Clear the 70-744 Securing Windows Server 2016 real exam quickly using the 2019 version of test questions and answers.
Questions & Answers PDF

Microsoft 70-744 Exam
Microsoft Securing Windows Server 2016 Exam

https://www.certkillers.net
Version: 17.0

Question: 1

Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 10. A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was initiated from a client computer and accessed Active Directory objects restricted to the members of the Domain Admins group. You need to minimize the impact of another successful Pass-the-Hash attack on the domain. What should you recommend?

A. Instruct all users to sign in to a client computer by using a Microsoft account.
B. Move the computer accounts of all the client computers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.
C. Instruct all administrators to use a local Administrators account when they sign in to a client computer.
D. Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove the permissions to the new OU from the Domain Admins group.

Answer: C

Explanation:
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard
Question: 2

Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2016. You create a new bastion forest named admin.contoso.com. The forest functional level of admin.contoso.com is Windows Server 2012 R2. You need to implement a Privileged Access Management (PAM) solution. Which two actions should you perform? Each correct answer presents part of the solution.

A. Raise the forest functional level of admin.contoso.com.
B. Deploy Microsoft Identity Management (MIM) 2016 to admin.contoso.com.
C. Configure contoso.com to trust admin.contoso.com.
D. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com.
E. Raise the forest functional level of contoso.com.
F. Configure admin.contoso.com to trust contoso.com.
Answer: DE

Explanation:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/deploy-pam-with-windows-server-2016
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/windows-server-2016-functional-levels

For the bastion forest which deploys MIM, you should raise the Forest Functional Level to "Windows Server 2016".

Question: 3

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a domain controller. You configure Server1 as a Just Enough Administration (JEA) endpoint. You configure the required JEA rights for a user named User1. You need to tell User1 how to manage Active Directory objects from Server2. What should you tell User1 to do first on Server2?

A. From a command prompt, run ntdsutil.exe.
B. From Windows PowerShell, run the Import-Module cmdlet.
C. From Windows PowerShell, run the Enter-PSSession cmdlet.
D. Install the management consoles for Active Directory, and then launch Active Directory Users and Computers.

Answer: C

Explanation:
References:
https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by-step/

Question: 4

Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers. You deploy the Local Administrator Password Solution (LAPS) to the network. You deploy a new server named FinanceServer5, and join FinanceServer5 to the domain. You need to ensure that the passwords of the local administrators of FinanceServer5 are available to the LAPS administrators. What should you do?

A. On FinanceServer5, register AdmPwd.dll.
B. On FinanceServer5, install the LAPS Windows PowerShell module.
C. In the domain, modify the permissions for the computer account of FinanceServer5.
D. In the domain, modify the permissions of the Domain Controllers organizational unit (OU).

Answer: A

Explanation:
References:
https://gallery.technet.microsoft.com/Step-by-Step-Deploy-Local-7c9ef772

Question: 5

Your network contains an Active Directory domain named contoso.com. The domain contains four servers. The servers are configured as shown in the following table. You need to manage FS1 and FS2 by using Just Enough Administration (JEA). What should you do before you can implement JEA?

A. Install Microsoft .NET Framework 4.6.2 on FS1.
B. Upgrade DC1 to Windows Server 2016.
C. Install Windows Management Framework 5.0 on FS2.
D. Deploy Microsoft Identity Manager (MIM) 2016 to the domain.

Answer: C

Explanation:
https://msdn.microsoft.com/en-us/library/dn896648.aspx

The current release of JEA is available on the following platforms:
- Windows Server 2016 Technical Preview 5 and higher
- Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2* with Windows Management Framework 5.0 installed

FS1 is ready to be managed by JEA, but FS2 needs some extra work: either upgrade it to Windows Server 2016 or install Windows Management Framework 5.0.

Question: 6
HOTSPOT

Your network contains an Active Directory forest named contoso.com. The forest has Microsoft Identity Manager (MIM) 2016 deployed. You implement Privileged Access Management (PAM). You need to request privileged access from a client computer in contoso.com by using PAM. How should you complete the Windows PowerShell script? To answer, select the appropriate options in the answer area.

Answer:

Explanation:
References:
https://technet.microsoft.com/en-us/library/mt604089.aspx
https://technet.microsoft.com/en-us/library/mt604084.aspx

Question: 7

Your network contains an Active Directory domain named contoso.com. The domain contains five servers. All servers run Windows Server 2016. A new security policy states that you must modify the infrastructure to meet the following requirements:

* Limit the rights of administrators.
* Minimize the attack surface of the forest.
* Support Multi-Factor authentication for administrators.

You need to recommend a solution that meets the new security policy requirements. What should you recommend deploying?

A. an administrative forest
B. domain isolation
C. an administrative domain in contoso.com
D. the Local Administrator Password Solution (LAPS)
Answer: A

Explanation:
You have to "Minimize the attack surface of the forest", so you must create another forest for administrators.

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material#ESAE_BM

This section contains an approach for an administrative forest based on the Enhanced Security Administrative Environment (ESAE) reference architecture deployed by Microsoft's cybersecurity professional services teams to protect customers against cybersecurity attacks. Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment.

Question: 8

Your network contains two single-domain Active Directory forests named contoso.com and contosoadmin.com. Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com. You need to recommend a workstation solution that provides the highest level of protection from vulnerabilities and attacks. What should you include in the recommendation?

A. Provide a Privileged Access Workstation (PAW) for each user account in both forests. Join each PAW to the contoso.com domain.
B. Provide a Privileged Access Workstation (PAW) for each user in the contoso.com forest. Join each PAW to the contoso.com domain.
C. Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contoso.com domain.
D. Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contosoadmin.com domain.

Answer: D

Explanation:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material

Question: 9
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2016. The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 4.0 installed. You export the baseline shown in the following exhibit. You have a server named Server2 that is a member of a workgroup. You copy the (2617e9b1-9672-492b-aefa-0505054848c2) folder to Server2. You need to deploy the baseline settings to Server2. What should you do?

A. Download, install, and then run the Lgpo.exe command.
B. From Group Policy Management, import a Group Policy object (GPO).
C. From Windows PowerShell, run the Restore-GPO cmdlet.
D. From Windows PowerShell, run the Import-GPO cmdlet.
E. From a command prompt, run the secedit.exe command and specify the /import parameter.

Answer: D

Explanation:
References:
https://anytecho.wordpress.com/2015/05/22/importing-group-policies-using-powershell-almost/

Question: 10

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. A technician is testing the deployment of Credential Guard on Server1. You need to verify whether Credential Guard is enabled on Server1.
What should you do?

A. From a command prompt, run the credwiz.exe command.
B. From Task Manager, review the processes listed on the Details tab.
C. From Server Manager, click Local Server, and review the properties of Server1.
D. From Windows PowerShell, run the Get-WsManCredSSP cmdlet.

Answer: B

Explanation:
https://yungchou.wordpress.com/2016/10/10/credential-guard-made-easy-in-windows-10-version-1607/

As before, once Credential Guard is properly configured and running, you should find in Task Manager the 'Credential Guard' process and 'lsaiso.exe' listed on the Details page, as shown below.

Question: 11

HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. The services on Server1 are shown in the following output.
Server1 has the AppLocker rules configured as shown in the exhibit. (Click the Exhibit button.) Rule1 and Rule2 are configured as shown in the following table. For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Answer:
Explanation:
https://docs.microsoft.com/en-us/windows/device-security/applocker/configure-the-application-identity-service

The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. In this question, Server1's Application Identity service is stopped; therefore AppLocker rules are no longer enforced, and everyone can run everything on Server1.

Question: 12

HOTSPOT

You are implementing Privileged Access Management (PAM) for an Active Directory forest named contoso.com. You install a bastion forest named adatum.com, and you establish a trust between the forests. You need to create a group in contoso.com that will be used by Microsoft Identity Manager to create groups in adatum.com. How should you configure the group? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation:
References:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment

The production forest is contoso.com. The bastion forest is adatum.com.

A security group on the local domain (contoso.com):
There must be a group in the existing domain whose name is the NetBIOS domain name followed by three dollar signs, e.g., CONTOSO$$$. The group scope must be domain local and the group type must be Security. This is needed for groups to be created in the dedicated administrative forest (adatum.com) with the same security identifier as groups in this domain (contoso.com). Create this group with the following command:

    New-ADGroup -Name 'CONTOSO$$$' -GroupCategory Security -GroupScope DomainLocal -SamAccountName 'CONTOSO$$$'

After this, MIM can create the "Shadow Group" in the bastion adatum.com forest.

Question: 13

You have the Windows Server 2016 operating system images shown in the following table.
Your company's security policy states that you must minimize the attack surface when provisioning new servers. You need to deploy a Host Guardian Service cluster. Which image should you use for the deployment?

A. image1
B. image2
C. image3
D. image4

Answer: C

Explanation:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabricprepare-for-hgs

Prerequisites

Hardware: HGS can be run on physical or virtual machines, but physical machines are recommended. If you want to run HGS as a three-node physical cluster (for availability), you must have three physical servers. (As a best practice for clustering, the three servers should have very similar hardware.)

Operating system: Windows Server 2016, Standard or Datacenter edition (so you cannot use Server Core or Nano Server for running Host Guardian Service).

Server Roles: Host Guardian Service and supporting server roles.

Configuration permissions/privileges for the fabric (host) domain: You will need to configure DNS forwarding between the fabric (host) domain and the HGS domain. If you are using Admin-trusted attestation (AD mode), you will need to configure an Active Directory trust between the fabric domain and the HGS domain.

Question: 14
HOTSPOT

You have 10 Hyper-V hosts that run Windows Server 2016. Each Hyper-V host has eight virtual machines that run a distributed web application named App1. You plan to implement a Software Load Balancing (SLB) solution for client access to App1. You deploy two new virtual machines named SLB1 and SLB2. You need to install the required components on the Hyper-V hosts and the new servers for the planned implementation. Which components should you install? Select the appropriate options in the selection area.

Answer:

Explanation:
https://blogs.technet.microsoft.com/tip_of_the_day/2016/06/28/tip-of-the-day-demystifying-software-definednetworking-terms-the-components/
https://technet.microsoft.com/en-us/library/mt632286.aspx

SLB Host Agent – When you deploy SLB, you must use System Center, Windows PowerShell, or another management application to deploy the SLB Host Agent on every Hyper-V host computer. You can install the SLB Host Agent on all versions of Windows Server 2016 that provide Hyper-V support, including Nano Server.

SLB MUX – Part of the Software Load Balancer (SLB) on Windows Server 2016, the SLB MUX processes inbound network traffic and maps VIPs (virtual IPs) to DIPs (datacenter IPs), then forwards the traffic to the correct DIP. Each MUX also uses BGP to publish VIP routes to edge routers. BGP Keep Alive notifies MUXes when a MUX fails, which allows active MUXes to redistribute the load in case of a MUX failure, essentially providing load balancing for the load balancers.

Question: 15

Your network contains an Active Directory domain named contoso.com. The domain contains two DNS servers that run Windows Server 2016. The servers host two zones named contoso.com and admin.contoso.com. You sign both zones. You need to ensure that all client computers in the domain validate the zone records when they query the zone. What should you deploy?

A. a Microsoft Security Compliance Manager (SCM) policy
B. a zone transfer policy
C. a Name Resolution Policy Table (NRPT)
D. a connection security rule

Answer: C

Explanation:
You should use a Group Policy NRPT for DNS clients to perform DNSSEC validation of DNS zone records.

Question: 16

HOTSPOT

Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.

Start of repeated scenario.

Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2. The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2016. All client computers run Windows 10. You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1.

End of repeated scenario.

You need to configure Nano1 as a Hyper-V host. Which command should you run? To answer, select the appropriate options in the answer area.

Answer:
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server

Question: 17

You have a virtual machine named FS1 that runs Windows Server 2016. FS1 has the shared folders shown in the following table. You need to ensure that each user can store 10 GB of files in \\FS1\Users. What should you do?

A. From File Explorer, open the properties of volume D, and then modify the Quota settings.
B. Install the File Server Resource Manager role service, and then create a file screen.
C. From File Explorer, open the properties of D:\Users, and then modify the Advanced sharing settings.
D. Install the File Server Resource Manager role service, and then create a quota.

Answer: D

Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/storage/fsrm/create-quota

Question: 18
Your network contains an Active Directory domain named contoso.com. You download Microsoft Security Compliance Toolkit 1.0 and all the security baselines. You need to deploy one of the security baselines to all the computers in an organizational unit (OU) named OU1. What should you do?

A. Run lgpo.exe and specify the /g parameter. From Policy Analyzer, click Add.
B. From Group Policy Management, create and link a Group Policy object (GPO). Select the GPO and run the Import Settings Wizard.
C. From Group Policy Management, click Group Policy Objects, and then click Manage Backups…
D. From Group Policy Management, create and link a Group Policy object (GPO). Run lgpo.exe and specify the /g parameter.

Answer: B

Explanation:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

Question: 19

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. You need to allow network administrators to use Just Enough Administration (JEA) to change the TCP/IP settings on Server1. The solution must use the principle of least privilege. How should you configure the session configuration file?

A. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.
B. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.
C. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Network Configuration Operators.
D. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Network Configuration Operators.

Answer: D

Explanation:
References:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssessionconfigurationfile?view=powershell-6

Question: 20

DRAG DROP

Your network contains an Active Directory domain named contoso.com.
The domain contains several Hyper-V hosts. You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2016. You need to configure Server22 as the primary Host Guardian Service server. Which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.

Answer:
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-setting-up-the-host-guardian-service-hgs

Question: 21

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. The domain has Dynamic Access Control enabled. Server1 contains a folder named C:\Folder1. Folder1 is shared as Share1. You need to audit all access to the contents of Folder1 from Server2. The solution must minimize the number of event log entries. Which two audit policies should you enable on Server1? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Global Object Access – File System
B. Object Access – Audit Detailed File Share
C. Object Access – Audit Other Object Access Events
D. Object Access – Audit File System
E. Object Access – Audit File Share

Answer: BE

Explanation:
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share

Question: 22
HOTSPOT

Your network contains two Active Directory forests named adatum.com and priv.adatum.com. You deploy Microsoft Identity Manager (MIM) 2016 to the priv.adatum.com domain, and you implement Privileged Access Management (PAM). You create a PAM role named Group1 as shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Answer:

Explanation:
References:
https://tlktechidentitythoughts.wordpress.com/2016/09/07/mim-2016-setting-up-privileged-access-management-pam-in-an-existing-domain-using-the-built-in-pam-tool/

Question: 23

HOTSPOT

You manage a guarded fabric in TPM-trusted attestation mode. You plan to create a virtual machine template disk for shielded virtual machines. You need to create the virtual machine disk that you will use to generate the template. How should you configure the disk? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
Answer:

Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-configuration-scenarios-for-shielded-vms-overview
https://docs.microsoft.com/en-us/system-center/dpm/what-s-new-in-dpm-2016?view=sc-dpm-1801
Question: 24

You plan to enable Credential Guard on four servers. Credential Guard secrets will be bound to the TPM. The servers run Windows Server 2016 and are configured as shown in the following table. You need to identify which server you must modify to support the planned implementation. Which server should you identify?

A. Server1
B. Server2
C. Server3
D. Server4

Answer: D

Explanation:
References:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guardrequirements

Question: 25

Your network contains an Active Directory domain named contoso.com. You install the Windows Server Update Services server role on a member server named Server1. Server1 runs Windows Server 2016. You need to ensure that a user named User1 can perform the following tasks:

* View the Windows Server Update Services (WSUS) configuration.
* Generate WSUS update reports.

The solution must use the principle of least privilege. What should you do on Server1?

A. Modify the permissions of the ReportWebService virtual folder from the WSUS Administration website.
B. Add User1 to the WSUS Reporters local group.
C. Add User1 to the WSUS Administrators local group.
D. Run wsusutil.exe and specify the postinstall parameter.
Answer: B

Explanation:
WSUS Reporters have read-only access to the WSUS database and configuration. A user with "WSUS Reporters" membership can view the configuration and generate reports as follows: