Microsoft-Designing Security for a Windows Server 2003 Network Set 1

1.

Question 04 Case Study #9, Consolidated Messenger ---------------------------------------------------------------- You need to design security changes that provide maximum protection for customer data and courier assignments. What should you do? Case Study Title (Case Study): Case Study #9, Consolidated Messenger Overview Consolidated Messenger is a large courier service company in New York. The company dispatches messengers throughout the city to pick up packages for immediate delivery elsewhere in the city. Physical Locations The main office is near the center of the city. The main office includes a business office and a courier dispatch lounge where couriers pick up their assignments. Business Processes Business staff handles customer billing, accepts phone calls for new courier assignments, and enters the assignments into a custom, Active Directory-integrated, client-server application. Couriers use Web kiosk in the lounge to pick up their assignments. The Web kiosks run only Internet Explorer. Couriers use a password to log on to the subsystem, and they are supposed to log off after they read their assignments. Because couriers are paid by the assignment, they must log in and mark each assignment as complete to be paid. Couriers do not have physical access to the business office. The company always experiences a high rate of turnover among the courier staff. The information technology (IT) department has one senior administrator and two junior administrators who provide all IT support for company users and couriers. Business staff requires access to mail servers, file servers, and client-server applications on the company LAN. Couriers need access to only the specialized Web-based application that is available to them on the Web kiosk in the dispatch lounge. Currently, access to resources is secured by using NTFS permissions and Active Directory-integrated application-specific authentication. All customer billing and contact information must remain confidential. Directory Services The company's network consists of a single Active Directory domain. All users have domain user accounts. The senior IT administrator centrally manages all accounts. Network Infrastructure The network consists of the following three segments: * Segment 1 contains all server computers. * Segment 2 contains all business staff client computers. * Segment 3 contains all dispatch lounge courier kiosks. A router connects the three segments. The router also connects the LAN to the Internet and provides basic firewall services. The Internet connection has a range of 64 to 256 Kbps of bandwidth. There are five Windows Server 2003 computers on Segment 1. The courier dispatch lounge contains only Windows XP Professional client computers. The business office contains client computers that run the following operating systems: * Windows 2000 Professional * Windows 98 Second Edition * Windows NT Workstation 4.0 * Windows XP Professional * Windows 95 Problem Statements Access to customer data and courier assignments is not sufficiently secure. Couriers use simplistic passwords and often guess other couriers' passwords. In the past, couriers have gained unauthorized access to confidential customer data. The company has no means of discovering who gained unauthorized access. Chief Executive Officer Though some of our data is not confidential, we need to increase security for our data that is confidential. We have had major security problems in the past, including compromised confidential customer data. This is a problem because we are contractually obliged to protect customer data. We also need to able to identify users who do gain unauthorized access. To achieve our goals, we can spend money on security, but we cannot increase the number of employees. Chief Information Officer Our IT staff use their administrative accounts for everything which is acceptable on their own client computers. However, they often log on to business office client computers with their own administrative account, and they forget to log off after they are done. Consequently, business office users can perform tasks by using administrator privileges, which creates network problems. We also struggle to main client computers and services with current security patches. Though IT staff test security patches when they come out, they cannot always find the time to deploy them. We cannot use Windows Update on client computers because of our low Internet bandwidth. To conserve bandwidth, our firewall prevents client computers from accessing Windows Update. So, although servers have access to Windows Update administrators often forget to run it. Solutions to these problems cannot require any more ongoing work from IT staff. Senior IT Administrator The junior administrators need to help to create new user accounts. However, they are not currently authorized to create new administrative staff accounts or to edit any existing accounts. Although company policy allows junior administrators to only reset passwords, the domain permissions do not currently allow them to do so. Junior IT Administrator Our biggest security patch management problem is that our users are not administrators on their computers. Though we would need to track user administrative actions, I think we should make users administrators on their own computers. Courier Even though I know I should pick a difficult password, I can only remember so much. To simplify my life, I use the same password at every job. I have heard that couriers watch and steal other courier's passwords, but it has never happened to me. Consolidated Messenger's written security policy contains the following requirements: * We must monitor and track when business office users attempt to make system registry configuration changes to their computers. We do not need to monitor or track everyday actions on client computers. * We must monitor and track all access to sensitive company data, including most customer data and courier assignments. * We must maintain all computers with current security patches for critical updates. The senior IT administrator is responsible for first testing all patches and then releasing them to all client and server computers in the company. * We must limit the use of user accounts that have domain administrators or other administrator privileges. Only IT staff will have access to domain administrative accounts.

Create a separate domain for courier authentication. Implement smart card authentication for business office users and couriers, upgrading client operatingsystems as needed. Modify the Web kiosks to require smart card presence for continued access. Modify the Default Domain Policy Group Policy object (GPO) so that couriers must use complex useraccount passwords. Require all couriers to change their passwords the next time they log on to the Web application. Use Encrypting File System (EFS) to encrypt all files that contain customer data.

