
Exam 70-298 study material Made available by Testkingprep.com

Free 70-298 Exam Preparation Questions
Exam 70-298: Designing Security for a MS Windows Server 2003 Network

For Latest 70-298 Exam Questions and study guides- visit- http://www.testkingprep.com/70-298.html


Case Study #16

Question: 1
For the internally developed Web applications, you are asked to design a security solution. The business requirements must be met in your solution. What action should you perform?
A. From a trusted commercial certification authority (CA), you should buy a root certificate. Then the root certificate should be installed on all developers' computers.
B. From a trusted commercial certification authority (CA), you should buy a code-signing certificate. Then the certificate should be installed on all company client computers.
C. A root certification authority (CA) that is trusted by all company client computers should be installed and configured. Then code-signing certificates should be issued to all developers.
D. A stand-alone root certification authority (CA) that is trusted by all company client computers should be installed and configured. Then encryption certificates should be issued to all developers.
Answer: C

Question: 2
According to the company requirements, you are asked to design a patch management strategy. Your strategy must meet business requirements. What action should you perform?
A. After Software Update Services (SUS) is installed on a domain controller, it should be configured to synchronize and approve updates nightly. Client computers should be configured to receive automatic updates from the domain controller. Make sure that users restart their client computers daily.
B. On a computer on the internal network, Systems Management Server (SMS) should be installed. The Default Domain Policy GPO should be used to distribute the SMS client software to all computers in the domain.
C. On a computer on the internal network, Microsoft Operations Manager (MOM) should be installed. The Default Domain Policy GPO should be used to distribute the MOM client software to all computers in the domain.
D. After Software Update Services (SUS) is installed on a Web server, it should be configured to synchronize and approve updates nightly. Client computers should be configured to receive automatic updates from the Web server. Make sure that users restart their client computers daily.
Answer: C

Question: 3
Potential security threats should be identified. Under the existing IT and security environments, which of the following security breaches might happen? (Choose all the correct answers.)
A. Domain administrator privileges would be accessible to couriers.
B. Couriers' passwords will be discovered and utilized by business office staff to access couriers' information.
C. Domain administrator privileges will be gained by a virus that infects an IT administrator's client computer.
D. All users would gain the ability to install untested security patches on their client computers by utilizing their user accounts.
Answer: C

Question: 4
For the public Web server, you are asked to design a security strategy. Your strategy must address the chief security officer's concerns. What action should you perform?
A. On WEB01, Internet Connection Firewall (ICF) should be installed.
B. On WEB01, a Web server certificate should be installed.
C. On WEB01, the URLScan ISAPI filter should be installed and configured.
D. On WEB01, IIS should be configured to operate in IIS 5.0 isolation mode.
Answer: C

Question: 5
According to the company requirements, you are asked to design a method of communication between the IT and HR departments. Business requirements must be met in your solution. What action should you perform?
A. A custom IPSec policy should be designed to implement Authentication Header (AH) for all IP traffic. The IPSec policy should be designed to use preshared key authentication between the two
departments' computers.
B. A custom IPSec policy should be designed to implement Encapsulating Security Payload (ESP) for all IP traffic. The IPSec policy should be designed to use preshared key authentication between the two departments' computers.
C. A custom IPSec policy should be designed to implement Authentication Header (AH) for all IP traffic. The IPSec policy should be designed to use certificate-based authentication between the two departments' computers.
D. A custom IPSec policy should be designed to implement Encapsulating Security Payload (ESP) for all IP traffic. The IPSec policy should be designed to use certificate-based authentication between the two departments' computers.
Answer: D

Question: 6
For users of portable computers, you are asked to design an authentication strategy. Business requirements must be met in your solution. What action should you perform?
A. On all laptops, computer certificates should be installed, and all laptops should be configured to respond to requests for IPSec encryption.
B. On all laptops, biometric authentication devices should be installed, and the Default Domain Policy GPO should be configured to require complex passwords for all users.
C. The portable computers should be configured to connect only to wireless networks that use Wired Equivalent Privacy (WEP). On all laptops, digital certificates should be installed.
D. Smart cards and smart card readers should be issued to all portable computer users. The domain should be configured to require smart cards for logon and to log off users who remove their smart cards.
Answer: D

Question: 7
For the financial data used by the accounting department, you are asked to design an access control strategy. Business requirements must be met in your solution. What action should you perform?
A. The properties of accounting department computers should be modified to enable the Trust computer for delegation attribute. Accounting department client computers should be configured to communicate with P_FS2 by using IPSec.
B. The properties of all administrator accounts in the forest should be modified to enable the Account is trusted for delegation attribute. Accounting department client computers should be configured to communicate with P_FS2 by using IPSec.
C. The properties of the computer object named P_FS2 should be modified to enable the Trust computer for delegation attribute. Accounting department users should be instructed to encrypt files by using Encrypting File System (EFS).
D. The properties of all accounting department user accounts should be modified to enable the Account is trusted for delegation attribute. Accounting department users should be instructed to encrypt files by using Encrypting File System (EFS).
Answer: C

Question: 8
In order to make sure that only scripts that are approved by the IT department can run on company computers, you are asked to design a method. Business requirements must be met in your solution. What action should you perform?
A. Windows Script Host should be configured not to execute Windows Script Component file types.
B. Windows Script Host should be configured to execute only scripts that are signed by a certificate issued by an approved certification authority (CA).
C. In the Default Domain Policy GPO, a new software restriction policy should be created. This policy disables the use of Wscript.exe and Cscript.exe.
D. In the Default Domain Policy GPO, a new software restriction policy should be created. This policy removes the Microsoft Visual Basic Scripting Edition and the Windows Script Component file types from the File Types list.
Answer: B

Case Study #17

Background

Overview
DailyUp Traders manufactures security systems. The company provides its manufactured products to retail outlets, government agencies, and the public. The components for DailyUp Traders products are supplied by a manufacturer called Wiikigo, Ltd.

Physical Locations
The company has a head office and two branch offices. The head office is in Virginia, and the two branch offices are in Plymouth and Portland respectively. Wiikigo, Ltd. is in Edinburgh. In addition, DailyUp Traders outsources some contract work to a group of offsite consultants.

Planned Changes
DailyUp Traders is going to make the following changes. On a Windows Server 2003 domain controller in the Seattle office, the company intends to install Internet Authentication Service (IAS). In addition, the company has decided to create an organizational unit (OU) called Portland in the dailyuptraders.com domain. The company will also create three child OUs in the Portland OU, named Research, Wireless Clients, and PortlandIT. Finally, the company will expand product sales to the Internet.

Business Processes
The managers in the Virginia office make all administrative information technology (IT) decisions. Smaller IT staffs in each branch office perform specific administrative tasks. Customers place orders by fax, e-mail message, and phone call, and those orders are placed with sales users in Virginia or Plymouth. The content on the company's external Web site and intranet Web site is updated by the consultants and an internal Web developer. A public key infrastructure is not deployed on the consultants' network.

Active Directory
There are two Active Directory domains on the DailyUp Traders network, named dailyuptraders.com and plymouth.dailyuptraders.com. The dailyuptraders.com domain is in the Virginia office and the plymouth.dailyuptraders.com domain is in the Plymouth office. The dailyuptraders.com domain is the child domain of the plymouth.dailyuptraders.com domain. All domain controllers run Windows Server 2003. The OU structure for the network is shown in the following DailyUp Traders OU Structure exhibit. The groups contained in the two domains are shown in the table listed below. Shared company folders named Research, Sales, Documentation, and Customer Information are on the member servers in Virginia. The Customer Information shared folder contains the folders Order History, Payment, and Contact Info.

Certificate and PKI Information
The DailyUp Traders network contains an enterprise root certification authority (CA). The CA is configured to issue certificates to users and computers on the DailyUp Traders internal network. The company configures user and computer certificate autoenrollment in the dailyuptraders.com domain, and computer certificate autoenrollment in the plymouth.dailyuptraders.com domain. The company issues user certificates only to company employees. Wiikigo, Ltd. has a single Active Directory domain named Wiikigo.com and an Active Directory-integrated PKI. The Wiikigo, Ltd. network includes an enterprise root CA and an enterprise subordinate CA, which are configured to issue certificates to users on the Wiikigo, Ltd. internal network.

Network Infrastructure
The existing network infrastructure is shown in the following exhibit.

IP Address Information
The IP address range of Virginia is 10.10.0.0/16. The IP address range of Plymouth is
10.20.0.0/16. The IP address range of Portland is 10.30.0.0/16. The company has configured a dial-up connection on a server called RRAS1, and has configured it with VPN ports and Network Address Translation (NAT). All client computers run Windows XP Professional with at least the minimum service pack. The wireless client computers in Portland have IEEE 802.11g wireless adapters. Smart card readers are deployed on the client computers in the Corporate Portables OU. Client computers in the Portland office utilize only Microsoft Outlook Web Access (OWA) in the perimeter network for e-mail.

Problem Statements
The following business problems should be taken into consideration. First, unauthorized users can utilize the client computers. Second, the transmission of the Web content that is utilized to update company Web sites is not secure. Third, the existing dial-up method for remote client connections has a poor price-to-performance ratio, and the data it transmits is not protected. Finally, the CA that issues certificates in the Virginia office has limited capacity.

Chief Information Officer
A much more secure network is needed in our company. Sufficient funds are available; however, the minimum amount of funds should be utilized in the security improvements. Our business partners and some government agencies are permitted to access part of our internal data. As a result, the protection of our internal resources is important. In addition, we must ensure that users of our external Web site cannot make configuration changes to their computers.

Chief Security Officer
Our internal PKI should be expanded to include Wiikigo, Ltd. and our branch offices. A remote access solution should be designed to support data encryption and permit remote client computers access to research documentation on our products. A single piece of information should not be relied on for remote access client credentials. We will accept only remote access connections to the internal network from computers that are configured to our specification.

IT Department Manager
The security patches should be deployed efficiently. At present, client computers and servers in the Virginia office are updated by utilizing Software Update Services (SUS). All client computers in both domains are enabled to update themselves automatically. I should be able to review which security patches from a SUS server have been applied to client computers. The IT department in the Virginia office will test and then approve all security patches. At present, the consultants utilize FTP to send us content that will be utilized to update the content on our Web sites. The data that is delivered by the consultants should be encrypted. A single method of authentication should be offered for all Web site users, and the existing authentication does not support a single logon. No creation of additional domains or changes to our current domain structure will be allowed. Our PKI should be expanded to include CAs in each physical location. CAs in Plymouth should issue certificates to users and computers based on domain name. Authentication for both remote access and wireless connections should be centralized, because the company has too many Routing and Remote Access servers. All dial-up access to the network will be eliminated, because it is too expensive.

End User (Finance Department)
The e-mail messages that we send to Wiikigo, Ltd. and to our contacts and vendors should be encrypted. Unauthorized users are able to utilize the computers in our department. The minimum amount of bandwidth should be utilized for administrative tasks. The IT staff in the Virginia office should be able to perform all administrative tasks in the plymouth.dailyuptraders.com domain. The company wants an automated and persistent connection between Plymouth and Virginia, with the data and credentials encrypted. Unnecessary services should never be run by file servers. Mobile company users should utilize a certificate-based authentication method. Internal company Web sites and some internal data should be available to government agencies and vendors. The external Web site should be available to customers. A method must be designed to protect the information that customers utilize to place orders and view order status. The company wants this connection encrypted.

Security
The following requirements should be taken into consideration. Government agencies and vendors should utilize 128-bit encrypted connections to the internal Web server so that they can view
data in the Research folder. All members of the Sales group must be able to access the Customer Information folder. Only the members of the Sales, Sales Managers, and Boston Sales groups are allowed to access the Customer Information\Order History and the Customer Information\Contact Info folders. Only the Sales Managers group is allowed to access the Customer Information\Payment folder, and the company wants the contents of the Customer Information\Payment folder encrypted. All users in the finance group must encrypt their documents both locally and in their network home folders. Documents can be encrypted when the users are working offline or on portable computers. The Microsoft Internet Security and Acceleration Server (ISA) computer firewall in Portland must minimize security risks to the branch office's internal network. The relevant portion of the company's written security policy includes the following requirements. First, all remote access clients must comply with company security policies. Second, all remote access connections must utilize L2TP and 3DES encryption. Third, all existing and future wireless connections must encrypt data and utilize password authentication. Fourth, the company will authenticate wireless clients before allowing them to access the network. Fifth, finance users must utilize two-factor authentication to log on to the network. Sixth, the company wants users' credentials and data encrypted when customers access the external Web site.

Case Study #17 (Questions)

Question: 1
According to the company requirements, an access control strategy should be designed for the Contact Info and the Order History folders. Which action will you take?
A. First, a domain local group named Customer Relations should be created in the Plymouth.dailyuptraders.com domain. Second, the Customer Relations group should be added to the Customer Information folder. Third, the appropriate permissions should be assigned. Fourth, the Plymouth Customer Relations group should be added to the Customer Relations group. Fifth, permission inheritance should be disabled on the Payment folder.
B. First, a domain local group named Customer Relations should be created in the Plymouth.dailyuptraders.com domain. Second, the Customer Relations group should be added to the Customer Information folder. Third, the appropriate permissions should be assigned. Fourth, the Plymouth Customer Relations group should be added to the Customer Relations group. Fifth, permission inheritance should be disabled on the Contact Info folder.
C. First, a domain local group named Customer Relations should be created in the dailyuptraders.com domain. Second, the Sales group and the Sales Managers group should be added to the Customer Relations group. Third, the Customer Relations group should be added to the Customer Information folder. Fourth, the appropriate permissions should be assigned. Fifth, the accounts for the sales department users in Plymouth should be added to the Plymouth Customer Relations group. Sixth, the Plymouth Customer Relations group should be added to the Customer Relations group. Seventh, permission inheritance should be disabled on the Payment folder.
D. First, a domain local group named Customer Relations should be created in the Plymouth.dailyuptraders.com domain. Second, the Customer Relations group should be added to the Order History folder. Third, the appropriate permissions should be assigned. Fourth, the Plymouth Customer Relations group should be added to the Customer Relations group. Fifth, permission inheritance should be disabled on the Payment folder.
Answer: C

Question: 2
According to the company requirements, ISA3 in Portland should be configured to enable communication with the network in Virginia. What should you do?
A. An L2TP/IPSec tunnel should be created from ISA3 to the Virginia network.
B. A PPTP tunnel should be created from ISA3 to the Virginia network.
C. The ports should be opened for DNS, HTTP, HTTPS, Kerberos, RADIUS, LDAP, RPC endpoint mapper and client, and Server Message Block (SMB) over IP.
D. The Routing and Remote Access Basic Firewall should be enabled. Then the ports should be opened for DNS, Kerberos, LDAP, Exchange RPCs, RADIUS, L2TP, and Internet Key Exchange
(IKE).
Answer: A

Question: 3
According to the company requirements, security changes should be designed to provide maximum protection for customer data and courier assignments. Which action will you take?
A. A separate domain should be created for courier authentication.
B. The Default Domain Policy Group Policy object (GPO) should be changed so that couriers must utilize complex user account passwords. Then all couriers should be required to change their passwords the next time they log on to the Web application.
C. Encrypting File System (EFS) should be utilized to encrypt all files that contain customer data.
D. Smart card authentication should be implemented for business office users and couriers, and client operating systems should be upgraded as needed. Then the Web kiosks should be modified to require smart card presence for continued access.
Answer: D

Question: 4
According to the company requirements, an access control strategy should be designed for the Payment folder for the Sales Managers group. Which action will you take?
A. Encrypting File System (EFS) remote encryption should be utilized.
B. IPSec in transport mode should be utilized.
C. Encrypting File System (EFS) over Web Distributed Authoring and Versioning (WebDAV) should be utilized.
D. PEAP-EAP-TLS should be utilized.
Answer: A

Question: 5
According to the company requirements, a PKI should be designed for the DailyUp Traders internal network. Which action will you take?
A. A stand-alone commercial issuing CA should be added to only the dailyuptraders.com domain. Then cross-certification should be configured between the commercial CA and the Plymouth.dailyuptraders.com domain.
B. Enterprise subordinate issuing CAs should be added to the Virginia, Plymouth, and Portland LANs. Then qualified subordination should be configured for each enterprise subordinate issuing CA.
C. An enterprise root CA should be added to the dailyuptraders.com domain. Then cross-certification should be configured between the dailyuptraders.com domain and the Plymouth.dailyuptraders.com domain.
D. An enterprise subordinate issuing CA should be added to the dailyuptraders.com domain. Then qualified subordination should be configured for the enterprise subordinate issuing CA in Plymouth.
Answer: B

Question: 6
According to the company requirements, security for the client computers in the finance department should be increased. What will you do to achieve the goal? (Choose more than one.)
A. Encrypting File System (EFS) for offline files should be enabled.
B. A screen saver password should be enabled.
C. Automatic certificate enrollment should be enabled.
D. Smart card logons should be enabled.
Answer: A, D

Question: 7
According to the company requirements, a security strategy should be designed for the Web folders and files created by the consultants and the internal Web developers. Which two actions will you perform? (Choose more than one.)
A. The internal Web developers should be required to utilize Telnet with Kerberos authentication, and the consultants should be required to utilize L2TP with IPSec.
B. The internal Web developers should be required to utilize Encrypting File System (EFS) over Web Distributed Authoring and Versioning (WebDAV), and the consultants should be required to
utilize Microsoft .NET Passport authentication with Security Level 0.
C. The internal Web developers should be required to utilize Web Distributed Authoring and Versioning (WebDAV) over SSL, and the consultants should be required to utilize L2TP with IPSec.
D. The internal Web developers should be required to utilize Web Distributed Authoring and Versioning (WebDAV) over SSL, and the consultants should be required to utilize WebDAV over SSL.
E. The internal Web developers should be required to utilize L2TP with IPSec, and the consultants should be required to utilize Encrypting File System (EFS) over Web Distributed Authoring and Versioning (WebDAV).
Answer: C, D

Question: 8
According to the company requirements, a patch management strategy should be designed for DailyUp Traders. Which action will you perform?
A. The Default Domain Policy Group Policy object (GPO) for the dailyuptraders.com domain should be set to configure client computers to download updates from the SUS server in Virginia. Then the Default Domain Policy GPO for the Plymouth.dailyuptraders.com domain should be set to configure client computers to download updates from the SUS server in Virginia.
B. A SUS server should be installed and configured in each branch office. Then the SUS servers should be configured to download updates from the Virginia SUS server. Finally, Microsoft Baseline Security Analyzer (MBSA) should be configured to scan for updates on computers in the Virginia office.
C. Group Policy should be utilized to configure client computers to download updates from a Windows Update server on the Internet. Then the Default Domain Policy Group Policy object (GPO) should be configured with a startup script that runs Mbsacli.exe. Finally, it should be configured to scan the computers in both of the branch offices.
D. A SUS server should be installed and configured in the Plymouth branch office. Then the server should be configured to download updates from a Windows Update server on the Internet. Finally, Microsoft Baseline Security Analyzer (MBSA) should be configured to scan for updates on computers in the Virginia office.
Answer: B

Case Study #18

Background

Overview
Brothers Video shop is a home video retailer that sells all kinds of movies and TV plays. Brothers Video shop has acquired a company named Wiikigo, whose business is providing shipping services.

Physical Locations
Wiikigo resides in Tulsa. The head office of Brothers Video shop is located in Orlando, and the company has six retail stores in America.

Planned Changes
The Network Diagram exhibit below shows the proposed network infrastructure for the company. The company will place a VPN server named VPN2 in the perimeter network. Mobile users will connect to the company network by utilizing VPN2.
Windows XP Professional
For the purpose of development and testing, the company will install a Web server named WEB02 on the company's internal network.

Business Processes
There are six departments in Brothers Video shop: IT, HR, Marketing, Accounting, Administration, and Customer Service. When buying videos from the company's Web site, Internet users must register with Brothers Video shop. These users are then classified as Web customers, and their logon information is sent to them in an e-mail message. Web customers connect to a virtual directory named Members. After they are authenticated, Web customers can view available commodities and use a Web application to place orders. This Web application is running on a Web
server named Web01. After an order is placed, the request is submitted to Wiikigo for packaging and shipping. There is a shared folder named Action on a server named Data01. A record of all customer activity is stored in Action. The share permissions for the TRANS folder are set to assign the Allow - Full Control permission to the Authenticated Users group.

Active Directory
There is a single Active Directory domain in the company network. All servers run Windows Server 2003. All client computers run either Windows NT Workstation 4.0 or Windows 98. All computers have the most recent service packs installed. The OU Diagram exhibit below shows the relevant portion of the organizational unit (OU) structure. The computer accounts for the desktop computers are contained in the Desktop Computers OU. The computer accounts for the laptops are contained in the Laptop OU. The Legacy OU contains all user and computer accounts for the HR department.

Network Infrastructure
The Orlando office has a wireless LAN. There are two Microsoft Internet Security and Acceleration (ISA) Server 2000 computers in the company network, named ISA01 and ISA02. A server named WEB1 runs IIS 6.0 and hosts a public Web site. A VPN tunnel has been built between Brothers Video shop and Wiikigo, and users at Wiikigo can use this VPN tunnel to access Web01. The HR department uses a custom application that can run only on Windows NT Workstation 4.0. There is a file server named SRV01. The customer service department stores personnel information on SRV01. SRV01 is also configured as an offline stand-alone root certification authority (CA).

Problem Statements
The company must consider the following two business problems:
1 Once the planned upgrades are complete, HR department users will no longer be able to change their passwords when logging on to their client computers.
2 At present, no user has a user certificate, and administrators do not have time to provide help for all users.

Chief Information Officer
Since our Internet connection has been overused during the past few months, we must take measures not to place extra strain on this connection. I know that there are various buffer overflow attacks against Web servers. I want to be able to have the user request redirected to an HTML document that stipulates the legal consequences. Since the existing patch management solution consumes excessive time and resources, we have to optimize it. In addition, we should have the ability to find out which security patches are installed on company computers.

Chief Security Officer
I can find enough reason for us to have the company's security management policies and practices redesigned. I am worried that our network is easy to attack because of the existing wireless configuration. In addition, I care about the security of the servers that users from Wiikigo can access. I intend to have companywide user certificates implemented as the first phase of the new authentication strategy. Besides this, I want to use Group Policy objects (GPOs) to manage our wireless network. On the company network, several computers do not respond because some users downloaded and installed unauthorized software from the Internet. As a few mobile users will connect to the company network, we must guarantee that these connections are as secure as possible.

Written Security Policy
The written security policy of Brothers Video shop contains the following requirements:
1 All software must be approved for company use.
2 MS-CHAP v2 authentication must be supported by VPN2.
3 Strong authentication is needed for the wireless network.
4 Only users in the customer service department must be able to connect to the wireless network.
5 Only members of the customer service department who have laptops are permitted to encrypt data.
6 The customer service department must have its own data recovery agent.
7 For users in the accounting department, two-factor authentication must be implemented.
8 Information stored in the TRANS folder must be encrypted, and only IT department staff are allowed to access it.
9 All traffic to the Member virtual directory on WEB1 must be encrypted.
10 Web customers must be able to validate the identity of WEB1.
11 All attempts to log on to Windows Server 2003 and Windows XP Professional computers with local user accounts must be tracked.
12 The registry on WEB2 must be modifiable only by IT administrators.