
70-220 Brain Dump Revised — June 29th 2001 (Revision 4 – Final Revision)

 

I had Miller Textiles, Just Togs, Proseware, and Hanson. Scored 960

 

This dump zipped (Self-Extracting):

 

https://www.angelfire.com/dc/MS70220/Locksmith70_220_Self_Extracting.exe

I am sure not all answers are correct (check answers) but it is enough to pass!!

 

*****PROSEWARE***** (Case Study #1 – 11 Questions)

 

ProseWare – Temporary Staffing agency – 2500 employees nation-wide

Organization:
HQ – Chicago – 150 people, Dept = Accounting, Payroll, HR (WIN98) & IT (WinNT)
8 Regions –> consists of Branches –> 1 Region Manager/Region
Region manager submits info for the web site, but the branch manager must approve it
200 Branch offices –> 5 – 20 employees –> 1 Manager –> 1 IT “helper” resets machines etc
Customer needs –> 1– 5 employees work on large customer sites
Payroll centers –> Dallas and San Francisco –> payroll for all employees within the region

EXISTING ENVIRONMENT:

28 WinNT 4.0 Servers @ HQ – 1 CA (not used)
– 2 file server
– 25 terminal server
– 1 Outlook WEB access server (OWA1)
– DC1 & DC2
– 3 MS Exchange
– 4 UNIX servers - Oracle databases
– RAS1
Anonymous access for people to post their resumes to a special folder (Recruiting) on OWA1 and to fill out an application form. Each office has access to this folder.

Intranet site – tech support, HR, Company info. – Branch offices –> desktop terminals & one modem PC

PC’s –> WEB & Mail access, Desktop Terminals –> Mail access

WAN: 128 Kbps fractional T1 line between branch offices and HQ

Servers –> Static IP’s; Clients –> DHCP; Each branch = Subnet & Router

Envisioned Network:
Upgrade to Win2K and use AD
OWA1 will remain as WinNT4

Add: RAS2
IIS Server

Security: one enterprise root CA for customers – Implemented
Certificate server for internal users – Required
Secure connections to HR folder – Required
2 way authentication for Laptops – Required

IT:
Centralised Admin, Help desk & Administration group

SALES:
Secure E-mail communication

Branch Offices:
Only the branch manager has access to the HR shared folder

Payroll:
Connect to the Unix machines

START OF QUESTIONS:

 

1. Which business requirement will have the most impact on the win 2000 security design?

 

A. improved network performance

B. continued use of the OWA 1 server in the Windows 2000 environment

C. projected number of branch offices

D. resource access for on-site offices

 

Answer: B

 

2. Which two security solutions should you implement for headquarters? (Choose two)

 

A. EFS

B. digital certificate

C. encrypted data transmissions

D. PAP authentication

E. two-factor authentication

 

Answer: B, C

 

3. Design a windows 2000 authentication strategy for Proseware Corp.(use all computers and Auth. Methods)

Boxes are:


1) DC1

2) OWA1

3) ON-SITE offices

4) Local client computers

5) Anonymous Web Client

 

Auth Methods are:

A) Basic Auth with SSL

B) NTLM

C) Kerberos

DESIGN

Answer (chain): Local client computers (4) > Kerberos (C) > DC1 (1) > NTLM (B) > OWA1 (2) > Basic Auth with SSL (A) > On-site offices (3) > Basic Auth with SSL (A) > OWA1 (2) > Basic Auth with SSL (A) > Anonymous Web Client (5)

 

4. Which authentication method should ProseWare Corporation's employees at on-site offices use after the computers are upgraded to Windows 2000?

 

A. NTLM

B. basic authentication with SSL

C. MS-CHAP

D. Kerberos

 

Answer: B

 

5. How can you allow ProseWare Corporation's employees at on-site offices to communicate securely with headquarters?

 

A. Implement L2TP over IPSec

B. Use basic authentication with SSL

C. Implement DNS security and Group Policies

D. Use encrypted authentication with SSL

 

Answer: B

 

6. After all computers are upgraded to Windows 2000, which security component should you reconfigure?

 

A. IPSec

B. authentication protocols

C. Certificate Services

D. network access permissions

 

Answer: D

 

7. What is the primary security risk for ProseWare Corp?

 

A. Unauthorized network authentication.

B. Theft of HR data

C. Unauthorized changes to web content

D. Theft of payroll center data

 

Answer: B

 

8. How can you implement secure communications between the IT Department and the HR Department? (choose 2)

 

a. Use Kerberos authentication, 3DES encryption, and AH

b. Use Kerberos authentication, 3DES encryption, and ESP

c. Use certificate based authentication, 3DES encryption, and AH

d. Use certificate based authentication, 3DES encryption, and ESP

e. Use pre-shared key authentication, 3DES encryption, and AH

f. Use pre-shared key authentication, 3DES encryption, and ESP

g. Implement digital certificates to secure communication between PCs.

 

Answer: B, D

 

9. Which type or types of CA should you implement for internal use? (Choose all that apply)

 

a. Stand alone root CA

b. Enterprise Subordinate CA

c. 3rd Party CA

d. Stand alone subordinate CA

e. Enterprise root CA

 

Answer: B, E

 

10. The planned Active Directory structure for ProseWare Corp. Is shown in the exhibit. How should you implement security for the HR department?

 

a. Assign the Server (Request Security) IPSec policy at the HR Users OU, and assign the Client (Respond Only) IPSec policy at the domain level

b. Assign the Secure Server (Require Security) and the Client (Respond Only) IPSec policy at the Branch Users, HR Users, and IT Users OU’s

c. Assign the Secure Server (Require Security) IPSec policy at the HR Servers OU, and assign the Client (Respond Only) IPSec policy at the Domain level.

d. Assign the local policy and the Client (Respond Only) IPSec at the domain level.

 

Answer: C

 

11. Design a secure access solution for ProseWare Corp.

Boxes are:


1. DC1

2. OWA1

3. Branch Offices

4. On-site Offices

5. Terminal Services

 

Secure Methods are:

A. SSL

B. TCP/IP

C. Remote Desktop Protocol – RDP

 

Answer:


*****Just Togs***** (Case Study #2 – 10 Questions)

 

1. Which type of CA should you use to digitally sign the ActiveX control?

 

A. Enterprise subordinate CA

B. Third-party CA

C. Enterprise root CA

D. Stand-alone root CA

 

Answer: B

 

2. Which audit policy should you use on JTWEB?

 

A. Success and failure audit for process tracking

B. Success and failure audit for object access

C. Success and failure audit for logon events

D. Success and failure audit for directory service access

 

Answer: B??? Cheat-Sheet says C, hmmm. I chose B on my test, passed with a 960.

 

3. Which methods should you use to identify and authenticate existing customers on the Web site?

 

A. SSL, NTLM logon, and database validation

B. SSL, anonymous logon, and CHAP

C. SSL, NTLM logon and CHAP

D. SSL, anonymous logon and database validation

 

Answer: Everyone else says A, Cheat-Sheet says D and I agree. I passed with a 960; I chose D.

 

4. Which audit policy should you use to detect possible intrusions into the Just Togs network?

 

A. Success and failure audit for process tracking

B. Success and failure audit for privilege

C. Success and failure audit for policy change

D. Success and failure audit for logon events

 

Answer: D

 

5. How should you authenticate visitors to the Web site?

 

A. Authenticate visitors to an anonymous account

B. Authenticate visitors by requiring them to enter their user ID and password

C. Authenticate visitors by using cookies

D. Authenticate visitors that place an order as new or existing customers

 

Answer: A

 

RESEARCH #6 AND #7, THEY APPEAR DIFFERENTLY ON TEST. I FORGOT WHAT I CHOSE??? HMMmmm

 

6. Which technology should you use to securely connect the retail stores to headquarters?

 

A. MS-CHAP

B. IPSec

C. EAP-TLS

D. PPTP

E. L2TP

 

Answer: D

 

7. Which authentication protocol should you use to secure the VPN connection from the retail stores to headquarters?

 

A. EAP

B. PAP

C. SPAP

D. MS-CHAP

 

Answer: D

 

8. Which changes should the retail stores make to Support the VPN connection?

 

A. Configure the connection type to dial in to headquarters. Use L2TP over IPSec to communicate with the VPN server.

B. Configure the connection type to dial in to the ISP. Use L2TP over IPSec to communicate with the VPN server

C. Configure the connection type to dial in to the ISP. Use PPTP to communicate with the VPN server

D. Configure the connection type to dial in to headquarters. Use PPTP to communicate with the VPN server

 

Answer: C

 

9. Design a solution that allows the retail stores to connect securely to headquarters over a VPN and customers to connect securely to headquarters by using the Internet.

 

(Use all objects and connections.)

 

Objects:

 

1. Customer

2. Headquarters

3. JTVPN

4. JTWEB

5. Retail Store.

 

Connections:

A. SSL

B. TCP/IP

C. VPN Tunnel

 

(You must select two objects and choose which connection they are to be joined by)

 

Answer (chain): Retail Store (5) > VPN Tunnel (C) > JTVPN (3) > TCP/IP (B) > Headquarters (2) < JTWEB (4) < SSL (A) < Customer (1)

 

10. Design a network that allows customers to order clothing items on the web site. (Use all objects and connections.)

 


Objects:

 

1. Customer

2. External Firewall

3. Internal Firewall

4. JTDATA

5. JTWEB

 

Connections:

 

A. Secure Internet Connection

B. TCP/IP Connection

 

Answer (chain): Customer (1) > Secure Internet Connection (A) > External Firewall (2) > Secure Internet Connection (A) > JTWEB (5) > TCP/IP Connection (B) > Internal Firewall (3) > TCP/IP Connection (B) > JTDATA (4)

 

 

*****HANSON BROS.***** (Case Study #3 – 16 Questions)

 

Hanson Brothers – Medical supply company

Head Quarters – Chicago – 1000 Employees – 200 sales representatives
– sells to hospitals in 23 states
– 15 distribution centres in different states

Business Process:

A sales rep visits each hospital – Receives a supply order form
– Checks the supplies at the warehouse
– Fills out a paper order form, & faxes it to the nearest distrib centre

Distribution centre:

Receives fax – Clerk inputs data into mainframe
– Each rep only works for one distribution centre

Customer Service:

It doesn’t affect the question…

Existing IT Environment:

Computers: 1 mainframe & 250 PC’s @ HQ (CENTRALISED ADMIN)
10 PC’s @ each distribution centre

WAN: T1 line between each distribution centre and HQ

Envisioned IT Environment:

HQ: Replace the Mainframe with Win2K Servers (DC) and a VPN server

Sales-Reps: Laptops – able to load on their own applications
(Win 2K Pro) – Run an app called Salesforce – order supplies
– Contain Customer info – Encrypted & Recoverable (EFS)

IT management – be aware of unauthorised access to the network
Distrib Centres – DC –RRAS – have its own OU
(Win Pro) – IT admin per centre –add users & add/modify user groups (DECENTRALISED ADMIN)

A folder for each hospital:
– Hospital Folder – Sales rep – Modify
– Hospital Order status sub-folder – Hospital – Read
– Sales Information sub-folder – Sales Rep – Full control

Hospitals will be connected using RRAS

Sales Reps should be able to:
a) Dial in orders
b) Automatically check order status at any time
c) Dial in through RRAS or an ISP & VPN connection

 

START OF QUESTIONS:

 

1. What are the existing and envisioned IT administrative models for Hanson Brothers?

 

a. Existing centralized, Envisioned centralized

b. Existing centralized, Envisioned decentralized

c. Existing decentralized, Envisioned centralized

d. Existing decentralized, Envisioned decentralized

 

Answer: B

 

2. How should hospitals connect to headquarters to view the status of their orders? “The hospital must provide the phone line with which to connect.”

 

a. Use the VPN with Windows 2000 logon authentication

b. Use Routing and Remote Access with Windows 2000 logon authentication

c. Use the VPN with Remote Authentication Dial-In User Service (RADIUS) authentication.

d. Use Routing and Remote Access with Remote Authentication Dial-In User Service (RADIUS) authentication

 

Answer: B

 

3. To which type of group should you assign sales representatives?

 

a. Universal

b. Local

c. Global

d. Domain local

 

Answer: C

 

4. Tree Question Resources


1. Hospital - 1 folder

2. Hospital - 1 Orders subfolders

3. Hospital - 1 Sales Folders Permissions

 

A. All hospitals (read)

B. All Hospitals (Modify)

C. All Hospitals (Full Control)

D. Dallas hospital -1 hospital (Read)

E. Dallas hospital -1 hospital (Modify)

F. Dallas hospital -1 hospital (Full Control)

G. Dallas Hospital -1 sales Rep (Read)

H. Dallas Hospital -1 sales Rep (Modify)

I. Dallas Hospital -1 sales Rep (Full Control)

 

“Hospital can view only their own status information via RRAS”
“…only sales representatives can add, delete, and change their hospital folders”
“Only sales reps can place orders (verification required)…”

ANSWER:

1. Hospital -1 folder: I [sales reps: F. control ]

2. Hospital -1 Orders subfolders: G,D [s.rep: Read / D.Hosp: Read ]

3. Hospital - 1 Sales Folders: H [s. rep: Modify ]

I THINK THIS EXHIBIT IS WRONG, THE ANSWER IS ABOVE as far as I know (passed with 960 chose above)

 

5. How should you grant the necessary permissions to the IT administrator at each distribution center?

 

a. Create a new administrator account for each distribution center's organizational unit (OU). Grant the necessary permissions to this account.

b. Create an administrator group for each distribution center's organizational unit (OU). Add an existing user designated as an administrator to this account. Grant the necessary permissions to this group.

c. Create a new administrator account for each distribution center's organizational unit (OU) in the headquarters root. Grant the necessary permissions to each new administrator's account.

d. Create an administrator group for each organizational unit (OU) at the headquarters root. Add an existing user designated as an administrator from each OU to this group. Grant the necessary permissions to this group.

 

Answer: B

 

6. How should you encrypt orders from the sales representatives to the distribution centers?

a. Use 40-bit encryption for Routing and Remote Access. Use PPTP with packet filtering for VPN

b. Use 40-bit encryption for Routing and Remote Access. Use PPTP without packet filtering for VPN.

c. Use 128-bit encryption for Routing and Remote Access. Use PPTP with packet filtering for VPN

d. Use 128-bit encryption for Routing and Remote Access. Use PPTP without packet filtering for VPN

 

Answer: C

 

7. Which four actions should you take to meet the security requirements for the Windows 2000 upgrade? (Choose 4)

 

a. Ensure that only the sales representatives can create new orders.

b. Verify that only the Salesforce program can be loaded onto the portable computers.

c. Encrypt data transmitted to the distribution centers.

d. Verify that only unaltered versions of the SALESFORCE program are loaded onto the portable computers.

e. Restrict access to order status information to authorized Hanson Brothers employees and authorized hospitals.

f. Prevent distribution centers from using VPN to access information at other distribution centers.

g. Secure data on the portable computers.

 

Answer: C, D, E, G

 

8. This question presents you with objects and connectors. The question asks you to create relationships between the objects by using the connectors. You create these relationships by selecting two objects and then selecting a connector.

DESIGN Question:

Four Boxes on screen:

 

1. Portable computer

2. RADIUS Server

3. RADIUS Proxy Server

4. RADIUS CLIENT Computer and PPTP Server

 

Connections:

 

A. PPP

B. RADIUS Access Request

C. Proxied Access Request

D. RADIUS Access Reply

E. Proxied Access Reply

 

Design a RADIUS solution that will allow sales reps to securely tunnel to headquarters (Use all resources and all connections)

 

Answer (chain): Portable computer (1) > PPP (A) > RADIUS Client Computer and PPTP Server (4) > RADIUS Access Request (B) > RADIUS Proxy Server (3) > Proxied Access Request (C) > RADIUS Server (2) > RADIUS Access Reply (D) > RADIUS Proxy Server (3) > Proxied Access Reply (E) > RADIUS Client Computer and PPTP Server (4) > PPP (A) > Portable computer (1)

 

9. How should you implement auditing on the Windows 2000 Server computers?

 

a. Enable success audit for logon events on the VPN server

b. Enable failure audit for logon events on the VPN server

c. Enable success audit for logon events on the domain controllers

d. Enable failure audit for logon events on the domain controllers

 

Answer: D

 

10. Which Group Policy strategy should you use to prevent changes to the wallpaper on all computers?

 

a. Create a Group Policy for each distribution center, and apply the Group Policy at the headquarters domain

b. Create a Group Policy for each distribution center, and apply the Group Policy at each distribution center's organizational unit (OU)

c. Create one Group Policy for all distribution centers, and apply the Group Policy at the headquarters domain.

d. Create one Group Policy for all distribution centers, and apply the Group Policy at each distribution center's organizational unit (OU)

 

Answer: C

 

11. How should you restrict hospital dial-up connections to only authorized hospitals?

 

a. Configure Routing and Remote Access on the remote access server to use callback. Configure callback to dial a phone number specified by the hospital computer during the connection request.

b. Configure Routing and Remote Access on the remote access server to use callback. Configure callback to dial a predefined phone number for each hospital.

c. Set up a proxy server (NAT) on the private side of the remote access server. Configure the proxy server to accept the IP addresses of the hospital computers.

d. Set up a proxy server (NAT) on the public side of the remote access server. Configure the proxy server to accept the IP addresses of the hospital computers.

 

Answer: B

 

12. Design Question


Design a secure connection between headquarters and the Dallas Dist Center (Use all resources and Connections)

 

8 boxes on chart:

 

1. Headquarters

2. Headquarters Internet Adpt

3. Headquarters Intranet Adpt

4. Headquarters win 2000 Router

5. Dallas Dist Center

6. Dallas Intranet Adpt

7. Dallas Internet Adpt

8. Dallas Windows 2000 Router

 

Connections:

 

A. Hardware connection

B. Intranet Connection

C. L2TP Internet Tunnel

Answer (chain): Headquarters (1) > Intranet Connection (B) > Headquarters Intranet Adpt (3) > Hardware connection (A) > Headquarters Win 2000 Router (4) > Hardware connection (A) > Headquarters Internet Adpt (2) > L2TP Internet Tunnel (C) > Dallas Internet Adpt (7) > Hardware connection (A) > Dallas Windows 2000 Router (8) > Hardware connection (A) > Dallas Intranet Adpt (6) > Intranet Connection (B) > Dallas Dist Center (5)

 

13. Another Design Question:

Design a secure access solution to allow sales reps to access to network resources at headquarters (use all resources and all connections)

 

5 Boxes on Chart:

 

1. ISP

2. Portable Computer

3. Headquarters VPN Server

4. Hanson Brothers Internal Resources

5. Headquarters Remote Access Server

 

Connections:

 

A. ISP Connection

B. VPN Connection

C. PPP connection

D. Headquarters Internal Network

 

Answer (chain): Portable Computer (2) > PPP connection (C) > ISP (1) > ISP Connection (A) > Headquarters VPN Server (3) > VPN Connection (B) > Headquarters Remote Access Server (5) > Headquarters Internal Network (D) > Hanson Brothers Internal Resources (4)

 

 

14. How should you restrict hospitals' access to the order status information?

 

a. Set permissions on each hospital's order file to grant all hospitals Read permission to all order files

b. Set permissions on each hospital's order file to grant that hospital Read permission to its own order file information

c. Enable Encrypting File System (EFS) on the order status folder, and give a single copy of the recovery key to all hospitals

d. Enable Encrypting File System (EFS) on the order status folder, and give a copy of the unique recovery key to each hospital

 

Answer: B

 

15. How should you configure secure communications between the Pittsburgh distribution center and headquarters?

 

a. Enable L2TP and configure an enterprise subordinate CA on the private Hanson Brothers network

b. Enable L2TP and configure an enterprise root CA on the private Hanson Brothers network

c. Enable L2TP and configure an enterprise root CA on the public network.

d. Enable L2TP and configure an enterprise subordinate CA on the public network

 

Answer: A

 

16. How should you implement IP filters at headquarters to secure the connection to the Pittsburgh distribution center?

 

a. Add source filters for the Pittsburgh distribution center for UDP port 500 and IP protocol 50. Add destination filters for headquarters for UDP port 500 and IP protocol 50

b. Add source filters for the Pittsburgh distribution center for UDP port 1701 and IP protocol 50. Add destination filters for headquarters for UDP port 1701 and IP protocol 50

c. Add source filters for headquarters for UDP port 500 and IP protocol 50. Add destination filters for the Pittsburgh distribution center for UDP port 500 and IP protocol 50.

d. Add source filters for headquarters for UDP port 1701 and IP protocol 50. Add destination filters for the Pittsburgh distribution center for UDP port 1701 and IP protocol 50.

 

Answer: B

 

 

*****Miller Textiles***** (Case Study #4 – 10 Questions)

 

Miller Textiles: 12,000 employees

Joint venture Fabrikam (300 employees, 1 manufacturing company in Miami) & Miller Textiles

Engineers from Fabrikam & Miller will work together

Organisation:

Each company has an Engineering, Manufacturing and Sales department

Existing Environment: (Miller)

Win 2k Manufacturing and Engineering Servers – Distributed Administration

LAN & WAN Manufacturing connect to HQ with a T1 line (max use 40%)
1 RRAS at each site
100 Mbps cards on the Intranet
Single Domain, an OU for each manufacturing site, with its own IT admin (DECENTRALISED ADMIN)


Existing Environment: (Fabrikam)
Win 2k single domain,
FABHQVPN – VPN server & an e-mail server
MILLERSPACE – shared folder on a Fabrikam server
– Engineers from Fabrikam
– Engineers from Miller have Read & Modify permissions

Envisioned Environment (Miller)
Sales rep – Customer folder on their laptop – EFS – Secure Sync when logged onto network
FabrikamSPACE – shared folder on the engineering server @ each location
Engineering & Manufacturing Servers will only have site specific info
Engineering & Manufacturing departments will have their own OU @ each location
IT admin @ each location will admin the OU with full control

LAN & WAN
T1 line between the HQ and all sites will remain
The RRAS on the manufacturing sites will be removed
Sales reps will be able to use the RAS servers located in the HQ – backup to VPN
VPN connections should be encrypted
Trust relationship between Boston and Fabrikam

Problem statement (Miller)
All data for joint venture must be available to all engineers & Secure
Resources @ both companies should be shared i.e. Printers
Auditing of the FabrikamSPACE – who modifies or views the info

 

START OF QUESTIONS:

 

1. What are the two primary security risks for Miller Textiles? (Choose 2)

 

A. Fabrikam, Inc., engineers modifying the manufacturing schedules for Miller Textiles

B. Unauthorized users viewing manufacturing schedules

C. Fabrikam, Inc, employees viewing confidential information from Miller Textiles

D. Unauthorized users gaining access to data for the space blankets

E. Unauthorized users gaining access to customer information on the portable computers

 

Answer: D,E

 

2. Which security group strategy should you use for the Miller Textiles sales representatives?

 

A. Assign all sales representatives to domain local groups within their own domain. Put the domain local groups into global groups.

B. Assign all sales representatives to global groups. Put the global groups into domain local groups

C. Assign all sales representatives to universal groups. Put the global groups into universal groups

D. Assign all sales representatives to computer local groups. Put the computer local groups into universal groups

 

Answer: B

 

3. How should you encrypt information over the VPN between the BOSTON organizational unit (OU) and the FABRIKAM domain?

 

A. Implement L2TP over IPSec at the BOSTON OU only

B. Implement L2TP over IPSec at both the BOSTON OU and the FABRIKAM domain

C. Implement PPTP at both the BOSTON OU and the FABRIKAM domain

D. Implement PPTP at the BOSTON OU only

 

Answer: B

 

4. How should you protect the Internet interface on the Miller Textiles VPN server from unauthorized users?

 

A. Use Routing and Remote Access filters on the Internet interface of the VPN server

B. Use Routing and Remote Access filters on the internal interface of the VPN server

C. Disable dynamic DNS updates on the internal interface of the VPN server

D. Disable dynamic DNS updates on the Internet interface of the VPN server

 

Answer: A

 

5. How should you authenticate users from Fabrikam, Inc who access Miller Textiles network over the VPN?

 

A. Use the fully qualified domain name (FQDN) and password

B. Use certificate-based authentication

C. Use EAP

D. Use Internet Authentication Service (IAS)

 

Answer: A

 

6. How should you assign the authority for adding new user accounts at Miller Textiles after the upgrade?

 

A. Create one administrative group at the BOSTON organizational unit (OU) with the authority to create new users at each OU

B. Delegate authority to a domain administrator at each organizational unit (OU) to create new users for all OUs

C. Delegate authority to a domain administrator at the BOSTON organizational unit (OU) to create new users at each OU

D. Create a new administrative group at each organizational unit (OU) with the authority to create new users at that OU

 

Answer: D

 

7. Which two security components should you use on the portable computers? (Choose 2)

 

A. Internet Authentication Service (IAS)

B. PPTP

C. Remote access policy

D. L2TP over IPSec

E. Remote Authentication Dial-In User Service (RADIUS)

F. Encrypting File System (EFS)

 

Answer: D,F

 

8. For the Miller Textiles sales representatives how should you implement Encrypting File System (EFS) on the portable computers to allow central recovery?

 

A. Create enterprise root CAs at the BOSTON, ATLANTA, BAJA, and DUBLIN organizational units (OUs). Define the recovery agent at the OU level.

B. Use a third-party CA. Use the third party as the recovery agent.

C. Use a self-signed certificate. Define the local administrator as the recovery agent.

D. Create an enterprise root CA at the BOSTON organizational unit (OU), and create enterprise subordinate CA’s at the ATLANTA, BAJA, and DUBLIN OUs. Define the recovery agent at the domain level

 

Answer: D

 

9. Specify the required level of security for each resource. Move the appropriate permissions to the appropriate resource(s). Use only permissions that apply and you might need to reuse permissions.

 

Resources:

1. Boston Engineering data

2. Boston Manufacturing data

3. Atlanta engineering data

4. Atlanta manufacturing data

5. Baja engineering data

6. Baja manufacturing data

7. Dublin engineering data

8. Dublin manufacturing data

 

Permissions:

A. Baja engineer (Modify)

B. Boston engineer (Modify)

C. Boston Sale Representative (Read)

D. Fabrikam, Inc. engineer (Modify)

E. Fabrikam, Inc. engineer (Read)

 

Answer: A, B, D for resources 1, 3, 5, 7; C for resources 2, 4, 6, 8

 

10. Design a secure communications strategy. (Use only locations and connections that apply.)


Objects to connect:

 

1. Boston (Miller Textiles)

2. Atlanta (Miller Textiles) A(B)

3. Dublin (Miller Textiles) A(B)

4. Baja (Miller Textiles) A(B)

5. Portable Computers (Miller Textiles) C(B)

6. Miami (Fabrikam, Inc.) B

 

Connections:

 

A. T1 Line

B. L2TP VPN

C. Routing and Remote Access

D. PPTP VPN

(You must select two objects to connect)

 

Answer:

BOSTON—(A) T1: 2,3,4 BOSTON— (B) L2TP VPN: 5,6 (and possibly, 5; PC’s may need C; RRAS??)

 

*****HIABUV TOYS***** (Case Study #5 – 8 Questions)


High above Toys:
20% growth/year www.highabovetoys.com Private IP = 172.16.0.0

HQ Minneapolis –> Sales, Marketing, HR, IT, Legal, Accounting and Executives – 4500 employees
350 Retail stores –> 50 –100 employees each
50 new stores/y –> including Casablanca, Morocco (64Kbps)
15 Service Cent –> 100 employees & 5 managers

128 Kbps link with a 68 Kbps backup link from HQ to stores and service centres
T1 line between the HQ buildings

Computers:
HQ –> 4,500 WinNT WS, 150 WinNT Servers – application & file servers (WS = DHCP)
Sales1 –> BDC + runs IIS –> Sales Domain (Server = Static)
Only DC’s and applications have shared resources
HR1 –> encrypted connections
Each Store –> 30 Win2k Pro and 2 WinNT Server (1 PDC & 1 BDC) – Static IP
Each Service Centre –> 30 Win2k Pro and 1 WinNT Server (1 BDC) – Static IP

Envisioned network:
Upgraded to Win2K
Sales1 will not be upgraded but replaced with a Win2k server when all upgrades are complete – native mode
Legal1 – Secure Private Network between Legal1 & HR1
One account domain for HQ & one for retail stores
Security:
Secure tunnelling for authorised users to access shared resources @ HQ
Confidential documents should be sent secure internally
Wants to implement a PKI

IT:
Administer user & computers, No Strong passwords
WAN: oversees the WAN
LAN: manages user acc’s, oversees the LAN, Win2Kserv & domains and the retail store servers
Internet: oversee Internet security and connectivity

Sales & Marketing: Laptops & Colour printer
Secure Authentication of external manufacturers
Access the retail stores for Sales history Info
LEGAL:
Copy confidential documents to shared folders for 1) HR 2) Executive dept 3) Company Law firm

Retail Stores:
1) Cash Registers –>WinNT generic log on for cashier access, No info stored on the register
2) Managers –> Win 2K Laptops, with e-mail and web access
3) 5 secured WinNT PC’s for employees to browse pre-approved site
4) 3 Kiosk –> customers can register for gifts or place orders –> automatically boot

Service Centres:
Unique log on names
Centre technician has access to e-mail & Internet

 

START OF QUESTIONS:

 

 

1. Which security requirement will affect design of windows 2000 forest?

 

A. Implementation of Kerberos authentication

B. Secure transactions at Store Registers

C. Organization of user accounts

D. Secure communication between legal and HR.

 

Answer: C

 

2. Which server or servers provide the least security for user access?

 

A. Retail store servers

B. Service centers servers

C. SALES1

D. HR1

E. LEGAL1

 

Answer: C

 

3. How should you secure the new servers at the Casablanca store?

 

A. Install the servers into a new OU and implement Group Policies at the Site Level

B. Install the servers into a new OU and implement Group Policies at the OU Level

C. Install the servers into their own Active Directory tree and implement Group Policies at the Domain Level

D. Install the servers into the same Active Directory tree as stores and modify the schema

 

Answer: B

 

4. Which strategy should you use to accommodate the new Casablanca store?

 

A. Add the Help Desk employee to the Domain Admins group

B. Add the Help Desk employee to the Enterprise Admins group

C. Delegate authority to the Help Desk employee to manage the PC

D. Delegate authority to the Help Desk employee to modify accounts and groups

 

Answer: D

 

5. Which security method should you implement to provide data security between LEGAL1 and HR1?

 

A. Group Policies for shared folders

B. IPSec with ESP (encrypts data)

C. IPSec with AH (encrypts header information but not data)

D. EFS

 

Answer: B

 

6. Which security solution should you implement to allow the service centers to communicate with manufacturers?

 

A. DFS with Crypto API

B. IPSec

C. Secure DNS

D. Secure Email

answer: D

 

7. How should you design windows 2000 domain and OU structure for HIABUVTOYS?

 

A. 2 accounts domains, Migrate all resource domains into OUs under the HQ Domain

B. 2 accounts domains, Migrate all resource domains into OUs under the store Domain

C. 2 accounts domains, Migrate existing stores domain into OUs under store domain

D. 2 accounts domains, Migrate existing stores domain into OUs under HQ domain

 

answer: C

 

8. Specify the required level of security for each resource. (Some may be used more than once)

 

Conditions:

 

A. Additional restrictions for anonymous connections.

B. Disable the Ctrl-Alt-Del for logon.

C. Do not display last user name in logon screen.

D. Message text for users attempting to logon.

E. Rename administrator account

 

Objects:

 

1. Domain Controller - ADE

2. Application Server - ADE

3. Cash register - BCDE

4. Public Kiosk - BCDE

 

Answer: DomCont: ADE / Appserv: ADE / Cashreg: BCDE / Pubkiosk: BCDE
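The five conditions above are exactly the kind of thing that goes into a secedit security template, one per machine role. The following PowerShell is an added example, not from the dump or from Microsoft: it builds one .inf per role using the dump's answer as the role-to-setting map, writes the files, and applies and verifies a role with secedit. The registry paths and INF value types are the standard Windows ones; the new administrator name 'toyadmin', the notice wording and %TEMP% as the output directory are assumptions.

```powershell
# Added example, not from the dump. One secedit template (.inf) per machine role,
# using the dump's answer as the map: DC/App server = A,D,E; register/kiosk = B,C,D,E.
# Assumptions: new administrator name 'toyadmin', the notice wording, %TEMP% as output dir.

$policyKey = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$settings = @{
    # A. Additional restrictions for anonymous connections.
    #    1 = no enumeration of SAM accounts and shares; 2 = no access without explicit anonymous permissions.
    'A' = 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1'
    # B. Disable the Ctrl-Alt-Del requirement for logon (registers and kiosks have no interactive admin).
    'B' = "$policyKey\DisableCAD=4,1"
    # C. Do not display last user name in logon screen.
    'C' = "$policyKey\DontDisplayLastUserName=4,1"
    # D. Message text for users attempting to log on. Type 1 = REG_SZ (Windows 2000/XP templates);
    #    Vista and later store LegalNoticeText as REG_MULTI_SZ, type 7.
    'D' = @(
        "$policyKey\LegalNoticeCaption=1,`"Authorized use only`"",
        "$policyKey\LegalNoticeText=1,`"Activity on this system is monitored and logged.`""
    )
}
# E. Rename administrator account: lives in [System Access], not [Registry Values].
$newAdminName = 'toyadmin'

$roles = @{
    'DomainController'  = @('A','D','E')
    'ApplicationServer' = @('A','D','E')
    'CashRegister'      = @('B','C','D','E')
    'PublicKiosk'       = @('B','C','D','E')
}

function New-RoleTemplate {
    param([Parameter(Mandatory)][string]$Role)

    $wanted = $roles[$Role]
    if (-not $wanted) { throw "Unknown role '$Role'" }

    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1')

    if ($wanted -contains 'E') {
        $lines += '[System Access]'
        $lines += "NewAdministratorName = `"$newAdminName`""
    }

    $lines += '[Registry Values]'
    foreach ($key in $wanted) {
        if ($settings.ContainsKey($key)) { $lines += $settings[$key] }
    }
    return ($lines -join "`r`n")
}

# Write every template; secedit expects a Unicode file to match [Unicode] Unicode=yes.
foreach ($role in $roles.Keys) {
    New-RoleTemplate -Role $role | Set-Content -Path (Join-Path $env:TEMP "$role.inf") -Encoding Unicode
}

# Apply and then verify a role on the local machine (run elevated).
# /configure merges the .inf into the local policy database; /analyze reports drift.
function Apply-RoleTemplate {
    param([Parameter(Mandatory)][string]$Role)
    $inf = Join-Path $env:TEMP "$Role.inf"
    $db  = Join-Path $env:TEMP "$Role.sdb"
    $log = Join-Path $env:TEMP "$Role.log"
    & secedit.exe /configure /db $db /cfg $inf /overwrite /quiet
    & secedit.exe /analyze   /db $db /cfg $inf /log $log /quiet
    # 'Mismatch' lines in the analyze log are settings the machine does not match.
    return (Get-Content $log | Select-String -Pattern 'Mismatch')
}
```

Run `Apply-RoleTemplate -Role PublicKiosk` on a kiosk and re-run the analyze step later: the template becomes the baseline you check drift against, which is the point of keeping one per role instead of clicking through Local Security Policy on each box.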

 

 

*****Fabrikam***** (Case Study #6 – 13 Questions)

 

Fabrikam, Inc. – manufacturer of food and beverages – 20,000 employees worldwide – 10,000 in the US

HQ – Santa Fe – 3 groups: Corporate, Engineering & Operations

Corporate: Mostly at HQ – HR, Legal, Executive, Accounting and Sales & Marketing departments
Has its own IT employees

Engineering: Designs and builds the operations facilities, including the network
After being built and tested –> handed over to the Operations department
Has its own IT employees, who manage its network

Operations: Maintains and operates the facilities
Most employees work at the facility sites
Has its own IT employees, who manage its network

Problem Statement:
Upgrade to Win2K, use AD, delegate OU authority
Enterprise admins = members of each group who are members of the “Enterprise architecture committee”


Existing environment:
NT4 multi-master domain model = each of the 3 primary groups has its own master domain
Domains = CORP, ENGR, OPER
Resource domain = ENGRFLD = temporary resources located at worksites

 

START OF QUESTIONS:

 

 

1. What is Fabrikam, Inc.'s business model?

 

a. Centralized management and decentralized operations

b. Centralized management and centralized operations

c. Decentralized management and decentralized operations

d. Decentralized management and centralized operations

 

Answer: A

 

2. What is the Engineering group's tolerance for risk?

 

a. The Engineering group is willing to try new approaches only after careful testing

b. The Engineering group is very conservative and does not take any risks

c. The Engineering group is willing to try some new approaches

d. The Engineering group is comfortable with a high level of risk

 

Answer: C

 

3. What is Fabrikam, Inc.'s IT model for management and operations?

 

a. Centralized management and decentralized operations

b. Decentralized management and centralized operations

c. Centralized management and centralized operations

d. Decentralized management and decentralized operations

 

Answer: D

 

4. Which two security risks facing the Operations group can you reduce or eliminate by using smart cards? (Choose two)

 

a. Remote hackers connected via modem

b. Remote hackers connected via the Internet

c. Denial of service attack launched from the Internet

d. Employees connected via the LAN

e. Unauthorized visitors physically entering a facility and connecting via the LAN

 

Answer: B,E

 

5. Which Windows 2000 domain structure should you use for Fabrikam, Inc.? (Choose one)

 

a. Create a single domain for the entire company. Replace existing resource domains with organizational units (OUs)

b. Create three domains: one domain for Corporate, one domain for Engineering, and one domain for Operations. Create each domain in its own forest. Replace existing resource domains with organizational units (OUs)

c. Create three domain trees: one domain tree for Corporate, one domain tree for Engineering, and one domain tree for Operations. Create the trees in the same forest. Replace existing resource domains with organizational units (OUs)

d. Create three domain trees: one domain tree for Corporate, one domain tree for Engineering, and one domain tree for Operations. Create these trees in the same forest. Replace existing resource domains with new domains

 

Answer: C

 

6. Which four technologies should you include in the security strategy for the engineering group? (Choose four)

 

a. Basic authentication with SSL

b. Kerberos authentication

c. EAP

d. Internet Authentication Service (IAS)

e. L2TP over IPSec

f. Directory Service (DS) mapping

g. Certificate Services

 

Answer: B,C,E,G

 

7. Which technology or technologies should you include in your security strategy for the Operations group? (Choose all that apply)

 

a. Basic authentication with SSL

b. Encrypting File System (EFS)

c. Internet Authentication Service (IAS)

d. L2TP over IPSec

e. Kerberos authentication

 

Answer: BDE

 

8. What should you include in an audit policy for the CORP domain? (Choose one)

 

a. Failure audit for account logon events; failure audit for directory service access; success and failure audit for policy change; success and failure audit for account management

b. Failure audit for object access; failure audit for account logon events; failure audit for directory service access; success and failure audit for policy change

c. Success and failure audit for object access; success and failure audit for policy change; success and failure audit for account logon events; success and failure audit for account management

d. Success and failure audit for object access; success and failure audit for policy change; success and failure audit for account logon events; success and failure audit for directory service access

 

Answer: D

 

9. Which administrative task or tasks should you complete to maintain the network at the operations facilities? (Choose all that apply)

 

a. Group Policy administration

b. Digital certificate administration

c. User account administration

d. Remote access administration

e. Web content administration

 

Answer: A,C

 

10. Which two technologies should engineers use for secure dial-up access when traveling?

(Choose two)

 

a. SSL

b. Kerberos authentication

c. Smart cards

d. Encrypting File System (EFS)

e. PPTP

 

Answer: BC

 

11. Which technology should you use for engineers working at existing operations facilities?

 

a. Kerberos authentication

b. Digital certificates

c. Basic authentication with SSL

d. Routing and Remote Access

e. Internet Authentication Service (IAS)

 

Answer: A

 

12. Which three policies should you include in a security strategy for the CORP domain? (Choose three)

 

a. Enable account lockout

b. Disable password aging

c. Prevent the installation of unsigned drivers

d. Disable account lockout

e. Enforce strong passwords and password aging

f. Allow CD-ROM access to all users

g. Limit CD-ROM access to users who are logged on locally

 

Answer: A,C,E

 

13. How should you prevent unauthorized users from accessing the Engineering group's file servers?

 

a. Enforce strong passwords, implement password aging, disable unneeded services, audit file access in folders containing confidential files, and set NTFS permissions

b. Block access to TCP and UDP ports 135-139 at the server, enforce strong passwords, implement password aging, and use Encrypting File System (EFS) to control access to folders containing confidential files

c. Block access to TCP and UDP ports 135-139 at the server, and audit failed logon attempts

d. Enforce strong passwords, block access to TCP and UDP ports 135-139 at the perimeter router, and disable unneeded services

 

Answer: B

 

*****LITWARE PHOTO***** (Case Study #7 – 13 Questions)

 

 

Litware, Inc. sells digital cameras, printers and supplies in North America; HQ –> Cleveland

Existing Environment:
Merged with a French company: 8 offices –> 1,200 employees
Offices connected through a WAN
IT:
5 employees at each site
HQ –> 4 network engineers, 1 webmaster, 3 web developers, 10 programmers/analysts
10 programmers/analysts –> maintain inventory, purchasing, billing and payroll applications
Customer Service:
Each office has 1: studios report problems to them and order supplies (each call is recorded)
Customer service tries to fix problems with the web site (the Photo folder) or reports them to the webmaster

Envisioned Environment:
1) Web site: studios can post proofs of their customers' photos – hosted at HQ – Win2K IIS
2) Customers can access their pictures using a user name & password received from the studio

When customers visit the web site, VB programs are downloaded to their PCs to view the pictures
Programs are stored in a folder (Programs) on the web server
The new webmaster will have full control over the web servers
Each studio will have its own folder on the server consisting of a) purchase history b) a customer folder for each customer, which will be password protected
The office manager will create and administer the customer folders
Secure connection to the web server for credit card details
Must hold 5,000 active customer accounts and track how many orders are placed on the web site

2 Web servers –> LITWWEB & LITWDATA (customer info)
Proxy –> LITWPROX
DC –> LITWDC
Only the webmaster should be able to put new apps on LITWWEB
Each studio will be an OU
Photos displayed on the web for only 30 days

Customer Service:
Access to customer information

Sales Representatives:
Access to customers' order history

Enable customers to securely view and order pictures
Enable studios to upload photos via the web to ONLY their customer folders
Customer info should be available for reports, support and marketing
The server should be stable

 

START OF QUESTIONS:

 

1. What is the primary security requirement for the studios?

 

a. Ensure that photos on the Web site cannot be altered

b. Ensure that customers can access only their own photos on the Web site

c. Ensure that customers' credit card numbers are secure.

d. Prevent customers' computers from being infected with a virus when they view their photos on the Web site

 

Answer: C

 

2. Network configurations are shown in the exhibit (Click the Exhibit button). Which network configuration provides the most security for LitWare, Inc?

 

a. FigureA

b. FigureB (no answer!)

c. FigureC

d. FigureD

 

Answer: ???

 

3. To which type of group should you assign all Web developers?

 

a. Global

b. Local

c. Domain local

d. Universal

 

Answer: A

 

4. How should you ensure that each customer's account is disabled after 30 days?

 

a. Manually disable each customer's user account after 30 days

b. Add a Group Policy to the LitWare organizational unit (OU) that specifies the expiration rules for each customer's user account

c. Add a Group Policy to each studio's organizational unit (OU) that specifies the expiration rules for each customer's user account

d. Set an expiration date on each customer's user account

 

Answer: D
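Answer D is a per-account attribute, so it can be set the moment the office manager creates the account and back-filled for accounts that already exist. The PowerShell below is an added example, not from the dump, using the ActiveDirectory module. The OU path OU=LitWare,DC=litware,DC=com and the 'Photo customer' description used to tell customer accounts apart from studio staff are assumptions.

```powershell
# Added example, not part of the original dump. Litware Q4: photos stay on the site for
# 30 days, so each customer account carries an expiration date (answer D) instead of being
# disabled by hand; Group Policy has no setting that expires individual accounts.
# Assumptions: studios are OUs under OU=LitWare,DC=litware,DC=com and customer accounts are
# tagged with Description 'Photo customer'. Needs the ActiveDirectory module and rights
# delegated on the studio OU.
Import-Module ActiveDirectory

$litwareOU = 'OU=LitWare,DC=litware,DC=com'   # assumption
$lifetime  = 30                               # days, from the case study
$tag       = 'Photo customer'                 # assumption: marks customer accounts

# Create a customer account that is time-boxed from the start.
function New-CustomerAccount {
    param(
        [Parameter(Mandatory)][string]$StudioOU,       # e.g. "OU=Studio01,$litwareOU"
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $expires = (Get-Date).AddDays($lifetime)
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Path $StudioOU `
        -AccountPassword $Password -Enabled $true -Description $tag `
        -AccountExpirationDate $expires
    return $expires
}

# Backfill: customer accounts created before the rule existed get whenCreated + 30 days.
# accountExpires of 0 or 0x7FFFFFFFFFFFFFFF both mean "never expires".
function Set-CustomerExpirations {
    param([string]$SearchBase = $litwareOU)
    $filter = "description -eq '$tag' -and (accountExpires -eq 0 -or accountExpires -eq 9223372036854775807)"
    $open = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter $filter -Properties whenCreated
    foreach ($u in $open) {
        Set-ADAccountExpiration -Identity $u -DateTime $u.whenCreated.AddDays($lifetime)
    }
    return @($open).Count
}

# Check: which customers have already lapsed (their photo folders can be removed too).
function Get-ExpiredCustomers {
    param([string]$SearchBase = $litwareOU)
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase |
        Where-Object { (Get-ADUser $_ -Properties description).description -eq $tag } |
        Select-Object SamAccountName, DistinguishedName, AccountExpirationDate
}

# Usage: the office manager of Studio01 enrolls a customer, then the nightly job runs.
#   New-CustomerAccount -StudioOU "OU=Studio01,$litwareOU" -SamAccountName 'cust-4711' -Password (Read-Host -AsSecureString 'Password')
#   Set-CustomerExpirations
#   Get-ExpiredCustomers
```

An expired account still exists and still shows as enabled in the console; only logon is refused. Get-ExpiredCustomers is the list to feed whatever removes the 30-day-old photos, so the folder and the account disappear together.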

 

5. Which task should you delegate to the office managers?

 

a. Modify the membership of a group

b. Manage Group Policy links

c. Create, delete, and manage customer accounts.

d. Create, delete, and manage groups.

 

Answer: C

 

6. Which type of CA should you use to digitally sign the Microsoft Visual Basic programs?

 

a. Third-party CA

b. Enterprise root CA

c. Stand-alone root CA

d. Enterprise subordinate CA

 

Answer: A

 

7. Which two authentication methods should you use to allow customers access to their photos on the Web site? (Choose two)

 

a. Basic authentication with SSL

b. Anonymous access

c. Integrated Windows authentication

d. Digest authentication with SSL

e. Digest authentication without SSL

f. Basic authentication without SSL

 

Answer: A,D

 

8. Specify the required level of security for each Web site resource. The folder hierarchy for the web site is shown in the exhibit (don't have it). Move the appropriate permission to the appropriate resource or resources. (Use only permissions that apply. You might need to reuse permissions.) The question asks you to create a tree structure with three levels of nodes, each marked with distinct colors and shapes.

 

LITWWEB Resources Permissions:

 

A. Studio (Read)

B. Studio (Modify)

C. Studio (Full Control)

D. Customer (Read)

E. Customer (Modify)

F. Customer (Full Control)

G. Webmaster (Read)

H. Webmaster (Modify)

I. Webmaster (Full Control)

This graphic is from a newer dump (doesn't look right to me, but maybe it might help someone???)

 

1. LitWare Root –    Webmaster (Full Control)

2. Program folder –  Webmaster (Full Control)

3. Studio Folder –   Studio    (Full Control)

4. Customer folder – Studio    (Full Control)

5. Photo folder –    Customer  (Read)

 

Answer: I1--I2--C3--C4--D5

 

9. How should you allow studios to create their own customer accounts?

 

a. Delegate authority to the office manager in each studio's organizational unit (OU)

b. Delegate authority to the administrator in the LitWare organizational unit (OU)

c. Add a new organizational unit (OU) under each studio, add an Administrator account in the new OU, and assign administrator rights to the new Administrator account by using Group Policy

d. Add a new organizational unit (OU) for each studio under the LitWare OU, add an Administrator account in the new OU, and assign administrator rights to the new Administrator account by using Group Policy

 

Answer: A
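Q5 and Q9 (and HIABUVTOYS Q4 above) come down to the same operation: delegate account management on one studio's OU and on nothing else, so one studio's manager cannot touch another studio's customers or the LitWare OU itself. The following is an added example, not from the dump, using dsacls.exe from the AD administration tools. The NetBIOS domain name LITWARE, the OU path and the per-studio group name '<Studio>-OfficeManagers' are assumptions.

```powershell
# Added example (not part of the dump). Litware Q5/Q9: delegate "create, delete and manage
# user accounts" to each studio's office manager on that studio's OU only.
# Assumed names: domain LITWARE, OU=LitWare,DC=litware,DC=com, one group per studio
# called "<Studio>-OfficeManagers". dsacls.exe ships with the AD DS tools.
Import-Module ActiveDirectory

$domainNB  = 'LITWARE'                        # assumption
$litwareOU = 'OU=LitWare,DC=litware,DC=com'   # assumption

function Invoke-Dsacls {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & dsacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed: $($Arguments -join ' ')`n$out" }
}

# Q9 answer A / Q5 answer C: full account lifecycle on the studio OU.
function Grant-CustomerAccountDelegation {
    param([Parameter(Mandatory)][string]$Studio)

    $ou    = "OU=$Studio,$litwareOU"
    $group = "$domainNB\$Studio-OfficeManagers"

    # dsacls grant syntax: /G Trustee:Perms;ObjectType;InheritedObjectType
    #   CCDC;user  on the OU (/I:T)   -> create and delete child objects of class user
    #   GA;;user   below the OU (/I:S) -> full control on user objects only, not on the OU,
    #                                     not on groups, not on other studios' OUs
    Invoke-Dsacls -Arguments @($ou, '/I:T', '/G', "${group}:CCDC;user")
    Invoke-Dsacls -Arguments @($ou, '/I:S', '/G', "${group}:GA;;user")

    # Return the ACEs that now mention the group, for review.
    return (& dsacls.exe $ou | Select-String -Pattern "$Studio-OfficeManagers")
}

# Tighter variant if "manage" should mean help-desk work only (reset password, force a
# change at next logon) rather than full control of the user objects.
function Grant-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$Studio)
    $ou    = "OU=$Studio,$litwareOU"
    $group = "$domainNB\$Studio-OfficeManagers"
    Invoke-Dsacls -Arguments @($ou, '/I:S', '/G', "${group}:CA;Reset Password;user")
    Invoke-Dsacls -Arguments @($ou, '/I:S', '/G', "${group}:WP;pwdLastSet;user")
}

# Usage: one grant per studio OU directly under LitWare.
#   Get-ADOrganizationalUnit -SearchBase $litwareOU -SearchScope OneLevel -Filter * |
#       ForEach-Object { Grant-CustomerAccountDelegation -Studio $_.Name }
```

Because the grant is made on OU=<Studio> and inherits downward only, the same group has no rights one level up, which is what rules out Q9's answers B and D (an administrator on the LitWare OU sees every studio).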

 

10. Which authentication method or methods can you use to allow studios to securely post pictures to LITWWEB? (Choose all that apply)

 

a. Digest authentication without SSL

b. Anonymous access

c. Integrated Windows authentication

d. Basic authentication without SSL

e. Digest authentication with SSL

f. Basic authentication with SSL

 

Answer: E,F

 

11. How should you allow programming changes to the Web site?

 

a. Grant the Webmaster Full Control permission

b. Grant the Webmaster Read and Write permission only

c. Grant the Web developers Full Control permission.

d. Grant the Web developers Read and Write permission only

 

Answer: A

 

12. Which audit policy should you use on LITWWEB to detect unauthorized access to the credit card files?

 

a. Failure audit for logon events

b. Success audit for logon events

c. Success and failure audit for process tracking

d. Success and failure audit for object access

 

Answer: D
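Turning on "Success and failure audit for object access" (here, and in the Fabrikam Q8 answer) records nothing by itself: the policy only makes Windows honour the SACL on the files, so the credit card folder needs an audit entry as well. The PowerShell below is an added example, not from the dump: it enables the policy, writes the SACL and reads back the resulting events. The folder path D:\LitwareData\CreditCards is an assumption; auditpol and the 4656/4663 event IDs are the modern equivalents of Windows 2000's single "Audit object access" setting and its 560-series events.

```powershell
# Added example (not from the dump). Litware Q12: object access auditing on LITWWEB only
# produces events once the files themselves carry a SACL, so this does both steps and
# returns what was set. Assumed path for the credit card files: D:\LitwareData\CreditCards.
# Run elevated on LITWWEB.

$ccFolder = 'D:\LitwareData\CreditCards'   # assumption

# Step 1: turn on the audit policy (success and failure).
function Enable-ObjectAccessAudit {
    # Subcategory-level control exists on Vista/2008 and later; on Windows 2000 this was the
    # single "Audit object access" setting in Local Security Policy.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    return (& auditpol.exe /get /subcategory:"File System")
}

# Step 2: put an audit entry (SACL) on the folder: everyone's successful and failed reads,
# writes, deletes and permission changes, inherited by files and subfolders.
function Add-FolderAudit {
    param([Parameter(Mandatory)][string]$Path)

    $acl     = Get-Acl -Path $Path -Audit
    $rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                       -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl      # needs SeSecurityPrivilege (local admin)

    # Return the SACL entries actually on the folder for verification.
    return (Get-Acl -Path $Path -Audit).Audit
}

# Step 3: what the policy now yields. 4663 = access performed; 4656 with the Audit Failure
# keyword = handle request denied. Only paths under the credit card folder are kept.
function Get-CreditCardAccessEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-$Hours) } |
        Where-Object { $_.Message -like "*$ccFolder*" } |
        Select-Object TimeCreated, Id, @{ n = 'Outcome'; e = { $_.KeywordsDisplayNames -join ',' } },
                      @{ n = 'Account'; e = { $_.Properties[1].Value } }
}

Enable-ObjectAccessAudit
Add-FolderAudit -Path $ccFolder
# Later: Get-CreditCardAccessEvents -Hours 1
```

The SACL is on the data, the policy is on the machine; lose either and the log stays empty, which is why a failed audit of this answer usually comes down to "the policy is set but nobody added the audit entry to the folder".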

 

13. How should you secure the customer photos on LITWWEB?

 

a. Grant customers Read permission to their own photo folder

b. Digitally sign each customer's photo folder, and give the private key to the customer

c. Apply Encrypting File System (EFS) to each customer's photo folder, and give the private key to the customer

d. Grant customers Read permission to each photo in their own photo folder

 

Answer: A

 

*****Enchantment Lakes***** (Case Study #8 – 10 Questions)

 

 

Enchantment Lakes Corporation (EL) – software consulting firm

HQ – Minneapolis (Sales, Marketing, IT, HR, Executive and Accounting depts) 300 people – 250 consultants
Branch – 1 office manager & 10 – 12 consultants

Network:
HQ –> 17 Win2K Advanced Server & 250 Win2K Pro (230 dial-in laptops)
Marketing, HR & IT have the desktop PCs
Dial-in server (inside the firewall) RAS1, only for employees
VPN1
IIS server TIME1 runs a program called TIMEENTRY (consultants enter their time sheets here)
Outlook Web Access OWA1, secure connection only
Sales –> 2 Win2K Server (SQL)

Connectivity:
HQ – Internet = T1 line

Branch office:
10 – 15 portable Win2K Pro & 1 Win2K desktop
T1 connection to the Internet
Frame relay to HQ

Copenhagen: sets up & administers its own network
No connection to HQ
MS Exchange Server
DC
RAS2
Will implement PKI to issue certs to its employees
Will use secure tunneling.

Security:
HQ – password policies are established; network resources are secure
**Implement a PKI to encrypt data transmission

HR:
Uses a network file server

Sales:
Save info to their laptops and \\sales\documents

 

 

START OF QUESTIONS:

 

1. What are the four most important security priorities for EL? (Choose four)

 

A. Providing secure communications between Copenhagen and headquarters.

B. Ensure secure authentication.

C. Implementing two-factor authentication for the IT department.

D. Preventing denial-of-service attacks.

E. Implementing certificate services for Omaha.

F. Protecting employee data on portable computers.

G. Preventing unauthorized network access.

 

Answer: A,B,F,G

 

2. What are the two primary security risks for EL? (Choose two)

 

A. Incorrect authentication of network users.

B. Data stolen from portable computers.

C. Unauthorized network access by employees.

D. Unauthorized network access by intruders.

E. A denial-of-service attack on OWA1.

 

Answer: B,C

 

3. Which data from Copenhagen should you encrypt?

 

A. All data.

B. SLIP data

C. NetBIOS data

D. L2TP data

 

Answer: D

 

4. How should you encrypt the sales department's files?

 

A. Encrypt all folders that contain sales documents.

B. Encrypt only shared folders that contain sales documents.

C. Encrypt only personal sales documents individually.

D. Encrypt only shared sales documents individually.

 

Answer: C

 

5. How should you implement certificate services for the Omaha office?

 

A. Use a third-party certificate services vendor.

B. Use the certificate services from the Minneapolis office.

C. Install certificate services on the Omaha office.

D. Share certificate services with the Des Moines office.

 

Answer: B

 

6. Which two technologies should you implement to provide additional security for portable computers? (choose 2)

 

A. Distributed file system (DFS)

B. Encrypted file system (EFS)

C. Digital certificates.

D. IPSec

E. Kerberos authentication

 

Answer: B,C

 

7. How should you configure OWA1 and TIME1 to allow secure access for remote employees? (Choose all that apply)

 

A. Place TIME1 in a DMZ.

B. Place OWA1 in a DMZ.

C. Place TIME1 on the internal network.

D. Place OWA1 on the internal network.

E. Enable all connections from the external network.

F. Allow only TCP port 80 connections from the external network.

G. Allow only TCP port 443 connections from the external network.

 

Answer: A,B,G

 

8. Which type of CA should you implement at headquarters? (Choose one)

 

A. An online enterprise root CA with an online enterprise subordinate CA.

B. An offline enterprise root CA with an online enterprise subordinate CA.

C. An offline enterprise root CA with an offline enterprise subordinate CA.

D. An online enterprise root CA with an offline enterprise subordinate CA.

 

Answer: B

 

9. Which permissions should you grant for the TIPS folder? (Choose one)

 

A. IT department: Full Control; Sales department: Full Control; Authenticated Users: Modify

B. IT department: Full Control; Sales department: Full Control; Everyone: Read

C. IT department: Full Control; Sales department: Read; Authenticated Users: Read

D. IT department: Full Control; Sales department: Full Control; Everyone: Modify

 

Answer: A

 

10. Which type of CA should you implement for the Copenhagen office after it is connected to the WAN? (1)

 

A. Enterprise Subordinate CA.

B. Enterprise root CA.

C. Stand-alone subordinate CA.

D. Stand-alone root CA.

 

Answer: A

 

*****Contoso***** (Case Study #9 – 10 Questions)

 

Contoso, Ltd. (CL) – subsidiary of Adatum (AD), selling life insurance
Creating a web site –> allow insurance brokers to configure an insurance policy
–> Receive a quotation for the policy
–> Purchase the policy
–> If the policy is ordered, a third party will handle it
–> General area, area for brokers and policyholders
–> Brokers must register before they are allowed to use it
–> Policyholders can make changes online in accordance with rules (every 3 months)
–> Policyholders cannot buy or terminate without the aid of a broker
–> AD can gain access to the site; must create reports for AD
–> Only 6 servers
–> Primary focus = secure & audit who is using it
–> 3 categories of users: 1) Brokers 2) Policyholders 3) CL & AD employees
–> PKI to be used
–> 5,000 brokers, 2 people to manage membership
–> Offline certification and membership (either by phone or in person)
–> Certificate delivered securely to the broker on a CD or floppy

Envisioned Environment:
Single domain
CONTWEB1 Web server (IIS)
CONTDATA Database server (SQL 7.0)
CONTDC DC, certificate server, DNS, WINS, DHCP
CONTVPN Multi-homed VPN server; creates a VPN through the Internet to AD
CONTWEB2 Intranet server, DC, file & print server
CONTFIRE Firewall server

5 laptops that need to dial in
Netscape and IE 4.0 (or later)
2 Class C addresses have been bought (one for the intranet, one for the public network)

 

START OF QUESTIONS:

 

 

1. What is CL's tolerance for risk? (Choose one)

 

A. CL is willing to try some new approaches.
B. CL is comfortable with a high level of risk.
C. CL is willing to risk the entire company for large rewards.
D. CL is willing to try only those approaches that they have successfully implemented before.
E. CL is very conservative and does not take any chances.

Answer: A

2. What is the primary security risk for the desktop computers at CL? (Choose one)


A. Another CL employee connected to a desktop computer via the LAN.
B. Denial-of-service attack launched from the internet targeting a desktop computer.
C. Remote hackers directly connected to a desktop computer via the internet.
D. Remote hackers directly connected to a desktop computer via modem.

Answer: A
                     
Once again, who knows where these graphics came from? But they might be helpful…

3. Design an authentication strategy for the web site after certificates have been issued to the brokers. Use only computers and authentication methods that apply.

 

Authentication methods:
A. Kerberos
B. Basic authentication with SSL
C. SSL and directory services (DS) mapping
D. HTTP and directory services (DS) mapping

Computers:
1. Broker
2. CONTDC
3. CONTDATA
4. CONTWEB1
5. CONTVPN
6. CL



 

 

4. How should you design the active directory structure for CL? (Choose one)

A. Create a single domain in its own forest. Do not establish trust relationships.
B. Create a single domain in its own forest. Establish a one-way trust relationship with Adatum
C. Create one child domain. Place the child domain in the same forest as AD's domain tree.
D. Create one domain in its own domain tree. Place the domain tree within the same forest as AD's domain tree.

Answer: B

5. Which three options should you include in a security template for CONTWEB1? (Choose three)


A. Rename the administrator account.
B. Allow CD-ROM access to all users.
C. Limit CD-ROM access to users who are logged on locally.
D. Enforce strong passwords.
E. Set the NTLM authentication level to LM and NTLM.
F. Disable account lockout.

Answer: ADE

6. Which technology or technologies should you implement to provide the highest level of security for communications between employees of AD and CL? (Choose one)


A. Internet authentication services (IAS) and NTLM authentication.
B. PPTP
C. SSL, digital certificates, and directory services (DS) mapping.
D. Basic authentication with SSL.
E. L2TP over IPSec

Answer: E

7. How should you separate intranet resources from publicly visible internet servers? (Choose one)


A. Use a private IP address space. Configure both the internal DNS and the authoritative Internet-based DNS server to resolve both internal and external names.
B. Use corp.contoso.com as a suffix for all internal sites. Configure both the internal DNS and the authoritative Internet-based DNS server to resolve both internal and external names.
C. Use corp.contoso.com as a suffix for all internal sites. Configure the internal DNS to resolve internal names, but do not include these names in the authoritative Internet-based DNS server.
D. Use a private IP address space. Configure the authoritative Internet-based DNS server to resolve internal names, but do not include these names on the internal DNS server.

Answer: C
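Answer C is split DNS: the corp.contoso.com names exist only on the internal server, and the public server that is authoritative for contoso.com never carries them. The PowerShell below is an added example, not from the dump, using the DnsServer and DnsClient modules: it creates the internal zone, registers the intranet hosts from the server list, and checks that none of them resolve from the public server. CONTDC as the internal DNS server, ns1.contoso.com as the public server and the 10.0.0.x addresses are assumptions; Windows 2000 did the same through the DNS MMC snap-in.

```powershell
# Added example (not from the dump). Contoso Q7: internal hosts use the corp.contoso.com
# suffix and exist only on the internal DNS server. Assumed names: internal DNS on CONTDC,
# public DNS at ns1.contoso.com, internal zone corp.contoso.com; the IPs are assumptions.
# DnsServer module cmdlets (Windows Server 2012 and later).
Import-Module DnsServer

$internalZone  = 'corp.contoso.com'
$internalDns   = 'CONTDC'            # assumption: the DC from the case study runs DNS
$publicDns     = 'ns1.contoso.com'   # assumption
$internalHosts = @{                  # intranet-only servers from the case study; IPs assumed
    'contweb2' = '10.0.0.20'
    'contdata' = '10.0.0.30'
}

# Create the internal zone on CONTDC (AD-integrated, so it replicates with the DC) and
# register the intranet hosts in it. Nothing here touches the public contoso.com zone.
function New-InternalZone {
    if (-not (Get-DnsServerZone -Name $internalZone -ComputerName $internalDns -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $internalZone -ReplicationScope Domain -ComputerName $internalDns
    }
    foreach ($h in $internalHosts.GetEnumerator()) {
        # Adding a record that already exists raises an error; that is fine on a re-run.
        Add-DnsServerResourceRecordA -ZoneName $internalZone -Name $h.Key -IPv4Address $h.Value `
            -ComputerName $internalDns -ErrorAction SilentlyContinue
    }
    return (Get-DnsServerResourceRecord -ZoneName $internalZone -RRType A -ComputerName $internalDns)
}

# The check a practitioner wants: every internal name resolves from the inside and fails
# from the public server. Returns the names that leaked into public DNS.
function Test-SplitDns {
    $leaks = @()
    foreach ($name in $internalHosts.Keys) {
        $fqdn    = "$name.$internalZone"
        $inside  = Resolve-DnsName -Name $fqdn -Server $internalDns -Type A -ErrorAction SilentlyContinue
        $outside = Resolve-DnsName -Name $fqdn -Server $publicDns  -Type A -ErrorAction SilentlyContinue
        if (-not $inside) { Write-Warning "$fqdn does not resolve on $internalDns" }
        if ($outside)     { $leaks += $fqdn }
    }
    return $leaks
}

New-InternalZone
Test-SplitDns   # any name returned is published where it should not be
```

Running Test-SplitDns from outside the firewall (against $publicDns only) is the cheap version of the recon an attacker would do; an internal name that answers there hands out the server inventory answer C is meant to hide.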

8. Which technology or technologies should you include in your security strategy to secure broker access to the web site? (Choose one)


A. Basic authentication with SSL.
B. SSL, digital certificates, and directory services (DS) mapping.
C. Internet authentication services (IAS) and an ODBC database.
D. L2TP over IPSec

Answer: B

9. How should you implement a Public Key Infrastructure (PKI) for CL? (Choose one)


A. Install an online enterprise root CA. Install an online enterprise subordinate CA. Import a self signed server certificate on the subordinate CA. Issue client certificates on the subordinate CA.
B. Install an offline stand alone root CA. Install an online stand alone subordinate CA. Issue client certificates on the root CA.
C. Install an online stand alone root CA. Import a server certificate from a third party CA to the root CA certificate trust list. Use client certificates from third party CA.

D. Install an offline enterprise root CA. Install an online enterprise subordinate CA. Issue client certificates on the subordinate CA.

Answer: D

10. What should you include in an audit policy for CONTDC? (Choose all that apply)


A. Success and failure audit for object access.
B. Success and failure audit for directory services access.
C. Success and failure audit for policy change.
D. Success and failure audit for account management.
E. Success and failure audit for account logon events.

Answer: BE