Archive for the ‘IT certification’ Category

Cisco 650-621 exam study guide

Friday, February 27th, 2009

You are considering a pilot program for the rollout of the first service pack for Office 2003 in your organization. All of the workstations in your organization are running Windows XP Professional. Your organization has five departments. There is also a small IT unit with five staff members. Each department has its own OU within the Active Directory structure. Approximately 100 user accounts reside in each OU. Because the requirements for each department are different, each department’s OU has an individualized Group Policy Object applied. You want the pilot program to run for a month before you deploy Office 2003 Service Pack 1 across the rest of your organization. You want to make sure that all applications currently used in the organization are compatible with the service pack. Which of the following is the best suggestion for membership of the pilot program?

  1. Create a lab with five different workstations running Windows XP. Add each of these workstations to the OU that corresponds to each department.

  2. Select one user from each department to be a member of the pilot program.

  3. Select five users from each department to be members of the pilot program.

  4. Have each member of IT join a corresponding departmental OU. Deploy the service pack to each IT staff member’s system.

    Correct Answers: C

Pass4sure 000-061 IBM NEDC Technical Leader

Tuesday, February 24th, 2009

In your Windows Server 2003 functional level domain CONTOSO.COM, you have a domain global group named SUPERUSERS. A security template has been configured that specifies the membership of the SUPERUSERS group as Rooslan, Oksana, Kasia, Shan, and Mick. This security template also assigns the SUPERUSERS group a large number of administrative rights. This security template has been imported into a GPO that is applied at the domain level and has been running perfectly for the past week. Today you get a call from your junior administrator who believes that he might have accidentally added the user accounts of Orin and Laherty to the SUPERUSERS group through the Active Directory Users and Computers console on the domain controller. You log on to the domain controller to check, and indeed these accounts have been added to the SUPERUSERS group. Which of the following steps should you take to most easily return the membership of the SUPERUSERS group to the original five users listed in the restricted groups policy as quickly as possible?

  1. From the command prompt on the domain controller, issue the GPUPDATE /FORCE command.

  2. Delete Orin, Laherty, and Mick’s user accounts from the membership of the SUPERUSERS group.

  3. Remove the GPO that is applied to the domain. Import the new security template into the Default Domain Policy GPO.

  4. Import the new security template back into the GPO that is applied to the domain.

  5. From the command prompt on the domain controller, issue the SECEDIT /REFRESHPOLICY command.

    Correct Answers: A

    1. Correct When the membership of a restricted group is altered manually by someone adding new members to the group, those members will remain until a policy update is forced. You can accomplish this instantly by running GPUPDATE /FORCE from the command prompt. After this is done, the group membership will be returned to its proper state.

    2. Incorrect This will not solve the problem. Mick’s user account is also supposed to be a part of the SUPERUSERS group.

    3. Incorrect This step is not necessary; on the next Group Policy update the membership of the group will be returned to its proper state.

    4. Incorrect This will not change anything; the GPO already has the correct security settings. The membership of the group will be returned properly when the next Group Policy update occurs.

    5. Incorrect Although this technique would have worked with Windows 2000, in Windows Server 2003 SECEDIT /REFRESHPOLICY has been replaced by the GPUPDATE command.

350-018 CCIE Pre-Qualification Test for Security

Friday, February 20th, 2009

Foley is planning the phased deployment of a new service pack for Windows XP Professional across the A. Datum Corporation organization. A. Datum Corporation has 700 users whose accounts are all contained within the default Users container of Active Directory directory service. The 700 computer accounts of the systems that these users use are located in the default Computers container. The users are divided into four domain global security groups. The Engineers group has 400 members, the Sales group has 150 members, the Secretarial group has 100 members, and the Management group has 50 members. Employees at A. Datum Corporation use their own workstations. In consultation with management, Foley has decided to split the deployment of the service pack into four phases. These phases are as follows:

  • Phase One: 200 members of the Engineers group

  • Phase Two: The rest of the Engineers group

  • Phase Three: Sales group and Secretarial group

  • Phase Four: Management group

Which of the following plans would allow Foley to carry out this phased deployment plan with the minimum of administrative effort?

  1. Create two new global security groups: ENG-PH1 and ENG-PH2. Create a GPO that assigns the service pack in the Computer Configuration\Software Settings\Software Installation node. For Phase One, apply this GPO to the ENG-PH1 group. For Phase Two, apply this GPO to the ENG-PH2 group. For Phase Three, apply this GPO to the Sales and Secretarial groups. For Phase Four, apply this GPO to the Managers group.

  2. Create two new global security groups: ENG-PH1 and ENG-PH2. Create a GPO that assigns the service pack in the User Configuration\Software Settings\Software Installation node. For Phase One, apply this GPO to the ENG-PH1 group. For Phase Two, apply this GPO to the ENG-PH2 group. For Phase Three, apply this GPO to the Sales and Secretarial groups. For Phase Four, apply this GPO to the Managers group.

  3. Create four new global security groups: Phase1, Phase2, Phase3, and Phase4. Add the computer accounts for the systems that the first 200 groups of engineers use to the Phase1 group. Add the computer accounts for the rest of the engineers’ systems to the Phase2 group. Add the computer accounts for the systems that the sales and secretarial groups use to the Phase3 group. Add the computer accounts for the systems that the managers use to the Phase4 group. Create a GPO that assigns the service pack in the User Configuration\Software Settings\Software Installation node. Assign this GPO to the default Users container, but in the Group Policy properties make sure that the Authenticated Users group does not have the Read and Apply Group Policy Allow check boxes checked. For each phase, add a security group and assign the Read and Apply Group Policy (allow) permission.

  4. Create four new global security groups: Phase1, Phase2, Phase3, and Phase4. Add the computer accounts for the systems that the first 200 groups of engineers use to the Phase1 group. Add the computer accounts for the rest of the engineers’ systems to the Phase2 group. Add the computer accounts for the systems that the sales and secretarial groups use to the Phase3 group. Add the computer accounts for the systems that the managers use to the Phase4 group. Create a GPO that assigns the service pack in the Computer Configuration\Software Settings\Software Installation node. Assign this GPO to the default Users container, but in the Group Policy properties make sure that the Authenticated Users group does not have the Read and Apply Group Policy Allow check boxes checked. For each phase, add a security group and assign the Read and Apply Group Policy (allow) permission.

  5. Create four new organizational units called Phase1, Phase2, Phase3, and Phase4. Move the computer accounts for the systems that the first 200 engineers use to the Phase1 OU. Move the rest of the engineers’ computer accounts to the Phase2 OU. Move all the computer accounts for the systems that the Sales and Secretarial group use to the Phase3 OU. Move all of the computer accounts for the systems that the managers use to the Phase4 OU. Create a new GPO named XPSP_DEPLOY. Configure the GPO so that it assigns the Windows XP service pack in the Computer Configuration\Software Settings\Software Installation node. For phase one, assign the XPSP_DEPLOY GPO to the Phase1 OU. For phase two of the deployment, assign the XPSP_DEPLOY GPO to the Phase2 OU. For phase three, assign the XPSP_DEPLOY GPO to the Phase3 OU. To finalize the deployment, assign the XPSP_DEPLOY GPO to the Phase4 OU.

Microsoft 70-630 answer and question

Friday, February 20th, 2009

You have created a domain local security group named IISADMINS in the single domain that is used at your organization. This group will be assigned special permissions and rights on your organization’s Web servers. You want to limit the membership of that group to four users: Orin, Oksana, Kasia, and Shan. The computers running Windows Server 2003 that host the organization’s Web Servers have all been placed in an organizational unit named IISSERV. IISSERV is a child OU of the MEMBERSERV OU. There are three sites at your company: HQ, Branch One, and Branch Two. Two IIS servers are located at Branch One, three are located at HQ, and one is located at Branch Two. You have configured the restricted groups node of a security template as shown in the figure below. The IISADMINS group has been assigned permissions only on the servers that are located within the IISSERV OU. Which of the following methods represents the best way of using this security template to meet your goal of limiting the membership of the IISADMINS group to the specified users?

  1. Import the Restricted-Group-IISADMINS security template into the Default Domain GPO.

  2. Import the Restricted-Group-IISADMINS security template into a GPO which you then apply to the IISSERV OU.

  3. Create a GPO, import the Restricted-Group-IISADMINS security template, and apply the GPO to the IISADMINS group.

  4. Log on to each IIS server locally and import the Restricted-Group-IISADMINS security template into the local Group Policy object.

    Correct Answers: B

    1. Incorrect Unless there is good reason to do otherwise, try to be as specific as possible when importing security templates. Because this template influences only servers in the IISSERV OU, this OU is the best place to apply a GPO that has had this template imported.

    2. Correct This answer follows the principle of applying Group Policy objects as specifically as possible. Rather than all computers in the domain having to process this policy when it isn’t relevant, only member systems in the IISSERV OU will have to process it.

    3. Incorrect Group Policy objects cannot be applied to groups. They can be applied only to organizational units, sites, and domains.

    4. Incorrect The Restricted Groups node is not available in local Group Policy objects. This security template can only be used on policies applied at the site, domain, or organizational unit level.

Cisco CCIP 642-691 answer question

Thursday, February 19th, 2009

You are planning a security template for an Internet Authentication Service (IAS) server that is to be located on your company’s perimeter network (also known as DMZ, demilitarized zone, and screened subnet) LAN. Users will authenticate against the server with their domain accounts. The internal firewall has been configured to allow necessary traffic between the IAS server and the organization’s domain controllers. At present, you are considering which services the template should start automatically. The template will be configured so that all services that are not critical to the function of the IAS server will be disabled. Which of the following services is critical for the function of an IAS server? (Select all that apply.)

  1. Certificate Services

  2. Background Intelligent Transfer Service

  3. Distributed Link Tracking Server

  4. Netlogon

  5. IAS service

    Correct Answers: D and E

    1. Incorrect Certificate Services is critical for the function of a Certificate Server, but not for an IAS server.

    2. Incorrect The Background Intelligent Transfer Service is not used by an IAS server.

    3. Incorrect Distributed Link Tracking Server is used for tracking linked files across NTFS drives and has nothing to do with running an IAS server.

    4. Correct Netlogon maintains a secure channel between the IAS server and a domain controller so that authentication can occur against domain accounts.

    5. Correct The IAS Service forms the core of an IAS server’s functions, and hence is mandatory in any security template supporting the IAS server role.

Pass4sure pk0-002 CompTIA Project+ Certification Exam

Monday, February 16th, 2009

Transmission Control Protocol/Internet Protocol (TCP/IP), the protocol suite used by most private networks and the Internet, was not designed for security. In fact, it is extraordinarily vulnerable. Communications are passed between as many as dozens of different network devices, and in the case of the public Internet, the sender of the message has no control over who owns the network equipment that carries the messages. There is ample opportunity for an attacker to eavesdrop on your private communications.

TCP/IP communications are also easy to impersonate and manipulate. When a computer receives a TCP/IP message, the computer has no way of determining whether the IP address in the message is genuine, or whether the message was modified in transit. This makes TCP/IP vulnerable to such attacks as the man-in-the-middle attack, which an attacker can use to compromise private data and user credentials.

Internet Protocol security (IPSec) is a newer protocol suite that works with TCP/IP to verify the integrity of communications, authenticate computers, and encrypt traffic. When implemented, IPSec dramatically reduces the risk of several common attacks. Microsoft Windows Server 2003, in addition to other recent versions of Microsoft Windows, includes IPSec capabilities. However, understanding, planning, and configuring an IPSec infrastructure is a complex task. This chapter will teach you the fundamentals of IPSec, provide you with information for planning an IPSec deployment, and familiarize you with the tools used to configure IPSec.

Cisco CCNP 642-845 exam study guide

Thursday, February 12th, 2009

Once again, consider the scenario of a remote user retrieving e-mail from a mail server on a private network. When the user’s e-mail client attempts to initiate a connection to the mail server’s IP address, IPSec on the client computer detects that traffic is being sent to a network that must be accessed by using IPSec tunnel mode. The client’s IPSec then establishes an IPSec connection to the IPSec gateway that provides access to the internal network.

IPSec will then encapsulate the entire packet generated by the e-mail client, including the source and destination IP addresses, the TCP header, and the application’s data. IPSec adds a new IP header with the destination address of the IPSec gateway. The IPSec gateway will decrypt the packet, restoring the packet to the original condition it was in when sent by the e-mail client. The original IP header is restored too, including the original source and destination IP addresses. Finally, the IPSec gateway forwards the packet to the mail server.

As with transport mode, the e-mail client is not aware that the communications were protected with IPSec. Unlike with transport mode, the mail server’s operating system also is unaware that IPSec was in use, because the IPSec gateway removed the IPSec header and trailer before forwarding the packets to the private network.

If hosts on two networks are communicating across the Internet and all clients are IPSec enabled, transport mode can be used to encrypt traffic between individual hosts, or tunnel mode can be used to encrypt all traffic sent between the two networks. Naturally, tunnel mode is more convenient because it doesn’t require every host to have IPSec enabled, but which is more secure?

Tunnel mode is more secure than transport mode, in theory. Remember, VPNs protect against an attacker trying to capture your traffic, analyze it, and use the information gathered to do something malicious. Imagine that an attacker is capturing IPSec-encrypted packets as they travel between the private networks of two competing businesses. If tunnel mode is used, all the attacker can determine is how much traffic is sent between the networks, and when it is being sent. This information might be useful because the attacker might be able to guess that a sudden increase in traffic volume indicates an impending merger between the companies and then use that information to buy some stock and make an illegal profit.

If transport mode is used, attackers can analyze the total volume of traffic being sent, just as they could with tunnel mode. However, they can also analyze the shape of traffic sent between hosts within the network. By analyzing the shape, they might be able to determine the internal IP addresses of Web and e-mail servers and build a partial map of the private network. Even though they can’t see the encrypted contents of the packets, they can examine the lengths of the packets and the communications patterns. Web traffic, for example, can be recognized even when encrypted because Web browsers send multiple, short requests to a Web server, which returns multiple, much longer responses containing the files that make up a Web page. E-mail servers, backup servers, and Active Directory directory service domain controllers can also be identified by attackers analyzing the shape of traffic.

Now, even if an attacker does manage to capture and analyze your traffic, would this information really be useful? Probably not, but I’ve talked to a few organizations that use this possibility as a justification to avoid VPNs, so I think it’s important to understand the risk. While we’re at it, a tin foil hat reduces the risk of aliens reading my mind, but you won’t see one on my head.
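As an added example (not part of the original post), the Python sketch below wraps constructed IPv4 packets in ESP transport mode and tunnel mode, then compares what an on-path observer can read from the outer headers and confirms that the gateway restores the original packet. The addresses, SPI values, key and the SHA-256 keystream standing in for ESP encryption are assumptions made for illustration, and the integrity check value is omitted.

```python
import hashlib
import ipaddress
import struct

ESP_PROTO, TCP_PROTO, IPIP = 50, 6, 4
KEY = b"constructed-demo-key"                      # assumption: demo key only
GW_A, GW_B = "198.51.100.1", "203.0.113.1"         # assumption: gateway addresses

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def addrs(packet):
    """Source and destination read from the (outer) IPv4 header."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))

def keystream_xor(key, seq, data):
    """Stand-in cipher so the demo runs offline. NOT a real ESP algorithm."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack("!II", seq, off)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def esp(key, spi, seq, inner, next_header):
    """ESP header (SPI, sequence) + encrypted inner data and ESP trailer."""
    pad_len = -(len(inner) + 2) % 4                # align to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + keystream_xor(key, seq, inner + trailer)

def transport_mode(key, packet, seq):
    """Original IP header stays in clear; only what follows it is encrypted."""
    src, dst = addrs(packet)
    return ipv4(src, dst, ESP_PROTO, esp(key, 0x1001, seq, packet[20:], packet[9]))

def tunnel_mode(key, packet, seq, gw_local, gw_remote):
    """Whole original packet is encrypted; a new header names only the gateways."""
    return ipv4(gw_local, gw_remote, ESP_PROTO, esp(key, 0x2001, seq, packet, IPIP))

def gateway_decapsulate(key, outer):
    """Receiving gateway: strip outer IP + ESP header, decrypt, drop the trailer."""
    seq = struct.unpack("!I", outer[24:28])[0]
    clear = keystream_xor(key, seq, outer[28:])
    return clear[:len(clear) - 2 - clear[-2]]

def observer_view(packets):
    """What an eavesdropper learns: outer address pairs and bytes per pair."""
    flows = {}
    for p in packets:
        flows[addrs(p)] = flows.get(addrs(p), 0) + len(p)
    return flows

# Constructed sample traffic from site A hosts to site B servers.
# The payload bytes stand in for the TCP header plus application data.
SAMPLE = [
    ipv4("10.1.0.5", "10.2.0.80", TCP_PROTO, b"GET /index.html"),
    ipv4("10.1.0.6", "10.2.0.80", TCP_PROTO, b"GET /logo.png"),
    ipv4("10.1.0.5", "10.2.0.25", TCP_PROTO, b"MAIL FROM:<a@example.test>"),
]

def run_demo():
    transport = [transport_mode(KEY, p, i) for i, p in enumerate(SAMPLE, 1)]
    tunnel = [tunnel_mode(KEY, p, i, GW_A, GW_B) for i, p in enumerate(SAMPLE, 1)]
    restored = [gateway_decapsulate(KEY, p) for p in tunnel]
    return observer_view(transport), observer_view(tunnel), restored

if __name__ == "__main__":
    t_view, tun_view, restored = run_demo()
    print("transport mode, observer sees:", t_view)
    print("tunnel mode, observer sees:   ", tun_view)
    print("gateway restored originals:   ", restored == SAMPLE)
```

In transport mode the observer's flow table lists every internal host pair, which is the raw material for the traffic-shape analysis described above; in tunnel mode it collapses to a single gateway-to-gateway entry.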

Testking Recently NEW certification exams

Thursday, February 12th, 2009

[350-030-LAB] – CCIE Voice Lab exam

[350-029-Lab] – CCIE Service Provider Lab exam
[70-562(VB)] – TS:MS.NET Framework 3.5, ASP.NET Application Development
[70-562(CSharp)] – TS:MS.NET Framework 3.5, ASP.NET Application Development
[642-655] – WAASFE-Wide Area Application Services for Field Engineers
[642-654] – WAASSE – Wide Area Application Services for System Engineers

[642-274] – Implementing Cisco Unified MeetingPlace Services
[310-400] – Sun Certified Integrator for Identity Manager 7.1
[310-105] – Sun Certified Solaris Associate
[310-084] – Sun Certified Web Component Developer for Java. EE5 Upgrade
[310-066] – Upgrade Exam for the Sun Certified Java Programmer.SE 6.0

[310-062] – Sun Certified Enterprise Architect for J2EE 5, Part3
[310-053] – Sun Certified Enterprise Architect, Java, EE5 Upgrade Exam
[310-045] – Sun Certified Netbeans IDE Specialist
[642-566] – Security Solutions for Systems Engineers
[74-675] – Microsoft@ Response Point, Configuring
[sy0-201] – CompTIA Security+ (2008 Edition) Exam
[190-982] – Administering IBM Lotus Quickr 8.1 Services for WebSphere Po
[190-981] – IBM Lotus Notes Domino 8.5 Building the Infrastructure
[190-980] – Lotus Notes Domino 8.5 System Administration Operating Funda.
[190-956] – IBM Lotus Notes Domino 8.5 System Administration Update.
[190-952] – IBM Lotus Notes Domino 8.5 Application Development Fundament
[190-951] – IBM Lotus Notes Domino 8.5 Application Development Update.
[190-950] – Administering IBM Lotus Quickr 8.1 Services for Domino
[000-964] – Storage Sales – N series Version 2
[000-014] – IBM Tivoli Storage Manager FastBack V5.5 Specialist
[HP1-P44] – Implementing Advanced Integrity Servers 2009
[HP0-M25] – Assessing Web Application Security
[HP1-J65] – Implementing Advance EVA Solution in a Blade Environment
[HP0-J22] – Designing HP StorageWorks Solutions
[BR0-002] – CompTIA Network + Bridge Exam
[BR0-001] – CompTIA Bridge Exam – Security+

Pass4sure VCP-310 VMware Certification exam information

Thursday, February 12th, 2009

Public key encryption uses two keys to encrypt and decrypt messages. A message encrypted with one key can only be decrypted with the second key in the key pair, and vice-versa.

To send a private message using public key encryption, encrypt the message with the recipient’s public key. Only the private key can be used to decrypt the message.

Certificates expire at a time specified when the certificate is generated. CRLs are used to revoke a certificate before that specified time.

Root CAs cannot issue certificates that are valid beyond the CA’s certificate’s expiration date. Specifying a long lifetime for the root CA reduces labor, but this might increase your vulnerability to brute force attacks.

Microsoft certification authorities (CAs) support two types of certificate templates: version 1 and version 2. Version 1 templates are provided for backwards compatibility and support many general needs for subject certification. Version 2 templates allow for the customization of most settings in the template.

Version 2 templates require Active Directory. They can be created and duplicated by any member of the Windows Server 2003 family; however, certificates based on Version 2 templates can be issued only by a CA that is running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

A Windows Server 2003 family CA provides several methods for certificate enrollment: Web-based, the Certificates console, the Certreq.exe command-line utility, and autoenrollment.

If you have a client running an operating system that is earlier than Windows 2000, you must use manual enrollment because it is not aware of Active Directory and Group Policy. Windows 2000 supports autoenrollment of computer certificates, and Windows XP and Windows Server 2003 support autoenrollment of both user and computer certificates.

Autoenrollment enables organizations to automatically deploy public key-based certificates to users and computers. It also supports smart card-based certificates.

If a user loses access to a private key, the user can lose important data. Specifically, EFS-encrypted files will be inaccessible.

Key archival and recovery can scale to meet enterprise requirements. However, it requires version 2 certificates, enterprise CAs, and Active Directory.

Cisco CCVP 642-453 Gateway Gatekeeper(GWGK)

Tuesday, February 10th, 2009

Install, manage, and configure Certificate Services.

Install and configure root, intermediate, and issuing certification authorities (CAs). Considerations include renewals and hierarchy.

Configure certificate templates.

Configure, manage, and troubleshoot the publication of certificate revocation lists (CRLs).

Configure archival and recovery of keys.

Deploy and revoke certificates to users, computers, and CAs.

Back up and restore the CA.

Encryption is a tremendously powerful security tool, providing authentication and high levels of privacy and data integrity that would otherwise be impossible. For encryption to be useful in an enterprise, you must deploy a public key infrastructure (PKI). Microsoft Windows Server 2003 implements PKI functionality in Certificate Services. As a security administrator, you need to be able to build a PKI infrastructure to suit the needs of organizations ranging from small businesses to enterprises.

Deploying the infrastructure is only the beginning, however. You also need to make the deployment of certificates to end users an easy and straightforward task. Ideally, you will deploy certificates with no user interaction whatsoever. You will also need to be able to save the day when users lose their private keys by recovering the private key and restoring their access to encrypted data.