Questions and Answers




Lesson 1 Review

Page
2-16

1. 

Sam is a member of both the IT group and the Administrators group. Sam is attempting to access a file with the following permissions:

  • Administrators: Grant Full Control

  • IT: Grant Modify

What are Sam's effective privileges to the file?

  1. Full Control

  2. Modify

  3. Read & Execute

  4. Read

  5. Write

  6. None


2. 

Sam is a member of both the IT group and the Administrators group. Sam is attempting to access a file with the following permissions:

  • Administrators: Grant Full Control

  • IT: Deny Full Control

What are Sam's effective privileges to the file?

  1. Full Control

  2. Modify

  3. Read & Execute

  4. Read

  5. Write

  6. None


3. 

Which of the following is a standard permission for a file or folder?

  1. Read Attributes

  2. Delete

  3. Read & Execute

  4. Take Ownership


Answers

1. 

a. Sam has Full Control over the file because he is a member of the Administrators group, and nothing has overridden the ACE assigning Full Control privileges to the Administrators group.

2. 

f. Sam will be denied access to the file because Sam is a member of the IT group. The Deny ACE assigned to the IT group overrides all ACEs that grant privileges.

3. 

c. Read & Execute is a standard file and folder permission. The other options are valid special permissions.

Lesson 2 Review

Page
2-35

1. 

Which of the following built-in groups is present on a domain controller?

  1. Administrators

  2. Power Users

  3. DHCP Users

  4. Backup Operators


2. 

Which of the following special groups could you assign to an ACL to prevent access from unauthenticated users?

  1. Everyone

  2. Anonymous Logon

  3. Authenticated Users

  4. Interactive


3. 

Which of the following are not available at the Windows 2000 native domain functional level?

  1. Universal groups

  2. Nesting groups

  3. Converting groups

  4. Renaming domain controllers

  5. SID history


4. 

Which of the following group types could be nested within a universal group?

  1. Local group

  2. Domain local group

  3. Global group

  4. Distribution group


Answers

1. 

c. DHCP Users is a domain group. All the other options exist in the local user database of standalone or member servers.

2. 

b. The Anonymous Logon special group contains members who have not been authenticated.

3. 

d. Renaming domain controllers is not an option when using the Windows 2000 native domain functional level.

4. 

c. Global groups can be nested within universal groups.

The following table provides the answers.

Table: Group Naming Exercise-Answer Key

| Existing group name | Description | Recommended group name |
| --- | --- | --- |
| Sales-Main | Sales global group for all sales personnel | GG Sales All |
| Sales-Mgr | Sales global group for sales managers | GG Sales Managers |
| Sales-Main Office | Sales global group for sales personnel located in the main office | GG Sales Main Office |
| Sales-Brn | Sales global group for personnel located in branch offices | GG Sales Branch Offices |
| Sales-Prnt Mngr | Domain local group of sales personnel who can manage the printer located in building 25 | DL Sales Bldg25 Print Managers |
| Sales-Prnt User | Domain local group of sales personnel who can print to the printer located in building 25 | DL Sales Bldg25 Print Users |

Lesson 3 Review

Page
2-45

1. 

Which of the following group names was created with an effective group naming strategy?

  1. HR

  2. GG BOS HR

  3. Cohowinery Global Group Boston Human Resources

  4. Resources Human


2. 

Is the User/ACL or the Account Group/ACL method more effective in large enterprises?

Account Group/ACL. This method of assigning rights scales more effectively in large enterprises.

Which of the following describes the principle of least privilege?

  1. Ensure that users have the minimal privileges necessary to do their jobs.

  2. Ensure that users have no permissions unless they have authenticated with both a password and a smart card.

  3. Create users with administrator privileges and then gradually reduce their privileges to the lowest level possible that allows applications to still function.

  4. Unauthenticated users must have the lowest level of privileges on the network.


Answers

1. 

b. The naming strategy used to create this group name produced a short but descriptive group name.

2. 

a. The principle of least privilege states that only the minimal rights required by users should be assigned.

Lesson 4 Review

Page
2-54

1. 

John is a member of both the IT and Finance groups. When John attempts to edit a file, he is denied access. Which of the following scenarios are potential causes of this problem? (Choose all that apply.)

  1. The IT group has the Deny Read & Execute file permission assigned, and the Finance Group has the Grant Modify permission assigned.

  2. The IT group has the Grant Modify permission assigned, and the Finance group has no permissions assigned.

  3. Neither the IT group, the Finance group, nor John's user account have permissions to the object explicitly assigned.

  4. The IT group has the Grant Modify permission assigned, and the Finance group has the Deny Change Permission special permissions assigned.


2. 

The Effective Permissions tool can be used to discover which of the following pieces of information? (Choose all that apply.)

  1. That the user John is a member of the Interactive special group

  2. That the user John is a member of the Finance security group

  3. That the Finance security group has been denied access to a folder

  4. That the user John will be denied access to a file because access is denied to a group of which John is a member


Answers

1. 

a, c. Both of these scenarios describe situations in which John cannot edit the file, either because one of his group memberships is explicitly denied access or because he has no permissions to the file.

2. 

c, d. The Effective Permissions tool is capable of showing what permissions a user or group has to an object. It cannot, however, enumerate group memberships.

Design Activity: Case Scenario Exercise

Page
2-55

1. 

Which of the following group names is most fitting to an appropriate naming strategy?

  1. Accounts Payable

  2. Boston AP

  3. GG Accounts Payable

  4. GG Ithaca Accounts Payable

  5. GG Ithaca New York Accounts Payable


2. 

How will you recommend that Fabrikam enforce the group naming conventions?


3. 

Will you recommend the User/ACL, Account Group/ACL, or Account Group/Resource Group authorization method?


Answers

1. 

c. Given Fabrikam's requirements, an appropriate group naming strategy would include the group scope and a concise description of the group. You do not need to include the location of the group in the name. Even though some resources will only be assigned to users in specific locations, the group design does not require that business groups be divided by location. Separate groups can be created for each of the three locations, and employees in each location can be added to those groups.

2. 

Although Windows Server 2003 does not include a way to enforce group naming conventions at the time a group is created, auditing works wonders to enforce standards. Ideally, you would recommend that Fabrikam's security team audit group names on a weekly or monthly basis to ensure conformance with the naming conventions.

3. 

Fabrikam has 600 users, so the User/ACL authorization method would be impossible to manage. The Account Group/Resource Group authorization model is probably the most appropriate choice here, though Account Group/ACL is also a valid choice.

Design Activity: Troubleshooting Lab

Page
2-57

1. 

What is the best way to quickly determine what access Mary has to the file?


2. 

What permissions does Mary have to the file?


3. 

How can you identify the user membership that is causing Mary to be denied access to the file?


4. 

What access control entry is responsible for Mary's access being denied?


5. 

What should you do before modifying the permissions to grant Mary access?


Answers

1. 

You can use the Effective Permissions tool to determine Mary's user account permissions. You could also look up Mary's group memberships and manually calculate her effective permissions. However, this would be time-consuming.

2. 

Mary has no permission to the file.

3. 

First, view Mary's user account properties to determine the list of groups to which she belongs. Then use the Effective Permissions tool to test the permissions of each group. Using Effective Permissions is more effective than manually reviewing the list of permissions because groups can be nested, and it is not always obvious which groups a user belongs to.

4. 

The Deny Accounting group access control entry is responsible, because Mary is a member of Accounting.

5. 

You should determine why the Accounting group was initially denied access to the file. There is probably a legitimate reason for denying Mary access. If not, you must decide whether the entire Accounting group should have access to the file, or just Mary. If the entire Accounting group should have access to the file, grant the Accounting group access by removing the appropriate Deny permissions for the file. If only Mary should have access, you can add an explicit permission that will override the inherited Deny permission. Additionally, you must determine what level of access the Accounting group or Mary should have to the file.
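The precedence rules behind these answers (a Deny ACE overrides Grant ACEs, yet an explicit permission is evaluated before an inherited Deny) can be checked with a small model. This is an added example, not taken from the book; it reduces the standard permissions to sets of basic rights, and the right names, the `Ace` tuple, and the choice of Modify for Mary's explicit grant are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified model (assumption): each standard permission is a set of basic rights.
READ_EXECUTE = frozenset({"read", "execute"})
MODIFY = READ_EXECUTE | {"write", "delete"}
FULL_CONTROL = MODIFY | {"change_permissions", "take_ownership"}

Ace = namedtuple("Ace", "principal kind rights inherited")  # kind: "allow" | "deny"

def canonical_order(dacl):
    """Explicit ACEs before inherited ones; within each group, Deny before Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def effective_rights(dacl, principals):
    """Walk the ordered DACL; the first matching ACE to mention a right decides it."""
    granted, denied = set(), set()
    for ace in canonical_order(dacl):
        if ace.principal not in principals:
            continue  # ACE applies to a user or group the caller does not hold
        if ace.kind == "deny":
            denied |= ace.rights - granted
        else:
            granted |= ace.rights - denied
    return granted

# Constructed scenarios mirroring the review questions.
SAM = {"Sam", "IT", "Administrators"}
MARY = {"Mary", "Accounting"}

lesson1_q1 = [Ace("Administrators", "allow", FULL_CONTROL, False),
              Ace("IT", "allow", MODIFY, False)]
lesson1_q2 = [Ace("Administrators", "allow", FULL_CONTROL, False),
              Ace("IT", "deny", FULL_CONTROL, False)]
# Troubleshooting lab: the Deny for Accounting is inherited from a parent folder.
mary_before = [Ace("Accounting", "deny", FULL_CONTROL, True)]
# Fix for Mary only: an explicit Allow is evaluated before the inherited Deny.
mary_after = mary_before + [Ace("Mary", "allow", MODIFY, False)]

if __name__ == "__main__":
    for name, dacl, who in [("Sam, Lesson 1 Q1", lesson1_q1, SAM),
                            ("Sam, Lesson 1 Q2", lesson1_q2, SAM),
                            ("Mary, before fix", mary_before, MARY),
                            ("Mary, after fix", mary_after, MARY)]:
        print(name, sorted(effective_rights(dacl, who)))
```
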






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
