You need to ensure that the computer can comply with the existing AppLockdown GPO settings

###BeginCaseStudy###
Case Study: 12
Tailspin Toys
Scenario:
Background
You are the desktop support technician for Tailspin Toys. Tailspin Toys manufacturers and
distributes children’s toys. The network environment includes a server infrastructure running
on Windows Server 2003 Service Pack (SP) 2 and Windows Server 2008 R2, Active
Directory with the forest and domain levels set at Windows Server 2003, and Active
Directory Certificate Services (AD CS) running on Windows Server 2008 R2. The company
has a Microsoft Enterprise Agreement (EA) with Software Assurance (SA). The company
sites, network connectivity, and site technologies are shown in the following table.

The company’s domain controller layout and details are shown in the following table.

The company’s client computer configuration details are shown in the following table.

The company uses Microsoft SharePoint 2010 as the company intranet and as a document
repository for company-related Microsoft Office documents. The URL for the intranet is
intranet.tailspintoys.com. There is a Group Policy object (GPO) that applies to all client
computers that allows employees who are connected to the corporate network to go to the
intranet site without having to enter authentication information.
All users are using Microsoft Internet Explorer 8. All users have enabled the Internet
Explorer SmartScreen Filter and the Internet Explorer phishing filter. All of the desktop
support technicians are members of a security group named Desktop Admins. The Desktop
Admins group is a member of the local Administrators group on all client computers. The

desktop support technicians use the Microsoft Diagnostics and Recovery Toolset to perform
various troubleshooting and repairs.
All Windows 7 client computers have a directory named tailspintoys\scripts in the root of the
operating system drive. The directory contains four unique .vbs files named scriptl.vbs,
script2.vbs, script3.vbs, and script4.vbs.
Software Environment
• An existing GPO named AppLockdown applies to Windows 7 machines and uses
AppLocker to ensure that:
No .bat files are allowed to be run by users and rules are enforced
• An existing GPO named RestrictApps applies to Windows XP client computers and
uses a Software Restriction Policy to ensure that:
No .bat files are allowed to be run by users and rules are enforced
Data Protection Environment
• Some users at the Manufacturing site use EFS to encrypt data.
• A user account named EFSAdmin has been designated as the Data Recovery Agent
(DRA).
• The DRA certificate and private key are stored on a portable USB hard drive.
As part of the yearly security compliance audits, a vendor is due to arrive at Tailspin Toys in
a month to perform the yearly audit. To prepare for the audit, management has asked you to
participate in an internal review of the company’s existing security configurations related to
network security and data security. The management team has issued the following
requirements:
New software requirements
• All installation programs must be digitally signed.
• Minimum permissions must be granted for installation of programs.
Internet Explorer requirements
• Users must not be able to bypass certificate warnings.
• Users must not be able to add Internet Explorer add-ons unless the add-ons are
approved by IT.
Data protection requirements
• All portable storage devices must use a data encryption technology. The solution must
meet the following requirements:
Allow all users a minimum of read access to the encrypted data while working from their
company client computers.
Encrypt entire contents of portable storage devices.
Minimize administrative overhead for users as files and folders are added to the portable
storage devices.
• Recovery information for client computer hard drives must be centrally stored and
protected with data encryption.
###EndCaseStudy###

A personal laptop named LAPTOP02 is used as a client computer at the Headquarters site. LAPTOP02
runs the 64-bit version of Windows 7 Professional. You ascertain that the AppLockdown GPO was
successfully applied to the computer. However, you notice that the user is still able to run .bat files.
You need to ensure that the computer can comply with the existing AppLockdown GPO settings.
What should you do?

###BeginCaseStudy###
Case Study: 12
Tailspin Toys
Scenario:
Background
You are the desktop support technician for Tailspin Toys. Tailspin Toys manufacturers and
distributes children’s toys. The network environment includes a server infrastructure running
on Windows Server 2003 Service Pack (SP) 2 and Windows Server 2008 R2, Active
Directory with the forest and domain levels set at Windows Server 2003, and Active
Directory Certificate Services (AD CS) running on Windows Server 2008 R2. The company
has a Microsoft Enterprise Agreement (EA) with Software Assurance (SA). The company
sites, network connectivity, and site technologies are shown in the following table.

