Chapter 2: Securing Servers Based on Function

Previous page
Table of content
Next page

1.  

You are the network administrator for a small network that has 40 computers on a network. You have two Windows Server 2003 computers, one of which is a DC and the other is providing remote access to users who travel throughout the United States. The computer running the remote access services also runs DHCP, DNS, and WINS for your firm. There are two file and application servers running Windows 2000, and you have client computers running Windows XP, Windows 2000, and Windows 98. Your applications are all the latest versions, although one was originally written for Windows 95 and another was developed in-house about six years ago. Based on this information, applying which predefined template might cause disruptions on the network?

  1. Secure*.inf

  2. Hisec*.inf

  3. Compat*.inf

  4. Setup security.inf

b . the hisec*.inf security settings are not compatible with down-level clients, including windows 98. since you have clients running this operating system, you would need to review and modify the settings in the hisec*.inf template or install the directory service client for the windows 98 computers. the hisec*.inf template rejects the lan manager authentication protocol. client computers are required to respond with ntlm v2 if they do not support other more advanced authentication. windows 98 cannot respond with ntlm v2 without installing the directory service. otherwise, windows 98 computers might not be able to connect to needed resources, including wins and dhcp as well as other domain services. x answer a is incorrect because the secure*.inf template requests the use of stronger security functions but does not require them. for example, it will use ntlm v2 if the client supports it but it will accept a response from a client that cannot use ntlm v2. therefore, this answer is not the best answer. answer c is incorrect. the compat*.inf template is used to provide access to certain system and registry areas needed by older applications. you might need to use this template in this scenario because of the two older applications you re running. this template would not cause disruption, but it might create security holes that should be monitored closely. answer d is incorrect. the setup security.inf template is the default template applied to all computers that have windows server 2003 installed as a clean installation. these security settings, by default, are much tighter than previous versions of the operating system, but should not cause problems with down-level clients.

2.  

In the MMC snap-in Security Configuration and Analysis, you open a new database you call Test1. You select the securedc.inf template and click OK. At this point, what is the state of the security on the computer you re working on?

  1. The settings from the computer and the securedc.inf template have been merged.

  2. The settings from the securedc.inf template have been applied.

  3. The settings from the database, including the imported securedc.inf template, have been applied.

  4. The settings on the local computer have not changed.

d . the settings on the local computer have not changed. the security configuration and analysis snap-in allows you to test (configure and analyze) security settings before applying them. this snap-in is used to test various scenarios and analyze settings compared to local computer settings, but settings are not applied unless you select the configure computer now option in the snap-in. x answer a is incorrect. the security settings are typically merged when a template is applied to a system. however, the security configuration and analysis snap-in allows you to test configurations in a virtual manner without applying them to your local computer. since you opened a new database, the template settings were the only settings present. answer b is incorrect. the settings from securedc.inf have been imported and will be used only if configure computer now is selected. answer c is incorrect. the settings from the database, test1, and the securedc.inf template will be merged if applied to the local computer. however, the test1 database is a blank database with no settings; therefore, if applied, the settings would be the default securedc.inf settings along with the local computers existing security settings.

3.  

You have opened the securedc.inf template via the MMC snap-in Security Templates. You expand the nodes in the left pane until you find the Account Policies. You select Kerberos Policy and notice that all the policies are Not Defined. What step do you need to take in order to define any one of those policies?

  1. None. If a policy is not defined in a predefined security template, you cannot modify it.

  2. None. You should never modify the settings in a predefined security template.

  3. Double-click the policy, modify the settings, check the box to Define this policy setting in the template, and click OK.

  4. Right-click the policy, check the box to Define this policy setting in the template, and click OK.

d . you must check the box define this policy setting in the template before you can actually modify any policy settings that are not defined. when you click the check box, the policy setting options are enabled (no longer grayed out) and you can set the options. even if you choose to disable an option, you must define it before you can assign it a value. x answer a is incorrect. predefined security templates are simply a way to manage a wide range of security settings across the enterprise. predefined settings can be modified via the security templates snap-in to the mmc. answer b is incorrect. it is true that you should not modify the predefined security templates. however, to use the settings provided in a predefined security template as a baseline and make modifications from that point, you can make the modifications and then right-click the predefined security template node in the left pane and select save as to save the predefined template with a custom name so that you preserve the original template files. answer c is incorrect.one way to access the policy settings dialog is to right-click; another is to double-click the policy. however, you will be unable to modify the settings until you select define this policy setting in the template. if the policy setting is already defined, you can simply double-click the policy and modify the settings.

4.  

After upgrading a computer from Windows 2000 to Windows Server 2003, you notice that some of the settings in the USER_RIGHTS area of security are not exactly as you d like them. You d like to use the settings for USER_RIGHTS found in the secure*.inf template. What is the best way to apply the settings for USER_RIGHTS from the secure*.inf template to the local computer?

  1. Use the secedit.exe /configure command using the /cfg switch to specify the securews.inf template, the /overwrite switch to clear the existing database settings, and the /area switch to specify USER_RIGHTS.

  2. Use the secedit.exe /analyze command to analyze the difference between the USER_RIGHTS on the local computer and the USER_RIGHTS settings in the securews.inf template.

  3. Use the secedit.exe /cfg /USER_RIGHTS command to configure the USER_RIGHTS area of the current security template.

  4. Use the secedit.exe /analyze command with the /db switch to specify which database should be analyzed . You do not need the /cfg switch to analyze the settings in the configuration stored in the current database.

a . the task here is to set the user_rights security settings according to the user_rights settings area of the secure*.inf template. the recommended method is via the secedit.exe command-line tool. in this case, you want to configure current database settings with the user_rights settings. this command would use the following syntax: secedit /configure /db oldsecurews.dbs /cfg securews.inf /overwrite /user_rights /log oldsecurews.log x answer b is incorrect. analyzing the difference in user_rights in the current configuration, and the securews.inf template is certainly a good step to take to understand the difference in the settings. however, you ve already determined that the settings are not as you want them. therefore, the next step is not to analyze the difference, but to import the settings from this one security area of a predefined template, secure*.inf. answer c is also incorrect. the /cfg switch in the secedit command-line tool is a switch that defines which security template you will use. however, you must first specify which action you want to take. in this case, you want to configure, so you would need to specify the /configure action before using the /cfg switch. you must also specify which template to use, and you cannot use the /cfg switch without a filename. answer d is incorrect. you need to configure, not analyze, your settings, so using the /analyze command will not accomplish your task. in addition, you must specify both the database you want to configure (required parameter) and which security template settings (/cfg filename parameter) you want to use.

5.  

You ve just completed a security audit and determined that you should tighten up password security settings on one of your Active Directory sites. Currently, the minimum password length is not defined, meaning that users could elect to use a blank password. To rectify this situation, you assign the task of modifying this to one of the junior network administrators. He implements the policy for the site through Active Directory Sites and Services, but the policy does not take effect. When he comes back to you to report the problem, what can you tell him about this problem?

  1. A local policy might be overwriting this new policy. Check local policy settings.

  2. Active Directory Sites and Services does not support applying security policies.

  3. You must use the gpupdate command-line tool to refresh the policy in order to see the policy in place.

  4. Password and account policies are applied at the domain level.

d . password and account policies are always applied and managed at the domain level. setting them at the site level will have no effect. the domain policies will take precedence over site settings for password and account policies. x answer a is incorrect. in some cases, local policy can overwrite other policies since policies are applied in this priority: ou, domain then local computer. domain password account policies will always take precedence. answer b is incorrect. you can apply security policies via the active directory sites and services interface. by selecting the properties for the selected site, you can link to group policies and review or edit security settings via the group policy and security tabs, respectively. answer c is incorrect. if the policy has not yet updated, using the gpudate command will force a refresh. however, in this case, the problem is not the refresh interval but the fact that password and account policies are applied at the domain level, not the site level.

6.  

You ve performed an analysis of your server s current security configuration as the first step in identifying the security settings you want to use for your application servers throughout the domain. The analysis results are as shown in Figure 2.22. (Results of the analysis that are typically listed under the Database Setting and Computer Setting have intentionally been removed.) Based on the data in this screenshot, what statements can you make about the results?

click to expand
Figure 2.22: Security Analysis Results

  1. The Account lockout duration and Reset account lockout counter after were not analyzed because they did not exist on the local system.

  2. The Account lockout duration and Reset account lockout counter after were not analyzed because they did not exist in the analysis database.

  3. The Account lockout duration and Reset account lockout counter after were analyzed but the database settings did not match the local computer settings.

