In the 70-270 exam, you are required to master the following TCP/IP skills:

- Installing and configuring TCP/IP
- Troubleshooting TCP/IP
- Configuring and troubleshooting dial-up networking connections to the Internet, private networks, and VPN, using either a network adapter or modem
- Configuring and troubleshooting ICS
- Enabling Remote Desktop and Remote Assistance
- Configuring and troubleshooting Windows Firewall

You must gain these skills to pass the 70-270 exam. You can supplement the exercises and questions with hands-on practice of configuring the various connections to connect to a private network or the Internet, share the Internet connection, configure the Windows Firewall, and establish a remote session. You need at least three computers, two modems, and two separate Internet connections to be able to configure each of these link types.
Exercises

11.1 Changing the Account Lockout Policy

In this exercise, you configure Account policy and IPSec policies.

Estimated time: 15 minutes.

1. Click Start, Control Panel, Performance and Maintenance, Administrative Tools.
2. Double-click Local Security Policy.
3. In the task pane, navigate to the Account Policies and expand them.
4. Click to select the Account Lockout Policy.
5. Three policies appear in the right pane: Account Lockout Duration, Account Lockout Threshold, and Reset Account Lockout Counter After. Double-click the Account Lockout Threshold policy.
6. Set the number of attempts to 4. Click OK.
7. A dialog box opens, prompting you to automatically configure the other two account policies. The default time periods suggested are 30 minutes each. Click OK.
8. You can now change the Account Lockout Duration and Reset Account Lockout Counter After policies by double-clicking them and increasing or decreasing the time period. When you are finished, click OK to close the policy Properties dialog box.
9. Navigate the task pane to the IP Securities on Local Computer node. Three policies appear in the right pane: Client (Respond Only), Secure Server (Require Security), and Server (Request Security). To configure IPSec for incoming users, you must select either Secure Server (Require Security) or Server (Request Security) and assign the policy.
10. Double-click Secure Server (Require Security) to open the policy. The dialog box shown in Figure 11.16 opens.

    Figure 11.16. You can view, add, change, or remove rules surrounding IPSec.

11. On the Rules tab, click the All IP Traffic under IP Security Rules, and then click the Edit button.
12. Under IP Filter Lists, you can see what traffic will be affected by the rule. You can make changes to this rule or remove it by clicking the Edit or Remove button.
13. Click the Filter Action tab. Here, you can change the way that this policy will filter out the IP traffic described on the Rules tab. If you click the Add button, you can create a rule to negotiate or block the traffic described in the IP Filter Lists area.
14. Click the Authentication Methods tab. Note that the default authentication method is Kerberos. You can click the Add button and configure authentication via a Certification Authority (CA) or a pre-shared key, which is basically a string of characters. Click OK to close the dialog box.
15. To specify a particular computer to be the end of the tunnel, click the Tunneling tab and type the IP address.
16. To designate the type of connection to which this IPSec policy will apply, click the Connection Type tab. This option enables you to select to apply the policy to only remote access connections, only LAN connections, or to all connections. Click OK to close the dialog box. Click OK again to close the IPSec policy.
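
The account lockout values set in steps 5 through 8 can also be verified from an exported copy of the local security policy. The following is an added example, not part of the original exercise: it parses a constructed export in the INF layout that secedit /export writes and compares it with the exercise's values (threshold 4, both timers 30 minutes). The function names and the sample text are assumptions made for the illustration.

```python
"""Audit the account lockout values from Exercise 11.1 in a policy export."""

# Constructed sample in the INF layout written by: secedit /export /cfg <file>
# Real exports are usually UTF-16; decode the file before passing its text in.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 4
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(text):
    """Return the integer settings found in the [System Access] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "system access" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            settings[key.strip()] = int(value.strip())
        except ValueError:
            pass  # quoted strings such as account names are not lockout settings
    return settings


def audit_lockout(text, threshold=4, duration=30, reset=30):
    """Compare an export with the exercise's values; return a list of findings."""
    s = parse_system_access(text)
    bad = s.get("LockoutBadCount", 0)
    if bad == 0:
        # A threshold of 0 means accounts never lock, so the timers do not apply.
        return ["lockout disabled: LockoutBadCount is 0 or missing"]
    findings = []
    if bad != threshold:
        findings.append(f"LockoutBadCount is {bad}, expected {threshold}")
    dur = s.get("LockoutDuration")
    rst = s.get("ResetLockoutCount")
    for name, got, want in (("LockoutDuration", dur, duration),
                            ("ResetLockoutCount", rst, reset)):
        if got is None:
            findings.append(f"{name} is missing from the export")
        elif got != want:
            findings.append(f"{name} is {got}, expected {want}")
    # Windows requires the reset window to be no longer than the lockout duration.
    # A duration of -1 means "locked until an administrator unlocks": no upper bound.
    if dur is not None and rst is not None and dur != -1 and rst > dur:
        findings.append("ResetLockoutCount exceeds LockoutDuration")
    return findings


if __name__ == "__main__":
    for finding in audit_lockout(SAMPLE_EXPORT) or ["lockout policy matches the exercise"]:
        print(finding)
```

An empty result means the export matches the exercise; each string in a non-empty result names the setting that differs.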

Review Questions

1. If your computer cannot download a file from an FTP server named ftp.myftpserver.local with an IP address of 192.168.0.13, what troubleshooting tool should you use? What is the command structure?
2. What protocol is used across a POTS line and can encapsulate IPX/SPX packets in a TCP/IP packet? Between PPP and SLIP, which is used with the protocol described?
3. Why does the Windows XP computer configure its network adapter with an IP address of 192.168.0.1 even though you were configuring ICS for a dial-up modem connection?
4. When a user requests remote assistance, what methods can she choose from? Which ones can be secured, and how?
5. When you upgrade to SP2, your computer stops being able to provide a Remote Desktop session. What is likely the problem?

Exam Questions

1. You are the administrator for Seams Corp., a company that weaves custom textiles. The sales team uses portable laptops and travels throughout the country. SEAMS Corp. has instituted a policy to require users to be verified with a mutual form of authentication. Which of the following protocols provides mutual authentication? (Choose all that apply.)

   A. PAP
   B. CHAP
   C. MS-CHAPv2
   D. Smart card certificate

2. At Seams, one of the salespeople, Stacy, uses dial-up connections to the Internet and then uses a VPN connection when she travels. Stacy has had some concerns about cookies. She does not want another company using data that may personally identify her without her consent. She has heard that websites that use P3P provide full disclosure of the use of her data and asks to have her laptop configured appropriately. After you configure the setting, Stacy connects to a website she has visited before and notices that the website did not support P3P, but it greeted her by name when she opened the site. How can you prevent this from happening in the future?

   A. Change the privacy setting to Low.
   B. Change the privacy setting to High.
   C. Require IE to check for new versions of files whenever it loads a website.
   D. Delete all the existing cookies.

3. One of the sales team calls while on a sales trip to Seams' largest silk importer. Kim has connected to the VPN from the client's network. Kim tried to open a sample contract document from within Internet Explorer, but she received a File not found error. You verify that the document exists and that the server is currently running the Web services. Kim tells you that the URL she used was http://server/file/sample.doc. How do you fix Kim's problem?

   A. Tell Kim to type ping server.
   B. Grant Kim's domain account the right of Full Control over the root of the network share //server/file.
   C. Ask Kim to retype the command using the term file://.
   D. Ask Kim to retype the command using the term https://.

4. When a user attempts to access a resource and receives the error that the server's certificate indicates that it is not a trusted resource, how can you fix the problem?

   A. Open the command window and type TRUST mycomputer.
   B. Import the certificate for the server into the Trusted Publishers list.
   C. In Internet Options, click Advanced and select the Enable Profile Assistant check box.
   D. Replace the user's smart card, or generate a new certificate.

5. Your friend Mary has a wireless network in her house. She has two computers, one for herself and a laptop that she uses for work, both configured with a wireless network interface. Mary's home computer is connected via an Ethernet 100 network adapter to a broadband modem. The other adapter is connected to the wireless access point. Mary has had a barrage of traffic hit her home computer and is concerned about the lack of protection for her work laptop. The work laptop also contains two adapters: A wireless one connects to the home network, and the other is used when Mary logs in at the office. What should you tell Mary to help her protect her computer?

   A. Raise the Privacy setting to Block All Cookies.
   B. Enable the Windows Firewall on Mary's laptop for the wireless adapter.
   C. Enable the Windows Firewall on Mary's home computer for the wireless adapter.
   D. Enable the Windows Firewall on Mary's home computer for the interface leading to the broadband modem.

6. You are the desktop administrator at the headquarters (HQ) for Billboreds, LLC. You have been called to assist Suzanne, a help desk administrator, whose Windows XP Professional laptop is connected to the corporate network via an 802.11(g) wireless adapter. Company policy prevents users from running Windows Firewall on corporate network-connected computers because an Internet firewall is already in existence, and headquarters has a T-3 line to the Internet because a large number of bandwidth-intensive data transactions occur across an extranet VPN link with vendors and clients alike. Suzanne has developed a new application and wishes to demonstrate it. The application runs on Suzanne's home computer, which uses Windows XP Professional SP2 and is connected to the Internet with a dedicated cable modem link and static IP address. Suzanne complains that when she is at work, she is unable to connect to her home computer to run a Remote Desktop Connection, which she needs to do to demonstrate the application. You have verified that Suzanne has enabled Windows Firewall on her home computer. What actions can you and Suzanne perform to enable the Remote Desktop Connection? (Choose all that apply.)

   A. On Suzanne's home computer, open the Windows Firewall Properties sheet from within Control Panel. Under the Exceptions tab, select the Remote Desktop check box.
   B. On Suzanne's laptop, open the Windows Firewall Properties sheet from within Control Panel. Under the Exceptions tab, select the Remote Desktop check box.
   C. On the corporate router and firewall, verify that Remote Desktop protocol traffic for port TCP 3389 is enabled for both incoming and outgoing ports.
   D. On Suzanne's laptop, open the wireless network connection Properties sheet, click the Advanced tab, and enable Internet Connection Sharing.
   E. On Suzanne's home computer, open the dedicated link to the Internet connection Properties sheet, click the Advanced tab, and enable Internet Connection Sharing.
   F. On Suzanne's laptop, open the System Properties sheet, click the Remote tab, and select the Allow Users to Connect Remotely to This Computer check box. Click the Select Remote Users button and add Suzanne's user account.
   G. On Suzanne's home computer, open the System Properties sheet, click the Remote tab, and select the Allow Users to Connect Remotely to This Computer check box. Click the Select Remote Users button and add Suzanne's user account.

7. You are a help desk administrator for Billbored's LLC. The company's network consists of an Active Directory forest with an "empty" root domain and two child domains: one that houses user and desktop accounts and the other that houses proprietary resources and the majority of administrative accounts. All employees are running Windows XP Professional computers and receive IP addresses from DHCP servers. The company has implemented folder redirection so that computers can be moved about the network without affecting users' data. A new user calls the help desk because he cannot open his My Documents folder. You ask him to open the My Network Places folder, and he reports that the folder is empty. You then provide him with the instructions to run Ipconfig. He reports that the screen states:

       Windows IP Configuration

       Ethernet adapter Local Area Connection:

          Media State ......................: Media disconnected
          Connection-specific DNS Suffix: . :
          IP address .......................:192.168.0.88
          Subnet Mask ......................:255.255.255.0
          Default Gateway ..................:

   What should you instruct the user to do?

   A. Click Start, Run, type netstat -e in the Open text box, and press Enter.
   B. Plug the cable into the wall outlet, and the other end into the Ethernet adapter of the computer, and if they are already connected then ensure the connection is not loose. When they are firmly connected, open the command prompt window and type ipconfig /release, and then follow that command with ipconfig /renew.
   C. Plug the cable into the wall outlet, and the other end into the Ethernet adapter of the computer, and if they are already connected then ensure the connection is not loose. When they are firmly connected, click Start, Control Panel. From the Internet and Network Connections category, select Network Connections. Right-click the LAN connection object and select Bridge Connections from the shortcut menu.
   D. Click Start, Run, type cmd in the Open text box, and press Enter. At the command prompt, type nbtstat -RR and press Enter.
   E. Click Start, Run, type notepad c:\windows\system32\drivers\etc\hosts, and press Enter. Add the IP address of the DHCP server to the end of the HOSTS file.

8. You are the network administrator for DLJ Software, a software company that specializes in high-end computer games as well as complex mathematical and graphical art programs. Brad is a software developer who runs Windows XP Professional on his computer, along with IIS, so that he can share web-based applications for testing purposes. Brad calls up and says that other people cannot access his web-based applications. He then tells you that he has tried to open the web page on his local browser but cannot open the page. You try to open the page using Brad's URL and you receive an error that says Cannot find server or DNS error. What should you configure on Brad's computer to ensure that Brad can share his applications?

   A. Click Start, All Programs, Administrative Tools, Internet Information Services (IIS). Select Brad's computer. Click the Action menu, select All Tasks, and then click Restart IIS.
   B. Click Start, Run, type Inetmgr (the command to start Internet Information Services Manager) in the Open text box, and press Enter. Select Brad's computer and then navigate to the Default website. Right-click Default Web Site and select Start.
   C. Right-click My Computer and select Manage. Navigate to Services and Applications, and then to Services. Right-click the World Wide Web Publishing service and select Restart from the shortcut menu.
   D. Click Start, Run, type cmd in the Open text box, and press Enter. At the command prompt type ipconfig /registerdns and press Enter.

9. You are an enterprise administrator for MoneyCard, a consumer credit company. You have three main locations, each housing over 8,000 people (London, New York, and Phoenix), each connected by high-speed OC3 links. Internet usage policy states that users are prohibited from registering privacy-related information on non-approved websites, using any Internet email accounts other than their moneycard.local email, or using any website that is not P3P compliant. Users are instructed not to contact the Help Desk via email because of the unreliability of the SMTP protocol. To receive support, users must contact the Help Desk with a phone call or by leaving a completed Help Desk Request document file in the Help Desk share of the Help.Moneycard.local server. When the Help Desk transmits a request to you, they copy the file to the Assist Me share of the Help.Moneycard.local server. You have begun deploying Windows XP Professional to your second pilot group of computers in Phoenix and have directed all users in the first pilot group to call you on your cell phone for help until the project goes beyond the pilot stage. Marcus is a user in the first pilot group in New York. He calls you on your cell phone and tells you that he attempted to send you a Remote Assistance invitation via Windows Messenger but was prevented from doing so because he did not have a .NET Passport. How can Marcus send you a Remote Assistance invitation?

   A. Marcus can overlook corporate privacy policy and register a .NET Passport using his corporate email address.
   B. Marcus can overlook corporate privacy policy and register a .NET Passport while at the same time signing up for a new Hotmail email account.
   C. Marcus can save the Remote Assistance invitation as a file in the Help Desk share of the Help.Moneycard.local server.
   D. Marcus can save the Remote Assistance invitation as a file in the Assist Me share of the Help.Moneycard.local server.

10. You are the enterprise administrator for MoneyCard. The network consists of three sites: New York, London, and Phoenix, each connected to the other two sites by a high-speed link. Each site filters traffic using an access control list (ACL) on the routers between the sites to prevent proliferation of malicious traffic. You have flown to London to deploy Windows XP Professional across the entire network. There is a Windows 2003 Server configured with Terminal Services in the New York office, and users are comfortable with using the Remote Desktop Connection application. One of the executives in London has had consistent errors on his computer, and you decide to enable Remote Desktop for your user account on his computer so that you can connect remotely and attempt to re-create the errors. Given the company's strict Internet usage policy, you edit the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\Portnumber and configure the Remote Desktop TCP port as 4322. All computers use DHCP and Dynamic DNS, and when you execute Ipconfig, you discover that the exec's current IP address is 192.168.33.82 and his DNS server's IP address is 192.168.33.2. You determine that the name of the exec's computer is LON182-EX. What steps should you take to connect to the exec's computer from the Phoenix office? (Choose all that apply.)

   A. On each router between the sites, explicitly allow TCP port 4322 for both incoming and outgoing traffic.
   B. On your computer, open the Registry Editor and edit the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\Portnumber.
   C. On your computer, enable Windows Firewall from the Windows Firewall utility in the Internet and Network Connections category in Control Panel.
   D. On the exec's computer, enable Windows Firewall from the Windows Firewall utility in the Internet and Network Connections category in Control Panel, click the Exceptions tab, and select the Remote Desktop check box.
   E. On your computer, click Start, All Programs, Accessories, Communications, and select Remote Desktop Connection. In the text box, type 192.168.33.2 and click the Connect button.
   F. On your computer, click Start, All Programs, Accessories, Communications, and select Remote Desktop Connection. In the text box, type 192.168.33.82:4233 and click the Connect button.
   G. On your computer, click Start, All Programs, Accessories, Communications, and select Remote Desktop Connection. In the text box, type LON182-EX:4322 and click the Connect button.
   H. On your computer, click Start, All Programs, Accessories, Communications, and select Remote Desktop Connection. In the text box, type LON182-EX and click the Connect button.

Answers to Review Questions

1. You should attempt to ping the server using its IP address. The command should be ping 192.168.0.13. For more information, see the section "Ping."

2. A protocol that can encapsulate IPX/SPX packets in a TCP/IP packet is a tunneling protocol, either L2TP or PPTP. Both L2TP and PPTP are used with PPP. SLIP is used with Unix hosts. For more information, see the section "Using a VPN Connection to Connect to Computers."

3. One of ICS's functions is to create a simplified DHCP service on the ICS host. This system uses the IP address range of 192.168.0.1-192.168.0.254 and provides these addresses to the computers on the private network. The network adapter on that network is given the dedicated address of 192.168.0.1, and that address is then used as the default gateway on all the private network computers. For more information, see the section "Configuring and Troubleshooting Internet Connection Sharing (ICS)."

4. A user can select from Windows Messenger, email, and a file request. Only the email and file requests can be secured with a password. For more information, see the section "Remote Assistance."

5. The likely problem is that ICF was enabled, and upon upgrade to Windows Firewall, the default configuration is to disable Remote Desktop traffic. For more information, see the section "Configuring, Managing, and Troubleshooting Remote Desktop and Remote Assistance."

Answers to Exam Questions

1. C and D. Both MS-CHAPv2 and smart card certificates provide a two-way, or mutual, authentication process between the client and server during dial-up sessions. Answers A and B are incorrect because both provide one-way authentication. For more information, see the section "Remote Access Authentication Protocols."

2. D. The reason that the computer displayed personal information was that the cookie had been left before the privacy setting had been configured. To prevent this from continuing, the best thing to do is to delete existing cookies. Answers A and B are incorrect because changing the privacy setting does not affect data already existing on the computer that is transmitted to the website, such as cookies. Answer C is incorrect because cookies contain privacy information and they are located on the hard drive, not downloaded from the website. For more information, see the section "Connecting to Resources by Using Internet Explorer."

3. C. The best method of accessing a file using the browser is to use FILE:// rather than HTTP://. Answer A is incorrect because the ping command only tells you whether the server is available, which you have already confirmed. Answer B is incorrect because a lack of rights would have returned an error that Kim did not have sufficient rights to open the file. Answer D is incorrect because the HTTPS:// prefix uses SSL for encryption. If you tried to open a file that required SSL, you would have received an error indicating that you needed to use the HTTPS:// prefix. For more information, see the section "Connecting to Resources by Using Internet Explorer."

4. B. The user needs to import the server's certificate into the list of trusted publishers. Answer A is incorrect because typing TRUST mycomputer does not create a trust relationship with a server. Answer C is incorrect because enabling the Profile Assistant does not affect whether a server is trusted. Answer D is incorrect because the error is not the user's generated certificates (which are on the smart card), but the fact that the server's certificate has not been added as a trusted publisher. For more information, see the section "Remote Access Authentication Protocols."

5. D. To be better protected, you should enable the Windows Firewall on Mary's home computer for the network adapter that is connected to the Internet. Answer A is incorrect because blocking all cookies does not protect the computer from directed traffic. Answers B and C are incorrect because the traffic is passing into Mary's home computer, from which the laptop could then be exposed to viruses or other problems. You do not need to protect the laptop's wireless computer if you can protect both the laptop and the home computer by enabling the firewall on only the home computer, where it connects to the Internet, which is on the Ethernet interface leading to the broadband modem. For more information, see the section "Using a VPN Connection to Connect to Computers."

6. A, C, and G. Three things must be in place before Suzanne can connect a Remote Desktop Connection to her home computer: (1) the corporate router and firewall must allow the RDP traffic to be transmitted, (2) Suzanne's home computer's Windows Firewall must be configured to allow an exception for RDP traffic, and (3) Suzanne's home computer must be configured to enable Remote Desktop services with Suzanne's user account granted permission to connect. The standard port is TCP 3389 for RDP. Answers B, D, E, and F are all incorrect because you do not need to configure anything on Suzanne's laptop, nor do you need to enable Internet Connection Sharing. For more information, see the section "Configuring, Managing, and Troubleshooting Remote Desktop and Remote Assistance."

7. B. The ipconfig command revealed that the media was disconnected for the adapter, and because the discussion about BillBored's LLC revealed that computers were often moved around the network, it is likely that the installers simply didn't plug the network cable into the adapter or wall, or didn't plug it in firmly enough. When the adapter is connected, you can run ipconfig /release to remove the existing TCP/IP configuration information and then run ipconfig /renew to obtain a new IP address. Answer A is wrong because netstat -e will display the Ethernet statistics, but that isn't possible to do without the adapter being connected. Answer C is incorrect because you do not need to bridge connections. Answer D is wrong because there is no need to check the NetBIOS statistics. Answer E is wrong because the DHCP process always uses a broadcast when a DHCP client asks for a lease of an IP address; you never need to know the IP address of the DHCP server until the middle of that process. For more information, see the section "Ipconfig."

8. B. The computer displays an error that the server cannot be found when the default website is not running. Answers A, C, and D are less likely to be the problems, but could potentially be used as troubleshooting steps. For more information, see the section "Configuring, Managing, and Implementing Internet Information Services (IIS)."

9. D. As a temporary measure, you can have Marcus save the Remote Assistance request as a file in the Assist Me share of the Help.Moneycard.local server, which you already monitor. When the pilot stage is over, users can save Remote Assistance requests as files in the Help Desk share of the Help.Moneycard.local server and the Help Desk will be able to service those requests at that time. In the meantime, however, answer C is incorrect. Answers A and B are incorrect because they both violate the MoneyCard corporate policy. For more information, see the section "Remote Assistance."

10. A and G. To connect to the executive's computer, you need to enable TCP port 4322 on each router by allowing it for incoming and outgoing traffic. Then, to connect to the computer via the new TCP port, you would use the computer's NetBIOS name of LON182-EX concatenated with a colon (:) and the port number of 4322. Answer B is incorrect because the Registry key is only for listening for incoming connections and you do not need to configure that on the client computer. Answer C is incorrect because you do not need to enable Windows Firewall to use Remote Desktop, plus the default configuration of Windows Firewall is to disable Remote Desktop unless you create an exception for it. Answer D is incorrect because even if you enable Windows Firewall and configure Remote Desktop as an Exception, you would still need to edit the port number. Answer E is incorrect because the IP address is that of the DNS server. Answer F is incorrect because the IP address is the exec's current IP address; at some point you would not be able to connect via the IP address if the computer leased a different IP address from the DHCP server, so you should use the NetBIOS name. In addition, the port in answer F is incorrectly identified as 4233, not 4322. Answer H is incorrect because the port number is not identified in the Connect text box, so it defaults to TCP port 3389 and the exec's computer is not listening to that port. For more information, see the section "Configuring, Managing, and Troubleshooting Remote Desktop and Remote Assistance."

Suggested Readings and Resources

The following are some recommended readings on the subject of implementing, managing, and troubleshooting network protocols and services in Windows XP Professional:

Microsoft Official Curriculum course 2520, Deploying Microsoft Windows XP Professional, all modules.
Information available from http://www.microsoft.com/learning/syllabi/en-us/2520Afinal.mspx

Websites

- Description of Internet Connection Sharing in Windows XP, at http://support.microsoft.com/default.aspx?scid=kb;en-us;310563
- Configuring APIPA, at http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prjj_ipa_eiih.asp
- How to troubleshoot TCP/IP connectivity with Windows XP, at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314067
- Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2, at http://www.microsoft.com/downloads/details.aspx?familyid=a7628646-131d-4617-bf68-f0532d8db131&displaylang=en
- Windows XP Service Pack 2 Problem Solver, at http://www.michna.com/kb/WxSP2.htm
- Learn Windows XP TCP/IP Addressing in Windows XP Professional, at http://www.2000trainers.com/article.aspx?articleID=101&page=2

Chappell, Laura and Ed Tittel. Guide to TCP/IP, Second Edition. Course Technology, 2004. ISBN: 061921242X.