Network Security FAQ: Web Security
Q1. What is the difference between a right and a permission?
Q2. What can be done on a web server to make it more secure against intruders?
Answer: Six options make a web server more secure:
- Harden the file system.
- Set account policies.
- Edit group rights.
- Rename critical accounts.
- Turn on auditing.
- Remove or disable unnecessary services.
Q3. What is DAC?
Q4. How can you enable logging on your IIS web server?
Answer: To enable logging, open Internet Information Services from the Administrative Tools menu, expand the tree, right-click Default Web Site, and choose Properties. On the Properties page, select the Web Site tab.
Near the bottom of that tab, make sure the Enable logging check box is selected, then click Properties. By default, a new log file is created every day. The default log file directory is %WinDir%\System32\LogFiles; you should change this to point somewhere else, preferably to another server, so that an intruder who compromises the web server cannot simply edit or delete the record of what they did.
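Once logging is on, the files in that directory are only useful if someone reads them. The following added example (not part of the original FAQ) assumes the log files use the IIS default W3C Extended format: a few `#` directive lines, then one space-separated record per request laid out as the `#Fields:` directive says. It parses such a file and reports any client address that produced a burst of 4xx/5xx responses. The log text inside it is constructed for illustration.

```python
r"""Parse IIS W3C Extended log lines and spot clients that trip many errors.

Added example, not part of the original FAQ. It assumes the log files that
end up in %WinDir%\System32\LogFiles (or the remote directory you point IIS
at) use the IIS default W3C Extended format. The log text below is
constructed for illustration.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample of one daily log file as IIS would write it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Date: 2024-01-15 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2024-01-15 08:00:01 203.0.113.5 GET /index.htm - 200 Mozilla/5.0
2024-01-15 08:00:02 203.0.113.5 GET /images/logo.gif - 200 Mozilla/5.0
2024-01-15 08:00:09 198.51.100.7 GET /backup.zip - 404 curl/8.0
2024-01-15 08:00:10 198.51.100.7 GET /old/ - 404 curl/8.0
2024-01-15 08:00:11 198.51.100.7 GET /test.asp - 404 curl/8.0
2024-01-15 08:00:12 198.51.100.7 GET /admin/ - 403 curl/8.0
2024-01-15 08:01:00 203.0.113.9 POST /checkout.asp - 200 Mozilla/5.0
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per request, keyed by the names in the #Fields directive.

    IIS can write a fresh #Fields line part-way through a file (for example
    after the set of logged fields is changed), so the current layout is
    tracked as lines are read instead of taken from the file header once.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and #Date are file metadata
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            # W3C encodes spaces inside a value as '+', so a count mismatch
            # means a truncated or tampered record rather than a quoting issue.
            raise ValueError(f"record does not match #Fields directive: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def clients_over_error_threshold(records: List[Dict[str, str]],
                                 threshold: int = 3) -> Dict[str, int]:
    """Count 4xx/5xx responses per client address and return those at or
    above the threshold. A burst of errors from one address is a common sign
    of someone probing the server for files it was never meant to serve."""
    errors: Counter = Counter()
    for record in records:
        if int(record["sc-status"]) >= 400:
            errors[record["c-ip"]] += 1
    return {ip: n for ip, n in errors.items() if n >= threshold}


if __name__ == "__main__":
    parsed = parse_w3c_log(SAMPLE_LOG)
    print(f"{len(parsed)} requests parsed")
    for ip, n in clients_over_error_threshold(parsed).items():
        print(f"{ip}: {n} error responses")
```

Run it against a real daily file by reading the file contents into `parse_w3c_log`; because the parser keys every record by the field names the file itself declares, it keeps working when the set of logged fields is changed in the IIS logging properties.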
Q5. What two methods restrict access to an IIS web server?
Q6. List three popular scripting languages used on web servers that are executed by browsers when visiting the site.
Q7. Describe the four security zones that are available in Internet Explorer.
Answer: The four security zones that are available in Internet Explorer are as follows:
- Internet: Contains all websites that are not placed in another zone.
- Local intranet: Contains all the websites on your company's intranet, that is, all sites with the same domain name as the one your PC is using.
- Trusted sites: Contains websites that you trust not to damage your data. Sites must be added to this zone manually.
- Restricted sites: Contains websites that you do not trust because they might damage your data. This is also a manual list.
Q8. Briefly describe the four predefined security levels in Internet Explorer.
Answer: The four predefined security levels in Internet Explorer are as follows:
High:
- This is the safest way to browse but also the least functional.
- Less secure features are disabled.
- Cookies are disabled. (Some websites do not work.)
- This is appropriate for sites that might have harmful content.
Medium:
- Browsing is safe and still functional.
- Prompts before downloading potentially unsafe content.
- Unsigned ActiveX controls are not downloaded.
- This is appropriate for most Internet sites.
Medium-Low:
- This is the same as Medium without prompts.
- Most content is run without prompts.
- Unsigned ActiveX controls are not downloaded.
- This is appropriate for sites on your local network (intranet).
Low:
- Minimal safeguards and warning prompts are provided.
- Most content is downloaded and run without prompts.
- All active content can run.
- This is appropriate for sites that you absolutely trust.
Q9. What is the difference between session cookies and persistent cookies?
Answer: The difference between session cookies and persistent cookies is as follows:
- Session cookies: A session cookie is created, for example, when you visit an e-commerce website that uses a shopping cart to keep track of what you buy. After you check out of that website, the session cookie is deleted from your browser's memory.
- Persistent cookies: When you go to a website and see a personalized welcome message, you know that you have a persistent cookie on your PC. These cookies contain information about you and your account; often, this information is just a key that refers to a record in a database holding your profile.
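What decides which kind of cookie the browser stores is the Set-Cookie header the server sends: a cookie becomes persistent only when the server gives it a lifetime (a Max-Age or Expires attribute); without one, the browser keeps it in memory and discards it when the session ends. The following added example (not part of the original FAQ) parses Set-Cookie headers and classifies each cookie accordingly, also handling the case where the server sends a lifetime of zero to remove a cookie, and reporting which of the Secure and HttpOnly flags were set. The header strings in it are constructed.

```python
"""Classify Set-Cookie headers as session, persistent or expired cookies.

Added example, not part of the original FAQ. The header strings below are
constructed for illustration; the parsing rules follow RFC 6265.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute names lower-cased; flag attributes (Secure, HttpOnly) map to None
    attributes: Dict[str, Optional[str]]

    def lifetime_seconds(self, now: datetime) -> Optional[int]:
        """Seconds until expiry, or None for a session cookie.

        RFC 6265: when both are present, Max-Age takes precedence over Expires.
        """
        if "max-age" in self.attributes:
            return int(self.attributes["max-age"] or 0)
        if "expires" in self.attributes:
            expires = parsedate_to_datetime(self.attributes["expires"] or "")
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            return int((expires - now).total_seconds())
        return None

    def classify(self, now: datetime) -> str:
        """'session', 'persistent', or 'expired' (a lifetime of zero or less
        tells the browser to remove the cookie immediately)."""
        life = self.lifetime_seconds(now)
        if life is None:
            return "session"
        return "persistent" if life > 0 else "expired"

    def security_flags(self) -> List[str]:
        """Which of the Secure and HttpOnly flags the server set."""
        return [flag for flag in ("secure", "httponly") if flag in self.attributes]


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value.

    Only the first '=' separates name from value, so values that themselves
    contain '=' survive. Attributes are split on ';' (Expires dates contain
    commas, so ',' is never treated as a separator).
    """
    parts = [part.strip() for part in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip() if has_value else None
    return ParsedCookie(name.strip(), value.strip(), attributes)


def classify_headers(headers: List[str], now: datetime) -> Dict[str, str]:
    """Map cookie name -> 'session' | 'persistent' | 'expired'."""
    return {cookie.name: cookie.classify(now)
            for cookie in map(parse_set_cookie, headers)}


# Constructed sample headers, as a shop might send them during a visit.
SAMPLE_HEADERS = [
    "CARTSESSION=7f3a9c; Path=/; Secure; HttpOnly",                           # shopping-cart session cookie
    "welcome=user42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure",  # personalised greeting
    "prefs=theme=dark; Max-Age=2592000; Path=/",                              # 30-day preference cookie
    "oldtoken=; Max-Age=0; Path=/",                                           # server removing a cookie
]
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        print(f"{cookie.name:12} {cookie.classify(NOW):10} flags={cookie.security_flags()}")
```

The fixed `NOW` clock is what makes the classification reproducible; when checking a live server's headers, pass `datetime.now(timezone.utc)` instead. A cookie that carries account information but no lifetime, or a lifetime much longer than the site needs, is the kind of thing this check is meant to surface.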
Q10. What is the best way to handle cookies?