Question 1.
You need to start configuring the data stored on the file servers. You are required to reconfigure the NTFS permissions on the shared folders located on the file servers to restrict access to the data. What should you do? (Choose all that apply.)

A. You should remove the Everyone group, add the BUsers group and assign the group the Full Control NTFS permission
B. You should remove the Everyone group, add the ATUsers group and assign the group the Full Control permission
C. You should remove the Everyone group, add the ATUsers group and assign the group the Modify permission
D. You should remove the Everyone group, add the BUsers group and assign the group the Modify permission
E. You should remove the Everyone group, add the AUsers group and assign the group the Modify permission

Answer: C, D, E

Explanation: You should take the actions in these answers because the current effective permissions allow users to connect remotely from all locations and modify the contents of the shared folders.

1. The IT administrator of the City Central Utilities network wants access to the shared folders in each location to be secure. This requires non-administrative users only to be granted access to the files located on their local file server. The users in their respective locations should be able to edit files in the local shared folder but should not be able to take ownership or change the permissions of user files.

Incorrect Answers:
A, B: You should not take the actions in these options because you would be granting the users the ability to take ownership of the files, giving them too many administrative privileges.

Question 2.
You need to design the security solution for the internal Web site. You are required to ensure that only authorized network users in the domain are able to access the internal Web site. You are also required to select how to configure access to the site. What should you do?
(Each correct answer presents part of the solution. Choose TWO.)

A. You should enable Digest authentication
B. You should enable Web site connection limits
C. You should enable Integrated Windows authentication
D. You should disable Anonymous authentication

Answer: C, D

Explanation: In the scenario you should disable Anonymous authentication and enable Integrated Windows authentication, because Anonymous authentication allows users to establish connections to the Web site using an anonymous account or guest account.

1. City Central Utilities wants all the attempts by unauthorized users to access the data folders on the file server to be monitored. City Central Utilities also wants the users to be required to authenticate using their Active Directory user account credentials when accessing the intranet Web site. The authentication is required to be automatic, requiring no user intervention during the authentication process.

Incorrect Answers:
A: This option should not be used in the scenario because it requires a realm to be configured and is more suited for authentication passing through a firewall.
B: This option should not be used in the scenario as this will not stop unauthorized access to the internal Web site.

Question 3.
You need to modify the Default Domain Policy GPO. You should stop the ability of the network users to install any application which is not approved. Your solution is required to prevent the network users of the City Central Utilities network from being able to install unauthorized software. What should you do?

A. You should enable the Disable Windows Installer policy with a setting of For non-managed apps only
B. You should add a Software Installation Policy which assigns approved applications to domain users
C. You should enable the Disable Windows Installer policy with a setting of Always
D. You should disable the Windows Installer policy

Answer: A

Explanation: In the scenario you should make these configuration changes, as this allows you to control the applications that the users are capable of installing, thereby stopping unauthorized applications from being installed.

1. The Chief Security Officer also wants to have a consistent set of programs and applications to be defined and deployed. The City Central Utilities domain users should not be able to update or install any software components other than those approved by members of the CCUAdmin group.

Incorrect Answers:
B: In the scenario you should not use this option because it will not prevent the users from installing unauthorized applications but will simply assign or publish the applications to the users.
C, D: You should not take this action in the scenario because it allows the users to install Windows Installer-based applications at will, whether unauthorized or not.

Question 4.
You need to design a solution for the client computers in the Brisbane office. The solution you are designing should configure the client computers to meet the requirements of the network Chief Security Officer. What should you do?

A. The users connecting to CCU-SR05 should be required to use smart card-authenticated terminal services connections
B. Secure Sockets Layer (SSL) should be required for connections between the Brisbane clients and CCU-SR05
C. The Brisbane network users should be required to connect to CCU-SR05 using Integrated Windows authentication
D. IPSec-encrypted connections should be required between the Brisbane clients and CCU-SR05

Answer: A

Explanation: In the scenario you are required to provide two-factor authentication on the network for communicating with CCU-SR05. The configuration used in the answer successfully implements the required configuration and meets the requirements.

1. Another concern of the Chief Security Officer is that user access to the inventory tracking application on CCU-SR05 be secured by using certificate-based authentication. The Chief Security Officer also wants auditing enabled on CCU-SR05 to monitor all users accessing this application. You should then be able to verify who is logged on to the application and who the owner of the user account is.

Incorrect Answers:
B: You should not consider using SSL in the scenario because SSL requires machine certificates in order to establish a secure channel.
C: In the scenario the users shared their credentials, so making this configuration will not adhere to the requirements of the Chief Security Officer.
D: You should not consider using IPSec in the scenario because IPSec will identify the two computers and you are required to identify the users.

Question 5.
You need to design an authentication method for the portable computers used on the network. Which solution should be employed to provide the desired level of security for the remote portable computers?

A. MS-CHAP v2.
B. Two-factor authentication.
C. IPSec authentication.
D. 802.1x authentication.

Answer: B

Explanation: When two-factor authentication is implemented, users will be required to swipe a smart card into a smart card reader and then enter a PIN to authenticate to the computer. Before a smart card is used, the user's logon certificate, public key, and private key must be programmed on the smart card. You can program the smart card using a Smart Card Enrollment station, which is integrated with certificate services. You can use the EAP-TLS protocol for certificate and smart card authentication.

1. The management of City Central Utilities has decided to continue issuing portable computers to the Brisbane users but the authentication to the wireless portion of the City Central Utilities network should be strictly controlled.
City Central Utilities should ensure that user credentials for portable computers and desktop computers are tightly controlled using two-factor authentication.

Incorrect Answers:
A: MS-CHAP v2 does not support smart cards and does not provide the required two-factor authentication.
C: IPSec is used to generate keys for encrypting data during PPTP and L2TP tunneling transmissions. It is not a user authentication protocol.
D: IEEE 802.1x authentication is a certificate-based standard that supports authenticated network access to wired Ethernet networks from 802.11 networks, which are wireless. This method will provide support for centralized user identification, authentication, dynamic key management and accounting. This is ideal for wireless LAN implementations.

Question 6.
You need to design an authentication strategy that will be used to strengthen the current network security. The solution you are designing must ensure you meet the requirements of City Central Utilities. What should you do? (Each correct answer represents a part of the solution. Choose TWO.)

A. Configure all computers in the Finance department to use PEAP authentication.
B. Issue smart cards and smart card readers to all users and computers.
C. Install user certificates on all computers.
D. Configure the domain to require smart cards during logon for all users.
E. Configure the domain to respond to requests for IPSec encryption.
F. Configure the domain to require NTLMv2 authentication.

Answer: B, D

Explanation: The following is the relevant information regarding an authentication strategy for the tightening of network security as described in the case study:

1. In response to this, City Central Utilities wants the network design to be modified to increase the security and resolve the issues specified in the audit. City Central Utilities also wants any configurations to be centrally defined and applied to the network domain controllers and network servers as well as client computers when possible.

Smart cards provide a secure method of logging on to a Windows Server 2003 domain. A smart card is a credit-card-sized device that is used to securely store public and private keys, passwords, and other types of personal information. To use a smart card, you need a smart card reader attached to the computer and a personal identification number (PIN) for the smart card. In Windows Server 2003, you can use smart cards to enable certificate-based authentication and SSO to the enterprise. The smart cards "force" the employee to use the asymmetric key and a PIN to authenticate. Making use of smart cards and smart card readers and configuring the domain to require smart cards during logon implements two-factor authentication, as is required in the case study.

Incorrect Answers:
A: Protected EAP authentication doesn't provide any authentication itself. Instead, it relies on external third-party authentication methods that you can retrofit to your existing servers. This is not what is required.
C: Making use of user certificates is not going to enforce two-factor authentication.
E: Configuring all computers to respond to requests for IPSec encryption is not going to enforce two-factor authentication.
F: Depending on the operating system in use, the clients might not be able to use the NTLM v2 authentication protocol. If they cannot and there is an account on the secured server that the down-level client needs to access, it will be unable to do so.

Reference:
Elias N. Khnaser, Susan Snedak, Chris Peiris and Rob Amini, MCSE Designing Security for a Windows Server 2003 Network Exam 70-298 Study Guide, Chapter 2, p. 74
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter & Will Schmied, MCSA/MCSE: Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, pp. 283

Question 7.
You need to design an authentication solution for the wireless network.
The solution you are designing should adhere to the security requirements of City Central Utilities. You are required to select which protocol is suitable for use on the portable computers with wireless technology. What should you do?

A. The wireless network should be configured to use Wired Equivalent Privacy (WEP).
B. An Internet Authentication Service (IAS) server should be installed and configured
C. IEEE 802.1x authentication should be configured with smart cards.
D. Wireless VPNs using L2TP/IPSec should be created between the client computers and the wireless access point.

Answer: A

Explanation: You should consider making use of the WEP protocol in the scenario because using this protocol ensures that you adhere to the security policy of City Central Utilities.

1. The City Central Utilities network CIO has recently said that their network is not in a high-security industry, but an inconsistent revenue cycle requires City Central Utilities to increase and decrease staffing levels on a regular basis. These actions have caused City Central Utilities to be more vigilant in protecting network access.

Question 8.
You need to design a solution for network users using the Web content security zones. The solution you are designing should be used to prevent the network users from making changes to the settings for Web content security zones. What should you do? (Each correct answer presents part of the solution. Choose TWO.)

A. A new GPO should be created and the Security Zones: Do not allow users to add/delete sites policy enabled
B. The new GPO should be linked to each CCUCA OU
C. The new GPO should be linked to the Atlanta, Brisbane and Auckland OU
D. The new GPO should be linked to the domain level

Answer: A, B

Explanation: In the scenario you are required to configure the settings to allow the network users only to view approved sites. By making these configurations you completely adhere to the requirements in the scenario.

1. The Chief Security Officer wants the users to be allowed to only view approved Internet Web sites. The Chief Security Officer also wants only the administrators to be allowed to add and remove sites from the list of approved Web sites. The City Central Utilities network users should not be allowed to override these restrictions by modifying the Internet security settings in Control Panel.

Incorrect Answers:
C: The GPO should not be linked to the parent OU as the OUs contain the client computer accounts in each location.
D: You should not take this action on the domain as this will affect all the network users and that is not required in the scenario.

Question 9.
You need to design an auditing solution. The auditing solution you are designing should meet the requirements for the file server of the City Central Utilities network. Which of the following should you audit?

A. Audit success and failure events for logon events.
B. Audit success and failure events for object access.
C. Audit failure events for privilege use.
D. Audit success and failure events for privilege use.

Answer: B

Explanation: Auditing object access audits user access to objects such as files, folders, registry keys, and so forth. As with the other audit policies, you can monitor either the success or the failure of these actions.

1. City Central Utilities wants all the attempts by unauthorized users to access the data folders on the file server to be monitored. City Central Utilities also wants the users to be required to authenticate using their Active Directory user account credentials when accessing the intranet Web site. The authentication is required to be automatic, requiring no user intervention during the authentication process.

Incorrect Answers:
A: In the scenario you should not audit logon events because this audits each instance of a user logging on to or off from the network. The policy will audit events where the logon occurs.
C, D: Auditing privilege use tracks events when a user exercises a right.

Question 10.
You need to design a solution for the desktop computers. The solution you are designing should ensure that the users' desktops are protected when they leave their computers unattended. Your solution should require the least amount of administrative effort. What should you do?

A. A security template should be used that configures all computers to automatically log off users when their logon time expires. The new template should be imported into the local security policy on all domain controllers
B. An administrative template should be created to enable and password protect a screen saver. You should then import the new template into the Default Domain Policy GPO
C. All computers should be configured to automatically log off users when their logon time expires in the Default Domain Controller Policy GPO
D. You should enable a screen saver and password protect it in the Default Domain Policy GPO

Answer: D

Explanation: In the scenario you should consider enabling a screen saver and protecting it with a password. By making this configuration you ensure that all the computers on the domain require a password to log on if the computer is left unattended for a defined period of time.

1. City Central Utilities does not apply security patches consistently to the network computers. Because of this, some network computers were recently infected by a virus, which could have been avoided if the security patches had been up to date. Most of the City Central Utilities network users do not lock their computers when leaving them unattended over extended periods of time. This has recently caused the contents of a sensitive document to be made public because it was left open on the user's portable computer.
An unauthorized user viewed the documents while delivering files to the office.

Incorrect Answers:
A, C: These options should not be used in the scenario because they are used to have users disconnected from the local computer when they are logged on outside their valid logon hours.
B: This option should not be used in the scenario because you are required to use the least administrative effort. This option involves too much administrative effort.
Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.