You are a security administrator for certifyme.com. The network consists of a single
Active Directory domain named certifyme.com. All servers run Windows Server
2003. All client computers run Windows XP Professional.
You manage the network by using a combination of Group Policy objects (GPOs)
and scripts. File names for scripts have the .vbs file name extension. Scripts are stored in a shared folder named Scripts on a server named certifyme1.
Users report that they accidentally run scripts that are received through e-mail and
the Internet. They further reports that these scripts cause problems with their client
computers and often delete or change files. You discover that these scripts have
.wsh, .wsf, .vbs, or .vbe file name extensions. You decide to use software restriction
policies to prevent the use of unauthorized scripts.
You need to configure a software restriction policy for your network.350-001 You want to
achieve this goal without affecting management of your network.
Which three rules should you include in your software restriction policy? (Each
correct answer presents part of the solution. Choose THREE.)
A. A path rule that disallows *.vb? files.
B. A path rule that disallows *.ws? files.
C. A trusted sites rule that allows the local intranet zone.
D. A trusted sites rule that disallows the Internet zone.
E. A path rule that allows \\certifyme1\scripts\*.vb? files.
Answer: A, B, E
Leading the way in IT testing and certification tools, www.certifyme.com
- 132 -
Explanation: By using the software restriction policy, you allow unknown code, which
might contain viruses or code that conflicts with currently installed programs, to run only
in a constrained environment (often called a sandbox) where it is disallowed from
accessing any security-sensitive user privileges. For example, an e-mail attachment that
contains a worm would be prohibited from automatically accessing your address book
and therefore could not propagate itself. If the e-mail attachment contained a virus, the
software restriction policy would restrict its ability to damage your system because it
would be allowed to run only in a constrained environment.
If you create a path rule for a program with a security level of Disallowed, a user can still
run the software by copying it to another location.640-802 The wildcard characters that are supported by the path rule are the asterisk (*) and the
question mark (?).
You can use environment variables, such as %programfiles% or %systemroot%, in your
path rule.
To create a path rule for software when you do not know where it is stored on a computer
but you have its registry key, you can create a registry path rule.
To prevent users from running e-mail attachments, you can create a path rule for your
mail program's attachment folder that prevents users from running e-mail attachments.
The only file types that are affected by path rules are those that are listed in Designated
file types.VCP-310 There is one list of designated file types that is shared by all rules.
For software restriction policies to take effect, users must update policy settings by
logging off from and then logging on to their computers.
When more than one rule is applied to policy settings, there is a precedence of rules for
handling conflicts.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment