Answers And Explanations


A1:

A, D. By using the Secure templates (securews.inf for member servers and workstations and securedc.inf for domain controllers), you can increase the baseline security of your servers and still allow for increasing security later (if you want) through the use of the Highly Secure templates. For more information, see Chapter 1.

A2:

B. MAC addresses are not assigned by the administrator; they come burned into the network device by default. A physical address is a 48-bit number, written in hexadecimal, that denotes the host's physical address. Also called a Media Access Control (MAC) address, the physical address is unique to the device it belongs to. For instance, your PC has a MAC address of 00-08-74-97-0B-26; this is unique to that one device's NIC. For more information, see Chapter 2.

A3:

A. The clowncollege.net namespace represents a unique DNS namespace. clowncollege.net would thus become the root of the Active Directory forest and domain structure. Unique DNS namespaces should, typically, be similar to the original namespace, in this case clowncollege.com. For more information, see Chapter 3.

A4:

D. Use pathping to trace the route to the destination and then look at the calculations of latency times in milliseconds on each hop through the network. Then find the problem link. For more information, see Chapter 4.

A5:

C. Clustering is accomplished when you take a group of independent servers and group them together into one collective entity that is accessed as if it were a single system. For more information, see Chapter 5.

A6:

C. A Normal backup ensures that all selected data is backed up and sets the archive bit, indicating the data has been backed up. Normal backups are typically used in combination with Incremental or Differential backups. For more information, see Chapter 6.

A7:

B. To use WEP to perform WLAN authentication, you need to select the Network Authentication (Shared mode) option. The Data Encryption (WEP enabled) option specifies that WEP is to be used to encrypt data placed on the WLAN; thus, answer A is incorrect. The option titled The key is provided to me automatically specifies that the key is dynamically assigned from a key server, such as a RADIUS server; thus, answer C is incorrect. The Transmit per IEEE 802.1x option is used to configure how the EAPOL-start message is sent and has nothing to do with WEP; thus, answer D is incorrect. For more information, see Chapter 7.

A8:

C. Creating an Intermediary CA allows the Root CA to be taken offline and secured. The Intermediary server would then issue certificates to other CAs. For more information, see Chapter 8.

A9:

B. The best way to apply the settings to only those computers that require them is to import the template into a Group Policy Object associated with each OU that requires the settings. Importing the security template into the domain-level GPO would apply the settings to all computers in the domain, most likely with unwanted side effects. For more information, see Chapter 1.

A10:

A. Pete should implement a new Layer 3 switch. In today's networks, the line has blurred between what a switch is and what a router is. For this exam (at this level), you should already know what a router is and what a switch is, but if you do not, you need to know that a switch operates on the first layer of the DoD model. A switch keeps a memory database of which device is plugged into which port on the switch. The memory in the switch can show via a table which MAC address (from the NIC) is plugged into which port, so when a device needs to communicate with another device, it doesn't need to broadcast across the whole network to find it; the switch makes the port-to-port connection, which keeps traffic to a minimum and speeds up transmission. Most devices on a segment can communicate via MAC addresses kept in their ARP cache. The Address Resolution Protocol maps IP addresses to MAC addresses, and the ARP cache is kept in just about every network device with TCP/IP installed. A router works at the Internet layer of the DoD model and basically forwards packets from one segment to another via a routing table kept in the router's memory. Because routers keep ARP caches, and switches can have routers installed in them, you basically blur the lines, combine the two devices, and have a Layer 3 switch. For more information, see Chapter 2.

A11:

C. The FQDN filesvr042.production.uk.helperhal.com represents the best designed DNS namespace. This FQDN allows you to quickly and accurately determine the location of the host within the network. Also, this DNS namespace is designed intelligently by using countries as the second-level domains and departments as the third-level domains. Alternatively, the helperhal.com domain could be delegated to create a corp.helperhal.com domain, with the countries becoming third-level domains and the departments becoming fourth-level domains. For more information, see Chapter 3.

A12:

D. The routing table does not accurately show the route to the destination subnet in question; Pete should use the route print command to verify. All other answers are incorrect. For more information, see Chapter 4.

A13:

A. Network load balancing distributes all incoming connection requests using a mathematical algorithm to members of the NLB cluster. For more information, see Chapter 5.

A14:

C, E. You should perform a Normal backup once a week during nonworking hours to set the initial state for the critical data that is being backed up. Each night, a Differential backup should be run to back up all the data that has been modified since that last Normal backup. Although Differential backups take slightly longer to perform each night than Daily backups, they provide the benefit of a two-tape restoration using the last Normal backup and the last Differential backup. For more information, see Chapter 6.

A15:

B, D. Of the given options, the most likely problems are that the Novice is not allowing you to take control, or the remote computer is not configured to allow you to take remote control. Your local computer is not an issue in the case of not being able to take remote control of an existing Remote Assistance session; thus, answer A is incorrect. Because you already have an existing Remote Assistance connection, the firewall is not the source of your problem; thus, answer C is incorrect. For more information, see Chapter 7.

A16:

B. The Audit System Events option configures auditing for certain system events, such as computer restarts and shutdowns. For more information, see Chapter 8.

A17:

B. The Local Policies node of the Group Policy Editor contains three subnodes: Audit Policy, User Rights Assignment, and Security Options. The Audit Policy subnode is the place where Andrea can find the auditing items she needs to configure. For more information, see Chapter 1.

A18:

B. Sally needs to add the default gateway address to the server. The IP address of the closest router on your network segment that can either route you off that segment or to another segment on the network is your default gateway. This makes a routing decision for you to a remote site, which is what Sally needed to make happen. If Sally enters the gateway address, the packets sent to 172.16.2.0 will be sent to the router, which will then forward the request to that host. Without a gateway address, the packet destined for the remote LAN will not be sent anywhere. For more information, see Chapter 2.

A19:

D. Active Directory-integrated DNS zones store the zone data within the Active Directory database itself, thus allowing for greatly increased security, manageability, and redundancy. When Active Directory-integrated zones are used, all DNS servers operate in a multimaster arrangement, allowing any DNS server to make changes to the zone data. If you have multiple DNS servers that are allowed to manage the zone data, dynamic updates are also more redundant because the failure of a single DNS server will not prevent dynamic updates from occurring. For more information, see Chapter 3.

A20:

D. Network Monitor is the tool you use to capture packets sent to and from this server. The version of Network Monitor included with Windows Server 2003 records only packets sent to and from this server and the LAN. For more information, see Chapter 4.

A21:

C. Convergence is the process by which NLB clustering hosts determine a new, stable state among themselves and elect a new default host after the failure of one or more cluster nodes. For more information, see Chapter 5.

A22:

C. To perform the restoration, you first need to use your last Normal backup (the Saturday tape) and then your last Differential backup (the Wednesday tape). For more information, see Chapter 6.
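The two-tape restore described in A14 and A22 follows from how the backup types chain together: a Differential tape holds everything changed since the last Normal backup, so only the last Normal tape plus the last Differential tape are needed, whereas Incremental tapes each hold only one night's changes and the whole chain must be replayed. The following added Python example (not from the book) builds a constructed week of backups starting on a Saturday and works out the restore set for both schedules; the dates and the rule "Saturday night is the Normal backup" are assumptions for the illustration.

```python
from datetime import date, timedelta

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def backup_schedule(start, nights, nightly_kind):
    """Constructed schedule: one (date, kind) per night, Normal on Saturdays,
    `nightly_kind` ("Differential" or "Incremental") on every other night."""
    jobs = []
    for i in range(nights):
        night = start + timedelta(days=i)
        kind = "Normal" if night.weekday() == 5 else nightly_kind
        jobs.append((night, kind))
    return jobs


def restore_set(jobs, failure_day):
    """Tapes needed to restore data as of the last backup taken before `failure_day`.
    Returns a list of (weekday name, kind) in the order the tapes must be restored."""
    done = [job for job in jobs if job[0] < failure_day]
    # Every restore starts from the most recent Normal (full) backup.
    last_normal = max(i for i, (_, kind) in enumerate(done) if kind == "Normal")
    tapes = [done[last_normal]]
    since_normal = done[last_normal + 1:]
    if since_normal:
        if since_normal[-1][1] == "Differential":
            # A Differential tape already contains every change since the Normal backup,
            # so only the newest one is needed: the two-tape restore.
            tapes.append(since_normal[-1])
        else:
            # Incremental tapes must be restored one after another, oldest first.
            tapes.extend(since_normal)
    return [(WEEKDAYS[d.weekday()], kind) for d, kind in tapes]


def compare_restores():
    """Restore plans for a failure on Thursday after Wednesday night's backup (constructed dates)."""
    saturday = date(2003, 11, 1)          # 1 Nov 2003 is a Saturday
    failure = saturday + timedelta(days=5)  # the following Thursday
    return {
        kind: restore_set(backup_schedule(saturday, 7, kind), failure)
        for kind in ("Differential", "Incremental")
    }


if __name__ == "__main__":
    for kind, tapes in compare_restores().items():
        print(kind, "->", len(tapes), "tapes:", tapes)
```

The trade-off the answer mentions is visible in the output: the Differential plan always needs exactly two tapes, while the Incremental plan grows by one tape for every night since the last Normal backup.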

A23:

D. Selecting the Authenticate as computer when computer information is available option forces the computer to authenticate itself to the network as soon as the wireless network connection is made. If the computer cannot authenticate, no authentication is performed. The Authenticate as guest when user or computer information is unavailable option allows the computer to authenticate using the Guest account if it cannot authenticate using its computer account; thus, answer A is incorrect. The Transmit per IEEE 802.1x option is used to configure how the EAPOL-start message is sent and has nothing to do with WEP; thus, answer B is incorrect. The Data Encryption (WEP enabled) option specifies that WEP is to be used to encrypt data placed on the WLAN; thus, answer C is incorrect. For more information, see Chapter 7.

A24:

C. To track failed logon attempts, Andrea needs to configure failure auditing to occur for the Audit Logon Events option. For more information, see Chapter 8.

A25:

A. By applying the Secure template, securews.inf , you can increase the security of the client workstations without adversely affecting network communications. For more information, see Chapter 1.

A26:

C. The subnet mask is the other 32-bit set of numbers you place with an IP address to denote where the network starts and ends and the host-based addressing starts and ends. In other words, if you have a 10.1.1.0 /24 network, this really means you have a subnet mask of 255.255.255.0 assigned to the 10.1.1.0 IP address network. The network is 10.1.1 (24 bits mask it with 255.255.255.0), and the last octet, which is simply a zero, is assignable to hosts. For more information, see Chapter 2.

A27:

D. If the local DNS server is not authoritative for the requested domain and does not have the answer in its local cache, it will perform an iterative query to a root name server if it is configured as a forwarder. The root name server will likely not know the IP address of the host but will be able to provide the local DNS server with the IP address of another DNS server that is authoritative for the quepublishing.com domain. This DNS server then can provide the requested name resolution service for the local DNS server. For more information, see Chapter 3.

A28:

A. The connection attempt goes into quarantine until verified. Here's the actual process: When a remote computer attempts to connect to the Remote Access Server, the computer is assigned an IP address with which to participate on the network. Then the user credentials are verified and authenticated, but the connection will stay in quarantine until the remote computer is verified against the script. A script runs, and when it is completed, the server hosting quarantine will release the connection from quarantine after this information is verified. This is just one of the newest features of Remote Access Security provided by default with Windows Server 2003. For more information, see Chapter 4.

A29:

A. Port rules can be used to allow traffic only on specific ports to be load-balanced. If you configure explicit allow rules for specific ports and an explicit deny rule dropping all other traffic, only the desired traffic will be load-balanced. For more information, see Chapter 5.

A30:

D. By using the volume shadow copy feature of Windows Backup, you can back up all files, even the ones that are open and in use at the time of the backup. Open files are backed up in a closed state as of the time of the backup. This allows you to back up open files without closing them for the backup as previously required. For more information, see Chapter 6.

A31:

D. The easiest way to allow an expired request to be answered is to resend it. This way, some of the information that was originally entered can be saved from the expired request. Creating a new request is not the easiest way to solve this problem; thus, answer A is incorrect. When a request has expired, it can only be deleted or resent; thus, answer B is incorrect. Deleting the request does not cause it to be automatically re-created; thus, answer C is incorrect. For more information, see Chapter 7.

A32:

D. To participate in SUS, the Windows 2000 computers need to be updated to at least Service Pack 3, and any Windows XP computers need to be updated to Service Pack 1. You can, alternatively, install an updated version of the Automatic Updates client to achieve the same effect. For more information, see Chapter 8.

A33:

C. The easiest way to accomplish this task is to create a script that runs the secedit /analyze command on the computers and collects the results in a central network location. For more information, see Chapter 1.

A34:

B. Network Address Translation (NAT) turns one IP address into another, and the device that performs this NAT will keep a table of which IP addresses given from the NAT pool map to the one that was distributed. For more information, see Chapter 2.

A35:

C. A new feature in Windows Server 2003, conditional forwarding, allows you to configure a DNS forwarder with multiple forwarding IP addresses. As an example, you could have all name resolution requests for the bigcorp.com domain sent to one IP address and all other name requests sent to a second, completely different, IP address. This way, you can provide for both internal and external name resolution from within the internal network. For more information, see Chapter 3.

A36:

D. Pete should ping 10.10.1.10, ping 10.10.2.1 (default gateway), and then have a remote user ping 10.10.1.1 (default gateway). For more information, see Chapter 4.

A37:

A. Setting the affinity setting to None results in an inbound client request being sent to all nodes within the cluster. This type of affinity results in increased speed but is suitable only for providing static content to clients, such as static Web sites and FTP downloads. Typically, no cookies are generated by the applications running on the cluster that is configured for this type of affinity. For more information, see Chapter 5.

A38:

D. When enabled with its default settings, volume shadow copy will create a shadow copy twice daily. Volume shadow copy is limited to a maximum of 64 copies; thus, the maximum number of days to retrieve the historical data is 32 days. For more information, see Chapter 6.

A39:

B, D, E. The Windows Server 2003 IPSec implementation can use Kerberos v5, digital certificates, or shared secrets to perform user authentication. NTLM v2 is used for network authentication with Windows 2000 and Windows Server 2003; thus, answer A is incorrect. The Encrypting File System (EFS) is used to encrypt files and folders to add extra security to them; thus, answer C is incorrect. WEP is used as both an encryption and authentication method on wireless LANs; thus, answer F is incorrect. For more information, see Chapter 7.

A40:

B, C, D. For SUS to operate, the SUS server must be provided to the Automatic Updates client computers via the Specify Intranet Microsoft Update Server Location option. In addition, you need to configure the schedule by using the Configure Automatic Updates option and configure for restarting by using the No Auto-Restart for Scheduled Automatic Updates Installations option. For more information, see Chapter 8.

A41:

C. Of the given choices, the hisecws.inf template will provide the most secure configuration to your Windows XP Professional clients. For more information, see Chapter 1.

A42:

D. A proxy server is a server-based application that serves as a go-between for the internal LAN clients and the public Internet. If you do not want all your internal hosts accessing the Internet and perhaps exposing all the internal IP addressing information to the world, you could put in a proxy server to act as the middleman when searching the Internet. A proxy server also caches the pages so that Internet response seems faster to internal clients. For more information, see Chapter 2.

A43:

A. If you configure the other three internal DNS servers to forward name resolution queries to the DNS server with IP address 192.168.100.133, only that one specific DNS server will make external DNS queries. For more information, see Chapter 3.

A44:

A. You should try a Tracert to the remote server. For more information, see Chapter 4.

A45:

B. The reason, and advantage, to having two network adapters installed in any cluster host is that this setup allows you to separate the load-balanced traffic from the administrative traffic by placing the adapters in different IP subnets. This increases security of the administrative traffic by not exposing it to the load-balanced front end and also improves the performance of the host by allowing more load-balanced traffic to be passed over its front-end load balancing network adapter.

A46:

D. Shadow copies can be viewed only when connecting to the shared folder over the network using My Network Places or locally on the server using My Network Places. On a Windows Server 2003 computer, you do not need to install the Previous Versions Client software to view shadow copies. For more information, see Chapter 6.

A47:

A. The Remote Desktops console can be used to connect to the console session if it is configured correctly. When you are creating the new connection, ensure that you select the Connect to Console option. The Web Interface for Remote Administration, the Remote Desktop Web utility, and the Remote Desktop Connection utility do not provide access to the console session on a remote server; thus, answers B, C, and D are incorrect. For more information, see Chapter 7.

A48:

A. The Account Lockout Policy node contains three items that can be used to limit the number of incorrect logon attempts over a specified amount of time. The Account Lockout Threshold setting can be configured to specify how many failed logon attempts should be allowed before that user account is locked out. The Account Lockout Duration setting specifies how long the account is to be locked out (barring an administrator unlocking the account early). The Reset Account Lockout Counter After option specifies how much time must pass before failed logon attempts are no longer counted against the Account Lockout Threshold setting. These policies are typically applied at a high level in the organization, such as the root of a domain to cause them to apply to all users within the domain. For more information, see Chapter 8.
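The three Account Lockout Policy settings interact in a way that is easier to see in code than in prose: the threshold counts recent failures, the reset window decides when old failures stop counting, and the duration decides when a locked account reopens (or whether it waits for an administrator). The following added Python example (not from the book) models that logic as a small state machine driven by timestamped logon attempts; the attempt sequences and policy values are constructed for the illustration, and time is expressed in minutes relative to the first attempt.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # Account Lockout Threshold: failures allowed before lockout (0 = never lock)
    duration_min: float     # Account Lockout Duration in minutes (0 = locked until an administrator unlocks)
    reset_after_min: float  # Reset Account Lockout Counter After, in minutes

    def __post_init__(self):
        # Windows requires the lockout duration to be at least as long as the reset window
        # (a duration of 0 means "until admin unlock" and is exempt).
        if self.duration_min and self.duration_min < self.reset_after_min:
            raise ValueError("lockout duration must be >= reset window")


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: float = -math.inf
    locked_until: float = -math.inf   # -inf: not locked; +inf: locked until admin unlock


def logon(state, policy, now_min, password_ok):
    """Process one logon attempt at time `now_min` and return what the user would see."""
    if now_min < state.locked_until:
        return "locked"                       # a correct password is refused while locked out
    if state.locked_until > -math.inf:        # a timed lockout has just expired: start clean
        state.locked_until = -math.inf
        state.bad_count = 0
    # Reset Account Lockout Counter After: failures older than the window no longer count.
    if now_min - state.last_bad_at >= policy.reset_after_min:
        state.bad_count = 0
    if password_ok:
        state.bad_count = 0                   # a successful logon clears the bad-password count
        return "success"
    state.bad_count += 1
    state.last_bad_at = now_min
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = now_min + policy.duration_min if policy.duration_min else math.inf
        return "failure (account now locked)"
    return "failure"


def run_attempts(policy, attempts):
    """Replay constructed (minute, password_ok) attempts against a fresh account."""
    state = AccountState()
    return [logon(state, policy, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed policy: 3 failures, 30-minute lockout, counter resets after 15 minutes.
    policy = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=15)
    burst = [(0, False), (1, False), (2, False), (5, True), (33, True)]
    print(run_attempts(policy, burst))
    spread_out = [(0, False), (1, False), (20, False)]   # third failure after the reset window
    print(run_attempts(policy, spread_out))
```

The second scenario shows why the reset window matters for detection: three failures spread over 20 minutes never trip a 15-minute window, so a slow password-guessing attempt shows up in the failure audit log (A24) but not as a lockout.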

A49:

C. Although, in a sense, all the answers will produce some or all the results that Hannah needs, only by using Group Policy can Hannah quickly, accurately, and efficiently apply the securews.inf template to all the computers (member servers and workstations alike) located in the Engineering OU. To apply these settings to the computers located in the Engineering OU, Hannah will need to import the securews.inf template into an existing or new Group Policy Object. For more information, see Chapter 1.

A50:

D. A firewall is a device that protects the internal network from the external Internet, WAN, business partner, or anything else you may want to protect against. There are many different kinds, but you will be responsible for only the most basic information listed here for the exam. Make sure that you understand what a firewall is because exam questions may have the term added into the scenario, but you need to know little other than that. For more information, see Chapter 2.

A51:

D. If Andrea does not know what the current security configuration is, she should apply the default security template to the computer. Each computer has its own default security template that is created at the time of Windows Server 2003 installation for workstations and member servers and at the time of promotion for domain controllers. Andrea should not apply the default security template from one computer to any other computer. After the security configuration is reset back to a known state by using the default template, the secure templates can be successfully applied to create the desired level of security. Recall that security templates are incremental and only build on the security configuration already configured; they do not reset the computer's security configuration back to the default settings before making any changes. For more information, see Chapter 1.

A52:

B. Sally should set up IGMP routing so that her server can forward multicast traffic up- and downstream to other multicast routers on the network. Windows Server 2003 does not support a multicast routing protocol, only a forwarding service. For more information, see Chapter 4.

A53:

C. If you want to troubleshoot remote problems on a multihop network, you need to use tracert. This tool can find latency and network holes that span more than a couple of router hops. For more information, see Chapter 4.

A54:

A. For your clients to be able to view and work with shadow copies, you need to install the Previous Versions Client software. For more information, see Chapter 6.

A55:

A, E. The Windows Server 2003 IPSec implementation uses DES and 3DES for data encryption. The Windows Server 2003 IPSec implementation uses SHA1 and MD5 for data hashing; thus, answers B and C are incorrect. Advanced Encryption Standard (AES) is not used in IPSec; thus, answer D is incorrect. For more information, see Chapter 7.

A56:

C. The quickest way to configure Captain Bob's network to prevent smart cards from being used to log in to Terminal Services servers is to configure the Do Not Allow Smart Card Device Redirection option, located in the Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection node of the Group Policy Editor. For more information, see Chapter 8.

A57:

D. An X icon next to an item in the Security Configuration and Analysis results indicates that the item is present in both the database and the computer, but does not match the current configured setting. For more information, see Chapter 1.

A58:

D. The subnet mask is the other 32-bit set of numbers you place with an IP address to denote where the network starts and ends and the host-based addressing starts and ends. In other words, if you have a 10.1.1.0/24 network, this really means you have a subnet mask of 255.255.255.0 assigned to the 10.1.1.0 IP address network. The network is 10.1.1 (24 bits mask it with 255.255.255.0), and the last octet, which is simply a zero, is assignable to hosts. For more information, see Chapter 2.
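The subnet mask arithmetic in A26 and A58, and the default-gateway decision in A18, are the same operation: AND the mask with an address to find the network part, then compare. The following added Python example (not from the book) builds the mask from a prefix length, describes the 10.1.1.0/24 network used in the answer, and makes the local-versus-remote delivery decision a host makes before sending a packet. The 172.16.x.x addresses are constructed to mirror the A18 scenario; the gateway address 172.16.1.1 is an assumption.

```python
import ipaddress


def mask_from_prefix(prefix):
    """Dotted-decimal mask for /prefix: the leading `prefix` bits are 1 (network), the rest 0 (host)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def describe_network(cidr):
    """Network, mask, broadcast and usable host range for a CIDR block such as 10.1.1.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen <= 30:
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2       # network and broadcast addresses are reserved
    else:                                    # /31 and /32 have no reserved addresses
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }


def same_subnet(addr_a, addr_b, prefix):
    """The host's own test: two addresses are local to each other when their masked bits agree."""
    mask_int = int(ipaddress.IPv4Address(mask_from_prefix(prefix)))
    return (int(ipaddress.IPv4Address(addr_a)) & mask_int) == (int(ipaddress.IPv4Address(addr_b)) & mask_int)


def next_hop(local_ip, prefix, destination, default_gateway=None):
    """Where a packet goes: straight to a local host, to the default gateway, or nowhere at all."""
    if same_subnet(local_ip, destination, prefix):
        return ("direct", destination)
    if default_gateway is None:
        return ("unreachable", None)       # A18: with no gateway the remote packet is never sent
    return ("via gateway", default_gateway)


if __name__ == "__main__":
    print(mask_from_prefix(24))
    print(describe_network("10.1.1.0/24"))
    # Constructed A18 scenario: server on 172.16.1.0/24 talking to a host on 172.16.2.0/24.
    print(next_hop("172.16.1.10", 24, "172.16.2.5", "172.16.1.1"))
    print(next_hop("172.16.1.10", 24, "172.16.2.5"))
```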

A59:

B. You can locate the preconfigured security templates in the %systemroot%\security\templates folder. For a clean installation of Windows Server 2003 on volume C of a computer, this would be c:\windows\security\templates. For more information, see Chapter 1.

A60:

A, B. For Andrea to make her smart card self-enrollment solution work efficiently and securely, she needs to ensure that all required users get a blank smart card. To increase the security of the solution, Andrea should configure her CAs so that they do not issue smart card user certificates automatically, but to instead place them into the Pending Requests folder awaiting manual administrative approval. Andrea should also take time to properly educate her users in the procedures to be followed to request a smart card certificate and to enroll the approved certificate. Also, all users will require training on the proper use, storage, and handling of their smart cards to prevent loss or damage. For more information, see Chapter 8.

A61:

C. If the Negotiate Security Action is selected, both computers must make an agreement on the security parameters to be used, meaning that they both must support at least one common set of security parameters from those in the list. The list entries are processed in order of preference from top to bottom. The first security method shared by both computers is used. The Permit option passes the traffic without the requirement for security; thus, Answer A is incorrect. This action is appropriate if you never want to secure traffic to which a rule applies. The Block Action silently blocks all traffic from computers specified in the IP filter list; thus, answer B is incorrect. There is no Open filter action; thus, answer D is incorrect. For more information, see Chapter 7.
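The filter-action semantics in A61 (Permit, Block, and Negotiate Security with a top-to-bottom preference list), together with the DES/3DES and SHA1/MD5 building blocks from A55 and A63, can be illustrated with a small evaluator. The following added Python example (not from the book, and not Microsoft's IPSec engine) applies a constructed rule list to a packet and, for a Negotiate rule, picks the first security method the peer also supports. It simplifies real behaviour in two labelled ways: rules are matched first-match in list order, whereas Windows selects the most specific matching filter, and the "fall back to unsecured communication" option is not modelled.

```python
import ipaddress

ANY = "any"

# Constructed security methods as (encryption, integrity) pairs from the algorithms the
# page names for Windows Server 2003 IPSec. A preference list is ordered strongest first.
STRONG_FIRST = [("3DES", "SHA1"), ("3DES", "MD5"), ("DES", "SHA1"), ("DES", "MD5")]


def negotiate(local_prefs, peer_supported):
    """Negotiate Security: walk our list top to bottom; the first method the peer
    also supports is used. None means no common method, so the traffic is not secured."""
    for method in local_prefs:
        if method in peer_supported:
            return method
    return None


def matches(rule, src, dst, proto):
    """Does the rule's IP filter cover this packet?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and rule["proto"] in (ANY, proto))


def evaluate(rules, src, dst, proto, peer_supported=frozenset()):
    """Apply the first matching rule (simplification: Windows picks the most specific filter).
    Returns (outcome, negotiated_method)."""
    for rule in rules:
        if not matches(rule, src, dst, proto):
            continue
        action = rule["action"]
        if action == "Permit":
            return ("permit", None)            # passed without any security
        if action == "Block":
            return ("block", None)             # silently dropped
        if action == "Negotiate":
            method = negotiate(rule["methods"], peer_supported)
            return ("secured", method) if method else ("dropped: no common method", None)
        raise ValueError(f"unknown action {action!r}")
    return ("no matching rule", None)


# Constructed policy: secure everything to the server subnet, allow ICMP to one host,
# and block a known-bad source range.
RULES = [
    {"src": "10.0.0.0/8", "dst": "192.168.10.0/24", "proto": ANY, "action": "Negotiate", "methods": STRONG_FIRST},
    {"src": "0.0.0.0/0", "dst": "192.168.20.5/32", "proto": "ICMP", "action": "Permit"},
    {"src": "172.16.99.0/24", "dst": "0.0.0.0/0", "proto": ANY, "action": "Block"},
]


if __name__ == "__main__":
    print(evaluate(RULES, "10.0.0.5", "192.168.10.20", "TCP", {("DES", "MD5"), ("3DES", "SHA1")}))
    print(evaluate(RULES, "10.0.0.5", "192.168.10.20", "TCP", {("DES", "MD5")}))
    print(evaluate(RULES, "10.0.0.5", "192.168.10.20", "TCP", {("AES", "SHA1")}))
    print(evaluate(RULES, "172.16.99.7", "192.168.20.5", "TCP"))
```

Note that the order of the preference list decides the outcome when the peer supports several methods: the same peer that gets 3DES/SHA1 from the list above would get DES/MD5 if the list were reversed, which is why the answer stresses that entries are processed top to bottom.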

A62:

A, E, I. The three preconfigured IPSec policies in Windows Server 2003 are Client (Respond Only), Server (Request Security), and Secure Server (Require Security); thus, answers B, C, D, F, G, and H are incorrect. For more information, see Chapter 7.

A63:

B, C. The Windows Server 2003 IPSec implementation uses SHA1 and MD5 for data hashing. The Windows Server 2003 IPSec implementation uses DES and 3DES for data encryption; thus, answers A and E are incorrect. Advanced Encryption Standard (AES) is not used in IPSec; thus, answer D is incorrect. For more information, see Chapter 7.

A64:

B, D. You should revoke Sam's certificate to prevent him from accessing any network resources. After the certificate has been revoked, you should publish the CRL to all CRL Distribution Points to ensure that all locations have the most up-to-date CRL. For more information, see Chapter 8.

A65:

A, B. Although all four of these options can be used to achieve the desired results, the creation of a new security template and the modification of an existing security template represent the best options available. You can opt to configure the settings using the Local Security Policy console, but this approach requires that you make the same changes on all member servers. You could also make the changes directly in Group Policy, but this approach does not give you the opportunity to test your configuration in a lab environment, thus locating problems before they have a chance to occur on the production network. For more information, see Chapter 1.


MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied