 Designing Microsoft Windows 2000 Network Security 70-220 

Transcript of 70-220

Page 1: 70-220

8/13/2019 70-220

http://slidepdf.com/reader/full/70-220 1/289

 

Designing Microsoft Windows 2000 Network Security

70-220 


Case Study 1:

Just Togs

• Just Togs

• Background:

• Just Togs is a clothing retailer that has been in business for eight years. Last year’s total sales for all retail stores were $240 million. After tremendous growth during the past eight years, the clothing business has slowed in its existing retail stores.

• Organization:

• Headquarters:

• Corporate headquarters is located in San Jose, California, and employs approximately 80 people. There are 12 employees in the IT department.

• Retail Stores:

• There are approximately 50 employees at each of the retail stores, which are located in five major cities in California.

• Problem Statement:

• President:

• Our old business model relied on expansion by building new retail stores. However, expansion takes time, and the area served by a single retail store is limited. The only way to rapidly increase sales is to build a Web site. This site would allow customers from across the United States to buy our clothing.

• IT Director:

• We have three major areas of concern. First, we must ensure that the information on our Web server can be modified only with proper authorization and that the information is distributed only to those authorized. We also want to be informed when someone accesses data on the Web server. Second, information must be secure as it travels from the customer’s computer to our server. We must prevent user IDs, passwords, and financial information from being intercepted as this information travels to our server. And lastly, information that the customers download must not damage their software or violate licensing agreements.

• Our IT department will be expanded to include a Webmaster, who will administer the Web site, Web developers who will write code for the Web pages, and Web authors who will create the Web content.

• Marketing Director:

• We have developed an ActiveX control that customers will be able to download from the Web site. Customers can use this control to display different sizes of clothing on a 3-D model. They can customize the model with their measurements. They can then dress the model with our clothes to show how the clothes will fit and select the correct size.

• When people first view our Web site, they will be considered visitors. After visitors enter their name and address and receive an ID, we will consider them customers.

• From our Web site, we must include a method for the customer to view our clothes and place selected items in a shopping basket. We will need a checkout function that allows the customer to enter shipping and billing information. This should include the customer’s name, address, phone number, and credit card number. This information, including the customer’s ID and password, will be stored in a database.

• When customers revisit our site, we will be able to identify them automatically by their ID and password. They can then view the status of their orders or place additional orders. We should also let customers know that they are connected to the Just Togs Web site.

• The entire transaction should be logged. The information will be stored in a transaction-tracking file. This file will contain credit card numbers and other confidential customer information. The transaction-tracking file will allow us to bill the customer and to provide information for our customer service employees if problems arise.

• Customer Service Director:

• All customer service employees must have access to customer information. This includes customers’ personal information, such as name, address, phone number, and account number.

• Existing IT Environment:

• Headquarters:

• Headquarters has four Windows NT Server 4.0 computers. The remote access server is named JTRAS. The primary domain controller is named JTDC1. The other two servers are used to run applications.

• Retail Stores:

• Each retail store has two Windows NT Server 4.0 computers. One server controls all cash register functions. The second server handles inventory and word processing functions and has a dial-up connection to headquarters. All retail stores use TCP/IP. Each office has its own user account for dial-up access. This connection is used to transmit daily sales and merchandise orders to headquarters.

• Connectivity:

• All computers in the headquarters LAN are connected through a 100-Mbps connection. Each retail store is connected to headquarters through a WAN with a 56-Kbps dial-up connection.

• Envisioned IT Environment:

• Headquarters:

• The existing Windows NT Server domain controller will be upgraded to Windows 2000 native mode, and a single forest will be created.

• A DMZ will be set up between the public and private network. In addition, Just Togs plans to add six new Windows 2000 Server computers. A Web server named JTWEB will be multi-homed. A server named JTDEV will be used by programmers to develop the Web content. A server named JTDATA will contain all customer, inventory, and order information. This information will be stored in Microsoft SQL Server databases. A server named JTVPN will be used as the VPN server; JTDC2 will be a new domain controller.

• The company wants to eliminate its remote access server and allow the retail stores to submit their data over the Internet through a VPN.

• Retail Stores:

• The hardware and software at the retail stores will remain the same.

• Connectivity:

• The WAN and LAN bandwidth will remain the same.

Just Togs Questions

1. Which type of CA should you use to digitally sign the ActiveX control?

A. Enterprise subordinate CA
B. Third-party CA
C. Enterprise root CA
D. Stand-alone root CA


2. Which audit policy should you use on JTWEB?

A. Success and failure audit for process tracking
B. Success and failure audit for object access
C. Success and failure audit for logon events
D. Success and failure audit for directory service access


3. Which methods should you use to identify and authenticate existing customers on the Web site?

A. SSL, NTLM logon, and database validation
B. SSL, anonymous logon, and CHAP
C. SSL, NTLM logon, and CHAP
D. SSL, anonymous logon, and database validation


4. Which audit policy should you use to detect possible intrusions into the Just Togs network?

A. Success and failure audit for process tracking
B. Success and failure audit for privilege
C. Success and failure audit for policy change
D. Success and failure audit for logon events


5. How should you authenticate visitors to the Web site?

A. Authenticate visitors to an anonymous account
B. Authenticate visitors by requiring them to enter their user ID and password
C. Authenticate visitors by using cookies
D. Authenticate visitors that place an order as new or existing customers


6. Which technology should you use to securely connect the retail stores to headquarters?

A. MS-CHAP
B. IPSec
C. EAP-TLS
D. PPTP
E. L2TP


7. Which authentication protocol should you use to secure the VPN connection from the retail stores to headquarters?

A. EAP
B. PAP
C. SPAP
D. MS-CHAP


8. Which changes should the retail stores make to support the VPN connection?

A. Configure the connection type to dial in to headquarters. Use L2TP over IPSec to communicate with the VPN server.
B. Configure the connection type to dial in to the ISP. Use L2TP over IPSec to communicate with the VPN server.
C. Configure the connection type to dial in to the ISP. Use PPTP to communicate with the VPN server.
D. Configure the connection type to dial in to headquarters. Use PPTP to communicate with the VPN server.


9. Design a solution that allows the retail stores to connect securely to headquarters over a VPN and customers to connect securely to headquarters by using SSL. (Use all objects and connections.)

Objects:

1. Customer 2. Headquarters 3. JTVPN 4. JTWEB 5. Retail Store

Connections:

A. SSL
B. TCP/IP
C. VPN Tunnel

(You must select two objects and choose which connection they are to be joined by.)

10. Design a network that allows customers to order clothing items on the Web site. (Use all computers and connections.)

Objects:

1. Customer 2. External Firewall 3. Internal Firewall 4. JTDATA 5. JTWEB

Connections:

A. Secure Internet Connection
B. TCP/IP Connection


Case Study 2:

Prose Ware

ProseWare

• Background:

• ProseWare Corp. is a temporary staffing agency that provides companies with temp employees. ProseWare employs 2,500 people nationwide.

• Organization:

• Headquarters:

• Headquarters is located in Chicago, Illinois. Headquarters includes the accounting, payroll, human resources, and IT departments. Headquarters employs 150 people.

• Branch Offices:

• ProseWare Corporation has branch offices in 200 locations nationwide. Each branch office employs from 5 to 20 people. Each branch office has a branch manager. One person in each branch office is a representative for the IT department. This person resets routers and helps the IT department troubleshoot technical problems that occur at the branch office.

• Regions:

• Several branch offices that are in the same geographic area make up a region. There are eight regions. One regional manager is assigned to each region. The regional managers submit information about branch offices, regions, and markets for posting on the Web page. Branch managers must approve the content before it is published on the company's Internet Web page.

• On-Site Offices:

• For ProseWare Corp.'s largest customers, the company provides one to five employees from the sales department to work full time at the customer offices. This helps ProseWare identify customer needs more efficiently.

• Payroll Centers:

• There are payroll centers in Dallas, Texas, and San Francisco, California. Payroll centers process paychecks for all employees within their region.

• Existing IT Environment:

• Computers:

• All headquarters employees, except employees within the IT department, use Windows 98 desktop computers. The IT department uses Windows NT Workstation 4.0 desktop computers.

• ProseWare Corporation has 28 Windows NT Server 4.0 computers at headquarters. One of these computers is a certificate server that is not being used, two are file servers that store company data, and 25 run Windows NT Server 4.0, Terminal Server Edition.

• In addition, ProseWare Corporation has one Outlook Web Access (OWA) server named OWA1, two domain controllers named DC1 and DC2, three Microsoft Exchange Server 5.5 computers, four UNIX servers that contain Oracle databases, and one remote access server named RAS1.

• On-site employees use OWA1 to connect to headquarters. Anonymous users can connect to OWA1 to post resumes to an Exchange public folder named Recruiting and to fill out online applications. Each branch office has access to this public folder. The IT representative maintains control of this folder.

• The company also maintains an intranet, which includes Web pages for technical support, human resources information, and other company information. Branch offices all have desktop terminals and one computer with a modem. The branch offices connect to a Terminal server at headquarters. There are no servers in the branch offices.

• All headquarters employees are granted access to e-mail and the Internet. Users in branch offices and on-site offices are granted access to e-mail and the Internet from the computers. Users of desktop terminals are not granted access to the Internet.

• WAN Connectivity:

• Branch offices are connected to headquarters by fractional T1 lines; the committed information rate is 128 Kbps.

• ProseWare Corporation has a T1 line to the Internet. The company's domain name is proseware.com. ProseWare Corporation maintains a Web page under this domain.

• On-site offices are not connected to the WAN.

• Network:

• All servers have static IP addresses. All client computers use DHCP. Each branch office has its own subnet and a router.

• Envisioned IT Environment:

• Computers:

• ProseWare Corporation wants to upgrade its network to Windows 2000 and use one Active Directory tree. All servers will be upgraded to Windows 2000 Server. All Terminal servers will use the Terminal Services feature. All desktop computers will be upgraded to Windows 2000 Professional.

• ProseWare Corporation plans to add an additional remote access server, which will be named RAS2. Both remote access servers will run Windows 2000 with Routing and Remote Access. In addition, the company will add an Internet Information Services (IIS) server.

• OWA1 will not be upgraded to Windows 2000.

• WAN Connectivity:

• The WAN bandwidth will remain the same.

• Network:

• ProseWare Corporation wants to build a network that can easily accommodate future growth.

• Security:

• ProseWare Corporation has implemented digital certificates to communicate securely with customers. The company has implemented one enterprise root CA. ProseWare Corporation wants to set up a certificate server for internal use only. The company also wants to implement secure communications to the Human Resources shared folder to prevent theft of confidential data during transmission. The company might consider two-factor authentication methods for portable computers.

• Network Roles and Usage:

• Human Resources:

• The human resources department maintains a folder that contains confidential employee data. This folder is located on one of the Windows NT 4.0 file servers.

• IT:

• The IT department maintains the network. The Terminal servers provide complete centralized administration for ProseWare Corporation. This allows all IT employees to be located at headquarters. The IT department is composed of network administrators and help desk personnel.

• Sales:

• The sales department uses the network to send and receive information from potential temporary employees and to communicate with customers. Sales employees often send confidential information, such as personnel schedules, through e-mail.

• Branch Offices:

• Branch offices store confidential employee data, such as benefits information, in the Human Resources shared folder. The branch manager copies this information to the folder. Only the branch manager has access to this information. The IT representatives in the branch offices report network downtime and are allowed to create global groups on the network for their offices.

• Payroll Centers:

• Payroll centers connect to the Oracle databases at headquarters to obtain payroll data. This data is used to create paychecks.

ProseWare Questions

1. Which business requirement will have the most impact on the Windows 2000 security design?

A. Improved network performance
B. Continued use of the OWA1 server in the Windows 2000 environment
C. Projected number of branch offices
D. Resource access for on-site offices


2. Which two security solutions should you implement for headquarters? (Choose two)

A. EFS
B. Digital certificate
C. Encrypted data transmissions
D. PAP authentication
E. Two-factor authentication


3. Which authentication method should ProseWare Corporation's employees at on-site offices use after the computers are upgraded to Windows 2000?

A. NTLM
B. Basic authentication with SSL
C. MS-CHAP
D. Kerberos


4. How can you allow ProseWare Corporation's employees at on-site offices to communicate securely with headquarters?

A. Implement L2TP over IPSec
B. Use basic authentication with SSL
C. Implement DNS security and Group Policies
D. Use encrypted authentication with SSL


6. After all computers are upgraded to Windows 2000, which security component should you reconfigure?

A. IPSec
B. Authentication protocols
C. Certificate Services
D. Network access permissions


7. What is the primary security risk for ProseWare Corp.?

A. Unauthorized network authentication
B. Theft of HR data
C. Unauthorized changes to Web content
D. Theft of payroll center data


8. How can you implement secure communications between the IT department and the HR department? (Choose two)

A. Use Kerberos authentication, 3DES encryption, and AH
B. Use Kerberos authentication, 3DES encryption, and ESP
C. Use certificate-based authentication, 3DES encryption, and AH
D. Use certificate-based authentication, 3DES encryption, and ESP
E. Use pre-shared key authentication, 3DES encryption, and AH
F. Use pre-shared key authentication, 3DES encryption, and ESP
G. Implement digital certificates to secure communication between PCs


9. Which type or types of CA should you implement for internal use? (Choose all that apply)

A. Stand-alone root CA
B. Enterprise subordinate CA
C. Third-party CA
D. Stand-alone subordinate CA
E. Enterprise root CA


10. The planned Active Directory structure for ProseWare Corp. is shown in the exhibit. How should you implement security for the HR department?

A. Assign the Server (Request Security) IPSec policy at the HR_Users OU, and assign the Client (Respond Only) IPSec policy at the domain level
B. Assign the Secure Server (Require Security) and the Client (Respond Only) IPSec policies at the Branch_Users, HR_Users, and IT_Users OUs
C. Assign the Secure Server (Require Security) IPSec policy at the HR_Servers OU, and assign the Client (Respond Only) IPSec policy at the domain level
D. Assign the local policy and the Client (Respond Only) IPSec policy at the domain level


Prose ware – Question 3 – Before:


Case Study 3:

Miller Textiles


Miller Textiles

• Background:

• Miller Textiles:

• Miller Textiles is a manufacturer of industrial fabrics. Miller Textiles has more than 12,000 employees. The headquarters are located in Boston, Massachusetts, and there are manufacturing facilities in Atlanta, Georgia; Baja, Mexico; and Dublin, Ireland. The Chief Information Officer (CIO) has requested a security design proposal for Miller Textiles.

• Fabrikam, Inc.:

• Fabrikam, Inc. is a manufacturer of specialty blankets. The company has more than 300 employees. Fabrikam, Inc. has only one manufacturing facility in Miami, Florida.

• Joint Venture:

• Miller Textiles has just completed an agreement with Fabrikam, Inc. to begin a joint venture. Both companies want to expand their product lines to include space blankets. These blankets will protect satellites from collisions with meteorites and other space debris. Engineers from Miller Textiles and Fabrikam, Inc. will work together to produce the fabric that will be used in the blankets. This joint venture will require the two companies to communicate with each other frequently.

• Organization:

• Miller Textiles and Fabrikam, Inc. both have a similar organizational structure. Each company has an engineering department, a manufacturing department, and a sales department. The engineering department includes engineers who will create the designs for the space blankets. The manufacturing department includes employees who will manufacture the blankets. The sales department includes sales representatives who will sell the blankets.

• Existing IT Environment (Miller Textiles):

• Computers:

• All servers, desktop computers, and portable computers run Windows 2000. Each manufacturing facility and headquarters has a server named MANUFACTURING and a server named ENGINEERING. The MANUFACTURING server contains a schedule that shows the availability of every type of fabric produced by that facility. The ENGINEERING server contains all information needed to produce a new item or improve an existing item.

• LAN and WAN Connectivity:

• The manufacturing facilities are connected to headquarters with T1 lines. The maximum usage for the T1 connection is 40 percent. There is one remote access server at headquarters and one remote access server at each manufacturing facility. The LAN at each manufacturing facility and headquarters runs at 100 Mbps. Miller Textiles has a single domain named MILLER. Each manufacturing facility has its own organizational unit (OU). The OUs are named ATLANTA, BAJA, BOSTON, and DUBLIN.

• Domain Model:

• We are committing major resources to the space blanket project. The data related to the project must remain secure. Each manufacturing facility has its own IT employees who administer its OU. This distributed administration will be retained in the new security plan.

• Existing IT Environment (Fabrikam, Inc.):

• Fabrikam, Inc. has just completed a full upgrade to Windows 2000 on all servers and desktop computers. There is a single domain named FABRIKAM and a domain namespace named Fabrikam.com. The company has its own unique Active Directory schema. In addition, Fabrikam, Inc. has a VPN server named FABHQVPN and an e-mail server.

• All files for the joint venture are stored in a shared folder named MILLERSPACE. This folder is shared by engineers from Fabrikam, Inc. and Miller Textiles. It allows engineers from Miller Textiles to view and modify all files in the MILLERSPACE folder.

• Envisioned IT Environment (Miller Textiles):

• Computers:

• All sales representatives will have a folder named Customer on their portable computers. Because this folder will be used to store confidential customer information, the folder must be secure and encrypted. The folder will be updated when the sales representatives dial in to headquarters. The connection must be secure. The envisioned environment at headquarters is shown in the exhibit.

• Miller Textiles will have shared folders that will contain information about the joint venture. This folder will be named FABRIKAMSPACE. One folder will exist on the ENGINEERING server at each location. The ENGINEERING and MANUFACTURING servers at each location will contain engineering and manufacturing data for that location only.

• LAN and WAN Connectivity:


• The T1 line between headquarters and all manufacturing facilities will remain the same. All remote access servers at the manufacturing facilities will be eliminated. Sales representatives will connect to the network by using a dial-up connection located at headquarters. The remote access server at headquarters will be used as a backup to the VPN. Communication across the VPN connection should be encrypted. Miller Textiles has a frame relay connection to the Internet through a VPN server.

