Page 1 Copyright 2002 Microsoft Corporation All Rights Reserved
Exercise 1 Developing a Security Plan
Design Worksheet A

Risk: Virus infection from the Internet
Security requirement: All incoming files must be scanned by a virus scanner.
Design solution: Use Group Policy to deploy a desktop virus scanner and configure scanning preferences. The virus scanner must scan files being downloaded from the Internet.

Risk: Loss of internal data from file servers due to accidental deletion of data
Security requirement: Cannot tolerate a loss of more than one day's worth of data.
Design solution: Implement a training plan to make sure that all staff members know where to store data and how to save data to file servers. Implement a disaster recovery plan and make sure that the backup strategy can recover at least all of the data from the previous day.

Risk: Information from HR database stolen by internal staff
Security requirement: Must make sure that access to the HR database is granted on an as-needed basis.
Design solution: Make sure that permissions on the HR database secure the information.

Risk: Information from HR database stolen by external partners
Security requirement: Must make sure that external partners have access only to the information that they need in the HR database.
Design solution: Partition the information available in the HR database so that information that can be accessed externally is in a different section of the database from internal information. Set permissions on the internal information to deny access to external partners.

Risk: Compromise of data on internal servers due to VPN connection to the Internet
Security requirement: Must not allow attacks from the Internet to compromise HR data.
Design solution: Implement certificate-based authentication for partners. Use remote access policies and require strong encryption of data. Grant VPN access on an as-needed basis.
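One way to realize the HR database partition from the "stolen by external partners" row, as an added example rather than the courseware's own solution, written in current SQL Server (T-SQL) syntax; the schema names, column set, role names and the partner_user account are all assumed:

```sql
-- Added example, not courseware code: partition HR data so that external
-- partners reach only the section they need. Schema and role names, the
-- column set and partner_user are all assumed.
CREATE SCHEMA hr_internal;
GO
CREATE SCHEMA hr_partner;
GO

-- Internal section: everything HR holds, including the sensitive fields.
CREATE TABLE hr_internal.Employee (
    EmployeeId  INT           NOT NULL PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,
    Department  NVARCHAR(50)  NOT NULL,
    WorkEmail   NVARCHAR(100) NOT NULL,
    Salary      MONEY         NOT NULL,  -- internal only
    HomeAddress NVARCHAR(200) NULL,      -- internal only
    NationalId  NVARCHAR(20)  NULL       -- internal only
);
GO

-- External section: a view exposing only the columns partners need. The view
-- and the base table share an owner (dbo), so ownership chaining lets partners
-- read through the view without holding any permission on hr_internal.
CREATE VIEW hr_partner.EmployeeDirectory AS
    SELECT EmployeeId, FullName, Department, WorkEmail
    FROM hr_internal.Employee;
GO

-- Roles: internal HR staff versus external partner accounts.
CREATE ROLE hr_staff;
CREATE ROLE hr_partner_reader;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::hr_internal TO hr_staff;
GRANT SELECT ON SCHEMA::hr_partner TO hr_partner_reader;
-- Explicit DENY on the internal section: DENY overrides any GRANT a partner
-- account might inherit through other role memberships.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::hr_internal TO hr_partner_reader;
GO

-- Check from a partner's point of view: the view works, the table does not.
CREATE USER partner_user WITHOUT LOGIN;
ALTER ROLE hr_partner_reader ADD MEMBER partner_user;
GO
EXECUTE AS USER = 'partner_user';
SELECT * FROM hr_partner.EmployeeDirectory;   -- succeeds
GO
SELECT Salary FROM hr_internal.Employee;      -- fails: permission denied
GO
REVERT;
GO
```

The same split maps onto the worksheet's maintenance strategy: the periodic permission audit only has to confirm that no partner account holds anything on hr_internal beyond the DENY.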
Design Worksheet B

Design solution: Use Group Policy to deploy a desktop virus scanner and configure scanning preferences. The virus scanner must scan e-mail.
Strategy for maintenance: Monitor virus information sources and make sure that virus scanner files are up-to-date.

Design solution: Monitor audit logs to identify attacks before they happen to minimize the chance of a successful attack. Make sure that all file server security issues are implemented on all internal servers.
Strategy for maintenance: Monitor security information sources for software updates and configuration changes that affect file server security. Test and apply updates to file servers as security issues become known. Regularly check audit logs to identify attacks before they cause problems.

Design solution: Train staff on which printer to use for each form of data. Use permissions to restrict access to printers for staff members who have access to confidential data. Use scripts to configure printer connections for staff with access to confidential information.
Strategy for maintenance: Update courseware as changes occur and make sure that staff members receive notifications of updates. Perform audits on print servers to make sure that staff members have print permissions as needed. Regularly audit who has access to confidential data.

Design solution: Use Group Policy to deploy a desktop virus scanner and configure scanning preferences. The virus scanner must scan files being downloaded from the Internet.
Strategy for maintenance: Monitor information sites regarding attacks, and monitor event logs for evidence of DoS attacks and attempted DoS attacks.

Design solution: Implement a training plan to make sure that all staff members know where to store data and how to save data to file servers. Implement a disaster recovery plan and make sure that the backup strategy can recover at least all of the data from the previous day.
Strategy for maintenance: Regularly update the training plan and advise internal users of the changes. Test the backup strategy and recovery plan regularly to ensure that it meets your policies.

Design solution: Make sure that permissions on the HR database secure the information.
Strategy for maintenance: Perform regular security audits on permissions. Perform regular checks on the physical security of servers to ensure that they are secure. Perform checks on passwords to make sure that users are not using easily breakable passwords.

Design solution: Partition the information available in the HR database so that information that can be accessed externally is in a different section of the database from internal information. Set permissions on the internal information to deny access to external partners.
Strategy for maintenance: Monitor for remote access software updates, and make sure that all dial-up clients have correct dial-up settings.

Design solution: Implement certificate-based authentication for partners. Use remote access policies and require strong encryption of data. Grant VPN access on an as-needed basis.
Strategy for maintenance: Monitor firewall event logs to determine whether DoS attacks are occurring, and whether they are being prevented. Monitor for software updates to firewall and Web software.