Case Study Questions




1.

You need to design a resource access solution for the marketing department that meets business and technical requirements. A one-way trust has been created where the IntelliAgent forest trusts the JC Enterprises forest. Which actions should you perform? (Each answer presents part of the solution. Choose two options.)

  A. Add the marketing department users to a new Global group named GlobalMktg in each domain. Add the GlobalMktg group from each domain to a new Universal group named AllMktg in the JC Enterprises forest.

  B. Add the marketing department users to a new Global group named mktgGroup. Add the mktgGroup Global group to the Domain Local group for the customer data.

  C. Add the marketing department users to a new Universal group named AllMktg. Add the AllMktg Universal group to the local groups on the Miami servers.

  D. Add the marketing department users to a new Global group named GlobalMktg in each domain. Add the GlobalMktg group from each domain to a new Universal group named AllMktg in the IntelliAgent forest.

  E. Add the AllMktg Universal group to the Domain Local group for the customer data and grant the permissions to the Domain Local group.


2.

You need to design a method to grant permissions to the office manager in each of the South American satellite offices so that they can reset passwords for other employees at each site. What should you do?

  A. Add the office managers’ accounts to the Domain Administrator’s group for their respective domain.

  B. Add the office managers’ accounts to the DACL for their respective site. Then assign the necessary permissions to this account.

  C. Delegate the necessary permissions to the office managers’ accounts on their respective offices’ OU.

  D. Grant the office managers’ accounts the ability to create new objects in their respective offices’ OU.


3.

You need to design a method to track changes that users make to the North America servers’ data. What should you do?

  A. On the file servers in North America, enable Audit Privilege Use Success And Failure Auditing.

  B. On the file servers in North America, use the Security Configuration And Analysis tool to enable Audit Directory Service Access Failure Auditing.

  C. On each server, configure the NTConfig.pol file to restrict access to the Registry.

  D. Create a Group Policy object (GPO) that will apply a custom security template that restricts access to the Registry. Apply the GPO to all of the servers in North America.

  E. On the file servers in North America, enable success and failure auditing on each server’s shared folder.


4.

You need to design a method to track access to customer data. Your solution must comply with the written security policy. What should you do?

  A. Write a script to evaluate effective permissions on the marketing files.

  B. Schedule Microsoft Baseline Security Analyzer (MBSA) to run periodically.

  C. Audit marketing files for successful and failed attempts to access the data by all users.

  D. Audit marketing files for failed attempts to modify the data by all users.


5.

You need to design an access control strategy that meets business and security requirements. Your solution must minimize forestwide replication. What should you do?

  A. Create a Global group for each location. Add users to their respective location groups as members. Assign the location Global groups to file and printer resources in their respective domains, and then assign permissions for the file resources using the location Global groups.

  B. Create a Global group for each location and add the respective users as members. Create Domain Local groups for the file resources in each domain. Add the Global groups to the respective Domain Local groups. Then assign permissions to the file resources by using the Domain Local groups.

  C. Create a local group on each server and add the authorized users as members. Assign appropriate permissions for the file and printer resources to the local groups.

  D. Create a Universal group for each location and add the respective users as members. Assign the Universal groups to file and printer resources. Then assign permissions by using the Universal groups.

  E. Create a Global group for each location and add the respective users as members. Create a Universal group and add the location Global groups as members. Create a Domain Local group on the Miami server and assign it the appropriate permissions to access the customer data. Add the Universal group to the Domain Local group as a member.


Answers

1.

D, E. Following best practices, options D and E are correct. Option A is incorrect because the Universal group is created in the JC Enterprises forest and not the forest that holds the resource to be shared. Option B is incorrect because it doesn’t minimize administration overhead. Option C is incorrect because accounts should not be members of a Universal group when the AG(G)UDLP best practice is followed.

2.

C. To minimize administrative overhead, you should use delegation to allow the office managers in the remote locations to reset the passwords for the employees in their respective offices. Granting the office managers administrator privileges gives them more than the required permissions, so it is not a secure solution. Granting the office managers’ accounts the permissions to create new objects in an OU does not allow them to reset the password for other employees at the site, so option D is incorrect.

3.

E. To track the changes made remotely to the data on the servers in North America, you should enable auditing on the shares on the server in Miami. Privilege use is too broad, therefore option A is incorrect. You need to track access to the file system, not access to the directory, therefore option B is incorrect. NTConfig.pol was used in Windows NT 4 for policies, which won’t play a role in Windows Server 2003. Creating a GPO restricting access to the Registry has no effect on the tracking of remote access to files, so option D is incorrect.

4.

C. You will need to audit successful and failed attempts to access the data rather than just the failed attempts as stated in option D. Option A has no impact on the tracking requirements in the written security policy. The MBSA will not do anything automatically as a result of it being run periodically.

5.

E. Using a Universal group with Global groups as its members means that changes in membership in the Global groups will not require forestwide replication, only domainwide replication.






MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
Year: 2004
Pages: 168