Karissa Horgeshimer
 
 

Braindumps of 70-299
Implementing and Administering Security in a
Microsoft Windows Server 2003 Network

Exam Questions, Answers, Braindumps (70-299)

Completed my paper. It was because of www.exams.ws. All the questions in the exam are from their study guide.
Good luck to you too.
I have managed some questions.

QUESTION NO: 1
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Several client computers are configured as kiosk computers that visitors and employees use. The kiosk computers are managed by using GPOs. The GPOs enforce a secure configuration. Multiple users log on to these computers every day. You review the results of a security audit. You discover that when some users log on the secure configuration is removed. You need to ensure that the secure configuration is enforced at all times. What should you do?
A. Apply the Securews.inf security template to the kiosk computers.
B. Configure the default user profile on kiosk computers as a mandatory user profile.
C. Edit the GPO that manages kiosk computers. Disable the Secondary Logon service.
D. Edit the GPO that manages kiosk computers. Enable loopback processing.
Answer: D
QUESTION NO: 2
DRAG DROP
You are a security administrator for Abc.com. The network consists of a single Active Directory forest named abc.com. All servers run either Windows Server 2003 or Windows 2000 Server. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional. Abc.com uses a Microsoft Exchange Server 2003 computer. Users on the internal network connect to Exchange Server 2003 by using Microsoft Outlook. Abc.com currently does not allow users to exchange e-mail with customers via the Internet. To improve communication with customers, management decides to allow e-mail communication via the Internet. Your company updates its written security policy with the following requirements regarding the placement of Exchange Server 2003 computers:
1. Customers on the Internet must not be able to connect directly to any computer on the internal network.
2. The number of ports and protocols that are allowed to pass through firewall devices must be minimized.
You need to place computers to meet the company's written security policy.

Answer:
Explanation:

