Thursday, April 28, 2016

Exam 70-417 Upgrading Your Skills to MCSA Windows Server 2012

Published: September 21, 2012
Languages: English, German, Japanese
Audiences: IT professionals
Technology: Windows Server 2012 R2
Credit toward certification: MCP, MCSA, MCSE

Skills measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam. The higher the percentage, the more questions you are likely to see on that content area on the exam. View video tutorials about the variety of question types on Microsoft exams.

Please note that the questions may test on, but will not be limited to, the topics described in the bulleted text.

Do you have feedback about the relevance of the skills measured on this exam? Please send Microsoft your comments. All feedback will be reviewed and incorporated as appropriate while still maintaining the validity and reliability of the certification process. Note that Microsoft will not respond directly to your feedback. We appreciate your input in ensuring the quality of the Microsoft Certification program.

If you have concerns about specific questions on this exam, please submit an exam challenge.

If you have other questions or feedback about Microsoft Certification exams or about the certification program, registration, or promotions, please contact your Regional Service Center.

This exam has been updated to cover the recent technology updates in Windows Server 2012 R2 and System Center 2012 R2. For more details, you may review the documents on the exam detail pages for exams 70-410, 70-411, and 70-412.

Install and configure servers (20 - 25%)
Install servers
Plan for a server installation, plan for server roles, plan for a server upgrade, install Server Core, optimize resource utilization by using Features on Demand, migrate roles from previous versions of Windows Server
Configure servers
Configure Server Core, delegate administration, add and remove features in offline images, deploy roles on remote servers, convert Server Core to/from full GUI, configure services, configure NIC teaming, install and configure Windows PowerShell Desired State Configuration (DSC)
Configure local storage
Design storage spaces, configure basic and dynamic disks, configure Master Boot Record (MBR) and GUID Partition Table (GPT) disks, manage volumes, create and mount virtual hard disks (VHDs), configure storage pools and disk pools, create storage pools by using disk enclosures

Preparation resources
Installing Windows Server 2012
Configure Server Core
Windows Server 2012 "Early Experts" challenge – Exam 70-410 – storage spaces

Configure server roles and features (20 - 25%)
Configure servers for remote management
Configure WinRM, configure down-level server management, configure servers for day-to-day management tasks, configure multi-server management, configure Server Core, configure Windows Firewall, manage non-domain joined servers

Preparation resources
NTFS shared folders in Windows Server 2012
Simplified printing with Windows 8 and Windows Server 2012
Using the Windows Server 2012 Server Manager for remote and multi-server management

Configure Hyper-V (20 - 25%)
Create and configure virtual machine (VM) settings
Configure dynamic memory, configure smart paging, configure Resource Metering, configure guest integration services, create and configure Generation 1 and 2 VMs, configure and use enhanced session mode, configure RemoteFX
Create and configure virtual machine storage
Create VHDs and VHDX, configure differencing drives, modify VHDs, configure pass-through disks, manage checkpoints, implement a virtual Fibre Channel adapter, configure storage Quality of Service
Create and configure virtual networks
Configure Hyper-V virtual switches, optimize network performance, configure MAC addresses, configure network isolation, configure synthetic and legacy virtual network adapters, configure NIC teaming in VMs

Preparation resources
Hyper-V Dynamic Memory overview
Configuring pass-through disks in Hyper-V
Hyper-V network virtualization overview

Install and administer Active Directory (25 - 30%)
Install domain controllers
Add or remove a domain controller from a domain, upgrade a domain controller, install Active Directory Domain Services (AD DS) on a Server Core installation, install a domain controller from install from media (IFM), resolve Domain Name System (DNS) SRV record registration issues, configure a global catalog server, deploy Active Directory infrastructure as a service (IaaS) in Microsoft Azure

Preparation resources
What's new in Active Directory Domain Services installation
Overview of Active Directory simplified administration
Using the updated Active Directory Administration Center

QUESTION 1
You have a server named DNS1 that runs Windows Server 2012 R2.
You discover that the DNS resolution is slow when users try to access the company intranet home page by using the URL http://companyhome.
You need to provide single-label name resolution for CompanyHome that is not dependent on the suffix search order.
Which three cmdlets should you run? (Each correct answer presents part of the solution. Choose three.)

A. Add-DnsServerPrimaryZone
B. Add-DnsServerResourceRecordCName
C. Set-DnsServerDsSetting
D. Set-DnsServerGlobalNameZone
E. Set-DnsServerEDns
F. Add-DnsServerDirectoryPartition

Answer: A,B,D
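The three keyed cmdlets, run in order, as an added example (this is not from the original exam page). DNS1 is the server in the question; the target host web01.contoso.com is an assumption:

```powershell
# Added example (not from the original page): configure a GlobalNames zone on DNS1 so the
# single-label name "companyhome" resolves without depending on the client suffix search list.
# Assumptions: the intranet web server is web01.contoso.com and DNS1 is an AD-integrated DNS server.
$DnsServer = 'DNS1'
$Target    = 'web01.contoso.com'   # assumed FQDN of the intranet web server

# 1. Create the zone. The name must be exactly "GlobalNames"; forest-wide replication makes
#    every DNS server in the forest hold the same copy.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest -ComputerName $DnsServer

# 2. Enable GlobalNames zone support. This is a per-server setting: every DNS server that
#    should answer single-label queries from the zone needs it, not only the one hosting it.
Set-DnsServerGlobalNameZone -Enable $true -ComputerName $DnsServer

# 3. Add the alias. GlobalNames entries are CNAMEs pointing at the host's real FQDN, so the
#    zone never carries addresses of its own and stays in step with the authoritative zone.
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'companyhome' `
    -HostNameAlias $Target -ComputerName $DnsServer

# Verify. The server checks its authoritative zones first, then the GlobalNames zone, so the
# query succeeds whichever suffix the client appended (or none at all).
Get-DnsServerGlobalNameZone -ComputerName $DnsServer | Select-Object Enable, GlobalOverLocal
Resolve-DnsName -Name 'companyhome' -Server $DnsServer -Type A
```

Because step 2 is per server, a client that happens to query a DNS server where GlobalNames support is still disabled gets NXDOMAIN; enable it on all servers before announcing the name.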


QUESTION 2
Your network contains an Active Directory forest named contoso.com.
Users frequently access the website of an external partner company.
The URL of the website is http://partners.adatum.com.
The partner company informs you that it will perform maintenance on its Web server and that the IP addresses of the Web server will change.
After the change is complete, the users on your internal network report that they fail to access the website.
However, some users who work from home report that they can access the website.
You need to ensure that your DNS servers can resolve partners.adatum.com to the correct IP address immediately.
What should you do?

A. Run dnscmd and specify the CacheLockingPercent parameter
B. Run Set-DnsServerGlobalQueryBlockList
C. Run ipconfig and specify the Renew parameter
D. Run Set-DnsServerCache

Answer: D


QUESTION 3
Your network contains an Active Directory forest named adatum.com. The forest contains an Active Directory Rights Management Services (AD RMS) cluster.
A partner company has an Active Directory forest named litwareinc.com. The partner company does not have AD RMS deployed.
You need to ensure that users in litwareinc.com can consume rights-protected content from adatum.com.
Which type of trust policy should you create?

A. A federated trust
B. A trusted user domain
C. A trusted publishing domain
D. Windows Live ID

Answer: A
Explanation:
A. AD RMS can grant rights to users who authenticate through a federated trust with Active Directory Federation Services (AD FS). This lets an organization share rights-protected content with a partner that has neither an Active Directory trust with it nor its own AD RMS infrastructure. A trusted user domain (B) or trusted publishing domain (C) would require litwareinc.com to run its own AD RMS cluster, which it does not.
http://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx http://technet.microsoft.com/en-us/library/cc738707(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/cc757344(v=ws.10).aspx



QUESTION 4
You are a network administrator of an Active Directory domain named contoso.com.
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DHCP Server server role and the Network Policy Server role service installed.
You enable Network Access Protection (NAP) on all of the DHCP scopes on Server1.
You need to create a DHCP policy that will apply to all of the NAP non-compliant DHCP clients.
Which criteria should you specify when you create the DHCP policy?

A. The user class
B. The vendor class
C. The client identifier
D. The relay agent information

Answer: A
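The policy from the keyed answer, built with the DHCP server cmdlets, as an added example (not part of the original page). Server1's scope 10.0.0.0/24 and the remediation DNS server 10.0.0.250 are assumptions; the user class name is the built-in one:

```powershell
# Added example (not from the original page): a DHCP policy on Server1 that matches NAP
# non-compliant clients by user class and hands them a restricted network configuration.
# Assumptions: scope 10.0.0.0 and remediation DNS server 10.0.0.250 are illustrative values.
$ScopeId = '10.0.0.0'

# NAP-capable clients that fail the health check are placed in this built-in user class by the
# DHCP enforcement client; the policy keys on it (option A in the question).
Get-DhcpServerv4Class -Type User | Where-Object Name -like '*Network Access Protection*'

# Policy condition: user class equals the built-in NAP class.
Add-DhcpServerv4Policy -Name 'NAP-NonCompliant' -ScopeId $ScopeId -Condition OR `
    -UserClass EQ,'Default Network Access Protection Class' `
    -Description 'Restricted options for NAP non-compliant clients'

# Policy-scoped options: non-compliant clients only get the remediation DNS server, and a
# short lease (policy-level lease duration is a Windows Server 2012 R2 addition) so they
# re-evaluate quickly once they become compliant.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName 'NAP-NonCompliant' -DnsServer 10.0.0.250
Set-DhcpServerv4Policy -Name 'NAP-NonCompliant' -ScopeId $ScopeId -LeaseDuration (New-TimeSpan -Minutes 10)

# Verify the policy and its option set.
Get-DhcpServerv4Policy -ScopeId $ScopeId -Name 'NAP-NonCompliant'
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName 'NAP-NonCompliant'
```

Note that NAP itself is deprecated in Windows Server 2012 R2 and removed from Windows Server 2016; the policy mechanics (match on user class, hand out policy-scoped options) still apply to any other user class.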


QUESTION 5
Your network contains an Active Directory domain named contoso.com. The domain contains servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 has the Active Directory Federation Services server role installed. Server2 is a file server.
Your company introduces a Bring Your Own Device (BYOD) policy.
You need to ensure that users can use a personal device to access domain resources by using Single Sign-On (SSO) while they are connected to the internal network.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Enable the Device Registration Service in Active Directory.
B. Publish the Device Registration Service by using a Web Application Proxy.
C. Configure Active Directory Federation Services (AD FS) for the Device Registration Service.
D. Install the Work Folders role service on Server2.
E. Create and configure a sync share on Server2.

Answer: A,C
Explanation:
* Prepare your Active Directory forest to support devices. This is a one-time operation that prepares the forest for device registration. On your federation server, open a Windows PowerShell command window and type: Initialize-ADDeviceRegistration
* Enable Device Registration Service on a federation server farm node. On your federation server, open a Windows PowerShell command window and type: Enable-AdfsDeviceRegistration. Repeat this step on each federation farm node in your AD FS farm.
Work Folders (D, E) syncs files to devices but is not what provides device-based SSO, and the Web Application Proxy (B) is only needed for devices registering from outside the internal network.

Sunday, April 17, 2016

Exam 70-412 Configuring Advanced Windows Server 2012 Services

Published: September 17, 2012
Languages: English, Chinese (Simplified), French, German, Japanese, Portuguese (Brazil)
Audiences: IT professionals
Technology: Windows Server 2012 R2
Credit toward certification: MCP, MCSA, MCSE

Skills measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam. The higher the percentage, the more questions you are likely to see on that content area on the exam. View video tutorials about the variety of question types on Microsoft exams.

As of January 2014, this exam includes content covering Windows Server 2012 R2.

Configure and manage high availability (15–20%)
Configure Network Load Balancing (NLB)
Install NLB nodes, configure NLB prerequisites, configure affinity, configure port rules, configure cluster operation mode, upgrade an NLB cluster
Configure failover clustering
Configure quorum, configure cluster networking, restore single node or cluster configuration, configure cluster storage, implement Cluster-Aware Updating, upgrade a cluster, configure and optimize clustered shared volumes, configure clusters without network names, configure storage spaces
Manage failover clustering roles
Configure role-specific settings, including continuously available shares; configure virtual machine (VM) monitoring; configure failover and preference settings; configure guest clustering
Manage VM movement
Perform live migration; perform quick migration; perform storage migration; import, export, and copy VMs; configure VM network health protection; configure drain on shutdown

Preparation resources
Managing Network Load Balancing clusters
Setting Network Load Balancing parameters
Failover cluster deployment guide

Configure file and storage solutions (15–20%)
Configure advanced file services
Configure Network File System (NFS) data store, configure BranchCache, configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM), configure file access auditing
Implement Dynamic Access Control (DAC)
Configure user and device claim types, implement policy changes and staging, perform access-denied remediation, configure file classification, create and configure Central Access rules and policies, create and configure resource properties and lists
Configure and optimize storage
Configure iSCSI target and initiator, configure Internet Storage Name server (iSNS), implement thin provisioning and trim, manage server free space using Features on Demand, configure tiered storage

Preparation resources
Network File System
File Server Resource Manager
Dynamic Access Control: Scenario overview

Implement business continuity and disaster recovery (15–20%)
Configure and manage backups
Configure Windows Server backups, configure Microsoft Azure backups, configure role-specific backups, manage VSS settings using VSSAdmin
Recover servers
Restore from backups, perform a Bare Metal Restore (BMR), recover servers using Windows Recovery Environment (Win RE) and safe mode, configure the Boot Configuration Data (BCD) store
Configure site-level fault tolerance
Configure Hyper-V Replica, including Hyper-V Replica Broker and VMs; configure multi-site clustering, including network settings, Quorum, and failover settings; configure Hyper-V Replica extended replication; configure Global Update Manager; recover a multi-site failover cluster

Preparation resources
Windows Server backup overview
Windows Recovery Environment (RE) explained
How to configure bare-metal restore/recovery media

Configure Network Services (15–20%)
Implement an advanced Dynamic Host Configuration Protocol (DHCP) solution
Create and configure superscopes and multicast scopes; implement DHCPv6; configure high availability for DHCP, including DHCP failover and split scopes; configure DHCP Name Protection; configure DNS registration
Implement an advanced DNS solution
Configure security for DNS, including Domain Name System Security Extensions (DNSSEC), DNS Socket Pool, and cache locking; configure DNS logging; configure delegated administration; configure recursion; configure netmask ordering; configure a GlobalNames zone; analyze zone level statistics
Deploy and manage IP Address Management (IPAM)
Provision IPAM manually or by using Group Policy, configure server discovery, create and manage IP blocks and ranges, monitor utilization of IP address space, migrate to IPAM, delegate IPAM administration, manage IPAM collections, configure IPAM database storage

Preparation resources
Dynamic Host Configuration Protocol (DHCP) overview
Step-by-step: Demonstrate DNSSEC in a test lab
Holistic administration of IP address space using Windows Server 2012 IP Address Management

Configure the Active Directory infrastructure (15–20%)
Configure a forest or a domain
Implement multi-domain and multi-forest Active Directory environments, including interoperability with previous versions of Active Directory; upgrade existing domains and forests, including environment preparation and functional levels; configure multiple user principal name (UPN) suffixes
Configure trusts
Configure external, forest, shortcut, and realm trusts; configure trust authentication; configure SID filtering; configure name suffix routing
Configure sites
Configure sites and subnets, create and configure site links, manage site coverage, manage registration of SRV records, move domain controllers between sites
Manage Active Directory and SYSVOL replication
Configure replication to Read-Only Domain Controllers (RODCs), configure Password Replication Policy (PRP) for RODC, monitor and manage replication, upgrade SYSVOL replication to Distributed File System Replication (DFSR)

Preparation resources
Deploy Active Directory Domain Services (AD DS) in your enterprise
Active Directory domains and trusts
Introduction to Active Directory replication and topology management using Windows PowerShell (Level 100)

Configure Identity and Access Solutions (15–20%)
Implement Active Directory Federation Services (AD FS)
Install AD FS; implement claims-based authentication, including Relying Party Trusts; configure authentication policies; configure Workplace Join; configure multi-factor authentication
Install and configure Active Directory Certificate Services (AD CS)
Install an Enterprise Certificate Authority (CA), configure certificate revocation lists (CRL) distribution points, install and configure Online Responder, implement administrative role separation, configure CA backup and recovery
Manage certificates
Manage certificate templates; implement and manage certificate deployment, validation, and revocation; manage certificate renewal; manage certificate enrollment and renewal to computers and users using Group Policies; configure and manage key archival and recovery
Install and configure Active Directory Rights Management Services (AD RMS)
Install a licensing or certificate AD RMS server, manage AD RMS Service Connection Point (SCP), manage RMS templates, configure Exclusion Policies, back up and restore AD RMS

Preparation resources
AD FS deployment guide
Active Directory Certificate Services overview
Deploy a private CA with Windows Server 2012

QUESTION 1
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. Cluster1 contains a cluster disk resource.
A developer creates an application named App1. App1 is NOT a cluster-aware application. App1 runs as a service. App1 stores data on the cluster disk resource.
You need to ensure that App1 runs in Cluster1. The solution must minimize development effort.
Which cmdlet should you run?

A. Add-ClusterGenericServiceRole
B. Add-ClusterGenericApplicationRole
C. Add-ClusterScaleOutFileServerRole
D. Add-ClusterServerRole

Answer: A
Explanation:
App1 runs as a Windows service, so the Generic Service role is the right fit: Add-ClusterGenericServiceRole configures high availability for a service that was not designed to run in a failover cluster and requires no change to the application. The cluster starts the service on the owner node, monitors its state through the Service Control Manager, and fails it over together with the cluster disk (given with -Storage) when the node or the service fails.
Add-ClusterGenericApplicationRole (B) is the equivalent for an executable that is not a service. If you run an application as a Generic Application, the cluster software starts the process from the given command line and periodically queries the operating system to see whether it still appears to be running; if so, it is presumed online and is not restarted or failed over. For example:
C:\PS> Add-ClusterGenericApplicationRole -CommandLine NewApplication.exe

Name            OwnerNode  State
----            ---------  -----
cluster1GenApp  node2      Online

This command configures NewApplication.exe as a generic clustered application. A default name is used for client access and the application requires no storage.
Reference: Add-ClusterGenericApplicationRole
http://technet.microsoft.com/en-us/library/ee460976.aspx
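Making App1 highly available with the Generic Service role, then proving it follows the disk to the other node, as an added example (not from the original page). The service name App1, the disk resource name "Cluster Disk 1" and the role name App1Role are assumptions:

```powershell
# Added example (not from the original page): cluster the non-cluster-aware service App1 with
# the Generic Service role and verify failover. Names other than Cluster1/Server1/Server2 are
# assumptions.
$Cluster     = 'Cluster1'
$ServiceName = 'App1'
$Disk        = 'Cluster Disk 1'

# The service must already be installed identically on every node; the cluster only decides
# which node runs it. Check all nodes before creating the role.
Get-ClusterNode -Cluster $Cluster | ForEach-Object {
    Get-Service -ComputerName $_.Name -Name $ServiceName -ErrorAction Stop |
        Select-Object MachineName, Name, Status
}

# Create the role: a Generic Service resource that depends on the cluster disk. No application
# code changes are needed, which is what "minimize development effort" asks for.
Add-ClusterGenericServiceRole -Cluster $Cluster -ServiceName $ServiceName -Storage $Disk -Name 'App1Role'

# Inspect the group: the service resource should list the disk as a dependency, so the disk is
# online before the service starts and the service stops before the disk moves.
Get-ClusterGroup -Cluster $Cluster -Name 'App1Role' | Get-ClusterResource |
    Select-Object Name, ResourceType, State
Get-ClusterGroup -Cluster $Cluster -Name 'App1Role' | Get-ClusterResource |
    Get-ClusterResourceDependency

# Test failover: move the group to the second node and confirm the service came up there.
Move-ClusterGroup -Cluster $Cluster -Name 'App1Role' -Node 'Server2'
Get-ClusterGroup -Cluster $Cluster -Name 'App1Role' | Select-Object Name, OwnerNode, State
```

If App1 runs under a domain service account, that account needs the same rights on both nodes; the cluster moves the service definition, not the account's local permissions.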


QUESTION 2
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. All client computers run Windows 8.
You need to configure a custom Access Denied message that will be displayed to users when they are denied access to folders or files on Server1.
What should you configure?

A. A classification property
B. The File Server Resource Manager Options
C. A file management task
D. A file screen template

Answer: B
Explanation:
Access-denied assistance can be configured by using the File Server Resource Manager console on the file server.
Note: Access-denied assistance is a new feature in Windows Server 2012, which provides the following ways to troubleshoot issues that are related to access to files and folders:
* Self-assistance. If a user can determine the issue and remediate the problem so that they can get the requested access, the impact to the business is low, and no special exceptions are needed in the central access policy. Access-denied assistance provides an access-denied message that file server administrators can customize with information specific to their organizations. For example, an administrator could set the message so that users can request access from a data owner without involving the file server administrator.
Reference: Scenario: Access-Denied Assistance
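The same setting from the File Server Resource Manager cmdlets, as an added example (not from the original page). Message text, mailbox and SMTP server are assumptions:

```powershell
# Added example (not from the original page): configure the custom access-denied message on
# Server1 with the FSRM cmdlets (the PowerShell equivalent of the FSRM Options dialog).
# Assumptions: the message text, mail addresses and SMTP server are illustrative.
$Message = 'Access to this folder is restricted. Click Request Assistance and your request ' +
           'is sent to the data owner; include the business reason for access.'

# Enable assistance for access-denied events, let the user send a request, and route it to the
# folder owner with the help desk on copy. Including the user's claims lets the owner see which
# group or claim the user lacked (useful when the share is governed by Dynamic Access Control).
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true -DisplayMessage $Message `
    -AllowRequests $true -MailToOwner $true -MailCCAdmin $true -MailTo 'helpdesk@contoso.com' `
    -IncludeUserClaims $true -IncludeDeviceClaims $true -EventLog $true

# Requests are e-mailed, so FSRM needs a mail server and sender configured.
Set-FsrmSetting -SmtpServer 'smtp.contoso.com' -AdminEmailAddress 'fsadmin@contoso.com' `
    -FromEmailAddress 'fsrm@contoso.com'

# Verify the effective settings.
Get-FsrmAdrSetting -Event AccessDenied |
    Format-List Enabled, DisplayMessage, AllowRequests, MailToOwner, MailCCAdmin, MailTo

# The server side alone is not enough: Windows 8 clients show the message only when the Group
# Policy "Enable access-denied assistance on client for all file types" (Computer Configuration >
# Policies > Administrative Templates > System > Access-Denied Assistance) is enabled.
```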


QUESTION 2
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. All servers run Windows Server 2012.
You complete the Active Directory Federation Services Configuration Wizard on Server1.
You need to ensure that client devices on the internal network can use Workplace Join.
Which two actions should you perform on Server1? (Each correct Answer presents part of the solution. Choose two.)

A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
B. Edit the multi-factor authentication global authentication policy settings.
C. Run Enable-AdfsDeviceRegistration.
D. Run Set-AdfsProxyProperties HttpPort 80.
E. Edit the primary authentication global authentication policy settings.

Answer: C,E
Explanation:
C. To enable Device Registration Service
On your federation server, open a Windows PowerShell command window and type: Enable-AdfsDeviceRegistration
Repeat this step on each federation farm node in your AD FS farm.
E. Enable seamless second factor authentication
Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a ‘known’ device and administrators can use this information to drive conditional access and gate access to resources.
To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices.
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
Reference: Configure a federation server with Device Registration Service.
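The full Device Registration Service setup, covering both this question and 70-417 Question 5 above, as an added example (not from the original page). The AD FS service account, federation service name and UPN suffix are assumptions:

```powershell
# Added example (not from the original page): enable the Device Registration Service on an
# AD FS farm for Workplace Join. Assumptions: service account contoso\svc_adfs, federation
# service name adfs.contoso.com, UPN suffix contoso.com.
$ServiceAccount = 'contoso\svc_adfs'
$UpnSuffix      = 'contoso.com'

# 1. One-time forest preparation: creates the Device Registration configuration in AD and grants
#    the AD FS service account rights to it. Run once, as an Enterprise Admin, on any
#    federation server (70-417 Q5 option A).
Initialize-ADDeviceRegistration -ServiceAccountName $ServiceAccount -Force

# 2. Enable DRS on this farm node; repeat on every node of the farm (option C in both questions).
Enable-AdfsDeviceRegistration

# 3. Turn on device authentication in the global primary authentication policy so a
#    workplace-joined device gets persistent SSO and can drive conditional access (option E).
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verify service and policy state.
Get-AdfsDeviceRegistration
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object DeviceAuthenticationEnabled, PrimaryIntranetAuthenticationProvider

# Clients discover DRS through DNS: enterpriseregistration.<UPN suffix> must be a CNAME to the
# federation service name, and the AD FS SSL certificate must carry that name as a SAN.
Resolve-DnsName -Name "enterpriseregistration.$UpnSuffix" -Type CNAME
```

The DNS record and certificate SAN are the two pieces most often missing when Workplace Join fails on devices that are otherwise on the internal network.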

QUESTION 3
You create a new virtual disk in a storage pool by using the New Virtual Disk Wizard. You discover that the new virtual disk has a write-back cache of 1 GB.
You need to ensure that the virtual disk has a write-back cache of 5 GB.
What should you do?

A. Detach the virtual disk, and then run the Resize-VirtualDisk cmdlet.
B. Detach the virtual disk, and then run the Set-VirtualDisk cmdlet.
C. Delete the virtual disk, and then run the New-StorageSubSystemVirtualDisk cmdlet.
D. Delete the virtual disk, and then run the New-VirtualDisk cmdlet.

Answer: D
Explanation:
The write-back cache size of a virtual disk cannot be changed after creation; it can only be specified when the virtual disk is created, and only from Windows PowerShell, because the New Virtual Disk Wizard does not expose it. The cmdlet is New-VirtualDisk with the -WriteCacheSize parameter, for example:
New-VirtualDisk -StoragePoolFriendlyName "<pool>" -FriendlyName "<name>" -Size <size> -WriteCacheSize 5GB
Resize-VirtualDisk (A) changes the size of the disk and Set-VirtualDisk (B) changes properties such as its friendly name; neither touches the cache.
Reference: Using Windows Server 2012's SSD Write-Back Cache
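Recreating the virtual disk with the requested cache, and checking first that the pool can back it, as an added example (not from the original page). Pool and disk names and the 500 GB mirror are assumptions:

```powershell
# Added example (not from the original page): recreate the virtual disk with a 5 GB write-back
# cache, since the size is fixed at creation time and only exposed in PowerShell.
# Assumptions: pool "Pool1", disk "VDisk1" and a 500 GB two-way mirror are illustrative.
$Pool = 'Pool1'
$Name = 'VDisk1'

# The write-back cache lives on SSDs in the pool, one SSD per data copy of the layout (two for
# a two-way mirror). Check SSD capacity before asking for 5 GB, or New-VirtualDisk fails.
Get-StoragePool -FriendlyName $Pool | Get-PhysicalDisk |
    Group-Object MediaType |
    Select-Object Name, Count, @{ n = 'SizeGB'; e = { ($_.Group | Measure-Object Size -Sum).Sum / 1GB } }

# Remove the disk the wizard created with the 1 GB default (answer D: delete, then New-VirtualDisk).
Get-VirtualDisk -FriendlyName $Name -ErrorAction SilentlyContinue | Remove-VirtualDisk -Confirm:$false

# Create it again with the cache size specified explicitly.
New-VirtualDisk -StoragePoolFriendlyName $Pool -FriendlyName $Name -Size 500GB `
    -ResiliencySettingName Mirror -ProvisioningType Fixed -WriteCacheSize 5GB

# Verify: WriteCacheSize is reported in bytes.
Get-VirtualDisk -FriendlyName $Name |
    Select-Object FriendlyName, ResiliencySettingName, @{ n = 'WriteCacheGB'; e = { $_.WriteCacheSize / 1GB } }
```

Deleting the virtual disk destroys its data; in a real environment the volume on it is backed up or empty before this step.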


QUESTION 4
Your company has offices in Montreal, New York, and Amsterdam.
The network contains an Active Directory forest named contoso.com. An Active Directory site exists for each office. All of the sites connect to each other by using the DEFAULTIPSITELINK site link.
You need to ensure that only between 20:00 and 08:00, the domain controllers in the Montreal office replicate the Active Directory changes to the domain controllers in the Amsterdam office.
The solution must ensure that the domain controllers in the Montreal and the New York offices can replicate the Active Directory changes any time of day.
What should you do?

A. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of DEFAULTIPSITELINK.
B. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of DEFAULTIPSITELINK.
C. Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of the new site link.
D. Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of the new site link.

Answer: C
Explanation:
We create a new site link that contains only Montreal and Amsterdam and give it a schedule that is open only between 20:00 and 08:00. Amsterdam must also be removed from DEFAULTIPSITELINK: as long as it stays there, the KCC can build Montreal to Amsterdam connections over that unrestricted link and the new schedule is bypassed. Montreal and New York remain on DEFAULTIPSITELINK and keep replicating at any time of day. A site link bridge (B, D) makes links transitive and restricts nothing, and changing the schedule of DEFAULTIPSITELINK (A) would also throttle Montreal to New York replication.
Reference: How Active Directory Replication Topology Works
http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx
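Answer C implemented with the Active Directory replication cmdlets, as an added example (not from the original page). Site names follow the question; the link name, cost and replication interval are assumptions:

```powershell
# Added example (not from the original page): restrict Montreal-Amsterdam replication to
# 20:00-08:00 while leaving Montreal-New York unrestricted. Link name, cost and interval are
# assumptions; site names come from the question.
Import-Module ActiveDirectory

# A replication schedule is a 7 x 24 x 4 grid (day, hour, 15-minute slot) of booleans; true
# means replication may start in that slot. Open 20:00-23:59 and 00:00-07:59 every day.
$Schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$Grid = New-Object 'bool[,,]' 7, 24, 4
foreach ($day in 0..6) {
    foreach ($hour in (20..23) + (0..7)) {
        foreach ($slot in 0..3) { $Grid[$day, $hour, $slot] = $true }
    }
}
$Schedule.RawSchedule = $Grid

# New site link carrying only Montreal and Amsterdam, with the restricted schedule.
New-ADReplicationSiteLink -Name 'Montreal-Amsterdam' -SitesIncluded Montreal, Amsterdam `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -ReplicationSchedule $Schedule `
    -InterSiteTransportProtocol IP

# Take Amsterdam out of DEFAULTIPSITELINK. If it stayed, the KCC would keep an unrestricted
# Montreal-Amsterdam connection over that link and the schedule above would be moot.
# Montreal and New York remain on DEFAULTIPSITELINK and replicate at any time.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'Amsterdam' }

# Verify membership, then spot-check the schedule: index [day, hour, slot], day 0 = Sunday.
# The 07:45 slot on a weekday should be open and the 08:00 slot closed.
Get-ADReplicationSiteLink -Filter * | Select-Object Name, SitesIncluded
$Link = Get-ADReplicationSiteLink -Identity 'Montreal-Amsterdam' -Properties ReplicationSchedule
$Link.ReplicationSchedule.RawSchedule[4, 7, 3]
$Link.ReplicationSchedule.RawSchedule[4, 8, 0]
```

After the change, repadmin /kcc on a Montreal or Amsterdam DC rebuilds the connection objects immediately instead of waiting for the next KCC pass.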


QUESTION 5
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP Server server role installed.
You need to create an IPv6 scope on Server1. The scope must use an address space that is reserved for private networks. The addresses must be routable.
Which IPV6 scope prefix should you use?

A. 2001:123:4567:890A::
B. FE80:123:4567::
C. FF00:123:4567:890A::
D. FD00:123:4567::

Answer: D
Explanation:
A unique local address (ULA) is an IPv6 address in the block fc00::/7, defined in RFC 4193; it is the approximate IPv6 counterpart of the IPv4 private address ranges. The block is divided into two /8 groups:
* fc00::/8 has not been defined yet.
* fd00::/8 is used for /48 prefixes, formed by setting the 40 bits that follow the fd prefix to a randomly generated Global ID.
Prefixes in fd00::/8 have properties similar to the IPv4 private ranges:
* They are not allocated by an address registry and may be used in networks by anyone without outside involvement.
* They are not guaranteed to be globally unique; the random Global ID makes collisions unlikely, which matters when two networks are later merged or connected.
* Reverse Domain Name System (DNS) entries (under ip6.arpa) for fd00::/8 ULAs cannot be delegated in the global DNS.
They are routable within and between cooperating organizations but are not routed on the public Internet, which is exactly the combination the question asks for. The other options fail a requirement: 2001:: (A) is registry-assigned global unicast space, not private; FE80::/10 (B) is link-local and is never routed; FF00::/8 (C) is multicast, not a unicast scope.
Reference: RFC 4193
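Classifying the four candidate prefixes and creating the DHCPv6 scope, as an added example (not from the original page). It goes one step past the question by generating the ULA Global ID randomly, which is what RFC 4193 requires rather than hand-picking fd00:123:4567::; the scope name is an assumption:

```powershell
# Added example (not from the original page): classify IPv6 prefixes by their leading bits the
# way the question does, then create a DHCPv6 scope on Server1 using a randomly generated ULA /48
# (RFC 4193 section 3.2). The scope name is an assumption.
function Get-IPv6PrefixKind {
    param([Parameter(Mandatory)][string]$Prefix)
    $b = ([System.Net.IPAddress]::Parse($Prefix)).GetAddressBytes()
    switch ($true) {
        { ($b[0] -band 0xFE) -eq 0xFC }                         { 'UniqueLocal fc00::/7 : private, routable inside the organization'; break }
        { $b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0x80 }     { 'LinkLocal fe80::/10 : not routable'; break }
        { $b[0] -eq 0xFF }                                      { 'Multicast ff00::/8 : not a unicast scope'; break }
        { ($b[0] -band 0xE0) -eq 0x20 }                         { 'GlobalUnicast 2000::/3 : public, registry-assigned'; break }
        default                                                 { 'Other' }
    }
}

# fd (8 bits) + 40 random bits of Global ID = the /48 prefix fdXX:XXXX:XXXX::
function New-UlaPrefix {
    $gid = New-Object byte[] 5
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($gid)
    $hex = ($gid | ForEach-Object { $_.ToString('x2') }) -join ''
    'fd{0}:{1}:{2}::' -f $hex.Substring(0, 2), $hex.Substring(2, 4), $hex.Substring(6, 4)
}

# The four options from the question.
'2001:123:4567:890A::', 'FE80:123:4567::', 'FF00:123:4567:890A::', 'FD00:123:4567::' |
    ForEach-Object { '{0,-22} {1}' -f $_, (Get-IPv6PrefixKind $_) }

# Create a routable private scope. A random Global ID means two organizations that later merge
# or connect over a VPN are very unlikely to both be using the same prefix.
$Ula = New-UlaPrefix
Add-DhcpServerv6Scope -Prefix $Ula -Name 'Corp-ULA' -State Active
Get-DhcpServerv6Scope -Prefix $Ula
```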


QUESTION 6
Your network contains an Active Directory forest named contoso.com.
Users frequently access the website of an external partner company. The URL of the website is http://partners.adatum.com.
The partner company informs you that it will perform maintenance on its Web server and that the IP addresses of the Web server will change.
After the change is complete, the users on your internal network report that they fail to access the website. However, some users who work from home report that they can access the website.
You need to ensure that your DNS servers can resolve partners.adatum.com to the correct IP address immediately.
What should you do?

A. Run dnscmd and specify the CacheLockingPercent parameter.
B. Run Set-DnsServerGlobalQueryBlockList.
C. Run ipconfig and specify the Renew parameter.
D. Run Set-DnsServerCache.

Answer: D
Explanation:
The Set-DnsServerCache cmdlet modifies cache settings for a Domain Name System (DNS) server, including cache locking (-LockingPercent). Cache locking specifies the percentage of a cached record's original Time to Live (TTL) during which the server refuses to overwrite the entry, a defence against cache poisoning. For example, with a value of 50 the DNS server does not overwrite a cached entry for the first half of its TTL. The default is 100, which is why the stale partners.adatum.com record survives on your servers for its whole TTL while home users, who resolve through a different resolver, already see the new address. Lowering the locking percent lets the entry be replaced sooner, which is the keyed answer.
Note. Lowering cache locking weakens poisoning protection for every cached name and still does not remove the stale entry immediately; the direct fix is to clear the server cache with Clear-DnsServerCache (Windows PowerShell) or Dnscmd /ClearCache (command prompt). ipconfig only affects the local client's resolver cache (and the switch for that is /flushdns, not /renew as in option C).
Reference: Set-DnsServerCache
http://technet.microsoft.com/en-us/library/jj649852.aspx
Incorrect:
Not A. dnscmd changes this setting only with the /Config switch, dnscmd /Config /CacheLockingPercent <value>; the option as written is incomplete, and like D it does not flush the existing entry.
Not B. Set-DnsServerGlobalQueryBlockList controls which names (such as WPAD and ISATAP) the server refuses to answer; it has nothing to do with cached records.
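The stale-record scenario worked through on the server, as an added example (not from the original page). It also covers 70-417 Question 2 above, which is the same question without an explanation. The server name is an assumption; the record name comes from the question:

```powershell
# Added example (not from the original page): fix the stale partners.adatum.com record while
# leaving cache locking at its secure default. Assumption: the internal DNS server is DNS1.
$DnsServer = 'DNS1'
$Name      = 'partners.adatum.com'

# Show what is cached and how long it is protected. LockingPercent 100 (the default) means a
# cached record cannot be overwritten by an unsolicited answer for its whole TTL; that is the
# cache-poisoning defence, not a fault.
Get-DnsServerCache -ComputerName $DnsServer | Select-Object LockingPercent, MaxTtl, MaxNegativeTtl
Show-DnsServerCache -ComputerName $DnsServer | Where-Object HostName -like '*adatum.com*'

# The keyed answer: Set-DnsServerCache -LockingPercent only shortens the protected window, and it
# does so for every name on the server. Shown here and rolled straight back.
Set-DnsServerCache -ComputerName $DnsServer -LockingPercent 50
Set-DnsServerCache -ComputerName $DnsServer -LockingPercent 100

# What actually resolves the problem immediately: drop the cached entries so the next query goes
# to the authoritative adatum.com servers, then confirm the new address is returned.
Clear-DnsServerCache -ComputerName $DnsServer -Force
Resolve-DnsName -Name $Name -Server $DnsServer -Type A -DnsOnly
```

Clients keep their own resolver cache, so users who already looked the name up may additionally need ipconfig /flushdns on their workstation.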

Wednesday, April 13, 2016

300-207 SITCS Implementing Cisco Threat Control Solutions

Exam Number 300-207 SITCS
Associated Certifications CCNP Security
Duration 90 minutes (65 - 75 questions)
Available Languages English, Japanese

Exam Description
The Implementing Cisco Threat Control Solutions (SITCS) (300-207) exam tests a network security engineer on advanced firewall architecture and configuration with the Cisco next-generation firewall, utilizing access and identity policies. This 90-minute exam consists of 65–75 questions and covers integration of Intrusion Prevention System (IPS) and context-aware firewall components, as well as Web (Cloud) and Email Security solutions. Candidates can prepare for this exam by taking the Implementing Cisco Threat Control Solutions (SITCS) course.

The following topics are general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.

1.0 Content Security 22%

1.1 Cisco ASA 5500-X NGFW Security Services

1.1.a Describe features and functionality
1.1.b Implement web usage control (URL-filtering, reputation based, file filtering)
1.1.c Implement AVC
1.1.d Implement decryption policies
1.1.e Describe traffic redirection and capture methods

1.2 Cisco Cloud Web Security

1.2.a Describe features and functionality
1.2.b Implement IOS and ASA connectors
1.2.c Implement AnyConnect web security module
1.2.d Describe web usage control
1.2.e Implement AVC
1.2.f Implement anti-malware
1.2.g Describe decryption policies

1.3 Cisco WSA

1.3.a Describe features and functionality
1.3.b Implement data security
1.3.c Implement WSA Identity and Authentication, including Transparent User Identification
1.3.d Describe web usage control
1.3.e Implement AVC
1.3.f Implement anti-malware
1.3.g Describe decryption policies
1.3.h Describe traffic redirection and capture methods (Explicit Proxy vs. Transparent Proxy)

1.4 Cisco ESA

1.4.a Describe features and functionality
1.4.b Implement email encryption
1.4.c Implement anti-spam policies
1.4.d Implement virus outbreak filter
1.4.e Implement DLP policies
1.4.f Implement anti-malware
1.4.g Implement inbound and outbound mail policies and authentication
1.4.h Describe traffic redirection and capture methods

2.0 Threat Defense 23%

2.1 Network IPS

2.1.a Implement traffic redirection and capture methods
2.1.b Implement network IPS deployment modes
2.1.c Describe signatures engines
2.1.d Implement event actions & overrides/filters
2.1.e Implement anomaly detection
2.1.f Implement risk ratings
2.1.g Describe IOS IPS

2.2 Configure device hardening per best practices

2.2.a IPS
2.2.b Content Security appliances

3.0 Devices GUIs and Secured CLI 16%

3.1 Content Security

3.1.a Implement HTTPS and SSH access
3.1.b Describe configuration elements
3.1.c Implement ESA GUI for message tracking

4.0 Troubleshooting, Monitoring and Reporting Tools 19%

4.1 Configure IME and IP logging for IPS

4.2 Content Security

4.2.a Describe reporting functionality
4.2.b Implement the WSA Policy Trace tool
4.2.c Implement the ESA Message Tracking tool
4.2.d Implement the ESA Trace tool
4.2.e Use web interface to verify traffic is being redirected to CWS
4.2.f Use CLI on IOS to verify CWS operations
4.2.g Use CLI on ASA to verify CWS operations
4.2.h Use the PRSM Event Viewer to verify ASA NGFW operations
4.2.i Describe the PRSM Dashboards and Reports

4.3 Monitor Cisco Security IntelliShield

4.3.a Describe at a high level the features of the Cisco Security IntelliShield Alert Manager Service

5.0 Threat Defense Architectures 8%

5.1 Design IPS solution

5.1.a Deploy Inline or Promiscuous
5.1.b Deploy as IPS appliance, IPS software or hardware module or IOS IPS
5.1.c Describe methods of IPS appliance load-balancing
5.1.d Describe the need for Traffic Symmetry
5.1.e Inline modes comparison – inline interface pair, inline VLAN pair, and inline VLAN group
5.1.f Management options

6.0 Content Security Architectures 12%

6.1 Design Web Security solution

6.1.a Compare ASA NGFW vs. WSA vs. CWS
6.1.b Compare Physical WSA vs. Virtual WSA
6.1.c List available CWS connectors

6.2 Design Email Security solution

6.2.a Compare Physical ESA vs. Virtual ESA
6.2.b Describe Hybrid mode

6.3 Design Application Security solution

6.3.a Describe the need for application visibility and control

QUESTION 1
During initial configuration, the Cisco ASA can be configured to drop all traffic if the ASA CX SSP fails by using which command in a policy-map?

A. cxsc fail
B. cxsc fail-close
C. cxsc fail-open
D. cxssp fail-close

Answer: B

Explanation:


QUESTION 2
A network engineer may use which three types of certificates when implementing HTTPS decryption services on the ASA CX? (Choose three.)

A. Self Signed Server Certificate
B. Self Signed Root Certificate
C. Microsoft CA Server Certificate
D. Microsoft CA Subordinate Root Certificate
E. LDAP CA Server Certificate
F. LDAP CA Root Certificate
G. Public Certificate Authority Server Certificate
H. Public Certificate Authority Root Certificate

Answer: B,D,F

Explanation:


QUESTION 3
Cisco’s ASA CX includes which two URL categories? (Choose two.)

A. Proxy Avoidance
B. Dropbox
C. Hate Speech
D. Facebook
E. Social Networking
F. Instant Messaging and Video Messaging

Answer: C,E

Explanation:


QUESTION 4
A Cisco Web Security Appliance's policy can provide visibility and control of which two elements? (Choose two.)

A. Voice and Video Applications
B. Websites with a reputation between -100 and -60
C. Secure websites with certificates signed under an unknown CA
D. High bandwidth websites during business hours

Answer: C,D

Explanation:


QUESTION 5
Which Cisco Web Security Appliance design requires minimal change to endpoint devices?

A. Transparent Mode
B. Explicit Forward Mode
C. Promiscuous Mode
D. Inline Mode

Answer: A

Explanation:

Sunday, April 10, 2016

300-206 SENSS Implementing Cisco Edge Network Security Solutions

Exam Number 300-206 SENSS
Associated Certifications CCNP Security
Duration 90 minutes (65 - 75 questions)
Available Languages English, Japanese

Exam Description
The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to configure and implement security on Cisco network perimeter edge devices such as a Cisco switch, Cisco router, and Cisco ASA firewall. This 90-minute exam consists of 65-75 questions and focuses on the technologies used to strengthen the security of a network perimeter, such as Network Address Translation (NAT), ASA policy and application inspection, and a zone-based firewall on Cisco routers. Candidates can prepare for this exam by taking the Cisco Edge Network Security (SENSS) course.

The following topics are general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.

1.0 Threat Defense 25%

1.1 Implement firewall (ASA or IOS depending on which supports the implementation)

1.1.a Implement ACLs
1.1.b Implement static/dynamic NAT/PAT
1.1.c Implement object groups
1.1.d Describe threat detection features
1.1.e Implement botnet traffic filtering
1.1.f Configure application filtering and protocol inspection
1.1.g Describe ASA security contexts

1.2 Implement Layer 2 Security

1.2.a Configure DHCP snooping
1.2.b Describe dynamic ARP inspection
1.2.c Describe storm control
1.2.d Configure port security
1.2.e Describe common Layer 2 threats and attacks and mitigation
1.2.f Describe MACsec
1.2.g Configure IP source verification

1.3 Configure device hardening per best practices

1.3.a Routers
1.3.b Switches
1.3.c Firewalls

2.0 Cisco Security Devices GUIs and Secured CLI Management 25%

2.1 Implement SSHv2, HTTPS, and SNMPv3 access on the network devices

2.2 Implement RBAC on the ASA/IOS using CLI and ASDM

2.3 Describe Cisco Prime Infrastructure

2.3.a Functions and use cases of Cisco Prime
2.3.b Device Management

2.4 Describe Cisco Security Manager (CSM)

2.4.a Functions and use cases of CSM
2.4.b Device Management

2.5 Implement Device Managers

2.5.a Implement ASA firewall features using ASDM

3.0 Management Services on Cisco Devices 12%

3.1 Configure NetFlow exporter on Cisco Routers, Switches, and ASA

3.2 Implement SNMPv3

3.2.a Create views, groups, users, authentication, and encryption

3.3 Implement logging on Cisco Routers, Switches, and ASA using Cisco best practices

3.4 Implement NTP with authentication on Cisco Routers, Switches, and ASA

3.5 Describe CDP, DNS, SCP, SFTP, and DHCP

3.5.a Describe security implications of using CDP on routers and switches
3.5.b Need for DNSSEC

4.0 Troubleshooting, Monitoring and Reporting Tools 10%

4.1 Monitor firewall using analysis of packet tracer, packet capture, and syslog

4.1.a Analyze packet tracer on the firewall using CLI/ASDM
4.1.b Configure and analyze packet capture using CLI/ASDM
4.1.c Analyze syslog events generated from ASA

5.0 Threat Defense Architectures 16%

5.1 Design a Firewall Solution

5.1.a High-availability
5.1.b Basic concepts of security zoning
5.1.c Transparent & Routed Modes
5.1.d Security Contexts

5.2 Layer 2 Security Solutions

5.2.a Implement defenses against MAC, ARP, VLAN hopping, STP, and DHCP rogue attacks
5.2.b Describe best practices for implementation
5.2.c Describe how PVLANs can be used to segregate network traffic at Layer 2

6.0 Security Components and Considerations 12%

6.1 Describe security operations management architectures

6.1.a Single device manager vs. multi-device manager

6.2 Describe Data Center security components and considerations

6.2.a Virtualization and Cloud security

6.3 Describe Collaboration security components and considerations

6.3.a Basic ASA UC Inspection features

6.4 Describe common IPv6 security considerations

6.4.a Unified IPv6/IPv4 ACL on the ASA

QUESTION 1
All 30 users on a single floor of a building are complaining about network slowness. After investigating the access switch, the network administrator notices that the MAC address table is full (10,000 entries) and all traffic is being flooded out of every port. Which action can the administrator take to prevent this from occurring?

A. Configure port-security to limit the number of mac-addresses allowed on each port
B. Upgrade the switch to one that can handle 20,000 entries
C. Configure private-vlans to prevent hosts from communicating with one another
D. Enable storm-control to limit the traffic rate
E. Configure a VACL to block all IP traffic except traffic to and from that subnet

Answer: A

Explanation:


QUESTION 2
A network printer has a DHCP server service that cannot be disabled. How can a layer 2 switch be configured to prevent the printer from causing network issues?

A. Remove the ip helper-address
B. Configure a Port-ACL to block outbound TCP port 68
C. Configure DHCP snooping
D. Configure port-security

Answer: C

Explanation:


QUESTION 3
A switch is being configured at a new location that uses statically assigned IP addresses. Which will ensure that ARP inspection works as expected?

A. Configure the 'no-dhcp' keyword at the end of the ip arp inspection command
B. Enable static arp inspection using the command 'ip arp inspection static vlan vlan-number'
C. Configure an arp access-list and apply it to the ip arp inspection command
D. Enable port security

Answer: C

Explanation:


QUESTION 4
Which of the following would need to be created to configure an application-layer inspection of SMTP traffic operating on port 2525?

A. A class-map that matches port 2525 and applying an inspect ESMTP policy-map for that class in the global inspection policy
B. A policy-map that matches port 2525 and applying an inspect ESMTP class-map for that policy
C. An access-list that matches on TCP port 2525 traffic and applying it on an interface with the inspect option
D. A class-map that matches port 2525 and applying it on an access-list using the inspect option

Answer: A

Explanation:


QUESTION 5
Which command is used to nest objects in a pre-existing group?

A. object-group
B. network group-object
C. object-group network
D. group-object

Answer: D

Explanation: