###BeginCaseStudy###
Topic 6, Contoso Ltd, Case B
Background
OverviewContoso, Ltd., is a software development company. Contoso has a main office in London and two branch
offices, one in Madrid and the other in Dublin. The company is in the process of adopting Microsoft Azure to
host business critical resources and applications.
Contoso has an Active Directory Domain Services (AD DS) domain named contoso.com. All devices in the
three offices are members of the domain. Each office has a dedicated organizational unit (OU) in the root of
the domain named London. Madrid, and Dublin, respectively. Each office OU has three child OUs named
Computers, Users, and Groups.
The local Administrator account is disabled on all client devices in the domain by using a Group Policy object
(GPO) named SecurityConflguration that is linked to the root of the domain. Contoso’s security department
also has a GPO named WSUSConfiguration. WSUSConfiguration defines the configuration of Windows
Update Services on the Windows Server Update Services (WSUS) server named WSUS1.
You have a GPO named RemoteSales that uses a WMI filter. The GPO prevents users from launching
applications that are not approved.
DNS Services
Contoso uses a DNS service that is installed on two domain controllers in the main office. The domain
controllers are named DO and DC2. Both DO and DC2 run Windows Server 2008 R2. Both domain controllers
host Active Directory integrated zones named contoso.com and lab.contoso.com. The zones are configured
to allow only secure updates.
Research
Contoso creates a new research department to develop integration between Contoso’s software and public
cloud services.
Finance Department
Users in the finance department use a client-server application named App1. App1 uses custom Active
Directory attributes to store encryption keys. App1 is a business critical application that must be migrated to
Windows Azure.
A server named SERVER2 hosts Appl. SERVER2 runs Windows Server 2008 R2. The disk configuration for
SERVER2 is shown in the following table:
A server named SERVER1 hosts a database that is used by Appl. SERVER1 runs Windows Server 2008 R2 and
SQL Server 2008 R2. The disk configuration for SERVER1 is shown in the following table:
The Contoso management team plans to increase the use of Appl. To accommodate these plans, the size of
the datable must be increased
Sales Department
Users in the sales department use laptop computers when they travel. Salespeople use a legacy application
named ContosoSales on their laptop computers. Salespeople can use a pool of shared desktop computers in
each office.
The ContosoSales app is dependent on a specific registry key that is frequently overwritten by third-party
applications. This causes the ContosoSales app to stop working.
Business Requirements
All DNS servers must be placed in a physically secure location.
Software development department
All software developers must migrate their servers and workstations to the DNS domain lab.contoso.com to
ensure that frequent changes to DNS do not interfere with the production environment.
Finance department
All servers that host App1 must be migrated to Windows Azure. A new Azure virtual machine (VM) named
CL0UD2 must be deployed to Windows Azure.
Sales department
Users in the sales department should not be able to run applications on their laptop computers that are not
approved by the security department. Users in the sales department should have no such restrictions while
they work on the desktop computers in the office.
Technical Requirements
App1 requirements
You have the following requirements: The size of the database for App1 must be increased to 8 TB.
The encryption keys for App1 should not be replicated to the offices where physical
server security is not guaranteed.
The amount of disk space that is used by Windows Azure must be minimized.
Infrastructure requirements
You have the following requirements:
The lab.contoso.com DNS domain zone must not be replicated or transferred to DNS
servers outside of the London office.
A new DNS domain zone named research.contoso.com must be deployed for users in
the research department.
The research.contoso.com DNS domain zone must be protected by using DNS
Security Extensions {DNSSEC).
All computers in the London and Madrid offices must install Windows Updates from
the server WSUS1.
A new domain controller for the contoso.com domain must be deployed in the
Madrid office.
Replication traffic must be minimized when the new domain controllers are
deployed.
New WMI filters must not conflict with existing WMI filters.
###EndCaseStudy###
You need To configure the Group Policy for salespeople.
Solution: You create a Group Policy Object (GPO) with an AppLocker policy. You link the GPO to the
Computers OU for each location.
Does this meet the goal?
A.
Yes
B.
No
First, I don’t understand how “You have a GPO named RemoteSales that uses a WMI filter. The GPO prevents users from launching applications that are not approved” is done.
Then, Any one can help me understand why AppLocker doesn’t work? Using WMI filers to separate laptops from desktops can do the job, right?
I think it is saying that the App Locker Policy was created. But remember back to your 410 training – you need the Application Identity service running as well. It wasn’t stated that this service was turned on. At least that is the reason I formed to understand it.
So the given answer is correct.
Are the laptops they use outside the office and the desktops they use in the office both located in the Computers OU? If so, the same policy would apply to both, which does not achieve the goal.