Microsoft 70 - 270: Installing, Configuring and administering Microsoft windows XP professional: Version 21.0

s for individual resources such as files, Active Directory objects, and registry keys. The Power Users group cannot, by default, manage the security and auditing logs. This option is not required for this scenario, however. We just want the Power users to be able to specify auditing on files and folders. Subsection, Configure, manage, and troubleshoot account settings (0 questions) Subsection, Configure, manage, and troubleshoot account policy (2 Questions) QUESTION NO: 1 You are a help desk technician for TestKing.com. Susan is an executive. Because Susan travels frequently, she uses a Windows XP Professional portable computer that has a smart card reader. Susan asks you to configure her computer so that she can dial in to the company network when she is out of the office. Company security policy states that dial-in users must use a smart card when they connect to the network, and that the users must use the strongest form of data encryption possible. Company security policy 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 224 - also states that client computers must disconnect if the routing and remote access server does not support both smart card authentication and the strongest possible authentication. You need to configure the dial-up connection properties on Susan’s computer to dial in to the company network. Your solution must ensure that company security policies are enforced. Which three actions should you perform? (Each correct Answer: presents part of the solution. Choose three) A. Select the Advanced (custom settings) security option. B. Select the Require data encryption check box. C. Select the Typical (recommended settings) security option. D. Select the Use smart card item from the Validate my identity as follows list. E. Select the Maximum strength encryption item from the Data encryption list. F. Select the Allow these protocols option, and select the MS-CHAP v2 check box. G. Select the Extensible Authentication Protocol (EAP) option, and select Smart Card or other Certificate from the EAP list. Answer: A, E, G. Explanation: Company security policy requires that dial-in users must use a smart card to connect to the network, must use the strongest form of data encryption possible and client computers must disconnect if the routing and remote access server does not support both smart card authentication and the strongest possible authentication. Therefore we should configure the dial-up connection properties on Susan’s computer by selecting the advanced settings to set specific protocols and other options. We must then select the Extensible Authentication Protocol (EAP) option and select Smart Card or other Certificate from the EAP list. This will enable smart card authentication. We must then select the Maximum strength encryption item from the Data encryption list to ensure that only the maximum security is used. This will ensure that client computers will disconnect if the routing and remote access server does not support both smart card authentication and the strongest possible authentication. Incorrect Answers: B: By select the Require data encryption check box we will ensure that some form of encrypted authentication occurs but we will not ensure that maximum strength encryption is used. C: The Typical (recommended settings) security option does not use maximum strength encryption. D: The Use smart card item in the Validate my identity as follows list will not ensure that only the maximum strength encryption is used, you have to edit the advanced properties. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 225 - F: MS-CHAP v2 is not the highest form of encryption. QUESTION NO: 2 You are a help desk technician for TestKing.com. Marie is a member of your company's sales department. Marie asks you to configure her Windows XP Professional portable computer so that she can dial in to the company network when she is out of the office. The company uses two servers for Routing and Remote Access: one is a Microsoft Windows NT server 4.0 computer, and the other is a Windows 2000 Server computer. Each server contains four modems. Each modem connects to a dial-up telephone line, and a single telephone number distributes incoming calls across the eight telephone lines. Company security policy requires that dial-up logon credentials be encrypted and use the maximum possible security when they are transmitted. You need to ensure that Marie can dial in and log on by using her domain user account. You also need to ensure that company security policy is enforced. How should you configure the security settings for the dial-up connection? A. Select the Typical (recommended settings) option. Select the Require data encryption (disconnect if none) check box. B. Select the Typical (recommended settings) option. Select the Require secured password list item from the validation list. C. Select the Typical (recommended settings) option. Select the Automatically use my Windows logon name and password (and domain if any) check box. D. Select the Advanced (custom settings) option. On the Advanced Security Settings tab, clear all check boxes except the Microsoft CHAP Version 2 (MS-CHAP v2) check box. Answer: D. Explanation: MS-CHAP version 2 encrypts all authentication traffic and thus meets the company security policy. Note: Originally Windows NT 4.0 Server did not support MS CHAP v2. Windows NT 4.0 Server Service pack 4 and later supports MS CHAP V2. It seems safe to assume that the Windows NT Server 4.0 computer in this scenario has service pack 4.0 or later. Incorrect Answers: 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 226 - A: The Require data encryption (disconnect if none) check box will encrypt the data but not the authentication. It will therefore still permit unencrypted authentication. B: We should require both secured password and data encryption. We need to ensure the MS-CHAP v2 is used as it has the strongest encryption. The only way to do this is with the advanced settings. C: The Automatically use my Windows logon name and password (and domain if any) check box will not provide encryption of authentication information. Subsection, Configure, manage, and troubleshoot user and group rights (0 questions) Subsection, Troubleshoot cache credentials. (1 question) QUESTION NO: 1 You are a help desk technician for TestKing.com. Your company's network includes an Active Directory domain and Windows XP Professional computers that are configured as members of the domain. Company policy prohibits users from accessing their computers unless they are authenticated by a domain controller. However, users report that they can log on to their computers, even though a network administrator has told then that a domain controller is not available. As a test, you log off of your computer and disconnect it from the network. You discover that you can log on by using your domain user account. You need to ensure that users cannot access their computers unless they are authenticated by a domain controller. How should you configure the local computer policy on these computers? A. Enable the Require domain controller to unlock policy. B. Set the Number of previous logons to cache policy to 0. C. Remove all user and group accounts from the Log on locally user right. D. Remove all user and group accounts from the Access this computer from the network user right. Answer: B. Explanation: If we log on to a computer and we are authenticated by a Domain Controller, our logon is cached. If we try to log on again, but no Domain Controller is 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 227 - available, Windows will look for a cached logon. If one exists, we will be permitted to log on. To disable this ability, we should configure Windows not to cache logons. Incorrect Answers: A: This setting does not exist. C: This will disable all logons even if a DC is available for authentication. D: This will not affect the user’s ability to log on locally. Section 4: Configure, manage, and troubleshoot Internet Explorer security settings. (9 Questions) QUESTION NO: 1 You are a help desk technician for Trey Research. All employees use Windows XP Professional computers. A user named Anne reports a problem browsing the Internet. She says that she cannot use a search to browse to www.treyresearch.com You use Remote Assistance to examine search engines on Anne’s computer. When you try to use the search engine, you receive the following warning message: "You cannot send HTML forms." When you try to use other search engines on Anne's computer, you receive the same message. Anne verifies that she is able to use the search engine to browse the company intranet without problems. You need to ensure that Anne can use any search engine to browse the Internet from her computer. What should you do? A. Instruct Anne to click the Search button on the Internet explorer toolbar and then type her search keywords in the form displayed by Internet explorer. B. Instruct Anne to use https:// instead of http:// when typing the URLs for the search engines. Instruct Anne to ensure that Internet Explorer displays a lock icon in its status bar before she submits information in a form on a Web page. C. On Anne’s computer, open the Security properties for Internet explorer. Add www.treyresearch.com to the Trusted Sites list. Clear the Require server verification for all sites in this zone check box. D. On Anne’s computer, open the Security properties for Internet explorer. In the security settings for the Internet zone, select the Submit non-encrypted form data option. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 228 - Answer: C. Explanation: The Trusted sites zone is intended for sites that we consider absolutely safe. In our scenario the www.treyresearch.com should be considered safe, since it is the URL of the company. The Require server verification for all sites in this zone check box specifies whether Internet Explorer verifies that the server for a Web site is secure before connecting to any Web site in this zone. By clearing this option http traffic would be allowed and https would not be required. Incorrect Answers: A: This is a security configuration problem. The user does not need to be instructed how to perform the search – the procedure is correct. B: It would be awkward for the users to type https://. It is better to clear the Require server verification for all sites in this zone check box for the zone www.treyresearch.com. This would allow http traffic. D: This option is the default setting. No encrypted data would be needed to access the site www.treyresearch.com. QUESTION NO: 2 You are a help desk technician for your company Litware,Inc. Litware, Inc. maintains a secure intranet Web site at intranet.litwareinc.com. All employees use Windows XP Professional computers. A user named Katherine reports that she cannot access the secure Web site by using Internet explorer. When she types into the Internet explorer address bar, an error message reports that the digital certificate is not from a trusted source. You confirm that the intranet Web server is using a digital certificate issued by your company's Enterprise Certificate Authority. The Enterprise Certificate Authority is located on a server named certificates.litwareinc.com You need to ensure that Katherine can access the secure intranet Web site without receiving an error message. What should you do? A. Ask a network administrator to modify the properties for IIS on intranet.litwareinc.com and set the SSL port number to 443. B. Ask your network administrator to create a Certificate Trust List (CTL) that includes your Enterprise Certificate Authority. On Katherine’s computer, open the Certificates settings for Internet explorer and import the CTL. C. On Katherine’s computer, open the security properties for Internet Explorer. Add intranet.litwareinc.com to the Trusted Sites list. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 229 - D. On Katherine’s computer, open the Security properties for Internet Explorer. Open the Trusted Sites dialog box, and select the Require server verification for all sites in this zone check box. E. On Katherine’s computer, open Internet Explorer’s list of certificates. Import a copy of the certificate used by the intranet.litwareinc.com server into Katherine’s Trusted Publishers certificates store. Answer: E. Explanation: The Internet Explorer Certificate Manager enables you to install and remove trusted certificates for clients and CAs. Many CAs have their root certificates already installed in Internet Explorer. You can select any of these installed certificates as trusted CAs for client authentication, secure e-mail, or other certificate purposes, such as code signing and time stamping. If a CA does not have its root certificate in Internet Explorer, you can import it. Each CA’s Web site contains instructions that describe how to obtain the root certificate. To install or remove clients and CAs from the list of trusted certificates click Internet Options on the Tools menu, and then click the Content tab. Click Certificates and then click the Trusted Publishers tab. To add other certificates to the list, click Import. The Certificate Manager Import Wizard steps you through the process of adding a certificate. Incorrect Answers: A: This is the default setting and so does not need to be changed. B: You do not need to create a new list. You can add certificates to the existing list. C: The Trusted sites zone is intended for sites that you consider absolutely safe. For the most part, IE will accept just about any type of content from such sites, without considering potential harm. The only exception is that users will be prompted before downloading unsigned ActiveX controls or ActiveX controls that have not been marked as safe. We want to avoid this prompting. D: The Require server verification for all sites in this zone setting specifies whether Internet Explorer should verify that the server for a Web site is secure before connecting to any Web site in this zone. This setting does not concern digital certificates. QUESTION NO: 3 You are a help desk technician for TestKing.com. All users have Windows XP Professional computers. A user named Richard reports that he cannot access www.southridgevideo.com, an Internet Web site, by using Internet explorer. Whenever Richard types into the Internet explorer address bar, he receives 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 230 - the following error message; “Your security settings prohibit the display of unsigned ActiveX Controls.” According to company policy, users should download unsigned ActiveX control only from Internet Web sites that have been approved by the company's information security department. You verify that www.southridgevideo.com is listed as an approved Web site. On Richard’s computer, you also verify that Internet explorer is configured with the default settings. You need to ensure that Richard can access www.southridgevideo.com without receiving an error message. You also want to comply with company properties for Internet explorer on Richard’s computer. You need to configure Richards's computer. First, you open the Security properties for Internet Explorer on Richards's computer. Which two actions should you perform next? (Each correct Answer: presents part of the solution. Choose two) A. Add www.southridgevideo.com to the Trusted Sites list. B. Remove www.southridgevideo.com from the Restricted Sites list. C. In the Internet zone settings, enable the Allow unsigned ActiveX control option. D. Open the Local intranet sites dialog box and clear the Include all network paths check box. E. Open the Trusted Sites dialog box and clear the Require server verification for all sites in this zone check box. F. Open the Intranet Sites dialog box. In Advanced properties, add www.southridgevideo.com to the list of Web sites. Answer: A, E. Explanation: The Trusted sites zone is intended for sites that you consider absolutely safe. For the most part, Internet Explorer will accept just about any type of content from such sites, without considering potential harm. The only exception is that users will be prompted before downloading unsigned ActiveX controls or ActiveX controls that have not been marked as safe. The Require server verification for all sites in this zone check box specifies whether Internet Explorer verifies that the server for a Web site is secure before connecting to any Web site in this zone. By clearing this option http traffic would be allows and https would not be required. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 231 - Incorrect Answers: B: www.southridgevideo.com has not been added to the Restricted Sites list. Unsigned drivers are disabled by default in the Internet zone. C: Enabling the Allow unsigned ActiveX control option in the Internet zone would give access to www.southridgevideo.com but it would also allow downloading of unsigned from any internet site. This would break company policy which only allows downloading of unsigned drivers from approved sites. D: This is not a problem with a local intranet site. It is a problem with a public Internet site. F: The Intranet zone does not allow unsigned controls by default. QUESTION NO: 4 You are a help desk technician for TestKing.com. Michael and Veronica are users in your company's marketing department. Michael and Veronica use Windows XP Professional portable computers. Michael and Veronica use Internet explorer to connect to a Web-based Internet e- mail service. Michael reports that he is required to provide a user name and password each time he accesses the Web site. However, Veronica is not required to log on each time she accesses the Web site. The Web site remembers Veronica’s user name and password. You need to configure Michael’s computer so that the Web site can remember his user name and password. How should you configure Internet explorer on Michael’s computer? A. Set the security level for the Internet zone to medium. B. Set the privacy configuration for First party cookies to accept. C. Modify the privacy configuration so that the Always allow session cookies check box is selected. D. Modify the security configuration so that the Internet e-mail Web site is included in the Trusted Sites list. Answer: B. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 232 - Explanation: A cookie is a text file that the Web site places on our hard disk. In this case, the text file would contain the username and password. First-party cookies are cookies that are associated with the host domain. Third-party cookies are cookies from any other domain. Incorrect Answers: A: This would affect all the security settings. We only need to change one setting. C: Session cookies are deleted when the user disconnects from the Web site. We need a permanent cookie so the information is still there after we disconnect from the website. D: This will not resolve the problem. The site needs to write a cookie to our hard disk. QUESTION NO: 5 You are the administrator of 20 Windows XP Professional computers for Contoso, Ltd. The computers are members of a Windows 2000 domain. The domain contains an enterprise certification authority (CA). The CA is used to issue Web server certificates to the human resources (HR) department's intranet Web servers. When users connect to the intranet Web servers at https://intra.hr.contoso.com, the Security Alert dialog box appears, as shown in the exhibit. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 233 - You want to ensure that the users can securely connect to the HR department's intranet Web servers and that the Security Alert dialog box does not appear. What should you do? A. Add *.hr.contoso.com to the list of sites in the Local intranet zone. B. Add the server certificate for intra.hr.contoso.com to the Trusted Publishers list. C. Add the enterprise CA root certificate to the Trusted Root Certificate Authorities list. D. Configure Internet Explorer to enable the Use TLS 1.0 option Answer: C Explanation: The clients receive the certificate, but they don't trust the publisher of the certificate. We should add the certificate of issuing CA, the CA root certificate, to the Trusted Root Certificate Authorities list. Incorrect Answers: A: Adding the domain to the Local intranet zone, would set the security level for this Internet domain. It would not, however, remove the Security Alert dialog box. The clients must be configured to trust the Certificate Authority. B: First the certifying authority must be trusted. The server for intra.hr.contosos.com is a Web server, not a Certificate Authority. D: The clients must be configured to trust the Certificate Authority. This is not achieved by enabling the Use TLS 1.0 option. TLS 1.0 is communication protocol, and it is not involved in security. QUESTION NO: 6 You are the administrator of 300 Windows XP Professional computers. The computers are members of a Windows 2000 domain and are connected to the Internet. A user named Andrea reports that when she attempts to place an online order at https://www.contoso.com/sales, she receives the dialog box that is shown in the Security Alert exhibit. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 234 - When you connect to https://www.contoso.com/sales from other Windows XP Professional computers, you do not receive an error message. You verify that Andrea correctly typed the address of the Web site. The security certificate that was returned from the Web site to Andrea's computer is shown in the Certificate exhibit. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 235 - You want to ensure that Andrea can securely place an online order at https://www.contoso.com/sales without receiving an error message stating that the security certificate and the site name do not match. What should you do? A. Use the Certificate Import Wizard to install the certificate in the certificate store. B. Configure Internet Explorer to enable the Check for server certificate revocation option. C. Configure Internet Explorer to add www.contoso.com to the list of sites in the Trusted sites zone. D. Update the Hosts file on Andrea's computer. Use virus-detection software to check for Trojan horse applications that might have changed the Hosts file. Answer: B Explanation: The first exhibit shows that the security certificate is from a trusted certifying authority, but that name of the security certificate is invalid or does not match 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 236 - the name of the site. The second exhibit shows the Canonical Name (CN) incorrectly is set to warez.cpandl.com instead of the correct www.contoso.com. Clearly this certificate should not be trusted. We should make Internet Explorer to check if certificates already have been revoked. We must enable the Check for server certificate revocation option (see note below). Note: Entrust.net's Certificate Revocation List (CRL) is a list of every Web server certificate that has been revoked. Revoked Web server certificates are no longer trusted for a variety of reasons ( for example, the private key has been lost or compromised). Modern browsers will automatically check a CA's CRL to determine if a Web server certificate is trustworthy. Without such a capability, it is not possible to maintain a trustworthy networking environment. End users who have Internet Explorer 5.0 or higher can turn on Auto CRL by following the steps below: 1. Click on the Tools menu 2. Select Internet Options 3. Select the Advanced tab 4. Scroll down