Page 1 of 4Security+ Certification QuestionsChapter 6: Host HardeningIdentify non-essential services and protocols and know what actions to take to reduce the risksof those services and protocols (3 questions)QUESTION NO: 1Which of the following represents the best method for securing a web browser?A. Do not upgrade, as new versions tend to have more security flaws.B. Disable any unused features of the web browser.C. Connect to the Internet using only a VPN (Virtual Private Network) connection.D. Implement a filtering policy for illegal, unknown and undesirable sites.Answer: BExplanation:Features that make web surfing more exciting like: ActiveX, Java, JavaScript, CGI scripts, andcookies all pose security concerns. Disabling them (which is as easy as setting your browsersecurity level to High) is the best method of securing a web browser, since its simple, secure, andwithin every users reach.Incorrect answers:A: As newer versions one expects them to be better than the predecessors. However, this is notthe best method to secure a web browser.C: VPN tunnels through the Internet to establish a link between two remote private networks.However, these connections are not considered secure unless a tunneling protocol, such as PPTP,and an encryption protocol, such as IPSec is used.D: This does not represent the best method for securing a web browser.QUESTION NO: 2How many ports in TCP/IP (Transmission Control Protocol/Internet Protocol) arevulnerable to being scanned, exploited, or attached?A. 32B. 1,024C. 65,535D. 16,777,216Answer: CExplanation:Internet Control Message Protocol (ICMP) abuse and port scans represent known attacksignatures. The Ping utility uses ICMP and is often used as a probing utility prior to an attack ormay be the attack itself. If a host is being bombarded with ICMP echo requests or other ICMPtraffic, this behavior should set off the IDS. Port scans are a more devious form ofattack/reconnaissance used to discover information about a system. Port scanning is not an attackbut is often a precursor to such activity. Port scans can be sequential, starting with port 1 andscanning to port 65535, or random. A knowledge-based IDS should recognize either type of scanand send an alert.MIS 4850 Systems SecurityPage 2 of 4QUESTION NO: 3Which of the following ports does a DNS (Domain Name Service) server require?A. 21B. 23C. 53D. 55Answer: CExplanation:Port 53 is used for Domain Name System (DNS) Name QueriesIncorrect answers:A: Ports 20 and 21 are associated with FTP, where 20 are used for file transfer data and 21 forcommand and control data.B: Telnet uses port 23.D: DHCP makes use of port 55.QUESTION NO: 4For security purposes, which of the following should be implemented after installing a newoperating system?A. Create application user accounts.B. Rename the guest account.C. Rename the administrator account, disable the guest accounts.D. Create a secure administrator account.Answer: CExplanation:Renaming the administrator account name and disabling the guest account will reduce the risk ofa computer being attacked, because administrator accounts typically have full rights to allnetwork resources.Incorrect answers:A: This can be done after application has been installed.B: The guest account is not as vulnerable or exploitable as an administrator account.D: Creating a secure administrator account is still an administrator account that can be exploitedif it is not renamed after installing a new operating system.QUESTION NO: 9Which of the following can limit exposure and vulnerability exposed by port scans?A. Disable the ability to remotely scan the registry.B. Leave all processes running for possible future use.C. Close all programs or processes that use a UDP (User Datagram Protocol) or TCP(Transmission Control Protocol) port.D. Uninstall or disable any programs or processes that are not needed for the proper use of theserver.Leading the way in IT testing and certification tools, www.testking.in- 184 -Answer: DExplanation:Hackers perform port scans to find out which of the 65,535 ports are being used in hope ofMIS 4850 Systems SecurityPage 3 of 4finding an application with a vulnerability. By uninstalling and disabling any program orprocesses that aren't really necessary, one greatly reduces the likelihood of an attack.Incorrect answers:A, B and C: Disabling all the unnecessary programs and processes is the best way ofsafeguarding yourself against vulnerabilities that can be exploited via port scans.QUESTION NO: 10Which of the following represents an advantage of using the NTFS file system over theFAT16 and FAT32 file systems?A. Integral support for streaming audio files.B. Integral support for UNIX compatibility.C. Integral support for dual-booting with Red Hat Linux.D. Integral support for file and folder level permissions.Answer: DExplanation:The NTFS was introduced with Windows NT to address security problems. With NTFS files,directories, and volumes can each have their own security.Incorrect answers:A, B and C: Unlike any of the FAT file systems, NTFS supports file-and folder-levelpermissions. FAT file systems provide complete access locally to the entire FAT partition.Network access can be achieved regardless of the file system used; therefore, answer B isincorrect. Support for multiple operating systems is not a feature of NTFS over FAT filesystems; therefore, answer C is incorrect. Streaming video is not a function of the type of filesystem; therefore, answer A is incorrect.QUESTION NO: 12Which of the following can help secure DNS (Domain Name Service) information?A. Block all unnecessary traffic by using port filtering.B. Prevent unauthorized zone transfers.C. Require password changes every 30 days.D. Change the default password.Answer: BExplanation:Leading the way in IT testing and certification tools, www.testking.in- 186A DNS zone is an area in the DNS hierarchy that is managed as a single unit. If a domain nameserver allows zone transfer, it will allow another DNS server (one from a different domain) toaccess its DNS library of IP addresses and names; which could fall into hackers' hands if theywere to pose as a DNS server.Incorrect answers:A: Blocking all unnecessary traffic will not help secure DNS information.C: Password changes are not meant to secure DNS information.D: The default password, whether changed or not, will not secure DNS information.QUESTION NO: 18What should be a system administrator's line of action when a patch is released for aserver?MIS