
Configuring Windows 7 (Training Kit) - Part 85 doc


DOCUMENT INFORMATION

Basic information

Title: Configuring Windows 7 (Training Kit) - Part 85
School: Standard University
Major: Information Technology
Type: Guide
Year of publication: 2023
City: New York
Format
Pages: 10
File size: 128.91 KB


B. Correct: You should assign the Modify permission because this allows users to add, modify, and delete files located in the accounting shared folder.

C. Incorrect: You should not assign the Full Control permission because then users have the ability to modify shared folder permissions.

D. Incorrect: You cannot assign the Owner permission to groups. When you use basic sharing, Windows automatically assigns this permission to the user who shares the folder.

5. Correct Answer: D

A. Incorrect: Enabling this option does not ensure that shared resources are visible to other computers in the HomeGroup. This option allows HomeGroup readers to read and write files in the public folder.

B. Incorrect: Enabling this option does not ensure that shared resources are visible to other computers in the HomeGroup. This option controls the encryption level of file sharing connections.

C. Incorrect: Password Protected Sharing restricts access to shared resources hosted on the client. Only users with local accounts on the client are able to access shared resources when Password Protected Sharing is enabled. Enabling this option does not ensure that shared resources are visible to other computers in the HomeGroup.

D. Correct: Network Discovery allows the client to find other computers on the network. It also allows other computers on the network to view resources shared by the client.

Lesson 2

1. Correct Answer: B

A. Incorrect: Jeff needs an EFS certificate for you to be able to encrypt a file that he can access. Changing a password does not generate an EFS certificate.

B. Correct: If Jeff encrypts a file on the computer, it generates an EFS certificate. You can then use this EFS certificate to encrypt the file to his account.

C. Incorrect: Jeff does not need write access to the file for you to be able to use EFS to encrypt the file to his account. Jeff needs an encryption certificate, which can be generated by having Jeff encrypt a file on the computer.

D. Incorrect: Letting Jeff take ownership of the files does not allow you to use EFS to encrypt the file to his account. Jeff needs an encryption certificate, which can be generated by having Jeff encrypt a file on the computer.

2. Correct Answers: A and B

A. Correct: When you apply the Read & Execute (Deny) permission, Windows also automatically applies the List Folder Contents (Deny) and Read (Deny) permissions.

B. Correct: When you apply the Read & Execute (Deny) permission, Windows also automatically applies the List Folder Contents (Deny) and Read (Deny) permissions.

C. Incorrect: Windows does not apply the Modify (Deny) permission when you apply the Read & Execute (Deny) permission.

D. Incorrect: Windows does not apply the Write (Deny) permission when you apply the Read & Execute (Deny) permission.

3. Correct Answer: D

A. Incorrect: Robocopy can be used to copy files and their associated NTFS permissions but cannot be used to calculate permissions.

B. Incorrect: Icacls can be used to display permissions but cannot be used to calculate the result of cumulative permissions.

C. Incorrect: Cipher is used to manage certificates and cannot be used to calculate the result of cumulative permissions.

D. Correct: The Effective Permissions tool can be used to calculate the result of cumulative permissions that accrue through multiple group memberships.

4. Correct Answers: A and D

A. Correct: Encrypted files remain encrypted when copied or moved to compressed folders.

B. Incorrect: Encrypted files remain encrypted when copied or moved to compressed folders. Only unencrypted files become compressed when moved to compressed folders.

C. Incorrect: Files retain their original NTFS permissions only when they are moved between folders on the same volume. If you move them between volumes, they inherit the permissions of the destination folder. You can use Robocopy to move files and retain their NTFS permissions, but Robocopy was not mentioned in the question text.

D. Correct: Files that are moved using Windows Explorer inherit the NTFS permissions assigned to their destination folder.

5. Correct Answer: B

A. Incorrect: EFS can be used to limit which users can access a document by encrypting it only to certain user accounts, but it cannot be used to track which user accounts have been used to access files.

B. Correct: Auditing allows you to track which user accounts are used to access files and folders. You can configure auditing to track successful and failed attempts to use any of the special permissions.

C. Incorrect: You cannot use NTFS permissions to record which user accounts are used to access documents; you can only use NTFS permissions to restrict which user accounts are used to access documents.

D. Incorrect: BranchCache is used to speed up access to files across the wide area network (WAN); it cannot be used to record which user accounts access documents in a sensitive folder.

Lesson 3

1. Correct Answers: A and B

A. Correct: If you are going to use hosted cache mode, it is necessary to deploy at least one server running Windows Server 2008 R2 with the BranchCache feature enabled in each branch office.

B. Correct: Windows 7 Enterprise and Ultimate editions support BranchCache. You must upgrade clients to one of these operating systems if they are going to utilize BranchCache.

C. Incorrect: Windows 7 Professional does not support the BranchCache feature.

D. Incorrect: A Windows Server 2008 RODC is not necessary to support BranchCache.

2. Correct Answers: B and D

A. Incorrect: You can use Net share to manage shared folders on a client running Windows 7, but you cannot use it to enable and configure BranchCache. You can use it to enable BranchCache on a computer that hosts a shared folder, but BranchCache needs to be enabled and configured before you can do this.

B. Correct: You can use Netsh in the BranchCache context and the Local Group Policy Editor to configure BranchCache on a client running Windows 7.

C. Incorrect: Ipconfig provides IP address configuration information. You cannot use Ipconfig to configure BranchCache on a client running Windows 7.

D. Correct: You can use Netsh in the BranchCache context and the Local Group Policy Editor to configure BranchCache on a client running Windows 7.

3. Correct Answer: C

A. Incorrect: If you use the command netsh branchcache set service disabled, the content accessed over the WAN link is not cached locally.

B. Incorrect: If you use the command netsh branchcache set service mode=distributed, it is possible that the content will be shared with the other computer running Windows 7 Ultimate, although in a properly configured environment, file and folder permissions would restrict access.

C. Correct: You should use the command netsh branchcache set service mode=local, because this allows the computer running Windows 7 Ultimate to satisfy requests from its local cache without allowing that cache to be accessible to other computers on the network.

D. Incorrect: You should not use the command netsh branchcache set service mode=hostedclient location=fs-alpha.contoso.internal. You can use the hostedclient mode only if there is a server running Windows Server 2008 R2 that has BranchCache enabled on your LAN.

4. Correct Answer: D

A. Incorrect: The command netsh branchcache set service mode=distributed configures Distributed Cache mode rather than Hosted Cache mode. The question specifies that the clients use Hosted Cache mode.

B. Incorrect: The command netsh branchcache set service mode=local sets the client to use local caching only. The question specifies that the clients use Hosted Cache mode.

C. Incorrect: The command netsh branchcache set service mode=hostedserver clientauthentication=domain is used to configure the host server and cannot be used to configure a Hosted Cache mode client.

D. Correct: To configure a BranchCache client to use a particular server in Hosted Cache mode, issue the command netsh branchcache set service mode=hostedclient location=servername. You must specify the name of the local server running Windows Server 2008 R2 that functions as the BranchCache host when configuring Hosted Cache mode.

5. Correct Answer: A

A. Correct: The Configure BranchCache For Network Files policy allows you to set the latency value above which network files are cached by client computers in the branch office.

B. Incorrect: The Set Percentage Of Disk Space Used For Client Computer Cache policy configures the cache size; it cannot be used to configure latency settings.

C. Incorrect: Configuring the Set BranchCache Distributed Cache Mode policy sets the client to use Distributed Cache Mode. You cannot configure latency settings using this policy.

D. Incorrect: Configuring the Set BranchCache Hosted Cache Mode policy sets the client to use Hosted Cache Mode. You cannot configure latency settings using this policy.

Chapter 8: Case Scenario answers

Case Scenario 1: Permissions and Encryption

1. You need to export the user’s private key from computer Waverley and import it to computer Warrandyte.

2. Create a recovery agent certificate using Cipher.exe. Use the Local Group Policy Editor to assign this certificate as a recovery agent.

3. You can use Robocopy.exe or Icacls.exe to move the files from one volume to another while retaining their existing permissions. If you just move the files, the permissions will be lost.

Case Scenario 2: Configuring Contoso Branch Offices

1. You should use Distributed Caching mode in the Wangaratta branch office because you are

2. You should configure the Hosted Cache mode at the Traralgon office because this ensures that a maximum number of files are available in the centralized cache. Hosted Cache allows the cache to remain online, unlike Distributed Cache, which requires that all clients remain online. A server running Windows Server 2008 R2 is present at the Traralgon branch office to support Hosted Cache mode.

3. Install the BranchCache feature on the server and configure shared folders to support BranchCache. Run the command set service mode=hostedserver clientauthentication=domain on the server.

Chapter 9: Lesson review answers

Lesson 1

1. Correct Answer: B

A. Incorrect: You should not configure the policy UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Elevate Without Prompting. This policy relates to all administrator accounts except the built-in administrator account, which must be managed with other policies.

B. Correct: You should configure the UAC: Admin Approval Mode For The Built-In Administrator Account policy to Enabled. This ensures that the built-in administrator account must respond to a UAC prompt when performing a task that requires elevated privileges.

C. Incorrect: You should not configure the UAC: Admin Approval Mode For The Built-In Administrator account policy to Disabled. This policy setting disables the UAC prompt for the built-in administrator account.

D. Incorrect: You should not configure the policy UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Consent For Non-Windows Binaries. This policy relates to all administrator accounts except the built-in administrator account, which must be managed with other policies.

2. Correct Answer: B

A. Incorrect: You should not configure the User Account Control: Behavior Of The Elevation Prompt For Standard Users: Automatically Deny Elevation Requests policy. When this policy is configured, standard users receive no prompt when they perform a task that requires elevation, and the elevation attempt automatically fails.

B. Correct: You should configure the User Account Control: Behavior Of The Elevation Prompt For Standard Users: Prompt For Credentials policy. This ensures that a standard user is prompted for credentials when an attempt is made at elevation.

C. Incorrect: You should not configure the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Credentials because this policy relates to approval for administrator accounts rather than standard user accounts.

D. Incorrect: You should not configure the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode: Prompt For Consent because this policy relates to approval for administrator accounts rather than standard user accounts. This policy also provides a prompt for consent rather than a prompt for credentials.

3. Correct Answers: A and D

A. Correct: You can use the Local Group Policy Editor console to import and export security-related policies. You could export the policies from the reference computer and then import them on each of the 30 client computers in the lab.

B. Incorrect: You cannot use the Computer Management console to import or export UAC policies.

C. Incorrect: You cannot use the User Account Control settings control panel item to import and export UAC policies.

D. Correct: You can use the Local Security Policy console to import and export security-related policies. You could export the policies from the reference computer and then import them on each of the 30 client computers in the lab.

4. Correct Answer: D

A. Incorrect: The UAC: Only Elevate Uiaccess Applications That Are Installed In Secure Locations policy does not deal with the writing of data to protected locations. This policy deals with a special class of applications that interact with the operating system in an unusual way and restricts their execution based on location within the file system.

B. Incorrect: The UAC: Only Elevate Executables That Are Signed And Validated policy does not deal with the writing of data to protected locations. It is used to restrict privilege elevation requests to applications that are digitally signed.

C. Incorrect: The UAC: Behavior Of The Elevation Prompt For Standard Users policy does not deal with the writing of data to protected locations; instead, it is used to configure Windows to provide UAC prompts for standard users.

D. Correct: The UAC: Virtualize File And Registry Write Failures To Per-User Locations policy determines whether application writes to protected locations are redirected elsewhere. Disabling this policy ensures that an application that attempts to write data to a protected location fails.

5. Correct Answer: C

A. Incorrect: You should not configure the UAC: Admin Approval Mode For The Built-In Administrator account. This policy relates to how UAC works for the built-in administrator account. To accomplish your goal, you need to disable the switch to Secure Desktop policy.

B. Incorrect: You should not configure the UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy. This policy is already properly configured. To accomplish your goal, you need to disable the switch to Secure Desktop policy.

Desktop. If this policy is disabled, whether a UAC prompt appears on the Secure Desktop depends on the setting in the UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode policy.

D. Incorrect: You should not configure the UAC: Behavior Of The Elevation Prompt For Standard Users policy. This policy relates to standard users and does nothing to disable Secure Desktop for administrators. To accomplish your goal, you need to disable the switch to Secure Desktop policy.

Lesson 2

1. Correct Answer: B

A. Incorrect: You cannot remove saved Runas credentials using the Runas command. You must use the Credential Manager.

B. Correct: You can use the Credential Manager to remove credentials saved using the Runas command.

C. Incorrect: You cannot use the Certificates console to remove credentials saved using the Runas command. The Certificates console is used to manage certificates.

D. Incorrect: You cannot use UAC settings to remove credentials saved using the Runas command. The User Account Control settings dialog box is used to change which situations trigger UAC prompts.

2. Correct Answers: C and D

A. Incorrect: You should not configure the Interactive Logon: Smart Card Removal Behavior Properties: No Action policy because this allows users to remove their smart cards but still remain logged on.

B. Incorrect: You should not configure the Interactive Logon: Smart Card Removal Behavior Properties: Lock Workstation because this locks the workstation rather than forcibly logging off the user that removed the smart card.

C. Correct: You should configure the Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff policy setting because you want users logged off when they remove their smart cards.

D. Correct: You should configure the Interactive Logon: Require Smart Card: Enabled policy because this requires users to log on using a smart card.

3. Correct Answer: B

A. Incorrect: The question does not state that the account has been locked; it says that the user has forgotten her password. Unlocking an account works only if a user knows her password. It does not reset her password.

B. Correct: You need to reset her password. The user loses access to encrypted files if she has not backed up her EFS key. The user also loses access to any saved credentials stored in Windows Vault.

C. Incorrect: You can create a password reset disk for an account only if you know the account password. You cannot create a password reset disk for another user account or for one where the user has forgotten her password.

D. Incorrect: You should not create a password reset disk for your own account because this does not help resolve the user’s problem.

4. Correct Answer: D

A. Incorrect: The Enforce Password History policy ensures that a user is unable to use a recently used password when changing his password. It does not ensure that a user must change his password after a certain amount of time.

B. Incorrect: The Minimum Password Length policy ensures that a user’s password meets a minimum length requirement. It does not ensure that a user must change his password after a certain amount of time.

C. Incorrect: The Minimum Password Age policy stops a user changing his password for a minimum amount of time after the most recent password change. It does not ensure that a user changes his password after a certain amount of time.

D. Correct: The Maximum Password Age policy ensures that a user must change his password after a certain amount of time has expired. In this case, you would set the policy to 21 days.

5. Correct Answers: B, C, and D

A. Incorrect: Credential Manager can back up Web site credentials, user names and passwords, and some forms of digital certificates, but it cannot back up self-signed EFS certificates generated by Windows 7 when you first encrypt a file.

B. Correct: You can use the Manage File Encryption Certificates tool to back up EFS certificates to a password-protected PFX file.

C. Correct: You can use the Certificate Manager console to export an EFS certificate to a password-protected PFX file.

D. Correct: Cipher.exe is a command-line tool that you can use to back up an EFS certificate to a password-protected PFX file.

