|
plz add it new dump
|
Question 1. You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named ITCertKeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. At ITCertKeys.com there are two Routing and Remote Access servers named ITCertKeys-SR12 and ITCertKeys-SR21. There is also an Internet Authentication Services server named ITCertKeys-SR15. The IAS server is set to provide accounting and centralized authentication of users connecting via ITCertKeys-SR12 and ITCertKeys-SR21. There are certain ITCertKeys.com network users who need to work from home. They will all require 24 hour access 7 days a week. It is your responsibility to create the appropriate remote access policies for ITCertKeys.com. To accommodate all the Remote access users you create a remote access policy that is configured to allow the Remote Users group the appropriate access to the VPN. For a while the network operated normally but certain remote users started complaining about not being able to access the VPN. You investigate and discover all the successfully connected users connected using a local user account located on ITCertKeys-SR15. You need to ensure that remote access is available whilst using the least amount of administrative effort. What should you do? A. Check whether ITCertKeys-SR12 and ITCertKeys-SR21 are set to support RADIUS accounting and authentication B. Add ITCertKeys-SR12 and ITCertKeys-SR21 to the RAS and IAS Servers group in Active Directory C. Promote the IAS server ITCertKeys-SR15 to a domain controller D. Add ITCertKeys-SR15 to the RAS and IAS Server group in Active Directory Answer: D Explanation: The IAS server requires being able to read all user objects attributes which can be achieved by adding ITCertKeys-SR15 to the RAS and IAS Servers group in Active Directory. Incorrect Answers: A: The scenario states that some users connect successfully. Thus it means that the Routing and Remote Access servers are configured properly. B: These servers do not require being added to the RAS and IAS Servers group as they do not actually authenticate the user accounts. C: This option will also achieve the scenario objective but requires too much administrative effort. Question 2. You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named ITCertKeys.com. All servers on the ITCertKeys.com network run Windows Server 2003. Half the client computers are portable computers, and the rest are desktop computers. The client computers are running a mix of Windows 2000 Professional Windows XP Professional. There are many ITCertKeys.com Sales department users that work out of the office due to the nature of their job description. These Sales department users require access to resources on ITCertKeys.com when out of the office. It is your responsibility to provide the Sales department users with access to the network. To this end you have five servers that are running with Routing and Remote Access services configured for VPN connectivity. All these servers are configured with the same remote access policy. A new written security policy has recently been issued by the ITCertKeys.com management and consequently you had to reconfigure the policies on each of these servers. Because of the policy changes you received instruction to centralize the remote access policies to ensure that any future changes to the policies can be made once and applied to all remote access servers. What should you do? A. A Domain Group Policy to apply any changes should be configured. B. The Routing and Remote Access servers must be configured to use Internet Authentication Services (IAS). C. An application directory partition must be implemented. D. Extensible Authentication Protocol (EAP) should be configured on all the Routing and Remote Access servers. Answer: B Explanation: IAS makes use of Remote Authentication Dial-In User Service (RADIUS) to centralize policies, logging, and authentication services from a single location. This would be ideal under the circumstances of ever-changing policy application. Incorrect answers: A: Remote policies are not stored in group policies. Thus configuring a Domain Group policy will not centralize the policies. C: Implementing an application directory partition will not centralize remote access policies. These partitions are used to create a section of the Active Directory database for application specific data to control replication and not for centralization of remote policies. D: EAP is an authentication protocol and is not used to centralize remote access policies. Question 3. You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named ITCertKeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and some run Windows 2000 Server and all client computers are laptop computers that run Windows XP Professional. At ITCertKeys.com there are two Routing and Remote Access servers named ITCertKeys-SR02 and ITCertKeys-SR05 respectively. The Routing and Remote Access servers are configured to accept connection requests through VPN and dial-up connections. The laptop client computers of the ITCertKeys.com domain currently make use of the MS-CHAP v2 protocol for authenticating to the network. A new ITCertKeys.com written security policy requires centralized remote connection authentications. The policy further states that all remote connections to the ITCertKeys.com corporate network authenticate using smart cards ensuring the data is encrypted with L2TP with IPSec. To this end you have received instruction from the CIO to comply with the security policy. You thus need to plan a new design for both VPN and dial-up connections. What should you do? A. An IAS server and VPN server must be added to the domain. ITCertKeys-SR02 and ITCertKeys-SR05 and the new VPN server must be configured to use the IAS server for authentication and make use of the EAP-TLS protocol for authentication on the IAS server B. An additional VPN server must be added to the domain. ITCertKeys-SR02 and ITCertKeys- SR05 must be configured to use the new VPN server for authentication and make use of the EAP-TLS protocol for authentication on the VPN server. C. An additional IAS server and VPN server must be added to the domain. ITCertKeys-SR02 and ITCertKeys-SR05 and the new VPN server must be configured to use the IAS server for authentication and make use of the MS-CHAP v2 protocol for authentication on the IAS server. D. An additional VPN server must be added to the domain. ITCertKeys-SR02 and ITCertKeys- SR05 must be configured to use the new VPN server for authentication and make use of the MS-CHAP v2 protocol for authentication on the VPN server. Answer: A Explanation: In the scenario you are required to use smartcards authentication and this will be achieved by adding the additional IAS server to the domain and configuring your Routing and Remote Access Service servers to use the added IAS server which should be configured to use EAP-TLS for authentication as this protocol supports the use of smartcards. Incorrect Answers: B: The problem with this implementation is that the authentication will not be centralized as the scenario state it is imperative authentication is centralized. C: There is only one problem in this option and that's the use of MS-CHAP v2 as this protocol does not support smartcard authentication. D: The problem with this implementation is that the authentication will not be centralized as the scenario state it is imperative authentication is centralized. Question 4. You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named ITCertKeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. ITCertKeys.com has its headquarters in Chicago and a branch office in Dallas. You are responsible for the management of the Routing and Remote Access services at ITCertKeys.com. You enable Routing and Remote Access on a server named ITCertKeys-SR05. You received a list of telephone numbers of those that are allowed to connect to the ITCertKeys.com network via remote access together with instruction from the CIO to configure ITCertKeys-SR05 to accept only connections from those numbers. You need to configure ITCertKeys-SR05 to support Automatic Number Identification/Calling Line Identification (ANI/CLI). You then create a user account for each of the phone numbers on the list from which calls will be accepted. You then create a remote access policy to support these ANI/CLI connections. Now you just need to apply the policy. What should you do? A. Enable the Unencrypted authentication option on the Authentication tab of the remote access profile for the policy. B. Enable the Unauthenticated access option on the Authentication tab of the remote access profile for the policy. C. Enable the Encrypted authentication option on the Authentication tab of the remote access profile for the policy. D. Enable the MD5-challenge authentication option on the Authentication tab of the remote access profile for the policy. Answer: B Explanation: Because a user name and password are not going to be sent when an ANI/CLI connection is made, you need to allow unauthenticated access. Thus you should enable support for unauthenticated access on the Authentication tab of the remote access policy profile for the policy. Alternative you could also configure the User Identity setting for remote access policies in the registry to direct ITCertKeys-SR05 or IAS server to use the number from which the user is calling as the user identity. Incorrect answers: A: If you enable unencrypted authentication support then you will be allowing support for clients that use the Password Authentication Protocol (PAP) and this is not what is required in this scenario. C: You enable encrypted authentication support to allow support for clients that use CHAP and MS-CHAP. This is not what is required in this scenario. D: You do not need to enable support for MD5-challenge authentication. Question 5. You work as the network domain administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory forest named ITCertKeys.com. The ITCertKeys.com network contains ten Windows Server 2003 Standard Edition computers and 1,200 client computers running Windows XP Professional. You are responsible for the management of security related settings and computer accounts in the domain. You need to define a custom security template to manage configuration settings for the computers. This custom security template will have to be imported into a Group Policy Object (GPO) that is linked to the domain. Which of the following Group Policy Object categories' related configuration settings can be managed using a security template? (Choose all that apply.) A. Account policies B. Disk Quotas C. Event Log D. File System E. Windows File Protection F. Local Policies G. Registry H. Group Policy I. Restricted Groups J. System Services Answer: A, C, D, F, G, I, J Explanation: You can make use of a security template to manage the configuration settings for the following categories: Account policies, Event Log, File System, Local Policies, Registry, Restricted Groups, and System Services Incorrect answers: B: Disk Quotas management: i.e. defining and setting is done using the System\Disk Quotas portion of Administrative Template. E: Windows File Protection enabling and management of its cache is done using the System\Windows File Protection portion of Administrative Template. H: Group Policy is managed using the System\Group Policy portion of Administrative Template Question 6. You work as the network domain administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory forest named ITCertKeys.com. The ITCertKeys.com network contains several Windows Server 2003 Standard Edition computers and 1,500 client computers running Windows XP Professional. You are responsible for the management of security related settings and computer accounts in the domain. You need to configure settings that are related to passwords, account lockout, and Kerberos. This custom security template will be imported into a Group Policy Object (GPO) that is linked to the domain. You must thus make use a of a security template node to accomplish the task. What should you do? A. Use the Event Log security template node. B. Use the Local Policies security template node. C. Use the Account Policies security template node. D. Use the Restricted Groups security template node. Answer: C Explanation: The Account Policies node of the Security template is used to configure password- account lockout-, and Kerberos settings. Incorrect answers: A: The Event Log node is used to configure settings for the application, security and system event logs and not to configure passwords, account lockouts or Kerberos. B: The Local Policies node is used to configure auditing, user rights and other security-related options and not passwords, accounts lockouts or Kerberos settings. D: The Restricted Groups node is used to configure and manage the membership for specific security groups. Question 7. You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory forest that contains three domains named ITCertKeys.com, us. ITCertKeys.com and, uk. ITCertKeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. The ITCertKeys.com domain and organizational unit (OU) structure is illustrated by the following Exhibit. Exhibit: Accounts department employees have user accounts in the us.ITCertKeys.com domain, Research and Development employees have user accounts in the uk.ITCertKeys.com domain, and all other users have user accounts in the ITCertKeys.com domain. Each domain has an OU named DC_OU that only contains the computer accounts of the domain controllers in that particular domain. A new ITCertKeys.com security policy requires the following: 1. All Accounting department users must use complex passwords with a minimum length of ten characters. 2. These password restrictions should only affect the Accounting department users. You thus need to ensure that these requirements are successfully achieved. What should you do? A. Create a GPO named PWRestrict. Link it to the DC_OU OU in the uk. ITCertKeys.com domain. B. Create a GPO named PWRestrict. Link it to the ITK_Users OU in the ITCertKeys.com domain. C. Create a GPO named PWRestrict. Link it to the DC_OU OU in the ITCertKeys.com domain. D. Modify the appropriate password policy settings in the Default Domain Policy GPO. E. Create a GPO named PWRestrict. Link it to the R&D OU in the uk. ITCertKeys.com domain. F. Create a GPO named PWRestrict. Link it to the DC_OU OU in the us. ITCertKeys.com domain. G. Create a GPO named PWRestrict. Link it to the Accounts OU in the us. ITCertKeys.com domain. Answer: D Explanation: Three domain-wide account policy settings (Password Policy, Account Lockout Policy and Kerberos Policy) should be unique to the domain and should always be defined at the domain level. These settings are enforced by the domain controller computers in the domain, regardless of the container holding the domain controllers or the OU structure in the domain. Therefore, all domain controllers always retrieve the values of these user account policy settings from the Default Domain Policy GPO. Incorrect Answers: A, C, F: If you use these options, the settings you have configured will be overridden by those in the Default Domain Policy GPO. B: Using this option would only apply the settings to users in this OU. Also, the settings you have configured will be overridden by those in the Default Domain Policy GPO. E: There are no members of the Accounting department added to the RandD OU. This GPO will not affect these users. G: The password policy settings are enforced on the domain controllers. While settings in a GPO linked at the OU level will apply to users or computers in the container, password policies should always be applied at the domain level so that the policy will be applied to all domain computers. Question 8. You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named ITCertKeys.com with sites All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. All users and computers belong to the ITCertKeys.com domain. All file servers reside in an organizational unit (OU) named FileServers. Each file server hosts several shared folders, some of which contain confidential financial data. All domain users have permissions to access the information in the shared folders. You suspect that a domain user account has been used by a hacker to access confidential financial information stored on a file server named ITCertKeys-SR16. You need to determine which user account has been compromised. You plan to use auditing to track which users are logging on to the domain. However, your desire is not to examine large volumes of information to view logon attempts to domain resources. You want to use the least amount of disk space when you audit access to domain resources. What should you do? A. Configure a Group Policy Object (GPO) that enables the Logon Events audit policy for failure auditing and success auditing. Link the GPO to the Active Directory container that contains your domain controllers. B. Configure a Group Policy Object (GPO) that enables the Logon Events audit policy for success auditing. Link the GPO to the Active Directory container that contains your domain controllers. C. Configure a Group Policy Object (GPO) that enables the Account Logon Events audit policy for success auditing. Link the GPO to the Active Directory container that contains your domain controllers D. Configure a Group Policy Object (GPO) that enables the Account Logon Events audit policy for failure auditing. Link the GPO to the Active Directory container that contains your domain controllers. Answer: C Explanation: The Account Logon Events policy setting is used to track which users are logging on to your domain. The Account Logon Events policy is enabled on domain controllers. Enabling success auditing will result in an entry being placed in the security log whenever a user makes a successful attempt to log on to the ITCertKeys.com domain by using a domain user account. Incorrect Answers A: The Logon Events audit policy is used to audit logon attempts using local computer accounts. This policy will only log an event when a user logs on to a domain controller. B: The Logon Events audit policy is used to audit logon attempts using local computer accounts. This policy will only log an event when a user logs on to a domain controller. D: Enabling failure auditing will result in an entry being placed in the security log whenever a user makes an unsuccessful attempt to log on to the ITCertKeys.com domain by using a domain user account. You suspect that a domain user account is already being used to access domain resources. Question 9. You work as the senior network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named ITCertKeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. You have noticed that some unauthorized changes have been made to the registry of several computers. You suspect that one of your junior network administrators is changing the registry. You decide to: 1. Enable auditing to log all changes being made to the registry. 2. All attempts made to change the registry keys to be logged. 3. No other type of event to be included in your auditing effort. 4. Use Event Viewer to view all logged event entries. You open the domain audit security policy and navigate to the audit policy settings under the Security Settings node. You then enable the Audit object access audit policy setting for failed events. When viewing the logged events, you discover though that there are no events logged for any successful changes made to the Registry. You want all events to be logged, and not only failed attempts to change the Registry. How should you configure the audit policy settings of the domain audit security policy? A. Configure the Audit privilege use audit policy setting so that successful and failed events are logged. B. Configure the Audit directory service access audit policy setting so that successful and failed events are logged. C. Configure the Audit Policy change audit policy setting so that successful and failed events are logged. D. Configure the Audit object access audit policy setting so that successful and failed events are logged Answer: D Explanation: While you have enabled the correct audit policy setting in the Security Settings node, you have specified that only failed attempts to change the Registry be logged. You SHOULD configure the Audit object access setting if you want to track and log when a user accesses operating system components such as files, folders or registry keys. Because you need both successful and failed events logged, you should reconfigure the Audit object access audit policy setting so that both successful and failed events are logged. Incorrect Answers: A: You would configure the Audit privilege use audit policy setting to log when a user affects a user right. B: The Audit directory service access policy audit policy setting logs events that pertain to when users access Active Directory objects which have system access control lists (SACLs). The Registry is not an Active Directory object. You should regard it as being computer specific. C: The Audit Policy change audit policy setting is used to log changes that are made to the security configuration settings of the computer. Question 10. You work as the network administrator at ITCertKeys.com. The ITCertKeys.com network consists of a single Active Directory domain named ITCertKeys.com. All servers on the ITCertKeys.com network run Windows Server 2003 and all client computers run Windows XP Professional. Clive Wilson is a manager in the Human Resources department. Clive Wilson frequently accesses files that contain confidential information on ITCertKeys.com's employees. The files reside in several shared folders on his Windows XP Professional computer. Both Dean and employees working in the Human Resources department modify these files. Clive Wilson complains that this morning, when he attempted to access a file in one of the shared folders, the shared folders and files were deleted. You decide to use last nights backup to restore the files. You successfully restore the latest available backup of these files. You must immediately determine who the culprit is that deleted the files. You suspect that someone deleted Clive's files from across the network. You log on to Clive Wilson's computer. You want to configure local security policy, so that you can determine who connected to Clive's computer and deleted the files. You want to use Event Viewer to produce a listing of all logged entries. What should you do? (Choose the two actions which you should perform. Each correct answer presents only part of the complete solution. Choose two answers that apply.) A. Enable the Privilege Use - Success audit policy on Clive Wilson's computer. Use Event Viewer to configure a filter that will list all entries produced by the audit policy. B. Enable the Logon Events - Success audit policy on Clive Wilson's computer. Use Event Viewer to configure a filter that will list all entries produced by the audit policy. C. Enable the Account Logon Events - Success audit policy on Clive Wilson's computer. Use Event Viewer to configure a filter that will list all entries produced by the audit policy. D. Enable the Object Access - Success audit policy on Clive Wilson's computer. Use Event Viewer to configure a filter that will list all entries produced by the audit policy. Answer: A, D Explanation: The Privilege Use - Success audit policy will allow you to see who deleted the files from Clive Wilson's computer, and also when these files were deleted. The Object Access - Success audit policy will let you know when an individual successfully accessed Clive Wilson's files. You can then use Event Viewer to configure a filter that will list all entries produced by the audit policy. Incorrect Answers: C: The Logon Events - Success and Account Logon Events - Success audit policies would not work because the question states that Clive Wilson's files were deleted from over the network. These policies would inform you on who logged on to the local computer, and whether a user account was compromised. B: The Logon Events - Success and Account Logon Events - Success audit policies would not work because the question states that Clive Wilson's files were deleted from over the network. These policies would inform you on who logged on to the local computer, and whether a user account was compromised.
Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.