SCP SC0-502 問題集

質問 1：
By now, you are feeling confident that the security of the MegaCorp network is getting under control. You are aware that there are still several critical areas that you must deal with, and today you are addressing one of those areas. You have been able to take care of the router, firewall, security policy, and intrusion detection, now you are concerned with some of the hosts in the network.
Since the organization is not very large, you are the only person working in the IT end of the company. It will be up to you to directly work on the systems throughout the network. You make a quick chart of the systems you know should be in the MegaCorp network: Server0001, 10.10.20.101, Windows 2000 Server
Server0010, 10.10.20.102, Windows 2000 Server
Server0011, 10.10.20.103, Windows 2000 Server
Server0100, 10.10.20.104, Linux (Red Hat 8.0)
User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional
The addressing that you recommended months ago is in place, and it follows a distinct logical pattern, you are hoping that no new systems are hidden in the network somewhere.
In the company, you have been granted domain administrator rights, and no other user is authorized to have administrator, root, supervisor, or otherwise privileged level of access. All the Windows systems are to belong to one windows domain called SCNA.edu. Users are no longer allowed to install unauthorized applications, and are all to use the file servers for storage. Although they have the ability to do so, users are not supposed to store any work data on their local systems.
The servers are located in a server cabinet that is inside your office, so you decide to start working there. Using your knowledge of MegaCorp select the best solution for hardening the MegaCorp operating systems:}
A. The first thing you decide to do is plug your laptop into the server room, and run a full Nessus scan on the entire network, specifically looking for every backdoor vulnerability that the application can check. This takes some time to compile, but you eventually end up with a list of issues to address on each machine.
You move on to the Linux server, and run a fast Tripwire check on the system to look for any additional vulnerabilities. Once that check is done, you install SSH so that all access by every user will be encrypted to the server, and you run Bastille to lock down the system.
At the Windows systems, you address any issues found during the Nessus scan, you ensure that each system is updated with the latest patches, and you ensure that the systems are all functioning as fully secure and functional file servers to the network by implementing the HISECWEB.INF template in the Security Configuration and Analysis Snap-In.
Finally, you work on each desktop machine by removing any vulnerabilities listed in the scan report. You remove a few pieces of unauthorized hardware and many unauthorized applications.
B. You being by running a Nessus scan from your office laptop on the systems in the network, first the servers, then the user workstations. After the scans are complete, you store the reports on your laptop, and you take your laptop to the server room.
In the server room, you begin on the Windows servers. You implement a custom security template on each server using the Security Configuration and Analysis Snap-In, remove any unauthorized accounts, ensure that each system is updated with the latest patches, and ensure that the permissions on each shared object are as per policy.
You then work on the Linux server, by addressing each point identified in the Nessus scan. You then lock the system with Bastille, ensure that each system is updated with the latest patches, and run a quick Tripwire scan to create a baseline for the system.
You take your laptop with you as you go throughout the network to each user workstation, ensure that each system is updated with the latest patches, and you take care of each issue you found on the machines. There are a few systems that you find with unauthorized applications and you remove those applications.
C. You start the job by running some analysis on the Windows servers. You do this using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. You find several user accounts that have been given local administrator access, and you remove these accounts. You next use the Secedit tool to implement local encryption on the shared hard drive to secure the local files for the network users.
You then work on the Linux server. To your surprise there are no unauthorized root accounts, nor any unauthorized shares. You ensure that the permissions are correct on the shared objects, and run Bastille to lock down the server.
You then work on the client machines. Before you physically sit at each machine, you run a Nessus scan from your office. Bringing the results with you, you go to each machine and address any issues as identified in the Nessus scan, remove any unauthorized applications
D. The first thing you do is to run a Nessus scan against all the servers in the room, noting the findings of the scans. You then begin on the servers by running some tests on the Linux server. First, you run Tripwire on the entire system to ensure that there are no rogue Root accounts, and the test is positive. Second, you ensure that there are no unauthorized objects available through the network, and third you lock the system down with Bastille.
You then work on the Windows servers. You run a check to ensure there are no unauthorized administrator accounts, and there are not. You create a custom security template and implement the template on each server using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches.
Finally, you analyze the user's desktops. You go one by one through the network checking for added user accounts, and you find some. You remove these unauthorized accounts and check for software and applications. Again, you find some applications that are not allowed and you remove them. You check the systems for hardware changes, and address the issues that you find.
E. You begin by running a Nessus scan on each computer in the network, using the \hotfix switch to create a full report. The report identifies every vulnerability on each system and lists the specific changes you must make to each system to fix any found vulnerabilities.
You take the report to the server room and start with the Linux server. On the server, you run through the steps as outlined in the Nessus report, and end by locking the system using Bastille.
Then, you move to the Windows systems, again following the steps of the Nessus report, and ending by using the Security Configuration and Analysis Snap-In to implement the Gold Standard template on every server.
Finally, you proceed to each user workstation. At each user machine, you follow each step for each system, based on your report. Once you have addressed all the vulnerabilities in the systems, you run a quick Secedit scan on each system to ensure that they are all locked down and that proper encryption is configured.
正解：B

質問 2：
You finish the work you were doing in the morning, and head out to the monthly meeting. During this meeting, the Vice President of Strategic Partner Relations informs the group of some news, "we have decided that we need to implement a new web site that is for our strategic partners only. This site will be used for various purposes, but will primarily be used as a means of information exchange."
"So, is this going to be a private site?" asks Blue.
"Absolutely. We will not want any public users on this website. It's just for the people we identify in our Strategic Partner Program. I need those of you in security to be sure that this site is secure."
"We can take care of that. How many people do you think will be accessing the site?" asks Blue.
"Not too many, perhaps around fifty."
"So, is it correct to assume that you know each of these fifty people?"
"Yes, that is correct."
"OK, well this should not be too hard. Wel get working on this right away."
The meeting ends, and you and Blue chat more about the web site issue.
"Well, we know that only around fifty people are going to access the, and we know who these fifty are. This should not cause too many problems," Blue says.
"I agree. Do you think it will be all right to spend any money outside of the site itself?" you ask.
"Since we are dealing with so few people, that shouldn be a problem. However, we cannot go overboard. Go ahead and write up a plan for this and get it back to me in a day or two."
Based on your knowledge of GlobalCorp, choose the best solution to the web site security issue.}
A. You decide to use existing security technology of digital certificates and SSL to secure the site. You first install a new IIS server that will be the host of the web site. You then connect to the GlobalCorp CA for the executive building and request a new certificate for the web site.
You then configure the web site to Require a Secure Channel (SSL) and install the certificate. One you install the new certificate, you connect from the new server to the CA in each office where one or more of the fifty people that require access works. At that CA, you install the CA certificate, so that the new server will trust the certificates that each CA issues.
Next, you return to the configuration of the new web site. To make the site more secure, you require client certificates, and enable mappings for each user account. You call each user and ensure that they have a certificate from their own CA, which the new server now trusts. You walk them through the process of connecting to the site, and verify that secure access to them has been granted.
B. You decide to use digital certificates on smart cards to secure the web site. You will first install a new IIS web server to host the site. You then connect to the CA_SERVER and request a new certificate for the server. The server certificate will be used for authentication, and you have the certificate issued and stored on a portable USB drive.
You then configure a machine to function as the enrollment machine for smart cards. You are going to manage the smart cards yourself. At the machine that you are going to use for the smart cards, you first configure the system with an enrollment agent certificate from the CA_SERVER, and then you install the driver for the smart card reader.
Once the driver is installed, you make certificate requests for each of the fifty users. You start with the first user, by logging in to the CA and selecting the option to Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station radio button. You then select the Smartcard User template, and enter the user name. When prompted, you put a blank smart card in the reader and press the Enroll button, followed by entering the default PIN.
You then test access to the site from a remote machine using the smart card and PIN to be authenticated to the site. Once the test is complete, you write a short howto file and send it along with the smart card, smart card reader, and driver to each of the fifty users. You follow up with each user upon receipt to walk them through the configuration.
C. You decide that you will use freely available PGP certificates to secure access to the website. You will first install a new IIS web server to hose the site. You then configure one user account, with a strong password. You map this account as the only account that has access to the website.
