
Implementing and Administering Security in a Microsoft Windows Server 2003 Network


VUE/Prometric Code: 70-299

Exam Name: Implementing and Administering Security in a Microsoft Windows Server 2003 Network
Questions and Answers: 55 Q&As
Price: $49
Updated: 2008-11-12


Killtest 70-299 Exam Features

High quality and Value for the 70-299 Exam.
Killtest Practice Exams for Implementing and Administering Security in a Microsoft Windows Server 2003 Network 70-299 are written to the highest standards of technical accuracy, using only certified subject matter experts and published authors for development.

100% Guarantee to Pass Your MCSE exam and get your MCSE Certification.
We guarantee your success on the first attempt. If you do not pass the 70-299 (Implementing and Administering Security in a Microsoft Windows Server 2003 Network) on your first attempt, we will give you a FULL REFUND of your purchasing fee AND send you another product of the same value for free.

Killtest 70-299 Downloadable.
Printable Exams (in PDF format). Our Exam 70-299 Preparation Material provides you with everything you will need to take your MCSE exam. The MCSE Certification details are researched and produced by Professional Certification Experts who are constantly using industry experience to produce precise, and logical. You may get MCSE exam questions from different web sites or books, but logic is the key. Our product will help you not only pass the MCSE exam on the first try, but also save your valuable time.

  • Comprehensive questions with complete details about 70-299 exam.
  • 70-299 exam questions accompanied by exhibits.
  • Verified Answers Researched by Industry Experts and almost 100% correct.
  • Drag and Drop questions as experienced in the Real MCSE exam.
  • 70-299 exam questions updated on regular basis.
  • Like actual MCSE Certification exams, 70-299 exam preparation is in multiple-choice questions (MCQs).
  • Tested by many real MCSE exams before publishing.
  • Try the free MCSE exam demo before you decide to buy it at http://www.Killtest.com.


http://www.Killtest.com The safer, easier way to get MCSE Certification.

We offer a demo version of the Q&A. The questions and answers are as follows (exhibit pictures are not provided):


1. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
Eight Windows Server 2003 computers are members of the domain. These computers are used to store confidential files. They reside in a data center that only IT administration personnel have physical access to.
You need to restrict members of a group named Contractors from connecting to the file server computers. All other employees require access to these computers.
What should you do?
A. Apply a security template to the file server computers that assigns the Access this computer from the network right to the Domain Users group.
B. Apply a security template to the file server computers that assigns the Deny access to this computer from the network right to the Contractors group.
C. Apply a security template to the file server computers that assigns the Allow log on locally right to the Domain Users group.
D. Apply a security template to the file server computers that assigns the Deny log on locally right to the Contractors group.
Answer: B

2. You are a security administrator for your company. The network consists of a single Active Directory domain.
Four Windows Server 2003 computers run IIS and serve as Web servers on the Internet.
The company's written security policy states that computers that are accessible from the Internet must be hardened against attacks. The procedure for hardening computers includes disabling unnecessary services. You evaluate which services are necessary by using the following information about the Web servers:
Customers and business partners access Web content on the Web servers after they authenticate by using a user name and password. To access certain parts of the site, some of these connections use the SSL protocol.
All software is installed locally on the Web servers by using removable media, except for service packs and security patches.
The Web servers automatically download service packs and security patches from an internal computer that runs Software Update Services (SUS).
The Web servers are not functioning as any other roles.
You need to create a security template for the Web servers that disables unnecessary services and allows necessary services to operate.
What should you do?
To answer, drag the appropriate service startup types to the correct locations in the work area.

