Windows Server 2003 Network Security Design Study Guide (Exam 70-298) [Electronic resources]

Brian Reisman, Mitch Ruebush

نسخه متنی -صفحه : 168/ 90

Case Study Questions

You need to design an authentication strategy that will allow only authorized users to access the SportWeb server from the extranet. What should you do?

Configure the website to use SSL. Configure the website to require certificates. Enable and configure client certificate mappings to the website.

Configure the website to use SSL. Disable anonymous access to the website. Configure the folder that represents the website with Read permissions for the groups of users allowed to view the content.

Configure the web server to require IPSec traffic (Server Require). Configure the web server to communicate only with client computers whose IP addresses are located in the partners’ IP address range. Disable anonymous access on the website. Configure the client computers to use IPSec (Client Respond).

Configure the website to use digest authentication. Disable anonymous access. Configure the web server to communicate only with client computers whose IP addresses are located in the partners’ IP address range.

You need to design an authentication strategy for internal users to the extranet. What should you do?

Disable anonymous access to the website. Verify that Windows authentication is the only authentication method enabled.

Create a Local group called ExtranetUsers. Create a Group Policy object (GPO) that will deploy a computer certificate to all client computers. Create a mapping for the certificate to the website. Apply Read permissions to the GPO for ExtranetUsers.

Configure the website to use digest authentication. Disable anonymous access and integrated Windows authentication.

Configure the website to use Microsoft .NET Passport authentication. Disable anonymous access and integrated Windows authentication.

Using the following exhibit, which of the following business and security requirements does the proposed solution meet? (Choose all the apply.)

Traffic is encrypted between the partners’ networks and the extranet.

Integrated Windows authentication with the intranet web servers to support a single logon.

Certificate authentication between the partners’ networks and the extranet web server.

Partners can connect to only the web server that hosts the extranet application.

You need to design a way to update the content on the web server. Your solution must meet the business and security requirements contained in the scenario. What are two possible solutions? (Choose two.)

Use WebDAV over an SSL connection to connect to the web server to update content.

Install the FrontPage Server Extensions on the web server. Enable the FrontPage Server Extensions through Web Service Extensions. Use FrontPage or Visual Studio to update content.

Use FTP over IPSec connection to transfer content to the web server.

Share the folder that holds the contents of the website. Connect to the file share on the web server. Transfer content through the share.

You need to design a strategy to log access to the company’s web server. What should you do?

Enable logging on the company’s website and select the NCSA Common log file format as the log file format. Store the log files on a SQL Server computer.

Use System Monitor to create a counter log that captures network traffic to the web server by using the Web Service object. Store the log files on a SQL Server computer.

Run Network Monitor on the web server. Create a capture file. Store the captured information in SQL Server.

Enable logging on the company website and select ODBC Logging. Configure the ODBC Logging options and use an account that is not an administrator to connect to the SQL Server machine.

Answers

A. The CSO has stated that they need a strong security mechanism to access the extranet servers. He doesn’t think that a username and password scheme will be enough because the partner companies have weaker security policies that often allow users to write down passwords (or potentially have users giving out passwords over the phone). You can protect against these problems by using a two-part authentication mechanism that uses a certificate and username/password on the website. This will make it so that the cracker needs both items to log on to the server as a user. You will also need to enable SSL to support client certificates as it is part of the SSL protocol.

B. The CSO has stated that they need a strong security mechanism to access the extranet servers. This is enabled for the partner networks. You would then need to distribute certificates to your users who need to access the extranet. You can make this easier by using Active Directory Group Policy to distribute certificates for a group and then give the group appropriate access permissions to the site.

A, C, D. The solution allows encrypted web traffic to the extranet through the firewall and has enabled all the necessary features on the extranet server to allow for the use of certificate authentication. It also has removed users of the ExtraNet group from the Domain Users group so that they would not be able to authenticate on other servers. The internal ISA server will not pass any traffic except SMTP to prevent access from the outside world, including the extranet users.

A, C. The requirements state that the solution is secure and all WAN communications must be encrypted, which means that you will need to make sure that the users authenticate and the content is encrypted. You will need to look for protocols that are possible and a corresponding means to encrypt the content. In this case WebDAV with SSL, and FTP with IPSec will work because they provide a means of encryption. The other solutions do not provide encryption.

D. The requirements for logging state that the log needs to be kept in a SQL Server 2000 database. You will need to use ODBC logging to do this with the options we presented here. You could also move the information in the text-based log files to the database by using a script or third-party product. This would be done offline and would probably be a more scalable solution if the website had a high traffic volume.