Chapter 2: Advanced Security Template and Group Policy Issues

Configuring Role-Based Server Security

  1. Chris is having difficulty getting the securews.inf template to apply properly on a client workstation. She suspects that the computer was an upgrade from a previous installation of Windows NT 4.0. What two things can she do to correct this problem?

    A. Perform another upgrade installation of Windows 2000; the first one must not have taken properly.

    B. Apply the setup security.inf template to the computer.

    C. Perform a clean installation of Windows 2000 on the computer.

    D. Enforce the desired security settings using a System Policy.

    ☑ B, D. Although it is generally preferred to perform a clean installation (upgrade installations are known to have many and varied problems), sometimes that is not an option. In these cases, applying the setup security.inf template should correct the problem with the Windows NT 4.0 style Registry and File System ACLs that are most likely blocking the application of the security template Chris is trying to deploy.

    ☒ Performing another upgrade installation will not correct the problem, so Answer A is incorrect. Applying the security settings via a System Policy, although possible, does not solve the problem in an effective manner, so Answer C is also incorrect.

  2. Rob is responsible for six Windows 2000 IIS servers in his organization. What can Rob do to harden his Windows 2000 IIS servers and prevent their vulnerability to attack? (Choose all that apply.)

    A. Use the IIS Lockdown tool to remove unnecessary IIS settings and configuration options.

    B. Use the Movetree tool to set security settings on the IIS server.

    C. Install the URLScan ISAPI filter to prevent certain types of HTTP requests from being served by the IIS server.

    D. Remove his IIS servers from the Active Directory domain and make them standalone member servers.

    ☑ A, C, D. Rob should use the IIS Lockdown tool and install the URLScan ISAPI filter to help harden his IIS servers. Additionally, he should consider using the MBSA tool and the HFNetChk tool as well as applying a stronger security template to these IIS servers. By removing member servers from the Active Directory domain, you can mitigate the risk to your network should the IIS server be compromised.

    ☒ The Movetree tool is for Active Directory migration and management and is not applicable here, thus Answer B is incorrect.

  3. Jeff has just performed a default installation of the URLScan ISAPI filter on his IIS server. Looking at the site that corresponds to his Web site, he cannot see the filter in place. What is the most likely problem?

    A. ISAPI filters are only installed on domain controllers running IIS. Jeff will need to install the ISAPI filter there.

    B. ISAPI filters can only be seen by IIS Admin; Jeff's user account is probably not a member of the IIS Admins group.

    C. Jeff must not have Domain Admin privileges on the network; Domain Admin privileges are required to install any ISAPI filter.

    D. The URLScan ISAPI filter is applied at the global level and is thus not shown at the site level.

    ☑ D. The URLScan ISAPI filter is applied at the global level, thus applying it to all sites on the server, and it will not be seen on each individual site on the server.

    ☒ ISAPI filters are not installed only on domain controllers; they are installed on the IIS servers that require them, thus Answer A is incorrect. Being the IIS Admin is not a requirement to be able to see the applied ISAPI filters, thus Answer B is incorrect. Possessing Domain Admin privileges is not required to be able to see the applied ISAPI filters, thus Answer C is incorrect.

  4. Andrea is responsible for 25 client workstations and five servers in her Windows 2000 network. Her servers consist of two domain controllers, one Exchange server, and two file and print servers. How many different security configurations should she have on her network, at the minimum?

    A. 30

    B. 5

    C. 4

    D. 2

    ☑ C. Andrea should ideally have a minimum of four different security configurations: one for her desktop clients, one for her domain controllers, one for her Exchange server, and one for her file and printer servers. The general rule is that you should have a security policy in effect for each type of role that a computer performs. In this case, Andrea has four distinctly different roles on the network. She could configure more security configurations if warranted, such as if some of her client computers are in kiosks in the lobby of the company or otherwise open to anonymous users.

    ☒ Since Andrea has four different groups of computers for which to configure security, Answers A, B, and D are all incorrect.

  5. Christopher is making preparations to deploy the hisecdc.inf template to his domain controllers. What things should Christopher do before he deploys this template on his production network? (Choose all that apply.)

    A. Christopher should ensure that he understands the implications and effects of deploying this template on his network.

    B. Christopher should perform a complete backup of his domain controllers.

    C. Christopher should develop a deployment plan that details how the template deployment process will work.

    D. Christopher should write down a list of all administrative usernames and passwords.

    ☑ A, B, C. Christopher will want to ensure that he completely understands the effects and implications of applying the template to his domain controllers. It would not do to simply rush into the deployment and create new problems. Furthermore, Christopher should ensure that a recent backup of the System State exists, because a backup can be used to restore a domain controller if the deployment does not go well and causes problems that cannot be fixed otherwise. Using a deployment plan will help ensure that the template is installed properly and in a controlled manner, which can help prevent problems from occurring.

    ☒ Recording the usernames and passwords of all administrator accounts is not a wise idea and certainly will not help Christopher deploy the hisecdc.inf template, thus Answer D is incorrect.

  6. Crazy Mike, your assistant security administrator, has been given the task of installing the URLScan ISAPI filter on all of your organization's IIS servers. What two ways are available to install the URLScan ISAPI filter?

    A. Extract the URLScan files from the IIS Lockdown Wizard with the iislockd /c command and then execute URLScan setup.

    B. Install the URLScan ISAPI filter using the MBSA tool.

    C. Install the URLScan ISAPI filter by downloading it from Windows Update.

    D. Install the URLScan ISAPI filter from within the IIS Lockdown Wizard.

    ☑ A, D. URLScan can be installed with or without using the IIS Lockdown Wizard.

    ☒ The MBSA tool does not install URLScan, thus Answer B is incorrect. Windows Update does not provide you with a means to install the URLScan ISAPI filter, thus Answer C is incorrect.

  7. You are the network administrator for your organization. You have been charged with creating and implementing a strong network security plan for all your servers and client workstations. How should you go about configuring security for your network? You plan on configuring and testing security templates and their applications in a test environment that mimics your production environment. (Choose all that apply.)

    A. Configure very specific security templates for use on each Organizational Unit that contains a specific group of member servers, such as the Exchange Server OU and the SQL Server OU.

    B. Configure a basic domain-level security template that provides basic security needs such as password and account policies across the entire domain.

    C. Configure a specific security template for the client computers in your network and apply it to a workstation-specific OU, such as Workstations OU.

    D. Configure one security template for all member servers, such as Exchange and SQL servers, and apply it to each OU that contains any of these member servers.

    ☑ A, B, C. Configuring a security template that is specific to each type of role on the network is the best course of action. In this case, you would want to configure and properly deploy templates for domain controllers, Exchange servers, SQL servers, and client computers.

    ☒ Attempting to use a security template for multiple types of computer roles (such as SQL Server, Exchange Server, etc.) is not a good practice, because each type of server has its own unique needs and vulnerabilities that must be addressed, thus Answer D is incorrect.

Creating Secure Workstations

  1. Lyman has a portable Windows 2000 computer that he travels with to various customer locations and sales presentations. In the event that Lyman's computer is stolen, what can you as the administrator do to prevent someone from decrypting his EFS encrypted files?

    A. Remove the Data Recovery Agent certificate from the portable computer.

    B. Do not allow Lyman to place any sensitive information on the portable computer.

    C. Only allow L2TP connections when Lyman dials into the VPN server for remote access.

    D. Force Lyman to use a password that is extremely complex, consisting of numbers, letters, and characters and that is at least 42 characters long.

    ☑ A. Removing the Data Recovery Agent certificate and keys from the portable computer will prevent anyone from using them to decrypt any EFS encrypted documents on the portable computer's hard drive, should it become lost or stolen. This practice is helpful because, in many instances, it is easier to gain access to the built-in local administrative account on the computer than any other account. The default Data Recovery Agent for a computer is the local administrative account.

    ☒ Not allowing Lyman to place any sensitive data on the computer would not make good business sense and does not have any effect on preventing decryption of his encrypted files, thus Answer B is incorrect. Allowing only L2TP (with IPSec) VPN connections is a great security measure but is not applicable in this instance, thus Answer C is incorrect. Forcing Lyman to use a 42-character password that consists of numbers, letters, and characters still does nothing to prevent the issue of the local administrative account being used to decrypt EFS encrypted files; it will most likely serve to upset Lyman to some degree, however, thus Answer D is also incorrect.

  2. Austin is seeking to export the certificate and private keys for his portable computer to a removable storage medium. When he opens the Local Security Console and starts the procedure to export the certificate and keys, he cannot select the Yes, export the private key option because it is grayed out and unavailable for selection. Austin is using the Administrator account. What is the most likely reason for this issue?

    A. He does not have the required permissions because he is not a part of the Administrators group.

    B. He does not have the required permissions because he is not a part of the Domain Admins group.

    C. He is logged into the domain instead of the local computer.

    D. He is logged into the local computer instead of the domain.

    ☑ C. In order to export the Data Recovery Agent certificate, you must be logged in using the built-in Administrator account on the local computer. In 99 percent of the cases where this option is grayed out, you are probably logged into the domain instead of the local computer or trying to use another account that is a member of the Administrators group instead of the built-in Administrator account.

    ☒ Being a member of the Administrators group will not help you complete this action, since you must be using the built-in Administrator account, thus Answer A is incorrect. Being a member of the Domain Admins group will not automatically grant you the required permissions; you must be using the local built-in Administrator account, thus Answer B is incorrect. Being logged into the local computer is the desired effect when attempting to export the local computer Data Recovery Agent certificate and private keys, thus Answer D is also incorrect.

  3. Matt travels extensively with his Windows 2000 portable computer. What things can you easily do to enhance the security of his portable computer? (Choose all that apply.)

    A. Install Windows 98 on the portable computer.

    B. Remove the default Data Recovery Agent certificate and private key.

    C. Enforce strong passwords for user accounts on the portable computer.

    D. Rename the built-in Administrator account and remove it from the Administrators group.

    ☑ B, C, D. Removing the default Data Recovery Agent certificate and private key will prevent the decryption of EFS encrypted files and folders on the computer, should it become lost or stolen. Enforcing strong passwords on all accounts on the portable computer will make it more resistant to brute-force hacking attempts. Renaming the built-in Administrator account and removing it from the Administrators group will also enhance security of the portable computer. (Note that you cannot remove the built-in administrative account.)

    ☒ Installing Windows 98 on Matt's portable computer will most definitely not increase security on it; it would greatly decrease the security of the computer, thus Answer A is incorrect.

Security Template Application Issues

  1. Hannah is confused as to why the security settings she has configured for the computers in her domain are not being applied to five computers. The five computers are a mixture of Windows NT 4.0 Workstation and Windows 98 clients. What is the most likely reason for this problem?

    A. She has not installed the Directory Services Client onto these five legacy computers.

    B. Legacy computers cannot receive Group Policy object settings. Hannah will need to configure the settings she requires via System Policies.

    C. The computers are not located in the correct Organizational Unit.

    D. The computers are not located in her domain but are in another domain instead.

    ☑ B. Legacy client computers cannot receive Group Policy settings.

    ☒ Although these computers can participate in Active Directory, in a very limited way, by using the Directory Services Client, Group Policy is still not available to them, thus Answer A is incorrect. Because these computers cannot receive Group Policy, their OU placement will not cause this type of problem, thus Answer C is incorrect. The domain location of these computers is not an issue since they cannot receive Group Policy, thus Answer D is also incorrect.

  2. Mei Ling has just applied a new template to her Group Policy object. She then forced Group Policy replication through the domain. What event ID should she hope to see that would indicate that the settings in Group Policy were applied correctly without any problems?

    A. 680

    B. 1704

    C. 612

    D. 520

    ☑ B. Event ID 1704 will occur when the Group Policy has been successfully applied.

    ☒ Event ID 680 pertains to the auditing of logon events, thus Answer A is incorrect. Event ID 612 pertains to the auditing of policy changes, thus Answer C is incorrect. Event ID 520 pertains to system events, thus Answer D is incorrect.

  3. It has been noted in your organization that sometimes problems occur when administrators attempt to apply incremental security templates to Windows 2000 computers that have been upgraded from Windows NT 4.0. What options do you have to remedy this situation so that you can apply the security templates? (Choose all that apply.)

    A. Revert all computers back to Windows NT 4.0.

    B. Perform clean installations of Windows 2000 instead of upgrades.

    C. Apply the Setup Security.inf template to the upgraded computers before attempting to apply any other incremental template.

    D. Remove the default Data Recovery Agent certificate and private key from each upgraded computer.

    ☑ B, C. In this case, you will be best off to simply perform a clean installation of Windows 2000. A clean installation will completely prevent this from being an issue. If this is not possible, you might be able to get around the problem by applying the Setup Security.inf template, which should correct the ACL problems associated with the upgrade process.

    ☒ Reverting all computers back to Windows NT 4.0 will not allow you to apply the incremental security templates, thus Answer A is incorrect. Removing the default Data Recovery Agent, although a good idea, will not help you out in this situation, thus Answer D is also incorrect.

Securing Server Message Block Traffic

  1. Andrea is configuring SMB signing for her network. Which of the following configuration settings will result in client computers being able to connect to servers and use SMB signing? (Choose all that apply.)

    A. Digitally sign client communication (when possible): Not defined
      Digitally sign client communication (always): Not defined
      Digitally sign server communication (when possible): Enabled
      Digitally sign server communication (always): Enabled

    B. Digitally sign client communication (when possible): Enabled
      Digitally sign client communication (always): Enabled
      Digitally sign server communication (when possible): Enabled
      Digitally sign server communication (always): Enabled

    C. Digitally sign client communication (when possible): Disabled
      Digitally sign client communication (always): Enabled
      Digitally sign server communication (when possible): Enabled
      Digitally sign server communication (always): Disabled

    D. Digitally sign client communication (when possible): Disabled
      Digitally sign client communication (always): Disabled
      Digitally sign server communication (when possible): Disabled
      Digitally sign server communication (always): Disabled

    ☑ B, D. In order for a client to make a connection to a server using SMB signing, they must both be configured for at least the same minimum setting. If SMB signing is enabled on a server, clients that are also enabled for SMB signing (or require it) will be able to establish a communications session with that server. If SMB signing is required on a server, a client will not be able to establish a session unless it, at the minimum, has SMB signing enabled.

    ☒ The combinations presented in Answers A and C will not result in communications due to a mismatch in SMB signing settings, thus Answers A and C are incorrect.

  2. Bruno is attempting to configure SMB signing for his network servers and clients. Which of the following statements is true about configuring SMB signing?

    A. As long as all computers have the same maximum configuration level assigned, they will be able to communicate securely using SMB.

    B. As long as all computers have the same minimum configuration level assigned, they will be able to communicate securely using SMB.

    C. Servers should be set for Enabled and clients should be set for Not Defined on the Always options to be able to communicate securely using SMB.

    D. Servers should be set for Not Defined and clients should be set for Enabled on the When Possible options to be able to communicate securely using SMB.

    ☑ B. As long as all computers have the same minimum configuration level assigned, they will be able to communicate securely using SMB.

    ☒ All computers require the same minimum configuration level to ensure SMB signed communications occur, thus Answer A is incorrect. If any computers have the Not Defined setting, they will not be configured for SMB signing, thus Answers C and D are incorrect.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
