If you have a web server that needs to be accessible from both your internal network as well as the Internet, the most secure way to do this is to place the server;
on the internet
on your internal network behind a firewall
in a DMZ
in a dual configuration
The best way to ensure that a role like DNS is installed on your Windows server using recognized industry practices is to use:
SCW
BPA
sconfig
winrm
If you wish to test all your WIndows updates before allowing your clients to install the updates, you should
Use GPO's to share updates and push them to your clients
have your clients download the updates from the Internet
Use a WSUS server
Use Mac clients, they don't need security updates
Window's "Core" refers to...
The main product offerings in the Window's office suite, including Word, Excel, and PowerPoint
The Kernel and network configuration of he operating system
The parts of the Windows security centre which helps to secure a client machine
An installation of Windows Server which has an extremely limited user interface and software installation
During startup/logon, a Microsoft client will apply policies from different places, effecting how the machine is managed.
What order are these policies applied in?
OU, Domain, Site, Local
Local, Site, Domain, OU
Local, Site, OU, Domain
Domain, OU, Local, Site
Fred is logged in as his standard (non-Root) user account. He needs to mount an external drive, fortunately his account is listed in the sudoers file; to run the mount command he can type;
mount /dev/sda1 /~/usb
su -l THEN mount /dev/sda1 /~/usb
sudo mount /dev/sda1 /~/usb
rootmount /dev/sda1 /~/usb
In the previous question, assuming fred uses the correct command, and it works as expected, what will the result be?
The external USB drive will be mounted
Fred will be prompted for his password
Fred will be prompted for the root password
Fred will be informed he cannot perform the action
You don't need to configure a default gateway to browse Internet websites if you have; *****
A firewall
A proxy server
A NAT server
You ALWAYS have to have a default gateway to get access of of your network.
Deploying multiple Honeypots on your network is considered a;
honeynet
beehive
honeyfarm
masquerade
What is the advantage of having an IDS system in the DMZ of your network
It can stop attacks that are occurring against your servers that are hosted there
It doesn't slow internal network traffic from reaching the Internet
It can lure attacks against your systems away from your actual servers
It can log both the types of attacks and where they are originating from against your servers
To more securely host services that are accessible from the Internet you could;
Place Internet servers in a screened subnet
Place Internet servers behind your Firewall
Put your servers in an Intranet
Put your servers in a Supernet
Why would you want to use Direct Access for your remote clients to allow access rather than a Virtual Private Network?
Direct Access uses Kerberos for authentication, so user credentials are not passed over the Internet
Direct Access occurs automatically when a user is not on the internal network, allowing the machine to be updated without user interaction
Because Direct Access uses a separate secure tunnel to transmit credentials over the Internet
Direct Access uses the PKI of the Active Directory Network, making it more secure than a VPN
NAT is an example of:
A stateful firewall
IPv4 to IPv6 translation
An application firewall
An IPSEC concentrator
In terms of threat assessment, what is a vulnerability?
An extra gateway onto your network
Using Internet Explorer
A security weakness that could be exploited by a threat
Having low bandwidth and throughput on your gateway
In Linux, the firewall implements as..
ipchains
natd
iptables
secured
On the inside of a properly firewalled network...
There is no need for a local firewall
A local firewall provides depth of defense
A local firewall can stop unwanted traffic from compromised internal machines from reaching other machines on the inside
Both B and C above
A way to build a secure server configuration that can be exported to other servers is to;
Run the BPA
Run sconfig
run winrm
run the SCW
To build a set of GPO's and policies to secure laptop machines on your network you can use;
Use the Security Configuration Manager to generate the policies
Ghost the laptop with an image
Place the laptop in the DMZ
make sure the laptop is properly updated
What is an advantage to installing a Certificate Authority into your Active Directory structure and creating a PKI?
It will encrypt all the data on your network
It stops the use of Kerberos authentication which is not very secure
It allows you to browse non-trusted web sites on the Internet securely
It can allow for trusted connection to Domains and computers outside your Domain
What is one of the security challenges of using imaging to setup your systems on the network?
Images can be modified while getting pushed out to target machines
Systems are not updated properly
Administrative accounts have the same password on all machine
Base images can have rootkits installed into them
