Braindumps of 70-299
Implementing and Administering Security in a Microsoft Windows Server 2003 Network
Exam Questions, Answers, Braindumps (70-299)
Completed my paper. It was because of www.exams.ws. All the questions in the exam
are from their study guide.
Good luck to you too.
I have managed some questions.
QUESTION NO: 1
You are a security administrator for Abc.com. The
network consists of a single Active Directory domain
named abc.com. All servers run Windows Server 2003.
All client computers run Windows XP Professional.
Several client computers are configured as kiosk computers
that visitors and employees use. The kiosk computers
are managed by using GPOs. The GPOs enforce a secure
configuration. Multiple users log on to these computers
every day. You review the results of a security audit.
You discover that when some users log on the secure
configuration is removed. You need to ensure that
the secure configuration is enforced at all times.
What should you do?
A. Apply the Securews.inf security template to the kiosk computers.
B. Configure the default user profile on kiosk computers as a mandatory user profile.
C. Edit the GPO that manages kiosk computers. Disable the Secondary Logon service.
D. Edit the GPO that manages kiosk computers. Enable loopback processing.
Answer: D
QUESTION NO: 2
DRAG DROP
You are a security administrator for Abc.com. The
network consists of a single Active Directory forest
named abc.com. All servers run either Windows Server
2003 or Windows 2000 Server. All domain controllers run
Windows Server 2003. All client computers run Windows
XP Professional. Abc.com uses a Microsoft Exchange
Server 2003 computer. Users on the internal network
connect to Exchange Server 2003 by using Microsoft
Outlook. Abc.com currently does not allow users to
exchange e-mail with customers via the Internet. To
improve communication with customers, management decides
to allow e-mail communication via the Internet. Your
company updates its written security policy with the
following requirements regarding the placement of
Exchange Server 2003 computers:
1. Customers on the Internet must not be able to connect directly to any computer on the internal network.
2. The number of ports and protocols that are allowed to pass through firewall devices must be minimized.
You need to place computers to meet the company's
written security policy.
Answer:
Explanation:
QUESTION NO: 3
You are a security administrator for Abc.com. The
network consists of a single Active Directory domain
named abc.com. All servers run Windows Server 2003.
All client computers run Windows XP Professional.
Terminal Services is running on four Windows Server
2003 computers. Members of a group named Remote Application
need to access applications by using Terminal Services.
You assigned the Remote Application group the appropriate
NTFS permissions for the application folder and the
appropriate RDP-Tcp connection permissions on the terminal
servers. Currently no users have the right to connect
to the terminal servers. You need to assign users
in the Remote Application group the minimum rights
necessary to access the applications. What should
you do to configure the terminal servers?
A. Apply a security template that assigns the Access this computer from the network right to the Remote Application group.
B. Apply a security template that assigns the Allow log on locally right to the Remote Application group.
C. Apply a security template that assigns the Log on as a service right to the Remote Application group.
D. Apply a security template that assigns the Allow log on through Terminal Services right to the Remote Application group.
Answer: D
Explanation:
Allow log on through Terminal Services
Description
This security setting determines which users or groups
have permission to log on as a Terminal Services client.
Default:
On workstation and servers: Administrators, Remote
Desktop Users.
On domain controllers: Administrators.
Configuring this security setting
You can configure this security setting by opening
the appropriate policy and expanding the console tree
as such:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\
For specific instructions about how to configure security policy settings, see To edit a security setting on a Group Policy object.
This setting does not have any effect on Windows 2000
computers that have not been updated to Service Pack
2.
For more information, see:
Deny logon through Terminal Services
User rights assignment
To assign user rights for your local computer
Security Configuration Manager Tools
Accessing Terminal Services Using New User Rights
Options
SUMMARY
This article describes new options that you can use
to assign user rights in Windows that affect the Terminal
Services feature.
MORE INFORMATION
You can use these options to change the set of permissions
a user must have to establish a Terminal Services
session.
To grant a user these permissions, start the Group Policy snap-in, open the Local Security Policy or the appropriate Group Policy, and then navigate to the following location:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment
To grant a user these permissions, start either the Active Directory Users and Computers snap-in or the Local Users and Groups snap-in, open the user's properties, click the Terminal Services Profile tab, and then click to select the Allow logon to Terminal Server check box.
To grant guests Logon rights to the RDP-TCP connection,
start the Terminal Services Configuration snap-in,
edit the RDP-TCP so that the guest has at least Logon
rights.
The pivotal difference between Windows 2000 and Windows
Server 2003 is the "Allow logon through Terminal
Services" user right. When you grant this user
right, you no longer have to grant the user the Log
on locally right (this was a requirement in Windows
2000). In Windows Server 2003, it is possible for
a user to establish a Terminal Services session to
a particular server, but not be able to log on to
the console of that same server.
QUESTION NO: 4
You are a security administrator for Abc.com. The
network consists of a single Active Directory domain
named abc.com. The abc.com domain contains Windows
Server 2003 computers and Windows XP Professional
client computers. All computers are members of the
domain. A Windows Server 2003 computer named Abc3
runs Certificate Services. Abc3 is an enterprise subordinate
certification authority (CA). A Windows Server 2003
computer named Abc2 runs IIS. Abc2 hosts an internal
human resources web site for employees. You want to
ensure that the personal data of the employees is
not exposed while in transit over the network. You
decide to use SSL on Abc2. You need to ensure that
employees do not receive a certificate-related security
alert when they use SSL to connect to this Web site.
You want to achieve this goal without spending money
to purchase this certificate unless it is necessary
to do so. What should you do?
A. Use IIS to submit a certificate request to a commercial CA.
B. Use IIS to submit a certificate request to Abc3.
C. Use the Certificates console to submit a Client certificate request to a commercial CA.
D. Use the Certificates console to submit a Client certificate request to Abc3.
Answer: B
Explanation:
Using Client Certificate Authentication with IIS 6.0
Web Sites
Request a User Certificate from the Web Enrollment
Site
The client computer must present a user certificate
to the Web server before the Web server will accept
the user's credentials. Users can log on to the Web
enrollment site and request a user certificate. The
user does not need to be an administrator in the domain
or on the Certificate Server computer. The user only
needs to have legitimate user credentials that the
enterprise CA recognizes.
Perform the following steps on the client computer to obtain the user certificate:
1. On the Web client computer, open Internet Explorer
and enter http://10.0.0.2/certsrv in the address bar,
where 10.0.0.2 is the IP address of the Certificate
Server. Press ENTER.
2. In the log on dialog box, enter the credentials
of a non-administrator user. This will demonstrate
that a non-admin can obtain a user certificate. Click
OK.
3. On the Welcome page of the Web enrollment site,
click the Request a certificate link.
4. On the Request a Certificate page, click the User
Certificate link.
5. On the User Certificate - Identifying Information page, click Submit.
6. Click Yes on the Potential Scripting Violation
dialog box informing you that the Web site is requesting
a certificate on your behalf.
7. On the Certificate Issued page, click the Install
this certificate link.
8. Click Yes on the Potential Scripting Violation
page informing you that the Web site is adding a certificate
to the machine.
9. Close Internet Explorer after you see the Certificate
Installed page.
Generating a Certificate Request File Using the Certificate
Wizard in IIS 5.0
The Certificate Wizard that comes with Internet Information
Services (IIS) 5.0 makes managing server certificates
easier than ever before. This article describes how
to create a certificate request file using the wizard.
The first step you will...
QUESTION NO: 5
You are a security administrator for Abc.com. The
network consists of a single Active Directory domain
named abc.com. All servers run Windows Server 2003.
All servers are in an OU named Servers, or in OUs contained
within the Servers OU. Based on information in recent
security bulletins, you want to apply settings from
a security template named Messenger.inf to all servers
on which the Messenger service is started. You do
not want to apply these settings to servers on which
the Messenger service is not started. You also do
not want to move servers to other OUs. You need to
apply the Messenger.inf security template to the appropriate
servers. What should you do?
A. Import the Messenger.inf security template into a GPO, and link the GPO to the Servers OU. Configure Administrative Templates filtering in the GPO.
B. Import the Messenger.inf security template into a GPO, and link the GPO to the Servers OU. Configure a Windows Management Instrumentation (WMI) filter for the GPO.
C. Configure a logon script in a GPO, and link the GPO to the Servers OU. Configure the script to run the gpupdate command if the Messenger service is running.
D. Edit the Messenger.inf security template to set the Messenger service startup mode to Automatic, and then run the secedit /refreshpolicy command.
Answer: B
QUESTION NO: 6
You are a security administrator for Abc.com. The
network consists of a single Active Directory domain
named abc.com. All servers run Windows Server 2003.
All client computers run Windows XP Professional.
Eight Windows Server 2003 computers are members of the domain.
These computers are used to store confidential files.
They reside in a data center that only IT administration
personnel have physical access to. You need to restrict
members of a group named Contractors from connecting
to the file server computers. All other employees
require access to these computers. What should you do?
A. Apply a security template to the file server computers that assigns the Access this computer from the network right to the Domain Users group.
B. Apply a security template to the file server computers that assigns the Deny access to this computer from the network right to the Contractors group.
C. Apply a security template to the file server computers that assigns the Allow log on locally right to the Domain Users group.
D. Apply a security template to the file server computers that assigns the Deny log on locally right to the Contractors group.
Answer: B
Explanation:
Deny access to this computer from the network
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Description: Determines which users are prevented from accessing a computer over the network.
QUESTION NO: 7
You are a security administrator for Abc.com. The
network consists of a single Active Directory domain
named abc.com. The abc.com domain contains Windows
Server 2003 computers and Windows XP Professional
client computers. All computers are members of the
domain. The employee user accounts in the Abc.com
company are members of the Administrators local group
on client computers. You occasionally experience problems
managing client computers because an employee removes
the Domain Admins global group from the Administrators
local group on the computer. You need to prevent employees
from removing the Domain Admins global group from
the Administrators local group on client computers.
What should you do?
A. Apply a security template to the client computers that establishes the Domain Admins global group as a member of the Administrators local group by using the Restricted Groups policy.
B. Apply a security template to the domain controller computers that establishes the Domain Admins global group as a member of the Administrators domain local group by using the Restricted Groups policy.
C. Modify the Domain Admins global group by assigning the Allow - Full Control permission to the Domain Admins global group.
D. Modify the Domain Admins global group by assigning the Deny - Full Control permission to the Domain Admins global group.
Answer: A
Explanation:
Description of Group Policy Restricted Groups
This article was previously published under Q279301.
SUMMARY: This article provides a description of Group
Policy Restricted groups.
Restricted groups allow an administrator to define
the following two properties for security-sensitive
(restricted) groups:
Members
Member Of
The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list specifies which other groups the restricted group should belong to.
Using the "Members" Restricted Group Portion
of Policy
When a Restricted Group policy is enforced, any current
member of a restricted group that is not on the "Members"
list is removed with the exception of administrator
in the Administrators group. Any user on the "Members"
list which is not currently a member of the restricted
group is added.
Using the "Member Of" Restricted Group Portion
of Policy
Only inclusion is enforced in this portion of a Restricted
Group policy. The Restricted Group is not removed
from other groups. It makes sure that the restricted
group is a member of groups that are listed in the
Member Of dialog box.
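Questions 3, 6 and 7 are each answered with a security template that assigns a user right or enforces a Restricted Groups membership. The following Python script is an added example, not part of the braindump or of Microsoft's tools: it parses a constructed secedit-style .inf template and checks those three settings against the answers; the template contents, the domain SIDs and the group names are assumed placeholders.

```python
import configparser
import io

# Constructed sample of a secedit-style security template (not exported from any real machine).
# The S-1-5-21-... SIDs are placeholders; RID 512 is the Domain Admins RID and
# S-1-5-32-544 is the built-in Administrators group.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
SeDenyNetworkLogonRight = *S-1-5-21-1111-2222-3333-1120
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-500
*S-1-5-32-544__Memberof =
"""

REMOTE_APPLICATION_SID = "S-1-5-21-1111-2222-3333-1105"  # Remote Application group (Question 3)
CONTRACTORS_SID = "S-1-5-21-1111-2222-3333-1120"         # Contractors group (Question 6)
DOMAIN_ADMINS_SID = "S-1-5-21-1111-2222-3333-512"        # Domain Admins (Question 7)
ADMINISTRATORS_SID = "S-1-5-32-544"                      # built-in Administrators

# A weakened copy in which Domain Admins has been dropped from the Administrators list,
# the situation Question 7 wants the Restricted Groups policy to repair.
WEAK_TEMPLATE = SAMPLE_TEMPLATE.replace("*S-1-5-21-1111-2222-3333-512,", "")


def _split_principals(value):
    """Split a comma-separated secedit value; entries are '*SID' or plain account names."""
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]


def parse_template(text):
    """Parse the [Privilege Rights] and [Group Membership] sections of a template."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of SeDenyNetworkLogonRight, *S-1-5-32-544__Members, ...
    cp.read_file(io.StringIO(text))
    privileges = {}
    if cp.has_section("Privilege Rights"):
        for right, value in cp.items("Privilege Rights"):
            privileges[right] = _split_principals(value)
    groups = {}
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            group, _, kind = key.partition("__")          # e.g. *S-1-5-32-544__Members
            entry = groups.setdefault(group.lstrip("*"), {"members": [], "memberof": []})
            entry[kind.lower()] = _split_principals(value)
    return {"privileges": privileges, "groups": groups}


def check_policy(template):
    """Return the list of findings; an empty list means the template matches the three answers."""
    findings = []
    priv = template["privileges"]
    # Question 3: Remote Application needs only 'Allow log on through Terminal Services'
    # (SeRemoteInteractiveLogonRight), not console logon (SeInteractiveLogonRight).
    if REMOTE_APPLICATION_SID not in priv.get("SeRemoteInteractiveLogonRight", []):
        findings.append("Remote Application lacks SeRemoteInteractiveLogonRight")
    if REMOTE_APPLICATION_SID in priv.get("SeInteractiveLogonRight", []):
        findings.append("Remote Application has SeInteractiveLogonRight (console logon) it does not need")
    # Question 6: Contractors are listed under 'Deny access to this computer from the network';
    # a deny right overrides any allow right the group inherits through Domain Users.
    if CONTRACTORS_SID not in priv.get("SeDenyNetworkLogonRight", []):
        findings.append("Contractors are not listed in SeDenyNetworkLogonRight")
    # Question 7: the Restricted Groups 'Members' list for Administrators must name Domain Admins;
    # at each policy refresh, members not on the list are removed and listed ones are added back.
    admins = template["groups"].get(ADMINISTRATORS_SID, {"members": []})["members"]
    if DOMAIN_ADMINS_SID not in admins:
        findings.append("Domain Admins is not in the Administrators Members list")
    return findings


if __name__ == "__main__":
    print("good template:", check_policy(parse_template(SAMPLE_TEMPLATE)))
    print("weak template:", check_policy(parse_template(WEAK_TEMPLATE)))
```

A template that passes these checks would then be imported into the GPO linked to the computers' OU, or applied locally with secedit /configure, as the answers describe.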
QUESTION NO: 8
You are a security administrator for Abc.com. The
network consists of two Active Directory domains.
These domains each belong to separate Active Directory
forests. The domain abc.com is used primarily to support
company employees. The domain named bar.biz is used
to support company customers. The functional level
of all domains is Windows Server 2003 interim mode.
A one-way external trust relationship exists in which
the abc.com domain trusts the bar.biz domain. A Windows
Server 2003 computer named Abc3 is a member of the bar.biz domain.
Abc3 provides customers access to a Microsoft SQL
Server 2000 database. The user accounts used by customers
reside in the local account database on Abc3. All
of the customer user accounts belong to a local computer
group named Customers. SQL Server is configured to
use Windows Integrated authentication. Abc.com has
additional SQL Server 2000 databases that reside on
three Windows Server 2003 computers. These computers
are members of the abc.com domain. Abc's written security
policy states that customer user accounts must reside
on computers in the bar.biz domain. You need to plan
a strategy for providing customers with access to
the additional databases. You want to achieve this
goal by using the minimal amount of administrative
effort. What should you do?
A. Create a new user account in the bar.biz Active Directory domain for each customer. Create a universal group in the bar.biz domain. Add the new customer domain user accounts as members of the new universal group. Assign this group permissions to access the databases.
B. Create a new user account in the bar.biz Active Directory domain for each customer. Create a global group in the bar.biz domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
C. Create a new user account in the abc.com Active Directory domain for each customer. Create a global group in the abc.com domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
D. Create a new user account in the abc.com Active Directory domain for each customer. Create a global group in the abc.com domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
Answer: B
QUESTION NO: 9
You are a security administrator for Abc. The network
consists of two Active Directory forests named abc.com
and public.abc.com. All servers run Windows Server
2003. All client computers run Windows XP Professional.
The network consists of an IEEE 802.11b wireless LAN
(WLAN). Employees and external users use the WLAN.
User accounts for employees are located in the abc.com
forest. User accounts for external users are located
in the public.abc.com forest. External users' computers
do not have computer accounts in the public.abc.com
forest. To increase security, you upgrade the network
hardware to support IEEE 802.1x. You configure a public
key infrastructure (PKI). You issue Client Authentication
certificates to employees, to client computers used
by employees, and to external users. You need to configure
the WLAN to authenticate employees and external users.
What should you do?
A. Configure each wireless access point to forward RADIUS requests to a server running Internet Authentication Service (IAS). Configure the IAS server to use a connection request policy to forward the requests to the appropriate forest.
B. Configure each wireless access point to forward requests to an Internet Authentication Service (IAS) server in the abc.com forest. Configure the IAS server in the abc.com forest to use the Tunnel-Server-Endpt attribute.
C. Use the Connection Manager Administration Kit (CMAK). Configure one connection profile for external users. Configure a second connection profile for employees.
D. Establish a forest trust relationship between the abc.com forest and the public.abc.com forest.
Answer: A
Explanation:
Connection request policies
Connection request policies are sets of conditions
and profile settings that give network administrators
flexibility in configuring how incoming authentication
and accounting request messages are handled by the
IAS server. With connection request policies, you
can create a series of policies so that some RADIUS
request messages sent from RADIUS clients are processed
locally (IAS is being used as a RADIUS server) and
other types of messages are forwarded to another RADIUS
server (IAS is being used as a RADIUS proxy). This
capability allows IAS to be deployed in many new RADIUS
scenarios.
With connection request policies, you can use IAS
as a RADIUS server or as a RADIUS proxy, based on
the time of day and day of the week, by the realm
name in the request, by the type of connection being
requested, by the IP address of the RADIUS client,
and so on.
It is important to remember that with connection request
policies, a RADIUS request message is processed only
if the settings of the incoming RADIUS request message
match at least one of the connection request policies.
For example, if the settings of an incoming RADIUS
Access-Request message do not match at least one of
the connection request policies, an Access-Reject
message is sent.
For more information about how incoming RADIUS request
messages from RADIUS clients are processed, see Processing
a connection request.
Authentication
You can set the following authentication options that
are used for RADIUS Access-Request messages:
Authenticate requests on this server.
Use a Windows NT 4.0 domain or the Active Directory directory service,
or the local Security Account Manager properties for
authorization. In this case, the IAS server is being
used as a RADIUS server.
Forward requests to another RADIUS server in a remote RADIUS server group.
Forward the Access-Request message to another RADIUS
server in a specified remote RADIUS server group.
If the IAS server receives a valid Access-Accept message
that corresponds to the Access-Request message, the
connection attempt is considered authenticated and
authorized. In this case, the IAS server is being
used as a RADIUS proxy.
Accept the connection attempt without performing authentication
or authorization.
Do not check authentication of the user credentials
and authorization of the connection attempt. An Access-Accept
message is immediately sent to the RADIUS client.
This setting is used for some types of compulsory
tunneling where the access client is tunneled before
the user's credentials are authenticated. For more
information, see IAS and tunnels.
This authentication option cannot be used when the
access client's authentication protocol is MS-CHAP v2
or EAP-TLS, both of which provide mutual authentication.
In mutual authentication, the access client proves
that it is a valid access client to the authenticating
server (the IAS server), and the authenticating server
proves that it is a valid authenticating server to the
access client. When this authentication option is used,
the Access-Accept message is returned. However, the
authenticating server does not provide validation to
the access client and mutual authentication fails.
Authentication protocol: the protocol by which an entity
on a network proves its identity to a remote entity.
Typically, identity is proved with the use of a secret
key, such as a password, or with a stronger key, such
as the key on a smart card. Some authentication protocols
also implement mechanisms to share keys between client
and server to provide message integrity or privacy.
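The connection request policy behaviour described above, applied to the two forests of Question 9, as an added Python model that is not IAS code and not part of the original page: each policy has a condition and one of the three actions (authenticate locally, forward to a remote RADIUS server group, or accept without authentication), the first matching policy wins, and a request that matches no policy gets Access-Reject. The remote server group name, the access-point subnet and the sample User-Names are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of how IAS evaluates connection request policies; it is not IAS code.


@dataclass
class AccessRequest:
    user_name: str     # RADIUS User-Name attribute, e.g. "alice@abc.com" or "ABC\\alice"
    client_ip: str     # address of the RADIUS client (the wireless access point)
    auth_method: str   # "EAP-TLS", "MS-CHAP v2", "PAP", ...


@dataclass
class ConnectionRequestPolicy:
    name: str
    condition: Callable[[AccessRequest], bool]
    action: str                         # "local", "forward" or "accept_without_auth"
    remote_group: Optional[str] = None  # remote RADIUS server group used when action == "forward"


MUTUAL_AUTH_METHODS = ("MS-CHAP v2", "EAP-TLS")


def realm_of(user_name):
    """Realm part of a User-Name: 'alice@abc.com' -> 'abc.com', 'ABC\\alice' -> 'abc'."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    return ""


def in_subnet(ip, cidr):
    """True when the RADIUS client address falls inside the given network."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(policies, request):
    """Apply the first matching policy (in order); with no match, IAS sends Access-Reject."""
    for policy in policies:
        if not policy.condition(request):
            continue
        if policy.action == "forward":
            # IAS acts as a RADIUS proxy: the Access-Request goes to the remote server group and
            # the connection counts as authenticated only if a matching Access-Accept comes back.
            return ("forward", policy.remote_group)
        if policy.action == "accept_without_auth":
            # Access-Accept is sent at once. With a mutual-authentication method the server never
            # proves itself to the client, so the client's validation of the server fails.
            if request.auth_method in MUTUAL_AUTH_METHODS:
                return ("accept", "unauthenticated; mutual authentication will fail at the client")
            return ("accept", "unauthenticated (compulsory tunneling case)")
        return ("local", "authenticate against this IAS server's domain")
    return ("reject", "no connection request policy matched")


# Policies for the two-forest WLAN of Question 9. The IAS server lives in abc.com; the
# remote RADIUS server group name and the access-point subnet are assumed values.
AP_SUBNET = "10.0.0.0/24"
POLICIES = [
    ConnectionRequestPolicy(
        "External users (public.abc.com forest)",
        lambda r: realm_of(r.user_name) == "public.abc.com" and in_subnet(r.client_ip, AP_SUBNET),
        "forward", remote_group="public-forest-ias"),
    ConnectionRequestPolicy(
        "Employees (abc.com forest)",
        lambda r: realm_of(r.user_name) == "abc.com" and in_subnet(r.client_ip, AP_SUBNET),
        "local"),
]


if __name__ == "__main__":
    for req in (AccessRequest("alice@abc.com", "10.0.0.50", "EAP-TLS"),
                AccessRequest("bob@public.abc.com", "10.0.0.50", "EAP-TLS"),
                AccessRequest("eve@other.example", "10.0.0.50", "EAP-TLS")):
        print(req.user_name, "->", evaluate(POLICIES, req))
```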
802.1x authentication
For enhanced security, you can enable IEEE 802.1x
authentication. IEEE 802.1x authentication provides
authenticated access to 802.11 wireless networks and
to wired Ethernet networks. IEEE 802.1x minimizes
wireless network security risks, such as unauthorized
access to network resources and eavesdropping, by
providing user and computer identification, centralized
authentication, and dynamic key management. IEEE 802.1x
supports Internet Authentication Service (IAS), which
implements the Remote Authentication Dial-In User
Service (RADIUS) protocol. Under this implementation,
a wireless access point that is configured as a RADIUS
client sends a connection request and accounting messages
to a central RADIUS server. The central RADIUS server
processes the request and grants or rejects the connection
request. If the request is granted, the client is
authenticated, and unique keys (from which the WEP
key is derived) can be generated for that session,
depending on the authentication method chosen. The
support that IEEE 802.1x provides for Extensible Authentication
Protocol (EAP) security types allows you to use authentication
methods such as smart cards, certificates, and the
Message Digest 5 (MD5) algorithm.
With IEEE 802.1x authentication, you can specify whether
the computer attempts authentication to the network
if the computer requires access to network resources
whether a user is logged on or not. For example, data
center operators who manage remotely administered
servers can specify that the servers should attempt
authentication to access the network resources. You
can also specify whether the computer attempts authentication
to the network if user or computer information is
not available. For example, Internet service providers
(ISPs) can use this authentication option to allow
users access to free Internet services, or to Internet
services that can be purchased. A corporation can
grant visitors with limited guest access, so that
they can access the Internet, but not confidential
network resources.
Understanding 802.1x authentication
IEEE 802.1x is a draft standard for port-based network access control,
which provides authenticated network access to 802.11
wireless networks and to wired Ethernet networks.
Port-based network access control uses the physical
characteristics of a switched local area network (LAN)
infrastructure to authenticate devices that are attached
to a LAN port and to prevent access to that port in
cases where the authentication process fails.
During a port-based network access control interaction,
a LAN port adopts one of two roles: authenticator
or supplicant. In the role of authenticator, a LAN
port enforces authentication before it allows user
access to the services that can be accessed through
that port. In the role of supplicant, a LAN port requests
access to the services that can be accessed through
the authenticator's port. An authentication server,
which can either be a separate entity or co-located
with the authenticator, checks the supplicant's credentials
on behalf of the authenticator. The authentication
server then responds to the authenticator, indicating
whether the supplicant is authorized to access the
authenticator's services.
The authenticator's port-based network access control
defines two logical access points to the LAN, through
one physical LAN port. The first logical access point,
the uncontrolled port, allows data exchange between
the authenticator and other computers on the LAN,
regardless of the computer's authorization state.
The second logical access point, the controlled port,
allows data exchange between an authenticated LAN
user and the authenticator.
IEEE 802.1x uses standard security protocols, such
as RADIUS, to provide centralized user identification,
authentication, dynamic key management, and accounting.
For an example of wireless access using the Internet Authentication Service (IAS) as a RADIUS server, see Wireless access example.
If you want to configure IAS for wireless access, see Checklist: Configuring IAS for wireless access.
If you want to configure IAS as a RADIUS server in a wireless environment, see Checklist: Wireless access.
To set up 802.1x authentication
Open Network Connections
Right-click the connection for which you want to enable
or disable IEEE 802.1x authentication, and then click
Properties.
On the Authentication tab, do one of the following:
To enable IEEE 802.1x authentication for this connection,
select the Network access control using IEEE 802.1X
check box. This check box is selected by default.
To disable IEEE 802.1x authentication for this connection,
clear the Network access control using IEEE 802.1X
check box.
In EAP type, click the Extensible Authentication Protocol
type to be used with this connection.
If you select Smart Card or other Certificate in EAP
type, you can configure additional properties if you
click Properties and, in Smart Card or other Certificate
Properties, do the following:
To use the certificate that resides on your smart
card for authentication, click Use my smart card.
To use the certificate that resides in the certificate
store on your computer for authentication, click Use
a certificate on this computer.
To verify that the server certificate presented to
your computer is still valid, select the Validate
server certificate check box, specify whether to connect
only if the server resides within a particular domain,
and then specify the trusted root certification authority.
To use a different user name when the user name in
the smart card or certificate is not the same as the
user name in the domain to which you are logging on,
select the Use a different user name for the connection
check box.
To specify whether the computer should attempt authentication
to the network if a user is not logged on and/or if
the computer or user information is not available,
do the following:
To specify that the computer attempt authentication
to the network if a user is not logged on, select
the Authenticate as computer when computer information
is available check box.
To specify that the computer attempt authentication
to the network if user information or computer information
is not available, select the Authenticate as guest
when user or computer information is unavailable check
box. This check box is selected by default.