Chapter 11: Planning, Implementing, and Maintaining a Security Framework


Planning and Implementing Active Directory Security

1.

You have instituted new security policies for the IT department. One important rule is to never log on as Administrator unless it is absolutely necessary. To enhance security, you want everyone to use their regular user accounts for everyday tasks so you can maintain security as much as possible. A junior administrator comes to you and says he does not wish to log on to the server with an administrative account, but he needs to use a program that requires administrative privileges. What can he do?

  A. If running the program requires administrative privileges, he cannot run it unless he logs off and logs back on as Administrator.

  B. He can open the Computer Management console and use the Set password option.

  C. He can right-click the program he wants to run, select Properties, click the Advanced button, and configure the program to run without administrative privileges.

  D. He can right-click the program, choose the Run as command, and enter the Administrator account name and password.


2.

You have been hired as the network administrator for a small law firm. The first thing you want to do when you take over the job is increase the security on the network. You evaluate the current security level and find it lacking. You decide that you need to secure account passwords using strong encryption on domain controllers. Which utility should you use?

  A. System Key Utility

  B. Secedit

  C. MBSA

  D. SUS


3.

You have recently hired a new junior administrator to assist you in running the network for a medium-sized manufacturing company. You are explaining to your new assistant that AD objects are assigned security descriptors to allow you to implement access control. You tell your assistant that the security descriptor contains several different components. Which of the following are contained in the security descriptor for an object? (Select all that apply.)

  A. Discretionary access control list

  B. System access control list

  C. Dynamic access control list

  D. Ownership information


4.

You are attempting to troubleshoot some problems with access that you think can be traced back to membership in multiple groups. You want to ensure that all administrative accounts are able to perform the tasks they need to accomplish, but you want to remove the built-in accounts from all groups to which they’ve been added by another administrator, and give them only the access they had by default. You are a little confused because you know that the built-in accounts already belong to some groups at installation, and you don’t want to remove them from groups they are supposed to belong to. To which groups does the Domain Administrator account belong in Windows Server 2003 by default? (Select all that apply.)

  A. Schema Admins

  B. Enterprise Admins

  C. Group Policy Creator Owners

  D. Backup Operators


Answers

1.

D. Best security practice is to log on with a regular user account, and then use the Run as option (which uses the secondary logon service) to run programs that require administrative privileges.

A, B, C. Answer A is incorrect because, beginning with Windows 2000, Microsoft has provided a way to run programs with administrative credentials, even though you are not logged on as Administrator. Answer B is incorrect because the Set Password option in the Computer Management console is used to change your password; it does not affect the privileges with which you run a program. Answer C is incorrect because the Advanced button in the Properties sheet of a program allows you to compress or encrypt the program file and set archiving attributes. It does not provide any way for configuring the program to run without administrative privileges.

2.

A. The System Key Utility (syskey) will provide strong encryption techniques so account password information remains strong. This provides an extra line of defense against attacks by password-cracking software that targets the directory services for stored passwords.

B, C, D. Answer B is incorrect because Secedit is a command-line tool that is used to configure and analyze system security by comparing the current configuration with one or more templates. Answer C is incorrect because the Microsoft Baseline Security Analyzer (MBSA) tool is used to analyze and correct security; it is not used to encrypt passwords on domain controllers. Answer D is incorrect because the Software Update Services (SUS) utility is used to apply administrator-approved security fixes and patches.

3.

A, B, D. The security descriptor contains the discretionary access control list (DACL), which has information about which groups and users are allowed or denied access to the object. The security descriptor also includes a system access control list (SACL), which specifies which events should be audited for this object if auditing is enabled. The third component of the security descriptor is the ownership information that identifies who owns the object.

C. This answer is incorrect because Windows Server 2003 does not support dynamic access controls, which allow access information to be changed “on the fly” and access granted based on the information at the time the request is made, instead of requiring that a user log off and back on before group membership changes take effect.

4.

