NET-122 (TestOut Chapter 8)
Central Store
A file location that is checked by the Group Policy tools by default when adding Administrative Templates to GPOs.
Restricted Groups
A group policy that can be used to control membership for groups that require high security.
Group Policy Preferences
A set of extensions that increase the functionality of Group Policy Objects (GPOs), include advanced settings for folders, mapped drives, and printers.
Standard user account
A standard user account has the minimum amount of user rights and privileges required to perform most basic tasks.
Hash
A unique value or number generated by a formula using the contents of an executable file that is substantially smaller than the contents of the file.
Administrative Templates
Administrative templates are registry-based settings that you can configure within a GPO to control the computer and overall user experience, such as: Use of Windows features such as BitLocker, offline files, and parental controls Customize the Start menu, taskbar, or desktop environment Control notifications Restrict access to Control Panel features Configure Internet Explorer features and options
Notify me only when programs try to make changes to my computer (do not dim the desktop)
Use the following Group Policies for the equivalent of Notify me only when programs try to make changes to my computer (do not dim the desktop): The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries. The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled. The Behavior of the elevation prompt for standard users policy setting is set to Prompt for credentials.
1. You are the network administrator for eastsim.com. The network consists of one Active Directory domain. You have been instructed to map a drive to a department share for all users. The company no longer uses login scripts, so you must ensure that the department share is mapped using Group Policy. What should you do?
Configure a Drive Maps policy in a GPO linked to the domain.
2. You would like to prevent users from running any software with .exe or .com extensions on computers in the domain unless they have been digitally signed. The rule should apply to all known and unknown software. How should you configure this rule in AppLocker?
Configure an executable rule with a publisher condition.
Always notify
Use the following Group Policies for the equivalent of Always Notify: The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent on the secure desktop. The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.
Never notify
Use the following Group Policies for the equivalent of Never notify: The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Elevate without prompting. The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled. The User Account Control: Run all administrators in Admin Approval Mode policy setting is disabled. UAC is disabled. If you use Group Policies to turn off UAC, reboot the system for changes to take effect.
Notify me only when programs try to make changes to my computer
Use the following Group Policies for the equivalent of Notify me only when programs try to make changes to my computer: The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries. The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.
8. You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You have two OUs that contain temporary users, TempSales and TempMarketing. For all users within these OUs, you want to restrict what the users are able to do. For example, you want to prevent them from shutting down the system or accessing computers through a network connection. Which GPO category would you edit to make the necessary changes?
User Rights
User Configuration
User policies are enforced for specific users. User policy settings include: Software that should be installed for a specific user. Scripts that should run at logon or logoff. Internet Explorer user settings, such as favorites and security settings. Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree). User policies are initially applied as the user logs on. They often customize Windows based on user preferences. All computer policies run before any user policies run.
Privilege Elevation
An elevation of privileges, from a standard user to an administrator, granted to an application.
Executable
An executable rule applies to files with .exe and .com extensions.
3. You are the network administrator of the westsim.com domain. You have several users who use Windows laptop machines because they travel frequently. When they are on the road, they need to use a VPN connection to access network resources in the domain. Click on the Group Policy preferences Control Panel setting you would use to configure these laptops with the correct VPN connection settings.
Click on Network Options
Group Policy Object (GPO)
A collection of settings that control how a computer will behave.
Network Options
Configures VPN and dial-up connections.
Always notify
A UAC prompt and the secure desktop are displayed for 150 seconds. The user cannot perform any other actions until they respond to the prompt, which will automatically deny the request after 150 seconds. This is the recommended configuration because it is the most secure.
Secure Desktop
A UAC setting that makes the desktop unavailable when a UAC prompt is triggered.
Local Users and Groups
Manages local users and groups.
User Account Control (UAC)
A Windows feature designed to prevent unauthorized changes to your computer by prompting for authentication before continuing with a task.
Group Policy
A Windows feature that allows Active Directory administrators to implement specific configurations for users and computers.
Administrator
A Windows user that can perform any action on the computer.
Standard User
A Windows user with minimal rights and privileges.
Account Lockout and Password Policies
Account Lockout and Password policies control passwords and user lockout properties for the entire domain. Password Policy settings control characteristics enforced for user passwords. Account Lockout Policy settings control what happens when a user enters one (or more) incorrect passwords. Policy settings are applied to the computer, not the user. Although you can configure Account Policies settings in any GPO, only the settings configured in a GPO linked to the domain take effect. The following list describes the password policy settings: Enforce password history requires users to create unique passwords. Set this to a high number to keep users from frequently repeating passwords. Windows can remember up to 24 old passwords. A maximum password age must be configured for this setting to take effect. Maximum password age requires the user to change the password after a given length of time. Setting this value to 0 means that the password never expires. Minimum password age keeps users from changing passwords immediately after they've reset their passwords. This prevents users from defying the password history by initiating multiple password changes in a sequence to get back to their preferred password. The value must be less than the maximum age and should be a setting greater than 0. A setting of 0 allows the user to reset the password immediately. Minimum password length prevents users from using passwords that are too short. At a minimum, enforce passwords of eight characters or longer. Password must meet complexity requirements prevents using passwords that are easy to guess or easy to crack. This setting enforces the following: Requires users to create a password with a minimum of three of the four types of special characters ( lower case letters, upper case letters, numbers, or !, @, #, $, %, ^, &, *). Disallows the use of dictionary words or any part of the user login identification. Requires that passwords be 6 characters long (or longer). Store passwords using reversible encryption is, essentially, equivalent to storing plain-text passwords. This setting should be disabled unless a specific application requires access to the plain-text password. The following list describes account lockout policy settings. Account lockout duration determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically. When set to a value of 0, an administrator must unlock the account. Account lockout threshold determines the number of attempts a user can make before the account is locked. A typical setting is 3. Reset account lockout counter after determines the amount of time (in minutes) that must pass before the number of invalid attempts counter is reset.
Account Logon
Account logon auditing tracks when a user account is used to authenticate to a computer. Account logon auditing generates an event on the system where the user account exists. When a local user account is used, the local computer records the logon event. When a domain user account is used, the domain controller records the logon event. In a multiple domain controller environment, you do not know which domain controller will authenticate a user. Event log subscriptions allow you to centralize the event log by collecting copies of specified events from multiple computers.
Account Management
Account management auditing tracks changes to user accounts, including: Create Rename Disable/enable Delete Change the password
1. You have created a group policy that prevents users in the accounting department from accessing records in a database that has confidential information. The group policy is configured to disable the search function for all users in the Accounting OU no matter which workstation is being used. After you configure and test the policy, you learn that several people in the Accounting OU have valid reasons for using the search function. These users are part of a security group named Managers. What can you do to prevent the Group Policy object (GPO) that you have configured from applying to members of the Managers group?
Add the Managers group to the GPO's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group.
1. You are an administrator over several Windows servers. You also manage a domain in Active Directory. Your responsibilities include managing permissions and rights to make sure users can do their jobs while also keeping them from doing things they should not be doing. With Windows Server systems and Active Directory, the concepts of permissions and rights are used to describe specific and different kinds of tasks. Drag the concept on the left to the appropriate task examples on the right. (Each concept can be used more than once.)
