Top 42 Computer Security Interview Questions You Must Prepare 19.Mar.2024

On other SNMP-enabled machines you can configure both a write and a read community name. On a Windows NT system you can set only one. Not having a community name does not disable the service, as one might expect.

CryptoAPI is a set of encryption APIs that allow developers to develop applications that work securely over non-secure networks, such as the Internet. CryptoAPI is shipped with NT version 4 and Internet Explorer 3.0. Version 2.0 of CryptoAPI comes with SP3 for NT4.

Strong passwords are longer than six characters and contain letters, numbers and even capital letters. Of course a password is useless if you forget it, but remember that using your birth date or name makes you an easy target for hackers.

Yes. In versions 3.5 and 3.51, if the administrator decides to kick a user off, then the admin has a small time window to see the content of the user's current screen and desktop.

SAM stands for Security Account Manager and is the component that maintains the security database, stored in the registry under HKLM\SAM. It serves the Local Security Authority (LSA) with SIDs. The SAM maintains the user account database.

Impersonation is the ability of a thread to execute in a security context other than that of the process that owns the thread. This enables a server to act on behalf of a client to access its own objects.

Users are susceptible to a number of attacks, such as dictionary password guessing. In Windows NT, one way to protect against those types of attacks is to set the number of failed logins allowed before the account is disabled, either temporarily or until the system manager manually enables it again.

Each process has an associated access token which is used by the system to verify whether the process should be granted access to a particular object or not. The access token consists of a user SID, a list of group SIDs representing the groups the user belongs to, and a list of user rights (privileges) the user is blessed with.

Normally, the netstat program should report information on the status of the networking connections, routing information, etc. With the option -A or -a, it should list all available TCP and UDP connections and servers that are accepting connections. On Windows NT, even though the documentation states otherwise, this is not the case.

There is no simple way to check which services are running with TCP ports open to accept connections. Currently the only way to get some information about this is to use a port scanner program and test each TCP port on the NT machine. This is not a foolproof way of dealing with the problem.

This is a serious problem if you plan to have NT-based computers in the firewall environment. You cannot easily harden them to become bastion hosts, since you cannot be confident which network services might be reachable from the outside.

It is a confirmed bug in Windows NT 3.5, 3.51 and 4.0. I do not expect Microsoft to fix it soon enough.

Update: netstat.exe is fixed as of NT4 SP3, but it still shows some strange behavior. For example, on a moderately loaded machine, you can find numerous duplicates of open connections. 

Most viruses travel through email or internet downloads. Never open attachments from unknown senders and be very cautious when downloading software from internet sources.

A Firewall is software that blocks unauthorized users from connecting to your computer. All computers at Bank Street are protected by a firewall which is monitored and updated by CIS.

There are several security issues related to ODBC usage:

  • Add hooks
  • Tracing ODBC connections

Any call with indirection, such as a call to an ODBC data source, can be intercepted by attaching to pre-made hooks. By tracing ODBC connections, which is a completely legitimate thing to do during software development, you can get access to sensitive data, such as the user name for the connected database.

A privilege is used to control access to a service or object more strictly than is normal with discretionary access control.

This tool is part of the IIS Lockdown Wizard and it works by turning off unnecessary features of the IIS server, thereby reducing the attack surface available to an attacker. This tool also works in conjunction with URLscan to provide multiple layers of defense and protection. The IIS Lockdown Tool page on TechNet describes its features and characteristics and provides steps for download and setup.

There are mixed reports whether or not NT is vulnerable to this attack. By using ping to send a large packet to certain systems, they might hang or crash.

Windows NT 3.51 seems to be vulnerable to this attack. A knowledge base article, Q132470, describes symptoms in Windows NT 3.51, and also includes a pointer to a patch for this problem.

CGI scripts are a major source of security holes. Although the CGI (Common Gateway Interface) protocol is not inherently insecure, CGI scripts must be written with just as much care as the server itself. Unfortunately some scripts fall short of this standard and trusting Web administrators install them at their sites without realizing the problems.

The Security Reference Monitor is the kernel mode component that does the actual access validation, as well as audit generation.

Most Spyware comes from free internet downloads such as screensavers and Peer-to-Peer programs (Kazaa, LimeWire, etc). The only way to avoid Spyware is to not install any of these malicious programs.

Urlscan is a powerful IIS security tool that works in conjunction with the IIS Lockdown Tool to give IIS Web site administrators the ability to restrict certain HTTP requests that the server will process, and thus prevent potentially harmful requests from reaching the server and causing damage. The URLScan Security Tool page on Microsoft TechNet describes its features and usage, provides answers to common questions, and details steps for download and installation.

Yes. To my knowledge, all IP based systems are possible victims for the attack.

A firewall is basically a software program that allows you full access to the Internet and/or your network, while restricting access to your computer system from outside intrusions.

Internet users are extremely vulnerable to hackers, especially if you have cable or ADSL access to the Internet. You definitely need to protect your computer system.

Once you install a firewall, you’ll be amazed at how many attempts to access your computer are blocked by your firewall.

Hackers can directly access your computer system by installing programs such as a key logger that can read every keystroke you make. This information is recorded and sent back to the hacker. Private information such as passwords and credit card numbers can easily be stolen.

A key logger is a small software program that quietly runs in the background.

As these programs quite often run in DOS, you will most likely never realize one is running. However, you can see if a key logger is running by pressing ‘control’ – ‘alt’ – ‘delete’ on your keyboard. This will launch a window that contains a list of all the programs currently running on your system. Review the list and watch for programs you don’t recognize.

If you really want to keep your computer safe, I recommend the following:

  1. Purchase a good virus program and keep it updated
  2. Purchase a good firewall program and keep it updated
  3. Purchase a program like Pest Patrol and keep it updated

Web Server Security:

  • Update/Patch the web server software
  • Minimize the server functionality – disable extra modules
  • Delete default data/scripts
  • Increase logging verboseness
  • Update Permissions/Ownership of files

Web Application Security:

  • Make sure Input Validation is enforced within the code – Security QA testing
  • Configured to display generic error messages
  • Implement a software security policy
  • Remove or protect hidden files and directories

On the CD-ROM that is included in the NT Resource Kit, there is a program called c2config that can be used to tighten the security of an NT-based computer.

Be aware that c2config will not work well on systems with a localized environment, e.g. a German NT that uses ACLs in German, not in English.

NT 4 comes with built-in support for packet filtering. It is a simple but still usable filtering function that the administrator can configure to let only some IP packets reach the actual applications running on the system.

You will find the configuration panel for the filtering function under “Control Panel->Network->TCP/IP->Services->Advanced->Security”.

Be aware that this simple filtering mechanism is not a substitute for a real firewall since it cannot do advanced things like protecting against IP spoofing, etc.

It can. Memory pages are swapped or paged to disk when an application needs physical memory. Even though the page file (see Control Panel->System->Performance->Virtual Memory) is not accessible while the system is running, it can be accessed by, for example, booting another OS.

There is a registry key that can be created so that the memory manager clears the page file when the system goes down:

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown: 1

Note that the clearing of the page file is done only when the system is brought down in a controlled fashion. If the machine is just switched off or brought down in any other brute way, of course no clearing will be performed.

SID stands for Security Identifier and is an internal value used to uniquely identify a user or a group.

A SID contains:

  • User and group security descriptors
  • 48-bit ID authority
  • Revision level
  • Variable subauthority values
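The revision level, 48-bit ID authority and variable subauthority values listed above can be read straight out of a SID's binary form. The parser below is an added example, not code from the original page; the function name, the small lookup table and the two sample byte strings are constructed for illustration.

```python
import struct

# A few well-known SIDs, used only to label the parsed result.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

def parse_sid(raw: bytes) -> dict:
    """Decode a binary SID into its fields and its S-R-A-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]          # 1 byte each
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError("a SID holds at most 15 subauthorities")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the subauthority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit ID authority, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit little-endian values
    text = "-".join(["S", str(revision), str(authority), *map(str, subs)])
    return {
        "revision": revision,
        "authority": authority,
        "subauthorities": list(subs),
        "text": text,
        "name": WELL_KNOWN.get(text),
    }

# Constructed sample inputs.
ADMINS_RAW = bytes.fromhex("01020000000000052000000020020000")
EVERYONE_RAW = bytes.fromhex("010100000000000100000000")

if __name__ == "__main__":
    for blob in (ADMINS_RAW, EVERYONE_RAW):
        print(parse_sid(blob))
```

The length check matters when SIDs are pulled out of untrusted or truncated data: a subauthority count that disagrees with the buffer length is rejected instead of being read past the end.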

Access-Control Entries (ACEs) are used to build Access-Control Lists (ACLs).

Each ACE contains the following information:

  • A SID, that identifies the trustee. A trustee can be a user account, group account, or a logon account for a program such as a Windows NT service.
  • An access mask specifying access rights controlled by the ACE.
  • Flags that indicate the type of ACE and flags that determine whether other objects or containers can inherit the ACE from the primary object to which the ACL is attached.

There is a bug in the utility shutdown.exe that is part of the NT Resource Kit. That bug disables the screen saver on a remote machine.

To gauge the applicant’s knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).

This lets the interviewer determine how well the interviewee can interpret and voice back the results of a security scan, and how well they can communicate. The interviewer should already have worked with the scanner, its output, and should be able to work with the interviewee to determine the finer points of the data presented.

Authenticode is a way to assure users that code they download from the net has not been tampered with, and it gives the code an etched-in ID of the software publisher. Microsoft is pushing this as a new way of getting better security into software distribution over the net.

For the interviewer the URL is http://isc.sans.org and is usually green. The reason for asking the question is to find out if the candidate is on top of what the internet looks like today. You can substitute the ISS rating of one through five (http://www.iss.net), which is usually one, but most security folks know about the ISC and will spend time there.

They may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as – ‘ OR 1=1#). If they provide SQL examples, then offer them the following Error document information and ask them what this indicates.

ODBC Error Code = 37000 (Syntax error or access violation) 

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near ‘=’.  

Data Source = “ECommerceTheArchSupport2”

SQL = “SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE

QuickJump_Items.ItemId <> 0 AND QuickJumpId =”

The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file K:InetPubclientsloginhttpailment.cfm

The specific sequence of files included or processed is:

K:INETPUBCLIENTSLOGINHTTPAILMENT.CFM 

This error message indicates that the target web application is running Microsoft SQL and discloses directory structures.
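The error above ends at "QuickJumpId =", which is what a query looks like when request input is pasted into the SQL text and the input is empty. The following added example (not from the original page) shows that pattern beside a validated, parameterized version that returns only a generic error to the client. SQLite stands in for SQL Server, and the table contents and function names are constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("app")

# Query text taken from the error message above; the trailing value is user input.
QUERY = ("SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE "
         "QuickJump_Items.ItemId <> 0 AND QuickJumpId = ")

def make_db():
    """Constructed in-memory table standing in for the real database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE QuickJump_Items (ItemId INTEGER, QuickJumpId INTEGER)")
    db.executemany("INSERT INTO QuickJump_Items VALUES (?, ?)",
                   [(1, 7), (2, 7), (3, 9)])
    return db

def lookup_concatenated(db, raw):
    """'Before': input is pasted into the SQL text, so it can change the query."""
    return [row[0] for row in db.execute(QUERY + raw)]

def lookup_parameterized(db, raw):
    """'After': validate the type, then bind the value as a parameter."""
    value = int(raw)  # raises ValueError for "", "0 OR 1=1", ...
    return [row[0] for row in db.execute(QUERY + "?", (value,))]

def handle_request(db, raw):
    """Return (status, body); details go to the server log, not to the client."""
    try:
        return 200, lookup_parameterized(db, raw)
    except (ValueError, sqlite3.Error) as exc:
        log.warning("rejected QuickJumpId %r: %s", raw, exc)
        return 400, "Invalid request."

if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "0 OR 1=1"))   # every row comes back
    print(handle_request(db, "0 OR 1=1"))        # generic error only
    print(handle_request(db, "7"))
```

With the concatenated version an empty value raises a database syntax error, and if that exception text is sent to the browser it exposes the query and file paths just as the ODBC message above does.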

We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:

  • Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
  • Proper logging – increasing the verboseness of logging (Mod_Security audit_log)
  • Remote Centralized Logging
  • Alerting Mechanisms
  • Updating Signatures/Policies

The Microsoft Baseline Security Analyzer (MBSA) is a tool with graphical and command-line interfaces, developed by Microsoft, that can perform local or remote scans of Windows systems, assessing any missing hotfixes and vulnerabilities in certain Microsoft products.

One way to make it harder for the local user to do any harm to the system is to have a local PC without any hard disk or floppy disk. To boot, the system will need to talk to a boot server over the network.

The best way to protect your personal computer is to install Anti-Virus and Firewall software. CIS does not support home computers; however, below are some helpful links to information about safeguarding your computer at home.

Security is a huge concern for anyone involved in business processes, management, and administration. A good resource of information on maintaining security in Windows 2000 and IIS is the security section of the Windows 2000 site. Also see Internet Information Services (IIS) on the Microsoft TechNet site, where you can find information on securing IIS servers in addition to resources that will help you maintain a secure system and stay current with any releases, updates, and tools.

First of all, you should really, really reconsider whether it is a good idea to let NBT traffic through your firewall, especially if the firewall is between your internal network and the Internet.

The problem with NBT is that as soon as you open it up through the firewall, people will have potential access to all NetBIOS services, not just a selection of them, such as printing.

The following is a list of the ports used by NBT:

  • netbios-ns 137/tcp NETBIOS Name Service
  • netbios-ns 137/udp NETBIOS Name Service
  • netbios-dgm 138/tcp NETBIOS Datagram Service
  • netbios-dgm 138/udp NETBIOS Datagram Service
  • netbios-ssn 139/tcp NETBIOS Session Service
  • netbios-ssn 139/udp NETBIOS Session Service

Spyware is software that is installed without your knowledge. The purpose of Spyware is to monitor your computing activities and report this data back to companies for marketing purposes. Besides being an invasion of privacy, this software can cause serious performance issues.

A NULL session connection, also known as Anonymous Logon, is a way of letting a user who is not logged on retrieve information such as user names and shares over the network. It is used by applications such as explorer.exe to enumerate shares on remote servers. The sad part is that it lets non-authorized users do more than that. Particularly interesting is remote registry access, where the NULL session user has the same permissions as the built-in group Everyone.

With SP3 for NT4.0 or a fix for NT3.51, a system administrator can restrict the NULL session access, see $$$: Q14347@With this fix, a new well-known SID is defined, named “Authenticated Users”, which is Everyone except NULL session connected users. Replacing Everyone in all ACLs on the machine with Authenticated Users would be a good thing.

To do this in a controlled fashion, one can use cacls.exe for the file system, but one has to rely on a third-party product for the registry ACLs. Using explorer.exe/winfile.exe or regedt32.exe will most certainly break the system. The cause for this is that these tools replace the ACL instead of editing it.
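The access token and ACE descriptions earlier on this page, together with the Everyone versus Authenticated Users change described here, can be followed in a small model of the access check. This is an added example and a simplified model, not Windows code; the class and function names, the access-mask bits and the sample user SID are constructed, while the well-known SIDs are the real values.

```python
from dataclasses import dataclass

EVERYONE, ANONYMOUS, AUTH_USERS = "S-1-1-0", "S-1-5-7", "S-1-5-11"
ADMINS = "S-1-5-32-544"
READ, WRITE = 0x1, 0x2            # constructed access-mask bits

@dataclass(frozen=True)
class Ace:
    allow: bool                   # ACE type: allow or deny
    sid: str                      # trustee
    mask: int                     # access rights controlled by the ACE

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

def access_check(token, dacl, desired):
    """Walk the ACEs in order, as the reference monitor does for a DACL."""
    sids = {token.user_sid} | token.group_sids
    remaining = desired
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False          # an applicable deny ACE ends the check
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True           # every requested right has been granted
    return False                  # rights not granted by any ACE are denied

def swap_trustee(dacl, old_sid, new_sid):
    """Edit the ACL: change one trustee and keep every other ACE as it was."""
    return [Ace(a.allow, new_sid if a.sid == old_sid else a.sid, a.mask)
            for a in dacl]

# Constructed tokens: a NULL session and a logged-on user.
NULL_SESSION = Token(ANONYMOUS, frozenset({EVERYONE}))
ALICE = Token("S-1-5-21-1-2-3-1001", frozenset({EVERYONE, AUTH_USERS}))
ORIGINAL_DACL = [Ace(True, EVERYONE, READ), Ace(True, ADMINS, READ | WRITE)]
HARDENED_DACL = swap_trustee(ORIGINAL_DACL, EVERYONE, AUTH_USERS)
```

Because `swap_trustee` edits the list rather than replacing it, the Administrators entry survives the change, which is the property the page warns is lost when a tool rewrites the whole ACL.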