Helpful 214 compilation
Submitted By: Anonymous   Date Added: 7/24/2003   Word Count: 30565

 This is my last exam before I’m MCSE, so what I have done is:
1. Read the Microsoft 70-214 book (do the same – don’t cheat!)
2. Merged all the questions I have read over the last two years and selected just ones that related to topics in the 70-214 book.

Notes:
Sorry the pictures are missing, but most q’s are still useful.
If there are any questions listed which have nothing to do with security, then sorry about that – just an oversight!
If any answers seem wrong, or the explanations seem strange, then believe in yourself – I disagree with some of this stuff too!

Good luck all, from Creature ;)


1. You are using Windows 2000 Professional at home with a smart card installed. You want to connect to your RAS server to pick up e-mail. What protocol will you need?

A. EAP
B. PPTP
C. IPSec
D. NETBEUI

Ans: A

2. You want to provide Internet access for the clients on your network. You decide to use Network Address Translation (NAT). You have a Windows 2000 computer you try to establish a secure Virtual Private Networking session with. You try connecting to the Remote Windows 2000 computer using L2TP. You are unable to establish a connection with the remote node using L2TP. You are able to make a connection with another computer in your same office.
Why are you unable to make a connection to the remote location?

A. NAT does not allow for remote networking.
B. L2TP does not work with Windows 2000 computers.
C. You cannot establish a L2TP connection behind a computer running NAT. The L2TP session fails because the IP Security packets become corrupted.
D. You have not configured the NAT server to translate the IP Security packets.

Answer: C

Reason for answer: TechNet (259335)
- If the Virtual Private Network (VPN) client is behind any network device performing Network Address Translation (NAT), the L2TP session fails because encrypted IPSec Encapsulating Security Payload (ESP) packets become corrupted. If the VPN client is on the same node as Windows 2000 Internet Connection Sharing (ICS)/Network Address Translation (NAT), the client is most likely able to establish an L2TP session because NAT does not perform any IP address or port translation when packets originate from its own node.

3. You are the administrator of a Windows 2000 network. Recently, your network security was compromised and confidential data was lost. You are now implementing a stricter network security policy. You want to require encrypted TCP/IP communication on your network.

What should you do?

A. Create a GPO for the domain, and configure it to assign the Secure Server IPSec Policy.
B. Create a GPO for the domain, and configure it to assign the Server IPSec Policy and to enable Secure channel: Require strong session key.
C. Implement TCP/IP packet filtering, and open only the ports required for your network services.
D. Edit the local security policies on the servers and client computers and enable Digitally signed client and server communications.

Answer: A (correct)

By default, Windows 2000 includes three predefined policies: Client, Secure Server, and Server. The first task is to decide if any of the default policies will apply or if it will be necessary to create a custom policy to meet your needs. None of the pre-configured policies are active by default. The policies are as follows:

Client (Respond Only) - allows the client to respond to other computers requesting security according to the settings in the default response rule. With this policy active, the client will never request security, but will negotiate IPSec based on the connecting host. This would allow you to configure client computers to respond to requests for secure communications, but without initiating the request.

Secure Server (Require Security) - allows the server to require IPSec negotiation prior to allowing a connection. This policy will allow unsecured incoming communications, but outgoing traffic will always be secured. This policy could be implemented in scenarios where data must always be secured.

Server (Request Security) - allows the server to request IPSec negotiation, but will allow unsecured communications if the other computer is not IPSec aware. You could use this policy to implement security between IPSec enabled computers without sacrificing interoperability with non-IPSec-enabled computers.
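The following script is an added illustration (not from the braindump or from Microsoft) that models how the three predefined policies behave when two hosts talk to each other, so you can see why only Secure Server answers question 3. The NONE policy value, the function names and the outcome labels are assumptions of this model; the behaviour encoded is the one the explanation above describes.

```python
from enum import Enum
from itertools import product


class Policy(Enum):
    """IPSec policy assigned to a host. NONE is a hypothetical stand-in for a
    host with no IPSec policy assigned (not IPSec-aware)."""
    NONE = "no IPSec policy"
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"


def is_ipsec_aware(policy):
    """A host with any of the predefined policies assigned can negotiate IPSec."""
    return policy is not Policy.NONE


def requests_security(policy):
    """Server and Secure Server ask the peer to negotiate; Client only responds."""
    return policy in (Policy.SERVER, Policy.SECURE_SERVER)


def requires_security(policy):
    """Only Secure Server refuses to fall back to clear-text communication."""
    return policy is Policy.SECURE_SERVER


def negotiate(initiator, responder):
    """Outcome of a TCP/IP connection between two hosts: 'secured', 'clear' or 'blocked'."""
    both_aware = is_ipsec_aware(initiator) and is_ipsec_aware(responder)
    someone_asks = requests_security(initiator) or requests_security(responder)
    if both_aware and someone_asks:
        return "secured"   # negotiation succeeds and the traffic is protected
    if requires_security(initiator) or requires_security(responder):
        return "blocked"   # Secure Server will not talk without IPSec
    return "clear"         # nobody asked, or one side is not IPSec-aware


def outcome_matrix():
    """Every ordered pairing of policies, keyed by (initiator, responder)."""
    return {(a, b): negotiate(a, b) for a, b in product(Policy, repeat=2)}


def enforces_encryption(policy):
    """True when a host assigned this policy never ends up talking in the clear,
    whatever policy (or no policy) the peer has. That is the property the
    question asks for: a domain-wide GPO assigning such a policy requires
    encrypted TCP/IP communication."""
    return all(negotiate(policy, peer) != "clear" for peer in Policy)


if __name__ == "__main__":
    for (a, b), result in outcome_matrix().items():
        print(f"{a.value:34} -> {b.value:34}: {result}")
    for p in Policy:
        print(f"{p.value:34} enforces encryption: {enforces_encryption(p)}")
```

Running it prints the 16 pairings; note that Server (Request Security) assigned everywhere still leaves a non-IPSec-aware peer talking in the clear, which is why option B in question 3 falls short.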

4. You want to provide Internet access for the clients on your network. You decide to use Network Address Translation (NAT). You have a Windows 2000 computer you try to establish a secure Virtual Private Networking session with. You try connecting to the Remote Windows 2000 computer using L2TP. You are unable to establish a connection with the remote node using L2TP. You are able to make a connection with another computer in your same office.
Why are you unable to make a connection to the remote location?

A. NAT does not allow for remote networking.
B. L2TP does not work with Windows 2000 computers.
C. You cannot establish a L2TP connection behind a computer running NAT. The L2TP session fails because the IP Security packets become corrupted.
D. You have not configured the NAT server to translate the IP Security packets.

Ans: C

5. You want to install Windows 2000 Professional on 30 PXE-compliant computers and 35 non-PXE-compliant computers. All 65 computers are included on the current hardware compatibility list (HCL). You create a RIS image. You load the image on the RIS server. You then start the 65 computers. You find that the 30 PXE-compliant computers can connect to the RIS server. However, the 35 non-PXE-compliant computers are unable to connect to the RIS server. What should you do?
A. Run Rbfg.exe to create a non-PXE-compliant startup disk
B. Run Riprep.exe to create a non-PXE-compliant startup disk
C. Grant the everyone group NTFS Read permission for the RIS image
D. Grant the Administrators group NTFS Read permission for the RIS image

Ans: A

6. You are the administrator of your company's network. Your network has 75 Windows 2000 Professional computers and eight Windows 2000 Server computers. Users on the network save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. The partition also has disk quotas defined. A user named Candy reports that she cannot save any files to her home folder. She also cannot update files in her home folder. When she attempts to save files to the folder she receives the following error message: "insufficient disk space". Other users are not experiencing this problem with their home folders. You want to enable Candy to save files in her home folder. What should you do?
A. Log on to the network as a Recovery Agent. Decrypt all of Candy's files in her home folder.
B. Log on to the network by using the domain Administrator account. Grant Candy Full Control permission to her home folder.
C. Use Windows Backup to archive and remove old files on the server.
D. Increase the server's disk quota entry for Candy to accommodate the additional files.

ANS: D

7. You encrypt three files to ensure the security of the files. You want to make a backup copy of the three files and maintain security setting. You have the option of backing up to either the network or a floppy disk. What should you do?
A. Copy the files to a network share on a NTFS volume. Do nothing further.
B. Copy the files to a network share on a FAT32 volume. Do nothing further.
C. Copy the files to a floppy disk that has been formatted by using Windows 2000 Professional. Do nothing further.
D. Place the files in an encrypted folder. Then copy the folder to a floppy disk.

ANS: A (Only NTFS keeps encryption)

8. Kevin, the Software Developer of Perfect Solution Inc., recently left the job. The company's Administrator moves all of his home folder files to his Manager's home folder. The NTFS partition that contains the home folders has the Encrypting File System (EFS) enabled. When the Manager attempts to open Kevin's files, he is denied access. What should be done, so that the Manager can access those files with least administrative burden?
A. Grant the Manager NTFS Full Control (FC) permission to the files.
B. Grant the Manager the NTFS Take Ownership (TO) permission to the files.
C. Logon to the network as a Recovery Agent. Decrypt the files for the Manager.
D. Logon to the network as a member of Backup Operators group. Decrypt the files for the Manager.

ANS: C
(Why? Because only the user that created the EFS file or the Recovery agent can decrypt EFS files. Nobody else, it doesn't matter if you give them FC or TO)

9. You have a PC with one drive and one volume, which has a NTFS folder called Sales, which is compressed. You also have a folder called CORP, which is not compressed. You want to place Sales under Corp, still compressed, and have a backup of Sales in case something goes wrong. What should you do?
A. Backup the sales folder to an NTFS volume, and move Sales under Corp. (One more option they had given -- Move sales under Corp in the NTFS vol. - but backup not mentioned)

Ans: A

10. You want to install Win2K PRO on X new computers on your company's network. You first install Win2K PRO on one of the new computers. You log on to the computer by using local admin account. You install MS Office 97, a virus scanner, and other company standard applications. You then create a RIS image of the computer you configured. You want to configure the RIS image so that the standard applications will be accessible to the user when the user first logs on to the network. What should you do?
a) Run RBFG.exe before installing the standard apps
b) Run RIPREP.exe before installing the standard apps
c) Copy the ALL USERS profile to the DEFAULT users profile
d) Copy the LOCAL ADMINISTRATOR account profile to the DEFAULT user profile

Ans: D

Correct answer is D. When you set up the apps as the local Administrator, depending on the app, some shortcuts will be placed in the All Users profile (like MS Office 97) and others will be placed only in the local Administrator profile. If you copy the local Administrator profile, the custom settings (shortcuts) installed under this profile will be copied to the Default User profile, and thus be available when new users are set up on the PCs. Use Control Panel --> System --> User Profiles tab to copy the profile. The copied files will inherit the permission settings of the Default User folder. Remember that the only things you are providing here are shortcuts; you are NOT providing permissions or rights. Those are controlled by NTFS permissions and group rights assignments. The All Users profile is just what it says, for "ALL USERS", so it will be saved in the RIS image and deployed to the new PCs, including all the shortcuts associated with it. Check the study guide for W2KPro on BrainBuzz.com, and also look in (assuming C: is your W2KPro drive) C:\Documents and Settings and compare the entries for the standard profiles, especially in the Start Menu --> Programs area.

11. You load NT 4 on C and W2kp on D. You do not want users to save files to D in either operating system, but you do want them to be able to access D. You implement user quotas in W2kp so that users cannot save files to D. When you restart the PC and go into NT4, users can still write to D. What to do?
a. Use NT4 NTFS permissions to deny users write access to D:
b. Enable EFS on D:
c. Format the NT 4 partition and reload NT 4

Ans: A

12. You are the administrator of your company's network. You receive a request from Stephen's manager to disable Stephen's access to a network share named Financial. Stephen's user account is the only member in a group named Reports. The Reports group has Full Control permission to the Financial share. You delete the Reports group. You later find out that the manager was in error and that Stephen should have his access to Financial share restored. What should you do?
A. Re-create Reports and re-create Stephen's user account. Use existing NTFS permissions.
B. Re-Create Reports and grant Reports NTFS Full Control permission to Financial. Stephen's user account will still be a member of Reports.
C. Re-create Reports and grant Reports Full Control permission to Financial. Add Stephen's user account to Reports.
D. Re-Create Reports and add Stephen's existing user account to Reports. Use existing NTFS permissions.

ANS: C

13. You work for an accounting firm. Currently all developers are running Windows 98. The company wants to go to Windows 2000 Professional. Programmers are going to need to code in both a Windows 98 environment and a Windows 2000 environment. What platform can you install that will optimize the availability of code to both environments?
A. FAT16
B. FAT32
C. NTFS
D. HPFS

Ans: B

14. Which of the following volume Property dialog box tabs do you see for FAT32 partitions in the Disk Management utility? Choose all that apply.
A. General
B. Sharing
C. Security
D. Quota

Ans: A, B
The Security and Quota tabs are only available for NTFS partitions.

15. You have acquired a new Pentium III computer with two blank hard drives, a 40X CD-ROM drive, an AGP display adapter, and a Fast Ethernet network adapter. All hardware is on the HCL. You want to achieve these results:
Install Win2000 Pro on the computer
Minimize the time required to install Win2000 Pro
Choose a file system to enable maximum security of data on the computer
Have the computer join your domain
Your proposed solution is to start the computer, access the BIOS, set the computer to boot from the CD-ROM drive, save changes, and restart the computer. When Setup runs, complete the necessary tasks and specify the NTFS partition type. After restarting the computer again, restore the original boot disk configuration in the BIOS. When prompted, specify the appropriate domain name.
Which results does the proposed solution produce? (Choose 3)
A. Win 2000 Pro is installed on the computer
The specified file system enables security
The computer joins your domain

Ans: A

16. You are the administrator of your company's network. Your network has 200 Windows 2000 Professional computers and 15 Windows 2000 Server computers. Users on the network save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. A user named John leaves the company. You move all of the files from John's home folder to his manager's folder. When the manager attempts to open any of the files, she receives the following error message: "Access denied." You want the manager to be able to access the files. What should you do?
a. Grant the manager NTFS Full Control permission to the files.
b. Grant the manager NTFS Take Ownership permission to the files.
c. Log on to the network as a Recovery Agent. Decrypt the files for the manager.
d. Log on to the network as a member of the Backup Operators group. Decrypt the files for the manager.

17. You are the administrator of your company's network. Your network has 75 Windows 2000 Professional computers and eight Windows 2000 Server computers. Users on the network save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. The partition also has disk quotas defined. A user named Candy reports that she cannot save any files to her home folder. She also cannot update files in her home folder. When she attempts to save files to the folder she receives the following error message: "insufficient disk space". Other users are not experiencing this problem with their home folders. You want to enable Candy to save files in her home folder. What should you do?
A. Log on to the network as a Recovery Agent. Decrypt all of Candy's files in her home folder.
B. Log on to the network by using the domain Administrator account. Grant Candy Full Control permission to her home folder.
C. Use Windows Backup to archive and remove old files on the server.
D. Increase the server's disk quota entry for Candy to accommodate the additional files.

ANS: D

18. Each user in your network has his/her own user directory. Jane copies a file to her user directory and receives the message "insufficient space." She finds that she cannot even add data to a file and save it. Others are not having any problems. What should you do?
a. Increase the Quota Limit for Jane
b. Defragment the hard drive
c. Confirm that NTFS compression has been enabled
d. Add Jane to the Domain Users group
e. Confirm that backup is not running

ANS: A

19. Julie is trying to save a file that is 2MB in size. When she tries to save the file, she gets an error message that the disk is out of space. When the administrator checks available disk space, it is determined that there is more than 4GB of free disk space. What is the most likely cause?
A. The disk needs to be defragmented.
B. Julie does not have the NTFS permissions she needs to access the folder where she is trying to save the file.
C. Julie has exceeded her disk quota.
D. The folder is encrypted and Julie does not have the key required to write to the folder.

Answer: C
If Julie is getting "out of space" errors and the disk has free space, it is likely that the disk has disk quotas applied and Julie has exceeded her quota limitation.

20. You are the administrator of a Windows 2000 network. Users in the engineering department run Windows 2000 Professional on their desktop computers. The size of the department has recently expanded from five users to 10 users. Users need to be able to update files in a shared folder named CommonData. The folder is stored on a FAT16 partition on one of the Windows 2000 Professional computers on the network. The files in CommonData are published in Active Directory so that other users in the company can refer to them. The network also uses Distributed File System (DFS) to simplify access to its user data. Users in the engineering department report that when they try to access CommonData, they receive the following error message: "CommonData is not accessible. No more connections can be made to this remote computer at this time." You want to ensure that users can access the files. What should you do?
A. Move CommonData to FAT32 partition on the host Computer, and share it again.
B. Move CommonData to an NTFS partition on the host computer, and share it again.
C. Increase the user limit on the network share to the maximum allowed.
D. Increase the Clients Cache this DFS referral value on the DFS leaf node that describes the data.

ANS: D

21. You are the administrator of a Windows 2000 network. The network includes a Windows 2000 Server computer that is used as a file server. More than 800 of your company's client computers are connected to this server. A shared folder named DATA on the server is on an NTFS partition. The DATA folder contains more than 200 files. The permissions for the DATA folder are shown in the following table.

Type of permission       Account   Permission
DATA Share Permissions   Users     Change
DATA NTFS Permissions    Users     Full Control

You discover that users are connected to the DATA folder. You have an immediate need to prevent 10 of the files in the DATA folder from being modified. You want your actions to have the smallest possible effect on the users who are using other files on the server.
What TWO actions should you take?
A. Modify the NTFS permissions for the ten files.
B. Modify the NTFS permissions for the DATA folder.
C. Modify the shared permissions for the DATA folder.
D. Log off the users from the network.
E. Disconnect all Users from the DATA folder.

Answer: A, E

22. Your Windows 2000 Professional computer has 10 shared folders that are available to other network users. A user reports that he cannot access a shared folder named Share A. You want to respond to the user's problem as quickly as possible by using an administrative tool. However, you cannot remember the server location of Share A. What should you do?

a. Use windows explorer to display the file paths of your shared folders.
b. Use storage in computer management to view local drive properties.
c. Use event viewer in computer management to search for shared folder error messages.
d. Use System tools in computer management to display the file paths of your shared folders.

Answer: D

23. Which of the following options is not an event type logged in the Windows 2000 Professional Event Viewer utility?
A. Information
B. Critical
C. Warning
D. Error

Answer: B

The event types logged in Event Viewer are Information, Warning, and Error. Success Audit and Failure Audit events are also logged when events have been audited for success or failure. There is no event type called Critical.

24. Your company has a Routing and Remote Access server at its main office. One of the company's branch offices also runs Routing and Remote Access on a server that has one modem. This server is configured to use demand-dial routing to connect to the main office. This server is part of the company's Active Directory domains. The domain runs in native mode.
Some employees at this branch office use the branch office server to access their files from home. The manager of the branch office reports that sometimes none of the users in the office can connect to the main office. When you examine the event log on the branch office server, you find that users have been connecting to the server during working hours.
The manager wants users to be able to dial in to the server between 6:00 p.m. and 8:00 a.m. However, the manager still wants users to be able to log on at any time when connected directly to the LAN.

A. Change the logon hours for users' accounts to deny logon between 8:00 a.m. and 6:00 p.m.
B. Set the remote access policy to deny connections between 8:00 a.m. and 6:00 p.m.
C. Create one batch file to start the Remote Access Connection Manager service, and create another batch file to stop it. Schedule the stop batch file to run at 8:00 a.m. every day and the start batch file to run at 6:00 p.m. every day.
D. Create two user accounts for each user. Grant dial-in permission to one account and deny dial-in permission to the second account. Change the logon hours for the dial-in accounts to deny logon between 8:00 a.m. and 6:00 p.m.

Answer: B

25. You are experiencing system errors on your Windows 2000 Server computer. Microsoft enterprise technical support has requested a dump of system memory to a file. You have configured a system paging file on your boot partition that is larger than the total amount of system RAM.
How should you configure the Windows 2000 Server computer to generate the required dump file?

A. Configure the eventlog service to start automatically
B. Configure Dr. Watson for Win NT to create a crash dump file
C. Configure system recovery to write an event to the system log
D. Configure system recovery to write debugging information to %SystemRoot%\Memory.dmp

Ans: D

26. Your Windows 2000 Server computer contains four 16GB hard disks. Disk0 is configured as a basic disk. Disk0 has a single 16GB partition that contains the boot and system files. Disks 1, 2 and 3 are configured as dynamic disks in a RAID5 volume. The entire server is backed up to a tape drive each night. During your daily review of the server's event logs, you discover that Disk1 has failed. You shut down the server and replace Disk1 with a new hard disk. When you restart the server, Windows 2000 starts normally, but the data on the RAID5 volume is inaccessible. Disk Management indicates that Disk2 has failed too. You replace Disk2 with a new hard disk. Now you need to recover the data on the RAID5 volume as quickly as possible.
What should you do?

A. Use Disk Manager to rebuild RAID5 partition.
B. Delete and recreate the RAID5 partition. Restore the contents of RAID5 partition from the most recent tape backup.
C. Use Windows 2000 backup to restore the contents of Disk2. Use Disk Manager to rebuild the RAID5 partition on Disk1.
D. Delete and recreate the RAID5 partition. Restart the server by using Windows 2000 Setup CD, and select repair option.

Answer: B

27. How will you create a memory dump file to record the memory contents in case of Stop errors?

A. Use Startup/Shutdown tab in System applet of Control panel
B. Use Dr. Watson
C. Turn on auditing using User manager for Domains.
D. Edit the registry.

Ans: A

28. You install the Routing and Remote Access service on a Windows 2000 Server computer in your network. Your network is not directly connected to the Internet and uses the private IP address range 192.168.0.0. When you use Routing and Remote Access to dial in to the server, your computer connects successfully, but you are unable to access any resources. When you try to ping servers by using their IP addresses, you receive the following message: "Request timed out." When you run the ipconfig command, it shows that your dial-up connection has been given the IP address 169.254.75.182.
What should you do to resolve the problem?

A. Configure the remote access server with the address of a DHCP server.
B. Authorize the remote access server to receive multiple addresses from a DHCP server.
C. Configure the remote access server to act as a DHCP Relay Agent.
D. Ensure that the remote access server is able to connect to a DHCP server that has a scope for its subnet.

Answer: A
Reason for answer: TechNet (Q197197), (Q232703), (Q216805)
"IP address 169.254.75.182 is assigned by windows when one can not be found" C may seem like the right answer, but you got the 169 address because it did not find a DHCP server with a correct scope, you can not ping because you do not have a default gateway assigned, adding a DHCP relay agent may be part of the solution to answer D, but if the DHCP server is not configured with the scope it still will not work. This could be a two-answer question. I chose D and so does Troytec.
DHCP clients located across a router from a DHCP server require that the router be configured to forward DHCP traffic to a DHCP server on a remote subnet. This traffic is broadcast traffic and routers do not normally forward broadcast traffic unless configured to do so. A network router can be a hardware-based router, such as those manufactured by the Cisco Corporation or software-based such as Microsoft's Routing and Remote Access Services (RRAS). In either case, you need to configure the router to relay DHCP traffic to designated DHCP servers. The DHCP server IP addresses are configured on the router on a per-interface basis using IP helper functionality, or in the case of RRAS, using the DHCP relay agent.
The RemoteAccess service will generate the following event:
Event 20169
Source RemoteAccess
Type Warning
Description:
Unable to contact a DHCP server. The Automatic Private IP Address will be assigned to dial-in clients. Clients may be unable to access resources on the network.
You can now use the DHCP Relay agent with RAS to provide DHCP scope options to RAS clients. The RAS client continues to receive an IP address from the RAS server, but may use DHCPInform packets to obtain WINS addresses, DNS addresses, domain names, or other DHCP options. DHCPInform messages are used to obtain DHCP scope option information without getting an IP address.
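As an added example (not part of the braindump), here is a small diagnostic in Python that reads ipconfig output of the kind described in question 28 and flags exactly the two conditions the explanation points at: an Automatic Private IP Address (169.254.0.0/16), which means no DHCP lease was obtained, and a missing default gateway. The ipconfig text embedded below is constructed sample output, not a capture from a real machine.

```python
import ipaddress
import re

# Constructed ipconfig output for a dial-up client whose RAS server could not
# reach a DHCP server, alongside a healthy LAN adapter. Sample data only.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

PPP adapter RAS Dial-up:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 169.254.75.182
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 192.168.0.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
"""

# Automatic Private IP Addressing range Windows falls back to without a DHCP lease.
APIPA = ipaddress.ip_network("169.254.0.0/16")

# "IP Address. . . . : value" style lines: a label, dot leaders, a colon, a value.
_PROPERTY = re.compile(r"\s*([A-Za-z -]+?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {property: value}} from ipconfig output."""
    adapters = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Adapter headers are unindented and end with a colon.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip().rstrip(":")
            adapters[current] = {}
            continue
        match = _PROPERTY.match(line)
        if match and current is not None:
            adapters[current][match.group(1).strip()] = match.group(2).strip()
    return adapters


def diagnose(adapters):
    """Map each adapter to a list of problems (empty list means it looks healthy)."""
    findings = {}
    for name, props in adapters.items():
        problems = []
        try:
            addr = ipaddress.ip_address(props.get("IP Address", ""))
        except ValueError:
            problems.append("no IP address")
        else:
            if addr in APIPA:
                problems.append("APIPA address: no DHCP lease obtained")
        if not props.get("Default Gateway"):
            problems.append("no default gateway: off-link hosts unreachable")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for adapter, problems in diagnose(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(adapter, "->", problems or "OK")
```

On a real client you would feed it the captured text of `ipconfig /all`; an adapter reporting both findings is the symptom in question 28, and the fix belongs on the remote access server's DHCP configuration, not on the client.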

29. You are the administrator of a Windows 2000 Server network. You configure two sites: one for your New York office and one for your Paris office. You configure two organizational units (OUs) named New York and Paris. In each of these OUs, you create subordinate OUs named Sales, Marketing, and Research. You place user accounts, stand-alone member servers, and Windows 2000 Professional computers in their appropriate subordinate OUs. You suspect that someone is trying to log on to your domain by guessing user account names and passwords. You want to find out which computers are being used for these logon attempts.
What should you do?


A. Edit the Default Domain Controllers Policy object to audit directory services access failures.
B. Edit the Default Domain Policy object to audit account logon failures.
C. Edit the New York OU and Paris OU Group Policy objects (GPOs) to audit logon failures.
D. Edit the Group Policy object (GPO) of each subordinate OU to audit directory service access failures.

Answer: B

Reason for answer: See Study Guide Server help and TechNet (Q256345)
Active Directory overview
If you implement Group Policy at the Default Domain Policy, the policy takes effect on all computers in the domain. If you implement Group Policy at the Default Domain Controllers policy, the policy only applies to the servers in the domain controller's organizational unit (OU). You can create OUs that contain workstations for which policies can be applied.
Active Directory is the directory service for Windows 2000 Server. It stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory directory service uses a structured data store as the basis for a logical, hierarchical organization of directory information.
Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.
Security auditing is a feature of Windows 2000 that monitors various security-related events. Monitoring system events is necessary to detect intruders and to detect attempts to compromise data on the system. An example of an event that can be audited is a failed logon attempt. An Active Directory user account enables a user to log on to computers and domains with an identity that can be authenticated and authorized for access to domain resources.
Establishing an audit trail is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps assure user accountability, and provides evidence in the event of a security breach. There are three main steps to implementing security-related auditing for your system. First, you must turn on the categories of events you wish to audit. Examples of event categories are user logon and logoff and account management. The categories of events you select constitute your audit policy. When you first install Windows 2000, no categories are selected, and therefore no audit policy is in force. Computer Management lists the event categories that you can audit. Second, you must set the size and behaviour of the security log. Finally, if you have selected either the audit directory service access category or the audit object access category, you must determine the objects to which you want to monitor access and modify their security descriptors accordingly. For example, if you want to audit any attempts by users to open a particular file, you can set a Success or Failure attribute directly on that file for that particular event.

30. You are the administrator for a Windows 2000 network. Your network consists of one domain and two Organizational Units (OU). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created. However, you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.

What should you do?

A. Search the security event logs on each domain controller for account management events.
B. Search the security event logs on each domain controller for object access events.
C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name.
D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.

Answer: A ( correct )

When you audit account management events, you are able to track changes to user account information (including password changes), as well as additions and deletions.

31. You are the Windows 2000 network administrator for your company. You are implementing the company's network security model. Your network has several servers that contain sensitive or confidential information. You want to configure security auditing on these servers to monitor access to specific folders. You also want to prevent users from gaining access to these servers when the security logs become full.

What should you do?

A. Create a GPO that applies to the servers. Configure the GPO to enable auditing for object access. Set up the individual objects to be audited in Windows Explorer and then customize the Event Viewer logs to limit the size of the security log to 1,024 KB.
B. Create a GPO that applies to the servers. Configure the GPO to enable auditing for Directory Services access. Set up the individual objects to be audited in Windows Explorer and then customize the Event Viewer logs to limit the size of the security log to 1,024 KB. Configure the security event log so that it does not overwrite events.
C. Create a GPO that applies to the servers. Configure the GPO to enable auditing for Directory Service access. Set up the individual objects to be audited in Windows Explorer. Configure the Security Event log so that it does not overwrite events. Then configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting.
D. Create a GPO that applies to the servers. Configure the GPO to enable auditing for object access. Set up the individual objects to be audited in Windows Explorer. Configure the security event log so that it does not overwrite events. Then configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting.

Answer: D ( correct )

The two parts of auditing are to set up an audit policy at either the local or domain level (through a GPO) that defines the types of events to be audited (in this case object access), and then to specify the particular events (in this case by setting up the objects to be audited using Windows Explorer). To meet the last requirement of preventing users' access when the log is full, you must configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting. This setting is actually called CrashOnAuditFail in the registry and, in this case, must be set to 1.

32. You are the network administrator for Just Togs. Your Windows 2000 network consists of 15,000 users. Users have recently reported that documents are missing from the servers. You need to track the actions of the users to find out who has been deleting the files. You create a GPO on the justtogs.com domain and assign the appropriate permissions to the GPO.

What actions should you audit? (Choose two)

A. Directory Services access
B. Object access
C. Process tracking
D. Privileged use
E. Delete and Delete subfolders and files

Answer: B, E ( correct )

The two parts of auditing are to set up an audit policy at either the local or domain level (through a GPO) that defines the types of events to be audited (in this case object access), and then to specify the particular events (in this case by setting up the objects to be audited using Windows Explorer). To audit files and folders, you must be logged on as a member of the Administrators group or have been granted the "Manage auditing and security log" right in Group Policy. Administrators can also monitor access to Active Directory, causing successful and failed access attempts to be logged in the Directory Service event log. That is not what the question is asking here, though.

33. You are the administrator of a DNS server that runs on a Windows 2000 Server computer. You receive a report that the Windows 2000 Server computer constantly uses more than 80 percent of the CPU. You want to monitor the number of DNS queries that are handled by the DNS server.

What should you do?

A. Run the Nslookup command-line utility.
B. Use the Event Viewer and monitor the DNS server log.
C. Use the monitoring function of the server properties in the DNS console.
D. Use the DNS counters in System Monitor.
E. Check the contents of the Netlogon.dns file.

Answer: D ( correct )

System Monitor has DNS counters that monitor performance. Some DNS related counters include:
Total Query Received - total number of lookup queries received
Total Query Received/Sec - total number of queries received per second
Failed DNS Resolutions - failed resolutions
Pending DNS Resolutions - pending resolutions
Successful DNS Resolutions - successful resolutions

34. You are the administrator of your company's network. You have been auditing security events on the network since it was installed. A user on your network named JOHN THORSON recently reported that he was no longer able to change his password. Because there have been no recent changes to account policies, you suspect that someone has been modifying the properties of user accounts in Active Directory. There are thousands of entries in the event logs, and you need to isolate and review the events pertaining to this problem in the least possible amount of time.

What should you do?

A. In the security log, create a filter for events matching the following criteria:
Event source: Security Category: Account Management User: JTHORSON.
B. In the directory service log, create a filter for events matching the following criteria:
Event source: NTDS Security Category: Security. Search the remaining items for events referencing John Thorson's account.
C. In the directory service log, create a filter for events matching the following criteria:
Event source: NTDS Security Category: Global Catalog User: JTHORSON.
D. In the security log, create a filter for events matching the following criteria:
Event source: Security Category: Account Management. Search the remaining items for events referencing John Thorson's account.

Answer: D ( correct - A isn’t true 'cause there is no place to specify User and stuff )

To view a subset of events that have specific characteristics, click Filter Events on the View menu of Event Viewer. Filtering has no effect on the actual contents of the log; it changes only the view. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file.

35. You are the administrator for a Windows 2000 network. Your network consists of one domain and two organizational units (OUs). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created, but you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.

What should you do?

A. Search the security event logs on each domain controller for account management events.
B. Search the security event logs on each domain controller for object access events.
C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name.
D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.

Answer: A ( correct )

Using Event Viewer, you can filter and search the security logs for specific events.

36. You are the administrator of your company's network. Your event log shows that hackers are using brute force attacks to attempt to gain access to your network. You do not want user accounts to be easily accessible. You want to strengthen security to protect against brute force attacks.

What should you do? (Choose two)

A. Enable the "Users must log on to change the password" setting.
B. Enable the "Store password using reversible encryption for all users in the domain" setting.
C. Enable the "Password must meet complexity requirements" setting.
D. Increase minimum password length.
E. Increase minimum password age.

Answer: C, D ( correct - E also correct , but read the explanation below )

All the above settings are available in the Security Configuration and Analysis console. The best two choices here are "password must meet complexity requirements" and "minimum password length", which will create a "strong password". A third choice could be setting the "minimum password age", which prevents users from changing their password, then immediately changing it back to their original password. However, the question only asks for two answers.

37. You are the administrator for a Windows 2000 network. Your network consists of one domain and two Organizational Units (OU). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created. However, you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.

What should you do?

A. Search the security event logs on each domain controller for account management events.
B. Search the security event logs on each domain controller for object access events.
C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name.
D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.

Answer: A ( correct )

When you audit account management events, you're able to track changes of user account information (including password changes), additions and deletions.

38. You are the administrator of a Windows 2000 domain. To control the desktop environment of users in the domain, you use a script file named Desktop.vbs to change settings in the current user profile. This script file is deployed as a logon script for all users in the domain. The Desktop.vbs script usually takes 15 seconds to complete its work. You want to ensure that each user's desktop appears only after the Desktop.vbs script has completed.

What should you do?

A. For all users in the domain, set the logon script in the user profile to Desktop.vbs.
B. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to run logon scripts synchronously.
C. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to set a maximum wait time of 15 seconds for Group Policy scripts.
D. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to set a timeout of 15 seconds for logon dialog boxes.

Answer: B ( correct )

When you configure logon scripts, there are settings that allow an administrator to control the maximum time the logon script is allowed to run, and whether to run the logon script synchronously. When a logon script is run synchronously, the user does not have access to the desktop until the logon script terminates.

39. You are the administrator of a DNS server that runs on a Windows 2000 Server computer. You receive a report that the Windows 2000 Server computer constantly uses more than 80 percent of the CPU. You want to monitor the number of DNS queries that are handled by the DNS server.

What should you do?

A. Run the Nslookup command-line utility.
B. Use the Event Viewer and monitor the DNS server log.
C. Use the monitoring function of the server properties in the DNS console.
D. Use the DNS counters in System Monitor.
E. Check the contents of the Netlogon.dns file.

Answer: D ( correct )

System Monitor has DNS counters that monitor performance. Some DNS related counters include:
Total Query Received - total number of lookup queries received
Total Query Received/Sec - total number of queries received per second
Failed DNS Resolutions - failed resolutions
Pending DNS Resolutions - pending resolutions
Successful DNS Resolutions - successful resolutions

40. You are the administrator of your company's network. You want to configure a Security Policy for the Windows 2000 Professional Computers that are in the sales department. On one of the computers, you use Security Templates to configure the Security Policy based on the desired security settings. You then export those settings to an .inf file that will be used on all of the Computers in the sales department. You want to configure each Computer to have a customized Security Policy. What should you do?

A. Use Secedit.exe to import the security settings from the .inf file to the computers in the sales department.
B. Use a text editor to change the default security settings to the desired security settings. Then export those settings to the Computers in the sales department.
C. Create an organizational unit (OU) named Sales. Add the users in the sales department to the Sales OU. Then apply the security template to the users in the Sales OU.
D. Create an organizational unit (OU) named Sales. Add the computers in the sales department to the Sales OU. Then apply the security template to computers in the Sales OU.

ANS: D

41. You are the administrator of your company's network. You use Security Templates to configure a Security Policy on the Windows 2000 Professional Computers in the Sales organizational unit (OU). You notice that the Computers in the Sales OU are not downloading the Security Policy settings. On each computer, the Security Policy appears in the Local Computer Policy, but is not listed as the effective policy. You want all computers in the Sales OU to have the Security Policy listed as the effective policy. What should you do?
A. Use Security Templates to correct the setting and export the security file.
B. Use Security Configuration and Analysis to import the security setting. Then create a Group Policy object (GPO) for the Sales OU.
C. Use the Secedit /RefreshPolicy Machine_Policy command.
D. Use the Basicwk.inf security file settings, save the security file, and then import the file to the Computers.

ANS: C

42. You upgrade 5 computers in the Finance organizational unit (OU) from Windows NT Workstation 4.0 to Windows 2000 Professional. The computers are used by members of the Finance OU to run a financial application. All 5 computers are configured to have the default security settings. A user named Helene reports that she can no longer run the financial application on her Windows 2000 Professional computer. Prior to the upgrade, Helene was able to run the financial application on her computer. Helene is a member of the local Users group. You want the financial application to run on Helene's computer. What should you do?
A. Use Computer Management to configure a separate memory space for each financial application on Helene's computer.
B. Use Security Templates to edit the Security Policy to include the financial application on Helene's computer. Then, add Helene's user account to the Power Users group on Helene's computer.
C. Use Security Configuration and Analysis to reconfigure the default security policy .inf file to allow the financial application to run on Helene's computer.
D. Use Secedit.exe to apply the compatws.inf security template to Helene's security policy to loosen the permissions for the local Users group on Helene's computer.

ANS: D

See the "Predefined security templates" topic in the Windows 2000 Server online help for more information.

43. You configure several Group Policies to restrict users' desktop settings. You want them to be applied immediately.
What should you do?

A. Run secedit /refreshpolicy MACHINE_POLICY
B. Run secedit /refreshpolicy USER_POLICY
C. Run net config /refreshpolicy DOMAIN_POLICY
D. Run refresh /DOMAIN_POLICY

Answer: B

44. You are the administrator of a high security network. Many files stored on your Windows 2000 file servers and Windows 2000 Professional computers are highly confidential. You want to implement identical security configurations on all Windows 2000 file servers and Windows 2000 Professional computers.
What should you do? (Choose all that apply)

A. Configure Group Policies to apply the security configuration to all Windows 2000 file servers and Windows 2000 Professional computers.
B. Use the Security Configuration Management Console to import security information from a file server as a template.
C. Use the Security Configuration Management Console to import security information from a Windows 2000 Professional Computer as a template.
D. Use Secedit to export the security configuration to all file servers.
E. Use Secedit to export the security configuration to all Windows 2000 Professional computers.

Answer: A, B, C

45. You configure several Group Policies to restrict users' desktop settings. You want them to be applied immediately. What should you do?

A. Run secedit /refreshpolicy MACHINE_POLICY
B. Run secedit /refreshpolicy USER_POLICY
C. Run net config /refreshpolicy DOMAIN_POLICY
D. Run refresh /DOMAIN_POLICY

Answer: B
Reason for answer: Server help
Desktop policies are located under the USER POLICY
To refresh Group Policy immediately
Click Start and then click Run to open the Run dialog box.
To refresh policies under the Computer Configuration node, type the following and then click OK:
secedit /refreshpolicy MACHINE_POLICY
To refresh policies under the User Configuration node, type the following and then click OK:
secedit /refreshpolicy USER_POLICY

46. You have four different distribution shares on your network for Windows 2000 Server installations. A new service pack was just announced. What should you do to make the service pack available for future installations?

A. Copy the service pack's driver.cab to the distribution "share", as well as layout.inf, dosnet.inf and txtsetup.sif
B. Use update /slip to apply the service pack to each "share".
C. Copy the layout.inf, dosnet.inf and txtsetup.sif files to each distribution "share".
D. Use sysdiff /diff to apply the service pack to each "share".

Answer: B

Reason for answer: TechNet Service Pack Study Guide
To apply a new service pack, use Update.exe with the /slip switch to copy over the existing Windows 2000 files with the updated service pack files. Some of the key files that update during this process include:
New Layout.inf, Dosnet.inf, and Txtsetup.sif files, which have the updated checksums for all the service pack files. These files need additional entries if any additional files have been added.
A new driver .cab if the drivers in the cabinet file have been changed.
If you apply a service pack to a single computer running Windows 2000, you must reapply the service pack to add another service, unless you are updating from a network share that supports service pack slipstreaming.

47. You are the administrator of your company's network. The network consists of one Windows NT 4.0 domain. You create and implement a security policy that is applied to all Windows 2000 Professional client computers as they are staged and added to the network. You want this security policy to be in effect at all times on all client computers on the network. However, you find out that administrators periodically change security settings on computers when they are troubleshooting or doing maintenance. You want to automate the security analysis and configuration of client computers on the network so that you can track changes to security policy and reapply the original security policy when it has been changed.

What should you do?

A. Use Windows NT System Policy to globally configure the security policy settings on the client computers.
B. Use Windows 2000 Group Policy to globally configure the security policy settings on the client computers.
C. Use the Security and Configuration Analysis tool on the client computers to analyze and configure the security policy.
D. Schedule the Secedit command to run on the client computer, analyze and configure the security policy.

Answer: D ( correct )

Normally, if the GPOs that define the environment for the user have not changed from the last time Group Policy was applied, the GPO is skipped and not applied again. In either case, specifying "/ENFORCE" on the command line re-applies the policy even if the GPOs that apply to the computer or user have not changed. An example of the command line in this case is: secedit /refreshpolicy machine_policy /enforce

48. You want to connect to your branch office printer through the browser. Your Windows 2000 Professional computer is running Peer Web Server. You were told the share name of the printer is HPColorL. You are unable to see it when you type its URL. What do you need to do to connect to this printer?
A. Double-click the connect hotspot in the left pane of the printer's dialog box to view the printer.
B. Ask the branch office administrator to reinstall the printer by using its URL as the port.
C. Install Internet Explorer 3.0 or higher on your Windows 2000 Professional.
D. Ask the administrator at the branch office to install IIS on the branch server.

ANS: D

49. You are the administrator of the Coho Vineyard network. The network consists of 10 Windows 2000 Advanced Server computers and 250 Windows 2000 Professional computers. Your company has two domains: cohovineyard.com and westcoastsales.com. The company's intranet site is on a Windows 2000 Advanced Server computer named ServerA. ServerA is on the cohovineyard.com domain and is running Internet Information Services (IIS) and Microsoft Proxy Server 2.0. You want to configure the Windows 2000 Professional Computers in the westcoastsales.com domain to access the intranet site.
You want users to be able to connect to the intranet site by using the URL http://servera/ rather than its fully qualified domain name. What should you do?
A. Add cohovineyard.com to the Domain Suffix Search Order on the computers.
B. Add westcoastsales.com to the Domain Suffix Search Order on the computers.
C. Add westcoastsales.com to the exceptions list in the proxy server settings on the computers.
D. Configure the proxy server settings on the computers to bypass the proxy server for intranet addresses.

ANS: A

Explanation: To get to ServerA from outside the domain, a computer has to resolve the name to an IP address. If using DNS, it needs the fully qualified domain name, which consists of the computer name appended to the domain name, like this: servername.domainname.com. When you use the Domain Suffix Search Order option, the computer first tries to resolve the name ServerA with DNS. When that fails, it appends the listed domain names one at a time and tries to resolve the name again. This means that when a user types in the server name only, it will successfully resolve to ServerA.cohovineyard.com; it is like a shortcut. Go to the TCP/IP properties, click the Advanced button, select the DNS tab, and note "Append these DNS suffixes (in order)". Whatever domain names you have at your company can be added here. They will be appended after the ServerA server name and resolved, one after another.

50. You are the network administrator of the litware.com domain. LitWare, Inc., has its main office in Dallas and branch offices in New York, Phoenix, and Seattle. A Windows 2000 Server computer named web1.litware.com is running Internet Information Services (IIS). This computer is located in the same office. Web developers in Dallas, New York, Phoenix, and Seattle need to update each of the Web sites and virtual directories located on web1.litware.com. Different updates will be occurring simultaneously. You want to ensure that each developer can use Microsoft FrontPage to update the sites successfully and to manage content changes.
What should you do?

A. Run the fpremadm command to install the server extensions for IIS on web1.litware.com. Configure the server extensions for each web site.
B. Run the fpsrvadm command to install the server extensions for IIS on web1.litware.com. Configure the server extensions for each Web site.
C. Install the server extensions for IIS on web1.litware.com by selecting Upgrade Extensions from All Tasks menu in IIS. Configure the server extensions for each Web site.
D. Configure the server extensions for each Web site by selecting Configure Server Extensions from the All Tasks menu in IIS. Configure the server extensions to allow each developer update access for each Web site.

Ans: D

51. You are the administrator of a Windows 2000 Server computer named Intra. Intra is a member of an Active Directory domain and hosts an Intranet Web Site for your company. Company policy requires that only authenticated users have access to the intranet site. All company users have a user account in the Active Directory domain. You configure directory security for the Web Site to use integrated security. However, you discover that users can access the Web Site without authentication. You need to ensure that only authenticated users can access the web site.
What should you do?

A. Install Active Directory on the server.
B. Select Basic Authentication check box.
C. Clear the Allow Anonymous Connection check box.
D. Disable the IUSR_Intra user account on Intra.
E. Clear the Allow IIS to Control Password check box.

Answer: C

52. You are the administrator of a Windows 2000 Server computer. The server hosts several web sites that have logging enabled. You use a third-party reporting utility to analyze the log files produced by the web sites. You notice that all data from 7:00pm to midnight each night is included in the following day's log file. You want all data to be included in the correct day's log file. What should you do?

A. Ensure that the log type is set to W3C.
B. Change the log rollover property in the website's logging properties.
C. Change the time zone setting in the time properties on the web server.
D. Configure the time service on the web server to use local system account.

Answer: B

53. You are the network administrator for Blue Sky Airlines. You install and configure a new Windows 2000 Server computer named server1.departments.blueskyairlines.com as an intranet server. The server hosts the multiple departmental and resource Web links to the network and databases. You configure a ticketing Web site. You also configure a finance virtual directory in the departments Web site, as shown in the exhibit. (The exhibit is missing; it shows directory browsing enabled, so a user can see all three.) During the first morning the new server is available, users report that the only information they see in their browser is a list of HTM and ASP files. For security reasons, what is the first action you need to take to stop users from viewing all the Web sites as a list? What should you do?

A. Clear the directory browsing setting in the server properties, and apply it to the child Web sites.
B. Clear the directory browsing setting for the ticketing Web site and then apply the setting to the child virtual directories.
C. Clear the directory browsing check box for the departments Web site and then apply the setting to the child virtual directory.
D. Clear the directory browsing check box for the finance virtual directory.

Answer: A (I had this on exam; scored 1000. Correction to Clonepony.)

54. You are the network administrator of the litware.com domain. LitWare, Inc., has its main office in Dallas and branch offices in New York, Phoenix, and Seattle. A Windows 2000 Server computer named web1.litware.com is running Internet Information Services (IIS). This computer is located in the same office. Web developers in Dallas, New York, Phoenix, and Seattle need to update each of the Web sites and virtual directories located on web1.litware.com. Different updates will be occurring simultaneously. You want to ensure that each developer can use Microsoft FrontPage to update the sites successfully and to manage content changes.
What should you do?

A. Run the fpremadm command to install the server extensions for IIS on web1.litware.com. Configure the server extensions for each Web site.
B. Run the fpsrvadm command to install the server extensions for IIS on web1.litware.com. Configure the server extensions for each Web site.
C. Install the server extensions for IIS on web1.litware.com by selecting Upgrade Extensions from the All Tasks menu in IIS. Configure the server extensions for each Web site.
D. Configure the server extensions for each Web site by selecting Configure Server Extensions from the All Tasks menu in IIS. Configure the server extensions to allow each developer update access for each Web site.

Answer: D
Reason for answer: (TechNet) and I have done this before.
The FrontPage snap-in is a Microsoft Management Console interface similar to the IIS snap-in. The FrontPage snap-in administers the FrontPage Server Extensions and FrontPage-extended webs, Web sites (virtual servers) in which FrontPage Server Extensions are installed.
Note: The snap-in is available with Windows NT 4.0 and IIS 4.0 as well as with Windows 2000 and IIS 5.0. If you're running Windows NT 4.0 and IIS 4.0, you can also do administrative tasks with the Fpsrvwin, Fpsrvadm, and Fpremadm utilities and through the FrontPage Server Administrator.
The FrontPage snap-in is integrated into the IIS snap-in, adding commands, property sheets, and other tools required to administer the FrontPage Server Extensions.
The FrontPage 2000 Server Extensions administrative interface shows up as new menu options and tabs in the MMC's IIS snap-in rather than as a separate tool. This updated IIS snap-in, which replaces the fpsrvwin.exe utility, gives you an interface through which you can set most of the server extensions' major functions and their respective properties. When you click the fpsrvwin.exe shortcut (Start, Programs, Windows NT 4.0 Option Pack, Internet Information Server, FrontPage Server Admin), you receive a message that a newer version of the server extensions exists on the machine and that you should use the Upgrade Server Extensions option from the Task menu to upgrade the server extensions. The installation leaves fpsrvwin.exe, and the shortcuts that point to it, in place, but they're defunct.

55. You are the administrator of a Windows 2000 Server network at Blue Sky Airlines. You configure a server named print10.marketing.blueskyairlines.local as a print server at the Los Angeles site. You create and share a variety of printers on the server for use by employees in the marketing.blueskyairlines.local domain. You want to review the configured properties of all of the shared printers on the print10.marketing.blueskyairlines.local server. You want to perform this review from a Windows 2000 Professional computer at the London site of Blue Sky Airlines.

What should you do?

A. Use your Web browser to connect to http://print10.marketing.blueskyairlines.local/printer.
B. Use your Web browser to connect to http://print10.blueskyairlines.local/printer.
C. Run the net view \\print10 command.
D. Run the net view \\print10.blueskyairlines.com command.

Answer: A
Reason for answer: Server help
To manage printers from a browser
From Internet Explorer, or any other browser, type the following URL: http://PrintServerName/printers/
Or, type a specific printer URL: http://PrintServerName/PrinterName/
In All Printers on PrintServerName, click the printer you want to manage.
In PrinterName on PrintServerName, you can click any function on the left pane to stop, resume, or cancel a specific document or all documents. You can also click on a specific document in the queue, to see its properties.
An administrator can disable Internet printing with the Group Policy setting Disable Web-based Printing.
For Internet printing you must have Internet Information Service (IIS) installed on the Windows 2000 Server.

56. You are the network administrator for your company. Mike Nash is a member of the Administration group, and Nate Sun is a member of the Intern group. Both groups are in the same domain. On the intranet server, the Administration group is placed in the Security group, and the Intern group is placed in the Nonsecurity group. The Security group is then granted Full Control permission for the Sales virtual directory. Nate needs to update new sales information that is located on the Sales virtual directory. What should you do so that Nate can perform this task?


A. Enable Anonymous access for the intranet server.
B. Enable Anonymous access for the Sales virtual directory.
C. Remove Nate from the Intern group.
D. Make Nate a member of the Security group.

Answer: D
Reason for answer: D is the only answer that gives Nate enough permission to make updates.

57. You are the administrator of a Windows 2000 Server computer named Intra. Intra is a member of an Active Directory domain and hosts an Intranet Web Site for your company. Company policy requires that only authenticated users have access to the intranet site. All company users have a user account in the Active Directory domain. You configure directory security for the Web Site to use integrated security. However, you discover that users can access the Web Site without authentication. You need to ensure that only authenticated users can access the web site.
What should you do?

A. Install Active Directory on the server.
B. Select Basic Authentication check box.
C. Clear the Allow Anonymous Connection check box.
D. Disable the IUSR_Intra user account on Intra.
E. Clear the Allow IIS to Control Password check box.

Answer: C

58. You are the network administrator for a branch office of a large company. Your network is connected to
the company network by means of a Windows 2000 routing and remote access two-way demand-dial
connection over ISDN. In addition to e-mail and application traffic, sensitive company data is transferred
across this connection.
You want to accomplish the following goals:
• All data transmitted over the connection will be secured.
• Rogue routers will be prevented from exchanging router information with either router.
• Both routers in the connection will be able to validate each other.
• Both routers in the connection will maintain up-to-date routing tables.
• Traffic over the demand-dial link during peak business hours will be minimized.
You take the following actions:
• Install a certificate services server at the main office.
• Enable EAP-TLS as the authentication protocol on both routing and remote access servers.
• Enable RIP version 2 on the demand dial interfaces.
Which result or results do these actions produce? (Choose all that apply)
A. All data transmitted over the connection is secure.
B. Rogue routers are prevented from exchanging router information with either router.
C. Both routers in the connection are able to validate each other.
D. Both routers in the connection are maintaining up-to-date routing tables.
E. Traffic over the demand-dial link during peak business hours is minimized.

Answer: A, C, D

Explanation: We have enabled EAP-TLS as the authentication protocol on both routing and remote access
servers. EAP (Extensible Authentication Protocol) supplies secure mutual authentication, therefore the
routers are able to validate each other in a secure way.
EAP-Transport Layer Security (EAP-TLS) supplies data encryption as well, which makes the transmitted data
secure. We have enabled RIP v2, which keeps the routing tables up-to-date by frequent broadcasts.
Incorrect Answers:
B: RIP version 2 is able to detect rogue routers, but we must enable this detection.

59. You are the administrator of a Windows 2000 network. Some of the members of your company’s
graphics department use Macintosh computers and are not using Internet Explorer as their browser. These users inform you that they cannot request a valid user certificate from your enterprise certificate
authority. You want to make it possible for these users to request certificates by using web-based
enrollment.
What should you do?
A. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory.
On the directory security tab, set the authentication type to basic authentication.
B. In the policy settings container in the CA console for your CA, add a new enrollment agent certificate.
C. Edit the ACL on the user certificate template to grant the graphics department users enroll access.
D. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory.
On the directory security tab, set the authentication type to Integrated Windows Authentication.

Answer: A

Explanation: IIS has four levels of authentication: anonymous access, which grants anyone access; basic
authentication, which sends passwords over the connection in clear text; integrated Windows authentication,
which uses Kerberos V5 and can only be used by Windows clients; and digest authentication, which is the best
choice for publishing information on a server over the Internet and through firewalls. In this scenario there is a
need to relax security so that the Macintosh users will be able to request certificates by using web-based
enrollment. By setting the authentication type to Basic Authentication most browsers will be able to connect to
the IIS server.
Incorrect Answers:
B: A new enrollment agent certificate is not needed. The Windows users are able to use the current one and
so will the Macintosh users when the authentication type is changed to Basic Authentication.
C: It is not necessary to change the ACL on the user certificate template for the users in the graphics
department. The Windows users in the graphics department have no problem with IIS.
D: Integrated Windows authentication uses Kerberos V5 and can only be used by Windows clients.

60. You are the administrator of a Web server hosted on the Internet that is running on a Windows 2000
Server computer. Your company's Web developers have developed applications that download ActiveX
controls automatically to your customers' browsers. You discover that the default security settings on
your customers' browsers are preventing the ActiveX controls from being downloaded automatically.
You want to facilitate the downloading of ActiveX controls from your Web server to the Internet clients.
What should you do?
A. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the
parent. Create a policy on the CA that allows the Web developers to request a certificate for code
signing.
B. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web
developers to request a certificate for trust list signing.
C. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the
parent. Create a policy on the CA that allows the Web developers to request a certificate for trust list
signing
D. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web
developers to request a certificate for code signing

Answer: A

Explanation: A commercial Certificate Authority is needed since external clients on the Internet will use the
ActiveX controls. The web developers need to sign their ActiveX controls with code signing certificates.
Incorrect Answers:
B: An Enterprise Certificate Authority is used within a Windows Domain and would not be accessible by
Internet users. The customers are external and would not be able to access an Enterprise Certificate
Authority (CA). A commercial Certificate Authority is needed.
C: Trust list signing is a mechanism for allowing an administrator to specify a collection of trusted CAs.
Trust list signing cannot be used to enable downloading of ActiveX controls.
D: An Enterprise Certificate Authority is used within a Windows Domain and would not be accessible by
Internet users. The customers are external and would not be able to access an Enterprise Certificate
Authority (CA). A commercial Certificate Authority is needed.

61. You are the administrator of your company's network. You are configuring your users' portable
computers to allow users to connect to the company network by using routing and remote access. You test
the portable computers on the LAN and verify that they can successfully connect to resources on the
company network by name.
When you test the connection through remote access, all the portable computers can successfully connect,
but they cannot access files on the computers on different segments by using the computer name.
What should you do to resolve the problem?
A. Set the authentication method to allow remote systems to connect without authentication.
B. Enable the computer account for each portable computer.
C. Change the computer name on each portable computer.
D. Install the DHCP relay agent on the remote access server.

Answer: D

Explanation: The DHCP relay agent must be installed on the Routing and Remote Access (RRAS) server. The
DHCP relay agent will allow communication between the DHCP server and the RAS clients. In particular the
RAS clients would be given the Default Gateway that has been configured for the scope at the DHCP server.
Incorrect Answers:
A: The RAS clients have already connected successfully. The problem is the Default Gateway setting of the
clients not the authentication method at the RRAS server.
B: It is not necessary to enable the computer accounts. The remote users already have access to the
network.
C: It is not necessary to rename the computers. The remote users already have access to the network.

62. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server
computer named Delta. Routing and Remote Access is enabled for remote access on Delta. The domain is
in native mode. For all user accounts, the dial-in permission is set to control access through remote
access policies.
You want to allow all users in the domain to dial in during the workday. You also want to allow only
members of the global security group named Support Staff to be able to dial in between 6:00 P.M. and
8:00 A.M. However, you do not want to allow the Support Staff members to be able to dial in when the log
files are made each day between 7:00 A.M. and 8:00 A.M.
You create four remote access policies on Delta as shown in the following table.
To specify the appropriate access control for Delta, click the Select and Place button, and then drag the
remote access policies and place them in the correct order.
Select and Place.
Answer:
Support staff 7-8 Deny
Support staff all
Domain users 6-8 Deny
Domain users all
Explanation: The remote access policies are applied in order. The first policy whose conditions are met is
applied. Only one policy can be applied.
The Support Staff policies must be applied before the Domain Users policies, since the staff members are also
Domain Users, and staff members need access 5-7 A.M.
The Deny policies must be applied before the Allow policies. If not, the Deny policies would never be applied.
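To make the first-match rule concrete, here is a small simulation of the policy ordering from question 62. It is an added example, not part of the original braindump: the group names ("Support Staff", "Domain Users"), the time windows and the evaluation logic are constructed to model how Windows 2000 evaluates an ordered list of remote access policies, and it also shows what happens when the two Deny policies are moved to the bottom.

```python
"""Simulate first-match evaluation of Windows 2000 remote access policies (RAPs).

Constructed example: policies are checked top to bottom, the first policy whose
conditions all match decides the attempt (grant or deny), and later policies are
never consulted. An attempt that matches no policy is denied.
"""
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    group: str                                # Windows-Groups condition
    grant: bool                               # True = grant permission, False = deny
    window: Optional[Tuple[time, time]] = None  # Day-and-time condition; None = any time

    def matches(self, user_groups: Set[str], when: time) -> bool:
        if self.group not in user_groups:
            return False
        if self.window is None:
            return True
        start, end = self.window
        if start <= end:
            return start <= when < end
        return when >= start or when < end    # window crosses midnight, e.g. 18:00-08:00


def evaluate(policies: List[Policy], user_groups: Set[str], when: time) -> str:
    """Return the outcome of a dial-in attempt under an ordered policy list."""
    for policy in policies:
        if policy.matches(user_groups, when):
            return "grant" if policy.grant else "deny"
    return "deny (no matching policy)"


# The four policies in the order given as the answer to question 62.
ANSWER_ORDER = [
    Policy("Support staff 7-8 Deny", "Support Staff", False, (time(7), time(8))),
    Policy("Support staff all", "Support Staff", True),
    Policy("Domain users 6-8 Deny", "Domain Users", False, (time(18), time(8))),
    Policy("Domain users all", "Domain Users", True),
]

# Same policies, but with the Deny policies placed after the Allow policies.
WRONG_ORDER = [p for p in ANSWER_ORDER if p.grant] + [p for p in ANSWER_ORDER if not p.grant]

# Constructed users: a support technician is in both groups, a clerk only in Domain Users.
SUPPORT = {"Domain Users", "Support Staff"}
CLERK = {"Domain Users"}


def scenario(policies: List[Policy]) -> Dict[str, str]:
    """Evaluate representative dial-in attempts against one policy ordering."""
    return {
        "support 07:30": evaluate(policies, SUPPORT, time(7, 30)),   # log files being made
        "support 22:00": evaluate(policies, SUPPORT, time(22, 0)),   # after hours
        "support 10:00": evaluate(policies, SUPPORT, time(10, 0)),   # workday
        "clerk 22:00": evaluate(policies, CLERK, time(22, 0)),       # after hours
        "clerk 10:00": evaluate(policies, CLERK, time(10, 0)),       # workday
    }


if __name__ == "__main__":
    for label, order in (("answer order", ANSWER_ORDER), ("deny policies last", WRONG_ORDER)):
        print(label)
        for attempt, outcome in scenario(order).items():
            print(f"  {attempt}: {outcome}")
```

With the Deny policies last, the "Support staff all" and "Domain users all" policies match first, so the 7-8 A.M. and after-hours restrictions are never applied.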

63. You are the administrator of your company's network. To facilitate connections for remote
administration, you install Routing and Remote Access on a Windows 2000 domain controller.
You want to accomplish the following goals:
• Only administrators will have dial-up access.
• Dial-up connections will be accepted only from 4:00 p.m. to 7:00 a.m.
• Connections will be forcibly disconnected after 20 minutes of inactivity.
• All connections will encrypt all communications.
• Connections will be limited to one hour.
You take the following actions:
• Set the level or levels of encryption to No Encryption and Basic.
• Add Domain Admins to the Windows Group Policy condition.
• Configure the rest of the remote access policy as shown in the exhibit.
Which result or results do these actions produce? (Choose all that apply)
A. Only administrators have dial-up access
B. Dial-up connections are accepted only between 4:00 PM and 7:00 A.M
C. Connections are forcibly disconnected after 20 minutes of inactivity
D. All connections encrypt all communication
E. Connections are limited to one hour

Answer: A, C

Explanation: The exhibit indicates that the default remote access policy (RAP) has been changed. This is the
only RAP used. By adding the Domain Admins to the Windows Group Policy condition only the administrators
have dial-up access. Furthermore, the maximum session is set to 20 minutes, therefore after 20 minutes of being
connected, including being idle for 20 minutes, a forced disconnection will occur.
Incorrect Answers:
B: Dial-up connections are configured to restrict access to between 7:00 am and 4:00 pm as is shown in the
exhibit. Therefore connections will not be accepted between 4:00 pm and 7:00 am the following
morning.
D: Some connections might be unencrypted since Basic and No encryption is allowed.
E: Although the idle time limit is one hour, the session time is limited to 20 minutes, therefore connections
are limited to 20 minutes, not one hour.

64. You are the administrator of your company's Routing and Remote Access servers. Your company's
administrators are able to dial in to the company's network to perform remote monitoring and
administration. This remote monitoring and administration requires an excessive amount of network
bandwidth. You want to allow only administrators to use multiple phone lines, and you want to limit all
other users to a single phone line.
You want to configure multiple phone-line network connections to adapt to changing bandwidth
conditions. When the phone lines fall below 50 percent capacity, you want to reduce the number of phone
lines utilized. You also want to allow all users the ability to connect to the network by Routing and Remote Access. No default remote access policies currently exist.
What should you do? (Choose three)
A. Create one remote access policy on the Routing and Remote Access server.
B. Create two remote access policies on the Routing and Remote Access server.
C. Allow Multilink.
D. Decrease the maximum number of ports used by the Routing and Remote Access server.
E. Select the Require Bandwidth Allocation Protocol (BAP) for the Dynamic Multilink Requests
check box.
F. Increase the maximum number of dial-up sessions.

Answer: B, C, E

Explanation: No default remote access policy exists in this scenario. We need to create two Remote Access
Policies (RAPs); one which applies to the administrators and one which applies to the ordinary users. Multilink
has to be allowed for the Administrator RAP.
The Routing and Remote Access console is then used to enable multilink and to enable the Bandwidth
Allocation Protocol.
Incorrect Answers:
A: Two RAPs have to be created, not one. One should be created for the Administrators and another for the
Users.
D: Decreasing the number of ports used on the Routing and Remote Access server will decrease the number
of simultaneous connections. This is not in keeping with the requirements set out in this scenario.
F: Multilink has to be enabled, the number of dial-up sessions does not have to be increased.

65. You are the administrator of your company's network. Your company has branch offices in New York
and Paris. Because each branch office will support its own routing and remote access server, you
implement a Remote Authentication Dial-In User Service (RADIUS) server to centralize administration.
You remove the default remote access policy. You want to implement one company policy that requires
all dial-up communications to use 40-Bit encryption. You want to configure your network to require
secure communications by using the least amount of administrative effort.
What should you do? (Choose Two)
A. Create one remote access policy on each routing and remote access server.
B. Create one remote access policy on the RADIUS server.
C. Set encryption to Basic in the remote access policy or policies.
D. Set encryption to Strong in the remote access policy or policies.
E. Enable the secure server IPSec policy on the RADIUS server.
F. Enable the server IPSec policy on the RADIUS server.

Answer: B, C

Explanation: IAS, Microsoft's implementation of a RADIUS server, is used to centralize administration,
authentication, and authorization of RAS. Remote access policies are included in this centralization.
Furthermore, there are 3 levels of encryption on dial-up connections: basic, strong and strongest. Basic is 40-bit
encryption and is used on older Windows systems. Strong is 56-bit encryption and strongest is 128-bit
encryption. Strongest is only used inside North America because of legal issues.
Incorrect Answers:
A: Only one remote access policy at the RADIUS server has to be created, not one on each RRAS server.
D: If encryption were set to Strong in a remote access policy, 56-bit encryption would be used, this would
not be compatible with older Windows systems. In this scenario 40-bit encryption is required.
E: By enabling the Secure Server (Require Security) IPSec policy on the RADIUS server, any clients,
including the Routing and Remote Access servers, which connect to this server must be IPSec-aware.
They are not in this scenario.
F: Enabling the Server (Request Security) IPSec policy on the RADIUS server would still allow unencrypted
communication initiated from a client that is not IPSec-aware.

66. You are the administrator of your company’s network. You are configuring remote access services in
your Windows 2000 domain to allow mobile users to access network resources. You want the inbound
client connections to receive the IP address and option configurations the administrator has defined for the client computers. Users report that they cannot access network resources by using the server name or by searching Active
Directory. You investigate and find that when you connect to the remote access server, your client
computer is receiving its IP address configuration but none of the DHCP options. Internal client
computers are not experiencing this problem.
What should you do to resolve this problem?
A. Enable IP routing in the remote access Server’s Properties dialog box.
B. Disable IP routing in the remote access Server’s Properties dialog box.
C. Configure a static address pool on the remote access Server.
D. Configure the remote access server to act as a DHCP Relay Agent.

Answer: D

Explanation: In this scenario the mobile users receive their IP configurations from the Remote Access Server,
but they are not able to receive any DHCP options. In order to enable this, a DHCP relay agent must be
configured on the Remote Access server. This will allow DHCPINFORM messages, which are used to obtain Windows
Internet Name Service (WINS) and Domain Name System (DNS) addresses, domain name, Default Gateway or
other DHCP options originating from the DHCP server, to reach the mobile clients.
Incorrect Answers:
A: The mobile clients are able to connect to the Remote Access Server. Therefore this is not a communication
problem, and enabling IP routing will not solve it.
B: The mobile clients are able to connect to the Remote Access Server. Therefore this is not a communication
problem, and disabling IP routing will not solve it.
C: The mobile clients receive the correct IP configurations from the Remote Access Server. Therefore it is
not necessary to create a static address pool on the remote access server.

67. You are the administrator of a Windows 2000 domain named contoso.com. The domain has a Windows
2000 member server computer named Ras1 and a Windows 2000-based DHCP server computer named
Dora. Routing and Remote access is enabled for access on Ras1. The network has two DNS servers that
use IP addresses of 10.1.5.2 and 10.1.5.3.
Ras1 is configured to use DHCP to assign IP addresses to the remote access client computers.
The configuration of the scope options on the DHCP server is shown in the following window.
The DHCP scope does not have any client computer reservations.
When remote access client computers dial into Ras1, they receive an IP address from the DHCP scope
range, but they do not receive the DNS address configured in the DHCP scope. Instead, the remote
access client computers receive a DNS server address of 10.1.5.2.
You want the remote access client computers to receive the DNS option from the DHCP server.
How should you configure the network to accomplish this goal?
A. Configure the remote access client computers to enable DHCP on the dial-up connection.
B. Configure Ras1 to use Windows authentication.
C. Install and configure the DHCP relay agent routing protocol on the internet interface of Ras1.
D. On the DHCP server, configure the DNS scope option of 10.1.5.3 for the default routing and remote
access user class.

Answer: C

Explanation: In this scenario, the remote clients are receiving the correct DNS server address, as it was
specified in the scope. However, they are not able to receive DHCPINFORM packets from the DHCP server on
Dora. In order to enable this, a DHCP relay agent must be configured on the Internet interface of Ras1. This is done
by adding the SideB interface to the DHCP Relay Agent IP routing protocol. The DHCP Relay Agent protocol
must also be configured with the IP address of a DHCP server, in this case the IP address of ServerA.
Incorrect Answers:
A: DHCP cannot be configured on a dial-up connection.
B: This is a DHCP problem, not an authentication problem. The RAS clients can perform remote access,
but they are configured with the incorrect DNS server.
D: The exhibit indicates that the correct DNS scope option of 10.1.5.3 has already been defined. There is
also no default routing and remote access user class.

68. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server
computer named Ras5. Routing and Remote Access is enabled for remote access on Ras5. The domain
also has a Windows NT 4.0 member server computer named Ras4. Ras4 is running Remote Access
Service (RAS). The domain is in mixed mode.
Users in the domain use Windows 2000 Professional computers to dial in to the network through Ras4 or
Ras5. However, Ras4 is not able to validate remote access credentials of domain accounts.
How should you configure the network to enable the Windows NT 4.0 Ras4 member server computer to
validate remote access domain users?
A. Change the domain from mixed mode to native mode.
B. Add the Ras4 computer account to the RAS and IAS Servers group.
C. Add the Everyone group to the Pre-Windows 2000 Compatible Access group.
D. Create a remote access policy that has the Ras4 computer account as a condition. Grant remote
access permission if the condition matches the properties of the dial-in attempt.

Answer: C

Explanation: The Pre-Windows 2000 Compatible Access group is a backward compatibility group which allows read
access on all users and groups in the domain. In this scenario the NT 4.0 RAS server Ras4 needs to access the user
accounts of the domain. This is done by adding the Everyone group to the Pre-Windows 2000 Compatible
Access group. We can verify that the Everyone group is a member of the Pre-Windows 2000 Compatible Access
group with the net localgroup "Pre-Windows 2000 Compatible Access" command. If not, we can issue the net
localgroup "Pre-Windows 2000 Compatible Access" everyone /add command on a domain controller computer
and then restart the domain controller computer.
Incorrect Answers:
A: A domain that contains Windows NT servers cannot run in native mode, it can only run in mixed mode.
B: The Windows NT 4.0 RAS server will not be able to access the properties of user accounts by being added to any
group. The Everyone group has to be added to the Pre-Windows 2000 Compatible Access group.
D: Creating a new remote access policy will not enable the NT 4.0 RAS server to access the properties of
the user accounts of the domain.

69. You are the administrator of your company’s network. Your web server is configured to run a third party
Web application for users on your network.
Another network administrator in your company has recently made some configuration changes to
secure the server. Users report that each time they try to connect to a secure web server, they receive the
following error message, “Web page requested is not available”. Users have no problem connecting to
FTP, and you have verified that the web service has started.
You want to discover why users are receiving the error message. What should you do to diagnose the
problem?
A. Verify that port 21 and port 20 are permitted in your TCP/IP filter.
B. Verify that port 443 is permitted in your TCP/IP filter.
C. Verify that the correct NTFS file permissions are on the web pages.
D. Verify that the port 80 is permitted in your TCP/IP filter.

Answer: B

Explanation: Port 443 is used for secure web traffic (HTTPS). Therefore the TCP/IP filter should permit this port.
Incorrect Answers:
A: Port 20 and port 21 are used for FTP traffic.
C: This is not a permission problem, the web page that was requested was not available.
D: Port 80 is the HTTP protocol. HTTPS, secure web server, is port 443.

70. You are the administrator of a Windows 2000 network that has a main office and one branch office. You
use PPTP to connect the main office to the branch office.
You want to verify that the strongest possible level of data encryption is supported for the connection.
What should you do?
A. In the Routing and Remote access consoles, verify that the dial-in profile used to establish the
connection between the two offices allows only MS-CHAP.
B. In the properties of the Routing and Remote Access Server objects in the Routing and Remote access
consoles, verify that the Extensible Authentication Protocol is using MD5-CHAP.
C. In the properties of the PPTP interfaces in the Routing and Remote Access consoles, verify that MS-CHAP
v2 is being used as the authentication method.
D. In the properties of the PPTP interfaces in the Routing and Remote Access consoles, verify that
Password Authentication Protocol (PAP) is being used as the authentication method.

Answer: B

Explanation: We can use EAP to support authentication schemes such as Generic Token Card, MD5-Challenge
(MD5-CHAP), Transport Layer Security (TLS) for smart card support, and S/Key, as well as any future
authentication technologies. Extensible Authentication Protocol using MD5-CHAP is more secure than MS-CHAP
v2, MS-CHAP and PAP.
Incorrect Answers:
A: CHAP uses encrypted authentication but is vulnerable.
B: MD5-CHAP. The Message Digest 5 Challenge Handshake Authentication Protocol. This protocol
encrypts user names and passwords with an MD5 algorithm.
C: MS-CHAP v2 is an improvement on CHAP. In MS-CHAP the challenge response is calculated with a
Message Digest 4 (MD4)-hashed version of the password.
D: PAP uses plaintext and is not a secure authentication protocol.

71. You are the administrator of a mixed Windows NT 4.0 and Windows 2000 network. All of the Windows
2000 Server computers in your network are member servers of a single Windows NT 4.0 domain. You
want to use two of these servers to test configurations of IPSec that are using the Kerberos authentication
protocol.
What should you do?
A. On both servers, create a new IPSec policy.
Configure a rule so that it will not use a tunnel.
Specify shared secret key authentication.
Assign the new policy.
B. On one of your servers, install a stand-alone root Certificate Authority (CA).
Create a digital certificate for both servers.
On both servers create a new IPSec policy and specify the issued certificate for authentication.
Assign the policy.
C. On both servers, create a new IPSec policy.
Specify the tunnel end point as the IP address of the partner Server and specify a shared secret key to use for
authentication.
Assign a new policy.
D. Promote one of the servers to a domain controller.
Assign the domain controller as the default Secure Server IPSec policy.
Assign the other Server the default Client IPSec policy.

Answer: D

Explanation: Active Directory is needed for Kerberos authentication. Kerberos is not supported in Windows
NT 4.0. Therefore we must promote one of the Windows 2000 member servers to a domain controller, use Secure Server (Require Security) on this domain controller and configure the other server with the Client
IPSec policy. To promote a Windows 2000 member server to a domain controller in this NT 4.0 domain we must install Windows NT
4.0 as a backup domain controller (BDC), promote the BDC to a primary domain controller (PDC), and then
upgrade it to a Windows 2000 mixed-mode domain controller.
Incorrect Answers:
A: A Windows 2000 domain controller is required for Kerberos authentication.
B: A Windows 2000 domain controller is required for Kerberos authentication.
C: A Windows 2000 domain controller is required for Kerberos authentication.

72. You are the administrator of your company's network. The network is configured as shown in the exhibit.
You are configuring your Windows 2000 server computer that runs Internet Information Server (IIS).
Your Server uses the IP address of 131.107.2.2 to support internet users. Your server uses the IP address
of 10.1.1.2 to support an intranet application.
You want to configure your server to permit only web communications from the internet. You also want
to configure your server to allow access to shared folders and other resources for users on the intranet.
What should you do? (Choose two)
A. Enable a TCP filter. Permit only port 80 on the network adapter that uses the IP address of
131.107.2.2.
B. Enable a TCP filter. Permit only port 21 and port 20 on the network adapter that uses the IP
address of 131.107.2.2.
C. Permit all ports on the network adapter that uses the IP address of 131.107.2.2.
D. Enable a TCP filter. Permit only port 80 on the network adapter that uses the IP address of 10.1.1.2.
E. Enable a TCP filter. Permit only port 21 and port 20 on the network adapter that uses the IP address
of 10.1.1.2.
F. Permit all ports on the network adapter that uses the IP address of 10.1.1.2.

Answer: A, F

Explanation: In this scenario external Internet users will use the 131.107.2.2 IP address to use the Web server.
Therefore it should only be enabled for web traffic (HTTP), which uses TCP port 80. Internal users will use
the 10.1.1.2 IP address to access the Web server and other resources, so on that interface all traffic should be permitted.
Incorrect Answers:
B: Port 20 and port 21 are used for FTP traffic; port 80 is used for HTTP traffic. We should
therefore permit port 80 on the Internet interface of the Web server.
C: Only port 80 should be permitted on the Internet interface of the Web server.
D: All ports should be permitted on the internal interface of the Web server, not only web traffic.
E: All ports should be permitted on the internal interface of the Web server, not only FTP traffic.

73. You are the administrator of your company’s network. Your network is configured in a Windows 2000
domain as shown in the following diagram.
Acct1 and Acct2 belong to the accounting department. Sales1 and Sales2 belong to the sales department.
Production1 and Production2 belong to the production department. Manager1 belongs to the
management department. The accounting department does not access the Internet.
You want to accomplish the following goals:
• All communications involving the Acct1 and Acct2 will be encrypted.
• Internet communications will not be encrypted.
• Communications between the sales department and the management department will be
encrypted.
• Performance overhead for encryption will be minimized.
You take the following actions:
• Create an organizational unit (OU) structure as shown in the exhibit.
• Add Acct1 and Acct2 to the ACCT OU.
• Add Sales1 and Sales2 to the Sales OU.
• Add all other computers to the Comp OU.
• Assign the default Secure Server IPSec Policy to the domain.
Which result or results do these actions produce? (Choose all that apply)
A. All communications involving Acct1 and Acct2 are encrypted.
B. Internet communications are not encrypted.
C. Communications between the sales department and the management department are encrypted.
D. Performance overhead for encryption is minimized.

Answer: A, C

Explanation: By choosing the Secure Server (Require security) policy as the default for the domain, all
communication would be encrypted, including all communication involving Acct1 and Acct2, communication
between the sales and management departments, and Internet communication.
Incorrect Answers:
B: By choosing the Secure Server (Require security) as a default for the Domain, all communication with
the servers, even Internet communication, would be encrypted.
D: Since even Internet communication is encrypted, even though it is not required, the performance
overhead for encryption is not minimized.

74. You are the administrator of your company's network. Your network consists of Windows 2000 server
computer and Windows 2000 Professional computers.
You create an IPSec policy named accountingsec for use by employees in your accounting department.
Your company is concerned that the keys used for encryption could be compromised and used to decrypt future communications.
You want to prevent the re-use of previous-session keys. You also want to limit performance degradation.
What should you do?
A. Decrease the frequency of policy checks for updates.
B. On the Generate a new key every property, modify the time allocations.
C. Select the Master key perfect forward secrecy check box.
D. Select the Session key perfect forward secrecy check box.

Answer: D

Explanation: Session Key Perfect Forward Secrecy creates a new master key during every session re-key
operation and is the most secure setting.
Incorrect Answers:
A: Decreasing the frequency of policy checks would not prevent use of previous session keys.
B: If the time allocations of the Generate a new key every property are configured, re-authentication
and new key generation would take place at that interval. But there is no guarantee that a new
session will not use a previous session key.
C: Master key PFS should be used with caution as it requires re-authentication. This may cause additional
overhead for any domain controllers in your network.

75. You are the administrator of a Windows 2000 network. The administrator of your company's Human
Resources Organizational Unit wants to be able to manage Encrypting File System for the users in their
department. The administrators of the human resources department belong to a group named
HRAdmins, which has full administrative privileges to the OU.
To make it possible for the members of HRAdmins to manage EFS for the users in their department, you
install an Enterprise Certificate Authority for use by the entire company. However, the administrators of
the human resources department notify you that they are unable to create a Group Policy that allows
them to manage EFS for their department.
What should you do to enable the administrators of the Human Resources Organizational Unit to create
a Group Policy to manage EFS for the users in their department? (Choose Two)
A. Install a Subordinate Enterprise CA for use by the human resources department.
B. In the Certification Authority console for the CA, add a new policy setting for an EFS Recovery Agent
certificate.
C. In the certification authority console for the CA, add a new policy setting for a Basic EFS certificate.
D. In Active Directory sites and services, grant the Enroll permission to the HRAdmins for the
Enrollment Agent Certificate Template.
E. In Active Directory sites and services, grant the Enroll permission to the HRAdmins for the EFS
Recovery Certificate Template.
F. In Active Directory sites and services, grant the Enroll permission to the HRAdmins for the EFS
Certificate Template.

Answer: B, E

Explanation: The administrators of the Human Resources department must be set up as Recovery Agents in
order to be able to administer EFS for their department. This can be accomplished by adding a new policy
setting for an EFS Recovery Agent certificate in the appropriate CA and granting the Enroll permission to the
HRAdmins for the EFS Recovery Certificate Template in Active Directory sites and services.
Incorrect Answers:
A: It is not necessary to install a subordinate Enterprise CA. The existing Enterprise CA can be
used.
C: A new policy setting for an EFS Recovery Agent certificate, not a Basic EFS certificate, should be added.
D: The HRAdmins should be granted enroll permissions to the EFS Recovery Certificate Template not the
Enrollment Agent Certificate Template.
F: The HRAdmins should be granted enroll permissions to the EFS Recovery Certificate Template not the
EFS Certificate Template.

76. You are the administrator of a Windows 2000 network. Your Public Key Infrastructure consists of an
offline Certificate Authority (CA) and a number of subordinate CAs.
Your company is selling one of its divisions. This division has a subordinate CA that it uses to issue
certificates. You want to ensure that once the division is sold, applications and other CAs on your
network will not accept the former division’s certificates. You also want to ensure that you can
implement your solution by using a minimum amount of administrative effort.
What should you do?
A. On the division’s subordinate CA, revoke all the certificates it has issued. Publish the Certificate Revocation List (CRL) to a server on your network. Uninstall the CS software and remove the CS
files.
B. On the company's root CA, revoke the certificate of the division’s subordinate CA. Publish the
Certificate Revocation List (CRL).
C. On the division’s subordinate CA, revoke the certificates it has issued. Publish the Certificate
Revocation List. Copy the EDB.LOG file from the subordinate CA to the Certification Distribution
Point on your network.
D. On the company's root CA, revoke the certificate of the division’s subordinate CA.
Publish the Certificate Revocation List (CRL). Copy the CRL file to the Certificate Distribution
Point on your network.
E. On the division’s subordinate CA, revoke the certificates it has issued. Publish the Certificate
Revocation List. Copy the CRL file to the Certificate Distribution Point on your network.
Disconnect the CA from the network.

Answer: D

Explanation: By revoking the certificate of the subordinate CA, instead of revoking all of the certificates it has
issued, the goal is achieved with the least amount of administrative effort. Revoking a certificate is a two-step
process: first the certificate is revoked, and then the Certificate Revocation List (CRL) is created (this happens
automatically) and published.
Incorrect Answers:
A: Revoking all certificates that the CA has issued is a daunting administrative task. It is better to revoke
the certificate for the CA itself.
B: The Certificate Revocation List (CRL), not the edb.log file, should be copied to the Certification
Distribution Point on your network.
C: Revoking all certificates that the CA has issued is a daunting administrative task. It is better to revoke
the certificate for the CA itself. The edb.log file is not used for revoking certificates.
E: Revoking all certificates that the CA has issued is a daunting administrative task. It is better to revoke
the certificate for the CA itself.
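The reasoning behind answer D, as an added example that is not part of the original question set: a small Python model of a two-tier PKI with a CRL Distribution Point, showing that a single revocation on the root CA's CRL makes every certificate chained through the division's subordinate CA fail validation, whereas options A and E would need one revocation per issued certificate. The CA names, subjects, serial numbers and the dictionary standing in for the distribution point are all constructed for the example.

```python
"""Toy PKI showing why revoking a subordinate CA's own certificate is the
low-effort way to invalidate everything it issued.  Added example; the CA
names, serial numbers and subjects are constructed, not from the question.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    issuer: str  # subject name of the issuing CA (a root CA signs itself)


@dataclass
class CertificationAuthority:
    cert: Cert
    next_serial: int = 1
    revoked: set = field(default_factory=set)  # serials on this CA's CRL

    def issue(self, subject: str) -> Cert:
        cert = Cert(self.next_serial, subject, self.cert.subject)
        self.next_serial += 1
        return cert

    def revoke(self, cert: Cert) -> None:
        if cert.issuer != self.cert.subject:
            raise ValueError("a CA can only revoke certificates it issued")
        self.revoked.add(cert.serial)

    def publish_crl(self, distribution_point: dict) -> None:
        """Copy this CA's CRL to the Certificate Distribution Point (a dict here)."""
        distribution_point[self.cert.subject] = frozenset(self.revoked)


def validate_chain(chain, distribution_point, trusted_root: Cert):
    """Walk leaf -> root.  Every certificate below the root must be absent
    from its issuer's published CRL; a missing CRL is treated as failure
    (revocation status unknown).  Returns (ok, reason)."""
    if chain[-1] != trusted_root:
        return False, "chain does not end in the trusted root"
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer mismatch"
        crl = distribution_point.get(issuer.subject)
        if crl is None:
            return False, f"{cert.subject}: no CRL published by {issuer.subject}"
        if cert.serial in crl:
            return False, f"{cert.subject}: revoked by {issuer.subject}"
    return True, "valid"


def demo() -> dict:
    root = CertificationAuthority(Cert(0, "Company Root CA", "Company Root CA"))
    division_ca_cert = root.issue("Division CA")
    division = CertificationAuthority(division_ca_cert)
    users = [division.issue(name) for name in ("user1", "user2", "user3")]
    cdp = {}  # constructed Certificate Distribution Point
    root.publish_crl(cdp)
    division.publish_crl(cdp)

    def check_all():
        return [validate_chain([u, division_ca_cert, root.cert], cdp, root.cert)[0]
                for u in users]

    before = check_all()
    # Option D from the question: one revocation on the root CA, then publish
    # the root's CRL to the distribution point.
    root.revoke(division_ca_cert)
    root.publish_crl(cdp)
    after = check_all()
    return {
        "before": before,
        "after_revoking_subca": after,
        "revocations_needed": len(root.revoked),
        "leaf_revocations_avoided": len(users),
    }


if __name__ == "__main__":
    print(demo())
```

The validation loop treats a missing CRL as a failure, which is why the CRL must actually reach the distribution point: a relying party that cannot fetch the issuer's CRL cannot confirm that the chain is unrevoked.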

77. You are the administrator of Windows 2000 domain. The domain has a Windows 2000 member server
computer named Vegas. Routing and remote access is enabled for remote access on Vegas. Some of the
remote access client computers require the use of CHAP.
You enable CHAP on Vegas. You also configure the appropriate remote access policy to use CHAP.
However, users who require CHAP report that they are not able to dial in to Vegas.
What should you do?
A. Configure Vegas to prohibit the use of LAN Manager authentication.
B. Configure Vegas to disable use of link control protocol (LCP) extensions.
C. Configure the user accounts by selecting Store passwords using reversible encryption. Set the user
passwords to change the next time each user logs on.
D. Configure the user account to use static IP address when they dial into the network.

Answer: C

Explanation: To enable CHAP-based authentication, we must enable CHAP as an authentication protocol on
the remote access server, enable CHAP on the appropriate remote access policy, enable storage of a reversibly
encrypted form of the user's password, force a reset of the user's password so that the new password is in a
reversibly encrypted form, and enable CHAP on the remote access client running Windows 2000. When we
enable passwords to be stored in a reversibly encrypted form, the current passwords are not in a reversibly
encrypted form and are not automatically changed. We must therefore either reset user passwords or set user
passwords to be changed the next time each user logs on.
Incorrect Answers:
A: LAN manager authentication is used for legacy clients, for example DOS, but is of no use here.
B: Disabling LCP extensions would help in troubleshooting certain Internet Service Provider Login
problems. It would not help with this RRAS dial-in problem.
D: This is an authentication problem, not an IP configuration problem.
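A worked model of why option C is required, added here and not taken from the question set: CHAP's MD5 response is computed over the secret itself, so the server can only verify it if it can recover the password, which is what the reversible-encryption setting provides for passwords set after it is enabled. The user names, passwords and the two account stores are constructed for the example; the real Windows storage format is not modelled.

```python
"""CHAP (RFC 1994, MD5 variant) as a challenge/response exchange between a
dial-in client and a toy remote access server.  Added example with
constructed user names, passwords and challenge bytes.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


class RemoteAccessServer:
    """Stand-in for the RRAS server's view of the account database.

    recoverable: accounts whose password was changed after 'Store passwords
                 using reversible encryption' was enabled, so the server can
                 recover the secret itself.
    hashed_only: accounts that still hold only a one-way hash from before the
                 setting was enabled (a constructed stand-in for the NT hash).
    """

    def __init__(self, recoverable: dict, hashed_only: dict):
        self.recoverable = recoverable
        self.hashed_only = hashed_only

    def issue_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.recoverable.get(user)
        if secret is None:
            # CHAP needs the secret itself to recompute the MD5; a one-way
            # hash cannot be turned back into it, so the logon is refused.
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def dial_in(server: RemoteAccessServer, user: str, password: str) -> bool:
    """One CHAP exchange: server challenges, client answers, server verifies."""
    identifier = 1
    challenge = server.issue_challenge()
    response = chap_response(identifier, password, challenge)
    return server.verify(user, identifier, challenge, response)


def demo() -> dict:
    # Constructed accounts: alice reset her password after the setting was
    # enabled; bob has not yet, so only his one-way hash exists.
    server = RemoteAccessServer(
        recoverable={"alice": "Summer-2003!"},
        hashed_only={"bob": hashlib.sha256(b"Winter-2003!").hexdigest()},
    )
    return {
        "alice_after_password_reset": dial_in(server, "alice", "Summer-2003!"),
        "bob_before_password_reset": dial_in(server, "bob", "Winter-2003!"),
        "alice_wrong_password": dial_in(server, "alice", "guess"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the account database must then hold a recoverable form of the password, the setting should be limited to the accounts that genuinely need CHAP (it is a per-account option, which is what option C describes) rather than applied domain-wide; MS-CHAP and MS-CHAP v2 authenticate from the NT hash and do not need it.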

78. You are the administrator of a Windows 2000 domain. The Domain has a Windows 2000 member server
computer named Helsinki. Routing and remote access is enabled for remote access on Helsinki.
Users in the domain are able to dial in to the network by using their Windows 2000 Professional
computers.
Your company has a group named sales. You want to allow members of the sales group to use a smart
card for the remote authentication. The dial-in permission for all users in the sales group is set to control
access through remote access policy.
You create a new access policy named sales access. This remote access policy grants remote access to
members of the sales group any time of the day. This remote access policy is the first policy on the list of
remote access policies on Helsinki.
Members of the sales group are able to dial in to the network, but they report that they are unable to use
a smart card for remote authentication. You want to ensure that members of the sales group are able to
use the smart card authentication method.
What should you do?
A. In active directory, add Helsinki to the Pre-Windows 2000 compatible access group.
B. Enable EAP as an authentication method on the Helsinki remote access server and the Windows
2000 remote access client computers. Enable EAP in the profiles of the sales access remote access
policy.
C. For all the member of the sales group, select stored passwords using reversible encryption.
D. For all the members of the sales group, configure the user account to be trusted for delegation.

Answer: B

Explanation: Smart Card Authentication requires the use of the Extensible Authentication Protocol (EAP).
EAP has to be configured on the RAS server, on the RAS clients, and in the profile of the remote access policy.
Incorrect Answers:
A: The Pre-Windows 2000 Compatible Access is a backward compatibility group which allows read access
on all users and groups in the domain. Adding Helsinki to it would not enable smart card authentication.
C: The stored passwords using reversible encryption setting is used when the CHAP protocol is enabled. It
is not used to enable smart card authentication.
D: The trusted for delegation privilege enables the user (or computer) to access resources on another
computer. It is not used to enable smart card authentication.

79. You are the administrator of your company's network. The network consists of one Windows 2000
domain running in native mode. You are not running Certificate Services in the domain.
Your company is a sales organization and has 150 salespeople. When these salespeople are out of office,
they require file and print services, e-mail and access to the company's product and inventory database.
These salespeople belong to a group named SalesMobile.
Your company has dedicated T1 access to the internet. Your company also uses a virtual private network
(VPN) to reduce the costs and hardware required to support the salespeople.
You want to accomplish the following goals:
• Required network resources will be accessible to all salespeople.
• Connections to the network will be made only by salespeople.
• Sensitive company data will be kept confidential over the VPN connections.
• Access to the network will only take place during business hours.
• All salespeople will be able to connect to the network simultaneously.
You take the following actions:
• Install routing and remote access on a Windows 2000 server computer and configure virtual private
networking.
• Grant the salespeople the Allow Access dial-in permission.
• Edit the default remote access policy to grant remote access permission.
• Edit the default remote access profile to require strong encryption of data.
Which result or results do these actions produce?
A. Required network resources are accessible to all salespeople.
B. Connections to the network are made only by salespeople.
C. Sensitive company data is kept confidential over the VPN connections.
D. Access to the network only takes place during business hours.
E. All salespeople are able to connect to the network simultaneously.

Answer: A, C

Explanation:
A: Salespeople have access to the network resources, since they have the Allow Access dial-in permission.
The default remote access profile will also allow access, since it has no conditions.
C: The default remote access profile (RAP) is set to require strong data encryption. There is no other way
to get access, so all company data are kept confidential.
Incorrect Answers:
B: The default dial-in permission in native mode is Control Access through Remote Access Policy. This
applies to all user accounts in the domain, except the Salespeople users who have Allow access. The
default remote access policy has no restrictions so every user would be able to get remote access.
D: No time restriction policy has been selected in default RAP. The default setting is to allow dial during
all times. Access will not be restricted to business hours.
E: Only 10 PPTP ports are configured by default. The 150 sales people would not be able to connect
simultaneously with only 10 ports. The PPTP ports setting must be increased to at least 150.

80. You are the administrator of your company’s network. You are configuring a Windows 2000 network for
dial-up access. Your users need to access their computers from home. To increase security, your company
issues smart cards to all users who have dial-up access. You need to configure your routing and remote
access server. What should you do? (Choose two)
A. Select the Extensible Authentication Protocol (EAP) check box.
B. Select the Microsoft encrypted authentication version 2 (MS-CHAP v2) check box.
C. Install a computer certificate on the routing and remote access server.
D. Install a smart card logon certificate on the routing and remote access server.
E. Install a computer certificate on the dial-up access client computer.

Answer: A, D

Explanation: The Extensible Authentication Protocol (EAP) is required for authentication using smart cards. A
smart card logon certificate must be installed on routing and remote access server.
Incorrect Answers:
B: EAP, not MS-CHAP V2, must be used for smart card user authentication.
C: A smart card logon certificate, not a computer certificate, must be installed.
E: A smart card logon certificate, not a computer certificate, must be installed.

81. You are the administrator of your company’s network. Your company employs account executives who
need access to the latest company data when they are traveling. You want to ensure that your company
will establish the network connection for your account executives regardless of where the call originates.
Your company also allows vendors access to the network by routing and remote access to submit
purchase orders. To ensure network security, your company wants to specify the location from which vendors can connect.
You want to configure your company’s routing and remote access server to facilitate access for account
executive and vendors. Which three actions should you take to ensure this configuration? (Choose three)
A. Set the Callback option to Always Callback to for the account executives.
B. Set the Callback option to Set by Caller for the account executives.
C. Set the Callback option to No callback for the vendors.
D. Set the Callback option to Always Callback to for the vendors.
E. Set the Callback option to Set By Caller for the vendors.
F. Enable link Control protocol (LCP) extensions.
G. Enable EAP.

Answer: B, D, F

Explanation: By configuring the Callback option to Set by Caller for the account executives, the executives
will be able to dial-in regardless where the call originates.
By configuring the Callback option to Always Callback to for the vendors, the company can specify from where
the vendors are allowed to dial-in.
Enabling Link Control Protocol (LCP) extensions allows callback to be negotiated during the LCP phase, and
callback is used in the Callback options in this scenario.
Incorrect Answers:
A: The account executives must be able to call in regardless of location. The Callback option must be set to
Set By caller, not Always callback to.
C: The No Callback option would allow the vendor to call in regardless of location, which shouldn’t be
allowed.
E: The vendors must not be able to call in regardless of location. The Callback option must be set to
Always callback to, not Set By caller.
G: EAP would require further configuration to work.

82. You are the administrator of your company's network, which consists of a single Windows 2000 Domain.
Your human resources department maintains a confidential database server named HRSvr1. Because the
information in the database is essential to your company's successful operation, HRSvr1 requires the
highest possible level of security.
The only server that exchanges confidential information with HRSvr1 is a middle-tier application server
named HRClt2, which provides client query responses to HR users. These responses are secured by application-level
encryption.
A former administrator configured custom IPSec policies on both HRSvr1 and HRClt2. However, you
suspect that these policies do not provide an adequate level of security for traffic between the two servers.
When you run the IP security monitor on HRClt2, you receive the output shown in the exhibit. You need to modify the existing IPSec policies to secure all traffic between the two servers. Which two
actions should you perform? (Each correct answer presents part of the solution. Choose Two)
A. Configure the IPSec policy properties on both servers to include both 2DES and DES algorithms.
B. Configure IPSec policy properties on both servers to include both HMAC-SHA and HMAC-MD5 algorithms.
C. Configure IPSec session Key PFS (Perfect Forward secrecy) on HRSvr1
D. Configure IPSec Master Key PFS (Perfect Forward secrecy) on HRClt2
E. Set the IP filter on HRClt2 to include only the IP address of HRSvr1
F. Set the IP filter action on both servers to negotiate both authentication header (AH) and
encapsulating security payload (ESP) protocol traffic with peer.

Answer: B, C

Explanation: B: The HMAC-SHA and HMAC-MD5 encryption algorithms are the most secure.
C: Session Key Perfect Forward Secrecy will create a new master key during every session re-key operation. It
should be configured on a server that is a part of the domain.
Incorrect Answers:
A: HMAC-SHA and HMAC-MD5 are more secure than DES and 3DES. There is no encryption algorithm
called 2DES.
D: IPSec Keys should be configured on servers that are part of the domain (HRSrv1) not on application
servers (HRClt2).
E, F: IP filters cannot be used to configure IPSec policies.
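Question 74 and question 82 both turn on session key perfect forward secrecy. The following toy model, added here and not part of the original material, derives session keys two ways: from a single master key plus nonces that travel on the wire, and with a fresh Diffie-Hellman exchange at every re-key. It then checks what an observer who later obtains the master key and the captured wire values can reconstruct. The group parameters are deliberately tiny and the exchange is unauthenticated; it stands in for, and is not, the IKE implementation.

```python
"""Why session key perfect forward secrecy limits what a captured master key
reveals.  Toy Diffie-Hellman model (small prime, no authentication); added
example with constructed values, not the IPSec IKE implementation.
"""
import hashlib
import hmac
import secrets

# Toy group: a Mersenne prime and generator 2.  Far too small for real use;
# it only has to keep the arithmetic readable.
P = 2**61 - 1
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(8, "big")


def derive_session_key(keying_material: bytes, nonce: bytes) -> bytes:
    """Quick-mode style derivation: session key = HMAC(keying material, nonce)."""
    return hmac.new(keying_material, nonce, hashlib.sha256).digest()


def rekey_without_pfs(master_key: bytes, rounds: int):
    """Every session key is derived from the same master key plus a nonce that
    travels on the wire, so an observer can record the nonces."""
    nonces = [secrets.token_bytes(16) for _ in range(rounds)]
    keys = [derive_session_key(master_key, n) for n in nonces]
    return keys, nonces


def rekey_with_pfs(rounds: int):
    """Each re-key runs a fresh Diffie-Hellman exchange; only the public values
    and the nonce are visible on the wire."""
    keys, wire = [], []
    for _ in range(rounds):
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        nonce = secrets.token_bytes(16)
        shared = dh_shared(a_priv, b_pub)
        assert shared == dh_shared(b_priv, a_pub)
        keys.append(derive_session_key(shared, nonce))
        wire.append((a_pub, b_pub, nonce))
    return keys, wire


def observer_recovers_without_pfs(master_key, nonces, real_keys) -> bool:
    """An observer who later obtains the master key replays the derivation."""
    return [derive_session_key(master_key, n) for n in nonces] == real_keys


def observer_recovers_with_pfs(master_key, wire, real_keys) -> bool:
    """With PFS the observer holds the old master key and the public DH values
    only; neither is the per-round shared secret, so the derivation fails."""
    guesses = [derive_session_key(master_key, nonce) for (_, _, nonce) in wire]
    return guesses == real_keys


def demo() -> dict:
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    master_key = dh_shared(a_priv, b_pub)  # main-mode (master) keying material
    assert master_key == dh_shared(b_priv, a_pub)

    keys, nonces = rekey_without_pfs(master_key, rounds=3)
    pfs_keys, wire = rekey_with_pfs(rounds=3)
    return {
        "without_pfs_master_key_reveals_sessions":
            observer_recovers_without_pfs(master_key, nonces, keys),
        "with_pfs_master_key_reveals_sessions":
            observer_recovers_with_pfs(master_key, wire, pfs_keys),
    }


if __name__ == "__main__":
    print(demo())
```

The check shows the property both questions ask for: with PFS the old master key does not enter the session key derivation at all, so compromising it does not expose earlier or later session traffic; the cost is one extra exponentiation pair per re-key, which is the performance trade-off the questions mention.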

83. You are the network administrator for Lucerne Publishing. Your network consists of a single Windows
2000 Domain.
Lucerne Publishing employs a full-time staff. It also contracts authors for short-term projects. All full-time
employees use portable computers that run Windows 2000 Professional. These users require remote
access to network resources, such as applications and printers. Contracted authors use their personal
computers, which run a variety of operating systems, including Windows 98, Windows NT 4.0, and
Windows 2000 Professional. The authors require remote access to the network so they can upload drafts
and revisions to a file share located on a Windows 2000 Server named Srv1.
To ensure connection security, you allow access to the network only by means of a virtual private
network (VPN) connection through the internet. You use PPTP as the VPN protocol, and you configure
four VPN servers as a Network Load Balancing (NLB) cluster.
Several authors now report that they experience rejected connections when they log on and try to access
srv1. Full-time employees report no problems.
How should you correct this problem?
A. Remove the cluster IP address from the server interfaces that receive the PPTP connections
B. Remove the dedicated IP address from the server interfaces that receive the PPTP connections
C. Edit the default remote access profile to grant access only to VPN connection and to increase the
Disconnect if idle setting to 10 minutes.
D. Edit the default remote access policy to grant access only to NAS Port Type VPN and to increase the
Disconnect If Idle setting to 10 minutes.

Answer: B

Explanation: If we are using Network Load Balancing to load balance Point-to-Point Tunneling Protocol
(PPTP), clients running Windows 95, Windows 98, or Windows NT 4.0 may, under certain circumstances, be
unable to connect to a Network Load Balancing cluster.
This problem can occur if the Network Load Balancing hosts use a dedicated IP address on the network adapter
to which Network Load Balancing is bound. To avoid the problem, we must remove the dedicated IP address
from all Network Load Balancing cluster hosts. This problem does not occur with Windows 2000 clients.
Incorrect Answers:
A: The dedicated IP address, not the cluster IP address, should be removed from the server interfaces that
receive the PPTP connections.
C: The connections for the down level clients are immediately rejected. They are not disconnected because
of the Disconnect if idle setting. The Disconnect if idle is disabled by default.
D: The Disconnect if idle is disabled by default. The problem cannot be fixed by restricting access to only
to NAS Port Type VPN.

84. You are the administrator of your company's network, which consists of five servers running Windows
2000 Server and 20 client computers running Windows 2000 Professional. All servers have static IP
addresses and all client computers use Automatic Private IP addresses (APIPA) for IP address
assignment. One server is multihomed, with a persistent connection to your company's internet service
provider (ISP).
Your company is acquired by another company. You must now provide internet access for all internal
users. You must also enable remote users to access your internal servers. Your solution must involve the
fewest possible changes to your current network configuration.
Which action or actions should you perform? (Choose all that apply)
A. Enable Internet Connection Sharing on the multihomed server
B. Install the Network address Translation protocol (NAT) on the multihomed server.
C. Configure the multihomed server as a DHCP allocator and exclude the static server addresses
D. Map the internal server addresses and ports to IP addresses in a pool assigned by your ISP.
E. Configure the external interface on the multihomed server as a demand-dial interface for DNS query
resolution.

Answer: B, C, D

Explanation: Network address Translation protocol (NAT) must be installed on the multihomed server.
There is no DHCP server in the network so the NAT computer must be configured as a DHCP allocator. The
static server addresses must be excluded from the range of the DHCP allocator.
Incorrect Answers:
A: ICS would only provide internet access, it would not enable remote users to access your internal servers.
E: There is a persistent connection to the ISP. It is therefore not necessary to configure the external
interface on the NAT computer as a demand-dial interface.

85. You are the network administrator for Lucerne Publishing. Your company employs a full-time staff. It
also contracts authors for short-term projects.
All full-time employees use portable computers running Windows 2000 Professional. These users require
remote access to network resources, such as applications and printers. Contracted authors use personal
computers that run a variety of operating systems, including Windows 98, Windows NT 4.0, and
Windows 2000 Professional. The authors require remote access to the network so they can upload revised
documents to file servers. You allow remote access to the network only by means of a virtual private
network connection through the internet.
You configure 40 PPTP ports on a single VPN server. To ensure high availability of the VPN service, you
configure three additional VPN servers. You configure 40 L2TP ports on each new server. You configure
round robin DNS entries for all four VPN servers.
Several authors now report that they experience rejected connections when they dial the VPN servers.
After repeated attempts they are eventually able to connect. Full-time employees report no problems.
You need to correct this problem while ensuring the highest possible level of security for each connection.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two).
A. Configure 40 PPTP ports on each new VPN server
B. Configure 40 L2TP ports on the original VPN server
C. Remove the 40 PPTP ports on the original VPN server
D. Remove the 40 L2TP ports from each new VPN server.
E. Remove the dedicated IP address from the server interfaces that receive the VPN connections.
F. Remove the round robin DNS entries for the VPN servers and assign users to specific VPN servers.

Answer: A, D

Explanation: In this scenario one VPN server is configured for PPTP, the other three are configured for L2TP.
L2TP is supported by Windows 2000, but it is not supported by downlevel clients such as Windows 98 and
Windows NT 4.0. When a remote downlevel client connects, the connection will only be successful when it
reaches the VPN server configured for PPTP, so there is a 25% chance of getting a connection. The Windows 2000
remote clients get access either by PPTP or by L2TP.
A: By configuring all VPN server with 40 PPTP ports there would be no problem to get a connection for any
author, including the ones using downlevel clients.
D: L2TP is not encrypted unless it is used in connection with IPSec. By removing the L2TP ports from all
the new servers, only secure PPTP connections would be allowed.
Incorrect Answers:
B: L2TP is not secure. Windows 2000 clients which get L2TP connections would have unencrypted
connections.
C: The L2TP ports, not the PPTP ports, should be removed. The downlevel clients, Windows 95 or
Windows NT 4.0, would not be able to be granted remote access if PPTP ports are removed.
E: The IP address configuration of the server interface has a correct setting. The problem at hand concerns
the L2TP protocol.
F: Round robin is working correctly. It is not necessary to change the configuration of round robin.

86. You are the administrator of your company's network, which consists of a single Windows 2000 domain.
Company employees need to access network resources when they are working remotely.
Some remote users work at home, using personal desktop computers that run either Windows 98 or
Windows 2000 Professional. The home computers do not have computer accounts in the company's
domain. Other remote users have company-issued portable computers that run Windows 2000
Professional. The portable computers have computer accounts in the company's domain. The portable
computers also contain a smart card reader, which is the only means of authentication for the employees
who use them.
To provide secure access for all remote users, you enable Routing and remote access on a Windows 2000
Server computer that is connected to the internet. You also create ports for 25 PPTP virtual private
network connections. You verify that all VPN client computers are configured correctly.
To ensure security, you create a single routing and remote access policy for all users and configure
authentication as shown in the exhibit. All remote users with desktop computers running Windows 2000 Professional can now successfully
connect to the VPN server. However, no other remote users can establish a connection.
You need to enable all remote users to connect to the VPN server. You also need to ensure the highest
possible level of authentication security.
Which two actions should you perform in the remote access profile? (Each correct answer presents part
of the solution. Choose two)
A. Create computer accounts for all the home computers
B. Select the Extensible Authentication Protocol check box and select Smart Card or other certificate in
the list box.
C. Select the Extensible Authentication Protocol check box and select MD5 Challenge in the list box.
D. Select the Microsoft Encrypted Authenticated check box
E. Select the Unencrypted Authentication check box.
F. Clear the Microsoft encrypted Authentication Version 2 check box.

Answer: A, B

Explanation: The Extensible Authentication Protocol (EAP) check box with the Smart Card or other certificate
option must be selected, since the portable computers have smart card readers as the only means of
authentication. Smart card authentication requires computer accounts for all the home computers.
Incorrect Answers:
C: MD5 challenge cannot be used since the portable computers have smart card readers as the only means
of authentication.
D: Microsoft CHAP would not provide highest possible level of authentication security.
E: Unencrypted Authentication would not provide highest possible level of authentication security.
F: It is not necessary to clear the MS CHAP V2 check box. It is cleared automatically when Extensible
Authentication Protocol is selected.

87. You are the network administrator of Woodgrove Bank. Woodgrove Bank needs records of everyone
who accesses the company’s network by routing and remote access. You are configuring the routing and
remote access server for remote access.
You need to log all logon activity on the routing and remote access server. What should you do?
A. In the audit policy for the domain, enable directory service access.
B. In the audit policy for the domain, enable audit logon events.
C. In the audit policy for the domain, enable audit account logon events.
D. On the routing and remote access server, enable log authentication requests in the remote access
logging properties.
E. On the routing and remote access server, enable log accounting requests in the remote access logging
properties.

Answer: D

Explanation: The Log authentication requests option can help by alerting us to problems with transaction
volume and of unauthorized attempts to access resources. To enable Log Authentication requests we must
open the Routing and Remote Access console and click Remote access logging in the console tree. In the details
pane, right-click Local File, and then click Properties. Select the Settings tab, select one or more check boxes
for recording authentication and select the Log authentication requests check box.
Incorrect Answers:
A: This setting is configured in the Routing and Remote Access console, not in the audit policy for the
domain.
B: This setting is configured in the Routing and Remote Access console, not in the audit policy for the
domain.
C: This setting is configured in the Routing and Remote Access console, not in the audit policy for the
domain.
E: The Log authentication requests, not the Log accounting requests, should be selected.

88. You are the administrator of your company's network. You need to implement a remote access solution
that is highly available and highly secure. Your company consists of a single location and has a T3
connection to the Internet.
Your company has 1,000 salespeople who need reliable connectivity to the company network from any
remote location. All servers are running Windows 2000 Advanced Server, and all client computers are
running Windows 2000 Professional.
You want to accomplish the following goals:
• No single point of failure, aside from total loss of the T3, will result in total loss of remote access
connectivity.
• No authentication traffic will be carried as clear text.
• No data traffic will be carried as clear text.
• Support for at least 200 simultaneous remote users accessing the network will be available at all
times.
You take the following actions:
• Install three virtual private network (VPN) servers at the main office.
• Configure each VPN server to support 150 PPTP connections.
• Configure the client computers to use Password Authentication Protocol (PAP) as the authentication
protocol.
Which result or results do these actions produce? (Choose all that apply)
A. No single point of failure, aside from total loss of the T3, results in total loss of remote access
connectivity.
B. No authentication traffic is carried as clear text
C. No data traffic is carried as clear text
D. Support for at least 200 simultaneous remote users accessing the network is available at all times

Answer: A, D

Explanation: Three VPN servers have been installed at the main office, so the loss of any one server does
not remove remote access connectivity. Each server supports 150 connections, 450 in total; if one server
fails, the remaining two still provide 300 simultaneous connections, which exceeds the requirement of 200.
Incorrect Answers:
B: PAP sends the user name and password in clear text; nothing in the authentication exchange is
encrypted.
C: PPP itself does not encrypt data. On PPTP links the data encryption is provided by Microsoft
Point-to-Point Encryption (MPPE), which requires MS-CHAP, MS-CHAP v2 or EAP-TLS authentication, because
the MPPE session keys are derived from that authentication exchange. With PAP there are no keys to derive,
so the data traffic is carried in clear text as well.
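To make the clear-text point concrete, here is an added example (not from the original braindump and not Windows code) that builds the two PPP authentication packets involved, PAP per RFC 1334 and CHAP with MD5 per RFC 1994, and then inspects the bytes the way a sniffer on the link would. The user name, password and challenge are constructed for the demo.

```python
"""PAP vs. CHAP on a PPP link: what an eavesdropper actually sees.

Added example, not from the original page. PAP per RFC 1334, CHAP (MD5)
per RFC 1994. Credentials and challenge are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

PAP_AUTHENTICATE_REQUEST = 1            # PAP Code (RFC 1334 section 2.2.1)
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2    # CHAP Codes (RFC 1994 section 4)


def pap_authenticate_request(ident, user, password):
    """Code, Identifier, Length, then length-prefixed Peer-ID and Password, both in clear."""
    u, p = user.encode(), password.encode()
    body = bytes([len(u)]) + u + bytes([len(p)]) + p
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def chap_challenge(ident, authenticator_name, size=16):
    """Authenticator -> peer: Value-Size, random Value, Name."""
    value = os.urandom(size)
    body = bytes([size]) + value + authenticator_name.encode()
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(body)) + body


def chap_digest(ident, secret, challenge_value):
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge_value).digest()


def _value_field(packet):
    """Extract the Value field (Challenge or Response) from a CHAP packet."""
    size = packet[4]
    return packet[5:5 + size]


def chap_response(ident, peer_name, secret, challenge_packet):
    """Peer -> authenticator: the secret never goes on the wire, only the digest."""
    digest = chap_digest(ident, secret, _value_field(challenge_packet))
    body = bytes([len(digest)]) + digest + peer_name.encode()
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_verify(ident, secret, challenge_packet, response_packet):
    """Authenticator recomputes the digest from its own copy of the secret."""
    expected = chap_digest(ident, secret, _value_field(challenge_packet))
    return hmac.compare_digest(_value_field(response_packet), expected)


def password_visible_on_wire(packets, password):
    """What a sniffer does: search the captured frames for the password bytes."""
    needle = password.encode()
    return any(needle in pkt for pkt in packets)


def demo(user="sales01", password="Winter2003!"):
    """Run both exchanges and report which one exposes the password."""
    pap = pap_authenticate_request(1, user, password)
    challenge = chap_challenge(7, "vpn1")
    response = chap_response(7, user, password, challenge)
    return {
        "pap_leaks_password": password_visible_on_wire([pap], password),
        "chap_leaks_password": password_visible_on_wire([challenge, response], password),
        "chap_verified": chap_verify(7, password, challenge, response),
        "chap_wrong_secret_rejected": not chap_verify(7, "guess", challenge, response),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

MS-CHAP and MS-CHAP v2 follow the same challenge/response pattern but use the NT password hash and DES instead of MD5, and MS-CHAP v2 adds an authenticator response so the server proves itself to the client. A captured CHAP-style exchange still permits an offline dictionary attack on the password, which is why EAP-TLS with certificates or smart cards is preferred where the clients support it.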

89. You are the administrator of a Windows 2000 network. The network consists of a single domain that has
three Windows 2000 domain controllers and 1,000 Windows 2000 Professional workstations.
Your company wants to make use of digital certificates by installing its own certificate authority (CA).
You want to protect the root CA and the private key. You also want to ensure that you are able to
effectively manage your company’s public key infrastructure.
You want to accomplish the following goals:
• The server that is hosting the root CA will have a maximum amount of protection from any
security breaches that could occur on the network.
• The server that is hosting the root CA will be able to certify other CAs and revoke certificates.
• All the servers in your domain will be able to access the revocation status of all certificates in
your public key infrastructure.
• Certificate requests by users or computers in the domain will immediately be processed and
either granted or denied.
You take the following actions.
• On a member Windows 2000 Server computer connected to the network, install a stand-alone root
CA.
• Disconnect the server on which you install the stand-alone root CA from the network and place it in a secure and separate location.
Which result or results do these actions produce? (Choose all that apply)
A. The server that is hosting the root CA has the maximum amount of protection from any security
breaches that can occur on the network.
B. The server that is hosting the root CA is able to certify other CAs and revoke certificates.
C. All the servers in your domain are able to access the revocation status of all certificates in your
public key infrastructure.
D. Certificate requests made by users or computers in the domain are immediately processed and either
granted or denied.

Answer: A, C

Explanation: The root CA is very well protected because it is offline. It was installed as a stand-alone CA
on a member server while that server was connected to the Windows 2000 domain, so the CA's certificate was
published to Active Directory during installation, and it stays there after the server is disconnected.
Revocation information reaches the domain servers only if the certificate revocation list (CRL) is
published to a location they can reach (Active Directory, or the share or Web path named in the
certificates' CRL distribution point). Because the CA is offline, each new CRL must be generated on the CA
and copied to that location by hand before the previous one expires; with that done, all servers in the
domain can check the revocation status of every certificate in the PKI.
Incorrect Answers:
B: The root CA is disconnected, so it cannot certify subordinate CAs or process revocations while it is
offline; that work is done by bringing the server up in isolation and transferring the results manually.
D: The root CA is disconnected, so certificate requests cannot be processed immediately.

90. You are the administrator of your company's network, which consists of a single Windows 2000 domain.
The network includes two domain controllers running Windows 2000 Server and two backup domain
controllers running Windows NT 4.0. Another Windows 2000 Server computer named VPN1 runs
Routing and Remote access. All client computers run Windows 2000 Professional.
Employees who travel to customer sites use company-issued portable computers. These computers are
configured for smart card support with company-issued certificates. Traveling employees dial in to VPN1
for network access.
You need to configure VPN1 to ensure that virtual private network (VPN) connections are as secure as
possible.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Require Microsoft Point-to-Point Encryption (MPPE) for all dial-up users
B. Require L2TP/IPSec tunnel connections for all dial-up users
C. Require PPTP tunnel connections for all dial-up users
D. Require MS-CHAP v2 authentication for all dial-up users
E. Require EAP smart cards or certificates for authentication for all dial-up users.

Answer: C, E

Explanation: The portable computers are configured for smart card support with company-issued
certificates, and only the Extensible Authentication Protocol (EAP-TLS) supports smart card authentication,
so E is required. Windows 2000 offers two tunneling protocols: PPTP and L2TP/IPSec. L2TP/IPSec
authenticates the computers and encrypts with IPSec, whereas PPTP derives its MPPE session keys from the
user's authentication exchange; with password authentication that makes the tunnel no stronger than the
user's password (with EAP-TLS the keys come from the TLS exchange instead). This key reads "dial in to
VPN1" as a dial-up link and therefore selects PPTP (C).
Caveat: if the employees dial an ISP and reach VPN1 over the Internet, L2TP/IPSec (B) is the stronger
tunnel, as the explanation itself states, and the question offers it as an option.
Incorrect Answers:
A: Microsoft Point-to-Point Encryption (MPPE) is the encryption used on PPTP and dial-up PPP links, not on
L2TP/IPSec, and requiring it says nothing about how users are authenticated.
B: Excluded by this key on the reading that the connection is a dial-up link; see the caveat above.
D: MS-CHAP v2 is password-based; only EAP can use the smart card certificates.

91. You are the administrator of your company's network, which includes two Windows 2000 Server
computers named Gate 1 and Apps2. The network also includes 50 client computers running Windows
2000 Professional.
Apps2 runs a custom client/server application that is used to store confidential information. Gate1 runs
routing and remote access and provides connectivity to your company's internet service provider by
means of an ISDN connection. Gate1 also accesses information stored on Apps2. Client computers use
Gate1 to access internet resources.
You need to ensure that all communications with Apps2 are secure and encrypted. You apply the Secure
Server IPSec policy to Apps2 and to Gate1, and you apply the client IPSec policy to all 50 client
computers.
Users now report that they cannot access any internet resources. On investigation, you discover that
Gate1 connects to your ISP and then immediately drops the connection.
You must ensure that Gate1 can be used to access Internet resources. You must also ensure that
communications with Apps2 remains encrypted. What should you do?
A. Remove the client IPSec policy from all 50 client computers
B. Remove the secure Server IPSec policy from Gate1 and assign the Server IPSec policy on Gate1
C. Remove the Secure Server IPSec policy from Gate1 and assign the Client IPSec policy on Gate1
D. Remove the Secure Server IPSec policy from Apps2 and assign the Server IPSec policy on Apps2.

Answer: B

Explanation: The Secure Server (Require Security) policy does not allow unsecured communication: every
peer must negotiate IPSec or the traffic is dropped. The Server (Request Security) policy makes the server
try to negotiate IPSec for every session but falls back to unsecured traffic when the peer is not
IPSec-aware. The Client (Respond Only) policy sends in plaintext but answers IPSec negotiation requests
from servers. The problem in this scenario is that Gate1, with Secure Server (Require Security) assigned,
demands IPSec from the ISP's equipment, which does not negotiate IPSec, so the Internet connection is
dropped as soon as it comes up. After replacing the Secure Server policy on Gate1 with the Server (Request
Security) policy, Gate1 accepts unsecured Internet traffic, while its traffic with Apps2 stays encrypted
because Apps2 still requires security and the Client policy is already assigned to the 50 client computers.
Incorrect Answers:
A: Without the Client IPSec policy the 50 client computers could no longer negotiate IPSec, and neither
Gate1 nor Apps2, which both require it, would accept their connections.
C: With Client (Respond Only) on Gate1, Gate1 would never initiate IPSec itself; its connections with the
clients would be in plaintext.
D: Changing the IPSec policy of Apps2 does not help: Gate1 would still require security and would still
drop the Internet connection.

92. You are the administrator of your company's network, which includes one Windows 2000 domain in
native mode. Four servers on the network are available for remote users. All four are member servers
running Windows NT server 4.0 and the routing and remote access service. Currently, remote access is
administered individually by Active Directory user attributes.
You want to administer remote access by using centralized remote access policies. Which two courses of
action should you perform? (Each correct answer presents part of the solution. Choose two)
A. Configure the four servers as RADIUS clients
B. Change the domain to mixed mode
C. Configure the four servers as domain controllers in their own Windows NT 4.0 domain. Create a
one-way trust from the Windows NT 4.0 domain to the Windows 2000 domain.
D. On a Windows 2000 member server, configure the Internet Authentication service. Create a remote
access policy on the IAS server
E. On a Windows 2000 member server, configure the internet Authentication service. Create a remote
access policy on a domain controller to administer all remote users.

Answer: A, D

Explanation: IAS is Microsoft's Remote Authentication Dial-In User Service (RADIUS) server. RADIUS is a
network protocol that provides remote authentication, authorization and accounting for users who connect
to a network access server (NAS). A network access server such as a Routing and Remote Access server acts
as a RADIUS client: it forwards each connection attempt to the RADIUS server, which evaluates the remote
access policies and returns accept or reject. IAS therefore centralizes remote access management. To set it
up: install IAS on a Windows 2000 member server, create the remote access policy on the IAS server,
configure the four RRAS servers to use RADIUS authentication and accounting against the IAS server, and add
each of them as a client in IAS, with a shared secret.
Incorrect Answers:
B: A native-mode Windows 2000 domain cannot be changed back to mixed mode, and the domain mode is
irrelevant here: the Windows NT 4.0 RRAS servers can be RADIUS clients of IAS as they are.
C: Making the four servers domain controllers of a separate Windows NT 4.0 domain does not centralize
remote access policy; RADIUS does.
E: The remote access policies evaluated by IAS are created and stored on the IAS server itself, not on a
domain controller.
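The RADIUS exchange between an RRAS server (the RADIUS client) and IAS, as an added example that is not part of the original page and is not IAS code. It shows what the shared secret configured on both sides actually does per RFC 2865: it keys the hiding of the User-Password attribute in the Access-Request, and it keys the Response Authenticator on the reply, which the NAS must verify before trusting an Access-Accept. The secret, addresses and user database are constructed for the demo.

```python
"""RADIUS Access-Request / Access-Accept between a NAS (RRAS, the RADIUS
client) and an IAS-style server, per RFC 2865.

Added example, not from the original page and not IAS code. Secret, addresses
and the user database are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def attribute(atype, value):
    """Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attributes(data):
    """Attribute list -> {type: value}."""
    out, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret || c_(i-1))
    with c_0 = Request Authenticator. Reversible by anyone who holds the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side: regenerate the same keystream, XOR back, strip the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_access_request(ident, user, password, nas_ip, secret):
    """NAS side: fresh random Request Authenticator, hidden password."""
    request_auth = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(request, secret, users):
    """IAS-like server: recover the password, check it, answer Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in users and hmac.compare_digest(password, users[user].encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def nas_verify_reply(reply, request_auth, secret):
    """NAS side: check the Response Authenticator before honouring the answer."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected), code


def demo(password="Winter2003!", nas_secret=b"shared-s3cret", server_secret=b"shared-s3cret"):
    """Full round trip. The user database is constructed for the demo."""
    users = {"sales01": "Winter2003!"}
    request, request_auth = nas_access_request(42, "sales01", password, "10.1.1.5", nas_secret)
    reply = server_handle(request, server_secret, users)
    authentic, code = nas_verify_reply(reply, request_auth, nas_secret)
    return {"reply_authentic": authentic, "code": code}


if __name__ == "__main__":
    print("correct password :", demo())
    print("wrong password   :", demo(password="nope"))
    print("mismatched secret:", demo(server_secret=b"typo"))
```

A wrong password produces an Access-Reject whose Response Authenticator still verifies. If the secrets differ, the server recovers garbage for the password and rejects, and the NAS additionally refuses the reply because the Response Authenticator does not verify, which is the symptom of a mistyped shared secret. Note that the password hiding is MD5-keyed XOR, not encryption in the modern sense, one reason RADIUS traffic between the RRAS servers and IAS should stay on a protected network segment.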

93. You are the administrator of your company's network, which serves a single site with 150 users. The
network includes eight servers running Windows 2000 server. One server hosts your internal web site.
All servers have static IP addresses in the range from 10.1.1.2 through 10.1.1.10. All client computers run
Windows 2000 Professional and are DHCP clients, using an address range of 10.1.1.11 through 10.1.1.200
You need to provide internet access to internal users. To do so, you plan to use a pool of 100 IP addresses
supplied by a contracted internet service provider. Your solution must involve the least possible
administrative effort.
What should you do?
A. Allow all client computers to use automatic Private IP addressing for IP address assignment.
Configure all servers to use static IP addresses in the 192.168.0.0 subnet.
B. Install a server for network address translation. Add the IP address of the private interface of this
server to the excluded range on your DHCP server. Change the IP address of the private interface for
the network address translation protocol to 10.1.1.201.
C. Install a server for network address translation and enable the default DHCP allocator. Add the
existing server addresses to the excluded range. Change the IP address of the private interface for the
network Address Translation protocol to 10.1.1.201
D. Map internal addresses and port numbers of your servers to the pool of IP addresses and port
numbers assigned by your internet service provider.

Answer: D

Explanation: To supply Internet access to local clients in a Windows 2000 environment there are three main
choices: Internet Connection Sharing (ICS), which is intended for small networks (on the order of 20
clients), can use only one public IP address and can run on Windows 2000 Professional; Network Address
Translation (NAT), which can use multiple public IP addresses and must run on Windows 2000 Server; or a
proxy server, which can use multiple public IP addresses, provides caching and control of traffic flow,
and requires additional software such as Microsoft Proxy Server 2.0.
ICS cannot be used in this scenario because it can use only one public IP address. No proxy server is
mentioned, which leaves NAT.
With NAT the ISP-supplied pool is used by mapping the internal addresses and port numbers to the public
addresses and port numbers in the pool.
Incorrect Answers:
A: ICS cannot be used here because it can use only one public IP address; renumbering the servers into
192.168.0.0 does nothing for Internet access by itself.
B, C: Neither answer creates the mapping between the ISP-supplied pool and the internal addresses. Without
that mapping, renumbering the NAT server's private interface and adjusting DHCP exclusions provides no
path to the Internet.

94. You are the administrator of your company's network. Your DMZ network includes a DHCP server that
provides IP addressing information to remote users. The relevant portion of the DMZ is configured as
shown in the exhibit.
Every five minutes, the management servers collect performance and security log information from all servers on segment A.
You need to ensure that the DHCP server cannot issue IP addressing information to any DHCP clients on
segment A. Your solution must be effective even if a valid scope for that segment is created on the DHCP
server.
What should you do?
A. Disable the DHCP service binding to network adapter A
B. Disable TCP/IP binding to network adapter A
C. Disable NetBIOS over TCP/IP binding to network adapter A
D. Disable the client for Microsoft Networks on network adapter A

Answer: B.

Explanation: Disabling the TCP/IP binding on network adapter A removes TCP/IP, and with it the DHCP
server, from that adapter, so no DHCP offer or lease can reach the segment connected to adapter A, whatever
scopes exist on the server.
Incorrect Answers:
A: The DHCP service binding is not configurable per network adapter here.
C: Disabling NetBIOS over TCP/IP is a name-resolution (WINS) setting and does not stop DHCP leases on the
interface.
D: Client for Microsoft Networks is a network client component; disabling it does not stop the DHCP server
from issuing IP addressing information on segment A.

95. You are the administrator of your company's network, which consists of a single Windows 2000 domain.
The relevant portion of its configuration is shown in the exhibit. RAS1 is a Windows 2000 Server computer
running Routing and Remote Access. Your firewall is a hardware-based firewall solution that supports port
filtering and Generic Routing Encapsulation (GRE) packet editing. All computers on your internal subnet use
private IP addresses in the 10.x.x.x range. The firewall provides network address translation for Internet
access.
Company employees must be able to use the internet to connect to your internal subnet. You need to
ensure that the connections are as secure as possible.
Which three courses of action should you perform? (Each correct answer presents part of the solution.
Choose three)
A. Configure the client computers to dial in to RAS1 by using an L2TP virtual private network.
Configure RAS1 to accept L2TP connections.
B. Configure the client computers to dial in to RAS1 by using a PPTP virtual private network.
Configure RAS1 to accept PPTP connections.
C. Configure the firewall to route incoming traffic on the PPTP port to RAS1
D. Configure the firewall to route incoming traffic on the L2TP port to RAS1
E. Configure the firewall to edit the GRE call ID on incoming GRE packets
F. Install a server encryption certificate on RAS1

Answer: B, E

Explanation: The firewall provides network address translation, and Windows 2000 L2TP/IPSec cannot pass
through NAT. It is NAT, not IPSec, that rewrites the IP header: with AH that invalidates the integrity check
over the header, and with ESP the transport checksum sealed inside the encrypted payload was computed over
the original address and cannot be fixed by the NAT device, which also cannot see any ports inside ESP to
translate. (NAT traversal for L2TP/IPSec was added to Windows later and is not part of Windows 2000 as
shipped.) Plain L2TP without IPSec provides no security, which is a requirement, so the clients and RAS1
must use PPTP. A PPTP server can sit behind a NAT firewall if the firewall supports GRE packet editing,
which is the case here: unlike TCP and UDP, which identify sessions by port number, GRE carries PPTP tunnel
data identified by a call ID, and the firewall must be able to rewrite the call ID so that several tunnels
can share the public address.
Caveat: the question asks for three actions but this key lists only two. PPTP tunnel maintenance uses TCP
port 1723 (see question 100), so the firewall must also forward TCP port 1723 to RAS1, which makes C the
third action.
Incorrect Answers:
A: L2TP/IPSec cannot be used across NAT.
D: L2TP is not used, so there is no L2TP port (UDP 1701) to forward; PPTP is required instead.
F: A server certificate serves L2TP/IPSec machine authentication, and L2TP/IPSec cannot be used across
NAT.

96. You are the network administrator for the Baldwin Museum of Science. Your network includes a
member server named Inet1, which is connected to the internet. Inet1 runs Windows 2000 server.
Your institution sponsors joint research projects with Trey Research, whose main laboratory is located in
another city. The Trey Research network includes a PPTP server named Trey3. You need to create a
demand-dial router connection to this server.
You create a virtual private network demand-dial interface on Inet1. You use a domain account to
configure the dial-out credentials, accepting default settings. However, you change the VPN server type
from automatic to PPTP.
When you try to connect to Trey3, you receive an error message stating that access is denied. How should
you correct this problem?
A. Change the tunnel type to L2TP/IPSec. Configure an IPSec policy on Inet1 and Trey3 for pre-shared
key authentication.
B. Ensure that a new user account is created on Trey3. Change the dial-out credentials on Inet1 to use
the new account
C. For the dial-out account on Inet1, obtain a certificate from a commercial certificate provider trusted
by the Trey Research domain.
D. Ensure that the default remote access policy is removed from Trey3. On Inet1, change the VPN
server type to automatic.

Answer: C

Explanation: Kerberos 5, certificates and pre-shared key are the three authentication methods of IPSec
(IKE) as used by L2TP/IPSec tunnels. Kerberos requires both computers to be in the same or a trusted Active
Directory domain, and certificate authentication requires a certification authority (CA) trusted by both
sides. Inet1 and Trey3 belong to different organizations, so a certificate from a commercial provider
trusted by the Trey Research domain is, by this key, the credential the two sides can share, and with it
Inet1 can be authenticated by Trey3.
Caveat: a PPTP demand-dial interface authenticates with the dial-out user name and password (PPP
authentication), not with IPSec credentials, and "access denied" on a PPTP connection means those
credentials were rejected. On that reading, B (an account that Trey3 can validate, used as the dial-out
credentials) is what a practitioner would try first.
Incorrect Answers:
A: Pre-shared key authentication requires the L2TP/IPSec tunnel type, a registry change and an IPSec policy
configured for the pre-shared key. The registry has not been edited.
Note: to use pre-shared key authentication for an L2TP/IPSec connection between two Windows 2000
computers, the ProhibitIpSec registry value must be added on both endpoints (under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters) to suppress the automatic
L2TP/IPSec policy, and an IPSec policy must then be configured manually before the connection can be
established.
B: This key rejects B because Inet1 and Trey3 do not belong to the same domain, so Kerberos authentication
is not possible; see the caveat above.
D: Removing the default remote access policy from Trey3 rejects all connections unless another policy
allows them; it makes remote access harder, not easier.

97. You are the administrator of your company's network, which consists of a single Windows 2000 domain.
All employees use company-issued portable computers that run Windows 2000 Professional. These
computers have computer accounts in the company's domain. These computers also contain a smart card
reader, which is the only means of authentication for their users.
You need to provide secure access to network resources for users who work remotely. You enable routing
and remote access on a stand-alone Windows 2000 Server computer that is connected to the internet. You
also create ports for 25 PPTP virtual private network connections. You verify that all VPN client
connections are configured correctly.
To ensure security, you create a routing and remote access policy and configure authentication as shown
in the exhibit.
You need to enable all remote users to connect to the VPN server. You also need to ensure the highest
possible level of authentication security.
What should you do?
A. Join the VPN server to the domain and select smart card or other certificate for the EAP method in
the remote access policy.
B. Configure 25 L2TP ports on the VPN server and remove the 25 PPTP ports
C. Select the Unencrypted Authentication (PAP, SPAP) check box in the remote access policy
D. Clear the Microsoft encrypted Authentication (MS-CHAP) check box in the remote access policy
E. Clear the Microsoft encrypted Authentication version 2 (MS-CHAP v2) check box in the remote
access policy.

Answer: D

Explanation (this key): clearing the Microsoft Encrypted Authentication (MS-CHAP) check box leaves
MS-CHAP v2 as the strongest password-based method allowed by the policy. MS-CHAP v2 is stronger than
MS-CHAP because it authenticates the server to the client as well as the client to the server, derives
separate encryption keys for each direction, and no longer sends the LAN Manager hash response that made
MS-CHAP v1 easy to attack.
Caveat: the scenario states that the smart card reader is the only means of authentication for these users,
and MS-CHAP v2 needs a password. Option A (join the VPN server to the domain so that it can validate the
certificates against domain accounts, and select Smart card or other certificate as the EAP method) is the
only option that fits that constraint while giving the highest level of authentication security, and it is
consistent with the note on the preceding question that MD5 challenge cannot be used because the smart
card is the only means of authentication.
Incorrect Answers (per this key):
A: Treated by the key as applying only to the company-issued portable computers; see the caveat above.
B: Swapping the 25 PPTP ports for L2TP ports changes the tunnel type, not the authentication method, and
L2TP provides no encryption unless it is combined with IPSec.
C: PAP and SPAP send credentials without protection and should not be allowed.
E: Clearing MS-CHAP v2 would remove the stronger of the two MS-CHAP versions.

98. You are the administrator of your company's network. The relevant portion of its configuration is shown
in the following diagram.
All client computers run either Windows 2000 Professional or Windows 98. WinDNS1 runs Windows
2000 Server and the DNS server service. Router1 runs Windows 2000 Server and routing and remote
access. Router1 also contains two network adapters. The first adapter connects to Subnet1 and is not
configured with any TCP/IP filters. The second adapter connects to Subnet2 and is configured as shown
in the exhibit.
You want Router1 to enable users to access Web sites and FTP sites, while blocking other outgoing
traffic. However, users report that they cannot access any Web sites or FTP sites.
Which action should you perform on Router 1 to correct this problem?
A. On the network adapter for Subnet 2, delete the input filter for destination ports 80 and 443.
B. In Routing and Remote access, move the input filters from the network adapter for Subnet2 to the
network adapter for subnet1.
C. On the network adapter for Subnet2, change the input filters to drop all packets left unspecified
rather than to receive all packets left unspecified.
D. In routing and remote access, copy the input filters from the network adapter for subnet 2 to the
output filters of the network adapters for subnet 1.

Answer: C

Explanation: The exhibit shows that the adapter for Subnet2 is set to "Receive all packets except those
that meet the criteria below", and the criteria list destination ports 20 (FTP data), 21 (FTP control), 53
(DNS), 80 (HTTP) and 443 (HTTPS). With that setting the filter drops exactly the Web, FTP and DNS traffic,
so no Web or FTP site is reachable. Changing the setting to "Drop all packets except those that meet the
criteria below" turns the same list into an allow list: only FTP, Web (and DNS) traffic passes and all
other traffic is blocked, which is what was wanted.
Incorrect Answers:
A: The filter entries do not need to be deleted; the list is applied with the wrong action. It should drop,
not receive, all packets except those that match the criteria.
B: The input filter belongs on the Subnet2 adapter, which connects to the Internet, where it filters
traffic arriving from the Internet. Moving it to the Subnet1 adapter would apply it to traffic arriving
from the local network and would not change the result: with "receive all except", the listed ports would
still be dropped.
D: Copying the list to the output filters of the Subnet1 adapter would apply it to traffic leaving towards
the local network; with "receive all except", the listed ports would still be dropped.

99. You are the administrator of your company's network, which includes a Windows 2000 Server computer
named CorpIIS. This server runs Internet Information Services and hosts a web application named
WebApp. The application is used by internal users for company billing and invoicing.
Your company's developers modify WebApp. Now the application allows downloads of your product
catalog, encrypts communications between CorpIIS and Web browsers, and accepts orders and credit
card numbers from employees who access CorpIIS from the Internet. You install the modified version of
WebApp on CorpIIS. You configure a TCP/IP packet filter to allow HTTP and FTP traffic to pass.
Users report that they can no longer access WebApp. When they try, they receive the following error
message: "Web page requested is not available."
How should you correct this problem?
A. Assign the default server (Request security) IPSec policy on CorpllS.
B. Create a custom IPSec policy for CorpllS that requests but does not require clients to use IPSec
authentication.
C. Configure a packet filter to allow TLS and SSL traffic to pass
D. Configure the Web site properties on CorpllS to allow anonymous connections.

Answer: C

Explanation: WebApp was used on the LAN by internal users and ran without problems. The modified version
is used by employees over the Internet and encrypts the communication between CorpIIS and the browsers,
so the failure is either an authentication problem or an encryption problem. The clue is the error message
"Web page requested is not available", which is not what a failed authentication produces. Encryption
between a browser and a Web server over the Internet means Secure Sockets Layer (SSL, also called HTTPS),
which uses TCP port 443; no VPN is involved. The TCP/IP packet filter was configured to allow only HTTP
(TCP port 80) and FTP traffic, so the HTTPS connections are dropped. Allowing SSL/TLS traffic (TCP port 443)
through the filter lets employees use the modified WebApp from the Internet.
Incorrect Answers:
A, B: IPSec policies do not help: Internet browsers do not negotiate IPSec with CorpIIS, and an IPSec policy
does nothing to open port 443 in the packet filter.
D: The error message indicates that this is not an authentication problem; the filter is blocking the
encrypted traffic.

100. You are the administrator of your company's network, which consists of a single Windows 2000 domain.
The network has a persistent connection to the internet. The relevant portion of its configuration is
shown in the exhibit.
Your company employs mobile salespeople who use portable computers, which run either Windows 98 or
Windows 2000 Professional. To enable these users to access internal resources, you place a virtual private
network server named VPN1 outside your firewall. VPN1 is a stand-alone Windows 2000 Server
computer running Routing and Remote Access. The firewall performs network address translation, and it
is configured to allow inbound access from VPN1 only.
You need to use the most secure VPN connection possible for each connection. You configure appropriate
VPN ports on VPN1.
VPN1 must now be configured to allow only appropriate traffic through the firewall on the internal
interface. Which output and input filters should you configure for the internal network adapter?
To answer, click the Select and Place button, and then drag the correct filter configuration to the
appropriate filter type. You might need to use some filter configurations more than once. Use the minimum
number of necessary filters.
SELECT AND PLACE

Answer:
Output filters (internal network adapter):
Source: firewall external address, TCP source port 1723
Source: firewall external address, IP protocol ID 47
Input filters (internal network adapter):
Destination: firewall external address, TCP destination port 1723
Destination: firewall external address, IP protocol ID 47

Explanation: The firewall performs network address translation, so the VPN must use PPTP; L2TP/IPSec
cannot be used across NAT. It is NAT that rewrites the IP addresses, and those addresses are covered by the
IPSec integrity check (AH) or by the transport checksum sealed inside the encrypted payload (ESP), which
the NAT device cannot update; nor can it see ports inside ESP to translate them.
The VPN server is attached directly to the Internet and the firewall sits between the VPN server and the
intranet. In this configuration the VPN server must be configured with packet filters that allow only VPN
traffic in and out.
PPTP uses TCP port 1723 for tunnel maintenance traffic; the tunneled data is carried in GRE, IP protocol
ID 47, so the filters must allow protocol 47 as well. Both lists are set to drop all packets except those
that match the filters, so nothing else passes.
The address normally used in these filters is the VPN server's own address; here the firewall performs
network address translation, so the firewall's external address is used instead.
Incorrect Answers:
PPTP does not use UDP port 500; that is IKE, used by L2TP/IPSec. PPTP uses TCP port 1723.
PPTP does not use port 1701; that is L2TP (UDP port 1701). PPTP uses TCP port 1723.
PPTP does not use IP protocol ID 50; that is ESP. PPTP data uses IP protocol ID 47 (GRE).
Only the PPTP port and the GRE protocol should be allowed, not any protocol.
Because the firewall performs network address translation, the firewall's external address must be used,
not an internal subnet address; there is no internal subnet address for these filters.
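The reason the NAT and IPSec statements in questions 95 and 100 hold, as an added example that is not part of the original page and is not Windows 2000 code: a simplified model of an L2TP datagram protected by IPSec AH and by ESP in transport mode (the mode Windows 2000 uses for L2TP/IPSec), sent through a NAT that rewrites the source address. Addresses, keys, the toy stream cipher standing in for ESP's real cipher and the payload are all constructed for the demo.

```python
"""Why Windows 2000 L2TP/IPSec fails behind NAT (questions 95 and 100).

Added example, not from the original page and not Windows code: a simplified
model of an L2TP/UDP datagram protected by IPSec AH and by ESP in transport
mode, sent through a NAT that rewrites the source address. Addresses, keys,
the toy cipher standing in for ESP's cipher and the payload are constructed.
"""
import hashlib
import hmac
import socket
import struct

UDP, ESP, AH = 17, 50, 51
L2TP_PORT = 1701
ICV_LEN = 12


def ones_complement_checksum(data):
    """RFC 1071 checksum as used by UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_pseudo_header(src_ip, dst_ip, length):
    """The UDP checksum covers this pseudo-header, i.e. the IP addresses."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, UDP, length)


def udp_datagram(src_ip, dst_ip, sport, dport, payload):
    """UDP header plus payload, checksum computed with the sender's addresses."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ones_complement_checksum(udp_pseudo_header(src_ip, dst_ip, length) + header + payload) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def udp_checksum_ok(src_ip, dst_ip, datagram):
    """The receiver verifies with the addresses it sees in the IP header it received."""
    return ones_complement_checksum(udp_pseudo_header(src_ip, dst_ip, len(datagram)) + datagram) == 0


def keystream(key, n):
    """Toy stream cipher standing in for ESP's real cipher (DES/3DES in Windows 2000)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!I", counter)).digest()
        counter += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(auth_key, data):
    """Truncated HMAC-SHA1, the integrity check value format used by IPSec."""
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_transport_send(src_ip, dst_ip, inner_udp, enc_key, auth_key):
    """ESP transport mode: encrypt the transport datagram; the ICV covers the ESP
    payload only, not the outer IP header."""
    ciphertext = xor(inner_udp, keystream(enc_key, len(inner_udp)))
    return {"src": src_ip, "dst": dst_ip, "proto": ESP, "payload": ciphertext + icv(auth_key, ciphertext)}


def ah_send(src_ip, dst_ip, inner_udp, auth_key):
    """AH: the ICV covers the immutable IP header fields (modelled here as the
    addresses and protocol) plus the payload, which travels in clear."""
    covered = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + bytes([AH]) + inner_udp
    return {"src": src_ip, "dst": dst_ip, "proto": AH, "payload": icv(auth_key, covered) + inner_udp}


def nat_rewrite_source(pkt, public_ip):
    """Outbound NAT: rewrite the source address. It cannot see or fix anything
    inside an ESP payload, and protocols 50 and 51 carry no ports to map."""
    return {**pkt, "src": public_ip}


def esp_transport_receive(pkt, enc_key, auth_key):
    ciphertext, tag = pkt["payload"][:-ICV_LEN], pkt["payload"][-ICV_LEN:]
    icv_ok = hmac.compare_digest(icv(auth_key, ciphertext), tag)
    inner_udp = xor(ciphertext, keystream(enc_key, len(ciphertext)))
    return {"icv_ok": icv_ok, "udp_checksum_ok": icv_ok and udp_checksum_ok(pkt["src"], pkt["dst"], inner_udp)}


def ah_receive(pkt, auth_key):
    tag, inner_udp = pkt["payload"][:ICV_LEN], pkt["payload"][ICV_LEN:]
    covered = socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"]) + bytes([AH]) + inner_udp
    return {"icv_ok": hmac.compare_digest(icv(auth_key, covered), tag)}


def demo(through_nat=True, client_ip="10.1.1.20", nat_public_ip="203.0.113.9", server_ip="198.51.100.10"):
    """Send one L2TP control datagram under AH and under ESP, with or without NAT."""
    enc_key, auth_key = b"esp-encryption-key", b"ipsec-auth-key"   # constructed
    inner_udp = udp_datagram(client_ip, server_ip, L2TP_PORT, L2TP_PORT, b"L2TP SCCRQ (constructed)")
    esp_pkt = esp_transport_send(client_ip, server_ip, inner_udp, enc_key, auth_key)
    ah_pkt = ah_send(client_ip, server_ip, inner_udp, auth_key)
    if through_nat:
        esp_pkt, ah_pkt = nat_rewrite_source(esp_pkt, nat_public_ip), nat_rewrite_source(ah_pkt, nat_public_ip)
    return {"esp": esp_transport_receive(esp_pkt, enc_key, auth_key), "ah": ah_receive(ah_pkt, auth_key)}


if __name__ == "__main__":
    print("direct :", demo(through_nat=False))
    print("via NAT:", demo(through_nat=True))
```

With AH the integrity check covers the IP header, so the NAT rewrite breaks it outright. With ESP the ICV still verifies, but the UDP checksum of the L2TP datagram, computed over the private source address and now sealed inside the encrypted payload where NAT cannot update it, fails at the server. NAT traversal (ESP encapsulated in UDP on port 4500) exists to work around exactly this and was not part of Windows 2000 as shipped.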

101. You are the administrator of your company's network. The relevant portion of its configuration is shown
in the exhibit. VPN1 and Router1 run Windows 2000 Server and Routing and Remote Access. Each server
contains two network adapters named NIC1 and NIC2. Internal network users need to access both
internal and external resources.
Subnet 1 is used by more than 10 contractors hired by your company. Their client computers run
Windows 2000 Professional. Two contractors now need to access HTTP-based resources on your internal network. For security reasons, the contractors create a virtual private network connection that uses
PPTP to access VPN1.
To reduce network traffic through VPN1, you want to prevent the contractors from accessing internet
resources over the VPN tunnel. You decide to configure a TCP/IP input filter of one of your network
adapters to drop HTTP traffic.
Which network adapter should you reconfigure?
A. NIC1 on Router1
B. NIC1 on VPN1
C. NIC2 on Router1
D. NIC2 on VPN1

Answer: A

Explanation: The contractors use a PPTP VPN connection to VPN1, through which they use HTTP resources on
the internal subnet. They should not be allowed to reach Internet resources.
By dropping incoming HTTP traffic on NIC1 of Router1, the contractors cannot reach the Internet, at least
not with HTTP. They can still reach HTTP resources on the internal subnet, because that traffic is
tunneled: the filter sees PPTP/GRE packets, not the HTTP carried inside them, so it is not dropped.
Incorrect Answers:
B: Users on the internal subnet need HTTP resources on the Internet. Dropping incoming HTTP traffic on
NIC1 of VPN1 would make that impossible; HTTP traffic must be allowed to pass VPN1.
C: Dropping HTTP traffic on NIC2 of Router1 would stop Internet HTTP traffic but would also stop HTTP to
resources on the internal network, which the contractors must be able to use.
D: HTTP traffic must be allowed to pass VPN1 so that users on the internal network can use HTTP
resources on the Internet.

102. You are the administrator of your company’s network. Your network is configured as shown in the
following graphic. You configure your Windows 2000 Server to route all network traffic on your intranet. Users on both
segments need access to files on the other segment. A portion of the router's route table is shown in the
following table.
You also install and start Internet Information Services Web Service on the server. Users on both
segments report they cannot access the Web service. What must you do?
A. Disable all TCP/IP port filters
B. Create a PPTP tunnel so that it has a filter that filters everything except protocol 6.
C. Run the route delete 192.168.0.0 command and route add 192.168.0.0 mask 255.255.0.0 10.0.0.169
command.
D. Run the route delete 10.0.0.0 command and route add 192.168.0.0 mask 255.0.0.0 192.168.0.200
command.

Answer: A

Explanation: A TCP/IP filter could be blocking, for example, TCP port 80, which is used by the HTTP protocol.
By removing all filters, all traffic would be allowed to pass.
The route table is correct:
Destination 10.0.0.0 is routed to 10.0.0.169, the router's interface to the 10.0.0.0 subnet.
Destination 10.0.0.169 routes to the loopback address 127.0.0.1. 10.0.0.169 is one of the router's interfaces.
Destination 192.168.0.0 is routed to 192.168.0.200, the router's interface to the 192.168.0.0 subnet.
Destination 192.168.0.200 routes to the loopback address 127.0.0.1. 192.168.0.200 is one of the router's
interfaces.
Incorrect Answers:
B: A filter that accepts PPTP but drops everything else should allow TCP port 1723 and IP protocol 47, not
protocol 6.
PPTP uses TCP port 1723 for tunnel maintenance traffic. For a filter to pass PPTP data it must allow IP
protocol ID 47.
C: Destination 192.168.0.0 is correctly routed to 192.168.0.200, the router's interface to the 192.168.0.0
subnet. It should not be routed to the other router interface 10.0.0.169.
D: Destination 10.0.0.0 is correctly routed to 10.0.0.169, the router's interface to the 10.0.0.0 subnet. It
shouldn’t be deleted.
The following command gives an incorrect route: route add 192.168.0.0 mask 255.0.0.0 192.168.0.200
The network mask should be 255.255.0.0, not 255.0.0.0.
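The route table reasoning above can be reproduced in code. This is an added example, not from the original compilation or from the Windows route utility: it builds the four routes the explanation lists, performs a longest-prefix lookup the way a router would, and applies the same sanity check that makes the route in answer D invalid (a destination with bits set outside its mask is not a network address). The masks 255.0.0.0 and 255.255.0.0 for the two subnets are taken from the explanation; the lookup addresses used in the sample are constructed.

```python
# Added example (not from the page): longest-prefix route lookup and the
# network-address check behind "route add" for the table in question 102.
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def validate_route(dest: str, mask: str, gateway: str) -> Optional[Route]:
    """Return (network, gateway) if dest is a valid network address under
    mask, or None if host bits are set (the defect in answer D's command)."""
    try:
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
    except ValueError:
        return None
    return net, ipaddress.IPv4Address(gateway)


def build_table(entries: Iterable[Tuple[str, str, str]]) -> List[Route]:
    """Build a route table, refusing any entry that validate_route rejects."""
    table: List[Route] = []
    for dest, mask, gw in entries:
        route = validate_route(dest, mask, gw)
        if route is None:
            raise ValueError(f"invalid route: {dest} mask {mask} {gw}")
        table.append(route)
    return table


# The four routes the explanation describes as correct.
ROUTE_TABLE: List[Route] = build_table([
    ("10.0.0.0", "255.0.0.0", "10.0.0.169"),         # 10.0.0.0 subnet
    ("10.0.0.169", "255.255.255.255", "127.0.0.1"),  # router's own interface
    ("192.168.0.0", "255.255.0.0", "192.168.0.200"),  # 192.168.0.0 subnet
    ("192.168.0.200", "255.255.255.255", "127.0.0.1"),  # router's own interface
])


def lookup(dst: str, table: List[Route] = ROUTE_TABLE) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins.
    Returns the gateway as a string, or None when no route matches."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return str(best[1]) if best else None


if __name__ == "__main__":
    for host in ("10.0.0.50", "10.0.0.169", "192.168.5.9", "172.16.0.1"):
        print(f"{host:14s} -> {lookup(host)}")
    # The command from answer D: rejected because 192.168.0.0 is not a
    # network address under mask 255.0.0.0 (that network would be 192.0.0.0).
    print(validate_route("192.168.0.0", "255.0.0.0", "192.168.0.200"))
```

Note how the host route for 10.0.0.169 (a /32) beats the 10.0.0.0/8 entry for the router's own address, which is exactly why those entries point at the loopback address rather than at the interface itself.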

103. Admins of your Sales OU want to be able to manage EFS for their users. These admins are all in a group
named SalesAdmin, which has full administrative privileges to the OU.
You install an Enterprise Certificate Authority for use by the entire company. However, the admins of
the Sales OU notify you that they are unable to create a GroupPolicy that allows them to manage EFS for
their OU. What should you do? (Choose two)
A. Grant the enroll permission to the SalesAdmin group for the Recovery Certificate Template.
B. Add the SalesAdmin group's certificate to the CA's CRL
C. Add a new policy setting for an EFS Recovery Agent certificate in the Certification Authority
console for the CA
D. Install an Enterprise Subordinate CA on one of the computers in the Sales OU

Answer: A, C

Explanation: To allow the SalesAdmin group to manage EFS for their OU we must grant the SalesAdmin group
enroll permission for the Recovery Certificate template and add SalesAdmin as an EFS Recovery Agent. To
grant the enroll permission to the SalesAdmin group for the Recovery Certificate Template we must open the
Active Directory Sites and Services console, from the View menu select Services (if not already enabled), select
Services, select Public Key Services, select Certificate Templates, right-click EFS Recovery, select
Properties, select the Security tab, add SalesAdmin, and enable Enroll. To add a new policy setting for
an EFS Recovery Agent certificate in the Certification Authority console for the CA we must open the
Certification Authority console, right-click the server, select Properties, select the Security tab, add
SalesAdmin, and enable Enroll.
Incorrect Answers:
B: By adding the SalesAdmin group's certificate to the CA's Certificate Revocation List (CRL) all certificates issued by the SalesAdmin group would be revoked.
D: It is not necessary to install a separate CA, an Enterprise Subordinate CA, on a computer in the Sales OU.

104. You install Certificate Services on two computers running Windows 2000 Server. CertRoot is an
Enterprise Root Certificate Authority. CertSub is an Enterprise Subordinate CA. You have two
domains: sycom.com and support.sycom.com. You add a new domain, tech.sycom.com. You attempt to
issue a certificate from CertSub for a user account in tech.sycom.com. The Event Viewer shows the CA
was unable to publish a certificate for tech.sycom.com\DC. DC is a domain controller for
tech.sycom.com. What is the most likely reason you receive this error message?
A. DC (tech.sycom.com domain controller) is offline
B. You are not a member of the Certificate Administrators for tech.sycom.com
C. CertSub is not a member of the group "tech.sycom.com\Cert Publishers"
D. The Enterprise CA is offline

Answer: C

Explanation: In this scenario a new domain tech.sycom.com is installed. There is no Certificate Authority
(CA) in the tech.sycom.com domain. To be able to issue a certificate from a domain, the Server on which the
CA was installed must be a member of the Certificate Publishers group of this domain. In our scenario this
translates to: Certsub must be a member of Cert Publishers group in tech.sycom.com domain.
Incorrect Answers:
A: If the domain controller had been offline, a different error message would be shown.
B: It is not necessary to be a member of the Certificate Administrators. The server on which the CA was
installed must be a member of the Cert Publishers group of the domain for which the certificate is issued.
D: If the Enterprise CA had been offline, a different error message would be shown.

105. Your domain has a Windows 2000 member server computer named Srv1. Routing and Remote Access
and CHAP are enabled for remote access on Srv1. You have also configured the appropriate remote
access policy to use CHAP. However, users who require CHAP report that they are not able to dial into
SRV1. What should you do?
A. Configure SRV1 to disable LCP extensions
B. Configure clients to use MSCHAP for dial in
C. Configure SRV1 to use SPAP for dial in
D. Disable "Mutual authentication" on SRV1

Answer: A

Explanation: If we cannot connect to a server by using PPP, or the remote computer terminates our
connection, the server may not support LCP extensions. In Network and Dial-up Connections, clear the Enable
LCP extensions check box.
Incorrect Answers:
B: Both the Remote Access Policy and the client are configured to use CHAP. Configuring the client to use
MS-CHAP would not make any difference.
C: The client is configured to use CHAP. Configuring SRV1 to use SPAP for dial-in would not allow
communication. Both client and server must use the same authentication protocol.
D: CHAP does not support mutual authentication, so disabling mutual authentication will not help.

106. You are configuring your users' portable computers to allow users to connect to the company network by
using Routing and Remote Access. You test the portable computers on the LAN and verify that they can
successfully connect to resources on the network by name. When you test the connection through RRAS
all of the computers can successfully connect but they cannot access files on computers, which are on
different segments by using the computer names. What should you do to resolve this problem?
A. Configure TCP/IP filters on the RRAS server to allow TCP/IP traffic to pass
B. Install the DHCP Relay Agent on the RRAS server
C. Configure the RRAS server with a static IP address
D. Create A (Host) record for the RRAS server in DNS

Answer: B

Explanation: In this scenario the RAS clients get access to the network, but cannot access computers on
segments other than the RRAS server's own segment by name.
The problem at hand is that the RAS clients are not able to reach the DHCP server and get a proper IP
configuration, and therefore they cannot reach beyond the subnet of the RRAS server.
By installing a DHCP Relay Agent on the RRAS server and configuring it with the IP address of a DHCP server, the RAS
clients would receive a proper IP configuration and would be able to reach resources on different segments of the
remote network.
Incorrect Answers:
A: The RAS clients have already been able to connect and get an IP address from the RRAS server. There
is no filter blocking TCP/IP traffic.
C: The RRAS server has an appropriate IP configuration; it is able to accept remote connections and is also
able to lease IP addresses.
D: The RAS clients are able to connect to the RRAS server; they cannot connect to other segments.

107. Your domain is running in mixed mode. RRAS is enabled for remote access on Srv1. The domain also
has a Windows NT 4.0 member server named Srv2. Srv2 is running Remote Access Service. Users in the
domain use Windows 2000 Professional computers to dial in to the network through Srv1 or Srv2.
However Srv2 is not able to validate remote access credentials of domain accounts. How would you
configure the network to enable Srv2 to validate remote access domain users?
A. Add the Everyone group to the RRAS access group
B. Configure srv2 as a DHCP relay agent
C. Configure Srv1 to use MSCHAP for authentication and Srv2 to use CHAP
D. Add the Everyone group to the Pre-Windows 2000 Compatible Access group

Answer: D

Explanation: If VPN clients are dialing in to a VPN server running Windows NT 4.0 that is a member of a
Windows 2000 mixed-mode domain, verify that the Everyone group is added to the Pre-Windows 2000
Compatible Access group with the net localgroup "Pre-Windows 2000 Compatible Access" command. Pre-Windows
2000 Compatible Access is a backward-compatibility group which allows read access on all users and
groups in the domain.
Incorrect Answers:
A: The Everyone group should be added to the Pre-Windows 2000 Compatible Access group, not the RRAS
access group.
B: An RRAS server that requires a DHCP Relay Agent would still validate remote access credentials.
C: Windows NT supports the MS-CHAP authentication protocol. Replacing the MS-CHAP protocol with
CHAP would only make authentication less secure; it would not help Srv2 to authenticate remote
clients.

108. You are the administrator of a Web server hosted on the Internet that runs on a Windows 2000 Server.
You want to download ActiveX controls automatically to your customers' internet browsers. The default
security settings on your customers' browsers prevent this. What should you do to automate the
downloading of your ActiveX controls?
A. Install an Enterprise CA on one of your domain controllers and have it issue a certificate for code
signing.
B. Install an Enterprise Subordinate CA that uses a commercial CA as the parent. Create a policy on the
Subordinate CA that allows the Web developers to request a certificate for code signing.
C. Install an Enterprise CA on one of your domain controllers. Install an Enterprise Subordinate CA on
one of your member servers. Issue code-signing certificates to your Web developers.
D. Configure your Web server to request code signing certificates from a commercial CA such as
Verisign.

Answer: D

Explanation: Only external customers will use the certificates. A Certification Authority
(CA) connected to the domain is not necessary. The best solution is to use certificates from a commercial CA such as Verisign.
Incorrect Answers:
A: External customers would not be able to use an Enterprise CA since they are not a part of your domain.
B: The certificate must be issued by the public CA, not the subordinate Enterprise CA, to be able to be used
by external customers with no rights or permission in the domain.
C: External customers would not be able to use an Enterprise Subordinate CA that uses an Enterprise CA,
since they are not part of the domain.

109. You are the administrator of a Windows 2000 network that consists of a single domain. No
employee in your company should have the ability to encrypt files by using Encrypting File System
(EFS), so you need to remove this ability from all users in the domain. What should you do to accomplish
this goal? (Choose all that apply)
A. From the Run command, start Secpolmsc
B. Go to the Encrypted Data Recovery Agents container and delete the certificate you find. From the
Active Directory Users and Computers console, access the Group Policy Editor and edit the domain
policy.
C. Go to the Public Key Policies container and delete the Encrypted Data Recovery Agents policy. From
the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain
policy.
D. Go to the Encrypted Data Recovery Agents container and delete the certificate you find
E. Go to the Encrypted Data Recovery Agents container and initialize the empty policy. From the Active
Directory Users and Computers console, access the Group Policy Editor and edit the domain policy
F. Go to the Public Key Policies container and initialize the empty policy

Answer: D, E

Explanation: The ability to encrypt files must be removed from all users in the domain. This is done by going
to the Encrypted Data Recovery Agents container and deleting the certificate we find there; going to the
Encrypted Data Recovery Agents container and initializing the empty policy; and, from the Active Directory Users
and Computers console, accessing the Group Policy Editor and editing the domain policy. There is a difference
between an empty policy and no policy. In Active Directory, where the effective policy is an accumulation of
Group Policy Objects defined at various levels in the directory tree, the absence of a recovery policy at higher-level
nodes (for example, at the domain node) allows policies at a lower level to take effect. An empty recovery
policy at higher-level nodes disables EFS by providing no effective recovery certificates. On a given computer
(stand-alone or joined to the domain), an effective policy must have at least one valid recovery certificate to
enable EFS on that computer. Furthermore, the EFS Policy has to be deleted.
Incorrect Answers:
A: There is no command tool or Microsoft Management Snap in called Secpolmsc.
B: An empty policy must be initialized. If not, other policies could take effect and enable EFS.
C: The Encrypted Data Recovery Agents policy is contained in the Encrypted Data Recovery Agents
container, not in Public Key Policies container.
The empty policy must be initialized.
F: The empty policy is initialized in the Encrypted Data Recovery Agents container, not the Public Key
Policies container. The EFS Policy has to be deleted
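The distinction between "no policy" and "empty policy" in the explanation above is easy to get wrong, so here is an added example that models it (this is illustrative code, not part of the original compilation and not Windows' own policy engine). It follows the rule the explanation states: walking from the domain node downwards, the first level that defines a recovery policy at all, even an empty one, becomes the effective policy, and EFS is enabled only when that effective policy contains at least one recovery certificate. The level names and certificate names are constructed.

```python
# Added example (not from the page): modelling EFS recovery-policy
# inheritance as the explanation describes it. Each level is either
# None (no recovery policy defined at that node) or a list of recovery-agent
# certificate names; an empty list is an "empty policy".
from typing import List, Optional, Tuple

Level = Tuple[str, Optional[List[str]]]   # (node name, policy or None)


def effective_recovery_policy(chain: List[Level]) -> Tuple[Optional[str], Optional[List[str]]]:
    """chain is ordered from the highest node (domain) down to the local
    computer. The first node that defines a policy, empty or not, wins;
    an absent policy higher up lets a lower node's policy take effect."""
    for node, policy in chain:
        if policy is not None:
            return node, policy
    return None, None


def efs_enabled(chain: List[Level]) -> bool:
    """EFS is enabled only if the effective policy has at least one
    recovery certificate; an empty (or wholly absent) policy disables it."""
    _, policy = effective_recovery_policy(chain)
    return bool(policy)


# Constructed scenarios. "LocalAdminRA" stands for the default recovery
# certificate a stand-alone computer generates for its Administrator account.
NO_DOMAIN_POLICY: List[Level] = [
    ("domain", None),
    ("SalesOU", ["SalesRA"]),
    ("local", ["LocalAdminRA"]),
]
EMPTY_DOMAIN_POLICY: List[Level] = [
    ("domain", []),                  # initialized but empty: disables EFS
    ("SalesOU", ["SalesRA"]),        # never consulted
    ("local", ["LocalAdminRA"]),
]
DOMAIN_POLICY_WITH_AGENT: List[Level] = [
    ("domain", ["DomainRA"]),
    ("SalesOU", ["SalesRA"]),
    ("local", ["LocalAdminRA"]),
]


if __name__ == "__main__":
    for name, chain in (("no domain policy", NO_DOMAIN_POLICY),
                        ("empty domain policy", EMPTY_DOMAIN_POLICY),
                        ("domain policy with agent", DOMAIN_POLICY_WITH_AGENT)):
        node, policy = effective_recovery_policy(chain)
        print(f"{name:26s} effective at {node}: {policy}  EFS enabled: {efs_enabled(chain)}")
```

In the first scenario the domain defines nothing, so the OU's recovery agent takes effect and EFS stays usable; only the second scenario, with a domain-level policy that was initialized and left empty, disables EFS for every computer beneath it, which is why the explanation insists that the empty policy must be initialized rather than simply absent.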

110. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server
computer named DeskA. Routing and Remote Access is enabled for remote access on DeskA. Your
company is organizing an industry trade show in a conference center. You have set up 15 desks and
telephones in the conference area. During the conference, attendees will be allowed to dial in to your
network by using any of the 15 telephones. Each telephone line has its own telephone number.
The conference attendees can use their own portable computers to dial in. When attendees dial in to
DeskA, they do not need to specify a user name or password. However, you do not want to allow dial-in
access from any telephone other than the 15 telephones in the conference area. You enable
unauthenticated access on the DeskA remote access server. You also create a remote access policy named
Conference that allows unauthenticated access as the authentication method. Attendees report that they
are not able to dial in unless they specify a user name and password. You want to ensure that attendees
can dial in without specifying a user name and password. What should you do?
A. Create a user account named Conference Guest. Configure Routing and Remote Access to use the
Conference Guest account as the default user identity.
B. Configure the Conference Guest account to use the 15 phone numbers as Caller ID. Create 15 user
accounts named Conf-1, Conf-2, Conf-3, and so on through Conf-15. Specify a separate Caller ID
phone number for each of the 15 users.
C. Create 15 user accounts that use each phone number as the user name. Configure Routing and
Remote Access to use the calling number as the authentication identity.
D. Configure the Conference remote access policy so that it has a Calling-Station ID condition. Use the
15 phone numbers as the condition

Answer: C

Explanation: The calling number can be used for authentication. The remote clients would not need to provide
any credentials.
Automatic Number Identification/Calling Line Identification (ANI/CLI) authentication is the authentication of a
connection attempt based on the phone number of the caller. ANI/CLI service returns the number of the caller
to the receiver of the call and is provided by most standard telephone companies. In ANI/CLI authentication, a
user name and password are not sent.
Incorrect Answers:
A: The user accounts should have the telephone numbers as user names.
B: We want to avoid the need to supply user name and password. In caller ID authorization, the
caller sends a valid user name and password. The caller ID that is configured for the dial-in
property on the user account must match the connection attempt; otherwise, the connection
attempt is rejected.
D: In general, the conditions defined in a remote access policy are combined and all of them have to
be met. By defining 15 Calling-Station ID conditions no one would get access, since a remote
caller can only meet one of these conditions.

111. You are the administrator of a Windows 2000 network. Your company wants you to provide a high level
of security for its Public Key Infrastructure. You decide to create an offline root Certificate Authority
(CA). You want the offline root CA to be capable of processing certificate requests from files, and you
want the offline root CA to be recognized as a trusted root authority for Windows 2000 client computers.
How should you create the offline root CA?
A. On a member Windows 2000 Server computer that is connected to the network, create an Enterprise
CA. After you install the CA, remove the server to a secure and separate location
B. On a member Windows 2000 Server computer, create a subordinate Enterprise CA that uses a
Commercial CA as the certifying authority. After you install the CA, remove the server to a secure
and separate location
C. On a stand-alone Windows 2000 Server computer that is isolated from the network, create a standalone
CA. Export the certificate for the CA to a floppy disk
D. In the Default Domain Group Policy object (GPO) , import the certificate to the Enterprise Trust
Certificate Store
E. On a stand-alone Windows 2000 Server computer that is isolated from the network, create a standalone
CA. Export the certificate for the CA to a floppy disk. In the Default Domain Group Policy
object (GPO), import the certificate to the Trusted Root Certification Authority Store

Answer: A

Explanation: An offline root CA is used for security reasons to protect it from possible attacks by users on the
network. To create an offline root Certificate Authority (CA) we must log on to a Windows 2000 member
server that is part of a domain with a domain administrator's account. While the computer is connected to the
network we must install a root CA, not a subordinate CA. The computer must be connected to be able to update
Active Directory, so that its certificates can be used after it has been taken offline. We must then change the
URL location of the certificate revocation list (CRL) distribution point to a location available to all users in your
organization's network and take the server offline.
Incorrect Answers:
B: The offline CA must be a root CA, not a subordinate CA.
C: The computer on which the offline CA is installed must be a member of the Domain, not a standalone
server. The computer must also be connected to network when the CA is installed.
D: The CA must be installed on a Windows 2000 member server connected to the network. Just importing a
certificate will not work.
E: The CA must be installed on a Windows 2000 member server, not a standalone Windows 2000 server,
connected to the network.

112. You are the administrator of a Windows 2000 network. The network consists of one Windows 2000
domain that has Windows 2000 Professional client computers and Windows NT Workstation 4.0 client
computers. To create a digital certificate, you use a stand-alone certificate server configured as a root
Certificate Authority (CA). You use the digital certificate to secure a virtual directory on your Internet
Web server. Users report that when they connect to the virtual directory by means of a new URL, a
Security Alert dialog box appears with the following warning message: 'The security certificate was issued
by a company you have not chosen to trust.' You want to prevent this warning message from appearing.
You also want to avoid any unnecessary reconfiguration of either the certificate server or the Web server.
What should you do?
A. Inform your users of the new URL that points to the host name used in the digital
certificate.
B. Configure a Group Policy that automatically installs as a trusted authority in the client computers the
digital certificate for the certificate server.
C. Inform your users that they need to install a client certificate from the certificate server.
D. Inform your users that they need to install as a trusted authority in the client computers the digital
certificate for the certificate server.

Answer: D

Explanation: The server must be viewed as a trusted authority by the clients. They must install a certificate
that makes the server a trusted authority for the client, so that they will trust the server. If all clients were
Windows 2000 computers the best solution would be to use a Group Policy to deploy the trusted authority
certificate, but there are Windows NT 4.0 clients and they cannot use Group Policies. The best solution in this
scenario is to inform the users and ask them to install the certificate themselves. After the users have installed
the certificate server's digital certificate as a trusted authority in the client computers, they would trust the
application server and would not receive any more error messages like the one given in the scenario above. A
certificate is an encrypted set of authentication credentials. A certificate includes a digital signature from the
certificate authority that issued the certificate. In the certificate authentication process, your computer presents
its certificate to the server, and the server presents its certificate to your computer, enabling mutual
authentication. Certificates are authenticated by using a public key to verify this digital signature, which is
contained in a trusted authority root certificate that is stored on your computer. These root certificates are the
basis for certificate verification and should be supplied only by a system administrator. Windows 2000 provides
a number of trusted root certificates. We should add or remove trusted root certificates only if our system
administrator advises it.
Incorrect Answers:
A: A trusted authority certificate for the server must be applied on the clients, not a digital certificate that
points to the host name of the server.
B: There are Windows NT 4.0 clients and they cannot use Group Policies.
C: A trusted authority certificate, not a client certificate, must be installed.

113. You are the administrator of a Windows 2000 domain. The domain has six Windows 2000 based Routing
and Remote Access servers and two Windows 2000 based Internet Authentication Service (IAS) servers named
IAS1 and IAS2. The six Routing and Remote Access servers use the two IAS servers to
authenticate remote access credentials. On IAS1, you change the remote access policies. You want to
ensure that this change is also enforced on IAS2.
What should you do?
A. In the Active Directory Sites and Services console, force replication from IAS1 to IAS2.
B. On IAS1, select Register service in Active Directory. Repeat this command on IAS2.
C. Use the Netsh command-line utility to copy the IAS configuration from IAS1 to IAS2.
D. Manually copy the ras.mdb file from IAS1 to IAS2.

Answer: C

Explanation: Remote Access Policies are not stored in Active Directory; they are stored locally in the
IAS.MDB file. To copy the IAS configuration to another server we must type netsh aaaa show config
> file.txt at the command prompt. This stores the configuration settings, including registry settings, in a
text file. The path can be relative, absolute, or a UNC path. We must then copy the file we created to the
destination computer, and at a command prompt on the destination computer, type netsh exec file.txt. A
message will appear indicating whether the update was successful or not.
Incorrect Answers:
A: Remote Access Policies are not stored in Active Directory; they are stored locally in the IAS.MDB file.
B: Remote Access Policies are not stored in Active Directory.
D: There is no such thing as a ras.mdb file in Windows 2000.