Allow members of the Admins group to back up the files in the Marketing folder on the CorpFiles server. Rights Assign members of the Admins group read-only access to the files in the Marketing folder on the CorpFiles server. Permissions Allow members of the Admins group to restore the files in the Marketing folder on the CorpFiles server. Rights Assign members of the Marketing group read-write access to the files in the Marketing folder on the CorpFiles server. Permissions Allow members of the Admins group to log on locally to the CorpFiles server. Rights Allow members of the Admins group to shut down the CorpFiles server. Rights Allow members of the Marketing group to send print jobs to the Marketing color printer. Permissions
1. You manage several Windows workstations in your domain. You want to configure a GPO that will make them prompt for additional credentials whenever a sensitive action is taken. What should you do?
Configure User Account Control (UAC) settings.
Administrator account
An administrator account can perform any action on the computer. For example, administrators can turn off firewalls, configure security policies, and install new drivers and other software for the entire computer. Remember the following about administrator accounts: Administrators are members of the local Administrators group. Each computer has a built-in administrator account that is disabled by default. During a new installation, the first user account created is automatically made a member of the Administrators group. Subsequent user accounts are created as standard users by default. For upgrades, the built-in administrator account is enabled if it is the only user account with administrative privileges. Otherwise, it is disabled. If the system has at least one administrator account, the built-in administrator account cannot be used to log on in Safe mode. Safe mode logon using the built-in administrator account is never allowed for computers that are members of a domain.
AppLocker
An application whitelisting technology that allows the restriction of programs that users can execute based on the program's path, publisher, or hash.
2. You manage a single domain running Windows Server. You have configured a restricted Group Policy as shown in the image. When this policy is applied, which actions will occur? (Select two.)
Any other members of the Backup Operators group will be removed. The Desktop Admins group will be made a member of the Backup Operators group.
AppLocker policies, also known as application control policies, are similar to software restriction policies, but allow much more granular control. AppLocker rules take precedence over software restriction policies.
AppLocker policies have the following features: AppLocker provides flexibility so you can specific software to allow or block. Options include blocking all products from a specific publisher, all products with a specified product name, or all files with a specified file name. Policies can be applied to all existing, future, or previous versions of an application. Polices can be applied to a specific OU or to the entire domain. The Automatically Generate Rules wizard can be used to read the contents of a specified folder and then generate recommended rules based on the folder contents. Exceptions can be included in policies. The option to automatically create default rules should be run to create the necessary exceptions to allow programs: To allow members of the Administrators group to run all applications or application installers on the system. To allow all users to run applications or application installers in the Windows folder. To allow all users to run applications or application installers in the Program Files folder You must enable the default rules for each rule type. For example, failure to specify the default executable rules prevents Windows from executing system files in the C:\Windows and C:\Program Files directories.
Permissions
Are the ability to use objects, such as files, folders, and printers. Rights are the ability to perform actions on a computer, such as log on, shut down, back up, and restore. For example, a user logging on to gain access to the desktop of a Windows server must have the Allow Log On Locally right.
9. You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use auditing to track who performs these actions. What should you do to only monitor the necessary events and no others? (Select two. Each choice is a required part of the solution.)
Audit successful system events. Create a GPO to configure auditing. Link the GPO to the domain.
Accounts
Be aware of the following regarding security options in the Accounts category: The Administrator account status policy determines whether the administrator account is enabled or disabled. By default, the Administrator account is disabled on workstations, but enabled on servers. If a workstation starts in Safe mode, the Administrator account is enabled. It is a best practice to: Disable the Administrator account and Guest account on workstations. If you cannot disable the Administrator and Guest accounts, rename them using the Rename administrator account and the Rename guests account policies. Enable the Limit local account use of blank passwords to console logon only policy.
Interactive Logon
Best practices for the following Interactive logon settings are: Disable Display user information when the session is locked. Enable Do not display last user name. Disable Do not require CTRL+ALT+DEL. The key sequence has been referred to as the security attention sequence. It stops any software running in the background to prevent Trojan viruses from capturing the user name and password. Use Message text for users attempting to log on to provide a disclaimer that the computer is only for employee use. Enable Prompt user to change password before expiration as a reminder to the users to change their passwords. Enable Require smart card as an additional security measure.
Block Inheritance
Blocking inheritance prevents settings in all GPOs linked to parent objects from being applied to child objects. You configure inheritance blocking on the domain or an organizational unit (OU). You cannot block inheritance on a per-GPO basis; blocking inheritance blocks all GPOs linked above the blocking object. Only Group Policies applied directly to the container take effect. A blue circle with a white exclamation mark in it indicates blocked Group Policy inheritance.
Loopback Processing
By default, Group Policy configuration applies computer settings during system startup and user settings during logon. For this reason, user settings take precedence in the event of a conflict. However, using loopback processing, computer settings can be reapplied after user logon. Following are some circumstances when you might use loopback processing: If you want computer settings to take precedence over user settings. If you want to prevent user settings from being applied. If you want to apply specified user settings for the computer regardless of the location of the user account in Active Directory. Loopback processing runs in Merge or Replace mode. Merge mode gathers the Computer Configuration GPOs and appends them to the User Configuration GPOs when the user logs on. Replace mode prevents the User Configuration GPOs from being applied.
5. You are the network administrator of the westsim.com domain. You have several users in the Sales OU who use Windows laptop machines because they travel frequently. These laptops are all in the Computers OU along with the desktop computers used by other users in the Sales OU. The Computers OU is a child of the Sales OU. There is a service preference that need to be applied to the laptops that does not need to be applied to desktop computers. You configure a Group Policy preference for this service that you want to apply to just the laptops. You link this Group Policy to the Computers OU. Click on the Group Policy preferences Common option setting you would use to configure the preference to apply only to the laptop computers in the Computers OU.
Click on Item-Level Targeting
4. You are the network administrator of the westsim.com domain. You have several users who use Windows laptop machines because they travel frequently. These users have very sensitive information on their laptops, so you have been asked to take additional security measures with these machines. You install smart card readers on each laptop so that no one can access a lost or stolen laptop unless they also have the smart card. Click on the Group Policy preferences Control Panel setting you would use to configure these laptops so the Smart Card Reader service starts when the laptop is powered on.
Click on Services
3. Select the policy node you would choose to configure who is allowed to manage the auditing and security logs.
Click on User Rights Assignment
2. Click on the user right policy that is used to grant a user local access to the desktop of a Windows server.
Click on User Rights Assignment in the left pane Click on Allow log on locally in the right pane
2. You've just deployed a new Active Directory domain, as shown in the figure below. You now need to deploy Group Policy objects (GPOs) to apply configuration settings and enforce security policies. Click the container(s) to which a GPO can be applied.
Click on the Corp and Domain Controllers Organizational Units
7. Management is concerned that users are spending time during the day playing games and have asked you to create a restriction that will prevent all standard users and administrators from running the Games app. Click on the option you would use in Group Policy Management Editor to implement this restriction.
Clicked on Packaged app Rules
Local Policies/User Rights Assignment
Computer policies include a special category of policies called user rights. User rights identify system maintenance tasks and the users or groups who can perform them. Examples of user rights include: Access this computer from the network (the ability to access resources on the computer through a network connection). Load and unload device drivers. Back up files and directories (does not include restoring files and directories). Shut down the system. Remove a computer from a docking station.
Computer Configuration
Computer policies, or machine policies, are enforced for the entire computer and are applied when the computer boots. Computer policies are in effect regardless of the user logging into the computer. Computer policies include: Software that should be installed on a specific computer. Scripts that should run at startup or shutdown. Password restrictions that must be met for all user accounts. Network communication security settings. Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree). Computer policies are initially applied as the computer boots and are enforced before any user logs on.
Managing Local Group Policy
Computers that are not part of a domain use local Group Policy settings to control security settings and other restrictions on the computer. Local Group Policy settings are also applied to domain-joined computers. However, domain Group Policy overrides local Group Policy if a particular policy setting is defined in both places. To manage local Group Policy, use Microsoft Management Console (MMC): Enter mmc at the command line to launch Microsoft Management Console. Add the Group Policy Object Editor snap-in from the File menu. By default, it will add the Local Computer Group Policy snap-in. Select Users to edit Local Group Policy for specific users on the computer. You can save the Group Policy Object Editor console to allow for easy access in the future. You can also access the local Group Policy snap-in directly by entering gpedit at the command line.
6. You are the administrator of a network with a single Active Directory domain. The domain includes two domain controllers. Your company's security policy requires that locked out accounts are unlocked by administrators only. Upon reviewing the account lockout policy, you notice the account lockout duration of 99999. You need to configure your domain's account lockout policy to comply with your company's security policy. What should you do next?
Configure Account lockout duration as 0.
2. You are the network administrator for eastsim.com. The network consists of one Active Directory domain. Several users have received new computers to replace their older systems that were out of warranty. You are preparing to join the new computers to the domain. Your company has several limitations on what users can do with their workstations. For example, users are not allowed to use USB removable media devices or create any kind of executable files. You must make sure each new computer configuration is in compliance with these limitations, but you do not want to go from computer to computer to make the changes. Which of the following can you perform to meet these requirements with the least possible effort?
Configure Group Policy preferences.
8. You are an administrator for a company that uses Windows servers. In addition to Active Directory, you also provide file and print services, DHCP, DNS, and email services. There is a single domain and a single site. There are two member servers, one that handles file and print services only, and one database server. You are considering adding additional servers as business increases. Your company produces mass mailings for its customers. The mailing list and contact information provided to your company by its clients is strictly confidential. Because of the private information sometimes contained in the data (one of your clients is a hospital), and because of the importance of the data to your operation, the data can also be considered a trade secret. You want to ensure the data stored on your member servers is only accessed by authorized personnel for business purposes. You've set file permissions to restrict access, but you want to track the authorized users. How should you configure your security policy to track access to the data files?
Configure object access auditing in a GPO and link it to the domain.
1. Your network consists of a single Active Directory domain. The OU structure of the domain consists of a parent OU named HQ_West and the child OUs Research, HR, Finance, Sales, and Operations. You have created a Group Policy Object (GPO) named DefaultSec, which applies security settings that you want to apply to all users and computers. You have created a second GPO named HiSec, which has more restrictive security settings that you want to apply to the HR and research departments. Both GPOs use custom security templates. You also want to ensure that strong password policies are applied to all client computers. How should you link the GPOs to the OUs? (Select three. Each correct answer is part of the complete solution.)
Configure password policies on a GPO linked to the domain. Link HiSec to the HR and Research OUs. Link DefaultSec to the HQ_West OU.
2. You are the security administrator for a large metropolitan school district. You are reviewing security standards with the network administrators for the high school. The school's computer center has workstations for anyone's use. All computers in the computer center are members of the Computer Center Computers global group. All workstations are currently located in the Computers container. The computer center computers have access to the Internet so users can perform research. Any user who uses these computers should be able to run Internet Explorer only. Other computers in the high school should not be affected. To address this security concern, you create a Group Policy object (GPO) named Computer Center Security. How can you configure and apply this GPO to enforce the computer center's security?
Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only.
2. You manage 20 Windows workstations in your domain network. You want to prevent the sales team members from making system changes. Whenever a change is initiated, you want to allow only those who can enter administrator credentials to be able to make the change. What should you do?
Configure the User Account Control: Behavior of the elevation prompt for standard users setting in Group Policy to prompt for credentials.
Folder Options
Configures folder options and file extension associations.
Power Options
Configures power options and power schemes for computers.
Services
Configures services to: Run automatically Start if required Disable and stop if necessary
Devices
Consider using the following policies to secure devices based on the security needs of the organization. Prevent users from installing printer devices protects the system from the possible introduction of incompatible and malware-infected drivers. Restrict CD-ROM drive access to locally logged-on user only prevents network users from accessing resources on an optical disc. Allowed to format and eject removable media protects removable media from users when disabled. Unsigned driver installation behavior specifies what happens when an attempt is made to install an unsigned driver.
Network Security
Consider using the following policies to secure network access based on the organization's security needs. Enable Force log off when logon hours expire to enforce logon hours. Disable Allow system to be shut down without having to log on to require a user to log in before shutting down a server.
10. You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. The company has a main office in New York and several international locations, including facilities in Germany and France. You have been asked to build a domain controller that will be deployed to the eastsim.com office in Germany. The network administrators in Germany plan to use Group Policy administrative templates to manage Group Policy in their location. You need to install the German version of the Group Policy administrative templates so they will be available when the new domain controller is deployed to Germany. What should you do?
Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller.
7. You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security options, and Administrative Template settings in different GPOs. Rather than make these same settings each time, you would like to create some templates that contain your most common settings. What should you do? (Select two. Each choice is a possible solution.)
Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs. Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs.
6. Your organization has been using an in-house custom-developed application. The team that developed that application created a Group Policy template in the form of an ADMX file, which you have used to assign necessary rights to a group of users who use the application. Another group of users now needs to have the same rights. This group belongs to an OU that one of your assistants has full control management rights to. When your assistant tries to use the Group Policy template to assign rights to this group, she cannot find the template in Active Directory. What must you do to give your assistant access to this Group Policy template?
Create a central store on the SYSVOL share and copy the ADMX file into it.
1. You are the administrator for the westsim.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective department OUs. Computers in the accounting department use a custom application. During installation, the application creates a local group named AcctMagic. This group is used to control access to the program. By default, the account used to install the application is made a member of the group. You install the application on each computer in the accounting department. All accounting users must be able to run the application on any computer in the department. You need to add each user as a member of the AcctMagic group. You create a domain group named Accounting and make each user a member of this group. You then create a GPO named Acct Software linked to the Accounting OU. You need to define the restricted group settings. What should you do?
