Securing Windows Server 2016 v1.0 (70-744)

Page:    1 / 14   
Total 208 questions

DRAG DROP -
You have two servers named Server1 and Server2 that run Windows Server 2016. The servers are in a workgroup.
You need to create a security template that contains the security settings of Server1 and to apply the template to Server2. The solution must minimize administrative effort.
Which snap-in should you use for each server? To answer, drag the appropriate snap-ins to the correct servers. Each snap-in may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:




Answer :

References:
https://www.windows-server-2012-r2.com/security-templates.html

You are creating a Nano Server image for the deployment of 10 servers.
You need to configure the servers as guarded hosts that use Trusted Platform Module (TPM) attestation.
Which three packages should you include in the Nano Server image? Each correct answer presents part of the solution.

  • A. Microsoft-NanoServer-SCVMM-Compute-Package
  • B. Microsoft-NanoServer-SecureStartup-Package
  • C. Microsoft-NanoServer-Compute-Package
  • D. Microsoft-NanoServer-ShieldedVM-Package
  • E. Microsoft-NanoServer-Storage-Package
  • F. Microsoft-NanoServer-SCVMM-Package


Answer : BCD

References:
https://docs.microsoft.com/en-us/system-center/vmm/guarded-deploy-host?toc=/windows-server/virtualization/
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server

Your network contains an Active Directory domain named contoso.com. The domain contains several shielded virtual machines.
You deploy a new server named Server1 that runs Windows Server 2016.
You install the Hyper-V server role on Server1.
You need to ensure that you can host shielded virtual machines on Server1.
What should you install on Server1?

  • A. Host Guardian Hyper-V Support
  • B. the Windows Biometric Framework (WBF)
  • C. VM Shielding Tools for Fabric Management
  • D. BitLocker Network Unlock


Answer : A

References:
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-guarded-host-prerequisites

Your network contains an Active Directory domain named contoso.com.
You deploy a server named Server1 that runs Windows Server 2016. Server1 is in a workgroup.
You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations Management Suite (OMS).
What should you do first?

  • A. Create an event subscription
  • B. Create a Data Collector Set
  • C. Install Microsoft Monitoring Agent on Server1
  • D. Join Server1 to the domain


Answer : C

References:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents

HOTSPOT -
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain. You install the ATA Gateway on a server named Server1.
To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events.
You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter? To answer, select the appropriate options in the answer area.
Hot Area:




Answer :

References:
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection

Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.


All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
End of repeated scenario.
You enable deep script block logging for Windows PowerShell.
In which event log will PowerShell code that is generated dynamically appear?

  • A. Applications and Services Logs/Windows PowerShell
  • B. Windows Logs/Security
  • C. Applications and Services Logs/Microsoft/Windows/PowerShell/Operational
  • D. Windows Logs/Application


Answer : C

References:
https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-7

Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.


All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
End of repeated scenario.
You need to create a Role Capability file on Server3. Which file should you create?

  • A. File1.ini
  • B. File1.ps1
  • C. File1.xml
  • D. File1.psrc


Answer : D

References:
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/role-capabilities?view=powershell-7

Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.


All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
End of repeated scenario.
You need to implement BitLocker Network Unlock for all of the laptops. Which server role should you deploy to the network?

  • A. Host Guardian Service
  • B. Device Health Attestation
  • C. Windows Deployment Services
  • D. Network Controller


Answer : C

References:
https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock

Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your company has a marketing department.
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.


All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2.
All computers receive updates from Server1. You create an update rule named Update1.
End of repeated scenario.
You need to ensure that AppLocker rules will apply to the marketing department computers. What should you do?

  • A. From the properties of OU2, modify the COM+ partition Set.
  • B. In GP2, configure the Startup type for the Application Identity service.
  • C. In GP2, configure the Startup type for the Application Management service.
  • D. From the properties of OU2, modify the Security settings.


Answer : B

References:
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service

Your network contains an Active Directory domain named contoso.com. The domain contains a certification authority (CA).
You need to implement code integrity policies and sign them by using certificates issued by the CA.
You plan to use the same certificate to sign policies on multiple computers.
You duplicate the Code Signing certificate template and name the new template CodeIntegrity.
How should you configure the CodeIntegrity template?

  • A. Enable the Allow private key to be exported setting and modify the Key Usage extension.
  • B. Disable the Allow private key to be exported setting and modify the Application Policies extension.
  • C. Disable the Allow private key to be exported setting and disable the Basic Constraints extension.
  • D. Enable the Allow private key to be exported setting and enable the Basic Constraints extension.


Answer : D

References:
https://blogs.technet.microsoft.com/ukplatforms/2017/05/04/create-code-integrity-signing-certificate/

DRAG DROP -
Your network contains an Active Directory domain named contoso.com. The domain contains a user named User1 and a computer named Computer1. Remote Server Administration Tools (RSAT) is installed on Computer1.
You need to add User1 as a data recovery agent in the domain.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:




Answer :

References:
https://msdn.microsoft.com/library/cc875821.aspx#EJAA
https://www.serverbrain.org/managing-security-2003/using-the-cipher-command-to-add-data-recovery-agent.html

Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You discover that the members of a group named FinanceAdministrators can view the password of the local Administrator accounts on the servers in an organizational unit (OU) named FinanceServers.
You need to prevent the FinanceAdministrators members from viewing the local administrators' passwords on the servers in FinanceServers. Which permission should you remove from FinanceAdministrators?

  • A. all extended rights
  • B. read all properties
  • C. read permissions
  • D. list contents


Answer : A

References:
https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/

Your network contains an Active Directory domain named contoso.com. The domain contains 10 servers that run Windows Server 2016 and 800 client computers that run Windows 10.
You need to configure the domain to meet the following requirements:
  • Users must be locked out from their computer if they enter an incorrect password twice.
  • Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile phone.
You deploy all the components of Microsoft Identity Manager (MIM) 2016.
Which three actions should you perform before you deploy the MIM add-ins and extensions? Each correct answer presents part of the solution.

  • A. Deploy a Multi-Factor Authentication provider and copy the required certificates to the MIM server.
  • B. From a Group Policy object (GPO), configure Public Key Policies.
  • C. From the MIM Portal, configure the Owner Approval Workflow.
  • D. Deploy a Multi-Factor Authentication provider and copy the required certificates to the client computers.
  • E. From the MIM Portal, configure the Password Reset AuthN Workflow.
  • F. From a Group Policy object (GPO), configure Security Settings.


Answer : AEF

References:
https://docs.microsoft.com/en-us/microsoft-identity-manager/working-with-self-service-password-reset

You have a file server named FS1 that runs Windows Server 2016.
You plan to disable SMB 1.0 on the server.
You need to verify which computers access FS1 by using SMB 1.0.
What should you run first?

  • A. Debug-FileShare
  • B. Set-FileShare
  • C. Set-SmbShare
  • D. Set-SmbServerConfiguration
  • E. Set-SmbClientConfiguration


Answer : D

Your network contains an Active Directory domain named contoso.com.
The domain contains four global groups named Group1, Group2, Group3, and Group4. A user named User1 is a member of Group3.
You have an organizational unit (OU) named OU1 that contains computer accounts. A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table.


You need to ensure that User1 can access the shares on Computer1. What should you do?

  • A. Modify the membership of Group3.
  • B. Modify the membership of Group2.
  • C. Modify the membership of Group1.
  • D. Modify the membership of Group4.
  • E. In GPO1, modify the Allow log on locally user right.


Answer : B
