The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing. Click to purchase, check out the complete book excerpt series.
Check your answers to Exam Cram Quiz #1: Designing an access control strategy for data.
Answer C is correct. The Delegation of Control Wizard focuses on the task itself and sets the DACLs to the appropriate setting. Active Directory Users and Computers is not a delegation tool; therefore, answer A is incorrect. regedit.exe is a tool you can use to edit the Registry; therefore, answer B is incorrect. Advanced permissions would focus on the DACLs themselves; therefore, answer D is incorrect.
Answers A and B are correct. All auditing is local and should be set on the local computer, but this can be accomplished through the Local Security tool on the computer or through Group Policy. Advanced permission settings control the creation of the SACL used to audit the objects themselves, not the audit policy; therefore, answer C is incorrect. Event Viewer is a tool that you can use to view the security log for the results of a security audit; therefore, answer D is incorrect.
Answer A is correct. Logon events tracks local logons on a computer to which it is applied. Directory service access tracks the viewing and changing of specific Active Directory objects to which SACLs are applied; therefore, answer B is incorrect. Account logon events is applied on domain controllersto track their authorization of users who log on from other computers on the network; therefore, answer C is incorrect. Privilege use tracks the actions of a user exercising a user right; therefore, answer D is incorrect.
Answers B and C are correct. Using settings with broader permissions makes it easier for the system to process the permissions. Using the same settings for multiple objects creates less DACLs and makes it easier on the system as a result. You should avoid removing the default permissions as this could have unexpected results; therefore, answer A is incorrect. You should avoid assigning Full Control because it allows the person with delegated permissions to change your permission configurations; therefore, answer D is incorrect.
Answer B is correct. A Domain Local group is created to give access to a resource. It is, therefore, named for the resource and must be contained in the same domain as the resource. Global groups are created to contain users and other Global groups. They are generally named for the function of the user and must be contained in the same domain as their members; therefore, answer A is incorrect. Universal groups are created in the Active Directory of a domain that is in at least Windows 2000 native mode. They are generally named for the overall function of the members to be contained in them; therefore, answer C is incorrect. Nested is not a type of group. A group is said to be nested if it is contained within another group; therefore, answer D is incorrect.
Answers A and C are correct. NTFS permissions include List Folder Contents, Read, Read & Execute, Write, Modify, Full Control, and Special Permissions. Change is a type of share permission; therefore, answer B is incorrect. Full Control permissions allow a user to take ownership and are common to shares and NTFS; therefore, answer D is incorrect.
Answer B is correct. Write permissions to a file or folder allow a user to change the file or folder but do not allow him to delete it. Modify permissions are NTFS permissions that allow a user to delete a file or folder; therefore, answer A is incorrect. Change permissions are share permissions that allow a user to delete a file or folder; therefore, answer C is incorrect. Read & Execute are NTFS permissions that do not allow a user to change a file or folder; therefore, answer D is incorrect.
Answers B and D are correct. You should first combine the share permissions and determine a result. Next, you should combine the NTFS permissions and determine a result. The effective permissions will then be the most restrictive of the two results. Determining the most restrictive of all of the permissions is not one of the steps; therefore, answer A is incorrect. Determining the least restrictive of all of the permissions is not one of the steps; therefore, answer C is incorrect.
Answer D is correct. Volume shadow copies can only be created on NTFS volumes. Volume shadow copies consist of a file and the "shadows" representing only the changes to the file, not full copies of the file; therefore, answer A is incorrect. Volume shadow copies are created on a schedule set by the administrator. The default schedule is twice per day at 7:00 a.m. and 12:00 p.m.; therefore, answer B is incorrect. Volume shadow copies do not replace the need to back up servers; therefore, answer C is incorrect.
Answers C and D are correct. You only need to audit the Registry when you feel that it has been attacked because auditing consumes system resources and reviewing the audits takes time. The administrator of a computer is, by default, the only account that has the right to make changes to the Registry of that computer. The Registry can be changed indirectly by users with the GUI tools; therefore, answers A and B are incorrect.
Click for the book excerpt series or purchase the book here.