Objective 1.1: Questions




1. 

You are in the process of planning the development of a security template that will be applied to the 35 domain controllers that are used to support your organization’s nationwide domain. All domain controllers run Windows Server 2003, Standard Edition. Your company has 15 branch sites, each with two domain controllers for the purpose of redundancy. Your headquarters site hosts five domain controllers to cope with the increased load in addition to roles such as schema master and global catalog server. Out of the 15 branch sites, the largest eight also have one of their domain controllers serving the global catalog server role. Each of the domain controllers is also able to respond to host name lookup requests in addition to processing host name updates.

Which of the following system services can be disabled in the security template to be applied to the organization’s 35 domain controllers?

  1. distributed file system (DFS)

  2. Kerberos Key Distribution Center (KDC)

  3. Distributed Transaction Coordinator

  4. intersite messaging


2. 

You are planning a security template that is to be applied to an organizational unit that hosts a group of computers running Windows Server 2003 on which Exchange Server 2003 is to be installed. Your domain is running at the Windows Server 2003 functional level. You need to ensure that Exchange Server 2003 can be installed when the security template is imported to a GPO that is applied to the OU that holds the member systems running Windows Server 2003. Which of the following services do you need to enable in the security template? (Select all that apply.)

  1. World Wide Web publishing service

  2. Simple Mail Transfer Protocol (SMTP) service

  3. Terminal Services

  4. Telnet service

  5. Network News Transfer Protocol (NNTP) service


3. 

Rooslan is planning a security template for several domain controllers in his organization, Tailspin Toys. Rooslan has a set of goals that the security template he is planning must meet. These goals are divided into primary and secondary goals, and are as follows:

Primary Goal: Allow members of the Backup Operators group to log on by means of Terminal Services to restore files and directories on the domain controllers.

Secondary Goal 1: Allow only members of the Administrators and Server Operators groups to shut down the domain controller.

Secondary Goal 2: Ensure that the next time a user changes his or her password, the domain controller does not store the LAN Manager hash value for the new password.

Using the Security Templates add-in on a custom MMC, Rooslan configures the following policies in a new security template called RooslanDC:

Allow log on through Terminal Services: Administrators, Backup Operators

Enable computer and user accounts to be trusted for delegation: Administrators

Restore files and directories: Administrators, Server Operators

Shut down the system: Administrators, Server Operators, Backup Operators

Network security: Do not store LAN Manager hash value on next password change

When the RooslanDC template is imported into the default domain controllers GPO, which of Rooslan’s primary and secondary goals will be met?

  1. Rooslan’s primary goal and both secondary goals will be met.

  2. Rooslan’s primary goal and one secondary goal will be met.

  3. Rooslan’s primary goal will be met, but no secondary goals will be met.

  4. Rooslan’s primary goal will not be met, but both secondary goals will be met.

  5. Rooslan will only meet one secondary goal.


4. 

You are planning a security template for an Internet Authentication Service (IAS) server that is to be located on your company’s perimeter network (also known as DMZ, demilitarized zone, and screened subnet) LAN. Users will authenticate against the server with their domain accounts. The internal firewall has been configured to allow necessary traffic between the IAS server and the organization’s domain controllers. At present, you are considering which services the template should start automatically. The template will be configured so that all services that are not critical to the function of the IAS server will be disabled. Which of the following services is critical for the function of an IAS server? (Select all that apply.)

  1. Certificate Services

  2. Background Intelligent Transfer Service

  3. Distributed Link Tracking Server

  4. Netlogon

  5. IAS service


5. 

You are configuring a baseline security policy for two computers running Windows Server 2003 that run Internet Information Services (IIS). The servers are used to display sensitive information to authenticated users via a secure HTTP connection. You are deciding which services should be disabled on the server in the security template that will eventually be imported into the Group Policy that is applied to the OU in which the servers reside. Which of the following services should not be disabled on these two particular servers? (Select all that apply.)

  1. HTTP Secure Sockets Layer (SSL)

  2. IIS Admin Service

  3. IAS service

  4. Certificate Services

  5. World Wide Web publishing service


Answers

1. 

Correct Answers: D

  1. Incorrect The Active Directory System Volume (Sysvol) requires that the DFS service be running.

  2. Incorrect The question text indicates that all of the domain controllers are functioning in Active Directory integrated mode. This means that DNS duties are distributed across the domain with any domain controller server being able to respond to requests or process updates.

  3. Incorrect The KDC service is required to allow security accounts to log on to the network. A non-functional KDC service means that logon authentication cannot complete.

  4. Correct This service is not used by domain controllers. It is used on servers such as database servers for coordinating transactions that are distributed across multiple systems.

