Configuring Windows 7 (Training Kit) - Part 85 doc


Chapter 8: Lesson Review Answers

B. Correct: You should assign the Modify permission because this allows users to add, modify, and delete files located in the accounting shared folder.
C. Incorrect: You should not assign the Full Control permission because then users have the ability to modify shared folder permissions.
D. Incorrect: You cannot assign the Owner permission to groups. When you use basic sharing, Windows automatically assigns this permission to the user who shares the folder.

5. Correct Answer: D
A. Incorrect: Enabling this option does not ensure that shared resources are visible to other computers in the HomeGroup. This option allows HomeGroup readers to read and write files in the public folder.
B. Incorrect: Enabling this option does not ensure that shared resources are visible to other computers in the HomeGroup. This option controls the encryption level of file sharing connections.
C. Incorrect: Password Protected Sharing restricts access to shared resources hosted on the client. Only users with local accounts on the client are able to access shared resources when Password Protected Sharing is enabled. Enabling this option does not ensure that shared resources are visible to other computers in the HomeGroup.
D. Correct: Network Discovery allows the client to find other computers on the network. It also allows other computers on the network to view resources shared by the client.

Lesson 2

1. Correct Answer: B
A. Incorrect: Jeff needs an EFS certificate for you to be able to encrypt a file that he can access. Changing a password does not generate an EFS certificate.
B. Correct: If Jeff encrypts a file on the computer, it generates an EFS certificate. You can then use this EFS certificate to encrypt the file to his account.
C. Incorrect: Jeff does not need write access to the file for you to be able to use EFS to encrypt the file to his account. Jeff needs an encryption certificate, which can be generated by having Jeff encrypt a file on the computer.
D. Incorrect: Letting Jeff take ownership of the files does not allow you to use EFS to encrypt the file to his account. Jeff needs an encryption certificate, which can be generated by having Jeff encrypt a file on the computer.

2. Correct Answers: A and B
A. Correct: When you apply the Read & Execute (Deny) permission, Windows also automatically applies the List Folder Contents (Deny) and Read (Deny) permissions.
B. Correct: When you apply the Read & Execute (Deny) permission, Windows also automatically applies the List Folder Contents (Deny) and Read (Deny) permissions.
C. Incorrect: Windows does not apply the Modify (Deny) permission when you apply the Read & Execute (Deny) permission.
D. Incorrect: Windows does not apply the Write (Deny) permission when you apply the Read & Execute (Deny) permission.

3. Correct Answer: D
A. Incorrect: Robocopy can be used to copy files and their associated NTFS permissions but cannot be used to calculate permissions.
B. Incorrect: Icacls can be used to display permissions but cannot be used to calculate the result of cumulative permissions.
C. Incorrect: Cipher is used to manage certificates and cannot be used to calculate the result of cumulative permissions.
D. Correct: The Effective Permissions tool can be used to calculate the result of cumulative permissions that accrue through multiple group memberships.

4. Correct Answers: A and D
A. Correct: Encrypted files remain encrypted when copied or moved to compressed folders.
B. Incorrect: Encrypted files remain encrypted when copied or moved to compressed folders. Only unencrypted files become compressed when moved to compressed folders.
C. Incorrect: Files retain their original NTFS permissions only when they are moved between folders on the same volume. If you move them between volumes, they inherit the permissions of the destination folder. You can use Robocopy to move files and retain their NTFS permissions, but Robocopy was not mentioned in the question text.
D. Correct: Files that are moved using Windows Explorer inherit the NTFS permissions assigned to their destination folder.

5. Correct Answer: B
A. Incorrect: EFS can be used to limit which users can access a document by encrypting it only to certain user accounts, but it cannot be used to track which user accounts have been used to access files.
B. Correct: Auditing allows you to track which user accounts are used to access files and folders. You can configure auditing to track successful and failed attempts to use any of the special permissions.
C. Incorrect: You cannot use NTFS permissions to record which user accounts are used to access documents; you can only use NTFS permissions to restrict which user accounts are used to access documents.
D. Incorrect: BranchCache is used to speed up access to files across the wide area network (WAN); it cannot be used to record which user accounts access documents in a sensitive folder.

Lesson 3

1. Correct Answers: A and B
A. Correct: If you are going to use hosted cache mode, it is necessary to deploy at least one server running Windows Server 2008 R2 with the BranchCache feature enabled in each branch office.
B. Correct: Windows 7 Enterprise and Ultimate editions support BranchCache. You must upgrade clients to one of these operating systems if they are going to utilize BranchCache.
C. Incorrect: Windows 7 Professional does not support the BranchCache feature.
D. Incorrect: A Windows Server 2008 RODC is not necessary to support BranchCache.

2. Correct Answers: B and D
A. Incorrect: You can use Net share to manage shared folders on a client running Windows 7, but you cannot use it to enable and configure BranchCache. You can use it to enable BranchCache on a computer that hosts a shared folder, but BranchCache needs to be enabled and configured before you can do this.
B. Correct: You can use Netsh in the BranchCache context and the Local Group Policy Editor to configure BranchCache on a client running Windows 7.
C. Incorrect: Ipconfig provides IP address configuration information. You cannot use Ipconfig to configure BranchCache on a client running Windows 7.
D. Correct: You can use Netsh in the BranchCache context and the Local Group Policy Editor to configure BranchCache on a client running Windows 7.

3. Correct Answer: C
A. Incorrect: If you use the command netsh branchcache set service disabled, the content accessed over the WAN link is not cached locally.
B. Incorrect: If you use the command netsh branchcache set service mode=distributed, it is possible that the content will be shared with the other computer running Windows 7 Ultimate, although in a properly configured environment, file and folder permissions would restrict access.
C. Correct: You should use the command netsh branchcache set service mode=local, because this allows the computer running Windows 7 Ultimate to satisfy requests from its local cache without allowing that cache to be accessible to other computers on the network.
D. Incorrect: You should not use the command netsh branchcache set service mode=hostedclient location=fs-alpha.contoso.internal. You can use the hostedclient mode only if there is a server running Windows Server 2008 R2 that has BranchCache enabled on your LAN.

4. Correct Answer: D
A. Incorrect: The command netsh branchcache set service mode=distributed configures Distributed Cache mode rather than Hosted Cache mode. The question specifies that the clients use Hosted Cache mode.
B. Incorrect: The command netsh branchcache set service mode=local sets the client to use local caching only. The question specifies that the clients use Hosted Cache mode.
C. Incorrect: The command netsh branchcache set service mode=hostedserver clientauthentication=domain is used to configure the host server and cannot be used to configure a Hosted Cache mode client.
D. Correct: To configure a BranchCache client to use a particular server in Hosted Cache mode, issue the command netsh branchcache set service mode=hostedclient location=servername. You must specify the name of the local server running Windows Server 2008 R2 that functions as the BranchCache host when configuring Hosted Cache mode.

5. Correct Answer: A
A. Correct: The Configure BranchCache For Network Files policy allows you to set the latency value above which network files are cached by client computers in the branch office.
B. Incorrect: The Set Percentage Of Disk Space Used For Client Computer Cache policy configures the cache size; it cannot be used to configure latency settings.
C. Incorrect: Configuring the Set BranchCache Distributed Cache Mode policy sets the client to use Distributed Cache Mode. You cannot configure latency settings using this policy.
D. Incorrect: Configuring the Set BranchCache Hosted Cache Mode policy sets the client to use Hosted Cache Mode. You cannot configure latency settings using this policy.

Chapter 8: Case Scenario Answers

Case Scenario 1: Permissions and Encryption

1. You need to export the user’s private key from computer Waverley and import it to computer Warrandyte.
2. Create a recovery agent certificate using Cipher.exe. Use the Local Group Policy Editor to assign this certificate as a recovery agent.
3. You can use Robocopy.exe or Icacls.exe to move the files from one volume to another while retaining their existing permissions. If you just move the files, the permissions will be lost.

