MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure [Electronic resources]: Exam 70-293 Study Guide

1.

You have instituted new security policies for the IT department. One important rule is to never log on as Administrator unless it is absolutely necessary. To enhance security, you want everyone to use their regular user accounts for everyday tasks so you can maintain security as much as possible. A junior administrator comes to you and says he does not wish to log on to the server with an administrative account, but he needs to use a program that requires administrative privileges. What can he do?

If running the program requires administrative privileges, he cannot run it unless he logs off and logs back on as Administrator.

He can open the Computer Management console and use the Set password option.

He can right-click the program he wants to run, select Properties, click the Advanced button, and configure the program to run without administrative privileges.

He can right-click the program, choose the Run as command, and enter the Administrator account name and password.

2.

You have been hired as the network administrator for a small law firm. The first thing you want to do when you take over the job is increase the security on the network. You evaluate the current security level and find it lacking. You decide that you need to secure account passwords using strong encryption on domain controllers. Which utility should you use?

System Key Utility

Secedit

MBSA

SUS

3.

You have recently hired a new junior administrator to assist you in running the network for a medium-sized manufacturing company. You are explaining to your new assistant that AD objects are assigned security descriptors to allow you to implement access control. You tell your assistant that the security descriptor contains several different components. Which of the following are contained in the security descriptor for an object? (Select all that apply.)

Discretionary access control list

System access control list

Dynamic access control list

Ownership information

4.

You are attempting to troubleshoot some problems with access that you think can be traced back to membership in multiple groups. You want to ensure that all administrative accounts are able to perform the tasks they need to accomplish, but you want to remove the built-in accounts from all groups to which they’ve been added by another administrator, and give them only the access they had by default. You are a little confused because you know that the built-in accounts already belong to some groups at installation, and you don’t want to remove them from groups they are supposed to belong to. To which groups does the Domain Administrator account belong in Windows Server 2003 by default? (Select all that apply.)

Schema Admins

Enterprise Admins

Group Policy Creator Owners

Backup Operators

5.

You want to allow wireless clients the ability to change their passwords after they authenticate on the network. Which method of authentication should you implement for these clients?

EAP-TLS

EAP

PEAP

EAP-MS-CHAP v2

6.

You are implementing a new wireless network and need to change the default settings for the equipment on the WLAN. What information should you change? (Select all that apply.)

SSID password

SSID network name

Domain Administrator password

Domain Administrator account should be renamed

7.

You have a number of users who need to be able to roam through the building with their laptop computers and still stay connected to the network. Because of the nature of their work, it is important that they have relatively fast access for transferring a lot of very large data files over the network. You need to implement a wireless network that can connect devices up to 54 Mbps and a minimum of 24 Mbps. Which IEEE standard should you choose?

802.15

802.11a

802.11b

802.1x

8.

You have hired a consultant to help set up wireless access points on your network. He tells you that you should turn on WEP for the wireless network to help protect it from intruders. You tell him that you have heard that WEP has many flaws and you think additional security measures should be implemented. He assures you that WEP works fine. What do you tell him are some of the problems with WEP?

WEP does not use encryption.

WEP uses a short (24 bit) initialization vector (IV).

WEP can use only a 40-bit key.

WEP uses a public key algorithm.

9.

Your junior administrator wants to change the name of a user account, but he is worried that if he does so, the user will have problems accessing resources that she had previously been given permissions for. The administrator doesn’t want to need to re-create all the group memberships for the newly named account. You tell him there is no need to worry; he can go ahead and change the name, and all the account properties will remain intact. What enables an account to retain its password, profile, group membership, user rights, and membership information?

Group membership of the account

Domain the account belongs as a member

Password encryption method

Security identifier (SID)

10.

You suspect that one of your users has been trying to access data in a folder to which he is not supposed to have permission. You are trying to set auditing on this folder so you can see if there are any failed events in the log indicating that the user did try to open the folder. You enable object auditing in the domain’s Group Policy Object. However, when you go to add this user to be audited for access to the folder, you find that the folder’s property pages do not contain a Security tab. What could be the problem?

Auditing is not set via the Security tab for folders because they don’t have such a tab.

You cannot audit folder access for a particular user.

The folder is not on an NTFS partition.

You must share the folder before you can audit it.

11.

You need to configure Kerberos policies because you want to force user logon restrictions. You go to the computer of the user on whom you want to enforce these policies and access the Local Security Policy. However, in the GPO Editor, you cannot find Kerberos policies in the Security Settings node under Computer Configuration, under Windows Settings. What is the problem?

You are looking in the wrong section; Kerberos policies are located in the User Configuration node.

You cannot set Kerberos policies through the Local Security Policy console.

You must first raise the domain functional level before Kerberos can be used and this option will appear in the GPO.

Another administrator has deleted the Kerberos policies node from the GPO.

12.

You have been analyzing all of your security configuration information as part of a new project that requires you to provide a detailed report on your network’s security to management. Toward that end, you need to evaluate the security database test.sdb at the command prompt. What command can you use to do this?

secedit /validate test.sdb

secedit /analyze test.sdb

secedit /configure test.sdb

secedit /export test.sdb

13.

You want to set up auditing on several folders that contain important and sensitive information. There are other folders within the specified folders that contain less sensitive information, so you don’t want to audit them, because you want to put as little overhead burden on the network as you can. What happens to subfolders and files within a parent folder if auditing has been enabled?

Subfolders only are audited

Files only are audited; special access must be turned on for the folders to be audited

Subfolders and files are audited

No auditing is performed

14.

A parent folder has auditing enabled. Two folders, Applications and Phone Listings, are listed under this parent folder. You need to have the Phone Listings folder audited but not the Applications folder. How can this be accomplished?

It cannot; all subfolders are audited when the parent folder has auditing enabled.

Right-click the Applications folder, and click the Properties tab, select the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Include these with entries explicitly defined here.

Right-click the Phone Listings folder, click the Properties tab, select the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Audit entries defined here.

Right-click the Phone Listings folder, click the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Include these with entries explicitly defined here option.

15.

You need to install the Microsoft Software Update Services (SUS) within your domain to update security information on client computers. What are the minimum requirements that you should use for hardware for the server?

Pentium III, 256MB RAM, NTFS with a minimum of 50MB for the installation folder and 6GB for SUS updates and Active Directory installed

Pentium III, 512MB RAM, NTFS with a minimum of 100MB for the installation folder and 6GB for SUS updates without Active Directory installed

Pentium III, 256MB RAM, NTFS with a minimum of 25MB for the installation folder and 6GB for SUS updates without Active Directory installed

Pentium III, 512MB RAM, NTFS with a minimum of 50MB for the installation folder and 5GB for SUS updates and Active Directory installed