Certification name: Implementing and Administering Security in a Microsoft Windows Server 2003 Network
Number of questions: 55
Price: ¥ 300
Updated: 2008-09-01
1. You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
Eight Windows Server 2003 computers are members of the domain. These computers are used to store confidential files. They reside in a data center that only IT administration personnel have physical access to.
You need to restrict members of a group named Contractors from connecting to the file server computers. All other employees require access to these computers.
What should you do?
A. Apply a security template to the file server computers that assigns the Access this computer from the network right to the Domain Users group.
B. Apply a security template to the file server computers that assigns the Deny access to this computer from the network right to the Contractors group.
C. Apply a security template to the file server computers that assigns the Allow log on locally right to the Domain Users group.
D. Apply a security template to the file server computers that assigns the Deny log on locally right to the Contractors group.
Answer: B
2. You are a security administrator for your company. The network consists of a single Active Directory domain.
Four Windows Server 2003 computers run IIS and serve as Web servers on the Internet.
The company's written security policy states that computers that are accessible from the Internet must be hardened against attacks. The procedure for hardening computers includes disabling unnecessary services. You evaluate which services are necessary by using the following information about the Web servers:
Customers and business partners access Web content on the Web servers after they authenticate by using a user name and password. To access certain parts of the site, some of these connections use the SSL protocol.
All software is installed locally on the Web servers by using removable media, except for service packs and security patches.
The Web servers automatically download service packs and security patches from an internal computer that runs Software Update Services (SUS).
The Web servers are not functioning as any other roles.
You need to create a security template for the Web servers that disables unnecessary services and allows necessary services to operate.
What should you do?
To answer, drag the appropriate service startup types to the correct locations in the work area.
Answer
3. You are a security administrator for your company. The network consists of a single Active Directory domain.
Servers run either Windows Server 2003 or Windows 2000 Server. All client computers run Windows 2000 Professional. The latest operating system service pack is installed on each computer.
Thirty Windows Server 2003 computers are members of the domain and function as file servers. Client computers access files on these file servers over the network by using the Server Message Block (SMB) protocol. You are concerned about the possible occurrence of man-in-the-middle attacks during SMB communications.
You need to ensure that SMB communications between the Windows Server 2003 file servers and the client computers are cryptographically signed. The file servers must not communicate with client computers if the client computers cannot sign SMB communications. Client computers must be able to use unsigned SMB communications with all other computers in the domain.
What should you do to configure the file servers?
A. Apply a security template that enables the Microsoft network server: Digitally sign communications (always) setting.
B. Apply a security template that enables the Microsoft network server: Digitally sign communications (if client agrees) setting.
C. Apply a security template that enables the Domain member: Digitally sign secure channel data (when possible) setting.
D. Apply a security template that enables the Domain member: Digitally encrypt or sign secure channel data (always) setting.
Answer: A
4. You are a security administrator for your company. The network consists of two Active Directory domains that are in separate Active Directory forests. No Active Directory trust relationships exist between the domains. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 2000 Professional. All domain controllers run Windows Server 2003.
You discover that users in one domain can obtain a list of account names for users in the other domain. This capability allows unauthorized users to guess passwords and to access confidential data.
You need to ensure that account names can be obtained only by users of the domain in which the accounts reside.
Which two actions should you perform on the domain controllers? (Each correct answer presents part of the solution. Choose two.)
A. Apply a security template that disables the Network access: Allow anonymous SID/Name translation setting.
B. Apply a security template that enables the Network access: Do not allow anonymous enumeration of SAM accounts setting.
C. Apply a security template that enables the Network security: Do not store LAN Manager hash value on next password change setting.
D. Apply a security template that sets the Domain controller: LDAP server signing requirements setting to Require signing.
Answer: A and B
5. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows 2000 Professional. Twenty Windows Server 2003 computers serve as domain controllers. Your organization uses only Active Directory integrated DNS.
The company's written security policy states that computers that contain employee user account names and passwords must be hardened against attacks. The procedure for hardening computers includes disabling unnecessary services. You are evaluating which services are necessary by using the following information about the domain controllers:
Domain controllers do not function as Web servers, application servers, file servers, or print servers.
Service packs and security patches are manually installed on domain controllers from local media. Service packs and security patches are installed only by IT administrators.
All servers in the company are remotely managed by using a third-party program.
Printing is not allowed from the domain controllers.
Domain controllers do not run any IP routing protocols.
You need to create a security template to be applied to all domain controllers that disables unnecessary services while allowing necessary services to operate.
What should you do?
To answer, drag the appropriate service startup types to the correct locations in the work area.
Answer
6. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional. You manage client computers by using Group Policy.
Some of the administrators in your company are responsible for managing network connectivity and TCP/IP. These administrators are known as infrastructure engineers and are members of a global group named Infra_Engineers. The infrastructure engineers must be able to configure and troubleshoot TCP/IP settings on servers and client computers.
You need to configure a Restricted Groups policy that ensures that only infrastructure engineers are members of the Network Configuration Operators local group on all client computers. You want to achieve this goal without granting unnecessary permissions to the infrastructure engineers.
What should you do?
To answer, drag the appropriate group or groups to the correct list or lists in the dialog box in the work area.
Answer
7. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows 2000 Professional.
The company's written security policy states the following requirements:
All access to files must be audited.
File servers must be able to record all security events.
You create a new Group Policy object (GPO) and filter it to apply to only file servers. You configure an audit policy to audit files and folders on file servers. You configure a system access control list (SACL) to audit the appropriate files.
You need to ensure that the GPO enforces the written security policy.
Which two additional actions should you perform to configure the GPO? (Each correct answer presents part of the solution. Choose two.)
A. Set a manual retention method for the security log.
B. Set the security log to retain entries for 7 days.
C. Set the maximum security log size to the maximum allowed size.
D. Configure the GPO to shut down the computer if it is unable to log security audits.
E. Ensure that users who are responsible for reviewing audit log data are granted the right to manage the security log.
Answer: D and A
8. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
Administrators in your company use scripts to perform administrative tasks when they troubleshoot problems on client computers. They connect to the Telnet service on client computers when they run these scripts. For security reasons, all Telnet traffic is encrypted by using an IPSec policy. In addition, the Telnet service is configured for manual startup on all client computers. Administrators manually start and stop the Telnet service when they perform administrative tasks.
Administrators report that they sometimes cannot start the Telnet service on client computers. You examine several client computers and discover that the Telnet service is disabled.
You need to ensure that administrators can troubleshoot problems on client computers at all times.
What should you do?
A. Use a Restricted Groups policy in a new Group Policy object (GPO) to add the Domain Admins group to the Power Users group on each client computer.
B. Use a Restricted Groups policy in a new Group Policy object (GPO) to ensure that the Power Users group on each client computer contains no members.
C. Use a System Services policy in a new Group Policy object (GPO) to ensure that only Domain Admins can manage the Telnet service.
D. Use an Administrative Template setting to prevent local users from starting the Services snap-in.
Answer: C
9. You are a security administrator for your company. The network consists of a single Active Directory domain.
Servers on the network run Windows Server 2003. All servers are in an organizational unit (OU) named Servers, or in OUs contained within the Servers OU.
Based on information in recent security bulletins, you want to apply settings from a security template named Messenger.inf to all servers on which the Messenger service is started. You do not want to apply these settings to servers on which the Messenger service is not started. You also do not want to move servers to other OUs.
You need to apply the Messenger.inf security template to the appropriate servers.
What should you do?
A. Import the Messenger.inf security template into a Group Policy object (GPO), and link the GPO to the Servers OU. Configure Administrative Templates filtering in the GPO.
B. Import the Messenger.inf security template into a Group Policy object (GPO), and link the GPO to the Servers OU. Configure a Windows Management Instrumentation (WMI) Filter for the GPO.
D. Configure a logon script in a Group Policy object (GPO), and link the GPO to the Servers OU. Configure the script to run the gpupdate command if the Messenger service is started.
E. Edit the Messenger.inf security template to set the Messenger service startup mode to Automatic, and then run the secedit /refreshpolicy command.
Answer: B
10. You are a security administrator for your company. The network consists of a single Active Directory domain.
All domain controllers and servers run Windows Server 2003. All computers are members of the domain.
The domain contains 12 database servers. The database servers are in an organizational unit (OU) named DBServers. The domain controllers and the database servers are in the same Active Directory site.
You receive a security report that requires you to apply a security template named Lockdown.inf to all database servers as quickly as possible. You import Lockdown.inf into a Group Policy object (GPO) that is linked to the DBServers OU.
You need to ensure that the settings in the Lockdown.inf security template are applied to all database servers as quickly as possible.
What should you do?
A. On each database server, run the repadmin /replicate command.
B. On each database server, run the gpupdate command.
C. On each database server, run the secedit /refreshpolicy command.
D. On each database server, open Local Computer Policy, select Security Settings, and then use the Reload command.
E. On each database server, open Resultant Set of Policy, and then use the Refresh Query command.
Answer: B
Click to download the preview section of the 70-299 exam question bank (PDF format)