1. You are the network administrator for Alecnet .com. The network consists of a single Active Directory domain Alecnet .com. The network contains two Windows Server 2003 domain controllers, two Windows 2000 Server domain controllers, and two Windows NT Server 4.0 domain controllers.
All file servers for the finance department are located in an organizational unit (OU) named Finance Servers. All file servers for the payroll department are located in an OU named Payroll Servers. The Payroll Servers OU is a child OU of the Finance Servers OU.
Alecnet 's written security policy for the finance department states that departmental servers must have security settings that are enhanced from the default settings. The written security policy for the payroll department states that departmental servers must have enhanced security settings from the default settings, and auditing must be enabled for file or folder deletion.
You need to plan the security policy settings for the finance and payroll departments.
What should you do?
A. Create a Group Policy object (GPO) to apply to the Compatws.inf security template to computer objects, and
link it to the Finance Servers OU.
Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the
Payroll Servers OU.
B. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and
link it to the Finance Servers OU.
Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the
Payroll Servers OU.
C. Create a Group Policy object (GPO) to apply to the Compatws.inf security template to computer objects, and
link it to the Finance Servers OU.
Create a second GPO to apply the Hisecws.inf security template to computer objects, and link it to the Payroll
Servers OU.
D. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and
link it to the Finance Servers and to the Payroll Servers OUs.
Create a second GPO to enable the
Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.
Answer: B
|
2. You are the network admin for Alecnet . Your network contains 50 application servers that run Windows Server 2003.
The security configuration of the application servers is not uniform. The application servers were
deployed by local administrators who configured the setting for each of the application servers
differently based on their knowledge and skill. The application servers are configured with different authentication methods, audit settings and account policy settings.
The security team recently completed a new network security design. The design includes a baseline configuration for security settings on all servers. The baseline security settings use the hisecws.inf predefined security template. The design also requires modified settings for servers in an application server role. These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. The security team created a security template named application.inf that contains the required settings.
You need to plan the deployment of the new security design. You need to ensure that all security settings for the application servers are standardized, and that after the deployment, the security settings on all application servers meet the design requirements. What should you do?
A. Apply the setup security.inf template first, the hisecws.inf template next, and then the application.inf
template
B. Apply the Application.inf template and then the Hisecws.inf template.
C. Apply the Application.inf template first, then setup.inf template next, and then the hisecws.inf template
D. Apply the Setup.inf template and then the application.inf template
Answer: A.
|
3. Your network contains Terminal servers that host legacy applications that require users to be members of the Power Users group in order to run them.
A new company policy states that the Power Users Group must be empty on all servers. You need to maintain the ability to run legacy applications on your servers when the new security requirement is enabled. What should you do?
A. Add the domain users global group to the Remote Desktop Users built-in group in the domain
B. Add the domain users global group to the Remote Desktop Users local group on each terminal server
C. Modify the compatws.inf security template settings to allow members of the local users group to run the
applications. Import the security settings into the default Domain Controllers Group Policy Object.
D. Modify the compatws.inf security template settings to allow members of the local users group to run the
applications. Apply the modified template to each terminal server
Answer: D
|
4. You are the network administrator for Alecnet .com. The network consists of a single Active Directory domain named Alecnet .com. The functional level of the domain is Windows Server 2003. The domain contains an organizational unit (OU) named Servers that contains all of Alecnet 's Windows Server 2003 resource servers. The domain also contains an OU named Workstations that contains all of Alecnet 's Windows XP Professional client computers.
You configure a baseline security template for resource servers named Server.inf and a baseline security template for client computers named Workstation.inf. The Server.inf template contains hundreds of settings, including file and registry permission settings that have inheritance propagation enabled. The Workstation.inf template contains 20 security settings, none of which contain file or registry permissions settings.
The resource servers operate at near capacity during business hours.
You need to apply the baseline security templates so that the settings will be periodically enforced. You need to accomplish this task by using the minimum amount of administrative effort and while minimizing the performance impact on the resource servers.
What should you do?
A. Create a Group Policy object (GPO) and link it to the domain.
Import both the Server.inf and the Workstation.inf templates into the GPO.
B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy Group Policy
object (GPO).
C. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak
hours by using the secedit command.
Create a Group Policy object (GPO) and link it to the Workstations OU.
Import the Workstation.inf template into the GPO.
D. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak
hours by using the secedit command.
Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO).
Answer: C
|
5. You are a network administrator for Alecnet . The network consists of a single Active Directory domain named Alecnet .com. The network contains 80 Web servers that run Windows 2000 Server. The IIS ockdown Wizard is run on all Web servers as they are deployed.
Alecnet is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers.
You are planning a baseline security configuration for the Web servers. The company's written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled:
1. SMTP
2. Telnet
Your plan for the baseline security configuration for Web servers must comply with the written security
policy.
You need to ensure that unnecessary services are always disabled on the Web servers.
What should you do?
A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services.
Link the GPO to the Web Servers OU.
B. Create a Group Policy object (GPO) and import the Hisecws.inf security template.
Link the GPO to the Web Servers OU.
C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled.
Link the GPO to the Web Servers OU.
D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services.
Link the GPO to the Web Servers OU.
Answer: C
|
6. You are the network admin for Alecnet . All servers run Windows Server 2003.
Every week, you run the mbsacli.exe /hf command to ensure that all servers have the latest critical
updates installed. You run the mbsaclie.exe /hf command from a server named server1.
When you scan a server named Alecnet B you receive the following error message stating Error 200,
System not found, Scan failed.
When you ping Alecnet B you receive a reply.
You need to ensure that you can scan Alecnet B by using the mbsacli.exe /hf.
What should you do?
A. Copy the latest version of the Mssecure.xml to the program files\microsoft baseline security analyzer folder
on server1
B. Ensure that the Server service is running on Alecnet B
C. Install IIS common files on Server1
D. Install the latest version of IE on Alecnet B
Answer: B
|
|
8.You are the network administrator for Alecnet . The network consists of a single Active Directory domain named Alecnet .com. The network contains 10 application servers that run Windows Server 2003.
The application servers are accessed from the Alecnet network and from the Internet. The network design requires that the application servers must have specifically configured security settings, including the password policy, audit policies, and security options settings. You create a security template named App.inf that contains the security settings required by the network design.
You are concerned that an unauthorized user will modify the configuration and gain access to the
application servers. You want to capture any changes made to the security settings of the application servers.
You need to generate a report that compares the current settings of each application server with the required settings every 24 hours.
What should you do?
A. Use a Group Policy startup script to run the secedit command in analysis mode with the App.inf template,
and set the Group Policy refresh interval for computers to 24 hours.
B. Import the App.inf template into Group Policy, and set the Group Policy refresh interval for computers to 24
hours.
C. Use Task Scheduler to run the gpresult command in verbose mode every 24 hours.
D. Use a custom script in Task Scheduler to run the secedit command in analysis mode with the App.inf
template
every 24 hours.
Answer: D
|
9. You are the network administrator for Alecnet 's Active Directory domain. Alecnet 's written security
policy was updated and now requires a minimum of NTLM v2 for LAN manager authentication.
You need to identify which Operating Systems on your network do not meet the new requirement
Which OS would require an upgrade to the OS or software to meet the requirement?
A. Windows 2000 Professional
B. Windows Server 2003
C. Windows XP Professional
D. Windows NT Workstation with service pack 5
E. Windows 95
Answer: E.
|
10. You are a network administrator for Alecnet Inc. The network consists of a single Active Directory forest as shown in the exhibit.
Alecnet 's written security policy requires that all domain controllers in the child1. Alecnet .com domain.
start a domain controller to the Domain Admins group.
You need to configure the domain controllers in the child1. Alecnet .com domain to meet the new security requirements.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object
(GPO) on the child1. Alecnet .com domain.
B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in the
child1. Alecnet .com domain.
C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy object
(GPO) in the child1. Alecnet .com domain.
D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in the
child1. Alecnet .com domain.
E. Run the system key utility (syskey) on each domain controller in the child1. Alecnet .com domain.
In the Account Database Key dialog box, select the Password Startup option.
F. Run the system key utility (syskey) on each domain controller in the child1. Alecnet .com domain.
In the Account Database Key dialog box, select the Store Startup Key Locally option.
Answer: C, E |
11. You are a network administrator for Alecnet . The network consists of a single Active Directory forest.
All domain controllers run Windows Server 2003.
The bank decides to provide access to its mortgage application services from a real estate agency that has offices throughout the country. You install a Alecnet domain controller in each real estate agency office.
You need to further protect the domain controllers' user account databases from unauthorized access.
You want to achieve this goal by using the minimum amount of administrative effort.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Use the system key utility (syskey) with the most secure security level on the domain controllers.
B. Create a Group Policy object (GPO), import the Securedc.inf security template, and apply the GPO to the
domain controllers.
C. Create a Group Policy object (GPO), configure the Network security: LAN Manager authentication level
security option to the Send NTLMv2 response only\refuse LM setting, and apply the GPO to the domain
controllers.
D. Create a Group Policy object (GPO), import the DC security.inf security template, and apply the GPO to the
domain controllers.
Answer: A, B |
12. You are the network administrator for Alecnet . The network consists of a single Active Directory domain Alecnet .com. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional.
Alecnet has legacy applications that run on UNIX servers. The legacy applications use the LDAP protocol to query Active Directory for employee information.
