Windows Server 2003 Network Security Design Study Guide (Exam 70-298) [Electronic resources]

Brian Reisman, Mitch Ruebush

نسخه متنی -صفحه : 168/ 97
نمايش فراداده

Review Questions

1.

You are the administrator for a small company and you need to apply security settings to the domain controller. You don’t have the time to create a custom security template and you need to make sure that there is as little an impact on the installed applications as possible. Which of the following predefined templates should you apply to the company’s domain controller?

DC security.inf

securedc.inf

hisecdc.inf

compatdc.inf

2.

You need to secure your DNS infrastructure and make sure that unauthorized Internet users cannot modify the records on your DNS servers. You currently have separate DNS servers for internal and external hostname resolution. What task should you complete to secure your DNS servers from this type of attack? (Choose the best answer.)

Disable dynamic updates on the external DNS server and put the internal DNS server behind a firewall.

Disable insecure updates on the internal and external DNS servers.

Configure your Internet firewall to prevent the DNS service port from coming through to your Internet DNS server.

Implement DNSSEC on your DNS servers.

3.

Which server operating systems are supported in a High Security environment for security templates? (Choose two.)

Windows NT 4

Windows 2000 Server

Windows NT 3.51

Windows Server 2003

4.

Your network currently supports clients running Windows 98 and Windows 2000 Professional. You need to secure the workstations and the servers, which are all running Windows Server 2003. Which security environment should be used when selecting pre-defined security templates?

Legacy Client environment

Enterprise Client environment

High Security environment

Secure Server environment

5.

You have created a custom template for file servers that has been applied to your server. You have decided to install the WINS service on this server. You have already configured IPSec filters for the file server. What two tasks must you complete before users on your network are able to use the WINS service that you have installed? (Choose two.)

Configure an IPSec filter for the WINS service.

Configure a DNSSEC filter for the DHCP service.

Create a new security template that sets the WINS service to autostart and sets the other settings specific to this server role.

Create a new security template that allows the FTP server port to run on the server.

6.

You are the administrator for a small company that needs to apply security settings to the main file server. You need to implement the highest security possible even if it causes some applications to fail. Which of the following predefined templates should you apply to the company’s domain controller?

securews.inf

securedc.inf

hisecdc.inf

hisecws.inf

7.

You need to reduce the potential for DNS spoofing to exploit and force your servers into transferring the zone records to an unknown server. What is the best way to reduce the occurrence of this type of attack?

Configure the DNS server to transfer zone information to a specified list of servers by their fully qualified domain names only.

Enable the Prevent Full Zone Transfer option.

Configure the DNS server to transfer zone information to a specified list of servers by their IP addresses only.

Configure the DNSSEC policy according to the standard.

8.

You are concerned that changes have been made to the domain controller of your network and they conflict with the policies defined in its baseline template. Which tool can you use to determine if the template’s settings are current on the server?

Security Templates snap-in

Group Policy Editor

Active Directory Users And Computers snap-in

Security Configuration And Analysis snap-in

9.

You are going to be developing a security template that will be used to maintain your organization’s security baseline based on server function. Which of the following settings can be configured using a security template? (Choose all that apply.)

Account Policies

System Services behavior

User Rights Assignment

IPSec Filters

Security Group Membership

Audit Policy

10.

You are the security administrator for your organization and are charged with the implementation of your organization’s security policies. Your boss has asked you to evaluate your organization’s risk for DNS zone information to be transferred to insecure servers. You are asked to make sure you disable zone transfers entirely when you install the new DNS servers. After you install the new DNS servers with the default options, what additional task must you complete in order to meet this requirement?

Uncheck the Allow Zone Transfers check box in the DNS server’s Properties dialog box.

Disable the DNS service.

Nothing.

Configure the server to allow secure zone transfers by specified IP addresses only.

Answers

1.

B. The securedc.inf template provides enhanced security with a low likelihood of conflicting with application compatibility. The DC security.inf template is the one created when the server is promoted to a domain controller and has the default security settings for domain controllers stored in it. The hisecdc.inf template is more secure than the securedc.inf template, mostly because it puts a higher priority on security than application compatibility or functionality. There is no predefined template named compatdc.inf.

2.

A. The best way to prevent malicious updates from the Internet is to not allow Internet-accessible DNS servers to accept updates. Therefore, option A is better than option B. If you prevent the Internet DNS Server from being accessed through the DNS server port, Internet users will not be able to resolve the name of your Internet servers. Windows Server 2003 does not fully support DNSSEC and cannot be used for security or authorization with only Windows Server 2003 DNS servers.

3.

B, D. Windows NT 4 and Windows NT 3.51 are not supported server operating systems for the High Security environment. Windows 2000 Server and higher are the supported server operating systems.

4.

A. The Enterprise Client and High Security environments support only clients running Windows 2000 Professional and Windows XP Professional. There is no predefined security environment named Secure Server environment.

5.

A, C. You must configure IPSec so that WINS requests and responses will be processed to and from the server. DNSSEC is not supported fully on Windows Server 2003 and doesn’t have any filtering attributes to its functionality, nor is it relevant to the operation of a WINS server. You will need to configure a template that includes the automatic startup behavior for the WINS service. This is not an FTP server and therefore the FTP port doesn’t need to be open on the server.

6.

D. The hisecws.inf has the highest level of security in a predefined template that could be applied to a file server. The securedc.inf and the hisecdc.inf are to be applied to domain controllers, not file servers. Therefore, options B and C are incorrect. The securews.inf file is not as secure as the hisecws.inf file. Therefore, option A is incorrect.

7.

C. Both options A and C would work. However, option A is susceptible to DNS spoofing because it relies on name resolution for the allowed server list, whereas specifying the IP addresses of the machines that are allowed to receive the zone information does not depend on any name resolution feature, so a DNS spoof attack will not compromise the zone transfers. Therefore, option C is correct and option A is not. Option B is incorrect because there is no Prevent Full Zone Transfer option. Option D is incorrect because Windows Server 2003 does not fully support the DNSSEC standard, not that it would aid you in this scenario if it were supported.

8.

D. The only utility that provides the functionality to analyze the differences between the effective settings on a machine and those that are defined in a template is the Security Configuration And Analysis snap-in. The Security Templates snap-in is used for creating and modifying templates, the Group Policy editor is used to modify Group Policy settings; and the Active Directory Users And Computers snap-in is used for, among other things, to create containers and objects in the Active Directory.

9.

A, B, C, F. You can define Account Policies and Local Policies settings, including Auditing and User Rights Assignment settings —as well as the behavior of System Services from within security templates. Therefore options A, B, C, and F are correct. Options D and E are incorrect because they cannot be configured using security templates. IPSec filters are configured from within the network connection settings, and security group membership is usually managed using Active Directory Users And Computers.

10.

C. Zone transfers are disabled by default. Therefore, there is no need to change any setting or configuration option. Options A, B, and D are incorrect.