Case Study Questions

1.

You need to design a patch management solution that distributes and applies security patches. Your solution must meet business and security requirements. What should you do?

1. Use one new SUS server in each of the four offices to download all security patches. Test the security patches. Use SUS to deploy the security patches to computers in each office.

2. Use one new SUS server in Philadelphia and one in Los Angeles to download all security patches. Use a GPO that is based on user configuration for each domain to deploy security patches to servers in each geographic location.

3. Use a new SUS server in Philadelphia, Los Angeles, and Minneapolis to download all security patches. Use SUS to deploy security patches to computers in their respective offices. Configure the Wilmington computers to use the SUS server in Philadelphia.

4. Use one new SUS server in Philadelphia and one in Los Angeles to download all security patches. Test the security patches. Deploy security patches to servers in each geographic region.

2.

You need to design the configuration of IIS and SQL Server machines to meet the requirements in the written security policy. What should you do?

1. Log on to a domain controller and use MBSA to scan all servers for Windows vulnerabilities.

2. Create a startup script in a GPO and link it to the SQL Server machines and Web Servers

3. U and GPO that runs MBSA when the computer starts up.

4. Create a script that runs the MBSA against the SQL Server and IIS servers and schedule it to run weekly.

5. Log on to each SQL Server machine and each IIS machine and use MBSA to scan each server locally.

3.

You need to make sure that the executives’ laptops are secured and that the configuration that secures them is different than the configuration used to secure the desktops that they use. All client computer accounts are in the ClientComputers OU. What should you do to ease the application of the configuration information in a GPO to the laptops without causing the same settings to be applied to the desktops?

1. Create an OU for laptops and move all of the laptop objects into it.

2. Create a software restriction policy that prevents laptop computers from executing software that isn’t allowed.

3. Use the Security Configuration And Analysis tool and set the -portable switch so that it will apply only to laptop computers.

4. Use the MBSA utility and set the -portable switch so that it will apply only to laptop computers.

4.

You need to deploy patches to the computers in each department, and you need to make sure that your solution meets with the approval of the system administrator. What should you do?

1. Create a single SUS server to approve patches for the enterprise.

2. Create a single SUS server for each department to approve patches.

3. Create a single SUS server for each site to approve patches.

4. Create a single SUS server for each office to approve patches.

5.

Due to an acquisition, a new office has been added to your infrastructure in Phoenix. The Phoenix site has a high-speed link directly to the Los Angeles office. You need to redesign the Software Update Services (SUS) infrastructure for the company. You will need to decide whether or not each of the new SUS servers will be receiving new updates directly from Microsoft servers on the Internet or from another SUS server within the company. Your solution must use the fewest number of SUS servers that retrieve their updates from the Internet while still preserving Internet bandwidth. What should you do?

To answer place the appropriate SUS server with the appropriate site. Some options may be used more than once, others may not be used at all.

1.

C. To minimize Internet traffic, each site should connect to the Microsoft Windows Update site and download the patches that they require independently of one another. Because the Wilmington office has a high-speed connection to the Philadelphia office, there is no need for it to get the updates from the Internet, nor does it need to maintain its own SUS server. Option A is incorrect because Wilmington doesn’t need to access the Internet or be running a SUS server. Options B and D are incorrect because the link between Los Angeles and Minneapolis is over the Internet and there would be a significant increase in Internet traffic if all patches were deployed across the site link.

2.

C. Option C allows each of the required servers to be scanned on a regular basis, which is why it is correct. Option A is incorrect because all of the servers are scanned, not just the SQL Server and IIS servers, as stated in the security requirements. Option B evaluates the servers only when they start up, which should not happen very frequently, and therefore it is incorrect. Option D puts too much of a burden on the administrator to manually run the MBSA utility.

3.

A. Moving the laptop computers into their own container, or OU, is the best solution for applying the GPO only to them. Software restriction policies will not affect the security configuration on the computers. The Security Configuration And Analysis tool can be used to analyze only one computer at a time, whereas a template can be used to analyze multiple computers. The MBSA utility is used only for auditing and reporting and will not make configuration changes to any of the computers.

4.

B. According to the system administrator, each department needs the ability to approve different security patches; therefore, each department needs its own SUS server. Only option B allows a set of patches to be approved for each department. Option A is incorrect because it only allows one set of updates to be approved for all computers in the enterprise. Options C and D are also incorrect because they don’t allow different patches per department.

5.

Wilmington and Phoenix, because of their high-speed link to a main site, do not require a SUS server that retrieves the updates from the Internet. The Wilmington SUS server will retrieve its updates from the Philadelphia SUS server, and the Phoenix SUS server will retrieve its updates from the Los Angeles SUS server. Each site requires its own SUS server for patch approval. Philadelphia, Minneapolis, and Los Angeles will retrieve their downloads from the Microsoft Internet site.