What should you do to minimize the effect of denial-of-service attacks on the Server that is used by company executives for remote e-mail access?
A. Enable SSL connections on the Exchange 2000 Server computer that runs Outlook Web Access and place the Server in an Internet perimeter network (DMZ).
B. Use two storage groups on the Exchange 2000 Server computer that runs Outlook Web Access.
C. Enable IPSec on the Exchange 2000 Server computer that runs Outlook Web Access.
D. Place two front-end Exchange 2000 Server computers in an Internet perimeter network (DMZ).
Answer: D
Explanation:
Basic security an PKI knowledge question. We have a NLB cluster Server in our perimeter network. This mean that external users are accessing to our OWA site over SSL. Although we can use MS certificate services to secure our Web server. This certificates need to be distributed to any client in order to avoid the typical error. Avoid ROOT authority unknown. In this way we will need to obtain just one certificate for our NLB cluster and put the same certificate in each Web server that are in the cluster.
IPSEC Protection against attacks
IPSec protects data so that an attacker finds it extremely difficult or impossible to interpret it. The level of protection provided is determined by the strength of the security levels specified in your IPSec policy structure.
IPSec has a number of features that significantly reduce or prevent the following attacks:
* Sniffers (lack of confidentiality)
The Encapsulating Security Payload (ESP) protocol in IPSec provides data confidentiality by encrypting the payload of IP packets.
* Data modification
IPSec uses cryptography-based keys, shared only by the sending and receiving computers, to create a cryptographic checksum for each IP packet. Any modification to the packet data alters the checksum, which indicates to the receiving computer that the packet was modified in transit.
* Identity spoofing, password-based, and application-layer attacks
IPSec allows the exchange and verification of identities without exposing that information to interpretation by an attacker. Mutual verification (authentication) is used to establish trust between the communicating systems and only trusted systems can communicate with each other.
After identities are established, IPSec uses cryptography-based keys, shared only by the sending and receiving computers, to create a cryptographic checksum for each IP packet. The cryptographic checksum ensures that only the computers that have knowledge of the keys could have sent each packet.
* Man-in-the-middle attacks
IPSec combines mutual authentication with shared, cryptography-based keys.
* Denial-of-service attacks
IPSec uses IP packet filtering methodology as the basis for determining whether communication is allowed, secured, or blocked, according to the IP address ranges, IP protocols, or even specific TCP and UDP ports.
Microsoft network client: Digitally sign communications (always)Description This security setting determines whether packet signing is required by the SMB client component.
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent manin- the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
Using NTLMv2 helps eliminate man-in-the-middle attacks
A security attack in which an attacker intercepts and possibly modifies data that is transmitted between two users. The attacker pretends to be the other person to each user. In a successful manin- the-middle attack, the users are unaware that there is an attacker between them, intercepting and modifying their data. Also referred to as a bucket brigade attack.in which an attacker tries to force authentication using the less secure Lan Manager (LM) Authentication protocol.
Reference:
Windows 2000 Server Help
Exchange Server 2000 Resource KIT
Exchange server help
How to Configure Certificate Server for Use with SSL on IIS KB 218445
HOW TO: Load Balance a Web Server Farm Using One SSL Certificate in IIS KB 313299
