Guide to Operating Systems Security
0-619-16040-3
Guide to Operating Systems Security
Chapter 6 Solutions
Answers to the Chapter 6 Review Questions
1.
When an application is designed for faster connectionless transport, it uses which of the following?
(Choose all that apply.)
Answer: b. UDP
2.
Some of the staff in the warehouse building like to end the day playing games over the Internet.
However, none of their job duties necessitates access to the Internet, and playing the games exposes
the computers in their building to unnecessary security risks. Which of the following offers the best
solution?
Answer: c. Place a proxy that filters out HTTP and FTP traffic between their building and the
Internet connection.
3.
You are the server and network administrator for the city and county court system, which has Internet
connectivity. The judges are concerned about developing security to make it difficult for outside
Internet users to determine information about the network computers and their contents on the internal
court-system network. Which of the following should you do? (Choose all that apply.)
Answer: a. and b.
4.
A TCP source port is similar to a(n) _________________________________.
Answer: c. virtual circuit
5.
A network administrator in your organization has configured a firewall to block Telnet and SSH
communications by blocking the TCP and UDP ports 22 and 80. Will this accomplish the job?
Answer: d. No, because Telnet is still not blocked.
6.
IPTables is used to configure firewall and NAT activities in ____________________________.
Answer: d. Red Hat Linux
7.
Which of the following are functions performed by routers? (Choose all that apply.)
Answer: a., b., c., and d.
8.
One of the Windows XP Professional users who has configured a firewall suspects she may have been
the victim of an attempted attack. Which of the following might enable her to determine this?
Answer: b. Examine the \Windows\pfirewall.log file
9.
From where do you configure a firewall in Mac OS X?
Answer: a. System Preferences, and the Shared icon
10. You have placed a Web server between your border security devices and the Internet connection. This
area is the _______________________________.
Answer: c. demilitarized zone
11. The ______________________ field in IP enables a determination of what path to use for sending a
particular packet, when multiple network paths can be used.
Answer: a. type of service
12. Port-scanning software used by an attacker may take advantage of which of the following types of
communications? (Choose all that apply.)
Answer: b. and d.
13. Port-scanning attacks are more likely to be fruitful against ___________________ than
_________________________.
Answer: d. TCP, UDP
14. The ___________________________ is the same as the physical address of a network interface.
Answer: b. media access control address
15. The vice president of finance in your company keeps confidential spreadsheets in the Public folder of
his Mac OS X workstation, and he is unknowingly sharing this folder for all to access over the
company’s internal network. The company IT director asks you to shut down access to his shared
folder. Which of the following might you do? (Choose all that apply.)
Answer: b. and c.
16. The 16-bit ________________________________ is a basic way in which TCP verifies the accuracy
of packets received at the destination computer of a data transmission from a source computer.
Answer: b. cyclic redundancy check
17. In an IT department meeting, the computer professionals are discussing how to implement Microsoft
Network Address Translation in Windows Server 2003. One of the user support professionals is
concerned that implementing NAT will cause confusion, because client workstations must use
addresses in the range of 10.0.0.0 to 10.255.255.255, and many users want to keep their present IP
addresses. What is your response?
Answer: d. It is possible to configure NAT so that users can keep the addresses they presently
have, as long as this does not cause problems with their access to outside networks.
18. Your company wants to configure ICF on the 64-bit version of Windows Server 2003, Datacenter
Edition. What step must be taken to configure ICF?
Answer: d. ICF is not presently available in this version of Windows Server 2003.
19. Which of the following are examples of border points on a network? (Choose all that apply.)
Answer: a., b., c., and d.
20. The network in the manufacturing building of your company is connected to a network used by the
sales division. The sales division network is an older network that has many workstations still
configured for the NetWare version 3 and 4 servers that were once on that network. You’ve noticed a
lot of unnecessary traffic that comes from the sales division network into the manufacturing network,
and the sales division network administrator is too busy to help. What might you do to help secure and
improve the network in the manufacturing building?
Answer: a. Place a firewall or router between the two networks that filters out IPX
communications.
Hands-On Projects Tips and Solutions for Chapter 6
Project 6-1
In this project, students learn how to quickly determine the IP address and subnet mask of a computer
running Windows 2000/XP/2003.
In Step 2, students should record the IP address and subnet mask of the computer they are using.
Project 6-2
This project enables students to view the IP, subnet mask, and device address information for a
computer using Red Hat Linux 9.x.
In Step 2, students should record the IP address, subnet mask, and device address of the computer they
are using for this project.
Project 6-3
In this project, students view the IP address and subnet mask information from the NetWare Server
Console. Next, they view the IP address from ConsoleOne.
In Step 2 of the first set of steps, students should record the IP address and subnet mask.
In Step 5 of the second set of steps, students should record the IP address.
Project 6-4
In this project, students determine the IP address and subnet mask of a computer running Mac OS X.
In Step 3, students should record the IP address and subnet mask.
Consider having students use the terminal window to determine the IP address, as presented in the note
following this project.
Project 6-5
Students enable ICF in Windows XP Professional (or Home Edition) in this project.
In Step 7, the services that students should record are:
• FTP Server
• Internet Mail Access Protocol Version 3 (IMAP3)
• Internet Mail Access Protocol Version 4 (IMAP4)
• Internet Mail server (SMTP)
• Post-Office Protocol Version 3 (POP3)
• Remote Desktop
• Secure Web Server (HTTPS)
• Telnet Server
• Web Server (HTTP)
In Step 9, port 80 is configured as both the external and internal port number of Web Server (HTTP).
In Step 10, the two security logging options are:
• Log dropped packets
• Log successful connections
In Step 11, the ICMP requests that can be acknowledged or ignored are:
• Allow incoming echo request
• Allow incoming timestamp request
• Allow incoming mask request
• Allow incoming router request
• Allow outgoing destination unreachable
• Allow outgoing source quench
• Allow outgoing parameter problem
• Allow outgoing time exceeded
• Allow redirect
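As an added example tied to Review Question 8 and the Step 10 logging options (this is not code from the book), a Python parser that reads a pfirewall.log, counts DROP and OPEN entries, and flags a source whose dropped packets touched many distinct ports, the pattern a student would look for when deciding whether an attack was attempted. The sample log is constructed; its column layout is read from the log's own #Fields header, and the exact column set is an assumption to be checked against a real log.

```python
"""Triage a Windows XP ICF pfirewall.log for dropped-packet patterns (added example)."""
from collections import defaultdict

# Constructed sample. Column order comes from the log's own "#Fields:" header; the
# exact column set is an assumption, and the parser reads whatever header it finds.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-03-01 09:15:01 DROP TCP 203.0.113.7 192.168.1.10 44021 21 48 S 1 0 65535 - - -
2004-03-01 09:15:01 DROP TCP 203.0.113.7 192.168.1.10 44022 23 48 S 1 0 65535 - - -
2004-03-01 09:15:02 DROP TCP 203.0.113.7 192.168.1.10 44023 25 48 S 1 0 65535 - - -
2004-03-01 09:15:02 DROP TCP 203.0.113.7 192.168.1.10 44024 80 48 S 1 0 65535 - - -
2004-03-01 09:15:02 DROP TCP 203.0.113.7 192.168.1.10 44025 110 48 S 1 0 65535 - - -
2004-03-01 09:15:03 DROP TCP 203.0.113.7 192.168.1.10 44026 143 48 S 1 0 65535 - - -
2004-03-01 09:20:44 DROP UDP 192.168.1.1 192.168.1.10 138 138 229 - - - - - - -
2004-03-01 09:21:10 OPEN TCP 192.168.1.10 198.51.100.20 1045 80 - - - - - - - -
2004-03-01 09:21:30 DROP ICMP 203.0.113.7 192.168.1.10 - - 60 - - - - 8 0 -
"""


def parse_pfirewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # drop the "#Fields:" token itself
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line seen before the #Fields header")
            values = line.split()
            # Pad short lines so every record has every column (older builds log fewer).
            records.append(dict(zip(fields, values + ["-"] * (len(fields) - len(values)))))
    return records


def action_counts(records):
    """Count DROP/OPEN/CLOSE entries, i.e. what the two Step 10 logging options produced."""
    counts = defaultdict(int)
    for r in records:
        counts[r["action"]] += 1
    return dict(counts)


def dropped_ports_by_source(records):
    """Map each source IP to the distinct TCP/UDP destination ports the firewall dropped."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["protocol"] in ("TCP", "UDP") and r["dst-port"].isdigit():
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return ports


def suspected_scans(records, min_ports=5):
    """Sources whose drops hit at least min_ports distinct ports: the pattern of a port scan."""
    return sorted((src, sorted(p)) for src, p in dropped_ports_by_source(records).items()
                  if len(p) >= min_ports)
```

Broadcast noise such as the single NetBIOS datagram from the local router is kept in the counts but does not cross the scan threshold, which is why the threshold, not any single drop, drives the verdict.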
Project 6-6
Students configure NAT for Windows Server 2003 in this project.
In Step 17, students should record their observations about what can be configured for each tab:
• General: Used to configure event logging for the firewall software
• Translation: Used to set parameters for TCP and UDP mapping
• Address Assignment: Used to automatically assign addresses for the internal network.
• Name Resolution: Used to specify how name resolution is handled, such as through the local
DNS server.
Also in Step 17, students should make a special note that the Address Assignment tab is used to assign
addresses to the computers on the private network.
Project 6-7
This project enables students to configure NAT in Windows 2000 Server.
In Step 11, the connection options are:
• Connect using a modem, ISDN adapter, or other physical device
• Connect using virtual private networking (VPN)
In Step 15, the other options are:
• Route IPX packets on this interface
• Add a user account so a remote router can dial in
• Send a plain-text password if that is the only way to connect
• Use scripting to complete the connection with the remote router
Project 6-8
In this project, students configure a firewall in Red Hat Linux 9.x.
In Step 2, the security levels that students see are:
• High
• Medium
• No firewall
In Step 4, to configure the firewall only for SSH access, make sure that only the SSH service is
checked and that the others are unchecked.
Project 6-9
This project enables students to configure network services in Mac OS X and then to configure a
firewall to allow or deny incoming requests for the services they configure. The services that students
allow are:
• Personal File Sharing
• Remote Login – ssh
• FTP Access
• Printer Sharing
The incoming services that they deny are:
• Personal File Sharing
• Remote Login – ssh
• FTP Access
In Step 4, students should record which services are already turned on.
In Step 6, the services that students turned on in Step 5 are checked, which means that they are turned
on.
Solutions to the Case Project Assignments
Gonzales, Klein, and Stanfield is a large accounting firm that handles the accounting needs of medium to
large corporations. The firm’s headquarters is located in Los Angeles, with 200 accountants and staff.
There are branch offices in Dallas, Chicago, New York, and Atlanta. The offices are linked together by
WAN connections offered through telecommunications companies. Also, each office has Internet
connectivity provided by their long-distance telephone service companies.
The headquarters office is divided into two divisions, one that specializes in auditing services and a second
that provides accounting and corporate tax services. This office uses a combination of Windows Server
2003, Standard Edition and Red Hat Linux 9.0 servers. The client computers are a combination of
Windows XP Professional and Mac OS X systems. Each of the branch offices has the same mixture of
computers.
Case Project 6-1: Border Security Considerations
Figure 6-23 is an informal representation of this network. Using this diagram, prepare a short report for the
firm that discusses points at which they should consider border security.
Answer:
As the text suggests, border security is only as good as its weakest point. Students should suggest
establishing firewalls at every point where the firm’s internal network connects to a public
telecommunications network. Any connection that is not covered offers a way into the network for an
attacker. Further, in their reports students should discuss using the same security policies on every
firewall.
Encourage students to create their own diagram of the network and show on the diagram the points at
which they would install firewalls.
Case Project 6-2: Deploying NAT
The firm is interested in using NAT as a form of security, but the managers are not sure about the
advantages of NAT. Modify the report you created in Case Project 6-1 to:
• Provide an overview of the purpose of NAT
• Show where you would place NAT devices for security, using the diagram in Figure 6-23
Answer:
Network address translation (NAT) enables an organization to disguise the IP addresses of computers on
the internal network so that they are not revealed to the external network, such as the Internet. NAT does
this by translating the internal address to a different IP address for viewing on the external network.
One important advantage of NAT is that an organization can assign IP addresses to computers on the
internal network without registering them for universal use, such as for Internet access. Another advantage
is security. Potential attackers on the external network cannot determine the actual IP address of a computer
on the internal network, and so it is difficult for them to mount an attack.
One way to approach using NAT for Gonzales, Klein, and Stanfield is to install NAT at each location, so
that each one is protected. Because this organization handles so much confidential information, NAT offers
one important way to protect it.
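As an added illustration of the translation this answer describes (not code from the book), a small port-address NAT table in Python: internal 10.x hosts are rewritten to one public address, replies are mapped back to the right private host, and an inbound packet with no matching session entry is dropped, which is the property that keeps internal addresses from being discovered from outside. All addresses and ports are constructed.

```python
"""Port-address NAT table, added to illustrate the translation described above (not the book's code)."""

PUBLIC_IP = "198.51.100.5"   # constructed: the only address the outside network ever sees


class Nat:
    """Rewrites outbound packets to the public address and maps replies back to the private host."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def translate_outbound(self, pkt):
        """Allocate (or reuse) a public port for this private session and rewrite the source."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.outbound[key]}

    def translate_inbound(self, pkt):
        """Map a reply back to the private host; unsolicited packets have no entry and are dropped (None)."""
        target = self.inbound.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if target is None:
            return None
        return {**pkt, "dst": target[0], "dport": target[1]}


def demo():
    """Two private 10.x hosts reach the same Web server; an outsider then probes the public address."""
    nat = Nat(PUBLIC_IP)
    out1 = nat.translate_outbound({"src": "10.0.0.12", "sport": 1045, "dst": "203.0.113.80", "dport": 80})
    out2 = nat.translate_outbound({"src": "10.0.0.13", "sport": 1045, "dst": "203.0.113.80", "dport": 80})
    reply = nat.translate_inbound({"src": "203.0.113.80", "sport": 80,
                                   "dst": PUBLIC_IP, "dport": out1["sport"]})
    # Constructed outsider: same public port, but no session was ever opened to it, so it is dropped.
    probe = nat.translate_inbound({"src": "192.0.2.99", "sport": 40000,
                                   "dst": PUBLIC_IP, "dport": out1["sport"]})
    return out1, out2, reply, probe
```

Both private hosts use the same source port 1045, which is why the Translation tab's TCP and UDP port mapping is needed in addition to address rewriting.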
Case Project 6-3: Configuring NAT
The IT personnel at the headquarters and branch offices need a training document that explains how to
implement NAT on a computer running Windows Server 2003. Create such a training document to help
them get started.
Answer:
The general steps for configuring NAT are as follows:
1. Log on using an account that has administrator privileges.
2. Click Start, point to All Programs, point to Administrative Tools, and click Routing and Remote
Access.
3. Right-click the server in the tree and click Configure and Enable Routing and Remote Access.
4. Click Next when the Routing and Remote Access Server Setup Wizard starts.
5. Click Network address translation (NAT). Click Next.
6. Select the network interface to use. Further, ensure that Create a new demand-dial interface to the
Internet is selected. Finally, ensure that Enable security on the selected interface by setting a Basic
Firewall is selected.
7. Click Next and click Next again.
8. Click Next to use the Demand Dial Interface Wizard.
9. Click Next.
10. Click Connect using PPP over Ethernet (PPPoE). Click Next.
11. Provide a service name, and click Next.
12. Ensure that only Route IP packets on this interface is selected, and click Next.
13. Enter your user name, the name of your domain, the password for your account, and confirm the
password. Click Next.
14. Click Finish.
15. Click Finish again.
16. In the Routing and Remote Access window, expand the tree to view the elements under the
computer on which you configured NAT. Also, if necessary, double-click IP Routing to view the
elements under it.
17. Right-click NAT/Basic Firewall and click Properties. Configure the property tabs to match your
network’s requirements.
18. Click OK.
19. Close the Routing and Remote Access window when you are finished.
Case Project 6-4: Deploying a Web Server
The headquarters office plans to set up a Web server that will offer general information about the company,
provide downloadable tax documents and forms, supply auditing information, and provide other documents
of interest to their clients. This particular server will not contain sensitive or confidential information.
Create a short report to explain (1) where you would locate this server on the headquarters network and (2)
what type of firewall security you would implement.
Answer:
This Web server might be deployed in a demilitarized zone. This is a location within a network that exists
between two or more networks that have different security measures in place, such as between the private
network of a company and the Internet. The Web server is a good candidate for this type of placement, for
several reasons:
• It does not require a high level of security
• Its purpose is to offer information to clients and prospective clients over the Internet, and so it
needs fewer security restrictions to make this role possible.
• Placing it in the demilitarized zone prevents the need for risky Web traffic to enter the internal
network through a border gateway.
After the Web server is set up, the security might include (these are examples and students may suggest
additional or other security options):
• Configuring a firewall to restrict traffic that the Web server does not need, such as Telnet, SSH,
SMTP, and others. This can be done by disabling these services on the server and closing the
ports in the firewall.
• Configuring the appropriate NTFS permissions and Web permissions for files and folders.
• Making sure that strong passwords are used for administrative accounts on the server.
Encourage students to create a diagram to show the placement of the NAT server.
Case Project 6-5: Protecting Client Information on Workstations
Most of the Windows XP Professional and Mac OS X workstations on each network contain confidential
client information. Create a report for the managers that explains your general recommendations for
protecting the information on each computer.
Answer:
In Windows XP Professional and in Mac OS X the security measures that students might suggest include:
• Making sure that the client workstations have accounts configured and that the accounts are
protected by strong passwords.
• Closing any backdoor accounts.
• Carefully configuring folder and file security through permissions.
• Configuring permissions on any shared folders or turning off file sharing (and Windows file
sharing in Mac OS X).
• Configuring user rights in Windows XP Professional.
• Disabling services that might be a security risk and that are not needed, such as file sharing, Telnet,
SSH, HTTP, SMTP, FTP, remote procedure calls, and others.
• Configuring firewalls to lock down access to the operating systems.
Students might take this answer further by providing general descriptions of how to configure firewalls in
these systems.
To configure a Windows XP firewall:
1. Click Start and click Control Panel.
2. Click Network and Internet Connections and click Network Connections.
3. Right-click Local Area Connection and click Properties.
4. Click the Advanced tab.
5. Click the box for Protect my computer and network by limiting or preventing access to this
computer from the Internet.
6. Click the Settings button and configure the desired firewall options.
7. Click OK and click OK again.
To configure a Mac OS X firewall:
1. Click System Preferences in the Dock.
2. Double-click Sharing.
3. Select the Service tab.
4. Turn off the appropriate services.
5. Click the Firewall tab.
6. Start the firewall.
7. Close all windows that you have opened.
8. Click the System Preferences menu and click Quit System Preferences.