Karissa Horgeshimer
 
 

Braindumps of 70-299
Implementing and Administering Security in a
Microsoft Windows Server 2003 Network

Exam Questions, Answers, Braindumps (70-299)

Completed my paper. It was because of www.exams.ws. All the questions in the exam are from their study guide.
Good luck to you too.
I have managed some questions.

QUESTION NO: 1
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Several client computers are configured as kiosk computers that visitors and employees use. The kiosk computers are managed by using GPOs. The GPOs enforce a secure configuration. Multiple users log on to these computers every day. You review the results of a security audit. You discover that when some users log on, the secure configuration is removed. You need to ensure that the secure configuration is enforced at all times. What should you do?
A. Apply the Securews.inf security template to the kiosk computers.
B. Configure the default user profile on kiosk computers as a mandatory user profile.
C. Edit the GPO that manages kiosk computers. Disable the Secondary Logon service.
D. Edit the GPO that manages kiosk computers. Enable loopback processing.
Answer: D
QUESTION NO: 2
DRAG DROP
You are a security administrator for Abc.com. The network consists of a single Active Directory forest named abc.com. All servers run either Windows Server 2003 or Windows 2000 Server. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional. Abc.com uses a Microsoft Exchange Server 2003 computer. Users on the internal network connect to Exchange Server 2003 by using Microsoft Outlook. Abc.com currently does not allow users to exchange e-mail with customers via the Internet. To improve communication with customers, management decides to allow e-mail communication via the Internet. Your company updates its written security policy with the following requirements regarding the placement of Exchange Server 2003 computers:
1. Customers on the Internet must not be able to connect directly to any computer on the internal network.
2. The number of ports and protocols that are allowed to pass through firewall devices must be minimized.
You need to place computers to meet the company's written security policy.

Answer:
Explanation:

QUESTION NO: 3
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Terminal Services is running on four Windows Server 2003 computers. Members of a group named Remote Application need to access applications by using Terminal Services. You assigned the Remote Application group the appropriate NTFS permissions for the application folder and the appropriate RDP-Tcp connection permissions on the terminal servers. Currently no users have the right to connect to the terminal servers. You need to assign users in the Remote Application group the minimum rights necessary to access the applications. What should you do to configure the terminal servers?
A. Apply a security template that assigns the Access this computer from the network right to the Remote Application group.
B. Apply a security template that assigns the Allow log on locally right to the Remote Application group.
C. Apply a security template that assigns the Log on as a service right to the Remote Application group.
D. Apply a security template that assigns the Allow log on through Terminal Services right to the Remote Application group.
Answer: D
Explanation:
Allow log on through Terminal Services
Description
This security setting determines which users or groups have permission to log on as a Terminal Services client.
Default:
On workstation and servers: Administrators, Remote Desktop Users.
On domain controllers: Administrators.
Configuring this security setting
You can configure this security setting by opening the appropriate policy and expanding the console tree as such:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
For specific instructions about how to configure security policy settings, see To edit a security setting on a Group Policy object.
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
For more information, see:
Deny logon through Terminal Services
User rights assignment
To assign user rights for your local computer
Security Configuration Manager Tools
Accessing Terminal Services Using New User Rights Options
SUMMARY
This article describes new options that you can use to assign user rights in Windows that affect the Terminal Services feature.
MORE INFORMATION
You can use these options to change the set of permissions a user must have to establish a Terminal Services session.
To grant a user these permissions, start the Group Policy snap-in, open the Local Security Policy or the appropriate Group Policy, and then navigate to the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
To grant a user these permissions, start either the Active Directory Users and Computers snap-in or the Local Users and Groups snap-in, open the user's properties, click the Terminal Services Profile tab, and then click to select the Allow logon to Terminal Server check box.
To grant guests Logon rights to the RDP-TCP connection, start the Terminal Services Configuration snap-in, edit the RDP-TCP so that the guest has at least Logon rights.
The pivotal difference between Windows 2000 and Windows Server 2003 is the "Allow logon through Terminal Services" user right. When you grant this user right, you no longer have to grant the user the Log on locally right (this was a requirement in Windows 2000). In Windows Server 2003, it is possible for a user to establish a Terminal Services session to a particular server, but not be able to log on to the console of that same server.
QUESTION NO: 4
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. The abc.com domain contains Windows Server 2003 computers and Windows XP Professional client computers. All computers are members of the domain. A Windows Server 2003 computer named Abc3 runs Certificate Services. Abc3 is an enterprise subordinate certification authority (CA). A Windows Server 2003 computer named Abc2 runs IIS. Abc2 hosts an internal human resources web site for employees. You want to ensure that the personal data of the employees is not exposed while in transit over the network. You decide to use SSL on Abc2. You need to ensure that employees do not receive a certificate-related security alert when they use SSL to connect to this Web site. You want to achieve this goal without spending money to purchase this certificate unless it is necessary to do so. What should you do?
A.Use IIS to submit a certificate request to a commercial CA.
B.Use IIS to submit a certificate request to Abc3.
C.Use the Certificates console to submit a Client certificate request to a commercial CA.
D.Use the Certificates console to submit a Client certificate request to Abc3.
Answer: B
Explanation:
Using Client Certificate Authentication with IIS 6.0 Web Sites
Request a User Certificate from the Web Enrollment Site
The client computer must present a user certificate to the Web server before the Web server will accept the user's credentials. Users can log on to the Web enrollment site and request a user certificate. The user does not need to be an administrator in the domain or on the Certificate Server computer. The user only needs to have legitimate user credentials that the enterprise CA recognizes.
Perform the following steps on the client computer to obtain the user certificate:
1. On the Web client computer, open Internet Explorer and enter http://10.0.0.2/certsrv in the address bar, where 10.0.0.2 is the IP address of the Certificate Server. Press ENTER.
2. In the log on dialog box, enter the credentials of a non-administrator user. This will demonstrate that a non-admin can obtain a user certificate. Click OK.
3. On the Welcome page of the Web enrollment site, click the Request a certificate link.
4. On the Request a Certificate page, click the User Certificate link.
5. On the User Certificate - Identifying Information page, click Submit.
6. Click Yes on the Potential Scripting Violation dialog box informing you that the Web site is requesting a certificate on your behalf.
7. On the Certificate Issued page, click the Install this certificate link.
8. Click Yes on the Potential Scripting Violation page informing you that the Web site is adding a certificate to the machine.
9. Close Internet Explorer after you see the Certificate Installed page.
Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0
The Certificate Wizard that comes with Internet Information Services (IIS) 5.0 makes managing server certificates easier than ever before. This article describes how to create a certificate request file using the wizard. The first step you will...
QUESTION NO: 5
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. All servers run Windows Server 2003. All servers are in an OU named Servers, or in OUs contained within the Servers OU. Based on information in recent security bulletins, you want to apply settings from a security template named Messenger.info to all servers on which the Messenger service is started. You do not want to apply these settings to servers on which the Messenger service is not started. You also do not want to move servers to other OUs. You need to apply the Messenger.inf security template to the appropriate servers. What should you do?
