(Exam 70-298) Exam Cram 2 - Designing Security For A Windows Server 2003 Network
By Bill Ferguson
Published by Que
May 2004
Page 1 of 250
INDEX
A Note from Series Editor Ed Tittel ..........................................................................................4
About the Author ......................................................................................................................5
Acknowledgments ....................................................................................................................5
We Want to Hear from You! .....................................................................................................6
The 70-298 Cram Sheet...........................................................................................................7
TYPES OF SECURITY POLICIES ...................................................................................7
KEY PRINCIPLES OF SECURITY DESIGN ....................................................................7
TYPES OF DATA .............................................................................................................7
COMPONENTS OF A PUBLIC KEY INFRASTRUCTURE ..............................................7
MOST COMMON HIERARCHICAL DESIGNS FOR CERTIFICATION AUTHORITIES ..8
TYPES OF CAS ...............................................................................................................8
TYPES OF ACCOUNT POLICIES ...................................................................................8
TYPES OF TRUSTS ........................................................................................................8
ADMINISTRATIVE TOOLS THAT ENHANCE SECURITY ..............................................9
COMMON AUDIT POLICY SETTINGS............................................................................9
ENTERPRISE MANAGEMENT TOOLS...........................................................................9
TYPES OF EMERGENCY MANAGEMENT SITES .......................................................10
FEATURES OF SOFTWARE UPDATE SERVICES (SUS) ...........................................10
TOOLS THAT IDENTIFY THE CURRENT PATCH LEVEL OF COMPUTERS .............10
METHODS OF CONTROLLING TRAFFIC THROUGH A FIREWALL...........................11
SECURITY BENEFITS PROVIDED BY IPSEC .............................................................11
DEFAULT SETTINGS FOR IPSEC POLICY..................................................................11
METHODS OF PROTECTING DNS SERVERS ............................................................11
TYPES OF SECURITY IN WIRELESS NETWORKS.....................................................11
TYPES OF 802.1X WIRELESS SECURITY...................................................................12
TYPES OF COMMUNICATION LINKS BETWEEN OFFICES.......................................12
TYPES OF TUNNELING PROTOCOLS ........................................................................12
TOOLS FOR EXTRANET SECURITY ...........................................................................12
CROSS-CERTIFICATION STRATEGIES ......................................................................12
AUTHENTICATION METHODS FOR IIS .......................................................................13
SECURITY FEATURES OF IIS 6.0................................................................................13
TYPES OF GROUPS .....................................................................................................13
GROUP STRATEGIES...................................................................................................14
SHARE PERMISSIONS FOR FOLDERS.......................................................................14
NTFS PERMISSIONS FOR FOLDERS..........................................................................14
NTFS PERMISSIONS FOR FILES.................................................................................14
EFFECTIVE PERMISSIONS WHEN COMBINING NTFS AND SHARED FOLDER PERMISSIONS .....15
TYPES OF CLIENT AUTHENTICATION .......................................................................15
COMPONENTS OF A REMOTE ACCESS POLICY ......................................................15
FEATURES OF INTERNET AUTHENTICATION SERVICES (IAS) ..............................15
Introduction.............................................................................................................................16
Taking a Certification Exam............................................................................................17
How to Prepare for an Exam ..........................................................................................17
Notes on This Book's Organization ................................................................................18
How This Book Helps You..............................................................................................19
Self-Assessment ....................................................................................................................20
MCSEs in the Real World...............................................................................................20
The Ideal MCSE Candidate............................................................................................20
Put Yourself to the Test ..................................................................................................22
Assessing Readiness for Exam 70-298..........................................................................26
Take the Challenge! .......................................................................................................26
Chapter 1. Creating the Conceptual Design for Network Infrastructure Security ...................27
Analyzing Business Requirements for Designing Security.............................................28
Designing a Framework for Designing and Implementing Security................................35
Analyzing Challenges of Designing Security ..................................................................40
Exam Prep Questions.....................................................................................................45
Chapter 2. Creating the Logical Design for Network Infrastructure Security..........................48
Designing a Public Key Infrastructure (PKI) That Uses Certificate Services..................49
Designing a Logical Authentication Strategy ..................................................................60
Exam Prep Questions.....................................................................................................67
Chapter 3. Designing Strategies for Security Management ...................................................70
Designing Security for Network Management ................................................................71
Designing a Security Update Infrastructure....................................................................83
Exam Prep Questions.....................................................................................................87
Chapter 4. Creating the Physical Design for Network Infrastructure Security........................91
Designing Network Infrastructure Security .....................................................................92
Designing Security for Wireless Networks....................................................................100
Designing Security for Communication Between Networks .........................................102
Designing Security for Communication with External Organizations............................107
Exam Prep Questions...................................................................................................111
Chapter 5. Designing Server-Specific Security ....................................................................115
Designing User Authentication for Internet Information Services .................................116
Designing Security for IIS .............................................................................................122
Designing Security by Server Role...............................................................................129
Exam Prep Questions...................................................................................................133
Chapter 6. Designing an Access Control Strategy for Data .................................................137
Designing an Access Control Strategy for Directory Services......................................138
Designing an Access Control Strategy for Files and Folders .......................................145
Designing an Access Control Strategy for the Registry................................................152
Exam Prep Questions...................................................................................................154
Chapter 7. Creating the Physical Design for Client Infrastructure Security..........................158
Designing a Client Authentication Strategy ..................................................................159
Designing a Security Strategy for Client Remote Access.............................................163
Designing a Strategy for Securing Client Computers ...................................................169
Exam Prep Questions...................................................................................................171
Chapter 8. Practice Exam #1 ...............................................................................................174
Case 1: IntelliSync Inc. .................................................................................................174
Case 2: ComForce .......................................................................................................178
Case 3: GWC Inc..........................................................................................................182
Case 4: PowerTran.......................................................................................................186
Chapter 9. Answer Key to Practice Exam #1 .......................................................................190
Case 1: IntelliSync Inc. .................................................................................................190
Case 2: ComForce .......................................................................................................193
Case 3: GWC Inc..........................................................................................................195
Case 4: PowerTran ......................................................................................................197
Chapter 10. Practice Exam #2 .............................................................................................200
Case 1: AUM Inc. .........................................................................................................200
Case 2: BBF, Inc. .........................................................................................................204
Case 3: SysCon............................................................................................................208
Case 4: DC&H Consulting ............................................................................................212
Chapter 11. Answer Key to Practice Exam #2 .....................................................................216
Case 1: AUM Inc. ......................................................................................................... 216
Case 2: BBF, Inc. .........................................................................................................218
Case 3: SysCon............................................................................................................221
Case 4: DC&H Consulting ............................................................................................223
Appendix A Need to Know More? ........................................................................................ 226
Glossary ...............................................................................................................................227
A Note from Series Editor Ed Tittel
You know better than to trust your certification preparation to just anybody. That's why
you, and more than 2 million others, have purchased an Exam Cram book. As Series
Editor for the new and improved Exam Cram 2 Series, I have worked with the staff at
Que Certification to ensure you won't be disappointed. That's why we've taken the
world's best-selling certification product—a two-time finalist for "Best Study Guide" in
CertCities' reader polls—and made it even better.
Exam Cram 2 books also feature a preview edition of PrepLogic's powerful, full-featured
test engine, which is trusted by certification students throughout the world.
As a 20-year-plus veteran of the computing industry and the original creator and editor
of the Exam Cram Series, I've brought my IT experience to bear on these books. During
my tenure at Novell from 1989 to 1994, I worked with and around its excellent education
and certification department. At Novell, I witnessed the growth and development of the
first really big, successful IT certification program—one that was to shape the industry
forever afterward. This experience helped push my writing and teaching activities heavily
in the certification direction. Since then, I've worked on nearly 100 certification-related
books, and I write about certification topics for numerous Web sites and for Certification
magazine.
In 1996, while studying for various MCP exams, I became frustrated with the huge,
unwieldy study guides that were the only preparation tools available. As an experienced
IT professional and former instructor, I wanted "nothing but the facts" necessary to
prepare for the exams. From this impetus, Exam Cram emerged: short, focused books
that explain exam topics, detail exam skills and activities, and get IT professionals ready
to take and pass their exams.
In 1997 when Exam Cram debuted, it quickly became the best-selling computer book
series since "...For Dummies," and the best-selling certification book series ever. By
maintaining an intense focus on subject matter, tracking errata and updates quickly, and
following the certification market closely, Exam Cram established the dominant position
in cert prep books.
You will not be disappointed in your decision to purchase this book. If you are, please
contact me at etittel@jump.net. All suggestions, ideas, input, or constructive criticism are
welcome!
About the Author
Bill Ferguson (MCT, MCSE, MCSA, MCP+I, CCSI, CCNA, A+, Network+, Server+,
Security+) has been in the computer industry for more than 15 years. Originally in
technical sales and sales management with Sprint, Bill made his transition to Certified
Technical Trainer in 1997 with ExecuTrain. Bill now runs his own company as an
independent contractor from Birmingham, Alabama, teaching classes for most of the
national training companies and some regional training companies. In addition, Bill writes
and produces technical training videos for Virtual Training Company, Inc. and Specialized
Solutions, Inc. His videos include A+, Network+, Windows 2000 Management, Windows
XP Management, Windows Server 2003 Management, Windows 2000 Security, Server+,
and Interconnecting Cisco Network Devices. Bill keeps his skills sharp by being a
technical reviewer for books and sample tests for Que Certification and McGraw Hill
Technical. He coauthored the 70-299 Exam Cram 2 for Que Publishing and produced a
training video for the 70-296 MCSE Skills Upgrade test for Virtual Training Company. Bill
says, "My job is to understand the material so well that I can make it easier for my
students to learn than it was for me to learn."
Acknowledgments
I'd like to first thank Que Publishing and LANWrights for giving me the opportunity to
write this book. Thanks to Jeff Riley for his continued faith in me as an author. Thanks to
Kim Lindros for helping me keep the project on schedule from beginning to end.
Finally, thanks to all who have encouraged me as a technical instructor and as a Sunday
School teacher and given me the determination to tackle something new. I sincerely
appreciate all of your thoughts and prayers.
—Bill Ferguson
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We value
your opinion and want to know what we're doing right, what we could do better, what
areas you'd like to see us publish in, and any other words of wisdom you're willing to
pass our way.
As an executive editor for Que Publishing, I welcome your comments. You can email or
write me directly to let me know what you did or didn't like about this book—as well as
what we can do to make our books better.
Please note that I cannot help you with technical problems related to the topic of this
book. We do have a User Services group, however, where I will forward specific technical
questions related to the book.
When you write, please be sure to include this book's title and author as well as your
name, email address, and phone number. I will carefully review your comments and
share them with the author and editors who worked on the book.
Email: feedback@quepublishing.com
Mail: Jeff Riley
Executive Editor
Que Publishing
800 East 96th Street
Indianapolis, IN 46240 USA
For more information about this book or another Que Publishing title, visit our Web site
at www.examcram2.com. Type the ISBN (excluding hyphens) or the title of a book in the
Search field to find the page you're looking for.
The 70-298 Cram Sheet
This Cram Sheet contains the distilled, key facts about Exam 70-298, Designing Security
for a Microsoft Windows Server 2003 Network. Review this information directly before
you enter the testing center, paying special attention to those areas that you feel need
the most review. You can transfer any of these facts from your head onto the provided
paper immediately before beginning the exam.
TYPES OF DATA
• Public
• Internal
• Confidential
• Secret
COMPONENTS OF A PUBLIC KEY INFRASTRUCTURE
• Key and certificate management tools— The tools, such as the Certificate
Services MMC or the http://localhost/certsrv site, that can be used to
administer and control certificates.
• CA— A trusted entity or service that issues digital certificates. This can be internal
to an organization, or external such as VeriSign.
• Certification publication point— The directory services on an intranet and the
Internet that are used to publish the certificate so that others are aware of it.
• Public key-enabled applications and services— The applications and services
that are set up to automatically recognize and use the public key for
authentication and encryption.
• CRL— A list of certificates that have been revoked before reaching their scheduled
expiration date.
TYPES OF CAS
• Standalone— Does not require AD. A certificate administrator must evaluate
each certificate request.
• Enterprise— Requires AD. Can issue certificates automatically based on
authentication in AD.
TYPES OF ACCOUNT POLICIES
• Password
• Account Lockout
• Kerberos
TYPES OF TRUSTS
• Implicit— Two-way, transitive trust between each parent and child domain and
between the roots of trees; these trusts are built in to Windows Server 2003 AD and
cannot be removed
• Shortcut— One-way, transitive trust that provides a shorter path for clients to a
resource in the forest; these trusts are not built in, but can be added and removed
by the enterprise administrator
• External— One-way, nontransitive trust that exists between two domains in two
different forests and can be set up by the domain administrators in each forest
• Forest— Two-way, transitive trust relationship from all of the domains in one
forest to all of the domains in another forest; only available when both forests
are at the Windows Server 2003 functional level
ADMINISTRATIVE TOOLS THAT ENHANCE SECURITY
• Remote Assistance— Provides the ability for administrators to assist a user
through this tool at the user's request. This might include taking control of the
mouse and keyboard and downloading or uploading files.
METHODS OF CONTROLLING TRAFFIC THROUGH A FIREWALL
• Packet filtering— Reads the packet and makes a decision based on the type of
packet, such as the port number
• Stateful inspection— Reads detailed information about the packet and the
connection, including port number, source address, destination address, and
interface
• Circuit-level filtering— Inspects sessions as opposed to connections or packets;
a session can include multiple connections
• Application filtering— Examines each packet for the type of application to which
it applies; the most advanced type of IP filtering
TYPES OF 802.1X WIRELESS SECURITY
• 802.1x with Dynamic Encryption Keys— Relies on RADIUS
• 802.1x with EAP-TLS— Provides a certificate-based system
• 802.1x with PEAP— Can use MS-CHAPv2 for user credential authentication
CROSS-CERTIFICATION STRATEGIES
• Basic constraints— Define the certification path length that is allowed
• Name constraints— Specify which namespaces are permitted or excluded
• Issuance policies— Define the extent to which your organization trusts the
identity presented in a certificate
• Application policies— Define that a certificate can only be used by a specific
application(s)
• Policy mappings— Equate a policy in one organization to one in another
organization
AUTHENTICATION METHODS FOR IIS
• Anonymous— All users use the same account that is installed with IIS and
named IUSR_computername, where computername is the name of the computer
on which IIS is installed.
• Basic— You should only use this method as a last resort because user credentials
are transferred in clear text.
• Digest— The user is prompted for credentials, which are then transferred as an
MD5 hash rather than in clear text.
• Advanced Digest— This method is similar to Digest, but credentials are also
stored locally as an MD5 hash to prevent brute force attacks.
• Integrated Windows— Credentials are obtained from the access token of a
logged-on user.
• Certificate— Certificates can be mapped to clients with one-to-one or many-to-one mapping.
• UNC Passthrough— The system compares the metabase of the Web site with
the credentials of the user to determine if there is a match.
• RADIUS— Central authentication is provided through the use of IAS servers.
• .NET Passport— Authentication is provided by a third-party server owned and
managed by Microsoft or one of its partners.
TYPES OF GROUPS
• Global groups— Created in the AD of one domain but can be placed into Domain
Local groups in any domain or into a Universal group. Global groups can contain
users from the domain in which they are created. They can also contain other
Global groups if the domain is in at least Windows 2000 native mode functional
level.
• Domain Local groups— Created in the AD of one domain and control access to a
resource that is contained in that domain. Domain Local groups can contain users,
but this is not recommended by Microsoft. Instead, Domain Local groups should
contain only Global groups from any domain in an AD forest and Universal groups
if there are some domains that are in at least Windows 2000 native mode
functional level.
• Universal groups— Can only be created on a domain controller that is in at least
Windows 2000 native mode functional level. Universal groups are created in AD
but are not specific to any domain. Universal groups can, therefore, contain
members from any domain and can be used to give access to a resource in any
domain.
GROUP STRATEGIES
• Without Universal groups— A-G-DL-P (Accounts are placed in Global groups,
Global groups in Domain Local groups, and Permissions are assigned to the
Domain Local groups)
• With Universal groups— A-G-U-DL-P (Accounts in Global groups, Global groups in
Universal groups, Universal groups in Domain Local groups, and Permissions
assigned to the Domain Local groups)
EFFECTIVE PERMISSIONS WHEN COMBINING NTFS AND SHARED FOLDER PERMISSIONS
1. Combine all of the share permissions.
2. Combine all of the NTFS permissions.
3. Take the more restrictive of the two combinations.
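As an added worked example (not from the book), the three-step rule above in code: share and NTFS entries are modelled as sets of atomic rights, every entry that applies to the user or one of the user's groups is combined, and the two results are intersected. The ACLs, principal names and the named-permission mapping are constructed for the example; the rule that an explicit Deny overrides an Allow is standard Windows behaviour that the three steps assume.

```python
from dataclasses import dataclass

# Atomic rights used by this simplified model (constructed for the example).
READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_permissions"

# Named share permissions expanded into atomic rights (simplified mapping).
SHARE_LEVELS = {
    "Read": {READ},
    "Change": {READ, WRITE, DELETE},
    "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS},
}

# Named NTFS folder permissions expanded into atomic rights (simplified mapping).
NTFS_LEVELS = {
    "Read": {READ},
    "Write": {WRITE},
    "Modify": {READ, WRITE, DELETE},
    "Full Control": {READ, WRITE, DELETE, CHANGE_PERMS},
}


@dataclass(frozen=True)
class Ace:
    principal: str       # user or group name the entry applies to
    level: str           # one of the named permissions above
    allow: bool = True   # False means an explicit Deny entry


def combine(aces, levels, principals):
    """Steps 1 and 2: combine every entry that applies to the user or to one
    of the user's groups. Allow entries accumulate; an explicit Deny entry
    removes those rights again, because Deny wins over Allow."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal not in principals:
            continue
        (allowed if ace.allow else denied).update(levels[ace.level])
    return allowed - denied


def effective_permissions(user, groups, share_acl, ntfs_acl):
    """Step 3: take the more restrictive of the two combined results, which
    for sets of rights means keeping only what both the share and NTFS grant."""
    principals = {user, *groups, "Everyone"}  # Everyone matches every user
    share_rights = combine(share_acl, SHARE_LEVELS, principals)
    ntfs_rights = combine(ntfs_acl, NTFS_LEVELS, principals)
    return share_rights & ntfs_rights


# Constructed sample ACLs for one shared folder.
SHARE_ACL = [
    Ace("Everyone", "Read"),
    Ace("Sales", "Change"),
]
NTFS_ACL = [
    Ace("Sales", "Modify"),
    Ace("Contractors", "Write", allow=False),  # explicit Deny of Write
    Ace("Domain Admins", "Full Control"),
]


def demo():
    # alice (Sales): share Change and NTFS Modify agree -> read, write, delete
    alice = effective_permissions("alice", {"Sales"}, SHARE_ACL, NTFS_ACL)
    # bob (Sales + Contractors): the NTFS Deny strips write from the Sales Modify
    bob = effective_permissions("bob", {"Sales", "Contractors"}, SHARE_ACL, NTFS_ACL)
    # carol (Domain Admins): NTFS Full Control, but the share only grants Read
    carol = effective_permissions("carol", {"Domain Admins"}, SHARE_ACL, NTFS_ACL)
    return alice, bob, carol


if __name__ == "__main__":
    for name, rights in zip(("alice", "bob", "carol"), demo()):
        print(f"{name}: {sorted(rights)}")
```

carol's result shows why step 3 matters: a generous NTFS grant is cut back to Read by the share permission when the folder is reached over the network.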
Introduction
Welcome to the Exam Cram 2 series. The purpose of this book is to prepare you to take
Microsoft certification exam 70-298, "Designing Security for a Microsoft Windows Server
2003 Network."
Books in the Exam Cram 2 series are designed to help you understand the material you
will encounter on the exam. The purpose of this series is to cover the topics you are
likely to encounter on the exams, but the books do not teach you everything you need to
know about a topic. This book contains as much information as possible about the 70-
298 exam.
This book begins by providing useful information about how to prepare for the exam and
what to expect on your exam day. To begin, we recommend that you take the self-
assessment included in the book. This will help you to evaluate your current knowledge
base against what is required for a Microsoft Certified Systems Engineer (MCSE)
candidate. Then, you can determine where your training should begin, which may include
some classroom training or reading one of the several study guides available.
We also strongly recommend that you gain some hands-on experience with the
technologies being covered on the exam. Again, this may be through classroom training
or by installing and configuring the software on a home system. In any case, nothing
beats hands-on experience when it comes to learning essential exam topics.
Passing this exam can earn you credit toward the following certifications:
• Microsoft Certified Systems Engineer (MCSE)— This is one of the core exams
required to obtain MCSE status.
• Microsoft Certified Systems Engineer (MCSE): Security on Microsoft
Windows Server 2003— This is one of the core exams required to obtain MCSE:
Security on Windows Server 2003 status.
Taking a Certification Exam
This section provides information on exam pricing and registration processes. Keep in
mind that Que Publishing is a sister company to Virtual University Enterprise (VUE)
Testing. Be sure to check with us at www.examcram2.com for any discount test vouchers
that might be available exclusively to Exam Cram 2 readers. This can be an added bonus
for your book.
After you've fully prepared for an exam and feel that you are ready for the next step,
you'll need to register with a testing center to take the exam. To do so, contact either
Prometric or VUE using the following information:
• Prometric— You can register for an exam online at www.prometric.com. You can
also register by phone at 1-800-775-3926 (within the United States and Canada).
If outside these two countries, call 1-410-843-8000.
• Virtual University Enterprise (VUE)— You can register online at www.vue.com
or call a local testing center. Testing centers local to your region can also be
located on the Web site.
You can register for an exam by contacting either of the parties just listed. You must
register at least one day in advance and any cancellations must be made by 7:00 a.m.
the day before you are scheduled to take the exam.
To make the registration process go more smoothly, be certain to have the following
required information handy:
After you register, you will be given the date, time, and location of where you are to take
the exam.
An abundance of resources are available both online and in print that can be used to
prepare for an exam. The Microsoft Web site is a good source of information pertaining to
both the exam itself and for in-depth coverage of exam topics. Due to the popularity of
the MCSE certification, a number of printed study guides and online resources are also
available. Some of the resources you may find useful include
• The Windows Server 2003 product CD has one of the best resources you can use
when preparing for an exam—the Help included with the operating system. It
usually covers different aspects of all the technologies included with the operating
system.
• The Microsoft Training and Certification Web site at
www.microsoft.com/traincert/default.asp provides links to exam resources and
outlines how an individual should prepare for an exam.
• The Exam Cram 2 Web site at www.examcram2.com provides an abundance of
information about certification exams and how to prepare for them.
• The Microsoft Training Kits are also a great source of information. Microsoft Press
publishes study guides for the different certification exams, including exam 70-
298. You can find more information about the training kits at
www.mspress.microsoft.com/findabook/list/series_ak.htm.
• Microsoft TechNet is a monthly publication that provides information on the latest
technologies and topics, some of which pertain to the exam topics covered in
exam 70-298.
• Classroom training is offered by many companies that design courses to prepare
students to pass the various exams.
• The Exam Cram 2 series has always been a popular resource for exam
preparation.
• Terms you'll need to understand— Each chapter begins with a list of terms
that you must learn and understand to fully grasp the content being covered;
each of these terms is defined in the Glossary.
• Techniques you'll need to master— Following the important terms is a list of
concepts/tools/techniques that need to be understood before attempting to
challenge the exam.
• Chapter content— The introductory paragraph alerts you to the topics that are
covered throughout the chapter. Following this, a number of topics relating to the
chapter title are covered in detail.
• Exam Alerts— Concepts and topics that are likely to appear on the exam are
highlighted in a special layout known as an Exam Alert. An Exam Alert appears
within the chapter content like this:
This is not to say that the general content within a chapter is not important—it is.
However, the Exam Alerts flag the information that is more likely to appear in an
exam question.
• Tips and Notes— Throughout a chapter, you may also find information
highlighted in the special layouts of Tips and Notes. The layout and purpose of
each is as follows:
Tips are designed to give the reader some added piece of information
pertaining to a topic being covered, such as an alternative or more
efficient way of performing a certain task.
Notes are designed to alert you to a piece of information related to the
topic being discussed.
• Exam prep questions and answers— At the end of each chapter, a series of 10
questions are designed to test your understanding of the topics covered
throughout the chapter. Detailed explanations are provided for each of the 10
questions, explaining both the correct and incorrect answers.
Other elements of the book worth mentioning are the Practice Exams and Answer Keys
found in Chapters 8 through 11. These questions cover all of the topics covered
throughout the book. The questions can be used for review purposes and to determine
exam readiness.
In addition, you'll find a glossary of key terms used throughout the book and an appendix
listing additional resources that you may find valuable.
Last but not least, mention must be made about the Cram Sheet included with this book.
The Cram Sheet distills all the important facts and topics covered and summarizes them
in a few short pages. These are the facts that we feel should be memorized for the exam.
The Cram Sheet is the last thing you should review before taking the exam. When you
enter the exam room, the first thing you should do is write down these important facts
on the piece of paper provided.
Some of the topics covered later in the book might require an understanding of topics
covered in earlier chapters. Therefore, it's recommended that you read the book from
start to finish for your initial reading. When it comes time to brush up or to review
certain topics, you can always use the index to go directly to specific sections while
omitting others.
In preparing for exam 70-298, we think you'll find this book a very useful reference to
some of the most important topics and concepts of Designing Security for a Microsoft
Windows Server 2003 Network. It prepares you for the exam day by outlining what you
can expect. It covers all the important topics you can expect to find on the exam. Also, it
provides many sample exam questions to help you evaluate exam readiness and
understanding of the material as well as to familiarize yourself with the Microsoft testing
format.
Self-Assessment
The reason we include a self-assessment in this Exam Cram 2 book is to help you
evaluate your readiness to tackle MCSE certification. It should also help you to
understand what you need to know to master the main topic of this book—namely, exam
70-298 "Designing Security for a Microsoft Windows Server 2003 Network." Before you
tackle this self-assessment, let's talk about concerns you might face when pursuing an
MCSE credential on Windows Server 2003, and what an ideal MCSE candidate might look
like.
Increasing numbers of people are achieving Microsoft certifications. You can get all the
real-world motivation you need from knowing that many others have gone before you,
allowing you to follow in their footsteps. If you're willing to tackle the process seriously
and do what it takes to obtain the necessary experience and knowledge, you can take—
and pass—all the certification tests involved in obtaining the MCSE credential. In fact, at
Que Publishing, we've designed the Exam Cram 2 series and the MCSE Training Guide
series to make it as easy for you as possible to prepare for these exams. We've also
greatly expanded our Web site, www.examcram2.com, to provide a host of resources to
help you prepare for the complexities of Windows Server 2003 and Windows XP.
The Windows Server 2003 MCSE program is similar to the Windows
2000 Server certification program, yet a bit more rigorous and
definitely more interactive than the Windows NT certification
program—you really need some hands-on experience if you want to
become certified. Some of the exams require you to solve real-world
case studies as well as security and network design issues, so the
more hands-on experience you have, the better.
Put Yourself to the Test
The following series of questions and observations is designed to help you determine how
much work you must do to pursue Microsoft certification and what kinds of resources you
may consult on your quest. Be brutally honest in your answers because otherwise you'll
end up wasting time and money on exams that you're not yet ready to take. There are
no right or wrong answers; these are simply steps along the way to certification. Only
you can decide where you really belong in the broad range of hopeful candidates. Two
things should be clear from the beginning, however:
Educational Background
The following questions assess your educational background. Depending upon your
answers, you might need to review some additional resources to get yourself up to speed
for the types of questions that you will encounter on Microsoft certification exams.
2. Have you taken any classes on computer operating systems? [Yes or No]
If Yes, you will probably be able to handle the Microsoft architecture and system
component discussions. If you're rusty, brush up on basic operating system
concepts, especially virtual memory, multitasking regimes, user-mode versus
kernel-mode operation, and general computer security topics.
If No, consider doing some basic reading in this area. We strongly recommend a
good general operating systems book, such as Operating System Concepts by
Abraham Silberschatz and Peter Baer Galvin (John Wiley & Sons). If this book
doesn't appeal to you, check out reviews for other, similar books at your favorite
online bookstore.
3. Have you taken any networking concepts or technologies classes? [Yes or No]
If Yes, you will probably be able to handle the Microsoft networking terminology,
concepts, and technologies (brace yourself for frequent departures from normal
usage). If you're rusty, brush up on basic networking concepts and terminology,
especially networking media, transmission types, the OSI reference model, and
networking technologies, such as Ethernet, wide area network (WAN) links, and
wireless technologies.
If No, you might want to read one or two books in this topic area. The two best
books that we know of are Computer Networks by Andrew S. Tanenbaum
(Prentice-Hall) and Computer Networks and Internets by Douglas E. Comer and
Ralph E. Droms (Prentice-Hall).
Hall). Both books offer a comprehensive view of security even though they are
discussed in the context of the Unix environment.
Hands-on Experience
The most important key to success on all the Microsoft exams is hands-on experience,
especially when it comes to Windows Server 2003, Windows 2000, Windows XP, and the
many services and components around which many of the Microsoft certification exams
are centered. If we leave you with only one insight after you take this self-assessment, it
should be that there's no substitute for time spent installing, configuring, and using the
various Microsoft products on which you'll be tested. The more in-depth understanding
you have of how these software products work, the better your chance in selecting the
correct answers on the exam.
If No, you must obtain one or two machines and a copy of Windows Server
2003. A trial version can be downloaded or a CD-ROM ordered on the
Microsoft Web site. Then, you need to learn about the operating system
and any other software components on which you'll be tested by installing
the operating system and practicing the objectives specified in the exam
preparation guide. In fact, it is a good idea to have two computers, each
with a network interface, that can be used to set up a small network on
which to practice. This practice network can be invaluable when it comes to
learning the skills necessary to pass the exams. With decent Windows
Server 2003–capable new computers selling for about $500 to $600 each
these days and used ones available for less, this shouldn't be too much of
a financial hardship. If you search the Microsoft Web site, you can usually
find low-cost options to obtain evaluation copies of most of the software
that you'll need.
If Yes, make certain you understand the concepts covered in exams 70-215,
70-216, and 70-220.
If No, consider acquiring a copy of Windows 2000 Server and learn how to
install, configure, and administer it. To learn about the operating system
and other software components, you can either use the objectives specified
in the exam preparation guide or purchase a well-written book to direct
you in your studies such as MCSE Windows 2000 Server Exam Cram 2.
You can download objectives, practice exams, and other data about
Microsoft exams from the Training and Certification page at
www.microsoft.com/learning/mcpexams/prepare/default.asp. You can
use the links to obtain specific exam, reference, or training
information.
If Yes, make certain you understand the concepts covered in exams 70-270
and 70-210.
If No, obtain a copy of Windows XP and Windows 2000 Professional and
learn how to install, configure, and maintain each system. Practice the
exam objectives relating to client systems or purchase a well-written book
to guide your activities and studies such as MCSE Windows XP Professional
Exam Cram 2.
For any and all of these Microsoft operating systems exams, the
Resource Kits for the topics involved always make good study
resources. You can purchase the Resource Kits from Microsoft Press
(you can search for them at http://microsoft.com/mspress), but they
also appear on the TechNet CDs, DVDs, and Web site
(www.microsoft.com/technet/default.mspx). Along with the Exam
Cram 2 books, we believe that the Resource Kits are among the best
tools you can use to prepare for Microsoft exams.
2. For any specific Microsoft product that is not itself an operating system, such as
SQL Server, Exchange Server, or IIS, have you installed, configured, used, and
upgraded this software? [Yes or No]
If Yes, skip to the next section, "Testing Your Exam-Readiness." If No, you must
get some experience. Read on for suggestions about how to do this.
If you have the funds, or if your employer is willing to pay your way,
consider taking a class at a Microsoft Certified Technical Education
Center (CTEC) or a Microsoft IT Academy. In addition to classroom
exposure to the topic of your choice, you might receive a copy of the
software that is the focus of your course, along with a trial version of
whatever operating system it needs, as part of the training materials
for that class.
Before you even think about taking any Microsoft exam, make sure you've spent
enough time with the related software to understand how it can be installed and
configured, how to maintain such an installation, and how to troubleshoot the
software when things go wrong. This will help you in the exam—and in real life!
Testing Your Exam-Readiness
Whether you attend a formal class on a specific topic to get ready for an exam or use
written materials to study on your own, some preparation for the Microsoft certification
exams is essential. The cost is $125 per exam, whether you pass or fail, so you'll want to
do everything you can to pass on your first try. That's where studying comes in.
We have included two practice exams in this book. If you don't score very well on these
exams, you can study a bit more and then take the practice exams again. Keep in mind
that practice exams are designed to measure your skills in the areas that are tested on
the exam. Even if you get a 100% on the practice exams, it is not a guarantee that you
will pass the real exam. The more you practice, the better you get.
Be careful not to memorize the answers. This can trip you up on the
actual exam. You need to know the theory behind why the answer is
correct.
We also have practice questions that you can sign up for online through our Crammers
Club at www.examcram2.com. The PrepLogic CD-ROM included with this book has
sample questions and you might be able to download demos or purchase additional
questions for your exams at www.preplogic.com. If you still don't score at least 70%
after practicing with these exams or if it takes many tries to achieve a good score, it
might be time to investigate some of the other practice exam resources that are
mentioned in this section.
For any given subject, you should consider taking a class if you've reviewed the
self-study materials, taken the exam, and failed anyway. The opportunity to interact with an
instructor and fellow students can make all the difference in the world. For information
about Microsoft classes, visit the Training and Certification page at
www.microsoft.com/traincert/training/find/findcourse.asp to locate the nearest Microsoft
CTEC that offers courses in which you are interested.
If you can't afford to take a class, you should still visit the Training and Certification
pages because they include pointers to free practice exams, approved study guides, and
other self-study tools. In addition, you should consider investing in some low-cost
practice exams from commercial vendors. The Microsoft Training and Certification
"Assess Your Readiness" page at www.microsoft.com/learning/assessment/default.asp
offers several skills assessment evaluations that you can take online to show you how far
along you are in your certification preparation.
1. Have you taken a practice exam on your chosen test subject? [Yes or No]
If Yes, and if you scored 70% or better, you're probably ready to tackle the real
thing. If your score isn't above that threshold, you should keep at it until you can
easily take the exam with a good passing score.
If No, you should obtain all the free and low-budget practice exams you can find
and get to work. You should keep at it until you can break the passing threshold
comfortably.
When it comes to assessing your test-readiness, there is no better
way than to take a good-quality practice exam and pass with a score
of 70% or better. When we're preparing ourselves, we shoot for 80%
or higher, just to leave room for the "obscurity factor" that sometimes
shows up on Microsoft exams.
We also suggest that you join an active MCSE/MCSA email list or email newsletter that is
relevant to the exam. For example, Sunbelt Software has a weekly e-zine pertaining to
Windows news. You can sign up at www.sunbelt-software.com. You can also find
security-specific mailing lists managed by www.ntbugtraq.com or newsletters and articles
at www.sans.org.
Microsoft exam mavens also recommend that you check the Microsoft Knowledge Base,
which is available on its own CD as part of the TechNet collection or on the Microsoft Web
site, at http://support.microsoft.com. The knowledge base offers information that may
pertain to technical support issues that relate to your exam's topics. These articles are a
result of real-life situations and resolutions for Microsoft products.
Chapter 1. Creating the Conceptual
Design for Network Infrastructure
Security
Terms you'll need to understand:
• Security policies
• Defense in depth
• Least privilege
• Attack surface
• Microsoft Solutions Framework (MSF)
• Security design team
The main reason that people create computer networks is to share information. Today's
networks use highly efficient routers, switches, and servers to relay information around
the world at the speed of light. These systems offer a flexibility of information exchange
that continues to grow and improve. Most companies cannot survive without their
computer networks and the valuable information that the networks contain. Because of
this, companies spend millions of dollars and thousands of man-hours securing this
valuable resource.
In this chapter, we discuss the process of creating the conceptual design to secure a
computer network. In later chapters, we discuss the tools that Microsoft Windows Server
2003 provides; however, in this chapter we focus on the process of securing any
network, regardless of the operating systems used. In particular, we focus on analyzing
business requirements and designing a framework for security within known technical
constraints. After we understand the challenges, we will be better able to understand the
solutions that are provided by Microsoft Windows Server 2003 security features.
Analyzing Business Requirements for Designing
Security
You need to create a balance between the security used on a network and the resources
required to implement, enforce, and maintain that security. You also need to consider
that every additional security measure could have consequences in regard to the
interoperability of computers on the network. For this reason, you must give careful
consideration to all security measures and make certain that the security used is
appropriate for the sensitivity of the data that is being transferred.
Every network is unique and different; therefore, you must understand the needs of a
particular network before you can design its security. You need to consider many factors
when creating a conceptual design for security on a network. The most important factors,
as identified by Microsoft, are
• Security policies
• Organizational requirements
• Security of data
• Security of the network
We now discuss each of these factors and their effect on the conceptual design of our
network infrastructure.
Security Policies
Every organization should have a set of written security policies that govern what can
and cannot be done on its computer network. You need to make certain that these
policies are easy to understand and yet comprehensive enough to cover all types of
security. You should distribute this document to all users and ensure that it is read and
understood by everyone that uses the network. You must also have the users sign that
they have read and understood the document. You may also want to have a separate,
more detailed, document for network administrators.
In addition to the software that you use and the way that you design your network, you
can also apply security policies. There are three general types of security policies of
which you should be aware. These are determined based on their primary method of
enforcement and include
• Administrative policies
• Technical policies
• Physical policies
We now briefly discuss each type of policy and its effect on the analysis of business
requirements for designing security.
Administrative Policies
Technical Policies
Technical policies are enforced by the operating system and its applications. Technical
policies include security templates, which control the actions of users and computers
throughout the network. Security templates can also be applied to only certain groups of
users for more granular control over security. The successful implementation of these
policies depends on the training level of the network administrators and the capability of
the operating system to distribute and control the settings.
Physical Policies
Physical policies are enforced by implementing physical controls on the network. This
might include ensuring that all servers are kept behind locked doors and that all access
to the server room is controlled and monitored. Other physical policies might include the
use of smart cards to gain access to information in the computers. You can also use
biometric security, which requires a person to uniquely identify himself and prove his
identity with some part of his body, such as a fingerprint, handprint, or eye scan.
Successful implementation of these types of policies requires consideration before they
are installed to ensure that the correct level of security is being applied relative to the
sensitivity of the area that is being secured.
Organizational Requirements
In general, an organization will spend the time and money to implement security on a
network because the value of the assets being protected far exceeds the cost to protect
them. Another way of looking at it is that the potential loss from not protecting an
organization's assets far exceeds the cost of implementing and maintaining protection.
Assets might include trade secrets, source code, customer databases, e-commerce
transactions, credit information, medical information, and many other forms of sensitive
data.
The amount of security that an organization needs is a balance between the cost of
implementation of the security and the potential cost and likelihood of each threat. Risk
management is a study of this balance, and takes into account the likelihood of the
threat occurring and its impact if it does versus the cost of implementing the protection
to prevent the threat. Risk management can be used to analyze security options and
choose the appropriate options, as well as to persuade others to spend the money to
prevent future threats. We discuss risk management in greater detail later in this
chapter.
Although every network has unique needs, some principles of security design have
evolved from the experience of many network administrators. You should be aware of
these key principles of security design and incorporate them into your network design.
The key principles of security design are as follows:
• Defense in depth
• Least privilege
• Minimized attack surface
• Security design versus security implementation
We now discuss each of these principles and their relation to establishing organizational
requirements for security.
Defense in Depth
Your network design needs to include multiple layers of protection, referred to as defense
in depth. These layers can include accounts, operations, and security technologies.
Multiple layers have been proven to be much more effective at defending against threats
than single-layer designs, regardless of their individual strength. This is partly because
an attack that has broken through one layer can be detected and countered before the
attacker gains access to sensitive information.
Least Privilege
Each user should have only the bare minimum permissions necessary to gain access to
and use the parts of the network that he needs. This concept, called least privilege, is a
delicate balance because if the user cannot access the resource that he needs, his
productivity will be affected. Alternatively, if a user accesses data that he shouldn't see,
it's impossible to erase that data from his head after he has seen it. You need to give
serious consideration to the permissions that are set on users and on the groups in which
they are members. Do not simply accept the default permissions from the operating
system settings.
An attack surface is a point of entry that an attacker could potentially exploit and thereby
enter the network. You can minimize the number of attack surfaces on your network by
requiring the use of firewalls and proxy servers. A user with a modem connected to the
fax line can create a potential vulnerability to the network without being aware of what
he is doing. You should use security policies to prevent Internet connections that can
create additional attack surfaces.
Virus Story
A student related to us that his company had gone to great lengths to protect its network
from viruses. All servers and client computers had antivirus software installed. This
software was configured to update virus definitions each night. All email messages were
scanned for viruses before being allowed to enter the network. This was an integral part
of the company's security plan.
When a virus entered the network and began to spread, the network administrators were
at first perplexed as to how it could have gotten in the network. They reviewed all of
their security measures and could not find the hole. They decided to keep their eyes and
ears open to see what they could determine.
The moral of the story is, watch out for the user who knows just enough to be
dangerous!
You also need to understand the difference between security design and security
implementation. In the design phase, you identify all of the potential threats to a
network, conduct risk management, and develop security policies based on the needs of
the organization. This should be done within a framework so as not to miss anything. It
should involve a team of individuals from different parts of the organization so that it is
relevant to the organization as a whole.
Security implementation is the by-product of security design. It involves only the network
administrators and the security team. It applies all of the policies and procedures as they
were decided on by the security design team and ensures their implementation and
maintenance. Security implementation might involve rolling out and testing security
templates, setting permissions on files and folders, and delegating permissions to
network administrators for their assigned areas.
Security of Data
If there is one thing that all networks have plenty of, it's data! Data is information in
digital form on the computer or flowing through the network. It can be contained on hard
disks, in RAM, on a variety of other storage media, or simply flowing throughout the
wires of the network. Organizations might have many different forms of data, depending
on their function, but all organizations have basically four types of data on their
networks. You should be familiar with these four types of data and their inherent security
risks:
• Public data
• Internal data
• Confidential data
• Secret data
We now discuss each of these types of data and their inherent security concerns.
Public Data
Public data is information that is made available to anyone who wants access to it. You
might be thinking "How can there be a security risk with public data?" The risk comes in
the form of the identity and prestige of the company if the public data were to be altered
by an attacker. For example, if someone could add pictures or text to a company's Web
site, he could potentially hurt the reputation of that company. Therefore, your design
needs to allow public data to be accessed and read by anyone but to be changed only by
a select few.
Internal Data
Internal data includes reports and information used on a day-to-day basis within an
organization. These reports are not confidential, but the business does rely on the
integrity of the information that the reports contain. An example of internal data is an
expense report template that automatically calculates mileage expense based on the
number of miles entered. There is nothing confidential about the template itself, but if
someone changes the mileage rate from .31 to 3.1, it would most likely cause a few
headaches in accounting! Internal data should only be available to users in the
organization and needs to be protected to maintain the integrity of the data.
Confidential Data
Confidential data is kept private from all but a few internal users. This data might include
payroll information, credit information, medical histories, and other sensitive and private
information. Typically, only a select group of users can access this information and even
fewer users can make changes to it. Your security design needs to allow for the storage
and transfer of confidential data.
Secret Data
Secret data is information that an organization relies on for their very existence. This
includes trade secrets, formulas, recipes, source codes, and other highly sensitive data
that is used to produce a product or service and compete in the marketplace. Secret data
should only be available to a select few and must be protected from unauthorized access
or change. Your security design needs to include provisions for this type of data.
• Physical security
• Computers
• Accounts
• Authentication
• Data transmission
• Network perimeters
We now discuss each of these areas and their impact on the security of the whole
network.
Physical Security
We mentioned previously that the servers on a network should be kept behind locked
doors. Although this is a given, it is only part of the physical security on a network.
Access to a hub, switch, router, or even a cable can represent an attack surface for an
attacker and thereby a network vulnerability. You should use care when routing cables
and hardware and ensure that only authorized personnel can gain access to them. You
can also use fiber-optic cable for sensitive data to significantly reduce the chance of a
wire tap.
Computers
Most computers are inherently nonsecure until you configure and install security
measures. You need to ensure that computers have already been configured for the
proper security to whatever degree is possible before you connect them to a network.
This will keep an attacker from taking advantage of the default security settings during
installation. You need to establish a baseline for security so that you know what the
network is supposed to look like and how it should perform. It's important to make
certain that you are not under an attack when you establish a baseline because the
attack could become part of the baseline, making it harder to detect future attacks.
Accounts
One of the most common security flaws in networks today is the use of weak passwords.
Most people simply don't want to have to remember a complex password. Unless you
force users to use complex passwords, most users will not use them. A complex
password typically has a combination of uppercase letters, lowercase letters, numbers,
and symbols. It forms a "word" or phrase that cannot be found in the dictionary. This
prevents an internal brute force attack, such as a dictionary attack in which one
computer runs through the dictionary until it finds the correct password for another
computer. You can force users to use complex passwords by using technical security
policies. You also must make certain that all administrative account names and
passwords are kept secure.
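As an added example (not code from the book), here is the kind of technical policy that the Technical Policies, Computers, and Accounts sections describe: a constructed Windows security template that enforces complex passwords and account lockout, turns on logon and account-management auditing, and can double as the baseline a machine is later compared against. The file name, the numeric values, and the choice of audit categories are assumptions, not settings the book prescribes.

```ini
; PasswordBaseline.inf (assumed name): constructed security template, not from the book.
; Section and key names are the standard ones used by secedit and the
; Security Templates snap-in; the values are illustrative choices.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password policy: the "technical policy" that forces complex passwords
; instead of relying on users to choose them voluntarily.
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
; Never store passwords with reversible encryption.
ClearTextPassword = 0
; Account lockout: blunts online dictionary guessing against one account.
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
; Logon and account-management auditing give the records needed to notice
; drift from the baseline or a guessing attack in progress.
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
```

A template like this is applied with secedit /configure /db baseline.sdb /cfg PasswordBaseline.inf, and a machine is later checked against the same database with secedit /analyze /db baseline.sdb /log baseline.log, which lists every setting that has drifted from the baseline.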
Authentication
Authentication is the process of proving that you are who you say you are. What happens
when a user types in his password and it is sent into the network for authentication?
Well, if the password is not encrypted during transmission, it could be intercepted and
used by an attacker. Authentication is a necessary service on a network, but you need to
ensure that passwords are secure during the authentication phase. This becomes
especially challenging when users are authenticating remotely, such as over telephone
lines. Your network security design needs to incorporate solutions to these security risks.
Data Transmission
After a user authenticates successfully, it's time to use the network resources. This
means that data is going to flow through the cables so the computers can communicate
with each other. Because most data flow is a series of fluctuations of electric current, it is
easily interpreted by many types of network sniffers unless it is encrypted or further
encapsulated to prevent this sniffing. If an attacker is able to interpret data, such as IP
addresses and computer names, the attacker can make himself look like he belongs on
the network. This is known as spoofing and should be avoided by the use of
countermeasures. Attackers who can interpret data can also read the information
contained in it and even change the information while it is in transit. This data
modification can be damaging to an unsuspecting organization. Your network design
needs to address these types of security vulnerabilities.
Network Perimeters
If you are connected to the Internet, without a firewall or proxy server, the Internet is
connected to you. Most Internet communications open up a pipe of communication
between two or more computers. This means that each computer can get into the other
computer. Under normal circumstances, specified ports are used as logical addresses to
the correct applications and resources in the computer. An attacker uses the pipe to
exploit the connection and attempt access to other ports within the computer. The other
ports might allow the attacker to do anything from turning off critical services and
functions to remotely shutting down the client or server. You must take great care that
the servers and clients that you connect to the Internet are protected from these types of
attacks.
Designing a Framework for Designing and
Implementing Security
As you can see, there are many aspects and considerations that make up a security
design. Therefore, to ensure that the final plan is comprehensive and that nothing is
missed, Microsoft recommends that you use a framework to guide your design decisions.
The Microsoft Solutions Framework (MSF) consists of people, processes, and risk
management. Each part of the framework plays a key role in the overall design. It is
essential that all involved people can communicate effectively. You should involve a
representative sample of management and other users to pull information from many
sources in your organization. These people should be able to assist in aligning technology
solutions with business requirements.
MSF is a suite of guidelines and principles that provide models to build and deploy a
distributed network. It consists of three phases that can each be repeated many times
over the life of a network. The three phases of the MSF are as follows:
• Planning
• Building
• Managing
We now discuss each of the three phases of the MSF and their relationship to creating
and maintaining a comprehensive security design.
Planning
In the planning phase, you need to assess your current security model and policies and
then decide what changes need to be made to fulfill the needs of the organization. This is
the time for all of the people involved to ask for what they need regardless of how it will
be provided. The goal is to create a vision for optimum security for the network. Each
person needs to understand the overall goal and the components to reach the goal. You
should establish a system of measurable metrics to help you stay on track toward the
goal. You might want to meet in a conference room with a white board or flip charts and
any relevant documentation. All ideas should be considered, no matter how far-fetched
they might seem at first.
Each organization has its own unique needs, but some parts of the planning phase are
essential for all organizations. As part of your planning phase, you need to
We now briefly discuss each of these essential pieces of the planning phase.
Your security design team is responsible for creating policies and envisioning how
information will be secured. The more diverse your team is in regard to departments and
rank of individuals, the more comprehensive your design is likely to be. Your design team
needs to include an executive sponsor who can make decisions and who has the
authority to have those decisions carried out. Microsoft recommends that you form a core
team and an extended team to support the core team. Examples of potential members of
the core team are listed in Table 1.1.
Table 1.1. Core Team Members for Security Design Team
Role on Design Team Responsibilities
Product management Align security with business requirements
Program management Manage development
Development Create and deploy security
Test Test and ensure quality control
User education Train staff and ensure usability
Logistics management Manage operations and deployment
The extended team members might not be involved in the design process on a daily basis
but will be used for support and consultation before final decisions are made. The
extended team helps ensure that the overall plan is feasible to implement and relevant to
the organization's needs. Table 1.2 lists the recommended members of the extended
team.
Many attacks on a network are aimed at exploiting a well-known security weakness. Your
security design needs to address these weaknesses and provide measures to avoid
common attacks. Table 1.3 lists the most common security weaknesses on a network as
identified by Microsoft.
Table 1.3. Common Network Vulnerabilities
Vulnerability: Method of Exploitation
Social engineering: The help desk resets a password without verifying the identity of the caller.
Weak security on Internet connections: Open ports and exposed resources exist, are identified, and are used for malicious purposes.
Unencrypted data transfer: Authentication and data are sent in clear text and are intercepted by sniffers.
Modeling Threats
The process of modeling threats during the planning phase involves creating a living
document, one that changes over time, that predicts all of the threats that could come
against the network and highlights the areas of most importance. The design team uses
the living document to prioritize their decision-making process. You can count on the
threats presented against your network to be an ever-changing flow of challenges.
You can use a model to help you predict threats to a network. Many attacks on a network
follow the same pattern. Your design needs to be able to detect, respond to, and prevent
future attacks during each of the following stages of attack:
1. Footprint— At this stage, the attacker is only preparing for the attack. He might
have researched the company through the public Web sites. In addition, he might
have built a relationship with an employee of the company. This is also the stage
at which he might run port scans on all of the accessible computers and other
network devices.
2. Penetration— When he finds a security hole, the attacker tries to take advantage
of the vulnerability. This is the beginning of the actual attack.
3. Elevation of privilege— At this stage, the attacker uses his knowledge of well-
known security vulnerabilities to gain administrative control of the network. He
might, for example, exploit the Local System account to gain control of a process
and use the process to create an account with administrative privileges.
4. Exploitation— After elevated privileges are acquired, the attacker makes a
change on the network. This could be anything that he chooses—from deleting
data and configuration information to defacing the company Web site.
5. Cover-up— At this stage, the attacker is finished and wants to erase any
evidence that he was there. His prime motivation at this stage is to avoid
detection and prosecution.
Unfortunately, it's easier for attackers to come up with new ways to attack your network
than it is for you to protect it. The attacker generally has ample time; because you aren't
expecting him, the attack can go unnoticed for quite some time. In addition, he doesn't
follow any rules or regulations. You, on the other hand, have many tasks to do
throughout the day in addition to protecting your network. In addition, you have to follow
the rules and regulations to protect the privacy of users on your network as outlined by
Legal and HR. Finally, you have a finite amount of funds at your disposal to combat the
attacker.
Because of the challenge of protecting the network, you must use all of the tools at your
disposal to predict the threats. Microsoft recommends that you use the STRIDE threat
model. This model provides a simple method of categorizing the most common security
threats to your organization. There are six categories in the model, but some threats
might belong in more than one category. Table 1.4 lists the categories of the STRIDE
threat model and some examples of each category.
We discussed risk management earlier in this chapter, but it bears repeating. If it costs
more to prevent something from happening than the cost of damage if it were to happen,
it is not worth securing a network against that threat. That seems like common sense
but, because modern technology has given us so many types of hardware and software
to combat threats, we tend to think that we want to combat them all. A risk management
plan analyzes the feasibility of any security design decision based on dollars and cents.
This is done by using a risk assessment formula. This formula helps you make a decision
and makes your decision much easier to "sell" to upper management.
The goal of the risk assessment formula is to estimate the loss of a successful attack and
then multiply that estimate by a percentage indicating the likelihood of the attack. This is
expressed in annualized terms and is referred to as the Annualized Rate of Occurrence.
You can obtain the Annualized Rate of Occurrence from a variety of sources, including
the police departments and computer crime monitoring agencies in your area. You need
to consider all of your costs of losing that asset, including the loss of productivity during
the time it is down and the additional cost to bring it back up to normal operation.
If the cost of protecting against this occurrence is far less than the calculated risk, you
should consider protecting against the occurrence. For example, suppose you are
considering additional virus protection on your Web server. You research the police
records in your area and find that the likelihood of your Web server being attacked with a
virus and brought down is 20%. Furthermore, you find that, on average, a Web
server stays down for about one day after the attack. You estimate a productivity loss for
one day to be at least $20,000. You then add the cost of the time to repair the server
and eradicate the virus, which is another $2,000. Figure 1.1 shows an example of the
risk assessment formula that you could use to determine the amount that you would be
willing to spend to prevent this occurrence.
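Figure 1.1 is not reproduced in this extract. As an added example (not the book's own figure or code), the following Python carries the risk assessment formula described above through the Web server scenario: the cost of one incident (productivity loss plus recovery cost) is multiplied by the annualized rate of occurrence, and the result is compared with the yearly cost of a countermeasure. It also goes one step beyond the text by ranking several threats by expected yearly loss, which is the ordering the living threat document needs. The Threat class, the second sample threat and the control costs are constructed for illustration.

```python
"""Risk assessment calculator for the planning phase.
Added example, not the book's Figure 1.1 or code. It multiplies the cost
of a single incident by the annualized rate of occurrence (ARO) to get the
expected yearly loss, then compares that with the yearly cost of a
countermeasure. Asset names, dollar figures and control costs below are
constructed sample values."""
from dataclasses import dataclass
from typing import List


@dataclass
class Threat:
    asset: str
    downtime_loss: float   # productivity lost while the asset is down ($)
    recovery_cost: float   # cost to repair and bring it back to normal ($)
    aro: float             # annualized rate of occurrence, 0.2 = 20% per year

    def single_loss(self) -> float:
        """Total cost of one occurrence: lost productivity plus recovery."""
        return self.downtime_loss + self.recovery_cost

    def annualized_loss(self) -> float:
        """Expected loss per year: single loss x annualized rate of occurrence."""
        return self.single_loss() * self.aro


def worth_protecting(threat: Threat, annual_control_cost: float) -> bool:
    """A countermeasure is justified only when it costs less per year than
    the loss it is expected to prevent."""
    return annual_control_cost < threat.annualized_loss()


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Order threats for the living threat document, highest expected loss first."""
    return sorted(threats, key=Threat.annualized_loss, reverse=True)


# Constructed figures matching the Web server scenario in the text:
# 20% yearly likelihood, $20,000 productivity loss, $2,000 to clean up.
WEB_SERVER_VIRUS = Threat("Web server virus outage", 20_000, 2_000, 0.20)
# A second, constructed threat so prioritize() has something to rank.
FILE_SERVER_DISK = Threat("File server disk failure", 5_000, 1_500, 0.50)


if __name__ == "__main__":
    for t in prioritize([FILE_SERVER_DISK, WEB_SERVER_VIRUS]):
        print(f"{t.asset}: single loss ${t.single_loss():,.0f}, "
              f"expected yearly loss ${t.annualized_loss():,.0f}")
    for cost in (3_000, 6_000):
        verdict = "justified" if worth_protecting(WEB_SERVER_VIRUS, cost) else "not justified"
        print(f"Antivirus at ${cost:,}/yr for the Web server: {verdict}")
```

With the figures from the text, one incident costs $22,000 and the expected yearly loss is $4,400, so a $3,000-per-year antivirus subscription is justified while a $6,000 one is not. The ARO is the input most worth challenging in review, because the whole decision scales with it.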
Building
As you can imagine, the people responsible for building the security design are not the
same people who were involved in the planning phase. In the building process,
experienced network administrators, security specialists, and consultants use the
hardware and software at their disposal to attempt to create the security that the
security design team has envisioned.
These administrators create, deploy, and test security templates and policies. This phase
is usually performed in a testing lab to assess the impact of security decisions before
placing them into a production environment. This is done to protect the productivity of
the workers. After successful completion in a lab, the templates should be rolled out in
phases. You should use a test group to ensure that you haven't missed anything in the
lab before rolling the security out to the whole network. Knowledge of what is available
and how it relates to network security is the key component in the building phase.
Managing
After implementation of the security design, you are responsible for managing the design
to ensure that it provides the security that was envisioned by the security design team.
Some of their desires might have been found to be impossible or infeasible, but those
that were implemented are now yours to manage. If the network was never going to
grow or change again, this would be relatively simple. However, because the network is
constantly changing and growing, you must make certain that each change is carefully
considered in regard to its impact on your new security design. As mentioned previously,
a flaw in one area of the network can affect the entire network.
The help desk generally provides end-user support, but you are responsible for
monitoring the network to ensure that the new policies are being enforced. You will likely
detect security vulnerabilities and use the system's features to better protect the
network. You need to inform the appropriate managers of any misuse of the network to
ensure that the policies are enforced. Success in this phase depends on constant
monitoring and taking personal responsibility for the security of the network.
Analyzing Challenges of Designing Security
If each component of the network functioned in a vacuum, separate from all other
components, security would be much easier to implement. One of the greatest challenges
of network security is that anything can potentially affect everything. The more we
understand about our network and the interoperability of the components that make up
our network, the better we will be at providing the correct security measures.
Another component that provides a challenge in designing security is the users
themselves. People are independent and sometimes unpredictable. Because most users
know very little about the computers on which they work, you have to make certain that
you protect the network against the innocent actions of users that could cause a
vulnerability. As mentioned previously, a user with a modem on a fax machine line could
circumvent your entire remote access policy.
Finally, some users purposely attack a network from within the organization itself. You
need to have security policies in force that monitor, detect, and prevent future attacks.
You must make it a priority to keep the network functioning well for the users who
depend on it. The productivity of your organization is at stake.
Although each network has its own unique set of security needs, all networks are secure
or nonsecure because of their policies and procedures for security. We can learn from the
mistakes of others to create a more secure network. The following are the most common
reasons, as identified by Microsoft, that security policies fail on a network:
• Not enforced
• Difficult to read
• Difficult to find
• Outdated
• Too vague
• Too strict
• Not supported by management
In the following sections, we briefly discuss each of these reasons for failure and how you
can avoid them in your security design.
Not Enforced
If you create a written security policy and have each of the users sign off on it, you must
enforce the policy when someone violates it. People tend to disregard a policy when they
see that no one is enforcing it. This creates a credibility issue that can have a
tremendous impact on your ability to enforce future policies. The bottom line is that the
offenders must be punished based on the terms of the policy. If this is not possible, the
policy needs to be adjusted to reflect some type of punishment that is enforceable.
Difficult to Read
Because IT, Legal, and HR should all be involved in producing a security policy, the
language of the policy could get very confusing if you're not careful. Remember that
users can't abide by an agreement that they can't understand. You should make every
attempt to create a policy that is relative to the organization's requirements yet concise
and simple for the users to understand and follow. Each user needs to be given a copy of
the security policy and must sign that he has read and understood it. Managers can
answer any questions that employees have before signing the policy. This also makes the
policy much easier to enforce when needed.
Difficult to Find
Policies that are stored in some obscure location known only to upper management are of
little use to the organization. Each user needs to have his own copy of the policy
complete with his signature. In this way, no one can say that he forgot or that he
couldn't find it for reference.
Outdated
Security policies need to be updated at least once per year. Policies that are not kept up
to date will become irrelevant as business practices and technologies change. Each
update must be distributed and signed off by all users of the system.
Too Vague
If your security policy leaves details open for interpretation, some users might
misunderstand a policy and inadvertently create a security vulnerability. Also, if you
haven't explicitly defined your security policies and procedures, it will be difficult to build
a template that rolls them out with consistency. Each manager might interpret his own
template based on your vague policy. For these reasons, security policies need to be as
specific as possible and leave little to one's interpretation.
Too Strict
A policy that issues a threat that is not likely to be carried out tends to be ignored by
employees and management. For example, if your policy states that "Any violation of this
agreement, intentional or otherwise, will result in the immediate termination of the
offender," will you enforce the policy if an executive accidentally violates the agreement?
If you can't or won't enforce a policy, it is of no use. For this reason, take care when
producing a policy to equate the potential punishment with the crime. Involve HR to
determine the appropriate response.
So now that we've talked about what "not to do," let's focus on what we should do in
regard to producing a comprehensive, concise, and feasible security policy. In addition to
what we have mentioned previously, each security policy should have the following
features:
Business Continuity
Remember that the main goal of the security policy is to keep the network secure so that
the users can remain productive. The bottom line of business continuity in a policy is
always productivity of the users. If your security policy hampers productivity in any way,
it is a detriment to the network instead of an asset. Remember that the policy was
formed because of what might happen, but if it causes a problem, it's worse than the
potential problem it was designed to prevent. Your policy should, in most cases, be
transparent to users in regard to their ability to do their jobs.
Incentives
Consider rewarding employees for abiding by the policies and for bringing a security hole
or security violation to your attention. Alternatively, you might make an employee's
bonus contingent on following all security policies and procedures.
Technology offers its own challenges. Depending on the computer systems that we are
using, we can have more or less control over the enforcement of security policies.
However, there are many security challenges related to technology that are present in all
networks. Technology challenges that all network administrators face include
We now briefly discuss each of these technical challenges and their relation to the overall
concept of security design for the network. As mentioned previously, we discuss the tools
that Windows Server 2003 provides to meet these challenges in the next chapter and
throughout the rest of this book.
Securing User Accounts and Passwords
Attackers will find whatever opportunity presents itself to begin to gain access to a
network. This may include guessing a user's password or watching the user type the
password. Training users on the proper use of passwords is the first step to stronger
security on a network, but you should also consider forcing users to use complex
passwords and to change their passwords frequently. Your security design needs to
include guidelines for usernames and passwords.
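The text recommends forcing users to choose complex passwords. As an added example (not code from the book), the following Python implements a check modelled on the Windows "Password must meet complexity requirements" policy: a minimum length, characters from at least three of four character classes, and no occurrence of the account name or of any part of the user's full name longer than two characters. The function names, the minimum length default and the sample users are constructed for illustration.

```python
"""Password complexity check modelled on the Windows complexity policy.
Added example, not code from the book. Rules implemented:
  - at least min_length characters (6 is the Windows default)
  - characters from at least 3 of 4 classes: upper, lower, digit, other
  - must not contain the account name, or any part of the full name
    longer than two characters (compared case-insensitively)
Sample users and passwords below are constructed."""
import re
from typing import List


def character_classes(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(present)


def name_tokens(full_name: str) -> List[str]:
    """Split a display name on the separators the Windows filter uses
    (comma, period, hyphen, underscore, space, #, tab) and keep the
    tokens longer than two characters."""
    return [t for t in re.split(r"[,.\-_ #\t]+", full_name) if len(t) > 2]


def check_complexity(password: str, account_name: str,
                     full_name: str = "", min_length: int = 6) -> List[str]:
    """Return the list of policy violations; an empty list means the
    password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than 3 of 4 character classes")
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        problems.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            problems.append(f"contains part of the full name ({token})")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    for candidate in ("password", "jDoe2004", "Winter2004!"):
        result = check_complexity(candidate, "jdoe", "John Doe")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

A check like this belongs in the enrollment path and in the help desk's reset procedure, not only in the written guideline; the operating system's own policy setting is what actually enforces it, and this code simply makes the rule visible so the policy text and the technical control say the same thing.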
Securing Computers
Your security design needs to have guidelines and provisions for securing each computer
role. Roles include domain controllers, member servers, clients, file and print servers,
application servers, and Web servers, to name a few. You need a consistent policy that
"locks down" these computers to an appropriate extent based on their role in the
network.
File servers store user data, some of which is sensitive. Your security policy needs to
establish the correct permissions for each file and folder based on a user's role or job
requirements. This security should be transparent to the user as long as he is doing what
his job requires. The security should become very apparent to the user if he decides to
try to access files and folders that he has no need to see or use.
One area that is often overlooked is that of the print server. If a confidential document is
sent to a print server, there are several potential security vulnerabilities. The most
obvious is the hard copy of the document coming off of the print device, but you need to
also consider the print server's spool as well as the network cables themselves. Your
security design needs to have guidelines for the printing of confidential and secret
documents.
Some print devices and faxes have a feature that holds a document before printing it until the correct password is entered locally on the device. You should consider this feature for confidential and secret documents.
You have two challenges when securing communication between two computers. The first
is "How do you know that I am who I say I am?" (because you can't actually see me).
Your security design should address authentication, which is the process of one entity
proving that it is who it says it is. The second is "Now that we know each other, how do
we send information so that no one else sees it?" Your security design needs to also
address encryption, which is the process of scrambling data so that no one but the
intended recipient can interpret it. We discuss encryption technologies in detail in
Chapter 2, "Creating the Logical Design for Network Infrastructure Security."
modem is used to dial another modem. Another method that uses the PSTN is a virtual
private network (VPN) connection in which the user connects to the Internet to make the
connection to an organization's remote access server. As you might imagine, these shifts
in technology cause the use of a totally different set of protocols, which are the rules that
govern the communications. Your security design needs to address remote access and
the protocols that are used to secure data transmissions from outside of the network.
Remote offices are generally connected to each other with routers. Modems might also
be used for a small remote office or for a backup line of a larger, remote office. Because
the Internet is inherently nonsecure, organizations use either leased private lines or
tunneling protocols that create a VPN through the Internet. These protocols can provide a
variety of security features depending on the type of tunneling protocol used. The most
common tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer Two
Tunneling Protocol (L2TP). We discuss each of these in much greater depth in Chapter 4,
"Creating the Physical Design for Network Infrastructure Security." Your security design
needs to specify the correct tunneling protocol based on the needs of your organization.
The challenge of providing access to the Internet is in giving your users access out to the
Internet while at the same time controlling the Internet's access back into your network.
You can use devices such as firewalls to create screened subnets that control traffic to
and from your network. You should consider Network Address Translation (NAT) to allow
users to access the Internet without revealing the internal addressing scheme on your
network. NAT also allows many users to connect to the Internet simultaneously and
independently using only one registered address. You can also use a proxy server to
make the connection on behalf of the client, and thereby provide NAT as well as a cache
of address information that you and clients can use. Proxy servers can also control a
user's access based on group memberships, sites accessed, or even time of day. Both of
these devices help to minimize your attack surface. Your network design needs to include
the use of a proxy or NAT for Internet access. We discuss remote access in detail in
Chapter 7, "Creating the Physical Design for Client Infrastructure Security."
Whereas access to the Internet is from the "inside going out," access from the Internet is
from the "outside going in." Users who are on the outside of the organization might need
access to resources that are on the inside. Your security design needs to provide them
access to the resources just as if they were at their own desk, although it might be much
slower due to limited bandwidth. You can accomplish this using firewalls and by requiring
that authentication and encryption protocols are used on all connections. Your security
design needs to force the use of these protocols whenever possible.
Sometimes, you might want to allow another organization to see some of your network
resources. You might do this to provide a service for your customer. This creates a
network referred to as an extranet. For example, you might want to allow a manufacturer
to which you supply parts to view your inventory and place orders through the Internet.
They might even use a computer software program that makes the process automatic at
defined levels. It's important that you can authenticate the manufacturer to make sure
that you aren't giving your competition a view of your inventory. It's also important that
the manufacturer is limited to accessing only that which you define. Your security design
needs to incorporate guidelines for managing extranets when needed.
Exam Prep Questions
Case 1: BFE Inc.
BFE Inc. is a medium-size software development company in Birmingham, Alabama.
Administrators at BFE have recently become concerned with the overall security of their
network. You have been hired as a consultant to recommend a new design to ensure the
security of BFE.
BFE has several servers spread across three main locations, including Birmingham,
Atlanta, and Jacksonville. In addition, they have one satellite office with 10 clients but no
servers. All administration is conducted from Birmingham.
BFE has many security questions in regard to the physical and logical security of their
network and the data that it contains. They want you to develop a plan that includes
security policies and a framework to make certain nothing is missed.
Q1 Which type of security policies will you enforce with the software that you
recommend?
• A. Administrative
• B. Physical
• C. Technical
• D. Insurance
A1: Answer C is correct. Technical policies are enforced by the operating systems and
applications of a network. Administrative policies are enforced by management;
therefore, answer A is incorrect. Physical policies are enforced by locks, cameras,
and smart cards; therefore, answer B is incorrect. Insurance policies are not part of
network security; therefore, answer D is incorrect.
A2: Answers B and D are correct. Written policies and well-known rules make up the
administrative policies in an organization. A security template enforced by the
system is part of a technical policy; therefore, answer A is incorrect. A lock on a
server room door is part of a physical policy; therefore, answer C is incorrect.
Q3 Which key principle of security design uses multiple layers to enhance security?
A3: Answer B is correct. Defense in depth uses multiple layers to enhance security. If
one layer is breached, the other layers allow the detection of the attacker.
Minimized attack surface refers to reducing the physical and logical areas of
vulnerability on a network; therefore, answer A is incorrect. Least privilege refers to
a method of assigning the least permissions possible to each individual; therefore,
answer C is incorrect. Security design versus security implementation refers to the
assignment of individuals to design and then to build the security; therefore,
answer D is incorrect.
Q4 Which are examples of the use of the key principle of minimized attack surface?
(Choose two.)
A4: Answers A and D are correct. Minimizing the attack surface is a process of taking
away targets of opportunity for the attacker. A security group that can back up but
cannot restore is an example of least privilege; therefore, answer B is incorrect.
Involving many different departments and ranks of individuals in your security
design is an example of security design versus security implementation; therefore,
answer C is incorrect.
Q5 Which type of data can only be changed by a select few but used by any individuals
within your organization?
• A. Public
• B. Confidential
• C. Secret
• D. Internal
A5: Answer D is correct. Internal data can be used by any person within the
organization, but must be kept secure from change except by a select few. An
example is an employee expense report template. Public data can be used by
anyone in the organization or outside the organization; therefore, answer A is
incorrect. Confidential data is secured from the view of most individuals; therefore,
answer B is incorrect. Secret data is reserved for only a select few in an
organization; therefore, answer C is incorrect.
A6: Answers B and C are correct. Confidential data is data that should only be seen by
a few individuals. This type of data is usually secured to protect an individual's
privacy. An expense report template is an example of internal data; therefore,
answer A is incorrect. The source code for the software that the company produces
is an example of secret data; therefore, answer D is incorrect.
Q7 Which phase of the Microsoft Solutions Framework (MSF) should involve as many
departments as possible and should encourage all ideas?
• A. Planning
• B. Building
• C. Managing
• D. Consulting
A7: Answer A is correct. The planning phase should involve many different departments
and groups of people. The purpose is to get all ideas out in the open. The building
phase only involves administrators and security experts; therefore, answer B is
incorrect. The managing phase only involves administrators and security experts;
therefore, answer C is incorrect. Consulting is not a phase of the Microsoft Solutions
Framework (MSF); therefore, answer D is incorrect.
Q8 Which are examples of activities performed in the planning phase? (Choose two.)
A8: Answers A and C are correct. Creating a security design team and modeling threats
are part of the planning phase. Creating security templates is part of the building
phase; therefore, answer B is incorrect. Configuring changes in the firewall is part
of the building or managing phase; therefore, answer D is incorrect.
Q9 In which type of threat does the attacker attempt to appear to belong on the
network?
• A. Denial of Service
• B. Spoofing
• C. Tampering
• D. Repudiation
A9: Answer B is correct. Spoofing is the process of an attacker attempting to gain and
use information, such as IP addresses and/or computer names, so as to appear to
belong on the network. Denial of Service attacks attempt to tie up computer
resources so they can't function; therefore, answer A is incorrect. Tampering is an
attempt by the attacker to change data and/or configuration on the system;
therefore, answer C is incorrect. Repudiation is an attempt by an attacker to use
the network for a resource and then later deny that he did; therefore, answer D is
incorrect.
Q10 Which are reasons that security policies fail as identified by Microsoft? (Choose
two.)
• A. Too simple
• B. Not enforced
• C. Not vague enough
• D. Too strict
A10: Answers B and D are correct. Security policies should be simple to read and
understand yet comprehensive and specific. They should also be enforceable based
on the terms expressed in the policy itself. A policy that is too strict is difficult to
enforce. Security policies do not fail because they are too simple; therefore, answer
A is incorrect. Security policies should not be vague; therefore, answer C is
incorrect.
Chapter 2. Creating the Logical Design for Network Infrastructure Security
Terms you'll need to understand:
When you communicate over the computer with another person, you make the
assumption that you are communicating directly with that person and that no one else is
involved in the communication. However, you can't see the other person or the
communication path from your computer to hers. You don't know if you are
communicating with her or with someone else pretending to be her. In addition, you
don't know whether someone else has intercepted the communications and changed
what was said. It's essential for businesses to be able to rely on their communications
with other entities; therefore, you need to be familiar with systems that increase the
reliability of communications.
In this chapter, we discuss a system that enables you to protect the security of
communications in your organization. A Public Key Infrastructure (PKI) is a combination
of hardware, software, encryption protocols, and technologies that allow you to ensure
that you are "talking" to the person or organization that you appear to be and that no
one else is "listening in." We also discuss an authentication protocol—Kerberos—that is
built in to Windows Server 2003. This protocol allows a user or computer in your Active
Directory to prove its identity and use the resources provided by the network. In
addition, we discuss trusts, which are the communication links that tie domains and
forests together. Finally, we discuss the establishment of accounts and passwords to
maintain security in a Windows Server 2003 Active Directory environment.
Designing a Public Key Infrastructure (PKI) That
Uses Certificate Services
If you want to make certain that someone is who he says he is, he needs to have
something that he can use to prove it. PKI provides a system of keys that allows an
entity to prove its identity over a communications link. These keys are contained in
certificates, which are exchanged between users and trusted resources. You can use
certificates and a PKI to manage security credentials of users within your network as well
as users outside of your network. Designing your PKI includes the following elements:
• Digital certificates
• Public key
• Private key
• Certification authority
In the following sections, we briefly discuss each of the components of PKI and their
function in the hierarchy.
Digital Certificates
Digital certificates are the foundation of PKI. They are the key holders that allow the
system to function. A digital certificate contains a public key that uniquely identifies the
owner.
Public Key
A public key is an encryption key that is unique to a user. It can be provided through the
user's organization or through a trusted third party such as VeriSign. The public key is
used to encrypt data but cannot be used to decrypt data. The public key can also be used
to verify that a message came from the apparent sender.
Private Key
A private key is held by the user of the public key. The two keys make up a key pair. The
user's private key can be used to decrypt any data that is encrypted with the user's
public key. The user's private key is the only key that can decrypt this data.
You can use the Certificates snap-in to manage and audit digital certificates. Figure 2.1
shows a Microsoft Management Console (MMC) with the Certificates snap-in installed.
You can also install the Certificate Services snap-in on a server to issue and track
certificates and revoke them, if necessary. Figure 2.2 shows the MMC with the Certificate
Services snap-in installed. Finally, you issue certificates using Internet Explorer and the
http://localhost/certsrv site. Figure 2.3 shows Internet Explorer on the certsrv
site.
Figure 2.1. You can use the Certificates snap-in to manage and
audit digital certificates.
Figure 2.2. You can track certificates and revoke them using the
Certificate Services snap-in in the MMC.
Figure 2.3. You can issue certificates using Internet Explorer.
Certification Authority
A certification authority (CA) is the trusted entity or service that issues digital
certificates. This can be a trusted third party, such as VeriSign, or servers in your
organization that have the tools installed.
Servers can be configured as enterprise CAs or as standalone CAs. Enterprise CAs require
the presence of Active Directory and can issue certificates automatically by referencing
Active Directory. In other words, if you have an account, you can get a certificate as well.
Standalone CAs require an administrator to monitor the requests and either approve or
decline the issuance of all certificates.
Because the public keys are supposed to be public, you need a directory service to store
this information and make certain that it is available to others. A user's key, which you
can use to send the user information in encrypted form so that the user is the only one
who can read it, should be published so that anyone who wants to use the key can do so.
With enterprise CAs, Active Directory provides the publication point. With third-party
CAs, certificates are published through services on the Internet.
Public Key–Enabled Applications and Services
Many applications and services use public keys to ensure the reliable and secure transfer
of information. These applications and services use protocols that automatically make
use of the public and private keys so that the process is almost transparent to the end
user. Table 2.1 shows the most common public key–enabled applications and their use
on a network.
A certificate revocation list (CRL) is a list of certificates that have been revoked before
reaching the scheduled expiration date. This may have happened for a variety of
reasons, including misuse of the keys, fraudulent information, or simply a change in the
company that requires a new identity. The CRL should be published whenever it is
changed to ensure the security of the network. Figure 2.4 shows the Certificate Services
tool that you can use to revoke certificates.
Figure 2.4. You can use the Certificate Services tool to revoke
certificates.
Designing a Certification Authority Hierarchy Implementation
Now that you understand the components that make up PKI, let's talk about how you can
organize the CAs to ensure security while allowing them to function as efficiently as
possible. CAs are generally arranged in a hierarchical design. This means that one CA
trusts another CA to issue certificates to the end users. The top CA is referred to as the
root CA. The only certificates that the root CA issues are to other CAs, called subordinate
CAs. In other words, the root CA issues and maintains certificates for subordinate CAs,
but does not issue certificates to end users. Figure 2.5 illustrates a CA hierarchy. In this
figure, CA1 issues certificates to CA2 and CA3, which, in turn, issue certificates to the
end users.
A company can arrange a hierarchy in many ways. The three most common hierarchical
designs used for internal CAs are as follows:
• Geographical
• Organizational
• Functional
We now discuss the three most common hierarchical designs for internal CAs and their
relation to the function and the security of a PKI.
Geographical
If your company has many different locations or regions, you might consider a
geographical design for your CA hierarchy. In this case, you need to set up a CA in each
region for the express purpose of issuing certificates to other CAs in that region, which
issue certificates to end users. This method provides granular control of security in each
of the regions of your company. Figure 2.6 illustrates a geographical hierarchy of CAs.
The East server issues certificates to all of the other servers in the East region (E2 and
E3), and they issue certificates to the end users.
Organizational
Functional
In very large companies, each function of the PKI is a "full-time job" for one server. In
this case, a hierarchical design based on the function of the servers to the end users
might be appropriate. Figure 2.8 illustrates a CA hierarchy that is based on function. The
secure email server, SE1, issues certificates to all servers that issue email certificates to
end users. Other servers would be used to issue certificates for other functions.
his way up the chain before he can penetrate your security. In this way, the hierarchical
design itself provides a security mechanism.
You must ensure that an attacker cannot start at the top of the chain, which would give
him total control of the whole hierarchy. You can accomplish this in one of two ways:
If the whole hierarchy's chain of authority and trust flows straight to the top, so does the
chain of vulnerability that the attacker might try to exploit. If the attacker were able to
penetrate your root CA and become trusted, he would then be trusted by all of the
subordinates. For this reason, you should remove the root CA from your network as soon
as you have created the subordinate CAs that will issue certificates. You can disconnect
the root CA and remove the network interface card (NIC). In this case, you could issue
new certificates using a floppy disk between the removed root and the new subordinates.
Alternatively, you could leave the NIC in the server but only connect the server when you
need to create a new subordinate CA or renew a subordinate CA's certificate. Remember,
the root CA does not issue certificates to end users, only to subordinate CAs.
You can allow a trusted third party, such as VeriSign, to issue the certificates for your
servers or even for your end users. In this way, you do not expose your own security
vulnerabilities to an attacker. The trusted third party is responsible for verifying your
identity and/or the identity of your users or other trusted parties and issuing the
appropriate certificates. In other words, our servers trust someone because someone
that we trust trusts them! Later in this chapter, we discuss using a trusted third party to
issue certificates in greater detail.
If you host your own internal CAs, you decide what is required for proof of identity. If
you decide to use a third party, you also use their rules. The exact process varies based
on the CA and its policies, but can be outlined in the following six steps as defined by
Microsoft:
• Generate a key pair— Either the applicant generates his own public and private key
pair, or he is assigned a key pair by some other authority in the organization.
• Request the certificate— The applicant receives the CA's public key and generates
a request containing his own public key and all of the required information. He
secures this request by encrypting it with the CA's public key as instructed by the
CA.
• Verify the information— The CA reviews the information that the applicant has
provided and decides whether it will issue the certificate based on its own policies
and procedures.
• Create the certificate— The CA creates a digital document that contains the
applicant's public key. The CA signs the document with its own private key,
thereby authenticating the binding of the applicant's public key to the applicant's
name.
• Send or post the certificate— The CA sends the new certificate to the applicant
and/or posts the certificate in a directory.
As we discussed previously, there are two general types of CAs. The decision-making and
distribution processes of a CA are determined by its type. The two general types of CA
requests are as follows:
• Standalone CA requests
• Enterprise CA requests
In the following sections, we discuss each type of CA and the distribution process that it
uses.
Standalone CAs
A standalone CA does not require the presence of Active Directory because it does not
use Active Directory to make decisions in regard to issuing certificates. When a user
submits a request to a standalone CA, such as through a Web site, the request is
considered pending until the CA administrator reviews that request and either approves
or rejects the issuance of a certificate. After the CA administrator reviews the request
and makes a decision, the applicant is then notified as to the status of his certificate
request. Some organizations provide a Web site called the Certificate Services Web page
so the applicants can check the status of certificates.
Enterprise CAs
You might wonder why, if the user is already logged on to a domain in your Active
Directory, he needs a certificate. The reason is because different services authenticate a
user in different ways. You use certificates in addition to or instead of other methods of
authentication that we discuss later in this chapter. The point is "If I would authenticate
you in any way, I should be willing to authenticate you with a certificate as well." That's
the premise that enterprise CAs use to issue certificates.
Enterprise CAs issue certificates to users when the administrator uses the Certificate
Request Wizard, which you start from the Certificates console. This allows the choice of
many different certificate types, such as secure email and secure Web. Figure 2.9 shows
the Certificate Types screen in the Certificate Request Wizard.
Figure 2.9. You can launch the Certificate Request Wizard from the
Certificates console.
Alternatively, a user can request a certificate by connecting to the certificates Web site at
http://servername/certsrv, where servername is a server with Certificate Services
installed. Figure 2.10 shows a certificate request through the certsrv Web site.
Figure 2.10. You can request certificates from the certsrv Web
site.
Finally, you can use Group Policy to configure the CA so that computers can
automatically request and receive certificates without user intervention. This automatic
enrollment can be configured for use with all Windows 2000 and later clients and servers.
Figure 2.11 illustrates the configuration of autoenrollment of certificates in Windows
Server 2003 Group Policy.
You might decide to revoke a certificate before the certificate expires. This might be
necessary because of a change in your relationship with that entity or because you have
discovered new information about them. Revoking a certificate might also be required
because of a security-related event. Common reasons that Microsoft lists for revoking a
certificate include
When you decide to revoke a certificate, you must get the news out to all of the servers
as soon as possible. This is accomplished using the Certification Authority snap-in to
publish a CRL. Servers review the CRL before allowing the use of a certificate to make
certain that the certificate that is being presented to them is not on the CRL. If the CRL is
not available, certificates cannot be verified and all access is denied. How often you
publish the CRL depends on a balance between your resources of bandwidth and server
load and your need to have the most accurate CRL at all times. In other words, the more
often you publish the CRL, the more up-to-date it will be, but the more resources you will
use. One of the benefits of Windows Server 2003 PKI is that only the changes to the CRL
are replicated, not the entire CRL. This saves bandwidth, and improves accuracy because
the list can be replicated more often.
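The issuance steps listed earlier in this section (the CA signing a document that binds the applicant's public key to his name), the root-to-subordinate-to-end-user chain of the CA hierarchy, and the CRL check described in the paragraph above, worked through as an added Go example. This code is not from the book and is not Windows Certificate Services; it uses Go's standard crypto/x509 package, and the CA names, serial numbers and e-mail addresses are constructed placeholders. The relying server fails closed when no CRL has been published and refuses a CRL that has passed its NextUpdate time, which is the "balance" the text describes between publication frequency and accuracy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Hierarchy is a constructed chain, root CA1 -> subordinate CA2, plus CA2's CRL.
type Hierarchy struct {
	RootCert, SubCert *x509.Certificate
	rootKey, subKey   *ecdsa.PrivateKey
	revoked           []pkix.RevokedCertificate
	crlDER            []byte // nil until CA2 first publishes a CRL
}

// sign: the CA wraps the applicant's public key in a document and signs it with its own private key.
func sign(tmpl, parent *x509.Certificate, pub any, caKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))
	return must(x509.ParseCertificate(der))
}

func template(serial int64, cn string, years int, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	if ca { // a CA key signs certificates and CRLs, nothing else
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// NewHierarchy: the self-signed root issues CA2's certificate and nothing else.
func NewHierarchy() *Hierarchy {
	h := &Hierarchy{rootKey: newKey(), subKey: newKey()}
	root := template(1, "CA1 (root)", 10, true)
	h.RootCert = sign(root, root, &h.rootKey.PublicKey, h.rootKey)
	h.SubCert = sign(template(2, "CA2 (subordinate)", 5, true), h.RootCert, &h.subKey.PublicKey, h.rootKey)
	return h
}

// IssueUser: CA2 issues an end-user certificate; the applicant generated the key pair itself.
func (h *Hierarchy) IssueUser(serial int64, email string) *x509.Certificate {
	return sign(template(serial, email, 1, false), h.SubCert, &newKey().PublicKey, h.subKey)
}

// Revoke lists the certificate and republishes the CRL at once, signed by CA2.
func (h *Hierarchy) Revoke(c *x509.Certificate) {
	now := time.Now()
	h.revoked = append(h.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	crl := &x509.RevocationList{Number: big.NewInt(int64(len(h.revoked))), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: h.revoked}
	h.crlDER = must(x509.CreateRevocationList(rand.Reader, crl, h.SubCert, h.subKey))
}

// Validate is the relying server's check: chain up to the trusted root through
// CA2, then consult CA2's CRL. No CRL, or a stale one, means access is denied.
func (h *Hierarchy) Validate(c *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.RootCert)
	inters.AddCert(h.SubCert)
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return err
	}
	if h.crlDER == nil {
		return errors.New("CRL not available: access denied")
	}
	crl := must(x509.ParseRevocationList(h.crlDER))
	if err := crl.CheckSignatureFrom(h.SubCert); err != nil {
		return err // a CRL not signed by the issuing CA is worthless
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale: fetch a fresh copy before trusting it")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return errors.New("certificate revoked on " + r.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}
```

Usage: build the chain with NewHierarchy, issue end-user certificates with IssueUser, and call Validate from the relying side; Validate returns an error until Revoke (which publishes the first CRL) has run at least once, and returns a revocation error for any certificate that Revoke has listed. The root key is used exactly twice, for its own certificate and for CA2's, which is why the text can recommend taking the root off the network afterwards.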
Each CA server can maintain its own audit trail. The audit trail can be viewed using the
Certification Authority snap-in. It records all of the certificate requests and the issued
certificates that are still active. You can query the audit trail for information about any
certificate request or any certificate that has been issued. It includes certificates that are
pending, failed, issued, and revoked. The audit trail may be required to meet the security
obligations of your organization's policies.
password, he can control the network and its resources. You should establish strong
account policies to ensure that passwords are protected.
The details of account policy settings are the decision of each domain administrator.
Some domains may require more stringent security than others. The account policies
that you set at the domain level apply to all of the users and computers in your domain.
The three main groups of account policies are as follows:
• Password policy
• Account lockout policy
• Kerberos V5 policy
Account policies set at the domain level apply to all users and
computers in the domain, regardless of organizational unit (OU)
settings. This is an exception to the normal processing of Group Policy
objects (GPOs).
Password Policy
Your password policy determines the strength of your passwords. You can require a
defined level of complexity, a minimum password length, and a maximum password
lifetime, among other settings. The stronger your passwords are, the stronger the
security of your domain is.
If someone knows your username and if your password is something that can be
guessed, a person could keep guessing your password until he gets it right, unless
something locks him out after a certain number of tries. You can set the number of
guesses as well as the amount of time that a person is locked out before he can try
again. Keep in mind that if someone tries to guess your password and gets locked out,
you are then locked out too!
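The lockout behaviour just described, as an added Go model that is not from the book and is not Windows code. The three settings it applies (the number of bad guesses allowed, how long the account then stays locked, and how long a run of bad guesses is remembered before the counter resets) and the sample password are assumptions chosen for the example; the model also treats a threshold of 0 as "never lock out". It shows the side effect the text warns about: after someone else's guesses lock the account, the owner's correct password is refused until the lockout expires.

```go
package main

import (
	"fmt"
	"time"
)

// LockoutPolicy holds the three settings the text refers to: how many bad
// guesses are allowed, how long the account then stays locked, and how long a
// run of bad guesses is remembered before the counter resets.
type LockoutPolicy struct {
	Threshold    int // 0 means "never lock out"
	Duration     time.Duration
	ResetCounter time.Duration
}

// Account tracks one user's lockout state. Password is a constructed sample.
type Account struct {
	Password    string
	badCount    int
	firstBad    time.Time // start of the current observation window
	lockedUntil time.Time
}

type Result int

const (
	Success Result = iota
	WrongPassword
	LockedOut
)

// Attempt applies the policy to one logon attempt made at time now. While the
// account is locked, even the correct password is rejected.
func (a *Account) Attempt(p LockoutPolicy, guess string, now time.Time) Result {
	if now.Before(a.lockedUntil) {
		return LockedOut
	}
	if !a.firstBad.IsZero() && now.Sub(a.firstBad) > p.ResetCounter {
		a.badCount, a.firstBad = 0, time.Time{} // observation window expired
	}
	if guess == a.Password {
		a.badCount, a.firstBad = 0, time.Time{} // a good logon clears the counter
		return Success
	}
	if a.badCount == 0 {
		a.firstBad = now
	}
	a.badCount++
	if p.Threshold > 0 && a.badCount >= p.Threshold {
		a.lockedUntil = now.Add(p.Duration)
		a.badCount, a.firstBad = 0, time.Time{}
		return LockedOut
	}
	return WrongPassword
}

// GuessingScenario: five bad guesses from someone else exhaust the threshold;
// the owner is then refused with the right password until the lockout expires.
func GuessingScenario() (guesses []Result, ownerDuring, ownerAfter Result) {
	policy := LockoutPolicy{Threshold: 5, Duration: 30 * time.Minute, ResetCounter: 30 * time.Minute}
	acct := &Account{Password: "correct-horse"} // constructed sample secret
	t0 := time.Date(2004, 5, 1, 9, 0, 0, 0, time.UTC)
	for i := 0; i < 5; i++ {
		guesses = append(guesses, acct.Attempt(policy, "guess", t0.Add(time.Duration(i)*time.Second)))
	}
	ownerDuring = acct.Attempt(policy, "correct-horse", t0.Add(time.Minute))
	ownerAfter = acct.Attempt(policy, "correct-horse", t0.Add(31*time.Minute))
	return guesses, ownerDuring, ownerAfter
}

func main() {
	guesses, during, after := GuessingScenario()
	fmt.Println(guesses, during, after) // [1 1 1 1 2] 2 0
}
```

The observation window matters as much as the threshold: four bad guesses followed by a fifth after the reset window has passed do not lock the account, because the counter has already been cleared.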
Kerberos V5 Policy
We discuss password policy, account lockout policy, and Kerberos in much greater detail
in Chapter 7, "Creating the Physical Design for Client Infrastructure Security."
Designing Forest and Domain Trust Models
The authentication process begins when your user logs on to your domain with her
username and password. The logon process provides her with access to the resources in
your domain, to which she has permissions. It also allows you to audit her access to
resources.
The authentication process then continues when she receives access to resources in
other domains. The logical connections to the other domains are called trusts. If a
domain trusts her domain, she can use the resources in that domain, provided that she
has permissions. Some trusts are created automatically, whereas others can be created
by you. In Windows Server 2003, there are basically four kinds of trusts:
• Implicit trusts
• Shortcut trusts
• External trusts
• Forest trusts
We now briefly discuss each type of trust and its effect on your logical authentication
strategy.
Implicit Trusts
Implicit trusts are two-way, transitive trusts that are built in to Windows Server 2003
Active Directory. Figure 2.12 illustrates the concept of two-way, transitive trusts. Each
arrowhead indicates a domain that is trusted. Two-way means that if A trusts B, then B
trusts A. Transitive means that if A trusts B and A trusts C, then B trusts C through A.
Finally, two-way transitive means that C also trusts B through A.
In Figure 2.12, note that B does not trust C directly, nor does C trust B
directly; but only through A.
Implicit trusts exist automatically between each tree in an Active Directory forest and
between each child domain and its parent domain. These trusts cannot be deleted. They
are required to connect domains of the forest and allow Active Directory to function.
Figure 2.13 illustrates the location of implicit trusts.
We use a lettering system to name domains in our study of trusts. We
are using this system for simplification purposes only. Actual Windows
Server 2003 domains are named in a hierarchical fashion. For
example, training.microsoft.com is a child domain to
microsoft.com.
Shortcut Trusts
If a forest has a "deep" design, the authentication path might be very long for a client. In
this case, you can create a shortcut trust. A shortcut trust is a one-way, transitive trust
that provides a shorter path for clients to a resource in the forest. Figure 2.14 illustrates
a shortcut trust.
External Trusts
External trusts are one-way and nontransitive. You should use these trusts to connect
domains in two separate forests or to connect your forest to a Windows NT domain.
Figure 2.15 illustrates an external trust between a Windows NT domain and a domain in
a Windows Server 2003 forest. Only Domain X in the Windows Server 2003 forest named
Forest 2 trusts the Windows NT domain named NT. In addition, the NT domain does not
trust Domain X. Also, only Domain Y in the forest named Forest 2 trusts Domain C in
Forest 1.
Forest Trusts
Forest trusts are new to Windows Server 2003. In fact, your forest must be in Windows
Server 2003 mode to use forest trusts. These trusts provide two-way, transitive trust
relationships from all of the domains in one forest to all of the domains in another forest.
The forest trusts themselves are not transitive between forests. For example, just
because Forest A trusts Forest B and Forest B trusts Forest C, this does not mean that
Forest A can trust Forest C through Forest B. However, you could set up a forest trust
between A and B as well as a forest trust between B and C. We discuss forest trusts in
greater detail in Chapter 7.
• Unix
• Novell NetWare
• Apple Macintosh
We now discuss the features that Windows Server 2003 provides to allow the secure
interoperation with each of these clients.
Microsoft Services for Unix is built in to Windows Server 2003. It provides tools to
enhance the secure interoperability between Unix clients and a Microsoft network. Unix
clients use a file system called network file system (NFS). Services for Unix provides NFS
software and allows Unix clients to connect to file services on a Windows Server 2003
server. It also provides an NFS gateway that allows Windows Server 2003 computers to
access Unix NFS resources. In addition, it provides services such as Telnet and
ActivePerl. Telnet can be used for remote management of Unix servers, and ActivePerl
can be used to develop scripts that automate administrative tasks. Finally, Services for
Unix provides tools to simplify account management and security in a mixed network. In
Chapter 7, we discuss the authentication methods that Unix clients can use in a Windows
Server 2003 network.
Client Services for NetWare can be installed on all Windows clients. It allows them to
connect directly to the NetWare server and use resources for which they are assigned
permissions. Installing CSNW also installs NWLink, the Microsoft protocol that emulates
the Novell IPX/SPX protocol. This protocol is essential for CSNW to operate. The software
for CSNW can be found on all Windows clients later than Windows NT Workstation 4.0.
Gateway (and Client) Services for NetWare can be installed on Windows servers later
than Windows NT Server 4.0. It creates a bridge (or gateway) between the Windows
server and the NetWare server. Windows clients with NWLink installed on them can
connect to the Windows server and use the gateway to connect to the NetWare server.
Clients that use the GSNW service do not require CSNW. In other words, it's one or the
other.
Windows Server 2003 also includes Services for NetWare, which provides several utilities
to integrate NetWare networks and Windows networks. These include the following:
You can use AppleTalk network integration services built in to Windows Server 2003 to
create volumes that are accessible to Macintosh clients as well as to Windows clients. The
three components of AppleTalk network integration are as follows:
• File Services for Macintosh— Enables Macintosh clients and Windows clients to
share files on a computer running Windows.
• Print Services for Macintosh— Enables Macintosh clients to send and spool
documents to computers that are running Windows.
• AppleTalk Protocol— Enables internetwork routing, transaction and data stream
service, naming service, and comprehensive file and print sharing on Macintosh
clients. AppleTalk is a proprietary transport protocol developed by Apple. Windows
servers can support both TCP/IP and AppleTalk simultaneously. Most Macintosh
clients use TCP/IP in addition to or in place of the AppleTalk protocol.
Exam Prep Questions
Case 1: HSBC Inc.
HSBC Inc. is a large company that distributes food and paper products to governmental
offices. For security reasons, some of these offices are secret. Therefore, all
communication between HSBC employees must be kept secure. HSBC currently has a
Windows Server 2003 network. They are considering using PKI to enhance security. You
have been hired to consult with HSBC about their security needs.
• A. PKI
• B. Kerberos
• C. CHAP
• D. Active Directory
Q2 Which of these might be reasons that HSBC should consider using a PKI?
(Choose two.)
A2: Answers B and C are correct. Secure email and secure access to Web sites are
valid reasons to use a PKI. Secure authentication on the network is provided by
Kerberos; therefore, answer A is incorrect. Secure logon is provided by Active
Directory and the Local Security Accounts (LSA) manager; therefore, answer D is
incorrect.
Q3 Which type of key is only used to encrypt messages and to verify digital
signatures?
• A. Private key
• B. Symmetric key
• C. Public key
• D. EFS
A3: Answer C is correct. The user's public key is used to encrypt messages so that
only the user's private key can decrypt them. A private key is used to decrypt
messages that were encrypted with a public key; therefore, answer A is
incorrect. A symmetric key can be used to encrypt and decrypt the same
message; therefore, answer B is incorrect. EFS is a service that is used to
encrypt data on a hard drive; therefore, answer D is incorrect.
Q4 Which of the following might be reasons to revoke a user's certificate? (Choose
two.)
A4: Answers A and B are correct. A security event or revelation of new information
are possible reasons to revoke a user's certificate. Allowing a certificate to expire
is not the same as revoking it; therefore, answer C is incorrect. Certificates
cannot be overused; therefore, answer D is incorrect.
• A. Certificates snap-in
• B. Active Directory Users and Computers
• C. Certificate Services snap-in
• D. Internet Explorer
A5: Answer C is correct. The Certificate Services snap-in can be used to revoke
certificates. The Certificates snap-in is used to manage and audit certificates but
not to revoke them; therefore, answer A is incorrect. Active Directory Users and
Computers is used to manage the logical elements of Active Directory; therefore,
answer B is incorrect. Internet Explorer can be used to issue certificates but not
to revoke them; therefore, answer D is incorrect.
Q6 Which of the following are the two general types of certification authorities?
(Choose two.)
• A. Enterprise
• B. Subordinate
• C. Standalone
• D. VeriSign
A6: Answers A and C are correct. The two general types of CAs are enterprise and
standalone. Subordinate is a role that a CA can play in either type; therefore,
answer B is incorrect. VeriSign is an organization that provides third-party CAs;
therefore, answer D is incorrect.
• A. Standalone root
• B. Standalone subordinate
• C. Enterprise root
• D. All root servers
A7: Answer C is correct. Only enterprise CAs require Active Directory. Neither a
standalone root server nor a standalone subordinate server requires Active
Directory; therefore, answers A, B, and D are incorrect.
Q8 Which of these domain-level policies automatically override any policy settings at
the OU level? (Choose two.)
• A. Password policy
• B. Account lockout policy
• C. Antivirus
• D. IPSec
A8: Answers A and B are correct. The account policies of password policy, account
lockout policy, and Kerberos V5 that are set at the domain level are used
regardless of any settings at the OU. Antivirus policies do not override policy
settings at the OU level unless the administrator specifically configures it;
therefore, answer C is incorrect. IPSec policy can be configured for each OU;
therefore, answer D is incorrect.
Q9 Which type of one-way, nontransitive trust should you use between your forest
and a Windows NT domain?
• A. Shortcut
• B. Implicit
• C. Forest
• D. External
A9: Answer D is correct. External trusts are one-way, nontransitive trusts that are
used between two domains in two different Active Directory forests or between
an Active Directory forest and a Windows NT domain. Shortcut trusts are
one-way, transitive trusts that are used to shorten trust paths in Active Directory
forests; therefore, answer A is incorrect. Implicit trusts are two-way, transitive
trusts that are installed by default; therefore, answer B is incorrect. Forest trusts
are two-way, nontransitive trusts between two Windows 2003 forests in Windows
2003 mode that set up two-way, transitive trusts between every domain in each
Windows Server 2003 forest; therefore, answer C is incorrect.
Q10 Which of the following might be used by your Microsoft Windows XP clients to
gain access to resources on a connected Novell NetWare server? (Choose two.)
A10: Answers B and D are correct. Clients can use Client Services for NetWare
(installed on the client) or Gateway (and Client) Services for NetWare (installed
on the server) to gain access to resources on a Novell NetWare server. File and
Print Services for NetWare is used by NetWare clients to gain access to resources
on a Microsoft server; therefore, answer A is incorrect. The IPX/SPX protocol is
proprietary to Novell, and Windows XP clients use the NWLink protocol instead;
therefore, answer C is incorrect.
Chapter 3. Designing Strategies for
Security Management
Terms you'll need to understand:
Your network has enough enemies, including viruses, well-intentioned users, and not so
well-intentioned attackers. You must ensure that you don't become your own worst
enemy! You need to understand the risks associated with managing your network and
mitigate those risks with whatever tools you have available. In addition, you need to
keep your network up to date with the latest security patches. This process needs to be
as automatic as possible in your situation.
In this chapter, we discuss the tools that you can use to manage the risk of managing
the network. These include simple tools such as the Run as command as well as more
complex tools used to monitor and manage servers and services. We also discuss the
new tools in Windows Server 2003 that aid you in assessing the current patch level of
computers in your network and in keeping computers up to date with security patches
from the Microsoft Web site.
Designing Security for Network Management
You need to understand the power of the Administrator account as well as other accounts
that provide rights on the network. In the right hands, these are tools you use to manage
a network. In the wrong hands, they are weapons that attackers can use against you. As
you manage your network, take care that these accounts do not fall into the wrong
hands. In addition, you need to understand the tools and services available to enhance
and monitor the security of your network. Designing security for network management
includes the following components:
We now discuss the tools that Windows Server 2003 provides to assist an administrator
in the safe management of the network. These tools include the following:
Even if you are an administrator, you need to log on every morning with the same type
of user account that everyone else uses. You don't need an administrative account to
check your email and browse the Web. You should only use an administrative account if
you are doing something on the network that requires the use of an administrative
account. This practice protects the network because the less you use an administrative
logon, the less chance there is for a Trojan horse virus or some type of worm to pick it
up and send it to an attacker. Also, if you walk away from a computer that you are
logged on to with an administrative account, another person could use the computer and
"play Administrator" for a while!
Although your users should only have one account, you and your other administrators
need to have at least two accounts. You should use a normal user account until it is
necessary to use the administrative account and, at that time, you can use the Run as
command to perform a secondary logon.
You can use the Run as command either through the GUI or at the command line. To use
the Run as command with a GUI tool, simply right-click the tool, click Run as, and then
log on with the account that you want to use to run that tool. You might need to hold
down the Shift key while you right-click, depending on the tool that you choose. Figure
3.1 shows the Run as command on the Start menu. Figure 3.2 shows the secondary
logon screen for the Run as command. When the tool is closed, the system reverts back
to the primary logon account.
Figure 3.1. You can right-click the tool to use the Run as
command.
To use the Run as command from a command prompt, type the following syntax:
where domain is the name of your domain, account name is the name of the account
with which you want to run the tool, and tool is the name of the tool that you want to
run.
After you enter this syntax correctly, you are then asked the password of the account
with which you want to run the program. Figure 3.3 shows the command line with the
entered command and the system's response. After you enter the correct password, the
system opens the tool. When the tool is closed, the system reverts back to your primary
logon account.
Figure 3.3. You can use the Run as command from a command-line
interface.
You can check the %windir%\system32 folder on your servers for files
with .msc extensions. All files with .msc extensions can be used with
the Run as menu option. You can even create shortcuts on the
desktop or in your administrative tools using the same command.
Restricted Groups
Membership in a security group can give someone permissions and rights that she would
not have if she was not in that security group, especially if that group is a member of
another group that has more rights. This is the way the system is supposed to work. But,
what if someone is a member of a group that gives her administrative access and you are
not aware that she is a member? In this case, your own system is working against you.
You might be thinking, "But I can just check all of the groups and make certain that I
know who the members are." Well, that's true, but there might be more groups to keep
track of than you think. You have to consider that every workstation and member server
has its own local groups as well! Wouldn't it be nice to just lock those groups down with
some type of template? Well, now you can!
Restricted Groups is a computer security policy that should be used primarily with
workstations and member servers. In other words, it is rarely used on domain
controllers. It allows you to define who can be a member in a particular security group on
a computer and what other groups that group can be a member of as well. After you
define who can be a member of that group, anybody else who currently is a member is
removed from membership as soon as the security policy is refreshed. This way, it's
impossible for you to miss anybody. You can also copy the template that you create and
use it on subsequent workstations and member servers.
You can create the template and apply the settings for Restricted Groups on a member
server running Windows 2000 Server or Windows Server 2003 in two ways. You can
either create the template in the local security settings for each of the computers that
you choose or you can create a Group Policy and roll it out to all of the computers in an
organizational unit (OU) or hierarchy of OUs. For Windows 2000 Professional and
Windows XP Professional clients, you can use Group Policy to enforce Restricted Groups.
As we mentioned previously, you should refrain from using Restricted Groups at the
domain level; however, it is possible to use this tool to provide a "reality check" if you
suspect that someone has obtained fraudulent access to administrative rights through
membership in a security group.
To configure Restricted Groups on one member server, perform the following steps:
6. Add the members that you want to be in the group and the groups of which that
group can be a member.
7. Click OK or Apply.
When you click OK or Apply, only the members that you have designated are still
members of the groups for which you have set Restricted Groups. Any other members
are removed from group membership. This takes effect the next time they log on to the
server locally.
To configure Restricted Groups with Group Policy, perform the following steps:
1. Open the Group Policy Management Console and Group Policy Object Editor tools
to create and configure a new Group Policy or edit an existing one.
4. Click Add Group.
6. Add the members that you want to be in the group and the groups of which that
group can be a member.
7. Click OK or Apply.
When the Group Policy is linked to a container, the Restricted Groups settings become
effective for all computers in that container. You can force the policy to apply as soon as
you link it, using the gpupdate command, or you can simply wait until the policy is
refreshed automatically by the system.
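For a single member server, the same Restricted Groups setting can be applied from the command line with a security template and secedit.exe, and the result checked immediately. This is an added example, not code from the book: the group CORP\Workstation Admins, the file paths, and the membership check are constructed for the example.

```powershell
# Added example (not from the book): enforce Restricted Groups on one member
# server with a security template applied by secedit.exe, then verify the
# result. The group CORP\Workstation Admins and the paths are constructed.
$Template = Join-Path $env:TEMP 'restricted-groups.inf'
$Database = Join-Path $env:TEMP 'restricted-groups.sdb'
$Log      = Join-Path $env:TEMP 'restricted-groups.log'

# *S-1-5-32-544 is the well-known SID of the local Administrators group.
# __Members is the complete allowed membership: anyone else is removed when
# the template is applied. __Memberof lists groups this group is added to.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,CORP\Workstation Admins
'@ | Set-Content -Path $Template -Encoding Unicode

# /areas GROUP_MGMT applies only the Restricted Groups section of the template.
secedit /configure /db $Database /cfg $Template /areas GROUP_MGMT /log $Log /quiet

function Get-UnexpectedMembers {
    param([string]$Group, [string[]]$Allowed)
    # "net localgroup <group>" prints a header, a dashed line, the members,
    # then "The command completed successfully."
    $lines = net localgroup $Group
    $dash  = 0
    while ($dash -lt $lines.Count -and $lines[$dash] -notlike '----*') { $dash++ }
    $members = $lines[($dash + 1)..($lines.Count - 1)] |
        Where-Object { $_ -and $_ -notmatch 'completed successfully' }
    return @($members | Where-Object { $Allowed -notcontains $_ })
}

$extra = Get-UnexpectedMembers -Group 'Administrators' -Allowed @('Administrator', 'CORP\Workstation Admins')
if ($extra.Count -eq 0) { 'Administrators membership matches the template.' }
else { 'Unexpected members still present: ' + ($extra -join ', ') }
```

The same .inf file can be imported into a Group Policy object (Security Settings, Import Policy) to roll it out to an OU, which is the second method described above; in that case the membership is corrected at the next policy refresh rather than immediately, so run the check after gpupdate rather than right after linking the policy.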
Security Auditing
A wise person once said "You don't get what you expect, you get what you inspect." You
need to have a system in place that aids you in monitoring the security of your network.
This includes an audit policy that determines what is to be audited and a person or
persons responsible for regularly checking the security log to look for anything that
doesn't seem to fit.
Windows Server 2003 provides the tools for auditing logons, resource access, account
management, and more. Your audit policy determines what is written to the security log.
The security log can then be read, archived, and printed with Event Viewer. Figure 3.4
shows the settings for Audit Policy in the Microsoft Management Console (MMC) named
Default Domain Security Settings. Table 3.1 defines each of the settings that you could
use in your audit policy. You can audit each of these settings for success, failure, or
success and failure. Figure 3.5 shows an example of a security log in Event Viewer.
Figure 3.5. You can view the results of a security audit in Event
Viewer.
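Reading the security log in Event Viewer one entry at a time does not scale, so the person responsible for checking it usually wants a summary first. The following PowerShell function is an added example, not code from the book: it pulls the failure audits from the Security log for the last N hours, counts them by event ID (which tells you which audit policy setting produced them) and by account, and flags accounts over a threshold. The threshold and the regular expression that extracts the account name are assumptions; Windows Server 2003 logon events label the field "User Name:", later versions "Account Name:", and the pattern accepts either.

```powershell
# Added example (not from the book): summarize failure audits in the Security
# log so anomalies stand out. Threshold and the account-name regex are
# assumptions; adjust them to your own audit policy and event formats.
function Get-FailureAuditSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int]$Threshold = 10      # failures per account before it is flagged
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-EventLog -LogName Security -ComputerName $ComputerName `
                           -EntryType FailureAudit -After $since -ErrorAction Stop

    # Group by event ID first: this shows which audit category is producing
    # the failures (logon, account logon, object access, privilege use, ...).
    $byId = $events | Group-Object EventID | Sort-Object Count -Descending |
            Select-Object @{n='EventID'; e={$_.Name}}, Count

    # Then by account. Server 2003 writes "User Name:", later versions
    # "Account Name:"; the regex accepts either form.
    $byAccount = $events | ForEach-Object {
        if ($_.Message -match '(?:User|Account) Name:\s+(\S+)') { $matches[1] }
    } | Group-Object | Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending | Select-Object @{n='Account'; e={$_.Name}}, Count

    [pscustomobject]@{
        Computer  = $ComputerName
        Since     = $since
        Total     = $events.Count
        ByEventID = $byId
        Flagged   = $byAccount
    }
}

$summary = Get-FailureAuditSummary -Hours 24 -Threshold 10
$summary.ByEventID | Format-Table -AutoSize
$summary.Flagged   | Format-Table -AutoSize
```

Reading the Security log requires the Manage auditing and security log right, which Administrators hold by default; the -ComputerName parameter lets one reviewer run the same summary against each server in turn, which matters because, as the next section notes, the audit policy you set determines what ends up in the log in the first place.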
• Telnet
• Remote Assistance
Using Microsoft Management Consoles (MMCs), you can create your own custom
"toolboxes" that keep the tools you use most frequently all in one place. You can then
share these toolboxes with other administrators whom you trust, or you can create
another toolbox that has only the tools that they need. You can simply share the
completed MMC in a folder to which the other administrator has access, and he can then
use the MMC as well. Share it with Read permission so that the administrator who
receives the MMC cannot change the file without also changing the name and the
ownership of the file. To use the MMC tools, you must register the proper dynamic link
libraries (DLLs). You can easily register most DLLs by entering adminpak.msi at a
command prompt and following the Windows Server 2003 Administrative Tools
Installation Wizard.
An MMC itself has no administration capability; it's only a toolbox that contains the real
tools called snap-ins. These snap-ins are produced by Microsoft and many other vendors.
They include most of the tools that you need to configure, manage, and monitor your
network. Many of these tools can be used on the local computer or on a remote computer
connected to the management console. Figure 3.6 shows an MMC that has been
customized to hold tools for two different computers.
Figure 3.6. You can build MMCs that hold tools for multiple
computers.
Remote Desktop Connection replaces the Remote Administration Mode for Terminal
Services used in Windows 2000 Server. It provides a new interface that allows you to
safely manage any computer that is configured to allow users to connect remotely. You
can access Remote Desktop Connection by clicking Start, All Programs, Accessories,
Communications, Remote Desktop Connection. You can then connect to the computer by
entering the computer name and the password for that computer.
You must also be a member of the Remote Desktop Users security
group to use Remote Desktop Connection. The administrator is a
member of this group by default and can add other members.
You can control the resolution and other aspects of the "user experience" on the Remote
Desktop Connection settings. Figure 3.7 shows the Remote Desktop Connection dialog
box. These options allow you to configure your remote session based on the allowed
bandwidth and other restrictions. Figure 3.8 shows the custom settings that you can
configure on the Experience tab. You should use Remote Desktop Connection when you
are making a connection to only one other computer or server.
To make multiple simultaneous connections, use the Remote Desktops snap-in. This tool
enables you to manage many servers as if you were sitting in front of each one of them.
You can control each of the connections and encrypt the connection over the Remote
Desktop Protocol (RDP). You can quickly switch between several remote desktops. Figure
3.9 shows an MMC with the Remote Desktops snap-in installed.
Figure 3.9. You can control multiple remote connections from one
interface with the Remote Desktops snap-in.
Telnet
In general, you use Remote Desktop Connection or the Remote Desktops snap-in to
connect with any computers that are running Microsoft operating systems. This provides
the most secure method of remote administration.
For other servers and network devices on your network, you can use Telnet. The Telnet
application is part of the TCP/IP suite, and any network that is using TCP/IP can use it.
The Telnet client is built in to Windows Server 2003 and provides a command-line
interface to another server and limited functionality to configure the server (see Figure
3.10). Telnet does not provide security—all passwords and data are transmitted in clear
text. If you use Telnet, you need to ensure that no sensitive information is being
transmitted.
Telnet is not recommended for remote administration of Microsoft
computers because all data and commands are transmitted in clear
text.
To access a computer or network device with Telnet, perform the following steps:
1. Click Start.
2. Click Run.
3. Type telnet.
4. Type open.
5. Type the name of the host with which you want a connection.
The list of commands that are available is based on the type of host to which you have
connected. All commands are alphanumeric. In other words, you can't use your mouse or
any type of GUI with Telnet. Table 3.2 lists some Telnet commands and the actions that
they perform.
Remote Assistance
Clients can request your assistance using the Remote Assistance tools, provided by
Windows XP Professional, and you can respond to their requests and assist them through
your Windows Server 2003 network. After you are connected, you can view the client's
computer and chat online. You can even take control of their mouse and keyboard with
their permission. You can also upload files to them or download their files to your
computer or central server. Remote Assistance communication can be based on Windows
Messenger or Microsoft Outlook. Figure 3.11 shows the Remote Assistance console on a
Windows XP Professional client.
Figure 3.11. Clients can request your assistance using the Remote
Assistance console.
In the event of a disaster of this magnitude, the main goal is to get the computers back
up to the point that your company can do business before you go out of business
permanently! Your DRP should address a plan to rebuild the network to a functioning
state as quickly as possible, even if your whole building is destroyed. The details of this
plan will, of course, vary, depending on the size and complexity of the company, but the
main thing you need is a place to work. The types of alternative sites that you should
consider in your DRP are as follows:
• Hot site
• Warm site
• Cold site
Hot Sites
A hot site is a location that is up and running 24/7 with everything that you need to
function. Its main advantage is that, in the event of a disaster, you can move into the
hot site and resume normal business operations in a matter of hours. Another advantage
is that it is possible to do a "dry run" and test the hot site.
The hot site should be close enough to be practical for employees, yet far enough away
so as not to be taken down by the same disaster that took down your main site. You can
maintain the hot site, or you can pay another company to provide the service. The main
disadvantage of a hot site is the large cost associated with it. Typically, the potential loss
of money is not enough to justify the cost of a hot site, so they are only used in
organizations in which people's lives are at stake, such as highly sensitive governmental
institutions or hospital networks.
Warm Sites
A warm site is a location that provides the space, electrical outlets, and communications
lines that will be needed in the event of a disaster. It is not customized for one
organization and might be used by many organizations in the event of a natural disaster.
Typically, no computers are in place because it is assumed that the company will provide
the computers when, and if, the time comes to use the site. The main advantage of this
type of site is that it costs considerably less to maintain than a hot site. The main
disadvantage of this type of site is that it is much more difficult to test your DRP from
time to time.
Cold Sites
A cold site is a location that basically has four walls, a ceiling, and a bathroom! Typically,
it's a prearranged agreement with another party to use their space if a disaster happens.
There is very little planning involved in a cold site. The main advantage is that it costs
very little. Two parties in different areas might even agree to let each other use a part of
their building in the event of a disaster, so there is no cost to either party. The main
disadvantage of a cold site is that it does not fully provide a quick transition back to
normal business operations.
Designing a Security Update Infrastructure
Many of the latest attacks to computers and servers with Microsoft operating systems
have succeeded in spite of the fact that the patches to prevent these attacks were
available on the Microsoft Web site prior to the attack. The attacker succeeded because
the administrator had not yet installed the latest patches. Your design strategy should
include a system to automate the installation of patches that are critical to the security of
your network. You should be familiar with the tools that Microsoft provides with Windows
Server 2003. Designing a security update infrastructure includes
Your server needs to meet the following minimum hardware requirements to become a
SUS server:
You can use SUS to update clients running Windows 2000 Professional and Windows XP
Professional with the latest service packs. SUS enables an administrator to automatically
download, test, approve, and install the latest critical updates and service packs from the
Microsoft Windows Update Web site. Figure 3.12 shows the SUS administration site. You
need to be familiar with the features of SUS, as identified by Microsoft, including the
following:
• Built-in security
• Selective content approval
• Content synchronization options
• Server-to-server synchronization
• Multilanguage support
• Remote administration via Hypertext Transfer Protocol (HTTP) or Hypertext
Transfer Protocol Secure (HTTPS)
• Update status logging
Figure 3.12. You can manage SUS through a secure Web site.
Built-in Security
This one speaks for itself! You can't enhance security if your enhancement creates holes.
The administrative pages of SUS are Web-based through IIS and are restricted to local
administrators on the computer that hosts the updates. The synchronization always
validates the digital certificates on any downloads to the update server. Any files that are
not from Microsoft are automatically deleted.
Updates are first downloaded to the server by running SUS synchronization. These,
however, are not automatically available to the computers that have been configured to
receive updates from that server. Instead, you can approve the updates before they are
made available for download. This allows you to test the packages before deploying
them.
You receive the latest critical updates and service packs from Microsoft through the
process of synchronization. You can set a schedule for automatic synchronization at
preset times. Alternatively, you can use the Synchronize Now button to manually
synchronize the server.
Server-to-Server Synchronization
You can point your server to another server running Microsoft SUS instead of to the
Windows update server. This creates a single point of entry for updates into the network,
without requiring that each SUS server download updates from the external Microsoft
source. In this way, updates can be more easily distributed across the enterprise.
Multilanguage Support
SUS supports the publishing of updates to multiple operating system language versions.
You can configure the list of languages for which you want to download updates. You only
need to download the languages that you will use. This greatly increases the speed of
synchronization.
The SUS administrative interface is Web-based. This allows you to manage it remotely as
if you were sitting in front of the server itself. Remote administration requires Internet
Explorer (IE) 5.5 or later.
Update Status Logging
You can specify the address of a Web server to which the Automatic Updates client
should send statistics about updates that have been downloaded and installed. These
statistics are sent using HTTP. You can access them in the IIS log file of the Web server.
The easier way is to use Group Policy to change all of the computers that you need to
change—simultaneously. You should configure the Group Policy to set the computers to
the correct SUS server and then link the policy to the container in which the computer
objects are located. You can configure those computers to automatically download and
install the software or to notify the clients and let them make the decision to download
and install it. Figures 3.13 and 3.14 show the Group Policy settings for SUS updates. To
configure a Group Policy for SUS, perform the following steps:
1. Open the Group Policy Management Console (GPMC) or Group Policy tool.
2. Expand Computer Configuration in the properties of the policy.
3. Expand Administrative Templates.
4. Expand Windows Update.
5. Right-click Configure Automatic Updates to configure the settings for each
computer.
6. Right-click Specify Intranet Microsoft Update Service Location to configure the
server from which to receive the updates.
Figure 3.13. You can configure how and when clients receive
updates.
Figure 3.14. You can configure the server from which the client
receives the updates.
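After the policy is linked, you will want to confirm that a client actually received it. The two Group Policy settings named above are stored as values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (the server location) and its AU subkey (the Automatic Updates behaviour). The following PowerShell function is an added example, not code from the book: it reads those values and reports anything that would leave the client unmanaged. The SUS server URL and the list of acceptable AUOptions values are assumptions.

```powershell
# Added example (not from the book): verify that a client has the SUS Group
# Policy settings applied. The expected server URL is constructed.
function Test-SusClientPolicy {
    param(
        [string]$ExpectedServer   = 'http://sus01.corp.example',   # assumption
        [int[]] $AllowedAUOptions = @(3, 4)   # 3 = auto download, notify to install
                                              # 4 = auto download, scheduled install
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    if (-not (Test-Path $wu)) {
        return @('No Windows Update policy is applied to this computer.')
    }
    $problems = @()
    $p = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue

    # "Specify intranet Microsoft update service location" writes these two.
    if ($p.WUServer -ne $ExpectedServer) {
        $problems += "WUServer is '$($p.WUServer)', expected '$ExpectedServer'."
    }
    if ($p.WUStatusServer -ne $ExpectedServer) {
        $problems += "WUStatusServer is '$($p.WUStatusServer)'; update status logging goes elsewhere."
    }
    # "Configure Automatic Updates" writes the AU values.
    if ([int]$a.UseWUServer -ne 1) {
        $problems += 'UseWUServer is not 1; the client still contacts Windows Update directly.'
    }
    if ([int]$a.NoAutoUpdate -eq 1) {
        $problems += 'NoAutoUpdate is 1; Automatic Updates is disabled.'
    }
    if ($AllowedAUOptions -notcontains [int]$a.AUOptions) {
        $problems += "AUOptions is '$($a.AUOptions)'; allowed values are $($AllowedAUOptions -join ', ')."
    }
    return $problems
}

$result = Test-SusClientPolicy
if ($result.Count -eq 0) { 'SUS client policy is applied as expected.' }
else { $result | ForEach-Object { "PROBLEM: $_" } }
```

If the function reports that no policy is applied, run gpupdate /target:computer /force on the client and re-check before looking elsewhere; the values are only present once Group Policy has been processed, so a missing key usually means the computer object is not in the container you linked the policy to.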
You can use Microsoft Baseline Security Analyzer (MBSA) to scan for security-related
updates on multiple computers. MBSA Version 1.1.1 includes both a GUI tool and a
command-line interface tool. You can use these tools to perform scans of Windows
systems on your network. MBSA runs on Windows 2000, Windows XP, and Windows
Server 2003 systems. You can perform scans of all Windows NT-based clients, including
Windows NT Workstation and all later clients. You can also scan for updates to
applications running on the clients, including Internet Explorer and Office applications,
such as Office 2000 and later. The computer being scanned must be running IE 5.01 or
later and XML parser software. Parser software can be downloaded from the Microsoft
Web site at www.microsoft.com/downloads.
Systems Management Server (SMS) and the SUS feature pack enable you to manage
security updates throughout any size company. The SUS feature pack streamlines the
security patch management process for you. The SMS software can be used to customize
installations.
The Security Update Inventory Tool in SMS uses the MBSA program to scan all of the
clients and servers and then creates a detailed Web-based inventory report. Then, you
can use the software distribution features built in to SMS to distribute the required
software to the clients and servers. The wizards built in to the tool ensure that only the
updates that are missing are installed. No redundant or unnecessary updates are
performed.
WPX has a constant need for remote management of the branch offices, which all contain
at least one server. In addition, the company is considering options in regard to a DRP
for the Atlanta office. Finally, WPX is concerned that its clients might not have all of the
latest critical updates for security. It wants a system that can analyze the current status
of its clients, install the software needed, and keep the clients up to date. You have been
hired as a consultant to assist WPX.
• A. Administrative account
• B. Default Administrator account
• C. Email address
• D. Regular user account
A1: Answer D is correct. Microsoft recommends that administrators use a regular user
account when they are not doing administrative work. She should not use her
administrative account unless she is actually doing administrative activity;
therefore, answer A is incorrect. The name of the Administrator account should be
changed; therefore, answer B is incorrect. She cannot use her email address to log
on; therefore, answer C is incorrect.
Q2 Which tools should you use to control the membership of the administrative
groups? (Choose two.)
• A. Restricted Groups
• B. Active Directory Users and Computers
• C. Active Directory Sites and Services
• D. Group Policies
A2: Answers A and B are correct. Restricted Groups and Active Directory Users and
Computers can be used to control the membership of administrative groups. Active
Directory Sites and Services is used to control the physical aspects of Active
Directory; therefore, answer C is incorrect. Group Policies are used to control
security and access to resources; therefore, answer D is incorrect.
Q3 Which of the following should you use for remote administration of multiple
Windows Server 2003 servers in the same session?
A3: Answer B is correct. The Remote Desktops snap-in is the only tool listed that allows
multiple remote administration sessions. Remote Desktop Connection allows only
one session at a time; therefore, answer A is incorrect. Telnet is a command-line-
based administration tool that is not secure; therefore, answer C is incorrect. File
Transfer Protocol is not used to manage computers; therefore, answer D is
incorrect.
• A. Computer Management
• B. My Computer
• C. Windows Explorer
• D. Active Directory Users and Computers
A4: Answers A and D are correct. Computer Management and Active Directory Users
and Computers are both available as a Remote Desktops snap-in. My Computer is a
tool specific to one computer and not available as a snap-in; therefore, answer B is
incorrect. Windows Explorer is specific to one computer and not available as a
snap-in; therefore, answer C is incorrect.
Q5 Which tools should you use to set the actions and objects that will be audited?
(Choose two.)
• A. Security log
• B. Group Policy Object Editor
• C. Windows Explorer
• D. Active Directory Domains and Trusts
A5: Answers B and C are correct. You should use the Group Policy Object Editor to set
the actions of the audit (success or failure) and the Windows Explorer tool to set
the objects to be audited. The security log is a tool used to view the results of an
audit, not to set it up; therefore, answer A is incorrect. Active Directory Domains
and Trusts is a tool used to manage trusts between domains; therefore, answer D
is incorrect.
Q6 Which audit policy is set on a domain controller to audit its authentication of users
on other computers in the domain?
• A. Audit Logons
• B. Audit Account Logons
• C. Audit Privilege Use
• D. Audit Process Tracking
A6: Answer B is correct. Audit Account Logons can only be set on a domain controller.
It audits that computer's authentication of another computer to the domain. Audit
Logons is set on the local computer to audit local logons; therefore, answer A is
incorrect. Audit Privilege Use is set to monitor a user's exercise of user rights;
therefore, answer C is incorrect. Audit Process Tracking is set to monitor an
application's use of system resources; therefore, answer D is incorrect.
Q7 You decide to lease a space for emergency purposes approximately 100 miles from
the Atlanta office. This space will be equipped and maintained with the power and
communications needs for the network in the event a natural disaster or fire
destroys the Atlanta office. It will not currently be equipped with any computers.
Which type of alternative site have you chosen?
• A. Hot site
• B. Cold site
• C. Spare site
• D. Warm site
A7: Answer D is correct. Because the site will not contain the actual servers and other
hardware, but will be equipped with the right power and communications
connections, it should be referred to as a warm site. A hot site is equipped with
computers and is ready to move in within hours; therefore, answer A is incorrect. A
cold site is a location that has no planned resources at all; therefore, answer B is
incorrect. A spare site is not a term that is used in this context; therefore, answer C
is incorrect.
Q8 Which tools should you use to synchronize a server with the Microsoft Windows
Update Web site and receive the latest critical updates and service packs? (Choose
two.)
• A. Windows Update
• B. Group Policy
• C. Active Directory Users and Computers
• D. Software Update Services
A8: Answers A and D are correct. Windows Update is used to synchronize an individual
computer with the latest updates on the Microsoft Web site. Software Update
Services can be used in a hierarchical arrangement to test and distribute the latest
Microsoft updates. Group Policies are used to control security and access to
resources; therefore, answer B is incorrect. Active Directory Users and Computers
is used to control the logical aspects of Active Directory; therefore, answer C is
incorrect.
Q9 Which tool should you use to scan clients and servers to determine whether they
have the latest updates installed?
• D. Computer Management
A9: Answer A is correct. MBSA can be used to scan computers for the latest security
updates and other security weaknesses. SUS is used to install the latest updates,
but does not scan the computer; therefore, answer B is incorrect. The Group Policy
Management Console is used to create and manage Group Policies; therefore,
answer C is incorrect. Computer Management does not scan the computer for the
latest updates; therefore, answer D is incorrect.
Q10 Which of these clients can be configured with Group Policy to use Software Update
Services? Choose all that apply.
• A. Windows 98
• B. Windows XP Home Edition
• C. Windows XP Professional
• D. Windows 2000 Professional
A10: Answers C and D are correct. Windows XP Professional and Windows 2000
Professional are the only clients listed that can be configured with Group Policy.
Group Policy cannot be used to control Windows 98; therefore, answer A is
incorrect. Windows XP Home Edition does not support Group Policy; therefore,
answer B is incorrect.
Chapter 4. Creating the Physical
Design for Network Infrastructure
Security
Terms you'll need to understand:
• Firewall
• IP filtering
• 802.1x
• Virtual private network (VPN)
• Demand-dial routing (DDR)
• Certificate Services
The security needs of a network vary widely depending on the components that make up
the network. Although the components that you choose are based on the needs of the
organization, some components require additional consideration in regard to security.
The manner in which you configure these physical components also has a dramatic effect
on your network's security.
In this chapter, we discuss the physical design for your network infrastructure and its
relation to your network's security. We also discuss options for securing connections
within your own network or connecting to other networks, and we examine the risks and
rewards associated with each option. Finally, we discuss the techniques and their impact
on the entire network.
Designing Network Infrastructure Security
You are responsible for the security on your network. This includes protecting the
network from intruders from the Internet as well as protecting the communications
between computers on your network. To effectively protect your network, you need to
understand the following components:
Windows Server 2003 and Windows XP Professional have a built-in, host-based firewall
called Internet Connection Firewall (ICF), which protects an individual computer.
Although this is a good product for client computers, you should only use ICF with
Windows Server 2003 servers if no other firewalls are being used. Our discussion focuses
on firewalls that protect an entire network, not just one computer.
A firewall filters traffic by reading each packet and deciding whether to allow or deny the
traffic. You can configure the firewall to forward only certain types of traffic. With most
firewalls (including Microsoft Internet Security Acceleration [ISA] server), the criteria that
you can use to filter traffic are as follows:
• Source IP address
• Destination IP address
• IP protocol
• Source Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
ports
• Destination TCP and UDP ports
• The interface where the packet arrives
• The interface where the packet is destined
Designing IP Filtering
You establish your criteria based on the needs of your own organization. The goal is to
protect the network but still allow transparent access to all of the resources that the
users need. Remember that one of the main purposes of having security is to ensure
productivity of the users. If your security inhibits their productivity, it is of questionable
value.
Exactly how you configure the firewall is determined by your organization's needs and
the specific type of firewall that you purchase. However, you need to be familiar with
some standards; the four basic methods of controlling traffic through a firewall are as
follows:
• Packet filtering
• Stateful inspection
• Circuit-level filtering
• Application filtering
Packet Filtering
Packet filtering involves reading the packet and making a decision based on the type of
packet. Table 4.1 lists services and applications that need to be considered when
configuring a firewall for packet filtering. This is by no means a complete list; only the
most common protocols and ports are included. For each service or application, the
specific ports that need to be configured are listed. You might also need to consider the
direction that the ports should be configured based on how an application will be used.
You should be familiar with the most common network services and
the ports that they use. These include HTTP, FTP, Telnet, DNS, and
others as listed in Table 4.1.
Stateful Inspection
In addition, you can gain more flexibility by using a firewall that allows you to filter by
the other criteria mentioned previously, such as source IP address, destination IP
address, and interface. These criteria can be used on their own or in addition to the port
number criterion. The process of holding the connection open while examining the
packets is called stateful inspection. A major advantage of this type of filtering is its
flexibility and, therefore, its effectiveness. A major disadvantage is that it takes a
tremendous amount of processor resources.
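The difference between plain packet filtering and stateful inspection is easiest to see with a small model. The following PowerShell script is an added example, not code from the book: it implements a stateless filter that evaluates rules over the criteria listed earlier (addresses, protocol, ports, arriving and destination interfaces) with a default of deny, and a stateful variant that records each permitted outbound connection and admits the return traffic of that connection without needing a standing inbound rule. All addresses, interface names, rules and packets are constructed.

```powershell
# Added example (not from the book): a toy stateless packet filter and a
# stateful variant built on top of it. Everything here is constructed.
function New-Packet {
    param($Src, $SrcPort, $Dst, $DstPort, $Proto = 'TCP', $InIf, $OutIf, [switch]$Syn)
    [pscustomobject]@{ Src = $Src; SrcPort = $SrcPort; Dst = $Dst; DstPort = $DstPort;
                       Proto = $Proto; InIf = $InIf; OutIf = $OutIf; Syn = [bool]$Syn }
}

# A rule matches when every field it specifies equals the packet's field; a
# field left out is a wildcard. Rules are evaluated in order, default deny.
$Rules = @(
    @{ Action = 'Allow'; Proto = 'TCP'; InIf = 'inside';  OutIf = 'outside'; DstPort = 80 },  # outbound HTTP
    @{ Action = 'Allow'; Proto = 'TCP'; InIf = 'outside'; OutIf = 'dmz';     DstPort = 25 },  # SMTP to DMZ relay
    @{ Action = 'Deny';  Proto = 'TCP'; InIf = 'outside'; Dst = '10.0.0.5' }                  # nothing from outside to the DC
)

function Test-StatelessFilter {
    param($Packet, $Rules)
    foreach ($r in $Rules) {
        $match = $true
        foreach ($k in @('Src', 'SrcPort', 'Dst', 'DstPort', 'Proto', 'InIf', 'OutIf')) {
            if ($r.ContainsKey($k) -and $r[$k] -ne $Packet.$k) { $match = $false; break }
        }
        if ($match) { return $r.Action }
    }
    return 'Deny'
}

# Stateful: a permitted connection-opening packet records its 5-tuple; later
# packets of that flow, in either direction, are admitted from the table.
$script:Flows = @{}
function Test-StatefulFilter {
    param($Packet, $Rules)
    $fwd = '{0}:{1}>{2}:{3}/{4}' -f $Packet.Src, $Packet.SrcPort, $Packet.Dst, $Packet.DstPort, $Packet.Proto
    $rev = '{0}:{1}>{2}:{3}/{4}' -f $Packet.Dst, $Packet.DstPort, $Packet.Src, $Packet.SrcPort, $Packet.Proto
    if ($script:Flows.ContainsKey($fwd) -or $script:Flows.ContainsKey($rev)) { return 'Allow (established)' }
    $decision = Test-StatelessFilter $Packet $Rules
    if ($decision -eq 'Allow' -and $Packet.Syn) { $script:Flows[$fwd] = Get-Date }   # remember the new connection
    return $decision
}

# Constructed traffic: a workstation opens an HTTP connection and the web
# server replies; a second packet from the same server is unsolicited.
$out   = New-Packet -Src 10.0.0.20 -SrcPort 51000 -Dst 203.0.113.10 -DstPort 80 -InIf inside -OutIf outside -Syn
$reply = New-Packet -Src 203.0.113.10 -SrcPort 80 -Dst 10.0.0.20 -DstPort 51000 -InIf outside -OutIf inside
$stray = New-Packet -Src 203.0.113.10 -SrcPort 80 -Dst 10.0.0.20 -DstPort 51001 -InIf outside -OutIf inside

"stateless out:   $(Test-StatelessFilter $out   $Rules)"
"stateless reply: $(Test-StatelessFilter $reply $Rules)"
"stateful  out:   $(Test-StatefulFilter  $out   $Rules)"
"stateful  reply: $(Test-StatefulFilter  $reply $Rules)"
"stateful  stray: $(Test-StatefulFilter  $stray $Rules)"
```

Run as written, the stateless filter allows the outbound request but denies the reply, because no rule admits inbound traffic from the web server; the only stateless fix is a standing rule that permits inbound packets from port 80 to high ports, which is exactly the kind of hole stateful inspection avoids. The stateful filter allows the request, records the flow, admits the reply as established, and still denies the stray packet because it matches no recorded flow. The cost the text mentions is visible too: every permitted connection occupies an entry in the flow table, and every packet is looked up there before the rules are consulted.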
Circuit-Level Filtering
Application Filtering
The most advanced type of IP filtering, application filtering, takes filtering to a new level
by examining each packet for the type of application to which it applies. The filter then
applies the right solution for that packet based on the application. This could include
screening, blocking, redirecting, or even modifying the data as it passes through the
firewall. This type of filtering can be used to protect against attacks on vital network
components, such as DNS and Web servers.
IPSec secures communications in a variety of ways. The main goal is to ensure that what
appears to be happening is actually happening. In other words, ensure that
communications are taking place as they appear to be. IPSec secures communications
within your network in the following ways:
Because IPSec works below the Transport layer, it applies to every application that runs
through it. This relieves you of the burden of setting up security for each application. It
uses industry-standard encryption algorithms and a comprehensive security management
approach to provide security for all TCP/IP communications on both sides of your firewall.
This results in an end-to-end security strategy for your entire network. IPSec can be set
in one of three ways for each container to which it is applied. The container can be your
domain or an organizational unit (OU) in your domain.
Microsoft gets you started with three default policies. You can alter them to meet your
individual needs or create your own policies. One of the main reasons that IPSec policies
fail is that their settings are incompatible with each other. For this reason, it's important
that you understand how the default policies operate before you alter them or create
your own.
The three default policies are as follows:
The name of the policy only signifies how that policy operates, not
what type of computers it can control. In other words, you can control
servers with a client type of policy and vice versa.
When a policy is set to Server (Request Security), the server negotiates with a client in
an attempt to create the most secure communication possible. This negotiation might
include a type of authentication, encryption, connection, and so forth. The server then
communicates with the client at the highest level at which the client can communicate. If
the client cannot support IPSec, communication can still take place between the client
and the server.
When the policy is set to Secure Server (Require Security), the server queries the client
to ensure the client can provide all of the security that the server requires. This might
include a specific type of authentication, encryption, connection, and so forth. If the
client cannot provide all of the requirements, the server does not communicate with the
client any further.
When the policy is set to Client (Respond Only), the client simply responds to the
server's requests or queries. This might include providing the correct type of
authentication, encryption, connection, and so forth. The client provides all that it can,
and the server then decides how and whether the communication will take place based
on answers that the client provides.
Figure 4.1 shows the IPSec policy settings in Windows Server 2003.
Figure 4.1. You can configure IPSec policy in one of three ways.
Figure 4.2 shows how IPSec can be configured in the Edit Rule Properties dialog box to
negotiate authentication, encryption, and connection types.
Figure 4.2. You can use IPSec rules to negotiate many aspects of
communication, including authentication, encryption, and
communication types.
Because you can assign only one IPSec policy per container, you need
to ensure that the clients are in different OUs than the servers' OUs so
the IPSec policies can be applied to all computers in the OU.
Securing a DNS implementation requires that you understand the fundamentals of DNS
and the methods that an attacker might use to take down your network. By
understanding what is possible, you can then take the necessary steps to prevent attacks
from succeeding. The following are methods of attack against your DNS implementation:
You can protect your DNS implementation from these attacks by protecting the integrity
of the DNS server's response to clients and by protecting the zone data contained and
transferred by the servers. The clients must be able to depend on the information that
they receive from their designated DNS servers. You can increase the integrity of this
information by practicing the following techniques:
When IPSec is enabled, all traffic can be encrypted between the DNS servers. This
ensures that no unauthorized entities are able to spoof the system. Also, IPSec can
specify the mutual authentication of the client and the server. Unless each can prove its
identity, no secure information is exchanged. Finally, all traffic between the client and the
server can be encrypted. This ensures that the client and server communication is free
from any type of tampering or misdirection.
A Denial of Service (DoS) attack floods a DNS server with so many client requests that
the DNS server cannot keep up with the legitimate requests, and it stops responding to
DNS queries. To guard against DoS attacks, watch for unusually high amounts of traffic
and look for anomalies such as a high volume from a single location or a high volume of
a single type of traffic. Establishing a security baseline before problems arise can help
you determine what amount of traffic should be considered unusually high.
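The baseline-then-anomaly approach described above, as an added example that is not from the book: a small Python detector that learns the normal queries-per-second rate from a quiet period and then flags seconds whose volume is far above it, reporting whether one source or one query type dominates. The log format (`epoch client qtype qname`) and all sample lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample query log (not from the book). Assumed format:
# "<epoch-second> <client-ip> <qtype> <qname>", one query per line.
BASELINE_LOG = """\
1000 10.0.0.5 A www.example.com
1001 10.0.0.6 A mail.example.com
1001 10.0.0.7 AAAA www.example.com
1002 10.0.0.5 A www.example.com
1002 10.0.0.8 MX example.com
1002 10.0.0.6 A intranet.example.com
1003 10.0.0.9 A www.example.com
1003 10.0.0.5 PTR 5.0.0.10.in-addr.arpa
1004 10.0.0.7 A www.example.com
1005 10.0.0.6 A www.example.com
1005 10.0.0.8 A mail.example.com
1005 10.0.0.9 AAAA www.example.com
1006 10.0.0.5 A intranet.example.com
1006 10.0.0.7 A www.example.com
1007 10.0.0.6 MX example.com
1007 10.0.0.8 A www.example.com
1008 10.0.0.9 A mail.example.com
1009 10.0.0.5 A www.example.com
1009 10.0.0.6 A www.example.com
1009 10.0.0.7 A intranet.example.com
"""
# Constructed flood: one client sends 40 ANY queries in a single second,
# mixed with two legitimate lookups from other hosts.
FLOOD_LOG = ("1010 10.0.0.99 ANY example.com\n" * 40
             + "1010 10.0.0.5 A www.example.com\n"
             + "1010 10.0.0.6 A mail.example.com\n")

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (second, source, qtype, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return records


def per_second(records):
    """Group queries by the second in which they arrived."""
    buckets = defaultdict(list)
    for second, src, qtype, _qname in records:
        buckets[second].append((src, qtype))
    return buckets


def build_baseline(records):
    """Mean and standard deviation of queries per second over a known-quiet period."""
    counts = [len(v) for v in per_second(records).values()]
    return {"mean": mean(counts), "stdev": pstdev(counts)}


def find_anomalies(records, baseline, k=3.0, share=0.5):
    """Flag seconds whose query count exceeds mean + k*stdev and note whether a
    single source or a single query type accounts for at least `share` of them."""
    threshold = baseline["mean"] + k * baseline["stdev"]
    findings = []
    for second, entries in sorted(per_second(records).items()):
        total = len(entries)
        if total <= threshold:
            continue
        src, src_n = Counter(e[0] for e in entries).most_common(1)[0]
        qtype, qtype_n = Counter(e[1] for e in entries).most_common(1)[0]
        reasons = ["volume"]
        if src_n / total >= share:
            reasons.append("single-source")
        if qtype_n / total >= share:
            reasons.append("single-qtype")
        findings.append({"second": second, "total": total,
                         "threshold": round(threshold, 2),
                         "top_source": src, "top_qtype": qtype,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for finding in find_anomalies(parse_log(BASELINE_LOG + FLOOD_LOG), baseline):
        print(finding)
```

The baseline must be built from traffic you have already judged normal; a threshold learned during an attack would simply absorb the attack. The `k` and `share` parameters are the tuning knobs a practitioner adjusts after looking at a few days of real query logs.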
The only ports that the DNS server needs to operate are 53/udp and 53/tcp. You need to
examine the configuration of a firewall protecting your DNS servers to ensure that all
ports that do not have to be open are shut. This provides a smaller attack surface for an
attacker.
You can protect the data that is stored on the DNS servers and transferred between them
by
Secure dynamic update is the default method of DNS update in both Windows 2000
Server and Windows Server 2003. It ensures that update requests are processed only if
Active Directory authorizes them. This prevents the type of DNS attack that involves
entering invalid data into the zone files. This is extremely important because if an
attacker can enter invalid data, he can disrupt your network and send your clients to
rogue servers without their knowledge. The attacker can also fill the server's disk space
with garbage data and, thereby, perform a type of DoS attack. Figure 4.3 illustrates the
configuration of secure dynamic updates.
Figure 4.3. Active Directory integrated zones with secure dynamic
updates can greatly increase your DNS security.
By default, members of the Authenticated Users group have the ability to create resource
records on DNS servers that are in the domain of the client computer. This enables all
computers to dynamically update DNS zone data. A typical authenticated user registers a
maximum of 10 records in DNS. To ensure that malicious users or applications do not
create inappropriate resource records, you can set a default quota limit of 10 objects per
user. This ensures that all computers can update DNS appropriately but cannot start DoS
attacks.
Your DNS infrastructure is one of the most critical and sensitive systems on your
network. Keep this in mind when choosing the individuals who will manage it. These
administrators should have proven character and ability to ensure that they do not
intentionally or accidentally bring down the network.
By default, Administrators, Domain Admins, Enterprise Admins, and DNS Admins have
Full Control access to all components of DNS. Everyone else has Read access. You can
set permissions on zone containers to control access and management of each zone, as
shown in Figure 4.4.
Figure 4.4. You can set permissions on zone containers.
Your DNS infrastructure can consist of many types of zones and servers. For the greatest
security, consider replacing secondary zones with Active Directory integrated zones, stub
zones, and conditional forwarding mechanisms. The data that is stored in a secondary
zone is not in Active Directory and is, therefore, a plain text file. It's possible to protect
the file using NTFS permissions, but it is better to eliminate it completely whenever
possible.
Designing Security for Wireless Networks
It almost seems funny to discuss security and wireless in the same sentence. Wireless
networks have been notorious for their lack of security. Certainly the Institute of
Electrical and Electronic Engineers (IEEE) could not have imagined the security needs of
today's world when they developed the 802.11 standard for wireless communication.
Furthermore, government controls have made it difficult to use high-strength encryption
until recently. All of this results in a wireless standard that is still in its infancy in regard
to security. Windows Server 2003 has tools that assist you in setting up a wireless
security policy for your network. Figure 4.5 shows the Wireless Network policy
configuration tool in Windows Server 2003 security. This policy shows the default setting
Use Windows to configure wireless network settings for clients. With this setting enabled,
clients can connect to existing wireless networks, change wireless network connection
settings, configure new wireless connections, and specify preferred wireless networks
through the Wireless Networks tab on their computers equipped with a wireless network
interface card.
Figure 4.5. You can set wireless access policies to meet your
needs.
Although there is no way to keep a wireless network as secure as a wired network, the
benefits and convenience of wireless networks have caused many improvements in
security. Wireless security can be divided into two major varieties:
You can further secure your wireless network if you also use the strengths of Active
Directory and Certificate Services to your advantage. Microsoft recommends the use of
one of the three following methods:
802.1x with PEAP can use Microsoft Challenge Handshake Protocol version 2 (MS-CHAPv2) to provide secure password authentication without the use of certificates. This
method works best in a small environment that does not have any certificate servers and
has no other uses for certificate servers. It can also be used as an interim strategy to
deploy a wireless network before implementing a certificate infrastructure.
The most secure form of communication between networks is leased private lines that
only one organization can use. These leased lines, however, can be very expensive to
obtain and to maintain. You would also require a separate leased line to every location in
your organization or any organization with which you do business. As you can see, this
could quickly become cost prohibitive.
Instead of leased private lines, many organizations have opted to use the Internet or
other types of telephone lines to make their connections between networks. We now
discuss the two main methods of communication between offices:
PPTP allows multiprotocol traffic to be encrypted and then encapsulated into an IP header
and sent across an organization's IP internetwork or a public IP internetwork such as the
Internet. PPTP encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams, and
it can be used for remote access and for router-to-router communications between
networks. PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data between
two Microsoft systems. PPTP is documented in RFC 2637.
PPTP uses a TCP connection for tunnel management. It also uses a modified version of
Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data.
Furthermore, the payloads of the encapsulated PPP frames can be encrypted and/or
compressed. Figure 4.6 shows a packet encapsulated with PPTP.
L2TP allows multiprotocol traffic to be encrypted and then sent across any medium that
supports point-to-point datagram delivery, such as IP, X.25, Frame Relay, or
Asynchronous Transfer Mode (ATM). L2TP is a combination of PPTP and Layer 2
Forwarding (L2F), a technology proposed by Cisco Systems, Inc. It represents the best
features of PPTP and L2F. L2TP can be used through private networks or over the
Internet when configured with IP as its data transport protocol, as documented in RFC
2661.
L2TP over IP internetworks uses UDP and a series of L2TP messages for tunnel
management. It also uses UDP to send L2TP-encapsulated PPP frames as the tunneled
data. The payloads of encapsulated PPP frames can be encrypted and/or compressed.
The Microsoft implementation of L2TP does not use MPPE to encrypt the PPP payload and
instead can use IPSec with Encapsulating Security Payload (ESP) for encryption. This
combination is referred to as L2TP/IPSec and is described in RFC 3193. Figure 4.7 shows
a packet encapsulated with L2TP.
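In place of the packet diagrams in Figures 4.6 and 4.7, here is an added example (not from the book) that parses the two headers just described: the enhanced GRE header PPTP uses for tunneled PPP frames (RFC 2637) and the L2TP header carried in UDP (RFC 2661). The bit layouts are taken from those RFCs; the sample packets and the short PPP frame they carry are constructed for this example.

```python
import struct

GRE_PPTP_PROTOCOL = 0x880B  # protocol type in PPTP's enhanced GRE header (RFC 2637)

# Constructed PPP frame fragment (address/control bytes, IP protocol id, start of IP header)
PPP_FRAME = b"\xff\x03\x00\x21\x45\x00"


def parse_pptp_gre(data):
    """Parse the enhanced GRE header that carries PPTP tunneled data.
    Layout: flags/version (2), protocol type (2), payload length (2), call id (2),
    then optional sequence number (4, if S bit) and acknowledgement (4, if A bit)."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    hdr = {
        "key_present": bool(flags & 0x2000),  # K bit: payload length + call id present
        "seq_present": bool(flags & 0x1000),  # S bit: sequence number follows
        "ack_present": bool(flags & 0x0080),  # A bit: acknowledgement number follows
        "version": flags & 0x0007,            # must be 1 for PPTP
        "protocol": proto,
        "payload_len": payload_len,
        "call_id": call_id,
    }
    if hdr["version"] != 1 or proto != GRE_PPTP_PROTOCOL or not hdr["key_present"]:
        raise ValueError("not a PPTP enhanced GRE header")
    offset = 8
    if hdr["seq_present"]:
        hdr["seq"] = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if hdr["ack_present"]:
        hdr["ack"] = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    hdr["payload"] = data[offset:offset + payload_len]
    if len(hdr["payload"]) != payload_len:
        raise ValueError("payload shorter than declared length")
    return hdr


def parse_l2tp(data):
    """Parse an L2TPv2 header (RFC 2661 section 3.1).
    Flags word: T L x x S x O P x x x x Ver; then optional length, tunnel id,
    session id, optional Ns/Nr, optional offset size and padding."""
    if len(data) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", data[:2])[0]
    hdr = {
        "control": bool(flags & 0x8000),         # T bit: control message, not data
        "length_present": bool(flags & 0x4000),  # L bit
        "seq_present": bool(flags & 0x0800),     # S bit: Ns/Nr present
        "offset_present": bool(flags & 0x0200),  # O bit
        "priority": bool(flags & 0x0100),        # P bit
        "version": flags & 0x000F,
    }
    if hdr["version"] != 2:
        raise ValueError("not an L2TPv2 header")
    offset = 2
    if hdr["length_present"]:
        hdr["length"] = struct.unpack("!H", data[offset:offset + 2])[0]
        offset += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    if hdr["seq_present"]:
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
    if hdr["offset_present"]:
        pad = struct.unpack("!H", data[offset:offset + 2])[0]
        offset += 2 + pad
    end = hdr.get("length", len(data))  # length covers the whole L2TP message
    hdr["payload"] = data[offset:end]
    return hdr


# Constructed packets: PPTP data packet with K, S and A bits set (flags 0x3081),
# call id 1, sequence 1, ack 0; L2TP data message with L bit set (flags 0x4002).
PPTP_SAMPLE = struct.pack("!HHHHII", 0x3081, GRE_PPTP_PROTOCOL,
                          len(PPP_FRAME), 1, 1, 0) + PPP_FRAME
L2TP_SAMPLE = struct.pack("!HHHH", 0x4002, 8 + len(PPP_FRAME), 0x1234, 1) + PPP_FRAME

if __name__ == "__main__":
    print(parse_pptp_gre(PPTP_SAMPLE))
    print(parse_l2tp(L2TP_SAMPLE))
```

Both parsers return the inner PPP frame in the clear because neither GRE nor L2TP encrypts anything by itself: the confidentiality the chapter attributes to these tunnels comes from MPPE inside the PPP payload (PPTP) or from the IPSec ESP wrapper (L2TP/IPSec), which is why a capture of plain L2TP over UDP 1701 without ESP is something a defender should treat as a misconfiguration.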
• Provides more complete security— IPSec ESP provides proof that the data was
sent by the authorized user, proof that the data was not modified in transit,
prevention from resending a stream of captured packets, and prevention from
interpreting captured packets without the encryption key. These are known as
Demand-Dial Routing
Another method of connecting offices without using expensive private lines is to use
other types of lines provided by your telephone service provider. These could be regular
telephone lines or even Integrated Services Digital Network (ISDN) lines. These lines are
much less expensive than other leased lines. You can configure your routers to
automatically make use of these lines when they need to deliver a packet that requires
their use. This concept is called demand-dial routing (DDR).
Although the concept of demand-dial routing is fairly simple, the actual configuration can
be relatively complex. This complexity is caused by the fact that the connections must be
able to find and authenticate to their respective network counterparts. This requires a
specific configuration. This configuration can be created on a router, or you can configure
a Windows Server 2003 computer to act as a router. Figure 4.8 shows some of the
connection settings in the Demand-Dial Interface Wizard for creating a demand-dial
interface in Routing and Remote Access.
Figure 4.8. You can use a wizard in Routing and Remote Access to
assist you in creating demand-dial routing connections.
• Authentication and authorization of the caller— Just as for a user calling in,
the outbound connection must be authorized and the user account must be
authenticated. Therefore, you must set up the credentials for the user account
within the configuration (see Figure 4.10). Authorization is based on dial-in
permissions and remote access policies for the user account that you create.
• Configuration of static routes— You should not use dynamic routing protocols
to configure temporary DDR connections. Therefore, you must add the static
routes to the routing tables so the routers will be aware of the subnet(s)
accessible by DDR (see Figure 4.12). You can accomplish this manually or by
using autostatic updates.
Figure 4.12. You need to configure the static routes that the
connection will use.
The basics of providing a secure extranet are to ensure that you are communicating with
the organization that you think you are and that the organization only has the access
that you authorize. For example, you probably would not want the partner to be able to
access payroll records or other confidential data. The extranet must allow them access to
what you configure but prohibit access to anything else.
Windows Server 2003 includes many tools to assist you in creating and maintaining a
secure extranet. You can use these tools individually or in combination with each other.
The tools that you need to be familiar with include the following:
The SSL protocol works at the Application layer of the OSI reference model and can
provide secure, Web-based connections and transactions. Your users and partners can
access the secure Web sites that you configure. SSL uses port 443 and can be accessed
using Hypertext Transfer Protocol Secure (HTTPS) indicated by https://. You can
require a user to input their username and password when entering a secure site.
Tunneling Protocols
As we discussed previously, you can use the tunneling protocols of PPTP and L2TP to
secure communications between networks. Your choice of protocol is determined by your
own server and client capabilities and those of your partner. You need to choose the
most secure protocol that is common to both.
Certificates assure you that the entity is who he says he is and allow you to authenticate
and authorize a connection. Certificates can be used to protect the integrity of a message
as well. The sender can use software to sign the message with his private key. When the
intended receiver receives the message, she can confirm the signature with the sender's
public key. If she cannot confirm the signature, either the message is not from the
sender or it has been changed in transit. We discuss more about using certificates in the
section titled "Designing a Strategy for Cross-Certification of Certificate Services" later in
this chapter.
IPSec
As mentioned previously, IPSec can be used to improve security within a network as well
as between networks. When you use IPSec between networks, you use tunnel mode. This
creates a logical path for the packets to follow and encrypts the packets while they are in
the tunnel. If you use the Server (Request Security) setting for IPSec, the computers
that are on the other network can negotiate the most secure connection possible.
Multiple Firewalls
You can use multiple firewalls or a firewall that is multipronged to set up an area that
isn't really inside your network or outside of your network. This area is referred to as a
perimeter network or demilitarized zone (DMZ). You should place servers that users and
partners need to access from inside the network as well as outside of the network into
the perimeter network. These might include Web servers, email servers, and FTP servers.
Other servers that might go in the perimeter network include an intrusion detection
system (IDS) server or a bastion host server. You should never place your domain
controllers or database servers in the perimeter network as they always need to be
protected on the inside of all firewalls. You can configure your firewalls with the correct
port filters to allow your partner access to the servers that they need while secluding
them from the rest of your network.
Active Directory
Active Directory has built-in security mechanisms that authenticate and authorize any
user who has an account. Why not use that to your advantage? You can create accounts
for your partner company in your Active Directory. You need to create these accounts in
a separate OU or even a separate domain so they can be managed and secured together.
You can assign these users permissions just as if they were your own employees. You
can create groups for these users or add them to your existing groups. You should make
your decisions based on delegation of authority over the accounts and distribution of
Group Policy to the accounts.
You can even create a trust between yourself and a partner who does not have a
Windows-based network. Because Active Directory is based on Kerberos authentication, a
Kerberos v5 realm in a non-Windows-based network is analogous to a Windows Server
2003 domain. You can, therefore, establish a trust with a Kerberos v5 realm using the
Active Directory Domains and Trusts tool shown in Figure 4.13.
You should use a separate domain for your partner if your partner
requires different account policies, such as password and account
lockout policies. You should use a separate OU in one of your domains
in all other instances for easier management.
Although this sounds rather simple, in practice it can get a bit tricky. You must ensure
the certificates that you issue do not create any unintended consequences. For example,
when you extend the boundaries of your PKI beyond your own organization, you could
inadvertently create an unplanned trust relationship. In other words, if you decide to
trust another company but it also trusts yet another company, you could end up trusting
an entity you don't even know about. If A is a trusted entity to B and B is a trusted entity
to C, couldn't A be a trusted entity to C as well? Also, because your certificates are for
your trusted employees, the certificates might be too encompassing to give to another
organization.
To protect against these unintended side effects of extending your PKI, you can use
certification authority (CA) constraints to define limits on your cross-certification
relationships. You can configure these constraints in Windows Server 2003 Certificate
Services.
• Basic constraints
• Name constraints
• Issuance policies
• Application policies
• Policy mapping
Basic Constraints
Basic constraints define the certification path length required. They allow an application
to determine whether a certificate is a CA certificate or an end certificate. The certificate
chain uses CA certificates to build certificate paths. End certificates cannot be built upon.
You can also use basic constraints to limit the number of CAs that can be in the chain.
This eliminates the possibility of unintentionally creating a trust relationship with
someone of which you are not aware.
Name Constraints
Name constraints allow you to specify which namespaces are permitted or excluded from
using certificates produced by your qualified subordinate CA. You can use Lightweight
Directory Access Protocol (LDAP) names, hostnames, user principal names, Uniform
Resource Identifiers (URIs), or even IP addresses.
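The two constraint types just described, basic constraints with a path length and name constraints on DNS names, as an added illustration that is not from the book: a small chain-validation routine over dictionaries standing in for certificates. It models only the constraint processing of RFC 5280 section 6.1 (signatures and validity periods are assumed to have been checked elsewhere), and every CA name and DNS name in it is constructed.

```python
def dns_in_subtree(name, subtree):
    """RFC 5280 DNS name constraint: a name matches a subtree when it equals the
    subtree or adds labels to its left (www.partner.example is in partner.example)."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def validate_chain(chain):
    """Walk a chain ordered root first, leaf last, and enforce basic and name
    constraints. Returns (ok, reason)."""
    if not chain:
        return (False, "empty chain")
    max_path_len = len(chain)   # upper bound; pathLenConstraint can only lower it
    permitted = []              # one set per imposing CA; a name must satisfy every set
    excluded = set()            # union of all excluded subtrees seen so far
    for i, cert in enumerate(chain):
        # Name constraints imposed by earlier CAs apply to this certificate's names.
        for dns in cert.get("san_dns", []):
            if any(dns_in_subtree(dns, ex) for ex in excluded):
                return (False, f"{cert['subject']}: {dns} is in an excluded subtree")
            for subtrees in permitted:
                if not any(dns_in_subtree(dns, p) for p in subtrees):
                    return (False, f"{cert['subject']}: {dns} is outside permitted "
                                   f"subtrees {sorted(subtrees)}")
        if i == len(chain) - 1:
            break  # the leaf issues nothing, so no CA checks apply to it
        if not cert.get("is_ca"):
            return (False, f"{cert['subject']}: not a CA certificate but used to issue")
        if cert["subject"] != cert["issuer"]:   # self-issued certs do not consume depth
            if max_path_len <= 0:
                return (False, f"{cert['subject']}: path length constraint exceeded")
            max_path_len -= 1
        plc = cert.get("path_len")
        if plc is not None and plc < max_path_len:
            max_path_len = plc
        if cert.get("permitted_dns"):
            permitted.append(set(cert["permitted_dns"]))
        excluded |= set(cert.get("excluded_dns", []))
    return (True, "chain satisfies basic and name constraints")


# Constructed certificates. CROSS is the cross-certificate our root issues to the
# partner CA: path length 0 (the partner may issue end certificates only) and a
# name constraint limiting it to the partner's own DNS namespace.
ROOT = {"subject": "CN=Contoso Root CA", "issuer": "CN=Contoso Root CA", "is_ca": True}
CROSS = {"subject": "CN=Partner CA", "issuer": "CN=Contoso Root CA", "is_ca": True,
         "path_len": 0, "permitted_dns": ["partner.example"]}
PARTNER_SUB = {"subject": "CN=Partner Issuing CA", "issuer": "CN=Partner CA", "is_ca": True}
GOOD_LEAF = {"subject": "CN=vpn.partner.example", "issuer": "CN=Partner CA",
             "san_dns": ["vpn.partner.example"]}
STRAY_LEAF = {"subject": "CN=www.thirdparty.example", "issuer": "CN=Partner CA",
              "san_dns": ["www.thirdparty.example"]}
DEEP_LEAF = {"subject": "CN=mail.partner.example", "issuer": "CN=Partner Issuing CA",
             "san_dns": ["mail.partner.example"]}

if __name__ == "__main__":
    print(validate_chain([ROOT, CROSS, GOOD_LEAF]))
    print(validate_chain([ROOT, CROSS, STRAY_LEAF]))
    print(validate_chain([ROOT, CROSS, PARTNER_SUB, DEEP_LEAF]))
```

The third chain is the unintended-trust case from the text: the partner has cross-certified a further CA of its own, and without the path length constraint on the cross-certificate that CA's certificates would chain up to your root.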
Issuance Policies
Issuance policies can be used to define the extent to which your organization trusts the
identity presented in a certificate. For example, you could set an issuance policy
stipulating that you only trust certificates that were issued during a face-to-face meeting
with a network administrator, such as when a smart card certificate is issued.
You can use object identifiers to describe the issuance policy that you define. When you
include an issuance policy object identifier in an issued certificate, you are indicating that
the certificate was issued in a manner that meets the issuance requirements associated
with the issuance policy object identifier. The object identifier indicates the extent to
which your organization trusts the identity presented in the certificate. These can be
considered as low, medium, or high. Each trust level has its own object identifier. Table
4.2 shows the object identifiers used in Windows Server 2003.
Application Policies
Typically, certificates provide information that is more global in nature than one
application. You can use application policies to define that a certificate can be used only
by a specific application or applications. Applications can also be written to accept usage
only if the user presents a certain type of certificate. An application policy uses a specific
object identifier to indicate the applications with which the certificate can be used.
Policy Mapping
As mentioned previously, your policies are not likely to be exactly the same as another
organization's policies. Even if your basic requirements are the same, your object
identifiers are specific to your forest; therefore, any constraints that you use will be
different than theirs. You first need to negotiate with your partner organization as to
which policies can be considered equivalent. You might then need to install a common
subordinate CA that contains the policies, policy mappings, and any constraints on which
you have agreed.
• A. Packet level
• B. Circuit level
• C. Stateful inspection
• D. Application level
A1: Answer D is correct. Application-level filtering can identify and modify packets.
Packet-level filtering identifies packets by their port address but does not modify
packets; therefore, answer A is incorrect. Circuit-level filtering examines the
session but does not modify packets; therefore, answer B is incorrect. Stateful
inspection can examine many aspects of the packet, including the source and
destination, but does not modify packets; therefore, answer C is incorrect.
Q2 In what ways can IPSec be used to secure data for JCMW? (Choose two.)
A2: Answers B and C are correct. IPSec can encrypt data sent within a LAN or
between LANs. IPSec does not encrypt data stored on hard drives, EFS does;
therefore, answer A is incorrect. IPSec does not restrict users from logging on to
servers—Active Directory Permissions do this—therefore, answer D is incorrect.
Q3 Which type of IPSec policy will allow each client to negotiate with the server to
determine the strongest levels of security for communication?
• A. Transport mode
• B. Secure Server
• C. Server
• D. Client (Respond Only)
A3: Answer C is correct. Server is a default IPSec policy that allows each client to
negotiate with the server to determine the strongest level of security common to
both. Transport mode is a configuration of IPSec that is used within a network
and is not a type of IPSec policy; therefore, answer A is incorrect. Secure Server
policies require a client to meet all of the requirements of the server for
communication to continue; therefore, answer B is incorrect. Client (Respond
Only) policies are set on the client to respond to the server's requests or
requirements; therefore, answer D is incorrect.
Q4 What methods should you recommend for JCMW to secure its DNS databases?
(Choose two.)
• A. 802.11
• B. 802.1x
• C. 802.3
• D. 802.5
A5: Answer B is correct. 802.1x and a RADIUS server can be used for secure
authentication on a wireless network. 802.11 is a wireless protocol that provides
a link but does not provide security; therefore, answer A is incorrect. 802.3 is
the protocol specification that wired Ethernet uses and is not a wireless
specification; therefore, answer C is incorrect. 802.5 is the specification for the
Token Ring network; therefore, answer D is incorrect.
Q6 Which tunneling protocol should JCMW use to take advantage of the built-in
MPPE encryption mechanism and assure that even their pre-Windows 2000 client
can use the security?
• A. L2TP
• B. HTTP
• C. PPTP
• D. PPP
A6: Answer C is correct. PPTP uses a built-in MPPE encryption mechanism. L2TP does
not use MPPE; therefore, answer A is incorrect. HTTP is used for browsing the
World Wide Web and is not a tunneling protocol; therefore, answer B is incorrect.
PPP is used to send data over telephone lines; therefore, answer D is incorrect.
Q7 You decide to recommend creating accounts for some JCMW partners; however,
their accounts will not have the same account policies as yours. Into which type
of container should you place the new accounts?
• A. New domain
• B. Existing OU
• C. New OU
• D. New forest
A7: Answer A is correct. You should place the new accounts in a new domain to
control account policies. You cannot control domain account policies from an OU;
therefore, answers B and C are incorrect. You do not need a new forest and, in
fact, it would only complicate matters further; therefore, answer D is incorrect.
Q8 Which of the following are advantages of L2TP over PPTP? (Choose two.)
A8: Answers B and C are correct. L2TP can be used on many types of networks, not
just those that are IP based. L2TP does encrypt data at the Data Link layer, well
below the Application layer. L2TP does not provide a built-in encryption
mechanism, but it can use IPSec; therefore, answer A is incorrect. L2TP with
IPSec cannot be used with pre-Windows 2000 Professional clients; therefore,
answer D is incorrect.
Q9 Which type of constraint should JCMW use on qualified secondary CAs to limit the
number of CAs in a chain and, thereby, eliminate unintended trusts?
• A. Basic
• B. Name
• C. Application policy
• D. Issuance policy
Q10 Which tool should you use to create a relationship between a Windows Server
2003 domain and a Kerberos realm?
A10: Answer D is correct. Active Directory Domains and Trusts should be used to
create all trust relationships. Active Directory Users and Computers is used to
manage the logical aspects of Active Directory, such as domains and OUs;
therefore, answer A is incorrect. Computer Management is used to manage
network infrastructure and computer services; therefore, answer B is incorrect.
Active Directory Sites and Services is used to view the physical aspects of Active
Directory, such as sites and subnets; therefore, answer C is incorrect.
With Windows Server 2003 and IIS 6.0, Microsoft has turned the security paradigm
upside down. IIS 6.0 installs "locked down" in regard to most services and protocols.
Although this is a positive in regard to security, you need to know how to open up some
of the services so that you can use the server as it was intended.
In this chapter, we discuss server-specific security. We first discuss our options for user
authentication to IIS 6.0. Then, we discuss security methods used for IIS 6.0 in general.
Finally, we look at the concept of a security baseline in regard to Web servers and other
types of server roles, such as a domain controller, terminal server, and email server.
Windows Server 2003 IIS 6.0 addresses the issue of authentication by providing multiple
methods for a user to prove that he is who he says he is. You can configure each Web
site in the Directory Security properties of the site. You choose the appropriate methods
based on your security policies and the other resources available on your network. The
authentication methods from which you can choose include the following:
• Anonymous
• Basic
• Digest
• Advanced Digest
• Integrated Windows
• Certificate
• UNC Passthrough
• RADIUS
• .NET Passport
Anonymous
Anonymous authentication allows users to access the resources on your Web or FTP site
without requiring a username or password. These are also referred to as credentials. All
users use the same account, which is installed with IIS and named IUSR_computername,
where computername is the name of the computer on which IIS is installed, as shown in
Figure 5.1. This user account is included in the Guests user group. You need to set the
permissions for this account so that anonymous users have very restricted access. The
main value of this account is that users do not have to use credentials to get to
information that was supposed to be available to them in the first place. Not having to
use their username and password (which might also apply to other resources) greatly
decreases the risk of someone stealing their credentials.
Basic
You should use Basic authentication only as a last resort. With Basic authentication, the
user is prompted to enter his credentials. The system then compares the credentials with
the accounts in its database. If the credentials match one of the accounts, the user is
permitted access. If not, the user is given another chance to provide the proper
credentials. The main problem with this authentication method is that the credentials are
delivered in plain-text form and are not encrypted. Therefore, a person monitoring your
network with a sniffer could discover and then use the credentials. The system warns you
if you try to use only Basic authentication, as shown in Figure 5.2. The main advantage
of Basic authentication is that it can be used with all browsers.
Digest
Digest authentication also prompts for a user's credentials, but the credentials are then
transmitted as an MD5 hash so that the credentials cannot be sniffed. The credentials are
then decrypted and compared with the plain-text version that is stored locally on the
domain controllers. This provides a significant advantage over Basic authentication. The
main disadvantage of Digest authentication is that not all browsers support it. Users
must be using Microsoft Internet Explorer 5.0 or later to use Digest authentication. Also,
Digest authentication requires the use of Active Directory and requires that the user has
an account in your Active Directory.
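The difference between Basic and Digest on the wire, as an added example that is not from the book: a Python helper that inspects an `Authorization` header the way a defender reviewing a capture or proxy log would. For Basic it shows that the header is only an encoding of the credentials, and for Digest it verifies the response as RFC 2617 defines it, needing only HA1 = MD5(username:realm:password) on the server side rather than the password itself (that is the RFC mechanism in general, not a statement about how Windows stores credentials). The Basic header and the `tls` flag are constructed; the Digest header and its expected response value are the worked example from RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: what a client sends for user "alice" with Basic authentication.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:S3cret!").decode()

# Worked example from RFC 2617 section 3.5 (user Mufasa, password "Circle Of Life").
RFC2617_DIGEST_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

PARAM_RE = re.compile(r'(\w+)=("[^"]*"|[^,]+)')


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_authorization(header):
    """Split an Authorization header into its scheme and fields."""
    scheme, _, rest = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Base64 is an encoding, not encryption: anyone on the path recovers this.
        user, _, password = base64.b64decode(rest).decode().partition(":")
        return {"scheme": "basic", "username": user, "password": password}
    if scheme == "digest":
        params = {k.lower(): v.strip('"') for k, v in PARAM_RE.findall(rest)}
        return {"scheme": "digest", "params": params}
    return {"scheme": scheme}


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response: MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop, else MD5(HA1:nonce:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(params, method, stored_ha1):
    """Server-side check using the stored HA1; the clear-text password is never needed."""
    expected = digest_response(stored_ha1, method, params["uri"], params["nonce"],
                               params.get("nc"), params.get("cnonce"), params.get("qop"))
    return hmac.compare_digest(expected, params.get("response", ""))


def assess(header, method="GET", stored_ha1=None, tls=False):
    """Classify a request's authentication from a defender's point of view."""
    info = parse_authorization(header)
    if info["scheme"] == "basic":
        info["exposed_on_wire"] = not tls
        info["finding"] = ("credentials readable by any on-path observer" if not tls
                           else "credentials protected only by the TLS session")
    elif info["scheme"] == "digest":
        info["exposed_on_wire"] = False
        info["valid"] = verify_digest(info["params"], method, stored_ha1) if stored_ha1 else None
    return info


if __name__ == "__main__":
    print(assess(BASIC_HEADER))
    ha1 = md5_hex("Mufasa:testrealm@host.com:Circle Of Life")
    print(assess(RFC2617_DIGEST_HEADER, method="GET", stored_ha1=ha1))
```

Two things worth noticing when running it: a Digest response is bound to the method and URI, so the same header replayed against a different request fails verification, and `hmac.compare_digest` is used for the comparison so that verification time does not leak how many leading characters matched.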
Advanced Digest
Advanced Digest authentication is very similar to Digest authentication except that the
credentials are stored on the domain controllers as an MD5 hash. This means that they
are protected even from someone who can gain physical access to the domain
controllers, such as a rogue administrator. Advanced Digest is new to Windows Server
2003 and requires that the domain controller and the IIS server both be running a
member of the Windows Server 2003 family. Clients need to have Internet Explorer 5.0
or later. Clients are prompted to enter a username and a password, which are encrypted.
Integrated Windows
When you use Integrated Windows authentication, clients who are already logged on to
the domain are not prompted for a username and password. Instead, the information
that they already have on their access token is used to determine whether they should
have access to the Web or FTP site. The system then uses the Kerberos authentication
system built in to Windows Server 2003 to validate the request and provide access to the
resource. Clients and servers prior to Windows 2000 can use the NTLM version of
Integrated Windows. Integrated Windows works best in a LAN environment because it
does not work over HTTP proxy connections. If Integrated Windows fails, the client is
prompted for his credentials. You can also use Integrated Windows authentication in
addition to Anonymous authentication, as shown in Figure 5.3. In this case, Integrated
Windows runs first and gives the user a chance to use higher credentials if they are
available with his current logon.
Certificate
You can use server certificates to let users authenticate your Web site and to prove
your identity to them before they submit private information, such as credit card numbers
and Social Security numbers. Likewise, you can use client certificates to authenticate
users who request access to your Web site. Secure Sockets Layer (SSL) authenticates a
client by checking the content of a digital certificate that the client obtained from you or
from a third party trusted by both you and the client; the client proves possession of the
matching private key during the SSL handshake.
You can map a client certificate to a user account on your server. That way, when a
client logs on with a client certificate, she gains the access granted to the mapped
account. You can use the tools provided by Internet Explorer 5.0 and IIS to prepare a
certificate for mapping and then map it to a user account. You can use two types of
mapping: one-to-one, in which each certificate maps to one account, and many-to-one, in
which rules on certificate fields map any matching certificate to one account. Each has
advantages and disadvantages.
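How the two mapping types decide which account a certificate gets is easiest to see in code. The following added example (not from the book or from IIS; the certificates, thumbprints, accounts and rules are all constructed) models one-to-one mapping as an exact thumbprint lookup and many-to-one mapping as an ordered list of rules on issuer and subject fields, first match wins. It also includes a deliberately sloppy rule that matches only on the subject OU, to show why many-to-one rules should pin the issuer.

```python
# Constructed certificates, already parsed into their name fields (no X.509 parsing here).
JANE = {"thumbprint": "3f2a9c11d4e0",
        "issuer": {"O": "MTX", "CN": "MTX Issuing CA"},
        "subject": {"O": "MTX", "OU": "Engineering", "CN": "Jane Doe"}}
PARTNER_DEV = {"thumbprint": "77b0e5a2c9f1",
               "issuer": {"O": "Partner Inc", "CN": "Partner CA"},
               "subject": {"O": "Partner Inc", "OU": "Software Development", "CN": "Raj Patel"}}
# Same subject text as a partner developer, but issued by an unrelated CA.
ROGUE = {"thumbprint": "0badc0ffee12",
         "issuer": {"O": "Free Certs Ltd", "CN": "Anyone CA"},
         "subject": {"O": "Partner Inc", "OU": "Software Development", "CN": "Mallory"}}

# One-to-one: this exact certificate (by thumbprint) is this account.
ONE_TO_ONE = {"3f2a9c11d4e0": "MTX\\jdoe"}

# Many-to-one: ordered rules; every listed field must match; first matching rule wins.
GOOD_RULES = [
    {"match": {"issuer.O": "Partner Inc", "subject.OU": "Software Development"},
     "account": "MTX\\partner-dev"},
    {"match": {"issuer.O": "MTX"}, "account": "MTX\\mtx-staff"},
]
# Pitfall: no issuer constraint, so any trusted CA that will put this OU in a subject qualifies.
SLOPPY_RULES = [
    {"match": {"subject.OU": "Software Development"}, "account": "MTX\\partner-dev"},
]


def field(cert, path):
    """Look up 'issuer.O' or 'subject.OU' style paths in a parsed certificate."""
    part, name = path.split(".")
    return cert[part].get(name)


def map_certificate(cert, one_to_one=ONE_TO_ONE, rules=GOOD_RULES):
    """Return (account, mapping_type); one-to-one entries take precedence over rules."""
    account = one_to_one.get(cert["thumbprint"])
    if account:
        return account, "one-to-one"
    for rule in rules:
        if all(field(cert, path) == value for path, value in rule["match"].items()):
            return rule["account"], "many-to-one"
    return None, "unmapped"
```

IIS only considers client certificates that chain to a CA the server trusts, so the sloppy rule is dangerous precisely when that trust list is broad (for example, every public CA shipped with the operating system). One-to-one mapping avoids the problem but must be updated each time a certificate is renewed, which is the trade-off the text refers to.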
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is an industry-standard protocol
described in RFCs 2865 and 2866. It provides centralized authentication, authorization,
and accounting for multiple remote access servers. To use RADIUS, you first install the
Internet Authentication Service (IAS) on a member of the Windows Server 2003 family.
You then configure your remote access servers as RADIUS clients of the server that hosts
IAS; each client shares a secret with the IAS server that protects the RADIUS exchange.
IAS authenticates the remote access clients against Active Directory and authorizes their
use of resources according to remote access policy. The main advantage of RADIUS
authentication is that organizations with many RAS servers can centralize authentication,
authorization, and accounting: remote access policies are maintained on one server to
ensure that they are uniform across the organization. Wireless access points (WAPs) can
also become RADIUS clients and authenticate wireless users through Active Directory.
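What the shared secret actually does is worth seeing at the packet level. The following added example (not from the book or from IAS; the secret, account store and credentials are constructed) builds an RFC 2865 Access-Request in Python with the User-Password attribute hidden as the RFC specifies, lets a toy "IAS" decode it and answer Accept or Reject, and verifies the Response Authenticator on the client side so that a forged Access-Accept is rejected.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def _md5(*parts):
    h = hashlib.md5()
    for p in parts:
        h.update(p)
    return h.digest()


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous block), the first 'previous block' being the Request Authenticator."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret the result is garbage, not an error."""
    pw, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        pw += bytes(x ^ y for x, y in zip(chunk, _md5(secret, prev)))
        prev = chunk
    return pw.rstrip(b"\x00").decode(errors="replace")


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)      # must be unpredictable per request
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    attrs, i = {}, 20
    while i < length:
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return code, identifier, data[4:20], attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + _md5(header, request_auth, attrs, secret) + attrs


def verify_response(response, request, secret):
    """The RADIUS client recomputes the Response Authenticator before trusting an Accept."""
    _, req_id, request_auth, _ = parse_packet(request)
    _, resp_id, resp_auth, _ = parse_packet(response)
    expected = _md5(response[:4], request_auth, response[20:], secret)
    return resp_id == req_id and resp_auth == expected


def ias_handle(request, secret, directory):
    """Toy IAS: unhide the password, check it against a constructed account store, answer."""
    code, _, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        return None
    user = attrs[USER_NAME].decode()
    ok = directory.get(user) == reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


SHARED_SECRET = b"Constructed-shared-secret"      # assumption: one secret per RADIUS client
ACCOUNTS = {"jdoe": "Winter2004!"}                # constructed stand-in for Active Directory
```

Two things follow from the construction. The password is protected only by MD5 keyed with the shared secret and a fresh Request Authenticator, so use a long secret per RADIUS client, keep the RADIUS traffic on a protected network or IPSec, and prefer EAP methods that never put the password in User-Password at all. And the Response Authenticator is the only thing stopping an attacker on the path from injecting an Access-Accept, which is another reason the secret must stay secret.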
.NET Passport
The .NET Passport authentication method is new to Windows Server 2003. Clients are
authenticated through the central servers provided by Microsoft. You only need to
configure the default domain to locate the user on the central servers. When the client
attempts to authenticate and the server is set to .NET Passport authentication, the
request is sent in encrypted form to the central servers maintained by Microsoft at
www.passport.net. The user is then authenticated based on the account information on
www.passport.net's servers at the default domain that you configured, as shown in
Figure 5.4. This does not give the client any permissions, but only authenticates the
client. The servers that host each Web site control permissions locally.
IIS does not install by default on any member of the Windows Server
2003 family.
Your goal is to enable only the services that your users require while maintaining as
much of the locked-down mode as possible. This requires that you understand and are
able to implement the following tasks:
To allow services such as ASP to run, open the Web Service Extensions node in IIS 6.0,
select the service, and then select Allow. In addition to the Web services extensions
listed by default, you can add new Web service extensions and specify the files required
to run them, as shown in Figure 5.5. In this way, you can enable only the necessary
executable files and DLLs to run. This allows you to run your applications while keeping
the system locked down to attackers who might otherwise attempt to run executables on
your servers.
NTFS
Just as with other files and directories, you can use NTFS permissions to limit a user's
access to files and directories stored on a Web server. Apply least privilege: users (and
the anonymous account, if Anonymous authentication is enabled) should not have Read
access to any file that they have no legitimate need to use.
Web site permissions are specific to a site and apply to all users accessing the site
regardless of any individual permissions they might have. Web permissions control
access to the virtual directories where the folders and files are stored. Web site
permissions are found on the Home Directory tab of a site's properties and include Read,
Write, Script source access, and Directory browsing, as shown in Figure 5.6.
Figure 5.6. Web site permissions are specific to a site and apply to
all users accessing the site regardless of any individual
permissions they might have.
Using IP address and domain name restrictions, you can grant or deny access to your
Web site, or to individual virtual directories, by a single IP address, by a subnet (network
ID and subnet mask), or by a domain name. You set a default of granted or denied access
and then list the exceptions. In this way, you can control access both from your intranet
and from the Internet. IP address restriction settings are shown in Figure 5.7.
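The default-plus-exceptions logic of that dialog is easy to get backwards, so here it is as an added example (not from the book or from IIS; the addresses and policies are constructed). It models the IP-address part of the restriction list with Python's ipaddress module, which accepts the same "network ID / subnet mask" notation the IIS dialog uses.

```python
import ipaddress


class IPRestrictions:
    """Model of the IIS IP address restriction list: a default (granted or denied) plus
    exceptions, each a single address or a network ID with a subnet mask or prefix."""

    def __init__(self, default_granted, exceptions):
        self.default_granted = default_granted
        self.exceptions = [ipaddress.ip_network(e, strict=False) for e in exceptions]

    def allows(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        matched = any(ip in net for net in self.exceptions)
        # An exception inverts the default: denied-by-default + match => allowed, and vice versa.
        return (not matched) if self.default_granted else matched


# Constructed policies; the address ranges are assumptions, not from the page.
INTRANET_ONLY = IPRestrictions(default_granted=False,
                               exceptions=["10.0.0.0/255.0.0.0", "192.168.1.0/255.255.255.0"])
BLOCK_ONE_NET = IPRestrictions(default_granted=True,
                               exceptions=["203.0.113.0/24", "198.51.100.7"])


def check(policy, addresses):
    """Evaluate a policy against a list of client addresses; returns {address: allowed}."""
    return {a: policy.allows(a) for a in addresses}
```

IIS applies this check before any authentication, so it is a cheap first filter, but the client address is whatever arrives at the server: clients behind a proxy or NAT share one address, and a "denied" list is trivially bypassed from any address you did not think to list. Treat it as a supplement to authentication and NTFS permissions, never as a replacement.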
You can use the tools provided by Windows Server 2003 to establish a baseline, which
indicates what a "healthy" IIS server looks like in respect to the main resources that all
servers use. You can then use the baseline to determine whether the server is
performing as expected. The following is a list of tools that you can use to monitor the
IIS server and the general use of each tool:
• System Monitor— You can use this built-in Microsoft Management Console
(MMC) to establish a baseline. It can then be used to determine the cause of
bottlenecks and to fine-tune system and application performance by comparison
to the baseline.
• Event Viewer— You can use this tool to log service records, such as errors, or
even the successful starting of a service. Working automatically in the
background, this tool creates a log that you can use to determine the series of
events that preceded a problem.
• Network Monitor— You can use this tool to capture a packet stream and
examine the packets in detail. An abbreviated version is built in to Windows
Server 2003, but a complete version comes with Microsoft Systems Management
Server.
• Log Manager— You should design a Web site with growth in mind. This tool
provides for capacity planning and helps determine the parts of the IIS server that
are most likely to be affected by growth.
• Web Application Stress Tool— You can use this tool to generate loads on
various Internet services to simulate multiple browsers requesting pages. This
simulation can be used to test a system before its deployment to production or to
determine the likely effects of growth over time.
As with any server, the main resources that IIS servers use are those of processor,
memory, disk subsystem, and network subsystem. Windows Server 2003 System Monitor
has many counters that relate to these critical resources. Tuning an IIS server is as much
of an art as it is a science. Sometimes, it's a matter of trial and error to get the right
balance. Having said that, there are some counters that have a standard learned over
time and tested by network administrators. You need to be familiar with the counters in
Table 5.1.
Quality of Service (QoS) is a general term that encompasses a set of standards and
methods that an organization uses to maintain a specific level of quality, integrity, and
performance in its servers. In regard to Microsoft IIS, QoS is a set of data transmission
standards that an IIS server must meet to be effective in a network. To assist in meeting
these standards and in making the most of any level of resources that a company
currently has, IIS 6.0 has controls built in to the software that can be used to conserve
resources where needed and provide more resources when needed. Most of these can be
controlled from the property tabs on a server or site. The following list describes the
controls and their general use to make the most of available resources:
• Setting connection timeouts— You can force the server to time out and break
the connection after a set amount of idle time. This frees up the resources for
another user.
• Utilizing HTTP compression— You can provide faster transmission time
between compression-enabled browsers and IIS servers by using this service. It is
useful in situations with limited bandwidth; however, it uses processor cycles to
compress and decompress the transmissions.
• Throttling bandwidth— When your Web server hosts multiple services and/or
multiple sites, you can set the amount of bandwidth that is available for each site.
This is determined by experience on your own server. If used, it must be set to at
least 1024 kilobytes/second. Figure 5.9 shows bandwidth throttled to 2000
kilobytes/second.
With IIS 6.0 running in worker process isolation mode, you can group Web applications
into application pools. Application pools do two things. First, they allow the groups of
applications to be configured with uniform settings and security as needed by the related
applications. Second, they can be used to isolate one application from another so that
one application's failing has no effect on another, unrelated application, even if the two
applications are on the same server. You can add applications to existing pools or create
new pools in IIS Manager, as shown in Figure 5.10.
IIS 5.0 isolation mode is provided for backward compatibility with applications written
for IIS 5.0 servers. You configure the AppIsolated metabase property for each
application; the options match IIS 5.0 and include low, medium, and high isolation
settings. You need to configure each application in this mode individually and take great
care in regard to security. Applications configured for low isolation run in-process under
the LocalSystem identity, so an attacker who succeeds in taking over the application has
access to all of the resources on the server. Because of the additional security risks of
IIS 5.0 isolation mode, use worker process isolation mode whenever possible.
The Manage Your Server Wizard lists the roles that the server is currently performing and
provides quick reference tools to assist in performing the role. For example, a server that
is performing as a print server has options for additional printers and additional drivers in
the Manage Your Server Wizard. These options are links that connect you to the normal
tools used to manage these configurations. The Manage Your Server Wizard also has a
quick link to Administrative Tools, Windows Update, Help and Support, and Microsoft
TechNet on the Web. Figure 5.12 shows the Manage Your Server Wizard.
Figure 5.12. The “Manage Your Server Wizard” lists the roles that
the server is currently performing.
To automate the process of checking your systems to ensure that the latest service packs
and security updates are installed, Microsoft provides another tool, the Microsoft Baseline
Security Analyzer (MBSA). MBSA scans one or more clients or servers for common
security misconfigurations and for missing security updates. It automatically checks the
operating system and other installed components, such as IIS. MBSA can perform local or
remote scans of all of the servers in the Windows Server 2003 family. It can also perform
local scans of other NT kernel-based Microsoft operating systems, including Windows NT
4.0, Windows 2000, and Windows XP. You can use MBSA in addition to Software Update
Services (SUS) to ensure that all of your servers and clients have the latest security
updates. Figure 5.13 shows MBSA configured to scan all applicable computers in an entire
domain.
• Domain controller
• File server
• DNS server
• DHCP server
• WINS server
• Terminal server
• Mail server
• IIS server
Domain Controller
Domain controllers store directory data and manage communication between users and
domains. Domain controllers are responsible for logon processes, authentication, and
directory services. The system requires a partition formatted with NTFS for the Sysvol
folder, which is used to replicate domain information. You also need to format all other
partitions on a domain controller with the NTFS file system for additional security. You
can control the security of domain controllers through Group Policy. The domain
controller object is automatically created upon installation in its own organizational unit
(OU) called the Domain Controllers OU. You need to tightly manage the Domain
Controllers OU in regard to security.
File Server
File servers centrally store users' data so it can be accessed from anywhere on the
network. Data on a file server is also safer from loss than local storage on a user's
computer because you generally back up a file server on a regular basis. Because file
servers often contain sensitive information, you need to use volumes formatted with
NTFS. You also need to secure the communications links between the file server and the
clients. Typically, a file server is a member server and not a domain controller. You can
control the security of multiple file servers by placing them into the same OU and
applying Group Policy to it.
Domain Name System (DNS) servers resolve user-friendly names to IP addresses for
communication on a network. With Windows 2000 Server and Windows Server 2003, Active
Directory also relies on special DNS records, SRV records, to locate domain controllers
and services on the network. Because this information is security sensitive, you need to
take extra precautions in the management of your DNS servers; they should be managed
only by the best-trained and most trusted administrators. They are critical to the function
of Active Directory and, therefore, to the entire network. For added security, use Active
Directory integrated DNS zones whenever possible. They store zone data in Active
Directory, where it is replicated with the directory and protected by its access control
lists, which minimizes zone transfers on the network and allows secure dynamic updates
so that only authenticated computers can register and change their own records.
Dynamic Host Configuration Protocol (DHCP) servers reduce administrative effort and
configuration mistakes by automatically assigning the IP address and other
communication settings (subnet mask, default gateway, DNS servers) to clients on your
network. Because an accurate addressing scheme is one of the main targets of an
attacker who wants to spoof your network, keep these servers very secure using NTFS
partitions and tight management. In addition, the communication between these servers
and the clients needs to be protected whenever possible.
Windows Internet Naming Service (WINS) is specific to Microsoft and is used to resolve
NetBIOS names to IP addresses for legacy clients, servers, and applications. Windows
2000 Server and Windows Server 2003 rely on DNS (including SRV records) rather than
NetBIOS names, but you still need a WINS server if any of your clients, servers, or
applications still use NetBIOS names. Without a WINS server, NetBIOS names can be
resolved only by broadcasting within each subnet. Because the information contained on
WINS servers can be sensitive, you need to secure your WINS servers and their
communications. As soon as you have no clients, servers, or applications using NetBIOS
name resolution, you should stop using WINS and uninstall the service.
Terminal Server
Terminal servers allow you to use client machines that could not otherwise support the
Windows Server 2003 operating system or installed applications. The client is, in
essence, a dumb terminal, and all of the processing is actually done on the terminal
server. Terminal Services provides for centralized management of applications because
they can be installed once on the terminal server and changed whenever a need arises.
Windows Server 2003 adds security for Terminal Services by requiring that users who
are not administrators be members of the Remote Desktop Users security group before
they can connect. You need to use NTFS-formatted volumes for all terminal servers and
encrypt communication between the server and the clients whenever possible. You can
set the required encryption level for terminal server connections in Windows Server 2003
Group Policy.
Mail Server
Mail servers implement the POP3 protocol for mail retrieval and SMTP for mail transfer.
You need to store the mail on NTFS volumes and secure the communications to and from
your mail server. You can also require that sensitive emails are encrypted using
Secure/Multipurpose Internet Mail Extensions (S/MIME). Each user needs to have his
own mailbox and should be the only user with permissions for that mailbox.
Application Server
Some application servers are also IIS servers, as mentioned previously, but some are
local application servers that can be used for your local network alone. These servers and
the services that they provide need to be secured using NTFS permissions and Group
Policy. The goal is to provide the appropriate application to the appropriate users
transparently. Users who are not permitted to use these applications should not even
have Read permissions for them.
Q1 Currently, MTX has many legacy types of browsers, including very early versions of
Internet Explorer and Netscape. If the company is not going to upgrade all
browsers, which authentication method should be used for access to files on a
public access FTP site?
• A. Anonymous
• B. Digest
• C. Advanced Digest
• D. Basic
A1: Answer A is correct. There is no reason to require a password to a public access FTP
site. Digest and Advanced Digest authentication can only be used with Microsoft
Internet Explorer 5.0 or later; therefore, answers B and C are incorrect. Basic
authentication transfers credentials in plain-text form and should only be used as a
last resort; therefore, answer D is incorrect.
Q2 MTX has decided to upgrade all Internet Explorer browsers to at least version 5.5.
The company wants to use IIS servers to authenticate users by the accounts in the
Active Directory. MTX does not want to involve any other servers. Which two
methods of authentication could be used?
• A. Certificates
• B. Digest
• C. Advanced Digest
• D. RADIUS
A2: Answers B and C are correct. Digest and Advanced Digest authenticate users against
their Active Directory accounts without any server other than IIS and the domain
controllers. Certificates would require additional servers (a certification authority) and
would not necessarily authenticate users by their Active Directory accounts; therefore,
answer A is incorrect. RADIUS authentication would require remote access servers and
an Internet Authentication Service server; therefore, answer D is incorrect.
Q3 You have just installed a new Windows Server 2003, Standard Edition server for
MTX. You installed it with the default options, and you now want to configure the
server to use ASP applications. What should you do next?
A3: Answer D is correct. With a default installation of any member of the Windows
Server 2003 family, IIS is not installed. Enabling ASP through Web services cannot
be accomplished without an installation of IIS; therefore, answer A is incorrect. ASP
is not static content, and a default installation of IIS opens the ports for static
content; therefore, answer B is incorrect. You cannot configure Web site
permissions without an installation of IIS; therefore, answer C is incorrect.
Q4 MTX has decided to install a certificate server and map accounts for third-party
users who sometimes collaborate on software development. Which two types of
certificate mapping could be used?
• A. One-to-one
• B. UNC Passthrough
• C. Many-to-one
• D. RADIUS
A4: Answers A and C are correct. One-to-one mapping associates each individual
certificate with one account. Many-to-one mapping uses rules that match certificate
fields (for example, the issuer or the subject's organization) so that any certificate
satisfying a rule is mapped to a single account. UNC Passthrough authentication is based
on a username and password and is not a form of certificate mapping; therefore, answer
B is incorrect. RADIUS authentication uses remote access servers, IAS servers, and
domain controllers, and is not a form of certificate mapping; therefore, answer D is
incorrect.
Q5 You have decided to establish a baseline for server performance on your newly
installed Windows Server 2003 IIS 6.0 server. You need information on processor,
memory, disk subsystems, and network subsystems. Which tool should you use?
• A. Performance Monitor
• B. Network Monitor
• C. Event Viewer
• D. System Monitor
A5: Answer D is correct. System Monitor is the tool in Windows 2000 Server and
Windows Server 2003 that is used to create counters and to gather information so
as to establish a baseline of performance for memory, processor, disk subsystem,
and network subsystem. Performance Monitor was used in Windows NT 4.0;
therefore, answer A is incorrect. Network Monitor can be used to examine traffic at
the packet level but not to establish a baseline of performance; therefore, answer B
is incorrect. Event Viewer creates logs that are useful for troubleshooting but not
for creating a baseline; therefore, answer C is incorrect.
Q6 Which two counters should you try to minimize to obtain the best performance from
an IIS server?
• A. % disk time
• B. Disk avg. bytes transfer/sec
• C. File cache hits
• D. Request queued
Q7 You want to ensure that after a user has authenticated to your server, he is free to
browse all of the sites to which he has permission without being asked to
authenticate again at each site. Which service should you ensure is enabled?
A7: Answer C is correct. HTTP keep-alives allow a user to authenticate to your server
once and browse all of the sites to which he has permission without requiring him
to authenticate again. Application pool queue length limits are used to ensure
maximum resource usage with application pools by setting a limit on users who can
wait for services; therefore, answer A is incorrect. Session timeouts control the
amount of time that a user can remain inactive but still be logged on to the server;
therefore, answer B is incorrect. HTTP compression speeds up connections as long
as the server and the browser are both configured for it and their processors can
handle the load; therefore, answer D is incorrect.
Q8 You have decided to upgrade all IIS servers to version 6.0. You have some
browsers that use version 5.0 and some that use 6.0. You want to use the most
secure and stable form of isolation for your IIS application servers. Which isolation
mode should you use?
• A. Worker process
• B. IIS 5.0
• C. MBSA
• D. Advanced Digest
A8: Answer A is correct. Because the IIS servers are using version 6.0, you can use
worker process isolation mode. This isolates each application in its own application
pool. You should use worker process isolation
mode instead of IIS 5.0 because you have IIS 6.0 on the server; therefore, answer
B is incorrect. MBSA is a baseline analyzer tool and not an isolation mode;
therefore, answer C is incorrect. Advanced Digest is a form of authentication for IIS
and not an isolation mode; therefore, answer D is incorrect.
Q9 You have decided to establish a baseline for security on all of your servers. You
want to ensure that you have the latest service packs and security updates for all
servers. You want to automate the process of scanning the servers for the
appropriate updates and for security misconfigurations. Which tool should you use?
Q10 Which servers resolve names to IP addresses and, therefore, require additional
security measures? (Choose two.)
• A. DNS
• B. WINS
• C. DHCP
• D. IIS
A10: Answers A and B are correct. DNS servers resolve user-friendly names to IP
addresses. WINS servers resolve NetBIOS names to IP addresses. Both, therefore,
require additional security measures to keep data safe from attackers. DHCP
servers assign IP addresses to clients but do not resolve IP addresses; therefore,
answer C is incorrect. IIS servers sometimes use IP addresses to assign a site or a
filter but do not resolve names to IP addresses; therefore, answer D is incorrect.
The main purpose of a network is to share resources, which include hardware, software,
applications, and information. Your network needs to be designed to allow for this as
transparently as possible for those who have authorization. At the same time, your
design needs to prevent those who are not authorized from using or even viewing the
objects in your directory. Windows Server 2003 provides a structure that assists you in
designing your access control strategy. In this chapter, we examine this built-in structure
and its relation to access control in the following key areas:
• Delegation of Control
• Auditing
• A G U DL P
• Permissions
• Rights
In Windows Server 2003, a user does not have to be a network administrator to handle
some network management tasks. You can use the structure of the system to delegate
the necessary control over only the appropriate objects and attributes for each user that
you designate. Windows Server 2003 Active Directory provides the means to control
every object's access to every other object. To create an effective delegation strategy,
you need to understand the concept and the use of the following components of Active
Directory:
• Objects
• Organizational units (OUs)
• Discretionary access control lists (DACLs)
• Delegation of Control Wizard
Organizational Units
An organizational unit (OU) is a container that is used to group objects into logical units.
OUs have two primary purposes. First, OUs are used to control the distribution of Group
Policies to groups of computers and users. Second, OUs are used to delegate
administrative authority. You can delegate to a user the right to manage all of the
objects that are in a certain OU. You can then determine which objects you place into the
OU.
As you might have noticed, the DACLs can be complex and confusing in regard to the
correct settings to apply for a desired result. For this reason, the Delegation of Control
Wizard focuses instead on the desired result. You simply select the tasks that you want
the user to be allowed to perform, and the wizard changes the DACLs so that the user
has the permissions to perform the selected tasks.
You can use the Delegation of Control Wizard to add tasks that a user
is delegated to perform, not to take away control. To remove control,
you need to modify the DACLs manually.
You need to understand that you cannot audit everything because it isn't practical from a
resource standpoint. Auditing consumes resources, such as processor and memory, and
reviewing audit logs takes time. Therefore, you need to set your audit policy based on
your own experience and understanding of the security needs of your own network.
You can set the audit policy for a computer through the Local Security Policy settings on
that computer, or you can control multiple computers on your network using Group
Policy. You need to be familiar with the following audit policy settings that relate to
directory services:
Account Logon Events
This setting applies only to domain controllers. It audits the computer's validation of a
user account that is logging on from another computer. You need to apply this setting
on domain controllers if you suspect that individuals other than valid users are gaining
access or attempting to gain access to your network.
Account Management
Account management audits each event in which a user account or group is created,
renamed, disabled, enabled, deleted, or changed. In addition, it audits user password
changes. You can apply this setting to an individual computer or to a group of computers
using Group Policy. You need to apply this setting if you suspect that invalid accounts are
being created or accounts are being tampered with on your network.
Directory Service Access
This setting works together with the auditing entries on individual Active Directory
objects. If you enable it, the system examines each object's system access control list
(SACL) to determine what access to audit. You need to use this setting for specific
auditing of a particular object or group of objects.
Logon Events
Logon events apply to the local logon on the computer to which the policy is applied. You
need to apply this setting if you feel that a user is inappropriately logging on to a
computer and gaining access to data and information.
Policy Change
This setting determines whether you will audit any changes to user rights assignment
policies, audit policies, or trust policies. You need to apply this setting if you feel that a
Privilege Use
Privilege use applies to a user exercising a user right. You only need to audit this setting
if you feel that a user is exceeding his given rights. In that case, you might want to apply
the setting to a specific container using Group Policy or to a specific suspected user. This
setting generates a large amount of data because the users are given many rights on a
typical network.
In most cases, with accounts located on a single computer in a workgroup, you simply
place the user account into a Local group that exists only on that computer and give the
Local group permissions for the resource. In this way, the user account gains the
permissions by being a member of the Local group. You can remember this method by
the letter sequence of A L P, which translates to "Accounts go into Local groups and then
the Local groups get Permissions."
Assigning permissions for domain accounts in Active Directory is more complicated. First,
the types of groups you can use depend on the functional level of the domain. Second,
the strategy that you use in regard to groups depends on what you want to isolate and
how you want to manage the groups. With domain accounts, in general, you can
remember the sequence of A G U DL P, which translates to "Accounts go into Global
groups, Global groups go into Universal groups, Universal groups go into Domain Local
groups, and the Domain Local groups get the Permissions." Figure 6.3 illustrates this
concept.
• Global groups
• Domain Local groups
• Universal groups
Global Groups
Global groups are created in Active Directory of one domain but can be placed into
Domain Local groups in any domain or into a Universal group. Global groups can contain
users from the domain in which they are created. They can also contain other Global
groups if the domain is in at least Windows 2000 native mode functional level. This is
called nesting Global groups.
Domain Local Groups
Domain Local groups are created in the Active Directory of one domain and are used to
control access to resources in that domain only. Domain Local groups can contain users,
but Microsoft does not recommend this. Instead, Domain Local groups should contain
Global groups from any domain in the Active Directory forest and, in a domain at the
Windows 2000 native mode functional level, Universal groups.
Universal Groups
Universal groups can only be created in a domain that is at least at the Windows 2000
native mode functional level. Universal groups are created in Active Directory (their
membership is stored in the global catalog) but are not specific to any domain.
Universal groups can, therefore, contain members from
any domain and can be used to give access to a resource in any domain. Users can be
members of Universal groups, but this is not recommended by Microsoft. Instead,
Universal group membership should be restricted to Global groups and other Universal
groups.
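The A G U DL P chain and the rules that go with each group type can be checked mechanically. The following added example (not from the book; the domains, users, groups and resource are constructed) models those rules in Python: which objects each group type may contain, that Universal groups need a native-mode domain, that a Domain Local group may only appear on ACLs in its own domain, and how a user's effective group membership is the transitive closure of that nesting. It is a model of the rules as stated above, not of Active Directory itself.

```python
MIXED, NATIVE = "Windows 2000 mixed", "Windows 2000 native"
USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain local", "universal"


class Directory:
    """Toy model of the group-type nesting rules; domain names are assumptions."""

    def __init__(self, functional_levels):
        self.levels = dict(functional_levels)   # domain -> functional level
        self.objects = {}                        # name -> (kind, home domain)
        self.members = {}                        # group -> set of member names

    def add(self, name, kind, domain):
        if kind == UNIVERSAL and self.levels[domain] != NATIVE:
            raise ValueError(f"{domain} is in mixed mode; Universal groups are unavailable")
        self.objects[name] = (kind, domain)
        if kind != USER:
            self.members[name] = set()

    def add_member(self, group, member):
        gkind, gdom = self.objects[group]
        mkind, mdom = self.objects[member]
        if gkind == GLOBAL:          # same-domain users; same-domain Globals only in native mode
            same = mdom == gdom
            ok = (mkind == USER and same) or (mkind == GLOBAL and same and self.levels[gdom] == NATIVE)
        elif gkind == DOMAIN_LOCAL:  # Globals/Universals from any domain (users allowed, not advised)
            ok = mkind in (USER, GLOBAL, UNIVERSAL)
        elif gkind == UNIVERSAL:     # Globals/Universals from any domain (users allowed, not advised)
            ok = mkind in (USER, GLOBAL, UNIVERSAL)
        else:
            ok = False
        if not ok:
            raise ValueError(f"cannot nest {mkind} {member} ({mdom}) in {gkind} {group} ({gdom})")
        self.members[group].add(member)

    def effective_groups(self, user):
        """Transitive closure of membership, the same walk the system makes at logon."""
        found, frontier = set(), {user}
        while frontier:
            frontier = {g for g, ms in self.members.items() if ms & frontier} - found
            found |= frontier
        return found

    def permissions(self, user, resource_domain, acl):
        """acl maps a group (or user) to a permission. A Domain Local group may only be used on
        ACLs of resources in its own domain; the result is the set of permissions granted."""
        for principal in acl:
            kind, dom = self.objects[principal]
            if kind == DOMAIN_LOCAL and dom != resource_domain:
                raise ValueError(f"{principal} is local to {dom}, not usable in {resource_domain}")
        groups = self.effective_groups(user)
        return {acl[p] for p in acl if p == user or p in groups}


def build_agudlp():
    """Constructed two-domain forest: developers from both domains read source in 'dev'."""
    d = Directory({"corp": NATIVE, "dev": NATIVE, "legacy": MIXED})
    for user, dom in (("alice@corp", "corp"), ("carol@corp", "corp"), ("bob@dev", "dev")):
        d.add(user, USER, dom)
    d.add("G-CorpDevelopers", GLOBAL, "corp")
    d.add("G-DevDevelopers", GLOBAL, "dev")
    d.add("U-AllDevelopers", UNIVERSAL, "corp")
    d.add("DL-SourceReaders", DOMAIN_LOCAL, "dev")
    d.add_member("G-CorpDevelopers", "alice@corp")       # A -> G
    d.add_member("G-DevDevelopers", "bob@dev")
    d.add_member("U-AllDevelopers", "G-CorpDevelopers")  # G -> U
    d.add_member("U-AllDevelopers", "G-DevDevelopers")
    d.add_member("DL-SourceReaders", "U-AllDevelopers")  # U -> DL
    return d


SOURCE_ACL = {"DL-SourceReaders": "Read"}                # DL -> P, on a resource in 'dev'
```

The payoff of the chain is in the last two lines: the resource's ACL names a single Domain Local group, and adding a developer anywhere in the forest never touches that ACL, only a Global group in the developer's own domain.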
• Avoid taking away the default permissions— Leave the default permissions in
place and add to them, if necessary. Taking away default permissions can cause
unexpected results.
• When delegating control, avoid granting Full Control— If you give a user
Full Control, she can undo the configuration that you have carefully put into place.
• Designing a strategy for the encryption and decryption of files and folders
• Designing a permission structure for files and folders
• Designing security for a backup and recovery strategy
• Analyzing auditing requirements
A user can encrypt files and folders simply by changing the attribute of the file or folder
in the Advanced section of the General tab of its properties, as shown in Figure 6.4. This
automatically encrypts the file or folder with a symmetric key and then encrypts the
symmetric key (the decryption key) with the user's public key and a designated Recovery
Agent's public key. With this in place, only the user's private key or the Recovery Agent's
private key decrypts the decryption key, which can then be used to decrypt the file.
Typically, the designated Recovery Agent is the administrator of the network. In Windows
2000 Server, the original administrative account for a domain was, by default, the
Recovery Agent. In Windows Server 2003, there is no default Recovery Agent. You can
set the designated Recovery Agent in Group Policy.
As you can see, this system is quite complex from an administrative standpoint but is
transparent to the user. You should consider using EFS on any removable drives or
portable computers. It is the only type of defense that remains in place if you lose
physical control of a hard drive. Without EFS, an attacker could simply take
administrative control of the computer and read the information.
With Windows Server 2003 and Windows XP, you can assign multiple users to the same
encrypted file or folder and give them access to it at a remote server. You need to keep
in mind that the transmission of the data from the server to the client is not encrypted.
To maintain encryption during transmission of the file or folder, you need to use Internet
Protocol Security (IPSec), as discussed in Chapter 4, "Creating the Physical Design for
Network Infrastructure Security."
If the user's key becomes corrupt and fails to decrypt the file or folder, the Recovery
Agent can decrypt the file or folder and return the information to the user. The file or
folder to be decrypted must be on the same computer as the key used to decrypt it. You
can either take the encrypted file to the Recovery Agent's computer or export the
Recovery Agent's key to a floppy disk and use it on the computer where the file exists.
You can also export the Recovery Agent's key from the network and store it on a floppy
disk in a secure location. That way, an attacker cannot possibly gain access to the key
over the network.
As mentioned previously, a user can obtain permissions for an object based on groups of
which he is a member. Windows Server 2003 includes a new tool to assist you in
determining effective permissions when a user has NTFS permissions from multiple
sources. You need to be familiar with the following in regard to permissions structure for
files and folders:
Share permissions allow a user to gain access to a resource through the network. If a file
or folder is not shared, the only access to that file or folder would be from the local
computer where the file exists. The following are levels of share permissions:
• Read— This is the default permission for any file that is shared in Windows Server
2003. With Read permissions, a user can see a file or folder and can execute the
file or open the folder. A user can also right-click the file or folder and view the
properties, but cannot make any changes to the file or folder or to its properties.
• Change— Change permissions allow all of the permissions of Read, but the user
can also change or add to the file or folder and can change the properties of the
file or folder, such as the name or other attributes. In addition, the user can also
delete the file or folder with Change permissions.
• Full Control— Full Control permissions allow all of the permissions of Change,
and the user can take ownership of the file or folder and, thereby, assign other
users permission for the file or folder.
• List Folder Contents— A user with List Folder Contents permissions can view a
folder and view the files and folders within the folder, but cannot change the
folder or its attributes or even view the attributes of the folder. If he were to
right-click the file and click Properties, he would get an Access Denied message.
• Read— A user with Read permissions for the folder can view the folder, but
cannot view the contents of the folder. In addition, he cannot change the folder or
its properties. He can view the properties of the folder by right-clicking the folder
and clicking Properties.
• Read— A user who has only Read permissions for a file can view the file, but
cannot change, delete, or execute the file.
• Read & Execute— A user who has Read & Execute permissions can view the file
and double-click the file to execute it. He cannot change or delete the file.
• Write— A user who has Write permissions can view the file and execute it, and
can change the file and its properties. He cannot delete the file.
• Modify— A user who has Modify permissions has all of the same permissions as
Write, and he can delete the file.
• Full Control— A user who has Full Control permissions has all of the same
permissions of Modify, and he can take ownership of the file and, thereby, assign
permissions to other users.
In addition to the standard NTFS permissions for files and folders, you
can also select Special Permission in the Advanced security properties
of the file or folder. Special permissions allow you to tailor the specific
actions that a user is allowed to perform on a file or folder.
Effective Permissions
If a file or folder exists on an NTFS volume and is also shared through the network, the
share permissions might be different than the NTFS permissions for the file or folder. In
addition, if a user has permissions to the file from membership in multiple groups, the
permissions might differ by group. The effective permissions are, therefore, a
combination of all of the separate permissions. You need to remember this three-step
method of determining the effective permissions for a resource:
3. The effective permissions are the combination that is the most restrictive.
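The three-step method above, worked through as an added Python model (this is illustration code, not anything from the book or from Windows). The rights that each permission level carries follow the chapter's descriptions of the share and NTFS levels rather than the exact NTFS access-mask bits, and the group memberships, ACLs and user names are constructed sample data.

```python
"""Effective permissions on a shared NTFS file, following the chapter's
three-step method: combine the share permissions, combine the NTFS
permissions, then keep the most restrictive of the two results.
Added illustration; the rights sets below follow the chapter's descriptions
of each permission level, not the exact NTFS access-mask bits."""

SHARE_RIGHTS = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "take ownership"},
}

NTFS_RIGHTS = {  # file permissions as the chapter describes them
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"read", "execute", "write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "take ownership"},
}


def combine(levels, table):
    """Steps 1 and 2: permissions granted through several groups are
    cumulative, so the combined result is the union of their rights."""
    rights = set()
    for level in levels:
        if level not in table:
            raise ValueError(f"unknown permission level: {level!r}")
        rights |= table[level]
    return rights


def effective_rights(share_levels, ntfs_levels, via_share=True):
    """Step 3: the effective permissions are the most restrictive of the two
    combined results, i.e. their intersection. A file opened on the local
    computer never passes through the share, so only NTFS applies then."""
    ntfs = combine(ntfs_levels, NTFS_RIGHTS)
    if not via_share:
        return ntfs
    return combine(share_levels, SHARE_RIGHTS) & ntfs


def granted_levels(user, memberships, acl):
    """Permission levels an ACL grants to the user directly or to a group
    the user belongs to. acl is a list of (principal, level) pairs."""
    principals = {user} | set(memberships.get(user, ()))
    return [level for principal, level in acl if principal in principals]


# Constructed sample data: alice is in Sales and Everyone. The share grants
# Everyone Read; NTFS grants Sales Modify and alice Read explicitly.
MEMBERSHIPS = {"alice": ["Sales", "Everyone"], "bob": ["Everyone"]}
SHARE_ACL = [("Everyone", "Read")]
NTFS_ACL = [("Sales", "Modify"), ("alice", "Read")]


def sample_rights(user, via_share=True):
    return effective_rights(granted_levels(user, MEMBERSHIPS, SHARE_ACL),
                            granted_levels(user, MEMBERSHIPS, NTFS_ACL),
                            via_share)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "over the share:", sorted(sample_rights(user)))
        print(user, "locally:", sorted(sample_rights(user, via_share=False)))
```

Running it shows the point the chapter makes: alice holds Modify through Sales, but over the network the share's Read is the bottleneck and she ends up with read and execute only; the same file opened at the console gives her the full Modify rights.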
Windows Server 2003 has a new tool that assists you in recovering data on your servers.
This new tool is referred to as Volume Shadow Copy service. You need to be familiar with
the Volume Shadow Copy service and its potential effect on the productivity of your
users.
Although volume shadow copies are not a replacement for performing regular backups on
a system, they are an effective enhancement to the security of data. Volume shadow
copies are multiple versions of files on a file server that are automatically stored based on a
schedule that you set. They are categorized by time. You can enable the Volume Shadow
Copies features in the properties of an NTFS volume, as shown in Figure 6.6. They are
not full copies of each file version, but rather just the changes from the previous version.
This system is used to conserve hard disk space while providing a backup of each
version. You can set the schedule for the copies, but Microsoft recommends that you set
it for no more than once per hour.
If a user accidentally modifies a file in such a way as to lose some of the information in
the file, he can use volume shadow copies to obtain a previous version of the file. This
can save the user a tremendous amount of time and, thereby, increase productivity.
Without volume shadow copies, your options would be quite limited at this
point. You could either ask the network administrator to restore the file from
backup tape, or you could begin re-creating the 475 slides that you deleted.
With volume shadow copies (and a little training), you simply right-click the file
that you still have and then select the Previous Versions tab of the file's
properties. You then select the version of the file that you had a couple of hours
ago before you made your mistake. Your file would return and life would go
back to normal. It's as simple as that.
Figure 6.7. You can set the audit policy for a computer through the
Local Security Policy settings of the computer itself or through
Group Policy.
You need to be familiar with the following settings in regard to auditing files and folders:
This setting combines with the individual audit setting on the SACL of the file, folder,
Registry key, or other resource on which you have applied audit settings. If you select
this setting, the system examines the SACLs of all resources to determine whether
auditing is required.
After you have set the audit policy to Audit Object Access, you can then set the resources
themselves to be audited. You can determine which users or groups you will audit for
each resource. In this way, you can create an audit report that gives you the information
that you need without having so much information so as to become unusable.
You can set the audit entries in the Advanced options of the Security tab for the object to
be audited, as shown in Figure 6.8. This creates a SACL that the system automatically
tracks and uses to create the entries for you in the security log of Event Viewer. If you
choose, you can audit an entire hierarchy of folders by allowing the audit entries to
propagate from the parent object to the child objects.
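The way the Audit Object Access policy combines with an object's SACL, including entries propagated from a parent folder, as an added Python model (illustration code, not Windows code). The folder paths, the Accounting group and the access attempts are constructed sample data.

```python
"""When does an access attempt produce a security-log entry? Only when the
Audit Object Access policy is on AND the object's SACL, its own entries or
entries propagated from a parent folder, names the principal, the access and
the outcome. Added model; not Windows code."""
from pathlib import PureWindowsPath


class AuditEntry:
    """One entry of an object's SACL, as set in the Advanced security options."""

    def __init__(self, principal, accesses, outcomes, propagate=True):
        self.principal = principal          # user or group name
        self.accesses = set(accesses)       # e.g. {"read", "write", "delete"}
        self.outcomes = set(outcomes)       # {"success"}, {"failure"} or both
        self.propagate = propagate          # also applies to child objects


def _key(path):
    # Windows paths are case-insensitive, so SACLs are keyed on lowercase
    return str(PureWindowsPath(path)).lower()


def applicable_entries(path, sacls):
    """The object's own SACL plus propagating entries of every ancestor."""
    p = PureWindowsPath(path)
    entries = list(sacls.get(_key(p), []))
    for parent in p.parents:
        entries += [e for e in sacls.get(_key(parent), []) if e.propagate]
    return entries


def is_audited(policy_on, sacls, path, user, groups, access, outcome):
    """True when this access/outcome should be written to the security log."""
    if not policy_on:                       # policy off: SACLs are never examined
        return False
    principals = {user} | set(groups)
    return any(e.principal in principals and access in e.accesses
               and outcome in e.outcomes
               for e in applicable_entries(path, sacls))


def audit_events(policy_on, sacls, attempts):
    """Filter a list of constructed access attempts down to those that would
    be logged; each attempt is (path, user, groups, access, outcome)."""
    return [a for a in attempts if is_audited(policy_on, sacls, *a)]


# Constructed sample: every delete under D:\Finance is audited (propagated
# from the folder); failed reads of the payroll file are audited as well.
SACLS = {
    _key(r"D:\Finance"): [AuditEntry("Everyone", {"delete"}, {"success", "failure"})],
    _key(r"D:\Finance\Payroll.xls"): [AuditEntry("Accounting", {"read"}, {"failure"},
                                                 propagate=False)],
}
ATTEMPTS = [
    (r"D:\Finance\Payroll.xls", "bob", ["Accounting", "Everyone"], "read", "failure"),
    (r"D:\Finance\Payroll.xls", "bob", ["Accounting", "Everyone"], "read", "success"),
    (r"D:\Finance\Q3\Budget.xls", "carol", ["Everyone"], "delete", "success"),
    (r"D:\Public\Notes.txt", "carol", ["Everyone"], "delete", "success"),
]

if __name__ == "__main__":
    for event in audit_events(True, SACLS, ATTEMPTS):
        print("logged:", event)
```

Note that the same attempts produce nothing at all when the policy is off, which is why setting Audit Object Access comes before configuring the individual SACLs.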
You can assign permissions on each key of the Registry in much the same way that you
assign permissions to files or folders. To do so, access the Registry using the
regedt32.exe or regedit.exe tool, right-click the key that you want to change, and click
Permissions. The Permissions dialog box opens, as shown in Figure 6.9. You can then add
a user and give him the permissions required to make the change. As always, you should
only give him the minimum level of permissions required to make the appropriate
changes. You can also use Group Policy to assign permissions to multiple users and
computers at the same time.
Figure 6.9. You can set permissions for each key in the Registry.
Q1 Which delegation tool should HACA use to focus on the task to be delegated and
let the system set the DACLs?
Q2 Which tools can you use to control the audit policy on computers on your
network? (Choose two.)
• A. Local Security
• B. Group Policy
• C. Advanced permission settings
• D. Event Viewer
A2: Answers A and B are correct. All auditing is local and should be set on the local
computer, but this can be accomplished through the Local Security tool on the
computer or through Group Policy. Advanced permission settings control the
creation of the SACL used to audit the objects themselves, not the audit policy;
therefore, answer C is incorrect. Event Viewer is a tool that you can use to view
the security log for the results of a security audit; therefore, answer D is
incorrect.
• A. Logon events
• B. Directory service access
• C. Account logon events
• D. Privilege use
A3: Answer A is correct. Logon events tracks local logons on a computer to which it
is applied. Directory service access tracks the viewing and changing of specific
Active Directory objects to which SACLs are applied; therefore, answer B is
incorrect. Account logon events is applied on domain controllers to track their
authorization of users who log on from other computers on the network;
therefore, answer C is incorrect. Privilege use tracks the actions of a user
exercising a user right; therefore, answer D is incorrect.
A4: Answers B and C are correct. Using settings with broader permissions makes it
easier for the system to process the permissions. Using the same settings for
multiple objects creates fewer DACLs and makes it easier on the system as a
result. You should avoid removing the default permissions as this could have
unexpected results; therefore, answer A is incorrect. You should avoid assigning
Full Control because it allows the person with delegated permissions to change
your permission configurations; therefore, answer D is incorrect.
• A. Global
• B. Domain Local
• C. Universal
• D. Nested
Q6 Which permissions are only NTFS permissions and not share permissions?
(Choose two.)
A6: Answers A and C are correct. NTFS permissions include List Folder Contents,
Read, Read & Execute, Write, Modify, Full Control, and Special Permissions.
Change is a type of share permission; therefore, answer B is incorrect. Full
Control permissions allow a user to take ownership and are common to shares
and NTFS; therefore, answer D is incorrect.
Q7 Which NTFS permissions allow a user to change a file or folder but do not allow a
user to delete the file or folder?
• A. Modify
• B. Write
• C. Change
• D. Read & Execute
A7: Answer B is correct. Write permissions to a file or folder allow a user to change
the file or folder but do not allow him to delete it. Modify permissions are NTFS
permissions that allow a user to delete a file or folder; therefore, answer A is
incorrect. Change permissions are share permissions that allow a user to delete a
file or folder; therefore, answer C is incorrect. Read & Execute are NTFS
permissions that do not allow a user to change a file or folder; therefore, answer
D is incorrect.
Q8 Which two of the following are part of the three steps to determine effective
permissions?
A8: Answers B and D are correct. You should first combine the share permissions and
determine a result. Next, you should combine the NTFS permissions and
determine a result. The effective permissions will then be the most restrictive of
the two results. Determining the most restrictive of all of the permissions is not
one of the steps; therefore, answer A is incorrect. Determining the least
restrictive of all of the permissions is not one of the steps; therefore, answer C is
incorrect.
• A. They are full copies of a file that are stored multiple times.
• B. They are automatically copied every 5 minutes.
• C. They replace the need to back up your servers.
• D. They can only be created on NTFS volumes.
A9: Answer D is correct. Volume shadow copies can only be created on NTFS
volumes. Volume shadow copies consist of a file and the "shadows" representing
only the changes to the file, not full copies of the file; therefore, answer A is
incorrect. Volume shadow copies are created on a schedule set by the
administrator. The default schedule is twice per day at 7:00 a.m. and 12:00
p.m.; therefore, answer B is incorrect. Volume shadow copies do not replace the
need to back up servers; therefore, answer C is incorrect.
Q10 Which of the following are true regarding the Registry? (Choose two.)
• A. The only way to change the Registry is with the Registry Editor tool.
• B. Users cannot usually make any changes to the Registry.
• C. You should audit the Registry only when you feel that it has been
attacked.
• D. By default, only the administrator of a computer has the right to make
changes directly to the Registry settings of that computer.
A10: Answers C and D are correct. You only need to audit the Registry when you feel
that it has been attacked because auditing consumes system resources and
reviewing the audits takes time. The administrator of a computer is, by default,
the only account that has the right to make changes to the Registry of that
computer. The Registry can be changed indirectly by users with the GUI tools;
therefore, answers A and B are incorrect.
• Password policies
• Remote access policies
• Internet Authentication Services (IAS)
• Administrative templates
You can't implement a secure network without placing the right types of servers in the
right places. In addition, the clients must all be as secure as possible because otherwise
they can be used as a "back door" by an attacker who actually wants access to the
servers. In this chapter, we discuss the types of servers that make up the physical design
of the network and the security tools that are built into each type. We also discuss
methods of "hardening" the security of clients to enhance the overall security of the
network. You need to understand the following key areas of physical design for client
infrastructure security:
Clients can authenticate to domains of which they are not a member. This is
accomplished through trusts. As we discussed in Chapter 2, "Creating the Logical Design
for Network Infrastructure Security," trusts are connections between domain controllers
over which authentication can occur. For example, if Domain A trusts Domain B, users in
Domain B can use resources in Domain A provided that they have the permissions to use
the resources. Remember that trusts do not provide permissions; they only provide the
connection.
Organizations that have domains in separate Active Directory forests can use a new trust
in Windows Server 2003 called a forest trust. With a forest trust in place, all of the
domains in both of the forests have a trust relationship. For example, if Forest A trusts
Forest B, users in Forest B's domains can use resources in Forest A's domains provided
that the users have the proper permissions. The main advantage of forest trusts is that
they can reduce the number of trusts that must be created in some instances.
Forest trusts are only available when both of the forests have been raised to the
Windows Server 2003 functional level. In addition, forest trusts are not transitive. In
other words, just because Forest A trusts Forest B and Forest B trusts Forest C does not
mean that users in Forest C have a connection to use resources in Forest A. The forest
trust relationship does not transit from C to A through B. If you need all users in Forest C
to be able to use resources in all domains in Forest A (for which they have permissions),
you must create a separate forest trust in which Forest A trusts Forest C.
Domain controllers replicate information about the domain and the forest configuration
on a consistent basis. Because of this, it is only necessary to change the settings on one
domain controller to affect all of the domain controllers in the domain. Specific domain
controller settings control authentication to a domain. These are part of the security
settings for the domain. You can adjust these settings using the tools provided by
Windows Server 2003. Designing a client authentication strategy includes the following
elements:
Because authentication methods have evolved with technology, not all clients
authenticate in the same way as others. Windows Server 2003 is very flexible in regard
to authentication settings for clients. This setting can be adjusted in the Security Options
of Group Policy, as shown in Figure 7.1. Understanding how all of the protocols relate to
the type of clients on your network enables you to select the setting that allows for the
highest security that all of your clients can use.
LAN Manager
LAN Manager (LM) authentication was the first type of authentication used by Microsoft
clients. Beginning with Windows 3.11, LAN Manager was also used with Windows 95,
Windows 98, and Windows Me clients. It uses a challenge/response mechanism, but it is
not considered strong based on today's standards.
Windows 95, Windows 98, and Windows Millennium Edition (Me) are
often referred to as Windows 9x clients.
NT LAN Manager
NTLMv2
To provide for greater security and protect against brute force attacks against the server,
NTLMv2 uses a 128-bit key length. This long key length makes a brute force attack
infeasible as long as strong passwords are used. If strong passwords are not used, the
password can be "cracked" in a matter of seconds. We discuss strong passwords in the
next section.
Kerberos
Kerberos is the default authentication protocol used by all Windows 2000 and Windows
Server 2003 domains. It is named for the mythical three-headed dog that guards the
gates of Hades. Kerberos is a system that uses keys and Key Distribution Center (KDC)
servers to gradually authenticate a client to use a resource. Kerberos is considered the
most secure Microsoft authentication protocol. Only Windows 2000, Windows XP,
Windows Server 2003 servers, and Unix clients can use the Kerberos authentication
protocol.
Windows 2000 and Windows Server 2003 servers that are not part of
a domain still use NTLMv2.
Figure 7.2. You can control your account policy settings through
Group Policy.
Remote access policies are much more than just permissions to dial in to a network. In
fact, they contain three components that work together to accept or deny a connection to
the network. You can configure each of these components to achieve your desired result.
You need to know how to configure the three components of remote access policies,
which are
• Conditions
• Permissions
• Profile
Remote access policy conditions are attributes that must be met to satisfy the policy.
Conditions are only checked at the initial time of the connection attempt. They are the
first component that is checked on a connection attempt.
Conditions might include day and time restrictions, connection types, security group
memberships, and many others. If you set multiple conditions on the same remote
access policy, all of the conditions have to be met. Figure 7.4 illustrates remote access
policy conditions.
The tricky part is that a policy can be configured to accept or deny the connection based
on the conditions. In other words, if the conditions state that a user must be in the Sales
group to satisfy the policy and the user is in the Sales group, the policy is satisfied.
However, if that policy states that all users who satisfy it are denied access, the users in
the Sales group would be denied access because they met the conditions of the policy.
Permissions
The dial-in permissions of the user are checked after the conditions are checked,
assuming that a condition to deny has not already been met. If your domain is in at least
Windows 2000 native mode functional level, the dial-in permissions for the user can be
set to Allow Access, Deny Access, or Control Access Through Remote Access Policy, as
shown in Figure 7.5. If your domain is in a lower functional level, the Control Access
Through Remote Access Policy option is not available. If you set the permissions to Allow
Access, the user is connected because he has already met the conditions previously. If
you set the permissions to Deny Access, the user is denied access, even though he met
the conditions previously. If you set the permissions to Control Access Through Remote
Access Policy, the user's connection is accepted or denied based on the next step.
Profile
If you set the user permissions to Control Access Through Remote Access Policy, the
profile settings on the policy must be met to obtain and to continue a connection. Profile
settings that you can select include day and time restrictions, idle-timeouts,
session-timeouts, encryption, authentication, connection types, and many more. If you set
multiple profile settings in a remote access policy, the user must meet and continue to
meet the restrictions that you set. Figure 7.6 shows the main dialog box for remote
access policy profiles. In this example, the user can stay connected for 120 minutes if he
remains active, but for only 15 minutes if he is idle.
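The order in which the three components are evaluated, as an added Python model of the procedure the preceding sections describe (illustration code, not the Routing and Remote Access implementation). The functional-level labels, the policy names, the Sales and Contractors groups and the connection attributes are assumed sample values; the Allow Access branch follows the chapter's statement that such a user is connected once the conditions are met.

```python
"""Model of how a remote access policy decides a connection: conditions first,
then the user's dial-in permission, then the profile (which keeps applying
while the session lasts). Added illustration; not RRAS code."""
from dataclasses import dataclass, field

ALLOW = "Allow Access"
DENY = "Deny Access"
CONTROL = "Control Access Through Remote Access Policy"


def dial_in_options(functional_level):
    """The Control Access option is offered only at Windows 2000 native mode
    or higher; the level names used here are assumed labels."""
    if functional_level in ("Windows 2000 native", "Windows Server 2003"):
        return (ALLOW, DENY, CONTROL)
    return (ALLOW, DENY)


@dataclass
class Policy:
    name: str
    conditions: dict                      # every entry must match
    action: str                           # "grant" or "deny" for matching users
    profile: dict = field(default_factory=dict)


@dataclass
class Attempt:
    user: str
    dial_in: str                          # the user's dial-in permission
    attributes: dict                      # groups, connection_type, hour, encrypted


def _condition_met(key, required, attrs):
    if key == "group":                    # security-group condition
        return required in attrs.get("groups", set())
    return attrs.get(key) == required


def conditions_match(policy, attempt):
    """Component 1: checked only at connect time; all conditions must hold."""
    return all(_condition_met(k, v, attempt.attributes)
               for k, v in policy.conditions.items())


def profile_allows_connect(profile, attempt):
    """Component 3 at connect time: allowed hours and required encryption."""
    attrs = attempt.attributes
    if "allowed_hours" in profile and attrs.get("hour") not in profile["allowed_hours"]:
        return False
    if profile.get("require_encryption") and not attrs.get("encrypted", False):
        return False
    return True


def session_still_allowed(profile, connected_minutes, idle_minutes):
    """Component 3 during the session: session and idle timeouts keep applying."""
    if connected_minutes > profile.get("session_timeout", float("inf")):
        return False
    if idle_minutes > profile.get("idle_timeout", float("inf")):
        return False
    return True


def evaluate(policies, attempt):
    """Return ("accept"|"deny", reason) following the three-component order."""
    policy = next((p for p in policies if conditions_match(p, attempt)), None)
    if policy is None:
        return "deny", "no policy's conditions matched"
    if policy.action == "deny":           # a deny policy wins once its conditions are met
        return "deny", f"policy '{policy.name}' denies matching users"
    if attempt.dial_in == ALLOW:          # component 2
        return "accept", "dial-in permission is Allow Access"
    if attempt.dial_in == DENY:
        return "deny", "dial-in permission is Deny Access"
    if profile_allows_connect(policy.profile, attempt):
        return "accept", f"profile of '{policy.name}' satisfied"
    return "deny", f"profile of '{policy.name}' not satisfied"


# Constructed sample policies (not from any real network)
SALES_PROFILE = {"allowed_hours": range(7, 19), "session_timeout": 120,
                 "idle_timeout": 15, "require_encryption": True}
POLICIES = [
    Policy("Sales dial-up", {"group": "Sales", "connection_type": "dial-up"},
           "grant", SALES_PROFILE),
    Policy("Block contractors", {"group": "Contractors"}, "deny"),
]


def sample_decision(user, dial_in, groups, hour=10, encrypted=True,
                    connection_type="dial-up"):
    attempt = Attempt(user, dial_in, {"groups": set(groups), "hour": hour,
                                      "encrypted": encrypted,
                                      "connection_type": connection_type})
    return evaluate(POLICIES, attempt)[0]


if __name__ == "__main__":
    print(sample_decision("alice", CONTROL, ["Sales"]))            # accept
    print(sample_decision("bob", ALLOW, ["Contractors"]))          # deny
    print(session_still_allowed(SALES_PROFILE, 60, 16))            # False
```

The contractor case shows the "tricky part" from the conditions section: bob's dial-in permission is Allow Access, but the deny policy matched his group first, so the permission is never consulted. The session check with 16 idle minutes against a 15-minute idle timeout is the profile continuing to apply after the connection is up.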
• Input filters— These control the packets that the interface receives based on
identifying the destination address, destination mask, and protocol. You can set
the Filter Action setting to permit or deny the identified traffic, as shown in Figure
7.7.
You should know the difference between filters and filter actions.
Filters are used to identify traffic. Filter actions determine whether a
packet is permitted or denied through an interface after it is
identified.
• Output filters— These control the packets that the interface sends based on
identifying the destination address, destination mask, and protocol. You can set
the Filter Action setting to permit or deny the identified traffic, as shown in Figure
7.8.
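The distinction the exam alert draws between filters and filter actions, as an added Python model (illustration code, not the Routing and Remote Access implementation). Filters identify traffic by destination address, destination mask and protocol, exactly the three attributes listed above; the filter action then permits or denies what they identify. One assumption is stated in the code: traffic that no filter identifies receives the opposite treatment, which is how the filter dialog's "all packets except those that meet the criteria below" choices behave. The interface name, addresses and subnets are constructed sample values.

```python
"""IP packet filters on a remote access interface: a filter only identifies
traffic (destination address, destination mask, protocol); the filter action
says whether identified traffic is permitted or denied. Added model; the
'opposite treatment for unidentified traffic' rule is an assumption that
mirrors the filter dialog's 'all packets except those below' wording."""
import ipaddress


class IPFilter:
    """Identifies traffic; carries no permit/deny decision of its own."""

    def __init__(self, dest_address, dest_mask, protocol="any"):
        self.network = ipaddress.IPv4Network(f"{dest_address}/{dest_mask}",
                                             strict=False)
        self.protocol = protocol.lower()    # "tcp", "udp", "icmp" or "any"

    def identifies(self, packet):
        if self.protocol not in ("any", packet["protocol"].lower()):
            return False
        return ipaddress.IPv4Address(packet["dst"]) in self.network


class FilterList:
    """Input or output filter list of one interface plus its filter action."""

    def __init__(self, direction, action, filters):
        if direction not in ("input", "output") or action not in ("permit", "deny"):
            raise ValueError("direction must be input/output, action permit/deny")
        self.direction, self.action, self.filters = direction, action, list(filters)

    def decide(self, packet):
        """Apply the filter action to identified traffic; everything else
        gets the opposite treatment."""
        if any(f.identifies(packet) for f in self.filters):
            return self.action
        return "deny" if self.action == "permit" else "permit"


class Interface:
    def __init__(self, name, input_filters=None, output_filters=None):
        self.name = name
        self.input_filters = input_filters
        self.output_filters = output_filters

    def decide(self, direction, packet):
        flist = self.input_filters if direction == "input" else self.output_filters
        return "permit" if flist is None else flist.decide(packet)  # no filters: pass all


# Constructed sample: only TCP destined to the VPN server is accepted inbound;
# outbound traffic to the 192.168.50.0/24 lab subnet is dropped, all else sent.
WAN = Interface(
    "WAN",
    input_filters=FilterList("input", "permit",
                             [IPFilter("10.0.0.10", "255.255.255.255", "tcp")]),
    output_filters=FilterList("output", "deny",
                              [IPFilter("192.168.50.0", "255.255.255.0")]),
)


def sample_decision(direction, dst, protocol):
    return WAN.decide(direction, {"dst": dst, "protocol": protocol})


if __name__ == "__main__":
    print(sample_decision("input", "10.0.0.10", "TCP"))    # permit
    print(sample_decision("input", "10.0.0.10", "UDP"))    # deny
    print(sample_decision("output", "192.168.50.7", "udp"))  # deny
```

The same filter (an address, a mask and a protocol) appears in both lists; what differs is only the action attached to the list, which is the point the exam alert makes.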
After you install IAS on one server, you can configure all remote access servers to
authenticate requests through the IAS (RADIUS) server, as shown in Figure 7.9. You can
also create a central accounting log for all remote access to your network. This
centralization gives you better control and more accurate accounting of remote access.
All of the remote access policies that were configured on the remote access servers can
be managed from the IAS server, as shown in Figure 7.10.
You should know for the exam that any protocols or services that are
not being used should be uninstalled. This is because they represent a
potential security risk.
You can use Group Policy to control a user's access to operating system features that can
affect connectivity, performance, and security. Most of the settings that control this type
of access are in the User Configuration/Administrative Templates section, as shown in
Figure 7.11. These settings modify templates called .adm files, which are used to make
changes to the Registry in all of the computers to which the Group Policy applies.
Administrative Templates found in the User Configuration section include
MTC Inc. is concerned with the physical security of their network and the vulnerability of
their authentication systems both internal to the network as well as from outside of the
network. They have hired you as a consultant to assist in hardening their physical design
for client infrastructure security.
• A. NTLM
• B. LM
• C. NTLMv2
• D. Kerberos
A1: Answer B is correct. Windows 95 clients can only use LAN Manager (LM)
authentication. By today's standards, LM authentication is very easy to crack. NTLM
authentication can only be used by Windows NT Workstation and newer clients;
therefore, answer A is incorrect. NTLMv2 can only be used by NT Workstation with
SP4 and newer clients; therefore, answer C is incorrect. Kerberos authentication can
only be used by Windows 2000, Windows XP, and Unix clients; therefore, answer D
is incorrect.
Q2 Which of the following practices would you recommend to increase security? (Choose
two.)
A2: Answers A and C are correct. Setting the account lockout duration to 0 requires that
the administrator unlock a locked-out user. Requiring the use of complex passwords
makes passwords much more difficult to guess or to crack with brute force attacks
against the server. Remembering passwords prevents users from continually using a
favorite password, thus increasing security. Enforcing a password history of 0
passwords causes no passwords to be remembered; therefore, answer B is incorrect.
You need to change the default Administrator account name to a name that does not
stand out and is not easily guessed about the administrator; therefore, answer D is
incorrect.
• A. Conditions
• B. Permissions
A3: Answer C is correct. Profile is the only component of remote access policy that
continues to be monitored after a connection is made. The user must meet and
continue to meet the attributes in the profile settings. Conditions are only checked on
the initial connection attempt; therefore, answer A is incorrect. Permissions are only
checked on the initial connection attempt; therefore, answer B is incorrect. Group
Policy is not a component of remote access policy; therefore, answer D is incorrect.
Q4 If MTC's domain is in Windows 2000 mixed mode, which options do they have for
dial-in permissions? (Choose two.)
A4: Answers C and D are correct. If the domain is in Windows 2000 mixed mode
functional level, the only options for dial-in permissions are Allow Access and Deny
Access. The option to Control Access Through Remote Access Policy is only available
if the domain is in at least Windows 2000 native mode functional level; therefore,
answer A is incorrect. Grant Access with Restrictions is not a dial-in permissions
option; therefore, answer B is incorrect.
• A. IP filter
• B. Group Policy
• C. DHCP
• D. IP filter action
A5: Answer D is correct. IP filter actions are set to permit or deny traffic identified by IP
filters. IP filters only identify traffic; therefore, answer A is incorrect. Group Policy
does not control IP traffic; therefore, answer B is incorrect. DHCP assigns IP
addresses in the network, but does not filter traffic; therefore, answer C is incorrect.
Q6 Which components does IAS centralize in a network with multiple remote access
servers? (Choose two.)
• A. Authentication
• B. Group Policies
• C. User administration
• D. Accounting
A6: Answers A and D are correct. IAS centralizes authentication and accounting in
networks with multiple RAS servers. IAS cannot centralize Group Policies; therefore,
answer B is incorrect. IAS cannot centralize user administration; therefore, answer C
is incorrect.
A7: Answer B is correct. Only Windows XP clients have a built-in host firewall. Windows
2000 does not have a built-in host firewall; therefore, answer A is incorrect. Only the
Windows XP clients have a built-in host firewall; therefore, answer C is incorrect.
Windows 95 does not have a built-in host firewall; therefore, answer D is incorrect.
Q8 Which settings can you use administrative templates in Group Policy to modify?
(Choose two.)
• A. IP addresses
• B. Hostnames
• C. Active Directory search capability
• D. Terminal Services
A8: Answers C and D are correct. Administrative templates can be used to modify many
settings, including Active Directory search capability and Terminal Services.
Administrative templates cannot be used to modify IP addresses; therefore, answer
A is incorrect. Administrative templates cannot be used to modify hostnames;
therefore, answer B is incorrect.
Q9 Which of the following should MTC use to secure files and folders on the users'
laptops?
• A. NTFS permissions
• B. Shares
• C. EFS
• D. Offline Files and Folders
A9: Answer C is correct. EFS is the best way to secure files and folders on a laptop that
could be lost or stolen. NTFS permissions could be overridden by reinstalling the
operating system; therefore, answer A is incorrect. Share permissions do not apply
in this situation; therefore, answer B is incorrect. Offline Files and Folders is a
service, not a way to secure files and folders; therefore, answer D is incorrect.
• A. System
• B. Control Panel
• C. Security settings
• D. Folder redirection
A10: Answers A and B are correct. System and Control Panel are both components of
Administrative Templates for users in Group Policy. Security settings are a
component of Windows settings in Group Policy; therefore, answer C is incorrect.
Folder redirection is a component of Windows settings in Group Policy; therefore,
answer D is incorrect.
Security Concerns
The security team at IntelliSync has identified the following security concerns:
• Local area network communications are passed through the network in clear text;
someone with a minimum amount of knowledge could sniff these out.
• DNS updates are not secure, so there is concern about an attacker spoofing the
network.
• An administrator has inadvertently given a user full administrative rights by
mistakenly leaving his administrative account logged on to a user's computer.
• There is currently no real disaster recovery plan.
• There is no effective method of automatically distributing antivirus software
updates to all clients.
• Some clients cannot use the latest forms of authentication to RAS servers.
• Some laptops contain sensitive information. This information needs to be kept
secure at all times, even if a laptop is lost or stolen.
CIO: We spend a great amount of time fixing the trusts between the domains. I want to
reduce the number of domains to a necessary minimum.
Senior Administrator: I want a remote administration tool that allows me to view multiple
desktops and manage multiple servers from one location.
Q1 How many domains will IntelliSync need after they upgrade all domain controllers to
Windows Server 2003?
• A. 2
• B. 1
• C. 6
• D. There isn't enough information to determine this answer.
Q2 Which Windows Server 2003 feature should IntelliSync use to encrypt all local
communication between servers and clients?
• A. NTLMv2
• B. IPSec tunnel mode
• C. EFS
• D. IPSec transport mode
• A. Windows 95
• B. Windows NT Workstation
• C. Windows 2000 Professional
• D. Windows XP Professional
Q4 Which of the features in Windows Server 2003 can be used to satisfy the concern of
the CEO? (Choose two.)
• A. Group Policy
• B. Remote Administration
• C. Run as
• D. RSoP
Q5 With IntelliSync's current infrastructure, which clients can use Microsoft Challenge
Handshake Authentication Protocol version 2 (MS-CHAPv2) for dial-up authentication
to RAS servers?
• A. Only Windows XP
• B. Windows XP and Windows 2000 Professional
• C. All clients
• D. All clients except Windows 95
• A. DDR
• B. VPN
• C. WINS
• D. NAT
Q7 If IntelliSync decides to use VPN, which of their clients will be able to use MS-
CHAPv2 to authenticate to the RAS servers through the VPN connection using an
L2TP tunnel?
• A. All clients
• B. All clients except for Windows 95
• C. Only Windows 2000 Professional and Windows XP Professional clients
• D. Only Windows XP clients
Q8 IntelliSync has decided to create a disaster recovery plan that will include an
alternate site for the corporate location. This site will be maintained with the
appropriate power, connectivity, and space requirements to facilitate the use of their
servers. The servers and other appropriate equipment will be quickly moved to this
location in the event of a disaster, such as a flood or blackout. Which type of site
have they chosen?
• A. Hot site
• B. Cold site
• C. Warm site
• D. It's impossible to tell from the information given.
Q9 Which Windows Server 2003 tool should the company use to automatically distribute
antivirus software updates to all clients?
Q10 Which type of DNS zones should IntelliSync use to ensure secure dynamic updates?
• A. Standard Primary
• B. Active Directory integrated
• C. Stub
• D. Standard Secondary
Q11 Which Windows Server 2003 tool should be used to satisfy the request of the Senior
Administrator?
• A. All clients
• B. Windows NT Workstation and newer clients
• C. Only Windows XP clients
• D. Windows 2000 Professional and newer clients
Q13 Which of their clients will only use NetBIOS name resolution to locate services on the
network? (Choose two.)
• A. Windows NT Workstation
• B. Windows XP Professional
• C. Windows 2000 Professional
• D. Windows 95
Q14 Which file system should be formatted onto the partitions of the laptops with the
sensitive information?
• A. EFS
• B. NTFS
• C. FAT32
• D. Any file system will work.
Q15 Which additional features might be used to justify the expense of upgrading
Windows 95 and Windows NT Workstation client computers? (Choose two.)
• A. Kerberos authentication
• B. System Policy Editor
• C. Layer Two Tunneling Protocol
• D. Point-to-Point Tunneling Protocol
Security Concerns
The security team at ComForce has identified the following security concerns:
Security Commentary
CEO: We cannot afford to have another episode like that Blaster virus—or whatever it
was called! We must keep up with the latest security updates from Microsoft.
Senior Administrator: I need a way to verify whether the latest security patches are on
the servers and clients.
Q1 After migrating all domain controllers to Windows Server 2003, how many trusts will
have to be added to facilitate managing all of the domains?
• A. 6
• B. 0
• C. 12
• D. There isn't enough information to determine this answer.
• A. PKI
• B. EFS
• C. NAT
• D. Active Directory
Q3 Which tool should ComForce use to ensure that its clients have the latest security
patches and to check for other known security vulnerabilities?
• A. SUS
• B. RSoP
• C. MBSA
• D. GPMC
Q4 Which services should be used on the servers at each location to manage the latest
security updates and distribute them to the appropriate clients? (Choose two.)
• A. Automatic Updates
• B. SUS
• C. Group Policy
• D. Remote Access Policy
Q5 Which clients can be centrally controlled at each location using Group Policy?
• A. All clients
• B. Windows XP only
• C. Windows 2000 only
• D. Windows 2000 and newer clients
Q7 Which service should ComForce use to encrypt all traffic within each of their
locations?
Q8 Which service should ComForce use to eliminate the use of modems on the RAS
servers and to improve security?
• A. DHCP
• B. VPN
• C. NAT
• D. DDR
Q9 Which protocols should ComForce consider for tunneling VPN traffic between
locations? (Choose two.)
• A. L2TP
• B. PPTP
• C. PPP
• D. IPSec transport mode
Q10 Which tunneling protocol has an inherent form of encryption when used with
Microsoft servers and clients?
• A. L2TP
• B. PPP
• C. IPSec
• D. PPTP
Q11 Which events should be audited to satisfy the audit requirements? (Choose two.)
Q12 How should ComForce design group management for the most efficient control of
access to resources within each domain?
• A. Assign permissions directly to each user for the resources that he requires.
• B. Assign permissions to a Global group for users who need access to the
same resource and then place the users into the Global group.
• C. Assign permissions to Universal groups and then place the users into the
Universal groups.
• D. Place the users into Global groups based on their resource needs. Place the
Q13 Which type of group should be assigned permissions for access to a resource on one
computer in a domain?
• A. Local
• B. Domain Local
• C. Global
• D. Universal
Q14 After migrating all domain controllers and raising them to Windows Server 2003
functional level, which strategy should the company use to give access to users
located in multiple domains in a forest if the resource also exists in multiple domains
in the forest? (Choose four. Each answer is part of the solution.)
• A. Place all of the user accounts into the same Global group.
• B. Place the user accounts into a Global group in their own domain.
• C. Give the Domain Local groups in each domain permissions for the resource
in their domain.
• D. Place all of the Global groups into the same Universal group.
• E. Place the universal groups into the Domain Local groups in each domain.
• F. Give the Domain Local groups in each domain permissions for the resource
in all domains.
Q15 Which permissions will the Effective Permissions tool assist ComForce in managing?
Security Concerns
The security team at GWC has identified the following security concerns:
• Applications that run on the current IIS servers are not stable. When one
application crashes, other applications can crash as well.
• Users have lost valuable information on file servers by accidentally altering and
saving a file.
• It is difficult to determine the resulting permissions of a user who is in multiple
groups.
• Users must be required to use complex passwords as defined by the new Windows
Server 2003 system.
• Some sensitive files, such as the payroll files, will need to be audited for access or
attempted access by any parties.
• EFS is in common use on the laptops. A Recovery Agent computer will be set up
as part of the upgrade. There is concern about the process of recovering files
when a user's private key becomes corrupt.
• All services that are no longer used after the upgrade must be uninstalled.
• DNS updates must be automatic and secure for all clients and servers after the
upgrade.
Security Commentary
CFO: If we are going to spend a lot of money, we need to take advantage of every new
feature in Windows Server 2003.
Q1 Which new features in Windows Server 2003 IIS will address the stability concern
with regard to Web applications? (Choose two.)
• A. Application pools
• B. IIS 5.0 isolation mode
• C. Worker process isolation mode
• D. HTTP keep-alives
Q2 Which new feature in Windows Server 2003 can address the concern of losing
information in files that are accidentally altered and saved?
• A. Incremental backups
• B. Differential backups
• C. Volume shadow copies
• D. ASR
Q3 Which new tool in Windows Server 2003 can be used to determine the resulting
NTFS permissions of a user or group that is a member of multiple groups?
• A. GPMC
• B. RSoP
• C. Effective permissions
• D. Access control lists
Q4 Which tools can be used to set the requirement for complex passwords? (Choose
two.)
Q5 Which steps are involved in setting the auditing of sensitive files and folders to
satisfy GWC's auditing requirements? (Choose three. Each answer is part of the
solution.)
• A. DNS
• B. NetLogon
• C. DHCP
• D. WINS
Q7 Which two methods could be used by the Recovery Agent to recover encrypted
files when the user's private key has become corrupt, without risking exposure of
the information contained in the files? (Choose two.)
Q8 Which tool should the CIO use to quickly determine all of the roles of a server and
make changes if necessary?
Q9 Which tools could you use to give the Cleveland Office Manager limited
administrative rights for users and computers in Cleveland? (Choose two.)
Q10 After the migration to Windows Server 2003, which type of DNS zones should be
used to ensure secure dynamic updates?
Q11 Which new Windows Server 2003 tool should GWC use to distribute Group
Policies?
• A. GPMC
• B. Group Policy Editor MMC
• C. RSoP
• D. Gpupdate
• A. .NET Passport
• B. Certificates
• C. NTLM
• D. MS-CHAPv2
Q13 Which Web server authentication protocols can only be used if a user has an
account in Active Directory? (Choose two.)
• A. Integrated Windows
• B. Certificate
• C. Basic
• D. Digest
Q14 Which type of authentication should be used as a last resort because the
username and password are sent over the wire in clear text?
• A. Anonymous
• B. Basic
• C. Digest
• D. Certificate
Q15 Which types of Web authentication do not require the user to enter a username or
password? (Choose three.)
• A. Digest
• B. Integrated Windows
• C. Certificates
• D. Anonymous access
• E. Basic
Security Concerns
The security team at PowerTran has identified the following security concerns:
Security Commentary
CEO: I'm concerned about the wireless networks. I've read that they are not secure. If
we need to use wireless technology, make it as secure as possible.
CIO: After the upgrade, I want to establish a baseline of performance on our new IIS
servers.
Q1 How many domains does PowerTran need after their migration to Windows Server
2003?
• A. 6
• B. 1
• C. 2
• D. There is not enough information to know.
Q2 Which of PowerTran's current clients can use the Kerberos protocol? (Choose three.)
• A. Windows 95
• B. Windows XP Professional
• C. Windows 2000 Professional
• D. Windows NT Workstation
• E. Unix
Q3 Which types of servers should be placed into the perimeter network (between the
internal and external firewalls)?
• A. Domain controllers
• B. DHCP servers
• C. Web servers
• D. FTP servers
Q4 With a default installation of Windows Server 2003, Standard Edition, which services
will IIS 6.0 provide?
• A. CA constraints
• B. NTFS permissions
• C. Connection timeouts
• D. HTTP compression
• A. NAT
• B. Proxy
• C. Firewall
• D. DDR
Q8 Which counters might be used to establish a baseline of performance on the IIS 6.0
servers?
Q9 Which type of wireless networking should PowerTran use to provide the strongest
security?
• A. WEP
• B. Wi-Fi
• C. RADIUS
• D. PEAP
Q10 Which tools can the network administrator use to give some specific administrative
rights to a user in each location's OU?
• A. ACLs
• B. Delegation of Control Wizard
• C. Active Directory Sites and Services
• D. Active Directory Domains and Trusts
Q11 Which tools should PowerTran use to create an automatic copy of files and folders on
the file servers? (Choose two.)
• A. Disk Management
• B. Computer Management
• C. Volume Shadow Copy service
• D. Backup or Restore Wizard
Q12 What should you do to audit the HKEY_LOCAL_MACHINE settings on the selected
member servers? (Choose three. Each answer is part of the solution.)
• A. Set the audit policy for the domain to Audit Object Access.
• B. Set the SACL of HKEY_LOCAL_MACHINE to Full Control for Success.
• C. Set the audit policy for the member servers to Audit Object Access.
• D. Set the ACL of HKEY_LOCAL_MACHINE to Full Control for Success.
• E. Set the SACL of HKEY_LOCAL_MACHINE to Full Control for Failure.
• F. Set the ACL of HKEY_LOCAL_MACHINE to Full Control for Failure.
• A. Certificates
• B. Active Directory
• C. Basic authentication
• D. NTLMv2
Q14 Which Web server authentication protocols can only be used if PowerTran gives
clients an account in Active Directory?
• A. Basic
• B. Certificate
• C. Integrated Windows
• D. Digest
Q15 Which new Windows Server 2003 tool should PowerTran use to distribute Group
Policies?
2. D
3. A, B
4. B, C
5. D
6. B
7. C
8. C
10. B
11. C
12. D
13. A, D
14. B
15. A, C
Q1 The correct answer is B. Only one domain is required because the overview states
that the account policies of all domains are the same and because there is no
physical limitation. Two domains are not required in this scenario; therefore,
answer A is incorrect. Six domains (one per location) are not required in this
scenario; therefore, answer C is incorrect. It is possible to determine the number
of domains that will be required; therefore, answer D is incorrect.
Q3 Answers A and B are correct. Windows 95 clients use LAN Manager (LM)
authentication. Windows NT Workstation clients prior to Service Pack 4 also use
LM authentication. Windows 2000 Professional clients use Kerberos in a domain or
NTLMv2 in a workgroup; therefore, answer C is incorrect. Windows XP Professional
clients use Kerberos in a domain or NTLMv2 in a workgroup; therefore, answer D
is incorrect.
Q5 The correct answer is D. Because IntelliSync currently uses RAS servers with dial-
up connections, Windows 95 cannot authenticate with MS-CHAPv2. MS-CHAPv2 is
not limited to Windows XP clients; therefore, answer A is incorrect. MS-CHAPv2 is
not limited to Windows 2000 Professional and Windows XP Professional clients;
therefore, answer B is incorrect. Windows 95 clients cannot use MS-CHAP to
authenticate on dial-up connections; therefore, answer C is incorrect.
Q6 The correct answer is B. VPN connections through a RAS server are more secure
and eliminate the use of modems on the server. DDR is a technology that uses
modems to temporarily connect routes to remote offices; therefore, answer A is
incorrect. WINS is a name resolution service that resolves NetBIOS names to IP
addresses; therefore, answer C is incorrect. NAT is a service that allows one
registered IP address to be translated to multiple private IP addresses; therefore,
answer D is incorrect.
Q7 The correct answer is C. All of their clients can use MS-CHAPv2 for the VPN
connection; but only Windows 2000 Professional and Windows XP clients can use
L2TP. Windows 95 and Windows NT Workstation cannot use L2TP; therefore,
answer A is incorrect. Windows NT Workstation cannot use L2TP; therefore,
answer B is incorrect. Windows 2000 Professional clients can use L2TP; therefore,
answer D is incorrect.
Q8 The correct answer is C. A warm site consists of a building that has the correct
power, connectivity, and space requirements for the network equipment necessary
for a company to survive. A hot site is a location that has the backup servers and
other network equipment installed and operational; therefore, answer A is
incorrect. A cold site is basically a building that has been set aside to be used in
case of an emergency, with no real consideration given to power, connectivity, or
space requirements; therefore, answer B is incorrect. The description of
IntelliSync's site is that of a warm site; therefore, answer D is incorrect.
Q9 The correct answer is D. Group Policy should be used to assign the antivirus
software and then distribute the updates. Remote Access Policy controls access to
the network from outside of the network; therefore, answer A is incorrect. ACLs
control permissions to Active Directory objects; therefore, answer B is incorrect.
SUS is used to keep up with the latest Microsoft security updates. To this date,
Microsoft does not sell antivirus software; therefore, answer C is incorrect.
Q10 The correct answer is B. Only Active Directory integrated zones have secure
dynamic updates. This means that they only communicate with another object
that is authenticated and authorized by Active Directory. Standard Primary zones
do not allow for secure dynamic updates; therefore, answer A is incorrect. Stub
zones assist in name resolution in large networks, but do not facilitate secure
dynamic updates; therefore, answer C is incorrect. Standard Secondary zones are
read-only copies of Standard Primary zones and do not allow for secure dynamic
updates; therefore, answer D is incorrect.
Q12 The correct answer is D. Windows 2000 Professional and newer clients can use
Group Policies distributed from Windows 2000 Server servers or Windows Server
2003 servers. Windows 9x and Windows NT Workstation clients cannot use Group
Policies; therefore, answer A is incorrect. Windows NT Workstation cannot use
Group Policies; therefore, answer B is incorrect. Windows 2000 Professional clients
can use Group Policies from Windows Server 2003 servers; therefore, answer C is
incorrect.
Q13 Answers A and D are correct. Clients prior to Windows 2000 Professional only use
NetBIOS name resolution to locate services on the network. Windows XP clients
use DNS name resolution with SRV records by default; therefore, answer B is
incorrect. Windows 2000 Professional clients use SRV records by default;
therefore, answer C is incorrect.
Q14 The correct answer is B. The partitions must be formatted with NTFS so that EFS
can be used to encrypt the sensitive data. EFS is not a file system that is
formatted onto a partition; therefore, answer A is incorrect. FAT32 does not
support EFS; therefore, answer C is incorrect. Only NTFS version 5 and higher file
systems support EFS; therefore, answer D is incorrect.
Q15 Answers A and C are correct. Only Windows 2000 Professional and newer clients
can use Kerberos authentication and L2TP. Both of these features would enhance
security for IntelliSync. System Policy Editor is a tool used to control system
policies for users and computers in Windows NT domains; therefore, answer B is
incorrect. PPTP is a tunneling standard that can be used by all Microsoft clients;
therefore, answer D is incorrect.
2. A, D
3. C
4. B, C
5. D
6. A, D
7. D
8. B
10. D
11. B, D
12. D
13. A
14. B, C, D, E
15. D
Q1 The correct answer is B. The domain controllers should all be in the same forest.
Implicit trust relationships automatically connect all of the domains. There is no
need to create any trusts; therefore, answers A and C are incorrect. Implicit trusts
are created automatically between the parent and child domains; therefore,
answer D is incorrect.
Q2 Answers A and D are correct. PKI can be used to control the issuance and use of
certificates to authenticate the extranet users. Active Directory can be used to
provide secure extranet access by adding the extranet users to a separate domain
or a separate OU. EFS is a service used to protect information on local drives, not
an authentication technology; therefore, answer B is incorrect. NAT can conserve
public addresses by translating one public address to many private addresses for
use on the Internet; therefore, answer C is incorrect.
Q3 The correct answer is C. MBSA checks clients and servers for the latest security
updates and other known vulnerabilities. SUS can be used to systematically apply
the latest security updates to all servers and clients, but it does not check for
other security vulnerabilities; therefore, answer A is incorrect. RSoP can be used
to model the effect of a change in a Group Policy; therefore, answer B is incorrect.
GPMC is a tool used to create, distribute, and manage Group Policies; therefore,
answer D is incorrect.
Q4 Answers B and C are correct. SUS should be used on the servers to locate and
approve the latest updates for servers and clients. Group Policy should then be
used to distribute the updates. Automatic Updates should be used on the client as
controlled by the Group Policy; therefore, answer A is incorrect. Remote Access
Policy does not apply in this scenario; therefore, answer D is incorrect.
Q5 The correct answer is D. Windows 2000 Professional and newer clients can be
controlled using Group Policy. Windows 98 clients cannot use Group Policy;
therefore, answer A is incorrect. Windows 2000 Professional clients can use Group
Policy; therefore, answer B is incorrect. Windows XP clients can use Group Policy;
therefore, answer C is incorrect.
Q6 Answers A and D are correct. Upgrading the laptops to Windows XP would improve
security by allowing NTFS files on the drives as well as EFS. Account policies are
set on the domain controllers; therefore, answer B is incorrect. Offline Files and
Folders is a service that caches files and folders for use offline. It does not
improve security; therefore, answer C is incorrect.
Q8 The correct answer is B. VPN can be used to eliminate the use of the modems on
the RAS servers and improve security. DHCP is a service that allocates IP
addresses to clients; therefore, answer A is incorrect. NAT is a service that
conserves public IP addresses; therefore, answer C is incorrect. DDR is a service
that uses modems to create temporary connections to remote offices; therefore,
answer D is incorrect.
Q9 Answers A and B are correct. L2TP can be used on clients that are Windows 2000
Professional or newer. PPTP can be used on all clients. PPP is a transport protocol
used over telephone lines, not a tunneling protocol; therefore, answer C is
incorrect. IPSec transport mode can be used to encrypt traffic within the same
network; therefore, answer D is incorrect.
Q10 The correct answer is D. PPTP has inherent Microsoft Point-to-Point Encryption
(MPPE) when used with Microsoft servers and clients. L2TP does not have an
inherent form of encryption, but can use IPSec; therefore, answer A is incorrect.
PPP is not a tunneling protocol; therefore, answer B is incorrect. IPSec is not a
tunneling protocol; therefore, answer C is incorrect.
Q11 Answers B and D are correct. Auditing logon events on all member servers tracks
the local logons to the member servers. Auditing account logon events on the
domain controllers tracks each domain controller's validation of a user's logon to
the domain. The audit policy does not require tracking local logons to the domain
controllers; therefore, answer A is incorrect. It is not possible to audit account
logon events on member servers because they do not validate logon requests;
therefore, answer C is incorrect.
Q12 Answer D is correct. They should use the A G U DL P strategy. They should place
the accounts into Global groups, place the Global groups into Domain Local
groups, and then give the Domain Local groups the permissions to the resources.
Permissions should not be assigned directly to a user. This might seem efficient in
the short term, but it is confusing and inefficient in the long term; therefore,
answer A is incorrect. Permissions should not be assigned to Global groups;
therefore, answer B is incorrect. Permissions should not be assigned to Universal
groups; therefore, answer C is incorrect.
Q13 The correct answer is A. Local groups can be created on member servers and
clients to give access to a resource located on that specific computer. Local groups
cannot be created on domain controllers. Domain Local groups are created in
Active Directory and can give access to a resource located anywhere in the
domain; therefore, answer B is incorrect. Global groups are created in Active
Directory and are generally not assigned permissions; therefore, answer C is
incorrect. Universal groups are created in Active Directory and are generally not
assigned permissions; therefore, answer D is incorrect.
Q14 Answers B, C, D, and E are correct. They should use the A G U DL P strategy.
They should place all the user accounts into Global groups in their own domain,
place all the Global groups into a Universal group, place the Universal group into a
Domain Local group in each domain, and give permissions to the Domain Local
group for the resource in its own domain. All members of Global groups must be
local to one domain; therefore, answer A is incorrect. Domain Local groups can
only be assigned permissions for resources located in their own domain;
therefore, answer F is incorrect.
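The A G U DL P chain described in the Q12 and Q14 answers, written out with the ActiveDirectory PowerShell module as an added example (not code from the book). The forest name, domain names, OU paths, group names, file server name and share path are all constructed placeholders, and the script assumes it runs with rights to create groups in every domain and to edit the share's NTFS ACL.

```powershell
# Added example (not from the book): the A G U DL P chain from the ComForce Q12
# and Q14 answers, built with the ActiveDirectory module. Domain names, OU paths,
# group names, the file server name and the share path are constructed placeholders.
Import-Module ActiveDirectory

# Turns 'east.example.test' into 'DC=east,DC=example,DC=test'.
function Get-DomainDN([string]$Domain) {
    ($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ','
}

# Constructed forest: two domains, each with users who need the Reports share,
# and each hosting its own copy of the share on a file server.
$forestRoot = 'example.test'
$domains = @{
    'east.example.test' = @('alice', 'bob')
    'west.example.test' = @('carol')
}

# A -> G: accounts go into a Global group in their OWN domain. A Global group
# cannot hold accounts from another domain, which is why Q14 answer A is wrong.
$globalGroups = foreach ($d in $domains.Keys) {
    $g = New-ADGroup -Name 'G-ReportUsers' -GroupScope Global -GroupCategory Security `
                     -Path "OU=Groups,$(Get-DomainDN $d)" -Server $d -PassThru
    Add-ADGroupMember -Identity $g -Members $domains[$d] -Server $d
    $g
}

# G -> U: one Universal group collects the Global groups from every domain
# (Universal security groups need the raised functional level named in Q14).
$u = New-ADGroup -Name 'U-ReportUsers' -GroupScope Universal -GroupCategory Security `
                 -Path "OU=Groups,$(Get-DomainDN $forestRoot)" -Server $forestRoot -PassThru
Add-ADGroupMember -Identity $u -Members $globalGroups -Server $forestRoot

# U -> DL -> P: each domain gets a Domain Local group that holds the Universal
# group, and ONLY that Domain Local group receives NTFS permissions, on the copy
# of the resource in its own domain (Q14 answer F: a Domain Local group cannot be
# granted rights in other domains; Q12: never grant users, Global or Universal groups).
foreach ($d in $domains.Keys) {
    $dl = New-ADGroup -Name 'DL-ReportUsers-Read' -GroupScope DomainLocal -GroupCategory Security `
                      -Path "OU=Groups,$(Get-DomainDN $d)" -Server $d -PassThru
    Add-ADGroupMember -Identity $dl -Members $u -Server $d

    $share = "\\fs01.$d\Reports"                     # constructed UNC path
    $acl   = Get-Acl -Path $share
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
                 $dl.SID, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $share -AclObject $acl
}
```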
2. C
3. C
4. B, C
5. B, D, E
6. D
7. A, B
8. A
10. C
11. A
12. A, B
13. A, D
14. B
15. B, C, D
Q1 Answers A and C are correct. Application pools and worker process isolation mode
can be used to isolate each application so that one application's failing does not
affect other applications. IIS 5.0 isolation mode is not a new feature in Windows
Server 2003, which uses IIS 6.0; therefore, answer B is incorrect. HTTP keep-
alives allow a user to browse to different pages of your Web site without requiring
additional authentication; therefore, answer D is incorrect.
Q2 The correct answer is C. Volume shadow copies can be configured to create a copy
of all files at specified intervals. The user can revert back to the old version with
minimal effort and training. Incremental and differential backups are not a new
feature in Windows Server 2003; therefore, answers A and B are incorrect. ASR
can be used to recover a server in the event of a failure; therefore, answer D is
incorrect.
Q3 The correct answer is C. The Effective Permissions tool is new to Windows Server
2003 and can assist you in determining the resulting NTFS permissions for a user
or group that is in multiple groups. The GPMC is a new tool for Windows Server
2003 that is used to create, distribute, and manage Group Policies; therefore,
answer A is incorrect. RSoP is a new tool that allows you to model the effect of
changes in Group Policies; therefore, answer B is incorrect. ACLs can be used to
determine permissions, but are not new to Windows Server 2003; therefore,
answer D is incorrect.
Q5 Answers B, D, and E are correct. You should first set the audit policy to Audit
Object Access for Success and Failure. You should then set the system access
control lists (SACLs) for each of the files and folders. Audit Privilege Use is used to
audit a user's exercise of a user right and is not relevant in this scenario;
therefore, answers A and F are incorrect. ACLs are used to specify permissions for
an object, not for auditing; therefore, answer C is incorrect.
Q6 The correct answer is D. WINS resolves NetBIOS names to IP addresses. After all
of the clients are upgraded to Windows XP, the service is no longer required as
long as there are no legacy applications that are still using NetBIOS names. DNS
is an integral part of Active Directory and should not be uninstalled; therefore,
answer A is incorrect. NetLogon is a built-in service that cannot be uninstalled;
therefore, answer B is incorrect. DHCP is a service that is used to allocate IP
addresses and is not used by applications; therefore, answer C is incorrect.
Q7 Answers A and B are correct. The key and the files or folders to be decrypted must
be on the same computer. This can be accomplished safely by copying the
encrypted file onto removable media and taking it to the Recovery Agent
computer or by exporting the Recovery Agent's private key onto a floppy disk and
taking the floppy to the user's computer. After the recovery, the disk should be
destroyed or stored in a secure location. The keys are specific to the user and
cannot be exchanged; therefore, answer C is incorrect. The file does not remain
encrypted when it is sent through the network; therefore, answer D is incorrect.
Q8 The correct answer is A. The Manage Your Server Wizard assists you in
determining the current roles of a server and making changes when necessary.
Active Directory Users and Computers is used to control the logical aspects of
Active Directory but not to manage server roles; therefore, answer B is incorrect.
The Computer Management Console can be used to control many aspects of
computer hardware and software, but not to manage roles; therefore, answer C is
incorrect. System Monitor can be used to create a baseline using counters that
track system performance; therefore, answer D is incorrect.
Q9 Answers A and D are correct. You could modify the ACLs manually or you could
use the Delegation of Control Wizard. Active Directory Sites and Services is used
to control the physical aspects of Active Directory; therefore, answer B is
incorrect. Remote Desktops MMC can be used to control multiple servers from one
location; therefore, answer C is incorrect.
Q10 The correct answer is C. The only type of zone that can be set for secure
dynamic updates in Windows 2000 or Windows Server 2003 is an Active Directory
integrated zone. Only Active Directory integrated zones can be set for secure
dynamic updates; therefore, answer A is incorrect. Standard Primary zones cannot
be configured for secure dynamic updates; therefore, answers B and D are
incorrect.
Q11 The correct answer is A. GPMC is a new tool in Windows Server 2003 that can be
used to distribute Group Policies. The Group Policy Editor MMC was introduced
with Windows 2000 Server and is used to modify the setting of Group Policies in
Windows Server 2003; therefore, answer B is incorrect. RSoP is used to model the
effects of changes to Group Policies; therefore, answer C is incorrect. Gpupdate is
Q12 Answers A and B are correct. Customers can use certificates issued by GWC or a
third party, such as VeriSign. Customers could also be authenticated by Microsoft
using .NET Passport. NTLM authentication is used by NT servers for LANs;
therefore, answer C is incorrect. MS-CHAPv2 is used to authenticate a connection
to a remote access server; therefore, answer D is incorrect.
Q13 Answers A and D are correct. Only users with an account in Active Directory can
use Integrated Windows authentication and Digest authentication. Certificates can
be used by anyone who is issued the certificate and does not require an account;
therefore, answer B is incorrect. Basic authentication can be used by anyone who
knows the username and password; therefore, answer C is incorrect.
Q14 The correct answer is B. Basic authentication sends the username and password
over the wire in clear text. This is not considered secure because a network sniffer
could be used to view the password. Anonymous access does not require the use
of a username or password; therefore, answer A is incorrect. Digest authentication
encrypts the user's credentials before sending them over the wire; therefore,
answer C is incorrect. Certificate authentication does not require a username or
password; therefore, answer D is incorrect.
Q15 Answers B, C, and D are correct. Integrated Windows checks the credentials of the
current logon. Certificate authentication does not require user and password
credentials because the certificate is the credential. Anonymous access does not
require the user to enter a username and password and authenticates them to use
a default account. Digest authentication does require a username and password;
therefore, answer A is incorrect. Basic authentication does require a username
and password, which are sent in clear text; therefore, answer E is incorrect.
Case 4: PowerTran
1. B
2. B, C, E
3. C, D
4. D
5. A
6. A
7. D
8. A, B
9. B
10. A, B
11. C, D
12. B, C, E
13. A, B
14. C, D
15. B
Q3 Answers C and D are correct. Servers that do not contain sensitive information,
and are likely to be used from both internal clients and external clients, should be
placed in the perimeter network. Domain controllers contain sensitive Active
Directory information; therefore, answer A is incorrect. DHCP servers contain
sensitive information regarding IP address allocation; therefore, answer B is
incorrect.
Q6 The correct answer is A. CA constraints can be used to define limits on your cross-
certification relationships. NTFS permissions cannot be applied to a certificate;
therefore, answer B is incorrect. Connection timeouts are settings applied to a
connection, not to a certificate; therefore, answer C is incorrect. HTTP
compression makes better use of available bandwidth; therefore, answer D is
incorrect.
Q8 Answers A and B are correct. Processor Queue Length and Memory Available Bytes
are counters that might be used to establish a performance baseline. CRC Errors
and Serial Overrun Errors are RAS counters that are used for troubleshooting;
therefore, answers C and D are incorrect.
Q9 The correct answer is B. Wi-Fi Protected Access uses higher levels of encryption
and dynamic rekeying to improve security. WEP is not as secure as Wi-Fi;
therefore, answer A is incorrect. RADIUS is an authentication protocol that uses
Active Directory and can be used by wired and wireless networks; therefore,
answer B is incorrect. PEAP is an authentication protocol that uses secure
passwords and can be used for wired or wireless networking; therefore, answer D
Q10 Answers A and B are correct. The administrator can either use the Delegation of
Control Wizard to modify the ACLs or manually modify the ACLs on his own. Active
Directory Sites and Services is used to control the physical aspects of Active
Directory; therefore, answer C is incorrect. Active Directory Domains and Trusts is
used to configure the connections between domains; therefore, answer D is
incorrect.
Q11 Answers C and D are correct. The Backup or Restore Wizard can be scheduled to
perform regular backups. The Volume Shadow Copy service can be scheduled to
make restorable shadows of files at multiple times. Disk Management is not used
to create backups; therefore, answer A is incorrect. Computer Management is not
used to perform backups; therefore, answer B is incorrect.
Q12 Answers B, C, and E are correct. You set the audit policy on each of the member
servers because this allows for the least possible auditing. You should then set the
SACL for HKEY_LOCAL_MACHINE to Full Control for Success and Failure. Setting the
audit policy for the domain is not recommended because the auditing is specific to
the member servers; therefore, answer A is incorrect. ACLs are used to control
access to objects, not for auditing; therefore, answers D and F are incorrect.
Q13 Answers A and B are correct. You can use certificates or you can give the extranet
users an account in Active Directory. Basic authentication is a type of IIS
authentication that is not secure on its own because the credentials are sent in clear
text (the Base64 encoding is trivially reversed) unless the connection is protected by
SSL; therefore, answer C is incorrect. NTLMv2 is a challenge/response protocol for
Windows network logons, used mainly by clients that cannot use Kerberos (such as Windows
NT 4.0 Workstation with SP4 or later); it is not an IIS authentication option for
extranet users; therefore, answer D is incorrect.
Q14 Answers C and D are correct. Clients can only use Integrated Windows and Digest
authentication if they are given an account in Active Directory (Digest authentication
additionally requires either Windows Server 2003 domain controllers with Advanced Digest
or accounts that store passwords with reversible encryption). Basic authentication can
be used by anyone who has a password, but it is not recommended because it sends the
password in clear text; therefore, answer A is incorrect. Certificate authentication
does not require an account in Active Directory; therefore, answer B is incorrect.
Q15 The correct answer is B. GPMC is a new tool in Windows Server 2003 that is used to
create, link, back up, and otherwise manage Group Policy Objects across sites, domains,
and OUs, which is how policies are distributed. The Group Policy Object Editor MMC is a
tool used to edit the settings inside a Group Policy but not to distribute it;
therefore, answer A is incorrect. Gpresult is a command-line tool used to determine the
results of multiple policies on a computer and user; therefore, answer C is incorrect.
Gpupdate is a command-line tool that is used to make policies effective on a local
machine; therefore, answer D is incorrect.
Security Concerns
The security team at AUM has identified the following security concerns:
Senior Administrator: I would like some options in regard to secure remote management.
Q1 How many domains will AUM need after they upgrade all domain controllers to Windows
Server 2003?
• A. 1
• B. 2
• C. 4
• D. There isn't enough information to determine this answer.
Q2 Which Windows Server 2003 feature should AUM use to encrypt all local communication
between servers and clients?
• A. Windows 95
• B. Windows NT Workstation
• C. Windows 2000 Professional
• D. Unix
Q4 Which feature in Windows Server 2003 can be used to satisfy the concern of the CIO?
Q5 With AUM's current infrastructure, which clients can use MS-CHAP for authentication to
RAS servers?
• A. NAT
• B. VPN
• C. WINS
• D. DDR
Q7 If AUM decides to use VPN, which of their clients will be able to use MS-CHAPv2 to
authenticate to the remote access servers through the VPN connection using a PPTP
tunnel?
• A. All clients
• B. All Microsoft clients
• C. Only Windows 2000 Professional and Windows XP Professional clients
• D. All clients except Windows 95
Q8 AUM has decided to create a disaster recovery plan that will include an alternate site for
the corporate location. This site will be maintained by a system of servers and network
equipment similar to those in the actual site. The site will be tested regularly to make
certain it is ready in the event of a disaster, such as a flood or blackout. Which type of
site have they chosen?
• A. Cold site
• B. Hot site
• C. Replica site
• D. It's impossible to tell from the information given.
Q9 Which Windows Server 2003 tool should be used for granular control of Active Directory
permissions on objects?
• A. ACLs
• B. Group Policy
• C. SUS
• D. Remote Access Policy
Q10 Which type of DNS zones should be used to ensure secure dynamic updates?
• A. Standard Primary
• B. Stub
• C. Active Directory integrated
• D. Standard Secondary
Q11 Which Windows Server 2003 tools should be used to satisfy the request of the Senior
Administrator? (Choose two.)
Q13 Which of AUM's clients can use SRV records to locate services on the network? (Choose
two.)
• A. Windows XP Professional
• B. Windows NT Workstation
• C. Windows 2000 Professional
• D. Only Windows 95
Q14 Which encryption system can be used to secure the information on the laptops, even if
they are lost or stolen?
• A. MD5
• B. NTFS
• C. EFS
• D. L2TP
Q15 Which additional features might be used to justify the expense of upgrading AUM's
Windows 95 and Windows NT Workstation client computers? (Choose two.)
• A. Group Policy
• B. Remote Access Policy
• C. Kerberos authentication
• D. Share permissions
Security Concerns
The security team at BBF has identified the following security concerns:
Security Commentary
CEO: We must ensure that we have the very latest in security. If that means we have to
upgrade every client and every server, so be it.
CIO: We will increase security when we increase control from Birmingham. We have to
take back most of the management tasks from the satellite offices and assign few rights
to them from now on.
Q2 Which authentication methods should BBF consider to provide secure Web access?
(Choose two.)
• A. Basic
• B. Integrated Windows
• C. Mapped certificates
• D. MD5
Q3 Which tool should BBF use to automate the process of applying security patches
on Windows 2000 Professional and Windows XP Professional clients?
• A. Computer Management
• B. RSoP
• C. MBSA
• D. SUS
Q5 Which clients can be centrally controlled using Windows Server 2003 Group
Policy?
Q8 After the migration, which tools can be used to accomplish the goals of the CIO?
(Choose two.)
Q9 Which new technologies might be used as justification for upgrading all of BBF's
clients to at least Windows 2000 Professional? (Choose two.)
• A. PPTP
• B. L2TP
• C. Kerberos
• D. Share permissions
Q10 Which of the following is the inherent form of encryption used by PPTP?
• A. L2TP
• B. PPP
• C. IPSec
• D. MPPE
Q11 Which events should be audited to satisfy the audit requirements? (Choose two.)
Q12 How should BBF design group management for the most efficient control of access
to resources?
• A. Place the users into Global groups based on their resource needs. Place
the Global groups into the appropriate Domain Local groups. Assign
permissions to Domain Local groups.
• B. Assign permissions to a Global group for users who need access to the
same resource and then place the users into the Global group.
• C. Assign permissions to Universal groups and then place the users into the
Universal groups.
• D. Assign permissions to each user for the resources that he requires.
• A. Local
• B. Universal
• C. Global
• D. Domain Local
Q14 Which types of certificate mapping could be used to authenticate users with
certificates to the secure Web sites? (Choose two.)
• A. One-to-one
• B. Integrated Windows
• C. Many-to-one
• D. Digest
Q15 Which tool should BBF use to determine the combined NTFS permissions for users
in multiple security groups?
• A. Effective Permissions
• B. Delegation Wizard
• C. Group Policy Management Console
• D. Active Directory Users and Computers
Security Concerns
The security team at SysCon has identified the following security concerns:
• Some applications running on the secure Web sites are not stable. One
application's crashing can cause other applications to crash as well.
• Engineers have lost valuable information on file servers by accidentally altering
and saving a file.
• It is difficult to determine the resulting permissions of a user who is in multiple
groups.
• Users must be required to use complex passwords as defined by the new Windows
Server 2003 system.
• Some sensitive files will need to be audited for access or attempted access by any
parties.
• EFS will be used for all laptop computers. Some folders will require encryption.
• All services that are no longer used after the upgrade must be uninstalled.
• DNS updates must be automatic and secure for all clients and servers after the
upgrade.
CIO: We have to make the IIS servers more stable for our line-of-business applications.
Q1 Which new features in Windows Server 2003 IIS will address the CIO's stability
concern with regard to Web applications? (Choose two.)
• A. Application pools
• B. Worker process isolation mode
• C. Bandwidth throttling
• D. HTTP keep-alives
Q2 Which methods can address the concern of losing information in files that are
accidentally altered and saved on file servers? (Choose two.)
Q3 Which new tool in Windows Server 2003 can be used to create, manage, and
delegate Group Policies?
• A. GPMC
• B. RSoP
• C. Effective Permissions
• D. Group Policy Object Editor
• A. OU
• B. Site
• C. Domain
• D. All are valid choices.
Q5 Which steps are involved in setting the auditing of sensitive files and folders to
satisfy SysCon's auditing requirements? (Choose three. Each answer is part of the
solution.)
• A. DNS
• B. WINS
• C. DHCP
• D. RAS
Q7 Which features of Windows Server 2003 must SysCon use to encrypt folders on
the laptop computers? (Choose two.)
• A. PPTP
• B. L2TP
• C. Group Policy
• D. Active Directory
Q10 After the migration to Windows Server 2003, which type of DNS zones should be
used to ensure secure dynamic updates?
Q11 Which new Windows Server 2003 command should SysCon use to update Group
Policies on a local computer?
• A. .NET Passport
• B. Basic
• C. NTLMv2
• D. Digest
• A. MS-CHAPv2
• B. Integrated Windows
• C. IPSec
• D. Digest
Q14 Which type of authentication logs the user on to a default account with very
limited permissions?
• A. Basic
• B. Digest
• C. Anonymous
• D. Integrated Windows
Q15 Immediately following a default installation of IIS 6.0, which types of services will
it perform?
Each office is managed locally. Two one-way trusts connect each domain to every other
domain to allow access to all resources. Microsoft client computers run Windows 95,
Windows NT Workstation, Windows 2000 Professional, and Windows XP Professional.
There are also a few Unix-based clients.
Security Concerns
The security team at DC&H has identified the following security concerns:
Security Commentary
CEO: If we are going to allow users to dial in from home, we need to make certain we
know who they are.
CIO: After the upgrade, I want a minimum of 12 characters in all user passwords in
Washington D.C. only; I require the other offices to use a minimum of six characters.
Q1 How many domains does DC&H need after its migration to Windows Server 2003?
• A. 1
• B. 4
• C. 2
• D. There is not enough information to answer the question.
• A. Unix
• B. Windows XP Professional
• C. Windows 2000 Professional
• D. Windows NT Workstation
• E. Windows 95
Q3 Which types of servers should be placed onto the perimeter network (between the
internal and external firewalls)? (Choose two.)
• A. Proxy servers
• B. DHCP servers
• C. Web servers
• D. Domain controllers
Q4 With a default installation of Windows Server 2003, which services will IIS 6.0
provide?
• A. None
• B. All services
• C. ASP and .NET applications
• D. Only static content
• A. None
• B. All services
• C. ASP and .NET applications
• D. Only static content
Q6 Which authentication protocols should DC&H avoid using on their secure Web
sites? (Choose two.)
• A. Basic
• B. Integrated Windows
• C. .NET Passport
• D. Anonymous access
• A. DDR
• B. Proxy
• C. Firewall
• D. NAT
• A. Windows 95
• B. Unix
• C. Windows 2000 Professional
• D. Windows NT Workstation
• E. Windows XP Professional
Q10 Which tool can the network administrator use to adjust and remove administrative
rights of a user who has already been delegated the rights?
• A. ACLs
• B. Delegation of Control Wizard
• C. Active Directory Sites and Services
• D. Active Directory Domains and Trusts
Q11 Which tools should DC&H use to create an automatic backup of files and folders on
the file servers? (Choose two.)
Q12 What should you do to audit the HKEY_CURRENT_USER settings on the selected
member servers? (Choose three. Each answer is part of the solution.)
• A. Set the audit policy for the member servers to Audit Object Access.
• B. Set the SACL of HKEY_CURRENT_USER to Full Control for Success.
• C. Set the audit policy for the domain to Audit Object Access.
• D. Set the ACL of HKEY_CURRENT_USER to Full Control for Success.
• E. Set the SACL of HKEY_CURRENT_USER to Full Control for Failure.
• F. Set the ACL of HKEY_CURRENT_USER to Full Control for Failure.
Q14 Which Web server authentication protocols can only be used if DC&H gives clients
an account in Active Directory?
• A. Digest
• B. Certificate
• C. Integrated Windows
• D. Basic
Q15 Which new Windows Server 2003 tool should DC&H use to configure settings on
Group Policies?
Answer Key: AUM
2. B
3. B, C
4. C
5. A
6. D
7. B
8. B
10. C
11. B, D
12. A
13. A, C
14. C
15. A, C
Q1 The correct answer is A. Only one domain is required because the overview states
that the account policies of all domains are the same and because there is no
physical limitation. Two domains are not required in this scenario; therefore,
answer B is incorrect. Four domains (one per location) are not required in this
scenario; therefore, answer C is incorrect. It is possible to determine the number
of domains that will be required; therefore, answer D is incorrect.
Q3 Answers B and C are correct. Windows 2000 Professional clients fall back to NTLM
authentication when Kerberos is not available, for example when not logged on to a
domain or when connecting to a Windows NT server. Windows NT Workstation clients also
use NTLM authentication. Windows 95 clients use LM authentication, not NTLM; therefore,
answer A is incorrect. Unix clients do not use NTLM authentication; therefore, answer D
is incorrect.
Q5 The correct answer is A. All of AUM's Microsoft clients can use MS-CHAP. The Unix
clients could use CHAP, but not MS-CHAP. AUM's Windows 95 clients can also use
MS-CHAP; therefore, answer B is incorrect. Windows 95 and Windows 2000 Professional
clients can also use MS-CHAP; therefore, answer C is incorrect. Windows 95 clients can
use MS-CHAP; therefore, answer D is incorrect.
Q6 The correct answer is D. DDR (demand-dial routing) creates a temporary route by
using one modem to dial another modem when traffic for the remote network appears. NAT
is a service that lets many hosts with private IP addresses share one registered
(public) IP address by translating addresses and ports; therefore, answer A is
incorrect. A VPN uses the Internet to provide more secure connections and eliminate the
use of modems on the server; therefore, answer B is incorrect. WINS is a name
resolution service that resolves NetBIOS names to IP addresses; therefore, answer C is
incorrect.
Q7 The correct answer is B. All of the Microsoft clients can use MS-CHAPv2 for a PPTP
VPN connection (Windows 95 needs the Dial-Up Networking 1.3 upgrade and Windows NT
Workstation 4.0 needs Service Pack 4 or later), but the Unix clients cannot use
MS-CHAPv2 for authentication. Because the Unix clients cannot use MS-CHAPv2, answer A
is incorrect. Windows NT Workstation and Windows 95 can use MS-CHAPv2 for
authentication through PPTP tunnels; therefore, answers C and D are incorrect.
Q9 The correct answer is A. ACLs and the ACEs contained in them provide granular
control of each Active Directory object. Group Policies are groups of policies that
are used to control sites, domains, and OUs; therefore, answer B is incorrect. SUS
is used to keep up with the latest Microsoft security updates; therefore, answer C
is incorrect. Remote Access Policy controls access to the network from outside of
the network; therefore, answer D is incorrect.
Q10 The correct answer is C. Only Active Directory integrated zones support secure
dynamic updates. Secure dynamic update means that only a client that has authenticated
to Active Directory can register a record, and the ACL on each record then limits who
may change it (by default, the account that registered it). Standard Primary zones do
not allow for secure dynamic updates; therefore, answer A is incorrect. Stub zones
assist in name resolution on large networks but do not facilitate secure dynamic
updates; therefore, answer B is incorrect. Standard Secondary zones are read-only
copies of Standard Primary zones and do not accept dynamic updates at all; therefore,
answer D is incorrect.
Q11 Answers B and D are correct. The Remote Desktops MMC allows an administrator
to view the desktops and manage multiple servers and clients from a single
location. Computer Management allows the administrator to control the computer
settings remotely. RRAS is a tool used to control RAS, such as dial-up and VPN
Q12 The correct answer is A. Only AUM's Windows 2000 Professional and Windows XP
Professional clients can use Windows Server 2003 Group Policy. Windows NT
Workstation cannot use Group Policies; therefore, answer B is incorrect. Windows
2000 Professional clients can use Group Policies from Windows Server 2003
servers; therefore, answer C is incorrect. Windows 95, Windows NT Workstation,
and Unix clients cannot use Windows Server 2003 Group Policy; therefore, answer
D is incorrect.
Q13 Answers A and C are correct. Windows 2000 Professional and Windows XP
Professional clients can use DNS and SRV records to locate services on the
network. Windows NT Workstation clients use NetBIOS name resolution services;
therefore, answer B is incorrect. Windows 95 clients also use NetBIOS name resolution
rather than SRV records, so they cannot be the only clients that do; therefore, answer
D is incorrect.
Q14 The correct answer is C. EFS can be used to encrypt the sensitive data to ensure
that it remains secure even if the laptop is lost or stolen. MD5 is a hash function
used to verify the integrity of data or to protect credentials in transit (as in Digest
authentication); it is not an encryption method and cannot protect stored files;
therefore, answer A is incorrect. NTFS is a file system used to secure files and
folders with permissions, which an attacker with physical access to the disk can
bypass; therefore, answer B is incorrect. L2TP is a tunneling protocol used to create
a VPN; therefore, answer D is incorrect.
Q15 Answers A and C are correct. Only Windows 2000 Professional and newer clients
can use Group Policy and Kerberos authentication. Both of these features could
enhance security for AUM. Remote Access Policy on Windows Server 2003 can be
used to control all clients; therefore, answer B is incorrect. All of AUM's current
clients can already use share permissions; therefore, answer D is incorrect.
Answer Key: BBF
2. B, C
3. D
4. D
5. A
6. C, D
7. A, C
8. C, D
10. D
11. A, B
12. A
13. D
14. A, C
15. A
Q3 The correct answer is D. SUS can be used to automate the process of applying the
latest security patches to Windows 2000 and Windows XP Professional clients.
Computer Management can be used to make changes to client computer settings but
not to install patches; therefore, answer A is incorrect. RSoP can be used to model
the effect of a change in a Group Policy; therefore, answer B is incorrect. MBSA is a
tool used to check for the latest security updates and for security vulnerabilities, but
it does not install the updates; therefore, answer C is incorrect.
Q5 The correct answer is A. Windows 2000 Professional and newer clients can be
controlled using Group Policy. Windows 2000 Professional and Windows XP clients
can be controlled using Group Policy; therefore, answers B and C are incorrect.
Windows 98 clients cannot be controlled using Group Policy; therefore, answer D is
incorrect.
Q6 Answers C and D are correct. Upgrading the laptops to Windows XP would improve
security by allowing NTFS on the drives as well as EFS. Account lockout policies
determine the number of times that a person can attempt, unsuccessfully, to log on
to a domain before he is locked out; they do nothing for data on a lost laptop;
therefore, answer A is incorrect. Stronger domain passwords improve account security
but do not protect the data stored on the laptops themselves; therefore, answer B is
incorrect.
Q7 Answers A and C are correct. IPSec tunnel mode can encrypt traffic between two
networks. MPPE is the encryption protocol used by PPTP when used with Microsoft
clients and servers. NTFS is a file system that can be used to control permissions to
files and folders, not to encrypt traffic; therefore, answer B is incorrect. IPSec
transport mode protects traffic end to end between two hosts rather than between two
networks; therefore, answer D is incorrect.
Q8 Answers C and D are correct. The Delegation of Control Wizard or the ACLs for
objects can be used to assign some permissions to local network managers. Remote
Access Policy controls a user's access to remote access connections, such as dial-up
or VPN connections; therefore, answer A is incorrect. Group Policies are used to
control sites, domains, and OUs but not to delegate administrative authority;
therefore, answer B is incorrect.
Q9 Answers B and C are correct. L2TP/IPSec and Kerberos authentication are natively
supported only on clients that are Windows 2000 Professional or newer (Microsoft later
published a separate L2TP/IPSec VPN client for Windows 98, Me, and NT 4.0 Workstation,
but there is no Kerberos add-on for those clients). PPTP can be used on all clients;
therefore, answer A is incorrect. Share permissions can be used on all clients;
therefore, answer D is incorrect.
Q11 Answers A and B are correct. Auditing logon events on the domain controllers tracks
the local logons to domain controllers. Auditing logon events on all member servers
tracks the local logons to the member servers. Account logon events are recorded on
the computer that validates the credentials, which for domain accounts is a domain
controller, so auditing account logon events on member servers would capture only
logons with local accounts; therefore, answer C is incorrect. The audit policy does
not require tracking a domain controller's validation of logons from other computers;
therefore, answer D is incorrect.
Q12 The correct answer is A. They should use the A G DL P strategy. They should place
the accounts into Global groups, place the Global groups into Domain Local groups,
and then give the Domain Local groups the permissions to the resources. Permission
should not be assigned to Global groups; therefore, answer B is incorrect.
Permissions should not be assigned to Universal groups; therefore, answer C is
incorrect. Permissions should not be assigned directly to a user. This might seem
efficient in the short term, but it is confusing and inefficient in the long term;
therefore, answer D is incorrect.
Q13 The correct answer is D. Domain Local groups are used to assign permission to a
resource located anywhere in a domain. Local groups are created on one computer
to give access to resources located on that computer; therefore, answer A is
incorrect. Universal groups are created in Active Directory and are generally not
assigned permissions; therefore, answer B is incorrect. Global groups are created in
Active Directory and are generally not assigned permissions; therefore, answer C is
incorrect.
Q14 Answers A and C are correct. One-to-one mapping maps one specific client
certificate to one user account. Many-to-one mapping uses rules on certificate fields
(such as the issuer or subject) so that any certificate matching the rule is mapped to
a single account. Integrated Windows and Digest are forms of Web authentication that
do not involve certificates; therefore, answers B and D are incorrect.
Q15 The correct answer is A. The Effective Permissions tool can be used to determine the
effective NTFS permissions of a user or group to a resource. The Delegation Wizard
is used to give some users partial management rights; therefore, answer B is
incorrect. The GPMC is used to create and manage Group Policies; therefore, answer
C is incorrect. Active Directory Users and Computers is used to manage the logical
aspects of Active Directory; therefore, answer D is incorrect.
Answer Key: SysCon
2. A, C
3. A
4. C
5. B, C, D
6. B
7. C, D
8. A, B
10. A
11. D
12. A, D
13. B, D
14. C
15. A
Q1 Answers A and B are correct. Application pools and worker process isolation mode
can be used to isolate each application in its own worker process so that one
application's failing does not affect other applications. Bandwidth throttling might
be used to help stabilize servers with multiple applications, but it is not a new
feature in Windows Server 2003 IIS; therefore, answer C is incorrect. HTTP keep-alives
keep a client's TCP connection open across multiple requests, which improves
performance but has nothing to do with isolating failing applications; therefore,
answer D is incorrect.
Q2 Answers A and C are correct. Regular backups ensure that the data is still
available. Volume shadow copies can be configured to create a copy of all files at
specified intervals. The user can revert to the old version with minimal effort
and training. Default NTFS permissions would not affect this scenario; therefore,
answer B is incorrect. ASR backs up the system state and the boot and system volumes
so that a server can be recovered after a failure, but it does not back up data
volumes; therefore, answer D is incorrect.
Q3 The correct answer is A. GPMC can be used to create, manage, and delegate
Group Policies. RSoP is a new tool that allows you to model the effect of changes
in Group Policies; therefore, answer B is incorrect. The Effective Permissions tool
is new to Windows Server 2003 and can assist you in determining the resulting
NTFS permissions for a user or group that is in multiple groups; therefore, answer
C is incorrect. The Group Policy Object Editor can only be used to edit existing
Group Policies; therefore, answer D is incorrect.
Q4 The correct answer is C. Password policies are part of account policies, which for
domain accounts can be controlled at the domain level only. Password policies set at
the OU level apply only to the local user accounts on the computers in that OU;
therefore, answer A is incorrect. Password policies are not applied to a site;
therefore, answer B is incorrect. Because only the domain is a valid choice, answer D
is incorrect.
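The two rules the account-policy answers above turn on are the domain-wide minimum password length (which is why the DC&H case needs a separate domain for a 12-character minimum) and the built-in complexity filter that SysCon wants enforced. The following is an added example, not code from the book, that models those documented rules in Python; the domain names, policies, and user accounts are constructed for illustration, and nothing here talks to a domain controller.

```python
"""Model of the Windows Server 2003 account-policy checks discussed above:
a per-domain minimum password length and the built-in complexity filter.
Added example that models the documented rules; it is not Microsoft code
and does not contact a domain controller. Domain names and user accounts
are constructed for illustration."""
import re

# Account policies apply to a whole domain in Windows Server 2003, so a
# stricter minimum length for one office means a separate domain for it.
DOMAIN_POLICY = {
    "dc.example.local":   {"min_length": 12, "complexity": True},
    "corp.example.local": {"min_length": 6,  "complexity": True},
}

# Delimiters the complexity filter uses to split the display name into tokens.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]")


def meets_complexity(password, sam_account_name, display_name):
    """Built-in complexity filter: six or more characters; the password must
    not contain the account name (when it is three or more characters) or any
    three-or-more-character token of the display name, compared without
    regard to case; and it must use at least three of the four classes
    uppercase, lowercase, digit, and non-alphanumeric."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    classes = (
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(not ("A" <= c <= "Z" or "a" <= c <= "z" or "0" <= c <= "9")
            for c in password),
    )
    return sum(classes) >= 3


def password_accepted(domain, password, sam_account_name, display_name):
    """Apply the account policy of the user's domain. Returns (ok, reason)."""
    policy = DOMAIN_POLICY[domain]
    if len(password) < policy["min_length"]:
        return False, "shorter than the %d-character domain minimum" % policy["min_length"]
    if policy["complexity"] and not meets_complexity(password, sam_account_name, display_name):
        return False, "rejected by the complexity filter"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: the same user proposing the same passwords in both
    # domains; only the domain-wide minimum length differs between them.
    for domain in DOMAIN_POLICY:
        for candidate in ("Summer2004!", "JaneDoe-2004!", "Summer-2004-Again!"):
            ok, reason = password_accepted(domain, candidate, "jdoe", "Jane Doe")
            print("%-20s %-20s %s" % (domain, candidate, reason))
```

Running the script shows the same 11-character password accepted in the 6-character domain and refused in the 12-character one, and a password built from the user's own name refused in both, which is the filter check, not the length check.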
Q5 Answers B, C, and D are correct. You should first set the audit policy to Audit
Object Access for Success and Failure. You should then set the SACLs for each of
the files and folders. Audit Privilege Use is used to audit a user's exercise of a user
right and is not relevant in this scenario; therefore, answers A and F are incorrect.
ACLs are used to specify permissions for an object, not for auditing; therefore,
answer E is incorrect.
Q7 Answers C and D are correct. The partition that contains the folders to be
encrypted with EFS must first be formatted with the NTFS file system. Offline Files
and Folders is not required for encryption; therefore, answer A is incorrect. Folder
compression is not required for encryption and, in fact, the folder to be encrypted
cannot be compressed; therefore, answer B is incorrect.
Q8 Answers A and B are correct. PPTP and L2TP can be used to create virtual private
networks through the Internet. Assuming that the bandwidth will meet its
requirements, this could represent a savings to SysCon when compared with the
cost of leased lines. Group Policy is used to control security and settings for
computers and users in sites, domains, and OUs; therefore, answer C is incorrect.
Active Directory is the underlying technology built in to Windows Server 2003;
therefore, answer D is incorrect.
Q10 The correct answer is A. The only type of zone that can be set for secure
dynamic updates on a Windows 2000 Server or Windows Server 2003 DNS server is an
Active Directory integrated zone. Standard Primary and Standard Secondary zones
cannot be configured for secure dynamic updates; therefore, answers B and D are
incorrect. Only Active Directory integrated zones can be set for secure dynamic
updates; therefore, answer C is incorrect.
Q11 The correct answer is D. The Windows Server 2003 command gpupdate replaces
the Windows 2000 command secedit /refreshpolicy machine_policy and is
used to force an immediate refresh of Group Policy on a local machine. The
secedit /refreshpolicy command is replaced by the gpupdate command in Windows
Server 2003 (secedit itself remains for analyzing and applying security templates);
therefore, answer A is incorrect. The gpresult command can be used to
determine the policies that apply to a computer and user; therefore, answer B is
incorrect. The netsh command is used to configure and script network settings from
the command line, not to refresh Group Policy; therefore, answer C is incorrect.
Q12 Answers A and D are correct. .NET Passport and Digest authentication both avoid
sending the password in clear text. Basic authentication is not secure because the
user's password is sent over the wire in clear text; therefore, answer B is
incorrect. NTLMv2 is a challenge/response protocol for Windows network logons; IIS
uses it only as part of Integrated Windows authentication, and it is not a Web site
authentication method in its own right; therefore, answer C is incorrect.
Q13 Answers B and D are correct. Integrated Windows authentication and Digest
authentication can be used in addition to certificates to increase security. MS-
CHAPv2 is an authentication protocol used for remote access, not Web servers;
therefore, answer A is incorrect. IPSec protects IP traffic within and between
networks but is not a Web server authentication method; therefore, answer C is
incorrect.
Q14 The correct answer is C. Anonymous access logs the user on to a default account
called IUSR_computername, which has very limited permissions. Basic
authentication requires a username and a password (credentials) and then sends
Q15 The correct answer is A. Immediately following a default installation of IIS 6.0,
only static content is served. Because static content is served, IIS does not
provide no services at all, and because everything else is disabled, it does not
provide all services; therefore, answer B is incorrect. Dynamic content such as ASP
and ASP.NET stays disabled until it is enabled under Web Service Extensions;
therefore, answers C and D are incorrect.
Answer Key: DC&H
2. D, E
3. A, C
4. A
5. D
6. A, D
7. A
8. B, D
10. A
11. A, C
12. A, B, E
13. C
14. A, C
15. A
Q1 The correct answer is C. The Washington D.C. office must be a separate domain
because it needs a different password policy, and password policy is set per domain.
The other three offices should be combined into one domain and represented by OUs.
One domain is not sufficient because of the need for a different password policy in
Washington D.C.; therefore, answer A is incorrect. Four domains (one for each
location) are not required or recommended: representing each remaining office as an
OU keeps delegation of administrative authority simpler than four separate domains
would; therefore, answer B is incorrect. There is enough information to determine the
correct answer; therefore, answer D is incorrect.
Q3 Answers A and C are correct. Servers that do not contain sensitive information,
and are likely to be used from both internal clients and external clients, should be
placed on the perimeter network. DHCP servers contain sensitive information
regarding IP address allocation; therefore, answer B is incorrect. Domain
controllers contain sensitive Active Directory information; therefore, answer D is
incorrect.
Q6 Answers A and D are correct. Basic authentication is not secure because the
password is sent over the wire in clear text. Anonymous access should only be
used for access to nonsecure public sites. Integrated Windows is a secure form of
authentication that relies on an Active Directory logon; therefore, answer B is
incorrect. .NET Passport is a secure form of authentication that relies on Microsoft
servers for authentication; therefore, answer C is incorrect.
Q8 Answers B and D are correct. Memory Available Bytes and Processor Queue
Length are counters that might be used to establish a performance baseline.
Serial Overrun Errors and CRC Errors are RAS counters that are used for
troubleshooting; therefore, answers A and C are incorrect.
Q9 Answers A, B, and D are correct. Windows 95, Unix, and Windows NT Workstation
cannot be controlled by Windows Server 2003 Group Policy. Windows 2000
Professional clients can be controlled by Group Policy; therefore, answer C is
incorrect. Windows XP Professional clients can be controlled by Group Policy;
therefore, answer E is incorrect.
Q10 The correct answer is A. The administrator would have to use the ACLs to adjust
delegated rights. The Delegation of Control Wizard can only be used to give rights,
not to adjust them or remove them (Microsoft's separately downloadable dsrevoke.exe
can report and remove delegated permissions, but the wizard itself cannot);
therefore, answer B is incorrect. Active Directory Sites and Services is used to
control the physical aspects of Active Directory; therefore, answer C is incorrect.
Active Directory Domains and Trusts is used to configure the connections between
domains; therefore, answer D is incorrect.
Q11 Answers A and C are correct. The Backup or Restore Wizard can be scheduled to
perform regular backups. The Volume Shadow Copy service can be scheduled to
make restorable shadows of files at multiple times. Computer Management is not
used to perform backups; therefore, answer B is incorrect. Disk Management is
not used to create backups; therefore, answer D is incorrect.
Q12 Answers A, B, and E are correct. You should set the audit policy on each of the
member servers because this allows for the least possible auditing. You should
then set the SACL for HKEY_CURRENT_USER to Full Control for Success and Failure.
Setting the audit policy for the domain is not recommended because the auditing
is specific to the member servers; therefore, answer C is incorrect. The ACLs are
used to control access to objects, not for auditing; therefore, answers D and F are
incorrect.
Q14 Answers A and C are correct. Clients can only use Digest and Integrated Windows
authentication if they are given an account in Active Directory. Certificate
authentication does not require an account in Active Directory; therefore, answer
B is incorrect. Basic authentication can be used by anyone who has a password,
but it is not recommended because it sends the password in clear text; therefore,
answer D is incorrect.
Q15 The correct answer is A. The Group Policy Object Editor MMC can be used to
configure and edit Group Policy settings. GPMC is a new tool in Windows Server
2003 that is used to distribute Group Policies, not to configure settings; therefore,
answer B is incorrect. Gpresult is a command-line tool used to determine the
results of multiple policies on a computer and user; therefore, answer C is
incorrect. Gpupdate is a command-line tool that is used to make policies effective
on a local machine; therefore, answer D is incorrect.
Microsoft Training and Certifications: View new and upcoming exams at:
www.microsoft.com/traincert/mcpexams/status/new.asp
A
A G U DL P
access control list (ACL)
A security setting list for every object in Active Directory that controls what
actions other objects can perform on the object specified.
account policies
The security policies, including password, account lockout, and Kerberos policies.
These are set at the domain level when applied to a domain.
administrative policies
The security requirements that are enforced by management. These are not
enforced by the operating system, but rather by documentation and training.
administrative templates
The Group Policy settings that are used to change the HKEY_LOCAL_MACHINE and
HKEY_CURRENT_USER Registry keys in multiple computers on a network.
An advanced form of firewall filtering that identifies the application of each packet
and makes decisions based on the application.
application isolation
The process of placing each Web application into its own application pool with its
own resources. This is done to ensure that one application's crashing does not
cause other applications to crash as well.
attack surface
A point of entry that an attacker could exploit and thereby enter a network. The
goal of an organization should be to minimize its attack surfaces.
auditing
The process of monitoring and recording logons, resource access, privilege use,
and so forth on a computer.
authentication
The process of a user or computer proving its identity to a device on the network.
Authentication should be required before a user is authorized to use network
resources.
B
bastion host server
built-in account
A user account that is created during the installation of Windows Server 2003, the
implementation of Active Directory, or the installation of additional services.
C
certificate
A digital document that is used to authenticate the origin, identity, and purpose of
the public half of a public/private key pair. A certificate ensures that the data sent
and received is kept secure.
certificate revocation list (CRL)
A list maintained by certification authorities that lists all certificates that are no
longer valid but have not yet reached their configured expiration date. Clients
validating a certificate can check the CRL to determine if a presented certificate is
still valid.
Certificate Services
A Microsoft snap-in tool that is used to issue and manage digital certificates within
a network's PKI.
certification authority (CA)
A service that issues digital certificates to users and computers. In addition, CAs
maintain a current list of revoked certificates that are no longer considered valid.
circuit-level filtering
The process of inspecting an entire session's attributes rather than the packets
themselves. You can configure acceptable port numbers and protocols for the
session.
client certificate
A digital document that contains a client's public key and allows the client to
prove his identity.
Client Service for NetWare
A service that allows Microsoft clients to connect directly to a NetWare server and
use resources for which they are assigned permissions.
cold site
computer role
confidential data
countermeasures
credentials
D
Delegation of Control
The process by which you can allow nonadministrative users to have some
responsibility for some portion of Active Directory, such as delegating the ability
to change users' passwords or add computers to the domain.
demand-dial routing
disaster recovery plan
A detailed document that outlines the procedures for restoring computer services
and communications to a network in the event of a catastrophic loss.
domain controller
A server that holds a writable copy of the Active Directory data and manages
information contained within the Active Directory database. Domain controllers
also function as DNS servers when Active Directory integrated zones are used.
The Kerberos Key Distribution Center (KDC) is located on every domain controller
as well.
domain user account
A user account that exists within an Active Directory network and allows the user
to log on to any computer in the network for which he has the required rights.
drag-and-drop questions
An exam question type that requires you to drag source objects into their proper
place in the work area.
E
Emergency Management Services
Encapsulating Security Payload (ESP)
A protocol that is used in the IPSec suite to handle data encryption. ESP is usually
used with Authentication Header to provide the maximum level of security and
integrity for data transmitted in IPSec transmissions. ESP uses DES encryption by
default, but it can be configured to use 3DES.
encryption
end certificate
enrollment
The process of providing key pairs and certificates for use with PKI. Windows
Server 2003 can automatically enroll users who are authenticated by Active
Directory.
Extensible Authentication Protocol (EAP)
An extension to PPP, as specified in RFC 2284, that provides a means for the
primary authentication method to be negotiated during the initiation of the PPP
session.
extranet
F
filtering
The process of configuring the DACL for a GPO such that only specific users or
groups can read and apply the GPO settings.
firewall
A hardware or software device that can prevent specified types of traffic from
entering or leaving a network.
framework
A suggested method for the purpose of organizing a project and preventing the
omission of any important steps. Microsoft recommends that companies use a
framework in regard to their security plan.
functional levels
The levels of functionality for Active Directory forests and Active Directory
domains that determine which unique features they can possess, such as
Windows 2000 mixed, Windows Server 2003, and others.
G
Gateway Service for NetWare
The services that allow Microsoft clients to connect to a NetWare server through a
Microsoft server using a gateway user account.
Gpresult
A command-line utility that can display the Group Policy settings and RSOP for a
user or a computer.
Gpupdate
A command-line utility that is used to refresh local and Active Directory Group
Policy settings, including security settings. The gpupdate command replaces the
/refreshpolicy option for the secedit command.
Group Policy Object Editor
A subset of the Active Directory Users and Computers console that allows the
editing of Group Policy Objects.
H
help desk
hot site
I
internal data
Internet Authentication Service (IAS)
The software that can be installed on a server to provide for central authentication
and logging of multiple remote access servers.
Internet Connection Firewall (ICF)
A host-based firewall that filters traffic based on port numbers. This type of
firewall is built into Windows XP Professional clients and Windows Server 2003
servers. It should be used on the clients, but should only be used as a last resort
on the servers.
Internet Information Services (IIS)
The software that is built into Microsoft server operating systems that provides
for the creation and secure management of Web sites and other Internet
functions.
Internet Protocol (IP)
The portion of the TCP/IP protocol suite that is used to provide packet routing.
intrusion detection system (IDS)
A device composed of hardware and software that can identify a network threat
and begin to defend against the threat while also alerting the network
administrator.
IP address
The 32-bit binary address that is used to identify a TCP/IP host's network and
host ID. IPv6 IP addresses are 128 bits in length.
IP Security (IPSec)
A Layer 3 TCP/IP protocol that provides end-to-end security for data in transit.
ISAKMP/Oakley
A protocol that is used to share a public key between the sender and receiver of a
secure connection. ISAKMP/Oakley allows the receiving system to retrieve a public
key and then authenticate the sender using digital certificates.
K
Kerberos v5
key pair
A user's public key, which anyone can use to encrypt data that is to be sent to the
user and which the user uses to verify his identity, combined with the user's
private key, which is held only by the user and is used to decrypt the data that
was encrypted with the public key.
key principles of security design
The methods of securing a network that have evolved from the experience of
many network administrators. These include defense in depth, least privilege,
minimized attack surface, and others.
L
Layer 2 Tunneling Protocol (L2TP)
A VPN protocol that is created by combining the PPTP and L2F tunneling protocols.
L2TP is used as the transport protocol in the Windows Server 2003 VPN service in
conjunction with IPSec.
local user account
A user account that exists only within the scope of the local computer and can
only be used to authenticate against the local computer's Security Accounts
Manager (SAM) database.
living document
A written plan that attempts to predict all of the threats that could come against a
network and highlights the areas of importance. It is said to be "living" because
the threats are constantly changing and, therefore, the document must be
updated frequently.
M
MD5 hash
member server
A server that is part of the Active Directory domain, but is not functioning as a
domain controller. Member servers might be SQL servers, Exchange servers, file
servers, print servers, and so on.
Microsoft Baseline Security Analyzer (MBSA)
A utility that can scan computers on a network and report missing security
updates and weak security configurations. MBSA can be run either from the
command line or from within the GUI.
Microsoft Management Console (MMC)
A Microsoft Windows tool used for hosting snap-in tools that are used for
administration.
Microsoft Solutions Framework (MSF)
A suite of guidelines and principles that provide models to build and deploy a
distributed network.
A standard exam question type that requires you to choose two or more correct
answers from a given list of possibilities.
A standard exam question type that requires you to choose one correct answer
from a given list of possibilities.
N
nesting Global groups
The process of placing a Global group into another Global group from the same
domain to simplify administration. This can only be accomplished if the domain is
at the Windows 2000 native mode functional level at a minimum.
NTFS permissions
The security permissions assigned to users and groups for files and folders that are
contained on the computers in a network.
O
Open Systems Interconnection (OSI) model
A seven-layer model that has been used since the early 1980s to define the
process of communication between two computers on a network.
organizational unit (OU)
A container that provides for the logical grouping of objects within Active
Directory to ease administration and configuration tasks.
P
packet filtering
The process of examining each packet in a data stream for its source, destination,
and protocol.
password policies
permissions
physical policies
The security policies that are enforced by implementing physical controls on the
network.
physical security
The security standards that relate to the structure of the network and the devices
that it contains.
principle of least privilege
An administrative principle stating that users should be given only the minimum
privileges required to perform the specific set of tasks they have been assigned.
private IP address
private key
A component of a key pair in PKI. The private key remains with the user and is
used to decrypt any messages that are encrypted with the public key.
print server
Any computer that has printer software installed and shared. Typically, this is a
server dedicated to printing or to file service and printing.
protocols
The rules and regulations as to how data and communications will be conducted
on a network or between two parties.
proxy server
A server that can make a connection to the Internet on behalf of another entity or
many other entities. Proxy servers can be used to control access to the Internet
or to specific sites on the Internet.
public key
A component of a key pair in PKI. The public key is used to identify the user and
to encrypt messages so that only the user can decrypt them.
public key infrastructure (PKI)
A system that includes servers, clients, and software and allows a user to be
uniquely recognized and authenticated to gain access to resources on a network
or on multiple networks.
public switched telephone network (PSTN)
The normal telephone lines that are generally used for voice communications
throughout the world.
R
registered IP address
Any block of addresses registered with the Internet Assigned Numbers Authority
(IANA).
remote access server
A server that is dedicated to providing and controlling access to dial-up and VPN
connections to a network.
Remote Assistance
A new tool in Windows Server 2003 and in Windows XP clients that allows an
administrator to connect to and configure a user's computer, including
downloading and uploading files.
A new MMC snap-in tool in Windows Server 2003, based on the Remote Desktop
Protocol, that allows an administrator to securely manage multiple computers
from one remote location.
revoked certificate
A digital certificate that has been taken out of usage before its configured end of
lifetime. Certificates can be revoked for any number of reasons, including loss of
keys or employee termination.
rights
The ability of a user to access and use a network and/or the tools used to manage
the network.
root CA
S
secret data
The information upon which an organization relies for its very existence. This
could include trade secrets, formulas, recipes, source codes, and other highly
sensitive data.
secure implementation
A process whereby network engineers create the security environment that was
decided upon by the security design team.
Secure Sockets Layer (SSL)
A service that uses a PKI to secure access and secure communications to Web
sites on the Internet or on an intranet.
security descriptor
security log
A log that is found in Event Viewer and that contains auditing entries.
security templates
The text files that contain settings that configure the security of the computer or
computers to which they are applied. Several preconfigured security templates
come with Windows Server 2003. You can edit and create your own custom ones
as required.
server certificate
A digital document that contains the server's public key and allows the server to
prove its identity on the network.
server roles
share permissions
site
smart card
sniffers
Software Update Services (SUS)
An add-on service for Windows 2000 and Windows Server 2003 networks that
provides the functionality of a Windows Update Web server on the internal
network. SUS allows you to select which available updates are authorized for
distribution to network clients, thus ensuring that only the updates you have
tested and approved are installed.
spoof
A type of attack in which the attacker tries to gain and manipulate enough
information about a network to make it appear as if he belongs there.
spool
SRV records
The special records used in a DNS database to identify the most important servers
on a network, such as domain controllers and global catalog servers.
standalone CA
stateful inspection
stub zone
A new DNS zone type in Windows Server 2003 that contains only the required
resource records that are needed to identify the authoritative DNS servers for
another zone.
subordinate CA
system access control list (SACL)
A security setting list on every object in Active Directory that controls the
system's ability to audit user and computer access to that object.
Systems Management Server (SMS)
A Microsoft software tool used to gather information about a network and make
configuration changes to servers and clients. SMS is often used in large enterprise
networks.
Sysvol
T
technical policies
The security policies that can be enforced by the operating system and the
applications that are installed.
Telnet
An inherent protocol in the TCP/IP suite. Telnet uses port 23/tcp to provide limited
command-line functionality to configure and manage servers. Passwords are sent
over the wire in clear text.
threats
The possible attackers or attacks that could lessen or destroy the productivity of a
network or a network resource. Threats can also be caused by misconfigured
security settings or inherent security weaknesses.
The tokens used with Kerberos authentication to give a user controlled access to
resources in multiple domains.
transport mode
The use of IPSec without a configured tunnel between two endpoints. Commonly
used on a private network between two hosts.
trusts
The logical connections between domains and forests over which permissions can
be assigned for the use of the resources contained in each domain or forest.
tunnel mode
The use of IPSec in a mode in which two endpoints have been configured to
create a tunnel, such as when a VPN tunnel is created.
U
Universal group
A Windows 2003 security group that can be used anywhere within a domain tree
or forest. Universal groups can only be used when a domain is at the Windows
2000 native functional level or higher.
universal group membership caching
A feature that can be used after a domain has been raised to the Windows 2003
functional level that allows users in Universal groups to log on without the
presence of a GC server.
V
virtual private network(ing) (VPN)
Volume Shadow Copy
A new feature in Windows Server 2003 that provides two distinctly different
functions. The first function allows the Windows Backup utility (or ntbackup from
the command line) to back up open files as if they were closed. The second
function provides a means to create and store up to 64 historical versions of files
located within a network share. Users can be trained to easily revert to a previous
version of a file.
W
Windows 2000 mixed functional level
This functional level allows Windows NT 4.0 domain controllers, Windows 2000
domain controllers, and Windows Server 2003 domain controllers to exist and
function within a Windows 2003 domain. This is the default setting when Active
Directory is installed. Some advanced services are not available in this functional
level.
Windows 2000 native functional level
This functional level allows Windows 2000 domain controllers and Windows Server
2003 domain controllers to exist and function in a Windows 2003 domain.
Windows NT 4.0 domain controllers cannot be used in this functional level. An
administrator explicitly puts Active Directory into native mode, at which time it
cannot be returned to mixed mode without removing and reinstalling Active
Directory.
Windows Server 2003 functional level
The highest functional level of either the domain or forest in Windows Server
2003. Only Windows Server 2003 domain controllers can be used. This functional
level implements all of the new features of Windows 2003 Active Directory.
Windows Installer
wire tap
wireless LAN (WLAN)
A local area network that uses one of the 802.11 standards, such as 802.11b or
802.11a.
workgroup
Z
zone
zone transfer
The process of copying DNS resource records from a primary zone to a secondary
zone.