What should you do?
A. Create a new user account in the bar.biz Active Directory domain for each customer.
Create a universal group in the bar.biz domain. Add the new customer domain user
accounts as members of the new universal group. Assign this group permissions to access
the databases.
B. Create a new user account in the bar.biz Active Directory domain for each customer.
Create a global group in the bar.biz domain. Add the new customer domain user accounts
as members of the new global group. Assign this group permissions to access the
databases.
C. Create a new user account in the testking.com Active Directory domain for each
customer. Create a global group in the testking.com domain. Add the new customer
domain user accounts as members of the new global group. Assign this group permissions
to access the databases.
D. Create a new user account in the testking.com Active Directory domain for each
customer. Create a global group in the testking.com domain. Add the new customer
domain user accounts as members of the new global group. Assign this group permissions
to access the databases.
Answer: B
QUESTION NO: 6 DRAG DROP
You are the security administrator for TestKing. The network consists of a single
Active Directory domain named testking.com. Four Windows Server 2003
computers run IIS and serve as Web servers on the Internet.
TestKing's written security policy states that computers that are accessible from the
Internet must be hardened against attacks. The procedure for hardening computers
includes disabling unnecessary services. You evaluate which services are necessary
by using the following information about the Web servers:
1. Customers and business partners access Web content on the Web servers after
they authenticate by using a user name and password. To access certain parts of
the site, some of these connections use the SSL protocol.
2. All software is installed locally on the Web servers by using removable media,
except for service packs and security patches.
3. The Web servers automatically download service packs and security patches from
an internal computer that runs Software Update Services (SUS).
4. The Web servers do not perform any other roles.
Leading the way in IT testing and certification tools,
www.testking.com
- 19 -
You need to create a security template for the Web servers that disables
unnecessary services and allows necessary services to operate.
What should you do?
To answer, drag the appropriate service startup types to the correct locations in the
work area.
Answer:
Explanation:
IIS Services
IIS provides the basic services that publish information, transfer files, support
user communication, and update the data stores upon which these services depend. This
section introduces the services that IIS 6.0 provides.
The following table lists the IIS services, as well as their primary components and service
hosts.
Service                                                Primary Component   Hosted by
World Wide Web Publishing Service (WWW service)        Iisw3adm.dll        Svchost.exe
File Transfer Protocol Service (FTP service)           Ftpsvc2.dll         Inetinfo.exe
Simple Mail Transfer Protocol Service (SMTP service)   Smtpsvc.dll         Inetinfo.exe
Network News Transfer Protocol Service (NNTP service)  Nntpsvc.dll         Inetinfo.exe
IIS Admin service                                      Iisadmin.dll        Inetinfo.exe
World Wide Web Publishing Service
World Wide Web Publishing Service (WWW service) provides Web publishing to IIS
end users, connecting client HTTP requests to Web sites that are running in IIS. WWW
service manages the IIS core components that process HTTP requests and that configure
and manage Web applications. WWW service runs as Iisw3adm.dll and is hosted by
Svchost.exe.
File Transfer Protocol Service
Through the File Transfer Protocol service (FTP service), IIS provides full support for
managing and serving files. The service uses the Transmission Control Protocol (TCP),
which ensures that file transfers are complete and that the data transferred is accurate.
This version of FTP supports isolating users at the site level to help administrators secure
and commercialize their Internet sites. FTP service runs as Ftpsvc2.dll and is hosted by
Inetinfo.exe.
Simple Mail Transfer Protocol Service
IIS can send or receive e-mail by using the Simple Mail Transfer Protocol service (SMTP
service). For example, you can program the server to send mail automatically in response
to events, in order to confirm successful forms submissions by users. Also, you can use
the SMTP service to receive messages that collect feedback from Web site customers.
SMTP service does not provide full e-mail services. To deliver full e-mail services, use
Microsoft® Exchange Server. SMTP service runs as Smtpsvc.dll and is hosted by
Inetinfo.exe.
Network News Transfer Protocol Service
You can use the Network News Transfer Protocol service (NNTP service) to host NNTP
local discussion groups on a single computer. Because this feature complies fully with the
NNTP protocol, users can use any news reader client to participate in the newsgroup
discussions. Through the Rfeed script, found in the inetsrv folder, the IIS NNTP service
now supports newsfeeds. NNTP service does not support replication. To employ news
feeds or to replicate a newsgroup across multiple computers, use Exchange Server. NNTP
service runs as Nntpsvc.dll and is hosted by Inetinfo.exe.
IIS Admin Service
IIS Admin service manages the IIS metabase and updates the Microsoft Windows®
operating system registry for the WWW service, FTP service, SMTP service, and NNTP
service. The metabase is a data store that holds IIS configuration data. IIS Admin service
exposes the metabase to other applications, including the core components of IIS,
applications that are built on IIS, and third-party applications that are independent of IIS,
such as management or monitoring tools. IIS Admin service runs as Iisadmin.dll and is
hosted by Inetinfo.exe.
Reference:
HOW TO: Disable or Remove Unnecessary IIS Services
Note: Application Management
The application management service process advertises applications on the user's desktop
or on the Start menu.
The Application Management system service provides software installation services such
as Assign, Publish, and Remove. This service processes requests to enumerate, install,
and remove applications deployed via a corporate network. When you click Add in
Add/Remove Programs control panel on a computer joined to a domain, the program calls
this service to retrieve the list of your deployed applications. The service is also called
when you use Add/Remove Programs to install or remove an application, and in cases
when a component, such as the shell or COM, makes an install request for an application
to handle a file extension, Component Object Model (COM) class, or ProgID that is not
present on the computer. The service is started by the first call made to it; it does not
terminate once started.
Note: For more information about COM, COM class, or ProgID, see the Software
Development Kit (SDK) information in the MSDN® developer program Library on the
Web Resources page at:
http://www.microsoft.com/windows/reskits/webresources.
If the Application Management service is stopped or disabled, users will be unable to
install, remove, or enumerate applications deployed in the Microsoft Active Directory
service through Microsoft IntelliMirror® management technologies. If this service is
disabled, it will not retrieve deployed application information nor will this information
appear in the Add New Programs section of the Add/Remove Programs control panel.
The Add programs from your network dialog box will display the following message:
No programs are available on the network.
Stopping this service is not possible once started. If you do not require this service, you
must disable it to prevent it from starting.
Automatic Updates
The Automatic Updates system service enables the download and installation of critical
Windows updates. This service automatically provides your computer with the latest
updates, drivers and enhancements. You no longer have to manually search for critical
The operating system recognizes when you are online and uses your Internet connection
to search for applicable updates from the Windows Update service. Depending on your
configuration settings, the service will either notify you before download, before
installation, or the service will automatically install updates for you.
You can turn off the Automatic Update feature through the Systems setting in the Control
Panel, or by right-clicking the My Computer icon, and then clicking Properties.
You can also use the Microsoft Management Console (MMC) Group Policy Object
Editor snap-in administrative template to configure an intranet server that is configured
with the Software Update Services to host updates from the Microsoft Update Web sites.
This setting lets you specify a server on your network to function as an internal update
service. The Automatic Updates client will search this service for updates that apply to
the computers on your network.
For more information about Software Update Services, see the Software Update Services
Web site at:
http://www.microsoft.com/windows ... te/sus/default.asp.
If the Automatic Updates service is stopped or disabled, no critical updates will be
downloaded to the computer automatically. Searching for, downloading and installing
applicable critical fixes will have to be done by going to the Windows Update Web site
at:
http://v4.windowsupdate.microsoft.com/en/default.asp.
Internet Authentication Service
The Internet Authentication Service performs centralized authentication, authorization,
auditing, and accounting of users connecting to a network - either LAN or remote - using
VPN equipment, Remote Access Equipment (RAS), or 802.1x Wireless and
Ethernet/Switch Access Points.
IAS implements the Internet Engineering Task Force (IETF) standard RADIUS protocol,
which enables heterogeneous network access equipment. If IAS is disabled or stopped,
authentication requests will failover to a backup IAS server, if it is available. If no backup
IAS servers are available, users will not be able to connect to the network. If this service
is disabled, any services that explicitly depend on this service will not start.
World Wide Web Publishing Service
World Wide Web Publishing Service provides Web connectivity and administration of
Web sites through the IIS snap-in. World Wide Web Publishing provides HTTP services
for applications on the Windows platform. The service contains a process manager and a
configuration manager. The process manager controls the processes in which custom
applications and simple Web sites reside. The configuration manager reads the stored
system configuration and ensures that Windows is configured to route HTTP requests to
the appropriate application pools or operating system processes.
This service can monitor the processes that house custom applications and provide
recycling services for these applications. Recycling is a configuration property of an
application pool and can be done on the basis of memory limits, request limits, processing
time, or time of day. The service will queue HTTP requests if custom applications stop
responding, and will also attempt to restart custom applications.
The service depends on the IIS administration service and kernel TCP/IP support.
If World Wide Web Publishing Service is stopped, the Windows Server 2003 operating
system will not be able to serve any form of Web request. If this service is disabled, any
services that explicitly depend on this service will not start.
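The drag-and-drop above asks for a security template whose [Service General Setting] section sets the startup type of each service on an Internet-facing Web server. The script below is an added example (not the exam guide's material and not a Microsoft tool) that parses that section of a template and audits it against a baseline. Assumptions: the secedit line format ServiceName,StartupType,SecurityDescriptor, the startup codes 2 = Automatic, 3 = Manual, 4 = Disabled (the registry Start values), the short service names W3SVC, wuauserv, AppMgmt and IAS, and the baseline itself, which is derived from the scenario facts because the page leaves the answer field blank. The sample template is constructed and deliberately contains one wrong entry and one missing entry.

```python
"""Audit the [Service General Setting] section of a security template against
the startup types an Internet-facing IIS server needs (question 6 scenario).
Added example; the baseline, the INF format details and the sample template
are assumptions, not taken from the page."""
import csv

STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

# Baseline derived from the scenario (assumption): the servers serve Web content
# over HTTP/HTTPS, pull patches from an internal SUS server, get all other
# software from removable media, and hold no other role.
BASELINE = {
    "W3SVC": "Automatic",     # World Wide Web Publishing Service
    "wuauserv": "Automatic",  # Automatic Updates (downloads from SUS)
    "AppMgmt": "Disabled",    # Application Management (no network deployment)
    "IAS": "Disabled",        # Internet Authentication Service (not a RADIUS role)
}


def parse_service_settings(template_text: str) -> dict:
    """Return {service: startup_name} from [Service General Setting].
    Codes other than 2/3/4 are reported as 'Unknown(<code>)'."""
    settings = {}
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                 # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[service general setting]"
            continue
        if not in_section:
            continue
        fields = next(csv.reader([line]))            # quoted fields, commas inside
        if len(fields) < 2:
            continue
        name, code = fields[0].strip(), fields[1].strip()
        settings[name] = STARTUP.get(code, f"Unknown({code})")
    return settings


def audit(template_text: str, baseline: dict = BASELINE) -> list:
    """Return (service, expected, found) for every baseline service that is
    missing from the template or has a different startup type. Service names
    are compared case-insensitively; 'not set' marks a missing entry."""
    found = {k.lower(): v for k, v in parse_service_settings(template_text).items()}
    problems = []
    for service, expected in baseline.items():
        actual = found.get(service.lower(), "not set")
        if actual != expected:
            problems.append((service, expected, actual))
    return problems


# Constructed template: AppMgmt is wrongly left Automatic and IAS is absent.
# The security descriptor on the W3SVC line is a constructed SDDL string.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"W3SVC",2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"wuauserv",2,""
"AppMgmt",2,""
"""

if __name__ == "__main__":
    for service, expected, actual in audit(SAMPLE_TEMPLATE):
        print(f"{service}: expected {expected}, found {actual}")
```

Running the audit on the sample reports AppMgmt (expected Disabled, found Automatic) and IAS (expected Disabled, not set); a template that sets both to 4 passes cleanly.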
QUESTION NO: 7
You are a security administrator for TestKing.com. The network consists of a single
Active Directory domain named testking.com. All servers run Windows Server
2003. All client computers run Windows XP Professional.
All computers are configured to use Automatic Updates to install updates without
user intervention. Updates are scheduled to occur during off-peak hours.
During a security audit, you notice some client computers are not receiving updates
on a regular basis. You verify that Automatic Updates is running on all client
computers, and you verify that users cannot modify the Automatic Updates settings.
You need to ensure that computers on your network receive all updates.
What should you do?
A. Enable the No auto-restart for scheduled Automatic Updates Installations settings.
B. Disable the Specify intranet Microsoft update service location setting.
C. Enable the Remove access to use all Windows Update features setting.
D. Enable the Reschedule Automatic Updates scheduled installations setting.
Answer: D
QUESTION NO: 8
You are a security administrator for TestKing. The network consists of seven Active
Directory domains. These domains are in the same Active Directory forest. All seven
Active Directory domains operate at a Windows Server 2003 domain functional
level.
Each domain contains an internal Web site that is used to publish information to the
TestKing managers. Access to the information on these Web sites must not be
restricted to managers. An existing global group in each domain contains the
management user accounts that exist in that domain.
You need to restrict access to the internal Web sites to TestKing managers. You
want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Create a universal group in one of the Active Directory domains.
Add the existing management global groups as members of the universal group.
Assign only this universal group permissions to access the Web sites.
B. Create a global group in one of the Active Directory domains.
Add the existing management global groups as members of the global group.
Assign only this global group permissions to access the Web sites.
C. Create a domain local group in one of the Active Directory domains.
Add the existing management global groups as members of the domain local group.
Assign only this domain local group permissions to access the Web sites.
D. Assign only the existing management global permissions to access the Web sites.
Answer: A
Explanation:
The members that each type of security group scope can have depend on the domain
functional level. When the domain functional level is set to Windows 2000 native mode
or higher, each type of group can contain the following members:
Universal: accounts from any domain, global groups from any domain, and universal
groups from any domain
Global: accounts from the same domain, and global groups from the same domain
Domain local: accounts from any domain, global groups from any domain, universal
groups from any domain, and domain local groups from the same domain
Objective: Planning, Configuring and Troubleshooting Authentication, Authorization and
PKI
Sub-Objective: 4.2.2 Plan security group scope.
Domain Migration Cookbook
Chapter 2: Domain Upgrade
Global Groups
Windows 2000 global groups are effectively the same as Windows NT global groups. In
terms of membership, they have domain-wide scope, but can be granted permissions in
any domain, even in other forests and earlier version domains as long as a trust
relationship exists.
Universal Groups
Universal groups can contain members from any Windows 2000 domain in the forest, but
cannot contain members from outside the forest. You can grant universal groups
permissions in any domain, even in other forests, as long as a trust relationship exists.
Although universal groups can have members from mixed mode domains in the same
forest, the universal group will not be added to the access token of these members
because universal groups are not available in mixed mode.
You can add users to a universal group, but it is recommended that you restrict universal
group membership to global groups. Universal groups are available only in native mode
domains.
Use of Universal Groups
Universal groups have a number of important characteristics. You can use universal
groups to build groups that perform a common function within an enterprise. One
example might be virtual teams. The membership of such teams in a large company
would probably be nationwide or even worldwide, and almost certainly forest-wide, with
the team resources being similarly distributed. Universal groups could be used as a
container in these circumstances to hold global groups from each subsidiary or
department, with a single access control entry (ACE) for the universal group to protect
the team resources.
In using universal groups, an important factor to consider is that while global and domain
local groups are listed in the global catalog (GC), their members are not, whereas
universal groups and their members are listed, a fact that has implications for GC
replication traffic. Exercise care in the use of universal groups. As a guide, if your entire
network has high-speed connectivity, you can simply use universal groups for all of your
groups and benefit from not having to bother with managing global groups and domain
local groups. If, however, your network spans wide area networks (WANs), you can
improve performance in several ways by using global groups and domain local groups. If
you use global groups and domain local groups, you can also designate any widely used
groups that are seldom changed as universal groups.
Universal Groups and Access Tokens
The previous discussion of universal group membership touched on the fact that universal
groups can contain members from mixed mode domains, but that such members will not
have the universal group's SID in their access token. This is a consequence of the way
access tokens are created in Windows 2000. When a user logs on to a Windows 2000
native mode domain and has been authenticated, the Local Security Authority (LSA) on
the domain controller where the user was authenticated retrieves the user's global group
memberships. The LSA then passes this information down to the workstation, where it is
used to build the user's access token. At the same time, the LSA queries the GC for the
user's universal group memberships, which it also passes to the workstation. If a user is a
member of a universal group, the SID of that group is included in the access token on the
workstation, and is added to the authorization data in the TGT issued by the KDC.
Universal groups are not added to access tokens at any other time (for example, when
impersonation tokens are created at member servers). As a consequence, if the universal
group SID is not available when the user logs on (for example, where the user is logging on
to a mixed mode domain), it will not be added subsequently.
Nesting Groups
It is recommended that you do not create groups with more than 5,000 members. This
guideline is based on the fact that updates to the Active Directory store have to be capable
of being made in a single transaction. Because group memberships are stored in a single
multivalue attribute, a change to the membership would result in the whole attribute (in
other words, the whole membership list) having to be updated in a single transaction.
Microsoft has tested and supports group memberships of up to 5,000 members. You can
get around this limitation by nesting groups to increase the effective number of members.
A further consequence is that you also reduce the replication traffic caused by replication
of group membership changes. Your nesting options depend on whether the domain is in
native mode or mixed mode. The following list describes what can be contained in a
group that exists in a native mode domain. These rules are determined by the scope of the
group.
Universal groups can contain user accounts from any domain, universal groups, and global
groups from any domain.
Global groups can contain user accounts and global groups from the same domain.
Domain local groups can contain user accounts, universal groups, and global groups
from any domain. They also can contain other domain local groups from within the same
domain.
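The nesting rules listed here and in the explanation of question 8 decide which of the four answer options actually works. The script below is an added example (not from the exam guide or from Microsoft) that encodes the native-mode rules as stated above and evaluates the question 8 design for each group scope. Two parts are supplied from the Windows 2000/Server 2003 documentation rather than from the page and are marked as assumptions in the code: the mixed-mode rules (the page's mixed-mode list is missing) and the rule that a domain local group can be granted permissions only in its own domain. The seven domain names and the Managers group names are constructed.

```python
"""Which members may a security group contain, by scope and functional level,
and where may the group be used in an ACL. Added example for questions 8 and
the nesting discussion; native-mode rules follow the page, the mixed-mode
rules and the ACL-placement rule are assumptions from Microsoft documentation."""
from dataclasses import dataclass

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domainlocal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # domain that holds the account or group object
    kind: str     # USER, GLOBAL, UNIVERSAL or DOMAIN_LOCAL


def can_contain(group: Principal, member: Principal, level: str = "native") -> bool:
    """True if `member` may be added to `group`. level is "native" (Windows 2000
    native or higher, the page's list) or "mixed" (Windows 2000 mixed)."""
    same_domain = member.domain == group.domain
    if level == "mixed":
        # Assumption (documented behaviour, not stated on the page): no universal
        # security groups; global groups hold only users from their own domain;
        # domain local groups hold users and global groups from any domain.
        if group.kind == UNIVERSAL:
            return False
        if group.kind == GLOBAL:
            return member.kind == USER and same_domain
        if group.kind == DOMAIN_LOCAL:
            return member.kind in (USER, GLOBAL)
        raise ValueError(f"not a group scope: {group.kind}")
    # Native mode: the rules in the list above.
    if group.kind == UNIVERSAL:
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    if group.kind == GLOBAL:
        return member.kind in (USER, GLOBAL) and same_domain
    if group.kind == DOMAIN_LOCAL:
        if member.kind in (USER, GLOBAL, UNIVERSAL):
            return True
        return member.kind == DOMAIN_LOCAL and same_domain
    raise ValueError(f"not a group scope: {group.kind}")


def can_be_granted_in(group: Principal, resource_domain: str) -> bool:
    """Assumption (not on the page): domain local groups may appear in ACLs only
    within their own domain; global and universal groups may be used forest-wide."""
    if group.kind == DOMAIN_LOCAL:
        return group.domain == resource_domain
    return group.kind in (GLOBAL, UNIVERSAL)


def rejected_members(group, members, level="native"):
    """Names of the proposed members that the scope rules do not allow."""
    return [m.name for m in members if not can_contain(group, m, level)]


def unreachable_resources(group, resource_domains):
    """Domains whose resources cannot be protected with an ACE for this group."""
    return [d for d in resource_domains if not can_be_granted_in(group, d)]


# Constructed scenario modelled on question 8: seven domains in one forest,
# each with a global Managers group and an internal Web site.
DOMAINS = [f"d{i}.testking.com" for i in range(1, 8)]
MANAGER_GROUPS = [Principal(f"Managers-{d}", d, GLOBAL) for d in DOMAINS]


def evaluate_design(scope: str):
    """One group of the given scope in the first domain: returns (members that
    cannot be nested into it, Web sites that cannot be protected with it)."""
    group = Principal(f"AllManagers-{scope}", DOMAINS[0], scope)
    return rejected_members(group, MANAGER_GROUPS), unreachable_resources(group, DOMAINS)


if __name__ == "__main__":
    for scope in (UNIVERSAL, GLOBAL, DOMAIN_LOCAL):
        bad_members, bad_sites = evaluate_design(scope)
        print(f"{scope:12s} rejected members: {len(bad_members)}  unreachable sites: {len(bad_sites)}")
```

Only the universal group both accepts all seven global groups and can be used on all seven Web sites; a global group rejects the six foreign global groups, and a domain local group accepts them but cannot be used outside its own domain.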
This list describes what security groups in a mixed mode domain can contain:
References:
Description of the Group Scopes That You Can Use to Help Secure Active Directory
Objects
Universal Group Scope Is Incorrectly Documented in Windows 2000 Help
QUESTION NO: 9
You are a security administrator for TestKing. The network consists of two Active
Directory forests named testking.com and public.testking.com. All servers run
Windows Server 2003. All client computers run Windows XP Professional.
The network consists of an IEEE 802.11b wireless LAN (WLAN). Employees and
external users use the WLAN. User accounts for employees are located in the
testking.com forest. User accounts for external users are located in the
public.testking.com forest. External users' computers do not have computer
accounts in the public.testking.com forest.
To increase security, you upgrade the network hardware to support IEEE 802.1x.
You configure a public key infrastructure (PKI). You issue Client Authentication
certificates to employees, to client computers used by employees, and to external
users.
You need to configure the WLAN to authenticate employees and external users.
What should you do?
A. Configure each wireless access point to forward RADIUS requests to a server running
Internet Authentication Service (IAS).
Configure the IAS server to use a connection request policy to forward the requests to the
appropriate forest.
B. Configure each wireless access point to forward requests to an Internet Authentication
Service (IAS) server in the testking.com forest.
Configure the IAS server in the testking.com forest to use the Tunnel-Server-Endpt
attribute.
C. Use the Connection Manager Administration Kit (CMAK).
Configure one connection profile for external users.
Configure a second connection profile for employees.
D. Establish a forest trust relationship between the testking.com forest and the
public.testking.com forest.
Answer: A
Explanation:
Connection request policies
Connection request policies are sets of conditions and profile settings that give network
administrators flexibility in configuring how incoming authentication and accounting
request messages are handled by the IAS server. With connection request policies, you
can create a series of policies so that some RADIUS request messages sent from RADIUS
clients are processed locally (IAS is being used as a RADIUS server) and other types of
messages are forwarded to another RADIUS server (IAS is being used as a RADIUS
proxy). This capability allows IAS to be deployed in many new RADIUS scenarios.
With connection request policies, you can use IAS as a RADIUS server or as a RADIUS
proxy, based on the time of day and day of the week, by the realm name in the request, by
the type of connection being requested, by the IP address of the RADIUS client, and so
on.
It is important to remember that with connection request policies, a RADIUS request
message is processed only if the settings of the incoming RADIUS request message
match at least one of the connection request policies. For example, if the settings of an
incoming RADIUS Access-Request message do not match at least one of the connection
request policies, an Access-Reject message is sent.
For more information about how incoming RADIUS request messages from RADIUS
clients are processed, see Processing a connection request.
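To make the matching rule concrete, here is an added example (not the exam guide's material and not Microsoft's code) that simulates how an IAS server applies an ordered list of connection request policies to an incoming Access-Request: the first policy whose conditions all hold decides whether the request is processed locally or forwarded to a remote RADIUS server group, and a request that matches no policy gets an Access-Reject. The policy names, the realm patterns, the server group name and the request attributes are constructed for the question 9 scenario; only realm and NAS-IP-Address conditions are modelled.

```python
"""Simulation of IAS connection request policy evaluation for question 9.
Added example; policies, server group name and requests are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]          # RADIUS attribute name -> value
Condition = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Condition]   # all must hold for the policy to match
    action: str                   # "local" (RADIUS server) or "forward" (proxy)
    target: Optional[str] = None  # remote RADIUS server group when forwarding


def realm_of(user_name: str) -> str:
    """Realm from the 'user@realm' or 'REALM\\user' forms; '' when absent."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    return ""


def realm_matches(pattern: str) -> Condition:
    """Condition on the realm of the User-Name attribute (regular expression)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda req: rx.search(realm_of(req.get("User-Name", ""))) is not None


def nas_in(prefix: str) -> Condition:
    """Condition on the RADIUS client (here: wireless access point) address."""
    return lambda req: req.get("NAS-IP-Address", "").startswith(prefix)


def evaluate(policies: List[Policy], request: Request) -> Tuple[str, Optional[str]]:
    """Apply policies in order; the first full match decides. No match means the
    request is answered with Access-Reject, as the explanation above states."""
    for policy in policies:
        if all(cond(request) for cond in policy.conditions):
            return policy.action, policy.target
    return "reject", None


# Constructed policies for the two-forest WLAN: the IAS server in the
# testking.com forest authenticates employees itself and proxies external
# users to RADIUS servers in the public.testking.com forest. The server group
# name "public-forest-ias" and the access point subnet 10.0.0.0/16 are assumptions.
POLICIES = [
    Policy("External users to public forest",
           [realm_matches(r"^public\.testking\.com$"), nas_in("10.0.")],
           "forward", "public-forest-ias"),
    Policy("Employees authenticated locally",
           [realm_matches(r"^testking\.com$"), nas_in("10.0.")],
           "local"),
]

# The same routing with an unanchored employee pattern listed first: the realm
# public.testking.com also contains "testking.com", so external users would be
# processed locally instead of proxied. Policy order and exact patterns matter.
LOOSE_POLICIES = [
    Policy("Employees (pattern too loose)", [realm_matches(r"testking\.com")], "local"),
    POLICIES[0],
]


if __name__ == "__main__":
    for name in ("alice@testking.com", "PUBLIC.TESTKING.COM\\bob", "carol"):
        req = {"User-Name": name, "NAS-IP-Address": "10.0.1.5"}
        print(f"{name:28s} strict={evaluate(POLICIES, req)}  loose={evaluate(LOOSE_POLICIES, req)}")
```

With the strict policies, alice is handled locally, bob is forwarded to the public forest's RADIUS servers, and carol (no realm) is rejected; with the loose list, bob is wrongly processed locally.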
Authentication
You can set the following authentication options that are used for RADIUS
Access-Request messages: