
Test Name: Implementing and Supporting IIS 4.0

Test #: 70-087

I will be taking IIS 4.0 on 2/8/99 and will submit a braindump after the test. For now, here is a list of notes I took after I took all three Transcender IIS 4.0 tests. The list is based on questions I missed and questions I got right by the skin of my teeth. All answers should be accurate as I got them right from the test; however, as always, check them out anyway. Good luck!!

coyleta

1. When accessing SQL Server from a web application, use Basic Authentication.

2. For areas of a web site that are only for certain employees with encryption, issue a certificate to each employee using Certificate Server; map each certificate to the appropriate account and grant the user account access permissions for the web site and configure the restricted web pages to use SSL encryption.

3. To generate as much info as possible about a web site, use: Images Report, Link Report and Site Summary Report.

4. The EnablePortAttack Registry parameter controls the range of TCP ports that can be used to connect to the FTP service.

5. Add your name to local Admins group to administer IIS computers on resource domains on a single master domain model network.

6. If you determine that an attacker’s computer is on an ISP, configure the web site to block that network.

7. To convert megabytes per day to kilobits per second, use the following formula: Total MB * 1024 KB = KB per day; for every 8 bits there are 4 bits of overhead; KB per day * 12 bits = kb per day; kb per day / 86,400 seconds = kbps. You can then determine the correct data link technology to match this speed.

33.6 kbps=dialup, 56 kbps=leased line, 128 kbps=ISDN, 1.54 Mbps=T1.

8. Install IE 4.0 on a PC or laptop to allow a user to access a web site using NT Challenge/Response and SSL encryption.

9. To monitor a web site and an FTP site for security and performance issues, enable IIS logging to an ODBC-compliant database and SNMP monitoring.

10. If SMTP messages exceed the Max. Message size, the socket connection can remain open and the message transmitted as smaller messages so long as the Max. Session size is not exceeded.

11. Setting the encryption size to 40-bit or 128-bit affects the Session Key.

12. The IIS IDC requires a 32-bit ODBC driver.

13. Web browsers that receive an error upon attempting to install a digital certificate do not support client authentication.

14. HTTP/1.1 403 Access Forbidden=No execute rights

15. To log all accesses to an NNTP site on an IIS computer, enable logging on the News Site tab, specify the active log format, enable log access on the Home Directory tab and enable log access on each virtual directory’s properties tab.

16. To connect to an Administration Web site through a firewall, specify the remote computer’s DNS name and the TCP port that is assigned to the Administration web site.

17. To overcome security problems on a virtual directory on a stand-alone server, move the virtual directory to the IIS computer.

18. If both anonymous and domain users can access a secured area of a web site, IIS was installed on a PDC. When you install IIS on a PDC the anonymous account automatically becomes a member of the Domain Users group.

19. Effective permissions on a resource are calculated by taking the NTFS permissions and the IIS permissions and taking the most restrictive of the two.

20. To block attacks on a SQL server (or any server), use IPX between IIS and the other server.

21. When a virtual directory points to a share, you need a user account with rights to the share and the "log on locally" right to the server the share is on.

22. For a user to log on to a web site using Basic Authentication, he must have log on locally rights. When he does log on, he becomes a member of the Interactive special user group. When a user logs on to a web site using NTCR, he becomes a member of the Network group, which has the Access this Computer from Network right, assigned to the Everyone group by default. Basic Authentication=Interactive users group and NTCR=Network users group.

23. Local domains route mail to the drop directory on the local host. Remote domains route mail to other SMTP hosts.

24. The content index is configured by default to run using the System account.

25. When you save an MMC window from the console menu, the following are saved: Snap-in modules that are loaded, the MMC’s window size before it was maximized or minimized, whether the toolbar is displayed and whether the status bar is displayed.

26. FTP sites cannot use host headers (only web sites can). They can only use unique IP addresses and unique TCP ports.

27. Enabling HTTP Keep-Alives reduces time to download from a web site.

28. To move an NNTP sub-tree to another server, physically copy the sub-directory tree to the new server. On the IIS server, create a virtual directory that points to the sub-directory on the new server. Rebuild the NNTP server using the Thorough option.

29. To keep people from performing searches on a word that is included in sensitive documents, thus exposing those documents, place that word in the Index Server noise word file.

30. Lowering the connection timeout value for a web site will free more resources for active connections. Open connections that have been dropped or terminated will be closed sooner.

31. When SQL Server is using the named pipes protocol, users must have a valid NT account to access the database, even if the user has a valid SQL login ID. If SQL Server uses TCP/IP sockets, users can access SQL Server directly, without having to be validated by NT.

32. FTP sites do not use SSL and NTCR.

33. Index Server does not create its own log nor does it make use of IIS logging. Index Server’s errors are written to NT server’s Application event log under the CiFilter Service category.

34. Create additional catalogs in Index Server to increase the percentage of useful hits in a query.

35. Stop the IIS Admin service to stop the web and ftp sites on an IIS server.

36. An annealing merge is a special shadow merge that occurs when CPU usage falls below a certain level that is defined in the registry. Configure your server so that annealing merges occur more frequently-taking advantage of low CPU usage times.

37. To obtain information on referring URLs: enable logging in the Microsoft IIS Log File format, install the ISAPI Hyper Extended Logging Filter and restart the WWW Publishing Service.

38. It is possible to throttle the bandwidth of individual web sites, but not FTP sites. The best way to limit FTP traffic and/or reserve a specific amount of bandwidth on your Internet connection is to configure a router on the Internet connection.

39. To create a log with a minimum amount of information being logged, use the W3C Extended Log File format because you can select the fields to be logged. All other log file formats are fixed.

40. A web application must have the .idc extension in order to invoke the Httpodbc.dll interpreter.

41. To add a root certificate (also known as a Certificate Authority (CA) certificate), you must use Internet Explorer 4.0 or later to download the certificate or retrieve it from a disk. Then, run the iisca.exe utility, which will transfer the certificate information to IIS. Finally, stop and start all web services.

42. Either Basic or NTCR authentication must be used to remotely administer your IIS computer using Internet Service Manager (HTML).

43. Using ISAPI applications instead of CGI applications will improve performance on your IIS computer.

44. When bandwidth throttling is enabled for a web site, its Maximum Network Use overrides the value set for the IIS computer.

45. If the Event Log indicates that Index Server data is corrupted, stop and restart the Content Index service.

46. To limit the number of connections to multiple web content directories, you must create a web site for each directory, configure the content directories as home directories for each corresponding site and ensure that no other content directories are configured for the sites. You can then limit the connections for each web site’s home directory (the content directory in this case).

47. If you stop all web, ftp, smtp and nntp sites by stopping the IIS admin service, you can start them all again by using the MMC to start any one web site, ftp site, smtp site and any one nntp site.

48. In earlier versions of IIS, the error "HTTP/1.0 404 Object Not Found" could be caused by a virtual directory name having spaces in it (example: Fort Lauderdale as opposed to Fort_Lauderdale). Later versions of IIS corrected this; but, if you don’t put a forward slash (/) after the virtual directory name, you could get the error "HTTP Error 400 Bad Request".

49. If @UNFILTERED=TRUE is contained in a query, the results list will include files that are corrupt or protected by a password.

50. To allow users to view the list of files available on a web site, assign read access to the share, allow directory browsing and disable the default document.

51. A site that has been assigned a host header name cannot be accessed by its IP address or NETBIOS name-even if the IP address is unique.

52. IIS caches user tokens for 10 min. (default TTL) for users logging on with either Basic or Anonymous Authentication. Users logging on with NTCR do not get user tokens cached. Therefore, if user configuration changes are made for Basic or Anonymous users, you must stop and restart all IIS services for the changes to take effect immediately. Otherwise, you will have to wait 10 min.

53. To run a query on a web site with Index Server and a query on a SQL database simultaneously off of one button on the web page, you can use an Active Server Pages application.

54. For a directory that contains files with the UNIX-style directory listing assigned, the file name and size and the time the file was last modified will be listed.

55. Microsoft Windows NT Server 4.0, Workstation 4.0 and Windows 95 with DCOM support all support Microsoft Transaction Server.

56. The IIS default web site is configured to use friendly error messages by default.

57. To find out how many hits a web site had on a particular day, examine the log files for the web site.

58. An .idc file contains the name of an ODBC data source, user name, name and location of an HTML extension (.htx) file and any SQL statements that are needed to exchange data with the selected database. The .htx file is a template for the database information that is returned. The .idc file controls how the database is accessed and the .htx file controls how the Web page returned to the browser is constructed.

59. If you use the Certreq utility to request a certificate and you receive an error, the Certificate Authority service may not be running.

60. To perform a search in the language defined by the user’s web browser, set the CiLocale variable to null in the .idq file. Ex: CiLocale=. This way, when the user’s browser sends the HTTP_Accept_Language parameter, the locale of the user’s browser is used.

61. HTTPS, which is used for SSL communication, does not support host headers and port 443 is the TCP port used for SSL; so a unique IP address must be assigned for multiple SSL sites. Any host header name must be mapped through a DNS server or hosts file.

62. To replace IP addresses with DNS names in a log file, use the Convlog utility to convert the log to NCSA Common Log File format. Log file information such as IP addresses can be changed during the conversion.

63. One way to enable directory annotations in a FTP directory is to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\AnnotateDirectories key to 1. Directory annotations are stored in the ~ftpsvc~.ckm file which is stored in the respective directory.