  5. Incorrect Intersite messaging is used by the Active Directory replication processes and is hence a service that must be active on a domain controller.

2. 

Correct Answers: A, B, and E

  1. Correct To install Exchange Server 2003, the World Wide Web publishing service, the NNTP service, and the SMTP service must be installed and enabled. If these services are not enabled, Exchange Server 2003 will not install.

  2. Correct To install Exchange Server 2003, the World Wide Web publishing service, the NNTP service, and the SMTP service must be installed and enabled. If these services are not enabled, Exchange Server 2003 will not install.

  3. Incorrect Terminal Services does not need to be installed for the Exchange Server 2003 setup program to function correctly. To install Exchange Server 2003, the World Wide Web publishing service, the NNTP service, and the SMTP service must be installed and enabled. If these services are not enabled, Exchange Server 2003 will not install.

  4. Incorrect The Telnet service does not need to be functional for the Exchange Server 2003 setup program to execute. To install Exchange Server 2003, the World Wide Web publishing service, the NNTP service, and the SMTP service must be installed and enabled. If these services are not enabled, Exchange Server 2003 will not install.

  5. Correct To install Exchange Server 2003, the World Wide Web publishing service, the NNTP service, and the SMTP service must be installed and enabled. If these services are not enabled, Exchange Server 2003 will not install.

3. 

Correct Answers: E

  1. Incorrect Rooslan’s primary goal is not met because the Backup Operators group, while being able to log on to each domain controller via Terminal Services, does not have the right to restore files. The first secondary goal is not met because members of the Backup Operators group do have the right to shut down the server, and this right should be limited only to Administrators and Server Operators. The second secondary goal is met because the next time a user changes his or her password, the LAN Manager hash value will not be stored.

  2. Incorrect Rooslan’s primary goal is not met because the Backup Operators group, while being able to log on to each domain controller via Terminal Services, does not have the right to restore files. The first secondary goal is not met because members of the Backup Operators group do have the right to shut down the server, and this right should be limited only to Administrators and Server Operators. The second secondary goal is met because the next time a user changes his or her password, the LAN Manager hash value will not be stored.

  3. Incorrect Rooslan’s primary goal is not met because the Backup Operators group, while being able to log on to each domain controller via Terminal Services, does not have the right to restore files. The first secondary goal is not met because members of the Backup Operators group do have the right to shut down the server, and this right should be limited only to Administrators and Server Operators. The second secondary goal is met because the next time a user changes his or her password, the LAN Manager hash value will not be stored.

  4. Incorrect Rooslan’s primary goal is not met because the Backup Operators group, while being able to log on to each domain controller via Terminal Services, does not have the right to restore files. The first secondary goal is not met because members of the Backup Operators group do have the right to shut down the server, and this right should be limited only to Administrators and Server Operators. The second secondary goal is met because the next time a user changes his or her password, the LAN Manager hash value will not be stored.

  5. Correct Rooslan’s primary goal is not met because the Backup Operators group, while being able to log on to each domain controller via Terminal Services, does not have the right to restore files. The first secondary goal is not met because members of the Backup Operators group do have the right to shut down the server, and this right should be limited only to Administrators and Server Operators. The second secondary goal is met because the next time a user changes his or her password, the LAN Manager hash value will not be stored.

4. 

Correct Answers: D and E

  1. Incorrect Certificate Services is critical for the function of a Certificate Server, but not for an IAS server.

  2. Incorrect The Background Intelligent Transfer Service is not used by an IAS server.

  3. Incorrect Distributed Link Tracking Server is used for tracking linked files across NTFS drives and has nothing to do with running an IAS server.

  4. Correct Netlogon maintains a secure channel between the IAS server and a domain controller so that authentication can occur against domain accounts.

  5. Correct The IAS Service forms the core of an IAS server’s functions, and hence is mandatory in any security template supporting the IAS server role.

5. 

Correct Answers: A, B, and E

  1. Correct HTTP SSL allows Windows Server 2003 systems running IIS to respond to SSL traffic. Given that the servers are used to display sensitive information to authenticated users via secure HTTP, this service must not be disabled.

  2. Correct The IIS Admin Service allows the administration of all areas of IIS. If this service is disabled, Web requests will fail.

  3. Incorrect The IAS service is used for Remote Authentication Dial-in User Service (RADIUS) servers, not for IIS servers authenticating clients.

  4. Incorrect This service is used by Windows when it is installed as a certification authority (CA). Although authentication can be carried out with a certificate, this service is not necessary on a system running Windows Server 2003 that is working as described in the scenario.

  5. Correct This service must be running for Web pages to be served up by the systems running Windows Server 2003.






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