2.

Question 05 Case Study #9, Consolidated Messenger ---------------------------------------------------------------- You need to improve the company's security patch management process. Your solution must meet existing business requirements and it cannot increase the number of employees or unnecessarily increase ongoing administrative effort. What should you do? Case Study Title (Case Study): Case Study #9, Consolidated Messenger Overview Consolidated Messenger is a large courier service company in New York. The company dispatches messengers throughout the city to pick up packages for immediate delivery elsewhere in the city. Physical Locations The main office is near the center of the city. The main office includes a business office and a courier dispatch lounge where couriers pick up their assignments. Business Processes Business staff handles customer billing, accepts phone calls for new courier assignments, and enters the assignments into a custom, Active Directory-integrated, client-server application. Couriers use Web kiosk in the lounge to pick up their assignments. The Web kiosks run only Internet Explorer. Couriers use a password to log on to the subsystem, and they are supposed to log off after they read their assignments. Because couriers are paid by the assignment, they must log in and mark each assignment as complete to be paid. Couriers do not have physical access to the business office. The company always experiences a high rate of turnover among the courier staff. The information technology (IT) department has one senior administrator and two junior administrators who provide all IT support for company users and couriers. Business staff requires access to mail servers, file servers, and client-server applications on the company LAN. Couriers need access to only the specialized Web-based application that is available to them on the Web kiosk in the dispatch lounge. Currently, access to resources is secured by using NTFS permissions and Active Directory-integrated application-specific authentication. All customer billing and contact information must remain confidential. Directory Services The company's network consists of a single Active Directory domain. All users have domain user accounts. The senior IT administrator centrally manages all accounts. Network Infrastructure The network consists of the following three segments: * Segment 1 contains all server computers. * Segment 2 contains all business staff client computers. * Segment 3 contains all dispatch lounge courier kiosks. A router connects the three segments. The router also connects the LAN to the Internet and provides basic firewall services. The Internet connection has a range of 64 to 256 Kbps of bandwidth. There are five Windows Server 2003 computers on Segment 1. The courier dispatch lounge contains only Windows XP Professional client computers. The business office contains client computers that run the following operating systems: * Windows 2000 Professional * Windows 98 Second Edition * Windows NT Workstation 4.0 * Windows XP Professional * Windows 95 Problem Statements Access to customer data and courier assignments is not sufficiently secure. Couriers use simplistic passwords and often guess other couriers' passwords. In the past, couriers have gained unauthorized access to confidential customer data. The company has no means of discovering who gained unauthorized access. Chief Executive Officer Though some of our data is not confidential, we need to increase security for our data that is confidential. We have had major security problems in the past, including compromised confidential customer data. This is a problem because we are contractually obliged to protect customer data. We also need to able to identify users who do gain unauthorized access. To achieve our goals, we can spend money on security, but we cannot increase the number of employees. Chief Information Officer Our IT staff use their administrative accounts for everything which is acceptable on their own client computers. However, they often log on to business office client computers with their own administrative account, and they forget to log off after they are done. Consequently, business office users can perform tasks by using administrator privileges, which creates network problems. We also struggle to main client computers and services with current security patches. Though IT staff test security patches when they come out, they cannot always find the time to deploy them. We cannot use Windows Update on client computers because of our low Internet bandwidth. To conserve bandwidth, our firewall prevents client computers from accessing Windows Update. So, although servers have access to Windows Update administrators often forget to run it. Solutions to these problems cannot require any more ongoing work from IT staff. Senior IT Administrator The junior administrators need to help to create new user accounts. However, they are not currently authorized to create new administrative staff accounts or to edit any existing accounts. Although company policy allows junior administrators to only reset passwords, the domain permissions do not currently allow them to do so. Junior IT Administrator Our biggest security patch management problem is that our users are not administrators on their computers. Though we would need to track user administrative actions, I think we should make users administrators on their own computers. Courier Even though I know I should pick a difficult password, I can only remember so much. To simplify my life, I use the same password at every job. I have heard that couriers watch and steal other courier's passwords, but it has never happened to me. Consolidated Messenger's written security policy contains the following requirements: * We must monitor and track when business office users attempt to make system registry configuration changes to their computers. We do not need to monitor or track everyday actions on client computers. * We must monitor and track all access to sensitive company data, including most customer data and courier assignments. * We must maintain all computers with current security patches for critical updates. The senior IT administrator is responsible for first testing all patches and then releasing them to all client and server computers in the company. * We must limit the use of user accounts that have domain administrators or other administrator privileges. Only IT staff will have access to domain administrative accounts.

Provide all users with the ability to access and use the Windows Update Web site. Upgrade all client computers to either Windows 2000 Professional or Windows XP Professional.Implement Software Update Services (SUS). Upgrade all client computers to either Windows 2000 Professional or Windows XP Professional. Makeall users members of the Power Users group on their client computers. Install the Active Directory Client Extensions on all Windows 95, Windows 98, and Windows NTWorkstation 4.0 computers. Manually download all security patches to a Distributed File System (DFS) replica. Instruct all users to use the DFS replica to install security patches. Install the Active Directory Client Extensions on all Windows 95, Windows 98, and Windows NTWorkstation 4.0 computers. Install a Software Update Services (SUS) server and make all users local administrators on their client computers.

3.

Question 01 Case Study #9, Consolidated Messenger ---------------------------------------------------------------- The company wants to evaluate making all business office users administrators on their client computers. You need to design a method to ensure that this change can be made in a manner that meets business and security requirements. What should you do? Case Study Title (Case Study): Case Study #9, Consolidated Messenger Overview Consolidated Messenger is a large courier service company in New York. The company dispatches messengers throughout the city to pick up packages for immediate delivery elsewhere in the city. Physical Locations The main office is near the center of the city. The main office includes a business office and a courier dispatch lounge where couriers pick up their assignments. Business Processes Business staff handles customer billing, accepts phone calls for new courier assignments, and enters the assignments into a custom, Active Directory-integrated, client-server application. Couriers use Web kiosk in the lounge to pick up their assignments. The Web kiosks run only Internet Explorer. Couriers use a password to log on to the subsystem, and they are supposed to log off after they read their assignments. Because couriers are paid by the assignment, they must log in and mark each assignment as complete to be paid. Couriers do not have physical access to the business office. The company always experiences a high rate of turnover among the courier staff. The information technology (IT) department has one senior administrator and two junior administrators who provide all IT support for company users and couriers. Business staff requires access to mail servers, file servers, and client-server applications on the company LAN. Couriers need access to only the specialized Web-based application that is available to them on the Web kiosk in the dispatch lounge. Currently, access to resources is secured by using NTFS permissions and Active Directory-integrated application-specific authentication. All customer billing and contact information must remain confidential. Directory Services The company's network consists of a single Active Directory domain. All users have domain user accounts. The senior IT administrator centrally manages all accounts. Network Infrastructure The network consists of the following three segments: * Segment 1 contains all server computers. * Segment 2 contains all business staff client computers. * Segment 3 contains all dispatch lounge courier kiosks. A router connects the three segments. The router also connects the LAN to the Internet and provides basic firewall services. The Internet connection has a range of 64 to 256 Kbps of bandwidth. There are five Windows Server 2003 computers on Segment 1. The courier dispatch lounge contains only Windows XP Professional client computers. The business office contains client computers that run the following operating systems: * Windows 2000 Professional * Windows 98 Second Edition * Windows NT Workstation 4.0 * Windows XP Professional * Windows 95 Problem Statements Access to customer data and courier assignments is not sufficiently secure. Couriers use simplistic passwords and often guess other couriers' passwords. In the past, couriers have gained unauthorized access to confidential customer data. The company has no means of discovering who gained unauthorized access. Chief Executive Officer Though some of our data is not confidential, we need to increase security for our data that is confidential. We have had major security problems in the past, including compromised confidential customer data. This is a problem because we are contractually obliged to protect customer data. We also need to able to identify users who do gain unauthorized access. To achieve our goals, we can spend money on security, but we cannot increase the number of employees. Chief Information Officer Our IT staff use their administrative accounts for everything which is acceptable on their own client computers. However, they often log on to business office client computers with their own administrative account, and they forget to log off after they are done. Consequently, business office users can perform tasks by using administrator privileges, which creates network problems. We also struggle to main client computers and services with current security patches. Though IT staff test security patches when they come out, they cannot always find the time to deploy them. We cannot use Windows Update on client computers because of our low Internet bandwidth. To conserve bandwidth, our firewall prevents client computers from accessing Windows Update. So, although servers have access to Windows Update administrators often forget to run it. Solutions to these problems cannot require any more ongoing work from IT staff. Senior IT Administrator The junior administrators need to help to create new user accounts. However, they are not currently authorized to create new administrative staff accounts or to edit any existing accounts. Although company policy allows junior administrators to only reset passwords, the domain permissions do not currently allow them to do so. Junior IT Administrator Our biggest security patch management problem is that our users are not administrators on their computers. Though we would need to track user administrative actions, I think we should make users administrators on their own computers. Courier Even though I know I should pick a difficult password, I can only remember so much. To simplify my life, I use the same password at every job. I have heard that couriers watch and steal other courier's passwords, but it has never happened to me. Written Security Policy Consolidated Messenger's written security policy contains the following requirements: * We must monitor and track when business office users attempt to make system registry configuration changes to their computers. We do not need to monitor or track everyday actions on client computers. * We must monitor and track all access to sensitive company data, including most customer data and courier assignments. * We must maintain all computers with current security patches for critical updates. The senior IT administrator is responsible for first testing all patches and then releasing them to all client and server computers in the company. * We must limit the use of user accounts that have domain administrators or other administrator privileges. Only IT staff will have access to domain administrative accounts.

