Chapter 8: Configuring Secure Network and Internet Authentication Methods

Network Authentication in Windows 2000

  1. You are the administrator of a mixed-mode Windows NT 4.0 domain. You have Windows 2000 and Windows NT 4.0 servers as well as Windows 2000 Professional, Windows NT Workstation, and Windows 95 client computers. What is the best network authentication method that you can reasonably hope for in your network?

    1. NTLM

    2. Kerberos

    3. Challenge-Handshake Authentication Protocol (CHAP)

    4. NTLMv2

    þ Answer D is correct. In this mix of clients and servers, the best network authentication you can reasonably hope for is NTLMv2. Windows 2000 supports NTLMv2 for backward compatibility with legacy clients; Windows NT 4.0 gained NTLMv2 support in Service Pack 4, and Windows 95 and Windows 98 clients can be brought up to NTLMv2 by installing the Directory Services Client (DSClient) and then configuring them to send NTLMv2 responses.

    ý Answer A is incorrect because, while NTLM is natively available to every client and server listed, it is weaker than NTLMv2 and so is not the best method available to you. Answer B is incorrect because Kerberos requires a Windows 2000 Active Directory domain (the KDC runs on the domain controllers) and Kerberos-capable clients; an NT 4.0 domain has no KDC. Answer C is incorrect because CHAP is a dial-up (PPP) authentication protocol and is not used for network logon.
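The NTLMv2 computation the answer refers to, as an added example that is not part of the study guide (Python, not anything shipped with Windows): the domain controller keeps only the NT hash, derives the NTOWFv2 key from it, and checks a response that is bound to its own challenge, a client challenge and a timestamp. The NT hash and NTOWFv2 test vectors are the ones published in MS-NLMP; the challenges and the empty target info in demo() are constructed, and MD4 is implemented inline because hashlib may not provide it. For contrast, NTLMv1 answers the 8-byte server challenge alone with DES, which is why a server (or an attacker posing as one) can choose a challenge and precompute the answers.

```python
"""NTLMv2 challenge/response, added as an example of what makes it the best
fallback for clients that cannot do Kerberos.  NT hash and NTOWFv2 test vectors
are the ones in MS-NLMP; MD4 is implemented inline because hashlib may not
provide it.  Challenges and target info in demo() are constructed."""
import hashlib, hmac, os, struct, time


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the primitive behind the NT hash."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for j, i in enumerate(order):
                a = rol((a + fn(b, c, d) + X[i] + k) & 0xFFFFFFFF, shifts[j % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next op updates the old D
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password; this is what the DC stores."""
    return md4(password.encode("utf-16-le"))


def ntowfv2_from_hash(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)); the DC can
    derive it from the stored NT hash without ever seeing the password."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntowfv2(password: str, user: str, domain: str) -> bytes:
    return ntowfv2_from_hash(nt_hash(password), user, domain)


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    filetime: int, target_info: bytes) -> bytes:
    """Client side: NTProofStr || temp.  temp carries the timestamp, the client's
    own challenge and the server's target info, so the server challenge alone no
    longer determines the answer (no chosen-challenge precomputation) and the
    response is bound to this one exchange."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(key: bytes, server_challenge: bytes, response: bytes) -> bool:
    """Server/DC side: recompute NTProofStr over the challenge it actually issued."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """Constructed exchange for the MS-NLMP test account (User / Domain / Password)."""
    user, domain, password = "User", "Domain", "Password"
    dc_key = ntowfv2_from_hash(nt_hash(password), user, domain)   # DC holds the NT hash only
    server_challenge, client_challenge = os.urandom(8), os.urandom(8)
    filetime = int((time.time() + 11644473600) * 10_000_000)    # Windows FILETIME
    target_info = b""   # AV_PAIRs copied from the server's CHALLENGE message; empty here
    response = ntlmv2_response(ntowfv2(password, user, domain),
                               server_challenge, client_challenge, filetime, target_info)
    return {
        "genuine": verify_ntlmv2(dc_key, server_challenge, response),
        "replayed_to_new_challenge": verify_ntlmv2(dc_key, os.urandom(8), response),
        "wrong_password": verify_ntlmv2(ntowfv2("Passw0rd", user, domain), server_challenge, response),
    }
```

Note that nothing on the server side needs the clear-text password, which is what separates NTLMv2 from digest authentication later in this chapter.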

  2. You are the administrator of a Windows 2000 Active Directory domain. Your clients consist of Windows 2000 Professional, Windows NT 4.0, Windows 95, and Windows 3.11 clients. What form of network authentication will your Windows 2000 Professional clients use in this situation?

    1. NTLM

    2. Kerberos

    3. CHAP

    4. NTLMv2

    þ Answer B is correct. Windows 2000 clients in a Windows 2000 Active Directory domain use the Kerberos protocol for network authentication by default.

    ý Answers A and D are incorrect because Windows 2000 clients in an Active Directory domain use Kerberos by default; they fall back to NTLM or NTLMv2 only when Kerberos is not available, for example when talking to a legacy server or connecting by IP address rather than by name. Answer C is incorrect because CHAP is a dial-up authentication protocol and is not used for network logon.

Kerberos Overview

  1. Kerberos provides two services to the network. What are the services that are provided to the network? (Choose two that apply.)

    1. TGS-issues individual session tickets that can be used to gain access to network resources.

    2. STS-issues individual session tickets that can be used to gain access to network resources.

    3. AS-authenticates users in the KDC's database and issues them a TGT.

    4. AS-authorizes users in the KDC's database and issues them a TGT.

    þ Answers A and C are correct. Kerberos provides the TGS and the authentication service to the network.

    ý Answer B is incorrect because session tickets are issued by the TGS; there is no "STS" in Kerberos. Answer D is incorrect because Kerberos performs authentication only; authorization is decided by the resource server from the authorization data in the ticket and its own access control lists.

  2. When using forwarded tickets, who acquires the session ticket for a client to access a back-end resource?

    1. The client

    2. The front-end server

    3. The back-end server

    4. The KDC

    þ Answer B is correct. Windows 2000 implements forwarded tickets rather than proxy tickets: the client obtains a forwardable TGT, hands it (with its session key) to the front-end server, and the front-end server then requests session tickets for the back-end servers and resources on the client's behalf, acting as its proxy.

    ý Answers A, C, and D are incorrect because, with forwarded tickets, the client only supplies the forwarded TGT; it is the front-end server that requests the back-end session tickets. The back-end server merely receives the resulting ticket, and the KDC issues tickets but never requests them.

Kerberos in Windows 2000

  1. The Kerberos protocol in Windows 2000 runs as a service on all domain controllers, thus all domain controllers are KDCs. What does the KDC use as its account database in Windows 2000?

    1. Active Directory

    2. Security Accounts Manager

    3. LSA

    4. HOSTS

    þ Answer A is correct. Kerberos in Windows 2000 uses the Active Directory as its user database.

    ý Answer B is incorrect because the Security Accounts Manager (SAM) is the local security database each Windows 2000 computer uses for logons to that computer only. Answer C is incorrect because the LSA (Local Security Authority) is not an account database but the security subsystem process that runs on every Windows 2000 computer. Answer D is incorrect because the HOSTS file provides static IP address to host name mappings for TCP/IP.

  2. You have several services that run in a front-end/back-end configuration on your network. All of your computers run Windows 2000 Server or Windows 2000 Professional. The back-end services run in the context of the local system account on the back-end servers. What do you need to do to enable forwarded authentication to occur so that your clients can authenticate to the services running on the back-end server? (Choose all that apply.)

    1. Select the Account is trusted for delegation check box on the client's domain user account properties page.

    2. Deselect the Account is sensitive and cannot be delegated check box on the client's domain user account properties page.

    3. Select the Trust computer for delegation check box on the back-end server's domain computer account properties page.

    4. Select the Account is trusted for delegation check box on the domain user account properties page that the services run under.

    þ Answers B and C are correct. For a client's ticket to be forwarded, the client's user account must not be marked "Account is sensitive and cannot be delegated"; the KDC will not issue a forwardable TGT for such an account. Because the services run as the local system account, the delegation trust has to be placed on the computer account ("Trust computer for delegation"); there is no separate service account to trust. In practice the flag matters on whichever tier receives the forwarded TGT and then calls onward on the client's behalf, so check it on every server that impersonates the client.

    ý Answer A is incorrect because delegation trust is granted to the computer or service account that will impersonate the client, never to the client's own account. Answer D is incorrect because these services run as the local system account, so there is no domain user account that they run under; that check box applies only when a service runs under a domain account of its own.
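A toy model of the exchanges described above, added here and not part of the study guide: the AS issues a TGT against a pre-authentication timestamp, the TGS issues session tickets, and a forwarded TGT lets the front-end server (HOST/web) act as the client's proxy toward the back end (HOST/sql). It also enforces the two Windows 2000 flags from the delegation question: a sensitive account gets a non-forwardable TGT, and the client forwards its TGT only when the service ticket for the front end carries OK-AS-DELEGATE, which the KDC sets from the "trusted for delegation" flag on the account that will receive the forwarded TGT. Account names and keys are constructed, and seal()/unseal() are a stand-in for Kerberos encryption, not a Kerberos implementation.

```python
"""Toy Kerberos KDC, added as an example of the AS and TGS exchanges, of ticket
forwarding through a front-end server, and of the Windows 2000 delegation
flags.  seal()/unseal() stand in for Kerberos encryption; account names and
keys are constructed.  Not a real Kerberos implementation."""
import hashlib, hmac, json, os, time


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode as a toy keystream (real Kerberos uses RC4/AES)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object; only a holder of `key` can open or forge it."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def make_authenticator(session_hex: str, client: str) -> bytes:
    """Fresh proof that the sender holds the ticket's session key."""
    return seal(bytes.fromhex(session_hex), {"client": client, "ts": time.time()})


class KDC:
    """Every Windows 2000 DC is a KDC: the account database (Active Directory in
    the real thing) plus the Authentication Service and Ticket-Granting Service."""

    def __init__(self, accounts: dict):
        self.accounts = accounts       # name -> {"key", "sensitive"?, "trusted_for_delegation"?}
        self.krbtgt = os.urandom(32)   # key under which every TGT is sealed

    def authentication_service(self, user: str, preauth: bytes):
        """AS-REQ -> AS-REP: pre-authentication proves the user's key; issue a TGT.
        'Account is sensitive and cannot be delegated' makes the TGT non-forwardable."""
        acct = self.accounts[user]
        if abs(time.time() - unseal(acct["key"], preauth)["ts"]) > 300:
            raise PermissionError("pre-authentication failed (clock skew)")
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"client": user, "session": session,
                                 "forwardable": not acct.get("sensitive", False)})
        return seal(acct["key"], {"session": session}), tgt

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes,
                                service: str, forwarded: bool = False):
        """TGS-REQ -> TGS-REP: a session ticket for `service`, or, with
        forwarded=True, a forwarded TGT the client can hand to a front end."""
        t = unseal(self.krbtgt, tgt)
        if unseal(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match the TGT")
        if forwarded:
            if not t["forwardable"]:
                raise PermissionError("account is sensitive and cannot be delegated")
            return seal(self.krbtgt, dict(t, forwarded=True))  # real Kerberos also issues a fresh session key
        session = os.urandom(32).hex()
        ticket = seal(self.accounts[service]["key"], {"client": t["client"], "session": session})
        # OK-AS-DELEGATE is set only when the service's account is 'trusted for delegation'.
        return {"ticket": ticket, "session": session,
                "ok_as_delegate": self.accounts[service].get("trusted_for_delegation", False)}


def front_end_to_back_end(kdc: KDC, user: str, user_key: bytes,
                          front_end: str, back_end: str) -> str:
    """Client logs on, authenticates to the front end, forwards its TGT; the front
    end then obtains a back-end ticket in the client's name.  Returns the client
    name the back end sees, or raises PermissionError where Windows 2000 would."""
    preauth = seal(user_key, {"ts": time.time()})                       # 1. AS exchange
    enc_part, tgt = kdc.authentication_service(user, preauth)
    session = unseal(user_key, enc_part)["session"]
    rep = kdc.ticket_granting_service(tgt, make_authenticator(session, user), front_end)  # 2. TGS
    if not rep["ok_as_delegate"]:                                       # client-side check
        raise PermissionError(f"{front_end} is not trusted for delegation")
    fwd_tgt = kdc.ticket_granting_service(tgt, make_authenticator(session, user),
                                          front_end, forwarded=True)    # 3. forwarded TGT
    # 4. The front end, now holding fwd_tgt and the session key, acts as the client's proxy.
    rep2 = kdc.ticket_granting_service(fwd_tgt, make_authenticator(session, user), back_end)
    # 5. The back end opens the ticket with its own key and learns who the client is.
    return unseal(kdc.accounts[back_end]["key"], rep2["ticket"])["client"]


def demo() -> dict:
    """The three configurations from the delegation question (constructed accounts)."""
    alice, web, sql = os.urandom(32), os.urandom(32), os.urandom(32)

    def kdc(alice_sensitive: bool, web_trusted: bool) -> KDC:
        return KDC({"alice": {"key": alice, "sensitive": alice_sensitive},
                    "HOST/web": {"key": web, "trusted_for_delegation": web_trusted},
                    "HOST/sql": {"key": sql}})

    out = {}
    for name, k in (("configured", kdc(False, True)),
                    ("web_not_trusted", kdc(False, False)),
                    ("alice_sensitive", kdc(True, True))):
        try:
            out[name] = front_end_to_back_end(k, "alice", alice, "HOST/web", "HOST/sql")
        except PermissionError as e:
            out[name] = f"refused: {e}"
    return out
```

demo() returns "alice" for the correctly configured case and a refusal string for the other two, which is the behaviour the two check boxes in the question control.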

  3. In Windows 2000, what type of DNS record does a client use to locate a KDC?

    1. PTR

    2. A

    3. SRV

    4. MX

    þ Answer C is correct. Clients query DNS for SRV (service location) records, such as _kerberos._tcp.<domain>, to locate a KDC; Windows 2000 domain controllers register these records through the Netlogon service.

    ý Answer A is incorrect because a PTR (pointer) record is used for reverse lookups in DNS. Answer B is incorrect because an A (host) record maps a host name to an IP address; the client uses it only after the SRV record has named a domain controller. Answer D is incorrect because an MX (mail exchange) record directs incoming mail to the messaging server.
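How a client finds a KDC through SRV records, as an added example that is not from the study guide: the names a Windows 2000 client asks for, a parser for zone-file style SRV answers, and the RFC 2782 priority/weight selection clients apply. The zone data and domain names are constructed.

```python
"""KDC location through DNS SRV records, added as an example: builds the names a
Windows 2000 client queries, parses zone-file style SRV answers (constructed
here) and picks a target by RFC 2782 priority/weight."""
import random
from dataclasses import dataclass


def kerberos_srv_names(dns_domain: str, site: str = "") -> list:
    """Query names in the order a Windows 2000 client tries them: site-specific
    first, then domain-wide.  Domain controllers register all of these via Netlogon."""
    names = []
    if site:
        names.append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{dns_domain}")
    names += [f"_kerberos._tcp.dc._msdcs.{dns_domain}",
              f"_kerberos._tcp.{dns_domain}",
              f"_kerberos._udp.{dns_domain}"]
    return names


@dataclass
class SRV:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SRV:
    """Parse one zone-file style line: name TTL IN SRV priority weight port target."""
    f = line.split()
    if len(f) != 8 or f[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SRV(f[0].rstrip("."), int(f[4]), int(f[5]), int(f[6]), f[7].rstrip("."))


def select_kdc(records, rng=random) -> SRV:
    """RFC 2782 selection: lowest priority wins; among equals, pick with
    probability proportional to weight (weight 0 only when nothing else is there)."""
    kdcs = [r for r in records if r.port == 88]      # ignore records that are not KDCs
    if not kdcs:
        raise LookupError("no KDC SRV records")
    best = min(r.priority for r in kdcs)
    pool = [r for r in kdcs if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    pick = rng.randrange(total)
    for r in pool:
        pick -= r.weight
        if pick < 0:
            return r


# Constructed sample answers for a domain corp.example.com.
ZONE = """\
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 0 88 dc2.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 10 100 88 dc3.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
"""


def locate(zone_text: str = ZONE, rng=random) -> str:
    """Return the KDC host a client should contact, given the answers in zone_text."""
    records = [parse_srv(l) for l in zone_text.splitlines() if l.strip()]
    return select_kdc(records, rng).target
```

With the constructed zone, dc1 is always chosen (priority 0, all the weight); dc2 is used only if dc1's record disappears, and dc3 only when no priority-0 KDC answers at all. The _ldap record is ignored because it is not a KDC, which is also why a broken or missing _kerberos registration cannot be diagnosed by checking the _ldap records alone.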

Configuring Kerberos Trusts

  1. Hannah needs to configure a new external trust to a Windows NT 4.0 domain. How can she perform this task? (Choose all that apply.)

    1. She can configure the trust by using the Netdom command.

    2. She can configure the trust by using the Active Directory users and computers console.

    3. She can configure the trust by using the Netsh command.

    4. She can configure the trust by using the Active Directory domains and trusts console.

    þ Answers A and D are correct. Hannah can use either the Netdom command or the Active Directory domains and trusts console to create, edit, verify, and remove trusts between domains.

    ý Answer B is incorrect because the Active Directory Users and Computers console does not administer domain trusts; it is used for Active Directory objects such as users, computers, OUs, groups, and the Group Policy links on them. Answer C is incorrect because Netsh configures networking components (interfaces, routing, RAS, and so on) from the command line, not domain trusts.

  2. What type of trust does Kerberos create between domains in Windows 2000?

    1. One-way non-transitive manual

    2. Two-way non-transitive automatic

    3. Two-way transitive automatic

    4. Two-way transitive manual

    þ Answer C is correct. Windows 2000 automatically creates two-way transitive Kerberos trusts between the forest root domain and the root of each additional domain tree, and between every parent and child domain, so every domain in a forest trusts every other through the trust path.

    ý Answers A, B, and D are incorrect because the Kerberos trusts inside a forest are two-way, transitive, and automatic. One-way non-transitive manual trusts (answer A) are the NTLM-style trusts of Windows NT 4.0, and are what you create by hand as external trusts to NT 4.0 domains or to domains in other forests.
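A trust-path check, added as an example that is not part of the study guide, to show the practical difference between the automatic two-way transitive Kerberos trusts inside a forest and a manual one-way non-transitive trust to an NT 4.0 domain. The forest layout, the domain names and the LEGACY domain are constructed.

```python
"""Trust-path evaluation, added as an example of what "two-way transitive"
changes in practice: whether a user from one domain can be authenticated for a
resource in another, given the trusts.  Forest and NT 4.0 trust are constructed."""
from collections import deque


class TrustMap:
    """Directed trust edges: trusting domain -> [(trusted domain, transitive?)]."""

    def __init__(self):
        self.edges = {}

    def _add(self, trusting, trusted, transitive, two_way):
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, transitive))

    def kerberos_trust(self, parent_or_forest_root, child_or_tree_root):
        """Created automatically by Windows 2000: two-way and transitive."""
        self._add(parent_or_forest_root, child_or_tree_root, True, True)

    def nt4_external_trust(self, trusting, trusted):
        """Created by hand (Netdom or AD Domains and Trusts): one-way, non-transitive."""
        self._add(trusting, trusted, False, False)

    def referral_path(self, resource_domain, account_domain):
        """Chain of trusts a KDC referral can follow from the resource domain to the
        account domain, or None.  A non-transitive trust is usable only as the
        single hop; a longer chain must consist of transitive trusts."""
        if resource_domain == account_domain:
            return [resource_domain]
        if any(t == account_domain for t, _ in self.edges.get(resource_domain, [])):
            return [resource_domain, account_domain]
        queue, seen = deque([[resource_domain]]), {resource_domain}
        while queue:
            path = queue.popleft()
            for trusted, transitive in self.edges.get(path[-1], []):
                if not transitive or trusted in seen:
                    continue
                seen.add(trusted)
                if trusted == account_domain:
                    return path + [trusted]
                queue.append(path + [trusted])
        return None


def build_forest() -> TrustMap:
    """Constructed forest: corp.example.com root with two child domains, a second
    tree labs.example.net, and a one-way external trust in which us.corp.example.com
    trusts the NT 4.0 domain LEGACY."""
    t = TrustMap()
    t.kerberos_trust("corp.example.com", "eu.corp.example.com")
    t.kerberos_trust("corp.example.com", "us.corp.example.com")
    t.kerberos_trust("corp.example.com", "labs.example.net")   # tree root in the same forest
    t.nt4_external_trust("us.corp.example.com", "LEGACY")
    return t
```

Users from eu.corp.example.com reach resources in us.corp.example.com through the root, and LEGACY users reach only us.corp.example.com: the external trust is neither transitive (no path from eu.corp.example.com) nor two-way (no path from LEGACY back to the forest).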

Configuring User Authentication

  1. Christopher is the network administrator of his company's Windows 2000 network, which consists of Windows 2000 Servers, Windows 2000 Professional clients, and Windows 98 clients. Christopher wants to ensure that only secure NTLM authentication occurs between his servers and clients. What must be done to make the Windows 2000 computers use NTLMv2 only?

    1. Christopher will need to install the DSClient on his Windows 2000 computers to enable NTLMv2.

    2. Christopher will need to install a security certificate on each of the Windows 2000 computers to enable NTLMv2.

    3. Christopher cannot use NTLMv2 on his Windows 2000 computers without installing at least one Windows .NET Server Domain Controller on the network with the high-encryption update.

    4. Christopher can require NTLMv2 via group policy and apply this to the entire domain.

    þ Answer D is correct. Christopher will need to require NTLMv2 via Group Policy, using the security option "LAN Manager authentication level" (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options) set to "Send NTLMv2 response only\refuse LM & NTLM", and apply it at the domain level (or to the OUs that contain his computers) to force all of his Windows 2000 computers to use NTLMv2 only. Once the domain controllers refuse LM and NTLM, any Windows 98 client that has not yet been switched to NTLMv2 can no longer log on, so stage the client change first.

    ý Answer A is incorrect because the DSClient is for legacy clients (Windows 95/98), where it adds NTLMv2 support; Windows 2000 already has it. Answer B is incorrect because installing certificates on the computers has no effect on NTLMv2. Answer C is incorrect because NTLMv2 does not require Windows .NET Server on the network; it is built into Windows 2000.

  2. Christopher is the network administrator of his company's Windows 2000 network, which consists of Windows 2000 Servers, Windows 2000 Professional clients, and Windows 98 clients. Christopher wants to ensure that only secure NTLM authentication occurs between his servers and clients. What must be done to make the Windows 98 computers use NTLMv2 only?

    1. Christopher will need to install the DSClient on his Windows 98 computers to enable NTLMv2.

    2. Christopher will need to install a security certificate on each of the Windows 98 computers to enable NTLMv2.

    3. Christopher will need to enable the NTLMv2 setting for the OU that contains his Windows 98 computers.

    4. Christopher will need to install a Windows 2000-based Remote Authentication Dial-In User Service (RADIUS) server on his network to allow him to use NTLMv2.

    þ Answer A is correct. By installing the DSClient on his Windows 98 computers, Christopher gives them NTLMv2 support; he then sets the LMCompatibility value under HKLM\System\CurrentControlSet\Control\LSA to 3 so that they send NTLMv2 responses only. Because Windows 9x does not process Group Policy, this has to be done on each client.

    ý Answer B is incorrect because installing certificates on the computers will not enable NTLMv2. Answer C is incorrect because enabling the NTLMv2 setting in the GPO linked to the OU the Windows 98 computers belong to has no effect; legacy clients do not process Group Policy Objects. Answer D is incorrect because a RADIUS server has nothing to do with enabling NTLMv2; it is used to authenticate dial-up connections to the Remote Access Service (RAS) server from remote clients.

Configuring Web Authentication

  1. You have configured digest authentication for your Web servers. Jon, one of your users who needs to authenticate to the Web servers, cannot do so. You have checked Jon's user account properties and found that the "Store Passwords Using Reversible Encryption" option has been checked, but Jon still cannot authenticate. What is the most likely reason for his troubles?

    1. Jon's user account is disabled. You should enable it from Active Directory users and computers.

    2. Jon did not change his password after the "Store Passwords Using Reversible Encryption" option was enabled for his account.

    3. Jon changed his password after the "Store Passwords Using Reversible Encryption" option was enabled for his account, which disabled this setting.

    4. Jon's computer that he is attempting to make the connection with does not have the 128-bit high encryption patch applied.

    þ Answer B is correct. Digest authentication requires the server to compute MD5(username:realm:password) itself, so the domain controller must hold Jon's password in a reversibly encrypted form. Turning on "Store Passwords Using Reversible Encryption" does not convert the existing one-way hash; the reversible copy is stored only at the next password change. If the option is selected and Jon still cannot use digest authentication, it is highly likely that he has not changed his password since it was enabled, and changing it will correct the situation.

    ý Answer A is incorrect because if Jon's account were disabled he would not be able to use it at all, which is not the case here. Answer C is incorrect because changing Jon's password after enabling reversible encryption is exactly the fix this situation needs. Answer D is incorrect because the high encryption patch is not a factor in digest authentication.
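Both halves of the Digest exchange, added as an example that is not part of the study guide, to show why the server needs a reversibly stored password: client and server both compute HA1 = MD5(user:realm:password), and a server that holds only the one-way NT hash cannot. The request is the RFC 2617 example (user Mufasa, password "Circle Of Life"); the account store, including the Jon account that is flagged but has not changed its password, is constructed.

```python
"""HTTP Digest authentication on both sides (RFC 2617, qop=auth), added as an
example of why the server needs a reversibly stored password.  The request is
the RFC 2617 test vector; the account store is constructed."""
import hashlib, hmac, re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password): needs the clear-text password, so a server
    holding only a one-way hash (the NT hash) cannot produce it."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    m = re.match(r"\s*Digest\s+(.*)", header, re.S)
    if not m:
        raise ValueError("not a Digest Authorization header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', m.group(1))}


# Constructed account store.  "reversible" is the clear-text password the DC keeps
# once 'Store password using reversible encryption' is set AND the password has
# been changed; until then only the one-way NT hash exists, modelled as None.
ACCOUNTS = {
    "Mufasa": {"reversible": "Circle Of Life"},
    "Jon": {"reversible": None},   # option set, password not changed since
}


def server_verify(method: str, header: str, accounts: dict = ACCOUNTS) -> bool:
    """What the Web server has to do: rebuild HA1 from the stored clear-text password."""
    p = parse_authorization(header)
    clear = accounts.get(p["username"], {}).get("reversible")
    if clear is None:
        return False      # cannot build HA1 -> 401 for the user
    expected = digest_response(ha1(p["username"], p["realm"], clear), method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


# RFC 2617 section 3.5 example request (user Mufasa, password "Circle Of Life").
RFC2617_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
                  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
                  'qop=auth, nc=00000001, cnonce="0a4f113b", '
                  'response="6629fae49393a05397450978507c4ef1", '
                  'opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def demo() -> dict:
    """Mufasa succeeds; Jon fails until a password change populates the reversible copy."""
    jon_header = RFC2617_HEADER.replace('username="Mufasa"', 'username="Jon"')
    return {"mufasa": server_verify("GET", RFC2617_HEADER),
            "jon_before_password_change": server_verify("GET", jon_header)}
```

The server-side function is the whole reason for the reversible-encryption requirement: unlike the NTLMv2 check shown earlier in this chapter, there is no way to derive HA1 from a stored one-way hash.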

  2. Andrew is the network administrator for a small Windows 2000 Active Directory domain. He has configured Integrated Windows authentication for users attempting to authenticate to the Web server. Andrew's network is protected from the Internet by a Cisco PIX firewall. Users attempting to authenticate using Integrated Windows authentication complain that they cannot authenticate. What is the most likely cause of the troubles?

    1. Andrew has not configured the user's account properties with the "Store Passwords Using Reversible Encryption" option.

    2. Integrated Windows authentication fails when access is through a firewall due to the fact that the firewall places its IP address in the hash, thus rendering the authentication request invalid.

    3. Andrew has not configured for Integrated Windows authentication in the group policy object that covers the IIS server's computer account.

    4. Andrew has not configured for Integrated Windows authentication in the group policy object that covers the user's accounts.

    þ Answer B is correct. One of the weaknesses of Integrated Windows authentication is that it does not work through a firewall or proxy: the firewall places its own IP address in the Integrated Windows authentication hash, rendering the authentication request invalid. More generally, the NTLM handshake is bound to the TCP connection, so any device that terminates or rewrites the connection between the browser and the Web server breaks it; Integrated Windows authentication is intended for intranet use.

    ý Answer A is incorrect because reversible encryption is required for digest authentication, not Integrated Windows authentication. Answers C and D are incorrect because Integrated Windows authentication is not configured via Group Policy but on the Web site's "Properties" page (Directory Security tab) in the Internet Services Manager.

  3. Catherine is the administrator of a Windows 2000 network. She has configured anonymous authentication for her Web servers. Users attempting to use anonymous authentication complain to her that they cannot access the site and instead receive a 401 error "Unauthorized: Logon failed" when they attempt to access the Web site. Catherine has checked her IIS servers and they show no unusual conditions. What is the most likely reason for this problem?

    1. The IIS server is hung. A restart of the server will clear the problem up.

    2. The anonymous account is either missing, misconfigured, or does not have the permissions required.

    3. The users do not have user accounts on the IIS server.

    4. The users are not using Internet Explorer 5.5 or later.

    þ Answer B is correct. Anonymous authentication "corrals" all Web site users into the permissions and privileges of the IUSR_servername account. In most cases you will want to leave this built-in local account as the anonymous authentication account. Anonymous authentication requires nothing from the user; IIS logs on as the anonymous account on their behalf. If that account is missing, disabled, locked out, lacks the "Log on locally" user right, has a password that no longer matches the one IIS holds (unless "Allow IIS to control password" is selected), or lacks NTFS read permission on the content, anonymous authentication fails and the user sees a 401 error.

    ý Answer A is incorrect because if the IIS server were hung or otherwise not responding, users would see a connection failure or a 5xx error, not a 401; 401 errors are specific to authentication problems. Answer C is incorrect because individual user accounts are not required for anonymous authentication, only the existence of a properly configured anonymous account. Answer D is incorrect because anonymous authentication works with all browsers, so the version of IE in use is not an issue.

  4. You have enabled SSL on your Web site but now users complain to you that they cannot establish secure connections on port 80. You know that port 80 is the standard HTTP port, not the secure HTTP port. What port should they be attempting to connect to?

    1. 8080

    2. 443

    3. 25

    4. 110

    þ Answer B is correct. HTTPS (HTTP over SSL) uses TCP port 443 by default, and its URLs start with https://. The SSL port is set on the Web Site tab of the site's properties, so check there if a non-default port was chosen.

    ý Answer A is incorrect because port 8080 is an alternate HTTP port commonly used by proxy servers. Answer C is incorrect because port 25 is used for SMTP. Answer D is incorrect because port 110 is used by POP3.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162