Windows Server 2003

Front 1

You are the network administrator for a Microsoft Windows Server 2003 domain. All of your client computers run Microsoft Windows XP. While assisting a user, you notice that the user does not have to press CTRL+ALT+DELETE to log on. You ask other users and learn that many of them do not have to use the CTRL+ALT+DELETE key sequence. To resolve this problem, you configure a Group Policy Object (GPO) with the appropriate security settings on one of your Windows Server 2003 domain controllers. To test the new settings, you log on to the domain from one of the Windows XP client computers only to find that users are still not required to enter the CTRL+ALT+DELETE key sequence. What can you do to enforce the security settings immediately?


a. Run the Refresh policy from the command line.
b. Run Gpupdate /force from the command line.
c. Run Secedit.
d. Reboot the client computers.

Back 1

b. Run Gpupdate /force from the command line.


EXPLANATION: The command Gpupdate /force initializes an immediate application of local or Group Policy settings. Settings applied using Group Policy are applied to client computers every 90 minutes by default.

Front 2

Which item is not managed and/or secured by network security protocols?


a. Authentication
b. Authorization
c. Confidentiality
d. Activation
e. Nonrepudiation

Back 2

d. Activation

EXPLANATION: Network security protocols are used to manage and secure authentication, authorization, confidentiality, integrity, and nonrepudiation.

Front 3

Security configuration tools includes three snap-ins. Which of the following is not a security configuration tool?


a. Security Configuration And Analysis snap-in
b. Security Templates snap-in
c. Group Policy snap-in
d. Security Analyzer snap-in

Back 3

d. Security Analyzer snap-in



EXPLANATION: (Discussion starts on page 163.)

Front 4

How should the principle of least privilege be applied to members of the Administrator group?


a. The network administrator should perform routine tasks using an account with the principle of least privilege applied. When performing administrative tasks that require elevated permissions, the Run As feature should be utilized.
b. The principle of least privilege does not apply to network administrators.
c. Network administrators should perform all functions using the account with the highest level of privileges.
d. Members of the Administrator group should have minimum privileges. All functions that require elevated privileges should be performed by the enterprise administrator.

Back 4

a. The network administrator should perform routine tasks using an account with the principle of least privilege applied. When performing administrative tasks that require elevated permissions, the Run As feature should be utilized.


EXPLANATION: (Discussion starts on page 154.)

Front 5

You are network administrator of a Microsoft Windows Server 2003 network that must run a legacy payroll application, which is not certified by Microsoft. You install the application on a member server and apply the Compatws security template. A user named Maria, who is a member of the Local Users group, logs on to the server and attempts unsuccessfully to run the payroll application. What could you do to allow Maria to run this application successfully?


a. Make Maria’s user account a member of the Power Users group.
b. Make Maria’s user account a member of the Domain Users group.
c. Install the application on a domain controller, and apply the Compatws security template to the domain controller.
d. Give Maria’s user account the right to log on locally to the member server.

Back 5

a. Make Maria’s user account a member of the Power Users group.

EXPLANATION: The Compatws security template allows members of the Power Users group and higher-level groups to run applications that have not been certified by the Windows operating system. Members of the Local Users group do not receive elevated permission when this template is applied.

Front 6

What is the result of copying a file encrypted using EFS to a folder located on a disk that is formatted using the FAT32 file system?


a. The EFS encryption is lost.
b. The file remains encrypted.
c. An encrypted file cannot be copied from an NTFS file system partition to a FAT32 partition.
d. The file remains encrypted; however, the owner is no longer able to access the file.

Back 6

a. The EFS encryption is lost.

EXPLANATION: Encrypting File System (EFS) allows only the encryption of NTFS files. If a file is copied to a FAT32 partition, the file would no longer be encrypted.

Front 7

You have sensitive data in a network folder that is currently encrypted using EFS. The drive that the folder is stored on is low on space, and you would like to compress the contents of the folder. You compress the folder and all subfolders, but later you notice that the folder is not encrypted. How can you encrypt a folder using EFS and compress the contents to conserve disk space?


a. This cannot be accomplished. Encryption and compression are mutually exclusive.
b. You must compress the folder first, and then encrypt it.
c. Compress the folder, and then encrypt each file in the folder individually.
d. Move the folder to an NTFS file system partition.

Back 7

a. This cannot be accomplished. Encryption and compression are mutually exclusive.

EXPLANATION: (Discussion starts on page 161.)

Front 8

The accounting manager of your company works with a file named Payroll, which contains very sensitive information. You must secure this file so that only the accounting manager can gain access to the data. Which feature of Microsoft Windows Server 2003 should you implement?


a. NTFS file system permissions
b. Share permissions
c. EFS
d. Compression

Back 8

c. EFS

EXPLANATION: Encrypting File System (EFS) can be used to encrypt data that is stored on an NTFS partition. After the data is encrypted using EFS, only the owner of the file and the recovery agent can access the data.

Front 9

You are the network administrator for a Microsoft Windows Server 2003 domain. You update several client computers from Microsoft Windows 98 to Microsoft Windows XP. After the update, the users report that they can no longer run some of the applications they could use before the update. Which action can you take to allow the users to run all applications available before the update?


a. Place the affected user accounts in the Administrator group.
b. Apply the Securews security template to the upgraded computers, and place the affected user accounts in the Power Users group.
c. Apply the Compatws security template to the upgraded computers, and place the affected user accounts in the Power Users group.
d. Apply the Hisecws security template to the upgraded computers. No action is required for the user accounts.

Back 9

c. Apply the Compatws security template to the upgraded computers, and place the affected user accounts in the Power Users group.

EXPLANATION: To enable users to run legacy applications, you must apply the Compatws security template to the client computers. The user also must be assigned permissions that are equivalent to the Power Users group or higher.

Front 10

Which of the following accurately explains the principle of least privilege?


a. Give all users at least one level of permission above what they currently require to perform their job.
b. Create two user accounts for each user. Assign the first user account the least amount of privileges possible. Assign the second user account full administrative privileges.
c. Group objects that require the least privilege.
d. A user or object should not have privileges or access to information and resources unless it is absolutely necessary.

Back 10

d. A user or object should not have privileges or access to information and resources unless it is absolutely necessary.


EXPLANATION: The principle of least privilege states that users and objects should not have privileges or access to information and resources unless it is absolutely necessary for them to have such privileges and access.

Front 11

Data on your network must be encrypted while it is stored on the network drives and while it is in transit across the network. You encrypted a file using EFS, but that is all you have done. Which of the following objectives have you met?


a. The data will be encrypted only when it is stored on the disk.
b. The data will be encrypted when it is stored on the disk and when it is in transit across the network.
c. The data will be encrypted only when it is in transit across the network.
d. The data will not be encrypted when it is stored on a disk or when it is in transit across the network.

Back 11

a. The data will be encrypted only when it is stored on the disk.

EXPLANATION: Encrypting File System (EFS) encrypts data only while it
is stored on a disk. To encrypt data while it is in transit on the network, additional security, such as Internet Protocol Security (IPSec), is necessary.

Front 12

An employee named Maria encrypted a folder that was stored locally on her computer and that contained several important files. Maria recently left the company without unencrypting the folder or providing anyone with her private key. What is the recommended method for recovering the encrypted data?


a. Have the recovery agent install his private key on Maria’s computer, and then remove the encryption attributes from the folder.
b. Send the file to the recovery agent’s computer, and then remove the encryption attributes from the folder.
c. Copy the file to a FAT32 partition.
d. The encrypted folder cannot be recovered.

Back 12

b. Send the file to the recovery agent’s computer, and then remove the encryption attributes from the folder.

EXPLANATION: When encrypted data must be recovered and the owner is not available, the file should be sent to the recovery agent’s computer. This eliminates the need to install the recovery agent’s private key on the user’s computer.

Front 13

You are the administrator of the contoso.com domain, and you make several critical updates to security settings that are stored in the Active Directory directory service. You assign the security settings using Group Policy. All of your network servers run Microsoft Windows Server 2003. What can you do to ensure that these settings take effect immediately?


a. Run Gpupdate at the command line.
b. No action is required. Group Policy settings always take effect immediately.
c. Run Refreshpolicy at the command line.
d. Log off and log back on to the domain.

Back 13

a. Run Gpupdate at the command line.

EXPLANATION: The Gpupdate tool refreshes local Group Policy settings and Group Policy settings that are stored in Active Directory.

