Objective 1.2: Questions

1. 

You are configuring a new security template for a computer running Windows Server 2003. The computer will be running IIS. The server will be accessed only by users who have specific log on names and passwords. The new security template is called IIS- SERVERS. You have configured the Audit Policy section so that the “Audit account logon events” and “Audit logon events” sections will audit success and failure.

You are currently editing the Event Log settings of the template. The editing window is displayed in the figure below. You want to ensure that the log that records the user’s name and the location that they are coming from remains recorded until the relevant log is manually cleared. You also want to set the maximum log size of the relevant log to 16,385 KB. Which policies from this figure should you configure by using the security template? (Select two.)

1. maximum application log size

2. maximum security log size

3. maximum system log size

4. retention method for application log

5. retention method for security log

6. retention method for system log

2. 

You have created a domain local security group named IISADMINS in the single domain that is used at your organization. This group will be assigned special permissions and rights on your organization’s Web servers. You want to limit the membership of that group to four users: Orin, Oksana, Kasia, and Shan. The computers running Windows Server 2003 that host the organization’s Web Servers have all been placed in an organizational unit named IISSERV. IISSERV is a child OU of the MEMBERSERV OU. There are three sites at your company: HQ, Branch One, and Branch Two. Two IIS servers are located at Branch One, three are located at HQ, and one is located at Branch Two. You have configured the restricted groups node of a security template as shown in the figure below. The IISADMINS group has been assigned permissions only on the servers that are located within the IISSERV OU. Which of the following methods represents the best way of using this security template to meet your goal of limiting the membership of the IISADMINS group to the specified users?

1. Import the Restricted-Group-IISADMINS security template into the Default Domain GPO.

2. Import the Restricted-Group-IISADMINS security template into a GPO which you then apply to the IISSERV OU.

3. Create a GPO, import the Restricted-Group-IISADMINS security template, and apply the GPO to the IISADMINS group.

4. Log on to each IIS server locally and import the Restricted-Group-IISADMINS security template into the local Group Policy object.

3. 

Rooslan is the senior systems administrator at Tailspin Toys. There is a group of developers at the company who need to be given access to modify the HKEY_LOCAL_MACHINE hive on member systems running Microsoft Windows XP Professional and Windows Server 2003. These member systems are located within the EASTDEV organizational unit. All of the developers’ user accounts are also located in the EASTDEV organizational unit. Which of the following courses of action should Rooslan take to ensure that only the developers get the required access to the HKEY_LOCAL_MACHINE hive, and that they get access only to the specified computers?

1. Rooslan should create a security template and add the registry key MACHINE. In the Database Security dialog box, he should change the security setting of the USERS group to Full Control: Allow. He should then select the permissions to Propagate Inheritable Permissions To All Subkeys. He should save the security template as TST-DEV. He should create a GPO and import the security template. He should then apply the GPO to the EASTDEV OU.

2. Rooslan should create a security template and add the registry key MACHINE. In the Database Security dialog box, he should change the security setting of the USERS group to Full Control: Allow. He should then select the permissions to Propagate Inheritable Permissions To All Subkeys. He should save the security template as TST-DEV. He should create a GPO and import the security template. He should then apply the GPO to the Domain that hosts the EASTDEV OU.

3. Rooslan should create a security template and add the registry key MACHINE. He should add the user accounts of all of the developers that require this access to a universal security group named DEVREG. In the Database Security dialog box, he should add the DEVREG group and set its security setting to Full Control: Allow. He should then select the permissions to Propagate Inheritable Permissions To All Subkeys. He should save the security template as TST-DEV. He should create a GPO and import the security template. He should then apply the GPO to the EASTDEV OU.

4. Rooslan should create a security template and add the registry key MACHINE. He should add the user accounts of all of the developers that require this access to a universal security group named DEVREG. In the Database Security dialog box, he should add the DEVREG group and set its security setting to Full Control: Allow. He should then select the permissions to Propagate Inheritable Permissions to All Subkeys. He should save the security template as TST-DEV. He should create a GPO and import the security template. He should then apply the GPO to the domain that hosts the EASTDEV OU.

5. Rooslan should create a security template and add the registry key CLASSES_ROOT. He should add the user accounts of all of the developers that require this access to a universal security group named DEVREG. In the Database Security dialog box, he should add the DEVREG group and set its security setting to Full Control: Allow. He should then select the permissions to Propagate Inheritable Permissions To All Subkeys. He should save the security template as TST- DEV. He should create a GPO and import the security template. He should then apply the GPO to the EASTDEV OU.

4. 

Rooslan works for a medium-sized enterprise that has a single Windows Server 2003 functional level domain. Rooslan has the following goals for the security configuration of a group of workstations running Windows XP Professional that belong to members of the DEVELOPERS security group.

Primary Goal: That the IPSEC Services, the Error Reporting Service, the Indexing Service, and the Smart Card service can all be started, stopped, and paused by members of the DEVELOPERS security group.

First Secondary Goal: That members of the DEVELOPERS group be given full control over the HKEY_LOCAL_MACHINE\HARDWARE, HKEY_LOCAL_MACHINE\SOFTWARE, and HKEY_LOCAL_MACHINE\SYSTEM hives of the registry on their workstations running Windows XP Professional.

Second Secondary Goal: That the right to debug programs, adjust memory quotas for a process, and increase scheduling priority be assigned to members of the DEVELOPERS group.

Which of these goals can Rooslan achieve by configuring a security template and importing it into a GPO that is applied to an organizational unit in which the workstations running Windows XP Professional belonging to members of the DEVELOPERS security group reside? (Select one.)

1. The primary and both secondary goals can be accomplished by configuring a security template and importing it into the GPO applied to the OU housing the workstations running Windows XP Professional.

2. The primary and one secondary goal can be accomplished by configuring a security template and importing it into the GPO applied to the OU housing the workstations running Windows XP Professional.

3. The primary goal, but no secondary goals, can be accomplished by configuring a security template and importing it into the GPO applied to the OU housing the workstations running Windows XP Professional.

4. Both secondary goals can be accomplished by configuring a security template and importing it into the GPO applied to the OU housing the workstations running Windows XP Professional. The primary goal cannot be accomplished by this method.

5. One secondary goal can be accomplished by configuring a security template and importing it into the GPO applied to the OU housing the workstations running Windows XP Professional. The primary goal cannot be accomplished by this method.

5. 

Part of understanding the benefits of security templates is understanding what the limitations of those templates are. Which of the following policies can be configured by importing a security template? (Select all that apply.)

1. registry permissions

2. wireless network (IEEE 802.11) policies

3. disk quotas

4. folder redirection

5. event log policies

6. 

Which tool would you use to configure policy files for clients running Windows NT Workstation 4.0 that are located in a Windows Server 2003 mixed mode domain?

1. POLEDIT.EXE

2. REGEDIT.EXE

3. REGEDT32.EXE

4. Security Templates snap-in for the MMC

1. 

Correct Answers: B and E

1. Incorrect The application log does not store this information. The security log stores the information that you are interested in.

2. Correct The security log stores the relevant information. By setting the maximum log size of the security log to 16,385 KB and ensuring that the log must be cleared manually, you will meet the goal of this scenario.

3. Incorrect The system log does not store this information. The security log stores the information that you are interested in.

4. Incorrect The security log, rather than the application log, is the log of interest in this scenario.

5. Correct This policy will need to be set to “Do not overwrite events (clear log manually)” to meet the conditions of the scenario.

6. Incorrect The security log, rather than the system log, is the log of interest in this scenario.

2. 

Correct Answers: B

1. Incorrect Unless there is good reason to do otherwise, try to be as specific as possible when importing security templates. Because this template influences only servers in the IISSERV OU, this OU is the best place to apply a GPO that has had this template imported.

2. Correct This answer follows the principle of applying Group Policy objects as specifically as possible. Rather than all computers in the domain having to process this policy when it isn’t relevant, only member systems in the IISSERV OU will have to process it.

3. Incorrect Group Policy objects cannot be applied to groups. They can be applied only to organizational units, sites, and domains.

4. Incorrect The Restricted Groups node is not available in local Group Policy objects. This security template can only be used on policies applied at the site, domain, or organizational unit level.

3. 

Correct Answers: C

1. Incorrect Performing these steps will give all users, not just the developers, full control permission to the HKEY_LOCAL_MACHINE hive of computer objects within the EASTDEV OU.

2. Incorrect Performing these steps will give all users in the domain full control permission to the HKEY_LOCAL_MACHINE hive of the registry on every computer object within the domain.

3. Correct Performing this set of steps will provide Rooslan with the desired outcome. He has limited the permissions to only those developers that require them. He has applied the GPO with the requisite security settings to the correct OU, meaning that only computer objects within that OU will fall under its influence.

4. Incorrect This particular sequence gives the developers access to the HKEY_LOCAL_MACHINE hive of the registry to all computer objects in the domain.

5. Incorrect Performing these steps will give the required permissions to the wrong hive of the registry. This sequence will grant allow full control to HKEY_CLASSES_ROOT rather than HKEY_LOCAL_MACHINE.

4. 

Correct Answers: A

1. Correct All of Rooslan’s goals with respect to security policy can be configured by importing a properly configured security template.

2. Incorrect All of Rooslan’s goals with respect to security policy can be configured by importing a properly configured security template.

3. Incorrect All of Rooslan’s goals with respect to security policy can be configured by importing a properly configured security template.

4. Incorrect All of Rooslan’s goals with respect to security policy can be configured by importing a properly configured security template.

5. Incorrect All of Rooslan’s goals with respect to security policy can be configured by importing a properly configured security template.

5. 

Correct Answers: A and E

1. Correct Registry permissions are located under the Windows Components | Security Settings node of the Computer Configuration section of Group Policy. Registry permissions can be configured by importing a security template.

2. Incorrect Although wireless network policies are located under the Windows Components | Security Settings node of the Computer Configuration section of Group Policy, wireless network policies cannot be configured by importing a security template.

3. Incorrect Disk quota policies are not located within the Security Settings node and hence cannot be configured by importing a security template.

4. Incorrect Folder redirection policies are not located within the Security Settings node and hence cannot be configured by importing a security template.

5. Correct Event log policies are located under the Windows Components | Security Settings node of the Computer Configuration section of Group Policy. Event log policies can be configured by importing a security template.

6. 

Correct Answers: A

1. Correct POLEDIT.EXE is used to configure policies for computers running Windows NT Workstation 4.0 and Windows NT Server 4.0. Policies are used to secure computers running Windows NT Workstation 4.0 and Windows NT Server 4.0 because they are not able to be fully configured using Active Directory technology, which made its debut with Windows 2000.

2. Incorrect REGEDIT.EXE is used to edit the registry of computers running Windows. Although many settings can be configured in the registry, it is not used to configure policy files for clients running Windows NT Workstation 4.0.

3. Incorrect REGEDT32.EXE is used to edit the registry of computers running Windows. Although many settings can be configured in the registry, it is not used to configure policy files for clients running Windows NT Workstation 4.0.

4. Incorrect The Security Templates snap-in interfaces with Group Policy objects. It cannot be used to configure policy files for clients running Windows NT Workstation 4.0 in a Windows Server 2003 mixed mode domain.