You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

Eight Windows Server 2003 computers are members of the domain. These computers are used to store confidential files. They reside in a data center that only lT administration personnel have physical access to.

You need to restrict members of a group named Contractors from connecting to the file server computers. All other employees require access to these computers. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. Servers run either Windows Server 2003 or Windows 2000 Server. All client computers run Windows 2000 Professional. The latest operating system service pack is installed on each computer.

Thirty Windows Server 2003 computers are members of the domain and function as file servers. Client computers access files on these file servers over the network by using the Server Message Block (SMB) protocol. You are concerned about the possible occurrence of man-in-the-middle attacks during SMB communications. You need to ensure that SMB communications between the Windows Server 2003 file servers and the client computers are cryptographically signed. The file servers must not communicate with client computers if the client computers cannot sign SMB communications.

Client computers must be able to use unsigned SMB communications with all other computers in the domain. What should you do to configure the file servers?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

One hundred users in your company are currently using an application named App1. App1 is stored in a folder on the hard disk of each user’s client computer. To secure App1, you create a new Group Policy object (GPO) named App1 Policy. The App1 Policy GPO contains a file system security policy that applies a custom DACL to App1.

You configure the DACL to assign All users only the Allow – Read permission. You filter the App1 Policy GPO to apply only to computers that have App1 installed. After you apply the App1 GPO, users immediately report that they receive an error message when they attempt to use App1. You delete the entry for App1 in the file system security policy. Users continue to report that they receive the same error message when they attempt to use App1.

You need to configure the network so that users can use App1. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

You are a security administrator for your company. All servers run Windows Server 2003. All client computers run Windows XP Professional.

You install Software Update Services (SUS) on a server named Server1. The company’s written security policy states that all updates must be tested and approved before they are installed on network computers.

You need to ensure that SUS uses the minimum amount of disk space on Server1. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows 2003 Server. All client computers run Windows XP Professional.

All computers are configured to use Automatic Updates to install updates without user intervention. Updates are scheduled to occur during o peak hours. During a security audit, you notice some client computers are not receiving updates on a regular basis. You verify that Automatic Updates is running on All client computers, and you verify that users cannot modify the Automatic Updates settings.

You need to ensure that computers on your network receive all updates. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

There are 15 Windows Server 2003 computers that serve as domain controllers. For security reasons, you do not allow the domain controllers to access Web sites over the lnternet. You need to scan all of the domain controllers to identify which Microsoft security patches are not installed.

You want to achieve this goal by using the minimum amount of administrative effort and by successfully completing the scan of all domain controllers. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are members of the domain.

The network contains 10 Active Directory sites. Each site represents one of the company’s offices. The offices are located around the world. Each office has a connection to the lnternet. The company maintains dedicated leased lines between the offices. You are planning a security patch management infrastructure for Microsoft security patches. You install Software Update Services (SUS) on a server named Server1. You need to ensure that Automatic Updates on the client computers and servers installs only security patches that are company approved.

You want to limit the use of the leased lines between the offices by allowing each computer to download the security patches from the lnternet. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The company occasionally experiences downtime because of malicious lnternet worms that arrive as Microsoft Visual Basic Scripting Edition (VBS) files. You examine several client computers and discover that VBS files are downloaded by using Microsoft Outlook, instant messaging, or peer-to-peer file sharing programs.

You need to prevent users from running VBS files regardless of how they arrive on client computers. What should you do?

You are a security administrator for your company. The company has one main office and five branch offices. Network administrators work in the main office and each branch office.

Network administrators in the main office frequently create scripts that automate common administrative tasks. You review each script to ensure it does not introduce security vulnerabilities. Scripts that do not introduce security vulnerabilities are considered approved. Occasionally, branch office administrators modify these scripts and distribute the modified scripts to other branch office administrators. Branch office administrators often report that they accidentally run a modified version of a script.

You need to ensure that branch office administrators can verify which scripts are approved scripts. What should you do?

You are a security administrator for your company. The network consists of three Active Directory domains. All Active Directory domains are running at a Windows Server 2003 mode functionality level.

Employees in the editorial department of your company need access to resources on file servers that are in each of the Active Directory domains. Each Active Directory domain in the company contains at least one editorial department employee user account.

You need to create a single group named Company Editors that contains all editorial department employee user accounts and that has access to the resources on file server computers. What should you do?