70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Free Exam Test

Demo Question 14.

You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. All domain controllers and servers on the EliteCertify.com network run Windows Server 2003 and all client computers run Windows XP Professional. All servers are located in an organization unit (OU) named EliteCertify Servers and all client computers are located in an organization unit (OU) named EliteCertify ClientComputers. You receive instruction to secure data communications by using IPSec. You must ensure that communication between client computers and servers are encrypted. You must also ensure that all servers are secure from Denial of Service (DoS) attacks using SYN packets. You create a new Group Policy Object (GPO) named Secure. The Secure GPO assigns a custom IPSec policy named Policy1. You link the Secure GPO to the EliteCertify Servers OU to ensure that all servers only allow secure data communications. You also assign the Client (Respond Only) IPSec policy in the Domain Security Policy GPO. The Exhibit shows the current Filter Action Properties configured for Policy1: Users complain that they cannot connect to any network servers. You investigate the issue and discover that no users, including you, can access network servers that reside in the EliteCertify Servers OU. You need to ensure that all users can access network servers, while still ensuring that secure data communications occur between client computers and servers. You want to protect all servers from DoS attacks. What should you do? (Each correct answer presents part of the solution. Choose TWO.)

A. Create a custom IPSec policy. Assign the custom IPSec policy to a GPO linked to the EliteCertify ClientComputers OU.
B. Create a rule that negotiates security between client computers and your servers that need to be secured.
C. Change the current IPSec policy applied to the EliteCertify Servers OU so that the Allow unsecured communication with non-IPSec-aware computers option is enabled.
D. Create a rule that permits all traffic between client computers and your servers that need to be secured.


Display Answer

Answer: A, B

Explanation: The issue you have to that the Client (Respond Only) IPSec policy assigned in the Domain Security Policy GPO sends connections attempts without using IPSec. All servers that reside in the EliteCertify Servers OU are configured to NOT allow unsecured communication connections. To resolve the issue, you need to create a custom IPSec policy and assign the custom IPSec policy to a GPO linked to the EliteCertify ClientComputers OU. You need to create a rule in the custom IPSec policy that negotiates security between client computers and your servers that need to be secured. Incorrect answers: C. If you enable the Allow unsecured communication with non-IPSec-aware computers option, then you will be putting your servers at risk to DoS attacks. All your client computers ARE IPSec-aware computers. D. This will not result in the client computers initiating secure communications with your servers.