CNIT 242 Final Exam Review
What is authentication?
"Do you have the credentials necessary to access this system?"
What is accounting?
"Once authorized to access a resource, how much of the resource are you using?"
What is the password security tradeoff?
"The more strict the password rules, the higher the chances users will violate the first rule of secure passwords."
What is authorization?
"What do you have permission to do once authenticated?"
What is the X.500 directory standard?
- "father of all directories" - introduced concept of a tree, leaf attributes, DN and RDN - multiple protocols/definitions exist - DSA: directory system agent - DUA: directory user agent - DAP: directory access protocol - DSP: directory system protocol - really a family of standards
What is encryption?
- "scrambling" or altering data so that it is not natively readable - good idea for removable media - available in all operating systems (natively, 3rd party)
What is the A DNS resource record?
- #1 - returns 32-bit IPv4 address, used for name resolution
What is the PTR DNS resource record?
- #12 - pointer to a CNAME, used for reverse lookups
What is the MX DNS resource record?
- #15 - maps a domain name to a list of mail exchange servers for that domain
What is the NS DNS resource record?
- #2 - used to delegate a DNS zone to use a given authoritative name server(s)
What is the AAAA DNS resource record?
- #28 - returns 128-bit IPv6 address, used for name resolution
What is the CNAME DNS resource record?
- #5 - used to create aliases within DNS, allowing multiple web servers to exist at the same IP address
What are lower level domains?
- 1st level subdomains are delegated to owners by registrars, accredited by ICANN (ie. purdue.edu) - 2nd level subdomains can be created at will by the own (ie. tech.purdue.edu
Describe AD and DNS
- AD relies on DNS for name resolution - SRV: service record, maps a particular service to one or more hostnames - AD DCs use SRV records - DNS names are used for AD domain names - DNS used to keep track of all resources in domain - DNS used to find a DC to authenticate against (DC locator service uses SRV to find closet DCs)
Describe the DNS process
- DNS resolver checks internally first (DNS cache and hosts file) - then sends a query to local DNS server - local DNS server attempts to resolve itself and if unable, makes a series of iterative queries to locate and query the AUTHORITATIVE name server for the target domain
What is a directory?
- a hierarchical information repository available to most network operating systems
What is an account lockout?
- after x failed login attempts, account is frozen - account can be frozen temporarily or until it is reset by administrator
What are some worm protection methods?
- all virus protection methods apply - know what ports are open - run only necessary network services - keep OS/applications updated
What is a centralized backup?
- allows you to backup data from multiple servers and workstations using a single backup server - safe - bandwidth and time - must use agent software on backup target machines
What are some spyware protection methods?
- anti-spyware software - run two or more; none are perfect - watch what software you download - read EULA
What is malware?
- any malevolent software that has a sinister purpose - infectious: worms, viruses - concealment: trojans, backdoors, rootkits - for profit: spyware, botnets - advertising: spam, adware
What are leaf object attributes in a directory?
- attributes that describe a leaf object - defined in directory schema - ie. printer attributes (make/model, duplex, etc)
What is a full backup?
- back up all files every time - disregards archive bit setting - ensures you have everything backed up - time consuming - takes a LOT of media - level 0 backup
What is a differential backup?
- backs up files that have been changed or added since last FULL backup - uses more media than an incremental backup - easier to restore than incremental (only latest media set required) - level 1
What is an incremental backup?
- backs up files that have changed or been added since last backup of any kind - uses the least media - most difficult to restore from (requires restore from full backup and all subsequent incremental backups) - level 2
What are resource records?
- basic data element in DNS and are used for all DNS queries
What is the AD schema?
- blueprint for what attributes the AD can store - each object is an instance of a class defined in the schema - attributes are defined in the class and available for each instance of the class - includes default schema that contains most common definitions - ADSIedit tool to edit attributes
How does Diameter implement accounting?
- built into the base protocol
What are the 4 typical layers in directory naming?
- c: country - o: organization - ou: organizational uni - cn: common name
What is a site?
- collection of well-connected AD subnets - used to group subnets together - helps to determine closest resources to a given client
What is adware?
- collects data to drive targeted advertising - often accepted in an end-user license - monitors a person's activities and reports back to a remote server - often take form of BROWSER COOKIES - can damage other software
What is a browse master?
- collects the information from the broadcasting stations and answers these queries - this is how network neighborhood gets populated
What is non-repudiation?
- concept related to data integrity - ensures that there is a trail of where data came from - eliminates ability to say that you didn't send data that you did send - implemented using DIGITAL SIGNATURES - eliminates "man-in-the-middle" attaches
What is spyware?
- convertly spy on a user's activities and report back to a third-party - usually does NOT attempt to propagate - keyloggers (log/report keystrokes, steal passwords, phishing attacks) - rapidly becoming main threat
What are some common container objects in a directory?
- country (locality) - organization - organizational unit (OU) - group of names
Describe some of the functions of AD
- created, managed, controlled on domain controllers - stores object information about users, computers, printers, and can group objects together (container objects) - uniquely identifies every object in the tree using GUID (SID and RID) supports: dc: domain component (defines root) c: count l: locality o: organization ou: organizational unit cn: command name (leaf node) - built around domains
Why should backups be performed?
- data is valuable - storage only moving parts in most computing hardware - mass storage MTBF of any system component - data retention laws
What are group policy objects (GPOs)?
- define individual settings - must be assigned to OU that contains a user/computer to assign GPO to a user or computer - "Not Configured" by default
What is the directory schema?
- defines attribute types a directory can contain - defines structure - one root - container objects (can be nested) - leaf objects - attributes
What is Kerberos?
- designed as a strong network authentication protocol for client/server applications - includes authorization mechanism - built in to AD (available as 3rd party add-on on most platforms) - DIFFICULT to implement but easy to maintain (permissions centralized) - authentication server (AS), ticket granting server (TGS), application server
What is DNS?
- domain name system - defines a hierarchical naming system - PRIMARY RESPONSIBILITY IS NAME RESOLUTION - originally a static approach (hard coded list of names/IPs; worked fine with manual IP configs but not with dynamics) form: host.subdomain(s).top_level_domain - each level must be unique within next higher level - up to 127 levels of domains - up to 63 characters per domain http://www.tech.purdue.edu/cit http: protocol www: host tech: 2nd level subdomain purdue: 1st level subdomain .edu: top-level domain /cit: resource
What are some virus protection methods?
- don't open email attachments unless its from someone you know - lock down browser settings - use a browser other than IE - application updates - disable unnecessary services in applications - watch for current exploits - anti-virus software (automatic updates, full system scans, on-demand file scanning, heuristic scanning) - email scanning
What are some ways to ensure the proper application of user IDs and passwords?
- don't write passwords down!! - avoid easy to guess passwords (names of family members/pets, birthdates, etc) - use at least EIGHT characters!
Describe AD implementation
- each DC holds complete copy of AD structure - some DCs are configured as global catalog servers - information on leaf objects only stored on DCs responsible for that portion of the tree - users created within specific domain and can authenticate against any DC within that domain (Kerberos) - users can be members of multiple groups
Describe AD replication
- each DC in an AD is equal in stature - replication occurs between DCs within a domain - managed through "sites & services"
What is a segment browse master?
- each network segment has a browse master that contains browse list for that segment - chose by elections based on "strength" of system - station boots = forces election to see if it should be segment browse master
What is the purpose of Active Directory?
- enables management of enterprise-wide information from a central repository that can be globally distributed
What is a digital certificate?
- encrypted data file that uses a Certificate Authority to guarantee the identity of the holder (trust CA = trust certificate used by CA) - also includes an ENCRYPTION KEY for secure transmissions
What is a profile?
- environment created specifically for a user - created for all new users by copying and modifying default profile
What is path?
- environmental variable in Windows that specified the location of programs
What is packet filtering?
- every packet coming in is analyzed and a decision is made as to whether the packet will be forwarded or dropped - decisions typically based on some combination of source/destination IP, layer 4 protocol, port number - make FORWARDING DECISIONS ONLY on statically configured parameters (packet doesn't match rule = denied)
What is magnetic disk?
- faster than tape due to random access - more reliable than tape - more expensive than tape - locally attached or networked
What are the two places where permissions can be set?
- file system - network share
What are some of the current malware trends?
- financial gain is rapidly outpacing simple chaos as MAIN motivator for malware - sophistication of malware increasing - as internet/computing devices get more complex, problems with malware will continue to mount - tradeoff between security and usability
What is a software firewall?
- firewall functionality built into software that runs as part of the operating system - typically only provide packet filtering but some can do some limited SPI - NEVER a replacement for hardware firewalls - secure different parts of network and target different attack vectors
What are firewall rules?
