Objective 1.5 Questions




1. 

You are configuring a workstation running Windows XP Professional to work as an information kiosk at the local shopping mall. You want to limit the functionality so that teenagers who regularly visit the mall cannot hijack the system and use it for purposes other than for providing information to mall patrons about the services available. The information is provided by means of a custom Web application that runs off a computer running Windows Server 2003 and IIS that is located in the shopping mall’s administrative section. Which of the following lockdown options cannot be applied by means of the Windows XP Professional local GPO?

  1. Security Zones: Do not allow users to add/delete sites.

  2. Security Zones: Do not allow users to change policies.

  3. Enable/Disable image caching.

  4. Make proxy settings per machine (rather than per user).


2. 

You want to lock down Microsoft Internet Explorer as much as possible for computers located in a student laboratory at the local college. You have the following goals:

Primary Goal: The students are allowed to run only specific applications, such as Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. This is to stop the students from running unauthorized programs such as network games.

First Secondary Goal: The students are prevented from accessing the command prompt. Students should also be prevented from locking the computer by using Ctrl+Alt+Del. This is so that students do not lock the screen when they leave the laboratory, denying access to other students.

Second Secondary Goal: The students are prevented from accessing the registry editing tools. The students are also restricted from running the programs chat.exe and strategy.exe from Windows Help. This is because some enterprising students found a way to create Help files to launch these particular applications.

You perform the following tasks:

Create an organizational unit called LAB MACHINES and move all of the computer accounts into this organizational unit. Create another organizational unit called LAB STUDENTS and move all of the user accounts of students that use the lab into this organizational unit. Create a Group Policy object with the following settings:

User Configuration\Administrative Templates\System

\Ctrl+Alt+Del Options\Remove Change Password: Configured

\Ctrl+Alt+Del Options\Remove Task Manager: Configured

\Run only allowed Windows applications

\Prevent access to the command prompt: Configured

\Restrict these programs from being launched from help: Configured

\Prevent access to the command prompt: Configured

\Prevent access to registry editing tools: Configured

You edit the “Restrict these programs from being launched from help” policy and add chat.exe and strategy.exe. After you have performed all of the listed tasks, which of your goals have you achieved?

  1. The primary goal and both secondary goals are achieved.

  2. The primary goal and one secondary goal are achieved.

  3. The primary goal is achieved. No secondary goals are achieved.

  4. The primary goal is not achieved. Both secondary goals are achieved.

  5. The primary goal is not achieved. One secondary goal is achieved.


3. 

You are configuring an IIS system that runs on Windows Server 2003. For the purposes of security, you want to limit the installed components to only those that are critical for the operation of the system. The system only serves up static Web pages in HTML format. It provides no dynamic Web pages, nor does it provide any type of Web application or Web service. The server will be patched manually and will not use the Windows Update or Software Update Service. Given this information, which of the following components in the Application Server dialog box or the Internet Information Services dialog box, located in the Add/Remove Windows Components section of Add/Remove Programs, do not need to be installed on this server for it to be able to complete its function? (Select all that apply.)

  1. Enable network COM+ access.

  2. Message Queuing

  3. Background Intelligent Transfer Service (BITS) server extension

  4. Microsoft FrontPage 2002 Server Extensions

  5. common files


4. 

Recently, your security audits have shown repeated brute force dictionary attacks occurring against the local administrator accounts on computers running Windows XP Professional, Windows NT 4.0 Workstation, and Windows Server 2003 on your network. Your network is made up of a forest of three domains. The root domain, tailspintoys.com, is made up entirely of computers running Windows Server 2003. The child domain, structured.tailspintoys.com, is made up of computers running Windows Server 2003 and Windows XP Professional. The child domain, legacy.tailspintoys.com, is made up of computers running Windows Server 2003 and Windows NT 4.0 Workstation. The attack appears unsophisticated in that it only targets the Administrator account and does not try to gain access to other accounts. With this in mind, you decide to change the name of the Administrator account on all computers in your forest to Sysmanager. Because the attack is singling out the Administrator account specifically, it will not have any chance of success after the name is changed to Sysmanager. Which of the following represents a method of changing the name of the Administrator account to Sysmanager on all computers in the forest?

  1. Create a new GPO and apply it to the tailspintoys.com domain. In this GPO, configure the Accounts: Rename Administrator Account policy to rename the administrator account to Sysmanager. Run GPUPDATE /FORCE on the schema master to propagate this change throughout the forest.

  2. Create a new GPO and apply it to the tailspintoys.com domain. In this GPO, configure the Accounts: Rename Administrator Account policy to rename the administrator account to Sysmanager. Perform the same action on the two child domains. Run GPUPDATE /FORCE in all three domains to propagate this change.