You then log on locally, as this user account, to the server and create a public\private key pair. From that account you then send an outgoing email to all fifty users with the account private key. You finish the configuration of the website by making changes in the Security properties of the website.
In the Security properties, you select the Advanced tab. On the Advanced tab, you check the box to map this account to a local digital certificate, and you select the new certificate you just created.
Next, you contact each remote user and instruct them to open the email from you. You have them store the key they receive in their personal certificate store. To verify the install is correct, you walk them through the process of viewing their certificates in the MMC. Once verified, you have the user connect to the website, and enter the location of their certificate when asked for authentication credentials.
D. You decide to use strong authentication via biometrics, specifically fingerprint scanning to secure the web site. You will first install a new IIS web server to host the site. You then configure fifty user accounts for the remote users, and assign those accounts very strong passwords.
You then ship one biometric mouse and software to each remote client. You call each user and walk them through the process of configuration of their equipment. First, you tell them to create a matching user account with the same user name and very strong password as you used on the IIS server. You then have them install the software, which you instruct them to configure so that the biometric will be linked to the user account.
Once the software is installed, you instruct them to connect the mouse to their system and load the appropriate driver. With the driver installed, you tell them how to load the program and enroll their fingerprint. Once they have their fingerprint enrolled, and it is matched to their user account, you let them know that their side of the configuration is complete, and that you will call them shortly to finish the process.
You return to the configuration of the IIS server. In the Security properties of the website, you select the Advanced authentication tab. On the Advanced tab, you check the box for mapping user accounts to external biometric devices, and you check the box to allow the remote machine to control the mapping. You finish the configuration by configuring the site to use 128-bit RSA to encrypt the data between the client and the server.
With the server configuration done, you call the client back and have them log in using their biometric mouse. Once logged in, you instruct them to connect to the website and verify the secure site is running.
E. You decide that you will use digital certificates to secure the web site. You will first install a new private CA that the remote users can connect to and request their certificates. This CA will be protected with a very strong password. Each user will be given a user account to access the CA, also protected with a strong password.
Next, you install the new private web server. You then connect to the new CA and make a request for a certificate for the web site. Once you receive the certificate, you configure the web site to use the certificate to Require a Secure Channel (SSL). You then select the option to require client certificates, and you enable mapping for each user account.
Finally, you will call each person and instruct them on the process of connecting to the CA and requesting their certificate, which you will instruct them to store on their local machine. Once they have their certificate, you have them test access to the site, and when successful you move on to the next person.
正解：B

質問 3：
Now that you have a fully functioning CA hierarchy in each location, and that the trusted network is well underway, you are called in to meet with Orange. Orange comes into the room, and you talk to one another for a while. It seems that now with the CA hierarchy in place, you need to plan the certificate rollout for the individual users and computers in the network.
Since this is the executive building, Orange places higher security requirements here than on the other buildings. Certificates need to be issued to all the entities, computers and users, in the network. Orange has decided that for all senior level management, the process for certificate issuance should be even more secure than the rest of the deployment.
Based on this information, and you understanding of the GlobalCorp environment, choose the best solution to assigning certificates to the computers and users of the trusted network in the Executive building:}
A. You meet with the other administrators of the executive building and let them know what you are working on, and how they can help. You will first assign certificates to the computers in the network, followed by assigning certificates to the users in the network.
For this task, you divide the other administrators into four teams, one per floor of the building. Each team will be responsible for the assigning of certificates to the computers and users on the corresponding floor. To make the process faster, you have decided to install a new CA for each floor. The team leader on each floor will install and configure the CA, and you will oversee the process.
With the new CAs installed, one administrator from each team goes to each desk on the floor and makes a request for a certificate for the computer using Internet Explorer. Once the machine certificate is installed, the administrator has each user log on to their machine and the administrator walks the user through the process of connecting to the CA_SERVER\certsrv on their floor to request a user certificate.
To ensure the security of the senior level management, you lead the team on the fourth floor. You install the new CA yourself, and oversee the configuration of the certificates for every machine and user on the floor.
B. You meet with the other administrators of the executive building and let them know what you are working on, and how they can help. You will first assign certificates to the computers in the network. To make the process easier, you have decided to configure the network so that the computers will request certificates automatically. In order to do this you perform the following steps: 1.You open Active Directory Users and Computers 2.You use Group Policy to edit the domain policy that is controlling the executive building. 3.You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate request option. 4.In the template list, you select computer, and define CA as the location to send the request. 5.You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart.
Once you finishing setting up the computers to be assigned certificates, you shift your focus to all the users in the executive building. In order to have each user obtain a certificate you issue a memo (the actual memo goes into extreme detail on each step, even listing common questions and answers) to all users that instructs them to perform the following steps:
1.Log on to your computer as your normal user account
2.Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3.Select the option to Request A Certificate, and to choose a User Certificate Request type, then
submit the request.
4.When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management. For these people, you want the security to be
higher, so you select a different certificate scheme. By using a different scheme, you ensure that
there will be no possibility of other people in the building gaining access to the senior level
management accounts. For these accounts you utilize licensed PGP digital certificates that can be
used for both authentication and secure email. You personally show each manager how to create
and use their key ring, providing for very secure communication.
C. You meet with the other administrators of the executive building and let them know what you are working on, and how they can help. You will first assign certificates to the computers in the network. To make the process easier, you have decided to configure the network so that the computers will request certificates automatically. In order to do this you perform the following steps: 1.You open Active Directory Users and Computers 2.You use Group Policy to edit the domain policy that is controlling the executive building. 3.You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate request option. 4.In the template list, you select computer, and define CA as the location to send the request. 5.You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart.
Once you finishing setting up the computers to be assigned certificates, you shift your focus to all the users in the executive building. In order to have each user obtain a certificate you issue a memo (the actual memo goes into extreme detail on each step, even listing common questions and answers) to all users that instructs them to perform the following steps: 1.Log on to your computer as your normal user account 2.Open Internet Explorer, and to connect to the CA_SERVER\certsrv. 3.Select the option to Request A Certificate, and to choose a User Certificate Request type, then submit the request. 4.When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management. For these people, you want the security to be higher, so you select a stronger algorithm for their certificates. With all the other certificates, you used the default key strength and algorithms. However, the senior level management needs higher security. Therefore, you personally walk each person through the process of requesting a certificate; only you ensure that they select 1024-bit AES as their encryption algorithm.
D. You meet with the other administrators of the executive building and let them know what you are working on, and how they can help. You will first assign certificates to the computers in the network. To make the process easier, you have decided to configure the network so that the computers will request certificates automatically. In order to do this you perform the following
steps:
1.You open Active Directory Users and Computers
2.You use Group Policy to edit the domain policy that is controlling the executive building.
3.You expand Computer Configuration to Public Key Policies, and you click the Automatic
Certificate request option.
4.In the template list, you select computer, and define CA as the location to send the request.
5.You restart the computers that you can, and wait for the policy to refresh on the systems you
cannot restart.
Once you finishing setting up the computers to be assigned certificates, you shift your focus to the
users, except for the senior management, in the executive building. In order to have each user
obtain a certificate you issue a memo (the actual memo goes into extreme detail on each step,
even listing common questions and answers) to all users that instructs them to perform the
following steps:
1.Log on to your computer as your normal user account
2.Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3.Select the option to Request A Certificate, and to choose a User Certificate Request type, then
submit the request.
4.When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management in the building. For these people, you personally
go into their office and walk through the steps with each person.
1.The user logs on to the computer with their normal user account
2.You open the MMC and add the personal certificates snap-in
3.You right-click certificates and Request A New Certificate
4.The user fills in the requested information, and you verify this information.
5.You put the certificate request onto a USB drive, and take the request back to the CA.
6.You put the USB drive into the CA, manually process the request, and put the issued certificate
onto the USB drive.
7.You bring the USB drive back to each person, and manually import their new certificate
E. You meet with the other administrators of the executive building and let them know what you are working on, and how they can help. You will first assign certificates to the computers in the network. To make the process easier, you have decided to configure the network so that the computers will request certificates automatically. In order to do this you perform the following steps: 1.You open Active Directory Users and Computers 2.You use Group Policy to edit the domain policy that is controlling the executive building. 3.You expand Computer Configuration to Public Key Policies, and you click the Automatic Certificate request option. 4.In the template list, you select computer, and define CA as the location to send the request. 5.You restart the computers that you can, and wait for the policy to refresh on the systems you cannot restart.
Once you finishing setting up the computers to be assigned certificates, you shift your focus to all the users in the executive building. In order to have each user obtain a certificate you issue a memo (the actual memo goes into extreme detail on each step, even listing common questions and answers) to all users that instructs them to perform the following steps: 1.Log on to your computer as your normal user account 2.Open Internet Explorer, and to connect to the CA_SERVER\certsrv. 3.Select the option to Request A Certificate, and to choose a User Certificate Request type, then submit the request. 4.When the certificate is issued, click the Install This Certificate hyperlink on screen.
正解：D

質問 4：
You had been taking a short vacation, and when you come into work on Monday morning, Orange is already at your door, waiting to talk to you.
"We're got a problem," Orange says, "It seems that the password used by our Vice President of Engineering has been compromised. Over the weekend, we found this account had logged into the network 25 times. The Vice President was not even in the office over the weekend."
"Did we get the source of the compromise yet?"
"No, but it won't surprise me if it is our new neighbors at MassiveCorp. I need to you to come up with a realistic plan and bring it to me tomorrow afternoon. This problem must be resolved, and like everything else we do not have unlimited funds so keep that in mind."
Based on this information, choose the best solution to the password local authentication problem in the Executive building.}
A. Since you are aware of the significance of the password problems, you plan to address the
problem using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-
based authentication system.
2.You will install the RSA SecurID challenge-response token system.
3.You will create SecurID user records for each user to match their domain accounts.
4.You will assign each user record a unique token.
5.You will hand deliver the tokens to the correct executive.
6.Users will be required to use tokencodes from the One-Time tokencode list. The tokencodes will
be alphanumeric and will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.
B. Since you are aware of the significance of the password problems, you plan to address the
problem using technology. You write
up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a token-
based authentication system.
2.You will install the RSA SecurID time-based token system.
3.You will create SecurID user records for each user to match their domain accounts.
4.You will assign each user record a unique token.
5.You will hand deliver the tokens to the correct executive.
6.Users will be allowed to create their own PIN, which will be 4 characters long.
7.The tokens will replace all passwords for authentication into each user Windows system.
C. Since you are aware of the significance of the password problems, you plan to address the problem using technology. You write up a plan for Orange that includes the following points: 1.You will reconfigure the Testbed.globalcorp.org domain to control the password problem. 2.You will configure AD in this domain so that complex password policies are required. 3.The complex password policies will include:
a.Password length of at least 8 characters
b.Passwords must be alphanumeric
c.Passwords must meet Gold Standard of complexity
d.Passwords must be changed every 30 days
e.Passwords cannot be reused
D. Since you are aware of the significance of the password problems, and since you do not have unlimited funds, you plan to address this problem through education and through awareness. You write up a plan for Orange that includes the following points: 1.All end users are to be trained on the methods of making strong passwords 2.All end users are instructed that they are to change their password at a minimum of every 30 days. 3.The administrative staff is to run password-checking utilities on all passwords every 30 days. 4.All end users are to be trained on the importance of never disclosing their password to any other individual. 5.All end users are to be trained on the importance of never writing down their passwords where they are clearly visible.
E. Since you are aware of the significance of the password problems, plan to address the problem
using technology. You write up a plan for Orange that includes the following points:
1.For all executives you recommend no longer using passwords, and instead migrating to a
biometric solution.
2.You will install retinal scanners at every user desktop in the executive building.You will install
retinal scanners at every user? desktop in the executive building.2.You will install retinal scanners
at every user desktop in the executive building.You will install retinal scanners at every user?
desktop in the executive building.
3.You will personally enroll each user at each desktop.3.You will personally enroll each user at
each desktop.
4.You will instruct each user on the proper positioning and use of the scanner.4.You will instruct
each user on the proper positioning and use of the scanner.
5.The biometric system will replace all passwords for authentication into each user Windows
system.The biometric system will replace all passwords for authentication into each user?
Windows system.5.The biometric system will replace all passwords for authentication into each
user Windows system.The biometric system will replace all passwords for authentication into each
user? Windows system.
正解：B