• Domain Model:

• There will be one DNS namespace named millertextiles.com. The existing domain will be in one forest. The engineering department and the manufacturing department will have their own organizational unit (OU) at each manufacturing facility and headquarters. IT employees located at each manufacturing facility will administer the OU for that manufacturing facility. The OU administrators will have full control of all folders on all servers within their OUs.

• A trust relationship will be established between BOSTON and FABRIKAM that will allow engineers access to each other’s domains.

 


1. What are the two primary security risks for Miller Textiles? (Choose two)

A. Fabrikam Inc. engineers modifying the manufacturing schedules for Miller Textiles

B. Unauthorized users viewing manufacturing schedules

C. Fabrikam, Inc, employees viewing confidential information from Miller Textiles

D. Unauthorized users gaining access to data for the space blankets

E. Unauthorized users gaining access to customer information on the portable computers

 


 


2. Which security group strategy should you use for the Miller Textiles sales representatives?

A. Assign all sales representatives to domain local groups within their own domain. Put the domain local groups into global groups.

B. Assign all sales representatives to global groups. Put the global groups into domain local groups.

C. Assign all sales representatives to universal groups. Put the global groups into universal groups.

D. Assign all sales representatives to computer local groups. Put the computer local groups into universal groups.

 


 


3. How should you encrypt information over the VPN between the BOSTON organizational unit (OU) and the FABRIKAM domain?

A. Implement L2TP over IPSec at the BOSTON OU only

B. Implement L2TP over IPSec at both the BOSTON OU and the FABRIKAM domain

C. Implement PPTP at both the BOSTON OU and the FABRIKAM domain

D. Implement PPTP at the BOSTON OU only

 


 


4. How should you protect the Internet interface on the Miller Textiles VPN server from unauthorized users?

A. Use Routing and Remote Access filters on the Internet interface of the VPN server

B. Use Routing and Remote Access filters on the internal interface of the VPN server

C. Disable dynamic DNS updates on the internal interface of the VPN server

D. Disable dynamic DNS updates on the Internet interface of the VPN server

 


 

5. How should you authenticate users from Fabrikam, Inc who access the Miller Textiles network over the VPN?

A. Use the fully qualified domain name (FQDN) and password

B. Use certificate-based authentication

C. Use EAP

D. Use Internet Authentication Service (IAS)


6. How should you assign the authority for adding new user accounts at Miller Textiles after the upgrade?

A. Create one administrative group at the BOSTON organizational unit (OU) with the authority to create new users at each OU.

B. Delegate authority to a domain administrator at each organizational unit (OU) to create new users for all OUs.

C. Delegate authority to a domain administrator at the BOSTON organizational unit (OU) to create new users at each OU.

D. Create a new administrative group at each organizational unit (OU) with the authority to create new users at that OU.

 


 

7. Which two security components should you use on the portable computers? (Choose two)

A. Internet Authentication Service (IAS)

B. PPTP

C. Remote access policy

D. L2TP over IPSec

E. Remote Authentication Dial-In User Service (RADIUS)

F. Encrypting File System (EFS)

 


8. For the Miller Textiles sales representatives, how should you implement Encrypting File System (EFS) on the portable computers to allow central recovery?

A. Create enterprise root CAs at the BOSTON, ATLANTA, BAJA, and DUBLIN organizational units (OUs). Define the recovery agent at the OU level.

B. Use a third-party CA. Use the third party as the recovery agent.

C. Use a self-signed certificate. Define the local administrator as the recovery agent.

D. Create an enterprise root CA at the BOSTON organizational unit (OU), and create enterprise subordinate CAs at the ATLANTA, BAJA, and DUBLIN OUs. Define the recovery agent at the domain level.


9. Specify the required level of security for each resource. Move the appropriate permissions to the appropriate resource(s). Use only permissions that apply; you might need to reuse permissions.

Resources:

A. Boston Engineering data
B. Boston Manufacturing data
C. Atlanta Engineering data
D. Atlanta Manufacturing data
E. Baja Engineering data
F. Baja Manufacturing data
G. Dublin Engineering data
H. Dublin Manufacturing data

Permissions:

1. Baja engineer (Modify)
2. Boston engineer (Modify)
3. Boston Sales Rep. (Read)
4. Facade, Inc. Engineer (Modify)
5. Facade, Inc. Engineer (Read)


10. Design a secure communication strategy. (Use only the locations and connections that apply.)

Locations:

A. Boston
B. Miami
C. Baja
D. Portable Computers
E. Dublin
F. Atlanta

Connections:

1. T1 Line
2. L2TP VPN
3. Routing and Remote Access
4. PPTP VPN


 

Case Study 4:

Enchanted Lakes Corporation 

• Enchanted Lakes Corporation:


• Background:

• Enchanted Lakes is a software-consulting firm. The annual growth rate of income for the company is 200%. The annual growth of office resources, which includes employees and computers, is 50%.

• Headquarters:

• The headquarters are located in Minneapolis, Minnesota. Headquarters, which employs approximately 300 people, includes marketing, sales, IT, HR, accounting and the executive departments. Approximately 250 of the 300 headquarters employees are consultants.

• Branch Offices: 

• Branch offices are located in Copenhagen, Denmark, Des Moines, Iowa and Omaha, Nebraska. Each branch office employs 10-12 consultants and one office manager. Each office manager is also responsible for sales, marketing and HR for that specific office.

• Existing IT Environment:


• Computers:

• The network at headquarters consists of 17 Windows 2000 Advanced Server computers and 250 Windows 2000 Professional client computers. The sales department has 2 Windows 2000 Server computers running MS SQL Server 7.0. Of the 250 client computers, 20 are desktop computers and 230 are portable computers.

• The marketing, IT and HR departments are equipped with desktop computers. All other departments are equipped with portable computers and the users have been granted dial-in permissions. Enchanted Lakes also maintains a dial-in server that resides inside a hardware-based firewall. The dial-in server is RAS1. Only employees have dial-up access. Headquarters also has a remote access server named VPN1. The company has an Internet Information Server (IIS) named TIME1. A program named TIME ENTRY is installed on this server. Consultants access this program to enter their hours of work for the week. Customers can access this program only to request resources. The company also has an Outlook Web Access (OWA) server named OWA1. This server enables off-site employees to view email by using a web browser. Off-site employees can connect to OWA1 only over a secure connection. Most employees require remote connections to headquarters, and it is anticipated that remote connections are likely to increase.

• WAN Connectivity:


• Headquarters has a T1 connection to the Internet. The Des Moines and the Omaha branch offices connect to headquarters via frame relay. The Copenhagen branch office is not connected to headquarters.

• LAN Connectivity:

• The headquarters LAN runs on a 100-Mbps network.

• Branch Offices:

• Each branch office has approximately 10-15 Windows 2000 portable computers and one Windows 2000 desktop computer. Each branch office has a T1 connection to the Internet. The Copenhagen branch office has a MS Exchange Server computer, a domain controller and a remote access server named RAS2. Copenhagen sets up, administers and maintains its own network.


• Network Roles and Usage:


• Human Resources:

• The HR department uses a network file server to store confidential employee information. The HR manager has the ability to manage HR resources throughout the company.

• Information Technology:

• The IT department maintains the corporate network and recommends hardware and software purchases for the entire company. The department also implements physical and network security for the company.

• The server operators group designs networks, resolves second level support problems and resolves the company’s network problems.

• The help desk administers the network, resolves first level support problems and resolves problems with employees’ computers.

• Sales:


• Employees from the Sales department save personal sales documents to their portable computers and they save shared sales documents to the SALES\DOCUMENTS folder. Sales employees want their personal and shared sales documents to be more secure. The Sales department hosts a shared folder named TIPS, which is located on the intranet. This folder contains sales leads that are submitted by employees. Employees who submit leads that result in future business are rewarded with a bonus. All employees must be able to submit leads. The Sales department needs to run reports on the Sales leads information and the Executive department needs to review the leads and the reports. The IT department publishes the web page that lists the leads.

• Consultants:


• Consultants use the corporate network to communicate with other consultants and employees and to store customer-related documents. Every week consultants must enter their work hours into the TIME ENTRY program. The TIME ENTRY program requires the consultants to enter the date and number of hours billed, the customer to bill, expenses incurred and a description of the work that has been performed. The consultants must access the TIME ENTRY program through a secure web browser.

• Branch Offices:

• Occasionally employees located at branch offices connect to headquarters to access customer and billing information. Employees from the Omaha and Des Moines offices can access this information through the current WAN environment. However, employees from the Copenhagen office cannot access the information in the current environment.