Create a restricted group named AcctMagic. Add the Accounting domain group as a member.
4. You want to prevent users from running any file with a .bat or .vbs extension unless the file is digitally signed by your organization. How should you configure this rule in AppLocker?
Create a script rule with a publisher condition.
5. You want to find out who has been running a specific game on the client computers. You do not want to prevent users from running the program, but instead want to log information when the file runs. The application is not digitally signed. How should you configure this rule in AppLocker?
Create an executable rule with a path condition that identifies the file. Set the enforcement mode to audit only.
6. You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. As part of your security plan, you have analyzed the use of Internet Explorer in your organization. You have defined three different groups of users. Each group has different needs for using Internet Explorer. For example, one group needs ActiveX controls enabled, and you want to disable ActiveX for the other two groups. You would like to create three templates that contain the necessary settings for each group. When you create a GPO, you want to apply the settings in the corresponding template rather than manually set the corresponding Administrative Template settings for Internet Explorer. What should you do?
Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO with the desired settings.
11. You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You want to only enable auditing that shows you the old and new values of the changed objects. Which directory service auditing subcategory should you enable?
Directory Service Changes
Directory Service Access
Directory service access auditing tracks changes to Active Directory objects. Beginning with Windows Server 2008, directory service access auditing capabilities have been integrated with Group Policy. The audit directory service access policy is divided into four subcategories: Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication When you enable Directory Service Access auditing, auditing for all four subcategories is enabled. To enable auditing for individual categories, use the Auditpol /set /subcategory command. When configuring directory service access auditing, enable auditing on the domain or OU, then identify the users and objects to audit. Simply enabling auditing using a GPO will be insufficient. To record the old and new values for changed objects, audit directory service changes. Auditing the directory service access subcategory creates a log entry when a change is made, but does not log the actual values that were changed.
3. When Active Directory is installed, several containers are created by default. Which default container would you be able to apply a Group Policy to?
Domain Controllers OU
10. You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO and link the GPO to the domain. After several days, you check Event Viewer, but you do not see any events listed in the event log indicating changes to Active Directory objects. What should you do?
Edit the access list for the OU. Identify specific users and events to audit.
5. You are the network administrator for your company. Rodney, a user in the research department, shares a computer with two other users. One day, Rodney notices that some of his documents have been deleted from the computer's local hard drive. You restore the documents from a recent backup. Rodney now wants you to configure the computer so he can track all users who delete his documents in the future. You enable auditing of successful object access events in the computer's local security policy. Rodney then logs on and creates a sample document. To test auditing, you then log on and delete the document. However, when you examine the computer's security log, no auditing events are listed. How can you make sure an event is listed in the security log whenever one of Rodney's documents is deleted?
Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Delete permission.
5. After configuring a password policy to require users to create strong passwords, you start to notice sticky notes stuck to monitors throughout the organization. The sticky notes often have strings of characters written on them that appear to be passwords. What can you do to prevent the security risk that this practice presents?
Educate users on how to create and remember strong passwords.
5. You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. From your workstation, you create a GPO that configures settings from a custom .admx file. You link the GPO to the Sales OU. You need to make some modifications to the GPO settings from the server console. However, when you open the GPO, the custom administrative template settings are not shown. What should you do?
Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.
2. You are the network administrator of a small network consisting of three Windows servers and 150 Windows workstations. Your network has a password policy in place with the following settings: Enforce password history: 10 passwords remembered Maximum password age: 30 days Minimum password age: 0 days Minimum password length: 8 characters Password must meet complexity requirements: Disabled Store password using reversible encryption: Disabled One day, while sitting in the cafeteria, you overhear a group of co-workers talk about how restrictive the password policy is and how they have found ways to beat it. When required to change the password, they simply change the password 10 times at the same sitting. Then they go back to the previous password. Your company has started a new security crackdown, and passwords are at the top of the list. You thought you had the network locked down, but now you see that you need to put an end to this practice. Users need to have passwords that are a combination of letters and numbers and do not contain a complete dictionary word. Users should not be able to reuse a password immediately. What should you do? (Choose two. Each answer is part of the solution.)
Enable the Password must meet complexity requirements setting. Enable the Minimum password age setting.
3. You have been asked to troubleshoot a Windows workstation that is a member of your domain. The director who uses the machine said he is able to install anything he wants and change system settings on demand. He has asked you to figure out why User Account Control (UAC) is not being activated when he performs a sensitive operation. You verify that the director's user account is a standard user and not a member of the local Administrators group. You want the UAC prompt to show. What should you do?
Enable the Run all administrators in Admin Approval Mode setting in the Group Policy .
7. You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows servers for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU. You are creating a security template that you plan to import into a GPO. What should you do to log whenever a user is unable to log on to any computer using a domain user account? (Select two. Each choice is a required part of the solution.)
Enable the logging of failed account logon events. Link the GPO to the Domain Controllers OU.
Devices
Enables or disables devices based on a device class identifier.
6. You would like to have better control over the applications that run on the computers in your domain, so you have decided to implement AppLocker. You have created default rules and an executable rule that only allows the company's accounting application to run. When you test these rules, you find that you can still run any program on your test client. What should you do? (Select two. Each correct answer is part of the solution.)
Ensure that the enforcement mode for executable rules is set to Enforce rules. Start the Application Identity service on the client.
Rights are applied to individual computers locally. You can view the User Rights Assignment policy settings under Computer Configuration\Security Settings\Local Policies in Group Policy. When assigning rights, keep the following in mind: Rights are part of the security policy for the computer. Rights can be assigned using local or domain policies. Use the Local Group Policy Editor for local policies and Group Policy Management for domain policies to configure user right policy settings. If a right is assigned in a domain GPO, the right affects the local security settings on the computer accounts the GPO affects. By default, he Default Domain Controllers Policy GPO assigns the Allow Log On Locally right on domain controllers to the following groups: Account Operators Administrators Backup Operators Print Operators Server Operators
For workstations and member servers, the Allow Log On Locally right is assigned to the following groups by default: Administrators Backup Operators Power Users Users Guests You can explicitly deny a right to users or groups. For example, you could deny the Print Operators group the right to log on locally. There are many User Rights Assignment policies that you can use to manage what users are allowed to do on the system where the policies are applied, including: Access this computer from the network Add workstations to domain Allow log on locally Allow log on through Remote Desktop Services Back up files and directories Change system time Force shutdown from a remote system Load and unload device drivers Manage auditing and security log Perform volume maintenance tasks Profile system performance Restore files and directories Shut down the system Take ownership of files or other objects
4. Click on the tool you can use to configure Restricted Groups to control membership for groups that require high security.
