HOTSPOT
Your network contains an Active Directory domain. The domain contains a server named Server28.
The computer account of Server28 is located in an organizational unit (OU) named OU1. A Group Policy object
(GPO) named Application Restriction Policy is linked to OU1.
The settings of the GPO are configured as shown in the GPO Settings exhibit. (Refer to the Exhibit.)
The Services console on Server28 is shown in the Services exhibit. (Refer to the Exhibit.)
Select Yes if the statement can be shown to be true based on the available information; otherwise select No.
Each correct selection is worth one point.
http://technet.microsoft.com/en-us/library/ee460944.aspx
I think they all should be YES
Hi @Rafik. Why do you think they all should be YES?
Hey @Msutu, because of the path of the deny policy. It specifies only one location, “C:\APP1\”, and it only applies to the application named “App1.exe”.
%OSDRIVE% is the same variable as %SYSTEMROOT%, but the policy doesn’t apply to this because, as I mentioned before, it only applies to the specified application “C:\APP1\APP1.exe”.
Do you agree?
Path Rule Precedence. When there are multiple matching path rules, the most specific matching rule takes precedence.
The following is a set of paths, from highest precedence (more specific match) to lowest precedence (more general match).
Drive:\Folder1\Folder2\FileName.Extension
Drive:\Folder1\Folder2\*.Extension
*.Extension
Drive:\Folder1\Folder2\
Drive:\Folder1\
http://technet.microsoft.com/en-us/library/bb457006.aspx#EFAA
Hi Rafik, a small correction here: %OSDRIVE% is the same as %SystemDrive% “(c:\)”, not %SYSTEMROOT%, which is “C:\windows”, but the idea is the same. In my opinion they should all be YES. The DENY path rule will prevent the application located at C:\App1\App1.exe from running, and not the one located at C:\Program Files\App1.exe (%ProgramFiles%).
I think all should be YES
The correct answer is YYY. Because if you copy the executable APP1.EXE to c:\Programfiles and run %programfiles%\app1.exe the application will run successfully.
Correct answers are YYY.
Thanks guys! 🙂
When the path option is utilized with an Allow policy, the executable in the selected path will be allowed to run, but executable files in other directory paths, even with the same executable name, will be denied. An example of how Allow behaves is as follows: You configure an Allow rule for an application named BearToast. The application’s executable file, BTst.exe, is located in the C:\Program Files\BToast directory. Configuring this rule only allows applications with that designation executable name within that specific directory to run. Any applications of the same flavor in other directories will be denied.
In this scenario, any application anywhere on the system drive (OS Drive) carrying the App1.exe name won’t launch. So correct answers are NYY
A hash is a series of bytes with a fixed length that uniquely identifies a software program or file. The hash is computed by a hash algorithm[…] The hash of a software program is always the same, regardless of where the program is located on the computer.
So: No, Yes, Yes
The answer would be “No,Yes,Yes” if we had a hash rule condition, but we don’t.
We have a path rule condition instead (set under Rule type).
SRP works like this:
“Each rule contains (…) a rule condition. There are three possible rule conditions. These are:
Publisher conditions that allow or deny the running of files that have been signed by a particular software publisher.
Path conditions that allow or deny the running of files stored in a particular file path.
Hash conditions that allow or deny the running of files whose encrypted hashes match the one specified in the rule.”
My final answer is YES, YES, YES
(http://www.windowsecurity.com/articles-tutorials/Windows_Server_2012_Security/managing-applocker-windows-server-2012-and-windows-8-81-part2.html)
NO
YES
YES
Since when is %OSDRIVE% the same as %programfiles%?
The deny policy is on %OSDRIVE%
No Yes Yes
%OSDRIVE% is the same as %SystemDrive% or C:\ in that case. (please see the link below or try it by yourself)
Based on that, correct answer is: No/Yes/Yes
https://technet.microsoft.com/en-us/library/ee460944(v=ws.10).aspx
I think the answer is Y/Y/Y
“You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.”
Understanding Applocker
https://technet.microsoft.com/en-us/library/ee460942.aspx
Regards.
Answer is Y-Y-Y.
Lots of wrong answers found on the dumps. I had to test GPO to be sure.
%OSDRIVE% used by AppLocker refers to %SystemDrive% (https://technet.microsoft.com/en-us/library/ee460944(v=ws.10))
Since you deny access to C:\App1\App1.exe, if the application is located in C:\ProgramFiles\App1\App1.exe it will run just fine.
All rules are of type Path.
There is no rule to deny group1 from executing apps in the program files folder.
So the answers must be YYY.
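The thread keeps arguing from memory about what the deny path rule does; the check that settles it is to let the AppLocker engine evaluate the paths itself. The following is an added example, not code from the original thread or from Microsoft: it builds a throw-away policy XML that mirrors the GPO as the thread describes it (the three default Exe allow rules plus a Deny path rule on %OSDRIVE%\App1\App1.exe for a group), then runs Test-AppLockerPolicy against it for three candidate paths. The group name CONTOSO\Group1, the rule names and the temp file path are assumptions; the exhibit is not reproduced on this page, so adjust the deny rule to match the real one. Nothing is applied to the computer.

```powershell
# Added example: evaluate the discussed AppLocker path rules offline with Test-AppLockerPolicy.
# Assumptions (not on the original page): the deny rule targets CONTOSO\Group1 and the path
# %OSDRIVE%\App1\App1.exe; the default Exe allow rules are present. Run on a Windows host that
# has the AppLocker module (Windows Server 2012+/Windows 8+). The policy is never applied.

# AppLocker XML stores principals as SIDs, so resolve the assumed group name first.
$groupName = 'CONTOSO\Group1'
$groupSid  = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value

# Rule IDs are arbitrary GUIDs; generate fresh ones so nothing collides with a real policy.
$idProgramFiles = [guid]::NewGuid()
$idWindows      = [guid]::NewGuid()
$idAdmins       = [guid]::NewGuid()
$idDenyApp1     = [guid]::NewGuid()

# Constructed policy: default allow rules (Everyone = S-1-1-0, Administrators = S-1-5-32-544)
# plus the single Deny path rule from the question. Deny always wins over Allow.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$idProgramFiles" Name="(Default) All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$idWindows" Name="(Default) All files in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$idAdmins" Name="(Default) All files for administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$idDenyApp1" Name="Deny App1.exe under OSDRIVE\App1" Description="" UserOrGroupSid="$groupSid" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\App1\App1.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'app1-restriction-test.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# The three locations the thread argues about:
#   1. exactly the path the deny rule names      -> expect Denied (matching rule: the Deny rule)
#   2. same file name under Program Files        -> expect Allowed (default Program Files rule)
#   3. same file name elsewhere on the OS drive  -> expect DeniedByDefaultRule: no Allow rule
#      covers it, so it is blocked by AppLocker's implicit deny, not by the Deny rule.
$paths = @(
    "$env:SystemDrive\App1\App1.exe",
    "$env:ProgramFiles\App1\App1.exe",
    "$env:SystemDrive\Temp\App1.exe"
)

# -User accepts a user or group name; the decision is computed for that principal only.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $paths -User $groupName |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Remove-Item $policyPath -ErrorAction SilentlyContinue
```

The MatchingRule column is the useful part: it distinguishes a file that the Deny rule actually blocks from one that merely has no Allow rule covering it, which is the distinction the NYY and YYY camps above are talking past each other on. To verify the live GPO rather than a constructed copy, replace the here-string with `Get-AppLockerPolicy -Effective -Xml` on Server28 and keep the rest unchanged.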
This %systemdrive% is so weird, try this:
C:\>cd %systemdrive%
C:\
C:\>cd %systemroot%
C:\Windows>cd %systemdrive%
C:\Windows
C:\Windows>cd..
C:\>cd users
C:\Users>cd %systemdrive%
C:\Users