
Security Questions

Some of the key takeaways from the document are the important Windows port numbers and their uses, how to check tombstone lifetime value in Active Directory, and the differences between a basic and dynamic drive in Windows Server 2008.

The document lists many important Windows port numbers and their corresponding uses, such as RDP port 3389 for remote desktop, FTP port 21 for file transfer protocol, DNS port 53 for domain name system, and more.

To check the tombstone lifetime value in a forest, you can use the dsquery command with the -attr tombstonelifetime parameter, replacing the forestDN with your domain partition DN. The default values differ based on the Windows operating system.

1. What are the important Windows port numbers:



RDP 3389 (windows rdp port number and remote desktop port number)
FTP 21 (file transfer protocol)
TFTP 69 ( tftp port number )
Telnet 23 ( telnet port number)
SMTP 25 ( SMTP port number)
DNS 53 ( dns port number and Domain Name System port number)
DHCP 68 (DHCP port number and Dynamic Host Configuration Protocol port number )
POP3 110 ( post office Protocol 3 port )
HTTP 80 (http port number)
HTTPS 443 (https port number)
NNTP 119 ( Network News Transfer Protocol Port number )
NTP 123 (ntp port number and network Time Protocol and SNTP port number )
IMAP 143 (Internet Message Access Protocol port number)
SSMTP 465 (SMTP over SSL)
SIMAP 993 (IMAP over SSL)
SPOP3 995 (POP3 over SSL)
Time 123 ( ntp port number and network Time Protocol and SNTP port number )
NetBios 137 ( Name Service )
NetBios 139 ( Datagram Service )
DHCP Client 546 (DHCP Client port number)
DHCP Server 547 (DHCP Server port number)
Global Catalog 3268 (Global Catalog port number)
LDAP 389 ( LDAP port number and Lightweight Directory Access Protocol port number )
RPC 135 (remote procedure call Port number)
Kerberos 88 ( Kerberos Port Number)
SSH 22 ( ssh port number and Secure Shell port number)
2. How to check tombstone lifetime value in your Forest
The tombstone lifetime value differs from OS to OS. For Windows Server 2000/2003 it is 60 days. In Windows
Server 2003 SP1 the default tombstone lifetime (TSL) value was increased from 60 days to 180 days, in
Windows Server 2003 R2 the TSL value was decreased back to 60 days, and for Windows Server 2003 R2 SP2
and Windows Server 2008 it is 180 days.

If you are migrating a Windows 2003 environment to Windows 2008, then it is 60 days.
You can use the command below to check/view the current tombstone lifetime value for your
domain/forest:
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=<forestDN>" -scope base -attr tombstonelifetime
Replace <forestDN> with your domain partition DN; for domainname.com the DN would be
dc=domainname,dc=com
Source: http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx
3. How to find the domain controller that contains the lingering object
If we enable Strict Replication Consistency:
Lingering objects are not present on domain controllers that log Event ID 1988. The source domain
controller contains the lingering object.
If we don't enable Strict Replication Consistency:
Lingering objects are not present on domain controllers that log Event ID 1388. The domain controller that
doesn't log Event ID 1388 is the one that contains the lingering object.
For example, if you have 100 domain controllers that don't have Strict Replication Consistency enabled, you
will get Event ID 1388 on all 99 domain controllers except the one that contains the lingering object.
You need to remove the lingering objects from the affected domain controller or decommission the domain
controller.
You can use the Event Comb tool (Eventcombmt.exe), a multi-threaded tool that gathers
specific events from the Event Viewer logs of different computers at the same time.
You can download these tools from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
4. What are Active Directory ports:
List of Active Directory ports for Active Directory replication and Active Directory authentication; these
ports can be used to configure the firewall.

Active Directory replication - There is no defined port for Active Directory replication. Active Directory
replication remote procedure calls (RPC) occur dynamically over an available port through RPCSS (RPC
Endpoint Mapper) by using port 135.
File Replication Services (FRS) - There is no defined port for FRS. FRS replication over remote
procedure calls (RPCs) occurs dynamically over an available port by using RPCSS (RPC Endpoint
Mapper) on port 135.
Other required ports for Active Directory:

TCP 53 - DNS (DNS Download)
UDP 53 - DNS (DNS Queries)
TCP 42 - WINS
UDP 42 - WINS
TCP 3389 - RDP (Remote Desktop)
TCP 135 - MS-RPC
TCP 1025 & 1026 - AD Login & replication
TCP 389 - LDAP
TCP 639 - LDAP over SSL/TLS
TCP 3268 - Global Catalog
TCP 3268 - Global Catalog over SSL/TLS
UDP 137 & 138 - NetBIOS related
UDP 88 - Kerberos v5
TCP 445 - SMB, Microsoft-ds
TCP 139 - SMB
5. How to do active directory health checks?
As an administrator you have to check your Active Directory health daily to reduce Active Directory
related issues. What happens if you are not monitoring the health of your Active Directory?
Let's say one of the domain controllers fails to replicate. On the first day you will not have any issue. If this
continues, you will have login issues, and you will not find the object changes and new objects that were
created or changed on other domain controllers; this will lead to other issues.
If the domain controller has not replicated for more than 60 days, it will lead to a lingering objects issue.
Command to check the replication to all the DCs (through this we can check Active Directory
health):
Repadmin /replsum /bysrc /bydest /sort:delta
You can also save the command output to a text file by using the command below:
Repadmin /replsum /bysrc /bydest /sort:delta >>c:\replication_report.txt
This will list the domain controllers that are failing to replicate, with the delta value.
You can run this daily to check your Active Directory health.
6. GPRESULT failed with access denied error:
Unable to get the result from gpresult on a Windows 2003 server: gpresult returns access denied
errors, although you are able to update the group policy without issue.
To resolve the access denied error when running gpresult, run the following commands to register
userenv.dll and recompile the RSoP MOF file.
1. Open a cmd
2. Re-register the userenv.dll
Regsvr32 /n /I c:\winnt\system32\userenv.dll
3. CD c:\windows\system32\wbem
4. Mofcomp scersop.mof
5. Gpupdate /force
6. Gpresult
Now you are able to run gpresult without error, and a server reboot is not required for this procedure.
7. What is the command to find out site name for given DC
dsquery server NYDC01 -site
domain controller name = NYDC01
8. Command to find all DCs in the given site
Command to find all the Domain Controllers in the Default-First-Site-Name site
dsquery server -o rdn -site Default-First-Site-Name
Site name = Default-First-Site-Name
9. How many types of queries DNS does?
Iterative Query
Recursive Query




http://www.techiebird.com/windowshome.html

1. What are some of the new tools and features provided by Windows Server 2008?
Windows Server 2008 now provides a desktop environment similar to Microsoft Windows Vista and
includes tools also found in Vista, such as the new backup snap-in and the BitLocker drive encryption
feature. Windows Server 2008 also provides the new IIS7 web server and the Windows Deployment
Service.

2. What are the different editions of Windows Server 2008?
The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides
a platform for large enterprisewide networks. The Datacenter Edition provides support for unlimited
Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of
Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and
Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.

3. What two hardware considerations should be an important part of the planning process for a
Windows Server 2008 deployment?
Any server on which you will install Windows Server 2008 should have at least the minimum hardware
requirement for running the network operating system. Server hardware should also be on the Windows
Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating
system incompatibility.

4. What are the options for installing Windows Server 2008?
You can install Windows Server 2008 on a server not currently configured with NOS, or you can upgrade
existing servers running Windows 2000 Server and Windows Server 2003.

5. How do you configure and manage a Windows Server 2008 core installation?
This stripped-down version of Windows Server 2008 is managed from the command line.

6. Which Control Panel tool enables you to automate the running of server utilities and other
applications?
The Task Scheduler enables you to schedule the launching of tools such as Windows Backup and Disk
Defragmenter.

7. What are some of the items that can be accessed via the System Properties dialog box?
You can access virtual memory settings and the Device Manager via the System Properties dialog box.

8. When a child domain is created in the domain tree, what type of trust relationship exists
between the new child domain and the tree's root domain?
Child domains and the root domain of a tree are assigned transitive trusts. This means that the root
domain and child domain trust each other and allow resources in any domain in the tree to be accessed
by users in any domain in the tree.

9. What is the primary function of domain controllers?
The primary function of domain controllers is to validate users to the network. However, domain
controllers also provide the catalog of Active Directory objects to users on the network.

10. What are some of the other roles that a server running Windows Server 2008 could fill on the
network?
A server running Windows Server 2008 can be configured as a domain controller, a file server, a print
server, a web server, or an application server. Windows servers can also have roles and features that
provide services such as DNS, DHCP, and Routing and Remote Access.

11. Which Windows Server 2008 tools make it easy to manage and configure a server's roles and
features?
The Server Manager window enables you to view the roles and features installed on a server and also to
quickly access the tools used to manage these various roles and features. The Server Manager can be
used to add and remove roles and features as needed.

12. What Windows Server 2008 service is used to install client operating systems over the
network?
Windows Deployment Services (WDS) enables you to install client and server operating systems over the
network to any computer with a PXE-enabled network interface.

13. What domain services are necessary for you to deploy the Windows Deployment Services on
your network?
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.

14. How is WDS configured and managed on a server running Windows Server 2008?
The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and
install images to the server.

15. What is the difference between a basic and dynamic drive in the Windows Server 2008
environment?
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple
volumes).
Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks
also support Windows Server 2008 RAID implementations.

16. What is RAID in Windows Server 2008?
RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into your file
servers. RAID enables you to combine one or more volumes on separate drives so that they are
accessed by a single drive letter. Windows Server 2008 enables you to configure RAID 0 (a striped set),
RAID 1 (a mirror set), and RAID 5 (disk striping with parity).

17. What conceptual model helps provide an understanding of how network protocol stacks such
as TCP/IP work?
The OSI model, consisting of the application, presentation, session, transport, network, data link, and
physical layers, helps describe how data is sent and received on the network by protocol stacks.

18. What protocol stack is installed by default when you install Windows Server 2008 on a network
server?
TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory
implementations and provides for connectivity on heterogeneous networks.

19. How is a server running Windows Server 2008 configured as a domain controller, such as the
domain controller for the root domain or a child domain?
Installing the Active Directory on a server running Windows Server 2008 provides you with the option of
creating a root domain for a domain tree or of creating child domains in an existing tree. Installing Active
Directory on the server makes the server a domain controller.

20. What are some of the tools used to manage Active Directory objects in a Windows Server 2008
domain?
When the Active Directory is installed on a server (making it a domain controller), a set of Active Directory
snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active
Directory objects such as user accounts, computers, and groups. The Active Directory Domains and
Trusts snap-in enables you to manage the trusts that are defined between domains. The Active Directory
Sites and Services snap-in provides for the management of domain sites and subnets.

21. How are domain user accounts created and managed?
The Active Directory Users and Computers snap-in provides the tools necessary for creating user
accounts and managing account properties. Properties for user accounts include settings related to logon
hours, the computers to which a user can log on, and the settings related to the user's password.

22. What type of Active Directory objects can be contained in a group?
A group can contain users, computers, contacts, and other nested groups.

23. What type of group is not available in a domain that is running at the mixed-mode functional
level?
Universal groups are not available in a mixed-mode domain. The functional level must be raised to
Windows 2003 or Windows 2008 to make these groups available.

24. What types of Active Directory objects can be contained in an Organizational Unit?
Organizational Units can hold users, groups, computers, contacts, and other OUs. The Organizational
Unit provides you with a container directly below the domain level that enables you to refine the logical
hierarchy of how your users and other resources are arranged in the Active Directory.

25. What are Active Directory sites in Windows Server 2008?
Active Directory sites are physical locations on the network's physical topology. Each regional domain
that you create is assigned to a site. Sites typically represent one or more IP subnets that are connected
by IP routers. Because sites are separated from each other by a router, the domain controllers on each
site periodically replicate the Active Directory to update the Global Catalog on each site segment.

26. Can servers running Windows Server 2008 provide services to clients when they are not part
of a domain?
Servers running Windows Server 2008 can be configured to participate in a workgroup. The server can
provide some services to the workgroup peers but does not provide the security and management tools
provided to domain controllers.

27. What does the use of Group Policy provide you as a network administrator?
Group Policy provides a method of controlling user and computer configuration settings for Active
Directory containers such as sites, domains, and OUs. GPOs are linked to a particular container, and
then individual policies and administrative templates are enabled to control the environment for the users
or computers within that particular container.

28. What tools are involved in managing and deploying Group Policy?
GPOs and their settings, links, and other information such as permissions can be viewed in the Group
Policy Management snap-in.

29. How do you deal with Group Policy inheritance issues?
GPOs are inherited down through the Active Directory tree by default. You can block the inheritance of
settings from upline GPOs (for a particular container such as an OU or a local computer) by selecting
Block Inheritance for that particular object. If you want to enforce a higher-level GPO so that it overrides
directly linked GPOs, you can use the Enforce command on the inherited (or upline) GPO.

30. How can you make sure that network clients have the most recent Windows updates installed
and have other important security features such as the Windows Firewall enabled before they can
gain full network access?
You can configure a Network Policy Server (a service available in the Network Policy and Access
Services role). The Network Policy Server can be configured to compare desktop client settings with
health validators to determine the level of network access afforded to the client.

31. What is the purpose of deploying local DNS servers?
A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses.
Because the DNS is a distributed database, the local DNS servers can provide record information to
remote DNS servers to help resolve remote requests related to fully qualified domain names on your
network.

In terms of DNS, what is a caching-only server?
A caching-only DNS server supplies information related to queries based on the data it contains in its
DNS cache. Caching-only servers are often used as DNS forwarders. Because they are not configured
with any zones, they do not generate network traffic related to zone transfers.

How is the range of IP addresses defined for a Windows Server 2008 DHCP server?
The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one
subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can
be included in an exclusion range.

Web Security Interview Questions [DOC]
By Ryan Barnett

The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who
are applying for web security related positions. These questions do not have right or wrong answers, but
rather spark relevant conversation between the applicant and the hiring staff.


Entry Level Questions

1. What do you see as the most critical and current threats affecting Internet accessible websites?

Goal of question - To gauge the applicant's knowledge of current web related threats. Topics such as
Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully
they will mention information provided by web security organizations such as the Web Application
Security Consortium (WASC) or the Open Web Application Security Project (OWASP).


2. What online resources do you use to keep abreast of web security issues? Can you give an
example of a recent web security vulnerability or threat?

Goal of question - Determine if the applicant utilizes computer security resources such as CERT, SANS
Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also
good resources. Recent examples of threats will vary depending on current events, but issues such as
new web based worms (PHP Santy Worm) or applications, which are in wide use (awstats scripts) are
acceptable.


3. What do you see as challenges to successfully deploying/monitoring web intrusion detection?

Goal of question - We are attempting to see if the applicant has a wide knowledge of web security
monitoring and IDS issues such as:
Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
Proper logging - increasing the verboseness of logging (Mod_Security audit_log)
Remote Centralized Logging
Alerting Mechanisms
Updating Signatures/Policies

4. What is your definition of the term "Cross-Site Scripting"? What is the potential impact to
servers and clients?

Goal of question - This question will determine if the applicant is well versed in the terminology used in web
security. The applicant needs to be able to articulate highly technological topics to a wide audience. The
second question will help to verify that the applicant fully understands how XSS attacks work and the
impact to client information. WASC has a web security glossary of terms that may be of help -
http://www.webappsec.org/glossary.html

Cross-Site Scripting: (Acronym XSS) An attack technique that forces a web site to echo client-supplied
data, which execute in a user's web browser. When a user is Cross-Site Scripted, the attacker will have
access to all web browser content (cookies, history, application version, etc). XSS attacks do not typically
directly target the web server or application, but are rather aimed at the client. The web server is merely
used as a conduit for the XSS data to be presented to the end client. See also "Client-Side Scripting".


5. What are the most important steps you would recommend for securing a new web server? Web
application?

Goal of question - Once again, there is no right or wrong answer, however we are interested in what the
applicant views as important.
Web Server Security:
Update/Patch the web server software
Minimize the server functionality - disable extra modules
Delete default data/scripts
Increase logging verboseness
Update Permissions/Ownership of files
Web Application Security:
Make sure Input Validation is enforced within the code - Security QA testing
Configured to display generic error messages
Implement a software security policy
Remove or protect hidden files and directories




How do you change your DNS settings in Linux/Windows?
Here you're looking for a quick comeback for any position that will involve system administration (see
system security). If they don't know how to change their DNS server in the two most popular operating
systems in the world, then you're likely working with someone very junior or otherwise highly abstracted
from the real world.
What's the difference between encoding, encryption, and hashing?
Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its
original message upon arriving, and it isn't primarily a security function. It is easily reversible because the
system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for
confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is
one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.
Who do you look up to within the field of Information Security? Why?
A standard question type. All we're looking for here is to see if they pay attention to the industry leaders,
and to possibly glean some more insight into how they approach security. If they name a bunch of
hackers/criminals that'll tell you one thing, and if they name a few of the pioneers that'll say another. If
they don't know anyone in Security, well, consider closely what position you're hiring them for. Hopefully it
isn't a junior position.
Where do you get your security news from?
Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include
things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is
that he doesn't respond with, "I go to the CNET website," or, "I wait until someone tells me about
events." It's these types of answers that will tell you he's likely not on top of things.
If you had to both encrypt and compress data during transmission, which would you do first, and
why?
If they don't know the answer immediately it's ok. The key is how they react. Do they panic, or do they
enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the
interviewer that I didn't know the answer but that I needed just a few seconds to figure it out. I thought out
loud and within 10 seconds gave him my answer: Compress then encrypt. If you encrypt first you'll have
nothing but random data to work with, which will destroy any potential benefit from compression.
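The answer above can be measured directly. The following is an added example, not part of the original document: it sends the same constructed sample through both orderings and compares the sizes on the wire. The `keystream_xor` function is a stand-in cipher built from SHA-256 so the example runs with the standard library only; all names, the key and the nonce are assumptions made for the demonstration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || nonce || counter).

    Constructed for this demonstration only. It is unauthenticated and is
    not a substitute for a vetted cipher; the same call encrypts and decrypts.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Compression sees the redundant plaintext, then the result is encrypted.
    return keystream_xor(key, nonce, zlib.compress(plaintext, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Compression only ever sees ciphertext, which looks like random bytes.
    return zlib.compress(keystream_xor(key, nonce, plaintext), 9)


def receive(key: bytes, nonce: bytes, wire: bytes) -> bytes:
    """Receiver for the compress-then-encrypt order: decrypt, then inflate."""
    return zlib.decompress(keystream_xor(key, nonce, wire))


def compare_orders() -> dict:
    key = bytes(range(32))        # constructed demo key
    nonce = b"demo-nonce-0001"    # constructed; must be unique per message
    # Constructed sample input: repetitive, like most log or markup traffic.
    plaintext = b"".join(
        b"2024-01-01T00:00:%02d GET /index.html 200 user=alice\n" % (i % 60)
        for i in range(400)
    )
    good = compress_then_encrypt(key, nonce, plaintext)
    bad = encrypt_then_compress(key, nonce, plaintext)
    # The recommended order must still round-trip to the original bytes.
    if receive(key, nonce, good) != plaintext:
        raise ValueError("round trip failed")
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(good),
        "encrypt_then_compress": len(bad),
    }


if __name__ == "__main__":
    for name, size in compare_orders().items():
        print(f"{name:>22}: {size} bytes")
```
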
What's the difference between symmetric and public-key cryptography?
Standard stuff here: single key vs. two keys, etc, etc.
In public-key cryptography you have a public and a private key, and you often perform both
encryption and signing functions. Which key is used for which function?
You encrypt with the other person's public key, and you sign with your own private. If they confuse the
two, don't put them in charge of your PKI project.
What kind of network do you have at home?
Good answers here are anything that shows you he's a computer/technology/security enthusiast and not
just someone looking for a paycheck. So if he's got multiple systems running multiple operating systems
you're probably in good shape. What you don't want to hear is, "I get enough computers when I'm at
work." I've yet to meet a serious security guy who doesn't have a considerable home network, or at
least access to one, even if it's not at home.
Network Security
What port does ping work over?
A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to
immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn't work over a port). A
good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as
those are layer 4 protocols.
How exactly does traceroute/tracert work at the protocol level?
This is a fairly technical question but it's an important concept to understand. It's not natively a security
question really, but it shows you whether or not they like to understand how things work, which is crucial
for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference
between Linux and Windows versions.
The key point people usually miss is that each packet that's sent out doesn't go to a different place. Many
people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second
hop, gets a time, and keeps going until it gets done. That's incorrect. It actually keeps sending packets to
the final destination; the only change is the TTL that's used. The extra credit is the fact that Windows
uses ICMP by default while Linux uses UDP.
What are Linux's strengths and weaknesses vs. Windows?
Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an
immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux
with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security
world.
Cryptographically speaking, what is the main method of building a shared secret over a public
medium?
Diffie-Hellman. And if they get that right you can follow-up with the next one.
What's the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far,
make sure they can elaborate on the actual difference, which is that one requires you to have key
material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.
What kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man-in-the-middle, as neither side is authenticated.
Application Security
Describe the last program or script that you wrote. What problem did it solve?
All we want to see here is if the color drains from the guy's face. If he panics then we not only know he's
not a programmer (not necessarily bad), but that he's afraid of programming (bad). I know it's
controversial, but I think that any high-level security guy needs some programming skills. They don't need
to be a God at it, but they need to understand the concepts and at least be able to muddle through some
scripting when required.
How would you implement a secure login field on a high traffic website where performance is a
consideration?
We're looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while
needing to present the login form via HTTPS, and how they'd recommend doing that. A key piece of the
answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean
that they've never seen or heard of this problem, which means they're not likely to be anything near pro
level.
What is Cross-Site Request Forgery?
Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired
answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included,
without their knowing. A solid example of this is when an IMG tag points to a URL associated with an
action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from
foo.com, and their browser would have made the action, not them (since browsers load all IMG tags
automatically).
How does one defend against CSRF?
Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method.
Again, we're looking for recognition and basic understanding here, not a full, expert level dissertation on
the subject. Adjust expectations according to the position you're hiring for.
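One way the per-request nonce defense can look on the server side, as an added example that is not part of the original document. `CsrfGuard`, `handle` and the `csrf_token` form field are hypothetical names; the `/logout` path is taken from the IMG-tag example above, and the requests are constructed in-process rather than sent over HTTP.

```python
import hmac
import secrets

# State-changing path from the IMG-tag example above.
STATE_CHANGING = {"/logout"}


class CsrfGuard:
    """Issues per-request nonces, tracked server-side per session, single use."""

    def __init__(self):
        self._pending = {}  # session_id -> set of nonces not yet redeemed

    def issue(self, session_id: str) -> str:
        """Create a nonce to embed as a hidden field in the form we serve."""
        nonce = secrets.token_urlsafe(32)
        self._pending.setdefault(session_id, set()).add(nonce)
        return nonce

    def consume(self, session_id: str, presented) -> bool:
        """Accept a nonce once, and only for the session it was issued to."""
        if not isinstance(presented, str) or not presented:
            return False
        outstanding = self._pending.get(session_id, set())
        match = None
        for nonce in outstanding:
            # Constant-time comparison so timing does not leak the nonce.
            if hmac.compare_digest(nonce.encode(), presented.encode()):
                match = nonce
        if match is None:
            return False
        outstanding.discard(match)  # single use: a replay will not match
        return True


def handle(guard: CsrfGuard, method: str, path: str, session_id: str, form: dict) -> int:
    """Return an HTTP-style status code for a constructed request."""
    if path not in STATE_CHANGING:
        return 200
    if method != "POST":
        return 405  # an IMG tag can only trigger GET, so GET never changes state
    if not guard.consume(session_id, form.get("csrf_token")):
        return 403  # cookie alone is not enough; the nonce must accompany it
    return 200


def demo() -> list:
    guard = CsrfGuard()
    victim, other = "session-victim", "session-other"  # constructed session ids
    token = guard.issue(victim)
    stolen = guard.issue(other)
    return [
        ("img-tag GET /logout", handle(guard, "GET", "/logout", victim, {})),
        ("cross-site POST, no nonce", handle(guard, "POST", "/logout", victim, {})),
        ("nonce from another session",
         handle(guard, "POST", "/logout", victim, {"csrf_token": stolen})),
        ("legitimate form POST",
         handle(guard, "POST", "/logout", victim, {"csrf_token": token})),
        ("replay of the same nonce",
         handle(guard, "POST", "/logout", victim, {"csrf_token": token})),
    ]


if __name__ == "__main__":
    for label, status in demo():
        print(f"{label:<28} -> {status}")
```
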
If you were a site administrator looking for incoming CSRF attacks, what would you look for?
This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we
already implement nonces?", or, "That depends on whether we already have controls in place."
Undesired answers are things like checking referrer headers, or wild panic.
What's the difference between HTTP and HTML?
Obviously the answer is that one is the networking/application protocol and the other is the markup
language, but again, the main thing you're looking for is for him not to panic.
How does HTTP handle state?
It doesn't, of course. Not natively. Good answers are things like cookies, but the best answer is that
cookies are a hack to make up for the fact that HTTP doesn't do it itself.
What exactly is Cross Site Scripting?
You'd be amazed at how many security people don't know even the basics of this immensely important
topic. We're looking for them to say anything regarding an attacker getting a victim to run script content
(usually JavaScript) within their browser.
What's the difference between stored and reflected XSS?
Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes
from the user in the form of a request (usually constructed by an attacker), and then gets run in the
victim's browser when the results are returned from the site.
What are the common defenses against XSS?
Input Validation/Output Sanitization, with focus on the latter.
Corporate/Risk
Whats the goal of information security within an organization?
<
p>This is a big one. What I look for is one of two approaches; the first is the ber-lockdown approach, i.e.
To control access to information as much as possible, sir! While admirable, this again shows a bit of
immaturity. Not really in a bad way, just not quite what Im looking for. A much better answer in my view is
something along the lines of, To help the organization succeed.
This type of response shows that the individual understands that business is there to make money, and
that we are there to help them do that. It is this sort of perspective that I think represents the highest level
of security understanding: a realization that security is there for the company and not the other way
around.
What's the difference between a threat, vulnerability, and a risk?
As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics
like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a
security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing
schools on this. Just look for solid answers that are self-consistent.
If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous
guy being fired for incompetence, what would your priorities be? [Imagine you start on day one
with no knowledge of the environment]
We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with
it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability
assessments. What's being logged and audited? Etc. The key is to see that they could quickly prioritize, in
just a few seconds, what would be the most important things to learn in an unknown situation.
As a corporate Information Security professional, what's more important to focus on: threats or
vulnerabilities?
This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather
than whether or not they chose the same as you, necessarily. My answer to this is that vulnerabilities
should usually be the main focus since we in the corporate world usually have little control over the
threats.
Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the
same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying
defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.
Both are true, of course; the key is to hear what they have to say on the matter.
The Onion Model
The questions above are fairly straightforward. They are, generally, negative filters, i.e. they're designed
to exclude candidates for having glaring weaknesses. If you are dealing with a more advanced
candidate then one approach I recommend taking is that of the onion model.
The Onion Model of interviewing starts at the surface level and then dives deeper and deeper, often to a
point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate's
knowledge stops, but also how they deal with not knowing something.
One component of this cannot be overstated: Using this method allows you to dive into the onion in
different ways, so even candidates who have read this list, for example, will not have perfect answers
even if you ask the same question.
An example of this would be starting with:
How does traceroute work?
They get this right, so you go to the next level.
What protocol does it use?
This is a trick question, as it can use lots of options, depending on the tool. Then you move on.
Describe a Unix traceroute hitting google.com at all seven layers of the OSI model.
Etc. It's deeper and deeper exploration of a single question. Here's a similar option for the end-phase of
such a question.
If I'm on my laptop, here inside my company, and I have just plugged in my network cable. How
many packets must leave my NIC in order to complete a traceroute to twitter.com?
The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to
consider round-trip times. What you're looking for is a realization that this is the way to approach it, and
an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee.
This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous,
"What happens when I go to Google.com?"
How would you build the ultimate botnet?
Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use
of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor
answers are things like, "I don't make them; I stop them."
Role-Playing as an Alternative to the Onion Model
Another option for going to increasing depth, is to role-play with the candidate. You present them a
problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.
You would tell them, for example, that they've been called in to help a client who's received a call from
their ISP stating that one or more computers on their network have been compromised. And it's their job
to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to
ask you as the controller of the environment, e.g. "I sniff the external connection using tcpdump on port
80. Do I see any connections to IP 8.8.8.8?" And you can then say yes or no, etc.
From there they continue troubleshooting/investigating until they solve the problem or you discontinue
the exercise due to frustration or pity.
Conclusion
For more on hiring overall, I recommend doing a good amount of research. Most important to learn, as I
talked about above, is the limitations of interviews. Use other data available to you whenever possible,
and above everything else: Be extremely cautious of anyone who thinks they can spot "the one" because
they're good at it.
Bias is a major problem in interviewing, and it's likely that someone with a steadfast belief in his or her
interview brilliance is doing harm to your organization by introducing bad candidates. When possible, do
what Google did: Explore the data. Look at how candidates did in interviews relative to how they did on
the job. Wherever you have mismatches you have a problem with your process.
Feel free to contact me if you have any comments on the questions, or if you have any ideas for additions.

Information Security Interview Questions
Posted: May 8, 2013 in InfoSec
Tags: interview question and answers, web application security
The number of Information Security related jobs is growing extensively. There is a huge requirement
for skilled InfoSec professionals across the globe. Job positions are available for freshers,
experienced guys and top management (typically CISO etc.). This post is my attempt to collect typical
InfoSec interview questions and answers to help those looking for opportunities in this field. I'll keep
updating the questions regularly. You can also share/contribute any questions you might have faced
during your InfoSec interviews.
Category I: General Security Concepts / Network Security / OS Security
1) Is there any difference between Information Security and IT Security? If yes, please explain the
difference.
Ans- Yes. Information Security and IT Security are different terms that are often used interchangeably. IT
Security focuses on purely technical controls (like implementing antivirus, firewall, hardening systems etc.)
while Information Security is a wider term which implies securing information as an asset, be it in any
form (e.g. shredding of paper documents to prevent dumpster diving). So IT Security can be
considered a subset of Information Security.
2) What is the difference between Encoding, Encryption and Hashing?
Ans- At a very high level, all three terms might appear similar, and people often confuse
them. But each technique is distinct and has a different use case.
The purpose of encoding is to transform data so that it can be properly (and safely) consumed by a
different type of system, e.g. binary data being sent over email, or viewing special characters on a web
page. The goal is not to keep information secret, but rather to ensure that it's able to be properly
consumed. It does not require a key, as the only thing required to decode it is the algorithm that was
used to encode it. Examples: ASCII, Unicode, URL Encoding, Base64.
The purpose of encryption is to transform data in order to keep it secret from others. It uses a key, which
is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption
operation. Examples: AES, Blowfish, RSA.
The purpose of hashing is to take arbitrary input and produce a fixed-length string that has the following
attributes:
1. The same input will always produce the same output.
2. Multiple disparate inputs should not produce the same output.
3. It should not be possible to go from the output to the input.
4. Any modification of a given input should result in drastic change to the hash.
Examples- MD5, SHA1, SHA2 etc. Hashing is often used in computer forensics to verify integrity of the
digital evidence.
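The keyless reversibility of encoding, the four hash attributes and the forensic integrity check can be exercised with the Python standard library. This is an added example, not part of the original post; it uses SHA-256 from the SHA2 family listed above, and the evidence bytes and function names are constructed for illustration. Encryption is left out because the standard library ships no cipher.

```python
import base64
import hashlib
import io

# Constructed stand-in for an acquired disk image (not real evidence).
EVIDENCE = b"constructed evidence block 0123456789\n" * 2048


def encode_roundtrip(data: bytes) -> bytes:
    """Encoding is reversible by anyone who knows the scheme: no key involved."""
    return base64.b64decode(base64.b64encode(data))


def sha256_hex(data: bytes) -> str:
    """Hashing: arbitrary input in, fixed-length (64 hex chars) digest out."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count differing bits between two equal-length hex digests (attribute 4)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hash_stream(stream, chunk_size: int = 65536) -> str:
    """Hash in chunks so images larger than memory can be processed."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_evidence(image: bytes, recorded_digest: str) -> bool:
    """Re-hash a working copy and compare with the digest recorded at acquisition."""
    return hash_stream(io.BytesIO(image)) == recorded_digest


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Simulate a single-bit change to the working copy."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]


if __name__ == "__main__":
    recorded = sha256_hex(EVIDENCE)            # taken once, at acquisition
    tampered = flip_one_bit(EVIDENCE, 1000)
    print("base64 round trip intact:", encode_roundtrip(EVIDENCE) == EVIDENCE)
    print("digest length (hex chars):", len(recorded))
    print("original verifies:", verify_evidence(EVIDENCE, recorded))
    print("tampered verifies:", verify_evidence(tampered, recorded))
    print("bits changed in digest:",
          bit_difference(recorded, sha256_hex(tampered)), "of 256")
```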
3) What is the difference between proxy, firewall, IDS and IPS?
A proxy server is a server (a computer system or an application) that acts as an intermediary for
requests from clients seeking resources from other servers. A client connects to the proxy server,
requesting some service, such as a file, connection, web page, or other resource available from a
different server and the proxy server evaluates the request as a way to simplify and control its complexity.
A firewall is basically meant for network traffic control/filtering, mainly at layer-3. It allows/denies packets
and connections based on certain pre-defined rules.
IDS- An Intrusion Detection System is an application which tries to detect intrusion attempts based on
the attack signature database it has.
IPS- An Intrusion Prevention System detects the intrusion (like an IDS) and goes one step ahead to
prevent it as well. It simply drops the packet it thinks suspicious (based on rules).
Examples:
1. Proxy- Squid
2. Firewall- IPTables, CISCO Pix, ZoneAlarm
3. IDS- SNORT
4. IPS- IBM Proventia
4) How does asymmetric encryption work?
5) How does SSL work?
6) What is port scanning? What are the countermeasures to prevent it?
7) What is Man in Middle attack? Can it be prevented?
8) What is the difference between false positive and false negative?
9) Explain the term Defense in depth.
10) What do you mean by stateful inspection by a firewall?
11) What is DMZ? Which systems should be placed in DMZ? What are common security precautions for
DMZ systems?
12) What is DLP? How does it work?
13) In what scenario, AD authentication should be used?
14) Is SSH completely secured? If not, can it be hardened more?
15) What is Virtualization? What are the security risks in it?
16) What do you mean by BYOD? Explain the security concerns related to it.
17) What are the different layers of OSI model? Can you list 1 vulnerability corresponding to each of the
OSI layer?
18) What are honeypots?
19) Tell us about any major security incident that happened recently.
20) How do you keep yourself updated with latest trends in Information Security?
Ans: I refer to various security news sites, blogs etc. (like thehackernews, Rapid7 blog etc.). Also, I am
subscribed to various online security magazines like Pentest magazine, HackInsight etc. and I surf
through the archives of various security conferences held worldwide.
21) Which OS do you feel is more secure? Linux or Windows?
Ans: No OS is secure unless and until its administrator is smart enough to secure it. Though Windows
has more publicly found security issues, it can still be hardened appropriately. It's all about perception and
having the right sense of security. Linux definitely provides robust security, however a mis-configured Linux
box could really pose a big threat to security.
22) Explain in brief, Multi Factor authentication.
23) Explain in short how Kerberos works.
24) How to harden a Windows Machine?
25) How to harden a Linux Machine?
26) How can you prevent DOS/DDOS attack?
27) What is a 0-Day Vulnerability? Can it be prevented?
28) What is the biggest difference between Windows OS and Linux OS?
29) Can an IDS be used to prevent intrusions? (Ans: Yes. For example, SNORT, an open source IDS, can
act as an IPS if configured in in-line mode in conjunction with IPTables.)
30) Explain any type of Wi-Fi Attack and how to prevent it.
31) What is SIEM? Why is it useful?
32) What is rainbow attack? Is there a way to prevent it?
33) Explain the difference between hub, switch and router.
34) What do you mean by reverse shell in Linux?
35) Explain file ACLs (permissions) in Linux. What is the use of sticky bit?
36) What is NAT and PAT? Explain difference between them and how do they work.
37) Comment on security concerns in Cloud Computing.
38) What is the use of salt in reference to passwords? Are there any limitations of using it?
39) What is single sign-on? What are security risks with it?
Category II: VA/PT
1) What is the difference between Vulnerability Assessment and Penetration Testing? Which one needs
to be performed first?
2) What are the steps to perform VA/PT?
3) What precautions are required to be taken while performing VA/PT?
4) With whom would you share the findings of VA/PT and how would you convey the risk of the findings
effectively so that mitigation can be initiated immediately?
5) What tools do you normally use for VA and PT? Which tool do you find the best and why?
6) What all should be included in report of VA/PT assessment?
7) Is it possible to hack into a system without using any tool? If yes, how would you do it? (Manually?)
8) How can you identify whether a remote machine is a Windows Machine or Linux Machine?
9) What is the difference between active and passive information gathering? (give 1 example of each)
10) How does sniffing work? Explain how you can sniff into a network. Can a sniffing attack be prevented
and how?
11) What would you do if nmap port scans are blocked by network security administrator? How would you
gather host information in such case?
12) What are the different components of metasploit? Explain client side exploits/attacks.
Category III: Web Application Security
1) Why is Web Application Security Important?
2) "Making the website HTTPS would make it secure": share your comments on this.
3) What are cookies? What security threat do they pose?
4) What is SQL Injection attack? What are its types?
5) What are the ways to prevent SQL Injection?
6) What is XSS attack? What are its types?
7) What are the ways to prevent XSS attacks?
8) What is CSRF? How to prevent it?
9) What are the top 5 Web Application Vulnerabilities you know?
10) Explain any case wherein you found some critical web application vulnerability and you also provided
solution to fix the same.
11) How would you mitigate vulnerabilities in a legacy application where much of code change is not
feasible?
12) What tools do you use for performing Web Application security testing?
13) How do you test security for web services?
14) What is the difference between White Box Application Security testing and Blackbox Application
Security testing?
15) Do you have hands on knowledge of source code review? Give any example of vulnerability/bug you
found during source code review.
16) What standards do you refer for Web Application Security and related vulnerabilities?
17) What are the most important steps you would recommend to secure your new web server?
18) Will L-3 firewall be useful in protecting the web application against common attacks? If yes, then to
what extent?
19) What is Directory Listing? What is its impact? How to prevent it?
20) Can you explain any 2 vulnerabilities occurring due to poor session management?
21) Where should be the Web Server and Database server placed in network for optimal security?
21) Is there any risk when conducting Application Security testing on production instance?
Ans: Ideally, Application Security testing should never be performed on production instance. Automated
scanners can insert, modify or even delete data from the target application. This could be a big risk. So
the testing should be carried out on test instance which should contain exact replica of the application
code running on production instance. If at all you have to test on production instance, its owner must take
responsibility (in writing) of any data loss that may occur after testing.
22) How would you investigate or trace any security incident which occurred due to exploitation of some
vulnerability in your web application?
23) Please explain how would you test a mobile application for security vulnerabilities?
24) Explain about Database Security. What are common controls for securing Databases?
25) How would you convince the developer to fix the vulnerabilities you found in the Web Application?
Ans: It is a normal human mentality not to accept our mistakes. The same applies in this case. No developer
would easily accept that code written by him has serious security bugs. So, you have to demonstrate to him
the vulnerability you discovered with a proper PoC, and explain to him the severity and impact if the
vulnerability gets exploited. You have to be polite while explaining and not get into arguments.
26) How does HTTP handle state?
Ans: HTTP is a stateless protocol.
Category IV: Risk Management/ Compliance/ Security Frameworks
1) What is Risk Assessment and Risk Management? Are they same?
2) What are the standards available for Risk Management?
3) What are the types of Risks?
4) What are the possible ways to treat the risk?
5) What is the difference between threat, vulnerability, exploit and risk?
5) What is residual risk? Can it be eliminated?
6) What is ISO 27001? Why should an organization adopt it?
7) What is the difference between ISO 27001 and ISO 27002?
8) What is PCI-DSS? Is there any similarity between PCI-DSS and ISO27001?
9) What type of organizations are required to be compliant with PCI-DSS?
10) What is the difference between a standard, policy, procedure?
11) What would you do to make security program / initiative successful in the organization?
12) How would you convince the senior management to invest in certain security initiative?
13) How much would you ideally spend on securing a Windows Server? (This is a very generic question,
but would really test whether the candidate is clear with the basics like asset value, impact analysis etc)
14) What is the difference between technical controls and procedural controls? (give 1 example of each)
15) Explain high level steps for initiating and implementing ISO27001.
Category V: Strategic / Scenario Based Questions
1) Please comment: Which one would be more securely built? Open Source software or
Commercial/Proprietary software?
2) Whom do you get inspired from in the field of Information Security?
3) How many packets would travel from a laptop if a user initiates a traceroute to facebook.com?
4) Consider a scenario, the network has become extremely slow, there are many escalations coming to
service desk, what would you do as a security professional? Do you see a possibility of any security
threat in this? How would you face this situation?
5) Suppose the business team wants to launch an application on an urgent basis, but you know it's vulnerable to
some critical attacks, what would you do in such case? Should business requirement be given priority or
security should be the priority?
6) What are the latest trends in Information Security?
7) Is Internet Banking really safe and secure? What are your views on this?
8) Where do you see yourself (in which role/position) after 3-4 years?
9) Should social networking websites (like facebook) be allowed or blocked? Justify with proper reason.
10) Anonymous hackers are hacking into some critical infrastructure around the world. Can you comment
on how would they be doing this?
11) Have you heard about stuxnet? Explain your views on it and how could it have been prevented?
Category VI: Computer Forensics/Laws
1) What do you mean by checksum? What are the popular algorithms for calculating checksums? What is
its significance in computer forensics?
2) Describe steganography, its types and how to detect it?
3) What do you mean by file carving?
4) What is meant by bit stream image? Why is it important in forensics?
5) What is swap space? What is its relevance in forensics? What is page file?
6) Explain high level steps for seizing a live computer system.
7) What are the main challenges in computer forensics?
8) What is file shredding?
Ans: File Shredding is a technique used to securely erase/wipe or destroy the file (logical or physical) in
such a way that it cannot be re-constructed to derive its original meaning.
9) Can data be recovered after shredding is performed?
10) What are the famous tools used in computer forensics?
11) What hardware is necessary for performing computer forensics?
12) What care should be taken while packaging the seized evidence?
13) What is slack space?
14) List few situations wherein lost data cannot be recovered.
Ans: If the data is stored on magnetic media, and that media comes in contact with a very strong magnetic
field, then it may result in permanent loss of data. If data on the disk is overwritten more than 30 times,
it may get into an unrecoverable state. If the media is physically destroyed, like completely burnt or turned into
fine powder, then it won't be possible to recover the data.
15) How would you trace a spoofed email sent from a spoofed IP address?
Windows Server Administration Interview Questions
February 8, 2013 by: jdavid in: Application Support, Interview Questions, Windows 8, Windows Servers
Windows admin interview questions

Describe how the DHCP lease is obtained.
It's a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d)
acknowledgement.

I can't seem to access the Internet, don't have any access to the corporate network and on
ipconfig my address is 169.254.*.*. What happened?
The 169.254.*.* netmask is assigned to Windows machines running 98/2000/XP if the DHCP server is
not available. The name for the technology is APIPA (Automatic Private Internet Protocol
Addressing).

We've installed a new Windows-based DHCP server, however, the users do not seem to be getting
DHCP leases off of it.
The server must be authorized first with the Active Directory.

How can you force the client to give up the dhcp lease if you have access to the client PC?
ipconfig /release

What authentication options do Windows 2000 Servers have for remote clients?
PAP, SPAP, CHAP, MS-CHAP and EAP.

What are the networking protocol options for the Windows clients if for some reason you do not
want to use TCP/IP?
NWLink (Novell), NetBEUI, AppleTalk (Apple).

What is binding order?
The order by which the network protocols are used for client-server communications. The most frequently
used protocols should be at the top.

How do cryptography-based keys ensure the validity of data transferred across the network?
Each IP packet is assigned a checksum, so if the checksums do not match on both receiving and
transmitting ends, the data was modified or corrupted.
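What a key adds to a per-packet checksum can be shown by comparing an unkeyed CRC32 with a keyed HMAC-SHA256 tag. This is an added example, not part of the original answers; the packet layout, the key and all function names are constructed for illustration and do not reproduce any real protocol's wire format.

```python
import hashlib
import hmac
import zlib

# Constructed demo key, known only to sender and receiver in this sketch.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_crc(payload: bytes) -> bytes:
    """Unkeyed checksum: payload followed by its CRC32."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def check_crc(packet: bytes) -> bool:
    payload, tag = packet[:-4], packet[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == tag


def seal_hmac(payload: bytes, key: bytes) -> bytes:
    """Keyed checksum: payload followed by HMAC-SHA256(key, payload)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def check_hmac(packet: bytes, key: bytes) -> bool:
    if len(packet) < TAG_LEN:
        return False
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def corrupt(packet: bytes) -> bytes:
    """Accidental corruption: one bit flipped in transit."""
    return bytes([packet[0] ^ 0x01]) + packet[1:]


def rewrite_crc(new_payload: bytes) -> bytes:
    """Deliberate modification by a party on the path: CRC32 needs no
    secret, so the checksum is simply recomputed over the new payload."""
    return seal_crc(new_payload)


def rewrite_hmac(packet: bytes, new_payload: bytes) -> bytes:
    """Same modification against the keyed tag: without the key the old
    tag can only be carried over, and it no longer matches."""
    return new_payload + packet[-TAG_LEN:]


if __name__ == "__main__":
    original = b"transfer amount=10"
    changed = b"transfer amount=99"
    crc_pkt = seal_crc(original)
    mac_pkt = seal_hmac(original, SHARED_KEY)
    print("CRC  detects corruption:  ", not check_crc(corrupt(crc_pkt)))
    print("CRC  detects modification:", not check_crc(rewrite_crc(changed)))
    print("HMAC detects corruption:  ", not check_hmac(corrupt(mac_pkt), SHARED_KEY))
    print("HMAC detects modification:",
          not check_hmac(rewrite_hmac(mac_pkt, changed), SHARED_KEY))
```

Both checks catch corruption, but only the keyed tag also catches a deliberate rewrite, which is why mismatching values can be read as "modified or corrupted" rather than just "corrupted".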

Should we deploy IPSEC-based security or certificate-based security?
They are really two different technologies. IPSec secures the TCP/IP communication and protects the
integrity of the packets. Certificate-based security ensures the validity of authenticated clients and
servers.

What is LMHOSTS file?
It's a file stored on a host machine that is used to resolve NetBIOS to specific IP addresses.

What's the difference between forward lookup and reverse lookup in DNS?
Forward lookup is name-to-address, the reverse lookup is address-to-name.

How can you recover a file encrypted using EFS?
Use the domain recovery agent.

What is the difference between Windows 2003 Standard, Enterprise, Premium, Data Center and
Web Edition?
WEB EDITION:
To position Windows Server 2003 more competitively against other web servers, Microsoft has released a
stripped-down-yet-impressive edition of Windows Server 2003 designed specially for web services. The
feature set and licensing allow customers easy deployment of web pages, web sites, web applications
and web services.
Web Edition supports 2GB of RAM and a two-way symmetric multiprocessor (SMP). It provides
unlimited anonymous web connections but only 10 inbound server message block (SMB) connections,
which should be more than enough for content publishing. The server cannot be an internet gateway,
DHCP or fax server. Although you can remotely administer the server with Remote Desktop, the server
cannot be a terminal server in the traditional sense. The server can belong to a domain, but cannot be a
domain controller. The included version of the Microsoft SQL Server Database Engine can support as
many as 25 concurrent connections.

How do you recover an object in Active Directory, which is accidentally deleted by you, with no
backup?
Using the ntdsutil.exe command, we can restore the AD objects.

What is the Logical / Physical Structures of the AD Environment?
physical structure:
Forest, Site, Domain, DC
logical structure:
Schema partition, configuration partition, domain partition and application partition

How to change the Windows XP product key if wrongly installed with other product key but you
have original product key? What will you do to make your OS genuine?
Some third-party software is available for this function, or reinstall the system.

If 512MB RAM is there, what will be the minimum and maximum virtual memory for the system?
To work out the total virtual memory (page file) required for Windows XP you should take the amount of
RAM in the system and add 25% (512MB + 25% (128MB) = 640MB total virtual memory). By setting both the
min and max to 640MB you can increase the performance of the operating system.

What is LDAP?
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs
use to look up information from a server.

What is the SYSVOL folder?
The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain
controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system
(NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system
(DFS) forest.

What are application partitions? When do we use them?
An Application Directory Partition is a partition space in Active Directory which an application can use
to store that application's specific data. This partition is then replicated only to some specific domain
controllers. The application directory partition can contain any type of data except security principals
(users, computers, groups).

How do we Backup Active Directory?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up
Active Directory by using the Graphical User Interface (GUI) and command-line tools that the
Windows Server 2003 family provides. You frequently back up the system state data on domain
controllers so that you can restore the most current data. By establishing a regular backup schedule, you
have a better chance of recovering data when necessary. To ensure a good backup includes at least the
system state data and contents of the system disk, you must be aware of the tombstone lifetime. By
default, the tombstone is 60 days. Any backup older than 60 days is not a good backup. Plan to back up
at least two domain controllers in each domain, one of at least one backup to enable an authoritative
restore of the data when necessary.

How do we restore AD?
You can't restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS)
is running. To restore AD, perform the following steps.
Reboot the computer.
The computer will boot into a special safe mode and won't start the DS. Be aware that during this time the
machine won't act as a DC and won't perform functions such as authentication.
1. Start NT Backup.
2. Select the Restore tab.
3. Select the backup media, and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored
information. The computer might hang after the restore completes; I've experienced a 30-minute wait on
some machines.

What are GPOs?
Group Policy gives you administrative control over users and computers in your network. By using
Group Policy, you can define the state of a user's work environment once, and then rely on Windows
Server 2003 to continually force the Group Policy settings that you apply across an entire organization or
to specific groups of users and computers.

What domain services are necessary for you to deploy the Windows Deployment Services on
your network?
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.

What is the difference between a basic and dynamic drive in the Windows Server 2008 environment?
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple
volumes).
Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks
also support Windows Server 2008 RAID implementations.

What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa

Commonly Used DNS Records?
A-Records (Host address)
CNAME-Records (Canonical name for an alias)
MX-Records (Mail exchange)
NS-Records (Authoritative name server)
PTR-Records (domain name pointer)
SOA-Records (Start of authority)