Go to Tools and click on Group Policy Management
Granular Password Policy
Granular password policies allow you to create password policies for users and global groups separate from the password policy applied to the entire domain. Using granular password policies, you could, for example, require administrators to use 14-character passwords while requiring only eight-character passwords for standard users. In general, you should use Account Policies to enforce a domain-wide password policy. Then use granular password policies to enforce policies for groups of users that have more or less restrictive password policy needs than the domain-wide password policy. You should know the following facts about granular password policies: The domain must be running at the Windows Server 2008 domain functional level or higher. Password policies affect only user account passwords, not computer account passwords. Only members of the Domain Admins group can set granular password policies, but you can delegate the permission. Granular password policies are saved as a Password Settings object (PSO) in the Password Settings container (PSC). There is one default PSC. It cannot be renamed, deleted, or moved. You can create additional PSCs, but they will not take effect. The PSC holds one or more PSOs. You can define multiple PSOs with unique password policy settings. PSOs have attributes for all of the settings that can be defined in the Default domain policy except Kerberos settings. Policies can be applied to user accounts or global security groups. Each granular policy can be applied to multiple users and/or groups. Granular password policies affect only users within the current domain. Policies are not enforced when applied to OUs, the domain, or other group types. To apply a granular policy to all users within an OU, create a global security group that contains all OU members. Apply the policy to the group. When you move a user account to a different OU, remember to also change the group membership so that the granular password policy no longer applies.
Managing Domain GPOs
Group Policy Objects (GPOs) can be linked to Active Directory sites, domains, and organizational units (OUs). Use the Group Policy Management console to link a GPO to one of these objects. Be aware of the following: A GPO applied to an OU affects the objects in the OU and sub-OUs. A GPO applied to a domain affects all objects in all OUs in the domain. Built-in containers, such as the Computers container, and folders cannot have GPOs linked to them. Once the GPO has been linked, you can edit various policy settings within it. When linking Group Policies: The Default Domain Controllers policy is linked to the domain controllers OU by default. This policy increases security of the domain controllers. You can run the dcgpofix command to restore the original settings of the Default Domain Controllers Group Policy. On the Linked Group Policy Objects tab, you can change the link order of Group Policies. The Group Policy Inheritance tab lists the order in which Group Policies will be applied. The policies are listed in reverse order of precedence, meaning that the last policy on the list--the one with the highest precedence number--will be applied first. To delete a Group Policy, you must delete it from the Group Policy Objects container.
5. You have configured a new GPO. You use a scoping method to prevent it from applying to a specific user using a specific computer. Which tool can you use to see if your scoping method is successful?
Group Policy Results
Assigning GPO Permissions
Group Policy permissions control the operations that users can perform on the GPO as well as the application of the GPO to the user. To apply settings to a user, the user must have the Allow Read and Apply Group Policy permissions. By default, each GPO grants the Authenticated Users group (essentially, all network users) the Allow Read and Apply Group Policy permissions. This means that, by default, GPO settings apply to all users. Permissions also control who can edit Group Policy settings and manage the GPO.
1. You want to prevent users in your domain from running a common game on their machines. This application does not have a digital signature. You want to prevent the game from running even if the executable file is moved or renamed. You decide to create an AppLocker rule to protect your computer. Which type of condition should you use in creating this rule?
Hash
Never notify
If logged on as an administrator, all actions are executed without UAC prompts or the secure desktop. If logged on as a standard user, all actions requiring privilege elevation are automatically denied. Turning UAC off requires a system reboot.
Keep in mind the following about GPOs:
If possible, combine multiple settings into one Group Policy. Reducing the number of Group Policies that require processing reduces boot and logon time. The Default Domain policy contains the only account and password policies that are going to take effect unless you create a password settings object (PSO). GPOs do not exist at the forest level. To enforce a GPO in multiple domains, create the GPO in one domain, export it, and then import it into other domains.
When a task or operation requires administrative privileges, a UAC prompt provides the user with the ability to elevate the privilege level of the application from a standard user to an administrator user without having to log off, switch users, or use the Run As option.
If the user is a standard user, then UAC prompts for credentials. The user must provide the username and password of an administrative user account. If the user is a member of the Administrators group, then they will be prompted for consent. Because the user is already an administrator, they simply need to confirm that they want to allow the application to run as an administrator.
4. You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. How can you make the change with the least amount of effort? (Select two.)
Implement a granular password policy for each user in the Directors OU. Create a group for the members of the Directors OU and then apply a granular password policy to the group.
Be aware of the following when configuring auditing: Auditing requires system resources. You view audit entries in the Event Viewer Security log. In Windows Server 2012, you can set up conditional auditing. Both Directory Service Access and Object Access auditing require two steps for configuration: 1. Enable auditing in the local security policy or Group Policy. 2. Configure auditing on the specific objects. View the System Access Control List (SACL) of the Active Directory object or the NTFS file or folder to identify the users, groups, or actions to track.
In addition to tracking the necessary events, make sure your logs are properly configured to save all of the necessary information. Use the Event Log policies in Group Policy to configure the Security log size and retention method. To preserve all logged actions, configure logs to not overwrite events. When logs are not configured to clear automatically, you must periodically save and clear the logs to make room for additional events. Enable the Audit: Shut down system immediately if unable to log security audits security option to prevent the system from being used if the log is full (this setting is also referred to as CrashOnAuditFail). Beginning with Windows Server 2008 R2, advanced auditing capabilities were integrated with Group Policy. Advanced auditing offers 53 setting that allows you to eliminate unwanted data and specifically target data important for system management and security. Advanced auditing settings can be used in place of the nine basic auditing settings. If you use Advanced Audit Policy Configuration settings, enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
Privilege elevation
Increases the privilege level of an application from that of a standard user to that of an administrator.
Group Policy Object (GPO)
Is a collection of settings that can be applied to a group of users or computers. A number of factors determine the Group Policy settings that will actually be applied to a given object in the Active Directory domain. When working with Group Policy settings, be aware that: Through Group Policy inheritance, settings in a GPO are applied to all objects below the container where the GPO is linked. The GPO settings inherited by any object are the sum of all settings from all GPOs linked to all parent OUs and the domain itself. GPOs are applied in the following order: 1. The local Group Policy on the computer. 2. GPOs associated with a site. 3. GPOs linked to the domain. 4. GPOs linked to the organizational unit (OU). If the OU has nested OUs, the Group Policy is applied from the highest-level OU to the lowest-level OU. In other words, the Group Policy in the parent OU will run before the Group Policy in the child OU. A specific setting in a GPO can be: Undefined, meaning that the GPO has no value for that setting and does not change the current setting. Defined, meaning that the GPO identifies a value to enforce. Be aware of negatives in policies. If you disable a policy that disables a feature, the feature is enabled. Individual settings within all GPOs are combined to form the effective Group Policy setting as follows: If a setting is defined in one GPO and undefined in another, the defined setting will be enforced (regardless of the position of the GPO in the application order). If a setting is configured in two GPOs, the setting in the last applied GPO will be used. The local Group Policy is applied only when there are no GPOs linked to a domain or the OU. GPOs linked to an OU override GPOs linked to a domain when both are applied.
User Account Control (UAC)
Is a tool that generates an alert when a task or operation needs administrative privileges.
Printers
Manages shared printers, TCP/IP printers, and local printers.
6. You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. What should you do to be able to check each server's log for the events? (Choose two. Each choice is a required part of the solution.)
