
Objective 3.1. Answers

A1: Correct Answers: C and D
  1. Incorrect: Although the documents are encrypted by means of EFS, when transmitted over the network they are decrypted by the sender. If the document is copied to an NTFS drive, it will be re-encrypted by the receiver. If it is copied to a file allocation table (FAT) drive it will not be re-encrypted. The important thing to note is that the document is unencrypted and vulnerable to interception while it is in transit.

  2. Incorrect: This policy only encrypts traffic if the partner that the system is communicating with requests it. If no request is made, the documents will pass across the network unencrypted. If all computers are configured with this policy, none will request encrypted transmission.

  3. Correct: Under this scheme, when transmission begins, a computer will request that IPSec be used. If the partner supports IPSec, encrypted transmission will commence; otherwise unsecured IP communication will occur. Because all computers in the organization will be configured with this policy, all will be able to service a request for IPSec communication. Portable computers running Windows XP can be assigned a server IPSec policy.

  4. Correct: This policy is the best option because transmission will not occur until security is negotiated.

A2: Correct Answers: D
  1. Incorrect: Documents encrypted by EFS do not remain encrypted as they pass across the network, unless IPSec is used.

  2. Incorrect: When all clients are configured with the Client (Respond Only) IPSec policy, there will be no encrypted transmissions across the network. This is because encrypted transmissions will only occur if they are specifically requested, and the Client (Respond Only) IPSec policy does not do this.

  3. Incorrect: Although this will ensure that the communication between the 50 users and the server is encrypted by IPSec, when documents are sent between their workstations they will be unencrypted because no security will be negotiated. Furthermore, the 20 users who are connecting to the third computer running Windows Server 2003, but who are not members of the group of 50, will be unable to communicate with that server because their systems are not configured to negotiate IPSec communications.

  4. Correct: If Rooslan implements this plan, it will meet the goals outlined by Alex. The Server (Request Security) policy requests IPSec communication. If the partner supports IPSec, communication occurs by means of IPSec; if the partner does not support IPSec, communication occurs by means of an unsecured method. If all of the computers in question have this policy applied, communication between them will be encrypted. Communication with computers outside this group of 51 (one server, 50 workstations) will be insecure—which is what was stated in Alex's plan.

  5. Incorrect: Windows 2000 Professional supports IPSec, as do Windows 2000 Server, Windows XP Professional, and Windows Server 2003.

A3: Correct Answers: A
  1. Correct: Policies applied at the OU level override those applied at the domain level; hence, the three servers in the SecureServer OU will retain the Secure Server (Require Security) IPSec policy. All other computers in the domain will have the Client (Respond Only) policy. The impact of this will be that all communication between the three computers running Windows Server 2003 and the computers in the rest of the domain will be encrypted. This meets the conditions of the primary goal and both secondary goals.

  2. Incorrect: Policies applied at the OU level override those applied at the domain level; hence, the three servers in the SecureServer OU will retain the Secure Server (Require Security) IPSec policy. All other computers in the domain will have the Client (Respond Only) policy. The impact of this will be that all communication between the three computers running Windows Server 2003 and the computers in the rest of the domain will be encrypted. This meets the conditions of the primary goal and both secondary goals.

  3. Incorrect: Policies applied at the OU level override those applied at the domain level; hence, the three servers in the SecureServer OU will retain the Secure Server (Require Security) IPSec policy. All other computers in the domain will have the Client (Respond Only) policy. The impact of this will be that all communication between the three computers running Windows Server 2003 and the computers in the rest of the domain will be encrypted. This meets the conditions of the primary goal and both secondary goals.

  4. Incorrect: Policies applied at the OU level override those applied at the domain level; hence, the three servers in the SecureServer OU will retain the Secure Server (Require Security) IPSec policy. All other computers in the domain will have the Client (Respond Only) policy. The impact of this will be that all communication between the three computers running Windows Server 2003 and the computers in the rest of the domain will be encrypted. This meets the conditions of the primary goal and both secondary goals.

  5. Incorrect: Policies applied at the OU level override those applied at the domain level; hence, the three servers in the SecureServer OU will retain the Secure Server (Require Security) IPSec policy. All other computers in the domain will have the Client (Respond Only) policy. The impact of this will be that all communication between the three computers running Windows Server 2003 and the computers in the rest of the domain will be encrypted. This meets the conditions of the primary goal and both secondary goals.

A4: Correct Answers: E
  1. Incorrect: This will not meet the objectives outlined in the question. This will not force IPSec communication, nor will that communication be authenticated by digital certificate.

  2. Incorrect: This will not meet the objectives outlined in the question. This will not force IPSec communication, nor will that communication be authenticated by digital certificate.

  3. Incorrect: This will not meet the objective in the question that communication must be authenticated by digital certificate.

  4. Incorrect: This particular custom IPSec policy uses Kerberos, rather than a specific digital certificate, as an authentication method.

  5. Correct: Although a more specific custom IPSec policy can be created using the actual ports used by the FTP protocol, this particular policy will meet the goals outlined in the question statement.

A5: Correct Answers: A and C
  1. Correct: If you use this policy, when transmissions are made to other hosts that use this policy, they will be encrypted. When transmissions are made to other hosts that do not use this policy, they will be unencrypted.

  2. Incorrect: If you perform this action, the workstations running Windows XP Professional will not be able to communicate with the workstations running Windows 2000 Professional in an insecure manner, which is one of your stated goals.

  3. Correct: With this policy applied, communication between the set of 10 computers running Windows Server 2003 and the computers running Windows XP Professional (assuming they have the policy applied as described in answer A) will be encrypted. Communication with the computers running Windows 2000 Professional will remain unencrypted.

  4. Incorrect: If this action were taken, the computers running Windows 2000 Professional would not be able to communicate with the Windows Server 2003 computers unless IPSec was used.

  5. Incorrect: Performing this action would force all computers within the organization to send encrypted transmissions. While this is fine for the computers running Windows XP, the question specified that the computers running Windows 2000 Professional should not be using encrypted transmissions.

A6: Correct Answers: D
  1. Incorrect: Computers running Windows NT Server 4.0 and Windows NT Workstation 4.0 cannot communicate with the version of IPSec that ships with Windows 2000, Windows XP, and Windows Server 2003. This means that any transmissions from computers running Windows NT Server 4.0 at Site C to any other computer on the Litware, Inc., network will be insecure. This means that the primary goal will not be accomplished, and neither will the second secondary goal. The first secondary goal does not involve any computers running Windows NT 4.0, and hence can be achieved.

  2. Incorrect: Computers running Windows NT Server 4.0 and Windows NT Workstation 4.0 cannot communicate with the version of IPSec that ships with Windows 2000, Windows XP, and Windows Server 2003. This means that any transmissions from computers running Windows NT Server 4.0 at Site C to any other computer on the Litware, Inc., network will be insecure. This means that the primary goal will not be accomplished, and neither will the second secondary goal. The first secondary goal does not involve any computers running Windows NT 4.0, and hence can be achieved.

  3. Incorrect: Computers running Windows NT Server 4.0 and Windows NT Workstation 4.0 cannot communicate with the version of IPSec that ships with Windows 2000, Windows XP, and Windows Server 2003. This means that any transmissions from computers running Windows NT Server 4.0 at Site C to any other computer on the Litware, Inc., network will be insecure. This means that the primary goal will not be accomplished, and neither will the second secondary goal. The first secondary goal does not involve any computers running Windows NT 4.0, and hence can be achieved.

  4. Correct: Computers running Windows NT Server 4.0 and Windows NT Workstation 4.0 cannot communicate with the version of IPSec that ships with Windows 2000, Windows XP, and Windows Server 2003. This means that any transmissions from computers running Windows NT Server 4.0 at Site C to any other computer on the Litware, Inc., network will be insecure. This means that the primary goal will not be accomplished, and neither will the second secondary goal. The first secondary goal does not involve any computers running Windows NT 4.0, and hence can be achieved.

  5. Incorrect: Computers running Windows NT Server 4.0 and Windows NT Workstation 4.0 cannot communicate with the version of IPSec that ships with Windows 2000, Windows XP, and Windows Server 2003. This means that any transmissions from computers running Windows NT Server 4.0 at Site C to any other computer on the Litware, Inc., network will be insecure. This means that the primary goal will not be accomplished, and neither will the second secondary goal. The first secondary goal does not involve any computers running Windows NT 4.0, and hence can be achieved.

A7: Correct Answers: E
  1. Incorrect: This will not work for two reasons. The first reason is that this policy only encrypts IPSec transmissions when a request is made. If all computers have this policy applied, no request will be made. The second reason this will not work is that computers running Windows NT Workstation 4.0 cannot use IPSec without resorting to a non-Microsoft IPSec solution.

  2. Incorrect: Computers running Windows NT Workstation 4.0 cannot use IPSec without resorting to a non-Microsoft IPSec solution. Although the computers running Windows XP and Windows Server 2003 will use IPSec, all transmissions to and from the computers running Windows NT Workstation 4.0 will be insecure.

  3. Incorrect: Computers running Windows NT Workstation 4.0 cannot use IPSec without resorting to a non-Microsoft IPSec solution. Although the computers running Windows XP and Windows Server 2003 will use IPSec, no transmission will be able to be made from these computers to the computers running Windows NT Workstation 4.0.

  4. Incorrect: The local policy will be overridden by the site policy, so the policy on all computers throughout the domain will be Client (Respond Only). The Client (Respond Only) will only encrypt traffic if requested. If all computers have this policy, none will request IPSec transmissions.

  5. Correct: Only Windows 2000, Windows XP, and Windows Server 2003 natively support IPSec. Windows NT Workstation 4.0 and Windows NT Server 4.0 do not support IPSec. The Secure Server (Require Security) policy will ensure that all transmissions that occur within the domain will be encrypted.
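
The answers above keep applying the same reasoning: which side asks for IPSec, whether it will fall back to cleartext, and whether the peer can respond at all. The following is an added example, not from the book, that encodes that reasoning as a simplified model and audits every host pair in a small fleet; the host names and fleet are constructed, and the model covers only the three default policies as these answers describe them.

```python
from itertools import combinations

# Each default policy as the answers describe it (simplified model):
# (asks the peer for IPSec, refuses to fall back to cleartext)
POLICIES = {
    "Client (Respond Only)":            (False, False),
    "Server (Request Security)":        (True,  False),
    "Secure Server (Require Security)": (True,  True),
}
# Per the answers, these support IPSec natively; Windows NT 4.0 does not.
IPSEC_CAPABLE_OS = {"Windows 2000", "Windows XP", "Windows Server 2003"}

def can_respond(host):
    """A host can negotiate only if its OS supports IPSec and a policy is assigned."""
    return host["os"] in IPSEC_CAPABLE_OS and host["policy"] in POLICIES

def flags(host):
    """(requests, requires) for a host; a host that cannot negotiate does neither."""
    return POLICIES[host["policy"]] if can_respond(host) else (False, False)

def outcome(a, b):
    """Result of traffic between two hosts: encrypted, cleartext or blocked."""
    a_req, a_must = flags(a)
    b_req, b_must = flags(b)
    if (a_req or b_req) and can_respond(a) and can_respond(b):
        return "encrypted"   # someone asked and both sides could negotiate
    if a_must or b_must:
        return "blocked"     # a Require Security side will not fall back
    return "cleartext"       # nobody asked, or the request fell back

def audit(hosts):
    """Map every unordered host pair to its outcome."""
    return {(a["name"], b["name"]): outcome(a, b)
            for a, b in combinations(hosts, 2)}

# Constructed sample fleet (hypothetical names).
FLEET = [
    {"name": "srv01", "os": "Windows Server 2003",
     "policy": "Secure Server (Require Security)"},
    {"name": "xp01", "os": "Windows XP", "policy": "Client (Respond Only)"},
    {"name": "xp02", "os": "Windows XP", "policy": "Client (Respond Only)"},
    {"name": "nt01", "os": "Windows NT 4.0", "policy": None},
]

if __name__ == "__main__":
    for pair, result in audit(FLEET).items():
        print(f"{pair[0]} <-> {pair[1]}: {result}")
```

Pairs reported as cleartext are the ones an auditor should check against the stated goal: two Client (Respond Only) hosts never encrypt between themselves, which is the trap in several of the questions.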


  