On all domain controllers, implement registry access auditing for all registry keys that are considered sensitive by the company's written security policy. On all client computers, implement logon auditing for all user account logons. On all client computers, configure registry access auditing for all registry keys that are consideredsensitive by the company's written security policy. On all domain controllers, implement logon auditing for all user account logons.

4.

Question 02 Case Study #9, Consolidated Messenger ---------------------------------------------------------------- You need to identify potential security threats. Which of the following security breaches might occur under the current IT and security practices? (Choose all that apply) Case Study Title (Case Study): Case Study #9, Consolidated Messenger Overview Consolidated Messenger is a large courier service company in New York. The company dispatches messengers throughout the city to pick up packages for immediate delivery elsewhere in the city. Physical Locations The main office is near the center of the city. The main office includes a business office and a courier dispatch lounge where couriers pick up their assignments. Business Processes Business staff handles customer billing, accepts phone calls for new courier assignments, and enters the assignments into a custom, Active Directory-integrated, client-server application. Couriers use Web kiosk in the lounge to pick up their assignments. The Web kiosks run only Internet Explorer. Couriers use a password to log on to the subsystem, and they are supposed to log off after they read their assignments. Because couriers are paid by the assignment, they must log in and mark each assignment as complete to be paid. Couriers do not have physical access to the business office. The company always experiences a high rate of turnover among the courier staff. The information technology (IT) department has one senior administrator and two junior administrators who provide all IT support for company users and couriers. Business staff requires access to mail servers, file servers, and client-server applications on the company LAN. Couriers need access to only the specialized Web-based application that is available to them on the Web kiosk in the dispatch lounge. Currently, access to resources is secured by using NTFS permissions and Active Directory-integrated application-specific authentication. All customer billing and contact information must remain confidential. Directory Services The company's network consists of a single Active Directory domain. All users have domain user accounts. The senior IT administrator centrally manages all accounts. Network Infrastructure The network consists of the following three segments: * Segment 1 contains all server computers. * Segment 2 contains all business staff client computers. * Segment 3 contains all dispatch lounge courier kiosks. A router connects the three segments. The router also connects the LAN to the Internet and provides basic firewall services. The Internet connection has a range of 64 to 256 Kbps of bandwidth. There are five Windows Server 2003 computers on Segment 1. The courier dispatch lounge contains only Windows XP Professional client computers. The business office contains client computers that run the following operating systems: * Windows 2000 Professional * Windows 98 Second Edition * Windows NT Workstation 4.0 * Windows XP Professional * Windows 95 Problem Statements Access to customer data and courier assignments is not sufficiently secure. Couriers use simplistic passwords and often guess other couriers' passwords. In the past, couriers have gained unauthorized access to confidential customer data. The company has no means of discovering who gained unauthorized access. Chief Executive Officer Though some of our data is not confidential, we need to increase security for our data that is confidential. We have had major security problems in the past, including compromised confidential customer data. This is a problem because we are contractually obliged to protect customer data. We also need to able to identify users who do gain unauthorized access. To achieve our goals, we can spend money on security, but we cannot increase the number of employees. Chief Information Officer Our IT staff use their administrative accounts for everything which is acceptable on their own client computers. However, they often log on to business office client computers with their own administrative account, and they forget to log off after they are done. Consequently, business office users can perform tasks by using administrator privileges, which creates network problems. We also struggle to main client computers and services with current security patches. Though IT staff test security patches when they come out, they cannot always find the time to deploy them. We cannot use Windows Update on client computers because of our low Internet bandwidth. To conserve bandwidth, our firewall prevents client computers from accessing Windows Update. So, although servers have access to Windows Update administrators often forget to run it. Solutions to these problems cannot require any more ongoing work from IT staff. Senior IT Administrator The junior administrators need to help to create new user accounts. However, they are not currently authorized to create new administrative staff accounts or to edit any existing accounts. Although company policy allows junior administrators to only reset passwords, the domain permissions do not currently allow them to do so. Junior IT Administrator Our biggest security patch management problem is that our users are not administrators on their computers. Though we would need to track user administrative actions, I think we should make users administrators on their own computers. Courier Even though I know I should pick a difficult password, I can only remember so much. To simplify my life, I use the same password at every job. I have heard that couriers watch and steal other courier's passwords, but it has never happened to me. Consolidated Messenger's written security policy contains the following requirements: * We must monitor and track when business office users attempt to make system registry configuration changes to their computers. We do not need to monitor or track everyday actions on client computers. * We must monitor and track all access to sensitive company data, including most customer data and courier assignments. * We must maintain all computers with current security patches for critical updates. The senior IT administrator is responsible for first testing all patches and then releasing them to all client and server computers in the company. * We must limit the use of user accounts that have domain administrators or other administrator privileges. Only IT staff will have access to domain administrative accounts.

