Chapter 4: Securing the Network Management Process


1.  

Your forest is structured according to the illustration in Figure 4.15. You have a group of developers in the east.fixed-wing.airplanes.com domain who need to access files in the development.central.biplanes.airplanes.com domain on a regular basis. The users are complaining that accessing the files in the development domain is taking an unacceptably long time. What can you do to improve their response time?

Figure 4.15: Figure for Question 1
  A. Create a domain local group in the development domain and add the developers' user accounts to it.

  B. Create a shortcut trust between the east.fixed-wing.airplanes.com domain and the development.central.biplanes.airplanes.com domain.

  C. Place the resources in the development domain into an OU. Use the Delegation of Control Wizard to grant the users in the east.fixed-wing.airplanes.com domain the appropriate permissions.

  D. Create an external trust between the fixed-wing.airplanes.com domain and the biplanes.airplanes.com domain.


2.  

You are the network administrator for a medical research facility running Windows Server 2003. Your firm is beginning a joint research operation with a major university, and many of your users will need to access files and folders on the university's network. The university that you are partnering with uses a UNIX Kerberos environment. Your company's resources should not be accessible by the university staff. How can you accomplish this using the least administrative effort?

  A. Create a two-way realm trust between your network and the UNIX network.

  B. Create a one-way: outgoing external trust between your network and the UNIX network.

  C. Create a one-way: incoming realm trust between your network and the UNIX network.

  D. Create a one-way: outgoing realm trust between your network and the UNIX network.


3.  

You have a critical software update that needs to be installed for the Payroll OU of your Windows Server 2003 domain. You create a new GPO and assign the MSI package to the Computer Configuration section and then link the new GPO to the Payroll OU with the appropriate security filtering permissions. You send an e-mail to the members of the payroll department instructing them to log off their workstations and log back in to prompt the software installation to begin. You run the MBSA utility to verify installation of the patch, but you discover that it has not been installed, even after you ask the payroll users to log off and onto their workstations several times. What is the most likely reason that the software update has not been installed?

  A. The workstations in the payroll department need to be rebooted before the software update will be installed.

  B. Software installation packages can only be assigned at the domain level.

  C. The software can be installed using the Add New Programs section of the Add/Remove Programs Control Panel applet.

  D. Logon scripts are running asynchronously; they must be reconfigured to run synchronously.


4.  

Hope Pharmaceuticals is a large organization that is headquartered in Chicago, Illinois. The company has six other locations in North America and Europe. In North America, the company has locations in Chicago, New York, and Arizona. In Europe, it has locations in Paris, London, and Rome. The Active Directory infrastructure consists of two forests: one for North America and one for Europe. Recently, the Chicago location and the Paris location have been working together closely on deals and possible mergers. Users have started to complain of slow response times in authenticating and accessing resources in either domain. What would be the best way to improve authentication performance between Chicago and Paris?

  A. Create a shortcut trust between the Chicago office and the Paris office.

  B. Create a realm trust between the Chicago and Paris offices.

  C. There is nothing you can do to improve performance.

  D. Move the Paris domain into the North America forest.


5.  

You are the IT manager for an organization with three locations in Fresno, San Francisco, and La Jolla, running Windows Server 2003 on the server side and Windows XP Professional on the client side. To cut down on Internet bandwidth usage from the Windows Update client, you have installed an SUS server in each of the three locations. The SUS server is configured as the master SUS server, and Fresno and La Jolla's servers are configured as child servers. Microsoft releases a critical security update, and a few hours later you learn that a hacker group from Eastern Europe has already released an Internet worm to take advantage of any unpatched machines. You quickly download the new patch to your SUS server in San Francisco and approve the patch for distribution. Your CEO asks if your network is protected from this new threat, and you assure him that your patch management solution is up to the task. Unfortunately, you receive several calls toward the end of the day from users in Fresno who report that their machines are rebooting without warning and that network response time is almost nonexistent. On further investigation, you discover that the machines in Fresno and La Jolla were not updated with the new Microsoft patch and became victims of this new Internet worm. Your workstations and servers in the San Francisco office have received the patch. Why did SUS fail to update the machines in your two remote locations?

