70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network
QUESTION 1:
You are a security administrator for Alecnet.com. The network consists of a single Active Directory
domain named Alecnet.com. All servers run Windows Server 2003. All client computers run Windows
XP Professional.
Several client computers are configured as kiosk computers that visitors and employees use. The kiosk
computers are managed by using GPOs. The GPOs enforce a secure configuration. Multiple users log on
to these computers every day.
You review the results of a security audit. You discover that when some users log on, the secure
configuration is removed.
You need to ensure that the secure configuration is enforced at all times.
What should you do?
A. Apply the Securews.inf security template to the kiosk computers.
B. Configure the default user profile on kiosk computers as a mandatory user profile.
C. Edit the GPO that manages kiosk computers. Disable the Secondary Logon service.
D. Edit the GPO that manages kiosk computers. Enable loopback processing.
Answer: D
QUESTION 2:
You are a security administrator for Alecnet.com. The network consists of a single Active Directory
forest named Alecnet.com. All servers run either Windows Server 2003 or Windows 2000 Server. All
domain controllers run Windows Server 2003. All client computers run Windows XP Professional.
Alecnet.com uses a Microsoft Exchange Server 2003 computer. Users on the internal network connect
to Exchange Server 2003 by using Microsoft Outlook. Alecnet.com currently does not allow users to
exchange e-mail with customers via the Internet.
To improve communication with customers, management decides to allow e-mail communication via the
Internet. Your company updates its written security policy with the following requirements regarding the
placement of Exchange Server 2003 computers:
1. Customers on the Internet must not be able to connect directly to any computer on the internal
network.
2. The number of ports and protocols that are allowed to pass through firewall devices must be
minimized.
You need to place computers to meet the company's written security policy.

Actualtests.com - The Power of Knowing
Answer:
Explanation:
QUESTION 3:
You are a security administrator for Alecnet.com. The network consists of a single
Active Directory domain named Alecnet.com. All servers run Windows Server
2003. All client computers run Windows XP Professional.
Terminal Services is running on four Windows Server 2003 computers. Members of
a group named Remote Application need to access applications by using Terminal
Services. You assigned the Remote Application group the appropriate NTFS
permissions for the application folder and the appropriate RDP-Tcp connection
permissions on the terminal servers. Currently no users have the right to connect to
the terminal servers.
You need to assign users in the Remote Application group the minimum rights
necessary to access the applications.
What should you do to configure the terminal servers?
A. Apply a security template that assigns the Access this computer from the network
right to the Remote Application group.
B. Apply a security template that assigns the Allow log on locally right to the Remote
Application group.
C. Apply a security template that assigns the Log on as a service right to the Remote
Application group.
D. Apply a security template that assigns the Allow log on through Terminal Services
right to the Remote Application group.
Answer: D
Explanation:
Allow log on through Terminal Services
Description
This security setting determines which users or groups have permission to log on as a
Terminal Services client.
Default:
On workstations and servers: Administrators, Remote Desktop Users.
On domain controllers: Administrators.
Configuring this security setting
You can configure this security setting by opening the appropriate policy and expanding
the console tree as follows: Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment\
For specific instructions about how to configure security policy settings, see To edit a
security setting on a Group Policy object.
This setting does not have any effect on Windows 2000 computers that have not been
updated to Service Pack 2.
For more information, see:
Deny logon through Terminal Services
User rights assignment
To assign user rights for your local computer
Security Configuration Manager Tools
Accessing Terminal Services Using New User Rights Options
SUMMARY
This article describes new options that you can use to assign user rights in Windows that
affect the Terminal Services feature.
MORE INFORMATION
The new user rights are Allow logon through Terminal Services and Deny logon
through Terminal Services.
You can use these options to change the set of permissions a user must have to establish a
Terminal Services session.
Allow logon through Terminal Services
To grant a user these permissions, start the
Group Policy snap-in, open the Local Security Policy or the appropriate Group Policy,
and then navigate to the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights
Assignment
Alternatively, to grant a user these permissions, start either the Active Directory Users and Computers
snap-in or the Local Users And Groups snap-in, open the user's properties, click the
Terminal Services Profile tab, and then click to select the Allow logon to Terminal
Server check box.
To grant guests Logon rights to the RDP-TCP connection, start the Terminal Services
Configuration snap-in, and edit the RDP-TCP connection so that the guest has at least Logon rights.
The pivotal difference between Windows 2000 and Windows Server 2003 is the "Allow
logon through Terminal Services" user right. When you grant this user right, you no
longer have to grant the user the Log on locally right (this was a requirement in Windows
2000). In Windows Server 2003, it is possible for a user to establish a Terminal Services
session to a particular server, but not be able to log on to the console of that same server.
Section: Section 1, Plan security templates based on computer role. Computer roles include SQL Server computer, Microsoft Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server (9 questions)
QUESTION 4:
You are a security administrator for Alecnet.com. The network consists of a single Active Directory
domain named Alecnet.com. The Alecnet.com domain contains Windows Server 2003 computers and
Windows XP Professional client computers. All computers are members of the domain.
A Windows Server 2003 computer named Alecnet3 runs Certificate Services. Alecnet3 is an
enterprise subordinate certification authority (CA). A Windows Server 2003 computer named Alecnet2
runs IIS. Alecnet2 hosts an internal human resources Web site for employees. You want to ensure that
the personal data of the employees is not exposed while in transit over the network. You decide to use
SSL on Alecnet2.
You need to ensure that employees do not receive a certificate-related security alert when they use SSL to
connect to this Web site. You want to achieve this goal without spending money to purchase this
certificate unless it is necessary to do so.
What should you do?
A. Use IIS to submit a certificate request to a commercial CA.
B. Use IIS to submit a certificate request to Alecnet3.
C. Use the Certificates console to submit a Client certificate request to a commercial CA.
D. Use the Certificates console to submit a Client certificate request to Alecnet3.
Answer: B
Explanation:
Using Client Certificate Authentication with IIS 6.0 Web Sites
Request a User Certificate from the Web Enrollment Site
The client computer must present a user certificate to the Web server before the Web server will accept the
user's credentials. Users can log on to the Web enrollment site and request a user certificate. The user does not
need to be an administrator in the domain or on the Certificate Server computer. The user only needs to have
legitimate user credentials that the enterprise CA recognizes.
Perform the following steps on the client computer to obtain the user certificate:
1. On the Web client computer, open Internet Explorer and enter http://10.0.0.2/certsrv in the address bar, where
10.0.0.2 is the IP address of the Certificate Server. Press ENTER.
2. In the log on dialog box, enter the credentials of a non-administrator user. This will demonstrate that a
non-admin can obtain a user certificate. Click OK.
3. On the Welcome page of the Web enrollment site, click the Request a certificate link.
4. On the Request a Certificate page, click the User Certificate link.
5. On the User Certificate - Identifying Information page, click Submit.
6. Click Yes on the Potential Scripting Violation dialog box informing you that the Web site is requesting a
certificate on your behalf.
7. On the Certificate Issued page, click the Install this certificate link.
8. Click Yes on the Potential Scripting Violation page informing you that the Web site is adding a certificate to
the machine.
9. Close Internet Explorer after you see the Certificate Installed page.
Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0
The Certificate Wizard that comes with Internet Information Services (IIS) 5.0 makes managing server
certificates easier than ever before. This article describes how to create a certificate request file using the
wizard. The first step you will...
QUESTION 5:
You are a security administrator for Alecnet.com. The network consists of a single Active Directory
domain named Alecnet.com. All servers run Windows Server 2003. All servers are in an OU named
Servers, or in OUs contained within the Servers OU.
Based on information in recent security bulletins, you want to apply settings from a security template
named Messenger.inf to all servers on which the Messenger service is started. You do not want to apply
these settings to servers on which the Messenger service is not started. You also do not want to move
servers to other OUs.
You need to apply the Messenger.inf security template to the appropriate servers.
What should you do?
A. Import the Messenger.inf security template into a GPO, and link the GPO to the Servers OU. Configure
Administrative Templates filtering in the GPO.
B. Import the Messenger.inf security template into a GPO, and link the GPO to the Servers OU. Configure a
Windows Management Instrumentation (WMI) filter for the GPO.
C. Configure a logon script in a GPO, and link the GPO to the Servers OU. Configure the script to run the
gpupdate command if the Messenger service is running.
D. Edit the Messenger.inf security template to set the Messenger service startup mode to Automatic, and then
run the secedit /refreshpolicy command.
Answer: B
QUESTION 6:
You are a security administrator for Alecnet.com. The network consists of a single Active Directory
domain named Alecnet.com. All servers run Windows Server 2003. All client computers run Windows
XP Professional.
Eight Windows Server 2003 computers are members of the domain. These computers are used to store
confidential files. They reside in a data center to which only IT administration personnel have physical
access.
You need to restrict members of a group named Contractors from connecting to the file server
computers. All other employees require access to these computers.
What should you do?
A. Apply a security template to the file server computers that assigns the Access this computer from the
network right to the Domain Users group.
B. Apply a security template to the file server computers that assigns the Deny access to this computer from
the network right to the Contractors group.
C. Apply a security template to the file server computers that assigns the Allow log on locally right to the
Domain Users group.
D. Apply a security template to the file server computers that assigns the Deny log on locally right to the
Contractors group.
Answer: B
Explanation:
Deny access to this computer from the network
Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Description: Determines which users are prevented from accessing a computer over the network.
QUESTION 7:
You are a security administrator for Alecnet.com. The network consists of a single Active Directory
domain named Alecnet.com. The Alecnet.com domain contains Windows Server 2003 computers and
Windows XP Professional client computers. All computers are members of the domain.
The employee user accounts in the Alecnet.com company are members of the Administrators local
group on client computers. You occasionally experience problems managing client computers because an
employee removes the Domain Admins global group from the Administrators local group on the
computer.
You need to prevent employees from removing the Domain Admins global group from the
Administrators local group on client computers.
What should you do?
A. Apply a security template to the client computers that establishes the Domain Admins global group as a
member of the Administrators local group by using the Restricted Groups policy.
B. Apply a security template to the domain controller computers that establishes the Domain Admins global
group as a member of the Administrators domain local group by using the Restricted Groups policy.
C. Modify the Domain Admins global group by assigning the Allow - Full Control permission to the Domain
Admins global group.
D. Modify the Domain Admins global group by assigning the Deny - Full Control permission to the Domain
Admins global group.
Answer: A
Explanation:
http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
Description of Group Policy Restricted Groups
This article was previously published under Q279301
SUMMARY: This article provides a description of Group Policy Restricted groups.
Restricted groups allow an administrator to define the following two properties for security-sensitive
(restricted) groups:
Members
Member Of
The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list
specifies which other groups the restricted group should belong to.
Using the "Members" Restricted Group Portion of Policy
When a Restricted Group policy is enforced, any current member of a restricted group that is not on the
"Members" list is removed, with the exception of the Administrator account in the Administrators group. Any user on the
"Members" list who is not currently a member of the restricted group is added.
Using the "Member Of" Restricted Group Portion of Policy
Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed
from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member
Of dialog box.
QUESTION 8:
You are a security administrator for Alecnet.com. The network consists of two Active Directory
domains. These domains each belong to separate Active Directory forests. The domain Alecnet.com is
used primarily to support company employees. The domain named bar.biz is used to support company
customers. The functional level of all domains is Windows Server 2003 interim mode. A one-way external
trust relationship exists in which the Alecnet.com domain trusts the bar.biz domain.
A Windows Server 2003 computer named Alecnet3 is a member of the bar.biz domain. Alecnet3
provides customers access to a Microsoft SQL Server 2000 database. The user accounts used by
customers reside in the local account database on Alecnet3. All of the customer user accounts belong to
a local computer group named Customers. SQL Server is configured to use Windows Integrated
authentication.
Alecnet.com has additional SQL Server 2000 databases that reside on three Windows Server 2003
computers. These computers are members of the Alecnet.com domain. Alecnet's written security policy
states that customer user accounts must reside on computers in the bar.biz domain.
You need to plan a strategy for providing customers with access to the additional databases. You want to
achieve this goal by using the minimal amount of administrative effort.
What should you do?
A. Create a new user account in the bar.biz Active Directory domain for each customer. Create a universal
group in the bar.biz domain. Add the new customer domain user accounts as members of the new universal
group. Assign this group permissions to access the databases.
B. Create a new user account in the bar.biz Active Directory domain for each customer. Create a global group
in the bar.biz domain. Add the new customer domain user accounts as members of the new global group.
Assign this group permissions to access the databases.
C. Create a new user account in the Alecnet.com Active Directory domain for each customer. Create a global
group in the Alecnet.com domain. Add the new customer domain user accounts as members of the new global
group. Assign this group permissions to access the databases.
D. Create a new user account in the Alecnet.com Active Directory domain for each customer. Create a global
group in the Alecnet.com domain. Add the new customer domain user accounts as members of the new global
group. Assign this group permissions to access the databases.
Answer: B
QUESTION 9:
You are the security administrator for Alecnet. The network consists of a single Active Directory
domain named Alecnet.com. Four Windows Server 2003 computers run IIS and serve as Web servers on
the Internet.
Alecnet's written security policy states that computers that are accessible from the Internet must be
hardened against attacks. The procedure for hardening computers includes disabling unnecessary
services. You evaluate which services are necessary by using the following information about the Web
servers:
1. Customers and business partners access Web content on the Web servers after they authenticate by
using a user name and password. To access certain parts of the site, some of these connections use the
SSL protocol.
2. All software is installed locally on the Web servers by using removable media, except for service packs
and security patches.
3. The Web servers automatically download service packs and security patches from an internal
computer that runs Software Update Services (SUS).
4. The Web servers do not function in any other roles.
You need to create a security template for the Web servers that disables unnecessary services and allows
necessary services to operate.
What should you do?
To answer, drag the appropriate service startup types to the correct locations in the work area.
Answer:
Explanation:
IIS Services
IIS provides the basic services that publish information, transfer files, support user communication,
and update the data stores upon which these services depend. This section introduces the services that IIS 6.0
provides.
The following table lists the IIS services, as well as their primary components and service hosts.
Service                                              | Primary Component | Hosted by
World Wide Web Publishing Service (WWW service)      | Iisw3adm.dll      | Svchost.exe
File Transfer Protocol Service (FTP service)         | Ftpsvc2.dll       | Inetinfo.exe
Simple Mail Transfer Protocol Service (SMTP service) | Smtpsvc.dll       | Inetinfo.exe
Network News Transfer Protocol Service (NNTP service)| Nntpsvc.dll       | Inetinfo.exe
IIS Admin service                                    | Iisadmin.dll      | Inetinfo.exe
World Wide Web Publishing Service
World Wide Web Publishing Service (WWW service) provides Web publishing to IIS end users, connecting
client HTTP requests to Web sites that are running in IIS. WWW service manages the IIS core components that
process HTTP requests and that configure and manage Web applications. WWW service runs as Iisw3adm.dll
and is hosted by Svchost.exe.
File Transfer Protocol Service
Through the File Transfer Protocol service (FTP service), IIS provides full support for managing and serving
files. The service uses the Transmission Control Protocol (TCP), which ensures that file transfers are complete
and that the data transferred is accurate. This version of FTP supports isolating users at the site level to help
administrators secure and commercialize their Internet sites. FTP service runs as Ftpsvc2.dll and is hosted by
Inetinfo.exe.
Simple Mail Transfer Protocol Service
IIS can send or receive e-mail by using the Simple Mail Transfer Protocol service (SMTP service). For
example, you can program the server to send mail automatically in response to events, in order to confirm
successful forms submissions by users. Also, you can use the SMTP service to receive messages that collect
feedback from Web site customers. SMTP service does not provide full e-mail services. To deliver full e-mail
services, use Microsoft(r)Exchange Server. SMTP service runs as Smtpsvc.dll and is hosted by Inetinfo.exe.
Network News Transfer Protocol Service
You can use the Network News Transfer Protocol service (NNTP service) to host NNTP local discussion
groups on a single computer. Because this feature complies fully with the NNTP protocol, users can use any
news reader client to participate in the newsgroup discussions. Through the Rfeed script, found in the inetsrv
folder, the IIS NNTP service now supports newsfeeds. NNTP service does not support replication. To employ
news feeds or to replicate a newsgroup across multiple computers, use Exchange Server. NNTP service runs as
Nntpsvc.dll and is hosted by Inetinfo.exe.
IIS Admin Service
IIS Admin service manages the IIS metabase and updates the Microsoft Windows(r) operating system registry
for the WWW service, FTP service, SMTP service, and NNTP service. The metabase is a data store that holds
IIS configuration data. IIS Admin service exposes the metabase to other applications, including the core
components of IIS, applications that are built on IIS, and third-party applications that are independent of IIS,
such as management or monitoring tools. IIS Admin service runs as Iisadmin.dll and is hosted by Inetinfo.exe.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;321141
HOW TO: Disable or Remove Unnecessary IIS Services
Note: Application Management
The Application Management service process advertises applications on the user's desktop or on the Start menu.
The Application Management system service provides software installation services such as Assign, Publish,
and Remove. This service processes requests to enumerate, install, and remove applications deployed via a
corporate network. When you click Add in the Add/Remove Programs control panel on a computer joined to a
domain, the program calls this service to retrieve the list of your deployed applications. The service is also
called when you use Add/Remove Programs to install or remove an application, and in cases when a
component, such as the shell or COM, makes an install request for an application to handle a file extension,
Component Object Model (COM) class, or ProgID that is not present on the computer. The service is started by
the first call made to it; it does not terminate once started.
Note: For more information about COM, COM class, or ProgID, see the Software Development Kit (SDK)
information in the MSDN(r) developer program Library on the Web Resources page at:
http://www.microsoft.com/windows/reskits/webresources.
If the Application Management service is stopped or disabled, users will be unable to install, remove, or
enumerate applications deployed in the Microsoft Active Directory service through Microsoft IntelliMirror(r)
management technologies. If this service is disabled, it will not retrieve deployed application information, nor
will this information appear in the Add New Programs section of the Add/Remove Programs control panel. The
Add programs from your network dialog box will display the following message:
No programs are available on the network.
Stopping this service is not possible once it has started. If you do not require this service, you must disable it to
prevent it from starting.
Automatic Updates
The Automatic Updates system service enables the download and installation of critical Windows updates. This
service automatically provides your computer with the latest updates, drivers and enhancements. You no longer
have to manually search for critical updates and information; the operating system delivers them directly to
your computer. The operating system recognizes when you are online and uses your Internet connection to
search for applicable updates from the Windows Update service. Depending on your configuration settings, the
service will either notify you before download, notify you before installation, or automatically install
updates for you.
You can turn off the Automatic Update feature through the Systems setting in the Control Panel, or by
right-clicking the My Computer icon, and then clicking Properties.
You can also use the Microsoft Management Console (MMC) Group Policy Object Editor snap-in
administrative template to configure an intranet server that is configured with the Software Update Services to
host updates from the Microsoft Update Web sites. This setting lets you specify a server on your network to
function as an internal update service. The Automatic Updates client will search this service for updates that
apply to the computers on your network.
For more information about Software Update Services, see the Software Update Services Web site at:
http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp.
If the Automatic Updates service is stopped or disabled, no critical updates will be downloaded to the computer
automatically. Searching for, downloading and installing applicable critical fixes will have to be done by going
to the Windows Update Web site at: http://v4.windowsupdate.microsoft.com/en/default.asp.
Internet Authentication Service
The Internet Authentication Service performs centralized authentication, authorization, auditing, and accounting
of users connecting to a network - either LAN or remote - using VPN equipment, Remote Access Equipment
(RAS), or 802.1x Wireless and Ethernet/Switch Access Points.
IAS implements the Internet Engineering Task Force (IETF) standard RADIUS protocol, which enables
heterogeneous network access equipment. If IAS is disabled or stopped, authentication requests will failover to
a backup IAS server, if it is available. If no backup IAS servers are available, users will not be able to connect
to the network. If this service is disabled, any services that explicitly depend on this service will not start.
World Wide Web Publishing Service
World Wide Web Publishing Service provides Web connectivity and administration of Web sites through the
IIS snap-in. World Wide Web Publishing provides HTTP services for applications on the Windows platform.
The service contains a process manager and a configuration manager. The process manager controls the
processes in which custom applications and simple Web sites reside. The configuration manager reads the
stored system configuration and ensures that Windows is configured to route HTTP requests to the appropriate
application pools or operating system processes.
This service can monitor the processes that house custom applications and provide recycling services for these
applications. Recycling is a configuration property of an application pool and can be done on the basis of
memory limits, request limits, processing time, or time of day. The service will queue HTTP requests if custom
applications stop responding, and will also attempt to restart custom applications.
The service depends on the IIS administration service and kernel TCP/IP support.
If World Wide Web Publishing Service is stopped, the Windows Server 2003 operating system will not be able
to serve any form of Web request. If this service is disabled, any services that explicitly depend on this service
will not start.
QUESTION 10:
You are a security administrator for Alecnet.com. The network consists of a single Active Directory
domain named Alecnet.com. All servers run Windows Server 2003. All client computers run Windows
XP Professional.
All computers are configured to use Automatic Updates to install updates without user intervention.
Updates are scheduled to occur during off-peak hours.
During a security audit, you notice that some client computers are not receiving updates on a regular basis.
You verify that Automatic Updates is running on all client computers, and you verify that users cannot
modify the Automatic Updates settings.
You need to ensure that computers on your network receive all updates.
What should you do?
A. Enable the No auto-restart for scheduled Automatic Updates installations setting.
B. Disable the Specify intranet Microsoft update service location setting.
C. Enable the Remove access to use all Windows Update features setting.
D. Enable the Reschedule Automatic Updates scheduled installations setting.
Answer: D
QUESTION 11:
You are a security administrator for Alecnet. The network consists of seven Active Directory domains.
These domains are in the same Active Directory forest. All seven Active Directory domains operate at the
Windows Server 2003 domain functional level.
Each domain contains an internal Web site that is used to publish information to the Alecnet managers.
Access to the information on these Web sites must not be restricted to managers. An existing global group
in each domain contains the management user accounts that exist in that domain.
You need to restrict access to the internal Web sites to Alecnet managers. You want to achieve this goal
by using the minimum amount of administrative effort.
What should you do?
A. Create a universal group in one of the Active Directory domains.
Add the existing management global groups as members of the universal group.
Assign only this universal group permissions to access the Web sites.
B. Create a global group in one of the Active Directory domains.
Add the existing management global groups as members of the global group.
Assign only this global group permissions to access the Web sites.
C. Create a domain local group in one of the Active Directory domains.
Add the existing management global groups as members of the domain local group.
Assign only this domain local group permissions to access the Web sites.
D. Assign only the existing management global groups permissions to access the Web sites.
Answer: A
Explanation:
The members that each type of security group scope can have depend on the domain functional level. When
the domain functional level is Windows 2000 native or higher, each type of group can contain the
following members:
Universal: accounts from any domain, global groups from any domain, and universal groups from any domain
Global: accounts from the same domain, and global groups from the same domain
Domain local: accounts from any domain, global groups from any domain, universal groups from any domain,
and domain local groups from the same domain
Only a universal group satisfies both halves of the requirement: it can hold the seven management global
groups, which come from seven different domains, and it can be placed on the access control lists of the
Web sites in every domain of the forest. A global group (option B) cannot contain global groups from other
domains. A domain local group (option C) can be granted permissions only on resources in its own domain,
so it could not protect the other six Web sites. Option D works, but it requires seven permission entries
on each of the seven Web sites instead of one. Nesting the existing global groups in the universal group,
rather than the individual user accounts, also keeps the universal group's membership list, which is
replicated to every global catalog, small and stable.
Objective: Planning, Configuring and Troubleshooting Authentication, Authorization and PKI
Sub-Objective: 4.2.2 Plan security group scope.
Domain Migration Cookbook
Chapter 2: Domain Upgrade
Global Groups
Windows 2000 global groups are effectively the same as Windows NT global groups. In terms of membership,
they have domain-wide scope, but can be granted permissions in any domain, even in other forests and earlier
version domains as long as a trust relationship exists.
Universal Groups
Universal groups can contain members from any Windows 2000 domain in the forest, but cannot contain
members from outside the forest. You can grant universal groups permissions in any domain, even in other
forests, as long as a trust relationship exists. Although universal groups can have members from mixed mode
domains in the same forest, the universal group will not be added to the access token of these members because
universal groups are not available in mixed mode.
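As an added worked example, not part of the original question set, the nesting and permission-assignment rules above written as a small checker that evaluates options A through D for the seven-domain scenario. The domain names, group names and step counts are constructed for the example; the rule that a domain local group can be used on ACLs only in its own domain is general Active Directory behaviour that the explanation does not spell out.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed domain names for the seven-domain forest in Question 11.
DOMAINS = [f"d{i}.alecnet.com" for i in range(1, 8)]


@dataclass(frozen=True)
class Group:
    name: str
    scope: str     # "universal", "global" or "domain_local"
    domain: str    # domain in which the group object exists


def can_contain(container: Group, member: Group) -> bool:
    """Nesting rules at Windows 2000 native functional level or higher."""
    if container.scope == "universal":
        # universal: global and universal groups from any domain in the forest
        return member.scope in ("global", "universal")
    if container.scope == "global":
        # global: only global groups from the same domain
        return member.scope == "global" and member.domain == container.domain
    if container.scope == "domain_local":
        # domain local: global/universal from any domain, domain local from own domain
        if member.scope in ("global", "universal"):
            return True
        return member.scope == "domain_local" and member.domain == container.domain
    raise ValueError(f"unknown scope {container.scope!r}")


def can_be_granted_in(group: Group, resource_domain: str) -> bool:
    """Where a group may appear on an ACL: global and universal groups anywhere a
    trust exists; a domain local group only on resources in its own domain."""
    if group.scope == "domain_local":
        return group.domain == resource_domain
    return True


def management_groups() -> list[Group]:
    """The existing per-domain management global groups from the question."""
    return [Group(f"Managers-{d}", "global", d) for d in DOMAINS]


def evaluate_single_group(scope: str, home_domain: str) -> dict:
    """Options A-C: create one group of `scope` in `home_domain`, nest the seven
    management global groups in it, and ACL only that group on every Web site."""
    new = Group(f"All-Managers-{scope}", scope, home_domain)
    nesting_ok = all(can_contain(new, g) for g in management_groups())
    acl_ok = all(can_be_granted_in(new, d) for d in DOMAINS)
    return {
        "works": nesting_ok and acl_ok,
        "nesting_ok": nesting_ok,
        "acl_ok": acl_ok,
        # one membership add per management group plus one ACE per Web site
        "admin_steps": len(DOMAINS) + len(DOMAINS),
    }


def evaluate_option_d() -> dict:
    """Option D: put all seven global groups directly on each of the seven Web sites."""
    return {"works": True, "nesting_ok": True, "acl_ok": True,
            "admin_steps": len(DOMAINS) * len(DOMAINS)}


def best_option() -> str:
    """The working option with the fewest administrative steps."""
    options = {
        "A": evaluate_single_group("universal", DOMAINS[0]),
        "B": evaluate_single_group("global", DOMAINS[0]),
        "C": evaluate_single_group("domain_local", DOMAINS[0]),
        "D": evaluate_option_d(),
    }
    working = {k: v for k, v in options.items() if v["works"]}
    return min(working, key=lambda k: working[k]["admin_steps"])


if __name__ == "__main__":
    for letter, result in (("A", evaluate_single_group("universal", DOMAINS[0])),
                           ("B", evaluate_single_group("global", DOMAINS[0])),
                           ("C", evaluate_single_group("domain_local", DOMAINS[0])),
                           ("D", evaluate_option_d())):
        print(letter, result)
    print("best:", best_option())
```

Running it shows B failing on nesting, C failing on ACL placement, and D working at 49 steps against 14 for A.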
QUESTION 12:
You are a security administrator for Alecnet. The network consists of two Active
Directory forests named Alecnet.com and public.Alecnet.com. All servers run
Windows Server 2003. All client computers run Windows XP Professional.
The network includes an IEEE 802.11b wireless LAN (WLAN). Employees and
external users use the WLAN. User accounts for employees are located in the
Alecnet.com forest. User accounts for external users are located in the
public.Alecnet.com forest. External users' computers do not have computer
accounts in the public.Alecnet.com forest.
To increase security, you upgrade the network hardware to support IEEE 802.1x.
You configure a public key infrastructure (PKI). You issue Client Authentication
certificates to employees, to client computers used by employees, and to external
users.
You need to configure the WLAN to authenticate employees and external users.
What should you do?
A. Configure each wireless access point to forward RADIUS requests to a server running
Internet Authentication Service (IAS).
Configure the IAS server to use a connection request policy to forward the requests to
the appropriate forest.
B. Configure each wireless access point to forward requests to an Internet Authentication
Service (IAS) server in the Alecnet.com forest.
Configure the IAS server in the Alecnet.com forest to use the Tunnel-Server-Endpt
attribute.
C. Use the Connection Manager Administration Kit (CMAK).
Configure one connection profile for external users.
Configure a second connection profile for employees.
D. Establish a forest trust relationship between the Alecnet.com forest and the
public.Alecnet.com forest.
Answer: A
Explanation:
Connection request policies
Connection request policies are sets of conditions and profile settings that give network
administrators flexibility in configuring how incoming authentication and accounting
request messages are handled by the IAS server. With connection request policies, you
can create a series of policies so that some RADIUS request messages sent from
RADIUS clients are processed locally (IAS is being used as a RADIUS server) and other
types of messages are forwarded to another RADIUS server (IAS is being used as a
RADIUS proxy). This capability allows IAS to be deployed in many new RADIUS
scenarios.
With connection request policies, you can use IAS as a RADIUS server or as a RADIUS
proxy, based on the time of day and day of the week, by the realm name in the request,
by the type of connection being requested, by the IP address of the RADIUS client, and
so on.
It is important to remember that with connection request policies, a RADIUS request
message is processed only if the settings of the incoming RADIUS request message
match at least one of the connection request policies. For example, if the settings of an
incoming RADIUS Access-Request message do not match at least one of the connection
request policies, an Access-Reject message is sent.
For more information about how incoming RADIUS request messages from RADIUS
clients are processed, see Processing a connection request.
Authentication
You can set the following authentication options that are used for RADIUS
Access-Request messages:
Authenticate requests on this server.
Use a Windows NT 4.0 domain, the Active Directory directory service, or the local
account database for authentication, and the matching remote access policy and user
account dial-in properties for authorization. In this case, the IAS server is being used as
a RADIUS server.
Forward requests to another RADIUS server in a remote RADIUS server group.
Forward the Access-Request message to another RADIUS server in a specified remote
RADIUS server group. If the IAS server receives a valid Access-Accept message that
corresponds to the Access-Request message, the connection attempt is considered
authenticated and authorized. In this case, the IAS server is being used as a RADIUS
proxy.
Accept the connection attempt without performing authentication or authorization.
Do not check authentication of the user credentials and authorization of the connection
attempt. An Access-Accept message is immediately sent to the RADIUS client. This
setting is used for some types of compulsory tunneling where the access client is tunneled
before the user's credentials are authenticated. For more information, see IAS and
tunnels.
This authentication option cannot be used when the access client's authentication protocol
is MS-CHAP v2 or EAP-TLS, both of which provide mutual authentication. (An
authentication protocol is the protocol by which an entity on a network proves its identity
to a remote entity. Typically, identity is proved with the use of a secret key, such as a
password, or with a stronger key, such as the key on a smart card. Some authentication
protocols also implement mechanisms to share keys between client and server to provide
message integrity or privacy.) In mutual authentication, the access client proves that it is
a valid access client to the authenticating server (the IAS server), and the authenticating
server proves that it is a valid authenticating server to the access client. When this
authentication option is used, the Access-Accept message is returned. However, the
authenticating server does not provide validation to the access client and mutual
authentication fails.
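The following is an added example, not text from the Microsoft help excerpt, showing how the connection request policy logic described above decides what to do with an Access-Request on the Question 12 network: requests whose realm is public.alecnet.com are proxied to a remote RADIUS server group in the other forest, alecnet.com requests are authenticated locally, and anything else is rejected because no policy matches. Policy names, the server group name, the access point subnet and the user names are assumptions made for the example, and the policy set assumes the default catch-all IAS policy has been deleted.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    user_name: str                   # User-Name, e.g. "alice@alecnet.com" or "PUBLIC\\bob"
    client_ip: str                   # Client-IP-Address: the RADIUS client (access point)
    eap_type: Optional[str] = None   # e.g. "EAP-TLS"


@dataclass
class ConnectionRequestPolicy:
    name: str
    order: int                          # IAS evaluates policies in processing order
    realm: str                          # regex matched against the realm of User-Name
    client_network: str                 # CIDR the Client-IP-Address must fall in
    action: str                         # "local", "forward" or "accept"
    server_group: Optional[str] = None  # remote RADIUS server group for "forward"


def realm_of(user_name: str) -> str:
    """Realm is the part after '@' (UPN style) or before '\\' (NT4 style)."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    return ""


def matches(policy: ConnectionRequestPolicy, req: AccessRequest) -> bool:
    """All conditions of a policy must hold for it to match."""
    in_net = ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(policy.client_network)
    return in_net and re.fullmatch(policy.realm, realm_of(req.user_name)) is not None


def select_policy(policies, req: AccessRequest) -> Optional[ConnectionRequestPolicy]:
    """First matching policy in processing order, or None."""
    for policy in sorted(policies, key=lambda p: p.order):
        if matches(policy, req):
            return policy
    return None


def process(policies, req: AccessRequest) -> tuple[str, str]:
    """Return (disposition, detail) for an incoming Access-Request."""
    policy = select_policy(policies, req)
    if policy is None:
        # No connection request policy matched: IAS answers with Access-Reject.
        return ("Access-Reject", "no connection request policy matched")
    if policy.action == "local":
        return ("Authenticate locally",
                f"{policy.name}: IAS acts as RADIUS server; remote access policies apply")
    if policy.action == "forward":
        return ("Forward",
                f"{policy.name}: IAS acts as RADIUS proxy to server group {policy.server_group}")
    if policy.action == "accept":
        # Accept without authentication: fine for compulsory tunnelling, but a client
        # using a mutual-authentication method never gets server validation.
        note = ""
        if req.eap_type in ("EAP-TLS", "MS-CHAP v2"):
            note = "; client expects mutual authentication, which will fail"
        return ("Access-Accept", f"{policy.name}: no authentication or authorization performed{note}")
    raise ValueError(f"unknown action {policy.action!r}")


# Constructed policy set for the two-forest WLAN. The default policy that matches
# every request is assumed removed, so unmatched realms are rejected.
POLICIES = [
    ConnectionRequestPolicy("External users", 1, r"public\.alecnet\.com", "10.10.0.0/16",
                            "forward", server_group="Public-Forest-IAS"),
    ConnectionRequestPolicy("Employees", 2, r"alecnet\.com", "10.10.0.0/16", "local"),
]


def demo() -> list[tuple[str, str]]:
    """Three constructed requests from an access point in 10.10.0.0/16."""
    requests = [
        AccessRequest("alice@alecnet.com", "10.10.1.5", "EAP-TLS"),
        AccessRequest("bob@public.alecnet.com", "10.10.1.5", "EAP-TLS"),
        AccessRequest("mallory@example.org", "10.10.1.5", "EAP-TLS"),
    ]
    return [process(POLICIES, r) for r in requests]


if __name__ == "__main__":
    for disposition, detail in demo():
        print(f"{disposition:22} {detail}")
```

Policy order matters: the public.alecnet.com policy sits first because its realm is a suffix match away from the employee realm, and a request from an access point outside the expected subnet matches nothing and is rejected even when the realm is valid.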
802.1x authentication
For enhanced security, you can enable IEEE 802.1x authentication. IEEE 802.1x
authentication provides authenticated access to 802.11 wireless networks and to wired
Ethernet networks. IEEE 802.1x minimizes wireless network security risks, such as
unauthorized access to network resources and eavesdropping, by providing user and
computer identification, centralized authentication, and dynamic key management. IEEE
802.1x supports Internet Authentication Service (IAS), which implements the Remote
Authentication Dial-In User Service (RADIUS) protocol. Under this implementation, a
wireless access point that is configured as a RADIUS client sends connection request
and accounting messages to a central RADIUS server. The central RADIUS server
processes the request and grants or rejects the connection request. If the request is
granted, the client is authenticated, and unique keys (from which the WEP key is derived)
can be generated for that session, depending on the authentication method chosen. The
support that IEEE 802.1x provides for Extensible Authentication Protocol (EAP) security
types allows you to use authentication methods such as smart cards, certificates, and the
Message Digest 5 (MD5) algorithm. Note that EAP-MD5 authenticates only the client, by a
password-based challenge response, and produces no keying material, so it cannot supply
the per-session keys described above; for a WLAN, use a certificate-based method such as
EAP-TLS, as the scenario in Question 12 does.
With IEEE 802.1x authentication, you can specify whether the computer attempts
authentication to the network if the computer requires access to network resources
whether a user is logged on or not. For example, data center operators who manage
remotely administered servers can specify that the servers should attempt authentication
to access the network resources. You can also specify whether the computer attempts
authentication to the network if user or computer information is not available. For
example, Internet service providers (ISPs) can use this authentication option to allow
users access to free Internet services, or to Internet services that can be purchased. A
corporation can grant visitors limited guest access, so that they can access the
Internet, but not confidential network resources.
Understanding 802.1x authentication
IEEE 802.1x is the IEEE standard for port-based network access control, which provides
authenticated network access to 802.11 wireless networks and to wired Ethernet networks.
Port-based network access control uses the physical characteristics of a switched local
area network (LAN) infrastructure to authenticate devices that are attached to a LAN port
and to prevent access to that port in cases where the authentication process fails.
During a port-based network access control interaction, a LAN port adopts one of two
roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces
authentication before it allows user access to the services that can be accessed through
that port. In the role of supplicant, a LAN port requests access to the services that can be
accessed through the authenticator's port. An authentication server, which can either be a
separate entity or co-located with the authenticator, checks the supplicant's credentials on
behalf of the authenticator. The authentication server then responds to the authenticator,
indicating whether the supplicant is authorized to access the authenticator's services.
The authenticator's port-based network access control defines two logical access points
to the LAN, through one physical LAN port. The first logical access point, the
uncontrolled port, allows data exchange between the authenticator and other computers
on the LAN, regardless of the computer's authorization state. The second logical access
point, the controlled port, allows data exchange between an authenticated LAN user and
the authenticator.
IEEE 802.1x uses standard security protocols, such as RADIUS, to provide centralized
user identification, authentication, dynamic key management, and accounting.
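Added example, not from the original page: the authenticator side of the controlled/uncontrolled port model described above, with the authentication server replaced by a constructed callback that stands in for the RADIUS exchange. MAC addresses, payload strings and the identity check inside the callback are made up for the example; it also authorizes only the station that authenticated, which is how an access point treats a shared wireless medium rather than a single wired switch port.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic the uncontrolled port admits
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: str   # "EAPOL-Start", "EAPOL-Logoff", "EAP-Response/...", or data


class AuthenticatorPort:
    """One physical port with an uncontrolled (EAPOL) and a controlled (data) side."""

    def __init__(self, radius: Callable[[str, str], str]):
        # radius(identity, eap_response) -> "Access-Accept" | "Access-Reject" | "Access-Challenge"
        self.radius = radius
        self.authorized = False
        self.supplicant_mac: Optional[str] = None
        self.identity: Optional[str] = None

    def receive(self, frame: Frame) -> str:
        if frame.ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAPOL reaches the authenticator regardless of state.
            return self._handle_eapol(frame)
        # Controlled port: forward only when authorized, and only for the station
        # that authenticated; everything else is dropped.
        if self.authorized and frame.src_mac == self.supplicant_mac:
            return "forwarded"
        return "dropped"

    def _handle_eapol(self, frame: Frame) -> str:
        if frame.payload == "EAPOL-Start":
            return "EAP-Request/Identity"
        if frame.payload == "EAPOL-Logoff":
            # Only the authenticated station may log itself off.
            if frame.src_mac == self.supplicant_mac:
                self.authorized = False
                self.supplicant_mac = None
                self.identity = None
            return "port unauthorized"
        if frame.payload.startswith("EAP-Response/Identity:"):
            self.identity = frame.payload.split(":", 1)[1]
            return self._relay(frame, frame.payload)
        if frame.payload.startswith("EAP-Response/"):
            return self._relay(frame, frame.payload)
        return "ignored"

    def _relay(self, frame: Frame, eap: str) -> str:
        # The EAP response is carried to the authentication server inside a RADIUS
        # Access-Request; the server's answer drives the controlled port state.
        result = self.radius(self.identity or "", eap)
        if result == "Access-Accept":
            self.authorized = True
            self.supplicant_mac = frame.src_mac
            return "EAP-Success; controlled port authorized"
        if result == "Access-Reject":
            self.authorized = False
            self.supplicant_mac = None
            return "EAP-Failure; controlled port unauthorized"
        return "EAP-Request (challenge relayed)"


def demo_radius(identity: str, eap: str) -> str:
    """Constructed stand-in for the RADIUS server: accept an alecnet.com identity
    that completes a (pretend) EAP-TLS exchange, challenge after Identity, else reject."""
    if not identity.endswith("@alecnet.com"):
        return "Access-Reject"
    if eap.startswith("EAP-Response/Identity:"):
        return "Access-Challenge"
    if eap == "EAP-Response/TLS:cert-ok":
        return "Access-Accept"
    return "Access-Reject"


def run_demo() -> list[str]:
    """Constructed frame sequence: data before auth, a successful EAP exchange,
    data from the authenticated and an unauthenticated station, then logoff."""
    port = AuthenticatorPort(demo_radius)
    alice, eve = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    steps = [
        Frame(alice, IPV4_ETHERTYPE, "HTTP GET"),
        Frame(alice, EAPOL_ETHERTYPE, "EAPOL-Start"),
        Frame(alice, EAPOL_ETHERTYPE, "EAP-Response/Identity:alice@alecnet.com"),
        Frame(alice, EAPOL_ETHERTYPE, "EAP-Response/TLS:cert-ok"),
        Frame(alice, IPV4_ETHERTYPE, "HTTP GET"),
        Frame(eve, IPV4_ETHERTYPE, "HTTP GET"),
        Frame(alice, EAPOL_ETHERTYPE, "EAPOL-Logoff"),
        Frame(alice, IPV4_ETHERTYPE, "HTTP GET"),
    ]
    return [port.receive(f) for f in steps]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```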