Link the GPO to the Member Servers OU. Enable the logging of logon events.
4. You are managing rights on a standalone server. You want to make changes to the settings of the Restore Files and Directories policy. Which of the following is the tool you must use to make changes to this policy?
Local Group Policy Editor
Logon
Logon auditing tracks logon or log off on the local system or when a network connection is made to a system. For logon auditing, an audit event is recorded in the audit log of the local system regardless of the type of user account used. For example, when a user logs on to a computer using a domain account, a logon event is recorded on the local workstation while an account logon event is recorded on the domain controller.
Environment
Manages user and system environment variables or updates the environment path.
1. You are consulting with the owner of a small network that has a Windows server functioning as a workgroup server. There are six Windows desktop computers. There is no Internet connectivity. The server contains possibly sensitive information, so the owner wants to make sure that no unauthorized access occurs. You suggest that auditing be configured so that access to sensitive files can be tracked. What can you do to make sure that the files generate audit results? (Choose three. Each correct answer is part of the required solution.)
Make sure the correct users and groups are listed in the auditing properties of the files. Make sure the Object Access auditing policy is configured for success and failure. Make sure the files to be audited are on NTFS partitions.
Secure desktop
Makes the desktop unavailable when a UAC prompt is triggered. This helps to ensure that malicious software is not able to alter the display of the UAC prompt.
Files Folders
Manages files or folders, including copying configuration files to users' profile folders and regularly cleaning up temporary folders.
Drive Maps
Manages network drive mappings without writing logon scripts.
Registry
Manages registry entries without the need to write scripts.
Scheduled Tasks
Manages scheduled tasks on targeted users and computers.
Shortcuts
Manages several types of shortcuts on multiple targeted users and computers.
The Restricted Groups policy is a powerful tool that can be used to control membership for groups that require high security. One potential use for Restricted Groups is managing the membership of local groups on domain member servers and workstations. Using the Group Policy Management console, a restricted group can be defined in two ways:
Members of this group identifies users who are to be made members of a restricted group. All users listed become members of the specified group on systems where the policy is in effect. Any user who is already a member of the group but whose username is not included in the list will be removed from group membership when the policy is applied. Any user included in the list who is not currently a member of the restricted group will automatically become a member of the group when the policy is applied. This group is a member of defines one or more groups the restricted group will become a member of when the policy is applied. You can use this option to define membership in a local group by adding a restricted group. The restricted group to be added to the local group must be a group defined in Active Directory. Using This group is a member of is the preferred method for defining membership in a restricted group. When using Restricted Groups, keep in mind: Once an administrator has designated group membership with a Restricted Groups policy, no one can add or remove members. A user can use other tools to change the group membership, but a refresh of the Group Policy settings will overwrite any changes made. The Restricted Groups policy does not change group membership in other groups. When using Restricted Groups to control membership in default local groups, carefully identify all system groups that the computer, applications, and legacy applications need to run. The implications of leaving out a critical user or group can be severe. If you link a GPO with Restricted Groups configured to a domain, the setting will be inherited by all computers in the domain, including domain controllers and Active Directory security groups. This may or may not be desirable. Be sure to analyze how you want the policy to be applied before you create it. Extensive testing is recommended before activating a GPO using Restricted Groups in a production environment.
Ini Files
Modifies and updates individual properties within a .ini file.
Object Access
Object access auditing tracks access to files, folders, or printers. You can also audit actions taken by a certificate authority, access to specific registry settings, or access to specific IIS metabase settings. For file auditing to occur, the files must be on NTFS partitions. In addition to enabling auditing in the audit policy, you must configure auditing on the specific objects you want to track.
3. You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an organizational unit object for each major department in the company, including the information systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group. To simplify employees' computing environment and prevent problems, you link a Group Policy object (GPO) to the widgets.local domain that disables the control panel for users. How can you prevent this Group Policy object from applying to members of the Domain Admins group?
On the Group Policy object's access control list, deny the apply Group Policy permission for members of the Domain Admins group.
Packaged App
Packaged app (.appx) rules apply to Windows applications that are purchased through the Windows Store and can be used on devices running Windows 8 and later workstations. All of the executable files, Windows installer files, and scripts for Windows packaged apps have the same identity (software publisher name, product name, and product version). Packaged apps can be controlled in AppLocker with just one rule using the single identity.
Use the following strategies to protect against password attacks: Educate users on how to create and remember strong passwords. Enforcing strict password restrictions might actually weaken network security if you do not educate users about proper procedures to take to protect logon credentials. If users do not understand the restrictions that have been implemented, they might try to circumvent these restrictions by writing down passwords. Take the following measures to educate users: Tell users that they should not write down passwords or share logon credentials with other users. Teach users how to construct and remember complex passwords. For example, for the password bw2Fs3d, users might create the following sentence: bob went 2 the "capital" Florist shop 3 times daily. Educate users about social engineering tactics. Instruct them not to respond to requests for passwords from administrators or other seemingly trusted personnel. Implement policies that prevent administrators from asking for sensitive information. Implement two-factor authentication.
Password policies detail the requirements for passwords for the organization. This can include the following: The same password should never be used for different systems. Accounts should be disabled or locked out after a specified amount of failed login attempts. Passwords should never contain words, slang, or acronyms. Users should be required to change their passwords within a certain time frame and use a rotation policy. A strong password policy should be enforced. Strong passwords: Contain multiple character types, uppercase letters, lowercase letters, numbers, and symbols. Are a minimum length of eight characters or more. Use no part of a username or e-mail address.
Granular Password Policy
Policies within a GPO that applies password policies for users and global groups that are separate from the password policy applied to the entire domain.
Account Lockout and Password Policies
Policies within a GPO that control passwords and user lockout properties for the entire domain.
Audit Policies
Policies within a GPO that controls the recording of system events and other system changes.
Policy Change
Policy change auditing tracks changes to user rights, trust relationships, IPsec and Kerberos policies, or audit policies.
12. You manage a single domain named widgets.com. This morning, you noticed that a trust relationship you established with another forest has changed. You reconfigured the trust, but you want to be able to identify if this change happens again in the future. You want to configure auditing to track this event. Which auditing category should you enable?
Policy change events
4. Scoping allows you to target a given GPO to specific users and/or computers. Drag the scoping method on the left to the appropriate description on the right. (Methods can be used once, more than once, or not at all.)
Prevents settings in GPOs linked to parent objects from being applied to child objects. Block Inheritance Causes computer settings to be reapplied after user login. Loopback Processing Prevents inheritance from being blocked for a specific GPO. Enforced Causes computer settings to take precedence over user settings. Loopback Processing
Privilege Use
Privilege use auditing tracks the following actions: A user exercises a user right. An administrator takes ownership of an object.
Process Tracking
Process tracking auditing records actions taken by applications. Process tracking auditing is used mainly for program debugging and tracking.
4. You have a computer running Windows. Prior to installing some software, you turn off User Account Control (UAC), reboot the computer, and install the software. You turn UAC back on, but it does not prompt you before performing sensitive actions. You want the protection of UAC, but it is not working at all. What should you do?