  A. You did not install the SUS client on your client workstations.

  B. The Internet connection between the Fresno and La Jolla offices did not permit the SUS traffic to pass.

  C. The SUS servers in Fresno and La Jolla had not received the new update yet.

  D. The security update was incompatible with your client workstations.


6.  

Your network is experiencing massive Internet bandwidth consumption from external sources. On investigating, you discover that a new Internet worm has been created that exploits a newly discovered vulnerability in Microsoft's Internet Information Service. You have seven IIS servers in your organization that are colocated in various cities across the United States to provide load balancing for your Web applications. Within Active Directory, all your Web servers are contained within a single OU. What is the quickest way to efficiently patch all your company's IIS servers against this new vulnerability while minimizing downtime for your Web server applications?

  A. Force the SUS server to immediately update all machines in the domain.

  B. Manually install the patch on each Web server.

  C. Create a GPO within the Computer Configuration Software Installation settings. Link it to the Web Server OU. Reboot each Web server in turn so that the update can be applied.

  D. Create a GPO within the User Configuration Software Installation settings. Link it to the Web Server OU. Perform a logout/login on each Web server so that the update can be applied.


7.  

You have 12 servers at various locations that you want to manage remotely. You have read about Emergency Management Services and believe this is a good solution for your environment. You review the hardware for each of the servers in question and determine that the firmware on all of them supports console redirection. Your servers are already running Windows Server 2003 and are x86-based systems. What is your next step in implementing EMS for these servers?

  A. Use the EMS Special Administration Console to install EMS for the remote computer. Configure console redirection via the server firmware after EMS is installed.

  B. Reinstall Windows Server 2003 from the installation CD. EMS configures itself during a bootable CD installation if the computer supports firmware console redirection and the Serial Port Console Redirection (SPCR) table.

  C. Reboot the computer into Safe mode. Install EMS from the Run line, and then reboot to enable EMS.

  D. Use Bootcfg.exe to edit the Boot.ini file located on the system partition root to enable Windows loader console redirection and the SAC.


8.  

You are the network administrator for a large, multinational corporation. Your Active Directory tree is configured with one domain for North America, one for Europe, and one for Asia. Each office on each continent has been configured with its own OU, and an administrative assistant in each office has been delegated the authority to reset user passwords within each OU. You have a single global group in each domain that contains the user accounts for the central help desk for each domain. To assist the local administrators with troubleshooting issues, you have distributed instructions concerning the use of the Remote Assistance feature in Windows XP and Windows Server 2003. After a server outage in the Dresden office, you discover that a local administrator was having a network issue and sent a Remote Assistance request to a friend of hers, who uploaded a virus-infected executable to the Dresden network, thinking that it was a diagnostic utility. What is the most efficient way to prevent this situation from recurring on your network? (Choose all that apply.)

  A. Use Group Policy to restrict to whom your users can send Remote Assistance requests.

  B. Use PGP encryption to encrypt the Remote Assistance e-mail request.

  C. Disable Remote Assistance on all client workstations. Manually re-enable it as needed.

  D. Create a network security policy forbidding Remote Assistance requests to any users other than central IT staff.


Answers

1.  

✓ B. A shortcut trust will allow logon and resource requests to process more quickly by bypassing the usual traversal of domain trusts.

✗ Answer A is incorrect because creating a domain local group will not speed the logon request process. Answer C is incorrect because grouping the resources into a separate OU will not improve logon requests from other domains in the network. Answer D is incorrect because an external trust is used to establish a trust relationship between a Windows Server 2003 Active Directory forest and a Windows NT4 or 2000 domain. In this case, the two domains in question are part of the same Windows Server 2003 forest.

2.  

✓ C. A one-way, incoming realm trust will allow users from your network to access files on the UNIX Kerberos network while not allowing the UNIX users to browse any of your network resources.

✗ Answer A is incorrect because it will allow users on the UNIX network to access your network resources. Answer B is incorrect because an external trust is used to establish a trust relationship with a Windows NT or 2000 forest, not a UNIX Kerberos realm. Answer D will create the trust in the incorrect direction; the UNIX users would be able to access information on your network, but your users would not be able to browse resources in the Kerberos realm.

3.  

✓ A. When a software installation package is assigned through the Computer Configuration section of a GPO, it will only be installed when the computer starts up. The logoff/logon process is not sufficient to launch the installation process.

✗ Answer B is incorrect because software installation packages can be published or assigned at the site, domain, or OU. Answer C is incorrect because only published software packages are available through Add/Remove Programs; this package was assigned. Answer D is incorrect because the software will be installed at startup, not logon.

4.  

✓ A. A shortcut trust is the ideal trust for this scenario. To improve performance and to avoid having authentication travel across the entire domain trees before it authenticates against the correct domain, a shortcut trust allows the Chicago domain users and the Paris domain users to authenticate directly against the Chicago and Paris domains.

✗ Answer B is incorrect because realm trusts are used to connect Windows-based domains with a different realm or technology such as UNIX. Answer C is incorrect because you can use a shortcut trust to improve performance for your network users. Answer D is technically correct, but it is not the best solution, since reorganizing your forest and domain structure should be done only as a last resort.

5.  

✓ C. Child SUS servers synchronize with master servers on a set schedule. Most administrators configure this synchronization to take place during off-hours, when bandwidth utilization will be affected as little as possible. In this scenario, the most likely explanation for your remote offices not getting patched is that their SUS servers had not yet received the update from the master SUS server.

✗ Answer A is incorrect because Windows XP Professional has the SUS client installed by default; it only needs to be configured via Group Policy. Answer B is incorrect because there is nothing in the scenario to suggest that you are filtering any type of Internet traffic that would prevent SUS from functioning. Answer D is incorrect because the SUS administrative page will allow you to download patches appropriate to each operating system, and the SUS client will automatically download the appropriate patch to the client workstation.

6.  

✓ D. Software Settings applied to the User Configuration section of a Group Policy Object will take effect when a user logs in. By applying the GPO to the User Configuration instead of the Computer Configuration, you will not need to reboot the Web servers for the update to be applied.

✗ Answer A is incorrect because there is no way to manually force SUS to update any clients; it is designed to take place in the background. Answer B is incorrect because it would not be an efficient way to patch your servers, especially since they are located in various parts of the country, where you might or might not have an administrator on site. Answer C is incorrect because assigning the Software Installation to the Computer Configuration will require the machine to reboot before the installation takes effect. While the presence of seven servers in a load-balancing configuration will minimize the effects of these reboots, this solution will still create unnecessary downtime for your Web servers.

7.  

✓ D. If Windows Server 2003 is already installed, you can configure EMS by editing the Boot.ini file. The Bootcfg.exe utility is used to edit the Boot.ini file. This will allow you to instruct Windows loader (Ntldr) to redirect the console output to an out-of-band connection and will enable the Special Administration Console.

✗ Answer A is incorrect because the Special Administration Console is available only after you've enabled EMS. Once you've installed EMS, SAC and !SAC become available. Answer B is incorrect because you do not need to reinstall Windows Server 2003 in order to implement EMS after the operating system has already been installed. Instead, you can edit the Boot.ini file using the Bootcfg.exe utility. However, if you were installing a fresh installation of Windows Server 2003, the statements are all true. Installing from the bootable CD will configure EMS if the computer's firmware supports console redirection and the Serial Port Console Redirection (SPCR) table. Answer C is incorrect because you do not need to run in Safe mode nor can you install Emergency Management Services from the Run line.

8.  

✓ A, D. Using Group Policy, you can configure your network clients so that they can send Remote Assistance requests to only specific users or groups, in this case the central IT staff. Therefore, Answer A is correct. In combination with this step, you should explain the importance of this policy to your distributed staff so that they understand why it is critical to the security of the corporate network. Therefore, Answer D is correct.

✗ Answer B is incorrect because although PGP encryption will secure the contents of an RA e-mail message, it will do nothing to restrict to whom those messages are sent. Answer C is incorrect because it would be an inefficient solution, especially in a large enterprise.




MCSE Designing Security for a Windows Server 2003 Network. Exam 70-298
ISBN: 1932266550
EAN: 2147483647
Year: 2003
Pages: 122
