Guide to Operating Systems Security
0-619-16040-3
Guide to Operating Systems Security
Chapter 3 Solutions
Answers to the Chapter 3 Review Questions
1.
IPSec can be used with which of the following types of encryption keys? (Choose all that apply.)
Answer: a. and c.
2.
Which of the following authentication methods is particularly suited to UNIX and Linux systems
because it can be used with piping?
Answer: a. SSH
3.
Your organization is planning to set up Windows XP Professional computer systems that have the
ability to use smart cards. In preparation, you should configure _____________________ to be used
with the smart cards.
Answer: b. Extensible Authentication Protocol
4.
Your organization is installing a Windows Server 2003 NNTP server. Which of the following should
you configure on the server for security?
Answer: d. SSL
5.
Advanced Encryption Standard uses which of the following? (Choose all that apply.)
Answer: a. and b.
6.
The formula (key x 20) / (data/key) is an example of a(n) _______________________.
Answer: c. encryption algorithm
7.
A sniffer ________________________________. (Choose all that apply.)
Answer: a. and d.
8.
For greater security, your company has decided to store Red Hat Linux 9.x password data in a location
other than the /etc/passwd and /etc/shadow files. What should you obtain to accomplish this?
Answer: d. a pluggable authentication module for this purpose
9.
Which of the following would you expect to find in an X.509-compliant digital certificate? (Choose all
that apply.)
Answer: d. serial number for the certificate
10. You network houses many old Windows 98 systems because some users have refused to upgrade, but
they are running the Directory Service Client. Which of the following should be configured as the
authentication for these systems to provide the best security?
Answer: d. NTLM v2
11. You are setting up to use digital certificates on a network that uses Windows 2000 and 2003 servers. In
the process of setting up to use digital certificates, you need to designate a
___________________________.
Answer: c. a server acting as a certificate authority
12. You have configured a Windows 2003 server to use Kerberos. Many users are complaining that after
three hours of continuous access to the server, they lose access and must log on again to resume
working. How can you best fix this problem?
Answer: b. Reconfigure Kerberos so maximum lifetime for a user ticket is eight hours or more.
1
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems Security
0-619-16040-3
13. Which of the following would you expect to come with an LCD?
Answer: a. security token
14. ________________________________ is an authenticating server for EAP.
Answer: c. RADIUS
15. Your company uses Red Hat Linux 9.x servers and workstations. There is a need to encrypt specific
top secret directories of files to protect their contents. Which of the following should you use
Answer: a. Cryptographic File System
16. When an attacker creates a customized script to try every character to find the password to an
administrator’s account, this is an example of a ______________________ attack.
Answer: c. brute force
17. Which of the following is (are) true of challenge/response authentication? (Choose all that apply.)
Answer: a., b., c., and d.
18. One advantage of SSL is that it ______________________________.
Answer: a. is service-independent
19. A secure way to remotely access Red Hat Linux 9.x workstations and servers is by using the
_________ command.
Answer: c. ssh
20. IPv6 uses __________________________ for secure communications.
Answer: b. extension headers
21. ______________________ tend to be more secure.
Answer: b. Longer encryption keys
22. In Windows Server 2003, the Client role in IPSec communications ______________________.
Answer: d. causes the server to use IPSec if the contacting client is already using it on first contact
23. ____________________ is a program that attackers use to access password information on a NetWare
server
Answer: b. Pandora
24. How might an attacker decrypt data protected by the Encrypting File System?
Answer: c. through the registered recovery agent
25. Microsoft Point-to-Point Encryption is used with ____________________________. (Choose all that
apply.)
Answer: a. and d.
2
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems Security
0-619-16040-3
Hands-On Projects Tips and Solutions for Chapter 3
Project 3-1
In this project, students use the Red Hat Linux Terminal window to view the /etc/shadow file, which
contains account information, including encrypted passwords.
In Step 4, students should record their encrypted passwords, which will consist of a number of
unintelligible upper and lower case letters, numbers, and other characters.
Project 3-2
In this project, students associate an AES-encrypted password with a Mac OS X disk image.
In Step 10, students should observe that the new volume is placed in the desktop and as icon under
Macintosh HD.
Project 3-3
This project is designed to enable students to view the remote access policy encryption options in
Windows 2000 Server or Windows Server 2003. You will need to install RAS and configure a remote
access policy before students begin.
In Step 6, the encryption options in Windows Server 2003 are:
 Basic encryption (MPPE 40-bit)
 Strong encryption (MPPE 56-bit)
 Strongest encryption (MPPE 128-bit)
 No encryption
In Windows 2000 Server, the options are listed as:
 No Encryption
 Basic
 Strong
Students should also record which of the options are selected.
Project 3-4
This project has students create a file, encrypt it in the file’s properties, and then use the cipher
command to see a listing of encrypted and unencrypted files.
In Step 11, students should see an E in front of the folder they encrypted. Files and folders that are not
encrypted have a U in front.
Project 3-5
This project is included so that students can see from where to install certificate services in Windows
2000 Server and Windows Server 2003.
In Step 3, the options to install are:
 Certificate Services CA
 Certificate Services Web Enrollment Support
3
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems Security
0-619-16040-3
Project 3-6
This project gives students the opportunity to view the certificate authorities configured in Mac OS X
using Internet Explorer.
In Step 5, students will note that there is a long list of certificate authorities already configured. To
deselect a certificate authority, students should report that they would remove the checkmark to the left
of the authority.
Project 3-7
In this project, students learn how to configure a Kerberos policy in Windows 2000 Server and
Windows Server 2003.
In Step 2, students should report the following policy options:
 Enforce user logon restrictions
 Maximum lifetime for service ticket
 Maximum lifetime for user ticket
 Maximum lifetime for user ticket renewal
 Maximum tolerance for computer clock synchronization
Project 3-8
.
This project enables students to configure the SSL options in the Mozilla Web browser in Red Hat
Linux 9.x.
In Step 4, students should report the following SSL protocol version options:
 SSL version 2
 SSL version 3
 TLS
Project 3-9
In this project students learn about the ssh command in Red Hat Linux 9.x or in Mac OS X. If you
have a computer to which they can connect, provide students with an account to use for the connection,
so they can test the ssh command.
In Step 3, students should report there are three authentication methods described. Also, they should
note that the ssh command uses RSA for encryption.
Project 3-10
This project enables students to learn how to configure IPSec in Windows 2000 Server and Windows
Server 2003.
In Step 13, the Filter Action selected is Request Security (Optional). On the Connection Type tab, the
connection types are All network connections, Local area network (LAN), and Remote access. Also,
use the Tunnel Setting tab to configure tunneling. The authentication method is Kerberos.
4
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems Security
0-619-16040-3
Solutions to the Case Project Assignments
Allied Research develops new fuels for jet and rocket engines. The company works in a campus-like
environment that consists of five buildings in close proximity. Three of the buildings are dedicated to
research and house 42, 41, and 52, research scientists and their staffs. The scientists and their research
assistants use Red Hat Linux 9.0 workstations and the other support staff in this building use Windows XP
Professional workstations. One building on the campus is used for manufacturing research devices and for
conducting tests. The 65 employees in this building use a combination of Mac OS X for graphics work,
Red Hat Linux 9.0 for technology and science applications, and Windows XP Professional for office
applications and keeping some small research databases. The fifth building contains the administrative unit,
IT facilities, and conference offices. This building houses 61 people who primarily use Windows XP
Professional and Mac OS X. The IT facilities in the building house all of the company’s servers in a secure
machine room. There are 14 Windows 2000 servers, two Windows 2003 servers, nine NetWare 6.5 servers,
and four Red Hat Linux servers. The servers are maintained by a staff of IT professionals. All of the
buildings are fully networked into one enterprise network that encompasses the entire campus. The
company has hired you, through Aspen IT Services to consult on security issues.
Case Project 3-1: Securing File Systems
The research scientists and their support staff want to secure specific directories and folders on their Red
Hat Linux 9.0 and Windows XP Professional workstations. They want you to create a short briefing that
explains options available for these systems, including your observations about their strengths and
weaknesses.
Answer:
In Red Hat Linux 9.0, the research scientists and their support staff can use the Cryptographic File System
(CFS). CFS can encrypt an entire file system or only specified directories within a file system. Strengths of
CFS include:
 It can use many types of encryption, including 3DES, which is stronger than DES.
 It is compatible with UNIX/Linux files systems, such as ext2 and ext3, used by Red Hat Linux
operating systems.
 It can be used with NFS.
 It is open source.
The open source quality might also be a weakness, if the open source authors do not issue patches and
upgrades on a regular basis due to other commitments, or if users significantly modify the open source
code, making it hard to maintain later on.
In Windows XP Professional, they can use the Encrypting File System (EFS). Strengths of EFS are:
 It is available in Windows 2000, Windows XP Professional, and Windows Server 2003.
 It is easy for users to implement via setting an advanced folder or file attribute.
 More complex management can be handled through the cipher command.
 It supports a registered recovery agent, in case something happens to the original user account that
encrypted the folders and files.
Its weaknesses include:
 It uses DES which is not as secure as other encryption methods.
 The registered recovery agent capability could be compromised, if an attacker succeeds in
accessing an account that has Administrator privileges.
5
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems Security
0-619-16040-3
Case Project 3-2: Using the Cipher Command
As you are developing the briefing about securing directories and folders, one of the senior scientists calls
to say she has heard about the cipher command. Include a section in your briefing that describes the cipher
command and its options.
Answer:
The cipher command is used through the Command Prompt window in Windows 2000, Windows XP
Professional, and Windows Server 2003. The cipher command includes many switches that can be used to
encrypt, decrypt, and manage file and folder encryption. This command can be useful, for example, in
obtaining a quick display of which folders and files are encrypted.
Table 3-1 from the text is reproduced below to provide a quick reference to the commands.
Parameter
/?
/e
/d
/s
/a
/i
/f
/q
/h
/k
/n
/u
/r
/w
/x
Description
Lists the cipher commands
Encrypts the specified folder so any files added to the folder are
encrypted
Decrypts the contents of the specified folder and sets the folder so that
any files added to the folder are not encrypted
Used with other cipher options so that they are applied to the contents of
the current folder and the contents of subfolders under it
Executes the specified operation on all files and directories
Proceeds with the encryption, ignoring reported errors
Forces the encryption operation on all folders and files (ignores folders
and files currently encrypted)
Generates a short-version encryption report
Enables you to view which folders and files use the hidden or system
attributes
The account employing cipher is provided a new encryption key,
meaning that previous keys associated with other accounts are no longer
valid—use with extreme caution
Use with the /u option so that encryption keys are not modified, but so
that you can view the currently encrypted folders and files
Updates the cipher user’s encryption key
Used to invoke a recovery agent key so that the server administrator can
set up a recovery policy
Purges data from disk space that is flagged as unused (but which still
contains data that could be recovered)
Copies encryption key and certificate data to a file the is encrypted for
use by the cipher user
6
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems Security
0-619-16040-3
Case Project 3-3: Using an Alternative to Telnet
The Red Hat Linux 9.0 and Mac OS X users often use Telnet to access information on one another’s
computers. They want you to assess this practice in terms of security and to suggest one or more
alternatives for more secure communications.
Answer:
Telnet is not inherently secure, other than using a user account name and password for authentication.
Consider giving students extra credit, if they research and learn that some operating systems can have the
Telnet service enabled without the requirement to use a password or without a configured password.
Secure Shell (SSH) can be implemented particularly in UNIX/Linux, including Mac OS X to provide
enhanced authentication. SSH uses RSA and digital certificates to authenticate at log on. After the log on
authentication, 3DES is used to encrypt communications.
Telnet with SSH is implemented in UNIX/Linux systems, including Red Hat Linux 9.0 and Mac OS X as
the ssh command available through a Terminal window. The Allied Research users should employ SSH in
their communications by using the ssh command instead of the telnet command for remote access
communications.
Case Project 3-4: NTLM Analysis
Your analysis of the company shows that the Windows 2000 Server and Windows Server 2003 systems are
set up to use NTLM for security. Create a briefing for the IT management that:
 Describes the strengths and weaknesses of using NTLM
 Presents an alternative to NTLM
 Generally describes how to set up the alternative to NTLM
Answer:
Allied Research probably used NTLM in the past to support security on older Windows operating systems,
such as Windows 98 or earlier. NTLM employs a challenge/response form of authentication, which is a
relative strength. Another strength is that NTLM is backwardly compatible with Windows operating
systems prior to Windows 2000. However, NTLM does not provide the security strengths of Kerberos,
which is also supported by the Windows 2000 Server, Windows XP Professional, and Windows Server
2003 systems.
Kerberos is a good alternative to NTLM and should be configured to be used on the network for the
Windows-based clients and servers. Kerberos works by using a service ticket and key distribution center.
The general steps for setting up Kerberos are:
1. In Windows 2000 Server, point to Programs, point to Administrative Tools, and click Domain
Controller Security Policy. In Windows Server 2003, click Start, point to All Programs, point to
Administrative Tools, and click Domain Security Policy.
2. In Windows 2000 Server, open in the tree Windows Settings, Security Settings, and Account
Policies. Or in Windows Server 2003 open the following in the tree: Computer Configuration,
Windows Settings, Security Settings, and Account Policies. Click Kerberos Policy under Account
Policies.
3. Double-click the desired options in the right pane to configure any of:
 Enforce user logon restriction
 Maximum lifetime for a service ticket
 Maximum lifetime for a user ticket
 Maximum lifetime for user ticket renewal
 Maximum tolerance for computer clock synchronization
7
© 2004 Course Technology and Michael Palmer. All rights reserved.
Guide to Operating Systems Security
0-619-16040-3
Case Project 3-4: NTLM Analysis (Cont.)
4.
After the parameters are configured, close the Domain Controller Security Policy window in
Windows 2000 Server or the Default Domain Security Settings window in Windows Server 2003.
Case Project 3-5: Encryption and Authentication Attacks
Allied Research is very concerned about the possibility that their information might be compromised by
attackers. The vice president for research asks you to prepare a document for the Allied Research security
management team that:
 Describes ways in which their systems might be attacked
 Discusses modern encryption and authentication methods you recommend
 Discusses general steps to harden their systems against attack
Answer:
In discussing ways in which systems can be attacked, students should mention factors such as:
 Using sniffer software to capture network traffic, such as for obtaining account names and
passwords
 Using brute force attacks, such as through customized scripts, to try to determine passwords to
accounts
 Breaking into password files and trying to decrypt passwords and digital signatures associated
with accounts
 Simple password guessing
 Attacking weak keys in encryption techniques, such as shorter keys
 Using programs to attempt to break encryption algorithms
Examples of modern encryption and authentication methods that students might recommend are: AES,
SSL, SSH, Kerberos, and IPSec. Students can recommend others, and should provide a short justification
for each.
In terms of general steps to harden systems in relation to encryption and authentication, students might start
with the suggestions in the text and also provide their own suggestions or ones that have been discussed in
class. The suggestions in the text are:
 Ensure that all user accounts have hard-to-guess strong passwords—particularly accounts that
have administrator privileges.
 Use the strongest forms of encryption and authentication permitted by the operating systems in use
on your network, such as using AES or 3DES instead of DES.
 When possible, select to use the longest encryption keys, such as 64-bit or 128-bit keys instead of
56-bit keys.
 Frequently inventory the encryption and authentication methods used by operating systems and
close any holes.
 Have network and server administrators avoid directly using administrative accounts, but instead
use personal accounts that have administrative privileges. Also, when working at another person’s
computer, administrators should use command-line options to access administrative accounts,
such as the runas command in Windows 2000/XP/2003 or the su command in UNIX/Linux.
8
© 2004 Course Technology and Michael Palmer. All rights reserved.