|
Home > Archive > 70-216 > August 2002 > Wed 70-216 Question of the Day
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Wed 70-216 Question of the Day
|
|
| wbafrank 2002-08-07, 10:43 am |
|  And today's poser is ....
Q28. Alison is in a meeting with her manager Frank and they are discussing the administration of the Remote Access Servers at the Flower Farm Collective.
Frank: "I'd like you to set up the remote access policy so that users are locked out if they enter the wrong password several times when they are dialing into our server."
Alison: "Okay, how about we lock them out for 48 hours if they enter the wrong password 5 consecutive times when using dialup?"
Frank: "That sounds good. Now can you explain to me how you set up the remote access server?"
Alison: "The server has been set up with default settings. I created a new group called flowerrasusers and it contains those users who require the ability to access our network via dial up."
Frank: "I'm still concerned that people that aren't members of this group are somehow getting dial-in access. Also, is it possible for you to limit access to non-buisness hours?"
Alison: "Yes, that should be possible."
After the meeting Frank hands Alison the following set of goals for her to achieve with respect to the RAS servers:
Primary Goal:
1. Deny Users Access for 48 hours if they enter the incorrect password 5 times.
Secondary Goals:
1. Limit access to RAS service to members of the flowerrasusers group.
2. Restrict RAS access to between 5pm and 8am for normal users.
3. Allow Administrators unlimited access to the RAS server at all times.
Which of the following achieves the primary goal but does not achieve any of the secondary goals?
A. Perform the following actions:
- Run regedit or regedt32.
- Go to the subkey HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\Rem
oteAccess\Parameters\ AccountLockout
- Change the entry on MaxDenials from zero to five.
B. Perform the following actions:
- Run the Routing and Remote Access Service utility from the Administrative Tools menu.
- Expand the Current Server.
- Right Click the Remote Access Policies Node.
- Select "New Remote Access Policy".
- Select Add. Select Windows-Groups. Select flowerrasusers. Select Close. Right Click on flowerusers. Select "login between 5pm and 8am". Select Close.
- Select Add. Select Windows-Groups. Select Administrators. Select Close. Right Click on Administrators. Select "no logon restriction". Give the Policy the name "flower-lockout". Select Next. Select Add. Select Lockout after 5 attempts. Set the "reset lockout after" box to 48 hours. Click Close.
C. Perform the following actions:
- Run the Routing and Remote Access Service utility from the Administrative Tools menu.
- Expand the Current Server.
- Right Click the Remote Access Policies Node.
- Select "New Remote Access Policy".
- Give the Policy the name "flower-lockout". Select Next. Select Add. Select Lockout after 5 attempts. Set the "reset lockout after" box to 48 hours. Click Close.
- Select Add. Select Windows-Groups. Select flowerrasusers. Select Close. Right Click on flowerusers. Select "login between 5pm and 8am". Select Close.
- Select Add. Select Windows-Groups. Select Administrators. Select Close. Right Click on Administrators. Select "no logon restriction". Select Close.
D. Perform the following actions:
- Run the Routing and Remote Access Service utility from the Administrative Tools menu.
- Expand the Current Server.
- Right Click the Remote Access Policies Node.
- Select "New Remote Access Policy".
- Give the Policy the name "flower-lockout". Select Next. Select Add. Select Windows-Groups. Select Administrators. Select Close. Right Click on Administrators. Select "no logon restriction". Select Add. Select Lockout after 5 attempts and set the "reset lockout after" box to 48 hours. Select Add. Select Windows-Groups. Select flowerrasusers. Click close.
Good Luck .... see you tomorrow for the answer!! | |
| Pavlov 2002-08-07, 11:09 am |
| Ummm... D | |
| River19 2002-08-07, 11:47 am |
| This type of question (RRAS and multiple RAS policys) gave me trouble when I took the exam last time (I failed).
For this one, I'm going to say C
I am under the impression that RRAS policies are evaluated from the top down, but whenever a user matches one of the remote access policys (i.e., meets all the conditions) access is granted and the authentication stops, or am I mistaken? | |
| jmoody54 2002-08-07, 1:22 pm |
| A - is the only choice that achieves the primary goal but does not achieve any of the secondary goals. I guess. | |
| wbafrank 2002-08-08, 2:56 pm |
| quote:
Originally posted by wbafrank
And today's poser is ....
Q28. Alison is in a meeting with her manager Frank and they are discussing the administration of the Remote Access Servers at the Flower Farm Collective.
Frank: "I'd like you to set up the remote access policy so that users are locked out if they enter the wrong password several times when they are dialing into our server."
Alison: "Okay, how about we lock them out for 48 hours if they enter the wrong password 5 consecutive times when using dialup?"
Frank: "That sounds good. Now can you explain to me how you set up the remote access server?"
Alison: "The server has been set up with default settings. I created a new group called flowerrasusers and it contains those users who require the ability to access our network via dial up."
Frank: "I'm still concerned that people that aren't members of this group are somehow getting dial-in access. Also, is it possible for you to limit access to non-buisness hours?"
Alison: "Yes, that should be possible."
After the meeting Frank hands Alison the following set of goals for her to achieve with respect to the RAS servers:
Primary Goal:
1. Deny Users Access for 48 hours if they enter the incorrect password 5 times.
Secondary Goals:
1. Limit access to RAS service to members of the flowerrasusers group.
2. Restrict RAS access to between 5pm and 8am for normal users.
3. Allow Administrators unlimited access to the RAS server at all times.
Which of the following achieves the primary goal but does not achieve any of the secondary goals?
A. Perform the following actions:
- Run regedit or regedt32.
- Go to the subkey HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\Rem
oteAccess\Parameters\ AccountLockout
- Change the entry on MaxDenials from zero to five.
B. Perform the following actions:
- Run the Routing and Remote Access Service utility from the Administrative Tools menu.
- Expand the Current Server.
- Right Click the Remote Access Policies Node.
- Select "New Remote Access Policy".
- Select Add. Select Windows-Groups. Select flowerrasusers. Select Close. Right Click on flowerusers. Select "login between 5pm and 8am". Select Close.
- Select Add. Select Windows-Groups. Select Administrators. Select Close. Right Click on Administrators. Select "no logon restriction". Give the Policy the name "flower-lockout". Select Next. Select Add. Select Lockout after 5 attempts. Set the "reset lockout after" box to 48 hours. Click Close.
C. Perform the following actions:
- Run the Routing and Remote Access Service utility from the Administrative Tools menu.
- Expand the Current Server.
- Right Click the Remote Access Policies Node.
- Select "New Remote Access Policy".
- Give the Policy the name "flower-lockout". Select Next. Select Add. Select Lockout after 5 attempts. Set the "reset lockout after" box to 48 hours. Click Close.
- Select Add. Select Windows-Groups. Select flowerrasusers. Select Close. Right Click on flowerusers. Select "login between 5pm and 8am". Select Close.
- Select Add. Select Windows-Groups. Select Administrators. Select Close. Right Click on Administrators. Select "no logon restriction". Select Close.
D. Perform the following actions:
- Run the Routing and Remote Access Service utility from the Administrative Tools menu.
- Expand the Current Server.
- Right Click the Remote Access Policies Node.
- Select "New Remote Access Policy".
- Give the Policy the name "flower-lockout". Select Next. Select Add. Select Windows-Groups. Select Administrators. Select Close. Right Click on Administrators. Select "no logon restriction". Select Add. Select Lockout after 5 attempts and set the "reset lockout after" box to 48 hours. Select Add. Select Windows-Groups. Select flowerrasusers. Click close.
And the answer is ....
Correct Answer: A
In this question you were asked to make sure that the primary goal was satisfied and that all the secondary goals were not. The default lockout period is 48 hours which is represented in hexadecimal as b40. If that doesn't make any sense to you translate it back into decimal and divide by 60. If you wanted to change it to 24 hours simply multiply 24 by 60 and translate it into hexadecimal. The subkey to change is in the same area and is called ResetTime.
By default there is no lockout - so theoretically RAS is susceptible (unless changed) to dictionary attacks. This is why it is a good idea to change this setting.
This question is a bit long winded - mostly to distract you. If you saw "only the primary goal, no secondary" - you'd quickly realise that most of the answers weren't relevant and you'd be able to answer it pretty quickly. | |
| unreal 2002-08-08, 8:25 pm |
| Sure this question is like a 'mountain' to climb, when I first saw it yesterday, pondered it over and over again, even print out a copy, and in the mist of my busy work, I still haven't a clue.
Actually suspected 'A', but caues it doesn't says anything abt '48' hours configurations, I actually felt the answer is 'NONE of the above'
Sure is 'detailed' ONE |
|
|
|
|