QUESTION NO: 3
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Terminal Services is running on four Windows Server 2003 computers. Members of a group named Remote Application need to access applications by using Terminal Services. You assigned the Remote Application group the appropriate NTFS permissions for the application folder and the appropriate RDP-Tcp connection permissions on the terminal servers. Currently no users have the right to connect to the terminal servers. You need to assign users in the Remote Application group the minimum rights necessary to access the applications. What should you do to configure the terminal servers?
A. Apply a security template that assigns the Access this computer from the network right to the Remote Application group.
B. Apply a security template that assigns the Allow log on locally right to the Remote Application group.
C. Apply a security template that assigns the Log on as a service right to the Remote Application group.
D. Apply a security template that assigns the Allow log on through Terminal Services right to the Remote Application group.
Answer: D
Explanation:
Allow log on through Terminal Services
Description
This security setting determines which users or groups have permission to log on as a Terminal Services client.
Default:
On workstations and servers: Administrators, Remote Desktop Users.
On domain controllers: Administrators.
Configuring this security setting
You can configure this security setting by opening the appropriate policy and expanding the console tree as such:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
For specific instructions about how to configure security policy settings, see To edit a security setting on a Group Policy object.
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
For more information, see:
Deny logon through Terminal Services
User rights assignment
To assign user rights for your local computer
Security Configuration Manager Tools
Accessing Terminal Services Using New User Rights Options
SUMMARY
This article describes new options that you can use to assign user rights in Windows that affect the Terminal Services feature.
MORE INFORMATION
You can use these options to change the set of permissions a user must have to establish a Terminal Services session.
To grant a user these permissions, start the Group Policy snap-in, open the Local Security Policy or the appropriate Group Policy, and then navigate to the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
To grant a user these permissions, start either the Active Directory Users and Computers snap-in or the Local Users and Groups snap-in, open the user's properties, click the Terminal Services Profile tab, and then click to select the Allow logon to Terminal Server check box.
To grant guests Logon rights to the RDP-TCP connection, start the Terminal Services Configuration snap-in, edit the RDP-TCP so that the guest has at least Logon rights.
The pivotal difference between Windows 2000 and Windows Server 2003 is the "Allow logon through Terminal Services" user right. When you grant this user right, you no longer have to grant the user the Log on locally right (this was a requirement in Windows 2000). In Windows Server 2003, it is possible for a user to establish a Terminal Services session to a particular server, but not be able to log on to the console of that same server.
QUESTION NO: 4
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. The abc.com domain contains Windows Server 2003 computers and Windows XP Professional client computers. All computers are members of the domain. A Windows Server 2003 computer named Abc3 runs Certificate Services. Abc3 is an enterprise subordinate certification authority (CA). A Windows Server 2003 computer named Abc2 runs IIS. Abc2 hosts an internal human resources web site for employees. You want to ensure that the personal data of the employees is not exposed while in transit over the network. You decide to use SSL on Abc2. You need to ensure that employees do not receive a certificate-related security alert when they use SSL to connect to this Web site. You want to achieve this goal without spending money to purchase this certificate unless it is necessary to do so. What should you do?
A.Use IIS to submit a certificate request to a commercial CA.
B.Use IIS to submit a certificate request to Abc3.
C.Use the Certificates console to submit a Client certificate request to a commercial CA.
D.Use the Certificates console to submit a Client certificate request to Abc3.
Answer: B
Explanation:
Using Client Certificate Authentication with IIS 6.0 Web Sites
Request a User Certificate from the Web Enrollment Site
The client computer must present a user certificate to the Web server before the Web server will accept the user's credentials. Users can log on to the Web enrollment site and request a user certificate. The user does not need to be an administrator in the domain or on the Certificate Server computer. The user only needs to have legitimate user credentials that the enterprise CA recognizes.
Perform the following steps on the client computer to obtain the user certificate:
1. On the Web client computer, open Internet Explorer and enter http://10.0.0.2/certsrv in the address bar, where 10.0.0.2 is the IP address of the Certificate Server. Press ENTER.
2. In the log on dialog box, enter the credentials of a non-administrator user. This will demonstrate that a non-admin can obtain a user certificate. Click OK.
3. On the Welcome page of the Web enrollment site, click the Request a certificate link.
4. On the Request a Certificate page, click the User Certificate link.
5. On the User Certificate - Identifying Information page, click Submit.
6. Click Yes on the Potential Scripting Violation dialog box informing you that the Web site is requesting a certificate on your behalf.
7. On the Certificate Issued page, click the Install this certificate link.
8. Click Yes on the Potential Scripting Violation page informing you that the Web site is adding a certificate to the machine.
9. Close Internet Explorer after you see the Certificate Installed page.
Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0
The Certificate Wizard that comes with Internet Information Services (IIS) 5.0 makes managing server certificates easier than ever before. This article describes how to create a certificate request file using the wizard. The first step you will...
QUESTION NO: 5
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. All servers run Windows Server 2003. All servers are in an OU named Servers, or in OUs contained within the Servers OU. Based on information in recent security bulletins, you want to apply settings from a security template named Messenger.inf to all servers on which the Messenger service is started. You do not want to apply these settings to servers on which the Messenger service is not started. You also do not want to move servers to other OUs. You need to apply the Messenger.inf security template to the appropriate servers. What should you do?
A. Import the Messenger.inf security template into a GPO, and link the GPO to the Servers OU. Configure Administrative Templates filtering in the GPO.
B. Import the Messenger.inf security template into a GPO, and link the GPO to the Servers OU. Configure a Windows Management Instrumentation (WMI) filter for the GPO.
C. Configure a logon script in a GPO, and link the GPO to the Servers OU. Configure the script to run the gpupdate command if the Messenger service is running.
D. Edit the Messenger.inf security template to set the Messenger service startup mode to Automatic, and then run the secedit /refreshpolicy command.
Answer: B
QUESTION NO: 6
