###BeginCaseStudy###
Case Study: 18
Tailspin Toys
Scenario
General Background
You are the Windows server administrator for Tailspin Toys. Tailspin Toys has a main office
and a manufacturing office. Tailspin Toys recently acquired Wingtip Toys and is in the
beginning stages of merging the IT environments. Wingtip Toys has a main office and a sales
office.
Technical Background
The companies use the network subnets indicated in the following table.

The Tailspin Toys network and the Wingtip Toys network are connected by a point-to-point
dedicated 45 Mbps circuit that terminates in the main offices.
Tailspin toys
The current Tailspin Toys server topology is shown in the following table.

The Tailspin Toys environment has the following characteristics:
• All servers are joined to the tailspintoys.com domain.
• In the Default Domain Policy, the Retain old events Group Policy setting is enabled.
• An Active Directory security group named “Windows system administrators” is
used to control all files and folders on TT-PRINT01.
• A Tailspin Toys administrator named Marc has been delegated rights to multiple
organizational units (OUs) and object in the tailspintoys.com domain.
• Tailspin Toys developers use Hyper-V virtual machines (VMs) for development.
There are 20 development VMs named TT-DEV01 through TT-DEV20.
Wingtip Toys
The current Wingtip Toys server topology is shown in the following table.

All servers in the Wingtip Toys environment are joined to the wingtiptoys.com domain.
Infrastructure Services
You must ensure that the following infrastructure services requirements are met:
• All domain zones must be stored as Active Directory-integrated zones.
• Only DNS servers located in the Tailspin Toys main office may communicate with
DNS servers at Wingtip Toys.
• Only DNS servers located in the Wingtip Toys main office may communicate with
DNS servers at Tailspin Toys.
• All tailspintoys.com resources must be resolved from the Wingtip Toys offices.
• All wingtiptoys.com resources must be resolved from the Tailspin Toys offices.
• Certificates must be distributed automatically to all Tailspin Toys and Wingtip Toys
computers.
Delegated Administration
You must ensure that the following delegated administration requirements are met:
• Tailspin Toys IT security administrators must be able to create, modify, and delete
user objects in the wingtiptoys.com domain.
• Members of the Domain Admins group in the tailspintoys.com domain must have full
access to the wingtiptoys.com Active Directory environment.
• A delegation policy must grant minimum access rights and simplify the process of
delegating rights.
• Minimum permissions must always be delegated to ensure that the least privilege is
granted for a job or task.
• Members of the TAILSPINTOYS\HeIpdesk group must be able to update drivers and
add printer ports on TT-PRINT01.
• Members of the TAILSPINTOYS\Helpdesk group must not be able to cancel a print
job on TT-PRINT01.
• Tailspin Toys developers must be able to start, stop, and Apply snapshots to their
development VMs.
IT Security
You must ensure that the following IT security requirements are met:
• Server security must be automated to ensure that newly deployed servers
automatically have the same security configuration as existing servers.
• Auditing must be configured to ensure that the deletion of user objects and OUs is
logged.
• Microsoft Word and Microsoft Excel files must be automatically encrypted when
uploaded to the Confidential document library on the Tailspin Toys Microsoft SharePoint
site.
• Multifactor authentication must control access to Tailspin Toys domain controllers.
• All file and folder auditing must capture the reason for access.
• All folder auditing must capture all delete actions for all existing folders and newly
created folders.
• New events must be written to the Security event log in the tailspintoys.com domain
and retained indefinitely.
• Drive X:\ on TT-FILE01 must be encrypted by using Windows BitLocker Drive
Encryption and must automatically unlock.
###EndCaseStudy###

You need to recommend a solution to meet the following requirements:
• Meet the company auditing requirements.
• Ensure that further administrative action is not required when new folders are added to the
file server.
What should you recommend? (Choose all that Apply.)

A.
Enable the Audit File System Group Policy setting for Success.

B.
Enable the Audit object access Group Policy setting for Success.

C.
Enable the Audit File System Group Policy setting for Failure.

D.
Enable the Audit Handle Manipulation Group Policy setting for Success.

E.
Enable the File system option of the Global Object Access Auditing Group Policy setting.

F.
Enable the Audit Handle Manipulation Group Policy setting for Failure.

Explanation:

Security auditing allows you to track the effectiveness of your network defenses and identify
attempts to circumvent them. There are a number of auditing enhancements in Windows Server
2008 R2 and Windows 7 that increase the level of detail in security auditing logs and simplify the
deployment and management of auditing policies.
Auditing policy
Before you implement auditing policy, you must decide which event categories you want to audit.
The auditing settings that you choose for the event categories define your auditing policy. On
member servers and workstations that are joined to a domain, auditing settings for the event
categories are undefined by default. On domain controllers, auditing is turned on by default. By
defining auditing settings for specific event categories, you can create an auditing policy that suits
the security needs of your organization.
Audit Object Access
This security setting determines whether to audit the event of a user accessing an object–for
example, a file, folder, registry key, printer, and so forth–that has its own system access control list
(SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not
audit the event type at all. Success audits generate an audit entry when a user successfully accesses
an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user
unsuccessfully attempts to access an object that has a SACL specified.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define
these policy settings check box and clear the Success and Failure check boxes.
Note that you can set a SACL on a file system object using the Security tab in that object’s Properties
dialog box.
http ://technet.microsoft.com/en-us/library/cc776774%28v=ws.10%29.aspx
Audit Handle Manipulation Group Policy setting
This policy setting determines whether the operating system generates audit events when a handle
to an object is opened or closed. Only objects with configured SACLs generate these events, and only
if the attempted handle operation matches the SACL. Event volume can be high, depending on how
SACLs are configured.
When used together with the Audit File System or Audit Registry policy settings, the Audit Handle
Manipulation policy setting can provide an administrator with useful “reason for access,” audit data
detailing the precise permissions on which the audit event is based. For example, if a file is
configured as a read-only resource but a user attempts to save changes to the file, the audit event
will log not just the event itself but the permissions that were used, or attempted to be used, to save
the file changes.
Global Object Access Auditing Group Policy setting.

Global Object Access Auditing. In Windows Server 2008 R2 and Windows 7, administrators can
define computer-wide system access control lists (SACLs) for either the file system or registry. The
specified SACL is then automatically applied to every single object of that type. This can be useful
both for verifying that all critical files, folders, and registry settings on a computer are protected, and
for identifying when an issue with a system resource occurs.