Chapter 8: Securing Active Directory


1.  

Best Fit Inc is a clothing retailer that has been in business for over 25 years and grosses over 100 million dollars in annual sales. The company is experiencing tremendous growth and has added a Web store to reach customers in areas where it doesn't have a retail presence. This venture into the Web now poses a security issue for them. The company has asked the IT department to ensure proper procedure is in place so that they are informed anytime anyone attempts to access confidential data that's stored on the Web server. Which audit policy should you enable on the Web server? (Choose all that apply.)

  A. Audit success and failure of process tracking

  B. Audit success and failure of object access

  C. Audit success and failure of logon events

  D. Audit success and failure of directory service access


2.  

Elineken is a new brand of beer that is being produced by the Eli bottling company, which employs over 35,000 employees worldwide. The corporate headquarters is in San Francisco and the company has production facilities in Holland, Ireland, Germany, and Hong Kong. After finding great response to their brand of beer and getting numerous awards, the company is now expanding its market into the Middle East and has acquired a large production facility in Lebanon. This new facility will be home to some 2000 employees who will service the needs of the area, and as such will require several file servers, Exchange servers, and DCs to be available on site for speedier authentication, mail delivery, and to avoid WAN reliability issues. The CIO is especially interested in the security procedures that will be in place to secure the local servers and has asked you to ensure the company is using best practices and that the servers will be as safe as possible. The CIO also has decided that the Lebanon facility will be incorporated into the existing domain model. How should you secure the new servers at the new Lebanon facility?

  A. Install the servers into a new OU and implement group policies at the site level.

  B. Install the servers into a new OU and implement group policies at the OU level.

  C. Install the servers into their own Active Directory tree and implement group policies at the domain level.

  D. Install the servers into the same Active Directory tree as stores and modify the schema.


3.  

Ground Up Properties is the third largest shopping mall owner and operator in the world with over 300 malls in the United States alone spread out across all states. The company currently has over 4000 employees and is headquartered in New York. Ground Up has been experiencing tremendous growth in its sector and is ready to acquire a major European real estate company that owns and operates 50 malls in Europe. The acquired European company does not have any network in place, and your integration team has decided to incorporate the newly acquired malls into the existing infrastructure and treat them as sites within the existing domain. This means that every site would need a DC that will also act as a file and print server and an Exchange server. Because of time difference and language barriers, the company decides to hire a few local techs in the Paris regional office to accommodate the needs of the users in these malls. The CIO is requesting that the local helpdesk personnel be given enough access to manage the users and groups in the newly acquired facilities. Which strategy should you use to accommodate the newly acquired malls?

  A. Add the helpdesk employee to the Domain Admins group.

  B. Add the helpdesk employee to the Enterprise Admins group.

  C. Delegate authority at the domain level to the Paris helpdesk employees to manage users and groups.

  D. Delegate authority to the Paris helpdesk employees to modify accounts and groups in the European malls OUs.


4.  

Didisoft is a technology company with products for the security industry. The company is a new startup based in San Francisco and employs 500 employees. The CIO is very aggressive about security and intrusion detection and has requested that the Windows Server 2003 architect implement all the tools and features the operating system offers in that direction so that it can be combined with the Didisoft Intrusion Squasher software that, in his opinion, would render the system impenetrable. The CIO wants to ensure that the sensitive administrative-level domain groups are not tampered with. What can you do to ensure only the appropriate users are members of Domain Admins?

  A. Implement ACLs on the Domain Admins group.

  B. Implement ACLs on the OU in which the Domain Admins group resides.

  C. Use Restricted Groups in Group Policy to enforce the membership.

  D. Regularly check the Domain Admins group membership to ensure it has not been modified.


5.  

Chocolate Chip is a chocolate-making company based in New Orleans. It employs 5000 employees. The company has recently experienced a security breach in which valuable information about the new chocolate flavor was stolen together with marketing strategy. The company had no security measures in place because the CIO claimed that security breaches are rare and overly exaggerated by the media and has assured management that no such thing would occur in the company. After the main competitor for Chocolate Chip released a product with a slightly different name and used the exact same marketing strategy that the Chocolate Chip company was planning to use, management found this a strange coincidence and started an investigation, only to be tipped off by an IT employee in the other company bragging about how easy it was to hack and steal from the Chocolate Chip network. The CIO immediately called a meeting of the IT staff and requested that auditing be enabled as a first step in a list of security measures that will follow. What should you include in an audit policy for the domain?

  A. Failure audit for account logon events; failure audit for directory service access; success and failure audit for policy change; success and failure audit for account management

  B. Failure audit for object access; failure audit for account logon events; failure audit for directory service access; success and failure audit for policy change

  C. Success and failure audit for object access; success and failure audit for policy change; success and failure audit for account logon events; success and failure audit for process tracking

  D. Success and failure audit for object access; success and failure audit for policy change; success and failure audit for account logon events; success and failure audit for directory service access


6.  

SV Corporation is a computer chip manufacturer based in San Francisco. The company employs 500 employees and is one of the leading computer chip manufacturers. The company recently avoided a security breach in which sensitive information could have been compromised or stolen by an international competitor. This incident immediately prompted the company to hire an external organization to attempt a penetration test and discover the possible vulnerabilities that exist on the SV network. During the penetration test, the security consultants were able to penetrate the network and gain full access to it. The CIO gathers all the different teams within MIS to discuss this and requests that each group take immediate measures to ensure their systems are as secure as possible in accordance with industry best practices. Since you are responsible for the Windows environment at SV, which policies should you include in a security strategy for the domain? (Choose two.)

  A. Enable account lockout

  B. Disable password aging

  C. Disable account lockout

  D. Enforce strong passwords and password aging


7.  

Best Pix Inc. is the largest chain of photography studios in the world, with several locations in every country in Europe and several locations in almost all states in the United States. They currently employ over 20,000 employees. The company is undergoing a major migration from Windows NT to Windows Server 2003. Every location currently has a manager with several employees. As part of the company's marketing strategy, they are interested in offering their customers access to their photos with the ability to order reprints over the Web. Security is a large concern for Best Pix, and they want to ensure that the service they are offering does not compromise security for their network. This service is also posing a challenge to the IT department in terms of how customer accounts will be created and deleted. Because the company is so big and widespread, the IT team has decided to grant the office manager at each location some kind of delegation to assist with this task and to be able to respond to customer needs in a timely fashion. That office manager can also respond to security threats on customer accounts in a quick and time-effective fashion. Which task should you delegate to the office managers?

  A. Modify the membership of a group

  B. Manage Group Policy links

  C. Create, delete, and manage customer accounts

  D. Create, delete, and manage groups


8.  

Gourmet Distribution specializes in wholesale distribution of canned foods to supermarkets. The company has many distribution locations spread out across the United States. Every distribution site employs about 100 employees. The IT director has decided to place a DC, an Exchange server, and a file server at every location to meet each site's IT needs. An IT administrator will also be hired at every location to see to server maintenance. As part of the migration from Windows NT to Windows Server 2003, you have decided to adopt a single domain model with separate OUs for every location. How should you grant the necessary permissions to the IT administrator at each distribution center?

  A. Create a new administrator account for each distribution center's OU. Grant the necessary permissions to this account.

  B. Create an administrator group for each distribution center's OU. Add an existing user designated as an administrator to this group. Grant the necessary permissions to this group.

  C. Create a new administrator account for each distribution center's OU in the headquarters root. Grant the necessary permissions to each new administrator's account.

  D. Create an administrator group for each OU at the headquarters root. Add an existing user designated as an administrator from each OU to this group. Grant the necessary permissions to this group.


Answers

1.  

B, C. Audit success and failure of object access, and Audit success and failure of logon events, are correct. Auditing object access would allow you to monitor any changes that are made to objects, including files, printers and the Registry, while auditing logon events would help to determine if unauthorized users are attempting to access logon-restricted areas of the company Web server.

Answer A would not be appropriate in this case because you are asked to monitor changes to data, whereas auditing process tracking would monitor an application, when that application exits or duplicates, and so forth. Answer D is also incorrect because it is auditing access to objects in Active Directory, not on the Web server's file system.

2.  

B. Best practices call for placing resources in an OU and implementing group policy at the OU level.

Answer A is incorrect because sites are typically used for separating traffic on the basis of geography and WAN connectivity; you might decide to open another office in the same site that will require different security or delegation settings, and that would require you to completely overhaul your policy implementation. Answer C is incorrect because the CIO already made it clear that the Lebanon facility will be in the current domain. Answer D is incorrect because you do not need to modify the Active Directory schema in order to secure resources.

3.  

D. The best answer is to delegate authority to the Paris helpdesk employees to modify accounts and groups in the European malls OUs, thus limiting their scope to the users they are supposed to be accommodating.

Answer A is technically correct but gives them excessive rights that they should not have access to. Answer B also is technically correct but gives the local helpdesk the ability to make major changes domain- and enterprise-wide and should be seen as an example of what never to do. Answer C also grants the helpdesk group more authority and rights than are needed to go about their daily tasks.

4.  

C. The use of Restricted Groups is the ideal method by which you can enforce which users are members of a group. With this method, every time Group Policy refreshes it checks whether the authorized users are members of the group. If they have been removed, Group Policy adds them back; if a new user was added to the group using a method other than Group Policy, it removes him or her from that group. It is the ideal and automatic way to monitor sensitive administrative groups.

Answer A is incorrect because if attackers or malicious users gain Domain Admin level rights, which would allow them to add themselves to the Admin group, they can modify the ACL and deny you access to it. Answer B is incorrect because security on the OU might be compromised, and as such the attacker can then prevent you from accessing the OU. Answer D is incorrect because it is not an effective and quick method of enforcing your policies.
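Restricted Groups is the enforcement mechanism; what the answer calls a "regular check" (answer D) still has a place as detection, so that a member Group Policy had to remove between refreshes is noticed and attributed. The following PowerShell script is an added example, not code from the book: it compares the effective (recursively expanded) Domain Admins membership with an approved list and pulls the matching group-change events from the PDC emulator's Security log. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the approved member names are constructed for the example.

```powershell
# Added example, not from the book: detect and attribute drift in Domain Admins
# membership. Restricted Groups is the enforcement; this is the detection that
# goes with it. Assumes the ActiveDirectory module (RSAT) and read access to a
# domain controller's Security log.
Import-Module ActiveDirectory

# Approved membership by sAMAccountName (constructed for this example). Keep
# the real list under change control, next to the Restricted Groups GPO.
$ApprovedMembers = @('Administrator', 'da-alice', 'da-bob')

function Get-DomainAdminDrift {
    param(
        [string]$GroupName = 'Domain Admins',
        [string[]]$Approved = $ApprovedMembers
    )
    # -Recursive expands nested groups, so membership gained through a group
    # that is itself an approved member is reported as well.
    $actual = @(Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object -ExpandProperty SamAccountName)
    if ($actual.Count -eq 0) {
        # Compare-Object rejects an empty array, so handle this case directly.
        return [pscustomobject]@{ Unexpected = @(); Missing = $Approved }
    }
    $diff = Compare-Object -ReferenceObject $Approved -DifferenceObject $actual
    [pscustomobject]@{
        Unexpected = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Missing    = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

function Get-DomainAdminChangeEvents {
    param(
        [string]$DomainController = (Get-ADDomain).PDCEmulator,
        [int]$LookbackHours = 24
    )
    # 4728 = member added to a security-enabled global group, 4729 = removed
    # (Domain Admins is a global group). These events exist only when the
    # Account Management audit category is enabled on the DCs.
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -eq 'Domain Admins' } |   # TargetUserName = group
        ForEach-Object {
            $action = 'removed'
            if ($_.Id -eq 4728) { $action = 'added' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $action
                Member = $_.Properties[0].Value   # MemberName (distinguished name)
                ByUser = $_.Properties[6].Value   # SubjectUserName (who made the change)
            }
        }
}

$drift = Get-DomainAdminDrift
if ($drift.Unexpected.Count -gt 0 -or $drift.Missing.Count -gt 0) {
    Write-Warning ('Domain Admins drift: unexpected={0} missing={1}' -f `
        ($drift.Unexpected -join ','), ($drift.Missing -join ','))
    Get-DomainAdminChangeEvents | Format-Table -AutoSize
}
```

Run it on a schedule shorter than the Group Policy refresh interval on domain controllers; an entry that appears in the event list but never in the drift output is exactly the case where Restricted Groups already reverted the change, and it still deserves a look at who made it.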

5.  

D. This choice configures an audit policy for success and failure on object access so that if someone is trying to manipulate or even read the recipe files, that person can be detected, or at least you can have a trail of evidence. Auditing success and failure of policy change ensures no one is modifying the policy to disable some settings so that he or she doesn't leave a trail when stealing information, such as disabling auditing on object access to hide the evidence of it. Account logon audits are great as a means of intrusion detection for user accounts and can be used to stop an attack if you get the information in a timely manner. Success and failure audits on directory service access mean that any change to the auditing that you have in place on objects in Active Directory is logged, and thus a trail is left if any Active Directory objects are modified.

Answer A is incorrect because it is monitoring only failure or success in some instances, where best practices always call for monitoring success and failure attempts so that if someone successfully logs in you can at least figure out how it happened. Answer B again is only monitoring a limited subset of the information that should be included in a comprehensive auditing plan. Answer C is monitoring success and failure, but if you closely examine the last choice, you will find that auditing success and failure for process tracking is not the most appropriate in this case. Process tracking monitors applications and is more appropriate in detecting viruses or Trojan horses.
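The categories chosen in question 5 (and the logon-event category from question 1) can be applied and verified from the command line as well as from the Group Policy editor. The following PowerShell script is an added example, not code from the book: it sets each required category to Success and Failure with auditpol.exe and then reads the effective policy back, reporting any subcategory left below that level. It assumes Windows Server 2008 or later (where auditpol.exe ships with the OS) and an elevated session on the server being checked; the list of categories is this example's reading of the two answers.

```powershell
# Added example, not from the book: apply and verify the audit categories that
# questions 1 and 5 call for, using auditpol.exe. Assumes Windows Server 2008
# or later and an elevated session on the server being configured. Domain-wide,
# the same settings belong in a GPO under Computer Configuration > Windows
# Settings > Security Settings > Local Policies > Audit Policy; this script is
# the per-server check that the GPO actually took effect.

# Categories named in answer D of question 5, plus Logon/Logoff (question 1).
$RequiredCategories = @(
    'Object Access',    # file, printer and registry access (objects need a SACL)
    'Policy Change',    # someone turning auditing off to cover their tracks
    'Account Logon',    # credential validation: intrusion detection for accounts
    'DS Access',        # changes to Active Directory objects
    'Logon/Logoff'      # logon sessions on this server
)

function Set-RequiredAuditPolicy {
    foreach ($category in $RequiredCategories) {
        # Success AND failure: a successful unauthorized read is the event you
        # most need a trail for, not only the failed attempts.
        & auditpol.exe /set /category:"$category" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol could not set category '$category' (exit code $LASTEXITCODE)"
        }
    }
}

function Get-AuditPolicyGaps {
    # auditpol's /r switch emits CSV, one row per subcategory, whose
    # 'Inclusion Setting' column reads No Auditing / Success / Failure /
    # Success and Failure. Blank lines are dropped before parsing.
    foreach ($category in $RequiredCategories) {
        $rows = & auditpol.exe /get /category:"$category" /r |
            Where-Object { $_ -match '\S' } |
            ConvertFrom-Csv
        foreach ($row in $rows) {
            if ($row.'Inclusion Setting' -ne 'Success and Failure') {
                [pscustomobject]@{
                    Category    = $category
                    Subcategory = $row.Subcategory
                    Effective   = $row.'Inclusion Setting'
                }
            }
        }
    }
}

Set-RequiredAuditPolicy
$gaps = @(Get-AuditPolicyGaps)
if ($gaps.Count -eq 0) {
    Write-Output 'All required categories audit success and failure.'
} else {
    $gaps | Format-Table -AutoSize
}
```

One caveat the answers do not spell out: enabling the Object Access category by itself produces no events for the recipe or customer files. Events are generated only for objects that carry a system access control list (SACL), so the confidential folders on the Web server also need auditing entries set on them (Properties > Security > Advanced > Auditing) for the policy to leave the trail the scenario asks for.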

6.  

A, D. Enabling account lockout ensures that after a specified number of attacks are made against an account to crack its password, the account should be disabled. Answer D is also correct because strong passwords should be implemented with password complexity so that users don't choose easily crackable passwords that would create an opportunity for attackers to gain access to the network by guessing a weak password. Password aging is also much recommended so that users cannot use a password they used the last three, four, or five times they changed their passwords.

Answer B is incorrect because it disables password aging, which would allow the user to keep selecting one or two passwords. This is a security hole and should be viewed as an example of what not to do. Answer C is incorrect because this particular scenario has an emphasis on stopping hackers who have intent to steal data. In this case, account lockout is good because as soon as the hacker sees there is no way he or she is getting access to these accounts, the hacker will most likely walk away. If we were concerned with hackers who just want to disrupt productivity, then this might have been a good answer because hackers can sometimes use your policies against you; in this case, hit all the user accounts until they get locked out and users can't log in.
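The two correct answers map onto a handful of settings in the Default Domain Policy, and the failure mode the explanation warns about (lockout used to deny users access) is visible in the Security log. The following PowerShell script is an added example, not code from the book: it compares the domain's effective password and lockout policy with a baseline, applies the baseline where the domain is weaker, and flags bursts of lockout events coming from a single caller. It assumes the ActiveDirectory module (RSAT) and read access to the PDC emulator's Security log, where every account lockout in the domain is recorded; the baseline numbers are this example's assumptions, not values from the book.

```powershell
# Added example, not from the book: check the domain password and lockout
# policy against a baseline (answers A and D of question 6) and watch for
# the denial-of-service pattern the answer describes, where accounts are
# locked out deliberately. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Baseline values are this example's assumptions; adjust to your own standard.
$Baseline = @{
    LockoutThreshold         = 10                       # at most 10 bad attempts
    LockoutDuration          = [timespan]'00:30:00'     # at least 30 minutes
    LockoutObservationWindow = [timespan]'00:30:00'
    ComplexityEnabled        = $true                    # "strong passwords"
    MinPasswordLength        = 14
    MaxPasswordAge           = [timespan]'42.00:00:00'  # aging on, at most 42 days
    PasswordHistoryCount     = 24                       # no reuse of recent passwords
}

function Test-DomainPasswordPolicy {
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Baseline.Keys) {
        $actual   = $policy.$name
        $expected = $Baseline[$name]
        # Compliant = at least as strict as the baseline. Lockout threshold and
        # maximum age are "lower is stricter", except that 0 means disabled.
        $ok = switch ($name) {
            'LockoutThreshold'  { $actual -gt 0 -and $actual -le $expected }
            'MaxPasswordAge'    { $actual -gt [timespan]::Zero -and $actual -le $expected }
            'ComplexityEnabled' { $actual -eq $true }
            default             { $actual -ge $expected }
        }
        [pscustomobject]@{ Setting = $name; Actual = $actual; Baseline = $expected; Compliant = $ok }
    }
}

function Get-LockoutStorms {
    param([int]$WindowMinutes = 15, [int]$Threshold = 5)
    # Event 4740 = account locked out. Many of them from one caller computer
    # in a short window is the "use your policy against you" pattern, not a
    # single user mistyping a password.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddMinutes(-$WindowMinutes) }
    Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object { $_.Properties[1].Value } |      # TargetDomainName = caller computer name
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{
                CallerComputer = $_.Name
                Lockouts       = $_.Count
                Accounts       = ($_.Group | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique) -join ','
            }
        }
}

$report = Test-DomainPasswordPolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    # Writes the baseline into the Default Domain Policy; needs Domain Admins.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName @Baseline
}
Get-LockoutStorms | Format-Table -AutoSize
```

The lockout-storm check is the operational answer to the trade-off the explanation raises: keep lockout enabled to frustrate password guessing, and treat a cluster of 4740 events from one caller as an incident rather than as a helpdesk queue.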

7.  

C. The office manager should be able to create, delete, and manage customer accounts, which is necessary to run the office and provide the service set forth by the company to its customers.

Answer A is incorrect because the office manager has no business modifying group memberships; as part of the branch office setup you should also set up the appropriate groups, and those groups should only be modified by you. Group creation is also not a task that would stop or even delay customers gaining access to their data, especially after the initial setup. Answer B is not relevant to the manager's job function; he or she does not need to manage GP links to get customers an account to view their pictures. Answer D is incorrect because an office manager does not need to create groups. It does not affect their ability to service their customers, and as such any such changes should come from the central IT department.

8.  

B. Answer B is correct and adheres to best practices; an administrative account should be placed inside a group and then given permission on the appropriate OU.

Answer A is technically correct but does not adhere to best practices because the administration of user accounts on an individual basis becomes a nightmare, especially if you have to set permissions on resources and so on. It becomes more complicated if the IT administrator leaves and a new one is hired, since you would need to redo security on all the resources, whereas if you had created a group, added the user to the group, and then set security on the group, you would only need to add the new user to the appropriate group. Answer C is incorrect because it is granting excessive rights to the IT administrators of every distribution center. Answer D is incorrect because it does not adhere to the best practices suggested by Microsoft for delegation of authority using group objects.
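Questions 3, 7 and 8 all come down to delegating a narrow task, on one OU, to a group. Whether a delegation actually stayed that narrow is something the Delegation of Control wizard never shows you afterwards, so it has to be read back from the OU's ACL. The following PowerShell script is an added example, not code from the book: it lists the explicit (non-inherited) access entries on an OU, decodes which object class each entry is scoped to, and flags principals that hold rights over the OU itself rather than over the accounts in it. It assumes the ActiveDirectory module, whose AD: drive lets Get-Acl read directory objects; the OU path and the domain and group names are constructed for the example.

```powershell
# Added example, not from the book: review what has been delegated on an OU
# (questions 3, 7 and 8) by reading its explicit ACEs, so that a helpdesk or
# office-manager group holds only the task it was delegated and nothing that
# would let it take over the OU. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# schemaIDGUIDs of the object classes the delegations in this chapter touch;
# the null GUID on an ACE means it applies to all object classes.
$ObjectTypeNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $acl = Get-Acl -Path ('AD:\' + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }    # only what was set on this OU
        $guid = $ace.ObjectType.ToString()
        $appliesTo = $guid
        if ($ObjectTypeNames.ContainsKey($guid)) { $appliesTo = $ObjectTypeNames[$guid] }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType.ToString()
            Rights    = $ace.ActiveDirectoryRights.ToString()   # e.g. "CreateChild, DeleteChild"
            AppliesTo = $appliesTo
            Inherits  = $ace.InheritanceType.ToString()
        }
    }
}

function Find-OverbroadDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [string[]]$ExpectedPrincipals = @()
    )
    # Rights that hand the delegate the OU itself rather than the accounts in
    # it. None of the tasks in questions 3, 7 or 8 require them.
    $takeover = 'GenericAll', 'WriteDacl', 'WriteOwner'
    Get-OuDelegation -OuDistinguishedName $OuDistinguishedName | Where-Object {
        $_.Type -eq 'Allow' -and
        $ExpectedPrincipals -notcontains $_.Principal -and
        (($_.Rights -split ',\s*') | Where-Object { $takeover -contains $_ })
    }
}

# Constructed names for this example. Domain Admins and SYSTEM legitimately
# hold full control on every OU, so they are excluded from the findings.
$ou = 'OU=European Malls,DC=groundup,DC=example'
Get-OuDelegation -OuDistinguishedName $ou | Format-Table -AutoSize
Find-OverbroadDelegation -OuDistinguishedName $ou `
    -ExpectedPrincipals 'GROUNDUP\Domain Admins', 'NT AUTHORITY\SYSTEM' |
    Format-Table -AutoSize
```

A correctly scoped helpdesk delegation from question 3 shows up in the first listing as CreateChild/DeleteChild scoped to user and group objects on the OU, plus property writes on those classes, and never appears in the second. Because the entries are keyed by group (answer B of question 8), replacing a departed technician is a change to group membership and leaves this ACL untouched.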




MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298
ISBN: 1932266550
Year: 2003
Pages: 122