  4. The Account lockout duration and Reset account lockout counter after were analyzed but the database did not contain definitions for these settings.

b . the policy with the icon containing the question mark indicates that the setting was not defined in the analysis database and was not analyzed. x answer a is incorrect. the icon with the question mark does indicate the setting was not analyzed, but because it was not defined in the database, not the local system. if the setting were not analyzed because it did not exist on the local computer, you would have seen an exclamation point icon. answer c is incorrect. the question mark icon denotes the setting on the local computer was not analyzed. if the settings were analyzed and did not match, the icon would include the red x as shown with the account lockout threshold policy shown in figure 2.22 . answer d is incorrect. if the database did not contain certain settings, those settings could not be analyzed. if the settings were not analyzed, the icon might have had no flag or a question mark

7.  

You ve recently been tasked with upgrading several Windows 2000-based file and print servers to Windows Server 2003. You ve already installed Windows Server 2003 on four other servers in the organization, two of which are located in another city connected by a high-speed Internet-based connection. What can you do to ensure that all Windows Server 2003-based file and print servers have exactly the same default settings on their drives ?

  1. Apply the Setup security.inf template to all servers to set a baseline.

  2. Apply the DC secure.inf template to all servers to set a baseline.

  3. Apply the rootsec.inf template to all servers to set a baseline.

  4. Apply the securedc.inf template to all servers to set a baseline.

c . to establish default settings for the root of the system drive, you would apply the rootsec.inf template. this template defines permissions for the root of the drive and can be used to reset values to defaults or to ensure drives all have the same default baseline settings. x answer a is incorrect. the setup security.inf template is used to set all security settings for a system. although it might be appropriate to use this template to establish baseline settings for upgraded systems, the question specifically asked about drive settings. this is not the best answer for this scenario. answer b is incorrect. the dc security.inf template is created when a server is promoted to a dc. it does set file, registry, and system service defaults. however, these computers are not being promoted to dcs, but are being used as file and print servers. therefore, this template is not applicable. answer d is incorrect. the secure*.inf template-in this case the securedc.inf template-would be applied to dcs on which you want to establish tighter security. this template would not establish a baseline because templates are applied and their settings are cumulative. in addition, this template would not be used for file and print servers that were not also dcs.

8.  

You work at a software company that sells an accounting software package to large institutions, including governmental organizations and school systems. The software package requires the use of SQL Server, and the company has found over the course of several years that this requirement has made selling the product more difficult. In a recent meeting, you suggest running the SQL Server-based application on the company s servers and providing access to the software package to client via Terminal Server. In talking with clients , you ve discovered that most of them are running Windows 95, Windows 98, or Windows XP clients. The VP of Client Services asks you about security, knowing that governmental agencies and school districts might be quite averse to transmitting financial data across the Internet to your company. You tell the VP you ve devised a security plan to address just those questions. What elements does your plan include for the highest possible security?

  1. The Terminal Server computer will run only the application for clients. It will use NTFS on the file system and will use Full Security. Clients will be able to access the application only via a secure connection. The computer will be in a controlled-access location and you ll disable drive redirection. You also require Client Compatible encryption and limit the number of user logon attempts and connection times.

  2. The Terminal Server computer will run only the application for clients. It will use NTFS on the file system and will have the Notssid.inf template applied to remove unnecessary Terminal Server SIDs. Strong passwords will be required. The computer will be in a controlled-access location, and CD and floppy drive access will be restricted to the Remote Desktop Users group .

  3. The Terminal Server computer will use NTFS on the file system, and additional security will be placed on the file system and Registry via the hisecws.inf template. Auditing the Remote Desktop Users group for unsuccessful logons will ensure only authorized users can make a connection. Strong passwords will be required. You will disable drive redirection and require encryption.

  4. The Terminal Server computer will use NTFS on the file system. It will be placed in a secure location, and CD and floppy drive access will be restricted to Administrators. You limit the number of user logons and restrict connection times. You also set the encryption requirement to High so that data to and from the Terminal server is encrypted using 128-bit encryption.

