Answers to Exam Prep Questions

B. IP Security Monitor can be used to gather and monitor IPSec statistics. The Active Policy container will tell you which IPSec policy is currently being used. Answer A is incorrect because Network Monitor is used to capture and analyze IP packets. The results will not indicate which policy is in effect. Answer C is incorrect because Resultant Set of Policy will not tell you which IPSec policy is currently being used. This tool can be used to identify existing policy settings. Answer D is incorrect because IP Security Policy Management is used only to create and manage IP Security policies.

D. Software Updates Services requires that the system partition be formatted with NTFS along with the partition on which the software will be installed. Answer A is incorrect because no service pack is required to install SUS. Answer B is incorrect because the partition on which SUS is installed must be NTFS as well. Answer C is incorrect because IIS 5.0 is required.

C. To deploy the Automatic Updates settings using a group policy, the ADM file must first be loaded. If it's not, the Automatic Updates settings will not be available within a group policy object. Answer A is incorrect because the scenario already states that you are an administrator. Answer B is incorrect because installing the SUS software does not automatically add the Automatic Updates settings into a group policy object. Answer D is incorrect because settings can be configured locally or through a group policy.

D and E. The updated version of the Automatic Updates software can be installed on Windows 2000 platforms and later. Therefore, the remaining answers are incorrect.

B. The Security Configuration and Analysis tool can be used to analyze the current security settings of a computer and compare them against the settings within an existing template. Answer A is incorrect because the Resultant Set of Policy tool is used for troubleshooting and planning policy settings. It cannot be used to compare existing settings to those in a security template. Answer C is incorrect because IP Security Monitor is used to monitor and troubleshoot IPSec communications. Answer D is incorrect because the Security Templates snap-in is used to configure existing templates and create new ones.

B. You can use the Security Templates snap-in to create a new template with the required security settings. The template can then be imported into a GPO. Answer A is incorrect. Although this is a viable solution, it is not the most efficient one. It requires configuring the same settings on each server. Answer C is incorrect because this tool cannot be used to create new templates. Answer D is incorrect because SUS is used to deploy software updates to clients.

C. To specify which server a client will download the updates from, you must configure the WUServer value. Answer A is incorrect because it only enabled Automatic Updates to use an SUS server. Answer B is incorrect because this option is used to specify how updates are downloaded and installed. Answer D is incorrect because there is no such option.

D. The netsh command-line utility can be used to configure IPSec. It can be used with scripting, making it easier to deploy changes to multiple servers. Answer A is incorrect because this command-line utility is no longer used to configure IPSec. Answer B is incorrect because this command is used to launch the IP Security Monitor in Windows 2000. Answer C is incorrect because it would be easier to deploy the changes using a script instead of making the configuration change on each server. You can also not use the IPSec Policy Management console to specify default traffic exemptions.

C. As long as auditing of policy changes has been enabled, you can monitor when changes are made to an IPSec policy using the Event Viewer. Audited events are written to the Security log. Therefore answers A, B, and D are incorrect because these tools cannot be used to monitor whether an IPSec policy change was made. The ipsecpol command is used in Windows 2000 to configure IPSec policies, filters, and filter actions.

B. The IP Security Monitor included with Windows Server 2003 cannot be used to monitor computers running Windows 2000. Therefore answers A, C, and D are incorrect.