Chapter 8
You manage a single domain running Windows Server 2012 R2. You have configured a Restricted Group policy as show in the image. When this policy is applied, which actions will occur? (select two)
Any other members of the Backup Operators group will be removed. the desktop Admins group will be made a member of the Backup Operators group.
You are an administrator for a company that uses Windows 2008 for its server. In addition to active directory, you also provide file and print services, DHCP, DNS, and e-mail services .
Configure Object access auditing in a GPO and link it to the domain.
You are the network administrator for your company. Your company uses Windows XP professional as its desktop operating system. Rodney, a user in the research department, shares a computer with two other users.
Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Delete permission.
You have been asked to troubleshoot a Windows 8 computer that is a member of a workgroup. The director who uses the machine said he is able to install anything he wants as well as change system settings on-demand.
Enable the Run all admin approval mode setting in the local security policy.
Your are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server 2012 R2 for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You would like to log whenever a user is unable to log on to any computer using a domain user account.
Enable the logging of failed Account Logon events. Link the GPO to the domain controllers OU.
You are the server administrator for your network. Recently, the system time on several servers has been modified. You want to find out who has been making the change. You enable auditing for System events. After several days,
Filter the look for successful events. Look in the Security log.
You are the network administrator for northsim.com . The network consists of a single active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You want to prevent users from running any file with .bat or .vbs extension unless the file is digitally signed by your organization.
In application control policies, create a script rule with a publisher condition.
You are the network administrator for northsim.com . The network consists of a single active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You want to find out who has been running a specific game on the client computers.
In application control policies, create an executable rule with a path condition that identifies the file. For example rules, configure audit only.
You run a custom application on a Windows Server 2012 R2 server. You want to configure the firewall to allow the application to use a specific port, but restrict access to specific users.
In windows firewall with advanced security, add an inbound rule. Require only secure connections for the rule, and add the users to the list of authorized users.
You have a computer running windows 8. Prior to installing some software, you turn off User account control, reboot the computer, and install the software. You turn UAC back on, but it does not prompt you before performing sensitive actions.
Reboot the machine
You are the administrator for the widgets.com domain. Organizational unit have been created for each company department. User and computer accounts for each department have been moved into their repective departmental OUs. You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers.
Security Options
You are the administrator for the widgets.com domain. Organizational unit have been created for each company department. User and computer accounts for each department have been moved into their repective departmental OUs. You have two OUs that contain temporary users:
User Rights
Select the policy node you would choose to configure who is allowed to manage the auditing and security logs
User Rights Assignment
You are the network administrator for westsim.com . The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. There is one main office located in New York.
In windows firewall with advanced security, create a new isolation connection security rule and Require authentication for inbound and outbound connections.
You have several computer running Windows 8. You want to configure a GPO that will make the Windows 8 computers prompt for additional credentials whenever a sensitive action is taken.
Configure user account control (UAC) settings.
You are the network administrator for a large metropolitan hospital. The hospital must conform to several new regulations dealing with patient privacy
Add the mangers group to the GPO's discretionary access control list (DACL). Deny the Apply Group Policy and Read permissions to the managers group.
Click on the user right policy that is used to grant a user local access to the desktop of a Windows Server 2012 R2 system.
Allow log on locally
You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shutdown. You would like to use auditing to track who performs these actions.
Audit successful system events. Create a GPO to configure auditing. Link the GPO to the domain.
You are the network Administrator for eastsim.com . The network consists of one Active Directory domain. All the servers run Windows Server 2012 R2. You have been instructed to map a drive to a department share for all users.
Configure a Drive Maps policy in a GPO linked to the domain
You manage the branch office for your company network. The branch office has a single Active Directory domain, branch1.westsim.private. All computers in the branch office are members of the domain. All client computers run Windows 7. The branch office consists of two subnets and 50 host computers. A single DHCP server on Subnet1 delivers IP address information to all clients. A single server on Subnet2 is both the domain controller and DNS server. Dynamic updates are enabled on the DNS zone. You want to configure each client computer with consistent DNS server addresses and DNS search suffixes. You want to prevent users from modifying these settings. What should you do?
Configure a GPO with the DNS server and search suffix settings
You are the network administrator for westsim.com . The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You have enabled outbound filtering for Public networks in the Windows Firewall with Advanced Security node of a Group Policy which applies to member servers.
Configure a custom outbound rule.
You are the security administrator for a large metropolitan school district. You are reviewing security standards with the network for the high school.
Configure the Computer configuration node of the computer center security GPO and restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the computer center computers group only.
You manage 20 computers running Windows 7 in a domain network. You want to prevent the Sales team members from making system changes. Whenever a change is initiated, you want to allow only those who can enter administrator credentials to be able to make the change.
Configure the User Account Control: Behavior of the elevation prompt for standard users setting in Group Policy to Prompt for credentials.
You are the network administrator for northsim.com . The network consists of a single active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You want to prevent users from running a common game on their machines.
Create a hash rule
You are the administrator for the westsim.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective department OUs. Computers in the Accounting department use a custom application. During installation, the application creates a local group named AcctMagic. The group is used to control access to the program. By default, the account used to install the application is made a member of the group. You install the application on each computer in the Accounting department. All Accounting users must be able to run the application on any computer in the department. You need to add each user as a member of the AcctMagic group. You create a domain group named Accounting and make each user a member of this group. You then create a GPO name Acct Software linked to the Accounting OU. You need to define the restricted group settings. What should you do?
Create a restricted group named AcctMagic. Add the Accounting domain group as a member
You are the network administrator for eastsim.com . The network consists of a single Active Directory domain. All the servers run Windows 2012 R2. All the clients run Windows 8. The clients are shared by multiple users at work. You want to allow only members of the Sales team to run the sales lead application.
Create an executable rule with a file hash condition in application control policies.
You are the network administrator for eastsim.com . The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7. Many of the client computers are used by several different users.
Create an executable rule with a publisher condition in application control policies.
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective department OUs. As part of your security plan, you have analyzed the use of Internet Explorer in your organization. You have defined three different groups of users. Each group has different needs for using Internet Explorer. For example, one group needs ActiveX controls enabled, while you want to disable ActiveX for the other two groups. You would like to create three templates that contain the necessary settings for each group. When you create a GPO, you'd apply the settings in the corresponding template rather than manually set the corresponding Administrative Template settings for Internet Explorer. What should you do?
Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO with the desired settings.
You manage a single domain names widgets.com . Recently, you notice that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those charges. You want to only enable auditing that shows you the old and new values of the changed objects.
Directory Service Changes
You run a custom application on a Windows Server 2012 R2 server. You want to configure the firewall to allow the application to use a specific port, but restrict access to only Wrk1 and Wrk2.
In windows firewall with advanced security, add an inbound rule. Require only secure connections for the rule, and add the computer to the list of authorized computers.
You are the network Administrator for eastsim.com . The network consists of one Active Directory domain. All the servers run Windows Server 2012 R2. All of the clients still run Windows Vista. The domain functional level of the domain is set to Windows Server 2008.
Install the client-side extensions (CSEs) on all of the client computers.
Select the policy node you would use to configure a user's Internet Explorer options.
Internet settings
Your network consists of a single Active Directory domain. The OU structure of the domain consists of a parent OU named HW_West, and child OUs of research, HR, Finance, sales, and operations.
Link DefaultSec to the HQ_West OU. Link HiSec to the HR and Research OUs. Configure password policies on a GPO linked to the domain.
You are consulting with the owner of a small network which has a Windows Server 2008 functioning as a workgroup server. There are six client desktop computers, each of which is running Windows XP Professional. There is no Internet connectivity.
Make sure the correct users and groups are listed in the Auditing properties of the files. Make sure Object Access auditing policy is configured for success and failure. Make sure the files to be audited are on NTFS partitions.
You are a domain administrator for a large, multi-domain network. There are approximately 2500 computers in your domain. Organizational Units (OUs) have been created for each department. Group Policy objects (GPOs) are linked to each OU to configure department-wide user and computer settings. While you were on vacation, another 20 computers were added to the network. The computers appear to be functioning correctly with one exception: the computers do not seem to have the necessary GPO settings applied. What should you do?
Move the computer accounts from their current location to the correct OUs.
You are the network administrator for westsim.com . The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. A member server named Web1 running the Web Server role is hosting an internal company web site.
On Web1 you should create a custom inbound firewall rule that allow HTTP traffic on Web1 from Domain Users. Add the TechContractors group as an exception to the rule.
Management is concerned that users are spending time during the day playing games and have asked you to create a restriction that will prevent all users and administrators from running Games app on Windows 8 Workstations.
Packaged app rules
You manage a single domain names widgets.com . One day you notice that a trust relationship you have established with another forest has changed.
Policy change events
You manage a single domain running Windows Server 2012 R2. You have configured a Restricted Group policy as show in the image. When this policy is applied, which actions will occur?
The backup operators group will be made a member of the Desktop Admins group.
You are the network administrator for westsim.com . The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. A server named App1 is running an application that uses a service named Custom App service.
You should create a custom rule using the windows firewall with advanced security.
You are the administrator of a network with a single Active Directory domain. Your domain contains three domain controllers and five member servers.
using active Directory users and computers, select Unlock Account for each account.
You manage a single domain named widgets.com . Organizational units have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account locout policy for the domain.
Create a granular password policy. Apply the policy to all users in the Directors OU.
You are the network administrator for your company. Your company uses Windows 7 Professional as its desktop operating system. All computers joined to a single Active directory domain. Several computers store sensitive information. You are configuring security settings that will distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its Security database.
Select failure for audit account logon events.
You are the network administrator for your company. Your company uses Windows 7 Professional as its desktop operating system. All computers joined to a single Active directory domain. Several computers store sensitive information. You are configuring security settings that will distributed to all computers on your network. You want to identify denied attempts to manipulate files on computers that have been secured through NTFS permissions.
Select failure for audit object access.
You need to configure Windows Firewall with Advanced Security to allow traffic for an application that dynamically opens up multiple ports on an ass-needed basis.
Add a program rule
Your network has a single Active Directory forest with two domains: eastsim.private and HQ.eastsim.private. Organizational units Accounting, Marketing, and Sales represent departments of the HQ domain. Additional OUs (not pictured) exist in both the eastsim.private and HQ.eastsim.private domains. All user and computer accounts for all departments company-wide are in their respective departmental OUs. You are in the process of designing Group Policy for the network. You want to accomplish the following goals: *You want to enforce strong passwords throughout the entire forest for all computers. All computers in both domains should use the same password settings. * The Accounting department has a custom software application that needs to be installed on computers in that department. * Computers in the Marketing and Sales departments need to use a custom background and prevent access to the Run command. You create the following three GPOs with the appropriate settings: Password Settings, Accounting App, and Desktop Settings. How should you link the GPOs to meet the design objectives? To answer, drag the label corresponding to the GPO to the appropriate boxes.
eastsim.private - password setting HQ.eastsim.private - password setting Accounting - Accounting app Marketing - Desktop Settings Sales - Desktop Settings
You are the network administrator for southsim.com . The network consists of a single Active Directory domain. All the servers run Windows 2012 R2. All the clients run Windows 8. The clients are shared by multiple users at work.
Browse and select the executable file for the application. Modify the rule to include the product name information.
You are the network administrator for eastsim.com . The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You would like to prevent users from running all software on the computer except for software that has been digitally signed.
Configure an executable rule in application control policies with a publisher condition.
You are in charge of managing several servers. Your company requires many custom firewall rules in Windows Firewall with Advanced Security.
Configure firewall settings in group policy. Apply the GPO so that it applies to all applicable servers.
You are the administrator of a network with a single Active Directory domain. Your domain contains two domain controllers. Your company's security policy requires that locked out accounts are unlocked by administrators only.
Configure the account lockout duration to 0.
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8.1. The company has a main office in New York and several international locations including facilities in Germany and France. You have been asked to build a domain controller that will be deployed to the eastsim.com office in Germany. The network administrators in Germany plan to use Group Policy Administrative Templates to manage Group Policy in their location. You need to install the German version of the Group Policy Administrative Templates so they will be available when the new domain controller is deployed to Germany. What should you do?
Copy the German .ADML files to the apporpriate directory int he SYSVOL on a local domain controller
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective department OUs. As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security options, and Administrative Template settings in different GPOs. Rather than make these same settings each time, you would like to create some templates that contain your most common settings. What should you do?
Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs. Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs.
You manage a single domain names widgets.com . Recently, you notice that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those charges. You enable successful auditing of directory service access events in a GPO, and link the GPO to the domain.
Edit the access list for the OU. Identify specific users and events to audit.
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective department OUs. From your workstation, you create a GPO that configures settings from a custom .admx file. You link the GPO to the sales OU. You need to make some modifications to the GPO settings from the server console. However, when you open the GPO, the custom Administrative Template settings are not shown. What should you do?
Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location
You are the network administrator of a small network consisting of three Windwos Server 2012 R2 computers, 50 Windows 7 professional workstations, and 100 Windows 8 workstations. Your network has a password policy in place with the following settings:
Enable the Minimum password age setting Enable the password must meet complexity requirements.
Your are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server 2012 R2 for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers.
Enable the logging of Logon events Link the GPO to the Member Servers OU.
You manage a single domain named widgets.com . Organizational units have been created for each company department. User and computer accounts have been moved into their corresponding OUs. you define a password and account lockout policy for the domain.
Implement a granular password policy of the users in the Directors OU.
You are the network administrator for eastsim.com . The network consists of a single Active Directory domain. All the servers run Windows 2012 R2. All the clients run Windows 8. The clients are shared by multiple users at work. Recently, users have downloaded and installed two malware programs onto the computer.
In application control policies, create a Windows Installer rule with a file hash condition.
You are the Administrator for a network with a single active directory domain named widgets.local . The widgets.local domain has an Organizational Unit object for each major department in the company, including the Information Systems department.
On the Group Policy object's access control list, deny the Apply Group Policy permission for members of the Domain Admins group.
You are the network administrator for your company. Your company uses Windows 7 Professional as its desktop operating system. All computers joined to a single Active directory domain. Several computers store sensitive information. You are configuring security settings that will distributed to all computers on your network. You want to identify denied attempts to change user's group membership in a computer's local database.
Select failure for audit account management
You are the network administrator for your network. You network consists of a single Active Directory domain. All servers run Windows Server 2012 R2. Your company recently mandated The following user account criteria:
Set Minimum password length to 12 Set account lockout duration to 0 Set account lockout threshold to 3
You manage several computers that run Windows 7. You would like to have better control over the applications that run on there computers, so you have decided to implement AppLocker..
Set the enforcement mode for executable rules to Enforce rules. Start the application identity service on the client.