Announcement

Collapse
No announcement yet.

70-290, Confusing practice question answer

Collapse
This topic is closed.
X
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • 70-290, Confusing practice question answer

    Exhibit
    Share permissions
    TestKingHR: Change

    NTFS Permissions
    Administrators: Full Control
    HR: Full Control

    You are the network administrator for Contoso. The network consists of a single Active Directory domain named Contoso.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

    Users in the human resources department are members of a domain user group named HR. You create and share a folder named HRFiles on a member server named Server1. You configure permissions on the HRFiles as shown in the exhibit.

    Veronika, a user in the human resources department, creates a file in HRFiles. At Veronika’s request, you assign the Deny – Delete special permission on her file to the HR Group.

    The next day, Veronika reports that her file is deleted.

    You need to reconfigure the permissions on HRFiles. You must fulfill the following requirements:
    • Members of the HR group must be able to read, create, and modify files.
    • Members of the HR group must not be able to delete files on which they have no access permission.
    • Members of the HR group must not be able to delete files that they do not have permission to delete.

    What should you do?

    A. In the share permissions, assign the Deny – Change permission to the HR group.
    B. In the NTFS permissions, assign the Allow – Read permission to the HR group.
    C. In the share permissions, assign the Allow – Read permission to the HR group.
    D. In the NTFS permissions, assign the Allow – Modify permission to the HR group.
    They say the answer is D. I wouldn't say it's right, but it's the least wrong.

    Can someone enlighten me?
    By assigning Allow - Modify, are they must mean remove Full Control, as Modify is included in Full Control, yes?
    Even if they did lower permissions to Modify, Modify still allows you to delete.
    If the file is explicitly marked deny delete, why is it deletable? Aren't explicitly denied permissions checked first?

    Or is it because they had Full Control, so they could take control of the file/reassign permissions and then delete it? Lowering it to Modify removes their ability to circumvent the Deny rule, right? ...but that can't be right because I've never met anyone in HR that smart.

  • #2
    Re: 70-290, Confusing practice question answer

    Originally posted by Kayden View Post
    but that can't be right because I've never met anyone in HR that smart.
    I don't think that would be particularly relevant...
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

    Comment


    • #3
      Re: 70-290, Confusing practice question answer

      Originally posted by gforceindustries View Post
      I don't think that would be particularly relevant...
      Jokes aren't allowed?

      Comment


      • #4
        Re: 70-290, Confusing practice question answer

        The wonderful thing about written messages is that it's not always clear if something is a joke
        Gareth Howells

        BSc (Hons), MBCS, MCP, MCDST, ICCE

        Any advice is given in good faith and without warranty.

        Please give reputation points if somebody has helped you.

        "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

        "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

        Comment


        • #5
          Re: 70-290, Confusing practice question answer

          Originally posted by gforceindustries View Post
          The wonderful thing about written messages is that it's not always clear if something is a joke


          Seeing as there wasn't any further correction, I take my assessment as correct?

          Comment


          • #6
            Re: 70-290, Confusing practice question answer

            I would agree that D is the least wrong, and would have to assume that it's the "correct" answer. All I can say is it's not how I would do it *. But then I'm not trying to gain a cert

            * As in, it's not the only step I would take.
            Gareth Howells

            BSc (Hons), MBCS, MCP, MCDST, ICCE

            Any advice is given in good faith and without warranty.

            Please give reputation points if somebody has helped you.

            "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

            "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

            Comment


            • #7
              Re: 70-290, Confusing practice question answer

              Long time that I did something with file permissions

              But they way as I see it:

              D is the correct answer.
              Why, well you have 3 criteria to fulfill... so let's brake them down... (that's the way I take my exams...)

              Criteria 1:
              • Members of the HR group must be able to read, create, and modify files.
              With Modify permissions they can almost do anything they need except changing permissions and taking ownerships.
              So they are able to read, create, and modify files.

              second criteria:
              • Members of the HR group must not be able to delete files on which they have no access permission.
              Correct, They are not able to change the permissions

              third criteria:
              • Members of the HR group must not be able to delete files that they do not have permission to delete.

              They are able to read create and modify it.
              However the special deny permission to delete it takes precedence over the modify permissions and since they can't change the permissions this is correct either.

              So D is correct... although I wouldn't do it this way in production environments... It would give you a lot of headache to set every time the deny permission on a single file.
              Last edited by Dumber; 5th August 2009, 19:42.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"

              Comment


              • #8
                Re: 70-290, Confusing practice question answer

                But these tests are full of "right" wrong answers.
                Studying for another test, one of the questions was "You just finished installing the OS, what is the first thing you should do?"
                A) Perform backup
                B) Install apps
                C) Run Windows Update
                D) Register Windows

                Of course, you could make reasonable arguments for all four, but the "correct" answer was D, which totally ignores things like bios locked installs that you don't need to activate. Let's also ignore the gaping security holes or the fact that most people want a firewall or antivirus in place before even plugging anything in the NIC.

                The most important part of any Windows install is phoning home.

                Thanks for the in depth answer. How would you do it? Create a folder with the deny-delete that propagates and tell them to stick the files they want to keep there?


                Originally posted by Dumber View Post
                D is the correct answer.
                Why:
                Criteria 1:
                • Members of the HR group must be able to read, create, and modify files.
                They can almost do anything they need except changing permissions and taking ownerships.
                So they are able to read, create, and modify files.

                second criteria:
                • Members of the HR group must not be able to delete files on which they have no access permission.
                Correct, They are not able to change the permissions

                third criteria:
                • Members of the HR group must not be able to delete files that they do not have permission to delete.

                They are able to read create and modify it.
                However the special deny permission to delete it takes precedence over the modify permissions and since they can't change the permissions this is correct either.

                So D is correct... although I wouldn't do it this way in production environments... It would give you a lot of headache to set every time the deny permission on a single file.

                Comment


                • #9
                  Re: 70-290, Confusing practice question answer

                  Originally posted by Kayden View Post
                  D) Register Windows
                  Not once have I ever done that and none of my computers have caught fire yet

                  Of those 4, I would have said C. But since I tend to install Windows from customised media, there's usually not many updates that need installing anyway.

                  Also, if they want you to register the OS, why are they looking for you to do it after installing Windows rather than during the installation?
                  Gareth Howells

                  BSc (Hons), MBCS, MCP, MCDST, ICCE

                  Any advice is given in good faith and without warranty.

                  Please give reputation points if somebody has helped you.

                  "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                  "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

                  Comment


                  • #10
                    Re: 70-290, Confusing practice question answer

                    Let the users put it on there homeshare

                    But I can brake it more down if you want

                    A. In the share permissions, assign the Deny – Change permission to the HR group.
                    Well goodbye then. Users can't access the share anymore

                    B. In the NTFS permissions, assign the Allow – Read permission to the HR group.
                    Yes they can read but how are they able to create or modify files?
                    C. In the share permissions, assign the Allow – Read permission to the HR group.
                    Yes they can read but how are they able to create or modify files?

                    But to make it more easy for yourself, why won't you test it in a lab or something.. you don't need much with Vmware or virtual PC. Simply one DC and one client would be sufficient..
                    Marcel
                    Technical Consultant
                    Netherlands
                    http://www.phetios.com
                    http://blog.nessus.nl

                    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                    "No matter how secure, there is always the human factor."

                    "Enjoy life today, tomorrow may never come."
                    "If you're going through hell, keep going. ~Winston Churchill"

                    Comment


                    • #11
                      Re: 70-290, Confusing practice question answer

                      Oh no, I fully understand why the other options wouldn't work. I was just confused at first as to why they could delete even with deny on, but then I remembered full control, duh, they can remove the restriction. So, I was just asking if I was right.

                      As for putting everything in their homeshare, that doesn't really facilitate ease of management either, does it? If they all need to access the same files in the same directories and have some people read some and others delete others... Well, really, it sounds like there should be two groups, those who can read, and those who can modify... But I think that's reading a bit too much into it.
                      Originally posted by Dumber View Post
                      Let the users put it on there homeshare

                      But I can brake it more down if you want

                      A. In the share permissions, assign the Deny Change permission to the HR group.
                      Well goodbye then. Users can't access the share anymore

                      B. In the NTFS permissions, assign the Allow Read permission to the HR group.
                      Yes they can read but how are they able to create or modify files?
                      C. In the share permissions, assign the Allow Read permission to the HR group.
                      Yes they can read but how are they able to create or modify files?

                      But to make it more easy for yourself, why won't you test it in a lab or something.. you don't need much with Vmware or virtual PC. Simply one DC and one client would be sufficient..

                      Comment


                      • #12
                        Re: 70-290, Confusing practice question answer

                        I'm locking this thread because it is clear from the original post (line 3 of the quote -- didnt anybody spot it?) that the question is from a braindump site that has real exam questions, so breaching the Microsoft EULA

                        It is possible that the thread may be deleted after moderator discussion
                        Tom Jones
                        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                        PhD, MSc, FIAP, MIITT
                        IT Trainer / Consultant
                        Ossian Ltd
                        Scotland

                        ** Remember to give credit where credit is due and leave reputation points where appropriate **

                        Comment

                        Working...
                        X