The domain controllers are currently configured with the default security settings. You need to configure enhanced security for the domain controllers. In particular, you want to configure stronger password settings, audit settings, and lockout settings. You want to minimize interference with the proper functioning of the legacy applications.
You decide to use the predefined security templates. You need to choose the appropriate predefined security template to apply to the domain controllers.
What should you do?
A. Apply the Setup security.inf template to the domain controllers.
B. Apply the DC security.inf template to the domain controllers.
C. Apply the Securedc.inf template to the domain controllers.
D. Apply the Rootsec.inf template to the domain controllers.
Answer: C |
13. You are the administrator of the Alecnet company network. The network consists of a single active directory domain named Alecnet .com. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional.
The company purchases 10 new servers to function as file servers for the domain.
You install Windows Server 2003 on the new servers. The computer accounts for the file servers are located on an OU named File Servers. A security expert configures one of the servers named CKFile1 with various security settings. You need to apply and maintain the same security settings on the remaining 9 servers. You need to do this by using the minimum amount of administrative effort.
What should you do? (Choose two)
A. Use disk imaging software to take an image of CKFile1. Apply the disk image to the remaining 9 servers.
B. Use gpedit.msc to create a new Group Policy object (GPO). Manually configure the GPO with the same
security settings as CKFile1. Link the GPO to the File Servers OU.
C. Use gpedit.msc to create a new Group Policy object (GPO). Import the security template into the Security
Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU.
D. On the PDC Emulator, use Security Configuration and Analysis to export the security settings to a security
template.
E. On CKFile1, use Security Configuration and Analysis to export the security settings to a security template.
Answer: C, E
|
14. You are the administrator of the Alecnet company network. The network consists of a single Active Directory domain Alecnet .com. The network includes 30 servers running Windows Server 2003 and 2000 client computers running Windows XP Professional.
20 member servers are located in an organisational unit (OU) named Servers. 10 domain controllers are in the default Domain Controllers container. All 2000 client computers are located in an organisational unit (OU) named Clients.
The member servers are configured with the following security settings:
1. Logon events must be audited.
2. System events must be audited.
3. Passwords for local user accounts must meet complexity requirements.
4. Passwords must be changed every 30 days.
5. Password history must be enforced.
6. Connections to the servers must be encrypted.
The written security policy states that you need to be able to verify the custom security settings during audits. You need to deploy and refresh the custom security settings on a routine basis.
What should you do?
A. Create a custom security template and apply it by using a Group Policy linked to the Servers OU.
B. Create a custom security template and apply it by using a Group Policy linked to the domain.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A |
15. Alecnet has a single active directory domain named Alecnet .com.
The company's written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed.
You create a security template named fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action if needed. You audit a file server by using fileserver.inf
and receive the results shown in the exhibit.
You want to make only the changes that are required to meet the requirements. Which two actions
should you take?
A. Correct the maximum application log size setting on the file server
B. Correct the maximum security log size setting on the file server
C. Correct the maximum system log size setting on the file server
D. Correct the retention method for application log setting on the file server
E. Correct the retention method for the security log setting on the file server
F. Correct the retention method for the system log setting for the file server
Answer: B, E.
|
16. You are the network administrator for Alecnet . The network consists of a single Active Directory domain named Alecnet .com. Alecnet 's perimeter network contains 50 Web servers that host the company's public Internet site. The Web servers are not members of the domain.
The network design team completed a new design specification for the security of servers in specific roles.
The network design requires that security settings must be applied to Web servers. These settings include password restrictions, audit settings, and automatic update settings.
You need to comply with the design requirements for securing the Web servers. You also want to be able to verify the security settings and generate a report during routine maintenance. You want to achieve these goals by using the minimum amount of administrative effort.
What should you do?
A. Create a custom security template named Web.inf that contains the required security settings.
Create a new organizational unit (OU) named WebServers and move the Web servers into the new OU.
Apply Web.inf to the WebServers OU.
B. Create a custom security template named Web.inf that contains the required security settings, and deploy
Web.inf to each Web server by using Security Configuration and Analysis.
C. Create an image of a Web server that has the required security settings, and replicate the image to each Web
server.
D. Manually configure the required security settings on each Web server.
Answer: B |
17. You are the network administrator for Alecnet . The network consists of a single Active Directory domain named Alecnet .com.
The company plans to deploy 120 Windows Server 2003 member servers as file servers in the domain.
The new file servers will be located in a single organizational unit (OU) named File Servers.
The security department provides you with a security template that must be applied to the new file servers.
You need to apply and maintain the security settings contained in the security template to the new file servers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. On a reference computer, use the Local Security Settings console to import the security template.
Use imaging technology to install and configure the new file servers based on the configuration of the reference
computer.
B. On a reference computer, run the secedit command to apply the security template.
Make use of imaging technology to install and configure the new file serves based on the configuration of the
reference computer.
