web flashcards
DirectAccess was introduced with which workstation/server pair?
Windows 7/Windows Server 2008 R2
What kind of connectivity does DirectAccess establish between workstation and server?
bi-directional
What type of server is the network location server (NLS)?
web
What does the acronym ISATAP stand for?
Intra-Site Automatic Tunnel Addressing Protocol
What utility do you use to configure DirectAccess?
Remote Access Management Console
Windows Server 2012 varies from the Windows Server 2008 R2 implementation in that it does not require which one of the following?
two consecutive public IP addresses
What is the most basic requirement for a DirectAccess implementation?
The DirectAccess server must be part of an Active Directory domain.
If the client cannot reach the DirectAccess server using 6to4 or Teredo tunneling, the client tries to connect using what protocol?
IP-HTTPS
What does the netsh namespace show policy command do?
determines the results of network location detection and the IPv6 addresses of the intranet DNS servers
What kind of connectivity does DirectAccess provide between client computers and network resources?
seamless and always on
DirectAccess is for clients connected to which network?
Internet
How do the DirectAccess server and DirectAccess client authenticate each other?
computer and user credentials
Which one of the following operating systems may not act as a DirectAccess client?
Windows Server 2008
What kind of RADIUS server is placed between the RADIUS server and RADIUS clients?
a RADIUS proxy server
What process determines what a user is permitted to do on a computer or on a network?
authorization
What is a RADIUS server known as in Microsoft parlance?
Network Policy Server
Which ports do Microsoft RADIUS servers use officially?
1812 and 1813
When an access client contacts a VPN server or wireless access point, a connection request is sent to what system?
the NPS server
Which system, in a RADIUS infrastructure, handles the switchboard duties of relaying requests to the RADIUS server and back to the client?
the access server
What is the final step in the authentication, authorization, and accounting scenario between an access client and the RADIUS server?
an Accounting-Response to the access server
To configure RADIUS service load balancing, you must have more than one kind of what system per remote RADIUS server group?
RADIUS server
Which parameter specifies the order of importance of the RADIUS server to the NPS proxy server?
priority
Using what feature can streamline the creation and setup of RADIUS servers?
templates
What information does the Accounting-Start message contain?
the type of service and the user it’s delivered to
Which system is the destination for Accounting-Start messages?
the RADIUS accounting server
What type of NPS authentication is recommended over password authentication?
certificate
Why is password-based authentication not recommended?
Usernames and passwords are sent in plain text.
Where do you get certificates for authentication purposes?
a certificate authority
An NPS policy is a set of permissions or restrictions that determine what three aspects of network connectivity?
who, when, and how
Which variable can be set to authorize or deny a remote connection?
group membership
The default connection request policy uses NPS as what kind of server?
RADIUS
Where is the default connection policy set to process all authentication requests?
locally
What is the last setting in the Routing and Remote Access IP settings?
how IP addresses are assigned
What command-line utility is used to import and export NPS templates?
netsh
To which type of file do you export an NPS configuration?
XML
When should you not use the command-line method of exporting and importing the NPS configuration?
when the source NPS database has a higher version number than the version number of the destination NPS database
Network policies determine what two important connectivity constraints?
who is authorized to connect AND the connection circumstances for connectivity
When the Remote Access server finds an NPS network policy with conditions that match the incoming connection attempt, the server checks any _______________ that have been configured for the policy.
constraints
If a remote connection attempt does not match any configured constraints, what does the Remote Access server do to the connection?
denies
Identify the correct NPS templates. Select all that apply.
Shared Secrets
Health Policies
RADIUS Clients
Which two of the following are Routing and Remote Access IP settings?
Client May Request an IP Address
Server Must Supply an IP Address
Which Routing and Remote Access IP setting is the default setting?
Server Settings Determine IP Address Assignment
Network Access Protection (NAP) is Microsoft’s software for controlling network access of computers based on what?
a computer’s overall health
Because NAP is provided by _________, you need to install _________ to install NAP.
NPS
NPS
DHCP enforcement is not available for what kind of clients?
IPv6
Identify two remediation server types.
Anti-virus/anti-malware servers
Software update servers
What type of Active Directory domain controller is recommended to minimize security risks for remediation servers?
read-only
When you fully engage NAP for remediation enforcement, what mode do you place the policy in?
isolation
To verify a NAP client’s configuration, which command would you run?
> netsh nap client show state
Which two components must a NAP client have enabled in order to use NAP?
