You are an Enterprise administrator for ABC.com. All servers on the corporate network run
Windows Server 2003 and all client computers run Windows XP.
The network contains a server named ABC-SR01 that has Routing and Remote Access service
and a modem installed which connects to an external phone line.
A partner company uses a dial-up connection to connect to ABC-SR01 to upload product and
inventory information. This connection happens between the hours of 1:00am and 2:00am every
morning and uses a domain user account to log on to ABC-SR01.
You have been asked by the security officer to secure the connection.
How can you ensure that the dial-up connection is initiated only from the partner company and that
access is restricted to just ABC-SR01? Choose three.

A.
Set up the log on hours restriction for the domain user account to restrict the log on to between
the hours of 1:00am and 2:00am.

B.
Set up a local user account on ABC-SR01. Have the dial-up connection configured to log on
with this account.

C.
Set up the remote access policy on ABC-SR01 to allow the connection for the specified user
account between the hours of 1:00am and 2:00am.

D.
Set up the remote access policy with the Verify Caller ID option to only allow calling from the
phone number of the partner company modem.

E.
Set up the remote access policy to allow access to the domain user account only.

Explanation:
To allow only the minimum amount of access to the network, ensure that only the
partner’s application can connect to your network over the dial-up connection, you need to first
create a local account named on ABC-SR01. You need to then add this account to the local Users
group and direct the partner company to use this account for remote access.
You can use a local account to provide remote access to users. The user account for a stand-alone server or server running Active Directory contains a set of dial-in properties that are used
when allowing or denying a connection attempt made by a user. You can use the Remote Access
Permission (Dial-in or VPN) property to set remote access permission to be explicitly allowed,
denied, or determined through remote access policies.
Next, you need to configure a remote access policy on ABC-SR01 to allow the connection for only
the specified user account between 1 AM and 2 AM.
In all cases, remote access policies are used to authorize the connection attempt. If access is
explicitly allowed, remote access policy conditions, user account properties, or profile properties
can still deny the connection attempt.
You need to then configure the policy to allow only the specific calling station identifier of the
partner company’s computer. When the Verify Caller ID property is enabled, the server verifies the
caller’s phone number. If the caller’s phone number does not match the configured phone number,
the connection attempt is denied.
Reference: Dial-in properties of a user account
http://technet.microsoft.com/en-us/library/cc738142.aspx