Windows Server 2003 Network Security Design Study Guide (Exam 70-298) [Electronic resources]

Brian Reisman, Mitch Ruebush

نسخه متنی -صفحه : 168/ 65

Review Questions

Which part of the security descriptor is used to grant or deny users and groups access to an object?

Discretionary access control list (DACL)

System access control list (SACL)

Access token

Security ID (SID)

Following best practices, put the following tasks in the order that they should be completed when designing a security group strategy.

	Place Accounts in Global groups.
	Assign Permissions to Domain Local groups.
	Nest your Global groups.
	Put the Universal group in the Domain Local group.
	Place Global groups in a Universal group.

Which of the following permissions are a part of the standard NTFS permissions? (Choose all that apply.)

Full Control

Modify

Read & Execute

Open

Change

What are the default permissions on a share when it is created?

Users Allow-Read

Everyone Deny-Full Control

Everyone Allow-Full Control

Users Allow-Full Control

Everyone Allow-Read

Which of the following Active Directory features can you use to minimize the number of individuals who are granted administrative permissions?

Impersonation

Delegation

Microsoft Baseline Security Analyzer (MBSA)

Group Policy

Many of the users in your organization use laptops that are running Windows XP Professional and take them out of the office. There is some confidential information that is stored on the laptops, and you need to make sure that if the laptops get lost or stolen, the data is not compromised. What should you do?

Enable the Encrypting File System (EFS) on the folder that the files are stored in.

Use NTFS to secure the folder that the files are stored in.

Configure IPSec to encrypt the data on the disk.

Configure SSL to encrypt the data on the disk.

You are administering a folder that all of the users in the Accountants groups use. The users need to be able to create, modify, and delete files in the AcctData folder. What permissions should you add to the ACL for the Accountants group when you grant them access to the AcctData folder? (Choose all that apply.)

Full Control

Modify

Read & Execute

List Folder Contents

Read

Write

Which of the following users can assign permissions on a file by default? (Choose all that apply.)

An administrator

The last user to modify the file

The Users group

The creator/owner of the file

You are a member of the security group name AcctGroup. The AcctGroup has been granted Full Control to the AcctData share. The AcctData share contains a folder, named MonthlyData, to which the AcctGroup has been assigned the Modify NTFS permission. When accessing files over the network, what permissions do you have? (Choose all that apply.)

Full Control

Modify

Read & Execute

List Folder Contents

Read

Write

10.

You are a member of the Administrators group and the Employees group. The Employees group has been granted the Change permission to the EmpData share. The EmpData share contains a folder, named VacationData, to which the Employee group has been assigned the Read and List Folder Contents NTFS permission. The Administrators group was removed from the ACL on the share. When accessing files over the network using the EmpData share, what permissions do you have? (Choose all that apply.)

Full Control

Modify

Read & Execute

List Folder Contents

Read

Write

Answers

A. The DACL is the part of the security descriptor that is used to grant or deny specific users and groups access to the object. The SACL is used to determine which events are to be audited for specific users or groups. An access token contains the information regarding a logged-on user. The Security ID (SID) is used to uniquely identify objects in Active Directory.

Place Accounts in Global groups.

Nest your Global groups.

Place Global groups in a Universal group.

Assign Permissions to Domain Local groups.

Put the Universal group in the Domain Local group.

Follow the AG(G)UDLP method, but the placement of the Universal group in the Domain Local group should be last. By doing this task last, you prevent anyone from accessing the resources until they have been completely secured.

C. When a share is created by default, the Everyone group is granted Full Control through the share.

B. Rather than making a user such as a help desk technician a member of the Administrators or Domain Administrators group, you can use delegation to grant the user or group control over an object or an entire Active Directory container, thus minimizing the number of users or groups who require membership in the administrative groups.

A. EFS is the technology that should be used to secure the data on disk. NTFS will not prevent access to the files and folders if the disk is physically obtained by someone else. IPSec and SSL are used to encrypt data over the network, not on disk.

B, C, D, E, F. The only permission that you should not assign to the Accountants group is Full Control because it includes the ability to change permissions and take ownership, which is not required in the scenario presented in the question.

A, D. By default, an administrator and the creator/owner of the file would have the Full Control permission, which includes the Change Permissions special permission.

B, C, D, E, F. You will have the Modify permission across the network. Full Control is not granted at the folder level; therefore, it will never propagate through the share.

10.

B, C, D, E, F. By default, the Everyone group is granted the Read permission on a share. The scenario states that the Employees group is granted the Change permission on the share. When combining Share and NTFS permissions, the most restrictive is what is effective. Administrators have, by default, the Full Control NTFS permission on all folders. When combined with the Change permission on the share, Change is the only permission granted to the Administrators group when accessing files and folders through the share.