Front 14

You have just been hired as the network administrator for Blue Yonder Airlines. The previous administrator left suddenly and did not provide information about the security configuration on your network. How can you easily determine the current security settings for computers on your network with minimal administrative effort?


a. Use the Microsoft Baseline Security Analyzer (MBSA).
b. Use the Security Configuration And Analysis snap-in.
c. Run Secedit at the command line.
d. Use the Security Templates snap

Back 14

a. Use the Microsoft Baseline Security Analyzer (MBSA).

EXPLANATION: Microsoft Baseline Security Analyzer is a powerful tool that is used for checking security settings on multiple computers.

Front 15

When a file that has been encrypted using EFS is copied from one folder on an NTFS file system drive to another folder on an NTFS drive, the file will remain encrypted?


a. True
b. False

Back 15

a. True

EXPLANATION: Copies of files that are encrypted using Encrypting File System (EFS) will retain their encryption attributes if they are copied or backed up to another location on an NTFS volume.

Front 16

You are the network administrator for the contoso.com domain. You want to assign rights to add workstations to the domain to two assistants. However, you do not want the assistants to have any other rights that are not assigned to all other domain users. What is the recommended method of accomplishing this task?


a. Assign the right to add workstations to the domain to the user accounts of both assistants.
b. Create a security group named Assistants. Add the user accounts of both assistants to the Assistants group, then grant the right to add workstations to the domain to the Assistants group.
c. Place the user accounts of both assistants in the Administrators group.
d. Give the users the Administrator account password and have them use the Run As function to add workstations to the domain.

Back 16

b. Create a security group named Assistants. Add the user accounts of both assistants to the Assistants group, then grant the right to add workstations to the domain to the Assistants group.

EXPLANATION: The recommended method for assigning rights to place users in groups and assign the rights to the groups.

Front 17

Which of the following best describes the purpose of authorization?


a. Authorization is used to prove you are who you say you are.
b. Authorization is used to determine what you can do on the network after you are authenticated.
c. Authorization is used to keep data secret.
d. Authorization is used to ensure that the data received is the same as the data sent.

Back 17

b. Authorization is used to determine what you can do on the network after you are authenticated.

EXPLANATION: (Discussion starts on page 146.)

Front 18

You create a file in an encrypted folder. You later decide that multiple users must have access to this file and that encryption is no longer necessary. You move the file to an unencrypted folder and assign Read permission to the Domain Users group. Members of the Domain Users group complain that they still cannot access the file. Which action should you take to allow the Domain Users group to access this file?


a. Re-create the file in an unencrypted form.
b. Restore a copy of the file from a tape backup.
c. Assign the Domain Users group Read and Modify permissions for the file.
d. Clear the encryption attribute for the file.

Back 18

d. Clear the encryption attribute for the file.

EXPLANATION: If a file is moved from an encrypted folder to an unencrypted folder, the file will remain encrypted.

Front 19

The Secedit command-line tool provides an administrator with the ability to perform functions similar to those that can be performed using the Security Configuration And Analysis snap-in. Which function cannot be performed using Secedit?


a. Configure
b. Authenticate
c. Analyze
d. Generate rollback

Back 19

b. Authenticate

EXPLANATION: The Secedit tool has the capability to perform the following functions: configure, analyze, import, export, validate, and generate rollback.

Front 20

What command-line tool included with Microsoft Windows Server 2003 can be used to encrypt and decrypt a file or folder?


a. Cipher utility
b. Secedit utility
c. Gpupdate utility
d. Encrypt utility

Back 20

a. Cipher utility

EXPLANATION: The Cipher utility is a command-line tool that is included in Windows Server 2003; it has the capability to encrypt and decrypt files and folders.

Front 21

You must encrypt data while it is stored on a disk and while it is in transit across the network. You have implemented EFS to encrypt the data while it is stored on the disk. Which additional technology should you implement to encrypt the data while it is in transit across the network?

a. IPSec
b. Secedit utility
c. Cipher utility
d. Compress utility

Back 21

a. IPSec

EXPLANATION: Internet Protocol Security (IPSec) encrypts data while it is being transported across Transmission Control Protocol/Internet Protocol (TCP/IP) networks.

