Microsoft Microsoft Certifications 98-367 Questions & Answers

• Question 41:

  Mark works as a Security Administrator for TechMart Inc. The company has a a Windows-based network. Mark has gone through a security audit for ensuring that the technical system is secure and protected. While this audit, he identified many areas that need improvement. He wants to minimize the risk for potential security threats by educating team members in the area of social engineering, and providing basic security principle knowledge while stressing the Con?dentiality, Integrity, and Availability triangle in the training of his team members . Which of the following ways will Mark use for educating his team members on the social engineering process?

  A. He will call a team member while behaving to be someone else for gaining access to sensitive information.

  B. He will use group policies to disable the use of floppy drives or USB drives.

  C. He will develop a social awareness of security threats within an organization.

  D. He will protect against a Distributed Denial of Services attack.

  Correct Answer: A

  Social engineering can be defined as any type of behavior used to inadvertently or deliberately aid an attacker in gaining access to an authorized user's password or other sensitive information. Social engineering is the art of convincing people and making them disclose useful information such as account names and passwords. This information is further exploited by hackers to gain access to a user's computer or network. This method involves mental ability of people to trick someone rather than their technical skills. A user should always distrust people who ask him for his account name, password, computer name, IP address, employee ID, or other information that can be misused.

  Answer: B is incorrect. The group policies are used to disable the use of floppy drives or USB drives to ensure physical security of desktop computers. Several computers are able to use the mechanism of attaching a locking device to the desktops, but disabling USB and floppy drives can disable a larger set of threats. Answer: D is incorrect. While stressing the Con? dentiality, Integrity, and Availability triangle in the training of users, the process of providing availability is related to security training to ensure the protection against a Distributed Denial of Services attack.

• Question 42:

  Mark works as a Network Administrator for TechMart Inc. The company has a Windows-based network. Mark wants to implement a method to ensure that the mobile devices are in a good state of security health when they are trying to access the corporate network. Which of the following is a control or strategy that Mark will implement to assure the security health?

  A. TCP/IP protocol

  B. Kerberos

  C. Single Sign On

  D. Network Access Protection

  Correct Answer: D

  Network Access Protection (NAP) is a set of operating system components included with the Windows Server 2008 and Windows Vista/7 operating systems. It ensures that the client computers on a private network meet administrator-defined requirements for system health. NAP policies define the required configuration and update status for a client computer's operating system and critical software. For example, an administrator can set policies that computers might be required to have antivirus software with the latest virus definition installed and current operating system updates. Using NAP, a network administrator can enforce compliance with health requirements for the client computers connection to the network. NAP helps network administrators to reduce the risk caused by improperly configured client computers that might be exposed to viruses and other malicious software. Answer: C is incorrect. Single sign-on (SSO) is defined as a mechanism in which a single action of user authentication and authorization is used to allow a user to access all computers and systems where he got a access permission, without entering passwords for multiple times. Answer: B is incorrect. Kerberos is defined as a secure method used for authenticating a request for a service in a computer network. Answer: A is incorrect. TCP/IP protocol is used to define the rule computers are required to follow for communicating with each other over the internet.

• Question 43:

  Which of the following is a physical address stored in the Network Interface card on your system or any other device residing on your network?

  A. IP address

  B. I/O address

  C. MAC Address

  D. Broadcast address

  Correct Answer: C

  MAC address is a physical address stored in the Network Interface card on your system or any other device residing on your network. A Media Access Control (MAC) address is a numerical identifier that is unique for each network interface card (NIC). MAC addresses are 48-bit values expressed as twelve hexadecimal digits, usually divided into hyphen-separated pairs, for example, FF-00-F8-32-13-19. The MAC address consists of two parts. The first three pairs are collectively known as the Organizationally Unique Identifier (OUI). The remaining part is known as the device ID. The OUI is administered by IEEE. MAC addresses are also referred to as hardware addresses, Ethernet addresses, and universally administered addresses (UAAs). Answer: D is incorrect. Broadcast address is a special kind of IP address that is used to send packets to all the devices on a same segment of a network. For IP broadcasts, broadcast address is the address in which the host portion of the IP address consists of either all 0's or all 255's. For MAC broadcasts, all of the bet positions in the address are enabled, making the address FFFF.FFFF.FFFF in hexadecimal. Answer: A is incorrect. An IP address is a four-byte number that uniquely identifies a computer on a TCP/IP network. It is made up of 32 bits of information. These bits are divided into four sections, each section containing one byte (8 bits), also known as an octet. Each node on the TCP/IP network must be assigned a unique IP address. There are two types of IP addresses, i.e., Private and Public. Answer: B is incorrect. I/O address is a communication port between a device and the CPU. The CPU needs a memory address, known as Input/ Output (I/O) address, to communicate with any peripheral device. I/O address is a hexadecimal number that the CPU uses to identify a device. I/O address allows the CPU to send instructions to devices installed on the bus slot of a computer. Resources such as I/O addresses, IRQs, and DMAs are configurable aspects of communication between devices inside a PC. Whenever a component, such as a sound card or internal modem is installed in a PC, its I/O address, IRQ, and DMA channels must be correctly configured.

• Question 44:

  John works as a Network Administrator for We-are-secure Inc. The We-are-secure server is based on Windows Server 2003. One day, while analyzing the network security, he receives an error message that Kernel32.exe is encountering a problem. Which of the following steps should John take as a countermeasure to this situation? Each correct answer represents a complete solution. Choose all that apply.

  A. He should restore his Windows settings.

  B. He should upgrade his antivirus program.

  C. He should observe the process viewer (Task Manager) to see whether any new process is running on the computer or not. If any new malicious process is running, he should kill that process.

  D. He should download the latest patches for Windows Server 2003 from the Microsoft site, so that he can repair the kernel.

  Correct Answer: BC

  Answer: B and C

  In such a situation, when John receives an error message revealing that Kernel32.exe is encountering a problem, he needs to come to the conclusion that his antivirus program needs to be updated, because Kernel32.exe is not a Microsoft

  file (It is a Kernel32.DLL file.).

  Although such viruses normally run on stealth mode, he should examine the process viewer (Task Manager) to see whether any new process is running on the computer or not. If any new process (malicious) is running on the server, he

  should exterminate that process.

  Answer: A and D are incorrect. Since kernel.exe is not a real kernel file of Windows, there is no need to repair or download any patch for Windows Server 2003 from the Microsoft site to repair the kernel.

  Note: Such error messages can be received if the computer is infected with malware, such as Worm_Badtrans.b, Backdoor.G_Door, Glacier Backdoor, Win32.Badtrans.29020, etc.

• Question 45:

  Which of the following can be used to implement two-factor authentications? Each correct answer represents a complete solution. Choose all that apply.

  A. Firewall security rule

  B. Password

  C. Smart card

  D. Encrypted network configuration

  Correct Answer: BC

  Answer: C and B

  Two-factor authentication is defined as a security process that is used to confirm user identities by using two individual factors as follows:

  Something they have such as token, smart cards, etc Something they know such as password.

• Question 46:

  Which of the following is a mechanism that allows authentication of dial-in and other network connections?

  A. VPN

  B. NTFS

  C. RADIUS

  D. Single Sign-On

  Correct Answer: C

  RADIUS is a mechanism that allows authentication of dial-in and other network connections. RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The Remote Access Server, the Virtual Private Network server, the Network switch with port-based authentication, and the Network Access Server are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server. The RADIUS server is usually a background process running on a UNIX or Windows NT machine. RADIUS serves three functions: To authenticate users or devices before granting them access to a network To authorize those users or devices for certain network services To account for usage of those services Answer: D is incorrect. Single Sign-On is an approach which involves a server that acts as an online certificate authority within a single sign-on system. A single sign-on server will issue digital certificates into the client system, but never stores them. Users can execute programs, etc. with the temporary certificate. It is common to find this solution variety with x.509-based certificates. Answer: B is incorrect. NTFS is a high-performance file system proprietary to Microsoft. NTFS supports file-level security, compression, and auditing. It also supports large volumes and powerful storage solution such as RAID. The latest feature of NTFS is its ability to encrypt files and folders to protect sensitive data. Answer: A is incorrect. A virtual private network (VPN) is a form of wide area network (WAN) that supplies network connectivity over a possibly long physical distance. A virtual private network is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a tunnel that cannot be entered by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.

• Question 47:

  Which of the following tools traces all or specific activities of a user on a computer?

  A. Task Manager

  B. Event Viewer

  C. Network Monitor

  D. Keylogger

  Correct Answer: D

  A keylogger is a software tool that traces all or specific activities of a user on a computer. Once a keylogger is installed on a victim's computer, it can be used for recording all keystrokes on the victim's computer in a predefined log file. An

  attacker can configure a log file in such a manner that it can be sent automatically to a predefined e-mail address. Some of the main features of a keylogger are as follows:

  It can record all keystrokes.

  It can capture all screenshots.

  It can record all instant messenger conversations. It can be remotely installed.

  It can be delivered via FTP or e-mail.

  Answer: A is incorrect. Task Manager is a utility that is used for managing applications, processes, and the general system performance and also for viewing the networking and user statistics. The Task Manager utility is used to run or end

  programs or applications. Administrators use this tool to quickly identify and terminate a rogue application.

  

  This utility can be run by invoking a Windows Security menu by using the Ctrl+Alt+Delkey combination and then clicking the Task Manager button or by right- clicking the task bar and then clicking the Task Managermenu option. Answer: B is

  incorrect. Event Viewer is an administrative utility that displays the event log of a computer running Windows NT. Event Viewer displays the following categories of events:

  Error: These events show significant problems, such as loss of data or loss of functionality. Warning: These events are not necessarily significant but indicate possible problems. Information: These events describe the successful operation of

  an application, driver, or service. Success Audit: These events show successful audited security access attempts.

  Failure Audit: These events show failed audited security access attempts. Answer: C is incorrect. Network Monitor (Netmon) is a protocol analyzer. It is used to analyze the network traffic. It is installed by default during the installation of the

  operating system. It can be installed by using Windows Components Wizard in the Add or Remove Programs tool in Control Panel. Network Monitor is used to perform the following tasks:

  1.Capture frames directly from the network.

  2.Display and filter captured frames immediately after capture or a later time. 3.Edit captured frames and transmit them on the network.

  4.Capture frames from a remote computer.

• Question 48:

  On which of the following is the level of security set for an Internet zone applied?

  A. To the sites that you have specifically indicated as the ones that you trust.

  B. To all the Websites by default.

  C. To the sites that might potentially damage your computer, or your information.

  D. To the Websites and content that are stored on a corporate or business network.

  Correct Answer: B

  The level of security set for an Internet zone is applied to all the Websites by default. Answer: C is incorrect. The level of security set for the restricted sites is applied to the sites that might potentially damage your computer, or your

  information.

  Answer: D is incorrect. The level of security set for the local intranet zone is applied to the Websites and content that are stored on a corporate or business network. Answer:

  A is incorrect. The level of security set for the trusted sites is applied to sites that you have specifically indicated as the ones that you trust.

• Question 49:

  Which of the following security methods can be used to detect the DoS attack in order to enhance the security of the network?

  A. Protocol analyzer

  B. WIPS

  C. WLAN controller

  D. Spectrum analyzer

  Correct Answer: B

  WIPS is used to detect the DOS attack in order to enhance the security of the network. Wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for the presence ofunauthorized access points

  (intrusion detection), and can automaticallytake countermeasures (intrusion prevention). The primary purpose of a WIPS is to prevent unauthorized network access to local area networks and other information assets by wireless devices.

  Answer:

  C is incorrect. A wireless LAN controller is a device that is used in combination with Lightweight Access Point Protocol (LWAPP) to manage light weight access points in large quantities by the network administrator or NOC. The wireless LAN

  controller is a part of the Data Plane within the Cisco Wireless Model. The WLAN controller automatically handles the configuration of anywhere from 6 to 300 wireless access-points, depending on the model. Answer: D is incorrect. A

  spectrum analyzer, or spectral analyzer, is a device that is used to examine the spectral composition of some electrical, acoustic, or optical waveform. It may also measure the power spectrum. The analog and digital spectrum analyzers are

  as follows:

  1.An analog spectrum analyzer uses either a variable band-pass filter whose mid- frequency is automatically tuned (shifted, swept) through the range of frequencies of which the spectrum is to be measured.

  2.A digital spectrum analyzer computes the discrete Fourier transform (DFT), a mathematical process that transforms a waveform into the components of its frequency spectrum.

  Answer: A is incorrect. A protocol analyzer is a network diagnostic utility for viewing the current contents of a packet traveling on the network. Protocol analyzers are mainly used for performance measurement and troubleshooting. These

  devices connect to the network to calculate key performance indicators (KPI) to monitor the network and speed up troubleshooting activities.

• Question 50:

  Which of the following is the most common method for an attacker to spoof email?

  A. Back door

  B. Replay attack

  C. Man-in-the-middle attack

  D. Open relay

  Correct Answer: D

  An open relay is the most common method for an attacker to spoof email. An open relay is an SMTP mail server configured in such a way that it allows anyone on the Internet to send e-mail through it. By processing mail that is neither for nor from a local user, an open relay makes it possible for a spammer to route large volumes of spam. Answer: C is incorrect. Man-in-the-middle attacks occur when an attacker successfully inserts an intermediary software or program between two communicating hosts. The intermediary software or program allows attackers to listen to and modify the communication packets passing between the two hosts. The software intercepts the communication packets and then sends the information to the receiving host. The receiving host responds to the software, presuming it to be the legitimate client. Answer: A is incorrect. A backdoor is a program or account that allows access to a system by skipping the security checks. Many vendors and developers implement backdoors to save time and effort by skipping the security checks while troubleshooting. A backdoor is considered to be a security threat and should be kept with the highest security. If a backdoor becomes known to attackers and malicious users, they can use it to exploit the system. Answer: B is incorrect. A replay attack is a type of attack in which attackers capture packets containing passwords or digital signatures whenever packets pass between two hosts on a network. In an attempt to obtain an authenticated connection, the attackers then resend the captured packet to the system. In this type of attack, the attacker does not know the actual password, but can simply replay the captured packet.