You are a security administrator for your company. The network contains a Windows Server 2003 computer that runs IIS.
You use this server to host an lnternet Web site for customer product purchasing. You plan to use SSL on this server. You do not want customers to receive a certificate-related security alert when they use SSL to connect to your Web site.
You need to select an appropriate certification authority (CA) to serve as the issuer for your Web server SSL certificate. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
A server named Server1 is not a member of the domain. All other computers are members of the domain. The network contains an enterprise certification authority (CA). All computers on the network trust the CA. The company’s written security policy states that all network traffic from the computers in the domain to Server1 must be encrypted. Server1 must not be added to the domain. You configure a Group Policy object (GPO) that assigns the predefined IPSec policy named Client (Respond Only). You link the GPO to the domain. You configure Server1 to use the predefined IPSec policy named Secure Server (Require Security). When you test this configuration, you cannot connect to Server1 from the computers in the domain.
You need to implement the written security policy. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional.
Users store files on a server named Server1. These files are confidential and must be encrypted at all times while on Server1. You configure a new certification authority (CA) and issue certificates that support Encrypting File System (EFS) to all users. Users report that they cannot encrypt files that are stored on Server1. They report that they can encrypt files that are stored locally on their client computers.
You need to ensure that users can encrypt files that are stored on Server1. What should you do?

You are a security administrator for your company. The network includes a public key infrastructure (PKI) that supports smart card logon. All client computers have smart card readers.
Managers are issued smart cards. Managers are required to use smart cards when logging on to client computers. You need to ensure that managers are required to use a smart card when logging on to any client computer and that all other users are required to use a smart card when logging on to a client computer assigned to a manager.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

You are a security administrator for your company. The network consists of an Active Directory forest that contains two domains. The domains are named treyresearch.com and litwareinc.com. All Active Directory domains are running at a Windows Server 2000 mixed mode functionality level.
Employees in the help desk department need to modify certain attributes of employee user accounts that reside in the treyresearch.com domain. The help desk department user accounts reside in the litwareinc.com domain.
You need to create a single group named Help Desk that contains all help desk department user accounts and that can be granted access to modify the employee user accounts in the treyresearch.com domain. What should you do?

You are a security administrator for your company. The network consists of two Active Directory domains. These domains each belong to separate Active Directory forests. The domain named graphicdesigninstitute.com is used primarily to support company employees. The domain named fineartschool.net is used to support company customers. The functional level of all domains is Windows Server 2003 interim mode.
A one-way external trust relationship exists in which the graphicdesigninstitute.com domain trusts the fineartschool.net domain. A Windows Server 2003 computer named Server1 is a member of the fineartschool.net domain. Server1 provides customers access to a Microsoft SQL Server 2000 database. The user accounts used by customers reside in the local account database on Server1. All of the customer user accounts belong to a local computer group named Customers. SQL Server is configured to use Windows lntegrated authentication. Your company has additional SQL Server 2000 databases that reside on three Windows Server 2003 computers. These computers are member servers in the graphicdesigninstitute.com domain.
The company’s written security policy states that customer user accounts must reside on computers in the fineartschool.net domain. You need to plan a strategy for providing customers with access to the additional databases.
You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

You are a security administrator for your company. The network consists of two Active Directory domains that are in separate Active Directory forests. No Active Directory trust relationships exist between the domains. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 2000 Professional. All domain controllers run Windows Server 2003.
You discover that users in one domain can obtain a list of account names for users in the other domain. This capability allows unauthorized users to guess passwords and to access confidential data.
You need to ensure that account names can be obtained only by users of the domain in which the accounts reside.
Which two actions should you perform on the domain controllers? (Each correct answer presents part of the solution. Choose two.)

You are a security administrator for your company. The network consists of a single Active Directory domain. Servers on the network run Windows Server 2003. All servers are in an organizational unit (OU) named Servers, or in OUs contained within the Servers OU.
Based on information in recent security bulletins, you want to apply settings from a security template named Messenger.inf to all servers on which the Messenger service is started. You do not want to apply these settings to servers on which the Messenger service is not started. You also do not want to move servers to other OUs.
You need to apply the Messenger.inf security template to the appropriate servers. What should you do?

You are a security administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All computers are members of the domain.
The company’s written security policy states that all servers must have the security settings that are specified in a security template named Verify.inf. The Verify.inf security template is copied to the SystemrootSecurityTemplates folder on each server.
You need to verify that the servers on the network meet the requirements in the written security policy. What should you do?