You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.

A server named Server1 is not a member of the domain. All other computers are members of the domain. The network contains an enterprise certification authority (CA). All computers on the network trust the CA. The company’s written security policy states that all network traffic from the computers in the domain to Server1 must be encrypted. Server1 must not be added to the domain. You configure a Group Policy object (GPO) that assigns the predefined IPSec policy named Client (Respond Only). You link the GPO to the domain. You configure Server1 to use the predefined IPSec policy named Secure Server (Require Security). When you test this configuration, you cannot connect to Server1 from the computers in the domain.

You need to implement the written security policy. What should you do?

You are a security administrator for your company. The network consists of a perimeter network that is configured as shown in the exhibit. (Click the Exhibit button.)

All computers in the perimeter network run Windows Server 2003. The company’s written security policy states the following: All computers must pass a security inspection before they are placed in the perimeter network. Only computers that pass inspection are permitted to communicate with firewalls or other computers that pass inspection. All communication in the perimeter network is inspected by a networ based intrusion-detection system (IDS). Communication between computers in the perimeter network must use the strongest possible authentication methods.You decide to deploy IPSec in the perimeter network to enforce the written security policy. You enable IPSec on the firewall computers.

You need to plan IPSec configuration for the Windows Server 2003 computers so that it meets the written security policy. Which three actions should you perform to configure IPSec? (Each correct answer presents part of the solution. Choose three.)

You are a security administrator for your company. The network consists of two Active Directory domains named tailspintoys.com and wingtiptoys.com. Each domain resides in a separate Active Directory forest and no trust relationships are established.

The Active Directory domains each contain an certification authority (CA) running Windows Server 2003 Certificate Services. These computers are named CA1 and CA2. Each CA belongs to separate and isolated CA hierarchies. Computers trust only the CA in their Active Directory domain. All computers are issued a standard Computer certificate from the CA in their Active Directory domain. Two Windows Server 2003 computers named Server1 and Server2 function as file servers as shown in the exhibit. (Refer to the Exhibit.)

Users from both domains access confidential data on both Server1 and Server2. You decide to implement IPSec to encrypt the file data during transmission. You configure an IPSec policy that uses ertificate-based IPSec authentication on both servers to encrypt file data transmissions. You configure an IPSec policy that uses certificate-based IPSec authentication on the client computers in both Active Directory domains to encrypt file data transmissions to Server1 and Server2. During testing, you notice that client computers use IPSec only when communicating with the file server in the same Active Directory domain.

You need to enable all client computers to use IPSec when communicating with both Server1 and Server2. What should you do?

You are a security administrator for Contoso, Ltd. The network consists of two Active Directory forests named contoso.com and public.contoso.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The network consists of an IEEE 802.11b wireless LAN (WLAN). Employees and external users use the WLAN. User accounts for employees are located in the contoso.com forest. User accounts for external users are located in the public.contoso.com forest. External users, computers do not have computer accounts in the public.contoso.com forest. To increase security, you upgrade the network hardware to support IEEE 802.1x. You configure a public key infrastructure (PKI). You issue Client Authentication certificates to employees, to client computers used by employees, and to external users.

You need to configure the WLAN to authenticate employees and external users. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional.

Users store files on a server named Server1. These files are confidential and must be encrypted at all times while on Server1. You configure a new certification authority (CA) and issue certificates that support Encrypting File System (EFS) to all users. Users report that they cannot encrypt files that are stored on Server1. They report that they can encrypt files that are stored locally on their client computers.

You need to ensure that users can encrypt files that are stored on Server1. What should you do?

You are a security administrator for Contoso, Ltd. The network consists of a single Active Directory domain named contoso.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are members of the domain.

The company has a main office and three branch offices. Each office is configured as an Active Directory site. Each site contains domain controllers. A domain user named Kim reports that she forgot her password. She works in one of the branch offices. A des op support technician in the main office resets Kim’s password, enables the User must change password at next logon option on Kim’s user account, and then tells Kim the new password. Kim attempts to log on by using her new password and reports that she cannot change the password at logon. You investigate the problem. Kim’s user account is not locked out, and it is not disabled. Permissions for the user account are shown in the exhibit. (Refer to the Exhibit.)

You need to ensure that Kim can log on and change her password. What should you do?

You are a security administrator for your company. The network includes a public key infrastructure (PKI) that supports smart card logon. All client computers have smart card readers.

Managers are issued smart cards. Managers are required to use smart cards when logging on to client computers. You need to ensure that managers are required to use a smart card when logging on to any client computer and that all other users are required to use a smart card when logging on to a client computer assigned to a manager.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

You are a security administrator for your company. The network consists of an Active Directory forest that contains two domains. The domains are named treyresearch.com and litwareinc.com. All Active Directory domains are running at a Windows Server 2000 mixed mode functionality level.

Employees in the help desk department need to modify certain attributes of employee user accounts that reside in the treyresearch.com domain. The help desk department user accounts reside in the litwareinc.com domain.

You need to create a single group named Help Desk that contains all help desk department user accounts and that can be granted access to modify the employee user accounts in the treyresearch.com domain. What should you do?

You are a security administrator for your company. The network consists of two Active Directory domains. These domains each belong to separate Active Directory forests. The domain named graphicdesigninstitute.com is used primarily to support company employees. The domain named fineartschool.net is used to support company customers. The functional level of all domains is Windows Server 2003 interim mode.

A one-way external trust relationship exists in which the graphicdesigninstitute.com domain trusts the fineartschool.net domain. A Windows Server 2003 computer named Server1 is a member of the fineartschool.net domain. Server1 provides customers access to a Microsoft SQL Server 2000 database. The user accounts used by customers reside in the local account database on Server1. All of the customer user accounts belong to a local computer group named Customers. SQL Server is configured to use Windows lntegrated authentication. Your company has additional SQL Server 2000 databases that reside on three Windows Server 2003 computers. These computers are member servers in the graphicdesigninstitute.com domain.

The company’s written security policy states that customer user accounts must reside on computers in the fineartschool.net domain. You need to plan a strategy for providing customers with access to the additional databases.

You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

You are a security administrator for your company. The network consists of two Active Directory domains that are in separate Active Directory forests. No Active Directory trust relationships exist between the domains. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 2000 Professional. All domain controllers run Windows Server 2003.

You discover that users in one domain can obtain a list of account names for users in the other domain. This capability allows unauthorized users to guess passwords and to access confidential data.

You need to ensure that account names can be obtained only by users of the domain in which the accounts reside.

Which two actions should you perform on the domain controllers? (Each correct answer presents part of the solution. Choose two.)