Braindumps of 70-298
Designing Security for a MS Windows Server 2003 Network
Exam Questions, Answers, Braindumps (70-298)
70-298 cleared, thanks to www.exams.ws . The guide
from this site was based on actual exam questions.
QUESTION 1
You need to design an access control strategy that
meets business and security requirements. Your solution
must minimize forestwide replication. What should
you do?
A. Create a global group for each department and a
global group for each location.
Add users to their respective departmental groups
as members.
Place the departmental global groups within the location
global groups.
Assign the location global groups to file and printer
resources in their respective domains, and then assign
permissions for the file and printer resources by
using the location global groups.
B. Create a global group for each department, and
add the respective users as members.
Create domain local groups for file and printer resources.
Add the global groups to the respective domain local
groups.
Then, assign permissions to the file and printer resources
by using the domain local groups.
C. Create a local group on each server and add the
authorized users as members.
Assign appropriate permissions for the file and printer
resources to the local groups.
D. Create a universal group for each location, and
add the respective users as members.
Assign the universal groups to file and printer resources.
Then, assign permissions by using the universal groups.
Answer: B
Explanation:
A global group is a type of group used to organize
users who have similar network access requirements.
It is simply a container of users and global groups
(in native mode) from the local domain.
Domain local groups are used to assign permissions
to resources. Domain local groups can contain user
accounts, universal groups, and global groups from
any domain in the tree or forest. A domain local group
can also contain other domain local groups from its
own local domain. Microsoft recommends that global
groups be added to domain local groups in a single
domain environment and that universal groups are added
to the domain local group in a multi-domain environment.
Create a global group for each department and add the
respective users as its members, then create domain local
groups for the file and printer resources. Next, add the
global groups to the respective domain local groups and
assign permissions for the different resources by using
the domain local groups.
This should comply with security requirements while
servicing business operational requirements.
All customer information must be kept confidential.
All access to customer information must be tracked.
We must use our existing infrastructure's security
features to meet our security needs. Also, we suspect
that unauthorized users are attempting to delete files.
Therefore, we need to review which users have access
to company resources periodically.
Incorrect answers:
A: This option will result in unnecessary replication
taking place.
C: A local group is a group that is stored on the
local computer's accounts database. This is not the
answer in this scenario.
D: Universal groups are a special type of group used to
logically organize global groups, and they appear in the
Global Catalog (a search service that holds limited
information about every object in Active Directory).
Universal groups can contain users (not recommended) from
anywhere in the domain tree or forest, other universal
groups, and global groups. Using them here will obviously
result in forest-wide replication, which should be kept
to a minimum.
Reference:
Lisa Donald, Suzan Sage London & James Chellis,
MCSA/MCSE: Windows® Server 2003 Environment Management
and Maintenance Study Guide, p. 167
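The AGDLP design chosen in Question 1, shown as an added example rather than anything from the braindump or the cited study guides. It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later; on Server 2003 itself the same steps would be done with dsadd/dsmod and cacls), and the OU, domain name, department names, user and share path are placeholders.

```powershell
# Added example, not from the braindump: the AGDLP pattern chosen in Question 1,
# built with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or
# later; on Server 2003 itself the same steps would use dsadd/dsmod and cacls).
# The OU, domain name, department names, user and share path are placeholders.
Import-Module ActiveDirectory

$ou          = 'OU=Groups,DC=example,DC=com'   # placeholder OU
$domain      = 'EXAMPLE'                        # placeholder NetBIOS domain name
$departments = 'Sales', 'Claims'                # placeholder departments
$share       = 'D:\Shares\Policies'             # placeholder resource folder

# A -> G: accounts go into one Global group per department. Global group
# membership replicates only inside its own domain, whereas universal group
# membership is stored in the Global Catalog and replicated forest-wide,
# which is exactly the replication the question says to minimize.
foreach ($dept in $departments) {
    New-ADGroup -Name "GG-$dept" -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity 'GG-Sales' -Members 'jdoe'   # placeholder user

# DL: one Domain Local group per resource and permission level. It lives in
# the resource's own domain and can take global groups from any domain.
New-ADGroup -Name 'DL-Policies-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: nest the departmental global groups into the domain local group.
Add-ADGroupMember -Identity 'DL-Policies-Modify' -Members 'GG-Sales', 'GG-Claims'

# DL -> P: the NTFS ACE is granted to the domain local group only, never to
# individual users, so access changes are group edits rather than ACL edits.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\DL-Policies-Modify", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Periodic access review (a requirement quoted in the scenario): expand the
# nesting to list every user who effectively holds Modify on the share.
Get-ADGroupMember -Identity 'DL-Policies-Modify' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object SamAccountName, DistinguishedName
```

The final query is the one to run on the review schedule the scenario asks for, since nested group membership is what actually decides who can reach the folder.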
QUESTION 2
You need to design a remote administration solution
for servers on the internal network. Your solution
must meet business and security requirements. What
should you do?
A. Permit administrators to use an HTTP interface
to manage servers remotely.
B. Permit only administrators to connect to the servers'
Telnet service.
C. Permit administrators to manage the servers by
using Microsoft NetMeeting.
D. Require administrators to use Remote Desktop for
Administration connections to manage the servers.
Answer: B
Explanation:
Telnet is a powerful remote administration tool that
lets an administrator run command-line utilities from
a text-based command-line window. Because it is
infrequently used as an administrative tool and typically
passes credentials in clear text, the Telnet service is
disabled by default on all Windows Server 2003 machines.
You should enable it only if there is a real need for it,
especially since the other administrative tools at your
disposal offer more features and far better security, and
it should remain disabled unless such a need arises. Thus
you need to permit only the administrators to connect to
the servers' Telnet service; this scenario requires the
administrators to make use of the Telnet service.
All remote server administration must be conducted
over an encrypted channel.
Remote Desktop for Administration cannot be used to
connect to servers on the perimeter network.
Incorrect answers:
A: Making use of HTTP interface to manage servers
remotely will not comply with company security policy.
C: Having the administrators managing the servers
with Microsoft NetMeeting does not meet with business
requirements.
D: Compelling administrators to use RDA connections
to manage the servers is not the answer, since it is
explicitly stated that "Remote Desktop for
Administration cannot be used to connect to servers
on the perimeter network."
Reference:
Elias N. Khnaser, Susan Snedak, Chris Peiris and Rob
Amini, MCSE Designing Security for a Windows Server
2003 Network Exam 70-298 Study Guide, Chapter 4, p.
208
QUESTION 3
You need to design a method to encrypt confidential
data. Your solution must address the concerns of the
chief information officer. What should you do?
A. Encrypt customer information when it is stored
and when it is being transmitted.
B. Require encrypted connections to the public Web
site, which is hosted on the Web server on the perimeter
network.
C. Encrypt all marketing information on file servers
and client computers.
D. Require encrypted connections to all file servers.
Answer: A
Explanation:
The chief information officer is concerned about customer
data being leaked to the public. You thus need to
encrypt this information when it is stored as well as
when it is being transmitted.
Recently, confidential customer information was released
to the public. Also, we suspect that unauthorized
users are attempting to delete files. Therefore, we
need to review which users have access to company
resources periodically. We must avoid increasing expenses,
so we must use our existing infrastructure's security
features to meet our security needs.
Incorrect answers:
B: Encrypted connections to the public Web site hosted
on the Web server on the perimeter network will not
work in this scenario.
C: You need to keep the customer information confidential.
Marketing information is for public consumption.
"Marketing information and service offering literature
is available to the public. Humongous Insurance must
track unauthorized modification of the marketing information
only."
D: Encrypted connections to all the file servers will
also render information other than the confidential
data encrypted. This is not what is needed.
Reference:
Elias N. Khnaser, Susan Snedak, Chris Peiris and Rob
Amini, MCSE Designing Security for a Windows Server
2003 Network Exam 70-298 Study Guide, Chapter 9, pp.
571-576
QUESTION 4
You need to design a method to update the content
on the Web server. Your solution must meet business
and security requirements. What are two possible ways
to achieve this goal? (Each correct answer presents
a complete solution. Choose two)
A. Use SSH to encrypt content as it is transferred
to the Web server on the perimeter network.
B. Install the Microsoft FrontPage Server Extensions,
and use FrontPage to update content.
C. Use Web Distributed Authoring and Versioning (WebDAV)
over an SSL connection to the Web server to update
content.
D. Use FTP over an IPSec connection to transfer content
to the Web server.
E. Use Telnet to connect to the Web server, and then
perform content changes directly on the server.
Answer: C, D
Explanation:
C: WebDAV is a file sharing protocol that is commonly
used in Windows Internet-related applications. It is
a secure file transfer protocol for intranets and the
Internet: you can download, upload, and manage files
on remote computers across the Internet and intranets
by using WebDAV. WebDAV is similar to FTP, but WebDAV
always uses password security and data encryption on
file transfers (FTP does not support these). Thus using
WebDAV over an SSL connection should comply with the
company's security requirements.
D: The File Transfer Protocol (FTP) is a valuable
component of IIS 6.0. FTP is used to "swap" or "share"
files between servers and clients, which can be a
dangerous practice for businesses with sensitive
information, and most large organizations' firewalls
will block FTP access. We therefore need to run FTP
communication over a secure channel such as a VPN.
VPNs use the Point-to-Point Tunneling Protocol (PPTP)
or Secure Internet Protocol (IPSec) to encrypt data
and facilitate secure FTP communication. We can also
use SSL encryption on WebDAV-supported directories
for the same purpose.
Incorrect answers:
A: SSH is independent of the operating system and
is therefore suitable for use in a mixed operating
system environment. However, not all terminal
concentrators provide built-in security functions, so
you need to consult the vendor's documentation to see
what security, if any, is provided. Thus this option
is a security risk.
B: Making use of Microsoft FrontPage Server Extensions
and updating the content with FrontPage will not comply
with security requirements.
E: You should enable the Telnet service only if you
see a real need for it, especially since the other
administrative tools at your disposal offer more features
and far better security. The Telnet service should
remain disabled unless a need arises that requires
it. In this instance it would be unnecessary.
Reference:
Elias N. Khnaser, Susan Snedak, Chris Peiris and Rob
Amini, MCSE Designing Security for a Windows Server
2003 Network Exam 70-298 Study Guide, Chapters 4 &
6, pp. 208, 383-384, 386
QUESTION 5
You need to design a monitoring strategy for the folders
that contain customer information, which are shown
in the Customer Data window
What should you do?
A. Audit success and failures for object access on
the Customer Data folder and all subfolders.
B. Audit failure of object access on only the Customer
Data folder.
C. Use Security Configuration and Analysis to enable
auditing on only the Customer Data folder.
D. Audit directory access failures.
Answer: A
Explanation:
Audit object access: if enabled, this setting triggers
auditing of user access to objects such as files,
folders, registry keys, and so forth. As with the
other audit policies, you can monitor the success or
the failure of these actions, or both. To be able to
track all access to customer information, you need to
audit both success and failure of object access on
the folder in question.
All customer information must be kept confidential.
All access to customer information must be tracked.
Incorrect answers:
B: Auditing only the failure of object access
constitutes only half of the tracking required by
the company's written security policy.
C: The Security Configuration and Analysis tool is
used to analyze and to help configure a computer's
local security settings. Security Configuration and
Analysis works by comparing the computer's actual
security configuration to a security database configured
with the desired settings. This is not the same as
tracking all access to the Customer data folders and
subfolders.
D: Auditing directory access failures will not work
in this scenario, where more is expected.
Reference:
Elias N. Khnaser, Susan Snedak, Chris Peiris and Rob
Amini, MCSE Designing Security for a Windows Server
2003 Network Exam 70-298 Study Guide, Chapters 2 &
8, pp. 64-66, 481-485
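The Question 5 answer put into practice, as an added example that is not from the braindump or the cited study guide: turn on the object-access audit policy and place a Success-and-Failure SACL on the customer-data folder that inherits to every subfolder and file. It assumes a current Windows version (auditpol subcategories exist on Vista/Server 2008 and later; on Server 2003 the policy was set through the Local Security Policy MMC), an elevated session, and the placeholder path D:\CustomerData.

```powershell
# Added example, not from the braindump: audit both Success and Failure of
# object access on the customer-data folder and everything beneath it.
# Assumes Windows Vista/Server 2008 or later (auditpol subcategories) and an
# elevated session, because reading or writing a SACL needs SeSecurityPrivilege.
$folder = 'D:\CustomerData'   # placeholder path, not taken from the page

# 1. Policy side: without the audit category enabled, SACL entries on the
#    folder generate no events at all, however carefully they are set.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Object side: add a SACL entry. Auditing 'Everyone' is deliberate, since
#    the requirement is to track all access, not one group's. The inheritance
#    flags push the entry to all subfolders and files (answer A, not B).
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify what is now in force: the entry should show AuditFlags
#    'Success, Failure' and inheritance to containers and objects.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. Review the resulting Security-log events. Event ID 4663 records an
#    access attempt on an audited object for both outcomes; the delete
#    attempts the scenario worries about show up here with AccessMask DELETE.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
```

Step 4 is the part that satisfies "all access to customer information must be tracked": the SACL alone only writes events, and someone still has to read them.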