Review Questions




1.

You are the lead Active Directory architect for a large-scale network. You need to define a strategy that prevents computers from launching applications that are explicitly prohibited by the corporate policy. You need to prevent users from moving or renaming files in order to bypass the defined policy. What should you do? (Choose all that apply.)

  A. Define a software restriction policy and leave the security level as Unrestricted.

  B. Create a path rule for each application that you want to allow.

  C. Create a hash rule for each application that you want to prevent.

  D. Create a path rule for each application that you want to prevent.

  E. Create a hash rule for each application that you want to allow.

  F. Define a software restriction policy and change the security level to Disallowed.


2.

You are the administrator of a medium-sized network and you need to prevent users from changing the configuration of their computers. Which of the following can be used to accomplish this? (Choose all that apply.)

  A. Administrative Templates settings in Group Policy

  B. Microsoft Baseline Security Analyzer

  C. Software Update Services

  D. Removing users from local Administrators or Power Users groups on their computers

  E. Software restriction policy


3.

You are the network architect of a large electronics manufacturer that has just opened a new sales office in Alaska. The main office is located in Miami, Florida; both offices have a direct connection to the Internet. There is a complete SUS infrastructure that is already designed in the Miami office and that handles over 5,000 computers and servers. There are 10 client computers and 2 servers in the Alaska site. You need to make sure that, because the new office is so remote from the main office, updates are installed often and automatically. No approval is necessary because there is no custom software running in the Alaska office that could conflict with any portion of the operating system. You need to make sure that all of the computers in the Alaska office get all of the updates that Microsoft releases with the least amount of administrative effort. The Alaskan office needs to be able to retrieve updates even if it cannot connect to the Miami office. What should you do?

  A. Install SUS on one of the servers in the Alaska site and configure the other computers to use it.

  B. Configure all of the computers in the Alaska site to use the SUS infrastructure already configured in Miami.

  C. Configure all of the computers to use the Microsoft Windows Update site.

  D. Manually download and install the patches and service packs as they become available.


4.

You need to audit your security patch strategy to verify its effectiveness. You want this auditing to occur on a semi-regular basis, with the least amount of administrative effort. What utility should you use for this functionality?

  A. On a regular basis, launch the Microsoft Baseline Security Analyzer (MBSA) and evaluate the resulting report.

  B. Use the intranet administration web application for Software Update Services, SUSAdmin, to generate and schedule its reporting features.

  C. Create and schedule a script that uses the Microsoft Baseline Security Analyzer command-line utility (MBSACLI.EXE).

  D. Define and enable a patch policy in a Group Policy object (GPO) and link it to the domain container.


5.

You are the administrator for a medium-sized organization that manufactures transparent aluminum. The CIO tells you that the HR managers need to be able to manage one of the printers that is located on the HR server, which is a member server in the TranAlum.LAN domain. You need to grant the HR managers, who are all members of the HR Managers global group, this ability without giving them more rights than they require, and you should do this with the least amount of administrative effort. What should you do?

  A. Add the HR Managers group to the Administrators local group on the HR server.

  B. Add the HR Managers group to the Print Operators group of the HR server.

  C. Add the HR Managers group to the Power Users group of the HR server.

  D. Create a custom local group on the HR server, grant it the ability to manage the HR printer, and add the HR Managers global group to the newly created local group.


6.

You are the administrator responsible for updating the workstations and servers for your company. You need to be able to apply software patches and adjust the configuration of the computers to make them more secure. You need to select a solution that meets both these requirements. Which of the following methods can be used to deploy patches as well as modify the configuration of the computer? (Choose all that apply.)

  A. Microsoft Windows Update site

  B. Software Update Services (SUS) version 1

  C. Systems Management Server with SUS feature pack

  D. Security Configuration And Analysis MMC snap-in

  E. Group Policy


7.

You are the administrator responsible for updating all 8,000 client computers in the Philadelphia region. The computers are running Windows NT 4, Windows 2000, and Windows XP Professional and are configured as members of a large Windows Server 2003 Active Directory domain. What software patch distribution solution should you choose?

  A. Software Update Services (SUS) version 1

  B. Systems Management Server 2003 with SUS feature pack

  C. Group Policy

  D. Microsoft Baseline Security Analyzer (MBSA)


8.

You have just installed and configured a SUS server in your organization and created a schedule to download updates from the Internet. You now need to configure the 2,500 workstations and servers in your environment. You need to make sure that all of the clients are updated to use the SUS server to download the updates. Which of the following techniques can be used to configure the SUS clients? (Choose all that apply.)

  A. Modify the Registry of each computer to point it to the newly installed SUS server.

  B. Create a custom script on each computer that runs the MBSACLI.EXE utility to configure the SUS information.

  C. Create a GPO that configures the SUS information on each computer and link it to the appropriate container.

  D. Use the Security Configuration And Analysis MMC snap-in and apply its template to all of the computers that need to be updated with the SUS server information.


9.

You are the security architect of a multinational exporter with offices across the U.S. and Europe. The two main offices are New York and Paris. All U.S. sites connect to the Internet through the New York site, and all European offices connect to the Internet through Paris. Each office in the U.S. connects to New York with a dedicated 256k line and each office in Europe connects to Paris with a dedicated 256k line. You need to design a patch management solution that distributes and applies security patches to workstations and servers on both continents. Your solution must minimize WAN bandwidth. What should you do?

  A. In each office, use one new SUS server that will download all of the security patches. Configure the computers in each office to use their respective SUS server.

  B. Use one new SUS server in New York and one in Paris to download all security patches. Configure the U.S. offices to use the SUS server in New York and the European offices to use the SUS server in Paris.

  C. Use one new SUS server in New York and one in Paris to download all security patches. In the U.S., configure a SUS server in each office to synchronize the content from the SUS server in New York. In Europe, configure a server in each office to synchronize the content from the SUS server in Paris. Configure the clients in each office to use the SUS server in their respective office.

  D. Configure all clients to download the patches from the Microsoft Windows Update site.


10.

You are the security architect of a large law firm, and consultants sometimes temporarily have access to certain network resources. The attorneys often store confidential client-related data on their workstations, and you need to make sure that only attorneys can access the data over the network. Which of the following security techniques should you use to prevent the consultants from accessing the attorneys’ workstations?

  A. Security templates

  B. Software restriction policies

  C. Administrative templates

  D. MBSA script


Answers

1.

A, C. In this question, only the software that is explicitly stated in the corporate policy as being prevented should be kept from executing. Therefore, you should enable software restriction and leave the security level set to Unrestricted. Thus, option F is incorrect. Because an Unrestricted security level allows all software not explicitly defined in a rule to execute, you do not specify rules for applications to be allowed, so options B and E are incorrect. A path rule can be bypassed, which is why option D is incorrect. Creating a hash rule for the applications that are to explicitly be denied from executing is the best answer in this situation, which is why options A and C are correct.

2.

A, D. To prevent a user from making configuration changes to the operating system of their workstation, you can use Administrative Templates settings in a Group Policy object (GPO), you can manually edit the Windows Registry, you can use custom scripts or third-party applications, or you can simply remove the users from the Power Users or Administrators group on the workstation. The Microsoft Baseline Security Analyzer (MBSA) is used to audit the security patches and configuration on a computer or group of computers. Therefore, option B is incorrect. Software Update Services (SUS) is used to apply patches and service packs, not restrict operating system features, which is why option C is incorrect. Option E is incorrect because a software restriction policy is used to define which applications can or can’t be executed; it is not able to prevent a user from making changes to operating system functionality.

3.

C. Option A is incorrect because it requires that updates be approved in order to be distributed to the computers in Alaska. Option B is incorrect because it requires that the Alaskan office communicate with the Miami server, and allows only the approved updates, as defined in Miami, to be deployed to the computers in Alaska. Option D is incorrect because it requires a significant amount of administrative effort, which would be decreased by configuring the computers to get the information directly from Microsoft. Answer C is correct because it requires the least amount of administrative effort by not requiring any administrator to approve updates.

4.

C. The MBSA command-line interface can and should be scheduled in a script to facilitate the requirements defined in the question. Therefore, option C is correct. The Microsoft Baseline Security Analyzer (MBSA) is the utility that produces the desired functionality; however, the interactive version cannot be scheduled, which is why option A is incorrect. Software Update Services does not include a reporting element. Therefore, option B is incorrect. There is no such thing as a patch policy. Therefore, option D is incorrect.

5.

D. The only solution that doesn’t give the HR managers more rights than they require is D. Adding the HR Managers group to the Administrators local group on the HR member server will allow them to do almost anything on the server, which is significantly more rights than they require. Therefore, option A is incorrect. Adding the HR managers to the Print Operators group will give them the ability to manage the printer on the HR member server; however, it will also give them the right to manage all of the printers on the server, not just the one printer that they need to manage. Therefore, option B is incorrect. Adding the HR managers to the Power Users local group would also allow them to manage all of the printers, which is too many rights based on the requirements stated in the question. Therefore, option C is incorrect.

6.

C, E. Both SMS 2003 with the SUS feature pack and Group Policy can be used to deploy patches as well as make configuration changes. Therefore, options C and E are correct. Both the Microsoft Windows Update site and Software Update Services version 1 can be used only to deploy software patches, not make configuration changes. Therefore, options A and B are incorrect. The Security Configuration And Analysis MMC snap-in can only make configuration changes, not deploy software patches, which is why option D is incorrect.

7.

B. Only Systems Management Server (SMS) 2003 with SUS feature pack can deploy patches to Windows NT 4 clients. SUS version 1 and Group Policy require Windows 2000 and higher; they do not support Windows NT 4 clients. Therefore, options A and C are incorrect. The MBSA tool is used to audit the security of a computer or group of computers. It will not distribute software patches, which is why option D is incorrect.

8.

A, C. You can configure the computers by using a GPO or by manually editing the Registry of each computer, which is why options A and C are correct. The MBSACLI.EXE utility is the command-line interface of the Microsoft Baseline Security Analyzer utility that is used to audit and report on the security configuration and applied patches of computers; it will not configure a computer to use a specific SUS server. Therefore, option B is incorrect. The Security Configuration And Analysis MMC snap-in can be used to apply security templates to computers; however, it will not configure the computers to use a specific SUS server. Therefore, option D is incorrect.

9.

C. Option C is correct because it is the only solution that allows for all of the computers to receive the updates and minimizes WAN traffic. Option A is incorrect because it causes too much WAN traffic by having each office download updates from the Internet. Option B is incorrect because there would be, from each workstation and server retrieving the updates, too much traffic across the U.S. going to the N.Y. SUS server and too much traffic in Europe going to the Paris SUS server. Option D causes each client to generate too much WAN traffic by downloading the updates directly from the Microsoft Windows Update site.

10.

A. You would define a security template that enables Deny Access To This Computer From The Network for the users not in the Attorneys group. Software restriction policies are used to prevent a user from running software, not from accessing network resources. Therefore, option B is incorrect. Administrative templates are used to restrict a user’s access to the operating system of the computer that they are logged on to, not accessing remotely. Therefore, option C is incorrect. The MBSA is used for auditing and reporting on security configuration; it doesn’t change the configuration. Therefore, option D is incorrect.






MCSE: Windows® Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
EAN: 2147483647
Year: 2004
Pages: 168
