70-214 Implementing and Administering Security in a Microsoft Windows 2000 Network Practice Exam

Demo Question 1.

You are the network administrator for EliteCertify. The network consists of a Windows 2000 Active Directory domain. All client computers run Windows 2000 Professional. Each department at EliteCertify is in a separate organizational unit (OU) in the domain. Each departmental OU contains user, group, and computer accounts for that department. The human resources (HR) department has one Windows 2000 Server computer named EliteCertify 1. The written security policy for the HR department requires all network communications with EliteCertify 1 to be encrypted. Client computers in the HR department must also be able to communicate with servers in other departments. The administrator for EliteCertify 1 creates a Group Policy object (GPO) named HRLockdown and links the GPO to the HR OU. HRLockdown is configured with the No Override check box selected. The administrators configure and assign a new IPSec policy named HRSec in the HRLockdown GPO with the parameters shown in the following table. Properties Settings Parameters (if required) Tunnel setting No IPSec tunnel specified Connection type All connections Authentication Kerberos IP filter list All IP traffic Source address: ANY Source Port: ANY Destination address: ANY Source port: ANY Destination address: ANY Destination port: ANY Filter action Require security The administrator reports that communications are secure within the department but that users in the department cannot access resources located on other network servers. You need to ensure that client computers in the HR department can communicate with other network servers, while maintaining the HR department's written policy. What should you do?

A. Unassign the HRSec policy in the HRLockdown GPO. Create child OU's named Servers and Clients in the HR OU. Move the computer accounts for the client computers and for EliteCertify 1 to the appropriate OUs. Create a GPO and link it to the Clients OU. Assign the Client (Respond Only) IPSec policy to that GPO. Create a GPO and link it to the Servers OU. Assign the Secure Server (Require Security) IPSec policy to that GPO.
B. Unassign the HRSec policy in the HRLockdown GPO. Create child OUs named Servers and Clients in the HR OU. Move the computer accounts for the client computers and for EliteCertify 1 to the appropriate OUs. Create a GPO and link it to the Clients OU. Assign the Client (Respond Only) IPSec policy to that GPO. Create a GPO and link to the Servers OU. Assign the Server (Request Security)IPSec policy to that GPO.
C. Create a child OU named Clients in the HR OU and move the client computer accounts to the OU. Create a GPO and link it to the Clients OU. Assign the Client (Respond Only) IPSec policy to the GPO. In the HRSec policy, specify the IP subnet address used by computers in the HR department as the source and destination addresses. In the HRSec policy, set the filter action property to Request security.
D. Create a child OU named Servers in the HR OU and move the computer account for EliteCertify 1 to the OU. Create a GPO and link it to the Servers OU. Assign the Secure Server (Require Security) IPSec policy to the GPO. In the HRSec policy, specify the IP subnet address used by computers in the HR department as the source and destination addresses. In the HRSec policy, set the filter action property to Request security.


Display Answer

Answer: A

Explanation: We cannot use the same IPSec policy for the server and for the clients. The Server must use the Secure Server (Require Security) IPSec policy to ensure that all communction to and from EliteCertify 1 is encrypted. The clients only need the use the Client (Respond Only) IPSec policy. We separate the server and the client computers by using separate OUs. Incorrect