web flashcards

Question 1

DirectAccess was introduced with which workstation/server pair?

Answer 1

Windows 7/Windows Server 2008 R2

Question 2

What kind of connectivity does DirectAccess establish between workstation and server?

Answer 2

bi-directional

Question 3

What type of server is the network location server (NLS)?

Answer 3

web

Question 4

What does the acronym ISATAP stand for?

Answer 4

Intra-Site Automatic Tunnel Addressing Protocol

Question 5

What utility do you use to configure DirectAccess?

Answer 5

Remote Access Management Console

Question 6

Windows Server 2012 varies from the Windows Server 2008 R2 implementation in that it does not require which one of the following?

Answer 6

two consecutive public IP addresses

Question 7

What is the most basic requirement for a DirectAccess implementation?

Answer 7

The DirectAccess server must be part of an Active Directory domain.

Question 8

If the client cannot reach the DirectAccess server using 6to4 or Teredo tunneling, the client tries to connect using what protocol?

Answer 8

IP-HTTPS

Question 9

What does the netsh namespace show policy command do?

Answer 9

determines the results of network location detection and the IPv6 addresses of the intranet DNS servers

Question 10

What kind of connectivity does DirectAccess provide between client computers and network resources?

Answer 10

seamless and always on

Question 11

DirectAccess is for clients connected to which network?

Answer 11

Internet

Question 12

How do the DirectAccess server and DirectAccess client authenticate each other?

Answer 12

computer and user credentials

Question 13

Which one of the following operating systems may not act as a DirectAccess client?

Answer 13

Windows Server 2008

Question 14

What kind of RADIUS server is placed between the RADIUS server and RADIUS clients?

Answer 14

a RADIUS proxy server

Question 15

What process determines what a user is permitted to do on a computer or on a network?

Answer 15

authorization

Question 16

What is a RADIUS server known as in Microsoft parlance?

Answer 16

Network Policy Server

Question 17

Which ports do Microsoft RADIUS servers use officially?

Answer 17

1812 and 1813

Question 18

When an access client contacts a VPN server or wireless access point, a connection request is sent to what system?

Answer 18

the NPS server

Question 19

Which system, in a RADIUS infrastructure, handles the switchboard duties of relaying requests to the RADIUS server and back to the client?

Answer 19

the access server

Question 20

What is the final step in the authentication, authorization, and accounting scenario between an access client and the RADIUS server?

Answer 20

an Accounting-Response to the access server

Question 21

To configure RADIUS service load balancing, you must have more than one kind of what system per remote RADIUS server group?

Answer 21

RADIUS server

Question 22

Which parameter specifies the order of importance of the RADIUS server to the NPS proxy server?

Answer 22

priority

Question 23

Using what feature can streamline the creation and setup of RADIUS servers?

Answer 23

templates

Question 24

What information does the Accounting-Start message contain?

Answer 24

the type of service and the user it’s delivered to

Question 25

Which system is the destination for Accounting-Start messages?

Answer 25

the RADIUS accounting server

Question 26

What type of NPS authentication is recommended over password authentication?

Answer 26

certificate

Question 27

Why is password-based authentication not recommended?

Answer 27

Usernames and passwords are sent in plain text.

Question 28

Where do you get certificates for authentication purposes?

Answer 28

a certificate authority

Question 29

An NPS policy is a set of permissions or restrictions that determine what three aspects of network connectivity?

Answer 29

who, when, and how

Question 30

Which variable can be set to authorize or deny a remote connection?

Answer 30

group membership

Question 31

The default connection request policy uses NPS as what kind of server?

Answer 31

RADIUS

Question 32

Where is the default connection policy set to process all authentication requests?

Answer 32

locally

Question 33

What is the last setting in the Routing and Remote Access IP settings?

Answer 33

how IP addresses are assigned

Question 34

What command-line utility is used to import and export NPS templates?

Answer 34

netsh

Question 35

To which type of file do you export an NPS configuration?

Answer 35

XML

Question 36

When should you not use the command-line method of exporting and importing the NPS configuration?

Answer 36

when the source NPS database has a higher version number than the version number of the destination NPS database

Question 37

Network policies determine what two important connectivity constraints?

Answer 37

who is authorized to connect AND the connection circumstances for connectivity

Question 38

When the Remote Access server finds an NPS network policy with conditions that match the incoming connection attempt, the server checks any _______________ that have been configured for the policy.