a . by configuring terminal server to host only the application users need, you reduce the number of people who will be accessing the server, thereby increasing security. formatting the system drive with ntfs secures the data on the drive. setting terminal server to use full security will provide set security defaults to the highest possible settings while still allowing normal terminal server functions to occur. older applications often cannot run in the full security mode because they must be written to run in the context of an ordinary user. however, because your firm is the developer of the application, you can make any modifications needed to ensure the application runs in the full security mode. physically securing the system is always a good security measure when you are concerned about internal security. disabling drive redirection will prevent users from redirecting data on the terminal server to their own computer. although using client compatible encryption will not provide the strongest encryption possible, it will allow legacy users to connect. although not discussed in this scenario, a better security solution (not necessarily better for your firm s clients) is to require users to run terminal server clients that can use the high 128-bit encryption, or upgrade clients to enable the use of fips compliant encryption, which meets government standards. limiting user connections and connection times can also help prevent unauthorized connections and usage. although there are other steps that can be taken to secure terminal server, these steps are a good starting point. x answer b is incorrect. running only the client application, using ntfs, using strong passwords, and controlling access to the server are all good security measures. restricting access to cds and floppy drives to the remote desktop users group would be an unusual setting, since the remote desktop users group is empty by default and the answer does not address group membership. however, applying the notssid.inf template does not improve security. this template is used to remove terminal server sids and is typically used on computers that will not be running as terminal servers. answer c is incorrect. using the ntfs format is a good way to secure data on the hard drive. however, using the hisecws.inf template places restrictions on a number of security areas, not just the file system and registry, and will likely cause problems with users and connectivity, especially because you have legacy clients. auditing the remote desktop users group for unsuccessful logons will not improve security. that group is empty by default and the answer does not discuss group membership. using strong passwords, disabling drive redirection, and requiring encryption can all help in creating a secure environment. answer d is incorrect.using ntfs as the file system format is an important security element, as is placing the server in a secure location and restricting access to cds and floppy drives. these protect the data on the terminal server. limiting the number of user logons and connection times can also help protect against unauthorized use. however, when you require high encryption, only clients that can handle 128-bit encryption will be able to connect. if you believe that security needs to be heightened, you would first need to work with your customers to upgrade their clients to enable 128-bit encryption.

9.  

Your network consists of four OUs located in three separate cities. Some clients require the use of WINS, so you ve set up four WINS servers, two with static IP addresses. In two particular locations, computer names change frequently. Since replication takes place across a WAN and you re concerned with security, you ve implemented the requirement to secure all replication data using IPSec. Based on this information, what is the most likely result?

  1. Using IPSec will cause a significant problem with the WINS replication process, because IPSec cannot be used to secure WINS data across a WAN.

  2. Name changes will be replicated across the WAN only during off-peak hours. Other WINS data will not be replicated unless there are changes made to the WINS database.

  3. If you implement IPSec to encrypt the WINS replication data, logging of all WINS events is enabled by default, which can decrease network performance.

  4. The replication time might be significantly increased and users might complain both of slower network connection times across the WAN and the inability to reach resources.

d . microsoft recommends encrypting wins replication traffic that travels across a public network. in this scenario, the data is traveling across a wan and therefore should be secured. however, implementing the ipsec protocol requires more system resources for encrypting and decrypting data, and this can affect performance, especially across slower wan links. in addition, replication across wan links is usually performed less often than replication across faster connections to avoid further degradation of performance. as a result, if computer names change frequently, users in other locations might not be able to locate resources until replication has occurred. this could result in users reporting they are often unable to locate resources in other locations. x answer a is incorrect. ipsec might cause replication problems across the wan but not because it is not supported. in fact, ipsec is frequently used across wans because it encrypts data from one end to the other. answer b is incorrect. when and how frequently wins database changes are replicated are a function of the wins server settings. although both of these might be ideal settings for this scenario, this would not be the most likely result of using ipsec to secure wins replication data. answer c is incorrect. logging of wins events is not enabled by default. in fact, wins logging should only be used during troubleshooting because the logging activities are very resource intensive and the logged events could quickly exceed your system event log limits.

10.  

You have configured one of your servers to provide streaming media services to internal users. However, you want to make sure the data on the server is secure. You ve formatted the server drive with NTFS to be able to manage file and folder permissions on the system. You also want to apply additional file system security to the server. You ve previously created a security template based on the secure*.inf template, named securesv.inf, and you want to apply the permissions from that template to this server. The server s current security database is named winmedia.sdb. What is the easiest way to accomplish this task?

  1. secedit.exe /import /db securesv.inf /cfg winmedia.sdb /FILESYSTEM /quiet

  2. secedit /db winmedia.sdb /cfg securesv.inf /overwrite /FILESYSTEM

  3. secedit /configure /db winmedia.sdb /cfg securesv.inf /overwrite /FILESTORE

  4. secedit /import /db winmedia.sdb /cfg securesv.inf /FILESTORE /quiet

c . the secedit command used with the /configure switch will use a database or configuration file to configure settings on the local computer. in this case, we specified the configuration file, securesv.inf, the security template created earlier based on the secure*.inf template. by specifying the area to be configured, the changed values were limited to those in the filestore section of the template. these apply only to file system permissions on the local file storage system. the /overwrite switch is used to ensure that all settings in the filestore area of the current database are overwritten with those in the securesv.inf file, which is what the scenario specified as the desired result. x answer a is incorrect. the secedit command s filename is secedit.exe, but it does not require the use of the extension to run properly. the /import switch is used to import settings that can be used to configure or analyze the security settings. however, the database file uses the .sdb extension, and the configuration file uses the .inf extension. answer b is incorrect. this secedit command is missing the primary parameter telling secedit what action to take. this command requires the /configure parameter to be specified before it will run properly. answer d is incorrect. the /import switch will pull in settings from the specified configuration file. however, without the /overwrite switch, the settings will be merged, leaving you with unspecified security settings. to ensure the settings are exactly as configured in the securesv.inf filestore section, you should use the /overwrite option.

Answers

1.  

¾ B . The Hisec*.inf security settings are not compatible with down-level clients, including Windows 98. Since you have clients running this operating system, you would need to review and modify the settings in the hisec*.inf template or install the Directory Service client for the Windows 98 computers. The hisec*.inf template rejects the LAN Manager authentication protocol. Client computers are required to respond with NTLM v2 if they do not support other more advanced authentication. Windows 98 cannot respond with NTLM v2 without installing the Directory Service. Otherwise, Windows 98 computers might not be able to connect to needed resources, including WINS and DHCP as well as other domain services.

x Answer A is incorrect because the secure*.inf template requests the use of stronger security functions but does not require them. For example, it will use NTLM v2 if the client supports it but it will accept a response from a client that cannot use NTLM v2. Therefore, this answer is not the best answer. Answer C is incorrect. The Compat*.inf template is used to provide access to certain system and registry areas needed by older applications. You might need to use this template in this scenario because of the two older applications you re running. This template would not cause disruption, but it might create security holes that should be monitored closely. Answer D is incorrect. The Setup security.inf template is the default template applied to all computers that have Windows Server 2003 installed as a clean installation. These security settings, by default, are much tighter than previous versions of the operating system, but should not cause problems with down-level clients.

2.  

¾ D . The settings on the local computer have not changed. The Security Configuration and Analysis snap-in allows you to test (configure and analyze) security settings before applying them. This snap-in is used to test various scenarios and analyze settings compared to local computer settings, but settings are not applied unless you select the Configure Computer Now option in the snap-in.

x Answer A is incorrect. The security settings are typically merged when a template is applied to a system. However, the Security Configuration and Analysis snap-in allows you to test configurations in a virtual manner without applying them to your local computer. Since you opened a new database, the template settings were the only settings present. Answer B is incorrect. The settings from securedc.inf have been imported and will be used only if Configure Computer Now is selected. Answer C is incorrect. The settings from the database, Test1, and the securedc.inf template will be merged if applied to the local computer. However, the Test1 database is a blank database with no settings; therefore, if applied, the settings would be the default securedc.inf settings along with the local computers existing security settings.

3.  

¾ D . You must check the box Define this policy setting in the template before you can actually modify any policy settings that are Not Defined. When you click the check box, the policy setting options are enabled (no longer grayed out) and you can set the options. Even if you choose to disable an option, you must define it before you can assign it a value.

x Answer A is incorrect. Predefined security templates are simply a way to manage a wide range of security settings across the enterprise. Predefined settings can be modified via the Security Templates snap-in to the MMC. Answer B is incorrect. It is true that you should not modify the predefined security templates. However, to use the settings provided in a predefined security template as a baseline and make modifications from that point, you can make the modifications and then right-click the predefined security template node in the left pane and select Save As to save the predefined template with a custom name so that you preserve the original template files. Answer C is incorrect. One way to access the policy settings dialog is to right-click; another is to double-click the policy. However, you will be unable to modify the settings until you select Define this policy setting in the template. If the policy setting is already defined, you can simply double-click the policy and modify the settings.

4.  