Chapter 9: Case Scenario answers

Case Scenario 1: User Account Control at Coho Vineyard

1. You need to configure the UAC: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy and set it to Prompt For Credentials. You also need to set the UAC: Switch To The Secure Desktop When Prompting For Elevation policy to Disabled. This ensures that administrators are prompted for credentials but do not have to respond

2. You need to configure the UAC: Behavior Of The Elevation Prompt For Standard Users policy to ensure that standard users are prompted for credentials when they perform an act that requires elevation. You also need to configure the UAC: Allow UIAccess Applications To Prompt For Elevation Without Using Secure Desktop policy. Doing this allows remote user interaction with the UAC prompt when connected through UIAccess applications.

3. You need to configure the UAC: Only Elevate Executables That Are Signed And Validated policy. You can use this policy because all applications that might require elevation at Coho Vineyard have digital signatures.

Case Scenario 2: Resolving Password Problems at Wingtip Toys

1. Ensure that users back up their EFS key. This can be done using Cipher.exe, the Manage File Encryption Certificates tool, or through Certmgr.msc. The users should use Credential Manager to back up their stored Web site passwords.

2. Get each user to create his or her own password reset disk.

3. Configure the Maximum Password Age policy and configure the Enforce Password History policy.

Chapter 10: Lesson review answers

Lesson 1

1. Correct Answer: D

A. Incorrect: Teredo is appropriate when a client has a private IPv4 address and when no firewall blocks traffic on UDP port 3544. Because this port is blocked, the client uses IP-HTTPS.

B. Incorrect: To use 6to4, the client must have a public IPv4 address. The question states that the client has been assigned a private IPv4 address.

C. Incorrect: To use a globally routable IPv6 address, the client must be assigned a globally routable IPv6 address.

D. Correct: IP-HTTPS is used when the DirectAccess client is assigned a private IPv4 address on a network that allows Internet access but that has a firewall that restricts most forms of network traffic.

2. Correct Answers: A and B

A. Correct: Only Windows 7 Ultimate and Enterprise editions support the DirectAccess feature.

B. Correct: Only domain-joined clients running Windows 7 are able to use DirectAccess.

C. Incorrect: AppLocker policies control which applications can execute on a client running Windows 7. AppLocker policies do not relate to DirectAccess.

D. Incorrect: BranchCache policies allow clients in branch offices to cache WAN content locally. BranchCache policies do not relate to DirectAccess.

3. Correct Answer: A

A. Correct: The DirectAccess server needs to have two network adapters and needs to be assigned two consecutive public IPv4 addresses.

B. Incorrect: The DirectAccess server needs to have two network adapters. One network adapter must be assigned to the internal network, and the other must be accessible to the Internet.

C. Incorrect: The DirectAccess server needs to be assigned two consecutive public IPv4 addresses.

D. Incorrect: The DirectAccess server needs to have two network adapters. One network adapter must be assigned to the internal network and the other must be accessible to the Internet.

4. Correct Answer: A

A. Correct: DirectAccess configures special GPOs that contain the DirectAccess configuration settings. These GPOs are applied to specific security groups that contain computer accounts. A computer must be a member of these specific security groups for it to be configured to use DirectAccess.

B. Incorrect: DirectAccess configuration occurs through the application of Group Policy based on computer account domain group membership. It does not rely on local group membership.

C. Incorrect: The computer account must be a member of the domain security group, not the user account.

D. Incorrect: The computer account must be a member of the domain security group, not a user account that is a member of a local group.

5. Correct Answer: D

A. Incorrect: The ipconfig command displays IP address configuration. It does not display information about DirectAccess IP-HTTPS server configuration.

B. Incorrect: The netsh interface 6to4 show relay command displays 6to4 information. 6to4 can be used when a computer is assigned a public address, rather than a private one, and is not behind a NAT device.

C. Incorrect: The netsh interface ipv6 show teredo command displays Teredo information. Teredo cannot be used if a hotel network firewall blocks all traffic except that on port 80 and 443.

D. Correct: The netsh interface httpstunnel show interfaces command shows information

Date posted: 02/07/2014, 10:20