A, B, C. The Domain Administrator account has total control over every function of the domain and network by default. This account belongs to the Administrator, Schema Admins, Enterprise Admins, and Group Policy Creator Owners groups.

D. The Backup Operators group is used to give some users limited privileges so they can back up and restore data without having additional administrative permissions. The Domain Administrator account already has the proper permissions to back up and restore all data, so it doesn’t need to be a member of the Backup Operators group.

Planning and Implementing Wireless Security

5.

You want to allow wireless clients the ability to change their passwords after they authenticate on the network. Which method of authentication should you implement for these clients?

  A. EAP-TLS

  B. EAP

  C. PEAP

  D. EAP-MS-CHAP v2


6.

You are implementing a new wireless network and need to change the default settings for the equipment on the WLAN. What information should you change? (Select all that apply.)

  A. SSID password

  B. SSID network name

  C. Domain Administrator password

  D. Domain Administrator account should be renamed


7.

You have a number of users who need to be able to roam through the building with their laptop computers and still stay connected to the network. Because of the nature of their work, it is important that they have relatively fast access for transferring a lot of very large data files over the network. You need to implement a wireless network that can connect devices up to 54 Mbps and a minimum of 24 Mbps. Which IEEE standard should you choose?

  A. 802.15

  B. 802.11a

  C. 802.11b

  D. 802.1x


8.

You have hired a consultant to help set up wireless access points on your network. He tells you that you should turn on WEP for the wireless network to help protect it from intruders. You tell him that you have heard that WEP has many flaws and you think additional security measures should be implemented. He assures you that WEP works fine. What do you tell him are some of the problems with WEP?

  A. WEP does not use encryption.

  B. WEP uses a short (24 bit) initialization vector (IV).

  C. WEP can use only a 40-bit key.

  D. WEP uses a public key algorithm.


Answers

5.

D. EAP-MS-CHAPv2 is the authentication method to use when you wish to allow clients to change their passwords after they have been authenticated on the network.

A, B, C. EAP-TLS does not support the ability for clients to change their passwords, so Answer A is incorrect. EAP also does not support the ability for clients to change their passwords, so Answer B is incorrect. Answer C is incorrect because PEAP also does not support the ability of clients to change their passwords.

6.

A, B. Because so many wireless manufacturers deliver their equipment preconfigured with the same SSID password and network name on all devices, it is imperative that you change this information before you use the wireless network in a live environment. It is also a good idea to disable SSID broadcasting so hackers won’t be able to so easily discover the SSID, although they can still use a sniffer to capture packets being transmitted and determine the SSID from that.

C, D. Answer C is incorrect because the Domain Administrator password is not a default setting for the wireless equipment, although it is important that you change it frequently since the Domain Administrator account has full control over your network. Answer D is incorrect because the Domain Administrator name is a default setting for Windows Server 2003 but is not a default setting for WLAN equipment. However, renaming this account is a good idea, since hackers know of its existence. If you leave it at the default, hackers will have half the information they need (username and password) to gain control of your network.

7.

B. The 802.11a standard can handle up to 54 Mbps. It is used to connect schools and businesses with wireless technology and is especially appropriate in cases where faster access is required. However, its range is shorter than 802.11b, so you will need to place more access points closer together throughout the building.

A, C, D. 802.15 is used for Bluetooth technology. It can travel only about 10 meters and could not handle the minimum 24 Mbps, so Answer A is incorrect. 802.11b is a standard widely in use today, but it can handle only up to 22 Mbps, so Answer C is incorrect. Answer D is incorrect because 802.1x is a wireless security standard.

8.

B. The 24-bit IV makes WEP especially vulnerable because, even when a longer key is used in conjunction with it, the short IV ensures that the key stream will be reused. A hacker can capture multiple packets, analyze them, and perform an XOR operation to discover the plaintext and break the encryption, or use software such as WEPCrack.

