Windows Client - Test 2

Lee Jensen, owner of a large manufacturing company on the West Coast, recently approved the purchase and installation of 50 Windows 8 Enterprise desktops for his organization. A month earlier, the company installed 25 Windows 8 Professional client computers. All the computers are part of the Windows 2012 Active Directory domain named jensenmfg.com. The company has a Line of Business app called jenMax it would like to make available to its internal employees via the Windows Store. He has asked you to research the process and requirements and report back. What are the potential issues/recommendations you should bring to his attention?

Distributing your LOB app via the Windows Store requires that you go through a certification process with Microsoft. Once your app is accepted, it will be made available via the Windows Store to the general public. LOB apps are usually designed for internal use only; therefore, making them available to the public is not the best approach. Instead, the solution is to use a process called sideloading. The Windows 8 Enterprise client computers are enabled for sideloading by joining them to the domain. The Windows 8 Professional client computers need to have the sideloading product activation key installed and activated for them to work correctly.

You have 50 Windows 8 Enterprise client computers on your network that are joined to the company’s Active Directory domain. You have several Group Policy objects linked to the domain including one GPO that has the “Turn off Automatic Download of updates" option set to Enabled. You open the Local Group Policy editor on one of the Windows 8 Enterprise client computers, navigate to the “Turn off Automatic Download of updates” option, and set it to Disabled. What would happen if you made this change?

The order of precedence determines which Group Policy settings are applied to a Windows 8 client computer that is a member of a domain. Because the Local Group Policy setting is applied first, policies at the Site, Domain, and Organizational Unit level will overwrite it if there is a conflict. In this scenario, the GPO linked to the domain has turned off automatic updates from the Windows Store; therefore, it will be applied after the local policy.

Updates are downloaded and installed automatically.

Sophie is planning on using AppLocker to control access to applications on a new network she has constructed for the Research and Development department at a major aerospace firm. The software developers in the department have recently deployed a new application called Virtual Wind Tunnel, which is based on government project research and is therefore classified. All of the full-time personnel have sufficient clearance to use the application, but the interns in the department do not. Sophie has placed the user accounts for everyone in the department into a security group called ResDev. The interns are also members of a group called RDint.

How can Sophie use AppLocker to provide everyone in the department with access to the Virtual Wind Tunnel application without changing the group memberships and without having to apply policies to individual users?

Sophie has to create two rules, an allow rule that grants the ResDev group access to the application, and a deny rule that applies only to the RDint group. Because deny rules take precedence over allow rules in AppLocker, the interns will not be able to access the application.

Several employees at the company you work for have recently been victims of identity theft. These incidents were the result of emails received by the victims requesting that they supply personal bank account information to a website or risk having their accounts closed. The website was, of course, not legitimate, and attackers used the information collected there to transfer funds from the victims’ accounts. The company has recently upgraded all company workstations to Windows 8, and you are examining the capabilities of the SmartScreen Filter in Internet Explorer 8. Your superiors have told you that you can use any of the new IE8 security features for the company workstations, as long as they do not consume any additional Internet bandwidth.

Explain to your supervisor the various methods IE8 uses to protect against phishing attacks, and specify which ones you intend to use for the company workstations.

The SmartScreen Filter in IE8 has three mechanisms for detecting phishing attempts. One is to analyze incoming web pages for patterns and phrases indicative of a phishing attempt. This mechanism uses no additional Internet bandwidth, so you can implement it on the company workstations. The other two mechanisms perform online lookups of phishing sites and down sites, using a database maintained by Microsoft. Because these mechanisms require Internet bandwidth, you cannot use them.

A web-based site is needed by all users on the company’s network in order to perform research on the company’s competitors. After installing Windows 8, calls start coming into the help desk indicating there are compatibility problems with the site. What are some techniques that can be tried to address the problem?

You can move the site to the Trusted zone in the users’ browser. Sites in the Trusted zone do not run in protected mode and receive elevated privileges. You could disable protected mode in IE (not recommended) or modify the application which is the most difficult and time-consuming option if the first option does not work.

You are a desktop technician in the IT department of a small corporation. Today is the day of the company picnic and, as the junior member of the department, you have been left in charge of the entire corporate network while everyone else is out of the office. Shortly after 2:00 PM, an email arrives from the company’s biggest customer, complaining that they can’t access the web server they use to place their orders. After checking the web server logs, it seems clear that the server is undergoing a denial-of-service attack, because there are suddenly hundreds of Internet computers repeatedly trying to access it. What temporary modifications could you make to Windows Firewall on the Windows 8 computer that stands between the web server and the Internet that would allow customers to access the web server while blocking the attackers?

You could require IPsec authentication for all incoming communications to TCP port 80, the well-known port for web server communications. Customers would then be able to authenticate and access the server, while the random, unauthenticated DoS connection attempts are blocked.

Ed is a desktop technician at a large law firm. Ed’s firm is a slow adopter of new technologies, and the organization has, to date, not deployed a wireless network. After bringing up the benefits of wireless networks at a recent meeting with the IT staff, Ed was told that the company will not be deploying a wireless network for several years, if ever.

The lack of an IT-configured wireless network has not entirely stopped their adoption, however. Yesterday, Ed noticed a junior attorney surfing the web with his laptop in the lunch room, without a network cable. When Ed asked the attorney how he was connected to the network, he confessed that he had plugged a consumer WAP into the network port in his office.

Explain the potential risks of having a rogue wireless network in the office.

An attacker with a wireless network card could join their Active Directory Domain Services domain. An attacker could use a wireless network card to capture traffic between two wired network hosts. An attacker could use the company’s Internet connection from the lobby of the building with a wireless-enabled mobile computer.