Self Test

1.  

You are the network administrator for a small network that has 40 computers on a network. You have two Windows Server 2003 computers, one of which is a DC and the other is providing remote access to users who travel throughout the United States. The computer running the remote access services also runs DHCP, DNS, and WINS for your firm. There are two file and application servers running Windows 2000, and you have client computers running Windows XP, Windows 2000, and Windows 98. Your applications are all the latest versions, although one was originally written for Windows 95 and another was developed in-house about six years ago. Based on this information, applying which predefined template might cause disruptions on the network?

1. Secure*.inf

2. Hisec*.inf

3. Compat*.inf

4. Setup security.inf

2.  

In the MMC snap-in Security Configuration and Analysis, you open a new database you call Test1. You select the securedc.inf template and click OK. At this point, what is the state of the security on the computer you re working on?

1. The settings from the computer and the securedc.inf template have been merged.

2. The settings from the securedc.inf template have been applied.

3. The settings from the database, including the imported securedc.inf template, have been applied.

4. The settings on the local computer have not changed.

3.  

You have opened the securedc.inf template via the MMC snap-in Security Templates. You expand the nodes in the left pane until you find the Account Policies. You select Kerberos Policy and notice that all the policies are Not Defined. What step do you need to take in order to define any one of those policies?

1. None. If a policy is not defined in a predefined security template, you cannot modify it.

2. None. You should never modify the settings in a predefined security template.

3. Double-click the policy, modify the settings, check the box to Define this policy setting in the template, and click OK.

4. Right-click the policy, check the box to Define this policy setting in the template, and click OK.

4.  

After upgrading a computer from Windows 2000 to Windows Server 2003, you notice that some of the settings in the USER_RIGHTS area of security are not exactly as you d like them. You d like to use the settings for USER_RIGHTS found in the secure*.inf template. What is the best way to apply the settings for USER_RIGHTS from the secure*.inf template to the local computer?

1. Use the secedit.exe /configure command using the /cfg switch to specify the securews.inf template, the /overwrite switch to clear the existing database settings, and the /area switch to specify USER_RIGHTS.

2. Use the secedit.exe /analyze command to analyze the difference between the USER_RIGHTS on the local computer and the USER_RIGHTS settings in the securews.inf template.

3. Use the secedit.exe /cfg /USER_RIGHTS command to configure the USER_RIGHTS area of the current security template.

4. Use the secedit.exe /analyze command with the /db switch to specify which database should be analyzed . You do not need the /cfg switch to analyze the settings in the configuration stored in the current database.

5.  

You ve just completed a security audit and determined that you should tighten up password security settings on one of your Active Directory sites. Currently, the minimum password length is not defined, meaning that users could elect to use a blank password. To rectify this situation, you assign the task of modifying this to one of the junior network administrators. He implements the policy for the site through Active Directory Sites and Services, but the policy does not take effect. When he comes back to you to report the problem, what can you tell him about this problem?

1. A local policy might be overwriting this new policy. Check local policy settings.

2. Active Directory Sites and Services does not support applying security policies.

3. You must use the gpupdate command-line tool to refresh the policy in order to see the policy in place.

4. Password and account policies are applied at the domain level.

6.  

You ve performed an analysis of your server s current security configuration as the first step in identifying the security settings you want to use for your application servers throughout the domain. The analysis results are as shown in Figure 2.22. (Results of the analysis that are typically listed under the Database Setting and Computer Setting have intentionally been removed.) Based on the data in this screenshot, what statements can you make about the results?

Figure 2.22: Security Analysis Results

1. The Account lockout duration and Reset account lockout counter after were not analyzed because they did not exist on the local system.

2. The Account lockout duration and Reset account lockout counter after were not analyzed because they did not exist in the analysis database.

3. The Account lockout duration and Reset account lockout counter after were analyzed but the database settings did not match the local computer settings.

4. The Account lockout duration and Reset account lockout counter after were analyzed but the database did not contain definitions for these settings.

1.  

B

2.  

D

3.  

D

4.  

A

5.  

D

6.  

B

7.  

