Review Questions


1. Which DNS security policy specifies that zone transfers are only allowed to specific IP addresses?

  A. Low-level

  B. Mid-level

  C. High-level

  D. Secure-level


2. You want to control the replication of WINS records so that they replicate every hour. What type of replication should you use?

  A. Push

  B. Pull

  C. Time-initiated

  D. Dynamic


3. What DNS options allow you to direct client queries to servers that are authoritative for a zone? (Choose all that apply.)

  A. Primary zones

  B. Stub zones

  C. Delegations

  D. Zone transfers


4. Which zone type is used to identify a server that is authoritative for a zone, and will automatically retrieve the SOA record for the zone, the NS records for the name servers within the zone, and the A records for those name servers?

  A. Delegation

  B. Primary zone

  C. Secondary zone

  D. Stub zone


5. How does WINS interoperate with DHCP?

  A. The DHCP server assigns the WINS server address and node type options to clients.

  B. The DHCP server registers the computer name of clients within the WINS database.

  C. The WINS server provides remote clients with access to the DHCP server.

  D. The WINS server receives IP address information from the DHCP server and then passes the address information to the client.


6. To which of the following types of attacks are DNS servers susceptible? (Choose all that apply.)

  A. Footprinting

  B. Data modification

  C. Denial of Service

  D. Redirection


7. Becca is designing her name resolution infrastructure and is trying to determine how she is going to design the DNS solution for Active Directory. She plans on installing several Windows Server 2003 domain controllers and she wants to take advantage of Active Directory-integrated zones. Which of the following DNS server types will accommodate her needs?

  A. UNIX BIND 8.1.2

  B. UNIX BIND 9.1.0

  C. Windows NT 4

  D. Windows Server 2003


8. Leon is designing the DNS infrastructure and needs to determine the namespace that will be used for his organization. The design calls for a back-to-back firewall to define a perimeter network and protect the internal network. Currently the organization is using bloomco.com as the external name for their Internet presence. In order to protect the internal network and keep administration costs to a minimum, which of the following options should Leon consider using? (Select all that apply.)

  A. bloomco.com

  B. ad.bloomco.com

  C. bloomco.net

  D. bloomco.lcl


9. Sally is designing the WINS replication topology for her company. Seven offices have been identified as locations for WINS servers and all of the servers need to have records replicated to them so that the clients can find the resources they need. She has identified the Austin location as the hub for the replication topology and wants to make sure that the WINS service is available at all times. What can she do to increase the reliability of the WINS server?

  A. Increase the memory on the server.

  B. Put the WINS service on clustered hardware.

  C. Put the WINS service on domain controllers.

  D. Increase the number of processors.


10. Tom is concerned that an attacker may be able to discover the addresses of servers on his network by using zone transfers. To alleviate his fears, what should be included within the DNS design? (Select all that apply.)

  A. Allow zone transfers only to systems identified by their IP address within the SOA record.

  B. Do not allow zone transfers to DNS servers within the perimeter network.

  C. Allow zone transfers to all servers.

  D. Use Active Directory-integrated zones within the perimeter network.


Answers

1. C. The high-level DNS security policy, as defined by Microsoft, states that zone transfers should only be sent to other DNS servers that are configured through their IP address. The low-level DNS security policy allows zone transfers to any other DNS server whereas the mid-level DNS security policy allows zone transfers to any DNS server defined on the Name Servers tab of the SOA record. The secure-level policy does not really exist.

2. B. Pull replication is configured to wait for a specified amount of time before requesting changes within the partner's database.

3. B, C. Stub zones and delegations are methods for identifying DNS servers that are authoritative for a specific zone if the zone in question is not located on the current DNS server.

4. D. A stub zone is responsible for redirecting clients to a name server that is authoritative for the zone they are querying. When a stub zone is created, it will copy the SOA record as well as the NS and A records of the name servers for the zone for which it is configured. The records will be refreshed based upon the time-to-live of the SOA record.

5. A. DHCP clients can be configured to receive the IP address of the WINS server along with the node type, or resolution method, from the DHCP server.

6. A, B, C, D. You will need to make sure you take the four attack types into account when designing the DNS infrastructure. Base your security requirements for each DNS server upon the attacks that are most likely to occur against that server.

7. D. From the available options, only Windows Server 2003 will support Active Directory-integrated zones. Of the other options, both of the UNIX BIND systems will support Active Directory, but only on primary and secondary zone types. Windows NT 4 DNS servers will not support Active Directory.

8. B, C, D. By using names that are not the same as the Internet presence, the internal network is then separated from the Internet presence, yet the administration is simplified since you can create delegation records, stub zones, or forwarding to allow internal users to gain access to external resources.

9. B. The WINS service is cluster-aware and the only fault-tolerant option listed is the clustering solution.

10. A, B. If you select to allow zone transfers to DNS servers that are identified by their IP address within the properties of the SOA record, you will only transfer zone data to those servers and not to all name servers within your network. You should not include servers within the perimeter if at all possible so that internal records are not hosted on a DNS server within the perimeter. You should not allow zone transfers to all DNS servers because that is an open door for an attacker to request and receive zone transfers. Active Directory-integrated zones are more secure because you host the zones within Active Directory instead of within a text file on the server. However, if you place a server that has an Active Directory-integrated zone within the perimeter, you are placing a domain controller within the perimeter that will then be accessible to attackers who access your perimeter. Also, Active Directory-integrated zones need to have zone transfers configured just like primary zones since they allow the zone data to be replicated to secondary zones.




MCSE: Windows Server 2003 Active Directory and Network Infrastructure Design Study Guide (70-297)
ISBN: 0782143210
EAN: 2147483647
Year: 2004
Pages: 159
Authors: Brad Price, Sybex