  3. Create a new GPO and apply it to the tailspintoys.com domain. In this GPO, configure the Accounts: Rename Administrator Account policy to rename the administrator account to Sysmanager. Perform the same action on the structured.tailspintoys.com child domain. Run GPUPDATE /FORCE in both domains to propagate this change. In the legacy.tailspintoys.com domain, manually rename the local administrator account to Sysmanager on each of the computers running Windows NT 4.0 Workstation and Windows Server 2003.

  4. Create a new GPO and apply it to the tailspintoys.com domain. In this GPO, configure the Accounts: Rename Administrator Account policy to rename the administrator account to Sysmanager. Perform the same action on the legacy.tailspintoys.com child domain. Run GPUPDATE /FORCE in both domains to propagate this change. In the structured.tailspintoys.com domain, manually rename the local administrator account to Sysmanager on each of the computers running Windows NT 4.0 Workstation and Windows Server 2003.


Answers

1. 

Correct Answers: C

  1. Incorrect: This policy can be applied at the local GPO level. This policy is found in the Computer Configuration\Administrative Templates\Internet Explorer node of the local GPO.

  2. Incorrect: This policy can be applied at the local GPO level. This policy is found in the Computer Configuration\Administrative Templates\Internet Explorer node of the local GPO.

  3. Correct: This option is configured by editing the registry; it cannot be configured by means of the local GPO. This key can be found at HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\IMAGE CACHING. Although you are not expected to be familiar with the Windows registry for the security exam, you are expected to be knowledgeable about the policies that can be applied by means of local and non-local Group Policy objects. The other settings in this question are all reasonably obvious policies; this one should be the only one that stands out as unusual.

  4. Incorrect: This policy can be applied at the local GPO level. This policy is found in the Computer Configuration\Administrative Templates\Internet Explorer node of the local GPO.

2. 

Correct Answers: E

  1. Incorrect: The primary goal is not achieved because, although the “Run only allowed Windows applications” policy was configured, the specific programs Word, Excel, and PowerPoint were not added. A hint to the fact that this had not occurred was given in that the specific programs that were restricted from running by means of Help were added. The first secondary goal is not achieved because the lock workstation option was not configured in Group Policy. The second secondary goal is achieved.

  2. Incorrect: The primary goal is not achieved because, although the “Run only allowed Windows applications” policy was configured, the specific programs Word, Excel, and PowerPoint were not added. A hint to the fact that this had not occurred was given in that the specific programs that were restricted from running by means of Help were added. The first secondary goal is not achieved because the lock workstation option was not configured in Group Policy. The second secondary goal is achieved.

  3. Incorrect: The primary goal is not achieved because, although the “Run only allowed Windows applications” policy was configured, the specific programs Word, Excel, and PowerPoint were not added. A hint to the fact that this had not occurred was given in that the specific programs that were restricted from running by means of Help were added. The first secondary goal is not achieved because the lock workstation option was not configured in Group Policy. The second secondary goal is achieved.

  4. Incorrect: The primary goal is not achieved because, although the “Run only allowed Windows applications” policy was configured, the specific programs Word, Excel, and PowerPoint were not added. A hint to the fact that this had not occurred was given in that the specific programs that were restricted from running by means of Help were added. The first secondary goal is not achieved because the lock workstation option was not configured in Group Policy. The second secondary goal is achieved.

  5. Correct: The primary goal is not achieved because, although the “Run only allowed Windows applications” policy was configured, the specific programs Word, Excel, and PowerPoint were not added. A hint to the fact that this had not occurred was given in that the specific programs that were restricted from running by means of Help were added. The first secondary goal is not achieved because the lock workstation option was not configured in Group Policy. The second secondary goal is achieved.

3. 

Correct Answers: B, C, and D

  1. Incorrect: This component is required for the World Wide Web Service and IIS Manager to function.

  2. Correct: This particular service does not need to be enabled for the functions described in the question to be performed.

  3. Correct: This service is required if the computer running Windows Server 2003 will be automatically updated with patches and hotfixes. Because this is to be done manually in this case, this component does not need to be installed.

  4. Correct: FrontPage 2002 Server Extensions need to be enabled only if they are actually used. Because the question makes no mention of FrontPage 2002 Extensions, it is safe to assume that this component does not need to be installed.

  5. Incorrect: IIS requires the common files to run. Without them, IIS is unable to function.

4. 

Correct Answers: C

  1. Incorrect: This will only rename the administrator account in the root domain. The two child domains will retain their original settings.

  2. Incorrect: Although this will rename the administrator account on all of the computers running Windows Server 2003 and Windows XP Professional, it will not rename the administrator account on the computers running Windows NT 4.0 Workstation.

  3. Correct: Performing these actions will achieve your goals. Workstations running Windows NT 4.0 cannot have their administrator accounts renamed by means of Group Policy as they are not Group Policy aware.

  4. Incorrect: This solution will not work because the workstations running Windows NT 4.0 are located in the legacy.tailspintoys.com domain, not the structured.tailspintoys.com domain.






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
