Exam Prep Questions

Question 1

You are the domain administrator for your Windows Server 2003 mixed mode domain. Clients in your domain consist of Windows 98, Windows Me, Windows 2000, and Windows XP Professional systems. You have been asked to configure and secure the IP traffic traveling from your headquarters to remote offices over an untrusted network, such as the Internet. You also need to configure a lower than standard level of data encryption because of backward-compatibility issues. Which of the following options is best suited to meet all your needs?

  • A. Layer Two Tunneling Protocol (L2TP) and IP Security (IPSec)

  • B. Layer Two Tunneling Protocol (L2TP) and Microsoft Point-to-Point Encryption (MPPE)

  • C. Point-to-Point Tunneling Protocol (PPTP) and IP Security (IPSec)

  • D. Point-to-Point Tunneling Protocol (PPTP) and Microsoft Point-to-Point Encryption (MPPE)

A1:

The correct answer is D. Authenticated Headers (AH) are used to digitally encrypt the source and destination IP addresses and the data to ensure that they have not been modified during their transit between hosts. AH addresses data integrity in this manner, but it does not encrypt data transmission.

Encapsulating Security Payload (ESP) is used to encrypt data packets and adds a nonencrypted header for packet routing. ESP does not guarantee the authenticity of header data, which is why it is often used in combination with AH to provide both authenticated headers and encrypted data payload. The Microsoft L2TP/IPSec VPN client allows systems running Windows 98, Windows Me, or Windows NT Workstation 4.0 to use L2TP and IPSec because those legacy operating systems cannot support L2TP and IPSec on their own.

Two forms of encryption are available: MPPE and IPSec. PPTP uses MPPE in 40-bit, 56-bit, or 128-bit encryption key strengths. The 40-bit key is normally used for backward-compatibility and international settings. For VPN connections, Windows 2000 uses MPPE with PPTP and IPSec encryption with L2TP. L2TP over IPSec can use Data Encryption Standard (DES) with a 56-bit key and Triple DES (3DES), which uses three 56-bit keys.
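The AH and ESP coverage described in this answer, as an added example that is not from the book: a simplified Python model in which the AH integrity value covers the addresses and the data, while ESP encrypts the data but leaves the routing header outside its check. The packet layout, keys, addresses, function names, and the toy cipher standing in for DES/3DES are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo keys; real IPSec derives keys through IKE negotiation.
AUTH_KEY = b"constructed-auth-key"
ENC_KEY = b"constructed-enc-key"

def _addr_bytes(pkt):
    """Source and destination IP addresses as carried in the outer header."""
    return socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"])

def _toy_cipher(key, data):
    """Stand-in for DES/3DES: XOR with a SHA-256 counter keystream (demo only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _icv(covered):
    """Keyed integrity check value over the bytes the protocol covers."""
    return hmac.new(AUTH_KEY, covered, hashlib.sha256).digest()

def ah_protect(src, dst, payload):
    """AH: integrity value covers addresses and data; data stays in cleartext."""
    pkt = {"src": src, "dst": dst, "data": payload}
    pkt["icv"] = _icv(_addr_bytes(pkt) + pkt["data"])
    return pkt

def ah_verify(pkt):
    return hmac.compare_digest(pkt["icv"], _icv(_addr_bytes(pkt) + pkt["data"]))

def esp_protect(src, dst, payload):
    """ESP: data is encrypted; the routing header is outside the integrity check."""
    pkt = {"src": src, "dst": dst, "data": _toy_cipher(ENC_KEY, payload)}
    pkt["icv"] = _icv(pkt["data"])
    return pkt

def esp_verify(pkt):
    return hmac.compare_digest(pkt["icv"], _icv(pkt["data"]))

def esp_decrypt(pkt):
    return _toy_cipher(ENC_KEY, pkt["data"])

def rewrite_source(pkt, new_src):
    """Model a change to the source address while the packet is in transit."""
    return dict(pkt, src=new_src)

if __name__ == "__main__":
    msg = b"payroll batch 0042"  # constructed payload
    ah = ah_protect("192.0.2.10", "198.51.100.20", msg)
    esp = esp_protect("192.0.2.10", "198.51.100.20", msg)
    print("AH data readable on the wire:", ah["data"] == msg)
    print("ESP data readable on the wire:", esp["data"] == msg)
    print("AH detects header change:", not ah_verify(rewrite_source(ah, "203.0.113.5")))
    print("ESP detects header change:", not esp_verify(rewrite_source(esp, "203.0.113.5")))
```

Real AH excludes header fields that legitimately change in transit; the model omits that detail to keep the coverage difference visible.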

Question 2

You are the domain administrator for your Windows Server 2003 mixed mode domain. Clients in your domain consist of Windows 98, Windows Me, Windows 2000, and Windows XP Professional systems. You have been asked to configure and secure the IP traffic traveling from your headquarters to remote offices over an untrusted network, such as the Internet.

Your solution must be able to be used on an IP network, be available to all clients in use, support header encryption and tunnel authentication, and provide encryption. Your primary objective is to secure IP traffic traversing an untrusted network in a manner that supports all clients in the environment. Your secondary objectives are carrying out these actions with the least amount of administrative effort and supporting the requirements for header encryption and tunnel authentication.

You decide to implement a strategy using L2TP and IPSec running in Transport mode and will enforce this security setting via the local security policy. What is the result of your actions?

  • A. The primary objective and both secondary objectives have been met.

  • B. The primary objective and one secondary objective have been met.

  • C. The primary objective has not been met. However, both secondary objectives have been met.

  • D. Only one secondary objective has been met.

  • E. None of the objectives has been met.

A2:

The correct answer is D. The Microsoft L2TP/IPSec VPN client needs to be installed for systems running Windows 98, Windows Me, or Windows NT Workstation 4.0 to use L2TP and IPSec because these legacy operating systems cannot support these protocols on their own when the configuration is set up in Transport mode. This means the primary objective has not been met.

Setting the IPSec policy via the local policy does not meet the secondary objective of least amount of administrative effort. The other secondary objective (addressing requirements for header encryption, tunnel authentication, and encryption) is met by using L2TP and IPSec, as L2TP can be used on IP, Frame Relay, X.25, or ATM-based networks. L2TP supports header encryption and tunnel authentication and does provide the needed encryption through the use of IPSec.

Question 3

You are the domain administrator for your Windows Server 2003 mixed mode domain. Clients in your domain consist of Windows 98, Windows Me, Windows 2000, and Windows XP Professional systems. You have been asked to configure and secure the IP traffic traveling from your headquarters to remote offices over an untrusted network, such as the Internet.

Your solution must be able to be used on an IP network, be available to all clients in use, support header encryption and tunnel authentication, and provide encryption. Your primary objective is to secure IP traffic traversing an untrusted network in a manner that supports all clients in the environment. Your secondary objectives are carrying out these actions with the least amount of administrative effort and supporting requirements for header encryption and tunnel authentication.

You decide to implement a strategy using L2TP and IPSec running in Tunnel mode between the headquarters' RRAS server and the server installed at the remote office in New York. You will enforce this security setting via the local security policies of those two servers. For legacy client systems to use this security solution, you will install the Microsoft L2TP/IPSec VPN client on the Windows 98, Me, and NT4 systems. What is the result of your actions?

  • A. The primary objective and both secondary objectives have been met.

  • B. The primary objective and one secondary objective have been met.

  • C. The primary objective has not been met. However, both secondary objectives have been met.

  • D. Only one secondary objective has been met.

  • E. None of the objectives has been met.

A3:

The correct answer is B. When your setup uses Tunnel mode, the two RRAS servers negotiate all security for the traffic, so the Microsoft L2TP/IPSec VPN client does not need to be installed on the legacy systems.

Regardless of this extra step, the primary objective of securing all the IP traffic traveling from your network over an untrusted network and supporting all clients in the environment has been met.

Setting the IPSec policy via the local policies of the two servers does meet the secondary objective of reducing administrative effort, as the traffic rules need to be deployed only on those two systems. However, you installed the Microsoft L2TP/IPSec VPN client on legacy systems when it wasn't necessary, so this secondary objective wasn't fully met.

The other secondary objective (addressing requirements for header encryption, tunnel authentication, and encryption) is met by using L2TP and IPSec, as L2TP can be used on IP, Frame Relay, X.25, or ATM-based networks.

Question 4

You are the domain administrator for your single Windows Server 2003 mixed mode domain. The 200 clients in your domain consist of Windows 2000 and Windows XP Professional systems, and all are located in this office. You have been asked to configure systems in your environment to use Remote Assistance so that local help desk users can log on to local users' systems as needed. All Windows XP client systems are running Internet Connection Firewall (ICF).

Your primary objective is to enable Remote Assistance for all client systems in your environment. Your secondary objectives are meeting your goals with the least amount of administrative effort and not altering the level of security on the LAN unless you need to.

You decide to open port 3389 on the external firewall for the Remote Assistance traffic. You also open port 3389 on the Windows XP client systems running ICF. What is the result of your actions?

  • A. Remote Assistance will be enabled for all client systems in your environment, security will not be changed, and the steps taken involved the least amount of administrative effort.

  • B. Remote Assistance will not be enabled for all client systems in your environment, security will be changed, and the steps taken required extra administrative effort.

  • C. Remote Assistance will be enabled for all client systems in your environment, security will be changed, and the steps taken required extra administrative effort.

  • D. Remote Assistance will not be enabled for all client systems in your environment, security will be changed, and the steps taken involved the least amount of administrative effort.

A4:

The correct answer is B. Remote Assistance will not be enabled for all client systems in your environment because the Windows 2000 systems cannot be administered. (Windows 2000 could use Terminal Services in remote administrative mode, but these systems do not have Remote Assistance capabilities.)

Security will be changed by opening port 3389 on the firewall when it's not necessary. Although Remote Assistance offers do need to use port 3389, opening this port on the external firewall wasn't necessary because all systems are local; there was no indication in the question that Remote Assistance connections need to be made from outside this environment. Also, Windows XP ICF is designed to allow novice or expert requests to work if the novice or the expert is behind the firewall, so opening port 3389 on the Windows XP client systems manually is not required, either. These steps required extra administrative effort.

With Remote Assistance, users (regarded by the system as "novices") can allow a help desk user or another more experienced user to connect to their systems to assist them. This process can take place via Windows Messenger or through an invitation sent as an email or a file. When users who need assistance create invitation files on their computers, the HelpAssistant account is automatically enabled and an entry in the novice's table is created. The IP address and computer name configuration information, including requested port mapping from any Universal Plug-and-Play (UPnP) NAT servers on all interfaces, on the novice computer is obtained.

Question 5

You are the domain administrator for your single Windows Server 2003 mixed mode domain. The clients in your domain consist of Windows XP Professional systems, and all are located in this office. You have been asked to configure Remote Administration via Web access to manage the Windows Server 2003, Web Edition application servers by using a Web browser on a remote computer. Which of the following options best addresses what needs to be done?

  • A. Web Interface for Remote Administration needs to be installed because it is not installed by default in Windows Server 2003, Web Edition.

  • B. For the PDC emulator to be used in the domain for remote administration, Web Interface for Remote Administration needs to be installed on the PDC emulator because it is not installed by default.

  • C. Web Interface for Remote Administration does not need to be installed because it is installed by default in Windows Server 2003, Web Edition.

  • D. Web Interface for Remote Administration needs to be enabled on the PDC emulator; it is installed by default, but it is disabled.

A5:

The correct answer is C. When you need to manually install Web Interface for Remote Administration, go to Control Panel, Add/Remove Programs, and start the Windows Components Wizard. Select the Application Server check box, and then click Details.

Next, select the Internet Information Services (IIS) check box. In the Details section, select the World Wide Web Service check box and the Remote Administration (HTML) check box.

Web Interface for Remote Administration for an application server is installed by default in Windows Server 2003, Web Edition; on all other versions of Windows Server 2003, it must be manually installed. Installation of Remote Administration is not supported on domain controllers. Internet Explorer version 6.0 or later is recommended for Remote Administration.

Question 6

You are the domain administrator for your single Windows Server 2003 mixed mode domain. The clients in your domain consist of Windows XP Professional systems, and all are located in this office. You have been asked to configure Remote Administration to manage the Windows Server 2003 systems in your environment so that administrators can make remote connections to work on systems when they are unable to log on locally.

You must configure the server operating system so that it can have at least one network-administered connection and a locally logged on person working at the same time. How can you configure these Windows Server 2003 systems so that they can be administered remotely?

  • A. The operating system no longer has this type of remote administration functionality; a third-party option is required.

  • B. Enable Terminal Services.

  • C. Enable Remote Assistance.

  • D. Enable Remote Desktop.

A6:

The correct answer is D. For systems to accept remote connections, they need to run Windows NT 4 Terminal Server Edition, Windows 2000 Server with Terminal Services enabled in at least administrative mode, Windows XP Professional with Remote Desktop enabled, or Windows Server 2003 operating system with Remote Desktop enabled.

To open the Remote Desktop Connection interface, click Start, All Programs, Accessories, Communications, Remote Desktop Connection. On Windows XP and Server 2003 systems, you can also go to the System Properties dialog box and select the Remote tab.

Windows Server 2003 does not support Terminal Services in Remote Administration mode, as Windows 2000 Server did. For this functionality, you would use the Remote Desktop connection on the server system, which allows two remote administration connections to the server and one locally logged on session, just as Windows 2000 Server and Terminal Services in Remote Administration mode did.

Question 7

You are the server administrator for the WLFD01 system, which is a member of the gunderville.com domain. The server is a single-processor system running Windows Server 2003 Standard Edition and formatted with three separate partitions. The C:\ partition is NTFS, the D:\ partition is FAT32, and the E:\ partition, where shared resources are kept, is formatted with NTFS. You have been tasked with troubleshooting the existing Group Policies and polling their output based on site, domain, domain controller, and Organizational Unit (OU). In which mode is it best to run the Resultant Set of Policy MMC for this task?

  • A. Planning mode

  • B. Domain mode

  • C. Logging mode

  • D. Mixed mode

A7:

The correct answer is C. Resultant Set of Policy (RSoP) logging mode enables you to review policy settings that have been applied to computers and users and is optimized for discovering which policy settings are applied to a computer or user, discovering failed or overwritten policy settings, and reviewing how security groups affect policy settings. When you are logged on to a local system using a local user account, you can run a single RSoP logging mode query.

To run RSoP logging mode on a remote computer, you must be logged on as a member of the Domain Administrators or Enterprise Administrators security group or be delegated Generate Resultant Set of Policy (logging) rights.

When you run RSoP in planning mode, you can poll existing Group Policy objects (GPOs) for all policy settings that can be applied. This mode is best used under the following conditions:

  • You want to review the results of potential changes in policy settings if they are to be applied on a computer or user, domain, OU, or site.

  • The user is in Active Directory only (for example, a new account).

  • You want to test policy precedence when the user and the computer are in different security groups or different OUs.

  • You want to know what the results might be if the user or computer object is moved to a new location in the directory tree.

  • You need to simulate the results of policy application in a slow network situation or when loopback is used.

To run the tool in planning mode on a remote computer, you must be logged on as a member of the Domain Administrators or Enterprise Administrators security group or be delegated Generate Resultant Set of Policy (planning) rights.

Question 8

You are the server administrator for the gunderville.com domain and are reviewing some settings on the WLFD08 standalone system.

The server is a dual-processor system running Windows Server 2003 Standard Edition and is formatted with three separate partitions. The C:\ partition is NTFS, the D:\ partition is FAT32, and the E:\ partition, where the shared resources are kept, is formatted with NTFS.

You have been tasked with troubleshooting existing Group Policies and polling their output based on site, domain, domain controller, and OU. You need to determine the location of a settings conflict in all the policies enabled on the local system, as you have multiple GPOs linked at all levels of the hierarchy. Which of the following answers shows the correct order of execution for policy settings in WLFD08?

  • A. Local policy

  • B. Local policy, site-level policy, domain-level policy, domain controller policy (if the domain controller is left in the domain controller container), Organizational Unit policy

  • C. Site-level policy, domain-level policy, domain controller policy (if the domain controller is left in the domain controller container), Organizational Unit policy, local policy

  • D. Site-level policy, domain-level policy, domain controller policy (if the domain controller is left in the domain controller container), Organizational Unit policy

A8:

The correct answer is B. Policies are executed in the following order for a domain member: local policy, site-level policy, domain-level policy, domain controller policy (if the domain controller is left in the domain controller container), Organizational Unit policy. When a system is not a member of a domain, the only policy that gets applied is the local policy.
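The processing order in this answer, as an added example that is not from the book: a Python model that applies policy layers in the stated order, lets each later layer overwrite earlier ones, and reports which layers set a value that was later replaced, which is the kind of conflict tracing RSoP logging mode is used for. The layer keys, function names, and sample settings are constructed for illustration.

```python
# Processing order as stated in the answer above; later layers overwrite earlier ones.
PROCESSING_ORDER = ["local", "site", "domain", "domain_controller", "ou"]

# Constructed sample policies; setting names and values are illustrative only.
SAMPLE_LAYERS = {
    "local": {"ScreenSaverTimeout": 1200, "LegalNoticeCaption": "Local"},
    "site": {"ScreenSaverTimeout": 900},
    "domain": {"LegalNoticeCaption": "Corp", "HideRunMenu": True},
    "domain_controller": {"HideRunMenu": False},
    "ou": {"ScreenSaverTimeout": 300, "LegalNoticeCaption": "Corp"},
}

def resultant_set(layers, domain_member=True, in_dc_container=False):
    """Apply layers in order; record the winning layer and every value it replaced."""
    # A system that is not a domain member only receives the local policy.
    order = PROCESSING_ORDER if domain_member else ["local"]
    rsop = {}
    for layer in order:
        if layer == "domain_controller" and not in_dc_container:
            continue  # only for a DC left in the domain controller container
        for name, value in layers.get(layer, {}).items():
            entry = rsop.setdefault(
                name, {"value": None, "winner": None, "overwritten": []}
            )
            if entry["winner"] is not None:
                entry["overwritten"].append((entry["winner"], entry["value"]))
            entry["value"], entry["winner"] = value, layer
    return rsop

def conflicts(rsop):
    """Map each conflicting setting to the layers whose value was replaced."""
    return {
        name: [layer for layer, value in e["overwritten"] if value != e["value"]]
        for name, e in rsop.items()
        if any(value != e["value"] for _, value in e["overwritten"])
    }

if __name__ == "__main__":
    member = resultant_set(SAMPLE_LAYERS)
    for name, e in sorted(member.items()):
        print(f"{name}: {e['value']!r} from {e['winner']}, replaced {e['overwritten']}")
    print("conflicts:", conflicts(member))
    print("standalone:", resultant_set(SAMPLE_LAYERS, domain_member=False))
```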

Question 9

You are the domain administrator for your single Windows Server 2003 domain. The 200 clients in your domain consist of Windows 2000 and Windows XP Professional systems, and all are located in this office. You have been asked to configure your environment with a security standard that uses IPSec so that systems outside your domain and non-Windows systems can set up a security association. Which of the following IPSec configurations enables you to do this with the least amount of administrative effort?

  • A. Kerberos V5

  • B. Preshared key

  • C. Preshared secret

  • D. Public key certificate

A9:

The correct answer is A. There are three primary authentication methods for IPSec, and the default authentication method for Windows Server 2003 domains is Kerberos V5. Kerberos V5 is used for an authentication method called dual verification, which is used to verify the identity of the user and network services.

Public key certificates are used to verify the identities of computers running non-Microsoft operating systems, standalone computers, clients that are not members of a trusted domain, or computers that are not running Kerberos V5. Preshared secrets and preshared keys are also capable of this verification, but they must be managed manually and are, therefore, much harder to administer and more susceptible to mishandling and compromise.

Question 10

You are the network administrator for zandri.net, which is a Windows Server 2003 domain. You have identified four of your Windows Server 2003 systems in the W2K3END OU that need to use IPSec for secure connections to other systems. What is the best way to configure these systems with the least amount of administrative effort and without affecting other systems in the environment? (Choose two.)

  • A. Configure the policy to be distributed to the four systems via Active Directory policy at the domain level.

  • B. Configure the policy to be distributed to the four systems via Active Directory policy at the OU level.

  • C. Configure the policy to be distributed to the four systems via local policy.

  • D. Configure the policy to be distributed to the four systems via local policy and via Active Directory policy at the domain level.

A10:

The correct answers are B and C. You need to choose whether you will deploy IPSec policies in your environment by using Active Directory or local policies. Active Directory should be used to deploy policies if you have a considerable number of computers that need to be grouped for IPSec assignment and when any manually applied deployment is simply not practical. It is also the best option to choose when you want to centralize your IPSec strategy for your environment.

You should limit deploying IPSec policies through local policies to settings with a very small number of computers that need to use IPSec or when centralization of IPSec is not a high priority. In a heterogeneous environment you can perform a mix of these deployments, in which some systems receive their settings via Active Directory and others receive the settings via local policy.




MCSE 70-293 Exam Cram. Planning and Maintaining a Windows Server 2003 Network Infrastructure
MCSE 70-293 Exam Cram: Planning and Maintaining a Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736195
EAN: 2147483647
Year: 2004
Pages: 123