These questions are based on 70-290 – Managing and Maintaining a Microsoft Windows Server 2003 Environment
Self Test Software Practice Test
Objective: Manage and Maintain a Server Environment.
Sub-objective: Manage servers remotely.
Multiple answer, multiple-choice
You are your company’s network administrator. The corporate network consists of a single Active Directory domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional.
The company’s written security policy stipulates that only authorized VBScript files be allowed to run on any client computers. Currently, the only authorized script is named Admin.vbs, and it is located in a shared folder named AdminTools on a file server named Server1. The Admin.vbs file is a framework for computer administration scripts. There are several script modules that are intended for performing different tasks. Each time you begin using the Admin.vbs file, you modify it to enable the appropriate module, depending on the task that you need to perform. You must configure the appropriate software restriction policy to enforce the written security policy.
What should you do? (Choose two. Each correct answer presents part of the solution.)
A. Digitally sign all .vbs files; create a certificate rule with the Restricted security level.
B. Create a path rule for \\Server1\AdminTools\Admin.vbs, and set the security level to Unrestricted.
C. Create a hash rule with the Disallowed security level for all .vbs files.
D. Create a certificate rule with the Disallowed security level for the Admin.vbs file.
E. Create a path rule for *.vbs and set the security level to Disallowed.
B. Create a path rule for \\Server1\AdminTools\Admin.vbs, and set the security level to Unrestricted.
E. Create a path rule for *.vbs and set the security level to Disallowed.
Software restriction policies prevent users from running unauthorized programs. Software restrictions are defined by a default security level and additional rules, which stipulate exceptions to the default security level. The default security level is initially set to Unrestricted, which allows the computer to run all programs. To prevent all .vbs files from being run, you should create a path rule, set its security level to Disallowed and specify the *.vbs path. When multiple rules of the same type apply to the same files, more specific rules override less specific rules. Thus, to override the previous rule in relation to the Admin.vbs file, you should create another path rule that targets only the Admin.vbs file and set the security level on that rule to Unrestricted.
It would be impractical to digitally sign all .vbs files to prevent them from being run. You would have to detect and sign each new .vbs file that appears on the network. Additionally, a security level can be set to either Unrestricted or Disallowed. Restricted is not a valid security-level setting. Similarly, it would be impractical to use a hash rule to restrict all .vbs files from being run because you would have to explicitly include each new .vbs file in the rule. Whenever any of the .vbs files changed, you would have to recalculate its hash; otherwise, the hash rule would no longer apply to the changed file.
If you created a certificate rule for the Admin.vbs file, then, for the rule to always remain in effect, you would have to sign the file each time it was changed. Additionally, to comply with the written security policy, the security level on this rule would have to be set to Unrestricted, not Disallowed.
Windows Server 2003 Online Help, Contents, “Security,” “Software Restriction Policies,” “Concepts.”
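The following Python sketch is an added example, not part of the practice test or of Windows itself. It models the two path rules from answers B and E and shows why a hash rule would stop matching Admin.vbs once the file is edited. The specificity ranking, the use of SHA-256 as a stand-in hash, and the sample file contents (including the module name `Inventory`) are assumptions made for illustration.

```python
import fnmatch
import hashlib
import ntpath

DEFAULT_LEVEL = "Unrestricted"  # default security level, as stated above

# The two path rules from answers B and E.
PATH_RULES = [
    ("*.vbs", "Disallowed"),
    (r"\\Server1\AdminTools\Admin.vbs", "Unrestricted"),
]

def specificity(pattern):
    """Assumed ranking: exact path > wildcard with folder > bare wildcard."""
    has_wildcard = any(c in pattern for c in "*?")
    return (not has_wildcard, "\\" in pattern, len(pattern))

def path_rule_level(file_path):
    """Return the level of the most specific matching path rule."""
    matches = []
    for pattern, level in PATH_RULES:
        pat, target = pattern.lower(), file_path.lower()
        if "\\" not in pat:            # bare pattern: compare file name only
            target = ntpath.basename(target)
        if fnmatch.fnmatchcase(target, pat):
            matches.append((specificity(pattern), level))
    return max(matches)[1] if matches else DEFAULT_LEVEL

def file_hash(content):
    # SHA-256 stands in for whatever hash the policy engine records.
    return hashlib.sha256(content).hexdigest()

def hash_rule_matches(content, recorded_hashes):
    """A hash rule applies only while the file's bytes are unchanged."""
    return file_hash(content) in recorded_hashes

# Constructed sample contents: the framework before and after enabling a module.
ORIGINAL = b"' Admin.vbs framework\r\n' EnableModule = \"\"\r\n"
EDITED = b"' Admin.vbs framework\r\n' EnableModule = \"Inventory\"\r\n"

if __name__ == "__main__":
    for p in (r"\\Server1\AdminTools\Admin.vbs", r"C:\Temp\Admin.vbs",
              r"C:\Temp\logon.vbs", r"C:\Windows\notepad.exe"):
        print(f"{p:35} -> {path_rule_level(p)}")
    recorded = {file_hash(ORIGINAL)}
    print("hash rule, original:", hash_rule_matches(ORIGINAL, recorded))
    print("hash rule, edited:  ", hash_rule_matches(EDITED, recorded))
```

A copy of Admin.vbs saved anywhere other than the AdminTools share matches only the *.vbs rule in this model and is therefore Disallowed.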