Objective 3.7: Questions




1. 

Tailspin Toys has 50 sales representatives who go to various toy fairs and conventions across the country. Each of these sales representatives is equipped with a Tablet PC running Windows XP that has a built-in analog modem. Currently, when at these locations, sales representatives dial long distance to a remote access server equipped with modems at the Tailspin Toys headquarters site. Using this connection, they are able to access the company network. Rather than maintain this arrangement, the company has decided to give the 50 sales representatives a Point-to-Point Protocol (PPP) dialup account with a national Internet service provider (ISP). After they have connected to a local point of presence, they will connect by means of a VPN to the Tailspin Toys headquarters network. You are preparing for a meeting to decide whether this solution should implement Layer Two Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP). Your manager has the following preferences for the solution:

  • Authentication of tunnels can occur without the use of IPSec.

  • Headers should be compressed as much as possible.

  • The solution must support transmission over PPP dialup connection and IP networks.

  • The solution must be compatible with Windows XP and Windows Server 2003.

  • The solution must provide proof that data was not modified in transit.

A VPN using PPTP is proposed by another attendee at the meeting. Your manager asks you to comment on this proposal based upon her preferences. Which of your manager’s preferences does this proposal fail to meet? (Select all that apply.)

  a. The solution must be compatible with Windows XP and Windows Server 2003.

  b. The solution must support transmission over PPP dialup connection and IP networks.

  c. Authentication of tunnels can occur without the use of IPSec.

  d. Headers should be compressed as much as possible.

  e. The solution must provide proof that data was not modified in transit.


2. 

You are attempting to troubleshoot the VPN connections that are made between laptop computers running Windows XP Professional that are connected to 100BaseT LANs at airport terminals and your company’s Windows Server 2003–based VPN server, which is located at the main office. You want to know which type of tunnel and encryption combination the VPN server running Windows Server 2003 will attempt to negotiate with connecting clients running Windows XP. Which of the following will the VPN server running Windows Server 2003 attempt to negotiate first?

  a. Microsoft Point-to-Point Encryption with IPSec

  b. PPTP with IPSec

  c. L2TP with Microsoft Point-to-Point Encryption

  d. PPTP with Microsoft Point-to-Point Encryption

  e. L2TP with IPSec


3. 

You are configuring a computer running Windows Server 2003 to host several modems so that employees at your company are able to dial into the organization’s network. One of your concerns is that the security of employees’ home telephone connections cannot be guaranteed. Your specific concern is that they might have been tapped and that information transmitted over the telephone lines might be intercepted. To deal with this concern, you want to disable all authentication protocols on the dial-up server running Windows Server 2003 that do not support data encryption. The dialog box that will enable you to do this is presented in the following figure:


Which of the following protocols should you disable? (Select all that apply.)

  a. EAP

  b. MS-CHAP v2

  c. MS-CHAP

  d. CHAP

  e. Shiva Password Authentication Protocol (SPAP)


4. 

Rooslan is editing a dial-up networking entry for Fourth Coffee in the Connection Manager Administration Kit Wizard, as shown in the following figure:


Rooslan wants to ensure that only smart cards can be used for logon authentication and that all data transmitted over the connection is encrypted. Which of the following settings should Rooslan configure to meet these goals?

  a. Rooslan should set the Security settings to Use Basic Security Settings. He should configure the Basic Security Settings to Require A Microsoft Secured Password and Require Data Encryption.

  b. Rooslan should set the Security settings to Use Both Basic And Advanced. He should leave the default values in place for both the Basic and Advanced security settings.

  c. Rooslan should set the Security settings to Use Advanced Security Settings. He should configure the Advanced Security Settings to Use Extensible Authentication Protocol (EAP): MD5-Challenge and set the Data Encryption to Require Encryption.

  d. Rooslan should set the Security settings to Use Advanced Security Settings. He should configure the Advanced Security Settings to Use Extensible Authentication Protocol (EAP): Smart Card Or Other Certificate (Encryption Enabled) and set the Data Encryption to Require Encryption.


5. 

You have configured a member server that runs Windows Server 2003 in your domain as a Routing and Remote Access server. This member server has two analog modems attached to it and is to be used by technical support staff to access the network remotely if the company’s normal Internet link fails. You want MS-CHAP v2 to be the only authentication method available. Furthermore, you want to set the encryption level to Microsoft Point-to-Point Encryption (MPPE) 128 bit and to disallow multilink connections. All staff members who should have access to this service have accounts located in the Techie organizational unit (OU). Which of the following methods can you use to achieve your goals?

  a. Create a new GPO and apply it to the Techie OU. In the \User Configuration\Windows Settings\Security Settings\Remote Access node, create a new remote access policy. Configure the remote access policy to limit the available authentication methods to EAP-TLS. Set the only allowable encryption level to Strongest, and disallow multilink connections.

  b. Create a new GPO and apply it to the Techie OU. In the \User Configuration\Windows Settings\Security Settings\Remote Access node, create a new remote access policy. Configure the remote access policy to limit the available authentication methods to MS-CHAP v2. Set the only allowable encryption level to Strong, and disallow multilink connections.

  c. On the Routing and Remote Access server running Windows Server 2003, create a new remote access policy for dial-up connections by using the wizard. Have this policy apply to the Techras OU. On the Authentication Methods page of the wizard, make sure that only the check box for MS-CHAP v2 is checked. On the Policy Encryption Level page, ensure that only the Strong Encryption check box is checked. After the wizard has finished, edit the properties of the new policy, and then edit the profile. On the Multilink tab, click Do Not Allow Multilink Connections.

  d. Add all staff members who should be granted this remote access to a domain global group named Techras. On the Routing and Remote Access server running Windows Server 2003, create a new remote access policy for dial-up connections by using the wizard. Have this policy apply to the Techras group. On the Authentication Methods page of the wizard, make sure that only the check box for MS-CHAP v2 is checked. On the Policy Encryption Level page, ensure that only the Strongest Encryption check box is checked. After the wizard has finished, edit the properties of the new policy, and then edit the profile. On the Multilink tab, click Do Not Allow Multilink Connections.


Answers

1. 

Correct Answers: C, D, and E

  a. Incorrect: The proposal is compatible with Windows XP and Windows Server 2003, and hence meets your manager’s preference.

  b. Incorrect: The proposal will work over PPP dialup connections and IP networks, and hence meets your manager’s preference.

  c. Correct: PPTP does not provide tunnel authentication unless IPSec is used. L2TP provides tunnel authentication independently of IPSec. The proposal would need to use L2TP to meet your manager’s preferences.

  d. Correct: L2TP provides better header compression than PPTP (4 bytes versus 6 bytes). The proposal to use PPTP does not meet your manager’s preference that maximum header compression should occur.

  e. Correct: PPTP does not provide data integrity (proof that data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user). Only solutions using L2TP with IPSec provide data integrity and data origin authentication. Hence the PPTP proposal does not meet your manager’s preference that proof must be shown that data was not modified in transit.

2. 

Correct Answers: E

  a. Incorrect: Both of these are encryption protocols, and neither is used to generate a VPN tunnel to a VPN server running Windows Server 2003.

  b. Incorrect: A VPN server running Windows Server 2003 will first attempt to negotiate an L2TP with IPSec connection before moving on to other tunneling protocol and encryption combinations. L2TP with IPSec is the most secure VPN method available to Windows Server 2003.

  c. Incorrect: A VPN server running Windows Server 2003 will first attempt to negotiate an L2TP with IPSec connection before moving on to other tunneling protocol and encryption combinations. L2TP with IPSec is the most secure VPN method available to Windows Server 2003.

  d. Incorrect: A VPN server running Windows Server 2003 will first attempt to negotiate an L2TP with IPSec connection before moving on to other tunneling protocol and encryption combinations. L2TP with IPSec is the most secure VPN method available to Windows Server 2003.

  e. Correct: A VPN server running Windows Server 2003 will first attempt to negotiate an L2TP with IPSec connection before moving on to other tunneling protocol and encryption combinations. L2TP with IPSec is the most secure VPN method available to Windows Server 2003.

3. 

Correct Answers: D and E

  a. Incorrect: Data transmissions can only be encrypted if MS-CHAP, MS-CHAP v2, or EAP (TLS or MD5) authentication is used. These protocols generate their own encryption keys that are then used to encrypt data transmission.

  b. Incorrect: Data transmissions can only be encrypted if MS-CHAP, MS-CHAP v2, or EAP (TLS or MD5) authentication is used. These protocols generate their own encryption keys that are then used to encrypt data transmission.

  c. Incorrect: Data transmissions can only be encrypted if MS-CHAP, MS-CHAP v2, or EAP (TLS or MD5) authentication is used. These protocols generate their own encryption keys that are then used to encrypt data transmission.

  d. Correct: Although the authentication in CHAP is encrypted, which means that user names and passwords are not transmitted in plaintext, no encryption key is generated that can be used to encrypt the transmission after authentication occurs. So, although passwords that are intercepted cannot be instantly read, any data transmitted after authentication that is intercepted will pass unencrypted across the telephone line to the modem.

  e. Correct: Although the authentication in SPAP is encrypted, which means that user names and passwords are not transmitted in plaintext, no encryption key is generated that can be used to encrypt the transmission after authentication occurs. So, although passwords that are intercepted cannot be instantly read, any data transmitted after authentication that is intercepted will pass unencrypted across the telephone line to the modem.

4. 

Correct Answers: D

  a. Incorrect: Although this will ensure that data encryption is used, the basic security settings do not allow for the use of smart cards. This will not meet Rooslan’s goals.

  b. Incorrect: The default values require a secure password (not a smart card) and allow encryption to remain optional. This will not meet Rooslan’s goals.

  c. Incorrect: Although this will ensure that data is encrypted, MD5-Challenge configures password authentication, rather than smart card/certificate authentication, to be used. This will not meet Rooslan’s goals.

  d. Correct: This will ensure that data is encrypted and that a smart card is used. The default setting for Smart Card Or Other Certificate is My Smart Card. It is also possible to use a digital certificate installed on the connecting computer.

5. 

Correct Answers: D

  a. Incorrect: Remote access policies are not configured by GPO. They are configured on a Routing and Remote Access server and applied to groups or to individual users.

  b. Incorrect: Remote access policies are not configured by GPO. They are configured on a Routing and Remote Access server and applied to groups or to individual users.

  c. Incorrect: This particular remote access policy does not set the encryption level to MPPE 128, but to MPPE 56. Remote access policies can only apply to individual users and groups, not to OUs.

  d. Correct: Remote access policies are configured on the Routing and Remote Access server, not by means of Group Policy. Remote access policies are applied to groups or users, not to Group Policy objects or domains. Strongest Encryption sets the encryption to MPPE 128. If this method is followed, the goals described in the question will be achieved.






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
Year: 2004
Pages: 217
