Designing Strategies for Security Management
Terms you’ll need to understand:
✓ Remote desktop administration
✓ Telnet
✓ Emergency Management Services
✓ Software Update Services (SUS)
✓ Systems Management Server (SMS)
✓ Disaster recovery plan (DRP)
Techniques you’ll need to master:
✓ Designing security for network management
✓ Designing a security update infrastructure
Your network has enough enemies, including viruses, well-intentioned users, and not so well-intentioned attackers. You must ensure that you don’t become your own worst enemy! You need to understand the risks associated with managing your network and mitigate those risks with whatever tools you have available. In addition, you need to keep your network up to date with the latest security patches. This process needs to be as automatic as possible in your situation.
In this chapter, we discuss the tools that you can use to manage the risk of managing the network. These include simple tools such as the Run as command as well as more complex tools used to monitor and manage servers and services. We also discuss the new tools in Windows Server 2003 that aid you in assessing the current patch level of computers in your network and in keeping computers up to date with security patches from the Microsoft Web site.
Designing Security for Network Management
You need to understand the power of the Administrator account as well as other accounts that provide rights on the network. In the right hands, these are tools you use to manage a network. In the wrong hands, they are weapons that attackers can use against you. As you manage your network, take care that these accounts do not fall into the wrong hands. In addition, you need to understand the tools and services available to enhance and monitor the security of your network. Designing security for network management includes the following components:
➤ Managing the risk of managing networks
➤ Designing the administration of servers
➤ Designing security for Emergency Management Services
Managing the Risk of Managing Networks
Windows Server 2003 controls access to Active Directory and the ability to manage it using security groups. Some groups are designed to give a person rights to manage an aspect of the network, solely because they are associated with that group. These groups include Administrators, Server Operators, Account Operators, Backup Operators, and many others. Administrators who are members of these groups must understand the power that the group membership gives them and use it wisely.
We now discuss the tools that Windows Server 2003 provides to assist an administrator in the safe management of the network. These tools include the following:
➤ The Run as command
➤ Restricted groups
➤ Security auditing
The Run as Command
Even if you are an administrator, you need to log on every morning with the same type of user account that everyone else uses. You don’t need an administrative account to check your email and browse the Web. You should only use an administrative account if you are doing something on the network that requires the use of an administrative account. This practice protects the network because the less you use an administrative logon, the less chance there is for a Trojan horse virus or some type of worm to pick it up and send it to an attacker. Also, if you walk away from a computer that you are logged on to with an administrative account, another person could use the computer and “play Administrator” for a while!
Although your users should only have one account, you and your other administrators need to have at least two accounts. You should use a normal user account until it is necessary to use the administrative account and, at that time, you can use the Run as command to perform a secondary logon.
You can use the Run as command either through the GUI or at the command line. To use the Run as command with a GUI tool, simply right-click the tool, click Run as, and then log on with the account that you want to use to run that tool. You might need to hold down the Shift key while you right-click, depending on the tool that you choose. Figure 3.1 shows the Run as command on the Start menu. Figure 3.2 shows the secondary logon screen for the Run as command. When the tool is closed, the system reverts back to the
Figure 3.1 You can right-click the tool to use the Run as command.
Figure 3.2 The Run as command provides a secondary logon for that tool only.
To use the Run as command from a command prompt, type the following syntax:
Runas /user:domain\account name "mmc %windir%\system32\tool.msc"
where domain is the name of your domain, account name is the name of the account with which you want to run the tool, and tool is the name of the tool that you want to run.
For example, Runas /user:bfe.vtc.com\administrator "mmc %windir%\system32\dsa.msc" will run Active Directory Users and Computers in the bfe.com domain under the account name of Administrator.
After you enter this syntax correctly, you are asked for the password of the account with which you want to run the program. Figure 3.3 shows the command line with the entered command and the system’s response. After you enter the correct password, the system opens the tool. When the tool is closed, the system reverts back to your primary logon account.
Figure 3.3 You can use the Run as command from a command-line interface.
You can check the %windir%\system32 folder on your servers for files with .msc extensions. All files with .msc extensions can be used with the Run as menu option. You can even create shortcuts on the desktop or in your administrative tools using the same command.
We are only using the default name “Administrator” for the administrative account for this training example. You should always change the default names of administrative accounts.
Restricted Groups
Membership in a security group can give someone permissions and rights that she would not have if she was not in that security group, especially if that group is a member of another group that has more rights. This is the way the system is supposed to work. But, what if someone is a member of a group that gives her administrative access and you are not aware that she is a member? In this case, your own system is working against you.
You might be thinking, “But I can just check all of the groups and make certain that I know who the members are.” Well, that’s true, but there might be more groups to keep track of than you think. You have to consider that every workstation and member server has its own local groups as well! Wouldn’t it be nice to just lock those groups down with some type of template? Well, now you can!
Restricted Groups is a computer security policy that should be used primarily with workstations and member servers. In other words, it is rarely used on domain controllers. It allows you to define who can be a member in a particular security group on a computer and what other groups that group can be a member of as well. After you define who can be a member of that group, anybody else who currently is a member is removed from membership as soon as the security policy is refreshed. This way, it’s impossible for you to miss anybody. You can also copy the template that you create and use it on subsequent workstations and member servers.
You can create the template and apply the settings for Restricted Groups on a member server running Windows 2000 Server or Windows Server 2003 in two ways. You can either create the template in the local security settings for each of the computers that you choose or you can create a Group Policy and roll it out to all of the computers in an organizational unit (OU) or hierarchy of OUs. For Windows 2000 Professional and Windows XP Professional clients, you can use Group Policy to enforce Restricted Groups.
As we mentioned previously, you should refrain from using Restricted Groups at the domain level; however, it is possible to use this tool to provide a “reality check” if you suspect that someone has obtained fraudulent access to administrative rights through membership in a security group.
To configure Restricted Groups on one member server, perform the following steps:
1. Open the Local Security Policy through Administrative Tools.
2. Expand the Security Settings option.
3. Right-click Restricted Groups.
4. Click Add Group.
5. Type the name of the group that you need to manage.
6. Add the members that you want to be in the group and the groups of which that group can be a member.
7. Click OK or Apply.
When you click OK or Apply, only the members that you have designated are still members of the groups for which you have set Restricted Groups. Any other members are removed from group membership. This takes effect the next time they log on to the server locally.
To configure Restricted Groups with Group Policy, perform the following steps:
1. Open the Group Policy Management Console and Group Policy Object Editor tools to create and configure a new Group Policy or edit an existing one.
2. Expand Computer Configuration.
3. Right-click Restricted Groups.
4. Click Add Group.
5. Type the name of the group that you need to manage.
6. Add the members that you want to be in the group and the groups of which that group can be a member.
7. Click OK or Apply.
When the Group Policy is linked to a container, the Restricted Groups settings become effective for all computers in that container. You can force the policy to apply as soon as you link it, using the gpupdate command, or you can simply wait until the policy is refreshed automatically by the system.
When a Group Policy is linked to a container, you must ensure that no other policies that could change the results of the Group Policy are linked to the same container. Remember, the last one to “flip those switches” wins!
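The hidden-membership problem that Restricted Groups addresses, as an added example that is not part of the original chapter: the Python script below resolves who effectively holds Administrators rights on one member server through nested groups, then previews which direct members a Restricted Groups definition would remove at the next policy refresh. Every group, account, and computer name is constructed sample data, and the function names are hypothetical.

```python
"""Added example: effective membership audit and Restricted Groups preview.

All account, group, and computer names below are constructed sample data.
"""

# Constructed membership for one member server: group -> direct members.
# A member that is itself a key in this mapping is a nested group.
MEMBERSHIP = {
    r"BUILTIN\Administrators": [r"BFE\Domain Admins", r"SRV01\Helpdesk",
                                r"SRV01\adm-lee"],
    r"BFE\Domain Admins": [r"BFE\adm-kim"],
    r"SRV01\Helpdesk": [r"BFE\jsmith", r"BFE\Contractors"],
    r"BFE\Contractors": [r"BFE\tmp-vendor", r"SRV01\Helpdesk"],  # cycle on purpose
}

# What the Restricted Groups entry would list as members of the group.
RESTRICTED_MEMBERS = {
    r"BUILTIN\Administrators": [r"BFE\Domain Admins", r"SRV01\adm-lee"],
}


def norm(name):
    """Windows account names are case-insensitive, so compare them folded."""
    return name.strip().casefold()


def effective_members(group, membership):
    """Return {account: path} for every non-group account reachable from group.

    path is the chain of groups that grants the membership, so a reviewer
    can see how an account obtained the right. Membership cycles are tolerated.
    """
    index = {norm(g): members for g, members in membership.items()}
    found, seen = {}, set()
    stack = [(group, [group])]
    while stack:
        current, path = stack.pop()
        key = norm(current)
        if key in seen:
            continue
        seen.add(key)
        for member in index.get(key, []):
            if norm(member) in index:        # nested group: keep walking
                stack.append((member, path + [member]))
            else:                            # leaf account
                found.setdefault(member, path)
    return found


def restricted_groups_preview(group, membership, restricted):
    """Direct members that a policy refresh would remove, and those it adds."""
    current = {norm(m): m for m in membership.get(group, [])}
    allowed = {norm(m): m for m in restricted.get(group, [])}
    removed = sorted(current[k] for k in current.keys() - allowed.keys())
    added = sorted(allowed[k] for k in allowed.keys() - current.keys())
    return removed, added


def audit(group, membership, restricted, approved_admins):
    """Combine both views into one report dictionary."""
    approved = {norm(a) for a in approved_admins}
    effective = effective_members(group, membership)
    unexpected = {u: p for u, p in effective.items() if norm(u) not in approved}
    removed, added = restricted_groups_preview(group, membership, restricted)
    # Re-run the walk against the membership as it will look after the refresh.
    after = dict(membership)
    after[group] = restricted.get(group, membership.get(group, []))
    remaining = effective_members(group, after)
    return {
        "unexpected": unexpected,
        "removed": removed,
        "added": added,
        "still_unexpected": sorted(u for u in remaining if norm(u) not in approved),
    }


if __name__ == "__main__":
    report = audit(r"BUILTIN\Administrators", MEMBERSHIP, RESTRICTED_MEMBERS,
                   approved_admins=[r"bfe\adm-kim", r"SRV01\adm-lee"])
    for user, path in sorted(report["unexpected"].items()):
        print("unexpected admin:", user, "via", " -> ".join(path))
    print("removed at next refresh:", report["removed"])
    print("still unexpected afterwards:", report["still_unexpected"])
```

The preview only changes the direct members of the restricted group; accounts that reach it through a group left on the allowed list still need their own review.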
Security Auditing
A wise person once said “You don’t get what you expect, you get what you inspect.” You need to have a system in place that aids you in monitoring the security of your network. This includes an audit policy that determines what is to be audited and a person or persons responsible for regularly checking the security log to look for anything that doesn’t seem to fit.
Windows Server 2003 provides the tools for auditing logons, resource access, account management, and more. Your audit policy determines what is written to the security log. The security log can then be read, archived, and printed with Event Viewer. Figure 3.4 shows the settings for Audit Policy in the Microsoft Management Console (MMC) named Default Domain Security Settings. Table 3.1 defines each of the settings that you could use in your audit policy. You can audit each of these settings for success, failure, or success and failure. Figure 3.5 shows an example of a security log in Event Viewer.
Figure 3.4 The settings in your audit policy determine what is written to the security log.
Table 3.1 Audit Policy Settings
Policy | Definition
Audit Account Logon Events | Is set on a domain controller. Audits domain controller’s authentication of a logon from another computer.
Audit Account Management | Audits activity that is generally associated with administrators, such as creating or renaming users or groups, or changing passwords.
Audit Directory Service Access | Audits objects in Active Directory that have their system access control list (SACL) set for auditing.
Audit Logon Events | Audits the local logon to a computer regardless of the role of the computer.
Audit Object Access | Audits the access of resource objects, such as a file, folder, printer, Registry key, and so on that have the system access control list (SACL) set for auditing.
Audit Policy Change | Audits changes to user rights assignment policies, audit policies, or trust policies.
Audit Privilege Use | Audits each instance of a user exercising a user right.
Audit Process Tracking | Audits events usually associated with applications, rather than users, such as program activation and handle duplication.
Audit System Events | Audits a user’s restarting or shutting down of the system or any event that affects system security or the security log.
Figure 3.5 You can view the results of a security audit in Event Viewer.
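One way to carry out the regular security log review described above, as an added example that is not part of the original chapter: the Python script below triages an exported Security log and tags each finding with the Table 3.1 audit setting that has to be enabled for the event to be recorded at all. The pipe-separated export layout and every sample line are constructed; the event IDs are the Windows 2000 and Windows Server 2003 Security log numbers.

```python
"""Added example: triage of a Security log export (all data constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event ID -> (audit policy setting that records it, meaning).
# IDs are the Windows 2000 / Server 2003 Security log numbers.
EVENTS = {
    517: ("Audit System Events", "security log cleared"),
    529: ("Audit Logon Events", "logon failure, bad user name or password"),
    612: ("Audit Policy Change", "audit policy changed"),
    632: ("Audit Account Management", "member added to global group"),
    636: ("Audit Account Management", "member added to local group"),
    660: ("Audit Account Management", "member added to universal group"),
}
GROUP_ADDS = (632, 636, 660)
WATCHED_GROUPS = {"administrators", "domain admins", "enterprise admins",
                  "server operators", "account operators", "backup operators"}

# Constructed export, one event per line:
# time|type|event id|user|computer|key=value;key=value
SAMPLE_LOG = r"""
2004-03-01 08:01:12|Failure Audit|529|SYSTEM|SRV01|target=adm-kim;source=WS042
2004-03-01 08:01:40|Failure Audit|529|SYSTEM|SRV01|target=adm-kim;source=WS042
2004-03-01 08:02:05|Failure Audit|529|SYSTEM|SRV01|target=adm-kim;source=WS042
2004-03-01 08:02:31|Failure Audit|529|SYSTEM|SRV01|target=adm-kim;source=WS042
2004-03-01 08:02:58|Failure Audit|529|SYSTEM|SRV01|target=adm-kim;source=WS042
2004-03-01 08:05:44|Success Audit|636|BFE\adm-kim|SRV01|member=BFE\jsmith;group=Administrators
2004-03-01 08:06:02|Success Audit|636|BFE\adm-kim|SRV01|member=BFE\jsmith;group=Print Users
2004-03-01 08:07:30|Success Audit|612|BFE\adm-kim|SRV01|change=account management auditing off
2004-03-01 08:09:15|Success Audit|517|BFE\adm-kim|SRV01|
2004-03-01 09:30:00|Failure Audit|529|SYSTEM|WS007|target=jdoe;source=WS007
2004-03-01 11:45:00|Failure Audit|529|SYSTEM|WS007|target=jdoe;source=WS007
"""


def parse(text):
    """Turn the export into a list of event dictionaries."""
    events = []
    for line in text.strip().splitlines():
        when, kind, event_id, actor, computer, detail = line.split("|", 5)
        fields = dict(p.split("=", 1) for p in detail.split(";") if "=" in p)
        events.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                       "type": kind, "id": int(event_id), "actor": actor,
                       "computer": computer, "fields": fields})
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (account, first failure, count) for each account with at
    least `threshold` failed logons inside one sliding `window`."""
    by_target = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            by_target[e["fields"].get("target", "?").casefold()].append(e["time"])
    bursts = []
    for target, times in by_target.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((target, times[start], end - start + 1))
                break
    return bursts


def triage(events):
    """Return sorted (time, severity, audit setting, message) findings."""
    findings = []
    for e in events:
        setting, meaning = EVENTS.get(e["id"], (None, None))
        where = f"by {e['actor']} on {e['computer']}"
        if e["id"] in (517, 612):            # changes to the audit trail itself
            findings.append((e["time"], "HIGH", setting, f"{meaning} {where}"))
        elif e["id"] in GROUP_ADDS:
            group = e["fields"].get("group", "")
            if group.casefold() in WATCHED_GROUPS:
                member = e["fields"].get("member", "?")
                findings.append((e["time"], "HIGH", setting,
                                 f"{member} added to {group} {where}"))
    for target, first, count in failed_logon_bursts(events):
        findings.append((first, "MEDIUM", EVENTS[529][0],
                         f"{count} repeated failed logons for {target}"))
    return sorted(findings)


if __name__ == "__main__":
    for when, severity, setting, message in triage(parse(SAMPLE_LOG)):
        print(f"{when}  {severity:<6}  {setting:<26}  {message}")
```

If one of the listed audit settings is not enabled for both success and failure, the matching finding can never appear, which is itself worth checking before trusting a quiet log.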
Designing the Administration of Servers
Managing an enterprise can be a cumbersome task, but Windows Server 2003 provides many tools to assist you in the efficient and safe management of your network, no matter how large it is. The tools with which you need to be familiar are as follows:
➤ Microsoft Management Consoles (MMCs)
➤ Remote Desktop Administration
➤ Telnet
➤ Remote Assistance
Microsoft Management Consoles
Using Microsoft Management Consoles (MMCs), you can create your own custom “toolboxes” that keep the tools you use most frequently all in one place. You can then share these toolboxes with other administrators whom you trust, or you can create another toolbox that has only the tools that they need. You can simply share the completed MMC in a folder to which the other administrator has access, and he can then use the MMC as well. Share it with Read permission so that the administrator who receives the MMC cannot change the file without also changing the name and the ownership of the file. To use the MMC tools, you must register the proper dynamic link libraries (DLLs). You can easily register most DLLs by entering adminpak.msi at a command prompt and following the Windows Server 2003 Administrative Tools Installation Wizard.
An MMC itself has no administration capability; it’s only a toolbox that contains the real tools called snap-ins. These snap-ins are produced by Microsoft and many other vendors. They include most of the tools that you need to configure, manage, and monitor your network. Many of these tools can be used on the local computer or on a remote computer connected to the management console. Figure 3.6 shows an MMC that has been customized to hold tools for two different computers.
Figure 3.6 You can build MMCs that hold tools for multiple computers.
Remote Desktop Administration
Remote Desktop Connection replaces the Remote Administration Mode for Terminal Services used in Windows 2000 Server. It provides a new interface that allows you to safely manage any computer that is configured to allow users to connect remotely. You can access Remote Desktop Connection by clicking Start, All Programs, Accessories, Communications, Remote Desktop Connection. You can then connect to the computer by entering the computer name and the password for that computer.
You can control the resolution and other aspects of the “user experience” on the Remote Desktop Connection settings. Figure 3.7 shows the Remote Desktop Connection dialog box. These options allow you to configure your remote session based on the allowed bandwidth and other restrictions. Figure 3.8 shows the custom settings that you can configure on the Experience tab. You should use Remote Desktop Connection when you are making a connection to only one other computer or server.
You must also be a member of the Remote Desktop Users security group to use Remote Desktop Connection. The administrator is a member of this group by default and can add other members.
Figure 3.7 You can configure options for Remote Desktop Connection.
To make multiple simultaneous connections, use the Remote Desktops snap-in. This tool enables you to manage many servers as if you were sitting in front of each one of them. You can control each of the connections and encrypt the connection over the Remote Desktop Protocol (RDP). You can quickly switch between several remote desktops. Figure 3.9 shows an MMC with the Remote Desktops snap-in installed.
Figure 3.8 You can configure custom settings on the Experience tab.
Figure 3.9 You can control multiple remote connections from one interface with the Remote Desktops snap-in.
Telnet
In general, you use Remote Desktop Connection or the Remote Desktops snap-in to connect with any computers that are running Microsoft operating systems. This provides the most secure method of remote administration.
For other servers and network devices on your network, you can use Telnet. The Telnet application is part of the TCP/IP suite, and any network that is using TCP/IP can use it. The Telnet client is built in to Windows Server 2003 and provides a command-line interface to another server and limited functionality to configure the server (see Figure 3.10). Telnet does not provide security—all passwords and data are transmitted in clear text. If you use Telnet, you need to ensure that no sensitive information is being transmitted.
Figure 3.10 You can configure servers and network devices on a command-line interface with Telnet.
Telnet is not recommended for remote administration of Microsoft computers because all data and commands are transmitted in clear text.
To access a computer or network device with Telnet, perform the following steps:
1. Click Start.
2. Click Run.
3. Type telnet.
4. Type open.
5. Type the name of the host with which you want a connection.
6. Type ? for help with further commands.
The list of commands that are available is based on the type of host to which you have connected. All commands are alphanumeric. In other words, you can’t use your mouse or any type of GUI with Telnet. Table 3.2 lists some Telnet commands and the actions that they perform.
Table 3.2 Telnet Commands
Telnet Command | Action Performed
Open hostname | Establishes session with host
Close | Closes connection
Display | Shows current settings for client
Send | Gives additional commands as defined by the type of host
Set | Allows you to configure options when used with additional arguments, depending on the client
Unset | Turns off options that were previously set
Status | Determines connection status
? | Shows Help menu based on host
Quit | Closes Telnet client
Remote Assistance
Clients can request your assistance using the Remote Assistance tools, provided by Windows XP Professional, and you can respond to their requests and assist them through your Windows Server 2003 network. After you are connected, you can view the client’s computer and chat online. You can even take control of their mouse and keyboard with their permission. You can also upload files to them or download their files to your computer or central server. Remote Assistance communication can be based on Windows Messenger or Microsoft Outlook. Figure 3.11 shows the Remote Assistance console on a Windows XP Professional client.
Designing Security for Emergency Management Services
At this level, it almost goes without saying that you need to maintain redundant drives, power supplies, and server components. You also need to create backups of all data and configurations and keep copies offsite. This type of management activity is the day-to-day operations that help to keep the network operating smoothly, but what if something goes wrong?
Unfortunately, disasters, such as fires, floods, hurricanes, tornados, and earthquakes, do happen from time to time. Your Emergency Management Services design needs to include a disaster recovery plan (DRP) that takes these into account. Your DRP should focus on the disasters that are most common for your area. For example, you probably won’t be concerned about earthquakes if you are located in Florida, and you wouldn’t worry much about hurricanes in South Dakota.
In the event of a disaster of this magnitude, the main goal is to get the computers back up to the point that your company can do business before you go out of business permanently! Your DRP should address a plan to rebuild the network to a functioning state as quickly as possible, even if your whole building is destroyed. The details of this plan will, of course, vary, depending on the size and complexity of the company, but the main thing you need is a place to work. The types of alternative sites that you should consider in your DRP are as follows:
➤ Hot site
➤ Warm site
➤ Cold site
Hot Sites
A hot site is a location that is up and running 24/7 with everything that you need to function. Its main advantage is that, in the event of a disaster, you can move into the hot site and resume normal business operations in a matter of hours. Another advantage is that it is possible to do a “dry run” and test the hot site.
The hot site should be close enough to be practical for employees, yet far enough away so as not to be taken down by the same disaster that took down your main site. You can maintain the hot site, or you can pay another company to provide the service. The main disadvantage of a hot site is the large cost associated with it. Typically, the potential loss of money is not enough to justify the cost of a hot site, so they are only used in organizations in which people’s lives are at stake, such as highly sensitive governmental institutions or hospital networks.
Warm Sites
A warm site is a location that provides the space, electrical outlets, and communications lines that will be needed in the event of a disaster. It is not customized for one organization and might be used by many organizations in the event of a natural disaster. Typically, no computers are in place because it is assumed that the company will provide the computers when, and if, the time comes to use the site. The main advantage of this type of site is that it costs considerably less to maintain than a hot site. The main disadvantage of this type of site is that it is much more difficult to test your DRP from time to time.
Cold Sites
A cold site is a location that basically has four walls, a ceiling, and a bathroom! Typically, it’s a prearranged agreement with another party to use their space if a disaster happens. There is very little planning involved in a cold site. The main advantage is that it costs very little. Two parties in different areas might even agree to let each other use a part of their building in the event of a disaster, so there is no cost to either party. The main disadvantage of a cold site is that it does not fully provide a quick transition back to normal business operations.
Designing a Security Update Infrastructure
Many of the latest attacks on computers and servers with Microsoft operating systems have succeeded in spite of the fact that the patches to prevent these attacks were available on the Microsoft Web site prior to the attack. The attacker succeeded because the administrator had not yet installed the latest patches. Your design strategy should include a system to automate the installation of patches that are critical to the security of your network. You should be familiar with the tools that Microsoft provides with Windows Server 2003. Designing a security update infrastructure includes
➤ Designing a Software Update Services (SUS) infrastructure
➤ Designing Group Policy to deploy software updates
➤ Designing a strategy for identifying computers that are not up to the current patch level
Designing a Software Update Services Infrastructure
Software Update Services (SUS) is new to Windows Server 2003 but is backward compatible to Windows 2000 servers running Service Pack 2 or higher. It is downloadable from the Microsoft Web site at www.microsoft.com/windows2000/windowsupdate/sus/default.asp. You should download and install the SUS101SP1.exe file.
Your server needs to meet the following minimum hardware requirements to become a SUS server:
➤ Pentium III 700MHz or higher
➤ 512MB RAM
➤ 6GB hard disk space
➤ Windows 2000 Server with SP2 or later or Windows Server 2003
➤ IIS 5.0 or later
➤ Internet Explorer 6.0 or later
You can use SUS to update clients running Windows 2000 Professional and Windows XP Professional with the latest service packs. SUS enables an administrator to automatically download, test, approve, and install the latest critical updates and service packs from the Microsoft Windows Update Web site. Figure 3.12 shows the SUS administration site. You need to be familiar with the features of SUS, as identified by Microsoft, including the following:
➤ Built-in security
➤ Selective content approval
➤ Content synchronization options
➤ Server-to-server synchronization
➤ Multilanguage support
➤ Remote administration via Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS)
Figure 3.12 You can manage SUS through a secure Web site.
Built-in Security
This one speaks for itself! You can’t enhance security if your enhancement creates holes. The administrative pages of SUS are Web-based through IIS and are restricted to local administrators on the computer that hosts the updates. The synchronization always validates the digital certificates on any downloads to the update server. Any files that are not from Microsoft are automatically deleted.
Selective Content Approval
Updates are first downloaded to the server by running SUS synchronization. These, however, are not automatically available to the computers that have been configured to receive updates from that server. Instead, you can approve the updates before they are made available for download. This allows you to test the packages before deploying them.
Content Synchronization Options
You receive the latest critical updates and service packs from Microsoft through the process of synchronization. You can set a schedule for automatic synchronization at preset times. Alternatively, you can use the Synchronize Now button to manually synchronize the server.
Server-to-Server Synchronization
You can point your server to another server running Microsoft SUS instead of to the Windows update server. This creates a single point of entry for updates into the network, without requiring that each SUS server download updates from the external Microsoft source. In this way, updates can be more easily distributed across the enterprise.
Multilanguage Support
SUS supports the publishing of updates to multiple operating system language versions. You can configure the list of languages for which you want to download updates. You only need to download the languages that you will use. This greatly increases the speed of synchronization.
Remote Administration via HTTP or HTTPS
The SUS administrative interface is Web-based. This allows you to manage it remotely as if you were sitting in front of the server itself. Remote administration requires Internet Explorer (IE) 5.5 or later.
Update Status Logging
You can specify the address of a Web server to which the Automatic Updates client should send statistics about updates that have been downloaded and installed. These statistics are sent using HTTP. You can access them in the IIS log file of the Web server.
Designing Group Policy to Deploy Software Updates
Now that you’ve got the latest critical updates for your servers and clients synchronized into your SUS server, how do you get them into the clients and servers themselves? There is a hard way and an easier way. The hard way is to go to each client and manually change the Automatic Update settings within the properties of My Computer.
The easier way is to use Group Policy to change all of the computers that you need to change—simultaneously. You should configure the Group Policy to set the computers to the correct SUS server and then link the policy to the container in which the computer objects are located. You can configure those computers to automatically download and install the software or to notify the clients and let them make the decision to download and install it. Figures 3.13 and 3.14 show the Group Policy settings for SUS updates. To configure a Group Policy for SUS, perform the following steps:
1. Open the Group Policy Management Console (GPMC) or Group Policy tool.
2. Expand Computer Configuration in the properties of the policy.
3. Expand Administrative Templates.
4. Expand Windows Update.
5. Right-click Configure Automatic Updates to configure the settings for each computer.
6. Right-click Specify Intranet Microsoft Update Service Location to configure the server from which to receive the updates.
Figure 3.13 You can configure how and when clients receive updates.
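The two settings from steps 5 and 6 reach each client as registry values, which makes them easy to verify. As an added example that is not part of the original chapter, the Python script below parses registry exports from clients and reports the ones that would not take approved updates from the intended SUS server. The export text, client names, and the server name http://sus01 are constructed; the value names are the ones the Windows Update policy writes under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate.

```python
"""Added example: check clients' Automatic Updates policy values.

The export text, client names, and server http://sus01 are constructed.
"""
import re

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

MESSAGES = {
    "USE_WUSERVER_OFF": "UseWUServer is not 1, so the intranet server is ignored",
    "WRONG_SERVER": "WUServer does not point at the approved SUS server",
    "NO_STATUS_SERVER": "WUStatusServer is not set, so no statistics are logged",
    "AUTO_UPDATE_DISABLED": "NoAutoUpdate is 1, Automatic Updates is turned off",
    "AUOPTIONS_INVALID": "AUOptions is missing or not one of 2, 3, 4",
    "INSTALL_LEFT_TO_USER": "AUOptions 2 or 3 leaves the install to the user",
}

GOOD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01"
"WUStatusServer"="http://sus01"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
'''

DRIFTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus-old/"

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000000
"AUOptions"=dword:00000002
'''

NO_POLICY = "Windows Registry Editor Version 5.00\n"   # policy never applied

CLIENTS = {"WS001": GOOD, "WS014": DRIFTED, "WS020": NO_POLICY}


def parse_reg(text):
    """Parse export text into {key path (folded): {value name (folded): value}}.

    Only string and dword values are read; other value types are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].casefold(), {})
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and current is not None:
            name, value = match.group(1).casefold(), match.group(2)
            if value.startswith("dword:"):
                current[name] = int(value[6:], 16)
            elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                current[name] = value[1:-1].replace("\\\\", "\\")
    return keys


def check_client(reg_text, expected_server):
    """Return finding codes (keys of MESSAGES) for one client's export."""
    keys = parse_reg(reg_text)
    wu = keys.get(WU_KEY.casefold(), {})
    au = keys.get(AU_KEY.casefold(), {})
    findings = []
    if au.get("usewuserver") != 1:
        findings.append("USE_WUSERVER_OFF")
    server = str(wu.get("wuserver", "")).rstrip("/").casefold()
    if server != expected_server.rstrip("/").casefold():
        findings.append("WRONG_SERVER")
    if not wu.get("wustatusserver"):
        findings.append("NO_STATUS_SERVER")
    if au.get("noautoupdate") == 1:
        findings.append("AUTO_UPDATE_DISABLED")
    option = au.get("auoptions")
    if option not in (2, 3, 4):
        findings.append("AUOPTIONS_INVALID")
    elif option != 4:                 # 4 = download and install on schedule
        findings.append("INSTALL_LEFT_TO_USER")
    return findings


def fleet_report(clients, expected_server):
    """Return {client: [finding codes]} for clients with at least one finding."""
    report = {name: check_client(text, expected_server)
              for name, text in clients.items()}
    return {name: codes for name, codes in report.items() if codes}


if __name__ == "__main__":
    for name, codes in sorted(fleet_report(CLIENTS, "http://sus01").items()):
        for code in codes:
            print(f"{name}: {MESSAGES[code]}")
```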
Designing a Strategy for Identifying Computers That Are Not Up to the Current Patch Level
To provide a complete security plan, you need to make certain that all of your computers have the latest patches and security updates installed. You have many tools to choose from to assist you in scanning computers for the latest updates. These are available from Microsoft and other third parties. The Microsoft tools with which you should be familiar include the following:
➤ Microsoft Baseline Security Analyzer
➤ Systems Management Server (SMS) and the SUS Feature Pack
Microsoft Baseline Security Analyzer
You can use Microsoft Baseline Security Analyzer (MBSA) to scan for security-related updates on multiple computers. MBSA Version 1.1.1 includes both a GUI tool and a command-line interface tool. You can use these tools to perform scans of Windows systems on your network. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems. You can perform scans of all Windows NT-based clients, including Windows NT Workstation and all later clients. You can also scan for updates to applications running on the clients, including Internet Explorer and Office applications, such as Office 2000 and later. The computer being scanned must be running IE 5.01 or later and XML parser software. Parser software can be downloaded from the Microsoft Web site at www.microsoft.com/downloads.
Systems Management Server and SUS Feature Pack
Systems Management Server (SMS) and the SUS feature pack enable you to manage security updates throughout any size company. The SUS feature pack streamlines the security patch management process for you. The SMS software can be used to customize installations.
The Security Update Inventory Tool in SMS uses the MBSA program to scan all of the clients and servers and then creates a detailed Web-based inventory report. Then, you can use the software distribution features built in to SMS to distribute the required software to the clients and servers. The wizards built in to the tool ensure that only the updates that are missing are installed. No redundant or unnecessary updates are performed.
Exam Prep Questions
Answer the questions for the following case study based on the information provided in the case study.
Case 1: WPX Inc.
WPX Inc. is a medium-size company with a main office in Atlanta and 12 remote offices in the Southeast United States. WPX has six administrators who manage the main office and the 12 branch offices with varying levels of authority and control. The company is concerned about the local security of the network and the number of administrative accounts required to manage the network. WPX is also considering options for emergency management and a DRP.
WPX has a constant need for remote management of the branch offices, which all contain at least one server. In addition, the company is considering options in regard to a DRP for the Atlanta office. Finally, WPX is concerned that its clients might not have all of the latest critical updates for security. It wants a system that can analyze the current status of its clients, install the software needed, and keep the clients up to date. You have been hired as a consultant to assist WPX.
Question 1
Which of these types of accounts should an administrator use to log on to the network and check her email?
❍ A. Administrative account
❍ B. Default Administrator account
❍ C. Email address
❍ D. Regular user account
Answer D is correct. Microsoft recommends that administrators use a regular user account when they are not doing administrative work. She should not use her administrative account unless she is actually doing administrative activity; therefore, answer A is incorrect. The name of the Administrator account should be changed; therefore, answer B is incorrect. She cannot use her email address to log on; therefore, answer C is incorrect.
Question 2
Which tools should you use to control the membership of the administrative groups? (Choose two.)
❑ A. Restricted Groups
❑ B. Active Directory Users and Computers
❑ C. Active Directory Sites and Services
❑ D. Group Policies
Answers A and B are correct. Restricted Groups and Active Directory Users and Computers can be used to control the membership of administrative groups. Active Directory Sites and Services is used to control the physical aspects of Active Directory; therefore, answer C is incorrect. Group Policies are used to control security and access to resources; therefore, answer D is incorrect.
Question 3
Which of the following should you use for remote administration of multiple Windows Server 2003 servers in the same session?
❍ A. Remote Desktop Connection
❍ B. Remote Desktops snap-in
❍ C. Telnet
❍ D. File Transfer Protocol
Answer B is correct. The Remote Desktops snap-in is the only tool listed that allows multiple remote administration sessions. Remote Desktop Connection allows only one session at a time; therefore, answer A is incorrect. Telnet is a command-line-based administration tool that is not secure; therefore, answer C is incorrect. File Transfer Protocol is not used to manage computers; therefore, answer D is incorrect.
Question 4
Which tools are available as a snap-in to be used with a Microsoft Management Console? (Choose two.)
❑ A. Computer Management
❑ B. My Computer
❑ C. Windows Explorer
❑ D. Active Directory Users and Computers
Answers A and D are correct. Computer Management and Active Directory Users and Computers are both available as a Remote Desktops snap-in. My Computer is a tool specific to one computer and not available as a snap-in; therefore, answer B is incorrect. Windows Explorer is specific to one computer and not available as a snap-in; therefore, answer C is incorrect.
Question 5
Which tools should you use to set the actions and objects that will be audited? (Choose two.)
❑ A. Security log
❑ B. Group Policy Object Editor
❑ C. Windows Explorer
❑ D. Active Directory Domains and Trusts
Answers B and C are correct. You should use the Group Policy Object Editor to set the actions of the audit (success or failure) and the Windows Explorer tool to set the objects to be audited. The security log is a tool used to view the results of an audit, not to set it up; therefore, answer A is incorrect. Active Directory Domains and Trusts is a tool used to manage trusts between domains; therefore, answer D is incorrect.
Question 6
Which audit policy is set on a domain controller to audit its authentication of users on other computers in the domain?
❍ A. Audit Logons
❍ B. Audit Account Logons
❍ C. Audit Privilege Use
❍ D. Audit Process Tracking
Answer B is correct. Audit Account Logons can only be set on a domain controller. It audits that computer’s authentication of another computer to the domain. Audit Logons is set on the local computer to audit local logons; therefore, answer A is incorrect. Audit Privilege Use is set to monitor a user’s exercise of user rights; therefore, answer C is incorrect. Audit Process Tracking is set to monitor an application’s use of system resources; therefore, answer D is incorrect.
Question 7
You decide to lease a space for emergency purposes approximately 100 miles from the Atlanta office. This space will be equipped and maintained with the power and communications needs for the network in the event a natural disaster or fire destroys the Atlanta office. It will not currently be equipped with any computers. Which type of alternative site have you chosen?
❍ A. Hot site
❍ B. Cold site
❍ C. Spare site
❍ D. Warm site
Answer D is correct. Because the site will not contain the actual servers and other hardware, but will be equipped with the right power and communications connections, it should be referred to as a warm site. A hot site is equipped with computers and is ready to move in within hours; therefore, answer A is incorrect. A cold site is a location that has no planned resources at all; therefore, answer B is incorrect. A spare site is not a term that is used in this context; therefore, answer C is incorrect.
Question 8
Which tools should you use to synchronize a server with the Microsoft Windows Update Web site and receive the latest critical updates and service packs? (Choose two.)
❑ A. Windows Update
❑ B. Group Policy
❑ C. Active Directory Users and Computers
❑ D. Software Update Services
Answers A and D are correct. Windows Update is used to synchronize an individual computer with the latest updates on the Microsoft Web site. Software Update Services can be used in a hierarchical arrangement to test and distribute the latest Microsoft updates. Group Policies are used to control security and access to resources; therefore, answer B is incorrect. Active Directory Users and Computers is used to control the logical aspects of Active Directory; therefore, answer C is incorrect.
Question 9
Which tool should you use to scan clients and servers to determine whether they have the latest updates installed?
❍ A. Microsoft Baseline Security Analyzer (MBSA)
❍ B. Software Update Services (SUS)
❍ C. Group Policy Management Console
❍ D. Computer Management
Answer A is correct. MBSA can be used to scan computers for the latest security updates and other security weaknesses. SUS is used to install the latest updates, but does not scan the computer; therefore, answer B is incorrect. The Group Policy Management Console is used to create and manage Group Policies; therefore, answer C is incorrect. Computer Management does not scan the computer for the latest updates; therefore, answer D is incorrect.
Question 10
Which of these clients can be configured with Group Policy to use Software Update Services? Choose all that apply.
❑ A. Windows 98
❑ B. Windows XP Home Edition
❑ C. Windows XP Professional
❑ D. Windows 2000 Professional
Answers C and D are correct. Windows XP Professional and Windows 2000 Professional are the only clients listed that can be configured with Group Policy. Group Policy cannot be used to control Windows 98; therefore, answer A is incorrect. Windows XP Home Edition does not support Group Policy; therefore, answer B is incorrect.