1. Explain how does HTTP handle state?
It doesn't, of course. Not natively. Good answers are things like “cookies”, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn't do it itself.
2. Do you know what is salting, and why is it used?
You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.
3. Tell me what are your first three steps when securing a Windows server?
Their list isn't key here (unless it's bad); the key is to not get panic.
4. Tell me what kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man-in-the-middle, as neither side is authenticated.
5. Do you know what exactly is Cross Site Scripting?
You'd be amazed at how many security people don't know even the basics of this immensely important topic. We're looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.
6. Tell me what are your first three steps when securing a Linux server?
Their list isn't key here (unless it's bad); the key is to not get panic.
7. Explain what's the difference between stored and reflected XSS?
Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site.
8. Tell me do you prefer filtered ports or closed ports on your firewall?
Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. There can be many signs of maturity or immaturity in this answer.
9. Explain how would you login to Active Directory from a Linux or Mac box?
While it may sound odd, it is possible to access Active Directory from a non-Windows system. Active Directory uses an implementation of the SMB protocol, which can be accessed from a Linux or Mac system by using the Samba program. Depending on the version, this can allow for share access, printing, and even Active Directory membership.
10. Do you know how to change your DNS settings in Linux/Windows?
Here you're looking for a quick comeback for any position that will involve system administration (see system security). If they don't know how to change their DNS server in the two most popular operating systems in the world, then you're likely working with someone very junior or otherwise highly abstracted from the real world.
