Windows Server 2003 Network Security Design Study Guide (Exam 70-298) [Electronic resources]

Brian Reisman, Mitch Ruebush

نسخه متنی -صفحه : 168/ 48
نمايش فراداده

Case Study Questions

1.

You must design an authentication method for the R&D personnel in Albuquerque and Paris to access the applications and file servers they use. What should you do?

Require all R&D personnel to connect to the network with a L2TP/IPSec connection from their Windows clients.

Require all R&D personnel to connect to the network with a PPTP connection from their Windows clients.

Require all R&D personnel to have computer certificates installed on their workstations and then validate each workstation’s certificate before allowing access to services.

Require all R&D personnel to have smart card readers installed on their machines. Require a smart card logon to gain access to a terminal server computer that will be used to access resources on the network.

2.

You need to allow users in Albuquerque, Beijing, and Rio de Janeiro to access the wireless network. What should you do?

Configure WEP on the wireless access points and then on the client computers.

Configure the wireless access points to use 802.1x to authenticate users.

Set up IPSec on the client computers. Make sure that servers on the network require security so that the clients connect using IPSec.

Configure EAP-TLS authentication on the RADIUS server (in this case, Internet Authentication Service). Configure the wireless access points and client computers to use 802.1x authentication.

3.

You need to make sure that data sent over the wireless connection is encrypted. The wireless solution needs to meet the concerns of the Chief Security Officer. What should you do?

Create a Group Policy object (GPO) that is linked to the appropriate OUs. Create a wireless policy and use it to enable data encryption and dynamic key assignment.

Configure the wireless network settings at the interface on each client computer to require encryption.

Configure the wireless access point to not broadcast its SSID.

Create a logon script. Have the script configure the wireless network settings on the local computers to use encryption and assign keys.

4.

You need to design an IPSec policy so employees connecting to terminal servers and web servers in the Albuquerque office can work with confidential data from work or home. You need to decide what policy settings are necessary for IPSec. What should you do?

Drag the appropriate policy setting from the Policy Setting section to the correct location(s) in the Work Area section.

Type of Traffic

Servers To and From the Internet

Servers To and From Client Computers

Policy Setting

HTTP/HTTPS

No Policy

Remote Desktop Protocol (RDP)

Allow

All other protocols

Deny

5.

You need to design a secure connection strategy between the R&D and design departments’ resources. Your solution must minimize the impact on client, server, and network performance. What should you do?

Use IPSec to encrypt all communications between Albuquerque and Paris.

Configure the clients to use EAP-TLS and smart cards for authentication and encryption with the other location.

Configure SSL on all web servers at both locations.

Require all clients to establish a VPN connection using L2TP/IPSec to the other location.

Answers

1.

D. The security policy requires that R&D data and applications are protected by the highest level of protection. Using smart cards with EAP-TLS for authentication and encryption and using Terminal Services to prevent downloading of data is the strongest protection.

2.

D. You will need to authenticate the users on the network. Because security is a concern and the effort has been made to install PKI, you can use it in your wireless solution. You would avoid the WEP solution because managing the preshared keys would be too much work for the IT staff. You would need to add a RADIUS server to the network to use 802.1x authentication so B is not as complete as D. IPSec will encrypt the network traffic, but there is no authentication mechanism built into it, so C is not a solution to the company’s wireless requirements.

3.

A. You would use the Active Directory to push out a GPO that sets up the wireless network settings. This would require the least amount of work for the network administrators but still provide for setting up encryption.

4.

Type of Traffic

Servers To and From the Internet

Servers To and From Client Computers

HTTP/HTTPS

No Policy

No Policy

Remote Desktop Protocol (RDP)

Allow

Allow

All other protocols

Deny

You would not apply an IPSec policy to the HTTP/HTTPS traffic because you would use HTTPS to provide encryption and authentication for the application and would not need IPSec. You would want to encrypt the RDP traffic with IPSec for the RDP protocol to the terminal services for protection. All other traffic would be denied for IPSec to the servers from the Internet.

5.

A. To minimize the performance impact on the networks and the client and server CPUs, you should establish an IPSec tunnel between Albuquerque and Paris. This will encrypt only the network traffic that will travel over the link, limiting the network overhead, and will not use the client or server CPUs for encryption. Options B, C, and D would require each computer to perform encryption, which will degrade performance.