to Security Options and make sure the following 2 options are checked: - Check for publisher's certificate revocation - Check for server certificate revocation 5. Restart your machine Reference: What are the benefits of Entrust.net's Web server certificate service? Incorrect Answers: A: The second exhibit shows that the exhibit is certificate is not trustworthy. The Canonical Name, warez.cpandl.com, and the O=Contoso fake site is a clear indication of this. We should not use this certificate. C: The problem is that the certificate is fake, not that www.contoso.com is not trusted. D: This is not a name resolution problem. The problem is the fake certificate. Note: The Hosts file contains host name to IP address mappings. QUESTION NO: 7 You are the administrator of 20 Windows XP Professional computers. The computers are members of a Windows 2000 domain and are used by your company’s Web developers. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 237 - The Web developers report that that can access the company’s intranet Web servers successfully when they use short DNS names, such as and However, when they attempt to access the intranet servers by using the corresponding IP addresses, such as and they cannot download ActiveX components or execute scripts from the intranet servers. For testing purposes, the Web developers access the intranet servers by using the IP addresses. The IP addresses of the intranet servers are in the 10.65.1.0/24 address range. There is no firewall between the intranet servers and the Windows XP Professional computers that are used by the Web developers. You want to ensure that the Web developers can download ActiveX components and execute scripts when they access the intranet servers by using the IP addresses. You do not want to change the current settings for ActiveX components and scripts for Internet Explorer security zones. What should you do? A. Add the 1.65.10.in-addr.arpa reverse zone to the DNS server on the company network. B. Add 10.65.1.* to the list of sites in the Local intranet zone. C. Configure the Internet Explorer LAN connection settings to disable the Bypass proxy server for local addresses option. D. Configure the Local intranet zone to disable the Include all local (intranet) sites not listed in other zones option. Answer: B Explanation: A security setting prevents the downloading of ActiveX components and the execution of scripts when IP addresses are used. We solve this problem by explicitly adding the Web site to the Local intranet (see below). Local intranet sites are considered to be trusted and ActiveX components would be download and scripts would execute. Procedure: Open Internet Explorer->Tools Menu->Internet Options->Security tab- >Select Local Intranet->Sites button->Advanced button->finally add the site (see picture). 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 238 - Incorrect Answers A: There is no need to add entries to the DNS zone since the web servers can be accessed. Furthermore, reversed entries would be of no use here. C: There is no firewall or proxy between the web servers and the clients. D: If we disable the Include all local (intranet) sites not listed in other zones the local zones would no longer be considered local. This would be counterproductive. We want to add the IP address range to the zone, not remove sites from the local zone. QUESTION NO: 8 You are the administrator of a Windows XP Professional computer. The computer is a member of a Windows 2000 domain. The domain contains an enterprise certification authority (CA). You use the computer to connect to the Internet. Six months ago, you paid for online computer support services from a support company. The support company's Web site is at https://www.testkings.com. Now you attempt to connect to the Web site again to use the support service. Before the Web page is displayed, you receive a dialog box. The message in the dialog box asks you to select a certificate to use when you connect. However the list of certificates that is shown in the dialog box is empty. You cannot select a certificate and you cannot connect to the companys. Web page. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 239 - In Internet Explorer, you open the Internet Options dialog box and check Certificates. Several personal certificates appear in the Advanced Purposes list. You want to be able to connect to the support company's Web site at https://www.testkings.com. What should you do? A. Configure Internet Explorer to enable the Use TLS 1.0 option. B. Add the server certificate for www.testkings.com to the Trusted Publishers list. C. Contact the support company to obtain a certificate and add the certificate to the list of personal certificates. D. Request a user certificate from the enterprise CA. E. Change the security settings of the Internet zone to enable the Anonymous logon option. Answer: C Explanation: We need provide a valid certificate to be able to access the support site. We should ask the support company to provide us with an appropriate certificate. Note: Secure Sockets Layer (SSL) uses certificates for authentication. Incorrect Answers A: TLS (Transport Layer Security) 1.0 is used for backward compatibility. It would not be helpful here. B: The scenario does not seem to indicate that the client receives any server certificate from the support company. The client is immediately required to provide a certificate. D: A certificate from a local Certificate Authority would no help accessing the external site. E: Logon credentials are not used with SSL. Certificates are used instead. QUESTION NO: 9 Exhibit: 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 240 - You are the administrator of a Windows XP Professional portable computer at the TestKing.com main office in Toronto. When you are traveling, you often dial in to the Internet to connect to TestKing.com’s network. TestKing has a policy that prohibits Web sites that do not have a Platform for Privacy Preferences (P3P) privacy policy from saving cookies on employees’ computers. Web sites that do not have a P3P policy are allowed to save cookies. You configure Internet Explorer to comply with TestKing policy. After you make this configuration change, you receive a Privacy dialog box when you visit Web sites that do not comply with TestKing policy. The Privacy dialog box is shown in the exhibit. However, you notice that these Web sites still welcome you based on personalized information. The Restricted Web sites list in the privacy reports lists blocked cookies for these Web sites. You want to ensure that Web sites that do not comply with TestKing.com’s policy cannot track your access to their Web sites. What should you do? A. Change the Privacy setting to High. B. Change the Advanced Privacy setting to block cookies for first-party and third- party cookies. C. Change the Temporary Internet Files setting to check for newer versions of stored pages every time you start Internet Explorer. D. Delete existing cookies that you received from the noncompliant Web sites. Answer: D Explanation: The web sites are able to welcome you based on personalized information because their cookies already exist on your computer from previous visits to the sites. To prevent this, you need to delete your existing cookies. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 241 - Incorrect Answers: A: The Privacy setting will not affect existing cookies. It will only block new cookies. B: This will block new cookies. It won’t affect the existing cookies. C: This will check for newer versions of cached web pages. It will not affect existing cookies. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 242 - Questions that are not be allocated in the above Topics (8 Questions) QUESTION NO: 1 You are the desktop administrator for your company’s sales department. There are 20 Windows 2000 Professional portable computers in the sales department. You need to upgrade these computers to Windows XP Professional. You are able to successfully upgrade all 20 of the computers. However, one user reports that he is unable to open Add or Remove Program in Control Panel. You suspect that there is a corrupt .dll file. You want to repair this user’s computer with the least amount of administrative effort. What should you do? A. Run the Sfc.exe command to scan the computer. B. Run the Sigverif.exe command to verify file signatures. C. Run the Verify command to ensure file verification. D. Restart the computer, and select the last known good configuration. Answer: A Explanation: In Windows 2000 and Windows XP, the Windows File Protection (WFP) feature prevents overwriting or replacement of certain system files, such as system .dll files. A command-line utility called System File Checker (SFC.EXE) allows an Administrator to scan all protected files to verify their versions. SFC.exe scans all protected system files and replaces incorrect versions with correct Microsoft versions. In this scenario it seems likely that a system .dll is corrupted and should be replace or repaired- Reference: Windows 2000 Platform Development, Windows File Protection and Windows How to Use the File Signature Verification Tool to Find Third-Party Drivers (Q259283) Incorrect Answers: 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 243 - B: The Windows Signature Verification tool (Sigverif.exe) can be used to identify unsigned drivers on a Windows-based computer. However, it would not be able to repair or replace corrupted .dll files. C: There is no specific command called Verify in Windows XP that verifies files. Instead the sfc.exe command can be used to verify system files. D: Last Known Good configuration would be useless since the computer has just been upgraded from Windows 2000 Professional. QUESTION NO: 2 You are the desktop administrator for you company’s sales department. The IT manager for the sales department needs to distribute three custom applications to the department’s Windows XP Professional computers. She deploys these applications by using Group Policy. Some users report that they must log several times before the newly deployed applications are present on their computers. You need to ensure that all software is deployed the next time the users log on. What should you do? A. Enable the Always wait for the network at computer startup and logon policy. B. Enable the Always use classic logon policy. C. Enable the Turn off background refresh of Group Policy policy. D. Enable the Group Policy slow link detection policy. Answer: A Explanation: By default Windows XP clients, contrary to Windows 2000 clients, use Fast Logon Optimization. This results in the asynchronous application of policy when the computer starts up and when the user logs on. This makes the logon process faster, but some GPOs might not be applied. To ensure that all GPOs are applied we should enable the Always wait for the network at computer startup and logon policy. This would force the Windows XP clients to process the GPOs synchronously which guarantee that they are all applied. In this scenario this would ensure that the all published software would be deployed next time the users log on. Reference: 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 244 - Professor Windows - February 2002, Managing a Windows 2000 Domain with Windows XP Professional Clients Present MSDN, Platform SDK: Policies and Profiles, Logon Optimization Microsoft Windows XP Professional Administrator's Pocket Consultant, Chapter 8, Working with Logon and Startup Policies MSDN, Platform SDK: Policies and Profiles, Background Refresh of Group Policy Windows 2000 Server documentation, Policy for Group Policy: User configuration Incorrect Answers: B: The Always use classic logon policy only override the default simple logon screen and uses the logon screen from previous versions