Answer:

 
3. You are a security administrator for your company. The network consists of a single Active Directory domain.
Servers run either Windows Server 2003 or Windows 2000 Server. All client computers run Windows 2000 Professional. The latest operating system service pack is installed on each computer.
Thirty Windows Server 2003 computers are members of the domain and function as file servers. Client computers access files on these file servers over the network by using the Server Message Block (SMB) protocol. You are concerned about the possible occurrence of man-in-the-middle attacks during SMB communications.
You need to ensure that SMB communications between the Windows Server 2003 file servers and the client computers are cryptographically signed. The file servers must not communicate with client computers if the client computers cannot sign SMB communications. Client computers must be able to use unsigned SMB communications with all other computers in the domain.
What should you do to configure the file servers?
A. Apply a security template that enables the Microsoft network server: Digitally sign communications (always) setting.
B. Apply a security template that enables the Microsoft network server: Digitally sign communications (if client agrees) setting.
C. Apply a security template that enables the Domain member: Digitally sign secure channel data (when possible) setting.
D. Apply a security template that enables the Domain member: Digitally encrypt or sign secure channel data (always) setting.
Answer: A

4. You are a security administrator for your company. The network consists of two Active Directory domains that are in separate Active Directory forests. No Active Directory trust relationships exist between the domains. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 2000 Professional. All domain controllers run Windows Server 2003.
You discover that users in one domain can obtain a list of account names for users in the other domain. This capability allows unauthorized users to guess passwords and to access confidential data.
You need to ensure that account names can be obtained only by users of the domain in which the accounts reside.
Which two actions should you perform on the domain controllers? (Each correct answer presents part of the solution. Choose two.)
A. Apply a security template that disables the Network access: Allow anonymous SID/Name translation setting.
B. Apply a security template that enables the Network access: Do not allow anonymous enumeration of SAM accounts setting.
C. Apply a security template that enables the Network security: Do not store LAN Manager hash value on next password change setting.
D. Apply a security template that sets the Domain controller: LDAP server signing requirements setting to Require signing.
Answer: A AND B

5. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows 2000 Professional. Twenty Windows Server 2003 computers serve as domain controllers. Your organization uses only Active Directory integrated DNS.
The company's written security policy states that computers that contain employee user account names and passwords must be hardened against attacks. The procedure for hardening computers includes disabling unnecessary services. You are evaluating which services are necessary by using the following information about the domain controllers:
Domain controllers do not function as Web servers, application servers, file servers, or print servers.
Service packs and security patches are manually installed on domain controllers from local media. Service packs and security patches are installed only by IT administrators.
All servers in the company are remotely managed by using a third-party program.
Printing is not allowed from the domain controllers.
Domain controllers do not run any IP routing protocols.
You need to create a security template to be applied to all domain controllers that disables unnecessary services while allowing necessary services to operate.
What should you do?
To answer, drag the appropriate service startup types to the correct locations in the work area.

Answer:


6. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional. You manage client computers by using Group Policy.
Some of the administrators in your company are responsible for managing network connectivity and TCP/IP.
These administrators are known as infrastructure engineers and are members of a global group named Infra_Engineers. The infrastructure engineers must be able to configure and troubleshoot TCP/IP settings on servers and client computers.
You need to configure a Restricted Groups policy that ensures that only infrastructure engineers are members of the Network Configuration Operators local group on all client computers. You want to achieve this goal without granting unnecessary permissions to the infrastructure engineers.
What should you do?
To answer, drag the appropriate group or groups to the correct list or lists in the dialog box in the work area.

Answer:


7. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows 2000 Professional.
The company's written security policy states the following requirements:
All access to files must be audited.
File servers must be able to record all security events.
You create a new Group Policy object (GPO) and filter it to apply to only file servers. You configure an audit policy to audit files and folders on file servers. You configure a system access control list (SACL) to audit the appropriate files.
You need to ensure that the GPO enforces the written security policy.
Which two additional actions should you perform to configure the GPO? (Each correct answer presents part of the solution. Choose two.)
A. Set a manual retention method for the security log.
B. Set the security log to retain entries for 7 days.
C. Set the maximum security log size to the maximum allowed size.
D. Configure the GPO to shut down the computer if it is unable to log security audits.
E. Ensure that users who are responsible for reviewing audit log data are granted the right to manage the security log.
Answer: D AND A

8. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
Administrators in your company use scripts to perform administrative tasks when they troubleshoot problems on client computers. They connect to the Telnet service on client computers when they run these scripts. For security reasons, all Telnet traffic is encrypted by using an IPSec policy. In addition, the Telnet service is configured for manual startup on all client computers. Administrators manually start and stop the Telnet service when they perform administrative tasks.
Administrators report that they sometimes cannot start the Telnet service on client computers. You examine several client computers and discover that the Telnet service is disabled.
You need to ensure that administrators can troubleshoot problems on client computers at all times.
What should you do?
A. Use a Restricted Groups policy in a new Group Policy object (GPO) to add the Domain Admins group to the Power Users group on each client computer.
B. Use a Restricted Groups policy in a new Group Policy object (GPO) to ensure that the Power Users group on each client computer contains no members.
C. Use a System Services policy in a new Group Policy object (GPO) to ensure that only Domain Admins can manage the Telnet service.
D. Use an Administrative Template setting to prevent local users from starting the Services snap-in.
Answer: C

9. You are a security administrator for your company. The network consists of a single Active Directory domain.
Servers on the network run Windows Server 2003. All servers are in an organizational unit (OU) named Servers, or in OUs contained within the Servers OU.
Based on information in recent security bulletins, you want to apply settings from a security template named Messenger.inf to all servers on which the Messenger service is started. You do not want to apply these settings to servers on which the Messenger service is not started. You also do not want to move servers to other OUs.
You need to apply the Messenger.inf security template to the appropriate servers.
What should you do?
A. Import the Messenger.inf security template into a Group Policy object (GPO), and link the GPO to the Servers OU. Configure Administrative Templates filtering in the GPO.
B. Import the Messenger.inf security template into a Group Policy object (GPO), and link the GPO to the Servers OU. Configure a Windows Management Instrumentation (WMI) Filter for the GPO.
D. Configure a logon script in a Group Policy object (GPO), and link the GPO to the Servers OU. Configure the script to run the gpupdate command if the Messenger service is started.
E. Edit the Messenger.inf security template to set the Messenger service startup mode to Automatic, and then run the secedit /refreshpolicy command.
Answer: B

10. You are a security administrator for your company. The network consists of a single Active Directory domain.
All domain controllers and servers run Windows Server 2003. All computers are members of the domain.
The domain contains 12 database servers. The database servers are in an organizational unit (OU) named DBServers. The domain controllers and the database servers are in the same Active Directory site.
You receive a security report that requires you to apply a security template named Lockdown.inf to all database servers as quickly as possible. You import Lockdown.inf into a Group Policy object (GPO) that is linked to the DBServers OU.
You need to ensure that the settings in the Lockdown.inf security template are applied to all database servers as quickly as possible.
What should you do?
A. On each database server, run the repadmin /replicate command.
B. On each database server, run the gpupdate command.
C. On each database server, run the secedit /refreshpolicy command.
D. On each database server, open Local Computer Policy, select Security Settings, and then use the Reload command.
E. On each database server, open Resultant Set of Policy, and then use the Refresh Query command.
Answer: B

11. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All computers are members of the domain.
The company's written security policy states that all servers must have the security settings that are specified in a security template named Verify.inf. The Verify.inf security template is copied to the Systemroot\Security\Templates folder on each server.
You need to verify that the servers on the network meet the requirements in the written security policy.
What should you do?
A. On each server, run the gpresult command and save the results.
B. On each server, run the secedit.exe /analyze command for the Verify.inf security template and save the results.
C. On each server, run Microsoft Baseline Security Analyzer (MBSA) and save the results.
D. On a domain controller, import the Verify.inf security template into Security Configuration and Analysis, and then start the Resultant Set of Policy Provider service.
E. On a domain controller, import the Verify.inf security template into the Default Domain Policy Group Policy object (GPO), and then run the gpupdate command.
Answer: B

12. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All servers are members of the domain.
The company plans to deploy a new application named App1. The application runs on servers. To test the compatibility between App1 and other applications that run on the servers, you need to change several file and registry permissions in the Windows folder on the servers. A security template named TestPerms contains the file and registry permissions that need to be set for the application testing.
You create a new Group Policy object (GPO) named TestApp. You import the TestPerms security template into the TestApp GPO. You link the TestApp GPO to an organizational unit (OU) that contains only the servers that are used for the test.
You need to ensure that the file and registry permissions are set to the permissions in the TestPerms security template only during application testing.
What should you do when the application testing ends?
A. Disable the computer configuration settings in the TestApp GPO.
B. Disable the TestApp GPO link to the OU.
C. Unlink the TestApp GPO from the OU.
D. Delete the TestApp GPO, and then run the gpupdate.exe /sync command.
E. Delete the TestApp GPO, and then apply a security template that contains the original permissions.
Answer: E

13. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
One hundred users in your company are currently using an application named App1. App1 is stored in a folder on the hard disk of each user's client computer. To secure App1, you create a new Group Policy object (GPO) named App1 Policy. The App1 Policy GPO contains a file system security policy that applies a custom DACL to App1.
You configure the DACL to assign all users only the Allow - Read permission. You filter the App1 Policy GPO to apply only to computers that have App1 installed.
After you apply the App1 GPO, users immediately report that they receive an error message when they attempt to use App1. You delete the entry for App1 in the file system security policy. Users continue to report that they receive the same error message when they attempt to use App1.
You need to configure the network so that users can use App1. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Delete the App1 Policy GPO. Restart all client computers.
B. Create a new file system security policy in the App1 Policy GPO that assigns default permissions to App1.
C. Import the Setup security.inf security template into the App1 Policy GPO.
D. Disable the App1 Policy GPO.
Answer: B

14. You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows 2000 Professional.
You create two top-level organizational units (OUs). One OU is named Finance. The other OU is named Marketing. You place user and computer accounts for users in the marketing and finance departments in the corresponding OU. You create a Group Policy object (GPO) for each OU and link each GPO to the corresponding OU. The GPO linked to the Marketing OU is shown in the Marketing GPO exhibit, and the GPO linked to the Finance OU is shown in the Finance GPO exhibit. (Click the Exhibit button.)


A client computer named Client1 is used by users in the marketing department. You reassign Client1 to users in the finance department. You move the computer object from the Marketing OU to the Finance OU. When you attempt to log on to Client1, you receive a message stating that the computer is intended for use by the marketing department only.
You need to ensure that users in the finance department do not receive the message. You want to achieve this goal without affecting users in the Marketing OU.
What should you do?
A. Edit the Finance GPO. Configure a blank logon message.
B. In the Marketing OU, block the inheritance of Group Policy.
C. Move the Marketing OU into the Finance OU.
D. Force the update of Group Policy on all client computers.
Answer: A

15. You are a security administrator for your company.
Your company uses an accounting and payroll application. Twenty payroll clerks use the application to input data from their client computers to a database running on a Microsoft SQL Server 2000 computer named Server1.
You need to prevent unauthorized interception of the data as it travels over the company network.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure SQL Server 2000 on Server1 to use SSL.
B. Configure an IPSec policy to require Authentication Headers (AHs) between the payroll client computers and Server1.
C. Configure an IPSec policy to require Encapsulating Security Payload (ESP) between the payroll client computers and Server1.
D. Configure Server1 to require Server Message Block (SMB) signing.
Answer: C AND A

16. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
Some of the servers in the company are file servers. The file servers contain shared files that users in the sales and marketing departments use. The file servers are in an organizational unit (OU) named FileServers. The company's written security policy states that the date and time that a user successfully establishes a session to a file server must be recorded. The written security policy also states that the date and time of successful and unsuccessful attempts to modify files on the file servers must be recorded.
You create a new Group Policy object (GPO) and link it to the FileServers OU. The Audit Policy section of the GPO is shown in the work area.
You need to configure the audit policy to meet the requirements of the written security policy. You must achieve this goal by using the minimum number of audit settings.
What should you do?
To answer, drag the appropriate policy setting or settings to the correct location or locations in the work area.

Answer:


17. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional. Users are in the marketing, sales, or production department.
A high-performance color print device named ColorPrinter1 is attached to a server named Server1. ColorPrinter1 is shared by the users in the marketing department. Only users in the marketing department are permitted to print documents on ColorPrinter1. Melanie is a user in the marketing department. Melanie is responsible for ensuring that print jobs on ColorPrinter1 print properly. She is also responsible for replacing paper and for general print device maintenance. Melanie is not permitted to modify the printer itself.
You need to configure permissions for ColorPrinter1. You create a global group named Marketing. You add all marketing users to the Marketing global group.
What else should you do?
A. Assign the global group the Allow - Manage Documents permission for ColorPrinter1. Assign Melanie the Allow - Manage Printers permission for ColorPrinter1.
B. Assign the global group the Allow - Print permission for ColorPrinter1. Create a local group on Server1. Add Melanie to the local group. Assign the local group the Allow - Manage Printers permission for ColorPrinter1.
C. Add the global group to a local group on Server1. Assign the local group the Allow - Manage Documents permission for ColorPrinter1. Assign Melanie the Allow - Manage Printers permission for ColorPrinter1.
D. Add the global group to a local group on Server1. Assign the local group the Allow - Print permission for ColorPrinter1. Create another local group on Server1. Add Melanie to the second local group. Assign the second local group the Allow - Manage Documents permission for ColorPrinter1.
Answer: D

18. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
You manage the network by using a combination of Group Policy objects (GPOs) and scripts. File names for scripts have the .vbs file name extension. Scripts are stored in a shared folder named Scripts on a server named Server1.
Users report that they accidentally run scripts that are received through e-mail and the Internet. They further report that these scripts cause problems with their client computers and often delete or change files. You discover that these scripts have .wsh, .wsf, .vbs, or .vbe file name extensions. You decide to use software restriction policies to prevent the use of unauthorized scripts.
You need to configure a software restriction policy for your network. You want to achieve this goal without affecting management of your network.
Which three rules should you include in your software restriction policy? (Each correct answer presents part of the solution. Choose three.)
A. a path rule that disallows *.vb? files
B. a path rule that disallows *.ws? files
C. a trusted sites rule that allows the local intranet zone
D. a trusted sites rule that disallows the Internet zone
E. a path rule that allows \\server1\scripts\*.vb? files
Answer: E AND B AND A

19. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are members of the domain.
The network contains 10 Active Directory sites. Each site represents one of the company's offices. The offices are located around the world. Each office has a connection to the Internet. The company maintains dedicated leased lines between the offices.
You are planning a security patch management infrastructure for Microsoft security patches. You install Software Update Services (SUS) on a server named Server1.
You need to ensure that Automatic Updates on the client computers and servers installs only security patches that are company approved. You want to limit the use of the leased lines between the offices by allowing each computer to download the security patches from the Internet.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure Automatic Updates on all computers to use the Microsoft Windows Update servers.
B. Configure Automatic Updates on all computers to use SUS on Server1.
C. Copy the Approveditems.txt file from Server1 to the Windows folder on each computer.
D. Configure Server1 to maintain updates on the Microsoft Windows Update servers.
E. Use Group Policy to configure the SUS server location as the URL of the Microsoft Windows Update Web site on all computers.
F. On all computers, configure the value of the Run key in the registry as the URL of the Microsoft Windows Update Web site.
Answer: B AND D

20. You are the security administrator for your company. The network consists of two segments named Segment A and Segment B. The client computers on the network run Windows XP Professional. The servers run Windows Server 2003.
Segment A contains a single server named Server1. Segment B contains all other computers, including a server named Server2.
The company's written security policy states that Segment B must not be connected to the Internet. Segment A is allowed to connect to the Internet. There is no network connection between Segment A and Segment B. You can copy files from Segment A to Segment B only by using a CD-ROM to transport the files between the two segments. The network topology is displayed in the exhibit. (Click the Exhibit button.)

You are planning a patch management infrastructure. On Segment B, you install Software Update Services (SUS) on Server2. You configure Automatic Updates on all computers in Segment B to use http://Server2 and to install security patches.
You need to ensure that all computers in Segment B automatically install security patches.
What should you do?
A. Install SUS on Server1. Periodically copy the files in the Content folder and in the SUS root folder from Server1 to Server2.
B. Install SUS on Server1. Periodically copy the files in the Content folder from Server1 to Server2. Copy the Approveditems.txt file from Server1 to the Windows folder on Server2.
C. On Server1, periodically connect to the Microsoft Windows Update Catalog Web site and download new security patches. Copy the files to the Content folder on Server2.
D. On Server1, configure Automatic Updates to use the URL of the Microsoft Windows Update Web site. Periodically copy the downloaded files and the Mssecure.xml file to the Content folder on Server2.
Answer: A

21. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
There are 15 Windows Server 2003 computers that serve as domain controllers. For security reasons, you do not allow the domain controllers to access Web sites over the Internet.
You need to scan all of the domain controllers to identify which Microsoft security patches are not installed. You want to achieve this goal by using the minimum amount of administrative effort and by successfully completing the scan of all domain controllers.
What should you do?
A. Run Microsoft Baseline Security Analyzer (MBSA) on one of the domain controllers and target all the domain controllers.
B. Run Microsoft Baseline Security Analyzer (MBSA) on a client computer that has Internet access and target all the domain controllers.
C. Run Microsoft Baseline Security Analyzer (MBSA) on each domain controller with a copy of the MBSAScan.wsf file that you downloaded from the Microsoft Web site.
D. Run Microsoft Baseline Security Analyzer (MBSA) on each domain controller with a copy of the Mssecure.cab file that you downloaded from the Microsoft Web site.
Answer: B

22. You are a security administrator for your company.
The network consists of a single Active Directory domain. The network contains Windows Server 2003 computers.
Twelve of the Windows Server 2003 computers are configured as Web servers.
You need to produce a report that identifies which Microsoft security patches are not installed on the Web servers.
What should you do?
A. Run Gpresult.exe on the Web servers.
B. Run Mbsacli.exe on the Web servers.
C. Run Secedit.exe on the Web servers.
D. Run Qfecheck.exe on the Web servers.
E. Run Qchain.exe on the Web servers.
Answer: B

23. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows 2003 Server. All client computers run Windows XP Professional.
All computers are configured to use Automatic Updates to install updates without user intervention. Updates are scheduled to occur during off-peak hours.
During a security audit, you notice some client computers are not receiving updates on a regular basis. You verify that Automatic Updates is running on all client computers, and you verify that users cannot modify the Automatic Updates settings.
You need to ensure that computers on your network receive all updates.
What should you do?
A. Enable the No auto-restart for scheduled Automatic Updates installations setting.
B. Disable the Specify intranet Microsoft update service location setting.
C. Enable the Remove access to use all Windows Update features setting.
D. Enable the Reschedule Automatic Updates scheduled installations setting.
Answer: D

24. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003.
The company's written security policy states that security patches must be manually installed on servers by administrators.
You need to configure the network to comply with the written security policy. You need to maintain security patches by using the minimum amount of administrative effort.
What should you do?
A. Create a new organizational unit (OU) to contain all server computers. Create a new Group Policy object (GPO) and link it to the OU. Configure the GPO to disable Automatic Updates. Allow only administrators to start Automatic Updates.
B. Create a new organizational unit (OU) to contain all server computers. Create a new Group Policy object (GPO) and link it to the OU. Configure the GPO to automatically download updates and notify when they are ready to be installed.
C. Create a new organizational unit (OU) named Admins to contain all administrators. Create a second OU named Servers to contain all server computers. Create a new Group Policy object (GPO) and link it to the Admins OU. Configure the GPO to disable Automatic Updates.
D. Modify the Default Domain Policy Group Policy object (GPO) to disable Windows Update and to disable Automatic Updates. Create a new organizational unit (OU) named Admins. Place all administrator accounts in the Admins OU. Block GPO inheritance on the Admins OU.
Answer: B

25. You are a security administrator for your company. All servers run Windows Server 2003. All client computers run Windows XP Professional.
You install Software Update Services (SUS) on a server named Server1. The company's written security policy states that all updates must be tested and approved before they are installed on network computers.
You need to ensure that SUS uses the minimum amount of disk space on Server1.
What should you do?
A. Configure Server1 to redirect client computers to the Microsoft Windows Update servers.
B. Compress the folder in which the downloaded updates are stored.
C. Configure Server1 to store only the locales that are needed.
D. Download the updates, and then delete updates that are not approved for client computers.
Answer: A

26. You are a security administrator for your company. The network consists of a perimeter network that is configured as shown in the exhibit. (Click the Exhibit button.)

All computers in the perimeter network run Windows Server 2003. The company's written security policy states the following:
All computers must pass a security inspection before they are placed in the perimeter network.
Only computers that pass inspection are permitted to communicate with firewalls or other computers that pass inspection.
All communication in the perimeter network is inspected by a network-based intrusion-detection system (IDS).
Communication between computers in the perimeter network must use the strongest possible authentication methods.
You decide to deploy IPSec in the perimeter network to enforce the written security policy. You enable IPSec on the firewall computers.
You need to plan IPSec configuration for the Windows Server 2003 computers so that it meets the written security policy.
Which three actions should you perform to configure IPSec? (Each correct answer presents part of the solution. Choose three.)
A. Configure tunnel mode.
B. Configure transport mode.
C. Enable Authentication Header (AH).
D. Enable Encapsulating Security Payload (ESP).
E. Use Kerberos authentication.
F. Use certificate-based authentication.
G. Use shared secret authentication.
Answer: (E AND C AND B) OR (B AND C AND F)

27. You are a security administrator for your company. The company consists of two divisions. One division is named Coho Winery and is located in San Francisco. The other division is named Coho Vineyard and is located in Paris. Each division is connected to the Internet by a 1.544 Mbps WAN connection.
Coho Winery consists of a single Active Directory forest named cohowinery.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Coho Winery has a Microsoft SQL Server 2000 database that contains customer information. The SQL Server 2000 database is hosted on a Windows Server 2003 computer named Server1.
Coho Vineyard consists of a single Active Directory forest named cohovineyard.com. All servers run Windows 2000 Server. All client computers run Windows 2000 Professional or Windows NT Workstation. All computers run the latest service packs.
To enable data replication, you configure a new Windows Server 2003 computer named Server2 in the cohovineyard.com forest. You install SQL Server 2000 on Server2. Your database administrator configures the database on Server1 to replicate to Server2 every night.
Management reports that a competitor acquired confidential customer data. You determine that the competitor intercepted customer data as it replicated from Server1 to Server2. You decide to use IPSec to protect customer data as it replicates.
You need to configure an IPSec policy to protect customer data as it replicates.
What should you do?
A. Configure the IPSec policy to use Authentication Header (AH) in transport mode with Kerberos authentication.
B. Configure the IPSec policy to use Encapsulating Security Payload (ESP) with certificate-based authentication in tunnel mode.
C. Configure the IPSec policy to use Authentication Header (AH) with certificate-based authentication in transport mode.
D. Configure the IPSec policy to use Encapsulating Security Payload (ESP) with Kerberos authentication in tunnel mode.
Answer: B

28. You are the security administrator of your network. The network consists of an Active Directory domain. All computers on the network are in the domain. The domain controllers and file servers on the network run Windows Server 2003. The client computers run Windows XP Professional.
The file servers use a custom IPSec policy named Server Traffic. The Server Traffic policy contains rules to encrypt Telnet and SNMP traffic, as shown in the exhibit. (Click the Exhibit button.)

All client computers use the Client (Respond Only) IPSec policy. The default exemptions to IPSec filtering are disabled on the client computer.
You want to configure the network so that Telnet, SNMP, and Kerberos traffic is encrypted by IPSec. You do not want to encrypt other network protocols.
What should you do? (Each correct answer presents part of the solution. Choose two.)
A. On the client computers, enable the default exemptions to IPSec filtering.
B. On the file servers, enable the default exemptions to IPSec filtering.
C. On the file servers, configure the IPSec policy in the local computer policy to encrypt Kerberos traffic.
D. Add a new rule to the Server Traffic policy to encrypt Kerberos traffic.
E. Configure the Server Traffic policy to enable the Default Response rule.
F. Configure the rules in the Server Traffic policy to use an authentication method other than Kerberos.
Answer: D AND F

29. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional. A server named Server1 is not a member of the domain. All other computers are members of the domain.
The network contains an enterprise certification authority (CA). All computers on the network trust the CA.
The company's written security policy states that all network traffic from the computers in the domain to Server1 must be encrypted. Server1 must not be added to the domain.
You configure a Group Policy object (GPO) that assigns the predefined IPSec policy named Client (Respond Only). You link the GPO to the domain. You configure Server1 to use the predefined IPSec policy named Secure Server (Require Security).
When you test this configuration, you cannot connect to Server1 from the computers in the domain. You need to implement the written security policy.
What should you do?
A. Disable the default exemptions to IPSec filtering on all computers in the domain.
B. Disable the default response rule in the Client (Respond Only) IPSec policy in the domain.
C. Configure Server1 so that it uses the predefined IPSec policy named Server (Request Security).
D. Configure the security options of the local computer policy on Server1 to always digitally sign communications.
E. Configure the assigned IPSec policies on Server1 and in the domain to use certificate-based authentication.
Answer: E

30. You are a security administrator for your company. The network consists of a single Active Directory domain.
All client computers run Windows XP Professional. All servers run Windows Server 2003. All computers on the network are members of the domain.
Traffic on the network is encrypted by IPSec. The domain contains a custom IPSec policy named Lan Security that applies to all computers in the domain. The Lan Security policy does not allow unsecured communication with non-IPSec-aware computers.
The company's written security policy states that the configuration of the domain and the configuration of the Lan Security policy must not be changed.
The domain contains a multihomed server named Server1. Server1 is connected to the company network, and Server1 is also connected to a test network. Currently, the Lan Security IPSec policy applies to network traffic on both network adapters in Server1.
You need to configure Server1 so that it communicates on the test network without IPSec security. Server1 must still use the Lan Security policy when it communicates on the company network.
How should you configure Server1?
A. Configure a packet filter for the network adapter on the test network to block the Internet Key Exchange (IKE) port.
B. Configure the network adapter on the test network to disable IEEE 802.1x authentication.
C. Configure the network adapter on the test network to enable TCP/IP filtering, and then permit all traffic.
D. Use the netsh command to assign a persistent IPSec policy that permits all traffic on the network adapter on the test network.
E. Assign an IPSec policy in the local computer policy that permits all traffic on the network adapter on the test network.
Answer: D