###BeginCaseStudy###
Case Study: 1
Humongous Insurance
Scenario:
COMPANY OVERVIEW
Humongous Insurance has a main office and 20 branch offices. The main office is located in
New York. The branch offices are located throughout North America. The main office has
8,000 users. Each branch office has 2 to 250 users.
PLANNED CHANGES
Humongous Insurance plans to implement Windows BitLocker Drive Encryption (BitLocker)
on all servers.
EXISTING ENVIRONMENT
The network contains servers that run either Windows Server 2003, Windows Server 2008, or
Windows Server 2008 R2. All client computers run either Windows 7 Enterprise or Windows
Vista Enterprise.
Business Goals
Humongous Insurance wants to minimize costs whenever possible.
Existing Active Directory/Directory Services
The network contains a single Active Directory forest named humongousinsurance.com. The
forest contains two child domains named north.humongousinsurance.com and
south.humongousinsurance.com. The functional level of the forest is Windows Server 2008
R2.
Existing Network Infrastructure
Each child domain contains a Web server that has Internet Information Services (IIS)
installed. The forest root domain contains three Web servers that have IIS installed. The Web
servers in the forest root domain are configured in a Network Load Balancing (NLB) cluster.
Currently, all of the Web servers use a single domain user account as a service account.
Windows Server Update Services (WSUS) is used for company-wide patch management. The
WSUS servers do not store updates locally. The network contains Remote Desktop servers
that run Windows Server 2008 R2. Users in the sales department access a line-of-business
application by using Remote Desktop. Managers in the sales department use the application
to generate reports. Generating the reports is CPU intensive. The sales managers report that
when many users are connected to the servers, the reports take a long time to process.
Humongous Insurance has the following standard server builds:
• Class 1 – Dual x64 CPUs, 4-GB RAM, Windows Web Server 2008 R2
• Class 2 – Dual x64 CPUs, 4-GB RAM, Windows Server 2008 R2 Standard
• Class 3 – Quad x64 CPUs, 8-GB RAM, Windows Server 2008 R2 Standard
• Class 4 – Quad x64 CPUs, 8-GB RAM, Windows Server 2008 R2 Enterprise
Current Administration Model
Humongous Insurance currently uses the following technologies to manage the network:
• Microsoft Desktop Optimization Pack
• Microsoft Forefront EndPoint Protection
• Microsoft System Center Operations Manager
• Microsoft System Center Configuration Manager
TECHNICAL REQUIREMENTS
Humongous Insurance must meet the following technical requirements:
• A certificate must be required to recover BitLocker-protected drives.
• Newly implemented technologies must minimize the impact on LAN traffic.
• Newly implemented technologies must minimize the storage requirements.
• The management of disk volumes and shared folders must be performed remotely
whenever possible.
• Newly implemented technologies must minimize the amount of bandwidth used on
Internet connections.
• All patches and updates must be tested in a non-production environment before they
are applied to production servers.
• Multiple versions of a Group Policy object (GPO) must be maintained in a central
archive to facilitate a rol required.
• The management of passwords and service principal names (SPNs) for all service accounts
must be automated whenever possible.
###EndCaseStudy###
You need to recommend a BitLocker recovery method that meets the company’s technical
requirements. Which recovery method should you recommend?
A. a data recovery agent
B. a recovery key
C. a recovery password printed and stored in a secure location
D. a recovery password stored in Active Directory
Explanation:
http://technet.microsoft.com/en-us/library/dd875560%28WS.10%29.aspx
Data recovery agents are accounts that are able to decrypt BitLocker-protected drives by using their
smart card certificates and public keys. Recovery of a BitLocker-protected drive can be accomplished
by a data recovery agent that has been configured with the proper certificate. Before a data
recovery agent can be configured for a drive, you must add the data recovery agent to Public Key
Policies\BitLocker Drive Encryption in either the Group Policy Management Console (GPMC) or the
Local Group Policy Editor. You must also enable and configure the "Provide the unique identifiers for
your organization" policy setting to associate a unique identifier with a new drive that is enabled with
BitLocker. An identification field is a string that is used to uniquely identify a business unit or
organization. Identification fields are required for management of data recovery agents on
BitLocker-protected drives. BitLocker will only manage and update data recovery agents when an
identification field is present on a drive and is identical to the value configured on the computer.
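
The two conditions described above (a certificate-based data recovery agent protector on the volume, and a drive identification field identical to the policy value) can be audited per server. The following PowerShell check is an added example, not part of the original explanation or Microsoft's documentation. It assumes English-locale manage-bde output and the FVE policy registry location shown in the comments; the function name Test-DraReadiness and the identifier HUMONGOUS-SRV are constructed for illustration.

```powershell
# Added example. Assumes English-locale manage-bde output and that the
# identifier policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE.
function Test-DraReadiness {
    param(
        [string]$Drive = 'C:',
        [string[]]$StatusText,     # lines from: manage-bde -status <drive>
        [string[]]$ProtectorText,  # lines from: manage-bde -protectors -get <drive>
        [string]$PolicyId          # organization identifier set by Group Policy
    )
    # Fall back to the live system when no text is supplied.
    if (-not $StatusText)    { $StatusText    = manage-bde -status $Drive }
    if (-not $ProtectorText) { $ProtectorText = manage-bde -protectors -get $Drive }
    if (-not $PolicyId) {
        $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
        if ($fve -and $fve.IdentificationField -eq 1) { $PolicyId = $fve.IdentificationFieldString }
    }

    # Identification field stamped on the drive ("None"/"Unknown" means not set).
    $driveId = $null
    foreach ($line in $StatusText) {
        if ($line -match '^\s*Identification Field:\s*(.*\S)\s*$') { $driveId = $Matches[1] }
    }
    if ($driveId -eq 'None' -or $driveId -eq 'Unknown') { $driveId = $null }

    # A certificate-based DRA protector must already be on the volume.
    $hasDra  = [bool]($ProtectorText -match 'Data Recovery Agent')
    # Strict (case-sensitive) comparison of drive and policy identifiers.
    $idMatch = [bool]($PolicyId -and $driveId -and ($driveId -ceq $PolicyId))

    New-Object PSObject -Property @{
        Drive             = $Drive
        PolicyIdentifier  = $PolicyId
        DriveIdentifier   = $driveId
        IdentifierMatches = $idMatch
        HasDraProtector   = $hasDra
        DraRecoverable    = ($idMatch -and $hasDra)
    }
}

# Constructed sample output (not captured from a real server), so this runs offline.
$status = @('Volume D: [Data]', '    Protection Status:    Protection On',
            '    Identification Field: HUMONGOUS-SRV')
$good   = @('    Numerical Password:', '    Data Recovery Agent (Certificate Based):',
            '      Certificate Thumbprint:', '        <constructed-thumbprint>')
$noDra  = @('    Numerical Password:', '      ID: {constructed-id}')

Test-DraReadiness -Drive 'D:' -StatusText $status -ProtectorText $good  -PolicyId 'HUMONGOUS-SRV'
Test-DraReadiness -Drive 'D:' -StatusText $status -ProtectorText $noDra -PolicyId 'HUMONGOUS-SRV'
Test-DraReadiness -Drive 'D:' -StatusText $status -ProtectorText $good  -PolicyId 'OTHER-UNIT'
```

Only the first call reports DraRecoverable as True. When IdentifierMatches is False on a drive that should be managed, manage-bde -SetIdentifier <drive> stamps the drive with the identifier from policy.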