MTA 98-367 Understanding Security Policies
dictionary attack
A type of password attack that automates password guessing by comparing encrypted passwords against a predetermined list of possible password values.
guessing attack
A type of password attack that involves and individual making repeated attempts to guess a password by entering different common password values, such as the user's name, a spouse's name, or a significant date.
The number of incorrect logon attempts permitted before a system will lock an account is known as the..
Account Lockout Threshold
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.
man-in-the-middle attack
A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.
brute force attack
A password-cracking program that tries every possible combination of permitted character types in an attempt to determine user's password
Group Policy Object (GPO)
A set of rules that allow an administrator granular control over the configuration of objects in Active Directory (AD), including user accounts, operating systems, applications, and other AD objects.
Spoofing Attack
A situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
Sniffers
A specially designed software (and in some cases hardware) applications that capture network packets (unencrypted) as they traverse a network, displaying them for the attacker.
In a Windows Server 2008 Active Directory, the ____________________ automatically applies in the event you have not set a fine-grained password policy
Default Domain Policy
Minimum password age
Defines how long users must wait before changing their password again.
password reset disk
Special type of floppy disk with which users can recover a lost password without losing access to any encrypted, or password-protected, data.
Account Lockout Threshold
Specifies the number of invalid logon attempts that will trigger an account lockout. This can be set from 0 to 999 attempts.
Reset account lockout counter after
Specifies the period of time that must pass after an invalid logon attempt before the lockout counter resets to zero.
Passwords
The most common security tools used to restrict access to computer systems. Consist of private phrases or words that give a particular user a unique access to a particular program or network. It has been recognized as one of the weak links in many security pograms
What limits how fast a password for an encrypted file is cracked?
The speed of your computer, particularly your processor and the complexity of the password. The more complex the password the longer it will take to crack. Passwords that are stored in an encrypted state are harder to crack than passwords stored in clear text or hashed.
True of False. You can enforce a password policy through group policy
True. Group Policy includes password settings in the security settings
What might happen if you require passwords to be too long?
Users will try to circumvent the password. Also users will most likely start to write them down on a paper which defeats the purpose of security.
Password History
Prevents users from using previously used passwords.
The ___________________________ needs to be less than or equal to the Account Lockout Duration.
Reset Account Lockout counter after
Password Settings Object (PSO)
New object type in Windows Server 2008 that enables the use of Fine-Grained Password Policies. Also known as msDS-PasswordSettings.
The type of attack that uses an extensive list of potential passwords is known as a(n) ______________
dictionary attack
Which of the following should users do when dealing with passwords? a. Use names of children and pets. b. Allow other users to see you type in your password. c. Write down your password on a piece of paper and keep it near your computer. d. Share your password to your co-workers e. None of these answer
e. None of these answer
Cracking encryption
When you attempt to decode a secret message without knowing all the specifics of the cipher, you are trying to "crack" the encryption.
What steps can you do to prevent someone from hacking your password?
a. Create a strong password that is at least 3 characters in length with at least 3 of the following combinations: Upper case letter, lower case letters, numbers and alphanumeric characters. b. Keep in mind importance of password length, complexity and randomness c. Consider the balance of password usability and security when creating one. d. Do not share your passwords e. Change your password frequently and when you are in doubt that it may have been compromised. f. Inspect your environment for physical breach such as keyloggers.
What are the two new features introduced in Windows Server 2008 that permit the use of fine-grained password policies? (Choose all that apply.) a. Password Settings Object b. Password Policy c. Password Settings Container d. Global Policy Object
a. Password Settings Object c. Password Settings Container
Which of the following would be an acceptable password on a Windows 7 Professional system with Password Complexity enabled and Minimum Password Length set to eight? (Choose all that apply.) a. Summer2010 b. $$Thx17 c. St@rTr3k d. ^^RGood4U e. Password
a. Summer2010 c. St@rTr3k d. ^^RGood4U
What type of attack tries to guess passwords by every combination of characters? a. brute-force attack b. smurf attack c. man-in-the-middle attack d. dictionary attack
a. brute-force attack
What type of software can you use to view usernames and passwords broadcasted over the network? a. sniffer b. dictionary software c. keylogger d. password leaker
a. sniffer
Local Security Policy
access controls applied to all accounts of a given windows computer
What is used to prevent someone from guessing a password multiple times?
account lockout settings
A __________ account is one type of account you can configure so that the password does not expire
service
When you use special software to read data as it is broadcast on a network, you are _______ the network.
sniffing
password crack attack
in this attack attackers get access to an encrypted password file from a workstation or server. Once they have access to the file, attackers start running password cracking tools against it
The strength of a password can be determine by looking at the password's:
length, complexity and randomness
physical attack
on a computer can completely bypass almost all security mechanisms such as: by capturing passwords and other critical data directly from keyboard when a software when a software or hardware keylogger is used
The setting that determines the number of unique passwords that must be used before a password can be re-used is the _____________.
password history
If a user forgets a password , they can reset the password with a _____ ____as long they created it before forgetting their password
password reset disk
Account lockout duration
password security setting that determines the length of time a lockout will remain in place before another logon attempt can be made. If set to zero an administrator has to manually unlock the account. Range from 0-99,999.
Strong passwords
passwords that use several types of keyboard characters with at least 3 of the following: a. upper case b. lower case c. numeric characters d. non alphanumeric characters
Account Lockout Policy
refers to the number of incorrect logon attempts permitted before a system will lock out an account
What setting forces users to change their password? a. password history b. account lockout c. maximum password age d. minimum password age
c. maximum password age
What prevents users from changing a password multiple times so that they can change it to their original password? a. account lockout b. maximum password age c. minimum password age d. password history
c. minimum password age
Anytime you use a password, you should make it ___________. a. simple b. migrating c. strong d. constantly changing
c. strong
What is the generally accepted minimum password length? a. 8 b. 6 c. 4 d. 12
a. 8
The three configuration settings for account lockout are
a. Account lockout duration b. Account lockout threshold c, Reset account lockout counter after
The highest setting that Account Lockout Duration can use is?
99,999
Service Account
Is an account that a service on your computer uses to run under and access resources. This should not be a user's personal account. Can also be an account that is used for a scheduled task (e.g., batch job account) or an account that is used in a script that is run outside of a specific user's context. (Ref GIAC White Paper)
Which of the following are common types of password attacks? (Choose Two answers) a. Brute force b. Smurf c. Man in the middle d. Spoofing d. Cracking
a. Brute force d. Cracking
What settings are used to keep track of incorrect logon attempts and lock the account if too many attempts are detected within a certain set time? a. password policy b. authentication tracker c. account lockout d. user parameters
c. account lockout
What is the maximum setting for Minimum Password Age? a. 999 b. 998 c. 256 d. 14
b. 998
You are the head of the corporate security department, and the Microsoft team has asked you for some assistance in setting the password controls on their new stand-alone server. Which Administrative Tool should you use to configure these settings? a. Computer Management b. Local Security Policy c. Security Service d. Active Directory Users and Computers
b. Local Security Policy
Why would you use a minimum password age? a. To stop someone from trying over and over to guess a password b. To make sure a user does not reset a password multiple times until he or she can reuse his or her original password c. To automatically reset a password d. To ensure that someone does not guess a password
b. To make sure a user does not reset a password multiple times until he or she can reuse his or her original password
What do you call a password that is at least seven characters long and uses three of the following categories (uppercase, lowercase, numbers, and special characters)? a. healthy password b. complex password c. standard password d. migrating password
b. complex password
What do you use to define how long a password is in Windows? a. registry b. group policies c. Users applet in the Control Panel d. NTFS files
b. group policies
What malicious software captures every keystroke and sends it to a hacker? a. dictionary software b. keylogger c. password leaker d. sniffer
b. keylogger
You are setting up your first secure Windows 7 Professional workstation and you are setting the password history. What are the minimum and maximum settings you can use? (Choose the best answer.) a. 1, 24 b. 0, 998 c. 0, 24 d. 1, 14 e. 0, 14
c. 0, 24
Which of the following are not valid password controls? (Choose all that apply.) a. Password History b. Maximum Password Age c. Account Lockout Threshold d. Maximum Password Length e. Minimum Password Age
c. Account Lockout Threshold d. Maximum Password Length
Which of the following is/are not a complex password(s) for Mr. Taylor? a. Platter*SAN b. ThereisTimetoLive&Die c. John!Taylor d. Password01
c. John!Taylor d. Password01
Maximum password age
controls the maximum period of time that can elapse before a users are forced to change password
As the Chief Security Officer for a small medical records processing company, you suspect that a competitor will be attacking your network soon. Having worked in the business for a while, you're pretty sure that this competitor will try to run a dictionary attack against one of your Windows application servers. You want to be sure your competitor can't get into the server using this attack method. Which setting should you adjust in order to ensure this attack has a limited chance at success? (Choose the best answer.) a. Password History b. Maximum Password Age c. Minimum Password Length d. Account Lockout Threshold
d. Account Lockout Threshold
One form of brute force password attack uses an extensive list of predefined passwords. What is this form of brute force attack called? (Choose the best answer.) a. Cracking attack b. Bible attack c. Guessing attack d. Dictionary attack
d. Dictionary attack
What type of attack tries to guess passwords by trying common words? a. man-in-the-middle attack b. smurf attack c. brute-force attack d. dictionary attack
d. dictionary attack
What is the most common form of authentication? a. smart cards b. PIN c. digital certificates d. password
d. password
What setting is used to prevent users from reusing the same password over and over? a. account lockout b. minimum password age c. maximum password age d. password history
d. password history
What are the only passwords that should not expire? a. administrator accounts b. power users c. standard user d. service accounts
d. service accounts