Que.MCSA.MCSE.10070.100270.Exam.Prep.2.Windows.XP.Professional [Electronic resources] نسخه متنی

Apply Your Knowledge

When you take the 70-270 exam, you are expected to understand how to enable and configure a computer to use EFS, know how to apply local security policies, understand how local security policies will function in a domain environment, and know how to configure Internet Explorer's security settings. You should not only be able to manage the security in Windows XP Professional, you should also be able to troubleshoot problems with it.

The following exercise will help you master security concepts and management by establishing a password policy. A small network consisting of an Active Directory domain controller, a Windows XP Professional client, and an Internet connection are all you need to test the security settings discussed in this chapter and extend your capabilities.

Exercises

12.1 Establishing a Password Policy

Estimated Time: 15 minutes.

John Brown was so pleased with the results of the EFS implementation described in the Challenge exercise that he has called you for additional security configuration. John had read an article that stated that most users create passwords that are easy to guess, and in doing a short survey of five people, he discovered that two of them used their user ID as their password. One had used the same password on the computer for nearly two years, and when prompted to change the password, that user would change it right back to the old password. One had no password at all. And the last person logs on to the computer with another user's ID and password because he forgot his own. In addition, one user says that he is looking forward to having a system where he is sure someone else hasn't been using his ID and password because he caught the soda machine vendor trying to guess his password on one of the shared computers one day because the vendor wanted to check his personal Internet email before going to his next appointment. John is absolutely certain that without a solid password policy, the data on his network will not be secure.

1. What other security policy should you propose that John Brown implements at Brown Taxes?

2. Click Start, Control Panel, Performance and Maintenance, Administrative Tools and then open Local Security Policy. If Brown Taxes upgraded its server to an Active Directory domain controller, where would you implement password policies? If using a domain, should you still implement Local Security Policies?

3. You navigate to Password Policies and you change the Maximum Password Age to 30 days, the Minimum Password Length to 8, and Enforce Password History to 4. Which other two policies should you configure?

4. You then navigate to Account Lockout Policy. Which policy do you configure first? What happens right after you configure it?

Review Questions

1.What must happen before a user can share an encrypted file?

2.What happens when a user encrypts a file and then tries to access the file directly, using a Windows application such as Word?

3.Which Local Security Policy allows you to protect a computer by preventing users from running executables from an Internet zone?

4.Brad creates a path rule in Software Restrictions to prevent users from running the \\server\share\myfile.exe program. Karen creates a hash rule in Software Restrictions using the same file. Which rule is more easily broken?

5.How can you make certain that you have full access to the web resources shared through IIS in your workgroup but be secured from outside websites?

Exam Questions

1.You are the network administrator for Bones, LLC, a retail pet store conglomerate. The company has grown quickly and you find yourself deploying networks in warehouse-like stores around the country. Company policy requires that every workstation is secured with local policy settings as well as group policies. Your manager has developed a security file called BoneSec.inf. He has asked you to apply the settings in the file to all the new workstations at your next location rather than personally configure each one to see whether it will save time. You import the file into a database named \\server\share\bonesec.sdb. Which of the following can you use to apply the settings? (Choose two.)

Open the Security Configuration and Analysis MMC. Right-click and select Configure the Computer Now.

Open the Security Configuration and Analysis MMC. Right-click and select Analyze Computer Now.

Open the Security Configuration and Analysis MMC. Right-click and select Open Database.

Run the copy \\server\share\bonesec.inf c:\windows\security\templates command.

Run the copy \\server\share\bonesec.sdb c:\windows\security\templates command.

Run the secedit /configure /db \\server\share\bonesec.sdb command.

Run the secedit /refresh /db \\server\share\bonesec.sdb command.

Run the secedit /configure /inf path\bonesec.inf command.

2.You are the administrator for Grapevines Magazine, a small company of 10 administrative users and 4 reporters. All the network computers run Windows XP Professional as members of a workgroup. One user has purchased a used re-writeable optical disk from an Internet auction site as a money-saving measure. The user already has an appropriate drive, but when the user inserts the media into the drive, the user cannot save data to it. You go to the user's desk, insert the optical disk into the drive, and try to copy a file to it. Windows XP displays a prompt to reformat the disk. You see an Access Denied message when you attempt to format the disk. Which local security setting must be enabled for the user to be able to use the optical disk?

Enable the Unrestricted policy under Security Levels for Software Restrictions.

Enable the Devices: Allowed to Format and Eject Removable Media policy under Security Options in Local Policies.

Enable the Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders policy under Security Options in Local Policies.

Add the user to the Perform Volume Maintenance Tasks policy in User Rights Assignment in the Local Policies.

3.You are a help desk administrator for Blastoff. Your company has recently deployed Windows XP Professional throughout the network as upgrades to Windows 98SE. The accounting department has deployed a new custom application. The application stores private information in a file called Info.ini at the root of the C: drive. This is a plaintext file. The Accounting manager calls up as soon as he discovers this privacy flaw in the application and asks what he can do to secure the data. What do you tell him to do? (Choose all that apply.)

Run the convert c: /fs:ntfs command.

Run the convert c: /fs:fat32 command.

Run the secedit /configure /db info.ini command.

Run the secedit /e /a C:\info.ini command.

Run the cipher /e /a c:\info.ini command.

Run the cipher /d /a c:\info.ini command.

4.You are a desktop administrator for your company. The marketing department uses portable computers with Windows XP Professional installed on them. Users connect to web folders on the intranet, as well as on the Internet, and to resources supplied by a vendor on the vendor's extranet. Recently, a group policy was created that strengthened security settings applicable to Internet websites. Corporate policy prevents you from changing these settings. However, all the users in the marketing department have reported that they can no longer use the vendor's application and that it is impacting their sales process. What can you do to fix this problem?

You can apply a local security setting because it overrides group policies.

You can configure exceptions, even though it violates company policy.

You can add the vendor's website to the Trusted sites zone.

You can ask the vendor to copy the web application to your intranet server.

5.You are a desktop administrator for your company, which consists of 200 users and computers in three sites. Each site is configured with its own Active Directory domain. You have created a security template file for each type of computer on the network. Most computers are running Windows XP Professional, although you have one group that has not yet upgraded from Windows NT 4.0. This group executes a legacy application on their computers that provides for reversible encryption of passwords. The company has determined that only two of the users need to run the application; the others can simply use a different application to view reports. One other computer on the network has a security configuration that will work with reversible encryption of passwords. Which of the following computer's security templates do you select?

The domain controller at Site 1

The print server at Site 2

The remote access Server at Site 1

The enterprise CA at Site 3

6.You are the web administrator for your company, in which all users run Windows XP Professional on desktop computers. You have a secure intranet website at myintranet.com, plus you run an Internet website at myinternet.com. One user calls you to report that she cannot access the myintranet.com website. Whenever she types the URL into Internet Explorer, she receives an error that says the certificate is not trusted. She has no problem accessing the myinternet.com website. Which of the following can you do to fix this problem without compromising security?

Copy the intranet website to myinternet.com.

Restart IIS.

Enable the routers to allow TCP port 443 traffic used for SSL to pass through both incoming and outgoing.

In Internet Explorer, move the myintranet.com website to the Internet zone.

In Internet Explorer, open Internet Options and click the Content tab. Click Certificates. Import a copy of the certificate from myintranet.com into Trusted Publishers.

7.You are the web administrator for your company and all users are running Windows XP Professional on their computers. You have a group of researchers who want to use IIS to share scripted data with each other. They each implement IIS on their computers, create a website, and configure the data. However, when they try to access any other computer's intranet site, they are denied access for downloading the scripts. Each person can access the data on his or her own drive using Internet Explorer and a UNC share name. None can use DNS names or IP addresses. What can you do to configure the computers to function?

Edit the Account Lockout policies.

Edit the Security Options policies.

Execute a cipher command on each website.

Import each computer's certificate into the other computers' Internet Options.

Add the website addresses used to the Local Intranet zone.

8.You have a Windows XP Professional laptop computer on which you store large amounts of research data for your company in a single folder on the local hard disk. You have been given a new corporate policy that requires you to encrypt the data on your hard disk. The memo listing the policy states that encrypted files must also be shared with each person's manager and states that everyone in the company will be implementing EFS. You want to be able to compress the data on the drive as well as encrypt it. What should you do? (Choose three.)

In the Advanced Attributes dialog box, select the Compress Contents to Save Disk Space check box.

Purchase a compression software program from a third party.

In the Advanced Attributes dialog box, select the Encrypt Contents to Secure Data check box.

Purchase an encryption software package.

After encrypting the folder, open the Advanced Attributes dialog box and click Details. Add your manager's certificate to the folder.

9.You have been hired by Widget Midgets to deploy Windows XP Professional throughout its network, which consists of Windows NT 4.0 primary domain controllers, backup domain controllers, several Windows 2000 member servers, and client computers of Windows 98 and Windows NT 4.0. You have upgraded a pilot group of computers. Sally, one of the pilot users, is the also the manager of her group. She is concerned about file security on the hard disks of her group's computers. She asks you about encrypting the contents of various folders on the computers. You explain about Windows XP's Encrypting File System. Sally calls you later and tells you that she has opened the Advanced Attributes dialog for a folder on her computer, but that the Encrypt the Contents of This Folder option is not available. What should you do?

Tell Sally to open the Certificates console and request a certificate, using the Basic EFS template.

Tell Sally to use the cipher /e /a path command at the command prompt.

Tell Sally to decompress the contents of the folder before attempting to encrypt it.

Tell Sally to use the convert c: /fs:ntfs command at the command prompt.

10.You are an enterprise administrator for SecureSystems, a company that stores removable media archives for other large companies in a secure, controlled environment. SecureSystems is deploying a new live file archival system that uses Encrypting File System on NTFS shared folders. They want to allow their client companies' administrators to transmit data for storage to specific shared folders where the client has sole access over VPN links. They want to ensure that only the network administrators of their respective client companies will be able to store and retrieve data from the shared folders. Which of the following actions should you take? (Choose three.)

Configure a CA server that grants individual certificates to each client's network administrator.

Configure a separate data recovery agent for each client that represents an individual at each client company.

Configure EFS to use self-signed certificates.

Configure yourself as a data recovery agent so that you can help any company retrieve private data.

Train each client company administrator to run the cipher command on his respective data directory.

Log on to the share root of the server sharing the archival file system and execute the cipher command.