Chapter 13

1. B. The Minimum password age policy enables you to prevent users from cycling rapidly through passwords and thereby defeating the Enforce password history policy. When enabled, a user cannot change her password again for the interval specified by this policy.
2. E. The Store passwords using reversible encryption policy reduces security because it stores passwords in a format that is essentially the same as plain text. You should enable this policy only if needed for clients that cannot use normal encryption.
3. A, B, C. All these policies affect user lockouts and help to prevent unauthorized access by intruders while minimizing inconvenience to legitimate users. By enabling the Account lockout duration policy and specifying a short interval such as 10 minutes, an intruder attempting a password attack of some type will be locked out of the account. If a legitimate user is locked out because of entering her password incorrectly, she only needs to wait this specified interval before she is able to log on; during this interval, the intruder will likely try elsewhere. The Account lockout threshold policy setting specifies how many incorrect passwords can be entered before the account is locked out; keep this value low enough so that a legitimate user has several attempts should she make typing mistakes. The Reset account lockout counter after policy specifies the number of minutes after which the account lockout counter is reset to zero; it prevents lockouts in the event that a legitimate user makes errors at several different times. The Password must meet complexity requirements policy prevents use of simple passwords but does not affect account lockout.
4. D. You should specify the password policy settings in a PSO that is linked to a security group in the Legal OU that contains the user accounts of Legal department employees. Password policies specified in a GPO linked to an OU are not enforced by default; only the password policies specified in a GPO linked to the domain are enforced. Neither the Block Inheritance nor the No Override option changes this effect. You cannot link a PSO to an OU; you can link only to a user or group.
5. B, D. You need to use Adsiedit.msc to create a PSO containing the fine-grained password policy settings that you want to apply. Then you need to use Active Directory Users and Computers (or in Windows Server 2008 R2, Active Directory Administrative Center) to link the PSO to the group to which it should apply (in this case, the Research group). You would use Gpedit.msc (the Group Policy Management Editor) to create domain-based account policy settings and the Group Policy Management Console to access a GPO in which you apply these settings. However, these tools are not used in creating PSOs. Windows PowerShell enables you to perform many Windows- and Active Directory–based management actions, but you cannot configure a PSO.
6. A. When multiple PSOs have been configured, the PSO applied directly to a user’s account will override all other PSOs. If multiple PSOs are applied to the same group, the PSO with the lowest Password Settings Precedence value will apply. Any settings defined in PSOs will override the default settings that have been applied to any domain-based GPO.
7. B. The Security Templates tool enables you to save a custom security policy template on a member server. You can then use the Security Configuration and Analysis tool to create a database containing the settings in the policy template and apply them to the standalone server. You cannot apply these settings directly to the standalone server by means of Security Configuration and Analysis. The Security Configuration Wizard enables you to check the security settings applied to your servers but not to copy settings from one server to another. You could manually specify all the required settings using the Local Security Policy snap-in at the standalone server; however, this procedure is more tedious and error-prone than using the Security Configuration and Analysis and Security Templates tools.
8. D. You should audit the Detailed Directory Service Replication subcategory of directory service auditing. This subcategory tracks all the actions specified here. To enable this auditing subcategory, use the Advanced Audit Policy Configuration node in the Windows Server 2008 R2 Group Policy Management Console. In the original version of Windows Server 2008, you must use the Auditpol.exe command-line tool to configure this auditing subcategory.
9. A, D. The Audit account management event includes creation, modification, or deletion of user accounts or groups; renaming or disabling of user accounts; and configuring or changing passwords. The Audit logon events policy tracks logon or logoff by a user at a member server or client computer. The Audit account logon events policy tracks logon or logoff by a domain user account at a domain controller and not at local computers. Audit object access tracks when a user accesses an object such as a file, folder, Registry key, or printer that has its own system access control list (SACL) specified. This action is not required in this scenario.
10. C. Auditing of object access is a two-step process. First, you must enable auditing of object access in the appropriate GPO, as you have done. Second, you must also configure the SACL for each required object. This involves specifying auditing entries for the folder containing the documents to be audited. It is not necessary to enable auditing of logon events to track modifications to documents. Auditing of object access can be enabled at any GPO applicable to the server containing the documents; it is not necessary to enable this in a GPO linked to the Legal OU. Directory service access tracks access to AD DS objects such as user or group accounts or OUs; it does not track access to document files or folders.
11. D. The Audit Account Lockout policy enables you to configure auditing of this specific action. It is found only under Logon/Logoff within Advanced Audit Policy Configuration\Audit Policies. The new granular auditing policies found in Windows Server 2008 R2 enable this level of auditing, which is not found in the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy subnode and is not available on older Windows Server computers. Further, this setting is not found under Account Logon (which deals with logons and logoffs at domain controllers and not at member servers or client computers).
12. B. The Auditpol.exe tool enables you to configure auditing from the command line, as is necessary when working at a Server Core computer. Adsiedit.msc enables you to configure fine-grained password policies among other tasks. Gpedit.msc is the Group Policy Management Editor, which enables you to configure GPOs on computers running the full version of Windows Server 2008. Scwcmd.exe is a command-line version of the Security Configuration Wizard, which enables you to maintain security of your servers. None of these other tools enables you to configure auditing from the command line.
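The interaction between Account lockout threshold, Account lockout duration and Reset account lockout counter after described in answer 3 is easiest to see by simulating it. The following is an added example, not code from the book; it is a simplified model of the lockout bookkeeping (times in minutes, constructed attempt sequences), not a reproduction of the Windows implementation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    """The three Account Lockout Policy settings discussed in answer 3."""
    threshold: int         # Account lockout threshold (bad attempts; 0 = never lock out)
    duration_min: int      # Account lockout duration, in minutes
    reset_after_min: int   # Reset account lockout counter after, in minutes

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[float] = None   # minute of the most recent bad attempt
    locked_until: Optional[float] = None  # minute at which the lockout expires

class LockoutSimulator:
    """Simplified model (an assumption, not Windows' exact internals) of lockout bookkeeping."""
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.state = AccountState()

    def attempt(self, t_min: float, correct: bool) -> str:
        """Process one logon attempt at time t_min; return 'ok', 'denied' or 'locked'."""
        st, p = self.state, self.policy
        if st.locked_until is not None:
            if t_min < st.locked_until:
                return "locked"            # still inside Account lockout duration
            st.locked_until, st.bad_count, st.last_bad_at = None, 0, None  # auto-unlock
        # Reset account lockout counter after: old bad attempts stop counting
        if st.last_bad_at is not None and t_min - st.last_bad_at >= p.reset_after_min:
            st.bad_count = 0
        if correct:
            st.bad_count, st.last_bad_at = 0, None
            return "ok"
        st.bad_count += 1
        st.last_bad_at = t_min
        if p.threshold and st.bad_count >= p.threshold:
            st.locked_until = t_min + p.duration_min
            return "locked"
        return "denied"

def run_scenario(policy: LockoutPolicy, attempts: List[Tuple[float, bool]]) -> List[str]:
    sim = LockoutSimulator(policy)
    return [sim.attempt(t, ok) for t, ok in attempts]

# Constructed sample policy: threshold 5, 10-minute lockout, counter resets after 10 minutes
POLICY = LockoutPolicy(threshold=5, duration_min=10, reset_after_min=10)
# Constructed rapid-guessing sequence: five wrong passwords in four minutes, then the right one
RAPID = [(0, False), (1, False), (2, False), (3, False), (4, False), (5, True), (14, True)]
# Constructed legitimate-user sequence: typos spread half an hour apart, then success
SPREAD = [(0, False), (1, False), (30, False), (31, False), (60, False), (61, True)]
```

Running `run_scenario(POLICY, RAPID)` locks the account on the fifth attempt and keeps even the correct password out until the duration expires, while `run_scenario(POLICY, SPREAD)` never locks because the counter resets between the user's mistakes.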