Questions and Answers

1. 

By default, where do MBSA and MBSACLI store security reports?

1. C:\MBSA

2. C:\Documents and Settings\username\

3. C:\Documents and Settings\username\Security Scans\

4. C:\Documents and Settings\username\My Documents\Security Scans\

2. 

Which of the following commands would scan the subnet 192.168.5.0?

1. mbsa -n 192.168.5.0

2. mbsacli -i 192.168.5.1-192.168.5.255

3. mbsacli -n 192.168.5.1-192.168.5.255

4. mbsacli -r 192.168.5.1-192.168.5.255

1. 

c. MBSA and MBSACLI store reports in C:\Documents and Settings\username\Security Scans\ by default.

2. 

d. MBSACLI's -r parameter scans a range of IP addresses.

1. 

Which of the following commands would slipstream a service pack named sp1.exe into an installation folder named D:\W2003\ that had been created by copying the contents of the Windows Server 2003 installation CD?

1. sp1.exe -i:D:\W2003\

2. sp1.exe -s:D:\W2003\

3. sp1.exe -i:D:\W2003\i386\

4. sp1.exe -s:D:\W2003\i386\

2. 

Which section of an answer file would you modify to automatically run updates after the installation completed?

1. [Components]

2. [RemoteInstall]

3. [GuiRunOnce]

4. [Shell]

1. 

b. The -s parameter is the correct parameter for creating an integrated installation. You should specify the folder that corresponds to the root of the setup CD; you do not need to specify the i386 directory.

2. 

c. The [GuiRunOnce] section of the answer file contains a list of applications to be run after setup is completed.

1. 

Which command-line parameter would configure an update so that it won't store copies of files that it replaces?

1. /n

2. /passive

3. /o

4. /extract

2. 

Which of the following tools can be used to identify the Automatic Updates client's configuration, in addition to the GPO that defined that configuration? (Choose all that apply.)

1. Resultant Set Of Policy

2. Help And Support Center

3. Gpresult

4. Gpupdate

5. Active Directory Users And Computers

6. Group Policy Object Editor

3. 

Which registry key would you edit to configure the local computer's Automatic Updates client settings?

1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

2. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

4. HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate

4. 

Which of the following might provide you with useful information about a problem you are experiencing with downloading updates from an SUS server?

1. The Security event log on the SUS server

2. The System event log on the SUS server

3. The Application event log on the SUS server

4. The Security event log on the client computer

5. The System event log on the client computer

6. The Application event log on the client computer

7. The IIS usage log

1. 

a. The /n parameter saves disk space by not backing up replaced files.

2. 

a and c. RSoP and Gpresult will show current policy settings and the GPO that defined them.

3. 

b. The Automatic Updates client takes its configuration information from the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate registry key and its subkeys.

4. 

b, e, and g. The SUS server will add relevant events to the System event log on the SUS server. The Automatic Updates client adds events to the client's System event log. Details about individual requests to the SUS server from the Automatic Updates client are contained in the IIS usage log.

1. 

What method will you implement to deploy updates?

1. Provide detailed instructions to end users on how to download and install updates from the Microsoft Web site as they become available.

2. Configure the Automatic Updates client to download and install updates from Windows Update when they become available.

3. Deploy an SUS server at each location, and configure the Automatic Updates client to download and install updates from the local SUS server.

4. Deploy updates using the Software Installation functionality built into GPOs.

2. 

How will you configure the Automatic Updates client?

1. Provide detailed instructions to end users, instructing them to right-click My Computer, click Properties, click the Automatic Updates tab, and then specify the configuration settings.

2. Provide detailed instructions to end users, instructing them to use the registry editor to modify the registry values to configure the Automatic Updates client.

3. Use GPOs to deploy a .reg file containing registry values to configure the Automatic Updates client.

4. Use GPOs to configure the Windows Update administrative template to configure the Automatic Updates client.

3. 

How will you ensure that newly installed computers are updated?

4. 

How will you determine whether clients are being successfully updated?

1. Provide detailed instructions to end users, instructing them to use Add/ Remove Programs to identify updates that have been installed and compare that list against the list of available updates on Windows Update.

2. Visit random computers, and view the version numbers of system files to verify that updates have been applied.

3. Use the graphical MBSA console to scan when you have free time available. Configure MBSA to check only the updates that have been approved on SUS servers.

4. Schedule the command-line MBSACLI utility to scan all of Wide World Importers subnets once per week, and examine the reports the following morning. Use the /sus command-line parameter to force MBSACLI to check only those updates approved on your SUS servers.

1. 

c. For this environment, SUS is the best way to deploy updates.

2. 

d. In an Active Directory environment, GPOs are the most efficient way to configure the Automatic Updates client.

3. 

You should create an integrated installation of all operating systems that are currently being deployed to new computers. For each operating system, include security updates, critical updates, and any important updates provided by your original equipment manufacturer (OEM) or required by non-Microsoft applications. If possible, assign an administrator to regularly update the integrated installation with newly released updates. If various people within your organization will be deploying new computers, do your best to educate them about the importance of installing computers with the integrated installation. To further reduce the risk of new computers being infected, use MBSA and MBSACLI to scan every IP address in your organization for new computers.

4. 

d. Of these options, the best choice is to schedule the MBSACLI utility. This reduces the burden on you and on end users. It is a less than perfect plan, however, because computers not accessible on the network when the scan runs will not be detected.

1. 

What is the source of the problem?

2. 

How would you troubleshoot the problem?

1. 

The problem is that the client computer does not have sufficient permissions to request updates from the SUS server. IIS usage logs can be difficult to interpret, but this is an important part of troubleshooting problems related to SUS. The sc-status field contains the Hypertext Transfer Protocol (HTTP) status code that IIS returned to the client. If the request could be successfully filled, the status code would be 200. However, in all of the requests shown in this scenario, the response code is 401. The HTTP status code 401 indicates that the client is unauthorized for the type of request. For more information about HTTP status codes, refer to RFC 2616.

2. 

You should use IIS Manager to check the permissions for the Web site and the virtual directories used by SUS. Additionally, you should check the file permissions on the Web site root. The root of the Web site, and all SUS content, should be configured to allow anonymous requests.