A virus that infects an IT administrator's client computer could gain domain administrator privileges. Couriers could gain access to domain administrator privileges. Business office staff could discover couriers' passwords and use them to access couriers' information. All users could use their user accounts to gain the ability to install untested security patches on theirclient computers.

5.

Question 03 Case Study #9, Consolidated Messenger ---------------------------------------------------------------- You need to design a method for junior IT administrators to perform more IT support tasks. Your solution must meet business and security requirements. What should you do? Case Study Title (Case Study): Case Study #9, Consolidated Messenger Overview Consolidated Messenger is a large courier service company in New York. The company dispatches messengers throughout the city to pick up packages for immediate delivery elsewhere in the city. Physical Locations The main office is near the center of the city. The main office includes a business office and a courier dispatch lounge where couriers pick up their assignments. Business Processes Business staff handles customer billing, accepts phone calls for new courier assignments, and enters the assignments into a custom, Active Directory-integrated, client-server application. Couriers use Web kiosk in the lounge to pick up their assignments. The Web kiosks run only Internet Explorer. Couriers use a password to log on to the subsystem, and they are supposed to log off after they read their assignments. Because couriers are paid by the assignment, they must log in and mark each assignment as complete to be paid. Couriers do not have physical access to the business office. The company always experiences a high rate of turnover among the courier staff. The information technology (IT) department has one senior administrator and two junior administrators who provide all IT support for company users and couriers. Business staff requires access to mail servers, file servers, and client-server applications on the company LAN. Couriers need access to only the specialized Web-based application that is available to them on the Web kiosk in the dispatch lounge. Currently, access to resources is secured by using NTFS permissions and Active Directory-integrated application-specific authentication. All customer billing and contact information must remain confidential. Directory Services The company's network consists of a single Active Directory domain. All users have domain user accounts. The senior IT administrator centrally manages all accounts. Network Infrastructure The network consists of the following three segments: * Segment 1 contains all server computers. * Segment 2 contains all business staff client computers. * Segment 3 contains all dispatch lounge courier kiosks. A router connects the three segments. The router also connects the LAN to the Internet and provides basic firewall services. The Internet connection has a range of 64 to 256 Kbps of bandwidth. There are five Windows Server 2003 computers on Segment 1. The courier dispatch lounge contains only Windows XP Professional client computers. The business office contains client computers that run the following operating systems: * Windows 2000 Professional * Windows 98 Second Edition * Windows NT Workstation 4.0 * Windows XP Professional * Windows 95 Problem Statements Access to customer data and courier assignments is not sufficiently secure. Couriers use simplistic passwords and often guess other couriers' passwords. In the past, couriers have gained unauthorized access to confidential customer data. The company has no means of discovering who gained unauthorized access. Chief Executive Officer Though some of our data is not confidential, we need to increase security for our data that is confidential. We have had major security problems in the past, including compromised confidential customer data. This is a problem because we are contractually obliged to protect customer data. We also need to able to identify users who do gain unauthorized access. To achieve our goals, we can spend money on security, but we cannot increase the number of employees. Chief Information Officer Our IT staff use their administrative accounts for everything which is acceptable on their own client computers. However, they often log on to business office client computers with their own administrative account, and they forget to log off after they are done. Consequently, business office users can perform tasks by using administrator privileges, which creates network problems. We also struggle to main client computers and services with current security patches. Though IT staff test security patches when they come out, they cannot always find the time to deploy them. We cannot use Windows Update on client computers because of our low Internet bandwidth. To conserve bandwidth, our firewall prevents client computers from accessing Windows Update. So, although servers have access to Windows Update administrators often forget to run it. Solutions to these problems cannot require any more ongoing work from IT staff. Senior IT Administrator The junior administrators need to help to create new user accounts. However, they are not currently authorized to create new administrative staff accounts or to edit any existing accounts. Although company policy allows junior administrators to only reset passwords, the domain permissions do not currently allow them to do so. Junior IT Administrator Our biggest security patch management problem is that our users are not administrators on their computers. Though we would need to track user administrative actions, I think we should make users administrators on their own computers. Courier Even though I know I should pick a difficult password, I can only remember so much. To simplify my life, I use the same password at every job. I have heard that couriers watch and steal other courier's passwords, but it has never happened to me. Consolidated Messenger's written security policy contains the following requirements: * We must monitor and track when business office users attempt to make system registry configuration changes to their computers. We do not need to monitor or track everyday actions on client computers. * We must monitor and track all access to sensitive company data, including most customer data and courier assignments. * We must maintain all computers with current security patches for critical updates. The senior IT administrator is responsible for first testing all patches and then releasing them to all client and server computers in the company. * We must limit the use of user accounts that have domain administrators or other administrator privileges. Only IT staff will have access to domain administrative accounts.

