MCSE Designing Security for a Windows Server 2003 Network Exam 70-298 Study Guide [Electronic resources]

Elias N. Khnaser

نسخه متنی -صفحه : 122/ 60
نمايش فراداده

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Designing Security for Communication between Networks

1.

Your network consists of Windows Server 2003 domain controllers (DCs), Windows 2003 DNS servers, and Windows XP clients. You have recently added a firewall to the network to provide security for the network from attack from the Internet. You have placed your Web, e-mail, and DNS servers outside the firewall. Your company has established a written policy that allows only SMTP, HTTP, and DNS traffic to pass through the firewall. Which ports do you need to permit? (Choose all that apply.)

TCP/UDP 21

TCP/UDP 23

TCP/UDP 25

TCP/UDP 53

TCP/UDP 80

TCP/UDP 110

TCP/UDP 443

2.

You are designing a network implementation for your company and you want to have an Internet presence for your Web and e-mail servers. The Web server is called WebSvr1, and the e-mail server is named MailSvr1. Due to a recent bout of attacks, you need to implement a solution that will provide security and protection for your network. You are concerned about providing security for the Web and e-mail servers, yet you need to provide anonymous access to the Web server for the general public. You are worried that these anonymous users might use their access to investigate and attack the rest of your network as well. How do you design your network? (Select the best answer.)

Install Windows 2003 Server to act as the host computer for the Web and e-mail servers. Implement access control authentication for the users accessing the Web server. Add the IUSR_WebSvr1 user account to the directories that contain the Web files. Grant the IUSR_WebSvr1 user account read-only access. Grant access permissions to the network users as necessary.

Implement a firewall solution to protect the network. Place the Web and e-mail servers outside of the firewall. Configure the firewall to block user access from the Internet.

Implement a firewall solution to protect the network. Place two firewalls between the Internet and the internal network. Place the Web and e-mail servers outside the firewalls. Configure the firewalls to block user access from the Internet. Add the IUSR_WebSvr1 user account to the directories that contain the Web files. Grant the IUSR_WebSvr1 user account read-only access. Grant access permissions to the network users as necessary. Configure both firewalls to allow internal users to have access to the Internet.

Implement a firewall solution. Configure two firewalls. Place the Web and e-mail servers between the two firewalls. Configure the first firewall to allow access to the Web and e-mail servers by anonymous users using the IUSR_WebSvr1 user account. Configure the second firewall to allow internal users to have access to the Internet. Configure the second firewall not to allow any external users to pass through the firewall.

Implement a firewall solution to protect the network. Place two firewalls between the Internet and the internal network. Place the Web and e-mail servers inside the firewalls. Configure the firewalls to block all user access from the Internet. Add the IUSR_WebSvr1 user account to the directories that contain the Web files. Grant the IUSR_WebSvr1 user account read-only access. Grant access permissions to the network users as necessary. Configure both firewalls to allow internal users to have access to the Internet.

3.

You have a network that consists of four subnets. The networks IDs for the networks are 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and 10.0.4.0/24. Each subnet has two Windows Server 2003 and 75 Windows XP clients. You are planning to add a VPN server to the network to provide connectivity for remote users. You need to summarize the internal network IDs on the VPN server. What is the minimum information needed to accomplish the desired result?

An entry for each subnet is required in the static route table of the VPN server.

An entry for each subnet is required in the static route table of the remote clients.

A route summarization entry, 10.0.0.0/16, can be added to the VPN server.

A route summarization entry, 10.0.0.0/16, can be added to the remote clients.

4.

You are configuring routing on an RRAS server. The RRAS server’s intranet interfaces are configured to be connected to the intranet with a manual TCP/IP configuration that will consist of the IP address, subnet mask, default gateway, and intranet DNS servers. You are now experiencing difficulties when users attempt to connect to the Internet. What must you do to resolve these conflicts?

Configure the intranet interface to use the Internet DNS servers.

Configure the intranet interface with a public IP address.

Assign the IP address for the intranet interface to use DHCP.

Delete the default gateway configuration on the intranet interface.

Answers

1.

C, D, E

2.

D

3.

C

4.

D

Designing VPN Connectivity

5.

You are designing a VPN that will allow the company’s sales force to travel to multiple cities around the Untied States. You are using an Internet service provider (ISP) that provides service across the United States and has local numbers in all major cities and many smaller cities as well. The ISP is constantly adding new telephone numbers as it expands its service area. The sales manager is concerned that his sales force will not know what the local access number will be in the cities where they will be traveling. He asks if there is a solution that will help the sales force to make the VPN connection so that they can pass confidential client information and sales orders back to corporate headquarters. What is the best solution to address this problem?

There is nothing that can be done to help the sales force.

You can configure an Access database that contains all of the telephone numbers for the ISP.

You can configure a contact list in Exchange that lists the telephone numbers in all the cities that are supported by the ISP.

Create a custom phone book using Connection Point Services.

6.

You have designed a Windows Server 2003 VPN solution for your corporation. The solution has a Windows Server 2003 VPN server at headquarters. The VPN server has been placed behind the internal firewall protecting your network. You have created a DNS record on your Internet server in the DMZ so that you can perform name resolution to the VPN server. You have tested connectivity to the VPN server from all of the client computers using the PING utility. The clients at the branch offices are running Windows 98 and Windows XP. The Windows 98 clients are configured to use PPTP to establish the VPN connections. The Windows XP clients are configured to use L2TP using IPSec. The Windows 98 clients are using MS-CHAP v 2 to authenticate themselves as users. The Windows XP clients are using user-level certificate authentication with EAP-TLS. The Windows XP clients are not experiencing any difficulties in connecting, but the Windows 98 clients are not able to connect to the VPN server. What should you check to resolve the connectivity issue for the Windows 98 clients?

Upgrade all of the Windows 98 computers to Windows 2000 or Windows XP.

Configure the firewall to allow PPTP traffic to pass.

Move the VPN server to outside the external firewall.

Change the default authentication protocol to use certificates.

7.

You have just replaced many of your company’s dial-in connections with VPN connections to reduce the costs of maintaining dial-in services. You have recently configured VPN access on a laptop for a user. You have specified the host name for the VPN server in the Host Name or IP Address box. Now the user is complaining that he is receiving the error message “Destination Host Unknown.” What is the most likely cause for this error message?

The DNS server has not been properly configured for the new VPN server.

The laptop has not been authorized to connect to the VPN server.

The VPN client has not been configured with the username with permission to access the VPN server.

The Remote access policy has not been configured to allow access to the user.

8.

You have just installed Routing and Remote Access on a Windows Server 2003 to function as a VPN server. Several remote users need to transmit confidential data to the company using the VPN server. The remote users are not members of your company’s domain. The remote users are running Windows XP on the client computers, and they all have access to a local ISP to provide Internet connectivity. Data transmission security is critical to the company and to the remote users. All of the clients will be using L2TP to create the connection to the VPN server. Which secure authentication method should you use for these connections?

Configure L2TP to use MPPE 128-bit encryption.

Create a custom IPSec policy and select certificate-based 5 authentication. Apply the policy to the appropriate OU.

Configure L2TP to use MS-CHAP v2.

Use the certificate-based authentication method of the Routing and Remote Access custom IPSec policy for the L2TP connection.

Answers

5.

D

6.

B

7.

A

8.

D