Chapter 9: Securing Network Resources | MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298

1.	You have been asked to design an access control strategy for your firm and it must be done as soon as possible. The company currently has about 85 employees, each of whom has a desktop or laptop computer. There are four servers functioning in various roles. The departments are Finance, Administration, Customer Service, Trucking, Warehouse Operations, Purchasing, and IT. Your company plans to expand operations in the next one to two years , adding about 28 new employees in that period of time. There is fairly high turnover in the Trucking and Purchasing departments. Seasonal help comes in during the holidays to assist with warehouse operations, and some seasonal staff have computer access. There are a number of staff that change from one department to another based on external business drivers and internal staffing skills. There have never been any attacks on the network and most users have fairly basic computer skills. All systems are Windows Server 2003, Windows 2000 native mode, and Windows XP. Most users have the ability to use e-mail, word processing, and spreadsheet programs. About 10 employees , including those in the IT department, have advanced skills, and the IT department is comprised of five people, three of whom have advanced programming skills. Based on this information, which access control model is best suited to your organization? Role-based Access group/ resource group Access group/ACL User /ACL
2.	You ve been looking at users and groups on your network and have decided there are a lot of groups that are probably no longer used. Several key projects have wrapped up and there were several groups created just for those projects. After examining these groups, you decide they re no longer in use and you delete them. During the next hour , you receive phone calls complaining that users can no longer access network resources. What is your best course of action in this situation? Use the Undo command to undo the action and restore the deleted groups. Use the Restore command to undo the action and restore the deleted groups. Recreate the deleted groups using the same names . The groups will inherit the same permissions as the deleted groups if Active Directory has not been replicated in between deleting the groups and recreating the groups. Recreate the deleted groups and assign users and permissions to restore access to users.
3.	Your company is upgrading to Windows Server 2003 and Windows XP across the board. You re using Active Directory in all domains. Your current structure consists of three domains: somecompany.com, admin.somecompany.com, and sales.somecompany.com. In the sales.somecompany.com domain, there are four domain local groups called Managers, Sales, Service, and Tech. Members of the Managers group should have the same permissions as the Executive global group in the admin.somecompany.com domain. What is the best way to give Managers the same privileges as Executives? Add the Managers group to the Executive group. Add the Executive group to the Managers group. Create a universal group named ExecMgr and add both the Executive and Manager groups. Create a nested group under Executives called ExecMgr and add members of the Managers group to this new group.
4.	You look in Event Viewer and notice an odd series of events that were logged last night beginning at 11:36 p.m. The events are as listed. Your company runs Monday through Friday, 7 a.m. to 7 p.m., but there are a number of managers who sometimes work late to monitor Web orders and other end-commerce functions. These managers sometimes log in from home and have no restrictions on time-of-day access. Other users have time-of-day restrictions and can only log on between 6:30 a.m. and 7:30 p.m. Four employees are currently on vacation, and two other employees were recently terminated . Based on these events, what is the most likely explanation for what s happening? 11:36pm 531: Logon failure. A logon attempt was made using a disabled account. 11:37pm 540: A user successfully logged on. 11:37pm 531: Logon failure. A logon attempt was made using a disabled account. 11:37pm 531: Logon failure. A logon attempt was made using a disabled account. 11:39pm 529: Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. 11:43pm 540: A user successfully logged on. 11:43pm 529: Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. 11:44pm 551: A user initiated the log off process. 11:44pm 529: Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. 11:47pm 551: A user initiated the log off process. 11:47pm 539: Logon failure. The account was locked out at the time the logon attempt was made. It appears that one of the managers was attempting to log in and mistyped his or her password or username. Someone is attempting a brute force attack. One of the former employees gained unauthorized access to the system. Two attacks might be in progress: one by a former employee and one by an outsider.
5.	Your company recently sent out an e-mail to an employee distribution list that consisted of all managers and all members of the Research department. The e-mail requested that all employees receiving the e-mail immediately begin encrypting all files related to a particular high-profile client. The e-mail suggested that there had been recent attempts to compromise the network and gain access to these sensitive files. The e-mail outlined steps for using EFS to encrypt these sensitive files. Lisa is a corporate executive who works with this high-profile client. She was on a business trip visiting this client when she received the e-mail. While she was waiting for her flight at the airport, she followed the instructions in the e-mail to encrypt sensitive files. Based on this information, what type of encryption certificate does Lisa have? An EFS self-signed certificate. An EFS certificate based on cached login credentials. A certificate issued by the corporate CA. A temporary EFS certificate to be used until a more reliable certificate is obtained.
6.	You use execute the following command in a command prompt window: cipher /r:financedra and then you open the MMC, add the Group Policy Editor snap-in, and add to the FinanceOU policy. You expand the nodes until you locate the Encrypting File System node. You click Add Data Recovery Agent and specify financedra.cer . What have you just accomplished? You have imported a recovery agent that can be used for all computers and users in the FinanceOU. You have imported a recovery agent for the local computer that is part of the FinanceOU. You cannot import this file via the Group Policy Editor snap-in into the Encrypting File System policy. Instead, use the Certificates snap-in and import the financedra.cer file. Although you used the cipher command, the /r switch will only create the recovery agent. You must create the private keys and certificate using additional parameters in the cipher command.
7.	Your company has four critical servers located in one server room. The first server holds various data files, including all users files stored on the network. The second server is a proxy server. The third and fourth servers provide critical network functions, including DC and DNS server. You have standard (default) installations of Windows Server 2003 on all servers. You perform incremental backups each night and a full backup on Sundays at 11:30 p.m. for each server. On Monday morning around 9:40 a.m., a brand new virus attacks the proxy server and disables the computer. You re able to download a just-released update for your virus signature file and install it on the proxy server to remove the virus. However, the system is not operational and it appears much of the data has been corrupted. Users cannot reach the Internet and the help desk is suddenly flooded with calls and e- mails . You send out a global e-mail in response and let people know that you expect to have the system up by 11 a.m. What recovery method will best restore the system to a functional state? Reformat the hard drive on the proxy server, reinstall the operating system, and restore the data files. Use the Automated System Recovery set generated with the backups to restore both system state and data files. Use the Emergency Management Services to redirect the console to a remote machine, view the kernel log, and then restore the parts of the system affected by the virus. Use the Recovery Console option to restore the system to its original state, and then use the backups to restore data files.
8.	You have previously installed Windows Server 2003 on seven servers. On four of these servers you ve enabled Emergency Management Services. One of these servers experiences a Stop message. You are not sure what s causing the problem, but you notice that the prompt is shown as !SAC. You assumed that you would be able to use the Special Administration Console (SAC) for monitoring, reviewing, and repairing a wide range of problems, but it is not available. The system won t boot in safe mode and you are unable to determine the nature of the problem. What is the most likely cause of the SAC not being available? !SAC is always available before SAC. Once you ve determined the nature of the problem via !SAC commands, you can resolve the problem and use SAC to restore the system to its functional state. Stop messages typically invoke SAC. In this case, however, because the system cannot start in Safe mode, !SAC was called by the Recovery Console. SAC is not available because some system component failed causing the Stop message. If the server is stopped and restarted via Emergency Management Services using console redirection on an out-of- band connection, it will restart in the !SAC mode by default.

Answers

1.	¾ C . The Access group/ACL model appears to be most suited to the organization based on the given parameters. From the information, we know that there are 85 employees and will be 113 total in two years. However, there is a fair amount of change both in terms of group membership and changing permissions. Since employees move around, it mighty be difficult to manage access control using other methods . Adding users to access groups and adding those groups to ACLs is the easiest method to implement and manage in this small-to- medium- sized business. The access group/ACL model is scalable and easier to administer if groups require similar permissions. It s useful if permissions require frequent changing. x Answer A is incorrect. Role-based access control is only supported in Windows Server 2003 and must be supported by the applications running it. This is a specialized model that would not be appropriate in this scenario because no data was presented that supports this. Answer B is incorrect. The access group/resource group is a good solution for large organizations, but it requires more administrative overhead initially. It does not work well when permissions change frequently, as it appears they do in the organization. Moreover, although it can be used in native mode, the AG/RG model is suitable for a mixed environment. These indicate that although you could implement the AG/RG model, it s not the best solution for your organization. Answer D is incorrect. Although you can add users to the ACL for various objects, this is not the most efficient or secure solution. If a user moves into a new department or leaves the company, you must locate all the objects to which the user has permissions and change them. Using an account group method (AG/ACL or AG/RG) allows you to remove the user from the group and the user no longer has permission to access resources. From a security and administrative standpoint, the User/ACL method is limited and is not the best answer for this situation.
