70-299

Microsoft

Implementing and Administering Security in a Microsoft Windows 2003 Network


Pass4sureofficial.com is a reputable provider of IT certification examination guides, study guides and audio exams. We not only ensure that you pass your 70-299 exam on the first attempt, but also help you get a high score to acquire Microsoft certification.


A / Implementing, Managing, and Troubleshooting Security Policies
B / Implementing, Managing, and Troubleshooting Patch Management Infrastructure
C / Implementing, Managing, and Troubleshooting Security for Network Communications
D / Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI

Relevant objective of each question is mentioned along with question number.

Question: 1. (C)

You are the security administrator for Company. The network consists of two segments named Segment A and Segment B. The client computers on the network run Windows XP Professional. The servers run Windows Server 2003. Segment A contains a single server named Server1. Segment B contains all other computers, including a server named Server2. Company’s written security policy states that Segment B must not be connected to the Internet. Segment A is allowed to connect to the Internet. There is no network connection between Segment A and Segment B. You can copy files from Segment A to Segment B only by using a CD-ROM to transport the files between the two segments. The network topology is displayed in the exhibit.

You are planning a patch management infrastructure. On Segment B, you install Software Update Services (SUS) on Server2. You configure Automatic Updates on all computers in Segment B to use security patches. You need to ensure that all computers in Segment B automatically install security patches. What should you do?

A. Install SUS on Server1. Periodically copy the files in the Content folder and in the SUS root folder from Server1 to Server2.

B. Install SUS on Server1. Periodically copy the files in the Content folder from Server1 to Server2. Copy the Approveditems.txt file from Server1 to the Windows folder on Server2.

C. On Server1, periodically connect to the Microsoft Windows Update Catalog Web site and download new security patches. Copy the files to the Content folder on Server2.

D. On Server1, configure Automatic Updates to use the URL of the Microsoft Windows Update Web site. Periodically copy the downloaded files and the Mssecure.xml file to the Content folder on Server2.

Answer: A

Explanation:

B – You must copy all items in the Content and SUS root folder.

C – This is possible, but you would have to install the patches manually.

D – Turning on AU would update Server1 but does not provide files for Server2. The MBSA uses an XML-based catalog file, MSSecure.xml, to determine the security updates that are available. The catalog file is compressed and is stored in the MSSecure.cab file.

If SUS is used to approve updates, it retrieves the Approveditems.txt file from the root of the IIS/SUS default web site, not the Windows folder.

If you do not install SUS on Server1 there will be no Content folder (distribution point) on Server1.

Automatic Updates should not be turned on on the SUS servers.

SUS is a server component that, when installed on a server running Windows 2000, allows small and medium enterprises to bring critical updates from Windows Update inside their firewalls to distribute to Windows 2000 and Windows XP computers. The same Automatic Updates component that can direct Windows 2000 and Windows XP computers to Windows Update can be directed to a SUS server inside your firewall to install critical updates.

Automatic Updates retrieves all critical updates and Microsoft Security Response Center security updates that are classified as moderate or important.

Automatic Updates scans only for critical updates, but if its server that runs SUS contains updates other than critical ones, Automatic Updates receives and applies those as well. SUS receives critical and moderate security updates.

Creating Distribution Points

When you install a server that runs SUS, a distribution point is created on that server. When you synchronize the server with a parent server or with an external Web site, all the content on the Web site is downloaded to the distribution point. If new updates are downloaded, this distribution point is updated during every synchronization. During Setup, the distribution point is created in a virtual root (Vroot) named /Content.

If you choose to maintain content on the public Web site instead of downloading the patches to the local server running SUS, this distribution point is empty except for the AUCatalog.cab file. AUCatalog.cab defines the updates that have been approved for deployment to clients.

You can also create a distribution point on a server that is not running SUS. Such a server must be running IIS 5.0 or later. You can download and test packages on servers running SUS, and then download approved and tested packages to distribution points for client access.

If your SUS design includes distribution points, perform the following tasks to create a distribution point:

1. Confirm that IIS is present.

2. Create a folder named \Content.

3. Copy all of the following items from the source server running SUS to the newly created \Content folder:

• <root of the SUS Website>\Aucatalog1.cab

• <root of the SUS Website>\Aurtf1.cab

• <root of the SUS Website>\approveditems.txt

• All the files and folders under the \Content\cabs

4. Create an IIS Vroot called that points to the \content folder.
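The copy in step 3, as an added example that is not part of the original study guide: it stages the listed items and records a SHA-256 manifest, so the set can be re-checked after it has crossed to the disconnected segment on CD-ROM. The function names, the two source-path parameters and the destination layout (the cabs tree placed under the new \Content folder) are assumptions.

```python
import hashlib
import shutil
from pathlib import Path

# File names are the ones listed in step 3; everything else here is assumed.
ROOT_FILES = ("Aucatalog1.cab", "Aurtf1.cab", "approveditems.txt")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_distribution_point(sus_web_root: Path, sus_content: Path, dest: Path) -> dict:
    """Copy the required items into dest and return {relative path: sha256}."""
    missing = [n for n in ROOT_FILES if not (sus_web_root / n).is_file()]
    cabs_src = sus_content / "cabs"
    if not cabs_src.is_dir():
        missing.append("Content/cabs")
    if missing:  # refuse to build a partial distribution point
        raise FileNotFoundError("source SUS server is missing: " + ", ".join(missing))
    dest.mkdir(parents=True, exist_ok=True)
    for name in ROOT_FILES:
        shutil.copy2(sus_web_root / name, dest / name)
    shutil.copytree(cabs_src, dest / "cabs", dirs_exist_ok=True)
    return {p.relative_to(dest).as_posix(): sha256_of(p)
            for p in sorted(dest.rglob("*")) if p.is_file()}


def verify_distribution_point(dest: Path, manifest: dict) -> list:
    """Return files that are missing, changed or unexpected after transport."""
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append("missing: " + rel)
        elif sha256_of(p) != digest:
            problems.append("changed: " + rel)
    for p in dest.rglob("*"):
        rel = p.relative_to(dest).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append("unexpected: " + rel)
    return sorted(problems)
```

An empty list from `verify_distribution_point` means the copied set matches what left the source server; a changed approveditems.txt or an extra .cab is worth investigating before clients are pointed at the folder.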

Question: 2. (B)

You are a security administrator for Company. The network consists of a single Active Directory domain named Company.com. All servers run Windows Server 2003. Company’s written security policy states that security patches must be manually installed on servers by administrators. You need to configure the network to comply with the written security policy. You need to maintain security patches by using the minimum amount of administrative effort. What should you do?

A. Create a new organizational unit (OU) to contain all server computers. Create a new Group Policy object (GPO) and link it to the OU. Configure the GPO to disable Automatic Updates. Allow only administrators to start Automatic Updates.

B. Create a new organizational unit (OU) to contain all server computers. Create a new Group Policy object (GPO) and link it to the OU. Configure the GPO to automatically download updates and notify when they are ready to be installed.

C. Create a new organizational unit (OU) named Admins to contain all administrators. Create a second OU named Servers to contain all server computers. Create a new Group Policy object (GPO) and link it to the Admins OU. Configure the GPO to disable Automatic Updates.

D. Modify the Default Domain Policy Group Policy object (GPO) to disable Windows Update and to disable Automatic Updates. Create a new organizational unit (OU) named Admins. Place all administrator accounts in the Admins OU. Block GPO inheritance on the Admins OU.

Answer: B

Explanation:

A – Cannot be done using Network Neighborhood.

C – Scanning the finance subnet would report on all computers on the subnet, including non-finance computers.

D – This option again would scan all systems in the domain, not just the finance ones. The scan should be done from an administrative machine, not a users’ machine.

Objective: Implementing, Managing, and Troubleshooting Security for Network Communications

Sub-Objective: 3.4.1 Monitor IPSec policies by using IP Security Monitor.

1. Planning a Host Name Resolution Strategy, MCSA/MCSE Self-Paced Training Kit (Exams 70-292 and 70-296): Upgrading Your Certification to Microsoft Windows Server 2003, Microsoft Press, Chapter 7

The correct syntax is the mbsacli /hf -i hosts.txt syntax. The -i flag is used to scan one or more Internet Protocol (IP) addresses.

The mbsacli /hf -fh hosts.txt syntax. The -fh flag causes the tool to scan the NetBIOS computer names specified in the named text file. You must specify one computer name on each line in the .txt file, up to a maximum of 256 names.

The mbsacli /hf -r hosts.txt syntax. The -r flag is used to specify a range of IP addresses to be scanned.


Switches available with /hf flag

mbsacli /hf [-h hostname] [-fh filename] [-i ipaddress] [-fip filename] [-r ipaddressrange] [-d domainname] [-n] [-sus SUSserver|SUSfilename] [-b] [-fq filename] [-s 1] [-s 2] [-nosum] [-sum] [-z] [-v] [-history level] [-nvc] [-o option] [-f filename] [-unicode] [-t] [-u username] [-p password] [-x] [-?]

To Select Which Computer to Scan

-h hostname - Scans the named NetBIOS computer name. The default location is the local host. To scan multiple hosts, separate the host names with a comma (,).

-fh filename - Scans the NetBIOS computer names that are specified in the text file that you named. Specify one computer name on each line in the .txt file, to a maximum of 256 names.

-i xxx.xxx.xxx.xxx - Scans the named IP address. To scan multiple IP addresses, separate each IP address with a comma.

-fip filename - Scans the IP addresses that you specified in the text file that you named. Specify one IP address on each line in the .txt file, with a maximum of 256 IP addresses.

-r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scans a specified range of IP addresses.

Note: You can use the previous switches in combination. For example, you can use a command line with the following format: mbsacli /hf -h hostname1,hostname2 -i xxx.xxx.xxx.xxx -fip ipaddresses.txt -r yyy.yyy.yyy.yyy-zzz.zzz.zzz.zzz

-d domainname - Scans a specified domain.

-n - Scans all the computers on the local network. All computers from all domains in Network Neighborhood (or My Network Places) are scanned.

Question: 3. (B)

You are a security administrator for Company. The network consists of a single Active Directory domain named Company.com. The Company.com Active Directory domain contains 150 Windows Server 2003 computers and 7,500 Windows XP Professional client computers. The network is made up of 64 class C IP subnets that range from 172.16.0.0 through 172.16.63.0. The finance department uses 135 computers on the 172.16.9.0/24 IP subnet. This subnet also contains computers that belong to other departments in the company. All finance department computers are members of the Company.com Active Directory domain. You need to produce a report that identifies which Microsoft security patches are not installed on the computers in the finance department. The report must contain information about only the finance department computers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Run Mbsacli.exe on a finance department computer with the option to scan computers in the Network Neighborhood.

B. Run Mbsacli.exe on a finance department computer with the option to scan computers by using a list of individual IP addresses on the finance department computers.

C. Run Mbsacli.exe on a finance department computer with the option to scan computers on the finance department IP subnet.

D. Run Mbsacli.exe on a finance department computer with the option to scan computers in the Company.com Active Directory domain.

Answer: B

Explanation:

Since there are non-accounting computers on the subnet, the scan needs to be performed by individual IP.

Objective: Implementing, Managing, and Troubleshooting Security for Network Communications

Sub-Objective: 3.4.1 Monitor IPSec policies by using IP Security Monitor.

1. Planning a Host Name Resolution Strategy, MCSA/MCSE Self-Paced Training Kit (Exams 70-292 and 70-296): Upgrading Your Certification to Microsoft Windows Server 2003, Microsoft Press, Chapter 7

The correct syntax is mbsacli /hf -fh hosts.txt. The -fh flag causes the tool to scan the NetBIOS computer names specified in the named text file. You must specify one computer name on each line in the .txt file, up to a maximum of 256 names. You should not use the mbsacli /hf -i hosts.txt syntax. The -i flag is used to scan one or more Internet Protocol (IP) addresses. You should not use the mbsacli /hf -r hosts.txt syntax. The -r flag is used to specify a range of IP addresses to be scanned.

Switches available with /hf flag

mbsacli /hf [-h hostname] [-fh filename] [-i ipaddress] [-fip filename] [-r ipaddressrange] [-d domainname] [-n] [-sus SUSserver|SUSfilename] [-b] [-fq filename] [-s 1] [-s 2] [-nosum] [-sum] [-z] [-v] [-history level] [-nvc] [-o option] [-f filename] [-unicode] [-t] [-u username] [-p password] [-x] [-?]

To Select Which Computer to Scan

-h hostname - Scans the named NetBIOS computer name. The default location is the local host. To scan multiple hosts, separate the host names with a comma (,).

-fh filename - Scans the NetBIOS computer names that are specified in the text file that you named. Specify one computer name on each line in the .txt file, to a maximum of 256 names.

-i xxx.xxx.xxx.xxx - Scans the named IP address. To scan multiple IP addresses, separate each IP address with a comma.

-fip filename - Scans the IP addresses that you specified in the text file that you named. Specify one IP address on each line in the .txt file, with a maximum of 256 IP addresses.

-r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scans a specified range of IP addresses.

Note: You can use the previous switches in combination. For example, you can use a command line with the following format: mbsacli /hf -h hostname1,hostname2 -i xxx.xxx.xxx.xxx -fip ipaddresses.txt -r yyy.yyy.yyy.yyy-zzz.zzz.zzz.zzz

-d domainname - Scans a specified domain.

-n - Scans all the computers on the local network. All computers from all domains in Network Neighborhood (or My Network Places) are scanned.

Reference:

Microsoft Baseline Security Analyzer (MBSA) version 1.2 is available, Microsoft Knowledge Base Article – 320454
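Preparing the address list for a per-department scan, as an added example that is not part of the original study guide: it builds the -fip input files from an asset inventory, keeps only the named department's hosts on the expected subnet, and splits the result at the 256-address limit quoted above. The inventory format (address, department pairs), the function names and the output file names are assumptions; only the mbsacli /hf -fip syntax comes from this page.

```python
import ipaddress
from pathlib import Path

MAX_PER_FILE = 256  # limit this page states for -fip (and -fh) list files


def build_fip_batches(inventory, subnet, department):
    """Return (batches, rejected) for one department.

    inventory: iterable of (ip_text, department) pairs (assumed format).
    Malformed addresses and addresses outside `subnet` are rejected rather
    than scanned, so a typo cannot pull another host into the report.
    """
    net = ipaddress.ip_network(subnet)
    selected, rejected = set(), []
    for ip_text, dept in inventory:
        if dept.strip().lower() != department.lower():
            continue  # other departments share the subnet; leave them out
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            rejected.append(ip_text)
            continue
        if ip in net:
            selected.add(ip)  # set membership removes duplicate entries
        else:
            rejected.append(ip_text)
    ordered = sorted(selected)
    batches = [ordered[i:i + MAX_PER_FILE]
               for i in range(0, len(ordered), MAX_PER_FILE)]
    return batches, rejected


def write_fip_files(batches, out_dir, stem="finance_ips"):
    """Write one address per line; return the mbsacli command for each file."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    commands = []
    for n, batch in enumerate(batches, start=1):
        path = out_dir / f"{stem}_{n}.txt"
        path.write_text("".join(f"{ip}\n" for ip in batch), encoding="ascii")
        commands.append(f"mbsacli /hf -fip {path.name}")
    return commands
```

Review the `rejected` list before scanning: an inventory entry that claims to be a finance machine but sits outside 172.16.9.0/24 is either a data-entry error or a host that has moved.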
