Microsoft Press MCSA/MCSE Self-Paced Training Kit, Exam 70-293, part 9

15-50 Chapter 15 Planning, Implementing, and Maintaining a Network Infrastructure (2.0)
4. You are designing the NetBIOS name resolution strategy for a multisegment network
running Windows Server 2003 but that still includes some Windows NT servers and
Windows 95 workstations. You have decided that you don’t want to run a WINS server,
but you have a Windows NT 4.0 print server that all users must be able to access.
Which of the following strategies would make this possible? (Choose all that apply.)
A. Do nothing. The computers will be able to resolve the name of the server running Windows NT automatically using broadcast name resolution.
B. Create an LMHOSTS file on each computer with an entry containing the NetBIOS name and IP address of the server running Windows NT.
C. Preload the NetBIOS name and IP address of the server running Windows NT into the NetBIOS name cache.
D. It can’t be done. You must run a WINS server for computers to be able to resolve the NetBIOS names of computers on other networks.
Objective 2.8 Answers
1. Correct Answers: B
A. Incorrect: The NetBIOS name cache contains all the NetBIOS names that the computer has recently resolved by any means, whether the resolved names are for computers on the local network or another network.
B. Correct: Broadcast transmissions are limited to the local network, so the broadcast method can only resolve the name of a computer on the local network.
C. Incorrect: You can create entries in an LMHOSTS file for the NetBIOS name of
any computer on any network. In fact, the primary reason for using LMHOSTS
files is to resolve the names of computers on other networks.
D. Incorrect: WINS can resolve the NetBIOS names of any computer on any
network.
2. Correct Answers: D
A. Incorrect: A computer running a Windows operating system always checks the NetBIOS name cache before using any other NetBIOS name resolution method, but it uses LMHOSTS only after broadcast name resolution has failed.
B. Incorrect: A computer running a Windows operating system always checks the NetBIOS name cache before using any other NetBIOS name resolution method, then uses broadcasts and, failing that, LMHOSTS.
C. Incorrect: Computers running Windows operating systems try to resolve NetBIOS names using broadcast transmissions before they try using LMHOSTS, and they always check the NetBIOS name cache before any other mechanism.
D. Correct: A computer running a Windows operating system that is not a WINS client always checks the NetBIOS name cache first when trying to resolve a NetBIOS name, then tries the broadcast transmission method. If the broadcast method fails, the computer tries to look up the name in the LMHOSTS file.
3. Correct Answers: B
A. Incorrect: This replication topology would result in only the New York WINS
servers having complete replicas of the database, because all replication traffic is
traveling in one direction.
B. Correct: This solution is called a ring replication topology, because each site is
sending its data to the east and receiving data from the west. This enables every
server to have a complete replica of the WINS database without creating a large
amount of redundant WAN traffic.
C. Incorrect: While this option does provide satisfactory replication performance, it
also generates much more WAN traffic than a ring topology.
D. Incorrect: The WINS client enables you to specify multiple WINS server
addresses only as fallbacks in case of a server failure. Adding all the WINS server
addresses to each client does not cause the client to register its NetBIOS name
with all the servers.
4. Correct Answers: B and C
A. Incorrect: Only the client computers on the same local area network as the server running Windows NT would be able to resolve its name using broadcast transmissions.
B. Correct: LMHOSTS functions as a backup to the broadcast name resolution method, because it is able to resolve NetBIOS names of computers on other networks.
C. Correct: Preloading the name of the server running Windows NT into the cache
using an LMHOSTS file enables the computer to resolve the name without using
the broadcast method.
D. Incorrect: An LMHOSTS file can resolve any NetBIOS name, regardless of
whether it is on the local network or not.
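The following Python script is an added illustration of the resolution order these answers describe; it is not part of the training kit. It parses a constructed LMHOSTS file, preloads the entries tagged #PRE into a simulated NetBIOS name cache, and then resolves names in the order a client that is not a WINS client uses: cache, then broadcast (which in the simulation reaches only hosts on the local segment, because routers do not forward broadcasts), then LMHOSTS. The host names, addresses and the local-segment list are constructed sample data.

```python
"""Added example (not from the training kit): NetBIOS name resolution order
for a client that is not a WINS client: cache, then broadcast, then LMHOSTS.
All names and addresses below are constructed sample data."""
import ipaddress

# Constructed sample LMHOSTS file. Format: <IPv4 address> <NetBIOS name> [#PRE]
# '#' begins a comment except for the #PRE keyword, which marks an entry
# to be preloaded into the name cache at startup.
SAMPLE_LMHOSTS = """\
# constructed sample LMHOSTS file
192.168.10.5    NTPRINT01   #PRE    # Windows NT 4.0 print server on another segment
192.168.20.7    FILESRV02           # used only after a broadcast fails
not-an-address  BROKEN              # malformed line, must be ignored
"""


def parse_lmhosts(text):
    """Return (entries, preload): entries maps NetBIOS name -> IP address,
    preload is the set of names tagged #PRE."""
    entries, preload = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, _, tail = line.partition("#")   # tail holds "PRE ..." or a comment
        parts = body.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))
        except ipaddress.AddressValueError:
            continue                           # skip malformed lines rather than trust them
        name = parts[1].upper()               # NetBIOS names are case-insensitive
        entries[name] = ip
        if tail.startswith("PRE"):            # the keyword must be uppercase in a real LMHOSTS
            preload.add(name)
    return entries, preload


class NetBiosResolver:
    """Simulated Windows client that is not a WINS client. `local_segment`
    lists the hosts a broadcast can reach; routers do not forward broadcasts,
    so hosts on other networks are reachable by name only through LMHOSTS."""

    def __init__(self, lmhosts_text, local_segment):
        self.lmhosts, preload = parse_lmhosts(lmhosts_text)
        self.cache = {name: self.lmhosts[name] for name in preload}   # #PRE entries
        self.local_segment = {n.upper(): ip for n, ip in local_segment.items()}
        self.broadcasts_sent = 0

    def resolve(self, name):
        """Return (ip, method); method records which step produced the answer."""
        name = name.upper()
        if name in self.cache:                       # 1. NetBIOS name cache
            return self.cache[name], "cache"
        self.broadcasts_sent += 1                    # 2. broadcast on the local network
        if name in self.local_segment:
            self.cache[name] = self.local_segment[name]
            return self.cache[name], "broadcast"
        if name in self.lmhosts:                     # 3. LMHOSTS file
            self.cache[name] = self.lmhosts[name]
            return self.cache[name], "lmhosts"
        return None, "failed"


if __name__ == "__main__":
    r = NetBiosResolver(SAMPLE_LMHOSTS, {"LOCALPC": "192.168.1.20"})
    for host in ("NTPRINT01", "FILESRV02", "FILESRV02", "LOCALPC", "NOSUCH"):
        print(host, r.resolve(host))
    print("broadcasts sent:", r.broadcasts_sent)
```

Running the script shows the difference between answers B and C: the preloaded print server resolves with no broadcast at all, while the file server costs one broadcast before LMHOSTS is consulted, after which it is cached.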
Objective 2.9 Troubleshoot Host Name Resolution
Name resolution failures can often appear to users as complete TCP/IP communications failures, but that is not the case. When a client computer is unable to resolve a name, it cannot obtain the IP address it needs to initiate communication with the named computer. However, if you already have the named computer’s IP address, you can connect to it directly by using the address in place of the name. This is the best way to determine if a failure to connect to a TCP/IP system is due to a name resolution problem. Once you have determined that a name resolution problem is causing your communications failure, you can begin to isolate the location of the problem.
Name resolution failures can be the result of a problem on the client or on the computer running the DNS server. At the client, the problem is typically an incorrect DNS server address. Either the Preferred DNS Server or the Alternate DNS Server field in the Windows Internet Protocol (TCP/IP) Properties dialog box must contain the IP address of a valid and operating DNS server.
If the client contains valid DNS server addresses, the servers themselves might be malfunctioning. The most obvious problem is that the DNS server is not functioning at all, because it is suffering from its own TCP/IP communications failure. Like any other computer, the DNS server must have the correct TCP/IP configuration parameters, including a valid IP address and subnet mask, plus a default gateway address. Malfunctioning hardware can also inhibit the server’s communications. If you cannot successfully ping a DNS server address, it is suffering from some sort of TCP/IP communications failure.
If you can ping the DNS server computer, you should then check to see if the DNS Server service is running. You might find that someone has shut down the service, or that the service never started when the computer booted, or that the service has stopped. You can check the Event Viewer console for error messages that might explain the stoppage or just try restarting the service yourself.
In some cases, a DNS server might successfully resolve a name, but supply the wrong IP address to the client. This could be due to any one of the following reasons:
■ Incorrect resource records—Administrators frequently type DNS resource records by hand, and typographic errors can result. If a resource record contains an incorrect IP address, the only solution is to correct it manually.
■ Dynamic update failures—If dynamic updates fail for any reason, the DNS server’s resource records could contain incorrect or outdated IP addresses. In this event, you can correct the resource records manually, or trigger a new dynamic update by traveling to the computer whose resource record is wrong and typing IPCONFIG /registerdns at a command prompt. If dynamic updates still fail to occur, check to see whether the server supports them and is configured to accept them.
■ Zone transfer failures—If the DNS server is supplying incorrect IP addresses from a secondary zone, it is possible that a zone transfer has failed to occur, leaving outdated information in the secondary zone database file. Try to manually trigger a zone transfer. If the zone transfer still does not occur, the problem might be due to the incompatibility of different DNS server implementations, such as different compression formats or unsupported resource record types. If this is the case, you might have to update the secondary zone’s resource records manually until you can update one or both servers to compatible DNS software implementations.
Objective 2.9 Questions

1. Which of the following sets of symptoms could indicate that the DNS server service has shut down?
A. You are unable to ping the DNS server from the client computer or any other computer.
B. You are unable to ping the DNS server from the client computer, but you can ping
it from other computers.
C. You can successfully ping the DNS server from any computer, but you cannot
resolve a name using NSLOOKUP.EXE with that server.
D. You can successfully resolve a name using NSLOOKUP.EXE with the DNS server,
but the IP address it supplies is outdated.
2. Which of the following symptoms indicates that a DNS server has incorrect root hints?
A. The server can resolve names of computers on the local network, but it cannot
resolve names of computers on other networks.
B. The server can resolve all names, but the IP addresses for computers on the local
network are incorrect.
C. The server can resolve names into IP addresses, but it cannot resolve IP addresses
into names.
D. The server can resolve names for which it is authoritative, but it cannot resolve
any other names.
3. When troubleshooting an Internet connection problem on a client running the Windows operating system, which of the following actions should you try to determine if name resolution failures are the cause of the problem?
A. Connect to an Internet server using its IP address.
B. Ping the client’s preferred DNS server address.
C. Execute the IPCONFIG /registerdns command on the client.
D. Trigger a manual zone transfer on the client’s DNS.
Objective 2.9 Answers
1. Correct Answers: C
A. Incorrect: This symptom is an indication that either the client or the DNS server is suffering from a complete TCP/IP communications failure, not just the failure of the DNS service.
B. Incorrect: Because the server is operational, this symptom indicates that the client computer is experiencing a TCP/IP communications failure.
C. Correct: The fact that the client can ping the DNS server indicates that the server
computer is operational, but the failure of the server to resolve names indicates
that the DNS Server service is not running or is not functioning properly.
D. Incorrect: A non-functioning DNS Server service would not supply any IP
addresses in response to client requests.
2. Correct Answers: D
A. Incorrect: DNS servers do not use broadcast transmissions during the name resolution process, so there is no way that they can be limited to resolving names on the local network only.
B. Incorrect: Incorrect IP addresses could be a symptom of typographical errors in
resource records, dynamic update failures, or zone transfer failures. They are not
a symptom of incorrect root hints.
C. Incorrect: DNS servers perform reverse name resolutions (from addresses to
names) the same way they perform standard name resolutions. Incorrect root hints
would affect both of these processes.
D. Correct: The names for which a DNS server is authoritative are those stored in its
own zone database files. The inability to resolve other names indicates that the
server is having problems sending queries to other servers, which could be caused
by incorrect root hints.
3. Correct Answers: A
A. Correct: The ability to connect to an Internet server using its IP address when the client cannot connect to the same server using its name is a definitive indication of a name resolution problem.
B. Incorrect: The fact that the client computer cannot successfully ping the preferred DNS server address does not establish that name resolution is the cause of the client’s Internet connection problem. The client could be using the alternate DNS server to resolve names and could actually be suffering from another problem.
C. Incorrect: This command causes the client computer to reregister its name with the DNS server using dynamic update. While this action does verify that the client can communicate with the DNS server, it does not definitively identify name resolution failure as the source of the Internet connection problem.
D. Incorrect: Triggering a zone transfer initiates a replication process between two
DNS servers. This action cannot determine anything about DNS clients.

16 Planning, Implementing, and Maintaining Routing and Remote Access (3.0)
The Routing and Remote Access service in the Microsoft Windows Server 2003 family of operating systems can route traffic in several ways, enabling you to configure a server to route traffic between local area networks (LANs), between a LAN and a wide area network (WAN), or a LAN and remote users who access the network using modems or virtual private network (VPN) connections. Remote access servers present unusual problems because of potential security hazards they represent. Users connecting to a private network using the Internet or an open dial-up telephone line must be authenticated before they receive access, and in many cases, must have their access limited to specific resources. To create an effective routing and remote access strategy, you must consider the security ramifications of the access you grant to your users and take steps to prevent access by unauthorized users.
Tested Skills and Suggested Practices
The skills that you need to successfully master the Planning, Implementing, and Maintaining Routing and Remote Access objective domain on the 70-293 exam include:
■ Plan a routing strategy.
❑ Practice 1: Configure a computer running Windows Server 2003 to function as a router and install the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) routing protocols. Then, examine the configuration parameters available for each protocol and use the online help to determine their functions.
❑ Practice 2: Configure the Routing and Remote Access service on a computer running Windows Server 2003 four times, using the four preset configurations provided by the Routing And Remote Access Server Setup Wizard. For each configuration, list the components that the service installs by default and examine the default configuration settings for each component.
■ Plan security for remote access users.
❑ Practice 1: Configure a computer running Windows Server 2003 on a network to function as a VPN remote access server. Then, configure a workstation running Microsoft Windows XP or Microsoft Windows 2000 Professional to function as a VPN client and use it to connect to the server.
❑ Practice 2: Using the Routing And Remote Access console, practice creating remote access policies using various combinations of conditions and remote access profile elements.
■ Implement secure access between private networks.
❑ Practice 1: Configure a server running Windows Server 2003 to use the Secure Server (Require Security) IPSec policy and a workstation running Windows XP Professional to use the Client (Respond Only) IPSec policy. Then, connect to the server from the workstation and, using the IP Security Monitor snap-in, examine the statistics of the IPSec connection.
❑ Practice 2: Use the Network Monitor application included with Windows Server 2003 to capture a sample of the traffic between two computers configured to use IPSec and examine the internal structure of the packets.
■ Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor.
❑ Practice 1: Open a Command Prompt window on a computer running Windows Server 2003 and examine the online help screens for the ROUTE, TRACERT, PING, PATHPING, and NETSH commands. Then, experiment with the various functions of these tools.
❑ Practice 2: Configure a computer running Windows Server 2003 to function as a router. Then, install Network Monitor on the computer and use it to capture traffic on both network interfaces and examine the changes the router makes to the IP headers in the captured packets.
Further Reading
This section lists supplemental readings by objective. We recommend that you study these sources thoroughly before taking exam 70-293.
Objective 3.1 Review Lesson 2 in Chapter 2, “Planning a TCP/IP Network Infrastructure,” and Lessons 1 and 2 in Chapter 5, “Using Routing and Remote Access.”
Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit. Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review Chapter 1, “Designing a TCP/IP Network.” This volume can also be found on Microsoft’s Web site at />kit/deploykit.mspx.
Objective 3.2 Review Lesson 3 in Chapter 5, “Using Routing and Remote Access.”
Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit. Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review Chapter 8, “Deploying Dial-up and VPN Remote Access Servers.” This volume can also be found on Microsoft’s Web site at windowsserver2003/techinfo/reskit/deploykit.mspx.
Objective 3.3 Review Lessons 2 and 3 in Chapter 12, “Securing Network Communications Using IPSec.”
Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit. Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review Chapter 6, “Deploying IPSec.” This volume can also be found at Microsoft’s Web site at
Objective 3.4 Review Lesson 4 in Chapter 5, “Using Routing and Remote Access.”
Microsoft Corporation. Windows Server 2003 Online Help. Review the “Using the Route Command,” “Using the Tracert Command,” “Using the Ping Command,” “Using the Pathping Command,” and “The Netsh Command-Line Utility” pages in the Windows Server 2003 Help and Support Center.
Objective 3.1 Plan a Routing Strategy
A router is a device that connects two networks, either two local area networks (LANs)
or a LAN and a wide area network (WAN), and forwards traffic between the networks. A
router can be a dedicated hardware device or a computer with two network interfaces.
Windows Server 2003 includes the Routing and Remote Access service (RRAS), which
enables the computer to function as a router, using any one of several configurations.
Routers forward packets using information stored in a routing table. The routing table
consists of entries for specific network destinations, each entry specifying the interface
and the gateway that the router should use to send traffic to that destination. (Gateway
is the TCP/IP term for a router.) To reach a particular destination on a large network,
a router typically has to send packets to another router, which forwards them in the
same way, handing off the packets until they reach their final destinations. On the
route from the source to the destination computer, each router that processes a packet
is referred to as a hop. For example, a destination can be said to be four hops away
from the source.
One of the most important tasks in the operation of a router is adding information to the routing table. Routers must have current and complete information to forward traffic properly. On a large installation, the network configuration can change frequently, and the routing table must keep up with the changes. There are two methods for inserting information into a routing table: static routing and dynamic routing.
Static routing is a manual process in which an administrator creates or modifies routing table entries using a tool like the Windows Server 2003 Routing And Remote Access console or the ROUTE.EXE command-line utility. Although static routing has the advantage of not generating any additional network traffic, it suffers from several disadvantages, including the possibility of typographical errors, and the inability to automatically compensate for changes in the network. Static routing is suitable only for small networks that do not often change.
Dynamic routing uses a specialized routing protocol to gather information from other routers on the network and automatically add it to the routing table. Routers are able to create their own routing table entries for destinations on the networks to which they are directly attached, but they have no direct knowledge of more distant networks. Dynamic routing protocols enable routers to share their routing table information with other routers, enabling each router to build a composite routing table compiled from many sources and containing an overall picture of the network.
Each entry in a routing table contains a value called a metric, which specifies the relative efficiency of the route. When a router is processing a packet and there is more than one route to the packet’s destination, the router always chooses the route with the lowest metric value. Routing protocols determine their metric values in one of two ways. Distance vector routing uses the number of hops between the router and the destination for the metric value, while link state routing uses a more complex (and more accurate) calculation that accounts for additional factors, such as the transmission speeds of the networks involved, and network congestion.
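As an added illustration of the routing table lookup this objective describes (this is not code from the training kit), the following Python script keeps a small routing table whose entries carry a destination network, gateway, interface and metric. It chooses the most specific matching entry for a packet and, among entries of equal specificity, the one with the lowest metric. It also adds static routes with the sanity check that ROUTE.EXE leaves to the administrator, namely that the gateway must lie on a directly attached network, which catches the typographical errors the text warns about. The table, addresses and interface names are constructed.

```python
"""Added example (not from the training kit): routing table lookup by
longest prefix, then lowest metric, plus a checked static-route insert.
All entries, addresses and interface names are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network   # network this entry covers
    gateway: str                         # next-hop router; "0.0.0.0" means directly attached
    interface: str                       # interface the packet leaves on
    metric: int                          # relative cost; lower is preferred


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.1.5.3/24


# Constructed sample table for a router with two LAN interfaces.
SAMPLE_TABLE = [
    Route(_net("0.0.0.0/0"),      "192.168.1.1",   "LAN1", 20),   # default route
    Route(_net("10.1.0.0/16"),    "192.168.2.254", "LAN2", 10),   # preferred path
    Route(_net("10.1.0.0/16"),    "192.168.1.1",   "LAN1", 30),   # backup path, higher metric
    Route(_net("10.1.5.0/24"),    "192.168.2.253", "LAN2", 10),   # more specific than the /16
    Route(_net("192.168.1.0/24"), "0.0.0.0",       "LAN1", 1),    # directly attached
    Route(_net("192.168.2.0/24"), "0.0.0.0",       "LAN2", 1),    # directly attached
]


def select_route(table, dst):
    """Return the Route a packet to dst should use, or None if no entry matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.destination]
    if not candidates:
        return None
    # Most specific destination wins; among equals, the lowest metric wins.
    return min(candidates, key=lambda r: (-r.destination.prefixlen, r.metric))


def next_hop(table, dst):
    """Return (interface, next-hop address, metric) for dst, or None."""
    r = select_route(table, dst)
    if r is None:
        return None
    # On a directly attached network the packet is delivered to dst itself.
    gw = dst if r.gateway == "0.0.0.0" else r.gateway
    return (r.interface, gw, r.metric)


def add_static_route(table, dest_cidr, gateway, interface, metric):
    """Append a static route, refusing a gateway that is not on a network
    directly attached to the named interface (a typo would otherwise
    silently blackhole traffic)."""
    dest = _net(dest_cidr)
    gw = ipaddress.ip_address(gateway)
    attached = [r for r in table if r.gateway == "0.0.0.0" and r.interface == interface]
    if not any(gw in r.destination for r in attached):
        raise ValueError("gateway %s is not on a network attached to %s" % (gateway, interface))
    table.append(Route(dest, gateway, interface, metric))


if __name__ == "__main__":
    table = list(SAMPLE_TABLE)
    add_static_route(table, "172.16.0.0/16", "192.168.1.9", "LAN1", 5)
    for dst in ("10.1.5.77", "10.1.9.1", "172.16.3.3", "8.8.8.8", "192.168.1.40"):
        print(dst, "->", next_hop(table, dst))
```

The lookup for 10.1.9.1 shows the metric rule in isolation: two /16 entries match, and the one with metric 10 is chosen over the metric-30 backup. The lookup for 10.1.5.77 shows that a more specific /24 entry beats both, regardless of metric.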
Windows Server 2003 supports two routing protocols: Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). RIP is a simple distance vector routing protocol that enables a router to broadcast or multicast the contents of its routing table at regular intervals. RIP is intended for relatively small networks, because it generates large amounts of traffic and because distance vector routing is generally not suitable for large installations with networks running at different speeds. OSPF is a more complex protocol that uses link state routing, does not use broadcast or multicast transmissions, and has the ability to split a network into distinct areas, so that routers only have to share their information with other routers in the immediate vicinity. OSPF has more features and is more efficient than RIP, but it is also more difficult to implement. You must plan an OSPF deployment carefully, while deploying RIP is simply a matter of installing the protocol on a network’s routers.
Multicasting is a one-to-many communications technique that enables systems to transmit messages to designated groups of recipients. Multicast transmissions use a single destination IP address that identifies a group of systems on the network, called a host group. Multicasts use Class D addresses, as assigned by the Internet Assigned Numbers Authority (IANA), which can range from 224.0.1.0 to 238.255.255.255.
For a multicast transmission to reach an entire multicast group with members on different LANs, the routers on the network must know which hosts are members of the group, so that they can forward the messages to them. Computers that are to be members of a particular multicast host group must register themselves with the routers on the local network, using the Internet Group Management Protocol (IGMP). To support multicasting, all the members of the host group and all the routers providing access to the members of the host group must have support for IGMP.
Objective 3.1 Questions
1. You are the new administrator of the corporate internetwork for an Internet technology company, which consists of approximately 500 nodes, located in several buildings on a campus, and all connected using Fast Ethernet. Each building on the campus contains one or more separate LANs, and the LANs are all connected by routers. The routers were installed several years ago and are currently running RIP version 1 as their routing protocol. To get an idea of the network’s performance, you use a protocol analyzer to capture a representative sample of network traffic. While examining the sample, you notice that a significant amount of the network’s bandwidth is being consumed by RIP broadcast traffic. You want to reduce the amount of traffic generated by RIP, but you cannot reduce its functionality, as changes to the network infrastructure are frequent and the routers must be able to keep up with them. You also do not want to increase the current administrative burden of routing table maintenance. Which of the following solutions can achieve all these goals?
A. Upgrade the routers to RIP version 2 and configure them to use multicast transmissions instead of broadcasts.
B. Increase the RIP Periodic Announcement Interval settings on all the routers.
C. Configure all the routers to use OSPF instead of RIP.
D. Stop using RIP on all the routers and use static routing instead.
2. Which of the following are valid reasons for using a link state routing protocol on a
computer running Windows Server 2003 instead of a distance vector routing protocol?
(Choose all that apply.)
A. Link state routing protocols are easier to implement and configure than distance
vector routing protocols.
B. Link state routing protocols generate less network traffic than distance vector routing protocols.
C. Link state routing protocols support multicast transmissions, while distance vector
routing protocols do not.
D. Link state protocols use metrics that account for conditions such as network speed
and congestion, while distance vector routing protocols do not.
3. Which of the following protocols does a router need to support multicasting?
A. Routing Information Protocol (RIP)
B. Internet Control Message Protocol (ICMP)
C. Open Shortest Path First (OSPF)
D. Internet Group Management Protocol (IGMP)
4. Which of the following are RIP version 2 features that are not found in RIP version 1?
(Choose all that apply.)
A. Support for multicast transmissions
B. A Netmask value in the RIP message format
C. Support for unicast transmissions
D. A Gateway value in the RIP message format
Objective 3.1 Answers
1. Correct Answers: A
A. Correct: RIP version 1 always uses broadcasts to transmit routing table information to other routers. Because all systems on the network must process incoming broadcasts, the amount of traffic generated by the frequent update messages can negatively affect network performance. By upgrading the routers to RIP version 2, you can use multicast transmissions instead of broadcasts. Multicast RIP messages are processed only by other routers.
B. Incorrect: Increasing the Periodic Announcement Interval setting on a RIP router causes the system to transmit its routing table update messages less frequently, reducing the amount of traffic that RIP generates. However, this also reduces the functionality of RIP by causing it to compensate for network configuration changes more slowly.
C. Incorrect: OSPF uses unicast transmissions instead of broadcasts, so it generates less network traffic than RIP. However, OSPF requires more administrative attention than RIP.
D. Incorrect: Static routing generates no network traffic at all, but requires a great deal more administration than RIP.
2. Correct Answers: B and D
A. Incorrect: Implementing OSPF, the link state routing protocol included with Windows Server 2003, requires careful planning and configuration, while RIP, a distance vector routing protocol, requires virtually no planning or configuration.
B. Correct: OSPF uses unicast transmissions to communicate with other routers, while RIP can use only broadcast or multicast transmissions. Unicasts generate less traffic because each packet is processed by only one destination computer.
C. Incorrect: OSPF, a link state routing protocol, uses only unicast transmissions; it does not support multicasting. RIP, a distance vector routing protocol, does support multicasting.
D. Correct: OSPF, a link state routing protocol, computes its metrics based on a variety of factors, while RIP, a distance vector routing protocol, uses only the number of hops for its metrics.
3. Correct Answers: D
A. Incorrect: RIP is a dynamic routing protocol. Although it can use multicast transmissions to send its messages, it does not facilitate multicasting.
B. Incorrect: ICMP is a TCP/IP protocol that routers use to send error messages back to end systems. ICMP has nothing to do with multicasting.
C. Incorrect: OSPF is a dynamic routing protocol that does not provide support for multicasting.
D. Correct: IGMP is the protocol that makes multicasting possible by enabling members of a host group to register themselves with routers.
4. Correct Answers: A, B, and D
A. Correct: RIP version 1 supports only unicast transmissions, while version 2 supports multicasting as well, enabling you to reduce the amount of network traffic that RIP generates.
B. Correct: RIP version 1 cannot supply a Netmask (or subnet mask) value in its
routes. The RIP version 2 message format contains a Netmask field.
C. Incorrect: RIP versions 1 and 2 both support the use of broadcast transmissions.
D. Correct: RIP version 1 cannot supply a Gateway value in its routes; RIP routers
use the transmitting router’s IP address instead when creating routing table entries
from RIP messages. The RIP version 2 message format contains a Gateway field.
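To make the message-format differences in question 4 concrete, and the Class D multicast addressing discussed under Objective 3.1, the following Python script is an added example (not code from the training kit or from Windows RRAS). It builds RIP response messages in the version 1 (RFC 1058) and version 2 (RFC 2453) wire formats from constructed routes, parses them back, and shows that only a version 2 entry carries a netmask and a next-hop gateway; for version 1 entries the parser falls back to the sending router's address, as answer D describes. It also classifies the destination address a RIP message was sent to as broadcast, Class D multicast or unicast. The packets, addresses and the 192.168.2.0/24 LAN are constructed, not captured.

```python
"""Added example (not from the training kit): build and parse RIP v1/v2
response messages and classify how they were addressed. All packets and
addresses are constructed inline."""
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, netmask, next hop, metric
RIP_RESPONSE = 2                          # command code for a routing table announcement
RIP_INFINITY = 16                         # metric meaning "unreachable"
AF_INET = 2
RIP2_MULTICAST_GROUP = "224.0.0.9"        # Class D group RIP v2 routers can use instead of broadcast


def build_rip_response(version, routes):
    """routes: iterable of (network, netmask, next_hop, metric). In a version 1
    message the route tag, netmask and next-hop fields must be zero on the wire."""
    out = RIP_HEADER.pack(RIP_RESPONSE, version, 0)
    for net, mask, next_hop, metric in routes:
        if version == 1:
            mask, next_hop = "0.0.0.0", "0.0.0.0"
        out += RIP_ENTRY.pack(
            AF_INET, 0,
            ipaddress.IPv4Address(net).packed,
            ipaddress.IPv4Address(mask).packed,
            ipaddress.IPv4Address(next_hop).packed,
            metric,
        )
    return out


def parse_rip(data, sender_ip):
    """Parse a RIP message received from sender_ip. Returns a dict with the
    version and one dict per route. A version 1 route carries no netmask, and a
    route whose next hop is absent (v1) or 0.0.0.0 (v2) uses the sender as gateway."""
    if len(data) < RIP_HEADER.size or (len(data) - RIP_HEADER.size) % RIP_ENTRY.size:
        raise ValueError("truncated RIP message")
    command, version, must_be_zero = RIP_HEADER.unpack_from(data, 0)
    if must_be_zero != 0 or version not in (1, 2):
        raise ValueError("malformed RIP header")
    routes = []
    for offset in range(RIP_HEADER.size, len(data), RIP_ENTRY.size):
        afi, tag, net, mask, next_hop, metric = RIP_ENTRY.unpack_from(data, offset)
        if afi != AF_INET:
            raise ValueError("unsupported address family %d" % afi)
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError("metric %d out of range" % metric)
        if version == 1 and (tag or any(mask) or any(next_hop)):
            raise ValueError("version 1 entry has non-zero must-be-zero fields")
        has_next_hop = version == 2 and any(next_hop)
        routes.append({
            "network": str(ipaddress.IPv4Address(net)),
            "netmask": str(ipaddress.IPv4Address(mask)) if version == 2 else None,
            "gateway": str(ipaddress.IPv4Address(next_hop)) if has_next_hop else sender_ip,
            "metric": metric,
            "reachable": metric < RIP_INFINITY,
        })
    return {"command": command, "version": version, "routes": routes}


def delivery_kind(destination, local_network):
    """Classify how a RIP message was addressed on the given LAN."""
    dst = ipaddress.IPv4Address(destination)
    net = ipaddress.ip_network(local_network)
    if dst == net.broadcast_address or dst == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"   # every host on the LAN has to process it
    if dst.is_multicast:     # Class D, 224.0.0.0/4
        return "multicast"   # only hosts that joined the group process it
    return "unicast"


if __name__ == "__main__":
    sample = [("10.1.0.0", "255.255.0.0", "192.168.2.254", 3),
              ("10.2.0.0", "255.255.0.0", "0.0.0.0", RIP_INFINITY)]
    for version in (1, 2):
        msg = build_rip_response(version, sample)
        print("RIP v%d, %d bytes:" % (version, len(msg)), parse_rip(msg, "192.168.2.1"))
    print(RIP2_MULTICAST_GROUP, "is", delivery_kind(RIP2_MULTICAST_GROUP, "192.168.2.0/24"))
```

The version 1 parse demonstrates the limitation in answers B and D: the netmask comes back as None and every route's gateway is the sending router, because those fields are required to be zero in a version 1 message. The parser also rejects a version 1 entry whose must-be-zero fields are set, which is a cheap way to catch a mis-versioned or corrupted announcement before it is installed in a routing table.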
Objective 3.2 Plan Security for Remote Access Users
A remote access server enables users at distant locations to connect to a network using a dial-up telephone line or an Internet connection. The remote users establish a connection with the remote access server, which then functions as a router, providing them with access to network resources. The Routing and Remote Access service (RRAS) in Windows Server 2003 is capable of functioning as a remote access server for multiple clients simultaneously. RRAS supports remote access clients using standard dial-up modems and virtual private network (VPN) connections. A VPN connection is a secured conduit through the Internet that connects the remote access client and server. The client dials in to a local Internet service provider (ISP) and establishes a connection to the server using the Internet as a medium.
Having your network accessible through standard telephone lines and the Internet is
convenient for your users, but it also opens up your network to any potential intruder
with a modem or an Internet connection. Planning security is therefore a major part of
implementing a remote access server. Windows Server 2003 RRAS includes a variety of
security mechanisms that can protect the server and the network from unauthorized
access, including dial-in properties, authentication protocols, and remote access policies.
Dial-in properties are configuration settings that you find on the Dial-In tab of the
Properties dialog box for every user object in the Active Directory database. These
properties are as follows:
■ Remote Access Permission (Dial-in Or VPN)—Specifies whether the individual
user is allowed or denied remote access. You can also specify that remote access
be controlled using group memberships, as indicated in remote access policies.
■ Verify Caller ID—Enables you to specify the user’s telephone number, which the system will verify using caller ID during the connection process. If the number the user calls from does not match the number supplied, the system denies the connection.
■ Callback Options—Causes the RRAS server to break the connection after it
authenticates a user, then dial the user to reconnect. This mechanism saves on
long distance expenses by having the remote access calls originate at the server’s
location, but it can also function as a security mechanism if you furnish a specific
callback number in this box. The user must be dialing in from the location you
specify to connect to the server.
The most basic method for securing a remote access server is to perform an authentication that verifies the user's identity. In most cases, users authenticate themselves by supplying an account name and password after connecting to the server. The nature of the authentication messages is controlled by an authentication protocol, and the choice of protocol determines both what an eavesdropper on the link can learn and in what form the server must hold the password in order to check it. RRAS supports the following authentication protocol options:
■ Extensible Authentication Protocol (EAP)—An open-ended framework that makes it possible for RRAS to use third-party authentication methods, as well as those supplied with Windows Server 2003. EAP is the only authentication protocol supported by Windows Server 2003 RRAS that enables you to use mechanisms other than passwords to verify a user's identity; EAP-TLS, for example, authenticates the user with a digital certificate, which can be stored on a smart card.
■ Microsoft Encrypted Authentication Version 2 (MS-CHAP v2)—Version 2 of the Microsoft Challenge Handshake Authentication Protocol is a password-based protocol in which the client and the server mutually authenticate each other through a challenge/response exchange, so the password itself never crosses the link. MS-CHAP v2 is the simplest and most secure password-based option to use when your remote access clients are running Microsoft Windows 98 or a later version of the Windows operating system.
■ Microsoft Encrypted Authentication (MS-CHAP)—An earlier version of the MS-CHAP protocol that uses one-way authentication (the client does not verify the server) and a single encryption key for transmitted and received messages. The security that MS-CHAP v1 provides is inferior to that of version 2, but RRAS includes it to support remote access clients running Microsoft Windows 95 and Microsoft Windows NT 3.51, which cannot use MS-CHAP v2.
■ Encrypted Authentication (CHAP)—An industry standard authentication protocol that is included in RRAS to support non-Microsoft remote access clients that cannot use MS-CHAP or EAP. CHAP sends only an MD5 digest of the server's challenge and the password over the link, but the server needs the password itself to compute the same digest. Active Directory does not normally keep passwords in a form that allows this, so using CHAP requires enabling the Store Password Using Reversible Encryption policy for the remote access users, which is why CHAP is less secure than either version of MS-CHAP.
■ Shiva Password Authentication Protocol (SPAP)—Shiva Password Authentication
Protocol is a relatively insecure authentication protocol designed for use with
Shiva remote access products. SPAP uses a reversible encryption mechanism for
authentication.
■ Unencrypted Password (PAP)—The Password Authentication Protocol is a password-based authentication protocol that transmits passwords in clear text, leaving them open to interception by anyone who can capture packets on the link.
■ Allow Remote Systems To Connect Without Authentication—Enables remote
access clients to connect to the RRAS server with no authentication at all, enabling
anyone to access the network. The use of this option is strongly discouraged.
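To make the differences between these options concrete, the following is an added example, not part of the training kit, that builds and parses the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge and Response packets (RFC 1994) that PPP carries. The user name, password, challenge bytes and the server name RRAS01 are constructed sample data. It shows what a passive observer with a protocol analyzer recovers from each protocol, why a CHAP server needs the plaintext password to verify a response, and the residual risk that a captured CHAP exchange can be guessed against offline. It covers only standard PAP and CHAP; the MS-CHAP response computation is different and is not shown.

```python
"""PAP and CHAP on the wire: RFC 1334 Authenticate-Request, RFC 1994 Challenge/Response.

Added example with constructed sample data; not code from the training kit.
"""
import hashlib
import struct

PAP_AUTHENTICATE_REQUEST = 1   # PAP code (RFC 1334 section 2.1)
CHAP_CHALLENGE = 1             # CHAP codes (RFC 1994 section 4)
CHAP_RESPONSE = 2


def pap_authenticate_request(ident, peer_id, password):
    """Code | Identifier | Length | Peer-ID-Length | Peer-ID | Passwd-Length | Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def chap_packet(code, ident, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name (Challenge and Response share it)."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_response_value(ident, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value).

    Both sides need the secret itself to compute this digest. A one-way password
    hash will not do, which is why Windows must store the password using
    reversible encryption before CHAP can be used.
    """
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def sniff_pap(packet):
    """What a passive observer recovers from a captured PAP request: the password itself."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTHENTICATE_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    id_len = packet[4]
    peer_id = packet[5:5 + id_len]
    pw_len = packet[5 + id_len]
    password = packet[6 + id_len:6 + id_len + pw_len]
    return peer_id.decode(), password.decode()


def sniff_chap(packet):
    """What a passive observer recovers from a captured CHAP packet: a digest and a name."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE) or length != len(packet):
        raise ValueError("not a well-formed CHAP Challenge or Response")
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:].decode()


def chap_server_verify(ident, challenge, response_value, stored_password):
    """Server side: recompute the digest from the stored plaintext password and compare."""
    return chap_response_value(ident, stored_password, challenge) == response_value


def offline_guess(ident, challenge, response_value, wordlist):
    """Residual risk: a captured Challenge/Response pair can be guessed against offline."""
    for guess in wordlist:
        if chap_response_value(ident, guess, challenge) == response_value:
            return guess
    return None


# Constructed sample exchange (no real capture was used)
USER = b"rmartin"
PASSWORD = b"Pa55w0rd!"
CHALLENGE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")

PAP_CAPTURE = pap_authenticate_request(7, USER, PASSWORD)
CHAP_CHALLENGE_CAPTURE = chap_packet(CHAP_CHALLENGE, 9, CHALLENGE, b"RRAS01")
CHAP_RESPONSE_CAPTURE = chap_packet(
    CHAP_RESPONSE, 9, chap_response_value(9, PASSWORD, CHALLENGE), USER)

if __name__ == "__main__":
    print("PAP capture yields :", sniff_pap(PAP_CAPTURE))
    _code, ident, value, name = sniff_chap(CHAP_RESPONSE_CAPTURE)
    print("CHAP capture yields:", name, value.hex())
    print("server verifies    :", chap_server_verify(ident, CHALLENGE, value, PASSWORD))
    print("offline guess      :", offline_guess(ident, CHALLENGE, value,
                                                [b"password", b"letmein", PASSWORD]))
```

Run as a script, the PAP parse prints the account name and password in clear, the CHAP parse prints only the account name and a 16-byte digest, the server check succeeds only with the plaintext password, and the short word list recovers the password from the captured pair. The last step is why a challenge/response protocol is not a substitute for strong passwords or for certificate-based EAP.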
RRAS also supports the use of Remote Authentication Dial-In User Service (RADIUS), a standard defining a service that provides authentication, authorization, and accounting for remote access installations. A RADIUS server, such as the Internet Authentication Service (IAS) included with Windows Server 2003, validates remote access users against a central account database such as Active Directory and can provide authentication services for multiple remote access servers, so that all of them apply one set of remote access policies.
Remote access policies are sets of conditions that users must meet before RRAS authorizes them to access the server or the network. You can create policies that limit user access based on group memberships, day and time restrictions, and many other criteria. Remote access policies can also specify which authentication protocol and what type of encryption clients must use. Using the Routing And Remote Access console, you can create different policies for different types of connections, such as dial-up, virtual private network (VPN), and wireless connections. Policies are evaluated in the order in which they are listed: the first policy whose conditions all match the connection attempt is the one applied, and a connection attempt that matches no policy is rejected.
Remote access policies consist of three elements, which are as follows:
■ Conditions—Specific attributes that determine whether the policy applies to a connection attempt. If there is more than one condition, the connection must meet all the conditions before the policy is applied. Some of the conditions that RRAS remote access policies can use include day and time restrictions and the use of a specific authentication protocol, data-link layer protocol, or tunnel type, and membership in a specific Windows group.
■ Remote access permission—Each policy either grants or denies access to the connections that match its conditions. This setting is consulted only for users whose Dial-in tab is set to control access through remote access policy; an administrator who explicitly allows or denies remote access on the Dial-in tab of a user's Properties dialog box overrides the policy's permission setting.
■ Remote access profile—A set of attributes associated with a remote access policy that the RRAS server applies to a client once it has authenticated and authorized it. The profile can consist of elements such as time limits for the connection or specific IP addresses, authentication protocols, and types of encryption. A connection that matches the policy's conditions but cannot satisfy its profile (for example, a client that cannot use the required authentication protocol) is rejected.
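The order in which these three elements are applied is easy to get wrong, so the following added example, not code from the training kit, models it: policies are tried in listed order, the first one whose conditions all match is used, the user object's Dial-in setting overrides the policy's Grant or Deny, and the profile's authentication constraint is checked last. The policy names, the CONTOSO group names, the user names, the dates and the attempt helper are constructed for the example; the condition attribute names (Windows-Groups, Day-And-Time-Restrictions, Tunnel-Type, Authentication-Type) are the ones the Routing And Remote Access console uses, and the second policy is a catch-all modeled on the default deny policy that matches at all times.

```python
"""Remote access policy evaluation: order, conditions, permission override, profile.

Added example with constructed policies and users; not code from the training kit.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Values of the user object's Dial-in tab (Remote Access Permission)
ALLOW_ACCESS = "allow"
DENY_ACCESS = "deny"
CONTROL_THROUGH_POLICY = "policy"

WEEKDAYS = {0, 1, 2, 3, 4}          # Monday to Friday (datetime.weekday numbering)
ALL_DAYS = {0, 1, 2, 3, 4, 5, 6}


@dataclass
class Connection:
    user: str
    groups: set
    when: datetime
    tunnel: str       # "PPTP", "L2TP", or "" for a dial-up call
    auth: str         # "EAP", "MSCHAPv2", "MSCHAP", "CHAP", "PAP"
    dialin: str       # the user object's Dial-in setting


@dataclass
class Policy:
    name: str
    conditions: dict                       # every condition must match
    permission: str                        # "grant" or "deny"
    profile: dict = field(default_factory=dict)


def condition_matches(attribute, wanted, conn):
    """One policy condition; attribute names follow the console's condition list."""
    if attribute == "Windows-Groups":
        return bool(conn.groups & wanted)
    if attribute == "Day-And-Time-Restrictions":
        days, start_hour, end_hour = wanted
        return conn.when.weekday() in days and start_hour <= conn.when.hour < end_hour
    if attribute == "Tunnel-Type":
        return conn.tunnel in wanted
    if attribute == "Authentication-Type":
        return conn.auth in wanted
    raise ValueError("unsupported condition: " + attribute)


def evaluate(policies, conn):
    """Return (accepted, reason, profile) for one connection attempt."""
    # Step 1: the first policy (in listed order) whose conditions ALL match is the
    # only one considered; if none matches, the attempt is rejected.
    chosen = next((p for p in policies
                   if all(condition_matches(a, w, conn) for a, w in p.conditions.items())),
                  None)
    if chosen is None:
        return False, "no policy matched", {}
    # Step 2: the user object's Dial-in setting wins; the policy's Grant/Deny is
    # consulted only for users set to Control Access Through Remote Access Policy.
    if conn.dialin == DENY_ACCESS:
        return False, "denied on the user's Dial-in tab", {}
    if conn.dialin == CONTROL_THROUGH_POLICY and chosen.permission == "deny":
        return False, "denied by policy " + chosen.name, {}
    # Step 3: the profile must be satisfiable, or the attempt is rejected anyway.
    allowed_auth = chosen.profile.get("authentication")
    if allowed_auth and conn.auth not in allowed_auth:
        return False, conn.auth + " not permitted by profile of " + chosen.name, {}
    return True, "granted by " + chosen.name, chosen.profile


# Constructed policy set: a business-hours VPN policy for one group, followed by a
# catch-all that matches at all times and denies (modeled on the default deny policy).
POLICIES = [
    Policy("VPN users, business hours",
           {"Tunnel-Type": {"PPTP", "L2TP"},
            "Windows-Groups": {"CONTOSO\\VPN Users"},
            "Day-And-Time-Restrictions": (WEEKDAYS, 8, 18)},
           "grant",
           {"authentication": {"EAP"}, "encryption": "strongest"}),
    Policy("Catch-all deny",
           {"Day-And-Time-Restrictions": (ALL_DAYS, 0, 24)},
           "deny"),
]

WEDNESDAY_10AM = datetime(2004, 3, 10, 10, 0)
SATURDAY_10AM = datetime(2004, 3, 13, 10, 0)
VPN_USER = {"CONTOSO\\VPN Users"}


def attempt(user, groups, when, tunnel, auth, dialin):
    """Helper so the scenarios below read like the exam questions."""
    return evaluate(POLICIES, Connection(user, groups, when, tunnel, auth, dialin))


if __name__ == "__main__":
    print("member, weekday, EAP      :", attempt("rmartin", VPN_USER, WEDNESDAY_10AM, "L2TP", "EAP", CONTROL_THROUGH_POLICY))
    print("member, weekday, MS-CHAPv2:", attempt("rmartin", VPN_USER, WEDNESDAY_10AM, "L2TP", "MSCHAPv2", CONTROL_THROUGH_POLICY))
    print("member, Saturday, policy  :", attempt("rmartin", VPN_USER, SATURDAY_10AM, "L2TP", "EAP", CONTROL_THROUGH_POLICY))
    print("member, Saturday, Allow   :", attempt("rmartin", VPN_USER, SATURDAY_10AM, "L2TP", "EAP", ALLOW_ACCESS))
    print("non-member, weekday       :", attempt("jdoe", {"CONTOSO\\Domain Users"}, WEDNESDAY_10AM, "PPTP", "EAP", CONTROL_THROUGH_POLICY))
```

The fourth scenario is the one to notice: a user whose Dial-in tab says Allow Access gets in on a Saturday even though the only matching policy denies, because the explicit user setting overrides the policy's permission. If you want policies to be the single place where access is decided, set every user to control access through remote access policy.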
Objective 3.2 Questions
1. Which of the following authentication protocols requires you to modify the way that Active Directory stores user passwords?
A. PAP
B. CHAP
C. MS-CHAP
D. MS-CHAP v2
2. You are a network administrator designing a remote access security strategy for your company. You want users accessing the network with VPN connections to be able to connect to the server during business hours only, and you intend to require that users authenticate themselves using smart cards. To accomplish these goals, you configure RRAS to use the MS-CHAP v2 authentication protocol and you create a remote access policy with a condition specifying the hours during which the users can connect. Specify which of the stated goals are accomplished by this solution.
A. This solution can accomplish neither of the stated goals: it will neither limit the
users’ logon hours nor enable smart card authentication.
B. This solution accomplishes only one of the stated goals: it will not limit the users’
logon hours, but it will enable smart card authentication.
C. This solution accomplishes only one of the stated goals: it will limit the users’
logon hours, but it will not enable smart card authentication.
D. This solution accomplishes both stated goals: it will limit the users’ logon hours
and enable smart card authentication.
3. Which of the following Windows Server 2003 remote access configurations would enable an attacker running Network Monitor to read user passwords from captured packets in unencrypted form?
A. You configure RRAS to use CHAP for its authentication protocol and enable the
Store Password Using Reversible Encryption password policy for all remote access
users.
B. You configure RRAS to use PAP for its authentication protocol, and issue a smart
card to each user.
C. You configure the Allow Remote Systems To Connect Without Authentication
option on the RRAS server, and create a remote policy with a profile specifying the
use of the strongest encryption method available.
D. You configure RRAS to use MS-CHAP for its authentication protocol and set up the callback options so the server reconnects to the client at a predetermined telephone number.
4. Which of the following procedures can you use to limit client access to a remote access
server based on group membership?
A. Modify the properties of the clients’ user objects in the Active Directory Users And
Computers console.
B. Configure RRAS to use the EAP authentication protocol in the Routing And Remote
Access console.
C. Configure RRAS to use a RADIUS server to authenticate incoming client connections.
D. Use the Routing And Remote Access console to create a remote access policy.
Objective 3.2 Answers
1. Correct Answers: B
A. Incorrect: The Password Authentication Protocol transmits passwords in clear text, so it places no requirement on how Active Directory stores them.
B. Correct: The Challenge Handshake Authentication Protocol requires the server to have the user's password itself in order to recompute the client's MD5 response, and by default Windows Server 2003 stores only a one-way hash, which CHAP cannot use. To authenticate users with CHAP, you must open the Group Policy object governing the users and enable the Store Password Using Reversible Encryption password policy. Note that the setting takes effect only for passwords set or changed after it is enabled, so the affected users must change their passwords before CHAP logons succeed.
C. Incorrect: Version 1 of the Microsoft Challenge Handshake Authentication Protocol uses one-way authentication and a single encryption key for transmitted and received messages, but it works from the password hash that Active Directory already stores and requires no modification of Active Directory's password storage method.
D. Incorrect: Version 2 of the Microsoft Challenge Handshake Authentication Protocol enables clients and servers to mutually authenticate each other through a challenge/response exchange, but it too works from the stored password hash and requires no modification to Active Directory.
2. Correct Answers: C
A. Incorrect: You can successfully limit remote access users’ logon hours using a
remote access policy, so the solution does accomplish one of the stated goals.
B. Incorrect: Remote access policies can limit users’ logon hours, but the MS-CHAP
v2 authentication protocol does not support smart cards.
C. Correct: The remote access policy can limit users' logon hours, but to enable smart card authentication, you must use the Extensible Authentication Protocol (EAP), specifically the certificate-based EAP-TLS method.
D. Incorrect: While the solution can successfully limit users’ logon hours, you
cannot authenticate users with smart cards using MS-CHAP v2.
3. Correct Answers: B
A. Incorrect: Storing passwords using reversible encryption, as required for the Challenge Handshake Authentication Protocol, affects only how Active Directory keeps the passwords. On the remote access connection the client transmits an MD5 digest of the server's challenge and the password, never the password itself, so an attacker capturing the packets using Network Monitor would not be able to read it.
B. Correct: The Password Authentication Protocol transmits user passwords in clear text, so anyone capturing the packets with a protocol analyzer such as Network Monitor would be able to read the passwords. Issuing smart cards changes nothing here, because PAP cannot use them; only EAP can.
C. Incorrect: Although enabling the Allow Remote Systems To Connect Without Authentication option is a grave security risk, there is no danger of passwords being compromised, because the clients do not transmit any passwords at all.
D. Incorrect: The Microsoft Challenge Handshake Authentication Protocol never transmits the password; the client sends a response computed from the password hash and the server's challenge, so Network Monitor cannot show the password in unencrypted form regardless of the callback options in effect. A captured MS-CHAP exchange can still be subjected to an offline dictionary attack, which is one reason to prefer MS-CHAP v2 or EAP, but that is not the same as reading the password from the capture.
4. Correct Answers: D
A. Incorrect: You can grant or deny individual users remote access and set caller ID and callback options by modifying the properties of user objects, but the Dial-in tab cannot limit access based on group membership; at most it can hand the decision over to remote access policies.
B. Incorrect: Authentication protocols do not limit users' access based on group memberships or any other criteria. They simply specify the format for the message exchanges that the clients and server will use when authenticating.
C. Incorrect: Using RADIUS moves the authentication process (and, with Internet Authentication Service, the evaluation of remote access policies) from the RRAS server to the RADIUS server, but it is still a remote access policy, wherever it is evaluated, that restricts access by group; configuring RADIUS by itself imposes no such limit.
D. Correct: Remote access policies enable you to limit user access based on group memberships, day and time restrictions, and various other criteria.