|
| 1 | +### YamlMime:ModuleUnit |
| 2 | +uid: learn.devrel.secure-harden-internet-information-services.knowledge-check |
| 3 | +title: Knowledge check |
| 4 | +metadata: |
| 5 | + title: Knowledge Check |
| 6 | + description: Check your knowledge. |
| 7 | + ms.date: 03/31/2026 |
| 8 | + author: Orin-Thomas |
| 9 | + ms.author: orthomas |
| 10 | + ms.topic: unit |
| 11 | +durationInMinutes: 6 |
| 12 | +quiz: |
| 13 | + title: Check your knowledge |
| 14 | + questions: |
| 15 | + - content: "Your organization has an intranet web application hosted on IIS that should be accessible only to domain-joined users using their Windows credentials, with no credential prompt appearing. Which IIS authentication method should you configure?" |
| 16 | + choices: |
| 17 | + - content: "Anonymous Authentication" |
| 18 | + isCorrect: false |
| 19 | + explanation: "Anonymous access allows unauthenticated users to reach the site, which contradicts the requirement that only domain-joined users be able to access it." |
| 20 | + - content: "Basic Authentication" |
| 21 | + isCorrect: false |
| 22 | + explanation: "Basic Authentication typically prompts for a username and password and doesn't provide seamless single sign-on with Windows credentials." |
| 23 | + - content: "Windows Authentication (Integrated)" |
| 24 | + isCorrect: true |
| 25 | + explanation: "Integrated Windows Authentication uses Kerberos/NTLM to automatically pass domain credentials for domain-joined clients, avoiding a credential prompt." |
| 26 | + - content: "Digest Authentication" |
| 27 | + isCorrect: false |
| 28 | + explanation: "Digest Authentication isn't the standard approach for seamless intranet SSO and has extra requirements (such as domain support) without providing the typical transparent experience of Windows Authentication." |
| 29 | + - content: "You need to restrict access to a /reports directory on your IIS site so that only members of the CONTOSO\\ReportViewers group can access it. Which IIS feature should you configure?" |
| 30 | + choices: |
| 31 | + - content: "IP Address and Domain Restrictions" |
| 32 | + isCorrect: false |
| 33 | + explanation: "This feature restricts access by client IP/DNS, not by Active Directory group membership." |
| 34 | + - content: "Authorization Rules" |
| 35 | + isCorrect: true |
| 36 | + explanation: "Authorization Rules allow or deny access to specific paths based on Windows users/groups (for example, allowing CONTOSO\\ReportViewers and denying others)." |
| 37 | + - content: "Request Filtering" |
| 38 | + isCorrect: false |
| 39 | + explanation: "Request Filtering blocks patterns (extensions, verbs, query strings) but doesn't implement AD group-based access control." |
| 40 | + - content: "SSL Settings" |
| 41 | + isCorrect: false |
| 42 | + explanation: "SSL Settings control HTTPS requirements and certificate behavior, not which Windows groups may access a directory." |
| 43 | + - content: "What is the recommended Application Pool identity type for most IIS deployments to follow the principle of least privilege?" |
| 44 | + choices: |
| 45 | + - content: "Local System" |
| 46 | + isCorrect: false |
| 47 | + explanation: "Local System is highly privileged and violates the principle of least privilege for most web applications." |
| 48 | + - content: "Network Service" |
| 49 | + isCorrect: false |
| 50 | + explanation: "Network Service is more privileged and less isolated than ApplicationPoolIdentity; multiple apps can end up sharing the same account context." |
| 51 | + - content: "ApplicationPoolIdentity" |
| 52 | + isCorrect: true |
| 53 | + explanation: "ApplicationPoolIdentity provides a unique, low-privilege virtual account per app pool, improving isolation and reducing required permissions." |
| 54 | + - content: "Local Service" |
| 55 | + isCorrect: false |
| 56 | + explanation: "Local Service isn't the recommended default for IIS app pools and doesn't provide the per-pool isolation that ApplicationPoolIdentity does." |
| 57 | + - content: "You're hosting three HTTPS websites on a single IIS server with one IP address. Each site has its own TLS certificate. What feature must be enabled on each HTTPS binding to support this configuration?" |
| 58 | + choices: |
| 59 | + - content: "Application Pool Isolation" |
| 60 | + isCorrect: false |
| 61 | + explanation: "Separate app pools improve process isolation, but they don't solve the 'multiple certificates on one IP:443' requirement." |
| 62 | + - content: "SSL Offloading" |
| 63 | + isCorrect: false |
| 64 | + explanation: "SSL offloading refers to terminating TLS on a load balancer or proxy, not selecting different certificates for multiple hostnames on the same IIS IP/port." |
| 65 | + - content: "Server Name Indication (SNI)" |
| 66 | + isCorrect: true |
| 67 | + explanation: "SNI includes the hostname in the TLS handshake, allowing IIS to choose the correct certificate for each site while sharing a single IP address." |
| 68 | + - content: "HTTP Strict Transport Security (HSTS)" |
| 69 | + isCorrect: false |
| 70 | + explanation: "HSTS forces clients to use HTTPS for a hostname, but it doesn't enable hosting multiple certificates on one IP address." |
| 71 | + - content: "Your IIS server hosts a web application that only accepts form submissions (POST) and serves pages (GET). Which configuration reduces attack surface by restricting the HTTP methods the server accepts?" |
| 72 | + choices: |
| 73 | + - content: "Configure IP Address and Domain Restrictions to block external requests" |
| 74 | + isCorrect: false |
| 75 | + explanation: "IP restrictions control where requests come from, not which HTTP methods (verbs) the server accepts." |
| 76 | + - content: "Configure Request Filtering to deny all HTTP verbs except GET and POST" |
| 77 | + isCorrect: true |
| 78 | + explanation: "Request Filtering can explicitly allow only the verbs your app needs (such as GET/POST) and deny unused or risky verbs like TRACE, PUT, and DELETE." |
| 79 | + - content: "Remove the Windows Authentication module from the site" |
| 80 | + isCorrect: false |
| 81 | + explanation: "Authentication modules control how users authenticate, not which HTTP methods are permitted." |
| 82 | + - content: "Set the Maximum URL Length in Request Limits to 256 bytes" |
| 83 | + isCorrect: false |
| 84 | + explanation: "URL length limits reduce risk from oversized requests but don't restrict which HTTP verbs the server accepts." |
0 commit comments