Objective 3.2: Questions




1. 

You have a computer running Windows Server 2003 and IIS 6.0 located on a screened subnet. This computer runs a Web server that is used to provide product information to potential customers around the country. The computer is a member of your company’s domain. You want to configure the server so that all communication, except that accessing the Web site, must be encrypted by IPSec. This IPSec communication must be authenticated by Kerberos. Which of the following components would you include in the configuration of a custom IPSec policy that would be applied to the computer running Windows Server 2003? (Each correct answer forms part of the solution.)

  A. Default Response Rule. Active Directory Default Authentication.

  B. New Rule. No Tunnel Specified. All Network Connections. IP Filter List with the following properties. Source: Any IP Address. Destination: My IP Address. Protocol Type: TCP. From Any Port to Port 80. Permit Unsecured IP Packets.

  C. New Rule. No Tunnel Specified. All Network Connections. Require Security. Active Directory Default Authentication.

  D. New Rule. No Tunnel Specified. All Network Connections. IP Filter List with the following properties. Source: Any IP Address. Destination: My IP Address. Protocol Type: TCP. From Any Port to Port 25. Permit Unsecured IP Packets.

  E. New Rule. No Tunnel Specified. All Network Connections. Request Security. Active Directory Default Authentication.


2. 

You are configuring an IPSec policy to allow only computers that have a specific digital certificate installed to send and receive e-mail by means of the Post Office Protocol 3 (POP3) service on Windows Server 2003. Which ports should you configure rules for? (Select all that apply.)

  A. Port 23

  B. Port 25

  C. Port 80

  D. Port 110

  E. Port 143


3. 

You are configuring an IPSec filter for a computer running Windows Server 2003, and you have constructed a filter list as shown in the following figure.


If the Filter Action for this list were set to permit, and there were a filter list also configured to require security for all other IP traffic, which of the following statements would be true? (Select all that apply.)

  A. Any host would be able to access any Web content hosted on the computer running Windows Server 2003.

  B. A host with IP address 10.11.21.22 would be able to initiate a Telnet session to the computer running Windows Server 2003.

  C. A host with IP address 10.10.5.6 would be able to initiate a Telnet session to the computer running Windows Server 2003.

  D. A host with IP address 192.168.10.230 will be able to access the Secure Sockets Layer (SSL) Web site on the computer running Windows Server 2003.

  E. A host with IP address 192.168.10.245 will be able to access the SSL Web site on the computer running Windows Server 2003.


4. 

You are in the process of configuring a set of IPSec filters for a Windows Server 2003 domain controller on your network. You want to make sure that you permit traffic to the Lightweight Directory Access Protocol (LDAP), Kerberos, and global catalog server ports. Given your requirements, which of the following ports should you permit traffic to? (Select all that apply.)

  A. Port 3268

  B. Port 3389

  C. Port 53

  D. Port 389

  E. Port 80


5. 

You have a set of five servers running Windows Server 2003, Web Edition that are located on a screened subnet. These Web servers are each running a Web application that needs to access data on a computer running SQL Server 2000 that is located on your internal network. The IP addresses of the Web servers on the screened subnet are:

Server 1: 192.168.1.130

Server 2: 192.168.1.140

Server 3: 192.168.1.150

Server 4: 192.168.1.160

Server 5: 192.168.1.170

The IP address of the computer running Windows Server 2003 that is located on the internal network is 10.10.1.100. You want to ensure that data transmissions between the Web servers on the screened subnet and the computer running SQL Server on the internal network are encrypted by IPSec. You don’t need other traffic between the Web servers and the computer running SQL Server to be encrypted because such traffic is already blocked by the internal firewall, and the encryption and decryption process would just add to processor overhead. Which of the following custom rules would achieve this goal if it was set to Require Security? (Select all that apply.)

  A. Protocol: TCP; Source Port: Any; Destination Port: 1433; Source Address: 192.168.1.128; Source Mask: 255.255.255.128; Destination Address: 10.10.1.100; Destination Mask: 255.255.255.255

  B. Protocol: TCP; Source Port: Any; Destination Port: 1433; Source Address: 192.168.1.128; Source Mask: 255.255.255.192; Destination Address: 10.10.1.100; Destination Mask: 255.255.255.255

  C. Protocol: TCP; Source Port: 1433; Destination Port: Any; Source Address: 10.10.1.100; Source Mask: 255.255.255.192; Destination Address: 192.168.1.128; Destination Mask: 255.255.255.255

  D. Protocol: TCP; Source Port: Any; Destination Port: 1433; Source Address: 192.168.1.128; Source Mask: 255.255.255.224; Destination Address: 10.10.1.100; Destination Mask: 255.255.255.255

  E. Protocol: TCP; Source Port: Any; Destination Port: 1433; Source Address: 192.168.1.128; Source Mask: 255.255.255.240; Destination Address: 10.10.1.100; Destination Mask: 255.255.255.255


Answers

1. 

Correct Answers: A, B, and C

  A. Correct: Configuring the Default Response Rule will allow IPSec connections to be negotiated with this server if requested by the client.

  B. Correct: Port 80 is the port used by the HTTP protocol. Creating this filter means that Web site traffic can be received and transmitted without requiring secured IPSec packets. Without this connection, Web site traffic would be encrypted via IPSec, limiting it to authorized users and locking out the potential customers.

  C. Correct: This rule in combination with the rule articulated in answer B will lock out all other forms of traffic unless it is secured via IPSec authenticated via Kerberos. This rule is required to meet the specification outlined in the question.

  D. Incorrect: This component of an IPSec policy would allow insecure access to port 25. Port 25 is not the Web server port, and hence should only allow secure access.

  E. Incorrect: This rule only requests security. If none is forthcoming, the connection will be insecure.

2. 

Correct Answers: B and D

  A. Incorrect: Port 23 is used for Telnet. Port 23 has nothing to do with the POP3 service.

  B. Correct: Port 25 is the SMTP port. It is used by POP3 clients to send e-mail. A rule should be configured for this port so that only clients with a specific digital certificate can use it to send e-mail. In real life this could cause a problem because outside mail servers use port 25 to send e-mail from remote networks to the server. If such a policy were implemented, those hosts would be unable to make connections on port 25.

  C. Incorrect: Port 80 is the HTTP port. It doesn’t have anything to do with the POP3 service, but is used by IIS for HTTP traffic.

  D. Correct: Port 110 is the POP3 port. POP3 clients connect to this port to retrieve e-mail from a POP3 server. A rule should be configured for this port so that only clients with a specific digital certificate can use it to retrieve e-mail.

  E. Incorrect: Port 143 is used by the IMAP service. Although the IMAP service is used for e-mail, it is not used by the POP3 service in Windows Server 2003.

3. 

Correct Answers: A, C, and D

  A. Correct: The first line of the filter allows this to occur.

  B. Incorrect: Only hosts with IP addresses 10.10.0.0 through 10.10.255.255 will be able to access a Telnet server on the computer running Windows Server 2003.

  C. Correct: Only hosts with IP addresses 10.10.0.0 through 10.10.255.255 will be able to access a Telnet server on the computer running Windows Server 2003.

  D. Correct: Only hosts with IP addresses 192.168.10.225 through 192.168.10.238 will be able to access the SSL Web site on the computer running Windows Server 2003.

  E. Incorrect: Only hosts with IP addresses 192.168.10.225 through 192.168.10.238 will be able to access the SSL Web site on the computer running Windows Server 2003.

4. 

Correct Answers: A and D

  A. Correct: This port is used by the global catalog server.

  B. Incorrect: This port is used by Terminal Services servers. It is not relevant to the task at hand.

  C. Incorrect: Port 53 is the DNS server port. Nothing has been mentioned about this particular computer running a DNS server.

  D. Correct: This port is used by LDAP, an integral component of Active Directory.

  E. Incorrect: This port is used by the HTTP protocol. Nothing has been mentioned about this particular computer running a Web server.

5. 

Correct Answers: A and B

  A. Correct: This rule will allow data transmissions from the Web servers to the computers running SQL Server to be encrypted by IPSec. This answer includes all IP addresses in the range 192.168.1.129 through 192.168.1.254. Port 1433 is used for computers running SQL Server.

  B. Correct: This rule will allow data transmissions from the Web servers to the computers running SQL Server to be encrypted by IPSec. This answer includes all IP addresses in the range 192.168.1.129 through 192.168.1.190. Port 1433 is used for computers running SQL Server.

  C. Incorrect: This particular filter specifies an incorrect source address and source port.

  D. Incorrect: The source mask in this answer will only allow hosts from IP addresses 192.168.1.129 through 192.168.1.158. This will exclude Web servers 4 and 5.

  E. Incorrect: The source mask in this answer will only allow hosts from IP addresses 192.168.1.129 through 192.168.1.142. This will exclude Web servers 3, 4, and 5.
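
The mask arithmetic behind the answers to question 5, worked through in Python as an added example (not part of the training kit). It checks each answer choice's filter against a connection from every Web server to the SQL Server on port 1433; the `CHOICES` table layout, the helper names, the constructed client port 49152, and evaluating each filter only in the direction written (no mirroring) are assumptions of this example.

```python
import ipaddress

# Addresses and port as given in question 5.
WEB_SERVERS = {"Server 1": "192.168.1.130", "Server 2": "192.168.1.140",
               "Server 3": "192.168.1.150", "Server 4": "192.168.1.160",
               "Server 5": "192.168.1.170"}
SQL_SERVER, SQL_PORT = "10.10.1.100", 1433
HOST = "255.255.255.255"

# Answer choices as (src addr, src mask, src port, dst addr, dst mask, dst port).
# None stands for "Any" port.
CHOICES = {
    "A": ("192.168.1.128", "255.255.255.128", None, SQL_SERVER, HOST, 1433),
    "B": ("192.168.1.128", "255.255.255.192", None, SQL_SERVER, HOST, 1433),
    "C": (SQL_SERVER, "255.255.255.192", 1433, "192.168.1.128", HOST, None),
    "D": ("192.168.1.128", "255.255.255.224", None, SQL_SERVER, HOST, 1433),
    "E": ("192.168.1.128", "255.255.255.240", None, SQL_SERVER, HOST, 1433),
}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def addr_matches(address, filter_addr, mask):
    """True when address and filter address agree on every bit set in the mask."""
    return _ip(address) & _ip(mask) == _ip(filter_addr) & _ip(mask)

def filter_matches(rule, src, src_port, dst, dst_port):
    """Evaluate one packet against one filter, in the written direction only."""
    f_src, f_smask, f_sport, f_dst, f_dmask, f_dport = rule
    return (addr_matches(src, f_src, f_smask)
            and addr_matches(dst, f_dst, f_dmask)
            and f_sport in (None, src_port)
            and f_dport in (None, dst_port))

def missed_servers(choice, client_port=49152):  # client port is constructed
    """Web servers whose connection to SQL Server the filter does not match."""
    rule = CHOICES[choice]
    return [name for name, ip in WEB_SERVERS.items()
            if not filter_matches(rule, ip, client_port, SQL_SERVER, SQL_PORT)]

def host_range(choice):
    """First and last host address covered by the source address and mask."""
    addr, mask = CHOICES[choice][:2]
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return str(net.network_address + 1), str(net.broadcast_address - 1)

if __name__ == "__main__":
    for choice in CHOICES:
        print(choice, host_range(choice), missed_servers(choice) or "covers all five")
```

A filter that misses a server leaves that server's SQL traffic outside the Require Security action, which is why only the choices with an empty missed list meet the goal.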






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
