70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Demo Question 20.
You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. All servers on the EliteCertify.com network run Windows Server 2003 and all client computers run Windows XP Professional. The EliteCertify.com domain contains two domain controllers named EliteCertify-DC01 and EliteCertify-DC02 respectively. EliteCertify.com recently opened a new staff business college. The staff business college is located in the EliteCertify.com corporate headquarters building. You deploy a new application server named EliteCertify-SR05 on the EliteCertify.com network. You install a new custom application named TestApp1 on EliteCertify-SR05. All course material is accessible through TestApp1. You deploy 30 new Windows XP Professional client computers at the staff business college. You connect each new client computer to the local area network (LAN). None of the 30 new client computers in the staff business college are domain members. Currently, no public key infrastructure (PKI) is deployed in the EliteCertify.com domain. You must ensure that only authorized domain users can access TestApp1. You do not want to incur any overhead that is not completely necessary to achieve your goal. What should you do to achieve your goal under these circumstances?
A. Create a new IPSec policy. Configure the IPSec policy so that Encapsulating Security Payload (ESP) using Kerberos authentication is applied for all traffic to EliteCertify-SR05.
B. Create a new IPSec policy. Configure the IPSec policy so that Authentication Header (AH) using Kerberos authentication is applied for all traffic to EliteCertify-SR05.
C. Create a new IPSec policy. Configure the IPSec policy so that Authentication Header (AH) using certificate-based authentication is applied for all traffic to EliteCertify-SR05.
D. On EliteCertify-SR05, change the local security policy so that the Digitally sign server communication (always) security policy is enabled to authenticate all traffic to EliteCertify-SR05.
Answer: B
Explanation: In Windows Server 2003, IPSec uses the Authentication Header (AH)
protocol and Encapsulating Security Payload (ESP) protocol to provide data
security. In your case, you only need to use AH. AH provides data authentication
and integrity, and can therefore be used on its own when data integrity and
authentication are relevant factors and confidentiality is not. This is because AH
does not provide for encryption like ESP, and therefore cannot provide data
confidentiality. With AH, a digital signature is used to verify the identity of the
sender of the information. IPSec can use Kerberos, a preshared key, or digital
certificates for authentication. Because you do not have a PKI, you should configure
the IPSec policy so that Kerberos authentication is used.
Incorrect answers:
A. Authentication Header (AH) and Encapsulating Security Payload (ESP) can be
used separately, or together. ESP ensures data confidentiality through encryption, data
integrity, data authentication, and other features that support optional anti-replay
services. To ensure data confidentiality, a number of symmetric encryption algorithms
are used. You do not need to encrypt data being sent to and from EliteCertify-SR05.
Encryption results in additional overhead on each packet.
C. You cannot use certificate-based authentication because this method of authentication
is dependent on a PKI implementation. You would have to first deploy a PKI, which
would result in additional expenses.
D. The Digitally sign server communication (always) security policy would cause
EliteCertify-SR05 to digitally sign data before it sends the data over the network. No
mutual authentication between client and server would occur.