You are the network administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003.
The network contains servers that have Terminal Server enabled. The terminal servers host legacy applications that currently require users to be members of the Power Users group.
A new requirement in the company’s written security policy states that the Power Users group must be empty on all resource servers.
You need to maintain the ability to run the legacy applications on the terminal servers when the new security requirement is implemented.
What should you do? ()
A. Add the Domain Users global group to the Remote Desktop Users built-in group in the domain.
B. Add the Domain Users global group to the Remote Desktop Users local group on each terminal server.
C. Modify the Compatws.inf security template settings to allow members of the local Users group to run the applications. Import the security template into the Default Domain Controllers Policy Group Policy object (GPO).
D. Modify the Compatws.inf security template settings to allow members of the local Users group to run the applications. Apply the modified template to each terminal server.
您可能感兴趣的试卷
你可能感兴趣的试题
You are a network administrator for your company. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers, 300 Windows 2000 Professional computers, and 150 Windows XP Professional computers.
According to the network design specification, the Kerberos version 5 authentication protocol must be used for all client computers on the internal network.
You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network.
What should you do? ()
A. On each domain controller, disable Server Message Block (SMB) signing and encryption of the secure channel traffic.
B. Replace all Windows 98 computers with new Windows XP Professional computers.
C. Install the Active Directory Client Extensions software on the Windows 98 computers.
D. Upgrade all Windows 98 computers to Windows NT Workstation 4.0.
You are the network administrator for your company. The network consists of a single Active Directory domain. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003.
The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits.
What should you do? ()
A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
You are the network administrator for your company. The network consists of a single Active Directory domain. The network contains 50 application servers that run Windows Server 2003.
The security configuration of the application servers is not uniform. The application servers were deployed by local administrators who configured the settings for each of the application servers differently based on their knowledge and skills. The application servers are configured with different authentication methods, audit settings, and account policy settings.
The security team recently completed a new network security design. The design includes a baseline configuration for security settings on all servers. The baseline security settings use the Hisecws.inf predefined security template. The design also requires modified settings for servers in an application role. These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. The security team created a security template named Application.inf that contains the modified settings.
You need to plan the deployment of the new security design. You need to ensure that all security settings for the application servers are standardized, and that after the deployment, the security settings on all application servers meet the design requirements.
What should you do? ()
A. Apply the Setup security.inf template first, the Hisecws.inf template next, and then the Application.inf template.
B. Apply the Application.inf template and then the Hisecws.inf template.
C. Apply the Application.inf template first, the Setup security.inf template next, and then the Hisecws.inf template.
D. Apply the Setup security.inf template and then the Application.inf template.
You are the network administrator for your company. The network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional.
The company has legacy applications that run on UNIX servers. The legacy applications use the LDAP protocol to query Active Directory for employee information.
The domain controllers are currently configured with the default security settings. You need to configure enhanced security for the domain controllers. In particular, you want to configure stronger password settings, audit settings, and lockout settings. You want to minimize interference with the proper functioning of the legacy applications.
You decide to use the predefined security templates. You need to choose the appropriate predefined security template to apply to the domain controllers.
What should you do?()
A. Apply the Setup security.inf template to the domain controllers.
B. Apply the DC security.inf template to the domain controllers.
C. Apply the Securedc.inf template to the domain controllers.
D. Apply the Rootsec.inf template to the domain controllers.
You are the network administrator for your company. The network consists of a single Active Directory domain. The company’s written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed.
You create a security template named Fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action if needed. You audit a file server by using Fileserver.inf and receive the results shown in the exhibit. (Click the Exhibit button.)
You want to make only the changes that are required to meet the requirements.
Which two actions should you take? ()
A. Correct the Maximum application log size setting on the file server.
B. Correct the Maximum security log size setting on the file server.
C. Correct the Maximum system log size setting on the file server.
D. Correct the Retention method for application log setting on the file server.
E. Correct the Retention method for security log setting on the file server.
F. Correct the Retention method for system log setting for the file server.
You are the network administrator for your company. The network consists of a single Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains an organizational unit (OU) named Servers that contains all of the company’s Windows Server 2003 resource servers. The domain also contains an OU named Workstations that contains all of the company’s Windows XP Professional client computers.
You configure a baseline security template for resource servers named Server.inf and a baseline security template for client computers named Workstation.inf. The Server.inf template contains hundreds of settings, including file and registry permission settings that have inheritance propagation enabled. The Workstation.inf template contains 20 security settings, none of which contain file or registry permissions settings.
The resource servers operate at near capacity during business hours.
You need to apply the baseline security templates so that the settings will be periodically enforced. You need to accomplish this task by using the minimum amount of administrative effort and while minimizing the performance impact on the resource servers.
What should you do? ()
A. Create a Group Policy object (GPO) and link it to the domain. Import both the Server.inf and the Workstation.inf templates into the GPO.
B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy Group Policy object (GPO).
C. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Create a Group Policy object (GPO) and link it to the Workstations OU. Import the Workstation.inf template into the GPO.
D. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO).
You are a network administrator for your company. The network consists of a single Active Directory domain. The network contains 80 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed.
Your company is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers.
You are planning a baseline security configuration for the Web servers. The company’s written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled:
Your plan for the baseline security configuration for Web servers must comply with the written security policy. You need to ensure that unnecessary services are always disabled on the Web servers.
What should you do? ()
A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU.
B. Create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Web Servers OU.
C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU.
D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU.
You are a network administrator for Alpine Ski House. The network consists of a single Active Directory domain. The network contains 50 Windows Server 2003 computers and 200 Windows XP Professional computers. Alpine Ski House does not use wireless networking. The network at Alpine Ski House is shown in the exhibit. (Click the Exhibit button.) Alpine Ski House enters into a strategic partnership with Adventure Works. Under the strategic partnership, Adventure Works will regularly send employees to Alpine Ski House. Your design team interviews Adventure Works administrators and discovers the following. Adventure Works employees require access to the Internet to retrieve e-mail messages and to browse the Internet. Adventure Works employees do not need access to the internal network at Alpine Ski House. Adventure Works employees all have portable computers that run Windows XP Professional, and they use a wireless network in their home office. The wireless network client computers of Adventure Works employees must be protected from Internet-based attacks.Adventure Works sends you a wireless access point that its employees will use to access the Internet through your network. You are not allowed to change the configuration of the wireless access point because any change will require changes to all of the wireless client computers. You need to develop a plan that will meet the requirements of Adventure Works employees and the security requirements of Alpine Ski House.
Your solution must be secure and must minimize administrative effort.
What should you do? ()
A. Install the wireless access point on a separate subnet inside the Alpine Ski House network. Configure a router to allow only HTTP, IMAP4, and SMTP traffic out of the wireless network.
B. Install the wireless access point on a separate subnet inside the Alpine Ski House network. Configure a VPN from the wireless network to the Adventure Works office network.
C. Install the wireless access point on the Alpine Ski House perimeter network. Configure Firewall1 to allow wireless network traffic to and from the Internet. Configure Firewall2 to not allow wireless traffic into the Alpine Ski House network.
D. Install the wireless access point outside Firewall1 at Alpine Ski House. Obtain IP addresses from your ISP to support all wireless users.
Your company has an Active Directory directory service domain. All servers run Windows Server 2003. All domain controllers are configured to audit specific events. You are developing a security monitoring plan for the domain controllers. You must back up the following information. Local logon attemptsDomain logon attemptsSecurity update installation attempts You need to specify the appropriate log files to back up.
Which files should you specify? ()
A. AppEvent.Evt and NTDS.Evt
B. NTDS.Evt and SecEvent.Evt
C. SecEvent.Evt and SysEvent.Evt
D. AppEvent.Evt and SysEvent.Evt
Your company has 250 client computers connected to the office LAN. The company has a pool of five public IP addresses. All client computers have dynamically assigned IP addresses. You need to provide all client computers with Internet access.
What should you use?()
A. DHCP Relay Agent
B. Routing Information Protocol (RIP)
C. Internet Group Management Protocol (IGMP)
D. Network Address Translation (NAT)/Basic Firewall
最新试题
You are the network administrator for your company. The network consists of a single Active Directory domain. All computers on the network are members of the domain. You administer a three-node Network Load Balancing cluster. Each cluster node runs Windows Server 2003 and has a single network adapter. The cluster has converged successfully. You notice that the nodes in the cluster run at almost full capacity most of the time. You want to add a fourth node to the cluster. You enable and configure Network Load Balancing on the fourth node. However, the cluster does not converge to a four-node cluster. In the System log on the existing three nodes, you find the exact same TCP/IP error event. The event has the following description: "The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 02:BF:0A:32:08:46." In the System log on the new fourth node, you find a similar TCP/error event with the following description: "The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 03:BF:0A:32:08:46." Only the hardware address is different in the two descriptions. You verify that IP address 10.50.8.70 is configured as the cluster IP address on all four nodes. You want to configure a four-node Network Load Balancing cluster. What should you do? ()
You are the network administrator for your company. The network consists of a single Active Directory domain. All computers on the network are members of the domain. You administer a Network Load Balancing cluster that consists of three nodes. Each node runs Windows Server 2003 and contains a single network adapter. The Network Load Balancing cluster can run only in unicast mode. The Network Load Balancing cluster has converged successfully. To increase the utilization of the cluster, you decide to move a particular application to each node of the cluster. For this application to run, you must add a Network Load Balancing port rule to the nodes of the cluster. You start Network Load Balancing Manager on the second node of the cluster. However, Network Load Balancing Manager displays a message that it cannot communicate with the other two nodes of the cluster. You want to add the port rule to the nodes of the cluster. What should you do? ()
You are the systems engineer for your company. The network consists of three physical networks connected by hardware-based routers. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each physical network contains at least one domain controller and at least one DNS server. One physical network contains a Microsoft Internet Security and Acceleration (ISA) Server array that provides Internet access for the entire company. The network also contains a certificate server. Company management wants to ensure that all data is encrypted on the network and that all computers transmitting data on the network are authenticated. You decide to implement IPSec on all computers on the network. You edit the Default Domain Policy Group Policy object (GPO) to apply the Secure Server (Require Security) IPSec policy. Users immediately report that they cannot access resources located in remote networks. You investigate and discover that all packets are being dropped by the routers. You also discover that Active Directory replication is not functioning between domain controllers in different networks. You need to revise your design and implementation to allow computers to communicate across the entire network. You also need to ensure that the authentication keys are stored encrypted. Which two actions should you take?()
You are a network adminstrator for your company. You install an intranet application on three Windows Server 2003 computers. You configure the servers as a Network Load Balancing cluster. You configure each server with two network adapters. One network adapter provides client computers access to the servers. The second network adapter is for cluster communications. Cluster communications is on a separate network segment. The network team wants to reduce the cluster’s vulnerability to attack. These servers need to be highly available. The network team decides that the Network Load Balancing cluster needs to filter IP ports. The team wants the cluster to allow only the ports that are required for the intranet application. You need to implement filtering so that only the intranet application ports are available on the cluster. You need to achieve this goal by using the minimum amount of administrative effort. What should you do? ()
You are a network administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. The company’s main office is in Barcelona, and it has branch offices in Paris and London. The company has no immediate plans to expand or relocate the offices. The company wants to connect the office networks by using a frame relay WAN connection and Routing and Remote Access servers that are configured with frame relay WAN adapters. Computers in each office will be configured to use the local Routing and Remote Access server as a default gateway. You are planning the routing configuration for the Routing and Remote Access servers. You need to allow computers in Barcelona, Paris, and London to connect to computers in any office. You want to minimize routing traffic on the WAN connection. What should you do? ()
You are a network administrator for your company. The company has a main office and two branch offices. The branch offices are connected to the main office by T1 lines. The network consists of three Active Directory sites, one for each office. All client computers run either Windows 2000 Professional or Windows XP Professional. Each office has a small data center that contains domain controllers, WINS, DNS, and DHCP servers, all running Windows Server 2003. Users in all offices connect to a file server in the main office to retrieve critical files. The network team reports that the WAN connections are severely congested during peak business hours. Users report poor file server performance during peak business hours. The design team is concerned that the file server is a single point of failure. The design team requests a plan to alleviate the WAN congestion during business hours and to provide high availability for the file server. You need to provide a solution that improves file server performance during peak hours and that provides high availability for file services. You need to minimize bandwidth utilization. What should you do? ()
You are the systems engineer for Contoso, Ltd. The internal network consists of a Windows NT 4.0 domain. The company maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named contoso.com. The contoso.com zone is hosted by a UNIX-based DNS server running BIND 4.8.1. Contoso, Ltd., is planning to migrate to a Windows Server 2003 Active Directory domain-based network. The migration plan states that all client computers will be upgraded to Windows XP Professional and that all servers will be replaced with new computers running Windows Server 2003. The migration plan specifies the following requirements for DNS in the new environment:• Active Directory data must not be accessible from the Internet.• The DNS namespace must be contiguous to minimize confusion for users and administrators. • Users must be able to connect to resources in the contoso.com domain.• Users must be able to connect to resources located on the Internet. • The existing UNIX-based DNS server will continue to host the contoso.com domain. • The existing UNIX-based DNS server cannot be upgraded or replaced.You plan to install a Windows Server 2003 DNS server on the internal network. You need to configure this Windows-based DNS server to meet the requirements specified in the migration plan. What should you do? ()
You are the network administrator for your company. The network consists of a single Active Directory domain. The company has remote users in the sales department who work from home. The remote users’ client computers run Windows XP Professional, and they are not members of the domain. The remote users’ client computers have local Internet access through an ISP. The company is deploying a Windows Server 2003 computer named Server1 that has Routing and Remote Access installed. Server1 will function as a VPN server, and the remote users will use it to connect to the company network. Confidential research data will be transmitted from the remote users’ client computers. Security is critical to the company and Server1 must protect the remote users’ data transmissions to the main office. The remote client computers will use L2TP/IPSec to connect to the VPN server. You need to choose a secure authentication method. What should you do? ()
You are a network administrator for your company. The network consists of two Active Directory domains. You are responsible for administering one domain, which contains users who work in the sales department. User objects for the users in the sales department are stored in an organizational unit (OU) named Sales in your domain. Users in the sales department use a public key infrastructure (PKI) enabled application that requires users to present client authentication certificates before they are granted access. You install Certificate Services on two member servers running Windows Server 2003. You configure one server as an enterprise subordinate certification authority (CA) and the other server as a stand-alone root CA. You need to issue certificates that support client authentication to sales users only. You need to achieve this goal by using the minimum amount of administrative effort. What should you do? ()
You are a network administrator for your company. You install Windows Server 2003 on two servers named Server1 and Server2. You configure Server1 and Server2 as a two-node cluster. You configure a custom application on the cluster by using the Generic Application resource, and you put all resources in the Application group. You test the cluster and verify that it fails over properly and that you can move the Applications group from one node to the other and back again. The application and the cluster run successfully for several weeks. Users then report that they cannot access the application. You investigate and discover that Server1 and Server2 are running but the Application group is in a failed state. You restart the Cluster service and attempt to bring the Application group online on Server1. The Application group fails. You discover that Server1 fails, restarts automatically, and fails again soon after restarting. Server1 continues to fail and restart until the Application group reports that it is in a failed state and stops attempting to bring itself back online. You need to configure the Application group to remain on Server2 while you research the problem on Server1. What should you do? ()