Exam AZ-801 topic 1 question 21 discussion

Actual exam question from Microsoft's AZ-801
Question #: 21
Topic #: 1

HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains servers that run Windows Server as shown in the following table.

Server1 has the connection security rules shown in the following table.

Server2 has the connection security rules shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode

Comments

Lu5ck
Highly Voted 2 years, 4 months ago
Request - Authenticate whenever possible but authentication is not required
Require - Must be authenticated to be allowed
NTLM is the fallback protocol and is always available unless explicitly disabled. https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
With that said, the answer indeed is Y, Y, Y.
upvoted 10 times
...
Leocan
Highly Voted 2 years, 5 months ago
1. Y - combine Rule12 and Rule 31.
2. Y - Rule 31, (assume there are no connection security rules on Server3)
3. Y - Rule 31, (assume there are no connection security rules on Server3)
upvoted 7 times
...
BlackCat9588
Most Recent 4 months, 1 week ago
Sounds like it is an incomplete question. Cannot comment.
upvoted 2 times
...
RemmyT
10 months, 2 weeks ago
Server1
Rule11 | 172.16.10.0/24 | 172.16.20.50 | 'Require inbound and outbound' | 'Computer (NTLMv2)'
Rule12 | 172.16.10.10 | 172.16.0.0/16 | 'Request inbound and outbound' | 'Computer (Kerberos V5)'

Server2
Rule21 | Any | Any | 'Request inbound and outbound' | 'Computer (NTLMv2)'
Rule22 | 172.16.20.0/24 | 172.16.0.0/16 | 'Require inbound and request outbound' | 'Computer (NTLMv2)'

Server3
Rule31 | Any | Any | 'Request inbound and outbound' | 'Computer (Kerberos V5)'
Rule32 | 172.16.30.80 | 172.16.10.10 | 'Require inbound and outbound' | 'Computer (NTLMv2)'
upvoted 2 times
...
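A lab sketch for recreating Server1's Rule11 and Rule12 as listed in the comment above, so the request/require behaviour can be tested rather than argued. This is an added example, not part of any comment on this page. It assumes the second and third columns of that list are Endpoint 1 and Endpoint 2, that `-Ntlm` corresponds to the "Computer (NTLMv2)" method, and the `Lab ...` display names are made up.

```powershell
# Added lab example; run elevated on a test machine, not in production.
# Assumption: list column 2 = Endpoint 1 (-LocalAddress), column 3 = Endpoint 2 (-RemoteAddress).

# One first-authentication proposal per method named in the rule list
$ntlmProposal = New-NetIPsecAuthProposal -Machine -Ntlm
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos

# Wrap each proposal in a phase 1 authentication set (display names are made up)
$ntlmSet = New-NetIPsecPhase1AuthSet -DisplayName 'Lab Computer NTLMv2' -Proposal $ntlmProposal
$kerbSet = New-NetIPsecPhase1AuthSet -DisplayName 'Lab Computer KerberosV5' -Proposal $kerbProposal

# Rule11: Require inbound and outbound, Computer (NTLMv2)
New-NetIPsecRule -DisplayName 'Lab Rule11' `
    -LocalAddress 172.16.10.0/24 -RemoteAddress 172.16.20.50 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $ntlmSet.Name

# Rule12: Request inbound and outbound, Computer (Kerberos V5)
New-NetIPsecRule -DisplayName 'Lab Rule12' `
    -LocalAddress 172.16.10.10 -RemoteAddress 172.16.0.0/16 `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $kerbSet.Name

# Confirm what was stored for each rule
Get-NetIPsecRule -DisplayName 'Lab Rule1*' |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Enabled

# After sending traffic to a peer, list main-mode security associations.
# An empty result means no IPsec authentication was negotiated with that peer.
Get-NetIPsecMainModeSA

# Call this when testing is finished to remove everything created above
function Remove-LabIPsecRules {
    Get-NetIPsecRule -DisplayName 'Lab Rule1*' | Remove-NetIPsecRule
    Remove-NetIPsecPhase1AuthSet -DisplayName 'Lab Computer NTLMv2'
    Remove-NetIPsecPhase1AuthSet -DisplayName 'Lab Computer KerberosV5'
}
```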
smorar
1 year ago
1. Y - Rule12 and Rule 31.
2. Y - Rule 31
3. Y - Rule 31
upvoted 1 times
...
SlavekJ
1 year, 8 months ago
No, Yes, Yes - tested in lab
1 Why N - Rule11 Server1 (is included in scope 172.16.1.0/24) requires communication via IPsec with Server2 only and in NTLMv2 auth ONLY, but Server2 in Rule 32 can't talk with, because it has auth Kerberos only, Rule32 is not valid, because Server2 has no interface from these endpoints (subnets).
2 Why Yes - Rule32 is invalid, but Rule31 is only Request Rule, not requiring, it doesn't work, secure communication is not established, but if Server3 has no rules, they can talk to each other not securely. It works.
3 Why Yes - it is the same like in number 2, they can talk to each other non securely.
upvoted 3 times
...
calotta1
1 year, 10 months ago
Yes, No, Yes.
upvoted 1 times
...
KakashiCopyNinja
1 year, 11 months ago
This question is not solvable, because one rule table for Server2 is missing. Is there someone to add the missing table to complete this question?
upvoted 1 times
...
syu31svc
2 years, 1 month ago
Yes No No
I will go with this after testing it out.
But given that rules 31 and 32 are likely meant for Server3 and no rules are shown for Server2, it would be inconclusive.
upvoted 1 times
syu31svc
2 years, 1 month ago
I meant No Yes Yes after test
upvoted 3 times
...
...
STFN2019
2 years, 2 months ago
for me it's 3x yes
upvoted 1 times
...
cris66
2 years, 3 months ago
I do not know what I am talking about so don't trust my opinion. I have changed my mind yet again and now think Y,N,N. Based on. A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. They also secure that traffic by encrypting the data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. In order to use connection security rules, both of the computers involved in the communications must have IPsec policies configured.
upvoted 2 times
...
cris66
2 years, 3 months ago
I do not understand the precedence of rules. MS Docs "The connection security rule applies to communications between any computer in Endpoint 1 and any computer in Endpoint 2." I have no experience in IPSec but seems strange to apply the rules to a server when in examples it is usually applied to Default Domain Policy or an OU with specific servers requiring IPSec. In the case of Server1 with question1 which is the most specific rule? You have 2 rules where 1 rule is more specific for Endpoint 2 and the other rule is more specific for Endpoint1. How do you decide which is more specific?
upvoted 2 times
cris66
2 years, 3 months ago
How can 1 be N? Even if you say Rule11 is more specific and requires NTLMv2, server 2 is requesting Kerberos only, not requiring it, so it will be happy to use NTLMv2.
upvoted 1 times
...
...
jecawi9630
2 years, 4 months ago
Got this in exam, on 01/26/2023. This question here is missing the table for Server 2, with the rules 21 and 22. Do not remember the endpoints but authentication mode and authentication method are the same as in the table for Server 3.
upvoted 4 times
...
cris66
2 years, 5 months ago
This link suggests that a domain member server would by default be able to send NTLMv2.
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
Member Server Effective Default Settings: Send NTLMv2 response only
upvoted 2 times
...
cris66
2 years, 5 months ago
I think Y,Y,Y. For the second 2, if we don't know, surely we have to assume that the firewall is turned on with the default set of rules which would permit NTLMv2.
upvoted 2 times
...
rimvydukas
2 years, 5 months ago
1. N - Rule 11 is more specific one and in combination with Rule 31 this gives access denied as Rule 11 requests NTLM.
2. Y - Rule 31, (assume there are no connection security rules on Server3)
3. Y - Rule 31, (assume there are no connection security rules on Server3)
Tested in my lab.
upvoted 3 times
...
joehoesofat
2 years, 6 months ago
So we can't really answer any question about node 3 because we don't know its rules - so that makes this question easier - you see that NTLM is required for node 1 but not node 2 - node 2 can do Kerberos - and node 2 can as well - so the first one is Y. Beyond that - it would seem node 3 would need to have NTLM enabled for the other 2 questions to be yes - but since we don't know we say no and no, so Yes no no
upvoted 4 times
...