You need to ensure that only computers that are joined to the domain can access network resources on the domain

Your network consists of one Active Directory domain and one IP subnet. All servers run Windows
Server 2008. All client computers run Windows Vista, Windows XP Professional, and Windows 2000
Professional. The servers are configured as shown in the following table. (Click the Exhibit)

Server2 is configured to support Network Access Protection (NAP) by using IPsec, DHCP, and 802.1X
enforcement methods. Users from a partner company have computers that are not joined to the
domain. The computers successfully connect to the network. You need to ensure that only
computers that are joined to the domain can access network resources on the domain. What should
you do?

A.
Configure all DHCP scopes on Server1 to enable NAP.

B.
Configure all network switches to require 802.1X authentication.

C.
Create a Group Policy object (GPO) and link it to the domain. In the GPO, enable a secure server
IPsec policy on all member servers in the domain.

D.
Create a Group Policy object (GPO) and link it to the domain. In the GPO, enable a NAP
enforcement client for IPsec communications on all client computers in the domain.

Explanation:
To ensure that only computers that are joined to the domain can access network resources on the
domain, create a GPO, link it to the domain, and in the GPO enable a secure server IPsec policy on
all member servers in the domain. IPsec domain and server isolation methods are used to
prevent unmanaged computers from accessing network resources. This method enforces health
policies when a client computer attempts to communicate with another computer using IPsec.
Configuring DHCP scopes cannot stop unmanaged computers that are not joined to the domain from
accessing the network. NAP is not required in this scenario because you just want the member
computers to access network resources. Therefore, you do not need to create a GPO, link it to the
domain, and enable a NAP enforcement client for IPsec communications on all client computers in
the domain.
Protecting a Network from Unmanaged Clients / Solutions
http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/unmanagedclients.mspx


