Does this meet the goal?

###BeginCaseStudy###
Topic 6, Contoso Ltd, Case B
Background
Overview
Contoso, Ltd., is a software development company. Contoso has a main office in London and two branch
offices, one in Madrid and the other in Dublin. The company is in the process of adopting Microsoft Azure to
host business critical resources and applications.
Contoso has an Active Directory Domain Services (AD DS) domain named contoso.com. All devices in the
three offices are members of the domain. Each office has a dedicated organizational unit (OU) in the root of
the domain named London, Madrid, and Dublin, respectively. Each office OU has three child OUs named
Computers, Users, and Groups.
The local Administrator account is disabled on all client devices in the domain by using a Group Policy object
(GPO) named SecurityConfiguration that is linked to the root of the domain. Contoso’s security department
also has a GPO named WSUSConfiguration. WSUSConfiguration defines the configuration of Windows
Update Services on the Windows Server Update Services (WSUS) server named WSUS1.
You have a GPO named RemoteSales that uses a WMI filter. The GPO prevents users from launching
applications that are not approved.
DNS Services
Contoso uses a DNS service that is installed on two domain controllers in the main office. The domain
controllers are named DO and DC2. Both DO and DC2 run Windows Server 2008 R2. Both domain controllers
host Active Directory integrated zones named contoso.com and lab.contoso.com. The zones are configured
to allow only secure updates.
Research
Contoso creates a new research department to develop integration between Contoso’s software and public
cloud services.
Finance Department
Users in the finance department use a client-server application named App1. App1 uses custom Active
Directory attributes to store encryption keys. App1 is a business critical application that must be migrated to
Windows Azure.
A server named SERVER2 hosts App1. SERVER2 runs Windows Server 2008 R2. The disk configuration for
SERVER2 is shown in the following table:

A server named SERVER1 hosts a database that is used by App1. SERVER1 runs Windows Server 2008 R2 and
SQL Server 2008 R2. The disk configuration for SERVER1 is shown in the following table:

The Contoso management team plans to increase the use of App1. To accommodate these plans, the size of
the database must be increased.
Sales Department
Users in the sales department use laptop computers when they travel. Salespeople use a legacy application
named ContosoSales on their laptop computers. Salespeople can use a pool of shared desktop computers in
each office.
The ContosoSales app is dependent on a specific registry key that is frequently overwritten by third-party
applications. This causes the ContosoSales app to stop working.
Business Requirements
All DNS servers must be placed in a physically secure location.
Software development department
All software developers must migrate their servers and workstations to the DNS domain lab.contoso.com to
ensure that frequent changes to DNS do not interfere with the production environment.
Finance department
All servers that host App1 must be migrated to Windows Azure. A new Azure virtual machine (VM) named
CL0UD2 must be deployed to Windows Azure.
Sales department
Users in the sales department should not be able to run applications on their laptop computers that are not
approved by the security department. Users in the sales department should have no such restrictions while
they work on the desktop computers in the office.
Technical Requirements
App1 requirements
You have the following requirements:
- The size of the database for App1 must be increased to 8 TB.
- The encryption keys for App1 should not be replicated to the offices where physical
  server security is not guaranteed.
- The amount of disk space that is used by Windows Azure must be minimized.
Infrastructure requirements
You have the following requirements:
- The lab.contoso.com DNS domain zone must not be replicated or transferred to DNS
  servers outside of the London office.
- A new DNS domain zone named research.contoso.com must be deployed for users in
  the research department.
- The research.contoso.com DNS domain zone must be protected by using DNS
  Security Extensions (DNSSEC).
- All computers in the London and Madrid offices must install Windows Updates from
  the server WSUS1.
- A new domain controller for the contoso.com domain must be deployed in the
  Madrid office.
- Replication traffic must be minimized when the new domain controllers are
  deployed.
- New WMI filters must not conflict with existing WMI filters.

###EndCaseStudy###

You need to configure the Group Policy for salespeople.
Solution: You move all shared desktops to a separate organizational unit (OU). You create one Group Policy
object (GPO) that has an AppLocker policy rule and enable loopback policy processing within the GPO. You
link the GPO to the new OU.
Does this meet the goal?

A. Yes
B. No





Rogue

Again, no mention of the Application Identity service being started.

Halloween

Disregarding Application Identity Service (as I believe that’s a bit of a stretch to factor that into the question), is there another reason this wouldn’t work?

I believe the answer should be yes.

Banes

I don’t see a reason to apply an AppLocker Policy to an OU that contains the desktops that shouldn’t have app restrictions.

Ashton

Users in the sales department should have no such restrictions while
they work on the desktop computers in the office.

The solution attempts to restrict apps from running on desktop computers,
so No, it doesn’t meet the goal.