Windows Server 2003 Network Security Design Study Guide (Exam 70-298) [Electronic resources]

Brian Reisman, Mitch Ruebush

نسخه متنی -صفحه : 168/ 87
نمايش فراداده

Review Questions

1.

Your company has the following requirement: All traffic sent over WAN links must be secure. What protocol would you enable for web content sent over the WAN? (Choose all that apply.)

HTTP

SSL

IPSec

MD5

2.

What protocols are included as part of IIS? (Choose all that apply.)

SMTP

HTTP

SMB

NetBIOS

3.

Your company has had some security issues with the WebDAV protocol due to improperly applied permissions. Your boss has decided that WebDAV does not need to be running on the IIS servers. You need to prohibit WebDAV. What should you do?

Set the EnableWebDAV key in each website’s portion of the metabase to False.

Set the EnableWebDAV key in the IIS portion of the Registry to False.

Install UrlScan 2.5 on the server. Configure UrlScan to filter WebDAV.

Prohibit WebDAV in the Web Service Extensions section of the IIS Manager administration tool.

4.

You need to authenticate a user with a domain controller running Active Directory. The client is using Internet Explorer 6 on Windows XP. You want to use the Kerberos protocol to authenticate your users. Which option should you choose for authentication?

Basic authentication

Digest authentication

Integrated Windows authentication

.NET Passport authentication

5.

You need to enable authentication on your server, but you need to support any browser that the user chooses to use. You will also need to use a SQL Server 2000 database to store the credentials. What authentication method should you use?

Forms-based authentication

Basic authentication

.NET Passport authentication

Certificate authentication

6.

You need to provide a secure authentication mechanism for an extranet with two partner sites. The partner sites will have approximately 200 users each. You want a secure but easy-to-manage authentication method. You do not require the identification of each individual user, just the organization. What should you do?

Enable SSL on the extranet website. Generate a certificate and user account for each user in the partner company. Enable the one-to-one certificate mapping with the appropriate Windows user account. Set proper permissions based on the user account.

Enable SSL on the extranet website. Generate a certificate and user account for each partner in the partner company. Enable the many-to-one certificate mapping with the appropriate Windows user account. Set proper permissions based on the user account.

Enable .NET Passport authentication.

Enable forms-based authentication. Assign each user a username and password. Have each user authenticate through the web page.

7.

You need to authenticate a user with a domain controller running Active Directory. The client will use an HTTP 1.1–compliant browser, but it will not necessarily be Internet Explorer. You do not need encryption for all content and have chosen not to enable SSL. You need to provide for password security. Which option should you choose for authentication?

Basic authentication

Digest authentication

Integrated Windows authentication

.NET Passport authentication

8.

One of your company’s web applications keeps crashing. You suspect that an attacker is exploiting a bug in the server to cause it to crash, thereby creating a denial of service attack. You need to determine what web requests are causing the web server to crash. What type of logging should you enable on the server?

Protocol logging

Audit object access with Windows auditing

ODBC logging

Network Monitor logging

9.

You need to log what users are downloading from the website. What should you do?

Enable protocol logging for the website.

Use Performance Monitor to monitor the Downloads\Content counter.

Install Network Monitor to record all activity with the server.

Enable auditing on the directories from which the content is hosted. Audit successful downloads of content.

10.

You need to update the content on your web server. The content is sensitive and should remain private. Your server is on the other side of a firewall that allows only HTTP and HTTPS to pass through it. What should you do?

Use WebDAV to update the content of the server. You don’t need to worry about encryption because WebDAV is secure.

Use WebDAV to update the content of the server. Enable SSL on the site to encrypt the content as it is being updated.

Install FTP on the web server. Configure FTP to update the virtual directory. Use FTP to upload the new content.

Install FTP on the web server. Configure FTP to update the virtual directory. Use FTP to upload the new content. Configure IPSec on the server and client to encrypt the traffic.

Answers

1.

B, C. SSL and IPSec would both be correct with the information provided in the question. Both of these protocols allow you to establish a secure session with a server. HTTP does not provide encryption. MD5 is a signing algorithm, not an encryption protocol.

2.

A, B. Simple Mail Transfer Protocol (SMTP) and Hypertext Transfer Protocol (HTTP) are part of IIS. Server Message Block (SMB) and NetBIOS are not, but they are part of Windows networking.

3.

D. IIS 6 introduces the Web Service Extensions section of the IIS Manager. It allows you to enable or prohibit various ISAPI extensions installed on the server. This is the preferred way to disable WebDAV with IIS 6. You could install UrlScan and filter the WebDAV protocol, but it is no longer the preferred method. The metabase and Registry keys do not exist.

4.

C. You would choose integrated Windows authentication, which supports either NT LAN Manager or Kerberos v5 for authentication. Basic authentication sends the credentials to the server in plain text but does not use Kerberos. Digest authentication will encrypt the password but does not use Kerberos. .NET Passport authentication uses a mechanism similar to Kerberos to authenticate users, but it is not Kerberos.

5.

A. You should create a web page to request the information required to authenticate the user. This means a developer will need to write code to authenticate the credentials against a database in SQL Server 2000. If the credentials check out, then the user is directed to the requested URL. Basic, .NET Passport, and certificate authentication support many different clients but require the use of Active Directory.

6.

B. You will want to enable a certificate mechanism to be most secure because the user needs a certificate to authenticate. .NET Passport authentication and forms-based authentication are not as secure and require more work in the form of custom programming for the website. Option A requires more work than necessary in setting up and maintaining all the user accounts, certificates, and mappings because the business requirements state that they are not interested in identifying individual users, just the partner organizations. You would map certificates to the partner organization based on a rule.

7.

B. You would choose digest authentication because it will provide for encryption of the password and works with HTTP 1.1–compliant browsers. This option requires using Active Directory on Windows Server 2003. Basic authentication sends the password in clear text. Integrated Windows authentication only works with Internet Explorer. .NET Passport authentication does not use Active Directory.

8.

A. Protocol logging logs the URLs and additional information for each request that comes to the server into a text file. This file can be a standard form that is readily parsed by a number of applications for reporting purposes. Audit object access with Windows auditing would only log access to files on the NTFS file system that the website was on. The hacker may be exploiting a bug that never touches a file on the file system, so this log may yield nothing useful. ODBC logging is just an option to store your protocol log, so it could capture the information, but it is a more complex form of logging and is not the simplest solution. Network Monitor would work in capturing the information if it is configured correctly, but it is not the simplest approach.

9.

A. You would enable protocol logging for the website; protocol logging will record all requests sent to the server in a text file or in an ODBC-compliant database like SQL Server 2000. This is the easiest way to get this information. Network Monitor would record the information, but it would be more difficult to parse and read, so protocol logging is a better choice. You cannot use Performance Monitor or auditing to obtain the same information.

10.

B. You will need to use WebDAV because the firewall will not pass FTP traffic. You will also need to use SSL to encrypt the content update because WebDAV has no built-in encryption mechanism.