¾ A . The task here is to set the USER_RIGHTS security settings according to the USER_RIGHTS settings area of the secure*.inf template. The recommended method is via the secedit.exe command-line tool. In this case, you want to configure current database settings with the USER_RIGHTS settings. This command would use the following syntax: secedit /configure /db oldsecurews.dbs /cfg securews.inf /overwrite /USER_RIGHTS /log oldsecurews.log

x Answer B is incorrect. Analyzing the difference in USER_RIGHTS in the current configuration, and the securews.inf template is certainly a good step to take to understand the difference in the settings. However, you ve already determined that the settings are not as you want them. Therefore, the next step is not to analyze the difference, but to import the settings from this one security area of a predefined template, secure*.inf. Answer C is also incorrect. The /cfg switch in the secedit command-line tool is a switch that defines which security template you will use. However, you must first specify which action you want to take. In this case, you want to configure, so you would need to specify the /configure action before using the /cfg switch. You must also specify which template to use, and you cannot use the /cfg switch without a filename. Answer D is incorrect. You need to configure, not analyze, your settings, so using the /analyze command will not accomplish your task. In addition, you must specify both the database you want to configure (required parameter) and which security template settings (/cfg filename parameter) you want to use.

5.  

¾ D . Password and account policies are always applied and managed at the domain level. Setting them at the site level will have no effect. The domain policies will take precedence over site settings for password and account policies.

x Answer A is incorrect. In some cases, local policy can overwrite other policies since policies are applied in this priority: OU, domain then local computer. Domain password account policies will always take precedence. Answer B is incorrect. You can apply security policies via the Active

Directory Sites and Services interface. By selecting the properties for the selected site, you can link to group policies and review or edit security settings via the Group Policy and Security tabs, respectively. Answer C is incorrect. If the policy has not yet updated, using the gpudate command will force a refresh. However, in this case, the problem is not the refresh interval but the fact that password and account policies are applied at the domain level, not the site level.

6.  

¾ B . The policy with the icon containing the question mark indicates that the setting was not defined in the analysis database and was not analyzed.

x Answer A is incorrect. The icon with the question mark does indicate the setting was not analyzed, but because it was not defined in the database, not the local system. If the setting were not analyzed because it did not exist on the local computer, you would have seen an exclamation point icon. Answer C is incorrect. The question mark icon denotes the setting on the local computer was not analyzed. If the settings were analyzed and did not match, the icon would include the red X as shown with the Account lockout threshold policy shown in Figure 2.22. Answer D is incorrect. If the database did not contain certain settings, those settings could not be analyzed. If the settings were not analyzed, the icon might have had no flag or a question mark

7.  

¾ C . To establish default settings for the root of the system drive, you would apply the rootsec.inf template. This template defines permissions for the root of the drive and can be used to reset values to defaults or to ensure drives all have the same default baseline settings.

x Answer A is incorrect. The Setup security.inf template is used to set all security settings for a system. Although it might be appropriate to use this template to establish baseline settings for upgraded systems, the question specifically asked about drive settings. This is not the best answer for this scenario. Answer B is incorrect. The DC security.inf template is created when a server is promoted to a DC. It does set file, Registry, and system service defaults. However, these computers are not being promoted to DCs, but are being used as file and print servers. Therefore, this template is not applicable . Answer D is incorrect. The secure*.inf template ”in this case the securedc.inf template ”would be applied to DCs on which you want to establish tighter security. This template would not establish a baseline because templates are applied and their settings are cumulative. In addition, this template would not be used for file and print servers that were not also DCs.

8.  

¾ A . By configuring Terminal Server to host only the application users need, you reduce the number of people who will be accessing the server, thereby increasing security. Formatting the system drive with NTFS secures the data on the drive. Setting Terminal Server to use Full Security will provide set security defaults to the highest possible settings while still allowing normal Terminal Server functions to occur. Older applications often cannot run in the Full Security mode because they must be written to run in the context of an ordinary user. However, because your firm is the developer of the application, you can make any modifications needed to ensure the application runs in the Full Security mode. Physically securing the system is always a good security measure when you are concerned about internal security. Disabling drive redirection will prevent users from redirecting data on the Terminal server to their own computer. Although using Client Compatible encryption will not provide the strongest encryption possible, it will allow legacy users to connect. Although not discussed in this scenario, a better security solution (not necessarily better for your firm s clients) is to require users to run Terminal Server clients that can use the High 128-bit encryption, or upgrade clients to enable the use of FIPS Compliant encryption, which meets government standards. Limiting user connections and connection times can also help prevent unauthorized connections and usage. Although there are other steps that can be taken to secure Terminal Server, these steps are a good starting point.

