Scott's 15+ Quiz Q's
Under what conditions can a user who is not a member of the local Administrators group roll back a device driver?
A user who is not a member of the local Administrators group can roll back a device driver as long as the device class related to the device the driver is for is listed in the Allow Limited Users To Install Drivers For These Device Classes policy.
You want to block all applications written by a specific publisher on a computer running Windows 7 Professional. What steps should you take to accomplish this goal?
Configure a Software Restriction Policy Certificate rule.
Several custom applications written by a partner organization need to run on your organization's Windows 7 Enterprise computers. These applications are updated frequently. How can you ensure that these applications can be executed while also ensuring that other non-authorized applications are still blocked? You must minimize the amount of time spent maintaining policies.
Configure path rules either in Software Restriction Policies or AppLocker Policies
Which steps could you take to ensure that users can trust the SSL certificate used on a partner organization's intranet if that SSL certificate was issued by that organization's internal CA?
Configure the Add-On List and Deny All Add-Ons unless specifically allowed in the Add-On List Policies. This will ensure that only authorized add-ons are run with Internet Explorer.
You want to block all applications written by a specific publisher except one on computers running Windows 7 Enterprise. What steps would you take to accomplish this goal?
Create an AppLocker Executable rule that uses a publisher certificate for file identification. Create an exception for the application you want to exempt.
True or False? DLL rules cover files with the .msi and .msp extensions
False. AppLocker rules work based on file extension. You can create AppLocker rules for the following types of files: ■ Executable Rules Apply to applications that use the .exe and .com extensions. A user who is not a member of the local Administrators group still can't directly run an application that requires elevated privileges. ■ Windows Installer Rules Applies to files with the .msi and .msp extensions. Allowing a user to run an installer file doesn't mean that the user has permission to install software. ■ Script Rules Applies to files that use the .ps1, .bat, .cmd, and .js extensions. Use hash rules with scripts that are rarely modified. Use path rules with scripts that are frequently updated. ■ DLL Rules Applies to libraries that use the .dll and .ocx extensions. Not enabled by default. Enabling DLL rules will likely cause an impact on performance.
True or False? Publisher rules can be created only for specific versions of executable files.
False. By default, AppLocker rules apply to Everyone, but you can configure them to apply to specific users or security groups. AppLocker rules can identify files using the following conditions: ■ Publisher Uses the publisher's signing certificate extracted from the reference application file. It's possible to use the following rule scopes: • Any Publisher Any digitally signed file. • Publisher Any file digitally signed by a specific publisher. • Product Name A specific product digitally signed by a specific publisher. • File Name A specific file name of a specific product digitally signed by a specific publisher. • File Version Specific version (or this version and higher) of a specific file name of a specific product signed by a specific publisher. ■ Path You can specify file location, folder, or folder and subfolders. The least secure type of AppLocker rule because an attacker might be able to move unauthorized executable into folder covered by scope of path rule if NTFS permissions have been incorrectly applied. ■ File hash Cryptographic hash of file. More manageable in AppLocker than they are in Software Restriction Policies because instead of having to manually generate a hash for each file, you can automatically generate hashes for all files. It is still necessary to update hash files for applications after applying software updates.
True or False? Members of the power users local group can roll back device drivers.
False. If a newly installed driver is functioning in a problematic way, you can use Device Manager to roll the driver back to a previous, hopefully better functioning, version. By default, the account used to perform this task needs to be a member of the local Administrators group. A normal user can also perform this task if the driver is for a device class that is listed in the Allow Limited Users To Install Drivers For These Device Classes policy. The Roll Back Driver button is available only if a previous version of the current device driver was installed on the computer. If a driver is not functioning properly, and you have access to a previous version of the driver software that you believe will run properly, you can remove the current driver, ensuring that you also delete it from the driver store. Once the newer non functioning driver has been completely removed, you can install the earlier version of the driver. Removing the newer driver is necessary only if the earlier version of the driver was not installed.
True or False? InPrivate Browsing blocks users' activity being recorded by proxy servers.
