7.2 Win

Question 1

Session layer protocol

allow a program running on one computer to seamlessly execute code on a remote system.

Answer 1

RPC

Question 2

Endpoint mapper promiscuity
General Denial of Service (DoS) by attacking port 135 itself
Service specific attacks based on information gathered from querying port 135
Escalation of privileges based on information gathered from querying port 135

Answer 2

RPC Vulnerabilities

Question 3

Session Layer file and print sharing protocol used by legacy systems.

Answer 3

NetBios

Question 4

used for name resolution and registration (UDP port 137).

The first 15 characters/bytes are for names and the 16th character/byte indicates the function/service.

Answer 4

NetBios Name Service

Question 5

Workstation service

Answer 5

<00>

Question 6

Server service

Answer 6

<20>

Question 7

(UDP port 138) is used for browser and messenger services.

Answer 7

NetBIOS Datagram Service

Question 8

messaging service

Answer 8

<03>

Question 9

(TCP port 139) is primarily used for local network file and print sharing.

Answer 9

NetBios Session Service

Question 10

Application Layer protocol used for file and print sharing.

Answer 10

SMB

Question 11

provides file and print sharing services to SMB/CIFS clients and allows for seamless interoperability between *NIX servers and Windows clients.

Answer 11

Samba

Question 12

TCP port 3389 is a method of connecting to a remote system which allows a user to work as if on the remote computer’s desktop.

allows for an actual GUI desktop.

Answer 12

RDP

Question 13

service that implements the WS-Management protocol for remote management using ports 5985/5986.

using the standard HTTP/HTTPS protocols for transport.

Answer 13

WinRM

Question 14

Microsoft’s way forward in using networking protocols to connect to and manage network systems.

Answer 14

PS Remoting

Question 15

performs a function similar to NetBIOS but expands on those capabilities.

uses a variety of methods to gather resource information and may gather IP, MAC, and even OS information if configured appropriately.

Answer 15

Network Discovery

Question 16

Volumes on a Windows system are shared via hidden administrative shares (i.e., C$, E$, F$, etc.). Requires a privileged account for access.

Answer 16

Drive letter$

Question 17

The System Root on Windows systems is shared via administrative shares. Requires a privileged account for access.

Answer 17

ADMIN$

Question 18

Shares named pipes required for communication between computers and programs.

Answer 18

IPC$

Question 19

Used on Active Directory domain controllers for sharing domain policies and domain public files.

Answer 19

SYSVOL

Question 20

vulnerability most often found on legacy OSs.
Anonymously call a remote system’s RPC services for possible enumeration of the following:
-SAM accounts
-A list of machines on the system’s network
-A list of shares

A combination of Firewall, Registry, and policy settings may be used to secure null session vulnerabilities.

Answer 20

Null Session

Question 21

name resolution service that resolves NetBIOS names to IP addresses.

-local networks

Answer 21

WINS

Question 22

distributed database used on TCP/IP networks to assist in the location of computers and other resources.

Answer 22

DNS

Question 23

unique name used to identify a particular system in the namespace.

Answer 23

FQDN

Question 24

represent a discrete portion of the namespace for a particular domain and provide a way to partition the domain namespace into manageable sections.

Answer 24

zone

Question 25

host primary zones and may host secondary zones for another domain

Answer 25

Primary servers

Question 26

host secondary zones

Answer 26

Secondary servers

Question 27

contain only information for previously resolved queries and do not host any zones

Answer 27

Caching-only servers

Question 28

Contains a read/write copy of the entire namespace; all resource records for the zone. Primary zones are deployed either as standard primary zones or as ADI zones.

Answer 28

Primary Zone

Question 29

are deployed with various manufacturer DNS servers. There is only one primary server for the zone, which manages all changes to the zone.

Answer 29

Standard primary zones

Question 30

This integration allows Active Directory to be used as a data storage and replication engine for DNS, providing the capability of using multiple primary servers forthe same zone. Typically, most domain controllers are configured to serve as primary DNS servers for their domain or zone.

Answer 30

ADI zones

Question 31

Contains a read-only copy of the entire namespace; all resource records for the zone.When a secondary zone needs an update, it requests a zone transfer from a primary server.

Answer 31

Secondary Zone

Question 32

SOA is the first resource record. It indicates this DNS name server is the best source of information for this domain.

Serial Number
Refresh Time
Zone transfers

Answer 32

Start of Authority (SOA)Record

Question 33

announces the authoritative name servers for a particular zone,DNS servers that answer queries for their supported zone. Often indicates a secondary server for a domain.

Answer 33

Name Server(NS) Record

Question 34

maps the service name to the server name offering the service.

Answer 34

Service Location (SRV) Record

Question 35

Maps a host name to an IPv4 address for forward lookups.

Answer 35

Host (A) Record

Question 36

Maps a host name to an IPv6 address for forward lookups

Answer 36

Host (AAAA) Record

Question 37

Creates a pointer that maps an IP address to a host name for reverse lookups.

Answer 37

Pointer (PTR) Record

Question 38

MX Record specifies a mail exchange server for domain.

Answer 38

Mail Exchanger (MX)Record

Question 39

Sets an alias for a host name. Often used to associate “www” with the web server name.

Answer 39

Alias (CNAME)Record

Question 40

the client makes additional DNS queries,if necessary, to other DNS servers to find the requested name to IP resolution.

Answer 40

iterative query

Question 41

the DNS server make queries to other DNS servers on behalf of the client who made the original name to IP resolution request.

Answer 41

recursive query

Question 42

• Secure dynamic updates to only allow updates fromsystems authorized to make them
• Limitzone transfers to authoritativename servers andother authorized systems
• Secure against DNS cache poisoning/pollution

Answer 42

ways to secure DNS

Question 43

set of Internet-based services for servers for use with Windows. By default, it supports FTP on port 21,HTTP on port 80,and HTTPS on port 443.

Answer 43

IIS

Question 44

This account permits users to connect anonymously to web sites hosted on the server.

Answer 44

IUSR

Question 45

IIS Admin Service (W3SVC and FTPSVC services depend on the IISADMIN service).

Answer 45

IISADMIN

Question 46

WWW Publishing Service used for HTTP hosting.

Answer 46

W3SVC

Question 47

Microsoft FTP Publishing Service used for FTP hosting.

Answer 47

FTPSVC

Question 48

Web sites are commonly identified and hosted in the following ways:

Answer 48

IP Address
Port Address
Host Header

Question 49

if a single system goes down, the other systems in the cluster take over the processing load with little to no loss of access or capability.

Answer 49

Windows Clustering

Question 50

are unique communications that are typically isolated from the traditional network and are used for many things,including computer clusters and load balancing of system resources.

Answer 50

Heartbeat Networks

Question 51

defines how clients access the directory server and perform database operations over an IP network.

Answer 51

LDAP

TCP 389

Question 52

Most fundamental item in a directory; these are items such as users, folders, and computers.

Answer 52

Objects

Question 53

Characteristics of objects (i.e., printer object can have attributes: name, location, model, etc.).

Answer 53

Attributes

Question 54

Set of rules or structure that defines objects.

Answer 54

Schema

Question 55

Logical grouping of objects or type of class of object (by organizational structure, groups, etc.).

Answer 55

Classes

Question 56

Used for organizing objects, but cannot have group policies linked directly to them.

Answer 56

Container

Question 57

Used for organizing objects and can have group policies linked to them.

Answer 57

Organizational Unit

Question 58

Contain OUs, containers, and objects and provides the ability to associate a group policy to them as a single entity.

Answer 58

Domains

Question 59

based on the structure of the directory, which is also known as the schema.

Answer 59

Information Model

Question 60

May be used as user logon name for the domain. Combines username and DNS name; commonly used as an email address.

Answer 60

User Principal Name (UPN)

Question 61

Contains the relative distinguished name (RDN) and location within the LDAP directory.

Answer 61

Distinguished Name (DN)

Question 62

Portion of the name that does not relate to the directory structure. It is unique at each level.

Answer 62

Relative Distinguished Name (RDN)

Question 63

deals with organization of the data and the objects within a database. The hierarchical structure provides unique uniform naming conventions for objects and an organizational framework.

Answer 63

Naming Model

Question 64

Provides information that details what can be done with the database.Data modification and searches are the most common.

• Authentication
• Interrogation
• Update

Answer 64

Functional Model

Question 65

Operations are for initiating and authenticating a session to the LDAP server. The primary operation performed is bind.

Answer 65

Authentication

Question 66

How the database or directory is searched. Search is the primary operation.

Answer 66

Interrogation

Question 67

Used for data modification including add, modify, and delete.

Answer 67

Update

Question 68

primarily focused on how directory information is protected.

Answer 68

Security Model

Question 69

Flexible querying
Integration with DNS
Extensibility
Policy-based administration
Scalability
Replication
Security
Interoperability

Answer 69

Benefits of Active Directory:

Question 70

used to represent the physical topology of the network. Active Directory uses sites and site links to configure and optimize replication between physically dispersed domain controllers.

Answer 70

Sites

Question 71

• Enables clients to efficiently discover services (published shares, logon services) that are close to the physical location of the client
• Enables network traffic control to optimize replication between domain controllers and maximize data availability.
• Enables policy application; Group Policy Objects may be linked to sites.

Answer 71

Site configurations

Question 72

one or more domains sharing a common schema, where the first domain created is the forest’s root domain.

Answer 72

forest

Question 73

consists of one or more domains that may be grouped together to form hierarchical structures.

Each top-level domain of a tree in a forest may have disjointed namespaces.

Child domains within a tree must have contiguous namespaces that build upon the parent’s.

Answer 73

tree

Question 74

relationship established between domains to enable users in one domain to access resources in another domain.

