SCP Security Certified Program SC0-502 SCP Exam Questions

Page: 1 / 14
Total 28 questions

Want more questions? Get Premium Access.
()

Question 1

Now that you have MegaCorp somewhat under control, you are getting ready to go home for the night. You have made good progress on the network recently, and things seem to be going smoothly. On your way out, you stop by the CEO office and say good night. You are told that you will be meeting in the morning, so try to get in a few minutes early. The next morning, you get to the office 20 minutes earlier than normal, and the CEO stops by your office, "Thanks for coming in a bit early. No problem really, I just wanted to discuss with you a current need we have with the network." "OK, go right ahead." You know the network pretty well by now, and are ready forwhatever is thrown your way. "We are hiring 5 new salespeople, and they will all be working from home or on the road. I want to be sure that the network stays safe, and that they can get access no matter where they are." "Not a problem," you reply. "Il get the plan for this done right away." "Thanks a lot, if you have any questions for me, just let me know." You are relieved that there was not a major problem and do some background work for integrating the new remote users. After talking with the CEO more, you find out that the users will be working from there home nearly all the time, with very little access from on the road locations. The remote users are all using Windows 2000 Professional, and will be part of the domain. The CEO has purchased all the remote users brand new Compaq laptops, just like the one used in the CEO's office, and which the CEO takes home each night; complete with DVD\CD-burner drives, built-in WNICs, 17" LCD widescreen displays, oversized hard drives, a gig of memory, and fast processing. wish I was on the road to get one of those, you think. You start planning and decide that you will implement a new VPN Server next to the Web and FTP Server. You are going to assign the remote users IP Addresses:

10.10.60.100~10.10.60.105, and will configure the systems to run Windows 2000 Professional. Based on this information, and your knowledge of the MegaCorp network up to this point, choose the best solution for the secure remote user needs:}

AYou begin with configuring the VPN server, which is running Windows 2000 Server. You create five new accounts on that system, granting each of them the Allow Virtual Private Connections right in Active Directory Users and Computers. You then configure the range of IP Addresses to provide to the clients as:
10.10.60.100 through 10.10.60.105. Next, you configure five IPSec Tunnel endpoints on the server, each to use L2TP as the protocol. Then, you configure the clients. On each system, you configure a shortcut on the desktop to use to connect to the VPN. The shortcut is configured to create an L2TP IPSec tunnel to the VPN server. The connection its lf is configured to exchange keys with the user ISP to create a tunnel between the user ISP endpoint and the MegaCorp VPN Server.

BTo start the project, you first work on the laptops you have been given. On each laptop, you configure the system to make a single Internet connection to the user's ISP. Next, you configure a shortcut on the desktop for the VPN connection. You design the connection to use L2TP, with port filtering on outbound UDP 500 and UDP 1701. When a user double-clicks the desktop icon you have it configured to make an automatic tunnel to the VPN server. On the VPN server, you configure the system to use L2TP with port filtering on inbound UDP 500 and UDP 1701. You create a static pool of assigned IP Address reservations for the five remote clients. You configure automatic redirection on the VPN server in the routing and remote access MMC, so once the client has connected to the VPN server, he or she will automatically be redirection to the inside network, with all resources available in his or her Network Neighborhood.

CYou decide to start the configuration on the VPN clients. You create a shortcut on the desktop to connect to the VPN Server. Your design is such that the user will simply double-click the shortcut and the client will make the VPN connection to the server, using PPTP. You do not configure any filters on the VPN client systems. On the VPN Server, you first configure routing and remote access for the new accounts and allow them to have Dial-In access. You then configure a static IP Address pool for the five remote users. Next, you configure the remote access policy to grant remote access, and you implement the following PPTP filtering:
Inbound Protocol 47 (GRE) allowed Inbound TCP source port 0, destination port 1723 allowed Inbound TCP source port 520, destination port 520 allowed Outbound Protocol 47 (GRE) allowed Outbound TCP source port 1723, destination port 0 allowed Outbound TCP source port 520, destination port 520 allowed

DYou configure the VPN clients first, by installing the VPN High Encryption Service Pack. With this installed, you configure the clients to use RSA, with 1024-bit keys. You configure a shortcut on the desktop that automatically uses the private\public key pair to communicate with the VPN Server, regardless of where the user is locally connected.On the VPN Server, you also install the VPN High Encryption Service Pack, and configure 1024-bit RSA encryption. You create five new user accounts, and grant them all remote access rights, using Active Directory Sites and Services. You configure the VPN service to send the server's public key to the remote users upon the request to configure the tunnel. Once the request is made, the VPN server will build the tunnel, from the server side, to the client.

EYou choose to configure the VPN server first, by installing the VPN High Encryption Service Pack and the HISECVPN.INF built-in security template through the Security Configuration and Analysis Snap-In. Once the Service pack and template are installed, you configure five user accounts and a static pool of IP Addresses for each account.You then configure the PPTP service on the VPN server, without using inbound or outbound filters due to the protection of the Service Pack. You grant each user the right to dial into the server remotely, and move on to the laptops. On each laptop, you install the VPN High Encryption Service Pack, to bring the security level of the laptops up to the same level as the VPN server. You then configure a shortcut on each desktop that controls the direct transport VPN connection from the client to the server.

Answer : C

Question 2

You finish the work you were doing in the morning, and head out to the monthly meeting. During this meeting, the Vice President of Strategic Partner Relations informs the group of some news, "we have decided that we need to implement a new web site that is for our strategic partners only. This site will be used for various purposes, but will primarily be used as a means of information exchange." "So, is this going to be a private site?" asks Blue. "Absolutely. We will not want any public users on this website. It's just for the people we identify in our Strategic Partner Program. I need those of you in security to be sure that this site is secure." "We can take care of that. How many people do you think will be accessing the site?" asks Blue. "Not too many, perhaps around fifty.""So, is it correct to assume that you know each of these fifty people?" "Yes, that is correct." "OK, well this should not be too hard. Wel get working on this right away." The meeting ends, and you and Blue chat more about the web site issue. "Well, we know that only around fifty people are going to access the, and we know who these fifty are. This should not cause too many problems," Blue says. "I agree. Do you think it will be all right to spend any money outside of the site itself?" you ask. "Since we are dealing with so few people, that shouldn be a problem. However, we cannot go overboard. Go ahead and write up a plan for this and get it back to me in a day or two." Based on your knowledge of Global Corp, choose the best solution to the web site security issue.}

AYou decide to use existing security technology of digital certificates and SSL to secure the site. You first install a new IIS server that will be the host of the web site. You then connect to the Globa lCorp CA for the executive building and request a new certificate for the web site. You then configure the web site to Require a Secure Channel (SSL) and install the certificate. One you install the new certificate, you connect from the new server to the CA in each office where one or more of the fifty people that require access works. At that CA, you install the CA certificate, so that the new server will trust the certificates that each CA issues. Next, you return to the configuration of the new web site. To make the site more secure, you require client certificates, and enable mappings for each user account. You call each user and ensure that they have a certificate from their own CA, which the new server now trusts. You walk them through the process of connecting to the site, and verify that secure access to them has been granted.

BYou decide that you will use digital certificates to secure the website. You will first install a new private CA that the remote users can connect to and request their certificates. This CA will be protected with a very strong password. Each user will be given a user account to access the CA, also protected with a strong password. Next, you install the new private web server. You then connect to the new CA and make a request for a certificate for the web site. Once you receive the certificate, you configure the web site to use the certificate to Require a Secure Channel (SSL). You then select the option to require client certificates, and you enable mapping for each user account. Finally, you will call each person and instruct them on the process of connecting to the CA and requesting their certificate, which you will instruct them to store on their local machine. Once they have their certificate, you have them test access to the site, and when successful you move on to the next person.

CYou decide to use digital certificates on smart cards to secure the web site. You will first install a new IIS web server to host the site. You then connect to the CA_SERVER and request a new certificate for the server. The server certificate will be used for authentication, and you have the certificate issued and stored on a portable USB drive. You then configure a machine to function as the enrollment machine for smart cards. You are going to manage the smart cards yourself. At the machine that you are going to use for the smart cards, you first configure the system with an enrollment agent certificate from the CA_SERVER, and then you install the driver for the smart card reader. Once the driver is installed, you make certificate requests for each of the fifty users. You start with the first user, by logging in to the CA and selecting the option to Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station radio button. You then select the Smartcard User template, and enter the user name. When prompted, you put a blank smart card in the reader and press the Enroll button, followed by entering the default PIN. You then test access to the site from a remote machine using the smart card and PIN to be authenticated to the site. Once the test is complete, you write a short howto file and send it along with the smart card, smart card reader, and driver to each of the fifty users. You follow up with each user upon receipt to walk them through the configuration. D. You decide to use strong authentication via biometrics, specifically fingerprint scanning to secure the web site. You will first install a new IIS web server to host the site. You then configure fifty user accounts for the remote users, and assign those accounts very strong passwords. You then ship one biometric mouse and software to each remote client. You call each user and walk them through the process of configuration of their equipment. First, you tell them to create a matching user account with the same user name and very strong password as you used on the IIS server. You then have them install the software, which you instruct them to configure so that the biometric will be linked to the user account. Once the software is installed, you instruct them to connect the mouse to their system and load the appropriate driver. With the driver installed, you tell them how to load the program and enroll their fingerprint. Once they have their fingerprint enrolled, and it is matched to their user account, you let them know that their side of the configuration is complete, and that you will call them shortly to finish the process. You return to the configuration of the IIS server. In the Security properties of the website, you select theAdvanced authentication tab. On the Advanced tab, you check the box for mapping user accounts to external biometric devices, and you check the box to allow the remote machine tocontrol the mapping. You finish the configuration by configuring the site to use 128 bit RSA to encrypt the data between the client and the server. With the server configuration done, you call the client back and have them log in using their biometric mouse. Once logged in, you instruct them to connect to the website and verify the secure site is running. E. You decide that you will use freely available PGP certificates to secure access to the website. You will first install a new IIS web server to hose the site. You then configure one user account, with a strong password. You map this account as the only account that has access to the website. You then log on locally, as this user account, to the server and create a public\private key pair. From that account you then send an outgoing email to all fifty users with the account private key. You finish the configuration of the website by making changes in the Security properties of the website. In the Security properties, you select the Advanced tab. On the Advanced tab, you check the box to map this account toa local digital certificate, and you select the new
certificate you just created. Next, you contact each remote user and instruct them to open the email from you. You have them store the key they receive in their personal certificate store. To verify the install is correct, you walk them through the process of viewing their certificates in the MMC. Once verified, you have the user connect to the website, and enter the location of their certificate when asked for authentication credentials.

Answer : C

Question 3

The network has been receiving quite a lot of inbound traffic, and although you have been given instructions to keep the network open, you want to know what is going on. You havedecided to implement an Intrusion Detection System. You bring this up at the next meeting. "After looking at our current network security, and the network traffic we are dealing with, I recommend that we implement an Intrusion Detection System," you begin. "We don't have any more budget for security equipment, it will have to wait until next year." This is the reply from the CEO that you were anticipating. "I realize that the budget is tight, but this is an important part of setting up security." You continue, "If Icannot properly identify all the network traffic, and have a system in place to respond to it, we might not know about an incident until after our information is found for sale on the open market."As expected, your last comment got the group thinking. What about false alarms?" asks the VP of sales, "I hear those things are always goingoff, and just endup wasting everyone" time.""Tha's a fair concern, but it is my concern. When we mplement the system, I will fine tune it and adjust t until the alarms it generates are ppropriate, and are generated when there is egitimately something to be concerned about.We are concerned with traffic that would indicate anattack; only then will the ystem send me an alert." or a few minutes there was talk back and forth in the room, and hen the CEO responds again to your nquiry, "I agree that this type of thing could be helpful. But, we simply don have any morebudget for it. Since it is a good idea, go aheadand find a way to implement this, but don't spend any oney on it."With this nformation, and your knowledge of MegaCorp, choose the answer that will provide the bestsolution for the IDS needs of MegaCorp:}

AYou install Snort on a dedicated machine just outside the router. The machine is designed to send alerts toyou when appropriate. You implement the following rule set: Alert udp any any -> 10.10.0.0\16 (msg: 'O\S Fingerprint Detected'; flags: S12;)Alert tcp any any -> 10.10.0.0\16 (msg: 'Syn\Fin Scan Detected'; flags: SF;)Alert tcp any any -> 10.10.0.0\16 (msg: 'Null Scan Detected'; flags: 0;) og tcp any any -> 10.10.0.0\16 any You then install Snort on the web and ftp server, also with this system designed to send ou alerts whenappropriate. You implement the built-in scan.rules ruleset on the server.

BYou configure a new dedicated machine just outside the router and install Snort on thatmachine. Themachine logs all intrusions locally, and you will connect to the machine remotelyonce each morning to pull the log files to your local machine for analysis. ou run snort with the following command: Snort ev \snort\log snort.conf and using the following ule base: lert tcp any any <> any 80 lert tcp any any <> 10.10.0.0\16 any (content: 'Password'; msg:'Password transfer Possible';) Log tcp any any <- 10.10.0.0\16 23 Log tcp any any <> 10.10.0.0\16 1:1024

CYou install your IDS on a dedicated machine just inside the router. The machine is designed to send alerts o you when appropriate. You begin the install by performing a new install of indows on a clean hard drive. ou install ISS Internet Scanner and ISS System Scanner on the new system. System canner is configured todo full backdoor testing, full baseline testing, and full password testing.Internet Scanner is configured with a custom policy you made to scan for all vulnerabilities. You configure both canners to generate automatic weekly reports and to send you alerts whenan incident of note takes place on the network.

DYou install Snort on a dedicated machine just inside the router. The machine is designed to send alerts to ou when appropriate. You do have some concern that the system will have toomany rules to operate efficiently. To address this, you decide to pull the critical rules out of the built-in rule ets, and create one simple rule set that is short and will cover all of the seriousincidents that the network might experience. alert udp any 19 <>
$HOME_NET 7 (msg:'DOS UDP Bomb'; classtype:attempted-dos;sid:271; rev:1;) lert udp $EXTERNAL_NET any
-> $HOME_NET any (msg:'DOS Teardrop attack';id:242; fragbits:M;classtype:attempted-dos; sid:270;
rev:1;)alert icmp
$EXTERNAL_NET any -> $HOME_NET any (msg:'DDOS TFN Probe'; id: 678; itype: 8;
content:'1234';classtype:attempted-recon; sid:221; rev:1;) lert icmp XTERNAL_NET any ->
$HOME_NET any (msg:'ICMP PING NMAP'; size:;itype:8;classtype:attempted econ; sid:469;
rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET any msg:'SCAN
XMAS';flags:SRAFPU; lasstype:attempted-recon; sid:625; rev:1;) lert tcp HOME_NET 31337
> $EXTERNAL_NET 80 (msg:'SCAN synscan microsoft'; id: 9426; flags: F;
lasstype:attempted-recon; sid:633; rev:1;)

EYou install two computers to run your IDS. One will be a dedicated machine that is on the outside of therouter, and the second will be on the inside of the router. You configure themachine on the outside of the router to run Snort, and you combine the default rules of several of the built-inrule sets. You combine the ddos.rules, dos.rules, exploit.rules, icmp.rules, nd scan.rules. n the system that is inside the router, running Snort, you also combine several of thebuilt-in rule sets. You combine thes can.rules,webcgi.rules,ftp.rules, web-misc.rules, andweb-iis.rules.You configure the alerts on the two systems to send youemail messages when events are identified. After youimplement he two systems, you run some external scans and tests using vulner ability checkers and exploit testing software. You modify your rules based on your tests.

Answer : E

Question 4

You had been taking a short vacation, and when you come into work on Monday morning, Orange is already at your door, waiting to talk to you. "We're got a problem," Orange says, "It seems that the password used by our Vice President of Engineering has been compromised. Over the weekend, we found this account had logged into the network 25 times. The Vice President was not even in the office over the weekend." "Did we get the source of the compromise yet?" "No, but it won't surprise me if it is our new neighbors at MassiveCorp. I need to you to come up with a realistic plan and bring it to me tomorrow afternoon. This problem must be resolved, and like everything else we do not have unlimited funds so keep that in mind." Based on this information, choose the best solution to the password local authentication problem in the Executive building.}

ASince you are aware of the significance of the password problems, and since you do not have unlimited funds, you plan to address this problem through education and through awareness. You write up a plan for Orange that includes the following points:
1.All end users are to be trained on the methods of making strong passwords
2.All end users are instructed that they are to change their password at a minimum of every 30 days. 3.The administrative staff is to run password-checking utilities on all passwords every 30 days.
4.All end users are to be trained on the importance of never disclosing their password to any other
individual.
5.All end users are to be trained on the importance of never writing down their passwords where they
areclearly visible.

BSince you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Orange that includes the following points: 1.You will reconfigure the Testbed.globalcorp.org domain to control the password problem. 2.You will configure AD in this domain so that complex password policies are required. 3.The complex password policies will include: a.Password length of at least 8 characters b.Passwords must be alphanumeric c.Passwords must meet Gold Standard of complexity d.Passwords must be changed every 30 days e.Passwords cannot be reused

CSince you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-based authentication system.
2.You will install the RSA SecurID challenge-response token system.
3.You will create SecurID user records for each user to match their domain accounts.
4.You will assign each user record a unique token.
5.You will hand deliver the tokens to the correct executive.
6.Users will be required to use tokencodes from the One-Time tokencode list. The tokencodes will be alphanumeric and will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.

DSince you are aware of the significance of the password problems, plan to address the problem using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a biometric solution.
2.You will install retinal scanners at every user desktop in the executive building.You will install retinal scanners at every user?
desktop in the executive building.
2.You will install retinal scanners at every user desktop in the executive building.You will install retinal scanners at every user? Desktop in the executive building.
3.You will personally enroll each user at each desktop.3.You will personally enroll each user at each desktop.
4.You will instruct each user on the proper positioning and use of the scanner.4.You will instruct each user on the proper positioning and use of the scanner. 5.The biometric system will replace all passwords for authentication into each user Windows system.The biometric system will replace all passwords for authentication into each user?
Windows system. 6.The biometric system will replace all passwords for authentication into each user Windows system.The biometric system will replace all passwords for authentication into each user? Windows system.

ESince you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-based authentication system.
2.You will install the RSA SecurID time-based token system. 3.You will create SecurID user records for each user to match their domain accounts. 4.You will assign each user record a unique token. 5.You will hand deliver the tokens to the correct executive. 6.Users will be allowed to create their own PIN, which will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.

Answer : E

Question 5

Things have been running smoothly now at GlobalCorp for the last several weeks. There have been no major attacks, and it seems that the systems in place are performing just as expected. You are putting together some paperwork when you get a call from Orange to meet in the conference room. When you get there, Orange is wrapping up a meeting with the senior Vice President of Sales, whom you say hello to on your way in. "I was just talking with our senior VP here, and we're run into a new issue to discuss," Orange tells you. "Wel Il let you two sort this out. Orange, do let me know when it all ready to go."With that the VPleaves. You sit down across from Orange, who starts, "That was an interesting meeting. It seems that even though I have always said no to the request, we are being pressured to implement a wireless network." "Here?" you ask, "In the executive building?""Yes, right here. The sales team wishes to have the ability to be mobile. Instead of running a full scale roll out I have trimmed the request down to running a test implementation on the second floor. The test run on that floor will be used to determine the type of wireless rollout for the rest of the building, and eventually the rest of the campus. So, here is what we need to do. I need you to create the roll out plan, and bring that plan to me. Il review with you and implement as required." "As always, what is my budget restriction?" you ask. "In this case, security is the top priority. If we are going to run wireless, it has to be as secure as possible, use whatever you need. That being said, your plan has to use existing technologies, we are not going to fund the development of a new protocol or proprietary encryption system right now."You begin your work on this problem by pulling out your own wireless networking gear. You have alaptop that uses an ORiNOCO card, and you have a full directional antenna that you can holdor mount on a small tripod. You take your gear to the lobby of the second floor, and you load up Net Stumbler quickly to run a quick check that there are no access points in your area. The immediate area is clear of any signal, so you take you gear and walk the entiresecond floor, waitingto see if there is any signal, and you find none. With your quick walk through complete, you take your gear back to your office and start working on your plan. Using your knowledge of the GlobalCorp network, select the best solution to the wireless networking rollout problem:}

AYou have figured out that since the network is a test roll out, you have some flexibility in its configuration. After your walk through test, you begin by configuring the wireless nodes in the network to run in Ad Hoc mode, creating an Independent Basic Service Set (IBSS). You will use a complex SSID of 5cN@4M3! on all wireless nodes. You will next configure every node to nolonger broadcast any beacon packets. You will configure all the nodes to not use the default channel, and instead move them all to channel six. You will configure every node to use MAC address filtering, to avoid unauthorized nodes from attempting to gain access to the network. Finally, you will configure each node to use WEP in the strong 128-bit mode, along with a complex 16-character passphrase. Once the network is up and running, you take your gear (which is not an authorized client of the network) and every few days will walk the office again, checking for access. B. You have figured out that since the network is a test roll out, you have some flexibility in its configuration. After your walk through test, you begin by configuring the wireless nodes in the network to run in Ad Hoc mode, creating an Extended Basic Service Set (EBSS). You will use a complex SSID of 5cN@4M3! on all wireless nodes. You will next configure every node to no longer broadcast any beacon packets. You will configure all the nodes to not use the default channel, and instead move them all to channel six.You will configure every node to use MAC address filtering, to avoid unauthorized nodes from attempting to gain access to the network. Finally, you will configure each node to use WEP inthe strong 128-bit mode, along with a complex 16-character passphrase for generating four keys. You willmanually input the WEP Keys into each node. You will divide the test nodes into quarters, and configure each quarter to startup on the network using a different default WEP key. Once the network is up and running, you take your gear (which is not an authorized client of the network) and every few days will walk the office again, checking for access.

CYou determine that for the test network, you will run the network in infrastructure mode, using a SSID ofFLOOR2. During the test, you will create one single Basic Service Set (BSS),running through one access point. All test nodes will be configured to participate in theBSS, using the SSID ofFLOOR2, and the access point will be configured with MAC address filteringof the test nodes. You will configure the access point to use EAP, specifically EAP-TLS. You willconfigure a Microsoft RADIUS Server as the authentication server. You will configure the RADIUS server with a digital certificate. Using EAP-TLS, both the server and the client will be required to authenticate using their digital certificates before full network access will be granted. Clients will have supplicant software configured where required. You will next make a physical map of the office, using the tool Ekahau. Working with this tool, you will map out and track the positioning of each wireless device once the network isactive. When the network is up and running, you take your gear (which is not an authorized client of the network) and every few days will walk the office again, checking for access. You will continue the test by running checks from the parking lot, ensuring that you cannot gain access.

DYou determine that for the test network, you will run in infrastructure mode, using a SSID of FLOOR2. During the test, you will create one single Independent Basic Service Set (IBSS), running through one access point. All test nodes will be configured to participate in the IBSS, using the SSID of FLOOR2. You will configure the access point to use WPA, with an algorithm of TKIP. You will configure WPA to utilizethe full 128-bit key option, with the pre-shared WPA key option. The clientcomputers will need supplicants, so you will configure the Funk Software Odyssey Client on the clients, matching the key settings and TKIP settings.You will disable the access point from broadcasting its SSID, and you will configureMAC address filtering. Once the network is up and running, you take your gear (which is not an authorized client of the network) andevery few days will walk the office again, checking for access.

EYou figure out that you will run the test network in infrastructure mode, using a SSID of GlobalCorp. You will create one single Basic Service Set (BSS), all running through one accesspoint. All test nodes will be configured to participate in the BSS, using the SSID of GlobalCorp, and the accesspoint will be configured with MAC address filtering of the test nodes.You will configure the access point to utilize a combination of 802.1x and WPA. The WPA settings will befully secured with TKIP, and 128-bit keys, which change on a per session basis. The 802.1x settings will be to use Lightweight EAP (LEAP). The clients will be configured to use LEAP, witha fallback to TKIP at 128-bits.You will configure the access point to utilize a combination of 802.1x and WPA. The WPA settings will be fully secured with TKIP, and 128-bit keys, which change on a per session basis. The 802.1x settings will be to use Lightweight EAP (LEAP). The clients will be configured to use LEAP, with a fallback to TKIP at 128-bits. When the network is up and running, you take your gear (which is not an authorized client of the network) and every few days will walk the office again, checking for access. You will continue the test by running checks from the parking lot, ensuring that you cannot gain access.

Answer : C

Question 6

By now, you are feeling confident that the security of the MegaCorp network is getting under control. You are aware that there are still several critical areas that you must dealwith, and today you are addressing one of those areas. You have been able to take care of the router, firewall, security policy, and intrusion detection, now you are concerned with some of the hosts in the network. Since the organization is not very large, you are the only person working in the IT end of the company. Itwill be up to you to directly work on the systems throughout the network. You make a quick chart of the systems you know should be in the MegaCorp network:

Server0001, 10.10.20.101, Windows 2000 Server Server0010, 10.10.20.102, Windows 2000 Server Server0011, 10.10.20.103, Windows 2000 Server Server0100, 10.10.20.104, Linux (Red Hat 8.0) User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional The addressing that you recommended months ago is in place, and it follows a distinct logical pattern,you are hoping that no new systems are hidden in the network somewhere. In the company, you have been granted domain administrator rights, and no other user is authorized tohave administrator, root, supervisor, or otherwise privileged level of access. All the Windows systems are to belong to one windows domain called SCNA.edu. Users are no longer allowed to install unauthorized applications, and are all to use the file servers for storage. Although they have the ability to do so, users are not supposed to store any work data on their local systems. The servers are located in a server cabinet that is inside your office, so you decide to start working there. Using your knowledge of MegaCorp select the best solution for hardening the MegaCorp operating systems:}

AThe first thing you do is to run a Nessus scan against all the servers in the room, noting the findings of the scans. You then begin on the servers by running some tests on the Linux server. First, you run Tripwire on the entire system to ensure that there are no rogue Root accounts, and the test is positive. Second, you ensure that there are no unauthorized objectsavailable through the network, and third you lock the system down with Bastille. You then work on the Windows servers. You run a check to ensure there are no unauthorized administrator accounts, and there are not. You create a custom security template and implement the template on each server using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. Finally, you analyze the user desktops. You go one by one through the network checking for added user accounts, and you find some. You remove these unauthorized accounts and check for software and applications. Again, you find some applications that are not allowed and you remove them.You check the systems for hardware changes, and address the issues that you find.

BYou start the job by running some analysis on the Windows servers. You do this using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. You find several user accounts that have been given local administrator access, and youremove these accounts. You next use the Secedit tool to implement local encryption on the shared hard drive to secure the local files for the network users.You then work on the Linux server. To your surprise there are nounauthorized root accounts, nor any unauthorized shares. You ensure that the permissions are correct on the shared objects, and run Bastille to lock down the server. You then work on the client machines. Before you physically sit at each machine, you run a Nessus scan from your office. Bringing the results with you, you go to each machine andaddress any issues as identified in the Nessus scan, remove any unauthorized applications

CThe first thing you decide to do is plug your laptop into the server room, and run a full Nessus scan on the entire network, specifically looking for every backdoor vulnerability that theapplication can check. This takes some time to compile, but you eventually end up with a list of issues to address on each machine. You move on to the Linux server, and run a fast Tripwire check on the system to look forany additional vulnerabilities. Once that check is done, you install SSH so that all access by every user will be encrypted to the server, and you run Bastille to lock down the system. At the Windows systems, you address any issues found during the Nessus scan, you ensure that each system is updated with the latest patches, and you ensure that the systems are allfunctioning as fully secure and functional file servers to the network by implementing the HISECWEB.INFtemplate in the Security Configuration and Analysis Snap-In.Finally, you work on each desktop machine by removing any vulnerabilities listed in the scan report. You remove a few pieces of unauthorized hardware and many unauthorized applications.

DYou being by running a Nessus scan from your office laptop on the systems in the network, first the servers, then the user workstations. After the scans are complete, you store the reports on your laptop, and you take your laptop to the server room. In the server room, you begin on the Windows servers. You implement a custom security template on eachserver using the Security Configuration and Analysis Snap-In, remove any unauthorized accounts, ensure that each system is updated with the latest patches, and ensure that the permissions on each shared object are as per policy. You then work on the Linux server, by addressing each point identified in the Nessusscan. You then lock thesystem with Bastille, ensure that each system is updated with the latestpatches, and run a quick Tripwire scan to create a baseline for the system. You take your laptop with you as you go throughout the network to each userworkstation, ensure that each system is updated with the latest patches, and you take care of each issue you found on the machines. There are a few systems that you find with unauthorized applications and you removethose applications.

EYou begin by running a Nessus scan on each computer in the network, using the \hotfix switch to create a full report. The report identifies every vulnerability on each system and lists the specific changes you must make to each system to fix any found vulnerabilities. You take the report to the server room and start with the Linux server. On the server, you run through the steps as outlined in the Nessus report, and end by locking the system using Bastille. Then, you move to the Windows systems, again following the steps of the Nessus report, and ending by using the Security Configuration and Analysis Snap-In to implement the GoldStandard template on every server. Finally, you proceed to each user workstation. At each user machine, you follow each step for each system, based on your report. Once you have addressed all the vulnerabilities in the systems, you run a quick Secedit scan on each system to ensure that they are all locked down and that proper encryption is configured.

Answer : D

Question 7

You have now seen to it that all end users and computers in the Testbed office have received their certificates. The administrative staff has been trained on their use and function in the network. The following day, you meet with Orange to discuss the progress. "So far so good," starts Orange, "all the users have their certificates, all the computers have their certificates. I think we are moving forward at a solid pace. We have talked about the ways we will use our certificates, and we need to move towards securing our network traffic." "I agree," you reply, "last week I ran a scheduled scan, and we still have vulnerability in our network traffic. The folks from MassiveCorp would love to have a sniffer running in here, I sure of that." "That exactly the point. We need a system in place that will ensure that our network traffic is not so vulnerable to sniffing. We have to get some protection for our packets. I like you to design the system and then we can review it together." The meeting ends a few minutes later, and you are back in your office working on the design. Choose the best solution for protecting the network traffic in the executive office of the Testbed campus:}

AAfter further analysis on the situation, you decide that you will need to block traffic in a more completeway at the border firewalls. You have decided that by implementing stricter border control, you will be able to manage the security risk of the packets that enter and leave the network better. You implement a new firewall at each border crossing point. You will configure half of the firewalls with Checkpoint FW-1 NG and the other half with Microsoft ISA. By using two different firewalls, you are confident that you will be minimizing any mass vulnerability. At each firewall you implement a new digital certificate for server authentication, and you configure thefirewall to require every user to authenticate all user connections. You block all unauthorized traffic and run remote test scans to ensure that no information is leaking through. Once the test scans are complete, you verify that all users are required to authenticate with the new firewall before their traffic is allowed to pass, and everything works as you planned.

BYou spend time analyzing the network and decide that the best solution is to take advantage of VPN technology. You will create one VPN endpoint in each building. Your plan is to create aunique tunnel between each building.You first install a new Microsoft machine, and configure it to perform the functions ofRouting and RemoteAccess. You then create a tunnel endpoint, and configure each machine to use L2TP to create the tunnel. To increase security, you will implement full 256-bit encryption on each tunnel, and you will use 3DES on onehalf of the tunnels and AES on the other half of the tunnels. You will be sure that each tunnel uses the same algorithm on both ends, but by using two algorithms you are sure that you haveincreased the security of the network in a significant way.

CYou decide that you will implement an IPSec solution, using custom IPSec settings. You wish to utilize
thedigital certificates that are available in the network. You decide that you wish for there to be maximum strength, and therefore you choose to implement IPSec using both AH and ESP. First, you configure a custom policy for the servers in the network. You verify that none of the default policies are currently implemented, and you create a new policy. Your new policy will use SHA for AH and SHA+3DES for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the servers that you can and use secedit to force the others to refresh their policy. Next, with the help of the administrative staff, you will configure each client in the network. For the clients, you verify that no default policy is enabled, and you create a policy that uses SHA for AH and SHA+3DES for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the client machines that you can and use secedit to force the others torefresh their policy.

DYou decide that you will implement an IPSec solution, using the built-in functionality of Windows. You
decide that you wish for there to be maximum strength, and therefore you choose toimplement IPSec using both AH and ESP. First, you configure each server in the network with a new IPSec policy. You choose to implement the defaultServer IPSec Policy. Using this policy you are sure that all communication both to and from the server will utilize IPSec. You reboot the servers that you can and usesecedit to force the others to refresh their policy. Next, with the help of the administrative staff, you will configure each client in the network. For the clients, you use the default Client IPSec Policy. You reboot the client machines that you can and use secedit to force the others to refresh their policy.

EYou decide that you will implement an IPSec solution, using custom IPSec settings. You wish to utilize the digital certificates that are available in the network. You decide that you wish for there to be maximum strength, and therefore you choose to implement IPSec using both AH and ESP. First, you configure a custom policy for the servers in the network. To increase strength, you will implement your custom policy on top of the default Server IPSec Policy. You verify that the policy is running, and then you create a new policy. Your new policy will use SHA+3DES for AH and SHA for ESP. You make sure that the policy is to include all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the servers that youcan and use secedit to force the others to refresh the two policies. Next, with the help of the administrative staff, you will configure each client in the network. For the clients you also need the highest in security, so you will use a custom policy on the default policy. You verify that the default Client IPSec policy is enabled, and then you create a policy that uses SHA+3DES for AH and SHA for ESP. You make sure that the policy is toinclude all IP traffic, and for Authentication Method, you use the certificate that is assigned to each server. You reboot the client machines that you can and use secedit to force the others to refresh the two policies.

Answer : C