Apply Your Knowledge


When you take the 70-270 exam, you are expected to understand how to enable and configure a computer to use EFS, know how to apply local security policies, understand how local security policies function in a domain environment, and know how to configure Internet Explorer's security settings. You should be able not only to manage security in Windows XP Professional but also to troubleshoot problems with it.

The following exercise will help you master security concepts and management by establishing a password policy. A small network consisting of an Active Directory domain controller, a Windows XP Professional client, and an Internet connection is all you need to test the security settings discussed in this chapter and extend your capabilities.

Exercises

12.1 Establishing a Password Policy

Estimated Time: 15 minutes.

John Brown was so pleased with the results of the EFS implementation described in the Challenge exercise that he has called you for additional security configuration. John had read an article stating that most users create passwords that are easy to guess, and in a short survey of five people he discovered that two of them used their user ID as their password. One had used the same password on the computer for nearly two years, and when prompted to change it, that user would change it right back to the old password. One had no password at all. The last person logs on to the computer with another user's ID and password because he forgot his own. In addition, one user says that he is looking forward to a system in which he can be sure that nobody else has been using his ID and password: one day he caught the soda machine vendor trying to guess his password on one of the shared computers so that the vendor could check his personal Internet email before going to his next appointment. John is absolutely certain that without a solid password policy, the data on his network will not be secure.

1. What other security policy should you propose that John Brown implement at Brown Taxes?

2. Click Start, Control Panel, Performance and Maintenance, Administrative Tools, and then open Local Security Policy. If Brown Taxes upgraded its server to an Active Directory domain controller, where would you implement password policies? If using a domain, should you still implement Local Security Policies?

3. You navigate to Password Policies and change the Maximum Password Age to 30 days, the Minimum Password Length to 8, and Enforce Password History to 4. Which other two policies should you configure?

4. You then navigate to Account Lockout Policy. Which policy do you configure first? What happens right after you configure it?
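When a workstation's local policy is exported with `secedit /export /cfg`, the password and lockout settings from this exercise land in the [System Access] section of a security template. The following Python script is an added example, not code from the book or from any Microsoft tool: it parses a template in that format and reports which values fall short of the exercise's baseline (Maximum Password Age 30 days, Minimum Password Length 8, Enforce Password History 4). The template text embedded in it is constructed for the demonstration, and the LockoutBadCount threshold in the baseline is an assumption rather than a value taken from the exercise.

```python
"""Check an exported Windows security template against a password baseline.

Added example (not from the book or from Microsoft). Parses the [System Access]
section of a template in the format written by `secedit /export /cfg file.inf`
and lists the settings that do not meet the baseline from Exercise 12.1.
"""
import configparser

# Constructed sample: what a workstation might export before the policy is applied.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Baseline from the exercise: key -> (comparison, required value).
# "min": exported value must be at least the required value.
# "max": exported value must be at most the required value.
BASELINE = {
    "MaximumPasswordAge": ("max", 30),
    "MinimumPasswordLength": ("min", 8),
    "PasswordHistorySize": ("min", 4),
    "LockoutBadCount": ("min", 5),  # assumed lockout threshold, not from the exercise
}


def parse_system_access(template_text):
    """Return the [System Access] keys as integers (the template stores plain ints)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the key case exactly as exported
    parser.read_string(template_text)
    return {key: int(value) for key, value in parser["System Access"].items()}


def find_violations(settings, baseline=BASELINE):
    """Return {key: (actual, required)} for every setting that misses the baseline."""
    violations = {}
    for key, (mode, required) in baseline.items():
        actual = settings.get(key)
        if actual is None:
            violations[key] = (None, required)  # key absent: nothing enforces it
        elif key == "MaximumPasswordAge" and actual < 0:
            # secedit writes -1 for "password never expires", the weakest setting
            violations[key] = (actual, required)
        elif mode == "min" and actual < required:
            violations[key] = (actual, required)
        elif mode == "max" and actual > required:
            violations[key] = (actual, required)
    return violations


def report(template_text):
    """Human-readable lines for an administrator reviewing the export."""
    violations = find_violations(parse_system_access(template_text))
    if not violations:
        return ["password policy meets baseline"]
    return [f"{key}: exported {actual}, baseline requires {required}"
            for key, (actual, required) in violations.items()]


if __name__ == "__main__":
    for line in report(SAMPLE_TEMPLATE):
        print(line)
```

Run `secedit /export /cfg current.inf` on the workstation, then point `report()` at the file's contents to see how far the machine is from the policy before you apply it with `secedit /configure`.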

Review Questions

1. What must happen before a user can share an encrypted file?

2. What happens when a user encrypts a file and then tries to access the file directly, using a Windows application such as Word?

3. Which Local Security Policy allows you to protect a computer by preventing users from running executables from an Internet zone?

4. Brad creates a path rule in Software Restrictions to prevent users from running the \\server\share\myfile.exe program. Karen creates a hash rule in Software Restrictions using the same file. Which rule is more easily broken?

5. How can you make certain that you have full access to the web resources shared through IIS in your workgroup but be secured from outside websites?

Exam Questions

1. You are the network administrator for Bones, LLC, a retail pet store conglomerate. The company has grown quickly and you find yourself deploying networks in warehouse-like stores around the country. Company policy requires that every workstation is secured with local policy settings as well as group policies. Your manager has developed a security file called BoneSec.inf. He has asked you to apply the settings in the file to all the new workstations at your next location, rather than configuring each one by hand, to see whether doing so saves time. You import the file into a database named \\server\share\bonesec.sdb. Which of the following can you use to apply the settings? (Choose two.)

   A. Open the Security Configuration and Analysis MMC. Right-click and select Configure the Computer Now.

   B. Open the Security Configuration and Analysis MMC. Right-click and select Analyze Computer Now.

   C. Open the Security Configuration and Analysis MMC. Right-click and select Open Database.

   D. Run the copy \\server\share\bonesec.inf c:\windows\security\templates command.

   E. Run the copy \\server\share\bonesec.sdb c:\windows\security\templates command.

   F. Run the secedit /configure /db \\server\share\bonesec.sdb command.

   G. Run the secedit /refresh /db \\server\share\bonesec.sdb command.

   H. Run the secedit /configure /inf path\bonesec.inf command.


2. You are the administrator for Grapevines Magazine, a small company of 10 administrative users and 4 reporters. All the network computers run Windows XP Professional as members of a workgroup. One user has purchased a used re-writeable optical disk from an Internet auction site as a money-saving measure. The user already has an appropriate drive, but when the user inserts the media into the drive, the user cannot save data to it. You go to the user's desk, insert the optical disk into the drive, and try to copy a file to it. Windows XP displays a prompt to reformat the disk. You see an Access Denied message when you attempt to format the disk. Which local security setting must be enabled for the user to be able to use the optical disk?

   A. Enable the Unrestricted policy under Security Levels for Software Restrictions.

   B. Enable the Devices: Allowed to Format and Eject Removable Media policy under Security Options in Local Policies.

   C. Enable the Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders policy under Security Options in Local Policies.

   D. Add the user to the Perform Volume Maintenance Tasks policy in User Rights Assignment in the Local Policies.


3. You are a help desk administrator for Blastoff. Your company has recently deployed Windows XP Professional throughout the network as upgrades to Windows 98SE. The accounting department has deployed a new custom application. The application stores private information in a file called Info.ini at the root of the C: drive. This is a plaintext file. The Accounting manager calls as soon as he discovers this privacy flaw in the application and asks what he can do to secure the data. What do you tell him to do? (Choose all that apply.)

   A. Run the convert c: /fs:ntfs command.

   B. Run the convert c: /fs:fat32 command.

   C. Run the secedit /configure /db info.ini command.

   D. Run the secedit /e /a C:\info.ini command.

   E. Run the cipher /e /a c:\info.ini command.

   F. Run the cipher /d /a c:\info.ini command.


4. You are a desktop administrator for your company. The marketing department uses portable computers with Windows XP Professional installed on them. Users connect to web folders on the intranet, as well as on the Internet, and to resources supplied by a vendor on the vendor's extranet. Recently, a group policy was created that strengthened security settings applicable to Internet websites. Corporate policy prevents you from changing these settings. However, all the users in the marketing department have reported that they can no longer use the vendor's application and that it is impacting their sales process. What can you do to fix this problem?

   A. You can apply a local security setting because it overrides group policies.

   B. You can configure exceptions, even though it violates company policy.

   C. You can add the vendor's website to the Trusted sites zone.

   D. You can ask the vendor to copy the web application to your intranet server.


5. You are a desktop administrator for your company, which consists of 200 users and computers in three sites. Each site is configured with its own Active Directory domain. You have created a security template file for each type of computer on the network. Most computers are running Windows XP Professional, although you have one group that has not yet upgraded from Windows NT 4.0. This group executes a legacy application on their computers that provides for reversible encryption of passwords. The company has determined that only two of the users need to run the application; the others can simply use a different application to view reports. One other computer on the network has a security configuration that will work with reversible encryption of passwords. Which of the following computers' security templates do you select?

   A. The domain controller at Site 1

   B. The print server at Site 2

   C. The remote access server at Site 1

   D. The enterprise CA at Site 3


6. You are the web administrator for your company, in which all users run Windows XP Professional on desktop computers. You have a secure intranet website at myintranet.com, plus you run an Internet website at myinternet.com. One user calls you to report that she cannot access the myintranet.com website. Whenever she types the URL into Internet Explorer, she receives an error that says the certificate is not trusted. She has no problem accessing the myinternet.com website. Which of the following can you do to fix this problem without compromising security?

   A. Copy the intranet website to myinternet.com.

   B. Restart IIS.

   C. Enable the routers to allow TCP port 443 traffic used for SSL to pass through both incoming and outgoing.

   D. In Internet Explorer, move the myintranet.com website to the Internet zone.

   E. In Internet Explorer, open Internet Options and click the Content tab. Click Certificates. Import a copy of the certificate from myintranet.com into Trusted Publishers.


7. You are the web administrator for your company and all users are running Windows XP Professional on their computers. You have a group of researchers who want to use IIS to share scripted data with each other. They each implement IIS on their computers, create a website, and configure the data. However, when they try to access any other computer's intranet site, they are denied access for downloading the scripts. Each person can access the data on his or her own drive using Internet Explorer and a UNC share name. None can use DNS names or IP addresses. What can you do to configure the computers to function?

   A. Edit the Account Lockout policies.

   B. Edit the Security Options policies.

   C. Execute a cipher command on each website.

   D. Import each computer's certificate into the other computers' Internet Options.

   E. Add the website addresses used to the Local Intranet zone.


8. You have a Windows XP Professional laptop computer on which you store large amounts of research data for your company in a single folder on the local hard disk. You have been given a new corporate policy that requires you to encrypt the data on your hard disk. The memo listing the policy states that encrypted files must also be shared with each person's manager and states that everyone in the company will be implementing EFS. You want to be able to compress the data on the drive as well as encrypt it. What should you do? (Choose three.)

   A. In the Advanced Attributes dialog box, select the Compress Contents to Save Disk Space check box.

   B. Purchase a compression software program from a third party.

   C. In the Advanced Attributes dialog box, select the Encrypt Contents to Secure Data check box.

   D. Purchase an encryption software package.

   E. After encrypting the folder, open the Advanced Attributes dialog box and click Details. Add your manager's certificate to the folder.


9. You have been hired by Widget Midgets to deploy Windows XP Professional throughout its network, which consists of Windows NT 4.0 primary domain controllers, backup domain controllers, several Windows 2000 member servers, and client computers running Windows 98 and Windows NT 4.0. You have upgraded a pilot group of computers. Sally, one of the pilot users, is also the manager of her group. She is concerned about file security on the hard disks of her group's computers. She asks you about encrypting the contents of various folders on the computers. You explain Windows XP's Encrypting File System. Sally calls you later and tells you that she has opened the Advanced Attributes dialog for a folder on her computer, but that the Encrypt the Contents of This Folder option is not available. What should you do?

   A. Tell Sally to open the Certificates console and request a certificate, using the Basic EFS template.

   B. Tell Sally to use the cipher /e /a path command at the command prompt.

   C. Tell Sally to decompress the contents of the folder before attempting to encrypt it.

   D. Tell Sally to use the convert c: /fs:ntfs command at the command prompt.


10. You are an enterprise administrator for SecureSystems, a company that stores removable media archives for other large companies in a secure, controlled environment. SecureSystems is deploying a new live file archival system that uses Encrypting File System on NTFS shared folders. They want to allow their client companies' administrators to transmit data for storage to specific shared folders where the client has sole access over VPN links. They want to ensure that only the network administrators of their respective client companies will be able to store and retrieve data from the shared folders. Which of the following actions should you take? (Choose three.)

   A. Configure a CA server that grants individual certificates to each client's network administrator.

   B. Configure a separate data recovery agent for each client that represents an individual at each client company.

   C. Configure EFS to use self-signed certificates.

   D. Configure yourself as a data recovery agent so that you can help any company retrieve private data.

   E. Train each client company administrator to run the cipher command on his respective data directory.

   F. Log on to the share root of the server sharing the archival file system and execute the cipher command.


Answers to Review Questions

1. The user can share encrypted files with any other user who has already been issued an EFS certificate. If certificates are provided by a CA, the Basic EFS or User certificate must be requested before other users can share encrypted data with that user. If certificates are self-signed, the user must have encrypted at least one file, because EFS automatically generates a self-signed certificate at that point. For more information, see the sections "Using EFS with a Certification Authority (CA)" and "Allowing EFS to Self-Sign Certificates."

2. A user who encrypts a file is granted an EFS certificate. If that user tries to open the file from within an application, Windows XP uses the user's EFS certificate to decrypt the file and then passes the data directly to the application. The entire process is transparent to the user. For more information, see the section "Encrypting File System Basics."

3. You can configure Software Restrictions\Additional Rules to create an Internet Zone rule that prevents executables from running, depending upon the type of zone from which they are installed. For more information, see the section "Software Restriction Policies."

4. The path rule is more easily broken because a user can either move the file to another path or rename the executable, and then it can be executed. The hash rule does not allow the file to be executed simply because it has been moved or renamed. For more information, see the section "Software Restriction Policies."
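The difference between Brad's path rule and Karen's hash rule in Review Question 4 comes down to what each rule keys on: the file's location versus a digest of its bytes. The following Python model is an added example, not code from the book and not how Windows evaluates Software Restriction Policies; it keys a toy path rule and hash rule on a constructed sample "executable" and evaluates both against the rename and move scenarios from the answer. It also shows the caveat that goes the other way: a hash rule stops matching as soon as a single byte of the file changes (a new build, for instance), whereas the path rule still matches. The paths, bytes and digest algorithm are constructed for the demonstration.

```python
"""Path rule versus hash rule: a toy software-restriction evaluator.

Added example, not from the book and not Windows code. Windows SRP hash rules
use their own digest format; SHA-256 is used here only to make the point that
a hash rule identifies content, not location.
"""
import hashlib
import ntpath

# Constructed sample executable and the location the rules were written for.
ORIGINAL_PATH = r"\\server\share\myfile.exe"
ORIGINAL_BYTES = b"MZ" + b"\x90" * 62 + b"constructed sample program body"


def file_hash(data):
    """A hash rule identifies the file by a digest of its contents."""
    return hashlib.sha256(data).hexdigest()


class PathRule:
    """Brad's rule: matches a specific path, case-insensitively like Windows."""

    def __init__(self, path):
        self.path = ntpath.normcase(path)

    def matches(self, path, data):
        return ntpath.normcase(path) == self.path


class HashRule:
    """Karen's rule: matches any file whose bytes hash to the recorded digest."""

    def __init__(self, data):
        self.digest = file_hash(data)

    def matches(self, path, data):
        return file_hash(data) == self.digest


def is_blocked(rules, path, data):
    """All rules here are Disallowed rules, so any match blocks execution."""
    return any(rule.matches(path, data) for rule in rules)


def outcome_table():
    """Evaluate both rule sets against the scenarios from the review question."""
    brad = [PathRule(ORIGINAL_PATH)]
    karen = [HashRule(ORIGINAL_BYTES)]
    scenarios = {
        "original": (ORIGINAL_PATH, ORIGINAL_BYTES),
        "renamed": (r"\\server\share\renamed.exe", ORIGINAL_BYTES),
        "moved": (r"C:\Temp\myfile.exe", ORIGINAL_BYTES),
        # One byte changed at the original location, e.g. an updated build.
        "patched": (ORIGINAL_PATH, ORIGINAL_BYTES[:-1] + b"!"),
    }
    return {
        name: {"path rule": is_blocked(brad, p, d), "hash rule": is_blocked(karen, p, d)}
        for name, (p, d) in scenarios.items()
    }


if __name__ == "__main__":
    for scenario, result in outcome_table().items():
        print(f"{scenario:9s} blocked by path rule: {result['path rule']!s:5s} "
              f"hash rule: {result['hash rule']}")
```

The table makes the exam point concrete: renaming or moving the file defeats only the path rule, while patching the file defeats only the hash rule, which is why hash rules need re-issuing whenever the blocked program is updated.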

5. You can establish different security settings applicable to the type of Internet zone. For the public websites, create much stricter settings, and for the local intranet, be more liberal with security settings. For more information, see the section "Software Restriction Policies."

Answers to Exam Questions

1. A, F. The two ways to configure the computer so that the Bonesec.inf settings are applied to it are either to open the Security Configuration and Analysis MMC, right-click, and select Configure the Computer Now from the shortcut menu, or to execute the command-line utility secedit /configure /db path\bonesec.sdb. All other answers are incorrect procedures. For more information, see the section "Configuring, Managing, and Troubleshooting a Security Configuration and Local Security Policy."

2. B. The correct answer is to enable the user to format and eject removable media. By default, this right is granted only to Administrators. Answers A, C, and D are incorrect because none of those policies affect the way a removable media drive behaves under Windows XP. For more information, see the section "Software Restriction Policies."

3. A, E. The correct process is to first convert the hard drives to NTFS (they would be FAT if they were upgraded from Windows 98), and then to encrypt the file on each computer. Answer B is incorrect because you cannot convert a file system to FAT32. Answers C and D are incorrect because you cannot use Secedit to convert the file system to NTFS or to encrypt the Info.ini file; Secedit is used to analyze or configure general security settings on the computer. Answer F is incorrect because the /d switch decrypts files, and you want to encrypt them. For more information, see the section "Preparing a Disk for EFS."

4. C. Your best option is to add the vendor's website address to the Trusted Sites zone in the Internet Options Security Settings. If necessary, you can adjust the settings for the Trusted Sites zone. Answer A is incorrect because local security policies are applied before all other Group Policy settings and cannot override the subsequent settings. Answer B is incorrect because violating security policy is an unacceptable condition. Answer D is incorrect because copying the website brings problems of its own, such as applying updates and potential security breaches. For more information, see the section "Software Restriction Policies."

5. C. You need to apply the security configuration file that you used for the remote access server. The only two kinds of application that use reversible encryption for passwords (a password policy setting) are Remote Access Services with the Challenge Handshake Authentication Protocol and Digest Authentication for IIS. Answers A, B, and D are incorrect because these server types do not require a security file that includes reversible encryption of passwords. For more information, see the section "Account Policies."

6. E. The error indicates that the computer did not find a matching certificate in its certificate stores for Trusted Publishers. You can import a copy of this certificate to ensure that the user can access the intranet website. Answers A, B, and C are incorrect because none of these options provide a certificate trust relationship. Answer D is incorrect because the Internet zone is one of the least secure zones. For more information, see the section "Software Restriction Policies."

7. E. To fix this error, add the website URLs to each computer's Local Intranet zone. The Local Intranet zone has the lowest security settings that will enable scripts to be executed. Answer A is incorrect because Account Lockout policies do not include website access. Answer B is incorrect because the Security Options policies do not include script downloading. Answer C is incorrect because encryption is not an issue for the website. Answer D is incorrect because a missing certificate would result in a specific error related to certificates or trusted publishers. For more information, see the section "Software Restriction Policies."

8. B, C, E. You can have compression and encryption on the same disk if you use third-party software for one of the two. In this case, because the encryption is supposed to be shared and everyone else is using EFS, you must purchase the compression software package. Also, you must first encrypt the folder, and then, after it has been encrypted, you can go back into the Advanced Attributes dialog box and add the manager's certificate to share the encrypted file. Answer A is incorrect because compressed files cannot be encrypted. Answer D is incorrect because EFS does not require an additional encryption software package. For more information, see the section "Troubleshooting EFS."

9. D. Although the compression and encryption attributes cannot be used simultaneously, they are only grayed out and unavailable when the file system on the hard disk does not support EFS. Because the deployment scenario upgrades Windows operating systems that likely used the FAT32 file system, and the only file system that supports EFS is NTFS, you need to change the file system on the hard disk. The Convert C: /fs:NTFS command changes the hard disk file system to NTFS. Answers A, B, and C are incorrect because the basic file system is not NTFS, which is required to support encryption. For more information, see the section "Troubleshooting EFS."

10. A, B, E. To ensure that each client company encrypts its own files and can recover its own files, you need to configure a CA server to grant certificates to the client administrator and a designated data recovery agent. You should also train the clients to use the cipher command to encrypt the data in their own folders. Answer C is incorrect because the business requirements described in the problem require a centrally managed certificate authority. Answer D is incorrect because each company is supposed to manage its own security. Answer F is incorrect because the cipher command must be executed by each company. For more information, see the section "Using EFS with a Certification Authority (CA)."

Suggested Readings and Resources

The following are some recommended readings on the subject of Windows XP Professional security:

  1. Microsoft Official Curriculum course 2285: Installing, Administering and Configuring Microsoft Windows XP Professional. Information available at http://www.microsoft.com/learning/syllabi/en-us/2285Afinal.mspx

  2. Websites:

    • What's New in Security for Windows XP Professional and Windows XP Home Edition, at http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.mspx#ECAA

    • 5-Minute Security Advisor: Using the Encrypting File System, at http://www.microsoft.com/technet/community/columns/5min/5min-202.mspx

    • How To Cancel NTFS Conversion After Running CONVERT.EXE, at http://support.microsoft.com/default.aspx?scid=kb;en-us;130913

    • Simple Sharing and ForceGuest, at http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prde_ffs_ypuh.asp



MCSA/MCSE 70-270 Exam Prep 2: Windows XP Professional
ISBN: 0789733633
Year: 2004
Pages: 193