70 - 299
QUESTION NO: 1
You are the security administrator for TestKing. The network consists of two segments named Segment A and Segment B. The client computers on the network run Windows XP Professional. The servers run Windows Server 2003.
Segment A contains a single server named TestKing1. Segment B contains all other computers, including a server named TestKing2.
TestKing's written security policy states that Segment B must not be connected to the Internet. Segment A is allowed to connect to the Internet. There is no network connection between Segment A and Segment B. You can copy files from Segment A to Segment B only by using a CD-ROM to transport the files between the two segments. The network topology is displayed in the exhibit.
You are planning a patch management infrastructure. On Segment B, you install Software Update Services (SUS) on TestKing2. You configure Automatic Updates on all computers in Segment B to use http://TestKing2 and to install security patches.
You need to ensure that all computers in Segment B automatically install security patches.
What should you do?
A. Install SUS on TestKing1.
Periodically copy the files in the Content folder and in the SUS root folder from TestKing1 to TestKing2.
B. Install SUS on TestKing1.
Periodically copy the files in the Content folder from TestKing1 to TestKing2.
Copy the Approveditems.txt file from TestKing1 to the Windows folder on TestKing2.
Leading the way in IT testing and certification tools, www.testking.com
C. On TestKing1, periodically connect to the Microsoft Windows Update Catalog Web site and download new security patches.
Copy the files to the Content folder on TestKing2.
D. On TestKing1, configure Automatic Updates to use the URL of the Microsoft Windows Update Web site.
Periodically copy the downloaded files and the Mssecure.xml file to the Content folder on TestKing2.
Answer: A
Explanation:
Segment B has no path to the Internet, so the only way updates can reach TestKing2 is for a SUS server on the connected segment (TestKing1) to synchronize with Windows Update and for an administrator to carry the result across on CD-ROM. A working SUS distribution point is more than the downloaded packages: Automatic Updates clients read the catalog and approval files (Aucatalog1.cab, Aurtf1.cab and approveditems.txt) from the root of the SUS web site (http://TestKing2), not from the Windows folder. Option A copies both the Content folder and the SUS root folder, so TestKing2 serves a complete, consistent distribution point, and approvals made on TestKing1 travel with it.
Option B places approveditems.txt where the clients never look for it. Options C and D do not install SUS on TestKing1, so nothing produces the catalog and approval files that the clients need; a Content folder full of packages without a matching catalog is useless to Automatic Updates, and Mssecure.xml is the MBSA/HFNetChk detection catalog, not a SUS file. Automatic Updates should not be turned on on the SUS servers themselves.
SUS is a server component that, when installed on a server running Windows 2000, allows small and medium enterprises to bring critical updates from Windows Update inside their firewalls and distribute them to Windows 2000 and Windows XP computers. The same Automatic Updates component that can direct Windows 2000 and Windows XP computers to Windows Update can be directed to a SUS server inside your firewall to install critical updates.
Automatic Updates retrieves all critical updates and Microsoft Security Response Center security updates that are classified as moderate or important. Automatic Updates scans only for critical updates, but if the SUS server it points to contains updates other than critical ones, Automatic Updates receives and applies those as well. SUS receives critical and moderate security updates.
Creating Distribution Points
When you install a server that runs SUS, a distribution point is created on that server. When you synchronize the server with a parent server or with an external Web site, all the content on the Web site is downloaded to the distribution point. If new updates are downloaded, this distribution point is updated during every synchronization. During Setup, the distribution point is created in a virtual root (Vroot) named /Content.
If you choose to maintain content on the public Web site instead of downloading the patches to the local server running SUS, this distribution point is empty except for the AUCatalog.cab file. AUCatalog.cab defines the updates that have been approved for deployment to clients.
You can also create a distribution point on a server that is not running SUS. Such a server must be running IIS 5.0 or later. You can download and test packages on servers running SUS, and then copy approved and tested packages to distribution points for client access. If your SUS design includes distribution points, perform the following tasks to create a distribution point:
1. Confirm that IIS is present.
2. Create a folder named \Content.
3. Copy all of the following items from the source server running SUS to the newly created \Content folder:
- <root of the SUS Web site>\Aucatalog1.cab
- <root of the SUS Web site>\Aurtf1.cab
- <root of the SUS Web site>\approveditems.txt
- All the files and folders under \Content\cabs
4. Create an IIS Vroot called http://<Servername>/Content that points to the \Content folder.
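The air-gapped transfer in option A, written out as a PowerShell script. This is an added example, not code from the page or from Microsoft: it assumes SUS is installed in C:\SUS on both servers (so the web-site root holds Aucatalog1.cab, Aurtf1.cab and approveditems.txt and the packages live under C:\SUS\Content\cabs), that the CD-ROM or removable medium is mounted as E:\ on both sides, and that the default web site is W3SVC/1. The export side writes a SHA-1 manifest so the import side can refuse a damaged or altered disc, which is the check a practitioner wants whenever patches cross a sneakernet. Because TestKing2 itself runs SUS, the root files go back into the SUS root; for the plain IIS distribution point described in the four-step procedure above, the same files would all be placed under \Content instead.

```powershell
# Added example: stage a SUS distribution point across an air gap (TestKing1 -> CD-ROM -> TestKing2).
# Assumptions (not stated on the page): SUS is installed in C:\SUS on both servers, the removable
# medium is mounted as E:\ on both sides, and the SUS web site is the default site (W3SVC/1).
$SusRoot   = 'C:\SUS'            # root of the SUS web site: Aucatalog1.cab, Aurtf1.cab, approveditems.txt
$Media     = 'E:\sus-transfer'   # staging folder on the CD-ROM / removable medium
$RootFiles = 'Aucatalog1.cab', 'Aurtf1.cab', 'approveditems.txt'

function Get-Sha1Hex([string]$Path) {
    # SHA-1 of a file as a hex string, via .NET so it also runs on old PowerShell versions without Get-FileHash.
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Export-SusDistribution {
    # Run on TestKing1 (Segment A): copy the root files and the package cabs to the medium and write a
    # manifest (hash + relative path per line) so the import side can detect a damaged or tampered disc.
    New-Item -ItemType Directory -Force -Path "$Media\root", "$Media\Content\cabs" | Out-Null
    foreach ($f in $RootFiles) { Copy-Item (Join-Path $SusRoot $f) "$Media\root\" -Force }
    Copy-Item "$SusRoot\Content\cabs\*" "$Media\Content\cabs\" -Recurse -Force
    Get-ChildItem $Media -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'manifest.txt' } |
        ForEach-Object { '{0} {1}' -f (Get-Sha1Hex $_.FullName), $_.FullName.Substring($Media.Length + 1) } |
        Set-Content "$Media\manifest.txt"
}

function Import-SusDistribution {
    # Run on TestKing2 (Segment B): verify every file against the manifest, then place the files where
    # Automatic Updates expects them: root files in the SUS web-site root (not the Windows folder, which
    # is why option B fails) and the packages under \Content\cabs.
    foreach ($line in Get-Content "$Media\manifest.txt") {
        $hash, $rel = $line -split ' ', 2
        if ((Get-Sha1Hex (Join-Path $Media $rel)) -ne $hash) {
            throw "Hash mismatch for $rel; refusing to import a damaged or altered disc"
        }
    }
    New-Item -ItemType Directory -Force -Path "$SusRoot\Content\cabs" | Out-Null
    Copy-Item "$Media\root\*" $SusRoot -Force
    Copy-Item "$Media\Content\cabs\*" "$SusRoot\Content\cabs\" -Recurse -Force

    # Steps 1 and 4 of the procedure: IIS must be present and /Content must be a Vroot pointing at the folder.
    if (-not (Get-Service W3SVC -ErrorAction SilentlyContinue)) { throw 'IIS (W3SVC) is not installed on this server' }
    $site = [ADSI]'IIS://localhost/W3SVC/1/Root'
    if (-not ($site.Children | Where-Object { $_.Name -eq 'Content' })) {
        $vdir = $site.Create('IIsWebVirtualDir', 'Content')
        $vdir.Path = "$SusRoot\Content"
        $vdir.AccessRead = $true
        $vdir.SetInfo()
    }
}
```

Run Export-SusDistribution on TestKing1 after approving the updates, burn E:\sus-transfer to CD, then run Import-SusDistribution on TestKing2 with the disc mounted; clients pointed at http://TestKing2 pick up the new approvals on their next detection cycle.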
QUESTION NO: 2
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.
TestKing's written security policy states that security patches must be manually installed on servers by administrators.
You need to configure the network to comply with the written security policy. You need to maintain security patches by using the minimum amount of administrative effort.
What should you do?
A. Create a new organizational unit (OU) to contain all server computers.
Create a new Group Policy object (GPO) and link it to the OU.
Configure the GPO to disable Automatic Updates.
Allow only administrators to start Automatic Updates.
B. Create a new organizational unit (OU) to contain all server computers.
Create a new Group Policy object (GPO) and link it to the OU.
Configure the GPO to automatically download updates and notify when they are ready to be installed.
C. Create a new organizational unit (OU) named Admins to contain all administrators.
Create a second OU named Servers to contain all server computers.
Create a new Group Policy object (GPO) and link it to the Admins OU.
Configure the GPO to disable Automatic Updates.
D. Modify the Default Domain Policy Group Policy object (GPO) to disable Windows Update and to disable Automatic Updates.
Create a new organizational unit (OU) named Admins.
Place all administrator accounts in the Admins OU.
Block GPO inheritance on the Admins OU.
Answer: B
Explanation:
The written policy requires that the installation be a manual act by an administrator; it does not forbid automatic downloading. Option B keeps the servers in their own OU, lets Automatic Updates fetch the patches, and stops at a notification so that an administrator decides when each server is patched. That is the least effort that still complies.
Option A disables Automatic Updates entirely, so administrators must also locate and download every patch themselves. Automatic Updates settings are Computer Configuration settings: a GPO linked to an OU that holds administrator user accounts (option C) has no effect on the servers. Option D changes the Default Domain Policy, which would disable updates on all computers in the domain and not just the servers, and blocking inheritance on a user OU does nothing to change that for the servers.
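The Automatic Updates GPO settings in this question are delivered to each server as values under the WindowsUpdate policy registry key, so the quickest compliance check is to read those values back. The following is an added example, not code from the page or from Microsoft: the key names and AUOptions values are the documented policy layout for Automatic Updates, while the SUS URL and the idea of setting the values directly (useful only on a lab or non-domain machine, since Group Policy rewrites them) are assumptions for illustration.

```powershell
# Added example: inspect, and for a lab machine set, the Automatic Updates policy values that the GPO
# settings in this question write. Key names/AUOptions values are the documented WindowsUpdate policy
# registry layout; the SUS URL is an assumption for illustration.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"
$AuOptionsMeaning = @{
    2 = 'Notify before download (nothing downloaded or installed without an administrator)'
    3 = 'Auto download, notify before install (install is a manual administrator action)'
    4 = 'Auto download and schedule the install (fully automatic; violates the written policy)'
    5 = 'Automatic Updates required, users may choose the mode'
}

function Get-AutomaticUpdatesPolicy {
    # Returns the effective policy as an object so it can be compared against the written security policy.
    $au = Get-ItemProperty $AuPolicy -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty $WuPolicy -ErrorAction SilentlyContinue
    $mode = if ($au.NoAutoUpdate -eq 1) { 'Automatic Updates disabled' }
            elseif ($au.AUOptions -and $AuOptionsMeaning[[int]$au.AUOptions]) { $AuOptionsMeaning[[int]$au.AUOptions] }
            else { 'Not configured by policy' }
    New-Object PSObject -Property @{
        Mode          = $mode
        UsesSusServer = ($au.UseWUServer -eq 1)
        SusServer     = $wu.WUServer
        StatusServer  = $wu.WUStatusServer
    }
}

function Test-ManualInstallCompliance {
    # True when patches are fetched automatically from the SUS server but installed only when an administrator says so.
    $p = Get-AutomaticUpdatesPolicy
    $p.UsesSusServer -and $p.Mode -eq $AuOptionsMeaning[3]
}

function Set-ManualInstallPolicy([string]$SusUrl) {
    # Option B expressed as registry policy (lab use; in the domain the GPO linked to the Servers OU writes these):
    # download from the SUS server automatically, notify, never install on its own.
    New-Item -Path $AuPolicy -Force | Out-Null
    Set-ItemProperty $WuPolicy -Name WUServer       -Value $SusUrl
    Set-ItemProperty $WuPolicy -Name WUStatusServer -Value $SusUrl
    Set-ItemProperty $AuPolicy -Name UseWUServer    -Value 1 -Type DWord
    Set-ItemProperty $AuPolicy -Name NoAutoUpdate   -Value 0 -Type DWord
    Set-ItemProperty $AuPolicy -Name AUOptions      -Value 3 -Type DWord
}

# Example run on a server: show the policy and whether it satisfies "manual install by administrators".
Get-AutomaticUpdatesPolicy | Format-List
Test-ManualInstallCompliance
```

The same read-back distinguishes the options in the question: option A or C on the server produces NoAutoUpdate=1 (or nothing at all, for the user-OU GPO), and a scheduled-install GPO produces AUOptions=4, both of which Test-ManualInstallCompliance reports as non-compliant.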
QUESTION NO: 3
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The testking.com Active Directory domain contains 150 Windows Server 2003 computers and 7,500 Windows XP Professional client computers. The network is made up of 64 class C IP subnets that range from 172.16.0.0 through 172.16.63.0.
The finance department uses 135 computers on the 172.16.9.0/24 IP subnet. This subnet also contains computers that belong to other departments in the company. All finance department computers are members of the testking.com Active Directory domain.
You need to produce a report that identifies which Microsoft security patches are not installed on the computers in the finance department. The report must contain information about only the finance department computers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Run Mbsacli.exe on a finance department computer with the option to scan computers in the Network Neighborhood.
B. Run Mbsacli.exe on a finance department computer with the option to scan computers by using a list of individual IP addresses of the finance department computers.
C. Run Mbsacli.exe on a finance department computer with the option to scan computers on the finance department IP subnet.
D. Run Mbsacli.exe on a finance department computer with the option to scan computers in the testking.com Active Directory domain.
Answer: B
Explanation:
The 172.16.9.0/24 subnet also hosts computers from other departments, so a subnet scan (C) would put non-finance machines in the report, and a domain (D) or Network Neighborhood (A) scan would cover all 7,650 computers. Only a list of the finance computers' individual IP addresses (B) limits the report to exactly the required machines.
The matching syntax is mbsacli /hf -fip hosts.txt. The -fip switch scans the IP addresses listed in the named text file; you specify one address per line, up to a maximum of 256 addresses, so the 135 finance computers fit in a single file. The -i switch does the same for addresses typed on the command line, separated by commas.
Do not use the mbsacli /hf -r syntax for this task. The -r switch scans a range of IP addresses and would pull in the other departments' computers on the subnet. The -fh switch scans NetBIOS computer names from a file rather than IP addresses; it would also confine the report to the finance computers if you hold a list of their names, but it is not what option B describes.
Switches available with the /hf flag
mbsacli /hf [-h hostname] [-fh filename] [-i ipaddress] [-fip filename] [-r ipaddressrange] [-d domainname] [-n] [-sus SUS server|SUS filename] [-b] [-fq filename] [-s 1] [-s 2] [-nosum] [-sum] [-z] [-v] [-history level] [-nvc] [-o option] [-f filename] [-unicode] [-t] [-u username] [-p password] [-x] [-?]
To select which computers to scan
-h hostname - Scans the named NetBIOS computer name. The default is the local host. To scan multiple hosts, separate the host names with a comma (,).
-fh filename - Scans the NetBIOS computer names that are specified in the named text file. Specify one computer name on each line in the .txt file, to a maximum of 256 names.
-i xxx.xxx.xxx.xxx - Scans the named IP address. To scan multiple IP addresses, separate each IP address with a comma.
-fip filename - Scans the IP addresses that are specified in the named text file. Specify one IP address on each line in the .txt file, to a maximum of 256 IP addresses.
-r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scans a specified range of IP addresses.
Note: You can use the previous switches in combination. For example, you can use a command line with the following format: mbsacli /hf -h hostname1,hostname2 -i xxx.xxx.xxx.xxx -fip ipaddresses.txt -r yyy.yyy.yyy.yyy-zzz.zzz.zzz.zzz
-d domainname - Scans a specified domain.
-n - Scans all the computers on the local network. All computers from all domains in Network Neighborhood (or My Network Places) are scanned.
Reference: Microsoft Baseline Security Analyzer (MBSA) version 1.2 is available, Microsoft Knowledge Base Article 320454
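How the finance-only list is built and fed to mbsacli /hf -fip in practice, as an added example that is not part of the original page or of MBSA. The computer names below are a constructed sample (a real run would take them from Active Directory or the asset inventory); the subnet 172.16.9.0/24, the 256-address limit and the /hf switches come from the question and the switch table above, and the installation path of mbsacli.exe is an assumption. Resolving names and then filtering to the finance subnet is the check that keeps a finance host that has moved, or a mistyped non-finance name, out of the report.

```powershell
# Added example: build the per-host IP list for mbsacli /hf -fip and scan the finance computers only.
# Computer names are a constructed sample; the mbsacli.exe path is an assumption.
$MbsaCli       = 'C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe'
$FinanceSubnet = [System.Net.IPAddress]::Parse('172.16.9.0')
$SubnetMask    = [System.Net.IPAddress]::Parse('255.255.255.0')
$FinanceHosts  = 'FIN-WS01', 'FIN-WS02', 'FIN-WS03'   # constructed sample; 135 names in the real scenario

function Test-InSubnet([System.Net.IPAddress]$Ip, [System.Net.IPAddress]$Net, [System.Net.IPAddress]$Mask) {
    # IPv4 membership test: (address AND mask) must equal the network address, byte by byte.
    $a = $Ip.GetAddressBytes(); $n = $Net.GetAddressBytes(); $m = $Mask.GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) { if (($a[$i] -band $m[$i]) -ne $n[$i]) { return $false } }
    return $true
}

function Get-FinanceTargetIps {
    # Resolve each finance computer name and keep only IPv4 addresses inside the finance subnet, so a
    # non-finance host never enters the list and a finance host that moved elsewhere is flagged, not scanned.
    param([string[]]$Names)
    $ips = foreach ($name in $Names) {
        try {
            [System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' -and (Test-InSubnet $_ $FinanceSubnet $SubnetMask) } |
                ForEach-Object { $_.IPAddressToString }
        } catch { Write-Warning "Could not resolve $name; it will be missing from the report" }
    }
    $ips | Sort-Object -Unique
}

function Invoke-FinanceScan {
    # -fip accepts at most 256 addresses per file (see the switch table), so the list is written in chunks.
    # /hf = HFNetChk-style patch scan, -fip = IP list file, -o tab = tab-delimited output, -f = write to file.
    # -sus points the scan at the SUS server's approved list instead of the full Microsoft catalog (optional).
    param([string[]]$TargetIps, [string]$ReportDir = 'C:\MBSA-Reports', [string]$SusServer)
    New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null
    for ($start = 0; $start -lt $TargetIps.Count; $start += 256) {
        $end      = [Math]::Min($start + 255, $TargetIps.Count - 1)
        $listFile = Join-Path $ReportDir "finance-ips-$start.txt"
        $report   = Join-Path $ReportDir "finance-missing-patches-$start.txt"
        $TargetIps[$start..$end] | Set-Content $listFile
        if ($SusServer) { & $MbsaCli /hf -fip $listFile -sus $SusServer -o tab -f $report }
        else            { & $MbsaCli /hf -fip $listFile -o tab -f $report }
    }
}

# Usage: run from a finance department computer with an account that is an administrator on the targets.
$targets = Get-FinanceTargetIps -Names $FinanceHosts
Invoke-FinanceScan -TargetIps $targets
```

The report files contain one line per scanned host and missing update, so the finance-only requirement is met by construction: nothing outside $targets is ever handed to mbsacli.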
QUESTION NO: 4
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows 2000 Professional. TestKing has a main office and 150 branch offices located throughout the United States and Canada. The company does not use disk-imaging software.
In the past, newly installed client computers were exploited by malicious Internet worms before you applied all security patches.
You need to build and deploy client computers that will always have the latest service packs, updates, and security patches. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Install the operating system on the computers by using the original installation media.
Use Windows Update immediately after the installation to apply updates and security patches.
B. Install the operating system on the computers by using the original installation media.
Configure Automatic Updates to immediately install updates and security patches.
C. Create slipstream installation media that has the latest service pack.
Install the operating system from the slipstream installation media.
Implement a Software Update Services (SUS) server to install approved updates and security patches on client computers.
D. Create slipstream installation media that has the latest service pack and includes Microsoft Baseline Security Analyzer (MBSA).
Install the operating system from the slipstream installation media.
Run MBSA immediately after installing the operating system.
Answer: C
Explanation:
A freshly installed client that is connected to the Internet is exposed from the first moment: in the past these computers were compromised by worms before Windows Update (A) or Automatic Updates (B) had finished downloading and applying the patches, so neither option closes that window. Slipstreaming the latest service pack into the installation media (C) removes most of the exposure before the computer is ever on the network, and a SUS server then delivers the remaining approved updates from inside the network. MBSA (D) only reports missing patches; it installs nothing, and there is no reason to install it on each client.
Objective: Implementing, Managing, and Troubleshooting Patch Management Infrastructure
Sub-Objective: 2.3.1 Deploy service packs and hotfixes on new servers and client computers. Considerations include slipstreaming, custom scripts, and isolated installation or test networks.
You should use Software Update Services (SUS) to deploy the service packs and hotfixes. The most recent version of SUS supports the distribution of service packs. Microsoft SUS allows administrators to deploy critical updates and Windows security roll-ups to Windows 2000 and Windows Server 2003 servers, and to computers running Windows 2000 Professional or Windows XP Professional. SUS is a free download.
You should not use Systems Management Server (SMS) to deploy the service packs and hotfixes. SMS is a separate product that is sold separately from Windows Server 2003. While SMS includes a variety of features for software distribution, and you could use SMS to deploy the service packs and hotfixes, this solution would not avoid the purchase of additional software.
You should not use Group Policy to deploy service packs and hotfixes. Software installation with Group Policy has limitations such as problems scheduling installation, consistently managing network bandwidth, and providing feedback on the status of the installation.
You should not use logon scripts to deploy service packs and hotfixes. There is no way to determine whether the update packages installed correctly or which computers received the installation.
Objective: Implementing, Managing, and Troubleshooting Patch Management Infrastructure
Sub-Objective: 2.3.2 Deploy service packs and hotfixes to existing client and server computers.
QUESTION NO: 5
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are members of the domain.
TestKing has a main office and six branch offices. Each branch office is connected to the main office by a dedicated leased line. All offices are connected to the Internet. Each office contains multiple servers and hundreds of client computers.
You are planning a security patch management infrastructure. You install a Software Update Services (SUS) server in the main office and in each branch office. You configure the main office SUS server to store updates locally.
You need to ensure that all client computers automatically install the latest security patches. You want to minimize the network traffic on the leased lines between the offices and on the connections to the Internet.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Configure the branch office SUS servers to maintain updates on the Microsoft Windows Update servers.
B. Configure Automatic Updates on the branch office SUS servers to use the main office SUS server.
C. Configure the branch office SUS servers to obtain updates from the main office SUS server.
D. Configure Automatic Updates on the client computers to use the SUS server in the local office.
E. Configure Automatic Updates on the client computers to use the main office SUS server.
Answer: C, D
Explanation:
MCSA/MCSE Training Kit 70-299, Chapter 5, Planning an Update Management Infrastructure, page 5-20, Approval of updates using Software Update Services:
SUS is designed to be used in large organizations. Almost every aspect of its behavior can be customized. For example, the SUS server can download updates from Microsoft automatically, manually, or on a schedule specified by an administrator. SUS servers can be tiered, as shown in Figure 5.4, with multiple SUS servers synchronizing updates between each other. This optimizes the use of your Internet connection by requiring each update to be downloaded only once for the entire organization. It also optimizes traffic on your wide area networks by allowing clients to download updates from a local SUS server.
Option C makes each branch SUS server a child of the main office server, so every update crosses the Internet once and each leased line once; option D then keeps client downloads on the local LAN. Option A would have every client fetch from Microsoft over each office's Internet link, B confuses the SUS server's own Automatic Updates client with its synchronization source, and E would send every client download across the leased lines.
QUESTION NO: 6
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains Windows Server 2003 computers and Windows XP Professional client computers. The Active Directory domain consists of 10 Active Directory sites. Each Active Directory site contains a Windows Server 2003 computer that functions as a domain controller and a DNS server.
A Windows Server 2003 computer named TestKing1 is a member of the Active Directory domain. TestKing1 is used to store confidential data in a Microsoft SQL Server 2000 database. You set up IP filters by using IPSec to control the types of inbound and outbound IP traffic that are allowed to and from TestKing1.
After you configure the IP filters, you cannot resolve DNS names from TestKing1. The Addresses tab of the IP Filter Properties dialog box is shown in the exhibit.
This is the only rule in the IPSec policy that is relevant to DNS traffic.
You need to enable TestKing1 to resolve DNS names.
What should you do?
A. Create an additional rule that allows DNS responses from the DNS servers to TestKing1.
B. Change the Source address list to Any IP Address.
C. Change the Destination Address list to A specific IP Subnet and type the IP subnet address that matches the IP subnet of TestKing1.
D. Change the Destination address list to A specific IP Address and type the IP address of a DNS server in the same IP subnet as TestKing1.
Answer: D
QUESTION NO: 7
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.
You plan to deploy remote access to the network for users that work from home.
TestKing's written security policy states the following remote access requirements:
Users are allowed to use remote access during the day only.
Enterprise Admins are never allowed to use remote access.
Domain Admins are always allowed to use remote access.
A user who is a member of both the Enterprise Admins group and the Domain Admins group is not allowed to use remote access.
You configure and enable Routing and Remote Access on a member server named TestKing1. You delete the predefined remote access policies. The remote access permission for all user accounts in the domain is set to use remote access policies.
You need to ensure that the remote access policies on TestKing1 comply with the written security policy.
What should you do?
To answer, drag the remote access policy that should appear first in the remote access policy list to the First Policy box. Continue dragging the appropriate remote access policies to the corresponding numbered boxes until you list all required policies in the correct order. You might not need to use all numbered boxes.
Answer:
Explanation:
Remote access policies are evaluated in list order, and the first policy whose conditions match the connection decides the outcome. The most restrictive policy is therefore checked first and the rest follow in decreasing order of restrictiveness: a policy that denies members of Enterprise Admins, then a policy that grants Domain Admins access at any time, then a policy that grants the remaining users access during the day only.
Members of the Enterprise Admins group are always blocked by the first policy; this includes Domain Admins who are also in the Enterprise Admins group, but not those who are only Domain Admins.
QUESTION NO: 8
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. All servers run Windows Server 2003. All computers on the network are members of the domain.
Traffic on the network is encrypted by IPSec. The domain contains a custom IPSec policy named Lan Security that applies to all computers in the domain. The Lan Security policy does not allow unsecured communication with non-IPSec-aware computers.
TestKing's written security policy states that the configuration of the domain and the configuration of the Lan Security policy must not be changed.
The domain contains a multihomed server named TestKing1. TestKing1 is connected to the company network, and TestKing1 is also connected to a test network. Currently, the Lan Security IPSec policy applies to the network traffic on both network adapters on TestKing1.
You need to configure TestKing1 so that it communicates on the test network without IPSec security. TestKing1 must still use the Lan Security policy when it communicates on the company network.
How should you configure TestKing1?
A. Configure a packet filter for the network adapter on the test network to block the Internet Key Exchange (IKE) port.
B. Configure the network adapter on the test network to disable IEEE 802.1x authentication.
C. Configure the network adapter on the test network to enable TCP/IP filtering, and then permit all traffic.
D. Use the netsh command to assign a persistent IPSec policy that permits all traffic on the network adapter on the test network.
E. Assign an IPSec policy in the local computer policy that permits all traffic on the network adapter on the test network.
Answer: D
Explanation:
Option E fails because the IPSec assignment in the local GPO is overridden by the domain-assigned Lan Security policy. The persistent store is the one place where a host-local setting survives that precedence without touching the domain or the Lan Security policy, and a permit filter scoped to the test adapter's address leaves company-network traffic under Lan Security. Blocking IKE (A) only makes negotiations fail, and 802.1x (B) and TCP/IP filtering (C) are unrelated to IPSec.
Assigning IPSec Policies Locally
Each computer running Windows Server 2003 has one local GPO, which is also known as the local computer policy. When this local GPO is used, Group Policy settings can be stored on individual computers regardless of whether they are members of an Active Directory domain. The local GPO can be overridden by GPOs assigned to sites, domains, or OUs in an Active Directory environment that have higher precedence. On a network without an Active Directory domain (that is, a domain that does not have a domain controller running Windows 2000 or Windows Server 2003), the local GPO settings determine IPSec behavior because they are not overridden by other GPOs. Local policy assignment is a way to enable IPSec for computers that are not members of a domain.
You can also create and assign persistent IPSec policy, which secures a computer even if a local IPSec policy or an Active Directory-based IPSec policy cannot be applied. This policy adds to or overrides the local or Active Directory policy, and remains in effect regardless of whether other policies are applied or not. Persistent IPSec policies enhance security by providing a secure transition from computer startup to IPSec policy enforcement.
Persistent policy also provides backup security in the event of an IPSec policy corruption, or if errors occur during the application of local or domain-based IPSec policy. To configure persistent policies, you must use the netsh ipsec static set store location=persistent command.
When designing persistent IPSec policy, it is important to consider the potential impact of persistent policy on remote management. If local or domain-based IPSec policy is not applied and the persistent IPSec policy is the only policy that is applied, attempts to remotely diagnose an issue might be blocked by the persistent IPSec policy. To allow for remote management in case troubleshooting is required, it is recommended that you create appropriate permit filters when configuring persistent IPSec policy.
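Option D spelled out as the netsh ipsec static commands it implies, run on TestKing1. This is an added example and not code from the page or from Microsoft: the test-network adapter address 192.168.50.10 and the policy, filter list and filter action names are assumptions. The filter is mirrored and keyed on the test adapter's own address, so only traffic that enters or leaves through that adapter is permitted in the clear; everything the company-network adapter handles still falls under the domain-assigned Lan Security policy. Names are kept free of spaces so the commands run unchanged from PowerShell or cmd.exe.

```powershell
# Added example: persistent IPSec exception for the test-network adapter on TestKing1 (option D).
# The adapter address and all object names are assumptions, not values from the page.
$TestNicIp = '192.168.50.10'

function Set-TestNetworkClear {
    # The persistent store survives restarts and is applied before local/domain policy, so the domain and
    # the Lan Security policy stay untouched (the written policy forbids changing them) while this
    # host-local exception covers only traffic to/from the test adapter's address.
    netsh ipsec static set store location=persistent
    netsh ipsec static add filterlist name=TestNetTraffic description="Traffic on the test network adapter"
    # Mirrored: matches packets from the test NIC to any peer and the replies back to it; all protocols.
    netsh ipsec static add filter filterlist=TestNetTraffic srcaddr=$TestNicIp dstaddr=any protocol=any mirrored=yes
    netsh ipsec static add filteraction name=PermitClear action=permit
    netsh ipsec static add policy name=TestNetClear description="Permit cleartext on the test network only" assign=no
    netsh ipsec static add rule name=TestNetPermit policy=TestNetClear filterlist=TestNetTraffic filteraction=PermitClear
    netsh ipsec static set policy name=TestNetClear assign=y
    # Caveat from the text above: had this persistent policy been restrictive rather than a narrow permit,
    # it would also need permit filters for remote management traffic, or the box may become unreachable
    # whenever the domain policy fails to apply.
}

function Show-EffectiveIpsecPolicy {
    # Verify: the persistent store lists TestNetClear as assigned, and the dynamic view shows the merged
    # filters actually in force, with company-network traffic still governed by Lan Security.
    netsh ipsec static set store location=persistent
    netsh ipsec static show policy name=TestNetClear
    netsh ipsec dynamic show all
}

Set-TestNetworkClear
Show-EffectiveIpsecPolicy
```

Run Show-EffectiveIpsecPolicy from an elevated prompt after a reboot as well: the point of the persistent store is that the exception is present from startup, before the domain policy is even downloaded.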
QUESTION NO: 9
You are the security administrator of your network. The network consists of an Active Directory domain. All computers on the network are in the domain. The domain controllers and file servers on the network run Windows Server 2003. The client computers run Windows XP Professional.
The file servers use a custom IPSec policy named Server Traffic. The Server Traffic policy contains rules to encrypt Telnet and SNMP traffic, as shown in the exhibit.
All client computers use the Client (Respond Only) IPSec policy. The default exemptions to IPSec filtering are disabled on the client computers.
You want to configure the network so that Telnet, SNMP, and Kerberos traffic is encrypted by IPSec. You do not want to encrypt other network protocols.
What should you do? (Each correct answer presents part of the solution. Choose two)
A. On the client computers, enable the default exemptions to IPSec filtering.
B. On the file servers, enable the default exemptions to IPSec filtering.
C. On the file servers, configure the IPSec policy in the local computer policy to encrypt Kerberos traffic.
D. Add a new rule to the Server Traffic policy to encrypt Kerberos traffic.
E. Configure the Server Traffic policy to enable the Default Response rule.
F. Configure the rules in the Server Traffic policy to use an authentication method other than Kerberos.
Answer: D, F
Explanation:
The Server Traffic policy already has rules for Telnet and SNMP; Kerberos is not covered, so a rule whose filter matches Kerberos traffic (TCP and UDP port 88) must be added to that policy (D). Kerberos is also the default IKE authentication method, and that is the trap: once Kerberos traffic itself requires an IPSec security association, a rule authenticated with Kerberos can never be negotiated, because the server would have to exchange Kerberos tickets before the association that protects Kerberos exists. The rules therefore have to authenticate with certificates or a preshared key instead (F).
Enabling the default exemptions on the file servers (B) exempts Kerberos, together with RSVP, broadcast and multicast, from IPSec filtering altogether, which is the opposite of the goal; re-enabling them on the clients (A) has the same effect on the client side. The Default Response rule (E) only makes a computer answer IPSec requests for traffic that no other rule matches; it encrypts nothing by itself and could cause other protocols to be negotiated, which the question forbids. Only one IPSec policy can be assigned to a computer at a time, so a second policy in the file servers' local computer policy (C) cannot be active alongside Server Traffic; the Kerberos rule belongs in Server Traffic itself.
The SNMP rules already in the Server Traffic policy show what such a filter looks like. IPSec does not automatically protect SNMP. If you want to use IPSec to protect SNMP messages, you must configure all SNMP-enabled systems to use IPSec, or the communications will fail; if you cannot configure all of them, the IPSec policies of the SNMP-enabled systems must at a minimum allow them to send cleartext (unencrypted) information, which largely defeats the purpose because all communications will then be unsecured. You must create filter specifications in the appropriate IP filter list for traffic between the management systems and the SNMP agents, in two sets.
The first set of filter specifications is for typical SNMP traffic (SNMP messages) between the management system and the SNMP agents:
Mirrored: enabled; Protocol Type: TCP; Source and Destination Ports: 161
Mirrored: enabled; Protocol Type: UDP; Source and Destination Ports: 161
The second set of filter specifications is for SNMP trap messages sent to the management system from the SNMP agents:
Mirrored: enabled; Protocol Type: TCP; Source and Destination Ports: 162
Mirrored: enabled; Protocol Type: UDP; Source and Destination Ports: 162
References:
http://support.microsoft.com/default.aspx?scid=811832 - IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169 - Traffic That Can--and Cannot--Be Secured by IPSec
http://www.microsoft.com/windows2000...nfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cneb_snp_jxku.asp - Simple Network Management Protocol
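The D plus F answer as netsh ipsec static commands for the file servers' Server Traffic policy, added here as an example that is not part of the original page or of Microsoft's documentation. The SNMP ports (161 and 162, TCP and UDP, mirrored) come from the filter table above; Kerberos on TCP and UDP 88 and Telnet on TCP 23 are the standard port assignments. The policy, filter list and filter action names, the root CA name, and the choice of the local policy store are assumptions. The helper generates one mirrored filter per protocol and port, which is exactly the shape of the SNMP filter specifications listed above, and the rule is authenticated with certificates (kerberos=no) so that Kerberos traffic can sit inside the filter without the deadlock described in the explanation.

```powershell
# Added example: encrypt Telnet, SNMP and Kerberos on a file server with certificate-authenticated IKE.
# Object names, the root CA and the use of the local store are assumptions, not values from the page.
$Policy = 'ServerTraffic'
$RootCa = 'CN=TestKing Root CA'   # assumed issuing CA; certificates replace Kerberos as the IKE authenticator (option F)

function New-MirroredFilters([string]$FilterList, [string[]]$Protocols, [int[]]$Ports, [string]$Desc) {
    # One mirrored filter per protocol/port: any peer -> this server on the given port, and the reply
    # direction, which is the same shape as the SNMP filter specifications in the explanation.
    foreach ($port in $Ports) {
        foreach ($proto in $Protocols) {
            netsh ipsec static add filter filterlist=$FilterList srcaddr=any dstaddr=me protocol=$proto srcport=0 dstport=$port mirrored=yes description="$Desc $proto/$port"
        }
    }
}

function Set-ServerTrafficPolicy {
    netsh ipsec static set store location=local
    netsh ipsec static add filterlist name=EncryptedMgmt description="Telnet, SNMP and Kerberos must be encrypted"
    New-MirroredFilters EncryptedMgmt @('TCP')       @(23)       'Telnet'     # Telnet is TCP only
    New-MirroredFilters EncryptedMgmt @('TCP','UDP') @(161, 162) 'SNMP'       # 161 messages, 162 traps
    New-MirroredFilters EncryptedMgmt @('TCP','UDP') @(88)       'Kerberos'   # option D: the missing protocol
    # Negotiate ESP (encryption + integrity). inpass=no and soft=no: no cleartext fallback, so a
    # non-IPSec peer cannot downgrade these protocols; other protocols are untouched because no filter matches them.
    netsh ipsec static add filteraction name=RequireEsp action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
    # Option F: certificate authentication (kerberos=no). With Kerberos itself inside the filter, an IKE rule
    # authenticated by Kerberos could never complete its first negotiation.
    netsh ipsec static add rule name=EncryptMgmt policy=$Policy filterlist=EncryptedMgmt filteraction=RequireEsp kerberos=no rootca="$RootCa certmap:no excludecaname:no"
    netsh ipsec static set policy name=$Policy assign=y
}

function Show-ServerTrafficPolicy {
    # Verify the rule list and, after a client has connected, the live security associations (port 88 should appear).
    netsh ipsec static show policy name=$Policy level=verbose
    netsh ipsec dynamic show sas
}

Set-ServerTrafficPolicy
Show-ServerTrafficPolicy
```

The clients need no policy change beyond what the question already states: Client (Respond Only) answers the server's negotiation, and because their default exemptions are disabled, their Kerberos traffic is eligible to be secured. The clients do need a machine certificate chaining to the same root CA, since the server now refuses Kerberos as the IKE authentication method.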
QUESTION NO: 10=20
Leading the way in IT testing and certification tools,=20
www.testking.com=20
-16
70 - 299=20
You are a security administrator for TestKing. TestKing=20
consists of two divisions. One division is named=20
TestKing Winery and is located in San Francisco. The=20
other division is named TestKing Vineyard and is=20
located in Paris. Each division is connected to the=20
Internet by a 1.544 Mbps WAN connection.=20
TestKing Winery consists of a single Active Directory=20
forest named testkingwinery.com. All servers run=20
Windows Server 2003. All client computers run Windows XP=20
Professional. TestKing Winery has a=20
Microsoft SQL Server 2000 database that contains customer=20
information. The SQL Server 2000 database=20
is hosted on a Windows Server 2003 computer named=20
TestKing1.=20
TestKing Vineyard consists of a single Active Directory=20
forest named testkingvineyard.com. All servers=20
run Windows 2000 Server. All client computers run Windows=20
2000 Professional or Windows NT=20
Workstation. All computers run the latest service packs.=20
To enable data replication, you configure a new Windows=20
Server 2003 computer named TestKing2 in the=20
testkingvineyard.com forest. You install SQL Server 2000=20
on TestKing2. Your database administrator=20
configures the database on TestKing1 to replicate to=20
TestKing2 every night.=20
Management reports that a competitor acquired=20
confidential customer data. You determine that the=20
competitor intercepted customer data as it replicated=20
from TestKing1 to TestKing2. You device to use=20
IPSec to protect customer data as it replicated.=20
You need to configure an IPSec policy to protect customer=20
data as it replicates.=20
What should you do?=20
A. Configure the IPSec policy to use Authentication=20
Header (AH) in transport mode with Kerberos=20
authentication.
B. Configure the IPSec policy to use Encapsulating=20
Security Payload (ESP) with certificate-based=20
authentication in tunnel mode.=20
C. Configure the IPSec policy to use Authentication=20
Header (AH) with certificate-based authentication in=20
transport mode.=20
D. Configure the IPSec policy to use Encapsulating=20
Security Payload (ESP) with Kerberos authentication in=20
tunnel mode.=20
Answer: B
Explanation:
IPSec can operate in two different modes: transport mode and tunnel mode. Typically, you should use transport mode to protect host-to-host communications. In transport mode, IPSec tunnels traffic starting at the transport layer, also known as layer 4. Therefore, IPSec in transport mode can encrypt the User Datagram Protocol/Transmission Control Protocol (UDP/TCP) protocol header and the original data, but the IP header itself cannot be protected. IPSec transports an application's data by adding an IPSec header and trailer to outgoing packets. Depending on the IPSec protocol used, the original contents of the outgoing packets will be encrypted. IPSec's position in the packet when functioning in transport mode is shown in Figure 8.1. The diagram shows IPSec using the ESP protocol. ESP is the more common of the two IPSec protocols because it provides both authentication and encryption.
When you protect traffic sent directly between two hosts, you will almost always use IPSec transport mode. When you protect traffic between a host and a network, or between two networks, you must use IPSec tunnel mode. Although transport mode stores the UDP/TCP header and the application data between an IPSec header and trailer, tunnel mode stores the entire original packet. The IP header, including the source and destination addresses, must be stored within the IPSec packet because the traffic is destined for a computer other than the computer to which the IPSec connection was established.
If hosts on two networks are communicating across the Internet and all clients are IPSec enabled, transport mode can be used to encrypt traffic between individual hosts, or tunnel mode can be used to encrypt all traffic sent between the two networks. Naturally, tunnel mode is more convenient because it doesn't require every host to have IPSec enabled, but which is more secure? Tunnel mode is more secure than transport mode, in theory.
Use transport mode when you communicate with one computer, and use tunnel mode when you communicate with an entire network, so when the decision calls for encapsulating or tunneling the IP header, use tunnel mode.
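The transport-mode versus tunnel-mode difference described above, as an added example that is not part of the original exam material: it builds one TCP packet, wraps it in ESP both ways and shows what an interceptor on the wire can read in each case. The cipher is a stand-in keystream (HMAC-SHA256 in counter mode) so the block runs on the standard library alone, the ESP integrity check value is omitted, and the addresses, ports, key and payload are all constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50      # protocol number carried in the (outer) IP header for ESP
IPPROTO_TCP = 6
IPPROTO_IPIP = 4    # ESP Next Header value when a whole IPv4 packet is encapsulated


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH+ACK, no options) plus application data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + data


def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """STAND-IN cipher: HMAC-SHA256 in counter mode keyed per (SPI, sequence).
    XOR makes it symmetric. It is not a real IPsec ESP transform (3DES, AES...)."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def esp_encapsulate(key: bytes, spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """ESP layout (integrity check value omitted):
    SPI | sequence | encrypted( payload | padding | pad length | next header )."""
    pad_len = (-(len(plaintext) + 2)) % 4      # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + keystream_xor(key, spi, seq, plaintext + trailer)


def esp_decapsulate(key: bytes, esp: bytes):
    """Return (next_header, payload) from an ESP packet built by esp_encapsulate."""
    spi, seq = struct.unpack("!II", esp[:8])
    clear = keystream_xor(key, spi, seq, esp[8:])
    pad_len, next_header = clear[-2], clear[-1]
    return next_header, clear[:len(clear) - 2 - pad_len]


def protect_transport(key: bytes, spi: int, seq: int, ip_packet: bytes) -> bytes:
    """Transport mode: the original IP header stays readable (protocol becomes ESP);
    only the TCP header and data sit between the ESP header and trailer."""
    hdr, tcp = ip_packet[:20], ip_packet[20:]
    esp = esp_encapsulate(key, spi, seq, tcp, IPPROTO_TCP)
    return ipv4_header(str(IPv4Address(hdr[12:16])), str(IPv4Address(hdr[16:20])),
                       ESP_PROTO, len(esp)) + esp


def protect_tunnel(key: bytes, spi: int, seq: int, ip_packet: bytes,
                   gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original packet, IP header included, is encrypted and
    a new outer IP header carries only the tunnel endpoints' addresses."""
    esp = esp_encapsulate(key, spi, seq, ip_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def unprotect(key: bytes, packet: bytes) -> bytes:
    """Receiving side for either mode: recover the original IP packet."""
    next_header, inner = esp_decapsulate(key, packet[20:])
    if next_header == IPPROTO_IPIP:       # tunnel mode: the inner packet is complete
        return inner
    hdr = packet[:20]                     # transport mode: restore the IP header
    return ipv4_header(str(IPv4Address(hdr[12:16])), str(IPv4Address(hdr[16:20])),
                       next_header, len(inner)) + inner


def on_the_wire(packet: bytes) -> dict:
    """What an interceptor without the key can read from a packet."""
    proto = packet[9]
    return {"src": str(IPv4Address(packet[12:16])), "dst": str(IPv4Address(packet[16:20])),
            "proto": proto,
            "spi": struct.unpack("!I", packet[20:24])[0] if proto == ESP_PROTO else None,
            "tcp_ports_visible": proto == IPPROTO_TCP}


def sample_packet() -> bytes:
    """Constructed sample: one TCP segment of replication traffic (addresses made up)."""
    tcp = tcp_segment(1433, 49152, b"customer row")
    return ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_TCP, len(tcp)) + tcp


if __name__ == "__main__":
    key = b"constructed-demo-key"
    original = sample_packet()
    transport = protect_transport(key, 0x1000, 1, original)
    tunnel = protect_tunnel(key, 0x2000, 1, original, "203.0.113.1", "198.51.100.1")
    print("clear    :", on_the_wire(original))
    print("transport:", on_the_wire(transport))   # same endpoints visible, ports hidden
    print("tunnel   :", on_the_wire(tunnel))      # only the gateway addresses visible
    assert unprotect(key, transport) == original and unprotect(key, tunnel) == original
```

In transport mode the interceptor still learns that TestKing1 talks to TestKing2 (source and destination stay in the clear); in tunnel mode it sees only the two tunnel endpoints, which is the encapsulation of the IP header the text refers to.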
QUESTION NO: 11
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You use Group Policy objects (GPOs) to manage client computers.
TestKing has a wireless LAN (WLAN) that 50 employees who have portable computers use. Management reports that an additional 500 employees will receive portable computers in the next six months. These employees will have access to the WLAN. To address security concerns, management requires that portable computer users use smart cards to log on.
You need to plan a WLAN implementation to meet management requirements. You want to achieve this goal without affecting the application of Group Policy.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Deploy WLAN hardware that supports IEEE 802.1x.
B. Deploy WLAN hardware that supports 128-bit Wired Equivalent Privacy (WEP) keys.
C. Implement an Internet Authentication Service (IAS) infrastructure.
D. Implement a public key infrastructure (PKI).
E. Implement a Routing and Remote Access infrastructure.
F. Implement IPSec on all portable computers.
Answer: C, D, E
Explanation:
From the question there is no wireless infrastructure or PKI in place, since neither is mentioned. Most modern laptops come with wireless built in or can easily be configured with a wireless card, and most of them are WEP and Wi-Fi Protected Access (WPA) ready as well as supporting 802.1x. Windows XP supports all current wireless technologies.
802.1X is an IEEE standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. IEEE 802.1X supports centralized user identification, authentication, dynamic key management, and accounting. 802.1X supports these EAP authentication methods for wireless clients and servers: EAP-TLS, EAP, EAP-MS-CHAP v2, and PEAP.
You must use the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication method to support the use of smart cards for remote access authentication. EAP-TLS is an EAP type utilized in certificate-based security environments. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key determination method.
Objective: Planning, Configuring and Troubleshooting Authentication, Authorization and PKI
Sub-Objective: 4.1.3 Plan and configure multifactor authentication
http://www.microsoft.com/technet/Sec...odtech/win2003/pkiwire/build/swlanbg4.mspx#XSLTsection122121120120
Securing Wireless LANs - A Windows Server 2003 Certificate Services Solution: Build Guide
Chapter 4 - Implementing Wireless LAN Security Using 802.1X
Preparing the Environment for a Secure WLAN
You must optimize supporting infrastructure in your environment prior to implementing 802.1X-based secure wireless networking. Supporting infrastructure includes Active Directory and DHCP servers. For thorough WLAN planning guidance, see the Deploying a Wireless LAN chapter of the Windows Server 2003 Deployment Kit and other resources listed in the More Information section at the end of this chapter.
Creating Active Directory Groups Required for WLAN Access
You must run the following script as a user who has permission to create Active Directory security groups. This script creates the required groups for wireless authentication certificate enrollment, remote access policy, and wireless network Group Policy:
Cscript //job:CreateWirelessGroups C:\MSSScripts\wl_tools.wsf
This script creates the following Active Directory-based security groups that are used throughout the rest of this guidance:
- AutoEnroll Client Authentication - User Certificate
- AutoEnroll Client Authentication - Computer Certificate
- AutoEnroll RAS and IAS Server Authentication Certificate
- Remote Access Policy - Wireless Users
- Remote Access Policy - Wireless Computers
- Remote Access Policy - Wireless Access
- Wireless Network Policy - Computer
For a multi-domain forest, you should create these groups in the same domain as the wireless users. Although this is not essential, since they are created as global groups, this is assumed in the remainder of this guidance.
Configuring Wireless APs for 802.1X Networking
The procedure for configuring wireless APs varies dramatically depending on the make and model of the device. However, wireless AP vendors will generally provide instructions for configuring the device with:
- 802.1X networking settings.
- IP address of the primary RADIUS authentication server.
- IP address of the primary RADIUS accounting server.
- RADIUS secret shared with the primary RADIUS server.
- IP address of the secondary RADIUS authentication server.
- IP address of the secondary RADIUS accounting server.
- RADIUS secret shared with the secondary RADIUS server.
See your vendor-specific documentation for information about configuring wireless APs for 802.1X.
If users in your environment are currently utilizing wireless APs with no security settings or static WEP settings, you will need to develop a migration plan. For more information about migration from an existing wireless network, please consult Chapter 6, "Designing Wireless LAN Security Using 802.1X," of the Planning Guide. Although providing instructions for configuring various vendors' wireless APs is outside the scope of this guidance, discussion of security topics related to wireless APs can be found in this same chapter.
Configuring WLAN Access Infrastructure
You must configure your primary IAS server with remote access policy and connection request settings that determine authentication and authorization of wireless users and computers to the WLAN. These settings should then be replicated to additional IAS servers with a similar role by using the netsh command as described in the RADIUS Build Guide or the Operations Guide. In addition, each IAS server must be uniquely configured to accept connections from RADIUS clients such as wireless APs. Wireless APs must then be configured to utilize IAS servers as the source of authentication and accounting for 802.1X networking.
Creating an IAS Remote Access Policy for WLAN
Perform the following steps by using the Internet Authentication Service MMC snap-in to configure IAS with a remote access policy for wireless networking.
To create a remote access policy in IAS
1. Right-click the Remote Access Policies folder, and then select Create New Remote Access Policy.
2. Name the policy Allow Wireless Access and instruct the wizard to set up A typical policy for a common scenario.
3. Choose Wireless for the access method.
4. Grant access based on group, and use the Remote Access Policy - Wireless Access (WOODGROVEBANK\Remote Access Policy - Wireless Access) security group.
5. Choose Smart Card or Other Certificate for the Extensible Authentication Protocol (EAP) type, and then select the server authentication certificate installed for IAS. Finish and exit the wizard.
Note: The new Allow Wireless Access policy can coexist with other user-created remote access policies or the default remote access policies. However, ensure that any default remote access policies are either deleted or listed after the Allow Wireless Access policy in the Remote Access Policies folder.
QUESTION NO: 12
You are a security administrator for TestKing. The network contains a Windows Server 2003 computer that runs IIS. You use this server to host an Internet Web site for customer product purchasing. You plan to use SSL on this computer. You do not want customers to receive a certificate-related security alert when they use SSL to connect to your Web site.
You need to select an appropriate certification authority (CA) to serve as the issuer for your Web server SSL certificate.
What should you do?
A. Use an online enterprise root CA.
B. Use an online stand-alone root CA.
C. Use a commercial CA.
D. Use an offline stand-alone root CA.
Answer: C
Explanation:
Overview of Secure Sockets Layer (SSL) 11-5 - Used primarily for Internet communications
Obtaining SSL Certificates
To use SSL, the server must have a suitable public key certificate. Additionally, some SSL scenarios allow or require the client to use a public key certificate. SSL is one of the most common uses for public key certificates, and, as a result, you can obtain SSL certificates from a wide variety of places. Any organization with a computer running Windows Server 2003 can deploy Certificate Services to issue SSL certificates without any additional cost. These certificates are suitable for intranet scenarios, in which both the servers and the clients are controlled by a single organization. These certificates should not be used for communications that cross organizations, however.
As with any public key infrastructure (PKI), SSL certificates can only be trusted if the root certification authority (CA) is trusted. You can use Group Policy objects (GPOs) to add your CA to the list of trusted root CAs on clients on an intranet, but it is much more difficult to configure clients on the public Internet. For this reason, if you do not control the client computers, you should obtain an SSL certificate from a public CA that is trusted by the client applications that will be establishing a connection to your server. If the server is a Web server, your clients will be Web browsers. Microsoft Internet Explorer is configured by default to trust a large number of public CAs.
Comparing SSL with IPSec
IPSec is commonly used to provide the same services as SSL: authentication, privacy, and message integrity. However, the approach IPSec takes is different from that of SSL. IPSec is implemented by the operating system and is completely transparent to the applications that use IPSec. As a result, IPSec can be used to protect almost any type of network communication. IPSec also provides a flexible authentication scheme. The Microsoft Windows implementation of IPSec allows clients and servers to authenticate each other by using either public key certificates or a shared secret. SSL, on the other hand, must be implemented by individual applications. Therefore, you cannot use SSL to encrypt all communications between two hosts. Additionally, SSL is less flexible than IPSec because it only supports authentication by means of public key certificates. SSL does provide several distinct advantages, however. Most significantly, SSL is supported by a wide variety of servers and clients, and the maturity of the standard has practically eliminated interoperability problems. Additionally, SSL allows one-way authentication, while IPSec requires both sides of a connection to authenticate. One-way authentication allows SSL to be used to authenticate the server without placing the burden of registering for a public key certificate on the client. This enables SSL to be used to encrypt communications with public Web sites while protecting the privacy of the end user by not revealing the details of a user certificate to the Web server.
The other selections are for highly secure, internally controlled environments, primarily used for intranets and extranets.
QUESTION NO: 13
You are a security administrator for TestKing. The network consists of two Active Directory forests named testking.com and public.testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.
The network consists of an IEEE 802.11b wireless LAN (WLAN). Employees and external users use the WLAN. User accounts for employees are located in the testking.com forest. User accounts for external users are located in the public.testking.com forest. External users' computers do not have computer accounts in the public.testking.com forest.
To increase security, you upgrade the network hardware to support IEEE 802.1x. You configure a public key infrastructure (PKI). You issue Client Authentication certificates to employees, to client computers used by employees, and to external users.
You need to configure the WLAN to authenticate employees and external users.
What should you do?
A. Configure each wireless access point to forward RADIUS requests to a server running Internet Authentication Service (IAS).
Configure the IAS server to use a connection request policy to forward the requests to the appropriate forest.
B. Configure each wireless access point to forward requests to an Internet Authentication Service (IAS) server in the testking.com forest.
Configure the IAS server in the testking.com forest to use the Tunnel-Server-Endpt attribute.
C. Use the Connection Manager Administration Kit (CMAK).
Configure one connection profile for external users.
Configure a second connection profile for employees.
D. Establish a forest trust relationship between the testking.com forest and the public.testking.com forest.
Answer: A
Explanation:
Connection request policies
Connection request policies are sets of conditions and profile settings that give network administrators flexibility in configuring how incoming authentication and accounting request messages are handled by the IAS server. With connection request policies, you can create a series of policies so that some RADIUS request messages sent from RADIUS clients are processed locally (IAS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (IAS is being used as a RADIUS proxy). This capability allows IAS to be deployed in many new RADIUS scenarios.
With connection request policies, you can use IAS as a RADIUS server or as a RADIUS proxy, based on the time of day and day of the week, by the realm name in the request, by the type of connection being requested, by the IP address of the RADIUS client, and so on.
It is important to remember that with connection request policies, a RADIUS request message is processed only if the settings of the incoming RADIUS request message match at least one of the connection request policies. For example, if the settings of an incoming RADIUS Access-Request message do not match at least one of the connection request policies, an Access-Reject message is sent.
For more information about how incoming RADIUS request messages from RADIUS clients are processed, see Processing a connection request.
Authentication
You can set the following authentication options that are used for RADIUS Access-Request messages:
Authenticate requests on this server.
Use a Windows NT 4.0 domain or the Active Directory directory service, or the local Security Account Manager (SAM) on Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; for both authentication and the matching remote access policy and user account dial-in properties for authorization. In this case, the IAS server is being used as a RADIUS server.
Forward requests to another RADIUS server in a remote RADIUS server group.
Forward the Access-Request message to another RADIUS server in a specified remote RADIUS server group. If the IAS server receives a valid Access-Accept message that corresponds to the Access-Request message, the connection attempt is considered authenticated and authorized. In this case, the IAS server is being used as a RADIUS proxy.
Accept the connection attempt without performing authentication or authorization.
Do not check authentication of the user credentials and authorization of the connection attempt. An Access-Accept message is immediately sent to the RADIUS client. This setting is used for some types of compulsory tunneling where the access client is tunneled before the user's credentials are authenticated. For more information, see IAS and tunnels.
This authentication option cannot be used when the access client's authentication protocol is MS-CHAP v2 or EAP-TLS, both of which provide mutual authentication. (An authentication protocol is the protocol by which an entity on a network proves its identity to a remote entity. Typically, identity is proved with the use of a secret key, such as a password, or with a stronger key, such as the key on a smart card. Some authentication protocols also implement mechanisms to share keys between client and server to provide message integrity or privacy.) In mutual authentication, the access client proves that it is a valid access client to the authenticating server (the IAS server), and the authenticating server proves that it is a valid authenticating server to the access client. When this authentication option is used, the Access-Accept message is returned. However, the authenticating server does not provide validation to the access client and mutual authentication fails.
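The connection request policy behaviour described above (process locally, forward to a remote RADIUS server group, or Access-Reject when nothing matches), as an added example that is not from the exam material or from IAS itself: a small model of the two-forest scenario in which employee realms are authenticated locally and public.testking.com realms are proxied. The policy set, the AP address range, the hours and the ordered first-match evaluation are all assumptions of this model; real IAS realm conditions use pattern rules on User-Name.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class AccessRequest:
    """Attributes of a RADIUS Access-Request as relayed by a wireless AP (constructed)."""
    user_name: str        # "user@realm" or "REALM\\user"
    client_ip: str        # the RADIUS client that sent it, i.e. the access point
    nas_port_type: str    # e.g. "Wireless-IEEE 802.11"
    hour: int             # local hour of day, 0-23


@dataclass
class ConnectionRequestPolicy:
    name: str
    conditions: List[Callable[[AccessRequest], bool]]
    action: str                                 # "local" or "forward"
    remote_server_group: Optional[str] = None   # only meaningful for "forward"


def realm_of(user_name: str) -> str:
    """Realm name derived from User-Name (simplified; IAS uses pattern rules)."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    return ""


def evaluate(policies: List[ConnectionRequestPolicy],
             request: AccessRequest) -> Tuple[str, Optional[str]]:
    """The first policy whose conditions all match decides what happens to the
    request; if none matches, the server answers with Access-Reject."""
    for policy in policies:
        if all(condition(request) for condition in policy.conditions):
            return policy.action, policy.remote_server_group
    return "reject", None


def is_wireless(req: AccessRequest) -> bool:
    return req.nas_port_type == "Wireless-IEEE 802.11"


def from_corporate_ap(req: AccessRequest) -> bool:
    return req.client_ip.startswith("10.20.")      # constructed AP address range


def during_business_hours(req: AccessRequest) -> bool:
    return 7 <= req.hour < 19


def realm_is(realm: str) -> Callable[[AccessRequest], bool]:
    return lambda req: realm_of(req.user_name) == realm


# Constructed policy set for the two-forest scenario: external users are proxied
# to IAS in public.testking.com, employees are authenticated on this server.
POLICIES = [
    ConnectionRequestPolicy(
        "External users -> public.testking.com",
        [is_wireless, from_corporate_ap, realm_is("public.testking.com"),
         during_business_hours],
        "forward", remote_server_group="IAS-public.testking.com"),
    ConnectionRequestPolicy(
        "Employees -> authenticate on this server",
        [is_wireless, from_corporate_ap, realm_is("testking.com")],
        "local"),
]


def route(user_name: str, client_ip: str = "10.20.1.10",
          port_type: str = "Wireless-IEEE 802.11", hour: int = 10):
    """Decide the fate of one request against POLICIES."""
    return evaluate(POLICIES, AccessRequest(user_name, client_ip, port_type, hour))


if __name__ == "__main__":
    for name in ("jdoe@testking.com", "guest@public.testking.com", "x@example.com"):
        print(name, "->", route(name))
```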
802.1x authentication
For enhanced security, you can enable IEEE 802.1x authentication. IEEE 802.1x authentication provides authenticated access to 802.11 wireless networks and to wired Ethernet networks. IEEE 802.1x minimizes wireless network security risks, such as unauthorized access to network resources and eavesdropping, by providing user and computer identification, centralized authentication, and dynamic key management. IEEE 802.1x supports Internet Authentication Service (IAS), which implements the Remote Authentication Dial-In User Service (RADIUS) protocol. Under this implementation, a wireless access point that is configured as a RADIUS client sends a connection request and accounting messages to a central RADIUS server. The central RADIUS server processes the request and grants or rejects the connection request. If the request is granted, the client is authenticated, and unique keys (from which the WEP key is derived) can be generated for that session, depending on the authentication method chosen. The support that IEEE 802.1x provides for Extensible Authentication Protocol (EAP) security types allows you to use authentication methods such as smart cards, certificates, and the Message Digest 5 (MD5) algorithm.
With IEEE 802.1x authentication, you can specify whether the computer attempts authentication to the network if the computer requires access to network resources whether a user is logged on or not. For example, data center operators who manage remotely administered servers can specify that the servers should attempt authentication to access the network resources. You can also specify whether the computer attempts authentication to the network if user or computer information is not available. For example, Internet service providers (ISPs) can use this authentication option to allow users access to free Internet services, or to Internet services that can be purchased. A corporation can grant visitors limited guest access, so that they can access the Internet, but not confidential network resources.
Understanding 802.1x authentication
IEEE 802.1x is a draft standard for port-based network access control, which provides authenticated network access to 802.11 wireless networks and to wired Ethernet networks. Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases where the authentication process fails.
During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.
The authenticator's port-based network access control defines two logical access points to the LAN, through one physical LAN port. The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state. The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator.
IEEE 802.1x uses standard security protocols, such as RADIUS, to provide centralized user identification, authentication, dynamic key management, and accounting.
For an example of wireless access using the Internet Authentication Service (IAS) as a RADIUS server, see Wireless access example.
If you want to configure IAS for wireless access, see Checklist: Configuring IAS for wireless access.
If you want to configure IAS as a RADIUS server in a wireless environment, see Checklist: Wireless access.
To set up 802.1x authentication
1. Open Network Connections.
2. Right-click the connection for which you want to enable or disable IEEE 802.1x authentication, and then click Properties.
3. On the Authentication tab, do one of the following:
- To enable IEEE 802.1x authentication for this connection, select the Network access control using IEEE 802.1X check box. This check box is selected by default.
- To disable IEEE 802.1x authentication for this connection, clear the Network access control using IEEE 802.1X check box.
4. In EAP type, click the Extensible Authentication Protocol type to be used with this connection.
5. If you select Smart Card or other Certificate in EAP type, you can configure additional properties if you click Properties and, in Smart Card or other Certificate Properties, do the following:
- To use the certificate that resides on your smart card for authentication, click Use my smart card.
- To use the certificate that resides in the certificate store on your computer for authentication, click Use a certificate on this computer.
- To verify that the server certificate presented to your computer is still valid, select the Validate server certificate check box, specify whether to connect only if the server resides within a particular domain, and then specify the trusted root certification authority.
- To use a different user name when the user name in the smart card or certificate is not the same as the user name in the domain to which you are logging on, select the Use a different user name for the connection check box.
6. To specify whether the computer should attempt authentication to the network if a user is not logged on and/or if the computer or user information is not available, do the following:
- To specify that the computer attempt authentication to the network if a user is not logged on, select the Authenticate as computer when computer information is available check box.
- To specify that the computer attempt authentication to the network if user information or computer information is not available, select the Authenticate as guest when user or computer information is unavailable check box. This check box is selected by default.
QUESTION NO: 14
You are the security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. Servers on the network run Windows Server 2003. All computers are in the domain.
You enable Remote Desktop for Administration on a member server named TestKing1.
You want to allow members of a domain global group named Server Managers to create a Remote Desktop connection to TestKing1. The members of the Server Managers group are not in the Administrators group on TestKing1.
What should you do?
A. Grant the Server Managers group Read permission on the Terminal Services service.
B. Grant the Server Managers group Connect permission on the RDP-Tcp connection.
C. Assign the Allow log on locally right to the Server Managers group.
D. Add the Server Managers group to the Remote Desktop Users group.
Answer: D
Explanation:
To add users to the Remote Desktop Users group
1. Open Computer Management.
2. In the console tree, click the Local Users and Groups node.
3. In the details pane, double-click the Groups folder.
4. Double-click Remote Desktop Users, and then click Add...
5. On the Select Users dialog box, click Locations... to specify the search location.
6. Click Object Types... to specify the types of objects you want to search for.
7. Type the name you want to add in the Enter the object names to select (examples): box.
8. Click Check Names.
9. When the name is located, click OK.
Note:
By default, the Remote Desktop Users group is not populated. You must decide which users and groups should have permission to log on remotely, and then manually add them to the group.
To open Computer Management, click Start, and then click Control Panel. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer Management.
QUESTION NO: 15
You are a security administrator for TestKing. The network consists of seven Active Directory domains. These domains are in the same Active Directory forest. All seven Active Directory domains operate at the Windows Server 2003 domain functional level.
Each domain contains an internal Web site that is used to publish information to the TestKing managers. Access to the information on these Web sites must not be restricted to managers. An existing global group in each domain contains the management user accounts that exist in that domain.
You need to restrict access to the internal Web sites to TestKing managers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Create a universal group in one of the Active Directory domains.
Add the existing management global groups as members of the universal group.
Assign only this universal group permissions to access the Web sites.
B. Create a global group in one of the Active Directory domains.
Add the existing management global groups as members of the global group.
Assign only this global group permissions to access the Web sites.
C. Create a domain local group in one of the Active Directory domains.
Add the existing management global groups as members of the domain local group.
Assign only this domain local group permissions to access the Web sites.
D. Assign only the existing management global groups permissions to access the Web sites.
Answer: A
Explanation:
The members that each type of security group scope can have depend on the domain functional level. When the domain functional level is set to Windows 2000 native mode or higher, each type of group can contain the following members:
Universal: accounts from any domain, global groups from any domain, and universal groups from any domain
Global: accounts from the same domain, and global groups from the same domain
Domain local: accounts from any domain, global groups from any domain, universal groups from any domain, and domain local groups from the same domain
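The scope rules just listed, as an added example that is not from the exam material: a small checker that applies them to the nesting designs in the answer options, using made-up domain names for the seven domains. The mixed-mode branch encodes the page's rule that universal groups are available only in native mode domains; the functional-level labels and the group names are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str       # "account", "global", "universal" or "domain local"


# Allowed members per container scope at Windows 2000 native level or higher,
# transcribed from the rules above. The value says whether the member may come
# from "any" domain in the forest or only the "same" domain as the container.
MEMBERSHIP_RULES = {
    "universal":    {"account": "any", "global": "any", "universal": "any"},
    "global":       {"account": "same", "global": "same"},
    "domain local": {"account": "any", "global": "any", "universal": "any",
                     "domain local": "same"},
}


def can_contain(container: Principal, member: Principal,
                functional_level: str = "native") -> bool:
    """True if `member` may be nested in `container` under the rules above."""
    if functional_level == "mixed" and "universal" in (container.kind, member.kind):
        return False        # universal security groups exist only in native mode
    allowed = MEMBERSHIP_RULES[container.kind].get(member.kind)
    if allowed is None:
        return False
    return allowed == "any" or member.domain == container.domain


def violations(container: Principal, members: List[Principal],
               functional_level: str = "native") -> List[str]:
    """Every proposed member that the scope rules do not permit."""
    return [f"{m.domain}\\{m.name} cannot be a member of {container.kind} "
            f"group {container.name}"
            for m in members if not can_contain(container, m, functional_level)]


# Constructed model of the scenario: seven domains in one forest, each holding
# a global group of managers. Domain names are made up.
DOMAINS = [f"dom{i}.testking.com" for i in range(1, 8)]
MANAGER_GROUPS = [Principal("Managers", d, "global") for d in DOMAINS]


def check_option(scope: str, functional_level: str = "native") -> List[str]:
    """Create the nesting group with `scope` in the first domain and try to add
    all seven management global groups; returns the rule violations found."""
    container = Principal("AllManagers", DOMAINS[0], scope)
    return violations(container, MANAGER_GROUPS, functional_level)


if __name__ == "__main__":
    for scope in ("universal", "global", "domain local"):
        problems = check_option(scope)
        status = "ok" if not problems else f"{len(problems)} violations"
        print(f"{scope:12s}: {status}")
```

The global-group design fails for the six groups that live in other domains, which is why option B cannot work regardless of administrative effort.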
Objective: Planning, Configuring and Troubleshooting=20
Authentication, Authorization and PKI=20
Sub-Objective: 4.2.2 Plan security group scope.=20
Domain Migration Cookbook
Chapter 2: Domain Upgrade
Global Groups
Windows 2000 global groups are effectively the same as Windows NT global groups. In terms of membership, they have domain-wide scope, but can be granted permissions in any domain, even in other forests and earlier version domains as long as a trust relationship exists.
Universal Groups
Universal groups can contain members from any Windows 2000 domain in the forest, but cannot contain members from outside the forest. You can grant universal groups permissions in any domain, even in other forests, as long as a trust relationship exists. Although universal groups can have members from mixed mode domains in the same forest, the universal group will not be added to the access token of these members because universal groups are not available in mixed mode.
You can add users to a universal group, but it is recommended that you restrict universal group membership to global groups. Universal groups are available only in native mode domains.
Use of Universal Groups
Universal groups have a number of important characteristics. You can use universal groups to build groups that perform a common function within an enterprise. One example might be virtual teams. The membership of such teams in a large company would probably be nationwide or even worldwide, and almost certainly forest-wide, with the team resources being similarly distributed. Universal groups could be used as a container in these circumstances to hold global groups from each subsidiary or department, with a single access control entry (ACE) for the universal group to protect the team resources.
In using universal groups, an important factor to consider is that while global and domain local groups are listed in the global catalog (GC), their members are not, whereas universal groups and their members are listed, a fact that has implications for GC replication traffic. Exercise care in the use of universal groups. As a guide, if your entire network has high-speed connectivity, you can simply use universal groups for all of your groups and benefit from not having to bother with managing global groups and domain local groups. If, however, your network spans wide area networks (WANs), you can improve performance in several ways by using global groups and domain local groups. If you use global groups and domain local groups, you can also designate any widely used groups that are seldom changed as universal groups.
Universal Groups and Access Tokens
The previous discussion of universal group membership touched on the fact that universal groups can contain members from mixed mode domains, but that such members will not have the universal group's SID in their access token. This is a consequence of the way access tokens are created in Windows 2000. When a user logs on to a Windows 2000 native mode domain and has been authenticated, the Local Security Authority (LSA) on the domain controller where the user was authenticated retrieves the user's global group memberships. The LSA then passes this information down to the workstation, where it is used to build the user's access token. At the same time, the LSA queries the GC for the user's universal group memberships, which it also passes to the workstation. If a user is a member of a universal group, the SID of that group is included in the access token on the workstation, and is added to the authorization data in the TGT issued by the KDC. Universal groups are not added to access tokens at any other time (for example, when impersonation tokens are created at member servers). As a consequence, if the universal group SID is not available when the user logs on (for example, where the user is logging on to a mixed mode domain), it will not be added subsequently.
Nesting Groups
It is recommended that you do not create groups with more than 5,000 members. This guideline is based on the fact that updates to the Active Directory store have to be capable of being made in a single transaction. Because group memberships are stored in a single multivalue attribute, a change to the membership would result in the whole attribute (in other words, the whole membership list) having to be updated in a single transaction. Microsoft has tested and supports group memberships of up to 5,000 members. You can get around this limitation by nesting groups to increase the effective number of members. A further consequence is that you also reduce the replication traffic caused by replication of group membership changes. Your nesting options depend on whether the domain is in native mode or mixed mode. The following list describes what can be contained in a group that exists in a native mode domain. These rules are determined by the scope of the group.
- Universal groups can contain user accounts, computer accounts, other universal groups, and global groups from any domain.
- Global groups can contain user accounts from the same domain and other global groups from the same domain.
- Domain local groups can contain user accounts, universal groups, and global groups from any domain. They also can contain other domain local groups from within the same domain.
This list describes what security groups in a mixed mode domain can contain:
- Local groups can contain global groups and user accounts from trusted domains.
- Global groups can contain only user accounts.
References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326265
Description of the Group Scopes That You Can Use to Help Secure Active Directory Objects
http://support.microsoft.com/default.aspx?scid=kb;en-us;318862
Universal Group Scope Is Incorrectly Documented in Windows 2000 Help
QUESTION NO: 16
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional.
Users store files on a server named TestKing1. These files are confidential and must be encrypted at all times while on TestKing1.
You configure a new certification authority (CA) and issue certificates that support Encrypting File System (EFS) to all users. Users report that they cannot encrypt files that are stored on TestKing1. They report that they can encrypt files that are stored locally on their client computers.
You need to ensure that users can encrypt files that are stored on TestKing1.
What should you do?
A. Enroll TestKing1 for a Computer certificate that supports file encryption.
B. Configure a new EFS recovery agent.
Deploy the EFS recovery agent by using Active Directory.
C. Configure the TestKing1 computer account to be trusted for delegation.
D. Enroll each client computer for a Computer certificate that supports file encryption.
Answer: C
Explanation:
Unable to Encrypt Files
If you find that you are unable to encrypt files or folders, one of the following might be the cause:
- The file is not on an NTFS volume.
- You do not have Write access to the file.
If you are having trouble encrypting a remote file, check to see that your user profile is available for EFS to use on that computer (this typically means having a roaming user profile), make sure the remote computer is trusted for delegation, and make sure your account is configured to enable delegation. Sensitive accounts are not enabled for delegation by default, so users like Enterprise Administrator might not be able to encrypt or decrypt files remotely.
Note: Sometimes users think that a file is not encrypted because they can open it and read the file. You can verify whether a file is encrypted by checking the file's attributes. For more information about formatting volumes as NTFS, see Windows XP Professional Help and Support Center. For more information about the encryption process, requirements, and procedures, see "Encrypting and Decrypting By Using EFS" earlier in this chapter.
For more information about remote EFS operations, see "Remote EFS Operations in a File Share Environment" earlier in this chapter.
Unable to Decrypt Remote Files
The following are the major causes of and solutions for remote decryption failure (usually indicated by an "Access is denied" message):
- The computer on which the encrypted file is stored is not trusted for delegation. Every computer that stores encrypted files for remote access must be trusted for delegation. To check a computer's delegation status, open the computer's properties sheet in the Active Directory Users and Computers snap-in.
- The user account that EFS needs to impersonate cannot be delegated. To check a user's delegation status, open the user's Properties sheet in the Active Directory Users and Computers snap-in.
- The user's profile is not available. Using roaming user profiles is the solution for this problem.
- One of the user's profiles is available, but it does not contain the correct private key. Using roaming user profiles is the solution for this problem.
For more information about the decryption process, requirements, and procedures, see "Encrypting and Decrypting By Using EFS" earlier in this chapter.
For more information about remote EFS operations, see "Remote EFS Operations in a File Share Environment" earlier in this chapter.
QUESTION NO: 17
You are a security administrator for TestKing. The network consists of a single Active Directory forest that contains three domains in a single domain tree. All servers run Windows Server 2003. All computers are members of the domains. The functional level of the forest is Windows 2000. The functional level of each domain is Windows Server 2003.
All users in the forest are in the root domain. The two child domains contain client computer accounts and server accounts. Only the root domain contains global catalog servers.
TestKing uses an application that stores data in a custom application directory partition. The application runs on domain controllers in all three domains.
You add the users that manage the data in the custom application directory partition to a global group named App Managers. You add the App Managers group to a domain local group named App Data. You assign the App Data group the Allow - Modify permission for all objects in the custom application directory partition.
Some users in the App Managers group report that they receive an Access Denied message when they attempt to access the application data. Other users in the App Managers group can successfully access the application data in the application directory partition.
You need to ensure that all users in the App Managers group can access the application data successfully.
What should you do?
A. Raise the functional level of the forest to Windows Server 2003.
B. Change the scope of the App Data group to universal.
C. Install a global catalog server in the two child domains.
D. Create a two-way shortcut trust relationship between the two child domains.
E. Assign the App Managers group the Allow - Allowed to Authenticate permission on all domain controllers that run the application.
Answer: B
Explanation:
The members that each type of security group scope can have depend on the domain functional level. When the domain functional level is set to Windows 2000 native mode or higher, each type of group can contain the following members:
Universal: accounts from any domain, global groups from any domain, and universal groups from any domain
Global: accounts from the same domain, and global groups from the same domain
Domain local: accounts from any domain, global groups from any domain, universal groups from any domain, and domain local groups from the same domain
Objective: Planning, Configuring and Troubleshooting Authentication, Authorization and PKI
Sub-Objective: 4.2.2 Plan security group scope.
http://www.microsoft.com/technet/pro.../windows2000serv/deploy/cookbook/cookchp2.mspx
Domain Migration Cookbook
Chapter 2: Domain Upgrade
Global Groups
Windows 2000 global groups are effectively the same as Windows NT global groups. In terms of membership, they have domain-wide scope, but can be granted permissions in any domain, even in other forests and earlier version domains as long as a trust relationship exists.
Universal Groups
Universal groups can contain members from any Windows 2000 domain in the forest, but cannot contain members from outside the forest. You can grant universal groups permissions in any domain, even in other forests, as long as a trust relationship exists. Although universal groups can have members from mixed mode domains in the same forest, the universal group will not be added to the access token of these members because universal groups are not available in mixed mode.
You can add users to a universal group, but it is recommended that you restrict universal group membership to global groups. Universal groups are available only in native mode domains.
Use of Universal Groups
Universal groups have a number of important characteristics. You can use universal groups to build groups that perform a common function within an enterprise. One example might be virtual teams. The membership of such teams in a large company would probably be nationwide or even worldwide, and almost certainly forest-wide, with the team resources being similarly distributed. Universal groups could be used as a container in these circumstances to hold global groups from each subsidiary or department, with a single access control entry (ACE) for the universal group to protect the team resources.
In using universal groups, an important factor to consider is that while global and domain local groups are listed in the global catalog (GC), their members are not, whereas universal groups and their members are listed, a fact that has implications for GC replication traffic. Exercise care in the use of universal groups. As a guide, if your entire network has high-speed connectivity, you can simply use universal groups for all of your groups and benefit from not having to bother with managing global groups and domain local groups. If, however, your network spans wide area networks (WANs), you can improve performance in several ways by using global groups and domain local groups. If you use global groups and domain local groups, you can also designate any widely used groups that are seldom changed as universal groups.
Universal Groups and Access Tokens
The previous discussion of universal group membership touched on the fact that universal groups can contain members from mixed mode domains, but that such members will not have the universal group's SID in their access token. This is a consequence of the way access tokens are created in Windows 2000. When a user logs on to a Windows 2000 native mode domain and has been authenticated, the Local Security Authority (LSA) on the domain controller where the user was authenticated retrieves the user's global group memberships. The LSA then passes this information down to the workstation, where it is used to build the user's access token. At the same time, the LSA queries the GC for the user's universal group memberships, which it also passes to the workstation. If a user is a member of a universal group, the SID of that group is included in the access token on the workstation, and is added to the authorization data in the TGT issued by the KDC. Universal groups are not added to access tokens at any other time (for example, when impersonation tokens are created at member servers). As a consequence, if the universal group SID is not available when the user logs on (for example, where the user is logging on to a mixed mode domain), it will not be added subsequently.
Nesting Groups
It is recommended that you do not create groups with more than 5,000 members. This guideline is based on the fact that updates to the Active Directory store have to be capable of being made in a single transaction. Because group memberships are stored in a single multivalue attribute, a change to the membership would result in the whole attribute (in other words, the whole membership list) having to be updated in a single transaction. Microsoft has tested and supports group memberships of up to 5,000 members. You can get around this limitation by nesting groups to increase the effective number of members. A further consequence is that you also reduce the replication traffic caused by replication of group membership changes. Your nesting options depend on whether the domain is in native mode or mixed mode. The following list describes what can be contained in a group that exists in a native mode domain. These rules are determined by the scope of the group.
- Universal groups can contain user accounts, computer accounts, other universal groups, and global groups from any domain.
- Global groups can contain user accounts from the same domain and other global groups from the same domain.
- Domain local groups can contain user accounts, universal groups, and global groups from any domain. They also can contain other domain local groups from within the same domain.
This list describes what security groups in a mixed mode domain can contain:
- Local groups can contain global groups and user accounts from trusted domains.
- Global groups can contain only user accounts.
References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326265
Description of the Group Scopes That You Can Use to Help Secure Active Directory Objects
http://support.microsoft.com/default.aspx?scid=kb;en-us;318862
Universal Group Scope Is Incorrectly Documented in Windows 2000 Help
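The explanations for the preceding question and for Question 17 both rest on the same containment lists (native mode and mixed mode) and on the access-token passage. The Python model below is an added example, not part of the TestKing material and not Microsoft code: it turns those lists into a checker, walks nested memberships, and applies the rule that global memberships reach the logon token in every mode while universal memberships do so only when the logon domain is native mode. The domain names, the management groups and the user account are constructed placeholders.

```python
"""Security group scope rules as a checkable model.

Added example, not part of the TestKing material or any Microsoft code.
It encodes the native-mode and mixed-mode containment lists from the
explanation above and the logon-token behaviour from "Universal Groups
and Access Tokens". Domain names, group names and the user account are
constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List

NATIVE, MIXED = "native", "mixed"
ACCOUNT, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "account", "global", "domain local", "universal"


@dataclass
class Principal:
    name: str
    domain: str
    kind: str                                   # ACCOUNT, GLOBAL, DOMAIN_LOCAL or UNIVERSAL
    members: List["Principal"] = field(default_factory=list)


def can_contain(container: Principal, member: Principal, mode: str) -> bool:
    """Containment rules by scope, for the mode of the container's domain."""
    same = container.domain == member.domain
    if mode == MIXED:
        # Mixed mode: universal groups are unavailable, global groups hold only
        # user accounts, and (domain) local groups hold global groups and accounts.
        if container.kind == GLOBAL:
            return member.kind == ACCOUNT and same
        if container.kind == DOMAIN_LOCAL:
            return member.kind in (ACCOUNT, GLOBAL)
        return False
    if container.kind == UNIVERSAL:
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)      # from any domain
    if container.kind == GLOBAL:
        return member.kind in (ACCOUNT, GLOBAL) and same        # same domain only
    if container.kind == DOMAIN_LOCAL:
        if member.kind == DOMAIN_LOCAL:
            return same                                         # nested domain local: same domain
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    return False


def nesting_violations(groups: List[Principal], mode: str) -> List[str]:
    """Every direct container/member pair in `groups` that the rules forbid."""
    return [f"{g.kind} {g.name} cannot contain {m.kind} {m.name} ({m.domain})"
            for g in groups for m in g.members if not can_contain(g, m, mode)]


def memberships(user: Principal, groups: List[Principal]) -> List[Principal]:
    """Groups that hold `user` directly or through nesting, at any depth."""
    parents: Dict[str, List[Principal]] = {}
    for g in groups:
        for m in g.members:
            parents.setdefault(m.name, []).append(g)
    found, queue = [], [user.name]
    while queue:
        for g in parents.get(queue.pop(), []):
            if g not in found:
                found.append(g)
                queue.append(g.name)
    return found


def logon_token_groups(user: Principal, groups: List[Principal], logon_mode: str) -> List[str]:
    """Group names that reach the access token at logon according to the passage:
    global memberships come from the authenticating DC in every mode; universal
    memberships come from the GC and are added only when the domain is native mode."""
    return sorted(g.name for g in memberships(user, groups)
                  if g.kind == GLOBAL or (g.kind == UNIVERSAL and logon_mode == NATIVE))


def management_scenario(container_kind: str):
    """Constructed forest: one management global group per domain, all nested
    into a single group of the requested scope that is granted Web site access."""
    alice = Principal("alice", "na.testking.com", ACCOUNT)
    mgmt = [Principal(f"Mgmt-{d}", f"{d}.testking.com", GLOBAL) for d in ("na", "eu", "ap")]
    mgmt[0].members.append(alice)
    holder = Principal("AllManagers", "na.testking.com", container_kind, members=list(mgmt))
    return alice, mgmt + [holder]


if __name__ == "__main__":
    for kind in (UNIVERSAL, GLOBAL, DOMAIN_LOCAL):
        _, groups = management_scenario(kind)
        print(kind, "->", nesting_violations(groups, NATIVE) or "ok")
    alice, groups = management_scenario(UNIVERSAL)
    print("native token:", logon_token_groups(alice, groups, NATIVE))
    print("mixed token: ", logon_token_groups(alice, groups, MIXED))
```

Running it shows that a global container cannot hold the other domains' management groups at all, that a universal container holds them in native mode but is unusable in mixed mode, and that alice's token carries the universal group's name only when she logs on to a native mode domain.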
QUESTION NO: 18
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains Windows XP Professional client computers and Windows Server 2003 computers.
You install Certificate Services to issue certificates to employees for secure e-mail encryption and Web site authentication. You revoke the certificates used by an employee when that employee leaves the company. Several thousand certificates are currently revoked, and multiple revocations occur daily. TestKing e-mail and Web applications already use strong revocation checking of certificates.
You need to reduce the time it takes for client computers to find out about certificate revocations and to process certificate revocation information. You also need to limit the negative impact that this change will have on network performance.
What should you do?
A. In the Certification Authority console, open the Revoked Certificates properties.
Set the Delta Certificate Revocation List (CRL) publication interval to one hour.
B. In the Certification Authority console, open the Revoked Certificates properties.
Set the full Certificate Revocation List (CRL) publication interval to one hour.
C. In the Certification Authority console, highlight Revoked Certificates, and then select the option to publish a full CRL after you revoke a certificate.
D. In the Certification Authority console, highlight Revoked Certificates, and then select the Refresh option.
Answer: A
Explanation:
Certificate revocation
A certificate has a specified lifetime, but CAs can reduce this lifetime by the process known as certificate revocation. The CA publishes a certificate revocation list (CRL) that lists serial numbers of certificates that it regards as no longer valid. The specified lifetime of CRLs is typically much shorter than that of a certificate.
The CA might also include in the CRL the reason the certificate has been revoked. A revocation might occur because a private key has been compromised, because a certificate has been superseded, or because an employee has left the company. The CRL also includes the date the certificate was revoked. During signature verification, applications can check the CRL to determine whether a given certificate and key pair are still trustworthy. Applications can also determine whether the reason or date of the revocation affects the use of the certificate in question. If the certificate is being used to verify a signature, and the date on the signature precedes the date of the revocation of the certificate by the CA, the signature can still be considered valid.
Off the Record: Most applications do not analyze the reason code. If a certificate is revoked, it's revoked. The reason code just isn't that important. To reduce the number of requests sent to the CA, the CRL is generally cached by the client, which can use it until it expires. If a CA publishes a new CRL, applications that have a valid CRL do not usually use the new CRL until the one they have expires.
Installing, Configuring, and Managing Certification Services - Off the Record: The CRL contains the reason code you select for revoking the certificate. Before you select the reason code, think about whether you really want everyone who can access the CRL to know why you revoked it. If you did have a key compromise or a CA compromise, are you ready for that to be public information? If not, just select Unspecified.
Clients discover that a certificate has been revoked by retrieving the certificate revocation list (CRL). There are two kinds of CRLs: full CRLs, which contain a complete list of all of a CA's revoked certificates, and delta CRLs. Delta CRLs are shorter lists of certificates that have been revoked since the last full CRL was published. After a client retrieves a full CRL, the client can download the shorter delta CRL to discover newly revoked certificates.
See Also: For detailed information about CRLs, read the white paper "Troubleshooting Certificate Status and Revocation":
http://www.microsoft.com/technet/pro.../winxppro/support/tshtcrl.mspx
Troubleshooting Certificate Status and Revocation
Optimizing Delta CRLs
While Delta CRLs in themselves optimize the revocation checking process, you can further optimize the Delta CRL process by reducing the number of Base CRL fetches. This means that any client who has that oldest Base CRL will not be forced to download a new Base CRL until it expires. This minimizes the number of times a Base CRL is retrieved by the client, but increases the size of the Delta CRL. The Windows .NET Certificate Authority is primarily configured to ensure that the smallest Delta CRL sizes are used. If it is desired to optimize Base CRL usage, longer lifetimes should be applied to the Base CRL publication period.
http://www.microsoft.com/technet/sec...pics/crypto/tshtcrl.mspx?#i
Troubleshooting Certificate Status and Revocation
Delta CRLs
One of the biggest decisions faced by a CA administrator is determining the publication schedule for CRLs. If a CA publishes a complete CRL frequently, then clients are aware of a newly revoked certificate very quickly. However, this causes higher amounts of network traffic due to the more frequent downloading of the updated CRL to all clients. If a CA publishes CRLs less often, this reduces the amount of network traffic, but increases the latency before a client is aware of a newly revoked certificate.
If a CA revokes a large number of certificates, the base CRL can grow to be larger than 1 MB in size. If the CRL is published at frequent intervals, this can result in problems for clients connecting over slow connections. Alternatively, if the base CRL is published at longer intervals, this can result in the CRL information being out of date and reducing the validity of the CRL information.
Delta CRLs, defined in RFC 2459, address these problems by publishing changes to a Base CRL (bCRL) in a smaller file known as a Delta CRL (sCRL). When Delta CRLs are implemented, a client can download a Base CRL at longer intervals, and then download smaller Delta CRLs at shorter intervals to validate any presented certificates. The Delta CRLs can be published at very short intervals, such as once an hour, to increase the confidence in the certificates being validated. All of the time information stored in CRLs is stored as UTC.
Note: This does not eliminate the requirement to download the larger Base CRLs. The Base CRL must be downloaded initially and when the previous Base CRL expires. The Delta CRL can force the client to retrieve a more recent Base CRL even though the current Base CRL is still time valid. This is achieved by having the Delta CRL point to a higher number Base CRL.
When Delta CRLs are implemented, only changes from a Base CRL are published in a Delta CRL, resulting in a reduction in the size of the CRLs downloaded to the clients. This reduction in size allows for more frequent publishing of the CRL with both a minimal impact on the network infrastructure, and an improvement on the up-to-datedness of CRL information.
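The client-side behaviour the passage describes (cache a base CRL until it expires, fetch the small delta on a short cycle, treat a delta that names a higher base CRL number as an order to refetch the base, and accept a signature made before the revocation date) can be put into a few dozen lines. The model below is an added example, not from the page, from Microsoft or from any CRL library: CRLs are plain records rather than X.509 structures, and every serial number, CRL number, reason code and timestamp is constructed.

```python
"""Client-side base CRL / delta CRL cache following the policy described above.

Added example; it is not from the page, from Microsoft or from any CRL library.
X.509/ASN.1 is left out: CRLs are plain records, and every serial number, CRL
number, reason code and timestamp is constructed. All times are UTC, as the
text notes CRL times are.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MIN, HOUR, DAY = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)
T0 = datetime(2004, 1, 5, 9, 0, tzinfo=timezone.utc)        # constructed clock start

Entry = Tuple[datetime, str]                                 # (revocation date, reason code)


@dataclass
class Crl:
    number: int                         # CRL number, increases with each publication
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, Entry]           # serial number -> entry
    base_number: Optional[int] = None   # a delta CRL carries the number of the base it extends

    def expired(self, now: datetime) -> bool:
        return now >= self.next_update


class ConstructedCa:
    """Toy CA: a long-lived base CRL and a short-lived delta CRL that lists only
    the revocations made since that base was published."""

    def __init__(self, base_life: timedelta = 7 * DAY, delta_life: timedelta = HOUR):
        self.base_life, self.delta_life = base_life, delta_life
        self.revoked: Dict[int, Entry] = {}
        self.next_number = 1
        self.base: Optional[Crl] = None
        self.delta: Optional[Crl] = None

    def revoke(self, serial: int, when: datetime, reason: str = "unspecified") -> None:
        self.revoked[serial] = (when, reason)

    def publish_base(self, now: datetime) -> None:
        self.base = Crl(self.next_number, now, now + self.base_life, dict(self.revoked))
        self.next_number += 1

    def publish_delta(self, now: datetime) -> None:
        since_base = {s: e for s, e in self.revoked.items() if s not in self.base.revoked}
        self.delta = Crl(self.next_number, now, now + self.delta_life, since_base,
                         base_number=self.base.number)
        self.next_number += 1


class RevocationCache:
    """What a relying client keeps: a cached base and delta, each reused until it expires."""

    def __init__(self) -> None:
        self.base: Optional[Crl] = None
        self.delta: Optional[Crl] = None
        self.downloads: List[Tuple[str, int]] = []     # (kind, CRL number) in download order

    def _fetch_base(self, ca: ConstructedCa) -> None:
        self.base = ca.base
        self.downloads.append(("base", self.base.number))

    def refresh(self, now: datetime, ca: ConstructedCa) -> None:
        if self.base is None or self.base.expired(now):
            self._fetch_base(ca)
        if self.delta is None or self.delta.expired(now):
            self.delta = ca.delta
            self.downloads.append(("delta", self.delta.number))
        # A delta that points at a higher-numbered base forces a base download
        # even though the cached base is still time valid.
        if self.delta.base_number > self.base.number:
            self._fetch_base(ca)

    def status(self, serial: int, signature_time: Optional[datetime] = None) -> str:
        """'good', 'revoked:<reason>', or 'signature-predates-revocation' when the
        signature being verified was made before the certificate was revoked."""
        entry = self.delta.revoked.get(serial) or self.base.revoked.get(serial)
        if entry is None:
            return "good"
        revoked_at, reason = entry
        if signature_time is not None and signature_time < revoked_at:
            return "signature-predates-revocation"
        return f"revoked:{reason}"


def simulate() -> dict:
    """Two hours of a CA publishing hourly deltas, as seen from one client."""
    ca = ConstructedCa()
    ca.revoke(0x1001, T0 - DAY, "keyCompromise")
    ca.publish_base(T0)                                       # base #1
    ca.publish_delta(T0)                                      # delta #2, points at base #1
    client = RevocationCache()
    client.refresh(T0, ca)
    first = (client.status(0x1001), client.status(0x2002))
    ca.revoke(0x2002, T0 + 30 * MIN, "cessationOfOperation")
    ca.publish_delta(T0 + HOUR)                               # delta #3 now lists 0x2002
    client.refresh(T0 + HOUR, ca)                             # only the small delta moves
    second = (client.status(0x2002), client.status(0x2002, signature_time=T0 + 10 * MIN))
    ca.publish_base(T0 + 2 * HOUR)                            # base #4 absorbs both revocations
    ca.publish_delta(T0 + 2 * HOUR)                           # delta #5 points at base #4
    client.refresh(T0 + 2 * HOUR, ca)                         # delta #5 forces base #4
    return {"first": first, "second": second, "downloads": client.downloads}
```

The download log returned by simulate() is the point of the exercise: the client pulls the base once, then only hourly deltas, and downloads a second base only because delta #5 names a base number higher than the one it holds, exactly the forcing behaviour the note above describes.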
Publishing CRLs
If you need to download a file from a server, you might access the file in several different ways. If you're logged onto the computer locally, you would use Windows Explorer to navigate to the folder containing the file. If you were on a different computer on the same network, you might map a drive to the server and download the file from a shared folder. If the server was behind a firewall and running IIS, you could open a Web browser to retrieve the file.
Having multiple ways to retrieve a file from a server is important, especially when the server will be accessed by a variety of different clients. Certificate Services enables clients to retrieve CRLs by using a wide variety of different protocols: shared folders, Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Lightweight Directory Access Protocol (LDAP). By default, CRLs are published in three different locations. For clients accessing the CRL from a shared folder, they are located in the \\Server\CertEnroll\ share, which is created automatically when Certificate Services is installed. Clients who need to retrieve the CRL by using LDAP can access it from CN=CAName,CN=CAComputerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootNameDN. Web clients can retrieve the CRLs from http://Server/certenroll/. Though the default locations are sufficient for most organizations, you can add locations if you need to. In particular, you must add a location if you are using an offline root CA, since the CA will not be accessible by clients under normal circumstances. Additionally, if certificates are used outside your private network but your CA is behind a firewall, you should publish your CRL to a publicly accessible location.
QUESTION NO: 19
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.
TestKing hosts Web applications for customers. Each customer is a company that has multiple employees who require access to the Web application. Each customer has one Web application. Each Web application is configured as a virtual directory. You configure a user account for each customer. You assign this account permission to read the virtual directory that contains the customer's Web application.
You need to ensure that employees can access only their company's Web application. You must accomplish this task without requiring customers to disclose passwords.
What should you do?
A. Configure anonymous access for each virtual directory.
Configure each virtual directory to use the customer's assigned user account.
Leave the password assigned to the user account blank.
B. Configure Microsoft .NET Passport authentication for each virtual directory.
Instruct each employee of each customer that requires access to the Web site to enroll for a new .NET Passport.
C. Configure a certification authority (CA).
Issue certificates to each employee of each customer that requires access to the Web site.
Configure many-to-one certificate mapping.
D. Acquire a Server Authentication digital certificate from a public certification authority (CA).
Configure the Web server to use this certificate and to require SSL.
Distribute a copy of the Server Authentication certificate to each employee of each customer that requires access to the Web site.
Answer: C
Explanation:
Anonymous would allow access to any of the websites.=20
Microsoft .NET Passport would have the user use=20
passwords.=20
11 Deploying, Configuring, and=20
Managing SSL Certificates=20
IIS cannot process client certificates unless you have=20
previously installed a server certificate and enabled=20
HTTPS.
Leading the way in IT testing and certification tools,=20
www.testking.com=20
-37
70 - 299=20
There are two ways to improve the security of client certificates. First, you can use client certificate mapping to restrict access to users with specific certificates. (You can also use client certificate mapping to control authorization by mapping the certificates to existing user accounts.) Second, you can configure a certificate trust list (CTL) to reduce the number of root CAs that can issue certificates to your users.
One-to-one client certificate mapping
Client certificate mapping has two modes: one-to-one and many-to-one. One-to-one certificate mapping relates a single exported certificate to an Active Directory user account. When Web users present the certificate, they will be authenticated as if they had presented a valid user name and password.
Many-to-one client certificate mapping
Many-to-one certificate mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as the issuer or subject. This mapping does not identify individual client certificates; it accepts all client certificates fulfilling the specific criteria. If a client gets another certificate containing all the same user information, the existing mapping will still work. Certificates do not need to be exported for use in many-to-one mappings. To add many-to-one certificate mappings, follow this procedure:
1. View the properties for the Web site, and then click the Directory Security tab.
2. Click the Edit button in the Secure Communications box.
3. Select the Enable Client Certificate Mapping check box, and then click the Edit button.
4. Click the Many-1 tab, and then click the Add button.
5. On the General page, type a name for the rule in the Description box. Click Next.
6. On the Rules page, click New to add a rule. (Figure: Editing rule properties for many-to-one client certificate mappings)
7. In the Edit Rule Element dialog box, click the Certificate Field list to choose either Issuer or Subject. Select Issuer to filter based on the CA that issued the certificate. Choose Subject to filter based on who the certificate was issued to. After completing the rule element, click OK.
Security Alert: When creating certificate mapping rules, keep in mind how easy it is to create your own root CA. Attackers could easily create their own root CA using your domain names. To prevent this type of impersonation, use certificate mapping along with a certificate trust list.
8. To add an additional rule, return to step 6.
9. Click Next.
10. On the Mapping page, click Refuse Access to reject logons that match the criteria, or click Accept This Certificate For Logon Authentication to map matching certificates to a user account. If you choose to accept the certificate, complete the Account and Password boxes. Click Finish. If prompted, confirm the password and then click OK.
Before you can authenticate users with client certificates, you must issue client certificates. If the users are members of an Active Directory domain and you are using an enterprise CA, auto-enrollment is the most efficient way to enroll users. Web servers are often used to communicate with users outside of your organization, however. For these users, you should use Web enrollment. The exercise at the end of this lesson demonstrates the process of enrolling a user certificate by using Web enrollment and then authenticating that user to IIS.
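The rule matching of steps 7 and 10 above, paired with the certificate trust list the Security Alert recommends, as an added Python model; this is not code from the study guide or from IIS, and every certificate, rule, CA name, account name and thumbprint in it is constructed for the demonstration.

```python
"""Many-to-one client certificate mapping combined with a certificate trust list.

Added example (not the study guide's or IIS's code): wildcard rule elements on
Issuer or Subject fields, "Refuse Access" versus "Accept ... For Logon
Authentication", and a CTL that limits which root CAs may anchor a chain.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class ClientCert:
    """The parts of a client certificate that mapping rules can inspect."""
    issuer: dict            # issuer name fields, e.g. {"O": "...", "CN": "..."}
    subject: dict           # subject name fields
    root_thumbprint: str    # thumbprint of the root CA anchoring its chain (constructed)


@dataclass
class RuleElement:
    """One row of the Edit Rule Element dialog: field, sub-field, wildcard criteria."""
    cert_field: str         # "Issuer" or "Subject"
    sub_field: str          # e.g. "O", "OU", "CN"
    criteria: str           # wildcard pattern such as "Partners*"


@dataclass
class MappingRule:
    """One Many-1 rule: every element must match for the rule to apply."""
    description: str
    elements: tuple
    accept: bool                    # True = map to an account, False = Refuse Access
    account: Optional[str] = None   # Windows account used when accept is True


def element_matches(cert: ClientCert, element: RuleElement) -> bool:
    names = cert.issuer if element.cert_field == "Issuer" else cert.subject
    value = names.get(element.sub_field)
    return value is not None and fnmatchcase(value, element.criteria)


def rule_matches(cert: ClientCert, rule: MappingRule) -> bool:
    return all(element_matches(cert, e) for e in rule.elements)


def authenticate(cert: ClientCert, rules, ctl=None):
    """Return (outcome, account).

    "untrusted_root": the chain's root CA is not on the CTL (checked first);
    "refused": a Refuse Access rule matched; "accepted": an accept rule matched
    and the request is mapped to its account; "no_match": no rule applied.
    Rules are evaluated in order and the first match wins.
    """
    if ctl is not None and cert.root_thumbprint not in ctl:
        return "untrusted_root", None
    for rule in rules:
        if rule_matches(cert, rule):
            return ("accepted", rule.account) if rule.accept else ("refused", None)
    return "no_match", None


# Constructed data: the partner CA that TestKing has agreed to trust ...
PARTNER_ROOT = "11AA22BB33CC44DD55EE66FF77889900AABBCCDD"    # placeholder thumbprint
# ... and a second root whose *names* copy the partner CA but that is not trusted.
LOOKALIKE_ROOT = "00FFEEDDCCBBAA998877665544332211AABBCC00"  # placeholder thumbprint
CTL = {PARTNER_ROOT}

RULES = (
    # Refuse rules come first so they win over the broader accept rule.
    MappingRule("Block terminated contractors",
                (RuleElement("Subject", "OU", "Terminated"),), accept=False),
    MappingRule("Partner employees -> shared partner account",
                (RuleElement("Issuer", "O", "Contoso"),
                 RuleElement("Subject", "OU", "Partners*")),
                accept=True, account="TESTKING\\PartnerWeb"),
)

LEGIT_CERT = ClientCert(issuer={"O": "Contoso", "CN": "Contoso Root CA"},
                        subject={"O": "Contoso", "OU": "Partners", "CN": "Alice"},
                        root_thumbprint=PARTNER_ROOT)
TERMINATED_CERT = ClientCert(issuer={"O": "Contoso", "CN": "Contoso Root CA"},
                             subject={"O": "Contoso", "OU": "Terminated", "CN": "Bob"},
                             root_thumbprint=PARTNER_ROOT)
# Same names as a legitimate partner certificate, but chained to the untrusted root:
# the name-based rule alone cannot tell the two apart; the CTL can.
LOOKALIKE_CERT = ClientCert(issuer={"O": "Contoso", "CN": "Contoso Root CA"},
                            subject={"O": "Contoso", "OU": "Partners", "CN": "Mallory"},
                            root_thumbprint=LOOKALIKE_ROOT)


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("terminated", TERMINATED_CERT),
                        ("lookalike", LOOKALIKE_CERT)):
        print(f"{label:10s} without CTL: {authenticate(cert, RULES)}")
        print(f"{label:10s} with CTL:    {authenticate(cert, RULES, CTL)}")
```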
QUESTION NO: 20
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains Windows Server 2003 computers and Windows XP Professional client computers.
You install Certificate Services on two Windows Server 2003 computers named TestKing1 and TestKing2. TestKing1 is the root certification authority (CA) and TestKing2 is the subordinate CA. You configure the root CA certificate with a validity period of eight years. You configure the subordinate CA certificate with a validity period of two years.
You create a custom User certificate type that has a validity period of three years. You allow employees to enroll for this user certificate by using TestKing2. You discover that all issued certificates do not remain valid for three years as expected.
You need to ensure that the custom User certificates are issued with a validity period of three years.
What should you do?
A. Generate a new CA certificate for TestKing1 with a validity period of three years.
B. Generate a new CA certificate for TestKing2 with a validity period of four years.
C. Create a new custom User certificate type with a validity period of four years.
D. Create a new custom Administration certificate type with a validity period of three years.
Answer: B
Explanation:
A CA does not issue certificates that expire after its own CA certificate, so the three-year User certificates issued by TestKing2 are cut short at the expiry of its two-year CA certificate; renewing the TestKing2 CA certificate with a four-year validity period removes that limit.
Validity and renewal periods
Certificate-based cryptography uses public-key cryptography to protect and sign data. Over time, evildoers can obtain data protected with the public key and attempt to derive the private key from it. Given enough time and resources, this private key could be compromised, effectively rendering all protected data unprotected. Also, over time, the names guaranteed by a certificate may need to be changed. Because a certificate is a binding between a name and a public key, when either of these change, the certificate should be renewed.
Validity periods
Certificates are enabled for a specific length of time, which is the validity period. This time is expressed as a length of time beginning from when a certificate is issued. When that length of time is reached, the certificate is no longer valid and cannot be trusted. Because an expired certificate can cause problems, certificates can be renewed to extend their validity period.
Renewal periods
A renewal period is the amount of time prior to the end of the validity period when the subject will renew the certificate using autoenrollment. Renewing the certificate during this interval ensures that last-minute requests for certificate renewal can be serviced before certificate expiration, allowing uninterrupted use of the certificate.
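Why the two-year TestKing2 CA certificate cuts the three-year User certificates short, and how the renewal period is checked, as an added Python model; this is not code from the study guide or from Certificate Services, it assumes a constructed installation date for both CAs and the rule that a CA never issues a certificate that expires after its own certificate.

```python
"""Validity truncation by the issuing CA, plus the autoenrollment renewal check.

Added example (not the study guide's or Certificate Services' code). CA names
and validity figures come from the question; START is a constructed date.
"""
from datetime import date, timedelta
from typing import Optional

YEAR = timedelta(days=365)
START = date(2004, 1, 1)          # constructed installation date for both CAs


class CaCertificate:
    """A CA certificate whose effective expiry is capped by its issuer's expiry."""

    def __init__(self, name: str, not_before: date, validity: timedelta,
                 issuer: Optional["CaCertificate"] = None):
        self.name = name
        self.not_before = not_before
        requested_not_after = not_before + validity
        # A self-signed root keeps its requested validity; a subordinate CA
        # cannot outlive the parent certificate that signed it.
        self.not_after = (requested_not_after if issuer is None
                          else min(requested_not_after, issuer.not_after))


def issue_end_entity(issuing_ca: CaCertificate, template_validity: timedelta,
                     issued_on: date) -> date:
    """Expiry of a certificate issued from a template, capped by the issuing CA."""
    return min(issued_on + template_validity, issuing_ca.not_after)


def renewal_due(not_after: date, renewal_period: timedelta, today: date) -> bool:
    """Autoenrollment renews once 'today' falls inside the renewal period."""
    return today >= not_after - renewal_period


def user_cert_lifetime_days(sub_ca_validity_years: int,
                            issued_after_days: int = 180) -> int:
    """Days of validity a three-year User certificate actually gets when the
    subordinate CA (TestKing2) certificate has the given validity in years.
    The certificate is requested issued_after_days after the CAs were installed."""
    root = CaCertificate("TestKing1", START, 8 * YEAR)                   # root CA: 8 years
    sub = CaCertificate("TestKing2", START, sub_ca_validity_years * YEAR, issuer=root)
    issued_on = START + timedelta(days=issued_after_days)
    not_after = issue_end_entity(sub, 3 * YEAR, issued_on)               # template: 3 years
    return (not_after - issued_on).days


if __name__ == "__main__":
    for years in (2, 3, 4):
        print(f"TestKing2 CA validity {years}y -> User cert valid for "
              f"{user_cert_lifetime_days(years)} days (template asks for {3 * 365})")
    # Renewal-period check with a constructed six-week renewal period.
    expiry = START + 3 * YEAR
    print("renewal due 30 days before expiry:",
          renewal_due(expiry, timedelta(weeks=6), expiry - timedelta(days=30)))
```

Only a subordinate CA certificate that outlasts the template's three years by at least the time already elapsed gives the full lifetime, which is why the four-year option works and a three-year one would not.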
QUESTION NO: 21
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains Windows Server 2003 computers and Windows XP Professional client computers.
A Windows Server 2003 computer named TestKing1 is a member of a workgroup. TestKing1 hosts a knowledge management application that is accessed from the network.
Contract employees require access to the knowledge management application. However, you do not want contract employees to have the right to create other user accounts on TestKing1.
You need to assign the contract employees appropriate permissions to use the application on TestKing1.
What should you do?
A. Create the user accounts in the Active Directory domain.
Place the user accounts in the default Authenticated Users group in the Active Directory domain, and then assign this group appropriate permissions on TestKing1.
B. Create the user accounts in the Active Directory domain.
Place the user accounts in the default Domain Users group in the Active Directory domain, and then assign this group appropriate permissions on TestKing1.
C. Create the user accounts in the local accounts database on TestKing1.
Place the user accounts in the default Users group on TestKing1, and then assign this group appropriate permissions on TestKing1.
D. Create the user accounts in the local accounts database on TestKing1.
Place the user accounts in the default Power Users group on TestKing1, and then assign this group appropriate permissions on TestKing1.
Answer: C
Explanation:
Since this server is not in a domain, access can only be granted by using the local SAM database. Access can be granted by using the default Users group, even though Power Users would also work. However, Power Users is probably more permission than is needed to run the application; of course, this would depend on how the application was written. Note also that although multiple users will be accessing this server over the network, the question does not mention that the users will need the "Access this computer from the network" right.
The Principle of Least Privilege
In the real world, the built-in groups are often misused. It's a common practice to add users to the Power Users group so that an application that won't run with regular User privileges will work as expected. While this is better than adding the user to the Administrators group, there is a risk associated with this practice: the risk that the user will be granted unnecessary rights that will later be misused. Even if the user would never intentionally misuse the elevated privileges of the Power Users group, a virus or Trojan horse might take advantage of the additional privileges without the user being aware.
QUESTION NO: 22
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. Servers run either Windows Server 2003 or Windows 2000 Server. All client computers run Windows XP Professional.
TestKing's written security policy states that user accounts must be locked if an unauthorized user attempts to guess the users' passwords.
The current account policy locks out a user after two invalid password attempts in five minutes. The user remains locked out until the account is reset by the administrator. Users frequently call the help desk to have their account unlocked. Calls related to account lockout constitute 25 percent of help desk calls.
You need to reduce the number of help desk calls related to account lockout.
What should you do?
A. Modify the Default Domain Controllers Policy Group Policy object (GPO).
Increase the maximum lifetime for service tickets.
B. Modify the Default Domain Policy Group Policy object (GPO).
Configure an account lockout threshold of 10.
C. Modify the Default Domain Controllers Policy Group Policy object (GPO).
Disable the enforcement of user logon restrictions.
D. Modify the Default Domain Policy Group Policy object (GPO).
Increase the maximum password age.
Answer: B
Explanation:
Deploying and Troubleshooting Security Templates
Account Lockout Policy. Determines the circumstances and length of time that an account will be locked out of the system.
Security Alert: Enabling account lockout doesn't necessarily increase security. In fact, it actually creates a new vulnerability. An attacker who knows valid user names can guess incorrect passwords for users and lock legitimate users out, creating a denial-of-service attack.
QUESTION NO: 23
You are a security administrator for TestKing. The network consists of a single Active Directory forest that contains three domains in a single domain tree. All servers run Windows Server 2003. All computers are members of the domains. The functional level of the forest is Windows 2000. The functional level of each domain is Windows Server 2003.
TestKing has a main office and five branch offices. Each branch office is configured as a separate Active Directory site. There is one domain controller for each of the three domains in each site. Only the main office contains global catalog servers.
Users report that logging on in the branch office takes much longer than logging on in the main office.
You need to ensure that the logon process in the branch offices completes more quickly. You do not want to install additional global catalog servers in the branch office, and you do not want to increase the bandwidth between the branch offices and the main office.
What should you do?
A. Raise the functional level of the forest to Windows Server 2003.
B. Create a two-way shortcut trust between the two child domains.
C. Enable universal group membership caching.
D. Convert all universal groups in the three domains to domain local groups or global groups.
E. Increase the maximum lifetime for Kerberos user tickets.
Answer: B
Explanation:
When to create a shortcut trust
Shortcut trusts are one-way or two-way, transitive trusts that can be used when administrators need to optimize the authentication process. Authentication requests must first travel a trust path between domain trees, and in a complex forest this can take time, which can be reduced with shortcut trusts. A trust path is the series of domain trust relationships that must be traversed in order to pass authentication requests between any two domains. For more information about trust paths, see Trust direction.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest. For example, using the following figure as an example, you could form a shortcut trust between domain B and domain D or domain A and domain 1 and so on. Shortcut trusts effectively shorten the path traveled for authentications made between domains located in two separate trees. For more information about how to create a shortcut trust, see To create a shortcut trust.
Glossary terms referenced above:
Shortcut trust: A trust that is manually created between two domains in the same forest. The purpose of a shortcut trust is to optimize the interdomain authentication process by shortening the trust path. Shortcut trusts are transitive and can be one-way or two-way.
Transitive trust: A trust relationship that flows throughout a set of domains, such as a domain tree, and forms a relationship between a domain and all domains that trust that domain. For example, if domain A has a transitive trust with domain B, and domain B trusts domain C, then domain A trusts domain C. Transitive trusts can be one-way or two-way, and they are required for Kerberos-based authentication and Active Directory replication.
Authentication: The process for verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information, such as verifying a digital signature or verifying the identity of a user or computer.
Trust path: A series of trust relationships that authentication requests must follow between domains. Domain controllers determine the trust path for all authentication requests between a domain controller in the trusting domain and a domain controller in the trusted domain.
Domain tree: In DNS, the inverted hierarchical tree structure that is used to index domain names. Domain trees are similar in purpose and concept to the directory trees used by computer filing systems for disk storage. For example, when numerous files are stored on disk, directories can be used to organize the files into logical collections. When a domain tree has one or more branches, each branch can organize domain names used in the namespace into logical collections. In Active Directory, a hierarchical structure of one or more domains, connected by transitive, bidirectional trusts, that forms a contiguous namespace. Multiple domain trees can belong to the same forest.
Trust relationship: A logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be given rights and permissions in a trusting domain, even though the user accounts or groups don't exist in the trusting domain's directory.
Using one-way trusts
A one-way shortcut trust established between two domains located in separate domain trees can reduce the time needed to fulfill authentication requests, but in only one direction. For example, when a one-way shortcut trust is established between domain A and domain B, authentication requests made in domain A to domain B can utilize the new one-way trust path. However, authentication requests made in domain B to domain A will still need to travel the longer trust path.
Using two-way trusts
A two-way shortcut trust established between two domains located in separate domain trees will reduce the time needed to fulfill authentication requests originating in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests made from either domain to the other can utilize the new, two-way trust path.
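The trust-path shortening described above, one-way versus two-way, as an added Python model of the question's three-domain forest; this is not code from the study guide or from Active Directory, the child domain names east.testking.com and west.testking.com are constructed, and a trust path is computed as the shortest chain of referrals between domains.

```python
"""Trust paths in a forest before and after a shortcut trust.

Added example (not the study guide's or Active Directory's code). Parent-child
trusts are two-way and transitive; a shortcut trust is added one-way or two-way.
"""
from collections import deque
from typing import Dict, List, Optional, Set


class Forest:
    def __init__(self) -> None:
        # referrals[trusting] = domains to which a domain controller in
        # 'trusting' can refer an authentication request directly
        self.referrals: Dict[str, Set[str]] = {}

    def add_domain(self, name: str, parent: Optional[str] = None) -> None:
        self.referrals.setdefault(name, set())
        if parent is not None:
            # Parent-child trusts are two-way, so referrals flow both ways.
            self.referrals[name].add(parent)
            self.referrals[parent].add(name)

    def add_shortcut_trust(self, trusting: str, trusted: str,
                           two_way: bool = False) -> None:
        # One-way: only requests originating in 'trusting' take the shortcut.
        self.referrals[trusting].add(trusted)
        if two_way:
            self.referrals[trusted].add(trusting)

    def trust_path(self, source: str, target: str) -> List[str]:
        """Shortest chain of domains an authentication request from 'source'
        to 'target' traverses (breadth-first search over referrals)."""
        previous: Dict[str, Optional[str]] = {source: None}
        queue = deque([source])
        while queue:
            domain = queue.popleft()
            if domain == target:
                break
            for next_domain in sorted(self.referrals[domain]):
                if next_domain not in previous:
                    previous[next_domain] = domain
                    queue.append(next_domain)
        if target not in previous:
            return []
        path: List[str] = []
        node: Optional[str] = target
        while node is not None:
            path.append(node)
            node = previous[node]
        return path[::-1]

    def hops(self, source: str, target: str) -> int:
        """Number of trust relationships crossed; -1 if no path exists."""
        return len(self.trust_path(source, target)) - 1


def build_testking_forest() -> Forest:
    """Forest root testking.com with two child domains (constructed names)."""
    forest = Forest()
    forest.add_domain("testking.com")
    forest.add_domain("east.testking.com", parent="testking.com")
    forest.add_domain("west.testking.com", parent="testking.com")
    return forest


if __name__ == "__main__":
    f = build_testking_forest()
    east, west = "east.testking.com", "west.testking.com"
    print("no shortcut:      ", f.trust_path(east, west))
    f.add_shortcut_trust(east, west)                    # one-way, east trusts west
    print("one-way east->west:", f.trust_path(east, west))
    print("one-way west->east:", f.trust_path(west, east))
    f.add_shortcut_trust(east, west, two_way=True)
    print("two-way west->east:", f.trust_path(west, east))
```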
QUESTION NO: 24
You are the security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. Four Windows Server 2003 computers run IIS and serve as Web servers on the Internet.
TestKing's written security policy states that computers that are accessible from the Internet must be hardened against attacks. The procedure for hardening computers includes disabling unnecessary services. You evaluate which services are necessary by using the following information about the Web servers:
Customers and business partners access Web content on the Web servers after they authenticate by using a user name and password.
To access certain parts of the site, some of these connections use the SSL protocol.
All software is installed locally on the Web servers by using removable media, except for service packs and security patches.
The Web servers automatically download service packs and security patches from an internal computer that runs Software Update Services (SUS).
The Web servers are not functioning in any other roles.
You need to create a security template for the Web servers that disables unnecessary services and allows necessary services to operate.
What should you do?
To answer, drag the appropriate service startup types to the correct locations in the work area.
Answer:
Explanation:
IIS Services
IIS provides the basic services that publish information, transfer files, support user communication, and update the data stores upon which these services depend. This section introduces the services that IIS 6.0 provides.
The following table lists the IIS services, as well as their primary components and service hosts.
Service                                                Primary Component   Hosted by
World Wide Web Publishing Service (WWW service)        Iisw3adm.dll        Svchost.exe
File Transfer Protocol Service (FTP service)           Ftpsvc2.dll         Inetinfo.exe
Simple Mail Transfer Protocol Service (SMTP service)   Smtpsvc.dll         Inetinfo.exe
Network News Transfer Protocol Service (NNTP service)  Nntpsvc.dll         Inetinfo.exe
IIS Admin service                                      Iisadmin.dll        Inetinfo.exe
World Wide Web Publishing Service
World Wide Web Publishing Service (WWW service) provides Web publishing to IIS end users, connecting client HTTP requests to Web sites that are running in IIS. WWW service manages the IIS core components that process HTTP requests and that configure and manage Web applications. WWW service runs as Iisw3adm.dll and is hosted by Svchost.exe.
File Transfer Protocol Service
Through the File Transfer Protocol service (FTP service), IIS provides full support for managing and serving files. The service uses the Transmission Control Protocol (TCP), which ensures that file transfers are complete and that the data transferred is accurate. This version of FTP supports isolating users at the site level to help administrators secure and commercialize their Internet sites. FTP service runs as Ftpsvc2.dll and is hosted by Inetinfo.exe.
Simple Mail Transfer Protocol Service
IIS can send or receive e-mail by using the Simple Mail Transfer Protocol service (SMTP service). For example, you can program the server to send mail automatically in response to events, in order to confirm successful form submissions by users. Also, you can use the SMTP service to receive messages that collect feedback from Web site customers. SMTP service does not provide full e-mail services. To deliver full e-mail services, use Microsoft® Exchange Server. SMTP service runs as Smtpsvc.dll and is hosted by Inetinfo.exe.
Network News Transfer Protocol Service
You can use the Network News Transfer Protocol service (NNTP service) to host NNTP local discussion groups on a single computer. Because this feature complies fully with the NNTP protocol, users can use any news reader client to participate in the newsgroup discussions. Through the Rfeed script, found in the inetsrv folder, the IIS NNTP service now supports newsfeeds. NNTP service does not support replication. To employ news feeds or to replicate a newsgroup across multiple computers, use Exchange Server. NNTP service runs as Nntpsvc.dll and is hosted by Inetinfo.exe.
IIS Admin Service
IIS Admin service manages the IIS metabase and updates the Microsoft Windows® operating system registry for the WWW service, FTP service, SMTP service, and NNTP service. The metabase is a data store that holds IIS configuration data. IIS Admin service exposes the metabase to other applications, including the core components of IIS, applications that are built on IIS, and third-party applications that are independent of IIS, such as management or monitoring tools. IIS Admin service runs as Iisadmin.dll and is hosted by Inetinfo.exe.
Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;321141
HOW TO: Disable or Remove Unnecessary IIS Services
QUESTION NO: 25
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers and servers run Windows Server 2003. All computers are members of the domain.
The domain contains 12 database servers. The database servers are in an organizational unit (OU) named DBServers. The domain controllers and the database servers are in the same Active Directory site.
You receive a security report that requires you to apply a security template named Lockdown.inf to all database servers as quickly as possible. You import Lockdown.inf into a Group Policy object (GPO) that is linked to the DBServers OU.
You need to ensure that the settings in the Lockdown.inf security template are applied to all database servers as quickly as possible.
What should you do?
A. On each database server, run the repadmin /replicate command.
B. On each database server, run the gpupdate command.
C. On each database server, run the secedit /refreshpolicy command.
D. On each database server, open Local Computer Policy, select Security Settings, and then use the Reload command.
E. On each database server, open Resultant Set of Policy, and then use the Refresh Query command.
Answer: B
Explanation:
Repadmin.exe is a command-line tool from the Windows 2000 Resource Kit that is included in the Support Tools folder on the Windows 2000 CD-ROM. Repadmin is a command-line tool that reports failures on a replication link between two replication partners. The following repadmin example displays the replication partners and any replication link failures for Server1 in the microsoft.com domain:
repadmin /showreps server1.microsoft.com
For a complete list of repadmin options, use the /? option:
repadmin /?
The secedit /refreshpolicy option is no longer available with Windows Server 2003.
Gpupdate
Refreshes local and Active Directory-based Group Policy settings, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.
Syntax: gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot]
Reloading the local policy updates the effective policy in the user interface. Depending on domain or OU password policies that are in effect, the effective policy may or may not have changed on your computer.
Resultant Set of Policy
The Resultant Set of Policy (RSoP) snap-in (Rsop.msc) enables you to poll and evaluate the cumulative effect that local, site, domain, and organizational unit Group Policy objects (GPOs) have on computers and users. Resultant Set of Policy enables you to check for GPOs that might affect your troubleshooting. For example, a GPO setting can cause startup programs to run after you log on to the computer.
Use this snap-in to evaluate the effects of existing GPOs on your computer. This information is helpful for diagnosing deployment or security problems. Rsop.msc reports individual Group Policy settings specific to one or more users and computers, including advertised and assigned applications.
QUESTION NO: 26
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You manage client computers by using Group Policy.
Some of the administrators in TestKing are responsible for managing network connectivity and TCP/IP. These administrators are known as infrastructure engineers and are members of a global group named Infra_Engineers. The infrastructure engineers must be able to configure and troubleshoot TCP/IP settings on servers and client computers.
You need to reconfigure a Restricted Groups policy that ensures that only infrastructure engineers are members of the Network Configuration Operators local group on all client computers. You want to achieve this goal without granting unnecessary permissions to the infrastructure engineers.
What should you do?
To answer, drag the appropriate group or groups to the correct list or lists in the dialog box in the work area.
Answer:
Explanation:
Description of Group Policy Restricted Groups
SUMMARY: This article provides a description of Group Policy Restricted Groups.
Restricted Groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:
Members
Member Of
The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list specifies which other groups the restricted group should belong to.
Using the "Members" Restricted Group Portion of Policy
When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed, with the exception of Administrator in the Administrators group. Any user on the "Members" list who is not currently a member of the restricted group is added.
Using the "Member Of" Restricted Group Portion of Policy=20
Only inclusion is enforced in this portion of a=20
Restricted Group policy. The Restricted Group is not=20
removed=20
from other groups. It makes sure that the restricted=20
group is a member of groups that are listed in the Member=20
Of dialog box.=20
Planning and Configuring an Authorization Strategy=20
Creating Restricted Groups Policy=20
you can use security policies to control local group=20
memberships on domain member computers.=20
Windows Server 2003 includes a security policy setting=20
called Restricted Groups that allows you to control=20
group membership. By using the Restricted Groups policy,=20
you can specify the membership of a group=20
anywhere in your Active Directory domain. For example,=20
you can create a Restricted Groups policy to limit the=20
access on an OU that=20
contains computers containing sensitive data. The=20
Restricted Groups policy would remove domain users from=20
the local users group and thereby limit the number of=20
users who can log on to the computer. Group members=20
that are not specified in the policy are removed when the=20
Group Policy setting is applied or refreshed to the=20
computer or OU. The Restricted Groups policy settings=20
include two properties: Members and Member Of. The=20
Members property defines who belongs and who does not=20
belong to the restricted group. The Member Of=20
property specifies the other groups to which the=20
restricted group can belong. When a Restricted Groups=20
policy is=20
enforced, any current member of a restricted group that=20
is not on the Members list is removed. Members who=20
can be removed include Administrators. Any user on the=20
Members list who is not currently a member of the=20
restricted group is added. In addition, each restricted=20
group is a member of only those groups that are specified=20
in the Member Of column. The shows Restricted Groups=20
being used to add the Infra_Engineers group from the=20
domainname.com domain to the Network Configuration=20
Operators local group on all client computers. For=20
example, use Restricted Groups to control group=20
membership on domain members. Note: The security setting=20
is=20
located in a security policy object in the Restricted=20
Groups node.=20
Planning and Configuring an Authorization Strategy
You can apply a Restricted Groups policy in the following ways:
Define the policy in a security template, which will be applied during configuration on your local computer.
Define the setting directly on a Group Policy object (GPO). Defining the setting in this way ensures that the operating system continually enforces the restricted groups.
To create a Restricted Groups policy:
1. Open a security policy tool, such as the Domain Security Policy console.
2. In the console tree, right-click Restricted Groups, and then click Add Group.
3. In the Group field, type the name of the group to which you want to restrict membership, and then click OK.
4. In the properties dialog box, click Add beside the This Group Is A Member Of field.
5. Under Group Membership, type the name of the group you want to add to this group, and then click OK.
6. Click OK again.
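The membership outcome of the Members and Member Of properties described above, as an added example written for this page rather than Microsoft's own implementation. It models Members as authoritative (anyone not listed is removed, anyone listed is added; an empty list empties the group) and Member Of as additive (the restricted group is added to the listed groups and keeps its other memberships). The computer state, the group names and the TESTKING accounts are constructed for the illustration.

```python
def apply_restricted_groups(local_groups: dict, policy: dict):
    """Simulate one Group Policy refresh of Restricted Groups.

    local_groups: local group name -> set of current members on the computer.
    policy: restricted group -> {"members": set or None, "member_of": set}.
            "members" None means the Members property was not defined.
    Returns (new_state, change_log).
    """
    state = {g: set(m) for g, m in local_groups.items()}
    log = []
    for group, rule in policy.items():
        wanted = rule.get("members")
        if wanted is not None:                      # Members defined (possibly empty)
            current = state.setdefault(group, set())
            for m in sorted(current - set(wanted)):
                log.append(f"removed {m} from {group}")
            for m in sorted(set(wanted) - current):
                log.append(f"added {m} to {group}")
            state[group] = set(wanted)              # authoritative replacement
        for target in sorted(rule.get("member_of", ())):
            members = state.setdefault(target, set())
            if group not in members:                # additive: nothing else is touched
                members.add(group)
                log.append(f"added {group} to {target}")
    return state, log


def sample_run():
    # Constructed starting state of one client computer (not real data).
    before = {
        "Administrators": {"Administrator", "TESTKING\\Domain Admins", "TESTKING\\jsmith"},
        "Power Users": {"TESTKING\\jsmith", "TESTKING\\Domain Users"},
        "Network Configuration Operators": set(),
        "Remote Desktop Users": {"TESTKING\\Infra_Engineers"},
    }
    policy = {
        # Members is authoritative: jsmith's local admin rights disappear on refresh.
        "Administrators": {"members": {"Administrator", "TESTKING\\Domain Admins"}},
        # An empty Members list empties the group (compare option B in question 27).
        "Power Users": {"members": set()},
        # Member Of is additive: Infra_Engineers is added to Network Configuration
        # Operators and stays in Remote Desktop Users.
        "TESTKING\\Infra_Engineers": {"member_of": {"Network Configuration Operators"}},
    }
    return apply_restricted_groups(before, policy)


if __name__ == "__main__":
    state, log = sample_run()
    for line in log:
        print(line)
    for group, members in sorted(state.items()):
        print(f"{group}: {sorted(members)}")
```

The change log is what you would expect to see in the Security Configuration client log after a refresh; the point to notice is that the Remote Desktop Users membership survives because it was reached through Member Of, not Members.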
QUESTION NO: 27
Administrators in TestKing use scripts to perform administrative tasks when they troubleshoot problems on client computers. They connect to the Telnet service on client computers when they run these scripts. For security reasons, all Telnet traffic is encrypted by using an IPSec policy. In addition, the Telnet service is configured for manual startup on all client computers. Administrators manually start and stop the Telnet service when they perform administrative tasks.
Administrators report that they sometimes cannot start the Telnet service on client computers. You examine several client computers and discover that the Telnet service is disabled.
You need to ensure that administrators can troubleshoot problems on client computers at all times.
What should you do?
A. Use a Restricted Groups policy in a new Group Policy object (GPO) to add the Domain Admins group to the Power Users group on each client computer.
B. Use a Restricted Groups policy in a new Group Policy object (GPO) to ensure that the Power Users group on each client computer contains no members.
C. Use a System Services policy in a new Group Policy object (GPO) to ensure that only Domain Admins can manage the Telnet service.
D. Use an Administrative Template setting to prevent local users from starting the Services snap-in.
Answer: C
Explanation:
Someone with the right to change the service's startup type is setting it to Disabled. A System Services policy (Computer Configuration\Windows Settings\Security Settings\System Services) defines both the startup mode of the service (Manual, matching current practice) and the security descriptor on the service object, so that only Domain Admins can start, stop or reconfigure it. Because the policy is reapplied at every Group Policy refresh, a service that has been switched to Disabled is returned to Manual.
Option A is not needed: Domain Admins are already members of the local Administrators group and have full control over the service. Option B removes members from Power Users but does not stop a local administrator from disabling the service. Option D hides the Services snap-in but does not prevent the service from being disabled by other means, such as sc.exe.
The System Services policy works as long as the users who disable the service are not members of the local Administrators group; the question does not say what rights those users have, and by default local Administrators can manage this service. To verify the deployed descriptor on a client, run sc sdshow tlntsvr and confirm that only the expected SIDs are granted the right to change the service configuration.
QUESTION NO: 28
You are a security administrator for TestKing. TestKing has offices in two cities. The network consists of a single Active Directory forest that contains two trees. The trees are named testking.com and fabrikam.com and are located in separate cities. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network is configured as shown in the Network Diagram exhibit.
Each office maintains a DNS server. The DNS server contains a primary zone for the local tree and a secondary zone for the tree in the other office. DNS zones are configured as shown in the Properties exhibit.
You examine the logs for your firewall and discover a large number of attempted connections to internal servers. You find out that external users have access to the DNS information used by your internal networks.
You need to prevent external users from accessing internal DNS information.
What should you do?
A. Replace the primary zones with stub zones.
B. Implement an IPSec policy that uses Encapsulating Security Payload (ESP) when replicating secondary zones.
C. Implement an IPSec policy that uses Encapsulating Security Payload (ESP) when resolving DNS names stored in primary zones.
D. Configure the zones to replicate to known DNS servers only.
Answer: D
Explanation:
Stub zones are used for name resolution; they do not prevent others from obtaining DNS information.
ESP encrypts data in transit between the two DNS servers; it does not control who is allowed to request a zone transfer, so an external host can still ask the server for the whole zone. Only restricting zone transfers to known name servers (option D) stops that. After the change, test from outside the firewall with nslookup (set the server, then ls -d testking.com): the transfer should be refused.
http://www.microsoft.com/resources/d...tion/msa/edc/all/solution/en-us/pak/build/edcbld06.mspx
Configuring Zone Transfer Security on All Zones
All zone transfers should be sent only to known DNS servers. This practice prevents a malicious user from dumping the entire zone file using a tool such as nslookup. Use the information in the following table to configure the zones to perform zone transfers only with known name servers.
1. On each <domain_controller> (where domain_controller is a domain controller from the following table), launch an instance of the MMC DNS snap-in.
2. Right-click each <zone_name> (where zone_name is a zone from Table 18) and select Properties.
3. On the Name Servers page, ensure that all <name_servers> in the table below are associated with the zone. Add any missing name servers by clicking Add, typing the name of the server, clicking Resolve, and then OK. Repeat as necessary.
4. On the Zone Transfers page, select Only to servers listed on the Name Servers tab, and click OK.
QUESTION NO: 29
You are a security administrator for TestKing. The network consists of two Active Directory domains. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 2000 Professional. All domain controllers in both Active Directory domains are Windows Server 2003 computers. All computers are Active Directory domain members.
During a security assessment, you discover that you can extract LAN Manager and NTLM password hashes from domain controller computers. You are able to guess many user account passwords within a short time by using a password cracking program. This poses an unacceptable security risk for TestKing.
You need to increase the time required to guess user account passwords. You increase the minimum user account password length to nine characters, enable the Password must meet complexity requirements setting, and require all domain users to change their password at the next logon.
What else should you do?
A. Apply a security template to all domain controller computers that enables the Domain member: Require strong (Windows 2000 or later) session key setting.
B. Apply a security template to all domain controller computers that sets the Network security: LAN Manager authentication level setting to Send NTLMv2 response only.
C. Apply a security template to all domain controller computers that enables the Network security: Do not store LAN Manager hash value on next password change setting.
D. Apply a security template to all domain controller computers that enables the System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting.
Answer: C
Explanation:
The LM hash is the weak link: it is computed over the uppercased password, padded or truncated to 14 characters and split into two independent 7-character halves, so even a nine-character complex password leaves a second half of two characters that can be cracked separately in seconds, and the case information is lost before hashing. Options A and B harden the authentication exchange on the wire but do not change what is stored in the directory. Option D selects the algorithms used by components such as SSL/TLS and EFS and has no effect on password hashes. Only option C stops the LM hash from being stored, and because it takes effect at the next password change, the question also forces every user to change password at next logon.
How to prevent Windows from storing a LAN Manager hash of your password in Active Directory and local SAM databases
Network security: Do not store LAN Manager hash value on next password change
Description
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked. For more information on cryptographic hashes of passwords, see Microsoft NTLM.
Default: Disabled.
Configuring this security setting
You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
For specific instructions about how to configure security policy settings, see To edit a security setting on a Group Policy object.
Important
Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
For more information, see: Security Configuration Manager Tools
QUESTION NO: 30
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows 2000 Professional.
TestKing's written security policy states the following requirements:
All access to files must be audited.
File servers must be able to record all security events.
You create a new Group Policy object (GPO) and filter it to apply to only file servers. You configure an audit policy to audit files and folders on file servers. You configure a system access control list (SACL) to audit the appropriate files.
You need to ensure that the GPO enforces the written security policy.
Which two additional actions should you perform to configure the GPO? (Each correct answer presents part of the solution. Choose two.)
A. Set a manual retention method for the security log.
B. Set the security log to retain entries for 7 days.
C. Set the maximum security log size to the maximum allowed size.
D. Configure the GPO to shut down the computer if it is unable to log security audits.
E. Ensure that users who are responsible for reviewing audit log data are granted the right to manage the security log.
Answer: A, D
Explanation:
"Record all security events" means no event may be overwritten or silently dropped. A manual retention method (Do Not Overwrite Events) guarantees that nothing is overwritten, and shutting the computer down when an audit cannot be written guarantees that no file access goes unrecorded once the log is full. Options B and C still allow events to be lost, and option E concerns who may read and clear the log, not whether events are kept. The operational cost of D is real: the server stops serving files until an administrator clears the log, so pair it with a large log size and scheduled archiving.
HOW TO: Use the Event Log Management Script Tool (Eventlog.pl) to Manage Event Logs in Windows 2000
This article describes how to use the Event Log Management Script tool (Eventlog.pl) to manage Event Viewer logs of Windows 2000-based computers.
An event is any significant occurrence in the computer or in a program that requires either users to be notified or an entry added to a log. The Event Log Service records events to the Application, Security, and System logs in Event Viewer. Additionally, events are written to the Directory Service and File Replication Service logs on domain controllers and the DNS Server log on DNS servers. You can use Event Viewer to obtain information about your hardware, software, and system components, and to monitor security events on a local or remote computer. You can use event logs to identify and diagnose the source of current computer problems or to help you predict potential computer problems.
Eventlog.pl is available in the Windows 2000 Resource Kit Supplement 1. You can use this script tool to perform the following event log management tasks:
Change the properties of event logs.
Back up (save) event logs.
Export event lists to text files.
Clear (delete) all events from event logs.
Query the properties of event logs.
IMPORTANT: Do not use Eventlog.pl if you use Group Policy to specify event log settings. Eventlog.pl can violate Event log policies so that the following Group Policy settings for domains, organizational units, and sites may become ineffective:
Maximum LogName log size
Retain LogName log
Retention method for LogName log
Threats and Countermeasures Guide
Event Log
The Event log records events on the system. The Security log records audit events. The Event log container of Group Policy is used to define attributes related to the application, security, and system event logs, such as maximum log size, access rights for each log, and retention settings and methods. The Microsoft® Excel workbook called Windows Default Security and Services Configuration included with this guide documents the default Event log settings.
The Event log settings can be configured in the following location within the Group Policy Object Editor:
Shut down system immediately if unable to log security audits
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Description
Determines whether the system should shut down if it is unable to log security events.
If this policy is enabled, it causes the system to halt if a security audit cannot be logged for any reason. Typically, an event will fail to be logged when the security audit log is full and the retention method specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days.
If the security log is full and an existing entry cannot be overwritten and this security option is enabled, the following blue screen error will occur:
STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (if desired), clear the log, and reset this option as desired.
By default, this policy is disabled.
QUESTION NO: 31
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.
You manage the network by using a combination of Group Policy objects (GPOs) and scripts. File names for scripts have the .vbs file name extension. Scripts are stored in a shared folder named Scripts on a server named TestKing1.
Users report that they accidentally run scripts that are received through e-mail and the Internet. They further report that these scripts cause problems with their client computers and often delete or change files. You discover that these scripts have .wsh, .wsf, .vbs, or .vbe file name extensions. You decide to use software restriction policies to prevent the use of unauthorized scripts.
You need to configure a software restriction policy for your network. You want to achieve this goal without affecting management of your network.
Which three rules should you include in your software restriction policy? (Each correct answer presents part of the solution. Choose three.)
A. A path rule that disallows *.vb? files.
B. A path rule that disallows *.ws? files.
C. A trusted sites rule that allows the local intranet zone.
D. A trusted sites rule that disallows the Internet zone.
E. A path rule that allows \\testking1\scripts\*.vb? files.
Answer: A, B, E
Explanation:
Rules A and B cover all four extensions: .vbs and .vbe match *.vb?, and .wsh and .wsf match *.ws?. Extension wildcards are used rather than folder paths because a user can defeat a folder-based Disallowed rule simply by copying the script somewhere else. Rule E is the exception that keeps network management working: when several path rules match the same file, the most specific one wins, so the Unrestricted rule for \\testking1\scripts\*.vb? takes precedence over the general Disallowed *.vb? rule. Internet zone rules (C and D) apply only to Windows Installer packages, so they do nothing for scripts. To check the result on a client, run gpupdate, then run a test .vbs from the Scripts share and a copy of it from the desktop: the first runs and the second is blocked by the software restriction policy.
Software Restriction Policy
By using the software restriction policy, you allow unknown code, which might contain viruses or code that conflicts with currently installed programs, to run only in a constrained environment (often called a sandbox) where it is disallowed from accessing any security-sensitive user privileges. For example, an e-mail attachment that contains a worm would be prohibited from automatically accessing your address book and therefore could not propagate itself. If the e-mail attachment contained a virus, the software restriction policy would restrict its ability to damage your system because it would be allowed to run only in a constrained environment.
The software restriction policy depends on assigning trust levels to the code that can run on a system. Currently, two trust levels exist: Unrestricted and Disallowed. Code that has an Unrestricted trust level is given unrestricted access to the user's privileges, so this trust level should be applied only to fully trusted code. Code with a Disallowed trust level is disallowed from accessing any security-sensitive user privileges and can run only in a sandbox so that Unrestricted code cannot load the Disallowed code into its address space.
Configuring the software restriction policy for a system is done through the Local Security Policy administrative tool, while the restriction policy configuration of individual COM+ applications is done either programmatically or through the Component Services administrative tool. If the restriction policy trust level is not specified for a COM+ application, the systemwide settings are used to determine the application's trust level.
HOW TO: Use Software Restriction Policies in Windows Server 2003
SUMMARY
This article describes how to use software restriction policies in Windows Server 2003. When you use software restriction policies, you can identify and specify the software that is allowed to run so that you can protect your computer environment from untrusted code. When you use software restriction policies, you can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either allowed or not allowed to run by default. To create exceptions to this default security level, you can create rules for specific software. You can create the following types of rules:
Hash rules
Certificate rules
Path rules
Internet zone rules
How to Create a Path Rule
Click Start, click Run, type mmc, and then click OK.
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
In the Path box, type a path or click Browse to find a file or folder.
In the Security level box, click either Disallowed or Unrestricted.
In the Description box, type a description for this rule, and then click OK.
IMPORTANT: On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.
NOTES:
You may have to create a new software restriction policy setting for this GPO if you have not already done so.
If you create a path rule for a program with a security level of Disallowed, a user can still run the software by copying it to another location.
The wildcard characters that are supported by the path rule are the asterisk (*) and the question mark (?).
You can use environment variables, such as %programfiles% or %systemroot%, in your path rule.
To create a path rule for software when you do not know where it is stored on a computer but you have its registry key, you can create a registry path rule.
To prevent users from running e-mail attachments, you can create a path rule for your mail program's attachment folder that prevents users from running e-mail attachments.
The only file types that are affected by path rules are those that are listed in Designated file types. There is one list of designated file types that is shared by all rules.
For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.
Configuring the Software Restriction Policy
When you explicitly set the software restriction trust levels of a COM+ application, you are overriding the default systemwide settings for the software restriction policy. This is often necessary for COM+ server applications because the systemwide restriction policy is set the same for all server applications (because they all run in the same file, dllhost.exe).
Note: When you set the trust level of a COM+ library application, you are affecting the systemwide software restriction policy for that application. For an overview of how to use the software restriction policy in COM+, see Software Restriction Policy.
To set the software restriction policy
Right-click the COM+ application for which you are setting the restriction policy, and then click Properties.
In the application properties dialog box, click the Security tab.
Under Software Restriction Policy, select the Apply software restriction policy check box to enable setting the trust level; clearing the check box causes COM+ to use the systemwide software restriction policy for the application.
In the Restriction Level box, select the appropriate level. The levels are as follows, ordered from least to most trusted:
Disallowed: The application is disallowed from using the full privileges of the user. Components with any restriction policy trust level can be loaded into it.
Unrestricted: The application has unrestricted access to the user's privileges. Only components with an Unrestricted trust level can be loaded into it.
Click OK.
The trust level you select takes effect the next time the application is started.
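How the three path rules from question 31 resolve against individual files, as an added example written for this page and not Microsoft's software restriction policy engine. It models the documented behaviour: comparisons are case-insensitive, * and ? are the only wildcards, path rules only apply to designated file types, the most specific matching path rule wins, and a tie between conflicting rules goes to the more restrictive level. The designated-type list is a subset assumed for the illustration, and the file paths are constructed.

```python
import fnmatch
import ntpath

# Subset of designated file types, assumed for this illustration.
DESIGNATED_FILE_TYPES = {".vbs", ".vbe", ".wsf", ".wsh", ".js", ".bat", ".cmd", ".exe"}

# The rules chosen in the answer: (pattern, security level).
PATH_RULES = [
    (r"*.vb?", "Disallowed"),                        # rule A
    (r"*.ws?", "Disallowed"),                        # rule B
    (r"\\testking1\scripts\*.vb?", "Unrestricted"),  # rule E, the management exception
]


def _matches(pattern: str, path: str) -> bool:
    # Case-insensitive comparison; fnmatchcase keeps * and ? as wildcards and
    # treats every other character, including backslashes, literally.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def _specificity(pattern: str) -> int:
    # More literal characters means a more specific pattern.
    return sum(1 for ch in pattern if ch not in "*?")


def evaluate(path: str, rules=PATH_RULES, default_level: str = "Unrestricted") -> str:
    """Return the security level the path rules assign to the file at `path`."""
    ext = ntpath.splitext(path)[1].lower()
    if ext not in DESIGNATED_FILE_TYPES:
        return default_level                  # path rules ignore non-designated types
    matches = [(pat, lvl) for pat, lvl in rules if _matches(pat, path)]
    if not matches:
        return default_level
    best = max(_specificity(pat) for pat, _ in matches)
    top = {lvl for pat, lvl in matches if _specificity(pat) == best}
    return "Disallowed" if "Disallowed" in top else "Unrestricted"


if __name__ == "__main__":
    for p in (r"\\testking1\scripts\logon.vbs", r"C:\Temp\invoice.vbs",
              r"C:\Temp\invoice.wsf", r"C:\Temp\notes.txt"):
        print(p, "->", evaluate(p))
```

The share rule wins for \\testking1\scripts\logon.vbs only because it is more specific than *.vb?; a .wsh file in the same share is still blocked, which is why the question's exception is limited to the extension the administrators actually use.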
QUESTION NO: 32
You are a security administrator for TestKing. TestKing has offices in New York, San Francisco, and Toronto. The network consists of a single Active Directory domain named testking.com. Each office is configured as an Active Directory site. All servers run Windows Server 2003. All client computers run Windows XP Professional.
Users in the Toronto office work in the research department. User objects for users who work in the research department are stored in an organizational unit (OU) named Toronto. Users in other offices frequently travel to the Toronto office for meetings and training.
TestKing's written security policy requires that the following settings be enforced on computers at the Toronto office:
A warning message that reminds users to protect TestKing information must be displayed before users log on.
Domain controller authentication is required when users unlock client computers.
The highest possible level of authentication must be used on the network at all times.
You create a new Group Policy object (GPO) named TorontoSecurity to meet the requirements of the written security policy.
Users who travel to the Toronto office report that they are not presented with the warning message and that their screen savers do not require a password to deactivate.
You need to ensure that the written security policy is enforced for other users only when they travel to the Toronto office. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Link the TorontoSecurity GPO to the Toronto OU.
B. Link the TorontoSecurity GPO to the domain.
C. Configure a logon script to apply a custom security template when users travel to the Toronto office.
D. Link the TorontoSecurity GPO to the Toronto site.
Answer: A
Explanation:
Linking the GPO to the domain (B) would enforce the Toronto settings in every office, and a logon script (C) cannot tell where a user is sitting and would have to be maintained by hand. Note that the logon warning message and the requirement for domain controller authentication to unlock a workstation are Computer Configuration security options: they follow the computer object, not the user who logs on. Before choosing between the OU link and the site link, check which objects the Toronto OU actually contains; the question says it holds the research users' user objects, whereas a link to the Toronto site reaches every computer located in that office regardless of OU, which is what makes the settings apply to whoever logs on there. In either case the inheritance and precedence rules below decide what a visiting user finally receives.
Deploying and Troubleshooting Security Templates
If multiple Group Policy objects are linked to a single domain, site, or OU, verify that the order in which the policies are applied is correct. If there are conflicting settings in different policies, the higher policy in the list has higher precedence and will overwrite conflicting settings from other policies.
Standard Group Policy inheritance
In general, Group Policy is passed down from parent to child containers within a domain. Group Policy is not inherited from parent to child domains. For example, Group Policy is not inherited from cohowinery.com to accounting.cohowinery.com. However, if you assign a specific Group Policy setting to a high-level parent container, that Group Policy setting applies to all containers beneath the parent container, including the user and computer objects in each container. If a policy setting is defined for a parent organizational unit and the same policy setting is not defined for a child organizational unit, the child inherits the parent's enabled or disabled policy setting. If you explicitly specify a Group Policy setting for a child container, the child container's Group Policy setting overrides the parent container's setting. When multiple GPOs apply, and they do not have a parent/child relationship, the policies are processed in this order: local, site, domain, organizational unit.
If a policy setting that is applied to a parent organizational unit and a policy setting that is applied to a child organizational unit are compatible, the child organizational unit inherits the parent policy setting, and the child's setting is also applied. If a policy setting that is configured for a parent organizational unit is incompatible with the same policy setting that is configured for a child organizational unit (because the setting is enabled in one case and disabled in the other), the child does not inherit the policy setting from the parent. The policy setting in the child is applied.
You can block policy inheritance at the domain or OU level by opening the properties dialog box for the domain or organizational unit and selecting the Block Policy Inheritance check box. You can enforce policy inheritance by setting the No Override option on a GPO link. When you select the No Override check box, you force all child policy containers to inherit the parent's policy, even if that policy conflicts with the child's policy and even if Block Inheritance has been set for the child. You can set No Override on a GPO link by opening the properties dialog box for the site, domain, or organizational unit and making sure that the No Override check box is selected.
Exam Tip: Policies that are set to No Override cannot be blocked; know this for the exam!
Group Policy inheritance with security groups
You cannot link Group Policy objects directly to a security group. You can, however, use security group membership to allow or disallow members of the group from applying a Group Policy object. In this way, you can control which users receive a Group Policy object by placing them into specific groups.
By default, all Authenticated Users are authorized to apply a Group Policy object.
Therefore, to allow only specific groups to apply a GPO, you must first remove the default permissions for Authenticated Users, and then grant permissions for the specific groups to apply the GPO.
HOW TO: Administer GPOs in Windows 2000
How to Link a GPO to a Site, a Domain, or an Organizational Unit
To link a GPO to a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Alternatively, to link a GPO to a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Right-click the site, the domain, or the organizational unit to which the GPO should be linked.
Click Properties, and then click the Group Policy tab.
To add the GPO to the Group Policy Object Links list, click Add.
Click the All tab, click the GPO that you want to add, click OK, and then click OK.
NOTE: You link a GPO to specify that its settings apply to users and computers in the site, the domain, or the organizational unit, and to users and computers in Active Directory containers that inherit data from the site, the domain, or the organizational unit.
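The precedence rules above (local, site, domain, OU order; first link in a container's list wins; Block Policy Inheritance discards links from above; No Override cannot be blocked and the highest-level No Override link wins) worked through in code, as an added example written for this page rather than the Windows policy engine. The container layout and the GPO contents are invented to match the Toronto scenario in question 32, and the local GPO is modelled as always processed.

```python
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    name: str
    settings: dict                 # setting name -> value
    no_override: bool = False      # the No Override check box on the link


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # highest precedence first, as in the Group Policy tab
    block_inheritance: bool = False


def effective_policy(local: dict, chain: list) -> dict:
    """chain runs from the site down to the deepest OU holding the target object.
    Returns setting -> (value, name of the winning GPO)."""
    result = {k: (v, "Local GPO") for k, v in local.items()}

    # Block Policy Inheritance at the deepest container that sets it discards every
    # ordinary link from the containers above it.
    cutoff = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            cutoff = i

    # Ordinary links: site, then domain, then OUs, so deeper containers override.
    # Within one container the link listed first wins, so apply the list in reverse.
    for c in chain[cutoff:]:
        for link in reversed(c.links):
            if not link.no_override:
                for k, v in link.settings.items():
                    result[k] = (v, link.name)

    # No Override links ignore blocking and are applied last, deepest container
    # first, so the highest-level enforced link ends up winning any conflict.
    for c in reversed(chain):
        for link in reversed(c.links):
            if link.no_override:
                for k, v in link.settings.items():
                    result[k] = (v, link.name)
    return result


def toronto_example(no_override: bool) -> dict:
    """Constructed scenario: TorontoSecurity linked at the Toronto site, a domain
    policy at testking.com, and a Toronto OU that blocks inheritance."""
    site = Container("Toronto site", [GpoLink(
        "TorontoSecurity",
        {"LogonMessage": "Protect TestKing information", "RequireDCAuthToUnlock": True},
        no_override=no_override)])
    domain = Container("testking.com", [GpoLink(
        "Default Domain Policy", {"LogonMessage": "", "ScreenSaverPassword": False})])
    ou = Container("Toronto OU", [GpoLink("ResearchDesktop", {"ScreenSaverPassword": True})],
                   block_inheritance=True)
    return effective_policy({"LogonMessage": ""}, [site, domain, ou])


if __name__ == "__main__":
    for flag in (False, True):
        print("No Override =", flag)
        for k, v in sorted(toronto_example(flag).items()):
            print(f"  {k}: {v[0]!r} from {v[1]}")
```

With the OU blocking inheritance, the site-linked GPO only reaches the Toronto objects when its link is set to No Override; without it the warning message silently stays at the local default, which is exactly the symptom the travelling users reported.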
QUESTION NO: 33
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All servers are members of the domain.
TestKing plans to deploy a new application named App1. The application runs on servers. To test the compatibility between App1 and other applications that run on the servers, you need to change several file and registry permissions in the Windows folder on the servers. A security template named TestPerms contains the file and registry permissions that need to be set for the application testing.
You create a new Group Policy object (GPO) named TestApp. You import the TestPerms security template into the TestApp GPO. You link the TestApp GPO to an organizational unit (OU) that contains only the servers that are used for the test.
You need to ensure that the file and registry permissions are set to the permissions in the TestPerms security template only during application testing.
What should you do when the application testing ends?
A. Disable the computer configuration settings in the TestApp GPO.
B. Disable the TestApp GPO link to the OU.
C. Unlink the TestApp GPO from the OU.
D. Delete the TestApp GPO, and then run the gpupdate.exe /sync command.
E. Delete the TestApp GPO, and then apply a security template that contains the original permissions.
Answer: C
Explanation:
Real World: Application testing is an iterative process, which means it will be done again, so if the GPO is deleted it will have to be recreated. Unlinking the GPO takes it out of scope for the test servers while keeping it available for the next round of testing. One caveat to keep in mind: file system and registry permissions applied through Security Settings are not reverted when the GPO goes out of scope. Unlinking stops further enforcement of TestPerms, but the ACLs already written to the Windows folder remain until you reapply the original permissions (the idea behind option E) or rebuild the servers, so keep a template of the pre-test permissions before the first test run.
Best practices for Group Policy objects
Do not process policy settings that are not configured. If a Group Policy object contains only settings that are set to Not Configured, you can avoid processing these settings by disabling User Configuration or Computer Configuration. This expedites the startup and logon processes for those users and computers that are subject to the Group Policy object. For more information, see To disable the User Configuration settings in a Group Policy object, To disable the Computer Configuration settings in a Group Policy object, User Configuration and Computer Configuration.
(Group Policy object: A collection of Group Policy settings. GPOs are essentially the documents created by the Group Policy Object Editor. GPOs are stored at the domain level, and they affect users and computers that are contained in sites, domains, and organizational units. In addition, each computer has exactly one group of policy settings stored locally, called the local Group Policy object.)
To prevent an entire Group Policy object from affecting a site, domain, or organizational unit, see To unlink a Group Policy object from a site, domain, or organizational unit and To disable a Group Policy object link. With these procedures, you can enable or re-link the Group Policy object.
If you never want to use a certain Group Policy object again, see To delete a Group Policy object.
QUESTION NO: 34
You are a security administrator for TestKing. The network is configured as shown in the following diagram.
TestKing uses a Web application named App1 that is hosted on a Windows Server 2003 computer named Web1. App1 is accessed by users on the Internet. App1 allows users to enter data in an HTML form. The form then saves the data in a Microsoft SQL Server 2000 database hosted on a Windows Server 2003 computer named SQL1. Web1 requires that all HTTP connections use SSL.
TestKing uses a firewall that automatically allows replies to established connections.
You need to configure the firewall to allow users to access App1. You must ensure that network security remains as strong as possible. You want to achieve this goal by using the minimum number of rules.
How should you configure the firewall?
To answer, drag the appropriate firewall rule element or elements to the correct location or locations in the work area.
Answer:
Explanation:
Client port to TCP 443: from any client on the Internet to Web1 over SSL/HTTPS. Web1 requires SSL for every HTTP connection, so no rule for TCP 80 is needed.
Web1 port to TCP 1433: from Web1 (any source port) to SQL1 on TCP 1433, the default port on which SQL Server 2000 listens for TCP/IP (TDS) client connections. SQL1 has no certificate and is not configured for SSL, so the Web1 to SQL1 traffic is plain TDS; it does not use HTTP, and it does not need the RPC endpoint mapper on TCP 135, which is only involved for RPC-based (named pipes) connections.
TCP 443 to client port and TCP 1433 to Web1 port: these are the replies to the two connections above. Because the firewall automatically allows replies to established connections, they need no explicit rule. Adding them would only enlarge the rule set, and a broad "SQL1 to Web1" or "Web1 to any" rule would also let those servers initiate connections outward, which weakens security. The minimum set is therefore the two inbound rules above, with each rule restricted to a single destination host and port.
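The following is an added example, not part of the TestKing page, that models the Question 34 rule set as a minimal stateful packet filter. It shows that with the two explicit rules (any client to Web1 TCP 443, Web1 to SQL1 TCP 1433) the reply packets are admitted from the connection table rather than from extra rules, while a direct Internet connection to SQL1 on 1433, plain HTTP to Web1, and an unsolicited connection from SQL1 back to Web1 are all dropped. The host names, ephemeral ports and rule syntax are assumptions made for the illustration.

```python
# Added example (not part of the TestKing page): a minimal stateful packet
# filter that models the Question 34 rule set.  Host names, ephemeral port
# numbers and the rule syntax are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


@dataclass(frozen=True)
class Rule:
    src: str    # host name, or "any"
    dst: str
    dport: int  # destination TCP port; the source port is always "any"


class StatefulFirewall:
    """Rules are consulted only for new connections (SYN).  Replies are
    matched against the connection table instead, which is what the question
    means by "automatically allows replies to established connections"."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.table = set()  # (src, sport, dst, dport) of accepted connections

    def _rule_allows(self, p):
        return any(
            (r.src == "any" or r.src == p.src) and r.dst == p.dst and r.dport == p.dport
            for r in self.rules
        )

    def filter(self, p):
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.table or reverse in self.table:
            return "ACCEPT:established"
        if p.syn and self._rule_allows(p):
            self.table.add(forward)
            return "ACCEPT:rule"
        return "DROP"


# The two explicit rules the question asks for.
APP1_RULES = [
    Rule("any", "Web1", 443),    # Internet users -> Web1 over HTTPS
    Rule("Web1", "SQL1", 1433),  # Web1 -> SQL Server 2000 default TDS port
]


def run_app1_scenario():
    """Pass a constructed packet sequence through the filter and return the
    decision for each step, keyed by a short description."""
    fw = StatefulFirewall(APP1_RULES)
    steps = [
        ("client->Web1:443 SYN", Packet("client", 51234, "Web1", 443, syn=True)),
        ("Web1:443->client reply", Packet("Web1", 443, "client", 51234)),
        ("Web1->SQL1:1433 SYN", Packet("Web1", 49152, "SQL1", 1433, syn=True)),
        ("SQL1:1433->Web1 reply", Packet("SQL1", 1433, "Web1", 49152)),
        ("client->Web1:80 SYN", Packet("client", 51235, "Web1", 80, syn=True)),
        ("Internet->SQL1:1433 SYN", Packet("attacker", 40000, "SQL1", 1433, syn=True)),
        ("SQL1->Web1:445 SYN", Packet("SQL1", 50000, "Web1", 445, syn=True)),
    ]
    return {name: fw.filter(p) for name, p in steps}


if __name__ == "__main__":
    for name, decision in run_app1_scenario().items():
        print(f"{name:26} {decision}")
```

The reply packets carry no SYN and match no rule; they are accepted only because the forward connection was recorded when its first packet passed a rule. That is why the two reply rules in the drag-and-drop area are redundant on a firewall that tracks established connections.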
QUESTION NO: 35
You are a security administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.
One thousand users in the company use an application named App1. App1 is installed on each user's client computer. App1 uses a configuration file named App1Config.inf. This file is stored in the Systemroot\Program Files\App1 folder on each client computer. Users report that when they attempt to make configuration changes to App1, they sometimes receive an Access Denied message. You examine the properties of the App1Config.inf file on one client computer. The file is configured as shown in the exhibit.
You need to ensure that users can make configuration changes to App1. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. On each client computer, assign the TESTKING\Domain Users group the Allow - Write permission for the App1Config.inf file.
B. Modify the Default Domain Policy Group Policy object (GPO).
Create a new File System security policy entry that assigns the TESTKING\Domain Users group the Allow - Write permission for the App1Config.inf file.
C. Modify the Default Domain Controllers Policy Group Policy object (GPO).
Create a new File System security policy entry that assigns the TESTKING\Domain Users group the Allow - Write permission for the App1Config.inf file.
D. Create a new logon script that runs the Xcacls.exe command.
Use this command to assign the TESTKING\Domain Users group the Allow - Write permission for the App1Config.inf file.
Include the logon script in the Default Domain Policy Group Policy object (GPO).
Answer: B
Explanation:
App1Config.inf lives on each user's client computer, so the permission change has to reach the clients. The Default Domain Controllers Policy GPO (C) applies only to the domain controllers and will not help. Visiting one thousand computers to set the permission by hand (A), or maintaining a logon script that runs Xcacls.exe (D) to adjust the permissions on a single file, is administratively prohibitive; a logon script also runs with the user's own rights, so it could not change the ACL on a file the user is already denied access to. A File System security policy entry in the Default Domain Policy GPO is applied by Group Policy to every client in the domain and is re-applied on each security-settings refresh.
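The following is an added example, not part of the TestKing page, that parses the kind of entry a File System security policy writes into its security template ([File Security] section, one line per path with the ACL as an SDDL string) and runs a simplified Windows access check against it. It shows why the original ACL (Users with read and execute only) produces Access Denied, that the added Domain Users entry from answer B grants write, and that an explicit deny ACE placed ahead of the allow still wins. The file path, the ACLs, the token contents and the well-known SID abbreviations used in the token are constructed for the illustration; the mode digit in the template line is carried through but not interpreted.

```python
# Added example (not part of the TestKing page): parse a [File Security]
# template entry (path, mode, SDDL) and decide whether a user's token can write
# the file.  Path, ACLs and token contents are constructed for illustration.
import re

# SDDL rights tokens used here -> access-mask bits, and how the generic bits
# expand on a file object.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
GENERIC_TO_FILE = [(0x10000000, 0x001F01FF), (0x80000000, 0x00120089),
                   (0x40000000, 0x00120116), (0x20000000, 0x001200A0)]
WRITE_BITS = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA

TEMPLATE_LINE = re.compile(r'^"(?P<path>[^"]+)",(?P<mode>\d),"(?P<sddl>[^"]+)"$')
ACE = re.compile(r"\(([^)]*)\)")


def parse_template_entry(line):
    """Split one [File Security] line into (path, mode, sddl)."""
    m = TEMPLATE_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a [File Security] entry: {line!r}")
    return m["path"], int(m["mode"]), m["sddl"]


def parse_rights(text):
    """Rights field of an ACE (hex or two-letter tokens) -> file-specific mask."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for i in range(0, len(text), 2):
            mask |= RIGHTS[text[i:i + 2]]
    for generic, specific in GENERIC_TO_FILE:
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, mask, sid)] from the D: component, in ACL order."""
    start = sddl.find("D:")
    if start < 0:
        return []
    body = sddl[start + 2:]
    depth, cut = 0, len(body)
    for i, ch in enumerate(body):  # stop at a SACL ("S:") outside any ACE
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and body.startswith("S:", i):
            cut = i
            break
    aces = []
    for fields in ACE.findall(body[:cut]):
        ace_type, _flags, rights, _obj, _inh, sid = fields.split(";")[:6]
        aces.append((ace_type, parse_rights(rights), sid))
    return aces


def access_check(sddl, token_sids, desired):
    """Simplified Windows access check: walk the DACL in order; a matching deny
    of any still-missing desired bit fails, allows accumulate.  A descriptor
    without a DACL is treated here as denying everything."""
    granted = 0
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & desired & ~granted:
            return False
        if ace_type == "A":
            granted |= mask & desired
            if granted == desired:
                return True
    return granted == desired


def can_write(template_line, token_sids):
    _path, _mode, sddl = parse_template_entry(template_line)
    return access_check(sddl, token_sids, WRITE_BITS)


# Constructed entries.  BEFORE gives Users (BU) read & execute only (0x1200a9),
# which is what produces the Access Denied; AFTER adds the Domain Users (DU)
# entry from answer B with modify (0x1301bf); DENIED shows a deny ACE winning.
BEFORE = r'"%SystemRoot%\Program Files\App1\App1Config.inf",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)"'
AFTER = r'"%SystemRoot%\Program Files\App1\App1Config.inf",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)(A;;0x1301bf;;;DU)"'
DENIED = r'"%SystemRoot%\Program Files\App1\App1Config.inf",2,"D:PAR(D;;FW;;;DU)(A;;FA;;;DU)"'

# Token of an ordinary domain user on a domain-joined client (Domain Users is a
# member of the local Users group, so both SIDs are present) and of an admin.
DOMAIN_USER = {"DU", "BU", "AU", "WD"}
ADMIN = DOMAIN_USER | {"BA"}

if __name__ == "__main__":
    for label, entry in (("before", BEFORE), ("after", AFTER), ("deny", DENIED)):
        print(f"{label:7} domain user can write: {can_write(entry, DOMAIN_USER)}")
```

The check walks ACEs in the order the DACL lists them, which is why an explicit deny ahead of an allow blocks the write even though a later ACE would grant it; when adding the Domain Users entry through the policy, confirm that no deny ACE for the same group is inherited onto the file.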