Apply Your Knowledge


In this chapter, you have learned about getting and keeping your Windows Server 2003 computer secure. In the following exercises, you will practice some of the concepts and methods discussed in this chapter.

Exercises

5.1. Analyzing a Local Computer's Security Settings

In this exercise, you will use the Security Configuration and Analysis snap-in to perform an analysis of the local computer's security.

Estimated Time: 15 minutes

  1. Open your custom security console or create one that contains the Security Configuration and Analysis snap-in.

  2. Right-click the Security Configuration and Analysis node and select Open Database from the context menu.

  3. Create a new database by entering the name securitydb.

  4. Select the security template you are loading into the database for this exercise.

  5. Right-click the Security Configuration and Analysis node and select Analyze Computer Now to start the analysis.

  6. Provide an error log name and pathname and click OK to start the analysis process. After the analysis is complete, you are returned to the Security Configuration and Analysis snap-in.

  7. Compare the database settings to those of the local computer. How are they different? How are they the same? What do you need to change to implement the required security?

5.2. Importing a Security Template into Group Policy

In this exercise, you will import a security template into a Group Policy object.

Estimated Time: 15 minutes

  1. Open the Active Directory Users and Computers console.

  2. Locate the domain or OU to which you want to apply the security template.

  3. Right-click the appropriate OU or domain and select Properties from the context menu. The Properties dialog box appears. Select the Group Policy tab.

  4. To create a new GPO, click the New button. Supply a name for the new GPO and press Enter.

  5. Click the Edit button to open the Group Policy Editor for the selected GPO.

  6. Expand the nodes as follows: Computer Configuration, Windows Settings, Security Settings. Right-click the Security Settings node and select Import Policy from the context menu.

  7. Select the template to be imported.

5.3. Implementing Auditing

In this exercise, you will implement auditing of a file object.

Estimated Time: 15 minutes

  1. Open the Active Directory Users and Computers console.

  2. Locate the domain or OU for which you want to perform auditing.

  3. Right-click the appropriate OU or domain and select Properties from the context menu. The Properties dialog box appears. Select the Group Policy tab. To create a new GPO, click the New button. Supply a name for the new GPO and press Enter.

  4. Navigate to the Audit Policies node.

  5. Configure success and failure auditing for the Audit Object Access option.

  6. Close the Group Policy Editor and the Active Directory Users and Computers console.

  7. Locate the file for which you want to configure auditing in Windows Explorer. Right-click the file and select Properties from the context menu. The Properties dialog box appears.

  8. Select the Security tab and click the Advanced button to open the Advanced Security Settings dialog box. Select the Auditing tab.

  9. Click the Add button to open the Select User or Group dialog box. After you have configured the desired users and groups, click OK to continue.

  10. In the Auditing Entry dialog box, you can select what success or failure events you want to audit for on the selected object. After you make your selections, click OK to confirm them.

  11. Close the remaining dialog boxes, and you are done configuring auditing.
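
The exercise has two halves: the Audit Object Access policy and the audit entries (the SACL) on the file or folder. Events are logged only when both are in place. The PowerShell script below is an added example, not from the book, that checks both on one computer. The folder path, the audited principal and the -Fix switch are assumptions, and it assumes Windows PowerShell is installed and run as an administrator.

```powershell
# Added example, not from the book. Folder path and principal are assumptions.
param(
    [string]$Folder    = 'D:\CorpDocs',   # hypothetical folder to audit
    [string]$Principal = 'Everyone',      # assumption: whose access is audited
    [switch]$Fix                          # add an audit entry if none exists
)

# Half 1: the effective Audit Object Access policy.
# In an exported template: 0 = none, 1 = success, 2 = failure, 3 = both.
$inf = Join-Path $env:TEMP 'audit-export.inf'
& secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet
$policy = 0
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\s*AuditObjectAccess\s*=\s*(\d)') { $policy = [int]$Matches[1] }
}
if ($policy -eq 0) {
    Write-Warning 'Audit Object Access is off: audit entries on files will log nothing.'
}

# Half 2: the audit entries on the folder itself. Reading them requires the
# "Manage auditing and security log" user right.
$acl   = Get-Acl -Path $Folder -Audit
$rules = @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]))

if ($rules.Count -eq 0) {
    Write-Warning "No audit entries on $Folder: the policy alone logs nothing for it."
    if ($Fix) {
        # Audit successful and failed modifications, inherited by subfolders and files.
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
            $Principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
        $acl.AddAuditRule($rule)
        Set-Acl -Path $Folder -AclObject $acl
        $rules = @((Get-Acl -Path $Folder -Audit).GetAuditRules(
            $true, $true, [System.Security.Principal.NTAccount]))
    }
}

# Show what is audited, for whom, and whether the entry is inherited.
$rules | Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
"AuditObjectAccess policy value: $policy; audit entries on folder: $($rules.Count)"
```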

Exam Questions

1.

You are the systems administrator of a Windows Server 2003 Active Directory network. Your network consists of 1,500 Windows XP Professional client computers spread out over 15 OUs with approximately 100 computers each. You have just finished creating a customized security template that specifies the Account Policy and auditing settings that are required by your organization's corporate policy for specific departments. What is the best way for you to apply this template to only the Sales, Marketing, Production, and Engineering OUs?

A.

Import the security template at the domain level into a GPO.

B.

Import the security template into each required OU by using a GPO.

C.

Script the secedit.exe command to apply the security template to the required computers.

D.

Manually apply the security template to each of the computers.


2.

You are the systems administrator for Just Right Tops, LLC. Your network consists of three geographically distant sites that function as three different domains. No site has a direct link to any other site. You have recently completed the creation of two custom security templates that are to be applied to all computers in all three sites of your company network. How can you most easily deploy these security templates at all three sites?

A.

Create and configure a new DC for each remote site. Apply the security templates to the DCs. Place a new DC in each site and allow Active Directory to replicate.

B.

Export the security templates into .inf files by using the Security Configuration and Analysis snap-in. Deliver the security templates to the remote location and import them into the appropriate GPOs.

C.

Establish connectivity between all sites and force the remote site DCs to perform replication with the local site DCs after implementing the new security templates.

D.

Re-create the security templates at each remote site and then import them into the appropriate GPOs.


3.

You are the systems administrator of the corporate network for Gidget's Widgets, LLC. You have instructed Andrea, your assistant administrator, to configure file access auditing for all files in the CorpDocs folder on your file server. In which node of the Group Policy Editor will Andrea find the auditing options?

A.

Account Policies

B.

Local Policies

C.

Restricted Groups

D.

File System


4.

You are the systems administrator for Sunbrew Dairy Farms, Inc. You are currently interviewing a candidate for the position of assistant systems administrator. You have asked Christopher, the candidate, what the secedit.exe command can be used for. Which of the following answers that Christopher gives you is correct? (Choose all that apply.)

A.

secedit.exe can be used to analyze the current security settings.

B.

secedit.exe can be used to apply new security settings to a computer.

C.

secedit.exe can be used to apply new security settings to a GPO.

D.

secedit.exe can be scripted, allowing it to be run on many computers across the entire network.


5.

You are the systems administrator for Good Faith Enterprises, LLC. You want to increase the security of your client workstations, which are all Windows 2000 Professional computers, without causing any adverse effect on network communications between computers. Which security template should you use to accomplish your goal?

A.

securews.inf

B.

securedc.inf

C.

compatws.inf

D.

hisecws.inf


6.

You are an assistant systems administrator for the Nimbus Flying Broom corporation. You are responsible for 75 Windows XP Professional workstations and 5 Windows Server 2003 member server computers. You have been directed to perform a security analysis on each computer, comparing its settings to those contained in the hisecws.inf template. How can you accomplish your assigned task with the least amount of administrative effort and trips to remote computers?

A.

The only way to perform this analysis is to physically visit each computer and use the Security Configuration and Analysis snap-in.

B.

You can create a script that runs the Security Configuration and Analysis snap-in on each computer and collects the results in a central location for later viewing.

C.

You can create a script that runs the secedit /analyze command on each computer and collects the results in a central location for later viewing.

D.

You can analyze remote computers from the Security Configuration and Analysis snap-in by targeting it at the desired computer.


7.

Austin is the systems administrator for the Eternal Light Group, LLC. He is attempting to perform an analysis of a computer by using the Security Configuration and Analysis snap-in. What is the correct order of performance of the following steps? (Ignore any steps that are not needed.)

  1. Select the security template to be used in the analysis.

  2. Right-click Security Configuration and Analysis and then select Analyze Computer Now.

  3. Select the log file to be used in the analysis.

  4. Right-click Security Configuration and Analysis and then select Open Database.

  5. Right-click Security Configuration and Analysis and then select Configure Computer Now.

  6. Select the database to be used in the analysis.

    A.

    2, 1, 3, 4, 6, 5

    B.

    4, 1, 6, 2, 5, 3

    C.

    4, 6, 1, 2, 3

    D.

    2, 6, 1, 3, 4


8.

You have just completed an analysis of a computer by using the Security Configuration and Analysis snap-in. When you examine the results, you notice several items that have red X icons next to them. What does this indicate?

A.

The item is not defined in the analysis database and was not examined on the computer.

B.

The item is defined in the analysis database and on the computer, and it matches the currently configured setting.

C.

The item is defined in the analysis database but not on the computer.

D.

The item is defined in the analysis database and on the computer, but it does not match the currently configured setting.


9.

You are the systems administrator for Gidget's Widgets, LLC. You are trying to explain to one of your assistant administrators, Hannah, how the secedit.exe command can be used to apply security templates to computers. Which of the following additional switches do you need to make sure she uses with the secedit /configure command? (Choose all that apply.)

A.

/analyze

B.

/db

C.

/log

D.

/cfg


10.

You are the systems administrator for Fast Sloth Enterprises. You need to increase the security of your Windows XP Professional client computers and Windows Server 2003 servers. Which security template should you apply to your workstations to ensure that they have the most secure configuration?

A.

securews.inf

B.

hisecdc.inf

C.

hisecws.inf

D.

rootsec.inf


11.

You are the systems administrator for Fast Sloth Enterprises. After increasing the security of your network client computers, you need to implement an auditing system to keep track of when computers are restarted and shut down. Which of the following options should you configure to track these events?

A.

Audit Process Tracking

B.

Audit System Events

C.

Audit Object Access

D.

Audit Privilege Use


12.

Allison is the systems administrator for the Never Crash Software Company. She is attempting to configure auditing for access to files in the SecretDocs folder on her file server. She has configured the Audit Object Access option for both success and failure audit events in the domain GPO, but after two weeks, she doesn't see in the security log any audit entries related to her auditing. What is the most likely reason for this occurrence?

A.

Allison does not have the correct domain privileges to configure auditing of this type.

B.

Allison has not forced her modifications to the domain GPO to replicate to the rest of the DCs.

C.

The file server on which the SecretDocs folder is located is offline.

D.

Allison has not configured auditing actions on the SecretDocs folder on the file server.


13.

Andrea is the systems administrator for the Think Pink Bike Company. She has recently finished implementing an auditing solution for her Windows Server 2003 network. Andrea wants to track unauthorized access attempts to the company network. After two weeks, she has not found any unauthorized access attempts, even though she tried guessing the passwords for several users' accounts just this morning. What is the most likely reason for the problem that Andrea is experiencing?

A.

Andrea has not configured success audits for the Audit Account Logon Events option.

B.

Andrea has not configured failure audits for the Audit Account Management option.

C.

Andrea has not configured failure audits for the Audit Logon Events option.

D.

Andrea has not configured success audits for the Audit Policy Change option.


14.

You are the systems administrator for the Sunbrew Dairy Farms, Inc. corporate network. You have just completed the installation and configuration of WSUS for your network. Your client computers are all running Windows 2000 Professional SP2, and your servers are all Windows Server 2003 computers. After a week has passed, you notice that none of your clients have received any updates that are available from your WSUS server. What is the most likely reason for this problem?

A.

Your WSUS server has lost network connectivity to the Internet and has not downloaded any updates from the Windows Update Web servers.

B.

You have not correctly configured the Group Policy options for Automatic Updates.

C.

The GPO in which you configured the Automatic Updates changes has not been replicated to the rest of the network.

D.

Your client computers are not using the correct version of the Automatic Updates client software.


15.

You are the systems administrator for the Wing Walkers, Inc. corporate network. You are configuring WSUS for your network's client computers, which are all running Windows XP Professional SP1. You want all client computers to automatically download from your WSUS server and install any required updates each night at 11:30 p.m. After the updates have been installed, you want the client computers to restart so that the updates can fully install and the computers will be ready for work the next morning. What must you do to ensure that updates will be installed each night and the computers will be restarted after the updates are installed? (Choose all that apply.)

A.

You must configure the Automatic Updates client options on each of your Windows XP Professional SP1 client computers to download and install updates nightly.

B.

You must set the Configure Automatic Updates option in Group Policy to Enabled and set option 4. You then need to configure a schedule for nightly updates at 11:30 p.m.

C.

You must set the No Auto-Restart for Scheduled Automatic Updates Installations option in Group Policy to Disabled.

D.

You must set the Specify Intranet Microsoft Update Server Location option in Group Policy to Enabled and enter the URL of your WSUS server.


Answers to Exam Questions

1.

B. The best way to apply the settings to only those computers that require them is to import the template into a GPO associated with each OU that requires the settings. Importing the security template into the domain-level GPO would apply the settings to all computers in the domain, most likely with unwanted side effects; thus Answer A is incorrect. Applying the template via the secedit.exe command or manually using the Security Configuration and Analysis snap-in is possible, but is not efficient; thus Answers C and D are incorrect. For more information, see the section "Group Policy Security Extensions."

2.

B. Because you created custom security templates using the Security Configuration and Analysis snap-in, you can simply export them into .inf files and transfer them to the remote sites via any available means. When they are at the remote sites, the security templates can be imported to the appropriate GPOs, thus placing them into effect. There is no need to create a new Domain Controller based on the information presented; thus Answer A is incorrect. Security templates are replicated as part of Active Directory replication; thus Answer C is not correct. Re-creating the security templates is not efficient and is error prone; thus Answer D is incorrect. For more information, see the section "The Security Configuration and Analysis Snap-in."

3.

B. The Local Policies node of the Group Policy Editor contains three subnodes: Audit Policy, User Rights Assignment, and Security Options. The Audit Policy subnode is where Andrea will find the auditing items she will need to configure. The Account Policies node contains items that control user accounts; thus Answer A is incorrect. The Restricted Groups node allows you to permanently configure which users are allowed to be members of specific groups; thus Answer C is incorrect. The File System node allows you to set folder and file NTFS permissions; thus Answer D is incorrect. For more information, see the section "The Security Configuration and Analysis Snap-in."

4.

A, B, D. The secedit.exe command can be used to analyze a computer, configure a computer, export a computer's security settings to a template, import the settings from a template, validate the context of a template, and create a rollback template. Because secedit.exe is a command-line tool, you can script it and use it on many computers across an entire network, but you cannot use it to apply settings directly to a GPO; thus Answer C is incorrect. For more information, see the section "secedit.exe."

5.

A. By applying the Secure template, securews.inf, you can increase the security of the client workstations without adversely affecting network communications. The securedc.inf template is to be used only for Domain Controllers; thus Answer B is incorrect. The compatws.inf template will actually lower security on the computer it is applied to; thus Answer C is incorrect. The hisecws.inf template will likely cause problems for client communications after it has been applied; thus Answer D is incorrect. For more information, see the section "The Windows Server 2003 Security Templates."

6.

C. The easiest way to accomplish this task is to create a script that runs the secedit /analyze command on the computers and collects the results in a central network location. There is no need to visit each computer; thus Answer A is incorrect. The Security Configuration and Analysis snap-in cannot be scripted, so you would use secedit instead; thus Answer B is incorrect. You cannot target remote computers using the Security Configuration and Analysis snap-in; thus Answer D is incorrect. For more information, see the section "secedit.exe."

7.

C. The correct steps to be used to perform an analysis of a computer with the Security Configuration and Analysis snap-in are as follows: Select Open Database, select the database, select the security template, select Analyze Computer, and select the log file. Since no configuration is needed, only an analysis, Answers A and B are incorrect. Answer D presents the required actions in the wrong order. For more information, see the section "The Security Configuration and Analysis Snap-in."

8.

D. A red X icon next to an item in the Security Configuration and Analysis snap-in results indicates that the item is present in both the database and the computer, but does not match the currently configured setting. A question mark indicates that the item is not defined in the analysis database and was not examined on the computer; thus Answer A is incorrect. A green check mark indicates that the item is defined in the analysis database and on the computer and matches the currently configured setting; thus Answer B is incorrect. An exclamation point indicates that the item is defined in the analysis database but not on the computer; thus Answer C is incorrect. For more information, see the section "The Security Configuration and Analysis Snap-in."

9.

B, C, D. The /db switch specifies the pathname and filename of the database to be used, the /log switch specifies the pathname and filename of the error log to be used during the process, and the /cfg switch specifies the pathname and filename of the security template to be loaded into the database. The /analyze switch would only be used if you were analyzing the computer; thus Answer A is incorrect. For more information, see the section "secedit.exe."

10.

C. Of the given choices, the hisecws.inf template provides the most secure configuration to Windows XP Professional clients. The securews.inf template would not provide the most secure workstation; thus Answer A is incorrect. The hisecdc.inf template is to be used only for Domain Controllers; thus Answer B is incorrect. The rootsec.inf template defines the root permissions for the root of the system volume, and is not appropriate for this scenario; thus Answer D is incorrect. For more information, see the section "The Windows Server 2003 Security Templates."

11.

B. The Audit System Events option configures auditing for certain system events, such as computer restarts and shutdowns. The Audit Process Tracking option configures auditing to occur for events such as program activation, process exit, handle duplication, and indirect object access; thus Answer A is incorrect. The Audit Object Access option configures auditing to occur upon each user access of an object, such as a file, folder, printer, or registry key that has its own SACL configured; thus Answer C is incorrect. The Audit Privilege Use option configures auditing to occur upon every occurrence of a user exercising a user right; thus Answer D is incorrect. For more information, see the section "Configuring Auditing."

12.

D. The most likely cause of the problems that Allison is having is that she has not yet configured auditing actions on the folder itself. If Allison did not have the required permissions, she would not have been able to configure the auditing in the first place; thus Answer A is incorrect. Replication is nearly instantaneous within a site and occurs four times per hour, by default, between sites, so after two weeks this is likely not a problem unless Active Directory has larger issues; thus Answer B is incorrect. While a server being offline would definitely prevent auditing on its contents from occurring, this is certainly not the most likely cause of the problem; thus Answer C is incorrect. For more information, see the section "Configuring Auditing."

13.

C. In order to track failed logon attempts, Andrea needs to configure failure auditing to occur for the Audit Logon Events option. Auditing for successful account logons is not going to help with monitoring failed attempts to log in; thus Answer A is incorrect. Auditing for account management or policy change will not help in tracking failed logins; thus Answers B and D are incorrect. For more information, see the section "Configuring Auditing."

14.

D. In order to participate in WSUS, the Windows 2000 computers will need to be updated to at least SP3, although you should update them fully to SP4. While it is possible that your WSUS has lost Internet connectivity, it's not the most likely problem in this scenario; thus Answer A is incorrect. If you've followed the configuration process for WSUS, then you've configured group policy; thus Answer B is not likely the cause of your problem. When using WSUS, as opposed to using SUS previously, there is no need to download and install a special Automatic Updates client: you only need to ensure that clients to be updated meet the required operating system and service pack levels listed; thus Answer C is incorrect. For more information, see the section "Implementing Windows Server Update Services (WSUS)."

15.

B, C, D. In order for WSUS to operate, the WSUS server must be provided to the Automatic Updates client computers via the Specify Intranet Microsoft Update Server Location option. In addition, you need to configure the schedule by using the Configure Automatic Updates option and configure for restarting by using the No Auto-Restart for Scheduled Automatic Updates Installations option. When you're using WSUS with group policy, you won't be able to configure the options locally on each client computer; thus Answer A is incorrect. For more information, see the section "Implementing Windows Server Update Services (WSUS)."
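
As an added example (not code from the book), the script below is one way to carry out what answers 6 and 9 describe: it runs secedit /analyze with the /db, /cfg and /log switches on the local computer and copies the results to a central share. It also diffs the exported settings against the template, which goes a step beyond the answers. It assumes Windows PowerShell is installed on each computer; the share name, the working folder and the template location are assumptions of this example.

```powershell
# Added example, not from the book. Run on each computer, for instance as a
# startup script. The share name and working folder are assumptions.
param(
    # Assumed template location; adjust to where your templates are stored.
    [string]$Template   = "$env:SystemRoot\security\templates\hisecws.inf",
    [string]$CentralDir = '\\FILESRV01\SecAnalysis$'   # hypothetical collection share
)

function Read-SecurityInf([string]$Path) {
    # Parse "name = value" lines into a hashtable keyed "Section\name".
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        $name, $value = $line -split '=', 2
        if ($null -ne $value) { $settings["$section\$($name.Trim())"] = $value.Trim() }
    }
    return $settings
}

$work = Join-Path $env:TEMP 'secanalysis'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$db      = Join-Path $work 'securitydb.sdb'
$log     = Join-Path $work "$($env:COMPUTERNAME)-analyze.log"
$current = Join-Path $work 'current.inf'
$csv     = Join-Path $work "$($env:COMPUTERNAME)-diff.csv"

# The switches from answer 9: /db = database, /cfg = template, /log = log file.
& secedit.exe /analyze /db $db /cfg $Template /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secedit /analyze returned exit code $LASTEXITCODE; see $log"
}

# Export the computer's current policy so it can be compared as plain text.
& secedit.exe /export /cfg $current /areas SECURITYPOLICY /quiet

$want = Read-SecurityInf $Template
$have = Read-SecurityInf $current
$rows = foreach ($key in ($want.Keys | Sort-Object)) {
    # Only the simple name = value sections are compared in this example.
    if ($key -notmatch '^(System Access|Event Audit)\\') { continue }
    # Mismatch is what the snap-in marks with a red X, Match with a green
    # check mark, NotOnComputer with an exclamation point.
    if (-not $have.ContainsKey($key))    { $state = 'NotOnComputer' }
    elseif ($have[$key] -ne $want[$key]) { $state = 'Mismatch' }
    else                                 { $state = 'Match' }
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Setting = $key
        Template = $want[$key]; Actual = $have[$key]; State = $state
    }
}
$rows | Export-Csv -Path $csv -NoTypeInformation

# Collect the secedit log and the diff in the central location.
Copy-Item -Path $log, $csv -Destination $CentralDir
```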




MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
EAN: 2147483647
Year: 2006
Pages: 196
Authors: Will Schmied
