070-290 Actualtests.com - The Power of Knowing

The Beijing office contains some servers that are registered in the Certkiller.com zone and others that are registered in the publishing.Certkiller.com zone. All computers in the Beijing office are configured to use the local DNS server as their preferred DNS server. The two offices are connected only by a VPN through the Internet. Various network problems occasionally result in loss of connectivity between the two offices. Firewalls prevent the DNS servers in both offices from receiving queries from the Internet. You need to configure the DNS server in the Beijing office to allow successful resolution of all queries from the Beijing office for names in the publishing.Certkiller.com namespace, even when the VPN link between the Beijing and Cairo offices fails. What should you configure on the DNS server in the Beijing office?

A. In the Certkiller.com zone, create a delegated subdomain named publishing. Specify the DNS server in the Cairo office as a name server.
B. Create a secondary zone named publishing.Certkiller.com. Specify the DNS server in the Cairo office as a master server.
C. Configure conditional forwarding for the publishing.Certkiller.com namespace. Specify the DNS server in the Cairo office as a target server.
D. Create a stub zone named publishing.Certkiller.com. Specify the DNS server in the Cairo office as a master server.

Answer: B

Explanation:
Reference: SERVER HELP
We must be able to look up, in Beijing (Certkiller.com), records in Cairo (publishing.Certkiller.com) without a network connection. The Beijing office (Certkiller.com) uses the local DNS server as its preferred DNS server. The Beijing office needs to allow successful resolution of all queries from the Beijing office for names in the publishing.Certkiller.com namespace (Cairo server), even when the VPN link between the Beijing and Cairo offices fails.
We have just one option: use delegation and point

Secondary DNS server: A DNS server that hosts a read-only copy of zone data. A secondary DNS server periodically checks for changes made to the zone on its configured primary DNS server, and performs full or incremental zone transfers, as needed. A secondary zone contains a complete copy of a zone.

After transferring the secondary zone from the child domain, we can set the name server of the Cairo DNS in this way:

Delegation: The process of using resource records to provide pointers from parent zones to child zones in a namespace hierarchy. This enables DNS servers in a parent zone to route queries to DNS servers in a child zone for names within their branch of the DNS namespace. Each delegation corresponds to at least one zone.

Incorrect Answers:
A: We cannot delegate a child zone to a principal zone; we can delegate to another server in the child zone. If you are deploying DNS on a large enterprise network, or if you expect your network to expand to include additional subnets and sites, consider distributing the management of portions of your DNS namespace to the administrators for the different subnets and sites in your network. To distribute the management of your DNS namespace, create subdomains of your initial DNS domain and delegate the authority for these subdomains to DNS servers located on different subnets or sites. In this way, you can create any number of separate and autonomous entities within a DNS namespace, each of which is authoritative for a portion of the overall namespace.
C: We cannot forward queries that are not in the Cairo DNS cache for publishing.Certkiller.com over a broken link.
D: We cannot use a stub zone. A stub zone is a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone's authoritative servers, and the glue address (A) resource records that are required for contacting the zone's authoritative servers. Stub zones are used to reduce the number of DNS queries on a network, and to decrease the network load on the primary DNS servers hosting a particular name.

QUESTION 64
You are the network administrator for the Berlin office of Certkiller. The company network consists of a single Active Directory domain named Certkiller.com. The Berlin office contains 15 file servers that contain confidential files. All the file servers run either Windows Server 2003 or Windows 2000 Server. All the file servers are in the BerlinFilePrint organizational unit (OU). Certkiller's security department sets a rule that specifies the size and retention settings for the Security event log of all file servers. The rule also specifies that local administrators on servers cannot override the changes you make to the settings for the Security event log. You need to define a method to modify the Security event log settings on each file server in the Berlin office in order to meet the stated requirements. What should you do?

A. Modify the local security policy on each file server. Define the size and retention settings for the Security event log.
B. Create a security template on one of the file servers by using the Security Configuration and Analysis tool. Define the size and retention settings for the Security event log in the template. Import the security template into the local security policy of the other 14 file servers.
C. Use Event Viewer to modify the event log properties on each file server. Define the size and retention settings for the Security event log.
D. Create a new Group Policy object (GPO) and link it to the BerlinFilePrint OU. In the GPO, define the size and retention settings for the Security event log.

Answer: D

Explanation:
The servers are in the BerlinFilePrint OU. The setting will apply to Windows 2000 Server and Windows Server 2003 computers. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings.

Event Log: This security area defines attributes related to the Application, Security, and System event logs: maximum log size, access rights for each log, and retention settings and methods. Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your Enterprise Security Plan.

QUESTION 65
You are a network administrator for Certkiller. The network consists of a single Active Directory domain named Certkiller.com. The domain contains two Windows Server 2003 terminal servers that host applications that are used by company employees. An organizational unit (OU) named Terminal Servers contains only the computer accounts for these two terminal servers. A Group Policy object (GPO) named TSPolicy is linked to the Terminal Servers OU, and you have been granted the right to modify the GPO. Users should use the terminal servers to run only authorized applications. A custom financial application suite is currently the only allowed application. The financial application suite is installed in the folder C:\Program Files\MT Apps. The financial application suite contains many executable files. Users must also be able to use Internet Explorer to access a browser-based application on the company intranet. The browser-based application makes extensive use of unsigned ActiveX components. The financial application suite and the browser-based application are frequently updated with patches or new versions. You need to configure the terminal servers to prevent users from running unauthorized applications. You plan to configure software restriction policies in the TSPolicy GPO. To reduce administrative overhead, you want to create a solution that can be implemented once, without requiring constant reconfiguration. Which three actions should you perform to configure software restriction policies? (Each correct answer presents part of the solution. Choose three.)

A. Set the default security level to Disallowed.
B. Set the default security level to Unrestricted.
C. Create a new certificate rule.
D. Create a new hash rule.
E. Create a new Internet zone rule.
F. Create a new path rule.

Answer: A, E, F

Explanation:
We need to prevent unauthorized applications from running. We should set the default security level to Disallowed. This will prevent the users from running any applications; we can then make exceptions to this rule. An Internet zone rule would allow the users to run the intranet application. A path rule would allow the users to run the application in a certain path; in this case C:\Program Files\MT Apps. The question states that the application is regularly updated with patches etc. Therefore, we cannot use a hash rule or a certificate rule, because we would have to recreate the hash or the certificate every time the application was updated.

The purpose of a rule is to identify one or more software applications, and specify whether or not they are allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule. Each rule can include descriptive text to help communicate why the rule was created. A software restriction policy supports the following four ways to identify software:

Hash: A cryptographic fingerprint of the file.
Certificate: A software publisher certificate used to digitally sign a file.
Path: The local or universal naming convention (UNC) path of where the file is stored.
Zone: Internet Zone

Hash Rule
A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of where it is accessed or what it is named. An administrator may not want users to run a particular version of a program. This may be the case if the program has security or privacy bugs, or compromises system stability. With a hash rule, software can be renamed or moved into another location on a disk, but it will still match the hash rule because the rule is based on a cryptographic calculation involving file contents. A hash rule consists of three pieces of data, separated by colons:

MD5 or SHA-1 hash value
File length
Hash algorithm id

It is formatted as follows:

[MD5 or SHA1 hash value]:[file length]:[hash algorithm id]

Files that are digitally signed will use the hash value contained in the signature, which may be SHA-1 or MD5. Files that are not digitally signed will use an MD5 hash.

Certificate Rule
A certificate rule specifies a code-signing, software publisher certificate. For example, a company can require that all scripts and ActiveX controls be signed with a particular set of publisher certificates. Certificates used in a certificate rule can be issued from a commercial certificate authority (CA) such as VeriSign, a Windows 2000/Windows Server 2003 PKI, or a self-signed certificate. A certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of the signed file to match files regardless of name or location. If you wish to make exceptions to a certificate rule, you can use a hash rule to identify the exceptions.

Path Rule
A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.

Zone Rule
A rule can identify software from the Internet Explorer zone from which it is downloaded.

QUESTION 66
You are the network administrator for Certkiller.com. The network consists of a single Active Directory domain named Certkiller.com. The domain contains Windows Server 2003 domain controllers, Windows Server 2003 member servers, and Windows XP Professional computers. The network security administrator revises the written company security policy. The security policy now states that all computers must have the ability to audit any attempts to change the registry. To comply with the company security policy, you need to enable auditing for the domain. You do not want to generate any other type of event that is not related to the changes in the security policy. How should you configure auditing? To answer, drag the appropriate Audit Policy setting or settings to the correct policy or policies.

Answer:
Drag and drop Success and Failure to Audit Object Access

Explanation:
Audit object access
Description: This security setting determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified.

Assign permissions to files, folders, and registry keys: Appropriate object manager and Properties page

Access control is the model for implementing authorization. Once a user account has received authentication and can access an object, the type of access granted is determined by either the user rights that are assigned to the user or the permissions that are attached to the object. For objects within a domain, the object manager for that object type enforces access control. For example, the registry enforces access control on registry keys. Every object controlled by an object manager has an owner, a set of permissions that apply to specific users or groups, and auditing information. By setting the permissions on an object, the owner of the object controls which users and groups on the network are allowed to access the object. The permission settings also define what type of access is allowed (such as read/write permission for a file). The auditing information defines which users or groups are audited when attempting to access that object.

After setting the audit policy, refresh the policy and enable the setting for the Everyone group on regedit.exe; you will see any attempt to access

QUESTION 67
You are the network administrator for Certkiller.com. The network consists of a single Active Directory domain named Certkiller.com. The intranet Web site is hosted on a Windows Server 2003 computer named Certkiller4, which is a member of a workgroup. All client computers are members of the domain and are enabled for IPSec. The network security administrator creates a new security policy for Certkiller4. The policy states that only HTTP traffic is permitted, that HTTP traffic must be encrypted, and that all computers must be authenticated. The new security policy is implemented. Domain users report that they are not able to connect to Certkiller4. You load the IP Security Monitor snap-in, and you view the details shown in the following window.

You need to ensure that all domain users can securely connect to Certkiller4. What should you do?

A. Install a digital certificate on Certkiller4.
B. Make Certkiller4 a member of the domain.
C. Change the source and destination ports for outbound traffic.
D. Change the source and destination ports for inbound traffic.

Answer: B

Explanation:
Certkiller4 is a member of a workgroup and must manage domain users' permissions. As a server in a workgroup, you cannot manage users who are members of a domain, so you need to make the Certkiller4 server a member of the Certkiller domain. For all computers to be authenticated, the server needs to use Kerberos v5; this is the second reason why Certkiller4 needs to be a member of the Certkiller domain.

Incorrect Answers:
C and D: The rules are correct.
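The hash rule format and the path rule behaviour described in the Question 65 explanation, as an added example that is not part of the original document. The function names, the `ledger.exe` file name and the sample bytes are constructed for illustration, the algorithm ids are the Windows CryptoAPI ALG_ID values for MD5 and SHA-1, and `decide()` is a simplified model that covers only hash and path exceptions under a default security level.

```python
import hashlib
from pathlib import PureWindowsPath

# "Hash algorithm id" field: Windows CryptoAPI ALG_ID values.
ALG_IDS = {"md5": 32771, "sha1": 32772}  # CALG_MD5 (0x8003), CALG_SHA1 (0x8004)


def hash_rule(content: bytes, algorithm: str = "md5") -> str:
    """Build '[hash value]:[file length]:[hash algorithm id]' for file content."""
    digest = hashlib.new(algorithm, content).hexdigest()
    return f"{digest}:{len(content)}:{ALG_IDS[algorithm]}"


def matches_hash_rule(rule: str, content: bytes) -> bool:
    """A hash rule follows the bytes, regardless of file name or location."""
    try:
        digest, length, alg_id = rule.split(":")
        length, alg_id = int(length), int(alg_id)
    except ValueError:
        return False  # a malformed rule never matches
    algorithm = next((n for n, i in ALG_IDS.items() if i == alg_id), None)
    if algorithm is None or length != len(content):
        return False
    return hashlib.new(algorithm, content).hexdigest() == digest.lower()


def matches_path_rule(rule_path: str, file_path: str) -> bool:
    """A folder path rule covers the folder and its subfolders, ignoring case."""
    rule = PureWindowsPath(rule_path.lower())
    target = PureWindowsPath(file_path.lower())
    return target == rule or rule in target.parents


def decide(file_path, content, hash_rules=(), path_rules=(), default="Disallowed"):
    """Simplified model: any matching exception rule yields 'Unrestricted'."""
    if any(matches_hash_rule(r, content) for r in hash_rules):
        return "Unrestricted"
    if any(matches_path_rule(r, file_path) for r in path_rules):
        return "Unrestricted"
    return default


# Constructed sample data: two builds of a hypothetical ledger.exe.
APP_DIR = r"C:\Program Files\MT Apps"
BUILD_1 = b"MZ constructed ledger.exe build 1"
BUILD_2 = b"MZ constructed ledger.exe build 2 (patched)"

if __name__ == "__main__":
    rule = hash_rule(BUILD_1)
    print("hash rule for build 1:", rule)
    for label, path, data in [
        ("build 1, installed path", APP_DIR + r"\ledger.exe", BUILD_1),
        ("build 2 after patching", APP_DIR + r"\ledger.exe", BUILD_2),
        ("build 1 renamed and moved", r"C:\Temp\tool.exe", BUILD_1),
    ]:
        print(f"{label:28} hash rule only: {decide(path, data, hash_rules=[rule]):13}"
              f" path rule only: {decide(path, data, path_rules=[APP_DIR])}")
```

The patched build stops matching the hash rule while the path rule keeps working, which is why the explanation prefers a path rule for a frequently updated suite.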
QUESTION 68
You are the network administrator for Certkiller.com. The network consists of a single Active Directory domain named Certkiller.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The written company security policy states that unnecessary services must be disabled and that servers must have the most recent, company-approved updates. You install and configure Software Update Services (SUS) on a server named CertkillerB. You install Windows Server 2003 Standard Edition on a computer named CertkillerA. CertkillerA is used only as a file and print server. CertkillerA has two local user accounts, and the administrator account has been renamed. You need to find out whether CertkillerA is running unnecessary services and whether it has all available approved security updates. To reduce the amount of network bandwidth and time requirements, you need to scan for only the required information.

Answer:
Check for Windows vulnerabilities
Check for security updates
If you have this option to select, check Use SUS server and select server http://CertkillerB
They give you three options in this combo box and also in the computer name combo box.

Select box Check for Unnecessary Services

Windows checks
Check for missing security updates and service packs
Check for account password expiration
Check for file system type on hard drives
Check if auto logon feature is enabled
Check if the Guest account is enabled
Check the Restrict Anonymous registry key settings
Check the number of local Administrator accounts
Check for blank and/or simple local user account passwords
Check if unnecessary services are running
List the shares present on the computer
Check if auditing is enabled
Check the Windows version running on the scanned computer

Select box Security Updates Scan
By default, a security update scan executed from the MBSA GUI or from mbsacli.exe (MBSA-style scan) will scan and report missing updates marked as critical security updates in Windows Update (WU), also referred to as "baseline" critical security updates. When a security update scan is executed from mbsacli.exe using the /hf switch (HFNetChk-style scan), all security-related security updates will be scanned and reported on. A user running an HFNetChk-style scan would have to use the -b option to scan only for WU critical security updates. When the SUS option is chosen, all security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.

QUESTION 69
You are the network administrator for Certkiller.com. The company has a main office in Toronto and several branch offices in North America. You work in Toronto. The network contains Windows Server 2003 computers and Windows XP Professional computers. A user named Jack works in a branch office. She reports that her client computer cannot connect to a remote VPN server. You suspect that her client computer did not receive a recent hotfix. You need to verify which hotfixes are installed on Jack's computer. What should you do?

A. From a command prompt, run the update.exe command.
B. From a command prompt, run the wmic qfe command.
C. View the History-synch.xml file.
D. View the History-approve.xml file.

Answer: B

Explanation:
WMIC extends WMI for operation from several command-line interfaces and through batch scripts.

Sample Execution
C:\>wmic qfe
XP Windows XP Hot fix (SP2) Q810565 Update
XP Windows XP Hot fix (SP2) Q810577 Update
[global switches] <command>
The following global switches are available:
QFE - Quick Fix Engineering.

QUESTION 70
You are the network administrator for Certkiller.com. The network contains Windows Server 2003 computers and Windows XP Professional computers. You install Software Update Services (SUS) on a server named CertkillerSrv.
You scan the client computers to find out if any current hotfixes are installed. You notice that no client computers have been updated during the past seven days. You are unable to access the synchronization logs on CertkillerSrv. You need to ensure that SUS is functioning properly. What should you do on CertkillerSrv?

A. Delete the History_Approve.xml file and restart the computer.
B. Delete the Aucatalog.cab file and restart the computer.
C. Restart the Background Intelligent Transfer Service (BITS).
D. Restart all IIS-related services.

[...]

... servers run Windows Server 2003, and all client computers run Windows XP Professional. A file server named CertkillerFileSrv is configured as a stand-alone Distributed File System (DFS) root. The disk configuration of CertkillerFileSrv is shown in the following table.

Disk    Volume  Contents
Disk0   MAIN    System files
Disk1   DATA    Database files
Disk1   USERS   Files and data...

... for Certkiller.com. All network servers run Windows Server 2003. A file server named CertkillerSrvA has shadow copies enabled. One shared folder on CertkillerSrvA has the configuration shown in the following table. While viewing a previous version of CertkillerDocs, you open and edit Financials.xls. However, when you try to save the edited file, you receive the following error message:
You need to save your...

... The network consists of a single Active Directory domain named Certkiller.com. All network servers run Windows Server 2003. You use a script written in Microsoft Visual Basic, Scripting Edition (VBScript) to create new user accounts. You need to modify the script and ...

... The synchronization log is named history-Sync.xml and it is stored in the \AutoUpdate\Administration directory. The file name for the approval log is History-Approve.xml and it is stored in the \AutoUpdate\Administration directory. SUS uses the Background Intelligent Transfer Service (BITS) to perform the download by using idle network bandwidth.

QUESTION 71
You are the network...

... Answer: D

Explanation:
SUS is dependent on the IIS services. In this case the first step is to restart the IIS services and check whether all services start again. After that we will need to look for error codes generated by SUS. During synchronization, the Aucatalog1.cab...

... Disable quota management on USERS.

Answer: C

Explanation:
Enabling users to access previous versions of their files is a two-step process. The clients need the 'previous versions' client software installed and the volume hosting the shared folder must have Shadow Copies enabled.

Incorrect Answers:
A: The Distributed Link Tracking Client service is not related to shadow copies.
B: Creating a DFS link to User...

... do?

A. Copy the previous version of CertkillerDocs to a separate location.
B. Restore the previous version of CertkillerDocs to the default location.
C. Save Financials.xls in a separate location by using Microsoft Excel.
D. In the security properties of Financials.xls, assign the Allow - Modify permissions to the Everyone group.

Answer: C

Explanation:
When you view a 'previous version' of a file, the file