You ve recently been tasked with upgrading several Windows 2000-based file and print servers to Windows Server 2003. You ve already installed Windows Server 2003 on four other servers in the organization, two of which are located in another city connected by a high-speed Internet-based connection. What can you do to ensure that all Windows Server 2003-based file and print servers have exactly the same default settings on their drives ?

1. Apply the Setup security.inf template to all servers to set a baseline.

2. Apply the DC secure.inf template to all servers to set a baseline.

3. Apply the rootsec.inf template to all servers to set a baseline.

4. Apply the securedc.inf template to all servers to set a baseline.

8.  

You work at a software company that sells an accounting software package to large institutions, including governmental organizations and school systems. The software package requires the use of SQL Server, and the company has found over the course of several years that this requirement has made selling the product more difficult. In a recent meeting, you suggest running the SQL Server-based application on the company s servers and providing access to the software package to client via Terminal Server. In talking with clients , you ve discovered that most of them are running Windows 95, Windows 98, or Windows XP clients. The VP of Client Services asks you about security, knowing that governmental agencies and school districts might be quite averse to transmitting financial data across the Internet to your company. You tell the VP you ve devised a security plan to address just those questions. What elements does your plan include for the highest possible security?

1. The Terminal Server computer will run only the application for clients. It will use NTFS on the file system and will use Full Security. Clients will be able to access the application only via a secure connection. The computer will be in a controlled-access location and you ll disable drive redirection. You also require Client Compatible encryption and limit the number of user logon attempts and connection times.

2. The Terminal Server computer will run only the application for clients. It will use NTFS on the file system and will have the Notssid.inf template applied to remove unnecessary Terminal Server SIDs. Strong passwords will be required. The computer will be in a controlled-access location, and CD and floppy drive access will be restricted to the Remote Desktop Users group .

3. The Terminal Server computer will use NTFS on the file system, and additional security will be placed on the file system and Registry via the hisecws.inf template. Auditing the Remote Desktop Users group for unsuccessful logons will ensure only authorized users can make a connection. Strong passwords will be required. You will disable drive redirection and require encryption.

4. The Terminal Server computer will use NTFS on the file system. It will be placed in a secure location, and CD and floppy drive access will be restricted to Administrators. You limit the number of user logons and restrict connection times. You also set the encryption requirement to High so that data to and from the Terminal server is encrypted using 128-bit encryption.

9.  

Your network consists of four OUs located in three separate cities. Some clients require the use of WINS, so you ve set up four WINS servers, two with static IP addresses. In two particular locations, computer names change frequently. Since replication takes place across a WAN and you re concerned with security, you ve implemented the requirement to secure all replication data using IPSec. Based on this information, what is the most likely result?

1. Using IPSec will cause a significant problem with the WINS replication process, because IPSec cannot be used to secure WINS data across a WAN.

2. Name changes will be replicated across the WAN only during off-peak hours. Other WINS data will not be replicated unless there are changes made to the WINS database.

3. If you implement IPSec to encrypt the WINS replication data, logging of all WINS events is enabled by default, which can decrease network performance.

4. The replication time might be significantly increased and users might complain both of slower network connection times across the WAN and the inability to reach resources.

10.  

You have configured one of your servers to provide streaming media services to internal users. However, you want to make sure the data on the server is secure. You ve formatted the server drive with NTFS to be able to manage file and folder permissions on the system. You also want to apply additional file system security to the server. You ve previously created a security template based on the secure*.inf template, named securesv.inf, and you want to apply the permissions from that template to this server. The server s current security database is named winmedia.sdb. What is the easiest way to accomplish this task?

1. secedit.exe /import /db securesv.inf /cfg winmedia.sdb /FILESYSTEM /quiet

2. secedit /db winmedia.sdb /cfg securesv.inf /overwrite /FILESYSTEM

3. secedit /configure /db winmedia.sdb /cfg securesv.inf /overwrite /FILESTORE

4. secedit /import /db winmedia.sdb /cfg securesv.inf /FILESTORE /quiet

7.  

C

8.  

A

9.  

D

10.  

C