 


1. What are the four most important security priorities for EL? (Choose four)

A. Providing secure communications between Copenhagen and headquarters.

B. Ensure secure authentication.

C. Implementing two-factor authentication for the IT department.

D. Preventing denial-of-service attacks.

E. Implementing certificate services for Omaha.

F. Protecting employee data on portable computers.

G. Preventing unauthorized network access.

 


 


2. What are the two primary security risks for EL? (Choose two)

A. Incorrect authentication of network users.

B. Data stolen from portable computers.

C. Unauthorized network access by employees.

D. Unauthorized network access by intruders.

E. A denial-of-service attack on OWA1.

 


 


3. Which data from Copenhagen should you encrypt?

A. All data.

B. Slip data

C. NetBIOS data

D. L2TP data

 


 


4. How should you encrypt the sales department's files?

A. Encrypt all folders that contain sales documents.

B. Encrypt only shared folders that contain sales documents.

C. Encrypt only personal sales documents individually.

D. Encrypt only shared sales documents individually.

 


 


5. How should you implement certificate services for the Omaha office?

A. Use a third-party certificate services vendor.

B. Use the certificate services from the Minneapolis office.

C. Install certificate services on the Omaha office.

D. Share certificate services with the Des Moines office.

 


6. Which two technologies should you implement to provide additional security for portable computers? (Choose 2)

A. Distributed file system (DFS)

B. Encrypted file system (EFS)

C. Digital certificates.

D. IPSec

E. Kerberos authentication


7. How should you configure OWA1 and TIME1 to allow secure access for remote employees? (Choose all that apply)

 A. Place TIME1 in a DMZ.

B. Place OWA1 in a DMZ.

C. Place TIME1 on the internal network.

D. Place OWA1 on the internal network.

E. Enable all connections from the external network.

F. Allow only TCP port 80 connections from the external network.

G. Allow only TCP port 443 connections from the external network.


 

8. Which type of CA should you implement at headquarters?

A. An online enterprise root CA with an online enterprise subordinate CA.

B. An offline enterprise root CA with an online enterprise subordinate CA.

C. An offline enterprise root CA with an offline enterprise subordinate CA.

D. An online enterprise root CA with an offline enterprise subordinate CA.

 


9. Which permissions should you grant for the TIPS folder?

A. IT department: Full Control; Sales department: Full Control; Authenticated users: Modify

B. IT department: Full Control; Sales department: Full Control; Everyone: Read

C. IT department: Full Control; Sales department: Read; Authenticated users: Read

D. IT department: Full Control; Sales department: Full Control; Everyone: Modify


 


10. Which type of CA should you implement for the Copenhagen office after it is connected to the WAN?

A. Enterprise subordinate CA.

B. Enterprise root CA.

C. Stand-alone subordinate CA.

D. Stand-alone root CA.

 


 


Case Study 5:

Hiabuv Toys 


Organization:

Headquarters:

Hiabuv Toys headquarters are located in Minneapolis, Minnesota. Headquarters includes the sales and marketing, IT, legal, accounting, Human Resources, and executive departments. It employs 4,500 people, with a growth rate of 20 percent.

Retail Stores:

There are 350 retail stores located nationwide. Each store employs 50 – 100 people. Over 50 new stores will be opened each year.

Service Centers:

There are 15 service centers nationwide, which employ 100 technicians and five managers.

• Existing IT Environment:


• WAN Connectivity:

• All stores and service centers are connected to headquarters by 128-Kbps lines. This connection is backed by a 56-Kbps dial-up connection.

• LAN Connectivity:

• All headquarters buildings are connected by T1 lines.

• Computers:


• There are 4,500 Windows NT Workstation computers, and 150 Windows NT Server computers located at headquarters. The Servers are used as application servers and file servers. One server named SALES1 is used as a backup domain controller. It runs Internet Information Services (IIS), and is in the SALES domain. Only domain controllers and applications have shared resources.

• Human Resources has a server named HR1. All connections to this server must be encrypted.

• Each store has 30 Windows 2000 Professional computers and two Windows NT Server computers. One is a primary domain controller for the local domain, and the other is a backup domain controller.

• Each service center has 30 Windows 2000 Professional computers and one Windows NT Server, which is a backup domain controller.

• Network:


• The company’s Internet domain is named hiabuvtoys.com. On the internal network, the private IP address is 172.16.0.0. All computers use TCP/IP. At headquarters, the Windows NT Servers use static addresses and the Windows NT Workstations use DHCP.

• Static addresses are used for all retail stores, and service center computers.

• Envisioned IT Environment:


• WAN Connectivity:

• The WAN bandwidth will remain the same. The proposed overseas retail store will have a LAN with a 64-Kbps connection to headquarters.

• LAN Connectivity:

• The LAN bandwidth will remain the same.

• Computers:


• The company will upgrade to a Windows 2000 network with one Active Directory tree and two domains sharing the same namespace. Hiabuv Toys wants to design a directory service that allows for some autonomy, and wants to ensure that business units can be added, removed, or changed without undue overhead. The SALES1 server will not be upgraded. It will be replaced with a Windows 2000 Server after all other computers are upgraded to Windows 2000. After this server is replaced, the network will run in native mode. The legal department will have its own Windows 2000 Server named LEGAL1. The department will implement a secure private network between LEGAL1 and HR1.

• Network:

• The physical network will not change. The company wants to create one account domain for headquarters, and one account domain for its retail stores. The overseas retail store will have a help desk employee located on-site to perform end-user application support and to resolve hardware issues.

• Security:

• Authorized remote users should be able to access shared resources at headquarters through secure tunneling. Confidential documents should be sent internally in a secure manner. Hiabuv needs to accept transmission of confidential information from manufacturers in a fast, easy, and reliable manner. No training should be required. The company wants to implement a Public Key Infrastructure (PKI).

• Network Roles and Usage:


• Information Technology:

• The IT department administers user and computer accounts for the company. Strong passwords are not implemented. Users at headquarters have access to e-mail and the Internet. The IT department is divided into three groups: the WAN group, the LAN group, and the Internet group. The LAN group manages user accounts, oversees the LAN, the Windows 2000 Servers and domains and the retail store servers. The WAN group oversees the WAN. The Internet group oversees Internet security and connectivity. Each group has a different manager. Communication and agreement among the groups is poor. The Internet group wants autonomy within the Active Directory.

• Sales and Marketing:


• The sales and marketing department uses the network to exchange e-mail and download information from manufacturer and competitor Web sites. It works with more than 1,000 manufacturers. The department needs to receive information from new manufacturers and to verify their authenticity securely. The sales and marketing department needs to access the retail stores for sales history information. They require color printing, and depend on portable computers to access information regardless of their location.

• Legal:

• The legal department needs to copy confidential documents to shared folders for the Human Resources department, the executive department, and the company’s law firm.

• Retail Stores:

• The cash registers run Windows NT Workstation. Cash registers boot with a generic logon for cashier access. The cash registers do not contain any data. Store managers have Windows 2000 Professional desktop computers, with e-mail and unlimited Internet access. Each store also has five secured Windows NT Workstation computers for employees to browse pre-approved Internet Web sites. Each store has three public kiosks. Customers can use kiosks to register for gifts or place orders. The kiosks automatically boot with and authenticate to a secured generic account.

• Service Centers:

• Each center uses unique logon names for access to the network. Each center technician has access to e-mail and the Internet.

 

1. Which security requirement will affect the design of the Windows 2000 forest?

A. Implementation of Kerberos authentication

B. Secure transactions at Store Registers

C. Organization of user accounts

D. Secure communication between Legal and HR.

 


 

2. Which server or servers provide the least security for user access?

A. Retail store servers

B. Service center servers

C. SALES1

D. HR1

E. LEGAL1

 


 

3. How should you secure the new servers at the Casablanca store?

A. Install the servers into a new OU and implement Group Policies at the Site level

B. Install the servers into a new OU and implement Group Policies at the OU level

C. Install the servers into their own Active Directory tree and implement Group Policies at the Domain level

D. Install the servers into the same Active Directory tree as stores and modify the schema

 


4. Which strategy should you use to accommodate the new Casablanca store?

A. Add the Help Desk employee to the Domain Admins group.

B. Add the Help Desk employee to the Enterprise Admins group.

C. Delegate authority to the Help Desk employee to manage the PC.

D. Delegate authority to the Help Desk employee to modify accounts and groups.


 

5. Which security method should you implement to provide data security between LEGAL1 and HR1?

A. Group Policies for shared folders

B. IPSec with ESP (encrypts data)

C. IPSec with AH (encrypts header information but not data)

D. EFS

 


 

6. Which security solution should you implement to allow the service centers to communicate with manufacturers?

A. DFS with Crypto API

B. IPSec

C. Secure DNS

D. Secure Email

 


7. How should you design the Windows 2000 domain and OU structure for HIABUVTOYS?

A. 2 account domains. Migrate all resource domains into OUs under the HQ domain.

B. 2 account domains. Migrate all resource domains into OUs under the store domain.

C. 2 account domains. Migrate the existing stores domain into OUs under the store domain.

D. 2 account domains. Migrate the existing stores domain into OUs under the HQ domain.


Hiabuv – Question 8 – Before:


Case Study 6:

Fabrikam, Inc. 


• Background:

• Fabrikam, Inc., is a manufacturer of beverage and food products. The company employs more than 20,000 people worldwide, with more than 10,000 employees located outside the United States. The headquarters are located in Santa Fe, New Mexico. The company is divided into three groups: Corporate, Engineering, and Operations.

• Organization: 

• Corporate:

• Most of the Corporate group is located at headquarters. The Corporate group includes the human resources, legal, executive, accounting, and sales and marketing departments. The Corporate group has its own IT employees.

• Engineering:

• The Engineering group is responsible for designing and building the operations facilities for Fabrikam, Inc. The Engineering group also designs and installs the network in new facilities. After the facilities are constructed and tested, they are turned over to the Operations group for ongoing management.

• The Engineering group is located in Santa Fe in a building on the headquarters campus, but it is run in a highly autonomous manner. In particular, this group has its own IT employees who manage its network. The Engineering group does not want IT employees from the Corporate group to manage its computer resources or accounts.

• Operations:

• The Operations group is responsible for maintaining the operations facilities. Although the executives in the Operations group are located at headquarters, most of the employees in this group work at the operations facilities. The Operations group has its own IT employees who manage the network for the operations facilities.

• Problem Statement:

• Chief Technology Officer (CTO):

• We have done a good job providing the basic tools people need to communicate with one another and to manage their own work; however, we have not been as vigilant as we should have been about securing confidential information. The recipes for some of our products are trade secrets with a value that is impossible to measure. In addition, our competitors eagerly seek our plans for creating new products and opening new markets.

• We need to improve our overall data security and enhance the privacy of our corporate communications. I have been pushing for tighter security for about a year, ever since what we refer to as the incident. One of our competitors somehow accessed our network and viewed our plans for launching a new product. We didn't learn about this until months later. We thought it was a coincidence when they launched a similar product just before we did, but our worst fears were later confirmed when we received reliable information that they had accessed our plans.

• Chief Information Officer (CIO):

• Although I agree with our CTO's position on enhancing security, the situation is not that simple. With thousands of people worldwide and dozens of operational IT systems in place, it will be a challenge to evolve our existing IT infrastructure.

• We have run most of our networks on Windows NT for many years. We now run Windows NT 4.0, and we are vigilant about applying service packs and keeping systems up-to-date. After a joint evaluation involving employees from the Corporate group, the Engineering group, and the Operations group, we have decided to deploy Windows 2000 over the next one and a half years. We have already begun aggressively upgrading the network at headquarters, and we are nearly complete with that work. The primary goal of our migration to Windows 2000 is to replace our multi-master domain model with a new model based on Active Directory. We want to be able to delegate authority at the organizational unit (OU) level.

• Members from each group have formed an enterprise architecture committee to resolve issues that affect all groups. Members from this committee will be assigned to the Enterprise Admins group.

• Vice President of Operations:

• The security initiative is somewhat overblown. A sales employee leaves some plans in a bar on a napkin, and now all my employees have to learn new procedures. We'll go along with corporate directives, but we haven't seen a need for dramatically new approaches. I think this whole thing is politically motivated. I don't intend to fight it directly, but I don't want to add any unnecessary workload for my employees. We have enough work to do already.

• Vice President of Engineering:

• Engineers have always taken network security seriously. We have been telling employees at headquarters that too much information has been vulnerable. Finally, someone is listening.

• IT Security Director:

• Some of the newer security technologies in Windows 2000 seem like a natural fit, while others might cause problems of a political nature. The Engineering group is interested in using everything from smart cards to data encryption on their portable computers. Because they have already upgraded to Windows 2000 Professional, this will help them incorporate new technologies.

• The Operations group thinks that everything is fine the way it is today. Ironically, the facilities that are run by the Operations group might be the most susceptible. The information on their file servers is as confidential as the information at headquarters, but the Operations group does not effectively limit physical access to their facilities and network. It is too easy for someone to walk into one of the facilities with a portable computer and log on to the network. I intend to ensure that the Operations group complies with this security initiative.

• Existing IT Environment:

• Domain Structure:

• Fabrikam, Inc. uses a Windows NT 4.0 multi-master domain model. Each of the three primary groups has its own master domain that contains the user accounts for its employees. The domains are CORP, ENGR, and OPER. Resource domains are added as needed for each major geographic location. These domains establish a one-way trust to master domains only when necessary.

• A resource domain named ENGRFLD includes all temporary resources located at construction sites worldwide, typically connected over demand-dial lines. ENGRFLD also includes numerous centrally managed remote access servers. These servers support individual engineers who travel to existing sites for repairs, improvements, and other modifications. Routing and Remote Access is used for dial-up access only.

• Resource domains for the Operations group have one-way trust relationships with all three master domains to enable visiting employees to access local resources with their single user accounts.

• WAN:

• All computers use TCP/IP exclusively. Remote locations are connected to headquarters in a variety of ways, depending on size and bandwidth requirements. Large sites have private high-speed leased-line connections; smaller sites have slower connections.

 

1. What is Fabrikam, Inc.'s business model?

A. Centralized management and decentralized operations

B. Centralized management and centralized operations

C. Decentralized management and decentralized operations

D. Decentralized management and centralized operations

 


 

2. What is the Engineering group's tolerance for risk?

A. The Engineering group is willing to try new approaches only after careful testing

B. The Engineering group is very conservative and does not take any risks

C. The Engineering group is willing to try some new approaches

D. The Engineering group is comfortable with a high level of risk

 


3. What is Fabrikam, Inc.'s IT model for management and operations?

A. Centralized management and decentralized operations

B. Decentralized management and centralized operations

C. Centralized management and centralized operations

D. Decentralized management and decentralized operations


4. Which two security risks facing the Operations group can you reduce or eliminate by using smart cards? (Choose two)

A. Remote hackers connected via modem

B. Remote hackers connected via the Internet

C. Denial of service attack launched from the Internet

D. Employees connected via the LAN

E. Unauthorized visitors physically entering a facility and connecting via the LAN


5. Which Windows 2000 domain structure should you use for Fabrikam, Inc.?

A. Create a single domain for the entire company. Replace existing resource domains with organizational units (OUs)

B. Create three domains: one domain for Corporate, one domain for Engineering, and one domain for Operations. Create each domain in its own forest. Replace existing resource domains with organizational units (OUs)

C. Create three domain trees: one domain tree for Corporate, one domain tree for Engineering, and one domain tree for Operations. Create the trees in the same forest. Replace existing resource domains with organizational units (OUs)

D. Create three domain trees: one domain tree for Corporate, one domain tree for Engineering, and one domain tree for Operations. Create these trees in the same forest. Replace existing resource domains with new domains


6. Which four technologies should you include in the security strategy for the Engineering group? (Choose four)

A. Basic authentication with SSL

B. Kerberos authentication

C. EAP

D. Internet Authentication Service (IAS)

E. L2TP over IPSec

F. Directory Service (DS) mapping

G. Certificate Services


 

7. Which technology or technologies should you include in your security strategy for the Operations group? (Choose all that apply)

A. Basic authentication with SSL

B. Encrypting File System (EFS)

C. Internet Authentication Service (IAS)

D. L2TP over IPSec

E. Kerberos authentication

 


8. What should you include in an audit policy for the CORP domain?

A. Failure audit for account logon events; failure audit for directory service access; success and failure audit for policy change; success and failure audit for account management

B. Failure audit for object access; failure audit for account logon events; failure audit for directory service access; success and failure audit for policy change

C. Success and failure audit for object access; success and failure audit for policy change; success and failure audit for account logon events; success and failure audit for account management

D. Success and failure audit for object access; success and failure audit for policy change; success and failure audit for account logon events; success and failure audit for directory service access


 

9. Which administrative task or tasks should you complete to maintain the network at the operations facilities? (Choose all that apply)

A. Group Policy administration

B. Digital certificate administration

C. User account administration

D. Remote access administration

E. Web content administration

 


 

10. Which two technologies should engineers use for secure dial-up access when traveling? (Choose two)

A. SSL

B. Kerberos authentication

C. Smart cards

D. Encrypting File System (EFS)

E. PPTP

 


 

11. Which technology should you use for engineers working at existing operations facilities?

A. Kerberos authentication

B. Digital certificates

C. Basic authentication with SSL

D. Routing and Remote Access

E. Internet Authentication Service (IAS)

 


12. Which three policies should you include in a security strategy for the CORP domain? (Choose three)

A. Enable account lockout

B. Disable password aging

C. Prevent the installation of unsigned drivers

D. Disable account lockout

E. Enforce strong passwords and password aging

F. Allow CD-ROM access to all users

G. Limit CD-ROM access to users who are logged on locally


13. How should you prevent unauthorized users from accessing the Engineering group's file servers?

A. Enforce strong passwords, implement password aging, disable unneeded services, audit file access in folders containing confidential files, and set NTFS permissions

B. Block access to TCP and UDP ports 135-139 at the server, enforce strong passwords, implement password aging, and use Encrypting File System (EFS) to control access to folders containing confidential files

C. Block access to TCP and UDP ports 135-139 at the server, and audit failed logon attempts

D. Enforce strong passwords, block access to TCP and UDP ports 135-139 at the perimeter router, and disable unneeded services


 


Case Study 7:

Litware, Inc.


• Customer Service Representative:

• Each office has its own customer service employees. Studios call us when they are having problems with their equipment. Studios also call us to order supplies. We keep records of each call. If a studio or customer calls to report a problem with our Web site, we will either try to make changes to the photo folders to resolve it or notify the Webmaster.

• IT Director:

• The Web site will be hosted at headquarters. We will use Windows 2000 and Internet Information Services (IIS) on the servers. When a customer visits the Web site to view photos, programs developed in Microsoft Visual Basic will be loaded on their computers. These programs will format the pictures for viewing on the customer's computer. The programs will be stored in a folder named Program on the Web server.

• I will hire five Web developers to develop the Web site and a Webmaster to administer the Web site. The Webmaster will have total control of the Web servers. Each studio will have its own folder on the Web server. Each studio's folder will contain a folder for the studio's purchase history and a customer folder for each of the studio's customers. The customer folder will contain confidential information that should not be available to the customer. The photos will be placed in a separate photo folder inside the customer folder. Each customer will have only one folder for photos. An office manager at each studio will be responsible for creating customer folders and placing photos in the folders. We will also train office managers to add customers to the Active Directory tree for their studio.

• Problem Statement:

• IT Director:

• I'm not sure how to secure files from customers that don't have IDs and passwords. To make it easier for customers to order from the Web site, we should allow studios to give each customer a plastic card with the customer's ID and password printed on it.

• Customer Service Representative:

• When a studio calls with a problem, we have to look through paper files to find out if the studio is under warranty or uses a maintenance contract. If the studio calls to order supplies, we have to look through paper files to find the studio's credit terms.

• Sales Representative:

• Currently, customer information is stored in several places. Customer service representatives sometimes take an order when the studio is on the phone and then do not inform the sales representatives about the order. We have to look through the paper files to find any history of problems or purchases.

• Photography Studio:

• I want to ensure that no one can change the photos on the Web site. When customers place an order, I want to ensure that their credit cards will be secure and that their information will not be accessed by one of my competitors.

• Requirements:

• President:

• We need a Web site that will allow our studios to display their customers' photos. The customers should be able to securely access their photos, and order prints. The customers should also be able to specify whether they want to pick up their pictures at the studio or have the pictures mailed to them. The Web site should be able to handle 5,000 active customer accounts. I also need to see how many orders are placed on our Web site.

• IT Director:

• The new Web site will have two servers. The first server, named LITWWEB, will be the Web server that will display all of the photos. All hard disks on the Web server will be formatted with NTFS. All offices will use the same Web server. The second server, named LITWDATA, will contain customer information, such as name, address, and order history. In addition, we will have a proxy server named LITWPROX and a domain controller named LITWDC.

• Web developers should be limited to a development environment; they should not have any access to the Web server. Only the Webmaster should be able to move new programs to LITWWEB. Studios should be able to post pictures to the Web site over the Internet. Studios should also be able to maintain their own customer accounts. The company will have a single domain named LITWARE. Each studio and customer will have a user account in this domain. Each studio will be an organizational unit (OU).

• Photography Studio:

• We need an easy way to load our photos onto the Web site and set up the customer data, including IDs and passwords. We want the customer photos to be displayed on the Web for only 30 days. We will disable the customer account and remove the photos after 30 days.

• Customer:

• I want to be sure that my credit card information is not made available to anyone other than the studio and the film-processing laboratory.

• Web Developer:

• If changes to the Web software are requested, we need to be able to upgrade the Web server.

• Customer Service Representative:

• We need access to customer information to resolve questions.

• Sales Representative:

• We need access to the customer order history so that we can see what customers have bought and whether they have had any problems with our equipment and service.

• Webmaster:

• My main goal is a secure and stable Web site. I need to move programs from a test computer to the Web server and to upgrade the Web software as needed. I will also be responsible for identifying and fixing problems in each studio's folder on the Web site.

• Conclusion:

• The new Web site should enable customers to securely view and order photos. It should allow photography studios to load photos only to their folders. Customer information should be available for reports, support, and marketing. The Web site should be stable.

1. What is the primary security requirement for the studios?

A. Ensure that photos on the Web site cannot be altered.

B. Ensure that customers can access only their own photos on the Web site.

C. Ensure that customers' credit card numbers are secure.

D. Prevent customers' computers from being infected with a virus when they view their photos on the Web site.

 

2. Network configurations are shown in the exhibit (Click the Exhibit button). Which network configuration provides the most security for LitWare, Inc?

A. Figure A

B. Figure B

C. Figure C

D. Figure D

 


3. To which type of group should you assign all Web developers?

A. Global

B. Local

C. Domain local

D. Universal

 


4. How should you ensure that each customer's account is disabled after 30 days?

A. Manually disable each customer's user account after 30 days

B. Add a Group Policy to the Litware organizational unit (OU) that specifies the expiration rules for each customer's user account

C. Add a Group Policy to each studio's organizational unit (OU) that specifies the expiration rules for each customer's user account

D. Set an expiration date on each customer's user account


5. Which task should you delegate to the office managers?

A. Modify the membership of a group

B. Manage Group Policy links

C. Create, delete, and manage customer accounts.

D. Create, delete, and manage groups.

 


6. Which type of CA should you use to digitally sign the Microsoft Visual Basic programs?

A. Third-party CA

B. Enterprise root CA

C. Stand-alone root CA

D. Enterprise subordinate CA

 


7. Which two authentication methods should you use to allow customers access to their photos on the Web site? (Choose two)

A. Basic authentication with SSL

B. Anonymous access

C. Integrated Windows authentication

D. Digest authentication with SSL

E. Digest authentication without SSL

F. Basic authentication without SSL


9. How should you allow studios to create their own customer accounts?

A. Delegate authority to the office manager in each studio's organizational unit (OU)

B. Delegate authority to the administrator in the LitWare organizational unit (OU)

C. Add a new organizational unit (OU) under each studio, add an Administrator account in the new OU, and assign administrator rights to the new Administrator account by using Group Policy

D. Add a new organizational unit (OU) for each studio under the LitWare OU, add an Administrator account in the new OU, and assign administrator rights to the new Administrator account by using Group Policy


10. Which authentication method or methods can you use to allow studios to securely post pictures to LITWWEB? (Choose all that apply)

A. Digest authentication without SSL

B. Anonymous access

C. Integrated Windows authentication

D. Basic authentication without SSL

E. Digest authentication with SSL

F. Basic authentication with SSL


11. How should you allow programming changes to the Web site?

A. Grant the Webmaster Full Control permission.

B. Grant the Webmaster Read and Write permission only.

C. Grant the Web developers Full Control permission.

D. Grant the Web developers Read and Write permission only.


12. Which audit policy should you use on LITWWEB to detect unauthorized access to the credit card files?

A. Failure audit for logon events

B. Success audit for logon events

C. Success and failure audit for process tracking

D. Success and failure audit for object access


13. How should you secure the customer photos on LITWWEB?

A. Grant customers Read permission to their own photo folder

B. Digitally sign each customer's photo folder, and give the private key to the customer

C. Apply Encrypting File System (EFS) to each customer's photo folder, and give the private key to the customer

D. Grant customers Read permission to each photo in their own photo folder


Case Study 8:

Hanson Brothers

• Hanson Brothers 

• Background:

• Hanson Brothers is a medical supply company. The headquarters are located in Chicago, Illinois. There are more than 1,000 employees at the headquarters location. Hanson Brothers sells and distributes medical supplies to large hospitals in 23 states.

• The company has distribution centers in Boston, Massachusetts; Dallas, Texas; Miami, Florida; Minneapolis, Minnesota; New Orleans, Louisiana; Tampa, Florida; Seattle, Washington; and St Louis, Missouri.

• Business Process:

• Sales Representatives:

• More than 200 of the company's employees are sales representatives. Sales representatives visit their existing customers at least once per week. During the visit, the sales representative receives a weekly supply order from the purchasing manager at the hospital. The sales representative then goes to the hospital warehouse, where the supplies are located. The sales representative checks each supply at the warehouse and fills out a paper order form for the supplies that need to be replenished. The sales representative then faxes the order form to the nearest distribution center.

• Distribution Centers:

• After receiving a faxed order from the sales representative, a clerk at the distribution center enters the order into the mainframe computer. The order is then filled and delivered to the hospital. The entire process from the time the sales representative visits the hospital until the supplies are delivered takes approximately three days.

• Employees from each distribution center deliver supplies only within their region. Each distribution center has sales representatives who also check and order supplies within the same region. Sales representatives do not work for multiple distribution centers.

• Customer Service:

• Sales representatives must call the customer service department at the distribution center to request the status of an order. Sales representatives also call to request the availability of an item. Sales representatives use toll-free numbers to place phone calls and send faxes to Hanson Brothers. Eight customer service employees answer order status and availability questions.