A, C, D. Answer A is incorrect because WEP does use encryption, but it uses weak encryption. The RC4 algorithm is a secret key (symmetric) method and the same key is shared among all clients. Answer C is incorrect because WEP can use either a 40- or 104-bit key, but it uses the same 24-bit IV, regardless of the key length. Answer D is incorrect because WEP does not use a public key (asymmetric) algorithm, which would be more secure. With a public key algorithm, there is no secret key shared among all the clients.

Monitoring and Optimizing Security

9.

Your junior administrator wants to change the name of a user account, but he is worried that if he does so, the user will have problems accessing resources that she had previously been given permissions for. The administrator doesn’t want to need to re-create all the group memberships for the newly named account. You tell him there is no need to worry; he can go ahead and change the name, and all the account properties will remain intact. What enables an account to retain its password, profile, group membership, user rights, and membership information?

  A. Group membership of the account

  B. Domain the account belongs to as a member

  C. Password encryption method

  D. Security identifier (SID)


10.

You suspect that one of your users has been trying to access data in a folder to which he is not supposed to have permission. You are trying to set auditing on this folder so you can see if there are any failed events in the log indicating that the user did try to open the folder. You enable object auditing in the domain’s Group Policy Object. However, when you go to add this user to be audited for access to the folder, you find that the folder’s property pages do not contain a Security tab. What could be the problem?

  A. Auditing is not set via the Security tab for folders because they don’t have such a tab.

  B. You cannot audit folder access for a particular user.

  C. The folder is not on an NTFS partition.

  D. You must share the folder before you can audit it.


Answers

9.

D. The SID enables an account to retain all of its information such as password, profile, group membership, and user rights. Even if the account is renamed, the SID does not change and the account still retains all of this information.

A, B, C. None of these answers has any effect on an account’s ability to retain its network information. The group membership of the account affects only rights and permissions, the domain membership information gives the account access to domain-specific information, and the method by which the password is encrypted has no bearing on the user account.

10.

C. NTFS is required for auditing. If a folder is on a FAT or FAT32 partition, you cannot set security permissions or configure auditing because no Security tab will appear in the folder’s properties. You can move the folder to an NTFS partition or you can use the Convert command to upgrade the file system of the partition to NTFS without losing any data (however, this is a one-way process).

A, B, D. Answer A is incorrect because folders on NTFS partitions do have a Security tab in their properties, and this is where you configure auditing for them, using the Advanced button. Answer B is incorrect because you can audit folder access for a user or a group, as long as object auditing has been enabled in Group Policy and the partition is formatted with NTFS. Answer D is incorrect because you can set auditing on any folder on an NTFS partition when object auditing is enabled; it does not need to be shared (however, if it isn’t shared, remote users will not be able to access it; you’ll only be auditing access by users logged on locally).

Planning a Change and Configuration Management Framework

11.

You need to configure Kerberos policies because you want to force user logon restrictions. You go to the computer of the user on whom you want to enforce these policies and access the Local Security Policy. However, in the GPO Editor, you cannot find Kerberos policies in the Security Settings node under Computer Configuration, under Windows Settings. What is the problem?

  A. You are looking in the wrong section; Kerberos policies are located in the User Configuration node.

  B. You cannot set Kerberos policies through the Local Security Policy console.

  C. You must first raise the domain functional level before Kerberos can be used and this option will appear in the GPO.

  D. Another administrator has deleted the Kerberos policies node from the GPO.


12.

You have been analyzing all of your security configuration information as part of a new project that requires you to provide a detailed report on your network’s security to management. Toward that end, you need to evaluate the security database test.sdb at the command prompt. What command can you use to do this?

  A. secedit /validate test.sdb

  B. secedit /analyze test.sdb

  C. secedit /configure test.sdb

  D. secedit /export test.sdb


13.

You want to set up auditing on several folders that contain important and sensitive information. There are other folders within the specified folders that contain less sensitive information, so you don’t want to audit them, because you want to put as little overhead burden on the network as you can. What happens to subfolders and files within a parent folder if auditing has been enabled?

  A. Subfolders only are audited

  B. Files only are audited; special access must be turned on for the folders to be audited

  C. Subfolders and files are audited

  D. No auditing is performed


14.

A parent folder has auditing enabled. Two folders, Applications and Phone Listings, are listed under this parent folder. You need to have the Phone Listings folder audited but not the Applications folder. How can this be accomplished?

  A. It cannot; all subfolders are audited when the parent folder has auditing enabled.

  B. Right-click the Applications folder, and click the Properties tab, select the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Include these with entries explicitly defined here.

  C. Right-click the Phone Listings folder, click the Properties tab, select the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Audit entries defined here.

  D. Right-click the Phone Listings folder, click the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Include these with entries explicitly defined here option.


Answers

11.

B. Kerberos policies can be set for domains only, not for local computers. You must edit a domain GPO to find the Kerberos policies option. To access these policies, expand Computer Configuration, then Windows Settings, then Security Settings.

A, C, D. Answer A is incorrect because the Kerberos policies are located in the node in which you are looking, but in a different GPO (one that is applied to a domain instead of a local computer). Answer C is incorrect because the domain functional level does not affect the appearance of this option in the GPO; all Windows 2000 and 2003 domains use Kerberos authentication. Answer D is incorrect because an administrator cannot remove the Kerberos policies from a Local Security Policy GPO—it was never there to begin with.

12.

B. The secedit /analyze test.sdb command is the appropriate command to use to analyze the test.sdb security database. You must use the correct switch after the command, as well as the name of the security database.

A, C, D. The secedit /validate test.sdb command is used to validate security settings with the secedit command, so Answer A is incorrect. The secedit /configure test.sdb command is used to configure the security database, so Answer C is incorrect. The secedit /export test.sdb command is used to export the security database, so Answer D is incorrect.

13.

C. By default, if auditing is turned on for a parent folder, all subfolders and files within that folder are audited as well. This option can be changed by using the Apply Onto box in the Auditing Entry for File or Folder dialog box and choosing This folder only.

A, B, D. Answer A is incorrect because subfolders and files are both audited when the parent folder has auditing enabled. Answer B is incorrect because no special access needs to be turned on for folders to be audited when the parent folder has auditing enabled. Answer D is incorrect because, by default, the files and folders in the parent folder will automatically be audited.

14.

B. This is the correct procedure to use to turn off auditing for the Applications folder while leaving the Phone Listings folder with auditing inherited from its parent folder.

A, C, D. Answer A is incorrect because, although by default subfolders inherit the audit setting of the parent folder, this can be changed. Answers C and D are incorrect because neither of these procedures will provide the desired result.

Planning a Security Update Infrastructure

15.

You need to install the Microsoft Software Update Services (SUS) within your domain to update security information on client computers. What are the minimum requirements that you should use for hardware for the server?

  A. Pentium III, 256MB RAM, NTFS with a minimum of 50MB for the installation folder and 6GB for SUS updates and Active Directory installed

  B. Pentium III, 512MB RAM, NTFS with a minimum of 100MB for the installation folder and 6GB for SUS updates without Active Directory installed

  C. Pentium III, 256MB RAM, NTFS with a minimum of 25MB for the installation folder and 6GB for SUS updates without Active Directory installed

  D. Pentium III, 512MB RAM, NTFS with a minimum of 50MB for the installation folder and 5GB for SUS updates and Active Directory installed


Answers

15.

B. At a minimum, the hardware requirements should be Pentium III, 512MB RAM, NTFS with a minimum of 100MB for the installation folder and 6GB for SUS updates. If your hardware does not meet these requirements, you could have trouble running the software.

A, C, D. Answer A is incorrect because the memory level is too low, the install folder is too small, and Active Directory cannot be installed on a server on which you need to install SUS. Answer C is incorrect because the installation folder is too small and the amount of RAM is too low. Answer D is incorrect because there is not enough disk space for either the installation folder or the SUS updates.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173