Apply Your Knowledge

You are trying to explain to your CIO why using security templates to configure security is a better idea than directly configuring a GPO. What are some reasons that you might present to him to support your position?

You have just completed an analysis of one of your Windows Server 2003 computers using the secedit.exe command. How can you now most easily view the analysis output produced?

Security templates in Windows Server 2003 have what file extension?

You are the administrator of a Windows Server 2003 Active Directory network. Your network consists of 1,500 Windows XP Professional client computers spread out over 15 OUs with approximately 100 computers each. Your network also has 300 Windows Server 2003 servers fulfilling various roles, including domain controllers, file servers, print servers, IIS servers, and Certificate Services servers. You have just finished creating a customized security template that specifies the Account Policy and auditing settings that are required by your organization's corporate policy for specific departments. What is the best way for you to apply this template to only the Sales, Marketing, Production, and Engineering OUs?

1. Import the security template at the domain level into a GPO.

2. Import the security template into each required OU by using a GPO.

3. Script the secedit.exe command to apply the security template to the required computers.

4. Manually apply the security template to each of the computers.

You are the network administrator for Just Right Tops, LLC. Your network consists of three geographically distant sites that function as three different domains. No site has a direct link to any other site. You have recently completed the creation of two custom security templates that are to be applied to all computers in all three sites of your company network. How can you most easily deploy these security templates at all three sites?

1. Create and configure a new domain controller for each remote site. Apply the security templates to the domain controllers. Place a new domain controller in each site and allow Active Directory to replicate.

2. Export the security templates into .inf files by using the Security Configuration and Analysis snap-in. Deliver the security templates to the remote location and import them into the appropriate GPOs.

3. Establish connectivity between all sites and force the remote site domain controllers to perform replication with the local site domain controllers after implementing the new security templates.

4. Re-create the security templates at each remote site and then import them into the appropriate GPOs.

You are the network administrator of the Gidget's Widgets, LLC, corporate network. You have instructed Andrea, your assistant administrator, to configure file access auditing for all files in the CorpDocs folder on your file server. In which node of the Group Policy Editor will Andrea find the auditing options?

1. Account Policies

2. Local Policies

3. Restricted Groups

4. File System

You are the network administrator for Sunbrew Dairy Farms, Inc. You are currently interviewing a candidate for the position of assistant network administrator. You have asked Christopher, the candidate, what the secedit.exe command can be used for. Which of the following answers that Christopher gives you are correct? (Choose all that apply.)

1. secedit.exe can be used to analyze the current security settings.

2. secedit.exe can be used to apply new security settings to a computer.

3. secedit.exe can be used to apply new security settings to a GPO.

4. secedit.exe can be scripted, allowing it to be run on many computers across the entire network.

You are interviewing Austin for the position of assistant network security administrator. When you ask him what the best uses for an Organizational Unit are, what correct answers do you expect to hear from him? (Choose two correct answers.)

1. OUs can be used to group together objects for simplified network administration.

2. OUs can be used to create child domains within the DNS namespace.

3. OUs can be used to create child domains with the Active Directory forest environment.

4. OUs can be used to apply role-specific settings to groups of like objects.

In a Windows Server 2003 Active Directory environment, what constitutes the security boundary?

1. The domain

2. The Organizational Unit

3. The forest

4. The security principal

Austin is the network administrator for the Eternal Light Group, LLC. He is attempting to perform an analysis of a computer by using the Security Configuration and Analysis snap-in. What is the correct order of performance of the following steps? (Delete any steps that are not needed.)

1. Select the security template to be used in the analysis.

2. Right-click Security Configuration and Analysis and then select Analyze Computer Now.

3. Select the log file to be used in the analysis.

4. Right-click Security Configuration and Analysis and then select Open Database.

5. Right-click Security Configuration and Analysis and then select Configure Computer Now.

6. Select the database to be used in the analysis.

1. 2, 1, 3, 4, 6, 5

2. 4, 1, 6, 2, 5, 3

3. 4, 6, 1, 2, 3

4. 2, 6, 1, 3, 4

You have just completed an analysis of a computer by using the Security Configuration and Analysis snap-in. When you examine the results, you notice several items that have red circle with white X icons next to them. What do they indicate ?

1. The item is not defined in the analysis database and was not examined on the computer.

2. The item is defined in the analysis database and on the computer, and it matches the currently configured setting.

3. The item is defined in the analysis database but not on the computer.

4. The item is defined in the analysis database and on the computer, but it does not match the currently configured setting.

You are the network administrator for Gidget's Widgets, LLC. You are trying to explain to one of your assistant administrators, Hannah, how the secedit.exe command can be used to apply security templates to computers. Which of the following additional switches do you need to make sure she uses with the secedit /configure command? (Choose all that apply.)

1. /analyze

2. /db

3. /log

4. /cfg

Chris is creating a security plan for her network that will be using a role-based approach. If her domain has the following types of servers, how many different security policies should she plan on using?

• Domain Controllers

• File Servers

• Print Servers

• IIS Servers

• DHCP Servers

1. 5

2. 6

3. 7

4. 8

Chris is creating a security plan for her network that will be using a role-based approach. What is the first step in implementing a role-based security configuration for her Active Directory network?

1. Implementing a Domain Baseline Security Policy

2. Implementing a Domain Controller Baseline Security Policy

3. Implementing a Member Server Baseline Security Policy

4. Implementing role-specific security policies for her different member servers

Christopher is preparing to implement a role-based security solution on his Windows Server 2003 Active Directory network. He, however, does not know the starting configuration of his workstation clients . He proposes that he will just apply the Setup Security.inf security template located on each computer to that computer to restore the settings to a known state with all settings being the same across all client workstations. What is wrong with his proposal?

1. The Setup Security.inf security template is found only on domain controllers.

2. The Setup Security.inf security template is specific to the specific computer and can vary from one computer to the next.

3. The Setup Security.inf security template is found only on computers that are upgraded from a previous operating system.

4. The Setup Security.inf security template cannot actually be used to apply security settings to a computer; it is only a record of the initial security configuration the computer had.

Where can you find the preconfigured security templates that are installed with Windows Server 2003?

1. %systemroot%\templates

2. %systemroot%\security\templates

3. %systemroot%\security\

4. %systemroot%\security\default\templates

What limitation of the Security Configuration and Analysis snap-in can you get around by using Group Policy Objects?

1. Security Configuration and Analysis cannot be used to implement security policies on a computer.

2. Security Configuration and Analysis cannot be used to implement security policies at the domain level.

3. Security Configuration and Analysis cannot be used to determine the current security configuration of a computer.

4. Security Configuration and Analysis has no command-line equivalent.

Christopher is preparing to use the secedit.exe command to analyze the security on one of his member servers. If Christopher is using the secure workstation security template as his comparison point and needs to ensure that the analysis database is clear before importing the security template, which of the following choices represents the correct command that Christopher should enter to perform the analysis?

1. [View full width]

    
    [View full width] 
    secedit /analyze /overwrite /db c:\sectst\sectst1.sdb /cfg C:\WINDOWS\security\templates  \securedc.inf /log c:\sectst\sectst1.log 

2. [View full width]

    
    [View full width] 
    secedit /configure /db c:\sectst\sectst1.sdb /cfg C:\WINDOWS\security\templates\securedc  .inf /log c:\sectst\sectst1.log 

3. [View full width]

    
    [View full width] 
    secedit /analyze /db c:\sectst\sectst1.sdb /cfg C:\WINDOWS\security\templates\securews.inf  /log c:\sectst\sectst1.log 

4. [View full width]

    
    [View full width] 
    secedit /analyze /overwrite /db c:\sectst\sectst1.sdb /cfg C:\WINDOWS\security\templates  \securews.inf /log c:\sectst\sectst1.log 

By using security templates, you can perform configuration and testing on a computer that will not result in changes being applied across the network until they are ready. In addition, by using a security template, you are in effect using a script: You can ensure that all changes will be identical to all computers they are applied to, even if they are in different OUs or domains. For more information, see the section "The Windows Server 2003 Security Templates."

Although secedit.exe allows you to analyze and configure computers throughout the network from the command line, you cannot easily view the analysis reports created from it except through Security Configuration and Analysis. Although you can view the log file in a text editor, such as Notepad, accurately determining the results of the analysis is not easy. For more information, see the section "The Security Configuration and Analysis Snap-in."

Security templates are flat text files that have the .inf file extension. For more information, see the section "The Windows Server 2003 Security Templates."

B. The best way to apply the settings to only computers that require them is to import the template into a GPO associated with each OU that requires the settings. Importing the security template into the domain-level GPO would apply the settings to all computers in the domain, most likely with unwanted side effects. For more information, see the section "Group Policy Security Extensions."

B. Because you created custom security templates using the Security Configuration and Analysis snap-in, you can simply export them into .inf files and transfer them to the remote sites via any available means. When they are at the remote sites, the security templates can be imported to the appropriate GPOs, thus placing them into effect. For more information, see the section "Group Policy Security Extensions."

B. The Local Policies node of the Group Policy Editor contains three subnodes: Audit Policy, User Rights Assignment, and Security Options. Andrea will find the auditing items she will need to configure in the Audit Policy subnode. For more information, see the section "The Security Configuration and Analysis Snap-in."

A, B, D. The secedit.exe command can be used to analyze a computer, configure a computer, export a computer's security settings to a template, import the settings from a template, validate the context of a template, and create a rollback template. Because secedit.exe is a command-line tool, you can script it and use it on many computers across an entire network. For more information, see the section "secedit.exe."

A, D. Organizational Units can be used, very efficiently in fact, to group together objects that are similar in nature for easier administration. As well, you can apply security and other configuration settings to an OU to quickly have these settings applied to the objects within the OU itself. OUs should not be thought of as just containers to hold objects for the sake of better organizing Active Directory from a visual standpoint; they are actually very powerful administrative tools when properly used. Permissions to perform administrative functions can be assigned through delegation to nonadministrators at the OU level as well, further enhancing the administrative benefit of OUs. For more information, see the section "Implementing Enterprise Security."

C. Contrary to the popular belief in the past, the forest is the only absolute security boundary in a Windows Server 2003 Active Directory domain. Domains are only administrative boundaries: A user with Domain Admin credentials in one domain could possibly gain domain administrative credentials in other domains through unscrupulous actions. For more information, see the section "Implementing Enterprise Security."

C. The correct steps to be used to perform an analysis of a computer with the Security Configuration and Analysis snap-in are as follows: Select Open Database, select the database, select the security template, select Analyze Computer, and select the log file. For more information, see the section "The Security Configuration and Analysis Snap-in."

D. A red circle with white X icon next to an item in the Security Configuration and Analysis snap-in results indicates that the item is present in both the database and the computer but does not match the currently configured setting. For more information, see the section "The Security Configuration and Analysis Snap-in."

B, C, D. The /db switch specifies the pathname and filename of the database to be used, the /log switch specifies the pathname and filename of the error log to be used during the process, and the /cfg switch specifies the pathname and filename of the security template to be loaded into the database. For more information, see the section "secedit.exe."

C. Chris should be using seven (7) different security policies as follows: Domain Baseline Policy, Domain Controllers OU Policy, Member Servers OU Baseline Policy, File Servers OU Policy, Print Servers OU Policy, IIS Servers OU Policy, and DHCP Servers OU Policy. Each type of server has specific security requirements that necessitate different security policies. The domain itself needs a Baseline Security Policy that takes care of things such as password and account lockout policies. Also, the Member Servers OU needs a Baseline Security Policy to configure items that apply to all member servers such as auditing and user rights assignments. For more information, see the section "Using Role-Based Security Templates."

A. The first step to successfully implementing a role-based security solution is to create the baselinethe starting point. Thus, Chris needs to implement a Domain Baseline Security Policy before she moves on. For more information, see the section "Implementing Enterprise Security."

B. Christopher's mistake is in the fact that he proposes to use the Setup Security.inf security template located on each client workstation to apply the same settings across all his workstations. The Setup Security.inf security template is created during the installation of Windows on the computereither clean or upgradeand varies from one computer to the next. For more information, see the section "The Windows Server 2003 Security Templates."

B. The preconfigured security templates that install with Windows Server 2003 can be found in the %systemroot%\security\templates directory. Typically, this is C:\WINDOWS\security\templates . For more information, see the section "Planning and Implementing Role-Based Security Using Security Templates."

B. The only real failing in Security Configuration and Analysis is that it cannot be used to analyze or configure security on anything other than the local computer. It does not have the capability to be targeted at a remote computer like some of the other MMC snap-ins. For more information, see the section "The Security Configuration and Analysis Snap-in."

D. Only option D meets all the specified requirements that Christopher has for performing this analysis: He must use the secure template for a member server ( securews.inf ), and he must ensure that the database is cleared prior to importing the security template. Response C appears to meet these requirements but does not provide for clearing the database before importing the security template. For more information, see the section "secedit.exe."