On a Windows 2000 RRAS (dial-up/VPN) server, you require mutual authentication and encryption of data between RAS clients and the server. Which authentication protocol should you select to meet both requirements?

Difficulty: Easy

Correct Answer: MS-CHAP v2

Explanation:


Introduction / Context:
Remote access security in Windows 2000 relies on negotiated authentication protocols that determine password exchange strength, mutual authentication capability, and whether session keys for encryption are derived. Selecting the correct protocol is crucial to enforce both identity assurance and confidentiality of traffic.


Given Data / Assumptions:

  • Server: Windows 2000 RRAS.
  • Requirement: mutual authentication (server verifies client, client verifies server) and data encryption.
  • Goal: choose the strongest applicable built-in method for that era.


Concept / Approach:
MS-CHAP v2 provides improved authentication over MS-CHAP v1 and classic CHAP: it adds mutual authentication (the server proves knowledge of the password hash back to the client) and produces stronger keying material. The session keys MPPE uses to encrypt the PPP data stream are derived from that authentication exchange, so choosing MS-CHAP v2 satisfies both requirements at once. PAP sends credentials in cleartext; SPAP is proprietary and lacks mutual authentication. CHAP (RFC 1994) validates the client to the server but not the server to the client, and it does not by itself yield encryption keys; in Windows the encryption requirement is met only when MPPE is paired with MS-CHAP authentication, and MS-CHAP v2 is the variant that also gives mutual authentication.
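To make the mutual-authentication and key-derivation point concrete, here is a Python model of the MS-CHAP v2 exchange (RFC 2759) with the MPPE master-key step from RFC 3079. It is an added illustration, not code from this page or from Windows. It keeps the RFC's message structure, its SHA-1 challenge hash, the authenticator response and the master-key derivation, but substitutes SHA-256 for MD4 and an HMAC for the DES-based challenge response (both are assumptions, chosen because neither legacy primitive is reliably available in Python's hashlib). The user name, passwords and challenges are constructed sample values.

```python
import hashlib
import hmac
import os

# String constants as given in RFC 2759 (MS-CHAP v2) and RFC 3079 (MPPE keys).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"
MPPE_MAGIC = b"This is the MPPE Master Key"


def nt_password_hash(password: str) -> bytes:
    # Assumption: SHA-256 stands in for MD4, which the RFC uses over UTF-16LE.
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


def hash_of_hash(pw_hash: bytes) -> bytes:
    # Assumption: SHA-256 stands in for MD4(NTPasswordHash); only this value is
    # needed by the server to prove itself and to derive encryption keys.
    return hashlib.sha256(pw_hash).digest()[:16]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # RFC 2759 ChallengeHash: first 8 bytes of SHA-1(PeerChallenge || AuthChallenge || UserName).
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def challenge_response(challenge8: bytes, pw_hash: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed with the password hash replaces the DES
    # encryption of the 8-byte challenge under three keys cut from the hash.
    return hmac.new(pw_hash, challenge8, hashlib.sha256).digest()[:24]


def authenticator_response(pw_hh: bytes, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: str) -> str:
    # RFC 2759 GenerateAuthenticatorResponse: only a party holding the password
    # hash can compute this, which is what lets the client authenticate the server.
    digest = hashlib.sha1(pw_hh + nt_response + MAGIC1).digest()
    challenge8 = challenge_hash(peer_challenge, auth_challenge, username)
    return "S=" + hashlib.sha1(digest + challenge8 + MAGIC2).hexdigest().upper()


def mppe_master_key(pw_hh: bytes, nt_response: bytes) -> bytes:
    # RFC 3079 GetMasterKey: both ends derive the same 16 bytes from the
    # exchange; MPPE send/receive keys are then cut from this master key.
    return hashlib.sha1(pw_hh + nt_response + MPPE_MAGIC).digest()[:16]


def run_exchange(username: str, client_password: str, server_stored_hash: bytes) -> dict:
    """Simulate one MS-CHAP v2 round trip and report what each side concluded.

    server_stored_hash is the NT hash the server holds for the account; a rogue
    server that does not know the real hash is modelled by passing a wrong one.
    """
    auth_challenge = os.urandom(16)   # Challenge packet: authenticator -> peer
    peer_challenge = os.urandom(16)   # peer's own nonce, sent back in the Response packet
    client_hash = nt_password_hash(client_password)
    challenge8 = challenge_hash(peer_challenge, auth_challenge, username)
    nt_response = challenge_response(challenge8, client_hash)
    # Response packet: username, peer_challenge, nt_response. The password never crosses the link.

    server_accepts = hmac.compare_digest(
        challenge_response(challenge8, server_stored_hash), nt_response)
    # An honest server stops here on failure; we keep going to show what the
    # client's check catches when a server issues a response anyway.
    server_hh = hash_of_hash(server_stored_hash)
    auth_resp = authenticator_response(server_hh, nt_response, peer_challenge,
                                       auth_challenge, username)

    client_hh = hash_of_hash(client_hash)
    client_accepts = hmac.compare_digest(
        authenticator_response(client_hh, nt_response, peer_challenge,
                               auth_challenge, username), auth_resp)
    keys_match = mppe_master_key(server_hh, nt_response) == mppe_master_key(client_hh, nt_response)
    return {"server_accepts": server_accepts, "client_accepts": client_accepts,
            "keys_match": keys_match}


if __name__ == "__main__":
    stored = nt_password_hash("correct horse")           # constructed account secret
    print("genuine server:", run_exchange("alice", "correct horse", stored))
    print("rogue server:  ", run_exchange("alice", "correct horse", nt_password_hash("guess")))
    print("wrong password:", run_exchange("alice", "wrong", stored))
```

The three runs show the property the question is testing for: with the genuine server every flag is true and both ends hold the same MPPE master key; a server that does not know the account's hash fails the client-side check even if it blindly accepts the client, which is the mutual-authentication guarantee CHAP and PAP lack; and a wrong client password is rejected by the server without the password itself ever being transmitted.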


Step-by-Step Solution:
1) Enable RRAS and configure remote access policies to allow MS-CHAP v2.
2) Ensure clients are set to prefer MS-CHAP v2 and require encrypted authentication.
3) Confirm MPPE encryption settings (40/56/128-bit as supported) are enabled.
4) Test a connection to verify mutual authentication prompts and encrypted link establishment.


Verification / Alternative check:
RRAS logging and client status should show MS-CHAP v2 in use and MPPE encryption active. Packet traces will indicate encrypted PPP payloads after authentication.


Why Other Options Are Wrong:

  • CHAP: No mutual server authentication; weaker in this scenario.
  • PAP: Cleartext credentials; fails security requirements.
  • SPAP: Proprietary with limited security; no mutual authentication guarantee.


Common Pitfalls:
Allowing fallback to insecure methods (for example, leaving PAP or CHAP enabled in the remote access policy); misconfiguring policies so clients negotiate weaker authentication; forgetting to require encryption in the connection properties, so the link authenticates with MS-CHAP v2 but carries data in the clear.


Final Answer:
MS-CHAP v2