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Eight Windows 2003 computers are members of the domain. These computers are used to store confidential files. They reside in a data center that only IT administration personnel have physical access to. You need to restrict members of a group named Contractors from connecting to the file server computers. All other employees require access to these computers. What should you do?
A. Apply a security template to the file server computers that assigns the Access this computer from the network right to the Domain Users group.
B. Apply a security template to the file server computers that assigns the Deny access to this computer from the network right to the Contractors group.
C. Apply a security template to the file server computers that assigns the Allow log on locally right to the Domain Users group.
D. Apply a security template to the file server computers that assigns the Deny log on locally right to the Contractors group.
Answer: B
Explanation:
Deny access to this computer from the network
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Description
Determines which users are prevented from accessing a computer over the network.
QUESTION NO: 7
You are a security administrator for Abc.com. The network consists of a single Active Directory domain named abc.com. The abc.com domain contains Windows Server 2003 computers and Windows XP Professional client computers. All computers are members of the domain. The employee user accounts in the Abc.com company are members of the Administrators local group on client computers. You occasionally experience problems managing client computers because an employee removes the Domain Admins global group from the Administrators local group on the computer. You need to prevent employees from removing the Domain Admins global group from the Administrators local group on client computers. What should you do?
A. Apply a security template to the client computers that establishes the Domain Admins global group as a member of the Administrators local group by using the Restricted Groups policy.
B. Apply a security template to the domain controller computers that establishes the Domain Admins global group as a member of the Administrators domain local group by using the Restricted Groups policy.
C. Modify the Domain Admins global group by assigning the Allow - Full Control permission to the Domain Admins global group.
D. Modify the Domain Admins global group by assigning the Deny - Full Control permission to the Domain Admins global group.
Answer: A
Explanation:
Description of Group Policy Restricted Groups
This article was previously published under Q279301
SUMMARY: This article provides a description of Group Policy Restricted groups.
Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:
Members
Member Of
The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list specifies which other groups the restricted group should belong to.
Using the "Members" Restricted Group Portion of Policy
When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed with the exception of administrator in the Administrators group. Any user on the "Members" list which is not currently a member of the restricted group is added.
Using the "Member Of" Restricted Group Portion of Policy
Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.
QUESTION NO: 8
You are a security administrator for Abc.com. The network consists of two Active Directory domains. These domains each belong to separate Active Directory forests. The domain abc.com is used primarily to support company employees. The domain named bar.biz is used to support company customers. The functional level of all domains is Windows Server 2003 interim mode. A one-way external trust relationship exists in which the abc.com domain trusts the bar.biz domain. A Windows Server 2003 computer named Abc3 is a member of the bar.biz domain. Abc3 provides customers access to a Microsoft SQL Server 2000 database. The user accounts used by customers reside in the local account database on Abc3. All of the customer user accounts belong to a local computer group named Customers. SQL Server is configured to use Windows Integrated authentication. Abc.com has additional SQL Server 2000 databases that reside on three Windows Server 2003 computers. These computers are members of the abc.com domain. Abc's written security policy states that customer user accounts must reside on computers in the bar.biz domain. You need to plan a strategy for providing customers with access to the additional databases. You want to achieve this goal by using the minimal amount of administrative effort. What should you do?
A. Create a new user account in the bar.biz Active Directory domain for each customer. Create a universal group in the bar.biz domain. Add the new customer domain user accounts as members of the new universal group. Assign this group permissions to access the databases.
B. Create a new user account in the bar.biz Active Directory domain for each customer. Create a global group in the bar.biz domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
C. Create a new user account in the abc.com Active Directory domain for each customer. Create a global group in the abc.com domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
D. Create a new user account in the abc.com Active Directory domain for each customer. Create a global group in the abc.com domain. Add the new customer domain user accounts as members of the new global group. Assign this group permissions to access the databases.
Answer: B
QUESTION NO: 9
You are a security administrator for Abc. The network consists of two Active Directory forests named abc.com and public.abc.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network consists of an IEEE 802.11b wireless LAN (WLAN). Employees and external users use the WLAN. User accounts for employees are located in the abc.com forest. User accounts for external users are located in the public.abc.com forest. External users' computers do not have computer accounts in the public.abc.com forest. To increase security, you upgrade the network hardware to support IEEE 802.1x. You configure a public key infrastructure (PKI). You issue Client Authentication certificates to employees, to client computers used by employees, and to external users. You need to configure the WLAN to authenticate employees and external users. What should you do?
A. Configure each wireless access point to forward RADIUS requests to a server running Internet Authentication Service (IAS).
Configure the IAS server to use a connection request policy to forward the requests to the appropriate forest.
B. Configure each wireless access point to forward requests to an Internet Authentication Service (IAS) server in the abc.com forest.
Configure the IAS server in the abc.com forest to use the Tunnel-Server-Endpt attribute.
C. Use the Connection Manager Administration Kit (CMAK).
Configure one connection profile for external users.
Configure a second connection profile for employees.
D. Establish a forest trust relationship between the abc.com forest and the public.abc.com forest.
Answer: A
Explanation:
Connection request policies
Connection request policies are sets of conditions and profile settings that give network administrators flexibility in configuring how incoming authentication and accounting request messages are handled by the IAS server. With connection request policies, you can create a series of policies so that some RADIUS request messages sent from RADIUS clients are processed locally (IAS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (IAS is being used as a RADIUS proxy). This capability allows IAS to be deployed in many new RADIUS scenarios.
With connection request policies, you can use IAS as a RADIUS server or as a RADIUS proxy, based on the time of day and day of the week, by the realm name in the request, by the type of connection being requested, by the IP address of the RADIUS client, and so on.
