(Sample) MCSE 2003 IPSec Exam Questions and Answers
70-291 level questions
Q:
John is the administrator for a law firm. His network consists of five servers
running Microsoft Windows Server 2003, Standard Edition, and 150 computers running
Microsoft Windows XP Professional. His network uses public IP addresses in the
12.53.207.0/24 address range. Since security has become a concern, John set
all of his servers' IPSec policies to Secure Server, and set all of his computers'
IPSec policies to Client. He has been using Network Monitor to verify that all
traffic between the servers and the computers is encrypted. He has recently
observed that traffic to one of his servers is not being encrypted.
What is the first step that John should take to troubleshoot this issue?
Reapply the IPSec policy on the server.
Change the servers' IPSec authentication method to shared key.
Change the computers' IPSec policy to Secure Server.
In the IP Security Monitor, verify the Security Associations.
A:
Verifying the Security Associations should be done first. The first step in
troubleshooting is to discover what the problem is, and accessing the Security
Associations will allow John to determine if any of the traffic to the server
is being encrypted.
Q:
What is this? "...set all of his computers' IPSec policies to Client..."
A: N/A
Q:
Jim is the administrator for a medium-sized network consisting of 40 servers
running Microsoft Windows Server 2003, Standard Edition, and 2,000 computers
running Microsoft Windows XP Professional. The users on his network frequently
use the Internet for research, file downloads, and Internet e-mail.
Jim's network contains a single Active Directory domain that consists of seven
organizational units (OUs).
A recent security audit has recommended encrypting all internal network traffic.
Last night Jim implemented the Secure Server IPSec policy for the Domain Controllers
security policy, and the Secure Server IPSec policy through Group Policies for
each departmental OU. He implemented the Client IPSec policy for the Desktops
OU.
This morning none of the IT employees can access any resources on the Internet
from any of the servers or domain controllers.
What can Jim do to allow the required Internet access for the IT employees while
still encrypting internal communications?
Create a custom IPSec policy that requests IPSec for HTTP and FTP traffic.
Create a custom IPSec policy that requires IPSec for SMTP and FTP traffic, as
well as TCP ports 110 and 80.
Create a custom IPSec policy that requests IPSec for HTTP and FTP traffic, as
well as TCP ports 110 and 25, and requires IPSec for all other traffic.
Create a custom IPSec policy that exempts SMTP and FTP traffic, as well as TCP
ports 110 and 80 from using IPSec.
A:
The current issue is that the computers are required to use IPSec, which the
Internet servers are not configured to use. Since it would be impractical to
reconfigure all the servers on the Internet, you must allow the types of traffic
your users rely on to go without IPSec when they access Internet
resources. This issue would be resolved by an IPSec policy that requests
the use of IPSec for the traffic types specified: HTTP for browsing, FTP for
file downloads, and SMTP (TCP port 25) and POP3 (TCP port 110) for Web-based
e-mail. Because the policy continues to request IPSec for these traffic types,
internal use of them would still be encrypted.
The current policy already requires IPSec for these traffic types (SMTP, FTP,
and ports 110 and 80), as well as all others.
A policy that requests (error? should this say requires?) IPSec for HTTP and
FTP traffic would block access to Web-based e-mail.
Exempting these traffic types (SMTP and FTP traffic, as well as TCP ports 110
and 80) would allow access to Internet resources, but it would result in no
encryption when these traffic types are used with internal resources.
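The reasoning in the answer above can be checked with a small model of the three filter actions (permit, request, require). This is an added example, not part of the original questions: the option letters A to D follow the order the choices are listed in, port 21 stands for FTP and port 445 for "all other" internal traffic, and options that do not mention other traffic are assumed to keep the existing require-everything rule.

```python
# Added illustration: a simplified model of IPSec filter actions,
# not the Windows policy engine.
PERMIT, REQUEST, REQUIRE = "permit", "request", "require"
PORTS = {"HTTP": 80, "FTP": 21, "SMTP": 25, "POP3": 110}  # FTP control channel only
SMB = 445  # constructed stand-in for "all other" internal traffic

def outcome(action, peer_speaks_ipsec):
    """Result of one connection attempt under a filter action."""
    if action == PERMIT:
        return "cleartext"      # exempted: IPSec is never attempted
    if peer_speaks_ipsec:
        return "encrypted"      # request and require both negotiate successfully
    # Peer cannot negotiate: request falls back to cleartext, require drops it.
    return "cleartext" if action == REQUEST else "blocked"

def policy(rules, default=REQUIRE):
    """Build a port -> action lookup; ports without a rule get `default`."""
    return lambda port: rules.get(port, default)

def rules_for(action, *names):
    """Map each named protocol's port to the given filter action."""
    return {PORTS[n]: action for n in names}

# Assumption: options that do not mention other traffic keep the existing
# require-everything rule, as the explanation of each option implies.
OPTIONS = {
    "A": policy(rules_for(REQUEST, "HTTP", "FTP")),
    "B": policy(rules_for(REQUIRE, "HTTP", "FTP", "SMTP", "POP3")),
    "C": policy(rules_for(REQUEST, "HTTP", "FTP", "SMTP", "POP3")),
    "D": policy(rules_for(PERMIT, "HTTP", "FTP", "SMTP", "POP3")),
}

def evaluate(pol):
    """Return (internet_reachable, internal_all_encrypted) for one policy."""
    ports = list(PORTS.values())
    internet = all(outcome(pol(p), peer_speaks_ipsec=False) != "blocked"
                   for p in ports)
    internal = all(outcome(pol(p), peer_speaks_ipsec=True) == "encrypted"
                   for p in ports + [SMB])
    return internet, internal

def acceptable_options():
    """Options that keep Internet access and still encrypt internal traffic."""
    return [name for name, pol in OPTIONS.items() if evaluate(pol) == (True, True)]

if __name__ == "__main__":
    for name, pol in OPTIONS.items():
        print(name, evaluate(pol))
```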
Q:
Stan is the new network security administrator for a large network. He would
like to verify the IPSec settings on 30 servers running Microsoft Windows Server
2003, Enterprise Edition.
What tools can Stan use to view the IPSec settings? (Choose two.)
Netmon.exe
Gpedit.msc
Netsh.exe
Perfmon.exe
Ipsecmon.exe
A:
Both the Network Shell (netsh.exe) and the Group Policy Editor (gpedit.msc)
can be used to view and configure IPSec settings.
Network Monitor (Netmon.exe) can be used to view the results of the IPSec settings
and the encrypted packets, but it does not display any configuration information.
The legacy IP Security Monitor (ipsecmon.exe) does not display a computer's
IPSec configuration. It monitors the IPSec key exchanges and displays the
results.
Performance Monitor (perfmon.exe) does not display a computer's IPSec configuration;
it monitors the computer's internal processes and services.
Q:
Joe is the administrator for an architectural firm. His network consists of
seven servers running Microsoft Windows Server 2003, Enterprise Edition, and
250 computers running Microsoft Windows XP Professional. Since security has
become a concern, Joe has set all of his servers' IPSec policies to Server, and
set all of his computers' IPSec policies to Client. He has been using Network
Monitor to verify that all traffic between the servers and the computers is
encrypted. He has recently observed that HTTP traffic to one of his servers is not
being encrypted. He has opened the IP Security Monitor and verified that numerous
security associations have been established.
What is the most likely cause of this unencrypted traffic?
There are mismatched authentication settings.
The computers are not part of the Kerberos realm.
The IPSec filter is misconfigured.
The server is not part of the Kerberos realm.
A:
Since the unencrypted traffic is limited to a single protocol, the most likely
cause is a misconfigured IPSec filter. IPSec filters are used to exclude specific
protocols from IPSec encryption.
If the authentication settings were not configured properly, no encryption would
be taking place.
If the server was not part of the Kerberos realm (Active Directory forest) and
the authentication was set to Kerberos, either no encryption would be taking
place or everything would be encrypted (if certificates or shared keys were
being used for authentication).
If the computers were not part of the Kerberos realm (Active Directory forest)
and the authentication was set to Kerberos, either no encryption would be taking
place or everything would be encrypted (if certificates or shared keys were
being used for authentication).
70-293 level questions
Q:
Master Key Perfect Forward Secrecy (PFS)
A:
When you enable the Master Key Perfect Forward Secrecy (PFS) option in the properties
of the IPSec Policy, a new session key will be generated for each new session,
resulting in a higher level of security.
Because of the extra processing required to generate new keys, the key generation
process runs slower and limits performance.
Q:
You have the client administration tools installed on your workstation running
Windows XP Professional so that you can manage the servers from your desktop.
You are concerned with the security of the data being sent only between your
computer and the servers.
What can you do to ensure the data is transmitted securely?
Implement a Group Policy that assigns the Secure Server IPSec Policy on the
OU that contains the servers. Assign a local Secure Server IPSec Policy on your
workstation.
Implement a Group Policy that assigns the Server IPSec Policy on the OU that
contains the servers. Assign a local Client IPSec policy on your workstation.
Implement a Group Policy that assigns the Secure Server IPSec Policy on the
OU that contains the servers. Add your workstation to that OU.
A:
The Server IPSec Policy forces the servers to request security. If the client
cannot use IPSec, the data is transferred unencrypted. By implementing the Server
IPSec Policy on the OU where the servers are, they will request the use of IPSec
for all transmissions. Since the client computers are not configured for IPSec,
they will not encrypt data and the servers will allow unencrypted sessions.
By implementing a local Client IPSec Policy on your workstation, when the servers
request encryption, you will respond and encrypt data.
The Secure Server IPSec Policy forces encryption and will not transfer data if encryption cannot be used. Assigning this policy to the servers would prevent all of the client computers except your workstation from connecting.