Network Security FAQ: Web Security

Q1. What is the difference between a right and a permission?

Answer: A right applies to actions that involve accessing the resources of the operating system itself, such as shutting down the system. A permission applies to accessing the file system’s resources, such as reading and writing files.

Q2. What can be done on a web server to make it more secure against intruders?

Answer: Six options make a web server more secure:

  • Harden the file system.
  • Set account policies.
  • Edit group rights.
  • Rename critical accounts.
  • Turn on auditing.
  • Remove or disable unnecessary services.

Q3. What is DAC?

Answer: Discretionary Access Control (DAC) is a means of restricting access to information based on the identity of users and membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials presented at the time of authentication (username, password, hardware/software token, and so on). In most typical DAC models, owners of information or resources can change permissions at their discretion (thus the name). DAC’s drawback is that the administrator cannot centrally manage these permissions on files and information stored on the web server.

Q4. How can you enable logging on your IIS web server?

Answer: To enable logging, open Internet Information Services in the Administrative tools menu, expand the tree, right-click Default Web Site, and choose Properties. On the Properties page, select the Web site tab.

Near the bottom of that page, make sure that the Enable logging check box is selected, then click Properties. By default, a new log file is created every day. The default log file directory is %WinDir%\System32\LogFiles; however, you should change this to point somewhere else, preferably to another server.

Q5. What two methods restrict access to an IIS web server?

Answer: The two methods that restrict access to an IIS web server are restricting access on a user-by-user basis and restricting access by IP address.

Q6. List three popular scripting languages used on web servers that are executed by browsers when visiting the site.

Answer: The three popular scripting languages used on web servers that are executed by browsers when visiting the site are Java, JavaScript, and VBScript/ActiveX.

Q7. Describe the four security zones that are available in Internet Explorer.

Answer: The four security zones that are available in Internet Explorer are as follows:

Internet: Contains all websites that are not placed in another zone.

Local intranet: Contains all the websites that are on your company’s intranet. Here, you find all sites that have the same domain name as the one your PC is using.

Trusted sites: Contains websites that you trust will not damage your data. If you want to have trusted sites, you must add them manually.

Restricted sites: Contains websites that you do not trust because they might potentially damage your data. This is also a manual list.

Q8. Briefly describe the four predefined security levels in Internet Explorer.

Answer: The four predefined security levels in Internet Explorer follow.
High
  • This is the safest way to browse but also the least functional.
  • Less secure features are disabled.
  • Cookies are disabled. (Some websites do not work.)
  • This is appropriate for sites that might have harmful content.
Medium
  • Browsing is safe and still functional.
  • Prompts before downloading potentially unsafe content.
  • Unsigned ActiveX controls are not downloaded.
  • This is appropriate for most Internet sites.
Medium-low
  • This is the same as Medium without prompts.
  • Most content is run without prompts.
  • Unsigned ActiveX controls are not downloaded.
  • This is appropriate for sites on your local network (intranet).
Low
  • Minimal safeguards and warning prompts are provided.
  • Most content is downloaded and run without prompts.
  • All active content can run.
  • Appropriate for sites that you absolutely trust.

Q9. What is the difference between session cookies and persistent cookies?

Answer: The difference between session cookies and persistent cookies is as follows:

Session cookies: This cookie is created when you visit an e-commerce website where you use a shopping cart to keep track of what you buy. After you check out of that website, the session cookie is deleted from your browser memory.

Persistent cookies: When you go to a website and you see a personalized welcome message, you know that you have a persistent cookie on your PC. These cookies contain information about you and your account. Often, this information is a key that is related only to a database with your profile.

Q10. What is the best way to handle cookies?

Answer: The best solution is to force all your cookies to be session cookies. You can do this by making the folder in which the cookies are stored read-only. Your browser can accept them but cannot save them to disk.
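The distinction in Q9 and the "session cookies only" policy in Q10 both come down to one thing on the wire: a Set-Cookie header carries an Expires or Max-Age attribute if, and only if, the browser is meant to keep the cookie on disk. The following Python script is an added example, not part of the original FAQ, that parses Set-Cookie headers, classifies each one as session, persistent, or a deletion (Max-Age of zero or less), and shows the same downgrade Q10 achieves with a read-only folder applied instead at a response filter, by stripping the persistence attributes. The sample headers are constructed for illustration; the parsing follows the attribute rules of RFC 6265 (Max-Age takes precedence over Expires, and a non-numeric Max-Age is ignored).

```python
"""Classify Set-Cookie headers as session or persistent, and downgrade
persistent cookies to session cookies by removing Expires / Max-Age.

Added example, not part of the original FAQ. All sample headers below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ParsedCookie:
    name: str
    value: str
    # (attribute name as sent, value or None for flag attributes such as Secure)
    attributes: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def has(self, attr_name: str) -> bool:
        """Case-insensitive presence check for an attribute (RFC 6265 attribute names are case-insensitive)."""
        return any(key.lower() == attr_name.lower() for key, _ in self.attributes)

    def get(self, attr_name: str) -> Optional[str]:
        """Case-insensitive lookup; None if absent or a bare flag."""
        for key, val in self.attributes:
            if key.lower() == attr_name.lower():
                return val
        return None


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie header value into name, value and attribute list.

    Attributes are separated by ';'. Expires values contain commas but never
    semicolons, so splitting on ';' is safe.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie.attributes.append((key.strip(), val.strip() if sep else None))
    return cookie


def classify(header: str) -> str:
    """Return 'session', 'persistent' or 'deletion' for one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    if cookie.has("Max-Age"):
        try:
            max_age = int(cookie.get("Max-Age") or "")
        except ValueError:
            max_age = None  # invalid Max-Age is ignored; Expires (if any) decides
        if max_age is not None:
            return "deletion" if max_age <= 0 else "persistent"
    if cookie.has("Expires"):
        return "persistent"
    return "session"


def make_session_only(header: str) -> str:
    """Rebuild the header without Expires / Max-Age so the browser keeps it in memory only.

    Other attributes (Path, Secure, HttpOnly, SameSite, ...) are preserved as sent.
    """
    cookie = parse_set_cookie(header)
    kept = [f"{cookie.name}={cookie.value}"]
    for key, val in cookie.attributes:
        if key.lower() in ("expires", "max-age"):
            continue
        kept.append(key if val is None else f"{key}={val}")
    return "; ".join(kept)


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "cart=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "token=xyz; Max-Age=2592000; Secure; HttpOnly; SameSite=Lax",
    "token=; Max-Age=0; Path=/",
    "legacy=1; Max-Age=abc; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]


def classify_all(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, classification) pairs in header order."""
    return [(parse_set_cookie(h).name, classify(h)) for h in headers]


if __name__ == "__main__":
    for header, (name, kind) in zip(SAMPLE_HEADERS, classify_all(SAMPLE_HEADERS)):
        print(f"{name:8} {kind:10}  ->  {make_session_only(header)}")
```

Running the script on the constructed headers prints one line per cookie with its classification and the session-only rewrite; only the two headers carrying a valid Max-Age or an Expires attribute are reported as persistent, and after the rewrite every header classifies as a session cookie.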

About the author

Scott