PrepAway - Latest Free Exam Questions & Answers

Category: 70-299 (v.1)

Exam 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network

You need to reduce the time that it takes for client computers to find out about certificate revocations and t

You are a security administrator for your company. The network consists of a single Active Directory domain. The network contains Windows XP Professional client computers and Windows Server 2003 computers.

You install Certificate Services to issue certificates to employees for secure e-mail encryption and Web site authentication. You revoke the certificates used by an employee when that employee leaves the company. Several thousand certificates are currently revoked, and multiple revocations occur daily. Company e-mail and Web applications already use strong revocation checking of certificates. You need to reduce the time that it takes for client computers to find out about certificate revocations and to process certificate revocation information.

You also need to limit the negative impacts that this change will have on network performance. What should you do?

Which three actions should you perform? (Each correct answer presents part of the solution

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

Your company hosts an extranet Web site that allows employees from a partner company to access confidential information over the Internet. You want to require the partner company employees to use certificate-based authentication to access the extranet Web site. You have a public key infrastructure (PKI), which consists of a stand-alone root certification authority (CA) and an enterprise subordinate CA. The partner company does not have a PKI. You decide to issue certificates from your CA hierarchy to the partner company employees. The partner company certificates will require a different certificate policy than the policy currently used for issuing certificates to internal employees. Certificate revocation checking will be used during certificate-based authentication. You need to implement the necessary PKI changes to comply with these requirements.

You want to achieve this goal by using the minimum amount of administrative effort. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

You need to ensure that employees can access only their company’s Web application

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

Your company hosts Web applications for customers. Each customer is a company that has multiple employees who require access to the Web applications. Each customer has one Web application. Each Web application is configured as a virtual directory. You configure a user account for each customer. You assign this account permission to read the virtual directory that contains the customer’s Web application. You need to ensure that employees can access only their company’s Web application.

You must accomplish this task without requiring customers to disclose passwords. What should you do?

You need to reduce the number of help desk calls related to account lockout

You are a security administrator for your company. The network consists of a single Active Directory domain. Servers run either Windows Server 2003 or Windows 2000 Server. All client computers run Windows XP Professional.

The company’s written security policy states that user accounts must be locked if an unauthorized user attempts to guess the users’ passwords. The current account policy locks out a user after two invalid password attempts in five minutes. The user remains locked out until the account is reset by an administrator. Users frequently call the help desk to have their account unlocked. Calls related to account lockout constitute 25 percent of help desk calls.

You need to reduce the number of help desk calls related to account lockout. What should you do?

Which three types of groups should you choose? (Each correct answer presents part of the solution

You are a security administrator for your company. The network consists of two Active Directory domains named adatum.com and proseware.com. These domains are in the same Active Directory forest. The adatum.com Active Directory domain operates at a Windows 2000 mixed mode domain functional level. The proseware.com Active Directory domain operates at a Windows 2000 native mode domain functional level.

An application runs on four Windows Server 2003 computers. These computers are domain member servers in the adatum.com Active Directory domain. Authorized users in both the adatum.com and the proseware.com domains require access to this application. The network is depicted in the exhibit. (Refer to the Exhibit.)

You need to plan an authorization model to control user access to the application. You will place adatum.com user accounts in a group named Adatum AppUsers. You will place proseware.com user accounts in a group named Proseware AppUsers. You will use a group named AppResources to assign permissions that allow access to the application.

You need to choose the appropriate types of groups to implement your plan. Which three types of groups should you choose? (Each correct answer presents part of the solution. Choose three.)

You need to ensure that Server1 authenticates users based on possession of their certificate

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows 2000 Professional.

You manage a Windows Server 2003 computer named Server1 that is a domain member server. You use IIS on Server1 to host an Internet Web site. Approximately 4,000 employees of your company connect over the Internet to access company confidential data on Server1. You control access to data on Server1 by using NTFS file permissions assigned to groups. Different groups are assigned access to different files. Employees must have access only to files that they are assigned access to based on their membership in a group. You enable SSL on Server1 to protect confidential data while it is in transit. You issue each employee an Authenticated Session certificate and store a copy of that certificate with their user account in the Active Directory domain.

You need to ensure that Server1 authenticates users based on possession of their certificate. What should you do?

You need to enable all client computers to use IPSec when communicating with Server1

You are a security administrator for your company. The network consists of two Active Directory forests.

The first forest is named tailspintoys.com and contains domain controllers that run either Windows Server 2003 or Windows 2000 Server. The second forest is named wingtiptoys.com and contains domain controllers that run Windows Server 2003. No trust relationships are established.

A certification authority (CA) running Windows Server 2003 Certificate Services is deployed and all computers are issued a Computer certificate. A Windows Server 2003 computer named Server1 is a member of the wingtiptoys.com Active Directory domain. Server1 provides users in both domains access to a payroll application. You decide to implement IPSec to encrypt the payroll application data during transmission. You configure a custom IPSec policy named Payroll App on Server1 using the rules shown in the exhibit. (Refer to the Exhibit.)

You configure an IPSec default Client policy on the client computers in both Active Directory domains. During testing, you notice that client computers in the wingtiptoys.com Active Directory domain use IPSec when communicating with Server1. However, client computers in the tailspintoys.com Active Directory domain cannot communicate with Server1.

You need to enable all client computers to use IPSec when communicating with Server1. What should you do?

What should you do? (Each correct answer presents part of the solution

You are the security administrator of your network. The network consists of an Active Directory domain. All computers on the network are in the domain. The domain controllers and file servers on the network run Windows Server 2003. The client computers run Windows XP Professional.

The file servers use a custom IPSec policy named Server Traffic. The Server Traffic policy contains rules to encrypt Telnet and SNMP traffic, as shown in the exhibit. (Refer to the Exhibit.) All client computers use the Client (Respond Only) IPSec policy. The default exemptions to IPSec filtering are disabled on the client computer. You want to configure the network so that Telnet, SNMP, and Kerberos traffic is encrypted by IPSec.

You do not want to encrypt other network protocols. What should you do? (Each correct answer presents part of the solution. Choose two.)

You need to protect sales documents from being intercepted by unauthorized users

You are a security administrator for your company. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network is configured as shown in the Network Diagram exhibit. (Refer to the Exhibit.)

Users in the sales department use portable computers that are not connected to the company network. Each week sales users travel to the company’s main office and connect to the IEEE 802.11b wireless LAN (WLAN). The WLAN is configured as shown in the Wireless Configuration exhibit. (Refer to the Exhibit.) The WLAN hardware does not support IEEE 802.1x. Once a week, sales users connect to the WLAN to retrieve confidential sales documents from file servers on the network.

You discover that unauthorized users intercepted data in sales documents while the documents were transmitted over the WLAN. You need to protect sales documents from being intercepted by unauthorized users. What should you do?

You need to ensure that users from the domain can successfully establish a VPN connection to Server3

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. The network contains three member servers named Server1, Server2, and Server3.

The three member servers are connected to the Internet. You plan to implement remote access to the company network for users that work from home. You configure and enable Routing and Remote Access on Server1 and Server2. An assistant, who is an administrator on all member servers, configures and enables Routing and Remote Access on Server3. Users from the domain can successfully establish VPN connections from the Internet to Server1 and Server2. However, users cannot establish a VPN connection to Server3. You discover that Server3 can only authenticate Internet VPN connections from local user accounts.

You need to ensure that users from the domain can successfully establish a VPN connection to Server3. What should you do?

