Case Study

You should give yourself 20 minutes to review this testlet and complete the questions.

Background

Minneapolis Concrete Sawing and Drilling (MCSD) plans and completes custom concrete sawing and drilling in the greater Minneapolis area for several different industries.

The company’s main office is located in Minneapolis, Minnesota. The company has branch offices in Rochester, Minnesota, and Wilmington, Delaware.

MCSD is entering into a partnership with Custom Blades Inc. to supply all of the blades for the specialized saws. MCSD needs to be able to have encrypted communications with Custom Blades Inc.

Existing Environment

Users in the sales department require access to the sales data by using a custom ASP.NET application hosted on a server running IIS 6.

Sales and product information is stored on Microsoft SQL Server 2000 running in the Minneapolis office. There is an intranet web application that is used to access this data.

Each location has a file server with a sales and customer share that is to be accessible to only authorized users.

The following table lists the servers on the network with their location, role, and operating system version:

Firewalls are configured to allow web traffic originating from the Internet to only SrvWeb01.

The Custom Blades network consists of a Windows NT 4 domain in which all client computers are running Windows 2000 Professional.

The following problems must be evaluated:

• Administrators need to manually apply policies on individual servers and workstations using the Local Policy MMC snap-in on each computer.

• Configuration changes that cause the security to be relaxed are occasionally made to computers.

Interviews

Chief Executive Officer It is important to maintain a high level of collaboration with Custom Blades; however, we need to make sure that we are not allowing them to see too much information regarding our business plans. Custom Blades does business with several of our competitors.

Chief Information Officer The information that is being shared with Custom Blades needs to be secured and must be kept confidential.

The security policies need to be maintained, and as servers are moved or have their roles modified, the security policies need to be dynamically modified. The security architect has guaranteed that the security of our resources will be kept as our number one priority when it comes to our systems. With the exception of our web servers, we will even sacrifice functionality if it is for better security.

Security Architect We need to make sure the security infrastructure is kept at a higher priority than compatibility and interoperability.

Business Requirements

The following security requirements must be evaluated:

• Application functionality must not interfere with security.

• DNS records are not allowed to be transferred to external sources.

• The DNS cache should be as secure as possible.

• Security updates must be automatic.

• Security changes to the web servers should have a minimal effect, if any, on the functionality of our applications or services that are accessed from them.