1. | Your network consists of Windows Server 2003 domain controllers (DCs), Windows 2003 DNS servers, and Windows XP clients. You have recently added a firewall to the network to protect it from attack from the Internet. You have placed your Web, e-mail, and DNS servers outside the firewall. Your company has established a written policy that allows only SMTP, HTTP, and DNS traffic to pass through the firewall. Which ports do you need to permit? (Choose all that apply.)
2. | You are designing a network implementation for your company and you want to have an Internet presence for your Web and e-mail servers. The Web server is called WebSvr1, and the e-mail server is named MailSvr1. Due to a recent bout of attacks, you need to implement a solution that will provide security and protection for your network. You are concerned about providing security for the Web and e-mail servers, yet you need to provide anonymous access to the Web server for the general public. You are worried that these anonymous users might use their access to investigate and attack the rest of your network as well. How do you design your network? (Select the best answer.)
3. | You have a network that consists of four subnets. The network IDs are 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and 10.0.4.0/24. Each subnet has two Windows Server 2003 servers and 75 Windows XP clients. You are planning to add a VPN server to the network to provide connectivity for remote users. You need to summarize the internal network IDs on the VPN server. What is the minimum information needed to accomplish the desired result?
4. | You are configuring routing on an RRAS server. The RRAS server's intranet interfaces are configured to be connected to the intranet with a manual TCP/IP configuration that will consist of the IP address, subnet mask, default gateway, and intranet DNS servers. You are now experiencing difficulties when users attempt to connect to the Internet. What must you do to resolve these conflicts?
5. | You are designing a VPN that will allow the company's sales force to travel to multiple cities around the United States. You are using an Internet service provider (ISP) that provides service across the United States and has local numbers in all major cities and many smaller cities as well. The ISP is constantly adding new telephone numbers as it expands its service area. The sales manager is concerned that his sales force will not know what the local access number will be in the cities where they will be traveling. He asks if there is a solution that will help the sales force to make the VPN connection so that they can pass confidential client information and sales orders back to corporate headquarters. What is the best solution to address this problem?
6. | You have designed a Windows Server 2003 VPN solution for your corporation. The solution has a Windows Server 2003 VPN server at headquarters. The VPN server has been placed behind the internal firewall protecting your network. You have created a DNS record on your Internet server in the DMZ so that you can perform name resolution to the VPN server. You have tested connectivity to the VPN server from all of the client computers using the PING utility. The clients at the branch offices are running Windows 98 and Windows XP. The Windows 98 clients are configured to use PPTP to establish the VPN connections. The Windows XP clients are configured to use L2TP with IPSec. The Windows 98 clients are using MS-CHAP v2 to authenticate themselves as users. The Windows XP clients are using user-level certificate authentication with EAP-TLS. The Windows XP clients are not experiencing any difficulties in connecting, but the Windows 98 clients are not able to connect to the VPN server. What should you check to resolve the connectivity issue for the Windows 98 clients?
7. | You have just replaced many of your company's dial-in connections with VPN connections to reduce the costs of maintaining dial-in services. You have recently configured VPN access on a laptop for a user. You have specified the host name for the VPN server in the Host Name or IP Address box. Now the user is complaining that he is receiving the error message "Destination Host Unknown." What is the most likely cause for this error message?
8. | You have just installed Routing and Remote Access on a Windows Server 2003 computer to function as a VPN server. Several remote users need to transmit confidential data to the company using the VPN server. The remote users are not members of your company's domain. The remote users are running Windows XP on the client computers, and they all have access to a local ISP to provide Internet connectivity. Data transmission security is critical to the company and to the remote users. All of the clients will be using L2TP to create the connection to the VPN server. Which secure authentication method should you use for these connections?
Answers
1. | ✓ C, D, E. SMTP corresponds to TCP/UDP port 25, DNS is TCP/UDP port 53, and HTTP is TCP/UDP port 80. These are the ports that need to be open based on the scenario. ✗ Answers A, B, F, and G are incorrect. TCP/UDP port 21 is FTP, TCP/UDP port 23 is Telnet, TCP/UDP port 110 is POP3, and TCP/UDP port 443 is HTTPS. |
2. | ✓ D. This solution creates a DMZ to protect your network. Anonymous users will have access to the Web and e-mail servers. Internal users will have access to the Internet. The firewalls will block unnecessary traffic that could be used to allow hackers to gain access to the network. ✗ Answer A is incorrect because anonymous users will still be able to attempt to exploit the network through any open ports. There is nothing in place to isolate the network from the Internet. Answers B and C are incorrect because the Web and e-mail servers are vulnerable to attack from the Internet. Answer E is incorrect because this will block anonymous users from the Web server. |
3. | ✓ C. You can add a route summarization entry for the internal subnets on the VPN server. This will be the easiest solution. ✗ Although you could add an individual entry for each subnet, it would be easier to provide a route summarization for this task, so Answer A is incorrect. You do need to provide any routing information on the remote clients, so Answers B and D are incorrect. |
4. | ✓ D. To prevent default route conflicts with the default route pointing to the Internet, you must not configure the default gateway on the intranet interface. ✗ By setting the intranet interface to use the DNS servers on the Internet, you will not be able to perform internal network name resolution. This makes Answer A incorrect. Answer B is incorrect because it will prevent any of the clients from being able to connect to the router providing Internet access. It is preferable to statically assign IP addresses on an interface that will be used for routing. In addition, DHCP typically will assign default gateway information to all of the DHCP clients so that the DHCP clients can connect to the Internet. This will cause default gateway conflicts. This makes Answer C incorrect. |
5. | ✓ D. Connection Point Services allows you to automatically update and distribute phone books that contain multiple Points of Presence for the ISP. The phone book will give the sales force complete information so that when they travel they can connect to the different local access numbers provided by the ISP. ✗ Answer A is incorrect because you can create a phone book using Connection Point Services. Answers B and C are incorrect because the Access database and Exchange will not automatically distribute their information to the sales force. The ability of Connection Point Services to automatically distribute the phone book to the desired users makes it the best solution. |
6. | ✓ B. The most probable reason why the Windows 98 clients are not able to connect to the VPN server is that the firewall is configured to allow L2TP traffic and to block the PPTP traffic. By allowing the PPTP traffic to pass, you should resolve this issue. ✗ Answer A is incorrect because upgrading the Windows 98 clients to Windows 2000 or Windows XP will not solve the problem that the PPTP clients are being blocked at the firewall. Answer C would allow all of the clients to connect to the VPN server; however, you would also increase the security risk to the VPN server so this is not an optimal solution. Answer D is incorrect because the issue at hand is that PPTP is being blocked at the firewall. The Windows 98 users will be able to authenticate themselves using MS-CHAP v2. Although more secure, certificate authentication is not required in this situation. |
7. | ✓ A. The DNS server must be configured with an appropriate entry for the VPN server. Without the DNS entry the VPN server will be unreachable. ✗ Answer B is incorrect because the error message would indicate denied access if the remote computer was not authorized to connect to the VPN server. Answer C is incorrect because if it had been an authentication problem, the message would tell you that the authentication was incorrect. Answer D is incorrect because if it had been a remote access policy issue, access denied would have been the message. |
8. | ✓ D. Routing and Remote Access allows you to create custom IPSec policies for the VPN connections. This policy will be applied to all connections made to the VPN server. Since the users are not members of your company's domain, a policy applied to a GPO will not affect them. A policy applied to the connection itself will enforce that the desired authentication method is used. ✗ Answer A is incorrect because MPPE is used with PPTP connections. In addition, the question asks about the authentication method, not the data encryption scheme. Answer B is incorrect since the remote users are not members of the domain, and any policy applied to an OU will not have the desired effect. You will need to create a policy that is applied whenever a connection is established. Answer C is incorrect because certificate-based authentication is the highest form of security available under Server 2003, not MS-CHAP v2. |
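
Added example for the route summarization in question 3 (not from the original text, whose answer choices are not reproduced on this page): it computes the smallest single prefix covering the four subnets and lists the address space that prefix routes in addition to them. The function names are hypothetical; only Python's standard `ipaddress` module is used.

```python
import ipaddress

# Internal subnets as given in question 3.
SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]


def covering_summary(cidrs):
    """Smallest single prefix that contains every network in cidrs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Bits shared by the lowest and highest address form the prefix.
    prefix = 32 - (lo ^ hi).bit_length()
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((base, prefix))


def exact_summary(cidrs):
    """Fewest prefixes that cover the inputs and nothing else."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def extra_ranges(cidrs):
    """Address space inside the single summary that is not a listed subnet."""
    remaining = [covering_summary(cidrs)]
    for net in (ipaddress.ip_network(c) for c in cidrs):
        kept = []
        for block in remaining:
            if net.subnet_of(block):
                # Carve the real subnet out of the block.
                kept.extend(block.address_exclude(net))
            elif not block.subnet_of(net):
                kept.append(block)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    print("single summary :", covering_summary(SUBNETS))
    print("exact summary  :", [str(n) for n in exact_summary(SUBNETS)])
    print("also routed    :", [str(n) for n in extra_ranges(SUBNETS)])
```

A single summary entry is the least configuration, but it also sends traffic for the unassigned ranges toward the intranet, which matters if those ranges are later allocated elsewhere.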