Front 22

You are the network administrator for a Microsoft Windows Server 2003 network that has a single domain named contoso.com. You would like to create a password policy that requires all passwords to have a minimum of eight characters. Which of the seven configurable areas in the Security Templates snap-in contains the settings that affect password policies?


a. Account Policies
b. Local Policies
c. Restricted Groups
d. File System

Back 22

a. Account Policies

EXPLANATION: The Account Policies area includes policies pertaining to user accounts. The policies are the Password policy, the Account Lockout policy, and the Kerberos policy.

Front 23

You are a help desk administrator, and you just received a call from a user who complains that he is unable to encrypt a file that he just created. What is a possible reason the file cannot be encrypted?


a. The file is stored on an NTFS file system partition.
b. The file is located inside an unencrypted folder on an NTFS partition.
c. Only the administrator can encrypt the file.
d. The file is stored on a FAT32 partition.

Back 23

d. The file is stored on a FAT32 partition.

EXPLANATION: The features of Encrypting File System (EFS) are available only when using NTFS.

Front 24

You create an unencrypted file named Test on an NTFS file system volume. Later you move the file Test into a folder that is encrypted. What effect will this move have on the file?


a. The Test file will inherit the encryption attribute of the destination folder.
b. The Test file will not inherit the encryption attribute of the destination folder.
c. You will be unable to move an unencrypted file into an encrypted folder.
d. You will be prompted to choose whether the file will be encrypted after it is moved.

Back 24

a. The Test file will inherit the encryption attribute of the destination folder.


EXPLANATION: All files that are moved or copied into an encrypted folder become encrypted.

Front 25

As the network administrator for the contoso.com domain, you established a security baseline and created a template with the baseline settings; this template has been applied to all computers in the domain. You now want to verify the effectiveness of your security settings. What should you do to help determine whether your security settings are effective?

a. Enable auditing
b. Run Gpupdate
c. Enable the Security Baseline tool
d. Run Secedit

Back 25

a. Enable auditing

EXPLANATION: To determine whether your security configuration obtains the desired results, you should enable auditing. Auditing allows administrators to view log information about events on the network.

Front 26

The MMC Security Templates snap-in lists all of the built-in security templates. It has a heading labeled Setup Security. The Setup Security heading contains seven configurable areas. Which of the following items is not a configurable area contained in the Security Templates snap-in?

a. Account Policies
b. Restricted Groups
c. File System
d. Applications

Back 26

d. Applications


EXPLANATION: Predefined templates have seven configurable areas: Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System.

Front 27

You create an unencrypted file named Test on an NTFS file system volume. Later you move the file Test into a folder that is encrypted. What effect will this move have on the file?



a. The Test file will inherit the encryption attribute of the destination folder.
b. The Test file will not inherit the encryption attribute of the destination folder.
c. You will be unable to move an unencrypted file into an encrypted folder.
d. You will be prompted to choose whether the file will be encrypted after it is moved.

Back 27

a. The Test file will inherit the encryption attribute of the destination folder.

EXPLANATION: All files that are moved or copied into an encrypted folder become encrypted.

Front 28

Which command-line tool can be used to configure and analyze system security by comparing current settings against at least one template?


a. Secedit utility
b. Gpupdate utility
c. Analyze utility
d. Ipconfig utility

Back 28

a. Secedit utility


EXPLANATION: (Discussion starts on page 166.)

Front 29

You are the administrator of the contoso.com domain, and you would like to apply the principle of least privilege on your network by performing your day-to-day tasks logged on to the network using an account that does not have administrative privileges. Certain functions that you perform daily, however, require administrative privileges, and you would like to be able to accomplish these tasks without having to provide additional credentials. How could you accomplish specific administrative tasks without having to provide additional user credentials?

a. Create a shortcut that performs the Run As function for the particular task that you would like to perform.
b. Create a shortcut that logs you off the network and back on as the domain administrator.
c. Right-click the task you would like to perform, and then choose Run As. When prompted to provide credentials, press ESC.
d. This cannot be accomplished.

Back 29

a. Create a shortcut that performs the Run As function for the particular task that you would like to perform.

EXPLANATION: One method of applying the principle of least privilege is to use the Run As feature. The Run As feature can be used through the context menu, when starting a program, from the command line, or through the use of shortcuts.