Self Test

1. 

One of the advantages of Windows 2000 Active Directory over previous versions of Windows NT is that two-way transitive trusts are automatically created between which objects? (Choose all correct answers.)

1. Between root domains in an Active Directory forest

2. Between parent domains and child domains

3. Between child domains at the same level within the tree

4. Between Windows 2000 and Windows NT 4.0 domains

2. 

The schema serves what function in Active Directory?

1. Provides a listing, or index, of all the objects within Active Directory

2. Defines the types of objects that can be stored in Active Directory

3. Organizes objects, such as users or computers, into a location designed for easier management and assignment of permissions

4. Provides for name resolution on the network

1. 

þA, B. Windows 2000 automatically creates two-way transitive trusts between root domains in the forest. Additionally, two-way transitive trusts are created between parent and child domains in Windows 2000.

ý C, D. Two transitive trusts are not automatically created between child domains or between Windows 2000 domains and Windows NT 4.0 domains, although you can manually create a shortcut trust if you desire. (See Chapter 8 for a full discussion on Windows 2000 trusts.) Thus Answers C and D are incorrect.

2. 

þB. The schema defines the types of objects that can be stored in Active Directory as well as the attributes each object is allowed to possess.

ý A, C, D. The Global Catalog (GC) provides an easily searchable index of all objects contained within Active Directory, thus Answer A is incorrect. Organizational Units (OUs) are used to organize objects for easier management, thus Answer C is incorrect. Domain Naming System (DNS) and Windows Internet Naming System (WINS) are the commonly used name resolution services on Windows networks, thus Answer D is incorrect.

3. 

Hannah wants to increase the security on the member servers in her network, but she does not want to interfere with the normal network communications between the servers and other computers on the network. What would be the best security template for her to apply to these member servers?

1. hisecdc.inf

2. securews.inf

3. basicsv.inf

4. securedc.inf

4. 

You are the network administrator for a medium-sized company. The HR department has asked you to help interview candidates for the position of assistant security administrator for your Windows 2000 network. During the interview of one of the candidates, you ask the following question: "What can the secedit.exe utility be used for?" What answers do you expect to hear? (Choose all that apply.)

1. It can be used to list the current Group Policy in effect for a specific user and computer.

2. It can be used to analyze the security settings of a system.

3. It can be used to refresh the applied security settings of a system.

4. It can be used to validate the syntax of chosen security template.

5. It can be used to edit group membership and permissions for a user or group.

6. It can be used to remotely monitor privilege use.

7. It can be used to configure system security settings.

8. It can be used to export the values stored in a database to a .inf file.

5. 

Andrew must increase the security on the workstations in his network at any cost, preferably achieving the most secure configuration possible. What would be the best template to apply to his workstations the to provide maximum amount of security, and what negative side effects can he expect to see from the application of the chosen template? (Chose two correct answers.)

1. hisecdc.inf

2. securews.inf

3. basicsv.inf

4. securedc.inf

5. hisecws.inf

6. He should expect no adverse effects to occur except for potentially increased login and logoff times due to extra policy processing invoked by the more secure template.

7. He should expect to lose network connectivity with all other computers that do not support IPSec.

8. He should expect to have to configure Active Directory integrated zones for his DNS servers to support the newly configured workstations.

6. 

You are preparing to deploy some custom security templates across your organization in an effort to increase the overall security of the network. You plan to deploy your security templates via Group Policy. What is the correct processing order for Group Policy in Windows 2000?

1. Local, domain, site, Organizational Unit

2. Local, site, domain, Organizational Unit

3. Site, domain, Organizational Unit, local

4. Domain, site, Organizational Unit, local

3. 

þB. The secure templates increase the level of security for Account Policy, certain Registry keys, and Auditing. Permissions for file system objects are not affected by this configuration. Two secure templates are provided: securedc.inf for domain controllers and securews.inf for workstations and member servers. The secure templates provide a medium level of security, stricter than the basic templates but not as secure as the highly secure templates.

ý A, C, D. The hisecdc.inf template is a highly secure template for domain controllers, thus Answer A is incorrect. The basicsv.inf template is the default template for member servers (and is mostly likely the currently installed template on these servers), thus Answer C is incorrect. The securedc.inf template is the secure template for domain controllers, not member servers, thus Answer D is incorrect..

4. 

þB, C, D, G, H. The secedit.exe utility can be used to analyze system security, configure system security, refresh security settings, export security settings, and validate the syntax of a security template. Refer back to the "Using Secedit.exe" section in this chapter for a thorough review of the functions and switches of the secedit.exe tool.

ý A, E, F. The secedit.exe utility does not list current Group Policy settings that have been applied to a user or computer. That can be done using the gpresult.exe tool, thus Answer A is incorrect. Group membership and permissions for users and groups is not done using the secedit.exe utility, thus Answer E is incorrect. Furthermore, secedit does not perform remote monitoring of privilege usage, therefore Answer F is also incorrect.

5. 

þ E, G. Highly secure configurations add security to network communications. IPSec will be configured for these machines and will be required for communications. Two highly secure templates are provided: hisecdc.inf for domain controllers and hisecws.inf for workstations and member servers. The highly secure templates provide the highest level of preconfigured security available but will cause communications problems with legacy clients due the requirement of IPSec for network communications.

ý A, B, C, D, F, H. The hisecdc.inf security template is for domain controllers, thus Answer A is incorrect. The securews.inf security template is for workstations and member servers, thus Answer B is incorrect. The basicsv.inf security template is the default template for member servers, thus Answer C is incorrect. The securedc.inf security template is for applying the Secure settings to domain controllers, thus Answer D is incorrect. As noted, the primary effect of applying highly secure templates will be a loss of network connectivity to computers that are not running IPSec, so it is essential that all computers requiring communications be configured for IPSec, such as domain controllers and member servers that the IPSec configured workstations will be contacting, thus Answers F and H are also incorrect.

6. 

þ B. The correct Group Policy application order in Windows 2000 is local, site, domain, Organizational Unit. Remember that later Group Policy objects overwrite GPOs that have been applied earlier.

ý A, C, D. The correct Group Policy application order in Windows 2000 is local, site, domain, Organizational Unit, thus Answers A, C, and D are incorrect.

7. 

Chris wants to configure her network so that users attempting to log on by guessing passwords will be prevented from gaining access to the system. She proposes to perform the following actions. Which actions will have a positive effect on preventing password-guessing users from gaining access to her network? (Choose all that apply.)

1. Set the Minimum Password Length to 10 characters.

2. Set the Account Lockout Threshold to 0 invalid login attempts.

3. Set the Account Lockout Duration to 60 minutes.

4. Set the Enforce Password History to 25 passwords.

8. 

Jon, the CTO of your company, asks you what can be done to protect certain areas of the Registry from modification by unauthorized users. What do you tell him?

1. Use the secedit.exe utility with the /validate switch to set security settings on the Registry keys of concern.

2. Use the regedit application to set security settings on the Registry keys of concern.

3. Use the Security templates and Security Configuration and Analysis snap-ins to configure, analyze, and implement security settings on the Registry keys of concern.

4. Use Windows Explorer to mark the Registry files as read only.

5. Use Windows Explorer to set NTFS permissions on the Registry files so that only authorized users may access them.

9. 

You want to configure auditing for the workstations in a specific OU in your network. You have opened Security Configuration and Analysis and selected the basicwk.inf template. What section of the template contains the options that you need to configure to enable auditing?

1. Local Policies

2. Account Policies

3. Event Log

4. Registry

7. 

þ A, C, D. Setting the Minimum Password Length to 10 characters will make passwords longer (and thus more complex), which in turn makes a password much more difficult to guess. Setting the Account Lockout duration to a value such as 60 minutes (or even higher) will prevent that user account from being used again for the time value configured. This serves to deter password guessing, because the user needs to know a username in order to guess a password to gain access to the network. Configuring the Enforce Password History will increase overall network security by forcing users to not reuse a password that has been recently used, thus making it much more difficult for a password-guessing individual to gain access by attempting passwords that might be preferred by users. Additionally, you can configure the Password Must Meet Complexity Requirements setting to make passwords stronger by forcing them to contain a mixture of letters, numbers, and characters. The Account Lockout Duration and Reset Account Lockout After settings are configured by default when you configure the Account Lockout Threshold setting.

ý B. Setting the Account Lockout Threshold to 0 invalid attempts in effect disables this setting, thus preventing the system from locking out the user account when a series of incorrect passwords have been entered, thus Answer B is incorrect.

8. 

þ C. You use the Security templates snap-in to edit the settings of a template and configure the security settings you require. You can then use the Security Configuration and Analysis snap-in to analyze and deploy the settings.

ý A, B, D, E. Using secedit with the /validate switch instructs secedit to perform a validation of a template before importing it onto a computer, thus Answer A is incorrect. Using the regedit application will not allow you to protect the keys from modification, thus Answer B is incorrect. Marking the Registry files as read only or changing their NTFS permissions will most likely cause your computer to operate erratically or stop functioning properly altogether and is not recommended, thus Answers D and E are also incorrect.

9. 

þ A. The Local Policies node contains three areas, one of which is the Audit Policies area. Inside the Audit Policies area is where you will configure audit options in this template.

ý B, C, D. The Account Policies node pertains to account issues such as password aging and length, thus Answer B is incorrect. The Event Log node contains settings that allow you to configure the Event Log, thus Answer C is incorrect. The Registry node contains settings that allow you set key-level security settings in the Registry, thus Answer D is incorrect.

10. 

Austin has been delegated administrative responsibility for several OUs in his department. How can he most easily make the same changes to the security settings applied to his OUs?

1. Austin should configure and test a template on a local machine using Security Configuration and Analysis. When he gets the configuration established that he requires, he should export the template and then import it into the specific OU Group Policy objects he is responsible for.

2. Austin should use the Security Configuration and Analysis snap-in and target it at the specific OU he wants to work with to make the changes.

3. Austin should edit the Group Policy objects directly for each of the OUs he is responsible for.

4. Austin should ask a domain administrator to apply the desired settings at the domain level and let them propagate down to his OUs.

11. 

You have configured and tested two custom security templates for use on your corporate network, corpserver.inf and corpdesktop.inf. Your network is running all Windows 2000 computers and is fragmented into three distinct sections due to the extremely high cost of establishing WAN links between your three geographical locations. You do have dial-up connectivity between the sites using standard plain old telephone service (POTS) lines, but these lines have proven unreliable at best. How can you deploy these templates to the other two sites in your network?

1. You need to deploy them to two extra domain controllers and then ship one each to your other two sites.

2. You need to export them from Security Configuration and Analysis and send the .inf files to your other two remote sites. Once there, the other two sites can import them into the required Group Policy object.

3. You need to establish a Frame Relay connection between all three sites at the same time and push the templates across the WAN link.

4. You need to make a RDP connection to each domain controller in the remote sites and apply the template to them.

10. 

þ A. The best way to ensure that the changes Austin makes are identical on all his OUs is for him to configure and analyze an incremental security template using the Security Configuration and Analysis snap-in. Once he has gotten the required settings configured to his liking, he can export the security template and subsequently import it into a Group Policy object in each of the OUs he is responsible for.

ý B, C, D. The Security Configuration and Analysis snap-in cannot be targeted at any level other than the local machine, so using it and targeting it toward an OU is not possible, thus Answer B is incorrect. Although editing the Group Policy object for each OU he is responsible for is a viable solution, this solution introduces the possibility of making different configuration settings in the various OUs, thus making this a bad choice for Austin, so Answer C is incorrect. Applying the settings at the domain level is unnecessary since Austin only needs the settings applied to his specific OUs. Additionally, settings applied at the domain level may be overwritten by Group Policy objects that are at the OU level, thus Answer D is also incorrect.

11. 

þ B. By exporting the templates from Security Configuration and Analysis, you can send them by any available means to a remote location for application on the network.

ý A, C, D. Shipping fully functional domain controllers is not a very good idea for a number of reasons, not limited to damage or theft, thus Answer A is incorrect. Establishing a Frame Relay WAN link just for the purpose of applying a couple of extremely small security templates is an extremely large waste of resources that can be avoided. Additionally, you still need to apply the templates to the other sites in the same fashion, regardless of how you get them there, so Answer C is incorrect. Making a Remote Desktop Protocol (RDP) connection to each remote site does not seem likely, since we were never told about having this capability as well as the fact that connectivity does not appear to exist, thus Answer D is incorrect.

12. 

Andrea is the network administrator of 55 workstations, 10 member servers, and four domain controllers. She would like to perform a security analysis on all her computers without having to physically visit each one. How can Andrea accomplish this task?

1. This cannot be done at the current time. Andrea will need to sit in front of each machine and use the Security Configuration and Analysis snap-in to perform the analysis.

2. Andrea can target a remote computer by right-clicking Security Configuration and Analysis and selecting Connect to another computer.

3. Andrea can create a script or batch file using the secedit.exe utility with the /analyze switch that has an entry for each computer that she wants to analyze.

4. Andrea can create a script or batch file using the secedit.exe utility with the /analyze switch that calls on a prepopulated text file containing the list of computers to be analyzed.

13. 

Christopher is an assistant network administrator working for Andrea. Christopher has been given the task of examining the results of the secedit /analyze script that Andrea ran over the network the previous night. How can Christopher most easily examine the analysis results to determine items that require a follow-up?

1. Christopher must visit each computer locally and view the database contents using the Security Configuration and Analysis snap-in.

2. Christopher must use the gpresult.exe tool from the Windows 2000 Resource Kit to be able to easily examine the analysis results.

3. Christopher can read through the text log from the analysis and identify any mismatches as areas requiring a follow-up.

4. Christopher can load each database file into the Security Configuration and Analysis snap-in that is running on his computer and identify any mismatches as areas requiring a follow-up.

14. 

Luanda is attempting to use the Security Configuration and Analysis snap-in to perform an analysis of one of her member servers. The member server is currently configured with the default settings. She wants to compare its settings with those in the securewk.inf security template. What is the correct order of steps to perform the analysis?Step 1: Right-click Security Configuration and Analysis and select Analyze computer now.Step 2: Right-click Security Configuration and Analysis and select Open database.Step 3: Select the security template to be used in the analysis.Step 4: Select the log file to be used in the analysis.Step 5: Right-click Security Configuration and Analysis and select Configure computer now.Step 6: Select the database to be used in the analysis.

1. 2, 1, 3, 6, 4

2. 1, 6, 4, 5, 3

3. 2, 6, 4, 3, 1

4. 2, 6, 3, 1, 4

5. 1, 6, 3, 2, 4

15. 

You have just completed an analysis of your local computer using Security Configuration and Analysis. Looking at the analysis results, you notice several icons have a green check mark on them. You are concerned that your settings do not match those of the template you compared your computer to. What do icons with green check marks mean?

1. A discrepancy exists between the database settings and the computer setting.

2. No analysis was performed for this item because it was not configured in the database.

3. The database setting and the computer setting match.

4. No analysis was performed for this item because it is not applicable to the computer.

12. 

þ C. The easiest way to perform the analysis on a large number of remote computers is to create a custom script or batch file using secedit /analyze. There should be an entry in the file for each computer that is to be configured, including the database to use or create, the template to use, and the log file to use or create. Each entry should specify an absolute location using UNC file locations; it is recommended to create the database and log files in a central location for easier viewing later.

ý A, B, D. Andrea will be able to perform the required security analysis easily using the secedit tool, thus Answer A is incorrect. The Connect to another computer option, available in tools such as the Computer Management console, is not available for use in the Security Configuration and Analysis snap-in, thus Answer B is incorrect. Secedit cannot use an external text file that contains the scan parameters, thus Answer D is incorrect.

13. 

þ D. The easiest method of examining the analysis results is to load each database into the Security Configuration and Analysis snap-in and look for mismatches using the GUI.

ý A, B, C. Visiting each computer locally to perform the examination is also a valid solution, but it does meet the requirement of needing the least effort, thus Answer A is incorrect. The gpresult.exe tool is not used in this fashion but instead provides you with information on applied Group Policy objects, the last time policy was applied, and several other user and computer statistics, thus Answer B is incorrect. You can sift through the text file and even use a search tool such as Windows Grep, but the text file method is not as indicative or intuitive as using the GUI, thus Answer C is also incorrect.

14. 

þ D. The correct order to perform a security analysis using the Security Configuration and Analysis snap-in is select Open database, select the database to be used, select the security template to be used, select Analyze computer now, and select the log file to be used. You do not need to select Configure computer now until you are ready to apply the database settings to the computer.

ý A, B, C, E. The correct order to perform a security analysis using the Security Configuration and Analysis snap-in is select Open database, select the database to be used, select the security template to be used, select Analyze computer now, and select the log file to be used. You do not need to select Configure computer now until you are ready to apply the database settings to the computer. Thus, Answers A, B, C, and E are incorrect.

15. 

þ C. A green check mark indicates the database setting and the computer setting match.

ý A, B, D. A discrepancy between the database and the computer settings is marked with a red X, thus Answer A is incorrect. When an analysis is not performed because no settings were configured in the database, a generic icon is displayed, thus Answer B is incorrect. When an analysis is not performed because the setting is not applicable to the computer, an exclamation point or question mark is displayed, thus Answer D is incorrect.