Security Center
NAP Agent
Why do you need a web server as part of your NAP remediation infrastructure?
to provide user information in case of a compliance failure
Where do you look to find out which computers are blocked and which are granted access via NAP?
the NAP Server Event Viewer
Health policies are in pairs. What are the members of the pair? Select two.
NAP-compliant
NAP-noncompliant
You should restrict access only for clients that don’t have all available security updates installed if what situation exists?
the computers are running Windows Update
What happens to a computer that isn’t running Windows Firewall?
The computer is isolated.
Health policies are connected to what two other policies?
network policies
connection request policies
To use the NAP-compliant policy, the client must do what?
pass all SHV checks
Which computers are not affected by VPN enforcement?
locally connected computers
What is the default authentication protocol for non-domain computers?
NTLM
What does the acronym NTLM stand for?
NT LAN Manager
Role seizure is performed using the ________ command
NTDSUTIL
FSMO role change process where the original role-holder DC is down
seizure
FSMO role change process where the original role-holder DC is running
transfer
Which of the FSMO roles ideally should not be on a Global Catalog server?
Infrastructure master
Every additional domain in the forest adds how many domain-wide roles?
three (which)
A forest with one domain has how many operations master roles?
five (which)
True or False. Only one domain controller in the domain or forest performs each FSMO role.
true
Which FSMO role updates group membership changes?
Infrastructure Master
Which FSMO role tracks, moves, and renames objects and also updates references from objects in its domain to objects in other domains?
Infrastructure Master
Which FSMO role is responsible for updating changes made to objects?
Infrastructure Master
Which FSMO role acts as a focal point for all Group Policy changes to avoid Group Policy object conflicts?
PDC Emulator
Which FMSO role acts as the domain master browser, creating browse lists of workgroups, domains, and servers?
PDC Emulator
Which FSMO role replicates password changes within a domain?
PDC Emulator
Which FSMO role acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers.
PDC Emulator
True or False. RIDs (and SIDs) can be reused.
False
This is created for a new security principal by combining the RID with the domain ID
Security Identifier SID
What is RID?
Relative ID
Which FSMO role allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by the domain controller when creating new security principals (such as user, group, or computer accounts).
RID Master
True or False. The domain naming master is essential in a single-domain environment.
False
Which FSMO role adds new domains to and removes existing domains from the forest.
Domain Naming Master
True or False. All other domain controllers hold read-only replicas of the schema.
True
Only the _______ can perform write operations to the directory schema.
Schema Master
Schema updates are replicated from the schema master to _________ in the forest.
Domain Controllers
How many schema masters do you have in a forest?
one
Which FSMO role maintains the Active Directory schema for the forest?
Schema Master
True or False. Having a single operations master means that the master role owner does not have to be available to make directory changes associated with that specific operations master role.
False
True or False. Having a single operations master means that the role owner must be available when dependent activities in the enterprise or domain take place.
True
A domain controller that performs an operations master role is known as
Operations master
Term for specialized domain controller tasks assigned to a domain controller in the domain or forest
FSMO Roles
What does FSMO stand for?
Flexible Single Master Operation
What does RADIUS stand for?
Remote authentication dial-in user service
What limitations does NPS installation have?
Cant be installed on Failover Cluster or server core?
What role or feature allows RADIUS?
Network Policy and Access Server
What is considered a client of a RADIUS Server?
A VPN Server is a client because it uses the authorization and authentication services.
What authentication protocol is used for smart card suppart?
Extensible Authentication Protocol(EAP)
What authentication protocol uses your password as authentication?
MS-CHAPv2
How do priority and weight work in RADIUS?
Low priority wins and higher weight is more likely to be used.
What are the 4 RADIUS Accounting modes?
SQL Only
Text Logging
Parralel(SQL and Tex)
SQL with backup
What certificates does a NPS server need?
Workstation authentication for the client computer and server authentication for the NPS server.
Where in Group Policy would you auto enroll clients for the workstation authentication cert?
Computer Config\Policies\Windows Settings\Security Settings\Public Key Policies.
What are connection request policies?
defines which connections are processed by the NPS Server and which are processed on a remote RADIUS Server.
What are network policies?
define who is allowed to connect to the network, how they are authenticated, and what access is permitted.
What happens to existing NPS templates when you import a new one?
It replaces any existing templates with those in the imported XML file.
What must you do after you import a NPS configuration?
You must reconfigure SQL Server Logging.
How can you Export/Import NPS Configuration?
The NPS console
or
Export-NPSConfiguration
Import-NPSConfiguration
What group do you add RRAS to to activate in AD?
RAS and IAS Servers security group.
How can you export NPS templates?
You Rclick on Templates Management - it exports ALL the templates
Where in NPS can you specify whether the server is going to be a Radius Server vs a Radius Proxy?
When you configure New Connection Request Policy on the Authentication settings.
For a Radius server you ‘authenticate requests on this server’
For a proxy you ‘Forward requests to the following remote RADIUS server group for authentication’
Should you Grant or Deny access a network policy for remediation?
Grant. Deny would prevent access to the remediation server. You are Granting/Denying access to the Remediation server NOT to the network.
Where on the NPS Console can you force accounting requests to a specific NPS/RADIUS Server?
Under Settings of a Connection Request Policy
What are the possible common Framed Protocols?
PPP
SLIP
Which servers of an NPS configuration are available on the restricted network?
Remediation
Where must the certificate be located if it was issued by a 3rd Party?
Personal under Certificates(Local) on the NPS Server
What PS Command will add a new RADIUS Server?
> Add-RemoteAccessRadius
What command will disconnect a specific VPN connection by a user or computer?
Disconnect-VPNUser
What role must be installed to deploy a VPN?
Remote Access
To enable HRA automatic discovery, what registry key must be created and /or set on the clients that are domain members?
EnableDiscovery at HKLM/SOFTWARE/Policies/Microsoft\NetworkAccessProtection\ClientConfig\Enroll\HcsGroups
What PS Command disconnect a site-to-site interface that is connected?
> Disconnect-VpnS2SInterface
What three settings can you export and import to a new NPS server when you need to deploy a second NPS server that will be configured the same as the first?
- Network Policies
- Connection Request Policies
- Radius Clients
PS command to set VPN Authentication type
> Set-VPNAuthType
To what two destinations can a RADIUS proxy forward connection attempts from RADIUS clients for further routing?
to Another Radius Proxy or to a Radius Server
Which component of NPS defines configuration requirements for computers that attempt to connect to your network?
System Health Validators(SHVs)
When a VPN server does not perform authentication and uses a RADIUS server, how should the VPN server be configured?
Solely as a RADIUS Proxy
What PowerShell cmdlet is used to set the authentication method for incoming site-to-site (S2S) VPN interfaces?
> Set-VPNAuthProtocol
What is a reason you would NOT automatically generate a shared secret in a Shared Secrets NPS template?
Not all clients support long Shared Secrets
What is the only server that requires a certificate when using PEAP-MS-CHAP v2?
The server that performs authentication(Either RADIUS or Network Access Server)
Which sections(s) in the NPS console will you use to create policies used with Network Access Protection (NAP) that designate the requirements of computers with regard to their health (such as security patches) before they are allowed to connect to the network?
Health Policies
Which sections(s) in the NPS console will you use to define conditions under which computers can connect to the network and in which scenarios those policies apply?
Network Policies
For which authentication methods does the NAP enforcement for 802.1x require you to deploy a PKI?
PEAP-TLS
Which sections(s) in the NPS console will you use to define network access servers, wireless access points, or any other 802.1x compatible device that controls access to the network that needs to have its authentication requests processed by the RADIUS server?
Radius Clients
Which NAP enforcement method does not require a certificate on the NPS server?
NAP for DHCP
What PowerShell cmdlet modifies the configuration that is common to both DirectAccess (DA) and VPN, such as SSL certificate, internal interface, and Internet interface?
> Set-RemoteAccess
Which four different types of network access servers can be RADIUS clients?
Wireless Access Points 802.1x authenticating Switches Dial-in Servers VPN Servers Terminal Services Gateway server
When an NPS server has a certificate issue by a third party, where must that certificate be located?
In the Personal store of the Certicates(Local) on the NPS server itself.
What is exported when you export the entire NPS Configuration?
Radius Clients Radius Servers Network Policies Connection Request Policies, Registry, Logging Info(But not SQL Logging info)
Where do templates apply to?
Any server with the template assigned. If a template is changed on one NPS, it applies to all NPSs with that template.
What configuration elements use templates?
Radius Shared Secret Radius Clients Remote Radius servers IP Filters Health Policies Remediation Server Groups
What are the 3 NPS migration picadilos?
- 2003 SP2 or >
- No cross languages
- You can migrate 32 to 64bit.
What is the name of the IAS/NPS Migration tool?
IASMIGREADER.exe
