###BeginCaseStudy###
Case Study: 13
Blue Yonder Airlines
Scenario
COMPANY OVERVIEW
Blue Yonder Airlines has a main office and four branch offices. Each branch office has six
satellite offices. The main office is located in Sydney. The branch offices are located in
London, New York, Bangkok, and Istanbul. The main office has 1,000 users. Each branch
office has 500 users. Each satellite office has 50 to 100 users.
PLANNED CHANGES
Each satellite office will have a single server deployed. The servers will have the following
server roles installed:
• File server
• Print server
• Read-only Domain Controller (RODC)
Each satellite office will have a local support technician who performs the following tasks:
• Manages printers.
• Manages server backups.
• Manages updates on the server.
Each support technician will only be permitted to manage the server located in his office.
You plan to implement a backup and recovery solution to restore deleted Active Directory
objects. The solution must ensure that the attributes of the deleted objects are restored to the
same state they were in before they were deleted. You plan to deploy a custom sales
Application named App2 to the portable computers of all company sales consultants. The
setup program of App2 requires local administrative privileges. App2 will be updated
monthly.
BUSINESS GOALS
Blue Yonder Airlines has the following business goals:
• Minimize server downtime.
• Minimize administrative effort.
Minimize interruptions to users caused by WAN link failures.
EXISTING ENVIRONMENT
The network contains servers that run either Windows Server 2008 R2 or Windows Server
2008. All client computers were recently replaced with new computers that run Windows 7
Enterprise.
Users do not have local administrator rights on the client computers.
Existing Active Directory/Directory Services
The network contains a single Active Directory domain named blueyonderairlines.com. The
functional level of the domain is Windows Server 2008. All domain controllers run Windows
Server 2008.
Existing Network Infrastructure
All offices have wired and wireless networks.
The main office has a file server that stores large graphics files. The files are used by all of
the users in all of the offices.
A Group Policy is used to assign an Application named App1 to all of the users in the
domain.
The branch offices contain public computers on which temporary employees can browse the
Internet and view electronic brochures. When the employees log on to the public computers,
they must all receive the same user settings. App1 must not be installed on the public
computers. The computer accounts for all of the public computers are in an organizational
unit (OU) name Public.
REQUIREMENTS
Security Requirements
All computers in the domain must have a domain-level security Group Policy object (GPO)
App1ied.
You plan to implement Network Access Protection (NAP) by using switches and wireless
access points (WAPs) as NAP enforcement points.
The public computers must meet the following security requirements:
• Only authorized Applications must be run.
• Automatic updates must be enabled and App1ied automatically.
Users must be denied access to the local hard disk drives and the network shares from the
public computers.
Technical Requirements
The file server in each branch office is configured as shown in the following table.
Each user is allocated 1 GB of storage on the Users share in their local office. Each user must
be prevented from storing files larger than 500 MB on the Data share in their local office.
Blue Yonder Airlines must meet the following requirements for managing App2:
• Sales consultants must use the latest version of the Application.
• When a new version of App2 is installed, the previous version must be uninstalled. Sales
consultants must be able to run App2 when they are disconnected from the network.
###EndCaseStudy###
You need to recommend a NAP enforcement method that meets the company’s security
requirements. Which method should you recommend?
A.
802.1X
B.
DHCP
C.
IPSec
D.
VPN
Explanation:
Offices are both wired and wireless
Network Access Protection
You deploy Network Access Protection on your network as a method of ensuring that computers
accessing important resources meet certain client health benchmarks. These benchmarks include
(but are not limited to) having the most recent updates applied, having antivirus and anti-spyware
software up to date, and having important security technologies such as Windows Firewall
configured and functional. In this lesson, you will learn how to plan and deploy an appropriate
network access protection infrastructure and enforcement method for your organization.
802.1X NAP Enforcement
802.1X enforcement makes use of authenticating Ethernet switches or IEEE 802.11 Wireless Access
Points.
These compliant switches and access points only grant unlimited network access to computers that
meet the compliance requirement. Computers that do not meet the compliance requirement are
limited in their communication by a restricted access profile. Restricted access profiles work by
applying IP packet filters or VLAN (Virtual Local Area Network) identifiers. This means that hosts that
have the restricted access profile are allowed only limited network communication. This limited
network communication generally allows access to remediation servers. You will learn more about
remediation servers later in this lesson.
An advantage of 802.1X enforcement is that the health status of clients is constantly assessed.
Connected clients that become noncompliant will automatically be placed under the restricted
access profile. Clients under the restricted access profile that become compliant will have that
profile removed and will be able to communicate with other hosts on the network in an unrestricted
manner. For example, suppose that a new antivirus update comes out. Clients that have not installed
the update are put under a restricted access profile until the new update is installed. Once the new
update is installed, the clients are returned to full network access.
A Windows Server 2008 computer with the Network Policy Server role is necessary to support
802.1X NAP enforcement. It is also necessary to have switch and/or wireless access point hardware
that is 801.1xcompliant.
Client computers must be running Windows Vista, Windows Server 2008, or Windows XP Service
Pack 3 because these operating systems include the EAPHost EC.MORE INFO 802.1X enforcement step-by-step
For more detailed information on implementing 802.1X NAP enforcement, consult the following
Step-by-Step guide on TechNet: http ://go.microsoft.com/fwlink/?LinkId=86036.