You are the security analyst for your company. The company’s written security policy does not allow direct dial-in connections to the network. During a routine security audit, you discover a Windows Server 2003 server named Server1 that has a modem installed and is connected to an outside analog phone line.
You investigate and discover that Server1 is also running Routing and Remote Access and is used by the sales department. The modem supports the caller ID service. This remote access connection is used by an application at a partner company to upload product and inventory information to Server1. Each day at midnight, the partner application connects to Server1 and uploads the information.
The connection never lasts longer than 30 minutes. The application is currently using the sales manager’s domain user account to make the connection. The partner application does not support incoming connections. The partner company has no plans to update this application to support your written security policy, and the sales department requires this updated product and inventory information to be available each morning.
Company management directs you to design a solution that provides the highest level of security for this connection until a more secure solution can be developed by the two companies. You need to design and implement a solution that will ensure that only the partner’s application can connect to your network over the dial-up connection.
Your solution must prevent the connection from being used by unauthorized users, and it must allow only the minimum amount of access to the network.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A.
Configure a remote access policy on Server1 that allows the connection for only the specified user account between midnight and 1:00 A.M. Configure the policy to require callback authentication to the partner company’s server.
B.
Create an local account named PartnerDialup on Server1, and add this account to the local Users group. Grant this user account permissions for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.
C.
Create an account named PartnerDialup in the domain, and add this account to the Domain Guests group. Grant this user account permissions for the folder to which the sales information is uploaded. Direct the partner cofmpany to use this account for remote access.
D.
Configure a remote access policy on Server1 that allows the connection for only the specifed user account between midnight and 1:00 A.M. Configure the policy to allow only the specific calling station identifier of the partner company’s computer.
Explanation:
A local user account for Microsoft Windows Server 2003 is a user account a domain provides for a user whose global account is not in a trusted domain. A local account is not required where trust relationships exist between domains.“A Composite Solution With Just One Click” – Certification Guaranteed 12 Microsoft 70-293 Exam
IP address A 32-bit address assigned to Transmission Control Protocol/Internet Protocol (TCP/IP) client computers and other network equipment that uniquely identifies that device on the network. For a computer to be accessible from the Internet, it must have an IP address containing a network identifier registered with the Internet Assigned Numbers Authority (IANA). Thus options B and D will prevent the connection from being used by unauthorized users and with the minimum amount of access to the network.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9: