Appendix: Questions and Answers

Chapter 1: Group Policy
Lesson 1: Active Directory and Group Policy

Lesson Review Questions

  1. To what must you link GPOs for them to take effect?

    GPOs must be linked to Active Directory objects to take effect.

  2. What are the types of Active Directory containers?

    Domains, OUs, and sites are all Active Directory containers.

  3. What does an Active Directory hierarchy usually model?

    A business's organizational structure.

  4. What are the two reasons for a business to use more than one domain?

    Businesses use more than one domain if they are extremely large (more than 100,000 employees) or if they need especially strong security enforcement between business units.

Lesson 2: Configuring Group Policy

Exercise Question
Exercise 1: Creating GPOs

  1. Type Domain Standard Desktop as the name of the GPO. Two GPOs have now been created.

  2. Why would you want to create a separate GPO to manage settings at the same Active Directory level as an existing GPO, rather than simply modifying the existing object?

    While it is good practice to minimize the number of GPOs, it is more important to separate GPOs by widely separated themes such as security and convenience, because you are highly likely to change where these types of GPOs will be linked into the directory in the future.

Lesson Review Questions

  1. From what management tool can you create GPOs?

    From both the Active Directory Users And Computers management console and the Active Directory Sites And Services management console.

  2. When you create a GPO, what is automatically created along with it?

    A link to the Active Directory container from which you created the GPO.

  3. What is the default application order for GPOs?

    Local, site, domain, OU.

  4. Group Policy is implemented by distinct components called what?

    Group Policy client-side extensions.

Lesson 3: Configuring Client Computer Security Policy

Lesson Review Questions

  1. What is the most important security feature of Group Policy?

    The ability to restrict users to an allowed set of executables.

  2. What is the easiest way to test how Group Policy will affect a class of users?

    Create a test user account that is located in the same Active Directory container as the users you want to test.

  3. What security component is required to truly secure users and computers from potentially harmful Internet content?

    A security proxy server.

  4. What should users be restricted from using to prevent them from mis-configuring their computers?

    The MMC.

  5. Why would you delete drive mappings prior to establishing them in a logon script?

    Because mappings will be ignored if a drive mapping already exists with the same drive letter.

Lesson 4: Troubleshooting Group Policy Application

Lesson Review Questions

  1. To which file does Windows log Group Policy application errors?

    %systemroot%\Debug\userenv.log.

  2. If a new Windows 2000 client computer can log on to the local domain controller, but no Group Policy is applied for the machine or user configurations, what is the most likely problem?

    DNS is not configured correctly on the client.

  3. If you log on to a Windows 2000 domain from a Windows NT 4 computer using a user account managed by Active Directory, how will Group Policy be applied?

    The user configuration will come from Group Policy, and the machine configuration will come from system policy.

Lesson 5: Security Limitations

Lesson Review Questions

  1. What are some of the ways that users could interfere with the application of Group Policy on their computers?

    By changing DNS settings or by unplugging their computer's network cable during the logon phase.

  2. If you disable access to the C drive in a Group Policy, what methods might a user use to regain access to it?

    Using the command prompt or a third-party file manager, by connecting to the default share through the Network Neighborhood, or by using the DOS Subst command to map a different drive letter to it.

  3. If you limit a client computer to running just a single program, how might a hacker run the program of their choice?

    By renaming the program to have the same name as the allowed program.

Chapter 2: User Accounts and Security Groups
Lesson 1: Creating Local User Accounts and Security Groups

Lesson Review Questions

  1. If a user account has been deleted, can you restore it by creating a user with the same name? Why or why not?

    No, because the system identifies accounts by their SID, which would not be the same.

  2. What happens to local accounts when a computer is joined to a domain?

    Nothing. They remain available and active. However, local accounts are destroyed when a server is upgraded to domain controller status by installing Active Directory.

  3. What is the difference between workgroup background authentication and domain authentication when a user accesses a resource on a remote computer?

    Workgroup background authentication passes the user's account name and password to the remote computer, while domain authentication passes the user's SIDs between the computers involved.

Lesson 2: Working with Active Directory Domain Accounts and Security Groups

Lesson Review Questions

  1. What is the difference between a global group and a domain local group?

    Domain local groups are not added to a user's TGT or session tickets. They are added to access tokens when the access tokens are created by the server on which the session is established.

  2. Are access tokens ever transmitted across the network?

    No. Access tokens are created for each unique session on every server to which a client attaches. Security identifiers are transmitted over the network in TGT and session tickets.

  3. What are universal groups?

    Universal groups are security groups that are valid throughout the Active Directory forest for very common security group categories.

  4. What is the purpose of separating groups into user groups and resource groups, when you can use the same groups for both purposes?

    The purpose is to reduce the amount of network traffic required to create an access token. By securing a resource only with groups that are local to the domain, servers do not need to create extra inter-domain network traffic to check permissions.

Chapter 3: Restricting Accounts, Users, and Groups
Lesson 1: Understanding Account Policies

Lesson Review Questions

  1. How many logon attempts can hackers perpetrate against a Windows 2000 server in one hour?

    Over 4 million.

  2. What is the shortest recommended length for a password for a network connected to the Internet?

    At least 12 characters.

  3. What is the default maximum time difference between a client and a server before Kerberos tickets can no longer be decrypted?

    Five minutes.

Lesson 2: Managing User Rights

Lesson Review Questions

  1. How are user rights managed?

    Through Group Policy Objects linked to Active Directory containers.

  2. At what level in the Active Directory are user rights applied?

    User rights can be linked to any Group Policy container.

  3. What is the typical use of user rights?

    Applications typically modify the user rights of their service accounts during installation to properly perform their function.

  4. How often do user rights need to be modified by administrators?

    Administrators rarely need to modify user rights directly.

Lesson 3: Controlling Access Through Restricted Groups

Lesson Review Questions

  1. What is the primary purpose of restricted groups?

    To enforce control over group membership in large domains where administrative authority has been delegated widely.

  2. What subtle difference exists between the way that restricted groups handle members and the way they handle being members of another group?

    The restricted groups feature adds and removes members, and creates memberships in other groups for the restricted group, but it does not remove the restricted group from the membership of other groups.

  3. How should you create members of a restricted group?

    Add the group to the membership list of the restricted group and let Group Policy make the membership change.

Lesson 4: Administering Security Templates

Exercise Question
Exercise 6: Using the Security Configuration and Analysis Management Console

  1. In the management console, expand Security Configuration and Analysis, Account Policy, Password Policy, and select Maximum Password Age.

  2. Notice that the effective setting does not match the policy that was just applied.

    Why have the settings on this domain controller not taken effect?

    Because the local GPO settings have been overridden by the domain GPO, which has different settings.

Exercise Question
Exercise 8: Using SecEdit.exe

  1. Click OK to close the User Defined Templates Properties dialog box.

  2. Why does this exercise specify reducing security and using the Everyone group, rather than using a more secure group such as Domain Users?

    Because the security templates in this share will be accessed by startup scripts. Startup scripts run in the user context of a computer's local system account, so they are not a part of any typical security group. Everyone access is required to allow these types of machine accounts to access files prior to a user log on.

Lesson Review Questions

  1. What is the easiest way to deploy security templates?

    By importing them into Group Policy Objects.

  2. What is the primary purpose of the Security Configuration And Analysis snap-in?

    To compare a computer's effective security configuration to a security template baseline.

  3. When would it be appropriate to use the SecEdit.exe tool?

    Whenever you cannot accomplish your deployment goals using Group Policy Objects.

  4. In what format are security templates stored?

    As text files.

Chapter 4: Account-Based Security
Lesson 1: Managing File System Permissions

Lesson Review Questions

  1. What does Windows attach to a secured resource to manage permissions?

    A security descriptor containing an access control list.

  2. What is an access control list?

    A list of access control entries that specifies the actions that security principals are allowed to take on the secured resource.

  3. If a user has Read and Write permission because of a membership in one group, has Full Control because of membership in a second group, and has a Deny Write ACE because of membership in a third group, what are the user's effective permissions?

    All actions except Write will be allowed for this user.

  4. If a resource has no ACL, what are the effective permissions?

    Full Control for all users; resources without ACLs cannot be secured.

Lesson 2: Implementing Share Service Security

Exercise Question
Exercise 2: Managing Share Security

  1. In the Allow column, clear the Change permission check box.

  2. What is the effective difference between clearing the Allow check box and selecting the Deny check box?

    Clearing the Allow check box doesn't permit Information Technology users to change files, but membership in another group may allow the same user Change access. The Deny check box will prevent any member of Information Technology Users from changing files in this share, regardless of their membership in other groups.

Lesson Review Questions

  1. If you set NTFS permissions on a shared folder that allow Full Control to the Domain Admins group and no other permissions, but the share security settings allow Full Control to the Everyone group, what are the effective permissions for the folder?

    The effective permissions would be Full Control for the Domain Admins group. The most restrictive permissions are the effective permissions when NTFS and share permissions conflict.

  2. Why is it important to rely on NTFS permissions for share security?

    Because there are many ways to circumvent share security by accessing files through other mechanisms, such as FTP or local disk access.

  3. Why should you set share permissions when NTFS permissions can perform the same security function on an NTFS volume?

    Because the additional security might prevent unauthorized access in the event that NTFS permissions are incorrectly set.

Lesson 3: Using Audit Policies

Lesson Review Questions

  1. Why should you be judicious in your use of auditing rather than audit all possible events?

    Excessive auditing puts the system under unnecessary load and creates numerous unimportant security log entries that can make it difficult to find high-priority activities.

  2. How would you use auditing to determine if hackers are attempting to run a password list against the administrative account of a computer attached to the Internet?

    By enabling the account logon audit policy and searching the security log for numerous failed logon events in a short period of time.

  3. How would you use auditing to determine if an employee has been changing the reported hours worked in a Microsoft Excel spreadsheet after the accounting department has left at 5:00 P.M.?

    By enabling object access auditing, creating an SACL entry on the work hours spreadsheet to record successful write and append operations on the file, and then searching for audit events associated with the user's account that occur after 5:00 P.M.

  4. How does auditing prevent users from damaging files to which they have access?

    Auditing does not prevent users from damaging files to which they have access. It can only record that the activity occurred.

Lesson 4: Including Registry Security

Lesson Review Questions

  1. What security mechanism is used to provide security for registry keys?

    ACL-based permissions.

  2. How are registry permissions problems in Windows 2000 normally dealt with?

    Through the hotfixes and service packs developed by Microsoft.

  3. What tool is used to modify registry permissions in Windows?

    RegEdt32.

Chapter 5: Certificate Authorities
Lesson 1: Understanding Certificates

Lesson Review Questions

  1. What is the difference between a symmetrical algorithm and an asymmetrical algorithm?

    Symmetrical algorithms use the same key for encryption and decryption, whereas asymmetrical algorithms use different keys for each purpose.

  2. How does a digital signature system differ from a public key cryptosystem?

    In a public key system, the encryption key is made public. In a digital signature system, the decryption key is made public.

  3. How does a certificate authority sign a document?

    By performing a checksum operation on the document and embedding the result in an encrypted digital signature that is appended to the document.

  4. How does a CA certify another CA?

    By digitally signing that CA's certificate.

Lesson 2: Installing Windows 2000 Certificate Services

Lesson Review Questions

  1. What is the strongest standard CSP provided by Microsoft?

    Microsoft Enhanced CSP.

  2. How are certificates normally requested from a stand-alone CA?

    Through the Web service at http://localhost/certsrv.

  3. What is the primary difference between an enterprise CA and a stand-alone CA?

    Enterprise CAs can issue Windows 2000 domain-specific certificates.

  4. How many certificate authorities can a single server host?

    One.

Lesson 3: Maintaining Certificate Authorities

Exercise Question
Exercise 2: Managing the CRL

  1. When the Certificate Revocation List dialog box appears, click the Revocation List tab. Verify that the CRL is empty.

  2. Why does the CRL appear to be empty when certificates have been revoked?

    Because the CRL publication interval has not yet expired, so changes to the CRL have not yet been published.

Lesson Review Questions

  1. What are the two mechanisms through which a certificate can be rendered invalid?

    Expiration and certificate revocation.

  2. What are the two methods by which the CRL is published in Windows 2000?

    In the Active Directory database and in a text file stored in a shared file.

  3. What is the best way to back up a CA?

    By using the standard Windows 2000 Backup tool or a third-party server backup solution.

Chapter 6: Managing a Public Key Infrastructure
Lesson 1: Working with Computer Certificates

Lesson Review Questions

  1. What is the primary purpose for computer certificates in Windows 2000?

    Computer certificates are used primarily for encrypting communications using IPSec.

  2. When would you choose to use manual computer certificate deployment?

    When you have a limited number of computers that require certificates and you don't want to encumber your certificate authority with requests from numerous computers.

  3. When would you choose to use automatic computer certificate deployment?

    When you want to deploy computer certificates throughout your organization.

  4. What tool do you use to perform manual deployment?

    The Certificates management console.

  5. What tool do you use to perform automatic deployment?

    Group Policy.

Lesson 2: Deploying User Certificates

Lesson Review Questions

  1. Can administrators create user certificates on behalf of users without knowing their account user name and password?

    No. User certificates are designed to be individually requested by the user.

  2. For which purposes can user certificates be used?

    To encrypt files, authenticate with Web sites, and secure e-mail.

  3. Where is a user's certificate store permanently stored?

    In the user's profile.

  4. What is the recommended method for moving certificate stores when a user changes workstations?

    Enable roaming profiles to allow the profile to move with the user.

  5. Which certificate format is used to export and import user certificates?

    PKCS #12.

  6. Which type of certificates can be exported without being explicitly marked as exportable?

    Certificates automatically generated for EFS.

Lesson 3: Using Smart Card Certificates

Lesson Review Questions

  1. What is a smart card?

    A device containing a microprocessor and permanent memory, some of which is designated as a private store and is available only to the onboard microprocessor.

  2. Are there any types of computers that cannot support smart card readers?

    No. All computers contain the necessary hardware to support smart card readers.

  3. For what purposes are smart cards used in Windows 2000?

    For log on, e-mail security, and disk encryption.

  4. What does an administrator do to authorize a smart card to function in the domain?

    Sign it with an enrollment agent certificate.

  5. What program is used to deploy smart cards?

    Smart cards are deployed by using the Smart Card Enrollment Station page on the CertSrv Web site.

Lesson 4: Deploying S/MIME Certificates

Lesson Review Questions

  1. Why can't you use user certificates in many e-mail clients to sign and encrypt e-mail?

    Because they don't contain the user's e-mail address in the Identity field.

  2. Why is an e-mail address usually required in the Identity field of an S/MIME certificate?

    To guarantee that mail is being delivered from the e-mail address claimed in the certificate. The mail client program can ensure that the address in the certificate is the same as the address configured in the client, so there's no possibility of fraudulently stating a different e-mail address than the certificate specifies.

  3. Why don't user certificates contain e-mail addresses?

    Because e-mail addresses are not necessarily entered in Active Directory, and user certificates are optimized for automatic issuance.

  4. Why does Outlook accept user certificates if they don't contain an e-mail address?

    Because it trusts that the certificate was generated by an enterprise CA, which required a legitimate domain log on to authenticate the user.

Chapter 7: Increasing Authentication Security
Lesson 1: Supporting Earlier Versions of Windows Clients

Lesson Review Questions

  1. What are the four types of authentication supported by Windows 2000 to support current and earlier versions of Windows clients?

    LAN Manager, NTLM, NTLM version 2, and Kerberos.

  2. Which two authentication protocols are considered the most secure?

    NTLM version 2 and Kerberos.

  3. What components must be installed in Windows 98 to use NTLM version 2?

    The latest version of Internet Explorer and the Directory Services client.

  4. What encryption strength is used to secure NTLM version 2 passwords?

    128-bit encryption.

Lesson 2: Supporting Macintosh Clients

Lesson Review Questions

  1. What server component is used to provide the Apple File Service?

    Services for Macintosh.

  2. Is AppleTalk required to provide service to Macintosh clients?

    No. All recent versions of the Mac OS can use TCP/IP as their network layer transport.

  3. What client component provides NTLM version 2 authentication for Macintosh computers?

    The Microsoft User Authentication Module (UAM).

  4. Does the NTLM version 2 compatible Microsoft UAM require reversible encryption to support Macintosh clients?

    No. Reversible encryption is required for earlier UAMs and plaintext passwords only.

Lesson 3: Trust Relationships

Exercise Question
Exercise: Establishing a Trust Relationship

  1. Type \\GDI-DC1-01\Fabrikam as the name of the network place, and click Next.

  2. What would you type as the name of the server if the two servers were not on the same network?

    Gdi-dc1-01.extranet.graphicdesigninstitute.com or the server's IP address.

Lesson Review Questions

  1. What are the three reasons why you would explicitly modify trust relationships?

    To establish trust with a Windows NT 4 server, to establish trust with an external server, and to create a trust shortcut in a complex forest.

  2. What is the difference between transitive and non-transitive trust?

    Transitive trust stipulates that if domain A trusts domain B, and domain B trusts domain C, then domain A trusts domain C.

  3. What is the difference between one-way and two-way trust relationships?

    One-way trust relationships allow one domain to trust accounts in another, but not vice versa. Two-way trust relationships are reciprocal.

  4. What type of trust relationship results when you manually create a trust relationship?

    A one-way non-transitive trust relationship.

  5. What type of trust relationship is automatically created when a domain is added to a forest?

    A two-way transitive trust relationship.

Chapter 8: IP Security
Lesson 1: Configuring IPSec Within a Domain

Lesson Review Questions

  1. What are the two primary methods IPSec uses to authenticate and encrypt IP packets?

    Authenticated Headers (AH) and Encapsulating Security Payload (ESP).

  2. What are the two encrypted payload modes that IPSec supports?

    Transport mode and tunnel mode.

  3. Explain the difference between transport mode and tunnel mode.

    Transport mode encrypts the packet payload. Tunnel mode encrypts the entire packet and creates a new header to transport it.

  4. How does IKE determine whether to trust the participants when it establishes a security association?

    By the presence of the same shared secret on both systems.

  5. How is IPSec managed in Windows 2000?

    By using Group Policy.

  6. What mechanism would you use to distribute secret keys automatically in a domain?

    Kerberos secret keys can be used with minimal administrative effort.

Lesson 2: Configuring IPSec Between Untrusted Networks

Lesson Review Questions

  1. Which methods are available to distribute IKE secret keys in Windows 2000?

    Kerberos, manual keying, and certificates.

  2. When would you use manual keying rather than Kerberos or certificates?

    When servers do not participate in a domain trust relationship and do not have an IPSec compatible certificate from the same certificate authority in common.

  3. How is IPSec policy defined in Windows 2000?

    By using filter lists containing filters that specify the hosts, networks, or ports that should trigger filter actions.

  4. Name the types of traffic that are never secured by IPSec.

    Broadcast, multicast, IKE, Kerberos, or QOS.

Lesson 3: Configuring IPSec on Internet Servers

Lesson Review Questions

  1. When would it be appropriate to use certificates to distribute IKE secrets?

    Whenever no domain trust relationship exists and certificates are available for use.

  2. What are the two requirements for certificates to work correctly for IKE negotiation?

    They must be rooted in the same trusted CA, and they must contain a private key.

  3. What two portions of a GPO apply to certificate deployment?

    The IP Security portion allows you to create and apply IPSec policies, and the Automatic Certificate Request portion allows you to automatically create and deploy certificates that are compatible with IPSec to computers in a domain or OU.

Lesson 4: Troubleshooting IPSec Configuration

Lesson Review Questions

  1. What IPSec problem could have the most serious consequences?

    Thinking that data flowing between end systems is secured when it isn't.

  2. What utility is used to refresh Group Policy on a computer that receives its IPSec configuration from a domain GPO?

    Secedit.

  3. What utility is used to enable IKE logging?

    The Registry Editor.

  4. What's the easiest way to eliminate IKE as a potential problem source?

    Use manual keying.

  5. What problems might cause certificate-based IKE negotiations to fail?

    Certificates lack a private key or are not rooted in the same certificate authority.

Chapter 9: Remote Access and VPN
Lesson 1: Securing RRAS Servers

Lesson Review Questions

  1. Which utility do you use to manage most of Windows 2000's RRAS settings?

    The Routing And Remote Access management console.

  2. If you select automatic IP address assignment for an RRAS server, where do IP addresses come from?

    From a DHCP server if available, otherwise from the RRAS server's static address pool.

  3. What is the easiest way to set up an RRAS server on a Windows 2000 Server computer?

    Using the Routing And Remote Access Server Setup Wizard.

  4. How can you change the settings of a server, such as its IP addressing, after configuring RRAS?

    Using the server Properties dialog box in the Routing And Remote Access management console.

  5. How can you allow a user to connect to RRAS without using remote access policies?

    Using the dial-in properties for the user account.

Lesson 2: Managing RRAS Authentication

Exercise Question
Exercise 1: Selecting Windows Authentication Methods

  1. Select the MS-CHAP v2 check box, and clear the other check boxes.

    Why would you limit authentication options rather than simply select them all?

    To prevent users from authenticating with less secure protocols that could present their credentials in a form that is easy to intercept.

Lesson Review Questions

  1. Which RRAS authentication type can be used with an RRAS server to provide centralized authentication?

    RADIUS authentication.

  2. Which Windows authentication method uses completely unencrypted passwords?

    PAP (Password Authentication Protocol).

  3. What Windows authentication method would you use to support smart card authentication?

    EAP (Extensible Authentication Protocol).

  4. How do you manage authentication and security policy settings for an RRAS server when RADIUS authentication is in use?

    Using the Internet Authentication Service (IAS) management console.

  5. In a network using an IAS server to provide centralized management of dial-in authentication for several RRAS servers, to which machine do dial-up clients send authentication requests?

    Their local RRAS server, which then sends a request to the IAS server for authentication.

Lesson 3: Securing Remote Clients

Lesson Review Questions

  1. When RADIUS is not in use, what tool do you use to manage remote access policies?

    The Routing And Remote Access management console.

  2. If a user is connecting to an RRAS server and matches several remote access policies, which policy will be used for the connection?

    The first policy that matches, based on the order set in the console.

  3. How would you restrict the session length for a remote access policy?

    From the Edit Dial-In Profile dialog box in the policy Properties dialog box.

  4. When you answer the questions in the Connection Manager Administration Kit Wizard, where are the answers saved?

    In a service profile, stored in a .cms file.

  5. What happens if an incoming connection matches a remote access policy and the policy is set to deny access?

    The user is denied access, unless the user account is explicitly granted permission in its properties.

Lesson 4: Securing Communications Using a VPN

Lesson Review Questions

  1. Which of the VPN protocols supported by Windows 2000 Server is considered more secure?

    L2TP (using IPsec encryption).

  2. Which utility can quickly configure an RRAS server to act as a VPN server?

    The Routing And Remote Access Server Setup Wizard.

  3. Where do you add a VPN connection from a Windows 2000 Professional client?

    From the Network And Dial-up Connections window.

  4. Which VPN protocol requires certificate-based authentication?

    L2TP.

  5. What information is required from a client to connect to a remote VPN?

    The VPN server's IP address, and possibly specific protocols or encryption levels.

Chapter 10: Wireless Security
Lesson 1: Setting Up a Wireless Network

Lesson Review Questions

  1. What is the most common variant of the 802.11 protocol?

    802.11b.

  2. How does adding wireless capability to your network affect security?

    Wireless capability significantly degrades security unless strict compensating measures are taken.

  3. What is WEP?

    Wired Equivalent Privacy (WEP), a data link layer encryption protocol used to prevent snooping and unauthorized access.

  4. What is the most common method used to prevent WLANs from allowing access to a private network?

    Placing WAPs outside the firewall boundary and treating them as if they were Internet clients.

  5. What is wardriving?

    The practice of searching for unsecured WLANs that provide Internet access.

Lesson 2: Securing Wireless Networks

Exercise Question
Exercise 1: Configuring Security on a Wireless Access Point

  1. When a Restart Access Point message appears, click OK.

    You will find that you are unable to reload the management page. Why?

    Because the WAP now requires WEP encryption to connect.

Lesson Review Questions

  1. What does WEP stand for, and why was that name chosen?

    Wired Equivalent Privacy, because the security was intended to be as good as the security of a typical wired network.

  2. What types of authentication are supported?

    Open, which is not authenticated, and Shared Key, which implements shared secret key authentication.

  3. What encryption algorithm is used to encrypt WEP payloads?

    RC4 stream encryption.

  4. What common key lengths are available for use with WEP?

    40-bit, 128-bit, 154-bit, and 256-bit key lengths.

  5. Is there a standard protocol used to establish WEP secret keys among all WAPs in an enterprise?

    No standard method exists.

Lesson 3: Configuring Clients for Wireless Security

Lesson Review Questions

  1. What is the most difficult security problem that wireless networks cause?

    The illicit attachment of uncontrolled wireless equipment to your network.

  2. What security measure is required to prevent the illicit attachment of uncontrolled wireless equipment, and what protocol was developed to solve it?

    Authentication of attached equipment at the data-link layer, 802.1x.

  3. How does 802.1x work?

    It blocks all but authentication traffic from clients until an authentication server informs the WAP that the client has been authenticated.

  4. Which component of Windows 2000 is used to implement authentication for 802.1x?

    Internet Authentication Server (IAS).

  5. What is the primary problem with 802.1x that will prevent its adoption in the near term?

    All data-link layer infrastructure equipment must support the protocol for it to solve the illicit WAP attachment problem.

Chapter 11: Public Application Server Security
Lesson 1: Providing Internet Security

Lesson Review Questions

  1. Why is it difficult to protect public servers?

    Because you must allow anonymous users to connect to them while preventing those users from performing any activity that might damage the system.

  2. Are all hacking attempts serious?

    No. Automated attacks and random target-of-opportunity attacks are common. Once your network has been secured against them, they are of little consequence.

  3. What is the most important attack vector to defend against and why?

    The Internet, because other access points can be placed outside the network and treated like the Internet.

  4. What is a perimeter network?

    A security zone between the public Internet and the private network where public servers that are trusted but might be exploited are located.

  5. What are the primary types of firewalls that are available?

    Firewall routers and security proxies.

Lesson 2: Configuring Microsoft SQL Server for Internet Security

Exercise Question
Exercise 3: Verifying SQL Connectivity Through the Firewall

  1. In the SQL Server box, type 10.0.0.90.

    Why do you enter the IP address of the ISA server rather than the IP address of the SQL server in the SQL Server box?

    Because the ISA server is publishing (proxying) the SQL server's SQL Service port on its own external IP address and forwarding requests.

Lesson Review Questions

  1. Which public security problem represents more risk for most businesses: the exploitation of a Web server or the exploitation of a database server?

    Database server, because it stores proprietary and sensitive information.

  2. What is the proper security zone for a database server in a typical network architecture?

    Inside the private network.

  3. How does ISA Server secure Microsoft SQL Server database servers?

    By proxying the TCP/IP SQL protocol.

  4. How does SQL Server ensure that only specific clients can connect to it?

    By requiring SSL with certificates rooted in the same certificate authority as the server.

Lesson 3: Securing Microsoft Exchange Server for the Internet

Lesson Review Questions

  1. What are the two primary problems affecting e-mail on the Internet?

    Lack of authentication and lack of secure communication.

  2. How does Exchange Server solve these problems?

    By using SSL to secure communications.

  3. Why is it unwise to place an Exchange server in the perimeter network?

    Because Exchange 2000 servers must participate heavily in Active Directory and therefore communicate a considerable amount of private information that is difficult to securely transmit through a firewall.

  4. What are common methods used to secure an Exchange 2000 server inside a private network?

    Relaying mail through an SMTP relay in the perimeter network or using a strong security proxy like ISA Server to proxy e-mail protocols.

  5. What method of encryption does Exchange Server support for passing credentials?

    Secure Sockets Layer (SSL).

Chapter 12: Web Service Security
Lesson 1: Securing Public Web Servers

Lesson Review Questions

  1. What component provides Web services in Windows 2000 Server?

    Internet Information Services (IIS).

  2. What type of authentication is normally used for public Internet Web sites?

    Anonymous access.

  3. Which tab in the Properties dialog box for a Web site includes most security options?

    The Directory Security tab.

  4. What additional mechanisms should you use to enhance security besides IIS service-specific security options?

    IP filtering and NTFS permissions.

  5. Which services can IIS provide along with HTTP?

    FTP, SMTP, and NNTP.

Lesson 2: Web Authentication

Lesson Review Questions

  1. Which are the two least secure authentication methods?

    Basic authentication and digest authentication.

  2. Which authentication method uses Windows user accounts?

    Integrated Windows authentication.

  3. Which authentication method supports client and server certificates?

    Secure Sockets Layer (SSL).

  4. Which dialog box includes options to enable authentication methods and anonymous access?

    The Authentication Methods dialog box accessed from the Directory Security tab in the Web site Properties dialog box.

  5. For which IIS resources can you select authentication methods?

    Web sites, folders, and virtual directories.

Lesson 3: Using Secure Sockets Layer

Lesson Review Questions

  1. What is required to enable SSL on an IIS server?

    A computer certificate and client browsers that support SSL.

  2. Which feature allows you to connect user accounts with particular client certificates?

    Client certificate mapping.

  3. When a CTL is in use, which clients are allowed access?

    Clients with a certificate issued by a trusted certificate authority (CA) on the certificate trust list (CTL).

  4. Which option do you enable to prevent clients from accessing a site without a client certificate?

    Require Client Certificates.

  5. What are the two types of client certificate mapping?

    One-to-one and many-to-one.

Chapter 13: Intrusion Detection and Event Monitoring
Lesson 1: Establishing Intrusion Detection for Public Servers

Lesson Review Questions

  1. Which type of attack attempts to log on with a user's password?

    An impersonation attack.

  2. What type of attacks cannot be detected using a decoy server?

    Access to legitimate public ports and services.

  3. What is the purpose of saving event logs after an attack?

    To preserve evidence of the attack.

  4. Where in the network should a decoy server be placed?

    In the perimeter network, with public servers.

  5. What tool recognizes intrusion attempts through URLs on a Web server?

    URLScan.

Lesson 2: Event Monitoring in the Private Network

Lesson Review Questions

  1. What should you do after detecting intrusion on a system?

    Back up the event logs if possible, and shut down the server if it was damaged.

  2. What are the three basic log files used in Windows 2000?

    Application Log, System Log, Security Log.

  3. Where can you manage log retention settings?

    In the Group Policy properties for the domain.

  4. Which utility allows you to search for events in logs across a network?

    EventComb.

  5. Where does EventComb store its results?

    In a text file it creates.

Chapter 14: Software Maintenance
Lesson 1: Working with Service Packs and Hotfixes

Lesson Review Questions

  1. Which utility displays a summary of service pack and hotfix levels for a computer?

    Qfecheck.exe.

  2. Which type of update is not affected by other software updates?

    Service packs.

  3. What is the name for the process of adding updates to a set of operating system installation files?

    Slipstreaming.

  4. From what two sources can Remote Installation Services (RIS) create an installation image?

    A computer with the operating system installed, or a set of installation files.

  5. What are the requirements for the disk used to store a RIS installation image?

    NTFS format, and must not be the system volume.

Lesson 2: Automating Updates with Microsoft Software Update Services

Lesson Review Questions

  1. Which Windows Update feature notifies users of critical updates and optionally installs updates automatically?

    Automatic Updates.

  2. What two sources can be used to obtain the latest updates using Automatic Updates?

    Microsoft Windows Update servers or a local Software Update Services (SUS) server.

  3. What service provides a local version of the Windows Update service?

    Microsoft Software Update Services (SUS).

  4. How can clients be configured to update using an SUS server?

    Using Group Policy.

  5. Where are notification settings for Automatic Updates managed?

    In the Automatic Updates dialog box you access through Control Panel.

Lesson 3: Deploying Updates in the Enterprise

Lesson Review Questions

  1. Which file format does Group Policy support for installation files?

    Windows Installer .msi packages.

  2. What is the package file name for a service pack?

    Update.msi.

  3. Are user or computer policies better for deploying service packs?

    Computer policies.

  4. What is the purpose of the Qchain.exe utility?

    To allow the installation of multiple hotfixes without rebooting.

  5. For which hotfixes is Qchain.exe required?

    For anything prior to Windows 2000 Service Pack 3 or Windows XP.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
EAN: 2147483647
Year: 2003
Pages: 82
