
QUESTION NO: 1 SIMULATION

You are the network administrator for TestKing.com. You have recently deployed a new Active Directory domain. All domain controllers run Windows Server 2003. The network contains Windows NT Workstation client computers, Windows 98 client computers, and Windows XP client computers.

You discover that the Windows NT Workstation client computers and Windows 98 client computers cannot communicate with the domain controllers. You do not experience this problem with the Windows XP client computers. You have verified that there are no network connectivity issues.

You need to configure Group Policy objects (GPOs) to ensure that all client computers can communicate with the domain controllers. You want to ensure that the domain controllers support IP packet encryption where possible. You need to accomplish these configurations by configuring as few settings as possible. You cannot create new GPOs or GPO links.

What should you do?

Answer: Edit Default DC Policy.

Computer configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options

Disable: "Microsoft network server: Digitally sign communications (always)" (Default: Enabled for domain controllers)

Enable: "Microsoft network server: Digitally sign communications (if client agrees)"

QUESTION NO: 3 SIMULATION

You are the network administrator for TestKing.com. The network contains a Windows Server 2003 computer named TestKingA, which is located in a branch office. TestKingA is used as a file and print server. TestKingA contains a shared printer named TestKingPrinter.

You perform a security audit of your network. Based on this audit, you disable several services on TestKingA. Users in the branch office report a number of problems. These include the following problems:

1. Users cannot see servers in the network office by using My Network Places.
2. Users cannot print documents on TestKingPrinter.

You need to enable the appropriate services to resolve these issues without unnecessarily compromising the secure configuration of TestKingA. You need to ensure that in the event of a server reboot, these services remain enabled.

What should you do?

Answer: We need to restart the Computer Browser service and the Print Spooler service. We need to change the start-up type of the two services to "Automatic".

Step #1. Click Start > Programs > Administrative Tools > Services to open the Services console.

Step #2. Right click on the Computer Browser service and select Properties.

Step #3. Change the start-up type to Automatic and click OK.

Step #4. Right click on the Computer Browser service and select Start to start the service.

Step #5. Repeat steps 2-4 for the Print Spooler service.

QUESTION NO: 5 SIMULATION

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named TestKing.com.

You configure a Group Policy object (GPO) named GPO1 to require target computers to use SMB signing when requested. You configure a GPO named GPO2 to require target computers to use SMB signing for all communications.

The company's written security policy states that all SMB data sent to member servers in the human resources (HR) and sales departments must be digitally signed. All other computers should use SMB signing only when they are communicating with member servers.

All client computer accounts are located in an organizational unit (OU) named ClientComputers. All member server accounts in the sales department are located in an OU named SalesServers. All member server accounts in the HR department are located in an OU named HRServers.

You need to modify the GPO links to ensure that SMB signing functions as required. The number of GPO links needs to be kept as low as possible.

What should you do?

Answer: Link GPO2 (require SMB signing) to HRServers OU and SalesServers OU. Link GPO1 (SMB signing if requested) to ClientComputers OU.

Step #1. In Group Policy Management, expand the testking.com tree until you can see the organisational units.

Step #2. Right click on the HRServers OU and select "Link an Existing GPO..."

Step #3. Select GPO2 and click OK.

Step #4. Right click on the SalesServers OU and select "Link an Existing GPO..."

Step #5. Select GPO2 and click OK.

Step #6. Right click on the ClientComputers OU and select "Link an Existing GPO..."

Step #7. Select GPO1 and click OK.

QUESTION NO: 9 SIMULATION

You are the network administrator for Contoso, Ltd. The network contains a Windows Server 2003 computer that runs Certificate Services and serves as an enterprise certification authority (CA). You need to achieve the following goals:

1. Configure Certificate Services to issue code-signing certificates
2. Use the Certificate Services Web interface to request a code-signing certificate for yourself
3. Ensure that only a user named Bruno has the authority to add certificates to Active Directory

What should you do?

REQUIREMENT:1 Configure Certificate Services to issue code-signing certificates

(STEP:1 to STEP:3: step content not present on the page.)

REQUIREMENT:2 Use the Certificate Services Web interface to request a code-signing certificate for yourself

(STEP:1 to STEP:4: step content not present on the page.)

REQUIREMENT:3 Ensure that only a user named Bruno has the authority to add certificates to Active Directory.

(STEP:1 to STEP:2: step content not present on the page.)

QUESTION NO: 13 SIMULATION

You are the network administrator for Contoso, Ltd. The network contains a Windows Server 2003 computer named Server1. Server1 runs the Routing and Remote Access service, and is used to create a VPN connection between offices in New York and Boston. The VPN connection is a demand-dial interface.

The Boston VPN server has been renamed to router.contoso.com. You need to configure the New York VPN server to reflect this change.

You discover that the New York VPN server maintains a constant connection to the Boston office at all times. You want the connection to be terminated whenever there is no interoffice traffic for 10 minutes or more. In the event that the VPN connection is needed but not connected, you want the New York VPN server to automatically reattempt the connection every 10 seconds until a connection is achieved.

You need to reconfigure the New York VPN server to accomplish these goals.

What should you do?

Right-click Routing & Remote Access | Add Server: NY Server. Otherwise ok.

Step #1. Click Start > Programs > Administrative Tools > Routing and Remote Access. Click the Network Interfaces icon to display the network interfaces in the right pane. Double click on the VPN interface.

Step #2. Change the host name to router.contoso.com.

Step #3. Select the Options tab.

Step #4. Change the connection type to "Demand dial". Set the idle time before hanging up to 10 minutes. Set the redial attempts to the maximum 99 and the redial interval to 10 seconds. Click OK.

1st Sim I had was configuring, managing, and installing certificates

2nd Sim I had was Server/Role Management (add/remove programs)

3rd Sim I had was Routing and Remote Access (VPNs, DDR, etc)

4th Sim I had was a simple TCP/IP troubleshooter to uninstall both IIS and Windows Media sces to install code signing certificate sces and give user Bruno the right to publish certificates

RRAS where you change the name of the Boston router to router.contoso.com and change dial settings

The one with GPO1 and GPO2 for HRServers and SalesServers

One with IPSec, can't remember, but make sure you know your IPSec in and out

Sims: Number 1 (as appears on TK), Number 3 ( " " ), Number 10 ( " " ), Number 16 ( " " ) and Number 18 ( " " )

Sims 1, 3, 10, 16, 18

Sim 1 (TK wrong 100%) solution from Glow recommend. Edit Default DC Policy. Computer configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options. Disable: "Microsoft network server: Digitally sign communications (always)" (Default: Enabled for domain controllers). Enable: "Microsoft network server: Digitally sign communications (if client agrees)"

Sim 3 (TK Ok)

Sim 10:
step 1: open Certification Authority --> Issued Certificates --> Revoke Tess King certificate.
step 2: Right-click 'Revoked Certificates' | Publish | Publish CRL. Select 'New CRL' --> click OK

Sim 16 (TK Ok)

Sim 18 (TK Ok)

Other Sims

Sim 9:

1. Configure Certificate Services to issue code-signing certificates
- Open Certificate Services, right-click on Certificate Templates, click on New Certificate Template to Issue and select Code Signing

2. Use the Certificate Services Web interface to request a code-signing certificate for yourself
- In IE connect to http://server1/certsrv, click on Request a Certificate, User Certificate, Advanced Certificate Request, Create and submit a request to this CA, at Certificate Template: select 'Code Signing' --> click 'Submit', install this certificate, Yes, close IE

3. Ensure that only a user named Bruno has the authority to add certificates to Active Directory. (I correct error)
- Open AD Users & Computers --> Right-click on USER Bruno --> Properties --> ADD --> Cert Publishers group --> click OK

MUST DO: 1, 3, 5, 9, 13


Part - 1

SIMULATION:2

REQUIREMENT: You need to ensure that client computers and member servers are forced to use the most secure authentication protocols without disrupting the availability of network resources.

(STEP:1 to STEP:9: step content not present on the page.)

SIMULATION:10

REQUIREMENT:1 You need to ensure that Jack's certificate can't be used on the CA.

(STEP:1 to STEP:3: step content not present on the page.)

REQUIREMENT:2 You need to immediately update the CRL.

(STEP:1 to STEP:2: step content not present on the page.)

SIMULATION:18

REQUIREMENTS: You need to install Certificate Services on a Windows Server 2003 computer. You must ensure that the certificate store is automatically published to Active Directory. Certificate Services should use a self-signed root certificate, which uses a distinguished name of rootca.#########.com. You want the self-signed root certificate to be valid for three years.

(STEP:1 to STEP:7: step content not present on the page.)

SIMULATION:15

REQUIREMENTS: You need to ensure that only authenticated domain users can access the Web-based interface. You must not change the way users access other Web-based content on the same server. You must ensure that user credentials cannot be passed in clear text across the network.

(STEP:1 to STEP:4: step content not present on the page.)

SIMULATION:17

REQUIREMENTS: You need to ensure that only data sent to and from the servers in the HR Servers OU is encrypted. You also need to ensure that SMB signing is not configured on any computers in your environment. The number of GPO links needs to be kept as low as possible.

SOLUTION: You should not use GPO3 and GPO4, because we have to avoid SMB signing throughout the network. So the correct choices are:

1. Linking GPO1 to HR SERVERS OU. Secure Server (Require Security)
2. Linking GPO2 to CLIENT COMPUTERS. IP Security Policy: Client (Respond Only)

(STEP:1 to STEP:5: step content not present on the page.)

SIMULATION:19

REQUIREMENT:1 Mary changes her surname to "Gibson" and needs to have her certificate reflect this change. You need to ensure that Mary is only able to use her new certificate to authenticate to the network.

OLD CERTIFICATE:

(STEP:1 to STEP:3: step content not present on the page.)

NEW CERTIFICATE:
