ExamWise For MCP / MCSE Certification : Security for a Microsoft Windows 2000 Network Exam 70-220 [1 ed.] 9781590956212


English, 328 pages, 2003


ExamWise For Designing Security for a Microsoft Windows 2000 Network Examination 70-220

Online practice exam provided by BeachFrontQuizzer, Inc., Friendswood, Texas www.bfqonline.com

Author: Patrick Simpson MCNE, MCNI, MCSE+I, MSCE, MCT
Published by TotalRecall Publications, Inc., 1103 Middlecreek, Friendswood, TX 77546, 281-992-3131
NOTE: THIS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com

TotalRecall Publications, Inc.
This book is sponsored by BeachFront Quizzer, Inc.
Copyright © 2003 by BeachFront Quizzer, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic or mechanical, or by photocopying, recording, or otherwise, without the prior permission of the publisher. The views expressed in this book are solely those of the author, and do not represent the views of any other party or parties.
Printed and bound by Data Duplicators of Houston, Texas. Printed and bound by Lightning Source, Inc. in the USA and UK.
ISBN: 1-59095-621-4
UPC: 6-43977-03220-1
The sponsoring editor is Bruce Moran and the production supervisor is Corby R. Tate.

Worldwide eBook publication and distribution by:

This publication is not sponsored by, endorsed by, or affiliated with Microsoft, Inc. The “Windows® 2000, MCSE™, MCSD™, MCSE+I™, MCT™” Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. All other trademarks are trademarks of their respective owners. Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we used names in an editorial fashion only and to the benefit of the trademark owner. No intention of infringement on trademarks is intended. Disclaimer Notice: Judgments as to the suitability of the information herein for purchaser’s purposes are necessarily the purchaser’s responsibility. BeachFront Quizzer, Inc. and TotalRecall Publications, Inc. extends no warranties, makes no representations, and assumes no responsibility as to the accuracy or suitability of such information for application to the purchaser’s intended purposes or for consequences of its use.

This book is dedicated to my wife Joy, and my children Lucas, Bethany and Alexander, for their patience and support. Thanks also to Bruce for the encouragement and support. Lastly, but mostly, thanks be to God, from Whom all gifts proceed.

Patrick Simpson

ExamWise For Windows 2000 Security Certification
By Patrick Simpson MCNE, MCNI, MCSE+I, MSCE, MCT

About the Author
Patrick Simpson is a Microsoft MCSE, MCSE+I, MCT and a Novell Master CNE and Master CNI. He has been a Microsoft Certified Trainer for five years and has been working in the IT industry for approximately 9 years, specializing in network consulting and technical education. Patrick has written numerous certification study aids for both Microsoft Windows 2000 exams and for Novell certification exams. Pat is married, has three children, and is currently working for a technical consulting/education company in Green Bay, WI.

About the Contributing Author
Travis Kelly has worked in computer repair and help desk for over 7 years and is currently CIW Certifiable. His computer background is quite varied and he has an intense interest in the current and future state of technology. Travis is working towards his bachelor's degree in Houston, TX.

About the Editor
Alan Grayson (M.S. Systems Management, MCSE 2000, MCSE+I, MCDBA, MCSA, MCT, CNE-3/4, Net+, Server+, Master CIW Administrator, CIW E-Commerce Designer, CIW-CI) has seven years of experience as a computer professional. He teaches at Mercer University in Macon, GA. You may email him at [email protected] or [email protected].

About The Book
Part of The Question Book Series, this new self-help and interactive exam study aid with a 30-day voucher for online testing is now available for candidates preparing to sit the Microsoft 70-220 Designing Security for a Microsoft® Windows® 2000 Network certification exam. The book covers the information associated with each of the exam topics in detail and includes information found in no other book. Using the book will help readers determine if they are ready for the Microsoft 70-220 Designing Security for a Microsoft® Windows® 2000 Network certification exam. This book explains the concepts in a clear and easy-to-understand manner to help you not only pass the exam, but also apply the knowledge later in a real-world situation. Helpful tips and time management techniques will alleviate pre-exam jitters and put you in control.

About Online Testing
www.bfqonline.com practice tests include self-study sessions with instant feedback, and simulative and adaptive testing with detailed explanations. Register at www.BFQPress.com or send an email. Located in the back of the book is a 30-day voucher for online testing.

Table of Contents

About the Author ............................................ IV
About the Contributing Author ............................... IV
About the Editor ............................................ IV
About The Book .............................................. V
About Online Testing ........................................ V
70-220 Exam Specifications .................................. VIII
Networking Terminology ...................................... XIV
Case Study 01: Rocky Mountain School ........................ 1
Case Study 02: Supreme Manufacturing, Inc. .................. 29
Case Study 03: Excel Forwarder Corp ......................... 55
Case Study 04: Joe's Canoe Company .......................... 75
Case Study 05: ABC Toys ..................................... 95
Case Study 06: MediAssociate ................................ 113
Case Study 07: Kellok Accounting Service .................... 131
Case Study 08: ProX Auditing Group .......................... 149
Case Study 09: ExGovern ..................................... 167
Case Study 10: ProTax ....................................... 179
Case Study 11: B2Bexpert .................................... 191
Case Study 12: SBP Associates ............................... 205
Case Study 13: SamuraiPro Trading Company ................... 219
Case Study 14: LaserPoint ................................... 233
Case Study 15: StylerX ...................................... 247
Case Study 16: MediX, Inc. .................................. 261
Case Study 17: XFab, Inc. ................................... 277
Case Study 18: ProStaff ..................................... 291
Money Back Book Guarantee ................................... 307
70-220 Free Practice Exam Online ............................ 308


70-220 Exam Specifications

Exam 70-220: Installing, Configuring, and Administering Microsoft Windows 2000 Professional
http://www.microsoft.com/traincert/exams/70-220.asp

Information you will find in their document will include the following.

Credit Toward Certification
When you pass the Designing Security for a Microsoft® Windows® 2000 Network exam, you achieve Microsoft Certified Professional status. You also earn credit toward the following certifications:
• Core or elective credit toward Microsoft Certified Systems Engineer on Microsoft Windows 2000 certification

Audience Profile
Candidates for this exam operate in medium to very large computing environments that use the Windows 2000 network operating system. They have a minimum of one year's experience designing network infrastructures in environments that have the following characteristics:
• Supported users range from 200-26,000+
• Physical locations range from 5-150+
• Typical network services and applications include file and print, database, messaging, proxy server or firewall, dial-in server, desktop management, and Web hosting.
• Connectivity needs include connecting individual offices and users at remote locations to the corporate network and connecting corporate networks to the Internet.

Skills Being Measured
This certification exam tests the skills required to analyze the business requirements for security and design a security solution that meets business requirements. Security includes:
• Controlling access to resources
• Auditing access to resources
• Authentication
• Encryption


Analyzing Business Requirements

The initial phase of designing security for a company or an organization involves gathering business information about the company, in terms of locations, connectivity, processes, and issues such as product life cycles, the company's tolerance for risk and how the company identifies costs. In gathering this information, there are no decisions to be made; rather, the designer/consultant is looking for issues that will help in weighing recommendations later in the design process. The designer needs to understand the IT department and how management is currently performed, how decisions are made, and the physical connectivity used between locations. In addition, the future plans of the company or organization in each of these areas need to be clarified, so that any design recommendations can accommodate these plans. While much of this information gathering is not technical in nature, these issues in many cases will affect the security recommendations and aspects of the final design.

• Analyze the existing and planned business models.
• Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices.
• Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.
• Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
• Analyze factors that influence company strategies.
• Identify company priorities.
• Identify the projected growth and growth strategy.
• Identify relevant laws and regulations.
• Identify the company's tolerance for risk.
• Identify the total cost of operations.
• Analyze business and security requirements for the end user.
• Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
• Analyze the current physical model and information security model.
• Analyze internal and external security risks.


Analyzing Technical Requirements

This set of objectives is still consulting in nature, providing the designer with additional background information affecting the eventual design recommendations for the client company. The sheer size of the company, the number of users and the distribution of resources, such as DHCP or DNS servers, web servers and the like, must be considered when building a security design. When the resources are accessed, how much bandwidth is available and for how long the resource is accessed will then lead the designer to consider certain solutions and discard others. Windows 2000 Active Directory provides the designer with many variations on the rights users may be given and the types of administrators that may be created. Existing systems and applications may be impacted by recommendations, and so changes may be necessary in this area. For instance, DNS in Windows 2000 must support SRV records, something that current DNS servers often do not support. Rollouts and upgrades may not proceed as planned, depending upon which security measures are put in place. Companies use a mix of support personnel, both internal and contractor. The security design will have to consider the training needs and the roles that each of these administrators will play after implementation. Network and systems management may be affected by the security design. Software packages in use may need to be replaced or upgraded. Management practices may no longer be possible in the newly secured network. The systems must allow for flexibility and growth, such as acquisitions. All of these issues add to the richness and complexity of the security design, challenging the designer to balance many issues in the design process.

• Evaluate the company's existing and planned technical environment.
• Analyze company size and user and resource distribution.
• Assess the available connectivity between the geographic location of work sites and remote sites.
• Assess the net available bandwidth.
• Analyze performance requirements.
• Analyze the method of accessing data and systems.
• Analyze network roles and responsibilities. Roles include administrative, user, service, resource ownership, and application.
• Analyze the impact of the security design on the existing and planned technical environment.
• Assess existing systems and applications.
• Identify existing and planned upgrades and rollouts.
• Analyze technical support structure.
• Analyze existing and planned network and systems management.


Analyzing Security Requirements

The implementation of Active Directory adds tremendous capability in the securing of computers in a Windows 2000 network. Security settings for computers can be created using the security templates provided by Microsoft, by adding incremental security templates, or by creating custom templates. The settings can then be applied to multiple computers by placing computers in Active Directory containers and using Group Policy objects to push the security template settings. It is important to identify the different roles that the various Windows computers play in the network. Clearly domain controllers have different security requirements than do file servers, just as laptops have different risks associated with their use than do kiosks. Each resource must be evaluated in terms of security needs. Shares, files, and printers are all examples of common resources in a network environment. Each resource has to be identified, and the associated security risks and countermeasures recommended. For many of these resources, Active Directory containers or group nesting will provide the focal point of access, and the resource will have a DACL or ACL that provides an interface for setting permissions.

• Design a security baseline for a Windows 2000 network that includes domain controllers, operations masters, application servers, file and print servers, RAS servers, desktop computers, portable computers, and kiosks.
• Identify the required level of security for each resource. Resources include printers, files, shares, Internet access, and dial-in access.

Designing a Windows 2000 Security Solution

While security design begins in the earlier sections, with the discovery of information describing the client company or organization, the process of linking security solutions with needs begins in this section. This section examines the major areas of security in Windows 2000 and in each area seeks to clarify the purpose and scope of the security solution. We begin by looking at auditing, move on to delegation of authority and then look more closely at security policies, both account policies and Group Policies. From there we look at the different authentication solutions available in Windows 2000, clarifying the use for each, and the basics of each. We move on to security groups, the basis for organizing user accounts and giving access in a Windows 2000 network, then PKI, especially Certificate Services in Windows 2000. After detailing the other security solutions that rely upon Certificate Services, we close by looking at Windows 2000 services that need additional attention in ensuring their security: DNS, RIS, SNMP and Terminal Services.

Much of the detail in each of these areas is presumed to be already known; it is the job of the designer to know which solution to recommend for different situations, and to be aware of the larger, company-wide impact of each solution. The focus here is matching the solution to the need.

• Design an audit policy.
• Design a delegation of authority strategy.
• Design the placement and inheritance of security policies for sites, domains, and organizational units.
• Design an Encrypting File System strategy.
• Design an authentication strategy.
• Select authentication methods. Methods include certificate-based authentication, Kerberos authentication, clear-text passwords, digest authentication, smart cards, NTLM, RADIUS, and SSL.
• Design an authentication strategy for integration with other systems.
• Design a security group strategy.
• Design a Public Key Infrastructure.
• Design Certificate Authority (CA) hierarchies.
• Identify certificate server roles.
• Manage certificates.
• Integrate with third-party CAs.
• Map certificates.
• Design Windows 2000 network services security.
• Design Windows 2000 DNS security.
• Design Windows 2000 Remote Installation Services (RIS) security.
• Design Windows 2000 SNMP security.
• Design Windows 2000 Terminal Services security.

Designing a Security Solution for Access Between Networks

Corporate networks today are increasingly connecting site-to-site, client-to-site, and even client-to-client. The costs and complexity of providing this connectivity have increased over the past few years, with the recent trend towards using the Internet rather than leasing lines between sites, and using the Internet for remote users rather than dial-up connectivity (like RAS, etc.).

This movement towards the Internet as a low-cost solution has given rise to concerns about security. Data transmissions across the Internet cannot be considered secure unless they are encrypted. Furthermore, this type of connectivity gives rise to the need to authenticate, that is, to validate the identity of the sender. Otherwise, data transmissions could be intercepted, modified and forwarded on without anyone knowing that it had occurred. To reduce the risks involved in these areas, authentication and encryption solutions, loosely labeled as VPN or Virtual Private Network, have evolved. This section begins with a brief discussion of private and public networks, and then moves on to discuss the concerns and solutions for connectivity for external users and in LAN and WAN networks in Windows 2000.

• Provide secure access to public networks from a private network.
• Provide external users with secure access to private network resources.
• Provide secure access between private networks.
• Provide secure access within a LAN.
• Provide secure access within a WAN.
• Provide secure access across a public network.
• Design Windows 2000 security for remote access users.

Designing Security for Communication Channels

Whether the communication is occurring on a LAN connection or across some WAN interface, there may be a need to secure the channel. This section covers the use of SMB signing in a LAN to ensure authenticated communications, and the use of IPSec in securing communications in either a LAN or a WAN setting. While in the previous section we discussed VPN solutions in terms of fitting the solution with the need, in this section we focus on the use of IPSec in securing communications channels between two Windows 2000 computers. We will look in more detail at how to design, configure, manage and tune IPSec configurations in a Windows 2000 network.

• Design an SMB-signing solution.
• Design an IPSec encryption scheme.
• Design an IPSec solution.
• Design an IPSec management strategy.
• Design negotiation policies.
• Design security policies.
• Design IP filters.
• Define security levels.


Networking Terminology

There are a lot of different terms and acronyms that you will be learning in this book. It must be assumed that you have a certain amount of networking experience, or you may find it necessary to supplement this material with some other books on the subject of networks in general. Before we go very far we will need to define some of the common terms that we will be using often throughout our text. Additional terminology will be introduced as we learn more about security.

• ACPI - Advanced Configuration and Power Interface -- an open industry specification that defines a flexible and extensible interface. This allows system designers to select appropriate cost/feature trade-offs for power management.
• Access control list (ACL) - A list of security protections that apply to an entire object, a set of the object's properties, or an individual property of an object. There are two types of access control lists: discretionary and system.
• Authentication - A basic security function of cryptography. Authentication verifies the identity of the entities that communicate over the network. For example, the process that verifies the identity of a user who logs on to a computer either locally, at a computer's keyboard, or remotely, through a network connection.
• Certificate - A digital document that is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standard.
• Certificate Services - The Windows 2000 service that issues certificates for a particular CA. It provides customizable services for issuing and managing certificates for the enterprise.
• DACL - Discretionary Access Control List. A feature that is part of an object's security that denies or grants users and/or groups permission to access the object. Because the object's owner is the only one who can change the permissions granted or denied in the DACL, access is at the owner's discretion.
• Decryption - The process of making encrypted data readable again by converting ciphertext to plaintext.
• Digital signature - A means for originators of a message, file, or other digitally encoded information to bind their identity to the information. The process of digitally signing information entails transforming the information, as well as some secret information held by the sender, into a tag called a signature. Digital signatures are used in public key environments and they provide nonrepudiation and integrity services.
• Encrypting File System (EFS) - A new feature in Windows 2000 that protects sensitive data in files that are stored on disk using the NTFS file system. It uses symmetric key encryption in conjunction with public key technology to provide confidentiality for files. It runs as an integrated system service, which makes EFS easy to manage, difficult to attack, and transparent to the file owner and to applications.
• Encryption - The process of disguising a message or data in such a way as to hide its substance.
• Firewall - A method to keep a network secure. Firewalls are used to give employees access to the Internet without breaching internal security, as well as to prevent external intrusion into the internal network.
• Hostnames - User-friendly names given to computers in a TCP/IP network.
• Kerberos authentication protocol - An authentication mechanism used to verify user or host identity. The Kerberos v5 authentication protocol is the default authentication service for Windows 2000. Internet Protocol security and the QoS Admission Control Service use the Kerberos protocol for authentication.
• Key - A secret code or number required to read, modify, or verify secured data. Keys are used in conjunction with algorithms to secure data. Windows 2000 automatically handles key generation. For the registry, a key is an entry in the registry that can contain both subkeys and entries. In the registry structure, keys are analogous to folders, and entries are analogous to files. In the Registry Editor window, a key appears as a file folder in the left pane. In an answer file, keys are character strings that specify parameters from which Setup obtains the needed data for unattended installation of the operating system.
• Trusted User - A user who either has an account in the domain or whose account belongs to a trusted domain.
• IP address - The numeric identifier that the TCP/IP protocol uses to communicate.
• MMC - Microsoft Management Console - a framework for hosting administrative consoles. The objects on the tree, including web pages, folders and management tools, define a console.
• PKI - Public Key Infrastructure - a system of digital certificates, Certificate Authorities, and other registration entities that verify and authenticate the validity of each party involved in an Internet transaction.
• Private key - The secret half of a cryptographic key pair that is used with a public key algorithm. Private keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding public key.
• Proxy server - A firewall component that manages Internet traffic to and from a local area network and can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.
• Public key cryptography - A method of cryptography in which two different but complementary keys, a public key and a private key, are used for providing security functions. Public key cryptography is also called asymmetric key cryptography.
• SID - Security Identifier - A unique identifier that represents an entity that exists in a Windows 2000 environment. A SID can represent a user, a computer, or a group of users.
• Secure Sockets Layer (SSL) - A proposed open standard developed by Netscape Communications for establishing a secure communications channel to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.
• Smart card - A credit card-sized device that is used with a PIN to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card.
• Symmetric key encryption - An encryption algorithm that requires the same secret key to be used for both encryption and decryption. This is often called secret key encryption. Because of its speed, symmetric encryption is typically used rather than public key encryption when a message sender needs to encrypt large amounts of data.


Case Study 01: Rocky Mountain School

You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been requested by the Rocky Mountain School of Music to design the network and the security structure for the entire school.

School Mission
The mission of the Rocky Mountain School of Music is to advance the art of music and its related disciplines. It seeks to educate students in the various fields of the profession and to promote an understanding of music. The School endeavors to preserve diverse repertories and cultural traditions while also creating opportunities for artistic, intellectual, and scholarly innovation in the realm of music. The School is dedicated to excellence in research, performance, composition, and teacher education, undertaken in a spirit of collaboration among its own constituents.

School Background
The Rocky Mountain School of Music is consistently ranked among the strongest professional music schools in Canada. It attracts outstanding students and faculty in composition-theory, music education, musicology, and performance. The school is large enough to provide a wide variety of experience for students seeking degrees in music. At the same time, the atmosphere of a smaller school prevails, with emphasis on individualized instruction in performance, comparatively small classes, and a faculty and staff that cares about its students. As a significant cultural resource, the School of Music serves the musical needs of the community, the region, the state, and the nation, and its influence is felt on an international level as well. One measure of a university's quality is the success of its graduates. Among the more than 10,000 alumni of the School of Music are 5 Pulitzer Prize winners in composition; members of major symphony orchestras, opera companies, jazz ensembles, and professional choral groups; and faculty members at many of the nation's most prestigious colleges and universities. Music education graduates direct some of the finest elementary and secondary music programs throughout Canada as well as in foreign countries. The school is proud of its record in assisting qualified graduates to assume leadership roles in the music profession through career counseling and professional advising.


Programs offered
The Rocky Mountain School of Music has two degree programs available:

Bachelor of Music
Specializations available in:
• Applied Music
• Composition-Theory
• Music History
• Open Studies

Bachelor of Music Education
Specializations available in:
• Choral Music
• General Music
• Instrumental Music

Divisions
The school currently has the following divisions:
• Brass
• Composition-Theory
• Music Education
• Musicology
• String
• Woodwind
• Accompanying
• Jazz
• Organ
• Percussion
• Piano
• Piano Pedagogy
• Voice


Faculties
The strength of the school lies in its distinguished and internationally known faculty, who are committed to teaching while at the same time maintaining active performance schedules and contributing substantially to research in all areas of music. The school is justifiably proud of its excellent facilities, nationally recognized degree programs, and enjoyable campus life, but these are secondary considerations when compared to the quality education provided by the faculty for the students. The professional relationship between students and faculty is based upon mutual respect and a common interest in the quest for musical knowledge and artistry. There are nearly 100 full-time faculty members in music, which provides a student to faculty ratio of approximately 20 to 1. The wealth of experience the faculty bring to the classroom, studio, concert hall, or research facility is supported by their continuous commitment to excellence.

Buildings and Facilities
Currently the school has the following buildings:
• Rocky Band Building
• Computer-Assisted Music Lab
• Music Project Lab
• Experimental Music Lab
• Performing Arts Lab
• Music Library Building
• School of Piano Building
• Jeff Memorial Hall


Admin Structure
The school has a Board of Directors for supervising the overall operations. The school president reports directly to the board. There are two vice presidents sharing the workload of administering the divisions of the school.

Organizational chart of the school and its Board of Directors.


IT Infrastructure
There are currently 2 IT staff members in the school. The existing network is purely DOS-based, with Netware 3.1 as the network OS. No special feature has been implemented. The registration office currently runs a 386 PC with dBase3+ as the school registration system. The staff generally use the old Geoworks software for designing flyers and other publications. Thanks to funding that became available last year, the school managed to install a 100BaseFX network across the campus, so the school has more than enough bandwidth for its needs.

Levels of Skills in IT
According to the IT Supervisor of the school, the students are very positive towards the use of IT in their learning process. Some students already use computers for music composition. Others use notebooks to take notes during lectures.

Risk Management
In the past the school was once in difficulty due to a funding problem. There was a situation where the teachers' salaries were not paid on time, leading to a strike and delays in class progress. Although this situation is not likely to happen again, the management insists on carrying out a risk management process. It has been suggested that Microsoft's Risk Management process is the ideal methodology to use.

Future Vision
The school plans to open a branch in Austin, Texas. The management is willing to pay for a high speed 128K dedicated connection between the main campus and the new location. This new location will mainly be used to teach Music History and Music Appreciation. The school will also open a branch in London. This location will use a dial-up modem to connect to the main office and will mainly be a marketing office to promote the school's "Student Exchange" program.

The school wants to deploy web-based software applications for everyone to use. However, there are some important legacy apps that cannot be web enabled. The education department has notified the school that, starting from the next academic year, about 10,000 students will be transferred to the school annually, as one of the other music schools in the state will eventually cease to operate. Additionally, the school will offer distance-learning courses for students off campus.


1. You need to present a cost analysis to the school board about your Windows 2000 plan. Which of the following are valid factors to include?
A. Infrastructure cost
B. Web development cost
C. Translation cost
D. IDD cost

2. Which of the following documents will you use when creating organizational units based on your company's structure?
A. Org Chart
B. NDA
C. LOC
D. ER
E. SA

1. You need to present a cost analysis to the school board about your Windows 2000 plan. Which of the following are valid factors to include?
*A. Infrastructure cost
*B. Web development cost
C. Translation cost
D. IDD cost
Explanation: The existing network infrastructure is far too old. To implement Windows 2000 you need to completely upgrade the infrastructure, so you must include this cost.
BFQ Skill: Understanding Lifecycles

2. Which of the following documents will you use when creating organizational units based on your company's structure?
*A. Org Chart
B. NDA
C. LOC
D. ER
E. SA
Explanation: An org chart should reflect the structure of the company's OUs.
BFQ Skill: Analyzing Company Model and Geographical Scope.


3. The branches in Austin and London are opened. To plan for the network security, which of the following will you take into account?
A. Server locations
B. IT staffs
C. Site links
D. Business model

4. The branches in Austin and London are opened. You assign London and Austin as the OUs. Which of the following is true?
A. Staffs in the branch can have local support
B. Staffs in the branch cannot have local support
C. Delegation of control
D. Faster network speed

3. The branches in Austin and London are opened. To plan for the network security, which of the following will you take into account?
*A. Server locations
*B. IT staffs
*C. Site links
*D. Business model
Explanation: Since there are multiple sites in the network, apart from the site topology and server locations you want to know where the IT staff are located, since they will be performing the administrative work.
BFQ Skill: Analyzing Company Model and Geographical Scope.

4. The branches in Austin and London are opened. You assign London and Austin as the OUs. Which of the following is true?
*A. Staffs in the branch can have local support
B. Staffs in the branch cannot have local support
*C. Delegation of control
D. Faster network speed
Explanation: Because you can delegate control, you can have local support staff in the branches without giving them full admin rights.
BFQ Skill: Analyzing Company Model and Geographical Scope.


5. How many sites will you create for the school?
A. One for the school
B. One per office and branch
C. One per domain
D. None of the choices

6. Which of the following information will be most critical for the OU design of the school?
A. How employees are organized.
B. How employees are paid.
C. How servers are organized.
D. How files are organized.

5. How many sites will you create for the school?
A. One for the school
*B. One per office and branch
C. One per domain
D. None of the choices
Explanation: Sites should follow subnets, hence it is logical to have at least one site per physical location.
BFQ Skill: Analyzing Company Model and Geographical Scope.

6. Which of the following information will be most critical for the OU design of the school?
*A. How employees are organized.
B. How employees are paid.
C. How servers are organized.
D. How files are organized.
Explanation: Without this information there is no way you can come up with a relevant OU directory structure.
BFQ Skill: Analyzing Company Model and Geographical Scope.


7. Which of the following are relevant decisions to make in order to finalize the domain structure?
A. Once you confirm how many branches the school will have
B. Once you confirm how many staffs will be at each location
C. Once you confirm how many servers will be at each location
D. Once you confirm how many computers will be at each location

8. The school emphasizes that course information must remain confidential. The school will assign some laptops to some of the trainers. Which of the following will ensure the safety of the information?
A. Use NTFS for the laptop
B. Use EFS for the laptop
C. Use FAT64 for the laptop
D. None of the choices

7. Which of the following are relevant decisions to make in order to finalize the domain structure?
*A. Once you confirm how many branches the school will have
B. Once you confirm how many staffs will be at each location
*C. Once you confirm how many servers will be at each location
D. Once you confirm how many computers will be at each location
Explanation: Staff headcount is not an important issue in the domain planning process.
BFQ Skill: Analyzing Company Model and Geographical Scope.

8. The school emphasizes that course information must remain confidential. The school will assign some laptops to some of the trainers. Which of the following will ensure the safety of the information?
*A. Use NTFS for the laptop
*B. Use EFS for the laptop
C. Use FAT64 for the laptop
D. None of the choices
Explanation: EFS makes sure that information remains secure even if the laptop is stolen. To use EFS you must use NTFS.
BFQ Skill: Analyzing Company Process.


9. Jay, who is your assistant, created a separate domain in a separate forest named MRF (Music Research Foundation) for the school. What do you need to create for this domain to communicate with the school domain?
A. Trust relationship
B. Site links
C. Tunnel
D. VPN

10. Mr. Derek Fullerk, who is on the board of the school, does not really like the idea of upgrading the existing network. He thinks that mature technology is old but reliable. Which of the following are valid reasons to support the deployment of new technology like Windows 2000?
A. Lower TCO
B. Increased Security
C. High pay for the board
D. Enjoy the glory of Windows 2000 MCSE
E. Become a MCSP

9. Jay, who is your assistant, created a separate domain in a separate forest named MRF (Music Research Foundation) for the school. What do you need to create for this domain to communicate with the school domain?
*A. Trust relationship
B. Site links
C. Tunnel
D. VPN
Explanation: Since the domain is in a separate forest, explicit trusts must be created manually.
BFQ Skill: Analyzing Company Process.

10. Mr. Derek Fullerk, who is on the board of the school, does not really like the idea of upgrading the existing network. He thinks that mature technology is old but reliable. Which of the following are valid reasons to support the deployment of new technology like Windows 2000?
*A. Lower TCO
*B. Increased Security
C. High pay for the board
D. Enjoy the glory of Windows 2000 MCSE
E. Become a MCSP
Explanation: With the advanced features in Windows 2000, the cost of ownership of the network will be much lower. Also, Windows 2000 has many more security features than NT4.
BFQ Skill: Understanding Lifecycles


11. Which of the following can be used to extend the life of existing software applications?
A. IIS
B. MTS
C. COM
D. DCOM
E. Terminal service

12. What is the risk for technology failure when implementing the school's network with Windows 2000?
A. High
B. Low
C. Medium
D. None of the choices

11. Which of the following can be used to extend the life of existing software applications?
A. IIS
B. MTS
C. COM
D. DCOM
*E. Terminal service
Explanation: Terminal Services can, to a certain extent, web enable some legacy applications.
BFQ Skill: Understanding Lifecycles

12. What is the risk for technology failure when implementing the school's network with Windows 2000?
A. High
*B. Low
C. Medium
D. None of the choices
Explanation: Microsoft does not expect you to say HIGH RISK regarding Windows 2000....
BFQ Skill: Understanding Lifecycles


13. What will you consider as the mark for completion of your service lifecycle?
A. When the end users' issues are resolved
B. When your own issues are resolved
C. When managements' issues are resolved
D. None of the choices

14. Which of the following appropriately describes the organization structure of the school?
A. Centralized
B. Decentralized
C. Monopoly
D. Modular

13. What will you consider as the mark for completion of your service lifecycle?
*A. When the end users' issues are resolved
B. When your own issues are resolved
C. When managements' issues are resolved
D. None of the choices
Explanation: The service life cycle is completed when the end users' issues are completely resolved.
BFQ Skill: Understanding Lifecycles

14. Which of the following appropriately describes the organization structure of the school?
A. Centralized
*B. Decentralized
C. Monopoly
D. Modular
Explanation: Refer to the Organization Chart in the case. Individual departments can manage their own activities.
BFQ Skill: Analyzing Existing and Planned Business Models and Organizational Structures


15. The school board refers you to another client who has similar needs. The client is running a Musical Instrument Manufacturer. Which of the following are valid standard business models that may exist in this client's company?
A. Divisions
B. Branches
C. Administrative
D. Managerial

16. You are asked to improve the security of the newly implemented Windows 2000 network. Jay suggests that you deploy Kerberos for authentication to enhance the security. Which of the following are valid actions to take?
A. Install Kerberos
B. Download the latest Kerberos software from MIT
C. Run the TCS installation program
D. Remove the TCS binding
E. Do nothing

15. The school board refers you to another client who has similar needs. The client is running a Musical Instrument Manufacturer. Which of the following are valid standard business models that may exist in this client's company?
*A. Divisions
*B. Branches
C. Administrative
D. Managerial
Explanation: Another valid model is by unit function.
BFQ Skill: Analyzing Existing and Planned Business Models and Organizational Structures

16. You are asked to improve the security of the newly implemented Windows 2000 network. Jay suggests that you deploy Kerberos for authentication to enhance the security. Which of the following are valid actions to take?
A. Install Kerberos
B. Download the latest Kerberos software from MIT
C. Run the TCS installation program
D. Remove the TCS binding
*E. Do nothing
Explanation: There is no need for you to take any action. Kerberos is the Windows 2000 default anyway.
BFQ Skill: Analyzing Existing and Planned Business Models and Organizational Structures


17. The director of the school worries about the current Windows 2000 single domain structure being inadequate to handle the large number of new students coming in next year. Which of the following are valid actions to take?
A. Compress the directory
B. Compress the directory objects
C. Modify the schema
D. Design three new domains to hold the new user objects
E. Do nothing

18. Which of the following allows off-campus distance-learning students to connect to the school's library network?
A. Dial Up connections
B. RRAS
C. T1
D. E1
E. Calling card

17. The director of the school worries about the current Windows 2000 single domain structure being inadequate to handle the large number of new students coming in next year. Which of the following are valid actions to take?
A. Compress the directory
B. Compress the directory objects
C. Modify the schema
D. Design three new domains to hold the new user objects
*E. Do nothing
Explanation: The scalability of a Windows 2000 domain is far beyond that of NT 4.0. You do not have to worry about the problem at all.
BFQ Skill: Analyzing Existing and Planned Business Models and Organizational Structures

18. Which of the following allows off-campus distance-learning students to connect to the school's library network?
*A. Dial Up connections
*B. RRAS
C. T1
D. E1
E. Calling card
Explanation: You may allow remote students to dial in to the RRAS server and establish connections.
BFQ Skill: Analyzing Existing and Planned Business Models and Organizational Structures


19. Which of the following is a secure way to connect all the branch offices without the need to set up point-to-point connections for each office?
A. VPN
B. Intranet
C. Extranet
D. Site link
E. Fastweb

19. Which of the following is a secure way to connect all the branch offices without the need to set up point-to-point connections for each office?
*A. VPN
B. Intranet
C. Extranet
D. Site link
E. Fastweb
Explanation: With a VPN the offices can communicate using the Internet as the medium. A VPN tunnel is very secure.
BFQ Skill: Analyzing Existing and Planned Business Models and Organizational Structures


Supreme Manufacturing, Inc 29

Case Study 02: Supreme Manufacturing, Inc.
You are an external Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by the Supreme Manufacturing Company to design the Security and the Directory for the entire company.

Company Background
Supreme Manufacturing Company was established in the early 80s, with its roots in Korea as a manufacturer of photo albums. Due to the strong predicted growth of its business in the coming years, it plans to develop at least 10 new types of albums in the foreseeable future.

Locations and Staffing
Supreme has three locations, one being the head office and the others being the factories. The president is located in the head office, while the divisional heads are completely mobile – they have to travel around the factories.

Head office: Dokok-Dong, Gangnam-Gu, Seoul, Korea. Number of Staff: 10
Korea Branch - Factory: Goori City, Kyunggi-Do, Korea. Number of Staff: 600
China Branch - Factory: Yangzhong, Jiangsu, China. Number of Staff: 300
US Branch – Sales Office: Recently opened in San Francisco, California. Number of Staff: 30

30 Case Study 02: 70-220

Divisions
Currently the production of each product category is under the supervision of its own divisional head. The logic behind this arrangement is that the production of each type of album requires totally different expertise. The president directly oversees the operations of the different divisions. Since the president himself owns the company, there is no board of directors. However, there is a position called Managing Director which is at the top of the hierarchy; this is required by law in Korea. The president's wife took the position.

Figure 2-1: Division Structure


Product offerings
Supreme's main products are photo albums. Product offerings include:

Covered ring type albums:
• Self-adhesive sheet albums
• P.V.C. slip in sheet albums
• Memo type paper sheet albums

Flip up type albums:
• Single size cover albums
• Double size cover albums
• Library style albums

Slip in albums:
• Soft transparent P.V.C. cover albums
• Vinyl padded cover albums
• Minimax type albums

Post bound type albums:
• Self-adhesive sheet albums
• Slip in P.V.C. sheet albums

Binder type albums:
• Self-adhesive sheet albums
• Slip in P.V.C. sheet albums

Memo slip in albums:
• Glue binding type albums
• Needlework binding albums

Book bound type albums:
• Wood free paper sheet classic type albums
• Self-adhesive sheet albums

Wedding albums:
• Hinge style joint albums
• Bolt screw type albums (Post bound type)


Supreme manufactures not only the finished goods, but also the separate parts of the photo albums, such as:
1. Covers
2. Sheets
3. Labels

Apart from manufacturing products under their own brand, they also accept special orders on an O.E.M. basis.

IT Structure
Currently only the head office has a LAN running NT 4.0. The domain model is a simple single domain model. They do not yet have a dedicated connection to the factories. The factories are using Win95 as dial-up clients to connect to the head office server running RAS. In the coming months a 256K dedicated connection will be installed. Currently, within all locations there are already 100MBPS LANs running smoothly. The president recognizes the importance of IT, and is planning to spend 30% of last year's revenue on the complete re-design of the IT infrastructure. Because of the growing importance of IT, the head office will house a new IT department. This department is further broken down into 4 smaller departments:

Figure 7-2: Departments

Management would like to push for the deployment of a web-based solution that allows the entire company as well as its partners to enter and retrieve information to and from a database on the Internet after the new Windows 2000 infrastructure is in place. Information stored in this database will include customer information, supplier contracts and next year's projection. The server will be used to host both this application and the company's web site.


1. How do you implement security for the connections between the different offices and branches?
A. Encryption on one end
B. Encryption on the client
C. Encryption on the server
D. Encryption on both ends

2. Which of the following may increase the company's risk profile?
A. Political climate in different parts of Asia
B. Server capacity
C. Windows 2000 stability
D. WAN link reliability

1. How do you implement security for the connections between the different offices and branches?
A. Encryption on one end
B. Encryption on the client
C. Encryption on the server
*D. Encryption on both ends
Explanation: Note that encryption will degrade performance.
BFQ Skill: Analyzing Existing and Planned Business Models and Organizational Structures

2. Which of the following may increase the company's risk profile?
*A. Political climate in different parts of Asia
B. Server capacity
C. Windows 2000 stability
D. WAN link reliability
Explanation: The political climate will certainly affect business in any country.
BFQ Skill: Analyzing Factors that Influence Company Strategies


3. For remote access, which of the following may enhance security?
A. Verify caller-ID
B. Always Callback to
C. Deny all access
D. Filter based on IP

4. Some of the office clerks do not have the hardware capacity to directly install and run a particular application. Which of the following will you choose to allow those clients access to the application securely?
A. Use Terminal service
B. Use RRAS
C. Use VPN
D. Use DCOM

3. For remote access, which of the following may enhance security?
*A. Verify caller-ID
*B. Always Callback to
C. Deny all access
D. Filter based on IP
Explanation: With these actions you can identify the remote access clients.
BFQ Skill: Analyzing Factors that Influence Company Strategies

4. Some of the office clerks do not have the hardware capacity to directly install and run a particular application. Which of the following will you choose to allow those clients access to the application securely?
*A. Use Terminal service
B. Use RRAS
C. Use VPN
D. Use DCOM
Explanation: Terminal Services clients can run applications as long as they have connectivity and a browser. Also, Terminal Services offers secure options for the connection.
BFQ Skill: Analyzing Factors that Influence Company Strategies


5. Which of the following may become the greatest security risk for the company?
A. Unauthorized use of network file resources
B. Unauthorized use of network printing resources
C. Unauthorized use of RAS
D. Database intrusion

6. Which of the following may be used to strengthen Windows 2000's authentication mechanism?
A. Use certificates
B. Use PGP
C. Use secure tunnel
D. Use ICP

5. Which of the following may become the greatest security risk for the company?
A. Unauthorized use of network file resources
B. Unauthorized use of network printing resources
C. Unauthorized use of RAS
*D. Database intrusion
Explanation: Since the database will be accessed for entering and retrieving important company information, if it is corrupted the company will be in big trouble.
BFQ Skill: Analyzing Factors that Influence Company Strategies

6. Which of the following may be used to strengthen Windows 2000's authentication mechanism?
*A. Use certificates
B. Use PGP
C. Use secure tunnel
D. Use ICP
Explanation: Certificates can provide users with a more secure level of authentication than the default Kerberos.
BFQ Skill: Analyzing Factors that Influence Company Strategies


7. Which of the following are valid security settings to secure remote connections for the company?
A. L2TP
B. IPSec
C. PGP
D. IDP
E. EAP

8. Which of the following is a valid strategy against possible database corruption?
A. Daily backup
B. Enhanced security
C. Privatized the network
D. Block all HTTP traffics

7. Which of the following are valid security settings to secure remote connections for the company?
*A. L2TP
*B. IPSec
C. PGP
D. IDP
E. EAP
Explanation: You should use L2TP and IPSec when establishing VPN connections for the offices.
BFQ Skill: Analyzing Factors that Influence Company Strategies

8. Which of the following is a valid strategy against possible database corruption?
*A. Daily backup
*B. Enhanced security
C. Privatized the network
D. Block all HTTP traffics
Explanation: Daily backup is an important strategy for fallback preparation. It is important to enhance security, but still, there is no 100% guarantee of network safety.
BFQ Skill: Analyzing Factors that Influence Company Strategies


9. How do you classify your relationship with Supreme?
A. Supreme out sources the job to you
B. Supreme is your employer
C. Supreme is your competitor
D. None of the choices

10. Part of Supreme's restructuring project is lagging behind schedule. Although this is not your area of responsibility, you would like to give the management some useful suggestions. Which of the following will you recommend?
A. Outsourcing
B. Fire the project team members
C. Issue penalty
D. Cancel the project
E. Restructure the project

9. How do you classify your relationship with Supreme?
*A. Supreme out sources the job to you
B. Supreme is your employer
C. Supreme is your competitor
D. None of the choices
Explanation: Kerberos is the Windows 2000 default. L2TP and IPSec are the preferred choice for VPN connections.
BFQ Skill: Analyzing the Structure of IT Management

10. Part of Supreme's restructuring project is lagging behind schedule. Although this is not your area of responsibility, you would like to give the management some useful suggestions. Which of the following will you recommend?
*A. Outsourcing
B. Fire the project team members
C. Issue penalty
D. Cancel the project
E. Restructure the project
Explanation: Outsourcing is the best way to quickly put things back on track.
BFQ Skill: Analyzing the Structure of IT Management


11. Why would you conduct a TCO analysis for the Windows 2000 deployment plan?
A. To figure out the initial outlay of deployment and implementation
B. To figure out the ROI of deployment and implementation
C. To figure out the sunk cost of deployment and implementation
D. To figure out the hidden cost of deployment and implementation

12. Which of the following groups of users will most likely breach the network security?
A. Internal users
B. External partners
C. Business intelligence agent
D. Competitors

11. Why would you conduct a TCO analysis for the Windows 2000 deployment plan?
A. To figure out the initial outlay of deployment and implementation
B. To figure out the ROI of deployment and implementation
C. To figure out the sunk cost of deployment and implementation
*D. To figure out the hidden cost of deployment and implementation
Explanation: Training, installation, support, maintenance... are all factors to consider for TCO.
BFQ Skill: Analyzing the Structure of IT Management

12. Which of the following groups of users will most likely breach the network security?
*A. Internal users
B. External partners
C. Business intelligence agent
D. Competitors
Explanation: Internal users already have access to the network. They are insiders on the network.
BFQ Skill: Analyzing the Structure of IT Management


13. You need to upgrade some of Supreme's connectivity medium. Which of the following are valid business factors to consider?
A. Cost of equipments
B. Usage cost
C. Brand name
D. Supplier reputation
E. Cable pin layouts

14. Which of the following groups is concerned with high level issues surrounding the business environment of Supreme?
A. Users
B. Executive
C. Admin
D. Partners

13. You need to upgrade some of Supreme's connectivity medium. Which of the following are valid business factors to consider?
*A. Cost of equipments
*B. Usage cost
C. Brand name
D. Supplier reputation
E. Cable pin layouts
Explanation: What we are talking about here are the "Business Factors". Cost, obviously, is an important business factor to consider.
BFQ Skill: Analyzing the Structure of IT Management

14. Which of the following groups is concerned with high level issues surrounding the business environment of Supreme?
A. Users
*B. Executive
C. Admin
D. Partners
Explanation: The Executive group is concerned with issues like the operating environment, market conditions, regulations, etc.
BFQ Skill: Analyzing Business and Security Requirements for the End User


15. How do you ensure that legitimate users are not using their logon rights at times when they are not supposed to log on?
A. Filter their traffic
B. Lockout their accounts
C. Modify their passwords
D. Restrict their domain logon hours

16. The web site that hosts the new web application is responding slowly. Which of the following is a possible security risk?
A. Attack on the web site
B. Unauthorized log on attempts
C. Files copying
D. Web server breakdown

15. How do you ensure that legitimate users are not using their logon rights at times when they are not supposed to log on?
A. Filter their traffic
B. Lockout their accounts
C. Modify their passwords
*D. Restrict their domain logon hours
Explanation: You may limit their logon hours to prevent possible non-legitimate attempts.
BFQ Skill: Analyzing Business and Security Requirements for the End User

16. The web site that hosts the new web application is responding slowly. Which of the following is a possible security risk?
*A. Attack on the web site
B. Unauthorized log on attempts
C. Files copying
D. Web server breakdown
Explanation: If the web site suddenly slows down, a denial of service attack may be in progress.
BFQ Skill: Analyzing Business and Security Requirements for the End User


17. Some of the clerks' computers have displayed strange and garbled messages on the screen while accessing some network resources. Which of the following will you perform first?
A. Run Tracert on their computers
B. Run virus scan against their computers
C. Install firewall on their computers
D. Reboot their computers

18. The new web application consumes much of the web server's resources. Response to regular web site requests is very slow. How would you solve the end user issue in this case?
A. Dedicate a server for the web application
B. Dedicate a server for the company web site
C. None of the choices
D. All of the choices

17. Some of the clerks' computers have displayed strange and garbled messages on the screen while accessing some network resources. Which of the following will you perform first?
A. Run Tracert on their computers
*B. Run virus scan against their computers
C. Install firewall on their computers
D. Reboot their computers
Explanation: Strange and garbled messages on the screen may be caused by a virus infection.
BFQ Skill: Analyzing Business and Security Requirements for the End User

18. The new web application consumes much of the web server's resources. Response to regular web site requests is very slow. How would you solve the end user issue in this case?
A. Dedicate a server for the web application
B. Dedicate a server for the company web site
C. None of the choices
*D. All of the choices
Explanation: Since the two services basically serve different groups of users, separate servers should be deployed to maximize performance.
BFQ Skill: Analyzing Business and Security Requirements for the End User


19. You are considering the use of Terminal Service for Supreme. Which of the following can be used to manage its application connections?
A. Group policies
B. Remote access policies
C. NTFS
D. EFS
E. DFS

19. You are considering the use of Terminal Service for Supreme. Which of the following can be used to manage its application connections?
*A. Group policies
*B. Remote access policies
C. NTFS
D. EFS
E. DFS
Explanation: Both of them can be deployed to manage connections to Terminal Services.
BFQ Skill: Analyzing Business and Security Requirements for the End User


Excel Forwarder Corp 55

Case Study 03: Excel Forwarder Corp You are a Network Consultant with specialized skills in designing Windows 2000 directory services. You have recently been asked by Excel Forwarder Corp to design the security and the directory for the entire company.

Background Excel Forwarder Corp, an international freight forwarder and customs broker, has been providing logistics and transportation services since 1929. In addition to freight forwarding and customs brokerage, Excel provides logistics and distribution services, purchase order management and ancillary freight services. With over 65 years in the business, Excel offers fully computerized documentation and tracking in all areas of its operations. Some of the services offered by Excel are:

• Customs Broker
• Freight Forwarding
• NVOCC
• Logistics Management
• Distribution
• Consulting
• Insurance
• Air Freight
• Purchase Order Expediting
• EDI Services

Divisions The company divides its operations into two main categories: Air and Ocean. The management structure is as follows:

Air – One director, reporting directly to the CEO. Under the director is a group of managers responsible for running the different service departments.

Ocean – One director, reporting directly to the CEO. Under the director is a group of managers responsible for running the different service departments.

The CEO admits that there is overlap of activities and resources between Air and Ocean. However, he does not plan to modify this structure for the time being.

56 Case Study 03: 70-220

Locations There is one headquarters for all of its operations, located in New York. Besides this, there are 3 local offices in different regions of the States.

Excel has the following locations:

• NY - Headquarters
• Miami - Ocean & Air
• Los Angeles - Air & Ocean
• Chicago - Air & Ocean

Since the headquarters does not have enough space, Excel recently rented a small office one street block away from the headquarters. The two are connected with ISDN BRI.

IT Structure The headquarters is running an NT4 network. The PDC of the single account domain is located in the headquarters. There are 5 BDCs for the account domain, and the BDCs are installed in the local offices. In addition, there are resource domains defined. All servers run dual 300 MHz processors and 256 MB RAM. Excel uses state-of-the-art software to ensure that all documentation is prepared quickly and correctly. The software runs on NT Workstation with TCP/IP configured. The Excel Trade BBS allows customers to receive email responses to their leads. This BBS runs on a standalone Linux server. There are also Unix and BeOS servers running on the network for various purposes. Excel is also in the process of finalizing the installation of new software that will enable its clients to track their shipments on the Internet.


Future Prospect Excel has recently become the partner of XSite, a web site that provides a central search engine for local, state and federal government agencies. The new site is useful in the sense that it eliminates the need to track down the various agencies to locate available services. This partnership is expected to draw substantial new business to Excel. The CEO of Excel is looking into enhancing the existing IT structure in order to cope with the growing demand for its services. The latest forecast from Excel is that in 5 years' time the number of employees will have doubled.

1. You need to implement security measures for the servers. Which of the following will you do? A. Put the servers in a locked room B. Set NTFS permissions C. Run EFS D. Deploy DFS

2. Which of the following are valid physical security measures for the company's servers? A. Place the servers in a locked room B. Implement keycard access for the server room C. Do not allow typical employees to enter the server room D. None of the choices

1. You need to implement security measures for the servers. Which of the following will you do? *A. Put the servers in a locked room B. Set NTFS permissions C. Run EFS D. Deploy DFS Explanation: This question is about server security in the physical sense. Of the four choices only the locked room protects the servers themselves; NTFS permissions, EFS and DFS protect or organize data but do not stop someone from walking off with the hardware or booting it from removable media. BFQ Skill: Analyzing Current Physical and Information Security Model

2. Which of the following are valid physical security measures for the company's servers? *A. Place the servers in a locked room *B. Implement keycard access for the server room *C. Do not allow typical employees to enter the server room D. None of the choices Explanation: Physical security for the servers is important, not only for the security of the data but also for the safety of the equipment. BFQ Skill: Analyzing Current Physical and Information Security Model


3. Which of the following are recommended to make sure that data can be recovered in case the office building is on fire? A. Use RAID B. Use Cluster Server C. Backup on a daily basis D. Take the backup media off site daily

4. You just set up Windows 2000 network for the company. Which of the following should be modified to enhance security? A. Rename the administrator account B. Disable the administrator account C. Stop the administrator account D. Delete the administrator account

3. Which of the following are recommended to make sure that data can be recovered in case the office building is on fire? A. Use RAID B. Use Cluster Server *C. Backup on a daily basis *D. Take the backup media off site daily Explanation: RAID and clustering only survive failures within the same computer or the same building. You need a copy that survives the loss of the building, so back up daily and take the tapes off site. BFQ Skill: Analyzing Current Physical and Information Security Model

4. You just set up a Windows 2000 network for the company. Which of the following should be modified to enhance security? *A. Rename the administrator account B. Disable the administrator account C. Stop the administrator account D. Delete the administrator account Explanation: By renaming the account, an attacker has to guess the logon name as well as the password. In Windows 2000 the built-in Administrator account cannot be deleted or disabled, and renaming is only a speed bump: the account keeps its well-known relative identifier (RID 500) and can still be enumerated, so pair the rename with a strong password and logon auditing. BFQ Skill: Analyzing Current Physical and Information Security Model


5. You want to be sure that only legitimate users can log onto the desktop computers. The company is willing to pay cash for enhancing the security. Which of the following will you recommend? A. SmartCard B. Complex password C. Complex user name D. Complex account

6. You want to deploy SmartCard for all users on the network. You want to make sure that when the card is removed the machine will be locked. How do you do this? A. Use Group Policies B. Use System Policies C. Use ACL D. Use DCL

5. You want to be sure that only legitimate users can log onto the desktop computers. The company is willing to pay cash for enhancing the security. Which of the following will you recommend? *A. SmartCard B. Complex password C. Complex user name D. Complex account Explanation: With smart cards a user needs both a valid card and its PIN (two factors). A complex password alone is still a single factor that can be guessed or shared, and a complex user name adds nothing once the name is seen. BFQ Skill: Analyzing Current Physical and Information Security Model

6. You want to deploy SmartCard for all users on the network. You want to make sure that when the card is removed the machine will be locked. How do you do this? *A. Use Group Policies B. Use System Policies C. Use ACL D. Use DCL Explanation: The Group Policy security option "Smart card removal behavior" (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options) can be set to Lock Workstation or Force Logoff. System policies are the NT4 mechanism, and ACLs control access to objects, not logon behavior. BFQ Skill: Analyzing Current Physical and Information Security Model


7. Which of the following security can the "automatically log off users" option address for Excel? A. Physical security B. Logical security C. Internal security D. External security

8. How do you prevent your Excel staff from finding out the name of the last user who logged on? A. Use "Display last user name in logon screen" B. Use "Hide last user name in logon screen" C. Use "Do not display last user name in logon screen" D. Use "Mask last user name in logon screen"

7. Which of the following security can the "automatically log off users" option address for Excel? A. Physical security *B. Logical security C. Internal security D. External security Explanation: The option "Automatically log off users when logon time expires" forcibly disconnects a user's server sessions once the account's permitted logon hours have passed. It enforces an access control rule, so it is a logical rather than a physical measure. BFQ Skill: Analyzing Current Physical and Information Security Model

8. How do you prevent your Excel staff from finding out the name of the last user who logged on? A. Use "Display last user name in logon screen" B. Use "Hide last user name in logon screen" *C. Use "Do not display last user name in logon screen" D. Use "Mask last user name in logon screen" Explanation: This is the exact name of the Security Option as it appears in the Domain Security Policy (and Local Security Policy) snap-in under Local Policies, Security Options. It denies a casual attacker half of a valid credential. BFQ Skill: Analyzing Current Physical and Information Security Model


9. Which of the following are the elements of a strong password policy that can be implemented in Excel? A. Set password history to remember last 8 passwords B. Passwords must include a mixture of letters, numbers and special characters C. Password must be 8 characters long at least D. None of the choices

10. Which of the following is a valid way to manage trusted partner access to Excel's web site? A. Use certificates B. Use ACL C. Use DACL D. Use EFS E. Use Group Policy

9. Which of the following are the elements of a strong password policy that can be implemented in Excel? *A. Set password history to remember last 8 passwords *B. Passwords must include a mixture of letters, numbers and special characters *C. Password must be 8 characters long at least D. None of the choices Explanation: Note that a six-character password is not considered long. The Windows 2000 "Passwords must meet complexity requirements" setting on its own only enforces six characters and three of the four character classes, so the minimum length and the history count must be set separately in the Password Policy. BFQ Skill: Analyzing Current Physical and Information Security Model

10. Which of the following is a valid way to manage trusted partner access to Excel's web site? *A. Use certificates B. Use ACL C. Use DACL D. Use EFS E. Use Group Policy Explanation: Certificates are a good way to authenticate between partner companies: IIS can map each partner's client certificate to a Windows account. ACLs and DACLs then authorize what that account may reach, but they cannot identify the partner in the first place. BFQ Skill: Analyzing Current Physical and Information Security Model
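Question 9 lists the elements of a strong password policy. The following added example, which is not part of the original book, shows how those elements fit together as a check: the eight-character minimum and eight-password history come from the question, and the complexity test mirrors the Windows 2000 "Passwords must meet complexity requirements" rule (no fragment of the account or full name, three of four character classes). The account name, full name and password history are constructed for the example.

```python
"""Password-policy check modelled on Windows 2000 Account Policies.
Added example, not code from the book: thresholds come from the question
and the complexity rule follows the Windows 2000 complexity filter."""
import hashlib
import re

# Policy settings from question 9; complexity mirrors the Windows 2000
# "Passwords must meet complexity requirements" setting.
POLICY = {"min_length": 8, "history": 8, "complexity": True}


def _name_fragments(full_name):
    # The Windows filter splits the full name on these delimiters and rejects
    # any fragment of three or more characters that appears in the password.
    return [t for t in re.split(r"[,.\-_ #\t]", full_name) if len(t) >= 3]


def meets_complexity(password, account_name, full_name=""):
    """Windows 2000 complexity rule: no account-name fragment, at least six
    characters, and characters from three of the four character classes."""
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    if any(frag.lower() in lowered for frag in _name_fragments(full_name)):
        return False
    if len(password) < 6:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def fingerprint(password):
    """Digest kept in the history list. Windows keeps the NT hash; this
    stand-in keeps the example free of plaintext password history."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, account_name, history, full_name="", policy=POLICY):
    """Return the list of violated rules; an empty list means accepted.
    `history` holds fingerprints of earlier passwords, oldest first."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["complexity"] and not meets_complexity(password, account_name, full_name):
        problems.append("fails complexity (3 of 4 character classes, no account-name fragment)")
    # Only the most recent `history` entries count, as with the Windows setting.
    if fingerprint(password) in history[-policy["history"]:]:
        problems.append(f"reused within the last {policy['history']} passwords")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's eight most recent passwords.
    past = [fingerprint(f"Winter{year}!") for year in range(1995, 2003)]
    for candidate in ("Summer2003!", "abc123", "jsmith#2003", "Winter2002!"):
        result = check_password(candidate, "jsmith", past, "John Smith")
        print(candidate, "->", result or "accepted")
```

Note that the history test compares digests, not plaintext, which is also how Windows implements "Enforce password history"; the six-character floor inside the complexity rule is why the question separately insists on eight.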


11. How would you provide greater security for emails in Excel? A. Deploy X400 certificate B. Deploy X509 certificate C. Deploy PKI D. Deploy 3Des

12. You want to track random password hacks in Excel's network. Which of the following action should you take? A. Use NTFS logging B. Use EFS logging C. Use server service logging D. Use Group Policy to perform audits

11. How would you provide greater security for emails in Excel? A. Deploy X400 certificate *B. Deploy X509 certificate *C. Deploy PKI D. Deploy 3Des Explanation: X.509 certificates issued by a PKI are what S/MIME uses: users can sign their messages digitally and encrypt them to the recipient's certificate. X.400 is a messaging standard, not a certificate format, and 3DES is a symmetric cipher that still needs a key distribution mechanism such as the PKI. BFQ Skill: Analyzing Current Physical and Information Security Model

12. You want to track random password hacks in Excel's network. Which of the following action should you take? A. Use NTFS logging B. Use EFS logging C. Use server service logging *D. Use Group Policy to perform audits Explanation: Enable failure auditing of logon events in the Audit Policy (Group Policy, Security Settings, Local Policies, Audit Policy). Repeated guesses against an account then show up as logon failure events (event ID 529 in the Windows 2000 Security log). BFQ Skill: Analyzing Current Physical and Information Security Model


13. You want to track improper access to Excel's network files. Which of the following event type should you audit? A. Directory Permission Access B. Service Access C. File and Object Access D. Random Object Access

14. How do you determine virus outbreak in Excel's network? A. Audit the failure of write access to data files B. Audit the success and failure of write access to data files C. Audit the success and failure of write access to program files D. Audit the success of write access to program files

13. You want to track improper access to Excel's network files. Which of the following event type should you audit? A. Directory Permission Access B. Service Access *C. File and Object Access D. Random Object Access Explanation: Audit "File and Object Access" to find out what happened to those files. That is the NT4 name; in Windows 2000 the corresponding audit policy is "Audit object access", and you must also set a SACL on the files in question before anything is logged. BFQ Skill: Analyzing Current Physical and Information Security Model

14. How do you determine virus outbreak in Excel's network? A. Audit the failure of write access to data files B. Audit the success and failure of write access to data files *C. Audit the success and failure of write access to program files D. Audit the success of write access to program files Explanation: Viruses spread by writing themselves into program files, which legitimate users rarely do, so write audits (success and failure) on program directories give a clear signal. Writes to data files are normal traffic and would bury it. BFQ Skill: Analyzing Current Physical and Information Security Model


15. Which of the following can be used to help detecting stolen password? A. Failure audit of logon and logoff B. Failure audit of logon C. Success audit of logon and logoff D. Success audit of logoff

15. Which of the following can be used to help detecting stolen password? A. Failure audit of logon and logoff B. Failure audit of logon *C. Success audit of logon and logoff D. Success audit of logoff Explanation: Failure audits catch guessing, the "random hack" of question 12. A stolen password is used successfully, so only success audits of logon and logoff reveal it, typically as logons at odd hours or from workstations the user does not normally use. BFQ Skill: Analyzing Current Physical and Information Security Model


Joe’s Canoe Company 75

Case Study 04: Joe's Canoe Company

You are a Network Consultant with specialized skills in designing Windows 2000 directory services. You have recently been asked by Joe's Canoe Company to design the security and the directory for the entire company.

Background Joe's Canoe Company produces canoes of different kinds. Most of its customers are in the Vancouver area. Since 1950 Joe has been designing and manufacturing Cedar Canvas Canoes. Through the years, as materials advanced, Joe began building Fiberglass, Kevlar and high-tech Carbon Fiber Canoes. Joe's master builders have 5 decades of canoe design and building experience, in all types, from the classic Cedarstrip to the family cottage canoe and the most advanced Carbon Fiber high-performance canoes. According to the CEO, the staff in the company are on average aged 50 and above, and they are somewhat resistant to new technologies. Currently they are running on a Windows NT network. Per your interview with the marketing manager, there is an increase in the demand for canoes in California. The company has been approached by a local canoe manufacturer from San Jose about a possible merger between the two companies. Your understanding is that, in the next one or two years, the two companies will still market their canoes separately under different brand names; however, management will definitely want to see some sort of synergy between them. Last month a new representative office was opened in Kansas City, as the company can receive a tax deduction from the city government.

Structure So far there is only one office location for Joe's Canoe. There are 3 different departments: Marketing, Accounting, and Production. Each department has its own management team. The team leaders report to the CEO directly. Currently there are about 500 staff. Of these, 60% will need to use computers in their daily operations.

76 Case Study 04: 70-220

Dealer Locations The CEO's successor, James, has his roots as an IT consultant. He knows the importance of IT deployment. He would like all dealers to place orders online to save processing costs. He recently built a VPN between the company and all its dealers. As of today, there are 6 dealers selling canoes for the company:

1. Algonquin Bound - Madawaska
2. Frontenac Outfitters - Sydenham
3. Gordon Bay Marine - Mactier
4. Muskoka Store - Gravenhurst
5. Adventure Guide - Kitchener-Waterloo
6. Boundary Bay Watersports - Whiterock, BC

James is an MCP on NT 4.0. He likes to use Microsoft products. He wants you to implement a network design using Windows 2000 and Active Directory.

There is an NT4 network implemented for the company. It consists of two domains containing accounts and resources. In addition, there are some other resource-only domains that trust these two domains. There are Unix, Linux and BeOS servers performing different functions on the network.

James is not happy with the fact that trust relationships are so complicated to set up. He also dislikes the fact that scalability is limited with the SAM.

In addition, James plans to install 10 Remote Access Servers to allow the dealers' sales staff to dial in.


1. Which of the following can be used to help detecting password attack? A. Failure audit of logon and logoff B. Failure audit of logon C. Success audit of logon and logoff D. Success audit of logoff

2. When evaluating Joe's Canoe's technical environment, which of the following will you consider? A. Roles of administrators B. Responsibilities of administrators C. Roles of users D. Responsibilities of users

1. Which of the following can be used to help detecting password attack? *A. Failure audit of logon and logoff B. Failure audit of logon C. Success audit of logon and logoff D. Success audit of logoff Explanation: Failure audits reveal repeated guessing; success audits are for detecting a stolen password that is being used successfully. BFQ Skill: Analyzing Current Physical and Information Security Model
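The audit questions in the Excel case (12 to 15) and question 1 here all turn on one distinction: failure audits expose guessing, success audits expose a legitimate password in the wrong hands. The following added example, which is not part of the original book, runs that distinction over a constructed set of Windows 2000 Security-log logon events (event ID 528 is a successful logon, 529 a logon failure for an unknown user name or bad password). The accounts, workstations, thresholds and the baseline of known workstations are assumptions made for the example.

```python
"""Triage of Windows 2000 Security-log logon events (added example, not
code from the book). Failure audits answer "is someone guessing?", success
audits answer "is a valid password being used from the wrong place?"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 event IDs in the "Audit logon events" category.
EVENT_LOGON_SUCCESS = 528  # successful logon
EVENT_LOGON_FAILURE = 529  # unknown user name or bad password

# Constructed sample events: (timestamp, event id, account, workstation).
SAMPLE_EVENTS = [
    ("2003-03-10 09:00:10", 529, "carol", "WS-MIA-01"),  # two typos, then in
    ("2003-03-10 09:00:25", 529, "carol", "WS-MIA-01"),
    ("2003-03-10 09:00:40", 528, "carol", "WS-MIA-01"),
    ("2003-03-10 09:05:00", 528, "alice", "WS-NY-12"),   # normal logon
    ("2003-03-10 02:14:01", 529, "bob", "WS-CHI-03"),    # guessing burst
    ("2003-03-10 02:14:30", 529, "bob", "WS-CHI-03"),
    ("2003-03-10 02:15:02", 529, "bob", "WS-CHI-03"),
    ("2003-03-10 02:15:41", 529, "bob", "WS-CHI-03"),
    ("2003-03-10 02:16:09", 529, "bob", "WS-CHI-03"),
    ("2003-03-10 02:16:55", 529, "bob", "WS-CHI-03"),
    ("2003-03-10 02:17:30", 528, "bob", "WS-CHI-03"),    # ...and a hit
    ("2003-03-10 23:40:00", 528, "alice", "WS-LA-02"),   # odd hour, odd host
]

# Constructed baseline: workstations each account normally logs on from.
KNOWN_WORKSTATIONS = {"alice": {"WS-NY-12"}, "bob": {"WS-NY-04"}, "carol": {"WS-MIA-01"}}


def parse(events):
    """Return events as (datetime, id, account, workstation), oldest first."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, ws)
              for ts, eid, acct, ws in events]
    return sorted(parsed, key=lambda e: e[0])


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Failure audits: accounts with at least `threshold` 529 events inside
    any `window`. Returns {account: peak failures seen in one window}."""
    failures = defaultdict(list)
    for ts, eid, acct, _ws in parse(events):
        if eid == EVENT_LOGON_FAILURE:
            failures[acct].append(ts)
    flagged = {}
    for acct, times in failures.items():
        start, peak = 0, 0
        for end, ts in enumerate(times):          # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[acct] = peak
    return flagged


def detect_stolen_password(events, known, business_hours=(8, 19),
                           guess_window=timedelta(minutes=5), min_failures=3):
    """Success audits: 528 events that look like a correct password in the
    wrong hands. Flags an unfamiliar workstation, a logon outside business
    hours, or a success shortly after a streak of failures for the same
    account. Returns [(timestamp, account, workstation, [reasons])]."""
    parsed = parse(events)
    suspicious = []
    for i, (ts, eid, acct, ws) in enumerate(parsed):
        if eid != EVENT_LOGON_SUCCESS:
            continue
        reasons = []
        if ws not in known.get(acct, set()):
            reasons.append("unfamiliar workstation")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append("outside business hours")
        recent_failures = sum(
            1 for pts, peid, pacct, _ in parsed[:i]
            if pacct == acct and peid == EVENT_LOGON_FAILURE and ts - pts <= guess_window)
        if recent_failures >= min_failures:
            reasons.append(f"success after {recent_failures} failures")
        if reasons:
            suspicious.append((ts.strftime("%Y-%m-%d %H:%M:%S"), acct, ws, reasons))
    return suspicious


if __name__ == "__main__":
    print("guessing:", detect_password_guessing(SAMPLE_EVENTS))
    for row in detect_stolen_password(SAMPLE_EVENTS, KNOWN_WORKSTATIONS):
        print("suspicious success:", row)
```

On the constructed data the failure view flags only bob (six guesses in three minutes; carol's two typos stay below the threshold), while the success view flags bob's eventual logon and alice's late-night logon from a workstation she has never used. Neither signal is visible without the corresponding audit category being enabled, which is the point of the two questions.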

2. When evaluating Joe's Canoe's technical environment, which of the following will you consider? *A. Roles of administrators *B. Responsibilities of administrators *C. Roles of users *D. Responsibilities of users Explanation: You must also assess the labor cost involved when evaluating the technical environment. BFQ Skill: Evaluating Company's Existing and Planned Technical Environment


3. How would you classify Joe's Canoe's network environment? A. Heterogeneous B. Homogeneous C. Internal D. External

4. To implement scalability for the existing Windows 2000 servers, which of the following will you try? A. Deploy RAID B. Add a second CPU onto the system C. Add memory D. Run Cluster

3. How would you classify Joe's Canoe's network environment? *A. Heterogeneous B. Homogeneous C. Internal D. External Explanation: Since there are many different types of network and desktop operating systems on the network (NT, Unix, Linux, BeOS), it is a heterogeneous environment. BFQ Skill: Evaluating Company's Existing and Planned Technical Environment

4. To implement scalability for the existing Windows 2000 servers, which of the following will you try? A. Deploy RAID B. Add a second CPU onto the system C. Add memory *D. Run Cluster Explanation: Clustering provides 24x7 availability as well as added capacity, depending on the configuration; a second CPU or more memory only scales a single box up to its limits. BFQ Skill: Evaluating Company's Existing and Planned Technical Environment


5. Which of the following are considered as cost effective high bandwidth connectivity options for a new 10 people branch office in Phoenix which is to be opened in 6 months? A. 512K B. DSL C. T1 D. T3

6. How do you secure the RAS communications between the dealer sales and the company? A. Deploy IAS B. Deploy RRAS C. Deploy DMZ D. Deploy EFS E. Deploy Firewall

5. Which of the following are considered as cost effective high bandwidth connectivity options for a new 10 people branch office in Phoenix which is to be opened in 6 months? A. 512K *B. DSL C. T1 D. T3 Explanation: DSL offers full-time high-speed connectivity at a very low cost, which is ideal for a small office of 10. BFQ Skill: Evaluating Company's Existing and Planned Technical Environment

6. How do you secure the RAS communications between the dealer sales and the company? *A. Deploy IAS B. Deploy RRAS C. Deploy DMZ D. Deploy EFS E. Deploy Firewall Explanation: With 10 remote access servers, use IAS (Microsoft's RADIUS server) to centralize authentication, authorization and accounting, so that every RAS server enforces the same remote access policy instead of ten separately maintained ones. BFQ Skill: Evaluating Company's Existing and Planned Technical Environment


7. The company is planning for an expansion into Japan. What technical limitation will you foresee? A. Can only use 128 bit encryption B. Cannot use 128 bit encryption C. Cannot use 48 bit encryption D. Cannot use SSL E. Cannot use DMZ

8. Part of the company's web site will deploy SSL. Which of the following will you use for secure authentication? A. HTTPS B. MSCHAP C. PAP D. PPTP

7. The company is planning for an expansion into Japan. What technical limitation will you foresee? A. Can only use 128 bit encryption *B. Cannot use 128 bit encryption C. Cannot use 48 bit encryption D. Cannot use SSL E. Cannot use DMZ Explanation: The keyed answer reflects the US export controls the exam objectives were written against, under which 128-bit encryption could be shipped only to the US and Canada. Those controls were relaxed in January 2000, and the Windows 2000 High Encryption Pack (and Service Pack 2 and later) made 128-bit encryption available worldwide except to embargoed countries, so verify the current regulations for Japan rather than assuming the limitation still holds. BFQ Skill: Evaluating Company's Existing and Planned Technical Environment

8. Part of the company's web site will deploy SSL. Which of the following will you use for secure authentication? A. HTTPS *B. MSCHAP C. PAP D. PPTP Explanation: The keyed answer is MS-CHAP. Bear in mind that MS-CHAP, EAP and PAP are PPP authentication methods used by RRAS dial-up and VPN connections, not by IIS: MS-CHAP is reasonably strong, EAP is what smart card logon uses, and PAP sends the password in clear text. PPTP and L2TP are VPN tunnelling protocols, and HTTPS is the SSL-protected transport rather than an authentication method. An SSL web site itself authenticates visitors with client certificates, or with Basic, Digest or Integrated Windows authentication carried inside the SSL session. BFQ Skill: Evaluating Company's Existing and Planned Technical Environment


9. James wants to deploy strong security policies for the company. Which of the following are valid cost that will be involved? A. Increased admin cost B. Increased support cost C. Increased pension cost D. Increased fringe benefit cost

10. The use of encryption on all connections had slowed down the network connections. Which of the following are the likely concerns from the user's perspective? A. Ease of connection B. Ease of disconnect C. Speed of connection D. Speed of disconnect

9. James wants to deploy strong security policies for the company. Which of the following are valid cost that will be involved? *A. Increased admin cost *B. Increased support cost C. Increased pension cost D. Increased fringe benefit cost Explanation: What if a careless user forgets the password or loses the smart card? Your IT team will have to "rescue" him, and with strong policies this happens all the time. That support and administration effort is a real cost. BFQ Skill: Impact of the Security Design on the Existing and Planned Technical Environment

10. The use of encryption on all connections had slowed down the network connections. Which of the following are the likely concerns from the user's perspective? *A. Ease of connection B. Ease of disconnect *C. Speed of connection D. Speed of disconnect Explanation: Keep this in mind: user dissatisfaction grows very fast when connecting is slow or troublesome. BFQ Skill: Impact of the Security Design on the Existing and Planned Technical Environment


11. You want to implement security for remote access dealer sales. Which of the following are valid procedures to take? A. Place the dealer sales in one security group B. Grant the group with dial in RRAS permission C. Require strong password D. Require EFS E. Require SmartCard

12. Which of the following is a likely security risk introduced by RRAS to the company? A. Stolen password B. Message fraud C. Random hack D. Virus infection

11. You want to implement security for remote access dealer sales. Which of the following are valid procedures to take? *A. Place the dealer sales in one security group *B. Grant the group with dial in RRAS permission *C. Require strong password D. Require EFS E. Require SmartCard Explanation: Additionally, configure callback security for an even stronger measure: the RAS server hangs up and dials a preset number, so a stolen password alone is not enough to get in. BFQ Skill: Impact of the Security Design on the Existing and Planned Technical Environment

12. Which of the following is a likely security risk introduced by RRAS to the company? A. Stolen password B. Message fraud C. Random hack *D. Virus infection Explanation: Pay attention to possible virus infection brought in by dial-in remote users, whose computers the company does not manage or patch. BFQ Skill: Impact of the Security Design on the Existing and Planned Technical Environment


13. James prefers encryption of all traffics and files on the network. Why would you disagree? A. IP will not function correctly B. Performance will be seriously degraded C. Increase chance of server crashes D. Increase chance of client crashes E. Server will generates a lot of broadcasts

14. You are worrying that the network servers are overloaded. Which of the following will you monitor? A. System: Processor queue length B. System: Processor wait time C. System: Processor bus length D. System: Processor buffer

13. James prefers encryption of all traffics and files on the network. Why would you disagree? A. IP will not function correctly *B. Performance will be seriously degraded C. Increase chance of server crashes D. Increase chance of client crashes E. Server will generates a lot of broadcasts Explanation: Encryption and decryption are CPU intensive, and doing it for every connection and every file loads servers and clients alike; encrypt selectively, where the data warrants it. BFQ Skill: Impact of the Security Design on the Existing and Planned Technical Environment

14. You are worrying that the network servers are overloaded. Which of the following will you monitor? *A. System: Processor queue length B. System: Processor wait time C. System: Processor bus length D. System: Processor buffer Explanation: System\Processor Queue Length counts threads waiting for a CPU. If it stays above 2 per processor under load, the CPU is the bottleneck and you may need an upgrade. BFQ Skill: Impact of the Security Design on the Existing and Planned Technical Environment


15. James notified you that virus infections are found on some user's computers. Which of the following are possible behaviors of these viruses? A. Destroy data B. Format hard drive C. Destroy CDROM D. Destroy CPU E. Destroy boot record

15. James notified you that virus infections are found on some user's computers. Which of the following are possible behaviors of these viruses? *A. Destroy data *B. Format hard drive C. Destroy CDROM D. Destroy CPU *E. Destroy boot record Explanation: Viruses can destroy data, overwrite the boot record or format a drive, but they cannot physically destroy hardware such as a CPU or a CD-ROM drive. BFQ Skill: Impact of the Security Design on the Existing and Planned Technical Environment


ABC Toys 95

Case Study 05: ABC Toys You are a Network Consultant with specialized skills in designing Windows 2000 directory services. You have recently been asked by ABC Toys Corp to design the security and the directory for the entire company.

Background ABC Toys, formerly Supreme Hobbies and Toys, is owned and operated by people who have over 110 years of combined experience as retailers, hobbyists, and business professionals. The mission of the company is to introduce, support, and nurture the exciting world of model building and collecting. The toys sold by ABC are known as family oriented: the product lines introduce the young to the excitement of toys, and alongside these introductory products the same lines offer more advanced items for the rest of the family. To make sure that no rain check is ever needed, they keep over 30,000 items in stock in the stores.

Product Offerings The Toy Categories offered by ABC are:

• Dolls
• Die Cast Trains
• Model Horses
• Model Rockets
• Electric Trains
• Plastic Models
• Plush/Stuffed
• Wooden Trains

Of the above items, all train-related products are under the management of the Train Department. The rest are under the Toys Department. In theory, there are few resources that can be shared between the two departments. In fact, ABC once wanted to merge the two departments; however, the plan was abandoned due to heavy objections from the labor union.

96 Case Study 05: 70-220

Locations The HQ is located in Hong Kong. The purchasing department is in Taiwan. The rest of the operations are run in Vietnam.

Currently there are 15 retail outlets throughout the world. Due to the rapid growth of the business, they will establish 5 new retail points of presence in the coming two years. Keep in mind that these outlets are not owned by ABC; they are franchised outlets. However, they can access the network resources of ABC via RAS.

SuperToy is the biggest reseller of ABC's products. ABC sees SuperToy as its most important partner, and thus allows a dedicated 256K connection between the two companies' head offices.

Each retail outlet has a store manager who must report directly to the directors. Although centralized administration is important, the company prefers to delegate to the local peers to increase the effectiveness of decision-making.

IT Structure The company has an IT team of 4. They have developed the NT4 network using the multiple domain model. All remote offices connect to the HQ servers via leased lines.

Figure 5-1: IT Teams

Each office has its own NT4 domain. There are Windows 95, 98 and NT clients throughout the network. Some of the computers will be upgraded to Windows 2000. In addition, there is one NetWare 4 server that holds a lot of critical information.


1. Which of the following do not have support of Active Directory native mode? A. 95 B. 98 C. ME D. None of the choices

2. How do you allow the new Windows 2000 clients to access the Netware server without the need to install NWLink? A. Set up one Windows 2000 server with CSNW B. Set up one Windows 2000 server with GSNW C. Set up one Windows 2000 server with Migration Wizard D. None of the choices

1. Which of the following do not have support of Active Directory native mode? A. 95 B. 98 C. ME *D. None of the choices Explanation: All of these clients can log on to an Active Directory domain, Windows 2000 natively and the Windows 9x family with the Active Directory Client Extensions (DSClient) add-on. BFQ Skill: Understanding Domain Controllers

2. How do you allow the new Windows 2000 clients to access the Netware server without the need to install NWLink? A. Set up one Windows 2000 server with CSNW *B. Set up one Windows 2000 server with GSNW C. Set up one Windows 2000 server with Migration Wizard D. None of the choices Explanation: A Windows 2000 server running GSNW acts as a gateway: it connects to the NetWare server on behalf of the Windows clients and re-shares the NetWare volumes over SMB, so the clients need only TCP/IP. CSNW would have to be installed on every client. BFQ Skill: Understanding Domain Controllers


3. The Netware 4 server will be upgraded to Version 5 with TCP/IP support. Which of the following protocol would a Windows 2000 server with GSNW installed need in order to communicate with the new Netware server? A. TCP/IP B. NetBIOS C. NWLink D. RIP

4. You need to promote a Windows 2000 member server on the network to a domain controller. Which of the following command will you use? A. Dcpromo B. PromoDC C. NetDOM D. NetManage

3. The Netware 4 server will be upgraded to Version 5 with TCP/IP support. Which of the following protocol would a Windows 2000 server with GSNW installed need in order to communicate with the new Netware server? A. TCP/IP B. NetBIOS *C. NWLink D. RIP Explanation: Even though NetWare 5 supports TCP/IP natively, Windows 2000 GSNW (and CSNW) only talk to NetWare over IPX/SPX, so NWLink must remain installed on the gateway server. BFQ Skill: Understanding Domain Controllers

4. You need to promote a Windows 2000 member server on the network to a domain controller. Which of the following command will you use? *A. Dcpromo B. PromoDC C. NetDOM D. NetManage Explanation: Dcpromo promotes a member server to a domain controller and demotes a domain controller back to a member server. BFQ Skill: Understanding Domain Controllers


5. In the upgrade plan, which of the following Windows 2000 services will you identify as REQUIRED for the new Windows 2000 network? A. DNS B. DHCP C. WINS D. IIS E. TS

6. Which of the following roles should you assign to the only domain controller in the Taiwan domain after the Windows 2000 upgrade? A. Schema master B. RID master C. Infrastructure master D. PDC emulator

5. In the upgrade plan, which of the following Windows 2000 services will you identify as REQUIRED for the new Windows 2000 network? *A. DNS B. DHCP C. WINS D. IIS E. TS Explanation: Only DNS is required: Active Directory clients locate domain controllers through DNS SRV records. You can use static IP addresses instead of DHCP in a small network, and WINS is only needed for legacy NetBIOS name resolution. BFQ Skill: Understanding Domain Controllers

6. Which of the following roles should you assign to the only domain controller in the Taiwan domain after the Windows 2000 upgrade? A. Schema master *B. RID master *C. Infrastructure master *D. PDC emulator Explanation: The client utility should be installed on the pre-Windows 2000 clients. BFQ Skill: Understanding Domain Controllers


7. Which of the following factors must you consider when designing the Operations Master placement?
A. Do not put RID Master and GC together on one server
B. Do not put Infrastructure Master and PDC emulator together on one server
C. Do not put Domain Naming Master and GC together on one server
*D. Do not put Infrastructure Master and GC together on one server
Explanation: If they are together, problems may arise when trying to update cross-domain reference information.
BFQ Skill: Understanding Operations Master

8. Which of the following roles should be placed together on one server?
*A. Schema
*B. Domain naming
C. RID
D. Infrastructure
Explanation: Also, the Domain Naming master will require the GC to be on the same server.
BFQ Skill: Understanding Operations Master


9. Which of the following may happen when the RID master is temporarily unavailable?
*A. New security principal objects cannot be created
B. New security principal objects can still be created
C. Existing security principal objects cannot be searched
D. Existing security principal objects will disappear
Explanation: This normally has little effect on general users, as they seldom need to create objects in Active Directory.
BFQ Skill: Understanding Operations Master

10. You need to set up logon scripts for the Windows 2000 Pro computers in the company's new Windows 2000 domain. Which of the following is the valid path for the script?
*A. Default Domain Policy -> Computer Configuration -> Windows Settings
B. Default Domain Policy -> Computer Objects -> Windows Settings
C. Default Computer Policy -> Computer Configuration -> Windows Settings
D. Default Domain Policy -> Computer Configuration -> Policy Settings
Explanation: Remember the path for the exam.
BFQ Skill: Understanding Group Policy Scenarios


11. ABC Toys will open a small shop in India. This shop does not have a reliable WAN connection and will not join the company's Active Directory. It will be a localized network without a domain structure. How will you implement security settings for this network?
*A. Use Local Security Policy
B. Use Domain Security Policy
C. No policy can be installed with a domain or Active Directory.
D. None of the choices
Explanation: In Administrative Tools you can find the tool for configuring Local Security Policy.
BFQ Skill: Understanding Group Policy Scenarios

12. Which of the following can only be implemented at domain level?
*A. Account lockout
*B. Kerberos
*C. Password complexity
D. None of the choices
Explanation: These are all domain-wide settings and cannot be filtered by OU.
BFQ Skill: Understanding Group Policy Scenarios


13. Some of the laptop users need to modify the system settings and install customized software. Which of the following should you grant them?
A. Domain admin
B. Enterprise admin
C. Site admin
*D. Local admin
E. Group admin
Explanation: You should grant those users local admin privileges so that they can perform the needed changes only on their own laptop.
BFQ Skill: Understanding Group Policy Scenarios

14. Which of the following will be required if one forest is to be used on the new Windows 2000 network, given that ABC has many domain controllers available?
*A. Schema master
*B. Domain Naming master
C. RID master
D. Infrastructure master
E. PDC emulator
Explanation: These are per-forest roles. The other choices are per-domain roles. Since ABC has existing domain controllers, the per-domain roles should have been "taken" by those domain controllers already.
BFQ Skill: Understanding Operations Master


MediAssociate

113

Case Study 06: MediAssociate You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by MediAssociate to design the Security and the Directory for the entire company.

Background Since 1986, MediAssociate has been conducting research for legal and health care professionals involved in medical malpractice, personal injury, product liability and workers' compensation cases. Target customers are those who are overwhelmed with complicated health care issues and baffling medical jargon. The founders of MediAssociate have been in the medical-legal consultant field for over ten years. They have been providing consulting services for attorneys, physicians and other legal nurse consultants.

Services MediAssociate searches medical literature for articles, standards and guidelines that will enhance the customer's understanding of the case. The search is conducted by RNs experienced in the field and is supplemented with summaries of key articles and conference sessions to answer questions. MediAssociate locates qualified expert physicians and nurses whose accurate opinions will bolster the customer's position. Its nationwide network of specialists includes both consulting and testifying experts. MediAssociate can find the ideal expert fast, then help the customer to prepare that expert for deposition or trial. MediAssociate nurses will accompany the customers during their Independent Medical Examinations. These nurses will be prepared to offer testimony during deposition and trial.

IT Structure To offer the services listed above, MediAssociate has a very advanced IT infrastructure. Their network deploys fiber optics to connect their office in downtown San Jose. The network is running 25 NT 4 Servers and 300 clients. To speed up research, they use a T3 line to connect to the Internet. In addition, there are 4 Solaris workstations specially designed for a fault-tolerant web site configuration. There are also 5 offices in different parts of Phoenix, as well as two offices in Austin and Kansas City.

114 Case Study 06: 70-220

Organization Structure The company is structured in a way that reflects the services it offers. There are mainly 3 departments in the company, one for each main service.

Figure 6-1: Service Structure

Visions The company is expected to expand its network of affiliated professionals. Currently they have more than 25000 professionals in their network nationwide. These professionals are allowed to connect to the head office via dial-up access. Due to the fast growth in business, it is estimated that in three years' time the number of professionals that work with the company will have doubled. Since to a certain extent these professionals are not in-house staff, the company will want to have a separate community for them. This community should manage its own password and lockout policy. The existing NT4 network was built with scalability in mind. There are 2 account domains together with 5 resource domains.


The CIO wants to upgrade the network to W2K. He is impressed by the stability of the new OS. One thing the CIO really wants to implement is some sort of Smartcard device for the in-house staff to log onto the network. He believes that technologies like Smartcards are the trend of the future. In addition, there is a need for a secure web site to host critical sales information for staff to access.

1. Which of the following provided by NT4 can safeguard against intruders?
A. EFS
B. Kerberos
C. TCS
*D. NT LAN Manager
Explanation: NT LAN Manager is the NTLM authentication method, which is the default for NT4.
BFQ Skill: Identifying Required Level of Security for Each Resource

2. In Windows 2000, security can be characterized as?
A. Weak
*B. Normal
*C. Strong
D. Ultra Strong
Explanation: These are configured on a per-domain basis.
BFQ Skill: Identifying Required Level of Security for Each Resource


3. How would you disable NetBIOS traffic for MediAssociate's secure web site?
*A. Block port 135
*B. Block port 139
C. Block port 143
D. Block port 425
Explanation: Typically there is no need for NetBIOS support via the web. In fact, you should always block these ports.
BFQ Skill: Identifying Required Level of Security for Each Resource

4. EFS is being implemented in MediAssociate. An important file named "Xfile.doc" is encrypted. Who can decrypt it?
*A. File owner
*B. Recovery agent
C. Power user
D. Server operator
Explanation: Administrator is always assigned the role of recovery agent.
BFQ Skill: Identifying Required Level of Security for Each Resource


5. Tom needs to execute a command that should normally be accessible only by Tim. Tim is on vacation. How should Tom execute the command?
A. Give Tom Tim's password
B. Give Tom Tim's login name
*C. Tell Tom to RUN AS Tim
D. Tell Tom to ACT AS Tim
Explanation: RUN AS is typically used to avoid logging on using the administrator account.
BFQ Skill: Identifying Required Level of Security for Each Resource

6. The company's web server is suddenly overloaded with service requests. Which of the following is likely happening?
*A. DOS
B. DOD
C. DDR
D. DIR
Explanation: DOS = Denial of service attack.
BFQ Skill: Identifying Required Level of Security for Each Resource


7. You found that HTTPS traffic cannot reach the company's web site. All other traffic is working fine. The web service is hosted by Windows 2000 IIS. Which of the following should you do?
A. Remove the firewall
B. Remove the packet filter
C. Do not block port 80
*D. Do not block port 443
Explanation: Port 443 is for HTTPS while port 80 is for regular HTTP.
BFQ Skill: Identifying Required Level of Security for Each Resource

8. You want to make sure that one party in a communication cannot deny that part of the communication occurred within MediAssociate's network. Which of the following is the term to describe this mechanism?
A. Non-intrusion
B. Non-disclosure
*C. Non-repudiation
D. Non-Exposure
Explanation: This can be implemented with cryptography.
BFQ Skill: Understanding Active Directory Concepts


9. How do you implement a mechanism to make sure that one party in a communication cannot deny that part of the communication occurred within MediAssociate's network?
*A. Via Cryptography
B. Via Digital Time Stamp
C. Via Watermark
D. Via Windows 2000 SID
Explanation: We refer to this kind of mechanism as Non-repudiation.
BFQ Skill: Understanding Active Directory Concepts

10. Which of the following is the correct default time interval value for site replication between the sites of MediAssociate?
A. 100
B. 120
*C. 180
D. 240
Explanation: The default cost is 100, and the default interval is 180 minutes.
BFQ Skill: Understanding Active Directory Concepts


11. To implement greater security between the domains of MediAssociate's forest, Jay suggested manually creating trusts between them. Which of the following is true?
A. This will enhance security to a limited extent
B. This will enhance security
C. This will enhance security only when the default trusts are disabled at boot time
*D. This will not enhance security at all
Explanation: Shortcut trusts can speed things up, but will not enhance security. You cannot disable the default trusts.
BFQ Skill: Understanding Active Directory Concepts

12. Which of the following regarding the Active Directory schema is true?
*A. A full copy is stored on each GC.
B. A partial copy is stored on each GC.
C. No copy is stored on the GC.
D. Schema can be modified directly with SchemaEdit.exe
Explanation: A full copy of the schema and configuration directory partitions is stored on each GC.
BFQ Skill: Understanding Active Directory Concepts


13. Which of the following is true regarding schema data replication in Active Directory?
A. Schema data is replicated every 180 minutes
B. Schema data is replicated according to the site replication schedule
*C. Schema data is replicated when changes occur
D. None of the choices
Explanation: Schema replication does not follow the site replication schedule. It does not change frequently anyway.
BFQ Skill: Understanding Active Directory Concepts

14. To set up multi-site links between the offices in San Jose, Austin, Kansas City and Phoenix, which of the following must be addressed carefully?
*A. There must be a common replication window among the sites
B. There must be different replication windows among the sites
C. There must be no replication window among the sites
D. None of the choices
Explanation: Without a common replication window (a common time frame to allow replication), no replication will occur.
BFQ Skill: Understanding Active Directory Concepts


Kellok Accounting Service 131

Case Study 07: Kellok Accounting Service You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by Kellok Accounting Service to design the Security and the Directory for the entire company.

Background Kellok Accounting Service has been in business in the Pacific Northwest for nearly half a century, helping clients to develop effective accounting systems to use as an essential management tool.

Core accounting services

Division AR-1
• Financial statements for corporations, proprietorships, and partnerships
• Monthly accounting, including computer-generated journals and ledgers
• Developing financial accounting and control systems
• Analysis and implementation of accounting enhancements
• Training in record keeping

Division AR-2
• Cash flow management
• Compliance with lender requirements
• Financing, including banks, SBA, FHA
• Consulting and business planning
• Budgeting and forecasting

Division AR-3
• Computer technology assistance, including network design
• Bank reconciliations
• Accounts receivable and payable
• Inventory control
• Depreciation schedules and asset records

Division AR-4
• Payroll and other taxes
• Executive search for controller/financial staff
• Special purpose reports

132 Case Study 07: 70-220

Locations

Headquarters – Palo Alto
• 50 staff
• 2 NT servers
• 1 Unix server

AR-1 Palo Alto
• 40 staff
• 2 NT servers
• 1 Unix server

AR-2 Redwood City
• 40 staff
• 1 NT server
• 1 Unix server

AR-3 Fremont
• 70 staff
• 3 NT servers
• 1 Unix server

AR-4 Oakland
• 20 staff
• 1 NT server

All locations are interconnected with 128K ISDN lines.

All locations share the same password and lockout policies.


NT Domain Model

The NT Domain Model for Kellok.

1. When you design the site names for Kellok, which of the following must you pay attention to?
A. Alphanumeric characters only
B. Alphanumeric characters and commas only
*C. Alphanumeric characters and hyphens only
D. Alphanumeric characters and colons only
Explanation: DNS uses site names, so the site names must comply with the DNS name requirements.
BFQ Skill: Active Directory Planning Considerations

2. You are planning for the number of sites. AR-4 has suffered a connectivity problem and is expected to have only SMTP connectivity to the outside world within the next 2 years. Which of the following are valid considerations?
*A. AR-4 must have at least one domain controller
B. AR-4 must have at least two domain controllers
*C. AR-4 should be a separate site
D. AR-4 should be integrated with AR-3 and AR-2
Explanation: Since AR-4 has only SMTP connectivity, it has to be a separate site, because the poor connectivity limits replication efficiency.
BFQ Skill: Active Directory Planning Considerations


3. In your planning, AR-2 and AR-3 are in the same site. However, the network links between them are found to be heavily utilized. Which of the following must you pay attention to?
*A. They should be separate sites
B. They should be combined into a separate domain
C. They should be registered with Active Directory
D. None of the choices
Explanation: This can eliminate authentication traffic across the WAN link and reduce bandwidth usage.
BFQ Skill: Active Directory Planning Considerations

4. Kellok's IT staff proposed using a router to filter traffic in order to reduce traffic between AR-2 and AR-3. Which of the following is true regarding this solution?
*A. Technically possible
B. Technically impossible
*C. Not a good approach
D. A good approach
Explanation: A better way is to put domain controllers and GCs at each location so that traffic across the WAN can be minimized.
BFQ Skill: Active Directory Planning Considerations


5. Kellok's IT staff proposed using screened subnets for security. Which of the following is needed to implement a screened subnet?
A. Active Directory
B. Domain controller
*C. Internet firewall
D. Central Server
Explanation: A screened subnet is mostly used with an Internet firewall to protect the network from outside intrusion.
BFQ Skill: Active Directory Planning Considerations

6. How do you secure the objects in Active Directory?
*A. Use ACL
B. Use DAL
C. Use NTFS permission
D. Use EFS
Explanation: An ACL has entries that determine the access levels for Active Directory objects.
BFQ Skill: Securing the Active Directory


7. How do you set the security feature of a Windows 2000 computer?
*A. Start -> Programs -> Administrative Tools -> Active Directory Users and Computers -> View -> Advanced Features
B. Start -> Programs -> Administrative Tools -> Active Directory Sites and Services -> View -> Advanced Features
C. Start -> Programs -> Administrative Tools -> Active Directory Domains and Trusts -> View -> Advanced Features
D. None of the choices
Explanation: This is the way to access the Security Tab.
BFQ Skill: Securing the Active Directory

8. When can you implement universal groups for Kellok?
*A. When the network is in native mode
B. When the network is in mixed mode
*C. When the network has more than one domain
D. When the network has one domain
Explanation: Keep in mind that we seldom use universal groups, both in the real world and for the exams.
BFQ Skill: Active Directory Planning Considerations


9. One former executive just left Kellok. He had secured a folder with NTFS permissions so that no one else has permission to access it. How do you access the data inside?
*A. Modify Owner
B. Recreate the folder
C. Hijack the folder
D. Boot from DOS and copy the file
Explanation: This is similar to "Take Ownership" in NT4.
BFQ Skill: Securing the Active Directory

10. In order to prevent someone from falsely assigning object ownership, which of the following functions are not allowed in Windows 2000?
*A. Transfer ownership
*B. Grant ownership
*C. Remove Ownership
D. Modify Owner
Explanation: You can only modify the owner, and only if you have sufficient rights and permissions to do so.
BFQ Skill: Securing the Active Directory


11. To implement the highest possible security for computers in AR-1, which of the following will you suggest?
A. Remove all permissions for their computers
B. Allow only read permissions for their computers
C. Allow only browse permissions for their computers
*D. Use the HISEC template for their computers
Explanation: Deploying a security template is one good way to easily enforce computer security.
BFQ Skill: Securing the Active Directory

12. Which of the following will happen to an object created by someone who logged on with the administrator account?
A. Anyone who belongs to the administrator group can only browse the object
B. Anyone who belongs to the administrator group can only read the object
*C. Anyone who belongs to the administrator group can modify the object
D. None of the choices
Explanation: Users should be arranged into groups by the administrator. Proper permissions should then be assigned to the groups.
BFQ Skill: Securing the Active Directory


13. Which of the following security risks cannot be addressed with EFS?
*A. File transmission across the network
B. File stored locally
*C. File stored on floppy
D. File stored on NTFS
Explanation: EFS can only protect files stored locally on an NTFS partition.
BFQ Skill: Identifying Required Level of Security for Each Resource

14. Which of the following site names are not valid for use in Kellok's network?
*A. AR@1
*B. AR#2
*C. AR 3
*D. AR!4
Explanation: Site names must comply with the DNS naming standard. Special characters and spaces are not allowed, with the hyphen as an exception.
BFQ Skill: Active Directory Planning Considerations


ProX Auditing Group 149

Case Study 08: ProX Auditing Group You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by ProX Auditing Group to design the security and the Directory for the entire company.

Background ProX Auditing Group uses a logical sequence of steps to perform audits in the most efficient, effective, and timely manner possible. Its audits comply with the highest professional standards and lend credibility to the client company's financial statements. Its experts can assist the clients in improving internal controls and operating efficiency, as well as recommend enhancements to make the client company more profitable. ProX offers the following audit services:

ProX Austin
• General financial audits
• Review of agreed-upon procedures
• Analysis of internal and operating controls
• Review of computer systems for proper operation and control procedures

ProX Kansas
• Due diligence audits for mergers and acquisitions
• Federal single audit compliance
• Compliance with GAO "Yellow Book" requirements
• Compliance with grant requirements
• Compliance with loan covenants/regulatory requirements

150 Case Study 08: 70-220

Client sectors
1. Agriculture
2. Auto Dealers and Auto Repair
3. Beverages
4. Construction and Logging
5. Financial Institutions and Trusts
6. Governmental
7. Health Care Professionals
8. Lodging and Food Service
9. Insurance Services
10. Manufacturing
11. Non-Profit Organizations
12. Professional Service Firms
13. Real Estate
14. Retail and Wholesale Businesses
15. Timber
16. Trucks and Transportation

Organization Structure

Organization of ProX Auditing Group

The SF office is the head office. All the offices share the same set of rules and standards. The three ProX offices are interconnected with high-speed T1 lines. Currently they are running NetWare 4.x. However, for file sharing, some NT servers are deployed as well. These NT servers work together with the NetWare 4.x servers on the same network. Clients are mainly Win98 based.


1. You are planning the groups for the new ProX Windows 2000 network. This new network will be a mixed environment. Which of the following is a valid concern?
A. You cannot use local groups
*B. You cannot use universal groups
*C. You cannot use domain local groups
D. None of the choices
Explanation: Using universal groups is not recommended anyway.
BFQ Skill: Designing the Placement and Inheritance of Security Policies

2. You need to provide a secure and fast networking environment for ProX. Which of the following should you avoid?
*A. HISEC template
B. EFS
C. Kerberos
D. TCS
E. NTFS
Explanation: HISEC requires encryption for end-to-end communication, which will slow down the network considerably.
BFQ Skill: Designing the Placement and Inheritance of Security Policies


3. Which of the following is true regarding the deployment of global groups?
*A. It can contain members from the same domain only
B. It can contain members from different domains
C. It can be granted permissions to resources of the same domain only
*D. It can be granted permissions to resources of different domains
Explanation: If the parent OU has "No override" enabled, then the parent value will be applied.
BFQ Skill: Designing the Placement and Inheritance of Security Policies

4. You found that a particular group policy setting has been configured for a child OU in ProX, and the configuration for the parent is actually in conflict with the child. Which of the following will you do so that the value of the parent OU takes precedence?
A. Disable Block rights
*B. Enable No override
C. Enable No conflict
D. Disable Write protect
Explanation: If the parent OU has "No override" enabled, then the parent value will be applied.
BFQ Skill: Designing the Placement and Inheritance of Security Policies


5. You found that a particular group policy setting has been configured for a child OU in ProX, and the configuration for the parent is actually in conflict with the child. Which of the following will you do so that the value of the child OU is preserved?
A. Disable Block rights
B. Disable No Block Inheritance
*C. Enable Block Inheritance
D. Disable Write protect
Explanation: This setting should be used sparingly.
BFQ Skill: Designing the Placement and Inheritance of Security Policies

6. You just made some changes to the security policies for ProX. How do you make them effective right away?
*A. Run SECEDIT.EXE
B. Run SEDIT.EXE
*C. Use the /refreshpolicy parameter
D. Use the /pushpolicy parameter
Explanation: SECEDIT.EXE is a command-line utility that offers more functions than its GUI counterpart.
BFQ Skill: Designing the Placement and Inheritance of Security Policies


7. ProX will have some computers running Unix clients. Which of the following authentication methods will be used?
*A. Kerberos
B. NTLM
C. X400
D. LDAP
Explanation: Many Unix clients now support Kerberos V5 authentication.
BFQ Skill: Designing an Authentication Strategy

8. ProX still maintains some NT4 laptops for the auditors. Which of the following configurations can be deployed to enhance the security of their connections to the in-house network?
*A. VPN
*B. PPTP
C. L2TP
D. IPSec
Explanation: NT4 supports only VPN and PPTP. With Windows 2000 you can use L2TP and IPSec.
BFQ Skill: Designing an Authentication Strategy


9. ProX still maintains some NT4 laptops for the auditors. Which of the following authentication methods can be used by these laptops?
A. PAP
B. EAP
C. TCS
*D. MS-CHAP
Explanation: MS-CHAP is the most secure authentication method supported natively by NT4.
BFQ Skill: Designing an Authentication Strategy

10. Which of the following functions will DA in Windows 2000 provide?
*A. Prompt a browser user for an ID
*B. Prompt a browser user for a password
C. Prompt a browser user for its credit card information
D. Prompt an email sender for name and password
Explanation: DA stands for Digest Authentication, which provides increased security for Internet users.
BFQ Skill: Designing an Authentication Strategy


11. Which of the following is required so that users in ProX can use DA?
A. Web Browser that supports HTTP1.0 or above
*B. Web Browser that supports HTTP1.1 or above
C. Web Browser that supports HTTP2.0 or above
D. None of the choices
Explanation: With DA, user logon information is protected by a hash of the user ID and password and the server's public ID.
BFQ Skill: Designing an Authentication Strategy

12. Which of the following correctly describe Kerberos?
*A. Ticket based
*B. Session based
*C. For authentication
D. For authorization
Explanation: Kerberos gives the user the right to access network resources for the entire session without needing to re-request authentication frequently.
BFQ Skill: Designing an Authentication Strategy


13. At which of the following OSI layers does Kerberos operate?
*A. Application
B. Presentation
C. Session
D. Transport
Explanation: NTLM also operates at the Application layer.
BFQ Skill: OSI Reference Model

14. Which of the following are considered secure authentication methods that can be deployed by Windows 2000 across WAN links?
*A. PPP
*B. EAP
*C. MS-CHAP
D. Kerberos
Explanation: Kerberos operates at the Application layer, and is the default for Windows 2000 authentication in the LAN.
BFQ Skill: Designing an Authentication Strategy


Case Study 09: ExGovern

You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by The ExGovern Group to design the security and the directory for the entire company.

Background

ExGovern is an agency that has specialized in working with government and non-profit organizations since 1979. Its governmental experience includes working with:

• Cities
• Counties
• State Agencies
• Federal Agencies
• School Districts
• Highway Districts
• Port Authorities
• Utility Districts

Services

For governmental and non-profit entities, ExGovern has prepared, compiled, reviewed, and audited financial statements, performed limited scope audits using specific criteria, and, where appropriate, prepared tax returns. ExGovern frequently provides recommendations regarding internal accounting controls, organizational and operational structure, the flow of information to management, and other aspects of administration where weaknesses have been observed. ExGovern has a team of 100 audit managers who are respected specialists in governmental auditing and accounting procedures. They understand and take into account the limited funds available to government and non-profit organizations. The government-required audits are in accordance with:

• Generally accepted accounting standards prescribed by the American Institute of Certified Public Accountants
• Government Auditing Standards issued by the Comptroller General, from the U.S. General Accounting Office
• Single Audit Act
• OMB Circulars A-128 and A-133


Future Vision

ExGovern is about to acquire its competitor GovernSpec. These two entities will remain independent after the acquisition. Both have their own web presence, and they will do business using their own brand names. However, staff from ExGovern can be given rights to access certain resources of GovernSpec. For ExGovern itself, a major reorganization will occur as well. The new organization will be service oriented, with the following service departments:

Service Dept 1

• Cities
• Counties
• State Agencies

Service Dept 2

• Federal Agencies
• School Districts
• Highway Districts

Service Dept 3

• Port Authorities
• Utility Districts

The new organization chart for these departments is illustrated in Figure 9.1.

Figure 9.1: Organizational chart of ExGovern.


IT Structure

Currently their network is running Windows NT 4 and 3.51. For clients, they have NT 4 Workstation, Win95/98 and also Macintosh. The IT Manager of the company only wants to upgrade the servers and some of the NT Workstations to W2K, and nothing else.

There will be 4 sites in the network due to the physical locations of ExGovern's different offices. These sites will be linked with 256K dedicated lines.

Some of their computers are placed in the lobby. It has been a problem that during the night shift the security of the lobby is too loose.


1. How would you address the security problem of the lobby?
*A. Install Physical cameras
B. Configure Group policy
C. Configure Computer policy
D. None of the choices
Explanation: The lobby's problem is a physical security problem. Cameras can, to a certain extent, monitor the lobby during the night shift.
BFQ Skill: Identifying the Required Level of Security for Each Resource

2. You want to ensure that during the daytime the computers in the lobby will not be tampered with in terms of software configuration. Which of the following steps will you take?
*A. Upgrade them to Windows 2000 Pro
*B. Set up an OU for this group of computers
*C. Configure the appropriate Group policy
*D. Apply the Group policy to the OU
Explanation: A standalone CA can always work by itself without integrating into Active Directory.
BFQ Skill: Designing a Public Key Infrastructure


3. Which of the following must be done so that requests for certificates can be released from the CA?
*A. The administrator should verify the requestor identity
*B. The administrator should allow the request
C. The administrator should contact the requestor
D. The administrator should digitally sign the approval
Explanation: The administrator should verify the information. This is not a TECHNICAL requirement, but it is required for the integrity of the process.
BFQ Skill: Designing a Public Key Infrastructure

4. You are configuring certificates for the staff in ExGovern. Which of the following can prevent the compromise of security?
*A. Shorten the renewal cycle
B. Lengthen the renewal cycle
C. Deploy manual renewal
D. Issue renewal quota
Explanation: By requiring more frequent renewals, interception of the key is discouraged.
BFQ Skill: Designing a Public Key Infrastructure


5. You have been asked to implement an enterprise CA in ExGovern. Which of the following is required?
*A. Active Directory
B. EFS
C. L2TP
D. PPTP
Explanation: Active Directory is required if you are to set up an Enterprise CA.
BFQ Skill: Designing a Public Key Infrastructure

6. For extremely strict control of certificates for a small group of managers, which of the following certificate mappings will you use?
*A. One to One
B. Many to One
C. One to Many
D. Many to Many
Explanation: This requires that you approve or reject every single request you receive.
BFQ Skill: Designing a Public Key Infrastructure


7. When will you consider the use of Many to One certificate mapping?
*A. You have a large amount of clients
B. You have a small amount of clients
C. You are using an internal CA
*D. You are using an external CA
Explanation: Using a commercial CA is desirable when you are doing business on the Internet. It has nothing to do with request monitoring.
BFQ Skill: Designing a Public Key Infrastructure


Case Study 10: ProTax

You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by The ProTax Group to design the security and the directory for the entire company.

Background

Since 1980, ProTax has operated a formal tax service to serve its clients' needs. Headed by CPAs with many years of experience in a wide array of industries, ProTax staff work year-round to stay abreast of developments in the ever-changing state and federal tax laws.

ProTax professionals offer a full line of tax services.

ProTax (Redwood City)

Preparation of tax returns for the following entities:

• Individuals
• Corporations
• Partnerships
• Non-profits
• Pension plans
• Gifts and estates
• Fiduciaries

In addition to tax return preparation, ProTax also offers services for:

ProTax (San Mateo)

• Business and individual tax planning, projections, and valuations
• Special reports/projections for tax planning
• Representation before taxing authorities
• Support for business acquisitions, reorganizations, mergers, and incorporations
• Sale or purchase of business properties
• Executive compensation and benefit programs
• Deferred compensation plans
• Pension and profit sharing plans
• Employee benefit programs

ProTax (San Bruno)

• Assistance with accurate and thorough record-keeping
• Sales tax audit prevention
• Payroll, sales, and use tax
• Especially for individuals:
• Estate and gift tax services
• Retirement planning
• Investment planning
• Higher education planning

ProTax is a very special organization. Basically, every office is separately owned by different people. They do share resources with each other to enjoy some synergy. They also share the same brand name when promoting their services.

Expected IT Structure

ProTax (Redwood City)

• Domain 1
• 100 Staff

ProTax (San Mateo)

• Domain 2
• 120 Staff

ProTax (San Bruno)

• Domain 3
• 65 Staff


1. You are creating Active Directory integrated zones for ProTax. Which of the following is true regarding this zone type?
*A. By default only secure dynamic updates are allowed
B. By default all dynamic updates are allowed
C. By default all updates are allowed
D. None of the choices
Explanation: Anyone specified in the DACL can create or modify dnsNode objects.
BFQ Skill: Designing Windows 2000 Network Services Security

2. You are creating Active Directory integrated zones for ProTax. Which of the following is true regarding the create permission?
A. All User Group members can have this permission by default
B. Only the Authenticated User Group members can have this permission by manual configuration
*C. Only the Authenticated User Group members can have this permission by default
D. None of the choices
Explanation: Application Server mode allows browser clients to run the legacy applications via the web.
BFQ Skill: Designing Windows 2000 Network Services Security


3. ProTax needs to deploy line of business applications via the web. Terminal services are to be deployed. Which of the following can provide failover control under this setup?
A. Maintain the database server on the same server
B. Do not maintain any database server
*C. Maintain the database server on other servers
D. None of the choices
Explanation: By placing the database on another server, redundancy can be achieved.
BFQ Skill: Designing Windows 2000 Network Services Security

4. Tim proposed to deploy a Router-to-Router VPN. This solution may be too expensive. Which of the following can act as an alternative for the Windows 2000 Professional clients?
*A. End to end tunnel with L2TP and IPSec
B. End to end tunnel with L2TP and MSCHAP
C. End to end tunnel with L2TP and IPSec
D. End to end tunnel with L2TP and P2TP
Explanation: In any case, security is implemented at the expense of speed.
BFQ Skill: Designing Windows 2000 Network Services Security


5. Which of the following is a potential drawback of using Basic Authentication on ProTax's web site?
*A. Base64 encoding
B. Base128 encoding
C. Base256 encoding
D. Base512 encoding
Explanation: Base64 encoding can easily be decoded.
BFQ Skill: Designing Windows 2000 Network Services Security

6. A proxy server will be deployed in ProTax's network. Which of the following secure authentication methods can be deployed for web site user authentication?
*A. DA
B. SH
C. Basic
D. Challenge
E. Response
Explanation: DA is secure as it uses a hash function to protect authentication data. It can also work through the proxy server.
BFQ Skill: Designing Windows 2000 Network Services Security


7. ProTax will deploy DA for its web site. Which of the following is used in DA's hashing scheme?
A. MD1
B. MD2
C. SHA
D. ZCH
*E. MD5
Explanation: SSL is a popular method for secure web site access. A certificate from an established commercial CA provides a means of identity authentication.
BFQ Skill: Designing Windows 2000 Network Services Security

8. ProTax wants to issue SmartCards to all its clients for accessing its secure private information area. Which of the following protocols is needed?
*A. EAP-TLS
B. CHAP
C. CHAP 2
D. MS-CHAP
E. L2TP
Explanation: Whenever you see the word "SmartCard", choose EAP.
BFQ Skill: Designing Windows 2000 Network Services Security


Case Study 11: B2Bexpert

You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by B2BExpert to design the Security and the Directory for the entire company.

Background B2Bexpert is an open, business-to-business electronic marketplace for building materials that enhances the customer-supplier relationship. The B2BExpert marketplace enables buyers and sellers of building materials to benefit from timely and relevant market information, broader customer reach, highly efficient transactional capabilities, and more automated logistical and back-office processes allowing greater control over the relationship side of business. The B2BExpert marketplace will initially focus on structural lumber, but quickly move into other building materials, starting with structural panels. Ultimately, B2BExpert's marketplace will support the buying and selling of all building materials used in residential home and light commercial construction, such as engineered wood products, millwork, siding, roofing, gypsum wallboard, insulation, and other major building materials. B2BExpert's customers are buyers and sellers of truckload and railcar quantities of building materials including producers, wholesalers, and retailers.

B2BExpert Services

B2BExpert has partnered with a number of partners, allowing members to choose from a variety of value-added services to fulfill transactions in the B2BExpert Marketplace. B2BExpert works with individual members to design specific service packages. Members will always control the extent to which the services are used.

• Shipment management - Experienced transportation managers will take care of facilitating clients' shipments
• Shipment tracking - Improve inventory forecasting through online tracking of rail shipments. ETAs for B2BExpert shipments are continuously monitored, updated, and displayed online.
• Delivered price automatically calculated for buyers - Delivered prices displayed from all mills enable quicker, more accurate purchasing decisions
• Customized pricing for multiple ship-to locations
• FOB mill pricing for sellers - Mills need only enter FOB mill or region prices; all freight costs are automatically calculated for delivered prices to customer locations.
• Guaranteed payments to sellers - Secure payment transactions through a 3rd party escrow service

B2B IT Infrastructure

All servers are running NT 4.0 and are housed in the head office in Boston. B2Bexpert itself forms a single NT4 domain. To work with the partners without disclosing confidential information, the IT department has to pay extreme attention to setting up the trusts necessary for the domains to communicate. Currently Exchange Server 5.5 is deployed as their email solution. B2Bexpert is using the same domain name for the internal and external network. Administrators need to add hosts to the DNS manually. Also, users have difficulty logging onto the internal network and accessing the resources they need.


1. Where are the security policies of B2Bexpert stored?
*A. Group policy object
B. Security template
C. Security template object
D. Registry
E. Domain controller
Explanation: Policies are stored in the Group Policy Objects.
BFQ Skill: Understanding Group Policy and MMC

2. James' local setting for Audit Logon event has been set to audit failure. Why would the effective setting be "No auditing"?
*A. The domain policy is overriding the local policy
B. The local policy is overriding the domain policy
C. James has not set the effective setting option yet
D. None of the choices
Explanation: If there is a conflicting domain policy, the domain policy takes precedence when the computer is a member of a domain.
BFQ Skill: Understanding Group Policy and MMC


3. James' local setting for Audit Logon event has been set to audit failure. The domain policy has been set to "No auditing". Under what condition will the local setting be effective?
A. The domain policy is overriding the local policy
B. The local policy is overriding the domain policy
C. James sets the effective setting option manually
*D. His computer is a member of a workgroup
Explanation: If his computer is a member of a workgroup, the domain policy will have no effect on it.
BFQ Skill: Understanding Group Policy and MMC

4. You want to prevent users of the shipping department from configuring sound events on their Windows 2000 Pro. How do you do that?
*A. Set an OU for this group of users
*B. Design a GPO to restrict users from accessing Control Panel
*C. Apply the GPO to the OU
D. Restart the domain controller
Explanation: You are restricting users from setting the sound options via Control Panel. There is no need to restart the domain controller after assigning a GPO.
BFQ Skill: Understanding Group Policy and MMC


5. There is a special setting for one of the staff in the Accounts department. You need to configure local policy on his Windows 2000 computer. Which of the following must be done after that?
A. Replace the policy.dll
*B. Restart the computer
C. Refresh its policy
D. Rebuild the kernel
Explanation: For changes in the local setting to take effect, you MUST restart the computer.
BFQ Skill: Understanding Group Policy and MMC

6. Which of the following are valid console modes available in Windows 2000 that allow authoring of policy?
*A. Author
B. Publisher
C. Manager
D. Administrator
Explanation: There are 4 valid console modes, with one being the author mode and the rest being different types of User mode.
BFQ Skill: Understanding Group Policy and MMC


7. Which of the following are valid user console modes available in Windows 2000? *A. Full access *B. Limited access multiple window *C. Limited access single window D. Read access Explanation: The other mode is called Author. BFQ Skill: Understanding Group Policy and MMC

8. B2Bexpert plans to use a multi domain model. Which of the following is true regarding the deployment of site GPOs in this environment? *A. Network traffic will increase B. Network traffic will decrease C. Network security will be compromised D. Network security will not be compromised Explanation: Since GPO is stored on a domain controller, every domain under the site with the GPO must contact this domain controller. BFQ Skill: Applying Group Policy


9. In which of the following orders should you apply GPOs for B2Bexpert? A. Computer -> NT 4.0 -> Local -> Site -> Domain -> OU B. Computer -> Local -> Site -> Domain -> OU -> NT 4.0 C. Local -> NT 4.0 -> Computer -> Site -> Domain -> OU D. Computer -> NT 4.0 -> Local -> OU -> Domain -> Site

10. When applying GPOs, you found that there is a conflicting entry in the Local GPO and the Domain GPO. Which one will become effective? A. Local GPO B. Domain GPO C. Site GPO D. OU GPO

9. In which of the following orders should you apply GPOs for B2Bexpert? *A. Computer -> NT 4.0 -> Local -> Site -> Domain -> OU B. Computer -> Local -> Site -> Domain -> OU -> NT 4.0 C. Local -> NT 4.0 -> Computer -> Site -> Domain -> OU D. Computer -> NT 4.0 -> Local -> OU -> Domain -> Site Explanation: Remember this order for the exam. BFQ Skill: Applying Group Policy

10. When applying GPOs, you found that there is a conflicting entry in the Local GPO and the Domain GPO. Which one will become effective? A. Local GPO *B. Domain GPO C. Site GPO D. OU GPO Explanation: The one applied later will override the others. BFQ Skill: Applying Group Policy



Case Study 12: SBP Associates You are a Network Consultant with specialized skills in designing Windows 2000 directory services. SBP Associates has recently asked you to design the Active Directory for the entire company.

Background SBP Associates has been in the consulting business in the San Francisco Bay Area for 10 years. Its business is characterized by long-standing partner relationships with clients. It takes an entrepreneurial approach to servicing clients. Its service units work closely together and share resources, experiences and strategies.

Services The core of its business is to provide "Full Service" Association Management. At SBP, Full Service Association Management includes the following functions:
1. Executive Management
2. Administrative Services
3. Information Services
4. Accounting


Organization Structure The CEO of the company reports directly to the board of directors. Under the CEO there are two divisions. The internal division handles all the internal affairs, while the Service Division provides service to the customers.

Under the Service Division, there are 4 departments:
Department of Executive Management: 100 people, head office, SF, EM.Service.SBP.com
Department of Administrative Services: 100 people, Oakland office, AS.Service.SBP.com
Department of Information Services: 36 people, San Jose office, IS.Service.SBP.com
Department of Accounting: 55 people, Milpitas office, AT.Service.SBP.com


1. When applying GPOs for SBP, you found that there is a conflicting entry in the Computer GPO and the OU GPO. Which one will become effective? A. Computer GPO B. Domain GPO C. Site GPO D. OU GPO

2. Which of the following permissions will you need to apply to the Admin Service user group so that the GPO you configured applies to them? A. Apply group policy and Read Permissions B. Apply group policy and Create Permissions C. Apply group policy and Modify Permissions D. None of the choices

1. When applying GPOs for SBP, you found that there is a conflicting entry in the Computer GPO and the OU GPO. Which one will become effective? A. Computer GPO B. Domain GPO C. Site GPO *D. OU GPO Explanation: The one applied later will override the others. BFQ Skill: Applying Group Policy

2. Which of the following permissions will you need to apply to the Admin Service user group so that the GPO you configured applies to them? *A. Apply group policy and Read Permissions B. Apply group policy and Create Permissions C. Apply group policy and Modify Permissions D. None of the choices Explanation: The users do not need to modify the group policy; Apply Group Policy and Read permissions are sufficient for them. BFQ Skill: Applying Group Policy


3. Which of the following is true regarding password policies in a domain? A. Domain controllers will ignore the password and lockout policies defined at any other level B. Domain controllers will use the password and lockout policies defined at any other level C. Domain controllers will integrate the password and lockout policies defined at any other level D. None of the choices

4. How would you ensure that the Windows 2000 Pro computers in SBP always implement the computer policies regardless of users? A. Enable loopback processing B. Enable policy termination C. Enable "Use Computer Policy Only" option D. None of the choices

3. Which of the following is true regarding password policies in a domain? *A. Domain controllers will ignore the password and lockout policies defined at any other level B. Domain controllers will use the password and lockout policies defined at any other level C. Domain controllers will integrate the password and lockout policies defined at any other level D. None of the choices Explanation: Domain password policies always override OU password policies. BFQ Skill: Configuring Group Policy

4. How would you ensure that the Windows 2000 Pro computers in SBP always implement the computer policies regardless of users? *A. Enable loopback processing B. Enable policy termination C. Enable "Use Computer Policy Only" option D. None of the choices Explanation: Loopback can be in either the Replace mode or the Merge mode. BFQ Skill: Configuring Group Policy


5. Which of the following modes in loopback processing allows the integration of Computer Account settings and User Account settings? A. Replace mode B. Merge mode C. Integration mode D. Mixed mode

6. Which of the following are valid concerns when planning for auditing in SBP's Windows 2000 network? A. Audit only specific files or objects of interest B. Audit only for a limited time frame C. Audit only for a particular protocol D. None of the choices

5. Which of the following modes in loopback processing allows the integration of Computer Account settings and User Account settings? A. Replace mode *B. Merge mode C. Integration mode D. Mixed mode Explanation: In Replace mode the User settings are replaced by the Computer settings. BFQ Skill: Configuring Group Policy

6. Which of the following are valid concerns when planning for auditing in SBP's Windows 2000 network? *A. Audit only specific files or objects of interest *B. Audit only for a limited time frame C. Audit only for a particular protocol D. None of the choices Explanation: The reason to limit auditing is that auditing imposes overhead on the CPU and on disk I/O. BFQ Skill: Designing an Audit Policy


7. A recent audit reveals that a user account under the name John has an excessive number of failed logons. Which of the following is a valid concern in this case? A. John's account has been under dictionary attack B. John's account has been corrupted C. John's account has been disabled D. John's account has been locked out

8. Mary has accidentally modified an OU's security policy. Which of the following should be done to undo the changes? A. Choose UNDO from MMC B. Choose UNAPPLY from MMC C. Choose CANCEL in MMC D. None of the choices

7. A recent audit reveals that a user account under the name John has an excessive number of failed logons. Which of the following is a valid concern in this case? *A. John's account has been under dictionary attack B. John's account has been corrupted C. John's account has been disabled D. John's account has been locked out Explanation: Excessive logon failures are likely caused by password attacks. BFQ Skill: Designing an Audit Policy

8. Mary has accidentally modified an OU's security policy. Which of the following should be done to undo the changes? A. Choose UNDO from MMC B. Choose UNAPPLY from MMC C. Choose CANCEL in MMC *D. None of the choices Explanation: You cannot undo a change to a policy directly. BFQ Skill: Utilizing Security Templates


9. Mary has accidentally modified an OU's security policy. What preventive measure can you take to facilitate the restoration of the original settings? A. Export the settings to INF before making changes B. Import the settings from the INF when you want to restore C. Backup the entire Active Directory before making changes D. Restore the Active Directory when you need to restore

10. How do you restrict some functions on ALL computers of SBP via a security template? A. Choose Windows 2000 Domain -> Registry node B. Choose Windows 2000 Domain Security Template -> Registry node C. Choose Windows 2000 Security Enhanced Template -> Registry node D. Choose Windows 2000 Domain Policy Template -> Registry node

9. Mary has accidentally modified an OU's security policy. What preventive measure can you take to facilitate the restoration of the original settings? *A. Export the settings to INF before making changes *B. Import the settings from the INF when you want to restore C. Backup the entire Active Directory before making changes D. Restore the Active Directory when you need to restore Explanation: You should be extremely careful when trying to make changes to the security policies. BFQ Skill: Utilizing Security Templates

10. How do you restrict some functions on ALL computers of SBP via a security template? A. Choose Windows 2000 Domain -> Registry node *B. Choose Windows 2000 Domain Security Template -> Registry node C. Choose Windows 2000 Security Enhanced Template -> Registry node D. Choose Windows 2000 Domain Policy Template -> Registry node Explanation: From here you can define a security policy for a registry key or a database value. BFQ Skill: Utilizing Security Templates



Case Study 13: SamuraiPro Trading Company You are a Network Consultant with specialized skills in designing Windows 2000 directory services. SamuraiPro Trading Company has recently asked you to design the security and the directory for the entire company.

Background SamuraiPro Trading Company is the leading provider of top-quality Samurai-related martial arts goods in Orange County. It is continually searching for and testing new items to put in its catalog. However, new items must pass its own in-house use test. The catalog resides on the SQL Server 7 machine together with the IIS service. The network has both NT 3.5 and NT 4.0 servers. The firewall resides on a Linux machine. At SamuraiPro, a significant amount of time and energy is spent using and testing the swords that it sells. To promote its products, SamuraiPro frequently participates in the Blade Show in Orange County. At the trade show its staff record its visitors and give them access to its web site. The URL of the web site is www.Spro.com

Structure In SamuraiPro's business environment, there are 3 important entities: SamuraiPro itself, its supplier in Japan, and the trade show company. They have agreed to share their resources with each other to a limited extent. According to the CEO, sales are expected to grow by 150% next year. Instead of opening new locations, SamuraiPro will form partnerships with other companies. The partnerships will be under separate control.

Currently, the sales departments of SamuraiPro are organized as follows:
SALES
|---- Sword
|     |---- Short sword
|     |---- Long sword
|---- Mat
|---- Shirts


1. How would you prevent rogue DHCP servers from appearing in the new SamuraiPro Windows 2000 network? A. Manually start the DHCP services B. Restrict access to Active Directory DHCP server object C. Enable Rogue server detection D. Disable DHCP autostart E. Audit the DHCP server object

2. You are asked to prepare a delegation strategy for SamuraiPro. Which of the following elements would be the one with the most control over all the other objects? A. Active Directory B. Domain controller C. ACL D. EFS

1. How would you prevent rogue DHCP servers from appearing in the new SamuraiPro Windows 2000 network? A. Manually start the DHCP services *B. Restrict access to Active Directory DHCP server object C. Enable Rogue server detection D. Disable DHCP autostart E. Audit the DHCP server object Explanation: The DHCP server object holds the list of IP addresses of the authorized DHCP servers. BFQ Skill: Utilizing Security Templates

2. You are asked to prepare a delegation strategy for SamuraiPro. Which of the following elements would be the one with the most control over all the other objects? A. Active Directory B. Domain controller *C. ACL D. EFS Explanation: ACL is used almost everywhere to determine who can do what in the system. It has control on many aspects of the system. BFQ Skill: Designing a Delegation of Authority Strategy


3. Which of the following is true regarding nested delegation? A. Same as hierarchical delegation B. Allows you to delegate to smaller and smaller units C. Enhance security D. None of the choices

4. Timmy needs to move some objects from the Shirts OU to the Mats OU. Which of the following permissions are required for him to do so? A. Permission to create objects in Mats OU B. Permission to create objects in Shirts OU C. Permission to delete objects in Mats OU D. Permission to delete objects in Shirts OU

3. Which of the following is true regarding nested delegation? *A. Same as hierarchical delegation *B. Allows you to delegate to smaller and smaller units C. Enhance security D. None of the choices Explanation: Too many nested levels may introduce delay or even problems. Beware of using nested delegation. BFQ Skill: Designing a Delegation of Authority Strategy

4. Timmy needs to move some objects from the Shirts OU to the Mats OU. Which of the following permissions are required for him to do so? *A. Permission to create objects in Mats OU B. Permission to create objects in Shirts OU C. Permission to delete objects in Mats OU *D. Permission to delete objects in Shirts OU Explanation: Timmy needs to be able to create new objects in the destination OU, and to delete objects from the source OU. BFQ Skill: Designing a Delegation of Authority Strategy


5. The newly hired CIO of SamuraiPro wants to deploy RAID 10 on all the critical Windows 2000 servers. Which of the following must you pay attention to? A. Windows 2000 does not support software RAID10 B. Windows 2000 supports software RAID10 C. Windows 2000 supports software RAID10 with service pack 2 D. Hardware RAID10 solution is needed

6. You need to prepare a backup strategy for the Windows 2000 servers in SamuraiPro's network. Which of the following will be backed up by the option "system state data"? A. Registry B. Active Directory C. Sysvol D. Com+ E. Boot files

5. The newly hired CIO of SamuraiPro wants to deploy RAID 10 on all the critical Windows 2000 servers. Which of the following must you pay attention to? *A. Windows 2000 does not support software RAID10 B. Windows 2000 supports software RAID10 C. Windows 2000 supports software RAID10 with service pack 2 *D. Hardware RAID10 solution is needed Explanation: RAID10 is the fastest and the most reliable RAID form so far. Windows 2000 supports RAID 0, 1 and 5 by software. BFQ Skill: Implementing Disaster Recovery

6. You need to prepare a backup strategy for the Windows 2000 servers in SamuraiPro's network. Which of the following will be backed up by the option "system state data"? *A. Registry *B. Active Directory *C. Sysvol *D. Com+ *E. Boot files Explanation: System State data includes all the most important files needed for restoration. BFQ Skill: Implementing Disaster Recovery


7. You need to prepare a backup strategy for the Windows 2000 servers in SamuraiPro's network. How do you back up the system state data of server A from server B? A. By using DCOM B. By using DTS C. By using MMC with the Remote Backup snap in D. By using MMC with the Remote Storage snap in E. None of the choices

8. You need to prepare a backup strategy for the Windows 2000 servers in SamuraiPro's network. You want Susan to be responsible for backing up Server A's system state data. Which of the following is required? A. Make her a member of the LOCAL admin group B. Make her a member of the DOMAIN admin group C. Make her a member of the UNIVERSAL admin group D. None of the choices

7. You need to prepare a backup strategy for the Windows 2000 servers in SamuraiPro's network. How do you back up the system state data of server A from server B? A. By using DCOM B. By using DTS C. By using MMC with the Remote Backup snap in D. By using MMC with the Remote Storage snap in *E. None of the choices Explanation: System state data can only be backed up locally. BFQ Skill: Implementing Disaster Recovery

8. You need to prepare a backup strategy for the Windows 2000 servers in SamuraiPro's network. You want Susan to be responsible for backing up Server A's system state data. Which of the following is required? *A. Make her a member of the LOCAL admin group B. Make her a member of the DOMAIN admin group C. Make her a member of the UNIVERSAL admin group D. None of the choices Explanation: The backup of System State data is completely local, so one must be a local admin to execute the backup. BFQ Skill: Implementing Disaster Recovery


9. You use Fast Restore for SamuraiPro's Server C because of registry and data corruption. Which of the following may occur? A. You may lose some of the settings after restoration. B. You preserve all the original settings after restoration. C. You will be prompted for choices D. You will NOT be prompted for choices

10. How do you recover a troubled Windows 2000 server without having the emergency repair disks? A. Start the computer and choose the L option B. Start the computer and choose the W option C. Start the computer and choose the F option D. Boot into SAFE mode and manually locate the emergency folder E. Use the emergency disks for other similar servers

9. You use Fast Restore for SamuraiPro's Server C because of registry and data corruption. Which of the following may occur? *A. You may lose some of the settings after restoration. B. You preserve all the original settings after restoration. C. You will be prompted for choices *D. You will NOT be prompted for choices Explanation: Fast Restore will try to restore every registry file. If one cannot be restored, the default Windows 2000 value will be used instead. BFQ Skill: Implementing Disaster Recovery

10. How do you recover a troubled Windows 2000 server without having the emergency repair disks? *A. Start the computer and choose the L option B. Start the computer and choose the W option C. Start the computer and choose the F option D. Boot into SAFE mode and manually locate the emergency folder E. Use the emergency disks for other similar servers Explanation: The L option will try to locate the Repair folder from the hard drive for you. BFQ Skill: Implementing Disaster Recovery



Case Study 14: LaserPoint You are a Network Consultant with specialized skills in designing Windows 2000 directory services. LaserPoint has recently asked you to design the security and the directory for the entire company.

Background LaserPoint has been importing laser pointers by the thousands since 1994. Its business model is quite unique: it operates from the garages of the partners to reduce overhead to almost zero, which allows them to provide low prices for the customers. Fortunately, all of the garages have cable modem connectivity, which allows them to connect with each other via VPN. So far there are 5 garages in this business. Each garage has its own NT4 domain.

Products Products sold by LaserPoint include:
Sales Team 1
• Green Laser Pointers
• Keychain Pointers
• Pattern Pointers
• Full Size Pointers
• Ballpoint Pen Pointers

Sales Team 2
• Laser Yoyo
• Laser Glove
• Laser Aimer
• Gunsight Diode Modules
• Spectacle Binoculars


Organization Each sales team has about 3 members. They all work in the downtown garage location. The owner of the company prefers to organize the sales teams into OUs. There are special considerations regarding these products. For example:
• Only UPS or courier can ship green laser pointers, because of their high value.
• Foreign buyers are responsible for customs duty charges.
• The buyer is responsible for shipping charges, and if the buyer refuses to accept the merchandise ordered, the buyer is also responsible for the charges to return the shipment to the company.
All orders are mailed the day received up to 3PM Central Time. When paying by credit card, orders can be shipped only to the credit card billing address. For orders of 50 units or more, special shipping rates apply. Each garage hires 2 part-time staff as shipment handlers. Shipping and handling is an important part of the company. LaserPoint has a web server dedicated to providing shipping schedules to the customers. In addition, they have arrangements to connect to the shipping company's extranet. LaserPoint plans to host a new web site (code name Italy) for web-based information enquiry. This site will be open to the public. An Oracle database server will provide data to the IIS web services running on Windows 2000.

Proposed IT Structure


1. Which of the following are valid guidelines for deploying EFS in BFQ LaserPoint's network? A. Files that are to be shared should not be encrypted B. Files that are to be shared should be encrypted C. The partitions where the files reside must be of NTFS D. The partitions where the files reside must be of NTFS or FAT32

2. The owner of an encrypted file left the company. As an administrator, what should you do to recover the file content? A. Use Data Recovery Agent B. Use Recovery Wizard C. Restore the file from the tape D. Remove the encrypted attribute from the file's properties

1. Which of the following are valid guidelines for deploying EFS in BFQ LaserPoint's network? *A. Files that are to be shared should not be encrypted B. Files that are to be shared should be encrypted *C. The partitions where the files reside must be of NTFS D. The partitions where the files reside must be of NTFS or FAT32 Explanation: Since an encrypted file can only be accessed by the recovery agent or the owner, there is no point in encrypting a file if it is to be shared. BFQ Skill: Designing an Encrypting File System Strategy

2. The owner of an encrypted file left the company. As an administrator, what should you do to recover the file content? *A. Use Data Recovery Agent B. Use Recovery Wizard C. Restore the file from the tape D. Remove the encrypted attribute from the file's properties Explanation: An encrypted file can only be accessed by the recovery agent or the owner. BFQ Skill: Designing an Encrypting File System Strategy


3. Server A has NTFS partitions while Server B has FAT32 partitions. Mary created a file and encrypted it in Server A. Later she moved the file to Server B. What would happen? A. The file is encrypted B. The file is no longer encrypted C. The file is compressed D. The file is uncompressed

4. Server A has NTFS partitions while Server B has FAT32 partitions. Mary created a file and now she wants to encrypt it in Server A. There is NO CA present in the network. What should she do to encrypt the file? A. Just proceed B. Install a CA C. Obtain a certificate from a commercial CA D. Obtain a certificate from the enterprise CA E. None of the choices

3. Server A has NTFS partitions while Server B has FAT32 partitions. Mary created a file and encrypted it in Server A. Later she moved the file to Server B. What would happen? A. The file is encrypted *B. The file is no longer encrypted C. The file is compressed D. The file is uncompressed Explanation: Once the file is moved to a non-NTFS partition it is no longer encrypted. BFQ Skill: Designing an Encrypting File System Strategy

4. Server A has NTFS partitions while Server B has FAT32 partitions. Mary created a file and now she wants to encrypt it in Server A. There is NO CA present in the network. What should she do to encrypt the file? *A. Just proceed B. Install a CA C. Obtain a certificate from a commercial CA D. Obtain a certificate from the enterprise CA E. None of the choices Explanation: Without a CA, EFS will self sign the certificate. BFQ Skill: Designing an Encrypting File System Strategy


5. Server A has NTFS partitions while Server B has FAT32 partitions. Mary created a file and now she wants to encrypt it in Server A. There is NO CA present in the network. How should she encrypt the file? A. Use the encrypt.exe command B. Use Windows Explorer C. Use EFS Wizard D. Use MMC E. None of the choices

6. Server A has NTFS partitions while Server B has FAT32 partitions. Mary created a file and now she wants to encrypt it in Server A. She wants to access further encryption capabilities from the command line. Which of the following should she do? A. Use the CIPHER command B. Use the ENCRYPT command C. Use MMC.exe D. Use EFSWizard.exe

5. Server A has NTFS partitions while Server B has FAT32 partitions. Mary created a file and now she wants to encrypt it in Server A. There is NO CA present in the network. How should she encrypt the file? A. Use the encrypt.exe command *B. Use Windows Explorer C. Use EFS Wizard D. Use MMC E. None of the choices Explanation: She can mark the file for encryption with Windows Explorer. BFQ Skill: Designing an Encrypting File System Strategy

6. Server A has NTFS partitions while Server B has FAT32 partitions. Mary created a file and now she wants to encrypt it in Server A. She wants to access further encryption capabilities from the command line. Which of the following should she do? *A. Use the CIPHER command B. Use the ENCRYPT command C. Use MMC.exe D. Use EFSWizard.exe Explanation: There are many options available for this command. You can encrypt, decrypt, view file status, etc. BFQ Skill: Designing an Encrypting File System Strategy


7. How do you implement EFS recovery policy for BFQ LaserPoint? A. Via the Group Policy MMC snap in -> Public Key Policies -> EFS node B. Via the Group Policy MMC snap in -> Public Key Policies -> ERDA node C. Via the Group Policy MMC snap in -> Private Key Policies -> ERDA node D. Via the Group Policy MMC snap in -> Private Key Policies -> EFS node

8. The Proxy Server on the network has packet filtering enabled. Which of the following methods can enhance the security? A. Make sure that the Proxy clients connect directly to the Proxy Server B. Make sure that the Proxy clients do not connect directly to the Firewall C. Make sure that the Proxy clients connect directly to the DNS Server A D. Make sure that the Proxy clients do not connect directly to the DNS Server B

7. How do you implement EFS recovery policy for BFQ LaserPoint? A. Via the Group Policy MMC snap in -> Public Key Policies -> EFS node *B. Via the Group Policy MMC snap in -> Public Key Policies -> ERDA node C. Via the Group Policy MMC snap in -> Private Key Policies -> ERDA node D. Via the Group Policy MMC snap in -> Private Key Policies -> EFS node Explanation: ERDA stands for Encrypted Data Recovery Agents. EFS recovery policy should be configured as part of the overall security policy. BFQ Skill: Designing an Encrypting File System Strategy

8. The Proxy Server on the network has packet filtering enabled. Which of the following methods can enhance the security? *A. Make sure that the Proxy clients connect directly to the Proxy Server *B. Make sure that the Proxy clients do not connect directly to the Firewall C. Make sure that the Proxy clients connect directly to the DNS Server A D. Make sure that the Proxy clients do not connect directly to the DNS Server B Explanation: The Proxy Server can provide packet filtering for the clients only if the clients do not bypass it. BFQ Skill: Providing Secure Access to Public Networks from a Private Network


9. You are asked to prevent in-house staff from accessing competitors' web sites. Which of the following are valid methods of doing this? A. Deploy Proxy Server B. Filter by domain name C. Filter by ARP D. Filter port 80 E. Deploy Connection Sharing

10. Which of the following are valid ways to enhance the security of the database for project Italy? A. Implement a DMZ B. Place the web server in the screened subnet C. Place the database server outside of the screened subnet into the internal area of the network D. Place the database server outside of the screened subnet right next to the router

9. You are asked to prevent in-house staff from accessing competitors' web sites. Which of the following are valid methods of doing this? *A. Deploy Proxy Server *B. Filter by domain name C. Filter by ARP D. Filter port 80 E. Deploy Connection Sharing Explanation: You may use Proxy Server to filter by URL. This can be done only if the clients cannot bypass it. BFQ Skill: Providing Secure Access to Public Networks from a Private Network

10. Which of the following are valid ways to enhance the security of the database for project Italy? *A. Implement a DMZ *B. Place the web server in the screened subnet *C. Place the database server outside of the screened subnet into the internal area of the network D. Place the database server outside of the screened subnet right next to the router Explanation: Two firewalls are needed to construct a DMZ. The web server should be placed in the screened subnet, as it is always the target of attack. BFQ Skill: Providing Secure Access to Public Networks from a Private Network



Case Study 15: StylerX You are a Network Consultant with specialized skills in designing Windows 2000 directory services. StylerX has recently asked you to design the security and the directory for the entire company.

Background StylerX is a clothing retailer that has been in business for eight years. Last year's total sales for all retail stores were $330 million. It has a headquarters in Tampa with approximately 105 people, with 17 employees in the IT department. It has retail stores located in five major cities in Florida, with 70 employees at each of the retail stores. To expand its business, it needs a web site. Currently, the company has most of its functions handled by NT4 servers. The network has the entire infrastructure in place, and has dial-up connectivity with all the retail stores.

Web Site Summary
• Information on the Web server can be modified only with proper authorization.
• Information must be secure as it travels from the customer's computer to the server.
• Information that customers download must not damage their software or violate licensing agreements.
• Need an ActiveX control that can display different sizes of clothing on a 3D model.
• After visitors enter their name and address and receive an ID, they will be considered customers.
• The Web site must include a shopping basket and a checkout function.
• The site can identify returning customers automatically by their ID and password.
• Transaction information will be stored in a transaction-tracking file.


Visions and Strategy
• All existing Windows NT Server domain controllers will be upgraded to Windows 2000 native mode, and a single forest will be created.
• A DMZ will be set up.
• More Windows 2000 Server computers will be added:
  • SXWEB - multihomed web server
  • SXDEV - used by programmers to develop the Web content
  • SXDATA - contains all customer, inventory, and order information in SQL Server
  • SXVPN - VPN server
  • SXDC1 and SXDC2 - domain controllers
• All remote access servers will be eliminated, and the retail stores will submit their data over the Internet through a VPN.
• Hardware and software at the retail stores will remain the same.
• WAN and LAN bandwidth will remain the same.


1. Which type of CA will you use to digitally sign the ActiveX control of StylerX?
A. third-party CA
B. enterprise CA
C. Active Directory CA
D. Domain controller CA

2. Which audit policy should you use on SXWEB?
A. success and failure audit for object access
B. failure audit for object access
C. success audit for object access
D. None of the choices

1. Which type of CA will you use to digitally sign the ActiveX control of StylerX?
*A. third-party CA
B. enterprise CA
C. Active Directory CA
D. Domain controller CA
Explanation: Since the ActiveX controls will be used by outside parties, you should have a third-party CA sign them, so that customers' browsers can verify the signature without trusting StylerX's internal CA.
BFQ Skill: Designing a Public Key Infrastructure

2. Which audit policy should you use on SXWEB?
*A. success and failure audit for object access
B. failure audit for object access
C. success audit for object access
D. None of the choices
Explanation: You want to know who has accessed the file objects as well as who has failed in attempts to access them.
BFQ Skill: Designing an Audit Policy


3. Which methods should you use to identify and authenticate existing customers on the StylerX Web site?
A. SSL
B. anonymous logon
C. database validation
D. basic authentication

4. Which audit policy should you use to detect possible intrusions into the StylerX Fashion First network?
A. Success and failure audit for logon events
B. Success and failure audit for object access events
C. Success and failure audit for use of user rights events
D. None of the choices

3. Which methods should you use to identify and authenticate existing customers on the StylerX Web site?
*A. SSL
*B. anonymous logon
*C. database validation
D. basic authentication
Explanation: For a large number of web users, it is better to set up a database for verification than to rely on the authentication mechanisms provided by IIS.
BFQ Skill: Designing an Authentication Strategy

4. Which audit policy should you use to detect possible intrusions into the StylerX Fashion First network?
*A. Success and failure audit for logon events
B. Success and failure audit for object access events
C. Success and failure audit for use of user rights events
D. None of the choices
Explanation: Attackers guessing passwords generate many failed logon events.
BFQ Skill: Designing an Audit Policy


5. Which of the following are valid connection settings for StylerX?
A. Customer to Firewall - use secure Internet connection
B. Firewall to SXWEB - use TCP/IP connection
C. SXWEB to internal firewall - use TCP/IP connection
D. Internal firewall to SXDATA - use TCP/IP connection

6. Which of the following are valid connection methods for StylerX and its retail stores?
A. Retail stores to VPN -> use VPN Tunnel
B. Customer to SXWEB -> use SSL
C. Retail stores to VPN -> use EAP
D. Customer to SXWEB -> use TLS

5. Which of the following are valid connection settings for StylerX?
*A. Customer to Firewall - use secure Internet connection
*B. Firewall to SXWEB - use TCP/IP connection
*C. SXWEB to internal firewall - use TCP/IP connection
*D. Internal firewall to SXDATA - use TCP/IP connection
Explanation: Customers from the outside world should connect to StylerX using SSL.
BFQ Skill: Designing an Authentication Strategy

6. Which of the following are valid connection methods for StylerX and its retail stores?
*A. Retail stores to VPN -> use VPN Tunnel
*B. Customer to SXWEB -> use SSL
C. Retail stores to VPN -> use EAP
D. Customer to SXWEB -> use TLS
Explanation: A VPN tunnel should be used for the VPN connection. Customers from the outside world should connect to StylerX using SSL.
BFQ Skill: Designing an Authentication Strategy


7. How should you authenticate visitors to the StylerX Web site?
A. Authenticate visitors to an anonymous account.
B. Basic Authentication
C. Challenge and Response
D. None of the choices

8. Which technology should you use to securely connect the retail stores to StylerX headquarters?
A. EAP
B. TLS
C. L2TP
D. PPTP

7. How should you authenticate visitors to the StylerX Web site?
*A. Authenticate visitors to an anonymous account.
B. Basic Authentication
C. Challenge and Response
D. None of the choices
Explanation: You want to use a database for verification instead of relying on IIS.
BFQ Skill: Providing External Users with Secure Access to Private Networks

8. Which technology should you use to securely connect the retail stores to StylerX headquarters?
A. EAP
B. TLS
C. L2TP
*D. PPTP
Explanation: PPTP is used because the retail stores are running NT4, which supports only PPTP for tunneling.
BFQ Skill: Providing External Users with Secure Access to Private Networks


9. Which authentication protocol should you use to secure the VPN connection from the retail stores to StylerX headquarters?
A. MS-CHAP
B. CHAP
C. PAP
D. EAP

10. Which changes should the retail stores make to support the VPN connection to StylerX?
A. Configure the connection type to dial in to the ISP.
B. Use PPTP to communicate with the VPN server.
C. Use L2TP to communicate with the VPN server.
D. Use EAP to authenticate with the VPN server.

9. Which authentication protocol should you use to secure the VPN connection from the retail stores to StylerX headquarters?
*A. MS-CHAP
B. CHAP
C. PAP
D. EAP
Explanation: MS-CHAP is the Microsoft implementation of CHAP and is considered secure enough to be used with PPTP.
BFQ Skill: Providing Secure Access Between Private Networks

10. Which changes should the retail stores make to support the VPN connection to StylerX?
*A. Configure the connection type to dial in to the ISP.
*B. Use PPTP to communicate with the VPN server.
C. Use L2TP to communicate with the VPN server.
D. Use EAP to authenticate with the VPN server.
Explanation: NT4 supports only PPTP, not L2TP. To use a VPN, the store must first be connected to the Internet.
BFQ Skill: Providing Secure Access Between Private Networks



Case Study 16: MediX, Inc.
You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by MediX Inc. to design the security and the directory for the entire company.

Background
About MediX: MediX is a medical supply company with headquarters located in Jacksonville, Florida. There are more than 1,000 employees at headquarters. The company sells and distributes medical supplies to large hospitals in 40 states. It has distribution centers in Boston, Massachusetts; Dallas, Texas; Miami, Florida; Minneapolis, Minnesota; New Orleans, Louisiana; Tampa, Florida; Seattle, Washington; and St. Louis, Missouri.

IT Environment
There is one mainframe computer located at the headquarters. There are 280 computer terminals at headquarters connected to the mainframe computer. There are also computer terminals at each distribution center. A T1 line connects the computer terminals at the distribution centers to the mainframe computer.

Envisioned IT Environment
The mainframe computer at the headquarters will be replaced with Windows 2000 Server. All servers and client computers should be upgraded to Windows 2000 too, except that some sales representatives will still carry Windows NT 4.0 laptops. The portable computers will contain a program named XSalesforce, which will be used to order supplies. The portable computers will also contain customer information. Delegation of administrative tasks will be required. Security for network and offline information is the key to the strategy. A VPN should be deployed for connectivity between the headquarters and the many distribution centers. Hospitals should be able to view only their own order status. They will be connected to headquarters by using Routing and Remote Access. Each hospital will have a user account.



1. What is the existing IT administrative model for MediX?
A. Centralized
B. Decentralized
C. Parallel
D. Linear

2. What is the envisioned IT administrative model for MediX?
A. Centralized
B. Decentralized
C. Parallel
D. Linear

1. What is the existing IT administrative model for MediX?
*A. Centralized
B. Decentralized
C. Parallel
D. Linear
Explanation: Since the company relies largely on a single mainframe, the existing design is clearly centralized.
BFQ Skill: Analyzing The Structure of IT Management

2. What is the envisioned IT administrative model for MediX?
A. Centralized
*B. Decentralized
C. Parallel
D. Linear
Explanation: Windows 2000 allows for the delegation of authority, which is a decentralized management model.
BFQ Skill: Analyzing The Structure of IT Management


3. In order to view the status of their orders, how should hospitals connect to the headquarters?
A. Use Routing and Remote Access
B. Use Windows 2000 logon authentication
C. Use VPN
D. Use MS-CHAP logon authentication

4. At each distribution center of MediX, how should you grant the necessary permissions to the IT administrator?
A. Create an administrator group for each distribution center's organizational unit.
B. Add an existing user designated as an administrator to this account.
C. Grant the necessary permissions to this group.
D. None of the choices

3. In order to view the status of their orders, how should hospitals connect to the headquarters?
*A. Use Routing and Remote Access
*B. Use Windows 2000 logon authentication
C. Use VPN
D. Use MS-CHAP logon authentication
Explanation: The case states clearly that the hospitals will connect through Routing and Remote Access. Logon authentication is required for security.
BFQ Skill: Designing Windows 2000 Security for Remote Access Users

4. At each distribution center of MediX, how should you grant the necessary permissions to the IT administrator?
*A. Create an administrator group for each distribution center's organizational unit.
*B. Add an existing user designated as an administrator to this account.
*C. Grant the necessary permissions to this group.
D. None of the choices
Explanation: An OU is a good tool for delegation of authority. The local administrator is given no more than what the role needs.
BFQ Skill: Applying Group Policy


5. In order to encrypt orders from the sales representatives to the distribution centers for MediX, what should you do?
A. Use 40-bit encryption for Routing and Remote Access
B. Use 128-bit encryption for Routing and Remote Access
C. Use PPTP with packet filtering for VPN
D. Use Kerberos

6. How do you meet the security requirements for the MediX Windows 2000 upgrade?
A. Encrypt data transmitted to the distribution centers.
B. Verify that only unaltered versions of the XSalesforce program are loaded onto the portable computers.
C. Ensure that only the sales representatives can create orders.
D. Secure the data on the portable computers.

5. In order to encrypt orders from the sales representatives to the distribution centers for MediX, what should you do?
A. Use 40-bit encryption for Routing and Remote Access
*B. Use 128-bit encryption for Routing and Remote Access
*C. Use PPTP with packet filtering for VPN
D. Use Kerberos
Explanation: The entire operation of MediX is within the US, so you can deploy 128-bit encryption. A VPN is a must for connectivity of this sort.
BFQ Skill: Providing External Users with Secure Access to Private Network

6. How do you meet the security requirements for the MediX Windows 2000 upgrade?
*A. Encrypt data transmitted to the distribution centers.
*B. Verify that only unaltered versions of the XSalesforce program are loaded onto the portable computers.
*C. Ensure that only the sales representatives can create orders.
*D. Secure the data on the portable computers.
Explanation: All of these are appropriate actions for enhancing security.
BFQ Skill: Identifying the Required Level of Security for Each Resource


7. How should you implement auditing on the Windows 2000 Server computers for MediX?
A. Enable failure audit for logon events on the domain controllers.
B. Disable failure audit for logon events on the domain controllers.
C. Set an auditing schedule
D. Set an auditing filter

8. In order to prevent changes to the wallpaper on all MediX computers, which Group Policy strategy should you use?
A. Create one Group Policy for all distribution centers
B. Apply the Group Policy at the headquarters domain
C. Enable registry editing
D. Deploy system policy locally

7. How should you implement auditing on the Windows 2000 Server computers for MediX?
*A. Enable failure audit for logon events on the domain controllers.
B. Disable failure audit for logon events on the domain controllers.
C. Set an auditing schedule
D. Set an auditing filter
Explanation: Numerous failed logon attempts indicate a possible password attack.
BFQ Skill: Designing an Audit Policy

8. In order to prevent changes to the wallpaper on all MediX computers, which Group Policy strategy should you use?
*A. Create one Group Policy for all distribution centers
*B. Apply the Group Policy at the headquarters domain
C. Enable registry editing
D. Deploy system policy locally
Explanation: You want to create one Group Policy for all distribution centers because the same restriction is to be applied to all the computers.
BFQ Skill: Applying Group Policy


9. How do you restrict hospitals' access to the order status information?
A. Set permissions on each hospital's order file to grant that hospital Read permission to its own order file.
B. Set permissions on each hospital's order file to grant that hospital Change permission to its own order file.
C. Add each hospital account into a filtered group
D. Add each hospital account into a screened network

10. How should you configure secure communications between the Pittsburgh distribution center and headquarters for MediX?
A. Enable L2TP
B. Configure an enterprise subordinate CA on the private MediX network.
C. Deploy third party CA
D. Deploy 40-bit encryption

9. How do you restrict hospitals' access to the order status information?
*A. Set permissions on each hospital's order file to grant that hospital Read permission to its own order file.
B. Set permissions on each hospital's order file to grant that hospital Change permission to its own order file.
C. Add each hospital account into a filtered group
D. Add each hospital account into a screened network
Explanation: Granting each hospital Read permission on only its own file means that the staff of one hospital cannot read the files of the other hospitals.
BFQ Skill: Providing Secure Access Between Private Networks

10. How should you configure secure communications between the Pittsburgh distribution center and headquarters for MediX?
*A. Enable L2TP
*B. Configure an enterprise subordinate CA on the private MediX network.
C. Deploy third party CA
D. Deploy 40-bit encryption
Explanation: You do not need a third-party CA if your Internet-facing services are not open to the public; an internal enterprise CA is sufficient for communication between your own sites.
BFQ Skill: Designing a Public Key Infrastructure


11. How should you authenticate users from BlanketX who access XFab's network over the VPN?
A. Use the fully qualified domain name.
B. Use the fully qualified domain password.
C. Use the fully qualified domain name and password.
D. None of the choices

11. How should you authenticate users from BlanketX who access XFab's network over the VPN?
A. Use the fully qualified domain name.
B. Use the fully qualified domain password.
*C. Use the fully qualified domain name and password.
D. None of the choices
Explanation: With Windows 2000, authenticating with the fully qualified domain name and password is the way to go.
BFQ Skill: Providing External Users with Secure Access to Private Network Resources



Case Study 17: XFab, Inc.
You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by XFab Inc. to design the security and the Directory for the entire company.

Background
XFab is a manufacturer of industrial fabrics. It has more than 13,000 employees. Its headquarters is located in Boston, Massachusetts, and there are manufacturing facilities in Atlanta, Georgia; Baja, Mexico; and Dublin, Ireland. BlanketX is a manufacturer of specialty blankets. It has more than 350 employees and only one manufacturing facility, in Miami, Florida. XFab has just completed an agreement with BlanketX to begin a joint venture. Both companies want to expand their product lines to include space blankets. These blankets will protect satellites from collisions with meteorites and other space debris. XFab and BlanketX have a similar organizational structure. Each company has an engineering department, a manufacturing department, and a sales department. The engineering department includes engineers who will create the designs for the space blankets. The manufacturing department includes employees who will manufacture the blankets. The sales department includes sales representatives who will sell the blankets.

Existing IT Environment
In XFab, all servers, desktop computers, and portable computers run Windows 2000. Each manufacturing facility and headquarters has a server named MANUFACTURING and a server named ENGINEERING. The manufacturing facilities are connected to headquarters with T1 lines. There is one remote access server at headquarters and one remote access server at each manufacturing facility. XFab has a single domain named XFABER. Each manufacturing facility has its own organizational unit (OU). The OUs are named ATLANTA, BAJA, BOSTON, and DUBLIN. BlanketX has just completed a full upgrade to Windows 2000 on all servers and desktop computers. There is a single domain named BLANKETX and a domain namespace named BlanketX.com. The company has its own unique Active Directory schema. In addition, BlanketX, Inc. has a VPN server named FABHQVPN and an e-mail server. All files for the joint venture are stored in a shared folder named FABSPACE.


Envisioned IT Environment
For XFab, there will be one DNS namespace named XFab.com. The existing domain will be in one forest. The engineering department and the manufacturing department will each have their own organizational unit at each manufacturing facility and at headquarters. IT employees located at each manufacturing facility will administer the OU for that manufacturing facility. The OU administrators will have full control of all folders on all servers within their OUs. A trust relationship will be established between BOSTON and BLANKETX that will allow engineers access to each other's domains. Note that the security design for BlanketX, Inc. will not be changed.


1. Which of the following is the primary security risk for XFab regarding BlanketX?
A. BlanketX employees viewing confidential information from XFab.
B. Unauthorized users gaining access to the floppy drive on the portable computers.
C. Both choices
D. None of the choices

2. Which of the following is the primary security risk for XFab regarding the portable computers?
A. Unauthorized users gaining access to customer information on the portable computers.
B. Unauthorized users gaining access to the floppy drive on the portable computers.
C. Both choices

1. Which of the following is the primary security risk for XFab regarding BlanketX?
*A. BlanketX employees viewing confidential information from XFab.
B. Unauthorized users gaining access to the floppy drive on the portable computers.
C. Both choices
D. None of the choices
Explanation: You should design your security strategy to address this issue. Special permission or trust settings may be needed in this scenario.
BFQ Skill: Analyzing Factors that Influence Company Strategies

2. Which of the following is the primary security risk for XFab regarding the portable computers?
*A. Unauthorized users gaining access to customer information on the portable computers.
B. Unauthorized users gaining access to the floppy drive on the portable computers.
C. Both choices
Explanation:


3. Which security group strategy should you use for the XFab sales representatives?
A. Assign all sales representatives to universal groups.
B. Assign all sales representatives to global groups.
C. Put the global groups into domain local groups.
D. Put the global groups into universal groups.

4. How should you encrypt information over the VPN between the BOSTON OU and the BLANKETX domain?
A. Implement L2TP over IPSec
B. Implement L2TP with MSCHAP
C. Implement PPTP with MSCHAP
D. Implement PPTP over IPSec

3. Which security group strategy should you use for the XFab sales representatives?
A. Assign all sales representatives to universal groups.
*B. Assign all sales representatives to global groups.
*C. Put the global groups into domain local groups.
D. Put the global groups into universal groups.
Explanation: In the MCSE 2000 series exams, never choose an answer that involves universal groups.
BFQ Skill: Identifying the Required Level of Security for Each Resource

4. How should you encrypt information over the VPN between the BOSTON OU and the BLANKETX domain?
*A. Implement L2TP over IPSec
B. Implement L2TP with MSCHAP
C. Implement PPTP with MSCHAP
D. Implement PPTP over IPSec
Explanation: When both sides are running Windows 2000, use the L2TP and IPSec combination for a secure connection.
BFQ Skill: Providing Secure Access Between Private Networks


5. How should you protect the Internet interface on the XFab VPN server from unauthorized users?
A. Use Routing and Remote Access filters on the Internet interface of the VPN server.
B. Use Routing and Remote Access filters on the interface of the domain controller.
C. Use Active Directory filters on the Internet interface of the VPN server.
D. None of the choices

6. How should you assign the authority for adding new user accounts at XFab after the upgrade?
A. Create a new administrative group at each OU with the authority to create new users
B. Create a new administrative group at each domain with the authority to create new users
C. Create a new administrative group at each forest with the authority to create new users
D. None of the choices

5. How should you protect the Internet interface on the XFab VPN server from unauthorized users?
*A. Use Routing and Remote Access filters on the Internet interface of the VPN server.
B. Use Routing and Remote Access filters on the interface of the domain controller.
C. Use Active Directory filters on the Internet interface of the VPN server.
D. None of the choices
Explanation: The filtering capabilities of Windows 2000 provide a certain degree of protection. However, filtering can cause delay, as the filtering interface can become a bottleneck.
BFQ Skill: Providing External Users with Secure Access to Private Network Resources

6. How should you assign the authority for adding new user accounts at XFab after the upgrade?
*A. Create a new administrative group at each OU with the authority to create new users
B. Create a new administrative group at each domain with the authority to create new users
C. Create a new administrative group at each forest with the authority to create new users
D. None of the choices
Explanation: This is an example of delegation via OU.
BFQ Skill: Identifying the Required Level of Security for Each Resource


7. Which security component should you use on the portable computers to secure network connections?
A. L2TP
B. EFS
C. EAP
D. TLS

8. Which security component should you use on the portable computers to secure the local files should the portable computers get lost?
A. L2TP
B. EFS
C. EAP
D. TLS

7. Which security component should you use on the portable computers to secure network connections?
*A. L2TP
B. EFS
C. EAP
D. TLS
Explanation: L2TP secures the network connection, while EFS protects files on the local hard drive through encryption.
BFQ Skill: Designing Windows 2000 Network Services Security

8. Which security component should you use on the portable computers to secure the local files should the portable computers get lost?
A. L2TP
*B. EFS
C. EAP
D. TLS
Explanation: L2TP secures the network connection, while EFS protects files on the local hard drive through encryption.
BFQ Skill: Designing Windows 2000 Network Services Security


9. For the XFab sales representatives, how should you implement EFS on the portable computers to allow central recovery?
A. Create an enterprise root CA at the Boston OU
B. Create enterprise subordinate CAs at the Atlanta, Baja, and Dublin OUs.
C. Define the recovery agent at the domain level.
D. Define the recovery agent at the OU level.
E. None of the choices

9. For the XFab sales representatives, how should you implement EFS on the portable computers to allow central recovery?
*A. Create an enterprise root CA at the Boston OU
*B. Create enterprise subordinate CAs at the Atlanta, Baja, and Dublin OUs.
*C. Define the recovery agent at the domain level.
D. Define the recovery agent at the OU level.
E. None of the choices
Explanation: Always remember that the recovery agent should be defined at the domain level, not the OU level.
BFQ Skill: Design a Public Key Infrastructure



Case Study 18: ProStaff
You are a Network Consultant with specialized skills in designing Win2000 directory services. You have recently been asked by ProStaff, Inc. to design the security and the directory for the entire company.

Background
ProStaff is a temporary staffing agency that provides companies with temp employees. It employs 2,500 people nationwide. Its headquarters is located in Jacksonville, Florida. Headquarters includes the accounting, payroll, human resources, and IT departments.
ProStaff has branch offices in 200 locations nationwide. Several branch offices that are in the same geographic area make up a region. There are eight regions.
There are payroll centers in Dallas, Texas, and San Francisco. Florida payroll centers process paychecks for all employees within their region.

Existing IT Environment
All headquarters employees, except employees within the IT department, use Windows 98 desktop computers. The IT department uses Windows NT Workstation 4.0 desktop computers.

ProStaff Corporation has 28 Windows NT Server 4.0 computers at headquarters. One of these computers is a certificate server that is not being used, two are file servers that store company data, and 25 run Windows NT Server 4.0, Terminal Server Edition.

ProStaff Corporation has one Outlook Web Access server named OWA1, two domain controllers named DC1 and DC2, three Microsoft Exchange Server 5.5 computers, four UNIX servers that contain Oracle databases, and one remote access server named RAS1. On-site employees use OWA1 to connect to headquarters. Anonymous users can connect to OWA1 to post resumes to an Exchange public folder named Recruiting and to fill out online applications. Each branch office has access to this public folder. The IT representative maintains control of this folder.

The company also maintains an intranet, which includes Web pages for technical support, human resources information, and other company information. Branch offices all have desktop terminals and one computer with a modem. The branch offices connect to a Terminal Server at headquarters.

There are no servers in the branch offices. All headquarters employees are granted access to e-mail and the Internet. Users in branch offices and on-site offices are granted access to e-mail and the Internet from their computers. Users of desktop terminals are not granted access to the Internet. Branch offices are connected to headquarters by fractional T1 lines with a committed information rate of 128 Kbps. ProStaff Corporation has a T1 line to the Internet. The company's domain name is ProStaff.com.

ProStaff Corporation maintains a web page under this domain. On-site offices are not connected to the WAN.

Envisioned IT Environment
ProStaff Corporation wants to upgrade its network to Windows 2000 and use one Active Directory tree. All Terminal Servers will use the Terminal Services feature. All desktop computers will be upgraded to Windows 2000 Professional. ProStaff plans to add a second remote access server, which will be named RAS2. It will also add an Internet Information Services server. OWA1 will not be upgraded to Windows 2000. WAN bandwidth will remain the same.

Security
ProStaff has implemented digital certificates to communicate securely with customers. It has implemented one enterprise root CA. It wants to set up a certificate server for internal use only. It also wants to implement secure communications to the Human Resources shared folder to prevent theft of confidential data during transmission.


1. Which of the following business requirements will have the most impact on the Windows 2000 security design for ProStaff?
A. Continued use of the OWA1 server
B. The Windows 2000 Server upgrade
C. The Windows 2000 Pro upgrade
D. None of the choices

2. Which security solution should you implement for the headquarters regarding secure network communication?
A. Encrypted Data Transmissions
B. EFS
C. TCS
D. Kerberos

1. Which of the following business requirements will have the most impact on the Windows 2000 security design for ProStaff?
*A. Continued use of the OWA1 server
B. The Windows 2000 Server upgrade
C. The Windows 2000 Pro upgrade
D. None of the choices
Explanation: Since OWA1 will not run Windows 2000, it will not have the advanced security functions offered by Windows 2000.
BFQ Skill: Identifying the Required Level of Security for Each Resource

2. Which security solution should you implement for the headquarters regarding secure network communication?
*A. Encrypted Data Transmissions
B. EFS
C. TCS
D. Kerberos
Explanation: Data transmission should be encrypted. EFS is for local file encryption only.
BFQ Skill: Identifying the Required Level of Security for Each Resource


3. Which security solution should you implement for the headquarters regarding network authentication?
A. Certificates
B. EFS
C. TCS
D. Kerberos

4. Which of the following are valid authentication strategies for use in ProStaff?
A. Anonymous Web Client -- Basic Authentication with SSL -- OWA1
B. On-Site Offices -- Basic Authentication with SSL -- OWA1
C. None of the choices

3. Which security solution should you implement for the headquarters regarding network authentication?
*A. Certificates
B. EFS
C. TCS
D. Kerberos
Explanation: Digital certificates are the most secure method of authentication.
BFQ Skill: Designing a Public Key Infrastructure

4. Which of the following are valid authentication strategies for use in ProStaff?
*A. Anonymous Web Client -- Basic Authentication with SSL -- OWA1
*B. On-Site Offices -- Basic Authentication with SSL -- OWA1
C. None of the choices
Explanation: Basic Authentication works for different types of clients. SSL provides secure communication over the web, protecting the credentials that Basic Authentication would otherwise send in the clear.
BFQ Skill: Designing an Authentication Strategy


5. Which of the following authentication methods should ProStaff Corporation's employees at the on-site offices use after the computers are upgraded to Windows 2000?
A. Basic authentication
B. SSL
C. Basic authentication with SSL
D. None of the choices

6. After all computers are upgraded to Windows 2000, which security component should be reconfigured?
A. Network access permission
B. Active Directory modification permission
C. DHCP permission
D. DNS update permission

5. Which of the following authentication methods should ProStaff Corporation's employees at the on-site offices use after the computers are upgraded to Windows 2000?
A. Basic authentication
B. SSL
*C. Basic authentication with SSL
D. None of the choices
Explanation: Basic authentication provides the authentication, while SSL protects the communication channel. The two should be used together.
BFQ Skill: Designing an Authentication Strategy

6. After all computers are upgraded to Windows 2000, which security component should be reconfigured?
*A. Network access permission
B. Active Directory modification permission
C. DHCP permission
D. DNS update permission
Explanation: Windows 2000 offers many more access options. You should reconfigure the network access settings to take advantage of these new options.
BFQ Skill: Securing the Active Directory


7. What is the primary security risk for ProStaff Corp?
A. Theft of Human Resource data
B. Theft of network file resources
C. Theft of network print resources
D. None of the choices

8. How will you implement secure communications between the IT department and the HR department?
A. Certificate based authentication
B. Pre-shared key authentication
C. 3DES encryption
D. ESP

7. What is the primary security risk for ProStaff Corp?
*A. Theft of Human Resource data
B. Theft of network file resources
C. Theft of network print resources
D. None of the choices
Explanation: HR data is the lifeblood of ProStaff, since ProStaff's business is providing temporary employees to clients.
BFQ Skill: Analyzing Company Processes

8. How will you implement secure communications between the IT department and the HR department?
*A. Certificate based authentication
*B. Pre-shared key authentication
*C. 3DES encryption
*D. ESP
Explanation: All of these are valid ways to enhance the security of communication across ProStaff's network.
BFQ Skill: Providing Secure Access between Private Networks


9. Which type or types of CA should you implement for internal use?
A. Stand-alone root CA
B. Enterprise root CA
C. Commercial CA
D. 3rd Party CA

10. How should you implement security for the HR department?
A. Assign the Secure Server (Require Security) IPSec policy at the HR_Servers OU
B. Assign the Client (Respond Only) IPSec policy at the Domain level
C. Assign the Secure Server (Require Security) IPSec policy at the Domain level
D. Assign the Client (Respond Only) IPSec policy at the HR_Servers OU

9. Which type or types of CA should you implement for internal use?
*A. Stand-alone root CA
*B. Enterprise root CA
C. Commercial CA
D. 3rd Party CA
Explanation: An outside CA is needed only if you do business over the Internet with outside parties.
BFQ Skill: Designing a Public Key Infrastructure

10. How should you implement security for the HR department?
*A. Assign the Secure Server (Require Security) IPSec policy at the HR_Servers OU
*B. Assign the Client (Respond Only) IPSec policy at the Domain level
C. Assign the Secure Server (Require Security) IPSec policy at the Domain level
D. Assign the Client (Respond Only) IPSec policy at the HR_Servers OU
Explanation: Remember that the client policy should always be assigned at the domain level. For servers, it is better to place them in an OU and then apply the policy to that OU.
BFQ Skill: Applying Group Policy


11. Which of the following are valid secure access solutions for ProStaff?
A. On-site Offices use SSL to connect to OWA1
B. Branch Offices use RDP to connect to Terminal Servers
C. Terminal Servers use TCP/IP to connect to DC1
D. None of the choices

11. Which of the following are valid secure access solutions for ProStaff?
*A. On-site Offices use SSL to connect to OWA1
*B. Branch Offices use RDP to connect to Terminal Servers
*C. Terminal Servers use TCP/IP to connect to DC1
D. None of the choices
Explanation: Note that Terminal Services uses RDP to communicate with clients. Also, since the terminal server is on the internal network, plain TCP/IP is sufficient for communicating with the domain controller.
BFQ Skill: Designing Windows 2000 Network Services Security

306 Other Microsoft Books

Other Microsoft Certification books by TotalRecall Publications

InsideScoop to MCP / MCSE Certification: Exam 70-220 Designing Security for a Microsoft Windows 2000 Network
ExamInsight For MCP / MCSE Certification: Exam 70-220 Designing Security for a Microsoft Windows 2000 Network
ExamWise For MCP / MCSE Certification: Exam 70-210 Managing Microsoft Windows 2000 Professional
ExamWise For MCP / MCSE Certification: Exam 70-215 Installing, Configuring, and Administering Microsoft Windows 2000 Server
ExamWise For MCP / MCSE Certification: Exam 70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
ExamWise For MCP / MCSE Certification: Exam 70-217 Managing a Microsoft Directory Services Infrastructure
ExamWise For MCP / MCSE Certification: Exam 70-218 Managing a Microsoft Windows 2000 Network Environment
ExamWise For MCP / MCSE Certification: Exam 70-219 Designing a Windows 2000 Directory Services Infrastructure
ExamWise For MCP / MCSE Certification: Exam 70-221 Designing a Microsoft Windows 2000 Network Infrastructure
ExamWise For MCP / MCSE Certification: Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition

Money Back Book Guarantee 307

Money Back Book Guarantee

This guarantee applies only to books published by TotalRecall Publications, Inc.!

We are so confident in our products, we are prepared to offer the following guarantee to YOU, our valued customer: If you do not pass your certification exam after two attempts, we will give money back!

Visit http://www.totalrecallpress.com and select "Money Back Book Guarantee" for details.

Registered book purchasers who qualify will receive:
1. A 50% cash refund of the purchase price
2. A free TotalRecall book of equal value. Note: you must pay for shipping and handling.

To qualify for this TotalRecall Guarantee you must meet these requirements and perform the following tasks:
1. Register your purchase at the TotalRecall web site http://www.totalrecallpress.com
2. Fail the corresponding exam twice (no time limit)
3. Contact TotalRecall for the RMA # and to claim this guarantee. Send email to mailto:[email protected]; the subject must contain your Membership # or Registration #.

Ship the following to claim your refund:
1. RMA # from the returned email
2. Documents of exam scores for both failed attempts
3. Return the book to the following address:
TotalRecall Publications, Inc.
Attn: Corby Tate
1103 Middlecreek
Friendswood, TX 77546
888-992-3131
[email protected]
281-992-3131
281-482-5390 Fax
http://www.bfq.com

It's a Passing day here at the BeachFront. Thank you for using the TotalRecall Success Program.
Bruce Moran
President

308 Free Practice Exam Online

70-220 Free Practice Exam Online

With the purchase of this book you qualify for a free Beachfront Quizzer, Inc. online practice exam.

Visit www.TotalRecallPress.com for details.

Register your book purchase at www.TotalRecallPress.com

Your Registration Code is: EW-03220-1000

System Requirements: Internet connection

Call: 281-992-3131

Good luck with your certification!

Your Book Registration Number is EI-02220-1000

You cannot go wrong with this book because it is GUARANTEED: See details at www.TotalRecallPress.com