Braindumps of 70-214
Implementing and Administering Security in a Microsoft Windows 2000 Network Exam
Questions, Answers, Braindumps (70-214)
I prepared it from www.exams.ws. All the exam questions
were in their guide; I feel that some book and the
study of the guide from exams.ws is sufficient to
pass the certification exam.
QUESTION 1
You are the network administrator for Abc. The network
consists of a Windows 2000 Active Directory domain.
The network contains two Windows 2000 Server computers
configured as domain controllers and 1,500 Windows
2000 Professional client computers. Abc has three
departments: research, sales, and operations. Each
department has a separate organizational unit (OU)
in the domain that contains all user and group accounts
for that department. Abc policy prevents configuration
of Block Policy inheritance on the OUs. You scan the
domain controllers with the Microsoft Baseline Security
Analyzer (MBSA) and receive the following message:
Computer is running with Restrict Anonymous = 0. This
level prevents basic enumeration of user accounts,
account policies, and system information. Set Restrict
Anonymous = 2 to ensure maximum security. Your manager
tells you to use a security template to apply the
MBSA-recommended setting to the domain controllers.
You are not allowed to modify the configuration of
other computers on the domain. You create a new security
template based on the existing configuration of your
domain controllers. What should you do next?
A. In the template, set the Additional Restrictions
for Anonymous Connections policy to No access without
explicit anonymous permission. Import this template
into the Domain Controller Security Policy.
B. In the template, configure the Workstation service
for Manual startup and deny Write access to the Anonymous
Logon group. Import this template in the Domain Controller
Security Policy.
C. In the template, set the Additional Restrictions
for Anonymous Connections policy to Do not allow enumeration
of SAM accounts and shares. Import this template into
the Domain Security Policy.
D. In the template, configure the Workstation service
for Manual startup and deny Read access to the Anonymous
Logon group. Import this template into the Domain
Security Policy.
Answer: A
Explanation: MBSA shows that the computer runs with
Restrict Anonymous=0. The Restrict Anonymous numbers
correspond to the following settings:
0 - None. Rely on default permissions
1 - Do not allow enumeration of SAM accounts and names
2 - No access without explicit anonymous permissions
The Restrict Anonymous=0 setting is a security risk:
it allows hackers to probe the machine from the Internet
for a list of the users (SAM accounts) and shares
(shared folders and printers). We can change this
setting to 2, which is the recommendation from MBSA,
by enabling "Additional restrictions for anonymous
connections" (see picture) and then setting this policy
to No access without explicit anonymous permission.
Note: Microsoft Baseline Security Analyzer (MBSA)
scans for missing hotfixes and vulnerabilities in
Windows, IIS, SQL Server, Internet Explorer, and MS
Office.
Reference: How to Use the Restrict Anonymous Registry
Value in Windows 2000, Microsoft Knowledge Base Article
- Q246261
Microsoft Baseline Security Analyzer (MBSA) Version 1.0
Is Available, Microsoft Knowledge Base Article - Q320454
Incorrect Answers
B, D: Manual startup of the Workstation service would
be awkward for the users. They would not be able to
browse the network without this service.
C: This option would improve security, but security
would be even better if we chose No access without
explicit anonymous permission instead of Do not allow
enumeration of SAM accounts and shares. This is also
the recommendation of MBSA.
QUESTION 2
You are the administrator of a Windows 2000 network.
The network consists of a Windows 2000 Active Directory
domain named Abc.com. The domain contains Windows
2000 Server computers and Windows 2000 Professional
client computers. The client computers are in an organizational
unit (OU) named Clients. You use Group Policy objects
(GPOs) to administer the configuration of the Windows
2000 Professional client computers. To increase the
security of the client computers, you want to ensure
that the configuration settings in the client computers
are always corrected whenever a user changes these
settings manually. What should you do?
A. Configure the Task Scheduler on the client computers
to periodically run the secedit /refreshpolicy machine_policy
and the secedit /refreshpolicy user_policy commands.
B. Configure the Default Domain Group Policy object
(GPO) to enable Group Policy refresh interval for
computers settings and a Group Policy refresh interval
for users setting.
C. Create a GPO and link it to the Domain Controllers
OU. Configure the GPO to enable the User Group Policy
loopback processing mode in merge mode.
D. Create a GPO and link it to the Clients OU. Configure
the GPO to enable the settings to process policies
even if the GPOs have not changed.
E. Create a GPO and link it to the Clients OU. Configure
the GPO to disable the Enforce Show Policies Only
setting.
Answer: D
Explanation: The "Process even if the Group Policy
objects have not changed" option updates and
reapplies the policies even if the policies have not
changed. Many policy implementations specify that
they are updated only when changed. However, you might
want to update unchanged policies, such as reapplying
a desired setting in case a user has changed it.
Reference: HOW TO: How to Modify the Default Group
Policy Refresh Interval, Microsoft Knowledge Base
Article - Q203607
Incorrect Answers
A: This is an awkward, indirect way of applying security
templates. Also, most of the time users do not have
enough permissions to use the secedit command.
B: The Group Policy refresh interval for computers
setting is used to modify the refresh and offset
interval settings. It is not used to enable a setting.
C: Loopback processing mode is used to establish machine-specific
settings, so that the computer's client settings take
precedence. It does not fit in this scenario.
E: The Enforce Show Policies Only policy prevents
administrators from viewing or using Group Policy
preferences. If we disable it administrators will
be able to view and use Group Policy preferences.
This does not address the problem at hand.
QUESTION 3
You are the network administrator for Abc. The network
consists of a Windows 2000 Active Directory domain.
The domain includes two organizational units (OU)
named Manufacturing and Sales. The network contains
two Windows 2000 Server computers configured as domain
controllers and 1,500 Windows 2000 Professional client
computers. All user accounts are located in the Manufacturing
OU and Sales OU. Your manager wants you to ensure
that the domain Account Policies are no less secure
than the Account Policies in the Securedc.inf template.
You run the Security Configuration and Analysis console
on a network domain controller, and you use Securedc.inf
to analyze the computer. You review the Password Policy
portion of the analysis, which the following table
shows.
Your manager does not want to reduce the existing
security level. You must increase the security of
the Password Policy in all areas in which it is less
restrictive than the Securedc.inf template. What should
you do?
A. Import Securedc.inf template into the Domain Security
Policy.
B. Create a new Group Policy object (GPO) and link
it to the Sales and Manufacturing OUs. Import the
Securedc.inf template into the new GPO.
C. Create a new security template. Set Enforce password
history to 24 passwords, Maximum password age to 42
days, and Minimum password age to 4 days. Import the
new template to the Domain Security Policy.
D. Create a new Group Policy object (GPO) and link
it to the Sales and Manufacturing OUs. Create a new
security template. Set Enforce password history to
24 passwords, Maximum password age to 0, and Minimum
password age to 4 days. Import the new template to
the new GPO.
Answer: C
Explanation: We must create a new security template
that is at least as restrictive as the current settings.
This ensures that security only improves and never decreases.
Incorrect Answers
A: When merging security templates the last one imported,
Securedc.inf, takes precedence when there is contention.
Importing the Securedc.inf security templates would
therefore decrease Minimum password age and disable
Store password using reversible encryption. This is
not acceptable.
B, D: Windows 2000 only allows one domain account
policy: the account policy applied to the root domain
of the domain tree.
QUESTION 4
You are the network administrator for Abc. The network
consists of a Windows 2000 Active Directory domain.
The network contains two Windows 2000 Server computers
configured as domain controllers, 100 Windows 2000
Professional client computers, and 100 Windows 98
client computers. All Windows 98 Second Edition client
computers have the Microsoft Directory Services Client
installed and are configured with the appropriate
LMCompatibilityLevel registry value. Abc has three
departments: research, sales, and operations. Each department has
a separate organizational unit (OU) in the domain
that contains all user and group accounts for that
department. The written security policy for Abc requires
that domain controllers authenticate user logons only
by using the most secure Microsoft authentication
method available to all clients on the network. You
review the Security Options portion of the security
template for the domain. The following table shows
the relevant Security Options settings in the template.
You must ensure that no Windows 98 client computer
can authenticate with the domain controller by using
anything less than the most secure authentication
method available. What should you do?
A. Configure the LAN Manager Authentication Level
on the security template to Not defined. Import the
template into the Domain Controllers Security Policy.
B. Configure the LAN Manager Authentication Level
on the security template to Send NTLMv2 response only\refuse
LM & NTLM. Import the template into the Domain
Security Policy.
C. Configure the Default Domain Policy Group Policy
object (GPO) to enable the Digitally encrypt secure
channel data (when possible) setting in the Secure
Options policy.
D. Configure the Default Domain Controllers Policy
Group Policy object (GPO) to enable the Digitally
encrypt or sign secure channel data (always) setting
in the Secure Options policy.
Answer: B
Explanation: NTLM 2 is the most secure LAN Manager authentication
level. NTLM2 support to Windows 95 and Windows 98
can be added by installing the Directory Services
Client from the Windows 2000 CD-ROM. This step has
been taken in this scenario. By enforcing use of NTLMv2
we would ensure that the most secure authentication
method is available.
Note: The LAN Manager authentication level determines
which challenge/response authentication protocol is
used for network logons. This choice affects the level
of authentication protocol used by clients, the level
of session security negotiated, and the level of authentication
accepted by servers. The NTLM authentication package
in Windows 2000 supports three methods of challenge/response
authentication: LAN Manager (LM) which is least secure,
NTLM version 1, NTLM version 2 which is the most secure.
By default, all three challenge/response mechanisms
are enabled. You can disable authentication using
weaker variants by setting the LAN Manager authentication
level security option in local security policy for
the computer.
Reference: How to Enable NTLM 2 Authentication for
Windows 95/98/2000 and NT, Microsoft Knowledge Base
Article - Q239869
Incorrect Answers
A: A LAN Manager Authentication Level of Not defined
would enable LAN Manager (LM) authentication, which
is the least secure authentication method.
C: When the Digitally encrypt secure channel data (when
possible) setting is enabled, it ensures that all
secure channel traffic is encrypted if the partner
domain controller is also capable of encrypting all
secure channel traffic. However, it still allows unencrypted
data. Furthermore, it only applies to communication
between domain controllers.
D: The Digitally encrypt or sign secure channel data
(always) setting determines whether a secure channel
can be established with a domain controller that is
not capable of signing or encrypting all secure channel
traffic. If this setting is enabled, a secure channel
cannot be established with any domain controller that
cannot sign or encrypt all secure channel data. It
only applies to communication between domain controllers
and is therefore useless in this scenario.
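The three template settings these questions turn on (RestrictAnonymous in question 1, the Password Policy values in question 3 and LmCompatibilityLevel in question 4) can be checked the way the question 3 explanation demands: take the stricter value from each template so that security never decreases. The Python below is an added example, not part of the braindump or of any Microsoft tool; the two templates are constructed samples in security-template INF syntax (not the real Securedc.inf), and the rule table is an assumption about which direction is stricter for each setting.

```python
import configparser

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa" + "\\"
# Which of two values is stricter per setting: "higher", "lower", or "lower_nonzero"
# for MaximumPasswordAge, where 0 means "never expires" and is the weakest value.
RULES = {
    ("System Access", "PasswordHistorySize"): "higher",
    ("System Access", "MaximumPasswordAge"): "lower_nonzero",
    ("System Access", "MinimumPasswordAge"): "higher",
    ("Registry Values", LSA + "RestrictAnonymous"): "higher",     # 2 = no access w/o explicit perms
    ("Registry Values", LSA + "LmCompatibilityLevel"): "higher",  # 5 = NTLMv2 only, refuse LM & NTLM
}
# Constructed sample templates (not the real Securedc.inf): current DC settings and a baseline.
CURRENT_INF = r"""[System Access]
PasswordHistorySize = 12
MaximumPasswordAge = 42
MinimumPasswordAge = 4
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""
BASELINE_INF = r"""[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

def setting(text, section, key):
    """Read one template value; registry entries are 'type,data' (4 = REG_DWORD)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep registry paths as-is instead of lowercasing them
    cp.read_string(text)
    raw = cp.get(section, key, fallback=None)
    return None if raw is None else int(raw.split(",")[-1])

def stricter(rule, a, b):
    vals = [v for v in (a, b) if v is not None]
    if not vals:
        return None  # setting absent from both templates
    if rule == "lower_nonzero":  # 0 (never expire) never beats a real age
        nonzero = [v for v in vals if v != 0]
        return min(nonzero) if nonzero else 0
    return max(vals) if rule == "higher" else min(vals)

def merge_stricter(current_inf, baseline_inf):
    """Return {(section, key): value}, taking the stricter value from either template."""
    return {sk: stricter(rule, setting(current_inf, *sk), setting(baseline_inf, *sk))
            for sk, rule in RULES.items()}
```

Each key/value in the result maps straight back onto a template line (PasswordHistorySize = 24 under [System Access]; MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2 under [Registry Values], where 4 is the REG_DWORD type) for a template that secedit /configure /cfg can import.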