Chapter 5: Securing Network Services and Protocols


1.  

A recent task force in your company defined several threats to the network that need to be addressed. As the head of that task force, you have been assigned the job of mitigating these threats with the least restriction to users and network availability. The top threat was identified as password attacks. Which solution would best address this threat while still meeting the criteria set forth?

  A. Implement strong password policies on all OUs and monitor network traffic to determine if data modification is taking place.

  B. Implement strong password policies at the domain level, and apply account lockout policies.

  C. Implement IPSec for all communication between clients and domain infrastructure servers.

  D. Limit user logon hours to normal working hours and implement account lockout policies. Monitor all logons attempted outside of specified logon hours.


2.  

Your firm has 12 Windows XP Professional SP1 computers used in a manufacturing environment that are located on the shop floor where about 200 employees work. These computers are used by a variety of staff, and in any given work day, there might be 20 or 30 people that log on to the various computers. Recently, you've noticed some odd IP traffic on the computers early in the morning, just before the start of the first shift. You had previously applied IPSec policy to the computers in this group via an OU that contains these 12 computers. What else could you do that might protect these computers and the network based on this information?

  A. Apply persistent policies to the 12 computers in the OU so that the computer is protected during startup and shutdown.

  B. Use smart cards for user authentication to prevent unauthorized access before and after working hours.

  C. Modify the IPSec policy to filter all IP traffic prior to start of shift.

  D. Check to see if the odd IP traffic is related to power fluctuations that might occur as other equipment on the shop floor is powered up at start of shift.


3.  

You're checking the configuration of several computers that are connected directly to the Internet. One of the computers recently suffered a denial-of-service (DoS) attack, but the other three were fine. You notice that the computers that were not attacked had IPSec policies applied as shown in Figure 5.22. These settings are not the same as on the computer that was attacked. Which setting(s) are the most likely reason why these computers were not attacked or not successfully attacked?

Figure 5.22: IPSec Settings
  A. The computers that were not successfully attacked did not have the check box selected for "Accept unsecured communication, but always respond using IPSec".

  B. The computer that was successfully attacked did not have the check box "Allow unsecured communication with non-IPSec-aware computers" selected.

  C. The computers that were not attacked did not have the "Use session key perfect forward secrecy (PFS)" option selected.

  D. The computers that were not successfully attacked had the check box "Allow unsecured communication with non-IPSec-aware computers" selected.


4.  

Your network consists of three servers running Windows NT 4.0 SP6a, two servers running Windows 2000, and one server configured as a domain controller (DC) running Windows 2000. The client computers are a mix of Windows 95, Windows 98, and Windows XP. You decide to upgrade the network to improve security. You retire two of the computers running Windows NT 4.0 and replace them with two computers on which you will configure Windows Server 2003. You install Windows Server 2003 on the first computer and configure it as a DC and DHCP server. You install Windows Server 2003 on the second computer and configure it as a DC and DNS server. You configure secondary DHCP and DNS server services on one of the Windows 2000 computers, which is configured as a member server. After you complete this, you find that none of the Windows 95 computers can connect to the domain and only some of the Windows 98 computers can. What is the most likely cause of this problem?

  A. The Windows 95 and Windows 98 computers are still trying to be authenticated by the two Windows NT 4.0 servers that were replaced. Reconfigure all clients to use the Windows Server 2003 computers instead.

  B. Windows Server 2003 DCs require SMB message block signing and cannot communicate with Windows 95 computers in a domain. Upgrade the Windows 95 computers. Upgrade the Windows 98 computers to Windows XP.

  C. Windows Server 2003 DCs require SMB message block signing. Windows 95 and Windows 98 support this only with the Active Directory client installed. Install the Active Directory client service or upgrade the operating system to Windows XP.

  D. The Windows Server 2003 DCs require SMB message block signing and as a result, the remaining NT 4.0 server and the Windows Server 2003 computers are not communicating. Upgrade the Windows NT 4.0 server to Windows 2000 or Windows Server 2003.


5.  

You've just been hired as the IT manager for a small company. The company's IT infrastructure consists of one domain, three segments, a handful of servers, and about 95 client computers, most of which are running Windows XP. Internet access is provided through a firewall and proxy server via an Internet service provider (ISP). The corporate Web site is hosted externally by a third party, and employees connect to the Web site just as they would to any other Web site. The company has recently expanded and there are two groups of employees who regularly share files among themselves using Windows XP-based laptops. You've been tasked with finding a solution that will provide these two groups with connectivity in two different areas to enable file sharing. As always, the company is on a tight budget and wants this done quickly on a small budget. What's the best solution?

  A. Configure the two groups that require file sharing to use ad hoc wireless networking.

  B. Configure the two groups to use shorter DHCP IP lease times by applying wireless policies to them.

  C. Install wireless access points. Determine if PKI and RADIUS are implemented, and if not, implement them to provide security.

  D. Issue smart cards to the members of the two groups to provide strong authentication for the wireless users and provide wireless access via WAPs throughout the building.


6.  

Your firm has three wireless networks defined via Wireless Network (IEEE 802.1X) Policies. One network is configured to use Network authentication (Shared mode). The two other wireless networks use Data encryption (WEP enabled). Based on this information, what steps can you take immediately to improve security across the board?

  A. Enable Network authentication (Shared mode) on the two wireless networks currently using Data encryption (WEP enabled).

  B. Edit the properties for the one network configured to use Network authentication (Shared mode) and set it to use WEP or, preferably, 802.1X. In addition, on the RADIUS server or wireless access points, force re-authentication every 10 minutes by changing the WEP key refresh option.

  C. Edit the WEP properties on the wireless network and configure the Data encryption (WEP enabled) setting to use both PEAP with EAP-TLS and EAP-TLS.

  D. Delete the network that is using Network authentication (Shared mode) and create a new network using the Data encryption (WEP enabled) setting.


7.  

You are implementing a wireless network in portions of your large warehouse facility. There are a number of computers used by different users throughout the day for pulling or verifying orders. Users log on with smart cards to verify their identity so that orders are tied to user logon for verifying inventory, order accuracy, and other business metrics. You implement PEAP with EAP-TLS for strong authentication since users have smart cards. Throughout the day, some of these computers are used and some are idle and the pattern of usage varies depending on the day, time, and volume of business. You typically manage these computers remotely so that you can do things like update virus definition files or install software upgrades. You configure the settings as shown in Figure 5.23. Based on this information, what is the most likely result?

Figure 5.23: Network Configuration
  A. You will improve security by requiring authentication as guest when user or computer information is unavailable.

  B. You will have to provide smart cards for any Guest users who need to access the network.

  C. You will not be able to authenticate users via smart cards.

  D. You will be unable to remotely manage the computers on the wireless network.


8.  

Your network infrastructure already makes use of PKI technologies to create a secure network environment. The infrastructure included a remote access server, and most servers are running Windows Server 2003, although there are still a handful running Windows 2000. All clients have been upgraded over the past 18 months to Windows XP. You recently added IAS to your infrastructure and configured the remote access server as a RADIUS client. You have implemented several wireless networks in your building. You've installed numerous wireless access points throughout the building and coverage is quite good throughout the building where wireless users roam. There is an area of the building that is not configured with WAPs because the area is a secure area that requires strong authentication just to physically access the area. You have not implemented wireless security in this area but are concerned about rogue WLANs being installed by employees in this highly secure area. What is the best solution to this situation?

  A. Implement a WLAN in the highly secure area using 802.1X using PEAP with EAP-TLS. Establish the WAPs as RADIUS clients and use the RADIUS server to authenticate computers and users.

  B. Regularly inspect user computers in the highly secure area for signs of wireless components. Set up a filter to prevent any IP packets with the IP address of the highly secure network segment to get into the rest of the network.

  C. Implement a WLAN with limited range in the highly secure area. This way, users outside of the highly secure area cannot freeload.

  D. Implement a WLAN in the highly secure area that is not connected to the wired network. Require strong authentication and data encryption using PEAP-EAP-MS-CHAPv2 since some of the servers are running Windows 2000.

✓ A. If you believe there is enough need for a WLAN in the highly secure area that users will create rogue WLANs on their own, you could implement a secure WLAN by using 802.1X with PEAP with EAP-TLS to use smart cards or certificates for strong authentication and TLS for data security. This protects against rogue WLANs because clients (can be configured for both computers and users) must be authenticated by the RADIUS server. By setting up the WAPs as RADIUS clients, users and computers will be authenticated via the RADIUS server (IAS) and data will be encrypted between wireless clients and WAPs.

✗ Answer B is incorrect. Regular inspection of the highly secure area might be warranted, but this is not the best solution. If rogue WLANs are being installed, there might be a legitimate business need that the IT structure is not addressing (this assumes you don't have a personnel problem within the highly secured area that is intentionally trying to compromise the security and the company's policies). You can set up IPSec filtering to set requirements for data security on computers within the highly secure area, but this is a separate issue from whether or not rogue WLANs are being installed. Answer C is incorrect. Although you can control range to some limited degree, this is not the best solution. If you implement wireless components that have a range of 300 feet, it's difficult (if not impossible) to control the shape of that 300 feet except by pointing wireless antennae in different directions. However, this is not really the crux of the problem. The problem is rogue WLANs within the highly secure area. If implemented with 802.1X features including strong authentication and data encryption, users outside the highly secure area whose wireless-enabled computers can find a signal will be unable to connect because access policies will prevent them from doing so. Answer D is incorrect. Implementing a WLAN that does not access the corporate network defeats the purpose of the WLAN and will not discourage rogue WLANs from being installed. PEAP with MS-CHAPv2 is used for password-based systems, which are not needed since users have smart cards. Windows 2000 does not support PEAP but does support MS-CHAPv2. Although this is not an issue with the highly secure WLAN, it is an incorrect statement that you would use PEAP with EAP-MS-CHAPv2 because you have Windows 2000-based computers.

Answers

1.  

✓ B. Strong passwords help protect user accounts from password attacks such as dictionary or brute force attacks. Strong passwords include requiring minimum length, age, and complexity. Account lockout policies can be set to lock out accounts after a set number of failed logon attempts. This helps prevent password attacks that continually try to guess the correct password, whether manually (by someone typing on the keyboard) or automatically (by an automated software program).

✗ Answer A is incorrect. Strong password policies will help prevent password attacks, but password policies are implemented at the domain level, not the OU level. Although monitoring network traffic can help determine if data modification is taking place, the primary threat was that of password attacks, so monitoring other things such as successful and failed logon attempts would yield better clues as to the source of the problem. Answer C is incorrect. IPSec communication can protect data between clients, but unless it's implemented along with strong authentication methods such as certificates or smart cards, the password attack will still be a threat. Answer D is incorrect. Limiting logon hours might help reduce some threats, but a password attack can occur at any time, including during allowed logon hours. Account lockout policies will help protect against password-based attacks, but A is a better answer because it has less impact on users and network usability, per the stated requirements.
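As an added illustration (not from the original chapter) of the account lockout mechanism described above and of why failed-logon monitoring points to the source of a password attack, the following Python simulation replays constructed logon attempts through a threshold/window/duration policy. The user names, addresses and timestamps are constructed for the example.

```python
"""Added example: account lockout policy simulated over constructed logon attempts.

Models the mechanism from the answer to question 1: once an account reaches the
threshold of failed logons within the observation window it is locked for the
lockout duration, and every attempt during that time is rejected even with the
correct password. The failed-logon summary by source is the kind of monitoring
the explanation recommends over watching general network traffic.
All user names, addresses and timestamps below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Mirrors the three Windows account lockout settings."""
    threshold: int = 5                            # failed logons before lockout (0 = never lock)
    window: timedelta = timedelta(minutes=30)     # "reset account lockout counter after"
    duration: timedelta = timedelta(minutes=30)   # "account lockout duration"


@dataclass
class AccountState:
    failures: Deque[datetime] = field(default_factory=deque)   # recent failed logon times
    locked_until: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = defaultdict(AccountState)
        self.events: List[Tuple[datetime, str, str, str]] = []   # (time, user, source, outcome)

    def attempt(self, when: datetime, user: str, source: str, password_ok: bool) -> str:
        """Apply one logon attempt and return SUCCESS, FAILURE, LOCKOUT or LOCKED."""
        st = self.accounts[user]
        if st.locked_until is not None and when < st.locked_until:
            outcome = "LOCKED"              # rejected regardless of the password
        elif password_ok:
            st.failures.clear()             # a good logon resets the failure counter
            outcome = "SUCCESS"
        else:
            # forget failures that fell out of the observation window
            while st.failures and when - st.failures[0] > self.policy.window:
                st.failures.popleft()
            st.failures.append(when)
            if self.policy.threshold and len(st.failures) >= self.policy.threshold:
                st.locked_until = when + self.policy.duration
                st.failures.clear()
                outcome = "LOCKOUT"         # this attempt triggered the lock
            else:
                outcome = "FAILURE"
        self.events.append((when, user, source, outcome))
        return outcome

    def failed_logons_by_source(self) -> List[Tuple[str, int]]:
        """Failed logons (including those rejected by a lock) per source, busiest first."""
        counts: Dict[str, int] = defaultdict(int)
        for _, _, source, outcome in self.events:
            if outcome != "SUCCESS":
                counts[source] += 1
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

    def locked_accounts(self, now: datetime) -> List[str]:
        """Accounts still inside their lockout duration at the given time."""
        return sorted(u for u, st in self.accounts.items()
                      if st.locked_until is not None and now < st.locked_until)


def run_demo() -> LockoutTracker:
    """Replay constructed attempts: a guessing run against jsmith, then normal use."""
    t0 = datetime(2003, 5, 12, 6, 0, 0)
    tracker = LockoutTracker(LockoutPolicy(threshold=5))
    attempts = [
        # six wrong passwords in under a minute from one source (constructed)
        *[(t0 + timedelta(seconds=10 * i), "jsmith", "10.0.0.45", False) for i in range(6)],
        # the real user, right password, while still locked: collateral impact of lockout
        (t0 + timedelta(minutes=5), "jsmith", "10.0.0.12", True),
        # after the lockout duration expires the same logon succeeds
        (t0 + timedelta(minutes=35), "jsmith", "10.0.0.12", True),
        # ordinary typos by another user never reach the threshold
        (t0 + timedelta(minutes=36), "mlee", "10.0.0.12", False),
        (t0 + timedelta(minutes=37), "mlee", "10.0.0.12", False),
        (t0 + timedelta(minutes=38), "mlee", "10.0.0.12", True),
    ]
    for when, user, source, ok in attempts:
        outcome = tracker.attempt(when, user, source, ok)
        print(f"{when:%H:%M:%S} {user:<7} {source:<10} {outcome}")
    print("failed logons by source:", tracker.failed_logons_by_source())
    return tracker


if __name__ == "__main__":
    run_demo()
```

The seventh event shows the usability cost the question weighs: the legitimate user is refused while the lock is in force, which is why the threshold and duration are tuned rather than set as low as possible.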

2.  

✓ A. Persistent policy can be used to protect computers during startup and shutdown. Typically, a computer must start up, connect to the network, and then have group policies applied. To better protect some computers, you can implement persistent policies, which are stored in the computer's local Registry and are implemented at startup.

✗ Answer B is incorrect. Smart cards do provide stronger user authentication than do password-based solutions. However, the problem is only occurring early in the day and you have not positively identified the source of the problem. If you suspected an intentional intruder, you might expect to see the problem at other times as well. Regardless, applying persistent policy to protect these computers during startup is a solution that is far easier (and less expensive) to implement than smart cards. Answer C is incorrect. IPSec policies are applied via group policy and remain in effect for the computer until they are a) modified, b) removed, or c) the IPSec Services service is manually stopped. You would typically filter all traffic all the time, not just at certain times of day, so this is not the best answer. Answer D is incorrect. Although power fluctuations could possibly impact the computers on the shop floor, it would not show up as odd IP traffic. You might see the computer screen flicker or the system halt or shut down.

3.  

✓ A. The computers that were not successfully attacked did not have the check box selected for "Accept unsecured communication, but always respond using IPSec". When this box is selected, computers can be intentionally overloaded with non-IPSec requests, forcing the computer to respond with IPSec and causing a DoS. This option being selected on the computer that was attacked, and not on the others, is the most likely cause of the problem.

✗ Answer B is incorrect. The computer that experienced the DoS attack might or might not have had this check box selected. However, what this does is allow unsecured communications with down-level clients. If an intruder configures his or her system to not use IPSec, it would appear as a down-level client. However, the DoS attack was successfully launched because the computer was set to always respond with IPSec, which takes more overhead and is likely to cause a DoS if flooded with requests. Therefore, this is not the best answer. Answer C is incorrect. The computers that were not attacked did not have the PFS box selected, that is true. However, this is not the reason why they were immune from the DoS attack. The "Use session key perfect forward secrecy (PFS)" option is used to guarantee that no keying material will be reused. The attack did not involve compromised keys and this option was not selected on the computers that were not attacked. Therefore, this setting on the computer that was attacked is irrelevant to this question. Answer D is incorrect because, as you can see in Figure 5.22, "Allow unsecured communication with non-IPSec-aware computers" was not selected.

4.  

✓ C. Windows Server 2003 DCs are configured to require SMB message block signing, by default. Although this can be disabled, it is not recommended. Instead, the best solution is to upgrade legacy clients or, where possible, install the Active Directory client service. The Active Directory client service is available for Windows 95 and 98 computers as well as for Windows NT 4.0 (via SP4 or higher). Windows XP supports SMB message block signing and has it enabled by default. Therefore, when a Windows Server 2003 DC requires SMB message block signing, Windows XP clients will respond with SMB message block signing. The default setting in Windows XP is to respond with SMB signing when the server requests it.

✗ Answer A is incorrect. It is possible the Windows 95 and Windows 98 computers are trying to connect to domain services (DHCP, for example) on one of the Windows NT computers, if they were using static settings for the DHCP service. However, there is no information as to the configuration of the NT servers or the Windows 95 and 98 clients that would give you enough information to make this assumption. In addition, only some of the Windows 98 computers are not connecting to the network now, so you would look for what the difference was between the Windows 98 computers that were connecting and those that were not. SMB message block signing is not supported in older operating systems without add-on software and it is required, by default, on Windows Server 2003 DCs. Therefore, this is a possible answer but not the best answer. Answer B is incorrect. Windows Server 2003 DCs have SMB message block signing enabled by default. It can be disabled, which would allow the Windows 95 computers to connect to the DC, so the statement that Windows 95 computers cannot connect to Windows Server 2003 computers is not completely correct. In addition, although it is recommended you upgrade your Windows 95 computers to Windows XP to take advantage of a number of new security features, including SMB message block signing, this answer does not address the problem with some of the Windows 98 computers. Answer D is incorrect. If the remaining Windows NT 4.0 server were not running the latest service pack, it might be true that the Windows NT 4.0 computer and the Windows Server 2003 computer were not able to communicate since Windows NT 4.0 requires at least SP4 to use SMB message block signing. Therefore, this is not the correct answer.

5.  

✓ A. Of the solutions given, this is the best immediate solution given the parameters. The two groups regularly share files. Ad hoc wireless networking does not connect the users to the wired infrastructure, only to each other in a peer-to-peer mode. This solution would be fast to implement since Windows XP supports ad hoc wireless networking and the wireless components for laptops are relatively inexpensive. If you later implement an infrastructure-based wireless solution, you might be able to use the same wireless components (if compatible).

✗ Answer B is incorrect. It is true that wireless clients should use DHCP IP lease times that are shorter than the default, and this can be configured via DHCP scope settings. However, this does not address the first step, which is connecting the laptops together. Answer C is incorrect. This is certainly one solution but does not meet the needs outlined for a fast, inexpensive solution. If you already have PKI and RADIUS/IAS implemented, you would still need to ensure it was configured for wireless networking and install wireless access points. This is not the best solution for this scenario. Answer D is incorrect. Smart cards rely on PKI and RADIUS/IAS. As in Answer C, it is not clear whether the company has implemented these, but based on the size of the company and the overall IT infrastructure described, it is not likely that they have a PKI/RADIUS infrastructure. Therefore, this is neither the fastest nor the least expensive option.

6.  

✓ B. Network authentication (Shared mode) is not a secure option for wireless networking because it shares a key with all WAPs and wireless clients. This makes it vulnerable to attack. Setting this network to use WEP will improve security on that one network. Next, set the key refresh options on the WAPs or RADIUS server (wherever it's implemented in the network) to be 10 minutes or less. While this does create more overhead, it makes the likelihood of the WEP key being cracked much lower.

x Answer A is incorrect. This is just the opposite of the correct solution. Enabling Network authentication (Shared mode) on all wireless networks would expose the wireless networks to a higher likelihood of the shared key being cracked. Answer C is incorrect. Although the use of PEAP with EAP-TLS or simply EAP-TLS will improve security, they should not be implemented together. Using the same authentication method with and without PEAP creates a security hole. Answer D is incorrect. Although you do want to enable WEP instead of Network authentication, you do not need to delete the network and create a new one. The existing network can be edited via the Wireless Network (IEEE 802.1X) Policies settings.

7.  

✓ D. The computer must be set to use computer authentication if you want to remotely manage the computer when no users are logged on. This box is checked by default to allow computer authentication to occur when users log off. Thus, user or computer authentication is in effect at all times. Computer authentication allows the computer to be connected to the wireless network in a secure manner even when no users are logged on.

x Answer A is incorrect. You essentially remove security when you select the option "Authenticate as guest when user or computer information is unavailable." This setting is most commonly used to provide public wireless access to the Internet when the wireless network is completely isolated from the corporate network. Otherwise, any user can gain access to the corporate network, essentially bypassing any security you might have implemented in other settings. Answer B is incorrect. Smart cards are typically only issued to authorized employees of the company. There might be some instances when you provide smart cards to nonemployees, such as a contractor working on a long-term basis who might need access to the network. However, there is nothing in this scenario that suggests you have authorized Guest users. In addition, the setting you selected does not require any credential because it will allow a Guest to authenticate if no other credentials (user or computer) are used. Thus, even authorized employees with smart cards could use these computers without using their smart cards and bypass security and desired business practices, including accuracy and work load assignment tracking. Answer C is incorrect. The setting shown in Figure 5.23 shows that the EAP type is set to use "Smart Card or other certificate," so this answer is incorrect.

8.  

✓ A. If you believe there is enough need for a WLAN in the highly secure area that users will create rogue WLANs on their own, you could implement a secure WLAN by using 802.1X with PEAP with EAP-TLS to use smart cards or certificates for strong authentication and TLS for data security. This protects against rogue WLANs because clients (which can be configured for both computers and users) must be authenticated by the RADIUS server. By setting up the WAPs as RADIUS clients, users and computers will be authenticated via the RADIUS server (IAS) and data will be encrypted between wireless clients and WAPs.

x Answer B is incorrect. Regular inspection of the highly secure area might be warranted, but this is not the best solution. If rogue WLANs are being installed, there might be a legitimate business need that the IT structure is not addressing (this assumes you don't have a personnel problem within the highly secured area that is intentionally trying to compromise the security and the company's policies). You can set up IPSec filtering to set requirements for data security on computers within the highly secure area, but this is a separate issue from whether or not rogue WLANs are being installed. Answer C is incorrect. Although you can control range to some limited degree, this is not the best solution. If you implement wireless components that have a range of 300 feet, it's difficult (if not impossible) to control the shape of that 300 feet except by pointing wireless antennae in different directions. However, this is not really the crux of the problem. The problem is rogue WLANs within the highly secure area. If implemented with 802.1X features including strong authentication and data encryption, users outside the highly secure area whose wireless-enabled computers can find a signal will be unable to connect because access policies will prevent them from doing so. Answer D is incorrect. Implementing a WLAN that does not access the corporate network defeats the purpose of the WLAN and will not discourage rogue WLANs from being installed. PEAP with MS-CHAPv2 is used for password-based systems, which are not needed since users have smart cards. Windows 2000 does not support PEAP but does support MS-CHAPv2. Although this is not an issue with the highly secure WLAN, it is an incorrect statement that you would use PEAP with EAP-MS-CHAPv2 because you have Windows 2000-based computers.


MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298
ISBN: 1932266550
Year: 2003
Pages: 122