - Wireless Computers
- Remote Access Policy - Wireless Access
- Wireless Network Policy - Computer
For a multi-domain forest, you should create these groups in the same domain as the wireless users. Although this is not essential, since they are created as global groups, this is assumed in the remainder of this guidance.
Configuring Wireless APs for 802.1X Networking
The procedure for configuring wireless APs varies dramatically depending on the make and model of the device. However, wireless AP vendors will generally provide instruction for configuring the device with:
- 802.1X networking settings.
- IP address of the primary RADIUS authentication server.
- IP address of the primary RADIUS accounting server.
- RADIUS secret shared with the primary RADIUS server.
- IP address of the secondary RADIUS authentication server.
- IP address of the secondary RADIUS accounting server.
- RADIUS secret shared with the secondary RADIUS server.
See your vendor-specific documentation for information about configuring wireless APs for 802.1X.
If users in your environment are currently utilizing wireless APs with no security settings or static WEP settings, you will need to develop a migration plan. For more information about migration from an existing wireless network, please consult Chapter 6, "Designing Wireless LAN Security Using 802.1X," of the Planning Guide. Although providing instruction for configuring various vendors' wireless APs is outside the scope of this guidance, discussion of security topics related to wireless APs can be found in this same chapter.
Configuring WLAN Access Infrastructure
You must configure your primary IAS server with remote access policy and connection request settings that determine authentication and authorization of wireless users and computers to the WLAN. These settings should then be replicated to additional IAS servers with a similar role by using the netsh command as described in the RADIUS Build Guide or the Operations Guide. In addition, each IAS server must be uniquely configured to accept connections from RADIUS clients such as wireless APs. Wireless APs must then be configured to utilize IAS servers as the source of authentication and accounting for 802.1X networking.
Creating an IAS Remote Access Policy for WLAN
Perform the following steps by using the Internet Authentication Service MMC snap-in to configure IAS with a remote access policy for wireless networking.
To create a remote access policy in IAS
1. Right-click the Remote Access Policies folder, and then select Create New Remote Access Policy.
2. Name the policy Allow Wireless Access and instruct the wizard to set up A typical policy for a common scenario.
3. Choose Wireless for the access method.
4. Grant access based on group, and use the Remote Access Policy - Wireless Access (WOODGROVEBANK\Remote Access Policy - Wireless Access) security group.
5. Choose Smart Card or Other Certificate for the Extensible Authentication Protocol (EAP) type, and then select the server authentication certificate installed for IAS. Finish and exit the wizard.
Note: The new Allow Wireless Access policy can coexist with other user-created remote access policies or the default remote access policies. However, ensure that any default remote access policies are either deleted or listed after the Allow Wireless Access policy in the Remote Access Policies folder.
QUESTION NO: 12
You are a security administrator for TestKing. The network contains a Windows Server 2003 computer that runs IIS. You use this server to host an Internet Web site for customer product purchasing. You plan to use SSL on this computer. You do not want customers to receive a certificate-related security alert when they use SSL to connect to your Web site.
You need to select an appropriate certification authority (CA) to serve as the issuer for your Web server SSL certificate.
What should you do?
A. Use an online enterprise root CA.
B. Use an online stand-alone root CA.
C. Use a commercial CA.
D. Use an offline stand-alone root CA.
Answer: C
Explanation:
Overview of Secure Sockets Layer (SSL) 11-5 - Used primarily for Internet communications
Obtaining SSL Certificates
To use SSL, the server must have a suitable public key certificate. Additionally, some SSL scenarios allow or require the client to use a public key certificate. SSL is one of the most common uses for public key certificates, and, as a result, you can obtain SSL certificates from a wide variety of places. Any organization with a computer running Windows Server 2003 can deploy Certificate Services to issue SSL certificates without any additional cost. These certificates are suitable for intranet scenarios, in which both the servers and the clients are controlled by a single organization. These certificates should not be used for communications that cross organizations, however.
As with any public key infrastructure (PKI), SSL certificates can only be trusted if the root certification authority (CA) is trusted. You can use Group Policy objects (GPOs) to add your CA to the list of trusted root CAs on clients on an intranet, but it is much more difficult to configure clients on the public Internet. For this reason, if you do not control the client computers, you should obtain an SSL certificate from a public CA that is trusted by the client applications that will be establishing a connection to your server. If the server is a Web server, your clients will be Web browsers. Microsoft Internet Explorer is configured by default to trust a large number of public CAs.
Comparing SSL with IPSec
IPSec is commonly used to provide the same services as SSL: authentication, privacy, and message integrity. However, the approach IPSec takes is different from that of SSL. IPSec is implemented by the operating system and is completely transparent to the applications that use IPSec. As a result, IPSec can be used to protect almost any type of network communication. IPSec also provides a flexible authentication scheme. The Microsoft Windows implementation of IPSec allows clients and servers to authenticate each other by using either public key certificates or a shared secret. SSL, on the other hand, must be implemented by individual applications. Therefore, you cannot use SSL to encrypt all communications between two hosts. Additionally, SSL is less flexible than IPSec because it only supports authentication by means of public key certificates. SSL does provide several distinct advantages, however. Most significantly, SSL is supported by a wide variety of servers and clients, and the maturity of the standard has practically eliminated interoperability problems. Additionally, SSL allows one-way authentication, while IPSec requires both sides of a connection to authenticate. One-way authentication allows SSL to be used to authenticate the server without placing the burden of registering for a public key certificate on the client. This enables SSL to be used to encrypt communications with public Web sites while protecting the privacy of the end user by not revealing the details of a user certificate to the Web server.
The other selections are for highly secure/internally controlled environments, primarily used for intranets and extranets.
QUESTION NO: 13
You are a security administrator for TestKing. The network consists of two Active Directory forests named testking.com and public.testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.
The network consists of an IEEE 802.11b wireless LAN (WLAN). Employees and external users use the WLAN. User accounts for employees are located in the testking.com forest. User accounts for external users are located in the public.testking.com forest. External users' computers do not have computer accounts in the public.testking.com forest.
To increase security, you upgrade the network hardware to support IEEE 802.1x. You configure a public key infrastructure (PKI). You issue Client Authentication certificates to employees, to client computers used by employees, and to external users.
You need to configure the WLAN to authenticate employees and external users.
What should you do?
A. Configure each wireless access point to forward RADIUS requests to a server running Internet Authentication Service (IAS). Configure the IAS server to use a connection request policy to forward the requests to the appropriate forest.
B. Configure each wireless access point to forward requests to an Internet Authentication Service (IAS) server in the testking.com forest. Configure the IAS server in the testking.com forest to use the Tunnel-Server-Endpt attribute.
C. Use the Connection Manager Administration Kit (CMAK). Configure one connection profile for external users. Configure a second connection profile for employees.
D. Establish a forest trust relationship between the testking.com forest and the public.testking.com forest.
Answer: A
Explanation:
Connection request policies
Connection request policies are sets of conditions and profile settings that give network administrators flexibility in configuring how incoming authentication and accounting request messages are handled by the IAS server. With connection request policies, you can create a series of policies so that some RADIUS request messages sent from RADIUS clients are processed locally (IAS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (IAS is being used as a RADIUS proxy). This capability allows IAS to be deployed in many new RADIUS scenarios.
With connection request policies, you can use IAS as a RADIUS server or as a RADIUS proxy, based on the time of day and day of the week, by the realm name in the request, by the type of connection being requested, by the IP address of the RADIUS client, and so on.
It is important to remember that with connection request policies, a RADIUS request message is processed only if the settings of the incoming RADIUS request message match at least one of the connection request policies. For example, if the settings of an incoming RADIUS Access-Request message do not match at least one of the connection request policies, an Access-Reject message is sent.
For more information about how incoming RADIUS request messages from RADIUS clients are processed, see Processing a connection request.
Authentication
You can set the following authentication options that are used for RADIUS Access-Request messages:
Authenticate requests on this server.
Use a Windows NT 4.0 domain or the Active Directory directory service, or the local Security Account Manager (SAM) on Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; for both authentication and the matching remote access policy and user account dial-in properties for authorization. In this case, the IAS server is being used as a RADIUS server.
Forward requests to another RADIUS server in a remote RADIUS server group.
Forward the Access-Request message to another RADIUS server in a specified remote RADIUS server group. If the IAS server receives a valid Access-Accept message that corresponds to the Access-Request message, the connection attempt is considered authenticated and authorized. In this case, the IAS server is being used as a RADIUS proxy.
Accept the connection attempt without performing authentication or authorization.
Do not check authentication of the user credentials and authorization of the connection attempt. An Access-Accept message is immediately sent to the RADIUS client. This setting is used for some types of compulsory tunneling where the access client is tunneled before the user's credentials are authenticated. For more information, see IAS and tunnels.
This authentication option cannot be used when the access client's authentication protocol is MS-CHAP v2 or EAP-TLS, both of which provide mutual authentication. In mutual authentication, the access client proves that it is a valid access client to the authenticating server (the IAS server), and the authenticating server proves that it is a valid authenticating server to the access client. When this authentication option is used, the Access-Accept message is returned. However, the authenticating server does not provide validation to the access client and mutual authentication fails.
(Authentication protocol: the protocol by which an entity on a network proves its identity to a remote entity. Typically, identity is proved with the use of a secret key, such as a password, or with a stronger key, such as the key on a smart card. Some authentication protocols also implement mechanisms to share keys between client and server to provide message integrity or privacy.)
802.1x authentication
For enhanced security, you can enable IEEE 802.1x authentication. IEEE 802.1x authentication provides authenticated access to 802.11 wireless networks and to wired Ethernet networks. IEEE 802.1x minimizes wireless network security risks, such as unauthorized access to network resources and eavesdropping, by providing user and computer identification, centralized authentication, and dynamic key management. IEEE 802.1x supports Internet Authentication Service (IAS), which implements the Remote Authentication Dial-In User Service (RADIUS) protocol. Under this implementation, a wireless access point that is configured as a RADIUS client sends a connection request and accounting messages to a central RADIUS server. The central RADIUS server processes the request and grants or rejects the connection request. If the request is granted, the client is authenticated, and unique keys (from which the WEP key is derived) can be generated for that session, depending on the authentication method chosen. The support that IEEE 802.1x provides for Extensible Authentication Protocol (EAP) security types allows you to use authentication methods such as smart cards, certificates, and the Message Digest 5 (MD5) algorithm.
With IEEE 802.1x authentication, you can specify whether the computer attempts authentication to the network if the computer requires access to network resources whether a user is logged on or not. For example, data center operators who manage remotely administered servers can specify that the servers should attempt authentication to access the network resources. You can also specify whether the computer attempts authentication to the network if user or computer information is not available. For example, Internet service providers (ISPs) can use this authentication option to allow users access to free Internet services, or to Internet services that can be purchased. A corporation can grant visitors limited guest access, so that they can access the Internet, but not confidential network resources.
Understanding 802.1x authentication
IEEE 802.1x is a draft standard for port-based network access control, which provides authenticated network access to 802.11 wireless networks and to wired Ethernet networks. Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases where the authentication process fails.
During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.
The authenticator's port-based network access control defines two logical access points to the LAN, through one physical LAN port. The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state. The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator.
IEEE 802.1x uses standard security protocols, such as RADIUS, to provide centralized user identification, authentication, dynamic key management, and accounting.
For an example of wireless access using the Internet Authentication Service (IAS) as a RADIUS server, see Wireless access example.
If you want to configure IAS for wireless access, see Checklist: Configuring IAS for wireless access.
If you want to configure IAS as a RADIUS server in a wireless environment, see Checklist: Wireless access.
To set up 802.1x authentication
Open Network Connections.
Right-click the connection for which you want to enable or disable IEEE 802.1x authentication, and then click Properties.
On the Authentication tab, do one of the following:
To enable IEEE 802.1x authentication for this connection, select the Network access control using IEEE 802.1X check box. This check box is selected by default.
To disable IEEE 802.1x authentication for this connection, clear the Network access control using IEEE 802.1X check box.
In EAP type, click the Extensible Authentication Protocol type to be used with this connection.
If you select Smart Card or other Certificate in EAP type, you can configure additional properties if you click Properties and, in Smart Card or other Certificate Properties, do the following:
To use the certificate that resides on your smart card for authentication, click Use my smart card.
To use the certificate that resides in the certificate store on your computer for authentication, click Use a certificate on this computer.
To verify that the server certificate presented to your computer is still valid, select the Validate server certificate check box, specify whether to connect only if the server resides within a particular domain, and then specify the trusted root certification authority.
To use a different user name when the user name in the smart card or certificate is not the same as the user name in the domain to which you are logging on, select the Use a different user name for the connection check box.
To specify whether the computer should attempt authentication to the network if a user is not logged on and/or if the computer or user information is not available, do the following:
To specify that the computer attempt authentication to the network if a user is not logged on, select the Authenticate as computer when computer information is available check box.
To specify that the computer attempt authentication to the network if user information or computer information is not available, select the Authenticate as guest when user or computer information is unavailable check box. This check box is selected by default.
QUESTION NO: 14
You are the security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. Servers on the network run Windows Server 2003. All computers are in the domain.
You enable Remote Desktop for Administration on a member server named TestKing1.
You want to allow members of a domain global group named Server Managers to create a Remote Desktop connection to TestKing1. The members of the Server Managers group are not in the Administrators group on TestKing1.
What should you do?
A. Grant the Server Managers group Read permission on the Terminal Services service.
B. Grant the Server Managers group Connect permission on the RDP-Tcp connection.
C. Assign the Allow log on locally right to the Server Managers group.
D. Add the Server Managers group to the Remote Desktop Users group.
Answer: D
Explanation:
To add users to the Remote Desktop Users group
Open Computer Management.
In the console tree, click the Local Users and Groups node.
In the details pane, double-click the Groups folder.
Double-click Remote Desktop Users, and then click Add...
On the Select Users dialog box, click Locations... to specify the search location.
Click Object Types... to specify the types of objects you want to search for.
Type the name you want to add in the Enter the object names to select (examples): box.
Click Check Names.
When the name is located, click OK.
Note:
By default, the Remote Desktop Users group is not populated. You must decide which users and groups should have permission to log on remotely, and then manually add them to the group.
To open Computer Management, click Start, and then click Control Panel. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer Management.
    QUESTION NO: 15
    You are a security administrator for TestKing. The
    network consists of seven Active Directory domains.
    These domains are in the same Active Directory forest.
    All seven Active Directory domains operate at a
    Windows Server 2003 domain functional level.
    Each domain contains an internal Web site that is used to
    publish information to the TestKing managers.
    Access to the information on these Web site must not be
    restricted to managers. An existing global group
    in each domain contains the management user accounts that
    exist in that domain.
    You need to restrict access to the internal Web sites to
    TestKing managers. You want to achieve this goal
    by using the minimum amount of administrative effort.
    What should you do?
    A. Create a universal group in one of the Active
    Directory domains.
    Add the existing management global groups as members of
    the universal group.
    Assign only this universal group permissions to access
    the Web sites.
    B. Create a global group in one of the Active Directory
    domains.
    Add the existing management global groups as members of
    the global group.
    Assign only this global group permissions to access the
    Web sites.
    C. Create a domain local group in one of the Active
    Directory domains.
    Add the existing management global groups as members of
    the domain local group.
    Assign only this domain local group permissions to access
    the Web sites.
    D. Assign only the existing management global permissions
    to access the Web sites.
    Answer: A
    Explanation:
    The members that each type of security group scope can
    have depends on the domain functional level. When
    the domain functional level is set to Windows 2000 native
    mode or higher, each type of group can contain the
    following members:
    Universal: accounts from any domain, global groups from
    any domain, and universal groups from any domain
    Global: accounts from the same domain, and global groups
    from the same domain
    Domain local: accounts from any domain, global groups
    from any domain, universal groups from any domain,
    and domain local groups from the same domain
    Objective: Planning, Configuring and Troubleshooting
    Authentication, Authorization and PKI
    Sub-Objective: 4.2.2 Plan security group scope.
    Domain Migration Cookbook
    Chapter 2: Domain Upgrade
    Global Groups
    Windows 2000 global groups are effectively the same as
    Windows NT global groups. In terms of membership,
    they have domain-wide scope, but can be granted
    permissions in any domain, even in other forests and
    earlier
    version domains as long as a trust relationship exists.
    Universal Groups
    Universal groups can contain members from any Windows
    2000 domain in the forest, but cannot contain
    members from outside the forest. You can grant universal
    groups permissions in any domain, even in other
    forests, as long as a trust relationship exists. Although
    universal groups can have members from mixed mode
    domains in the same forest, the universal group will not
    be added to the access token of these members because
    universal groups are not available in mixed mode.
    You can add users to a universal group, but it is
    recommended that you restrict universal group membership
    to
    global groups. Universal groups are available only in
    native mode domains.
    Use of Universal Groups
    Universal groups have a number of important
    characteristics. You can use universal groups to build
    groups that
    perform a common function within an enterprise. One
    example might be virtual teams. The membership of such
    teams in a large company would probably be nationwide or
    even worldwide, and almost certainly forest-wide,
    with the team resources being similarly distributed.
    Universal groups could be used as a container in these
    circumstances to hold global groups from each subsidiary
    or department, with a single access control entry
    (ACE) for the universal group to protect the team
    resources.
    In using universal groups, an important factor to
    consider is that while global and domain local groups are
    listed
    in the global catalog (GC), their members are not,
    whereas universal groups and their members are listed, a
    fact
    that has implications for GC replication traffic.
    Exercise care in the use of universal groups. As a guide,
    if your
    entire network has high-speed connectivity, you can
    simply use universal groups for all of your groups and
    benefit from not having to bother with managing global
    groups and domain local groups. If, however, your
    network spans wide area networks (WANs), you can improve
    performance in several ways by using global
    groups and domain local groups. If you use global groups
    and domain local groups, you can also designate any
    widely used groups that are seldom changed as universal
    groups.
    Universal Groups and Access Tokens
    The previous discussion of universal group membership
    touched on the fact that universal groups can contain
    members from mixed mode domains, but that such members
    will not have the universal group's SID in their
    access token. This is a consequence of the way access
    tokens are created in Windows 2000. When a user logs
    on to a Windows 2000 native mode domain and has been
    authenticated, the Local Security Authority (LSA) on
    the domain controller where the user was authenticated
    retrieves the user's global group memberships. The LSA
    then passes this information down to the workstation,
    where it is used to build the user's access token. At the
    same time, the LSA queries the GC for the user's
    universal group memberships, which it also passes to the
    workstation. If a user is a member of a universal group,
    the SID of that group is included in the access token on
    the workstation, and is added to the authorization data
    in the TGT issued by the KDC. Universal groups are not added to access tokens at any other time (for example, when impersonation tokens are created at member servers). As a consequence, if the universal group SID is not available when the user logs on (for example, where the user is logging on to a mixed mode domain), it will not be added subsequently.
    Nesting Groups
    It is recommended that you do not create groups with more
    than 5,000 members. This guideline is based on the
    fact that updates to the Active Directory store have to
    be capable of being made in a single transaction. Because
    group memberships are stored in a single multivalue attribute, a change to the membership would result in the whole attribute (in other words, the whole membership list) having to be updated in a single transaction. Microsoft has tested and supports group memberships of up to 5,000
    members. You can get around this limitation by
    nesting groups to increase the effective number of
    members. A further consequence is that you also reduce
    the
    replication traffic caused by replication of group
    membership changes. Your nesting options depend on
    whether the domain is in native mode or mixed mode. The
    following list describes what can be contained in a
    group that exists in a native mode domain. These rules
    are determined by the scope of the group.
    • Universal groups can contain user accounts, computer accounts, other universal groups, and global groups from any domain.
    • Global groups can contain user accounts from the same domain and other global groups from the same domain.
    • Domain local groups can contain user accounts, universal groups, and global groups from any domain. They also can contain other domain local groups from within the same domain.
    This list describes what security groups in a mixed mode domain can contain:
    • Local groups can contain global groups and user accounts from trusted domains.
    • Global groups can contain only user accounts.
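The nesting rules above (repeated in the explanation of question 17) and the access-token behaviour described under "Universal Groups and Access Tokens" are easy to get wrong when reasoning about answers A, B and C. The following is an added example, not code from TestKing or Microsoft, that models both: `can_contain` encodes the native-mode and mixed-mode lists, and `token_groups` shows why a user who logs on to a mixed mode domain never receives the universal group's SID. The forest (domains `corp`, `emea`, `apac`), the group names and the users are constructed for the illustration.

```python
"""Model of the group-scope nesting rules and of which group SIDs reach a
user's logon token, as described in the explanation above.  Added example;
the domain names, group names and users below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

NATIVE, MIXED = "native", "mixed"


@dataclass(frozen=True)
class Principal:
    """A member candidate: an account, or a group used as a member."""
    name: str
    domain: str
    kind: str  # "user", "computer", "global", "universal" or "domainlocal"


@dataclass
class Group:
    name: str
    domain: str
    scope: str  # "global", "universal" or "domainlocal"
    members: list = field(default_factory=list)


def as_member(group: Group) -> Principal:
    return Principal(group.name, group.domain, group.scope)


def can_contain(group: Group, member: Principal, domain_mode: str) -> bool:
    """Nesting rules from the lists above, keyed on the mode of the group's domain."""
    same_domain = member.domain == group.domain
    if domain_mode == MIXED:
        # mixed mode: no universal groups; global groups hold only users of
        # their own domain; local groups hold users and global groups
        if group.scope == "global":
            return member.kind == "user" and same_domain
        if group.scope == "domainlocal":
            return member.kind in ("user", "global")
        return False
    if group.scope == "universal":
        return member.kind in ("user", "computer", "global", "universal")
    if group.scope == "global":
        return member.kind in ("user", "global") and same_domain
    if group.scope == "domainlocal":
        if member.kind in ("user", "global", "universal"):
            return True
        return member.kind == "domainlocal" and same_domain
    raise ValueError(f"unknown scope {group.scope}")


def add_member(group: Group, member: Principal, domain_modes: dict) -> None:
    """Add a member, or raise as the directory would refuse the change."""
    if not can_contain(group, member, domain_modes[group.domain]):
        raise ValueError(f"{group.scope} group {group.name} ({group.domain}) "
                         f"cannot contain {member.kind} {member.name} ({member.domain})")
    group.members.append(member)


def memberships(user: Principal, groups: dict) -> set:
    """Transitive group membership through nesting."""
    found, frontier = set(), [user]
    while frontier:
        candidate = frontier.pop()
        for group in groups.values():
            if candidate in group.members and group.name not in found:
                found.add(group.name)
                frontier.append(as_member(group))
    return found


def token_groups(user: Principal, groups: dict, domain_modes: dict) -> set:
    """Memberships the LSA puts in the logon token: global groups from the
    authenticating DC, universal groups from the GC only when the logon domain
    is native.  Domain local groups are applied at the resource, not modelled."""
    native_logon = domain_modes[user.domain] == NATIVE
    return {name for name in memberships(user, groups)
            if groups[name].scope == "global"
            or (groups[name].scope == "universal" and native_logon)}


def group_scope_demo() -> dict:
    # Constructed forest: three domains, one Managers global group each
    domain_modes = {"corp": NATIVE, "emea": MIXED, "apac": NATIVE}
    groups = {f"Managers-{d}": Group(f"Managers-{d}", d, "global") for d in domain_modes}
    groups["AllManagers"] = Group("AllManagers", "corp", "universal")
    alice = Principal("alice", "emea", "user")  # logs on to a mixed mode domain
    bob = Principal("bob", "corp", "user")      # logs on to a native mode domain
    add_member(groups["Managers-emea"], alice, domain_modes)
    add_member(groups["Managers-corp"], bob, domain_modes)
    for d in domain_modes:  # option A: one universal group holding every global group
        add_member(groups["AllManagers"], as_member(groups[f"Managers-{d}"]), domain_modes)
    try:  # option B: a global group cannot hold another domain's global group
        add_member(Group("AllManagersGlobal", "corp", "global"),
                   as_member(groups["Managers-emea"]), domain_modes)
        option_b_allowed = True
    except ValueError:
        option_b_allowed = False
    return {"option_b_allowed": option_b_allowed,
            "alice_token": token_groups(alice, groups, domain_modes),
            "bob_token": token_groups(bob, groups, domain_modes)}
```

Running `group_scope_demo()` shows option B rejected by the nesting rules, Bob's token carrying both `Managers-corp` and `AllManagers`, and Alice's token carrying only `Managers-emea` because her logon domain is in mixed mode; an ACE granted to `AllManagers` would therefore not apply to her.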
    References:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;326265
    Description of the Group Scopes That You Can Use to Help Secure Active Directory Objects
    http://support.microsoft.com/default.aspx?scid=kb;en-us;318862
    Universal Group Scope Is Incorrectly Documented in Windows 2000 Help
    QUESTION NO: 16
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All domain controllers run Windows
    Server 2003. All client computers run
    Windows XP Professional.
    Users store files on a server named TestKing1. These
    files are confidential and must be encrypted at all
    times while on TestKing1.
    You configure a new certification authority (CA) and
    issue certificates that support Encrypting File
    System (EFS) to all users. Users report that they cannot
    encrypt files that are stored on TestKing1. They
    report that they can encrypt files that are stored
    locally on their client computers.
    You need to ensure that users can encrypt files that are
    stored on TestKing1.
    What should you do?
    A. Enroll TestKing1 for a Computer certificate that
    supports file encryption.
    B. Configure a new EFS recovery agent.
    Deploy the EFS recovery agent by using Active Directory.
    C. Configure the TestKing1 computer account to be trusted
    for delegation.
    D. Enroll each client computer for a Computer certificate
    that supports file encryption.
    Answer: C
    Explanation:
    Unable to Encrypt Files
    If you find that you are unable to encrypt files or
    folders, one of the following might be the cause:
    The file is not an NTFS volume.
    You do not have Write access to the file.
    If you are having trouble encrypting a remote file, check
    to see that your user profile is available for EFS to use
    on that computer (this typically means having a roaming
    user profile), make sure the remote computer is trusted
    for delegation, and make sure your account is configured
    to enable delegation. Sensitive accounts are not
    enabled for delegation by default, so users like
    Enterprise Administrator might not be able to encrypt or
    decrypt
    files remotely.
    Note: Sometimes users think that a file is not encrypted
    because they can open it and read the file. You can
    verify whether a file is encrypted by checking the file's
    attributes. For more information about formatting
    volumes as NTFS, see Windows XP Professional Help and
    Support Center. For more information about the
    encryption process, requirements, and procedures,
    see "Encrypting and Decrypting By Using EFS" earlier in
    this chapter.
    For more information about remote EFS operations,
    see "Remote EFS Operations in a File Share Environment"
    earlier in this chapter.
    Unable to Decrypt Remote Files
    The following are the major causes of and solutions for
    remote decryption failure (usually indicated by an
    "Access is denied" message):
    The computer on which the encrypted file is stored is not
    trusted for delegation. Every computer that stores
    encrypted files for remote access must be trusted for
    delegation. To check a computer's delegation status, open
    the computer's properties sheet in the Active Directory
    Users and Computers snap-in.
    The user account that EFS needs to impersonate cannot be
    delegated. To check a user's delegation status, open
    the user's Properties sheet in the Active Directory Users
    and Computers snap-in.
    The user's profile is not available. Using roaming user
    profiles is the solution for this problem.
    One of the user's profiles is available, but it does not
    contain the correct private key. Using roaming user
    profiles is the solution for this problem.
    For more information about the decryption process,
    requirements, and procedures, see "Encrypting and
    Decrypting By Using EFS" earlier in this chapter.
    For more information about remote EFS operations,
    see "Remote EFS Operations in a File Share Environment"
    earlier in this chapter.
    QUESTION NO: 17
    You are a security administrator for TestKing. The
    network consists of a single Active Directory forest
    that contains three domains in a single domain tree. All
    servers run Windows Server 2003. All computers
    are members of the domains. The functional level of the
    forest is Windows 2000. The functional level of
    each domain is Windows Server 2003.
    All users in the forest are in the root domain. The two
    child domains contain client computers accounts
    and server accounts. Only the root domain contains global
    catalog servers.
    TestKing uses an application that stores data in a custom
    application directory partition. The application
    runs on domain controllers in all three domains.
    You add the users that manage the data in the custom
    application directory partition to a global group
    named App Managers. You add the App Managers group to a
    domain local group named App Data. You
    assign the App Data group the Allow - Modify permission
    for all objects in the custom application
    directory partition.
    Some users in the App Managers group report that they
    receive an Access Denied message when they
    attempt to access the application data. Other users in
    the App Managers group can successfully access
    the application data in the application directory
    partition.
    You need to ensure that all users in the App Managers
    group can access the application data successfully.
    What should you do?
    A. Raise the functional level of the forest to Windows
    Server 2003.
    B. Change the scope of the App Data group to universal.
    C. Install a global catalog server in the two child
    domains.
    D. Create a two-way shortcut trust relationship between
    the two child domains.
    E. Assign the App Managers group the Allow - Allowed to
    Authenticate permission on all domain
    controllers that run the application.
    Answer: B
    Explanation:
    The members that each type of security group scope can
    have depends on the domain functional level. When
    the domain functional level is set to Windows 2000 native
    mode or higher, each type of group can contain the
    following members:
    Universal: accounts from any domain, global groups from
    any domain, and universal groups from any domain
    Global: accounts from the same domain, and global groups
    from the same domain
    Domain local: accounts from any domain, global groups
    from any domain, universal groups from any domain,
    and domain local groups from the same domain
    Objective: Planning, Configuring and Troubleshooting
    Authentication, Authorization and PKI
    Sub-Objective: 4.2.2 Plan security group scope.
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp2.mspx
    Domain Migration Cookbook
    Chapter 2: Domain Upgrade
    Global Groups
    Windows 2000 global groups are effectively the same as
    Windows NT global groups. In terms of membership,
    they have domain-wide scope, but can be granted
    permissions in any domain, even in other forests and
    earlier
    version domains as long as a trust relationship exists.
    Universal Groups
    Universal groups can contain members from any Windows
    2000 domain in the forest, but cannot contain
    members from outside the forest. You can grant universal
    groups permissions in any domain, even in other
    forests, as long as a trust relationship exists. Although
    universal groups can have members from mixed mode
    domains in the same forest, the universal group will not
    be added to the access token of these members because
    universal groups are not available in mixed mode.
    You can add users to a universal group, but it is
    recommended that you restrict universal group membership
    to
    global groups. Universal groups are available only in
    native mode domains.
    Use of Universal Groups
    Universal groups have a number of important
    characteristics. You can use universal groups to build
    groups that
    perform a common function within an enterprise. One
    example might be virtual teams. The membership of such
    teams in a large company would probably be nationwide or
    even worldwide, and almost certainly forest-wide,
    with the team resources being similarly distributed.
    Universal groups could be used as a container in these
    circumstances to hold global groups from each subsidiary
    or department, with a single access control entry
    (ACE) for the universal group to protect the team
    resources.
    In using universal groups, an important factor to
    consider is that while global and domain local groups are
    listed
    in the global catalog (GC), their members are not,
    whereas universal groups and their members are listed, a
    fact
    that has implications for GC replication traffic.
    Exercise care in the use of universal groups. As a guide,
    if your
    entire network has high-speed connectivity, you can
    simply use universal groups for all of your groups and
    benefit from not having to bother with managing global
    groups and domain local groups. If, however, your
    network spans wide area networks (WANs), you can improve
    performance in several ways by using global
    groups and domain local groups. If you use global groups
    and domain local groups, you can also designate any
    widely used groups that are seldom changed as universal
    groups.
    Universal Groups and Access Tokens
    The previous discussion of universal group membership
    touched on the fact that universal groups can contain
    members from mixed mode domains, but that such members
    will not have the universal group's SID in their
    access token. This is a consequence of the way access
    tokens are created in Windows 2000. When a user logs
    on to a Windows 2000 native mode domain and has been
    authenticated, the Local Security Authority (LSA) on
    the domain controller where the user was authenticated
    retrieves the user's global group memberships. The LSA
    then passes this information down to the workstation,
    where it is used to build the user's access token. At the
    same time, the LSA queries the GC for the user's
    universal group memberships, which it also passes to the
    workstation. If a user is a member of a universal group,
    the SID of that group is included in the access token on
    the workstation, and is added to the authorization data
    in the TGT issued by the KDC. Universal groups are not added to access tokens at any other time (for example, when impersonation tokens are created at member servers). As a consequence, if the universal group SID is not available when the user logs on (for example, where the user is logging on to a mixed mode domain), it will not be added subsequently.
    Nesting Groups
    It is recommended that you do not create groups with more
    than 5,000 members. This guideline is based on the
    fact that updates to the Active Directory store have to
    be capable of being made in a single transaction. Because
    group memberships are stored in a single multivalue attribute, a change to the membership would result in the whole attribute (in other words, the whole membership list) having to be updated in a single transaction. Microsoft has tested and supports group memberships of up to 5,000
    members. You can get around this limitation by
    nesting groups to increase the effective number of
    members. A further consequence is that you also reduce
    the
    replication traffic caused by replication of group
    membership changes. Your nesting options depend on
    whether the domain is in native mode or mixed mode. The
    following list describes what can be contained in a
    group that exists in a native mode domain. These rules
    are determined by the scope of the group.
    • Universal groups can contain user accounts, computer accounts, other universal groups, and global groups from any domain.
    • Global groups can contain user accounts from the same domain and other global groups from the same domain.
    • Domain local groups can contain user accounts, universal groups, and global groups from any domain. They also can contain other domain local groups from within the same domain.
    This list describes what security groups in a mixed mode domain can contain:
    • Local groups can contain global groups and user accounts from trusted domains.
    • Global groups can contain only user accounts.
    References:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;326265
    Description of the Group Scopes That You Can Use to Help Secure Active Directory Objects
    http://support.microsoft.com/default.aspx?scid=kb;en-us;318862
    Universal Group Scope Is Incorrectly Documented in Windows 2000 Help
    QUESTION NO: 18
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. The network contains Windows XP
    Professional client computers and Windows
    Server 2003 computers.
    You install Certificate Services to issue certificates to
    employees for secure e-mail encryption and Web
    site authentication. You revoke the certificates used by
    an employee when that employee leaves the
    company. Several thousand certificates are currently
    revoked, and multiple revocations occur daily.
    TestKing e-mail and Web applications already use strong
    revocation checking of certificates.
    You need to reduce the time it takes for client computers
    to find out about certificate revocations and to
    process certificate revocation information. You also need
    to limit the negative impact that this change will
    have on network performance.
    What should you do?
    A. In the Certification Authority console, open the
    Revoked Certificates properties.
    Set the Delta Certificate Revocation List (CRL)
    publication interval to one hour.
    B. In the Certification Authority console, open the
    Revoked Certificates properties.
    Set the full Certificate Revocation List (CRL)
    publication interval to one hour.
    C. In the Certification Authority console, highlight
    Revoked Certificates, and then select the option to
    publish a full CRL after you revoke a certificate.
    D. In the Certification Authority console, highlight
    Revoked Certificates, and then select the Refresh
    option.
    Answer: A
    Explanation:
    Certificate revocation
    A certificate has a specified lifetime, but CAs can
    reduce this lifetime by the process known as certificate
    revocation. The CA publishes a certificate revocation
    list (CRL) that lists serial numbers of certificates that
    it
    regards as no longer valid. The specified lifetime of
    CRLs is typically much shorter than that of a
    certificate.
    The CA might also include in the CRL the reason the
    certificate has been revoked. A revocation might occur
    because a private key has been compromised, because a
    certificate has been superseded, or because an
    employee has left the company. The CRL also includes the
    date the certificate was revoked. During signature
    verification, applications can check the CRL to determine
    whether a given certificate and key pair are still
    trustworthy. Applications can also determine whether the
    reason or date of the revocation affects the use of the
    certificate in question. If the certificate is being used
    to verify a signature, and the date on the signature
    precedes the date of the revocation of the certificate by
    the CA, the signature can still be considered valid. Off
    the Record: Most applications do not analyze the reason
    code. If a certificate is revoked, it's revoked. The
    reason code just isn't that important. To reduce the
    number of requests sent to the CA, the CRL is generally
    cached by the client, which can use it until it expires.
    If a CA publishes a new CRL, applications that have a
    valid CRL do not usually use the new CRL until the one
    they have expires.
    Installing, Configuring, and Managing Certification
    Services - Off the Record: The CRL contains the reason
    code you select for revoking the certificate. Before you
    select the reason code, think about whether you really
    want everyone who can access the CRL to know why you
    revoked it. If you did have a key compromise or a
    CA compromise, are you ready for that to be public
    information? If not, just select Unspecified. Clients
    discover that a certificate has been revoked by
    retrieving the certificate revocation list (CRL). There
    are two
    kinds of CRLs: full CRLs, which contain a complete list
    of all of a CA's revoked certificates, and delta CRLs.
    Delta CRLs are shorter lists of certificates that have
    been revoked since the last full CRL was published. After
    a
    client retrieves a full CRL, the client can download the
    shorter delta CRL to discover newly revoked
    certificates. See Also: For detailed information about CRLs, read the white paper "Troubleshooting Certificate
    http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx
    Troubleshooting Certificate Status and Revocation
    Optimizing Delta CRLs
    While in itself, Delta CRLs optimize the revocation
    checking process, you can further optimize the Delta CRL
    process by reducing the number of Base CRL fetches. This
    means that any client who has that oldest Base CRL
    will not be forced to download a new Base CRL until it
    expires. This minimizes the number of times a Base
    CRL is retrieved by the client, but increases the size of
    the Delta CRL. The Windows .NET Certificate
    Authority is primarily configured to ensure that the
    smallest Delta CRL sizes are used. If it is desired to
    optimize Base CRL usage, longer lifetimes should be
    applied to the BaseCRL publication period.
    http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx?#i
    Troubleshooting Certificate Status and Revocation
    Delta CRLs
    One of the biggest decisions faced by a CA administrator
    is determining the publication schedule for CRLs. If a
    CA publishes a complete CRL frequently, then clients are
    aware of a newly revoked certificate very quickly.
    However, this causes higher amounts of network traffic
    due to the more frequent downloading of the updated
    CRL to all clients. If a CRL publishes CRLs less often,
    this reduces the amount of network traffic, but increases
    the latency before a client is aware of a newly revoked
    certificate.
    If a CA revokes a large number of certificates, the size
    of the base CRL can grow to be larger than 1 MB in size
    if large numbers of certificates are revoked. If the CRL
    is published at frequent intervals, this can result in
    problems for clients connecting over slow connections.
    Alternatively, if the base CRL is published at longer
    intervals, this can result in the CRL information being
    out of date and reducing the validity of the CRL
    information.
    Delta CRLS, defined in RFC 2459, address these problems,
    by publishing changes to a Base CRL (bCRL), in a
    smaller file known as a Delta CRL (sCRL). When Delta CRLs
    are implemented, a client can download a Base
    CRL at longer intervals, and then download smaller Delta
    CRLS at shorter intervals to validate any presented
    certificates. The Delta CRLs can be published at very
    short intervals, such as once an hour, to increase the
    confidence in the certificates being validated. All of
    the time information stored in CRLs is stored as UTC.
    Note: This does not eliminate the requirement to download
    the larger Base CRLs. The Base CRL must be
    downloaded initially and when the previous Base CRL
    expires. The Delta CRL can force the client to retrieve a
    more recent Base CRL even though the current Base CRL is
    still time valid. This is achieved by having the
    Delta CRL point to a higher number Base CRL.
    When Delta CRLs are implemented, only changes from a Base
    CRL are published in a Delta CRL, resulting in
    a reduction in the size of the CRLs downloaded to the
    clients. This reduction in size allows for more frequent
    publishing of the CRL with both a minimal impact on the
    network infrastructure, and an improvement on the
    up-to-datedness of CRL information.
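The client-side behaviour described above (a cached base CRL used until it expires, a delta CRL layered on top, and a delta whose indicator points at a newer base forcing a fresh base download) and the publication-interval trade-off behind question 18 are modelled in the following added example. It is not code from TestKing, Microsoft or any CA product; the CRL numbers, serial numbers, times and the 1 MB / 10 KB sizes are constructed for the illustration.

```python
"""Client-side handling of a base CRL plus a delta CRL, and the traffic
trade-off behind the publication schedule.  Added example; the serial
numbers, CRL numbers, sizes and times below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BaseCRL:
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # serial numbers of revoked certificates


@dataclass(frozen=True)
class DeltaCRL:
    crl_number: int
    base_crl_number: int  # Delta CRL Indicator: the base CRL this delta extends
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # serials revoked since that base CRL was published


def is_current(crl, now: datetime) -> bool:
    """A cached CRL is used until its nextUpdate time passes."""
    return crl.this_update <= now < crl.next_update


def needs_new_base(base: BaseCRL, delta: DeltaCRL) -> bool:
    """A delta that points at a higher-numbered base forces a base download
    even though the cached base is still time valid."""
    return delta.base_crl_number > base.crl_number


def effective_revocations(base: BaseCRL, delta, now: datetime) -> frozenset:
    """Combine the cached base with the latest delta; refuse to answer from
    expired or mismatched data instead of silently trusting a stale list."""
    if not is_current(base, now):
        raise ValueError("base CRL expired: download a new base CRL")
    if delta is None:
        return base.revoked
    if not is_current(delta, now):
        raise ValueError("delta CRL expired: download a new delta CRL")
    if needs_new_base(base, delta):
        raise ValueError(f"delta CRL needs base CRL #{delta.base_crl_number}: "
                         "download a new base CRL")
    if delta.crl_number < base.crl_number:
        raise ValueError("delta CRL is older than the cached base CRL")
    return base.revoked | delta.revoked


def is_revoked(serial: int, base: BaseCRL, delta, now: datetime) -> bool:
    return serial in effective_revocations(base, delta, now)


def daily_crl_bytes(base_bytes, base_interval_h, delta_bytes=0, delta_interval_h=None):
    """Bytes one client downloads per day if it fetches each CRL once per
    publication interval (the frequency-versus-traffic trade-off above)."""
    total = base_bytes * 24 / base_interval_h
    if delta_interval_h:
        total += delta_bytes * 24 / delta_interval_h
    return total


def crl_demo() -> dict:
    t0 = datetime(2004, 8, 20, tzinfo=timezone.utc)
    base = BaseCRL(10, t0, t0 + timedelta(days=7), frozenset({0x1001, 0x1002}))
    # hourly delta #12 extends base #10 and carries one newly revoked serial
    delta = DeltaCRL(12, 10, t0 + timedelta(hours=2), t0 + timedelta(hours=3),
                     frozenset({0x2001}))
    now = t0 + timedelta(hours=2, minutes=30)
    # a later delta whose indicator points past the cached base
    later_delta = DeltaCRL(15, 11, now, now + timedelta(hours=1), frozenset())
    try:
        effective_revocations(base, later_delta, now)
        refresh_error = None
    except ValueError as exc:
        refresh_error = str(exc)
    return {
        "revoked_in_base": is_revoked(0x1001, base, delta, now),
        "revoked_in_delta": is_revoked(0x2001, base, delta, now),
        "not_revoked": is_revoked(0x3001, base, delta, now),
        "forced_base_refresh": needs_new_base(base, later_delta),
        "refresh_error": refresh_error,
        # option A: weekly 1 MB base plus hourly 10 KB delta; option B: hourly 1 MB base
        "option_a_bytes_per_day": daily_crl_bytes(1_000_000, 24 * 7, 10_000, 1),
        "option_b_bytes_per_day": daily_crl_bytes(1_000_000, 1),
    }
```

With the constructed sizes, the hourly delta schedule (option A) costs each client well under half a megabyte per day while the hourly full CRL schedule (option B) costs 24 MB, which is the network-impact argument for publishing deltas frequently and base CRLs rarely; `refresh_error` shows how a delta pointing at base #11 makes a client with base #10 fetch a new base before trusting any answer.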
    Publishing CRLs
    If you need to download a file from a server, you might
    access the file in several different ways. If you're
    logged onto the computer locally, you would use Windows
    Explorer to navigate to the folder containing the file.
    If you were on a different computer on the same network,
    you might map a drive to the server and download the
    file from a shared folder. If the server was behind a
    firewall and running IIS, you could open a Web browser to
    retrieve the file.
    Having multiple ways to retrieve a file from a server is
    important, especially when the server will be accessed
    by a variety of different clients. Certificate Services
    enables clients to retrieve CRLs by using a wide variety
    of
    different protocols: shared folders, Hypertext Transfer
    Protocol (HTTP), File Transfer Protocol (FTP), and
    Lightweight
    Directory Access Protocol (LDAP). By default, CRLs are
    published in three different locations. For clients
    accessing the CRL from a shared folder, they are located
    in the \\Server\CertEnroll\ share, which is created
    automatically when Certificate Services is installed.
    Clients who need to retrieve the CRL by using LDAP can access it from
    CN=CAName,CN=CAComputerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootNameDN. Web clients can retrieve the CRLs from
    http://Server/certenroll/. Though the default locations
    are sufficient for most organizations, you can add
    locations if you need to. In particular, you must add a location if you are using an offline root CA, since the CA will not be accessible by clients under normal circumstances. Additionally, if certificates are used outside your private network but your CA is behind a firewall, you should publish your CRL to a publicly accessible location.
    QUESTION NO: 19
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    All client computers run Windows XP
    Professional.
    TestKing hosts Web applications for customers. Each
    customer is a company that has multiple employees
    who require access to the Web application. Each customer
    has one Web application. Each Web
    application is configured as a virtual directory. You
    configure a user account for each customer. You
    assign this account permission to read the virtual
    directory that contains the customer's Web application.
    You need to ensure that employees can access only their
    company's Web application. You must
    accomplish this task without requiring customers to
    disclose passwords.
    What should you do?
    A. Configure anonymous access for each virtual directory.
    Configure each virtual directory to use the customer's
    assigned user account.
    Leave the password assigned to the user account blank.
    B. Configure Microsoft .NET Passport authentication for
    each virtual directory.
    Instruct each employee of each customer that requires
    access to the Web site to enroll for a new .NET
    Passport.
    C. Configure a certification authority (CA).
    Issue certificates to each employee of each customer that
    requires access to the Web site.
    Configure many-to-one certificate mapping.
    D. Acquire a Server Authentication digital certificate
    from a public certification authority (CA).
    Configure the Web server to use this certificate and to
    require SSL.
    Distribute a copy of the Server Authentication
    certificate to each employee of each customer that
    requires access to the Web site.
    Answer: C
    Explanation:
    Anonymous would allow access to any of the websites.
    Microsoft .NET Passport would have the user use
    passwords.
    11 Deploying, Configuring, and Managing SSL Certificates
    IIS cannot process client certificates unless you have previously installed a server certificate and enabled HTTPS.
    There are two ways to improve the security of client certificates. First, you can use client certificate mapping to restrict access to users with specific certificates. (You can also use client certificate mapping to control authorization by mapping the certificates to existing user accounts.) Second, you can configure a certificate trust list (CTL) to reduce the number of root CAs that can issue certificates to your users.
    One-to-one client certificate mapping
    Client certificate mapping has two modes: one-to-one and many-to-one. One-to-one certificate mapping relates a single exported certificate to an Active Directory user account. When Web users present the certificate, they will be authenticated as if they had presented a valid user name and password.
    Many-to-one client certificate mapping
    Many-to-one certificate mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as the issuer or subject. This mapping does not identify individual client certificates; it accepts all client certificates fulfilling the specific criteria. If a client gets another certificate containing all the same user information, the existing mapping will still work. Certificates do not need to be exported for use in many-to-one mappings. To add many-to-one certificate mappings, follow this procedure:
    1. View the properties for the Web site, and then click the Directory Security tab.
    2. Click the Edit button in the Secure Communications box.
    3. Select the Enable Client Certificate Mapping check box, and then click the Edit button.
    4. Click the Many-1 tab, and then click the Add button.
    5. On the General page, type a name for the rule in the Description box. Click Next.
    6. On the Rules page, click New to add a rule. (Figure: Editing rule properties for many-to-one client certificate mappings.)
    7. In the Edit Rule Element dialog box, click the Certificate Field list to choose either Issuer or Subject. Select Issuer to filter based on the CA that issued the certificate. Choose Subject to filter based on who the certificate was issued to. After completing the rule element, click OK.
    Security Alert: When creating certificate mapping rules, keep in mind how easy it is to create your own root CA. Attackers could easily create their own root CA using your domain names. To prevent this type of impersonation, use certificate mapping along with a certificate trust list.
    8. To add an additional rule, return to step 6.
    9. Click Next.
    10. On the Mapping page, click Refuse Access to reject logons that match the criteria, or click Accept This Certificate For Logon Authentication to map matching certificates to a user account. If you choose to accept the certificate, complete the Account and Password boxes. Click Finish. If prompted, confirm the password and then click OK.
    Before you can authenticate users with client certificates, you must issue client certificates. If the users are members of an Active Directory domain and you are using an enterprise CA, auto-enrollment is the most efficient way to enroll users. Web servers are often used to communicate with users outside of your organization, however. For these users, you should use Web enrollment. The exercise at the end of this lesson demonstrates the process of enrolling a user certificate by using Web enrollment and then authenticating that user to IIS.
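The many-to-one mapping from the procedure above (and the answer to question 19), as an added example that is not part of the original post. The IIS 6 steps are GUI-only, so this shows the scriptable equivalent on IIS 7 and later with the WebAdministration module; it assumes the IIS Client Certificate Mapping Authentication role service is installed, a site named "Customer Portal" with one virtual directory per customer ("contoso" here), a service account TESTKING\svc_contoso that is the only principal with Read on that directory, and an issuing CA whose certificate subject is "CN=TestKing Issuing CA". All of those names are made up for the illustration.

```powershell
# Added example: one many-to-one client certificate mapping per customer
# directory, the IIS 7+ way. Names of the site, directory, account and CA
# are assumed; the password prompt is illustrative.
Import-Module WebAdministration

$site = 'Customer Portal'
$vdir = "$site/contoso"
$auth = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$pw   = Read-Host -Prompt 'Password for TESTKING\svc_contoso'

# 1. Client certificates are only processed over HTTPS, so require SSL and
#    require (not just negotiate) a client certificate on this directory.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 2. Enable mapping in many-to-one mode and switch anonymous access off so a
#    missing or unmatched certificate is refused rather than served anonymously.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
    -Filter $auth -Name 'enabled' -Value 'True'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
    -Filter $auth -Name 'manyToOneCertificateMappingsEnabled' -Value 'True'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value 'False'

# 3. The mapping itself: permissionMode Allow is "Accept this certificate for
#    logon authentication", and userName is the account the request runs as.
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
    -Filter "$auth/manyToOneMappings" -Name '.' `
    -Value @{ name = 'Contoso employees'; enabled = 'True'; permissionMode = 'Allow';
              userName = 'TESTKING\svc_contoso'; password = $pw }

# 4. Rules: all rules in a mapping must match. Issuer CN pins the mapping to
#    our CA's name, Subject O pins it to this customer. These are string
#    comparisons on the certificate fields, not a chain-trust check, which is
#    why the trusted root set on the server must stay small (Security Alert).
$rules = "$auth/manyToOneMappings/add[@name='Contoso employees']/rules"
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
    -Filter $rules -Name '.' `
    -Value @{ certificateField = 'Issuer'; certificateSubField = 'CN';
              matchCriteria = 'TestKing Issuing CA'; compareCaseSensitive = 'True' }
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
    -Filter $rules -Name '.' `
    -Value @{ certificateField = 'Subject'; certificateSubField = 'O';
              matchCriteria = 'Contoso'; compareCaseSensitive = 'True' }

# 5. Read back what landed in applicationHost.config for this location.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
    -Filter "$auth/manyToOneMappings/add" |
    Select-Object name, enabled, permissionMode, userName
```

Repeat step 3 and 4 per customer directory with that customer's account and Subject O value. Because the Issuer rule only compares a name, an attacker who stands up a CA called "TestKing Issuing CA" would satisfy the rule; what stops that is schannel's chain validation against the server's trusted roots, so the IIS 6 advice to pair mapping with a certificate trust list translates on newer servers to keeping the machine's Trusted Root Certification Authorities store (and the Client Authentication Issuers store, where used) down to the CAs you actually issue from.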
    QUESTION NO: 20
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. The network contains Windows Server
    2003 computers and Windows XP
    Professional client computers.
    You install Certificate Services on two Windows Server
    2003 computers named TestKing1 and
    TestKing2. TestKing1 is the root certification authority
    (CA) and TestKing2 is the subordinate CA. You
    configure the root CA certificate with a validity period
    of eight years. You configure the subordinate CA
    certificate with a validity period of two years.
    You create a custom User certificate type that has a
    validity period of three years. You allow employees
    to enroll for this user certificate by using TestKing2.
    You discover that all issued certificates do not
    remain valid for three years as expected.
    You need to ensure that the custom User certificates are
    issued with validity period of three years.
    What should you do?
    A. Generate a new CA certificate for TestKing1 with a
    validity period of three years.
    B. Generate a new CA certificate for TestKing2 with a
    validity period of four years.
    C. Create a new custom User certificate type with a
    validity period of four years.
    D. Create a new custom Administration certificate type
    with a validity period of three years.
    Answer: B
    Explanation:
    Validity and renewal periods
    Certificate-based cryptography uses public-key cryptography to protect and sign data. Over time, evildoers can obtain data protected with the public key and attempt to derive the private key from it. Given enough time and resources, this private key could be compromised, effectively rendering all protected data unprotected. Also, over time, the names guaranteed by a certificate may need to be changed. Because a certificate is a binding between a name and a public key, when either of these change, the certificate should be renewed.
    Validity periods
    Certificates are enabled for a specific length of time, which is the validity period. This time is expressed in a length of time beginning from when a certificate is issued. When that length of time is reached, the certificate is no longer valid and cannot be trusted. Because an expired certificate can cause problems, certificates can be renewed to extend their validity period.
    Renewal periods
    A renewal period is the amount of time prior to the end of the validity period when the subject will renew the certificate using autoenrollment. Renewing the certificate during this interval ensures that last-minute requests for certificate renewal can be serviced before certificate expiration to allow uninterrupted use of the certificate.
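The explanation above never states the rule that makes answer B the fix, so here it is as an added example that is not part of the original post: a Windows CA will not issue a certificate whose NotAfter lies beyond its own CA certificate's NotAfter, and it also caps issuance at the CA\ValidityPeriod registry setting. The effective lifetime is therefore the shortest of those three. The dates and the 5-year registry cap below are assumed for the illustration.

```powershell
# Added example: why a 3-year template issues shorter certificates from a
# subordinate CA whose own certificate has 2 years of life, and a check to
# run before blaming the template. Dates and the CA cap are assumed.

function Get-EffectiveNotAfter {
    param(
        [datetime]$IssuedOn,
        [int]$TemplateYears,       # validity period on the certificate template
        [int]$CaCapYears,          # CA\ValidityPeriodUnits (with CA\ValidityPeriod = Years)
        [datetime]$CaCertNotAfter  # NotAfter of the issuing CA's own certificate
    )
    $candidates = @(
        $IssuedOn.AddYears($TemplateYears),
        $IssuedOn.AddYears($CaCapYears),
        $CaCertNotAfter
    )
    # The earliest of the three wins; the CA never outlives its own certificate.
    ($candidates | Sort-Object)[0]
}

# Scenario from question 20: TestKing2 got a 2-year CA certificate, the
# custom User template asks for 3 years.
$subCaIssued   = Get-Date '2004-01-01'
$subCaNotAfter = $subCaIssued.AddYears(2)      # 2006-01-01
$enrolledOn    = Get-Date '2004-06-01'

$effective = Get-EffectiveNotAfter -IssuedOn $enrolledOn -TemplateYears 3 `
                                   -CaCapYears 5 -CaCertNotAfter $subCaNotAfter
'Template asks for {0:yyyy-MM-dd}; certificate actually expires {1:yyyy-MM-dd}' -f `
    $enrolledOn.AddYears(3), $effective        # 2007-06-01 vs 2006-01-01

# After renewing TestKing2's CA certificate for 4 years (answer B) the same
# enrollment gets its full 3 years ...
$renewedNotAfter = $subCaIssued.AddYears(4)    # 2008-01-01
Get-EffectiveNotAfter -IssuedOn $enrolledOn -TemplateYears 3 -CaCapYears 5 `
                      -CaCertNotAfter $renewedNotAfter   # 2007-06-01

# ... but an enrollment 18 months later is truncated again, so the CA
# certificate must be renewed well before its last 3 years begin.
Get-EffectiveNotAfter -IssuedOn $enrolledOn.AddMonths(18) -TemplateYears 3 -CaCapYears 5 `
                      -CaCertNotAfter $renewedNotAfter   # 2008-01-01

# Live checks on the issuing CA (run on TestKing2):
#   certutil -getreg CA\ValidityPeriodUnits
#   certutil -getreg CA\ValidityPeriod
#   certutil -ca.cert ca.cer; certutil -dump ca.cer | Select-String 'NotAfter'
```

The third call is the practical caveat: a 4-year subordinate CA certificate only guarantees 3-year user certificates for requests made during its first year. Plan the CA renewal (or give the subordinate a longer certificate) around the longest template it serves.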
    QUESTION NO: 21
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. The network contains Windows Server
    2003 computers and Windows XP
    Professional client computers.
    A Windows Server 2003 computer named TestKing1 is a
    member of a workgroup. TestKing1 hosts a
    knowledge management application that is accessed from
    the network.
    Contract employees require access to the knowledge
    management application. However, you do not want
    contract employees to have the right to create other user
    accounts on TestKing1.
    You need to assign the contract employees appropriate
    permissions to use the application on TestKing1.
    What should you do?
    A. Create the user accounts in the Active Directory
    domain.
    Place the user accounts in the default Authenticated
    Users group in the Active Directory domain, and
    then assign this group appropriate permissions on
    TestKing1.
    B. Create the user accounts in the Active Directory
    domain.
    Place the user accounts in the default Domain Users group
    in the Active Directory domain, and then
    assign this group appropriate permissions on TestKing1.
    C. Create the user accounts in the local accounts
    database on TestKing1.
    Place the user accounts in the default Users group on
    TestKing1, and then assign this group appropriate
    permissions on TestKing1.
    D. Create the user accounts in the local accounts
    database on TestKing1.
    Place the user accounts in the default Power Users group
    on TestKing1, and then assign this group
    appropriate permissions on TestKing1.
    Answer: C
    Explanation:
    Since this server is not in a domain, access can only be granted by using the local SAM database. Access can be granted by using the default Users group even though Power Users would also work. However, Power Users is probably more permissions than is needed to run the application. Of course this would depend on how the application was written. Note also that although multiple users will be accessing this server, the question does not mention that the users will need the "Access this computer from the network" right.
    The Principle of Least Privilege
    In the real world, the built-in groups are often misused. It's a common practice to add users to the Power Users group so that an application that won't run with regular User privileges will work as expected. While this is better than adding the user to the Administrators group, there is a risk associated with this practice: the risk that the user will be granted unnecessary rights that will later be misused. Even if the user would never intentionally misuse the elevated privileges of the Power Users group, a virus or Trojan horse might take advantage of the additional privileges without the user being aware.
    QUESTION NO: 22
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. Servers run either Windows Server
    2003 or Windows 2000 Server. All client
    computers run Windows XP Professional.
    TestKing's written security policy states that user accounts must be locked if an unauthorized user attempts to guess the users' passwords.
    The current account policy locks out a user after two
    invalid password attempts in five minutes. The user
    remains locked out until the account is reset by the
    administrator. Users frequently call the help desk to
    have their account unlocked. Calls related to account
    lockout constitute 25 percent of help desk calls.
    You need to reduce the number of help desk calls related
    to account lockout.
    What should you do?
    A. Modify the Default Domain Controllers Policy Group
    Policy object (GPO).
    Increase the maximum lifetime for service tickets.
    B. Modify the Default Domain Policy Group Policy object
    (GPO).
    Configure an account lockout threshold of 10.
    C. Modify the Default Domain Controllers Policy Group
    Policy object (GPO).
    Disable the enforcement of user logon restrictions.
    D. Modify the Default Domain Policy Group Policy object
    (GPO).
    Increase the maximum password age.
    Answer: B
    Explanation:
    Deploying and Troubleshooting Security Templates
    Account Lockout Policy. Determines the circumstances and length of time that an account will be locked out of the system.
    Security Alert: Enabling account lockout doesn't necessarily increase security. In fact, it actually creates a new vulnerability. An attacker who knows valid user names can guess incorrect passwords for users and lock legitimate users out, creating a denial-of-service attack.
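The account lockout settings behind answer B, written as a security template and applied with secedit, as an added example that is not part of the original post. The threshold of 10 is the one the question gives; the 30-minute reset window and lockout duration are my choices for the illustration, and the file path is assumed.

```powershell
# Added example: account lockout policy as a security template (.inf).
# Values other than the threshold of 10 are illustrative.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Invalid attempts before lockout. Two was locking out users who mistyped;
; ten still stops online guessing within any realistic window.
LockoutBadCount = 10
; Minutes of quiet before the bad-attempt counter resets to zero.
; Must not exceed LockoutDuration.
ResetLockoutCount = 30
; Minutes the account stays locked. 0 means "until an administrator resets
; it", which is what generated the help desk calls. A finite duration lets
; accounts self-heal and limits how long the lockout-as-denial-of-service
; trick from the Security Alert keeps a legitimate user out.
LockoutDuration = 30
'@
$inf = Join-Path $env:TEMP 'lockout.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode

# SECURITYPOLICY applies only the account and local policy area of the
# template (no file, registry, service or group-membership changes).
secedit /configure /db (Join-Path $env:TEMP 'lockout.sdb') /cfg $inf /areas SECURITYPOLICY /quiet

# Show the resulting policy on this machine.
net accounts
```

Applied with secedit on a member server this changes only the local SAM policy. For domain accounts the same [System Access] section is imported into the Default Domain Policy GPO (Security Settings, Import Policy), or set directly on a domain controller with `net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 /domain`. Note that raising the threshold reduces the nuisance, not the denial-of-service exposure the Security Alert describes; the finite lockout duration is what bounds that.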
    QUESTION NO: 23
    You are a security administrator for TestKing. The
    network consists of a single Active Directory forest
    that contains three domains in a single domain tree. All
    servers run Windows Server 2003. All computers
    are members of the domains. The functional level of the
    forest is Windows 2000. The functional level of
    each domain is Windows Server 2003.
    TestKing has a main office and five branch offices. Each
    branch office is configured as a separate Active
    Directory site. One domain controller for each of the
    three domains in each site. Only the main office
    contains global catalog servers.
    Users report that logging on in the branch office takes
    much longer than logging on in the main office.
    You need to ensure that the logon process in the branch
    offices completes more quickly. You do not want
    to install additional global catalog servers in the
    branch office, and you do not want to increase the
    bandwidth between the branch offices and the main office.
    What should you do?
    A. Raise the functional level of the forest to Windows
    Server 2003.
    B. Create a two-way shortcut trust between the two child
    domains.
    C. Enable universal group membership caching.
    D. Convert all universal groups in the three domains to
    domain local groups or global groups.
    E. Increase the maximum lifetime for Kerberos user
    tickets.
    Answer: B
    Explanation:
    When to create a shortcut trust
    Shortcut trusts are one-way or two-way, transitive trusts that can be used when administrators need to optimize the authentication process. Authentication requests must first travel a trust path between domain trees, and in a complex forest this can take time, which can be reduced with shortcut trusts. A trust path is the series of domain trust relationships that must be traversed in order to pass authentication requests between any two domains. For more information about trust paths, see Trust direction.
    Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest. For example, using the following figure as an example, you could form a shortcut trust between domain B and domain D or domain A and domain 1 and so on.
    Shortcut trusts effectively shorten the path traveled for authentications made between domains located in two separate trees. For more information about how to create a shortcut trust, see To create a shortcut trust.
    Glossary:
    Shortcut trust: A trust that is manually created between two domains in the same forest. The purpose of a shortcut trust is to optimize the interdomain authentication process by shortening the trust path. Shortcut trusts are transitive and can be one-way or two-way.
    Transitive trust: A trust relationship that flows throughout a set of domains, such as a domain tree, and forms a relationship between a domain and all domains that trust that domain. For example, if domain A has a transitive trust with domain B, and domain B trusts domain C, then domain A trusts domain C. Transitive trusts can be one-way or two-way, and they are required for Kerberos-based authentication and Active Directory replication.
    Authentication: The process for verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information, such as verifying a digital signature or verifying the identity of a user or computer.
    Trust path: A series of trust relationships that authentication requests must follow between domains. Domain controllers determine the trust path for all authentication requests between a domain controller in the trusting domain and a domain controller in the trusted domain.
    Domain tree: In DNS, the inverted hierarchical tree structure that is used to index domain names. Domain trees are similar in purpose and concept to the directory trees used by computer filing systems for disk storage. For example, when numerous files are stored on disk, directories can be used to organize the files into logical collections. When a domain tree has one or more branches, each branch can organize domain names used in the namespace into logical collections. In Active Directory, a hierarchical structure of one or more domains, connected by transitive, bidirectional trusts, that forms a contiguous namespace. Multiple domain trees can belong to the same forest.
    Trust relationship: A logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be given rights and permissions in a trusting domain, even though the user accounts or groups don't exist in the trusting domain's directory.
    Using one-way trusts
    A one-way, shortcut trust established between two domains
    located in separate domain trees can reduce the time
    needed to fulfill authentication requests, but in only
    one direction. For example, when a one-way, shortcut
    trust
    is established between domain A and domain B,
    authentication requests made in domain A to domain B can
    utilize the new one-way trust path. However,
    authentication requests made in domain B to domain A will
    still
    need to travel the longer trust path.
    Using two-way trusts
    A two-way, shortcut trust established between two domains
    located in separate domain trees will reduce the
    time needed to fulfill authentication requests
    originating in either domain. For example, when a two-way
    trust is
    established between domain A and domain B, authentication
    requests made from either domain to the other can
    utilize the new, two-way trust path.
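Creating and verifying the two-way shortcut trust from answer B with netdom, as an added example that is not part of the original post. The child domain names child1.testking.com and child2.testking.com and the administrator accounts are assumed; in the question's single tree, without the shortcut a child1 user logging on to a child2 resource is referred child1, then testking.com, then child2.

```powershell
# Added example: two-way shortcut trust between two child domains of one
# tree, created with netdom and checked afterwards. Domain names and the
# credential accounts are assumed.
$trusting = 'child1.testking.com'
$trusted  = 'child2.testking.com'

# /twoway creates both directions in a single operation; the "*" password
# arguments prompt interactively for the Domain Admin credentials of the
# trusted (D) and trusting (O) domains.
netdom trust $trusting "/domain:$trusted" /add /twoway `
    /userD:"child2\Administrator" /passwordD:* `
    /userO:"child1\Administrator" /passwordO:*

# Verify the secure channel in both directions and list the trusts each
# child now has: the other child should appear directly, not only the parent.
netdom trust $trusting "/domain:$trusted" /verify /twoway
netdom query "/domain:$trusting" trust
netdom query "/domain:$trusted" trust

# With the ActiveDirectory module (Windows Server 2008 R2 and later) the
# trust object shows it is bidirectional and internal to the forest.
Get-ADTrust -Filter "Target -eq '$trusted'" -Server $trusting |
    Select-Object Name, Direction, IntraForest, TrustType, ForestTransitive
```

A one-way shortcut (omit /twoway) only shortens the path for requests from the trusting domain to the trusted one, as the text above says; with users in both child domains logging on to each other's resources, the two-way form is the one that helps both directions.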
    QUESTION NO: 24
    You are the security administrator for TestKing. The
    network consists of a single Active Directory
    domain named testking.com. Four Windows Server 2003
    computers run IIS and serve as Web servers on
    the Internet.
    TestKing's written security policy states that computers
    that are accessible from the Internet must be
    hardened against attacks. The procedure for hardening
    computers includes disabling unnecessary
    services. You evaluate which services are necessary by
    using the following information about the Web
    servers:
    Customers and business partners access Web content on the
    Web servers after they authenticate
    by using a user name and password.
    To access certain parts of the site, some of these
    connections use the SSL protocol.
    All software is installed locally on the Web servers by
    using removable media, except for service
    packs and security patches.
    The Web servers automatically download service packs and
    security patches from an internal
    computer that runs Software Update Services (SUS).
    The Web servers are not functioning as any other roles.
    You need to create a security template for the Web
    servers that disables unnecessary services and allows
    necessary services to operate.
    What should you do?
    To answer, drag the appropriate service startup types to
    the correct locations in the work area.
    Answer:
    Explanation:
    IIS Services
    IIS provides the basic services that publish information, transfer files, support user communication, and update the data stores upon which these services depend. This section introduces the services that IIS 6.0 provides.
    The following table lists the IIS services, as well as their primary components and service hosts.
    Service                                               Primary Component   Hosted by
    World Wide Web Publishing Service (WWW service)       Iisw3adm.dll        Svchost.exe
    File Transfer Protocol Service (FTP service)          Ftpsvc2.dll         Inetinfo.exe
    Simple Mail Transfer Protocol Service (SMTP service)  Smtpsvc.dll         Inetinfo.exe
    Network News Transfer Protocol Service (NNTP service) Nntpsvc.dll         Inetinfo.exe
    IIS Admin service                                     Iisadmin.dll        Inetinfo.exe
    World Wide Web Publishing Service
    World Wide Web Publishing Service (WWW service) provides
    Web publishing to IIS end users, connecting
    client HTTP requests to Web sites that are running in
    IIS. WWW service manages the IIS core components that
    process HTTP requests and that configure and manage Web
    applications. WWW service runs as Iisw3adm.dll
    and is hosted by Svchost.exe.
    File Transfer Protocol Service
    Through the File Transfer Protocol service (FTP service),
    IIS provides full support for managing and serving
    files. The service uses the Transmission Control Protocol
    (TCP), which ensures that file transfers are complete
    and that the data transferred is accurate. This version
    of FTP supports isolating users at the site level to help
    administrators secure and commercialize their Internet
    sites. FTP service runs as Ftpsvc2.dll and is hosted by
    Inetinfo.exe.
    Simple Mail Transfer Protocol Service
    IIS can send or receive e-mail by using the Simple Mail
    Transfer Protocol service (SMTP service). For
    example, you can program the server to send mail
    automatically in response to events, in order to confirm
    successful forms submissions by users. Also, you can use
    the SMTP service to receive messages that collect
    feedback from Web site customers. SMTP service does not
    provide full e-mail services. To deliver full e-mail
    services, use Microsoft®Exchange Server. SMTP service
    runs as Smtpsvc.dll and is hosted by Inetinfo.exe.
    Network News Transfer Protocol Service
    You can use the Network News Transfer Protocol service
    (NNTP service) to host NNTP local discussion
    groups on a single computer. Because this feature
    complies fully with the NNTP protocol, users can use any
    news reader client to participate in the newsgroup
    discussions. Through the Rfeed script, found in the
    inetsrv
    folder, the IIS NNTP service now supports newsfeeds. NNTP
    service does not support replication. To employ
    news feeds or to replicate a newsgroup across multiple
    computers, use Exchange Server. NNTP service runs as
    Nntpsvc.dll and is hosted by Inetinfo.exe.
    IIS Admin Service
    IIS Admin service manages the IIS metabase and updates
    the Microsoft Windows® operating system registry
    for the WWW service, FTP service, SMTP service, and NNTP
    service. The metabase is a data store that holds
    IIS configuration data. IIS Admin service exposes the
    metabase to other applications, including the core
    components of IIS, applications that are built on IIS,
    and third-party applications that are independent of IIS,
    such as management or monitoring tools. IIS Admin service
    runs as Iisadmin.dll and is hosted by Inetinfo.exe.
    Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;321141
    HOW TO: Disable or Remove Unnecessary IIS Services
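The drag-and-drop answer to question 24 is an image that did not survive on this page, so the following is an added example that is not part of the original post and reflects my own reading of the scenario: HTTP and HTTPS must work (W3SVC, IIS Admin, and on Windows Server 2003 the HTTP SSL service), patches arrive through Automatic Updates from SUS, and nothing else is installed over the network, so FTP, SMTP and NNTP are not needed. Service names are the Windows Server 2003 ones; the Set-Service/Get-CimInstance cmdlets assume a current PowerShell.

```powershell
# Added example: service startup types derived from the facts in question 24,
# applied with Set-Service and then checked against WMI. The plan is my
# reading of the scenario, not the exam's published answer.
$plan = [ordered]@{
    'W3SVC'      = 'Automatic'   # World Wide Web Publishing: serves the sites
    'IISADMIN'   = 'Automatic'   # IIS Admin: metabase; W3SVC depends on it
    'HTTPFilter' = 'Automatic'   # HTTP SSL: SSL on Windows Server 2003 IIS 6
    'wuauserv'   = 'Automatic'   # Automatic Updates: pulls patches from SUS
    'BITS'       = 'Manual'      # started on demand by Automatic Updates
    'MSFtpsvc'   = 'Disabled'    # FTP Publishing: software comes on media
    'SMTPSVC'    = 'Disabled'    # Simple Mail Transfer Protocol: not used
    'NntpSvc'    = 'Disabled'    # Network News Transfer Protocol: not used
}

function Set-ServicePlan {
    param([System.Collections.IDictionary]$Plan)
    foreach ($name in $Plan.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { '{0,-12} not installed, skipped' -f $name; continue }
        Set-Service -Name $name -StartupType $Plan[$name]
        # A service that is disabled but still running keeps its port open
        # until reboot; stop it now.
        if ($Plan[$name] -eq 'Disabled' -and $svc.Status -eq 'Running') {
            Stop-Service -Name $name -Force
        }
        '{0,-12} -> {1}' -f $name, $Plan[$name]
    }
}

function Test-ServicePlan {
    param([System.Collections.IDictionary]$Plan)
    $bad = foreach ($name in $Plan.Keys) {
        $actual = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
        if ($null -eq $actual) { continue }          # role not installed
        # Win32_Service reports 'Auto' where Set-Service says 'Automatic'.
        $want = $Plan[$name] -replace '^Automatic$', 'Auto'
        if ($actual -ne $want) { '{0}: wanted {1}, found {2}' -f $name, $want, $actual }
    }
    if ($bad) { $bad } else { 'All services match the hardening plan.' }
}

Set-ServicePlan -Plan $plan
Test-ServicePlan -Plan $plan
```

The same startup types go into the [Service General Setting] section of the security template the question asks for; running the check function after the template is applied is a quick way to confirm that Group Policy and the template agree on every server.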
    QUESTION NO: 25
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All domain controllers and servers
    run Windows Server 2003. All computers are
    members of the domain.
    The domain contains 12 database servers. The database
    servers are in an organizational unit (OU) named
    DBServers. The domain controllers and the database
    servers are in the same Active Directory site.
    You receive a security report that requires you to apply a security template named Lockdown.inf to all database servers as quickly as possible. You import Lockdown.inf into a Group Policy object (GPO) that is linked to the DBServers OU.
    You need to ensure that the settings in the Lockdown.inf security template are applied to all database servers as quickly as possible.
    What should you do?
    A. On each database server, run the repadmin /replicate
    command.
    B. On each database server, run the gpupdate command.
    C. On each database server, run the
    secedit /refreshpolicy command.
    D. On each database server, open Local Computer Policy,
    select Security Settings, and then use the
    Reload command.
    E. On each database server, open Resultant Set of Policy,
    and then use the Refresh Query command.
    Answer: B
    Explanation:
    Repadmin.exe is a command-line tool from the Windows 2000
    Resource Kit that is included in the Support
    Tools folder on the Windows 2000 CD-ROM. Repadmin is a
    command-line tool that report failures on a
    replication link between two replication partners. The
    following repadmin example displays the replication
    partners and any replication link failures for Server1 on
    the microsoft.com domain:
    repadmin /showreps server1.microsoft.com
    For a complete list of repadmin options, use the /? option:
    repadmin /?
    The secedit /refreshpolicy option is no longer available with Windows Server 2003.
    Gpupdate: Refreshes local and Active Directory-based Group Policy settings, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.
    Syntax: gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot]
    Reloading the local policy updates the effective policy
    in the user interface. Depending on domain or OU
    password policies that are in effect, the effective
    policy may or may not have changed on your computer.
    Resultant Set of Policy
    The Resultant Set of Policy (RSoP) snap-in (Rsop.msc)
    enables you to poll and evaluate the cumulative effect
    that local, site, domain, and organizational unit Group
    Policy objects (GPOs) have on computers and users.
    Resultant Set of Policy enables you to check for GPOs
    that might affect your troubleshooting. For example, a
    GPO setting can cause startup programs to run after you
    log on to the computer.
    Use this snap-in to evaluate the effects of existing GPOs
    on your computer. This information is helpful for
    diagnosing deployment or security problems. Rsop.msc
    reports individual Group Policy settings specific to one
    or more users and computers, including advertised and
    assigned applications.
    QUESTION NO: 26
    You are a security administrator for TestKing. The
    network consists of as single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    All client computers run Windows XP
    Professional. You manage client computers by using Group
    Policy.
    Some of the administrators in TestKing are responsible
    for managing network connectivity and TCP/IP.
    These administrators are known as infrastructure
    engineers and are members of a global group named
    Infra_Engineers. The infrastructure engineers must be
    able to configure and troubleshoot TCP/IP
    settings on severs and client computers.
    You need to reconfigure a Restricted Groups policy that ensures that only infrastructure engineers are members of the Network Configuration Operators local group on all client computers. You want to achieve this goal without granting unnecessary permissions to the infrastructure engineers.
    What should you do?
    To answer, drag the appropriate group or groups to the
    correct list or lists in the dialog box in the work
    area.
    Answer:
    Explanation:
    Description of Group Policy Restricted Groups
    SUMMARY: This article provides a description of Group
    Policy Restricted groups.
    Restricted groups allow an administrator to define the
    following two properties for security-sensitive
    (restricted)
    groups:
    Members
    Member Of
    The "Members" list defines who should and should not
    belong to the restricted group. The "Member Of" list
    specifies which other groups the restricted group should
    belong to.
    Using the "Members" Restricted Group Portion of Policy
    When a Restricted Group policy is enforced, any current
    member of a restricted group that is not on the
    "Members" list is removed with the exception of
    administrator in the Administrators group. Any user on
    the
    "Members" list which is not currently a member of the
    restricted group is added.
    Using the "Member Of" Restricted Group Portion of Policy
    Only inclusion is enforced in this portion of a
    Restricted Group policy. The Restricted Group is not
    removed
    from other groups. It makes sure that the restricted
    group is a member of groups that are listed in the Member
    Of dialog box.
    Planning and Configuring an Authorization Strategy
    Creating Restricted Groups Policy
    You can use security policies to control local group
    memberships on domain member computers.
    Windows Server 2003 includes a security policy setting
    called Restricted Groups that allows you to control
    group membership. By using the Restricted Groups policy,
    you can specify the membership of a group
    anywhere in your Active Directory domain. For example,
    you can create a Restricted Groups policy to limit the
    access on an OU that
    contains computers containing sensitive data. The
    Restricted Groups policy would remove domain users from
    the local users group and thereby limit the number of
    users who can log on to the computer. Group members
    that are not specified in the policy are removed when the
    Group Policy setting is applied or refreshed to the
    computer or OU. The Restricted Groups policy settings
    include two properties: Members and Member Of. The
    Members property defines who belongs and who does not
    belong to the restricted group. The Member Of
    property specifies the other groups to which the
    restricted group can belong. When a Restricted Groups
    policy is
    enforced, any current member of a restricted group that
    is not on the Members list is removed. Members who
    can be removed include Administrators. Any user on the
    Members list who is not currently a member of the
    restricted group is added. In addition, each restricted
    group is a member of only those groups that are specified
    in the Member Of column. The shows Restricted Groups
    being used to add the Infra_Engineers group from the
    domainname.com domain to the Network Configuration
    Operators local group on all client computers. For
    example, use Restricted Groups to control group
    membership on domain members. Note: The security setting
    is
    located in a security policy object in the Restricted
    Groups node.
    Planning and Configuring an Authorization Strategy
    You can apply a Restricted Groups policy in the following
    ways:
    Define the policy in a security template, which will be
    applied during configuration
    on your local computer.
    Define the setting directly on a Group Policy object
    (GPO). Defining the setting in
    this way will ensure that the operating system
    continually enforces the restricted
    groups.
    To create a Restricted Groups policy:
    1. Open a security policy tool, such as the Domain
    Security Policy console.
    2. In the console tree, right-click Restricted Groups,
    and then click Add Group.
    3. In the Group field, type the name of the group to
    which you want to restrict membership, and then click OK.
    4. On the properties dialog box, click Add beside the
    This Group Is A Member Of field.
    5. Under Group Membership, type the name of the group you
    want to add to this group, and then click OK.
    6. Click OK again.
    QUESTION NO: 27
    Administrators in TestKing use scripts to perform
    administrative tasks when they troubleshoot problems
    on client computers. They connect to the Telnet service on
    client computers when they run these scripts.
    For security reasons, all Telnet traffic is encrypted by
    using an IPSec policy. In addition, the Telnet
    service is configured for manual startup on all client
    computers. Administrators manually start and stop
    the Telnet service when they perform administrative
    tasks.
    Administrators report that they sometimes cannot start
    the Telnet service on client computers. You
    examine several client computers and discover that the
    Telnet service is disabled.
    You need to ensure that administrators can troubleshoot
    problems on client computers at all times.
    What should you do?
    A. Use a Restricted Groups policy in a new Group Policy
    object (GPO) to add the Domain Admins group
    to the Power Users group on each client computer.
    B. Use a Restricted Groups policy in a new Group Policy
    object (GPO) to ensure that the Power Users
    group on each client computer contains no members.
    C. Use a System Services policy in a new Group Policy
    object (GPO) to ensure that only Domain Admins
    can manage the Telnet service.
    D. Use an Administrative Template setting to prevent
    local users from starting the Services snap-in.
    Answer: C
    Explanation:
    The first item is not needed as they are Administrators
    and they have full control.
    This would work as long as the user was not part of the
    local Administrators group and the question does not
    say what the user permissions are, by default local
    Administrators can manage this service.
    QUESTION NO: 28
    You are a security administrator for TestKing. TestKing
    has offices in two cities. The network consists of
    a single Active Directory forest that contains two trees.
    The trees are named testking.com and
    fabrikam.com and are located in separate cities. All
    servers run Windows Server 2003. All client
    computers run Windows XP Professional. The network is
    configured as shown in the Network Diagram
    exhibit.
    Each office maintains a DNS server. The DNS server
    contains a primary zone for the local tree and a
    secondary zone for the tree in the other office. DNS
    zones are configured as shown in the Properties
    exhibit.
    You examine the logs for your firewall and discover a
    large number of attempted connections to internal
    servers. You find out that external users have access to
    the DNS information used by your internal
    networks.
    You need to prevent external users from accessing
    internal DNS information.
    What should you do?
    A. Replace the primary zones with stub zones.
    B. Implement an IPSec policy that uses Encapsulating
    Payload (ESP) when replicating secondary zones.
    C. Implement an IPSec policy that uses Encapsulating
    Security Payload (ESP) when resolving DNS names
    stored in primary zones.
    D. Configure the zones to replicate to known DNS servers
    only.
    Answer: D
    Explanation:
    Stub zones are used for name resolution; this will not
    prevent others from getting DNS information.
    ESP is used to encrypt data in transmission and has
    nothing to do with zone transfers; this will not prevent
    others from getting DNS information.
    http://www.microsoft.com/resources/documentation/msa/edc/all/solution/en-us/pak/build/edcbld06.mspx
    Configuring Zone Transfer Security on All Zones
    All zone transfers should be sent only to known DNS
    servers. This practice prevents a malicious user from
    dumping the entire zone file using a tool such as
    nslookup. Use the information in the following table to
    configure the zones to perform zone transfers only with
    known name servers.
    1. On each <domain_controller> (where computer_name is a
    domain controller from the following table),
    launch an instance of the MMC DNS snap-in.
    2. Right-click each <zone_name> (where zone_name is a
    zone from Table 18) and select Properties.
    3. On the Name Servers page, ensure that all
    <name_servers> in the table below are associated with the
    zone.
    Add any missing name servers by clicking Add, typing the
    name of the server, clicking Resolve, and then OK.
    Repeat as necessary.
    4. On the Zone Transfers page, select Only to servers
    listed on the Name Servers tab, click OK.
    QUESTION NO: 29
    You are a security administrator for TestKing. The
    network consists of two Active Directory domains.
    All servers run Windows Server 2003. Client computers run
    either Windows XP Professional or
    Windows 2000 Professional. All domain controllers in both
    Active Directory domains are Windows
    Server 2003 computers. All computers are Active Directory
    domain members.
    During a security assessment, you discover that you can
    extract LAN Manager and NTLM password
    hashes from domain controller computers. You are able to
    guess many user account passwords within a
    short time by using a password cracking program. This
    poses an unacceptable security risk for TestKing.
    You need to increase the time required to guess user
    account passwords. You increase the minimum user
    account password length to nine characters, enable the
    Password must meet complexity requirements
    setting, and require all domain users to change their
    password at the next logon.
    What else should you do?
    A. Apply a security template to all domain controller
    computers that enables the Domain member:
    Require strong (Windows 2000 or later) session key
    setting.
    B. Apply a security template to all domain controller
    computers that establishes the Network security:
    LAN Manager authentication level setting at Send NTLMv2
    response only.
    C. Apply a security template to all domain controller
    computers that enables the Network security: Do not
    store LAN Manager hash value on next password change
    setting.
    D. Apply a security template to all domain controller
    computers that enables the System Cryptography:
    Use FIPS compliant algorithms for encryption, hashing,
    and signing setting.
    Answer: C
    Explanation:
    How to prevent Windows from storing a LAN manager hash of
    your password in Active Directory and local
    SAM databases
    Network security: Do not store LAN Manager hash value on
    next password change
    Description
    This security setting determines if, at the next password
    change, the LAN Manager (LM) hash value for the new
    password is stored. The LM hash is relatively weak and
    prone to attack, as compared with the cryptographically
    stronger Windows NT hash. Since the LM hash is stored on
    the local computer in the security database the
    passwords can be compromised if the security database is
    attacked. For more information on cryptographic
    hashes of passwords, see Microsoft NTLM.
    Default: Disabled.
    Configuring this security setting
    You can configure this security setting by opening the
    appropriate policy and expanding the console tree as
    such: Computer Configuration\Windows Settings\Security
    Settings\Local Policies\Security Options\
    For specific instructions about how to configure security
    policy settings, see To edit a security setting on a
    Group Policy object.
    Important
    Windows 2000 Service Pack 2 (SP2) and above offer
    compatibility with authentication to previous versions of
    Windows, such as Microsoft Windows NT 4.0.
    This setting can affect the ability of computers running
    Windows 2000 Server, Windows 2000 Professional,
    Windows XP, and the Windows Server 2003 family to
    communicate with computers running Windows 95 and
    Windows 98.
    For more information, see:
    Security Configuration Manager Tools
    QUESTION NO: 30
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    All client computers run Windows 2000
    Professional.
    TestKing's written security policy states the following
    requirements:
    All access to files must be audited.
    File servers must be able to record all security events.
    You create a new Group Policy object (GPO) and filter it
    to apply to only file servers. You configure an
    audit policy to audit files and folders on file servers.
    You configure a system access control list (SACL) to
    audit the appropriate files.
    You need to ensure that the GPO enforces the written
    security policy.
    Which two additional actions should you perform to
    configure the GPO? (Each correct answer presents
    part of the solution. Choose two)
    A. Set a manual retention method for the security log.
    B. Set the security log to retain entries for 7 days.
    C. Set the maximum security log size to the maximum
    allowed size.
    D. Configure the GPO to shut down the computer if it is
    unable to log security audits.
    E. Ensure that users who are responsible for reviewing
    audit log data are granted the right to manage the
    security log.
    Answer: A, D
    Explanation:
    HOW TO: Use the Event Log Management Script Tool
    (Eventlog.pl) to Manage Event Logs in Windows 2000
    This article describes how to use the Event Log
    Management Script tool (Eventlog.pl) to manage Event
    Viewer
    logs of Windows 2000-based computers.
    An event is any significant occurrence in the computer or
    in a program that requires either users to be notified
    or an entry added to a log. The Event Log Service records
    events to the Application, Security, and System logs
    in Event Viewer. Additionally, events are written to the
    Directory Service and File Replication Service logs on
    domain controllers and the DNS Server log on DNS servers.
    You can use Event Viewer to obtain information
    about your hardware, software, and system components, and
    to monitor security events on a local or remote
    computer. You can use event logs to identify and diagnose
    the source of current computer problems or to help
    you predict potential computer problems.
    Eventlog.pl is available in the Windows 2000 Resource Kit
    Supplement 1. You can use this script tool to
    perform the following event log management tasks:
    Change the properties of event logs.
    Back up (save) event logs.
    Export event lists to text files.
    Clear (delete) all events from event logs.
    Query the properties of event logs.
    IMPORTANT: Do not use Eventlog.pl if you use Group Policy
    to specify event log settings. Eventlog.pl can
    violate Event log policies so that the following Group
    Policy settings for domains, organizational units, and
    sites may become ineffective:
    Maximum LogName log size
    Retain LogName log
    Retention method for LogName log
    Threats and Countermeasures Guide
    Event Log
    The Event log records events on the system. The Security
    log records audit events. The Event log container of
    Group Policy is used to define attributes related to the
    application, security, and system event logs, such as
    maximum log size, access rights for each log, and
    retention settings and methods. The Microsoft® Excel
    workbook called Windows Default Security and Services
    Configuration that is included with this guide
    documents the default Event log settings.
    The Event log settings can be configured in the following
    location within the Group Policy Object Editor:
    Shut down system immediately if unable to log security
    audits
    Computer Configuration\Windows Settings\Security
    Settings\Local Policies\Security Options
    Description
    Determines whether the system should shut down if it is
    unable to log security events.
    If this policy is enabled, it causes the system to halt
    if a security audit cannot be logged for any reason.
    Typically, an event will fail to be logged when the
    security audit log is full and the retention method
    specified
    for the security log is either Do Not Overwrite Events or
    Overwrite Events by Days.
    If the security log is full and an existing entry cannot
    be overwritten and this security option is enabled, the
    following blue screen error will occur:
    STOP: C0000244 {Audit Failed}
    An attempt to generate a security audit failed.
    To recover, an administrator must log on, archive the log
    (if desired), clear the log, and reset this option as
    desired.
    By default, this policy is disabled.
    QUESTION NO: 31
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    All client computers run Windows XP
    Professional.
    You manage the network by using a combination of Group
    Policy objects (GPOs) and scripts. File names
    for scripts have the .vbs file name extension. Scripts
    are stored in a shared folder named Scripts on a
    server named TestKing1.
    Users report that they accidentally run scripts that are
    received through e-mail and the Internet. They
    further report that these scripts cause problems with
    their client computers and often delete or change
    files. You discover that these scripts
    have .wsh, .wsf, .vbs, or .vbe file name extensions. You
    decide to use
    software restriction policies to prevent the use of
    unauthorized scripts.
    You need to configure a software restriction policy for
    your network. You want to achieve this goal
    without affecting management of your network.
    Which three rules should you include in your software
    restriction policy? (Each correct answer presents
    part of the solution. Choose three)
    A. A path rule that disallows *.vb? files.
    B. A path rule that disallows *.ws? files.
    C. A trusted sites rule that allows the local intranet
    zone.
    D. A trusted sites rule that disallows the Internet zone.
    E. A path rule that allows \\testking1\scripts\*.vb?
    files.
    Answer: A, B, E
    Explanation:
    Software Restriction Policy
    By using the software restriction policy, you allow
    unknown code, which might contain viruses or code that
    conflicts with currently installed programs, to run only
    in a constrained environment (often called a sandbox)
    where it is disallowed from accessing any security-
    sensitive user privileges. For example, an e-mail
    attachment
    that contains a worm would be prohibited from
    automatically accessing your address book and therefore
    could
    not propagate itself. If the e-mail attachment contained
    a virus, the software restriction policy would restrict
    its
    ability to damage your system because it would be allowed
    to run only in a constrained environment.
    The software restriction policy depends on assigning
    trust levels to the code that can run on a system.
    Currently,
    two trust levels exist: Unrestricted and Disallowed. Code
    that has an Unrestricted trust level is given
    unrestricted access to the user's privileges, so this
    trust level should be applied only to fully trusted code.
    Code
    with a Disallowed trust level is disallowed from
    accessing any security-sensitive user privileges and can
    run
    only in a sandbox so that Unrestricted code cannot load
    the Disallowed code into its address space.
    Configuring the software restriction policy for a system
    is done through the Local Security Policy
    administrative tool, while the restriction policy
    configuration of individual COM+ applications is done
    either
    programmatically or through the Component Services
    administrative tool. If the restriction policy trust
    level is
    not specified for a COM+ application, the systemwide
    settings are used to determine the application's trust
    level.
    HOW TO: Use Software Restriction Policies in Windows
    Server 2003
    SUMMARY
    This article describes how to use software restriction
    policies in Windows Server 2003. When you use software
    restriction policies, you can identify and specify the
    software that is allowed to run so that you can protect
    your
    computer environment from untrusted code. When you use
    software restriction policies, you can define a
    default security level of Unrestricted or Disallowed for
    a Group Policy object (GPO) so that software is either
    allowed or not allowed to run by default. To create
    exceptions to this default security level, you can create
    rules
    for specific software. You can create the following types
    of rules:
    Hash rules
    Certificate rules
    Path rules
    Internet zone rules
    How to Create a Path Rule
    Click Start, click Run, type mmc, and then click OK.
    Open Software Restriction Policies.
    In either the console tree or the details pane, right-
    click Additional Rules, and then click New Path Rule.
    In the Path box, type a path or click Browse to find a
    file or folder.
    In the Security level box, click either Disallowed or
    Unrestricted.
    In the Description box, type a description for this rule,
    and then click OK.
    IMPORTANT: On certain folders,
    such as the Windows folder, setting the security level to
    Disallowed can adversely affect the operation of your
    operating system. Make sure that you do not disallow a
    crucial component of the operating system or one of its
    dependent programs.
    NOTES:
    You may have to create a new software restriction policy
    setting for this GPO if you have not already done so.
    If you create a path rule for a program with a security
    level of Disallowed, a user can still run the software by
    copying it to another location.
    The wildcard characters that are supported by the path
    rule are the asterisk (*) and the question mark (?).
    You can use environment variables, such as %programfiles%
    or %systemroot%, in your path rule.
    To create a path rule for software when you do not know
    where it is stored on a computer but you have its
    registry key, you can create a registry path rule.
    To prevent users from running e-mail attachments, you can
    create a path rule for your mail program's
    attachment folder that prevents users from running e-mail
    attachments.
    The only file types that are affected by path rules are
    those that are listed in Designated file types. There is
    one
    list of designated file types that is shared by all
    rules.
    For software restriction policies to take effect, users
    must update policy settings by logging off from and then
    logging on to their computers.
    When more than one rule is applied to policy settings,
    there is a precedence of rules for handling conflicts.
    Configuring the Software Restriction Policy
    When you
    explicitly set the software restriction trust levels of a
    COM+ application, you are overriding the default
    systemwide settings for the software restriction policy.
    This
    is often necessary for COM+ server applications because
    the systemwide restriction policy is set the same for
    all server applications (because they all run in the same
    file, dllhost.exe).
    Note When you set the trust level of a COM+ library
    application, you are affecting the systemwide software
    restriction policy for that application. For an overview
    of how to use the software restriction policy in COM+,
    see Software Restriction Policy.
    To set the software restriction policy
    Right-click the COM+ application for which you are
    setting the restriction policy, and then click Properties.
    In the application properties dialog box, click the
    Security tab.
    Under Software Restriction Policy, select the Apply
    software restriction policy check box to enable setting
    the
    trust level; clearing the check box causes COM+ to use
    the systemwide software restriction policy for the
    application.
    In the Restriction Level box, select the appropriate
    level. The levels are as follows, ordered from least to
    most
    trusted:
    Disallowed The application is disallowed from using the
    full privileges of the user. Components with any
    restriction policy trust level can be loaded into it.
    Unrestricted The application has unrestricted access to
    the user's privileges. Only components with an
    Unrestricted trust level can be loaded into it.
    Click OK.
    The trust level you select takes effect the next time the
    application is started.
    QUESTION NO: 32
    You are a security administrator for TestKing. TestKing
    has offices in New York, San Francisco, and
    Toronto. The network consists of a single Active
    Directory domain named testking.com. Each office is
    configured as an Active Directory site. All servers run
    Windows Server 2003. All client computers run
    Windows XP Professional.
    Users in the Toronto office work in the research
    department. User objects for users who work in the
    research department are stored in an organizational unit
    (OU) named Toronto. Users in other offices
    frequently travel to the Toronto office for meetings and
    training.
    TestKing's written security policy requires that the
    following settings be enforced on computers at the
    Toronto office:
    A warning message that reminds users to protect TestKing
    information must be displayed before
    users log on.
    Domain controller authentication is required when users
    unlock client computers.
    The highest possible level of authentication must be used
    on the network at all times.
    You create a new Group Policy object (GPO) named
    TorontoSecurity to meet the requirements of the
    written security policy.
    Users who travel to the Toronto office report that they
    are not presented with the warning message and
    that their screen savers do not require a password to
    deactivate.
    You need to ensure that the written security policy is
    enforced for other users only when they travel to
    the Toronto office. You want to achieve this goal by
    using the minimum amount of administrative effort.
    What should you do?
    A. Link the TorontoSecurity GPO to the Toronto OU.
    B. Link the TorontoSecurity GPO to the domain.
    C. Configure a logon script to apply a custom security
    template when users travel to the Toronto office.
    D. Link the TorontoSecurity GPO to the Toronto site.
    Answer: A
    Explanation:
    Deploying and Troubleshooting Security Templates
    If multiple Group Policy objects are linked to a single
    domain, site, or OU, verify that the
    order the policies are applied is correct. If there are
    conflicting settings in different policies,
    the higher policy in the list has higher precedence and
    will overwrite conflicting settings
    from other policies.
    Standard Group Policy inheritance
    In general, Group Policy is passed down from parent to
    child containers within a
    domain. Group Policy is not inherited from parent to
    child domains. For example,
    Group Policy is not inherited from cohowinery.com to
    accounting.cohowinery.com.
    However, if you assign a specific Group Policy setting to
    a high-level parent container,
    that Group Policy setting applies to all containers
    beneath the parent container, including
    the user and computer objects in each container. If a
    policy setting is defined for a
    parent organizational unit and the same policy setting is
    not defined for a child organizational
    unit, the child inherits the parent's enabled or disabled
    policy setting. If you
    explicitly specify a Group Policy setting for a child
    container, the child container's
    Group Policy setting overrides the parent container's
    setting. When multiple GPOs
    apply, and they do not have a parent/child relationship,
    the policies are processed in
    this order: local, site, domain, organizational unit.
    If a policy setting that is applied to a parent
    organizational unit and a policy setting that
    is applied to a child organizational unit are compatible,
    the child organizational unit
    inherits the parent policy setting, and the child's
    setting is also applied. If a policy setting
    that is configured for a parent organizational unit is
    incompatible with the same
    policy setting that is configured for a child
    organizational unit (because the setting is
    enabled in one case and disabled in the other), the child
    does not inherit the policy setting
    from the parent. The policy setting in the child is
    applied.
    You can block policy inheritance at the domain or OU
    level by opening the properties
    dialog box for the domain or organizational unit and
    selecting the Block Policy Inheritance
    check box. You can enforce policy inheritance by setting
    the No Override
    option on a GPO link. When you select the No Override
    check box, you force all child
    policy containers to inherit the parent's policy, even if
    that policy conflicts with the
    child's policy and even if Block Inheritance has been set
    for the child. You can set No
    Override on a GPO link by opening the properties dialog
    box for the site, domain, or
    organizational unit and making sure that the No Override
    check box is selected.
    Exam Tip Policies that are set to No Override cannot be
    blocked: know this for the exam!
    Group Policy inheritance with security groups
    You cannot link Group Policy objects directly to a
    security group. You can, however,
    use security group membership to allow or disallow
    members of the group from applying
    a Group Policy object. In this way, you can control which
    users receive a Group
    Policy object by placing them into specific groups.
    By default, all Authenticated Users are authorized to
    apply a Group Policy object.
    Therefore, to allow only specific groups to apply a GPO,
    you must first remove the
    default permissions for Authenticated Users, and then
    grant permissions for the specific
    groups to apply the GPO.
    HOW TO: Administer GPOs in Windows 2000
    How to Link a GPO to a Site, a Domain, or an
    Organizational Unit
    To link a GPO to a domain or an organizational unit,
    click Start, point to Programs, point to Administrative
    Tools, and then click Active Directory Users and
    Computers.
    Alternatively, to link a GPO to a site, click Start,
    point to Programs, point to Administrative Tools, and
    then
    click Active Directory Sites and Services.
    Right-click the site, the domain, or the organizational
    unit to which the GPO should be linked.
    Click Properties, and then click the Group Policy tab.
    To add the GPO to the Group Policy object Links list,
    click Add.
    Click the All tab, click the GPO that you want to add,
    click OK, and then click OK.
    NOTE: You link a GPO to specify that its settings apply
    to users and computers in the site, the domain, or the
    organizational unit, and to users and computers in Active
    Directory containers that inherit data from the site, the
    domain, or the organizational unit.
    QUESTION NO: 33
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    All servers are members of the domain.
    TestKing plans to deploy a new application named App1.
    The application runs on servers. To test the
    compatibility between App1 and other applications that
    run on the servers, you need to change several
    file and registry permissions in the Windows folder on
    the servers. A security template named TestPerms
    contains the file and registry permissions that need to
    be set for the application testing.
    You create a new Group Policy object (GPO) named TestApp.
    You import the TestPerms security
    template into the TestApp GPO. You link the TestApp GPO
    to an organizational unit (OU) that contains
    only the servers that are used for the test.
    You need to ensure that the file and registry permissions
    are set up to the permission in the TestPerms
    security template only during application testing.
    What should you do when the application testing ends?
    A. Disable the computer configuration settings in the
    TestApp GPO.
    B. Disable the TestApp GPO link to the OU.
    C. Unlink the TestApp GPO from the OU.
    D. Delete the TestApp GPO, and then run the
    gpupdate.exe /sync command.
    E. Delete the TestApp GPO, and then apply a security
    template that contains the original permissions.
    Answer: C
    Explanation:
    Real World: Application is an iterative process, which
    means it will be done again, so if the GPO is deleted, it
    will need to be recreated again.
    Best practices for Group Policy objects
    Do not process policy settings that are not configured.
    (Group Policy object: A collection of Group Policy
    settings. GPOs are essentially the documents created by
    the Group Policy Object Editor. GPOs are stored at the
    domain level, and they affect users and computers that are
    contained in sites, domains, and organizational units. In
    addition, each computer has exactly one group of policy
    settings stored locally, called the local Group Policy
    object.)
    If a Group Policy object contains only settings that are
    set to Not Configured, you can avoid
    processing these settings by disabling User Configuration
    or Computer Configuration. This expedites the startup
    and logon processes for those users and computers that
    are subject to the Group Policy object. For more
    information, see To disable the User Configuration
    settings in a Group Policy object, To disable the
    Computer
    Configuration settings in a Group Policy object, User
    Configuration and Computer Configuration.
    To prevent an entire Group Policy object from affecting a
    site, domain, or organizational unit, see To unlink a
    Group Policy object from a site, domain, or
    organizational unit and To disable a Group Policy object
    link. With
    these procedures, you can enable or re-link the Group
    Policy object.
    If you never want to use a certain Group Policy object
    again, see To delete a Group Policy object.
    QUESTION NO: 34
    You are a security administrator for TestKing. The
    network is configured as shown in the following
    diagram.
    TestKing uses a Web application named App1 that is hosted
    on a Windows Server 2003 computer named
    Web1. App1 is accessed by users on the Internet. App1
    allows users to enter data in an HTML form. The
    form then saves the data in a Microsoft SQL Server 2000
    database hosted on a Windows Server 2003
    computer named SQL1. WEB1 requires that all HTTP
    connections use SSL.
    TestKing uses a firewall that automatically allows
    replies to established connections.
    You need to configure the firewall to allow users to
    access App1. You must ensure that network security
    remains as strong as possible. You want to achieve this
    goal by using the minimum number of rules.
    How should you configure the firewall?
    To answer, drag the appropriate firewall rule element or
    elements to the correct location or locations in
    the work area.
    Answer:
    Explanation:
    Client port to TCP 443: Client (from any client) to Web1
    (over SSL/HTTPS)
    TCP 135 to TCP 1433: Web1 (RPC, since we assume SQL does
    not have a certificate and is not configured for SSL) to
    SQL
    TCP 1443 to TCP 135: SQL (RPC, because SQL is not using
    HTTP to connect) to Web1
    TCP 443 to client port: Web1 (SSL/HTTPS) to Client (to the
    specific client, since the original connection was via
    SSL/HTTPS)
    QUESTION NO: 35
    You are a security administrator for TestKing. The
    network consists of a single Active Directory domain
    named testking.com. All servers run Windows Server 2003.
    All client computers run Windows XP
    Professional.
    One thousand users in the company use an application
    named App1. App1 is installed on each user's
    client computer. App1 uses a configuration file named
    App1Config.inf. This file is stored in the
    Systemroot\Program Files\App1 folder on each client
    computer. Users report that when they attempt to
    make configuration changes to App1, they sometimes
    receive an Access Denied message. You examine
    the properties of the App1Config.inf file on one client
    computer. The file is configured as shown in the
    exhibit.
    You need to ensure that users can make configuration
    changes to App1. You want to achieve this goal by
    using the minimum amount of administrative effort.
    What should you do?
    A. On each client computer, assign the TESTKING\Domain
    Users group the Allow - Write permission for
    the App1Config.inf file.
    B. Modify the Default Domain Policy Group Policy object
    (GPO).
    Create a new File System security policy entry that
    assigns the TESTKING\Domain Users group the
    Allow - Write permission for the App1Config.inf file.
    C. Modify the Default Domain Controllers Policy Group
    Policy object (GPO).
    Create a new File System security policy entry that
    assigns the TESTKING\Domain Users group the
    Allow - Write permission for the App1Config.inf file.
    D. Create a new logon script that runs the Xcacls.exe
    command.
    Use this command to assign the TESTKING\Domain Users
    group the Allow - Write permission for the
    App1Config.inf file.
    Include the logon script in the Default Domain Policy
    Group Policy object (GPO).
    Answer: B
    Explanation:
    App1 is installed on the user's computer, applying a GPO
    at the DCs will not help.
    Creating a new logon script or assigning a new group to
    adjust perms on a single file is administratively
    prohibitive.
    Steven Mark, Aug 20, 2004
    #1
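The linking, security-group filtering, Block Policy Inheritance / No Override and end-of-test unlink steps the post walks through, as an added example that is not part of the original post. It uses the GroupPolicy PowerShell module (assumed: an admin host with RSAT on Windows Server 2008 R2 or later, where "Enforced" is the newer name for No Override, rather than the 2003-era GUI the post describes); the OU distinguished name, the tester group and the GPO comment are assumed values.

```powershell
# Added example, not the thread's own material.
# Assumption: GroupPolicy module (RSAT) on a domain-joined admin host.
Import-Module GroupPolicy

$Domain  = 'testking.com'                           # domain from the thread
$TestOU  = 'OU=AppTestServers,DC=testking,DC=com'   # assumed OU holding the test servers
$TestGrp = 'TESTKING\App1 Test Servers'             # assumed group of test-server accounts
$GpoName = 'TestApp'                                # GPO named in Question 33

# 1. Create the GPO and link it only to the OU that contains the test servers
#    (Question 33: the settings must reach nothing outside that OU).
New-GPO -Name $GpoName -Domain $Domain -Comment 'Temporary App1 test permissions' | Out-Null
New-GPLink -Name $GpoName -Target $TestOU -LinkEnabled Yes | Out-Null

# 2. Security-group filtering. By default Authenticated Users may apply the GPO.
#    Downgrade them to Read instead of removing them: since MS16-072 the computer
#    account reads the GPO, so dropping Read entirely stops it from applying at all.
#    Then grant Apply only to the intended group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TestGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. The two inheritance controls the post contrasts:
#    Block Policy Inheritance is a property of the container (the OU) ...
Set-GPInheritance -Target $TestOU -IsBlocked Yes | Out-Null
#    ... while No Override (Enforced) is a property of a GPO link. An enforced link
#    still applies to a child that blocks inheritance, which is the exam tip above.
Set-GPLink -Name $GpoName -Target $TestOU -Enforced Yes | Out-Null

# 4. Verify what the OU actually receives, in processing order.
function Get-EffectiveGpoLinks {
    param([string]$ContainerDN)
    (Get-GPInheritance -Target $ContainerDN).InheritedGpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order
}
Get-EffectiveGpoLinks -ContainerDN $TestOU | Format-Table -AutoSize

# 5. When testing ends (Question 33, answer C): unlink rather than delete, so the
#    GPO and its imported template are still there to re-link for the next round.
Remove-GPLink -Name $GpoName -Target $TestOU | Out-Null
# Settings stop applying at the next refresh; on a test server: gpupdate /target:computer /force
```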
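The File System security policy entry that Question 35's answer pushes through a GPO (the same kind of entry a template like Question 33's TestPerms carries), as an added example that is not from the post: it writes a security template and uses secedit to analyze a client against it before the entry is imported into a GPO. The template path, the SDDL rights string and the log pattern are assumptions.

```powershell
# Added example, not the thread's own material.
# Assumption: run elevated on a client that has App1 installed.
$TemplatePath = Join-Path $env:TEMP 'App1Perms.inf'
$DbPath       = Join-Path $env:TEMP 'App1Perms.sdb'
$LogPath      = Join-Path $env:TEMP 'App1Perms.log'

# A [File Security] line is: "path",mode,"SDDL DACL"
#   mode 0 = propagate inheritable permissions, 2 = replace existing permissions.
# The DACL keeps Administrators (BA) and SYSTEM (SY) at Full Control (FA) and gives
# Domain Users (DU) generic read + write (FRFW) on the single config file only,
# which is the narrow grant Question 35's answer B describes.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemDrive%\Program Files\App1\App1Config.inf",0,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFW;;;DU)"
'@
Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode

# Load the template into an analysis database and compare the live ACL with it.
# Nothing is changed on the machine; differences are recorded in the log.
secedit /import /db $DbPath /cfg $TemplatePath /overwrite /quiet
secedit /analyze /db $DbPath /log $LogPath /quiet

# Report the entries that differ from the template (assumed log wording).
function Get-TemplateMismatches {
    param([string]$Log)
    Select-String -Path $Log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
}
Get-TemplateMismatches -Log $LogPath
```

Once the entry is imported into a GPO, Group Policy applies it on every refresh, which is why a template beats per-machine xcacls runs for a thousand clients.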

  2. catwalker63

    catwalker63 Guest

    =====================
    = A.S.S.F.U.C.K.E.R =
    =====================




    --
    Catwalker
    aka Pu$$y Feet
    BS, MCP

    "Need a Dial up for DOS. And also a Internet Explorer for DOS. Needs to
    run on a 286 with 4 MB RAM."
    catwalker63, Aug 20, 2004
    #2

  3. Steven,
    35 separate questions in a single post is not likely to get the answers you
    are wanting. Please try posting each question separately. You are more
    likely to get an answer that way.

    "Steven Mark" wrote:

    > 70 - 299
    > QUESTION NO: 1
    > You are the security administrator for TestKing. The
    > network consists of two segments named Segment
    > A and Segment B. The client computers on the network run
    > Windows XP Professional. The servers run
    > Windows Server 2003.
    > Segment A contains a single server named TestKing1.
    > Segment B contains all other computers, including
    > a server named TestKing2.
    > TestKing's written security policy states that Segment B
    > must not be connected to the Internet. Segment
    > A is allowed to connect to the Internet. There is no
    > network connection between Segment A and Segment
    > B. You can copy files from Segment A to Segment B only by
    > using a CD-ROM to transport the files
    > between the two segments. The network topology is
    > displayed in the exhibit.
    > You are planning a patch management infrastructure. On
    > Segment B, you install Software Update
    > Services (SUS) on TestKing2. You configure Automatic
    > Updates on all computers in Segment B to use
    > http://TestKing2 and to install security patches.
    > You need to ensure that all computers in Segment B
    > automatically install security patches.
    > What should you do?
    > A. Install SUS on TestKing1.
    > Periodically copy the files in the Content folder and in
    > the SUS root folder from TestKing1 to
    > TestKing2.
    > B. Install SUS on TestKing1.
    > Periodically copy the files in the Content folder from
    > TestKing1 to TestKing2.
    > Copy the Approveditems.txt file from TestKing1 to the
    > Windows folder on TestKing2.
    > C. On TestKing1, periodically connect to the Microsoft
    > Windows Update Catalog Web site and download
    > new security patches.
    > Copy the files to the Content folder on TestKing2.
    > D. On TestKing, configure Automatic Updates to use the
    > URL of the Microsoft Windows Update Web site.
    > Periodically copy the downloaded files and the
    > Mssecure.xml file to the Content folder on TestKing2.
    > Answer: A
    > Explanation:
    > Since the question does not address where approvals
    > should be done, we have to assume that the approvals are
    > done by the administrators at the Segment B site.
    > If SUS is used to approve updates, it retrieves the
    > Approveditems.txt file from the root of the IIS/SUS
    > default
    > website (http://server2) not the Windows folder.
    > If you do not install SUS on Server1 there will be no
    > Content folder (distribution point) on Server1.
    > Automatic Updates should not be turned on, on the SUS
    > servers.
    > SUS is a server component that, when installed on a
    > server running Windows 2000, allows small and medium
    > enterprises to bring critical updates from Windows Update
    > inside their firewalls to distribute to Windows 2000
    > and Windows XP computers. The same Automatic Updates
    > component that can direct Windows 2000 and
    > Windows XP computers to Windows Update can be directed to
    > a SUS server inside your firewall to install
    > critical updates.
    > Automatic Updates retrieves all critical updates and
    > Microsoft Security Response Center security updates that
    > are classified as moderate or important.
    > Automatic Updates scans only for critical updates, but if
    > its server that runs SUS contains updates other than
    > critical ones, Automatic Updates receives and applies
    > those as well. SUS receives critical and moderate
    > security
    > updates.
    > Creating Distribution Points
    > When you install a server that runs SUS, a distribution
    > point is created on that server. When you synchronize
    > the server with a parent server or with an external Web
    > site, all the content on the Web site is downloaded to
    > the
    > distribution point. If new updates are downloaded, this
    > distribution point is updated during every
    > synchronization. During Setup, the distribution point is
    > created in a virtual root (Vroot) named /Content.
    > If you choose to maintain content on the public Web site
    > instead of downloading the patches to the local server
    > running SUS, this distribution point is empty except for
    > the AUCatalog.cab file. AUCatalog.cab defines the
    > updates that have been approved for deployment to
    > clients.
    > You can also create a distribution point on a server that
    > is not running SUS. Such a server must be running IIS
    > 5.0 or later. You can download and test packages on
    > servers running SUS, and then download approved and
    > tested packages to distribution points for client access.
    > If your SUS design includes distribution points, perform
    > the following tasks to create a distribution point:
    > 1. Confirm that IIS is present.
    > 2. Create a folder named \Content.
    > 3. Copy all of the following items from the source server
    > running SUS to the newly created \Content
    > folder:
    > - <root of the SUS Web site>\Aucatalog1.cab
    > - <root of the SUS Web site>\Aurtf1.cab
    > - <root of the SUS Web site>\approveditems.txt
    > - All the files and folders under the \Content\cabs
    > 4. Create an IIS Vroot called http://<Servername>/Content
    > that points to the \content folder.
    > QUESTION NO: 2
    > You are a security administrator for TestKing. The
    > network consists of a single Active Directory domain
    > named testking.com. All servers run Windows Server 2003.
    > TestKing's written security policy states that security
    > patches must be manually installed on servers by
    > administrators.
    > You need to configure the network to comply with the
    > written security policy. You need to maintain
    > security patches by using the minimum amount of
    > administrative effort.
    > What should you do?
    > A. Create a new organizational unit (OU) to contain all
    > server computers.
    > Create a new Group Policy object (GPO) and link it to the
    > OU.
    > Configure the GPO to disable Automatic Updates.
    > Allow only administrators to start Automatic Updates.
    > B. Create a new organizational unit (OU) to contain all
    > server computers.
    > Create a new Group Policy object (GPO) and link it to the
    > OU.
    > Configure the GPO to automatically download updates and
    > notify when they are ready to be installed.
    > C. Create a new organizational unit (OU) named Admins to
    > contain all administrators.
    > Create a second OU named Servers to contain all server
    > computers.
    > Create a new Group Policy object (GPO) and link it to the
    > Admins OU.
    > Configure the GPO to disable Automatic Updates.
    > D. Modify the Default Domain Policy Group Policy object
    > (GPO) to disable Windows Update and to
    > disable Automatic Updates.
    > Create a new organizational unit (OU) named Admins.
    > Place all administrator accounts in the Admins OU.
    > Block GPO inheritance on the Admins OU.
    > Answer: C
    > Explanation:
    > Administrators should not use Automatic updates to patch
    > the servers.
    > Security patches on the servers must be installed
    > manually.
    > A GPO at the domain level would block Automatic Updates
    > on all computers not just servers.
    > QUESTION NO: 3
    > You are a security administrator for TestKing. The
    > network consists of a single Active Directory domain
    > named testking.com. The testking.com Active Directory
    > domain contains 150 Windows Server 2003
    > computers and 7,500 Windows XP Professional client
    > computers. The network is made up of 64 class C
    > IP subnets that range from 172.16.0.0 through
    > 172.16.63.0.
    > The finance department uses 135 computers on the
    > 172.16.9.0 /24 IP subnet. This subnet also contains
    > computers that belong to other departments in the
    > company. All finance department computers are
    > members of the testking.com Active Directory domain.
    > You need to produce a report that identifies which
    > Microsoft security patches are not installed on the
    > computers in the finance department. The report must
    > contain information about only the finance
    > department computers. You want to achieve this goal by
    > using the minimum amount of administrative
    > effort.
    > What should you do?
    > A. Run Mbsacli.exe on a finance department computer with
    > the option to scan computers in the Network
    > Neighborhood.
    > B. Run Mbsacli.exe on a finance department computer with
    > the option to scan computers by using a list of
    > individual IP addresses on the finance department
    > computers.
    > C. Run Mbsacli.exe on a finance department computer with
    > the option to scan computers on the finance
    > department IP subnet.
    > D. Run Mbsacli.exe on a finance department computer with
    > the option to scan computers in the
    > testking.com Active Directory domain.
    > Answer: B
    > Explanation:
    > Since there are non-accounting computers on the subnet,
    > the scan needs to be performed by individual IP.
    > Objective: Implementing, Managing, and Troubleshooting
    > Security for Network Communications
    > Sub-Objective: 3.4.1 Monitor IPSec policies by using IP
    > Security Monitor.
    > 1. Planning a Host Name Resolution Strategy
    > MCSA/MCSE Self-Paced Training Kit (Exams 70-292 and 70-
    > 296): Upgrading Your Certification to Microsoft
    > Windows Server 2003, Microsoft Press
    > Chapter 7,
    > The correct syntax is mbsacli /hf -fh hosts.txt. The -fh
    > flag causes the tool to scan the NetBIOS computer names
    > specified in the named text file. You must specify one
    > computer name on each line in the .txt file, up to a
    > maximum of 256 names.
    > You should not use the mbsacli /hf -i hosts.txt syntax.
    > The -i flag is used to scan one or more Internet Protocol
    > (IP) addresses.
    > You should not use the mbsacli /hf -r hosts.txt syntax.
    > The -r flag is used to specify a range of IP addresses to
    > be
    > scanned.
    > Switches available with /hf flag
    > mbsacli /hf [-h hostname] [-fh filename] [-i ipaddress] [-
    > fip filename] [-r ipaddressrange] [-d domainname] [-n]
    > [-sus SUS server|SUS filename] [-b] [-fq filename] [-s 1]
    > [-s 2] [-nosum] [-sum] [-z] [-v] [-history level] [-nvc]
    > [-o option] [-f filename] [-unicode] [-t] [-u username] [-
    > p password] [-x] [-?]
    > To Select Which Computer to Scan
    > -h hostname - Scans the named NetBIOS computer name. The
    > default location is the local host. To scan
    > multiple hosts, separate the host names with a comma (,).
    > -fh filename - Scans the NetBIOS computer names that are
    > specified in the text file that you named. Specify one
    > computer name on each line in the .txt file, to a maximum
    > of 256 names.
    > -i xxx.xxx.xxx.xxx - Scans the named IP address. To scan
    > multiple IP addresses, separate each IP address with a
    > comma.
    > -fip filename - Scans the IP addresses that you specified
    > in the text file that you named. Specify one IP address
    > on each line in the .txt file, with a maximum of 256 IP
    > addresses.
    > -r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scans a specified
    > range of IP addresses.
    > Note You can use the previous switches in combination.
    > For example, you can use a command-line with the
    > following format: mbsacli /hf -h hostname1,hostname2 -i
    > xxx.xxx.xxx.xxx -fip ipaddresses.txt -r
    > yyy.yyy.yyy.yyy-zzz.zzz.zzz.zzz
    > -d domainname - Scans a specified domain.
    > -n - Scans all the computers on the local network. All
    > computers from all domains in Network Neighborhood
    > (or My Network Places) are scanned
    > Reference: Microsoft Baseline Security Analyzer (MBSA)
    > version 1.2 is available, Microsoft Knowledge Base
    > Article 320454
    > QUESTION NO: 4
    > You are a security administrator for TestKing. The
    > network consists of a single Active Directory domain
    > named testking.com. All servers run Windows Server 2003.
    > All client computers run Windows 2000
    > Professional. TestKing has a main office and 150 branch
    > offices located throughout the United States and
    > Canada. The company does not use disk-imaging software.
    > In the past, newly installed client computers were
    > exploited by malicious Internet worms before you
    > applied all security patches.
    > You need to build and deploy client computers that will
    > always have the least service packs, updates, and
    > security patches. You want to achieve this goal by using
    > the minimum amount of administrative effort.
    > What should you do?
    > A. Install the operating system on the computers by using
    > the original installation media.
    > Use Windows Update immediately after the installation to
    > apply updates and security patches.
    > B. Install the operating system on the computers by using
    > the original installation media.
    > Configure Automatic Updates to immediately install
    > updates and security patches.
    > C. Create slipstream installation media that has the
    > latest service pack.
    Jammer, Jul 7, 2005
    #3