- firewalls enforce their policy by using rules - rule order is important - rules analyzed from TOP DOWN - FIRST MATCH ALGORITHM - match criteria used to decide which packet the rule will apply to - when match made, ACTION determines what happens to packet (Allow/Permit, Deny/Drop, Reject)
What are some password security recommendations?
- force periodic password changes - disallow the last x passwords - mix case - use non-alpha characters - disallow plain English passwords
Which backup do data restores always start with?
- full backup - if incrementals are used, must restore all incrementals since the last full backup - if differentials are used, must restore the most recent differential - if combination used, order: - full, most recent differential, each incremental since differential
How do biometrics work?
- functions as both ID and proof of ID - physiological - behavioral - issues with FALSE POSITIVES and FALSE NEGATIVES
What are some of the features and functions of a directory?
- functions to organize and centralize information, objects, and functions (users/groups, devices, applications) - used to perform authentication function - "phone book" about network users - best for larger organizations - can be a DETRIMENT to small organziations (complexity, unnecessary functionality) - single logical view of all network resources - geographic or functional organization (large organizations use combination of both) - resources distinguished by their position in tree - root of tree can be changed from user to user - items can inherit attributes based on their position in the tree (consistency across users, groups and resources within a directory location) - administration rights can be granted to portions of the tree - objects can be easily moved from one location to another (pruning, grafting)
What is pharming?
- hack DNS records to point to a duplicated bad website - usually lower level DNS servers - virus can alter local hosts.txt file to redirect users - best way to avoid is to look for CERTIFICATE ERRORS and don't enter information in non-secure sites
What is an absolute DN?
- includes complete location of item all the way from the root .gm.us.manufacturing.fotwayneassy.maintenance.jcdoe
Describe some of the functions of domains
- includes containers and objects as defined by X.500 - identified by DNS domain name - "governed" by one or more domain controllers - each domain controller can be authoritative for ONE AND ONLY ONE DOMAIN - domain tree can consist of multiple domains created from a single root domain
What are viruses/worms?
- infectious software whose main goal is to PROPAGATE THEMSELVES - distinguished by manner in which they spread - may contain a PAYLOAD
What is LDAP?
- lightweight directory access protocol - replacement for DAP - used for querying and modifying information in a directory - supports querying and modifying directory services running over TCP/IP - operates in a client/server manner over TCP port 389 Operations: - bind (authenticate) - search - compare - add - delete - modify - unbind - etc
What is DNS caching?
- local DNS resolvers and each DNS server save results of each DNS query (speeds up subsequent queries for same name) - authoritative server for each zone determines time to keep cached entries - reduces DNS overhead at cost of limiting ability to make changes to IP addressing - clear local DNS with ipconfig /flushdns (bad DNS information)
What are trojan horses and backdoors?
- malicious programs disguised as something innocuous or desirable - payload usually facilitates UNAUTHORIZED access to the system = backdoor - backdoors are used to bypass authentication mechanisms and access a remote machine
What is a worm?
- malware that actively attacks system vulnerabilities WITHOUT user intervention - FASTEST SPREADING type of malware - attacks focused on network services that listen for connections on open port - may or may not include a payload - routine install a BACKDOOR
What are top level domains?
- managed by ICANN - .edu, .com, .gov, .mil, .org, county-specific (240) - .biz, .info, .tv, .name, .pro, .aero,. coop, .museum - .lcl, .local, etc (local; non-public)
What is the media set?
- media required to do a single backup - most are rotated so no single set used
How often should passwords be changed?
- minimum 30 days - 90 days is OPTIMAL
What is magnetic tape?
- most commonly used media - relatively slow read/write transfer rates - sequential rather than random access - relatively inexpensive - 80-90% chance you can do full restore - clean heads of tape
What is a forest?
- multiple domain trees joined together - transitive trusts - can consist of many domains or just a single domain - created when first domain is created
Does DNS have security?
- no - vulnerable to DNS request spoofing, DNS cache poisoning, pharming DNSSEC: - all responses to DNS queries are digitally signed (by DNS root zone) - RRSIG: includes digital signature - DNSKEY: includes public key used to verify signature - DS: includes DNSKEY digest and is used to authenticate the public key - NSEC: includes the name of the authoritative DNS server to help prevent spoofing
What are some DNS tools?
- nslookup - ipconfig (/displaydns: shows resolver cache; /flushdns: clears local cache) - whois - mxtoolbox.com
What is a leaf in a directory?
- object that cannot contain other objects - person - computer - printer - most directories support alias objects which point to other entires in directory
What is a botnet?
- once a system is compromised, it becomes a DRONE, it then becomes part of a botnet - network of compromised systems used to accomplish some common goal - distribute spam, execute a DDOS attack, propagate malware, steal user information - becoming part of botnet is end goal of malware often - computer membership in botnets can be bought and sold on numerous black markets - Rustock, grum, etc
What is the local policy?
- only policy enforceable if there is no AD domain
What is terminal access controller access-control system (TACACS+)?
- operationally SIMILAR to RADIUS - uses TCP instead of UDP - breaks each of AAA functions into SEPARATE process - typically only used to access DEVICES, NOT workstations/servers
What is dynamic DNS?
- operationally similar to WINS but can be queried using standard DNS requests - allows a system to register its name and IP address with the DNS server as part of the boot process - requires a DNS server that specifically supports dynamic extensions - BIND (4.x does NOT support dynamic updates) - Windows Server 2003+ using native DNS - Novell 5.0+ using native DNS
What are organizational units (OUs)?
- organizational containers - can be nested
What is stateful packet inspection?
- packet filter that keeps track of the STATE of the connections - sometimes called dynamic packet filtering - tracks SYN/FIN/ACK/NAK flags and UDP data flows
What are some examples of proofs of identification?
- passwords - access code (ie. PIN number) - one-time tokens - biometrics - digital certificates
What is universal scope for AD groups?
- permissions can be assigned for any resource in any domain - membership can be drawn from any domain - implications to replication traffic
What is domain local scope for AD groups?
- permissions can be assigned for resources local to the domain in which the group was created - members can come from any domain
What is global scope for AD groups?
- permissions can be assigned for resources located in any domain - membership limited to local domain
What is the difference between inherited and explicit permissions?
- permissions can be explicitly assigned instead of inherited *AN EXPLICIT ALLOW CANNOT OVERRIDE AN INHERITED DENY!
What is a DNS zone?
- portion of the DNS namespace for which administrative responsibility has been delegated - sometimes equal to domains or can contain numerous domains - authoritative nameserver has responsibility over an entire zone or multiple zones
What are some permissions for pritners?
- print - delete jobs - reorder jobs
What is a roaming profile?
- profile stored on server-based share and accessible when user logs on - copied from share at logon and copied back at logoff - user's local profile still used - at logon, roaming profile copied to local profile of domain user, two are compared, and most recent is used - if user has local account also, two profiles will appear
What are directory services?
- protocols, functions, and APIs that allow access to directory information (DAP, LDAP, etc)
What is name resolution?
- provdes a means of converting human friendly name to network address - DNS - Microsoft "browsing" - WINS
What is a global catalog server?
- provides global listing of all objects in the directory
What is Microsoft "browsing"?
- provides means of determining which machines are currently available on the network - technique called broadcast browsing
What are some permissions for file systems?
- read - write - execute - list contents
What are relative DNs?
- relative DNs are relative to virtual root (called context) - context configurable for the user - only lists the location from the current as set in the client Absolute DN: .gm.us.manufacturing.fotwayneassy.maintenance.jcdoe Relative DN: .maintenance.jcdoe Context: .gm.us.manufacturing.fotwayneassy
What devices should be used to secure the perimeter of the network?
- security appliances - IDS and IPS used signatures to detect and/or prevent certain types of attacks - firewalls use rules to decide what to allow and what to block (software or hardware) - effectiveness on malware is proportional to the sophistication of the device
What are some of the purposes of malware?
- send spam - launched DDOS attacks - use computer to store/distribute illegal data - steal information/money - hide presence of other malware - chaos and destruction
What is a home folder?
- separate from a user's profile - central storage location where users can store files - basically just a mapped network drive
What is a DNS resolver?
- service that handles the name resolution query on the workstation
What are some trojan/rootkit protection methods?
- similar to virus protection - may required dedicated rootkit detection program - sometimes easier to rebuild rather than try and remove
What is an access control list (ACL)?
- simplest method of authorization - requires separate authentication method - attached to RESOURCE - contains a list of authorized users and their authorization level - used in Windows and Netware
What is a rootkit?
- software designed for two purposes: 1. hide its presence 2. provide privileged access to a computer - once compromised, system can be used in DOS attacks or to proliferate spam = zombie/drone - often installed through a virus/worm payload (backdoor or trojan) or through additional hacking (cracked password)
What is optical storage?
- somewhat faster than tape - random access - fewer libraries available - more often used for archival purposes
What is application filtering?
- special type of firewall that is designed to control how applications communicate - often acts as intermediary (ie. proxy) - talks ON BEHALF of back-end server - specific to particular application
What is Diameter?
- successor to RADIUS - uses TCP - adds security (IPsec or TLS) - provides BOTH STATEFUL and STATELESS models - support for failover between Diameter servers - framework protocol onto which services (like AAA) can be built
What is spear phishing?
- targeted phishing attacks - usually specific to an organization
What is phishing?
- technically not attack against a system, but a direct attack against a person (social engineering) - MOST SUCCESSFUL HACKING METHOD - typically occurs through email - appears to be sent from trusted source - states that receiver must log into their account and provide what appears to be a legitimate link - user clicks link, logs on = bad guys record credentials - sophisticated
What is accounting?
- the tracking of the consumption of network resources by users (data usage; can be used for bill-back purposes)
What should daily backups be used for?
- to back up any data files that have changed throughout the day - changed files marked by OS using an archive attribute bit (dir /AA to display files with archive bit set)
What is a security identifier (SID)?
- unique identifier that includes an ID for the user, groups the user is a member of, and the domain to which the user is authenticating
What is broadcast browsing?
- upon boot, each station broadcasts that it is available - whenever a station wants to connect to another station, it broadcasts a query - asks for an address to destination computer (NetBIOS) name, MAC address and network address
What are subnets used for in AD?
- used to determine relative location of an item in the directory
What are distinguished names (DNs)?
- used to refer to individual entires - can be absolute or relative
What is a domain browse master?
- used when browsing is required across segments - multiple domain browse masters can exist but must be run on domain controllers - intra-segment browsing is NOT possible in a workgroup
What are some types of identification?
- user ID (UID) - physical object (ie. ATM card) - biometrics - digital certificates
What are some of the core applications that rely on the directory for information?
- user logon - VPN authentication - digital signature verification and storage of digital certificates - signle sign-on verification - team collaboration - document publishing
What is a domain logon?
- users in a domain environment will authenticate against domain controller(s) - login credentials stored in AD as an account object - provided credentials are compared against those stored in AD - each account object is assigned a Security Identifier (SID)
How does TACACS+ use authorization?
- uses ACLs on the NAS device - TACACS+ server tells access server what ACL to use
How does RADIUS implement accounting?
- uses start/stop packets to track usage
What is remote authentication dial in user server (RADIUS)?
- usually uses a network access server as RADIUS client - uses RADIUS server as central authentication point - server can point to other external sources such as a database, Kerberos, LDAP, AD server (separate protocols used to remotely check credentials) - can authenticate users of MULTIPLE device types - uses UDP
How can authentication be accomplished?
- what you know - what you have - what you are
What is zone delegation?
- when an administrator wants to let another administrator manage part of a zone, first administrator's nameserver delegates part of the zone to another nameserver
What is WINS?
- windows internet naming system - provides central mapping of host names to network addresses - upon system startup, client registers itself with WINS server - when a station wants to connect to another station, it asks WINS server for network address by using station's NetBIOS name - eliminates the need to broadcast - can be configured to use multiple servers (redundancy, replication, load balancing) - BEST PRACTICE: put a WINS server at each end of any WAN link to reduce expensive network traffic
How does TACACS+ implement accounting?
- writes information to a log or a database
What is a reverse zone?
- zones associated with IP addres - name resolution - uses .arpa TLD ("address and routing parameter area") in-addr.arpa subdomain.TLD form - lower level subdomains equivalent to octets in IP address in reverse order reverse zone entry for www.purdue.edu: 200.7.210.128.in-addr.arpa - delegated to ISP for IP address block - typically used to verify relationship between a domain name and a given server IP address
What is a forward zone?
- zones associated with name - IP address resolution forward lookup of www.purdue.edu: 128.210.7.200
What is a station restriction?
-only allows users (or disallows) to use certain stations - good for servers
What is the recommended minimum length for web passwords?
10 characters
What is the best backup window?
1am-5am - usually completed once a day
What is the order of execution of GPOs?
First: local policy Second: site policy Third: domain policy Fourth: OU policy *IF AN INHERITED POLICY CONFLICTS WITH AN EXPLICITLY STATED POLICY, THE CHILD DOES NOT INHERIT THE PARENT'S GPO* - can block inheritance for GPO
What is authentication compared against?
a known-good object
What are some directory options?
active directory: - windows directory server since Windows 2000 - replaced NTDS (NT directory services) - uses LDAP as its native directory access protocol edirectory: - previously known as Novell Directory Services (NDS) - Novell Netware 4.0 open directory: - used by Apple's OX X - uses LDAP and Kerberos - can integrate with AD
Describe the Kerberos authentication/authorization process
authentication: 1. client sends authentication request to AS 2. AS authenticates the user and provides a ticket granting ticket (TGT) authorization: 3. client provides TGT to the TGS when it wants to access a particular server/resource 4. TGS authorizes the user and provides a service granting ticket (SGT) application access: 5. client provides SGT to application server 6. access to the application is granted
What is LDAP naming?
cn=John doe,ou-Students,o=CIT,c=WL
What command is used to install AD?
dcpromo
Which tool can be used to clear up confusion with permissions?
effective permissions tool
True/False: GPOs are inherited across domains
false
True/False: Ideally, a user ID should be an email address
false
True/False: It's ok to run two or more anti-virus programs at the same time
false
True/False: In general, it's better to set all permissions on the network share and allow every access to the share.
false - better to set all permissions on file system
True/False: Viruses don't typically require the user to do something to infect and spread.
false - requires user to do something - tricks user - built in to file type - error of omission rather than commission (browser security too low, etc)
What kind of firewall excels at stopping inbound attacks?
hardware firewall
Where should data be backed up to?
individual server-based backup: - separate backup drive in each server - fastest method - stability issue - may have to re-build server to get to backup centralized backup individual drives - commonly placed in each server - only support a single media instance at a time media libraries: - auto-loaders off-site storage - always rotate backup media off-site - protects from theft, fire, natural disaster - encryption is important
Can permissions be assigned to distribution groups?
no
What is a concurrent login restriction?
only allows a user to be logged into one station
What is a logon time restriction?
only allows access to network during certain times
What is a firewall?
security device that performs at least: - packet filtering - stateful packet inspection - application-layer filtering - some routing functions - dedicated hardware - add-on hardware to router - software-based - logging can help identify potential attacks
What are NTFS permissions?
set on file system
What is the effective permissions tool?
shows the effective, cumulative permissions for a user or group as they apply to a resource
What are the two strategies for user/resource grouping?
simple (good for smaller networks): - place users into user groups - assign permissions to user groups resource groups (good for larger networks): - users placed in user groups - resources placed in resource groups - user groups placed in resource groups - rights assigned to resource groups (self documenting)
Describe some media rotation methods
simple: - weekly full backup followed by daily incrementals - required one media set for each day grandfather, father, son: - differential backups daily - one full backup each week - last weekly full backup "promoted" to monthly backup (stored offsite) tower of hanoi: - less overall media than GFS, lot of reuse - using n media sets - 2^n - 1 days before recycling last set
What kind of firewall excels at stopping outbound attacks?
software firewall
How does Diameter support authorization?
through the use of the NASREQ add-in application
How is authorization accomplished?
through use of permissions (or rights)
True/False: Only "Security" groups will have SIDs added to user tokens upon logon.
true
True/False: RADIUS includes authorization functions
true - access-accept response can include authorization attributes
True/False: It is best to assign access permissions to groups rather than individual users.
true - ensures consistency - eases administration (new group member = inherits proper rights; only have to change rights in one place)
True/False: Fire proof safes usually will not protect most media
true - media must be "media rated"
True/False: You should use encrypted protocols for remote user access when possible
true - replace Telnet with SSH - use SSL for secure web transactions - use IPsec for secured tunnel (VPN) connections
True/False: File system permissions are inherited as you go down the hierarchy.
true - subdirectory will, by default, inherit permissions of its parent
How are user IDs typically created?
typically created according to some algorithm
What is two-factor authentication?
uses two of the authentication methods to prove an identify
When are user policies applied?
when a user logs in
Where are share permissions applied?
when resource is accessed over a network
What are computer policies applied?
when the computer boots up