Apply Your Knowledge


You need to master a variety of user and group configuration techniques that directly affect how security functions on your computer. These skills include

  • Adding new users and groups

  • Configuring user rights

  • Auditing security on the computer

  • Troubleshooting cached credentials

  • Applying local computer policy

The exercise that follows is geared to help you master local group policy configuration. To supplement this exercise, you can practice user and group configuration, rights assignment, security auditing, and cached credential troubleshooting on a Windows XP Professional computer configured as a stand-alone member of a workgroup. For the cached credential troubleshooting, you should also have one or more network computers that prompt for an ID and password when accessing a shared resource from the Windows XP computer.

Exercises

13.1 Configuring Local Group Policy

Estimated time: 15 minutes.

1. Log on to the computer as an administrator.

2. Click Start, Run, type mmc in the Open text box, and press Enter.

3. From the File menu, select Add/Remove Snap-in.

4. Click the Add button.

5. Select Group Policy from the resulting dialog box and click Add.

6. In the Select Group Policy Object Wizard, you are prompted for the location of the Group Policy. If Local Computer is not displayed in the Group Policy Object list, click the Browse button and select the This Computer option button. Click OK when finished.

7. Click Finish and then click OK to return to the console, which is depicted in Figure 13.14.

Figure 13.14. The Group Policy Editor is the console that displays group policies applied to the Local Computer.

8. To change a policy setting, navigate the tree to the container that holds the policy. Double-click the policy and change its settings; in some cases you may need to click the Action menu or right-click the details pane to create a new policy. The remaining steps in this exercise walk you through the process of prohibiting users from enabling the Internet Connection Firewall (ICF). The firewall doesn't need to be enabled when a desktop computer sits on a private network behind a firewall, and enabling it can cause additional problems.

9. Navigate the Computer Configuration node to the Administrative Templates container, then to the Network container, and finally click the Network Connections container. You see the screen shown in Figure 13.15.

Figure 13.15. You can restrict users from implementing ICF through a group policy setting.

10. In the Network Connections container, you can see two policies that appear to be identical, both of which seem to apply to the task at hand. However, when you click each of them, note that the policy description states that one requires Windows 2000 and the other requires Windows XP. Group policies include the policy settings applicable to both Windows 2000 and Windows XP computers, although for the Local Computer you should use only those applicable to Windows XP.

11. Double-click the Prohibit Use of Internet Connection Firewall on Your DNS Domain Network policy (the one that is applicable to Windows XP). The dialog box shown in Figure 13.16 opens.

Figure 13.16. Many policies provide for configuration only as Enabled, Disabled, or Not Configured.

12. Click Enabled, and then click OK.

Review Questions

1. How can you help a local user gain access to a website that requires a .NET Passport?

2. When you want to configure auditing on a printer, can you audit the access that users have on its documents only?

3. Why would you grant a user the Take Ownership right to a folder and its contents, but no other rights?

4. When a laptop computer is a member of a domain, and a person logs on to the computer with a local user account, will the computer process group policies that are connected to the cached credentials of that person's domain account?

5. You have configured a user named Larson as a member of three groups: Bacon, Eggs, and Sausage. You have granted the Bacon group the advanced rights Traverse Folder/Execute File and List Folder/Read Data, plus the Create Files/Write Data right, to the C:\BRUNCH folder; you have granted the Eggs group Full Control to the C:\BRUNCH folder; and for the Sausage group you have applied the Deny right for the Delete, Create Files/Write Data, and Take Ownership rights to the C:\BRUNCH folder. If Larson wants to move the C:\BRUNCH\OJ.txt file to F:\BREAKFAST, will he be able to? Hint: Diagram the folder structure to help determine the answer.

Exam Questions

1. You are a desktop administrator for the Cor2 Corporation, which has an Active Directory forest consisting of a single domain. All computers are installed with Windows XP Professional and configured as domain member computers. Your company has discovered that a user named Joe had logged on to a kiosk in the lobby, after which Joe's account was disabled; however, Joe's account was still able to access corporate records from that computer. Management has demanded that this should never happen again on any computer in the network. What can you do that will satisfy management's new security policy?

A. Change the kiosk so that it uses a touch-screen instead of a keyboard.

B. On the domain controller's local computer policy, enable the Require Domain Controller to Unlock policy.

C. On the domain, configure the Number of Previous Logons to Cache policy to equal zero (0).

D. On the kiosk's local computer policy, configure the Access This Computer from the Network policy under User Rights Assignment so that there are no user accounts listed.

E. On the domain, configure the Access This Computer from the Network policy under User Rights Assignment so that there are no user accounts listed.

F. On the kiosk's local computer policy, configure the Number of Previous Logons to Cache policy to equal zero (0).


2. You are the desktop administrator for the Cor2 Corporation network. The Sales department uses laptop computers and often shares files with clients from their laptops when on the road. You want to make certain that the Sales members are able to configure shared files and folders. Which of the following groups are granted this right automatically? (Select all that apply.)

A. Administrators

B. Power Users

C. Backup Operators

D. Guests

E. Users

F. Interactive

G. Authenticated Users

H. Everyone


3. You are the network administrator for Babble On, a cellular telephone manufacturer. A member of the marketing department, Kelly, uses a laptop computer that has been configured with a local user account. Over the past two months, Kelly has intermittently had trouble logging on to the network. Each time, you have discovered that the Windows Firewall for the computer's LAN connection has been enabled. How do you prevent this from continuing to happen?

A. Add Kelly's local user account to the Guests group.

B. Enable the local computer policy to Prohibit Enabling/Disabling Components of a LAN Connection.

C. Enable the local computer policy to Prohibit Viewing of Status for an Active Connection.

D. Enable the local computer policy to Prohibit Use of Internet Connection Firewall on Your DNS Domain Network.


4. You are a help desk administrator for Help Desks, Inc., and you manage multiple Active Directory networks for different companies. A network technician named Ellen calls up and tells you she is a new member of the G Company technicians, which has a policy that requires that only users who are authenticated by a domain controller can log on to their computers or unlock the computer's screensaver. Ellen has a laptop computer that is currently disconnected from the G Company network, and she claims that she can unlock the screensaver's password dialog on the laptop using her domain user account. Ellen wants to know how to configure the laptops on the network so that they will conform to corporate policy. What can she do?

A. Enable the Require Domain Controller Authentication to Unlock Workstation policy.

B. Disable the Do Not Require CTRL+ALT+DEL policy.

C. Enable the Allow System to Be Shut Down Without Having to Log On policy.

D. Configure the Number of Previous Logons to Cache policy to be equal to 0.


5. You are the enterprise administrator for Babble On, a cellular telephone company. You have several telecommuters who connect to the network from portable laptop computers through dialup connections to remote access servers. All users are required to log on to the domain when they dial in. Laura is a telecommuter whose local user account is a member of the local Power Users group. Laura's main job function is to test cellular telephone accessories that connect to Windows XP computers. You have recently made changes to the GPO attached to the domain, and you have removed all configuration from Local Group Policies to better manage policies from a central location. You have also configured local user accounts to be members of the local Administrators group. Laura calls to complain that she is no longer allowed to install equipment on her local computer. Laura has attempted to install the equipment as a local administrator of the computer. What do you need to do?

A. You should add Laura's account to the Domain Administrators group.

B. You should remove Laura's account from the local Administrators group.

C. You should edit the GPO on Laura's local computer and configure the Code Signing for Device Drivers policy so that it warns the user, rather than blocks the driver from being installed.

D. You should edit the domain-attached GPO and configure the Code Signing for Device Drivers policy so that it warns the user, rather than blocks the driver from being installed.


6. You are a new user at G Company and you have a Windows XP Professional laptop computer. You have been given a laptop computer that was used by Patrick, who trained you on his last day and has since left the company. The network administrator tells you that she has disabled Patrick's user account on your computer and that company policy is to rename the Administrator account so that only administrators can use the account to log on. You have been told that you will be required to perform the same functions that Patrick performed. During the second week of work, you attempt to back up the files on your hard drive to a removable media device. The Windows Backup program gives you an Access Denied error. What do you need to do?

A. Log on as Patrick.

B. Log on as an administrator.

C. Have the administrator add your user account to the Users group.

D. Have an administrator add your user account to the Backup Operators group.


7. You and Sam are network administrators for NVestRs, a financial investment firm. Sam is executing a project to deploy an application that encompasses multiple locations. All network administrators are members of the domain Administrators group. Sam brings a small print device that is always attached to his laptop computer, and he shares the printer on the network. The laptop computer is a member of the domain, and includes a local group named NetAdmins. You want to make certain that only the members of the NetAdmins group are able to print to the print device or manage the printed documents. What should you do? (Choose two.)

A. Make Sam a member of the NetAdmins group.

B. Make the NetAdmins group a member of the domain Administrators group.

C. Make the domain Administrators group a member of the NetAdmins group.

D. Grant the Allow Print and Allow Manage Documents permissions to the domain Administrators group.

E. Grant the Allow Print and Allow Manage Documents permissions to the NetAdmins group.


8. You have recently performed an upgrade on a computer in your network. The old operating system was Windows 98SE. Your boss has asked you to enable him to see which users attempt to access files on the local hard disk of the computer, and which applications users are launching when they log on locally to the computer, so that he can determine the security vulnerabilities of the upgrade prior to deploying any further computers. Which of the following do you perform? (Choose all that apply.)

A. Add your boss's domain account to the local Guests group.

B. Add your boss's domain account to the local Administrators group.

C. Open the command prompt and run the convert c: /fs:ntfs command.

D. Open Local Security Policy and enable the Audit policies for Audit Process Tracking.

E. Open Local Security Policy and enable the Audit policies for Audit Object Access.

F. Configure the Audit tab in the Advanced Security Options tab of the C: drive's Properties dialog box to audit the success and failure of all files and subfolders of the hard disk for the local Authenticated Users group.


9. You are the remote access administrator for your company. You have telecommuters who access the network in three contiguous shifts of eight hours per day. Each computer used by the telecommuter group has a folder named Tele at the root of the hard drive. All telecommuters use local users and groups only. You have the following objectives:

  1. You want to enable the telecommuters' computers to keep each user's information separate from the others.

  2. You want to configure local accounts for each telecommuter.

  3. You want to make certain that each user can read files in a folder called C:\TELE.

  4. You want to be able to copy a file into the TELE folder whenever you have notices to send to telecommuters.

Which of the following do you perform? (Choose all that apply.)

A. Create a single local user account named REMOTE on each local computer.

B. Create local user accounts named with the user's first initial, middle initial, and six letters of the last name on each computer.

C. Add each user account as a member of the Administrators group.

D. Add each user account as a member of the Telecommute group.

E. Add your own user account as a member of the Administrators group.

F. Create the C:\TELE folder and grant Read access to the Telecommute group.


10. You are the network administrator for ChicChicks, a poultry farm organization. Because the group consists of multiple participants, your network includes workstations that run Windows NT 4.0, Windows 2000 Professional, and Windows XP Professional. The ChicChicks company has hired a public relations firm, which has installed its own computers and hooked them up to your network, which consists of a single Active Directory domain. Sandra, a PR rep, calls you to report that she is not able to log on remotely to a Windows XP computer that shares folders and printers on the network, and she receives consistent Access Denied errors. No other users report this problem. Sandra tells you that when she installed her Windows XP computer, she selected all the default permissions. What do you need to do to correct the error? (Choose two.)

A. Add a password to Sandra's account.

B. Configure a user account for Sandra that is local.

C. Configure a user account for Sandra on the domain.

D. Require that Sandra's password meet complexity requirements.


Answers to Review Questions

1. You can open the User Accounts applet in Control Panel, change the user account, and add the .NET Passport to the local user account. For more information, see the section "Configuring, Managing, and Troubleshooting Account Settings."

2. Yes. When you configure auditing, you can specify an object such as a folder or a printer, or you can specify just its contents, such as the files and subfolders in a folder or the documents printed to the printer, or you can specify both the containing object and its contents. For more information, see the section "Configuring, Managing, and Troubleshooting Auditing."

3. The purpose of explicitly granting a user only the Take Ownership right is administrative. When a user has the Take Ownership right for a folder and its contents, the user can become the owner at some future date, and at that future date will be able to do whatever is necessary to the files. For example, if Joe leaves his company, then Carol, who has the Take Ownership right to all of Joe's documents, can read, move, copy, or delete any files from the computer as needed. However, in the meantime, the user does not have any rights to the file (aside from those granted to any groups that the user is also a member of). For more information, see the section "Configuring, Managing, and Troubleshooting User and Group Rights."

4. When a user logs on to the local computer with a local user account, the only Group Policy that applies is the Local Computer Policy. That person's cached credentials are not applied because the user's domain account is not logged on. For more information, see the section "Configure, Manage, and Troubleshoot Account Policy."

5. No. Larson was denied the right to delete files as a member of the Sausage group. Every move operation is completed with a delete operation when the file is moved to another drive, so Larson cannot move the file. For more information, see the section "Configuring and Managing Local Groups."
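The reasoning behind review answer 5 can be worked through mechanically: an explicit Deny entry for any of the user's groups removes a right even when another group grants Full Control, and a move to another drive needs Delete on the source. The following model is an added example, not code from the book; the ACL on OJ.txt is assumed to be inherited unchanged from C:\BRUNCH, and since the question says nothing about F:\BREAKFAST, the destination ACL is a constructed one that grants write access so the source-side Deny is the only obstacle.

```python
# Effective-permission model for the Larson / C:\BRUNCH scenario (constructed
# to mirror the review question; not code from the book). Windows evaluates an
# explicit Deny ACE before an Allow ACE, so any Deny that applies to one of the
# user's groups removes that right even if another group grants Full Control.

FULL_CONTROL_RIGHTS = frozenset({
    "Traverse Folder/Execute File", "List Folder/Read Data", "Read Attributes",
    "Read Extended Attributes", "Create Files/Write Data",
    "Create Folders/Append Data", "Write Attributes", "Write Extended Attributes",
    "Delete Subfolders and Files", "Delete", "Read Permissions",
    "Change Permissions", "Take Ownership",
})


def expand(rights):
    """Expand the 'Full Control' shorthand into the individual advanced rights."""
    out = set()
    for r in rights:
        out |= FULL_CONTROL_RIGHTS if r == "Full Control" else {r}
    return out


def effective_rights(acl, principals):
    """Union of Allow entries for the user's principals, minus every Deny entry.

    acl: list of (principal, "Allow" | "Deny", set_of_rights)
    principals: the user's name plus every group the user belongs to
    """
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal not in principals:
            continue
        (allowed if kind == "Allow" else denied).update(expand(rights))
    return allowed - denied


def can_move_across_volumes(source_acl, dest_acl, principals):
    """A move to another drive is a copy followed by a delete of the source, so
    it needs read and Delete rights on the source and Create Files/Write Data on
    the destination folder. Returns (ok, list_of_missing_rights)."""
    src = effective_rights(source_acl, principals)
    dst = effective_rights(dest_acl, principals)
    missing = [f"source: {r}" for r in ("List Folder/Read Data", "Delete")
               if r not in src]
    if "Create Files/Write Data" not in dst:
        missing.append("destination: Create Files/Write Data")
    return (not missing, missing)


# Constructed ACL for C:\BRUNCH, exactly as the question describes it; OJ.txt is
# assumed to inherit it. Larson is a member of Bacon, Eggs and Sausage.
BRUNCH_ACL = [
    ("Bacon", "Allow", {"Traverse Folder/Execute File", "List Folder/Read Data",
                        "Create Files/Write Data"}),
    ("Eggs", "Allow", {"Full Control"}),
    ("Sausage", "Deny", {"Delete", "Create Files/Write Data", "Take Ownership"}),
]
# Assumption: F:\BREAKFAST is not described in the question, so a constructed
# ACL grants Larson's Eggs group write access there.
BREAKFAST_ACL = [("Eggs", "Allow", {"Full Control"})]
LARSON_PRINCIPALS = {"Larson", "Bacon", "Eggs", "Sausage"}

if __name__ == "__main__":
    ok, missing = can_move_across_volumes(BRUNCH_ACL, BREAKFAST_ACL,
                                          LARSON_PRINCIPALS)
    print("move allowed" if ok else "move blocked: " + ", ".join(missing))
```

Dropping Sausage from the principal set makes the same call succeed, which shows that the Deny entry alone, not the Bacon or Eggs grants, decides the outcome.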

Answers to Exam Questions

1. C. Because you were asked to make certain that no computer on the entire network, which is a single domain, ever has this problem, you must configure a domain GPO. The correct policy setting is to change the number of previous logons to cache to 0, rather than the default of 10. Answer A is wrong because a touch-screen or a keyboard is still insecure, plus it is not a change that would apply to the entire domain. Answer B is wrong because this policy still uses cached credentials for the initial logon. Answer D is wrong because you have selected to apply the policy only to the local kiosk and it is the wrong policy. Answer E is wrong because the Access This Computer from the Network policy does not prevent a local logon from using cached credentials. Answer F is wrong because the policy is applied only to the kiosk's local computer policy, not to the entire domain. For more information, see the section "Troubleshooting Cached Credentials."

2. A, B. The Administrators and the Power Users groups are automatically granted the right to share files and folders on the network. Answers C, D, and E are wrong because these groups are not granted this right. Answers F, G, and H are incorrect because these groups are not granted the right to share folders, plus these groups are populated by people based on how the people accessed the computer, not by who was made a member of the group. For more information, see the section "Configuring and Managing Local Groups."

3. D. You can configure the policy on the local computer to prohibit the use of the Internet Connection Firewall (Windows Firewall) on a specific DNS domain. This policy is intelligent enough to know when the computer has been placed on a different DNS domain, so when Kelly does enable the Windows Firewall on a local LAN connection for another network, it will be disabled on your own network. Answer A is incorrect because the Guests group has restricted privileges. Answer B is incorrect because it prevents Kelly from making changes to the computer. Answer C is incorrect because it prevents Kelly from viewing the status of a network connection. For more information, see the section "Configuring, Managing, and Troubleshooting Local User and Group Accounts."

4. A. The problem that Ellen describes is one in which cached credentials are used for unlocking the screensaver. To require a domain controller to authenticate the user, you should enable this policy. Answers B, C, and D are incorrect because none will disable cached credentials for unlocking a workstation with a password-protected screensaver. For more information, see the section "Troubleshooting Cached Credentials."

5. D. Because you removed the settings in the Local Computer Policy and added settings in the Domain GPO, what has happened is that a setting in the Domain GPO was configured and has overwritten the Local Computer Policy's value. It has probably done so because unsigned device drivers have been blocked. You do want to apply the new setting to the domain-attached GPO. Answers A and B are incorrect because the user account is not the problem. Answer C is incorrect because applying the new setting to the Local Computer Policy will result in the domain policy overwriting it. For more information, see the section "Configure, Manage, and Troubleshoot Account Policy."

6. D. To be able to back up files and folders, you need to have the permissions granted to the Backup Operators group, or to be a member of the Backup Operators, the Power Users, or the Administrators group. Answer A is incorrect because the Patrick user account has been disabled. Answer B is incorrect because the Administrator account has been renamed to some other name. Answer C is incorrect because the Users group does not have sufficient rights to back up files and folders. For more information, see the section "Configuring and Managing Local Groups."

7. C, E. You can make the domain Administrators group a member of the local NetAdmins group. You can then apply the permissions to the local group, which should be the Allow Print and Allow Manage Documents permissions. Answer A is incorrect because Sam is already a member of the domain Administrators group. Answer B is wrong because you cannot make a local group a member of a domain global group. Answer D is incorrect because you should apply all permissions to local groups, not global groups. For more information, see the section "Configuring and Managing Local Groups."

8. C, D, E, and F. To configure the two audit policies, you need to convert the hard disk to NTFS (because it was upgraded from Windows 98 Second Edition and, with default installation values, is using the FAT file system) and then enable the policies. For object access, you must configure the hard disk C:\ to log security events whenever a user accesses a file or subfolder of C:\. Answers A and B are incorrect because changing the boss's group membership will not help in configuring the audit policies. For more information, see the section "Configuring, Managing, and Troubleshooting Auditing."

9. B, D, E, and F. You need to create local user accounts for each individual telecommuter and add them to the Telecommute group. You need to add your own user account to the Administrators group, which should provide you with sufficient access rights. For more information, see the section "Configuring and Managing Local Groups."

10. A, C. If Sandra installed Windows XP Professional using only default options, she does not have a password, nor does she have a domain account. Answer B is incorrect because local accounts are automatically created for Administrator and Guest when Windows XP Professional is installed. Answer D is incorrect because complexity requirements will either be provided already for domain user accounts, or be unnecessary for local user accounts for Sandra to log on. For more information, see the section "Configuring, Managing, and Troubleshooting Account Settings."

Suggested Readings and Resources

The following are some recommended readings on the subject of Managing Files and Folders under Windows XP Professional:

  1. Microsoft Official Curriculum course 2285: Installing, Configuring, and Administering Microsoft Windows XP Professional. Information available at http://www.microsoft.com/learning/syllabi/en-us/2285Afinal.mspx

  2. Websites:

    • How to configure and use Automatic Updates in Windows XP, at http://support.microsoft.com/kb/306525?FR=1

    • How to configure automatic updates by using Group Policy or registry settings, at http://support.microsoft.com/default.aspx?scid=kb;en-us;328010&FR=1&PA=1&SD=HSCH

    • A Discussion About the Availability of the Fast User Switching Feature, at http://support.microsoft.com/default.aspx?scid=kb;en-us;294739

    • Managing Files and Folders, at http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prde_ffs_rljk.asp



MCSA/MCSE 70-270 Exam Prep 2: Windows XP Professional
ISBN: 0789733633
Year: 2004
Pages: 193
