Self Test


A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Understanding IP Security (IPSec)

1.

You have decided to deploy IPSec in your organization because you have several departments that are doing sensitive work and communicating across the Internet and other networks with a variety of persons in various organizations. There have been a few incidents where messages were sent instructing lower-level employees to perform certain tasks, purporting to be from their managers. However, investigation revealed that the managers did not send the messages; rather, they were sent by someone else, pretending to be the manager, who was attempting to sabotage the project. This experience has pointed out the need to provide authentication for the data packets that travel across the network so that the receiver of a message can be assured that it is genuine. It is equally important to ensure that the data in these messages doesn’t get changed during transmission. Finally, you want to be sure that nobody other than the authorized recipient is able to read the message itself. You want the entire packet to be digitally signed, so that it will have maximum protection. Which of the following IPSec configuration choices will provide this?

  1. Use AH alone.

  2. Use ESP alone.

  3. Use AH and ESP in combination.

  4. IPSec cannot provide authentication, integrity, and confidentiality simultaneously.

 c

2.

You have been hired as a consultant to help deploy IPSec for the network of a medium-size manufacturing firm that is developing a number of new products and must share sensitive data about its products over the network. As part of the planning process, you must determine the best authentication method to use with IPSec. What are the authentication methods that can be used with IPSec? (Select all that apply.)

  1. Kerberos v5

  2. Perfect Forward Secrecy (PFS)

  3. Shared secret

  4. Diffie-Hellman groups

 a, c

Answers

1.

C

2.

A, C

Deploying IPSec

3.

You are the network administrator for a company that has recently migrated some of its servers to Windows Server 2003 from Windows 2000. However, there are still a number of Windows 2000 servers and clients on the network. You want to use the enhanced security available on your network, and you have some interoperability issues you are concerned with pertaining to Windows Server 2003 and your Windows 2000 servers and clients. Which key method should you implement?

  1. Rivest-Shamir-Adleman (RSA)

  2. Diffie-Hellman group 1

  3. Diffie-Hellman group 2

  4. Diffie-Hellman group 2048

 c

4.

You are a network administrator for a medium-sized medical office and you have recently deployed IPSec on the network in response to the physician/owner’s concerns about confidentiality of patient information. However, it appears that IPSec might not be working correctly on a particular client computer. You need to view the local routes assigned to this particular client on the network using the IPSec Policy Agent. How does the IPSec Policy Agent function in IPSec? (Select all that apply.)

  1. Surveys the policy for configuration changes

  2. Routes the assigned IPSec policy information to the IPSec driver

  3. Uses the IP Security Policy Agent console to manage IPSec policies

  4. For nondomain member clients, retrieves local IPSec policy information from the Registry

 a, b, d

Answers

3.

C

4.

A, B, D

Managing IPSec

5.

You are the network administrator for a large law firm. You have been tasked with the duty of deploying IP security for all network communications in the departments and divisions that handle sensitive data. You have delegated individual departments to your junior administrators. You now need to verify that IPSec has been deployed and configured properly on your Human Resources and Payroll computers. Which tools can be used to perform this function? (Select all that apply.)

  1. IPSec Security Policy Monitor console

  2. netsh command

  3. Certificates snap-in

  4. Resultant Set of Policy (RSoP)

 a, b

6.

You have deployed IPSec on your company’s network and it has been working well, except for one thing. You’ve tried modifying some of the IPSec policy rules using netsh commands in the ipsec context, but each time you do so, the rules work only until you reboot the server, and then they seem to disappear. You want to make changes to the IPSec policy rules that are permanent and do not change when the server is rebooted. Which netsh command could you use?

  1. netsh ipsec dynamic set config

  2. netsh ipsec dynamic

  3. netsh interface ip

  4. netsh interface ipv6 isatap

 a

Answers

5.

A, B

6.

A

Addressing IPSec Security Considerations

7.

You are the network administrator for a medium-sized company that provides accounting services to a number of different clients. To avoid having clients’ financial information disclosed to the wrong parties, you are planning to implement IPSec on your network. You want your employees to be able to communicate securely both within the company and across the WAN with employees in your branch offices. You have recently hired a junior administrator who has his MCSE in Windows NT and 2000. You give him the task of implementing IPSec in your organization. The first thing he tells you is that because your smaller branch office uses NAT, that site will not be able to use IPSec. What is your response?

  1. You already knew this, and intend to change that site from a NAT connection to a routed connection to accommodate this.

  2. He is mistaken; IPSec has been able to work with NAT since Windows 2000.

  3. He is mistaken; IPSec did not work with NAT in Windows 2000 but it does in Windows Server 2003.

  4. You know IPSec is not compatible with NAT “out of the box,” but you can install a third-party program that will make it compatible.

 c

8.

You have been hired as a network security specialist for a new startup company that has recently installed a new Windows Server 2003 network. The network was originally set up by a group of consultants, and they implemented IPSec for network communications so that communications with their secure servers could be protected. You are reviewing and evaluating the IPSec policies. Although several policies have been created, none of them seem to be effective. What do you conclude the consultants forgot to do after creating the policy?

  1. Authorize the policy in Active Directory

  2. Assign the policy in the IP Security Policy Management console

  3. Edit the policy after creating it

  4. Enable the policy in the IP Security Monitor console

 b

9.

You have been tasked with the duty of implementing IPSec on your new Windows Server 2003 network to increase security. You have never worked with IPSec before and you have been reading up on it. You’ve decided that you want to use PFS, but you are concerned about the resource usage on the domain controller due to reauthentication. Which of the following types of PFS can you implement without putting an undue burden on the authenticating server?

  1. You can use master key PFS.

  2. You can use session key PFS.

  3. You can use either or both because PFS doesn’t use any resources on the domain controller.

  4. You can use neither because both types of PFS use considerable resources on the domain controller.

 b

10.

You are creating a project to implement IPSec using the IPv6 protocol. Part of your security plan states that you must maintain data confidentiality as part of your IPSec implementation. When developing your plan further, what must you remember about Microsoft’s implementation of IPv6 that is included in Windows Server 2003?

  1. IPv6 does not support data encryption.

  2. IPv6 does not support authentication.

  3. IPv6 does not support integrity.

  4. IPv6 does not support IPSec.

 a

11.

You have been hired as a consultant to evaluate the IPSec deployment in a small music publishing company. Management is concerned that copyrighted material might be intercepted as it passes over the network and be stolen. You discover that the former network administrator who initially set up IPSec configured it to use the AH protocol only. You explain to the company manager that one of the things you recommend changing is to configure IPSec to use ESP. Why would you implement ESP in this situation? (Select all that apply.)

  1. ESP ensures data integrity and authentication.

  2. ESP prevents capture of packets.

  3. ESP provides confidentiality.

  4. ESP encrypts the packets.

 c, d

12.

You are on an IT team that is planning the deployment of IPSec throughout a large enterprise network. You have been advised that cost-effectiveness and efficient use of personnel are two priorities, because the company does not want to hire additional IT staff to support the deployment. Of the authentication methods available, which has the lowest administrative overhead and is the most efficient if you wish to support the implementation on 10,000 client machines?

  1. Diffie-Hellman group 2048

  2. Kerberos v5

  3. Pre-shared keys

  4. Digital certificates

 b

Answers

7.

C

8.

B

9.

B

10.

A

11.

C, D

12.

B

Using RSoP for IPSec Planning

13.

You have been hired to manage security for a medium-sized network. Your first project is to implement IPSec on the network to protect communications that travel across it. You have just assigned an IPSec policy to a client, and you need to view the precedence of IPSec policy assignments and which policies have been assigned to the client. Which logging mode would you use in RSoP?

  1. IPSec mode

  2. RSoP mode

  3. Logging mode

  4. Planning mode

 c

14.

You have IPSec configured and running on your network. You want to capture some IPSec packets to ensure that the data inside cannot be viewed. You want to capture packets being sent from a remote client to a remote server, using a server in the server room. Which of the following tools will you need to use in order to capture these packets?

  1. Network Monitor in Windows Server 2003

  2. netsh commands in the ipsec context

  3. The IP Security Monitor console

  4. Systems Management Server (SMS)

 d

15.

You want to use the RSoP tool in logging mode to build some reports on the existing policy settings of one of your client computers. You have used RSoP before in planning mode, but never in logging mode. You open the RSoP Wizard from the Active Directory Users and Computers console, as you’ve done before, but you notice that there is no mechanism for selecting the mode, and only planning mode seems to be available. What is the problem?

  1. The RSoP Wizard runs only in planning mode.

  2. You should open the RSoP Wizard from Active Directory Sites and Services instead.

  3. You should open the RSoP Wizard from the RSoP MMC instead.

  4. You can select logging mode when you open the RSoP in Active Directory Users and Computers. You must have overlooked the option.

 c

Answers

13.

C

14.

D

15.

C




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
