Apply Your Knowledge


Exercises

7.1 Sending a Remote Assistance Request

In this exercise, you create and send a Remote Assistance request. You need two Windows XP Professional or Windows Server 2003 computers (or one of each) to complete this procedure.

Estimated time: 15 minutes

  1. Open the Help and Support Center by clicking Start, Help and Support.

  2. Click the Remote Assistance link under the Support Tasks column.

  3. On the Remote Assistance window, click the Invite Someone to Help You link.

  4. Select a Windows Messenger user and click Invite This Person.

  5. To send an email request using your MAPI-compliant messaging application, enter the Expert's first name and click Continue.

  6. Supply the password and duration for the Remote Assistance request.

  7. Enter the correct email address and add any other notes you want before sending the message.

  8. To send the Remote Assistance request using a saved file, click Send Invitation as a File (Advanced).

7.2 Configuring Remote Assistance Group Policy Options

In this exercise, you configure the Group Policy options for Remote Assistance. You should have at least one Windows Server 2003 computer for this procedure.

Estimated time: 20 minutes

  1. Locate the Group Policy Object for which you want to configure the Remote Assistance settings.

  2. Locate the Remote Assistance node.

  3. Double-click the Solicited Remote Assistance setting to open its Properties dialog box.

  4. Select the Enabled radio button.

  5. For the Permit Remote Control of This Computer option, select Allow Helpers to Remotely Control the Computer to ensure that you can fully offer Remote Assistance as needed. You can take control only if the user allows it.

  6. For the Maximum Ticket Time option, configure a reasonable lifetime for the Remote Assistance request, such as 1 hour. This allows you a window in which to respond to the request without creating an overly large security risk.

  7. For the Select the Method for Sending E-mail Invitations option, your selection depends on the messaging client in use on your network. The Mailto option configures the Remote Assistance request to be sent as an Internet link and works in virtually all situations. The SMAPI (Simple MAPI) option configures the request to be attached to the message.

  8. Click OK to close the Solicited Remote Assistance Properties dialog box.

  9. Double-click the Offer Remote Assistance setting to open its Properties dialog box.

  10. To allow you to offer unsolicited Remote Assistance to users, select the Enabled radio button.

  11. For the Permit Remote Control of This Computer option, select Allow Helpers to Remotely Control the Computer to ensure that you can fully offer Remote Assistance as needed. You can take control only if the user allows it.

  12. Click the Show button to open the Show Contents dialog box.

  13. To add users and/or groups, click the Add button. You can add only one object at a time, and you must use the following format:

     
      <Domain Name>\<User Name> or <Domain Name>\<Group Name>

  14. Click OK to close the Offer Remote Assistance Properties dialog box.
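
To check the result of this exercise on a computer that received the GPO, the following added example (not part of the original text) audits the stored policy values: ticket lifetime against the 1 hour suggested in step 6, and helper entries against the format required in step 13. The registry key and value names are assumptions taken from Windows' Remote Assistance policy template, and the sample data is constructed.

```python
"""Audit Remote Assistance policy values against the choices in Exercise 7.2."""
import re

# Assumption: key and value names as written by Windows' Remote Assistance
# policy template; they do not appear in the exercise text.
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
HELPERS_KEY = POLICY_KEY + r"\RAUnsolicit"
UNIT_MINUTES = {0: 1, 1: 60, 2: 1440}  # MaxTicketExpiryUnits: minutes, hours, days
HELPER_FORMAT = re.compile(r"^[^\\]+\\[^\\]+$")  # <Domain Name>\<User or Group Name>


def audit_remote_assistance(values, helpers, max_ticket_minutes=60):
    """Return a list of findings for one computer.

    values  -- dict of value name -> DWORD read from POLICY_KEY
    helpers -- names entered through the Show Contents dialog box (step 13)
    max_ticket_minutes -- longest acceptable ticket lifetime; the default is
                          the exercise's own example of 1 hour
    """
    findings = []
    if values.get("fAllowToGetHelp") == 1:  # Solicited Remote Assistance enabled
        unit = UNIT_MINUTES.get(values.get("MaxTicketExpiryUnits"))
        amount = values.get("MaxTicketExpiry")
        if unit is None or amount is None:
            findings.append("Maximum Ticket Time is missing or has an unknown unit")
        elif amount * unit > max_ticket_minutes:
            findings.append(
                f"Maximum Ticket Time is {amount * unit} minutes "
                f"(limit {max_ticket_minutes})"
            )
    offer_enabled = values.get("fAllowUnsolicited") == 1
    if offer_enabled and not helpers:
        findings.append("Offer Remote Assistance is enabled but no helpers are listed")
    if helpers and not offer_enabled:
        findings.append("Helpers are listed but Offer Remote Assistance is not enabled")
    for name in helpers:
        if not HELPER_FORMAT.match(name):
            findings.append(f"Helper entry {name!r} is not in Domain\\Name format")
    return findings


def read_local_policy():
    """Read values and helper names from the local registry (Windows only)."""
    import winreg  # imported here so the audit function works on any platform

    values, helpers = {}, []
    for subkey in (POLICY_KEY, HELPERS_KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except FileNotFoundError:
            continue  # the policy setting is not configured on this computer
        with key:
            for index in range(winreg.QueryInfoKey(key)[1]):
                name, data, _kind = winreg.EnumValue(key, index)
                if subkey == POLICY_KEY:
                    values[name] = data
                else:
                    helpers.append(name)  # assumption: one value per helper entry
    return values, helpers


if __name__ == "__main__":
    # Constructed sample: a 30-day ticket and one malformed helper entry.
    sample_values = {
        "fAllowToGetHelp": 1,
        "fAllowFullControl": 1,
        "MaxTicketExpiry": 30,
        "MaxTicketExpiryUnits": 2,
        "fAllowUnsolicited": 1,
    }
    sample_helpers = ["EXAMPLE\\Helpdesk", "jsmith"]
    for finding in audit_remote_assistance(sample_values, sample_helpers):
        print("FINDING:", finding)
```

On a Windows computer, pass the result of `read_local_policy()` to `audit_remote_assistance()` instead of the sample data.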

7.3 Creating a Wireless Network Security Policy

In this exercise, you create a new Wireless network security policy. You need at least one Windows Server 2003 computer to complete this process.

Estimated time: 20 minutes

  1. Using either the Group Policy Management Console (GPMC) or Group Policy Editor (GPE), locate the GPO in which you want to create the WLAN security policy.

  2. Locate the Wireless Network (IEEE 802.11) Policies node. Right-click it; then select Create Wireless Network Policy from the context menu to start the Wireless Network Policy Wizard.

  3. Click Next to dismiss the opening page of the wizard.

  4. Enter a name and description for the new policy on the Wireless Network Policy Name dialog box. Click Next.

  5. The Completing the Wireless Network Policy Wizard dialog box appears. Ensure that the Edit Properties option is selected; then click Finish to exit the wizard and start configuring the policy's properties.

  6. The policy Properties dialog box opens. Configure your selections as you like and switch to the Preferred Networks tab.

  7. Click the Add button to open the New Preferred Setting Properties dialog box.

  8. On the Network Properties tab, configure the selections as necessary. When you are done, switch to the IEEE 802.1x tab.

  9. On the IEEE 802.1x tab, configure the selections as necessary. When you are done, click OK to commit the preferred network to the policy.

  10. Back at the Preferred Networks tab of the policy Properties dialog box, you can add another preferred network if you want. You can also remove or edit existing preferred network entries as well as change their relative order by using the Move Up and Move Down buttons.

  11. Click OK to close the WLAN policy Properties dialog box.

  12. If you want to force Active Directory replication to occur, thus implementing your new WLAN policies, enter the gpupdate /target:computer command.

Review Questions

1:

You need to create and implement a plan for your network that will allow you to ensure that users can always receive real-time support for their problems. What new feature of Windows Server 2003 provides this solution for you?

2:

You are attempting to connect to one of your Windows Server 2003 computers using the Remote Desktop Connection utility but cannot. What is the most likely reason for this trouble?

3:

You are creating a new Wireless Network Security Policy. You need to ensure that your wireless clients can connect only to your Access Points and not directly to each other. What mode should you select?

4:

You are planning a new IPSec policy for use on your internal network between your Financial subnet and your Accounting subnet. What authentication methods will you have to select from when creating this new policy?

5:

What functions does AH provide in IPSec?


Exam Questions

1:

You are the network administrator for Joe's Crab Shack, a regional restaurant chain. You have recently begun to implement IPSec to secure communications on the internal network segments. You have just completed the configuration and implementation of the Richmond office network segment. Users in Richmond are now complaining to you that they can connect to their network resources from some computers but not from others. What do you suspect is the most likely cause of this problem?

  1. The computers do not have basic network connectivity.

  2. More than one IPSec policy is in place.

  3. The domain controller is not responding.

  4. The Kerberos key distribution center is not responding.

2:

You are the network administrator for Jeff's Jeep Tours, an Australian tour company. You have a central office located in Sydney with 20 other smaller remote offices located all over the country. You have recently completed your rollout of Windows Server 2003 for all servers and Windows XP Professional for all clients in the corporate network. Some of the remote offices have only three or four employees and no IT staff. The IT management responsibility for these offices is shared among all the IT staff in other locations. When users in remote locations with no IT staff have problems with their Windows XP Professional computers, what feature should they use to get help for their problem?

  1. Terminal Services

  2. Remote Desktop for Administration

  3. Remote Desktop Protocol

  4. Remote Assistance

3:

You are the network administrator for Jeff's Jeep Tours, an Australian tour company. You have a central office located in Sydney with 20 other smaller remote offices located all over the country. You have recently completed your rollout of Windows Server 2003 for all servers and Windows XP Professional for all clients in the corporate network. Some of the remote offices have only three or four employees and no IT staff. The IT management responsibility for these offices is shared among all the IT staff in other locations. You need to install a service pack on one of the Windows XP computers located in an office with no IT staff. What feature of Windows Server 2003 will you use?

  1. Terminal Services

  2. Remote Desktop for Administration

  3. Remote Desktop Protocol

  4. Remote Assistance

4:

You are the network administrator for Widgets and Hammerstein, LLC. Andrea, one of your users, has called you and says that she cannot connect to one of the network servers that requires secured communication. What can you do to quickly verify the IPSec policy in use on that computer?

  1. Use the IP Security Monitor snap-in to see what IPSec policy is in use on the computer.

  2. Use the Network Monitor to see what IPSec policy is in use on the computer.

  3. Use the IP Security Policies snap-in to see what IPSec policy is in use on the computer.

  4. Use the ipconfig /all command to see what IPSec policy is in use on the computer.

5:

You are the network administrator for Joe's Crab Shack, a regional restaurant chain. While at a standards setting meeting in Redmond, Washington, you are informed that one of your newly installed Windows Server 2003 DHCP servers has stopped leasing addresses. Rick, the president of the company, has asked you to make a Remote Desktop for Administration connection to the server via your VPN connection. After you have connected to your internal network via VPN, you attempt to create a Remote Desktop for Administration connection to the affected DHCP server and cannot. The DHCP server is located on the same IP subnet as the VPN server. You can create Remote Desktop for Administration connections to other Windows Server 2003 computers, however. What is the most likely reason for this problem?

  1. Remote Desktop is not enabled on the server.

  2. Your VPN server is not functioning correctly.

  3. TCP port 3389 is being blocked at your firewall.

  4. Remote Desktop is not enabled on your portable computer.

6:

You are the network administrator for Roger's Rockets, a manufacturer of toy rocket kits. You are preparing to configure a new Wireless LAN policy for your network. You want your wireless clients to connect only to Access Points and create no other connections. Which type of network will you configure in the new WLAN security policy?

  1. Ad hoc

  2. Infrastructure

  3. Central

  4. Core

7:

You are the network administrator for Sunny Day, Inc. You are creating a new IPSec policy for your internal network's financial subnet. When creating your new policy, which items can you specify as part of the IP filter? (Choose all that apply.)

  1. Source IP address

  2. Destination IP address

  3. Network protocol

  4. Operating system

8:

You are the network administrator for Roger's Rockets, a manufacturer of toy rocket kits. You have configured four different WLAN security policies for your network: one at the domain level, one on the Graphics OU, one on the Engineering OU, and one on the Manufacturing OU, which is a child object inside the Engineering OU. All users and computers in each department are located in the corresponding OU. For a computer located in the Manufacturing OU, which security policy will be implemented?

  1. The domain WLAN security policy

  2. The Engineering OU WLAN security policy

  3. The Graphics OU WLAN security policy

  4. The Manufacturing OU WLAN security policy

9:

You are the network administrator for Roger's Rockets, a manufacturer of toy rocket kits. You have one WLAN security policy in place for your network that is configured in the Default Domain GPO. When you make a change to this WLAN security policy that changes the list of preferred networks, what will any currently connected wireless clients do?

  1. The client connection will be momentarily broken if the new policy takes precedence over the old policy.

  2. The client connection will be momentarily broken. When the Wireless Configuration service restarts, the client will revert to any existing client-configured settings in place.

  3. The client connection will be momentarily broken. When the Wireless Configuration service restarts, the client will revert to the client settings that are configured in the next higher level WLAN security policy.

  4. The client connection will be broken until the radio on the wireless client has been restarted.

10:

You are the network administrator for Herb's Happenings, a public relations firm. You want to create a new IPSec policy for traffic on your private network that provides the strongest secret key possible. In Windows Server 2003, what is the maximum Diffie-Hellman value that can be used?

  1. 512 bit

  2. 768 bit

  3. 1,024 bit

  4. 2,048 bit

11:

You are the network administrator for Joe's Crab Shack, a regional restaurant chain. While at a standards setting meeting in Redmond, Washington, you are informed that one of your newly installed Windows Server 2003 DHCP servers has stopped leasing addresses. Your assistant administrator has verified that there are plenty of unused leases in the current DHCP scope, but is unable to determine the cause of the problem. Company policy prohibits the use of any Instant Messaging clients within your internal network. How can your assistant get Remote Assistance from you to help troubleshoot the DHCP server?

  1. Use Emergency Management Services to make the request.

  2. Use the Recovery Console to make the request.

  3. Use an email-based request.

  4. Use MSN Messenger to make the request.

12:

You are the network administrator for Roger's Rockets, a manufacturer of toy rocket kits. You have just completed changing the WLAN security policy that is applied to your Engineering OU. You want this policy to be enforced immediately on all clients. What command can you issue to cause Group Policy to replicate immediately?

  1. gpupdate /target:user

  2. secedit /configure

  3. gpupdate /target:computer

  4. secedit /analyze

13:

You are the network administrator for Joe's Crab Shack, a regional restaurant chain. While at a standards setting meeting in Redmond, Washington, you are unsuccessfully attempting to initiate a Remote Desktop for Administration session with one of your Windows Server 2003 servers over the Internet. The server has a publicly accessible IP address, but it is located behind your network's external firewall. You can ping the server from your location and have verified via telephone conversation with onsite IT staff that Remote Desktop is enabled for this server. Your account is a member of the Domain Admins, Enterprise Admins, and Administrators groups for your Active Directory network. What is the most likely reason for the inability to make the Remote Desktop for Administration connection?

  1. IIS 6.0 is not installed on the server in question.

  2. TCP port 3389 is being blocked at the external firewall.

  3. TCP port 8088 is being blocked at the external firewall.

  4. Your user account does not have the required permissions to use Remote Desktop for Administration.

14:

You are the network administrator for Roger's Rockets, a manufacturer of toy rocket kits. You are creating a new WLAN security policy for the wireless clients located in the Engineering OU. You have one approved 802.11b WLAN in your organization with an SSID of rogrcktint1. From time to time the Engineering department needs to use a special testing WLAN. The SSID of this testing WLAN changes each time it is implemented. What setting can you configure for the Engineering OU WLAN security policy that will allow these wireless clients to connect to the special testing WLAN when it is available?

  1. You will need to update the WLAN security policy every time the special testing WLAN is available.

  2. You will need to create a new WLAN security policy in the Engineering OU every time the special testing WLAN is available.

  3. You will need to select the Automatically Connect to Non-preferred Networks option.

  4. You will need to select the Wireless Network Key (WEP) option.

15:

You are the network administrator for Jeff's Jeep Tours, an Australian tour company. You are configuring one of your Windows Server 2003 computers so that it will support Remote Desktop for Administration connections. You want two additional non-administrative personnel to be able to create Remote Desktop connections to the server. To what local group do you need to add their user accounts to allow these users to create Remote Desktop for Administration connections?

  1. HelpServicesGroup

  2. Remote Desktop Users

  3. Network Configuration Operators

  4. Administrators


Answers to Review Questions

A1:

Users can use Remote Assistance to request help from an Expert with their problems, provided that the computers on both ends of the connection are Windows XP or Windows Server 2003. For more information, see the section "Remote Assistance."

A2:

The most likely reason you cannot create the connection is that this server already has two existing Remote Desktop connections. For more information, see the section "Remote Desktop for Administration (RDA)."

A3:

To ensure that wireless clients create connections only to Access Points, select the Access Point (Infrastructure) Networks Only option. For more information, see the section "Planning Wireless LAN (WLAN) Security."

A4:

IPSec on Windows Server 2003 can use Kerberos v5, a digital certificate, or a shared secret (string) for user authentication. For more information, see the section "Planning Security for Data Transmission."

A5:

The IPSec AH provides three services as part of the IPSec protocol. First (as its name might suggest), AH authenticates the entire packet. Second, it ensures data integrity. Third, it prevents any replaying of the packet by a third party who might be trying to penetrate the IPSec tunnel. One service AH doesn't provide is payload encryption. AH protects your data from modification, but an attacker who is snooping the network would still be able to read the data. For more information, see the section "Authentication Header (AH)."


Answers to Exam Questions

A1:

B. More often than not when you have some computers able to create IPSec connections and others that cannot, you have more than one IPSec policy in place. If you are intentionally using multiple policies, you need to ensure that you have at least one common authentication and security method between them; otherwise, communications will fail. Basic network connectivity, while always a potential problem, does not appear to be the problem here; thus, answer A is incorrect. The status of the domain controller is not an issue here; thus, answer C is incorrect. The status of the KDC is also not an issue here; thus, answer D is incorrect. For more information, see the section "General IPSec Troubleshooting."

A2:

D. If configured to allow it, Windows XP and Windows Server 2003 computers can send Remote Assistance requests to an Expert asking for help with problems. The Novice requesting the Remote Assistance can choose from Windows Messenger, email, or a file to ask for Remote Assistance and can control the level of interaction and control the Expert has on the Novice's computer after the Remote Assistance connection has been made. Terminal Services is used in Windows Server 2003 to provide the Terminal Server role, allowing users to make connections to a Terminal Server to execute applications that are not available on their local computer, and does not provide a means for users to get help with problems on their computers; thus, answer A is incorrect. Remote Desktop for Administration is used to create administrative connections to computers and does not require a request to be sent; thus, answer B is incorrect. The Remote Desktop Protocol is used to power Remote Assistance and Remote Desktop for Administration but does not directly provide the solution required; thus, answer C is incorrect. For more information, see the section "Remote Assistance."

A3:

B. The Remote Desktop for Administration feature replaces what was previously known as Remote Administration mode of Terminal Services in Windows 2000 Server. RDA allows for a maximum of two concurrent connections to a server for the purposes of managing and maintaining it. Unlike Remote Assistance, RDA sessions do not start with a user request; an administrator can initiate an RDA connection whenever desired. Terminal Services is used in Windows Server 2003 to provide the Terminal Server role, allowing users to make connections to a Terminal Server to execute applications that are not available on their local computer, and does not provide a means for users to get help with problems on their computers; thus, answer A is incorrect. Remote Desktop for Administration is used to create administrative connections to computers and does not require a request to be sent; thus, answer C is incorrect. Remote Assistance allows a Novice to request help from an Expert if the Novice's computer is configured to allow Remote Assistance; thus, answer D is incorrect. For more information, see the section "Remote Desktop for Administration (RDA)."

A4:

A. You need to use the IP Security Monitor snap-in to examine what IPSec policy, if any, is currently assigned to the computer. Network Monitor and the IP Security Policies snap-in will not show you what IPSec policy is assigned, and neither will the ipconfig /all command; thus, answers B, C, and D are incorrect. For more information, see the section "The IP Security Monitor MMC Snap-in."

A5:

A. Because you can create a connection to your network via the VPN server, the most likely problem is that Remote Desktop is not enabled on this server. The VPN server is obviously functioning correctly because you are able to connect to the network via VPN; thus, answer B is incorrect. Because you are connecting directly to your internal network via a VPN tunnel, the status of the firewall configuration is not an issue; thus, answer C is incorrect. Remote Desktop does not need to be enabled on your portable computer; thus, answer D is incorrect. For more information, see the section "Remote Desktop for Administration (RDA)."

A6:

B. Infrastructure networks are those in which wireless clients create connections only to Access Points. Ad hoc networks are those in which wireless clients can create connections directly to each other without the need for an Access Point; thus, answer A is incorrect. Central and Core are not network types; thus, answers C and D are incorrect. For more information, see the section "Planning Wireless LAN (WLAN) Security."

A7:

A, B, and C. You can specify the source IP address, destination IP address, source port, destination port, and network protocol in your IP filters. The operating system is not part of the filters; thus, answer D is incorrect. For more information, see the section "Configuring and Implementing IPSec."

A8:

D. WLAN security policies are applied using the normal Group Policy processing order; thus, the security policy that is closest to the computer object takes precedence. Consequently, answers A, B, and C are incorrect. For more information, see the section "Planning Wireless LAN (WLAN) Security."

A9:

A. When a WLAN security policy is changed, the client connection will be momentarily broken if the new policy takes precedence over the old policy (that is, if the new policy changes something such as the authentication method); thus, answers B, C, and D are incorrect. For more information, see the section "Planning Wireless LAN (WLAN) Security."

A10:

D. Windows Server 2003 provides the increased Diffie-Hellman option of 2,048 bits; thus, answers A, B, and C are incorrect. The Diffie-Hellman group is used to determine the length of the base material that is actually used to generate the IPSec secret key. This increased length increases the secret key strength and thus makes it more difficult for an attacker to break. For more information, see the section "Planning Security for Data Transmission."

A11:

C. Of the available options, the only valid one is to create and send an email request for Remote Assistance. The email request will contain a special URL that the Expert can use to initiate the Remote Assistance connection via the Microsoft Web site. The Expert will need to download and install an ActiveX applet as part of the connection process. Emergency Management Services and the Recovery Console cannot be used to send Remote Assistance requests; thus, answers A and B are incorrect. MSN Messenger is similar to Windows Messenger but cannot be used to send Remote Assistance requests; thus, answer D is incorrect. For more information, see the section "Remote Assistance."

A12:

C. You will need to use the gpupdate /target:computer command to immediately cause the computer configuration portion of Group Policy to refresh and update your changes. Wireless LAN security policies are not kept in the user configuration portion of Group Policy; thus, answer A is incorrect. The secedit command is no longer used to refresh Group Policy in Windows Server 2003; thus, answers B and D are incorrect. For more information, see the section "Planning Wireless LAN (WLAN) Security."

A13:

B. The most likely problem is that your external firewall has been configured to block traffic on TCP port 3389 and is thus preventing Remote Desktop Protocol traffic from crossing the firewall. IIS does not need to be installed to use Remote Desktop for Administration; thus, answer A is incorrect. TCP ports 8088 and 8080 are used by the Web Interface for Remote Administration and are not related to Remote Desktop for Administration; thus, answer C is incorrect. Your account does in fact have the required permissions because it is a member of the Enterprise Admins, Domain Admins, and Administrators group in your domain; thus, answer D is incorrect. For more information, see the section "Remote Desktop for Administration (RDA)."

A14:

C. By creating the WLAN security policy and selecting the Automatically Connect to Non-preferred Networks option, you can enforce the settings you want (such as those for authentication and so forth) on preferred networks but still allow wireless clients to connect to non-preferred networks if required. Under normal circumstances, you might likely not configure this option because it removes some administrative control you would otherwise exercise over what networks wireless clients can connect to. You don't need to modify the existing WLAN security policy when the special testing WLAN is available; thus, answer A is incorrect. Likewise, you don't need to create a new WLAN security policy; thus, answer B is incorrect. The Wireless Network Key (WEP) option is not related to this issue; thus, answer D is incorrect. For more information, see the section "Planning Wireless LAN (WLAN) Security."

A15:

B. You must add the user accounts for these two users to the local Remote Desktop Users group on the computer. The HelpServicesGroup is used by Remote Assistance connections; thus, answer A is incorrect. The Network Configuration Operators group is allowed to manage the networking properties of a server; thus, answer C is incorrect. You don't need to add these user accounts to the Administrators group to allow them to create Remote Desktop connections to this server; thus, answer D is incorrect. For more information, see the section "Remote Desktop for Administration (RDA)."
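
Answers A5 and A13 separate two causes of a failed Remote Desktop for Administration connection: the service is not enabled on the server, or TCP port 3389 is blocked on the path. The following added example (not part of the original text) tells the two apart from the administrator's side by how a single TCP connection attempt fails. The function names are hypothetical, and the host is supplied by the reader.

```python
"""Triage a failed Remote Desktop connection by probing TCP port 3389."""
import errno
import socket
import sys

RDP_PORT = 3389  # the Remote Desktop Protocol port named in answers A5 and A13

# Caveat: a firewall configured to reject (rather than silently drop) traffic
# also produces 'refused', so each diagnosis is the most likely cause, not proof.
DIAGNOSIS = {
    "open": "Something is listening on the port. Look at the other causes: the "
            "server already has two Remote Desktop connections (review answer A2) "
            "or the account is not in Remote Desktop Users (answer A15).",
    "refused": "The host answered but nothing is listening on the port: Remote "
               "Desktop is probably not enabled on the server (answer A5).",
    "filtered": "No reply at all: a firewall on the path is probably dropping "
                "traffic to the port (answer A13).",
    "unreachable": "No route to the host: fix basic connectivity (VPN, routing) "
                   "before looking at Remote Desktop.",
}


def probe_tcp(host, port=RDP_PORT, timeout=3.0):
    """Attempt one TCP connection.

    Returns 'open', 'refused', 'filtered' or 'unreachable'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # a TCP reset came back: host is up, port is closed
    except socket.timeout:
        return "filtered"  # packets vanished: typical of a dropping firewall
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise  # name resolution failures and the like are not a port state


def diagnose(state):
    """Map a probe result to the cause the answers above point to."""
    return DIAGNOSIS[state]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: rdp_triage.py <server name or address>")
    result = probe_tcp(sys.argv[1])
    print(f"TCP {RDP_PORT} on {sys.argv[1]}: {result}")
    print(diagnose(result))
```

A successful ping, as in question 13, only shows that ICMP reaches the server; it says nothing about whether TCP 3389 is allowed through the same firewall.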


Suggested Readings and Resources

1. Davies, Joseph, and Thomas Lee. 2003. Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference. Redmond, WA: Microsoft Press. ISBN: 0735612919.

2. Microsoft Corporation. 2003. Microsoft Windows Server 2003 Resource Kit. Redmond, WA: Microsoft Press. ISBN: 0735614717.

3. Microsoft Corporation. 2003. Microsoft Windows Server 2003 Deployment Kit. Redmond, WA: Microsoft Press. ISBN: 0735614865.

4. "Technical Overview of Windows Server 2003 Security Services," www.microsoft.com/windowsserver2003/techinfo/overview/security.mspx.

5. "Internet Protocol Security Overview," www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_IPSECintroduct.asp.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
EAN: 2147483647
Year: 2003
Pages: 151
Authors: Will Schmied
