Appendix -- Answers

Chapter 1

Answers to Review Questions

  1. Implementing multiple security protocols allows a wide array of client operating systems to interact securely with a Windows 2000 network.
  2. The UNIX client can use multiple security protocols for authentication. In a default installation, the UNIX client could use Kerberos (if an interrealm trust is established between the Kerberos realm and an Active Directory domain) and secure channel (if using a Web browser) as security protocols for authentication.
  3. A decentralized account management strategy can lead to several different Active Directory designs. The common characteristic in the designs is that the ability to create and manage accounts isn't restricted to a small group of administrators. Possible solutions include the deployment of child domains or the creation of an OU structure that allows account management to be delegated to required personnel.
  4. When a network has a global presence, import/export rules may affect the deployment of strong encryption solutions. The United States currently restricts the export of strong encryption software to embargoed countries. Additionally, laws in foreign countries could require local management of network resources. These laws can affect your Active Directory design for domain structure.
  5. In order for you to determine whether the design meets the technical requirements, the technical requirements must be measurable. If they're not measurable, determining whether the security design meets the technical requirements can be difficult.
  6. The lab environment must emulate the production network. This includes emulating any WAN links and possible bottlenecks that exist on the production network. If the lab environment doesn't emulate the production network, any performance measurements are invalid because they don't reflect the actual performance that will occur in production.

Chapter 2

Answers to Activity Questions

  1. Policy                          Success / Failure
     Audit account logon events      X
     Audit account management        X  X
     Audit directory service access
     Audit logon events
     Audit object access             X  X
     Audit policy changes            X  X
     Audit privilege use             X
     Audit process tracking
     Audit system events             X  X

  2. The only additional settings that must be completed would be setting the object audit settings on the \\server\budget folder. This would include determining whether to audit the entire folder, all subfolders, or just specific files. It would also include auditing the Everyone group or specific user groups.
  3. You should apply the audit policy to the Domain Controllers OU. If you want the same auditing to take place at all Windows 2000 computer accounts, you could also apply the settings at the domain.

Answers to Exercise 1 Questions

  1. The amount of bandwidth available on the WAN link between London and Lima may require you to deploy a separate forest at the Lima location. You can determine this only by analyzing the amount of traffic involved with global catalog, schema, and configuration replication to the Lima location from London.
  2. The requirement to restrict administrative management of the forest-wide administration groups would require duplication of effort if multiple forests are deployed. This would require the monitoring of membership of duplicate Enterprise Admins and Schema Admins groups.
  3. Based on the current specifications, the Contoso network would require only a single forest. You have to implement separate forests only when multiple organizations want to prevent access to a common global catalog or when the schema must be different between locations. The replication traffic issue for the Lima site must be monitored because the WAN link could require a second forest to be deployed at the Lima site.
  4. Contoso may decide to deploy multiple forests in the case of a merger with or acquisition by a second corporation. If the other organization has an existing Windows 2000 forest, the initial merger might require more than one forest. In time, the migration would lead to the merger of the two forests.

    Another scenario where it would be appropriate to deploy a second forest is for testing schema modifications. Because schema modifications are permanent, using a separate forest to test the schema modification routines and scripts will reduce the occurrences of incorrect schema modifications being applied to Active Directory.

Answers to Exercise 2 Questions

  1. The requirement to reduce the amount of replication traffic to the Lima location, Seattle's desire to implement a different minimum password length than the other offices, and the requirement to limit modification to the Enterprise Admins and Schema Admins groups are all business factors that will require separate domains.

  2. (The answer to this question is a diagram, which is not reproduced in this text.)

  3. It would eliminate the need for a separate domain for Lima users.

Answers to Exercise 3 Questions

Designing an OU Structure for Administration

  1. OU                        Administrators   Permissions
     Seattle Users             Helpdesk         Reset Password
     Seattle Users             Human Resources  Edit specific attributes
     Seattle Users\Marketing   MarketAdmins     Edit User Objects
     Seattle Users\Sales       SalesAdmins      Edit User Objects
     Seattle Users\Accounting  AccountAdmins    Edit User Objects
     Seattle Users\Finance     FinanceAdmins    Edit User Objects

Designing an OU Structure for Group Policy Deployment

  1. OU                             Apply the Security Template
     London Computers               Desktops
     London Computers\Portables     Portables
     London Computers\File Servers  File Servers
     Domain Controllers             Domain Controllers
     London Computers\Web Servers   Web Servers

Answers to Review Questions

  1. In most cases a single organization will wish to implement only a single forest. Design factors that will require multiple forests include recent mergers or acquisitions and the need to maintain varying versions of the schema within an organization.
  2. An empty forest root domain limits the number of users who can modify membership in the Enterprise Admins and Schema Admins groups. By default, a member of the forest root Domain Admins group is capable of changing membership in these forest-wide administration groups. By minimizing the accounts implemented in the forest root domain, you can better manage membership of the Domain Admins group.
  3. If Group Policy isn't being applied in the standard order of local, site, domain, and then OU policy, it's likely that a Group Policy has been configured to block inheritance. You can prevent this by configuring higher-level OUs and containers to override any blocking attempts. To troubleshoot Group Policy application problems, you can use the Gpresult.exe tool from the Microsoft Windows 2000 Resource Kit to determine which group policies are applied to a computer or user at logon.
  4. An OU design must balance both administrative delegation and Group Policy deployment. The goal is to create an OU structure that meets both needs. You may have to try several designs before you succeed.
  5. Enabling all audit options can cause the security log to fill with events very quickly. This can result in the computer being shut down due to a full event log if the security options are configured to do so. If you do enable a large amount of audit settings for a computer or an OU, you should consider increasing the default size of the security log and configuring what should take place when the security log fills.

Chapter 3

Answers to Activity Questions

  1. There's no global catalog server at the remote office. If the WAN link is down, the authenticating DC won't be able to access a global catalog server to enumerate universal group membership.
  2. There must be at least two domains in the network. If it had just one domain, the authenticating domain controller would be able to determine universal group membership by looking at the domain naming context.
  3. At the remote network, the lone domain controller must be configured as a global catalog server. In addition, the domain controller must also be configured as a DNS server so that SRV resource records can be found if the network link goes down.
  4. If the DSClient software is loaded on the down-level clients, the down-level clients will require access to a DNS server to determine a domain controller in their site for authentication. The down-level clients will be able to find the local domain controller as long as they're set to include broadcast for NetBIOS name resolution.

    If system policy is enabled and the load-balancing option isn't enabled within system policy, Windows 95 and Windows 98 clients won't be able to contact the PDC emulator to load system policy.

Answers to Exercise 1 Questions

Analyzing Server Placement

  1. Windows 2000 client computers aren't PDC dependent. A Windows 2000 client can connect to any domain controller in the domain for password changes and for Group Policy application. But there are some WAN issues for processes that depend on the PDC emulator. For example, if administrators in Seattle are editing Group Policy, the MMC console connects to the PDC emulator of the domain by default.
  2. The only office that doesn't have sufficient domain controller placement is Tampa. All authentication for the Tampa office must take place at the Seattle or London offices (where the domain controllers for the seattle.contoso.tld domain are located). At least one domain controller (two for fault tolerance) should be deployed at the Tampa office.
  3. The Tampa and Lima offices don't have a local global catalog server. If the WAN link to the Seattle or London offices is unavailable, the authenticating DC won't be able to contact a global catalog server to determine universal group membership. This results in the user being logged on with cached credentials. At least one domain controller at each site should be configured as a global catalog server to ensure that logging on with cached credentials doesn't occur.
  4. All DNS services are currently located at the London site in the contoso.tld domain. At least one server at each remote site should be configured as a secondary DNS server for the contoso.tld zone. Because all domain information for the four domains is contained in one zone, only the single zone must be created as a secondary at the remote sites. This ensures that if the WAN links are down, clients can locate network services on the local site.

Analyzing Default Trust Relationships

  1. Two-way transitive trust relationships are established between each child domain and the contoso.tld domain by default. These two-way transitive trust relationships provide access to all resources in the forest.
  2. You could establish shortcut trusts between the London and Seattle domains to reduce the authentication process when accessing resources between the two domains. This results in one less referral ticket being issued, because the contoso.tld domain is bypassed during the authentication process.

Answers to Exercise 2 Questions

  1. All the down-level clients are using either LM or NTLM authentication, which isn't as secure as NTLMv2 authentication. The Windows for Workgroups 3.11 and Windows 98 clients use LM authentication, and the Windows NT 4.0 clients use NTLM authentication.
  2. You must immediately upgrade the Windows for Workgroups clients to at least Windows 98. If the computers don't meet the minimum hardware requirements, remove them from the network. The Windows 98 and Windows NT 4.0 clients must have the DSClient software installed to ensure that NTLMv2 is used for authentication. The Windows NT 4.0 workstation clients should also have the latest service pack applied.
  3. The DSClient software reduces the dependency on the PDC emulator for down-level clients. Rather than sending password changes to the PDC emulator, password changes can now be performed at a local domain controller. This is a great performance gain for Contoso because the PDC emulators are located at the London office.

    The DSClient software also makes the clients site-aware so that the clients can locate domain controllers on their own site, rather than using remote domain controllers. This reduces the dependency on WINS for remote logons.

  4. The LMCompatibilityLevel setting on the domain controllers must be changed to restrict authentication to NTLMv2 and disallow LM and NTLM authentication. This step also requires the removal of the Windows for Workgroups 3.11 clients from the network because they don't support NTLMv2 authentication.

Answers to Review Questions

  1. Kerberos authentication uses the time stamp as authorization data during an authentication process. The time stamp is encrypted using the long-term key shared between the KDC and the client computer. If the time stamp varies by more than 5 minutes from the current time at the KDC, the KDC assumes that a replay attack is taking place and the authentication attempt fails. The client can run "Net Time \\domaincontroller /set" (where domaincontroller is a variable representing the domain controller in question) to set the computer's clock to match that of the domain controller.
  2. The Kerberos Authentication Service Exchange (KRB_AS_REQ) is used when a client initially authenticates on the network. The KRB_AS_REP that the KDC sends back to the client contains the TGT that the client uses to identify itself with the KDC when requesting service tickets. The Kerberos Ticket Granting Exchange (KRB_TGS_REQ) occurs when the client presents the TGT for the purpose of acquiring a service ticket in a Kerberos Ticket Granting Exchange Response (KRB_TGS_REP).
  3. Smart card logons use the PKINIT extensions to the Kerberos protocol. Rather than using a long-term key to encrypt authentication data between the client and the KDC, the private key/public key pair located on the user's smart card is used. Rather than using the standard KRB_AS_REQ and KRB_AS_REP messages, a smart card logon uses the PA_PK_AS_REQ and PA_PK_AS_REP messages. Because Kerberos is the authentication mechanism, smart card logons are only available to Windows 2000 client computers and can't be implemented at Windows 95, Windows 98, or Windows NT 4.0 client computers.
  4. Kerberos protocol allows service tickets to have a forwardable flag. This indicates that a server can request a service ticket on behalf of a client computer. When the KDC issues the ticket to the server, it allows the server to run processes in the user's security context.
  5. As an interim solution, you can deploy the DSClient to the Windows 98 computers. The DSClient makes the following enhancements to a Windows 98 client: NTLMv2 protocol, site awareness, the ability to search Active Directory for objects, a reduction in the dependency on the PDC, ADSI support, a DFS fault-tolerant client, and the ability to edit Active Directory objects using the WAB.
  6. If the domain is in native mode, the authentication domain controllers must contact global catalog servers to expand universal group membership. Clients also contact global catalog servers when they authenticate using a UPN. The global catalog associates the UPN with a domain and user account. If either a global catalog server or a DNS server is unavailable, this can result in cached credentials being used. The DNS server must be available because DNS is used as the service locator service for finding domain controllers and global catalog servers.
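The time-stamp check in review question 1 is easy to model from the KDC's side. The following block is an added example written for this appendix (not Windows code and not part of the original text): it accepts an authenticator only when its time stamp is within the 5-minute window of the KDC clock and the same (principal, time stamp) pair has not already been accepted within that window, so a client whose clock has drifted is rejected until it resynchronises. The principal names and clock values are constructed for the demonstration; the replay cache is a simplification of the real one, which also keys on microseconds.

```python
from datetime import datetime, timedelta, timezone

# Maximum tolerated difference between an authenticator's time stamp and the
# KDC clock. Windows 2000 uses 5 minutes by default.
MAX_CLOCK_SKEW = timedelta(minutes=5)


class AuthenticatorChecker:
    """KDC-side acceptance test for Kerberos authenticator time stamps.

    Simplified model written for this appendix: an authenticator is accepted
    only if its time stamp lies within max_skew of the KDC clock and the same
    (principal, time stamp) pair has not already been accepted inside that
    window. Anything else is treated as a possible replay and rejected.
    """

    def __init__(self, max_skew=MAX_CLOCK_SKEW):
        self.max_skew = max_skew
        self._seen = {}  # (principal, time stamp) -> KDC time when accepted

    def _purge(self, now):
        # Entries older than the skew window can no longer be replayed
        # successfully (they would fail the skew test), so drop them.
        cutoff = now - self.max_skew
        self._seen = {k: t for k, t in self._seen.items() if t >= cutoff}

    def check(self, principal, auth_timestamp, now):
        """Return (accepted, reason) for one authenticator."""
        self._purge(now)
        skew = abs(now - auth_timestamp)
        if skew > self.max_skew:
            return False, f"clock skew {skew} exceeds {self.max_skew}"
        key = (principal, auth_timestamp)
        if key in self._seen:
            return False, "authenticator already seen (possible replay)"
        self._seen[key] = now
        return True, "accepted"


def run_scenarios():
    """Constructed sequence of authenticators checked against one KDC clock."""
    kdc = AuthenticatorChecker()
    t0 = datetime(2000, 1, 1, 12, 0, tzinfo=timezone.utc)  # KDC clock
    results = []
    # Client clock 3 minutes slow: inside the window, accepted.
    results.append(kdc.check("alice@CONTOSO.TLD", t0 - timedelta(minutes=3), t0)[0])
    # Same authenticator presented a second time: rejected as a replay.
    results.append(kdc.check("alice@CONTOSO.TLD", t0 - timedelta(minutes=3), t0)[0])
    # Client clock 6 minutes slow: outside the window, rejected.
    results.append(kdc.check("bob@CONTOSO.TLD", t0 - timedelta(minutes=6), t0)[0])
    # Same client after resetting its clock with Net Time: accepted.
    results.append(kdc.check("bob@CONTOSO.TLD", t0, t0)[0])
    return results  # [True, False, False, True]


if __name__ == "__main__":
    print(run_scenarios())
```

The second scenario is the reason the window matters: without the cache, a captured authenticator could be presented again by anyone for as long as its time stamp stays within the window, so a KDC needs both the skew limit and the cache.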

Chapter 4

Answers to Activity Questions

The remote administration methods to choose from are a. RUNAS command, b. Telnet Service, c. Terminal Services, and d. Can't use Remote Administration in this scenario.

  1. Create a new user account by using Active Directory Users And Computers: a (RUNAS command) or c (Terminal Services).

     To create a new user account, you can use the RUNAS command to launch Active Directory Users And Computers under the security context of a user with the right to create user accounts. You could also use Terminal Services to connect to a domain controller using an administrative user account to run Active Directory Users And Computers.

  2. Recover an encrypted file using the domain's EFS Recovery account: c (Terminal Services).

     To perform an EFS recovery, you must load the profile of the user account where the private key for the EFS Recovery certificate is stored. Only by using Terminal Services could you remotely perform this task and still keep your current nonadministrative session active.

  3. Run a batch file command that requires administrative access to the network: b (Telnet Service).

     Because the administrative process is a batch command, you can use the Telnet service to launch the batch file as an administrator of the network. If the computer where the Telnet client is located is a Windows 2000-based computer, you can use NTLM authentication to secure the administrative credentials. If protection of all commands and output is required, you must implement IPSec.

  4. Manage a Certification Authority from a Windows 95 or Windows 98 computer: c (Terminal Services).

     Windows 2000 administrative MMC consoles can be run only from a Windows 2000-based computer. By using the Terminal Services client, a Windows 95 or Windows 98 client computer can remotely run the Certification Authority MMC.

  5. Run an administrative process by using an account that requires a smart card for authentication: d (Can't use Remote Administration in this scenario).

     Remote administration doesn't support the use of smart cards for authentication. If the account requires a smart card for authentication, the process must be launched at a computer with a smart card reader.

  6. Verify whether a user account is locked out without interrupting an application that's running an hour-long process: a (RUNAS command).

     When you don't want to stop current processes from executing, the RUNAS command allows you to launch Active Directory Users And Computers without logging off the current user or stopping any currently executing processes.

Answers to Exercise 1 Questions

Analyzing Administrative Group Membership

  1. You must establish separate accounts for each of the administrators that are to be used when performing administrative tasks. These accounts must be separate from the accounts they use for day-to-day activities.
  2. Peter Connelly must be made a member of four separate groups. Because he wants to be able to back up and restore data in the four domains that make up the Contoso Ltd. Active Directory—contoso.tld, london.contoso.tld, seattle.contoso.tld, and lima.contoso.tld—he must be a member of the Backup Operators group in each of the domains.
  3. Scott Gode must be made a member of the DNS Admins group. If the DNS design for Contoso has all of the domains within a single Active Directory-integrated zone (contoso.tld), then Scott will require membership only in the forest root domain's DNS Admins group. If each of the subdomains has a delegated DNS subdomain that's managed locally, then Scott must be a member of the DNS Admins group in each of the domains where Active Directory-integrated zones exist.
  4. Kate Dresen must be a member of the Schema Admins group in the forest root domain (contoso.tld).
  5. Only if the contoso.tld domain is in mixed mode. In that case the Schema Admins group would be a global group, rather than a universal group. This would require that Kate's administrative account be located in the contoso.tld domain.

  6. User             Group Membership
     Elizabeth Boyle  Lima\Account Operators
     Suzan Fine       Seattle\Account Operators
     Thom McCann      London\Account Operators
  7. Each of the three accounts could have been delegated administrative rights for the domain that it is responsible for. This delegation would require only administrative permissions for user and computer objects.
  8. Jörg must be made a member of the Group Policy Creators Owners group in each of the four domains. Membership in this group allows the creation of new Group Policy objects as well as management of existing Group Policy objects.
  9. Because the forest-wide administration accounts (Enterprise Admins and Schema Admins) are located in the forest root domain, making Lisa a member of the contoso\Domain Admins group gives her the ability to manage membership of the forest-wide administrative groups.

Protecting Administrative Group Membership

  1. The Restricted Groups policy must be applied to each of the four domains, because there are groups that require protection in each of the four domains. In each domain the Restricted Groups policy will be applied to the Domain Controllers OU.
  2. It's still possible to change a group's membership when a Restricted Groups policy is applied. The group membership change will last only until the next time the Group Policy is applied. By default, this period is every 5 minutes for domain controllers.
  3. Enable both success and failure auditing for Account Management at the Domain Controllers OU for each of the four domains.

  4. Group                   Members                                     Member Of
     Enterprise Admins       London\Administrator, London\Domain Admins  Contoso\Administrators, Lima\Administrators, London\Administrators, Seattle\Administrators
     Schema Admins           London\Administrator                        None
     Contoso\Domain Admins   Contoso\Administrator                       Contoso\Administrators
     Lima\Domain Admins      Lima\Administrator                          Lima\Administrators
     London\Domain Admins    London\Administrator                        London\Administrators
     Seattle\Domain Admins   Seattle\Administrator                       Seattle\Administrators
     Contoso\Administrators  Contoso\Domain Admins                       N/A
     Lima\Administrators     Lima\Domain Admins                          N/A
     London\Administrators   London\Domain Admins                        N/A
     Seattle\Administrators  Seattle\Domain Admins                       N/A
  5. Contoso should perform manual audits of the administrative group memberships at regular intervals. At these intervals Contoso can review and, if necessary, define memberships for the Restricted Groups policy.
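Questions 2 and 5 together describe a detection gap: between Group Policy refreshes a protected group can drift from the membership the Restricted Groups policy defines, and the manual audit exists to catch that. The block below is an added example for this appendix, not code from the original text or from Microsoft: it encodes the Members and Member Of columns of the table in question 4 as the desired state and compares a membership snapshot against it, reporting unexpected or missing members and any Administrators group that has lost its Enterprise Admins or Domain Admins nesting. The snapshot, including the account `London\tempadmin`, is constructed; how the snapshot is collected from the directory is left to the reader.

```python
# Desired membership, taken from the "Members" column of the Restricted
# Groups table in the exercise answers.
RESTRICTED_GROUPS = {
    "Enterprise Admins": {"London\\Administrator", "London\\Domain Admins"},
    "Schema Admins": {"London\\Administrator"},
    "Contoso\\Domain Admins": {"Contoso\\Administrator"},
    "Lima\\Domain Admins": {"Lima\\Administrator"},
    "London\\Domain Admins": {"London\\Administrator"},
    "Seattle\\Domain Admins": {"Seattle\\Administrator"},
}

# The "Member Of" column: the groups each protected group must still appear in.
REQUIRED_NESTING = {
    "Enterprise Admins": {"Contoso\\Administrators", "Lima\\Administrators",
                          "London\\Administrators", "Seattle\\Administrators"},
    "Contoso\\Domain Admins": {"Contoso\\Administrators"},
    "Lima\\Domain Admins": {"Lima\\Administrators"},
    "London\\Domain Admins": {"London\\Administrators"},
    "Seattle\\Domain Admins": {"Seattle\\Administrators"},
}


def audit_group_membership(desired, observed):
    """Return {group: {"unexpected": [...], "missing": [...]}} for every
    protected group whose observed members differ from the policy. Groups
    in the snapshot that the policy does not cover are ignored."""
    findings = {}
    for group, want in desired.items():
        have = set(observed.get(group, ()))
        unexpected = sorted(have - want)
        missing = sorted(want - have)
        if unexpected or missing:
            findings[group] = {"unexpected": unexpected, "missing": missing}
    return findings


def audit_nesting(required, observed):
    """Return {group: [containers it is no longer a member of]}."""
    findings = {}
    for group, containers in required.items():
        lost = sorted(c for c in containers if group not in set(observed.get(c, ())))
        if lost:
            findings[group] = lost
    return findings


def demo():
    # Constructed snapshot: an account was added to Schema Admins between
    # policy refreshes, the Lima Administrator account was removed from
    # Lima\Domain Admins, and Enterprise Admins was dropped from
    # Seattle\Administrators.
    observed = {
        "Enterprise Admins": ["London\\Administrator", "London\\Domain Admins"],
        "Schema Admins": ["London\\Administrator", "London\\tempadmin"],
        "Contoso\\Domain Admins": ["Contoso\\Administrator"],
        "Lima\\Domain Admins": [],
        "London\\Domain Admins": ["London\\Administrator"],
        "Seattle\\Domain Admins": ["Seattle\\Administrator"],
        "Contoso\\Administrators": ["Contoso\\Domain Admins", "Enterprise Admins"],
        "Lima\\Administrators": ["Lima\\Domain Admins", "Enterprise Admins"],
        "London\\Administrators": ["London\\Domain Admins", "Enterprise Admins"],
        "Seattle\\Administrators": ["Seattle\\Domain Admins"],
    }
    return (audit_group_membership(RESTRICTED_GROUPS, observed),
            audit_nesting(REQUIRED_NESTING, observed))


if __name__ == "__main__":
    members, nesting = demo()
    for group, diff in members.items():
        print(f"{group}: unexpected={diff['unexpected']} missing={diff['missing']}")
    for group, lost in nesting.items():
        print(f"{group}: no longer a member of {lost}")
```

Running the comparison on a schedule shorter than the policy refresh interval is what turns the 5-minute window in question 2 into a logged event rather than an unnoticed one; the success/failure auditing of Account Management from question 3 supplies the corroborating event log entries.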

Answers to Exercise 2 Questions

  1. In addition to their day-to-day user accounts, each user can also be assigned a second account for administrative functions. To differentiate between the two accounts, you could use a prefix such as "a-" or "a_" to identify the administrative account.
  2. You can't require that the default administrator account in a domain have a smart card or be restricted to a specific workstation.
  3. You could create an additional account that would be a member of the Enterprise Admins group. You could then restrict this newly created account to log on at londondc1 and londondc2 by using either workstation restrictions, smart card restrictions, or a combination of the two.
  4. The newly created account would have to be included in the Member Of box of the Enterprise Admins group in restricted groups.
  5. The two account operators could either use the RunAs service to launch Active Directory Users And Computers under the security context of their administrative account or they could use Terminal Services to connect to a domain controller and run Active Directory Users And Computers within the terminal sessions.
  6. Because Elizabeth's primary workstation is a Windows 98 computer, she can't use the RunAs service or a custom MMC console. Elizabeth would have to use the Terminal Services client to connect to a Windows 2000-based server to perform administrative functions.
  7. The Seattle administrator could use Telnet to run administrative scripts. The security risk in this form of management is that authentication, all typed commands, and all returned responses are sent on the network in clear text. The UNIX workstation wouldn't be able to use NTLM authentication, so IPSec must be considered to protect this sensitive data.

Answers to Review Questions

  1. Just because you're an administrator doesn't mean that you require administrative access to all functions within a domain. This can result in excess privileges being assigned to an account.
  2. No. Restricted Groups policy is applied at regular intervals when Group Policy is applied. At a domain controller, the default interval is every 5 minutes. There's a brief window of opportunity where the membership of a restricted group can be modified before Group Policy resets the membership to the desired membership.
  3. This is an excess allocation of rights. With Windows 2000, you could delegate the ability to reset the password on user accounts for a domain only to a Help Desk group. This provides only the help desk with the required permissions.
  4. Smart card logon can't be used in conjunction with the RunAs service or Terminal Services. If an account requires the use of a smart card, the administrative user will be forced to log on as that user at the workstation using the smart card to perform administrative tasks. This assumes that the user has a smart card reader at her computer.
  5. To determine what security context a process is running under, an administrator can display the account associated with a process by using Pulist.exe from the Microsoft Windows 2000 Server Resource Kit. Or if Terminal Services are loaded, the Task Manager can display the User Name column.
  6. The administrator at a UNIX workstation would be restricted to running text-based administrative utilities. With the installation of the Microsoft Windows 2000 Server Resource Kit at the Telnet server, several utilities can actually be used. The security risks of doing Telnet administration include the exposure of user account and password information in clear text on the network. Additionally, all screen display and keyboard input is transmitted in clear text by default.

Chapter 5

Answers to Activity Questions

  1. The three domains in the technology.tld forest are running in mixed mode. The domains must be in native mode to allow global groups to be nested in other global groups and to allow domain local groups to be used at a Windows 2000 member server. If you don't convert the domains to native mode (which isn't possible with Windows NT 4.0 BDCs), this proposal won't work.
  2. This strategy will work because in mixed mode, global groups from the domain can be made members of a computer local group stored in the application server's local account database.
  3. The three domains in the technology.tld forest are running in mixed mode. The domains must be in native mode to allow universal security groups. If you don't convert the domains to native mode (which isn't possible with Windows NT 4.0 BDCs), this proposal won't work.
  4. Although this proposal looks similar to the second proposal, member servers are unable to recognize domain local groups in a mixed-mode environment. Domain local groups are shared among domain controllers only when in mixed mode.

Answers to Exercise 1 Questions

  1. The slow WAN link between London and Lima could be a bottleneck for replication of universal group membership to the global catalog. If universal groups were to be used in securing resources for the Human Resources application, this could affect it.
  2. Your security design must ensure that universal groups contain only global groups, not user accounts. Doing this prevents the membership of the universal groups from changing frequently and creating WAN traffic due to global catalog replication.

  3. Category              Global Group(s)                                                  Membership
     Application Managers  Lima\AppManagers, Seattle\AppManagers, London\AppManagers        All application managers. One global group for each domain.
     HR Managers           Lima\HRManagers, Seattle\HRManagers, London\HRManagers           All HR managers. One global group for each domain.
     HR Department         Lima\HRDept, Seattle\HRDept, London\HRDept                       All members of the HR department. One global group for each domain.
     Employees             Lima\Domain Users*, Seattle\Domain Users*, London\Domain Users*  Makes the assumption that all domain users are employees.

     * As an alternative, you could use a custom global group that contains all employees if Domain Users contains some non-employee accounts.

  4. Domain Local Group   Membership                                                       Where Deployed
     London\AppMgrAccess  Lima\AppManagers, Seattle\AppManagers, London\AppManagers        HRLondon, Web
     London\HRMgrAccess   Lima\HRManagers, Seattle\HRManagers, London\HRManagers           HRLondon, Web
     London\HRAccess      Lima\HRDept, Seattle\HRDept, London\HRDept                       HRLondon, Web
     London\HRAppEEAccess Lima\Domain Users*, Seattle\Domain Users*, London\Domain Users*  HRLondon, Web

     * If custom global groups were created to represent employees, these global groups would be a member of the HRAppEEAccess domain local group.

  5. Domain Local Group  Membership                                                       Where Deployed
     Lima\AppMgrAccess   Lima\AppManagers, Seattle\AppManagers, London\AppManagers        HRLima
     Lima\HRMgrAccess    Lima\HRManagers, Seattle\HRManagers, London\HRManagers           HRLima
     Lima\HRAccess       Lima\HRDept, Seattle\HRDept, London\HRDept                       HRLima
     Lima\HRAppEEAccess  Lima\Domain Users*, Seattle\Domain Users*, London\Domain Users*  HRLima

     * If custom global groups were created to represent employees, these global groups would be a member of the HRAppEEAccess domain local group.

  6. Domain Local Group    Membership                                                       Where Deployed
     Seattle\AppMgrAccess  Lima\AppManagers, Seattle\AppManagers, London\AppManagers        HRSeattle
     Seattle\HRMgrAccess   Lima\HRManagers, Seattle\HRManagers, London\HRManagers           HRSeattle
     Seattle\HRAccess      Lima\HRDept, Seattle\HRDept, London\HRDept                       HRSeattle
     Seattle\HRAppEEAccess Lima\Domain Users*, Seattle\Domain Users*, London\Domain Users*  HRSeattle

     * If custom global groups were created to represent employees, these global groups would be a member of the HRAppEEAccess domain local group.
  7. For each collection of three global groups, you must define a universal group that would contain the three global groups as members. The universal group would then be made a member of the domain local group associated with the universal group.
  8. WAN traffic related to changes in universal group memberships can be minimized by limiting membership in universal groups to global groups. This way the changes to the global groups won't affect the membership of the universal groups. Doing this will prevent changes to the storage of universal group membership in the global catalog.

Answers to Exercise 2 Questions

  1. The name of the account should not in any way reflect the service account's function. Just looking at the name of the account shouldn't reveal what access it may have on the network.
  2. You could create the service account in either the london.contoso.tld or contoso.tld domains (because the head office is in London).
  3. No. With the Windows 2000 transitive trust model, the account could be located in any of the four domains for usage in all domains.
  4. In each of the three domains, you must collect the Human Resources application servers into a single OU. Creating a custom OU ensures that Group Policy can be applied uniformly only to the Human Resources application servers for the application of user rights at that OU.
  5. You must assign the service account the Log On As A Service and Act As Part Of The Operating System user rights.

Answers to Review Questions

  1. Universal groups are stored in the global catalog. Changes in membership of a universal group will cause WAN replication traffic as the modifications are replicated to all global catalog servers in the forest.
  2. If the universal group contains members who aren't from the same domain, this will prevent the conversion to a global group. By definition, global groups can only contain members from the same domain where the global group is defined.
  3. Eva didn't assign the user right that allows her account to log on locally at the correct location. Local policy is always overridden when Group Policy is defined at the site, domain, or OU. Because Eva can log on locally at all other servers, there must be an OU Group Policy that assigns the Log On Locally user right at the Marketing OU. Using another account, Eva must grant her account the Log On Locally user right at the Marketing OU.
  4. The Add Workstations To A Domain user right allows the assigned user to add only up to 10 computers within the domain. Since the contractor will be adding more computers than that to the domain, you must delegate the Create Computer Objects permission to the domain so that the contractor can continue to add newly created computers to the domain.

Chapter 6

Answers to Activity Questions

  1. Megan's effective permissions would be as follows:
    • Marketing: No access. Megan isn't a member of the Marketing project, the Marketing department, or management.
    • E-commerce: Based on NTFS permissions alone, Megan would have Modify permission through her membership in the E-commerce group, but her effective permission would be only Read, because the share permission is the more restrictive of the two.
    • PKI Deployment: Based on NTFS permissions alone, Megan would have Modify permission through her membership in the PKI Project group, but her effective permission would be only Read, because the share permission is the more restrictive of the two.
    • Windows 2000 Migration: Both NTFS permissions and share permissions offer Megan Read permissions for the Windows 2000 Migration folder. The IT Department is assigned the Read NTFS permission and the share permissions allow the Users group Read permissions.
  2. You must change the share permissions to allow Change permissions. You could do this in a number of ways. One way would be to grant the Users group change permissions for the Projects share. Alternatively, you could assign the four project teams (Marketing Project, E-commerce Project, PKI Project, and Migration Project) Change permission to the projects share.
  3. This wouldn't affect Megan's effective permissions because the Modify permissions assigned to the PKI Project and E-commerce Project teams are closer to the folder where the permissions are applied. These permissions would take precedence over the inherited permissions from the Projects folder.
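The three activity answers above apply one rule repeatedly: allow entries within a DACL accumulate, and when a folder is reached over the network the more restrictive of the share permission and the NTFS permission wins. The following Python model is an added example, not code from the book; it encodes that rule for the Projects share. The group memberships and the NTFS entries for each folder are constructed from the answers (Megan's membership in the E-commerce Project, PKI Project and IT Department groups is assumed, and a second user, Bob, is invented only so the Marketing entries are not empty).

```python
from enum import IntEnum


class Level(IntEnum):
    """Simplified access levels, ordered from least to most permissive."""
    NONE = 0
    READ = 1
    CHANGE = 2    # share "Change" and NTFS "Modify" are treated as the same rank
    FULL = 3


# Constructed group memberships (assumed for the activity scenario).
GROUPS = {
    "Users": {"Megan", "Bob"},
    "Marketing Project": {"Bob"},
    "Marketing Department": {"Bob"},
    "E-commerce Project": {"Megan"},
    "PKI Project": {"Megan"},
    "IT Department": {"Megan"},
}

# NTFS allow entries (principal, level) on each folder below the Projects share.
NTFS = {
    "Marketing": [("Marketing Project", Level.CHANGE), ("Marketing Department", Level.CHANGE)],
    "E-commerce": [("E-commerce Project", Level.CHANGE)],
    "PKI Deployment": [("PKI Project", Level.CHANGE)],
    "Windows 2000 Migration": [("IT Department", Level.READ)],
}

# Share permissions on the Projects share itself (the activity's starting point).
PROJECTS_SHARE = [("Users", Level.READ)]


def principals_for(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def highest_allowed(acl, user):
    """Allow entries accumulate: the most permissive matching entry wins."""
    mine = principals_for(user)
    return max((lvl for who, lvl in acl if who in mine), default=Level.NONE)


def effective(ntfs_acl, share_acl, user, over_network=True):
    """Over the network the more restrictive of share and NTFS applies;
    a local logon is governed by NTFS permissions alone."""
    ntfs = highest_allowed(ntfs_acl, user)
    if not over_network:
        return ntfs
    return min(ntfs, highest_allowed(share_acl, user))


def report(user, share_acl=PROJECTS_SHARE):
    """Effective level for every folder under the share, for one user."""
    return {folder: effective(acl, share_acl, user) for folder, acl in NTFS.items()}


if __name__ == "__main__":
    for folder, lvl in report("Megan").items():
        print(f"{folder:24} {lvl.name}")
    # Activity question 2: raising the share permission to Change lets NTFS Modify through.
    for folder, lvl in report("Megan", [("Users", Level.CHANGE)]).items():
        print(f"{folder:24} {lvl.name}  (share permission = Change)")
```

Running `report("Megan")` with the default share returns Read for the three folders Megan can reach and no access for Marketing; with the share raised to Change, the two folders where she holds NTFS Modify move to Change while Windows 2000 Migration stays at Read, which is the point of activity questions 1 and 2.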

Answers to Exercise 1 Questions

Planning Share Security

  1. The Users domain local group must be assigned the Change permission. This permission allows users to read, create, modify, and delete documents in their personal folders. It also allows them to create, modify, and delete personal documents in the transfer folder. In addition, the Administrators group requires Full Control permissions to the shared folder to allow them to manage permissions and documents in the hierarchy.
  2. You should set the share permissions for each username share so that there is only a single entry: the user for whom the folder is named has Change permission. This ensures that only that user can connect to the share.
  3. You don't have to create individual user folders if all client computers are running Windows 2000. If they are, the users could connect to \\server\users\username and this would be established as an artificial root directory. Previous versions of Windows didn't provide this functionality.

Planning NTFS Security

  1. Contoso requires that only the creator of a document should be allowed to modify the file; all other users of that file are restricted to Read permissions. This circumstance requires that you define special permissions for the Transfer folder.

  2. Folder                 Permissions
     D:\Users               Administrators: Full Control
                            Users: List Folder Contents
     D:\Users\User1         User1: Modify
     D:\Users\User2         User2: Modify
     D:\Users\User3         User3: Modify
     D:\Users\Transfer      Creator Owner: Modify
                            Transfer Admins: Modify
                            Users: Read
                            Users: Create Files

    The d:\users folder requires that only administrators have Full Control permission. This permission will be inherited by all other folders in the hierarchy by default and doesn't have to be assigned elsewhere. Likewise, users require only the List Folder Contents permission to see the folders that they have permission to access.

    The individual user accounts are the only security principals that require access to their individual home directories. Modify permissions will meet security requirements. If you assign Full Control permissions, this could result in the user changing the permissions to allow other users access to the home folder.

    The transfer folder requires the use of special permissions. Assigning Read and Create Files permissions to the Users group allows users to create new files and read existing files. By making use of the special group Creator Owner, you can allow the creator of the document to have Modify permissions; the Creator Owner entry is resolved by examining each document to determine who owns it. Finally, the Transfer Admins domain local group also requires Modify permissions to manage documents in the Transfer folder.

  3. In Active Directory Users And Computers, the home directory attribute is defined in the Account tab of the individual user's Properties dialog box.

Answers to Exercise 2 Questions

  1. By changing the printer permissions for the Legal printer, you can create a domain local group that will have Print permissions to the legal department. The Everyone group should be removed from the DACL so that the Everyone group no longer has Print permissions.

  2. Group                  Permissions
     Administrators         Print, Manage Printers, Manage Documents
     Print Operators        Print, Manage Printers, Manage Documents
     Legal Department       Print
     Creator Owner          Manage Documents
  3. The Legal printer must be physically placed in a location that's accessible only by authorized users. This could be as simple as putting the printer in a room that requires a card key, a PIN code, or another method of identification to enter the room.
  4. You can define IPSec to protect all print jobs submitted to the Legal printer. To provide total end-to-end protection, the Legal printer must be directly attached to the print server hosting the Legal printer. At this time IPSec-aware network cards for printers aren't available. If the printer is a network-attached printer, the print job would be vulnerable to inspection by a network sniffer as it's sent from the print server to the network printer. Network sniffers are able to view the contents of unencrypted data packets as they're transmitted across the network.

Answers to Exercise 3 Questions

  1. In Active Directory you must create a separate OU in each domain for laptop computers. The OU might or might not have additional child OUs defined to separate the laptop computers by department. The separate OU is required so that a Group Policy object can be defined that will implement an EFS recovery agent.
  2. The Group Policy object must be linked to OU=Laptops, OU=Corporate Computers, DC=london, DC=contoso, DC=tld. You don't need to apply it at the two child OUs because Group Policy inheritance results in the Group Policy being applied to both child OUs.
  3. In the Default Domain policy, the existing EFS recovery agent must be deleted from Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents. Be sure to save this as an empty set, and don't delete the entire policy. Only an empty set prevents EFS encryption from being performed.
  4. The EFS recovery private key can be stored in a PKCS #12 file on a removable medium such as a Jaz drive, a floppy disk, or a CD-ROM. Then it can be stored in a safe that requires two-factor authentication. For example, each administrator might know only half of the safe's combination so neither can open the safe without the other's cooperation.
  5. During the export process you can protect the private key with a password. Unless you know the password, you can't extract the private key from the PKCS #12 file.

Answers to Review Questions

  1. Yes. If Scott's computer dual boots with Windows 98, the C drive must be either FAT or FAT32. This means that Scott can't define NTFS permissions to further secure the data. If anyone were to log on locally at Scott's computer, that person could access the contacts database and either delete it or modify entries.
  2. The default Share permissions allow the Everyone group the Full Control permission. If Bob hasn't configured NTFS permissions to allow only his and Brian's accounts access, then anyone on the network can access documents in the newly shared folder. Leaving the default Share permissions forces you to have exact NTFS permissions.
  3. Network print devices currently don't have IPSec capabilities. While IPSec protects data transmissions from the client computers to the print server, it can't be used to protect the data transmission to the network print device. To provide the required level of security, the print device must be locally attached to the print server.
  4. The administrator of the domain can open all encrypted files on the network. Many people consider this counterproductive to security. To better secure EFS recovery, you must define a separate EFS recovery agent and you must export the private EFS recovery key to removable storage for use in the future.
  5. This proposal won't work because EFS is based on a single user's private key to decrypt the file encryption key. The only way to share the document securely is to store the document on an NTFS partition and configure NTFS permissions to allow the two users only Modify access to the document. No other accounts should have access to the document.

Chapter 7

Answers to Activity Questions

  1. The application of software can be either a computer or a user setting in Group Policy. This makes troubleshooting this problem more complicated.
  2. If the software is assigned in user configuration, Don's user account probably wasn't moved to the Accounting OU from the Human Resources OU. This results in the Group Policy still being applied to his user account. If the software is assigned in computer configuration, Don's computer account probably wasn't moved to the Accounting OU and the Human Resources Group Policy is still being applied to his computer.
  3. Don's user account must still be a member of the Human Resources domain local group. Group membership deletions are commonly missed when a user is transferred from one department to another.

Answers to Exercise 1 Questions

  1. Assuming that you don't want to implement the Block Policy Inheritance or No Override attributes, you could apply the Hide Entire Network Group Policy object at one of two locations: either at the domain (seattle.contoso.tld) or at the Seattle Users OU (OU=Seattle Users, DC=seattle, DC=contoso, DC=tld). Either location would affect all users in the domain.
  2. Within the Active Directory hierarchy, client computers could include both portable and desktop computers. Because of default inheritance, you'd have to apply the Group Policy object named "Rename Default Accounts" at both the Desktops OU (OU=Desktops, OU=Seattle Computers, DC=seattle, DC=contoso, DC=tld) and the Portables OU (OU=Portables, OU=Seattle Computers, DC=seattle, DC=contoso, DC=tld).
  3. You could apply the Disable Control Panel Group Policy object at either the domain (seattle.contoso.tld) or at the Seattle Users OU (OU=Seattle Users, DC=seattle, DC=contoso, DC=tld). Either location would affect all users in the domain.
  4. You would apply the Accounting Logon Script Group Policy object at the Desktops OU to meet design requirements. There isn't a separate OU that contains only computers for the Accounting department.
  5. Yes. The Hide Entire Network, Disable Control Panel, and Accounting Logon Script Group Policy objects all require security group filtering to fully meet design requirements.

Answers to Exercise 2 Questions

  1. You must configure security group filtering so that the Administrators group and a custom Domain Local group that contains the members of the IT department would have the Deny permission for Apply Group Policy. The Users or Authenticated Users group would have the Read and Apply Group Policy permissions. The Deny permission would take precedence over the Allow permissions.
  2. You must configure security group filtering so that the Administrators group and the Server Operators group would have the Deny permission for Apply Group Policy. The Users or Authenticated Users group would have the Read and Apply Group Policy permissions. The Deny permission would take precedence over the Allow permissions.
  3. You can't combine the two Group Policy objects into a single Group Policy object because the settings are applied to different sets of users. You can combine them into a single Group Policy object only if the Group Policy settings are to be applied to the same security groups.
  4. If you apply the Rename Default Accounts Group Policy object at the Seattle Computers OU, you have to apply security group filtering so that the Group Policy object is applied only to desktop and portable computers. This would require you to create two custom domain local groups that contain the computer accounts for all desktop and laptop computers in the domain. These domain local groups would require Read and Apply Group Policy permissions for the Group Policy object.
  5. Create another OU named Accounting below the Desktops OU and apply the Accounting Logon Script to the new OU.

Answers to Exercise 3 Questions

Determining Effective Group Policy Settings

  1. No. The Disable Control Panel policy is applied at the Seattle Users OU and by inheritance, Julie would be unable to access the Control Panel.
  2. No. The Hide Entire Network Group Policy is applied to the Sales OU and as a member of the Sales group, Julie wouldn't be able to access the Entire Network icon in My Network Places.
  3. Yes. The Enable Control Panel Group Policy is applied to the IT OU. This setting would have precedence over the Disable Control Panel Group Policy applied to the Seattle Users OU.

Determining the Effect of Blocking Policy Inheritance and No Override

  1. Yes. The Block Policy Inheritance setting would prevent the application of the Disable Control Panel Group Policy applied at the Seattle Users OU. This is true even though the Group Policy object applied at the Sales OU has nothing to do with the Disable Control Panel setting.
  2. No. The Hide Entire Network Group Policy is applied to the Sales OU and as a member of the Sales group, Julie wouldn't be able to access the Entire Network icon in My Network Places.
  3. The administrator could enable the No Override attribute for the Disable Control Panel at the Seattle Users OU to ensure that Block Policy Inheritance would have no effect on the child OUs.
  4. You must change the discretionary access control list (DACL) for the Disable Control Panel Group Policy object at the Seattle Users OU so that the IT Department is assigned the Deny permission for Apply Group Policy. This ensures that the Disable Control Panel Group Policy isn't applied to members of the IT Department.
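The two question sets above exercise the same precedence rules: processing runs site, domain, OU, child OU, with the closest link winning a conflict; Block Policy Inheritance drops every link from above except those marked No Override, which beat everything below them; and a Deny for Apply Group Policy removes a GPO from a user regardless of any Allow entries. The Python model below is an added example rather than anything from the book; it reproduces the Seattle Users / Sales / IT scenario and lets you flip each control and see which settings survive. The container names, the settings keys, and Julie's group memberships are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                       # setting name -> value
    no_override: bool = False            # "No Override" on the link
    # Security filtering: principals with Allow / Deny for Apply Group Policy.
    apply_allow: set = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: set = field(default_factory=set)

    def applies_to(self, principals):
        """Deny always wins over Allow; otherwise any matching Allow suffices."""
        if self.apply_deny & principals:
            return False
        return bool(self.apply_allow & principals)


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # GPOs linked here, in link order
    block_inheritance: bool = False


def resolve(chain, principals):
    """Return the GPOs that apply, in application order (later entries win).

    chain lists the containers from site/domain down to the object's own OU."""
    start = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            start = i            # drops non-enforced links from every container above
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for gpo in c.links:
            if not gpo.applies_to(principals):
                continue
            if gpo.no_override:
                enforced.append(gpo)   # immune to Block Policy Inheritance
            elif i >= start:
                normal.append(gpo)
    # Enforced links win over everything below them, and among enforced links
    # the one highest in the hierarchy wins, so apply them last, top-most last.
    return normal + enforced[::-1]


def effective_settings(chain, principals):
    """Fold the applying GPOs into one settings dictionary."""
    settings = {}
    for gpo in resolve(chain, principals):
        settings.update(gpo.settings)
    return settings


def build_chain(ou="Sales", block_on_ou=False, enforce_disable=False, deny_it_dept=False):
    """Constructed seattle.contoso.tld hierarchy from the exercise."""
    disable_cp = GPO("Disable Control Panel", {"control_panel": "disabled"},
                     no_override=enforce_disable,
                     apply_deny={"IT Department"} if deny_it_dept else set())
    domain = Container("DC=seattle,DC=contoso,DC=tld")
    seattle_users = Container("OU=Seattle Users", [disable_cp])
    if ou == "Sales":
        leaf = Container("OU=Sales", [GPO("Hide Entire Network", {"hide_entire_network": True})],
                         block_inheritance=block_on_ou)
    else:
        leaf = Container("OU=IT", [GPO("Enable Control Panel", {"control_panel": "enabled"})],
                         block_inheritance=block_on_ou)
    return [domain, seattle_users, leaf]


if __name__ == "__main__":
    julie = {"Julie", "Sales", "Authenticated Users"}
    cases = [("default inheritance", build_chain()),
             ("Sales OU blocks inheritance", build_chain(block_on_ou=True)),
             ("block, but Disable Control Panel is No Override",
              build_chain(block_on_ou=True, enforce_disable=True))]
    for label, chain in cases:
        print(f"{label}: {effective_settings(chain, julie)}")
```

With Julie in the Sales OU, the default run disables Control Panel and hides Entire Network (part 1, questions 1 and 2); blocking inheritance at Sales removes the Control Panel restriction (part 2, question 1); marking the link No Override brings it back (question 3); and a user carrying the IT Department Deny never receives it at all (question 4), which is also why the IT OU's Enable Control Panel wins in part 1, question 3.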

Answers to Review Questions

  1. Under the default inheritance model, the Group Policy settings applied at the OU where the object is located take precedence over settings applied at the domain.
  2. Yes. The Deny Apply Group Policy permission would supersede the Allow Apply Group Policy setting assigned to the Users group.
  3. No. You must apply account policy settings at the domain to affect all domain users. In this scenario the two domains would require you to configure account policy settings at the domain.
  4. You could apply Group Policy to the computer from the following locations:
    • The Corporate Site
    • The DC=abc, DC=com domain
    • The OU=Europe, DC=abc, DC=com OU
    • The OU=Lisbon, OU=Europe, DC=abc, DC=com
    • The OU=Accounting, OU=Lisbon, OU=Europe, DC=abc, DC=com
    • The OU=Computers, OU=Accounting, OU=Lisbon, OU=Europe, DC=abc, DC=com
  5. The Gpresult utility shows which Group Policy objects were applied to a user or computer. If you used GPRESULT /C /S, you'd receive a super verbose listing of all Group Policy objects applied to the computer.

Chapter 8

Answers to Activity Questions

  1. At first glance, the security template appears to prevent users from reusing passwords within 2 years. Passwords have a two-month maximum password age and password history is enforced at 12 passwords being remembered. Unfortunately, with the minimum password age set to be 2 days, a user can reuse a previous password within 24 days.
  2. You must increase the minimum password age to 60 days. In reality, a minimum password age of 30 days is probably all that's required, because after 30 days the user will probably be used to the new password and unwilling to change it. You would set the minimum password age at 60 days only if you require strict enforcement of the password reuse policy.
  3. The security template actually exceeds the minimum password length requirement.
  4. No. The security template stores passwords with reversible encryption, which weakens the security of passwords in Active Directory. You should use this setting only if you use Challenge Handshake Authentication Protocol (CHAP) for remote access or implement digest authentication for Web services.
  5. Yes. The proposed security template enables the use of complexity requirements for passwords. The enabling of complexity requirements ensures that passwords must contain three of the four components: uppercase letters, lowercase letters, numbers, and symbols. The complexity requirements also prevent users from using their account names as their passwords.
  6. Password policies are part of account policies within Group Policy. You must import the security template into the Default Domain Policy to ensure that all domain controllers enforce the password policy settings.

Answers to Exercise 1 Questions


  1. Server Classification   Total # of Computers
     Domain controllers      13 computers (2 in the contoso.tld domain, 2 in the london.contoso.tld domain, 5 in the seattle.contoso.tld domain, and 4 in the lima.contoso.tld domain)
     File and print servers  6 computers (2 in the london.contoso.tld domain, 2 in the seattle.contoso.tld domain, and 2 in the lima.contoso.tld domain)
     Mail servers            4 computers (1 in the contoso.tld domain, 1 in the london.contoso.tld domain, 1 in the seattle.contoso.tld domain, and 1 in the lima.contoso.tld domain)
     Terminal servers        3 computers (1 in the london.contoso.tld domain, 1 in the seattle.contoso.tld domain, and 1 in the lima.contoso.tld domain)
     Web servers             Two Web servers in a workgroup
     Sales force operations  Two servers in the contoso.tld domain

  2. Computer Type                                    Template      Installation Method
     Domain controllers (Windows NT 4.0 upgrades)     Basicdc.inf   Manual
     Domain controllers (new installations)           Defltdc.inf   Automatic
     Mail servers (new installations)                 Defltsv.inf   Automatic
     Client computers (new installations)             Defltwk.inf   Automatic
     Client computers (upgrades from Windows NT 4.0)  Basicwk.inf   Manual
     Client computers (upgrades from Windows 98)      Defltwk.inf   Automatic

Answers to Exercise 2 Questions

Determining Incremental Template Requirements

  1. No. Applying the High Security security template prevents down-level clients from participating in the network. When you apply the High Security security templates, only Windows 2000 computers can participate in the network.
  2. You could deploy the Secure security template to increase the security over the default level.
  3. The Nottssid.inf security template will remove the Terminal Services Users group from all DACLs. Removing this group from all DACLs will require users to have explicit permissions to resources on the terminal server.

Designing Custom Templates for Server Classifications

  1. Two. The account policy settings for password requirements must be applied at the domain, and the audit settings for the domain controllers must be applied at the Domain Controllers OU.
  2. The domain controller must configure Password Policy to require a minimum password length of eight characters and to enable password complexity requirements.
  3. Password policies are a subset of account policies, and to enforce them you must apply them at the domain by importing the security template into the Default Domain Policy.
  4. The domain controller must configure auditing for success and failure for account management and account logon events.
  5. You must import audit configuration to the Domain Controllers OU.
  6. Yes. You can define NTFS permissions in the security template and import them into each domain—as long as the NTFS permissions are consistent across the domains and use default security groups.

Extending the Security Configuration Tool Set to Support the Sales Force Operations Application

  1. No. You must extend the Security Configuration Tool Set to include additional registry settings.
  2. You must edit the Sceregvl.inf file to include the additional registry entries.

  3. [Register Registry Values]
     MACHINE\Software\Contoso\SFO\Parameters\EnableSSL,3,%SFOSSL%,0
     MACHINE\Software\Contoso\SFO\Parameters\SSLPort,4,%SFOPort%,1

  4. [Strings]
     SFOSSL = Enable SSL Encryption for Sales Force Operations
     SFOPort = Configure the SSL Listening Port for the Sales Force Operations Application

  5. You must reregister Scecli.dll by running the command REGSVR32 SCECLI.DLL.
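Answers 3 and 4 above extend Sceregvl.inf with two entries and their display strings. The Python parser below is an added example, not code from the book or from the Security Configuration Tool Set; it reads that INF fragment, resolves the %SFOSSL% and %SFOPort% tokens against the [Strings] section, and maps the numeric fields to names so the lines can be reviewed before Scecli.dll is re-registered. The registry-type numbers are the standard REG_* codes; the display-type mapping (0 = boolean, 1 = number, 2 = string, 3 = choices) is my reading of the file format and is marked as an assumption in the code. The first sample is the two lines from the answers; the second is a constructed fragment with two mistakes for the check function to flag.

```python
import re
from dataclasses import dataclass

# Registry value types: the standard REG_* numeric codes.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
# How the Security Templates snap-in displays the value. ASSUMPTION: this is my
# reading of the Sceregvl.inf format, not a mapping taken from the book.
DISPLAY_TYPES = {0: "boolean", 1: "number", 2: "string", 3: "choices"}

# Constructed sample: the two Sales Force Operations entries from the exercise answers.
SAMPLE_SCEREGVL = r"""
[Register Registry Values]
MACHINE\Software\Contoso\SFO\Parameters\EnableSSL,3,%SFOSSL%,0
MACHINE\Software\Contoso\SFO\Parameters\SSLPort,4,%SFOPort%,1

[Strings]
SFOSSL = Enable SSL Encryption for Sales Force Operations
SFOPort = Configure the SSL Listening Port for the Sales Force Operations Application
"""

# Constructed sample with two mistakes a reviewer should catch: a non-MACHINE
# path and a display-string token that has no [Strings] entry.
BAD_SCEREGVL = r"""
[Register Registry Values]
USER\Software\Contoso\SFO\Parameters\EnableSSL,3,%SFOSSL%,0
MACHINE\Software\Contoso\SFO\Parameters\SSLPort,4,%Missing%,1
[Strings]
SFOSSL = Enable SSL Encryption for Sales Force Operations
"""


@dataclass
class RegValueEntry:
    path: str
    reg_type: str
    display_name: str
    display_type: str
    options: list        # trailing fields, used by the "choices" display type


def parse_sections(text):
    """Split INF text into {section: [lines]}, ignoring blanks and ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_strings(lines):
    """[Strings] lines are Name = Value; surrounding quotes are dropped."""
    out = {}
    for line in lines:
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def resolve_tokens(value, strings):
    """Replace %Name% with its [Strings] value; unknown tokens are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: strings.get(m.group(1), m.group(0)), value)


def parse_sceregvl(text):
    """Parse [Register Registry Values] into RegValueEntry objects."""
    sections = parse_sections(text)
    strings = parse_strings(sections.get("Strings", []))
    entries = []
    for line in sections.get("Register Registry Values", []):
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 4:
            raise ValueError(f"malformed entry: {line}")
        path, reg_type, name, display = fields[:4]
        entries.append(RegValueEntry(
            path=path,
            reg_type=REG_TYPES.get(int(reg_type), f"unknown({reg_type})"),
            display_name=resolve_tokens(name, strings),
            display_type=DISPLAY_TYPES.get(int(display), f"unknown({display})"),
            options=fields[4:],
        ))
    return entries


def check_entries(entries):
    """Problems worth fixing before running REGSVR32 SCECLI.DLL."""
    problems = []
    for e in entries:
        if not e.path.startswith("MACHINE\\"):
            problems.append(f"{e.path}: expected a MACHINE\\ path")
        if "%" in e.display_name:
            problems.append(f"{e.path}: unresolved display string {e.display_name}")
    return problems


if __name__ == "__main__":
    for e in parse_sceregvl(SAMPLE_SCEREGVL):
        print(f"{e.path}\n  {e.reg_type}, shown as {e.display_type}: {e.display_name}")
    for problem in check_entries(parse_sceregvl(BAD_SCEREGVL)):
        print("problem:", problem)
```

For the two answer lines the parser reports EnableSSL as a REG_BINARY value shown as a boolean and SSLPort as a REG_DWORD shown as a number, with both display names resolved from [Strings]; the second sample yields two problems, one per mistake.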

Answers to Exercise 3 Questions

  1. You can import all the security templates into Group Policy, with the exception of the Web Server security template because the Web servers aren't members of the Windows 2000 domain structure. The Web servers are members of a workgroup.

  2. You can use the Secedit command with the /CONFIGURE parameter to ensure that the Web server security template is always applied to the Web servers. By using the Scheduled Tasks program in Control Panel, you can run the Secedit command at regular intervals.

Answers to Review Questions

  1. The Default security templates are applied automatically during a new installation of Windows 2000. You can apply Basic templates to Windows 2000 installations that are upgraded from Windows NT 4.0. The Basic template applies the default security of Windows 2000 to an upgraded computer. The main difference between the two templates is that the Basic template doesn't modify any existing user rights assignments.
  2. An upgrade from Windows 95 to Windows 2000 automatically uses the Defltwk.inf security template. This upgrade requires the file system to be upgraded to NTFS to ensure the highest level of security. In addition, any user accounts that were created in Windows 95 (if multiple profiles are enabled) are made members of the Administrators local group.
  3. By default, DACLs on the terminal server include the Terminal Server Users domain local group. This group includes all users who are connected to the terminal server. If you apply the Notssid.inf security template, the Terminal Server Users domain local group is removed from all DACLs and user access is based on the individual user accounts and their group memberships.
  4. You have three alternatives for configuring the application to run in a Windows 2000 environment. First, you can apply the Compatws.inf security template to the Windows 2000-based computers to downgrade security to emulate the default Windows NT 4.0 environment. Second, you can make the Domain Users global group a member of the local Power Users group. This group is security equivalent to the Users group in Windows NT 4.0. Finally, you can determine which areas of the disk and registry the application requires elevated access to. Once you determine these areas, you can modify permissions to allow the application to execute correctly.
  5. Because Novell NetWare 4.11 is your default network, you won't be able to use Group Policy to deploy the security template. In this case the easiest way to apply the security template would be to create a logon script that runs the Secedit command with the /CONFIGURE parameter.

  6. Setting                                      Rating (Below, Meets, Exceeds)   Rationale
     Enforce password history                     Exceeds                          The current settings remember the last 18 passwords, while the template recommends 0 passwords.
     Maximum password age                         Below                            The security template recommends changing passwords every 42 days, while the current settings require changing passwords every 70 days.
     Minimum password age                         Meets                            Both settings are 0 days.
     Minimum password length                      Exceeds                          The current settings require a minimum password length of seven characters, while the template allows NULL passwords.
     Passwords must meet complexity requirements  Exceeds                          The current settings require complex passwords, while the security template doesn't.
     Store passwords using reversible encryption  Below                            The current settings enable this option. Unless digest authentication or Challenge Handshake Authentication Protocol (CHAP) authentication is required, don't use this setting.
  7. You should design Active Directory so that an OU exists for each computer classification. By doing this, you can import the associated security template into the Group Policy object for the OU so that the template is applied to all computer accounts in the OU or within any sub-OUs.
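Activity questions 1 and 2 and review question 6 of this chapter come down to two computations: how soon a previous password can be reused under a given history and minimum-age combination, and whether each current setting is stronger or weaker than the template value, where the direction of "stronger" differs per setting and a maximum age of 0 means the password never expires. The Python helper below is an added example, not code from the book or from the Security Configuration Tool Set. The two policy objects are constructed from the numbers in those answers; the activity template's minimum length and the review template's values for complexity and reversible encryption are assumed from the ratings the answers give.

```python
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class PasswordPolicy:
    enforce_history: int        # passwords remembered
    max_age_days: int           # 0 means the password never expires
    min_age_days: int
    min_length: int             # 0 permits NULL (blank) passwords
    complexity: bool
    reversible_encryption: bool


# For each setting: True if a larger value is stronger, False if smaller is stronger.
HIGHER_IS_STRONGER = {
    "enforce_history": True,
    "max_age_days": False,
    "min_age_days": True,
    "min_length": True,
    "complexity": True,
    "reversible_encryption": False,
}

NEVER = 10 ** 9   # stand-in for "never expires" so that 0 compares as the weakest value


def days_until_reuse(policy):
    """Earliest point a user can cycle back to an old password: one change per
    minimum-age period until the remembered history has been flushed."""
    return policy.enforce_history * policy.min_age_days


def min_age_for_reuse_window(history, target_days):
    """Minimum password age needed so that reuse takes at least target_days."""
    return ceil(target_days / history) if history else None


def rate(current, template):
    """Rate each current setting Below / Meets / Exceeds against the template."""
    ratings = {}
    for name, higher_is_stronger in HIGHER_IS_STRONGER.items():
        cur, tpl = getattr(current, name), getattr(template, name)
        if name == "max_age_days":
            cur, tpl = (cur or NEVER), (tpl or NEVER)    # 0 = never expires
        if cur == tpl:
            ratings[name] = "Meets"
        else:
            ratings[name] = "Exceeds" if (cur > tpl) == higher_is_stronger else "Below"
    return ratings


# Constructed from the activity answer: 12 remembered, 60-day maximum, 2-day minimum
# (minimum length of 8 assumed; complexity and reversible encryption enabled).
ACTIVITY_TEMPLATE = PasswordPolicy(12, 60, 2, 8, True, True)
# Constructed from review question 6: current domain settings versus the template
# (the template's complexity and reversible-encryption values are assumed).
CURRENT = PasswordPolicy(18, 70, 0, 7, True, True)
TEMPLATE = PasswordPolicy(0, 42, 0, 0, False, False)

if __name__ == "__main__":
    print("reuse possible after", days_until_reuse(ACTIVITY_TEMPLATE), "days")
    print("minimum age for twelve 60-day cycles:", min_age_for_reuse_window(12, 12 * 60))
    for name, verdict in rate(CURRENT, TEMPLATE).items():
        print(f"{name:22} {verdict}")
```

The reuse calculation reproduces the activity's 24 days, the required minimum age for twelve 60-day cycles comes out at 60, and the ratings match the table in review answer 6, including the maximum-age case where a "never expires" value of 0 must be rated Below rather than Exceeds.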

Chapter 9

Answers to Activity Questions

  1. The external DNS server must host only the organization.tld domain.

  2. Host                   IP Address or Contents
     mail.organization.tld  131.107.2.45
     www.organization.tld   131.107.2.25
     ftp.organization.tld   131.107.2.24
     dns.organization.tld   131.107.2.20
  3. You must create a Mail Exchanger (MX) resource record that sets mail.organization.tld as the mail exchanger for the organization.tld domain. This action allows incoming e-mail to reach the organization.
  4. The internal DNS server must host only the ad.organization.tld domain.
  5. No. You could simply configure a forwarder so that unresolved DNS requests at the internal DNS server are forwarded to the external DNS server. This would be the case for any DNS queries for the organization.tld DNS domain because the internal DNS server wouldn't be authoritative for that zone.

  6. DNS Resource Record             IP Address or Contents
     mail.organization.tld           192.168.2.10
     MX record for organization.tld  mail.organization.tld

Answers to Exercise 1 Questions

  1. Yes. The DNS zone is configured to allow dynamic updates, rather than enforcing secure dynamic updates. This configuration doesn't meet the security requirement to allow only authenticated computers to register DNS resource records in the zone. Change the Allow Dynamic Updates option to Only Secure Updates to enforce security on DNS dynamic updates.
  2. The DNS servers for contoso.tld are currently available to requests from both internal and external DNS clients. Because contoso.tld is also the Active Directory forest root, this exposes their internal network addressing scheme.
  3. You must establish a separate DNS server for external queries to contoso.tld. The external DNS server requires that only the specified resource records are included in the zone data. All address information for the DNS zone must be external IP addresses, not internal IP addresses.
  4. Domain controllers in the London, Seattle, and Lima domains must configure secondary DNS zones for the contoso.tld DNS domain. Active Directory-integrated zones are stored in the domain naming context and can't be replicated outside of the domain. Only by using zone transfers can the data be made available in the child domains.
  5. You must restrict the properties for zone transfers of the contoso.tld domain so that zone transfers can be requested only by the following IP addresses: 172.28.5.2, 172.28.5.3, 172.28.9.2, 172.28.9.3, 172.28.13.2, and 172.28.13.3. You don't have to include the two DNS servers in the contoso.tld domain, because the zone information is replicated by using Active Directory replication.
  6. You must configure all DNS zones stored on the DNS servers in the London, Seattle, and Lima domains to prevent zone transfers.
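Exercise answers 2, 3, 5 and 6 describe two controls for the split external/internal DNS design: the external zone must carry only external addresses, and zone transfers must be limited to the listed secondary servers. The Python checks below are an added example, not from the book. The zone records are constructed from the Chapter 9 activity table with one deliberately leaked internal address added, the transfer allow list is the six addresses from answer 5, and the transfer request log is constructed to show what a request from an unlisted host looks like.

```python
import ipaddress

# Constructed external zone for organization.tld; the last record is a deliberate
# leak of an internal address, the mistake answer 3 warns against.
EXTERNAL_ZONE = [
    ("mail.organization.tld", "A", "131.107.2.45"),
    ("www.organization.tld", "A", "131.107.2.25"),
    ("ftp.organization.tld", "A", "131.107.2.24"),
    ("dns.organization.tld", "A", "131.107.2.20"),
    ("organization.tld", "MX", "mail.organization.tld"),
    ("intranet.organization.tld", "A", "192.168.2.10"),
]

# Secondary DNS servers permitted to request zone transfers (exercise answer 5).
ALLOWED_TRANSFER_PEERS = {
    "172.28.5.2", "172.28.5.3",
    "172.28.9.2", "172.28.9.3",
    "172.28.13.2", "172.28.13.3",
}

# Constructed log of zone-transfer requests seen at a contoso.tld DNS server:
# (source IP, zone requested). 10.0.0.99 is the unlisted host.
AXFR_LOG = [
    ("172.28.5.2", "contoso.tld"),
    ("172.28.13.3", "contoso.tld"),
    ("10.0.0.99", "contoso.tld"),
    ("172.28.9.2", "contoso.tld"),
]


def private_address_leaks(records):
    """Address records in an external zone that point at private (RFC 1918) space."""
    leaks = []
    for name, rtype, data in records:
        if rtype in ("A", "AAAA") and ipaddress.ip_address(data).is_private:
            leaks.append((name, data))
    return leaks


def unexpected_transfer_requests(log, allowed):
    """Zone-transfer requests from hosts not on the allow list. With the zone
    restricted as in answer 5 these are refused, but they are still worth reviewing."""
    return sorted({src for src, _zone in log if src not in allowed})


if __name__ == "__main__":
    for name, addr in private_address_leaks(EXTERNAL_ZONE):
        print(f"internal address in external zone: {name} -> {addr}")
    for src in unexpected_transfer_requests(AXFR_LOG, ALLOWED_TRANSFER_PEERS):
        print(f"zone transfer requested by unlisted host {src}")
```

Run against the constructed data the first check reports only the intranet record, and the second reports only 10.0.0.99; a clean external zone and a log containing only the six listed peers produce empty results from both.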

Answers to Exercise 2 Questions

  1. The DHCP Service at the Lima office is installed on a domain controller and is also a member of the DnsUpdateProxy group. Membership in this group prevents the DHCP server from taking ownership of the resource records it registers in DNS.
  2. The domain controller won't take ownership of the SRV resource records or any resource records that it registers in DNS. The resource records could be "hijacked" and replaced with incorrect address information.
  3. Move the DHCP Service to a member server, rather than hosting the DHCP Service on a domain controller.
  4. Only Windows 2000-based DHCP services can be registered in Active Directory. Previous versions of Windows DHCP services don't verify if they are authorized in Active Directory before activating their scopes. The same holds true for third-party DHCP services.
  5. Contoso must watch for symptoms of an unauthorized DHCP server. You can identify the unauthorized DHCP server by inspecting the IP configuration of a client that has received incorrect DHCP configuration information. You can't prevent unauthorized DHCP servers from issuing IP configuration information if they aren't Windows 2000-based.

Answers to Exercise 3 Questions

  1. The DACLs for the Templates subfolder within each RIS Image folder structure must be modified to allow read permissions to only members of the department who are associated with the RIS image. If the client can't read the Templates subfolder, the RIS image won't be presented to the client.
  2. Create a Windows 2000 security group that contains all user accounts that are members of the department. Create domain local groups for the Sales, Marketing, IT, and Accounting departments. For the specific image, only the domain local group allowed to install the image must be assigned Read permissions to the Template subfolder.
  3. No. Separate RIS servers must be deployed with each RIS server hosting only a single image. Configure each RIS server to create the computer account in the OU related to the RIS image hosted on that RIS server.
  4. Configure the RIS Server so that it doesn't respond to unknown client computers. Only client computers that have been prestaged with a computer account in Active Directory should be allowed to download RIS images.
  5. The Lima and Seattle domains must delegate the ability to modify the attributes of the prestaged computer accounts in the OU structure. If the user doesn't have this permission, the RIS client installation will fail.

Answers to Exercise 4 Questions

  1. No. You can assign only a single right for an SNMP community. The Public community covers the entire organization, but you can assign it only a single user right. You must add two additional communities, NetworkDevices and Windows2000, to assign permissions to the WAN management team and the Windows 2000 deployment team. The WAN management team requires Read-Write or Read-Create permissions for the community while the Windows 2000 deployment team requires Read-Only permissions.
  2. Public is the default community name deployed with SNMP. You should never use the Public community name on your network because this is the first community that SNMP attacks will use. To limit risk, you could assign this community the None permission.

  3. Community       Permissions
     Public          None
     NorthAmerica    Read-Only
     SouthAmerica    Read-Only
     Europe          Read-Only
     Windows2000     Read-Only
     NetworkDevices  Read-Write
  4. Configure each SNMP agent to accept SNMP requests only from approved SNMP management stations for the community. Configure the SNMP agent to send SNMP authentication traps to the designated SNMP management station for the community.
  5. Configure the Windows 2000 SNMP agents at the London office to be members of both the Windows 2000 and Europe communities. Because they're members of two communities, SNMP authentication traps must be sent to both the SNMP management stations for the Windows 2000 deployment team (172.16.3.254) and the London office (172.28.6.254).
  6. The Windows 2000 community is the only community that could use IPSec protection because it contains Windows 2000-based computers that all support IPSec. You must configure the IPSec security associations to encrypt only SNMP status messages and SNMP trap messages sent to the Windows 2000 deployment team SNMP management station. This action ensures that encryption isn't used for SNMP messages sent to other SNMP management stations.

Answers to Exercise 5 Questions

  1. Terminal Services must be installed in Remote Administration Mode. Only administrators of the network can use Terminal Services when it's configured in Remote Administration Mode.
  2. No. If you centrally enforce that the Winterm clients use the Time Billing application as their Terminal Services shell, then you will require a separate terminal server for the Windows for Workgroups clients.
  3. The Winterm clients can change the Winterm settings so that they don't use the Time Billing application as their shell. By configuring the setting at the terminal server, you can prevent the client from overriding the desired shell application.
  4. Apply the Notssid.inf security template to the terminal server that hosts the Windows for Workgroups clients to ensure that the Terminal Server Users group is removed from all DACLs.
  5. Configure the terminal server to use either medium or high security to ensure that traffic both to and from the terminal server is encrypted. Low encryption encrypts only data sent from the client to the terminal server.

Answers to Review Questions

  1. There are two possibilities. If the domain controller is hosting the DHCP Service and is a member of the DNSUpdateProxy group, the domain controller won't take ownership of its DNS resource records. Not taking ownership allows an unauthorized server to overwrite the resource records. The second possibility is that the DNS zone is not Active Directory-integrated or the zone isn't configured to allow Only Secure Updates. In either case, security isn't applied to the dynamic update process.
  2. This can happen if the Windows 2000 server is a stand-alone server that isn't a member of the domain and no DHCP servers that are already authorized in Active Directory are on the local network. In this situation the DHCP Service continues to run. The DHCP server still issues DHCPInform packets every five minutes to find an Enterprise directory service.
  3. In the NTFS partition where the images exist on the RIS server, you can change the DACLs on the Templates subfolder to allow only the authorized group to read the contents of the folder. By default, the Users domain local group has the necessary permissions.
  4. You must configure the RIS Server so that it doesn't install the computer accounts in the default location. Configure the RIS server to create the computer accounts in a specific folder location.
  5. Configure the SNMP agents to respond only to authorized SNMP management stations and enable SNMP authentication traps. When the unauthorized computer attempts an SNMP query, the SNMP agent sends an authentication trap to the configured SNMP management station.
  6. Configure Terminal Services to use Remote Administration Mode, which restricts access to members of the Administrators group while allowing a maximum of two simultaneous connections.
  7. This is expected behavior. Any network connections (including VPNs and dial-up connections) are shared by all Terminal Service clients (local and remote). The only way to prevent this would be to remove the modem from the server or have the manager use a different computer.

Chapter 10

Answers to Activity Questions

  1. Certificates issued by the Root CA can have a validity period of only up to two years. A CA cannot issue certificates that have a longer validity period than the certificate issued to the CA.
  2. Certificates issued by the Division CA can have a validity period of only up to two years. The certificate issued to the Division CA can only have a maximum validity period of two years. A CA cannot issue certificates with a validity period longer than the certificate issued to the CA.
  3. Certificates issued by the Department CA can have a validity period of only up to two years. The certificate issued to the Department CA can only have a maximum validity period of two years. This is because the Division CA can only issue CA certificates that have a validity period less than or equal to the validity period of its CA certificate. A CA cannot issue a certificate with a validity period longer than the certificate issued to the CA.
  4. The Root CA must have a validity period that is longer than the five-year validity period required by the Division CA.

Answers to Exercise 1 Questions

  1. A single CA structure can be defined to meet all Contoso Ltd. PKI requirements.
  2. You should remove the root CA from the network so that an administrator can only manage the root CA from the console of the root CA.
  3. Once all necessary certificates are issued by the root CA, you can protect the root CA from natural disaster by creating a system image of the root CA and storing the system image off-site.
  4. You should base the second level of the CA hierarchy on geography. Each office requires its own CA. Each CA could be named after the office where the CA is located.
  5. You should base the third level of the CA hierarchy on usage. This arrangement meets the design requirement to have a separate CA for each project.
  6. You should configure the top two levels of CAs as offline CAs. Offline CAs are always Standalone CAs.
  7. You should install the root CA using a Capolicy.inf configuration file. This configuration file ensures that the CRL publication point is set to a location that's available on the network when the root CA is removed from the network.

  8. (The answer to this question is a figure in the original and isn't reproduced here.)

Answers to Exercise 2 Questions

  1. Contoso should obtain the certificate for the Web servers hosting the subscription Web site from public CAs such as Verisign or Entrust. The private key and public key associated with the public CA certificate will be used to encrypt the session key that encrypts traffic between a Web client and the Web server.
  2. You should configure IIS to accept client certificates. This configuration allows the user to choose between certificate-based or user-entered authentication. When you configure IIS to require client certificates, only certificate-based authentication is supported.
  3. The issuing CA for the Web CAs should be a Standalone CA. Only a Standalone CA allows a certificate administrator to review certificate requests and either issue or deny the request based on the information provided by the customer in the Web-based form.
  4. The certificate mappings should be defined in IIS. This is the only server the certificates will use for authentication. There's no need to define the mappings in Active Directory.
  5. One-to-one mappings are required for the subscription Web site. Each user will have a unique subscription. Because of this, all users must have their own certificates and user accounts.
  6. You should define the CRL publication schedule as a value less than 24 hours. This setting ensures that certificate revocations are effective within a day.
  7. Every hour, clients and the subscription Web server would have to download an updated version of the CRL. If an average of 10 certificates are revoked in a single day, the size of the CRL would grow rapidly and require lots of network traffic to download the updated CRL.

Answers to Exercise 3 Questions

  1. A cross-certification hierarchy can be defined between the root CAs of the Northwind Traders and Contoso Ltd. CA hierarchies.
  2. The Contoso CA should trust only certificates issued by the Cooperation CA in the Northwind Traders CA hierarchy. The proposed solution will result in any certificates issued by any CA in the Northwind Traders CA hierarchy being trusted by clients in the Contoso forest.
  3. You can define a CTL that allows only certificates for the purpose of user authentication issued by the Cooperation CA to be trusted from the Northwind Traders CA hierarchy.
  4. You can configure a many-to-one mapping to allow any users who've received a certificate from the Cooperation CA to be mapped to an account created at the Web server.
  5. You could define the account mapping in IIS because the Web server is located in the extranet and may not have access to Active Directory to determine the account mapping.
  6. You must trust that the CA administrator in the other organization maintains the CA and that only approved users for the project have acquired Web authentication certificates from the partner's CA.

Answers to Review Questions

  1. You can restore the root CA from backup if the system state is included in the backup set. If the root CA also uses the Web enrollment pages, you also must include the IIS metabase in the backup set. Alternatively, you can back up the Certificate Services database from the Certification Authority console.
  2. You can remove Certificate Services from the root CA and then reinstall it. When the reinstallation takes place, you should reuse the previous private and public key of the root CA so that issued certificates aren't invalidated by the root CA's having a different private key.
  3. Amy's computer or the server hosting the Human Resources Web site has cached the previous version of the CRL. Even though the CRL has been updated, the Web server and the client computer won't download the updated CRL until the existing CRL expires in the local cache.
  4. The defined permissions allow any authenticated user on the network to request an enrollment agent certificate. An Enrollment Agent certificate allows a user to request certificates on behalf of other users. The DACL should be changed to only grant Authenticated Users the Read permission and to grant the SmartCardDeployment group Enroll permissions.
  5. The certificate mapping must be defined at the IIS server because the Web server isn't a member of the client's domain. Only domain members can take advantage of Active Directory mappings.
  6. The certificate mapping can be defined in Active Directory because the Web servers are located on the internal network and are probably members of the domain. Active Directory mapping allows the mappings to be defined only once and used throughout the domain. Only domain members can take advantage of Active Directory mappings.

Chapter 11

Answers to Activity Questions

  1. a. Eva's private key is used to encrypt the message digest that's used to determine authenticity and integrity of the digitally signed message. Eva's use of her own private key proves that the message can have originated only from her.
  2. b. Don must use Eva's public key to decrypt the message digest. Any time a private/public key pair is used, the other key in the key pair must be used to decrypt the encrypted payload.
  3. b. Don must use Eva's public key to encrypt the contents of an e-mail message sent to Eva. Using Eva's public key ensures that only Eva can decrypt the message.
  4. a. Eva must use her private key to decrypt the message content that was encrypted by using her public key. Only the matching key in a public/private key pair can be used to decrypt a message.
  5. a and d. Eva must use both her private key and Don's public key for this task. Eva's private key is used to encrypt the message digest that protects the message's contents for authenticity and integrity. Don's public key is then used to encrypt the message contents to protect the message from observation during transmission.
  6. b and c. Don must first use his private key to decrypt the message content. Once the message content is decrypted, he uses Eva's public key to decrypt the message digest that protects the message content from being altered during transmission.
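The key usage in answers 5 and 6, worked as an added example rather than anything from the book: Eva signs the message digest with her private key and encrypts the message with Don's public key; Don decrypts with his private key and then verifies the digest with Eva's public key. The block uses Go's standard RSA routines and encrypts the message directly with RSA-OAEP as the answers describe, which is a simplification of S/MIME (there, only a symmetric session key is RSA-encrypted).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SecureMessage is the envelope described in answers 5 and 6: the digest of the
// message is signed with the sender's private key (authenticity and integrity) and
// the message itself is encrypted to the recipient's public key (confidentiality).
type SecureMessage struct {
	Ciphertext []byte // message encrypted with the recipient's public key
	Signature  []byte // SHA-256 digest of the message, signed with the sender's private key
}

// NewKeyPair generates an RSA key pair for one participant (Eva or Don).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Send is Eva's side (answer 5): sign the digest with her private key, then encrypt the
// message with Don's public key. The message is RSA-OAEP encrypted directly, as the
// answers describe, so it must stay short (under 190 bytes for a 2048-bit key);
// S/MIME in practice encrypts a symmetric session key this way and the body with that key.
func Send(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (*SecureMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return &SecureMessage{Ciphertext: ct, Signature: sig}, nil
}

// Receive is Don's side (answer 6): decrypt with his private key first, because the
// signature covers the plaintext digest, then verify that digest with Eva's public key.
// Any other private key fails to decrypt, and any other sender's public key fails to verify.
func Receive(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, m *SecureMessage) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt with recipient key: %w", err)
	}
	digest := sha256.Sum256(pt)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], m.Signature); err != nil {
		return nil, fmt.Errorf("signature check with sender key: %w", err)
	}
	return pt, nil
}

func main() {
	eva, _ := NewKeyPair()
	don, _ := NewKeyPair()
	env, _ := Send(eva, &don.PublicKey, []byte("Meeting moved to 3pm"))
	pt, err := Receive(don, &eva.PublicKey, env)
	fmt.Printf("Don reads %q (err=%v)\n", pt, err)
}
```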

Answers to Exercise 1 Questions

  1. SMB signing ensures that mutual authentication takes place between a client and a server.
  2. Yes. Currently, two Windows 95-based computers require access to the PHOENIX server. Windows 95-based computers don't support SMB signing.
  3. The Group Policy object applied to the PHOENIX server must be configured to Digitally Sign Server Communication (When Possible). It can't be configured to always require digitally signed server communications, because that would prevent the Windows 95 clients from connecting to the server.
  4. The Windows 2000-based computers must have the Digitally Sign Client Communication (When Possible) security option enabled to allow SMB signing to be used when requested.
  5. Place the PHOENIX server in an OU that's assigned a GPO that has the Digitally Sign Server Communication (When Possible) security option enabled. All computers involved in the new magazine project should be placed in a separate OU that is assigned a GPO that has the Digitally Sign Client Communication (When Possible) security option enabled.
  6. You can change the GPO applied to the PHOENIX server to enable the Digitally Sign Server Communication (Always) security option. In addition, you must modify the registry on the Windows 98 computers to enable SMB signing. Since there are only two computers, you can perform this registry change manually.
  7. You must configure NTFS permissions to allow only project team members access to all data stored on the PHOENIX server.

Answers to Exercise 2 Questions

  1. You must determine which e-mail applications are being used by the lawyers and Contoso to ensure that a common e-mail protection protocol can be used. The choice is between PGP and S/MIME.
  2. The CA certificates and CA certificate revocation lists must be published to an external location so the lawyers can verify the CA certificates and the certificate revocation status of the certificate used to sign and encrypt messages.
  3. The Contoso employees can send a digitally signed message to the lawyers. The digitally signed message will include the certificate with the message. One of the attributes of the certificate is the public key associated with the certificate.
  4. Each lawyer must send a digitally signed message to each Contoso employee instructing that employee to distribute the lawyer's public key. Because the lawyers and the Contoso employees don't share a common directory, public keys must be manually exchanged.
  5. Exchange stores public key information in either the Exchange directory (for Microsoft Exchange Server 5.5) or in Active Directory (Exchange 2000 Server). Clients can acquire another user's public key by querying the directory.
  6. The message must be both digitally signed and encrypted when sent to the lawyers. The digital signature protects the message from modification and the encryption protects the message from inspection.

Answers to Exercise 3 Questions

  1. No. Only the subscription and back-issue ordering Web pages require SSL encryption. You could leave the rest of the site unprotected.
  2. You can configure the Web server to require 128-bit encryption when using SSL.
  3. Because the Contoso Web site will be involved in an e-commerce project, you should acquire the Web server certificate from a third-party CA or public CA such as Verisign or Entrust. Using a public CA increases consumer confidence in the Web site.
  4. The digital certificates for customers should be issued by a privately managed CA within the Contoso organization. By using a private CA, Contoso can reduce the time it takes to revoke an issued certificate.
  5. You must make the CRL for the issuing CA and the CRLs for any other CAs in the CA hierarchy publicly available on the Internet to ensure availability to customers. In addition, you need to adjust the CRL publication period so that cached versions of the CRLs don't create a long period between the certificate revocation and its recognition by all PKI participants.

Answers to Review Questions

  1. To use e-mail balloting, you must address several issues. You have to establish a registration system to acquire certificates for the voters. The voters require a private key to digitally sign their vote. You could do this by creating an SSL-protected Web site where voters register for a certificate. The voting system requires both digital signatures and mail encryption. The digital signature would provide authenticity for the voter. The mail encryption protects the vote from being read as it's transmitted to the voting committee. The voter also requires the public certificate from the voting station so that the message can be encrypted.
  2. You can configure the PROJECT1 server to Digitally Sign Server Communications (Always) because Windows 98, Windows NT 4.0, and Windows 2000 all support SMB signing. You must also enable the client operating systems for SMB signing or the connection attempts will fail.
  3. You must configure the PROJECT1 server to Digitally Sign Server Communications (When Possible) because Windows 95 clients don't support SMB signing. This setting allows Windows NT 4.0- and Windows 2000-based computers to use SMB signing but still allows Windows 95 clients to connect without using SMB signing.
  4. The e-mail applications may not support the same protocol for mail signing and encryption. If one e-mail application supports only PGP and the other supports only S/MIME, secure e-mail exchange isn't possible.
  5. The CRLs and certificates for your certificate's certificate chain aren't available to the business associate over the Internet. If the CRL isn't available for the issuing CA (or any other CAs up to the root of the CA hierarchy) certificate revocation checking will fail and invalidate the certificate.
  6. The gas company has enabled the requirement for browsers to support 128-bit encryption. The clients who can't connect don't have the high encryption packs installed. For Windows 98 and Windows NT 4.0, the clients must install the strong encryption patch for their browsers. For Windows 2000, this involves the installation of the High Encryption Pack for Windows 2000. The gas company can make the installation easier by creating a Web page with links to the browser's download sites for the encryption packs.

Chapter 12

Answers to Activity Questions

  1. You can't use IPSec in this case because Windows NT 4.0 server doesn't support it. You can use IPSec only between operating systems that support it. In this scenario you could use SMB signing to provide the same functionality provided by IPSec AH.
  2. No. The IP addresses shown in Figure 12.17 indicate that the firewall in this scenario is performing NAT, and IPSec can't pass through firewalls that perform NAT. You can tell the firewall is performing NAT because the server is using an external IP address and the client computer is assigned an RFC 1918 address in the 192.168.0.0/16 network.
  3. Yes. In this scenario, although both the client and server are using RFC 1918 addressing, the firewall isn't performing NAT services. NAT services are performed only when one interface of the firewall uses private network addressing as defined in RFC 1918 and the other interface uses public network addressing.
  4. No. The dual-homed computers connecting to the Internet are performing NAT, and IPSec can't pass through the NAT servers.
  5. You could configure IPSec tunnel mode between the perimeter servers at each office. Even though the two perimeter servers are performing NAT, the IPSec tunnel would terminate before the NAT process is performed against the incoming data packets.

Answers to Exercise 1 Questions

Designing IPSec Policies for the Web Server

  1. You can apply IPSec to the Web server and protect data streams between the internal network and the DMZ. Both the internal network and the DMZ use RFC 1918 addressing, which indicates that the internal firewall isn't performing NAT. In addition, it's a good idea to protect ports exposed to the Internet by using IPSec to ensure that protection is provided in the event an attack is launched from within the DMZ.
  2. No. The external firewall is performing NAT. IPSec is unable to pass through a firewall or perimeter server that performs NAT.
  3. The protected data streams require both AH and ESP protocol protection. To prevent source routing attacks, the entire packet must be signed. Only AH applies the digital signature to all fields in a packet (excluding mutable fields). ESP is required to encrypt the data that's transmitted between the internal administrator computers and the Web server.
  4. All IPSec filters for the Web server must use IPSec transport mode. You don't need to implement IPSec tunnel mode for the solution.

  5. Protocol   Source IP       Destination IP   Protocol   Source Port   Destination Port   Action
     HTTP       Any             My IP address    TCP        Any           80                 Permit
     HTTPS      Any             My IP address    TCP        Any           443                Permit
     SQL-Data   My IP address   172.30.10.10     TCP        Any           1433               Negotiate
     Any        172.30.0.0/16   My IP address    Any        Any           Any                Negotiate
     Any        Any             My IP address    Any        Any           Any                Block
  6. You must enable the option to mirror the listed rules. Mirroring ensures that response packets are also secured based on the action defined for the protocol.
  7. The administrator computers must authenticate with the Web server by using public key authentication. Kerberos can't be used in this scenario because the Web server isn't a member of the contoso.tld forest. Only members within the same forest can use Kerberos authentication. Using a preshared key isn't considered a highly secure authentication method.
  8. Both the connections to the SQL server and connections from administrators require the use of 3DES encryption. The IPSec encryption algorithms should be edited to accept only connections that support 3DES. This ensures that DES encryption isn't supported.
  9. All participating computers require the installation of the Windows 2000 High Encryption Pack. Windows 2000-based computers support 3DES and 128-bit encryption with the High Encryption Pack installed.
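The Web server filter list from answer 5 and the mirroring from answer 6, worked as an added example (this is not code from the book): each row is entered as data, a packet is matched against every row, and the most specific match decides the action. Assumptions: the Web server's own address is the constructed 203.0.113.10, and "most specific" is approximated by counting non-wildcard fields, which is enough to order the five rules above but is a simplification of how Windows 2000 ranks filters.

```go
package main

import (
	"fmt"
	"net"
)

// Filter is one row of the Web server filter list in answer 5. "Any" wildcards a field
// and "My IP address" is resolved against the Web server's own address at match time.
type Filter struct {
	Name, SrcIP, DstIP, Proto string
	SrcPort, DstPort          int // 0 means Any
	Action                    string
}

// Packet is the 5-tuple a filter is matched against.
type Packet struct {
	SrcIP, DstIP, Proto string
	SrcPort, DstPort    int
}

// WebServerFilters is the filter list from answer 5, entered as data.
var WebServerFilters = []Filter{
	{"HTTP", "Any", "My IP address", "TCP", 0, 80, "Permit"},
	{"HTTPS", "Any", "My IP address", "TCP", 0, 443, "Permit"},
	{"SQL-Data", "My IP address", "172.30.10.10", "TCP", 0, 1433, "Negotiate"},
	{"Any", "172.30.0.0/16", "My IP address", "Any", 0, 0, "Negotiate"},
	{"Any", "Any", "My IP address", "Any", 0, 0, "Block"},
}

// ipMatches compares a packet address against a filter address: wildcard, the
// server's own address, a CIDR block, or a single host.
func ipMatches(spec, myIP, addr string) bool {
	switch spec {
	case "Any":
		return true
	case "My IP address":
		return addr == myIP
	}
	if _, block, err := net.ParseCIDR(spec); err == nil {
		return block.Contains(net.ParseIP(addr))
	}
	return spec == addr
}

// matches reports whether p matches f and how specific f is (count of non-wildcard
// fields). Windows 2000 applies the most specific matching filter; this count is an
// assumed simplification of its ordering, sufficient for the list above.
func matches(f Filter, myIP string, p Packet) (bool, int) {
	if !ipMatches(f.SrcIP, myIP, p.SrcIP) || !ipMatches(f.DstIP, myIP, p.DstIP) ||
		(f.Proto != "Any" && f.Proto != p.Proto) ||
		(f.SrcPort != 0 && f.SrcPort != p.SrcPort) ||
		(f.DstPort != 0 && f.DstPort != p.DstPort) {
		return false, 0
	}
	score := 0
	for _, specific := range []bool{f.SrcIP != "Any", f.DstIP != "Any", f.Proto != "Any", f.SrcPort != 0, f.DstPort != 0} {
		if specific {
			score++
		}
	}
	return true, score
}

// Mirror adds, for every filter, the reverse rule (source and destination address and
// port swapped), which is what the mirror option in answer 6 does for response traffic.
func Mirror(filters []Filter) []Filter {
	out := make([]Filter, 0, 2*len(filters))
	for _, f := range filters {
		out = append(out, f, Filter{f.Name + " (mirror)", f.DstIP, f.SrcIP, f.Proto, f.DstPort, f.SrcPort, f.Action})
	}
	return out
}

// Decide returns the action and name of the most specific filter matching p, or
// matched=false when no filter applies (such traffic falls outside the IPSec policy).
func Decide(filters []Filter, myIP string, p Packet) (action, name string, matched bool) {
	best := -1
	for _, f := range filters {
		if ok, score := matches(f, myIP, p); ok && score > best {
			best, action, name, matched = score, f.Action, f.Name, true
		}
	}
	return
}

func main() {
	const myIP = "203.0.113.10" // constructed address for the Web server
	rules := Mirror(WebServerFilters)
	for _, p := range []Packet{
		{"198.51.100.7", myIP, "TCP", 40000, 80},   // inbound HTTP request from the Internet
		{myIP, "198.51.100.7", "TCP", 80, 40000},   // its response, matched via the mirrored HTTP rule
		{myIP, "172.30.10.10", "TCP", 50000, 1433}, // outbound SQL connection
		{"172.30.5.7", myIP, "TCP", 51000, 3389},   // administrator on the internal network
		{"198.51.100.7", myIP, "TCP", 4000, 25},    // unsolicited SMTP from the Internet
	} {
		action, name, ok := Decide(rules, myIP, p)
		fmt.Printf("%-14s -> %-14s %s/%d: %s (%s, matched=%v)\n", p.SrcIP, p.DstIP, p.Proto, p.DstPort, action, name, ok)
	}
}
```

Run against the unmirrored list, the HTTP response in main matches nothing, which is the gap mirroring closes.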

Designing IPSec Policies for the Sales Order Server

  1. You can apply IPSec to protect all data transmitted to the sales Application server. The secured segment and the public segments all use RFC 1918 addressing, so the firewall isn't performing any NAT services.
  2. The protected data streams require both AH and ESP protocol protection. The requirement to prevent replay attacks requires AH protection and the requirement to encrypt all data requires ESP protection.
  3. All IPSec filters for the sales Application server must use IPSec transport mode. You don't need to implement IPSec tunnel mode for the solution.

  4. Protocol        Source IP   Destination IP   Protocol   Source Port   Destination Port   Action
     Sales Updates   Any         My IP address    TCP        Any           77889              Negotiate
     Sales Queries   Any         My IP address    TCP        Any           77890              Negotiate
     Any             Any         Any              Any        Any           Any                Block
  5. The administrator computers must authenticate with the sales Application server by using Kerberos authentication. Kerberos is the default authentication protocol and all computers will have accounts in the domain that will allow Kerberos authentication to be implemented.
  6. The firewall must be configured to pass ISAKMP packets (UDP port 500), IPSec AH packets (Protocol ID 51), IPSec ESP packets (Protocol ID 50), and Kerberos packets (UDP port 88 and TCP port 88).
  7. The firewall loses the ability to determine which protocols are encrypted by IPSec. The firewall will only recognize the packets as ESP-encrypted packets and won't know what protocol is being passed through the firewall.

Answers to Exercise 2 Questions

  1. You can place the administrator computers that will connect to the Web server from the London site in an OU that has the Client (Respond Only) default IPSec policy assigned. This policy allows the computers to use IPSec when requested.
  2. Certificates must be deployed to both the Web server and to the administrator computers at the London office. All involved computers will require a computer certificate or an IPSec certificate for authentication purposes.
  3. You can define a custom Group Policy object that both configures an automatic certificate request for an IPSec certificate and assigns the Client (Respond Only) IPSec policy. You can then modify the permissions for the Group Policy object to allow only the Web Server Administrators group the Read and Apply Group Policy permissions. This limits access to only the designated computers.
  4. You must modify the permissions on the IPSec certificate template to grant the Web Server Administrators group Read and Enroll permissions. Additionally, you must configure an Enterprise CA on the network to include the IPSec certificate template in its Policy Settings so that the CA can issue IPSec certificates.
  5. Since the SA isn't being established, you must determine what's causing the SA to fail. You can test authentication by applying a filter different from the one for the Web server. This ensures that authentication isn't causing the problem. For this problem, you may have to look at the Oakley logs to determine why the negotiation fails. The most likely cause of failure is that the Windows 2000 High Encryption Pack hasn't been applied to the newly installed computer. The SA for the IPSec filter requires 3DES encryption. Only computers with the Windows 2000 High Encryption Pack can use 3DES for encryption purposes.

Answers to Review Questions

  1. Yes. ESP packets can be enabled to prevent replay attacks. ESP does this by using a combination of the SPI and sequence number fields. If the server receives a packet with a previously used sequence number for the SPI, the packet will be discarded.
  2. AH will prevent manipulation of the data during transmission, but AH doesn't offer any encryption services to the transmitted data. To fully meet the requirements, you must apply ESP.
  3. No. The solution prevents inspection of the files only as they are transmitted through the IPSec tunnel. The data can still be inspected on the Payroll LAN and on the external accounting company's LAN. To provide total encryption, the two companies could implement IPSec transport mode through the IPSec tunnel. This action allows end-to-end protection of the file against inspection as it's transmitted across the network.
  4. There are two solutions. The easiest one would be to stop or disable the Telnet service on the FTP server. Alternatively, you could assign an IPSec policy to the FTP server that blocks all connections to the Telnet port (TCP port 23). This action prevents all connections to the Telnet port, no matter where the attack is launched.
  5. Preshared key authentication data is often stored in plaintext at the host performing IPSec. While preshared keys offer the most flexibility for implementing IPSec, the risk that someone could copy the preshared key from the IPSec configuration and use it at another computer or network device is usually unacceptable in high security networks.
  6. When an IP packet is protected from modification, AH applies a digital signature to all fields in the IP packet except mutable fields. Mutable fields are fields that have values that must change as the data is transmitted across the network. For example, the Time To Live (TTL) field isn't included in the protected fields as the field decrements by one every time the IP packet crosses a router. If the TTL field were included in the protected fields, the packet would be invalidated if it were sent to any other network segments.
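The mutable-field rule in answer 6, worked as an added example (not code from the book): the integrity check is computed over an IPv4 header with TOS, flags, fragment offset, TTL and header checksum zeroed, so a router decrementing TTL (and recomputing the checksum) leaves the check intact while a rewritten destination address breaks it. The HMAC-SHA256 ICV and the key are constructed for the demonstration; real AH uses a 96-bit truncated HMAC and also covers the AH header itself.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// IPv4Header holds the fields of a 20-byte IPv4 header without options.
type IPv4Header struct {
	TOS      uint8
	Length   uint16
	ID       uint16
	Flags    uint8  // 3 bits
	FragOff  uint16 // 13 bits
	TTL      uint8
	Protocol uint8
	Checksum uint16
	Src, Dst [4]byte
}

// Marshal serialises the header as it appears on the wire (version 4, IHL 5).
func (h IPv4Header) Marshal() []byte {
	b := make([]byte, 20)
	b[0] = 0x45
	b[1] = h.TOS
	binary.BigEndian.PutUint16(b[2:], h.Length)
	binary.BigEndian.PutUint16(b[4:], h.ID)
	binary.BigEndian.PutUint16(b[6:], uint16(h.Flags)<<13|h.FragOff&0x1fff)
	b[8] = h.TTL
	b[9] = h.Protocol
	binary.BigEndian.PutUint16(b[10:], h.Checksum)
	copy(b[12:], h.Src[:])
	copy(b[16:], h.Dst[:])
	return b
}

// HeaderChecksum is the RFC 791 one's-complement sum over the header, skipping the
// checksum field itself.
func HeaderChecksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		if i == 10 {
			continue
		}
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// AHInput returns what the integrity check covers: the header with the RFC 2402 mutable
// fields (TOS, flags, fragment offset, TTL, header checksum) zeroed, then the payload.
func AHInput(h IPv4Header, payload []byte) []byte {
	m := h
	m.TOS, m.Flags, m.FragOff, m.TTL, m.Checksum = 0, 0, 0, 0, 0
	return append(m.Marshal(), payload...)
}

// ComputeICV is a simplified integrity check value: HMAC-SHA256 over AHInput. Real AH
// uses a 96-bit truncated HMAC and also covers the AH header (SPI, sequence number);
// both are omitted here to keep the mutable-field point isolated.
func ComputeICV(key []byte, h IPv4Header, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(AHInput(h, payload))
	return mac.Sum(nil)
}

// VerifyICV recomputes the ICV on the received packet and compares in constant time.
func VerifyICV(key []byte, h IPv4Header, payload, icv []byte) bool {
	return hmac.Equal(icv, ComputeICV(key, h, payload))
}

// ForwardHop models a router: it decrements TTL and recomputes the header checksum,
// which is exactly why both fields must be excluded from the signed input.
func ForwardHop(h IPv4Header) IPv4Header {
	h.TTL--
	h.Checksum = 0
	h.Checksum = HeaderChecksum(h.Marshal())
	return h
}

func main() {
	key := []byte("constructed-demo-key")
	h := IPv4Header{Length: 25, ID: 1, TTL: 64, Protocol: 6, Src: [4]byte{10, 0, 0, 1}, Dst: [4]byte{10, 0, 0, 2}}
	h.Checksum = HeaderChecksum(h.Marshal())
	payload := []byte("hello")
	icv := ComputeICV(key, h, payload)
	hop := ForwardHop(ForwardHop(h))
	fmt.Println("after two routers, TTL", hop.TTL, "ICV valid:", VerifyICV(key, hop, payload, icv))
	hop.Dst = [4]byte{10, 0, 0, 3}
	fmt.Println("destination rewritten, ICV valid:", VerifyICV(key, hop, payload, icv))
}
```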

Chapter 13

Answers to Activity Questions

  1. The connection is failing because the connection attempt is using L2TP as the tunneling protocol and the remote access policy is configured to accept only PPTP connections. The automatic setting always attempts to use L2TP before using PPTP. Because both the VPN server and the VPN clients have computer certificates installed, the connection attempts to use L2TP as the VPN protocol.
  2. You could configure the VPN client's connection object to use PPTP rather than automatically determining the tunnel type. The automatic setting attempts to use L2TP because both computers have computer certificates installed.
  3. You could modify the conditions for the VPN Client Access remote access policy to allow both PPTP and L2TP connections or to allow only L2TP connections.
  4. Removing the computer certificate from either the VPN server or the VPN client results in the use of PPTP as the tunneling protocol. L2TP requires computer certificates to be used for authenticating the machine accounts involved in the L2TP connection attempt.

Answers to Exercise 1 Questions

Determining a Solution

  1. Contoso can enter into an agreement with an ISP, such as UUNet or America Online (AOL), that provides worldwide connectivity. The ISP can be used to provide local access phone numbers. Once connected to the Internet, remote clients can connect to their corporate office using a VPN connection.
  2. PPTP must be deployed to support both the Windows NT 4.0 and Windows 2000 Professional-based laptops.
  3. No. The VPN server is located behind a firewall that isn't performing NAT. The IP address of the VPN server doesn't fall into any of the RFC 1918 pools of IP addresses.
  4. You can configure RADIUS authentication at the ISP so that authentication requests are forwarded to an IAS server running at Contoso's London office.
  5. Separate remote access policies can be defined for each operating system. By placing the laptops into operating system-specific groups, you can define conditions that determine which remote access policy to apply to a remote access connection.

Designing the Firewall

  1. You must configure the firewall to allow traffic destined to the VPN server to pass through the firewall. For PPTP, this requires allowing data that's destined to TCP port 1723 on the tunnel server and uses protocol ID 47. For L2TP, data destined to UDP port 500 on the tunnel server using protocol ID 50 must be passed.
  2. No. The traffic will be encrypted within the VPN tunnel as it passes through the external firewall.
  3. Yes. Once the data reaches the tunnel server, it's unencrypted and transferred to internal servers through the internal firewall. Normal firewall processing can be performed to inspect all network traffic.

Designing Remote Access for Laptops Running Windows 2000 Professional

  1. You can create a group that contains only the sales force users that are running Windows 2000 Professional. You can then create a condition to allow access only if the users are members of the security group. You can apply an additional condition that requires the use of L2TP as the tunneling protocol. You can then configure the profile to match the requirements for connections using Windows 2000 Professional.
  2. You can configure the remote access policy profile to only accept EAP authentication using a smart card. This action ensures that smart cards are required.
  3. Smart card logon requires that each user has a certificate assigned to their smart card for user authentication. This can be done with either a smart card logon or a smart card user certificate. The VPN server must also have a computer certificate so that mutual authentication of the server can take place.
  4. Yes. Each laptop must be assigned a computer certificate to allow the machine accounts to be authenticated for the IPSec association.
  5. You can configure the remote access policy profile for Windows 2000 Professional clients to enforce the desired settings.
  6. You must configure the remote access policy profile to require EAP authentication using smart cards, to accept connections only if the strongest form of encryption is used, and to disconnect connections if they are idle for more than 30 minutes. Requiring the strongest form of encryption forces all connections to use 3DES encryption when using L2TP. The use of 3DES requires that the Windows 2000 High Encryption Pack is installed on the VPN server and on the remote access clients.
  7. You can configure a CMAK package that defines the required defaults for a remote access connection. By preventing user access to the tabs in the connection object where the defaults are defined, you can prevent the user from modifying the connection object.

Designing Remote Access for Laptops Running Windows NT 4.0 Workstation

  1. You can create a group that contains only the sales force users who are running Windows NT 4.0. You can then create a condition that allows access only if the users are members of the security group. You can apply an additional condition that requires the use of PPTP as the tunneling protocol. You can then configure the profile to match the requirements for connections using Windows NT 4.0 Workstation.
  2. You can configure the remote access policy profile for Windows NT 4.0 Workstation clients to enforce MS-CHAPv2 authentication for the VPN connection, to accept connections only if the strongest form of encryption available is used, and to disconnect connections if they are idle for more than 30 minutes. Requiring the strongest form of encryption forces all connections to use 128-bit MPPE encryption when using PPTP. The use of 128-bit encryption requires the 128-bit security patch to be applied to all Windows 98-based laptops and the Windows 2000 High Encryption Pack to be applied to the VPN server.

Identifying RADIUS Design Decisions

  1. A RADIUS proxy must be used at the ISP to forward RADIUS requests to an IAS server at the corporate network.
  2. The RADIUS proxy requires the sales force users to provide either a prefix or suffix that identifies the RADIUS server to which the authentication requests should be passed. You can define the RADIUS prefix or suffix in the CMAK package installed at the clients.
  3. You could place the RADIUS server on the internal network. This reduces the number of ports that must be opened on the internal firewall to allow RADIUS authentication requests to pass through the firewall.
  4. You would configure the VPN servers located at the London, Seattle, and Lima offices as RADIUS clients.
  5. Remote access policy is now defined at the IAS server on the corporate network, rather than at each of the VPN servers. This centralizes remote access policy definition and application.
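The realm-based routing that questions 1 and 2 describe, as an added example (not from the training kit). The routing table, server name, and user names are constructed; the proxy accepts either the prefix form (CONTOSO\user) or the suffix form (user@contoso.tld), looks the realm up, and rejects requests with no realm or an unknown realm instead of forwarding them to a default server.

```python
"""Realm-based routing for a RADIUS proxy (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    realm: str          # realm carried in the User-Name attribute
    server: str         # IAS/RADIUS server that owns the realm (constructed)
    strip_realm: bool   # remove the realm before forwarding to that server


# Constructed routing table: prefix realm "contoso" and suffix realm
# "contoso.tld" both belong to the corporate IAS server in London.
ROUTES = {
    "contoso": Route("contoso", "ias.london.contoso.tld:1812", True),
    "contoso.tld": Route("contoso.tld", "ias.london.contoso.tld:1812", True),
}

# CONTOSO\user or CONTOSO/user
_PREFIX = re.compile(r"^(?P<realm>[^\\/]+)[\\/](?P<user>.+)$")
# user@contoso.tld
_SUFFIX = re.compile(r"^(?P<user>[^@]+)@(?P<realm>[^@]+)$")


def split_realm(user_name: str):
    """Return (realm, bare user name); realm is None when no realm is present."""
    m = _PREFIX.match(user_name)
    if m:
        return m.group("realm").lower(), m.group("user")
    m = _SUFFIX.match(user_name)
    if m:
        return m.group("realm").lower(), m.group("user")
    return None, user_name


def route_request(user_name: str):
    """Decide where the proxy forwards an Access-Request.

    Returns (server, forwarded User-Name). A request without a realm, or with a
    realm the proxy doesn't know, is rejected locally: forwarding such requests
    to a default server would send credentials to the wrong realm.
    """
    realm, user = split_realm(user_name)
    if realm is None:
        raise ValueError(f"no realm in User-Name {user_name!r}; request rejected")
    route = ROUTES.get(realm)
    if route is None:
        raise ValueError(f"unknown realm {realm!r}; request rejected")
    forwarded = user if route.strip_realm else user_name
    return route.server, forwarded


if __name__ == "__main__":
    print(route_request("CONTOSO\\jsmith"))      # ('ias.london.contoso.tld:1812', 'jsmith')
    print(route_request("jsmith@contoso.tld"))   # same server, realm stripped
```

Whether the proxy strips the realm depends on what the destination server expects; the `strip_realm` flag is per route for that reason, and the CMAK package on the client decides which form (prefix or suffix) the user name carries.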

Answers to Exercise 2 Questions

  1. You must use L2TP/IPSec for the VPN between the London and Barcelona offices. Only L2TP/IPSec meets the requirement to authenticate both the computer accounts and the user accounts associated with the VPN. PPTP only authenticates user accounts and IPSec tunnel mode only authenticates computer accounts.
  2. Yes. If you configure a separate remote access policy that defines the connection from the Barcelona VPN server, you can define specific connection requirements for the VPN.
  3. You can configure the conditions for the remote access policy to identify the Barcelona server: set the tunnel type to L2TP and match the IP address of the Barcelona server. Note that the Client-IP-Address condition identifies the RADIUS client (the access server, which here is the London VPN server); the address of the calling Barcelona router is carried in the Calling-Station-ID attribute, so that is the condition to match against the Barcelona server's IP address. Together these conditions identify all connection attempts from the Barcelona VPN server.
  4. The tunnel servers must acquire computer certificates so that the IPSec agreements can be authenticated. L2TP requires that the machine authentication take place using certificates.
  5. You must configure the external interface of the Barcelona VPN server to accept only packets to and from the IP address of the London VPN server using UDP port 500 (IKE). Additionally, the packet filters must allow ESP packets to be exchanged between the two VPN servers; you do this by configuring a filter that allows IP protocol ID 50. The ESP packets carry the encrypted L2TP tunnel.
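A first-match evaluation of remote access policies in the style of Windows 2000 RRAS/IAS, covering the Barcelona site-to-site policy (question 3) and the laptop policies from the earlier activities, as an added example (not from the training kit). The policy names, group names, the Barcelona server address 131.107.77.5, and the profile settings are constructed; the condition names (Calling-Station-Id, Client-IP-Address, Tunnel-Type, Windows-Groups) are real remote access policy conditions, but the matching code is a simplification written for this example.

```python
"""First-match remote access policy evaluation (added example, constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    name: str
    conditions: dict             # every condition must match (logical AND)
    grant: bool
    profile: dict = field(default_factory=dict)


# Constructed policy list, in the order the access server evaluates it.
POLICIES = [
    # Calling-Station-Id carries the calling VPN router's IP address;
    # Client-IP-Address would identify the RADIUS client (the London VPN server).
    Policy("Barcelona site-to-site",
           {"Calling-Station-Id": "131.107.77.5", "Tunnel-Type": "L2TP"},
           grant=True,
           profile={"auth": "EAP-TLS", "encryption": "strongest"}),
    Policy("Sales laptops, Windows 2000",
           {"Windows-Groups": "Sales W2K Laptops", "Tunnel-Type": "L2TP"},
           grant=True,
           profile={"auth": "EAP-TLS smart card", "encryption": "strongest",
                    "idle_timeout_min": 30}),
    Policy("Sales laptops, Windows NT 4.0",
           {"Windows-Groups": "Sales NT4 Laptops", "Tunnel-Type": "PPTP"},
           grant=True,
           profile={"auth": "MS-CHAPv2", "encryption": "strongest",
                    "idle_timeout_min": 30}),
]


def condition_matches(attr: str, expected: str, request: dict) -> bool:
    """Match one policy condition against the connection request attributes."""
    if attr == "Windows-Groups":
        return expected in request.get("groups", ())
    if attr in ("Calling-Station-Id", "Client-IP-Address"):
        key = "calling_ip" if attr == "Calling-Station-Id" else "nas_ip"
        # accept a single host or a CIDR block in the condition
        return ip_address(request[key]) in ip_network(expected, strict=False)
    if attr == "Tunnel-Type":
        return request.get("tunnel") == expected
    raise KeyError(f"unsupported condition {attr}")


def evaluate(request: dict, policies=POLICIES):
    """Return (policy name, profile) from the first policy whose conditions all match.

    A matching policy that denies access returns (name, None). If no policy
    matches, the connection is rejected, which is the IAS default: (None, None).
    """
    for policy in policies:
        if all(condition_matches(a, v, request) for a, v in policy.conditions.items()):
            return policy.name, (policy.profile if policy.grant else None)
    return None, None


if __name__ == "__main__":
    barcelona = {"calling_ip": "131.107.77.5", "nas_ip": "131.107.100.3",
                 "tunnel": "L2TP", "groups": []}
    nt4_user = {"calling_ip": "198.51.100.20", "nas_ip": "131.107.100.3",
                "tunnel": "PPTP", "groups": ["Sales NT4 Laptops"]}
    print(evaluate(barcelona))                       # Barcelona site-to-site policy
    print(evaluate(nt4_user))                        # NT 4.0 laptop policy
    print(evaluate(dict(nt4_user, tunnel="L2TP")))   # (None, None): no policy matches
```

The last call shows why the tunnel-type condition is worth having: an NT 4.0 user who tries L2TP matches neither laptop policy and is rejected rather than silently getting a profile meant for another platform.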

Answers to Review Questions

  1. EAP provides support for additional authentication methods, including biometrics such as retinal scans. A retinal scan is a "something you are" factor: no two retinas are identical, and each approved retina pattern is associated with a user account in the domain. Combined with a second factor, such as the user's password or a smart card, it provides two-factor authentication.
  2. At first glance, you may want to deny remote access to the former employee's user account. This alone won't work if the former employee knows the account and password for other accounts with dial-in permissions. The best action in this case is to revoke the machine certificate issued to the former employee's computer (in addition to disabling the user account). Without a valid machine certificate, the connection will fail machine authentication and L2TP connections will be refused. The revocation takes effect only once the updated CRL is published and the VPN server checks it.
  3. Configure Group Policy to disable RRAS on all Windows 2000-based computers in the domain. You can enable RRAS for authorized servers by placing the servers in the same OU or in a common OU structure and applying a Group Policy object that enables RRAS.
  4. If you suspect the local phone company of inspecting data transmitted on your WAN links, the only solution is to enable encryption of confidential data as it's transmitted over the WAN link. You can use either IPSec or a tunnel solution to encrypt the transmitted data.
  5. Use the Connection Manager Administration Kit to create a connection profile that doesn't permit users to save their passwords for remote access connections. This precaution would prevent a thief from connecting to the corporate network using a stolen laptop.
  6. If the firewall protecting the VPN server implements NAT, you can use only PPTP as the VPN protocol. L2TP/IPSec and IPSec tunnel mode packets can't cross a firewall that performs NAT: the address translation invalidates IPSec's integrity protection, and for ESP traffic NAT can't see the transport-layer ports it uses to track sessions. (IPSec NAT traversal, which encapsulates ESP in UDP port 4500, later removed this restriction, but it isn't part of the Windows 2000 implementation described here.)

Chapter 14

Answers to Activity Questions

  1. Content scanning allows the content of an e-mail message to be scanned to determine if an attachment includes a virus. You could configure the firewall to strip any infected attachments from incoming messages and inform an administrator that an infected e-mail has entered the system.
  2. Configure static address mapping to translate any packets addressed to the external IP address of the Web server to the private network address of the Web server.
  3. Configure packet filtering at the firewall to only allow connections using authorized protocols. Any attempts to scan the external IP address at the firewall will identify only ports that are permitted by the packet filters.
  4. Use stateful inspection to track UDP exchanges. Both SNMP (UDP port 161) and SNMP traps (UDP port 162) are connectionless, so the firewall has no TCP handshake to tie packets together. Stateful inspection records the source and destination addresses and ports of each outbound SNMP request and accepts an inbound packet only if it answers a recorded request from the same peer, so the exchange stays between the two intended hosts and a third party can't inject replies into it. Note that traps are unsolicited: a trap sent to the management station has no preceding outbound request, so it still needs an explicit filter permitting UDP port 162 from the trap source to the management station.
  5. Configuring acceptable time-outs at the firewall for nonestablished sessions mitigates a SYN flood attack by dropping half-open session establishment exchanges. If the session isn't established within the defined interval, the session is dropped so that its resources are freed and other sessions can be established.
  6. NAT will protect the private network addressing scheme by replacing all private network IP addresses with a public network IP address configured in the NAT protocol. After the NAT process is completed, all outbound packets will have the same IP address.
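The stateful tracking of a connectionless SNMP exchange described in question 4, with the idle time-out from question 5, as an added example (not from the training kit). An inbound datagram is accepted only if it answers an outbound datagram the firewall has already seen, from the same peer and port, within the time-out. The addresses, ports and timestamps are constructed; the scenario includes a spoofed reply from a different host and a reply that arrives after the entry has expired.

```python
"""Stateful tracking of UDP pseudo-sessions with time-outs (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float   # arrival time in seconds (constructed)


class UdpStateTable:
    """Tracks (internal host, internal port, external host, external port) -> last seen."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self._table = {}

    def expire(self, now: float) -> int:
        """Drop entries idle longer than the time-out; return how many were dropped."""
        stale = [k for k, seen in self._table.items() if now - seen > self.timeout]
        for k in stale:
            del self._table[k]
        return len(stale)

    def outbound(self, d: Datagram) -> str:
        """A private-network host sends a request: record the pseudo-session."""
        self.expire(d.ts)
        self._table[(d.src, d.sport, d.dst, d.dport)] = d.ts
        return "Allow"

    def inbound(self, d: Datagram) -> str:
        """An external datagram is accepted only if it mirrors a recorded request."""
        self.expire(d.ts)
        key = (d.dst, d.dport, d.src, d.sport)
        if key not in self._table:
            return "Deny"       # unsolicited, spoofed, or the entry timed out
        self._table[key] = d.ts  # refresh the idle timer
        return "Allow"


def snmp_scenario():
    """Constructed exchange: a poll, its reply, a spoofed reply, and a late reply."""
    fw = UdpStateTable(timeout=30.0)
    poll = Datagram("10.0.0.5", 40001, "192.0.2.10", 161, ts=0.0)
    reply = Datagram("192.0.2.10", 161, "10.0.0.5", 40001, ts=0.2)
    spoof = Datagram("192.0.2.99", 161, "10.0.0.5", 40001, ts=0.3)   # wrong peer
    late = Datagram("192.0.2.10", 161, "10.0.0.5", 40001, ts=45.0)   # after time-out
    return [fw.outbound(poll), fw.inbound(reply), fw.inbound(spoof), fw.inbound(late)]


if __name__ == "__main__":
    print(snmp_scenario())   # ['Allow', 'Allow', 'Deny', 'Deny']
```

The spoofed reply is refused because the peer address is part of the key, not only the port pair; the late reply is refused because the entry expired, which is the same reaping that question 5 applies to TCP handshakes that never complete. Traps (UDP port 162) never appear in this table because nothing internal requests them, so they need their own static filter.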

Answers to Exercise 1 Questions

  1. Yes. Two different IP networks are exposed on the same DMZ segment. The VPN server has an address from the 131.107.100.0/24 network, while the other computers in the DMZ have addresses from the 172.29.100.0/24 network. Hosts from two address ranges shouldn't share one segment: the firewall can't apply NAT to one range and leave the other untranslated on the same interface.
  2. No. The VPN server must accept both PPTP and L2TP/IPSec connections. 172.29.100.206 is a private network address that requires NAT at the firewall for outgoing packets, and IPSec can't pass through a NAT service, so the L2TP/IPSec connections would fail.
  3. You must define an additional zone that uses public network addressing. You must place the VPN server in this zone so that NAT isn't applied to data entering and exiting this new zone. For this configuration to be possible with only two firewalls, the external firewall must support three NICs.

  4. The answer to this question is a network diagram that isn't reproduced in this text.

Answers to Exercise 2 Questions

Securing DNS Access


  1. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     DNS          172.30.1.2          Any          172.29.100.201   53           TCP        Allow
     DNS          172.30.1.2          Any          172.29.100.201   53           UDP        Allow
     DNS          172.30.1.3          Any          172.29.100.201   53           TCP        Allow
     DNS          172.30.1.3          Any          172.29.100.201   53           UDP        Allow
     DNS          172.30.0.0/16       Any          Any              53           TCP        Deny
     DNS          172.30.0.0/16       Any          Any              53           UDP        Deny

     The first two packet filters allow the ns2.contoso.tld server (172.30.1.2) to forward DNS queries to the ns.contoso.tld server (172.29.100.201). The third and fourth packet filters allow the ns1.contoso.tld server (172.30.1.3) to also forward DNS requests to the ns.contoso.tld DNS server. The last two packet filters prevent any other computers in the private network (172.30.0.0/16) from sending DNS queries through the internal firewall, which restricts DNS clients to using DNS servers on the private network. The mask is /16 rather than /24 because the private network hosts used throughout this exercise (172.30.1.2, 172.30.10.10, 172.30.40.40) don't fall within 172.30.0.0/24. Because the filters are processed in order, the two Deny filters must follow the four Allow filters.


  2. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     DNS          172.29.100.201      Any          Any              53           TCP        Allow
     DNS          172.29.100.201      Any          Any              53           UDP        Allow
     DNS          Any                 Any          172.29.100.201   53           TCP        Allow
     DNS          Any                 Any          172.29.100.201   53           UDP        Allow

     The first two packet filters allow the ns.contoso.tld server (172.29.100.201) to send DNS requests to any DNS service on the Internet, as required for a DNS server configured to use root hints. The last two packet filters allow DNS clients and servers on the Internet to send DNS queries to the ns.contoso.tld DNS server. The responses to the queries covered by the first two filters return from port 53 on the Internet server to an ephemeral port on ns.contoso.tld, so a firewall that doesn't track state also needs the corresponding response filters.

  3. Configure the ns.contoso.tld to allow only DNS zone transfers to recognized preconfigured secondary DNS servers. This configuration prevents an attacker from forcing a zone transfer to acquire all DNS resource records in the contoso.tld zone.

Securing Web Access


  1. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     IKE          172.29.100.204      500          172.30.10.10     500          UDP        Allow
     ESP          172.29.100.204      -            172.30.10.10     -            ID 50      Allow
     IKE          172.29.100.205      500          172.30.10.10     500          UDP        Allow
     ESP          172.29.100.205      -            172.30.10.10     -            ID 50      Allow
     IKE          172.30.10.200       500          172.29.100.204   500          UDP        Allow
     ESP          172.30.10.200       -            172.29.100.204   -            ID 50      Allow
     IKE          172.30.10.200       500          172.29.100.205   500          UDP        Allow
     ESP          172.30.10.200       -            172.29.100.205   -            ID 50      Allow
     HTTP         172.30.0.0/16       Any          172.29.100.202   80           TCP        Allow
     HTTPS        172.30.0.0/16       Any          172.29.100.202   443          TCP        Allow

     The first two packet filters allow the first node in the NLBS Web cluster (172.29.100.204) to establish an IPSec SA using ESP encryption with the SQL Server on the private network (172.30.10.10). The third and fourth packet filters allow the second node in the NLBS Web cluster (172.29.100.205) to do the same thing. The fifth through eighth packet filters allow the Web administrator's computer (172.30.10.200) to establish IPSec SAs using ESP encryption with the two nodes in the NLBS Web cluster. The last two packet filters limit access from the private network (172.30.0.0/16) to the NLBS cluster address (172.29.100.202) to HTTP and HTTPS only. The IKE and ESP filters are written for the direction in which each SA is initiated; IKE and ESP packets flow in both directions, so unless the internal firewall tracks state for UDP port 500 and protocol ID 50, you must also add the mirror-image filters (for example, IKE and ESP from 172.30.10.10 to 172.29.100.204 and 172.29.100.205).

  2. IPSec SAs must be established between computers. The Web administrator will be connecting to one of the two nodes in the NLBS cluster, not to the cluster itself, for management functions.
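An ordered packet-filter evaluation of the internal-firewall tables in this exercise, as an added example (not from the training kit). It encodes the DNS filters from Securing DNS Access question 1 and the first two IPSec filters from question 1 above, then evaluates constructed packets against them, first match wins, with an implicit deny when nothing matches. Two assumptions are built in: the private network is 172.30.0.0/16 (the mask the mail-server filter later in this exercise uses), and the firewall isn't stateful, which is what makes the direction of the ESP filters matter.

```python
"""Ordered packet-filter evaluation for the firewall tables above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP protocol numbers; the tables above write GRE and ESP as "ID 47" and "ID 50".
PROTO_NUM = {"TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                    # IP protocol number
    sport: Optional[int] = None   # None for protocols without ports (ESP, GRE)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    src: str        # host, CIDR block, or "Any"
    sport: str      # port number, "Any", or "-" (protocol has no ports)
    dst: str
    dport: str
    transport: str  # TCP, UDP, GRE, ESP, or Any
    action: str     # Allow or Deny

    def matches(self, p: Packet) -> bool:
        return (_addr_ok(self.src, p.src) and _addr_ok(self.dst, p.dst)
                and _port_ok(self.sport, p.sport) and _port_ok(self.dport, p.dport)
                and (self.transport == "Any" or PROTO_NUM[self.transport] == p.proto))


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "Any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(spec: str, port: Optional[int]) -> bool:
    return spec in ("Any", "-") or (port is not None and int(spec) == port)


def parse_table(table: str):
    """Rows in the column order of the tables above:
    Protocol, Source IP, Source Port, Target IP, Target Port, Transport, Action."""
    filters = []
    for line in table.strip().splitlines():
        _name, src, sport, dst, dport, transport, action = line.split()
        filters.append(Filter(src, sport, dst, dport, transport, action))
    return filters


def evaluate(filters, packet: Packet) -> str:
    """Action of the first matching filter; implicit Deny when none matches."""
    for f in filters:
        if f.matches(packet):
            return f.action
    return "Deny"


# Internal firewall, Securing DNS Access question 1, in the order given there.
DNS_FILTERS = parse_table("""
DNS  172.30.1.2     Any  172.29.100.201  53  TCP  Allow
DNS  172.30.1.2     Any  172.29.100.201  53  UDP  Allow
DNS  172.30.1.3     Any  172.29.100.201  53  TCP  Allow
DNS  172.30.1.3     Any  172.29.100.201  53  UDP  Allow
DNS  172.30.0.0/16  Any  Any             53  TCP  Deny
DNS  172.30.0.0/16  Any  Any             53  UDP  Deny
""")

# Internal firewall, Securing Web Access question 1: first NLBS node to SQL Server.
IPSEC_FILTERS = parse_table("""
IKE  172.29.100.204  500  172.30.10.10  500  UDP  Allow
ESP  172.29.100.204  -    172.30.10.10  -    ESP  Allow
""")


def dns_query(src: str, filters=DNS_FILTERS) -> str:
    """UDP query from an ephemeral port on src to ns.contoso.tld."""
    return evaluate(filters, Packet(src, "172.29.100.201", 17, 1025, 53))


def esp(src: str, dst: str, filters=IPSEC_FILTERS) -> str:
    return evaluate(filters, Packet(src, dst, 50))


if __name__ == "__main__":
    print("ns2 -> ns:", dns_query("172.30.1.2"))                # Allow
    print("workstation -> ns:", dns_query("172.30.10.77"))      # Deny
    # Order matters: with the Deny rows first, ns2 is denied as well.
    print("ns2, Deny first:", dns_query("172.30.1.2", DNS_FILTERS[4:] + DNS_FILTERS[:4]))
    # Direction matters: the table only covers traffic the Web node initiates.
    print("ESP node -> SQL:", esp("172.29.100.204", "172.30.10.10"))   # Allow
    print("ESP SQL -> node:", esp("172.30.10.10", "172.29.100.204"))   # Deny
```

The last line is the check worth running against any of the IPSec tables on this page: the SQL Server's ESP packets back to the Web node fall through to the implicit deny, so a non-stateful firewall needs the mirror-image IKE and ESP filters before the SA can be established.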

  3. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     HTTP         Any                 Any          172.29.100.202   80           TCP        Allow
     HTTPS        Any                 Any          172.29.100.202   443          TCP        Allow

     The two packet filters limit public network computers to accessing the NLBS Web cluster (172.29.100.202) only by using the HTTP or HTTPS protocols.

  4. The IIS 5.0 security checklist includes a secure Web server security template that you can apply to the Web server nodes. This security template ensures that the recommended security configuration is applied to the Web servers.

  5. Host Name          External IP Address  Internal IP Address
     ns.contoso.tld     131.107.99.2         172.29.100.201
     mail.contoso.tld   131.107.99.3         172.29.100.203
     www.contoso.tld    131.107.99.4         172.29.100.202

Securing VPN Server Access


  1. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     RADIUS-Auth  131.107.100.3       Any          172.30.10.50     1812         UDP        Allow
     Any          131.107.100.128/25  Any          172.30.10.0/24   Any          Any        Allow

     The first packet filter allows the VPN server (131.107.100.3) to forward RADIUS authentication packets to the IAS server (172.30.10.50) located on the private network. The second packet filter allows the IP addresses assigned to VPN client computers (131.107.100.128/25) to access any computers on the private network (172.30.10.0/24) using any protocol. Because no RADIUS accounting packets are required, no packet filter is included for RADIUS accounting packets (UDP port 1813). The IAS server answers from UDP port 1812 back to the VPN server, so a firewall that doesn't track state also needs the matching response filter.


  2. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     PPTP         Any                 Any          131.107.100.3    1723         TCP        Allow
     GRE          Any                 -            131.107.100.3    -            ID 47      Allow
     IKE          Any                 500          131.107.100.3    500          UDP        Allow
     ESP          Any                 -            131.107.100.3    -            ID 50      Allow
     RADIUS-Auth  131.107.100.3       Any          172.30.10.50     1812         UDP        Allow
     Any          131.107.100.128/25  Any          172.30.10.0/24   Any          Any        Allow

     The first two packet filters allow VPN clients on the public network to connect to the VPN server (131.107.100.3) using PPTP connections. The third and fourth packet filters allow VPN clients on the public network to connect to the VPN server using L2TP/IPSec connections. The fifth packet filter allows the VPN server to forward RADIUS authentication requests to the IAS server (172.30.10.50) on the private network, and the final packet filter allows the pool of IP addresses assigned by the VPN server to remote access clients (131.107.100.128/25) to access any resources on the private network (172.30.10.0/24) using any protocol.

  3. The VPN server is located in a DMZ that's attached to the external firewall. For the traffic to enter the mid-ground DMZ between the external and internal firewalls, the external firewall must first evaluate the traffic.

Securing Mail Access


  1. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     Any          172.30.0.0/16       Any          172.29.100.203   Any          Any        Allow

     This packet filter allows private network users (172.30.0.0/16) to access the mail server (172.29.100.203) in the DMZ using any protocol.

  2. No. The current packet filter allows any client computer in the London network to connect to the mail server using any protocol.

  3. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     SMTP         Any                 Any          172.29.100.203   25           TCP        Allow
     SMTP         172.29.100.203      Any          Any              25           TCP        Allow
     Any          131.107.100.128/25  Any          172.29.100.203   Any          Any        Allow

     The first packet filter allows the mail server (172.29.100.203) to accept incoming SMTP messages from any computer on the Internet. The second packet filter allows the mail server to send SMTP messages to any SMTP servers on the Internet. The final packet filter allows remote access clients (131.107.100.128/25) to connect to the mail server using any protocol.


  4. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     HTTPS        Any                 Any          172.29.100.203   443          TCP        Allow

     This packet filter allows public network computers to connect to the mail.contoso.tld server only by using the HTTPS protocol. If a connection is attempted using HTTP, the connection attempt is denied.

Answers to Review Questions

  1. The Web interface that external hospitals and emergency response organizations use to view information shouldn't access these fields from the SQL server. You could also restrict the data within these fields by using views in the SQL server that are limited to specific groups for access. The account that the Web server uses to query the SQL server must not be a member of groups that have access to the disease screening and donor identity fields.
  2. The protocol filters are incorrectly entered. The HTTP protocol listens on TCP port 80 for connections. The client uses a random port above 1024 when establishing the HTTP connection. Likewise, the HTTPS protocol listens on TCP port 443 for connections.

  3. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     HTTP         Any                 Any          10.10.10.10      80           TCP        Allow
     HTTPS        Any                 Any          10.10.10.10      443          TCP        Allow
  4. The Web server and the FTP server are both members of the contoso domain. Servers in a DMZ should be members of a different forest to protect the account information in the contoso domain. If you configure a trust relationship between the domain in the DMZ and the contoso.tld domain, account information can still be acquired from the contoso domain.
  5. You can take a few measures to protect your Web site. The first is to configure your firewall to drop connections that don't complete session initialization within a specified time period. If the time period expires, the session is dropped. Second, you can identify which ports the "zombie" computers are using and block the ports at the firewall. This assumes that the "zombie" computers aren't connecting to the HTTP or HTTPS ports on the Web server.
  6. You must verify the firewall to ensure that only authorized protocols are allowed to reach the server in your DMZ. If a public network user was able to install the software application, the Web server's local security must be weak. By applying the IIS 5.0 Security Checklist to the Web server, you apply stronger local security that prevents unauthorized software from being loaded to the Web server. Because passwords may be compromised, all users on the network should be forced to change their passwords immediately to prevent the attacker from gaining access to the network.

Chapter 15

Answers to Activity Questions

  1. Locating the Proxy on the Private Network

     Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     HTTP         192.168.10.0/24     Any          192.168.20.8     80           TCP        Allow
     HTTPS        192.168.10.0/24     Any          192.168.20.8     443          TCP        Allow
     DNS          192.168.10.10       Any          192.168.20.7     53           TCP        Allow
     DNS          192.168.10.10       Any          192.168.20.7     53           UDP        Allow
     Any          192.168.10.2        Any          Any              Any          Any        Allow
     Any          192.168.10.0/24     Any          Any              Any          Any        Deny

     You don't need to configure a packet filter to allow private network clients to connect to the Proxy Server because the Proxy Server is located on the private network segment. The internal firewall requires packet filters to allow computers in the private network (192.168.10.0/24) to access the Web server (192.168.20.8) over HTTP and HTTPS, both of which use TCP, as shown in the first two packet filters. The third and fourth packet filters restrict the DNS server located on the private network (192.168.10.10) to connecting only to the DNS server in the DMZ (192.168.20.7). The fifth packet filter allows the Proxy Server (192.168.10.2) to connect to any resources on the Internet, and the final packet filter prevents client computers on the private network from connecting to the Internet and to any other computers in the DMZ that aren't defined in the internal firewall packet filters. Because the Proxy Server's address falls within 192.168.10.0/24, its Allow filter must precede the final Deny filter.

  2. Locating the Proxy on the Private Network (external firewall)

     Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     DNS          192.168.20.7        Any          131.107.1.1      53           TCP        Allow
     DNS          192.168.20.7        Any          131.107.1.1      53           UDP        Allow
     Any          192.168.10.2        Any          Any              Any          Any        Allow

     The first two packet filters allow the DNS server in the DMZ (192.168.20.7) to forward DNS requests to the DNS server at the ISP (131.107.1.1). The final packet filter allows packets originating at the Proxy Server on the private network (192.168.10.2) to be sent to any resources on the Internet.

  3. No. If configured correctly, the internal firewall would drop any packets sent to the Internet from the private network clients. However, there would be nothing wrong with blocking the private network clients just to ensure that they're blocked if the packet filters were configured incorrectly at the internal firewall.

Locating the Proxy in the DMZ


  1. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     HTTP         192.168.10.0/24     Any          192.168.20.8     80           TCP        Allow
     HTTPS        192.168.10.0/24     Any          192.168.20.8     443          TCP        Allow
     DNS          192.168.10.10       Any          192.168.20.7     53           TCP        Allow
     DNS          192.168.10.10       Any          192.168.20.7     53           UDP        Allow
     Any          192.168.10.0/24     Any          192.168.20.2     Any          Any        Allow
     Any          192.168.10.0/24     Any          Any              Any          Any        Deny

     The first two packet filters allow the client computers on the private network (192.168.10.0/24) to connect to the Web server in the DMZ (192.168.20.8) using HTTP and HTTPS. The third and fourth packet filters allow the DNS server on the private network (192.168.10.10) to forward DNS requests to the DNS server in the DMZ (192.168.20.7). The fifth packet filter allows private network client computers (192.168.10.0/24) to send their proxy requests to the Proxy Server located in the DMZ (192.168.20.2), and the final packet filter prevents the private network client computers from connecting to the Internet and to any other computers in the DMZ that aren't defined in the internal firewall packet filters.

  2. No. The Proxy Server is located in the DMZ, so any packets arriving at the internal firewall with the Proxy Server's address as the source IP address are response packets being returned to the Proxy Server's client computers on the private network, not new connections that require a filter.

  3. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     DNS          192.168.20.7        Any          131.107.1.1      53           TCP        Allow
     DNS          192.168.20.7        Any          131.107.1.1      53           UDP        Allow
     Any          192.168.20.2        Any          Any              Any          Any        Allow

     The first two packet filters allow the DNS server in the DMZ (192.168.20.7) to forward DNS requests to the DNS server at the ISP (131.107.1.1). The final packet filter allows packets originating at the Proxy Server (192.168.20.2) to be sent to any resources on the Internet.

Answers to Exercise 1 Questions

  1. Yes. The IT department must determine the authorized protocols in discussions with the technology specialists from each department.
  2. Yes. The guidelines propose termination for employees if they knowingly access unauthorized sites on the Internet.
  3. The guidelines don't define the private network user's responsibilities. Without a definition of responsibilities, it will be very difficult to enforce disciplinary action. For example, if you don't define that protection of the user's password is the user's responsibility, users could provide their credentials to an attacker without any disciplinary action. It doesn't matter whether the private network user provides the password intentionally or unintentionally.

Answers to Exercise 2 Questions


  1. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     Any          172.30.0.0/16       Any          172.29.100.203   Any          Any        Allow
     HTTP         172.30.0.0/16       Any          172.29.100.202   80           TCP        Allow
     HTTPS        172.30.0.0/16       Any          172.29.100.202   443          TCP        Allow
     Any          172.30.40.40        Any          Any              Any          Any        Allow
     Any          172.30.0.0/16       Any          Any              Any          Any        Deny

     The first packet filter allows all computers on the private network (172.30.0.0/16) to connect to the mail server (172.29.100.203) using any protocol. The second and third packet filters allow the private network computers to connect to the Web server cluster (172.29.100.202) using HTTP and HTTPS only. The fourth packet filter allows the Proxy Server (172.30.40.40) to connect to any resources in the DMZ or on the Internet using any protocol, and the last packet filter prevents computers on the private network from connecting to any other resources in the DMZ or on the Internet. Because the Proxy Server's address falls within 172.30.0.0/16, its Allow filter must precede the final Deny filter.

  2. You must configure the client computers to bypass the Proxy Server for local network addresses and include the Web cluster Fully Qualified Domain Name (FQDN) in the list of local network servers.
  3. You can populate this listing by using the IEAK Profile Manager to create a .ins file with default settings. If the client computer is configured to detect proxy settings automatically, the .ins file will be read at startup and apply the configuration changes. In addition, you can use Group Policy to prevent changes to the Connections tab by hiding the Connections tab.

  4. Protocol     Source IP           Source Port  Target IP        Target Port  Transport  Action
     Any          172.30.40.40        Any          Any              Any          Any        Allow
     SMTP         172.29.100.203      Any          Any              25           TCP        Allow
     DNS          172.29.100.201      Any          Any              53           TCP        Allow
     DNS          172.29.100.201      Any          Any              53           UDP        Allow

     The first packet filter allows the Proxy Server (172.30.40.40), acting on behalf of the private network clients, to connect to resources on the Internet using any protocol. The second packet filter allows the mail server (172.29.100.203) to connect to other mail servers on the Internet using SMTP. The final two packet filters allow the DNS server in the DMZ (172.29.100.201) to connect to any DNS server on the Internet using connection-oriented (TCP) and connectionless (UDP) DNS queries.

Answers to Exercise 3 Questions

  1. You must add the adatum.tld domain to the listing of domains in the domain filter properties. This prevents connections to any computers in the adatum.tld Internet domain.
  2. You must configure the Local Intranet zone and the Trusted Site zone to a security setting of Medium. Medium allows the download of signed ActiveX controls and doesn't prompt the user when the download of an ActiveX control is attempted.
  3. The Web Proxy service allows access to the HTTP and HTTPS protocols. Permissions must be configured so that they are granted only to the members of the Marketing, Human Resources, Accounting, IT, and Training departments.
  4. Create separate global groups for each department. For example, create global groups named Marketing Internet Users, HR Internet Users, Accounting Internet Users, IT Internet Users, and Training Internet Users. Add these global groups to a Web Users domain local group that's assigned the permissions to the Web and Secure protocols in the Web Proxy service.
  5. The Telnet, NNTP, POP3, SMTP, and NetMeeting protocols all require the use of the WinSock Proxy service. One group strategy would be to create separate domain local groups for each of the protocols. For example, you could create a Telnet Protocol domain local group. Into each of these groups you could then place the departmental global group that requires the use of the associated protocol.
  6. Each computer that requires access to protocols secured by the WinSock Proxy service will require the installation of the WinSock Proxy client software.
  7. Enable the Content Advisor and set restrictions on nudity and sex to prevent access to pornographic Web sites. In addition, you should probably prevent access to unrated sites to ensure that unrated pornographic sites can't be loaded at a Web browser.
  8. For Windows 2000-based clients you can use a mix of the IEAK and Group Policy to lock down the configuration of Internet Explorer. You can use the IEAK to define the required configuration and to apply updates to the configuration. Group Policy allows you to restrict access to the Internet Options configuration. By restricting access, you prevent the required settings from being modified.
  9. You can protect non-Windows 2000-based clients only by using the IEAK to define the required configuration settings and to restrict access to specific options in the Internet Explorer configuration.

Answers to Review Questions

  1. You must control the firewall at the Vancouver branch office to prevent access to the Internet by any computer located in the Vancouver subnet (172.16.8.0/22). This packet filter must prevent Internet access from any computer in the 172.16.8.0/22 subnet using any protocol.
  2. You could use the IEAK to create a more restrictive configuration for Internet Explorer to deploy at the Mexico City office. In addition, you could create a global group that contains only Mexico City Internet users. Lastly, you would make the global group a member of the local groups that allow the use of protocols required by the Mexico City office.
  3. The downloading of pirated DVD movies could lead to a raid of your organization's network by government authorities looking to crack down on pirated media downloaded to computers from the Internet. A raid could lead to the public humiliation of your organization.
  4. When designing packet filters for the Proxy Server, you could have created specific filters that allow the Proxy Server to use only authorized protocols when connecting to the Internet. A packet filter strategy such as this would prevent the Proxy Server from using undefined protocols to access the Internet.
  5. Ensure that your virus scanning software enforces the update of virus signatures for all installations of the software. In addition, you must create logon scripts that inspect the disks of client computers to verify the installation of the software. If the software isn't installed, the connection attempt should be terminated.
  6. NNTP requires the WinSock Proxy client to be installed on all computers that require access to the WinSock Proxy service. The new computers don't have the WinSock Proxy client installed.
  7. The WinSock proxy and Web Proxy on the client computer need to be modified to not use the Proxy Server when the user connects to the Internet using her personal ISP. The Proxy Server is unavailable when she connects by using the ISP, and therefore all Internet connections fail.

Chapter 16

Answers to Activity Questions

  1. System 7 File Sharing uses clear text authentication. Configure the Macintosh client to use Apple Standard Encryption or install the MS-UAM to provide Microsoft encryption for authentication.
  2. Samba version 2.0.5 uses clear text authentication, which increases the risk of password interception. You should use Samba version 2.0.6 or above to enable NTLM authentication for Samba clients.
  3. Telnet uses clear text authentication, which can result in credentials being viewed as they are transmitted to the Telnet server from the Telnet client. To protect authentication credentials, you must configure an IPSec security association between the UNIX computer and the Windows 2000 Server hosting the Telnet service to encrypt all Telnet transmissions.
  4. FPNW provides encrypted (challenge/response) authentication for NetWare clients. Installing FPNW on the Windows 2000 Server lets Novell clients authenticate directly with the FPNW server without transmitting the password in clear text.
  5. The use of the Attach command stores the Active Directory password in the NetWare login script. This could allow another user or supervisor in the NetWare network to view the Active Directory password. You should modify trustee rights on the NetWare 3.12 server to prevent the user from modifying her NetWare login script.
  6. AH protects the FTP messages only from being modified during transit. Because the data isn't encrypted, the user account and password entered in the FTP client are observable as they are transmitted across the network. To protect the user credentials, the security association should use IPSec Encapsulating Security Payload (ESP), which encrypts the transmitted data.
  7. There are no network interception risks when the FTP transmissions are encrypted using IPSec ESP: all authentication data is encrypted during network transmission.

Answers to Exercise 1 Questions

  1. The Macintosh clients require that the MS-UAM be installed. Security requirements require that all authentication be encrypted, and only the MS-UAM supports passwords greater than eight characters.
  2. You must define two separate Mac-accessible volumes in the Computer Management console, one for the Data folder and one for the Graphics folder.
  3. You can configure security in two ways. First, you must create global groups for access to the Data and to the Graphics folders. You must place users in one of the two groups. Additionally, you could create volume passwords for each of the Mac-accessible volumes. By providing only the volume password to authorized users, you can control access.
  4. File Services for Macintosh requires that Mac-accessible volumes be located on NTFS partitions.
  5. You must assign the global group for the Data folder the Change permission and assign the global group associated with the D:\Graphics folder the Change permission.
  6. Because the employees have the same account name, they should always authenticate by indicating their domain and account name. For example, the Director of Marketing should always authenticate as London\FRamirez to ensure that authentication requests are passed to a domain controller in the london.contoso.tld domain.

Answers to Exercise 2 Questions

  1. CSNW can be used only at the London office where the BIGRED NetWare server exists. The WAN uses only TCP/IP, and the CSNW client requires NWLink IPX/SPX to be used.
  2. No. The solution won't work because the GSNW server must connect to the BIGRED server using IPX/SPX and the WAN supports only TCP/IP. Only London office clients will have access to the BIGRED server through the LondonGate GSNW server. Either the GSNW server must be moved to the London network segment, or IPX/SPX must be enabled on the WAN.
  3. Yes. The accounting clients from the Lima and Seattle offices will be able to connect to the LondonGate GSNW server using TCP/IP. Being on the same network segment, the LondonGate GSNW server will be able to connect to the BIGRED server using IPX/SPX.
  4. No. NetWare administration requires the installation of the Novell Client for Windows 2000. The Novell Client for Windows 2000 must be installed on her computer to grant her administrative access to the NetWare server.
  5. You must configure the GSNW share to only allow members of the accounting department access. You can place the members into global groups at each of the three domains. You can then make the three global groups members of a domain local group in the London domain that's granted Read permissions to the data.
  6. OU=accounting.OU=london.O=contoso
  7. You must make the service account used by the LondonGate GSNW server a member of the Ntgateway group. In addition, you should configure trustee rights for the directory containing the historical accounting data to grant the gateway account only Read and File Scan trustee rights.

Answers to Exercise 3 Questions

  1. FTP uses clear text authentication, which could result in Active Directory User accounts and passwords being compromised on the network.
  2. The GRAPHICS server must load Server for NFS to allow the UNIX users to use NFS to transfer data to the GRAPHICS server.
  3. You must configure User Name Mapping to associate the UIDs and GIDs of the UNIX users to Active Directory user accounts. The associated Active Directory accounts will be assigned permissions in the DACL associated with the FromUNIX folder.
  4. A domain local group that contains the Active Directory accounts for the UNIX users must be assigned the Change permissions for the FromUNIX folder.
  5. You must configure Two-Way Password Synchronization to ensure that the passwords stored on the NISCONTOSO.contoso.tld NIS server are synchronized with the associated user accounts in Active Directory.

Answers to Review Questions

  1. You must install File Services for Macintosh on the source code server to allow the Macintosh users to access the source code. To ensure secure access, the Macintosh clients must install the MS-UAM to enforce encrypted passwords up to a maximum of 14 characters. To enforce this, configure File Services for Macintosh to require Microsoft authentication.
  2. The accounting department will require the same level of access to the LINDATA server. Rather than installing NetWare client software on each computer, you can install GSNW on a single Windows 2000 server. You must make the service account associated with GSNW a member of the Ntgateway group in NDS, and you should assign the account only the necessary trustee rights to access the payroll data. At the GSNW server, you can further restrict access by allowing only the accounting department users access to the GSNW share.
  3. You must implement MSDSS to ensure that passwords are synchronized between Active Directory and NDS. The Windows 2000 server that hosts MSDSS must have the Novell Client for Windows 2000 installed to ensure that the service has sufficient access to NDS to synchronize passwords.
  4. You must deploy MMS. With MMS you must configure a management agent for each directory service to support a single integrated metadirectory. Within each management agent, you can configure which attributes the directory service is authoritative for. This process ensures that only modifications at the authoritative directory service cause modification of the metadirectory.
  5. The users who have lost the ability to log on to the network must not be using the MS-UAM for authentication. Apple Standard Encryption only supports eight-character passwords. To enable the users to log on to the network from the Macintosh computers, the organization must deploy the MS-UAM to all Macintosh computers and configure File Services for Macintosh to accept only Microsoft authentication.

Chapter 17

Answers to Review Questions

  1. An organization's security policy provides the guiding framework for all security plans. Without such a policy, an organization can't establish the appropriate level of security to deploy.
  2. The implementation of increased security can result in a loss of functionality or a loss in user convenience. Security can cause some business practices to be removed due to the vulnerabilities that they expose.
  3. The security manager can keep abreast of the latest security issues by subscribing to security bulletins and reviewing industry publications (both paper and electronic) to be aware of the latest security issues facing the network.
  4. Service packs include the latest Windows 2000 hot fixes in a single package but do become out of date in a short time. In addition to installing the latest service pack, you should also consult windowsupdate.microsoft.com/ to determine if any further updates related to security are required.
  5. When the new management is in place, the larger organization's security policy may not be the same as yours. The plans should eventually be modified to reflect the acquiring organization's security policy.


Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
ISBN: 0735611343
Year: 2001
Pages: 172