Solution Guide
Store 65
Consider the following suggestions:
• Place the examination servers and data storage inside a dedicated
examination laboratory space. In this way, all servers, data warehouses,
physical cabling, switches, and routers are physically protected by the same
security measures that restrict laboratory access.
• Use entry control protocols, such as fingerprint or retinal scans, or smart card
access.
• Route all examination traffic through dedicated network switches that are
physically connected only to examination servers and workstations.
Administrative Control Layer and Active Directory
Your solution configuration will run on a Windows operating system, and thus
the remainder of this chapter discusses Windows and its Active Directory Group
and User security features. Active Directory is built on group security and its
related features. A group is a collection of users or computers within a domain.
The two basic types of groups are distribution groups (used for E-mail
distribution) and security groups. Establishing security groups allows you to
create and apply security-related policies, including:
• Access to shared resources and the level of that access
• User rights including password requirements
• Account lockout policies
• Software restriction policies
• Distribution of security patches to notebooks, desktops, and servers
For example, you can create a group containing administrative workstations and
a second group containing administrative users. Then, you can use Group Policy
Objects (GPOs) to limit access to those workstations to members of the
administrative users group. (See "Applying Security Policies Using Group
Policy Objects" on page 69 for information on working with group policy
objects.)
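The following PowerShell sketch is an added example, not part of the original guide. It builds the two groups described above and scopes a GPO to the workstation group with the ActiveDirectory and GroupPolicy modules. The domain, OU paths, group names, GPO name, and account names are hypothetical placeholders.

```powershell
# Added example: every name, OU path and account below is a hypothetical placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn      = 'DC=lab,DC=example'                 # placeholder domain
$groupOu       = "OU=Groups,$domainDn"               # placeholder OU that holds the groups
$workstationOu = "OU=Admin Workstations,$domainDn"   # placeholder OU that holds the computers
$gpoName       = 'Admin Workstation Access'          # placeholder GPO name

# 1. Create two security groups (not distribution groups): one for computers, one for users.
New-ADGroup -Name 'Exam-Admin-Workstations' -GroupCategory Security -GroupScope Global -Path $groupOu
New-ADGroup -Name 'Exam-Admin-Users'        -GroupCategory Security -GroupScope Global -Path $groupOu

# 2. Populate them. Computer accounts are referenced by sAMAccountName (trailing $).
Add-ADGroupMember -Identity 'Exam-Admin-Workstations' -Members 'ADMINWS01$', 'ADMINWS02$'
Add-ADGroupMember -Identity 'Exam-Admin-Users'        -Members 'jdoe', 'asmith'

# 3. Create the GPO and link it to the OU that contains the administrative workstations.
New-GPO -Name $gpoName -Comment 'Restricts logon on administrative workstations'
New-GPLink -Name $gpoName -Target $workstationOu -LinkEnabled Yes

# 4. Security filtering: only members of the workstation group apply the GPO.
#    Authenticated Users is lowered from Apply to Read so the GPO can still be retrieved.
Set-GPPermission -Name $gpoName -TargetName 'Exam-Admin-Workstations' -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace

# 5. Review the result: who is in the user group, and who can read or apply the GPO.
Get-ADGroupMember -Identity 'Exam-Admin-Users' |
    Select-Object name, objectClass, distinguishedName
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
```

The logon restriction itself is then set inside this GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, by granting "Allow log on locally" to the administrative users group. Rerunning step 5 on a schedule and comparing the output against an approved list is a simple way to catch membership drift.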
Computer-Based Security Layer and Active Directory
Active Directory also provides Kerberos, a network authentication security
protocol that allows nodes communicating over non-secure networks to prove
their identity to one another in a secure manner. See "Active Directory User