Review Questions

1.

Which of the following authentication protocols is used in a forest trust between a Windows 2003 forest and a Windows 2000 forest?

  A. LAN Manager

  B. NTLM

  C. NTLMv2

  D. Kerberos v5

2.

To secure passwords stored in the SAM database of a Windows Server 2003 computer that is not a member of the domain, which of the following policies should you configure in Local Security Policy?

  A. Set the minimum password length to 15.

  B. Set the minimum password length to 10.

  C. Set the maximum password length to 10.

  D. Set the maximum password length to 15.

3.

You need to create a policy that minimizes the chance that a password can be cracked using a brute force password cracking utility and then used to log on to the network. Which of the following policies should you configure or enable? (Choose all that apply.)

  A. Maximum Password Age

  B. Enforce Password History

  C. Minimum Password Age

  D. Account Lockout Duration

  E. Account Lockout Threshold

  F. Reset Account Lockout After n

  G. Passwords Must Meet Complexity Requirements

4.

Which authentication protocol is the most secure option for Windows Server 2003?

  A. LM Hash

  B. NTLMv2

  C. IPSec

  D. EFS

  E. Kerberos v5

5.

You design a secure password policy by enabling the Passwords Must Meet Complexity Requirements policy. Which of the following passwords are valid for a user whose name is John Rico and username is JRico? (Choose two.)

  A. RiCo*3_1

  B. F%2_=87ba^

  C. t4(8^rt\

  D. p@s$word

6.

According to best practices, which group scope should have permissions assigned to it?

  A. Universal

  B. Global

  C. Domain Local

  D. Enterprise

  E. Domain

7.

When analyzing the authentication requirements of the network, which topics will play the most significant role? (Choose two.)

  A. Business requirements

  B. Service pack level

  C. Interoperability requirements

  D. Industry standards

8.

You need to access a printer that is shared from an NT 4 server that is a domain controller in an NT 4 domain. Which authentication protocol will be used?

  A. LAN Manager

  B. NTLM

  C. NTLMv2

  D. Kerberos v5

9.

You need to devise a grouping strategy for your Windows Active Directory organization. The Active Directory is made up of four domains. Some of the domain controllers are running Windows NT 4 and Windows 2000 in addition to Windows Server 2003. You need to create a group that can be used in any of the domains. Which of the following group types should you create?

  A. Universal

  B. Global

  C. Domain Local

  D. Enterprise

10.

Which of the following Windows Active Directory trusts are transitive by default? (Choose all that apply.)

  A. Forest trust

  B. Tree-root trust

  C. External Trust

  D. Realm trust

  E. Parent/child trust

Answers

1.

C. Windows 2000 supports only the Kerberos v5 protocol for trusts within a forest, not between them. The strongest authentication protocol that Windows 2000 forests can use with a trust relationship is NTLMv2. LAN Manager and NTLM are used by earlier versions of Windows and are not used in this type of trust.

2.

A. The LM hash will split a password that is up to 14 characters and store it locally. Creating a password that is greater than 14 characters will prevent the hash from being stored locally. There is no Maximum Password Length policy that can be configured.

3.

A, B, C, G. The account-related policies will prevent an attacker from using a utility to attempt to log on to an authentication server. The policies will not thwart a password cracking utility from guessing the password hash once the hash is stored; rather, they will make the guessed password obsolete by the time it has been decrypted. Setting the Maximum Password Age will require that a user change their password, ideally before the utility can obtain the password. The Enforce Password History and Minimum Password Age policies are used to prevent the user from changing their password back to one of their recently used passwords. These settings will make the password that the utility obtains obsolete. Setting the Passwords Must Meet Complexity Requirements policy will make the utility work harder and take longer to get the password.

4.

E. LM hashes are used by LAN Manager-related authentication protocols; they are not themselves a protocol. NTLMv2 is supported for authentication under Windows Server 2003, but it is less secure than the Kerberos v5 authentication protocol. IPSec is used to encrypt data on the wire and EFS is used to encrypt data on the file system.

5.

B, C. For a password to meet the security policy stated, it must contain three of the four types of characters: uppercase letters, lowercase letters, numbers, and special characters. In addition, the password cannot contain the user’s name or username. Option A contains the user’s last name and option D meets only two of the character requirements, so they are not valid. Answers B and C are valid complex passwords.

6.

C. According to best practices, you should follow the AG(G)DLP method: accounts are placed in Global groups; Global groups are optionally nested; Global groups are placed in Universal groups (if you are using enterprise-level grouping); Universal groups, if used, are added to Domain Local groups, or otherwise the Global groups are added to the Domain Local groups; and Domain Local groups are assigned permissions. There is no group scope named Enterprise or Domain.

7.

A, C. Options A and C are correct because they will have the largest impact on the decisions that you will make as you design the security infrastructure in your network. Service pack levels and industry standards are not as important to the overall security design as the business or interoperability requirements are.

8.

B. Windows NT 4 supports only NTLM. NTLMv2 is supported on Windows 2000 Server and Windows XP, and Kerberos v5 is the default authentication protocol for Windows 2000 Server and Windows Server 2003 native domains.

9.

B. Universal groups are only supported when all domain controllers are running Windows 2000 Server and Windows Server 2003 and Active Directory is in Native mode. Windows NT 4 domain controllers only support Global groups.

10.

A, B, E. Forest trusts, tree-root trusts, and parent/child trusts are the only trusts that are transitive by default. A realm trust could be transitive, but not by default.




MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
MCSE: Windows® Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
EAN: 2147483647
Year: 2004
Pages: 168
