Certified Ethical Hacker v8

QUESTION NO: 2

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012.

You create a group Managed Service Account named gservice1.

You need to configure a service named Service1 to run as the gservice1 account.

How should you configure Service1?

A. From the Services console, configure the General settings.

B. From Windows PowerShell, run Set-Service and specify the -StartupType parameter.

C. From a command prompt, run sc.exe and specify the config parameter.

D. From a command prompt, run sc.exe and specify the privs parameter.

Answer: C

Explanation:

Executing the sc.exe command with the config parameter will modify service configuration.

Incorrect answers:

A. The General settings tab only allows you to stop, start and set the type/parameters.

B. Set-Service provides a way for you to change the Description, StartupType, or DisplayName of a service.

D. Sets the response/action on service failure.

References:

http://windows.microsoft.com/en-us/windows-vista/using-system-configuration

http://technet.microsoft.com/en-us/library/ee176963.aspx

http://technet.microsoft.com/en-us/library/cc990290(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc738230(v=ws.10).aspx

QUESTION NO: 3

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012.

You create a security template named Template1 by using the Security Templates snap-in.

You need to apply Template1 to Server2.

Which tool should you use?

A. Security Configuration and Analysis

B. Server Manager

C. Computer Management

D. Security Templates

Answer: A

Explanation:

You should use the Security Configuration and Analysis snap-in because it will allow you to import and apply the appropriate security templates.

Incorrect answers:

B: Server Manager is used to configure network connections, add servers, roles, features and services, set time zones, enable Remote Desktop and join domains, rather than to apply security templates.

C: Security Template application is best achieved using the Security Configuration and Analysis snap-in rather than the Computer Management snap-in.

D: You use Security Templates snap-in to modify settings in a security template.

References:

Exam Ref: 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and manage Group Policy, Objective 6.2: Configure Security Policies, p.322

QUESTION NO: 4

Your network contains an Active Directory domain named contoso.com.

All user accounts in the sales department reside in an organizational unit (OU) named OU1.

You have a Group Policy object (GPO) named GPO1. GPO1 is used to deploy a logon script to all of the users in the sales department.

You discover that the logon script does not run when the sales users log on to their computers.

You open Group Policy Management as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that the logon script in GPO1 is applied to the sales users.

What should you do?

A. Modify the Delegation settings of GPO1.

B. Modify the link order of GPO1.

C. Enforce GPO1.

D. Enable the link of GPO1.

Answer: D

Explanation:

D. GPO1 needs to be linked to OU1 for the logon script to be applied to the users in the organizational unit.

Incorrect answers:

A: Modifying the Delegation settings of the GPO will not ensure that the logon script is applied to the users.

B: Changing the link order does not ensure that the link is enabled, and for the script to be applied to the users in the OU the GPO link must be enabled.

C: A link is required.

References:

http://technet.microsoft.com/en-us/library/cc732979.aspx

QUESTION NO: 5

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012.

You create a security template named Template1 by using the Security Templates snap-in.

You need to apply Template1 to Server2.

Which tool should you use?

A. System Configuration

B. Authorization Manager

C. Computer Management

D. Local Security Policy

Answer: A

Explanation:

You should use the Security Configuration and Analysis snap-in that can be found in the System Configuration because it will allow you to import and apply the appropriate security templates.

Incorrect answers:

B: The tool required to apply security templates is located in the System Configuration.

C: Security Template application is best achieved using the Security Configuration and Analysis snap-in rather than the Computer Management snap-in.

D: The tool that can be used to apply security templates can be found in the System Configuration.

References:

Exam Ref: 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and manage Group Policy, Objective 6.2: Configure Security Policies, p.322-324

QUESTION NO: 6

You only want to share a printer with Group1, administrators, central owner and operators. (pick 2 answers)

A. Add permissions to Group1

B. Remove permissions from administrators

C. Add permissions to operators

D. Add permissions to Central Owner

E. Remove permissions from everyone.

Answer: A, E

Explanation:

If you want to restrict the printer to Group 1 then you should grant Group1 the Allow permission while removing the Allow permission from the Everyone group.

Incorrect answers:

B: The question does not ask for administrators to be excluded.

C: Operators have access by default.

D: Central Owner has access by default.

References:

http://technet.microsoft.com/en-us/library/cc719924%28v=WS.10%29.aspx

QUESTION NO: 7

Your network contains two Active Directory forests named contoso.com and adatum.com. All servers run Windows Server 2012.

A one-way external trust exists between contoso.com and adatum.com.

Adatum.com contains a universal group named Group1.

You need to prevent Group1 from being used to provide access to the resources in contoso.com.

What should you do?

A. Modify the Managed By settings of Group1.

B. Modify the Allowed to Authenticate permissions in adatum.com.

C. Change the type of Group1 to distribution.

D. Modify the name of Group1.

Answer: B

Explanation:

Universal groups are used to grant permissions on a wide scale throughout a domain tree or forest. Members of global groups include accounts and groups from any domain in the domain tree or forest.

For users in a trusted domain or forest to be able to access resources in a trusting Windows Server 2008 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest.

Accounts that require access to the customer Active Directory will be granted a special right called Allowed to Authenticate. This right is then applied to computer objects (Active Directory domain controllers and AD RMS servers) within the customer Active Directory to which the account needs access.

Incorrect answers:

A: Changing the Managed By settings of group1 will not prevent it from being used to access resources in the domain.

C: Distribution group membership is non-security related.

D: Changing the name of group1 does not alter its group status.

References:

http://technet.microsoft.com/en-us/library/bb726978.aspx

http://technet.microsoft.com/en-us/library/cc781446(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

QUESTION NO: 8

Your network contains an Active Directory domain named contoso.com. The domain contains 20 computer accounts in an organizational unit (OU) named OU1. A user account named User1 is in an OU named OU2.

You are configuring a Group Policy object (GPO) named GPO1. You need to assign User1 the Back up files and directories user right to all of the computer accounts in OU1.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Link GPO1 to OU1.

B. Link GPO1 to OU2.

C. Modify the Delegation settings of GPO1.

D. From User Configuration in GPO1, modify the security settings.

E. From Computer Configuration in GPO1, modify the security settings.

Answer: A, E

Explanation:

A GPO must be linked before it is effective. The GPO1 security settings when accessed from the Computer Configuration utility will allow you to assign the appropriate user rights.

Incorrect answers:

B: The GPO should be linked but this is the wrong organizational unit.

C: The Delegation setting of the GPO is not the issue.

D: Security settings of the GPO should be done using the Computer Configuration utility.

References:

http://technet.microsoft.com/en-us/library/cc732979.aspx

QUESTION NO: 9

Your network contains an Active Directory domain named contoso.com. The domain contains 20 computer accounts that reside in an organizational unit (OU) named OU1.

A Group Policy object (GPO) named GPO1 is linked to OU1. GPO1 is used to assign several user rights to a user named User1.

In the Users container, you create a new user named User2.

You need to ensure that User2 is assigned the same user rights as User1 on all of the client computers in OU1.

What should you do?

A. Move User2 to OU1.

B. Modify the settings in GPO1.

C. Modify the link of GPO1.

D. Link a WMI filter to GPO1.

Answer: B

Explanation:

Group Policy objects are applied only to sites, domains, and organizational units. Group Policy settings affect only the users and computers that they contain. In particular, Group Policy objects are not linked to security groups.

If a user or computer is not contained in a site, domain, or organizational unit that is subject to a Group Policy object, either directly through a link or indirectly through inheritance, there is no combination of permissions on any security group that can cause those Group Policy settings to affect that user or computer.

Incorrect answers:

A: The question mentions only one organizational unit, and the computer accounts already reside in it.

C: Modifying the GPO1 link will render the GPO ineffective since a Group Policy object has to be linked to an organizational unit.

D: WMI filters only apply to members of the built-in group.

References:

http://technet.microsoft.com/en-us/library/cc786636(WS.10).aspx

QUESTION NO: 10

Your network contains an Active Directory domain named adatum.com. The domain contains a file server named Server2 that runs Windows Server 2012. Server2 contains a shared folder named Home. Home contains the home folder of each user.

All users have the necessary permissions to access only their home folder.

A user named User1 opens the Home share as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that all users see only their own home folder when they access Home.

What should you do from Server2?

A. From Windows Explorer, modify the properties of Home.

B. From Server Manager, modify the properties of the volume that contains Home.

C. From Windows Explorer, modify the properties of the volume that contains Home.

D. From Server Manager, modify the properties of Home.

Answer: C

Explanation:

Share permissions apply to users who connect to a shared folder over the network. Share permissions do not affect users who log on locally, or log on using Remote Desktop.

You need to navigate from your Windows interface to open Computer Management from where you can assign the appropriate permissions regarding the properties of the volume where the home folders reside.

References:

http://technet.microsoft.com/en-us/library/cc726004.aspx

QUESTION NO: 11 HOTSPOT

You have a server named Server1 that runs Windows Server 2012.

Several users are members of the local Administrators group.

You need to ensure that all local administrators receive User Account Control (UAC) prompts when they run a Microsoft Management Console (MMC).

Which setting should you modify from the Local Security Policy?

To answer, select the appropriate settings in the answer area.

Answer:

Explanation:

B. UAC is controlled by local security policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

References:

http://technet.microsoft.com/en-us/library/jj574202.aspx

QUESTION NO: 12

Your network contains an Active Directory domain named contoso.com. The domain contains 100 user accounts that reside in an organizational unit (OU) named OU1.

You need to ensure that a user named User1 can link and unlink Group Policy objects (GPOs) to OU1.

The solution must minimize the number of permissions assigned to User1.

What should you do?

A. Modify the permissions on OU1.

B. Run the Set-GPPermission cmdlet.

C. Add User1 to the Group Policy Creator Owners group.

D. Modify the permissions on the User1 account.

Answer: A

Explanation:

Permissions on the organizational unit take precedence over user account permissions. Thus, by changing the permissions on the OU, you can assign the appropriate permission to the user account.

Incorrect answers:

B: The user must be able to link and unlink GPOs with the least number of permissions.

C: Making the user account a member of the Creator Owners group will allow too much permission to the user account.

D: Changing the permissions of the user account will still just allow the user the standard permissions which do not include the linking and unlinking of Group Policy Objects.

References:

http://technet.microsoft.com/en-us/library/jj190062

http://technet.microsoft.com/en-us/library/cc756952%28v=WS.10%29.aspx

QUESTION NO: 13

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012. Server1 contains a single virtual machine named VM1.

You need to ensure that a user named User1 can manage the virtual machine settings of VM1.

The solution must minimize the number of permissions assigned to User1.

To which group should you add User1?

A. Administrators

B. Power Users

C. Hyper-V Administrators

D. Server Operators

Answer: C

Explanation:

This group can reduce the number of users that belong to the local Administrators group while providing users with access to Hyper-V.

Incorrect answers:

A: Assigning Administrator rights to User1 would grant too much permission to the user.

B: Membership of the Power Users group will not allow User1 to manage the virtual machine settings.

D: Membership of the Server Operators group will allow User1 too many rights for the task.

References:

http://technet.microsoft.com/en-us/library/hh831410.aspx

QUESTION NO: 14

Your network contains a file server named Server1 that runs Windows Server 2012. All client computers run Windows 8.

You need to ensure that when users are connected to the network, they always use local offline files that are cached from Server1.

Which Group Policy setting should you configure?

A. Configure slow-link mode

B. Configure Slow link speed

C. Enable file synchronization on costed networks

D. Turn on economical application of Administratively assigned Offline Files

Answer: A

Explanation:

Offline Files is used to provide faster access to cached files and redirected folders.

Incorrect answers:

B. Defines a slow connection for purposes of applying and updating Group Policy.

C. Automatically tracks roaming and bandwidth usage limits while on metered connections.

D. Lists network files and folders that are always available for offline use. This policy makes the specified files and folders available offline to users of the computer.

References:

http://technet.microsoft.com/en-us/library/hh968298.aspx

http://technet.microsoft.com/en-us/library/cc957631.aspx

http://technet.microsoft.com/en-us/library/jj127408.aspx

QUESTION NO: 15 DRAG DROP

Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1. Server1 runs Windows Server 2012 and has the File Server server role installed.

On Server1, you create a share named Documents. The Share permission for the Documents share is configured as shown in the following table.

The NTFS permission for the Documents share is configured as shown in the following table.

You need to configure the Share and NTFS permissions for the Documents share. The permissions must meet the following requirements:

  • Ensure that the members of a group named Group1 can read files and run programs in Documents.

  • Ensure that the members of Group1 can modify the permissions on their own files in Documents.

  • Ensure that the members of Group1 can create folders and files in Documents.

  • Minimize the number of permissions assigned to users and groups.

How should you configure the permissions?

To answer, drag the appropriate permission to the correct location. Each permission may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

Granting a user Full Control NTFS permission on a folder enables that user to take ownership of the folder unless the user is restricted in some other way. Be cautious in granting Full Control.

If you want to manage folder access by using NTFS permissions exclusively, set share permissions to Full Control for the Everyone group.

NTFS permissions affect access both locally and remotely. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to network shares. Share permissions do not restrict access to any local user, or to any terminal server user, of the computer on which you have set share permissions. Thus, share permissions do not provide privacy between users on a computer used by several users, nor on a terminal server accessed by several users.

References:

http://technet.microsoft.com/en-us/library/cc754178.aspx

QUESTION NO: 16 HOTSPOT

Your network contains an Active Directory domain. The domain contains a server named Server28.

The computer account of Server28 is located in an organizational unit (OU) named OU1. A Group Policy object (GPO) named Application Restriction Policy is linked to OU1.

The settings of the GPO are configured as shown in the GPO Settings exhibit. (Click the Exhibit button.)

The Services console on Server28 is shown in the Services exhibit. (Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information; otherwise select No. Each correct selection is worth one point.

Answer:

Explanation:

A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.

When there are multiple matching path rules, the most specific matching rule takes precedence.

The following is a set of paths, from highest precedence (more specific match) to lowest precedence (more general match).

Drive:\Folder1\Folder2\FileName.Extension

Drive:\Folder1\Folder2\*.Extension

*.Extension

Drive:\Folder1\Folder2\

Drive:\Folder1\

The exhibit shows that the Administrators group is set to apply the policy and the group1 group is set to deny the policy.
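The precedence order listed above can be checked mechanically. The following is an added example, not part of the original explanation or of any Microsoft tooling: it ranks a set of constructed path rules against a program path and returns the rule that wins. The function names `Get-PathRuleRank` and `Resolve-PathRule`, the sample rules and the sample paths are all hypothetical. It follows the notation used above (a trailing backslash marks a folder rule) and assumes a folder-plus-wildcard rule matches only files directly in that folder.

```powershell
# Added example: rank software restriction policy path rules by the precedence
# order listed above. All rules and program paths below are constructed samples.

function Get-PathRuleRank {
    param(
        [Parameter(Mandatory)] [string] $RulePath,
        [Parameter(Mandatory)] [string] $ProgramPath
    )
    $rule     = $RulePath.ToLowerInvariant()
    $program  = $ProgramPath.ToLowerInvariant()
    $cut      = $program.LastIndexOf('\') + 1
    $progDir  = $program.Substring(0, $cut)    # e.g. 'c:\tools\legacy\'
    $progFile = $program.Substring($cut)       # e.g. 'setup.vbs'

    $tier = 0                                  # 0 means the rule does not match
    if ($rule.EndsWith('\')) {
        # Folder rule: matches the folder and every subfolder (tier 4, most general).
        if ($program.StartsWith($rule)) { $tier = 4 }
    }
    else {
        $ruleCut  = $rule.LastIndexOf('\') + 1
        $ruleDir  = $rule.Substring(0, $ruleCut)
        $ruleFile = $rule.Substring($ruleCut)
        $wild     = $ruleFile.IndexOfAny([char[]]'*?') -ge 0

        if (-not $wild) {
            # Drive:\Folder1\Folder2\FileName.Extension (tier 1, most specific).
            if ($rule -eq $program) { $tier = 1 }
        }
        elseif ($ruleDir -eq '') {
            # *.Extension with no folder part (tier 3).
            if ($progFile -like $ruleFile) { $tier = 3 }
        }
        elseif ($ruleDir -eq $progDir -and $progFile -like $ruleFile) {
            # Drive:\Folder1\Folder2\*.Extension (tier 2). Assumption: same folder only.
            $tier = 2
        }
    }
    if ($tier -eq 0) { return $null }
    # Within a tier, the longer rule path is the more specific match.
    [pscustomobject]@{ Tier = $tier; Length = $rule.Length }
}

function Resolve-PathRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [Parameter(Mandatory)] [string]   $ProgramPath
    )
    $Rules | ForEach-Object {
        $rank = Get-PathRuleRank -RulePath $_.Path -ProgramPath $ProgramPath
        if ($rank) {
            [pscustomobject]@{ Path = $_.Path; Level = $_.Level; Tier = $rank.Tier; Length = $rank.Length }
        }
    } | Sort-Object -Property @{ Expression = 'Tier'; Descending = $false },
                              @{ Expression = 'Length'; Descending = $true } |
        Select-Object -First 1
}

# Constructed rule set, deliberately listed out of precedence order.
$rules = @(
    [pscustomobject]@{ Path = 'C:\Tools\';                 Level = 'Unrestricted' }
    [pscustomobject]@{ Path = '*.vbs';                     Level = 'Disallowed'   }
    [pscustomobject]@{ Path = 'C:\Tools\Legacy\';          Level = 'Disallowed'   }
    [pscustomobject]@{ Path = 'C:\Tools\Legacy\*.vbs';     Level = 'Unrestricted' }
    [pscustomobject]@{ Path = 'C:\Tools\Legacy\setup.vbs'; Level = 'Disallowed'   }
)

# Constructed program paths, one per precedence case plus one with no match.
$programs = 'C:\Tools\Legacy\setup.vbs', 'C:\Tools\Legacy\report.vbs',
            'C:\Tools\Other\job.vbs', 'C:\Tools\Legacy\app.exe',
            'C:\Tools\app.exe', 'C:\Temp\app.exe'

foreach ($p in $programs) {
    $winner = Resolve-PathRule -Rules $rules -ProgramPath $p
    $rule   = '(no path rule matches)'
    $level  = '(default security level applies)'
    if ($winner) { $rule = $winner.Path; $level = $winner.Level }
    [pscustomobject]@{ Program = $p; WinningRule = $rule; Level = $level }
}
```

Note the third sample path: because `*.Extension` sits above folder rules in the list, a blanket `*.vbs` rule overrides an Unrestricted rule on the containing folder.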

References:

http://technet.microsoft.com/en-us/library/bb457006.aspx

http://technet.microsoft.com/en-us/library/dn449105.aspx

Topic 18, Configure application restriction policies

Configure rule enforcement; configure AppLocker rules; configure Software Restriction Policies

QUESTION NO: 1 HOTSPOT

Your network contains an Active Directory domain named contoso.com.

Computer accounts for the marketing department are in an organizational unit (OU) named Departments\Marketing\Computers. User accounts for the marketing department are in an OU named Departments\Marketing\Users.

Marketing users can only log on to the client computers in the Departments\Marketing\Computers OU.

You need to apply an application control policy to all of the marketing users.

Which Group Policy Object (GPO) should you configure?

To answer, select the appropriate GPO in the answer area.

Answer:

References:

http://technet.microsoft.com/en-us/library/cc781458(v=WS.10).aspx

http://technet.microsoft.com/en-us/library/hh967461.aspx

http://technet.microsoft.com/en-us/library/ee461050.aspx

http://technet.microsoft.com/en-us/library/ee461044.aspx

QUESTION NO: 2

Your network contains an Active Directory domain named contoso.com.

You need to prevent users from installing a Windows Store app named App1.

What should you create?

A. An application control policy executable rule

B. An application control policy packaged app rule

C. A software restriction policy certificate rule

D. An application control policy Windows Installer rule

Answer: B

Explanation:

Windows 8 is coming REALLY SOON and of course one of the big new things to come with that is the new Packaged Apps that run in the start screen. However, these apps are very different and do not install like traditional apps to a path or have a true “executable” file to launch the program. Of course enterprises need a way to control these packaged apps, and therefore Microsoft has added a new Packaged Apps option to the AppLocker feature.

Incorrect answers:

A: An executable rule applies to files with a .exe and a .com extension.

C: The issue at hand mentions a Windows Store application and to prevent users from installing it, you need to create an application control policy packaged app rule.

D: Windows Installer rules apply to Windows Installer packages with .msi and .msp extensions.

References:

http://www.grouppolicy.biz/2012/08/how-manage-published-a-k-a-metro-apps-in-windows-8-using-grouppolicy/

Exam Ref: 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and manage Group Policy, Objective 6.3: Configure application restriction policies, p.341

QUESTION NO: 3 HOTSPOT

Your network contains an Active Directory domain named adatum.com. All domain controllers run Windows Server 2012. All client computers run Windows 7. The computer accounts for all of the client computers are located in an organizational unit (OU) named OU1.

An administrator links a Group Policy object (GPO) to OU1. The GPO contains several application control policies.

You discover that the application control policies are not enforced on the client computers.

You need to modify the GPO to ensure that the application control policies are enforced on the client computers.

What should you configure in the GPO?

To answer, select the appropriate service in the answer area.

Answer:

Explanation:

Before you can enforce AppLocker policies, you must start the Application Identity service by using the Services snap-in console.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To start the Application Identity service

  • Click Start, click Administrative Tools, and then click Services.

  • In the Services snap-in console, double-click Application Identity.

  • In the Application Identity Properties dialog box, click Automatic in the Startup type list, click Start, and then click OK.

References:

http://technet.microsoft.com/en-us/library/dd759130.aspx

QUESTION NO: 4 HOTSPOT

Your network contains an Active Directory domain named contoso.com. Domain controllers run either Windows Server 2008 R2 or Windows Server 2012. All client computers run Windows 8.

All computer accounts are located in an organizational unit (OU) named OU1.

You create a Group Policy object (GPO) that contains several AppLocker rules. You link the GPO to OU1.

You need to ensure that the AppLocker rules apply to all of the client computers.

What should you configure in the GPO?

To answer, select the appropriate service in the answer area.

Answer:

Explanation:

Configuring the Application Identity will specify where the Group Policy will be applied.

References:

http://www.grouppolicy.biz/2012/08/how-manage-published-a-k-a-metro-apps-in-windows-8-using-grouppolicy/

Exam Ref: 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and manage Group Policy, Objective 6.3: Configure application restriction policies, p.341

QUESTION NO: 5

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012.

You create and enforce the default AppLocker executable rules.

Users report that they can no longer execute a legacy application installed in the root of drive C.

You need to ensure that the users can execute the legacy application.

What should you do?

A. Modify the action of the existing rules.

B. Create a new rule.

C. Add an exception to the existing rules.

D. Delete an existing rule.

Answer: B

Explanation:

The Default AppLocker rule needs to be overwritten by adding a new rule.

Incorrect answers:

A: The default AppLocker rule is already preventing users from executing the legacy app. Therefore the existing rules should be overwritten with a new rule.

C: An exception to the existing default rule will not allow users to execute the application.

D: Deleting the rule does not allow users to execute the application.

References:

http://www.grouppolicy.biz/2012/08/how-manage-published-a-k-a-metro-apps-in-windows-8-using-grouppolicy/

Exam Ref: 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and manage Group Policy, Objective 6.3: Configure application restriction policies, p.341

QUESTION NO: 6 HOTSPOT

Your network contains an Active Directory domain named contoso.com. All client computers run Windows 8.

An administrator creates an application control policy and links the policy to an organizational unit (OU) named OU1. The application control policy contains several deny rules. The deny rules apply to the Everyone group.

You need to prevent users from running the denied application.

What should you configure?

To answer, select the appropriate object in the answer area.

Answer:

Explanation:

You should apply an application control policy for executable rules. When AppLocker policies from various GPOs are merged, both the rules and the enforcement modes are merged. The most similar Group Policy setting is used for the enforcement mode, and all rules from linked GPOs are applied.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and Manage Group Policy, Objective 6.2: Local Users and Groups, p. 329

http://technet.microsoft.com/en-us/library/dd759115.aspx

QUESTION NO: 7

Your network contains an Active Directory domain named contoso.com.

All of the AppLocker policy settings for the member servers are configured in a Group Policy object (GPO) named GPO1.

A member server named Server1 runs Windows Server 2012.

On Server1, you test a new set of AppLocker policy settings by using a local computer policy.

You need to merge the local AppLocker policy settings from Server1 into the AppLocker policy settings of GPO1.

What should you do?

A. From Local Group Policy Editor on Server1, export an .xml file. Import the .xml file by using Group Policy Management Editor.

B. From Local Group Policy Editor on Server1, export an .inf file. Import the .inf file by using Group Policy Management Editor.

C. From Server1, run the Set-AppLockerPolicy cmdlet.

D. From Server1, run the New-AppLockerPolicy cmdlet.

Answer: C

Explanation:

The Set-AppLockerPolicy cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.

When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy.
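The merge described above, written out as an added example (not code from the cited references). It assumes an elevated session on Server1, that the GroupPolicy module (GPMC) is installed there, and that the caller may edit GPO1; the helper `Get-PolicySummary` and the two file names under `$env:TEMP` are hypothetical. It records the target GPO's enforcement modes before the merge and compares them afterwards, since the merge is expected to preserve them.

```powershell
# Added example: merge Server1's local AppLocker policy into GPO1 and confirm
# that GPO1's enforcement settings were preserved.
Import-Module AppLocker
Import-Module GroupPolicy

# Build the LDAP path of GPO1 from its directory path instead of typing a GUID.
$gpo      = Get-GPO -Name 'GPO1'
$ldapPath = 'LDAP://' + $gpo.Path

# Hypothetical helper: one row per rule collection in an AppLocker policy XML string.
function Get-PolicySummary {
    param([Parameter(Mandatory)] [string] $PolicyXml)
    $doc = [xml]$PolicyXml
    foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
        $ids = @($collection.SelectNodes('*[@Id]') | ForEach-Object { $_.GetAttribute('Id') })
        [pscustomobject]@{
            Type            = $collection.Type
            EnforcementMode = $collection.EnforcementMode
            RuleCount       = $ids.Count
            RuleIds         = $ids
        }
    }
}

# Snapshot both policies before changing anything.
$localXml  = Get-AppLockerPolicy -Local -Xml
$beforeXml = Get-AppLockerPolicy -Domain -Ldap $ldapPath -Xml
$before    = @(Get-PolicySummary -PolicyXml $beforeXml)

# Keep a rollback copy of GPO1's policy and a record of what was merged in.
$backupFile = Join-Path $env:TEMP 'GPO1-applocker-before.xml'      # hypothetical name
$localFile  = Join-Path $env:TEMP 'Server1-applocker-local.xml'    # hypothetical name
$beforeXml | Out-File -FilePath $backupFile -Encoding UTF8
$localXml  | Out-File -FilePath $localFile  -Encoding UTF8

# Without -Merge this call would overwrite GPO1's AppLocker policy.
Set-AppLockerPolicy -XmlPolicy $localFile -Ldap $ldapPath -Merge

# Compare each rule collection that existed before the merge with its state afterwards.
$after = @(Get-PolicySummary -PolicyXml (Get-AppLockerPolicy -Domain -Ldap $ldapPath -Xml))
foreach ($a in $after) {
    $b = $before | Where-Object { $_.Type -eq $a.Type }
    $preserved  = 'n/a (collection is new in GPO1)'
    $rulesAdded = $a.RuleCount
    if ($b) {
        $preserved  = ($b.EnforcementMode -eq $a.EnforcementMode)
        $rulesAdded = @($a.RuleIds | Where-Object { $b.RuleIds -notcontains $_ }).Count
    }
    [pscustomobject]@{
        Collection           = $a.Type
        EnforcementMode      = $a.EnforcementMode
        EnforcementPreserved = $preserved
        RulesBefore          = if ($b) { $b.RuleCount } else { 0 }
        RulesAfter           = $a.RuleCount
        RulesAdded           = $rulesAdded
    }
}
```

To roll back, run `Set-AppLockerPolicy` with the backup file and the same `-Ldap` path, this time without `-Merge`.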

Incorrect answers:

A: You need to merge the AppLocker policy settings, not export and import them.

B: There is no need to export and then import the AppLocker policy settings.

D: This is not a new policy that has to be applied.

References:

http://technet.microsoft.com/en-us/library/ee791816(v=ws.10).aspx

Exam Ref 70-410: Installing and configuring Windows Server 2012, Chapter 10: Implementing Group Policy, Lesson1: Planning, Implementing and managing Group Policy, p. 479

Topic 19, Configure Windows Firewall

Configure rules for multiple profiles using Group Policy; configure connection security rules; configure Windows Firewall to allow or deny applications, scopes, ports, and users; configure authenticated firewall exceptions; import and export settings

QUESTION NO: 1

Your network contains an Active Directory domain named contoso.com.

All servers run Windows Server 2012.

An application named App1.exe is installed on all client computers. Multiple versions of App1.exe are installed on different client computers. App1.exe is digitally signed.

You need to ensure that only the latest version of App1.exe can run on the client computers.

What should you create?

A. An application control policy packaged app rule

B. A software restriction policy certificate rule

C. An application control policy Windows Installer rule

D. An application control policy executable rule

Answer: D

Explanation:

You should apply an application control policy for executable rules, and it can be based on version.

Incorrect answers:

A. A publisher rule for a Packaged app is based on publisher, name and version.

B. You can create a certificate rule that identifies software and then allows or does not allow the software to run, depending on the security level.

C. The Windows Installer rule is meant for .msi or .msp applications.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and Manage Group Policy, Objective 6.2: Local Users and Groups, p. 329

http://technet.microsoft.com/en-us/library/dd759068.aspx

http://technet.microsoft.com/en-us/library/hh994588.aspx

http://www.grouppolicy.biz/2012/08/how-manage-published-a-k-a-metro-apps-in-windows-8-using-grouppolicy/

http://technet.microsoft.com/en-us/library/hh994597.aspx#BKMK_Cert_Rules

QUESTION NO: 2

Your network contains a server named Server1 that runs Windows Server 2012. Server1 is a member of a workgroup.

You need to configure a local Group Policy on Server1 that will apply only to non-administrators.

Which tool should you use?

A. Server Manager

B. Group Policy Management Editor

C. Group Policy Management

D. Group Policy Object Editor

Answer: D

Explanation:

Once you create a GPO, you can open it in the Group Policy Management Editor and configure the GPO’s policies, specifically those settings that target the non-administrators. In this scenario however, you still need to configure the Group Policy thus you would need the GPO Editor.

Incorrect answers:

A: This is not the correct tool to configure a group policy object.

B: The Group Policy Management Editor is used to verify whether the central store is functioning properly with regard to all GPOs that are linked to your domain.

C: Group Policy Management refers to the tasks that can be done using the Group Policy Management Editor.

References:

Training Guide: Installing and Configuring Windows Server 2012, Chapter 10: Implementing Group Policy, Lesson 1: Planning, implementing and managing group policy, p. 475

QUESTION NO: 3

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012. Server1 contains a virtual machine named VM1 that runs Windows Server 2012.

You need to ensure that a user named User1 can install Windows features on VM1. The solution must minimize the number of permissions assigned to User1.

To which group should you add User1?

A. Administrators on VM1

B. Power Users on VM1

C. Hyper-V Administrators on Server1

D. Server Operators on Server1

Answer: A

Explanation:

The user has to be an administrator on VM1 to be able to install features.

Incorrect answers:

B: You must be part of the Administrators group to be able to install features.

C: This would give the user more permissions than necessary.

D: Making the user a member of the server operators group would be assigning too much permission.

References:

Training Guide: Installing and Configuring Windows Server 2012, Chapter 10: Implementing Group Policy, p.539

QUESTION NO: 4

Your network contains an Active Directory domain named contoso.com. The domain contains an application server named Server1. Server1 runs Windows Server 2012.

You have a client application named App1 that communicates to Server1 by using dynamic TCP ports.

On Server1, a technician runs the following command:

New-NetFirewallRule -DisplayName AllowDynamic -Direction Outbound -LocalPort 1024-65535 -Protocol TCP

Users report that they can no longer connect to Server1 by using App1. You need to ensure that App1 can connect to Server1.

What should you run on Server1?

A. Set-NetFirewallRule -DisplayName AllowDynamic -Action Allow

B. netsh advfirewall firewall set rule name=allowdynamic new action = allow

C. Set-NetFirewallRule -DisplayName AllowDynamic -Direction Inbound

D. netsh advfirewall firewall add rule name=allowdynamic action=allow

Answer: C

Explanation:

When using the Windows Firewall with Advanced Security console, you can select the Inbound Rules node and scroll down in the list to see nine different Network Discovery rules. The Direction Inbound rule is the rule that will allow App1 to connect to Server1.

Incorrect answers:

A: This is an incorrect parameter to use in this scenario because you need to specify Direction Inbound.

B: The netsh.exe command line is used to configure TCP/IP settings such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses and many other options.

D: The netsh.exe command line is used to configure TCP/IP settings such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses and many other options.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and manage Group Policy, Objective 6.4: Configure Windows Firewall, p. 348

Training Guide: Installing and Configuring Windows Server 2012, Chapter 6: Network Administration, Lesson 4: Configuring IPv6/IPv4 Interoperability, p. 269

QUESTION NO: 5

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012.

You create a new inbound rule by using Windows Firewall with Advanced Security.

You need to configure the rule to allow Server1 to accept unsolicited inbound packets that are received through a network address translation (NAT) device on the network.

Which setting in the rule should you configure?

A. Edge traversal

B. Authorized computers

C. Interface types

D. Remote IP address

Answer: A

Explanation:

Edge traversal allows the computer to accept unsolicited inbound packets that have passed through an edge device, such as a network address translation (NAT) router or firewall.

References:

http://technet.microsoft.com/en-us/library/cc731927.aspx

QUESTION NO: 6

Server1 runs Windows Server 2012 and is installed as an FTP server.

Clients use App1 to connect to Server1 for FTP.

App1 uses TCP port 21 for control and a dynamic port for data. You have allowed port 21 in the firewall. What should you do next to allow clients to use App1 to connect to Server1 using FTP?

A. At Server1, allow an outbound firewall rule

B. At Server1, allow an inbound firewall rule

C. netsh advfirewall domainprofile state off

D. netsh advfirewall set global StatefulFtp enable

Answer: B

Explanation:

To allow client computers to use the app to connect to Server1 by FTP, you have to configure an inbound firewall rule.

Incorrect answers:

A: You need to make allowance for inbound traffic at Server1.

C: The netsh advfirewall domainprofile state off command will configure the overall operational state of Windows Firewall with Advanced Security.

D: The netsh advfirewall set global StatefulFtp enable command is used to configure settings that will apply globally.

References:

http://technet.microsoft.com/en-us/library/cc771920%28v=WS.10%29.aspx

QUESTION NO: 7

Your network contains an Active Directory domain named contoso.com. The domain contains an Application server named Server1. Server1 runs Windows Server 2012.

Server1 is configured as an FTP server.

Client computers use an FTP Application named App1.exe. App1.exe uses TCP port 21 as the control port and dynamically requests a data port.

On Server1, you create a firewall rule to allow connections on TCP port 21.

You need to configure Server1 to support the client connections from App1.exe.

What should you do?

A. Run netsh firewall add portopening TCP 21 dynamicftp.

B. Create a tunnel connection security rule.

C. Create an outbound firewall rule to allow App1.exe.

D. Run netsh advfirewall set global statefulftp enable.

Answer: D

Explanation:

The Netsh advfirewall set global statefulftp command will configure how Windows Firewall with Advanced Security handles FTP traffic that uses an initial connection on one port to request a data connection on a different port.

When statefulftp is enabled (Disabled being the default setting) the firewall tracks the port numbers specified in PORT command requests and in the responses to PASV requests, and then allows the incoming FTP data traffic entering on the requested port number.

Incorrect answers:

A: This is not necessary as the firewall rule to allow connections on TCP port 21 was already created.

B: A tunnel connection security rule will not support client connections; you need to enable stateful FTP connections on the firewall.

C: An inbound firewall rule would be more appropriate.

References:

http://technet.microsoft.com/en-us/library/cc771920%28v=ws.10%29.aspx#BKMK_set_2a

http://technet.microsoft.com/en-us/library/cc766369%28v=WS.10%29.aspx

QUESTION NO: 8

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012.

Server2 establishes an IPSec connection to Server1.

You need to view which authentication method was used to establish the initial IPSec connection.

What should you do?

A. From Windows Firewall with Advanced Security, view the quick mode security association.

B. From Event Viewer, search the Application Log for events that have an ID of 1704.

C. From Event Viewer, search the Security Log for events that have an ID of 4672.

D. From Windows Firewall with Advanced Security, view the main mode security association.

Answer: D

Explanation:

Main mode negotiation establishes a secure channel between two computers by determining a set of cryptographic protection suites, exchanging keying material to establish a shared secret key, and authenticating computer and user identities. A security association (SA) is the information maintained about that secure channel on the local computer so that it can use the information for future network traffic to the remote computer. You can monitor main mode SAs for information like which peers are currently connected to this computer and which protection suite was used to form the SA.

Incorrect answers:

A: The quick mode SA is but a part of the main mode SA.

B: Main mode and quick mode security associations can be monitored using the Windows Firewall with Advanced Security snap-in or Windows PowerShell, NOT Event Viewer.

C: Main mode and quick mode security associations can be monitored using the Windows Firewall with Advanced Security snap-in or Windows PowerShell, NOT Event Viewer.

References:

http://technet.microsoft.com/en-us/library/dd448497(v=ws.10).aspx

QUESTION NO: 9

Your network contains an Active Directory domain named contoso.com. The domain contains an Application server named Server1. Server1 runs Windows Server 2012.

Server1 is configured as an FTP server.

Client computers use an FTP Application named App1.exe. App1.exe uses TCP port 21 as the control port and dynamically requests a data port.

On Server1, you create a firewall rule to allow connections on TCP port 21.

You need to configure Server1 to support the client connections from App1.exe.

What should you do?

A. Run netsh advfirewall set global statefulftp enable.

B. Create an inbound firewall rule to allow App1.exe.

C. Create a tunnel connection security rule.

D. Run Set-NetFirewallRule -DisplayName DynamicFTP -Profile Domain

Answer: A

Explanation:

The netsh advfirewall set global statefulftp command configures how Windows Firewall with Advanced Security handles FTP traffic that uses an initial connection on one port to request a data connection on a different port.

When statefulftp is enabled, the firewall examines the PORT and PASV requests for these other port numbers and then allows the corresponding data connection to the port number that was requested.

The Enable parameter means the firewall will track the port numbers specified in PORT command requests and in the responses to PASV requests, and then allows the incoming FTP data traffic entering on the requested port number.

Incorrect answers:

B: There is already a firewall rule that allows inbound connections on TCP port 21.

C: A tunnel connection security rule will not support client connections because you need to enable stateful FTP connections on the firewall.

D: This is not necessary as the firewall rule to allow connections on TCP port 21 was already created.

References:

http://technet.microsoft.com/en-us/library/cc771920%28v=ws.10%29.aspx#BKMK_set_2a