The company’s domain controller layout and details are shown in the following table.

The company’s client computer configuration details are shown in the following table.

The company uses Microsoft SharePoint 2010 as the company intranet and as a document
repository for company-related Microsoft Office documents. The URL for the intranet is
intranet.tailspintoys.com. There is a Group Policy object (GPO) that applies to all client
computers that allows employees who are connected to the corporate network to go to the
intranet site without having to enter authentication information.
All users are using Microsoft Internet Explorer 8. All users have enabled the Internet
Explorer SmartScreen Filter and the Internet Explorer phishing filter. All of the desktop
support technicians are members of a security group named Desktop Admins. The Desktop
Admins group is a member of the local Administrators group on all client computers. The

desktop support technicians use the Microsoft Diagnostics and Recovery Toolset to perform
various troubleshooting and repairs.
All Windows 7 client computers have a directory named tailspintoys\scripts in the root of the
operating system drive. The directory contains four unique .vbs files named scriptl.vbs,
script2.vbs, script3.vbs, and script4.vbs.
Software Environment
• An existing GPO named AppLockdown applies to Windows 7 machines and uses
AppLocker to ensure that:
No .bat files are allowed to be run by users and rules are enforced
• An existing GPO named RestrictApps applies to Windows XP client computers and
uses a Software Restriction Policy to ensure that:
No .bat files are allowed to be run by users and rules are enforced
Data Protection Environment
• Some users at the Manufacturing site use EFS to encrypt data.
• A user account named EFSAdmin has been designated as the Data Recovery Agent
(DRA).
• The DRA certificate and private key are stored on a portable USB hard drive.
As part of the yearly security compliance audits, a vendor is due to arrive at Tailspin Toys in
a month to perform the yearly audit. To prepare for the audit, management has asked you to
participate in an internal review of the company’s existing security configurations related to
network security and data security. The management team has issued the following
requirements:
New software requirements
• All installation programs must be digitally signed.
• Minimum permissions must be granted for installation of programs.
Internet Explorer requirements
• Users must not be able to bypass certificate warnings.
• Users must not be able to add Internet Explorer add-ons unless the add-ons are
approved by IT.
Data protection requirements
• All portable storage devices must use a data encryption technology. The solution must
meet the following requirements:
Allow all users a minimum of read access to the encrypted data while working from their
company client computers.
Encrypt entire contents of portable storage devices.
Minimize administrative overhead for users as files and folders are added to the portable
storage devices.
• Recovery information for client computer hard drives must be centrally stored and
protected with data encryption.
###EndCaseStudy###

A personal laptop named LAPTOP02 is used as a client computer at the Headquarters site. LAPTOP02
runs the 64-bit version of Windows 7 Professional. You ascertain that the AppLockdown GPO was
successfully applied to the computer. However, you notice that the user is still able to run .bat files.
You need to ensure that the computer can comply with the existing AppLockdown GPO settings.
What should you do?

A.
Perform a clean installation of the 64-bit version of Windows 7 Enterprise.

B.
Add LAPTOP02 to the security filtering on the AppLockdown GPO.

C.
Perform a clean installation of the 32-bit version of Windows 7 Professional.

D.
Run the gpupdate /force command.

Explanation:
Chapter 24 p 1143
AppLocker is available in all editions of Windows Server2008R2 and in Windows7 Ultimate and
Windows7 Enterprise. Windows7 Professional can be used to create AppLocker rules. However,
AppLocker rules cannot be enforced on computers running Windows7 Professional. Organizations
should use AppLocker for all computers that support it.
http://technet.microsoft.com/en-us/library/dd759117.aspx



Leave a Reply 0

Your email address will not be published. Required fields are marked *