• Existing IT Environment:

• Computers:

• Hanson Brothers has one mainframe computer, which is located at headquarters. There are 250 computer terminals at headquarters connected to the mainframe computer. There are 10 computer terminals at each distribution center.

• WAN Connectivity:

• A T1 line connects the computer terminals at the distribution centers to the mainframe computer.

• Envisioned IT Environment:

• Computers:

• The mainframe computer at headquarters will be replaced with Windows 2000 Server computers, which will function as domain controllers. Headquarters will also set up a VPN server.

• All sales representatives will use their own portable computers, and they will be able to load personal programs onto their computers. The portable computers will run Windows 2000 Professional. The portable computers will contain a program named Salesforce, which will be used to order supplies. The portable computers will also contain customer information. This information must be encrypted and recoverable. A Sales Representative group will be created for resource access.

• The IT manager must be aware of attempted unauthorized access to the new network.

• Distribution Centers:

• All computer terminals at the distribution centers will be replaced with desktop computers running Windows 2000 Professional. Each distribution center will have a domain controller that runs Routing and Remote Access. Each distribution center will be its own organizational unit (OU). Each distribution center will have an IT administrator. This administrator will be able to add new users, add users to existing groups, modify existing group membership, and create computer accounts.

• Each distribution center will have a folder for each hospital. Each hospital's folder will have two subfolders. One subfolder will contain the order status for the hospital, and the other subfolder will contain sales information. The sales information is confidential and will be used only by that hospital's sales representative. The sales representatives can add, delete, and change their hospital folders.

• Customer Service:

• Customer service should have the ability to read and modify orders for all hospitals.

• Hospitals:

• Hospitals should be able to view only their own order status. They will be connected to headquarters by using Routing and Remote Access. Hanson Brothers will supply each hospital with a computer. The hospital will supply the phone line. Each hospital will have a user account.

• Problem Statement:

• Marketing Manager:

• Sales representatives are spending too much time servicing existing accounts. The sales representatives need a way to place orders quickly, which allows them to increase their number of accounts. The portable computers will allow sales representatives to visit each stockroom in the hospital instead of visiting a warehouse. The sales representatives will use Salesforce to enter the quantities of supplies in each location, and the program will report whether the supply should be ordered. If a supply is needed, an order will be created automatically. After all stockrooms have been checked, the sales representative will connect his or her computer to a phone line in the hospital, connect to the distribution center, and upload the batch of orders. The fulfillment process will not change.

• When hospitals call their sales representative to request an order status, it can take up to one day for the sales representative to return the call. The sales representatives should be able to connect to the distribution center at any time to view the status of an order.

• Sales representatives should also be able to connect to headquarters either by dialing directly to the remote access server or by dialing a local ISP and connecting through a VPN. Only sales representatives should be able to place an order. A verification process must be in place. Sales representatives should not be able to view other sales representatives' information.

• IT Manager:

• Phone costs are increasing dramatically. An average of 200 faxes are received per day. Fax transmissions can last up to five minutes each. Hanson Brothers receives an average of 300 phone calls per day requesting order status and item availability.

• We will add a new distribution center in Pittsburgh, Pennsylvania. The new distribution center will have good Internet connectivity. Because of the high cost of a T1 line, this distribution center will be connected to headquarters through a VPN.

• The Salesforce program is updated regularly with a disk containing software patches. A copy of the patch is sent on a floppy disk to each center. One person at each distribution center makes a copy of the disk for each of the sales representatives at that distribution center. The copy is distributed to the sales representatives at a monthly sales meeting. We have to make sure that the sales representative receives an unaltered copy of the patch. We have had some problems in the past with employees displaying inappropriate wallpaper on their computers. We need to restrict employees from changing the wallpaper on their computers.

1. What are the existing and envisioned IT administrative models for Hanson Brothers?

A. Existing centralized, Envisioned centralized

B. Existing centralized, Envisioned decentralized

C. Existing decentralized, Envisioned centralized

D. Existing decentralized, Envisioned decentralized


2. How should hospitals connect to headquarters to view the status of their orders?

A. Use the VPN with Windows 2000 logon authentication

B. Use Routing and Remote Access with Windows 2000 logon authentication

C. Use the VPN with Remote Authentication Dial-In User Service (RADIUS) authentication.

D. Use Routing and Remote Access with Remote Authentication Dial-In User Service (RADIUS) authentication


3. To which type of group should you assign sales representatives?

A. Universal

B. Local

C. Global

D. Domain local


5. How should you grant the necessary permissions to the IT administrator at each distribution center?

A. Create a new administrator account for each distribution center's organizational unit (OU). Grant the necessary permissions to this account.

B. Create an administrator group for each distribution center's organizational unit (OU). Add an existing user designated as an administrator to this account. Grant the necessary permissions to this group.

C. Create a new administrator account for each distribution center's organizational unit (OU) in the headquarters root. Grant the necessary permissions to each new administrator's account.

D. Create an administrator group for each organizational unit (OU) at the headquarters root. Add an existing user designated as an administrator from each OU to this group. Grant the necessary permissions to this group.


6. How should you encrypt orders from the sales representatives to the distribution centers?

A. Use 40-bit encryption for Routing and Remote Access. Use PPTP with packet filtering for VPN

B. Use 40-bit encryption for Routing and Remote Access. Use PPTP without packet filtering for VPN.

C. Use 128-bit encryption for Routing and Remote Access. Use PPTP with packet filtering for VPN

D. Use 128-bit encryption for Routing and Remote Access. Use PPTP without packet filtering for VPN


7. Which four actions should you take to meet the security requirements for the Windows 2000 upgrade? (Choose four)

A. Ensure that only the sales representatives can create new orders.

B. Verify that only the Salesforce program can be loaded onto the portable computers.

C. Encrypt data transmitted to the distribution centers.

D. Verify that only unaltered versions of the Salesforce program are loaded onto the portable computers.

E. Restrict access to order status information to authorized Hanson Brothers employees and authorized hospitals.

F. Prevent distribution centers from using VPN to access information at other distribution centers.

G. Secure data on the portable computers.


9. How should you implement auditing on the Windows 2000 Server computers?

A. Enable success audit for logon events on the VPN server

B. Enable failure audit for logon events on the VPN server

C. Enable success audit for logon events on the domain controllers

D. Enable failure audit for logon events on the domain controllers


10. Which Group Policy strategy should you use to prevent changes to the wallpaper on all computers?

A. Create a Group Policy for each distribution center, and apply the Group Policy at the headquarters domain

B. Create a Group Policy for each distribution center, and apply the Group Policy at each distribution center's organizational unit (OU)

C. Create one Group Policy for all distribution centers, and apply the Group Policy at the headquarters domain.

D. Create one Group Policy for all distribution centers, and apply the Group Policy at each distribution center's organizational unit (OU)


11. How should you restrict hospital dial-up connections to only authorized hospitals?

A. Configure Routing and Remote Access on the remote access server to use callback. Configure callback to dial a phone number specified by the hospital computer during the connection request.

B. Configure Routing and Remote Access on the remote access server to use callback. Configure callback to dial a predefined phone number at the hospital.

C. Set up a proxy server (NAT) on the private side of the remote access server. Configure the proxy server to accept the IP addresses of the hospital computers.

D. Set up a proxy server (NAT) on the public side of the remote access server. Configure the proxy server to accept the IP addresses of the hospital computers.


14. How should you restrict hospitals' access to the order status information?

A. Set permissions on each hospital's order file to grant all hospitals Read permission to all order files

B. Set permissions on each hospital's order file to grant that hospital Read permission to its own order file

C. Enable Encrypting File System (EFS) on the order status folder, and give a single copy of the recovery key to all hospitals

D. Enable Encrypting File System (EFS) on the order status folder, and give a copy of the unique recovery key to each hospital


15. How should you configure secure communications between the Pittsburgh distribution center and headquarters?

A. Enable L2TP and configure an enterprise subordinate CA on the private Hanson Brothers network.

B. Enable L2TP and configure an enterprise root CA on the private Hanson Brothers network.

C. Enable L2TP and configure an enterprise root CA on the public network.

D. Enable L2TP and configure an enterprise subordinate CA on the public network.

16. How should you implement IP filters at headquarters to secure the connection to the Pittsburgh distribution center?

A. Add source filters for the Pittsburgh distribution center for UDP port 500 and IP protocol 50. Add destination filters for headquarters for UDP port 500 and IP protocol 50.

B. Add source filters for the Pittsburgh distribution center for UDP port 1701 and IP protocol 50. Add destination filters for headquarters for UDP port 1701 and IP protocol 50.

C. Add source filters for headquarters for UDP port 500 and IP protocol 50. Add destination filters for the Pittsburgh distribution center for UDP port 500 and IP protocol 50.

D. Add source filters for headquarters for UDP port 1701 and IP protocol 50. Add destination filters for the Pittsburgh distribution center for UDP port 1701 and IP protocol 50.

Case Study 9:

Contoso Ltd. 

• Contoso Ltd.

