Apply Your Knowledge


In this chapter, you have examined the basic implementation and troubleshooting of IPSec in Windows Server 2003. In the following exercises, you will practice some of the concepts and methods discussed in this chapter.

Exercises

8.1. Creating an IPSec Management Console

In this exercise, you will create a customized MMC console that can be used to implement, monitor, and troubleshoot IPSec.

Estimated Time: 10 minutes

  1. Click Start, Run, then type mmc and press Enter to open a blank MMC.

  2. In your new console, click the File menu and select Add/Remove Snap-in. The Add/Remove Snap-in dialog box opens.

  3. Click the Add button to open the Add Standalone Snap-in dialog box.

  4. Scroll down the list, select IP Security Monitor, and click the Add button.

  5. Select IP Security Policy Management and click the Add button. You are prompted to choose the scope that the snap-in will manage.

  6. For this example, choose Local Computer from the Select Computer or Domain page. Notice that you have the option to select the Active Directory domain that this computer is part of, another Active Directory domain, or another computer. Click Finish to complete the addition of the IP Security Policy Management snap-in to your console.

  7. Click Close on the Add Standalone Snap-in dialog box.

  8. Click OK on the Add/Remove Snap-in dialog box. Your completed IPSec management console is shown.

  9. Save your newly created console by clicking File, Save. Enter a suitable name, such as IPSec Management Console, and click Save. By default, the console is saved in the Administrative Tools folder of the currently logged-in user.

8.2. Examining Kerberos Ticket Information

In this exercise, you will download, install, and use the kerbtray.exe utility to examine the Kerberos tickets in effect on your server.

Estimated Time: 20 minutes

  1. Go to the Microsoft Downloads Web site at www.microsoft.com/downloads and search for "Windows Server 2003 Resource Kit Tools."

  2. Download the Windows Server 2003 Resource Kit Tools to your server.

  3. Install the Windows Server 2003 Resource Kit Tools to your server.

  4. Click Start, Programs, Windows Resource Kit Tools, Command Shell to open a command shell in the installation directory.

  5. Start the kerbtray.exe utility by entering the command kerbtray.exe and pressing Enter.

  6. The application starts and appears in your server's tray area, near the clock.

  7. Double-click on the tray icon to open the Kerberos Tickets dialog box.

  8. In the scrolling section, examine the various tickets your session currently has.

  9. Use the bottom section to examine the properties of each ticket.

Exam Questions

1.

You are the systems administrator for Joe's Crab Shack, a regional restaurant chain. You have recently begun to implement IPSec to secure communications on the internal network segments. You have just completed the configuration and implementation of the Richmond office network segment. Users in Richmond are now complaining to you that they can connect to their network resources from some computers, but not from others. What do you suspect is the most likely cause of this problem?

A.

The computers do not have basic network connectivity.

B.

More than one IPSec policy is in place.

C.

The domain controller is not responding.

D.

The Kerberos key distribution center is not responding.


2.

You are the systems administrator for Widgets and Hammerstein, LLC. Andrea, one of your users, has called you and says that she cannot connect to one of the network servers that requires secured communication. What can you do to quickly verify the IPSec policy in use on that computer?

A.

Use the IP Security Monitor snap-in to see what IPSec policy is in use on the computer.

B.

Use the Network Monitor to see what IPSec policy is in use on the computer.

C.

Use the IP Security Policies snap-in to see what IPSec policy is in use on the computer.

D.

Use the ipconfig /all command to see what IPSec policy is in use on the computer.


3.

You are the systems administrator for Sunny Day, Inc. You are creating a new IPSec policy for your internal network's financial subnet. When creating your new policy, which items can you specify as part of the IP filter? (Choose all that apply.)

A.

Source IP address

B.

Destination IP address

C.

Network protocol

D.

Operating system


4.

You are the systems administrator for Herb's Happenings, a public relations firm. You want to create a new IPSec policy for traffic on your private network that provides the strongest secret key possible. In Windows Server 2003, what is the maximum Diffie-Hellman value that can be used?

A.

512 bit

B.

768 bit

C.

1,024 bit

D.

2,048 bit


5.

You are a technical architect for Little Faith Enterprises, a venture capital company. You have recently been assigned a new security intern who will be assisting you over the summer months to implement a company-wide IPSec solution on your networks. In talking with your intern, Allison, you discover that she is a little weak on IPSec and its relevant components, so you decide to teach her about how Authentication Header (AH) and the Encapsulating Security Protocol (ESP) work. When discussing ESP, which of the following header fields is responsible for ensuring that a replay attack will not be successful?

A.

Security Parameters Index (SPI)

B.

Sequence Number

C.

Padding

D.

Padding Length

E.

Next Header


6.

You are a technical architect for Little Faith Enterprises, a venture capital company. You are still training your newly assigned security intern, Allison, about how Authentication Header (AH) and the Encapsulating Security Protocol (ESP) work. When discussing AH, which of the following header fields is responsible for ensuring the integrity of the message?

A.

Next Header

B.

Length

C.

Security Parameters Index (SPI)

D.

Sequence Number

E.

Authentication Data


7.

From the list of header components given, what is the correct order of header components for an IP packet with the ESP header inserted in tunnel mode? (All options will be used and will need to be arranged in the correct order to correctly answer this question.)

A.

New IP header

B.

IPSec ESP authentication

C.

TCP header

D.

IPSec ESP trailer

E.

Packet data

F.

IPSec ESP header

G.

Original IP header


8.

From the list of header components given, which one is signed but not encrypted in an IP packet with the ESP header inserted in transport mode?

A.

IPSec ESP trailer

B.

Packet data

C.

IPSec ESP header

D.

TCP header


9.

You are the systems administrator for Herb's Happenings, a public relations firm. While examining the IPSec statistics in the Main Mode node of the IP Security Monitor snap-in, you notice that you have a very low number of IKE Main Mode SAs and a very high number of Soft Associations. What is typically the problem that causes this to happen?

A.

SAs were not formed with computers due to credentials or permissions mismatches.

B.

SAs were formed with computers that do not support IPSec or were not able to negotiate successful IPSec connections.

C.

SAs were not formed with computers due to Service Pack level mismatches.

D.

SAs were formed with computers that do not have a valid domain account in Active Directory.


10.

You are the systems administrator for Widgets and Hammerstein, LLC. You have been directed by the network manager to secure all communications between servers and workstations in the financial department. All of the servers and workstations are on a single, isolated subnet. What would be the easiest way to ensure that computers that are not IPSec-enabled (and configured) cannot establish any communications with your servers?

A.

Create a custom IPSec policy.

B.

Assign the Client (Respond Only) policy.

C.

Assign the Server (Request Security) policy.

D.

Assign the Secure Server (Require Security) policy.


11.

From the list of header components given, what is the correct order of headers for an IP packet with the ESP header inserted in transport mode? (All options will be used and will need to be arranged in the correct order to correctly answer this question.)

A.

IPSec ESP header

B.

IPSec ESP trailer

C.

IP header

D.

Packet data

E.

IPSec ESP authentication

F.

TCP header


12.

What tool can you use to graphically monitor the Kerberos tickets that a user has in his or her temporary cache?

A.

kerbtray.exe

B.

klist.exe

C.

IP Security Monitor

D.

pathping


13.

From the list of header components given, what is the correct order of headers for an IP packet with the AH header inserted in transport mode? (All options will be used and will need to be arranged in the correct order to correctly answer this question.)

A.

Packet data

B.

TCP header

C.

IP header

D.

IPSec AH header


Answers to Exam Questions

1.

B. More often than not, when you have some computers able to create IPSec connections and others that cannot, you have more than one IPSec policy in place. If you are intentionally using multiple policies, you need to ensure that you have at least one common authentication and security method between them; otherwise, communications will fail. Basic network connectivity, while always a potential problem, does not appear to be the problem here; thus, Answer A is incorrect. The status of the domain controller is not an issue here; thus, Answer C is incorrect. The status of the KDC is also not an issue here; thus, Answer D is incorrect.

2.

A. You need to use the IP Security Monitor snap-in to examine what IPSec policy, if any, is currently assigned to the computer. Network Monitor and the IP Security Policies snap-in will not show you what IPSec policy is assigned, and neither will the ipconfig /all command; thus, Answers B, C, and D are incorrect.

3.

A, B, and C. You can specify the source IP address, destination IP address, source port, destination port, and network protocol in your IP filters. The operating system is not part of the filters; thus, Answer D is incorrect. For more information, see the section "Configuring and Implementing IPSec."

4.

D. Windows Server 2003 provides the increased Diffie-Hellman option of 2,048 bits; thus, Answers A, B, and C are incorrect. The Diffie-Hellman group determines the length of the base material from which the IPSec secret key is generated. Longer base material strengthens the secret key and makes it harder for an attacker to break.

5.

B. The Sequence Number field provides the anti-replay functionality of ESP; thus, Answers A, C, D, and E are incorrect. The sequence number is an incrementally increasing number (starting from 0) that is never allowed to cycle and indicates the packet number. The machine receiving the packet checks this field to verify that the packet has not been received already. If a packet with this number has already been received, the packet is rejected. For more information, see the section "Understanding the Architecture and Components of IPSec."

6.

E. The Authentication Data field contains the Integrity Check Value (ICV) used to verify the integrity of the message, which is a calculated hash value; thus, Answers A, B, C, and D are incorrect. The receiver calculates the hash value and checks it against the ICV to verify packet integrity. For more information, see the section "Understanding the Architecture and Components of IPSec."

7.

A-1, F-2, G-3, C-4, E-5, D-6, B-7. When an IP packet is sent with the ESP header inserted in tunnel mode, the packet headers are in the following order: New IP header, IPSec ESP header, Original IP header, TCP header, Packet data, IPSec ESP trailer, IPSec ESP authentication. For more information, see the section "Understanding the Architecture and Components of IPSec."

8.

C. The IPSec ESP header is signed, but not encrypted, when an IP packet is sent with the ESP header inserted in transport mode; thus, Answers A, B, and D are incorrect. The remaining header items listed are all signed and encrypted. For more information, see the section "Understanding the Architecture and Components of IPSec."

9.

B. When you see a high number of Soft Associations, this is typically an indication of SAs formed with computers that do not support IPSec or were not able to negotiate successful IPSec connections; thus, Answers A, C, and D are incorrect. This problem can be an indication of mismatched security and authentication settings. For more information, see the section "Monitoring IPSec."

10.

D. In this case, the easiest way to accomplish the required solution is to assign the Secure Server (Require Security) policy; thus, Answers A, B, and C are incorrect. This policy is implemented on computers that require highly secure communications, such as servers transmitting sensitive data. The filters in this policy require all outbound communication to be secured, allowing only the initial inbound communication request to be unsecured. For more information, see the section "Configuring and Implementing IPSec."

11.

C-1, A-2, F-3, D-4, B-5, E-6. When an IP packet is sent with the ESP header inserted in transport mode, the packet headers are in the following order: IP header, IPSec ESP header, TCP header, Packet data, IPSec ESP trailer, IPSec ESP authentication. For more information, see the section "Understanding the Architecture and Components of IPSec."

12.

A. kerbtray.exe, part of the Windows Server 2003 Resource Kit tools, is used to display the cached Kerberos tickets a user has. kerbtray.exe is used from within the Windows GUI. klist.exe performs the same function but from the command line. For more information, see the section "Monitoring and Troubleshooting Kerberos."

13.

C-1, D-2, B-3, A-4. When an IP packet is sent with the AH header inserted in transport mode, the packet headers are in the following order: IP header, IPSec AH header, TCP header, Packet data. For more information, see the section "Understanding the Architecture and Components of IPSec."
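The header orderings in Answers 7, 11, and 13, the "signed but not encrypted" ESP header of Answer 8, the ICV check of Answer 6, and the sequence-number replay check of Answer 5 are easier to see when the packets are actually assembled. The following Python toy model is an added example; it is not code from this book or from Windows Server 2003. The IP and TCP headers, the key, and the SPI values are constructed samples; the cipher is an XOR stand-in so the layout stays visible (it is not encryption); and the ICV is HMAC-SHA256 truncated to 96 bits, standing in for the integrity algorithm an IPSec SA would negotiate. Field widths (32-bit SPI and Sequence Number, ESP trailer, AH header) follow RFC 4302/4303, and the receiver implements the RFC 4303 sliding replay window.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, protocol 6),
# a 20-byte TCP header and a throwaway key. Real keys come from IKE, never from code.
IP_HDR = bytes.fromhex("4500003c000140004006000a0a0000010a000002")
TCP_HDR = bytes.fromhex("04d2005000000001000000005002200000000000")
KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 12  # 96-bit truncated ICV, the length HMAC-SHA1-96 and HMAC-MD5-96 produce

def icv(covered):
    """Integrity Check Value: keyed hash over the signed bytes (Answer 6)."""
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]

def toy_cipher(data):
    """XOR stand-in that keeps the layout readable; it is NOT encryption."""
    return bytes(b ^ 0x5A for b in data)

def esp_trailer(plain_len, next_header):
    """ESP trailer: padding to a 4-byte boundary, then Pad Length and Next Header."""
    pad_len = (-(plain_len + 2)) % 4
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def build_esp(outer_ip, inner, next_header, spi, seq):
    """outer IP | ESP header | enc(inner | ESP trailer) | ESP auth.
    The ESP header (SPI, Sequence Number) is covered by the ICV but sent in the
    clear (Answer 8); everything between it and the ICV is encrypted."""
    esp_hdr = struct.pack("!II", spi, seq)
    ct = toy_cipher(inner + esp_trailer(len(inner), next_header))
    return outer_ip + esp_hdr + ct + icv(esp_hdr + ct)

def esp_transport(ip_hdr, tcp_hdr, data, spi, seq):
    """Answer 11: IP hdr | ESP hdr | TCP hdr | data | ESP trailer | ESP auth."""
    return build_esp(ip_hdr, tcp_hdr + data, 6, spi, seq)  # Next Header 6 = TCP

def esp_tunnel(new_ip_hdr, orig_ip_hdr, tcp_hdr, data, spi, seq):
    """Answer 7: new IP hdr | ESP hdr | orig IP hdr | TCP hdr | data | trailer | auth."""
    return build_esp(new_ip_hdr, orig_ip_hdr + tcp_hdr + data, 4, spi, seq)  # 4 = IP-in-IP

def ah_transport(ip_hdr, tcp_hdr, data, spi, seq):
    """Answer 13: IP hdr | AH hdr | TCP hdr | data. Nothing is encrypted; the ICV in
    the AH header covers IP header, AH header (ICV zeroed) and payload. Real AH also
    zeroes mutable IP fields such as TTL; this toy covers the whole header."""
    payload_len = (12 + ICV_LEN) // 4 - 2  # AH length in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", 6, payload_len, 0, spi, seq)
    tag = icv(ip_hdr + ah_no_icv + bytes(ICV_LEN) + tcp_hdr + data)
    return ip_hdr + ah_no_icv + tag + tcp_hdr + data

def verify_ah(pkt, ip_hdr_len):
    """Answer 6: recompute the ICV and compare it with the Authentication Data field."""
    ah_no_icv = pkt[ip_hdr_len:ip_hdr_len + 12]
    tag = pkt[ip_hdr_len + 12:ip_hdr_len + 12 + ICV_LEN]
    payload = pkt[ip_hdr_len + 12 + ICV_LEN:]
    return hmac.compare_digest(icv(pkt[:ip_hdr_len] + ah_no_icv + bytes(ICV_LEN) + payload), tag)

class ReplayWindow:
    """Receiver anti-replay state for one SA (Answer 5): RFC 4303 sliding window."""

    def __init__(self, size=32):
        self.size, self.top, self.bitmap = size, 0, 0  # top = highest seq accepted

    def accept(self, seq):
        """True (and seq recorded) only if seq is new and not older than the window."""
        if seq == 0:  # the counter is incremented before use, so 0 is never on the wire
            return False
        if seq > self.top:  # newer than anything seen: slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False  # too old to track, or already received: a replay
        self.bitmap |= 1 << offset
        return True

def receive_esp(pkt, ip_hdr_len, window):
    """Check the ICV before touching the window so a forgery cannot advance it,
    then apply anti-replay. Returns ("ok", inner bytes) or (reason, None)."""
    esp_hdr = pkt[ip_hdr_len:ip_hdr_len + 8]
    ct, tag = pkt[ip_hdr_len + 8:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv(esp_hdr + ct), tag):
        return "bad_icv", None
    _spi, seq = struct.unpack("!II", esp_hdr)
    if not window.accept(seq):
        return "replay", None
    plain = toy_cipher(ct)
    pad_len = plain[-2]  # plain[-1] is Next Header, telling the stack what follows
    return "ok", plain[:len(plain) - 2 - pad_len]

def demo():
    """Constructed run: a packet is accepted, its replay rejected, a tampered copy caught."""
    window = ReplayWindow()
    pkt = esp_transport(IP_HDR, TCP_HDR, b"GET / HTTP/1.0\r\n", spi=0x1000, seq=1)
    first = receive_esp(pkt, len(IP_HDR), window)
    replay = receive_esp(pkt, len(IP_HDR), window)
    flipped = pkt[:28] + bytes([pkt[28] ^ 1]) + pkt[29:]  # flip one bit of ciphertext
    forged = receive_esp(flipped, len(IP_HDR), window)
    return first[0], replay[0], forged[0], first[1] == TCP_HDR + b"GET / HTTP/1.0\r\n"

if __name__ == "__main__":
    print(demo())  # ('ok', 'replay', 'bad_icv', True)
```

Running `demo()` shows the three outcomes the answers describe: the first packet passes both checks, the identical second copy is rejected by the sequence-number window even though its ICV is valid, and a packet with a single flipped ciphertext bit fails the ICV comparison before the window is consulted. Comparing `esp_transport`, `esp_tunnel`, and `ah_transport` side by side makes the ordering differences in Answers 7, 11, and 13 concrete, and `build_esp` shows why the ESP header is the one component that is authenticated but not encrypted.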




MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
Year: 2006
Pages: 196
Authors: Will Schmied