Guide to Operating Systems
0-619-16040-3
Guide to Operating Systems Security
Chapter 9 Solutions
Answers to the Chapter 9 Review Questions
1.
______________________________ is a security method that is commonly used by S-HTTP
Answer: a. Cryptographic Message Syntax
2.
You are configuring Internet Explorer in Windows Server 2003. It is important to have tight security
when using this Web browser, because it is primarily used for the Windows Update process and to
access the Microsoft Web site for other information. Which of the following Internet Explorer security
measures should you configure? (Choose all that apply.)
Answer: a., b., and c.
3.
Microsoft RAS is compatible with which of the following protocols? (Choose all that apply.)
Answer: a., b., c., and d.
4.
Your organization is setting up a Microsoft RAS server that will have only Windows XP Professional
clients using smart cards. Which of the following options should you configure for authentication?
(Choose all that apply.)
Answer: b. and c.
5.
The bank for which you work operates as an automated payroll clearing house, in which companies
contact your server through dial-up access and RAS, which is running on the server. Which of the
following represents the best method for security for client accounts that access the RAS server to send
their data?
Answer: c. set callback on each account to Always Callback to and provide the specific telephone
number for the client
6.
The IT management in your organization is thinking about simply turning off the RAS servers on the
weekends so that users cannot access them when the staff is away. Which of the following is your
response?
Answer: c. A simpler method is to configure a remote security policy so that RAS is only accessed
on Mondays through Fridays.
7.
_______________________________ creates a tunnel over the Internet for secure VPN
communications.
Answer: b. Point-to-Point Tunneling Protocol
8.
Which of the following communications methods is (are) compatible with Microsoft RAS? (Choose all
that apply.)
Answer: a., b., c., and d.
9.
While you are in an IT department meeting, one of the programmers is concerned about using
Microsoft RAS because he states that it does not allow for data encryption. What is your reaction?
Answer: d. RAS does support up to 128-bit encryption.
10. HTTPS uses __________________________ for security.
Answer: a. SSL
11. One of the scientists in your company is using Red Hat Linux and the Mozilla Web browser. She
wants to protect her computer so that information is not permanently written on it through the Internet.
Which of the following are options available in Mozilla for her to configure? (Choose all that apply.)
Answer: a., b., and d.
1
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
12. Several of the users in your organization have used Internet Explorer to access Internet sites that
download Trojan horses to their computers. Which of the following is the best measure you can take to
prevent the users from accessing these and other known hazardous sites?
Answer: b. Place the known hazardous sites in the restricted sites zone in Internet Explorer.
13. Your organization currently has a shortage of user consultants to train users about security for users of
Internet Explorer, Mozilla, and Netscape Navigator. Which of the following might help in this
situation?
Answer: a. Combine security training for Mozilla and Netscape Navigator, because they use
similar security features.
14. FTP can be used from _________________________. (Choose all that apply.)
Answer: a., b., and c.
15. Your company uses NFS for sharing files. The new Linux server administrator says that NFS is UNIXbased and is naturally safe without any configuration. Do you agree with this assessment?
Answer: c. The /etc/hosts.allow and /etc/hosts.deny files should be configured to enhance security.
16. Your organization uses Internet Explorer and has decided that the access to scripts should be disabled
for users when they access the Internet. How is this possible?
Answer: c. This can be configured in the Internet zone, by controlling the use of scripts.
17. What tool enables you to configure a remote access policy on a Windows 2000/2003 server?
Answer: c. Routing and Remote Access
18. From where do you configure the security settings in Netscape Navigator?
Answer: a. Click the Edit menu, click Preferences, and click Privacy & Security.
19. A colleague has set up a Samba server in Red Hat Linux, and has determined that anonymous users are
logging on. What security has he most likely configured?
Answer: d. security = share
20. The remote access protocol, PPP, can be used to encapsulate which of the following? (Choose all that
apply.)
Answer: a., c., and d.
2
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
Hands-On Projects Tips and Solutions for Chapter 9
Project 9-1
In this project, students find out how to use FTP services through an Internet browser.
In Step 4, students might list a few of the folders that they see, such as a2ps, acct, binutils, calc, gcc,
and so on.
Project 9-2
This project enables students to learn about the security parameters built into Internet Explorer.
In Step 2, students should report the Internet Explorer version level, such as 6.0.3790.0, and the Cipher
Strength, such as 128-bit.
In Step 7, the main categories at this writing include:
 .NET Framework-reliant components
 Active-X controls and plug-ins
 Downloads
 Miscellaneous
 Scripting
 User Authentication
Also in Step 7, to disable ActiveX controls and plug-ins students should report that they would click
the Disable option button for each subcategory under ActiveX controls and plug-ins. Also, to disable
downloading files, click the Disable option button for File Download under Downloads.
In Step 10 students should report that Use HTTP 1.1 should be checked under HTTP 1.1 settings. Also,
SSL versions 2.0 and 3.0 can be enabled. Further, the options for controlling FTP access are:
 Enable folder view of FTP sites
 Use Passive FTP (for firewall and DSL modem compatibility)
Project 9-3
In this project, students learn about the security options in Internet Explorer for Mac OS X.
In Step 3, students should notice the parameters that can be configured on the Security tab, such as
alerts.
In Step 4, students should report the following security zones:
 Local intranet zone
 Trusted sites zone
 Internet zone
 Restricted sites zone
In Step 7, the categories students should record are:
 ActiveX Controls and Plug-ins
 Downloads
 User Authorization
 Miscellaneous
 Scripting
3
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
Project 9-4
In this project, students install the Internet Explorer Enhanced Security Configuration.
In Step 11, students should find that the security level is set to High for the Internet zone.
In Step 13, students should determine that the Web sites entered by default are:
 hcp://system
 http;//localhost
 https://localhost
In Step 15, the default trusted sites include:
 http://*.windowsupdate.microsoft.com
 http://oca.microsoft.com
 http://windowsupdate.microsfot.com
 http://*windowsupdate.com
In Step 17, no sites are restricted by default.
Project 9-5
In this project, students learn where to set up the Privacy & Security options for Mozilla in Red Hat
Linux 9.x.
In Step 4, to stop cookies from being written, click Disable cookies.
In Step 7, the encryption options for SSL3/TLS include:
 RC4 encryption with a 128-bit key and an MDS MAC
 FIPS 140-1 compliant triple DES encryption with SHA-1 MAC
 Triple DES encryption with a 168-bit key and SHA-1 MAC
 FIPS 140-1 compliant DES encryption with SHA-1 MAC
 DES encryption with a 56-bit key and a SHA-1 MAC
 RC4 encryption with a 56-bit key and a SHA-1 MAC
 DES encryption with CBC mode and a 56-bit key and a SHA-1 MAC
 RC4 encryption with a 40-bit key and an MDS MAC
 RC2 encryption with a 40-bit key and an MDS MAC
 No encryption with an MDS MAC
In Step 12, the HTTP versions supported are:
 HTTP 1.0
 HTTP 1.1
Project 9-6
In this project, students view the Privacy & Security options in Netscape Navigator.
In Step 4, the categories should be the same, with the addition of Popup Windows Control.
In Step 8, students should note that the HTTP options are similar to those in Mozilla.
4
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
Project 9-7
This project enables students to configure dial-in security on an account that accesses a Windows
2000/2003 server remotely.
Project 9-8
In this project, students set up a remote access policy for a RAS server. They will need access to a
RAS server that is already installed, but that does not already have a remote access policy configured.
In Step 7, some examples of restrictions are:
 Authentication Type (Windows Server 2003 only)
 Called-Station-Id
 Calling-Station-Id
 Client-Friendly-Name
 Client-IP-Address
 Client-Vendor
 Day-And-Time Restrictions
 Framed Protocol
 MS-RAS Vendor (Windows Server 2003 only)
 NAS-identifier
 NAS-IP-Address
 NAS-Port-Type
 Service-Type
 Tunnel-Type
 Windows-Groups
In Step 12, the options selected by default are:
 MS-CHAP
 MS-CHAP v2
In Step 13, in Windows 2000, the EAP options include:
 MD5-Challenge
 Smart Card or other Certificate
Also in Step 13, in Windows Server 2003, Smart Card or certificate is selected by default.
In Step 19, to restrict the access:
1. Click the Restrict Dial-in media box (in Windows 2000 Server) or the Allow access only through
these media (NAS-Port-Type) box (in Windows Server 2003).
2. Select Cable.
3. Select Ethernet.
5
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
Solutions to the Case Project Assignments
Winnipeg Labs is a company that sets up chemistry and physics laboratories in North American high
schools and colleges for student use. This company has sales representatives and lab setup technicians that
are constantly traveling. To accommodate this business, the company wants to set up a Microsoft RAS
server so that the employees in the field can use telephone lines to dial into their home network. The sales
representatives will use the dial-up access to check prices and to show customers different configurations of
laboratory models. The lab setup technicians will use the dial-up access to check on stocked items and to
order and ship the appropriate laboratory equipment, furniture, and materials.
The company views the ability to have remote access as an important sales strategy to increase the
customer base and to enable the company to more quickly design and set up new laboratories. They hire
you through Aspen IT Services to help them configure security for a Windows 2003 Microsoft Remote
Access server. Also, the company has several issues regarding Internet security that they ask you to help
resolve.
Case Project 9-1: Remote Access Protocols
The IT manager for Winnipeg Labs wants to learn more about remote access protocols. He asks you to
prepare a report that discusses these protocols.
Answer:
Important remote access protocols include the following:
 Serial Line Internet Protocol (SLIP): Originally designed for UNIX environments to provide
point-to-point communications encapsulating TCP/IP. This is an older remote communications
protocol with relatively high overhead.
 Compressed Serial Line Internet Protocol (CSLIP): Often now referred to as SLIP, a newer
version of SLIP that compresses header information in each packet sent across a remote link.
 Point-to-Point Protocol (PPP): Used more commonly than SLIP/CSLIP for remote
communications, offering relatively low overhead and the ability to encapsulate IPX/SPX,
NetBEUI, and TCP/IP. It negotiates communications with several network communications layers
at once, and it supports connection authentication.
 Point-to-Point Tunneling Protocol (PPTP): A remote communications protocol that enables
connectivity to a network through the Internet and connectivity through intranets and VPNs,
creating a private tunnel for communications.
 Layer Two Tunneling Protocol (L2TP): A protocol that transports PPP over a VPN, an intranet, or
the Internet, that works similarly to PPTP, but that uses an additional network communications
standard, called Layer Two Forwarding, which enables forwarding on the basis of MAC
addressing.
6
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
Case Project 9-2: RAS Authentication and Encryption
A server administrator has already installed RAS. Now she needs to know what authentication and
encryption options exist. Prepare a paper that discusses these options in Microsoft RAS.
Answer:
Students might use Tables 9-3 and 9-4 as the basis for their descriptions of Microsoft RAS.
Table 9-3 Authentication Types
Authentication Protocol
Challenge Handshake Authentication Protocol
(CHAP)
Description
CHAP requires encrypted authentication between
the server and the client, but uses a generic form of
password encryption, which enables UNIX
computers and other non-Microsoft operating
systems to connect to a RAS server.
EAP is used for clients who access RAS through
special devices such as smart cards, token cards,
and others that use certificate authentication. If you
click this option, then Certificate Services should be
installed so that you can configure them for a
particular device or certificate type. The Certificate
Services component is installed as a Windows
component by using the Control Panel Add or
Remove Programs tool.
MS-CHAP v1 and MS-CHAP v2 are set as the
defaults when you install a RAS server, which
means that clients must use MS-CHAP with PPP.
MS-CHAP is a version of CHAP that uses a
challenge-and-response form of authentication
along with encryption. Windows 95, 98, NT, 2000,
XP, and Server 2003 support MS-CHAP v1.
Developed especially for VPNs, MS-CHAP v2
provides better authentication than MS-CHAP v1,
because it requires the server and the client to
authenticate mutually. It also provides more
sophisticated encryption by using a different
encryption key for receiving than for sending.
Windows 2000, Windows XP, and Windows Server
2003 clients support MS-CHAP v2 and clients such
as Windows 95 and Windows 98 can be updated to
support this protocol. VPNs attempt to use MSCHAP v2 with a client and then use MS-CHAP v1
if the client does not support version 2.
PAP can perform authentication, but does not
require it, which means that operating systems
without password encryption capabilities, such as
MS-DOS, are able to connect to RAS.
SPAP provides PAP services for remote access
clients, network equipment, and network
management software manufactured by the Shiva
Corporation which is owned by Intel Network
Systems, Inc.
This option is not recommended, because it means
that no authentication takes place.
Extensible Authentication Protocol (EAP)
MS-CHAP v1 (also called CHAP with Microsoft
extensions)
MS-CHAP v2 (also called CHAP with Microsoft
extensions version 2)
Password Authentication Protocol (PAP)
Shiva’s Password Authentication Protocol (SPAP)
Unauthenticated
7
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
Table 9-4 RAS Encryption Options
Encryption option
Basic encryption (MPPE 40 bit)
Description
Enables clients using 40-bit encryption key MPPE
(Microsoft Point-to-Point Encryption, see Chapter
3); or clients can use 56-bit IPSec or DES
encryption (also see Chapter 3)
Enables clients to connect and not employ data
encryption
Enables clients using 56-bit encryption key MPPE,
56-bit IPSec encryption, or DES
Enables clients using 56-bit IPSec, Triple DES, or
MPPE 128-bit encryption
No encryption
Strong encryption (MPPE 56-bit)
Strongest (MPPE 128-bit)
For additional research, students might refer to Chapter 3 to review information about IPSec, DES, and
MPPE.