Answer 38

constraints

Question 39

If a remote connection attempt does not match any configured constraints, what does the Remote Access server do to the connection?

Answer 39

denies

Question 40

Identify the correct NPS templates. Select all that apply.

Answer 40

Shared Secrets
Health Policies
RADIUS Clients

Question 41

Which two of the following are Routing and Remote Access IP settings?

Answer 41

Client May Request an IP Address

Server Must Supply an IP Address

Question 42

Which Routing and Remote Access IP setting is the default setting?

Answer 42

Server Settings Determine IP Address Assignment

Question 43

Network Access Protection (NAP) is Microsoft’s software for controlling network access of computers based on what?

Answer 43

a computer’s overall health

Question 44

Because NAP is provided by _________, you need to install _________ to install NAP.

Answer 44

NPS

NPS

Question 45

DHCP enforcement is not available for what kind of clients?

Answer 45

IPv6

Question 46

Identify two remediation server types.

Answer 46

Anti-virus/anti-malware servers

Software update servers

Question 47

What type of Active Directory domain controller is recommended to minimize security risks for remediation servers?

Answer 47

read-only

Question 48

When you fully engage NAP for remediation enforcement, what mode do you place the policy in?

Answer 48

isolation

Question 49

To verify a NAP client’s configuration, which command would you run?

Answer 49

> netsh nap client show state

Question 50

Which two components must a NAP client have enabled in order to use NAP?

Answer 50

Security Center

NAP Agent

Question 51

Why do you need a web server as part of your NAP remediation infrastructure?

Answer 51

to provide user information in case of a compliance failure

Question 52

Where do you look to find out which computers are blocked and which are granted access via NAP?

Answer 52

the NAP Server Event Viewer

Question 53

Health policies are in pairs. What are the members of the pair? Select two.

Answer 53

NAP-compliant

NAP-noncompliant

Question 54

You should restrict access only for clients that don’t have all available security updates installed if what situation exists?

Answer 54

the computers are running Windows Update

Question 55

What happens to a computer that isn’t running Windows Firewall?

Answer 55

The computer is isolated.

Question 56

Health policies are connected to what two other policies?

Answer 56

network policies

connection request policies

Question 57

To use the NAP-compliant policy, the client must do what?

Answer 57

pass all SHV checks

Question 58

Which computers are not affected by VPN enforcement?

Answer 58

locally connected computers

Question 59

What is the default authentication protocol for non-domain computers?

Answer 59

NTLM

Question 60

What does the acronym NTLM stand for?

Answer 60

NT LAN Manager

Question 61

Role seizure is performed using the ________ command

Answer 61

NTDSUTIL

Question 62

FSMO role change process where the original role-holder DC is down

Answer 62

seizure

Question 63

FSMO role change process where the original role-holder DC is running

Answer 63

transfer

Question 64

Which of the FSMO roles ideally should not be on a Global Catalog server?

Answer 64

Infrastructure master

Question 65

Every additional domain in the forest adds how many domain-wide roles?

Answer 65

three (which)

Question 66

A forest with one domain has how many operations master roles?

Answer 66

five (which)

Question 67

True or False. Only one domain controller in the domain or forest performs each FSMO role.

Answer 67

true

Question 68

Which FSMO role updates group membership changes?

Answer 68

Infrastructure Master

Question 69

Which FSMO role tracks, moves, and renames objects and also updates references from objects in its domain to objects in other domains?

Answer 69

Infrastructure Master

Question 70

Which FSMO role is responsible for updating changes made to objects?

Answer 70

Infrastructure Master

Question 71

Which FSMO role acts as a focal point for all Group Policy changes to avoid Group Policy object conflicts?

Answer 71

PDC Emulator

Question 72

Which FMSO role acts as the domain master browser, creating browse lists of workgroups, domains, and servers?

Answer 72

PDC Emulator

Question 73

Which FSMO role replicates password changes within a domain?

Answer 73

PDC Emulator

Question 74

Which FSMO role acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers.

Answer 74

PDC Emulator

Question 75

True or False. RIDs (and SIDs) can be reused.

Answer 75

False

Question 76

This is created for a new security principal by combining the RID with the domain ID

Answer 76

Security Identifier SID

Question 77

What is RID?

Answer 77

Relative ID

Question 78

Which FSMO role allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by the domain controller when creating new security principals (such as user, group, or computer accounts).

Answer 78

RID Master

Question 79

True or False. The domain naming master is essential in a single-domain environment.

Answer 79

False

Question 80

Which FSMO role adds new domains to and removes existing domains from the forest.

Answer 80

Domain Naming Master

Question 81

True or False. All other domain controllers hold read-only replicas of the schema.

Answer 81

True

Question 82

Only the _______ can perform write operations to the directory schema.

Answer 82

Schema Master

Question 83

Schema updates are replicated from the schema master to _________ in the forest.

Answer 83

Domain Controllers

Question 84

How many schema masters do you have in a forest?

Answer 84

one

Question 85

Which FSMO role maintains the Active Directory schema for the forest?

Answer 85

Schema Master

Question 86

True or False. Having a single operations master means that the master role owner does not have to be available to make directory changes associated with that specific operations master role.

Answer 86

False

Question 87

True or False. Having a single operations master means that the role owner must be available when dependent activities in the enterprise or domain take place.

Answer 87

True

Question 88

A domain controller that performs an operations master role is known as

Answer 88

Operations master

Question 89

Term for specialized domain controller tasks assigned to a domain controller in the domain or forest

Answer 89

FSMO Roles

Question 90

What does FSMO stand for?

Answer 90

Flexible Single Master Operation

Question 91

What does RADIUS stand for?

Answer 91

Remote authentication dial-in user service

Question 92

What limitations does NPS installation have?

Answer 92

Cant be installed on Failover Cluster or server core?

Question 93

What role or feature allows RADIUS?

Answer 93

Network Policy and Access Server

Question 94

What is considered a client of a RADIUS Server?

Answer 94

A VPN Server is a client because it uses the authorization and authentication services.

Question 95

What authentication protocol is used for smart card suppart?

Answer 95

Extensible Authentication Protocol(EAP)

Question 96

What authentication protocol uses your password as authentication?

Answer 96

MS-CHAPv2

Question 97

How do priority and weight work in RADIUS?

Answer 97

Low priority wins and higher weight is more likely to be used.

Question 98

What are the 4 RADIUS Accounting modes?

Answer 98

SQL Only
Text Logging
Parralel(SQL and Tex)
SQL with backup

Question 99

What certificates does a NPS server need?

Answer 99

Workstation authentication for the client computer and server authentication for the NPS server.

Question 100

Where in Group Policy would you auto enroll clients for the workstation authentication cert?

Answer 100

Computer Config\Policies\Windows Settings\Security Settings\Public Key Policies.

Question 101

What are connection request policies?

Answer 101

defines which connections are processed by the NPS Server and which are processed on a remote RADIUS Server.

Question 102

What are network policies?

Answer 102

define who is allowed to connect to the network, how they are authenticated, and what access is permitted.

Question 103

What happens to existing NPS templates when you import a new one?

Answer 103

It replaces any existing templates with those in the imported XML file.

Question 104

What must you do after you import a NPS configuration?

Answer 104

You must reconfigure SQL Server Logging.

Question 105

How can you Export/Import NPS Configuration?

Answer 105

The NPS console
or
Export-NPSConfiguration
Import-NPSConfiguration

Question 106

What group do you add RRAS to to activate in AD?

Answer 106

RAS and IAS Servers security group.

Question 107

How can you export NPS templates?

Answer 107

You Rclick on Templates Management - it exports ALL the templates

Question 108

Where in NPS can you specify whether the server is going to be a Radius Server vs a Radius Proxy?

Answer 108

When you configure New Connection Request Policy on the Authentication settings.

For a Radius server you ‘authenticate requests on this server’

For a proxy you ‘Forward requests to the following remote RADIUS server group for authentication’

Question 109

Should you Grant or Deny access a network policy for remediation?

Answer 109

Grant. Deny would prevent access to the remediation server. You are Granting/Denying access to the Remediation server NOT to the network.

Question 110

Where on the NPS Console can you force accounting requests to a specific NPS/RADIUS Server?

Answer 110

Under Settings of a Connection Request Policy

Question 111

What are the possible common Framed Protocols?

Answer 111

PPP

SLIP

Question 112

Which servers of an NPS configuration are available on the restricted network?

Answer 112

Remediation

Question 113

Where must the certificate be located if it was issued by a 3rd Party?

Answer 113

Personal under Certificates(Local) on the NPS Server

Question 114

What PS Command will add a new RADIUS Server?

Answer 114

> Add-RemoteAccessRadius

Question 115

What command will disconnect a specific VPN connection by a user or computer?

Answer 115

Disconnect-VPNUser

Question 116

What role must be installed to deploy a VPN?

Answer 116

Remote Access

Question 117

To enable HRA automatic discovery, what registry key must be created and /or set on the clients that are domain members?

Answer 117

EnableDiscovery at HKLM/SOFTWARE/Policies/Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups

Question 118

What PS Command disconnect a site-to-site interface that is connected?

Answer 118

> Disconnect-VpnS2SInterface

Question 119

What three settings can you export and import to a new NPS server when you need to deploy a second NPS server that will be configured the same as the first?

Answer 119

• Network Policies
• Connection Request Policies
• Radius Clients

Question 120

PS command to set VPN Authentication type

Answer 120

> Set-VPNAuthType

Question 121

To what two destinations can a RADIUS proxy forward connection attempts from RADIUS clients for further routing?

Answer 121

to Another Radius Proxy or to a Radius Server

Question 122

Which component of NPS defines configuration requirements for computers that attempt to connect to your network?

Answer 122

System Health Validators(SHVs)

Question 123

When a VPN server does not perform authentication and uses a RADIUS server, how should the VPN server be configured?

Answer 123

Solely as a RADIUS Proxy

Question 124

What PowerShell cmdlet is used to set the authentication method for incoming site-to-site (S2S) VPN interfaces?

Answer 124

> Set-VPNAuthProtocol

Question 125

What is a reason you would NOT automatically generate a shared secret in a Shared Secrets NPS template?

Answer 125

Not all clients support long Shared Secrets

Question 126

What is the only server that requires a certificate when using PEAP-MS-CHAP v2?

Answer 126

The server that performs authentication(Either RADIUS or Network Access Server)

Question 127

Which sections(s) in the NPS console will you use to create policies used with Network Access Protection (NAP) that designate the requirements of computers with regard to their health (such as security patches) before they are allowed to connect to the network?

Answer 127

Health Policies

Question 128

Which sections(s) in the NPS console will you use to define conditions under which computers can connect to the network and in which scenarios those policies apply?

Answer 128

Network Policies

Question 129

For which authentication methods does the NAP enforcement for 802.1x require you to deploy a PKI?

Answer 129

PEAP-TLS

Question 130

Which sections(s) in the NPS console will you use to define network access servers, wireless access points, or any other 802.1x compatible device that controls access to the network that needs to have its authentication requests processed by the RADIUS server?

Answer 130

Radius Clients

Question 131

Which NAP enforcement method does not require a certificate on the NPS server?

Answer 131

NAP for DHCP

Question 132

What PowerShell cmdlet modifies the configuration that is common to both DirectAccess (DA) and VPN, such as SSL certificate, internal interface, and Internet interface?

Answer 132

> Set-RemoteAccess

Question 133

Which four different types of network access servers can be RADIUS clients?

Answer 133

Wireless Access Points
802.1x authenticating Switches
Dial-in Servers
VPN Servers
Terminal Services Gateway server

Question 134

When an NPS server has a certificate issue by a third party, where must that certificate be located?

Answer 134

In the Personal store of the Certicates(Local) on the NPS server itself.

Question 135

What is exported when you export the entire NPS Configuration?

Answer 135

Radius Clients
Radius Servers
Network Policies
Connection Request Policies,
Registry,
Logging Info(But not SQL Logging info)

Question 136

Where do templates apply to?

Answer 136

Any server with the template assigned. If a template is changed on one NPS, it applies to all NPSs with that template.

Question 137

What configuration elements use templates?

Answer 137

Radius Shared Secret
Radius Clients
Remote Radius servers
IP Filters
Health Policies
Remediation Server Groups

Question 138

What are the 3 NPS migration picadilos?

Answer 138

• 2003 SP2 or >
• No cross languages
• You can migrate 32 to 64bit.

Question 139

What is the name of the IAS/NPS Migration tool?

Answer 139

IASMIGREADER.exe