You are a security administrator for Contoso, Ltd. The network consists of a single Active Directory domain named contoso.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are members of the domain.

The company has a main office and three branch offices. Each office is configured as an Active Directory site. Each site contains domain controllers. A domain user named Kim reports that she forgot her password. She works in one of the branch offices. A des op support technician in the main office resets Kim’s password, enables the User must change password at next logon option on Kim’s user account, and then tells Kim the new password. Kim attempts to log on by using her new password and reports that she cannot change the password at logon. You investigate the problem. Kim’s user account is not locked out, and it is not disabled. Permissions for the user account are shown in the exhibit. (Refer to the Exhibit.)

You need to ensure that Kim can log on and change her password. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows 2000 Professional.

You manage a Windows Server 2003 computer named Server1 that is a domain member server. You use IIS on Server1 to host an Internet Web site. Approximately 4,000 employees of your company connect over the lnternet to access company confidential data on Server1. You control access to data on Server1 by using NTFS file permissions assigned to groups. Different groups are assigned access to different files. Employees must have access only to files that they are assigned access to based on their membership in a group. You enable SSL on Server1 to protect confidential data while it is in transit. You issue each employee an Authenticated Session certificate and store a copy of that certificate with their user account in the Active Directory domain.

You need to ensure that Server1 authenticates users based on possession of their certificate. What should you do?

You are a security administrator for your company. The network consists of two Active Directory domains. These domains each belong to separate Active Directory forests. The domain named graphicdesigninstitute.com is used primarily to support company employees. The domain named fineartschool.net is used to support company customers. The functional level of all domains is Windows Server 2003 interim mode.

A one-way external trust relationship exists in which the graphicdesigninstitute.com domain trusts the fineartschool.net domain. A Windows Server 2003 computer named Server1 is a member of the fineartschool.net domain. Server1 provides customers access to a Microsoft SQL Server 2000 database. The user accounts used by customers reside in the local account database on Server1. All of the customer user accounts belong to a local computer group named Customers. SQL Server is configured to use Windows lntegrated authentication. Your company has additional SQL Server 2000 databases that reside on three Windows Server 2003 computers. These computers are member servers in the graphicdesigninstitute.com domain.

The company’s written security policy states that customer user accounts must reside on computers in the fineartschool.net domain. You need to plan a strategy for providing customers with access to the additional databases.

You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

You are a security administrator for your company. Your company uses an accounting and payroll application. Twenty payroll clerks use the application to input data from their client computers to a database running on a Microsoft SQL Server 2000 computer named Server1.

You need to prevent unauthorized interception of the data as it travels over the company network. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The company occasionally experiences downtime because of malicious lnternet worms that arrive as Microsoft Visual Basic Scripting Edition (VBS) files. You examine several client computers and discover that VBS files are downloaded by using Microsoft Outlook, instant messaging, or peer-to-peer file sharing programs.

You need to prevent users from running VBS files regardless of how they arrive on client computers. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. The network contains three member servers named Server1, Server2, and Server3.

The three member servers are connected to the Internet. You plan to implement remote access to the company network for users that work from home. You configure and enable Routing and Remote Access on Server1 and Server2. An assistant, who is an administrator on all member servers, configures and enables Routing and Remote Access on Server3. Users from the domain can successfully establish VPN connections from the lnternet to Server1 and Server2. However, users cannot establish a VPN connection to Server3. You discover that Server3 can only authenticate Internet VPN connections from local user accounts.

You need to ensure that users from the domain can successfully establish a VPN connection to Server3. What should you do?

You are the security administrator for your company. The network consists of two segments named Segment A and Segment B. The client computers on the network run Windows XP Professional. The servers run Windows Server 2003.

Segment A contains a single server named Server1. Segment B contains all other computers, including a server named Server2. The company’s written security policy states that Segment B must not be connected to the lnternet. Segment A is allowed to connect to the lnternet. There is no network connection between Segment A and Segment B. You can copy files from Segment A to Segment B only by using a CD-ROM to transport the files between the two segments. The network topology is displayed in the exhibit. (Refer to the Exhibit.)

You are planning a patch management infrastructure. On Segment B, you install Software Update Services (SUS) on Server2. You configure Automatic Updates on all computers in Segment B to use http://Server2 and to install security patches.

You need to ensure that all computers in Segment B automatically install security patches. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. The network contains Windows Server 2003 computers.

Twelve of the Windows Server 2003 computers are configured as Web servers.

You need to produce a report that identifies which Microsoft security patches are not installed on the Web servers. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003.

The company’s written security policy states that security patches must be manually installed on servers by administrators. You need to configure the network to comply with the written security policy.

You need to maintain security patches by using the minimum amount of administrative effort. What should you do?

You are a security administrator for your company. The network contains a Windows Server 2003 computer that runs IIS.

You use this server to host an lnternet Web site for customer product purchasing. You plan to use SSL on this server. You do not want customers to receive a certificate-related security alert when they use SSL to connect to your Web site.

You need to select an appropriate certification authority (CA) to serve as the issuer for your Web server SSL certificate. What should you do?