This is my last exam before I’m MCSE, so what I have done is:
1. Read the Microsoft 70-214 book (do the same – don’t cheat!)
2. Merged all the questions I have read over the last two years and selected just the ones that relate to topics in the 70-214 book.
Notes: Sorry the pictures are missing, but most questions are still useful. If there are any questions listed which have nothing to do with security, then sorry about that – just an oversight! If any answers seem wrong, or the explanations seem strange, then believe in yourself – I disagree with some of this stuff too!
Good luck all, from Creature ;)
1. You are using Windows 2000 Professional at home with a smart card installed. You want to connect to your RAS server to pick up e-mail. What protocol will you need?
A. EAP
B. PPTP
C. IPSec
D. NETBEUI
Ans: A
2. You want to provide Internet access for the clients on your network. You decide to use Network Address Translation (NAT). You have a Windows 2000 computer with which you try to establish a secure Virtual Private Networking session. You try connecting to the remote Windows 2000 computer using L2TP. You are unable to establish a connection with the remote node using L2TP. You are able to make a connection with another computer in your same office. Why are you unable to make a connection to the remote location?
A. NAT does not allow for remote networking.
B. L2TP does not work with Windows 2000 computers.
C. You cannot establish an L2TP connection behind a computer running NAT. The L2TP session fails because the IP Security packets become corrupted.
D. You have not configured the NAT server to translate the IP Security packets.
Answer: C
Reason for answer: TechNet (259335) - If the Virtual Private Network (VPN) client is behind any network device performing Network Address Translation (NAT), the L2TP session fails because the encrypted IPSec Encapsulating Security Payload (ESP) packets become corrupted. If the VPN client is on the same node as Windows 2000 Internet Connection Sharing (ICS)/Network Address Translation, the client is most likely able to establish an L2TP session because NAT does not perform any IP address or port translation when packets originate from its own node.
3. You are the administrator of a Windows 2000 network. Recently, your network security was compromised and confidential data was lost. You are now implementing a stricter network security policy. You want to require encrypted TCP/IP communication on your network.
What should you do?
A. Create a GPO for the domain, and configure it to assign the Secure Server IPSec Policy.
B. Create a GPO for the domain, and configure it to assign the Server IPSec Policy and to enable "Secure channel: Require strong session key".
C. Implement TCP/IP packet filtering, and open only the ports required for your network services.
D. Edit the local security policies on the servers and client computers and enable "Digitally sign client and server communications".
Answer: A (correct)
By default, Windows 2000 includes three predefined policies: Client, Secure Server, and Server. The first task is to decide if any of the default policies will apply or if it will be necessary to create a custom policy to meet your needs. None of the pre-configured policies are active by default. The policies are as follows:
Client (Respond Only) - allows the client to respond to other computers requesting security according to the settings in the default response rule. With this policy active, the client will never request security, but will negotiate IPSec based on the connecting host. This would allow you to configure client computers to respond to requests for secure communications, but without initiating the request.
Secure Server (Require Security) - allows the server to require IPSec negotiation prior to allowing a connection. This policy will allow unsecured incoming communications, but outgoing traffic will always be secured. This policy could be implemented in scenarios where data must always be secured.
Server (Request Security) - allows the server to request IPSec negotiation, but will allow unsecured communications if the other computer is not IPSec aware. You could use this policy to implement security between IPSec enabled computers without sacrificing interoperability with non-IPSec-enabled computers.
4. You want to provide Internet access for the clients on your network. You decide to use Network Address Translation (NAT). You have a Windows 2000 computer with which you try to establish a secure Virtual Private Networking session. You try connecting to the remote Windows 2000 computer using L2TP. You are unable to establish a connection with the remote node using L2TP. You are able to make a connection with another computer in your same office. Why are you unable to make a connection to the remote location?
A. NAT does not allow for remote networking.
B. L2TP does not work with Windows 2000 computers.
C. You cannot establish an L2TP connection behind a computer running NAT. The L2TP session fails because the IP Security packets become corrupted.
D. You have not configured the NAT server to translate the IP Security packets.
Ans: C
5. You want to install Windows 2000 Professional on 30 PXE-compliant computers and 35 non-PXE-compliant computers. All 65 computers are included on the current Hardware Compatibility List (HCL). You create a RIS image. You load the image on the RIS server. You then start the 65 computers. You find that the 30 PXE-compliant computers can connect to the RIS server. However, the 35 non-PXE-compliant computers cannot connect to the RIS server. What should you do?
A. Run Rbfg.exe to create a non-PXE-compliant startup disk
B. Run Riprep.exe to create a non-PXE-compliant startup disk
C. Grant the Everyone group NTFS Read permission for the RIS image
D. Grant the Administrators group NTFS Read permission for the RIS image
Ans: A
6. You are the administrator of your company's network. Your network has 75 Windows 2000 Professional computers and eight Windows 2000 Server computers. Users on the network save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. The partition also has disk quotas defined. A user named Candy reports that she cannot save any files to her home folder. She also cannot update files in her home folder. When she attempts to save files to the folder she receives the following error message: "Insufficient disk space". Other users are not experiencing this problem with their home folders. You want to enable Candy to save files in her home folder. What should you do?
A. Log on to the network as a Recovery Agent. Decrypt all of Candy's files in her home folder.
B. Log on to the network by using the domain Administrator account. Grant Candy Full Control permission to her home folder.
C. Use Windows Backup to archive and remove old files on the server.
D. Increase the server's disk quota entry for Candy to accommodate the additional files.
ANS: D
7. You encrypt three files to ensure the security of the files. You want to make a backup copy of the three files and maintain the security settings. You have the option of backing up to either the network or a floppy disk. What should you do?
A. Copy the files to a network share on an NTFS volume. Do nothing further.
B. Copy the files to a network share on a FAT32 volume. Do nothing further.
C. Copy the files to a floppy disk that has been formatted by using Windows 2000 Professional. Do nothing further.
D. Place the files in an encrypted folder. Then copy the folder to a floppy disk.
ANS: A (Only NTFS keeps encryption)
8. Kevin, the Software Developer of Perfect Solution Inc., recently left the job. The company's Administrator moves all of his home folder files to his Manager's home folder. The NTFS partition that contains the home folders has the Encrypting File System (EFS) enabled. When the Manager attempts to open Kevin's files, he is denied access. What should be done so that the Manager can access those files with the least administrative burden?
A. Grant the Manager NTFS Full Control (FC) permission to the files.
B. Grant the Manager the NTFS Take Ownership (TO) permission to the files.
C. Log on to the network as a Recovery Agent. Decrypt the files for the Manager.
D. Log on to the network as a member of the Backup Operators group. Decrypt the files for the Manager.
ANS: C (Why? Because only the user that created the EFS file or the Recovery Agent can decrypt EFS files. Nobody else; it doesn't matter if you give them FC or TO.)
9. You have a PC with one drive and one volume, which has an NTFS folder called Sales, which is compressed. You also have a folder called Corp, which is not compressed. You want to place Sales under Corp, still compressed, and have a backup of Sales in case something goes wrong. What should you do?
A. Back up the Sales folder to an NTFS volume, and move Sales under Corp. (One more option they had given -- Move Sales under Corp in the NTFS volume -- but backup not mentioned)
Ans: A
10. You want to install Win2K Pro on X new computers on your company's network. You first install Win2K Pro on one of the new computers. You log on to the computer by using the local Administrator account. You install MS Office 97, a virus scanner, and other company standard applications. You then create a RIS image of the computer you configured. You want to configure the RIS image so that the standard applications will be accessible to the user when the user first logs on to the network. What should you do?
a) Run RBFG.exe before installing the standard apps
b) Run RIPREP.exe before installing the standard apps
c) Copy the ALL USERS profile to the DEFAULT USER profile
d) Copy the LOCAL ADMINISTRATOR account profile to the DEFAULT USER profile
Ans: D
Correct answer is D. When you set up the apps as the Local Administrator, depending on the apps, some shortcuts will be placed in the All Users profile (like MS Office 97) and others will be placed only in the Local Administrator profile. If you copy the Local Administrator profile, the custom settings (shortcuts) installed under this profile will be copied to the Default User profile, and thus be available when new users are set up on the PCs. Use Control Panel --> System --> User Profiles tab to copy the profile. The copied files will inherit the permission settings of the Default User folder. Remember that the only things you are providing here are shortcuts; you are NOT providing permissions or rights here. Those are controlled by NTFS permissions and group rights assignments. The All Users profile is just what it says, for "ALL USERS", so it will be saved in the RIS image and deployed to the new PCs; this will include all the shortcuts associated with it. Check the study guide for W2K Pro on BrainBuzz.com, and also look in (assuming C is your W2K Pro drive) C:\Documents and Settings and check the different entries for the standard profiles, especially in the Start Menu --> Programs area.
11. You load NT 4 on C: and W2K Pro on D:. You do not want users to save files to D: in either operating system, but you do want them to be able to access D:. You implement user quotas in W2K Pro so that users cannot save files to D:. When you restart the PC and go into NT 4, users can still write to D:. What should you do?
a. Use NT 4 NTFS permissions to deny users write access to D:
b. Enable EFS on D:
c. Format the NT 4 partition and reload NT 4
Ans: A
12. You are the administrator of your company's network. You receive a request from Stephen's manager to disable Stephen's access to a network share named Financial. Stephen's user account is the only member in a group named Reports. The Reports group has Full Control permission to the Financial share. You delete the Reports group. You later find out that the manager was in error and that Stephen should have his access to the Financial share restored. What should you do?
A. Re-create Reports and re-create Stephen's user account. Use existing NTFS permissions.
B. Re-create Reports and grant Reports NTFS Full Control permission to Financial. Stephen's user account will still be a member of Reports.
C. Re-create Reports and grant Reports Full Control permission to Financial. Add Stephen's user account to Reports.
D. Re-create Reports and add Stephen's existing user account to Reports. Use existing NTFS permissions.
ANS: C
13. You work for an accounting firm. Currently all developers are running Windows 98. The company wants to go to Windows 2000 Professional. Programmers are going to need to code in both a Windows 98 environment and a Windows 2000 environment. What file system can you install that will optimize the availability of code to both environments?
A. FAT16
B. FAT32
C. NTFS
D. HPFS
Ans: B
14. Which of the following volume Properties dialog box tabs do you see for FAT32 partitions in the Disk Management utility? Choose all that apply.
A. General
B. Sharing
C. Security
D. Quota
Ans: A, B. The Security and Quota tabs are only available for NTFS partitions.
15. You have acquired a new Pentium III computer with two blank hard drives, a 40X CD-ROM drive, an AGP display adapter, and a Fast Ethernet network adapter. All hardware is on the HCL. You want to achieve these results:
Install Windows 2000 Professional on the computer.
Minimize the time required to install Windows 2000 Professional.
Choose a file system that enables maximum security of data on the computer.
Have the computer join your domain.
Your proposed solution is to start the computer, access the BIOS, set the computer to boot from the CD-ROM drive, save the changes, and restart the computer. When Setup runs, complete the necessary tasks and specify the NTFS partition type. After restarting the computer again, restore the original boot disk configuration in the BIOS. When prompted, specify the appropriate domain name. Which results does the proposed solution produce? (Choose 3)
A. Windows 2000 Professional is installed on the computer. The specified file system enables security. The computer joins your domain.
Ans: A
16. You are the administrator of your company's network. Your network has 200 Windows 2000 Professional computers and 15 Windows 2000 Server computers. Users on the network save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. A user named John leaves the company. You move all of the files from John's home folder to his manager's folder. When the manager attempts to open any of the files, she receives the following error message: "Access denied." You want the manager to be able to access the files. What should you do?
a. Grant the manager NTFS Full Control permission to the files.
b. Grant the manager NTFS Take Ownership permission to the files.
c. Log on to the network as a Recovery Agent. Decrypt the files for the manager.
d. Log on to the network as a member of the Backup Operators group. Decrypt the files for the manager.
17. You are the administrator of your company's network. Your network has 75 Windows 2000 Professional computers and eight Windows 2000 Server computers. Users on the network save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. The partition also has disk quotas defined. A user named Candy reports that she cannot save any files to her home folder. She also cannot update files in her home folder. When she attempts to save files to the folder she receives the following error message: "Insufficient disk space". Other users are not experiencing this problem with their home folders. You want to enable Candy to save files in her home folder. What should you do?
A. Log on to the network as a Recovery Agent. Decrypt all of Candy's files in her home folder.
B. Log on to the network by using the domain Administrator account. Grant Candy Full Control permission to her home folder.
C. Use Windows Backup to archive and remove old files on the server.
D. Increase the server's disk quota entry for Candy to accommodate the additional files.
ANS: D
18. Each user in your network has his/her own user directory. Jane copies a file to her user directory and receives the message "Insufficient space." She finds that she cannot even add data to a file and save it. Others are not having any problems. What should you do?
a. Increase the quota limit for Jane
b. Defragment the hard drive
c. Confirm that NTFS compression has been enabled
d. Add Jane to the Domain Users group
e. Confirm that backup is not running
ANS: A
19. Julie is trying to save a file that is 2 MB in size. When she tries to save the file, she gets an error message that the disk is out of space. When the administrator checks available disk space, it is determined that there is more than 4 GB of free disk space. What is the most likely cause?
A. The disk needs to be defragmented.
B. Julie does not have the NTFS permissions she needs to access the folder where she is trying to save the file.
C. Julie has exceeded her disk quota.
D. The folder is encrypted and Julie does not have the key required to write to the folder.
Answer: C. If Julie is getting "out of space" errors and the disk has free space, it is likely that the disk has disk quotas applied and Julie has exceeded her quota limit.
20. You are the administrator of a Windows 2000 network. Users in the engineering department run Windows 2000 Professional on their desktop computers. The size of the department has recently expanded from five users to 10 users. Users need to be able to update files in a shared folder named CommonData. The folder is stored on a FAT16 partition on one of the Windows 2000 Professional computers on the network. The files in CommonData are published in Active Directory so that other users in the company can refer to them. The network also uses Distributed File System (DFS) to simplify access to its user data. Users in the engineering department report that when they try to access CommonData, they receive the following error message: "CommonData is not accessible. No more connections can be made to this remote computer at this time." You want to ensure that users can access the files. What should you do?
A. Move CommonData to a FAT32 partition on the host computer, and share it again.
B. Move CommonData to an NTFS partition on the host computer, and share it again.
C. Increase the user limit on the network share to the maximum allowed.
D. Increase the "Clients cache this DFS referral" value on the DFS leaf node that describes the data.
ANS: D
21. You are the administrator of a Windows 2000 network. The network includes a Windows 2000 Server computer that is used as a file server. More than 800 of your company's client computers are connected to this server. A shared folder named DATA on the server is on an NTFS partition. The DATA folder contains more than 200 files. The permissions for the DATA folder are shown in the following table.
Type of permission        Account   Permission
DATA share permissions    Users     Change
DATA NTFS permissions     Users     Full Control
You discover that users are connected to the DATA folder. You have an immediate need to prevent 10 of the files in the DATA folder from being modified. You want your actions to have the smallest possible effect on the users who are using other files on the server. What TWO actions should you take?
A. Modify the NTFS permissions for the ten files.
B. Modify the NTFS permissions for the DATA folder.
C. Modify the share permissions for the DATA folder.
D. Log off the users from the network.
E. Disconnect all users from the DATA folder.
Answer: A, E
22. Your Windows 2000 Professional computer has 10 shared folders that are available to other network users. A user reports that he cannot access a shared folder named Share A. You want to respond to the user's problem as quickly as possible by using an administrative tool. However, you cannot remember the server location of Share A. What should you do?
a. Use Windows Explorer to display the file paths of your shared folders.
b. Use Storage in Computer Management to view local drive properties.
c. Use Event Viewer in Computer Management to search for shared folder error messages.
d. Use System Tools in Computer Management to display the file paths of your shared folders.
Answer: D
23. Which of the following options is not an event type logged in the Windows 2000 Professional Event Viewer utility?
A. Information
B. Critical
C. Warning
D. Error
Answer: B
The event types logged in Event Viewer are Information, Warning, and Error. Success Audit and Failure Audit events are also logged when events have been audited for success or failure. There is no event type called Critical.
24. Your company has a Routing and Remote Access server at its main office. One of the company's branch offices also runs Routing and Remote Access on a server that has one modem. This server is configured to use demand-dial routing to connect to the main office. This server is part of the company's Active Directory domain. The domain runs in native mode. Some employees at this branch office use the branch office server to access their files from home. The manager of the branch office reports that sometimes none of the users in the office can connect to the main office. When you examine the event log on the branch office server, you find that users have been connecting to the server during working hours. The manager wants users to be able to dial in to the server between 6:00 P.M. and 8:00 A.M. However, the manager still wants users to be able to log on at any time when connected directly to the LAN.
A. Change the logon hours for the users' accounts to deny logon between 8:00 A.M. and 6:00 P.M.
B. Set the remote access policy to deny connections between 8:00 A.M. and 6:00 P.M.
C. Create one batch file to start the Remote Access Connection Manager service, and create another batch file to stop it. Schedule the stop batch file to run at 8:00 A.M. every day and the start batch file to run at 6:00 P.M. every day.
D. Create two user accounts for each user. Grant dial-in permission to one account and deny dial-in permission to the second account. Change the logon hours for the dial-in accounts to deny logon between 8:00 A.M. and 6:00 P.M.
Answer: B
25. You are experiencing system errors on your Windows 2000 Server computer. Microsoft enterprise technical support has requested a dump of system memory to a file. You have configured a system paging file on your boot partition that is larger than the total amount of system RAM. How should you configure the Windows 2000 Server computer to generate the required dump file?
A. Configure the Event Log service to start automatically
B. Configure Dr. Watson for Windows NT to create a crash dump file
C. Configure system recovery to write an event to the system log
D. Configure system recovery to write debugging information to %SystemRoot%\Memory.dmp
Ans: D
26. Your Windows 2000 Server computer contains four 16 GB hard disks. Disk 0 is configured as a basic disk. Disk 0 has a single 16 GB partition that contains the boot and system files. Disks 1, 2 and 3 are configured as dynamic disks in a RAID-5 volume. The entire server is backed up to a tape drive each night. During your daily review of the server's event logs, you discover that Disk 1 has failed. You shut down the server and replace Disk 1 with a new hard disk. When you restart the server, Windows 2000 starts normally, but the data on the RAID-5 volume is inaccessible. Disk Management indicates that Disk 2 has failed too. You replace Disk 2 with a new hard disk. Now you need to recover the data on the RAID-5 volume as quickly as possible. What should you do?
A. Use Disk Management to rebuild the RAID-5 volume.
B. Delete and re-create the RAID-5 volume. Restore the contents of the RAID-5 volume from the most recent tape backup.
C. Use Windows 2000 Backup to restore the contents of Disk 2. Use Disk Management to rebuild the RAID-5 volume on Disk 1.
D. Delete and re-create the RAID-5 volume. Restart the server by using the Windows 2000 Setup CD, and select the repair option.
Answer: B
27. How will you create a memory dump file to record the memory contents in case of Stop errors?
A. Use the Startup/Shutdown tab in the System applet of Control Panel
B. Use Dr. Watson
C. Turn on auditing using User Manager for Domains
D. Edit the registry
Ans: A
28. You install the Routing and Remote Access service on a Windows 2000 Server computer in your network. Your network is not directly connected to the Internet and uses the private IP address range 192.168.0.0. When you use Routing and Remote Access to dial in to the server, your computer connects successfully, but you are unable to access any resources. When you try to ping servers by using their IP addresses, you receive the following message: "Request timed out." When you run the ipconfig command, it shows that your dial-up connection has been given the IP address 169.254.75.182. What should you do to resolve the problem?
A. Configure the remote access server with the address of a DHCP server.
B. Authorize the remote access server to receive multiple addresses from a DHCP server.
C. Configure the remote access server to act as a DHCP Relay Agent.
D. Ensure that the remote access server is able to connect to a DHCP server that has a scope for its subnet.
Answer: A
Reason for answer: TechNet (Q197197), (Q232703), (Q216805): "IP address 169.254.75.182 is assigned by Windows when one cannot be found." C may seem like the right answer, but you got the 169 address because it did not find a DHCP server with a correct scope; you cannot ping because you do not have a default gateway assigned. Adding a DHCP Relay Agent may be part of the solution to answer D, but if the DHCP server is not configured with the scope it still will not work. This could be a two-answer question. I chose D and so does Troytec.
DHCP clients located across a router from a DHCP server require that the router be configured to forward DHCP traffic to a DHCP server on a remote subnet. This traffic is broadcast traffic, and routers do not normally forward broadcast traffic unless configured to do so. A network router can be hardware-based, such as those manufactured by Cisco, or software-based, such as Microsoft's Routing and Remote Access Service (RRAS). In either case, you need to configure the router to relay DHCP traffic to designated DHCP servers. The DHCP server IP addresses are configured on the router on a per-interface basis using IP helper functionality, or in the case of RRAS, using the DHCP Relay Agent.
The RemoteAccess service will generate the following event:
Event ID: 20169
Source: RemoteAccess
Type: Warning
Description: Unable to contact a DHCP server. The Automatic Private IP Address will be assigned to dial-in clients. Clients may be unable to access resources on the network.
You can now use the DHCP Relay Agent with RAS to provide DHCP scope options to RAS clients. The RAS client continues to receive an IP address from the RAS server, but may use DHCPInform packets to obtain WINS addresses, DNS addresses, domain names, or other DHCP options. DHCPInform messages are used to obtain DHCP scope option information without getting an IP address.
29. You are the administrator of a Windows 2000 Server network. You configure two sites: one for your New York office and one for your Paris office. You configure two organizational units (OUs) named New York and Paris. In each of these OUs, you create subordinate OUs named Sales, Marketing, and Research. You place user accounts, stand-alone member servers, and Windows 2000 Professional computers in their appropriate subordinate OUs. You suspect that someone is trying to log on to your domain by guessing user account names and passwords. You want to find out which computers are being used for these logon attempts. What should you do?
A. Edit the Default Domain Controllers Policy object to audit directory service access failures.
B. Edit the Default Domain Policy object to audit account logon failures.
C. Edit the New York OU and Paris OU Group Policy objects (GPOs) to audit logon failures.
D. Edit the Group Policy object (GPO) of each subordinate OU to audit directory service access failures.
Answer: B
Reason for answer: See Study Guide, Server Help and TechNet (Q256345), Active Directory overview.
If you implement Group Policy at the Default Domain Policy, the policy takes effect on all computers in the domain. If you implement Group Policy at the Default Domain Controllers Policy, the policy only applies to the servers in the Domain Controllers organizational unit (OU). You can create OUs that contain workstations to which policies can be applied.
Active Directory is the directory service for Windows 2000 Server. It stores information about objects on the network and makes this information easy for administrators and users to find and use. The Active Directory directory service uses a structured data store as the basis for a logical, hierarchical organization of directory information. Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.
Security auditing is a feature of Windows 2000 that monitors various security-related events. Monitoring system events is necessary to detect intruders and to detect attempts to compromise data on the system. An example of an event that can be audited is a failed logon attempt. An Active Directory user account enables a user to log on to computers and domains with an identity that can be authenticated and authorized for access to domain resources. Establishing an audit trail is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps assure user accountability, and provides evidence in the event of a security breach.
There are three main steps to implementing security-related auditing for your system. First, you must turn on the categories of events you wish to audit. Examples of event categories are user logon and logoff, and account management. The categories of events you select constitute your audit policy. When you first install Windows 2000, no categories are selected, and therefore no audit policy is in force. Computer Management lists the event categories that you can audit. Second, you must set the size and behaviour of the security log. Finally, if you have selected either the audit directory service access category or the audit object access category, you must determine the objects to which you want to monitor access and modify their security descriptors accordingly. For example, if you want to audit any attempts by users to open a particular file, you can set a Success or Failure attribute directly on that file for that particular event.
30. You are the administrator for a Windows 2000 network. Your network consists of one domain and two Organizational Units (OU). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created. However, you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.
What should you do?
A. Search the security event logs on each domain controller for account management events. B. Search the security event logs on each domain controller for object access events. C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name. D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.
Answer: A ( correct )
When you audit account management events, you're able to track changes of user account information (including password changes), additions and deletions.
31. You are the Windows 2000 network administrator for your company. You are implementing the company's network security model. Your network has several servers that contain sensitive or confidential information. You want to configure security auditing on these servers to monitor access to specific folders. You also want to prevent users from gaining access to these servers when the security logs become full.
What should you do?
A. Create a GPO that applies to the servers. Configure the GPO to enable auditing for object access. Set up the individual objects to be audited in Windows Explorer and then customize the Event Viewer logs to limit the size of the security log to 1,024 KB. B. Create a GPO that applies to the servers. Configure the GPO to enable auditing for Directory Services access. Set up the individual objects to be audited in Windows Explorer and then customize the Event Viewer logs to limit the size of the security log to 1,024 KB. Configure the security event log so that it does not overwrite events. C. Create a GPO that applies to the servers. Configure the GPO to enable auditing for Directory Service access. Set up the individual objects to be audited in Windows Explorer. Configure the Security Event log so that it does not overwrite events. Then configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting. D. Create a GPO that applies to the servers. Configure the GPO to enable auditing for object access. Set up the individual objects to be audited in Windows Explorer. Configure the security event log so that it does not overwrite events. Then configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting.
Answer: D ( correct )
The two parts of auditing are to set up an audit policy at either the local or domain level (through a GPO) that defines the types of events to be audited (in this case object access), and then to specify the specific events (in this case by setting up the objects to be audited using Windows Explorer). To meet the last requirement of preventing users' access when the log is full, you must configure the GPO to enable the "Shut down the system immediately if unable to log security audits" setting. This setting is stored in the registry as CrashOnAuditFail and in this case must be set to 1.
32. You are the network administrator for Just Togs. Your Windows 2000 network consists of 15,000 users. Users have recently reported that documents are missing from the servers. You need to track the actions of the users to find out who has been deleting the files. You create a GPO on the justtogs.com domain and assign the appropriate permissions to the GPO.
What actions should you audit? (Choose two)
A. Directory Services access B. Object access C. Process tracking D. Privileged use E. Delete and Delete subfolders and files
Answer: B, E ( correct )
The two parts of auditing are to set up an audit policy at either the local or domain level (through a GPO) that defines the types of events to be audited (in this case object access), and then to specify the specific events (in this case by setting up the objects to be audited using Windows Explorer). To audit files and folders, you must be logged on as a member of the Administrators group or have been granted the "Manage auditing and security log" right in Group Policy. Administrators can also monitor access to Active Directory, causing successful and failed audit attempts to be logged in the Directory Service event log. This isn't what the question is asking here, though.
33. You are the administrator of a DNS server that runs on a Windows 2000 Server computer. You receive a report that the Windows 2000 Server computer constantly uses more than 80 percent of the CPU. You want to monitor the number of DNS queries that are handled by the DNS server.
What should you do?
A. Run the Nslookup command-line utility. B. Use the Event Viewer and monitor the DNS server log. C. Use the monitoring function of the server properties in the DNS console. D. Use the DNS counters in System Monitor. E. Check the contents of the Netlogon.dns file.
Answer: D ( correct )
System Monitor has DNS counters that monitor performance. Some DNS related counters include:
Total Query Received - total number of lookup queries received
Total Query Received/Sec - total number of queries received per second
Failed DNS Resolutions - failed resolutions
Pending DNS Resolutions - pending resolutions
Successful DNS Resolutions - successful resolutions
34. You are the administrator of your company's network. You have been auditing security events on the network since it was installed. A user on your network named JOHN THORSON recently reported that he was no longer able to change his password. Because there have been no recent changes to account policies, you suspect that someone has been modifying the properties of user accounts in Active Directory. There are thousands of entries in the event logs, and you need to isolate and review the events pertaining to this problem in the least possible amount of time.
What should you do?
A. In the security log, create a filter for events matching the following criteria: Event source: Security Category: Account Management User: JTHORSON. B. In the directory service log, create a filter for events matching the following criteria: Event source: NTDS Security Category: Security. Search the remaining items for events referencing John Thorson's account. C. In the directory service log, create a filter for events matching the following criteria: Event source: NTDS Security Category: Global Catalog User: JTHORSON. D. In the security log, create a filter for events matching the following criteria: Event source: Security Category: Account Management. Search the remaining items for events referencing John Thorson's account.
Answer: D ( correct - A isn’t true 'cause there is no place to specify User and stuff )
To view a subset of events that have specific characteristics, click Filter Events on the View menu of Event Viewer. Filtering has no effect on the actual contents of the log; it changes only the view. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file.
35. You are the administrator for a Windows 2000 network. Your network consists of one domain and two organizational units (OUs). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created, but you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.
What should you do?
A. Search the security event logs on each domain controller for account management events. B. Search the security event logs on each domain controller for object access events. C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name. D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.
Answer: A ( correct )
Using Event Viewer, you can filter and search the security logs for specific events.
36. You are the administrator of your company's network. Your event log shows that hackers are using brute force attacks to attempt to gain access to your network. You do not want user accounts to be easily accessible. You want to strengthen security to protect against brute force attacks.
What should you do? (Choose two)
A. Enable the "Users must log on to change the password" setting. B. Enable the "Store password using reversible encryption for all users in the domain" setting. C. Enable the "Password must meet complexity requirements" setting. D. Increase minimum password length. E. Increase minimum password age.
Answer: C, D ( correct - E also correct , but read the explanation below )
All the above settings are available in the Security Configuration and Analysis console. The best two choices here are "password must meet complexity requirements" and "minimum password length", which will create a "strong password". A third choice could be setting the "minimum password age", which prevents users from changing their password, then immediately changing it back to their original password. However, the question only asks for two answers.
37. You are the administrator for a Windows 2000 network. Your network consists of one domain and two Organizational Units (OU). The OUs are named Corporate and Accounting. A user recently reported that she was not able to log on to the domain. You investigate and find out that the user's account has been deleted. You have been auditing all objects in Active Directory since the domain was created. However, you cannot find a record of the user account deletion. You want to find a record that identifies the person who deleted the account.
What should you do?
A. Search the security event logs on each domain controller for account management events. B. Search the security event logs on each domain controller for object access events. C. Search the Active Directory Users and Computers console on each domain controller for the user's previous account name. D. Search the Active Directory Users and Computers console on each domain controller for the user's computer account.
Answer: A ( correct )
When you audit account management events, you're able to track changes of user account information (including password changes), additions and deletions.
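Questions 30, 34, 35 and 37 all come down to the same investigation: enable Account Management auditing, then filter the Security log by source and category and search the remaining descriptions for the account in question, because the User column of an Account Management event records the caller who made the change, not the target account. The script below is an added example (not part of the original notes and not a Microsoft tool) that performs that filter-then-search over a comma-delimited Security log export. The sample export, its column layout and the account names are constructed for illustration; the event IDs used (630 User Account Deleted, 642 User Account Changed, 628 password set) are the Windows 2000 Security log IDs.

```python
import csv
import io
import re

# Constructed sample of a comma-delimited Security log export (not a real log).
# The column layout is an assumption modelled on an Event Viewer "Save As"
# export. Note that the User column of the Account Management events holds the
# caller (the administrator), while the target account only appears in the
# Description; that is why filtering by "User: JTHORSON" would miss them.
SAMPLE_EXPORT = """\
Date,Time,Source,Type,Category,Event,User,Computer,Description
6/12/2002,09:01:13,Security,Success Audit,Logon/Logoff,528,JUSTTOGS\\jthorson,DC1,"Successful Logon: User Name: jthorson Domain: JUSTTOGS Logon Type: 2"
6/12/2002,09:04:50,Security,Success Audit,Object Access,560,JUSTTOGS\\jthorson,DC1,"Object Open: Object Name: C:\\Docs\\budget.xls Accesses: READ_CONTROL"
6/12/2002,10:17:02,Security,Success Audit,Account Management,642,JUSTTOGS\\admin1,DC1,"User Account Changed: Target Account Name: jthorson Target Domain: JUSTTOGS Caller User Name: admin1 Caller Domain: JUSTTOGS"
6/12/2002,10:17:05,Security,Success Audit,Account Management,628,JUSTTOGS\\admin1,DC1,"User Account password set: Target Account Name: jthorson Target Domain: JUSTTOGS Caller User Name: admin1 Caller Domain: JUSTTOGS"
6/12/2002,11:40:31,Security,Success Audit,Account Management,630,JUSTTOGS\\bob,DC2,"User Account Deleted: Target Account Name: jsmith Target Domain: JUSTTOGS Caller User Name: bob Caller Domain: JUSTTOGS"
6/12/2002,11:41:00,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,DC2,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: JUSTTOGS"
"""


def parse_export(text):
    """Parse the comma-delimited export into one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events, source=None, category=None, event_ids=None, mention=None):
    """Apply the same criteria as the Event Viewer filter (source, category,
    event ID) and then a free-text search of the Description, which is the
    second step of answer D in question 34."""
    hits = []
    for ev in events:
        if source and ev["Source"] != source:
            continue
        if category and ev["Category"] != category:
            continue
        if event_ids and int(ev["Event"]) not in event_ids:
            continue
        if mention and mention.lower() not in ev["Description"].lower():
            continue
        hits.append(ev)
    return hits


def description_field(ev, name):
    """Pull a 'Name: value' pair such as 'Caller User Name' out of the Description."""
    match = re.search(re.escape(name) + r":\s*(\S+)", ev["Description"])
    return match.group(1) if match else None


def who_deleted(events, account):
    """Return the caller recorded in the 630 (User Account Deleted) event whose
    target is `account`, or None when no such record exists on this server."""
    deletions = filter_events(events, source="Security",
                              category="Account Management", event_ids={630})
    for ev in deletions:
        target = description_field(ev, "Target Account Name") or ""
        if target.lower() == account.lower():
            return description_field(ev, "Caller User Name")
    return None


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    # Question 30/35/37: who deleted jsmith? Each domain controller keeps its
    # own Security log, so this would be run against the export from each DC.
    print("jsmith was deleted by:", who_deleted(events, "jsmith"))
    # Question 34: Account Management events that mention John Thorson's account.
    for ev in filter_events(events, source="Security",
                            category="Account Management", mention="jthorson"):
        print(ev["Time"], ev["Event"], ev["Description"])
```

Running the export from every domain controller through `who_deleted` reflects the "search the security event logs on each domain controller" wording of the answer: Security logs are not replicated, so the deletion is only recorded on the DC that processed it.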
38. You are the administrator of a Windows 2000 domain. To control the desktop environment of users in the domain, you use a script file named Desktop.vbs to change settings in the current user profile. This script file is deployed as a login script for all users in the domain. The Desktop.vbs script usually takes 15 seconds to complete its work. You want to ensure that each user's desktop appears only after the Desktop.vbs script is completed.
What should you do?
A. For all users in the domain, set the logon script in the user profile to Desktop.vbs. B. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to run logon scripts synchronously. C. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to set a maximum wait time of 15 seconds for Group Policy scripts. D. Create a new GPO; Assign the GPO to the domain. Add Desktop.vbs to the GPO as a logon script. Configure the GPO to set a timeout of 15 seconds for logon dialog boxes.
Answer: B ( correct )
When you configure logon scripts, there are settings that allow an administrator to control the maximum time the logon script is allowed to run, and whether to run the logon script synchronously. When a logon script is run synchronously, the user does not have access to the desktop until the logon script terminates.
39. You are the administrator of a DNS server that runs on a Windows 2000 Server computer. You receive a report that the Windows 2000 Server computer constantly uses more than 80 percent of the CPU. You want to monitor the number of DNS queries that are handled by the DNS server.
What should you do?
A. Run the Nslookup command-line utility. B. Use the Event Viewer and monitor the DNS server log. C. Use the monitoring function of the server properties in the DNS console. D. Use the DNS counters in System Monitor. E. Check the contents of the Netlogon.dns file.
Answer: D ( correct )
System Monitor has DNS counters that monitor performance. Some DNS related counters include:
Total Query Received - total number of lookup queries received
Total Query Received/Sec - total number of queries received per second
Failed DNS Resolutions - failed resolutions
Pending DNS Resolutions - pending resolutions
Successful DNS Resolutions - successful resolutions
40. You are the administrator of your company's network. You want to configure a Security Policy for the Windows 2000 Professional Computers that are in the sales department. On one of the computers, you use Security Templates to configure the Security Policy based on the desired security settings. You then export those settings to an .inf file that will be used on all of the Computers in the sales department. You want to configure each Computer to have a customized Security Policy. What should you do?
A. Use Secedit.exe to import the security settings from the .inf file to the computers in the sales department. B. Use a text editor to change the default security settings to the desired security settings. Then export those settings to the Computers in the sales department. C. Create an organizational unit (OU) named Sales. Add the users in the sales department to the Sales OU. Then apply the security template to the users in the Sales OU. D. Create an organizational unit (OU) named Sales. Add the computers in the sales department to the Sales OU. Then apply the security template to computers in the Sales OU.
ANS: D
41. You are the administrator of your company's network. You use Security Templates to configure a Security Policy on the Windows 2000 Professional Computers in the Sales organizational unit (OU). You notice that the Computers in the Sales OU are not downloading the Security Policy settings. On each computer, the Security Policy appears in the Local Computer Policy, but is not listed as the effective policy. You want all computers in the Sales OU to have the Security Policy listed as the effective policy. What should you do?
A. Use Security Templates to correct the setting and export the security file. B. Use Security Configuration and Analysis to import the security setting. Then create a Group Policy object (GPO) for the Sales OU. C. Use the Secedit /RefreshPolicy Machine_Policy command. D. Use the Basicwk.inf security file settings, save the security file, and then import the file to the Computers.
ANS: C
42. You upgrade 5 computers in the Finance organizational unit (OU) from Windows NT Workstation 4.0 to Windows 2000 Professional. The computers are used by members of the Finance OU to run a financial application. All 5 computers are configured to have the default security settings. A user named Helene reports that she can no longer run the financial application on her Windows 2000 Professional computer. Prior to the upgrade, Helene was able to run the financial application on her computer. Helene is a member of the local Users group. You want the financial application to run on Helene's computer. What should you do?
A. Use Computer Management to configure a separate memory space for each financial application on Helene's computer. B. Use Security Templates to edit the Security Policy to include the financial application on Helene's computer. Then add Helene's user account to the Power Users group on Helene's computer. C. Use Security Configuration and Analysis to reconfigure the default security policy .inf file to allow the financial application to run on Helene's computer. D. Use Secedit.exe to apply the compatws.inf security template to Helene's computer to loosen the permissions for the local Users group on Helene's computer.
ANS: D
See the "Predefined security templates" topic in the W2K Server online help for more info.
43. You configure several Group Policies to restrict user's desktop settings. You want them to be applied immediately. What should you do?
A. Run secedit /refreshpolicy MACHINE_POLICY B. Run secedit /refreshpolicy USER_POLICY C. Run net config /refreshpolicy DOMAIN_POLICY D. Run refresh /DOMAIN_POLICY
Answer: B
44. You are the administrator of a high security network. Many files stored on your Windows 2000 file servers and Windows 2000 Professional computers are highly confidential. You want to implement identical security configurations on all Windows 2000 file servers and Windows 2000 Professional computers. What should you do? (Choose all that apply)
A. Configure Group Policies to apply the security configuration to all Windows 2000 file servers and Windows 2000 Professional computers. B. Use the Security Configuration Management Console to import security information from a file server as a template. C. Use the Security Configuration Management Console to import security information from a Windows 2000 Professional Computer as a template. D. Use Secedit to export the security configuration to all file servers. E. Use Secedit to export the security configuration to all Windows 2000 Professional computers.
Answer: A, B, C
45. You configure several Group Policies to restrict user's desktop settings. You want them to be applied immediately. What should you do?
A. Run secedit /refreshpolicy MACHINE_POLICY B. Run secedit /refreshpolicy USER_POLICY C. Run net config /refreshpolicy DOMAIN_POLICY D. Run refresh /DOMAIN_POLICY
Answer: B
Reason for answer: Server help. Desktop policies are located under the USER POLICY.
To refresh Group Policy immediately:
Click Start and then click Run to open the Run dialog box.
To refresh policies under the Computer Configuration node, type the following and then click OK: secedit /refreshpolicy MACHINE_POLICY
To refresh policies under the User Configuration node, type the following and then click OK: secedit /refreshpolicy USER_POLICY
46. You have four different distribution shares on your network for Windows 2000 Server installations. A new service pack was just announced. What should you do to make the service pack available for future installations?
A. Copy the service pack's driver.cab to the distribution "share", as well as layout.inf, dosnet.inf and txtsetup.sif B. Use update /slip to apply the service pack to each "share". C. Copy the layout.inf, dosnet.inf and txtsetup.sif files to each distribution "share". D. Use sysdiff /diff to apply the service pack to each "share".
Answer B
Reason for answer: TechNet Service Pack Study Guide. To apply a new service pack, use Update.exe with the /slip switch to copy over the existing Windows 2000 files with the updated service pack files. Some of the key files that update during this process include:
New Layout.inf, Dosnet.inf, and Txtsetup.sif files, which have the updated checksums for all the service pack files. These files need additional entries if any additional files have been added.
A new driver .cab if the drivers in the cabinet file have been changed.
If you apply a service pack to a single computer running Windows 2000, you must reapply the service pack to add another service, unless you are updating from a network share that supports service pack slipstreaming.
47. You are the administrator of your company's network. The network consists of one Windows NT 4.0 domain. You create and implement a security policy that is applied to all Windows 2000 Professional client computers as they are staged and added to the network. You want this security policy to be in effect at all times on all client computers on the network. However, you find out that administrators periodically change security settings on computers when they are troubleshooting or doing maintenance. You want to automate the security analysis and configuration of client computers on the network so that you can track changes to security policy and reapply the original security policy when it has been changed.
What should you do?
A. Use Windows NT System Policy to globally configure the security policy settings on the client computers. B. Use Windows 2000 Group Policy to globally configure the security policy settings on the client computers. C. Use the Security and Configuration Analysis tool on the client computers to analyze and configure the security policy. D. Schedule the Secedit command to run on the client computer, analyze and configure the security policy.
Answer: D ( correct )
Normally, if the GPOs that define the environment for the user have not changed since the last time Group Policy was applied, the GPO is skipped and not applied again. Specifying "/ENFORCE" on the command line re-applies the policy even if the GPOs that apply to the computer or user have not changed. An example of the command line in this case is: secedit /refreshpolicy machine_policy /enforce
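Questions 31, 36 and 47 together describe one workflow: capture the intended settings (audit categories, CrashOnAuditFail, log retention, password policy) in a security template, then periodically analyze a machine against that template and reapply it when an administrator has drifted from it. The script below is an added example, not part of the original notes and not a Microsoft tool, that does the analysis half: it parses two secedit-style .inf templates (a constructed baseline and a constructed export taken after a troubleshooting session) and lists every setting that was weakened or removed. The section and key names follow the Windows 2000 security template format as I know it; the specific values are my assumptions for illustration.

```python
# Constructed baseline security template (not one of the Windows 2000
# predefined templates). In the [Event Audit] section 0 = no auditing,
# 1 = Success, 2 = Failure, 3 = Success and Failure. CrashOnAuditFail is
# the registry form of "Shut down the system immediately if unable to log
# security audits"; the "4,1" value means REG_DWORD (type 4) set to 1.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MinimumPasswordAge = 1
PasswordHistorySize = 12
[Event Audit]
AuditObjectAccess = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 2
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 2
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\CrashOnAuditFail=4,1
"""

# Constructed export of the same machine after an administrator relaxed a few
# settings while troubleshooting: this is the drift question 47 wants caught.
CURRENT_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
MinimumPasswordAge = 0
PasswordHistorySize = 12
[Event Audit]
AuditObjectAccess = 0
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 2
[Security Log]
MaximumLogSize = 10240
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\CrashOnAuditFail=4,0
"""

AUDIT_NAMES = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}


def parse_inf(text):
    """Parse an .inf security template into {section: {key: value}}.
    Registry keys contain backslashes and the values contain commas,
    so only the first '=' on a line separates key from value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def decode_audit(value):
    """Turn an [Event Audit] value into the words Group Policy shows."""
    return AUDIT_NAMES.get(value, value)


def find_drift(baseline_text, current_text):
    """Return [(section, key, expected, actual)] for every baseline setting
    that is missing (actual is None) or different in the current export.
    This mirrors what "secedit /analyze" reports against a template."""
    base, cur = parse_inf(baseline_text), parse_inf(current_text)
    drift = []
    for section, settings in base.items():
        if section in ("Unicode", "Version"):       # header sections, not policy
            continue
        for key, expected in settings.items():
            actual = cur.get(section, {}).get(key)
            if actual != expected:
                drift.append((section, key, expected, actual))
    return drift


if __name__ == "__main__":
    for section, key, expected, actual in find_drift(BASELINE_INF, CURRENT_INF):
        if section == "Event Audit":
            expected, actual = decode_audit(expected), decode_audit(actual)
        print(f"[{section}] {key}: expected {expected!r}, found {actual!r}")
    # If anything drifted, reapply the baseline with the real tool, e.g.
    #   secedit /configure /db baseline.sdb /cfg baseline.inf /log reapply.log
    # which is what question 47 schedules on each client.
```

The scheduled job would export the live settings, run `find_drift`, and call `secedit /configure` only when the list is non-empty, which keeps a record of every deviation (the drift list) as well as restoring the policy; the missing AuditLogRetentionPeriod shows why a missing key must count as drift and not be silently skipped.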
48. You want to connect to your branch office printer through the browser. Your Windows 2000 Professional computer is running Peer Web Server. You were told the share name of the printer is HPColorL. You are unable to see it when you type its URL. What do you need to do to connect to this printer?
A. Double-click the connect hotspot in the left pane of the printer's dialog box to view the printer. B. Ask the branch office administrator to reinstall the printer by using its URL as the port. C. Install Internet Explorer 3.0 or higher on your Windows 2000 Professional. D. Ask the administrator at the branch office to install IIS on the branch server.
ANS: D
49. You are the administrator of the Coho Vineyard network. The network consists of 10 Windows 2000 Advanced Server computers and 250 Windows 2000 Professional computers. Your company has two domains: cohovineyard.com and westcoastsales.com. The company's intranet site is on a Windows 2000 Advanced Server computer named ServerA. ServerA is on the cohovineyard.com domain and is running Internet Information Services (IIS) and Microsoft Proxy Server 2.0. You want to configure the Windows 2000 Professional Computers in the westcoastsales.com domain to access the intranet site. You want users to be able to connect to the intranet site by using the URL http://servera/ rather than its fully qualified domain name. What should you do?
A. Add cohovineyard.com to the Domain Suffix Search Order on the computers. B. Add westcoastsales.com to the Domain Suffix Search Order on the computers. C. Add westcoastsales.com to the exceptions list in the proxy server settings on the computers. D. Configure the proxy server settings on the computers to bypass the proxy server for intranet addresses.
ANS: A
Explanation: To get to ServerA from outside the domain a computer has to resolve the name to an IP address. If using DNS, it needs the fully qualified domain name, which consists of the computer name appended to the domain name...like this - servername.domainname.com. When you use the Domain Suffix Search Order option, it will try to resolve the name ServerA with the DNS. When it fails, it will append the listed domain names on the end and try to resolve it then. This means that when a user types in the server name only, it will successfully resolve it to ServerA.cohovineyard.com - it's like a short cut. Go to the TCP/IP properties, Advanced Button, DNS Tab, and then note the "Append these DNS Suffixes (in order)". Whatever Domain Names you have at your company can be added here. They will be appended after the ServerA server name and resolved, one after another.
50. You are the network administrator of the litware.com domain. LitWare, Inc., has its main office in Dallas and branch office in New York, Phoenix, and Seattle. A Windows 2000 Server computer named web1.litware.com is running Internet Information Service (IIS). This computer is located in the same office. Web developers in Dallas, New York, Phoenix, and Seattle need to update each of the Web sites and virtual directories located on web1.litware.com. Different updates will be occurring simultaneously. You want to ensure that each developer can use Microsoft FrontPage to update the sites successfully and to manage content changes. What should you do?
A. Run the fpremadm command to install the server extensions for IIS on web1.litware.com. Configure the server extensions for each web site. B. Run the fpsrvadm command to install the server extensions for IIS on web1.litware.com. Configure the server extensions for each Web site. C. Install the server extensions for IIS on web1.litware.com by selecting Upgrade Extensions from All Tasks menu in IIS. Configure the server extensions for each Web site. D. Configure the server extensions for each Web site by selecting Configure Server Extensions from the All Tasks menu in IIS. Configure the server extensions to allow each developer update access for each Web site.
Ans: D
51. You are the administrator of a Windows 2000 Server computer named Intra. Intra is a member of an Active Directory domain and hosts an Intranet Web Site for your company. Company policy requires that only authenticated users have access to the intranet site. All company users have a user account in the Active Directory domain. You configure directory security for the Web Site to use integrated security. However, you discover that users can access the Web Site without authentication. You need to ensure that only authenticated users can access the web site. What should you do?
A. Install Active Directory on the server. B. Select the Basic Authentication check box. C. Clear the Allow Anonymous Connection check box. D. Disable the IUSR_Intra user account on Intra. E. Clear the Allow IIS to Control Password check box.
Answer: C
52. You are the administrator of a Windows 2000 Server computer. The server hosts several web sites that have logging enabled. You use a third-party reporting utility to analyze the log files produced by the web sites. You notice that all data from 7:00pm to midnight each night is included in the following day's log file. You want all data to be included in the correct day's log file. What should you do?
A. Ensure that the log type is set to W3C. B. Change the log rollover property in the website's logging properties. C. Change the time zone setting in the time properties on the web server. D. Configure the time service on the web server to use local system account.
Answer: B
53. You are the administrator of the Blue Sky Airlines intranet. You install and configure a new Windows 2000 Server computer named server1.departments.blueskyairlines.com as an intranet server. The server hosts multiple departmental and resource Web links to the network and databases. You configure a ticketing Web site. You also configure a finance virtual directory in the departments Web site, as shown in the exhibit. "We see an exhibit in which we see the dir browsing enabling and person can see all the three". During the first morning the new server is available, users report that the only information they see in their browser is a list of HTM and ASP files. For security reasons, what is the first action you should take to stop users from seeing the contents of all the Web sites as a directory listing? What should you do?
A. Clear the directory browsing on the server properties, and apply to child WEB sites. B. Clear the directory browsing settings for the ticketing WEB sites and then apply the settings to child virtual directories. C. Clear the directory browsing checkbox for the department’s WEB sites and then apply the settings to the child virtual directory D. Clear the directory browsing checkbox for the financing virtual directory.
Answer: A (I had this on exam; scored 1000. Correction to Clonepony.)
54. You are the network administrator of the litware.com domain. LitWare, Inc., has its main office in Dallas and branch office in New York, Phoenix, and Seattle. A Windows 2000 Server computer named web1.litware.com is running Internet Information Service (IIS). This computer is located in the same office. Web developers in Dallas, New York, Phoenix, and Seattle need to update each of the Web sites and virtual directories located on web1.litware.com. Different updates will be occurring simultaneously. You want to ensure that each developer can use Microsoft FrontPage to update the sites successfully and to manage content changes. What should you do?
A. Run the fpremadm command to install the server extensions for IIS on web1.litware.com. Configure the server extensions for each web site. B. Run the fpsrvadm command to install the server extensions for IIS on web1.litware.com. Configure the server extensions for each Web site. C. Install the server extensions for IIS on web1.litware.com by selecting Upgrade Extensions from All Tasks menu in IIS. Configure the server extensions for each Web site. D. Configure the server extensions for each Web site by selecting Configure Server Extensions from the All Tasks menu in IIS. Configure the server extensions to allow each developer update access for each Web site.
Answer: D
Reason for answer: (TechNet) and I have done this before.
The FrontPage snap-in is a Microsoft Management Console interface similar to the IIS snap-in. The FrontPage snap-in administers the FrontPage Server Extensions and FrontPage-extended webs, Web sites (virtual servers) in which FrontPage Server Extensions are installed. Note: The snap-in is available with Windows NT 4.0 and IIS 4.0 as well as with Windows 2000 and IIS 5.0. If you're running Windows NT 4.0 and IIS 4.0, you can also do administrative tasks with the Fpsrvwin, Fpsrvadm, and Fpremadm utilities and through the FrontPage Server Administrator.
The FrontPage snap-in is integrated into the IIS snap-in, adding commands, property sheets, and other tools required to administer the FrontPage Server Extensions. The FrontPage 2000 Server Extensions administrative interface shows up as new menu options and tabs in the MMC's IIS snap-in rather than as a separate tool. This updated IIS snap-in, which replaces the fpservwin.exe utility, gives you an interface through which you can set most of the server extensions' major functions and their respective properties. When you click the fpservwin.exe shortcut (Start, Programs, Windows NT 4.0 Option Pack, Internet Information Server, FrontPage Server Admin), you receive a message that a newer version of the server extensions exists on the machine and that you should use the Upgrade Server Extensions option from the Task menu to upgrade the server extensions. The installation leaves fpservwin.exe (and the shortcuts that point to it) in place, but they're defunct.
55. You are the administrator of a Windows 2000 Server network at Blue Sky Airlines. You configure a server named print10.marketing.blueskyairlines.local as a print server at the Los Angeles site. You create and share a variety of printers on the server for use by employees in the marketing.blueskyairlines.local domain. You want to review the configured properties of all of the shared printers on the print10.marketing.blueskyairlines.local server. You want to perform this review from a Windows 2000 Professional computer at the London site of Blue Sky Airlines.
What should you do?
A. Use your Web browser to connect to http://print10.marketing.blueskyairlines.local/printer . B. Use your Web browser to connect to http://print10.blueskyairlines.local/printer. C. Run the net view \\print10 command. D. Run the net view \\print10.blueskyairlines.com command.
Answer: A
Reason for answer: Server help.
To manage printers from a browser: from Internet Explorer, or any other browser, type the following URL: http://PrintServerName/printers/
Or, type a specific printer URL: http://PrintServerName/PrinterName/
In All Printers on PrintServerName, click the printer you want to manage. In PrinterName on PrintServerName, you can click any function on the left pane to stop, resume, or cancel a specific document or all documents. You can also click on a specific document in the queue to see its properties. An administrator can disable Internet printing with the Group Policy setting Disable Web-based Printing. For Internet printing you must have Internet Information Service (IIS) installed on the Windows 2000 Server.
56. You are the network administrator for your company. Mike Nash is a member of the Administration group, and Nate Sun is a member of the Intern group. Both groups are in the same domain. On the intranet server, the Administration group is placed in the Security group, and the Intern group is placed in the Nonsecurity group. The Security group is then granted Full Control permission for the Sales virtual directory. Nate needs to update new sales information that is located on the Sales virtual directory. What should you do so that Nate can perform this task?
A. Enable Anonymous access for the intranet server. B. Enable Anonymous access for the Sales virtual directory. C. Remove Nate from the Intern group. D. Make Nate a member of the Security group.
Answer: D Reason for answer: D is the only answer that gives Nate enough permission to make updates.
57. You are the administrator of a Windows 2000 Server computer named Intra. Intra is a member of an Active Directory domain and hosts an Intranet Web Site for your company. Company policy requires that only authenticated users have access to the intranet site. All company users have a user account in the Active Directory domain. You configure directory security for the Web Site to use integrated security. However, you discover that users can access the Web Site without authentication. You need to ensure that only authenticated users can access the web site. What should you do?
A. Install Active Directory on the server. B. Select the Basic Authentication check box. C. Clear the Allow Anonymous Connection check box. D. Disable the IUSR_Intra user account on Intra. E. Clear the Allow IIS to Control Password check box.
Answer: C
58. You are the network administrator for a branch office of a large company. Your network is connected to the company network by means of a Windows 2000 Routing and Remote Access two-way demand-dial connection over ISDN. In addition to e-mail and application traffic, sensitive company data is transferred across this connection. You want to accomplish the following goals: • All data transmitted over the connection will be secured. • Rogue routers will be prevented from exchanging routing information with either router. • Both routers in the connection will be able to validate each other. • Both routers in the connection will maintain up-to-date routing tables. • Traffic over the demand-dial link during peak business hours will be minimized. You take the following actions: • Install a Certificate Services server at the main office. • Enable EAP-TLS as the authentication protocol on both Routing and Remote Access servers. • Enable RIP version 2 on the demand-dial interfaces. Which result or results do these actions produce? (Choose all that apply)
A. All data transmitted over the connection is secure. B. Rogue routers are prevented from exchanging routing information with either router. C. Both routers in the connection are able to validate each other. D. Both routers in the connection are maintaining up-to-date routing tables. E. Traffic over the demand-dial link during peak business hours is minimized.
Answer: A, C, D
Explanation: We have enabled EAP-TLS as the authentication protocol on both Routing and Remote Access servers. EAP (Extensible Authentication Protocol) supplies secure mutual authentication, therefore the routers are able to validate each other in a secure way. EAP-Transport Level Security (EAP-TLS) supplies data encryption as well, which makes the transmitted data secure. We have enabled RIP version 2, which keeps the routing tables up-to-date by frequent broadcasts. Incorrect Answers: B: RIP version 2 is able to detect rogue routers, but we must enable this detection.
59. You are the administrator of a Windows 2000 network. Some of the members of your company's graphics department use Macintosh computers and are not using Internet Explorer as their browser. These users inform you that they cannot request a valid user certificate from your enterprise certificate authority. You want to make it possible for these users to request certificates by using Web-based enrollment. What should you do?
A. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to Basic Authentication. B. In the Policy Settings container in the CA console for your CA, add a new Enrollment Agent certificate. C. Edit the ACL on the User certificate template to grant the graphics department users Enroll access. D. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to Integrated Windows Authentication.
Answer: A
Explanation: IIS has four levels of authentication: anonymous access, which grants anyone access; basic authentication, which sends passwords over the connection in clear text; integrated Windows authentication, which uses Kerberos V5 and can only be used by Windows clients; and digest authentication, which is the best choice for publishing information on a server over the Internet and through firewalls. In this scenario there is a need to relax security so that the Macintosh users will be able to request certificates by using web-based enrollment. By setting the authentication type to Basic Authentication most browsers will be able to connect to the IIS server. Incorrect Answers: B: A new enrollment agent certificate is not needed. The Windows users are able to use the current one and so will the Macintosh users when the authentication type is changed to Basic Authentication. C: It is not necessary to change the ACL on the user certificate template for the users in the graphics department. The Windows users in the graphics department have no problem with IIS. D: Integrated Windows authentication uses Kerberos V5 and can only be used by Windows clients.
60. You are the administrator of a Web server hosted on the Internet that is running on a Windows 2000 Server computer. Your company's Web developers have developed applications that download ActiveX controls automatically to your customers' browsers. You discover that the default security settings on your customers' browsers are preventing the ActiveX controls from being downloaded automatically. You want to facilitate the downloading of ActiveX controls from your Web server to the Internet clients. What should you do?
A. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for code signing. B. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web developers to request a certificate for trust list signing. C. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for trust list signing. D. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web developers to request a certificate for code signing.
Answer: A
Explanation: A commercial Certificate Authority is needed since external clients on the Internet will use the ActiveX controls. The Web developers need to sign their ActiveX controls with code signing certificates. Incorrect Answers: B: An Enterprise Certificate Authority is used within a Windows domain and would not be trusted by Internet users. The customers are external and would not be able to access an Enterprise Certificate Authority (CA). A commercial Certificate Authority is needed. C: Trust list signing is a mechanism for allowing an administrator to specify a collection of trusted CAs. Trust list signing cannot be used to enable downloading of ActiveX controls. D: An Enterprise Certificate Authority is used within a Windows domain and would not be trusted by Internet users. The customers are external and would not be able to access an Enterprise Certificate Authority (CA). A commercial Certificate Authority is needed.
61. You are the administrator of your company's network. You are configuring your users' portable computers to allow users to connect to the company network by using Routing and Remote Access. You test the portable computers on the LAN and verify that they can successfully connect to resources on the company network by name. When you test the connection through remote access, all the portable computers can successfully connect, but they cannot access files on the computers on different segments by using the computer name. What should you do to resolve the problem?
A. Set the authentication method to allow remote systems to connect without authentication. B. Enable the computer account for each portable computer. C. Change the computer name on each portable computer. D. Install the DHCP Relay Agent on the remote access server.
Answer: D
Explanation: The DHCP Relay Agent must be installed on the Routing and Remote Access (RRAS) server. The DHCP Relay Agent allows communication between the DHCP server and the RAS clients. In particular, the RAS clients would be given the default gateway that has been configured for the scope on the DHCP server. Incorrect Answers: A: The RAS clients have already connected successfully. The problem is the default gateway setting of the clients, not the authentication method on the RRAS server. B: It is not necessary to enable the computer accounts. The remote users already have access to the network. C: It is not necessary to rename the computers. The remote users already have access to the network.
62. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Delta. Routing and Remote Access is enabled for remote access on Delta. The domain is in native mode. For all user accounts, the dial-in permission is set to control access through remote access policies. You want to allow all users in the domain to dial in during the workday. You also want to allow only members of the global security group named Support Staff to be able to dial in between 6:00 P.M. and 8:00 A.M. However, you do not want to allow the Support Staff members to be able to dial in when the log files are made each day between 7:00 A.M. and 8:00 A.M. You create four remote access policies on Delta as shown in the following table. To specify the appropriate access control for Delta, click the Select and Place button, and then drag the remote access policies and place them in the correct order. Select and Place.
Answer (policies in order, first to last): Support Staff 7-8 Deny; Support Staff all; Domain Users 6-8 Deny; Domain Users all.
Explanation: The remote access policies are applied in order. The first policy whose conditions are met is applied. Only one policy can be applied. The Support Staff policies must be applied before the Domain Users policies, since the staff members are also domain users, and staff members need access 5-7 A.M. The Deny policies must be applied before the Allow policies. If not, the Deny policies would never be applied.
63. You are the administrator of your company's network. To facilitate connections for remote administration, you install Routing and Remote Access on a Windows 2000 domain controller. You want to accomplish the following goals: • Only administrators will have dial-up access. • Dial-up connections will be accepted only from 4:00 P.M. to 7:00 A.M. • Connections will be forcibly disconnected after 20 minutes of inactivity. • All connections will encrypt all communications. • Connections will be limited to one hour. You take the following actions: • Set the level or levels of encryption to No Encryption and Basic. • Add Domain Admins to the Windows Groups policy condition. • Configure the rest of the remote access policy as shown in the exhibit. Which result or results do these actions produce? (Choose all that apply)
A. Only administrators have dial-up access. B. Dial-up connections are accepted only between 4:00 P.M. and 7:00 A.M. C. Connections are forcibly disconnected after 20 minutes of inactivity. D. All connections encrypt all communication. E. Connections are limited to one hour.
Answer: A, C
Explanation: The exhibit indicates that the default remote access policy (RAP) has been changed. This is the only RAP used. By adding Domain Admins to the Windows Groups policy condition, only the administrators have dial-up access. Furthermore, the maximum session is set to 20 minutes, therefore after 20 minutes of being connected, including being idle for 20 minutes, a forced disconnection will occur. Incorrect Answers: B: Dial-up connections are configured to restrict access to between 7:00 A.M. and 4:00 P.M., as is shown in the exhibit. Therefore connections will not be accepted between 4:00 P.M. and 7:00 A.M. the following morning. D: Some connections might be unencrypted since Basic and No Encryption are both allowed. E: Although the idle time limit is one hour, the session time is limited to 20 minutes; therefore connections are limited to 20 minutes, not one hour.
64. You are the administrator of your company's Routing and Remote Access servers. Your company's administrators are able to dial in to the company's network to perform remote monitoring and administration. This remote monitoring and administration requires an excessive amount of network bandwidth. You want to allow only administrators to use multiple phone lines, and you want to limit all other users to a single phone line. You want to configure multiple phone-line network connections to adapt to changing bandwidth conditions. When the phone lines fall below 50 percent capacity, you want to reduce the number of phone lines utilized. You also want to allow all users the ability to connect to the network by Routing and Remote Access. No default remote access policies currently exist. What should you do? (Choose three)
A. Create one remote access policy on the Routing and Remote Access server. B. Create two remote access policies on the Routing and Remote Access server. C. Allow Multilink. D. Decrease the maximum number of ports used by the Routing and Remote Access server. E. Select the Require Bandwidth Allocation Protocol (BAP) for Dynamic Multilink Requests check box. F. Increase the maximum number of dial-up sessions.
Answer: B, C, E
Explanation: No default remote access policy exists in this scenario. We need to create two remote access policies (RAPs): one which applies to the administrators and one which applies to the ordinary users. Multilink has to be allowed in the administrators' RAP. The Routing and Remote Access console is then used to enable Multilink and to enable the Bandwidth Allocation Protocol (BAP). Incorrect Answers: A: Two RAPs have to be created, not one. One should be created for the administrators and another for the users. D: Decreasing the number of ports used on the Routing and Remote Access server will decrease the number of simultaneous connections. This is not in keeping with the requirements set out in this scenario. F: Multilink has to be enabled; the number of dial-up sessions does not have to be increased.
65. You are the administrator of your company's network. Your company has branch offices in New York and Paris. Because each branch office will support its own Routing and Remote Access server, you implement a Remote Authentication Dial-In User Service (RADIUS) server to centralize administration. You remove the default remote access policy. You want to implement one company policy that requires all dial-up communications to use 40-bit encryption. You want to configure your network to require secure communications by using the least amount of administrative effort. What should you do? (Choose two)
A. Create one remote access policy on each Routing and Remote Access server. B. Create one remote access policy on the RADIUS server. C. Set encryption to Basic in the remote access policy or policies. D. Set encryption to Strong in the remote access policy or policies. E. Enable the Secure Server IPSec policy on the RADIUS server. F. Enable the Server IPSec policy on the RADIUS server.
Answer: B, C
Explanation: IAS, Microsoft's implementation of a RADIUS server, is used to centralize administration, authentication, and authorization of RAS. Remote access policies are included in this centralization. Furthermore, there are three levels of encryption on dial-up connections: Basic, Strong and Strongest. Basic is 40-bit encryption and is used on older Windows systems. Strong is 56-bit encryption and Strongest is 128-bit encryption. Strongest is only used inside North America because of legal issues. Incorrect Answers: A: Only one remote access policy on the RADIUS server has to be created, not one on each RRAS server. D: If encryption were set to Strong in a remote access policy, 56-bit encryption would be used; this would not be compatible with older Windows systems. In this scenario 40-bit encryption is required. E: By enabling the Secure Server (Require Security) IPSec policy on the RADIUS server, any clients, including the Routing and Remote Access servers, which connect to this server must be IPSec-aware. They are not in this scenario. F: Enabling the Server (Request Security) IPSec policy on the RADIUS server would still allow unencrypted communication initiated from a client that is not IPSec-aware.
66. You are the administrator of your company's network. You are configuring remote access services in your Windows 2000 domain to allow mobile users to access network resources. You want the inbound client connections to receive IP address and DHCP option configurations for the client computers. Users report that they cannot access network resources by using the server name or by searching Active Directory. You investigate and find that when you connect to the remote access server, your client computer is receiving its IP address configuration but none of the DHCP options. Internal client computers are not experiencing this problem. What should you do to resolve this problem?
A. Enable IP routing in the remote access server's Properties dialog box. B. Disable IP routing in the remote access server's Properties dialog box. C. Configure a static address pool on the remote access server. D. Configure the remote access server to act as a DHCP Relay Agent.
Answer: D
Explanation: In this scenario the mobile users receive their IP configurations from the remote access server, but they are not able to receive any DHCP options. In order to enable this, a DHCP Relay Agent must be configured on the remote access server. This allows DHCPINFORM messages, which are used to obtain Windows Internet Name Service (WINS) and Domain Name System (DNS) addresses, the domain name, the default gateway and other DHCP options originating from the DHCP server, to reach the mobile clients. Incorrect Answers: A: The mobile clients are able to connect to the remote access server, so this is not a communication problem. Therefore enabling IP routing will not solve the problem. B: The mobile clients are able to connect to the remote access server, so this is not a communication problem. Therefore disabling IP routing will not solve the problem. C: The mobile clients receive the correct IP configurations from the remote access server. Therefore it is not necessary to create a static address pool on the remote access server.
67. You are the administrator of a Windows 2000 domain named contoso.com. The domain has a Windows 2000 member server computer named Ras1 and a Windows 2000-based DHCP server computer named Dora. Routing and Remote Access is enabled for remote access on Ras1. The network has two DNS servers that use the IP addresses 10.1.5.2 and 10.1.5.3. Ras1 is configured to use DHCP to assign IP addresses to the remote access client computers. The configuration of the scope options on the DHCP server is shown in the following window. The DHCP scope does not have any client computer reservations. When remote access client computers dial in to Ras1, they receive an IP address from the DHCP scope range, but they do not receive the DNS address configured in the DHCP scope. Instead, the remote access client computers receive a DNS server address of 10.1.5.2. You want the remote access client computers to receive the DNS option from the DHCP server. How should you configure the network to accomplish this goal?
A. Configure the remote access client computers to enable DHCP on the dial-up connection. B. Configure Ras1 to use Windows authentication. C. Install and configure the DHCP Relay Agent routing protocol on the internal interface of Ras1. D. On the DHCP server, configure the DNS scope option of 10.1.5.3 for the Default Routing and Remote Access user class.
Answer: C
Explanation: In this scenario, the remote clients are receiving the DNS server address 10.1.5.2 from Ras1 instead of the one specified in the scope, because they are not able to receive DHCPINFORM replies from the DHCP server on Dora. In order to enable this, a DHCP Relay Agent must be configured on the internal interface of Ras1. This is done by adding the SideB interface to the DHCP Relay Agent IP routing protocol. The DHCP Relay Agent protocol must also be configured with the IP address of a DHCP server, in this case the IP address of ServerA. Incorrect Answers: A: DHCP cannot be configured on a dial-up connection. B: This is a DHCP problem, not an authentication problem. The RAS clients can perform remote access, but they are configured with the incorrect DNS server. D: The exhibit indicates that the correct DNS scope option of 10.1.5.3 has already been defined. There is also no Default Routing and Remote Access user class.
68. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Ras5. Routing and Remote Access is enabled for remote access on Ras5. The domain also has a Windows NT 4.0 member server computer named Ras4. Ras4 is running Remote Access Service (RAS). The domain is in mixed mode. Users in the domain use Windows 2000 Professional computers to dial in to the network through Ras4 or Ras5. However, Ras4 is not able to validate remote access credentials of domain accounts. How should you configure the network to enable the Windows NT 4.0 Ras4 member server computer to validate remote access domain users?
A. Change the domain from mixed mode to native mode. B. Add the Ras4 computer account to the RAS and IAS Servers group. C. Add the Everyone group to the Pre-Windows 2000 Compatible Access group. D. Create a remote access policy that has the Ras4 computer account as a condition. Grant remote access permission if the condition matches the properties of the dial-in attempt.
Answer: C
Explanation: Pre-Windows 2000 Compatible Access is a backward-compatibility group which allows read access on all users and groups in the domain. In this scenario the NT 4.0 RAS server Ras4 needs to access the user accounts of the domain. This is done by adding the Everyone group to the Pre-Windows 2000 Compatible Access group. We can verify that the Everyone group is a member of the Pre-Windows 2000 Compatible Access group with the net localgroup "Pre-Windows 2000 Compatible Access" command. If not, we can issue the net localgroup "Pre-Windows 2000 Compatible Access" everyone /add command on a domain controller and then restart the domain controller. Incorrect Answers: A: A domain that contains Windows NT servers cannot run in native mode; it can only run in mixed mode. B: The Windows NT 4.0 RAS server will not be able to access the properties of user accounts by being added to any group. The Everyone group has to be added to the Pre-Windows 2000 Compatible Access group. D: Creating a new remote access policy will not enable the NT 4.0 RAS server to access the properties of the user accounts of the domain.
69. You are the administrator of your company's network. Your Web server is configured to run a third-party Web application for users on your network. Another network administrator in your company has recently made some configuration changes to secure the server. Users report that each time they try to connect to the secure Web server, they receive the following error message: "Web page requested is not available". Users have no problem connecting to FTP, and you have verified that the Web service has started. You want to discover why users are receiving the error message. What should you do to diagnose the problem?
A. Verify that port 21 and port 20 are permitted in your TCP/IP filter. B. Verify that port 443 is permitted in your TCP/IP filter. C. Verify that the correct NTFS file permissions are set on the Web pages. D. Verify that port 80 is permitted in your TCP/IP filter.
Answer: B
Explanation: Port 443 is used for secure Web traffic (HTTPS). Therefore the TCP/IP filter should permit this port. Incorrect Answers: A: Port 20 and port 21 are used for FTP traffic. C: This is not a permission problem; the Web page that was requested was not available. D: Port 80 is used by HTTP. HTTPS, the secure Web protocol, uses port 443.
70. You are the administrator of a Windows 2000 network that has a main office and one branch office. You use PPTP to connect the main office to the branch office. You want to verify that the strongest possible level of data encryption is supported for the connection. What should you do?
A. In the Routing and Remote Access console, verify that the dial-in profile used to establish the connection between the two offices allows only MS-CHAP. B. In the properties of the Routing and Remote Access server objects in the Routing and Remote Access console, verify that the Extensible Authentication Protocol is using MD5-CHAP. C. In the properties of the PPTP interfaces in the Routing and Remote Access console, verify that MS-CHAP v2 is being used as the authentication method. D. In the properties of the PPTP interfaces in the Routing and Remote Access console, verify that Password Authentication Protocol (PAP) is being used as the authentication method.
Answer: B
Explanation: We can use EAP to support authentication schemes such as Generic Token Card, MD5-Challenge (MD5-CHAP), Transport Level Security (TLS) for smart card support, and S/Key, as well as any future authentication technologies. Extensible Authentication Protocol using MD5-CHAP is more secure than MS-CHAP v2, MS-CHAP and PAP. Incorrect Answers: A: CHAP uses encrypted authentication but is vulnerable. B: MD5-CHAP, the Message Digest 5 Challenge Handshake Authentication Protocol. This protocol encrypts user names and passwords with an MD5 algorithm. C: MS-CHAP v2 is an improvement on CHAP. In MS-CHAP the challenge response is calculated with a Message Digest 4 (MD4)-hashed version of the password. D: PAP uses plaintext and is not a secure authentication protocol.
71. You are the administrator of a mixed Windows NT 4.0 and Windows 2000 network. All of the Windows 2000 Server computers in your network are member servers of a single Windows NT 4.0 domain. You want to use two of these servers to test configurations of IPSec that use the Kerberos authentication protocol. What should you do?
A. On both servers, create a new IPSec policy. Configure a rule so that it will not use a tunnel. Specify shared secret key authentication. Assign the new policy. B. On one of your servers, install a stand-alone root Certificate Authority (CA). Create a digital certificate for both servers. On both servers create a new IPSec policy and specify the issued certificate for authentication. Assign the policy. C. On both servers, create a new IPSec policy. Specify the tunnel endpoint as the IP address of the partner server and specify a shared secret key to use for authentication. Assign the new policy. D. Promote one of the servers to a domain controller. Assign the domain controller the default Secure Server IPSec policy. Assign the other server the default Client IPSec policy.
Answer: D
Explanation: Active Directory is needed for Kerberos authentication. Kerberos is not supported in Windows NT 4.0. Therefore we must promote one of the Windows 2000 member servers to a domain controller, use Secure Server (Require Security) on this domain controller, and configure the other server with the Client IPSec policy. To promote a Windows 2000 member server to a domain controller we must install Windows NT 4.0 as a backup domain controller (BDC), promote the BDC to a primary domain controller (PDC), and then promote it to a Windows 2000 mixed-mode domain controller. Incorrect Answers: A: A Windows 2000 domain controller is required for Kerberos authentication. B: A Windows 2000 domain controller is required for Kerberos authentication. C: A Windows 2000 domain controller is required for Kerberos authentication.
72. You are the administrator of your company's network. The network is configured as shown in the exhibit. You are configuring your Windows 2000 Server computer that runs Internet Information Services (IIS). Your server uses the IP address 131.107.2.2 to support Internet users. Your server uses the IP address 10.1.1.2 to support an intranet application. You want to configure your server to permit only Web communications from the Internet. You also want to configure your server to allow access to shared folders and other resources for users on the intranet. What should you do? (Choose two)
A. Enable a TCP filter. Permit only port 80 on the network adapter that uses the IP address 131.107.2.2. B. Enable a TCP filter. Permit only port 21 and port 20 on the network adapter that uses the IP address 131.107.2.2. C. Permit all ports on the network adapter that uses the IP address 131.107.2.2. D. Enable a TCP filter. Permit only port 80 on the network adapter that uses the IP address 10.1.1.2. E. Enable a TCP filter. Permit only port 21 and port 20 on the network adapter that uses the IP address 10.1.1.2. F. Permit all ports on the network adapter that uses the IP address 10.1.1.2.
Answer: A, F
Explanation: In this scenario external Internet users will use the 131.107.2.2 IP address to reach the Web server. Therefore that adapter should only be enabled for Web traffic (HTTP), which uses TCP port 80. Internal users will use the 10.1.1.2 IP address to access the Web server and its shared folders, so on that adapter all traffic should be permitted. Incorrect Answers: B: Port 20 and port 21 are used for FTP traffic; port 80 is used for HTTP traffic. We should therefore permit port 80 on the Internet interface of the Web server. C: Only port 80 should be permitted on the Internet interface of the Web server. D: All ports should be permitted on the internal interface of the Web server, not only Web traffic. E: All ports should be permitted on the internal interface of the Web server, not only FTP traffic.
73. You are the administrator of your company's network. Your network is configured in a Windows 2000 domain as shown in the following diagram. Acct1 and Acct2 belong to the accounting department. Sales1 and Sales2 belong to the sales department. Production1 and Production2 belong to the production department. Manager1 belongs to the management department. The accounting department does not access the Internet. You want to accomplish the following goals: • All communications involving Acct1 and Acct2 will be encrypted. • Internet communications will not be encrypted. • Communications between the sales department and the management department will be encrypted. • Performance overhead for encryption will be minimized. You take the following actions: • Create an organizational unit (OU) structure as shown in the exhibit. • Add Acct1 and Acct2 to the ACCT OU. • Add Sales1 and Sales2 to the Sales OU. • Add all other computers to the Comp OU. • Assign the default Secure Server IPSec policy to the domain. Which result or results do these actions produce? (Choose all that apply)
A. All communications involving Acct1 and Acct2 are encrypted. B. Internet communications are not encrypted. C. Communications between the sales department and the management department are encrypted. D. Performance overhead for encryption is minimized.
Answer: A, C
Explanation: By choosing Secure Server (Require Security) as the default for the domain, all communication would be encrypted: in particular all communication involving Acct1 and Acct2, communications between the sales and the management departments, and Internet communication. Incorrect Answers: B: By choosing Secure Server (Require Security) as the default for the domain, all communication with the servers, even Internet communication, would be encrypted. D: Since even Internet communication is encrypted, even though it is not required, the performance overhead for encryption is not minimized.
74. You are the administrator of your company's network. Your network consists of Windows 2000 server computer and Windows 2000 Professional computers. You create an IPSec policy named accountingsec for use by employees in your accounting department. Your company is concerned that the keys used for encryption could be compromised and used to decrypt future communications. You want to prevent the re-use of previous-session keys. You also want to limit performance degradation. What should you do? A. Decrease the frequency of policy checks for updates. B. On the Generate a new key every property, modify the time allocations. C. Select the Master key perfect forward secrecy check box. D. Select the Session key perfect forward secrecy check box.
Answer: D
Explanation: Session key PFS performs a fresh Diffie-Hellman exchange for every session (quick mode) rekey, so no session key is derived from the material that produced an earlier one, and it does so without re-authenticating the peers. That prevents reuse of previous session keys at the lowest cost. Incorrect Answers: A: The frequency of policy checks controls how often the computer polls for policy changes; it has nothing to do with key reuse. B: Shortening the Generate a new key every interval rekeys more often, but each new session key is still derived from the same master key material, so a compromise of that material still exposes every session key. C: Master key PFS also prevents key reuse, but it forces a new main mode negotiation, including re-authentication, for every rekey; that adds load on the domain controllers and is the performance degradation the scenario wants to limit.
75. You are the administrator of a Windows 2000 network. The administrator of your company's Human Resources Organizational Unit wants to be able to manage Encrypting File System for the users in their department. The administrators of the human resources department belong to a group named HRAdmins, which has full administrative privileges to the OU. To make it possible for the members of HRAdmins to manage EFS for the users in their department, you install an Enterprise Certificate Authority for use by the entire company. However, the administrators of the human resources department notify you that they are unable to create a Group Policy that allows them to manage EFS for their department. What should you do to enable the administrators of the Human Resources Organizational Unit to create a Group Policy to manage EFS for the users in their department? (Choose Two) A. Install a Subordinate Enterprise CA for use by the human resources department. B. In the certification Authority console for the CA, add a new policy setting for a EFS Recovery Agent certificate. C. In the certification authority console for the CA, add a new policy setting for a Basic EFS certificate. D. In Active Directory sites and services, grant the Enroll permission to the HRAdmins for the Enrollment Agent Certificate Template. E. In Active Directory sites and services, grant the Enroll permission to the HRAdmins for the EFS Recovery Certificate Template. F. In Active Directory sites and services, grant the Enroll permission to the HRAdmins for the EFS Certificate Template.
Answer: B, E
Explanation: The administrators of the Human Resources department must be able to enrol as EFS Recovery Agents in order to administer EFS for their department. This is done by adding a new policy setting for an EFS Recovery Agent certificate on the Enterprise CA and granting the Enroll permission to HRAdmins on the EFS Recovery Certificate Template in Active Directory Sites and Services. Incorrect Answers: A: It is not necessary to install a subordinate Enterprise CA; the existing Enterprise CA can issue the certificates. C: A policy setting for an EFS Recovery Agent certificate, not a Basic EFS certificate, should be added. D: HRAdmins needs Enroll permission on the EFS Recovery Certificate Template, not on the Enrollment Agent Certificate Template. F: HRAdmins needs Enroll permission on the EFS Recovery Certificate Template, not on the (Basic) EFS Certificate Template.
76. You are the administrator of a Windows 2000 network. Your Public Key Infrastructure consists of an offline Certificate Authority (CA) and a number of subordinate CAs. Your company is selling one of its divisions. This division has a subordinate CA that it uses to issue certificates. You want to ensure that once the division is sold, applications and other CAs on your network will not accept the former division’s certificates. You also want to ensure that you can implement your solution by using a minimum amount of administrative effort. What should you do? A. On the division’s subordinate CA, revoke all the certificates it has issued. Publish the Certificate Revocation List (CRL) to a server on your network. Uninstall the CS software and remove the CS files. B. On the company's root CA, revoke the certificate of the division’s subordinate CA. Publish the Certificate Revocation List (CRL). C. On the division’s subordinate CA, revoke the certificates it has issued. Publish the Certificate Revocation List. Copy the EDB.LOG file from the subordinate CA to the Certificate Distribution Point on your network. D. On the company's root CA, revoke the certificate of the division’s subordinate CA. Publish the Certificate Revocation List (CRL). Copy the CRL file to the Certificate Distribution Point on your network. E. On the division’s subordinate CA, revoke the certificates it has issued. Publish the Certificate Revocation List. Copy the CRL file to the Certificate Distribution Point on your network. Disconnect the CA from the network.
Answer: D
Explanation: Revoking the subordinate CA's own certificate at the root, instead of every certificate that CA has issued, achieves the goal with the least administrative effort: any certificate that chains through the division's CA then fails validation, including certificates the division issues after the sale. Revocation is a two-step process: revoke the certificate, then publish the Certificate Revocation List (the CRL itself is generated automatically) and make sure it reaches the CRL distribution point that applications and other CAs check. Incorrect Answers: A: Revoking every certificate the CA has issued is a large administrative task, and it does not stop the former division's CA, which the root still trusts, from issuing new certificates; it is better to revoke the CA's own certificate. B: Revoking the subordinate CA certificate and publishing the CRL is the right start, but the CRL must also be copied to the Certificate Distribution Point on your network so that relying parties can retrieve it. C: Revoking all issued certificates is a daunting task, and edb.log is the CA database transaction log; it plays no role in revocation. E: As with A, revoking the CA certificate itself is simpler and more complete than revoking each issued certificate.
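The point behind answer D, shown as an added illustration that is not part of the original question set: a chain validator that checks every certificate in the path against its issuer's CRL rejects all of the division's certificates, including any it issues after the sale, once the subordinate CA's own certificate appears on the root's CRL. The certificates and CRLs below are constructed stand-ins (plain Python objects with made-up names and serial numbers), not X.509 structures, so signature, validity-period and CRL-freshness checks are omitted.

```python
"""Toy chain validation with CRL checking (added illustration; constructed data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class CRL:
    issuer: str
    revoked: set = field(default_factory=set)   # revoked serial numbers


def validate_chain(leaf, certs_by_subject, crls_by_issuer, trust_anchor):
    """Walk leaf -> issuer -> ... -> trust anchor. At every hop the certificate's
    serial is looked up in the CRL published by its issuer; a revoked certificate
    anywhere in the path (including an intermediate CA) fails the whole chain."""
    cert = leaf
    path = []
    while True:
        path.append(cert.subject)
        if cert.subject == trust_anchor:
            return True, path
        crl = crls_by_issuer.get(cert.issuer)
        if crl is not None and cert.serial in crl.revoked:
            return False, path
        cert = certs_by_subject.get(cert.issuer)
        if cert is None:            # issuer unknown: chain cannot reach the anchor
            return False, path


def revoke(crls_by_issuer, issuer, serial):
    crls_by_issuer.setdefault(issuer, CRL(issuer)).revoked.add(serial)


def count_valid(certs_by_subject, crls_by_issuer, trust_anchor="RootCA"):
    return sum(1 for c in certs_by_subject.values()
               if validate_chain(c, certs_by_subject, crls_by_issuer, trust_anchor)[0])


def build_pki():
    """Constructed PKI: offline root, a sub-CA for the division being sold,
    a sub-CA for the rest of the company, and a few end-entity certificates."""
    root = Cert("RootCA", "RootCA", 1)
    division_ca = Cert("DivisionCA", "RootCA", 2)
    hq_ca = Cert("HQCA", "RootCA", 3)
    leaves = [Cert(f"divuser{i}", "DivisionCA", 100 + i) for i in range(3)]
    leaves.append(Cert("hqserver", "HQCA", 200))
    certs = {c.subject: c for c in [root, division_ca, hq_ca, *leaves]}
    crls = {name: CRL(name) for name in ("RootCA", "DivisionCA", "HQCA")}
    return certs, crls


def compare_approaches():
    """Options A/C/E style (revoke every issued cert) versus option D (revoke the sub-CA)."""
    new_after_sale = Cert("divuser_new", "DivisionCA", 999)   # issued after the sale

    certs_a, crls_a = build_pki()
    for serial in (100, 101, 102):
        revoke(crls_a, "DivisionCA", serial)
    per_leaf = {
        "crl_entries": len(crls_a["DivisionCA"].revoked),
        "still_valid": count_valid(certs_a, crls_a),
        "new_cert_accepted": validate_chain(new_after_sale, certs_a, crls_a, "RootCA")[0],
    }

    certs_d, crls_d = build_pki()
    revoke(crls_d, "RootCA", certs_d["DivisionCA"].serial)   # one entry on the root's CRL
    sub_ca = {
        "crl_entries": len(crls_d["RootCA"].revoked),
        "still_valid": count_valid(certs_d, crls_d),
        "new_cert_accepted": validate_chain(new_after_sale, certs_d, crls_d, "RootCA")[0],
    }
    return per_leaf, sub_ca


if __name__ == "__main__":
    print(compare_approaches())
```

Per-leaf revocation needs one CRL entry per certificate and still accepts a certificate the division issues afterwards, because the division's CA certificate is untouched; revoking the sub-CA certificate is a single entry and closes that door as well. A real validator would additionally verify each certificate's signature and validity period and check that the CRL is signed by the issuer and not past its next-update time.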
77. You are the administrator of Windows 2000 domain. The domain has a Windows 2000 member server computer named Vegas. Routing and remote access is enabled for remote access on Vegas. Some of the remote access client computers require the use of CHAP. You enable CHAP on Vegas. You also configure the appropriate remote access policy to use CHAP. However, users who require CHAP report that they are not able to dial in to Vegas. What should you do? A. Configure Vegas to prohibit the use LAN manager authentication. B. Configure Vegas to disable use of link control protocol (LCP) extensions. C. Configure the user accounts by selecting Store passwords using reversible encryption. Set the user passwords to change the next time each user logs on. D. Configure the user account to use static IP address when they dial into the network.
Answer: C
Explanation: CHAP is a challenge-response scheme in which the client returns MD5(identifier, password, challenge); to check that response the server must be able to recover the user's password, which it cannot do from the one-way hashes Windows normally stores. To enable CHAP-based authentication, therefore, we must enable CHAP as an authentication protocol on the remote access server, enable CHAP in the appropriate remote access policy, enable storage of a reversibly encrypted form of the user's password, force a reset of the user's password so that a reversibly encrypted copy exists, and enable CHAP on the Windows 2000 remote access client. Enabling reversible storage does not convert existing passwords; a recoverable copy is created only the next time the password is set, so we must either reset user passwords or require users to change them at next logon. Incorrect Answers: A: LAN Manager authentication concerns legacy clients, for example DOS, and does not affect CHAP. B: Disabling LCP extensions can help with certain Internet Service Provider login problems; it does not help with this RRAS dial-in problem. D: This is an authentication problem, not an IP configuration problem.
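To see why the reversible-encryption step is unavoidable, here is an added example (not from the original dump) of the CHAP computation from RFC 1994 against a constructed account store. Windows keeps the reversible copy encrypted under a system key rather than in the clear; the store below keeps it in the clear purely to show what the server needs, and the names UserStore, server_verifies_chap and demo are made up for this illustration.

```python
"""CHAP verification needs the password itself (added illustration, constructed data)."""
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side, RFC 1994 section 2.2: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the same one-way function. This is only possible if the
    server holds Secret in a recoverable form; a one-way hash of Secret is useless here."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


class UserStore:
    """Constructed stand-in for an account database. `reversible` models the
    'Store password using reversible encryption' option. Windows keeps that copy
    encrypted under a system key; it is kept in the clear here only for clarity."""

    def __init__(self, password: bytes, reversible: bool = False):
        self.reversible = reversible
        self.recoverable = None
        self.set_password(password)

    def set_password(self, password: bytes) -> None:
        self.one_way_hash = hashlib.sha256(password).digest()   # what a normal store keeps
        # The recoverable copy is written only when a password is set, and only if the
        # option is already on. Enabling the option later converts nothing by itself.
        self.recoverable = password if self.reversible else None

    def enable_reversible_encryption(self) -> None:
        self.reversible = True


def server_verifies_chap(store: UserStore, identifier: int, challenge: bytes, response: bytes):
    """Returns True/False when the server can check the response, None when it cannot
    because no recoverable password exists for the account."""
    if store.recoverable is None:
        return None
    return chap_verify(identifier, store.recoverable, challenge, response)


def demo():
    """Walk through the failure in the question and the fix; returns the four outcomes."""
    challenge = bytes(range(16))            # constructed; a real server picks this randomly
    response = chap_response(7, b"Passw0rd", challenge)

    store = UserStore(b"Passw0rd")          # account created before the option was enabled
    before = server_verifies_chap(store, 7, challenge, response)          # None: cannot verify

    store.enable_reversible_encryption()    # the option alone changes nothing ...
    after_enable = server_verifies_chap(store, 7, challenge, response)    # still None

    store.set_password(b"Passw0rd")         # ... until the user's password is set again
    after_reset = server_verifies_chap(store, 7, challenge, response)     # True

    wrong = server_verifies_chap(store, 7, challenge, chap_response(7, b"other", challenge))
    return before, after_enable, after_reset, wrong                       # (None, None, True, False)


if __name__ == "__main__":
    print(demo())
```

The same reasoning explains why MS-CHAP and MS-CHAP v2 do not need the option: their responses are computed from the NT hash of the password, which the server already stores, whereas plain CHAP needs the password itself.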
78. You are the administrator of a Windows 2000 domain. The Domain has a Windows 2000 member server computer named Helsinki. Routing and remote access is enabled for remote access on Helsinki. Users in the domain are able to dial in to the network by using their Windows 2000 Professional computers. Your company has a group named sales. You want to allow members of the sales group to use a smart card for the remote authentication. The dial-in permission for all users in the sales group is set to control access through remote access policy. You create a new access policy named sales access. This remote access policy grants remote access to members of the sales group any time of the day. This remote access policy is the first policy on the list of remote access policies on Helsinki. Members of the sales group are able to dial in to the network, but they report that they are unable to use a smart card for remote authentication. You want to ensure that members of the sales group are able to use the smart card authentication method. What should you do? A. In active directory, add Helsinki to the Pre-Windows 2000 compatible access group. B. Enable EAP as an authentication method on the Helsinki remote access server and the Windows 2000 remote access client computers. Enable EAP in the profiles of the sales access remote access policy. C. For all the member of the sales group, select stored passwords using reversible encryption. D. For all the members of the sales group, configure the user account to be trusted for delegation.
Answer: B
Explanation: Smart card authentication requires the Extensible Authentication Protocol (EAP). EAP has to be enabled on the remote access server, on the remote access clients, and in the profile of the Sales Access remote access policy. Incorrect Answers: A: Pre-Windows 2000 Compatible Access is a backward-compatibility group that grants read access to all users and groups in the domain; adding Helsinki to it does not enable smart card authentication. C: Storing passwords using reversible encryption is needed for CHAP; it is not used for smart card authentication. D: Trusted for delegation lets a user or computer access resources on another computer on a client's behalf; it is not used for smart card authentication.
79. You are the administrator of your company's network. The network consists of one Windows 2000 domain running in native mode. You are not running Certificate Services in the domain. Your company is a sales organization and has 150 salespeople. When these salespeople are out of office, they require file and print services, e-mail and access to the company's product and inventory database. These salespeople belong to a group named SalesMobile. Your company has dedicated T1 access to the internet. Your company also uses a virtual private network (VPN) to reduce the costs and hardware required to support the salespeople. You want to accomplish the following goals: • Required network resources will be accessible to all salespeople. • Connections to the network will be made only by salespeople. • Sensitive company data will be kept confidential over the VPN connections. • Access to the network will only take place during business hours. • All salespeople will be able to connect to the network simultaneously. You take the following actions: • Install routing and remote access on a Windows 2000 server computer and configure virtual private networking. • Grant the salespeople the Allow Access dial-in permission. • Edit the default remote access policy to grant remote access permission. • Edit the default remote access profile to require strong encryption of data. Which result or results do these actions produce? A. Required network resources are accessible to all salespeople. B. Connections to the network are made only by salespeople. C. Sensitive company data is kept confidential over the VPN connections. D. Access to the network only takes place during business hours. E. All salespeople are able to connect to the network simultaneously.
Answer: A, C
Explanation: A: The salespeople can reach network resources because their accounts have the Allow Access dial-in permission and the default remote access policy, which has no restrictive conditions, grants access. C: The default remote access profile is edited to require strong data encryption, and the VPN is the only way in, so company data is kept confidential on the wire. Incorrect Answers: B: In native mode the default dial-in permission is Control access through Remote Access Policy, which applies to every account other than the salespeople (who have Allow access). Because the default remote access policy has been edited to grant access and has no restrictive conditions, any domain user can connect, not only salespeople. D: No day-and-time restriction has been added to the policy; the default allows access at all times, so access is not limited to business hours. E: The number of PPTP ports created by default is fewer than 150, so all 150 salespeople cannot connect simultaneously until the PPTP port count is raised to at least 150.
80. You are the administrator of your company’s network. You are configuring a Windows 2000 network for dial up access. Your users need to access their computers from home. To increase security your company issue smart cards to all users who have dial up access. You need to configure your routing and remote access server. What should you do? (Choose two) A. Select the Extensible Authentication Protocol (EAP) check box. B. Select the Microsoft encrypted authentication version 2 (MS-CHAP v2) to check box. C. Install a computer certificate on the routing and remote access server. D. Install a smart card logon certificate on the routing and remote access server. E. Install a computer certificate on the dial-up access client computer.
Answer: A, C
Explanation: Smart card authentication over remote access uses EAP-TLS, so EAP must be selected as an authentication method on the routing and remote access server. In EAP-TLS the client proves its identity with the certificate on its smart card and the server proves its identity with a computer (machine) certificate, so a computer certificate must be installed on the routing and remote access server. Incorrect Answers: B: MS-CHAP v2 is a password-based method; smart cards require EAP. D: A smart card logon certificate is a user certificate that lives on the card; the server authenticates with a computer certificate, not a smart card logon certificate. E: The client authenticates with the certificate on its smart card; it does not need a computer certificate for this.
81. You are the administrator of your company’s network. Your company employs account executives who need access to the latest company data when they are traveling. You want to ensure that your company will establish the network connection for your account executives regardless of where the call originates. Your company also allows vendors access to the network by routing and remote access to submit purchase orders. To ensure network security, your company wants to specify the location from which vendors can connect. You want to configure your company’s routing and remote access server to facilitate access for account executive and vendors. Which three actions should you take to ensure this configuration? (Choose three) A. Set the Callback option to Always Callback to for the account executives. B. Set the Callback option to Set by Caller for the account executives. C. Set the Callback option to No callback for the vendors. D. Set the Callback option to Always Callback to for the vendors. E. Set the Callback option to Set By Caller for the vendors. F. Enable link Control protocol (LCP) extensions. G. Enable EAP.
Answer: B, D, F
Explanation: With Set by Caller, the account executive supplies the callback number when connecting and the server calls back to it, so the company establishes the connection wherever the executive happens to be. With Always Callback to, the server hangs up and calls back only the number stored in the vendor's account, so the company controls the location from which vendors connect. Callback is negotiated as an LCP extension, so LCP extensions must be enabled on the server for either callback setting to work. Incorrect Answers: A: Always Callback to ties the executive to a single stored number; the executives must be reachable wherever they call from, so Set by Caller is required. C: No callback would let vendors connect from any location, which must not be allowed. E: Set by Caller would let vendors choose their own callback number, defeating the location control. G: EAP is an authentication method; it has nothing to do with callback or with where a caller connects from.
82. You are the administrator of your company's network, which consists of a single Windows 2000 Domain. Your human resources department maintains a confidential database server named HRSvr1. because the information in the database is essential to your company's successful operation, HRSvr1 requires he highest possible level of security. The only server that exchanges confidential information with HRSvr1 is a middle-tier application server named HRClt2 provides client query responses to HR users. These responses are secured by application level encryption. A former administrator configured custom IPSec policies on both HRSvr1 and HRClt2. however, you suspect that these policies do not provide an adequate level of security for traffic between the two servers. When you run the IP security monitor on HRClt2, you receive the output shown in the exhibit. You need to modify the existing IPSec policies to secure all traffic between the two servers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose Two) A. Configure the IPSec policy properties on both servers to include both 2DES and DES algorithms. B. Configure IPSec policy properties on both servers to include both HMAC-SHA and HMAC-MD5 algorithms. C. Configure IPSec session Key PFS (Perfect Forward secrecy) on HRSvr1 D. Configure IPSec Master Key PFS (Perfect Forward secrecy) on HRClt2 E. Set the IP filter on HRClt2 to include only the IP address of HRSvr1 F. Set the IP filter action on both servers to negotiate both authentication header (AH) and encapsulating security payload (ESP) protocol traffic with peer.
Answer: B, C
Explanation: B: HMAC-SHA1 and HMAC-MD5 are the integrity algorithms IPSec can negotiate; listing both on each server ensures the peers can agree on a method that authenticates every packet. C: Session key PFS performs a fresh Diffie-Hellman exchange on every session rekey, so a compromise of the master key material does not expose past or future session keys. Incorrect Answers: A: DES and 3DES are confidentiality (encryption) algorithms, not integrity algorithms, and there is no algorithm called 2DES, so the option as written is not valid; in any case single DES is weak and would lower, not raise, the security level. D: Master key PFS forces a new main mode negotiation, with re-authentication, for every rekey and adds overhead the scenario does not call for; PFS must also be configured consistently on both peers, so setting it on HRClt2 alone does not help. E: Narrowing the filter on HRClt2 to HRSvr1's address limits which traffic the policy matches; it does not strengthen the protection negotiated for that traffic. F: The weakness is in the negotiated security methods, not in which IPSec protocols are offered; negotiating AH and ESP together does not by itself fix weak methods.
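Added example (not from the original question set) that serves both question 74 and question 82: a simulation of the IKE keying hierarchy showing what session key PFS protects and what it costs compared with master key PFS. It follows the shape of the IKEv1 (RFC 2409) derivations, KEYMAT = prf(SKEYID_d, [g^xy |] protocol | SPI | Ni | Nr), with HMAC-SHA256 standing in for the prf. The Diffie-Hellman group is a deliberately tiny 127-bit toy group, not an IKE MODP group, and all function names are assumptions for this illustration; nothing here is Windows 2000's implementation.

```python
"""IKE-style key hierarchy with and without PFS (added illustration; toy DH group)."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime modulus, illustration only (not an IKE MODP group)
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def main_mode() -> bytes:
    """Phase 1 (main mode): DH exchange plus peer authentication. Yields SKEYID_d,
    the master keying material both peers keep for deriving session keys."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    skeyid_d = prf(dh_shared(xi, gr), b"SKEYID_d")
    assert skeyid_d == prf(dh_shared(xr, gi), b"SKEYID_d")   # both peers agree
    return skeyid_d


def quick_mode(skeyid_d: bytes, pfs: bool):
    """Phase 2 (quick mode) rekey. Returns (initiator key, responder key, wire transcript).
    Without PFS: KEYMAT = prf(SKEYID_d, proto | SPI | Ni | Nr)
    With PFS:    KEYMAT = prf(SKEYID_d, g^xy | proto | SPI | Ni | Nr), fresh DH each time"""
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    if not pfs:
        k = prf(skeyid_d, b"ESP" + spi + ni + nr)
        return k, k, (spi, ni, nr)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ki = prf(skeyid_d, dh_shared(xi, gr) + b"ESP" + spi + ni + nr)
    kr = prf(skeyid_d, dh_shared(xr, gi) + b"ESP" + spi + ni + nr)
    # xi and xr are discarded on return; only gi and gr ever appear on the wire
    return ki, kr, (spi, ni, nr, gi, gr)


def attacker_recovers(skeyid_d: bytes, transcript):
    """An attacker who recorded the exchange and later obtains SKEYID_d (the scenario in
    question 74). Returns the recovered session key, or None if it is out of reach."""
    if len(transcript) == 3:              # no PFS: derivation uses only public values
        spi, ni, nr = transcript
        return prf(skeyid_d, b"ESP" + spi + ni + nr)
    return None                           # PFS: g^xy is needed, and the exponents are gone


def rekey_cost(n_rekeys: int, mode: str):
    """Count (main-mode authentications, DH exchanges) for n session rekeys.
    mode is 'none', 'session_pfs' or 'master_pfs'."""
    auths, dh = 1, 1                      # the initial main mode
    skeyid_d = main_mode()
    for _ in range(n_rekeys):
        if mode == "master_pfs":          # new main mode, i.e. re-authentication, per rekey
            skeyid_d = main_mode()
            auths += 1
            dh += 1
            quick_mode(skeyid_d, pfs=False)
        elif mode == "session_pfs":       # extra DH only, no re-authentication
            quick_mode(skeyid_d, pfs=True)
            dh += 1
        else:
            quick_mode(skeyid_d, pfs=False)
    return auths, dh


if __name__ == "__main__":
    sk = main_mode()
    k, _, t = quick_mode(sk, pfs=False)
    print("no PFS, attacker recovers key:", attacker_recovers(sk, t) == k)
    k, _, t = quick_mode(sk, pfs=True)
    print("session PFS, attacker recovers key:", attacker_recovers(sk, t) == k)
    for mode in ("none", "session_pfs", "master_pfs"):
        print(mode, rekey_cost(10, mode))
```

Without PFS every session key is a deterministic function of SKEYID_d and values sent in the clear, so one leaked master key unlocks the whole recording. Session key PFS adds one DH exchange per rekey and nothing else; master key PFS repeats the whole main mode, which is why it costs more and touches the domain controllers again on each rekey.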
83. You are the network administrator for Lucerne Publishing. Your network consists of a single Windows 2000 Domain. Lucerne Publishing employs a full-time staff. It also contracts authors for short-term projects. All fulltime employees use portable computers that run Windows 2000 Professional. These users require remote access to network resource, such as applications and printers. Contracted authors use their personal computers, which run a variety of operating systems, including Windows 98, Windows NT 4.0, and Windows 2000 Professional. The authors require remote access to the network so they can upload draft and revisions to a file share located on a Windows 2000 Server named Srv1. To ensure connection security, you allow access to the network only by means of a virtual private network (VPN) connection through the internet. You use PPTP as the VPN protocol, and you configure four VPN servers as a Network Load Balancing (NLB) cluster. Several authors now report that they experience rejected connections when they log on and try to access srv1. Full-time employees report no problems. How should you correct this problem? A. Remove the cluster IP address from the server interfaces that receive the PPTP connections B. Remove the dedicated IP address from the server interfaces that receive the PPTP connections C. Edit the default remote access profile to grant access only to VPN connection and to increase the Disconnect if idle setting to 10 minutes. D. Edit the default remote access policy to grant access only to NAS Port Type VPN and to increase the Disconnect If Idle setting to 10 minutes.
Answer: B
Explanation: When Network Load Balancing is used to load balance Point-to-Point Tunneling Protocol (PPTP), clients running Windows 95, Windows 98 or Windows NT 4.0 may, under certain circumstances, be unable to connect to the cluster. This occurs when the NLB hosts have a dedicated IP address on the network adapter to which NLB is bound. To avoid the problem, remove the dedicated IP address from the NLB-bound interface on every cluster host. Windows 2000 clients are not affected, which is why only the contracted authors see the problem. Incorrect Answers: A: The dedicated IP address, not the cluster IP address, should be removed from the server interfaces that receive the PPTP connections. C: The down-level clients' connections are rejected immediately; they are not being dropped by the Disconnect if idle setting, which is disabled by default. D: Restricting the policy to NAS Port Type VPN and changing Disconnect if idle does not address the NLB dedicated-address problem.
84. You are the administrator of your company's network, which consists of five servers running Windows 2000 Server and 20 client computers running Windows 2000 Professional. All servers have static IP addresses and all client computers use Automatic Private IP addresses (APIPA) for IP address assignment. One server is multihomed, with a persistent connection to your company's internet service provider (ISP). Your company is acquired by another company. You must now provide internet access for all internal users. You must also enable remote users to access your internal servers. Your solution must involve the fewest possible changes to your current network configuration. Which action or actions should you perform? (Choose all that apply) A. Enable Internet Connection Sharing on the multihomed server B. Install the Network address Translation protocol (NAT) on the multihomed server. C. Configure the multihomed server as a DHCP allocator and exclude the static server addresses D. Map the internal server addresses and ports to IP addresses in a pool assigned by your ISP. E. Configure the external interface on the multihomed server as a demand-dial interface for DNS query resolution.
Answer: B, C, D
Explanation: B: The Network Address Translation routing protocol must be added to Routing and Remote Access on the multihomed server so that internal clients can share the persistent ISP connection. C: There is no DHCP server on the network and the clients use APIPA addresses, so the NAT computer must also act as a DHCP allocator, with the servers' static addresses excluded from its range. D: For remote users to reach the internal servers, the internal server addresses and ports must be mapped to public addresses in the pool assigned by the ISP (the NAT interface's address pool and special ports settings); otherwise inbound connections are not translated. Incorrect Answers: A: ICS would provide outbound Internet access, but it forces a fixed 192.168.0.x addressing scheme on the internal network and does not offer the address-pool and port mappings needed for remote users to reach several internal servers. E: The ISP connection is persistent, so no demand-dial interface is needed.
85. You are the network administrator for Luceme Publishing. Your company employs a full-time staff. It also contracts authors for short-term projects. All full-time employees use portable computers running Windows 2000 Professi |