A remote user (User1) is unable to reach a newly provisioned corporate windows workstation. The
system administrator has been given the following log files from the VPN, corporate firewall and
workstation host.
Which of the following is preventing the remote user from being able to access the workstation?
A.
Network latency is causing remote desktop service request to time out
B.
User1 has been locked out due to too many failed passwords
C.
Lack of network time synchronization is causing authentication mismatches
D.
The workstation has been compromised and is accessing known malware sites
E.
The workstation host firewall is not allowing remote desktop connections
I think were looking for answer E. As the question states, there has been a newly provisioned workstation, 10.1.1.5 is the local address of the workstation, 5.5.5.5 is the public address of the VPN user. If you look at the workstation firewall log, 5.5.5.5 has been denied Remote Desktop Procedure. Yes there were wrong passwords entered, but ultimately the user was denied by the workstation’s firewall.
0
0
Like many of the answers that I have seen, B is wrong. User1 authenticated after 3 attempts.
It looks like the connection was dropped after 1 hour. So the workstation has accepted the connection. Timeout is a possibility.
0
0
A. Network latency is causing remote desktop service request to time out
My comment: By looking at the VPN log, timeout is the main reason to disconnect.
B. User1 has been locked out due to too many failed passwords
My comment: By looking at the VPN log, the user successfully connect through the fourth attempt. Enter wrong password for 3 times did not lock out the user. Therefore, B is definitely wrong.
C. Lack of network time synchronization is causing authentication mismatches
My comment: Although the time shown on VPN log, Corporate firewall log, and Workstation host firewall log are different. It does not necessary mean the network time sync is NOT working.
D. The workstation has been compromised and is accessing known malware sites
My Comment: There is NO sign to show the workstation has been compromised.
E. The workstation host firewall is not allowing remote desktop connections
My Comment: The IP address 10.1.1.5 is using the port 3389. Port 3389 is Remote Desktop Connection. It means the workstation host firewall is actually allowing remote desktop connections.
After comparing the five choices, I would pick A be my answer.
2
1
What do you mean you see No sign to show the workstation has been compromised? The workstation is constantly hitting hackersite111.com!
I agree the answer is A, but because his log in timed out because his computer is hitting the malware site over six times a second.
1
0
Agree, and what’s with all the ICMP traffic on the Corp Firewall?
1
0
I think that’s the host computer trying to initiate a DOS attack but being blocked by the firewall. That host is definitely infected.
0
0
I picked E.
Here’s my take:
VPN- The user entered the wrong password 3 times, but authenticated and achieved a VPN connection the 4th time.
Corporate Firewall- RDP packets allowed at 14:01:16.
Workstation- RDP connection is blocked by host firewall. “(msrdp) (action=drop)”
An hour later, the VPN connection, which is still open but hasn’t detected any activity, times out and disconnects.
The times all match up if you make the correct adjustments to the firewall’s time. (CST-5, CST-6)
5
0