You work as the network administrator at certifyme.com. The certifyme.com
network consists of a single Active Directory domain named certifyme.com. All
servers on the certifyme.com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The certifyme.com written security policy states that no unauthorized VBScript files
are to be deployed and executed on certifyme.com client computers. 350-001 All VBScript
files that contain scripts which are authorized to be executed on client computers
are located on several certifyme.com servers.
You must configure a software restriction policy that will comply with the
certifyme.com written security policy. To this end you plan to configure the default
security level as Unrestricted in your new software restriction policy. You do not
want to modify the software restriction policy each time that a new VBScript script
is authorized to be run on your client computers.
Leading the way in IT testing and certification tools, www.certifyme.com
- 106 -
What should you do? (Each correct answer presents part of the solution. Choose
THREE.)
A. Create a new Path rule.
Set the path to be *.vbs.
Set the security level to Disallowed.
B. Create a new Internet zone rule for authorized VBScript files.
Set the security level to Unrestricted.
C. Create a new Hash rule for authorized VBScript files.
Set the security level to Unrestricted.
D. Authorize each .vbs file by digitally signing it.
E. Create a new Certificate rule.
Set the security level to Unrestricted. 640-802
Answer: A, D, E
Explanation: There are four different types of software restriction policy rules.
Because more than one rule can be applied to one file, the priority of these rules is
as follows (highest to lowest):
1. Hash rules (highest priority)
2. Certificate rules take priority over Path rules.
3. Path rules take priority over Internet zone rules.
4. Internet zone rules (lowest priority)
To ensure that no unauthorized .vbs scripts are run on client computers, you need to
create a new path rule, set the path to be *.vbs, and set the security level to Disallowed.
After this, you need to ensure that each .vbs file that is authorized to run on client
computers is digitally signed. You then need to create a new Certificate rule and set the
security level to Unrestricted. Because Certificate rules take priority over Path rules, the
.vbs files that are authorized WILL be allowed to run on client computers, while
unauthorized files will NOT be allowed to be run. VCP-310
Incorrect Answers:
B: Because Hash rules have the highest propriety, you would need to specify each
authorized .vbs file in the rule. Then, whenever a new authorized .vbs file becomes
available, you would need to modify the rule. The question states that you do not want to
modify the software restriction policy each time that a new VBScript file is authorized to
be run on your client computers
C: Internet zone rules apply to Windows Installer .msi files.
Leading the way in IT testing and certification tools, www.certifyme.com
- 107 -
Reference:
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment