Chapter 7: Planning, Implementing, and Maintaining a Remote Access Strategy


Planning the Remote Access Strategy

1.

You are planning a remote access server and need to enable access for several employees. All the employees are in the same city. The company LAN is not currently connected to the Internet, and your security policy specifies that Internet connections should be avoided. Which of the following is the best choice for the remote access solution?

  A. Dial-in access

  B. VPN access

  C. Wireless access

  D. Dedicated WAN links


2.

You are configuring a remote access server on a Windows Server 2003 computer. The same server is acting as a domain controller and DHCP server, assigning IP addresses to clients. Which of the following is the simplest method of assigning IP addresses for remote clients?

  A. Manually configure each client with an IP address.

  B. Configure the RRAS server to use DHCP.

  C. Configure a static address pool.

  D. Use APIPA.


Answers

1.

A. Dial-in access is a convenient way to offer access to employees within a city; therefore, Answer A is correct.

Answer B is incorrect because VPN access requires Internet connections. Answer C is incorrect because wireless access is typically not feasible over long distances. Answer D is incorrect because dedicated links for each employee would add unnecessary expense.

2.

B. Because a DHCP server is already available, you can configure the RRAS server to request addresses from DHCP and avoid the need for separate addressing for dial-up clients; therefore, Answer B is correct.

Answer A is incorrect because manual configuration is not the simplest method. Answer C is incorrect because a static address pool would require additional configuration and consideration of potential conflicts with the DHCP server’s address range. Answer D is incorrect because APIPA is intended for small networks that do not have a DHCP server available.

Addressing Dial-In Access Design Considerations

3.

You are configuring a dial-in remote access server on a Windows Server 2003 computer. Employees will use remote access while traveling. You have ten employees with laptops who will require access to the server, but typically only one is traveling at a time. A telecommuting employee will also require access for eight hours a day. How many modems would be the minimum to reliably serve these users?

  A. 1

  B. 11

  C. 2

  D. 3


4.

You have several users who dial in to a remote access server using multilink connections, combining two modems into a single link. Although this provides a higher bandwidth to the users, you find the server runs out of modem lines frequently, and most users are not using their connections to their full potential. Which of the following is a solution to this issue?

  A. Disable multilink connections.

  B. Set the maximum number of multilink ports to one.

  C. Use VPN instead of dial-in access.

  D. Enable Bandwidth Allocation Protocol (BAP).


Answers

3.

C. Two modems should be sufficient: one for the telecommuting employee and one for any traveling employee who requires access; therefore, Answer C is correct.

Answer A is incorrect because one modem would be busy for eight hours a day and traveling employees would not be able to dial in. Answers B and D are incorrect because two modems should be sufficient.

4.

D. Bandwidth Allocation Protocol (BAP) can reduce a multilink connection by one line when it is not used to its full capacity, freeing the modem for other users; therefore, Answer D is correct.

Answer A is incorrect because disabling multilink entirely would unnecessarily reduce bandwidth for users that required it. Answer B is incorrect because setting the maximum number of ports to one would effectively disable multilink. Answer C is incorrect because using VPN access is not an immediate solution to this issue.

Addressing VPN Design Considerations

5.

You are configuring a Windows XP client machine to access a VPN server that supports L2TP over IPSec. You need to obtain a computer certificate for the client and wish to do so from the client machine. A CA is present on the local network. Which application can you use to request a certificate?

  A. A Web browser

  B. The Certificates MMC snap-in

  C. The Certification Authority MMC snap-in

  D. Connection Manager


6.

You have configured a VPN server running Windows Server 2003 and RRAS. Most clients are able to access the server, but clients running Windows 98 are reporting that they are unable to connect. Which of the following is most likely the cause of this problem?

  A. Computer certificates are not installed.

  B. L2TP is not enabled on the server.

  C. PPTP is not enabled on the server.

  D. Windows 98 does not support VPN client access.


Answers

5.

A. You can request a certificate by connecting to the CA using a Web browser; therefore, Answer A is correct.

Answer B is incorrect because you can use the Certificates MMC snap-in to request a certificate, but MMC is not usually installed on Windows XP. Answer C is incorrect because the Certification Authority snap-in is available only for the CA. Answer D is incorrect because Connection Manager can be used to make a VPN connection, but not to request a certificate.

6.

C. The likely problem is that PPTP is not enabled on the server, since Windows 98 clients do not support L2TP; therefore, Answer C is correct.

Answer A is incorrect because computer certificates are used with L2TP, which is not supported by Windows 98. Answer B is incorrect because L2TP support would not work with Windows 98 clients. Answer D is incorrect because Windows 98 does support VPN access, but requires the PPTP protocol.

Addressing Wireless Remote Access Design Considerations

7.

You are setting up wireless access to the network with two WAPs. You want to use a centralized authentication source for both access points. You have an existing IAS server on the network. Which of the following tasks are necessary to support wireless access? (Choose all that apply.)

  A. Create a remote access policy.

  B. Configure the WAPs to use RADIUS authentication.

  C. Install a RADIUS server.

  D. Add the WAPs as clients in the IAS server’s configuration.


8.

You have configured a WAP using the EAP-TLS protocol. The WAP is connected to a LAN with a Windows Server 2003 server. Which of the following additional tasks may be necessary to ensure that wireless clients can connect? (Choose all that apply.)

  A. Enable PPP authentication.

  B. Issue computer certificates to clients.

  C. Issue user certificates or smart cards to users.

  D. Install and configure IAS.


Answers

7.

A, B, and D. You will need to create a remote access policy, configure the WAPs to use RADIUS authentication, and add them as clients of the IAS server; therefore, Answers A, B, and D are correct.

Answer C is incorrect because the existing IAS server will act as the RADIUS server.

8.

B and C. For wireless access to work, each client needs a computer certificate and either a user certificate or smart card; therefore, Answers B and C are correct.

Answer A is incorrect because PPP authentication is not used with wireless access. Answer D is incorrect because IAS is not needed for wireless access, although it can be used to improve security and to centralize authentication.

Planning Remote Access Security

9.

You are planning security for your network and have determined that the domain functional level is Windows 2000 Mixed mode. You have a combination of Windows Server 2003 and Windows 2000 Server domain controllers. Which of the following actions may be necessary to enable all of Windows Server 2003’s security features? (Choose all that apply.)

  A. Eliminate or upgrade the Windows 2000 Server domain controllers.

  B. Eliminate all Windows 2000 clients.

  C. Raise the functional level to Windows Server 2003.

  D. Raise the functional level to Windows Server 2003 Interim.


10.

You have a network with two Windows Server 2003 servers. You have raised the domain function level to Windows Server 2003. You need to install an additional domain controller and are considering an existing Windows 2000 Server. Which of the following tasks is necessary before using this machine as a domain controller?

  A. Lower the function level to Windows 2000 Mixed mode.

  B. Lower the function level to Windows Server 2003 Interim.

  C. Upgrade the Windows 2000 Server to Windows Server 2003.

  D. Demote the existing domain controller to a member server.


Answers

9.

A and C. To enable all security features, you can raise the functional level to Windows Server 2003. Once you do, Windows 2000 machines can no longer act as domain controllers; therefore, Answers A and C are correct.

Answer B is incorrect because only the domain controllers must be running Windows Server 2003. Answer D is incorrect because the Windows Server 2003 Interim function level does not enable all security features.

10.

C. Once the domain function level is raised, it cannot be lowered, so the only solution is to upgrade the server to Windows Server 2003; therefore, Answer C is correct.

Answers A and B are incorrect because the domain function level cannot be lowered. Answer D is incorrect because the existing domain controller does not need to be changed.

Creating Remote Access Policies

11.

You have an RRAS server and have configured two remote access policies. The first policy on the list allows access for all members of the Power Users group. The second policy on the list denies access to clients that connect during evening hours. After testing your configuration, you determine that clients in the Power Users group are able to connect at any time. Which of the following actions would correct this problem?

  A. Delete the first policy in the list.

  B. Change user account properties to deny remote access.

  C. Change the order of the policies.

  D. Install an IAS server.


12.

You are operating a remote access server and currently allow VPN access and dial-in access. You have decided to disallow dial-in access after configuring all the clients for VPN access. Which of the following attributes can you check in a remote access policy to deny access to modem users?

  A. Authentication-Type

  B. NAS-Port-Type

  C. Framed-Protocol

  D. NAS-Identifier


Answers

11.

C. Because the first policy that matches a client is used, the policy to deny access for evening hours should be first on the list; therefore, Answer C is correct.

Answer A is incorrect because the first policy is necessary to grant access to the group. Answer B is incorrect because user accounts set to deny access will be denied remote access regardless of the policy. Answer D is incorrect because installing IAS is unnecessary to solve this problem.

12.

B. The NAS-Port-Type attribute can be used to check whether dial-in access is in use; therefore, Answer B is correct.

Answer A is incorrect because the Authentication-Type option is used to check the authentication method in use. Answer C is incorrect because the Framed-Protocol attribute specifies the protocol used to connect. Answer D is incorrect because the NAS-Identifier attribute is a string that identifies an RRAS server.

Creating a Plan to offer Remote Assistance to Client Computers

13.

One of your users is having problems getting a productivity application to work correctly. You suspect that he is performing the steps involved in using the application incorrectly, but the application interface is complex and it’s difficult for you to explain, over the phone, what he needs to do. The user is running Windows XP, and you want to connect to his PC and show him how to perform the task in question so that he can actually see you go through the steps. How would you arrange to do this?

  A. Send the user a Remote Assistance Request.

  B. Get the user to send a Remote Assistance Invitation.

  C. Connect to the user’s PC using Remote Desktop.

  D. Connect to the user’s PC using the Web Interface for Remote Administration.


14.

You are attempting to describe the remote assistance process to a co-worker. The co-worker asks what the correct terms are for the person requesting assistance and the person providing assistance so that he can look them up in Windows Help. Which of the following do you reply with? (Select two.)

  A. Administrator

  B. Novice

  C. Expert

  D. End user


Answers

13.

B. By getting the user to send you a Remote Assistance Invitation, you can connect to the user’s desktop and the user can follow what you are doing.

Answer A is incorrect, because sending the user a Remote Assistance Request is the wrong way and it is also not called a Request. Answer C is incorrect, because connecting to a user’s PC using Remote Desktop logs off anyone at the PC and he will not be able to see what you are doing. Answer D is incorrect, because Remote Administration is not available on Windows XP computers.

14.

B, C. In relation to a remote assistance session, Microsoft refers to the person requesting help as the Novice and the person providing it as the Expert.

A, D. Although valid terms in computer networking circles, Administrator and End user are not the terms Microsoft uses to officially refer to roles involved in using Remote Assistance.

Planning for Remote Administration by using Terminal Services

15.

You are attempting to describe the remote assistance process to a co-worker. The co-worker asks what the correct terms are for the person requesting assistance and the person providing assistance so that he can look them up in Windows Help. Which of the following do you reply with? (Select two.)

  A. Administrator

  B. Novice

  C. Expert

  D. End user


Answers

15.

B, C. In relation to a remote assistance session, Microsoft refers to the person requesting help as the Novice and the person providing it as the Expert.

A, D. Although valid terms in computer networking circles, Administrator and End user are not the terms Microsoft uses to officially refer to roles involved in using Remote Assistance.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
