QUESTION NO: 1
You are a security administrator for TestKing.com. The network consists of a single
Active Directory domain named testking.com. All servers run Windows Server
2003. All client computers run Windows XP Professional.
Several client computers are configured as kiosk computers that visitors and
employees use. The kiosk computers are managed by using GPOs. The GPOs
enforce a secure configuration. Multiple users log on to these computers every day.
You review the results of a security audit. You discover that when some users log on
the secure configuration is removed.
You need to ensure that the secure configuration is enforced at all times.
What should you do?
A. Apply the Securews.inf security template to the kiosk computers.
B. Configure the default user profile on kiosk computers as a mandatory user profile.
C. Edit the GPO that manages kiosk computers. Disable the Secondary Logon service.
D. Edit the GPO that manages kiosk computers. Enable loopback processing.
Answer: D
QUESTION NO: 2 DRAG DROP
You are a security administrator for TestKing.com. The network consists of a single
Active Directory forest named testking.com. All servers run either Windows Server
2003 or Windows 2000 Server. All domain controllers run Windows Server 2003. All
client computers run Windows XP Professional.
Leading the way in IT testing and certification tools,
www.testking.com
TestKing.com uses a Microsoft Exchange Server 2003 computer. Users on the
internal network connect to Exchange Server 2003 by using Microsoft Outlook.
TestKing.com currently does not allow users to exchange e-mail with customers via
the Internet.
To improve communication with customers, management decides to allow e-mail
communication via the Internet. Your company updates its written security policy
with the following requirements regarding the placement of Exchange Server 2003
computers:
1. Customers on the Internet must not be able to connect directly to any computer
on the internal network.
2. The number of ports and protocols that are allowed to pass through firewall
devices must be minimized.
You need to place computers to meet the company's written security policy.
Answer:
Explanation:
QUESTION NO: 3
You are a security administrator for TestKing.com. The network consists of a single
Active Directory domain named testking.com. All servers run Windows Server
2003. All client computers run Windows XP Professional.
Terminal Services is running on four Windows Server 2003 computers. Members of
a group named Remote Application need to access applications by using Terminal
Services. You assigned the Remote Application group the appropriate NTFS
permissions for the application folder and the appropriate RDP-Tcp connection
permissions on the terminal servers. Currently no users have the right to connect to
the terminal servers.
You need to assign users in the Remote Application group the minimum rights
necessary to access the applications.
What should you do to configure the terminal servers?
A. Apply a security template that assigns the Access this computer from the network right
to the Remote Application group.
B. Apply a security template that assigns the Allow log on locally right to the Remote
Application group.
C. Apply a security template that assigns the Log on as a service right to the Remote
Application group.
D. Apply a security template that assigns the Allow log on through Terminal Services
right to the Remote Application group.
Answer: D
Explanation:
Allow log on through Terminal Services
Description
This security setting determines which users or groups have permission to log on as a
Terminal Services client.
Default:
On workstation and servers: Administrators, Remote Desktop Users.
On domain controllers: Administrators.
Configuring this security setting
You can configure this security setting by opening the appropriate policy and expanding
the console tree as such: Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment\
For specific instructions about how to configure security policy settings, see To edit a
security setting on a Group Policy object.
This setting does not have any effect on Windows 2000 computers that have not been
updated to Service Pack 2.
For more information, see:
Deny logon through Terminal Services
User rights assignment
To assign user rights for your local computer
Security Configuration Manager Tools
Accessing Terminal Services Using New User Rights Options
SUMMARY
This article describes new options that you can use to assign user rights in Windows that
affect the Terminal Services feature.
MORE INFORMATION
through Terminal Services
You can use these options to change the set of permissions a user must have to establish a
Terminal Services session.
Allow logon through Terminal Services
To grant a user these permissions, start the Group
Policy snap-in, open the Local Security Policy or the appropriate Group Policy, and then
navigate to the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights
Assignment
To grant a user these permissions, start either the Active Directory Users and Computers
snap-in or the Local Users And Groups snap-in, open the user's properties, click the
Terminal Services Profile tab, and then click to select the Allow logon to Terminal Server
check box.
To grant guests Logon rights to the RDP-TCP connection, start the Terminal Services
Configuration snap-in, edit the RDP-TCP so that the guest has at least Logon rights.
The pivotal difference between Windows 2000 and Windows Server 2003 is the "Allow
logon through Terminal Services" user right. When you grant this user right, you no
longer have to grant the user the Log on locally right (this was a requirement in Windows
2000). In Windows Server 2003, it is possible for a user to establish a Terminal Services
session to a particular server, but not be able to log on to the console of that same server.
Section 1, Plan security templates based on computer role.
Computer roles include SQL Server computer, Microsoft Exchange
Server computer, domain controller, Internet Authentication
Service (IAS) server, and Internet Information Services (IIS) server
(9 questions)
QUESTION NO: 1
You are a security administrator for TestKing.com. The network consists of a single
Active Directory domain named testking.com. The testking.com domain contains
Windows Server 2003 computers and Windows XP Professional client computers.
All computers are members of the domain.
A Windows Server 2003 computer named TestKing3 runs Certificate Services.
TestKing3 is an enterprise subordinate certification authority (CA). A Windows
Server 2003 computer named TestKing2 runs IIS. TestKing2 hosts an internal
human resources web site for employees. You want to ensure that the personal data
of the employees is not exposed while in transit over the network. You decide to use
SSL on TestKing2.
You need to ensure that employees do not receive a certificate-related security alert
when they use SSL to connect to this Web site. You want to achieve this goal without
spending money to purchase this certificate unless it is necessary to do so.
What should you do?
A. Use IIS to submit a certificate request to a commercial CA.
B. Use IIS to submit a certificate request to TestKing3.
C. Use the Certificates console to submit a Client certificate request to a commercial CA.
D. Use the Certificates console to submit a Client certificate request to TestKing3.
Answer: B
Explanation:
Using Client Certificate Authentication with IIS 6.0 Web Sites
Request a User Certificate from the Web Enrollment Site
The client computer must present a user certificate to the Web server before the Web
server will accept the user's credentials. Users can log on to the Web enrollment site and
request a user certificate. The user does not need to be an administrator in the domain or
on the Certificate Server computer. The user only needs to have legitimate user
credentials that the enterprise CA recognizes.
Perform the following steps on the client computer to obtain the user certificate:
1. On the Web client computer, open Internet Explorer and enter http://10.0.0.2/certsrv in
the address bar, where 10.0.0.2 is the IP address of the Certificate Server. Press ENTER.
2. In the log on dialog box, enter the credentials of a non-administrator user. This will
demonstrate that a non-admin can obtain a user certificate. Click OK.
3. On the Welcome page of the Web enrollment site, click the Request a certificate link.
4. On the Request a Certificate page, click the User Certificate link.
5. On the User Certificate - Identifying Information page, click Submit.
6. Click Yes on the Potential Scripting Violation dialog box informing you that the Web
site is requesting a certificate on your behalf.
7. On the Certificate Issued page, click the Install this certificate link.
8. Click Yes on the Potential Scripting Violation page informing you that the Web site is
adding a certificate to the machine.
9. Close Internet Explorer after you see the Certificate Installed page.
Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0
The Certificate Wizard that comes with Internet Information Services (IIS) 5.0 makes
managing server certificates easier than ever before. This article describes how to create a
certificate request file using the wizard. The first step you will...
QUESTION NO: 2
You are a security administrator for TestKing.com. The network consists of a single
Active Directory domain named testking.com. All servers run Windows Server
2003. All servers are in an OU named Servers, or in OUs contained within the
Servers OU.
Based on information in recent security bulletins, you want to apply settings from a
security template named Messenger.inf to all servers on which the Messenger
service is started. You do not want to apply these settings to servers on which the
Messenger service is not started. You also do not want to move servers to other OUs.
You need to apply the Messenger.inf security template to the appropriate servers.
What should you do?
A. Import the Messenger.inf security template into a GPO, and link the GPO to the
Servers OU. Configure Administrative Templates filtering in the GPO.
B. Import the Messenger.inf security template into a GPO, and link the GPO to the
Servers OU. Configure a Windows Management Instrumentation (WMI) filter for the
GPO.
C. Configure a logon script in a GPO, and link the GPO to the Servers OU. Configure the
script to run the gpupdate command if the Messenger service is running.
D. Edit the Messenger.inf security template to set the Messenger service startup mode to
Automatic, and then run the secedit /refreshpolicy command.
Answer: B
QUESTION NO: 3
You are a security administrator for TestKing.com. The network consists of a single
Active Directory domain named testking.com. All servers run Windows Server
2003. All client computers run Windows XP Professional.
Eight Windows 2003 computers are members of the domain. These computers are
used to store confidential files. They reside in a data center that only IT
administration personnel have physical access to.
You need to restrict members of a group named Contractors from connecting to the
file server computers. All other employees require access to these computers.
What should you do?
A. Apply a security template to the file server computers that assigns the Access this
computer from the network right to the Domain Users group.
B. Apply a security template to the file server computers that assigns the Deny access to
this computer from the network right to the Contractors group.
C. Apply a security template to the file server computers that assigns the Allow log on
locally right to the Domain Users group.
D. Apply a security template to the file server computers that assigns the Deny log on
locally right to the Contractors group.
Answer: B
Explanation:
Deny access to this computer from the network Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment Description Determines
which users are prevented from accessing a computer over the network.
QUESTION NO: 4
You are a security administrator for TestKing.com. The network consists of a single
Active Directory domain named testking.com. The testking.com domain contains
Windows Server 2003 computers and Windows XP Professional client computers.
All computers are members of the domain.
The employee user accounts in the TestKing.com company are members of the
Administrators local group on client computers. You occasionally experience
problems managing client computers because an employee removes the Domain
Admins global group from the Administrators local group on the computer.
You need to prevent employees from removing the Domain Admins global group
from the Administrators local group on client computers.
What should you do?
A. Apply a security template to the client computers that establishes the Domain Admins
global group as a member of the Administrators local group by using the Restricted
Groups policy.
B. Apply a security template to the domain controller computers that establishes the
Domain Admins global group as a member of the Administrators domain local group by
using the Restricted Groups policy.
C. Modify the Domain Admins global group by assigning the Allow - Full Control
permission to the Domain Admins global group.
D. Modify the Domain Admins global group by assigning the Deny - Full Control
permission to the Domain Admins global group.
Answer: A
Explanation:
Description of Group Policy Restricted Groups
This article was previously published under Q279301
SUMMARY: This article provides a description of Group Policy Restricted groups.
Restricted groups allow an administrator to define the following two properties for
security-sensitive (restricted) groups:
Members
Member Of
The "Members" list defines who should and should not belong to the restricted group.
The "Member Of" list specifies which other groups the restricted group should belong to.
Using the "Members" Restricted Group Portion of Policy
When a Restricted Group policy is enforced, any current member of a restricted group
that is not on the "Members" list is removed with the exception of administrator in the
Administrators group. Any user on the "Members" list which is not currently a member of
the restricted group is added.
Using the "Member Of" Restricted Group Portion of Policy
Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted
Group is not removed from other groups. It makes sure that the restricted group is a
member of groups that are listed in the Member Of dialog box.
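The enforcement rules described above can be modelled on a template's [Group Membership] section. This is an added example, not part of the original study guide or any Microsoft tool; the template fragment, account names and starting group state are constructed, and the model covers only the behaviour stated in the explanation.

```python
import configparser

# Constructed template fragment (names simplified; real templates often use SIDs).
SAMPLE_INF = r"""
[Group Membership]
Administrators__Members = TESTKING\Domain Admins
Helpdesk__Memberof = Remote Desktop Users
"""

def parse_restricted_groups(inf_text):
    """Return {group: {"members": set, "memberof": set}} from [Group Membership]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of group names
    cp.read_string(inf_text)
    policy = {}
    for key, value in cp["Group Membership"].items():
        group, _, kind = key.rpartition("__")
        names = {n.strip() for n in value.split(",") if n.strip()}
        policy.setdefault(group, {})[kind.lower()] = names
    return policy

def apply_policy(policy, local_groups):
    """Model the enforcement described above on {group: set(members)}."""
    result = {g: set(m) for g, m in local_groups.items()}
    for group, spec in policy.items():
        if "members" in spec:
            # "Members" is authoritative: anything not listed is removed.
            enforced = set(spec["members"])
            # Stated exception: Administrator stays in Administrators.
            if group == "Administrators" and "Administrator" in result.get(group, ()):
                enforced.add("Administrator")
            result[group] = enforced
        # "Member Of" only adds the restricted group to the listed groups.
        for parent in spec.get("memberof", ()):
            result.setdefault(parent, set()).add(group)
    return result

if __name__ == "__main__":
    before = {  # constructed state: Domain Admins was removed by a local admin
        "Administrators": {"Administrator", r"TESTKING\alice"},
        "Remote Desktop Users": {r"TESTKING\bob"},
    }
    for group, members in apply_policy(parse_restricted_groups(SAMPLE_INF), before).items():
        print(group, sorted(members))
```

In the constructed run, Domain Admins is restored but the employee account is dropped from Administrators, because the "Members" list is authoritative; every account that must keep local administrator membership has to appear on that list.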
QUESTION NO: 5
You are a security administrator for TestKing.com. The network consists of two
Active Directory domains. These domains each belong to separate Active Directory
forests. The domain testking.com is used primarily to support company employees.
The domain named bar.biz is used to support company customers. The functional
level of all domains is Windows Server 2003 interim mode. A one-way external trust
relationship exists in which the testking.com domain trusts the bar.biz domain.
A Windows Server 2003 computer named TestKing3 is a member of the bar.biz
domain. TestKing3 provides customers access to a Microsoft SQL Server 2000
database. The user accounts used by customers reside in the local account database
on TestKing3. All of the customer user accounts belong to a local computer group
named Customers. SQL Server is configured to use Windows Integrated
authentication.
TestKing.com has additional SQL Server 2000 databases that reside on three
Windows Server 2003 computers. These computers are members of the testking.com
domain. TestKing's written security policy states that customer user accounts must
reside on computers in the bar.biz domain.
You need to plan a strategy for providing customers with access to the additional
databases. You want to achieve this goal by using the minimal amount of
administrative effort.