70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Certification Test

Demo Question 18.

You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. All domain controllers and servers on the EliteCertify.com network run Windows Server 2003, and all client computers runs Windows XP Professional. IPSec secures data communications between servers and client computers. A server named EliteCertify -SR03 is configured as a file server. All users access shared folders hosted on this server. EliteCertify -SR03 also runs Microsoft Exchange. The current IPSec policy configured and applied to EliteCertify -SR03 has the following rules: 1. Rule 1: * Filters traffic from all IP addresses. * Filter Action: Negotiate Security - ESP using SHA1 and 3DES. * Kerberos authentication. 1. Rule 2: * Filters SMTP traffic from EliteCertify -SR22. * Filter Action: Permit 1. Rule 3: * Filters SMTP traffic from all IP addresses. * Filter Action: Negotiate Security - AH using SHA1. * Kerberos authentication. The updated EliteCertify.com written security policy includes a number of new security requirements for EliteCertify -SR03. You must enforce the requirements stipulated in the new security policy. Firstly, all SMTP traffic between EliteCertify -SR03 and clients must be encrypted. Other than for this, no traffic need be encrypted. Secondly, all computers that belong to the EliteCertify.com domain must be able to access shared folders on the server. Thirdly, another computer named EliteCertify -SR22 must be able to access EliteCertify -SR03 by using SMTP. EliteCertify -SR22 is not a member of the EliteCertify.com domain. To enforce the requirements of the updated EliteCertify.com written security policy, you apply the Client (Respond only) IPSec policy to all client computers on the network. You still need to update the current IPSec policy to incorporate each requirement of the updated EliteCertify.com written security policy. You do not want to add EliteCertify -SR22 to the EliteCertify.com domain. What should you do? (Each correct answer presents part of the solution. Choose TWO.)

A. Reorder the existing rules to be: Rule 2, Rule 3, and Rule 1.
B. On Rule 1, modify the Filter Action so that it is Negotiate security - AH Kerberos authentication.
C. On Rule 2, modify the Filter Action so that it is Negotiate security - AH Certificates authentication.
D. On Rule 3, modify the Filter Action so that it is Negotiate security - ESP Kerberos authentication.


Display Answer

Answer: B, D

Explanation: Because all SMTP traffic between EliteCertify -SR03 and clients must be encrypted, you need to change Rule 3 by modifying the Filter Action to be Negotiate security - ESP Kerberos authentication. ESP ensures data confidentiality through encryption, data integrity, data authentication, and other features that support optional anti-replay services. To ensure data confidentiality, a number of symmetric encryption algorithms are used. Secondly, because no other traffic needs be authenticated, you need to change the Rule 1 by modifying the Filter Action to be Negotiate security - AH Kerberos authentication. Incorrect answers: A. The current order of application of the three rules does not need to be modified because more specific rules have precedence over less specific rules. C. If you change Rule 2 by modifying the Filter Action so that it is Negotiate security - AH Certificates authentication, you will be preventing EliteCertify -SR22 from accessing EliteCertify -SR03.