You have decided to deploy IPSec in your organization because you have several departments that are doing sensitive work and communicating across the Internet and other networks with a variety of persons in various organizations. There have been a few incidents where messages were sent instructing lower-level employees to perform certain tasks, purporting to be from their managers. However, investigation revealed that the managers did not send the messages; rather, they were sent by someone else, pretending to be the manager, who was attempting to sabotage the project. This experience has pointed out the need to provide authentication for the data packets that travel across the network so that the receiver of a message can be assured that it is genuine. It is equally important to ensure that the data in these messages doesn’t get changed during transmission. Finally, you want to be sure that nobody other than the authorized recipient is able to read the message itself. You want the entire packet to be digitally signed, so that it will have maximum protection. Which of the following IPSec configuration choices will provide this?
A. Use AH alone.
B. Use ESP alone.
C. Use AH and ESP in combination.
D. IPSec cannot provide authentication, integrity, and confidentiality simultaneously.

You have been hired as a consultant to help deploy IPSec for the network of a medium-size manufacturing firm that is developing a number of new products and must share sensitive data about its products over the network. As part of the planning process, you must determine the best authentication method to use with IPSec. What are the authentication methods that can be used with IPSec? (Select all that apply.)
A. Kerberos v5
B. Perfect Forward Secrecy (PFS)
C. Shared secret
D. Diffie-Hellman groups

You are the network administrator for a company that has recently migrated some of its servers to Windows Server 2003 from Windows 2000. However, there are still a number of Windows 2000 servers and clients on the network. You want to use the enhanced security available on your network, and you have some interoperability issues you are concerned with pertaining to Windows Server 2003 and your Windows 2000 servers and clients. Which key method should you implement?
A. Rivest-Shamir-Adleman (RSA)
B. Diffie-Hellman group 1
C. Diffie-Hellman group 2
D. Diffie-Hellman group 2048

You are a network administrator for a medium-sized medical office and you have recently deployed IPSec on the network in response to the physician/owner’s concerns about confidentiality of patient information. However, it appears that IPSec might not be working correctly on a particular client computer. You need to view the local routes assigned to this particular client on the network using the IPSec Policy Agent. How does the IPSec Policy Agent function in IPSec? (Select all that apply.)
A. Surveys the policy for configuration changes
B. Routes the assigned IPSec policy information to the IPSec driver
C. Uses the IP Security Policy Agent console to manage IPSec policies
D. For nondomain member clients, retrieves local IPSec policy information from the Registry

You are the network administrator for a large law firm. You have been tasked with the duty of deploying IP security for all network communications in the departments and divisions that handle sensitive data. You have delegated individual departments to your junior administrators. You now need to verify that IPSec has been deployed and configured properly on your Human Resources and Payroll computers. Which tools can be used to perform this function? (Select all that apply.)
A. IPSec Security Policy Monitor console
B. netsh command
C. Certificates snap-in
D. Resultant Set of Policy (RSoP)

You have deployed IPSec on your company’s network and it has been working well, except for one thing. You’ve tried modifying some of the IPSec policy rules using netsh commands in the ipsec context, but each time you do so, the rules work only until you reboot the server, and then they seem to disappear. You want to make changes to the IPSec policy rules that are permanent and do not change when the server is rebooted. Which netsh command could you use?
A. netsh ipsec dynamic set config
B. netsh ipsec dynamic
C. netsh interface ip
D. netsh interface ipv6 isatap

You are the network administrator for a medium-sized company that provides accounting services to a number of different clients. To avoid having clients’ financial information disclosed to the wrong parties, you are planning to implement IPSec on your network. You want your employees to be able to communicate securely both within the company and across the WAN with employees in your branch offices. You have recently hired a junior administrator who has his MCSE in Windows NT and 2000. You give him the task of implementing IPSec in your organization. The first thing he tells you is that because your smaller branch office uses NAT, that site will not be able to use IPSec. What is your response?
A. You already knew this, and intend to change that site from a NAT connection to a routed connection to accommodate this.
B. He is mistaken; IPSec has been able to work with NAT since Windows 2000.
C. He is mistaken; IPSec did not work with NAT in Windows 2000 but it does in Windows Server 2003.
D. You know IPSec is not compatible with NAT “out of the box,” but you can install a third-party program that will make it compatible.

You have been hired as network security specialist for a new startup company that has recently installed a new Windows Server 2003 network. The network was originally set up by a group of consultants, and they implemented IPSec for network communications so that communications with their secure servers could be protected. You are reviewing and evaluating the IPSec policies. Although several policies have been created, none of them seem to be effective. What do you conclude the consultants forgot to do after creating the policy?
A. Authorize the policy in Active Directory
B. Assign the policy in the IP Security Policy Management console
C. Edit the policy after creating it
D. Enable the policy in the IP Security Monitor console

You have been tasked with the duty of implementing IPSec on your new Windows Server 2003 network to increase security. You have never worked with IPSec before and you have been reading up on it. You’ve decided that you want to use PFS, but you are concerned about the resource usage on the domain controller due to reauthentication. Which of the following types of PFS can you implement without putting an undue burden on the authenticating server?
A. You can use master key PFS.
B. You can use session key PFS.
C. You can use either or both because PFS doesn’t use any resources on the domain controller.
D. You can use neither because both types of PFS use considerable resources on the domain controller.

You are creating a project to implement IPSec using the IPv6 protocol. Part of your security plan states that you must maintain data confidentiality as part of your IPSec implementation. When developing your plan further, what must you remember about Microsoft’s implementation of IPv6 that is included in Windows Server 2003?
A. IPv6 does not support data encryption.
B. IPv6 does not support authentication.
C. IPv6 does not support integrity.
D. IPv6 does not support IPSec.

You have been hired as a consultant to evaluate the IPSec deployment in a small music publishing company. Management is concerned that copyrighted material might be intercepted as it passes over the network and be stolen. You discover that the former network administrator who initially set up IPSec configured it to use the AH protocol only. You explain to the company manager that one of the things you recommend changing is to configure IPSec to use ESP. Why would you implement ESP in this situation? (Select all that apply.)
A. ESP ensures data integrity and authentication.
B. ESP prevents capture of packets.
C. ESP provides confidentiality.
D. ESP encrypts the packets.

You are on an IT team that is planning the deployment of IPSec throughout a large enterprise network. You have been advised that cost-effectiveness and efficient use of personnel are two priorities, because the company does not want to hire additional IT staff to support the deployment. Of the authentication methods available, which has the lowest administrative overhead and is the most efficient if you wish to support the implementation on 10,000 client machines?
A. Diffie-Hellman group 2048
B. Kerberos v5
C. Pre-shared keys
D. Digital certificates

You have been hired to manage security for a medium-sized network. Your first project is to implement IPSec on the network to protect communications that travel across it. You have just assigned an IPSec policy to a client, and you need to view the precedence of IPSec policy assignments and which policies have been assigned to the client. Which logging mode would you use in RSoP?
A. IPSec mode
B. RSoP mode
C. Logging mode
D. Planning mode

You have IPSec configured and running on your network. You want to capture some IPSec packets to ensure that the data inside cannot be viewed. You want to capture packets being sent from a remote client to a remote server, using a server in the server room. Which of the following tools will you need to use in order to capture these packets?
A. Network Monitor in Windows Server 2003
B. netsh commands in the ipsec context
C. The IP Security Monitor console
D. Systems Management Server (SMS)

You want to use the RSoP tool in logging mode to build some reports on the existing policy settings of one of your client computers. You have used RSoP before in planning mode, but never in logging mode. You open the RSoP Wizard from the Active Directory Users and Computers console, as you’ve done before, but you notice that there is no mechanism for selecting the mode, and only planning mode seems to be available. What is the problem?
A. The RSoP Wizard runs only in planning mode.
B. You should open the RSoP Wizard from Active Directory Sites and Services instead.
C. You should open the RSoP Wizard from the RSoP MMC instead.
D. You can select logging mode when you open the RSoP in Active Directory Users and Computers. You must have overlooked the option.

Answers

C. You would use the logging mode in RSoP (Answer C) for this purpose because it will show you which policies have taken precedence over others. It also shows detailed policy information such as filters, connection types, and tunnel endpoints. A, B, D. Answers A and B are incorrect because they do not exist as mode types for RSoP. Answer D is incorrect because the planning mode can run queries to show administrators which policies are assigned to which users, as well as the target client computer's name, IP address, and domain controller assignment, obtained from Windows Management Instrumentation (WMI).

D. To capture packets and view what is inside them, you need a network sniffer (protocol analyzer). The only tool in this list that will allow you to capture and view packets passing across machines on the network other than the one from which you are monitoring is the version of Network Monitor that is included in Microsoft’s SMS console software, which can place the network card in promiscuous mode so that traffic not sent or received by the local computer can still be captured. Therefore Answer D is correct. A, B, C. Answer A is incorrect because the Network Monitor included in Windows Server 2003 can capture packets, but only those sent to or from the local computer on which the Network Monitor is installed. Answer B is incorrect because the netsh command-line utility is used to apply various IPSec policies and cannot be used to view network traffic. Answer C is incorrect because the IPSec Monitor is used to view statistics and information about IPSec connections, but it does not allow you to view inside individual packets.

C. Answer C is correct. When you open the RSoP Wizard from either Active Directory Users and Computers or Active Directory Sites and Services, you can use only planning mode. To use logging mode, you must open a stand-alone RSoP MMC. This is done by selecting Start | Run and entering mmc. Then select File from the menu, choose Add/Remove Snap-in, then Add. Then you can scroll down the list and add the RSoP console by double-clicking Resultant Set of Policy and selecting Add. After the console has been added, select the Close button and then select OK. A, B, D. Answer A is incorrect because the RSoP Wizard can run in either planning or logging mode, but the available modes depend on how you open the Wizard. Answer B is incorrect because opening the Wizard from the Active Directory Sites and Services tool would not help; you would still have only planning mode available. Answer D is incorrect because there is no way to select logging mode when you use Active Directory Users and Computers to open the RSoP Wizard; only planning mode is available.