Chapter 7: Securing VPN and Extranet Communications


1.  

Your network consists of Windows Server 2003 domain controllers (DCs), Windows Server 2003 DNS servers, and Windows XP clients. You have recently added a firewall to the network to provide security for the network from attack from the Internet. You have placed your Web, e-mail, and DNS servers outside the firewall. Your company has established a written policy that allows only SMTP, HTTP, and DNS traffic to pass through the firewall. Which ports do you need to permit? (Choose all that apply.)

  1. TCP/UDP 21

  2. TCP/UDP 23

  3. TCP/UDP 25

  4. TCP/UDP 53

  5. TCP/UDP 80

  6. TCP/UDP 110

  7. TCP/UDP 443


2.  

You are designing a network implementation for your company and you want to have an Internet presence for your Web and e-mail servers. The Web server is called WebSvr1, and the e-mail server is named MailSvr1. Due to a recent bout of attacks, you need to implement a solution that will provide security and protection for your network. You are concerned about providing security for the Web and e-mail servers, yet you need to provide anonymous access to the Web server for the general public. You are worried that these anonymous users might use their access to investigate and attack the rest of your network as well. How do you design your network? (Select the best answer.)

  1. Install Windows 2003 Server to act as the host computer for the Web and e-mail servers. Implement access control authentication for the users accessing the Web server. Add the IUSR_WebSvr1 user account to the directories that contain the Web files. Grant the IUSR_WebSvr1 user account read-only access. Grant access permissions to the network users as necessary.

  2. Implement a firewall solution to protect the network. Place the Web and e-mail servers outside of the firewall. Configure the firewall to block user access from the Internet.

  3. Implement a firewall solution to protect the network. Place two firewalls between the Internet and the internal network. Place the Web and e-mail servers outside the firewalls. Configure the firewalls to block user access from the Internet. Add the IUSR_WebSvr1 user account to the directories that contain the Web files. Grant the IUSR_WebSvr1 user account read-only access. Grant access permissions to the network users as necessary. Configure both firewalls to allow internal users to have access to the Internet.

  4. Implement a firewall solution. Configure two firewalls. Place the Web and e-mail servers between the two firewalls. Configure the first firewall to allow access to the Web and e-mail servers by anonymous users using the IUSR_WebSvr1 user account. Configure the second firewall to allow internal users to have access to the Internet. Configure the second firewall not to allow any external users to pass through the firewall.

  5. Implement a firewall solution to protect the network. Place two firewalls between the Internet and the internal network. Place the Web and e-mail servers inside the firewalls. Configure the firewalls to block all user access from the Internet. Add the IUSR_WebSvr1 user account to the directories that contain the Web files. Grant the IUSR_WebSvr1 user account read-only access. Grant access permissions to the network users as necessary. Configure both firewalls to allow internal users to have access to the Internet.


3.  

You have a network that consists of four subnets. The network IDs for the subnets are 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and 10.0.4.0/24. Each subnet has two Windows Server 2003 servers and 75 Windows XP clients. You are planning to add a VPN server to the network to provide connectivity for remote users. You need to summarize the internal network IDs on the VPN server. What is the minimum information needed to accomplish the desired result?

  1. An entry for each subnet is required in the static route table of the VPN server.

  2. An entry for each subnet is required in the static route table of the remote clients.

  3. A route summarization entry, 10.0.0.0/16, can be added to the VPN server.

  4. A route summarization entry, 10.0.0.0/16, can be added to the remote clients.


4.  

You are configuring routing on an RRAS server. The RRAS server's intranet interfaces are connected to the intranet with a manual TCP/IP configuration that consists of the IP address, subnet mask, default gateway, and intranet DNS servers. You are now experiencing difficulties when users attempt to connect to the Internet. What must you do to resolve these conflicts?

  1. Configure the intranet interface to use the Internet DNS servers.

  2. Configure the intranet interface with a public IP address.

  3. Assign the IP address for the intranet interface to use DHCP.

  4. Delete the default gateway configuration on the intranet interface.


5.  

You are designing a VPN that will allow the company's sales force to travel to multiple cities around the United States. You are using an Internet service provider (ISP) that provides service across the United States and has local numbers in all major cities and many smaller cities as well. The ISP is constantly adding new telephone numbers as it expands its service area. The sales manager is concerned that his sales force will not know what the local access number will be in the cities where they will be traveling. He asks if there is a solution that will help the sales force to make the VPN connection so that they can pass confidential client information and sales orders back to corporate headquarters. What is the best solution to address this problem?

  1. There is nothing that can be done to help the sales force.

  2. You can configure an Access database that contains all of the telephone numbers for the ISP.

  3. You can configure a contact list in Exchange that lists the telephone numbers in all the cities that are supported by the ISP.

  4. Create a custom phone book using Connection Point Services.


6.  

You have designed a Windows Server 2003 VPN solution for your corporation. The solution has a Windows Server 2003 VPN server at headquarters. The VPN server has been placed behind the internal firewall protecting your network. You have created a DNS record on your Internet server in the DMZ so that you can perform name resolution to the VPN server. You have tested connectivity to the VPN server from all of the client computers using the PING utility. The clients at the branch offices are running Windows 98 and Windows XP. The Windows 98 clients are configured to use PPTP to establish the VPN connections. The Windows XP clients are configured to use L2TP with IPSec. The Windows 98 clients are using MS-CHAP v2 to authenticate themselves as users. The Windows XP clients are using user-level certificate authentication with EAP-TLS. The Windows XP clients are not experiencing any difficulties in connecting, but the Windows 98 clients are not able to connect to the VPN server. What should you check to resolve the connectivity issue for the Windows 98 clients?

  1. Upgrade all of the Windows 98 computers to Windows 2000 or Windows XP.

  2. Configure the firewall to allow PPTP traffic to pass.

  3. Move the VPN server to outside the external firewall.

  4. Change the default authentication protocol to use certificates.


7.  

You have just replaced many of your company's dial-in connections with VPN connections to reduce the costs of maintaining dial-in services. You have recently configured VPN access on a laptop for a user. You have specified the host name for the VPN server in the Host Name or IP Address box. Now the user is complaining that he is receiving the error message "Destination Host Unknown." What is the most likely cause for this error message?

  1. The DNS server has not been properly configured for the new VPN server.

  2. The laptop has not been authorized to connect to the VPN server.

  3. The VPN client has not been configured with the username with permission to access the VPN server.

  4. The Remote access policy has not been configured to allow access to the user.


8.  

You have just installed Routing and Remote Access on a Windows Server 2003 server to function as a VPN server. Several remote users need to transmit confidential data to the company using the VPN server. The remote users are not members of your company's domain. The remote users are running Windows XP on the client computers, and they all have access to a local ISP to provide Internet connectivity. Data transmission security is critical to the company and to the remote users. All of the clients will be using L2TP to create the connection to the VPN server. Which secure authentication method should you use for these connections?

  1. Configure L2TP to use MPPE 128-bit encryption.

  2. Create a custom IPSec policy and select certificate-based authentication. Apply the policy to the appropriate OU.

  3. Configure L2TP to use MS-CHAP v2.

  4. Use the certificate-based authentication method of the Routing and Remote Access custom IPSec policy for the L2TP connection.


Answers

1.  

✓ C, D, E. SMTP corresponds to TCP/UDP port 25, DNS is TCP/UDP port 53, and HTTP is TCP/UDP port 80. These are the ports that need to be open based on the scenario.

x Answers A, B, F, and G are incorrect. TCP/UDP port 21 is FTP, TCP/UDP port 23 is Telnet, TCP/UDP port 110 is POP3, and TCP/UDP port 443 is HTTPS.

2.  

✓ D. This solution creates a DMZ to protect your network. Anonymous users will have access to the Web and e-mail servers. Internal users will have access to the Internet. The firewalls will block unnecessary traffic that could be used to allow hackers to gain access to the network.

x Answer A is incorrect because anonymous users will still be able to attempt to exploit the network through any open ports. There is nothing in place to isolate the network from the Internet. Answers B and C are incorrect because the Web and e-mail servers are vulnerable to attack from the Internet. Answer E is incorrect because this will block anonymous users from the Web server.

3.  

✓ C. You can add a route summarization entry for the internal subnets on the VPN server. This will be the easiest solution.

x Although you could add an individual entry for each subnet, it would be easier to provide a route summarization for this task, so Answer A is incorrect. You do not need to provide any routing information on the remote clients, so Answers B and D are incorrect.

4.  

✓ D. To prevent default route conflicts with the default route pointing to the Internet, you must not configure the default gateway on the intranet interface.

x By setting the intranet interface to use the DNS servers on the Internet, you will not be able to perform internal network name resolution. This makes Answer A incorrect. Answer B is incorrect because it will prevent any of the clients from being able to connect to the router providing Internet access. It is preferable to statically assign IP addresses on an interface that will be used for routing. In addition, DHCP typically will assign default gateway information to all of the DHCP clients so that the DHCP clients can connect to the Internet. This will cause default gateway conflicts. This makes Answer C incorrect.

5.  

✓ D. Connection Point Services allows you to automatically update and distribute phone books that contain multiple Points of Presence for the ISP. The phone book will give the sales force complete information so that when they travel they can connect to the different local access numbers provided by the ISP.

x Answer A is incorrect because you can create a phone book using Connection Point Services. Answers B and C are incorrect because the Access database and Exchange will not automatically distribute their information to the sales force. The ability of Connection Point Services to automatically distribute the phone book to the desired users makes it the best solution.

6.  

✓ B. The most probable reason why the Windows 98 clients are not able to connect to the VPN server is that the firewall is configured to allow L2TP traffic and to block the PPTP traffic. By allowing the PPTP traffic to pass, you should resolve this issue.

x Answer A is incorrect because upgrading the Windows 98 clients to Windows 2000 or Windows XP will not solve the problem that the PPTP clients are being blocked at the firewall. Answer C would allow all of the clients to connect to the VPN server; however, you would also increase the security risk to the VPN server so this is not an optimal solution. Answer D is incorrect because the issue at hand is that PPTP is being blocked at the firewall. The Windows 98 users will be able to authenticate themselves using MS-CHAP v2. Although more secure, certificate authentication is not required in this situation.

7.  

✓ A. The DNS server must be configured with an appropriate entry for the VPN server. Without the DNS entry the VPN server will be unreachable.

x Answer B is incorrect because the error message would be "Access Denied" if the remote computer was not authorized to connect to the VPN server. Answer C is incorrect because if it had been an authentication problem, the message would tell you that the authentication was incorrect. Answer D is incorrect because if it had been a remote access policy issue, "Access Denied" would have been the message.

8.  

✓ D. Routing and Remote Access allows you to create custom IPSec policies for the VPN connections. This policy will be applied to all connections made to the VPN server. Since the users are not members of your company's domain, a policy applied through a GPO will not affect them. A policy applied to the connection itself will enforce that the desired authentication method is used.

x Answer A is incorrect because MPPE is used with PPTP connections. In addition, the question asks about the authentication method, not the data encryption scheme. Answer B is incorrect since the remote users are not members of the domain, and any policy applied to an OU will not have the desired effect. You will need to create a policy that is applied whenever a connection is established. Answer C is incorrect because certificate-based authentication is the highest form of security available under Server 2003, not MS-CHAP v2.


MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298
ISBN: 1932266550
Year: 2003
Pages: 122