Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000
70-296
Planning, Implementing, and Maintaining
a Microsoft Windows Server 2003 Environment
for an MCSE Certified on Windows 2000
Version 40.1
70 - 296
Leading the way in IT testing and certification tools, www.testking.com
Important Note, Please Read Carefully
Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and
written by our experts. Try to understand the concepts behind the questions instead of cramming the questions.
Go through the entire document at least twice so that you make sure that you are not missing anything.
Further Material
For this exam TestKing also provides:
* Online Testing. Practice the questions in an exam environment.
Try a demo: http://www.testking.com/index.cfm?pageid=724
* Study Guide. Concepts and labs. Provides a foundation of knowledge.
Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are
available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days
before the scheduled exam date.
Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole
document.
Feedback
Feedback on specific questions should be sent to [email protected]. You should state: Exam number and
version, question number, and login ID.
Our experts will answer your mail promptly.
Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for
security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the
right to take legal action against you according to the International Copyright Laws.
Table of Contents
Topic 1: Planning and Implementing Server Roles and Server Security (23 Questions)
Part 1: Configure security for servers that are assigned specific roles. (3 questions)
Part 2: Plan a secure baseline installation.
A: Plan a strategy to enforce system default security settings on new systems. (2 questions)
B: Identify client operating system default security settings. (2 questions)
C: Identify all server operating system default security settings. (1 question)
Part 3: Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.
A: Deploy the security configuration for servers that are assigned specific roles. (9 questions)
B: Create custom security templates based on server roles. (5 questions)
Part 4: Evaluate and select the operating system to install on computers in an enterprise. (1 question)
Topic 2: Planning, Implementing, and Maintaining a Network Infrastructure (47 Questions)
Part 1: Plan a TCP/IP network infrastructure strategy.
A: Analyze IP addressing requirements. (2 questions)
B: Plan an IP routing solution. (1 question)
C: Create an IP subnet scheme. (2 questions)
Part 2: Plan and modify a network topology.
A: Plan the physical placement of network resources. (1 question)
B: Identify network protocols to be used. (1 question)
Part 3: Plan an Internet connectivity strategy. (2 questions)
Part 4: Plan network traffic monitoring. Tools might include Network Monitor and System Monitor. (1 question)
Part 5: Troubleshoot connectivity to the Internet.
A: Diagnose and resolve issues related to Network Address Translation (NAT). (0 questions)
B: Diagnose and resolve issues related to name resolution cache information. (0 questions)
C: Diagnose and resolve issues related to client configuration. (0 questions)
Part 6: Troubleshoot TCP/IP addressing.
A: Diagnose and resolve issues related to client computer configuration. (3 questions)
B: Diagnose and resolve issues related to DHCP server address assignment. (7 questions)
Part 7: Plan a host name resolution strategy.
A: Plan a DNS namespace design. (0 questions)
B: Plan zone replication requirements. (5 questions)
C: Plan a forwarding configuration. (5 questions)
D: Plan for DNS security. (2 questions)
E: Examine the interoperability of DNS with third-party DNS solutions. (5 questions)
Part 8: Plan a NetBIOS name resolution strategy.
A: Plan a WINS replication strategy. (1 question)
B: Plan NetBIOS name resolution by using the Lmhosts file. (0 questions)
Part 9: Troubleshoot host name resolution.
A: Diagnose and resolve issues related to WINS and DNS services. (8 questions)
B: Diagnose and resolve issues related to client computer configuration. (1 question)
Topic 3: Planning, Implementing and Maintaining Routing and Remote Access (23 Questions)
Part 1: Plan a routing strategy.
A: Identify routing protocols to use in a specified environment. (1 question)
B: Plan routing for IP multicast traffic. (1 question)
Part 2: Plan security for remote access users.
A: Plan remote access policies. (3 questions)
B: Analyze protocol security requirements. (0 questions)
C: Plan authentication methods for remote access. (10 questions)
Part 3: Implement secure access between private networks.
A: Create and implement secure VPN connections. (4 questions)
B: Create and implement an IPSec policy. (2 questions)
Part 4: Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor. (2 questions)
Topic 4: Planning, Implementing, and Maintaining Server Availability (35 Questions)
Part 1: Plan services for high availability.
A: Plan a high availability solution that uses clustering services. (6 questions)
B: Plan a high availability solution that uses Network Load Balancing. (4 questions)
Part 2: Identify system bottlenecks, including memory, processor, disk, and network related bottlenecks. (5 questions)
Part 3: Implement a cluster server. (4 questions)
Part 4: Manage Network Load Balancing. Tools might include the Network Load Balancing Monitor Microsoft Management Console (MMC) snap-in and the WLBS cluster control utility. (4 questions)
Part 5: Plan a backup and recovery strategy.
A: Identify appropriate backup types. Methods include full, incremental, and differential. (6 questions)
B: Plan a backup strategy that uses volume shadow copy. (3 questions)
C: Plan system recovery that uses Automated System Recovery (ASR). (3 questions)
Topic 5: Planning and Maintaining Network Security (27 Questions)
Part 1: Configure network protocol security.
A: Configure protocol security in a heterogeneous client computer environment. (0 questions)
B: Configure protocol security by using IPSec policies. (1 question)
Part 2: Configure security for data transmission. (1 question)
Part 3: Plan for network protocol security.
A: Specify the required ports and protocols for specified services. (4 questions)
B: Plan an IPSec policy for secure network communications. (2 questions)
Part 4: Plan secure network administration methods.
A: Create a plan to offer Remote Assistance to client computers. (2 questions)
B: Plan for remote administration. (2 questions)
Part 5: Plan security for wireless networks. (5 questions)
Part 6: Plan security for data transmission.
A: Secure data transmission between client computers to meet security requirements. (3 questions)
B: Secure data transmission by using IPSec. (7 questions)
Part 7: Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in. (0 questions)
Topic 6: Planning, Implementing, and Maintaining Security Infrastructure (31 Questions)
Part 1: Configure Active Directory directory service for certificate publication. (3 questions)
Part 2: Plan a public key infrastructure (PKI) that uses Certificate Services.
A: Identify the appropriate type of certificate authority to support certificate issuance requirements. (4 questions)
B: Plan the enrollment and distribution of certificates. (12 questions)
C: Plan for the use of smart cards for authentication. (3 questions)
Part 3: Plan a framework for planning and implementing security.
A: Plan for security monitoring. (5 questions)
B: Plan a change and configuration management framework for security. (1 question)
Part 4: Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. (3 questions)
Topic 7: Planning and Implementing an Active Directory Infrastructure (74 Questions)
Part 1: Plan a strategy for placing global catalog servers.
A: Evaluate network traffic considerations when placing global catalog servers. (9 questions)
B: Evaluate the need to enable universal group caching. (6 questions)
Part 2: Plan a flexible operations master role placement.
A: Plan for business continuity of operations master roles. (3 questions)
B: Identify operations master role dependencies. (5 questions)
Part 3: Implement an Active Directory directory service forest and domain structure.
A: Create the forest root domain. (0 questions)
B: Create a child domain. (1 question)
C: Create and configure Application Data Partitions. (0 questions)
D: Install and configure an Active Directory domain controller. (5 questions)
E: Set an Active Directory forest and domain functional level. (9 questions)
F: Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts. (8 questions)
Part 4: Implement an Active Directory site topology.
A: Configure site links. (6 questions)
B: Configure preferred bridgehead servers. (8 questions)
C: Configure Intersite Replication (4 questions)
Part 5: Plan an administrative delegation strategy.
A: Plan an organizational unit (OU) structure based on delegation requirements. (8 questions)
B: Plan a security group hierarchy based on delegation requirements. (2 questions)
Topic 8: Managing and Maintaining an Active Directory Infrastructure (32 Questions)
Part 1: Manage an Active Directory forest and domain structure.
A: Manage trust relationships. (3 questions)
B: Manage schema modifications. (2 questions)
C: Add or remove a UPN suffix. (2 questions)
Part 2: Monitor Active Directory replication failures. Tools might include Replication Monitor, Event Viewer, and support tools.
A: Monitor Active Directory replication. (1 question)
B: Monitor File Replication service (FRS) replication. (0 questions)
Part 3: Restore Active Directory directory services.
A: Perform an authoritative restore operation. (6 questions)
B: Perform a nonauthoritative restore operation. (7 questions)
Part 4: Troubleshoot Active Directory.
A: Diagnose and resolve issues related to Active Directory replication. (7 questions)
B: Diagnose and resolve issues related to operations master role failure. (1 question)
C: Diagnose and resolve issues related to the Active Directory database. (3 questions)
Topic 9: Planning and Implementing User, Computer, and Group Strategies (22 Questions)
Part 1: Plan a distribution group strategy. (1 question)
Part 2: Plan a security group strategy. (6 questions)
Part 3: Plan a user authentication strategy.
A: Plan a smart card authentication strategy. (2 questions)
B: Create a password policy for domain users. (2 questions)
Part 4: Plan an OU structure.
A: Analyze the administrative requirements for an OU. (0 questions)
B: Analyze the Group Policy requirements for an OU structure. (1 question)
Part 5: Implement an OU structure.
A: Create an OU. (2 questions)
B: Delegate permissions for an OU to a user or to a security group. (6 questions)
C: Move objects within an OU hierarchy. (2 questions)
Topic 10: Planning and Implementing Group Policy (69 Questions)
Part 1: Plan Group Policy strategy.
A: Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode. (0 questions)
B: Plan a strategy for configuring the user environment by using Group Policy. (8 questions)
C: Plan a strategy for configuring the computer environment by using Group Policy. (17 questions)
Part 2: Configure the user environment by using Group Policy.
A: Distribute software by using Group Policy. (12 questions)
B: Automatically enroll user certificates by using Group Policy. (2 questions)
C: Redirect folders by using Group Policy. (2 questions)
D: Configure user security settings by using Group Policy. (10 questions)
Part 3: Deploy a computer environment by using Group Policy.
A: Distribute software applications by using Group Policy. (10 questions)
B: Automatically enroll computer certificates by using Group Policy. (1 question)
C: Configure computer security settings by using Group Policy. (7 questions)
Topic 11: Managing and Maintaining Group Policy (24 Questions)
Part 1: Troubleshoot issues related to Group Policy application deployment. Tools might include RSoP and the gpresult command. (7 questions)
Part 2: Maintain installed software by using Group Policy.
A: Distribute updates to software distributed by Group Policy. (4 questions)
B: Configure automatic updates for network clients by using Group Policy. (4 questions)
Part 3: Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult command. (9 questions)
Topic 12: Miscellaneous Questions (11 Questions)
Total Number of Questions: 418
Topic 1: Planning and Implementing Server Roles and Server Security (23 Questions)
Part 1: Configure security for servers that are assigned specific roles. (3 questions)
QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory
domain testking.com. The network contains two Windows Server 2003 domain controllers, two Windows
2000 Server domain controllers, and two Windows NT Server 4.0 domain controllers.
All file servers for the finance department are located in an organizational unit (OU) named Finance
Servers. All file servers for the payroll department are located in an OU named Payroll Servers. The
Payroll Servers OU is a child OU of the Finance Servers OU.
TestKing’s written security policy for the finance department states that departmental servers must have
security settings that are enhanced from the default settings. The written security policy for the payroll
department states that departmental servers must have enhanced security settings from the default
settings, and auditing must be enabled for file or folder deletion.
You need to plan the security policy settings for the finance and payroll departments.
What should you do?
A. Create a Group Policy object (GPO) to apply the Compatws.inf security template to computer objects,
and link it to the Finance Servers OU.
Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to
the Payroll Servers OU.
B. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects,
and link it to the Finance Servers OU.
Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to
the Payroll Servers OU.
C. Create a Group Policy object (GPO) to apply the Compatws.inf security template to computer objects,
and link it to the Finance Servers OU.
Create a second GPO to apply the Hisecws.inf security template to computer objects, and link it to the
Payroll Servers OU.
D. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects,
and link it to the Finance Servers and to the Payroll Servers OUs.
Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to
the Payroll Servers OU.
Answer: B
Explanation:
The Securews.inf template contains policy settings that increase the security on a workstation or member server
to a level that remains compatible with most functions and applications. The template includes many of the
same account and local policy settings as Securedc.inf, and implements digitally signed communications and
greater anonymous user restrictions.
Audit Object Access
A user accesses an operating system element such as a file, folder, or registry key. To audit elements like these,
you must enable this policy and you must enable auditing on the resource that you want to monitor. For
example, to audit user accesses of a particular file or folder, you display its Properties dialog box with the
Security tab active, navigate to the Auditing tab in the Advanced Security Settings dialog box for that file or
folder, and then add the users or groups whose access to that file or folder you want to audit.
Incorrect Answers:
A, C: The Compatws.inf security template is designed for Windows NT compatible applications that require
lower security settings in order to run. These settings are lower than the default settings.
D: The Payroll Servers OU is a child OU of the Finance Servers OU. GPO settings applied to parent OUs are
inherited by child OUs; therefore we don’t need to link the GPO to both the Finance Servers OU and the
Payroll Servers OU.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows
Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 9 and 10.
QUESTION NO: 2
You are the network admin for TestKing. Your network contains 50 application servers that run
Windows Server 2003.
The security configuration of the application servers is not uniform. The application servers were
deployed by local administrators who configured the settings for each of the application servers differently
based on their knowledge and skill. The application servers are configured with different authentication
methods, audit settings and account policy settings.
The security team recently completed a new network security design. The design includes a baseline
configuration for security settings on all servers. The baseline security settings use the hisecws.inf
predefined security template. The design also requires modified settings for servers in an application
server role. These settings include system service startup requirements, renaming the administrator
account, and more stringent account lockout policies. The security team created a security template
named application.inf that contains the required settings.
You need to plan the deployment of the new security design. You need to ensure that all security settings
for the application servers are standardized, and that after the deployment, the security settings on all
application servers meet the design requirements. What should you do?
A. Apply the setup security.inf template first, the hisecws.inf template next, and then the application.inf
template
B. Apply the Application.inf template and then the Hisecws.inf template.
C. Apply the Application.inf template first, then setup.inf template next, and then the hisecws.inf template
D. Apply the Setup.inf template and then the application.inf template
Answer: A.
Explanation:
The servers currently have different security settings. Before applying our modified settings, we should
reconfigure the servers with their default settings. This is what the security.inf template does. Now that our
servers have the default settings, we can apply our baseline settings specified in the hisecws.inf template. Now
we can apply our custom settings using the application.inf template.
Incorrect Answers:
B: The hisecws.inf template would overwrite the custom application.inf template.
C: Same as answer A. Also, the setup.inf security template doesn’t exist. To return a system to its default
security settings, we use the security.inf template.
D: The setup.inf security template doesn’t exist. To return a system to its default security settings, we use the
security.inf template.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows
Server 2003 Network Infrastructure.
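The ordering argument in Question 2 can be checked with a small model of layered template application. The Python sketch below is an added example, not part of the original exam material; the template contents, the two server states and the helper names are constructed for illustration and do not reproduce the real files, and the design target is assumed to be hisecws.inf overlaid by application.inf.

```python
"""Model of applying security templates in sequence (added example).

Every template body and server state here is CONSTRUCTED sample data.
A template only touches the settings it defines; anything it leaves
undefined keeps whatever value the server already had.
"""

TEMPLATES = {
    "setup security.inf": """
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Event Audit]
AuditObjectAccess = 0
AuditPrivilegeUse = 0
[Service General Setting]
TlntSvr,3,""
""",
    "hisecws.inf": """
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditObjectAccess = 3
""",
    "application.inf": """
[System Access]
LockoutBadCount = 3
NewAdministratorName = "tk-appadmin"
[Service General Setting]
TlntSvr,4,""
""",
}

# Constructed starting points: two servers configured differently by hand.
SERVERS = {
    "app01": {("System Access", "MinimumPasswordLength"): "6",
              ("System Access", "LockoutBadCount"): "10",
              ("Event Audit", "AuditPrivilegeUse"): "3"},
    "app02": {("System Access", "MinimumPasswordLength"): "0",
              ("System Access", "LockoutBadCount"): "0",
              ("Event Audit", "AuditPrivilegeUse"): "0"},
}

ORDER_A = ["setup security.inf", "hisecws.inf", "application.inf"]  # answer A
ORDER_B = ["application.inf", "hisecws.inf"]                        # answer B


def parse_template(text):
    """Parse template text into {(section, key): value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None:
            raise ValueError("setting outside a section: %r" % line)
        # "key = value" lines, or "name,startup,acl" lines for services
        sep = "=" if "=" in line else ","
        key, _, value = line.partition(sep)
        settings[(section, key.strip())] = value.strip()
    return settings


def configure(server_state, order):
    """Apply templates in sequence; a later template wins on conflict."""
    state = dict(server_state)
    for name in order:
        state.update(parse_template(TEMPLATES[name]))
    return state


def evaluate(order):
    """Return (all servers identical?, settings that miss the design)."""
    results = {n: configure(s, order) for n, s in SERVERS.items()}
    uniform = len({tuple(sorted(r.items())) for r in results.values()}) == 1
    required = {}
    for name in ("hisecws.inf", "application.inf"):  # assumed design target
        required.update(parse_template(TEMPLATES[name]))
    gaps = sorted({key for r in results.values()
                   for key, want in required.items() if r.get(key) != want})
    return uniform, gaps


if __name__ == "__main__":
    for label, order in (("A", ORDER_A), ("B", ORDER_B),
                         ("no reset", ["hisecws.inf", "application.inf"])):
        uniform, gaps = evaluate(order)
        print(label, "uniform:", uniform, "unmet:", gaps)
```

In this model, order A leaves both servers identical with no unmet settings, order B loses the stricter lockout value to hisecws.inf, and skipping the reset step leaves the hand-configured audit setting different between servers.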
QUESTION NO: 3
Your network contains Terminal servers that host legacy applications that require users to be members
of the Power Users group in order to run them.
A new company policy states that the Power Users Group must be empty on all servers. You need to
maintain the ability to run legacy applications on your servers when the new security requirement is
enabled.
What should you do?
A. Add the domain users global group to the Remote Desktop Users built-in group in the domain
B. Add the domain users global group to the Remote Desktop Users local group on each terminal server
C. Modify the compatws.inf security template settings to allow members of the local users group to run the
applications. Import the security settings into the default Domain Controllers Group Policy Object.
D. Modify the compatws.inf security template settings to allow members of the local users group to run the
applications. Apply the modified template to each terminal server
Answer: D
Explanation:
The default Windows 2000 security configuration gives members of the local Users group strict security
settings, while members of the local Power Users group have security settings that are compatible with
Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to
run in the standard Windows environment for Users, while still allowing applications that are not certified for
Windows 2000 to run successfully under the less secure Power Users configuration. However, if Windows 2000
users are members of the Power Users group in order to run applications not certified for Windows 2000, this
may be too insecure for some environments. Some organizations may find it preferable to assign users, by
default, only as members of the Users group and then decrease the security privileges for the Users group to the
level where applications not certified for Windows 2000 run successfully. The compatible template
(compatws.inf) is designed for such organizations. By lowering the security levels on specific files, folders, and
registry keys that are commonly accessed by applications, the compatible template allows most applications to
run successfully under a User context. In addition, since it is assumed that the administrator applying the
compatible template does not want users to be Power Users, all members of the Power Users group are
removed.
Incorrect Answers:
A, B: A global group is available domain-wide at any domain functional level, so there is no reason to
add it to another group.
C: The Compatws.inf template is not intended for domain controllers, so you should not link it to a site, to the
domain, or to the Domain Controllers OU.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, Glossary.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to
Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows
Server 2003 environment: Exams 70-292 and 70-296, Chapter 9.
Part 2: Plan a secure baseline installation.
A: Plan a strategy to enforce system default security settings on new systems. (2 questions)
QUESTION NO: 1
You are the network administrator for TestKing.com. The network consists of a single Active Directory
domain named testking.com. The functional level of the domain is Windows Server 2003. The domain
contains an organizational unit (OU) named Servers that contains all of TestKing’s Windows Server 2003
resource servers. The domain also contains an OU named Workstations that contains all of TestKing’s
Windows XP Professional client computers.
You configure a baseline security template for resource servers named Server.inf and a baseline security
template for client computers named Workstation.inf. The Server.inf template contains hundreds of
settings, including file and registry permission settings that have inheritance propagation enabled. The
Workstation.inf template contains 20 security settings, none of which contain file or registry permissions
settings.
The resource servers operate at near capacity during business hours.
You need to apply the baseline security templates so that the settings will be periodically enforced. You
need to accomplish this task by using the minimum amount of administrative effort and while minimizing
the performance impact on the resource servers.
What should you do?
A. Create a Group Policy object (GPO) and link it to the domain.
Import both the Server.inf and the Workstation.inf templates into the GPO.
B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy Group
Policy object (GPO).
C. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak
hours by using the secedit command.
Create a Group Policy object (GPO) and link it to the Workstations OU.
Import the Workstation.inf template into the GPO.
D. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak
hours by using the secedit command.
Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO).
Answer: C
Explanation:
The question states that you need to apply the baseline security templates so that the settings will be periodically
enforced. To accomplish this you must create a scheduled task so that the performance impact on resource
servers is minimized.
The question also states that Workstation.inf is a baseline security template for client computers. Therefore, the
GPO has to be linked to the OU that contains the client computers, and the Workstation.inf template must be
imported to the said GPO so that it can be applied.
Secedit.exe is a command line tool that performs the same functions as the Security Configuration And
Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in
scripts and batch files to automate security template deployments.
You can create a baseline security configuration in a GPO directly, or import a security template into a GPO.
Link the baseline security GPO to OUs in which member servers’ computer objects exist.
Incorrect Answers:
A: GPOs process security templates from the bottom up; therefore, by importing both the Server.inf and the
Workstation.inf templates into a single GPO, we would ensure that the settings in the security template
imported last are applied in cases where there are conflicting settings. If we apply this to the domain, then
all computers would have the same settings.
B, D: The Default Domain Policy Group Policy object (GPO) is applied only to the Domain Controllers group.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows
Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 10.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to
Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows
Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 9.
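The scheduled enforcement from answer C, as a batch script that both registers the weekly task and does the work when the task fires. This is an added example, not from the original study guide; the C:\Baseline folder, file names, task name and schedule are assumptions.

```batch
@echo off
setlocal
rem Added example: weekly off-peak enforcement of Server.inf on one resource server.
rem Assumptions: this script is saved as C:\Baseline\enforce.cmd and the
rem template as C:\Baseline\Server.inf; task name and schedule are placeholders.
set "BASE=C:\Baseline"
set "DB=%BASE%\server.sdb"
set "LOG=%BASE%\enforce.log"

if /i "%~1"=="/install" goto install

rem --- Normal run, started by the scheduled task ---
rem /overwrite rebuilds the database from Server.inf on every run, so a
rem setting removed from the template does not linger in the database.
secedit /configure /db "%DB%" /cfg "%BASE%\Server.inf" /overwrite /log "%LOG%" /quiet
set RC=%ERRORLEVEL%
echo %DATE% %TIME% secedit exit code %RC% >> "%BASE%\runs.txt"
exit /b %RC%

:install
rem One-time registration: enforce.cmd /install
rem The task runs as SYSTEM, so no password is stored with it.
rem Windows Server 2003 schtasks expects /st as HH:MM:SS.
schtasks /create /tn "Enforce Server Baseline" /tr "%BASE%\enforce.cmd" /sc weekly /d SUN /st 02:00:00 /ru SYSTEM
exit /b %ERRORLEVEL%
```

Because the task runs as SYSTEM, write access to the folder holding the script and the template should be limited to administrators.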
QUESTION NO: 2
You are a network administrator for TestKing. The network consists of a single Active Directory domain
named testking.com. The network contains 80 Web servers that run Windows 2000 Server. The IIS
Lockdown Wizard is run on all Web servers as they are deployed.
TestKing is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into
an organizational unit (OU) named Web Servers.
You are planning a baseline security configuration for the Web servers. The company’s written security
policy states that all unnecessary services must be disabled on servers. Testing shows that the server
upgrade process leaves the following unnecessary services enabled:
• SMTP
• Telnet
Your plan for the baseline security configuration for Web servers must comply with the written security
policy.
You need to ensure that unnecessary services are always disabled on the Web servers.
What should you do?
A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services.
Link the GPO to the Web Servers OU.
B. Create a Group Policy object (GPO) and import the Hisecws.inf security template.
Link the GPO to the Web Servers OU.
C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled.
Link the GPO to the Web Servers OU.
D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services.
Link the GPO to the Web Servers OU.
Answer: C
Explanation:
Windows Server 2003 installs a great many services with the operating system, and configures quite a few with
the Automatic startup type, so that these services load automatically when the system starts. Many of these
services are not needed in a typical member server configuration, and it is a good idea to disable the ones that
the computer doesn’t need. Services are programs that run continuously in the background, waiting for another
application to call on them. Instead of controlling the services manually, using the Services console, you can
configure service parameters as part of a GPO. Applying the GPO to a container object causes the services on
all the computers in that container to be reconfigured. To configure service parameters in the Group Policy
Object Editor console, you browse to the Computer Configuration\Windows Settings\Security Settings\System
Services container and select the policies corresponding to the services you want to control.
Incorrect Answers:
A: The logon script would only run when someone logs on to the web servers. It’s likely that the web servers
will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy would be refreshed at
regular intervals.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows
Server 2003 Network Infrastructure.
B: Identify client operating system default security settings. (2 questions)
QUESTION NO: 1
You are the network admin for TestKing. All servers run Windows Server 2003.
Every week, you run the mbsacli.exe /hf command to ensure that all servers have the latest critical
updates installed. You run the mbsacli.exe /hf command from a server named server1.
When you scan a server named TestKingB, you receive the following error message: Error 200,
System not found, Scan failed.
When you ping TestKingB you receive a reply.
You need to ensure that you can scan TestKingB by using the mbsacli.exe /hf command.
What should you do?
A. Copy the latest version of the Mssecure.xml to the program files\microsoft baseline security analyzer
folder on server1
B. Ensure that the Server service is running on TestKingB
C. Install IIS common files on Server1
D. Install the latest version of IE on TestKingB
Answer: B
Explanation:
From Microsoft: Error: 200 - System not found. Scan not performed. This error message indicates that mbsacli
/hf did not locate the specified computer and did not scan it. To resolve this error, verify that this computer is on
the network and that the host name and IP address are correct. We know that the computer is on the network
because we can successfully ping it. Therefore, the cause of the problem must be that the Server service isn’t
running.
Incorrect Answers:
A: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with
Server1.
C: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with
Server1.
D: The version of IE that comes with Windows Server 2003 is sufficient, and therefore does not need to be
upgraded.