2.	¾ D . The only way to recover when you ve deleted groups is to recreate the groups, add users to those groups, and assign whatever permissions to the group needed to restore user access to its prior state. A deleted group cannot be recovered. x Answer A is incorrect. There is no Undo command available. Once a group is deleted, it cannot be recovered. Answer B is incorrect. There is no Restore command to recover a deleted group. You can perform a system restore if you recently performed a backup, assuming the backup included system state data such as Active Directory data and not just data files. However, to restore these groups means that you ll lose whatever data was on changed between the time of the last backup and the restore, which is likely not a reasonable solution. However, there is no Restore command, per se. Answer C is incorrect. You can recreate the deleted groups using the same names. However, permissions will not be inherited. They must be recreated based on group membership.
3.	¾ C . A universal group can include groups and accounts from any domain in the domain tree or forest. These universal groups can be assigned permissions in any domain. To grant Managers from one domain the same permissions as Executives in another domain, you would have to use a universal group. x Answer A is incorrect. Managers is a domain local group in the sales.somecompany.com domain. Executives is a global group in the admin.somecompany.com domain. You cannot add groups from other domains to a global group. Answer B is incorrect. It would not serve any purpose to add the global group Executive to the domain local group Managers. The problem is how to grant Managers the same privileges as the Executive group, not how to give the Executive group the privileges granted to the Managers group. Answer D is incorrect. Even as a nested group, the Executive group can only contain groups or members from the same domain; therefore, this is basically the same answer as A and is incorrect.
4.	¾ D . The pattern here suggests possibly two different attacks. The first event is someone attempting to log in to a disabled account. This could be one of the recently terminated employees or one of the employees on vacation (whose account you temporarily disabled for security purposes) attempting to log in. It s not clear based only on the first event. The next event indicates a successful logon. Since a user will not be able to log in to a disabled account, this success event indicates use of a different account. Without additional information or evidence, it would be reasonable to assume that this might have been a legitimate access by one of the managers. The next two events indicate someone was trying to access a disabled account. Again, this could be a terminated employee (attack) or an employee on vacation ( benign event). However, the next event, 529, indicates someone attempted to log on with the wrong username or password. If this were an employee on vacation, this event would likely not occur. If a former employee was trying to gain access, this might be evidence of an attack. The next event, 540, indicates a successful logon. This could indicate another manager successfully logged on or that the attacker was successful at guessing a username/password combination to gain access to the network. The next event is another 529 logon failure. It would indicate that the prior successful logon might have been a legitimate user and the attacker is still trying different combinations. The 551 event indicates a user logged off, probably one of the managers who had successfully gained access. The next event, another 529 failure, indicates a possible attack. The 551 indicates a user logged off, which could be associated with the one of the successful logons . Finally, the 539 event indicates that the account was locked out and someone tried to access it. This could indicate an attacker who guessed wrong three times and was locked out. Although this could be an employee on vacation (not understanding his or her account would be disabled during vacation), it could also be an outsider trying to guess at usernames and passwords. Therefore, there is the possibility of two attacks occurring here: one by a former employee and one by an outside attacker. x Answer A is incorrect. A manager might have accidentally mistyped his or her username and password, but it is unlikely that it would occur four times and cause the account to be locked out. This is not the most likely cause of this string of events, although you would need to look at the details of the events to be absolutely sure this was not the case. Answer B is incorrect. A brute force attack occurs when someone is attempting to guess passwords through repeated attempts. This might be the case evidenced by the series of 529 logon failure events. However, this is probably not all that is going on since someone also attempted to use a disabled account. It is unlikely that an attacker would successfully guess the username on a disabled account. Although this is part of what might be occurring, it is not the best explanation for all events listed. Answer C is incorrect. As with Answer B , this is probably only one part of the explanation. The attempts to log in to a disabled account indicate that either an employee on vacation or a recently terminated employee is trying to gain access to the network. Without knowing the company s policy on terminated employees (are accounts disabled immediately and deleted later or simply deleted immediately?), it is impossible to tell. However, there are two different types of access being attempted: indicating possibly two different attacks.
5.	¾ A . Since the question gave no indication that the company already uses certificates for other security functions, and since Lisa is not connected to the corporate network, she must have a self-signed EFS certificate. When no CA exists, EFS will create a certificate for file encryption. x Answer B is incorrect. EFS will not use cached credentials, per se. EFS will generate a certificate for the user. If the user logged on to the laptop using cached credentials, those cached credentials will be used to create a security access ID token for the user. EFS will generate a certificate based on a legitimate user, but the certificate is not specifically linked to cached credentials. Even if the user were logged on to a network and no CA were available, EFS would generate a self-signed certificate for the authenticated user. Answer C is incorrect. EFS will look for a CA when first enabled. In this case, one was not available and EFS created a self-signed certificate. Answer D is incorrect. EFS will not create a temporary certificate; it will generate a self-signed certificate. This self-signed certificate will have an expiration date, as do other certificates, but it will not be any shorter than the normal duration. It is not considered temporary.
6.	¾ A . Using these steps, you ve added a recovery agent via the Group Policy Editor snap-in. This will be applied to whatever object you ve chosen ”local computer, domain, OU, and so forth. In this case, you ve selected a policy for the FinanceOU. By Adding Data Recovery Agent and importing the .CER file, you create a data recovery agent that can be used to decrypt files for the FinanceOU. x Answer B is incorrect. You have imported the .CER file and created a data recovery agent. However, it is not just for use on the local computer; it is for use within the FinanceOU. If the computer is part of the FinanceOU, then the DRA will be available. Answer C is incorrect. You can use this method to import the financedra.cer file for the local computer or for your account (default). However, this will not create a Data Recovery Agent for the FinanceOU. Answer D is incorrect. The /r switch for the recovery agent creates two files, the .PFX file and the .CER file. The .PFX file contains the private keys and the certificate, and the .CER file contains only the certificate data. Once you use the cipher /r:filename command, you create both the filename .PFX and filename .CER files.
7.	¾ B . If you generate an Automated System Recovery set with your backups, you will save system state data, including Active Directory database (if applicable ), the Registry, and other system information. ASR does not restore data files, so it is used in conjunction with backups. These are sets that capture the system in a given state, and the ASR set must be used with its associated backup set. x Answer A is incorrect. You might need to restore the operating system, but reformatting the hard drive is a drastic step that should not be taken unless it is clear there is an issue with drive formatting. While this might be the appropriate step if evidence points to a deep problem on the hard drive caused by the virus that cannot be resolved in any other manner, this is not the best answer. Answer C is incorrect. There might be no need for remote management capabilities since the server is in a server room in one building and the company is not very large (based on the fact it has only four critical servers). If you have not installed any additional services, you have not implemented Emergency Management Services. Therefore, this will not be an option. Answer D is incorrect. As with Answer C , if you have not installed the Recovery Console, it is not an available option for you. By default, Emergency Management Services and Recovery Console are not installed or implemented. The Recover Console can be launched from the installation media, but the Recovery Console is most useful if you need to copy a file from floppy or CD-ROM to the hard disk or if you need to reconfigure a service that is causing problems. Since data was corrupted, your best option is to restore from a backup.
8.	¾ C . If there is a serious problem and system components are compromised, the system might not be able to boot in safe mode. After a specific failure point is reached, Emergency Management Services components shift from SAC to !SAC. !SAC becomes available automatically if SAC fails to load or is not functioning. In this case, you received a Stop message, the most likely cause for SAC not being available. x Answer A is incorrect. Just the opposite is true ”SAC is always available after Emergency Management Services is installed. If SAC is unavailable, it is because one of the components that supports SAC has failed. When this occurs, !SAC is invoked. !SAC is a subset of SAC functionality that can be used to view Stop messages or to restart the computer. Answer B is incorrect. Stop messages typically disable SAC and cause the system to use !SAC. When the system cannot start in Safe mode, !SAC is typically called by the system so you can restart the system or view a Stop message. !SAC is never invoked by the Recovery Console. You can enable Emergency Management Services console redirection via the Recovery Console. !SAC is only invoked when SAC fails. Answer D is incorrect. If the server is stopped and restarted via Emergency Management Services, it is done either via SAC (when possible) of !SAC, if SAC is unavailable due to system component failures. !SAC is not a default mode for Emergency Management Services; it is a failsafe option if SAC fails.