It is important to remember that with connection request policies, a RADIUS request message is processed only if the settings of the incoming RADIUS request message match at least one of the connection request policies. For example, if the settings of an incoming RADIUS Access-Request message do not match at least one of the connection request policies, an Access-Reject message is sent.
For more information about how incoming RADIUS request messages from RADIUS clients are processed, see Processing a connection request.
Authentication
You can set the following authentication options that are used for RADIUS Access-Request messages:
Authenticate requests on this server.
Use a Windows NT 4.0 domain or the Active Directory directory service, or the local Security Account Manager properties for authorization. In this case, the IAS server is being used as a RADIUS server.
Forward requests to another RADIUS server in a remote RADIUS server group.
Forward the Access-Request message to another RADIUS server in a specified remote RADIUS server group. If the IAS server receives a valid Access-Accept message that corresponds to the Access-Request message, the connection attempt is considered authenticated and authorized. In this case, the IAS server is being used as a RADIUS proxy.
Accept the connection attempt without performing authentication or authorization.
Do not check authentication of the user credentials and authorization of the connection attempt. An Access-Accept message is immediately sent to the RADIUS client. This setting is used for some types of compulsory tunneling where the access client is tunneled before the user's credentials are authenticated. For more information, see IAS and tunnels.
This authentication option cannot be used when the access client's authentication protocol is MS-CHAP v2 or EAP-TLS, both of which provide mutual authentication. In mutual authentication, the access client proves that it is a valid access client to the authenticating server (the IAS server), and the authenticating server proves that it is a valid authenticating server to the access client. When this authentication option is used, the Access-Accept message is returned. However, the authenticating server does not provide validation to the access client and mutual authentication fails.
Authentication protocol: The protocol by which an entity on a network proves its identity to a remote entity. Typically, identity is proved with the use of a secret key, such as a password, or with a stronger key, such as the key on a smart card. Some authentication protocols also implement mechanisms to share keys between client and server to provide message integrity or privacy.
802.1x authentication
For enhanced security, you can enable IEEE 802.1x authentication. IEEE 802.1x authentication provides authenticated access to 802.11 wireless networks and to wired Ethernet networks. IEEE 802.1x minimizes wireless network security risks, such as unauthorized access to network resources and eavesdropping, by providing user and computer identification, centralized authentication, and dynamic key management. IEEE 802.1x supports Internet Authentication Service (IAS), which implements the Remote Authentication Dial-In User Service (RADIUS) protocol. Under this implementation, a wireless access point that is configured as a RADIUS client sends a connection request and accounting messages to a central RADIUS server. The central RADIUS server processes the request and grants or rejects the connection request. If the request is granted, the client is authenticated, and unique keys (from which the WEP key is derived) can be generated for that session, depending on the authentication method chosen. The support that IEEE 802.1x provides for Extensible Authentication Protocol (EAP) security types allows you to use authentication methods such as smart cards, certificates, and the Message Digest 5 (MD5) algorithm.
With IEEE 802.1x authentication, you can specify whether the computer attempts authentication to the network if the computer requires access to network resources whether a user is logged on or not. For example, data center operators who manage remotely administered servers can specify that the servers should attempt authentication to access the network resources. You can also specify whether the computer attempts authentication to the network if user or computer information is not available. For example, Internet service providers (ISPs) can use this authentication option to allow users access to free Internet services, or to Internet services that can be purchased. A corporation can grant visitors limited guest access, so that they can access the Internet, but not confidential network resources.
Understanding 802.1x authentication
IEEE 802.1x is a draft standard for port-based network access control, which provides authenticated network access to 802.11 wireless networks and to wired Ethernet networks. Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases where the authentication process fails.
During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.
The authenticator's port-based network access control defines two logical access points to the LAN, through one physical LAN port. The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state. The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator.
IEEE 802.1x uses standard security protocols, such as RADIUS, to provide centralized user identification, authentication, dynamic key management, and accounting.
For an example of wireless access using the Internet Authentication Service (IAS) as a RADIUS server, see Wireless access example.
If you want to configure IAS for wireless access, see Checklist: Configuring IAS for wireless access.
If you want to configure IAS as a RADIUS server in a wireless environment, see Checklist: Wireless access.
To set up 802.1x authentication
Open Network Connections
Right-click the connection for which you want to enable or disable IEEE 802.1x authentication, and then click Properties.
On the Authentication tab, do one of the following:
To enable IEEE 802.1x authentication for this connection, select the Network access control using IEEE 802.1X check box. This check box is selected by default.
To disable IEEE 802.1x authentication for this connection, clear the Network access control using IEEE 802.1X check box.
In EAP type, click the Extensible Authentication Protocol type to be used with this connection.
If you select Smart Card or other Certificate in EAP type, you can configure additional properties if you click Properties and, in Smart Card or other Certificate Properties, do the following:
To use the certificate that resides on your smart card for authentication, click Use my smart card.
To use the certificate that resides in the certificate store on your computer for authentication, click Use a certificate on this computer.
To verify that the server certificate presented to your computer is still valid, select the Validate server certificate check box, specify whether to connect only if the server resides within a particular domain, and then specify the trusted root certification authority.
To use a different user name when the user name in the smart card or certificate is not the same as the user name in the domain to which you are logging on, select the Use a different user name for the connection check box.
To specify whether the computer should attempt authentication to the network if a user is not logged on and/or if the computer or user information is not available, do the following:
To specify that the computer attempt authentication to the network if a user is not logged on, select the Authenticate as computer when computer information is available check box.
To specify that the computer attempt authentication to the network if user information or computer information is not available, select the Authenticate as guest when user or computer information is unavailable check box. This check box is selected by default.