Case Project 9-3: Configuring Authentication and Encryption
As you are preparing the paper for Case Project 9-3, the server administrator asks you to supplement the
information in your paper by outlining how to set up authentication and encryption. Prepare an outline of
the steps in this process.
Answer:
The steps for configuring authentication and encryption (in this case for a single RAS server) are as
follows:
1. Click Start, point to All Programs, point to Administrative Tools, and click Routing and Remote
Access.
2. In the tree under the RAS server, double-click Remote Access Policies.
3. In Windows Server 2003, double-click Connections to Microsoft Routing and Remote Access
server.
4. Click Grant remote access permission, if it is not already selected.
5. Click the Edit Profile button.
6. Click the Authentication tab.
7. Configure the desired authentication, such as EAP (and the appropriate method) and the
appropriate versions of MS-CHAP (v1 and v2).
8. Make sure that Allow clients to connect without negotiating an authentication method is not
checked.
9. Click the Encryption tab.
10. Make sure that all forms of encryption are selected, except No encryption.
11. Click OK and click OK again.
12. Close the Routing and Remote Access window.
8
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
Case Project 9-4: Additional RAS Security Questions
After the server administrator configures RAS, she realizes there are a few more issues on which she needs
training:
 How to prevent users from accessing the RAS server every Monday between 2 a.m. and 6 a.m.,
which is the system time that she uses for maintaining this and other servers on the network
 How to set up RAS so that only users of dial-up lines can access it
 How to force off users who have been idle for over four minutes
Prepare a training document that addresses these questions.
Answer:
All of the security measures are configured as part of a profile in the remote access policy. To configure
these:
1. Open the Routing and Remote Access tool from the Administrative Tools menu.
2. Select Remote Access Policies in the tree under the RAS server.
3. Double-click Connections to Microsoft Routing and Remote Access server.
4. Click the Add button.
5. Double-click Day-And-Time Restrictions.
6. Use the pointer and drag it to block Monday from 2 a.m. to 6 a.m. Click the Denied option button.
Click OK.
7. Click the Edit Profile button.
8. Display the Dial-in Constraints tab.
9. Click Minutes server can be idle before it is disconnected [Idle-Timeout] and enter 4.
10. Click Allow access only through these media (NAS-Port-Type).
11. Click Async Modem.
12. Click OK.
13. Click OK again.
14. Close the Routing and Remote Access tool.
9
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems
0-619-16040-3
Case Project 9-5: Configuring Web Browser Security
While you are working with the server administrator, the IT manager contacts you with a question about
configuring Mozilla and Netscape Navigator. The company has not yet urged users to configure security on
their Web browsers, but today one user has inadvertently downloaded a Trojan horse from a Web site. The
IT manager asks for your recommendations about how to configure Mozilla and Netscape Navigator to
implement security on these Web browsers.
Answer:
In their responses, students should discuss the Privacy & Security options that can be configured in Mozilla
and Netscape Navigator. They might present this in terms of having the company form a Web security
committee. As a consultant, the student could present the Privacy & Security options to the committee and
recommend such things as configuring to use the highest levels of HTTP and SSL. They might recommend
restricting certain forms of downloaded information, such as cookies and images, and they might suggest
certificate management. Table 9-2 from the text is replicated below to show the general options that can be
configured.
Table 9-2 Mozilla security categories
Security/Privacy Category
Cookies
Images
Forms
Passwords
Master Passwords
SSL
Certificates
Validation
Options
Enables or disables writing cookies, provides a warning
message before writing a cookie, sets an expiration time for
cookies (cookies are informational files that Web servers
store on client computers)
Controls whether images can be written to disk and controls
the use of animation in images
Enables the retention of information about the user so that it
does not have to entered repeatedly on forms
Allows the browser to remember passwords that have been
used previously to access Web sites and to encrypt the
password information where it is stored on the local disk
Controls the use of a master password when you configure
specific Mozilla functions and protects web passwords and
certificates
Enables the SSL version level to be configured, configures
Transport Layer Security (TLS; used to prevent a third-party
from eavesdropping), and enables the use of security
warning messages
Used to manage client certificate selection, the use of
specific certificates, and security mechanisms like smart
cards
Manages the revocation of certificates and enables or
disables the use of Online Certificate Status Protocol
(OCSP)
10
© 2004 Course Technology and Michael Palmer. All rights reserved.