70-298 Designing Security for a MS Windows Server 2003 Network
Note 2: 70-298 Answers are not shown in demo questions.
Exhibits and Answers are only provided in the Full Version.
Demo Question 2.
TestLabs, Inc., Scenario

Background
TestLabs, Inc. is a national company that specializes in the development and retail of pharmaceutical medicines. The company is closely aligned to the Medical Science department at the University of Chicago.

Physical Locations
TestLabs, Inc. has its headquarters in Chicago and a branch office in Detroit. The two offices are connected by a 128 Kbps ISDN line. TestLabs, Inc. users and departments are distributed among the two offices as shown in the following table:

Business Processes
Members of the IT department use client computers to remotely administer all servers and domain controllers on the TestLabs, Inc. network. Users update an internal tracking Web application that tracks the testing and development of new pharmaceutical drugs. The tracking Web application is available on an internal Web site that is hosted on a Web server named TL-SR07. TL-SR07 is running Internet Information Services (IIS) 6.0.

Directory Services
The TestLabs, Inc. network consists of a single Active Directory domain named testlabs.com. All servers on the TestLabs, Inc. network run Windows Server 2003, Enterprise Edition. The IT department in Chicago is responsible for the administration of Active Directory. Each office is organized into a separate organizational unit (OU) with the user and computer accounts located in child OUs as shown in the Organizational Unit Hierarchy exhibit. The ChicagoAdmins, HRAdmins, ResearchAdmins, and ManufacturingAdmins global user groups are located in their respective OUs and have full control of that OU.

Network Infrastructure
The HR department uses a legacy application that can run only on Windows NT Workstation 4.0. The client computers for all other departments run Windows XP Professional. The testlabs.com domain has a public key infrastructure (PKI) that consists of an internal root certification authority (CA) and an internal subordinate enterprise CA. The internal subordinate enterprise CA issues certificates to users and computers. The Chicago office has three domain controllers named TL-DC01, TL-DC02, and TL-DC03. The Detroit office has one domain controller named TL-DC04. The Chicago office has a Microsoft Internet Security and Acceleration (ISA) Server 2000 computer named TL-SR05, and wireless access points (APs). TL-SR05 and the wireless APs support wireless desktop and portable client computers in the Research department. IEEE 802.1x, RADIUS, and Wired Equivalent Privacy (WEP) are implemented in the wireless network infrastructure.

Problem Statements
Chief Information Officer: "Security is my main concern. We must improve security on client computers, servers, and domain controllers. We should implement a secure password policy. Legislation requires that the servers in the Research department display a logon message that tells users that access to the server is restricted to authorized users."

System Administrator: "Our current patch management solution is problematic. It requires too much time, consumes too much bandwidth and leads to too much down time. Each department needs different security patches. We need a test network to test security patches and updates before they are deployed to the rest of the network. After testing a patch, it must be deployed automatically to servers in the appropriate department. We need to limit the network bandwidth used to obtain and deploy security patches."

Chief Security Officer: "My main concern is permission escalation and unauthorized access to the wireless network. We need to know when an administrator changes the user permissions on a server or on a domain controller and when the local security account manager objects on any server are changed."
"We must also improve the security of the wireless network in the Chicago office. We must ensure that only Research department users can connect to the wireless network. We need to implement the most secure method for authenticating users that access the wireless networks and we need to protect the data that is transmitted between the wireless client computers and the wireless access points. We must also ensure that our wireless client computers receive the required wireless network access security settings automatically."

Backup Operator: "We run backups of all users' My Documents folders but some users in the Detroit office have changed the location of their My Documents folders to network folders on one of the servers in their office. We should prevent them from doing this so that we can effectively back up user data."

Research Department Manager: "Members of the ResearchAdmins group are a problem. I suspect we have unauthorized users in this group. We need to restrict membership to this group to authorized users."
"We store documents in a network share named Projects on a file server named TL-SR06. Users in my department need to encrypt data in the Projects folder from our client computers but we can't. Every time we try to, we receive an error message stating that we cannot encrypt data located in the Projects folder. We need to be able to encrypt this data."

Written Security Policy
The following requirements are included in the written security policy for TestLabs, Inc.
1. Passwords must be at least eight characters long and must contain uppercase and lowercase letters and numbers.
2. Passwords may not contain all or part of the user's account name.
3. Passwords must have a minimum password age of 15 days and a maximum password age of 45 days.
4. Access to data on servers in the Manufacturing department must be logged.
5. All servers on the TestLabs, Inc. network, including domain controllers, must be configured and managed from the Chicago office.
6. A standard set of security settings must be deployed to all servers in the HR, Research, and Development departments.
7. The services on domain controllers and the administrators that have permission to stop and start services must be managed from the Chicago office.
8. All servers must be examined regularly for missing security patches and service packs.
9. All servers must be examined regularly to ensure that they are not running any unnecessary services.
10. TL-SR07 must be examined regularly for missing IIS security patches.
11. The Web site users and the files they download must be logged to a Microsoft SQL Server database server named TL-DB05.
12. Medical Science department users from the University of Chicago who use Windows 95 or Windows 98 client computers must have the Active Directory Client Extensions software installed to be able to authenticate to domain controllers on the TestLabs, Inc. network.

Topic 2, TestLabs, Inc. (11 Questions)

You are designing a certificate distribution method to meet the requirements of the Chief Security Officer. What should you do? (Each correct answer presents part of the solution. Choose THREE.)
A. Instruct the users in the Research department to submit a request for user certificates from the CA Web site enrollment page.
B. Create a Group Policy object (GPO) and configure it to allow autoenrollment of user and computer certificates.
C. Link the Group Policy object (GPO) to the Research OU.
D. Instruct the users in the Research department to run the gpupdate command.
E. Link the Group Policy object (GPO) to the testlabs.com domain.
F. Configure certificate templates.
Answer: B, C, F
Explanation: The autoenrollment features are set by CA administrators in the certificate
templates and will automatically issue certificates.
A Group Policy object (GPO) is a set of rules for managing client configuration
settings that pertain to desktop lockdowns and the launching of applications. GPOs are
data structures that are attached in a specific hierarchy to selected Active Directory
objects. A GPO can be applied to sites, domains, or organizational units. This reduces the
administrative effort required to apply the same policies on an individual basis. In this
scenario we need to apply the GPO to the Research department OU, as only members of
the Research department must be able to access the wireless network.
Incorrect