70-298 Designing Security for a MS Windows Server 2003 Network Practice Test

Demo Question 3.

City Central Utilities, Scenario Background City Central Utilities is one of the largest manufacturers of genuine quality approved utilities which are used across the world. Physical Locations City Central Utilities has its headquarters in Atlanta. City Central Utilities has a branch office in Brisbane which maintains a production facility and a retail branch office in Auckland which maintains a distribution facility. City Central Utilities also has a retail office in London. The City Central Utilities has 525 users in the Atlanta office, 25 users in the Brisbane office and 225 users in the Auckland office. Planned Changes City Central Utilities has hired you to design and implement a security plan which should be based on results of a security audit which was performed by a contractor of City Central Utilities. The security audit was conducted at City Central Utilities over a period of 4 months. The contractor hired by City Central Utilities has produced a report identifying several security issues. The security issues will have to be addressed in your security design. Existing Environment Directory Services The City Central Utilities company consists of a single Active Directory domain named citycentral.com. The functional level of the domain is set at Windows Server 2003. City Central Utilities has recently decided to create a site for each branch office and configure appropriate site links. The domain controllers of City Central Utilities remain in the default Domain Controllers container. The management has also decided to have the administrative user accounts remain in their default Users container. The network administrators of City Central Utilities make use of their client computers for accessing the network. It is imperative to City Central Utilities that interactively logging on to the servers and domain controllers be prohibited. Network Services City Central Utilities has deployed multiple domain controllers to ensure that there is fault tolerance. All servers on the citycentral.com network run Windows Server 2003 and all client computers run Windows 2000 Professional or Windows XP Professional. The City Central Utilities network has three servers located in different offices configured as file servers. The servers used by City Central Utilities are named CCU-SR01, CCU-SR02, CCU-SR03. The server named CCU-SR01 resides in the Atlanta office, CCU-SR02 resides in the Brisbane office and CCU-SR03 resides in the Auckland office. All of the file servers host a shared data folder shown below: City Central Utilities also has a member server residing in Brisbane named CCU-SR04. CCU-SAR04 is used to host an inventory control application which is accessed only by Auckland and Brisbane network users. The Management of City Central Utilities has also decided to deploy a Wireless network in Brisbane. City Central Utilities are planning to install multiple access points (APs) on each department to provide full wireless coverage in the facility. City Central Utilities has only issued 15 portable computers with wireless adapters. All the network portable computers run Windows XP Professional. Web Services City Central Utilities has an internal Website and a Web-based inventory tracking application which is hosted on a server named CCU-SR05. City Central Utilities has Web site content that is updated and created by network users in the Human Resources (HR) department. City Central Utilities makes use of the intranet Web site to communicate the company information with the citycentral.com employees. The City Central Utilities inventory tracking application is used by the City Central Utilities Sales staff and management. CCU-SR05 runs Windows Server 2003, Web Edition and resides on the internal network. The network users of City Central Utilities make use of Internet Explorer 5.5 for Internet and Intranet Web browsing. Wide Area Network (WAN) City Central Utilities makes use if the Atlanta main office to provide Internet connectivity to the Brisbane and Auckland branch offices via T-1 connection. The City Central Utilities network environment is shown in the Infrastructure exhibit: Organizational Unit (OU) Structure The City Central Utilities network OU structure is shown in the OU Structure exhibit: City Central Utilities has defined a top-level OU for each City Central Utilities location which contains three child OUs each location specific. City Central Utilities makes use of the OU named CCUCA to contain all the client computer accounts in the specific location. The child OU named CCUUA is used by City Central Utilities to contain all the user accounts and the child OU named CCUSA is used to contain the server accounts in the location. City Central Utilities has also defined a global security group for each location to simplify the assignment of permissions to non-administrative users. The City Central Utilities management wants the membership to these groups to be based upon the user's location. The City Central Utilities groups and membership parameters are below: 1. BUsers - is used to contain the Brisbane users 2. AUsers - is used to contain the Auckland users 3. ATUsers - is used to contain the Atlanta users The City Central Utilities company also has a global security group named CCUAdmin which is used to assign permissions and user rights to the technical support team. City Central Utilities also uses a global security group named CCUWebAdmin which is used to assign permissions and user rights to members of the IT administration responsible for the management of the internal Web server. The City Central Utilities Security Audit Report from the contractor City Central Utilities wants to have the following security issues considered: 1. Some of the City Central Utilities users have modified the initial security policy in Control Panel which allows unsafe ActiveX controls to be inadvertently downloaded and installed on their computers. The City Central Utilities also install applications on client computers without management approval. This leaves the City Central Utilities network administrators unable to provide support for a large number of applications currently deployed. 2. The City Central Utilities company has not defined a consistent baseline security configuration for either network domain controllers or member servers. The City Central Utilities wireless network is currently configured using a pre-shared key on each wireless access point and portable computer. City Central Utilities makes use of a simple key which is not changed on a regular basis. 3. City Central Utilities does not apply security patches consistently to the network computers. Because of this some network computers were recently infected by a virus which could have been avoided if the security patches were up-to-date. Most of the City Central Utilities network users do not lock their computers when leaving it unattended over extended periods of time. This action has recently caused contents of a sensitive document to me made public because it was left open on the user portable computer. An unauthorized user has viewed the documents while delivering files to the office. 4. The City Central Utilities generally do not protect network credentials. The City Central Utilities in the past shared user names and passwords with other employees. Some of the network users even taped pieces of paper noting passwords to the monitor which are acquired by unauthorized individuals. The portable computers in the Brisbane network are particularly vulnerable to unauthorized access. The City Central Utilities intranet Web site currently allows access to the company information without user authentication. Interviews Chief Information Officer (CIO) "Our industry is not a high-security industry but an inconsistent revenue cycle requires City Central Utilities to increase and decrease staffing levels on a regular basis. These actions have caused City Central Utilities to be more vigilant protecting network access. The City Central Utilities network functions reliably and the upgrade to Windows Server 2003 occurred over time and was not designed to meet the City Central Utilities security requirements. Because of this the design has resulted in some security related events which were the impetus for the external security audit." "I want the network design to be modified to increase the security and resolve the issues specified in the audit. I also want any configurations to be centrally defined and applied to the network domain controllers and network server as well as client computers when possible." "The management of City Central Utilities has decided to continue issuing portable computers to the Brisbane users but the authentication to the wireless portion of the City Central Utilities network should be strictly controlled. City Central Utilities should ensure that user credentials for portable computers and desktop computers are tightly controlled using two-factor authentication. The City Central Utilities management has authorized the purchasing of additional equipment to secure all points of network access if required." Chief Security Officer "I want the users to be allowed to only view approved Internet Web sites. I also want only the administrators to be allowed to add and remove sites from the list of approved Web sites. The City Central Utilities network users should not be allowed to override these restrictions by modifying the Internet security settings in Control Panel." "We should have a consistent set of programs and applications to be defined and deployed. The City Central Utilities Domain users should not be able to update or install any software components other than those approved by members of the CCUAdmin group." "Our domain account policies must be as secure as the account policy settings dictated by the Securedc.inf security template at least. The security settings should also be customized to meet the City Central Utilities requirements and the current settings that are more secure than the security template should be retained and settings not required disabled." "Another concern of mine is that user access to the inventory tracking application on CCU-SR05 be secured by using certificate-based authentication. I want auditing enabled on CCU-SR05 to monitor all users accessing this application. You should then be able to verify who is logged on to the application and who the owner of the user account is." IT Administrator "I want access to the shared folders in each location to be secure. This requires non-administrative users only to be granted access to the files located on their local file server. The users in their respective locations should be able to edit files in the local shared folder but should not be able to take ownership or change permission of user files." "Another concern is that the security audit showed incidents where users were logged onto the network using logon credentials of other users. I want steps to be taken in order to prevent this in the future. I want to implement a process that will be used to track the incidents to identify all the unauthorized logon attempts." Project Requirements The following project parameters are to be considered for City Central Utilities: The City Central Utilities management wants the users who access the shared data over the network to only be able to view the files located on their specific file server. 1. City Central Utilities wants all the attempts by unauthorized users to access the data folders on the file server to be monitored. City Central Utilities Also wants the users to be required to authenticate using their Active Directory user account credentials when accessing the intranet Web site. The authentication will be required to be automatic requiring no user intervention during the authentication process 2. City Central Utilities wants the user accessing the intranet Web site to be prevented from executing scripts or applications on the site. City Central Utilities Also wants the users allowed to view a hypertext listing of all files and subdirectories in the Web site virtual directory. Topic 1, City Central Utilities (10 Questions) You need to start configuring the data stored on the file servers. You are required to reconfigure the NTFS permissions on the shared folders located on the file servers to restrict access to the data. What should you do? (Choose all that apply.)

A. You should remove the Everyone group and add the BUsers group and assign the group Full Control NTFS permission
B. You should remove the Everyone group and add the ATUsers group and assign the group Full Control permission
C. You should remove the Everyone group and add the ATUsers group and assign the group Modify permission
D. You should remove the Everyone group and add the BUsers group and assign the group Modify permission
E. You should remove the Everyone group and add the AUsers group and assign the group Modify permission


Display Answer

Answer: C, D, E

Explanation: You should consider taking the actions in the answers in the scenario because currently the effective permissions allow users to connect from all locations remotely and modify the contents of the shared folders. 1. The IT administrator of the City Central Utilities network wants access to the shared folders in each location to be secure. This requires non-administrative users only to be granted access to the files located on their local file server. The users in their respective locations should be able to edit files in the local shared folder but should not be able to take ownership or change permission of user files Incorrect