Questions and Answers




Lesson 1 Review

Page 12-15

1. Which of the following authentication protocols can be used by fully updated Windows 98 VPN clients? (Choose all that apply.)

  a. EAP

  b. MS-CHAP v2

  c. MS-CHAP v1

  d. CHAP

  e. SPAP

  f. PAP


2. Your organization’s security policy has a requirement that passwords not be stored with reversible encryption. Which of the following authentication protocols can you use? (Choose all that apply.)

  a. EAP

  b. MS-CHAP v2

  c. MS-CHAP v1

  d. CHAP

  e. SPAP

  f. PAP


3. Your organization still has clients running Windows 95. Which of the following protocols can you use to authenticate dial-up clients? (Choose all that apply.)

  a. EAP

  b. MS-CHAP v2

  c. MS-CHAP v1

  d. CHAP

  e. SPAP

  f. PAP


Answers

1. b, c, d, e, and f. After appropriate updates have been applied, Windows 98 supports all authentication protocols except EAP.

2. a, b, e, and f. Only MS-CHAP v1 and CHAP require passwords to be stored with reversible encryption.

3. c, d, e, and f. Windows 95 does not support EAP. It does support MS-CHAP v2 for VPN connections but not for dial-up connections.

Lesson 2 Review

Page 12-28

1. Your organization has multiple dial-up servers configured to authenticate to an IAS RADIUS server. Which tool should you use to restrict the hours during which users can dial up?

  a. Active Directory Users And Computers

  b. Computer Management

  c. Routing And Remote Access

  d. Internet Authentication Service


2. Your organization uses Windows authentication to verify the credentials of remote VPN clients. Which tool should you use to restrict the groups that can connect to the VPN server?

  a. Active Directory Users And Computers

  b. Computer Management

  c. Routing And Remote Access

  d. Internet Authentication Service


3. In an Active Directory domain environment, which of the following conditions must be met in order to use RAPs to control which remote access users are allowed to connect?

  a. The domain functional level must be Windows 2000 Mixed.

  b. The domain functional level must be Windows Server 2003.

  c. You must use MS-CHAP v1 or MS-CHAP v2 authentication.

  d. You must use an IAS RADIUS server.


Answers

1. d. You should create a RAP on the IAS server by using the Internet Authentication Service console.

2. c. You should create a RAP on the remote access server by using the Routing And Remote Access console.

3. b. The only requirement is that the domain functional level must be Windows Server 2003.

Lesson 3 Review

Page 12-41

1. Which tools can you use to configure authentication and encryption methods for remote access connections on clients? (Choose all that apply.)

  a. The Group Policy Object Editor snap-in

  b. The CMAK Wizard

  c. The network connections properties dialog box

  d. The remote desktops console


Answers

1. b and c. Use the CMAK Wizard to create an executable file that you can distribute to clients to create the preconfigured connections, and use the network connections properties dialog box to manually configure authentication and encryption for remote access connections.

Design Activity: Case Scenario Exercise

Page 12-42

1. Which of the following solutions will you recommend?

  a. Deploy dial-up servers running Windows Server 2003. Configure the clients to dial directly in to the Fabrikam, Inc., headquarters and authenticate to the remote access servers by using MS-CHAP v2 authentication.

  b. Deploy dial-up servers running Windows Server 2003. Configure the clients to dial directly in to the Fabrikam, Inc., headquarters and authenticate to the remote access servers by using EAP authentication with public key certificates.

  c. Configure the Windows Server 2003–based NAT server with VPN services. Configure the clients to connect directly to the VPN server and authenticate by using MS-CHAP v2 authentication.

  d. Configure the Windows Server 2003–based NAT server with VPN services. Configure the clients to connect directly to the VPN server and authenticate by using EAP authentication with public key certificates.


2. Will you recommend using a PPTP or L2TP/IPSec VPN?


3. How will you configure the network connections on the client computers?


4. Should you recommend using a RADIUS server?


Answers

1. d. Though any of these solutions would work, using a VPN is more cost-effective than configuring dial-up servers because it does not require the purchase of additional hardware or software. You should recommend EAP authentication with public key certificates because you already have a PKI deployed and all clients are running Windows XP, Windows 2000, or Windows Server 2003. If you did not already have a PKI in place, MS-CHAP v2 authentication would be preferable.

2. Either PPTP or L2TP/IPSec will allow the consultants to access the internal network by using both authentication and encryption. However, you are already using IPSec on the internal network, so L2TP/IPSec would be the logical choice.

3. You could configure them manually or provide instructions to the consultants to configure the connections. However, the most efficient way to configure the connections is to use the CMAK Wizard to create an executable file and then distribute this executable file to the consultants.

4. There is no need for the addition of a RADIUS server because there will only be a single VPN server, and that server is already running Windows Server 2003. You can use Windows authentication and remote access policies on the remote access server itself.

Design Activity: Troubleshooting Lab

Page 12-44

1. What is the source of the problem?


2. How will you resolve the problem?


Answers

1. The user has the Verify Caller-ID check box selected. This is an excellent way to improve security; however, the value specified is a phone number that was left over from when the user connected by using a dial-up connection.

2. When a user connects to a VPN, the Verify Caller-ID value is used to validate the user’s source IP address, not the user’s phone number. You should either clear the Verify Caller-ID check box or change the value to the user’s IP address.






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