False. InPrivate Browsing limits what data is stored by the browser. InPrivate Browsing does not stop proxy servers from recording a user's browsing activity. Users trigger InPrivate Browsing by clicking InPrivate on the Tools menu. When using InPrivate Browsing, the browser stores data, such as cookies provided when a user logs on to a site, during the session. When the session ends, Internet Explorer deletes that data.
True or False? You can use shims to make Windows XP device drivers compatible with Windows 7.
False. Shims function as a translation layer redirecting API calls from programs that have compatibility problems with Windows 7 to the shim. The shim code then translates those incompatible API calls into API calls understood by Windows 7. Shims run as user-mode code inside a user-mode application process. It is not possible to use shims to resolve compatibility issues with device driver or other kernelmode code such as some older anti-malware applications.
True or False? You can use pnputil.exe from a standard command prompt to stage device drivers in the driver store.
False. Staging a driver places it in the driver store, ensuring that it will automatically be installed when a compatible device is detected without requiring that a user with local administrator privileges provide permission. Staging is useful in operating system deployment scenarios to ensure that all necessary drivers are part of the image. An administrator can stage a driver in the driver store using the pnputil.exe command-line utility from an elevated command prompt. A standard user can stage a driver only if the driver is signed and the device class is listed in the Allow Non-Administrators To Install Drivers For These Device Classes policy.
True or False? Users who are members of the local Administrators group can run the Program Compatibility Assistant manually.
False. The Program Compatibility Assistant detects when you execute programs known to have compatibility issues with Windows 7. It notifies you of the problem and provides information about a fix for when you next execute the program. The Program Compatibility Assistant can resolve User Account Control (UAC) conflicts or automatically configure the program to run in one of the compatibility modes listed earlier in this chapter. The Program Compatibility Assistant runs automatically when it detects the execution of an application for which it has compatibility problem-resolution information. The Program Compatibility Assistant cannot be run manually.
True or False? You must remove a driver from the driver store before you attempt to uninstall a device.
False. To uninstall a device, a user needs to be a member of the local Administrators group or the device setup class, and the driver must be listed in the Allow Non-Administrators To Install Drivers For These Device Classes policy. To uninstall a device using Device Manager, perform the following steps: 1. Right-click the device that you want to remove in Device Manager and then click Uninstall. You can also view the device's properties and click Uninstall on the Drivers tab of the device properties. 2. On the Confirm Device Removal page, you can choose the Delete The Driver Software For This Device option if you want to remove the device driver package from the driver store. 3. Once the process is complete, remove the device from the computer
True or False? A user who is a member of the power users local group on a computer running Windows 7 can manually update the device driver for any device.
False. Updating or changing a device driver requires that the user attempting the task be a member of the local Administrators group if the driver is not already in the drivers store. A standard user can install a driver under the following conditions: ■ The driver package is signed using a certificate present in the Trusted Publishers certificate store. ■ The device setup class for the driver is listed in the Allow Limited Users To Install Drivers For These Device Classes policy.
True or False? You can use Compatibility View to emulate the characteristics of third-party browsers.
False. With Compatibility View, Internet Explorer can emulate the way that previous versions of Internet Explorer displayed webpages. Compatibility View does not emulate the characteristics of third-party browsers. When upgrading to Windows 7, you need to ensure that web applications used by people in your organization are compatible with either Internet Explorer 8, which shipped with the operating system, or the current version of Internet Explorer. In some cases, you'll either have to use Compatibility View to display the web application if it doesn't work in more modern versions of Internet Explorer or use a solution such as Windows XP mode, so that the application can be accessed by the browser running on the virtual machine. You'll learn more about managing Compatibility View later in this chapter.
True or False? Adding a site to the Restricted Sites zone means that users can't use Internet Explorer.
False. With zones, you can configure different security settings based on a website's address. These security settings determine how Internet Explorer responds to content, such as ActiveX controls and scripts. The zones available in Internet Explorer on computers running Windows 7 are as follows: ■ Internet Applies to all websites by default. Default setting is Medium High. Not used for websites that are explicitly added to the Local Intranet, Trusted Sites, or Restricted Sites zones. ■ Local Intranet Default setting attempts to detect intranet sites based on site address and name. You can configure this site to automatically include local sites not listed in other zones, all sites that bypass the proxy server, and sites accessed by UNC address. The default setting is Medium. ■ Trusted Sites A special setting for sites that you explicitly trust not to damage your computer. The default setting is Medium. ■ Restricted Sites Does not block users from using the site, but does block the site from running scripted or active content. The default setting is High and cannot be changed. You can configure all sites that use a specific zone to use Protected Mode. Protected Mode forces Internet Explorer to run as a low-integrity process that restricts the application from interacting with processes running at higher integrity levels. Protected Mode is enabled by default for the Internet and Restricted Sites zones.
