Questions and Answers




Lesson 1 Review

Page 11-8

1. 

Which of the following is an advantage that SSL has over IPSec?

  a. It can use a shared secret for authentication.

  b. It can tunnel traffic between two networks.

  c. It does not require the client to be authenticated.

  d. It is transparent to the application.


2. 

Which of the following is an advantage of using an SSL certificate issued by a public CA?

  a. You can use the certificate for free.

  b. Browsers will trust the CA by default and will not warn the user.

  c. It takes less time to obtain a certificate from a public CA.

  d. You do not have to reveal personal information to the CA.


3. 

Which port should you open on a firewall to allow HTTP traffic protected by SSL?

  a. 80

  b. 110

  c. 443

  d. 995


4. 

Which port will you open on a firewall to allow POP3 traffic protected by SSL?

  a. 80

  b. 110

  c. 443

  d. 995


Answers

1. 

c. SSL’s primary advantage over IPSec is that it does not require the client to be authenticated. This allows users on the Internet to access the Web server without providing personally identifiable information.

2. 

b. The primary advantage of using a certificate issued by a public CA is that browsers and other applications will trust the CA by default, without requiring the user to add the root CA to the application’s list of trusted CAs.

3. 

c. HTTP protected by SSL uses TCP port 443.

4. 

d. POP3 protected by SSL uses TCP port 995.

Lesson 2 Review

Page 11-24

1. 

Which of the following scenarios are appropriate for using client certificates? (Choose all that apply.)

  a. To authenticate users returning to a public e-commerce site.

  b. To authenticate and authorize users at a partnering company that manages its own CA.

  c. To gather demographic information about the users who visit your Web site.

  d. To authenticate users on an intranet when an enterprise CA is present.


2. 

A user is having a problem authenticating with a client certificate. Which of the following is the best tool to troubleshoot this problem?

  a. Network Monitor

  b. IIS Manager

  c. Certificates snap-in

  d. SSL Diagnostics Utility


Answers

1. 

b and d. Client certificates are ideal for authenticating users at partnering companies that manage their own CAs. You can use many-to-one mapping to allow access to users who have valid certificates, thereby delegating responsibility for managing user access to the partner company. Client certificates can also be used on an intranet when users have been issued user certificates.

2. 

d. Although you can capture and analyze client certificate authentication traffic by using Network Monitor, the best tool to use is the SSL Diagnostics Utility.

Lesson 3 Review

Page 11-37

1. 

When a certificate is installed on a domain controller, which of the following types of communications can be protected with SSL? (Choose all that apply.)

  a. Kerberos authentication

  b. Global catalog traffic

  c. DNS queries

  d. LDAP queries

  e. File replication


2. 

After installing an SSL certificate on a computer running SQL Server, how can you protect database communications by using SSL? (Choose all that apply.)

  a. Select the Force Protocol Encryption check box on the computer running SQL Server.

  b. Add Encrypt=YES to the ODBC connection string.

  c. Add Use Encryption for Data=True to the ODBC connection string.

  d. Add Encrypt=YES to the OLE DB connection string.

  e. Add Use Encryption for Data=True to the OLE DB connection string.


Answers

1. 

b and d. Only global catalog traffic and LDAP queries can be protected with SSL. However, Kerberos authentication is always encrypted, and file replication might be encrypted by means of different mechanisms, such as IPSec.

2. 

a, b, and e. If you want to require encryption for all incoming connections to the computer running SQL Server, select the Force Protocol Encryption check box on the computer running SQL Server. Otherwise, add the appropriate string to the ODBC or OLE DB connection strings.

Design Activity: Case Scenario Exercise

Page 11-39

1. 

How should you protect the personal information and credit card numbers of consumers purchasing products from your Web site?

  a. IPSec

  b. S/MIME

  c. PKI

  d. SSL

  e. Physical security


2. 

You want to purchase SSL certificates created by a trusted public CA for your Web servers so that users will not be prompted about the certificate. How many SSL certificates do you need to purchase?

  a. 1

  b. 2

  c. 3

  d. 4


3. 

How can you protect the communications between the Web servers and the database servers? (Choose all that apply.)

  a. IPSec

  b. S/MIME

  c. PKI

  d. SSL

  e. Physical security


Answers

1. 

d. You should use SSL to authenticate your Web servers to the consumer to prevent man-in-the-middle attacks and to encrypt the communications to prevent eavesdropping. SSL only provides protection for the information in transit, however. The private information can still be exposed if your Web servers, or any other servers that have access to the information, are compromised by an attacker.

2. 

a. You only need a single certificate for both Web servers because they are hosting a single Web site. The two servers will have an identical common name: www.adventure-works.com. As a result, you can install the same certificate on both servers. However, the CA you use to issue the certificates might require you to purchase a certificate for each physical Web server as part of the service agreement.

3. 

a, d, and e. You can use either IPSec or SSL to authenticate your database server and encrypt the communications between the Web servers and the database servers. Additionally, you can physically secure the network hardware connecting the computers to reduce the opportunity that attackers have for eavesdropping. You can choose to use one, two, or all three of these mechanisms.

Design Activity: Troubleshooting Lab

Page 11-41

1. 

First, reproduce the error by using Internet Explorer on Computer1. What is the exact error message?


2. 

Examine the certificate. What is the cause of the problem?


3. 

How can you resolve the problem? (Choose all that apply.)

  a. Add the adventure-works.com common name to the certificate.

  b. Install a second SSL certificate with the name adventure-works.com on the same Web site.

  c. Create a second Web site using the IIS Manager, and configure that Web site with the host header adventure-works.com. Configure that Web site to redirect requests to http://www.adventure-works.com.

  d. Configure adventure-works.com to use a second IP address, and add that IP address to your Web server. Create a second SSL certificate with the name adventure-works.com, and associate that certificate with the second IP address.

  e. Add a redirection directive to the certificate to instruct the browser to send requests to https://www.adventure-works.com.


Answers

1. 

A Security Alert message box appears when you attempt to access the page https://adventure-works.com. The message box shows a warning symbol and the message “The name on the security certificate is invalid or does not match the name of the site.”

2. 

The common name shown on the certificate is www.adventure-works.com. This is sufficient to allow users to access the site by using that name in the URL. However, if users leave off the www portion of the FQDN, they will receive the error message you saw because the URL does not exactly match the name on the certificate.

3. 

c and d. Only one SSL certificate can be associated with a given IP address/port number combination. Therefore, you cannot use separate SSL certificates with host headers. However, you can configure a Web site with host headers that redirects all non-SSL requests to http://www.adventure-works.com. Users will still receive a warning if they type https://adventure-works.com directly into the address bar, however. To avoid this potential problem, you can add a second IP address to the Web server and associate a second SSL certificate with that IP address.
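
The name comparison behind answers 2 and 3 of the Troubleshooting Lab can be checked before deployment. The Python sketch below is an added example, not part of the training kit: it lists which URLs would raise the name-mismatch warning for a given set of certificate names, and it also covers the standard wildcard rule as a generalization. The function names and the sample name lists are constructed for illustration.

```python
from urllib.parse import urlsplit

def name_matches(cert_name: str, host: str) -> bool:
    """Return True if one certificate name covers the requested host.

    Simplified form of the usual matching rules: names are compared
    case-insensitively, label by label, and a wildcard is honoured only
    when it is the entire left-most label.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    # A name never covers a host with a different number of labels, so
    # www.adventure-works.com does not cover adventure-works.com.
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def urls_that_warn(urls, cert_names):
    """Return the URLs whose host is not covered by any certificate name."""
    warn = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if not any(name_matches(name, host) for name in cert_names):
            warn.append(url)
    return warn

# Constructed sample input based on the lab scenario.
SITE_URLS = [
    "https://www.adventure-works.com/",
    "https://adventure-works.com/",
]

if __name__ == "__main__":
    # Certificate issued for the www name only, as in the lab.
    print(urls_that_warn(SITE_URLS, ["www.adventure-works.com"]))
    # A wildcard name still leaves the bare domain uncovered.
    print(urls_that_warn(SITE_URLS, ["*.adventure-works.com"]))
```

Both calls report only https://adventure-works.com/, which is the URL that produces the Security Alert in the lab.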






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
