Certifiable Q&A for February 16, 2001

Welcome to Certifiable, your exam prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams. Following the questions, you'll find the correct answers and explanatory text. We change the questions weekly.

Lately, security has preoccupied me. As I set up firewalls to protect my computers from the black hats, I remembered that a significant portion of Windows NT 4.0 core exams relates to securing network resources. Securing servers and networks is among the critical job skills that all network administrators must have, and both the NT 4.0 and Windows 2000 exams ask many questions to determine whether candidates understand the concepts.

This week's questions cover some topics relating to NT 4.0 domains, user rights, and NTFS permissions. Although I've never officially counted, questions about these topics comprise about 20 percent of the NT 4.0 MCSE core exams. At the very least, you're not likely to pass the exam if you don't answer these questions correctly; therefore, security should be high on your list of study topics.

Because next week's column will be the last one before the NT 4.0 MCSE core exams expire, I'll do one last column about NT 4.0 topics. Then, I'll take some of the questions from the past few weeks and show you how the Win2K exams present the same topics. Until then, good luck to all of you racing to make the deadline!

Questions (February 16, 2001)

Question 1
Your company needs to let all managers in the company view employee reviews. An administrative assistant in the Human Resources (HR) department will collect the reviews from each manager and place them in a shared folder on the network. The solution must meet the following objectives:

Required Results:

  • All managers must have Read permission to the shared folder.
  • No other employees can view the shared folder across the network.

Optional Results:

  • The administrative assistant must have Modify permission to the shared folder.
  • Everyone except administrators must be denied access to the files when logged on to the file server that hosts the shared folder.

Proposed Solution:

  • Create the Review Admins local group.
  • Create the Domain Review Admins global group and make it a member of the Review Admins local group.
  • On an NTFS partition, create a folder to hold the reviews.
  • Grant the Administrators local group Full Control permission to the folder.
  • Grant the Interactive local group No Access permission to the folder.
  • Grant the Review Admins local group Modify permission to the folder.
  • Share the folder.
  • Remove from the shared folder any permissions granted to the Everyone local group.
  • Grant the Managers global group Read permission to the shared folder.
  • Grant the Domain Review Admins global group Modify permission to the shared folder.
  • Make the administrative assistant a member of the Domain Review Admins global group.

Which results does the proposed solution produce?

  A. The proposed solution produces the required result and all of the optional desired results.
  B. The proposed solution produces the required result and one of the optional desired results.
  C. The proposed solution produces the required result but doesn't produce any of the optional desired results.
  D. The proposed solution doesn't produce the required result.

Question 2
Rebekah, a medical student, is rotating through a hospital's departments in 5-week intervals. Currently, Rebekah's logon account is a member of the Hospital1\Domain Users, Hospital1\Doctors, and Hospital1\Pediatrics global groups. Computers throughout the hospital provide access to patients' charts and medical histories, which are stored in a shared folder on a central file server.

The file server has local groups named Doctors, Pediatrics, Intensive Care, Emergency Room, and Clinic. The Hospital1 domain has global groups named Doctors, Pediatrics, Intensive Care, Emergency Room, and Clinic, and each global group is a member of the local group with the same name. The Doctors local group has been granted Read permission to all files on the NTFS partition that holds patient information. The Pediatrics, Intensive Care, Emergency Room, and Clinic local groups have been granted the Write special permission to the folders that contain information about patients in those departments. The entire partition is shared on the network and only Authenticated Users have Change permission for the shared folder.

When Rebekah opens a file on the file server, which of the following permissions does she have for files in the Pediatrics subfolder? (Choose all that apply.)

  A. Read
  B. Write
  C. Delete
  D. Execute
  E. Change
  F. Take Ownership
  G. No Access

Question 3
You are the network administrator for XYZ Corporation, which has acquired two other companies, A-1 Corp and Acme Inc., in the past 6 months. Each company, including your own, has one Windows NT domain, of which both users and their computers are members. At the time of the acquisitions, you created trust relationships so that both A-1's and Acme's domains trust XYZ's domain. Now, you must let users in A-1's domain access resources in Acme's domain and let Acme's users access resources in the A-1 domain. What must you do?

  A. Create a trust so that XYZ's domain trusts the A-1 domain.
  B. Create a trust so that XYZ's domain trusts the Acme domain.
  C. Create two trusts so that XYZ's domain trusts both the A-1 and Acme domains.
  D. Create a trust so that the A-1 domain trusts the Acme domain.
  E. Create two trusts so that the A-1 domain trusts the Acme domain and the Acme domain trusts the A-1 domain.

Answers (February 16, 2001)

Answer to Question 1
The correct answer is B—The proposed solution produces the required result and one of the optional desired results. The proposed solution doesn't produce the second optional result because even an administrator will be a member of the Interactive local group when he or she logs on to the computer. The No Access permission (I know it seems odd to call it a permission) takes precedence over all other available permissions; therefore, this particular solution lets administrators access the folder from a remote computer but not when logged on locally. Note, however, that only members of the Managers and the Domain Review Admins global groups can access the folder through the shared folder.

Answer to Question 2
The correct answers are A—Read and B—Write. Members of multiple groups gain the combined permissions of all the groups; therefore, Rebekah has Read and Write permissions for the NTFS partition. When you work through a shared folder on an NTFS partition, both the shared folder permissions and the NTFS permissions must permit an operation, or the operation is denied. The Change permission for the shared folder includes the Delete permission, but the NTFS permissions don't; therefore, Rebekah won't have Delete permission through the shared folder.
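The evaluation rules that the answers to Questions 1 and 2 rely on (combine group permissions, let No Access override, require both share and NTFS to permit), modeled as an added example that is not part of the original column. Reducing each permission name to a set of rights is a simplification chosen to match the granularity of the answers, and the function names are illustrative.

```python
NO_ACCESS = "No Access"
# Rights per permission name, simplified to the granularity the answers use (assumption).
_RWXD = {"Read", "Write", "Execute", "Delete"}
RIGHTS = {"Read": {"Read"}, "Write": {"Write"}, "Change": _RWXD, "Modify": _RWXD,
          "Full Control": _RWXD | {"Change Permissions", "Take Ownership"}}

def expand(groups, nesting):
    """Add each local group that has one of the user's global groups as a member."""
    return set(groups) | {local for glob, local in nesting if glob in groups}

def granted(acl, groups):
    """Union the rights of every matching entry; a No Access entry overrides them all."""
    rights = set()
    for group, permission in acl:
        if group in groups:
            if permission == NO_ACCESS:
                return set()
            rights |= RIGHTS[permission]
    return rights

def effective(groups, ntfs_acl, share_acl=None):
    """Local access is checked against NTFS only; through a share, both must permit."""
    ntfs = granted(ntfs_acl, groups)
    return ntfs if share_acl is None else ntfs & granted(share_acl, groups)

def rebekah_pediatrics():
    """Question 2: Rebekah opening a Pediatrics file through the share."""
    nesting = [("Hospital1\\Doctors", "Doctors"), ("Hospital1\\Pediatrics", "Pediatrics")]
    groups = expand({"Hospital1\\Domain Users", "Hospital1\\Doctors",
                     "Hospital1\\Pediatrics", "Authenticated Users"}, nesting)
    ntfs = [("Doctors", "Read"), ("Pediatrics", "Write")]
    share = [("Authenticated Users", "Change")]
    return effective(groups, ntfs, share)

REVIEWS_NTFS = [("Administrators", "Full Control"), ("Interactive", NO_ACCESS),
                ("Review Admins", "Modify")]

def admin_logged_on_locally():
    """Question 1: an administrator at the file server's console is also in Interactive."""
    return effective({"Administrators", "Interactive"}, REVIEWS_NTFS)

def assistant_through_share():
    """Question 1: the HR assistant, via Domain Review Admins, over the network."""
    groups = expand({"Domain Review Admins"}, [("Domain Review Admins", "Review Admins")])
    share = [("Managers", "Read"), ("Domain Review Admins", "Modify")]
    return effective(groups, REVIEWS_NTFS, share)

if __name__ == "__main__":
    print(sorted(rebekah_pediatrics()), admin_logged_on_locally(), sorted(assistant_through_share()))
```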

Answer to Question 3
The correct answer is E—Create two trusts so that the A-1 domain trusts the Acme domain and the Acme domain trusts the A-1 domain. Windows NT trust relationships are one-way trusts in which one domain trusts the other domain's accounts to access resources. Trust relationships aren't transitive. That is, if domain A trusts domain B and domain B trusts domain C, domain A doesn't trust domain C. Therefore, no trust relationships between the XYZ domain and the A-1 and Acme domains let accounts in the A-1 domain access resources in the Acme domain, or vice versa. For members of both domains to access resources in the other domain, the A-1 domain must trust the Acme domain, and the Acme domain must trust the A-1 domain.
