A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
1. | Mary is configuring her first Windows 2000 RRAS server and wants to use strong authentication protocols to keep her network secure. Which protocol(s) should she use?
2. | Jim is the security administrator for his company's legal department. The network and remote access solutions are based on Windows 2000 Server, and Legal just purchased smartcards for the entire department so that they can use secure dial-in access. Jim knows he needs to configure EAP-TLS, but he isn't sure where to configure it. He also only wants to change this setting for the legal department, not for all users. Where is this protocol configured?
3. | Jim's manager has asked him to configure the company Windows 2000 VPN server to allow for the use of smartcards for remote access authentication. What protocol does Jim need to use for this?
Answers
1. | ☑ C, E. EAP provides the ability to use smartcards for authentication and provides a strong authentication solution. MS-CHAPv2 provides the strongest authentication available for use with user ID and password. ☒ A, B, D. L2TP/IPSec is not an authentication protocol. Both PAP and CHAP are older protocols and provide either no protection or very weak protection of the information being passed.
2. | ☑ A. If you want to configure specific conditions for a group of users, including the authentication protocol, you use a remote access policy. The specific location in the policy in this case is in the profile. ☒ B, C, D. There is no Modem Pool in the Windows 2000 RRAS. Changing the RRAS server properties would impact the entire server, not just the legal department, although you can set the protocol there as well. There is no Authentication tab under the remote access policy; it is in the remote access profile.
3. | ☑ B. EAP-TLS is the protocol needed for smartcard deployments. ☒ A, C, D, E. PPTP and L2TP are VPN protocols and do not apply to authentication. MS-CHAP v2 is an authentication protocol but does not support smartcards, and PPP is a transport protocol.
4. | Mary maintains the remote access infrastructure for her company. Previously, Mary maintained a single Windows 2000 RAS server, but over the weekend she added another Windows 2000 RAS server for higher capacity. The two servers are in the same native-mode Active Directory domain, but during testing Mary cannot dial into the new server using her Windows 2000 credentials. What is the most likely problem?
Answers
4. | ☑ C. Profiles are stored locally and need to be recreated on the new server before users will be able to authenticate. ☒ A, B, D. RRAS is installed automatically as part of Windows 2000 Server. It does not need to be enabled in the Active Directory, and you can have more than one Windows 2000 RRAS server in the same domain.
5. | Andrea is responsible for her company's Windows 2000 RRAS server, which has been running as an RAS server for several months. She just manually added services to the server so that the 120 sales representatives could connect to the network using VPN instead of modems. All the sales reps are using PPTP. The first five VPN users connect without issue, but then the server denies access to additional VPN users. RAS users seem to be unaffected by the issue. What is the most likely problem?
6. | June is trying to get a job as a network administrator, and she is being quizzed by the department manager on her knowledge of protocols. Her manager is particularly interested in her background in IPSec, so he has asked her to list the protocols used by IPSec. Which of the following are protocols used by IPSec?
Answers
5. | ☑ C. When you use the Dial-In wizard to configure the RRAS server, it will only create five PPTP and five L2TP ports. If the server had been configured for VPN the first time, 128 ports would have been configured. ☒ A, B, D. Windows 2000 doesn't require licenses for VPN connections. The DHCP server issue would impact VPN and RAS users.
6. | ☑ A, B, E. ESP, AH, and ISAKMP are all protocols used by IPSec. ☒ C, D. PPTP and L2F, although tunneling protocols, are not used by IPSec.
7. | Tom is the administrator of a Windows 2000 RAS server that's being used for dial-in connections to the corporate network. He needs to be sure that no one is connecting to the server from 1:00 a.m. until 2:00 a.m. while the server is being backed up. Tom is using one policy to permit access for all users. What is the easiest way to add this restriction for all users?
8. | Stacey is the system administrator of a Windows 2000 Routing and Remote Access server that permits the use of the Multilink protocol to allow users to connect with multiple dial-up lines. To configure this setup to work as efficiently as possible, Stacey needs to automatically drop a line from the Multilink connection when it's not being used. What protocol would need to be enabled to accomplish this task?
Answers
7. | ☑ C. You can easily add the deny access restriction to the policy by editing the policy properties and adding the condition. ☒ A, B, D. Answer A would work, but it would not be the easiest way to do it. You cannot add a deny access condition to a remote access profile. A remote access profile is part of the remote access policy and cannot be used on its own this way.
8. | ☑ E. Bandwidth Allocation Protocol (BAP) monitors the utilization on a multilink connection and dynamically reduces the number of connected lines if the user's utilization drops below a certain amount. ☒ A, B, C, D. EAP-TLS, PAP, and PPP do not apply to the Multilink connections. Multilink is used to support the multiple connections, but it doesn't monitor utilization.
9. | Tammy is responsible for setting up a new VPN server using Windows 2000 and the Routing and Remote Access Service. She wants to limit access to the VPN by creating a Remote Access Users group in the Active Directory running in native mode, so she creates the group, puts users in it, and creates a Remote Access Policy called VPN User Access. To be sure this is the only way to access the server, she deletes the default remote access policy. Under the Dial-In tab of each user, she sets the Remote Access Permissions to "Control access through Remote Access Policy." What is the last thing Tammy needs to do to limit access to this policy to users in the VPN User Access group?
10. | Jim is the remote access administrator for a medium-sized manufacturing company. He is in the process of rolling out a new Windows 2000 RRAS server, but he knows that the local telephone area code will be changing in six months. He would like to be able to automatically update the users' phone books with the new numbers, so he uses the Connection Manager Administration Kit to create a service profile for the end users. He is putting the new phone book on a server on the internal network. What protocol will be used by the users to get the new phone book?
11. | June is a network administrator supporting 500 mobile users who dial into the company network using several Windows 2000 RAS servers located throughout the country. She is planning to add between 5 and 10 new RAS servers in other offices in the company, so she has created a dynamic phone book using the Phone Book Administrator utility. Now she wants to publish the phone book so she can create a service profile for her users. What is the easiest way for her to create this phone book?
Answers
9. | ☑ A. Access by group is controlled by setting the Windows-Groups condition in the policy. ☒ B, C, D. You cannot tie ports to groups. You don't need to limit access to PPTP for this question, and you can't grant access through the group without using the Windows-Groups condition. You cannot set permissions as described in D.
10. | ☑ D. The automatic phone book update tool uses the FTP protocol to update the phone books. ☒ A, B, D. None of these protocols can be used by the update tool.
11. | ☑ C. The Phone Book Administration utility allows you to post phone books to the appropriate server using the Post command in the Publish Phone Book screen. ☒ A, B, D. While A would allow remote users to download this directory, maintaining a manual process like this is much more difficult than the correct answer. B wouldn't work, since the service profile uses FTP to download files. D is not correct because there is not a Publish option available from that menu.
12. | Joan is a help desk specialist for a small manufacturing company that uses a Windows 2000 server for VPN services. Melissa, a sales engineer, is on a sales call and needs to access the company intranet to get some pricing information. Melissa is using a PPTP connection to access the company VPN, and it worked fine from the hotel last night from a dial-up ISP service. She is trying to connect from the customer network, but she's unable to establish a connection, so she has placed a call to Joan to see what's wrong. Which of the following is a possible reason for this problem?
13. | Ted is a help desk specialist for a small printer manufacturing company that uses a Windows 2000 server for VPN services. Jack, a sales engineer, is on a service call and needs to order parts on the company intranet. Jack is using an L2TP/IPSec connection to access the company VPN, and it works fine from Jack's home office, which connects to the Internet through a broadband connection. Unfortunately, Jack cannot connect from the customer's Ethernet network, and he has placed a help desk call for assistance. Which of the following is a possible reason for this problem?
14. | Tony is the administrator for his company's Windows 2000 RAS server, which uses the corporate Active Directory service for authentication. Joan, an end user in accounting, is trying to connect to the RAS server but keeps getting the message that she is not an authorized user. She can log into the Active Directory without issue when she is connected to the LAN. What might be causing the problem?
15. | Mary is a help desk technician supporting remote users connecting to the company's Windows 2000 RRAS server. She just got a call from Tony, who is using his company laptop and accessing the RRAS server through a PPTP VPN connection. Last week the connection worked fine, but today it is not connecting. When Mary asks if anything has changed, Tony reluctantly admits that his neighbor just installed a freeware encryption application on the system. What is the first step Mary should recommend to address this issue?
Answers
12. | ☑ B. In order for a client to communicate with the Windows 2000 VPN server using PPTP, it must be able to connect using the GRE protocol. This protocol is frequently blocked on corporate firewalls. ☒ A, C, D. PPTP will work across a NAT network. The ESP protocol is used in L2TP/IPSec, not PPTP. A proxy server is not needed for a successful VPN connection.
13. | ☑ A. The IPSec portion of the L2TP/IPSec protocol will not support NAT. ☒ B, C, D. The GRE protocol is not used in conjunction with L2TP/IPSec. The PPP protocol is not used on an Ethernet network. Certificate support is not needed on the local firewall.
14. | ☑ D. Before an account can be used to connect to the RAS server, it needs to be authorized through a combination of remote access policy and/or account permissions. ☒ A, B, C. PPTP ports are not used with RAS. Since the RAS server uses Active Directory for authentication, an incorrect password would prevent Joan from logging in at work. This also means that her network account is the same as her RAS account; they are both her Active Directory account.
15. | ☑ D. The first thing that should be tried is undoing the changes made between the time the VPN worked and now, especially if the application is loaded on a company system and is not a standard application. ☒ A, B, C. Reinstalling the VPN client shouldn't be the first step; you should remove the application first. There are several other steps that should be taken before resorting to a complete system rebuild. There is no indication that this issue is virus-related. Updating virus protection is never a bad idea, but it will probably not address this issue.