You are the desktop administrator for Contoso, Ltd. The company’s network contains 1,000 Windows XP Professional computers, which are members of a single Active Directory domain. The computers’ hard disks are formatted as NTFS. The company’s software developers release a new custom application. The application uses a .dll file named AppLib.dll, which is installed in a folder named Program FilesContosoOpsApp. The company’s help desk technicians report that several users experience problems when they use the application because the AppLib.dll file was deleted on their client computers. The company’s software developers recommend
that you modify the file permissions on AppLib.dll so that users have only Read permission on the file. You need to ensure that all users have only Read permission on the AppLib.dll file on all 1,000 Windows XP Professional computers. What should you do?
A.
Write a logon script that moves the AppLib.dll file into the %systemroot%System32 folder. Ensure that Windows File Protection is enabled on all 1,000 Windows XP Professional computers. Apply the logon script to all domain user accounts.
B.
Use the Security Configuration and Analysis console to create a new security template that modifies the file permissions on AppLib.dll. Use the Active Directory Group Policy to import and apply the template to all 1,000 Windows XP Professional computers.
C.
Repackage the customer application in a Windows Installer package. Ask a domain administrator to create a Group Policy object (GPO) that advertises the package to all domain user accounts.
D.
Write a Microsoft Visual Basic Scripting Edition (VBScript) file named Modify.vbs that modifies the file permissions on AppLib.dll. E mail Modify.vbs to all company employees and instruct them to double click the file in order to run it.
Explanation:
File system security, in particular the permission on a specific file, can be configured by a security template. The Security Configuration and Analysis tool can be used to create such a template. This template can then be applied with a
Group Policy Object.
Incorrect Answers:
A: Windows File Protection protects files which are included in the Windows operating system. It will not protect application files.
C: Repacking and redeploying the application will not change the permission to the specific file. The AppLib.dll file could still be removed by the users.
D: It is not a good practice to require the users to do administrative tasks. We cannot rely on the users to do this. Furthermore, the script would most likely not achieve the desired effect, since the users might not have permission to change the file permission on the file.
Microsoft Techinfo, Step-by-Step Guide to Using the Security Configuration Tool Set