70-214 Set 7
Terms
- By default, how often is IPSec policy checked?
- every three hours
- What commands will stop and restart the IPSec Policy Agent?
- net stop policyagent and net start policyagent
- Why does IP Security use computer certificates, rather than user certificates?
- IP Security is in effect even if no one is logged in
- What are the three main parts of an IPSec policy?
- IP Security Rules; IP Filter Lists; IP Filter Actions
- What are the three main filter actions of an IPSec policy?
- Permit, Block, and Negotiate Security
- What port does an IPSec negotiation take place on?
- UDP port 500
- What are the protocol IDs for ESP and AH?
- 50 and 51
- What three frame types are used by 802.11b networks?
- control, management, and data
- What disadvantages does the Hermes wireless chipset have?
- does not support promiscuous mode
- What are the two main chipsets for wireless network cards?
- Hermes and PRISM2
- What advantage does the Hermes chipset have over PRISM2?
- ability to detect multiple APs
- What is virtually the only defense against rogue APs?
- frequent site surveys
- What OSI layer does WEP operate at?
- the MAC sublayer of the Data Link layer
- What makes WEP vulnerable to plaintext attacks?
- the fact that encryption occurs at the data link layer, where much of each frame is well-known
- What is one of the primary advantages of WPA?
- it can be implemented through firmware updates (new equipment is not necessary)
- In Windows 2000, how is WEP configured for a wireless client?
- through utilities provided by the NIC manufacturer
- What two services does Kerberos provide a network? What ticket does each service grant?
- Authentication Service (AS), granting a ticket-granting ticket (TGT); and the Ticket-Granting Service (TGS), granting service tickets
- What is the default lifespan of a Kerberos ticket?
- ten hours
- What are the two forms of delegation in Kerberos?
- proxy tickets and forwarded tickets
- Where is the KDC located?
- on every Windows 2000 domain controller
- What does the KDC use as its account database?
- Active Directory
- What user account does the KDC use?
- domain\krbtgt
- What level is Kerberos policy set at?
- at the domain level
- What entities are allowed to modify Kerberos policy?
- domain admins
- For delegation via forwarded tickets to occur, what four conditions must be met?
- client's AD account must have delegation enabled; service's AD account must have delegation enabled; client computer must be 2000 in a 2000 AD domain; service computer must be 2000 in a 2000 AD domain
- LM and NTLM are forms of what type of authentication?
- challenge/response
- Client certificate mapping requires the use of what security protocol?
- SSL
- Why is using certificates more efficient than using user accounts?
- certificates can be examined without connecting to a database
- Why are certificates considered more secure than passwords?
- it is harder to forge a certificate than to crack a password
- What five authentication methods does Windows 2000 support?
- NTLM, Kerberos 5, Distributed Password Authority (DPA), EAP, and Secure Channel (Schannel)
- What command is used to create trusts?
- netdom
- What authentication method do Windows 95 and 98 default to?
- LM
- What are the two main types of VPNs?
- remote access VPN and site-to-site VPN
- What log are remote access events logged to?
- the Application log
- What does PPTP use to encrypt the link between a VPN client and the server?
- MPPE
- What does PPTP use to encapsulate data?
- Generic Routing Encapsulation (GRE)
- What three protocols can be encapsulated with PPTP?
- IP, IPX, and NetBEUI
- What does L2TP require that makes it more secure, but more expensive, than PPTP?
- machine PKI certificates
- What major network feature is NOT supported by IPSec?
- NAT
- If a network is using NAT, what VPN protocol should be used?
- PPTP
- If the IPSec Policy Agent must be stopped and restarted, what other step is necessary for IPSec to function?
- the RRAS server must be restarted
- Where are remote access policies stored?
- on the RRAS server
- What is necessary in order to store Remote Access policies centrally?
- RADIUS
- What does CHAP use to encrypt authentication?
- MD5
- What is CHAP primarily used for?
- connecting to third-party (non-Microsoft) PPP servers
- What should be done if numerous events in the Application Log indicate that GPO templates cannot be accessed?
- restore the Policies folder from backup
- Where are GPO security templates stored?
- %systemroot%\Sysvol\Domain\Policies