Self Test


A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Securing the Network Infrastructure

1.  

A recent task force in your company defined several threats to the network that need to be addressed. As the head of that task force, you have been assigned the job of mitigating these threats with the least restriction to users and network availability. The top threat was identified as password attacks. Which solution would best address this threat while still meeting the criteria set forth?

  1. Implement strong password policies on all OUs and monitor network traffic to determine if data modification is taking place.

  2. Implement strong password policies at the domain level, and apply account lockout policies.

  3. Implement IPSec for all communication between clients and domain infrastructure servers.

  4. Limit user logon hours to normal working hours and implement account lockout policies. Monitor all logons attempted outside of specified logon hours.

 b

2.  

Your firm has 12 Windows XP Professional SP1 computers used in a manufacturing environment that are located on the shop floor where about 200 employees work. These computers are used by a variety of staff, and in any given work day, there might be 20 or 30 people that log on to the various computers. Recently, you've noticed some odd IP traffic on the computers early in the morning, just before the start of the first shift. You had previously applied IPSec policy to the computers in this group via an OU that contains these 12 computers. What else could you do that might protect these computers and the network based on this information?

  1. Apply persistent policies to the 12 computers in the OU so that the computer is protected during startup and shutdown.

  2. Use smart cards for user authentication to prevent unauthorized access before and after working hours.

  3. Modify the IPSec policy to filter all IP traffic prior to start of shift.

  4. Check to see if the odd IP traffic is related to power fluctuations that might occur as other equipment on the shop floor is powered up at start of shift.

 a

3.  

You're checking the configuration of several computers that are connected directly to the Internet. One of the computers recently suffered a denial-of-service (DoS) attack, but the other three were fine. You notice that the computers that were not attacked had IPSec policies applied as shown in Figure 5.22. These settings are not the same as on the computer that was attacked. Which setting(s) are the most likely reason why these computers were not attacked or not successfully attacked?

Figure 5.22: IPSec Settings
  1. The computers that were not successfully attacked did not have the check box selected for Accept unsecured communication, but always respond using IPSec.

  2. The computer that was successfully attacked did not have the check box Allow unsecured communication with non-IPSec-aware computers selected.

  3. The computers that were not attacked did not have the Use session key perfect forward secrecy (PFS) selected.

  4. The computers that were not successfully attacked had the check box Allow unsecured communication with non-IPSec-aware computers selected.

 a

4.  

Your network consists of three servers running Windows NT 4.0 SP6a, two servers running Windows 2000, and one server configured as a domain controller (DC) running Windows 2000. The client computers are a mix of Windows 95, Windows 98, and Windows XP. You decide to upgrade the network to improve security. You retire two of the computers running Windows NT 4.0 and replace them with two computers on which you will configure Windows Server 2003. You install Windows Server 2003 on the first computer and configure it as a DC and DHCP server. You install Windows Server 2003 on the second computer and configure it as a DC and DNS server. You configure secondary DHCP and DNS server services on one of the Windows 2000 computers, which is configured as a member server. After you complete this, you find that none of the Windows 95 computers can connect to the domain and only some of the Windows 98 computers can. What is the most likely cause of this problem?

  1. The Windows 95 and Windows 98 computers are still trying to be authenticated by the two Windows NT 4.0 servers that were replaced. Reconfigure all clients to use the Windows Server 2003 computers instead.

  2. Windows Server 2003 DCs require SMB message block signing and cannot communicate with Windows 95 computers in a domain. Upgrade the Windows 95 computers. Upgrade the Windows 98 computers to Windows XP.

  3. Windows Server 2003 DCs require SMB message block signing. Windows 95 and Windows 98 support this only with the Active Directory client installed. Install the Active Directory client service or upgrade the operating system to Windows XP.

  4. The Windows Server 2003 DCs require SMB message block signing and as a result, the remaining NT 4.0 server and the Windows Server 2003 computers are not communicating. Upgrade the Windows NT 4.0 server to Windows 2000 or Windows Server 2003.

 c

Answers

1.  

B

2.  

A

3.  

A

4.  

C

Designing Security for Wireless Networks

5.  

You've just been hired as the IT manager for a small company. The company's IT infrastructure consists of one domain, three segments, a handful of servers, and about 95 client computers, most of which are running Windows XP. Internet access is provided through a firewall and proxy server via an Internet service provider (ISP). The corporate Web site is hosted externally by a third party, and employees connect to the Web site just as they would to any other Web site. The company has recently expanded and there are two groups of employees who regularly share files among themselves using Windows XP-based laptops. You've been tasked with finding a solution that will provide these two groups with connectivity in two different areas to enable file sharing. As always, the company is on a tight budget and wants this done quickly on a small budget. What's the best solution?

  1. Configure the two groups that require file sharing to use ad hoc wireless networking.

  2. Configure the two groups to use shorter DHCP IP lease times by applying wireless policies to them.

  3. Install wireless access points. Determine if PKI and RADIUS are implemented, and if not, implement them to provide security.

  4. Issue smart cards to the members of the two groups to provide strong authentication for the wireless users and provide wireless access via WAPs throughout the building.

 a

6.  

Your firm has three wireless networks defined via Wireless Network (IEEE 802.1X) Policies. One network is configured to use Network authentication (Shared mode). The two other wireless networks use Data encryption (WEP enabled). Based on this information, what steps can you take immediately to improve security across the board?

  1. Enable Network authentication (Shared mode) on the two wireless networks currently using Data encryption (WEP enabled).

  2. Edit the properties for the one network configured to use Network authentication (Shared mode) and set it to use WEP or, preferably, 802.1X. In addition, on the RADIUS server or wireless access points, force re-authentication every 10 minutes by changing the WEP key refresh option.

  3. Edit the WEP properties on the wireless network and configure the Data encryption (WEP enabled) setting to use both PEAP with EAP-TLS and EAP-TLS.

  4. Delete the network that is using Network authentication (Shared mode) and create a new network using the Data encryption (WEP enabled) setting.

 b

7.  

You are implementing a wireless network in portions of your large warehouse facility. There are a number of computers used by different users throughout the day for pulling or verifying orders. Users log on with smart cards to verify their identity so that orders are tied to user logon for verifying inventory, order accuracy, and other business metrics. You implement PEAP with EAP-TLS for strong authentication since users have smart cards. Throughout the day, some of these computers are used and some are idle and the pattern of usage varies depending on the day, time, and volume of business. You typically manage these computers remotely so that you can do things like update virus definition files or install software upgrades. You configure the settings as shown in Figure 5.23. Based on this information, what is the most likely result?

Figure 5.23: Network Configuration
  1. You will improve security by requiring authentication as guest when user or computer information is unavailable.

  2. You will have to provide smart cards for any Guest users who need to access the network.

  3. You will not be able to authenticate users via smart cards.

  4. You will be unable to remotely manage the computers on the wireless network.

 d

8.  

Your network infrastructure already makes use of PKI technologies to create a secure network environment. The infrastructure included a remote access server, and most servers are running Windows Server 2003, although there are still a handful running Windows 2000. All clients have been upgraded over the past 18 months to Windows XP. You recently added IAS to your infrastructure and configured the remote access server as a RADIUS client. You have implemented several wireless networks in your building. You've installed numerous wireless access points throughout the building and coverage is quite good throughout the building where wireless users roam. There is an area of the building that is not configured with WAPs because the area is a secure area that requires strong authentication just to physically access the area. You have not implemented wireless security in this area but are concerned about rogue WLANs being installed by employees in this highly secure area. What is the best solution to this situation?

  1. Implement a WLAN in the highly secure area using 802.1X using PEAP with EAP-TLS. Establish the WAPs as RADIUS clients and use the RADIUS server to authenticate computers and users.

  2. Regularly inspect user computers in the highly secure area for signs of wireless components. Set up a filter to prevent any IP packets with the IP address of the highly secure network segment to get into the rest of the network.

  3. Implement a WLAN with limited range in the highly secure area. This way, users outside of the highly secure area cannot freeload.

  4. Implement a WLAN in the highly secure area that is not connected to the wired network. Require strong authentication and data encryption using PEAP-EAP-MS-CHAPv2 since some of the servers are running Windows 2000.

 a

Answers

5.  

A

6.  

B

7.  

D

8.  

A




MCSE Designing Security for a Windows Server 2003 Network. Exam 70-298
ISBN: 1932266550
EAN: 2147483647
Year: 2003
Pages: 122
