Entrance exam: Web attack prevention and defense

Test your knowledge of Web security to see if you'd benefit from our Intrusion Defense School lesson, "Web attack prevention and defense."

by Michael Cobb

Sure, IIS has its fair share of problems, but you could be your Web server's No. 1 vulnerability if you aren't Web security savvy. Take this exam to see if it's time to go back to school -- Web Security School, that is!

1.) What is SSL used for?
a. Encrypt data as it travels over a network
b. Encrypt files located on a Web server
c. Encrypt passwords for storage in a database
d. Encrypt specific elements of data for application-specific purposes
e. Encrypt digital certificates used to authenticate a Web site


How'd you score?

15-20 correct: Web Security Superstar! Hone your knowledge with these checklists:
Essential fortification checklist
Developer's active content delivery checklist
Spyware removal checklist

Less than 15 correct: Time to enroll in Web Security School. In just a few short hours you can go from novice to expert.
Lesson 1: Securing a Web server
Lesson 2: Defeating Web attacks
Lesson 3: Securing Web apps

2.) Which port does HTTPS use?
a. 21
b. 53
c. 80
d. 137
e. 443


3.) True or False: An IT security risk analysis is the same as an IT vulnerability assessment.


4.) Phishing differs from adware and spyware because…
a. it is not a problem for organizations but individuals.
b. it installs malicious software on your PC.
c. it uses social engineering and technical subterfuge whereas the other two do not.
d. it is easier to stop.
e. None of the above


5.) Which is the recommended setting for auditing policy settings to audit Object Access?
a. Success: Off, Failure: Off
b. Success: Off, Failure: On
c. Success: On, Failure: Off
d. Success: On, Failure: On
e. None of the above


6.) As the administrator for a Windows-based network, you are installing Windows 2000 Server on a computer that will run IIS and be connected to the Internet. Your domain name is mycompany.com. During setup the installer asks whether you want this computer to be a member of a domain. Which option do you select?
a. No, this computer is not on a network or is on a network without a domain.
b. Yes, make this computer a member of the following domain: mycompany.com.


7.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site?
a. IIS Admin Service
b. Performance Logs and Alerts
c. Protected Storage
d. Server Service
e. World Wide Web Publishing Service


8.) By default, IIS is configured to support many different common file name extensions that are related to a variety of features in IIS. Your site uses Active Server Pages and PHP for creating pages on the fly. Besides .asp and .php, what other file name extensions should be mapped to IIS?
a. .htw
b. .printer
c. .shtm
d. .idq
e. None of the above


9.) Which is the recommended log file format for logging IIS events?
a. Microsoft IIS Log File Format
b. NCSA Common Log File Format
c. W3C Extended Log File Format


10.) Web server A is set up to log system and IIS activity. Which is the best setup from the list below?
a. Log File Directory: %WinDir%\System32\LogFiles
b. Log File Directory: C:\Inetpub\wwwroot\LogFiles
c. Log File Directory: E:\Inetpub\wwwroot\LogFiles
d. Log File Directory: E:\Inetpub\LogFiles
e. Log File Directory: F:\LogFiles


11.) Which of the following network designs is considered the most secure?
a. Flat network
b. Triple-homed perimeter network
c. Back-to-back perimeter network


12.) Which of the following steps is not required to configure IIS to handle encrypted sessions?
a. Create a public-key pair in IIS to submit to a Certificate Authority (CA) when you request a certificate.
b. Request a server certificate from the CA.
c. Sign for the certificate when FedEx delivers it.
d. Install the certificate.
e. Configure the directories and pages that you want to secure.


13.) True or False: You don't need a digital certificate installed on your Web server to be able to securely manage it remotely using Windows Terminal Services.


14.) True or False: You can use the Microsoft Event Viewer snap-in to view your Windows and IIS log files.


15.) Which of the following is the best definition of risk analysis when discussing IT security?
a. Risk analysis looks at the probability that a hacker may break into your system.
b. Risk analysis looks at the probability that your security measures won't stop a hacker breaking into your system.
c. Risk analysis determines what resources you need to protect and quantifies the costs of not protecting them.
d. Risk analysis looks at the probability that a vulnerability exists in your system.
e. Risk analysis looks at the consequences of being connected to the Internet.


16.) Which is the correct set of network components that need to be available for the Internet-facing network card of a dual-homed IIS Web server running on Windows 2000?
a. Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP)
b. Client for Microsoft Networks, Internet Protocol (TCP/IP)
c. Internet Protocol (TCP/IP)
d. File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP)
e. None of the above


17.) Which is the correct definition of the Windows user right assignment "Log on locally"?
a. Determines which users can log on at the computer
b. Determines which users are prevented from logging on at the computer
c. Determines which service accounts can register a process as a service
d. Determines which users and groups are allowed to connect to the computer over the network
e. Allows a user to be logged on by means of a batch-queue facility


18.) What are the correct ACLs for IIS-generated log files?
a. System (Full Control), Administrators (Full Control), Everyone (RWC)
b. System (RWC), Administrators (Full Control), Everyone (RWC)
c. System (Full Control), Administrators (Full Control)
d. System (Full Control), Administrators (RWC)
e. System (Full Control), Administrators (Full Control), Guest (RWC)


19.) Which one of the following components does not need to be installed to run IIS on a Windows server?
a. Common Files
b. Internet Information Services Snap-in
c. Networking Services
d. World Wide Web Server
e. They all need to be installed


20.) The Security Accounts Manager database stores usernames, account privileges and security context information for every user allowed to log on to a Windows machine locally. Which copy of the SAM database should you delete on a Windows Web server?
a. Program Files\Microsoft\SAM
e. None of them



This was last published in June 2005