True or False? You can use AppLocker Policies to block the execution of applications on computers running Windows 7 Professional
False. You can use AppLocker Policies only with computers running Windows Enterprise and Ultimate. You can apply AppLocker Policies to user or group accounts. AppLocker Policies can apply to the current and future versions of an application without needing maintenance.
Which tool can you use to automatically check websites on the intranet to determine whether they might have compatibility issues with Internet Explorer?
The Internet Explorer Compatibility Test Tool.
Which tool can you use to stress-test a driver to determine whether it functions problematically in low-resource scenarios?
The Internet Explorer Compatibility Test Tool.
True or False? Accelerators are used with the text on a webpage
True. Accelerators are a special kind of add-on that enable you to select text on a webpage and then perform a function based on that text, such as performing a translation to another language or querying a mapping website for a street address. Accelerators categories include these: ■ Email You can forward selected text into an email message. ■ Map You can use a mapping service to display a location based on a highlighted address. ■ Translate You can forward text to a translation service. Accelerator Group Policy items are located in the \Windows Components\Internet Explorer\Accelerators node. You can configure the following accelerator-related policies: ■ Deploy Non-Default Accelerators You can deploy accelerators. Users cannot remove accelerators deployed through this policy. ■ Deploy Default Accelerators You can specify default accelerators. Although users can deploy additional accelerators, they can't modify the default accelerators. ■ Turn Off Accelerators Disables all accelerators. ■ Use Policy Accelerators Limits accelerator use to those specified by Group Policy.
True or False? You can block users from installing all unauthorized add-ons.
True. Add-ons enhance Internet Explorer's functionality, often through providing extra toolbars. ActiveX controls are referred to as plug-ins. You can manage add-ons by using the Manage Add-Ons dialog box and selecting the Toolbars And Extensions Add-On Type. Search Providers, Accelerators, and Tracking Protection are also types of add-ons. You can configure add-ons through the following policies, located in the \Windows Components\Internet Explorer node:
True or False? You can use Device Manager to determine which devices are in conflict with one another.
True. Although rare, it is possible that two different devices or device drivers, when installed on the same computer running Windows 7, might conflict rendering both devices nonfunctional. You can pursue the following strategies in an attempt to resolve this conflict: ■ Use Device Manager to determine which two devices are in conflict with each other. Disable each device in turn to verify that you have correctly identified which devices are conflicting. ■ Attempt to update the device driver software for each device. Updated drivers might resolve the conflict issue. ■ If possible, determine whether the problem is caused by a resource conflict. It might be possible to manually reconfigure one of the devices so that the conflict no longer occurs. ■ If you cannot resolve the conflict, you might need to replace one of the conflicting devices with one that is more compatible with your configuration.
True or False? You can configure AppLocker and Software Restriction Policies through the Local Security Policy editor.
True. AppLocker Policies are located in the Computer Configuration\ Windows Settings\Security Settings\Application Control Policies node of a GPO. Software Restriction Policies are located in the Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies node of a GPO. You can configure both AppLocker and Software Restriction Policies through Group Policy applied when a computer is a member of an Active Directory Directory Services domain, through local Group Policy, or through Local Security Policy.
You can configure AppLocker rules to use Audit mode.
True. AppLocker rules can be configured either for Enforcement or Auditing. Auditing means that users can still execute applications blocked by the rule, but an event will be written in the AppLocker Event Log, located in the Applications and Service Logs\Microsoft\Windows node of Event Viewer
True or False? There is a Windows Me compatibility mode.
True. Compatibility modes partially replicate the operating system environment of previous versions of Windows. You can configure a program to run using a compatibility mode by editing the settings on the Compatibility tab of the program's properties dialog box. Although some aspects of the operating system environment are reproduced, a program that functioned on a computer running Windows XP (SP 2) might not fully function when the Windows XP (SP 2) compatibility mode is selected, and you might have to take other steps to get it to function. Windows 7 SP 1 supports the following compatibility modes: ■ Windows 95 ■ Windows 98/Me ■ Windows NT 4.0 (SP 5)48 Chapter 3 Configuring Hardware and Applications ■ Windows 2000 ■ Windows XP (SP 2) ■ Windows XP (SP 3) ■ Windows Server 2003 (SP 1) ■ Windows Server 2008 (SP 1) ■ Windows Vista ■ Windows Vista (SP 1) ■ Windows Vista (SP 2) ■ Windows 7 Additional compatibility options that you can configure include the following: ■ Run In 256 Colors Use this option with applications that can run only with a limited color palette. ■ Run In 640 x 480 Screen Resolution Use this option with applications that cannot display in resolutions above 640 x 480. ■ Disable Visual Themes Helps with applications that have display problems with visual themes. ■ Disable Desktop Composition Disables certain features of the Aero user interface while the application is running. ■ Disable Display Scaling On High DPI Settings Disables automatic resizing of applications if large-scale fonts cause problems with the application appearance.
True or False? You can use a default rule to block all applications except those allowed by explicit Software Restriction Policies.
True. Default rules apply when no other Software Restriction Policy matches an application. Only one default rule can be enforced using Software Restriction Policies. There are three default rules: ■ Disallowed Users cannot execute an application that isn't specifically allowed by another Software Restriction Policy. ■ Basic User Users can execute any applications that do not require administrative rights. Users can execute applications that require administrative rights as long as there is a specific Software Restriction Policy that allows the application. ■ Unrestricted Users can execute any application not explicitly blocked by an existing Software Restriction Policy.
True or False? You can configure which hardware resources are used by some devices using Device Manager.
True. Each system resource that a device uses must be unique to that device. Plug and Play (PnP) devices manage this process automatically. It is also possible to perform this task manually using Device Manager. Resources used by devices include the following: ■ Interrupt request (IRQ) line numbers ■ Direct Memory Access (DMA) channels ■ Input/output (I/O) port addresses ■ Memory address ranges Configuring Hardware and Windows can't automatically configure the resource settings for a non-PnP device. You might need to use a special setup utility to configure resource allocation for these devices. To configure the resources for a device, alter the settings on the Resource tab of the Device's properties in Device Manager.
True or False? A path rule that blocks overrides a file hash rule that allows.
True. Explicitly defined Block rules always override Allow rules. This applies to publisher rules, path rules, or file hash rules. A path rule that blocks will override a publisher rule that allows. The exception to this is the AppLocker default Block rule. The default Block rule does not override explicitly defined Allow rules. You can use Block rules to block the execution of applications allowed through the Default rules.
True or False? InPrivate Filtering/Tracking Protection allows you to block third parties from tracking browsing activity across multiple sites.
True. InPrivate Filtering restricts how information can be tracked by external third parties. It does this by analyzing web content. If the same content is detected across a configurable number of websites, you will be given a prompt asking you whether you want to allow or to block that content. You can also configure InPrivate Filtering to automatically block any content provider or third-party website without requiring a prompt. InPrivate Filtering was replaced by Tracking Protection with the release of Internet Explorer 9
True or False? You can remove a device driver from the driver store using the pnputil.exe command-line utility.
True. Removing a staged device driver package from the driver store will not uninstall any currently operational devices that use those drivers. When you remove a package, only the driver package is deleted. If a new device that uses this driver is connected to the computer, Windows needs to locate the driver files because they will no longer be located in the driver store. To remove a driver from the driver store, perform the following steps: 1. Open an elevated command prompt and run the pnpuntil.exe -e command. 2. Determine the name of the driver. It will be in the format OEM#.inf, where # is a unique number. 3. To remove the driver from the driver store, type the command pnputil.exe -d OEM#.inf, where OEM#.inf is the name of the device driver that you want to remove. If the computer reports that the driver package is in use, you can uninstall the device or force removal of the package by using the -f option with the pnputil.exe command.
True or False? You can use Software Restriction Policies to block the execution of applications on computers running Windows 7 Professional.
True. Software Restriction Policies allow you to block the execution of applications on computers running Windows 7, Windows Vista, and Windows XP. Software Restriction Policies are the predecessors to AppLocker Policies. Besides working with previous versions of Windows, you can use Software Restriction Policies to control the execution of applications on editions of Windows 7 that don't support AppLocker. Software Restriction Policies use the following settings: ■ Unrestricted The application can be executed. ■ Disallowed The application is blocked from executing.
True or False? Certificate rules override path rules.
True. Software Restriction Policies are applied in a specific order, with more explicit rules overriding general rules. The order, with specific hash rules overriding all other rule types, is as follows: 1. Hash rules (Unique Identifiers) 2. Certificate rules ( Controls App usage by publisher) 3. Path rules ( Controls App based on files/folders) 4. Network Zone rules (Controls App based on download location - Internet Explorer) 5. Default rules ( Allowing access to default windows files & program files. When two rules conflict for the same program, the more specific rule takes precedence. For example, a certificate rule that sets a particular application to Unrestricted will override a path rule that sets a particular application to Disallowed. With AppLocker rules, covered later in this chapter, any block rule overrides allow rules.
True or False? You can configure new executable file types through policy.
True. The Designated File Types Policy specifies which file extensions are treated as executable and which are therefore subject to Software Restriction Policies. You can modify the list of designated file types to include or exempt some executable file types, although some, such as .com, .exe, and .vbs, cannot be modified.
True or False? You can use the IECTT to automate the testing of internal websites to determine whether they are compatible with Internet Explorer.
True. The IECTT is a tool that you can run to view web-based compatibility issues in real time. With the IECTT, you can automate the process of testing the compatibility of existing web applications to see how well they would work with Internet Explorer on Windows 7.
True or False? Certificate rules cover all applications digitally signed by the same vendor.
True. The difference between the Software Restriction Policy rules is as follows: ■ Hash Rules Hash rules use a cryptographic hash to identify a file. The file is identifiable even if it changes name and location. Applying a software update to a file means that the cryptographic hash needs to be recalculated. ■ Certificate Rules Identify files based on software publisher's certificate. Multiple applications from a single publisher can be covered by a single rule. Certificate rules still apply even when you apply software updates to files because these updates will be from the vendor, and the updated file will still be signed by the same publisher. Certificate rules can't be used to differentiate between different applications supplied by the same vendor. A certificate rule will allow all applications published by a vendor. ■ Path Rules You can specify a file, folder, or registry key as the target of a Software Restriction Policy. You can use wildcards with path rules. Path rules are specific, so if someone moves an executable to another location, the path rule no longer applies to that executable. ■ Network Zone Rule This rule applies to Windows Installer Packages (.msi files) obtained from Internet locations. Allows or blocks installation based on Internet zones location. ■ Default rules ( Allowing access to default windows files & program files. When two rules conflict for the same program, the more specific rule takes precedence.
True or False? You can use msinfo32.exe to view resource conflicts on a computer running Windows 7.
True. The msinfo32.exe utility can be used to view the memory, I/O, and IRQ resources assigned to every device connected to the computer. The Hardware Resources\Conflicts/Sharing node will display where resources are being shared and where they are in conflict.
True or False? You can deploy a custom shim database as a part of operating system deployment.
True. Windows 7 uses a shim database when attempting to load applications. A shim database is already included with Windows 7. This database contains shims for many popular applications, and this database is updated through Windows Update. If your organization has unique incompatible applications that would not be present in the Microsoft shim database, you can deploy a custom shim database to the Windows 7 client that will host shims that allow your organization's unique incompatible applications to run. You can create and manage custom shims 50 Chapter 3 Configuring Hardware and Applications and custom shim databases using the Compatibility Administrator, which is a part of the Application Compatibility Toolkit.
True or False? Applications installed in Windows XP mode can be launched from the Windows 7 Start menu.
True. Windows XP mode runs a virtualized copy of Windows XP (SP 3) on a computer running Windows 7 Professional, Enterprise, or Ultimate. From the user's perspective, Windows XP can be opened as a separate window that functions as a full version of Windows XP. Users can interact with the virtual operating system in the same manner as they interact with the host operating system. If you install a program in the Windows XP mode operating system, the program will be installed in the virtual operating system and will also be available directly from the Start menu on Windows 7. If organizations can't get compatibility modes to work or can't use the Application Compatibility Toolkit to make incompatible programs function, Windows XP mode is likely to work as a last resort. Windows XP mode is a last resort because the virtual Windows XP operating system still needs to be managed and updated, and deploying Windows XP mode increases the number of operating system instances that the IT department needs to manage
True or False? With Compatibility View, users can view pages designed for previous versions of Internet Explorer.
True. With Compatibility View, Internet Explorer can properly display sites designed for previous versions of Internet Explorer, such as Internet Explorer 6. Users can switch to Compatibility View by clicking the broken page item in the address bar. You can view a list of sites for which you have enabled Compatibility View in the Compatibility View Settings dialog box. You can manually add and remove sites from this list. You can use this dialog box to choose to enable some or all of the following: ■ Include a list of updated websites from Microsoft. ■ Display all intranet websites in Compatibility View. This is a default option. ■ Display all websites in Compatibility View.
True or False? You can configure Software Restriction Policies so that they are enforced for all users except local administrators.
True. With the Enforcement Properties Policy, you can configure the following settings: ■ Whether Software Restriction Policies apply to all software files except DLLs or to all files including DLLs ■ Whether Software Restriction Policies apply to all users or to all users except those who have accounts that are members of the local Administrators group ■ Whether certificate rules are enforced or ignored
You can configure a list of websites that should use Compatibility View for all computers running Windows 7 through Group Policy.
True. You can configure the policies in the \Administrative Templates\Windows Components\Internet Explorer\Compatibility View node. ■ Turn on Internet Explorer 7 Standards Mode Even though the policy mentions Internet Explorer 7, it also works with subsequent versions. It forces all sites to be displayed in Compatibility View. ■ Turn Off Compatibility View Disables Compatibility View. ■ Turn Off Compatibility View Button Disables the Compatibility View button.58 Chapter 3 Configuring Hardware and Applications ■ Include Updated Web Sites Lists From Microsoft Uses updated lists of sites from Microsoft. ■ Use Policy List Of Internet Explorer 7 Sites A set of sites automatically added to the list of sites used with Compatibility View. Users can add extra sites, but not remove any of the sites specified by this policy. Works with later versions of Internet Explorer.
True or False? Default rules are path rules.
True. You can create AppLocker default rules automatically. Default rules are necessary because when you enable AppLocker, the built-in rule of last resort blocks the execution of any application, installer, or script that is not the subject of an existing Allow rule. You create default rules by right-clicking the Executable Rules,
True or False? You can install digitally signed drivers only on computers running x64 versions of Windows 7.
True. You can install only device drivers that are signed by a trusted certification authority (CA) on computers running 64-bit versions of Windows 7. An organization that wants to digitally sign driver packages needs to use the MakeCert, Signability, and SignTool tools in the Windows Driver Kit (WDK). An organization can use these tools to sign unsigned drivers or replace the digital signatures of other publishers with their own digital signature. When using drivers that are signed by an organizational CA, it is necessary to ensure that the organization's CA is trusted by the computer running Windows 7. An exception to this is kernel-mode drivers. Kernel-mode drivers for 64-bit versions of Windows 7 must be signed by a CA that has an approved CA in its trust chain; they cannot be signed by organizational CAs.
True or False? You can configure an authorized list of search providers using Group Policy.
True. You can specify how you search for information on the Internet using the Internet Explorer 9 address bar. In Internet Explorer 9, users type a query directly into the address bar instead of into a specific search box, as was the case in previous versions. You can configure a list of providers using the following policy, located in the \Windows Components\Internet Explorer Group Policy node: ■ Add A Specific List Of Search Providers To The User's Search Provider List You can add specific providers to the list, and users can add and remove providers as long as the provider is on the list.
You can use Driver Verifier to stress-test drivers to determine if they become faulty when subject to resource pressure.
