A.Use a password generator application to create a preshared key， and distribute it to all mobile users
B.Use computer autoenrollment to create digital certificates that can be used to authenticate to a VPN server
C.Acquire a digital certificate that can be used for SSL from a commercial CA for each computer that established a VPN connection
D.Configure IPSec policies on all Routing and Remote Access servers to require the use of digital certificates

A.Designate a data recovery agent and issue an EFS certificate to the data recovery agent. Export the private key and restrict access to the exported key
B.Make the data recovery agent a local administrator on all client computers
C.Remove the default data recovery agent from the Default Domain Policy GPO. Then， include the new data recovery agent instead
D.Delete the Default Domain Policy GPO. Configure a new GPO linked to the domain that does not specify a data recovery agent

A.Configure a remote access policy on the Routing and Remote Access server to require MS-CHAP v2 for all connections
B.Use a Group Policy object （GPO） to configure a Restricted Groups policy that applies to the Routing and Remote Access server. Use this Restricted Groups policy to remove all accounts form the local Users group， and then add authorized computer accounts
C.Configure the Routing and Remote Access server to use only PPTP connections
D.Configure the Routing and Remote Access server to use only IPSec over L2TP connections.Configure IPSec to use certificates

A.Configure the terminal server so that users log on by using local user accounts
B.Configure the terminal server so that users log on by using domain accounts
C.Configure the server to run SalesForceMax in a dedicated window when a user logs on to the terminal server
D.Configure the server to allow each user to have a Windows desktop when the user logs on to the terminal server
E.Use software restriction polices in Group Policy objects （GPOs） that apply to the terminal server
F.Use Appsec.exe to restrict applications on the terminal server

A.Require a PPTP VPN for all connections to the Web server
B.Require that traffic between Web browsers and the Web server uses an L2TP/IPSec tunnel
C.Require that traffic between Web browsers and the Web server uses SSL
D.Require certificate mappings between the Web server and Active Directory

A.On each client computer in the call center， configure a local policy that lists only authorized programs in the Allowed Windows Programs list
B.Using NTFS permissions， assign the Deny – Read permission for all unauthorized executable files to the client computer domain accounts
C.Design a Group Policy object （GPO） that enforces a software restriction policy on all client computers in the call center
D.Design a Group Policy object （GPO） that implements an IPSec policy on all client computers in the call center. Ensure that the IPSec policy rejects connections to any Web servers that the company does not operate

A.Disable all unnecessary services on each DHCP server
B.Modify the discretionary access control lists （DACLs） in Active Directory so that only members of the Enterprise Admins security group can authorize additional DHCP servers
C.Use an IPSec policy that allows only the packets necessary for DHCP and domain membership for each DHCP server
D.Install a digital certificate for SSL on each DHCP server

A.Configure and publish a certificate template that is suitable for S/MIME, Deploy a Group Policy object （GPO） so that a certificate that is based on this template is automatically issued to all domain users
B.Specify Group Policy objects （GPOs） and IPSec policies that require all client computers to use Kerberos authentication to connect to mail servers
C.For each mail server， acquire an SSL server certificate from a commercial CA whose root certificate is already trusted
D.Require IPSec encryption on all TCP connections that are used to send or receive e-mail messages

A.Deploy a Windows Server 2003 computer running SUS in the test network. Deploy SUS servers in each child domain to download administrator-approved updates from the test network SUS server
B.Deploy a Windows Server 2003 computer running SUS in the test network Use autoupdate policies in each child domain to download and deploy updates from the test network SUS server
C.Install MBSA on a Windows Server 2003 computer in the network network. Deploy MBSA as a Windows Installer package to all computers in the child domains， and configure MBSA to scan for updates from the server in the test network
D.Install IIS on a Windows Server 2003 computer in the test network. Create a Web site named Updates on this server. Configure an autoupdate policy in each child domain to download and deploy updates from the Updates Web site

A.Deploy an offline enterprise root CA in the corp.woodgrovebank.com domain. Deploy subordinate enterprise root CAs in each child domain. Install Internet Authentication Service （IAS） on one member server in the la.corp.woodgrovebank.com domain and one member server in the den.corp.woodgrovebank.com domain
B.Deploy an enterprise root CA in each domain. Install Internet Authentication Service （IAS） on a member server in the corp.woodgrovebank.com domain. Install the Routing and Remote Access service on a member server in each child domain， and configure these servers as RADIUS clients
C.Enroll and deploy user certificates to all administrators in each domain. Enroll and deploy computer certificates to all portable computers that have wireless network adapters. Configure each portable computer to use Protected EAP （PEAP） for authentication
D.Enroll and deploy computer certificates to all portable computers that have wireless network adapters. Configure each portable computer to use EAP-MS-CHAP v2 for authentication. Configure each portable computer to connect to the Internet Authentication Service （IAS） server

A.Implement an enterprise root CA in the corp.woodgrovebank.com domain.Implement subordinate CAs in each child domain. Take the root CA offline
B.Implement an enterprise root CA in the corp.woodgrovebank.com domain
C.Implement an enterprise root CA in each of the child domains. Take the enterprise CA in each domain offline
D.Implement an enterprise root CA in the corp.woodgrovebank.com domain. Implement a stand-alone root CA in each of the child domains