Prepared for the exam using the ITCertKeys study guide. The guide works great; all questions were from the guide. Passed the exam.
Question 1.
You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory forest. The functional level of the forest is set at Windows Server 2003. The ITCertKeys.com network contains a file server named ITCertKeys-SR07 that hosts a shared folder in a child domain in ITCertKeys.com's forest. ITCertKeys.com has a sister company that has its own Active Directory forest. You need to ensure that users who belong to a child domain in the sister company's Active Directory forest are provided with access to the shared folder in the child domain in ITCertKeys.com's Active Directory forest. You also need to ensure that these users are unable to access any other resources in ITCertKeys.com's forest. What should you do?

A. You have to create an external trust, and configure it with the selective authentication option.
B. You have to create a forest trust, and configure it with the domain-wide authentication option.
C. You have to create an external trust, and configure it with the domain-wide authentication option.
D. You have to create a forest trust, and configure it with the selective authentication option.

Answer: A

Explanation: An external trust is always nontransitive, and can be either one-way or two-way. This type of trust is used to create a relationship between a Windows Server 2003 domain and one running Windows NT 4.0. It can also be used to connect two domains that are in different forests and don't have a forest trust connecting them. In this scenario, you have to create an outgoing external trust from the domain where the file server is located to the sister company's domain where the users require access to a resource in ITCertKeys.com's forest. This will allow users from the sister company's domain to authenticate directly to ITCertKeys.com's resource domain.
Selective authentication allows users from a trusted domain to authenticate only to those resources to which they are explicitly allowed to authenticate.

Incorrect Answers:
B, D: A forest trust is appropriate when users from multiple domains in one forest require access to resources in multiple domains in another forest.
C: Configuring domain-wide authentication would provide users from trusted domains the same level of access to local resources that local users have.

Question 2.
You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named ITCertKeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. A new ITCertKeys.com security policy requires that all user passwords expire every 45 days. You configure a password policy that meets this requirement in a new Group Policy object (GPO) linked to the ITCertKeys.com domain. Users are now prompted to change their passwords on a regular basis. While performing a maintenance procedure on a domain controller three months later, you restart the domain controller in Directory Services Restore Mode (DSRM) and discover that the old administrative password still works. You need to ensure that the DSRM password is changed on this domain controller. What should you do?

A. You have to configure the password policy in the Default Domain Controllers Policy GPO in normal mode.
B. You should reset the password for the local Administrator account in normal mode using Computer Management.
C. You have to configure the password policy in the Default Domain Policy GPO in normal mode.
D. You should reset the DSRM password in normal mode using the Ntdsutil utility.

Answer: D

Explanation: When you restart a domain controller in DSRM, the Active Directory service is not activated and the domain controller will act as a stand-alone server.
To log on to a computer in DSRM and to comply with the security policy, you need to set a password by using the Ntdsutil utility when the domain controller is operating in DSRM.

Incorrect Answers:
A, C: Password policies configured in the GPOs will not affect DSRM passwords on domain controllers.
B: You will not find any local user accounts on a domain controller.

Question 3.
You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory network named itcertkeys.com. ITCertKeys.com has its headquarters in London and a branch office in Paris. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. ITCertKeys.com contains a Sales department. The headquarters in London contains a Windows Server 2003 computer named ITCERTKEYS-SR03 that hosts the ITCertKeys.com public Web site. The public Web site lists the goods that are advertised by the Sales department. ITCERTKEYS-SR03 is running IIS 6.0. Due to the demand on the public Web site, you installed a new ASP.NET-based application on the public Web site. An ITCertKeys.com manager named Andy Reid is responsible for updating the public Web site on a regular basis. After the installation of the new ASP.NET-based application, Andy Reid accessed the public Web site; however, he received an error message stating that the page cannot be found. Andy Reid needs to access the public Web site to update the data. You need to ensure that the new ASP.NET-based application works. What should you do?

A. You need to select support for Active Server Pages.
B. You should assign the proper permissions to the Authenticated Users group for the new ASP.NET-based application.
C. You need to acquire a server certificate from your corporate certification authority and install the certificate.
D. You need to select only the required Web service extensions.

Answer: D

Explanation: By default, in Windows Server 2003, Internet Information Services (IIS) serves only static HTML content. You will receive an HTTP error 404 if dynamic content is requested. You need to enable support for the appropriate Web service extensions in IIS Manager to provide dynamic content.

Incorrect Answers:
A: Since ASP and ASP.NET are different, there is no need to support ASP.
B: It is unlikely that the Authenticated Users group needs to be assigned any permission for access. Public Web sites allow anonymous access.
C: The scenario does not state that the new application requires a certificate for SSL encryption or for another purpose, and even if it did, a certificate issued would not be trusted by the general public.

Question 4.
You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named itcertkeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. ITCertKeys.com contains a Finance department. ITCertKeys.com contains a domain controller named ITCERTKEYS-DC01 which resides in the Finance department. Due to the confidential nature of the data that resides on the domain controller, you need to make sure that security is established at all times on ITCERTKEYS-DC01. You then access the Security Configuration and Analysis (SCA) MMC snap-in, and receive the following database log file as seen in the exhibit.

Exhibit:

You need to ensure that security is established on the ITCertKeys.com network around the clock. What should you do?

A. Reconfigure the "Minimum Password Length" security policy.
B. Reconfigure the "Lockout Duration" security policy.
C. Reconfigure the "Password Must Meet Complexity Requirements" security policy.
D. Reconfigure the "Minimum Password Age" security policy.

Answer: A

Explanation: The Security Configuration and Analysis (SCA) Microsoft Management Console (MMC) snap-in is used to evaluate a computer's security settings against a predefined security template. The exhibit shows that a disparity exists between the value of the "Minimum Password Length" setting on ITCERTKEYS-DC01 and the setting's value that is configured in the currently loaded security template.

Incorrect Answers:
B, C, D: The Lockout Duration, Password Must Meet Complexity Requirements, and Minimum Password Age settings are marked as Not Configured. Reconfiguring these would result in inconsistent security on the ITCertKeys.com network, as only ITCERTKEYS-DC01 would be configured with these settings.

Question 5.
You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named itcertkeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. ITCertKeys.com is a relatively new company and at present has to share premises with other companies. Consequently there are added security risks, and as a precautionary measure all the itcertkeys.com servers are located and maintained in a strong room and kept under lock and key. As a further precautionary measure you also applied the securedc.inf and the securews.inf security templates to the relevant computers. There is, however, still the threat of unauthorized physical access because of the shared premises, and of unauthorized attempts at guessing the itcertkeys.com users' passwords. You received instructions from the CIO to ensure that added security measures are implemented to minimize the possibility of user passwords being at risk. What should you do?

A. On all the domain controllers, you need to apply the hisecdc.inf predefined security template.
B. You need to generate a system key with the Syskey utility, and then specify that this system key be stored locally.
C. On all the member servers, you need to apply the hisecws.inf predefined security template.
D. You need to generate a system key with the Syskey utility, and then specify that this system key be stored on a floppy disk.

Answer: D

Explanation: To provide protection to user passwords, you need to use the Syskey utility. This will allow you to generate a system key that is used to encrypt passwords. The three levels of protection that are offered by the Syskey utility are as follows:
1. Store the system key locally on a computer, which is not secure.
2. Use an administrator-assigned password.
3. Store the system key on a floppy disk, which is required at startup.

Incorrect Answers:
A, C: Hisecdc.inf and hisecws.inf are more secure than securedc.inf and securews.inf; however, they will not stop an unauthorized user from guessing passwords.
B: Storing the system key locally on the computer is the least secure option.

Question 6.
You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named itcertkeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. ITCertKeys.com contains a Sales department. The ITCertKeys.com network contains a file server named ITCERTKEYS-SR13. ITCERTKEYS-SR13 hosts a shared folder which keeps the latest goods which the users need to access. An ITCertKeys.com employee named Andy Booth works in the Sales department. One morning Andy Booth complains that the performance of ITCERTKEYS-SR13 is very slow. To avoid having employees contact you regarding the performance of the file server, you are going to set counters to alert you if any bottlenecks occur on ITCERTKEYS-SR13. You then create a counter, and choose the following monitoring counters:
1. PhysicalDisk: % Disk Time
2. Processor: % Processor Time
3. Network Interface: Bytes Total/sec

What should your next step be?

A. You should specify the threshold values for performance counters, which will produce a message to your workstation when reached.
B. Navigate to the System performance object, and select a Processor Queue Length counter.
C. Use the CSV format and configure a trace log that runs always, export the performance data to a spreadsheet manually.
D. Use the CSV format and configure a counter log that records performance data on a constant basis.

Answer: A

Explanation: Alerts can be configured to fire when thresholds are reached. This will allow you to receive a message when the threshold values are reached.

Incorrect Answers:
B: To find a bottleneck in a subsystem, the Processor Queue Length counter is used. This will not help you in defining an alert.
C: If you want to record selected system application events, you should use trace logs.
D: Although using this option will gather the required performance data for bottleneck detection, it would not enable you to configure an alert.

Question 7.
You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named itcertkeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. ITCertKeys.com contains a Research department. The ITCertKeys.com network contains a domain controller named ITCERTKEYS-DC03. ITCERTKEYS-DC03 is used to communicate with other companies which form part of the alliances. You do not want ITCERTKEYS-DC03 to slack in performance, because it will influence the tasks of the employees in ITCertKeys.com. You thus need to configure ITCERTKEYS-DC03 to forward a network message to your client computer in your office when CPU utilization goes beyond 80 percent. What should you do?

A. On ITCERTKEYS-DC03 configure a network message to be sent to your client computer, by using the Services MMC snap-in.
B. On ITCERTKEYS-DC03 configure a network message to be sent to your client computer, by using the Performance Logs and Alerts MMC snap-in.
C. On ITCERTKEYS-DC03 configure a network message to be sent to your client computer, by using the Network Monitor.
D. On ITCERTKEYS-DC03 configure a network message to be sent to your client computer, by using the System Monitor.

Answer: B

Explanation: The Performance Logs and Alerts Microsoft Management Console (MMC) snap-in can be used to configure alerts that trigger an action.

Incorrect Answers:
A: The Services MMC snap-in can be used to view and modify system and network services that are installed on a Windows Server 2003 computer. You need to set alerts.
C: Network Monitor is not the tool to be used in this case, as it is usually used to capture and decode incoming and outgoing network packets.
D: System Monitor is used to view real-time hardware and software performance data, but in this case you require the Performance Logs and Alerts Microsoft Management Console.

Question 8.
You work as a network administrator for ITCertKeys.com. The network consists of a single Active Directory domain named ITCertKeys.com. ITCertKeys.com contains six domain controllers, of which two each are configured to run Windows Server 2003, Windows 2000 Server, and Windows NT Server 4.0. The ITCertKeys.com departments are organized into organizational units (OUs). As such, the Administration OU is named ITK_ADMIN, and the Sales OU is named ITK_SALES. All file servers for all departments are located in their respective OUs. The ITK_SALES OU is a child OU of the ITK_ADMIN OU. A new ITCertKeys.com written security policy states that the Administration department servers must be configured with security settings that are enhanced from the default settings.
The ITCertKeys.com written security policy further states that the Sales department servers must be configured with security settings that are enhanced from the default settings, and auditing should be enabled for file and folder deletion. Your instructions are to plan the security policy settings of the Administration and Sales departments to ensure compliance with the written security policy. To this end you decide to make use of a Group Policy object (GPO) for each of these departments. What should you do next?

A. One GPO must apply the Compatws.inf security template to computer objects. Link this GPO to the ITK_ADMIN OU. The second GPO must enable the Audit object access audit policy on computer objects. Link this GPO to the ITK_SALES OU.
B. One GPO must apply the Securews.inf security template to computer objects. Link this GPO to the ITK_ADMIN OU. The second GPO must enable the Audit object access audit policy on computer objects. Link this GPO to the ITK_SALES OU.
C. One GPO must apply the Compatws.inf security template to computer objects. Link this GPO to the ITK_ADMIN OU. The second GPO must apply the Hisecws.inf security template to computer objects. Link this GPO to the ITK_SALES OU.
D. One GPO must apply the Securews.inf security template to computer objects. Link this GPO to both the ITK_ADMIN and the ITK_SALES OUs. The second GPO must enable the Audit object access audit policy on computer objects. Link this GPO to the ITK_SALES OU.

Answer: B

Explanation: The Securews.inf template contains policy settings that increase the security on a workstation or member server to a level that remains compatible with most functions and applications. The template includes many of the same account and local policy settings as Securedc.inf, and implements digitally signed communications and greater anonymous user restrictions.

Audit Object Access: A user accesses an operating system element such as a file, folder, or registry key.
To audit elements like these, you must enable this policy and you must enable auditing on the resource that you want to monitor. For example, to audit user accesses of a particular file or folder, you display its Properties dialog box with the Security tab active, navigate to the Auditing tab in the Advanced Security Settings dialog box for that file or folder, and then add the users or groups whose access to that file or folder you want to audit.

Incorrect Answers:
A, C: The Compatws.inf security template is designed for Windows NT compatible applications that require lower security settings in order to run. These settings are lower than the default settings.
D: The ITK_SALES OU is a child OU of the ITK_ADMIN OU. GPO settings applied to parent OUs are inherited by child OUs; therefore we do not need to link the GPO to both the ITK_ADMIN OU and the ITK_SALES OU.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapters 9 and 10

Question 9.
You work as the network administrator for ITCertKeys.com. The ITCertKeys.com network contains 50 application servers that are configured with Windows Server 2003. At present the security configuration of the ITCertKeys.com servers is not uniformly applied. Local administrators, based on their different knowledge and skill levels, were responsible for the configuration of the security settings on each of the application servers. This resulted in a wide variety of authentication methods, audit settings and account policy settings. ITCertKeys.com thus appointed a security team to complete a new network security design. Included in the design is a baseline configuration for the security settings on all servers. The baseline security settings use the hisecws.inf predefined security template. The design also requires modified settings for servers in an application server role.
These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. The security team created a security template named application.inf that contains the required settings. You received instruction to plan the deployment of the new security design. Your plan must ensure that all application servers' security settings are standardized, and that afterward the security settings on all application servers comply with the design requirements. What should you do?

A. First apply the setup security.inf template, and then apply the hisecws.inf template, and then the application.inf template.
B. First apply the Application.inf template and then the Hisecws.inf template.
C. First apply the Application.inf template, and then apply the setup.inf template, and then the hisecws.inf template.
D. First apply the Setup.inf template and then the application.inf template.

Answer: A

Explanation: The servers currently have different security settings. Before applying our modified settings, we should reconfigure the servers with their default settings. This is what the security.inf template does. Now that our servers have the default settings, we can apply our baseline settings specified in the hisecws.inf template. Now we can apply our custom settings using the application.inf template.

Incorrect Answers:
B: The hisecws.inf template would overwrite the custom application.inf template.
C: The setup.inf security template doesn't exist. To return a system to its default security settings, we use the security.inf template.
D: The setup.inf security template doesn't exist. To return a system to its default security settings, we use the security.inf template.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:62
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

Question 10.
You work as a network administrator for ITCertKeys.com. The ITCertKeys.com network contains Terminal servers that host legacy applications. Only ITCertKeys.com users that have Power Users group membership can run these legacy applications. A new ITCertKeys.com security policy states that the Power Users group must be empty on all servers. You are thus required to ensure that the legacy applications will be available to users on the servers when the new security requirement is enabled. What should you do?

A. In the domain, the Domain Users Global group should be added to the Remote Desktop Users built-in group in the domain.
B. On each terminal server, the Domain Users Global group should be added to the Remote Desktop Users local group.
C. Allow the Local Users group to run the legacy applications by modifying the compatws.inf security template settings. Import the security settings into the default Domain Controllers Group Policy Object.
D. Allow the Local Users group to run the legacy applications by modifying the compatws.inf security template settings. Apply the modified template to each terminal server.

Answer: D

Explanation: The default Windows 2000 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have security settings that are compatible with Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to run in the standard Windows environment for Users, while still allowing applications that are not certified for Windows 2000 to run successfully under the less secure Power Users configuration.
However, if Windows 2000 users are members of the Power Users group in order to run applications not certified for Windows 2000, this may be too insecure for some environments. Some organizations may find it preferable to assign users, by default, only as members of the Users group and then decrease the security privileges for the Users group to the level where applications not certified for Windows 2000 run successfully. The compatible template (compatws.inf) is designed for such organizations. By lowering the security levels on specific files, folders, and registry keys that are commonly accessed by applications, the compatible template allows most applications to run successfully under a User context. In addition, since it is assumed that the administrator applying the compatible template does not want users to be Power Users, all members of the Power Users group are removed.

Incorrect Answers:
A, B: A global group is a group that is available domain-wide in any domain functional level, so why would you add it to another group?
C: The Compatws.inf template is not intended for domain controllers, so you should not link it to a site, to the domain, or to the Domain Controllers OU.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8:5
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Chapter 9

Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.