Web Security School Entrance Exam

Transcription

1 Web Security School Entrance Exam By Michael Cobb 1) What is SSL used for? a. Encrypt data as it travels over a network b. Encrypt files located on a Web server c. Encrypt passwords for storage in a database d. Encrypt specific elements of data for application-specific purposes e. Encrypt digital certificates used to authenticate a Web site 2.) Which port does HTTPS use? a. 21 b. 53 c. 80 d. 137 e ) True or False: An IT security risk analysis is the same as an IT vulnerability assessment. 4.) Phishing differs from adware and spyware because a. it is not a problem for organizations but individuals. b. it installs malicious software on your PC. c. it uses social engineering and technical subterfuge whereas the other two do not. d. it is easier to stop. e. None of the above

2 5.) Which is the recommended setting for auditing policy settings to audit Object Access? a. Success: Off, Failure: Off b. Success: Off, Failure: On c. Success: On, Failure: Off d. Success: On, Failure: On e. None of the above 6.) As the administrator for a Windows-based network, you are installing Windows 2000 Server on a computer, which will run IIS and be connected to the Internet. Your domain name is mycompany.com. During the setup the installer asks whether you want this computer to be a member of a domain. Which option do you select? a. No, this computer is not on a network or is on a network without a domain. b. Yes, make this computer a member of the following domain: mycompany.com. 7.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site? a. IIS Admin Service b. Performance Logs and Alerts c. Protected Storage d. Server Service e. World Wide Web Publishing Service 8.) By default, IIS is configured to support many different common file name extensions that are related to a variety of features in IIS. Your site uses Active Server Pages and PHP for creating pages on the fly. Besides.asp and.php what other file name extensions should be mapped to IIS? a..htw b..printer c..sthm d..idq e. None of the above 9.) Which is the recommend log file format for logging IIS events? a. Microsoft IIS Log File Format b. NCSA Common Log File Format c. W3C Extended Log File Format 10.) Web server A is set up to log system and IIS activity. Which is the best set up from the list below? a. Log File Directory: %WinDir%\System32\LogFiles b. Log File Directory: C:\Inetpub\wwwroot\LogFiles

3 c. Log File Directory: E:\Inetpub\wwwroot\LogFiles d. Log File Directory: E:\Inetpub\LogFiles e. Log File Directory: F:\LogFiles 11.) Which of the following network designs is considered the most secure? a. Flat network b. Triple-homed perimeter network c. Back-to-back perimeter network 12.) Which of the following steps is not required to configure IIS to handle encrypted sessions? a. Create a public-key pair in IIS to submit to a Certificate Authority (CA) when you request a certificate. b. Request a server certificate from the CA. c. Sign for the certificate when FedEx delivers it. d. Install the certificate. e. Configure the directories and pages that you want to secure. 13.) True or False: You don't need a digital certificate installed on your Web server to be able to securely manage it remotely using Windows Terminal Services. 14.) True or False: You can use the Microsoft Event Viewer snap-in to view your Windows and IIS log files. 15.) Which of the following is the best definition of risk analysis when discussing IT security? a. Risk analysis looks at the probability that a hacker may break in to your system. b. Risk analysis looks at the probability that your security measures won t stop a hacker breaking in to your system. c. Risk analysis determines what resources you need to protect and quantifies the costs of not protecting them. d. Risk analysis looks at the probability that a vulnerability exists in your system. e. Risk analysis looks at the consequences of being connected to the Internet. 16.) Which is the correct set of network components that need to be available for the Internet-facing network card of a dual-homed IIS Web server running on Windows 2000? a. Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP) b. Client for Microsoft Networks, Internet Protocol (TCP/IP) c. Internet Protocol (TCP/IP) d. File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP)

4 e. None of the above 17.) Which is the correct definition of the Windows user right assignment Log on locally? a. Determines which users can log on at the computer b. Determines which users are prevented from logging on at the computer c. Determines which service accounts can register a process as a service d. Determines which users and groups are allowed to connect to the computer over the network e. Allows a user to be logged on by means of a batch-queue facility 18.) What are the correct ACLs for IIS-generated log files? a. System (Full Control), Administrators (Full Control), Everyone (RWC) b. System (RWC), Administrators (Full Control), Everyone (RWC) c. System (Full Control), Administrators (Full Control) d. System (Full Control), Administrators (RWC) e. System (Full Control), Administrators (Full Control), Guest (RWC) 19.) Which one of the following components does not need to be installed to run IIS on a Windows server? a. Common Files b. Internet Information Services Snap-in c. Networking Services d. World Wide Web Server e. They all need to be installed 20.) The Security Accounts Manager database stores usernames, account privileges and security context information for every user allowed to log on to a Windows machine locally. Which copy of the SAM database should you delete on a Windows Web server? a. Program Files\Microsoft\SAM b. WINNT\SYSTEM32\SAM c. WINNT\SYSTEM32\CONFIG\SAM d. WINNT\REPAIR\SAM e. None of them

5 Check your answers below, and then see how you scored: correct: Web Security Superstar! Hone your knowledge with these checklists available at searchsecurity.com/websecurityschool: Essential fortification checklist Developer's active content delivery checklist Spyware removal checklist Less than 15 correct: Time to enroll in Web Security School! In just a few short hours you can go from novice to expert. Lesson 1: Securing a Web server Lesson 2: Defeating Web attacks Lesson 3: Securing Web apps searchsecurity.com/websecurityschool ANSWERS 1.) The correct answer is: a. Encrypt data as it travels over a network Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of data in transmission across a network such as the Internet. 2.) The correct answer is: e. 443 Port 21 is used by FTP, and 53 is used by DNS. HTTP uses port 80 and NetBIOS uses port 137. HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer (HTTP over SSL) and is a Web protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. 3.) The correct answer is: False A risk analysis is not the same as a vulnerability assessment. Risk analysis determines what resources you need to protect and tries to quantify any costs linked to not protecting them, such as loss of data, replacement of equipment, etc. It is the process of examining all of your risks and ranking those risks by level of severity. A vulnerability assessment looks at the likelihood of those risks actually happening, enabling you to make a decision as to what risks you are most vulnerable, and based on their severity, which