Case Scenario 2: Configuring Contoso Branch Offices

1. You should use Distributed Caching mode in the Wangaratta branch office because you are unable to deploy a server running Windows Server 2008 R2 to this location and Windows Server 2008 does not support BranchCache.
2. You should configure the Hosted Cache mode at the Traralgon office because this ensures that a maximum number of files are available in the centralized cache. Hosted Cache allows the cache to remain online, unlike Distributed Cache, which requires that all clients remain online. A server running Windows Server 2008 R2 is present at the Traralgon branch office to support Hosted Cache mode.
3. Install the BranchCache feature on the server and configure shared folders to support BranchCache. Run the command set service mode=hostedserver clientauthentication=domain on the server.

Chapter 9: Lesson Review Answers

Lesson 1

1. Correct Answer: B
A. Incorrect: You should not configure the policy UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Elevate Without Prompting. This policy relates to all administrator accounts except the built-in administrator account, which must be managed with other policies.
B. Correct: You should configure the UAC: Admin Approval Mode For The Built-In Administrator Account policy to Enabled. This ensures that the built-in administrator account must respond to a UAC prompt when performing a task that requires elevated privileges.
C. Incorrect: You should not configure the UAC: Admin Approval Mode For The Built-In Administrator account policy to Disabled. This policy setting disables the UAC prompt for the built-in administrator account.
D. Incorrect: You should not configure the policy UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Consent For Non-Windows Binaries. This policy relates to all administrator accounts except the built-in administrator account, which must be managed with other policies.

2. Correct Answer: B
A. Incorrect: You should not configure the User Account Control: Behavior Of The Elevation Prompt For Standard Users: Automatically Deny Elevation Requests policy. When this policy is configured, standard users receive no prompt when they perform a task that requires elevation, and the elevation attempt automatically fails.
B. Correct: You should configure the User Account Control: Behavior Of The Elevation Prompt For Standard Users: Prompt For Credentials policy. This ensures that a standard user is prompted for credentials when an attempt is made at elevation.
C. Incorrect: You should not configure the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Credentials because this policy relates to approval for administrator accounts rather than standard user accounts.
D. Incorrect: You should not configure the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Consent because this policy relates to approval for administrator accounts rather than standard user accounts. This policy also provides a prompt for consent rather than a prompt for credentials.

3. Correct Answers: A and D
A. Correct: You can use the Local Group Policy Editor console to import and export security-related policies. You could export the policies from the reference computer and then import them on each of the 30 client computers in the lab.
B. Incorrect: You cannot use the Computer Management console to import or export UAC policies.
C. Incorrect: You cannot use the User Account Control settings control panel item to import and export UAC policies.
D. Correct: You can use the Local Security Policy console to import and export security-related policies. You could export the policies from the reference computer and then import them on each of the 30 client computers in the lab.

4. Correct Answer: D
A. Incorrect: The UAC: Only Elevate UIAccess Applications That Are Installed In Secure Locations policy does not deal with the writing of data to protected locations. This policy deals with a special class of applications that interact with the operating system in an unusual way and restricts their execution based on location within the file system.
B. Incorrect: The UAC: Only Elevate Executables That Are Signed And Validated policy does not deal with the writing of data to protected locations. It is used to restrict privilege elevation requests to applications that are digitally signed.
C. Incorrect: The UAC: Behavior Of The Elevation Prompt For Standard Users policy does not deal with the writing of data to protected locations; instead, it is used to configure Windows to provide UAC prompts for standard users.
D. Correct: The UAC: Virtualize File And Registry Write Failures To Per-User Locations policy determines whether application writes to protected locations are redirected elsewhere. Disabling this policy ensures that an application that attempts to write data to a protected location fails.

5. Correct Answer: C
A. Incorrect: You should not configure the UAC: Admin Approval Mode For The Built-In Administrator account. This policy relates to how UAC works for the built-in administrator account. To accomplish your goal, you need to disable the switch to Secure Desktop policy.
B. Incorrect: You should not configure the UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy. This policy is already properly configured. To accomplish your goal, you need to disable the switch to Secure Desktop policy.
C. Correct: You need to disable the UAC: Switch To The Secure Desktop When Prompting For Elevation. If this policy is enabled, UAC prompts always appear on the Secure Desktop. If this policy is disabled, whether a UAC prompt appears on the Secure Desktop depends on the setting in the UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode policy.
D. Incorrect: You should not configure the UAC: Behavior Of The Elevation Prompt For Standard Users policy. This policy relates to standard users and does nothing to disable Secure Desktop for administrators. To accomplish your goal, you need to disable the switch to Secure Desktop policy.

Lesson 2

1. Correct Answer: B
A. Incorrect: You cannot remove saved Runas credentials using the Runas command. You must use the Credential Manager.
B. Correct: You can use the Credential Manager to remove credentials saved using the Runas command.
C. Incorrect: You cannot use the Certificates console to remove credentials saved using the Runas command. The Certificates console is used to manage certificates.
D. Incorrect: You cannot use UAC settings to remove credentials saved using the Runas command. The User Account Control settings dialog box is used to change which situations trigger UAC prompts.

2. Correct Answers: C and D
A. Incorrect: You should not configure the Interactive Logon: Smart Card Removal Behavior Properties: No Action policy because this allows users to remove their smart cards but still remain logged on.
B. Incorrect: You should not configure the Interactive Logon: Smart Card Removal Behavior Properties: Lock Workstation because this locks the workstation rather than forcibly logging off the user that removed the smart card.
C. Correct: You should configure the Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff policy setting because you want users logged off when they remove their smart cards.
D. Correct: You should configure the Interactive Logon: Require Smart Card: Enabled policy because this requires users to log on using a smart card.

3. Correct Answer: B
A. Incorrect: The question does not state that the account has been locked; it says that the user has forgotten her password. Unlocking an account works only if a user knows her password. It does not reset her password.
B. Correct: You need to reset her password. The user loses access to encrypted files if she has not backed up her EFS key. The user also loses access to any saved credentials stored in Windows Vault.
C. Incorrect: You can create a password reset disk for an account only if you know the account password. You cannot create a password reset disk for another user account or for one where the user has forgotten her password.
D. Incorrect: You should not create a password reset disk for your own account because this does not help resolve the user’s problem.

4. Correct Answer: D
A. Incorrect: The Enforce Password History policy ensures that a user is unable to use a recently used password when changing his password. It does not ensure that a user must change his password after a certain amount of time.
B. Incorrect: The Minimum Password Length policy ensures that a user’s password meets a minimum length requirement. It does not ensure that a user must change his password after a certain amount of time.
C. Incorrect: The Minimum Password Age policy stops a user changing his password for a minimum amount of time after the most recent password change. It does not ensure that a user changes his password after a certain amount of time.
D. Correct: The Maximum Password Age policy ensures that a user must change his password after a certain amount of time has expired. In this case, you would set the policy to 21 days.

5. Correct Answers: B, C, and D
A. Incorrect: Credential Manager can back up Web site credentials, user names and passwords, and some forms of digital certificates, but it cannot back up self-signed EFS certificates generated by Windows 7 when you first encrypt a file.
B. Correct: You can use the Manage File Encryption Certificates tool to back up EFS certificates to a password-protected PFX file.
C. Correct: You can use the Certificate Manager console to export an EFS certificate to a password-protected PFX file.
D. Correct: Cipher.exe is a command-line tool that you can use to back up an EFS certificate to a password-protected PFX file.

Chapter 9: Case Scenario Answers

Case Scenario 1: User Account Control at Coho Vineyard

1. You need to configure the UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy and set it to Prompt For Credentials. You also need to set the UAC: Switch To The Secure Desktop When Prompting For Elevation policy to Disabled. This ensures that administrators are prompted for credentials but do not have to respond immediately to the prompt.
2. You need to configure the UAC: Behavior Of The Elevation Prompt For Standard Users policy to ensure that standard users are prompted for credentials when they perform an act that requires elevation. You also need to configure the UAC: Allow UIAccess Applications To Prompt For Elevation Without Using Secure Desktop policy. Doing this allows remote user interaction with the UAC prompt when connected through UIAccess applications.
3. You need to configure the UAC: Only Elevate Executables That Are Signed And Validated policy. You can use this policy because all applications that might require elevation at Coho Vineyard have digital signatures.

Case Scenario 2: Resolving Password Problems at Wingtip Toys

1. Ensure that users back up their EFS key. This can be done using Cipher.exe, the Manage File Encryption Certificates tool, or through Certmgr.msc. The users should use Credential Manager to back up their stored Web site passwords.
2. Get each user to create his or her own password reset disk.
3. Configure the Maximum Password Age policy and configure the Enforce Password History policy.

Chapter 10: Lesson Review Answers

Lesson 1

1. Correct Answer: D
A. Incorrect: Teredo is appropriate when a client has a private IPv4 address and when no firewall blocks traffic on UDP port 3544. Because this port is blocked, the client uses IP-HTTPS.
B. Incorrect: To use 6to4, the client must have a public IPv4 address. The question states that the client has been assigned a private IPv4 address.
C. Incorrect: To use a globally routable IPv6 address, the client must be assigned a globally routable IPv6 address.
D. Correct: IP-HTTPS is used when the DirectAccess client is assigned a private IPv4 address on a network that allows Internet access but that has a firewall that restricts most forms of network traffic.

2. Correct Answers: A and B
A. Correct: Only Windows 7 Ultimate and Enterprise editions support the DirectAccess feature.
B. Correct: Only domain-joined clients running Windows 7 are able to use DirectAccess.
C. Incorrect: AppLocker policies control which applications can execute on a client running Windows 7. AppLocker policies do not relate to DirectAccess.
D. Incorrect: BranchCache policies allow clients in branch offices to cache WAN content locally. BranchCache policies do not relate to DirectAccess.

3. Correct Answer: A
A. Correct: The DirectAccess server needs to have two network adapters and needs to be assigned two consecutive public IPv4 addresses.
B. Incorrect: The DirectAccess server needs to have two network adapters. One network adapter must be assigned to the internal network, and the other must be accessible to the Internet.
C. Incorrect: The DirectAccess server needs to be assigned two consecutive public IPv4 addresses.
D. Incorrect: The DirectAccess server needs to have two network adapters. One network adapter must be assigned to the internal network and the other must be accessible to the Internet.

4. Correct Answer: A
A. Correct: DirectAccess configures special GPOs that contain the DirectAccess configuration settings. These GPOs are applied to specific security groups that contain computer accounts. A computer must be a member of these specific security groups for it to be configured to use DirectAccess.
B. Incorrect: DirectAccess configuration occurs through the application of Group Policy based on computer account domain group membership. It does not rely on local group membership.
C. Incorrect: The computer account must be a member of the domain security group, not the user account.
D. Incorrect: The computer account must be a member of the domain security group, not a user account that is a member of a local group.

5. Correct Answer: D
A. Incorrect: The ipconfig command displays IP address configuration. It does not display information about DirectAccess IP-HTTPS server configuration.
B. Incorrect: The netsh interface 6to4 show relay command displays 6to4 information. 6to4 can be used when a computer is assigned a public address, rather than a private one, and is not behind a NAT device.
C. Incorrect: The netsh interface ipv6 show teredo command displays Teredo information. Teredo cannot be used if a hotel network firewall blocks all traffic except that on port 80 and 443.
D. Correct: The netsh interface httpstunnel show interfaces command shows information related to the DirectAccess IP-HTTPS configuration.

Date posted: 02/07/2014, 10:20
