People’s Bank and Trust is a full-service, privately owned community bank. The bank is divided into the following departments: Customer Service, Loans, Business Services, and Investment Services. The bank is presently upgrading its servers from Windows Server 2003 to Windows Server 2008. Also, it is gradually upgrading client computers from a mix of Windows 2000 and XP to Windows Vista. The cash drawers at the tellers’ booths are connected to Windows XP computers, which are networked into the servers. The bank uses Active Directory with one small domain and with OUs for each department. All of the servers at the bank are configured as DCs.
In addition to walk-in and drive-up services, People’s Bank offers ATM services and Internet banking. The Internet banking is performed through a Windows Server 2003 Web server located at the bank. The bank also offers automated telephone banking services that are tied into its Windows servers.
The bank auditors have recently raised concerns in several areas of computer and network security that the bank wants to address at the same time as it upgrades the client and server computers. The IT director at the bank has retained you via Aspen Consulting to assist with the transition to Windows Server 2008 and to help resolve the security issues raised by the audit.
Case 1: Password Security
Inadequate password security is one of the areas that the auditors believe needs improvement. The audits raised the following concerns:
1. Some bank employees have used the same user account password for several years.
2. Many of the existing passwords are only four or five characters in length.
3. Several bank employees regularly change their passwords, but rotate between the same three or four passwords with each change.
4. An employee who has forgotten a password can keep trying different combinations for as long as they like, until they hit upon the password or give up trying.
What capabilities in Windows Server 2008 enable the bank to address the auditors’ concerns? Create a short report of your recommendations for the bank’s Audit Response Committee. Also, for the IT manager who is a committee member, note what tool can be used to implement your recommendations.
Case 2: Using Windows Server 2008 Auditing
The Audit Response Committee would like to know in what ways Windows Server 2008 can provide audit information, because no auditing is currently in use. The committee would like you to create a report that provides examples of what can be audited. Also, the IT director wants you to create a set of general instructions for how to set up auditing of changes to files.
Case 3: Managing Client Computers
The auditors would like to see more standardization of each user’s desktop and to curtail the ability to change some important settings. Specifically, they would like to:
• Prevent Windows XP and Vista clients from using Control Panel after computers have been set up.
• Ensure that all Windows XP and Vista clients start the most recent version of Microsoft Excel when they click on a file with an .xls extension.
• Prevent users from changing information about their network connections.
• Remove the My Music icon from the Start menu.
For any of these that are possible, include general instructions for the IT Department about how to implement them.
Case 4: Solving a Problem with Security Updates
The bank auditors have mentioned in several places in the audit that the network is only as secure as its weakest link. One of their concerns is that many users never take the time to update their computers as a way to apply the latest security patches. They consider regular client computer updates to be as vital as applying regular operating system updates on the bank’s servers. What Windows Server 2008 capability can address this concern? Create a report for the Audit Response Committee with your recommendations and include a brief description of any security features that accompany the capability you discuss.