Reboot the machine.
Prompting for Consent
Requires a continue or cancel response.
Admin Approval Mode
Requires an explicit approval of elevation by responding to the UAC prompt.
Prompting for Credential
Requires the user to enter an administrator username and password.
9. You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers. Which GPO category would you edit to make the necessary changes?
Security Options
Local Policies/Security Options
Security options allow you to apply or disable rights for all of the users the policy applies to. Examples of Security Options policies include: Computer shut down when Security event log reaches capacity Unsigned driver installation
Rights
Security that determines what type of actions a user may perform.
Permissions
Security that governs the ability to access objects.
2. You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its security database. How can you create a policy that meets these requirements?
Select Failure for Audit account logon events.
4. You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to change a user's group membership in a computer's local database. How can you create a policy that meets these requirements?
Select Failure for Audit account management.
3. You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to manipulate files on computers that have been secured through NTFS permissions. How can you create a policy that meets these requirements?
Select Failure for Audit object access.
1. You are the network administrator for your network. Your network consists of a single Active Directory domain. Your company recently mandated the following user account criteria: User accounts must be deactivated after three unsuccessful logon attempts. User account passwords must be at least 12 characters long. User accounts must be manually reset by an administrator once they are locked out. You must make the changes to affect everyone in the domain. You are editing the Default Domain Group Policy object. What should you do? (Choose three. Each correct choice represents part of the solution.)
Set Account lockout duration to 0. Set Account lockout threshold to 3. Set Minimum password length to 12.
Starter Group Policy Objects
Starter Group Policy Objects, or Starter GPOs, allow you to store a collection of administrative template policy settings in a single object. When you create a new GPO from a starter GPO, the new GPO has all of the Administrative template policy settings and values that were defined in the starter GPO. You can easily distribute starter GPOs by exporting and then importing them to another environment.
System
System events auditing tracks system shutdown, restart, or the starting of system services. It also tracks events that affect security or the security log.
3. You manage a single domain running Windows Server. You have configured a restricted Group Policy as shown in the image. When this policy is applied, which action will occur?
The Backup Operators group will be made a member of the Desktop Admins group.
6. Group Policies can be used to set the same notification levels at the domain level that can be set for local machines using the User Account Control (UAC) tool. You need to configure the Notify me only when programs try to make changes to my computer notification level using Group Policy. Which of the following Group Policies must be set to complete this configuration?
The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries. The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.
Windows Installer
The Windows installer rule applies to installer files with .msi and .msp extensions.
When a user logs on to the system, an access token is generated for her. The access token controls the type of actions that the user can perform on the system.
The access token identifies the user account as either a standard user or an administrator. When a standard user logs on, a standard user access token is generated. When an administrator logs on, two access tokens are generated (one standard user token and one administrator token). The standard user token is used to attempt to perform all tasks for both standard users and administrators. If a standard user access token is not sufficient to perform the task, the system requests privilege elevation. The standard user is prompted to provide administrator user credentials (username and password). The administrative user is asked whether the administrative token should be used to perform the task.
Be aware of the following: The Application Identity service (AppIDSvc) must be started and running on the client for AppLocker rules to be enforced. You can set the service to start automatically using Group Policy. If both software restriction policies and AppLocker policies are configured on the same policy object, only the AppLocker settings will be applied. Microsoft recommends that you use AppLocker and not software restriction policies for Windows 7 and later. If no rules have been defined for a specific type, then all applications of that type are allowed to run. Once you define a rule, then only software allowed by that rule or the default rules is allowed. Exceptions allow you to specify a condition that is exempt from the AppLocker rules. In order for AppLocker to take effect, you must configure rule enforcement. AppLocker has a mode called soft-enforcement or auditing. Soft-enforcement mode: Uses restrictions to only monitor AppLocker events. Blocked software is still allowed to run while in soft-enforcement mode. Audits AppLocker functionality before full implementation in the environment. Verifies which applications are affected without actually blocking or hard-enforcing the applications from executing.
The enforcement mode (either Enforce rules or Audit only) applies to all rules of a specific type. You cannot selectively enforce or audit different rules within a rule type. For example, you cannot audit one executable rule and enforce another executable rule, but you can audit all executable rules and enforce all script rules. Events that are generated by auditing AppLocker are written to the AppLocker event log. Each log contains the following information: Rule name SID of the user or group File and path of the restricted or permitted application Rule type or condition used Each file within a standard desktop application can have a unique identity including software publisher name, product name, product version, etc. Each of these individual components must be controlled separately within AppLocker.
ADMX Files
The file type used to store custom Administrative Templates.
Hash
The hash condition uses the digital fingerprint, or file hash, of the application. A hash value of a file is based on the content of the file, not the name of the file. You must recreate file hashes each time the software is updated or changes versions.
3. You are the administrator for a domain named internal.widgets.com. This domain spans a single site (the Default-First-Site-Name site). You want to configure password and account lockout policies that Active Directory domain controllers will enforce. You have created a Group Policy object with the settings you want to apply. Most of the domain controllers are located in the Domain Controllers OU, although you have moved some domain controllers to a sub-OU called Secure Domain Controllers. Where should you link the Group Policy object that you created?
The internal.widgets.com domain.
Path
The path condition specifies a folder, a file, or a wildcard of files to restrict or allow execution. If you specify a folder, restrictions apply to all programs within that folder. Path conditions are the least secure of all the AppLocker conditions. Implement NTFS permissions to prevent users from copying executable files to locations outside the scope of the path condition.
Scoping
The process of targeting a GPO at specific users and/or computers.
Publisher
The publisher condition uses the digital signature of the application's publisher. The digital signature contains details about the company that created the application. The publisher condition provides the greatest flexibility for applying AppLocker restrictions. The digital signature is extracted from the application file. If the file does not have a digital signature, it cannot be used with the publisher condition. You can use the slider on the left of the publisher options to specify: Any publisher All products, files and product versions from a publisher A specific product, files name and file version for a specified publisher All versions, a specific version, previous versions, or future versions of a product Any combination of publisher, product name, file name, and file version The Use custom values option gives you additional flexibility for specifying the publisher settings.
Script
The script rule applies to .ps1, .bat, .cmd, .vbs, and .js file extensions.
Local Group Policy
The set of group policy objects for standalone and non-domain computers.
Notify me only when apps try to make changes to my computer (do not dim the desktop)
The user is prompted only when a program is trying to make changes to the computer or a program that is not included with Windows attempts to modify Windows settings. The secure desktop is not displayed.
Notify me only when apps try to make changes to my computer
The user is prompted only when programs try to make changes to the computer or Windows settings. A UAC prompt and the secure desktop is displayed for 150 seconds. The user cannot perform any other actions until they respond to the prompt, which will automatically deny the request after 150 seconds.
5. User Account Control (UAC) is a tool that generates an alert when a task or operation needs administrative privileges. You use the UAC settings in Control Panel to configure the sensitivity of UAC. Drag the UAC notification level on the left to the appropriate description of what it does on the right.