• Background:

• Contoso Ltd. is a wholly owned subsidiary of Adatum Corporation, a large financial services company primarily dealing in life insurance. Contoso Ltd. is creating a web site that will allow insurance brokers to configure an insurance policy, receive a quotation for that policy and purchase the policy. When orders are placed, the actual creation and delivery of the policy will be handled by a third-party fulfillment company.

• The web site is designed to serve independent insurance brokers who are not employed by Contoso or Adatum. Although there is a public section with content describing Contoso Ltd. and its products in general terms, most of the web site is restricted to use only by brokers and policyholders. Brokers must register with Contoso before they can use the web site.

• Some of the policies that are sold by Contoso allow policyholders to allocate the value of the policy into various investment options. A policyholder can view the current allocation and make changes online in accordance with well-defined rules. Policyholders cannot buy new policies or terminate existing policies without the aid of a broker. They can change the allocation of funds in existing policies every three months.

• Problem:

• Vice President of Sales (Adatum Corp.):

• Although our company has been successful with traditional approaches to the financial market, we are beginning to lose some of our customers, especially in the area of web based service offerings. The new web site and its complement of web-based products will help us to maintain our existing customers and attract new customers. The brokers I have spoken with do not want many extra features, but they are concerned about other brokers accessing their information. In addition, they do not want to hire a computer expert just to be able to use this site.

• The financial industry has shown leadership in adopting new technologies and these brokers are willing to embrace this new approach. They will not insist on personal assistance if we provide them with online resources to guide them. Depending on the success of this project we might attempt more projects like this one or we might sell the entire company.

• Chief Information Officer (Contoso Ltd.):

• Although the web site is viewed as distinctly separate from Adatum Corp., we still must report results to them at frequent intervals, especially during the first year. We also must allow Adatum to check the status of this site any time. In addition, the Vice President of Sales, the IS Director and myself are required to keep up to date with developments at Adatum. We have user accounts on Adatum's network for this purpose.

• IS Director (Contoso Ltd.):

• We have been given a mandate to develop and implement a web site that will act as a virtual insurance company. The development work is already in progress. We have chosen Windows 2000 as our platform and we are developing a multi-tier Windows DNA insurance application.

• In addition to the insurance application, the web site will also include content describing the company and its products. We need to create this site and a network environment to run it on with only six servers. Our primary focus now is to ensure that the site is secure and to effectively audit who is using the site. We have three distinct categories of users: brokers, policyholders and employees from both Contoso and Adatum. There are further subdivisions within these categories.

• Lead Developer (Contoso Ltd.):

• In the past, when we needed to control access to web sites, we usually just stored user-ids and passwords in a MS SQL Server database. Although this was easy to implement, we have always recognized shortcomings with this approach. We want to take advantage of the Public Key Infrastructure (PKI) security features in Windows 2000 to provide increased security.

• Logistics Manager (Contoso Ltd.):

• During an initial enrolment period we will be actively signing up new brokers to use this site. Based on our research there might be up to 5000 brokers during this period. After the enrolment period we expect a relatively small number of brokers to join or leave on a daily basis. We have only one or two people that will manage memberships, but we can hire temporary employees during the initial enrolment period. Certification registration and delivery will be handled off-line. Brokers must register for a certificate either in person or by telephone. After Contoso employees verify a broker's identity and create a client certificate, it will be delivered on floppy disk or CD through a secure courier service.

• Envisioned IT Environment:

• Servers:

• All servers for this site will exist within a single domain. Six servers will be used for the initial rollout for this site. CONTWEB1 will be used as the web server. This server runs Internet Information Services (IIS) and mid-tier COM components that will be designed specifically for the insurance application. CONTDATA will be used as the database server. This server will run MS SQL Server 7.0. CONTDC will be a domain controller and certificate server and it will run DNS, WINS and DHCP. CONTVPN, a multi-homed server, will be used to create a VPN to Adatum Corp. through the Internet. CONTWEB2 will be used as an intranet web server, as a file and print server for employees of Contoso and a domain controller. CONTFIRE will be used as a firewall server. It will run third-party firewall software.

• Local Client Computers:

• A primary objective of the project is to minimize the employees needed to support this virtual insurance company. It is estimated that there will be fewer than 20 people associated with this project and its site. This includes employees for office administration, creating the web content, designing new insurance products and sales and marketing. Fewer than 5 employees will use portable computers and might require remote access when they travel. The other employees will use desktop computers.

• Internet Client Computers:

• Brokers will connect to this site over the Internet. Because it is anticipated that they will generally have a limited technical background, any set-up process needed for this site must be easy to follow. The target audience for this site is a relatively static group of users who are expected to use the site regularly. Most of this site will not be available to the public. Therefore the site will be designed specifically for Internet Explorer 4.0 or later. The public section of this site will be designed for both Internet Explorer and Netscape browsers.

• Administration:

• A small group of people will handle the administration of this site, such as updating content and providing maintenance for the application. In general they will perform these tasks directly on the servers or from a locally connected desktop computer.

• LAN:

• A new LAN is being created to host the web site. All necessary services such as DNS will be provided by Windows 2000 Server computers on the LAN. Two Class C address spaces have been acquired. One will be used for publicly visible servers and the other one will be used for internal computers that should not be accessed from the Internet. Network address translation (NAT) will not be used. All desktop computers will run Windows 2000 Professional.

• WAN:

• Contoso Ltd. will host this site at its office, which is a separate company owned facility dedicated to the project. It will not be directly connected to Adatum Corp's WAN; instead a VPN connection through the Internet will be used. Adatum has already begun the process of upgrading to Windows 2000 at its headquarters.

• Internet Connectivity:

• Contoso has secured a domain name CONTOSO.COM to use for the site. A single T3 line has been leased to provide Internet connectivity.

1. What is CL's tolerance for risk?

A. CL is willing to try some new approaches.

B. CL is comfortable with a high level of risk.

C. CL is willing to risk the entire company for large rewards.

D. CL is willing to try only those approaches that they have successfully implemented before.

E. CL is very conservative and does not take any chances.

2. What is the primary security risk for the desktop computers at CL?

A. Another CL employee connected to a desktop computer via the LAN.

B. Denial-of-service attack launched from the internet targeting a desktop computer.

C. Remote hackers directly connected to a desktop computer via the internet.

D. Remote hackers directly connected to a desktop computer via modem.

4. How should you design the Active Directory structure for CL?

A. Create a single domain in its own forest. Do not establish trust relationships.

B. Create a single domain in its own forest. Establish a one-way trust relationship with Adatum.

C. Create one child domain. Place the child domain in the same forest as AD's domain tree.

D. Create one domain in its own domain tree. Place the domain tree within the same forest as AD's domain tree.

5. Which three options should you include in a security template for CONTWEB1? (Choose three)

A. Rename the administrator account.

B. Allow CD-ROM access to all users.

C. Limit CD-ROM access to users who are logged on locally.

D. Enforce strong passwords.

E. Set the NTLM authentication level to LM and NTLM.

F. Disable account lockout.

6. Which technology or technologies should you implement to provide the highest level of security for communications between employees of AD and CL?

A. Internet authentication services (IAS) and NTLM authentication.

B. PPTP

C. SSL, digital certificates, and directory services (DS) mapping.

D. Basic authentication with SSL.

E. L2TP over IPSec

7. How should you separate intranet resources from publicly visible internet servers?

A. Use a private IP address space. Configure both the internal DNS and the authoritative internet based DNS server to resolve both internal and external names.

B. Use corp.contoso.com as a suffix for all internal sites. Configure both the internal DNS and the authoritative internet based DNS server to resolve both internal and external names.

C. Use corp.contoso.com as a suffix for all internal sites. Configure the internal DNS to resolve internal names, but do not include these names in the authoritative internet based DNS server.

D. Use a private IP address space. Configure the authoritative internet based DNS server to resolve internal names, but do not include these names on the internal DNS server.

8. Which technology or technologies should you include in your security strategy to secure broker access to the web site?

A. Basic authentication with SSL.

B. SSL, digital certificates, and directory services (DS) mapping.

C. Internet authentication services (IAS) and an ODBC database.

D. L2TP over IPSec

9. How should you implement a Public Key Infrastructure (PKI) for CL?

A. Install an online enterprise root CA. Install an online enterprise subordinate CA. Import a self signed server certificate on the subordinate CA. Issue client certificates on the subordinate CA.

B. Install an offline stand alone root CA. Install an online stand alone subordinate CA. Issue client certificates on the root CA.

C. Install an online stand alone root CA. Import a server certificate from a third party CA to the root CA certificate trust list. Use client certificates from third party CA.

D. Install an offline enterprise root CA. Install an online enterprise subordinate CA. Issue client certificates on the subordinate CA.

10. What should you include in an audit policy for CONTDC? (Choose all that apply)

A. Success and failure audit for object access.

B. Success and failure audit for directory services access.

C. Success and failure audit for policy change.

D. Success and failure audit for account management.

E. Success and failure audit for account logon events.

Good Luck


The Kazemos Team

 
