1. Why is password lockout an effective deterrent to cracking attempts? B
A. Passwords cannot be changed through brute-force methods
B. A limited number of login attempts before lockout reduces the number of guesses the potential cracker can make
C. Passwords protected in this manner are impossible to find because they are locked out of the main flow of information on the WAN
D. Password lockout provides no real improvement over traditional locking methods.
From the network security course we learned how important passwords are. For an attacker to gain full administrative control of a system, he needs to crack passwords (there are other ways to obtain administrator privileges, but here we only discuss passwords). The methods hackers commonly use to crack passwords are dictionary and brute-force attacks, and the most commonly used tool is the well-known John the Ripper (free download from www.openwall.com/john/), which can crack Linux shadow files and Windows NT/2000 passwords. Once the SAM or shadow file has been obtained, cracking the passwords is only a matter of time. Therefore, to keep hackers from cracking passwords easily, we need to increase password strength (length, complexity), and more importantly set a password policy that prevents password guessing. In Windows 2000 we use the account lockout policy to prevent password guessing (mmc --> Add/Remove Snap-in --> Account Policies --> Account Lockout Policy; a locked-out account is unlocked with the Computer Management tool. Note that after changing the security policy we must run secedit /refreshpolicy machine_policy and
secedit /refreshpolicy user_policy for the policy change to take effect!!)
Remember: use John to test the strength of the passwords on your system before a hacker does.
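The account lockout policy discussed above, as an added Python model (not code from the study guide) of its three settings, showing how the policy caps the number of guesses that are actually checked, which is the effect answer B describes. The password, the attempt rate and the policy values are constructed for the model.

```python
# Added example (not from the study guide): a model of the Windows 2000 account
# lockout policy referred to above. Its three settings are the lockout threshold
# (bad attempts before lockout), the lockout duration, and the quiet period after
# which the bad-attempt counter resets. guesses_possible() counts how many wrong
# guesses actually get checked in a given time, which is the effect answer B names.
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int       # bad attempts before lockout; 0 = never lock out
    duration_s: int      # seconds the account stays locked; 0 = until an admin unlocks it
    reset_after_s: int   # seconds of quiet after which the bad-attempt counter resets

class Account:
    def __init__(self, password, policy):
        self._password = password   # constructed; a real system compares a hash
        self.policy = policy
        self.bad_attempts = 0
        self.last_bad_at = None
        self.locked_until = None

    def try_login(self, guess, now):
        """One logon attempt at integer time `now`; returns 'locked', 'ok' or 'bad'."""
        p = self.policy
        if self.locked_until is not None and now < self.locked_until:
            return "locked"          # refused before the password is even compared
        if self.last_bad_at is not None and now - self.last_bad_at >= p.reset_after_s:
            self.bad_attempts = 0    # quiet period elapsed, counter starts over
        if guess == self._password:
            self.bad_attempts = 0
            return "ok"
        self.bad_attempts += 1
        self.last_bad_at = now
        if p.threshold and self.bad_attempts >= p.threshold:
            # lock the account; duration 0 means locked until unlock() is called
            self.locked_until = now + p.duration_s if p.duration_s else float("inf")
            self.bad_attempts = 0
        return "bad"

    def unlock(self):
        """What the Computer Management tool does for a locked-out account."""
        self.locked_until = None

def guesses_possible(policy, seconds):
    """Wrong guesses that actually get checked when an attacker tries once per second."""
    acct = Account("constructed-correct-password", policy)
    return sum(acct.try_login(f"wrong{t}", t) == "bad" for t in range(seconds))
```

With a threshold of 5, a 30-minute lockout and a 30-minute reset window, only 10 guesses are checked in an hour instead of 3600.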
Q. 2
Which of the following choices best defines the Windows NT security account manager? B
A. It is the portion of the GINA DLL that controls security
B. It is the database containing the identity of the users and their credentials
C. It is the name of the machine responsible for the management of all the security of the LAN
D. It is the interface that is responsible for logging on and user IDs
"security account manager" may look unfamiliar, but if you look at the SAM and SAM.log files under C:\WINNT\system32\config and work out what SAM stands for, this question is not hard. Windows actually authenticates as follows:
Example: user mytheory wants to log on to the system
Authenticate with account name/password (compared against the SAM database)
mytheory ==========================================================>> WinLogon
|success
|
Obtain an access token
user: SID of mytheory = S-1-5-21-1229272821-651377827-725345543-1004
Group=Everyone S-1-1-0
|
allowed
|
File to be viewed ----------------->> ACL (compare the entries in the access control list to see whether mytheory has permission to view the file)
READ=mytheory S-1-5-21-1229272821-651377827-725345543-1004
WRITE=Administrators S-1-5-32-544
Note: the SAM database serves a purpose similar to the passwd (or shadow) file on Linux.
Q. 3
Under the level C2 security classification, what does "discretionary access control" mean? A
A. Discretionary access control means that the owner of a resource must be able to use that resource
B. Discretionary access control is the ability of the system administrator to limit the time any user spends on a computer
C. Discretionary access control is a policy that limits the use of any resource to a group or a security profile
D. Discretionary access control is a rule set by the security auditor to prevent others from downloading unauthorized scripts or programs.
Q. 4
Michel wants to write a computer virus that will cripple UNIX systems. What is going to be the main obstacle preventing him from success? B
A. UNIX computers are extremely difficult to access illicitly over the internet, and therefore computer viruses are not an issue with UNIX systems
B. Due to the file permission structure and the number of variations in the UNIX hardware architectures, a virus would have to gain root privileges as well as identify the hardware and UNIX flavor in use.
C. Due to availability of effective free anti-virus tools, computer viruses are caught early and often. Michel's virus would have to evade detection for it to succeed.
D. Due to the extensive use of ANSI "C" in the programming of UNIX, the virus would have to mimic some of the source code used in the infected iteration of the UNIX operating system
UNIX and UNIX-like systems have clear definitions of users, groups and file ownership. On these systems a program affects only the user who runs it. This differs from Windows, where any program that runs has full control of the machine and can even read and write the boot sector (MBR). This makes developing a virus for UNIX systems rather difficult, although some proof-of-concept viruses have appeared; they can only spread when run as root (so log in as root only when root privileges are genuinely required, and otherwise do not use root). The best-known Internet worm was created in November 1988 by Robert Morris, the son of a US security official.
Q. 5
Which of the following best describes the problem with share permissions and share points in Windows NT? D
A. Share points must be the same value as the directory that serves the share point
B. Share points contain permissions; and any file under the share point must possess the same permissions
C. Share permissions are exclusive to root directories and files; they do not involve share points, which define user permissions
D. Share points are set when connection is established, therefore the static nature of file permissions can conflict with share points if they are not set with read and write permissions for everyone.
In Windows NT/2000, when share permissions and NTFS permissions conflict, the most restrictive permission applies. For example, if the share permission on a shared folder is Read and Write but the NTFS permission is Read, the user ends up with read-only access.
Q. 6
What do the discretionary ACL (access control list) and the system ACL in Windows NT have in common? A
A. Both share properties for storing object identifiers
B. Both can grant or deny permissions to parts of the system
C. Both are installed by default on the system in different sections of the client/server model
D. Both are responsible for creation of the master access control list
The Windows NT security subsystem consists of five key components: security identifiers, access tokens, security descriptors, access control lists, and access control entries. The interaction of these components controls what users can do.
Security identifiers
A security identifier (SID) is a statistically unique number assigned to every user, group and computer. "Statistically unique" means that the chance of two SIDs being the same is extremely remote. Each time a new user or group is created it receives a unique SID. Each time Windows NT is installed and started, a new SID is also assigned to the computer. The SID identifies users, groups and computers uniquely, not only on a particular machine but also when interacting with other computers. To ensure uniqueness, SIDs are built from a combination of the computer name, the current time, and the CPU time consumed by the current user-mode thread. A SID looks like this:
S-1-5-163499331-18283675290-12989372637-500
SIDs are the foundation of the Windows NT security architecture.
Access tokens
One main purpose of the logon process is to assign users an access token once they have been authenticated. The access token is made up of the user's SID, the SIDs of the groups the user belongs to, the user name, and the names of the user's groups. The access token is like an admission ticket that lets the user access the computer's resources. Whenever the user attempts an access, the access token is presented to Windows NT, which checks the token against the access control list of the requested object. If the user passes the check for that object, the corresponding access is granted. Access tokens are only issued during logon, so once a user's access rights have been changed, the user must log on again to receive an updated access token.
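The token-against-ACL check sketched in the Q2 diagram and described under "Access tokens", as an added Python model (not code from the study guide). It uses the SIDs from the Q2 diagram; the access-mask bits, the Allow/Deny ordering rule and the NULL-versus-empty DACL behaviour follow the Windows access-check rules, and the Administrator SID used in the checks is constructed.

```python
# Added example (not from the study guide): a simplified model of the Windows NT
# access check. The token holds the user's SID plus group SIDs; the object's DACL
# is an ordered list of ACEs. ACEs are walked in order: a Deny ACE for a SID in the
# token that covers a still-wanted right refuses access, Allow ACEs accumulate
# rights, and the walk stops once every requested right has been granted.
from dataclasses import dataclass

# SIDs taken from the Q2 diagram; the access-mask bits are constructed for the model.
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
MYTHEORY = "S-1-5-21-1229272821-651377827-725345543-1004"
READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | set(self.group_sids)

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

def access_check(token, dacl, desired):
    """Return True when the token is granted every right bit in `desired`."""
    if dacl is None:            # NULL DACL: the object is unprotected, all access granted
        return True
    remaining = desired
    for ace in dacl:            # an empty DACL never grants anything, so it denies
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False        # an explicit Deny on a still-wanted right wins
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

# The file from the Q2 diagram: mytheory may READ, Administrators may WRITE.
FILE_DACL = [Ace("allow", MYTHEORY, READ), Ace("allow", ADMINISTRATORS, WRITE)]
mytheory_token = Token(MYTHEORY, frozenset({EVERYONE}))
```

Because the token is built at logon, a user added to Administrators after logging on still carries the old group list and fails the WRITE check until they log on again, which is the point the passage makes.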