You need to design an access control strategy to prevent unauthorized users from
modifying the registry on the DNS servers.
What should you do?
A. Change the RestrictAnonymous registry subkey from 0 to 1 or 2.
B. Ensure that DNS1 and DNS2 have the correct permissions set on the WINREG subkey
for all groups.
C. Create a Domain Local group and add unauthorized users in this group on DNS1 and
DNS2.
D. Remove the Domain Users group from the Remote Desktop users group on DNS1 and
DNS2.
Answer: B
Explanation: The WINREG subkey controls the users and groups that can connect
remotely to the computer and modify its registry settings. If the key has been deleted, then
all users can connect remotely and modify the registry settings. By default the
Administrators group has Allow-Full Control permission for this subkey. The Backup
Operators group has Allow-Read permission. This is what is required for the proper
administration of the server.
1. We need to ensure that both DNS1 and DNS2 are protected against this accidental
modification.
2. I want to see only administrators able to remotely connect to DNS1 and DNS2 to
modify the registry settings.
3. I also want to have the ability to detect all attempts to log on interactively to either of
these servers."
Incorrect answers:
A: The RestrictAnonymous registry subkey is used to restrict anonymous users from
displaying lists of users and their security permissions on the computer. This setting,
whether set to 1 or 2, will not affect the ability to connect remotely to a computer to
modify its registry.
C: In AGDLP, the recommended way to assign permissions to a resource, user accounts
are added to global groups, and then global groups are added to Domain Local groups.
Permissions or user rights assignments are finally assigned to the Domain Local group.
Regardless, in this scenario you want to prevent unauthorized users from modifying the
registry. Thus this option is incorrect.
D: The Remote Desktop Users group is able to create Remote Desktop connections to the
local computer. Usually this group is not populated and members of the local
Administrators group can access the computer via Remote Desktop connection. It is
mentioned in the case study:
1. DNS1 and DNS2 are both configured with the default remote Desktop connection
settings.
Thus the Domain Users group is not a default member of the Remote Desktop Users
group. This option is thus not correct.
Reference:
Elias N. Khnaser, Susan Snedaker, Chris Peiris & Rob Amini, MCSE Designing Security
for a Windows Server 2003 Network Exam 70-298 Study Guide, Chapter 8, p. 454
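
The defaults given in the explanation for answer B can be checked on each DNS server with a short PowerShell audit. This is an added example, not part of the study guide; the full registry path and the English group names are assumptions, since the page names only the WINREG subkey.

```powershell
# Added example, not from the study guide. Run locally on DNS1 and DNS2 in an elevated session.
# Assumption: the standard location of the winreg subkey (the page names only "WINREG").
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Defaults stated in the explanation: Administrators = Full Control, Backup Operators = Read.
# Assumption: English group names; localized systems use translated names.
$ExpectedAcl = @{
    'BUILTIN\Administrators'   = 'FullControl'
    'BUILTIN\Backup Operators' = 'ReadKey'
}

function Test-WinregAcl {
    param([string]$KeyPath, [hashtable]$Expected)

    if (-not (Test-Path -Path $KeyPath)) {
        # Per the explanation, a deleted key leaves remote registry access unrestricted.
        return [pscustomobject]@{ Identity = '(none)'; Rights = ''; Finding = 'winreg subkey is missing' }
    }

    $seen = @()
    foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
        $id = $ace.IdentityReference.Value
        $seen += $id
        if ($ace.AccessControlType -ne 'Allow') {
            $finding = 'deny entry, review'
        } elseif (-not $Expected.ContainsKey($id)) {
            $finding = 'identity not in the default list'
        } elseif ($ace.RegistryRights -ne $Expected[$id]) {
            $finding = 'rights differ from the default'
        } else {
            $finding = 'ok'
        }
        [pscustomobject]@{ Identity = $id; Rights = $ace.RegistryRights; Finding = $finding }
    }

    # Flag default entries that are absent from the ACL.
    foreach ($id in $Expected.Keys) {
        if ($seen -notcontains $id) {
            [pscustomobject]@{ Identity = $id; Rights = ''; Finding = 'default entry missing' }
        }
    }
}

Test-WinregAcl -KeyPath $WinregPath -Expected $ExpectedAcl | Format-Table -AutoSize
```

Any row whose Finding is not `ok` marks an entry to review against the requirement that only administrators can modify the registry remotely.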