Final exam: Web attack prevention and defense

Discover how much you've learned about Web server security with this final exam on Web attack prevention and defense.

This Content Component encountered an error

1.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site on the Internet?

Web attack
prevention and defense

Download this Web attack prevention and defense final exam (.pdf).

Review materials for this exam by going to the Web attack prevention and defense home page.

Check out more learning materials from our Intrusion Defense School.

a. IIS Admin Service
b. Net Logon
c. Performance Logs and Alerts
d. Protected Storage
e. World Wide Web Publishing Service


2.) Which of the following statements is true about script kiddies?
a. They target specific organizations.
b. They scan specific systems for specific weaknesses.
c. They use subtle and varied tactics.
d. They may use your system to scan or exploit other systems.
e. The number of network attacks does not increase during school holidays.


3.) Which of the following properties must a "reliable" system demonstrate to be able to deliver essential services?
a. Resistance to attacks.
b. Recognition of attacks and the extent of any damage.
c. Recovery of full and essential services after attack.
d. Adjustment to reduce effectiveness of future attacks.
e. All of the above.


4.) Your Web server should be placed in a DMZ or "perimeter network," because…
a. It will be safe from attack.
b. It won't be able to access the Internet otherwise.
c. It locates it on a different subnet to your intranet.
d. It is easier to wire it to the Internet.
e. It has to trust traffic coming from the Internet.


5.) Which of the following would you allow to attack your Web site?
a. Crackers
b. Hackers
c. Script kiddies
d. Red Teams
e. None of the above


6.) You are running an e-commerce Web site that uses SSL to encrypt your customers' address and credit card information when they purchase goods via the site. You have blocked all unused ports on your Web server except ports 25, 80, 1433 and 1434. Will your customers be able to pay for their orders?
a. Yes
b. No


7.) Which of the following is not a true statement about the advantages of backing up system log files on a dedicated server?
a. It provides redundancy.
b. It reduces the cost of backing up log files.
c. You can compare two sets of logs against one another.
d. It allows cross checking of log files.
e. It protects against hackers altering or deleting local log files.


8.) Phishing differs from adware and spyware because…
a. it is not a problem for organizations but individuals.
b. it installs malicious software on your PC.
c. it uses social engineering and technical subterfuge whereas the other two do not.
d. it is easier to stop.
e. None of the above.


9.) Which one of the following components does not need to be installed to run IIS on a Windows server?
a. Common Files
b. FrontPage Server Extensions
c. Internet Information Services Snap-in
d. World Wide Web Server
e. They all need to be installed


10.) Which of the following directories should be deleted from a live IIS Web server connected to the Internet?
a. E:\Inetpub\ftproot
b. F:\Inetpub\iissamples
c. G:\Inetpub\mailroot
d. H:\Inetpub\wwwroot
e. None of them


11.) True or False: Client-side validation of form data is the same as server-validation except that it happens on the client's machine.


12.) Which of the following file types do you need to delete from your production IIS Web server?
a. .htm
b. .asp
c. .inc
d. .bak
e. None of the above


13.) Which of the following are signs that computers on your network may have been infected by spyware?
a. PCs are running unusually slow.
b. Ads are popping up.
c. Home pages have been altered.
d. There's a dramatic increase in network traffic.
e. All of the above.


14.) Internet Explorer divides the Internet into zones, so that you can assign a Web site to a zone with a suitable security level. To which level would you assign the site \\fileserver\documents?
a. Internet zone
b. Local intranet zone
c. Trusted sites zone
d. Restricted sites zone


15.) The NTFS file format allows you to…
a. Encrypt data as it travels over a network.
b. Encrypt files located on a computer's hard drive.
c. Encrypt passwords for storage in a database.
d. Hide passwords with asterisks while they are entered in a text box.
e. Encrypt digital certificates used to authenticate a Web site.


16.) True or False: You do not need a Terminal Server Client Access License to run Terminal Services to manage a Windows server remotely.


17.) Which phrase best fits the following sentence? Web form input is _________. The data is not blocked; it is allowed into the server and could be manipulated to compromise security.
a. always sent using POST
b. critical to an e-commerce site
c. safe to use
d. an "allowed path"
e. part of the HTTP protocol


18.) You run a Web site that provides ASP script examples that are stored in an Access database. What is the correct way to display the text <script> on a Web page?
a. <script>
b. &lt;script&gt;
c. <&lt;script&gt;>
d. &lt;<script>&gt;
e. &gt;script&lt;


19.) Microsoft's cipher.exe program…
a. permanently overwrites all of the deleted data on a hard drive.
b. permanently encrypts all of the deleted data on a hard drive.
c. empties the Recycle Bin data on a hard drive.
d. deletes the System Page file on system shut down.
e. empties the Recycle Bin data on system shut down.


20.) True or False: Null sessions are required on Windows IIS Web servers in order to allow anonymous access to the Web site using the Internet Guest account.


This was first published in June 2007

Dig deeper on Security Resources



Enjoy the benefits of Pro+ membership, learn more and join.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: