
Microsoft Press MCSA/MCSE Self-Paced Training Kit (Exam 70-293), part 10 (potx)


DOCUMENT INFORMATION

Basic information

Format
Pages: 102
Size: 425.13 KB

Contents

18-28 Chapter 18 Planning and Maintaining Network Security (5.0)

3. Correct Answers: B and C

A. Incorrect: The Remote Desktop Connection program is a client that enables a computer running an earlier version of the Windows operating system to manage a computer running Windows XP or Windows Server 2003.
B. Correct: Windows 2000 Professional does not include support for Remote Desktop. Therefore, you must install the Remote Desktop Connection client supplied with Windows XP and Windows Server 2003.
C. Correct: When a user is not a member of the Administrators group on a computer to be managed with Remote Desktop, the user must be a member of the Remote Desktop Users local group on the computer.
D. Incorrect: Remote Assistance is a separate feature that is not associated with and not required to use Remote Desktop.

4. Correct Answers: B and D

A. Incorrect: Windows XP Home Edition includes the Remote Assistance client.
B. Correct: Windows 2000 Server does not include support for Remote Assistance.
C. Incorrect: Windows XP Professional includes the Remote Assistance client.
D. Correct: Windows 2000 Professional does not include support for Remote Assistance.
E. Incorrect: Windows Server 2003 includes the Remote Assistance client.

Objective 5.5 Plan Security for Wireless Networks

Wireless networking has existed for many years, but it is only recently, with the publication of the 802.11 series of standards by the Institute of Electrical and Electronics Engineers (IEEE), that wireless local area networking (WLAN) technologies have become mainstream products. The 802.11b standard defines a WLAN technology running at speeds up to 11 megabits per second (Mbps). This is the first affordable wireless standard that provides performance comparable to that of a cabled LAN. The 802.11a and 802.11g standards promise to provide wireless networking at even greater speeds, up to 54 Mbps.

WLANs can use two topologies: ad hoc and infrastructure. An ad hoc topology consists of two or more computers equipped with wireless network interface adapters that communicate directly with each other. An infrastructure topology consists of wireless computers that communicate with an access point, which provides a connection to a standard cabled network. An access point is a WLAN transceiver that is also attached to the cabled network, using a standard Ethernet (or other data-link layer protocol) connection. Wireless systems in an infrastructure topology can communicate with each other, but they do so through the access point; they cannot communicate directly.

Because WLAN network interface adapters and access points transmit their network packets using radio signals, they present a significant natural security risk. WLAN signals are omnidirectional, extending to the specified range of the equipment. Any compatible device within transmission range can therefore transmit and receive the WLAN signals, enabling an unauthorized user to connect to the network or capture the packets transmitted by other users, compromising the data inside. Depending on the range of your equipment and where you locate your access points, unauthorized users might even be able to access your WLAN from outside the building, unless you take steps to protect the network.

To provide security for a wireless network, you must first create an environment in which users are authenticated and authorized before they are able to send data to and receive it from an access point. Authentication and authorization prevent unknown users from connecting to the wireless network, but they do not prevent eavesdroppers from capturing the data packets transmitted by wireless systems. To do this, you must configure the wireless devices to encrypt all the data they transmit. The most commonly used security mechanisms on WLANs are the following:

■ IEEE 802.11 authentication—The 802.11 standard defines two types of authentication. Open System authentication is not really an authentication at all, but rather an exchange of messages between a wireless client and an access point that specifies the identity of the user. In Shared Key authentication, a wireless client verifies its identity to an access point by demonstrating its knowledge of a secret key that the access point shared with the client earlier using a secure channel. Shared Key authentication is not a particularly secure system, because the access point shares the same key with all the wireless clients.
■ IEEE 802.1X authentication—For authentication and authorization, Windows Server 2003 and Windows XP Service Pack 1 include a wireless client that is compliant with the IEEE 802.1X standard. IEEE 802.1X provides support for centralized user identification using a Remote Authentication Dial-In User Service (RADIUS) server, such as the Internet Authentication Service (IAS) included with Windows Server 2003. With this combination in place, the access points send the connection requests they receive from wireless clients to the RADIUS server, which authenticates them using an authentication protocol such as Extensible Authentication Protocol-Transport Level Security (EAP-TLS) or Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), both of which are supported by IAS. The RADIUS server then uses remote access policies to authorize the authenticated clients. To use 802.1X on a network running the Windows operating system and using an infrastructure topology, your access points must support 802.1X and RADIUS authentication.
■ Wired Equivalent Privacy (WEP) encryption—Included in the 802.11 standard, WEP encrypts the data transmitted on a wireless network using an encryption key that is either 40 or 104 bits long and an algorithm called RC4. When the authentication that precedes the encryption process uses EAP-TLS or PEAP-MS-CHAP v2, WEP is provided with strong cryptographic keys for each communications session, EAP-TLS using smart cards or digital certificates, and PEAP-MS-CHAP v2 using passwords only.
■ Wireless Network (IEEE 802.11) Policies—The Group Policy Object Editor console contains a subheading where you can create a policy that enables you to limit a computer's wireless networking capabilities. You can restrict computers to infrastructure or ad hoc networks, and also specify the networks to which the computer can connect.

Objective 5.5 Questions

1. Which of the following protocol standards defines the mechanism that Windows XP and Windows Server 2003 use to authenticate and authorize wireless network clients?
A. IEEE 802.11a
B. IEEE 802.11b
C. IEEE 802.1X
D. WEP

2. You are adding wireless network clients to your Ethernet network, in the form of laptop computers that will be deployed to the sales staff. To secure the wireless connections, you intend to use 802.1X and WEP. The laptops are also equipped with card readers, and you plan to issue smart cards to the salespeople. Which of the following authentication protocols must you use to support this security solution?
A. PEAP-MS-CHAP v2
B. RADIUS
C. RC4
D. EAP-TLS

3. You are a network consultant who has been called in to troubleshoot a wireless networking problem. The company has a large wireless presence, with multiple access points scattered throughout a building. The access points are located so as to provide an unbroken field of coverage throughout the building, but in practice this has proven not to be so. When a wireless computer moves out of the transmission range of its native access point, it moves into the range of another access point, but it cannot connect. No matter which access point the computer starts at, it cannot connect to any of the other access points on the network. Which of the following reasons could possibly explain why this is happening? (Choose all that apply.)
A. The wireless devices are configured to use Shared Key authentication.
B. The construction of the building is inhibiting the wireless transmissions.
C. The Wireless Network (IEEE 802.11) policy does not have the correct entries in the Preferred Networks list.
D. The wireless devices are configured to use certificates for authentication, and the certificates are configured incorrectly.

4. You have recently installed a WLAN access point on your network and equipped a number of laptop computers with wireless network interface adapters. You want all the wireless clients to be able to connect only to the access point, but not directly to each other, so that your security infrastructure will remain in effect. Which of the following steps can you use to limit the clients' connectivity in this way?
A. Configure the wireless devices to use IEEE 802.1X and authenticate using the EAP-TLS protocol with smart cards.
B. Configure the wireless devices to use Open System authentication.
C. Create a Wireless Network (IEEE 802.11) policy, configure it to allow ad hoc networking only, and apply it to the computers.
D. Create a Wireless Network (IEEE 802.11) policy, configure it to allow infrastructure networking only, and apply it to the computers.

Objective 5.5 Answers

1. Correct Answers: C

A. Incorrect: The IEEE 802.11a standard defines a physical layer implementation that transmits signals at 5 gigahertz (GHz) and sends data at up to 54 Mbps using Orthogonal Frequency Division Multiplexing (OFDM). IEEE 802.11a is not used to authenticate and authorize wireless clients.
B. Incorrect: The IEEE 802.11b standard defines a physical layer implementation that transmits signals at 2.4 GHz and sends data at up to 11 Mbps using direct sequence spread spectrum modulation. IEEE 802.11b is not used to authenticate and authorize wireless clients.
C. Correct: IEEE 802.1X is a standard for authentication for wired Ethernet networks and wireless 802.11 networks. Windows XP and Windows Server 2003 can use IEEE 802.1X in conjunction with a RADIUS server to authenticate wireless clients using any one of several authentication protocols, including EAP-TLS and PEAP-MS-CHAP v2.
D. Incorrect: Wired Equivalent Privacy (WEP), part of the IEEE 802.11 standard, defines the encryption that WLAN systems use to secure their transmissions. WEP is not used for authentication and authorization.

2. Correct Answers: D

A. Incorrect: Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) is an authentication protocol for wireless networks that do not have access to a public key infrastructure (PKI). Without a PKI, the network cannot use certificates, and without certificates, the network cannot use smart cards for authentication.
B. Incorrect: Remote Authentication Dial-In User Service (RADIUS) is not an authentication protocol; it is a service that provides centralized authentication for other servers on the network, using any one of several authentication protocols.
C. Incorrect: RC4 is not an authentication protocol; it is an encryption algorithm that wireless systems use as part of their WEP implementations.
D. Correct: Extensible Authentication Protocol-Transport Level Security (EAP-TLS) is the only authentication protocol supported by Windows Server 2003 that enables users to authenticate with smart cards.

3. Correct Answers: A and C

A. Correct: When you use Shared Key authentication, each client's network key is unique to its initial access point. Connecting to other access points requires a different key, which is one possible explanation for the clients' failure to connect to multiple access points.
B. Incorrect: Environmental factors, including the construction of the building, can affect wireless transmission ranges, but the effect would not be as consistent as it is in this case. The fact that each computer can successfully connect to its initial access point, but not to any other access points, indicates that the source of the problem lies elsewhere.
C. Correct: If the network administrator has created a Wireless Network (IEEE 802.11) policy that specifies only the native access point in the Preferred Networks list, the clients cannot connect to the other networks using different access points.
D. Incorrect: If the certificates were configured incorrectly, the computers would not be able to authenticate themselves to any wireless network.

4. Correct Answers: D

A. Incorrect: The authentication mechanism you use does not affect which topology the computers are able to use. In this case, the client must use a smart card for authentication to the infrastructure network, but it can still connect to the other wireless computers on an ad hoc basis.
B. Incorrect: The authentication mechanism you use does not affect which topology the computers are able to use. Despite the use of Open System authentication, the client can still connect to the other wireless computers on an ad hoc basis.
C. Incorrect: An ad hoc network is one in which wireless computers communicate directly with each other, which is precisely what you are trying to avoid in this case.
D. Correct: When you create a Wireless Network (IEEE 802.11) policy, you can limit the computers receiving the policy to ad hoc or infrastructure networking. By limiting the computers to infrastructure networking, you prevent them from communicating directly with each other.

Objective 5.6 Plan Security for Data Transmission

Windows Server 2003 and Windows XP Professional include three default IPSec policies, which are as follows:

■ Client (Respond Only)—Configures the computer to use IPSec only when another computer requests its use. The computer using this policy never initiates an IPSec negotiation; it only responds to requests from other computers for secured communications.
■ Secure Server (Require Security)—Configures the computer to require IPSec security for all communications. If the computer attempts to communicate with another computer and discovers that the second computer does not support IPSec, the computer terminates the connection.
■ Server (Request Security)—Configures the computer to request the use of IPSec when communicating with another computer. If the other computer supports IPSec, the IPSec negotiation begins. If the other computer does not support IPSec, the systems establish a standard, unsecured IP connection.

The default IPSec policies included with Windows Server 2003 define security specifications for client and server roles that might not be appropriate for your network installation. Even if a computer is not running a server operating system, it may actually be functioning as a server. The Client (Respond Only) IPSec policy enables computers to use IPSec in response to another computer that requests it, but they cannot initiate IPSec communications themselves.
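To make the interaction of the three default policies concrete, here is an added Python model (not code from the training kit or from Microsoft) that computes the outcome of a connection between two hosts from the policies assigned to them, following the rules stated above. It assumes that a host with no IPSec policy assigned cannot negotiate at all, and that a host holding a requesting policy starts the negotiation regardless of which side sent the first packet; the host names and the small sample network are constructed for the example.

```python
"""Model of how the default Windows Server 2003 / Windows XP IPSec policies
interact. Constructed example: it reduces IKE negotiation to three outcomes
and is not Microsoft's code."""
from enum import Enum
from itertools import combinations_with_replacement


class Policy(Enum):
    NONE = "no IPSec policy assigned (assumed: cannot negotiate)"
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"


SECURED = "secured"        # IPSec negotiated, traffic protected
UNSECURED = "unsecured"    # plain IP connection established
TERMINATED = "terminated"  # Require Security peer drops the connection

# Policies that ask the peer for IPSec; Client (Respond Only) never does.
REQUESTING = {Policy.SERVER, Policy.SECURE_SERVER}
# Policies that can answer an IPSec request (all three default policies).
NEGOTIATING = {Policy.CLIENT, Policy.SERVER, Policy.SECURE_SERVER}


def negotiate(a: Policy, b: Policy) -> str:
    """Outcome of a connection between hosts with policies a and b.

    Assumption of the model: whichever side holds a requesting policy starts
    the negotiation, so the result does not depend on who sends first.
    """
    requesting = [p for p in (a, b) if p in REQUESTING]
    if not requesting:
        # Two responders (or hosts without a policy) never start IPSec.
        return UNSECURED
    if a in NEGOTIATING and b in NEGOTIATING:
        # The responding side answers the request: IPSec is established.
        return SECURED
    if Policy.SECURE_SERVER in requesting:
        # Require Security meets a peer that cannot negotiate: connection dropped.
        return TERMINATED
    # Request Security falls back to a standard, unsecured IP connection.
    return UNSECURED


def outcome_matrix() -> dict:
    """Outcome for every unordered pair of policies (10 combinations)."""
    return {(a, b): negotiate(a, b)
            for a, b in combinations_with_replacement(list(Policy), 2)}


def audit(hosts: dict, flows: list) -> list:
    """List the (src, dst, outcome) flows that would not be protected by IPSec."""
    findings = []
    for src, dst in flows:
        outcome = negotiate(hosts[src], hosts[dst])
        if outcome != SECURED:
            findings.append((src, dst, outcome))
    return findings


# Constructed network modelled on the question 1 scenario: servers with
# Secure Server (Require Security), workstations with Client (Respond Only).
QUESTION_1_HOSTS = {
    "FILESRV1": Policy.SECURE_SERVER,
    "WS-SALES1": Policy.CLIENT,
    "WS-SALES2": Policy.CLIENT,
}
QUESTION_1_FLOWS = [
    ("WS-SALES1", "FILESRV1"),   # workstation to server
    ("WS-SALES2", "FILESRV1"),   # workstation to server
    ("WS-SALES1", "WS-SALES2"),  # direct workstation-to-workstation file sharing
]


def question_1_findings() -> list:
    """Flows in the question 1 scenario that cross the network unprotected."""
    return audit(QUESTION_1_HOSTS, QUESTION_1_FLOWS)


if __name__ == "__main__":
    for (a, b), result in outcome_matrix().items():
        print(f"{a.name:14} <-> {b.name:14}: {result}")
    print("Unprotected flows in the question 1 scenario:", question_1_findings())
```

Running the block prints the full outcome matrix and then the flows in the question 1 scenario that would travel unprotected; the workstation-to-workstation flow is the only one, because neither Client (Respond Only) host ever initiates a negotiation, which is exactly what the protocol analyzer in the question observes.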
When implementing IPSec on your network, you must first examine the traffic patterns and the roles of your computers to determine which computers communicate with each other and for what reasons. Then, you either assign the default IPSec policies based on this communications analysis or create IPSec policies that are better suited to your network's security requirements.

Objective 5.6 Questions

1. You are a network administrator who has recently implemented IPSec on your network, which consists of servers running Windows Server 2003 and client workstations running Windows XP Professional. You have created separate organizational units in Active Directory for the servers and the workstations, and assigned the Secure Server (Require Security) IPSec policy to the Servers organizational unit and the Client (Respond Only) policy to the Workstations organizational unit. On examining the network traffic with a protocol analyzer, you notice that the users on some workstations are sharing files with each other directly, without first copying the files to a server, and that none of this traffic is being protected by IPSec. Which of the following steps can you take to secure the communications between the clients, as well as the communications between clients and servers? (Choose all that apply.)
A. Configure the Workstations organizational unit to use the Secure Server (Require Security) IPSec policy instead of the Client (Respond Only) policy.
B. Modify the default response rule in the Client (Respond Only) IPSec policy to include the IP addresses of the workstations.
C. Modify the filter list in the Secure Server (Require Security) IPSec policy to include the IP addresses of the workstations.
D. Move the computer objects from the Workstations organizational unit to the Servers organizational unit.

2. Which of the following types of traffic is not secured by the default Secure Server (Require Security) IPSec policy?
A. TCP
B. UDP
C. ICMP
D. IP

3. You are the administrator of a network that has a number of servers running Windows Server 2003 that host a variety of data file types, some of which contain classified information needed by specific company officers and many of which do not. You have already stored the classified documents in directories that are protected using the Encrypting File System, but you also want to ensure their protection when they are transmitted over the network. You have decided to implement IPSec on the network for this purpose, but your testing has determined that encrypting all the network traffic causes a severe degradation in server performance, and there is no money in the budget for server upgrades at this time. Which of the following IPSec solutions will enable you to protect the sensitive files without encrypting all your network traffic?
A. Configure the servers to use the Secure Server (Require Security) IPSec policy, the company officers' computers to use the Server (Request Security) policy, and the other users' computers to use the Client (Respond Only) policy.
B. Configure the servers to use the Server (Request Security) IPSec policy and the company officers' computers to use the Secure Server (Require Security) policy.
C. Configure the servers to use the Secure Server (Require Security) IPSec policy and the company officers' computers to use the Client (Respond Only) policy.
D. Configure the servers and the company officers' computers to use the Client (Respond Only) IPSec policy.

[...]

[...] include Microsoft Baseline Security Analyzer and Microsoft Software Update Services
❑ Practice 1: Download the Microsoft Baseline Security Analyzer tool from the Microsoft Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp and use it to examine the security configuration of your computer
❑ Practice 2: Examine the materials provided on the Microsoft [...]

[...] Maintaining Security Infrastructure objective domain on the 70-293 exam include:
■ Configure Active Directory directory service for certificate publication
❑ Practice 1: Install Certificate Services on a computer running Windows Server 2003 and create an enterprise root certificate authority (CA)
❑ Practice 2: Use the Certificates snap-in for Microsoft Management Console (MMC) to request certificates [...]

[...] using auto-enrollment, you cannot create an enterprise subordinate CA without having an enterprise root CA first.
C. Incorrect: Stand-alone CAs do not support auto-enrollment and are not capable of issuing smart card logon certificates.
D. Incorrect: In addition to not supporting auto-enrollment or the required certificate types, a stand-alone subordinate CA cannot be created until a stand-alone root [...]

[...] certificate?
A. Open the Certificates snap-in in Microsoft Management Console and request a certificate from the CA.
B. Display the Command Prompt window and use the Certutil.exe program to request a certificate from the CA.
C. Open the Certificate Templates snap-in in Microsoft Management Console, select the Basic EFS template, and request a certificate.
D. Open Microsoft Internet Explorer, connect to the [...]

[...] Services home page (http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp) and make a list of the tasks that Software Update Services (SUS) can perform, which network administrators would otherwise have to perform manually.

Further Reading

This section lists supplemental readings by objective. We recommend that you study these sources thoroughly before taking exam 70-293.

Objective 6.1 Review [...]

[...] Infrastructure." This article is available on Microsoft's Web site at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/deployguide/adsec/part2/rkddspki.asp

Chapter 19 Planning, Implementing, and Maintaining Security Infrastructure (6.0)

Objective 6.3 Review Lesson 2 in Chapter 8, "Planning a Secure Baseline Installation." Microsoft Corporation. Securing Windows 2000 Server [...]

[...] Although written for the Microsoft Windows 2000 Server operating systems, this article discusses many concepts that are equally applicable to Windows Server 2003. This content is available on Microsoft's Web site at http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/02defsls.asp

Objective 6.4 Review Lesson 1 in Chapter 13, "Designing a Security Infrastructure." Microsoft Corporation [...]

[...] Objective 5.7 Troubleshoot Security for Data Transmission

Objective 5.7 Answers

1. Correct Answers: A and C

A. Correct: The Security Configuration And Analysis snap-in can compare a computer's current security policy settings with those in a specified security template and display the differences between them.
B. Incorrect: Microsoft Baseline Security Analyzer examines a computer for common security lapses, [...]

[...] types should you use?
A. Enterprise root
B. Enterprise subordinate
C. Stand-alone root
D. Stand-alone subordinate

Objective 6.1 Configure Active Directory Directory Service for Certificate Publication

Objective 6.1 Answers

1. Correct Answers: A and C

A. Correct: Enterprise CAs are intended for internal users on Active Directory networks. Because an enterprise CA stores certificates in the Active Directory [...]

[...] "Creating and Managing Digital Certificates." Microsoft Corporation. "PKI Enhancements in Windows XP Professional and Windows Server 2003." This article is available on Microsoft's Web site at http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp

Objective 6.2 Review Lessons 1, 2, and 3 in Chapter 11, "Creating and Managing Digital Certificates." Microsoft Corporation. "Designing a Public [...]

Posted: 09/08/2014, 07:21