of Windows. It would not affect the processing of GPOs. C: The Background Refresh of Group Policy determines how often the GPOs are refreshed. If we enable the Turn off background refresh of Group Policy no GPOs would be refreshed. This would not address the current problem. D: The Group Policy slow link detection policy defines a slow connection for purposes of applying and updating Group Policy. There is no indication that any slow WAN links are used in this scenario however. QUESTION NO: 3 You are the administrator of 150 Windows XP Professional computers. The computers are members of a Windows 2000 domain. You use Group Policy objects (GPOs) and Windows Installer to install applications on the computers. Users in the App Managers group frequently need access to new applications. You want to deploy the applications so that they can be used from all 150 Windows XP Professional computers. You do not want the deployed applications to appear on users’ Start menus before the applications are installed. What should you do? A. Use a GPO linked to the domain to assign the new applications to users. Filter the GPO for the App Managers group. B. Use a GPO linked to the domain to publish the new applications to users. Filter the GPO for the App Managers group. C. Use a GPO linked to the domain to assign the new applications to computers. Filter the GPO for the App Managers group. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 245 - D. Use a GPO linked to the domain to publish the new applications to computers. Filter the GPO for the App Managers group. Answer: B Explanation: Published applications do not appear in the Start menu. You must install them with the Add/Remove Programs Control Panel applet. Applications can only be published to users, not to computers. Reference: Microsoft Windows 2000 Server White Paper, Windows 2000 Group Policy Incorrect Answers: A: We cannot use assigned applications as they appear on the Start menu. C: We cannot use assigned applications as they appear on the Start menu. D: Applications cannot be published to computers, only assigned. QUESTION NO: 4 You are the desktop administrator for TestKing.com. You install Windows XP Professional on a new portable computer that will be used by one of the company’s software developers. You test the computer after you complete the installation and find out the computer functions properly. The computer contains a 6-GB hard disk and a removable 4-GB hard disk. The 6- GB hard disk is configured as drive C, and the removable hard disk is configured as disk D. You install Windows 98 on drive D and deliver the computer to the software developer. The software developer reports that the computer does not start when drive D is not connected. Instead, the computer briefly displays an operating system menu, and then it displays an error message stating that an operating system could not be found. When drive D is connected, the computer starts Windows 98. You need to configure the computer so that it starts Windows XP Professional whether or not drive D is connected. What should you do? A. Modify the computer’s BIOS so that it automatically detect whether drive D is connected. B. Modify the computer’s BIOS so that drive C is first in the computers boot order. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 246 - C. Modify the Boot.ini file on the computer by changing the default= entry to the following value: multi(0)disk(0)rdisk(0)partition(1)=”Microsoft Windows XP Professional” /fastdetect D. Modify the Boot.ini file on the computer by changing the entry for Windows 98 to the following value: D: “Microsoft Windows 98” /fastdetect Answer: C Explanation: The scenario indicates that the computer always tries to start from the second disk: • When the second disk is connected it starts from it. • When only the first disk is connected it fails to start. We must change the default start entry to the first disk. This is achieved by changing the default entry to: multi(0)disk(0)rdisk(0)partition(1)=”Microsoft Windows XP Professional” /fastdetect Incorrect Answers A: This is not a feature that can be configured in BIOS. Furthermore, the BIOS always detects if any drives are connected in the first place. B: The C drive is already the drive which the computer boots from. It is just that disk 2 is the default boot disk. D: This is not the format of boot.ini entries. QUESTION NO: 5 You are the desktop administrator for TestKing.com’s sales department. The IT manager for the sales department wants to ensure that each Windows XP Professional event log retains approximately 5 MB of data. He deploys this policy to the computers in the sales department by using Group Policy. You find out that the policy has not been applied consistently. You need to ensure that the policy is applied consistently. Which command should you run? A.Secedit /refreshpolicy user_policy B.Secedit /refreshpolicy machine_policy C.Gpupdate /target:computer D.Gpupdate /target:user Answer: C 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 247 - Explanation: The Gpupdate command refreshes local and Active Directory–based Group Policy settings, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command. We should apply the policy to the computers, not to the users. Reference: Windows XP help, gpupdate Incorrect Answers A, B: The "old" secedit.exe was replaced with GPUpdate. D: We should apply the policy to the computers, not to the users. QUESTION NO: 6 You are the desktop administrator for TestKing.com. The company has an Active Directory domain that includes 15 Microsoft Windows NT Workstation 4.0 computers and 20 new Windows XP Professional computers. Domain users of Windows NT Workstation 4.0 computers can run an older application, developed by TestKing, on their computer. However, domain users of Windows XP Professional computers cannot run the same legacy application on their computers. You need to enable