Wenatchee Valley College - CTS Discussion Board




2/05/2020 1:30 pm  #1


Chapter 5 Solutions

Review Questions

  • Your company writes software for voting machines and needs to ensure that the software and documentation is carefully protected on its servers. Last week one of the servers was stolen from its machine room, but fortunately that server did not contain sensitive voting machine files. What file security can your company use to protect its information in the future, so that even if a server is stolen its files cannot be accessed?

  • Answer: a. Microsoft Encrypting File System 
  • A fellow programmer has set up a shared folder of programs he is working on, but the problem is that several users have discovered the folder and have been trying out the programs. What steps can the programmer take to ensure that only he can view and access the folder? (Choose all that apply.)

  • Answer: a. Use permissions to secure the shared folder. and c. Place a dollar sign after the name of the shared folder to hide it. 
  • Your company has salespeople who use Apple iPad tablet computers for travel. These salespeople need a way to use company files offline while traveling and then to synchronize the files on a server when they return. What Windows Server 2016 capability meets this need?

  • Answer: b. work folders 
  • The water resources group in your organization asked you to create a shared folder to hold research data. Ten people are in the group; two of them cannot access the file but the other eight can. What can you do to easily determine why two people cannot access it?

  • Answer: d. Check the effective access for that folder. 
  • You attempt to set folder quotas on a shared folder you are configuring through Server Manager, but this feature is not enabled. What can you do to enable using folder quotas? (Choose all that apply.)

  • Answer: c. Install File Server Resource Manager as a role service. 
  • A folder’s owner has __________ permissions.

  • Answer: Full control 
  • Which of the following are ACL-based object security techniques available in Windows Server 2016? (Choose all that apply.)

  • Answer: a. Ownership, c. Attributes, and d. Auditing
  • An Apple Macintosh running Sierra (macOS 10.12) can share files with Windows Server 2016 using the __________ protocol.

  • Answer: Server Message Block version 3.x 
  • A first step in configuring Distributed File System is to install which of the following File and Storage Services role services? (Choose all that apply.)

  • Answer: b. DFS Replication and d. DFS Namespaces 
  • The Computer Advisory Committee in your company has been concerned that users store many files on the servers, but aren’t good about deleting old files. This has resulted in less free space on the servers’ disks. What solution do you propose?

  • Answer: d. Set up disk quotas for user accounts. 
  • What are the two DFS models?

  • Answer: stand-alone and domain-based 
  • When you move a file from the Spreadsheets folder to the Corp Documents folder on a Windows Server 2016 server, what happens to the permissions on the file?

  • Answer: c. The moved file takes with it the permission it had in the Spreadsheets folder. 
  • Several of your DFS clients complain that it can take some time to access a DFS shared folder, even though they just recently accessed it. They are expecting faster response. What can you do?

  • Answer: a. Tune the cache duration for the folder. 
  • You have a series of older files that you don’t access often, but you do need them occasionally. Some of these folders take up large quantities of disk space. What NTFS feature can you use to reduce the disk space they occupy?

  • Answer: b. Use the compress attribute. 
  • Which of the following is required to configure DFS Replication? (Choose all that apply.)

  • Answer: c. Determine which server is the primary group member., and d. Define two or more folder targets. 
  • If Sara Weng belongs to one group that has modify permissions to the Research folder and to another group that only has read permissions to the Research folder, what access does she have?

  • Answer: a. read 
  • Before you can share a folder through Windows Server 2016, you must first _________.

  • Answer: turn on file and printer sharing 
  • Which of the following can you accomplish using the DFS Management tool? (Choose all that apply.)

  • Answer: a. Create a namespace root., b. Delegate management over a namespace root., c. Create a folder in a namespace root., and d. Tune a namespace root. 
  • A set of shared folders copied in DFS to one or more servers is called a _____.

  • Answer: replication group 
  • You are attempting to configure auditing for a folder, but you don’t see the Auditing tab. Which of the following is likely to be the problem?

  • Answer: a. You haven’t enabled auditing as a group policy.

Hands-On Projects Tips and Solutions for Chapter 5

Activity 5-1
In this activity, students use Server Manager to install the Windows Search Service.

Activity 5-2
Students learn how to use the Encrypting File System in this activity. They create a folder, copy a file to the folder, and then encrypt the folder’s contents. In Step 2, on a newly created folder, students are likely to find that the Read-only (Only applies to files in folder) attribute is checked by default. In Step 3, when students click the Advanced button on the General tab, they will find two sets of two attributes:

    • Archive and Index attributes
    • Compress or Encrypt attributes

Of the four attributes, only one is checked by default: Allow files in this folder to have contents indexed in addition to file properties. In Step 6, to verify that a folder is encrypted or that files within a folder are encrypted, view the properties of the folder or file, click the General tab, click the Advanced button, and make sure that Encrypt contents to secure data is checked. (Also, the font of the folder will now be in color, such as green.) A folder or file can be decrypted by removing the checkmark in front of Encrypt contents to secure data.

Activity 5-3
In this activity, students create a new folder and configure its permissions. In Step 2, the default groups that have permissions are:

    • SYSTEM (Allow for all permissions, except for Special permissions)
    • Administrator (Allow for all permissions, except for Special permissions)
    • Administrators builtin local group (Allow for all permissions, except for Special permissions)

     Consider using this step to discuss why it is important for a server administrator to know what permissions are set up automatically. In Step 6, the Server Operators group has the following permissions checked for Allow by default:

    • Read & execute
    • List folder contents
    • Read

Activity 5-4
This activity enables students to practice disabling the inherited permissions on the Utilities folder they created in the last activity.

Activity 5-5
This project enables students to practice configuring advanced permissions for a folder. Consider using this as an opportunity to have a short class discussion about situations in which you would set up special permissions and why they are necessary. In Step 14, the default permissions are:

    • Traverse folder / execute file
    • List folder / read data
    • Read attributes
    • Read extended attributes
    • Read permissions

Activity 5-6
In this activity, students learn how to set up auditing on a folder. Along with this activity you might discuss in class why auditing is a valuable security troubleshooting tool. The activity is divided into two parts. In part one, students learn how to enable auditing objects via a group policy in Active Directory. In the second part, students configure auditing on the Documentation folder they created earlier. In part one, Step 15: To enable auditing logon activity, students would configure Audit account logon events. To enable auditing account creation and changing password activity, they would select Audit account management.

Activity 5-7
This project has students turn on file and printer sharing, network discovery, and sharing of Public folders. File and printer sharing must be turned on before a folder or printer can be shared for network clients.

Activity 5-8
In this activity, students set up a shared folder for access by network clients. In Step 12, the File Sharing window is displayed. To remove a user, click the down arrow for the Permission Level and click Remove. In Step 15, to change the share name, enter the new name in the Share name box. Also, to limit the number of simultaneous users, enter a new number in the Limit the number of simultaneous users to box.

Activity 5-9
For this activity, students install the File Services Resource Manager feature and then configure a new shared folder. In Step 21, the options in the Configure share settings window are:

    • Enable access-based enumeration
    • Allow caching of share
    • Encrypt data access

Use the Enable access-based enumeration option to permit users to view only folders and files for which they have permissions.

Activity 5-10
In this project, students publish a shared folder in Active Directory. In Step 3, two objects that can be published are a printer and a shared folder.

Activity 5-11
This project enables students to practice examining effective permissions on a folder to help resolve a security conflict. Consider using this as an opportunity to discuss other security conflict solving tactics that you use. In Step 11, the effective access for the Everyone group is that there is no access, no permissions or shared permissions configured.

Activity 5-12
In this project, students install the role services DFS Namespace and DFS Replication.

Activity 5-13
In this activity, students install a domain-based namespace root in DFS. DFS Namespace and DFS Replication should already be installed before they start (as well as Active Directory). If you have a preference for how students name the namespace, share that with the students before they begin. Note that it does not matter whether a namespace is already installed except that the new namespace should have a different name. Caution: Ensure that students follow the Tip before starting, because Distributed Transaction Coordinator is likely to be disabled in Windows Firewall, causing problems for Steps 5 or 6.

Activity 5-14
For this activity, students add a new folder to the DFS namespace root and then use the Documentation folder they shared in Activity 5-5 as the folder target.

Activity 5-15
Students learn how to use the File Server Resource Manager tool to configure disk quotas and quota templates in this activity. In Step 18, the settings that can be configured when creating a new template include:

    • Template name
    • Description (optional)
    • Space limit
    • Hard or soft quota
    • Notification thresholds

Case Projects

Rocky Mountain College in Colorado is a fast-growing community college. It offers typical college programs and combines these with special classes for certificate and two-year programs such as fisheries management, wildlife studies and management, mountain geology, and ski and snowboard technologies. The college is located in the foothills below Rocky Mountain National Park and is both a residential and commuter campus. The college’s Information Technology Department manages the servers used for academic and administrative computing. Some departments, such as Engineering Studies, Computer Science, and English have servers located in the departments, with some administrative server tasks delegated to each department’s computer specialist. The Engineering Studies Department uses Macintosh and Linux client computers. The college’s Development Department also uses Macintosh computers. All academic and administrative servers are in the process of being upgraded from Windows Server 2012 to Windows Server 2016. Active Directory is installed and used for the servers. The college has 10 walk-in computer labs for students and faculty. Also, many faculty and students use laptop computers and iPads that they want to connect to the college computer network. The IT Department has hired you to consult on improving use of the servers and to advise on the upgrades.

Case Project 5-1: Security Conflict
The English Department maintains a Minutes folder, which contains minutes of department meetings and is accessed by the department chair, English Department faculty, and the staff. After the English Department’s computer specialist upgrades the department’s server to Windows Server 2016 and configures folders, the English Department chair and faculty can no longer access the Minutes folder. What tool do you suggest to solve this problem? Outline the general steps for using the tool.
Answer: The computer specialist can use the effective access tool to troubleshoot possible permission conflicts on the Minutes folder. The general steps to use to get started with the effective access tool are:
  • Determine what groups are used for the chair and faculty.
  • Use File Explorer to find the Minutes folder.
  • Right-click the folder and click Properties.
  • Click the Security tab.
  • Click the Advanced button.
  • Click the Effective Access tab.
  • Click the link for Select a user.
  • Use the Select User, Computer, Service Account, or Group dialog box to select the groups in which the chair and faculty are members.
  • Click View effective access.

Case Project 5-2: Planning Folder Permissions
Up to this point, the college has used a relatively unplanned approach to planning folder permissions, sometimes using the default permissions on newly created folders. Now they have created a new committee to review security on the servers and the committee is working to develop a specific policy for setting up NTFS folder permissions and share permissions. They have asked for your recommendations on the following types of folders:

    • The \Windows folder (which is not shared).
    • Software application folders (which are not shared).
    • Home folders for faculty and staff (which are not shared).
    • Folders containing the college’s financial accounting databases (which are not shared and are used only by members of the Administrative Business Department).
    • A shared folder containing electronic pages from the faculty and staff handbook (which is shared for faculty and staff use only).
    • Shared folders used by instructors to provide students with class information and assignments.

If slide presentation software is available to you, such as PowerPoint, consider giving your response as a slide presentation.

Answer: Students have some latitude as to how they address these security recommendations. Some ideas include the following:

    • For the \Windows folder use advanced permission to traverse folder / execute file, but give the Administrators group Full control access.
    • For the software applications folders use read & execute and write to enable users to run applications and write temporary files.
    • For home folders give the account holders Full control; or give them Read & execute, List folder contents, Read, Write, and Modify permissions and leave Full control and ownership with a server administrator.
    • For folders containing the financial accounting databases, create a domain local group for the Administrative Business Department that is given Read & execute, List folder contents, Read, Write, and Modify permissions. Also, create a global group containing the accounts of the department members and add that global group to the domain local group as a member.
    • For the shared folder with the handbook pages, create a domain local group and give it Read & execute and List folder contents permissions. On the folder share give the domain local group Reader share permissions. Create a global group (or use existing global groups) of the accounts that need access to the folder and make this a member of the domain local group. Give Full control access to the person or persons who manage the contents of the folder, such as a member from the human resources department. Have the main person responsible take ownership of the folder to be able to fully manage it, including managing permissions. Also, give the folder manager(s) owner and co-owner share permissions.
    • For shared folders used by instructors, consider assigning a server administrator to have Full control and Ownership of these folders and share folder ownership. Give the individual instructor of a folder Read & execute, List folder contents, Read, Write, and Modify permissions. Also give the individual instructor Change or Contribute share permissions (so the instructor can delete and modify any files). Students may also discuss how they would use domain local and global groups to manage permissions and share permissions.

Case Project 5-3: Using DFS
Each Windows Server contains shared folders that are accessed by students, faculty, and staff. The problem is that many users are still very confused about which folders are on which servers. As a result, they waste a lot of time trying to find the specific shared folder that they need. The college asks you to help them develop a way to make the folders easier to find and access. Create a report that explains how DFS works and how it can be of value in their situation. Design a very general DFS folder structure that they might implement. For example, you might base the folder structure on academic and administrative departments in the college. Consider preparing a slide presentation, if you have this software available, such as PowerPoint.

Answer: Rocky Mountain College should consider implementing a domain-based model of DFS that would allow them to consolidate these shared folders so that they appear to exist in one place. By using the domain-based model, the company can take advantage of several DFS capabilities:

    • The ability to have multilevel folder structures under one or more namespace roots
    • The ability to load balance information across the servers
    • The ability to build in fault tolerance by implementing DFS replication

A domain-based DFS implementation uses these elements: a namespace root, shared folders, and replication groups on selected participating DFS servers. The namespace root is a main container in the Active Directory that provides links to shared folders on any computer in the domain. When a client views the shared folders in a namespace root, all of the folders appear as though they are in one main folder on the same computer. The shared folders are in a hierarchical order under the namespace root. A replication group is a set of shared folders in DFS that is designated to be copied to one or more servers in a domain. When you create replication groups, you can balance client access across multiple servers for better network and server performance. Replication groups also provide fault tolerance, because the contents of a shared folder can exist on multiple computers. If one computer goes down, the folder contents are still available on other computers.

Students can suggest different types of folder structures, but should include a rationale for the general structure that they propose. One option, for example, is to create two namespace roots, one for the academic side and one for the administrative side. Under each root could be departments or divisions. On the academic side, instructor folders or class folders might be under each department, for example.

Case Project 5-4: Accommodating Shared Access to the Macintosh and Linux Clients
The Engineering Studies and Development departments want to access shared folders on the Windows Server 2016 servers. What Windows Server 2016 and client options are available to enable sharing with these clients?

Answer: Modern Macintosh computers, beginning with the Maverick OS, natively use SMB version 2 protocol for file sharing, which is compatible with Windows operating systems. Further, older Macintosh computers and Linux computers can use the Samba application for using SMB to access shared Windows resources. Yet another option is the ability to use a sharing profile that employs NFS protocol for sharing with Linux (or Macintosh computers).

     
