You finish the work you were doing in the morning, and head out to the monthly meeting. During this meeting, the Vice President of Strategic Partner Relations informs the group of some news: "We have decided that we need to implement a new web site that is for our strategic partners only. This site will be used for various purposes, but will primarily be used as a means of information exchange."
"So, is this going to be a private site?" asks Blue.
"Absolutely. We will not want any public users on this website. It's just for the people we identify in our Strategic Partner Program. I need those of you in security to be sure that this site is secure."
"We can take care of that. How many people do you think will be accessing the site?" asks Blue.
"Not too many, perhaps around fifty."
"So, is it correct to assume that you know each of these fifty people?"
"Yes, that is correct."
"OK, well this should not be too hard. We'll get working on this right away."
The meeting ends, and you and Blue chat more about the web site issue.
"Well, we know that only around fifty people are going to access the site, and we know who these fifty are. This should not cause too many problems," Blue says.
"I agree. Do you think it will be all right to spend any money outside of the site itself?" you ask.
"Since we are dealing with so few people, that shouldn't be a problem. However, we cannot go overboard. Go ahead and write up a plan for this and get it back to me in a day or two."
Based on your knowledge of GlobalCorp, choose the best solution to the web site security issue.
A. You decide that you will use digital certificates to secure the web site. You will first install a new private CA that the remote users can connect to and request their certificates. This CA will be protected with a very strong password. Each user will be given a user account to access the CA, also protected with a strong password.
Next, you install the new private web server. You then connect to the new CA and make a request for a certificate for the web site. Once you receive the certificate, you configure the web site to use the certificate to Require a Secure Channel (SSL). You then select the option to require client certificates, and you enable mapping for each user account.
Finally, you will call each person and instruct them on the process of connecting to the CA and requesting their certificate, which you will instruct them to store on their local machine. Once they have their certificate, you have them test access to the site, and when successful you move on to the next person.
B. You decide that you will use freely available PGP certificates to secure access to the website. You will first install a new IIS web server to host the site. You then configure one user account, with a strong password. You map this account as the only account that has access to the website.
You then log on locally, as this user account, to the server and create a public\private key pair. From that account you then send an outgoing email to all fifty users with the account private key. You finish the configuration of the website by making changes in the Security properties of the website.
In the Security properties, you select the Advanced tab. On the Advanced tab, you check the box to map this account to a local digital certificate, and you select the new certificate you just created.
Next, you contact each remote user and instruct them to open the email from you. You have them store the key they receive in their personal certificate store. To verify the install is correct, you walk them through the process of viewing their certificates in the MMC. Once verified, you have the user connect to the website, and enter the location of their certificate when asked for authentication credentials.
C. You decide to use strong authentication via biometrics, specifically fingerprint scanning to secure the web site. You will first install a new IIS web server to host the site. You then configure fifty user accounts for the remote users, and assign those accounts very strong passwords.
You then ship one biometric mouse and software to each remote client. You call each user and walk them through the process of configuring their equipment. First, you tell them to create a matching user account with the same user name and very strong password as you used on the IIS server. You then have them install the software, which you instruct them to configure so that the biometric will be linked to the user account.
Once the software is installed, you instruct them to connect the mouse to their system and load the appropriate driver. With the driver installed, you tell them how to load the program and enroll their fingerprint. Once they have their fingerprint enrolled, and it is matched to their user account, you let them know that their side of the configuration is complete, and that you will call them shortly to finish the process.
You return to the configuration of the IIS server. In the Security properties of the website, you select the Advanced authentication tab. On the Advanced tab, you check the box for mapping user accounts to external biometric devices, and you check the box to allow the remote machine to control the mapping. You finish the configuration by configuring the site to use 128-bit RSA to encrypt the data between the client and the server.
With the server configuration done, you call the client back and have them log in using their biometric mouse. Once logged in, you instruct them to connect to the website and verify the secure site is running.
D. You decide to use existing security technology of digital certificates and SSL to secure the site. You first install a new IIS server that will be the host of the web site. You then connect to the GlobalCorp CA for the executive building and request a new certificate for the web site.
You then configure the web site to Require a Secure Channel (SSL) and install the certificate. Once you install the new certificate, you connect from the new server to the CA in each office where one or more of the fifty people that require access works. At that CA, you install the CA certificate, so that the new server will trust the certificates that each CA issues.
Next, you return to the configuration of the new web site. To make the site more secure, you require client certificates, and enable mappings for each user account. You call each user and ensure that they have a certificate from their own CA, which the new server now trusts. You walk them through the process of connecting to the site, and verify that they have been granted secure access.
E. You decide to use digital certificates on smart cards to secure the web site. You will first install a new IIS web server to host the site. You then connect to the CA_SERVER and request a new certificate for the server. The server certificate will be used for authentication, and you have the certificate issued and stored on a portable USB drive.
You then configure a machine to function as the enrollment machine for smart cards. You are going to manage the smart cards yourself. At the machine that you are going to use for the smart cards, you first configure the system with an enrollment agent certificate from the CA_SERVER, and then you install the driver for the smart card reader.
Once the driver is installed, you make certificate requests for each of the fifty users. You start with the first user, by logging in to the CA and selecting the option to Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station radio button. You then select the Smartcard User template, and enter the user name. When prompted, you put a blank smart card in the reader and press the Enroll button, followed by entering the default PIN.
You then test access to the site from a remote machine using the smart card and PIN to be authenticated to the site. Once the test is complete, you write a short how-to file and send it along with the smart card, smart card reader, and driver to each of the fifty users. You follow up with each user upon receipt to walk them through the configuration.
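Options A, D and E all rest on the same three IIS settings: require a secure channel, require a client certificate, and map each accepted certificate to a user account. The following PowerShell is an added illustration of that configuration on IIS 7 and later; it is not part of the original question or of any GlobalCorp system. The site name PartnerSite, the account partner01 and the certificate file path are assumptions, and the one-to-one mapping shown is the per-user mapping the options describe (a many-to-one rule keyed on the issuing CA would be the equivalent of trusting a whole office CA as in option D).

```powershell
# Added example, not from the original page. Assumed names: site 'PartnerSite',
# local account 'partner01', exported public certificate C:\certs\partner01.cer.
Import-Module WebAdministration

$site     = 'PartnerSite'
$certFile = 'C:\certs\partner01.cer'   # DER-encoded public cert of the partner, exported from their CA
$appHost  = 'MACHINE/WEBROOT/APPHOST'  # edit applicationHost.config; these sections are locked below it

# Feature that provides IIS (non-Active Directory) client certificate mapping.
Install-WindowsFeature Web-Cert-Auth

# "Require a Secure Channel (SSL)" plus "Require client certificates".
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Anonymous access stays off so the certificate mapping is the only way in.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# Enable client certificate mapping with one-to-one (per user) rules.
$mapFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $mapFilter -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $mapFilter `
    -Name 'oneToOneCertificateMappingsEnabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $mapFilter `
    -Name 'manyToOneCertificateMappingsEnabled' -Value $false

# Map one partner's certificate (Base64 of the DER bytes) to a local account.
# IIS needs the account password to create the logon token; it is encrypted in
# applicationHost.config, but is still a secret, so prompt for it rather than
# hard-coding it in a script.
$b64  = [Convert]::ToBase64String([IO.File]::ReadAllBytes($certFile))
$cred = Get-Credential -UserName 'partner01' -Message 'Password of the mapped account'
Add-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$mapFilter/oneToOneMappings" -Name '.' `
    -Value @{ enabled = 'True'
              userName = $cred.UserName
              password = $cred.GetNetworkCredential().Password
              certificate = $b64 }

# Check: the site must report the three SSL flags and exactly the mappings you added.
Get-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
Get-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$mapFilter/oneToOneMappings" -Name 'Collection' |
    Select-Object userName, enabled
```

Two checks belong with this configuration, whichever option is chosen. First, the server only trusts client certificates whose issuing CA chain is in the machine Trusted Root (and, if needed, Intermediate) store, so option D's step of importing each office CA certificate is what makes those users' certificates acceptable at all. Second, a client certificate mapping is only as strong as the private key behind it: a key that never leaves a smart card (option E) cannot be copied from a workstation or forwarded in e-mail, whereas a key distributed by e-mail (option B) is not a credential at all, since anyone who reads the message holds it.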