Delegate appropriate Active Directory permissions to the junior IT administrators. Add the junior IT administrators' user accounts to the Domain Admins user group. Create a custom Microsoft Management Console (MMC) that uses taskpad views to enable theappropriate tasks for the junior IT administrators. Make the junior IT administrators' domain user accounts member of the local Administrators group onall client computers. Create new domain user accounts for each junior IT administrator. Make the new accounts members ofthe Domain Admins group and instruct junior IT administrators to use the new accounts only for appropriate administrative tasks.

6.

Question 04 Case Study #9, Consolidated Messenger ---------------------------------------------------------------- You need to design security changes that provide maximum protection for customer data and courier assignments. What should you do? Case Study Title (Case Study): Case Study #9, Consolidated Messenger Overview Consolidated Messenger is a large courier service company in New York. The company dispatches messengers throughout the city to pick up packages for immediate delivery elsewhere in the city. Physical Locations The main office is near the center of the city. The main office includes a business office and a courier dispatch lounge where couriers pick up their assignments. Business Processes Business staff handles customer billing, accepts phone calls for new courier assignments, and enters the assignments into a custom, Active Directory-integrated, client-server application. Couriers use Web kiosk in the lounge to pick up their assignments. The Web kiosks run only Internet Explorer. Couriers use a password to log on to the subsystem, and they are supposed to log off after they read their assignments. Because couriers are paid by the assignment, they must log in and mark each assignment as complete to be paid. Couriers do not have physical access to the business office. The company always experiences a high rate of turnover among the courier staff. The information technology (IT) department has one senior administrator and two junior administrators who provide all IT support for company users and couriers. Business staff requires access to mail servers, file servers, and client-server applications on the company LAN. Couriers need access to only the specialized Web-based application that is available to them on the Web kiosk in the dispatch lounge. Currently, access to resources is secured by using NTFS permissions and Active Directory-integrated application-specific authentication. All customer billing and contact information must remain confidential. Directory Services The company's network consists of a single Active Directory domain. All users have domain user accounts. The senior IT administrator centrally manages all accounts. Network Infrastructure The network consists of the following three segments: * Segment 1 contains all server computers. * Segment 2 contains all business staff client computers. * Segment 3 contains all dispatch lounge courier kiosks. A router connects the three segments. The router also connects the LAN to the Internet and provides basic firewall services. The Internet connection has a range of 64 to 256 Kbps of bandwidth. There are five Windows Server 2003 computers on Segment 1. The courier dispatch lounge contains only Windows XP Professional client computers. The business office contains client computers that run the following operating systems: * Windows 2000 Professional * Windows 98 Second Edition * Windows NT Workstation 4.0 * Windows XP Professional * Windows 95 Problem Statements Access to customer data and courier assignments is not sufficiently secure. Couriers use simplistic passwords and often guess other couriers' passwords. In the past, couriers have gained unauthorized access to confidential customer data. The company has no means of discovering who gained unauthorized access. Chief Executive Officer Though some of our data is not confidential, we need to increase security for our data that is confidential. We have had major security problems in the past, including compromised confidential customer data. This is a problem because we are contractually obliged to protect customer data. We also need to able to identify users who do gain unauthorized access. To achieve our goals, we can spend money on security, but we cannot increase the number of employees. Chief Information Officer Our IT staff use their administrative accounts for everything which is acceptable on their own client computers. However, they often log on to business office client computers with their own administrative account, and they forget to log off after they are done. Consequently, business office users can perform tasks by using administrator privileges, which creates network problems. We also struggle to main client computers and services with current security patches. Though IT staff test security patches when they come out, they cannot always find the time to deploy them. We cannot use Windows Update on client computers because of our low Internet bandwidth. To conserve bandwidth, our firewall prevents client computers from accessing Windows Update. So, although servers have access to Windows Update administrators often forget to run it. Solutions to these problems cannot require any more ongoing work from IT staff. Senior IT Administrator The junior administrators need to help to create new user accounts. However, they are not currently authorized to create new administrative staff accounts or to edit any existing accounts. Although company policy allows junior administrators to only reset passwords, the domain permissions do not currently allow them to do so. Junior IT Administrator Our biggest security patch management problem is that our users are not administrators on their computers. Though we would need to track user administrative actions, I think we should make users administrators on their own computers. Courier Even though I know I should pick a difficult password, I can only remember so much. To simplify my life, I use the same password at every job. I have heard that couriers watch and steal other courier's passwords, but it has never happened to me. Consolidated Messenger's written security policy contains the following requirements: * We must monitor and track when business office users attempt to make system registry configuration changes to their computers. We do not need to monitor or track everyday actions on client computers. * We must monitor and track all access to sensitive company data, including most customer data and courier assignments. * We must maintain all computers with current security patches for critical updates. The senior IT administrator is responsible for first testing all patches and then releasing them to all client and server computers in the company. * We must limit the use of user accounts that have domain administrators or other administrator privileges. Only IT staff will have access to domain administrative accounts.

Create a separate domain for courier authentication. Implement smart card authentication for business office users and couriers, upgrading client operatingsystems as needed. Modify the Web kiosks to require smart card presence for continued access. Modify the Default Domain Policy Group Policy object (GPO) so that couriers must use complex useraccount passwords. Require all couriers to change their passwords the next time they log on to the Web application. Use Encrypting File System (EFS) to encrypt all files that contain customer data.

7.

Question 05 Case Study #9, Consolidated Messenger ---------------------------------------------------------------- You need to improve the company's security patch management process. Your solution must meet existing business requirements and it cannot increase the number of employees or unnecessarily increase ongoing administrative effort. What should you do? Case Study Title (Case Study): Case Study #9, Consolidated Messenger Overview Consolidated Messenger is a large courier service company in New York. The company dispatches messengers throughout the city to pick up packages for immediate delivery elsewhere in the city. Physical Locations The main office is near the center of the city. The main office includes a business office and a courier dispatch lounge where couriers pick up their assignments. Business Processes Business staff handles customer billing, accepts phone calls for new courier assignments, and enters the assignments into a custom, Active Directory-integrated, client-server application. Couriers use Web kiosk in the lounge to pick up their assignments. The Web kiosks run only Internet Explorer. Couriers use a password to log on to the subsystem, and they are supposed to log off after they read their assignments. Because couriers are paid by the assignment, they must log in and mark each assignment as complete to be paid. Couriers do not have physical access to the business office. The company always experiences a high rate of turnover among the courier staff. The information technology (IT) department has one senior administrator and two junior administrators who provide all IT support for company users and couriers. Business staff requires access to mail servers, file servers, and client-server applications on the company LAN. Couriers need access to only the specialized Web-based application that is available to them on the Web kiosk in the dispatch lounge. Currently, access to resources is secured by using NTFS permissions and Active Directory-integrated application-specific authentication. All customer billing and contact information must remain confidential. Directory Services The company's network consists of a single Active Directory domain. All users have domain user accounts. The senior IT administrator centrally manages all accounts. Network Infrastructure The network consists of the following three segments: * Segment 1 contains all server computers. * Segment 2 contains all business staff client computers. * Segment 3 contains all dispatch lounge courier kiosks. A router connects the three segments. The router also connects the LAN to the Internet and provides basic firewall services. The Internet connection has a range of 64 to 256 Kbps of bandwidth. There are five Windows Server 2003 computers on Segment 1. The courier dispatch lounge contains only Windows XP Professional client computers. The business office contains client computers that run the following operating systems: * Windows 2000 Professional * Windows 98 Second Edition * Windows NT Workstation 4.0 * Windows XP Professional * Windows 95 Problem Statements Access to customer data and courier assignments is not sufficiently secure. Couriers use simplistic passwords and often guess other couriers' passwords. In the past, couriers have gained unauthorized access to confidential customer data. The company has no means of discovering who gained unauthorized access. Chief Executive Officer Though some of our data is not confidential, we need to increase security for our data that is confidential. We have had major security problems in the past, including compromised confidential customer data. This is a problem because we are contractually obliged to protect customer data. We also need to able to identify users who do gain unauthorized access. To achieve our goals, we can spend money on security, but we cannot increase the number of employees. Chief Information Officer Our IT staff use their administrative accounts for everything which is acceptable on their own client computers. However, they often log on to business office client computers with their own administrative account, and they forget to log off after they are done. Consequently, business office users can perform tasks by using administrator privileges, which creates network problems. We also struggle to main client computers and services with current security patches. Though IT staff test security patches when they come out, they cannot always find the time to deploy them. We cannot use Windows Update on client computers because of our low Internet bandwidth. To conserve bandwidth, our firewall prevents client computers from accessing Windows Update. So, although servers have access to Windows Update administrators often forget to run it. Solutions to these problems cannot require any more ongoing work from IT staff. Senior IT Administrator The junior administrators need to help to create new user accounts. However, they are not currently authorized to create new administrative staff accounts or to edit any existing accounts. Although company policy allows junior administrators to only reset passwords, the domain permissions do not currently allow them to do so. Junior IT Administrator Our biggest security patch management problem is that our users are not administrators on their computers. Though we would need to track user administrative actions, I think we should make users administrators on their own computers. Courier Even though I know I should pick a difficult password, I can only remember so much. To simplify my life, I use the same password at every job. I have heard that couriers watch and steal other courier's passwords, but it has never happened to me. Consolidated Messenger's written security policy contains the following requirements: * We must monitor and track when business office users attempt to make system registry configuration changes to their computers. We do not need to monitor or track everyday actions on client computers. * We must monitor and track all access to sensitive company data, including most customer data and courier assignments. * We must maintain all computers with current security patches for critical updates. The senior IT administrator is responsible for first testing all patches and then releasing them to all client and server computers in the company. * We must limit the use of user accounts that have domain administrators or other administrator privileges. Only IT staff will have access to domain administrative accounts.

