Question
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains servers that run Windows Server as shown in the following table.
Server1 has the connection security rules shown in the following table.
Server2 has the connection security rules shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
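The rule tables the question refers to are not reproduced on this page. On a lab server the same information (endpoints, inbound/outbound mode, authentication method) can be read back from the rules themselves; the script below is an added example, not part of the question or the thread. It assumes the built-in NetSecurity module on Windows Server; the function names are chosen here, and the two addresses in the usage lines are the Server1/Server2 addresses a commenter reconstructed further down.

```powershell
# Added example (not from the exam question or the thread): rebuild the connection
# security rule table of a live Windows Server and list the rules whose endpoints cover
# a given flow. Assumes the NetSecurity module; function names are chosen here, not an API.
Import-Module NetSecurity
function ConvertTo-UInt32([string]$Address) {
    $bytes = ([ipaddress]$Address).GetAddressBytes()   # IPv4 only
    [array]::Reverse($bytes)                           # network order -> host order
    return [BitConverter]::ToUInt32($bytes, 0)
}
function Test-InScope([string]$Ip, [string]$Scope) {
    # $Scope is an endpoint as the firewall reports it: 'Any', a host, or a.b.c.d/n.
    if ($Scope -eq 'Any') { return $true }
    if ($Scope -notmatch '^\d+(\.\d+){3}(/\d+)?$') { Write-Warning "Unhandled scope '$Scope'"; return $false }
    $net, $bits = $Scope -split '/'
    if (-not $bits) { $bits = '32' }
    $mask = [uint32](([int64]4294967295 -shl (32 - [int]$bits)) -band [int64]4294967295)
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}
function Get-CsrTable {
    # One row per IPsec rule in the active policy: endpoints, mode, phase-1 auth method.
    foreach ($rule in Get-NetIPsecRule -PolicyStore ActiveStore) {
        $addr = Get-NetFirewallAddressFilter -AssociatedNetIPsecRule $rule
        $auth = Get-NetIPsecPhase1AuthSet -AssociatedNetIPsecRule $rule -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Endpoint1 = @($addr.LocalAddress)    # local side of the rule
            Endpoint2 = @($addr.RemoteAddress)   # remote side of the rule
            Inbound   = $rule.InboundSecurity    # None, Request or Require
            Outbound  = $rule.OutboundSecurity
            Auth      = @($auth.Proposal.AuthenticationMethod) -join ' > '  # tried in this order
        }
    }
}
function Get-MatchingCsr([string]$LocalIp, [string]$RemoteIp) {
    # Every rule whose endpoint pair covers $LocalIp -> $RemoteIp. Which match wins, and
    # whether Require on one peer beats Request on the other, is what the thread disputes,
    # so this lists the candidates rather than deciding for you.
    foreach ($row in Get-CsrTable) {
        $e1 = @($row.Endpoint1 | Where-Object { Test-InScope $LocalIp $_ })
        $e2 = @($row.Endpoint2 | Where-Object { Test-InScope $RemoteIp $_ })
        if ($e1.Count -and $e2.Count) { $row }
    }
}
Get-CsrTable | Format-Table Rule, Endpoint1, Endpoint2, Inbound, Outbound, Auth -AutoSize
Get-MatchingCsr -LocalIp 172.16.10.10 -RemoteIp 172.16.20.50 | Format-Table Rule, Inbound, Outbound, Auth
# After a test connection, an established main-mode SA confirms IPsec authentication
# actually happened; Request mode with no SA means the traffic went through in the clear.
Get-NetIPsecMainModeSA | Format-List
```

Run it on each server in the lab to get the three tables side by side; an empty main-mode SA list after a successful connection is the quickest way to tell a Request rule that fell back to clear from a Require rule that authenticated.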
Lu5ck
Highly Voted 1 year, 11 months ago
Request - Authenticate whenever possible, but authentication is not required.
Require - Must be authenticated to be allowed.
NTLM is the fallback protocol and is always available unless explicitly disabled. https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
With that said, the answer indeed is Y, Y, Y.
upvoted 9 times
Leocan
Highly Voted 1 year, 12 months ago
1. Y - combine Rule12 and Rule31.
2. Y - Rule31 (assume there are no connection security rules on Server3).
3. Y - Rule31 (assume there are no connection security rules on Server3).
upvoted 7 times
RemmyT
Most Recent 4 months, 2 weeks ago
Server1
Rule11 | 172.16.10.0/24 | 172.16.20.50 | Require inbound and outbound | Computer (NTLMv2)
Rule12 | 172.16.10.10 | 172.16.0.0/16 | Request inbound and outbound | Computer (Kerberos V5)
Server2
Rule21 | Any | Any | Request inbound and outbound | Computer (NTLMv2)
Rule22 | 172.16.20.0/24 | 172.16.0.0/16 | Require inbound and request outbound | Computer (NTLMv2)
Server3
Rule31 | Any | Any | Request inbound and outbound | Computer (Kerberos V5)
Rule32 | 172.16.30.80 | 172.16.10.10 | Require inbound and outbound | Computer (NTLMv2)
upvoted 1 times
smorar
6 months, 1 week ago
1. Y - Rule12 and Rule31.
2. Y - Rule31.
3. Y - Rule31.
upvoted 1 times
SlavekJ
1 year, 2 months ago
No, Yes, Yes - tested in lab.
1. Why N - Rule11 on Server1 (which is included in scope 172.16.1.0/24) requires communication via IPsec with Server2 only and with NTLMv2 auth ONLY, but Server2 in Rule32 can't talk to it, because it has Kerberos auth only. Rule32 is not valid, because Server2 has no interface in these endpoints (subnets).
2. Why Yes - Rule32 is invalid, and Rule31 is only a Request rule, not a Require rule; it doesn't work, secure communication is not established, but if Server3 has no rules, they can talk to each other non-securely. It works.
3. Why Yes - it is the same as in number 2; they can talk to each other non-securely.
upvoted 3 times
calotta1
1 year, 4 months ago
Yes, No, Yes.
upvoted 1 times
KakashiCopyNinja
1 year, 5 months ago
This question is not solvable, because the rule table for Server2 is missing. Is there someone who can add the missing table to complete this question?
upvoted 1 times
syu31svc
1 year, 7 months ago
Yes, No, No. I will go with this after testing it out. But given that Rules 31 and 32 are likely meant for Server3 and no rules are shown for Server2, it would be inconclusive.
upvoted 1 times
syu31svc
1 year, 7 months ago
I meant No, Yes, Yes after the test.
upvoted 3 times
STFN2019
1 year, 8 months ago
For me it's 3x Yes.
upvoted 1 times
cris66
1 year, 10 months ago
I do not know what I am talking about, so don't trust my opinion. I have changed my mind yet again and now think Y,N,N. Based on: "A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. They also secure that traffic by encrypting the data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. In order to use connection security rules, both of the computers involved in the communications must have IPsec policies configured."
upvoted 2 times
cris66
1 year, 10 months ago
I do not understand the precedence of rules. MS Docs: "The connection security rule applies to communications between any computer in Endpoint 1 and any computer in Endpoint 2." I have no experience in IPsec, but it seems strange to apply the rules to a server when in examples it is usually applied to the Default Domain Policy or an OU with specific servers requiring IPsec. In the case of Server1 in question 1, which is the most specific rule? You have 2 rules where one rule is more specific for Endpoint 2 and the other rule is more specific for Endpoint 1. How do you decide which is more specific?
upvoted 2 times
cris66
1 year, 10 months ago
How can 1 be N? Even if you say Rule11 is more specific and requires NTLMv2, Server2 is requesting Kerberos only, not requiring it, so it will be happy to use NTLMv2.
upvoted 1 times
jecawi9630
1 year, 10 months ago
Got this in the exam on 01/26/2023. This question here is missing the table for Server2, with Rules 21 and 22. I do not remember the endpoints, but the authentication mode and authentication method are the same as in the table for Server3.
upvoted 4 times
cris66
1 year, 11 months ago
This link suggests that a domain member server would by default be able to send NTLMv2: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level ("Member Server Effective Default Settings: Send NTLMv2 response only").
upvoted 2 times
cris66
1 year, 11 months ago
I think Y,Y,Y. For the second two, if we don't know, surely we have to assume that the firewall is turned on with the default set of rules, which would permit NTLMv2.
upvoted 2 times
rimvydukas
1 year, 11 months ago
1. N - Rule11 is the more specific one, and in combination with Rule31 this gives access denied, as Rule11 requests NTLM.
2. Y - Rule31 (assume there are no connection security rules on Server3).
3. Y - Rule31 (assume there are no connection security rules on Server3).
Tested in my lab.
upvoted 3 times
joehoesofat
2 years ago
So we can't really answer any question about node 3 because we don't know its rules, so that makes this question easier. You see that NTLM is required for node 1 but not node 2; node 2 can do Kerberos, and node 2 can as well, so the first one is Y. Beyond that, it would seem node 3 would need to have NTLM enabled for the other 2 questions to be Yes, but since we don't know, we say No and No. So Yes, No, No.
upvoted 4 times
lukiduc9625
2 years, 1 month ago
1st statement: N - Rule11 is more specific than Rule12, thus when Server1 (172.16.10.10) tries to communicate with Server2 (172.16.20.50) it will REQUIRE authentication by NTLMv2, but on Server2 the only matching rule for this communication is Rule31, which requests authentication by Kerberos; in such a situation these servers do not get along.
2nd and 3rd statements: Y - when Server2 (172.16.20.50) tries to communicate with Server3 (172.16.30.80), the only rule which matches is Rule31. It only requests authentication, in other words authentication is not obligatory, so communication with Server3, which has no IPsec rules, will work. Rule32 will never be used; none of the endpoints in this rule match the address of Server2.
upvoted 1 times
cris66
1 year, 10 months ago
I do not understand the logic that when one server REQUIRES NTLMv2 and the other server REQUESTS Kerberos they do not get along. The 2nd server can use NTLMv2. You start with REQUEST mode so that it will accept traffic, then lock it down with REQUIRE mode. Server2 can use NTLMv2.
upvoted 2 times
ProfileX
2 years, 2 months ago
Y,Y,Y could be correct, not sure. I guess it depends on which order the overlapping rules are applied, i.e. which one gets precedence. I searched and found some guy saying more specific rules take precedence over less specific rules, but the info was vague and didn't give any references. If Rule32 gets priority, then it would be Y,N,N.
upvoted 2 times
GoforIT21
2 years, 2 months ago
I think the answer is indeed Y,N,N. Here is a source that states that more specific rules take precedence:
"Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions.
1. Explicitly defined allow rules will take precedence over the default block setting.
2. Explicit block rules will take precedence over any conflicting allow rules.
3. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)"
(https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring)
In that case, Rule32 does indeed block connections between Server2 and Server3. In contrast, Rule11 and Rule32 nicely overlap so that connections between Server1 and Server2 are possible.
upvoted 3 times