Case Study Questions

1.

How should you configure the connectivity from the internal network to the Internet?

  A. Bastion host

  B. Three-pronged configuration

  C. Back-to-back configuration

  D. None of the above

2.

Which of the following actions should you take immediately after an intrusion has been detected?

  A. Create an image copy of the server.

  B. Apply the latest service pack and hotfixes.

  C. Check the event logs on the server.

  D. Disconnect the network cable of the affected system(s).

3.

You need to make sure that the appropriate patches are applied to all workstations in a timely fashion, even if they are not in the office. Which of the following methods would guarantee this requirement is met? (Choose all that apply.)

  A. Automate Windows Update.

  B. Use Group Policy to push the updates to all users, including those logged in remotely.

  C. Train the users to update their computers regularly, including when they are out of the office.

  D. All of the above.

4.

You are going to upgrade a Windows 2000 Server to Windows Server 2003, Enterprise Edition and promote it to a domain controller. You need to make sure that it meets the business requirements. Which of the following would you do? (Choose all that apply.)

  A. Uninstall Internet Information Services from the Windows 2000 Server machine before upgrading it to Windows Server 2003.

  B. Install an antivirus package on it and schedule it to update daily.

  C. Automate Windows Update services.

  D. Remove the SVCHOST service.

  E. Disable all nonessential services.

5.

A security breach occurs and you need to make sure that the appropriate authorities get notified and are provided with all the necessary evidence. Which of the following steps should you take while still maintaining the business requirements? (Choose two.)

  A. Image the compromised system.

  B. Close the office.

  C. Shut down the public network connection.

  D. Disconnect the compromised server from the network.

6.

You are creating a response procedure to react to the inventory web service server becoming compromised. Which one of the following tasks should you complete in order to maintain your organization’s service level agreement with the company’s resellers?

  A. Move the inventory service to an uncompromised site or server and notify the resellers of the incident.

  B. Create a team to notify the press regarding the incident.

  C. Activate the response team to begin patching services.

  D. Isolate the inventory service and notify the resellers of the problem.

Answers

1.

C. One of the business requirements states that there must be more than one layer an attacker has to breach in order to penetrate the internal network. Only the back-to-back configuration provides two firewalls, with the DMZ sitting between the public network and the private (internal) network. A bastion host or a three-pronged configuration (a single firewall with public, DMZ, and internal interfaces) puts only one device between the attacker and the internal network, so a single misconfiguration or exploit on that device exposes everything behind it.

2.

D. The first thing to do once an intrusion is detected is to disconnect the network cable from the compromised system, so that the attacker loses access and cannot pivot to other hosts. Once the cable is unplugged, create an image copy of the server so that it can be examined later or used as evidence. In a lab environment you can mount that image on another computer and check the logs to trace the exploit. Applying the latest patches and service packs comes last, once the system has been returned to a known-good state; patching the live system first would alter the very evidence you need to preserve.

3.

A, B. All three options can help meet this requirement, but only the first two guarantee it. Training users to update their computers manually is worthwhile, yet it cannot guarantee that updates are applied in a timely fashion, so option C (and therefore D) is wrong. Automating Windows Update lets patches and hotfixes be downloaded and installed automatically on a regular schedule. Group Policy can also push the updates to workstations, including remote ones when they connect; this is the right choice when patches must be tested before they are rolled out to users.
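As an added example (not code from the study guide), the PowerShell script below audits the Automatic Updates settings that the Group Policy "Configure Automatic Updates" and "Specify intranet Microsoft update service location" policies write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, reports the settings that would let a roaming workstation fall behind, and prints or applies the hardened values. The registry paths and value meanings are Microsoft's documented ones; the 03:00 install time, the WSUS hostname and the -Apply switch are this example's own assumptions. On a domain these values should be set through the GPO rather than the registry; the script is useful for checking what a given workstation actually received.

```powershell
# Added example: audit and harden the Automatic Updates policy (not from the study guide).
# Run elevated. Values below are the ones the Windows Update Group Policy settings write.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-AutoUpdatePolicy {
    # Missing values come back as $null, which Test-AutoUpdatePolicy treats as "not configured"
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdate = $au.NoAutoUpdate   # 1 = Automatic Updates switched off
        AUOptions    = $au.AUOptions      # 2 notify, 3 download + notify, 4 download + scheduled install
        UseWUServer  = $au.UseWUServer    # 1 = use the WSUS server named in WUServer
        WUServer     = $wu.WUServer
    }
}

function Test-AutoUpdatePolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate=1: Automatic Updates is off, nothing is applied without a user'
    }
    if ($Policy.AUOptions -ne 4) {
        $findings += "AUOptions=$($Policy.AUOptions): installs wait for a user to act; 4 installs on a schedule"
    }
    if ($Policy.UseWUServer -eq 1 -and [string]::IsNullOrEmpty($Policy.WUServer)) {
        $findings += 'UseWUServer=1 with no WUServer: clients have no update source at all'
    }
    if ($Policy.UseWUServer -eq 1 -and $Policy.WUServer -like 'http://*') {
        $findings += "WUServer $($Policy.WUServer) is plain HTTP; off-site clients should only trust an HTTPS WSUS"
    }
    return $findings
}

function Set-AutoUpdatePolicyHardened {
    # Weak "before" state this replaces: NoAutoUpdate=1, or AUOptions=2 (notify only).
    # Hardened state: auto download, unattended install every day at 03:00, WSUS over HTTPS.
    param(
        [string]$WsusUrl = 'https://wsus.example.local:8531',  # assumed hostname; 8531 is the WSUS TLS port
        [switch]$Apply
    )
    $settings = @(
        @{ Key = $AuKey; Name = 'NoAutoUpdate';         Value = 0;        Type = 'DWord'  },
        @{ Key = $AuKey; Name = 'AUOptions';            Value = 4;        Type = 'DWord'  },
        @{ Key = $AuKey; Name = 'ScheduledInstallDay';  Value = 0;        Type = 'DWord'  },  # 0 = every day
        @{ Key = $AuKey; Name = 'ScheduledInstallTime'; Value = 3;        Type = 'DWord'  },  # hour, local time
        @{ Key = $AuKey; Name = 'UseWUServer';          Value = 1;        Type = 'DWord'  },
        @{ Key = $WuKey; Name = 'WUServer';             Value = $WsusUrl; Type = 'String' },
        @{ Key = $WuKey; Name = 'WUStatusServer';       Value = $WsusUrl; Type = 'String' }
    )
    foreach ($s in $settings) {
        if ($Apply) {
            if (-not (Test-Path -Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
            Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type $s.Type
        } else {
            '{0}\{1} = {2}' -f $s.Key, $s.Name, $s.Value
        }
    }
}

$findings = Test-AutoUpdatePolicy -Policy (Get-AutoUpdatePolicy)
if ($findings) { $findings | ForEach-Object { "WEAK: $_" } }
else           { 'Automatic Updates policy meets the "timely, even off-site" requirement' }
Set-AutoUpdatePolicyHardened            # dry run: prints the hardened values
# Set-AutoUpdatePolicyHardened -Apply   # writes them (standalone test box only; use the GPO on the domain)
```

The WSUS check matters for the "not in the office" part of the requirement: a client pointed at an intranet WSUS server that is unreachable over the VPN, or that it reaches only over plain HTTP, is exactly the machine that quietly stops patching while it is away.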

4.

B, C, E. Make sure that an antivirus package is installed on the server and that it is updated regularly. Automating Windows Update services allows the latest security-related patches to be deployed automatically when they are released. Disabling nonessential services shrinks the attack surface and leaves fewer ways in. By default, when you upgrade from Windows 2000 to Windows Server 2003, Enterprise Edition, Internet Information Services is left disabled, so it is not necessary to uninstall it manually before the upgrade. SVCHOST is not itself a service: svchost.exe is the generic host process in which many essential services run, so shutting it down would take all of those services with it. Use the tasklist /svc command to see which services each svchost.exe instance hosts, and then disable the individual unneeded services rather than the host process.
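As an added example (not from the study guide), the following PowerShell script does the svchost mapping that tasklist /svc does, then reports the auto-start services that fall outside a role baseline and can disable them one service at a time, which is the safe way to act on answer E without touching the host process. The baseline list is an assumed, illustrative one for a domain controller on a current Windows Server build; derive your own from a known-good install of the same role before using it to disable anything.

```powershell
# Added example: svchost service map plus baseline-driven service reduction (not from the study guide).
# $DcBaseline is an assumed, illustrative allow-list, not a Microsoft-published one.
$DcBaseline = @(
    'NTDS', 'DNS', 'Netlogon', 'kdc', 'SamSs', 'Dfs', 'DFSR', 'W32Time', 'RpcSs', 'EventLog',
    'LanmanServer', 'LanmanWorkstation', 'Dnscache', 'Dhcp', 'Winmgmt', 'CryptSvc', 'gpsvc',
    'wuauserv', 'BITS', 'Schedule', 'PlugPlay', 'EventSystem', 'WinDefend', 'TermService'
)

function Get-SvchostServiceMap {
    # PowerShell equivalent of `tasklist /svc` restricted to svchost.exe: one row per host process,
    # with the -k service group the process was started for and every service it hosts.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -match '\\svchost\.exe' } |
        Group-Object -Property ProcessId |
        ForEach-Object {
            [pscustomobject]@{
                Pid      = [int]$_.Name
                Group    = $_.Group[0].PathName -replace '.*-k\s+(\S+).*', '$1'
                Services = ($_.Group.Name | Sort-Object) -join ', '
            }
        } | Sort-Object -Property Pid
}

function Get-NonBaselineAutoServices {
    # Services set to start automatically that the role baseline does not call for
    param([Parameter(Mandatory)][string[]]$Baseline)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $Baseline -notcontains $_.Name } |
        Select-Object -Property Name, DisplayName, State, PathName
}

function Disable-NonBaselineServices {
    # Disables individual services, never the svchost.exe that hosts them: killing a host process
    # takes every service in that -k group down with it, including essential ones.
    param([Parameter(Mandatory)][string[]]$Baseline, [switch]$Apply)
    foreach ($svc in Get-NonBaselineAutoServices -Baseline $Baseline) {
        if ($Apply) {
            Stop-Service -Name $svc.Name -Force -ErrorAction Continue
            Set-Service  -Name $svc.Name -StartupType Disabled
            "disabled       $($svc.Name)"
        } else {
            'would disable  {0,-28} {1}' -f $svc.Name, $svc.DisplayName
        }
    }
}

Get-SvchostServiceMap | Format-Table -AutoSize
Disable-NonBaselineServices -Baseline $DcBaseline          # dry run; add -Apply after reviewing the list
```

Review the dry-run output against what the server actually needs before adding -Apply: a service such as Spooler shows up as "would disable" on most domain controllers and is a textbook nonessential service there, but a service your monitoring or backup agent depends on will show up the same way.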

5.

A, D. The first thing to do in this situation is to isolate the compromised system; the simplest way is to unplug its Ethernet cable from the switch. Once the system is isolated, create an image backup of it to preserve the evidence for the authorities. Shutting down the public network connection would affect far more than the minimum number of services and violates the business requirements; closing the office is worse still.
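Questions 2 and 5 describe the same first-response sequence: isolate the host, then preserve evidence. As an added example (not the study guide's own procedure), the PowerShell script below performs that sequence on a compromised Windows host, with one practitioner's refinement: the network connections and process list vanish the instant the cable comes out, so it spends a few seconds recording them before it disables the adapters, then exports the event logs and hashes everything so the collection can be tied to the disk image taken afterwards. It assumes Windows 8/Server 2012 or later for the Net* cmdlets and an evidence drive at E:\ (an assumed path; use removable media, never the suspect disk). Run it elevated at the console: disabling the adapters will cut any remote session.

```powershell
# Added example: first-response containment and evidence collection (not from the study guide).
# Assumes an evidence volume at E:\ (assumed path) and Windows 8 / Server 2012 or later.
param([string]$EvidenceRoot = 'E:\IR')

function New-EvidenceDir {
    param([string]$Root)
    $dir = Join-Path -Path $Root -ChildPath ('{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $dir
}

function Save-VolatileState {
    # Connections and processes are gone once the host is isolated, so they are captured first
    param([string]$Dir)
    Get-Date -Format o | Set-Content -Path (Join-Path $Dir 'collected_at.txt')
    Get-NetTCPConnection |
        Select-Object -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv -Path (Join-Path $Dir 'tcp_connections.csv') -NoTypeInformation
    Get-CimInstance -ClassName Win32_Process |
        Select-Object -Property ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
        Export-Csv -Path (Join-Path $Dir 'processes.csv') -NoTypeInformation
    Get-NetAdapter |
        Select-Object -Property Name, InterfaceDescription, MacAddress, Status |
        Export-Csv -Path (Join-Path $Dir 'adapters.csv') -NoTypeInformation
}

function Invoke-HostIsolation {
    # Software equivalent of unplugging the cable: every adapter that is Up goes Disabled.
    # Wi-Fi and virtual adapters are included; otherwise an attacker with a second path stays connected.
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false
}

function Export-EventLogs {
    # Checking the logs belongs after isolation and on a copy: export them, do not analyse in place
    param([string]$Dir)
    foreach ($log in 'Security', 'System', 'Application') {
        & wevtutil.exe epl $log (Join-Path $Dir "$log.evtx")
    }
}

function Write-EvidenceManifest {
    # SHA-256 of every collected file; this manifest travels with the disk image as part of the evidence
    param([string]$Dir)
    $manifest = Join-Path $Dir 'manifest.sha256'
    Get-ChildItem -Path $Dir -File |
        Where-Object { $_.FullName -ne $manifest } |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { '{0}  {1}' -f $_.Hash, (Split-Path -Path $_.Path -Leaf) } |
        Set-Content -Path $manifest
    $manifest
}

$dir = New-EvidenceDir -Root $EvidenceRoot
Save-VolatileState  -Dir $dir
Invoke-HostIsolation
Export-EventLogs    -Dir $dir
Write-EvidenceManifest -Dir $dir
"Host isolated; evidence in $dir. Next step: image the disk offline, not from this running system."
```

The disk image itself (answer A in both questions) is deliberately not taken from inside the compromised operating system: anything running on that host, including the imaging tool, can be lied to by what the attacker left behind. Take it with the disk attached to a clean system or a bootable imager, and record its hash next to the manifest this script wrote.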

6.

A. Because the business requirements state that the inventory service must be back up within an hour, you must move it to an uncompromised server or site while the team responds to the incident on the original host. Isolating the service (D) is a necessary containment step, but on its own it leaves the service down and the SLA unmet; patching (C) and press notification (B) do nothing to restore service within the hour.

MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
ISBN: 0782143296
Year: 2004
Pages: 168