x Answer B is incorrect. Running only the client application, using NTFS, using strong passwords, and controlling access to the server are all good security measures. Restricting access to CDs and floppy drives to the Remote Desktop Users group would be an unusual setting, since the Remote Desktop Users group is empty by default and the answer does not address group membership. However, applying the Notssid.inf template does not improve security. This template is used to remove Terminal Server SIDs and is typically used on computers that will not be running as Terminal servers. Answer C is incorrect. Using the NTFS format is a good way to secure data on the hard drive. However, using the hisecws.inf template places restrictions on a number of security areas, not just the file system and Registry, and will likely cause problems with users and connectivity, especially because you have legacy clients. Auditing the Remote Desktop Users group for unsuccessful logons will not improve security. That group is empty by default and the answer does not discuss group membership. Using strong passwords, disabling drive redirection, and requiring encryption can all help in creating a secure environment. Answer D is incorrect. Using NTFS as the file system format is an important security element, as is placing the server in a secure location and restricting access to CDs and floppy drives. These protect the data on the Terminal server. Limiting the number of user logons and connection times can also help protect against unauthorized use. However, when you require High encryption, only clients that can handle 128-bit encryption will be able to connect. If you believe that security needs to be heightened, you would first need to work with your customers to upgrade their clients to enable 128-bit encryption.

9.  

¾ D . Microsoft recommends encrypting WINS replication traffic that travels across a public network. In this scenario, the data is traveling across a WAN and therefore should be secured. However, implementing the IPSec protocol requires more system resources for encrypting and decrypting data, and this can affect performance, especially across slower WAN links. In addition, replication across WAN links is usually performed less often than replication across faster connections to avoid further degradation of performance. As a result, if computer names change frequently, users in other locations might not be able to locate resources until replication has occurred. This could result in users reporting they are often unable to locate resources in other locations.

x Answer A is incorrect. IPSec might cause replication problems across the WAN but not because it is not supported. In fact, IPSec is frequently used across WANs because it encrypts data from one end to the other. Answer B is incorrect. When and how frequently WINS database changes are replicated are a function of the WINS server settings. Although both of these might be ideal settings for this scenario, this would not be the most likely result of using IPSec to secure WINS replication data. Answer C is incorrect. Logging of WINS events is not enabled by default. In fact, WINS logging should only be used during troubleshooting because the logging activities are very resource intensive and the logged events could quickly exceed your system event log limits.

10.  

¾ C . The secedit command used with the /configure switch will use a database or configuration file to configure settings on the local computer. In this case, we specified the configuration file, securesv.inf, the security template created earlier based on the secure*.inf template. By specifying the area to be configured, the changed values were limited to those in the FILESTORE section of the template. These apply only to file system permissions on the local file storage system. The /overwrite switch is used to ensure that all settings in the FILESTORE area of the current database are overwritten with those in the securesv.inf file, which is what the scenario specified as the desired result.

x Answer A is incorrect. The secedit command s filename is secedit.exe, but it does not require the use of the extension to run properly. The /import switch is used to import settings that can be used to configure or analyze the security settings. However, the database file uses the .sdb extension, and the configuration file uses the .inf extension. Answer B is incorrect. This secedit command is missing the primary parameter telling secedit what action to take. This command requires the /configure parameter to be specified before it will run properly. Answer D is incorrect. The /import switch will pull in settings from the specified configuration file. However, without the /overwrite switch, the settings will be merged, leaving you with unspecified security settings. To ensure the settings are exactly as configured in the securesv.inf FILESTORE section, you should use the /overwrite option.



Previous page
Table of content
Next page
MCSE Designing Security for a Windows Server 2003 Network. Exam 70-298
MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298
ISBN: 1932266550
EAN: 2147483647
Year: 2003
Pages: 122
Authors: Elias Khasner, Laura E. Hunter
BUY ON AMAZON
Beginning Cryptography with Java
Image Processing with LabVIEW and IMAQ Vision
Building Web Applications with UML (2nd Edition)
Introducing Microsoft ASP.NET AJAX (Pro - Developer)
Extending and Embedding PHP
Python Programming for the Absolute Beginner, 3rd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy