INFO 404

LAB ANSWERS

LAB 1: INSTALLING AND MANAGING CERTIFICATION SERVICES

1. In Exercise 1-2, why was it necessary to log on to the Contoso domain instead of the domainxxyy domain?

Because the logged-on user must be a member of the Enterprise Admins group to install an enterprise CA, and the Administrator account in the domainxxyy domain is not a member of this group. The Administrator account in the Contoso domain is a member.

2. In Exercise 1-2, when the CA Certificate Request page appears, what would you have to do next if you selected the Save The Request To A File option instead of Send The Request Directly To A CA Already On The Network?

You would have to submit the request file manually to the enterprise root CA on Server01, and then manually return the resulting certificate to Computerxx.

3. In Exercise 1-4, in the Certificates snap-in, what determines which types of certificates are listed on the Certificate Types page?

The contents of the Certificate Types list are determined by which certificate templates are installed on the CA and which of those templates the user has permission to use.

4. In Exercise 1-5, was the certificate to your name shown as revoked? Why or why not?

Because the stand-alone server does not automatically publish the list. Not only does the list need to be published manually, but the refresh period also has to have passed.

LAB 2: PACKET FILTERING & IPSEC

1. When creating the IP filter list in Exercise 2-3, what would be the result if, for the Source Address, you selected A Specific IP Subnet and specified the network address of your student domain, and for the Destination Address, you specified Computeryy's IP Address? Explain your answer.

The result would be no different than the current configuration, because the Mirrored check box was selected, causing the wizard to create identical filters reversing the source and destination addresses.

2. Assume that you are going to assign the Intranet Web Security policy to the domainxxyy domain. If so, why would clearing the Mirrored check box while creating the IP filter list in Exercise 2-3 have no apparent effect on the communications between Computerxx and Computeryy?

Because the same IP security policy is being applied to both computers, so protection is still provided for traffic running in both directions.

3. Throughout this lab, you have configured IPSec to use the default authentication method, which is the Kerberos authentication protocol. It is also possible to use preshared keys for authentication. Give two reasons why Microsoft recommends against using preshared keys.

Preshared keys produce a weaker form of encryption than Kerberos or certificates. Preshared keys are stored in clear text in the Windows registry and in hexadecimal format in Active Directory, both of which are readable.

4. In Exercise 2-5, for what type of system would you specify a tunnel endpoint while creating a rule?

For a gateway providing access to a remote network.

5. What kind of network traffic is the IP filter list you created in Exercise 2-3 designed to isolate? Explain how you can tell.

The filter isolates all Web traffic between Computeryy and the classroom network. Specifying Computeryy's IP address as the source address and the classroom network address as the destination address causes the filter to select only the packets transmitted from Computeryy to the other systems on the classroom network. Specifying 80 as the source port causes the filter to select only the messages involved in Web server communications.
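As an added illustration of questions 1 and 5 (example code written for these answers, not part of the lab), the following Python model treats an IP filter the way the wizard does: when Mirrored is selected, a second filter with the source and destination sides (addresses and ports) reversed is added to the list. The addresses 10.1.1.0/24 for the classroom network and 10.1.1.20 for Computeryy, and the five sample packets, are constructed for the example. Reversing the lab filter's source and destination sides, as question 1 describes, selects exactly the same packets while Mirrored is on and different packets when it is off.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addresses for the lab machines (the real lab uses its own scheme).
CLASSROOM_NET = "10.1.1.0/24"
COMPUTERYY = "10.1.1.20"


@dataclass(frozen=True)
class Filter:
    src: str                        # host address or subnet in CIDR form
    dst: str
    protocol: str = "TCP"           # "TCP", "UDP" or "ANY"
    src_port: Optional[int] = None  # None means any port
    dst_port: Optional[int] = None

    def matches(self, pkt: Dict) -> bool:
        """True if this single filter selects the packet."""
        if self.protocol != "ANY" and pkt["proto"] != self.protocol:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.src_port is not None and pkt["sport"] != self.src_port:
            return False
        if self.dst_port is not None and pkt["dport"] != self.dst_port:
            return False
        return True


def mirrored(f: Filter) -> Filter:
    """The extra filter the wizard adds when Mirrored is checked:
    source and destination addresses and ports reversed."""
    return Filter(src=f.dst, dst=f.src, protocol=f.protocol,
                  src_port=f.dst_port, dst_port=f.src_port)


def filter_list(f: Filter, mirror: bool = True) -> List[Filter]:
    return [f, mirrored(f)] if mirror else [f]


def selected(filters: List[Filter], packets: List[Dict]) -> List[int]:
    """Indices of the packets that any filter in the list selects."""
    return [i for i, p in enumerate(packets) if any(f.matches(p) for f in filters)]


def pkt(src, sport, dst, dport, proto="TCP") -> Dict:
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


# Constructed traffic sample.
PACKETS = [
    pkt(COMPUTERYY, 80, "10.1.1.30", 1234),    # 0: HTTP response from Computeryy
    pkt("10.1.1.30", 1234, COMPUTERYY, 80),    # 1: HTTP request to Computeryy
    pkt(COMPUTERYY, 445, "10.1.1.30", 2000),   # 2: SMB from Computeryy, not Web traffic
    pkt("10.1.1.30", 80, COMPUTERYY, 5555),    # 3: another Web server on the subnet talking to Computeryy
    pkt("172.16.0.5", 3000, COMPUTERYY, 80),   # 4: HTTP request from outside the classroom network
]

# The Exercise 2-3 filter: from Computeryy to the classroom network, source port 80.
LAB_FILTER = Filter(src=COMPUTERYY, dst=CLASSROOM_NET, protocol="TCP", src_port=80)
# Question 1: the same filter with the source and destination sides reversed.
REVERSED_FILTER = mirrored(LAB_FILTER)


def compare(mirror: bool):
    """(packets selected by the lab filter list, packets selected by the reversed list)."""
    return (selected(filter_list(LAB_FILTER, mirror), PACKETS),
            selected(filter_list(REVERSED_FILTER, mirror), PACKETS))


if __name__ == "__main__":
    print("Mirrored:    ", compare(True))   # both lists select packets 0 and 1
    print("Not mirrored:", compare(False))  # lab filter selects [0], reversed selects [1]
```

Packets 2, 3 and 4 are never selected: packet 2 is not on port 80, packet 3 has port 80 on the wrong side for either direction of the mirrored pair, and packet 4 comes from outside the classroom network.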

PART II

1. In Exercise 2-8, you used the IP Security Monitor snap-in to find out which IPSec policies are operating on your computers. List two other methods for determining which policy is active on a Microsoft Windows Server 2003 computer.

You can use the Resultant Set Of Policy snap-in or the netsh ipsec static show all command.

2. In Exercise 2-8, why is the Intranet Web Security policy not assigned to Computerxx?

Because the Intranet Web Security policy is applied to the Intranet OU, and the Computerxx computer object is not located in that OU.

3. In Exercise 2-8, when you assign the Server (Request Security) policy to the domainxxyy domain, why does Computeryy continue to use the Intranet Web Security policy?

Because Computeryy has received its IPSec policy from a GPO assigned to an OU, and, for IPSec policies, OU assignments take precedence over domain assignments.

4. In Exercise 2-6, you created a display filter that isolated the HTTP packets in your captured traffic sample. What would be the result if you applied the same display filter to the traffic sample you captured in Exercise 2-9? Why?

Applying the same display filter to the traffic sample captured in Exercise 2-9 would result in Network Monitor displaying no packets at all. Although the packets in the second sample do contain HTTP data, the HTTP messages are encapsulated by ESP and encrypted, so they are not visible to Network Monitor.

LAB 3: AUTHORISATION STRATEGIES

1. After setting up the account groups and resource groups as detailed in this lab, suppose that the current trainee manager, Deborah Poe, decides to leave the company and Max Benson is promoted to her position. What must you do to grant Max the permissions previously assigned to Deborah?

Remove the Max Benson user object from the Trainees group and add it to the Trainee Mgrs group.

2. In Exercise 3-7, why can’t you make the domain local groups members of the global groups, instead of the other way around?

Because global groups cannot have domain local groups as members.

3. In Exercise 3-3, using the Deborah Poe account, you attempted to copy the Eula.txt file from the C:\Win2k3\I386 folder on Computeryy to the I386 folder in the Win2k3 share on the Computerxx server, and this attempt failed. However, in Exercise 3-4, Deborah was able to copy a file to the root of the Win2k3 share. Which special permissions account for the difference between these two results?

The Create Files/Write Data special permission gives Deborah Poe the ability to create a new file in the Win2k3 folder, as she did in Exercise 3-4. In Exercise 3-3, however, Deborah attempted to overwrite a file in a subfolder of Win2k3, which she was unable to do because she lacks the Delete and the Delete Subfolders And Files special permissions.

4. When creating resource groups, why is it preferable to use domain local groups instead of machine local groups?

Because machine local groups must be administered on the computer hosting the resource, while you can administer domain local groups centrally using Active Directory Users And Computers.

5. What would happen if you added Deborah Poe to the Trainees group as well as the Trainee Mgrs group?

The user would not have full control of the Win2k3 folder because the Trainees group is denied the Write permission to the folder, and this denial would take precedence over the allow permissions granted to the Trainee Mgrs group.
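As an added illustration of questions 1, 2 and 5 of this lab (example code written for these answers, not the lab's own material), the following Python model enforces the group-nesting rule (a global group can hold users and global groups, a domain local group can also hold domain local groups) and evaluates a folder's permissions as the union of matching Allow entries minus the union of matching Deny entries, so a Deny reached through any group wins. The resource group names Win2k3 Full Control and Win2k3 Deny Write are hypothetical, as is the simplified set of rights that stands in for Full Control; the lab's actual group names are not given in the answers.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Which principal scopes each group scope may contain (the nesting rule from question 2).
ALLOWED_MEMBER_SCOPES = {
    "global": {"user", "global"},
    "domain_local": {"user", "global", "domain_local"},
}

# Simplified stand-in for the NTFS Full Control right (assumption for the example).
FULL_CONTROL: FrozenSet[str] = frozenset(
    {"Read", "Write", "Execute", "Delete", "ChangePermissions", "TakeOwnership"})

Ace = Tuple[str, str, Set[str]]   # (principal, "allow" | "deny", rights)


@dataclass
class Group:
    name: str
    scope: str
    members: Set[str] = field(default_factory=set)


class Directory:
    def __init__(self) -> None:
        self.users: Set[str] = set()
        self.groups: Dict[str, Group] = {}

    def add_user(self, name: str) -> None:
        self.users.add(name)

    def add_group(self, name: str, scope: str) -> None:
        self.groups[name] = Group(name, scope)

    def scope_of(self, principal: str) -> str:
        return "user" if principal in self.users else self.groups[principal].scope

    def add_member(self, group: str, member: str) -> None:
        """Refuse memberships Active Directory would not allow."""
        g = self.groups[group]
        if self.scope_of(member) not in ALLOWED_MEMBER_SCOPES[g.scope]:
            raise ValueError(f"{g.scope} group {group!r} cannot contain "
                             f"{self.scope_of(member)} {member!r}")
        g.members.add(member)

    def groups_of(self, user: str) -> Set[str]:
        """Transitive membership: the groups a logon token would carry."""
        result: Set[str] = set()
        changed = True
        while changed:
            changed = False
            for g in self.groups.values():
                if g.name not in result and (user in g.members or g.members & result):
                    result.add(g.name)
                    changed = True
        return result


def effective_rights(d: Directory, acl: List[Ace], user: str) -> FrozenSet[str]:
    """Every Allow that applies to the user or her groups, minus every Deny that applies."""
    principals = {user} | d.groups_of(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, ace_type, rights in acl:
        if principal in principals:
            (allowed if ace_type == "allow" else denied).update(rights)
    return frozenset(allowed - denied)


def build_lab() -> Tuple[Directory, List[Ace]]:
    """Account groups (global) feeding resource groups (domain local) on the Win2k3 folder."""
    d = Directory()
    for u in ("Deborah Poe", "Max Benson"):
        d.add_user(u)
    d.add_group("Trainees", "global")
    d.add_group("Trainee Mgrs", "global")
    d.add_group("Win2k3 Full Control", "domain_local")   # hypothetical resource group
    d.add_group("Win2k3 Deny Write", "domain_local")     # hypothetical resource group
    d.add_member("Trainee Mgrs", "Deborah Poe")
    d.add_member("Trainees", "Max Benson")
    d.add_member("Win2k3 Full Control", "Trainee Mgrs")
    d.add_member("Win2k3 Deny Write", "Trainees")
    acl: List[Ace] = [("Win2k3 Full Control", "allow", set(FULL_CONTROL)),
                      ("Win2k3 Deny Write", "deny", {"Write"})]
    return d, acl


def promote(d: Directory, user: str) -> None:
    """Question 1: move the user from Trainees to Trainee Mgrs."""
    d.groups["Trainees"].members.discard(user)
    d.add_member("Trainee Mgrs", user)


if __name__ == "__main__":
    d, acl = build_lab()
    promote(d, "Max Benson")
    print(sorted(effective_rights(d, acl, "Max Benson")))      # Full Control after promotion
    d.add_member("Trainees", "Deborah Poe")
    print(sorted(effective_rights(d, acl, "Deborah Poe")))     # everything except Write
```

Leaving Max in Trainees while adding him to Trainee Mgrs would give him the same reduced rights Deborah gets in question 5, which is why the answer to question 1 removes him from Trainees first.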

LAB 4: DEPLOYING SUS

1. In Exercise 6-2, you synchronized your newly installed SUS server from another SUS installation running on the classroom Server01 computer. If you were to synchronize to the Windows Update servers on the Internet instead, would the process in most cases take more or less time? Explain why.

Because you are synchronizing from another SUS server on the local network, the process is relatively quick. In the majority of cases, synchronizing from the Windows Update servers on the Internet would take much longer, both because of the relatively slow speed of Internet connections (compared to local area network connections) and because of the constant traffic to the Windows Update servers.

2. In Exercise 4-5, after you open the Password Must Meet Complexity Requirements Properties dialog box, enable the policy, and click OK, is the policy now enabled on the computer? Explain why or why not.

The policy is not enabled on the computer because the Password Must Meet Complexity Requirements Properties dialog box can only make changes to the database. To enable the policy on the computer, you must apply the entire database.

3. For each of the elements with red or yellow Xs that you listed in Exercise 4-6, specify what you must do to rectify each problem.


■ Automatic Updates: Configure the Automatic Updates client.

■ Password Expiration: Specify password expiration times for the Administrator and Guest accounts.

■ IE Enhanced Security Configuration For Administrators: Enable Internet Explorer Enhanced Security Configuration in the Add/Remove Programs Control Panel.

■ IE Enhanced Security Configuration For Non-Administrators: Enable Internet Explorer Enhanced Security Configuration in the Add/Remove Programs Control Panel.

4. Scan a computer with the IP address 192.168.54.199 for all security vulnerabilities, using the Windows Update servers and redirecting output to a file called 192.168.54.199.txt.

Mbsacli /i "192.168.54.199" /f 192.168.54.199.txt

5. Scan all of the computers in the contoso.com domain for missing updates, password problems, and operating system vulnerabilities only. Use an SUS server called Intranet1, and save the output to a file called contoso.txt, all without displaying any output.

Mbsacli /n SQL+IIS /d contoso /sus /f "contoso.txt" /q

LAB 5: PASSWORD POLICIES

1. In Exercise 5-2, what would have happened if you had created the new Mark Lee user account without having previously modified the default domain password policies?

You would have been unable to create the user object, because the password you specified would not have conformed to the default policy requirements.

2. Assume that the Account Lockout policies for your domain are set to the values shown in the following table. What changes could you make to the policy values that would increase the security of the network? Explain your answer.

Policy                          Value
Account Lockout Duration        0
Account Lockout Threshold       3 invalid logon attempts
Reset Account Lockout After     5 minutes

Increasing the Reset Account Lockout After value would force potential intruders to wait longer before they could attempt to access the account by trying new passwords.

3. In Exercise 5-2, you were unable to change the password for the Mark Lee account to markleepass1. In what ways did this password not conform to the domain password policies?

The password contained the user’s name, and it did not contain capital letters or symbols.
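As an added illustration of this answer (example code written for it, not part of the lab), the following Python function applies a checker modeled on the Windows "Password must meet complexity requirements" rule: the password must be at least six characters long, must not contain the account name or any part of the full name longer than two characters (compared case-insensitively), and must draw on at least three of the four character categories used here (uppercase, lowercase, digit, symbol). The account name mlee, the exact set of name delimiters, and the sample passwords are assumptions made for the example; run against markleepass1 for the Mark Lee account it reports the same problems the answer lists.

```python
import re
from typing import Callable, Dict, List

MIN_LENGTH = 6

# Character categories the checker counts (assumption: four categories, three required).
CATEGORIES: Dict[str, Callable[[str], bool]] = {
    "uppercase letter": str.isupper,
    "lowercase letter": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}

# Delimiters assumed to split a full name into tokens.
NAME_DELIMITERS = r"[,.\-_ #\t]+"


def name_tokens(display_name: str, sam_account: str) -> List[str]:
    """Lower-cased name fragments a password must not contain: the account name
    and every full-name token longer than two characters."""
    tokens = [t for t in re.split(NAME_DELIMITERS, display_name) if len(t) > 2]
    if len(sam_account) >= 3:
        tokens.append(sam_account)
    return [t.lower() for t in tokens]


def complexity_violations(password: str, display_name: str, sam_account: str) -> List[str]:
    """Return every way the password fails the modeled complexity rule (empty list = OK)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for token in name_tokens(display_name, sam_account):
        if token in lowered:
            problems.append(f"contains part of the user's name ({token!r})")
    present = [name for name, test in CATEGORIES.items() if any(test(c) for c in password)]
    if len(present) < 3:
        missing = [name for name in CATEGORIES if name not in present]
        problems.append("uses only " + ", ".join(present)
                        + "; needs 3 of 4 categories, missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed inputs: the lab's Mark Lee account with an assumed account name.
    for candidate in ("markleepass1", "MarkLee!23", "P@ssw0rd-Lab7"):
        print(candidate, "->", complexity_violations(candidate, "Mark Lee", "mlee") or "OK")
```

MarkLee!23 shows that satisfying the character categories is not enough on its own: it still contains both parts of the full name and is rejected for that reason alone.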

4. Would lowering the value of the Enforce Password History policy increase or decrease the security of the network? Explain your answer.

Lowering the value would decrease security, because users would be able to reuse the same passwords more frequently.