Vaishali Parker
 
 

 

Braindumps of 70-214
Implementing and Administering Security in a
Microsoft Windows 2000 Network

Exam Questions, Answers, Braindumps (70-214)

I prepared it from www.exams.ws. All the exam questions were in their guide. I feel that some book and the study of the guide from exams.ws is sufficient to pass the certification exam.

QUESTION 1
You are the network administrator for Abc. The network consists of a Windows 2000 Active Directory domain. The network contains two Windows 2000 Server computers configured as domain controllers and 1,500 Windows 2000 Professional client computers. Abc has three departments: research, sales, and operations. Each department has a separate organizational unit (OU) in the domain that contains all user and group accounts for that department. Abc policy prevents configuration of Block Policy inheritance on the OUs. You scan the domain controllers with the Microsoft Baseline Security Analyzer (MBSA) and receive the following message:
Computer is running with Restrict Anonymous = 0. This level prevents basic enumeration of user accounts, account policies, and system information. Set Restrict Anonymous = 2 to ensure maximum security.
Your manager tells you to use a security template to apply the MBSA-recommended setting to the domain controllers. You are not allowed to modify the configuration of other computers on the domain. You create a new security template based on the existing configuration of your domain controllers. What should you do next?
A. In the template, set the Additional Restrictions for Anonymous Connections policy to No access without explicit anonymous permission. Import this template into the Domain Controller Security Policy.
B. In the template, configure the Workstation service for Manual startup and deny Write access to the Anonymous Logon group. Import this template in the Domain Controller Security Policy.
C. In the template, set the Additional Restrictions for Anonymous Connections policy to Do not allow enumeration of SAM accounts and shares. Import this template into the Domain Security Policy.
D. In the template, configure the Workstation service for Manual startup and deny Read access to the Anonymous Logon group. Import this template into the Domain Security Policy.
Answer: A
Explanation: MBSA shows that the computer runs with Restrict Anonymous=0. The Restrict Anonymous numbers correspond to the following settings:
0 None. Rely on default permissions
1 Do not allow enumeration of SAM accounts and names
2 No access without explicit anonymous permissions
The Restrict Anonymous=0 setting is a security risk: it allows hackers to probe the machine from the Internet for a list of the users (SAM accounts) and shares (shared folders and printers). We can change this setting to 2, which is the recommendation from MBSA, by enabling "Additional restrictions for anonymous connections" (see picture).

And then set this policy to No access without explicit anonymous permission.
Note: Microsoft Baseline Security Analyzer (MBSA) scans for missing hotfixes and vulnerabilities in Windows, IIS, SQL Server, Internet Explorer, and MS Office.
Reference:
How to Use the Restrict Anonymous Registry Value in Windows 2000, Microsoft Knowledge Base Article - Q246261
Microsoft Baseline Security Analyzer (MBSA) Version 1.0 Is Available, Microsoft Knowledge Base Article - Q320454
Incorrect Answers
B, D: Manual startup of the workstation service would be awkward for the users. They would not be able to browse the network without this service.
C: This option would improve security, but security would be even better if we choose No access without explicit anonymous permission instead of Do not allow enumeration of SAM accounts and shares. This is also the recommendation of MBSA.
QUESTION 2
You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Active Directory domain named Abc.com. The domain contains Windows 2000 Server computers and Windows 2000 Professional client computers. The client computers are in an organizational unit (OU) named Clients. You use Group Policy objects (GPOs) to administer the configuration of the Windows 2000 Professional client computers. To increase the security of the client computers, you want to ensure that the configuration settings in the client computers are always corrected whenever a user changes these settings manually. What should you do?
A. Configure the Task Scheduler on the client computers to periodically run the secedit /refreshpolicy machine_policy and the secedit /refreshpolicy user_policy commands.
B. Configure the Default Domain Group Policy object (GPO) to enable Group Policy refresh interval for computers settings and a Group Policy refresh interval for users setting.
C. Create a GPO and link it to the Domain Controllers OU. Configure the GPO to enable the User Group Policy loopback processing mode in merge mode.
D. Create a GPO and link it to the Clients OU. Configure the GPO to enable the settings to process policies even if the GPOs have not changed.
E. Create a GPO and link it to the Clients OU. Configure the GPO to disable the Enforce Show Policies Only setting.
Answer: D
Explanation: The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.

Reference: HOW TO: How to Modify the Default Group Policy Refresh Interval, Microsoft Knowledge Base Article - Q203607
Incorrect Answers
A: This is an awkward, indirect way of applying security templates. Also, most of the time users do not have enough permissions to use the secedit command.
B: The Group Policy refresh interval for computers is used to modify the refresh and offset interval settings. It is not used to enable a setting.
C: Loopback processing mode is used to establish machine-specific settings, so that the computer's client settings take precedence. It does not fit in this scenario.
E: The Enforce Show Policies Only policy prevents administrators from viewing or using Group Policy preferences. If we disable it administrators will be able to view and use Group Policy preferences. This does not address the problem at hand.
QUESTION 3
You are the network administrator for Abc. The network consists of a Windows 2000 Active Directory domain. The domain includes two organizational units (OUs) named Manufacturing and Sales. The network contains two Windows 2000 Server computers configured as domain controllers and 1,500 Windows 2000 Professional client computers. All user accounts are located in the Manufacturing OU and Sales OU. Your manager wants you to ensure that the domain Account Policies are no less secure than the Account Policies in the Securedc.inf template. You run the Security Configuration and Analysis console on a network domain controller, and you use Securedc.inf to analyze the computer. You review the Password Policy portion of the analysis, which the following table shows.

Your manager does not want to reduce the existing security level. You must increase the security of the Password Policy in all areas in which it is less restrictive than the Securedc.inf template. What should you do?
A. Import Securedc.inf template into the Domain Security Policy.
B. Create a new Group Policy object (GPO) and link it to the Sales and Manufacturing OUs. Import the Securedc.inf template into the new GPO.
C. Create a new security template. Set Enforce password history to 24 passwords, Maximum password age to 42 days, and Minimum password age to 4 days. Import the new template to the Domain Security Policy.
D. Create a new Group Policy object (GPO) and link it to the Sales and Manufacturing OUs. Create a new security template. Set Enforce password history to 24 passwords, Maximum password age to 0, and Minimum password age to 4 days. Import the new template to the new GPO.
Answer: C
Explanation: We must create a new security template that is at least as restrictive as the current settings. This ensures that security only improves and does not decrease.
Incorrect Answers
A: When merging security templates, the last one imported, Securedc.inf, takes precedence when there is contention. Importing the Securedc.inf security template would therefore decrease Minimum password age and disable Store password using reversible encryption. This is not acceptable.
B, D: Windows 2000 only allows one domain account policy: the account policy applied to the root domain of the domain tree.
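The rule behind answer C, keeping for each password setting whichever side is more restrictive, can be checked mechanically. The following is an added example, not part of the original dump: the two templates are constructed sample values (the analysis table is not reproduced on this page), and the function names are hypothetical.

```python
import configparser

# Which direction is more restrictive for each [System Access] key.
STRICTER = {
    "PasswordHistorySize": max,    # remember more previous passwords
    "MinimumPasswordAge": max,     # days before a password may be changed again
    "MinimumPasswordLength": max,
    "PasswordComplexity": max,     # 1 = complexity required
    "ClearTextPassword": min,      # 0 = reversible encryption off
    # Assumption: a maximum age <= 0 means "never expires", the weakest value.
    "MaximumPasswordAge": lambda a, b: min([v for v in (a, b) if v > 0] or [a]),
}

def password_policy(inf_text):
    """Read the password keys of a template's [System Access] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";",), strict=False)
    cp.optionxform = str  # keep key names as written
    cp.read_string(inf_text)
    section = cp["System Access"]
    return {k: int(section[k]) for k in STRICTER if k in section}

def merge_strictest(current, baseline):
    """For every setting keep whichever side is more restrictive."""
    merged = {**baseline, **current}
    for key in current.keys() & baseline.keys():
        merged[key] = STRICTER[key](current[key], baseline[key])
    return merged

def weakened_by_import(current, baseline):
    """Settings that importing the baseline unchanged would make less strict."""
    merged = merge_strictest(current, baseline)
    return sorted(k for k in baseline if k in current and merged[k] != baseline[k])

# Constructed sample values, not the table from the exam question.
CURRENT = """[System Access]
MinimumPasswordAge = 4
MaximumPasswordAge = 60
PasswordHistorySize = 12
ClearTextPassword = 0
"""
BASELINE = """[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
PasswordHistorySize = 24
ClearTextPassword = 0
"""
if __name__ == "__main__":
    cur, base = password_policy(CURRENT), password_policy(BASELINE)
    print(merge_strictest(cur, base), weakened_by_import(cur, base))
```

With these sample values the merge yields history 24, maximum age 42 and minimum age 4, and `weakened_by_import` names the one setting that a plain import of the baseline would have lowered.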
QUESTION 4
You are the network administrator for Abc. The network consists of a Windows 2000 Active Directory domain. The network contains two Windows 2000 Server computers configured as domain controllers, 100 Windows 2000 Professional client computers, and 100 Windows 98 client computers. All Windows 98 Second Edition client computers have the Microsoft Directory Services Client installed and are configured with the appropriate LMCompatibilityLevel registry value. Abc has three departments: research, sales, and operations. Each department has a separate organizational unit (OU) in the domain that contains all user and group accounts for that department. The written security policy for Abc requires that domain controllers authenticate user logons only by using the most secure Microsoft authentication method available to all clients on the network. You review the Security Options portion of the security template for the domain. The following table shows the relevant Security Options settings in the template.

You must ensure that no Windows 98 client computer can authenticate with the domain controller by using anything less than the most secure authentication method available. What should you do?
A. Configure the LAN Manager Authentication Level on the security template to Not defined. Import the template into the Domain Controllers Security Policy.
B. Configure the LAN Manager Authentication Level on the security template to Send NTLMv2 response only\refuse LM & NTLM. Import the template into the Domain Security Policy.
C. Configure the Default Domain Policy Group Policy object (GPO) to enable the Digitally encrypt secure channel data (when possible) setting in the Secure Options policy.
D. Configure the Default Domain Controllers Policy Group Policy object (GPO) to enable the Digitally encrypt or sign secure channel data (always) setting in the Secure Options policy.
Answer: B
Explanation:
NTLM 2 is the most secure LAN Manager authentication level. NTLM 2 support for Windows 95 and Windows 98 can be added by installing the Directory Services Client from the Windows 2000 CD-ROM. This step has been taken in this scenario. By enforcing use of NTLMv2 we would ensure that the most secure authentication method is available.

Note: The LAN Manager authentication level determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The NTLM authentication package in Windows 2000 supports three methods of challenge/response authentication: LAN Manager (LM) which is least secure, NTLM version 1, NTLM version 2 which is the most secure. By default, all three challenge/response mechanisms are enabled. You can disable authentication using weaker variants by setting the LAN Manager authentication level security option in local security policy for the computer.
Reference: How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT, Microsoft Knowledge Base Article - Q239869
Incorrect Answers
A: A LAN Manager Authentication Level of Not defined would enable LAN Manager (LM) authentication, which is the least secure authentication method.
C: When the Digitally encrypt secure channel data (when possible) setting is enabled, it ensures that all secure channel traffic is encrypted if the partner domain controller is also capable of encrypting all secure channel traffic. However, it allows unencrypted data. Furthermore, it only applies to communication between domain controllers.
D: The Digitally encrypt or sign secure channel data (always) setting determines whether a secure channel can be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If this setting is enabled, a secure channel cannot be established with any domain controller that cannot sign or encrypt all secure channel data. It only applies to communication between domain controllers and is therefore useless in this scenario.
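Questions 1 and 4 both come down to one numeric value written into a security template, so a template can be audited before it is imported. The following is an added example, not part of the original dump: it assumes the `[Registry Values]` line format `path=type,data` (type 4 being REG_DWORD) and the `Control\Lsa` registry path, which are not shown on this page; the labels for LAN Manager levels 0 to 4 also come from outside the page, and the sample template is constructed.

```python
import configparser

LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"  # parser lower-cases keys
LABELS = {  # registry value -> policy label
    "restrictanonymous": {
        0: "None. Rely on default permissions",
        1: "Do not allow enumeration of SAM accounts and names",
        2: "No access without explicit anonymous permissions",
    },
    "lmcompatibilitylevel": {
        0: "Send LM & NTLM responses",
        1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
        2: "Send NTLM response only",
        3: "Send NTLMv2 response only",
        4: r"Send NTLMv2 response only\refuse LM",
        5: r"Send NTLMv2 response only\refuse LM & NTLM",
    },
}
REQUIRED = {"restrictanonymous": 2, "lmcompatibilitylevel": 5}

def audit_template(inf_text):
    """Return {setting: (value or None, policy label, meets requirement)}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";",), strict=False)
    cp.read_string(inf_text)
    values = cp["Registry Values"] if cp.has_section("Registry Values") else {}
    report = {}
    for name, required in REQUIRED.items():
        raw = values.get(LSA + name)
        if raw is None:  # the template leaves the machine's existing value alone
            report[name] = (None, "Not defined", False)
            continue
        reg_type, _, data = raw.partition(",")
        is_dword = reg_type.strip() == "4" and data.strip().isdigit()
        value = int(data) if is_dword else None
        label = LABELS[name].get(value, "unrecognised value")
        report[name] = (value, label, value is not None and value >= required)
    return report

# Constructed sample template, not taken from the exam question.
SAMPLE_TEMPLATE = r"""[Version]
signature="$CHICAGO$"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""

if __name__ == "__main__":
    for name, result in audit_template(SAMPLE_TEMPLATE).items():
        print(name, result)
```

A setting that the template does not define is reported as failing, because importing such a template leaves whatever weaker value the computer already has.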
