27 Cards in this Set

Your network consists of a single Active Directory domain and three stand-alone servers that run Microsoft Windows 2000 Advanced Server. You configure IPSec policy to require that all communication is encrypted, and you apply the policy using Group Policy at the domain level. You discover that client computers in the domain cannot communicate with the stand-alone servers. What can you do to allow computers on the network to communicate with the stand-alone servers using IPSec?

a. Upgrade the stand-alone servers to Microsoft Windows Server 2003.
b. Implement local security policy on the stand-alone computers that require encryption for communication.
c. Use Group Policy to apply Secure Server policy to the stand-alone servers.
d. Create a separate domain and make the three stand-alone servers domain controllers.
b. Implement local security policy on the stand-alone computers that require encryption for communication.

EXPLANATION: Internet Protocol Security (IPSec) policies assigned through Group Policy at the domain level apply only to computers that are members of the domain. The stand-alone servers receive no policy, so they never answer the IKE negotiation that the domain clients start, and because the clients' policy requires security they refuse to fall back to clear text. Each stand-alone server therefore needs a compatible IPSec policy configured in its local security policy. One further caveat: the default authentication method, Kerberos, is available only to domain members, so the domain policy and the stand-alone servers' local policies must also share another method (a certificate or a preshared key) or main mode negotiation will still fail.
You are the network administrator for the contoso.com domain. IPSec policy has been defined and implemented on your network to ensure that all communication is encrypted. You have not installed the IP Security Monitor snap-in, but you need to display the active state of IPSec policies on your network. How can this be accomplished without installing additional snap-ins?

a. Run Ipsecmon from the command line.
b. Use Netsh in dynamic mode to view the active state of IPSec policies.
c. Use Netsh in static mode to view the active state of IPSec policies.
d. This cannot be accomplished without adding the IP Security Monitor snap-in.
b. Use Netsh in dynamic mode to view the active state of IPSec policies.

EXPLANATION: Netsh is a command-line scripting tool that displays or modifies the configuration of the local computer or a remote one. Its ipsec context has two modes: static mode manages the stored policy, which is not necessarily the policy being enforced, while dynamic mode reads and changes what the IPSec driver is doing right now. To see the policy, filters, security associations and statistics currently in effect, use Netsh in dynamic mode (netsh ipsec dynamic show all).
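The inspection the card describes, as an added example that is not part of the original flashcards. The host name SRV01 is an assumption. It requires Windows Server 2003, because the netsh ipsec context does not exist on Windows 2000 or Windows XP.

```batch
@echo off
rem Added example: inspect what the IPSec driver is actually enforcing right now
rem (dynamic mode), locally and on a remote Windows Server 2003 host (SRV01 is
rem an assumed name). Requires the Windows Server 2003 netsh ipsec context.

rem Everything at once: assigned policy, main/quick mode policies, filters, SAs, statistics
netsh ipsec dynamic show all

rem Narrower views, useful when "show all" is too long on a busy server
rem established main mode (IKE) SAs
netsh ipsec dynamic show mmsas
rem established quick mode (IPSec) SAs
netsh ipsec dynamic show qmsas
rem IKE negotiation counters only
netsh ipsec dynamic show stats type=ike
rem driver configuration: ikelogging, ipsecdiagnostics, bootmode, default exemptions
netsh ipsec dynamic show config

rem Compare with what is merely stored (static mode). A stored policy is not
rem necessarily the one in effect, e.g. when an Active Directory policy wins.
netsh ipsec static show all

rem Same inspection against a remote server (needs administrative rights on SRV01)
netsh -r SRV01 ipsec dynamic show all
```

If the static and dynamic views disagree, the dynamic one is what packets are being matched against; that is the view to trust when a client reports traffic that is or is not being secured.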
You are responsible for securing communication between your corporate office in Atlanta and a branch office in Orlando. Both offices utilize internal IP addressing and NAT. How must you configure IPSec to successfully secure traffic between these two sites?

a. Configure IPSec to operate in tunnel mode.
b. Configure IPSec to operate in transport mode.
c. NAT cannot be used in conjunction with IPSec.
d. Configure IPSec to operate in NAT mode.
a. Configure IPSec to operate in tunnel mode.

EXPLANATION: Internet Protocol Security (IPSec) operates in one of two modes. Transport mode protects traffic end to end between the two hosts that are communicating. Tunnel mode encapsulates the whole original IP packet inside a new IP packet addressed between two gateways, which is what a site-to-site (gateway-to-gateway) design between two privately addressed offices requires: the internal addresses travel hidden inside the tunnel and only the gateways' addresses appear on the Internet. Two caveats matter in practice. AH cannot cross a NAT device because it authenticates the IP header that NAT rewrites, so the tunnel should use ESP. And the two gateways must be able to reach each other's tunnel endpoint addresses directly, otherwise the IKE negotiation never starts.
Which tool included in Microsoft Windows Server 2003 can be used to view IPSec policies that are assigned but not applied to IPSec clients?

a. Ipsecmon
b. RSoP
c. IP Security Monitor
d. Ipconfig
b. RSoP

EXPLANATION: Resultant Set of Policy (RSoP) is an MMC snap-in that shows the Group Policy settings, including the IPSec policy, that apply to a computer or user. In logging mode it reports what was actually applied; in planning mode it shows what would be applied to a given computer or container. It is therefore the tool for seeing which IPSec policy is assigned to a computer through Group Policy before the IPSec client has picked it up, whereas IP Security Monitor shows only the policy already in effect.
Your Microsoft Windows Server 2003 network uses IPSec to encrypt data communications. Client computers run either Microsoft Window XP Professional or Microsoft Windows 2000 Professional. You determine that some, but not all, communication is encrypted using IPSec. You would like to view the active IPSec policies that are in effect on each computer. Which tool included in Windows Server 2003 will allow you to view the active IPSec policies applied to each type of computer?

a. Ipsecmon
b. Netdiag
c. IP Security Monitor
d. RSoP
b. Netdiag

EXPLANATION: Netdiag is a command-line tool from the Windows Support Tools that tests network configuration and, with the /test:ipsec switch, reports the IPSec policy a computer is using. Versions exist for Windows 2000, Windows XP and Windows Server 2003, so it is the one tool in the list that covers every computer in this network. Ipsecmon exists only on Windows 2000, and Windows 2000 has neither the IP Security Monitor snap-in nor Resultant Set of Policy (RSoP). Note that on Windows Server 2003 itself Netdiag skips the IPSec test and refers you to netsh ipsec dynamic show, which is the preferred tool there.
Communication partners using IPSec require identical security policies.

a. True
b. False
b. False


EXPLANATION: Communicating peers using Internet Protocol Security (IPSec) do not require identical security policies. Both peer computers must have a security policy with enough negotiation options to establish a common set of requirements for communication.
You are the network administrator for a Microsoft Windows Server 2003 network that has clients running Microsoft Windows XP and Microsoft Windows 2000. You configure IPSec policies on all of the computers so network traffic will be encrypted. You later discover that some, but not all, traffic is encrypted. Which of the following is the most likely reason that IPSec does not encrypt some of the traffic?

a. Client computers are configured to use the Client (Respond Only) policy, not the Server (Request Security) policy.
b. Servers are configured to use the Server (Request Security) policy, but not the Secure Server policy.
c. Client computers are configured to use the Secure Server policy.
d. Clients are configured to use the Server policy, not the Client policy.
a. Client computers are configured to use the Client (Respond Only) policy, not the Server (Request Security) policy.

EXPLANATION: Client (Respond Only) never initiates a negotiation; it secures traffic only when the peer asks for it. Server (Request Security) asks every peer to negotiate but, if the peer does not answer IKE, falls back to clear text for that peer (the filter action permits unsecured communication). With clients on Respond Only and servers on Request Security, client-to-server traffic is secured, but client-to-client traffic, and traffic with any host that does not answer IKE, stays in the clear, which matches the symptom. Configuring the clients with Server (Request Security) makes them request security for their own connections too. Only Secure Server (Require Security) refuses clear text altogether.
You are the network administrator for a mixed-mode domain. Your network has four servers running Microsoft Windows Server 2003 and three servers running Microsoft Windows 2000. Your client computers run Microsoft Windows 2000 Professional. Which of these computers can use Netsh to configure IPSec policies?

a. The servers running Windows Server 2003 and Windows 2000
b. The client computers running Windows 2000
c. The servers running Windows Server 2003 only
d. The servers running Windows 2000 only
c. The servers running Windows Server 2003 only

EXPLANATION: Netsh itself exists on Windows 2000 and Windows XP, but its ipsec context (netsh ipsec static and netsh ipsec dynamic) is present only in the Windows Server 2003 family. Windows 2000 uses Ipsecpol.exe from the Resource Kit and Windows XP uses Ipseccmd.exe from the Support Tools for scripted IPSec configuration.
Which of the following is a feature of IPSec that verifies the identity of peer computers before any data is sent?

a. IP packet filtering
b. Automatic security associations
c. Peer authentication
d. Anti-replay
c. Peer authentication

EXPLANATION: Internet Protocol Security (IPSec) authenticates the peer computer during IKE main mode, before any quick mode SA is created and before any application data is sent. Windows supports three methods: Kerberos (the default, usable only between members of the same forest or of trusting domains), public key certificates issued by a CA that both peers trust, and preshared keys (stored in clear text in the policy, so suitable for testing rather than production).
You recently upgraded your server running Microsoft Windows 2000 to Microsoft Windows Server 2003. Your network utilizes IPSec for encryption. You would like to view the details of your IPSec policies. At the command line, you type ipsecmon and receive an error. You know that this worked before you upgraded the operating system. What can you do to view information about the IPSec policies that are active on your network?


a. Download the Ipsecmon utility from the Microsoft Web site.
b. Run IPSec Policy Agent from the command line.
c. Add the IP Security Monitor MMC snap-in.
d. Add the RSoP MMC snap-in.
c. Add the IP Security Monitor MMC snap-in.

EXPLANATION: Ipsecmon is a utility included in Windows 2000. In Windows Server 2003, Ipsecmon is replaced with the IP Security Monitor snap-in. To view current statistics about active policies on a Windows Server 2003 network, the IP Security Monitor snap-in must be installed through the Microsoft Management Console (MMC).
Which protocol does IPSec use to provide authentication, integrity, and anti-replay for both the IP header and the data payload?

a. ESP
b. IKE
c. AH protocol
d. Kerberos
c. AH protocol

EXPLANATION: Internet Protocol Security (IPSec) secures traffic with two protocols. Authentication Header (AH, IP protocol 51) computes an integrity check over the payload and the IP header, excluding fields that legitimately change in transit such as the TTL, so it provides authentication, integrity and anti-replay for the packet as a whole but no confidentiality; because the addresses are covered, AH fails as soon as a NAT device rewrites them. Encapsulating Security Payload (ESP, IP protocol 50) encrypts the payload and authenticates the payload and ESP header, giving confidentiality, authentication, integrity and anti-replay for the data but not for the outer IP header. IKE negotiates the security associations for both protocols, and Kerberos is only one of the authentication methods IKE can use.
Your Microsoft Windows Server 2003 network consists of one domain, contoso.com, and three OUs named Atlanta, New York, and Los Angeles. The Secure Server (Require Security) policy using the default authentication has been applied at the domain level for contoso.com. Users in the Atlanta OU can no longer communicate with clients or servers in the New York or Los Angeles OUs. Which of the following is preventing the communication?

a. The administrator for the Atlanta OU has applied the Client (Respond Only) IPSec policy; this policy has been configured to require the use of certificates for authentication to the Atlanta OU.
b. Security policy has been applied at the domain level when it should be applied at the OU level.
c. The administrator for the Atlanta OU has applied the Server (Request Security) IPSec policy using Kerberos for authentication to the Atlanta OU.
d. The administrator for the Atlanta OU has applied the Secure Server (Require Security) IPSec policy using Kerberos for authentication to the Atlanta OU.
a. The administrator for the Atlanta OU has applied the Client (Respond Only) IPSec policy; this policy has been configured to require the use of certificates for authentication to the Atlanta OU.

EXPLANATION: IPSec policy assignment follows normal Group Policy precedence: a policy linked at the organizational unit (OU) level takes precedence over one linked at the domain level, and a computer has only one IPSec policy in effect at a time. Computers in the Atlanta OU therefore run Client (Respond Only) configured for certificate authentication, while everyone else runs Secure Server (Require Security) with the default Kerberos authentication. When a New York server requests security, the Atlanta client responds, but the two sides share no authentication method, so IKE main mode fails; because the server requires security, no traffic passes at all. Options c and d keep Kerberos and would still negotiate successfully; option b describes a design preference, not a fault.
IPSec requires that communication partners authenticate before transmitting data. What can be used to establish mutual authentication between two hosts when neither host uses Kerberos for authentication?

a. NAT
b. EFS
c. Public key certificates
d. E-mail
c. Public key certificates

EXPLANATION: Internet Protocol Security (IPSec) relies on mutual authentication to provide secure communication. When the two computers cannot both use Kerberos (for example because one is not a domain member, or they are in domains without a trust), a public key certificate issued by a CA that both sides trust provides the mutual authentication. NAT, EFS and e-mail play no part in IKE authentication.
You are the network administrator for Litware, Inc., and you are responsible for the IPSec policies for the corporate network. After making several changes to your IPSec policy, you notice that all communication on your network immediately ceases. For the policy change to have taken place immediately, which tool must you have used to implement the changes to the IPSec policy?

a. Netsh in dynamic mode
b. Netsh in static mode
c. IP Security Monitor snap-in
d. Group Policy
a. Netsh in dynamic mode

EXPLANATION: Netsh ipsec has two modes. Static mode edits a policy store (local, domain or persistent); a stored change reaches the IPSec driver only once the policy is assigned and the Policy Agent applies it, and Group Policy changes additionally wait for the next policy refresh. Dynamic mode writes directly to the IPSec driver, so the change takes effect immediately; the price is that it is not stored and disappears when the IPSEC Services (PolicyAgent) service restarts. A change that stops communication the moment it is entered was made in dynamic mode.
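The outage in this card is the reason to stage a way back before changing an assigned policy on a server you reach over the network. The following is an added example, not from the original flashcards; the file names, the policy chosen and the 10-minute window are assumptions.

```batch
@echo off
rem Added example, not from the page: change the assigned IPSec policy with a
rem rollback path, so a mistake does not lock you out of a server you manage
rem remotely. File names and the 10-minute window are assumptions.
rem Static-mode changes to the local store are picked up by the IPSEC Services
rem (PolicyAgent) service; dynamic-mode changes hit the driver at once and vanish
rem when that service restarts. Either way, stage a way back before you begin.
setlocal
set BACKUP=%SystemRoot%\Debug\ipsec-before.ipsec
set ROLLBACK=%SystemRoot%\Debug\ipsec-rollback.cmd

rem 1. Snapshot the local policy store. Restore later with:
rem    netsh ipsec static importpolicy file=%BACKUP%
netsh ipsec static exportpolicy file=%BACKUP%

rem 2. Dead-man's switch: a detached cmd that unassigns the new policy after
rem    about 600 s unless you kill it. "ping -n" is the pre-Vista sleep idiom;
rem    loopback traffic is exempt from IPSec filtering, so it works under any policy.
> %ROLLBACK% echo ping -n 601 127.0.0.1 ^>nul
>> %ROLLBACK% echo netsh ipsec static set policy name="Secure Server (Require Security)" assign=no
start "ipsec-rollback" /min cmd /c %ROLLBACK%

rem 3. The actual change, then confirm what the driver is now enforcing
netsh ipsec static set policy name="Secure Server (Require Security)" assign=yes
netsh ipsec dynamic show all

rem 4. Once you have confirmed you can still reach the server, cancel the rollback:
rem    taskkill /fi "WINDOWTITLE eq ipsec-rollback*"
```

If the session drops, wait out the window and the server returns to having no policy assigned; the exported file then lets you restore and correct the stored policy at leisure.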
Which tool included in Microsoft Windows Server 2003 can be used to view information related to IKE events?

a. Event Viewer security log
b. Performance Logs And Alerts
c. Replmon
d. Event Viewer audit log
a. Event Viewer security log


EXPLANATION: Event Viewer has Application, Security and System logs; there is no separate audit log, because audit events are written to the Security log. IPSec-related events are spread across them as follows: Internet Key Exchange (IKE) negotiation successes and failures (event IDs 541 through 547, Logon/Logoff category) are written to the Security log when Audit logon events is enabled; IPSec policy change events are written to the Security log when Audit policy change is enabled; and IPSec driver events, such as packets dropped because of a bad SPI, go to the System log. The IPSec Policy Agent also records its own policy retrieval events. Without the relevant audit settings the Security log contains no IKE events at all, which is the first thing to check when it appears empty.
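Pulling those IKE events out of the Security log from the command line, as an added example that is not part of the original flashcards. It relies on eventquery.vbs, which ships with Windows XP Professional and Windows Server 2003; the host name SRV01 is an assumption, and the Security log only contains IKE events if Audit logon events (success and failure) is enabled in the local security policy or a GPO.

```batch
@echo off
rem Added example, not from the page: query IPSec-related events with eventquery.vbs
rem (Windows XP Professional / Windows Server 2003). IKE events 541-547 appear in
rem the Security log only when "Audit logon events" is enabled; policy changes need
rem "Audit policy change". SRV01 is an assumed remote host name.
set EQ=cscript //nologo %SystemRoot%\system32\eventquery.vbs

rem Successful main mode negotiations (541): who is actually talking IPSec to us
%EQ% /L Security /FI "ID eq 541" /V

rem Failed negotiations (547): the event to read when some traffic is not encrypted.
rem Its description names the peer and the failure reason (no proposal chosen,
rem authentication failed, timed out).
%EQ% /L Security /FI "ID eq 547" /V

rem The whole IKE range as CSV for a spreadsheet or SIEM import
%EQ% /L Security /FI "ID ge 541" /FI "ID le 547" /FO CSV

rem IPSec driver events (secure/block mode changes, dropped packets) live in the System log
%EQ% /L System /FI "Source eq IPSec" /V

rem Same failure query against a remote server
%EQ% /S SRV01 /L Security /FI "ID eq 547"
```

Running the 547 query on both ends of a failing connection is usually faster than the Oakley log: if one side logs 547 and the other logs nothing, the IKE packets (UDP 500) are not arriving at all.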
Which feature of IPSec is responsible for negotiating a mutual set of security requirements between communication partners?

a. ISAKMP
b. IKE
c. IPSec policy agent
d. IPSec SA
a. ISAKMP

EXPLANATION: Internet Protocol Security (IPSec) uses the Internet Security Association and Key Management Protocol (ISAKMP) framework to dynamically negotiate a mutual set of security requirements between communication partners; IKE is the protocol that combines ISAKMP with the Oakley key exchange, and on Windows it runs over UDP port 500, which any firewall between the peers must allow. The policies on the two sides need not be identical but must contain enough negotiation options to establish a common set of requirements.
Your domain consists of servers running Microsoft Windows Server 2003, clients running Microsoft Windows XP Professional, and clients running Microsoft Windows 98. Your company recently started a confidential research project and all network communication related to this project must be encrypted using IPSec. All of the client computers for employees working on this project run Windows 98. After installing the server for the project, you configure the Secure Server (Require Security) policy and apply the policy to the server using the local security policies. You then apply the Client (Respond Only) policy to the OU that contains all of the client computers that are involved in this project. You discover that none of the Windows 98 clients are able to communicate with the server. What additional step must you take to allow the clients running Windows 98 to communicate with the server?

a. Apply the Server (Request Security) policy to the client computers.
b. Download the legacy IPSec client for Windows 98 from the Microsoft Web site.
c. Start the IPSec Policy Agent.
d. Install Network Monitor on the client computers running Windows 98.
b. Download the legacy IPSec client for Windows 98 from the Microsoft Web site.

EXPLANATION: Native Internet Protocol Security (IPSec) ships with Windows 2000, Windows XP and Windows Server 2003. Windows 98, Windows Me and Windows NT 4 have none, so neither the policy applied to their OU nor the server's Secure Server policy can make them negotiate, and the server refuses their clear-text traffic. Microsoft's downloadable client for those versions is the Microsoft L2TP/IPSec VPN Client, which provides IPSec only as the protection for L2TP VPN connections; it does not give Windows 98 a general-purpose transport-mode IPSec stack, so in practice upgrading the clients is the sounder fix.
A server running Microsoft Windows Server 2003 on your network contains highly sensitive information; this server is configured to use IPSec for all communications. Which two of the following Windows Server 2003 tools can be used to monitor and troubleshoot IPSec on your network?
a. IP Security Monitor
b. Event Viewer
c. IPSec Policy Agent
d. Performance Monitor
a. IP Security Monitor
b. Event Viewer

Correct answer: a and b
EXPLANATION: IP Security Monitor can be used to monitor active Internet Protocol Security (IPSec) policies on a network. Event Viewer can be used to view IPSec-related events.
You are the security administrator of contoso.com, and you have been asked to secure all network communication, including communication with the Active Directory directory service during the computer startup process. You have applied the Secure Server (Require Security) security policy. Which additional step should you take to ensure that communication is encrypted using IPSec?

a. Configure an IPSec policy that encrypts all Active Directory traffic, and use Group Policy to apply the policy.
b. Configure a persistent policy that requires traffic to Active Directory to always be secured by IPSec.
c. Configure the local security policy on all client and server computers to require encryption for all Active Directory traffic.
d. IPSec cannot be used to secure Active Directory traffic.
b. Configure a persistent policy that requires traffic to Active Directory to always be secured by IPSec.

EXPLANATION: Persistent policies, also known as permanent policies, are stored in the persistent store on the computer and are applied by the IPSec Policy Agent before any local or Active Directory–based policy; they remain in effect alongside the later policy and can enhance or override it. That closes the gap during startup between the moment the IPSec driver loads and the moment the Active Directory–based policy is retrieved and applied, which is exactly the traffic this question asks you to protect. Persistent policies can only be created with Netsh in static mode after switching the store (set store location=persistent); they are not visible in the IP Security Policy Management snap-in.
Which type of security attack is designed to prevent the normal use of computers or network resources?

a. Packet sniffing
b. DoS attack
c. Man-in-the-middle attack
d. Identity spoofing
b. DoS attack

EXPLANATION: A denial-of-service (DoS) attack aims to make a computer, service or network unavailable to its legitimate users, typically by flooding it with traffic or requests until bandwidth, memory or connection state is exhausted, or by sending malformed input that crashes it. Packet sniffing, man-in-the-middle and identity spoofing attack confidentiality and authenticity rather than availability. IPSec helps against DoS only indirectly: anti-replay and peer authentication discard injected traffic, but a flood of IKE requests can itself consume a server's resources.
You want to analyze the main mode IPSec statistics on a member server that runs Microsoft Windows Server 2003 in your domain. The server is accessed frequently by a large number of clients, and you know there will be a lot of statistical information. Which utility can you use to log this information for future analysis?

a. Use the Netsh command-line utility.
b. Use the Netdiag command-line utility.
c. Use IP Security Monitor.
d. Use RSoP.
a. Use the Netsh command-line utility.

EXPLANATION: Netsh in dynamic mode (netsh ipsec dynamic show stats) prints the IKE main mode and IPSec driver counters: negotiations attempted and failed, SAs established, bytes protected, packets dropped. Because Netsh is a command-line tool, its output can be redirected to a file and collected on a schedule for later analysis. IP Security Monitor shows the same statistics but only interactively; Netdiag reports policy, not statistics; RSoP shows policy assignment.
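A sampling loop that does what the card describes, as an added example that is not part of the original flashcards. The log path and the five-minute interval are assumptions; it requires the Windows Server 2003 netsh ipsec context.

```batch
@echo off
rem Added example, not from the page: sample IKE main mode and IPSec statistics
rem every five minutes into a timestamped log for later analysis, instead of
rem watching IP Security Monitor on a busy server. Path and interval are assumptions.
rem Run from a console that stays open, or wrap it in a scheduled task (schtasks).
setlocal
set LOG=%SystemRoot%\Debug\ipsec-stats.log
rem "ping -n N" waits roughly N-1 seconds; cmd on Windows Server 2003 has no sleep
set INTERVAL=301

:loop
echo ===== %DATE% %TIME% ===== >> %LOG%
rem IKE counters: main mode negotiations, failures, authentication failures
netsh ipsec dynamic show stats type=ike >> %LOG%
rem Driver counters: active SAs, bytes sent/received, bad SPI and replay drops
netsh ipsec dynamic show stats type=ipsec >> %LOG%
rem Number of main mode SAs currently up: a cheap load indicator for the server
netsh ipsec dynamic show mmsas >> %LOG%
rem Loopback is exempt from IPSec filtering, so the wait works under any policy
ping -n %INTERVAL% 127.0.0.1 >nul
goto loop
```

Comparing the "failed" counters between two samples tells you whether negotiation problems are ongoing or historical, something a single snapshot in IP Security Monitor cannot show.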
To encrypt network traffic, you implement IPSec on your network. You would like to record and view events related to SA establishment. Which steps can you take to record and view SA establishment events?

a. Enable the Oakley log in the Microsoft Windows Server 2003 registry.
b. Configure IPSec to log SA events to the Event Viewer audit log.
c. Configure IPSec to log SA events to a Microsoft Excel spreadsheet.
d. Enable the Oakley log in Windows Server 2003 Administrative Tools.
a. Enable the Oakley log in the Microsoft Windows Server 2003 registry.

EXPLANATION: The Oakley log (%systemroot%\Debug\Oakley.log) records every step of the IKE main mode and quick mode negotiation, including the proposals offered and the reason a negotiation failed, which is what you need to debug security association (SA) establishment. On Windows 2000 it is enabled by creating the EnableLogging DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley and restarting the IPSEC Policy Agent service. Windows Server 2003 also exposes the setting through Netsh in dynamic mode (netsh ipsec dynamic set config ikelogging 1), which is the supported method there. There is no switch for it in Event Viewer or Administrative Tools, and the log is verbose, so disable it again when you are done.
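Both ways of enabling the Oakley log, as an added example that is not part of the original flashcards. The Windows Server 2003 half uses netsh; the Windows 2000 half uses the registry value the card refers to. Nothing here is invented beyond the triage findstr at the end, which simply searches the log.

```batch
@echo off
rem Added example, not from the page: turn IKE (Oakley) tracing on, reproduce the
rem failing connection, turn it off again. The log is %SystemRoot%\Debug\Oakley.log.
rem It grows quickly and records negotiation details; never leave it enabled.

rem ---- Windows Server 2003: dynamic mode, no service restart needed ----
netsh ipsec dynamic set config ikelogging 1
rem ... reproduce the problem now, e.g. from the client: net use \\server\share ...
netsh ipsec dynamic set config ikelogging 0

rem Quick triage: failed main mode / quick mode negotiations are logged with
rem lines containing "fail"; read the surrounding lines for the proposal that was rejected
findstr /i "fail" %SystemRoot%\Debug\Oakley.log | more

rem ---- Windows 2000: the registry method the card describes ----
rem reg.exe is built into Windows XP/2003; on Windows 2000 it comes with the Support Tools.
rem The IPSEC Policy Agent service (service name PolicyAgent) must be restarted
rem for the value to take effect, and again after setting it back to 0.
reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley /v EnableLogging /t REG_DWORD /d 1 /f
net stop PolicyAgent
net start PolicyAgent
```

Restarting the Policy Agent tears down every existing SA on that computer, so on Windows 2000 schedule the registry change for a maintenance window; on Windows Server 2003 the netsh form avoids that disruption.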
You are the network administrator for the contoso.com domain. Your network consists of a Microsoft Windows Server 2003 domain. Your corporate security policy requires that all communication be encrypted using IPSec. Your company has a partnership with Litware, Inc. Litware users must communicate with Contoso users; however, the Litware users are not members of the Contoso domain, and you are not certain about which operating system the Litware computers run. How should you configure authentication so that all communication is encrypted?

a. Configure both Contoso and Litware policies to use X.509 certificates for authentication.
b. Configure both Contoso and Litware policies to use NTLM for authentication.
c. Configure Contoso to use Kerberos for authentication, and configure Litware to use X.509 certificates for authentication.
d. Use the default authentication settings for both Litware and Contoso.
a. Configure both Contoso and Litware policies to use X.509 certificates for authentication.

EXPLANATION: Internet Protocol Security (IPSec) relies on authentication to provide secure communication. Kerberos is not available to the Litware computers because they are not members of the Contoso domain (or of a domain it trusts), and NTLM is not an IPSec authentication method at all, so options b, c and d all leave the two sides without a common method and IKE main mode fails. X.509 certificates work regardless of operating system or domain membership because each side only needs to trust the CA named in the other's policy, which is why certificates are the usual choice for open networks such as the Internet and for extranets between partners.
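One policy that serves two of the cards above: a persistent policy (the startup card) whose rule authenticates with X.509 certificates rather than Kerberos (this card). It is an added example, not from the original flashcards or from Microsoft documentation. The policy, filter list and rule names, the peer addresses 10.0.0.10 and 10.0.0.11 and the CA distinguished name are assumptions; it requires Windows Server 2003 and a machine certificate from that CA on both peers. Certificates are used here deliberately: IKE's Kerberos authentication needs a reachable domain controller, so a policy meant to protect traffic to the domain controllers themselves from the moment the IPSec driver loads cannot depend on Kerberos.

```batch
@echo off
rem Added example, not from the page: a persistent IPSec policy that protects traffic
rem to two peers (here, domain controllers at assumed addresses) from the moment the
rem IPSEC Services start, authenticating with certificates from an assumed CA.
rem Requires the Windows Server 2003 netsh ipsec context.

rem All static commands that follow write to the persistent store instead of the local store
netsh ipsec static set store location=persistent

netsh ipsec static add policy name="Boot: secure DC traffic" description="Applied before local or AD policy"

rem Filter list: me <-> each DC, all protocols, mirrored so both directions match
netsh ipsec static add filterlist name="DC traffic"
netsh ipsec static add filter filterlist="DC traffic" srcaddr=me dstaddr=10.0.0.10 protocol=any mirrored=yes description="DC1"
netsh ipsec static add filter filterlist="DC traffic" srcaddr=me dstaddr=10.0.0.11 protocol=any mirrored=yes description="DC2"

rem Filter action: negotiate ESP (confidentiality + integrity), no clear-text
rem fallback (soft=no) and no acceptance of unsecured inbound packets (inpass=no)
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem Rule: certificate authentication against the assumed root CA. certmap:no means
rem the certificate is not mapped to a domain account; excludecaname:no sends the
rem CA name in the IKE certificate request so the peer can pick the right certificate.
netsh ipsec static add rule name="Secure DC" policy="Boot: secure DC traffic" filterlist="DC traffic" filteraction="Require ESP" kerberos=no rootca="CN=Contoso Root CA,DC=contoso,DC=com certmap:no excludecaname:no"

netsh ipsec static set policy name="Boot: secure DC traffic" assign=yes

rem Before any policy is loaded at boot the driver permits everything by default;
rem stateful mode lets only replies to traffic the computer itself sent come in.
netsh ipsec dynamic set config bootmode value=stateful

rem Switch the store back so later commands do not land in the persistent store by accident
netsh ipsec static set store location=local

rem Verify: the persistent policy must appear here, and after a reboot in
rem "netsh ipsec dynamic show all" before the Active Directory policy arrives
netsh ipsec static set store location=persistent
netsh ipsec static show all
netsh ipsec static set store location=local
```

The same add filterlist / add filteraction / add rule sequence, with rootca instead of kerberos=yes and location=local instead of persistent, is how you would build the Contoso side of the Litware partnership policy; the only difference is which CA each side's rule names.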
Your corporate network contains 10 servers running Microsoft Windows Server 2003. Client computers run either Microsoft Windows XP Professional or Microsoft Windows NT 4. You applied the Secure Server (Require Security) IPSec policy to the OU that contains the servers, and you applied the Client (Respond Only) IPSec policy to the OU that contains the client computers. Some, but not all, users of client computers report that they can no longer access the network. What should you do to resolve this problem?

a. Upgrade the client computers running Windows NT 4 to run Windows XP Professional.
b. Apply the Server (Request Security) IPSec policy to the OU that contains the client computers.
c. Apply the Secure Server (Require Security) IPSec policy to the OU that contains the client computers.
d. Apply the Server (Request Security) IPSec policy to the OU that contains all of the network servers.
a. Upgrade the client computers running Windows NT 4 to run Windows XP Professional.

EXPLANATION: Windows NT 4 has no Internet Protocol Security (IPSec) implementation, so the policy assigned to the client OU has no effect on those computers and they cannot answer the servers' IKE requests. Because the servers run Secure Server (Require Security), they refuse unsecured traffic, and exactly the NT 4 users lose access while the Windows XP users, running Client (Respond Only), are unaffected. Changing the client policy (options b and c) cannot help a client with no IPSec; option d would restore access by letting the servers fall back to clear text, which defeats the requirement. Upgrading the NT 4 clients to Windows XP Professional gives them an IPSec implementation built on the same IETF standards as Windows 2000 and Windows Server 2003.
Which of the following is a command-line tool that is included in Microsoft Windows Server 2003 and can be used to monitor and manage IPSec?

a. Ping
b. Netsh
c. Oakley log
d. Event Viewer
b. Netsh

EXPLANATION: Netsh is the only command-line tool in the list that is IPSec-aware: its ipsec context manages stored policy (static mode) and inspects or changes the running configuration, security associations and statistics (dynamic mode). Ping can show whether traffic flows but knows nothing about IPSec; the Oakley log is a trace file, not a tool; Event Viewer is a graphical snap-in. (Discussion starts on page 203.)
You are the network administrator for a Microsoft Windows Server 2003 domain. You configured local security on all client and server computers with the Server (Request Security) policy. You later discover that all communication is unencrypted. What is the reason that encryption is not being used?

a. A security policy has been applied using Group Policy at the domain level that does not require the use of IPSec encryption.
b. Local security policies do not affect computers that are members of a domain.
c. The local security policies should have been configured to use the Client (Respond Only) default security policy.
d. Local security policies cannot require IPSec encryption.
a. A security policy has been applied using Group Policy at the domain level that does not require the use of IPSec encryption.

EXPLANATION: A computer can have only one Internet Protocol Security (IPSec) policy assigned at a time, and an Active Directory–based policy delivered through Group Policy replaces the local policy rather than merging with it. If a GPO at the domain level assigns a policy that does not require security (for example Client (Respond Only)), every domain member uses that policy and the locally configured Server (Request Security) policy is ignored, so all communication stays unencrypted. Local security policy does apply to domain members when no Active Directory–based policy is assigned (option b is wrong), and a local policy can require encryption (option d is wrong).
Which of the following best describes the function of IKE?

a. A standard that defines the mechanism for establishing SAs
b. A standard that defines the mechanism for logging on to the Internet
c. Public and private key exchange for EFS encryption
d. None of the above
a. A standard that defines the mechanism for establishing SAs

EXPLANATION: Internet Key Exchange (IKE) is a standard that provides a mechanism for establishing security associations (SAs) necessary for communications that use Internet Protocol Security (IPSec).