Provide all users with the ability to access and use the Windows Update Web site. Upgrade all client computers to either Windows 2000 Professional or Windows XP Professional.Implement Software Update Services (SUS). Upgrade all client computers to either Windows 2000 Professional or Windows XP Professional. Makeall users members of the Power Users group on their client computers. Install the Active Directory Client Extensions on all Windows 95, Windows 98, and Windows NTWorkstation 4.0 computers. Manually download all security patches to a Distributed File System (DFS) replica. Instruct all users to use the DFS replica to install security patches. Install the Active Directory Client Extensions on all Windows 95, Windows 98, and Windows NTWorkstation 4.0 computers. Install a Software Update Services (SUS) server and make all users local administrators on their client computers.

8.

Question 03 Case Study #10, Fabrikam ---------------------------------------------------------------- You need to design a patch management strategy that meets business requirements. What should you do? Case Study Title (Case Study): Overview: Fabrikam, Inc., is a personnel recruiting agency for contract employees. The company supports technology companies' needs for contract consultants, network administrators, and information technology (IT) professionals. Physical Locations: The company's main office is located in London. The company has two branch offices. For each of its largest customers, Fabrikam, Inc., provides one to five on-site employees from the sales department to work full-time at the customer's office. Existing Environment Business Processes: The London office consists of the following departments:

Install Systems Management Server (SMS) on a computer on the internal network. Use the Default Domain Policy GPO to distribute the SMS client software to all computers in the domain. Install Microsoft Operations Manager (MOM) on a computer on the internal network. Use the DefaultDomain Policy GPO to distribute the MOM client software to all computers in the domain. Install Software Update Services (SUS) on a Web server, and configure it to synchronize and approveupdates nightly. Configure client computers to receive automatic updates from the Web server. Ensure that users restart their client computers daily. Install Software Update Services (SUS) on a domain controller, and configure it to synchronize andapprove updates nightly. Configure client computers to receive automatic updates from the domain controller. Ensure that users restart their client computers daily.

9.

Question 08 Case Study #10, Fabrikam ---------------------------------------------------------------- You need to design an access control strategy for the financial data used by the accounting department. Your solution must meet business requirements. What should you do? Case Study Title (Case Study): Overview: Fabrikam, Inc., is a personnel recruiting agency for contract employees. The company supports technology companies' needs for contract consultants, network administrators, and information technology (IT) professionals. Physical Locations: The company's main office is located in London. The company has two branch offices. For each of its largest customers, Fabrikam, Inc., provides one to five on-site employees from the sales department to work full-time at the customer's office. Existing Environment Business Processes: The London office consists of the following departments:

Modify the properties of the computer object named P_FS2 to enable the Trust computer for delegation attribute. Instruct accounting department users to use Encrypting File System (EFS) to encrypt files. Modify the properties of all accounting department user accounts to enable the Account is trusted fordelegation attribute. Instruct accounting department users to use Encrypting File System (EFS) to encrypt files. Modify the properties of accounting department computers to enable the Trust computer for delegationattribute. Configure accounting department client computers to use IPSec to communicate with P_FS2. Modify the properties of all administrator accounts in the forest to enable to Account is trusted fordelegation attribute. Configure accounting department client computers to use IPSec to communicate with P_FS2.

10.

Question 01 Case Study #10, Fabrikam ---------------------------------------------------------------- You need to design a security solution for the internally developed Web applications that meets business requirements. What should you do?(Case Study missing} Case Study Title (Case Study): Overview: Fabrikam, Inc., is a personnel recruiting agency for contract employees. The company supports technology companies' needs for contract consultants, network administrators, and information technology (IT) professionals. Physical Locations: The company's main office is located in London. The company has two branch offices. For each of its largest customers, Fabrikam, Inc., provides one to five on-site employees from the sales department to work full-time at the customer's office. Existing Environment Business Processes: The London office consists of the following departments:

Install and configure a stand-alone root certification authorative (CA) that is trusted by all company client computers. Issue encryption certificates to all developers. Install and configure root certification authority (CA) that is trusted by all company client computers.Issue code-signing certificates to all developers. Purchase a root certification from a trusted commercial certification authority (CA). Install the rootcertificated on all developers' computers. Purchase a code-signing certificate from a trusted commercial certification authority (CA). Install thecertificate on all company client computers.

Microsoft-Designing Security for a Windows Server 2003 Network Set 1

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Congratulations

COMPANY

Products

OTHERS

Partner

Microsoft-Designing Security for a Windows Server 2003 Network Set 1

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Answer & Solution

Answer: Option B

Solution:

Congratulations

Detail Form

COMPANY

Products

OTHERS

Partner