C. Create a new Group Policy object (GPO).
Import the security template into the Security Settings of the Computer Configuration section of the GPO.
Link the GPO to the File Servers OU.
D. On the PDC emulator master in the domain, run the secedit command to apply the security template.
Answer: C |
18. You are the network administrator for Alecnet . Alecnet is deploying a public Web server farm on Windows Server 2003 computers. This Web server farm will allow the public to view company information. The Web servers in the Web server farm will be placed in Alecnet 's perimeter network, which uses a public Internet address space.
Alecnet wants to reduce the probability of external unauthorized users breaking into the public Web servers.
You need to make the Web servers less vulnerable to attack. You also want to ensure that the public will be able to view information that is placed in Alecnet 's perimeter network.
What should you do?
A. Configure each Web server's IP address to a private reserved Internet address.
B. Configure the Web servers to allow only IPSec communications.
C. Disable any unneeded services on the Web servers.
D. Disable TCP/IP filtering on all adapters in the Web servers.
Answer: C
|
19. You are the network administrator for Alecnet . The network consists of a single Active Directory domain named Alecnet .com. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003.
The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication.
You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits.
What should you do?
A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A |
20. Alecnet is a network administrator for Alecnet . The network consists of a single Active Directory domain Alecnet .com. The network contains 12 domain controllers and 50 servers in the application server roles. All servers run Windows Server 2003.
The application servers are configured with custom security settings that are specific to their roles as application servers. Applications servers are required to audit account logon events, object access events, and system events. Application servers required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication.
Jack needs to deploy and refresh the custom security settings on a routine basis. She also needs to be able
to verify the customer security settings during audits.
What actions should Alecnet take?
A. She should create a custom security template and apply it by using Group Policy.
B. She should create a customer IPSec policy and assign it by using Group Policy.
C. She should create and apply a custom Administrative Template.
D. She should create a custom application server image and deploy it by using RIS.
Answer: A
|
21. You are the network administrator for Alecnet . The network consists of a single Active Directory domain Alecnet .com. Alecnet has an internal network and a perimeter network. The internal network is protected by a firewall. Application servers on the perimeter network are accessible from the Internet.
You are deploying 10 Windows Server 2003 computers in application server roles. The servers will be located in the perimeter network and will not be members of the domain. The servers will host only publicly available Web pages.
The network design requires that custom security settings must be applied to the application servers.
These custom security settings must be automatically refreshed every day to ensure compliance with the design.
You create a custom security template named Baseline1.inf for the application servers. You need to comply with the design requirements.
What should you do?
A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO).
B. Create a task on each application server that runs Security and Configuration Analysis with Baseline1.inf
every day.
C. Create a task on each application server that runs the secedit command with Baseline1.inf every day.
D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the secedit
command with Baseline1.inf.
Answer: C
|
|
|
22. You are a consultant for several different companies. You design the security policies for the computers running Windows 2003 Server and Windows 2000 Professional in your customers' networks.
You use these security policies to configure a server named Server1. You want to deploy the security configuration on Server1 to computers in your customer's networks by using the least amount of administrative effort.
What should you do first?
A. Create a Group Policy Object (GPO) that configures the security settings for all computers to match the
settings on Server1, and then link the GPO to the domain.
Export the console list to a file.
B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security template in a
file.
C. In the System Information snap-in, save the system summary as a system information file.
D. In the Security Templates snap-in, export the console list to a file.
Answer: B |
23. You are the network administrator for Alecnet .com. Alecnet has 20,000 users in 20 physical locations worldwide. Alecnet is expecting to grow by 50 percent the next five years. Alecnet recently became a subsidiary of Humongous Insurance. Humongous Insurance has five other subsidiaries. Humongous Insurance has 100,000 users in 100 physical locations worldwide. Humongous Insurance uses the 10.0.0.0/8 network and requires that all subsidiaries integrate into this network.
The network design team at Alecnet provides you with a network design for integrating into the
Humongous Insurance network. The design specifies that Alecnet will use a single block of IP network numbers to assign IP addresses to its network.
You need to plan the IP address space to meet the design specification. You need to request a block of IP addresses from Humongous Insurance that will accommodate all Alecnet users. To reduce the difficulty of obtaining the addresses and to conserve the Humongous Insurance address space, you want to request the smallest block of IP addresses that meets the design specification.
What should you do?
A. Request a 10.0.0.0 block of IP addresses with an 8-bit subnet mask from Humongous Insurance.
B. Request a 10.0.0.0 block of IP addresses with a 16-bit subnet mask from Humongous Insurance.
C. Request a 10.0.0.0 block of IP addresses with a 24-bit subnet mask from Humongous Insurance.
D. Request a 10.0.0.0 block of IP addresses with a 32-bit subnet mask from Humongous Insurance.
Answer: B
|
