Questions and Answers


Lesson 1 Review

Page 11-11

1.

What is the advantage of using RPC over HTTP to allow a MAPI client such as Outlook to connect to Exchange through a firewall?

2.

What TCP ports do you need to open on a firewall to allow HTTP, SMTP, and HTTP over SSL traffic? (Select all that apply.)

  a. Port 21

  b. Port 25

  c. Port 80

  d. Port 110

  e. Port 119

  f. Port 143

  g. Port 443

  h. Port 563

Answers

1.

Configuring RPC over HTTP eliminates the need for a VPN connection when a user is accessing Exchange information. Users running Outlook can connect directly to an Exchange server over the Internet by using HTTP, even if both the Exchange server and Outlook are behind firewalls and located on different networks.

2.

The correct answers are b, c, and g.

Lesson 2 Review

Page 11-20

1.

What is the difference between a virus and a worm?

2.

How does a Trojan horse spread?

3.

Which Microsoft utility checks for missing patches, blank or weak passwords, and operating system vulnerabilities?

  a. SMS

  b. SUS

  c. MBSA

  d. Security Notification Service

Answers

1.

Unlike a virus, a worm does not require a host program and can replicate itself automatically whenever an application or the operating system transfers or copies files.

2.

A Trojan horse cannot replicate itself. It relies on users to spread the program through e-mail.

3.

The correct answer is c.

Lesson 3 Review

Page 11-29

1.

How does Exchange Server 2003 filtering work, and what do you need to configure in order to use it?

2.

An e-mail message has an SCL value of 3. Which of the following statements is true?

  a. The sender was found on the Deny list.

  b. The sender was found on the Accept list.

  c. The message probably is not junk e-mail.

  d. The message probably is junk e-mail.

Answers

1.

Exchange Server 2003 filtering examines e-mail headers and checks them against established filter rules. To use the Exchange filtering features, you must first configure the properties of the global Message Delivery object to create global filters. Then you need to configure SMTP virtual servers to use these global filters.

2.

The correct answer is d.

Lesson 4 Review

Page 11-35

1.

Which PKI component defines the content and purpose of a certificate?

  a. Certificate template

  b. CA

  c. CRL

  d. Certificate publication point

2.

Don Hall sends an encrypted message to Kim Akers. How does Don encrypt it, and how does Kim read it?

3.

Kim Akers wants to send a message to Don Hall, but Don needs to be certain that the message really is from Kim. How can he verify this?

Answers

1.

The correct answer is a.

2.

Don encrypts the message using Kim's public key. Kim decrypts it using her private key.

3.

Kim signs the message using her private key. Don decrypts the signature using Kim's public key. This assures him that the message is from Kim and that it has not been intercepted and altered by a third party.
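
The two key directions in answers 2 and 3, as an added example that is not part of the original book: Don encrypts with Kim's public key, and Kim's signature is checked by applying her public key to it and comparing the result with the message digest. It uses unpadded textbook RSA with constructed toy keys, for illustration only; the function names and the second key pair are assumptions made for the example.

```python
# Added example: textbook RSA showing which key is used in each direction.
# Toy parameters and no padding: for illustration only, not for protecting data.
import hashlib

def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) built from two primes p and q (Python 3.8+)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # d is the inverse of e modulo phi

def to_int(data):
    return int.from_bytes(data, "big")

def encrypt(message, public_key):
    """Sender side: anyone holding the recipient's public key can do this."""
    n, e = public_key
    m = to_int(message)
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext, private_key):
    """Recipient side: only the private key holder can reverse encrypt()."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message, n):
    return to_int(hashlib.sha256(message).digest()) % n

def sign(message, private_key):
    """Signer side: transform the message digest with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """Verifier side: undo the signature with the public key, compare digests."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

# Constructed key pair for Kim, from two known Mersenne primes.
KIM_PUBLIC, KIM_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
# Constructed key pair for some third party who does not hold Kim's private key.
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    note = b"Meet at noon"
    # Answer 2: Don -> Kim, encrypted with Kim's public key.
    print(decrypt(encrypt(note, KIM_PUBLIC), KIM_PRIVATE))
    # Answer 3: Kim -> Don, signed with Kim's private key.
    sig = sign(note, KIM_PRIVATE)
    print(verify(note, sig, KIM_PUBLIC), verify(b"Meet at nine", sig, KIM_PUBLIC))
```
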

Lesson 5 Review

Page 11-44

1.

You use Exchange System Manager to delegate control of an administration group to Don Hall. The administration group contains three Exchange Server 2003 servers called Server A, Server B, and Server C. You give Don the Exchange Administrator role. Don reports that he is unable to carry out any administration on the servers. What do you need to do?

2.

You want to grant advanced permissions on an administration group. You make the necessary registry changes, then try to add the ADSI Edit snap-in to the Microsoft Management Console. ADSI Edit is not on the list of snap-ins. What have you forgotten to do?

3.

You create a new routing group and find that the group inherits permissions from the administrative group in which it was created. You want different permissions applied to the new routing group object. What do you do?

Answers

1.

You need to make Don a local administrator on Server A, Server B, and Server C.

2.

You have forgotten to install the Windows Server 2003 support tools.

3.

Access the routing group object's Properties box and use the Advanced option on the Security tab to block permission inheritance.

Lesson 6 Review

Page 11-55

1.

You are considering disabling Microsoft Exchange Management on a front-end Exchange server. Can you disable this service? What other considerations do you need to take into account?

2.

Which of the following services are required to administer Exchange Server 2003? (Select all that apply.)

  a. Microsoft Exchange System Attendant

  b. Microsoft Exchange Management

  c. NNTP

  d. Windows Management Instrumentation

  e. Exchange MTA Stacks

  f. IPSEC Services

3.

What is the default log file format for SMTP?

  a. W3C Extended log file format

  b. ODBC format

  c. Microsoft IIS log file format

  d. NCSA log file format

Answers

1.

You can disable this service without affecting the core functionality of Exchange. However, the service is also required for message tracking, which you may need to audit Exchange functionality.

2.

The correct answers are a, b, and d.

3.

The correct answer is a.

Case Scenario Exercise: Requirement 1

Page 11-57

1.

You have been asked to find an antivirus software package that will protect your organization. This software must be fully compatible with Exchange Server 2003. Commercial antivirus software that was previously installed on the system has been found to be unsatisfactory. You need to identify a reputable company that can provide a professional product. How do you proceed?

2.

Your chief information officer (CIO) wants to ensure that viruses never enter the intranet. She wants you to block them at the firewall. Therefore, she sees no need for antivirus software on the servers or clients. Do you agree with her? Why or why not?

3.

A user reports that a self-extracting zip file that was e-mailed to him as an attachment did not unzip. When a zip file that was not self-extracting was sent to him, he was able to unzip it without any problems. How do you explain this to him, and what action (if any) do you take to remedy this situation?

Answers

1.

You access http://www.microsoft.com/exchange/partners/antivirus.asp. Although Microsoft makes no warranties or representations with regard to these products or services, it is likely that an organization on the list will provide a professional product. If the supplier permits, download a trial version of the software. Test the software against criteria such as whether it is compatible with Exchange Server 2003, whether it updates its virus signatures automatically, how often it does so, and whether it blocks viruses, worms, and Trojan horses.

2.

The CIO is mistaken. Antivirus software installed at the firewall can stop viruses entering or leaving your intranet. However, the front-end servers in the DMZ also need to be protected because employees are allowed to do corporate work on laptops at home. Although an employee is supposed to work on files downloaded while at work, there is nothing to stop him or her plugging an external modem into the laptop and connecting it to the Internet. If the machine is unprotected, it can pick up a worm, which can then affect your intranet when the laptop is connected to it. Therefore, antivirus software needs to be installed on the firewall, on servers, and on client machines.

3.

Client e-mail software such as Outlook filters out certain types of files as potential risks. In particular, exploitable file types, such as .bat, .com, .scr, .vbs, and embedded HTML scripts are often either deleted or converted to text files. Self-extracting zip files are .exe files. While possibly less of a risk than the other file types mentioned, .exe files are executable code and can be used to transmit viruses. In the environment described in the scenario, where security is paramount, it is unwise to alter any settings that would allow .exe files to be sent to your users. You should instead inform users (and management) about known exploitable file types and explain why they cannot receive them as e-mail attachments.

Case Scenario Exercise: Requirement 2

Page 11-57

1.

You have a block-list service provider configured, but you continue to receive unsolicited commercial e-mail from several senders. You have identified nwtraders.com and treyresearch.com as junk mail senders. They are not on your RBL. How can you block the messages coming from them?

2.

You have shown your chief executive officer (CEO) how he can configure Outlook 2003 on his client machine to filter out junk mail from a known sender. He is now concerned about the amount of time that needs to be spent configuring Outlook on all the client machines and listing all possible junk e-mail sources. What do you tell him to put his mind at rest?

Answers

1.

RBLs cannot completely prevent unsolicited commercial e-mail because domains will always exist that are not included or that have been created subsequent to the block list. You need to be vigilant about monitoring your incoming e-mail and add any domains that are identified as junk mail senders to the junk mail list on the Connection tab of your SMTP virtual servers' Properties dialog boxes.

2.

Although users may want to configure Outlook to block particular junk mail sources on their client computers, particularly if they are also using these computers at home, the bulk of the junk e-mail sent to your organization can be blocked at the Exchange Server 2003 servers by configuring the SMTP virtual servers. Commercially available RBLs contain the domain names of most e-mail servers, and you need only add new sources as necessary rather than needing to generate a block list from scratch.

Case Scenario Exercise: Requirement 3

Page 11-58

1.

Given the scenario described, what ports need to be open on your firewall?

2.

What services should you disable on your front-end servers? List only the services that are definitely not required, rather than the ones which can optionally be disabled.

Answers

1.

You need to open TCP port 25 for SMTP. The scenario does not state whether your users access the Internet, but it would be unusual if TCP port 80 were not opened for HTTP. It is likely that your secure Web server is behind your firewall, so TCP port 443 needs to be opened for HTTP using SSL. The Exchange Server 2003 servers in your DMZ will use Active Directory, so TCP port 389 needs to be opened for LDAP. If RPC is blocked, nothing much else works, so TCP port 135 needs to be opened. Note that strict filtering conditions should be applied to all open ports.

There is no indication that Kerberos authentication will be needed across the firewall or that an X.400 connector is used. NNTP is not mentioned in the scenario. There are no IMAP4 clients, and it is not clear whether POP3 clients require access through the firewall. Nor is it certain that global catalog look-ups across the firewall are required. Therefore, TCP ports 88, 102, 110, 119, 143, 563, 636, 993, 995, 3268, and 3269 should be closed initially. They can be opened (and strictly filtered), if required.

2.

You can disable the following services in this scenario:

  • Microsoft Exchange IMAP4—You have no IMAP4 clients.

  • Microsoft Exchange Information Store—This service can be disabled because your front-end servers do not contain user data.

  • NNTP—The scenario does not specify any newsgroup functionality.

  • Outlook Mobile Access—The scenario does not specify that you require Outlook Mobile Access.
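
One way to check a firewall rule list against the port policy in answer 1 above, as an added example that is not part of the original book. The rule format, the addresses and the sample rules are constructed for illustration; only the two port lists come from the answer.

```python
# Added example: audit a firewall rule list against the answer's port policy.
# The text rule format and SAMPLE_RULES are constructed, not a real product's syntax.
OPEN_PORTS = {25: "SMTP", 80: "HTTP", 443: "HTTP over SSL", 389: "LDAP", 135: "RPC"}
CLOSED_INITIALLY = {88, 102, 110, 119, 143, 563, 636, 993, 995, 3268, 3269}

SAMPLE_RULES = """\
# action proto port source      destination
allow tcp 25   any         10.0.1.10
allow tcp 443  any         10.0.1.20
allow tcp 80   any         any
allow tcp 389  10.0.1.10   10.0.2.5
allow tcp 135  10.0.1.10   10.0.2.5
allow tcp 110  any         10.0.1.10
allow tcp 8080 any         10.0.1.20
deny  tcp 143  any         any
"""

def parse_rules(text):
    """Parse 'action proto port source destination' lines; '#' starts a comment."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("allow", "deny") or not fields[2].isdigit():
            raise ValueError(f"line {lineno}: malformed rule {line!r}")
        action, proto, port, src, dst = fields
        rules.append({"action": action, "proto": proto, "port": int(port),
                      "src": src, "dst": dst})
    return rules

def audit(rules):
    """Return (port, finding) pairs for every deviation from the policy."""
    findings = []
    allowed = [r for r in rules if r["action"] == "allow" and r["proto"] == "tcp"]
    for r in allowed:
        port = r["port"]
        if port in CLOSED_INITIALLY:
            findings.append((port, "closed-initially port is open"))
        elif port not in OPEN_PORTS:
            findings.append((port, "port not covered by the policy"))
        elif r["src"] == "any" and r["dst"] == "any":
            # The answer asks for strict filtering on every open port.
            findings.append((port, "open port has no filtering condition"))
    for port in sorted(set(OPEN_PORTS) - {r["port"] for r in allowed}):
        findings.append((port, "required port is not open"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_rules(SAMPLE_RULES)):
        print(f"tcp/{port}: {finding}")
```
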




MCSA/MCSE Self-Paced Training Kit (Exam 70-284): Implementing and Managing Microsoft® Exchange Server 2003 (Pro-Certification)
ISBN: 0735618992
EAN: 2147483647
Year: 2003
Pages: 221