Answer 74

trust

Question 75

When domain Atrusts domain Band domain B trusts domain C, then A can access resources in C if they have the correct permissions. Configured between parent/child domains and between root domains in a forest.

Answer 75

Transitive Trusts

Automatic

Question 76

Forest- Between two forests, manually created.

Shortcut-Between two distant child domains; used to improve logon.

External- Access between two Active Directory domains located in different forests (no forest trust exists)

Answer 76

Non-transitive Trusts

External trusts configured manually

Question 77

1) Client queries DNS for LDAP SRV record.
2) Once the LDAP service is identified, client connects to port 389. In Windows Active Directory Domains, the connection is made to a domain controller.
3) Client authenticates and performs the search.

Answer 77

Domain-wide Queries

Question 78

• A search for a resource in a forest that contains more than one domain
• A UPN logon in a forest that contains more than one domain
• An email address book lookup from the Global Address List (GAL)

Answer 78

forest-wide queries that require the GC service:

Question 79

1) Client queries DNS for GC SRV record.
2) Once the GC service is identified, client connects to port 3268 or 3269. This connection is made to a domain controller running the GC service.
3) Client authenticates and performs search

Answer 79

Steps for a forest-wide query

Question 80

is similar to an SSH or Telnet connection providing a CLI on a single remote computer.

Answer 80

1-to-1 remoting

Question 81

enables commands (or a list of commands) to be sent in parallel to a single computer or a group of remote computers.

Answer 81

1-to-Many remoting

Question 82

Remoting cmdlets like Invoke-Commandor Enter-PSSession specify a computer name by using the -ComputerName parameter. PS establishes a session, executes commands, and then shuts down the connection.

Answer 82

Ad-Hoc Session

Question 83

A PS remoting session that persists until manually terminated by the user. The New-PSSession cmdlet establishes a persistent session. The session has a unique ID and may be used repeatedly by referencing the ID. The remove-pssession cmdlet removes the session when no longer needed. To view current persistent PS sessions, use the get-pssession cmdlet

Answer 83

Persistent Session

Question 84

primary authentication package used in Windows Domain (Active Directory) environments. It is implemented via two .dll files. On the client side,kerberos.dll enables secure communication and authentication with kdcsvc.dll on the server side.

Answer 84

Kerberos

Question 85

• Provides faster authentication using a ticketing system.
• Supports mutual authentication where the client and server each have to authenticate to each other.

Provides single sign-on between Active Directory systems, including non-Windows OSs that support Kerberos.

Relies on a simpler and faster symmetric keying algorithm where sender and receiver share a single, common key used to encrypt and decrypt messages.

Answer 85

Some advantages of Kerberos:

Question 86

kdcsvc.dll to provide two main services, Authentication Service and Ticket Granting Service.

Answer 86

Key Distribution Center (KDC)

Question 87

domain

Answer 87

Realm

Question 88

verifying the validity of the client computer and the user. The AS issues the Ticket Granting Ticket (TGT)

Answer 88

Authentication Service (AS)

Question 89

users’ proof that they provided correct credentials during their initial login.

Answer 89

Ticket Granting Ticket (TGT)

Question 90

responsible for issuing Service Tickets (ST) which allow a user to access specific resources on the network.

Answer 90

Ticket Granting Service (TGS)

Question 91

verified by a resource provider to allow a user access to specific resources.

Answer 91

Service Ticket (ST)

Question 92

Krbtgt is the account used by the KDC.

Answer 92

Krbtgt account

Question 93

is the password hash of the user attempting to login. Additional keys are generated during the exchanges.

Answer 93

Session Key (SK)

Question 94

Apply policy settings to computers and users in an Active Directory domain.

Answer 94

Group Policy

Question 95

collection of settings contained in a file that efficiently apply user and computer configurations for the domain.

• Sites
• Domain
• OUs

Answer 95

GPOs

Question 96

Default Domain Policy
-Policy for the domain and linked to the domain.

Default Domain Controllers Policy
-Domain controller policy and linked to the domain controller’s OU.

Answer 96

two default GPOs:

Question 97

collection of folders that exist on each domain controller to store elements of GPOs and domain public files.

Answer 97

System Volume (SYSVOL)

Question 98

1. Local policies
2. Site GPOs
3. Domain GPOs
4. OU GPOs

Answer 98

Group Policy Processing Order:

Question 99

collection of predefined policy settings in a single file. Predefined templates provide a policy starting point and may be customized to meet organizational requirements.

Answer 99

Security templates

Question 100

WEF provides two advantages: it keeps a backup of log entries from the source systems and minimizes man hours spent on physically accessing those machines and obtaining their logs.

Answer 100

Windows Event Forwarding (WEF)

Question 101

collects log entries from one or more source systems (forwarders) on the network and is based on the Web Services (WS)-Management protocol, the WinRM service,and the Windows Event collector service (WECSVC).

Answer 101

WEC