1. What are the important Windows port numbers?
RDP – 3389 (Windows RDP / Remote Desktop port number)
FTP – 21 (File Transfer Protocol)
TFTP – 69 (TFTP port number)
Telnet – 23 (Telnet port number)
SMTP – 25 (SMTP port number)
DNS – 53 (DNS / Domain Name System port number)
DHCP – 68 (DHCP / Dynamic Host Configuration Protocol port number)
POP3 – 110 (Post Office Protocol 3 port)
HTTP – 80 (HTTP port number)
HTTPS – 443 (HTTPS port number)
NNTP – 119 (Network News Transfer Protocol port number)
NTP – 123 (NTP / Network Time Protocol / SNTP port number)
IMAP – 143 (Internet Message Access Protocol port number)
SSMTP – 465 (SMTP over SSL)
SIMAP – 993 (IMAP over SSL)
SPOP3 – 995 (POP3 over SSL)
Time – 123 (NTP / Network Time Protocol / SNTP port number)
NetBIOS – 137 (Name Service)
NetBIOS – 139 (Datagram Service)
DHCP Client – 546 (DHCP Client port number)
DHCP Server – 547 (DHCP Server port number)
Global Catalog – 3268 (Global Catalog port number)
LDAP – 389 (LDAP / Lightweight Directory Access Protocol port number)
RPC – 135 (Remote Procedure Call port number)
Kerberos – 88 (Kerberos port number)
SSH – 22 (SSH / Secure Shell port number)

2. How to check the tombstone lifetime value in your forest
The tombstone lifetime (TSL) value differs from OS to OS: for Windows Server 2000/2003 it is 60 days; in Windows Server 2003 SP1 the default TSL was increased from 60 days to 180 days; in Windows Server 2003 R2 it was decreased again to 60 days; in Windows Server 2003 R2 SP2 and Windows Server 2008 it is 180 days. If you migrate a Windows 2003 environment to Windows 2008 then it is 60 days. You can use the command below to check/view the current tombstone lifetime value for your domain/forest:
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,<forestDN>" -scope base -attr tombstonelifetime
Replace forestDN with your domain partition DN; for domainname.com the DN would be dc=domainname,dc=com.
Source: http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx

3. How to find the domain controller that contains the lingering object
If Strict Replication Consistency is enabled: lingering objects are not present on domain controllers that log Event ID 1988; the source domain controller contains the lingering object.
If Strict Replication Consistency is not enabled: lingering objects are not present on domain controllers that log Event ID 1388; the domain controller that does not log Event ID 1388 is the one that contains the lingering object. If you have 100 domain controllers without Strict Replication Consistency enabled, you will get Event ID 1388 on 99 of them, all except the one that contains the lingering object.
Remove the lingering objects from the affected domain controller, or decommission that domain controller. You can use the Event Comb tool (Eventcombmt.exe), a multi-threaded tool that gathers specific events from the Event Viewer logs of different computers at the same time. You can download it from the following location: http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96eeb18c4790cffd&DisplayLang=en

4. What are the Active Directory ports?
List of Active Directory ports for Active Directory replication and Active Directory authentication; these ports can be used to configure the firewall.
Active Directory replication – There is no defined port for Active Directory replication. Active Directory replication remote procedure calls (RPC) occur dynamically over an available port through RPCSS (RPC Endpoint Mapper) by using port 135.
File Replication Service (FRS) – There is no defined port for FRS. FRS replication over remote procedure calls (RPC) occurs dynamically over an available port by using RPCSS (RPC Endpoint Mapper) on port 135.
Other required ports for Active Directory:
TCP 53 – DNS (DNS download)
UDP 53 – DNS (DNS queries)
TCP 42 – WINS
UDP 42 – WINS
TCP 3389 – RDP (Remote Desktop)
TCP 135 – MS-RPC
TCP 1025 & 1026 – AD login & replication
TCP 389 – LDAP
TCP 639 – LDAP over SSL/TLS
TCP 3268 – Global Catalog
TCP 3268 – Global Catalog over SSL/TLS
UDP 137 & 138 – NetBIOS related
UDP 88 – Kerberos v5
TCP 445 – SMB, Microsoft-DS
TCP 139 – SMB

5. How to do Active Directory health checks?
As an administrator you have to check your Active Directory health daily to reduce Active Directory related issues. If you are not monitoring the health of your Active Directory, what will happen? Let's say one of the domain controllers fails to replicate. On the first day you will not have any issue. If this continues you will have login issues, and you will not see the object changes and new objects that were created or changed on other domain controllers; this will lead to other issues. If the domain controller has not replicated for more than 60 days it will lead to a lingering object issue.
Command to check replication to all the DCs (through this we can check Active Directory health):
Repadmin /replsum /bysrc /bydest /sort:delta
You can also save the command output to a text file by using the command below:
Repadmin /replsum /bysrc /bydest /sort:delta >>c:\replication_report.txt
This will list the domain controllers that are failing to replicate, with the delta value. You can run this daily to check your Active Directory health.

6. GPRESULT failed with access denied error
Unable to get the result from gpresult on a Windows 2003 server: gpresult returns access denied errors, although you are able to update Group Policy without issue. Run the following commands to re-register userenv.dll and recompile the RSoP MOF file, to resolve the access denied error when running gpresult:
1. Open a cmd prompt
2. Re-register userenv.dll: Regsvr32 /n /i c:\winnt\system32\userenv.dll
3. cd c:\windows\system32\wbem
4. Mofcomp scersop.mof
5. Gpupdate /force
6. Gpresult
Now you are able to run gpresult without error, and no server reboot is required for this procedure.

7. What is the command to find out the site name for a given DC?
dsquery server NYDC01 -site
(domain controller name = NYDC01)

8. Command to find all DCs in a given site
Command to find all the domain controllers in the "Default-First-Site-Name" site:
dsquery server -o rdn -site Default-First-Site-Name
(site name = Default-First-Site-Name)

9. How many types of queries does DNS do?
Iterative query
Recursive query
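To turn the daily Repadmin /replsum check from question 5 into an automated health report, here is an added Python example that is not from the original page. It parses a constructed sample of /replsum output, flags domain controllers with failing replication links, and flags any whose largest replication delta has reached the tombstone lifetime from question 2, which is the condition under which lingering objects start to appear. The DC names, deltas and error texts in the sample are invented, and the line layout is modelled on repadmin's summary tables; compare it with your own saved report before relying on the regular expression.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of "Repadmin /replsum /bysrc /bydest /sort:delta" output.
# The DC names, deltas and error texts are invented for this example.
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2024-01-15 06:00:12

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 NYDC01                    12m:05s    0 /   5    0
 NYDC03                 2d.03h:10m    1 /   4   25  (1722) The RPC server is unavailable.
 LADC01                  >60 days     5 /   5  100  (8606) Insufficient attributes were given to create an object.

Destination DSA     largest delta    fails/total %%   error
 NYDC01                    12m:05s    0 /   5    0
 LADC01                  >60 days     5 /   5  100  (8606) Insufficient attributes were given to create an object.
"""

# Tombstone lifetime for the forest; take the real value from the dsquery in question 2.
TOMBSTONE_LIFETIME_DAYS = 60

# One summary row: DSA name, largest delta, fails/total, percentage, optional "(code) text" error.
ROW_RE = re.compile(
    r"^\s+(?P<dsa>\S+)\s+(?P<delta>\S+(?: days)?)\s+"
    r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+(?P<pct>\d+)"
    r"(?:\s+(?P<error>\(\d+\).*))?\s*$"
)


@dataclass
class ReplRow:
    section: str      # "source" or "destination"
    dsa: str
    delta: str
    fails: int
    total: int
    error: str


def delta_to_seconds(delta: str) -> int:
    """Convert repadmin's largest-delta text ("12m:05s", "2d.03h:10m", ">60 days") to seconds."""
    if delta.startswith(">"):
        return int(delta[1:].split()[0]) * 86400
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms])", delta))


def parse_replsum(text: str) -> list:
    """Extract the rows of the Source DSA and Destination DSA tables."""
    rows, section = [], None
    for line in text.splitlines():
        if line.startswith("Source DSA"):
            section = "source"
            continue
        if line.startswith("Destination DSA"):
            section = "destination"
            continue
        m = ROW_RE.match(line)
        if section and m:
            rows.append(ReplRow(section, m["dsa"], m["delta"], int(m["fails"]),
                                int(m["total"]), (m["error"] or "").strip()))
    return rows


def health_report(rows, tombstone_days=TOMBSTONE_LIFETIME_DAYS) -> dict:
    """Map each unhealthy DC to its problems: failing links, or a largest delta at or past
    the tombstone lifetime (the point at which lingering objects become possible)."""
    findings = {}
    for r in rows:
        problems = []
        if r.fails:
            problems.append(f"{r.fails}/{r.total} {r.section} links failing {r.error}".rstrip())
        if delta_to_seconds(r.delta) >= tombstone_days * 86400:
            problems.append(f"largest delta {r.delta} reaches the tombstone lifetime: lingering-object risk")
        if problems:
            findings.setdefault(r.dsa, set()).update(problems)
    return {dsa: sorted(p) for dsa, p in findings.items()}


if __name__ == "__main__":
    for dsa, problems in health_report(parse_replsum(SAMPLE_REPLSUM)).items():
        print(dsa)
        for p in problems:
            print("  -", p)
```

To run it against the file from question 5, pass `open(r"c:\replication_report.txt").read()` to `parse_replsum`, and set the threshold to the number the dsquery in question 2 returns for your forest.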
http://www.techiebird.com/windowshome.html
1. What are some of the new tools and features provided by Windows Server 2008? Windows Server 2008 now provides a desktop environment similar to Microsoft Windows Vista and includes tools also found in Vista, such as the new backup snap-in and the BitLocker drive encryption feature. Windows Server 2008 also provides the new IIS7 web server and the Windows Deployment Service.
2. What are the different editions of Windows Server 2008? The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a platform for large enterprise-wide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.
3. What two hardware considerations should be an important part of the planning process for a Windows Server 2008 deployment? Any server on which you will install Windows Server 2008 should have at least the minimum hardware requirement for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating system incompatibility.
4. What are the options for installing Windows Server 2008? You can install Windows Server 2008 on a server not currently configured with a NOS, or you can upgrade existing servers running Windows 2000 Server and Windows Server 2003.
5. How do you configure and manage a Windows Server 2008 core installation? This stripped-down version of Windows Server 2008 is managed from the command line.
6. Which Control Panel tool enables you to automate the running of server utilities and other applications? The Task Scheduler enables you to schedule the launching of tools such as Windows Backup and Disk Defragmenter.
7. What are some of the items that can be accessed via the System Properties dialog box? You can access virtual memory settings and the Device Manager via the System Properties dialog box.
8. When a child domain is created in the domain tree, what type of trust relationship exists between the new child domain and the tree's root domain? Child domains and the root domain of a tree are assigned transitive trusts. This means that the root domain and child domain trust each other and allow resources in any domain in the tree to be accessed by users in any domain in the tree.
9. What is the primary function of domain controllers? The primary function of domain controllers is to validate users to the network. However, domain controllers also provide the catalog of Active Directory objects to users on the network.
10. What are some of the other roles that a server running Windows Server 2008 could fill on the network? A server running Windows Server 2008 can be configured as a domain controller, a file server, a print server, a web server, or an application server. Windows servers can also have roles and features that provide services such as DNS, DHCP, and Routing and Remote Access.
11. Which Windows Server 2008 tools make it easy to manage and configure a server's roles and features?
The Server Manager window enables you to view the roles and features installed on a server and also to quickly access the tools used to manage these various roles and features. The Server Manager can be used to add and remove roles and features as needed.
12. What Windows Server 2008 service is used to install client operating systems over the network? Windows Deployment Services (WDS) enables you to install client and server operating systems over the network to any computer with a PXE-enabled network interface.
13. What domain services are necessary for you to deploy the Windows Deployment Services on your network? Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.
14. How is WDS configured and managed on a server running Windows Server 2008? The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server.
15. What is the difference between a basic and dynamic drive in the Windows Server 2008 environment? A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple volumes). Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.
16. What is RAID in Windows Server 2008? RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into your file servers. RAID enables you to combine one or more volumes on separate drives so that they are accessed by a single drive letter. Windows Server 2008 enables you to configure RAID 0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).
17. What conceptual model helps provide an understanding of how network protocol stacks such as TCP/IP work? The OSI model, consisting of the application, presentation, session, transport, network, data link, and physical layers, helps describe how data is sent and received on the network by protocol stacks.
18. What protocol stack is installed by default when you install Windows Server 2008 on a network server? TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory implementations and provides for connectivity on heterogeneous networks.
19. How is a server running Windows Server 2008 configured as a domain controller, such as the domain controller for the root domain or a child domain? Installing the Active Directory on a server running Windows Server 2008 provides you with the option of creating a root domain for a domain tree or of creating child domains in an existing tree. Installing Active Directory on the server makes the server a domain controller.
20. What are some of the tools used to manage Active Directory objects in a Windows Server 2008 domain? When the Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups. The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains.
The Active Directory Sites and Services snap-in provides for the management of domain sites and subnets.
21. How are domain user accounts created and managed? The Active Directory Users and Computers snap-in provides the tools necessary for creating user accounts and managing account properties. Properties for user accounts include settings related to logon hours, the computers to which a user can log on, and the settings related to the user's password.
22. What type of Active Directory objects can be contained in a group? A group can contain users, computers, contacts, and other nested groups.
23. What type of group is not available in a domain that is running at the mixed-mode functional level? Universal groups are not available in a mixed-mode domain. The functional level must be raised to Windows 2003 or Windows 2008 to make these groups available.
24. What types of Active Directory objects can be contained in an Organizational Unit? Organizational Units can hold users, groups, computers, contacts, and other OUs. The Organizational Unit provides you with a container directly below the domain level that enables you to refine the logical hierarchy of how your users and other resources are arranged in the Active Directory.
25. What are Active Directory sites in Windows Server 2008? Active Directory sites are physical locations on the network's physical topology. Each regional domain that you create is assigned to a site. Sites typically represent one or more IP subnets that are connected by IP routers. Because sites are separated from each other by a router, the domain controllers on each site periodically replicate the Active Directory to update the Global Catalog on each site segment.
26. Can servers running Windows Server 2008 provide services to clients when they are not part of a domain? Servers running Windows Server 2008 can be configured to participate in a workgroup. The server can provide some services to the workgroup peers but does not provide the security and management tools provided to domain controllers.
27. What does the use of Group Policy provide you as a network administrator? Group Policy provides a method of controlling user and computer configuration settings for Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular container, and then individual policies and administrative templates are enabled to control the environment for the users or computers within that particular container.
28. What tools are involved in managing and deploying Group Policy? GPOs and their settings, links, and other information such as permissions can be viewed in the Group Policy Management snap-in.
29. How do you deal with Group Policy inheritance issues? GPOs are inherited down through the Active Directory tree by default. You can block the inheritance of settings from upline GPOs (for a particular container such as an OU or a local computer) by selecting Block Inheritance for that particular object. If you want to enforce a higher-level GPO so that it overrides directly linked GPOs, you can use the Enforce command on the inherited (or upline) GPO.
30. How can you make sure that network clients have the most recent Windows updates installed and have other important security features such as the Windows Firewall enabled before they can gain full network access? You can configure a Network Policy Server (a service available in the Network Policy and Access Services role). The Network Policy Server can be configured to compare desktop client settings with health validators to determine the level of network access afforded to the client.
31. What is the purpose of deploying local DNS servers?
A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because the DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.
32. In terms of DNS, what is a caching-only server? A caching-only DNS server supplies information related to queries based on the data it contains in its DNS cache. Caching-only servers are often used as DNS forwarders. Because they are not configured with any zones, they do not generate network traffic related to zone transfers.
33. How is the range of IP addresses defined for a Windows Server 2008 DHCP server? The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can be included in an exclusion range.
Web Security Interview Questions [DOC] By Ryan Barnett The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who are applying for web security related positions. These questions do not have right or wrong answers, but rather spark relevant conversation between the applicant and the hiring staff.
Entry Level Questions
1. What do you see as the most critical and current threats affecting Internet accessible websites?
Goal of question: To gauge the applicant's knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).
2. What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?
Goal of question: Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web-based worms (PHP Santy Worm) or applications which are in wide use (awstats scripts) are acceptable.
3. What do you see as challenges to successfully deploying/monitoring web intrusion detection?
Goal of question: We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:
Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
Proper logging: increasing the verboseness of logging (Mod_Security audit_log)
Remote centralized logging
Alerting mechanisms
Updating signatures/policies
4. What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?
Goal of question: This question will determine if the applicant is well versed in the terminology used in web security. The applicant needs to be able to articulate highly technical topics to a wide audience. The second question will help to verify that the applicant fully understands how XSS attacks work and the impact to client information. WASC has a web security glossary of terms that may be of help: http://www.webappsec.org/glossary.html
Cross-Site Scripting (acronym XSS): An attack technique that forces a web site to echo client-supplied data, which executes in a user's web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc.). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client. The web server is merely used as a conduit for the XSS data to be presented to the end client. See also "Client-Side Scripting".
5. What are the most important steps you would recommend for securing a new web server? Web application?
Goal of question: Once again, there is no right or wrong answer; however, we are interested in what the applicant views as important.
Web Server Security:
Update/Patch the web server software
Minimize the server functionality: disable extra modules
Delete default data/scripts
Increase logging verboseness
Update permissions/ownership of files
Web Application Security:
Make sure input validation is enforced within the code – security QA testing
Configure the application to display generic error messages
Implement a software security policy
Remove or protect hidden files and directories
How do you change your DNS settings in Linux/Windows? Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world, then you're likely working with someone very junior or otherwise highly abstracted from the real world.
What's the difference between encoding, encryption, and hashing? Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn't primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.
Who do you look up to within the field of Information Security? Why? A standard question type. All we're looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If they don't know anyone in Security, we'll consider closely what position you're hiring them for. Hopefully it isn't a junior position.
Where do you get your security news from? Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that he doesn't respond with, "I go to the CNET website.", or, "I wait until someone tells me about events.". It's these types of answers that will tell you he's likely not on top of things.
If you had to both encrypt and compress data during transmission, which would you do first, and why? If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: "Compress then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression."
What's the difference between symmetric and public-key cryptography? Standard stuff here: single key vs. two keys, etc., etc.
In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function? You encrypt with the other person's public key, and you sign with your own private key. If they confuse the two, don't put them in charge of your PKI project.
What kind of network do you have at home? Good answers here are anything that shows you he's a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he's got multiple systems running multiple operating systems you're probably in good shape. What you don't want to hear is, "I get enough computers when I'm at work..." I've yet to meet a serious security guy who doesn't have a considerable home network, or at least access to one, even if it's not at home.
Network Security
What port does ping work over? A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn't work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.
How exactly does traceroute/tracert work at the protocol level? This is a fairly technical question but it's an important concept to understand. It's not natively a "security" question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.
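The compress-then-encrypt answer given above can be checked directly. The following Python is an added example and not part of the original article: it processes a constructed, highly repetitive HTTP log with zlib in both orders and compares the sizes. The stream cipher is a toy counter-mode construction over SHA-256 so that the example runs with the standard library alone; it stands in for a real AEAD and is not a cipher to deploy.

```python
import hashlib
import os
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from SHA-256. It is here only so the example
    runs with the standard library; a real system would use an AEAD such as AES-GCM.
    XOR with the same keystream both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Redundancy is still present when the compressor sees the data.
    return keystream_xor(key, nonce, zlib.compress(plaintext, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Ciphertext looks random, so the compressor finds nothing to remove.
    return zlib.compress(keystream_xor(key, nonce, plaintext), 9)


def compare_sizes(key: bytes, nonce: bytes, plaintext: bytes) -> dict:
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, plaintext)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, plaintext)),
    }


# Constructed sample: repetitive, highly compressible text in the shape of an HTTP log.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n" * 200

if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(16)
    for name, size in compare_sizes(key, nonce, SAMPLE).items():
        print(f"{name:>24}: {size} bytes")
```

Encrypting first yields output at least as large as the plaintext (zlib falls back to stored blocks on incompressible input), while compressing first shrinks this sample by well over an order of magnitude before the bytes are encrypted.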
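As an added illustration of the protocol-level mechanism (not from the original article), the Python below models traceroute over a constructed four-hop path: every probe is addressed to the final destination, only the TTL increases, and each transit router answers with ICMP Time Exceeded when it decrements the TTL to zero. The probe kind models the Windows/Linux difference, tracert sending ICMP echo requests and traceroute sending UDP to an unused high port, so the destination's own reply differs. The addresses are documentation-range placeholders and the path is an assumption of the example.

```python
from dataclasses import dataclass

# Constructed path: three transit routers followed by the destination host.
PATH = ["10.0.0.1", "192.0.2.1", "198.51.100.7", "203.0.113.9"]


@dataclass
class Probe:
    dst: str    # every probe is addressed to the final destination
    ttl: int
    kind: str   # "icmp-echo" (Windows tracert default) or "udp" (Linux traceroute default)


def forward(probe: Probe, path: list) -> tuple:
    """Each transit router decrements the TTL; the router at which it reaches 0 discards the
    probe and sends ICMP Time Exceeded. A probe that survives reaches the destination."""
    ttl = probe.ttl
    for router in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return router, "ICMP time exceeded"
    if probe.kind == "icmp-echo":
        return path[-1], "ICMP echo reply"          # tracert: the echo request is answered
    return path[-1], "ICMP port unreachable"         # traceroute: UDP to an unused high port


def traceroute(dst: str, path: list, kind: str = "udp", max_hops: int = 30) -> list:
    """Send probes to dst with TTL 1, 2, 3, ... until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = Probe(dst=dst, ttl=ttl, kind=kind)
        responder, reply = forward(probe, path)
        hops.append({"ttl": ttl, "sent_to": probe.dst, "responder": responder, "reply": reply})
        if responder == dst:
            break
    return hops


if __name__ == "__main__":
    for hop in traceroute(PATH[-1], PATH, kind="icmp-echo"):
        print(f"{hop['ttl']:>2}  sent to {hop['sent_to']}  answered by {hop['responder']}  ({hop['reply']})")
```

The `sent_to` column is the same on every line; only the responder changes, which is the point the next paragraph makes.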
The key point people usually miss about traceroute is that each packet that's sent out doesn't go to a different place. Many people think that it first sends a packet to the first hop, gets a time, then sends a packet to the second hop, gets a time, and keeps going until it gets done. That's incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that's used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
What are Linux's strengths and weaknesses vs. Windows? Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.
Cryptographically speaking, what is the main method of building a shared secret over a public medium?
Diffie-Hellman. And if they get that right you can follow up with the next one.
What's the difference between Diffie-Hellman and RSA? Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.
What kind of attack is a standard Diffie-Hellman exchange vulnerable to? Man-in-the-middle, as neither side is authenticated.
Application Security
Describe the last program or script that you wrote. What problem did it solve? All we want to see here is if the color drains from the guy's face. If he panics then we not only know he's not a programmer (not necessarily bad), but that he's afraid of programming (bad). I know it's controversial, but I think that any high-level security guy needs some programming skills. They don't need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.
How would you implement a secure login field on a high traffic website where performance is a consideration? We're looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPS, and how they'd recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they've never seen or heard of this problem, which means they're not likely to be anything near pro level.
What is Cross-Site Request Forgery? Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).
How does one defend against CSRF? Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert level dissertation on the subject. Adjust expectations according to the position you're hiring for.
If you were a site administrator looking for incoming CSRF attacks, what would you look for? This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we already implement nonces?", or, "That depends on whether we already have controls in place..." Undesired answers are things like checking referrer headers, or wild panic.
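For the Diffie-Hellman questions above, the following Python is an added example (not from the original article) that runs the exchange with both sides' messages. It uses a toy 127-bit prime so that it runs instantly; with an unauthenticated channel on which the public values are replaced in transit, Alice and Bob end up holding different keys and nothing tells them, which is the man-in-the-middle point. Adding an authentication tag over each public value (an HMAC under a key both sides trust stands in for a signature or certificate) makes the substitution detectable. The group parameters, the `substitute` function and the key names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy group: p = 2**127 - 1 is prime but far too small for real use; real deployments
# use a standardized group of at least 2048 bits (for example RFC 3526 group 14).
P = 2**127 - 1
G = 5


def dh_keypair() -> tuple:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    # Both sides compute the same g**(ab) mod p and hash it into a session key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def auth_tag(auth_key: bytes, pub: int) -> bytes:
    # Stands in for the signature/certificate that authenticates a public value.
    return hmac.new(auth_key, pub.to_bytes(16, "big"), "sha256").digest()


def run_exchange(tamper=None, auth_key=None) -> tuple:
    """Run a DH exchange between Alice and Bob. `tamper` models an unauthenticated
    channel on which the public values can be replaced in transit; `auth_key` models
    an authentication mechanism both sides trust. Returns (alice_key, bob_key, detected)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg = (a_pub, auth_tag(auth_key, a_pub) if auth_key else None)  # Alice -> Bob
    b_msg = (b_pub, auth_tag(auth_key, b_pub) if auth_key else None)  # Bob -> Alice
    if tamper:
        a_msg = (tamper(a_msg[0]), a_msg[1])
        b_msg = (tamper(b_msg[0]), b_msg[1])
    detected = False
    if auth_key:
        # Each side checks the tag on the value it received before using it.
        for pub, tag in (a_msg, b_msg):
            if not hmac.compare_digest(tag, auth_tag(auth_key, pub)):
                detected = True
    alice_key = dh_shared(a_priv, b_msg[0])
    bob_key = dh_shared(b_priv, a_msg[0])
    return alice_key, bob_key, detected


def substitute(pub: int) -> int:
    # Models the channel replacing the genuine public value with one of its own.
    return pow(G, 424242, P)


if __name__ == "__main__":
    a, b, d = run_exchange()
    print("honest exchange, keys match:", a == b)
    a, b, d = run_exchange(tamper=substitute)
    print("substituted values, keys match:", a == b, "detected:", d)
    a, b, d = run_exchange(tamper=substitute, auth_key=b"shared-auth-key")
    print("substituted values with authentication, detected:", d)
```

The unauthenticated run is the one the question is about: the protocol completes, both parties believe they have a shared secret, and only the authentication step turns the silent failure into a detected one.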
What's the difference between HTTP and HTML? Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you're looking for is for him not to panic.
How does HTTP handle state? It doesn't, of course. Not natively. Good answers are things like "cookies", but the best answer is that cookies are a hack to make up for the fact that HTTP doesn't do it itself.
What exactly is Cross Site Scripting? You'd be amazed at how many security people don't know even the basics of this immensely important topic. We're looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.
What's the difference between stored and reflected XSS? Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site.
What are the common defenses against XSS? Input Validation/Output Sanitization, with focus on the latter.
Corporate/Risk
What's the goal of information security within an organization? This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. "To control access to information as much as possible, sir!" While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, "To help the organization succeed." This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.
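The CSRF defence and the XSS defence from the answers above, as one added Python example that is not from the original article: a minimal session-backed request handler in which the logout action requires POST plus a per-session token (so the `<img src=...>` request from the CSRF answer is refused), and a profile renderer that output-encodes a display name whether it arrived in the request (reflected) or from storage (stored). The in-memory session store, the routes and the constructed test input are assumptions of the example.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# In-memory session store: session id -> {"user": ..., "csrf": per-session token}.
SESSIONS = {}


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def logout_form(sid: str) -> str:
    """The page that legitimately offers logout embeds the session's token as a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/logout">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<button>Log out</button></form>')


def handle(method: str, path: str, cookie_sid: str, body: str = "") -> tuple:
    """Minimal request handler. State-changing actions require POST plus a valid token, so a
    request the browser issues on its own (an <img src="/logout"> on another site, which can
    only GET and carries no token) is refused even though the session cookie is attached."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    if path == "/logout":
        if method != "POST":
            return 405, "logout requires POST"
        token = parse_qs(body).get("csrf", [""])[0]
        if not hmac.compare_digest(token, session["csrf"]):
            return 403, "missing or invalid CSRF token"
        del SESSIONS[cookie_sid]
        return 200, "logged out"
    return 404, "not found"


def render_profile(display_name: str, escape: bool = True) -> str:
    """Output encoding for XSS: `display_name` may come from a request parameter (reflected)
    or from the database (stored); either way it is escaped before being placed in HTML.
    escape=False shows the vulnerable rendering for comparison only."""
    shown = html.escape(display_name, quote=True) if escape else display_name
    return f"<h1>Profile of {shown}</h1>"


if __name__ == "__main__":
    sid = new_session("alice")
    print(handle("GET", "/logout", sid))                         # what an <img> tag could trigger
    print(handle("POST", "/logout", sid, "csrf=guess"))
    print(handle("POST", "/logout", sid, "csrf=" + SESSIONS[sid]["csrf"]))
    test_input = "<script>alert(1)</script>"                    # constructed test input
    print(render_profile(test_input))
    print(render_profile(test_input, escape=False))
```

The token is compared with `hmac.compare_digest` rather than `==` so that the check runs in constant time, and it is tied to the session rather than global, which is what makes it a nonce the forging site cannot know.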
What's the difference between a threat, vulnerability, and a risk? As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent. If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]
We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What's being logged and audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation. As a corporate Information Security professional, what's more important to focus on: threats or vulnerabilities? This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats. Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date. Both are true, of course; the key is to hear what they have to say on the matter. The Onion Model The questions above are fairly straightforward. They are, generally, negative filters, i.e. they're designed to exclude candidates for having glaring weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model. The Onion Model of interviewing starts at the surface level and then dives deeper and deeper, often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate's knowledge stops, but also how they deal with not knowing something.
One component of this cannot be overstated: Using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question. An example of this would be starting with: How does traceroute work? They get this right, so you go to the next level. What protocol does it use? This is a trick question, as it can use lots of options, depending on the tool (UDP probes in the classic Unix tool, ICMP Echo in Windows tracert, TCP in some variants). Then you move on. Describe a Unix traceroute hitting google.com at all seven layers of the OSI model. Etc. It's deeper and deeper exploration of a single question. Here's a similar option for the end-phase of such a question. If I'm on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC in order to complete a traceroute to twitter.com?
The key here is that they need to factor in all layers: Ethernet (ARP for the gateway), IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee. This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, "What happens when I go to Google.com?" How would you build the ultimate botnet? Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, "I don't make them; I stop them." Role-Playing as an Alternative to the Onion Model Another option for going to increasing depth is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable. You would tell them, for example, that they've been called in to help a client who's received a call from their ISP stating that one or more computers on their network have been compromised. And it's their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. "I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8?" And you can then say yes or no, etc. From there they continue troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity. Conclusion For more on hiring overall, I recommend doing a good amount of research. Most important to learn, as I talked about above, is the limitations of interviews.
Use other data available to you whenever possible, and above everything else: Be extremely cautious of anyone who thinks they can spot "the one" because they're good at it. Bias is a major problem in interviewing, and it's likely that someone with a steadfast belief in his or her interview brilliance is doing harm to your organization by introducing bad candidates. When possible, do what Google did: Explore the data. Look at how candidates did in interviews relative to how they did on the job. Wherever you have mismatches you have a problem with your process. Feel free to contact me if you have any comments on the questions, or if you have any ideas for additions.
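For the traceroute questions in the Onion Model section above ("How does traceroute work?" and "How many packets must leave my NIC?"), here is an added example, not from the original post, that models the exchange layer by layer over a constructed four-hop path: an ARP request for the gateway (the cable was just plugged in, so nothing is cached), a DNS query, then three UDP probes per TTL as the classic Unix tool sends them, with each router answering ICMP Time Exceeded until the destination answers ICMP Port Unreachable. The path addresses and the hop count are assumptions; a real run would add a reverse-DNS (PTR) query per hop unless `-n` is used, possibly an AAAA lookup, and retransmissions.

```python
# Constructed path: laptop -> gateway -> two transit routers -> the destination host.
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1", "203.0.113.254"]   # last entry = destination
DEST_NAME = "twitter.com"
PROBES_PER_TTL = 3          # default for Unix traceroute


class Wire:
    """Records every frame that leaves the laptop's NIC (replies are not counted)."""
    def __init__(self):
        self.frames_out = []

    def send(self, layer, summary):
        self.frames_out.append((layer, summary))


def arp_resolve_gateway(wire):
    """Layer 2: before any IP packet can go off-link we need the gateway's MAC."""
    wire.send("ARP", "who-has 192.0.2.1 (broadcast)")
    return "gw-mac"


def dns_lookup(wire, name):
    """Layer 7 over UDP/53: the answer comes back in the reply, which is inbound."""
    wire.send("UDP/53", f"A? {name}")
    return PATH[-1]


def udp_probe(wire, ttl, dst):
    """Send PROBES_PER_TTL UDP datagrams to an unlikely high port with this TTL.

    The router at hop `ttl` decrements the TTL to zero and sends back
    ICMP Time Exceeded; the destination host has no listener on the port and
    sends ICMP Port Unreachable, which tells traceroute it is done."""
    for _ in range(PROBES_PER_TTL):
        wire.send("UDP", f"ttl={ttl} dst={dst} dport=33434+")
    hop = PATH[ttl - 1] if ttl <= len(PATH) else None
    reply = "ICMP port unreachable" if hop == dst else "ICMP time exceeded"
    return hop, reply


def traceroute(wire, name, max_ttl=30):
    arp_resolve_gateway(wire)
    dst = dns_lookup(wire, name)
    hops = []
    for ttl in range(1, max_ttl + 1):
        hop, reply = udp_probe(wire, ttl, dst)
        hops.append((ttl, hop, reply))
        if reply == "ICMP port unreachable":
            break
    return hops


def count_frames(name=DEST_NAME):
    """Return (frames that left the NIC, per-hop results) for one traceroute."""
    wire = Wire()
    hops = traceroute(wire, name)
    return len(wire.frames_out), hops


if __name__ == "__main__":
    total, hops = count_frames()
    for ttl, hop, reply in hops:
        print(f"{ttl:>2}  {hop:<15} {reply}")
    print(f"{total} frames left the NIC (1 ARP + 1 DNS + {len(hops)} hops x {PROBES_PER_TTL} probes)")
```

The arithmetic is the easy part; the interview value is in the candidate enumerating the ARP and DNS traffic and the per-hop ICMP replies before they get to it.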
Information Security Interview Questions Posted: May 8, 2013 in InfoSec Tags: interview question and answers, web application security The number of Information Security related jobs is growing extensively. There is a huge requirement for skilled InfoSec professionals across the globe; positions are available for freshers, experienced people and top management (typically CISO etc.). This post is my attempt to collect typical InfoSec interview questions and answers to help those looking for opportunities in this field. I'll keep updating the questions regularly. You can also share/contribute any questions you might have faced during your InfoSec interviews. Category I: General Security Concepts / Network Security / OS Security 1) Is there any difference between Information Security and IT Security? If yes, please explain the difference. Ans- Yes. Information Security and IT Security are different terms that are often used interchangeably. IT Security focuses on purely technical controls (like implementing antivirus, firewalls, hardening systems etc.) while Information Security is a wider term which implies securing "information" as an asset in any form (e.g. shredding paper documents to prevent dumpster diving). So IT Security can be considered a subset of Information Security. 2) What is the difference between Encoding, Encryption and Hashing? Ans- At a very high level, all three terms might appear to be similar and people often confuse them. But each technique is distinct and has a different use case. The purpose of encoding is to transform data so that it can be properly (and safely) consumed by a different type of system, e.g. binary data being sent over email, or viewing special characters on a web page. The goal is not to keep information secret, but rather to ensure that it's able to be properly consumed. It does not require a key, as the only thing required to decode it is the algorithm that was used to encode it.
Examples: ASCII, Unicode, URL Encoding, Base64. The purpose of encryption is to transform data in order to keep it secret from others. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. Examples: AES, Blowfish, RSA. The purpose of hashing is to take arbitrary input and produce a fixed-length string that has the following attributes:
1. The same input will always produce the same output.
2. Multiple disparate inputs should not produce the same output.
3. It should not be possible to go from the output to the input.
4. Any modification of a given input should result in a drastic change to the hash.
Examples: MD5, SHA-1, SHA-2 etc. (MD5 and SHA-1 no longer satisfy attribute 2 in practice, since collisions can be computed for both; use SHA-2 or SHA-3 for new work.) Hashing is often used in computer forensics to verify the integrity of digital evidence. 3) What is the difference between proxy, firewall, IDS and IPS? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity.
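The encoding-versus-hashing distinction and the four hashing attributes above, as an added example that is not part of the original post. It shows Base64 round-tripping with no key at all, checks SHA-256 against the published test vector for "abc", measures the avalanche effect (attribute 4) as the number of digest bits that flip for a one-byte change, and ends with the forensic integrity check the text mentions. Attribute 3 (one-wayness) cannot be demonstrated by running code, only assumed of the algorithm. Encryption is omitted here because Python's standard library has no AES; the inputs are constructed.

```python
import base64
import hashlib
import hmac

# Published SHA-256 test vector for the input "abc".
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def encode_roundtrip(data: bytes):
    """Encoding: reversible by anyone, no key involved. Base64 maps arbitrary
    bytes onto printable ASCII so they survive e-mail and other text channels."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded, base64.b64decode(encoded)


def digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def hamming_distance_hex(a: str, b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def hashing_properties(a: bytes, b: bytes) -> dict:
    """Exercise attributes 1, 2 and 4 from the text on two inputs that differ."""
    h_a, h_a_again, h_b = digest(a), digest(a), digest(b)
    return {
        "deterministic": h_a == h_a_again,              # 1. same input, same output
        "distinct": h_a != h_b,                          # 2. different inputs, different output
        "digest_bits": len(h_a) * 4,                     # 256 regardless of input length
        "bits_changed": hamming_distance_hex(h_a, h_b),  # 4. avalanche: about half of 256
    }


def verify_evidence(image: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Forensic integrity check: the hash of the acquired image must equal the
    value recorded at acquisition time. Constant-time compare avoids leaking
    a prefix match if the expected value ever comes from an untrusted party."""
    return hmac.compare_digest(digest(image, algo), expected_hex)


if __name__ == "__main__":
    enc, dec = encode_roundtrip(b"\x00\xffhi")
    print("base64:", enc, "-> back to", dec, "(no key needed)")
    print("sha256('abc') matches test vector:", digest(b"abc") == SHA256_ABC)
    print("one-byte change 'abc' -> 'abd':", hashing_properties(b"abc", b"abd"))
    print("10 KiB vs 10 KiB + 1 byte:", hashing_properties(b"a" * 10240, b"a" * 10241))
    print("evidence intact:", verify_evidence(b"abc", SHA256_ABC),
          "tampered:", verify_evidence(b"abd", SHA256_ABC))
```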
A firewall is basically meant for network traffic control/filtering, mainly at layer 3/4 (addresses and ports). It allows/denies packets and connections based on certain pre-defined rules. IDS: an Intrusion Detection System is an application which tries to detect intrusion attempts based on the attack signature database it has; it watches a copy of the traffic and raises alerts. IPS: an Intrusion Prevention System detects the intrusion (like an IDS) and goes one step further to prevent it as well; because it sits inline it simply drops the packets it considers suspicious (based on rules). Examples:
1. Proxy: Squid
2. Firewall: iptables, Cisco PIX, ZoneAlarm
3. IDS: Snort
4. IPS: IBM Proventia
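The firewall/IDS/IPS distinction above, as an added example that is not part of the original post: a layer-3/4 rule set that only sees addresses and ports, a signature set that only sees payloads, and the same sensor run in passive (IDS) and inline (IPS) mode over four constructed packets. The addresses, ports, payloads and the two regex signatures are all made up for the demo; a real Snort rule set is far larger.

```python
import re

# Constructed packets: (src_ip, dst_ip, dst_port, payload)
PACKETS = [
    ("203.0.113.7", "198.51.100.10", 80,   b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("203.0.113.7", "198.51.100.10", 3306, b"\x0aSELECT 1"),                               # DB port from outside
    ("203.0.113.9", "198.51.100.10", 80,   b"GET /login?u=' OR 1=1-- HTTP/1.1\r\n\r\n"),   # SQLi on an allowed port
    ("203.0.113.9", "198.51.100.10", 80,   b"GET /../../../../etc/passwd HTTP/1.1\r\n\r\n"),
]

# Layer-3/4 firewall: first matching rule wins; it never reads the payload.
FIREWALL_RULES = [
    {"dst_port": 80,   "action": "allow"},
    {"dst_port": 443,  "action": "allow"},
    {"dst_port": None, "action": "deny"},     # default deny
]

# Signature database as an IDS/IPS carries it: patterns over the payload (constructed).
SIGNATURES = [
    ("SQLi tautology", re.compile(rb"'\s*or\s*1\s*=\s*1", re.I)),
    ("Path traversal", re.compile(rb"\.\./\.\./")),
]


def firewall(packet) -> str:
    """Return 'allow' or 'deny' for a packet using only its port."""
    dst_port = packet[2]
    for rule in FIREWALL_RULES:
        if rule["dst_port"] is None or rule["dst_port"] == dst_port:
            return rule["action"]
    return "deny"


def match_signatures(packet):
    """Names of every signature that fires on the payload."""
    payload = packet[3]
    return [name for name, rx in SIGNATURES if rx.search(payload)]


def inspect(packets, mode="ids"):
    """mode='ids': alert but forward (passive, fed from a SPAN port or tap).
    mode='ips': inline, so a signature hit drops the packet.
    Returns (forwarded packets, alerts)."""
    forwarded, alerts = [], []
    for pkt in packets:
        if firewall(pkt) == "deny":
            continue                    # never reaches the sensor at all
        hits = match_signatures(pkt)
        if hits:
            alerts.append((pkt[0], pkt[2], hits))
            if mode == "ips":
                continue                # dropped inline
        forwarded.append(pkt)
    return forwarded, alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        fwd, alerts = inspect(PACKETS, mode)
        print(f"{mode.upper()}: forwarded {len(fwd)} of {len(PACKETS)}, alerts: {alerts}")
```

The firewall stops the direct database connection but passes both attacks on port 80 untouched; the IDS sees them and can only alert, while the IPS drops them, which is exactly why an IPS also needs a lower false-positive tolerance than an IDS.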
4) How does asymmetric encryption work? 5) How does SSL work? 6) What is port scanning? What are the countermeasures to prevent it? 7) What is a Man in the Middle attack? Can it be prevented? 8) What is the difference between false positive and false negative? 9) Explain the term 'Defense in depth'. 10) What do you mean by stateful inspection by a firewall? 11) What is a DMZ? Which systems should be placed in the DMZ? What are common security precautions for DMZ systems? 12) What is DLP? How does it work? 13) In what scenario should AD authentication be used? 14) Is SSH completely secure? If not, can it be hardened more? 15) What is Virtualization? What are the security risks in it? 16) What do you mean by 'BYOD'? Explain security concerns related to it. 17) What are the different layers of the OSI model? Can you list 1 vulnerability corresponding to each of the OSI layers? 18) What are honeypots? 19) Tell us about any major security incident that happened recently. 20) How do you keep yourself updated with the latest trends in Information Security? Ans: I refer to various security news sites, blogs etc. (like The Hacker News, the Rapid7 blog etc.). I am also subscribed to various online security magazines like PenTest Magazine, Hackin9 etc. and I look through the archives of various security conferences held worldwide.
21) Which OS do you feel is more secure? Linux or Windows? Ans: No OS is secure unless its administrator is smart enough to secure it. Though Windows has more publicly found security issues, it can still be hardened appropriately. It's all about perception and having the right sense of security. Linux definitely provides robust security, however a mis-configured Linux box could really pose a big threat to security. 22) Explain in brief, Multi Factor authentication. 23) Explain in short how Kerberos works. 24) How do you harden a Windows machine? 25) How do you harden a Linux machine? 26) How can you prevent a DoS/DDoS attack? 27) What is a 0-day vulnerability? Can it be prevented? 28) What is the biggest difference between the Windows OS and the Linux OS? 29) Can an IDS be used to prevent intrusions? (The answer is yes; e.g. Snort, an open source IDS, can act as an IPS if configured in inline mode in conjunction with iptables.) 30) Explain any type of Wi-Fi attack and how to prevent it. 31) What is SIEM? Why is it useful? 32) What is a rainbow table attack? Is there a way to prevent it? 33) Explain the difference between hub, switch and router. 34) What do you mean by a reverse shell in Linux? 35) Explain file ACLs (permissions) in Linux. What is the use of the sticky bit? 36) What are NAT and PAT? Explain the difference between them and how they work. 37) Comment on security concerns in Cloud Computing. 38) What is the use of a 'salt' in reference to passwords? Are there any limitations to using it? 39) What is single sign-on? What are the security risks with it? Category II: VA/PT 1) What is the difference between Vulnerability Assessment and Penetration Testing? Which one needs to be performed first? 2) What are the steps to perform VA/PT?
3) What precautions are required to be taken while performing VA/PT? 4) With whom would you share the findings of VA/PT and how would you convey the risk of the findings effectively so that mitigation can be initiated immediately? 5) What tools do you normally use for VA and PT? Which tool do you find the best and why? 6) What all should be included in the report of a VA/PT assessment? 7) Is it possible to hack into a system without using any tool? If yes, how would you do it? (Manually?) 8) How can you identify whether a remote machine is a Windows machine or a Linux machine? 9) What is the difference between active and passive information gathering? (give 1 example of each) 10) How does sniffing work? Explain how you can sniff a network. Can a sniffing attack be prevented, and how? 11) What would you do if nmap port scans are blocked by the network security administrator? How would you gather host information in such a case? 12) What are the different components of Metasploit? Explain client side exploits/attacks. Category III: Web Application Security 1) Why is Web Application Security important? 2) "Making the website HTTPS would make it secure": share your comments on this. 3) What are cookies? What security threat do they pose? 4) What is a SQL Injection attack? What are its types? 5) What are the ways to prevent SQL Injection? 6) What is an XSS attack? What are its types? 7) What are the ways to prevent XSS attacks? 8) What is CSRF? How do you prevent it? 9) What are the top 5 Web Application Vulnerabilities you know? 10) Explain any case wherein you found some critical web application vulnerability and you also provided the solution to fix it. 11) How would you mitigate vulnerabilities in a legacy application where much code change is not feasible? 12) What tools do you use for performing Web Application security testing?
13) How do you test security for web services? 14) What is the difference between White Box Application Security testing and Black Box Application Security testing? 15) Do you have hands-on knowledge of source code review? Give any example of a vulnerability/bug you found during source code review. 16) What standards do you refer to for Web Application Security and related vulnerabilities? 17) What are the most important steps you would recommend to secure a new web server? 18) Will a layer-3 firewall be useful in protecting the web application against common attacks? If yes, then to what extent? 19) What is Directory Listing? What is its impact? How do you prevent it? 20) Can you explain any 2 vulnerabilities occurring due to poor session management? 21) Where should the Web Server and Database server be placed in the network for optimal security? 22) Is there any risk when conducting Application Security testing on a production instance? Ans: Ideally, Application Security testing should never be performed on a production instance. Automated scanners can insert, modify or even delete data from the target application. This could be a big risk. So the testing should be carried out on a test instance which contains an exact replica of the application code running on the production instance. If at all you have to test on the production instance, its owner must take responsibility (in writing) for any data loss that may occur after testing. 23) How would you investigate or trace a security incident which occurred due to exploitation of some vulnerability in your web application? 24) Please explain how you would test a mobile application for security vulnerabilities? 25) Explain Database Security. What are common controls for securing databases? 26) How would you convince the developer to fix the vulnerabilities you found in the Web Application? Ans: It is normal human mentality not to accept our mistakes. The same applies in this case.
No developer would easily accept that code written by him has serious security bugs. So, you have to demonstrate the vulnerability you discovered with a proper PoC, and explain the severity and impact if the vulnerability gets exploited. You have to be polite while explaining and not get into arguments. 27) How does HTTP handle state? Ans: HTTP is a stateless protocol; state is layered on top with cookies or session tokens. Category IV: Risk Management/ Compliance/ Security Frameworks 1) What are Risk Assessment and Risk Management? Are they the same? 2) What standards are available for Risk Management?
3) What are the types of risks? 4) What are the possible ways to treat a risk? 5) What is the difference between threat, vulnerability, exploit and risk? 6) What is residual risk? Can it be eliminated? 7) What is ISO 27001? Why should an organization adopt it? 8) What is the difference between ISO 27001 and ISO 27002? 9) What is PCI-DSS? Is there any similarity between PCI-DSS and ISO 27001? 10) What type of organizations are required to be compliant with PCI-DSS? 11) What is the difference between a standard, a policy and a procedure? 12) What would you do to make a security program / initiative successful in the organization? 13) How would you convince senior management to invest in a certain security initiative? 14) How much would you ideally spend on securing a Windows Server? (This is a very generic question, but it would really test whether the candidate is clear on basics like asset value, impact analysis etc.) 15) What is the difference between technical controls and procedural controls? (give 1 example of each) 16) Explain the high level steps for initiating and implementing ISO 27001. Category V: Strategic / Scenario Based Questions 1) Please comment: Which one would be more securely built? Open Source software or Commercial/Proprietary software? 2) Who inspires you in the field of Information Security? 3) How many packets would travel from a laptop if a user initiates a traceroute to facebook.com? 4) Consider a scenario: the network has become extremely slow and there are many escalations coming to the service desk. What would you do as a security professional? Do you see a possibility of any security threat in this? How would you face this situation? 5) Suppose the business team wants to launch an application on an urgent basis, but you know it is vulnerable to some critical attacks. What would you do in such a case? Should the business requirement be given priority or should security be the priority? 6) What are the latest trends in Information Security?
7) Is Internet Banking really safe and secure? What are your views on this? 8) Where do you see yourself (in which role/position) after 3-4 years?
9) Should social networking websites (like Facebook) be allowed or blocked? Justify with proper reasons. 10) Anonymous hackers are hacking into some critical infrastructure around the world. Can you comment on how they would be doing this? 11) Have you heard about Stuxnet? Explain your views on it and how it could have been prevented? Category VI: Computer Forensics/Laws 1) What do you mean by checksum? What are the popular algorithms for calculating checksums? What is its significance in computer forensics? 2) Describe steganography, its types and how to detect it. 3) What do you mean by file carving? 4) What is meant by a bit stream image? Why is it important in forensics? 5) What is swap space? What is its relevance in forensics? What is a page file? 6) Explain the high level steps for seizing a live computer system. 7) What are the main challenges in computer forensics? 8) What is file shredding? Ans: File shredding is a technique used to securely erase/wipe or destroy a file (logically or physically) in such a way that it cannot be reconstructed to derive its original meaning. 9) Can data be recovered after shredding is performed? 10) What are the famous tools used in computer forensics? 11) What hardware is necessary for performing computer forensics? 12) What care should be taken while packaging the seized evidence? 13) What is slack space? 14) List a few situations wherein lost data cannot be recovered. Ans: If the data is stored on magnetic media and that media comes in contact with a very strong magnetic field, it may result in permanent loss of data. If the data on the disk is overwritten more than 30 times, it may end up in an unrecoverable state. If the media is physically destroyed, e.g. completely burnt or turned into fine powder, then it won't be possible to recover the data. 15) How would you trace a spoofed email sent from a spoofed IP address? Windows Server Administration Interview Questions
February 8, 2013 by: jdavid in: Application Support, Interview Questions, Windows 8, Windows Servers Windows admin interview questions
Describe how the DHCP lease is obtained. It's a four-step process consisting of (a) IP request (DHCPDISCOVER, broadcast by the client), (b) IP offer (DHCPOFFER from each server that hears it), (c) IP selection (DHCPREQUEST for one of the offers) and (d) acknowledgement (DHCPACK from the chosen server).
I can't seem to access the Internet, don't have any access to the corporate network and on ipconfig my address is 169.254.*.*. What happened? An address in the 169.254.0.0/16 range is self-assigned by Windows machines (98/2000/XP and later) when no DHCP server answers. The name for the technology is APIPA (Automatic Private IP Addressing); such an address only works for hosts on the same link, hence no Internet and no corporate network.
We've installed a new Windows-based DHCP server, however, the users do not seem to be getting DHCP leases off of it. The server must be authorized in Active Directory first; an unauthorized Windows DHCP server does not service clients.
How can you force the client to give up the DHCP lease if you have access to the client PC? ipconfig /release
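The three DHCP answers above (the four-step lease, the APIPA fallback, the unauthorized server, and what ipconfig /release does), as one added example that is not part of the original post: a small client/server model in which the server that is not authorized stays silent, the client falls back to a 169.254.x.y address when no offer arrives, and a release hands the address back to the pool. The address pool, MAC addresses and message dicts are constructed for the demo.

```python
import random


class DhcpServer:
    """Minimal DHCP server handing out addresses from a pool.

    A Windows DHCP server that has not been authorized in Active Directory
    does not answer clients at all; that is what `authorized=False` models."""

    def __init__(self, pool, authorized=True):
        self.free = list(pool)
        self.leases = {}                     # mac -> address
        self.authorized = authorized

    def handle(self, msg):
        if not self.authorized:
            return None                      # silent: no OFFER, no ACK
        kind, mac = msg["type"], msg["mac"]
        if kind == "DHCPDISCOVER" and self.free:
            return {"type": "DHCPOFFER", "mac": mac, "yiaddr": self.free[0]}
        if kind == "DHCPREQUEST":
            addr = msg["requested"]
            if addr in self.free:            # commit the lease only on REQUEST
                self.free.remove(addr)
                self.leases[mac] = addr
                return {"type": "DHCPACK", "mac": mac, "yiaddr": addr}
            return {"type": "DHCPNAK", "mac": mac}
        if kind == "DHCPRELEASE":
            addr = self.leases.pop(mac, None)
            if addr:
                self.free.append(addr)
        return None


class DhcpClient:
    def __init__(self, mac, rng=None):
        self.mac = mac
        self.address = None
        self.server = None
        self.rng = rng or random.Random()

    def obtain_lease(self, servers):
        """Discover, Offer, Request, Acknowledge. Returns the message transcript."""
        transcript = ["DHCPDISCOVER"]        # broadcast: every server sees it
        offers = [(s, s.handle({"type": "DHCPDISCOVER", "mac": self.mac})) for s in servers]
        offers = [(s, o) for s, o in offers if o]
        if not offers:
            # Nobody answered: self-assign a link-local APIPA address.
            self.address = f"169.254.{self.rng.randint(1, 254)}.{self.rng.randint(0, 255)}"
            return transcript + ["(no offer) APIPA"]
        server, offer = offers[0]            # IP selection: take the first offer
        transcript += ["DHCPOFFER", "DHCPREQUEST"]
        ack = server.handle({"type": "DHCPREQUEST", "mac": self.mac,
                             "requested": offer["yiaddr"]})
        transcript.append(ack["type"])
        if ack["type"] == "DHCPACK":
            self.address, self.server = ack["yiaddr"], server
        return transcript

    def release(self):
        """What `ipconfig /release` does: tell the server the address is free."""
        if self.server:
            self.server.handle({"type": "DHCPRELEASE", "mac": self.mac})
        self.address = self.server = None


if __name__ == "__main__":
    good = DhcpServer(["10.0.0.10", "10.0.0.11"])
    bad = DhcpServer(["10.0.0.20"], authorized=False)
    c1 = DhcpClient("aa:bb:cc:00:00:01")
    print(c1.obtain_lease([good]), "->", c1.address)
    c1.release()
    print("after release, pool:", good.free)
    c2 = DhcpClient("aa:bb:cc:00:00:02")
    print(c2.obtain_lease([bad]), "->", c2.address)
```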
What authentication options do Windows 2000 Servers have for remote clients? PAP, SPAP, CHAP, MS-CHAP and EAP.
What are the networking protocol options for the Windows clients if for some reason you do not want to use TCP/IP? NWLink (Novell), NetBEUI, AppleTalk (Apple).
What is binding order? The order by which the network protocols are used for client-server communications. The most frequently used protocols should be at the top.
How do cryptography-based keys ensure the validity of data transferred across the network? A plain checksum, such as the one carried in every IP, TCP and UDP header, only catches accidental corruption: if the checksums do not match on the receiving and transmitting ends the data was modified or corrupted in transit, but an attacker who changes the data can simply recompute it. A keyed integrity check (a message authentication code such as HMAC, or a digital signature) is computed over the data with a key that only the legitimate endpoints hold, so a modification by anyone without the key fails verification. This is what the integrity check in IPsec AH/ESP provides.
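The checksum-versus-keyed-integrity point above, as an added example that is not part of the original post: an RFC 1071 Internet checksum beside an HMAC-SHA256 tag over the same constructed message. An on-path attacker rewrites the amount and recomputes the checksum, which then verifies; the HMAC, which needs the endpoints' shared key, does not. The message, the shared key and the attacker's guessed key are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by IP/TCP/UDP headers.
    Anyone can compute it; it detects accidental corruption, nothing more."""
    if len(data) % 2:
        data += b"\x00"                              # pad to 16-bit words
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                               # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(payload: bytes, cksum: int) -> bool:
    return internet_checksum(payload) == cksum


def mac_tag(key: bytes, payload: bytes) -> bytes:
    """Keyed integrity check: only holders of `key` can produce a valid tag."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def mac_ok(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, payload), tag)


def tamper(payload: bytes) -> bytes:
    """The on-path attacker's edit to the constructed message."""
    return payload.replace(b"amount=10", b"amount=9999")


KEY = secrets.token_bytes(32)                        # shared only by the two endpoints
ORIGINAL = b"transfer to=alice amount=10"           # constructed message


def demo() -> dict:
    """Return the outcome of each verification after tampering."""
    sent_cksum = internet_checksum(ORIGINAL)
    sent_tag = mac_tag(KEY, ORIGINAL)
    forged = tamper(ORIGINAL)
    forged_cksum = internet_checksum(forged)         # attacker fixes the checksum up
    return {
        "checksum_accepts_original": checksum_ok(ORIGINAL, sent_cksum),
        "checksum_accepts_forged_after_refix": checksum_ok(forged, forged_cksum),
        "hmac_accepts_original": mac_ok(KEY, ORIGINAL, sent_tag),
        "hmac_rejects_forged": not mac_ok(KEY, forged, sent_tag),
        "hmac_rejects_attacker_key": not mac_ok(KEY, forged, mac_tag(b"attacker-guess", forged)),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:<40} {outcome}")
```

Every value in the result is True: the checksum is useless against a deliberate change because the attacker can recompute it, while the HMAC holds as long as the key does. A MAC still says nothing about who the peer is; that is the job of the authentication step (certificates, pre-shared keys) that sets the key up in the first place.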
Should we deploy IPSEC-based security or certificate-based security? They are really two different technologies. IPsec secures the TCP/IP communication and protects the confidentiality and integrity of the packets. Certificate-based security ensures the validity (identity) of authenticated clients and servers. The two are complementary rather than alternatives: IPsec peers can authenticate each other with certificates when they negotiate the connection.
What is the LMHOSTS file? It's a file stored on a host machine that is used to map NetBIOS names to specific IP addresses.
What’s the difference between forward lookup and reverse lookup in DNS? Forward lookup is name-to-address, the reverse lookup is address-to-name.
How can you recover a file encrypted using EFS? Use the domain's EFS data recovery agent (DRA), whose certificate is added to the recovery field of every file encrypted under the policy.
What is the difference between the Windows Server 2003 Standard, Enterprise, Datacenter and Web Editions? WEB EDITION: To position Windows Server 2003 more competitively against other web servers, Microsoft released a stripped-down-yet-impressive edition of Windows Server 2003 designed specially for web services. The feature set and licensing allow customers easy deployment of web pages, web sites, web applications and web services.
Web Edition supports 2 GB of RAM and a two-way symmetric multiprocessor (SMP) system. It provides unlimited anonymous web connections but only 10 inbound Server Message Block (SMB) connections, which should be more than enough for content publishing. The server cannot be an Internet gateway, DHCP or fax server. Although you can remotely administer the server with Remote Desktop, the server cannot be a terminal server in the traditional sense. The server can belong to a domain, but cannot be a domain controller. The included version of the Microsoft SQL Server Database Engine can support as many as 25 concurrent connections.
How do you recover an object in Active Directory which you accidentally deleted, with no backup? With no backup the only option is to reanimate the object's tombstone (for example with ldp.exe, or with Restore-ADObject when the Active Directory Recycle Bin is enabled); plain tombstone reanimation brings back only the attributes that are retained on the tombstone, so group memberships and other stripped attributes must be re-added by hand. ntdsutil.exe is used for an authoritative restore, which requires a system state backup.
What are the logical and physical structures of the AD environment? Logical structure: forest, domain tree, domain and organizational unit. Physical structure: site, subnet and domain controller. The directory data itself is stored in the schema, configuration, domain and application directory partitions, each with its own replication scope.
How do you change the Windows XP product key if the system was installed with another product key but you have the original one? What would you do to make the OS genuine? Windows XP's own Activation wizard can change the product key in place; failing that, some third-party software is available for this, or the system can be reinstalled with the correct key.
If 512 MB of RAM is installed, what should the minimum and maximum virtual memory for the system be? To work out the total virtual memory (page file) required for Windows XP, take the amount of RAM in the system and add 25%: 512 MB + 25% (128 MB) = 640 MB total virtual memory. By setting both the minimum and the maximum to 640 MB you avoid the page file growing and fragmenting, which can improve the performance of the operating system.
What is LDAP? LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server.
What is the SYSVOL folder? The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.
What are application partitions? When do we use them? An application directory partition is a partition in Active Directory which an application can use to store its application-specific data. This partition is then replicated only to specific domain controllers rather than to every DC in the domain. The application directory partition can contain any type of data except security principals (users, computers, groups); DNS integrated with AD (DomainDnsZones, ForestDnsZones) is the common example.
How do we back up Active Directory? Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides. You should frequently back up the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary. To ensure a good backup that includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days (180 days in forests created on Windows Server 2003 SP1 or later). Any backup older than the tombstone lifetime is not a good backup, because restoring it would reintroduce objects that the rest of the forest has already purged. Plan to back up at least two domain controllers in each domain, keeping at least one backup available to enable an authoritative restore of the data when necessary.
How do we restore AD? You can't restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps. 1. Reboot the computer, press F8 during startup and choose Directory Services Restore Mode. The computer will boot into a special safe mode and won't start the DS. Be aware that during this time the machine won't act as a DC and won't perform functions such as authentication. 2. Start NT Backup. 3. Select the Restore tab. 4. Select the backup media, and select System State. 5. Click Start Restore.
6. Click OK in the confirmation dialog box. This is a non-authoritative restore: after the reboot, replication partners overwrite the restored data with anything newer. If you need restored objects to win (for example to bring back deleted objects), mark them with ntdsutil's authoritative restore before rebooting. After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; I've experienced a 30-minute wait on some machines.
What are GPOs? Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
What domain services are necessary for you to deploy Windows Deployment Services on your network? Windows Deployment Services requires Active Directory Domain Services, a DHCP server and a DNS server to be available in the domain.
What is the difference between a basic and a dynamic disk in the Windows Server 2008 environment? A basic disk uses the MS-DOS partition-table structure; a basic disk can be divided into partitions (simple volumes). A dynamic disk holds a single partition that can be divided into any number of volumes. Dynamic disks also support the Windows Server 2008 software RAID implementations (spanned, striped, mirrored and RAID-5 volumes).
What is the main purpose of a DNS server? DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa
Commonly Used DNS Records?
A records (host address)
CNAME records (canonical name for an alias)
MX records (mail exchange)
NS records (authoritative name server)
PTR records (domain name pointer, used for reverse lookup)
SOA records (start of authority)