A. Import the Messenger.info security template into a GPO, and link the GPO to the Servers OU. Configure Administrative Templates filtering in the GPO.
B. Import the Messenger.info security template into a GPO, and link the GPO to the Servers OU. Configure a Windows Management Instrumentation (WMI) filter for the GPO.
C. Configure a logon script in a GPO, and link the GPO to the Servers OU. Configure the script to run the gpupdate command if the Messenger service is running.
D. Edit the Messenger.info security template to set the Messenger service startup mode to Automatic, and then run the secedit /refreshpolicy command.
Answer: B.
QUESTION NO: 6
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Eight Windows 2003 computers are members of the domain. These computers are used to store confidential files. They reside in a data center that only IT administration personnel have physical access to. You need to restrict members of a group named Contractors from connecting to the file server computers. All other employees require access to these computers. What should you do?
A. Apply a security template to the file server computers that assigns the Access this computer from the network right to the Domain Users group.
B. Apply a security template to the file server computers that assigns the Deny access to this computer from the network right to the Contractors group.
C. Apply a security template to the file server computers that assigns the Allow log on locally right to the Domain Users group.
D. Apply a security template to the file server computers that assigns the Deny log on locally right to the Contractors group.
Answer: B
Explanation:
Deny access to this computer from the network
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Description
Determines which users are prevented from accessing a computer over the network.
QUESTION NO: 7
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. The abc.com domain contains Windows Server 2003 computers and Windows XP Professional client computers. All computers are members of the domain. The employee user accounts in the Abc.com company are members of the Administrators local group on client computers. You occasionally experience problems managing client computers because an employee removes the Domain Admins global group from the Administrators local group on the computer. You need to prevent employees from removing the Domain Admins global group from the Administrators local group on client computers. What should you do?
A.Apply a security template to the client computers that establishes the Domain Admins global group as a member of the Administrators local group by using the Restricted Groups policy.
B.Apply a security template to the domain controller computers that establishes the Domain Admins global group as a member of the Administrators domain local group by using the Restricted Groups policy.
C. Modify the Domain Admins global group by assigning the Allow - Full Control permission to the Domain Admins global group.
D. Modify the Domain Admins global group by assigning the Deny - Full Control permission to the Domain Admins global group.
Answer: A
Explanation:
Description of Group Policy Restricted Groups
This article was previously published under Q279301
SUMMARY: This article provides a description of Group Policy Restricted groups.
Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:
Members
Member Of
The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list specifies which other groups the restricted group should belong to.
Using the "Members" Restricted Group Portion of Policy
When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed with the exception of administrator in the Administrators group. Any user on the "Members" list which is not currently a member of the restricted group is added.
Using the "Member Of" Restricted Group Portion of Policy
Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.
QUESTION NO: 8
You are a security administrator for Abc.com. The network consists of two Active Directory domains. These domains each belong to separate Active Directory forests. The domain abc.com is used primarily to support company employees. The domain named bar.biz is used to support company customers. The functional level of all domains is Windows Server 2003 interim mode. A one-way external trust relationship exists in which the abc.com domain trusts the bar.biz domain. A Windows Server 2003 computer named Abc3 is a member of the bar.biz domain. Abc3 provides customers access to a Microsoft SQL Server 2000 database. The user accounts used by customers reside in the local account database on Abc3. All of the customer user accounts belong to a local computer group named Customers. SQL Server is configured to use Windows Integrated authentication. Abc.com has additional SQL Server 2000 databases that reside on three Windows Server 2003 computers. These computers are members of the abc.com domain. Abc's written security policy states that customer user accounts must reside on computers in the bar.biz domain. You need to plan a strategy for providing customers with access to the additional databases. You want to achieve this goal by using the minimal amount of administrative effort. What should you do?
A. Create a new user account in the bar.biz Active Directory domain for each customer. Create a universal group in the bar.biz domain. Add the new customer domain user accounts as members of the new universal group. Assign this group permissions to access the databases.
B. Create a new user account in the bar.biz Active Directory domain for each customer. Create a global group in the bar.biz domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
C.Create a new user account in the abc.com Active Directory domain for each customer. Create a global group in the abc.com domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
D.Create a new user account in the abc.com Active Directory domain for each customer. Create a global group in the abc.com domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
Answer: B
QUESTION NO: 9
You are a security administrator for Abc. The network consists of two Active Directory forests named abc.com and public.abc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network consists of an IEEE 802.11b wireless LAN (WLAN). Employees and external users use the WLAN. User accounts for employees are located in the abc.com forest. User accounts for external users are located in the public.abc.com forest. External users' computers do not have computer accounts in the public.abc.com forest. To increa