Troubleshooting for Network Communications
These questions are derived from the Self Test Software Practice Test for Microsoft exam #70-299 – Implementing and Administering Security in a Microsoft Windows Server 2003 Network
Objective: Implementing, Managing, and Troubleshooting Security for Network Communications
SubObjective: Plan and implement security for wireless networks
Multiple Answer, Multiple Choice
You are a network administrator for a company named TXGlobal Electronics. The network consists of a single Active Directory forest with three domains: txglobal.com, east.txglobal.com, and west.txglobal.com. All servers run Windows Server 2003, and all client computers run Windows XP Professional with Service Pack 1.
A wireless LAN (WLAN) that complies with 802.11 industry standards will be deployed at each company location. Multiple access points (APs) will be deployed at each location. Only authorized users should be able to gain access to the wireless network. All data transmissions between wireless clients and the APs must be protected by using the highest possible security.
To meet these requirements, you install Microsoft Internet Authentication Service (IAS) on a domain controller in each domain. You also modify the company’s public key infrastructure (PKI) by deploying an enterprise root certification authority (CA).
Which of the following actions should you perform next? (Choose all that apply.)
- A. Deploy computer certificates to all wireless client computers.
- B. Deploy user certificates and smart cards to all wireless users.
- C. Configure all APs as RADIUS servers.
- D. Configure all APs as RADIUS clients.
- E. Configure all client computers as RADIUS clients.
- F. Enable IEEE 802.1X authentication for the WLAN.
- G. Enable static WEP authentication for the WLAN.
A. Deploy computer certificates to all wireless client computers.
B. Deploy user certificates and smart cards to all wireless users.
D. Configure all APs as RADIUS clients.
F. Enable IEEE 802.1X authentication for the WLAN.
Among the presented choices, you should deploy computer certificates to all wireless client computers, deploy user certificates and smart cards to all wireless users, configure all APs as Remote Authentication Dial-In User Service (RADIUS) clients, and enable IEEE 802.1X authentication for the WLAN. Configuring the APs as RADIUS servers, configuring the client computers as RADIUS clients, and enabling static WEP do not meet the requirements, for the reasons given below.
Two-factor authentication can be implemented on a network through the use of smart cards: the user must insert the card into a smart card reader (something the user has) and then enter a personal identification number (PIN) (something the user knows) to authenticate to the computer. The user's logon certificate and key pair are stored on the card's tamper-resistant chip and the private key is not exportable; signing operations are performed on the card itself, so the private key is never exposed to the computer or sent over the network. Before a smart card can be used, the user's logon certificate, public key, and private key must be written to the card. You do this from a Smart Card Enrollment Station, which is integrated with Certificate Services and requires the administrator performing the enrollment to hold an Enrollment Agent certificate. Both computer certificates and smart cards authenticate to the WLAN with the EAP-TLS protocol.
IAS is Microsoft's implementation of the RADIUS protocol. When IAS is deployed, one or more central RADIUS servers become the single point of authentication, authorization, and accounting for all network access requests. IAS can run on a domain controller or on a member server; in this scenario it is installed on a domain controller in each domain so that it can evaluate that domain's accounts and remote access policies directly. The wireless APs are configured as RADIUS clients of one or more RADIUS servers: on the IAS server each AP is registered by its IP address together with a shared secret, and the same secret is entered on the AP. When a wireless client attempts to connect through an AP, the AP (the RADIUS client) forwards the access request to the RADIUS server; the server verifies the user's or computer's credentials and access permissions and returns an Access-Accept or Access-Reject, and the AP enforces that decision on the client's port. A request from an address that is not a registered RADIUS client, or one whose authenticator does not verify under the shared secret, is discarded. IAS therefore provides a centralized set of access policies, and its logging lets you monitor and track usage of the wireless network. These features support the centralized approach to network management and security.
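The exchange described above, as an added example that is not code from the page or from Microsoft: an AP acting as a RADIUS client builds an Access-Request carrying the wireless client's EAP Identity response, the server looks the AP up in its registered-client table by source address and shared secret, checks the Message-Authenticator, applies an access policy, and returns a response whose Response Authenticator the AP verifies before opening or keeping the port blocked. Packet layout and authenticators follow RFC 2865 and RFC 3579; the client table, secrets, user names and policy are constructed for the example.

```python
"""RADIUS exchange between an access point (RADIUS client) and a RADIUS
server such as IAS. Added example, not Microsoft's code: packet layout and
authenticators follow RFC 2865, Message-Authenticator follows RFC 3579.
The client table, shared secrets, user names and policy are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

# Constructed: the RADIUS clients (APs) registered on the server, by address.
RADIUS_CLIENTS = {"10.1.1.10": b"ap1-shared-secret", "10.1.1.11": b"ap2-shared-secret"}
# Constructed: who the server's access policy admits to the WLAN.
AUTHORIZED_USERS = {"EAST\\jdoe", "WEST\\asmith"}


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, request_auth, attrs, secret):
    """AP side. Message-Authenticator = HMAC-MD5(secret, packet with the
    attribute's 16 value bytes zeroed); it is appended as the last attribute."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def message_authenticator_ok(packet, secret):
    """Server side: recompute the HMAC with the attribute zeroed and compare."""
    length = struct.unpack("!H", packet[2:4])[0]
    header, attrs = packet[:20], decode_attrs(packet[20:length])
    received = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if received is None:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, header + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    prefix = struct.pack("!BBH", code, ident, 20 + len(body))
    return prefix + hashlib.md5(prefix + request_auth + body + secret).digest() + body


def response_ok(packet, ident, request_auth, secret):
    """AP side: a response that does not verify is treated as no response."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[1] == ident and hmac.compare_digest(packet[4:20], expected)


def radius_server(packet, source_ip):
    """Minimal IAS-like server: unknown clients and bad authenticators are
    silently discarded (RFC 2865 section 3); otherwise apply the policy."""
    secret = RADIUS_CLIENTS.get(source_ip)
    if secret is None or not message_authenticator_ok(packet, secret):
        return None
    ident, request_auth = packet[1], packet[4:20]
    length = struct.unpack("!H", packet[2:4])[0]
    user = dict(decode_attrs(packet[20:length])).get(USER_NAME, b"").decode()
    code = ACCESS_ACCEPT if user in AUTHORIZED_USERS else ACCESS_REJECT
    # A real EAP exchange would carry EAP-Message (EAP-Success/Failure) and a
    # Message-Authenticator in the response as well; the decision is the point.
    return build_response(code, ident, request_auth, [], secret)


def access_point(user, ap_ip, secret, send=radius_server):
    """AP side: relay the client's EAP Identity response, enforce the answer."""
    ident, request_auth = 7, os.urandom(16)
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(user)) + b"\x01" + user.encode()
    request = build_access_request(ident, request_auth, [
        (USER_NAME, user.encode()),
        (NAS_IP_ADDRESS, bytes(int(o) for o in ap_ip.split("."))),
        (EAP_MESSAGE, eap_identity),
    ], secret)
    response = send(request, ap_ip)
    if response is None or not response_ok(response, ident, request_auth, secret):
        return "blocked"          # no trustworthy answer: port stays unauthorized
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(access_point("EAST\\jdoe", "10.1.1.10", b"ap1-shared-secret"))   # accept
    print(access_point("EAST\\jdoe", "10.1.1.10", b"wrong-secret"))        # blocked
```

The two failure paths are the ones that matter operationally: an AP whose shared secret does not match what was entered on the IAS server, or an AP that was never registered as a RADIUS client, gets no usable answer at all, so its wireless clients stay blocked even with valid certificates.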
IEEE 802.1X is port-based network access control for wired Ethernet and wireless 802.11 networks: the AP blocks all traffic from a client until the client has been authenticated through an EAP exchange that the AP relays to the RADIUS server. Combined with EAP-TLS and RADIUS, it provides centralized user identification, authentication, dynamic key management, and accounting. EAP-TLS gives mutual authentication: the client validates the IAS server's certificate and the server validates the client's computer or user certificate, so a client does not hand its credentials to a rogue AP and only authorized clients are admitted to the WLAN. After a successful authentication the RADIUS server delivers per-user, per-session keying material to the AP, so each client's traffic is encrypted under its own key and keys can be changed dynamically instead of relying on one static key shared by everyone. Note what each party needs: the wireless client computers need computer certificates (and users need user certificates, here on smart cards, for user-level authentication); the IAS servers need server authentication certificates issued by the enterprise CA; the APs need only the RADIUS shared secret and hold no certificate of their own.
Static WEP cannot be used to meet the requirement that only authorized users gain access. WEP encrypts frames between the wireless client and the AP with a single static key that is shared by every client and every AP, so at best it distinguishes a device that knows the key from one that does not; it cannot identify or authorize a user, and because the key must be re-entered on every device whenever it changes, in practice it is rarely changed at all. WEP shared-key authentication is a challenge-response in which the AP sends a plaintext challenge and the client returns it WEP-encrypted; an eavesdropper who captures one challenge and its response learns the keystream for that IV and can answer a later challenge without ever knowing the key. The encryption itself is also known to be recoverable from captured traffic. The keys that belong in this design are the per-session keys that 802.1X with EAP-TLS delivers through IAS, not a static key.
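The weakness of WEP shared-key authentication described above, as an added example that is not code from the page or from Microsoft. RC4 and the WEP frame format (24-bit IV, then RC4(IV||key) applied to data plus a CRC-32 ICV) follow IEEE 802.11-1999; the 104-bit key, the IVs and the challenge bytes are constructed. The AP issues a fresh random challenge every time, yet an eavesdropper who saw one legitimate handshake answers the next challenge correctly without the key, because the key is static and WEP never forbids reusing an IV.

```python
"""Why a static WEP key does not authenticate users: the shared-key handshake
is a challenge-response that leaks keystream. Added example, not code from
the page or Microsoft; RC4 and the WEP framing follow IEEE 802.11-1999, the
key, IVs and challenges are constructed."""
import os
import zlib


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); adequate for this demo and nothing else."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32, sent little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, plaintext):
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, frame):
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    return data[:-4] if data[-4:] == icv(data[:-4]) else None


class AccessPoint:
    """AP performing 802.11 shared-key authentication with one static key."""
    def __init__(self, key):
        self.key, self.pending = key, None

    def challenge(self):
        self.pending = os.urandom(128)      # 128-byte challenge, sent in clear
        return self.pending

    def verify(self, frame):
        ok = wep_decrypt(self.key, frame) == self.pending
        self.pending = None
        return ok


def recover_keystream(challenge, response_frame):
    """Eavesdropper: (challenge || ICV) XOR ciphertext = keystream for that IV."""
    known = challenge + icv(challenge)
    return response_frame[:3], bytes(a ^ b for a, b in zip(known, response_frame[3:]))


def forge_response(iv, keystream, new_challenge):
    """Answer a fresh challenge with the captured IV and keystream, no key needed."""
    known = new_challenge + icv(new_challenge)
    return iv + bytes(a ^ b for a, b in zip(known, keystream))


def demo(key=bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")):
    """Returns (legitimate station accepted, eavesdropper accepted without key)."""
    ap = AccessPoint(key)
    challenge = ap.challenge()
    response = wep_encrypt(key, b"\x01\x02\x03", challenge)   # station knows the key
    legit_ok = ap.verify(response)
    iv, keystream = recover_keystream(challenge, response)    # attacker sniffed both
    forged_ok = ap.verify(forge_response(iv, keystream, ap.challenge()))
    return legit_ok, forged_ok


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The same captured keystream also decrypts any later data frame sent under that IV, which is why a static key shared by the whole WLAN gives neither authentication nor lasting confidentiality.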
TechNet, Contents, “Security,” “Product and Technology Security Centers,” “Windows Server 2003,” “Securing Wireless LANs – A Windows Server 2003 Certificate Services Solution,” “Planning Guide,” “Planning Guide 6 – Designing Wireless LAN Security Using 802.1X.”
TechNet, Contents, “Security,” “Product and Technology Security Centers,” “Windows Server 2003,” “Securing Wireless LANs – A Windows Server 2003 Certificate Services Solution,” “Build Guide,” “Implementing the RADIUS Infrastructure for Wireless LAN Security.”