Market Florist, an Internet–based company, plans to design a way to apply consistent security settings to all Windows 2000–based computers on its network. A recent attack on its Web site revealed that some of the servers in the Web farm weren't properly secured; the attacker used the vulnerable servers to falsify flower orders.
Market Florist has three domains within their Active Directory directory service structure, shown in Figure 8.1: marketflorist.tld, ca.marketflorist.tld, and mx.marketflorist.tld. Computers in the Seattle and San Francisco locations have their computer accounts stored in the marketflorist.tld domain, the computers in the Winnipeg office are in the ca.marketflorist.tld domain, and the computers in the Monterrey office are in the mx.marketflorist.tld domain.
Figure 8.1 The Market Florist domain structure
Market Florist is moving toward a pure Windows 2000 network. The progress of the migration is as follows:
Market Florist has identified the following roles that Windows 2000–based computers will play on the network, shown in Table 8.1.
Table 8.1 Windows 2000–based Computer Roles for Market Florist
|Computer Type|Numbers and Locations|
|---|---|
|Domain controllers (DCs)|Three DCs for the marketflorist.tld domain in Seattle.|
||Two DCs for the marketflorist.tld domain in San Francisco.|
||Three DCs for the ca.marketflorist.tld domain in Winnipeg.|
||Two DCs for the mx.marketflorist.tld domain in Monterrey.|
|File and print servers|Four file and print servers in the Seattle office, configured as members of the marketflorist.tld domain.|
||Two file and print servers in the San Francisco office, configured as members of the marketflorist.tld domain.|
||Two file and print servers in the Winnipeg office, configured as members of the ca.marketflorist.tld domain.|
||One file and print server in the Monterrey office.|
|SQL servers|Three SQL servers in the Seattle office. Two are used for internal database applications; the third is the database for the Internet Web site.|
|External Web servers|The ww.marketflorist.tld Web site is hosted by four Web servers configured as a Windows 2000 Network Load Balancing Service (NLBS) cluster to provide high availability. These Web servers are members of a workgroup.|
|Client computers running Windows 2000 Professional (new installations)|700 client computers in the Seattle office, configured as members of the marketflorist.tld domain.|
||100 client computers in the San Francisco office, configured as members of the marketflorist.tld domain.|
||300 client computers in the Winnipeg office, configured as members of the ca.marketflorist.tld domain.|
||100 client computers in the Monterrey office, configured as members of the mx.marketflorist.tld domain.|
|Client computers running Windows 2000 Professional (upgraded from Microsoft Windows 95)|200 client computers in the San Francisco office, configured as members of the marketflorist.tld domain.|
||300 client computers in the Monterrey office, configured as members of the mx.marketflorist.tld domain.|
|Client computers running Windows 2000 Professional (upgraded from Windows NT 4.0)|300 client computers in the San Francisco office, configured as members of the marketflorist.tld domain.|
||200 client computers in the Winnipeg office, configured as members of the ca.marketflorist.tld domain.|
|Laptop computers running Windows 2000 Professional (new installations)|300 laptop computers in each of the three domains, used by the remote sales force.|
Market Florist wants to ensure the highest level of security on the internal network. Once the upgrades to Windows 2000 are completed on the client computers, Market Florist wants to prevent down-level client computers (computers running earlier versions of Windows) from accessing resources on the network.
For the external Web site, Market Florist wants to ensure that only necessary services are running on the Web servers in the NLBS cluster. Market Florist wants to use security templates to disable unnecessary services on the Web servers.
Market Florist has developed an application that allows customers to create and then reference user accounts when purchasing flowers over the Internet. To access the software, the customer must complete a form on the ww.marketflorist.tld Web site and provide credit card information. Once the form is completed and the customer information is verified, the customer is able to download the Flower Power application. The application, an ActiveX Control launched within the Web page, allows customers to order flowers quickly without providing credentials other than their customer numbers.
The Flower Power back-end application is installed on the external Web servers. The application requires additional NT file system (NTFS) permissions to be defined for the Flower Power folder structure, and additional registry permissions to be defined for the registry entries created by the Flower Power application (registry keys carry their own access control lists, separate from NTFS permissions on the file system).
Additionally, the Flower Power application provides the ability to change the port that the application listens on for connections. Periodically, Market Florist will want to change the port that the Flower Power application listens on for connections. The change will only be made in conjunction with an update to the ActiveX control. Once clients have downloaded the updated ActiveX control, they will connect using the newly defined port.
The port definition is stored in the registry in the following location:
Within the Parameters key, the value Port will be used to define the listening port for the Flower Power application. The Port value is a REG_DWORD value type.
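The requirements above (disable unneeded services on the NLBS Web servers, set NTFS and registry permissions for Flower Power, and define the Port value) can all be expressed in a single security template and applied with secedit, which matters here because the Web servers are workgroup members and no Group Policy reaches them. The following PowerShell script is an added example, not code from the case study or from Microsoft: it writes a role template for an external Web server, analyzes the machine against it first, applies it, and then checks the result independently. The secedit switches and the template section names are the ones Windows 2000 shipped. The Flower Power service name (`FlowerPower`), its folder (`%SystemDrive%\FlowerPower`), its Parameters key path and the port number 8443 are assumptions, since the page does not state them; substitute the real values.

```powershell
# Added example: build and apply one "external Web server" security template
# for the NLBS cluster members. Run on each node (they are workgroup members).
# ASSUMPTIONS (not from the case study): the Flower Power service name, install
# folder and registry key path below are placeholders; replace with real values.

$TemplateDir = 'C:\Templates'
$Template    = Join-Path $TemplateDir 'webserver.inf'
$Database    = Join-Path $TemplateDir 'webserver.sdb'
$Log         = Join-Path $TemplateDir 'webserver.log'
New-Item -ItemType Directory -Path $TemplateDir -Force | Out-Null

# Standard service security descriptor: SYSTEM and Administrators full control,
# Interactive users may only query/read. Reused for every service entry below.
$SvcSD = 'D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)'

# Start types in [Service General Setting]: 2 = Automatic, 3 = Manual, 4 = Disabled.
# Only IIS and the (assumed) Flower Power service stay on; the rest are not
# needed on a public Web server and each is a listening surface an attacker can use.
$Services = @(
    @{ Name = 'W3SVC';          Start = 2 }   # IIS World Wide Web Publishing
    @{ Name = 'FlowerPower';    Start = 2 }   # ASSUMED service name for the back end
    @{ Name = 'Messenger';      Start = 4 }
    @{ Name = 'Alerter';        Start = 4 }
    @{ Name = 'Browser';        Start = 4 }   # Computer Browser
    @{ Name = 'Spooler';        Start = 4 }
    @{ Name = 'RemoteRegistry'; Start = 4 }
    @{ Name = 'TlntSvr';        Start = 4 }   # Telnet
)
$ServiceNames = $Services | ForEach-Object { $_.Name }
$ServiceLines = ($Services | ForEach-Object {
    "`"$($_.Name)`",$($_.Start),`"$SvcSD`""
}) -join "`r`n"

# ASSUMED locations for the Flower Power folder and its Parameters key.
$FpFolder = '%SystemDrive%\FlowerPower'
$FpKey    = 'MACHINE\SOFTWARE\MarketFlorist\FlowerPower\Parameters'
$FpPort   = 8443   # new listening port; change only together with the ActiveX control update

# Inheritance flag after each path: 0 = propagate inheritable permissions to subobjects.
# File ACL: SYSTEM/Administrators full, Users read and execute (0x1200a9).
# Registry ACL: SYSTEM/Administrators full (KA), Users read (KR).
# [Registry Values] type 4 = REG_DWORD, as the Port value requires.
$Inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Service General Setting]
$ServiceLines
[File Security]
"$FpFolder",0,"D:PAR(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
[Registry Keys]
"$FpKey",0,"D:PAR(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
[Registry Values]
$FpKey\Port=4,$FpPort
"@
Set-Content -Path $Template -Value $Inf -Encoding Unicode

# 1. Analyze before changing anything: the farm is known to be inconsistent,
#    so read the mismatches for this node first.
secedit /analyze /db $Database /cfg $Template /log $Log /quiet
Get-Content $Log | Select-String -Pattern 'Mismatch|Not Configured|Error'

# 2. Apply only the areas the template defines. /overwrite empties the
#    database first so stale settings from an earlier import cannot leak in.
secedit /configure /db $Database /cfg $Template /log $Log /overwrite `
    /areas SERVICES FILESTORE REGKEYS SECURITYPOLICY /quiet

# 3. Verify independently of secedit: start modes of the listed services and
#    the Port value the template was supposed to write.
Get-WmiObject Win32_Service |
    Where-Object { $ServiceNames -contains $_.Name } |
    Select-Object Name, StartMode, State

$HklmKey = $FpKey -replace '^MACHINE\\', 'HKLM:\'
(Get-ItemProperty -Path $HklmKey -Name Port).Port
```

Run the same script on every node of the NLBS cluster and keep the template file under change control; the analyze step then doubles as a periodic drift check (the inconsistency the attack exposed). The Flower Power service must be restarted after the Port value changes, and the change should be scheduled together with the ActiveX control update, since clients still running the old control will connect to the old port.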
Although computers with different roles on the network require different security settings, the Market Florist IT department wants all computers with similar roles to have the same security configurations. They don't want inconsistent security configurations like those discovered on the external Web site.