True. You can use Driver Verifier to troubleshoot driver issues. You can use Driver Verifier to stress-test a system to determine whether a driver exhibits faulty behavior in situations such as when a system has low resources. Driver Verifier is included with Windows 7 and you launch it using the verifier.exe command.
True or False? You can configure Internet Explorer to check to see whether the signing certificate of the CA that issued the SSL certificate is valid.
True. You can view a list of Trusted Root Certification Authorities, Trusted Publishers, and Untrusted Publishers by clicking the Publishers button on the Content tab of Internet Options. You can configure Internet Explorer to trust a new Root CA by importing the CA certificate using this dialog box. You import code-signing certificates into the Trusted Publishers store when you want to trust digitally signed drivers or software from a specific vendor. Advanced Security Options related to certificates include the following: ■ Check For Publisher's Certificate Revocation Determines whether the publishing server's signing certificate is valid. Enabled by default. ■ Check For Server Certificate Revocation Determines whether the validity of SSL certificate on the web server is checked. Enabled by default. ■ Check For Signatures On Downloaded Programs Determines whether downloaded programs are digitally signed. Enabled by default. ■ Use SSL 2.0 Not enabled by default. Enable only if infrastructure does not support SSL 3.0 because there are security risks in using SSL 2.0. ■ Use SSL 3.0 Enabled by default. It is a more secure version of SSL than 2.0. ■ Use TLS 1.0 Enabled by default. ■ Use TLS 1.1 A more secure version of TLS 1.0; defined in 2006. Includes protection against cipher block chaining attacks. Not enabled by default. ■ Use TLS 1.2 A more secure version of TLS 1.1; defined in 2008. Not enabled by default. ■ Warn About Certificate Address Mismatch Performs a check to see whether website certificate matches website address. Enabled by default.
True or False? You can use a file hash to specify an exception to a path-based executable rule.
True. You use exceptions to allow specific applications to be exempt from more general rules. You can use a different way of identifying rules when creating an exception. For example, you could use a path-based exception to a publisher based rule. You can create exceptions for Block and Allow rules.
Which tools can you use to view resource conflicts?
Windows 7 Professional, Enterprise, and Ultimate support Windows XP mode
Which editions of Windows 7 support Windows XP mode?
Windows 7 Professional, Enterprise, and Ultimate support Windows XP mode.
Which tools can you use to configure AppLocker rules on stand-alone Windows 7 Enterprise computers functioning as kiosks?
You can use the either the Local Group Policy Editor or the Local Security Editor to configure AppLocker Rules on stand-alone Windows 7 Enterprise computers functioning as kiosks.
You configure Tracking Protection to block a specific third-party organization from tracking browsing activity across multiple sites for users of Internet Explorer 9.
You configure Tracking Protection to block a specific third-party organization from tracking browsing activity across multiple sites for users of Internet Explorer 9.
You have just installed a new device on a computer running Windows 7. You download and install version 2.2 of the device driver on the computer, but find that the device behaves erratically. After checking technical support forums, you discover that you can solve the problem by using version 2.1 of Configuring Hardware and Applications Chapter 3 47 the device driver, which you can also download from the vendor's website. What steps should you take to ensure that version 2.1 of this device driver is used instead of version 2.2?
You could use Windows XP mode, or you could create and deploy a shim for the application. Either solution would resolve the problem.
You have one application that runs fine on Windows XP with SP 3, but cannot be run on Windows 7 using a compatibility mode. This application is used by three people. What solutions could you use to ensure that these applications can run on the computers of these three users?
You could use Windows XP mode, or you could create and deploy a shim for the application. Either solution would resolve the problem.
In which zone should you place sites if you want to minimize the chance of users being harmed by rogue scripts or ActiveX controls?
You place sites in the Restricted Sites zone if you want to block ActiveX controls and scripts from running on untrusted websites.
You have three custom applications that are incompatible with Windows 7. You need to ensure that these applications can run but want to minimize the number of operating systems to which you need to apply software updates every month. Which solution should you implement to meet your goals?
You should use shims because using Windows XP mode would require an increase in the number of operating systems to which you need to apply software updates every month.
