• No se han encontrado resultados

Estudio 4: Resolución con horizonte de planificación periódico

CAPÍTULO 6. Ajuste y comparación de métodos

6.4. Comparación de los dos métodos

6.4.4. Estudio 4: Resolución con horizonte de planificación periódico

C. Specify that the Microsoft User Authentication Module be used.

Answers to Review Questions 83

Answers to Review Questions

1. C. When you install SQL Server 2000 using Windows Authentication Mode, the security context of the user is used for validation to a DC before allowing setup to continue. Kerberos becomes the default authentication protocol, and the directories and Registry keys are secured in this mode as well.

2. A. Security Account Delegation, or Delegation Authentication, is the ability of one server to request a ticket on behalf of a user or service account when that user is currently connected to the local server but needs to connect to another server. Answer A is the only answer that fits the description of this behavior. Delegation Authentication is enabled by default in Windows 2000 Server.

3. C. The best practice is to turn off Delegation Authentication by default and then enable it for certain services and user accounts. This will guard against an easily hacked service account name and password combination being used to access the server via impersonation.

4. A, B. What is described in the question is Delegation Authentication, and it is enabled by default on all Windows 2000 servers. Requiring digital signatures, among the other answers, is the best way to secure communication between your servers. Answer D would not be appropriate because client-to-server communication was not a focus of this question.

5. D. SQL 2000 Server works with the Windows 2000 Server EFS, but it encrypts files under its service account name and password assignment. If you change this account without decrypting any encrypted files, this data will be totally lost to you until they are decrypted. The only way to decrypt the files is to use the account under which they were encrypted for the decryption process. 6. A, B, C, D, E, G. Because of the ExIFS, every item in an Exchange 2000 Server store can be

accessed using a number of different protocols. This allows for flexibility in how information is managed and stored. However, the different access points also create security concerns in that the information must be secured on multiple fronts. Items are secured using Windows 2000 Server user and group accounts and NTFS permissions.

7. B, D. Two actions you can take on inbound SMTP mail are to run that mail through both a con- tent scanner and an antivirus scanner. Doing both will protect your mail from viruses, unwanted attachments, and unwanted content. The URLScan and IIS Lockdown tools are suited for HTTP and port 80, not SMTP and port 25.

8. D, E, F, G. You might be surprised that you don’t have to move any databases to achieve this solu- tion. Because the OWA servers are not hosting any mailboxes or public folders, all you need to do is configure them to be front-end servers and then install security for communication between the cli- ents and the front-end server and again between the front-end servers and back-end servers. The best security for information between the front-end servers and your clients is SSL. IPSec can be used for calls between the servers. Because you are using front-end servers, you’ll need to install Network Load Balancing to load-balance calls between these two servers. By default, Network Load Balanc- ing uses a single IP address and namespace.

9. B, C. Although using SSL is a way to secure client-to-server communication over port 80, only URLScan and IIS Lockdown are tools that secure the server directly.

10. C, D. SMB signing, when required, is a method to ensure that all communication on your net- work is digitally signed at the packet level. In addition, Delegation Authentication is a type of impersonation that servers perform on behalf of clients. This can be removed to eliminate the possibility of an attacker using this feature to impersonate another user.

11. B, C, D. Because Unix workstations can use Kerberos, enabling NTLMv2 would be a step back for them. By using only TCP/IP, you eliminate IPX/SPX from the network and its need to use SAP to advertise the presence of each server to the clients on the network. And in installations in which a large number of clients need to authenticate to both NetWare and Windows 2000 Server, direc- tory synchronization can increase security by using the same accounts in both directories. 12. C, E. Because the compromise occurred using the Anonymous user account, first limit what this

account can do and its group memberships. By default, the Anonymous account is a member of the Everyone and Network security groups. Enabling this policy setting will require that you explicitly set permissions to all resources for the Anonymous user account. Although you might be able to think of other things that should be done in this scenario, only answers C and E directly mitigate against the threat of a compromise using the Anonymous account.

13. B. Because this is a SYN attack, configure the SynAttackProtect Registry key on your web server. Obviously, you might take other actions, but this one will help mitigate against the DoS attack on that individual server.

14. A. If you have no Windows 16-bit applications, turn off the 8.3 auto generation of filenames. With this feature turned on, an attacker needs only eight characters to refer to a filename. With this feature turned off, the attacker will need the entire filename in order to use a file.

15. A, B, C, D. Because most resources are password-protected, this is one of the favorite tech- niques that an attacker uses to compromise your network. All these measures will help increase the password security on your network. And all of them are recommended, except for the LM hash answer, which you must leave enabled if you have legacy clients, such as Windows NT 4 or Windows 98 clients.

16. D. If you were just allowing more verbs on your website, answer C might suffice. However, if you need to redo the service structure on your website after running the IIS Lockdown tool, you’ll need to uninstall and then reinstall the tool choosing the option during installation to secure this new type of server.

17. A, B, C, D. All these actions will help secure your website. By accepting connections from only certain IP addresses or DNS names, you significantly limit who can even connect to the web server. And then requiring user authentication will mean that hackers must not only spoof an IP address, but also compromise a username and password combination and then impersonate a user to gain access to the website.

18. A, B, C, F. To connect, wireless workstations need an access point. You can use SSL for port 80 connections between the workstation and the access point. To authenticate on the network, a RADIUS server can be employed to proxy the authentication requests from your users to the DC. Because all this communication will occur using encryption and signatures, you’ll need a CA available that both sides trust.

Answers to Review Questions 85

19. B. Because each wireless device may have a different way to authenticate on the network, you should require a different username and password combination for each client device. This is because client devices will vary in their security when passing the password from the client to the access point.

20. B, C. The default password security for Macintosh clients is 8 characters and clear-text pass- words. When you install File Services for Macintosh, you can then select the MS-UAM, which allows for password characters up to 14 characters in length.

Chapter

3

Installing, Managing,

Documento similar