6 you need to protect against first. The two processes combined help you to prioritize your security policy and maximize your investment in securing your system. 4.) The correct answer is: e. None of the above. Phishing is a problem for organizations because it can affect their reputation. All three use social engineering and technical subterfuge to try and gain access to information. Technical subterfuge involves installing malicious software on a PC. Finally, they are all threats that are very difficult to stop and require security awareness training to reduce their potential impact. 5.) The correct answer is b. Success: Off, Failure: On Setting Object Access auditing determines whether to audit the event of a user accessing an object; for example, a file, folder, registry key, printer and so forth. Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. If you log every successful object access event your log files will fill up with enormous amounts of data that will not tell you anything useful about an attack as the user accessing the object obviously had permission to access the object. 6.) The correct answer is: a. No, this computer is not on a network or is on a network without a domain. You should keep the Web server separate from your intranet. If the Web server is successfully attacked and it is part of your network domain, then the rest of your network could be exposed, allowing the attacker to compromise every machine on your network. 7.) The correct answer is: d. Server Service The Server Service is only required if you are going to run SMTP or NNTP services. 8.) The correct answer is: e. None of the above Any nonessential application mappings should be removed to minimize the possibility of their being exploited in an attack. For example, files that have the extension.htw are handled by webhits.dll, but a vulnerability in webhits allows attackers to break out of the Web virtual root file system. You do not need a printer attached to a Web server, and as you are using ASP and PHP, you do not need Server Side Directives or the

7 .sthm file type. Internet Data Query (.idq) files for the Indexing Service can allow an attacker to break outside of the Web virtual root and gain unauthorized access to files. 9.) The correct answer is: c. W3C Extended Log File Format This option allows you to log more information that is useful for monitoring the activity on your Web site. For example, you can log the query the client was trying to perform (if any) and the browser used on the client, and record the process event. 10.) The correct answer is: e. Log File Directory: F:\LogFiles The log files are being stored on a different drive to the operating system and the Web site's content. The F drive should be an NTFS formatted drive. 11.) The correct answer is: c. Back-to-back perimeter network This layout uses two firewalls to separate the perimeter network from the Internet on one side and the internal network on the other side. A tripled-homed network is certainly more secure than a flat network, where all resources are on the same network, but it is more suitable to a low budget, low value network. 12.) The correct answer is: c. Sign for the certificate when FedEx delivers it. The digital certificate will be delivered via the Internet, most likely from the CA s Web site. All the other steps are required to configure IIS to handle encrypted sessions. 13.) The correct answer is: True You don't a digital certificate installed on your Web server, as Microsoft has built encryption into both the Terminal Services client and server using RSA Security's RC4 cipher -- the same encryption algorithm commonly used for the Secure Socket Layer (SSL) protocol that is used to secure communications over the Internet. 14.) The correct answer is: False The Event Viewer snap-in is used to view application, security and system events recorded by the Event Log Service. With the event logs in Event Viewer, you can obtain information about your hardware, software and system components, and monitor security events on a local or remote computer, but you cannot use it to view IIS logs. To view your IIS-generated log files, you need to open them in a text viewer such as notepad, or use a report generator program such as Analog, which is freely available at

8 15.) The correct answer is: c. Risk analysis determines what resources you need to protect and quantifies the costs of not protecting them. Risk analysis is determining what resources you need to protect and quantifying any costs linked to not protecting them, such as loss of data, replacement of equipment, etc. It ranks those risks by level of severity. A vulnerability assessment looks at the likelihood of those risks actually happening. 16.) The correct answer is: c. Internet Protocol (TCP/IP) The only service you need to run for IIS on the Internet facing network card is the Internet Protocol (TCP/IP). You have two network cards in a dual-homed systems and the internal-facing card requires the Internet Protocol (TCP/IP) and Client for Microsoft Networks. This instance of Client for Microsoft Networks is sufficient to allow IIS to run. All other protocols and services, such as File and Printer Sharing for Microsoft Networks should not be enabled. 17.) The correct answer is: a. Determines which users can log on at the computer Option b. is the definition for the "Deny logon locally" assignment, while option c. is for the "Log on as a service assignment." Option d. is the definition for "Access this computer from the network" and option e. is the definition for "Log on as a batch job." 18.) The correct answer is: c. System (Full Control), Administrators (Full Control) You need to prevent hackers from deleting your log files to cover their tracks. Several Microsoft documents state that the Everyone group should have Read and Change permissions set for the log files, but this level of permission can expose sensitive data and allow an attacker to change ACLs on the log file directory. So it is best to not assign permissions at all to the Everyone group and not to give Change rights to any files that can be accessed over the network. 19.) The correct answer is: c. Networking Services Networking Services contains a variety of specialized, networkrelated services and protocols, none of which are needed to run IIS. Common Files contains program files required by IIS, while the Snap-in provides the administrative interface for IIS. 20.) The correct answer is: d. WINNT\REPAIR\SAM The file WINNT\Repair\SAM is a backup copy of the Security Accounts Manager database. A directory traversal attack could be used to download this file and give an attacker user-level access to

9 the Web server operating system. Apart form the WINNT\SYSTEM32\ CONFIG\SAM, the other SAM files are fictitious.