Review Questions




1.

What are two main vulnerabilities to transmitting data across a network? (Choose the two best answers.)

  A. Eavesdropping on packets

  B. Illegal access to files on the network

  C. Manipulating packets in transit

  D. Denial of service to network devices


2.

Which of the following technologies will protect data transmitted across the Internet from eavesdropping or manipulation?

  A. PAP

  B. WEP

  C. CHAP

  D. IPSec


3.

You have a need to provide strong encryption and authentication for users of a wireless access point. What standard should you use?

  A. 802.11b

  B. 802.1x

  C. 802.11g

  D. 802.11a


4.

You have set up an access point that supports 802.1x. You want to take advantage of the stronger authentication and encryption standard. What services should you install on your Windows Server 2003 network to take advantage of the 802.1x standard? (Choose all that apply.)

  A. Windows time service

  B. Internet Authentication Service (IAS)

  C. Certificate service

  D. Web service


5.

You have a network that does not have a public key infrastructure set up. The cost of implementing and maintaining PKI is not worth the security it provides to your company. What protocol should you use to authenticate users on your VPN?

  A. MS-CHAP

  B. PAP

  C. MS-CHAPv2

  D. EAP


6.

You are using a Windows XP client to connect to a Windows Server 2003 RRAS server. You want to maximize the security of the data that you are transmitting over the VPN. What protocols would you use? (Choose all that apply.)

  A. L2TP

  B. PPTP

  C. IPSec

  D. PAP


7.

You need to establish a VPN connection through a NAT server that is running Windows Server 2003. You want to use the strongest available technology for the VPN. What technology would you choose for the VPN?

  A. PPTP

  B. IPSec

  C. L2TP/IPSec

  D. CHAP


8.

You are setting up a Windows Server 2003 machine as a RRAS server that will be used for dialup connections from a demand-dial router. This demand-dial router is running the Linux operating system. Which protocols should you use to authenticate with Windows Server 2003? (Choose the two best answers.)

  A. PAP

  B. CHAP

  C. MS-CHAPv2

  D. EAP


9.

You are designing a VPN solution that uses IPSec. You decide that the default rules of an IPSec policy are appropriate, except you want to make sure that the IPSec session is always negotiated. Which default rule would you select to meet this criterion on the server?

  A. Server (Requires Security)

  B. Server (Request Security)

  C. Client (Respond Only)

  D. A custom rule because the default rules don’t support requiring IPSec


10.

You need to give VPN access to the sales and executive groups, but no one else. You have a Windows Server 2003 network running Active Directory. How would you easily accomplish this task?

  A. Add users that require remote access to the built-in Remote Access group.

  B. Use Group Policy to apply the Allow Remote Access Account policy to the domain.

  C. Use Group Policy to apply the Allow Remote Access Account policy to the domain. Filter the group policy based on membership to the sales and executive groups.

  D. Go into every account that needs remote access and verify that each member of the sales and executives groups has remote access.


Answers

1.

A, C. You need to pay attention to the company’s need to prevent eavesdropping and packets being manipulated in transit on the network. Some companies might not need this kind of protection for certain types of data, and it’s important to keep this in mind because protecting data is a complex and time-consuming task and therefore costly.

2.

D. IPSec prevents the contents of packets from being read and manipulated through the Encapsulating Security Protocol (ESP) because it will both encrypt and sign the packets. PAP and CHAP are used for authenticating users on a VPN or network. WEP can be used to prevent eavesdropping on packets on a wireless network, but it does not encrypt the checksum, so a determined attacker could manipulate the packet.

3.

B. The 802.1x standard provides for the authentication of users on the wireless network. It also provides strong encryption for data transferred across the network. The 802.11a, b, and g standards can also be used to provide connection, but without the strong authentication and encryption standards of 802.1x.

4.

B, C. You will need to have the RADIUS server—in this case, IAS—installed so that the RADIUS client will be built into the access point. This will provide for authentication that can be mapped against your accounts in Active Directory. You will also need to establish that PKI and certificate services will be part of that infrastructure. The certificates are used for setting up TLS encryption and authenticating the client and the server.

5.

C. MS-CHAPv2 is an authentication protocol that does not pass the password across the network, thereby protecting it. This is the strongest authentication protocol for Windows without the use of EAP-TLS, which requires a PKI. MS-CHAP uses LAN Manager security and can be attacked with a man-in-the-middle attack. Also, the password can be cracked without brute force methods, so MS-CHAP was ultimately replaced with MS-CHAPv2. PAP passes the password in clear text over the network and is not secure. EAP is one of the strongest forms of authentication and requires the most investment in resources to set up certificates for each client.

6.

A, C. L2TP combined with the IPSec protocol provides for strong authentication of the user based on a variety of protocols and strong encryption standards. This is the choice Microsoft recommends when you’re using an OS that supports L2TP/IPSec. PPTP will work on Windows 95 clients if you need to support them. PAP is an insecure authentication protocol.

7.

C. L2TP/IPSec is the ideal choice. In the past, with Windows 2000, you were limited in that IPSec would not pass through a NAT server, so you would have chosen PPTP for the VPN technology. With Windows Server 2003, NAT-Traversal is supported, so IPSec traffic will pass through the NAT box. However, IPSec alone does not provide the user authentication that is required for a VPN, which is provided by L2TP. CHAP is an authentication protocol used by many operating systems; it hashes the password, so the password is not sent in clear text, and it is only used for authenticating with non-Microsoft systems. PPTP is a tunneling technology that could be used, but Microsoft no longer recommends it when you have Windows 2000 or later servers and clients. L2TP/IPSec is a stronger form of VPN technology than PPTP.

8.

B, D. You could use one of the standard protocols for setting up a PPP session, which are PAP, CHAP, and EAP. However, PAP is considered insecure because it passes passwords over the wire unprotected. This means that you are left with CHAP and EAP. If you can get it to work, EAP would be the strongest, but CHAP would be easier to set up. MS-CHAPv2 is Microsoft’s version of CHAP for authenticating Windows clients.

9.

A. You would set the server to Server (Requires Security) and the client to Client (Respond Only) to make sure that connections to the server are created only over IPSec. All the other options will make it so that the connection does not need IPSec in some situations.

10.

C. You would apply the group policy that allows remote access to the domain and then filter it so that it applies only to the sales and executive groups. Applying it to everyone in the domain would give remote access to everyone in the domain. There is no built-in Remote Access group to give users remote access. Going into every account would be too tedious, from both a creation and management perspective.
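The difference between PAP and CHAP that answers 5, 7, and 8 rely on, as an added example that is not part of the study guide. It builds the PAP request data field (RFC 1334 layout) and the CHAP response value (RFC 1994: MD5 over identifier, secret, and challenge); the function names, peer name, and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def pap_request_data(peer_id: bytes, password: bytes) -> bytes:
    """Data field of a PAP Authenticate-Request (RFC 1334): both values in clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from its own copy of the secret and compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    peer, secret = b"linux-router", b"constructed-demo-secret"  # constructed values

    # PAP: whatever is on the wire contains the password itself.
    pap_wire = pap_request_data(peer, secret)

    # CHAP: the authenticator sends a fresh random challenge; the peer returns a hash.
    challenge = os.urandom(16)
    chap_wire = chap_response(1, secret, challenge)

    # A recorded response does not verify against the next (different) challenge.
    next_challenge = os.urandom(16)
    return {
        "pap_exposes_password": secret in pap_wire,
        "chap_exposes_password": secret in chap_wire,
        "chap_accepted": chap_verify(1, secret, challenge, chap_wire),
        "replay_accepted": chap_verify(2, secret, next_challenge, chap_wire),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

CHAP keeps the password off the wire, but both ends must hold the same secret, so its strength still depends on how strong that secret is.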






MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
EAN: 2147483647
Year: 2004
Pages: 168
