You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003.
You plan to deploy remote access to the network for users that work from home. The company’s written security policy states the following remote access requirements:
Users are allowed to use remote access during the day only.
Enterprise Admins are never allowed to use remote access.
Domain Admins are always allowed to use remote access.
A user who is a member of both the Enterprise Admins group and the Domain Admins group is not allowed to use remote access.
You configure and enable Routing and Remote Access on a member server named Server1. You delete the predefined remote access policies. The remote access permission for all user accounts in the domain is set to use remote access policies. You need to ensure that the remote access policies on Server1 comply with the written security policy. exhibit What should you do?
To answer, drag the remote access policy that should appear first in the remote access policy list to the First Policy box. Continue dragging the appropriate remote access policies to the corresponding numbered boxes until you list all required policies in the correct order. You might not need to use all numbered boxes.
Drag and drop question. Drag the items to the proper locations.

You are a security administrator for your company. The network consists of a perimeter network that is configured as shown in the exhibit. (Click the Exhibit button.)
All computers in the perimeter network run Windows Server 2003. The company’s written security policy states the following: All computers must pass a security inspection before they are placed in the perimeter network. Only computers that pass inspection are permitted to communicate with firewalls or other computers that pass inspection. All communication in the perimeter network is inspected by a networ based intrusion-detection system (IDS). Communication between computers in the perimeter network must use the strongest possible authentication methods.You decide to deploy IPSec in the perimeter network to enforce the written security policy. You enable IPSec on the firewall computers.
You need to plan IPSec configuration for the Windows Server 2003 computers so that it meets the written security policy. Which three actions should you perform to configure IPSec? (Each correct answer presents part of the solution. Choose three.)

You are a security administrator for your company. The network consists of two Active Directory domains named tailspintoys.com and wingtiptoys.com. Each domain resides in a separate Active Directory forest and no trust relationships are established.
The Active Directory domains each contain an certification authority (CA) running Windows Server 2003 Certificate Services. These computers are named CA1 and CA2. Each CA belongs to separate and isolated CA hierarchies. Computers trust only the CA in their Active Directory domain. All computers are issued a standard Computer certificate from the CA in their Active Directory domain. Two Windows Server 2003 computers named Server1 and Server2 function as file servers as shown in the exhibit. (Click the Exhibit button.)
Users from both domains access confidential data on both Server1 and Server2. You decide to implement IPSec to encrypt the file data during transmission. You configure an IPSec policy that uses ertificate-based IPSec authentication on both servers to encrypt file data transmissions. You configure an IPSec policy that uses certificate-based IPSec authentication on the client computers in both Active Directory domains to encrypt file data transmissions to Server1 and Server2. During testing, you notice that client computers use IPSec only when communicating with the file server in the same Active Directory domain.
You need to enable all client computers to use IPSec when communicating with both Server1 and Server2. What should you do?

You are a security administrator for Contoso, Ltd. The network consists of a single Active Directory domain named contoso.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are members of the domain.
The company has a main office and three branch offices. Each office is configured as an Active Directory site. Each site contains domain controllers. A domain user named Kim reports that she forgot her password. She works in one of the branch offices. A des op support technician in the main office resets Kim’s password, enables the User must change password at next logon option on Kim’s user account, and then tells Kim the new password. Kim attempts to log on by using her new password and reports that she cannot change the password at logon. You investigate the problem. Kim’s user account is not locked out, and it is not disabled. Permissions for the user account are shown in the exhibit. (Click the Exhibit button.)
You need to ensure that Kim can log on and change her password. What should you do?

You are a security administrator for Contoso, Ltd. The network consists of a single Active Directory domain named contoso.com. The network contains Windows Server 2003 computers and Windows XP Professional client computers.
You create organizational units (OUs) in Active Directory to contain the user, computer, and group objects for each department in the company. The OU structure is shown in the exhibit. (Click the Exhibit button.)
You want to allow selected users to encrypt data by using Encrypting File System (EFS). However, the requirements for using EFS vary based on the OU in which the user’s computer resides. Use of EFS should be disabled on all computers in the Domain Computers OU. You must enable EFS for the following OUs: Human Resources Finance Engineering ResearchDesignated security administrators must be able to help users access encrypted files on occasion. Tom and Andrew are the two security administrators assigned to help users with encrypted files. Tom must be able to decrypt all files on computers in the Human Resources OU and the Finance OU. Andrew must be able to decrypt all files on computers in the Engineering OU and in the Research OU. There are currently no EFS policies defined for computers in the domain. You need to create EFS policies in the domain to meet the listed requirements.exhibit What should you do?
To answer, drag the appropriate EFS configuration to the correct domain container locations in the work area.
Drag and drop question. Drag the items to the proper locations.

You are a security administrator at your company. The network consists of a single Active Directory domain. The network contains Windows 2000 Professional client computers and Windows Server 2003 computers.
Three Windows Server 2003 computers are named CA1, CA2, and CA3. You want to implement a public key infrastructure (PKI) to support the security requirements in your company. All certification authorities (CAs) must belong to the same CA hierarchy. You plan to install Certificate Services on CA1 first. CA1 will not be connected to the network and will be stored in a locked cabinet in the company data center. You plan to use CA2 to issue certificates for IPSec and Encrypting File System (EFS). You will configure CA2 to automatically issue these certificates. You plan to use CA3 to issue certificates that enable business partners to authenticate to your IIS Web site. CA3 will not be a member of the Active Directory domain.
You need to configure Certificate Services on each server to fulfill the server’s designated role. exhibit What should you do?
To answer, drag the appropriate Certificate Services configuration roles to the correct server locations in the work area.
Drag and drop question. Drag the items to the proper locations.

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
You manage client computers by using Group Policy. Some of the administrators in your company are responsible for managing network connectivity and TCP/IP. These administrators are known as infrastructure engineers and are members of a global group named lnfra_Engineers. The infrastructure engineers must be able to configure and troubleshoot TCP/IP settings on servers and client computers. You need to configure a Restricted Groups policy that ensures that only infrastructure engineers are members of the Network Configuration Operators local group on All client computers.
You want to achieve this goal without granting unnecessary permissions to the infrastructure engineers. exhibit What should you do? To answer, drag the appropriate group or groups to the correct list or lists in the dialog box in the work area.
Drag and drop question. Drag the items to the proper locations.

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows 2000 Professional.
You create two top-level organizational units (OUs). One OU is named Finance. The other OU is named Marketing. You place user and computer accounts for users in the marketing and finance departments in the corresponding OU. You create a Group Policy object (GPO) for each OU and link each GPO to the corresponding OU. The GPO linked to the Marketing OU is shown in the Marketing GPO exhibit, and the GPO linked to the Finance OU is shown in the Finance GPO exhibit. (Click the Exhibit button.)
A client computer named Client1 is used by users in the marketing department. You reassign Client1 to users in the finance department. You move the computer object from the Marketing OU to the Finance OU. When you attempt to log on to Client1, you receive a message stating that the computer is intended for use by the marketing department only.
You need to ensure that users in the finance department do not receive the message. You want to achieve this goal without affecting users in the Marketing OU. What should you do?