Your network consists of one Active Directory domain and one IP subnet. All servers run Windows Server 2008. All client computers run Windows Vista, Windows XP Professional, and Windows 2000 Professional. The servers are configured as shown in the following table.
Server2 is configured to support Network Access Protection (NAP) by using IPsec, DHCP, and 802.1X enforcement methods.
Users from a partner company have computers that are not joined to the domain. The computers successfully connect to the network.
You need to ensure that only computers that are joined to the domain can access network resources on the domain.
What should you do?
A. Configure all DHCP scopes on Server1 to enable NAP.
B. Configure all network switches to require 802.1X authentication.
C. Create a Group Policy object (GPO) and link it to the domain. In the GPO, enable a secure server IPsec policy on all member servers in the domain.
D. Create a Group Policy object (GPO) and link it to the domain. In the GPO, enable a NAP enforcement client for IPsec communications on all client computers in the domain.
Correct Answer: C
Explanation/Reference:
Explanation:
To ensure that only computers that are joined to the domain can access network resources on the domain, create a GPO, link it to the domain, and in that GPO enable a secure server IPsec policy on all member servers in the domain. IPsec domain and server isolation methods are used to prevent unmanaged computers from accessing network resources. This method enforces health policies when a client computer attempts to communicate with another computer using IPsec.
Configuring the DHCP scopes cannot stop unmanaged computers that are not joined to the domain from accessing the network. NAP is not required in this scenario because you only want the member computers to access network resources. Therefore, you do not need to create a GPO, link it to the domain, and enable in it a NAP enforcement client for IPsec communications on all client computers in the domain.
Reference: Protecting a Network from Unmanaged Clients / Solutions
http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/unmanagedclients.mspx