Objective 3.4: Questions

1. 

Rooslan is configuring all of the workstations in his organization to use IPSec with a digital certificate for authentication. Until digital certificates can be installed on all workstations, they will be using preshared keys for authentication. There are two file servers that all workstations within the domain access. Both of these file servers run Windows Server 2003 and are configured with the Secure Server (Require Security) IPSec policy. This policy has been modified so that it accepts both certificate and preshared key authentication methods. Rooslan’s assistant Alex has been keeping, on his Handheld PC, a list of computers by location and IP address that have had certificates installed. Unfortunately the Handheld PC has been misplaced, and now Rooslan needs to know which workstations are still using a preshared key for IPSec authentication and which are using certificates. Which of the following actions will enable Rooslan to get a list of IP addresses for computers that are still using preshared keys? (Select two.)

1. Check the \Main Mode\Security Associations node in IP Security Monitor on both of the file servers running Windows Server 2003.

2. On both of the file servers running Windows Server 2003, run a command prompt. From the netsh ipsec static prompt type show all

3. On both of the file servers running Windows Server 2003, run a command prompt. From the netsh ipsec dynamic prompt type show mmsas

4. On both of the file servers running Windows Server 2003, check the Active Policy node of the IP Security Monitor.

5. On both of the file servers running Windows Server 2003, use the Security Configuration and Analysis MMC to list the IPSec security associations.

2. 

There are three standalone computers running Windows XP Professional on your network. Each has an IPSec policy set that requires security. Rather than use the default Active Directory authentication, each standalone workstation running Windows XP Professional uses preshared key authentication.

Host 1 uses a preshared key of Quis Custodiet Custodes and has an IP address of 10.10.10.22.

Host 2 uses a preshared key of Ita Erat Quando Hic Adveni and has an IP address of 10.10.10.30.

Host 3 uses a preshared key of Nullo Metro Compositum Est and has an IP address of 10.10.10.36.

Each of these hosts needs to be able to securely communicate with a computer running Windows Server 2003 that has the IP address 10.10.10.230, but currently only host 1 is able to communicate with the server. The computer running Windows Server 2003 is configured with a Secure Server (Require Security) policy, the properties of which are displayed in the following figure.

Which of the following correctly describes how the computer running Windows Server 2003 can be configured so that hosts 2 and 3 can communicate with it and with host 1? (You do not need to worry about other hosts on the network.)

1. Reconfigure the IPSec policies on host 2 and 3 to use the preshared key Nullo Metro Compositum Est.

2. Reconfigure the IPSec policies on hosts 2 and 3 to use the preshared key Ita Erat Quando Hic Adveni.

3. On the computer running Windows Server 2003, edit the properties of the Secure Server (Require Security) IPSec policy. From this computer, edit the All IP Traffic Filter list. From the Authentication Methods tab, add two new authentication methods that use the preshared key. The first authentication method should use the preshared key Nullo Metro Compositum Est. The second authentication method should use the preshared key Ita Erat Quando Hic Adveni.

4. On the computer running Windows Server 2003, edit the properties of the Secure Server (Require Security) IPSec policy. Create two new filters. The first filter should be named 10.10.10.30 and should deal with TCP traffic from host 10.10.10.30 to My IP Address. The second filter should be named 10.10.10.36 and should deal with TCP traffic from host 10.10.10.36 to My IP Address. Create two new rules. The first rule should use the filter named 10.10.10.30 and should require security. The authentication method should be set to Preshared Key, and the key should be set to Nullo Metro Compositum Est. The second rule should use the filter named 10.10.10.36 and should require security. The authentication method should be set to Preshared Key, and the key should be set to Ita Erat Quando Hic Adveni.

5. On the computer running Windows Server 2003, edit the properties of the Secure Server (Require Security) IPSec policy. Create two new filters. The first filter should be named 10.10.10.30 and should deal with TCP traffic from host 10.10.10.30 to My IP Address. The second filter should be named 10.10.10.36 and should deal with TCP traffic from host 10.10.10.36 to My IP Address. Create two new rules. The first rule should use the filter named 10.10.10.36 and should require security. The authentication method should be set to Preshared Key, and the key should be set to Nullo Metro Compositum Est. The second rule should use the filter named 10.10.10.30 and should require security. The authentication method should be set to Preshared Key, and the key should be set to Ita Erat Quando Hic Adveni.

3. 

Darren is having some problems with IPSec on a member server running Windows Server 2003. It appears that some of the Internet Key Exchange (IKE) main mode and quick mode negotiations are failing, but it is not clear why this is happening. Darren wants to log IKE exchanges on this server. Which of the following methods could Darren use to enable this form of logging?

1. He needs to edit the properties of the enabled IPSec policy on the computer running Windows Server 2003. He should select the Enable IKE Logging check box on the General tab.

2. He needs to run regedit on the member server running Windows Server 2003. He then needs to set the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD to 0. He should then restart the IPSec service.

3. He needs to run the netsh command on the member server running Windows Server 2003. He should type set config ikelogging 1 at the netsh ipsec dynamic prompt.

4. He needs to run the netsh command on the member server running Windows Server 2003. He should type set config ikelogging 0 at the netsh ipsec dynamic prompt.

5. He needs to run regedit on the member server running Windows Server 2003. He then needs to set the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD to 1. He should then restart the IPSec service.

4. 

Oksana wants to ensure that authentication will fail if any problems occur during the Certificate Revocation List (CRL) check during IKE certificate authentication on several computers running Windows Server 2003 in her domain. These computers are all members of the same OU. Which of the following methods will allow Oksana to achieve this goal?

1. Create a GPO and assign it to the OU. Edit the IPSec policy properties. Edit the rule that enforces security by certificate. Select the Perform CRL Check check box.

2. Create a GPO and assign it to the site. Edit the IPSec policy properties. Edit the rule that enforces security by certificate. Select the Perform CRL Check check box.

3. Type netsh ipsec dynamic set config strongcrlcheck 2 from the command prompt.

4. Type netsh ipsec dynamic set config strongcrlcheck 0 from the command prompt.

5. 

Rooslan has the following goals for a member server running Windows Server 2003 in his domain:

Primary goal: Enable IPSec driver event logging.

First secondary goal: Disable CRL checks during IKE certificate authentication.

Second secondary goal: Exempt all broadcast, multicast, and Kerberos traffic from IPSec filtering.

Rooslan performs the following actions:

He logs directly on to the computer running Windows Server 2003 by using Remote Desktop. He types the following from a command prompt:

netsh ipsec dynamic set config ipsecdiagnostics 7 netsh ipsec dynamic set config strongcrlcheck 2 netsh ipsec dynamic set config ipsecexempt 0 Rooslan then exits the command prompt and restarts the member server.

Which of the goals has Rooslan accomplished?

1. The primary goal and both secondary goals have been accomplished.

2. The primary goal and one secondary goal have been accomplished.

3. The primary goal has been accomplished, but no secondary goals have been accomplished.

4. The primary goal has not been accomplished. Both secondary goals have been accomplished.

5. No goals have been accomplished.

1. 

Correct Answers: A and C

1. Correct The \Main Mode\Security Associations node lists all of the computers that connect by means of IPSec to the hosts. It also lists the authentication method. In this case, the authentication method will list whether a preshared key or a certificate was used.

2. Incorrect This will display configuration information on IPSec policies, rules, and filter lists; it will not list which authentication method was used for individual clients.

3. Correct This will output a list of IP addresses and the authentication modes that they used to connect.

4. Incorrect This node lists policy information, such as policy name, description, and modification date. It will not show a list of associations.

5. Incorrect The Security Configuration and Analysis MMC does not have this functionality.

2. 

Correct Answers: E

1. Incorrect The question asks how the computer running Windows Server 2003 can be reconfigured, not how the host workstations running Windows XP can be reconfigured. Furthermore, Nullo Metro Compositum Est is the preshared key for host 3. In the scenario, the computer running Windows Server 2003 can only communicate with host 1, indicating that it is set to use the preshared key Quis Custodiet Custodes.

2. Incorrect The question asks how the computer running Windows Server 2003 can be reconfigured, not how the host workstations running Windows XP can be reconfigured. Furthermore, Ita Erat Quando Hic Adveni is the preshared key for host 2. In the scenario, the computer running Windows Server 2003 can only communicate with host 1, indicating that it is set to use the preshared key Quis Custodiet Custodes.

3. Incorrect For any given filter, there can only be a single preshared key.

4. Incorrect The first rule should use the filter named 10.10.10.36, and the second rule should use the filter named 10.10.10.30. In this answer, the preshared keys are switched around.

5. Correct This answer assigns the correct preshared keys to the correct IP addresses. Because there is a rule governing all traffic that has a preshared key that allows communication with host 1, host 1 will remain in communication after these new rules and filters are added. When security is negotiated, the authentication essentially works its way down the list until it either finds a rule it matches or until it runs out of rules.

3. 

Correct Answers: C

1. Incorrect Logging IKE exchanges cannot be enabled from the GUI. It must be enabled from the command line by using the netsh command in the ipsec context.

2. Incorrect This registry entry describes how logging of IKE exchanges is enabled in Windows 2000 or Windows XP. This method will not work in Windows Server 2003. Furthermore, setting the EnableLogging DWORD to 0 will disable logging of IKE exchanges on these operating systems.

3. Correct This will enable logging of IKE exchanges on the member server running Windows Server 2003.

4. Incorrect This command sequence will disable logging of IKE exchanges on the member server running Windows Server 2003.

5. Incorrect This will enable logging of IKE exchanges in Windows 2000 and Windows XP, but not in Windows Server 2003.

4. 

Correct Answers: C

1. Incorrect The CRL behavior cannot be modified by using the GUI. It must be modified by means of the netsh ipsec dynamic set config strongcrlcheck command.

2. Incorrect The CRL behavior cannot be modified by using the GUI. It must be modified by means of the netsh ipsec dynamic set config strongcrlcheck command.

3. Correct By default, Windows Server 2003 does perform CRL checks, though in some cases this will not stop the IKE certificate authentication. CRL checks can be modified by using the netsh ipsec dynamic set config strongcrlcheck [0/1/2] command. A setting of 2 will cause authentication to fail if any error occurs. A setting of 0 will disable the CRL check.

4. Incorrect By default, Windows Server 2003 does perform CRL checks, though in some cases this will not stop the IKE certificate authentication. CRL checks can be modified by using the netsh ipsec dynamic set config strongcrlcheck [0/1/2] command. A setting of 2 will cause authentication to fail if any error occurs. A setting of 0 will disable the CRL check.

5. 

Correct Answers: B

1. Incorrect The commands that Rooslan has issued will enable IPSec driver logging (the first command), will set strong CRL checks during IKE certificate authentication (the second command), and will exempt all broadcast, multicast, and Kerberos traffic from IPSec filtering (the final command). Because the second command does not disable CRL checks during IKE certificate authentication, the first secondary goal is not accomplished. The primary goal and the second secondary goal are accomplished.

2. Correct The commands that Rooslan has issued will enable IPSec driver logging (the first command), will set strong CRL checks during IKE certificate authentication (the second command), and will exempt all broadcast, multicast, and Kerberos traffic from IPSec filtering (the final command). Because the second command does not disable CRL checks during IKE certificate authentication, the first secondary goal is not accomplished. The primary goal and the second secondary goal are accomplished.

3. Incorrect The commands that Rooslan has issued will enable IPSec driver logging (the first command), will set strong CRL checks during IKE certificate authentication (the second command), and will exempt all broadcast, multicast, and Kerberos traffic from IPSec filtering (the final command). Because the second command does not disable CRL checks during IKE certificate authentication, the first secondary goal is not accomplished. The primary goal and the second secondary goal are accomplished.

4. Incorrect The commands that Rooslan has issued will enable IPSec driver logging (the first command), will set strong CRL checks during IKE certificate authentication (the second command), and will exempt all broadcast, multicast, and Kerberos traffic from IPSec filtering (the final command). Because the second command does not disable CRL checks during IKE certificate authentication, the first secondary goal is not accomplished. The primary goal and the second secondary goal are accomplished.

5. Incorrect The commands that Rooslan has issued will enable IPSec driver logging (the first command), will set strong CRL checks during IKE certificate authentication (the second command), and will exempt all broadcast, multicast, and Kerberos traffic from IPSec filtering (the final command). Because the second command does not disable CRL checks during IKE certificate authentication, the first secondary goal is not accomplished. The primary goal and the second secondary goal are accomplished.