Case Study Questions




1. You need to design a security solution for the application servers in your organization. The solution must meet the business requirements. Which of the following tasks should you complete in order to create a custom server baseline?

  A. Use the Microsoft Baseline Security Analyzer (MBSA) to generate the custom template and apply it to the servers.

  B. Use the Security Configuration And Analysis MMC snap-in to customize the High Security template.

  C. Use the Security Templates MMC snap-in to customize the High Security template.

  D. Use Notepad to modify the DNSSEC template.


2. You need to design a method to standardize and deploy a baseline security configuration for your Microsoft SQL Server machines. Your solution must meet business requirements. What should you do?

  A. Create a script that installs the hisecdc.inf security template.

  B. Use a Group Policy object (GPO) to distribute and apply the hisec.inf security template.

  C. Use the System Policy Editor to configure each server’s security settings.

  D. Use a Group Policy object (GPO) to distribute and apply a custom security template.


3. You need to design the configuration of DNS to meet business requirements. What should you do? (Choose all that apply.)

  A. Disable recursion for the DNS service.

  B. Configure the DNS server to prevent cache pollution.

  C. Configure dynamic DNS to allow only secure updates for the internal DNS servers and disable updates for the Internet DNS servers.

  D. Restrict zone transfers on all DNS servers to specific internal DNS IP addresses.

  E. Configure DNSSEC on all DNS servers.


4. You need to use a template to secure Server3 using the Security Configuration And Analysis snap-in. Which template would you use?

  A. securews.inf

  B. securedc.inf

  C. hisecdc.inf

  D. hisecws.inf


5. Match each predefined template to the server it should be applied to. You might not need to use all templates.

Servers: Server1, Server3, Server2, Server4, SrvWeb01, Server51, Server6b, Server83, Server54, Server76, Server6b

Templates: setup security.inf, compatws.inf, DC security.inf, securedc.inf, securews.inf, hisecdc.inf, hisecws.inf, rootsec.inf


Answers

1. C. The Security Templates MMC snap-in is the tool that you will use to customize or create security templates. The Microsoft Baseline Security Analyzer (MBSA)—covered in Chapter 9, “Designing an Infrastructure for Updating Computers”—is used to detect which, if any, insecure settings are configured or security patches have not been applied. The Security Configuration And Analysis MMC snap-in is used to compare the current settings with those defined in a template. There is no predefined template named DNSSEC; DNSSEC is a security standard that is not fully supported by the Windows Server 2003 DNS service.

2. D. A custom security template needs to be created and deployed using Group Policy as stated in option D. The hisecdc.inf security template is not sufficient for the Microsoft SQL Server machines because it is a predefined template and will not have settings defining SQL Server–specific configurations. There is no predefined template named hisec.inf. There is a hisecdc.inf and a hisecws.inf template for servers and workstations, respectively. Therefore, option B is incorrect. Using the System Policy Editor on each server would not minimize administrative overhead, so it would not meet the business requirements.

3. B, C, D. The business requirements specify that only authorized users should be able to update the local DNS servers. Therefore, you must enable secure dynamic updates. To secure zone transfers from being used against your organization, you should allow them to be sent to predefined DNS servers by address only. The business requirements state that the DNS cache should be as secure as possible, which includes trying to prevent the poisoning or pollution of the DNS cache; therefore, answer B is correct. Disabling recursion for the DNS service will not meet the specified business requirements. Windows Server 2003 does not fully support the DNSSEC standard.

4. D. The hisecws.inf has the highest level of security in a predefined template that could be applied to a file server. The securews.inf file is not as secure as the hisecws.inf file; therefore option A is incorrect because it is not the best answer. The securedc.inf and the hisecdc.inf are to be applied to domain controllers, not file servers, so options B and C are incorrect.

5.

  Server1: hisecws.inf
  Server3: hisecdc.inf
  Server2: hisecws.inf
  Server4: hisecws.inf
  SrvWeb01: securews.inf
  Server51: hisecws.inf
  Server6b: hisecws.inf
  Server83: securedc.inf
  Server54: hisecdc.inf
  Server76: hisecws.inf
  Server6b: hisecdc.inf

The business requirements state that all security changes to web servers should have a minimal effect on them. Therefore, all web servers (SrvWeb01 and Server83) are not able to use the hisecws.inf or hisecdc.inf templates. Server83 is a web server and a domain controller. Therefore, the only template that meets the requirements is the securedc.inf, not the hisecdc.inf.

The CIO stated that security takes a higher priority than functionality, with the exception of the web servers. Therefore, all other servers should be using the securews.inf or securedc.inf templates. Server3 and Server54 are domain controllers and thus the hisecdc.inf template should be applied. All other servers should have the hisecws.inf template applied.






MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
ISBN: 0782143296
Year: 2004
Pages: 168
