1. You are the administrator for a Windows
2000 network. One of the employees, Jeane, has unexpectedly
left the company. Ben has been hired to replace Jeane.
Jeane had used Encrypting File System (EFS) to encrypt
a file on her Windows 2000 computer. Now that she is gone,
Ben must be able to access the encrypted file.
Which of the following two methods could you use to
accomplish your objective? (Select 2 choices)
A. You should back up the encrypted file and restore
it on your computer. Then, decrypt the file.
B. You should copy the file to a FAT32 partition.
C. You should log on to Jeane's computer using your Administrator account
and decrypt the file.
D. You should change Jeane's password so that Ben can log on to her account
and decrypt the file.
Answer: A, D
There are two ways that you can enable Ben to access
the encrypted file in this scenario.
1) In order to use EFS, an EFS recovery policy must
be defined. Therefore, if a user who encrypted a file
is unavailable, the recovery agent can be used to provide
the proper key to decrypt the file. The Administrators
account is the default recovery agent. As recovery
agent, your computer will have an EFS certificate installed,
which can be used to decrypt a file on your computer.
All you need to do is back up the file to your computer
and then restore it on your computer, and then decrypt
the file.
2) The other method would be to change the password
of Jeane's user account and give Ben the new password.
Copying an encrypted file to a FAT partition will
cause the file to lose its encryption. However, if
you are not the owner of the private key, you will
be unable to copy the file to a FAT partition.
You will not be able to decrypt the file by logging
on to Jeane's computer.
Objective 1: Creating, Configuring, Managing, Securing,
and Troubleshooting File, Print, and Web Resources.
2. As network administrator, you are in charge of
setting up the new Web site for your company. The Web
site will have a list of the company's products that
customers will be able to purchase using their credit
cards. The Web site is being hosted on a Windows 2000
Server computer that is installed with IIS (Internet
Information Server). You want to ensure that the customers' credit
card information is kept secure during transactions
over the Internet.
Which of the following actions should you take?
A. Enable EFS on the Windows 2000 Server computer
hosting your Web site.
B. Use the Secure Server policy for all Web site communications.
C. Configure the Web site to use IPSec for all transactions.
D. Use SSL on the Web site.
E. Do nothing. IIS protects Internet communication by default.
Answer: D
In this scenario, you should configure the Web site
to use secure sockets layer (SSL) handshake protocol
for all communications between the Windows 2000 IIS
computer and the customers' Web browsers. Additionally,
you need to install a server certificate from a third-party
certificate authority (CA).
Note:
The SSL protocol runs above TCP/IP (the main Internet Protocol) and below
higher-level protocols such as HTTP. SSL used in conjunction with a
third-party certificate authority will enable the SSL-enabled server
to authenticate itself to an SSL-enabled client, which in turn allows
the client to authenticate itself to the server. Both machines can
then establish an encrypted connection.
Encrypting File System (EFS) is a new feature supported
only by Windows 2000. EFS can be used to encrypt files
stored on the local disk. EFS cannot be used to encrypt
data that is being transmitted.
The Secure Server policy would cause all communication
to and from the Web server to be encrypted using IPSec.
IPSec is supported by Windows 2000 and later. It can
be assumed that some customers will not be using Windows
2000. Therefore, using IPSec is not a viable solution.
Objective 1: Creating, Configuring, Managing, Securing,
and Troubleshooting File, Print, and Web Resources.
3. As network administrator, one of your tasks involves
maintaining a Windows 2000 Server computer running
IIS. The name of the server is IISserver. You have
just placed several files that describe company policies
in a folder on the IIS server. You want users to be
able to access these files using the URL http://IISserver/Policies.
Which of the following actions will accomplish your
goal?
A. Enable Web sharing on the folder containing the
company policy files. Specify "Policies" as
the folder's alias.
B. Enable Web sharing on the folder containing the company policy files.
Rename the folder to "IISserver".
C. Create a Web site. Configure the host header name for the Web site
as "Policies".
D. Create an FTP site and rename the folder containing the company policy
files to "Policies".
Answer: A
In order for employees to access the company policy
files using the URL http://IISserver/Policies, you
should take the following two actions. First, enable
Web sharing on the folder containing the company policy
files. Then, specify "Policies" as the folder's
alias.
NOTE:
1) URL stands for Uniform Resource Locator. It describes the address
and method of reaching a file (e.g., http) on the Internet or local
intranet.
2) HTTP stands for Hypertext Transfer Protocol and
is a transfer protocol used for transferring hypertext. "Hypertext" also
represents the first two letters in HTML code.
3) FTP stands for File Transfer Protocol and is another
type of transfer protocol used for transferring files.
4) A "host header" is a prefix to your domain
name and is used to subdivide your domain name. Host
headers point to specific directories on your web server.
If a computer has a single IP address, it can host
several Web sites by assigning different "host
header names" to each Web site. The following
is an example of using host headers:
"site1.IISserver.com" or "site2.IISserver.com".
You should not rename the folder containing the company
policy files to "IISserver".
If you created a new Web site and configured the host
header name for the Web site as "Policies",
users would have to use the URL http://Policies to
access the files. Additionally, you would have to configure
DNS to resolve "Policies" to the correct server.
If you created an FTP site, users would have to use
the prefix of "ftp" rather than "http" to
access the files.
Objective 1: Creating, Configuring, Managing, Securing,
and Troubleshooting File, Print, and Web Resources.
4. You are in the process of promoting a Windows 2000
Server computer to a domain controller. The server
has two hard disks. The first hard disk is 20-GB, 15
of which are un-partitioned. The second disk is 30-GB
and contains the boot partition. The second disk also
has 15-GB of un-partitioned space. You want to configure
Active Directory for the highest level of performance.
Which of the following actions should you take to
accomplish your objective? (Choose all that apply)
A. Create a 30-GB striped volume and install Active
Directory on this new volume.
B. Create a 15-GB simple volume on the first disk and 15 GB striped volume
on the second disk. Install Active Directory on the first disk and the
Active Directory log files on the boot partition.
C. Install the Active Directory log files on the second disk.
D. Install the Active Directory log files on the first disk.
E. Create a 30-GB simple volume and install Active Directory on this
new volume.
Answer: A, D
To maximize Active Directory performance on the new
domain controller, you should separate the Active Directory
log files, Active Directory database and the Windows
2000 operating system. To accomplish this, install
the Active Directory log files in a partition of their
own on disk one and then create a 30 GB striped volume
from the un-partitioned space from both disks, and
install Active Directory on this new volume. Striped
volumes offer the best read/write performance of any
volume configuration.
Objective 1: Creating, Configuring, Managing, Securing,
and Troubleshooting File, Print, and Web Resources.
5. You are in the process of configuring your company's
Web site. The Web site is being hosted on a Windows
2000 Server computer running IIS. The IIS computer
is located on the corporate LAN and will be accessed
by company employees as well as users from the Internet.
There will be times when the Web site needs to be re-configured
and during these times you want the site to be accessible
only by company employees. All users on the corporate
LAN use Windows 2000 Professional and Internet Explorer.
Which of the following strategies should you use to
accomplish your objectives using the least amount of
administrative effort?
A. Configure the Web site to use Basic authentication.
B. Configure the Web site to use only anonymous access and Digest authentication.
Change the IIS permissions for the Web site during the Web site's re-configuration
periods.
C. Configure the Web site to use anonymous access and Integrated Windows
authentication. Disable anonymous access during the Web site's reconfiguration
periods.
D. Configure the Web site to use anonymous access. Configure the IIS
permissions for the Web site so that only company employees can access
the Web site during re-configuration periods.
Answer: C
Only option C will give you the results you desire
in this scenario. Configuring the Web site to use anonymous
access will enable users from the Internet to access
the Web site. Anonymous access will also enable users
from the corporate LAN to access the Web site. During
re-configuration periods, Integrated Windows authentication
will enable users from the corporate LAN to access
the Web site.
This is how it works. When a user attempts to access
a Web site under anonymous access, a special user account
is used. If this user account has the necessary NTFS
permissions to access the Web site content, access
will be granted. If the user account does not have
the necessary NTFS permissions, then anonymous access
will be denied and then any viable authentication methods
will be attempted by the user. If the user has appropriate
authentication, then the user will be granted access
under the authentication context of their individual
account rather than under the anonymous access context.
Therefore, during re-configuration periods, you can
simply disable anonymous access so that users from
the Internet are denied access.
Alternatively, you could leave the anonymous access
enabled, and change the NTFS permissions for the special
user account so that it is denied access to the Web
site contents. However, this method would require more
administrative effort than is necessary. NTFS permissions
can be applied to resources or users. You could not
use IIS permissions to accomplish the objectives in
this scenario, because IIS permissions can only be
applied to resources, NOT users.
Digest Authentication is a new type of authentication
that comes with Windows 2000 and Internet Information
Services 5.0. With Digest authentication, a user's
password is encrypted. You could use Digest authentication
in this scenario, but the option that uses Digest authentication
also suggests using IIS permissions to change access
during re-configuration periods. Therefore, option
B is incorrect.
Basic authentication is a type of authentication that
transmits a user's password in plain text. Using Basic
authentication alone is not sufficient to meet the
requirements of this scenario.
NOTE: Integrated Windows authentication can only be
used with Internet Explorer. Integrated Windows authentication
is more secure than Basic authentication, but cannot
be used across some firewalls. However, it will be
sufficient for the requirements of this scenario.
Objective 1: Creating, Configuring, Managing, Securing,
and Troubleshooting File, Print, and Web Resources.