Web Security School Entrance Exam




By Michael Cobb

1.) What is SSL used for?
a. Encrypt data as it travels over a network
b. Encrypt files located on a Web server
c. Encrypt passwords for storage in a database
d. Encrypt specific elements of data for application-specific purposes
e. Encrypt digital certificates used to authenticate a Web site

2.) Which port does HTTPS use?
a. 21
b. 53
c. 80
d. 137
e. 443

3.) True or False: An IT security risk analysis is the same as an IT vulnerability assessment.

4.) Phishing differs from adware and spyware because
a. it is not a problem for organizations but individuals.
b. it installs malicious software on your PC.
c. it uses social engineering and technical subterfuge whereas the other two do not.
d. it is easier to stop.
e. None of the above

5.) Which is the recommended setting for auditing policy settings to audit Object Access?
a. Success: Off, Failure: Off
b. Success: Off, Failure: On
c. Success: On, Failure: Off
d. Success: On, Failure: On
e. None of the above

6.) As the administrator for a Windows-based network, you are installing Windows 2000 Server on a computer which will run IIS and be connected to the Internet. Your domain name is mycompany.com. During the setup the installer asks whether you want this computer to be a member of a domain. Which option do you select?
a. No, this computer is not on a network or is on a network without a domain.
b. Yes, make this computer a member of the following domain: mycompany.com.

7.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site?
a. IIS Admin Service
b. Performance Logs and Alerts
c. Protected Storage
d. Server Service
e. World Wide Web Publishing Service

8.) By default, IIS is configured to support many different common file name extensions that are related to a variety of features in IIS. Your site uses Active Server Pages and PHP for creating pages on the fly. Besides .asp and .php, what other file name extensions should be mapped to IIS?
a. .htw
b. .printer
c. .sthm
d. .idq
e. None of the above

9.) Which is the recommended log file format for logging IIS events?
a. Microsoft IIS Log File Format
b. NCSA Common Log File Format
c. W3C Extended Log File Format

10.) Web server A is set up to log system and IIS activity. Which is the best set-up from the list below?
a. Log File Directory: %WinDir%\System32\LogFiles
b. Log File Directory: C:\Inetpub\wwwroot\LogFiles
c. Log File Directory: E:\Inetpub\wwwroot\LogFiles
d. Log File Directory: E:\Inetpub\LogFiles
e. Log File Directory: F:\LogFiles

11.) Which of the following network designs is considered the most secure?
a. Flat network
b. Triple-homed perimeter network
c. Back-to-back perimeter network

12.) Which of the following steps is not required to configure IIS to handle encrypted sessions?
a. Create a public-key pair in IIS to submit to a Certificate Authority (CA) when you request a certificate.
b. Request a server certificate from the CA.
c. Sign for the certificate when FedEx delivers it.
d. Install the certificate.
e. Configure the directories and pages that you want to secure.

13.) True or False: You don't need a digital certificate installed on your Web server to be able to securely manage it remotely using Windows Terminal Services.

14.) True or False: You can use the Microsoft Event Viewer snap-in to view your Windows and IIS log files.

15.) Which of the following is the best definition of risk analysis when discussing IT security?
a. Risk analysis looks at the probability that a hacker may break in to your system.
b. Risk analysis looks at the probability that your security measures won't stop a hacker breaking in to your system.
c. Risk analysis determines what resources you need to protect and quantifies the costs of not protecting them.
d. Risk analysis looks at the probability that a vulnerability exists in your system.
e. Risk analysis looks at the consequences of being connected to the Internet.

16.) Which is the correct set of network components that need to be available for the Internet-facing network card of a dual-homed IIS Web server running on Windows 2000?
a. Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP)
b. Client for Microsoft Networks, Internet Protocol (TCP/IP)
c. Internet Protocol (TCP/IP)
d. File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP)
e. None of the above

17.) Which is the correct definition of the Windows user right assignment "Log on locally"?
a. Determines which users can log on at the computer
b. Determines which users are prevented from logging on at the computer
c. Determines which service accounts can register a process as a service
d. Determines which users and groups are allowed to connect to the computer over the network
e. Allows a user to be logged on by means of a batch-queue facility

18.) What are the correct ACLs for IIS-generated log files?
a. System (Full Control), Administrators (Full Control), Everyone (RWC)
b. System (RWC), Administrators (Full Control), Everyone (RWC)
c. System (Full Control), Administrators (Full Control)
d. System (Full Control), Administrators (RWC)
e. System (Full Control), Administrators (Full Control), Guest (RWC)

19.) Which one of the following components does not need to be installed to run IIS on a Windows server?
a. Common Files
b. Internet Information Services Snap-in
c. Networking Services
d. World Wide Web Server
e. They all need to be installed

20.) The Security Accounts Manager database stores usernames, account privileges and security context information for every user allowed to log on to a Windows machine locally. Which copy of the SAM database should you delete on a Windows Web server?
a. Program Files\Microsoft\SAM
b. WINNT\SYSTEM32\SAM
c. WINNT\SYSTEM32\CONFIG\SAM
d. WINNT\REPAIR\SAM
e. None of them

Check your answers below, and then see how you scored:

15-20 correct: Web Security Superstar! Hone your knowledge with these checklists available at searchsecurity.com/websecurityschool:
Essential fortification checklist
Developer's active content delivery checklist
Spyware removal checklist

Less than 15 correct: Time to enroll in Web Security School! In just a few short hours you can go from novice to expert.
Lesson 1: Securing a Web server
Lesson 2: Defeating Web attacks
Lesson 3: Securing Web apps
searchsecurity.com/websecurityschool

----------------------------------------------------------------------------

ANSWERS

1.) The correct answer is: a. Encrypt data as it travels over a network
Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of data in transmission across a network such as the Internet.

2.) The correct answer is: e. 443
Port 21 is used by FTP, and 53 is used by DNS. HTTP uses port 80 and NetBIOS uses port 137. HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer (HTTP over SSL) and is a Web protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server.

3.) The correct answer is: False
A risk analysis is not the same as a vulnerability assessment. Risk analysis determines what resources you need to protect and tries to quantify any costs linked to not protecting them, such as loss of data, replacement of equipment, etc. It is the process of examining all of your risks and ranking those risks by level of severity. A vulnerability assessment looks at the likelihood of those risks actually happening, enabling you to decide which risks you are most vulnerable to and, based on their severity, which you need to protect against first. The two processes combined help you to prioritize your security policy and maximize your investment in securing your system.

4.) The correct answer is: e. None of the above
Phishing is a problem for organizations because it can affect their reputation. All three use social engineering and technical subterfuge to try and gain access to information. Technical subterfuge involves installing malicious software on a PC. Finally, they are all threats that are very difficult to stop and require security awareness training to reduce their potential impact.

5.) The correct answer is: b. Success: Off, Failure: On
Setting Object Access auditing determines whether to audit the event of a user accessing an object; for example, a file, folder, registry key, printer and so forth. Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. If you log every successful object access event, your log files will fill up with enormous amounts of data that will not tell you anything useful about an attack, as the user accessing the object obviously had permission to access the object.

6.) The correct answer is: a. No, this computer is not on a network or is on a network without a domain.
You should keep the Web server separate from your intranet. If the Web server is successfully attacked and it is part of your network domain, then the rest of your network could be exposed, allowing the attacker to compromise every machine on your network.

7.) The correct answer is: d. Server Service
The Server Service is only required if you are going to run SMTP or NNTP services.

8.) The correct answer is: e. None of the above
Any nonessential application mappings should be removed to minimize the possibility of their being exploited in an attack. For example, files that have the extension .htw are handled by webhits.dll, but a vulnerability in webhits allows attackers to break out of the Web virtual root file system. You do not need a printer attached to a Web server, and as you are using ASP and PHP, you do not need Server Side Directives or the .sthm file type. Internet Data Query (.idq) files for the Indexing Service can allow an attacker to break outside of the Web virtual root and gain unauthorized access to files.

9.) The correct answer is: c. W3C Extended Log File Format
This option allows you to log more information that is useful for monitoring the activity on your Web site. For example, you can log the query the client was trying to perform (if any) and the browser used on the client, and record the process event.

10.) The correct answer is: e. Log File Directory: F:\LogFiles
The log files are being stored on a different drive from the operating system and the Web site's content. The F drive should be an NTFS-formatted drive.

11.) The correct answer is: c. Back-to-back perimeter network
This layout uses two firewalls to separate the perimeter network from the Internet on one side and the internal network on the other side. A triple-homed network is certainly more secure than a flat network, where all resources are on the same network, but it is more suitable to a low-budget, low-value network.

12.) The correct answer is: c. Sign for the certificate when FedEx delivers it.
The digital certificate will be delivered via the Internet, most likely from the CA's Web site. All the other steps are required to configure IIS to handle encrypted sessions.

13.) The correct answer is: True
You don't need a digital certificate installed on your Web server, as Microsoft has built encryption into both the Terminal Services client and server using RSA Security's RC4 cipher -- the same encryption algorithm commonly used for the Secure Socket Layer (SSL) protocol that is used to secure communications over the Internet.

14.) The correct answer is: False
The Event Viewer snap-in is used to view application, security and system events recorded by the Event Log Service. With the event logs in Event Viewer, you can obtain information about your hardware, software and system components, and monitor security events on a local or remote computer, but you cannot use it to view IIS logs. To view your IIS-generated log files, you need to open them in a text viewer such as Notepad, or use a report generator program such as Analog, which is freely available at www.analog.cx.

15.) The correct answer is: c. Risk analysis determines what resources you need to protect and quantifies the costs of not protecting them.
Risk analysis is determining what resources you need to protect and quantifying any costs linked to not protecting them, such as loss of data, replacement of equipment, etc. It ranks those risks by level of severity. A vulnerability assessment looks at the likelihood of those risks actually happening.

16.) The correct answer is: c. Internet Protocol (TCP/IP)
The only service you need to run for IIS on the Internet-facing network card is the Internet Protocol (TCP/IP). You have two network cards in a dual-homed system, and the internal-facing card requires the Internet Protocol (TCP/IP) and Client for Microsoft Networks. This instance of Client for Microsoft Networks is sufficient to allow IIS to run. All other protocols and services, such as File and Printer Sharing for Microsoft Networks, should not be enabled.

17.) The correct answer is: a. Determines which users can log on at the computer
Option b. is the definition for the "Deny logon locally" assignment, while option c. is for the "Log on as a service" assignment. Option d. is the definition for "Access this computer from the network" and option e. is the definition for "Log on as a batch job."

18.) The correct answer is: c. System (Full Control), Administrators (Full Control)
You need to prevent hackers from deleting your log files to cover their tracks. Several Microsoft documents state that the Everyone group should have Read and Change permissions set for the log files, but this level of permission can expose sensitive data and allow an attacker to change ACLs on the log file directory. So it is best not to assign permissions at all to the Everyone group and not to give Change rights to any files that can be accessed over the network.

19.) The correct answer is: c. Networking Services
Networking Services contains a variety of specialized, network-related services and protocols, none of which are needed to run IIS. Common Files contains program files required by IIS, while the Snap-in provides the administrative interface for IIS.

20.) The correct answer is: d. WINNT\REPAIR\SAM
The file WINNT\Repair\SAM is a backup copy of the Security Accounts Manager database. A directory traversal attack could be used to download this file and give an attacker user-level access to the Web server operating system. Apart from WINNT\SYSTEM32\CONFIG\SAM, the other SAM files are fictitious.
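As an added example that is not part of the exam, this Python script parses the W3C Extended log format recommended in answer 9 (which, as answer 14 notes, Event Viewer cannot display) and flags requests for the application mappings answer 8 says to remove and for the SAM paths named in answer 20; the log entries and client addresses are constructed for illustration.

```python
"""Added example (not from the exam): parse IIS W3C Extended log entries and
flag the requests the answers to Q8 and Q20 warn about. Data is constructed."""
import os
import re
from urllib.parse import unquote

# Constructed sample in W3C Extended format: '#' lines are directives, the
# '#Fields:' directive names the columns and '-' marks an empty field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-03-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-03-01 00:00:01 203.0.113.5 GET /index.asp - 200 Mozilla/4.0
2005-03-01 00:00:02 203.0.113.5 GET /products.php id=7 200 Mozilla/4.0
2005-03-01 00:00:03 198.51.100.9 GET /search.htw - 200 -
2005-03-01 00:00:04 198.51.100.9 GET /scripts/..%2f..%2fwinnt/repair/sam - 404 -
2005-03-01 00:00:05 198.51.100.9 GET /query.idq - 200 -
"""

# Mappings the answer to Q8 says an ASP/PHP-only site should remove.
RISKY_EXTENSIONS = {".htw", ".idq", ".printer", ".sthm"}
# The SAM copies named in Q20: the repair backup and the live hive.
SAM_PATH = re.compile(r"(?:^|/)winnt/(?:repair|system32/config)/sam\b", re.I)

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in entry: {line!r}")
        yield dict(zip(fields, values))

def normalize(uri):
    """Percent-decode until stable and canonicalize separators, so encoded
    traversal sequences are compared in one form before matching."""
    prev = None
    while uri != prev:
        prev, uri = uri, unquote(uri)
    return uri.replace("\\", "/").lower()

def find_suspicious(text):
    """Return (client ip, reason, requested stem) for each entry that asks for
    a risky mapping or a path to a SAM file, whatever the status code."""
    hits = []
    for entry in parse_w3c(text):
        stem = normalize(entry["cs-uri-stem"])
        ext = os.path.splitext(stem)[1]
        if ext in RISKY_EXTENSIONS:
            hits.append((entry["c-ip"], f"unmapped extension {ext}", stem))
        if SAM_PATH.search(stem):
            hits.append((entry["c-ip"], "path to SAM database", stem))
    return hits
```

Entries are flagged even when the server answered 404, because a probe for a mapping that should not exist is the signal worth reviewing, not whether it succeeded.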