Objective 3.3: Questions

1. 

Which of the following commands, when issued from the ipsec static> prompt when netsh ipsec is run on the command line, will add a filter to the secureweb filterlist that will deal traffic coming from network 10.10.2.32 /27 to the Web server located on the local host?

1. ipsec static>add filter filterlist=secureweb srcaddr=10.10.2.32 dstaddr=Me protocol=TCP mirrored=yes srcmask=255.255.255.224 dstmask=255.255.255.0 srcport=0 dstport=80

2. ipsec static>add filter filterlist=secureweb srcaddr=10.10.2.32 dstaddr=Me protocol=ICMP mirrored=yes srcmask=255.255.255.240 dstmask=255.255.255.0 srcport=0 dstport=80

3. ipsec static>add filter filterlist=secureweb srcaddr=192.168.0.32 dstaddr=Me protocol=TCP mirrored=yes srcmask=255.255.255.224 dstmask=255.255.255.0 srcport=80 dstport=0

4. ipsec static>add filter filterlist=secureweb srcaddr=192.168.0.32 dstaddr=Me protocol=TCP mirrored=yes srcmask=255.255.255.0 dstmask=255.255.255.0 srcport=80 dstport=0

2. 

Which of the following are limitations on the authentication methods that can be used by a standalone computer running Windows Server 2003 that is using IPSec to ensure that its network communications are encrypted?

1. There are no limitations on the authentication methods that can be used by a standalone computer running Windows Server 2003.

2. Standalone computers running Windows Server 2003 cannot use the Kerberos authentication method for IPSec. They are limited to using digital certificates or preshared keys.

3. Standalone computers running Windows Server 2003 cannot use a digital certificate as an authentication method for IPSec.

4. Standalone computers running Windows Server 2003 cannot use preshared keys as an authentication method for IPSec.

3. 

Rooslan has created an IPSec policy on a computer running Windows Server 2003 by entering the following list of commands from the netsh ipsec static> context command prompt:

add filterlist name=testlist add filteraction name=testaction inpass=no soft=no action=negotiate add filter filterlist=testlist srcaddr=any dstaddr=Me protocol= TCP mirrored=YES srcmask=0.0.0.0 dstmask=255.255.255.255 srcport= 0 dstport=110 add filter filterlist=testlist srcaddr=any dstaddr=Me protocol= TCP mirrored=YES srcmask=0.0.0.0 dstmask=255.255.255.255 srcport= 0 dstport=25 add policy name=testpolicy activatedefaultrule=no assign=no add rule name=testrule policy=testpolicy filterlist=testlist filteraction=testaction psk="Quis Custodiet Custodes"

The computer running Windows Server 2003 is running the POP3 service. Which of the following statements about Rooslan’s IPSec policy are true, given the configuration listed above? (Select all that apply.)

1. The testpolicy IPSec policy will not be assigned when it is created.

2. This policy deals with all traffic being sent to the local Windows Server 2003– based computer on which the testpolicy IPSec policy is applied.

3. This policy uses Kerberos 5 authentication to negotiate the IPSec connection.

4. If computers checking e-mail on the POP3 service hosted on the local Windows Server 2003–based computer are unable to negotiate IPSec security, insecure transmission will be allowed.

5. The default response rule is not activated in this policy.

4. 

You are the security administrator for the Tailspin Toys forest. The forest is running at the Windows Server 2003 functional level. There are three domains in this forest: root.tailspintoys.com, melbourne.tailspintoys.com, and redmond.tailspintoys.com. There is a group of 500 workstations running Windows XP Professional that are members of the melbourne.tailspintoys.com domain. There are 10 file and print servers running Windows 2000 Server that are members of the melbourne.tailspintoys.com domain. The 500 computers running Windows XP Professional are members of an organizational unit named WORKSTATION. The 10 file and print servers running Windows 2000 Server are members of the organizational unit named MEMBERSERV. The 10 file and print servers running Windows 2000 Server and the 500 computers running Windows XP Professional are all located at Site B within the domain. Several GPOs have been created, each of which has a different IPSec policy. These GPOs and their corresponding IPSec policies are listed below:

GPO one: No IPSec policy set

GPO two: Client (Respond Only) IPSec policy set

GPO three: Server (Request Security) IPSec policy set

GPO four: Secure Server (Require Security) IPSec policy set

GPO one is applied to the WORKSTATION OU. GPO two is applied to the melbourne.tailspintoys.com domain. GPO three is applied to the root.tailspintoys.com domain. GPO four is applied to Site B. Assume that no other IPSec policies are applied in the forest. Given this information, which of the following statements is correct?

1. If a computer running Windows NT Workstation 4.0 at Site B attempted to copy a file from one of the 10 file and print servers running Windows 2000 Server in the MEMBERSERV OU, the file transmission would be encrypted by IPSec.

2. Data transmissions between the 500 workstations running Windows XP Professional in the WORKSTATION OU and the 10 file and print servers running Windows 2000 Server in the MEMBERSERV OU will be encrypted by IPSec.

3. Data transmission between one of the 500 workstations running Windows XP Professional that is located in the WORKSTATION OU and a computer running Windows Server 2003 that is located in the root.tailspintoys.com domain will be encrypted by IPSec.

4. All data transmissions between computers located at Site B will be encrypted by IPSec.

5. 

Several users in your domain are attempting to use the FTP protocol to upload files to a computer running Windows Server 2003 on your organization’s screened subnet. The computer running Windows Server 2003 on the screened subnet has an IPSec policy set that requires security. Because it is a standalone computer, it does not use the default Active Directory/Kerberos IPSec authentication. Instead it uses a preshared key with the phrase “qua partis tutis”. All computers running Windows XP Professional in the domain are subject to a GPO at the domain level with the IPSec policy set Server (Request Security). What step or steps can you take to ensure that the users within your domain who require FTP access to the computer running Windows Server 2003 on the screened subnet can make encrypted connections to this computer?

1. Alter the IPSec policy in the GPO applied at the domain level to Client (Respond Only).

2. Alter the IPSec policy in the GPO applied at the domain level to Secure Server (Require Security).

3. Alter the local policy object on the computer running Windows Server 2003 on the screened subnet to allow Kerberos authentication of IPSec connections.

4. Edit the Server (Request Security) IPSec policy properties in the GPO applied at the domain level. Edit the properties of the <Dynamic> and ALL IP Traffic Rules. On the Authentication Methods tab, add a new authentication method of preshared key, and enter “qua partis tutis” as the string.

1. 

Correct Answers: A

1. Correct This command provides all of the correct source addresses, masks, and ports, in addition to destination addresses, mask, and ports. A srcport or dstport set to 0 is equivalant to “any”.

2. Incorrect This answer has the incorrect protocol (ICMP rather than TCP) and the incorrect source mask (which for /27 should be 255.255.255.224).

3. Incorrect This answer has the incorrect source address (192.168.0.32 rather than 10.10.2.32) in addition to the incorrect source port (which should be 0, which is understood as “any”) and destination port.

4. Incorrect This answer has the incorrect source address (192.168.0.32 rather than 10.10.2.32) in addition to the incorrect source port (which should be 0, which is understood as “any”) and destination port. It also has the incorrect source mask, which should be 255.255.255.224 rather than 255.255.255.0.

2. 

Correct Answers: B

1. Incorrect Standalone computers running Windows Server 2003 cannot use the Kerberos authentication method.

2. Correct Because they are not members of the domain, standalone computers running Windows Server 2003 cannot use the Kerberos authentication method for IPSec. They are limited to using digital certificates or preshared keys.

3. Incorrect Because they are not members of the domain, standalone computers running Windows Server 2003 cannot use the Kerberos authentication method for IPSec. They are limited to using digital certificates or preshared keys.

4. Incorrect Because they are not members of the domain, standalone computers running Windows Server 2003 cannot use the Kerberos authentication method for IPSec. They are limited to using digital certificates or preshared keys.

3. 

Correct Answers: A and E

1. Correct The assign=no switch of the add policy command ensures that the testpolicy IPSec policy will not be assigned.

2. Incorrect This policy deals with all traffic to ports 25 and 110 from all hosts to the local Windows Server 2003–based computer on which the policy is applied.

3. Incorrect This policy uses the preshared key “Quis Custodiet Custodes” to negotiate the IPSec connection.

4. Incorrect The soft=no switch of the add filteraction command specifies that only secure transmission will be allowed on these ports.

5. Correct The activatedefaultrule=no switch of the add policy command specifies that the default response rule is not activated in this policy.

4. 

Correct Answers: C

1. Incorrect The policy that has influence over the 10 file and print servers running Windows 2000 Server is the Client (Respond Only) policy. Windows NT Workstation 4.0 does not natively support IPSec, hence any file transmission between a computer running Windows NT 4.0 and one of the 10 computers running Windows 2000 Servers will be insecure.

2. Incorrect The policy that influences computers in both OUs is the Client (Respond Only) IPSec policy. Only one IPSec policy can be active at one time. Although OU policies do have precedence over domain policies, the fact that no policy is set in GPO one means that GPO two will remain dominant.

3. Correct The root.tailspintoys.com domain has the Secure Server (Require Security) policy set. This means that all transmissions between computers in this domain and any other host will be encrypted by IPSec.

4. Incorrect Downstream GPOs applied at the domain level enforce the Client (Respond Only) IPSec policy. As no policy specifies that IPSec should be requested, data transmission between clients in the melbourne.tailspintoys.com domain will be insecure.

5. 

Correct Answers: D

1. Incorrect Performing this step will not enable secure communication between computers on your network running Windows XP Professional and the Windows Server 2003–based computer running FTP on the screened subnet. By default, this policy uses Kerberos 5 authentication rather than the required preshared key.

2. Incorrect Performing this step will not enable secure communication between computers on your network running Windows XP Professional and the Windows Server 2003–based computer running FTP on the screened subnet. By default, this policy uses Kerberos 5 authentication rather than the required preshared key.

3. Incorrect This cannot be done because the computer running Windows Server 2003 on the screened subnet is not a member of the domain, and hence cannot use Kerberos authentication methods.

4. Correct Performing these steps will enable computers in your domain to initiate IPSec connections to the standalone computer running Windows Server 2003 on the screened subnet. After it has been determined that the Kerberos method of authentication does not work, the preshared-key method will be tried. Because the same preshared key exists on both source and destination computers, an IPSec connection will be able to be established.