The user is prompted only when programs try to make changes to the computer or Windows settings. The secure desktop is not displayed. Notify me only when apps try to make changes to my computer (do not dim the desktop) A UAC prompt and the secure desktop are displayed for 150 seconds. The user cannot perform any other actions until they respond to the prompt. Always notify The user is prompted only when programs try to make changes to the computer or Windows settings. The secure desktop is displayed for 150 seconds. Notify me only when apps try to make changes to my computer If logged on as a standard user, all actions requiring privilege elevation are automatically denied. Never notify
For each GPO, the following options in Group Policy Management help you to manage the application of the GPO: On the Details tab, set the GPO Status to reflect how the policy is applied: Use Computer configuration settings disabled if the Group Policy applies only to users or groups. Use User configuration settings disabled if the Group Policy applies only to computers. On the Settings tab, you can view the settings that have been defined.
To determine how scoping affects the application of the GPO: Use Group Policy Modeling to launch the Group Policy Modeling wizard: You can simulate how the Group Policies will be applied: Based on a specified user or users in a container. Based on a specified computer or computers in a container. Based on a slow network connection. Based on loopback processing. Use Group Policy Results to launch the Group Policy Results wizard and determine how Group Policies are applied for a specified user and computer combination. The Details tab of the Group Policy Results wizard identifies settings as well as the Group Policy driving each setting.
Enforced
To prevent inheritance from being blocked for a specific GPO, select the Enforced (no override) option for the GPO link. You configure the enforced option on a per-GPO basis. Enforced GPOs are applied last and override other GPO settings. An enforced policy cannot be blocked or overwritten. A lock icon indicates an enforced policy.
Security Group Filtering
To use Security Group Filtering: Create a global group. Filter in one of the two ways: Filter a policy you want to apply to everyone but the global group by setting the following rights for the global group: Deny - Apply Group Policy Deny - Read Filter a policy you want applied only to the global group by modifying the properties of the GPO to allow only the global group to run the Group Policy.
5. You want to give the TPlask user the right to log on to any of the domain controllers in your domain and gain access to the desktop. This user does not belong to any of the default groups that have the Allow log on locally right by default. Which of the following steps can you take to give the Allow log on locally right to this user? (Select two. Each correct answer is a complete solution.)
Use Active Directory Users and Computers to add the TPlask user account to the Administrators group. Use Group Policy Management Editor to add the TPlask user account to the Allow log on locally policy.
3. Recently, some users in your domain have downloaded and installed an open source program that contains malware. After download, the application is installed by running a program with a .msi extension. The file is not digitally signed. You have a copy of this open source program running on your server, and it did not install any malware. The users that got the malware likely obtained the program from a website they did not know was malicious. How can you prevent users from installing this software if it has been tampered with?
Use AppLocker to create a Windows installer rule with a file hash condition.
File System
Use File System policies to configure file and folder permissions that apply to multiple computers. For example, you can limit access to specific files that appear on all client computers.
Windows Management Interface (WMI) Filtering
Use Windows Management Interface (WMI) filtering to determine the scope of a GPO dynamically based on hardware and software characteristics such as CPU, memory, disk space, registry data, drivers, network configuration, or application data. Using WMI filtering, you create a script containing a test that results in a yes or no response. WMI filtering: Applies the policy if the response is yes. Does not apply the policy if the response is no. Is restricted to only one WMI filter per GPO. Uses queries written in WMI query language (WQL). Should be applied for a well-defined purpose and limited amount of time. Evaluates the target computer every time a Group Policy refresh occurs.
Account Policies
Use account policies to control the following: Password settings Account lockout settings Kerberos settings Account policies are in effect only when configured in a GPO linked to the domain itself. They can't be applied if the GPO is linked to an OU.
Local Policies/Audit Policy
Use audit policy settings to configure auditing for events, such as log on, account management, or privilege use.
Software Restriction Policies
Use software restrictions policies to define the software permitted to run on any computer in the domain. You can apply these policies to specific users or all users. You can use software restrictions to: Identify allowed or blocked software. Allow users to run only specified files on multi-user computers. Determine who can add trusted publishers. Apply restrictions to specific users or all users.
5. You want to use Restricted Groups to manage the membership of local groups on the domain member servers that you manage. You can define a restricted group in one of two ways: Members of this group This group is a member of The This group is a member of option is the preferred method for most use cases. Which of the following explains why this is the preferred method?
Using the This group is a member of option does not remove existing members of the group if they are not part of the restricted group.
Using a Central Store
When you use Administrative Templates, the policy is stored locally, and the settings are saved to Group Policy on the domain controller. The central store allows Administrative Templates to be available to be edited by other domain administrators. Group Policies are kept in SYSVOL, a share that is created when you install Active Directory. All domain controllers in the domain have a replicated copy of SYSVOL. To create a central store: Create a folder named PolicyDefinitions in file:\\FQDN\SYSVOL\FQDN\. For example: \\Northsim.com\SYSVOL\Northsim.com\PolicyDefinitions Copy the contents of the local PolicyDefinitions folder to the PolicyDefinitions folder on SYSVOL. The path of the local PolicyDefinitions folder is typically: C:/Windows/PolicyDefinitions
Using Administrative Templates
You can use Administrative Templates to create Group Policies to manage Microsoft Office or in-house applications. File types for Administrative Templates use an XML-based file format that allows multi-language support and version control: .admx files are the Administrative Template files and require Windows Vista or later to edit. .adml files contain the language-specific Administrative Template files. .adm files are the pre-XML format used for Administrative Templates. This older format is still usable in current versions of Windows Server.
Registry
You can use registry policies to: Configure specific registry keys and values. Specify if a user can view and/or change a registry value, view sub-keys, or modify key permissions.
4. Your network has a single Active Directory forest with two domains, eastsim.private and HQ.eastsim.private. The organizational units Accounting, Marketing, and Sales represent departments of the HQ domain. Additional OUs (not pictured) exist in both the eastsim.private and HQ.eastsim.private domains. All user and computer accounts for all departments company-wide are in their respective departmental OUs. You are in the process of designing Group Policy for the network. You want to accomplish the following goals: You want to enforce strong passwords throughout the entire forest for all computers. All computers in both domains should use the same password settings. The Accounting department has a custom software application that needs to be installed on computers in that department. Computers in the marketing and sales departments need to use a custom background and prevent access to the Run command. You create the following three GPOs with the appropriate settings: Password Settings, Accounting App, and Desktop Settings. How should you link the GPOs to meet the design objectives? To answer, drag the label corresponding to the GPO to the appropriate boxes.
eastsim.private Password Settings HQ.eastsim.private Password Settings Accounting Accounting App Marketing Desktop Settings Sales Desktop Settings
Policy
is a set of configuration settings applied to objects such as users or computers. Group policies allow the administrator to apply multiple settings to multiple objects within the Active Directory domain at one time. Collections of policy settings are stored in a Group Policy object (GPO). The GPO includes registry settings, scripts, templates, and software-specific configuration values.