MCSE Designing Security for a Windows Server 2003 Network [Electronic resources] : Exam 70-298 Study Guide

1.

You are the network administrator for the Blue Sky, LTD, airplane manufacturer. The vice president of the Finance department has reported that some technically savvy users within the department have been attempting to access confidential information by browsing the available network shares from the Network Connections desktop icon. He has requested that users within subdepartments of the Finance area not be able to map network drives or browse network shares that they have not been explicitly granted access to. However, you have assigned a word processing application to the entire organization using a default GPO, and you do not want to reconfigure this portion of the Active Directory structure. In response to the VP’s request, you have configured your Active Directory environment as shown in Figure 10.13. (Please note that, in the illustration, “Enforce” means that the “Enforce settings” property has been applied to the GPO in question.) Which setting(s) will be applied to a workstation in the Collections OU? (Choose all that apply.)

Figure 10.13: Question 1 Illustration

The desktop publishing package will be assigned.

The Network Connections applet will be hidden.

The Network Connections applet will be visible.

The Run line will be hidden.

2.

You are the administrator for a Windows Server 2003 domain. Your network consists of five locations connected by high-speed Internet connections. Your network servers are running solely Windows Server 2003, but you are supporting network clients that are a mixture of Windows XP Professional, Windows 2000, and Windows NT 4.0 Workstation. Because of the recent spate of critical security updates that have been released by Microsoft, you need to design a strategy to apply security updates to all of your workstations in a quick and efficient manner. Given the current environment, what option can you use to roll out updates for all of your network clients?

Install an internal SUS server and use Group Policy to configure clients to download approved updates from the SUS server.

Configure all workstations to prompt end users when downloads are available from the Windows Update site.

Use the software installation section of Group Policy to manually deploy software updates at the domain level.

Invest in a third-party patch management utility such as SMS.

3.

You are the network administrator for a Windows Server 2003 network with Windows XP Professional desktops. Your help desk has been inundated with support calls from users who have intentionally or accidentally altered their system settings in such a way that they have lost network connectivity or some other form of functionality. You create a new Group Policy Object (GPO) that restricts access to the Control Panel for all of your network users and link it to the domain level. You notice after several weeks that support calls have greatly diminished except for the Communications department. Upon further investigation, you discover that this department is contained within its own OU, and the OU has another GPO applied to it that explicitly grants access to the Control Panel, along with several other settings that the department manager insists are critical for his employees to perform their job functions. How can you enforce the Control Panel lockout without otherwise adversely affecting the Communications department?

Delete the GPO that is linked to the Communications OU.

Configure the “Control Panel lockout” GPO with the Enforce setting.

Configure the Communications OU to Block Inheritance so that the existing GPO will no longer be applied to it.

Merge the Communications OU GPO settings into the default domain GPO.

1.

A, B, D

2.

D

3.

B

4.

You are the network administrator for a medical research facility running Windows Server 2003. Your firm is beginning a joint research operation with a major university, and many of your users will need to access files and folders on the university’s network. The university that you are collaborating with is operating using a UNIX Kerberos environment with UNIX clients at each desktop. Your company’s resources should also be accessible by the university staff. How can you accomplish this with the least administrative effort?

Create a realm trust between your network and the UNIX network, and create account mappings in Active Directory for the UNIX clients.

Create separate accounts for the clients on the UNIX network.

Mandate the use of NTLMv2 authentication on the Windows network.

Mandate the use of MS-CHAP from the UNIX clients.

5.

You are the network administrator for a large e-commerce site. Your Web developers have created a Web application to share information on the company intranet; this application relies on Digest Authentication to allow users to log on. For some reason, employees seem to be unable to access the new application. You check the account properties of one of the user accounts and see the screen shown in Figure 10.14. What is the most likely reason why your users cannot authenticate?

Figure 10.14: Administrator Properties Sheet

When logging on using Digest Authentication, the Windows username is case sensitive.

To use Digest Authentication, users must be running Internet Explorer version 6.

Your users’ passwords are set to expire every 60 days, which is causing Digest Authentication to fail.

You must enforce the Store passwords using reversible encryption setting for all users who need to authenticate using Digest Authentication.

4.

A

5.

D

6.

You are a local administrator within a large, multinational corporation. You would like to offer remote access capabilities for the users on your Windows Server 2003 domain. However, your corporation’s security policies dictate that all remote access authentication needs to be processed by several UNIX-based RADIUS servers located at various points within the company’s global infrastructure. How can you establish remote access authentication for your users that adheres to the corporation’s security policies?

Use IAS as a RADIUS proxy to forward user authentication requests to the corporate RADIUS servers.

Create a realm trust between your Windows Server 2003 domain and the UNIX domain containing the RADIUS servers.

Ask the administrator of the corporate RADIUS servers to enable the Guest account on the RADIUS server.

Enable Digest Authentication for your domain users.

7.

You are the network administrator for Blue Collar, Inc. clothing manufacturers. You have just installed a high-speed Internet connection at the corporate office, and you are designing a remote access scheme that will allow your branch offices and remote users to connect to the corporate LAN to access file shares and other resources. You create a single remote access policy that allows incoming VPN connections between 9 a.m. and 9 p.m., Monday through Friday. You have left all other policy settings at their default values. Most users are connecting to the VPN without issue, but your graphics designer who works from her home office is unable to connect to the VPN using her Macintosh desktop. What is the most likely reason why this is occurring?

You need to allow CHAP authentication within the remote access policy.

The graphics designer is not a member of the appropriate Active Directory group that is enabled for remote access.

The RAS server needs to have the AppleTalk protocol installed.

The clock setting on the graphics designer’s computer is inaccurate.

8.

You are the network administrator for a multisite Active Directory-based network. Your current network infrastructure consists of the following server machines:

MAX-DC1

Windows Server 2003 DC

Dual Pentium III 733MHz processors

1GB RAM

20GB free disk space on a RAID-5 disk array

MAX-DC2

Windows Server 2003 DC

Dual Pentium 4 1.0GHz processors

1GB RAM

20GB free disk space on a RAID-5 disk array

MAX-FPS1

Windows Server 2003 member server

Pentium 4 2.04GHz processor

512MB RAM

25GB free disk space on a RAID-5 disk array

MAX-FPS2

Windows NT 4 member server

Pentium III 600MHz processor

512MB RAM

50GB free disk space on a single disk

MAX-APP1

Windows 2000 Advanced Server member server

Pentium III 833MHz processor

256MB RAM

50GB free disk space on a RAID-5 array

Your network contains over 1,000 users on Windows 2000 and XP Professional workstations belonging to a single Windows Server 2003 domain. The load on the DCs is fairly high, with processor utilization spiking to over 90 percent at several points during the day, especially first thing in the morning and close to 5 p.m. MAX-APP1 is a dedicated application development server that receives similar processor-heavy requests from your department of application developers. With the recent spate of software vulnerabilities, you would like to implement a patch management solution for the clients and servers on your network. Because of some sensitive development environments and documents on your network, you want to be able to test any updates before you apply them to your network servers and clients. You do not have any available budget for new hardware upgrades or purchases. What would be your best course of action in this scenario? (Choose all that apply.)

Install SUS on MAX-FPS1.

Install SUS on MAX-APP1.

Install SUS on MAX-DC2.

Configure a GPO to point your clients to the internal SUS server.

Create a logon script to modify client Registry entries to point to the internal SUS server.

Configure a GPO to point your clients to the Windows Update site.

6.

A

7.

A

8.

A, D