all users of Windows XP Professional computers to run this application. Your solution must not give the users administrative control of their computers. You create an organizational unit (OU) named Pro and a Group Policy object (GPO) named TestKingLegacy. How should you reconfigure the Windows XP Professional computers? A. Add the domain user accounts to the Pro OU. Import the Basicwk.inf security template to the TestKingLegacy GPO. B. Add the domain user accounts to the Pro OU. Import the Compatws.inf security template to the TestKingLegacy GPO. C. Add the computer accounts to the Pro OU. Import the Basicwk.inf security template to the TestKingLegacy GPO. D. Add the computer accounts to the Pro OU. Import the Compatws.inf security template to the TestKingLegacy GPO. Answer: D 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 248 - Explanation: We must use the Compatws.inf security template to make the Legacy application to run. The security template should be applied to the specific computers. Note: The Compatible template changes the default file and registry permissions that are granted to Users in a manner that is consistent with the requirements of most non- certified applications. Additionally, since it is assumed that the administrator that is applying the Compatible template does not want end users to be Power Users, the Compatible template also removes all members of the Power Users group. Reference: Windows XP Help, Predefined security templates Incorrect Answers B: The Security template should be applied to computers, not users. A, C: There is no basicwk.inf security template in Windows XP. QUESTION NO: 7 You are the desktop administrator for TestKing. Laura is a user in TestKing's accounting department. Laura uses a Windows XP Professional computer. Laura installs a new software application that was listed in her Add or Remove Programs list. Laura reports that the new application now opens whenever she double-clicks any file that has a .doc file name extension. She also reports that 24 new icons appear on the New menu when she right-clicks her desktop. Laura asks you to reconfigure her computer so that Microsoft Word opens when she double-clicks files that have a .doc file name extension. She also wants you to remove the new icons from the New menu. You instruct Laura to uninstall the new application. After she uninstalls the application, she reports that she can no longer open .doc files by double-clicking them. She also reports that the unwanted icons on the New menu are still present. You reinstall the new application, and it continues to open when Laura double- clicks .doc files. You want to restore the .doc file association and to remove the unwanted icons from the New menu on Laura's computer. You want to accomplish these tasks as quickly as possible. You also want to ensure that none of Laura's other documents or personal settings are affected. What should you do? A. Restore the computer to the restore point that was created when Laura installed the new application. B. Restore the System State data to Laura's computer from a backup tape. 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 249 - C. Use the Windows XP Professional CD-ROM to perform an Automated System Recovery (ASR) restore. D. Restart the computer by using the last known good configuration. Answer: A Explanation: System Restore is a component of Windows XP Professional that you can use to restore your computer to a previous state, if a problem occurs, without losing your personal data files (such as Microsoft Word documents, browsing history, drawings, favorites, or e-mail). System Restore monitors changes to the system and some application files, and it automatically creates easily identified restore points. These restore points allow you to revert the system to a previous time. They are created daily and at the time of significant system events (such as when an application or driver is installed). You can also create and name your own restore points at any time. Incorrect Answers: B: Restoring the system state data will not remove the application or restore file associations. C: An Automated System Recovery (ASR) restore would be used to repair a computer that won’t boot. It is not used to restore file associations or remove applications. D: The last known good configuration will return the registry to its state at the time of the last successful logon. This will not restore file associations or remove applications. QUESTION NO: 8 You are the desktop administrator for TestKing's sales department. The IT manager for the sales department needs to distribute a custom application to the Windows XP Professional computers in the sales department. He deploys the software by using Group Policy. Susan is a user in the sales department. She reports that the custom application is not available. You examine her computer, and you verify that the application is not present on her computer. You want to ensure that the software is deployed the next time Susan logs on. Which command should you run? A. Secedit /refreshpolicy user_policy /enforce B. Secedit /refreshpolicy machine_policy /enforce C. Gpupdate /target:computer /sync D. Gpupdate /target:user /sync Answer: C 70 - 270 Leading the way in IT testing and certification tools, www.testking.com - 250 - Explanation: The question states that the application is deployed to the computers. Therefore, we need to refresh the computer policy. The command to refresh the computer policy is gpupdate /target:computer /sync. This command has replaced the old secedit /refreshpolicy command. Incorrect Answers: A: The secedit /refreshpolicy command has been superseded by the gpupdate command. B: The secedit /refreshpolicy command has been superseded by the gpupdate command. D: The question states that the application is deployed to the computers. Therefore, we need to refresh the computer policy, not the user policy.