
Designing Security™ for a Windows® Server™ 2003

Network Exam Cram™ 2 (Exam 70-298)

By Bill Ferguson

Published by Que

May 2004

Page 1 of 250
INDEX
A Note from Series Editor Ed Tittel ..........................................................................................4
About the Author ......................................................................................................................5
Acknowledgments ....................................................................................................................5
We Want to Hear from You! .....................................................................................................6
The 70-298 Cram Sheet...........................................................................................................7
TYPES OF SECURITY POLICIES ...................................................................................7
KEY PRINCIPLES OF SECURITY DESIGN ....................................................................7
TYPES OF DATA .............................................................................................................7
COMPONENTS OF A PUBLIC KEY INFRASTRUCTURE ..............................................7
MOST COMMON HIERARCHICAL DESIGNS FOR CERTIFICATION AUTHORITIES ..8
TYPES OF CAS ...............................................................................................................8
TYPES OF ACCOUNT POLICIES ...................................................................................8
TYPES OF TRUSTS ........................................................................................................8
ADMINISTRATIVE TOOLS THAT ENHANCE SECURITY ..............................................9
COMMON AUDIT POLICY SETTINGS............................................................................9
ENTERPRISE MANAGEMENT TOOLS...........................................................................9
TYPES OF EMERGENCY MANAGEMENT SITES .......................................................10
FEATURES OF SOFTWARE UPDATE SERVICES (SUS) ...........................................10
TOOLS THAT IDENTIFY THE CURRENT PATCH LEVEL OF COMPUTERS .............10
METHODS OF CONTROLLING TRAFFIC THROUGH A FIREWALL...........................11
SECURITY BENEFITS PROVIDED BY IPSEC .............................................................11
DEFAULT SETTINGS FOR IPSEC POLICY..................................................................11
METHODS OF PROTECTING DNS SERVERS ............................................................11
TYPES OF SECURITY IN WIRELESS NETWORKS.....................................................11
TYPES OF 802.1X WIRELESS SECURITY...................................................................12
TYPES OF COMMUNICATION LINKS BETWEEN OFFICES.......................................12
TYPES OF TUNNELING PROTOCOLS ........................................................................12
TOOLS FOR EXTRANET SECURITY ...........................................................................12
CROSS-CERTIFICATION STRATEGIES ......................................................................12
AUTHENTICATION METHODS FOR IIS .......................................................................13
SECURITY FEATURES OF IIS 6.0................................................................................13
TYPES OF GROUPS .....................................................................................................13
GROUP STRATEGIES...................................................................................................14
SHARE PERMISSIONS FOR FOLDERS.......................................................................14
NTFS PERMISSIONS FOR FOLDERS..........................................................................14
NTFS PERMISSIONS FOR FILES.................................................................................14
EFFECTIVE PERMISSIONS WHEN COMBINING NTFS AND SHARED FOLDER PERMISSIONS ...............15
TYPES OF CLIENT AUTHENTICATION .......................................................................15
COMPONENTS OF A REMOTE ACCESS POLICY ......................................................15
FEATURES OF INTERNET AUTHENTICATION SERVICES (IAS) ..............................15
Introduction.............................................................................................................................16
Taking a Certification Exam............................................................................................17
How to Prepare for an Exam ..........................................................................................17
Notes on This Book's Organization ................................................................................18
How This Book Helps You..............................................................................................19
Self-Assessment ....................................................................................................................20
MCSEs in the Real World...............................................................................................20
The Ideal MCSE Candidate............................................................................................20
Put Yourself to the Test ..................................................................................................22
Assessing Readiness for Exam 70-298..........................................................................26
Take the Challenge! .......................................................................................................26
Chapter 1. Creating the Conceptual Design for Network Infrastructure Security ...................27
Analyzing Business Requirements for Designing Security.............................................28
Designing a Framework for Designing and Implementing Security................................35

Analyzing Challenges of Designing Security ..................................................................40
Exam Prep Questions.....................................................................................................45
Chapter 2. Creating the Logical Design for Network Infrastructure Security..........................48
Designing a Public Key Infrastructure (PKI) That Uses Certificate Services..................49
Designing a Logical Authentication Strategy ..................................................................60
Exam Prep Questions.....................................................................................................67
Chapter 3. Designing Strategies for Security Management ...................................................70
Designing Security for Network Management ................................................................71
Designing a Security Update Infrastructure....................................................................83
Exam Prep Questions.....................................................................................................87
Chapter 4. Creating the Physical Design for Network Infrastructure Security........................91
Designing Network Infrastructure Security .....................................................................92
Designing Security for Wireless Networks....................................................................100
Designing Security for Communication Between Networks .........................................102
Designing Security for Communication with External Organizations............................107
Exam Prep Questions...................................................................................................111
Chapter 5. Designing Server-Specific Security ....................................................................115
Designing User Authentication for Internet Information Services .................................116
Designing Security for IIS .............................................................................................122
Designing Security by Server Role...............................................................................129
Exam Prep Questions...................................................................................................133
Chapter 6. Designing an Access Control Strategy for Data .................................................137
Designing an Access Control Strategy for Directory Services......................................138
Designing an Access Control Strategy for Files and Folders .......................................145
Designing an Access Control Strategy for the Registry................................................152
Exam Prep Questions...................................................................................................154
Chapter 7. Creating the Physical Design for Client Infrastructure Security..........................158
Designing a Client Authentication Strategy ..................................................................159
Designing a Security Strategy for Client Remote Access.............................................163
Designing a Strategy for Securing Client Computers ...................................................169
Exam Prep Questions...................................................................................................171
Chapter 8. Practice Exam #1 ...............................................................................................174
Case 1: IntelliSync Inc. .................................................................................................174
Case 2: ComForce .......................................................................................................178
Case 3: GWC Inc..........................................................................................................182
Case 4: PowerTran.......................................................................................................186
Chapter 9. Answer Key to Practice Exam #1 .......................................................................190
Case 1: IntelliSync Inc. .................................................................................................190
Case 2: ComForce .......................................................................................................193
Case 3: GWC Inc..........................................................................................................195
Case 4: PowerTran ......................................................................................................197
Chapter 10. Practice Exam #2 .............................................................................................200
Case 1: AUM Inc. .........................................................................................................200
Case 2: BBF, Inc. .........................................................................................................204
Case 3: SysCon............................................................................................................208
Case 4: DC&H Consulting ............................................................................................212
Chapter 11. Answer Key to Practice Exam #2 .....................................................................216
Case 1: AUM Inc. ......................................................................................................... 216
Case 2: BBF, Inc. .........................................................................................................218
Case 3: SysCon............................................................................................................221
Case 4: DC&H Consulting ............................................................................................223
Appendix A Need to Know More? ........................................................................................ 226
Glossary ...............................................................................................................................227

A Note from Series Editor Ed Tittel

You know better than to trust your certification preparation to just anybody. That's why
you, and more than 2 million others, have purchased an Exam Cram book. As Series
Editor for the new and improved Exam Cram 2 Series, I have worked with the staff at
Que Certification to ensure you won't be disappointed. That's why we've taken the
world's best-selling certification product—a two-time finalist for "Best Study Guide" in
CertCities' reader polls—and made it even better.

As a two-time finalist for the "Favorite Study Guide Author"


award as selected by CertCities readers, I know the value of
good books. You'll be impressed with Que Certification's
stringent review process, which ensures the books are high
quality, relevant, and technically accurate. Rest assured that
several industry experts have reviewed this material,
helping us deliver an excellent solution to your exam
preparation needs.

Exam Cram 2 books also feature a preview edition of PrepLogic's powerful, full-featured
test engine, which is trusted by certification students throughout the world.

As a 20-year-plus veteran of the computing industry and the original creator and editor
of the Exam Cram Series, I've brought my IT experience to bear on these books. During
my tenure at Novell from 1989 to 1994, I worked with and around its excellent education
and certification department. At Novell, I witnessed the growth and development of the
first really big, successful IT certification program—one that was to shape the industry
forever afterward. This experience helped push my writing and teaching activities heavily
in the certification direction. Since then, I've worked on nearly 100 certification related
books, and I write about certification topics for numerous Web sites and for Certification
magazine.

In 1996, while studying for various MCP exams, I became frustrated with the huge,
unwieldy study guides that were the only preparation tools available. As an experienced
IT professional and former instructor, I wanted "nothing but the facts" necessary to
prepare for the exams. From this impetus, Exam Cram emerged: short, focused books
that explain exam topics, detail exam skills and activities, and get IT professionals ready
to take and pass their exams.

In 1997 when Exam Cram debuted, it quickly became the best-selling computer book
series since "...For Dummies," and the best-selling certification book series ever. By
maintaining an intense focus on subject matter, tracking errata and updates quickly, and
following the certification market closely, Exam Cram established the dominant position
in cert prep books.

You will not be disappointed in your decision to purchase this book. If you are, please
contact me at etittel@jump.net. All suggestions, ideas, input, or constructive criticism are
welcome!

About the Author
Bill Ferguson (MCT, MCSE, MCSA, MCP+I, CCSI, CCNA, A+, Network+, Server+,
Security+) has been in the computer industry for more than 15 years. Originally in
technical sales and sales management with Sprint, Bill made his transition to Certified
Technical Trainer in 1997 with ExecuTrain. Bill now runs his own company as an
independent contractor from Birmingham, Alabama, teaching classes for most of the
national training companies and some regional training companies. In addition, Bill writes
and produces technical training videos for Virtual Training Company, Inc. and Specialized
Solutions, Inc. His videos include A+, Network+, Windows 2000 Management, Windows
XP Management, Windows Server 2003 Management, Windows 2000 Security, Server+,
and Interconnecting Cisco Network Devices. Bill keeps his skills sharp by being a
technical reviewer for books and sample tests for Que Certification and McGraw Hill
Technical. He coauthored the 70-299 Exam Cram 2 for Que Publishing and produced a
training video for the 70-296 MCSE Skills Upgrade test for Virtual Training Company. Bill
says, "My job is to understand the material so well that I can make it easier for my
students to learn than it was for me to learn."

Acknowledgments
I'd like to first thank Que Publishing and LANWrights for giving me the opportunity to
write this book. Thanks to Jeff Riley for his continued faith in me as an author. Thanks to
Kim Lindros for helping me keep the project on schedule from beginning to end.

Finally, thanks to all who have encouraged me as a technical instructor and as a Sunday
School teacher and given me the determination to tackle something new. I sincerely
appreciate all of your thoughts and prayers.

—Bill Ferguson

We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We value
your opinion and want to know what we're doing right, what we could do better, what
areas you'd like to see us publish in, and any other words of wisdom you're willing to
pass our way.

As an executive editor for Que Publishing, I welcome your comments. You can email or
write me directly to let me know what you did or didn't like about this book—as well as
what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of this
book. We do have a User Services group, however, where I will forward specific technical
questions related to the book.

When you write, please be sure to include this book's title and author as well as your
name, email address, and phone number. I will carefully review your comments and
share them with the author and editors who worked on the book.

Email: feedback@quepublishing.com
Mail: Jeff Riley
Executive Editor
Que Publishing
800 East 96th Street
Indianapolis, IN 46240 USA

For more information about this book or another Que Publishing title, visit our Web site
at www.examcram2.com. Type the ISBN (excluding hyphens) or the title of a book in the
Search field to find the page you're looking for.

The 70-298 Cram Sheet

This Cram Sheet contains the distilled, key facts about Exam 70-298, Designing Security
for a Microsoft Windows Server 2003 Network. Review this information directly before
you enter the testing center, paying special attention to those areas that you feel need
the most review. You can transfer any of these facts from your head onto the provided
paper immediately before beginning the exam.

TYPES OF SECURITY POLICIES


• Administrative policies— Created and enforced by management
• Technical policies— Enforced by the operating system and its applications
• Physical policies— Enforced by implementing physical controls on the network

KEY PRINCIPLES OF SECURITY DESIGN


• Defense in depth
• Least privilege
• Minimized attack surface
• Security design versus security implementation

TYPES OF DATA
• Public
• Internal
• Confidential
• Secret

COMPONENTS OF A PUBLIC KEY INFRASTRUCTURE
• Digital certificates— The containers for a public key that identify a user and the
resources he can use.
• Public keys— A string of bits that uniquely identifies a user. These can be used
to encrypt data so that only the user can decrypt the data.
• Private keys— A key that is held only by the user. Used to decrypt data that was
encrypted with the public key.

• Key and certificate management tools— The tools, such as the Certificate
Services MMC or the http://localhost/certsrv site, that can be used to
administer and control certificates.
• CA— A trusted entity or service that issues digital certificates. This can be internal
to an organization, or external such as VeriSign.
• Certification publication point— The directory services on an intranet and the
Internet that are used to publish the certificate so that others are aware of it.
• Public key-enabled applications and services— The applications and services
that are set up to automatically recognize and use the public key for
authentication and encryption.
• CRL— A list of certificates that have been revoked before reaching their scheduled
expiration date.

MOST COMMON HIERARCHICAL DESIGNS FOR CERTIFICATION AUTHORITIES
• Geographical— Based on region
• Organizational— Based on the person who manages them
• Functional— Based on the type of certificates that the CA issues

TYPES OF CAS
• Standalone— Does not require AD. A certificate administrator must evaluate
each certificate request.
• Enterprise— Requires AD. Can issue certificates automatically based on
authentication in AD.

TYPES OF ACCOUNT POLICIES


The following account policies are set at the domain level for all computers and users in a
domain:

• Password
• Account Lockout
• Kerberos

TYPES OF TRUSTS
• Implicit— Two-way, transitive trusts between each parent and child domain and
between the roots of trees in a forest; built in to Windows Server 2003 AD and
cannot be removed
• Shortcut— One-way, transitive trust that provides a shorter path for clients to a
resource in the forest; not built in, but can be added and removed by the
enterprise administrator
• External— One-way, nontransitive trust that exists between two domains in two
different forests and can be set up by the domain administrators in each forest
• Forest— Two-way, transitive trust relationship from all of the domains in one
forest to all of the domains in another forest; only available when both forests
are at the Windows Server 2003 functional level

ADMINISTRATIVE TOOLS THAT ENHANCE SECURITY
• Run as command
• Restricted groups
• Security auditing

COMMON AUDIT POLICY SETTINGS

• Audit Account Logon Events: Audits a domain controller's authentication of a logon
from another computer; set on a domain controller
• Audit Account Management: Audits activity that should generally be associated with
administrators, such as creating or renaming users or groups, or changing passwords
• Audit Directory Service Access: Audits objects in AD that have the SACL set for
auditing
• Audit Logon Events: Audits the local logon to a computer regardless of the role of
the computer
• Audit Object Access: Audits the access of resource objects, such as a file, folder,
printer, Registry key, and so on that have the SACL set for auditing
• Audit Policy Change: Audits changes to user rights assignment policies, audit
policies, or trust policies
• Audit Privilege Use: Audits each instance of a user exercising a user right
• Audit Process Tracking: Audits events usually associated with applications rather
than users, such as program activation and handle duplication
• Audit System Events: Audits a user's restarting or shutting down of the system or
any event that affects system security or the security log

ENTERPRISE MANAGEMENT TOOLS


• MMCs— Provide customized "toolboxes" that can be created and shared to
manage servers in multiple locations.
• Remote Desktop Connection— Replaces the Remote Administration mode for
Terminal Services in Windows 2000 Server. Uses RDP.
• Telnet— Provides limited command-line functionality to configure and manage
servers. Passwords are in clear text. Telnet is the least secure of the remote
administration options.

• Remote Assistance— Provides the ability for administrators to assist a user
through this tool at the user's request. This might include taking control of the
mouse and keyboard and downloading or uploading files.

TYPES OF EMERGENCY MANAGEMENT SITES


• Hot site— An alternate location, as part of an organization's DRP, that is up and
running 24/7 with everything needed to keep the network in operational order.
• Warm site— A space with electrical outlets and communications lines that can be
used when a disaster strikes.
• Cold site— A prearranged space to be used when a disaster occurs.

FEATURES OF SOFTWARE UPDATE SERVICES (SUS)
• Built-in security— The administrative pages of SUS are Web-based through IIS
and are restricted to local administrators on the computer that hosts the updates.
• Selective content approval— Updates are first downloaded to the server by
running SUS synchronization. You can approve the updates before they are made
available for download.
• Content synchronization options— You receive the latest critical updates and
service packs from Microsoft through the process of synchronization.
• Server-to-server synchronization— You can point your server to another
server running Microsoft SUS instead of to the Windows Update server.
• Remote administration via HTTP or HTTPS— The SUS administrative interface
is Web-based.
• Update status logging— You can specify the address of a Web server to which
the Automatic Updates client should send statistics about updates that have been
downloaded and installed.

TOOLS THAT IDENTIFY THE CURRENT PATCH LEVEL OF COMPUTERS
• MBSA— A GUI and command-line-based tool that can perform scans for the latest
security patches and many security risks on a single client or multiple clients
• SMS and the SUS feature pack— The Security Update Inventory Tool in SMS
uses the MBSA program to scan all of the clients and servers and then creates a
detailed Web-based inventory report

METHODS OF CONTROLLING TRAFFIC THROUGH A
FIREWALL
• Packet filtering— Reads the packet and makes a decision based on the type of
packet, such as the port number
• Stateful inspection— Reads detailed information about the packet and the
connection, including port number, source address, destination address, and
interface
• Circuit-level filtering— Inspects sessions as opposed to connections or packets;
a session can include multiple connections
• Application filtering— Examines each packet for the type of application to which
it applies; the most advanced type of IP filtering

SECURITY BENEFITS PROVIDED BY IPSEC


• Data integrity
• Data confidentiality
• Data authentication
• Replay protection

DEFAULT SETTINGS FOR IPSEC POLICY


• Server (Request Security)
• Secure Server (Require Security)
• Client (Respond Only)

METHODS OF PROTECTING DNS SERVERS


• Use IPSec between the clients and servers
• Monitor network activity
• Close all unused firewall ports
• Use secure dynamic updates
• Set quotas to limit registration of DNS resource records
• Delegate administration of DNS data
• Consider the use of stub zones and conditional forwarding

TYPES OF SECURITY IN WIRELESS NETWORKS


• Wired Equivalent Privacy (WEP)— The older method of wireless security
included in 802.11; not considered strong by today's standards
• Wi-Fi Protected Access— Produced by the Wi-Fi Alliance to unify and improve
security in wireless networking

TYPES OF 802.1X WIRELESS SECURITY
• 802.1x with Dynamic Encryption Keys— Relies on RADIUS
• 802.1x with EAP-TLS— Provides a certificate-based system
• 802.1x with PEAP— Can use MS-CHAPv2 for user credential authentication

TYPES OF COMMUNICATION LINKS BETWEEN OFFICES
• Leased private lines
• VPN
• DDR

TYPES OF TUNNELING PROTOCOLS


• PPTP— Can only use IP; has inherent MPPE encryption
• L2TP— Allows multiprotocol traffic; can use ESP for encryption

TOOLS FOR EXTRANET SECURITY

• HTTPS— The secure hypertext protocol; uses port 443 and is accessed with the
https:// prefix
• Tunneling protocols, such as PPTP and L2TP
• Certificate-based authentication
• IPSec tunnel mode
• Multiple firewalls to create a perimeter network
• AD

CROSS-CERTIFICATION STRATEGIES
• Basic constraints— Define the certification path length required
• Name constraints— Specify which namespaces are permitted or excluded
• Issuance policies— Define the extent to which your organization trusts the
identity presented in a certificate
• Application policies— Define that a certificate can only be used by a specific
application(s)
• Policy mappings— Equate a policy in one organization to one in another
organization

AUTHENTICATION METHODS FOR IIS
• Anonymous— All users use the same account that is installed with IIS and
named IUSR_computername, where computername is the name of the computer
on which IIS is installed.
• Basic— You should only use this method as a last resort because user credentials
are transferred in clear text.
• Digest— The user is prompted for credentials, which are then transferred
encrypted with an MD5 hash.
• Advanced Digest— This method is similar to Digest, but credentials are locally
stored encrypted with an MD5 hash to prevent brute force attacks.
• Integrated Windows— Credentials are obtained from the access token of a
logged-on user.
• Certificate— Certificates can be mapped to clients with one-to-one or many-to-
one mapping.
• UNC Passthrough— The system compares the metabase of the Web site with
the credentials of the user to determine if there is a match.
• RADIUS— Central authentication is provided through the use of IAS servers.
• .NET Passport— Authentication is provided by a third-party server owned and
managed by Microsoft or one of its partners.

SECURITY FEATURES OF IIS 6.0


• Not installed with the operating system
• Only static content is functional upon installation
• Web Services extensions
• Worker process isolation mode

TYPES OF GROUPS
• Global groups— Created in the AD of one domain but can be placed into Domain
Local groups in any domain or into a Universal group. Global groups can contain
users from the domain in which they are created. They can also contain other
Global groups if the domain is in at least Windows 2000 native mode functional
level.
• Domain Local groups— Created in the AD of one domain and control access to a
resource that is contained in that domain. Domain Local groups can contain users,
but this is not recommended by Microsoft. Instead, Domain Local groups should
contain only Global groups from any domain in an AD forest and Universal groups
if there are some domains that are in at least Windows 2000 native mode
functional level.
• Universal groups— Can only be created on a domain controller that is in at least
Windows 2000 native mode functional level. Universal groups are created in AD
but are not specific to any domain. Universal groups can, therefore, contain
members from any domain and can be used to give access to a resource in any
domain.

GROUP STRATEGIES
• Without Universal groups— A-G-DL-P
• With Universal groups— A-G-U-DL-P

SHARE PERMISSIONS FOR FOLDERS


• Read— Allows a user to see a file or folder, execute the file, or open the folder;
the default permission for any file that is shared in Windows Server 2003
• Change— Allows all of the permissions of Read, but the user can also change or
add to the file or folder and can change the properties of the file or folder
• Full Control— Allows all of the permissions of Change, and the user can also take
ownership of the file or folder and assign other users permission for the file or
folder

NTFS PERMISSIONS FOR FOLDERS


• List Folder Contents— Allows the user to view a folder and the files and folders
within the folder, but the user cannot change the folder or its attributes, or view
the folder's attributes
• Read— Allows the user to view the folder but not the contents of the folder; in
addition, the user cannot change the folder or its properties
• Read & Execute— Allows all of the same permissions as Read, and the user can
view the folder's contents
• Write— Allows all of the same permissions as Read & Execute, and the user can
add files or folders to the folder
• Modify— Allows all of the permissions of Write, and the user can delete the folder
• Full Control— Allows all of the permissions of Modify, and the user can take
ownership of the folder and assign other users permission to the folder

NTFS PERMISSIONS FOR FILES


• Read— A user can view the file but cannot change, delete, or execute the file.
• Read & Execute— A user can view the file and double-click the file to execute it.
A user cannot change or delete the file.
• Write— A user can view, execute, and change a file and its properties. The user
cannot delete the file.
• Modify— A user has all of the same permissions as Write, and the user can delete
the file.
• Full Control— A user has all of the same permissions as Modify, and the user can
take ownership of the file and assign permissions to other users.

THREE-STEP METHOD FOR DETERMINING EFFECTIVE PERMISSIONS WHEN
COMBINING NTFS AND SHARED FOLDER PERMISSIONS
1. Combine all of the share permissions.
2. Combine all of the NTFS permissions.
3. Take the more restrictive of the two combinations.
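
The three steps above can be checked mechanically. The following is an added example (not code from the book): each permission level is modelled as a set of atomic rights, so that "combine" is a set union and "take the more restrictive" is a set intersection. The right names, the mapping from level to rights, the group names and the sample ACLs are all constructed for the illustration; the cram sheet's cumulative wording ("allows all of the permissions of ... and ...") is what the ladders follow. Explicit NTFS Deny entries are outside the three-step rule and are not modelled.

```python
"""Effective-permission calculator for the share + NTFS three-step rule.

Added example, not from the book. Permission levels are modelled as sets of
atomic rights (an assumed simplification): combining allow entries is a set
union, and the more restrictive of the two combinations is a set intersection.
Explicit Deny entries are not modelled.
"""
from typing import Dict, Iterable, List, Set

# Cumulative ladders as the cram sheet describes them (assumed mapping).
READ: Set[str] = {"read", "execute"}
CHANGE: Set[str] = READ | {"write", "delete"}
FULL: Set[str] = CHANGE | {"take_ownership", "change_permissions"}

SHARE_LEVELS: Dict[str, Set[str]] = {
    "Read": READ,
    "Change": CHANGE,
    "Full Control": FULL,
}

NTFS_FILE_LEVELS: Dict[str, Set[str]] = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"read", "execute", "write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": FULL,
}


def combine(levels: Iterable[str], table: Dict[str, Set[str]]) -> Set[str]:
    """Steps 1 and 2: union of every allow entry that applies to the user."""
    rights: Set[str] = set()
    for level in levels:
        rights |= table[level]
    return rights


def effective_rights(share_levels: Iterable[str], ntfs_levels: Iterable[str]) -> Set[str]:
    """Step 3: the more restrictive of the two combinations (intersection)."""
    return combine(share_levels, SHARE_LEVELS) & combine(ntfs_levels, NTFS_FILE_LEVELS)


def name_level(rights: Set[str]) -> str:
    """Map a rights set back to the NTFS level it equals, or spell the rights out."""
    for name, level_rights in NTFS_FILE_LEVELS.items():
        if rights == level_rights:
            return name
    if not rights:
        return "No access"
    return "custom: " + ", ".join(sorted(rights))


def levels_for_user(user_groups: List[str], acl: Dict[str, str]) -> List[str]:
    """Select the ACL entries that reach the user through group membership (A-G-DL-P)."""
    return [acl[group] for group in user_groups if group in acl]


def effective_for_user(user_groups: List[str], share_acl: Dict[str, str],
                       ntfs_acl: Dict[str, str]) -> str:
    """Full three-step evaluation for one user on one shared file."""
    return name_level(effective_rights(levels_for_user(user_groups, share_acl),
                                       levels_for_user(user_groups, ntfs_acl)))


# Constructed sample ACLs: group name -> permission level on the same file.
SAMPLE_SHARE_ACL: Dict[str, str] = {"Everyone": "Read", "Sales-DL": "Change"}
SAMPLE_NTFS_ACL: Dict[str, str] = {"Sales-DL": "Read & Execute", "Managers-DL": "Full Control"}

if __name__ == "__main__":
    for user, groups in {
        "alice": ["Everyone", "Sales-DL", "Managers-DL"],  # share Change, NTFS Full -> Modify
        "bob": ["Everyone", "Sales-DL"],                   # share Change, NTFS R&X  -> Read & Execute
        "carol": ["Everyone"],                             # share Read, no NTFS allow -> No access
        "dave": ["Everyone", "Managers-DL"],               # share Read caps NTFS Full -> Read & Execute
    }.items():
        print(user, "->", effective_for_user(groups, SAMPLE_SHARE_ACL, SAMPLE_NTFS_ACL))
```

The "dave" case is the one the exam likes: Full Control on NTFS is capped to read and execute by the default Read share permission, and "carol" shows that a share permission alone grants nothing when no NTFS allow entry reaches the user.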

TYPES OF CLIENT AUTHENTICATION

• LM— Used only with Windows 95, Windows 98, and Windows Me clients
• NTLM— Developed by Microsoft for Windows NT 4.0 workstations and servers;
considered to be a much stronger protocol than LM for security purposes
• NTLMv2— Used with Windows NT 4.0 Workstation clients with SP4 or higher to
provide for greater security and protect against brute force attacks against the
server
• Kerberos— Used by Windows Server 2003, Windows 2000, and Windows XP
clients as the default authentication protocol

COMPONENTS OF A REMOTE ACCESS POLICY

• Conditions— Attributes of a policy that must be met to successfully initiate a
connection
• Permissions— AD permissions of each user for a connection
• Profile— Attributes of a policy that must be met to successfully initiate a
connection and must continue to be met to sustain the connection
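
The three components above are applied in a fixed order by RRAS and IAS on Windows Server 2003: the conditions select the first matching policy, the permission (the account's dial-in setting first, then the policy's Grant or Deny) decides whether access is allowed, and the profile constrains the connection. The following simulation of that evaluation is an added example, not code from the book; the policy names, condition attributes, profile settings and user accounts are constructed.

```python
"""Simulation of Windows Server 2003 remote access policy evaluation.

Added example, not from the book. Order of evaluation (RRAS/IAS):
  1. Conditions  - first policy whose conditions all match is selected
  2. Permission  - AD dial-in Allow/Deny wins; "policy" defers to the policy
  3. Profile     - constraints that must hold to start (and keep) the connection
All names, attributes and constraints below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Policy:
    name: str
    conditions: Dict[str, object]          # every attribute must match the attempt
    grant: bool                            # policy-level Grant (True) / Deny (False)
    profile: Dict[str, object] = field(default_factory=dict)


@dataclass
class Attempt:
    user: str
    dial_in: str                           # AD account setting: "allow", "deny" or "policy"
    attributes: Dict[str, object]          # e.g. group, tunnel type, auth method


def first_matching_policy(policies: List[Policy], attempt: Attempt) -> Optional[Policy]:
    """Conditions: policies are tried in order; the first full match is used."""
    for policy in policies:
        if all(attempt.attributes.get(k) == v for k, v in policy.conditions.items()):
            return policy
    return None


def permission_granted(policy: Policy, attempt: Attempt) -> bool:
    """Permission: an explicit Allow/Deny on the account overrides the policy."""
    if attempt.dial_in == "allow":
        return True
    if attempt.dial_in == "deny":
        return False
    return policy.grant                    # "Control access through Remote Access Policy"


def profile_satisfied(policy: Policy, attempt: Attempt) -> bool:
    """Profile: reject when the attempt violates a constraint of the chosen policy."""
    allowed_auth = policy.profile.get("auth_methods")
    if allowed_auth and attempt.attributes.get("auth") not in allowed_auth:
        return False
    max_minutes = policy.profile.get("max_session_minutes")
    if max_minutes is not None and attempt.attributes.get("session_minutes", 0) > max_minutes:
        return False
    return True


def evaluate(policies: List[Policy], attempt: Attempt) -> str:
    """Run the three components in order and report the outcome."""
    policy = first_matching_policy(policies, attempt)
    if policy is None:
        return "rejected: no policy matched"          # no match means no access
    if not permission_granted(policy, attempt):
        return f"rejected: permission denied by {policy.name}"
    if not profile_satisfied(policy, attempt):
        return f"rejected: profile constraint in {policy.name}"
    return f"accepted by {policy.name}"


# Constructed sample policies, in evaluation order.
SAMPLE_POLICIES: List[Policy] = [
    Policy("VPN-Admins", {"group": "VPN-Admins", "tunnel": "L2TP"}, True,
           {"auth_methods": {"MS-CHAPv2", "EAP-TLS"}, "max_session_minutes": 480}),
    Policy("VPN-Staff", {"group": "VPN-Users"}, True,
           {"auth_methods": {"MS-CHAPv2"}, "max_session_minutes": 120}),
    Policy("Deny-everyone-else", {}, False),          # empty conditions match everything
]

if __name__ == "__main__":
    for attempt in [
        Attempt("alice", "policy", {"group": "VPN-Admins", "tunnel": "L2TP",
                                    "auth": "EAP-TLS", "session_minutes": 60}),
        Attempt("bob", "policy", {"group": "VPN-Users", "auth": "PAP"}),
        Attempt("carol", "allow", {"group": "Contractors", "auth": "PAP"}),
        Attempt("dave", "deny", {"group": "VPN-Users", "auth": "MS-CHAPv2"}),
    ]:
        print(attempt.user, "->", evaluate(SAMPLE_POLICIES, attempt))
```

The "carol" case is the edge worth noticing: an account set to Allow access is accepted by the catch-all policy even though that policy is set to Deny, which is why leaving accounts on "Control access through Remote Access Policy" keeps the decision in the policies where it can be audited centrally.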

FEATURES OF INTERNET AUTHENTICATION SERVICE (IAS)

• IAS uses the RADIUS protocol.
• IAS can centralize authentication and accounting.
• Remote access servers become clients of IAS servers.

Introduction
Welcome to the Exam Cram 2 series. The purpose of this book is to prepare you to take
Microsoft certification exam 70-298, "Designing Security for a Microsoft Windows Server
2003 Network."

Books in the Exam Cram 2 series are designed to help you understand the material you
will encounter on the exam. The purpose of this series is to cover the topics you are
likely to encounter on the exams, but the books do not teach you everything you need to
know about a topic. This book contains as much information as possible about the 70-
298 exam.

This book begins by providing useful information about how to prepare for the exam and
what to expect on your exam day. To begin, we recommend that you take the self-
assessment included in the book. This will help you to evaluate your current knowledge
base against what is required for a Microsoft Certified Systems Engineer (MCSE)
candidate. Then, you can determine where your training should begin, which may include
some classroom training or reading one of the several study guides available.

We also strongly recommend that you gain some hands-on experience with the
technologies being covered on the exam. Again, this may be through classroom training
or by installing and configuring the software on a home system. In any case, nothing
beats hands-on experience when it comes to learning essential exam topics.

Passing this exam can earn you credit toward the following certifications:

• Microsoft Certified Systems Engineer (MCSE)— This is one of the core exams
required to obtain MCSE status.
• Microsoft Certified Systems Engineer (MCSE): Security on Microsoft
Windows Server 2003— This is one of the core exams required to obtain MCSE:
Security on Windows Server 2003 status.

Taking a Certification Exam
This section provides information on exam pricing and registration processes. Keep in
mind that Que Publishing is a sister company to Virtual University Enterprise (VUE)
Testing. Be sure to check with us at www.examcram2.com for any discount test vouchers
that might be available exclusively to Exam Cram 2 readers. This can be an added bonus
for your book.

After you've fully prepared for an exam and feel that you are ready for the next step,
you'll need to register with a testing center to take the exam. To do so, contact either
Prometric or VUE using the following information:

• Prometric— You can register for an exam online at www.prometric.com. You can
also register by phone at 1-800-775-3926 (within the United States and Canada).
If outside these two countries, call 1-410-843-8000.
• Virtual University Enterprise (VUE)— You can register online at www.vue.com
or call a local testing center. Testing centers local to your region can also be
located on the Web site.

You can register for an exam by contacting either of the parties just listed. You must
register at least one day in advance and any cancellations must be made by 7:00 a.m.
the day before you are scheduled to take the exam.

To make the registration process go more smoothly, be certain to have the following
required information handy:

• Your name, organization, and mailing address.
• Microsoft Test I.D. In the United States, this is your Social Security number. In
Canada, this is your Social Insurance number.
• The specific number of the exam you want to take.
• A method of payment. Credit card is usually the easiest method, although other
arrangements can be made.

After you register, you will be given the date, time, and location of where you are to take
the exam.

How to Prepare for an Exam

All Microsoft exams have a set of objectives outlining the topics you need to understand
to achieve exam success. This is a good place to start to give yourself a general idea of
the topics you can expect to encounter and for which you should obtain study material.

An abundance of resources are available both online and in print that can be used to
prepare for an exam. The Microsoft Web site is a good source of information pertaining to
both the exam itself and for in-depth coverage of exam topics. Due to the popularity of
the MCSE certification, a number of printed study guides and online resources are also
available. Some of the resources you may find useful include

• The Windows Server 2003 product CD has one of the best resources you can use
when preparing for an exam—the Help included with the operating system. It
usually covers different aspects of all the technologies included with the operating
system.

• The Microsoft Training and Certification Web site at
www.microsoft.com/traincert/default.asp provides links to exam resources and
outlines how an individual should prepare for an exam.
• The Exam Cram 2 Web site at www.examcram2.com provides an abundance of
information about certification exams and how to prepare for them.
• The Microsoft Training Kits are also a great source of information. Microsoft Press
publishes study guides for the different certification exams, including exam 70-
298. You can find more information about the training kits at
www.mspress.microsoft.com/findabook/list/series_ak.htm.
• Microsoft TechNet is a monthly publication that provides information on the latest
technologies and topics, some of which pertain to the exam topics covered in
exam 70-298.
• Classroom training is offered by many companies that design courses to prepare
students to pass the various exams.
• The Exam Cram 2 series has always been a popular resource for exam
preparation.

Notes on This Book's Organization

This section highlights the different elements and pieces that can be found in your Exam
Cram 2. Items such as Exam Alerts, Tips, Notes, practice questions, and so on are
explained here:

• Terms you'll need to understand— Each chapter begins with a list of terms
that you must learn and understand to fully grasp the content being covered;
each of these terms is defined in the Glossary.
• Techniques you'll need to master— Following the important terms is a list of
concepts/tools/techniques that need to be understood before attempting to
challenge the exam.
• Chapter content— The introductory paragraph alerts you to the topics that are
covered throughout the chapter. Following this, a number of topics relating to the
chapter title are covered in detail.
• Exam Alerts— Concepts and topics that are likely to appear on the exam are
highlighted in a special layout known as an Exam Alert. An Exam Alert appears
within the chapter content like this:

Exam Alerts are included in each chapter to point your attention to a
particular concept or topic that you are likely to encounter on the
exam. As you are working through the chapter, be certain to pay
close attention to the topics addressed in the alerts. Exam Alerts can
also be a good way to refresh your memory with important
information right before taking the exam, although this information is
usually included in the Cram Sheet.

• This is not to say that the general content within a chapter is not important—it is.
However, the Exam Alerts flag the information that is more likely to appear in an
exam question.
• Tips and Notes— Throughout a chapter, you may also find information
highlighted in the special layouts of Tips and Notes. The layout and purpose of
each is as follows:

Tips are designed to give the reader some added piece of information
pertaining to a topic being covered, such as an alternative or more
efficient way of performing a certain task.

Notes are designed to alert you to a piece of information related to the
topic being discussed.

• Exam prep questions and answers— At the end of each chapter, a series of 10
questions are designed to test your understanding of the topics covered
throughout the chapter. Detailed explanations are provided for each of the 10
questions, explaining both the correct and incorrect answers.

Other elements of the book worth mentioning are the Practice Exams and Answer Keys
found in Chapters 8 through 11. These questions cover all of the topics covered
throughout the book. The questions can be used for review purposes and to determine
exam readiness.

In addition, you'll find a glossary of key terms used throughout the book and an appendix
listing additional resources that you may find valuable.

Last but not least, mention must be made about the Cram Sheet included with this book.
The Cram Sheet distills all the important facts and topics covered and summarizes them
in a few short pages. These are the facts that we feel should be memorized for the exam.
The Cram Sheet is the last thing you should review before taking the exam. When you
enter the exam room, the first thing you should do is write down these important facts
on the piece of paper provided.

How This Book Helps You

The topics in this book have been structured around the objectives outlined by Microsoft
for exam 70-298. This ensures you are familiar with the topics that you'll encounter on
the exam.

Some of the topics covered later in the book might require an understanding of topics
covered in earlier chapters. Therefore, it's recommended that you read the book from
start to finish for your initial reading. When it comes time to brush up or to review
certain topics, you can always use the index to go directly to specific sections while
omitting others.

In preparing for exam 70-298, we think you'll find this book a very useful reference to
some of the most important topics and concepts of Designing Security for a Microsoft
Windows Server 2003 Network. It prepares you for the exam day by outlining what you
can expect. It covers all the important topics you can expect to find on the exam. Also, it
provides many sample exam questions to help you evaluate exam readiness and
understanding of the material as well as to familiarize yourself with the Microsoft testing
format.

Self-Assessment
The reason we include a self-assessment in this Exam Cram 2 book is to help you
evaluate your readiness to tackle MCSE certification. It should also help you to
understand what you need to know to master the main topic of this book—namely, exam
70-298 "Designing Security for a Microsoft Windows Server 2003 Network." Before you
tackle this self-assessment, let's talk about concerns you might face when pursuing an
MCSE credential on Windows Server 2003, and what an ideal MCSE candidate might look
like.

MCSEs in the Real World

In the next section, we describe the ideal MCSE candidate. Keep in mind that only a few
real candidates will meet that ideal. In fact, our description of ideal candidates might
seem a bit intimidating, especially with the changes that have been made to the
Microsoft Certified Professional program to support Windows Server 2003 and Windows
XP. But take heart—although the requirements to obtain MCSE certification might seem
difficult, they are by no means impossible to attain. However, you need to be keenly
aware that getting through the process takes time, involves some expense, and requires
genuine effort.

Increasing numbers of people are achieving Microsoft certifications. You can get all the
real-world motivation you need from knowing that many others have gone before you,
allowing you to follow in their footsteps. If you're willing to tackle the process seriously
and do what it takes to obtain the necessary experience and knowledge, you can take—
and pass—all the certification tests involved in obtaining the MCSE credential. In fact, at
Que Publishing, we've designed the Exam Cram 2 series and the MCSE Training Guide
series to make it as easy for you as possible to prepare for these exams. We've also
greatly expanded our Web site, www.examcram2.com, to provide a host of resources to
help you prepare for the complexities of Windows Server 2003 and Windows XP.

The Ideal MCSE Candidate

To give you an idea of what an ideal MCSE candidate is like, here are some relevant
statistics about the background and experience such an individual might have:

Don't worry if you don't meet these qualifications exactly or come
extremely close—this world is far from ideal, and in the areas in which
you fall short, it simply means these are the areas in which you have
more work to do.

• Academic or professional training in network theory, concepts, and operations,
including everything from networking media and transmission techniques through
network operating systems, services, and applications.
• Two or more years of professional networking experience, including familiarity
with Ethernet, remote access, wireless, and various other networking media
types. This must include installation, configuration, upgrade, and troubleshooting
experience.

The Windows Server 2003 MCSE program is similar to the Windows
2000 Server certification program, yet a bit more rigorous and
definitely more interactive than the Windows NT certification
program—you really need some hands-on experience if you want to
become certified. Some of the exams require you to solve real-world
case studies as well as security and network design issues, so the
more hands-on experience you have, the better.

• Two or more years in a networked environment that includes hands-on experience
with Windows Server 2003, Windows 2000 Server, Windows 2000/XP
Professional, and Windows NT 4.0 Server, Windows NT 4.0 Workstation, Windows
98, or Windows 95. A solid understanding of each system's architecture,
installation, configuration, maintenance, and troubleshooting is also essential.
• In-depth knowledge of the various methods for installing Windows Server 2003,
Windows XP, and Windows 2000 operating systems, including manual and
unattended installations.
• A thorough understanding of name resolution, networking protocols, and
addressing, specifically, the following: TCP/IP, IPX/SPX, and NetBEUI.
• A comprehensive understanding of users, groups, naming conventions, browsing,
and file and print services.
• Familiarity with key Windows Server 2003– and Windows 2000 Server–based
TCP/IP utilities and services, including HTTP, DHCP, WINS, and DNS, plus
familiarity with all of the following: Internet Information Services (IIS), Internet
Protocol Security (IPSec), Routing and Remote Access Services (RRAS), Internet
Security and Acceleration Server (ISA), Internet Authentication Service (IAS), and
Terminal Services.
• An understanding of how to implement security for key network data in a
Windows Server 2003 and a Windows 2000 Server environment, including smart
cards, Certificate Services, and Public Key Infrastructure (PKI).
• A basic understanding of NetWare and Unix operating systems and how to
integrate both with a Windows 2003 network.
• A solid operational understanding of Active Directory. The more you work with
Windows Server 2003 or Windows 2000 Server, the more you'll realize that as
technology has evolved, so have Microsoft operating systems, and with the
introduction of Active Directory, configuration is very different from what it was in
Windows NT. We recommend that you find out as much as you can about Active
Directory and acquire as much experience using this technology as possible. The
time you take learning about Active Directory is essential to understanding how
the operating system works.

The Windows Server 2003 MCSE program allows for specialization in
either messaging or security. Should you be interested in either of
these, you can visit the Microsoft Web site to determine the specific
areas on which you should concentrate.

These qualifications amount to a bachelor's degree in information systems or computer
science plus three years' work experience in PC networking design, installation,
administration, and troubleshooting. We believe that well under half of all certification
candidates meet these requirements. In fact, most meet less than half of these
requirements when they begin the certification process. Everyone who has already been
certified survived this ordeal, and you can too. All you have to do is heed what this Self-
Assessment chapter tells you about what you already know and what topics you need to
learn.

Put Yourself to the Test
The following series of questions and observations is designed to help you determine how
much work you must do to pursue Microsoft certification and what kinds of resources you
may consult on your quest. Be brutally honest in your answers because otherwise you'll
end up wasting time and money on exams that you're not yet ready to take. There are
no right or wrong answers; these are simply steps along the way to certification. Only
you can decide where you really belong in the broad range of hopeful candidates. Two
things should be clear from the beginning, however:

• Even a modest background in networking technologies or information systems is
helpful.
• Hands-on installation and administration experience with Microsoft products and
technologies is an essential ingredient in certification success.

Educational Background
The following questions assess your educational background. Depending upon your
answers, you might need to review some additional resources to get yourself up to speed
for the types of questions that you will encounter on Microsoft certification exams.

1. Have you ever taken any computer-related classes? [Yes or No]

If Yes, proceed to Question 2; if No, proceed to Question 3.

2. Have you taken any classes on computer operating systems? [Yes or No]

If Yes, you will probably be able to handle the Microsoft architecture and system
component discussions. If you're rusty, brush up on basic operating system
concepts, especially virtual memory, multitasking regimes, user-mode versus
kernel-mode operation, and general computer security topics.

If No, consider doing some basic reading in this area. We strongly recommend a
good general operating systems book, such as Operating System Concepts by
Abraham Silberschatz and Peter Baer Galvin (John Wiley & Sons). If this book
doesn't appeal to you, check out reviews for other, similar books at your favorite
online bookstore.

3. Have you taken any networking concepts or technologies classes? [Yes or No]

If Yes, you will probably be able to handle the Microsoft networking terminology,
concepts, and technologies (brace yourself for frequent departures from normal
usage). If you're rusty, brush up on basic networking concepts and terminology,
especially networking media, transmission types, the OSI reference model, and
networking technologies, such as Ethernet, wide area network (WAN) links, and
wireless technologies.

If No, you might want to read one or two books in this topic area. The two best
books that we know of are Computer Networks by Andrew S. Tanenbaum
(Prentice-Hall) and Computer Networks and Internets by Douglas E. Comer and
Ralph E. Droms (Prentice-Hall).

For those of you specifically interested in security issues and Internet-related
topics, consider Practical Unix and Internet Security by Garfinkel, Spafford, and
Schwartz (O'Reilly) and Network Security Essentials by William Stallings
(Prentice-Hall). Both books offer a comprehensive view of security even though they
are discussed in the context of the Unix environment.

Hands-on Experience
The most important key to success on all the Microsoft exams is hands-on experience,
especially when it comes to Windows Server 2003, Windows 2000, Windows XP, and the
many services and components around which many of the Microsoft certification exams
are centered. If we leave you with only one insight after you take this self-assessment, it
should be that there's no substitute for time spent installing, configuring, and using the
various Microsoft products on which you'll be tested. The more in-depth understanding
you have of how these software products work, the better your chance in selecting the
correct answers on the exam.

1. Have you installed, configured, and worked with the following:

o Windows Server 2003? [Yes or No]

If Yes, make certain you understand basic concepts as covered in exams
70-290 and 70-291. You also need to study the TCP/IP interfaces, utilities,
and services for exam 70-293.

If No, you must obtain one or two machines and a copy of Windows Server
2003. A trial version can be downloaded or a CD-ROM ordered on the
Microsoft Web site. Then, you need to learn about the operating system
and any other software components on which you'll be tested by installing
the operating system and practicing the objectives specified in the exam
preparation guide. In fact, it is a good idea to have two computers, each
with a network interface, that can be used to set up a small network on
which to practice. This practice network can be invaluable when it comes to
learning the skills necessary to pass the exams. With decent Windows
Server 2003–capable new computers selling for about $500 to $600 each
these days and used ones available for less, this shouldn't be too much of
a financial hardship. If you search the Microsoft Web site, you can usually
find low-cost options to obtain evaluation copies of most of the software
that you'll need.

o Windows 2000 Server? [Yes or No]

If Yes, make certain you understand the concepts covered in exams 70-
215, 70-216, and 70-220.

If No, consider acquiring a copy of Windows 2000 Server and learn how to
install, configure, and administer it. To learn about the operating system
and other software components, you can either use the objectives specified
in the exam preparation guide or purchase a well-written book to direct
you in your studies such as MCSE Windows 2000 Server Exam Cram 2.

You can download objectives, practice exams, and other data about
Microsoft exams from the Training and Certification page at
www.microsoft.com/learning/mcpexams/prepare/default.asp. You can
use the links to obtain specific exam, reference, or training
information.

o Windows XP/2000 Professional? [Yes or No]

If Yes, make certain you understand the concepts covered in exams 70-
270 and 70-210.

If No, obtain a copy of Windows XP and Windows 2000 Professional and
learn how to install, configure, and maintain each system. Practice the
exam objectives relating to client systems or purchase a well-written book
to guide your activities and studies such as MCSE Windows XP Professional
Exam Cram 2.

Use One Computer to Simulate Multiple Machines

If you own a computer that has plenty of available disk space, lots of RAM, and
at least a Pentium 4-compatible processor, you may want to consider VMware
or Virtual PC. These software programs create an emulated computer
environment within separate windows that are hosted by your computer's main
operating system. You can have several different operating systems, such as
Windows Server 2003, Windows XP, and Windows 2000, running simultaneously
in different windows on a single computer. VMware is published by VMware, Inc.
More information is available on their Web site at www.vmware.com. Virtual PC
is published by Connectix Corporation. Microsoft acquired Connectix Corp.'s
Virtual PC products in early 2003.

For any and all of these Microsoft operating systems exams, the
Resource Kits for the topics involved always make good study
resources. You can purchase the Resource Kits from Microsoft Press
(you can search for them at http://microsoft.com/mspress), but they
also appear on the TechNet CDs, DVDs, and Web site
(www.microsoft.com/technet/default.mspx). Along with the Exam
Cram 2 books, we believe that the Resource Kits are among the best
tools you can use to prepare for Microsoft exams.

2. For any specific Microsoft product that is not itself an operating system, such as
SQL Server, Exchange Server, or IIS, have you installed, configured, used, and
upgraded this software? [Yes or No]

If Yes, skip to the next section, "Testing Your Exam-Readiness." If No, you must
get some experience. Read on for suggestions about how to do this.

Experience is a must with any Microsoft product exam, be it something as simple
as FrontPage 2002 or as challenging as Exchange Server 2003. For trial copies of
other software, you can search the Microsoft Web site using the name of the
product as your search term. Also, you can search for bundles such as
"BackOffice," "Enterprise Servers," "Windows Server System," or "Small Business
Server."

If you have the funds, or if your employer is willing to pay your way,
consider taking a class at a Microsoft Certified Technical Education
Center (CTEC) or a Microsoft IT Academy. In addition to classroom
exposure to the topic of your choice, you might receive a copy of the
software that is the focus of your course, along with a trial version of
whatever operating system it needs, as part of the training materials
for that class.

Before you even think about taking any Microsoft exam, make sure you've spent
enough time with the related software to understand how it can be installed and
configured, how to maintain such an installation, and how to troubleshoot the
software when things go wrong. This will help you in the exam—and in real life!

Testing Your Exam-Readiness
Whether you attend a formal class on a specific topic to get ready for an exam or use
written materials to study on your own, some preparation for the Microsoft certification
exams is essential. The cost is $125 per exam, whether you pass or fail, so you'll want to
do everything you can to pass on your first try. That's where studying comes in.

We have included two practice exams in this book. If you don't score very well on these
exams, you can study a bit more and then take the practice exams again. Keep in mind
that practice exams are designed to measure your skills in the areas that are tested on
the exam. Even if you get a 100% on the practice exams, it is not a guarantee that you
will pass the real exam. The more you practice, the better you get.

Be careful not to memorize the answers. This can trip you up on the
actual exam. You need to know the theory behind why the answer is
correct.

We also have practice questions that you can sign up for online through our Crammers
Club at www.examcram2.com. The PrepLogic CD-ROM included with this book has
sample questions and you might be able to download demos or purchase additional
questions for your exams at www.preplogic.com. If you still don't score at least 70%
after practicing with these exams or if it takes many tries to achieve a good score, it
might be time to investigate some of the other practice exam resources that are
mentioned in this section.

For any given subject, you should consider taking a class if you've reviewed the self-
study materials, taken the exam, and failed anyway. The opportunity to interact with an
instructor and fellow students can make all the difference in the world. For information
about Microsoft classes, visit the Training and Certification page at
www.microsoft.com/traincert/training/find/findcourse.asp to locate the nearest Microsoft
CTEC that offers courses in which you are interested.

If you can't afford to take a class, you should still visit the Training and Certification
pages because they include pointers to free practice exams, approved study guides, and
other self-study tools. In addition, you should consider investing in some low-cost
practice exams from commercial vendors. The Microsoft Training and Certification
"Assess Your Readiness" page at www.microsoft.com/learning/assessment/default.asp
offers several skills assessment evaluations that you can take online to show you how far
along you are in your certification preparation.

The next question deals with your personal testing experience:

1. Have you taken a practice exam on your chosen test subject? [Yes or No]

If Yes, and if you scored 70% or better, you're probably ready to tackle the real
thing. If your score isn't above that threshold, you should keep at it until you can
easily take the exam with a good passing score.

If No, you should obtain all the free and low-budget practice exams you can find
and get to work. You should keep at it until you can break the passing threshold
comfortably.

When it comes to assessing your test-readiness, there is no better
way than to take a good-quality practice exam and pass with a score
of 70% or better. When we're preparing ourselves, we shoot for 80%
or higher, just to leave room for the "obscurity factor" that sometimes
shows up on Microsoft exams.

Assessing Readiness for Exam 70-298

In addition to the general exam-readiness information in the previous section, you can do
several other things to prepare for exam 70-298. As you're getting ready for the exam,
you should visit the Exam Cram 2 Web site at www.examcram2.com.

We also suggest that you join an active MCSE/MCSA email list or email newsletter that is
relevant to the exam. For example, Sunbelt Software has a weekly e-zine pertaining to
Windows news. You can sign up at www.sunbelt-software.com. You can also find
security-specific mailing lists managed by www.ntbugtraq.com or newsletters and articles
at www.sans.org.

Microsoft exam mavens also recommend that you check the Microsoft Knowledge Base,
which is available on its own CD as part of the TechNet collection or on the Microsoft Web
site, at http://support.microsoft.com. The knowledge base offers information that may
pertain to technical support issues that relate to your exam's topics. These articles are a
result of real-life situations and resolutions for Microsoft products.

Take the Challenge!

After you've assessed your readiness, done the right background studies, obtained the
proper hands-on experience, and reviewed various sources of information to help you
prepare for an exam, you'll be ready for a round of practice exams. When your scores
are high enough to get you through the exam, you're ready to go after the real thing. If
you follow our assessment regime, you'll not only know what you need to study, but
you'll also know when you're ready to set a test date at Prometric (www.prometric.com)
or Pearson VUE (www.vue.com). Good luck!

Chapter 1. Creating the Conceptual Design for Network Infrastructure Security
Terms you'll need to understand:

• Security policies
• Defense in depth
• Least privilege
• Attack surface
• Microsoft Solutions Framework (MSF)
• Security design team

Techniques you'll need to master:

• Analyzing business requirements for designing security
• Designing a framework for designing and implementing security
• Analyzing challenges of designing security

The main reason that people create computer networks is to share information. Today's
networks use highly efficient routers, switches, and servers to relay information around
the world at the speed of light. These systems offer a flexibility of information exchange
that continues to grow and improve. Most companies cannot survive without their
computer networks and the valuable information that the networks contain. Because of
this, companies spend millions of dollars and thousands of man-hours securing this
valuable resource.

In this chapter, we discuss the process of creating the conceptual design to secure a
computer network. In later chapters, we discuss the tools that Microsoft Windows Server
2003 provides; however, in this chapter we focus on the process of securing any
network, regardless of the operating systems used. In particular, we focus on analyzing
business requirements and designing a framework for security within known technical
constraints. After we understand the challenges, we will be better able to understand the
solutions that are provided by Microsoft Windows Server 2003 security features.

Analyzing Business Requirements for Designing Security
You need to create a balance between the security used on a network and the resources
required to implement, enforce, and maintain that security. You also need to consider
that every additional security measure could have consequences in regard to the
interoperability of computers on the network. For this reason, you must give careful
consideration to all security measures and make certain that the security used is
appropriate for the sensitivity of the data that is being transferred.

Every network is unique and different; therefore, you must understand the needs of a
particular network before you can design its security. You need to consider many factors
when creating a conceptual design for security on a network. The most important factors,
as identified by Microsoft, are

• Security policies
• Organizational requirements
• Security of data
• Security of the network

We now discuss each of these factors and their effect on the conceptual design of our
network infrastructure.

Security Policies
Every organization should have a set of written security policies that govern what can
and cannot be done on its computer network. You need to make certain that these
policies are easy to understand and yet comprehensive enough to cover all types of
security. You should distribute this document to all users and ensure that it is read and
understood by everyone that uses the network. You must also have the users sign that
they have read and understood the document. You may also want to have a separate,
more detailed, document for network administrators.

In addition to the software that you use and the way that you design your network, you
can also apply security policies. There are three general types of security policies of
which you should be aware. These are determined based on their primary method of
enforcement and include

• Administrative policies
• Technical policies
• Physical policies

We now briefly discuss each type of policy and its effect on the analysis of business
requirements for designing security.

Administrative Policies

Administrative policies are enforced by management. These policies cannot be enforced
by the operating system or by any method of automation. They include legal documents,
such as nondisclosure agreements to protect your data. The successful implementation of
these types of policies depends on communication, training of users, and enforcement of
the rules they contain. Users will be able to sense how serious management is about
these policies by the way they are presented.

Technical Policies

Technical policies are enforced by the operating system and its applications. Technical
policies include security templates, which control the actions of users and computers
throughout the network. Security templates can also be applied to only certain groups of
users for more granular control over security. The successful implementation of these
policies depends on the training level of the network administrators and the capability of
the operating system to distribute and control the settings.

Technical policies are enforced by the operating system and its applications.

Physical Policies

Physical policies are enforced by implementing physical controls on the network. This
might include ensuring that all servers are kept behind locked doors and that all access
to the server room is controlled and monitored. Other physical policies might include the
use of smart cards to gain access to information in the computers. You can also use
biometric security, which requires a person to uniquely identify himself and prove his
identity with some part of his body, such as a fingerprint, handprint, or eye scan.
Successful implementation of these types of policies requires consideration before they
are installed to ensure that the correct level of security is being applied relative to the
sensitivity of the area that is being secured.

Smart cards are an example of physical security.

Organizational Requirements
In general, an organization will spend the time and money to implement security on a
network because the value of the assets being protected far exceeds the cost to protect
them. Another way of looking at it is that the potential loss from not protecting an
organization's assets far exceeds the cost of implementing and maintaining protection.
Assets might include trade secrets, source code, customer databases, e-commerce
transactions, credit information, medical information, and many other forms of sensitive
data.

Unfortunately, threats exist in today's computing environment that necessitate the
constant protection of this sensitive data. Threats can come from a variety of sources,
including an attacker trying to steal the information, a software application that has a
security flaw, or even a natural disaster, such as a fire or flood. You need to design your
network with these threats in mind and ensure that your design can respond to each
threat.

The amount of security that an organization needs is a balance between the cost of
implementing the security and the potential cost and likelihood of each threat. Risk
management is a study of this balance: it weighs the likelihood of the threat occurring
and its impact if it does against the cost of implementing the protection to prevent the
threat. Risk management can be used to analyze security options and choose the
appropriate ones, as well as to persuade others to spend the money to prevent future
threats. We discuss risk management in greater detail later in this chapter.

Although every network has unique needs, some principles of security design have
evolved from the experience of many network administrators. You should be aware of
these key principles of security design and incorporate them into your network design.
The key principles of security design are as follows:

• Defense in depth
• Least privilege
• Minimized attack surface
• Security design versus security implementation

We now discuss each of these principles and their relation to establishing organizational
requirements for security.

Defense in Depth

Your network design needs to include multiple layers of protection, referred to as defense
in depth. These layers can include accounts, operations, and security technologies.
Multiple layers have been proven to be much more effective at defending against threats
than single-layer designs, regardless of their individual strength. This is partly because
an attack that has broken through one layer can be detected and countered before the
attacker gains access to sensitive information.

Least Privilege

Each user should have only the bare minimum permissions necessary to gain access to
and use the parts of the network that he needs. This concept, called least privilege, is a
delicate balance because if the user cannot access the resource that he needs, his
productivity will be affected. Alternatively, if a user accesses data that he shouldn't see,
it's impossible to erase that data from his head after he has seen it. You need to give
serious consideration to the permissions that are set on users and on the groups in which
they are members. Do not simply accept the default permissions from the operating
system settings.

Minimized Attack Surface

An attack surface is a point of entry that an attacker could potentially exploit and thereby
enter the network. You can minimize the number of attack surfaces on your network by
requiring the use of firewalls and proxy servers. A user with a modem connected to the
fax line can create a potential vulnerability to the network without being aware of what
he is doing. You should use security policies to prevent Internet connections that can
create additional attack surfaces.

Virus Story
A student related to us that his company had gone to great lengths to protect its network
from viruses. All servers and client computers had antivirus software installed. This
software was configured to update virus definitions each night. All email messages were
scanned for viruses before being allowed to enter the network. This was an integral part
of the company's security plan.

When a virus entered the network and began to spread, the network administrators were
at first perplexed as to how it could have gotten into the network. They reviewed all of
their security measures and could not find the hole. They decided to keep their eyes and
ears open to see what they could determine.

It was by coincidence that a network administrator happened to be in the area when a
user disconnected the fax machine line and plugged it into a modem that he had installed
in his desktop computer. When asked what he was doing, the user responded "I can't get
to the bulletin boards and some of the sites that I use if I go through your system."
These sites were, of course, blocked by the security policy because of their potential to
contain and spread viruses. The network administrators later found that the user had
disabled the antivirus software on his computer because, in his words, "It takes too long
to start up with that stuff on." They had found the source of their virus!

The moral of the story is, watch out for the user who knows just enough to be
dangerous!

Security Design Versus Security Implementation

You also need to understand the difference between security design and security
implementation. In the design phase, you identify all of the potential threats to a
network, conduct risk management, and develop security policies based on the needs of
the organization. This should be done within a framework so as not to miss anything. It
should involve a team of individuals from different parts of the organization so that it is
relevant to the organization as a whole.

Security implementation is the by-product of security design. It involves only the network
administrators and the security team. It applies all of the policies and procedures as they
were decided on by the security design team and ensures their implementation and
maintenance. Security implementation might involve rolling out and testing security
templates, setting permissions on files and folders, and delegating permissions to
network administrators for their assigned areas.

Security of Data
If there is one thing that all networks have plenty of, it's data! Data is information in
digital form on the computer or flowing through the network. It can be contained on hard
disks, in RAM, on a variety of other storage media, or simply flowing throughout the
wires of the network. Organizations might have many different forms of data, depending
on their function, but all organizations have basically four types of data on their
networks. You should be familiar with these four types of data and their inherent security
risks:

• Public data
• Internal data
• Confidential data
• Secret data

We now discuss each of these types of data and their inherent security concerns.

Public Data

Public data is information that is made available to anyone who wants access to it. You
might be thinking "How can there be a security risk with public data?" The risk comes in
the form of the identity and prestige of the company if the public data were to be altered
by an attacker. For example, if someone could add pictures or text to a company's Web
site, he could potentially hurt the reputation of that company. Therefore, your design
needs to allow public data to be accessed and read by anyone but to be changed only by
a select few.

Internal Data

Internal data includes reports and information used on a day-to-day basis within an
organization. These reports are not confidential, but the business does rely on the
integrity of the information that the reports contain. An example of internal data is an
expense report template that automatically calculates mileage expense based on the
number of miles entered. There is nothing confidential about the template itself, but if
someone changes the mileage rate from .31 to 3.1, it would most likely cause a few
headaches in accounting! Internal data should only be available to users in the
organization and needs to be protected to maintain the integrity of the data.

Confidential Data

Confidential data is kept private from all but a few internal users. This data might include
payroll information, credit information, medical histories, and other sensitive and private
information. Typically, only a select group of users can access this information and even
fewer users can make changes to it. Your security design needs to allow for the storage
and transfer of confidential data.

Secret Data

Secret data is information that an organization relies on for its very existence. This
includes trade secrets, formulas, recipes, source code, and other highly sensitive data
that is used to produce a product or service and compete in the marketplace. Secret data
should only be available to a select few and must be protected from unauthorized access
or change. Your security design needs to include provisions for this type of data.

Security of the Network

Many areas of a network require security. Because the network functions as a whole, a
security flaw in one area can have an effect on other areas as well. Your security design
needs to focus on each individual portion of the network's infrastructure and how each
relates to overall network security. The main areas of focus, as identified by Microsoft,
are the following:

• Physical security
• Computers
• Accounts
• Authentication
• Data transmission
• Network perimeters

We now discuss each of these areas and their impact on the security of the whole
network.

Physical Security

We mentioned previously that the servers on a network should be kept behind locked
doors. Although this is a given, it is only part of the physical security on a network.
Access to a hub, switch, router, or even a cable can represent an attack surface for an
attacker and thereby a network vulnerability. You should use care when routing cables
and hardware and ensure that only authorized personnel can gain access to them. You
can also use fiber-optic cable for sensitive data to significantly reduce the chance of a
wire tap.

Fiber-optic cables use light instead of electricity and are, therefore,
immune to electrical wire tapping and very difficult to tap at all. They
are the best choice for a backbone in a high-security network.

Computers

Most computers are not secure as installed; they remain insecure until you configure and
install security measures. You need to ensure that computers have already been
configured for the proper security, to whatever degree is possible, before you connect
them to a network. This keeps an attacker from taking advantage of the default security
settings during installation. You also need to establish a baseline for security so that you
know what the network is supposed to look like and how it should perform. It's important
to make certain that you are not under attack when you establish a baseline, because the
attack could become part of the baseline, making it harder to detect future attacks.

Accounts

One of the most common security flaws in networks today is the use of weak passwords.
Most people simply don't want to have to remember a complex password, so unless you
force users to use complex passwords, most of them will not. A complex password
typically combines uppercase letters, lowercase letters, numbers, and symbols, and it
forms a "word" or phrase that cannot be found in the dictionary. This defeats an internal
brute force attack, such as a dictionary attack, in which one computer runs through a
word list until it finds the correct password for an account on another computer. You can
force users to use complex passwords by using technical security policies. You also must
make certain that all administrative account names and passwords are kept secure.

The use of weak passwords is considered one of the most common threats to security.
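The complexity rule just described and the security templates mentioned under Technical Policies earlier in this chapter are the two places where a Windows administrator actually enforces account policy, so they are worth seeing together. The following Python example is added here and is not from the book or from Microsoft: it parses the [System Access] section of a constructed security template in the .inf layout used by the Security Templates snap-in, reports settings that fall below a baseline, and applies the chapter's complexity rule to candidate passwords together with the account-name check that the Windows complexity setting adds. The two sample templates, the baseline thresholds, and the tiny word list are assumptions made for the example.

```python
"""Audit the account-policy settings of a Windows security template (.inf)
and check candidate passwords against the complexity rule it enforces.

Added example: the templates, the baseline and the word list are constructed."""
import configparser
import re

# Constructed sample in the [System Access] layout of a security template.
# (Real .inf templates on disk are UTF-16 files; here they are plain strings.)
WEAK_TEMPLATE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_TEMPLATE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Baseline the security design team settled on (assumed values for this example).
# ("min", n): at least n; ("max", n): between 1 and n; ("eq", n): exactly n.
BASELINE = {
    "MinimumPasswordLength": ("min", 8),
    "PasswordComplexity": ("eq", 1),
    "PasswordHistorySize": ("min", 24),
    "MaximumPasswordAge": ("max", 90),   # -1 in a template means never expire
    "LockoutBadCount": ("min", 1),       # 0 disables account lockout
}


def load_system_access(template_text):
    """Parse the [System Access] section into {setting: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep the template's capitalisation
    cp.read_string(template_text)
    return {name: int(value) for name, value in cp["System Access"].items()}


def audit_template(template_text, baseline=BASELINE):
    """Return (setting, value, reason) for every setting weaker than the baseline."""
    settings = load_system_access(template_text)
    findings = []
    for name, (rule, bound) in baseline.items():
        value = settings.get(name)
        if value is None:
            findings.append((name, None, "not set in template"))
        elif rule == "min" and value < bound:
            findings.append((name, value, f"below baseline minimum of {bound}"))
        elif rule == "max" and (value < 1 or value > bound):
            findings.append((name, value, f"must be between 1 and {bound}"))
        elif rule == "eq" and value != bound:
            findings.append((name, value, f"expected {bound}"))
    return findings


# Constructed stand-in for a real dictionary; a word list would be used in practice.
WORDS = {"password", "welcome", "letmein", "summer", "company"}

CHARACTER_CLASSES = (
    lambda c: c.isupper(),
    lambda c: c.islower(),
    lambda c: c.isdigit(),
    lambda c: not c.isalnum(),      # symbols and punctuation
)


def meets_complexity(password, account_name, min_length=8, words=WORDS):
    """Apply the chapter's rule (mixed character classes, not a dictionary word)
    plus the Windows complexity setting's own checks: three of the four classes
    must be present and the password must not contain the account name."""
    if len(password) < min_length:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    present = sum(1 for cls in CHARACTER_CLASSES if any(cls(c) for c in password))
    if present < 3:
        return False
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # "Password1!" -> "password"
    return lowered not in words and letters_only not in words


if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, audit_template(tpl) or "meets baseline")
    for pw in ("Password1!", "jsmith2004!", "Tr0ub4dor&3"):
        print(pw, meets_complexity(pw, "jsmith"))
```

The audit reports the weak template five times (no minimum length, complexity off, no history, passwords that never expire, lockout disabled) and passes the hardened one; "Password1!" fails even though it mixes all four character classes, because stripping the digits and symbols leaves a dictionary word, which is exactly the kind of password the chapter warns about.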

Authentication

Authentication is the process of proving that you are who you say you are. What happens
when a user types in his password and it is sent into the network for authentication?
Well, if the password is not encrypted during transmission, it could be intercepted and
used by an attacker. Authentication is a necessary service on a network, but you need to
ensure that passwords are secure during the authentication phase. This becomes
especially challenging when users are authenticating remotely, such as over telephone
lines. Your network security design needs to incorporate solutions to these security risks.

Some operating systems do not encrypt passwords when they're sent
to the domain controller. In these systems, an attacker can use a
network sniffer to determine a password and impersonate the user.
This could be the attacker's first step into the network.

Data Transmission

After a user authenticates successfully, it's time to use the network resources. This
means that data is going to flow through the cables so the computers can communicate
with each other. Because most data flow is a series of fluctuations of electric current, it is
easily interpreted by many types of network sniffers unless it is encrypted or further
encapsulated to prevent this sniffing. If an attacker is able to interpret data, such as IP
addresses and computer names, the attacker can make himself look like he belongs on
the network. This is known as spoofing and should be avoided by the use of
countermeasures. Attackers who can interpret data can also read the information
contained in it and even change the information while it is in transit. This data
modification can be damaging to an unsuspecting organization. Your network design
needs to address these types of security vulnerabilities.

Network Perimeters

If you are connected to the Internet, without a firewall or proxy server, the Internet is
connected to you. Most Internet communications open up a pipe of communication
between two or more computers. This means that each computer can get into the other
computer. Under normal circumstances, specified ports are used as logical addresses to
the correct applications and resources in the computer. An attacker uses the pipe to
exploit the connection and attempt access to other ports within the computer. The other
ports might allow the attacker to do anything from turning off critical services and
functions to remotely shutting down the client or server. You must take great care that
the servers and clients that you connect to the Internet are protected from these types of
attacks.

Designing a Framework for Designing and Implementing Security
As you can see, there are many aspects and considerations that make up a security
design. Therefore, to ensure that the final plan is comprehensive and that nothing is
missed, Microsoft recommends that you use a framework to guide your design decisions.
The Microsoft Solutions Framework (MSF) consists of people, processes, and risk
management. Each part of the framework plays a key role in the overall design. It is
essential that all involved people can communicate effectively. You should involve a
representative sample of management and other users to pull information from many
sources in your organization. These people should be able to assist in aligning technology
solutions with business requirements.

MSF is a suite of guidelines and principles that provide models to build and deploy a
distributed network. It consists of three phases that can each be repeated many times
over the life of a network. The three phases of the MSF are as follows:

• Planning
• Building
• Managing

We now discuss each of the three phases of the MSF and their relationship to creating
and maintaining a comprehensive security design.

Planning
In the planning phase, you need to assess your current security model and policies and
then decide what changes need to be made to fulfill the needs of the organization. This is
the time for all of the people involved to ask for what they need regardless of how it will
be provided. The goal is to create a vision for optimum security for the network. Each
person needs to understand the overall goal and the components to reach the goal. You
should establish a system of measurable metrics to help you stay on track toward the
goal. You might want to meet in a conference room with a white board or flip charts and
any relevant documentation. All ideas should be considered, no matter how far-fetched
they might seem at first.

Each organization has its own unique needs, but some parts of the planning phase are
essential for all organizations. As part of your planning phase, you need to

• Create a security design team.
• Consider common network vulnerabilities.
• Model threats.
• Create a risk management plan.

We now briefly discuss each of these essential pieces of the planning phase.

Creating a Security Design Team

Your security design team is responsible for creating policies and envisioning how
information will be secured. The more diverse your team is in regard to departments and
rank of individuals, the more comprehensive your design is likely to be. Your design team
needs to include an executive sponsor who can make decisions and who has the
authority to have those decisions carried out. Microsoft recommends that you form a core
team and an extended team to support the core team. Examples of potential members of
the core team are listed in Table 1.1.

Table 1.1. Core Team Members for Security Design Team

Role on Design Team     Responsibilities
---------------------   -----------------------------------------
Product management      Align security with business requirements
Program management      Manage development
Development             Create and deploy security
Test                    Test and ensure quality control
User education          Train staff and ensure usability
Logistics management    Manage operations and deployment

The extended team members might not be involved in the design process on a daily basis
but will be used for support and consultation before final decisions are made. The
extended team helps ensure that the overall plan is feasible to implement and relative to
the organization's needs. Table 1.2 lists the recommended members of the extended
team.

Table 1.2. Extended Team Members for Security Design Team

Role on Extended Team    Areas of Responsibility
-----------------------  --------------------------------------------
Executive sponsor        Support and authority
Legal                    Law and liability
Human Resources (HR)     Employee rights and responsibilities
Managers                 Enforcement of policies
End users                Practical feedback
Auditors                 Review of policies, procedures, and practices

Considering Common Network Vulnerabilities

Many attacks on a network are aimed at exploiting a well-known security weakness. Your
security design needs to address these weaknesses and provide measures to avoid
common attacks. Table 1.3 lists the most common security weaknesses on a network as
identified by Microsoft.

Table 1.3. Common Network Vulnerabilities

Vulnerability                         Method of Exploitation
------------------------------------  -------------------------------------------------------
Weak passwords                        Passwords are easy to guess and use.
Unpatched software or service packs   Public information is available about the security
not applied                           weakness.
Incorrect configuration               Users have too many privileges; applications run as
                                      the Local System account.
Social engineering                    The help desk resets a password without verifying the
                                      identity of the caller.
Weak security on Internet             Open ports and exposed resources exist, are identified,
connections                           and are used for malicious purposes.
Unencrypted data transfer             Authentication and data are sent in clear text and are
                                      intercepted by sniffers.

Modeling Threats

The process of modeling threats during the planning phase involves creating a living
document that predicts all of the threats that could come against the network and
highlights the areas of most importance. The design team uses the living document to
prioritize their decision-making process. A living document is one that changes over time.
You can count on the threats presented against your network to be an ever-changing
flow of challenges.

You can use a model to help you predict threats to a network. Many attacks on a network
follow the same pattern. Your design needs to be able to detect, respond to, and prevent
future attacks during each of the following stages of attack:

1. Footprint— At this stage, the attacker is only preparing for the attack. He might
have researched the company through the public Web sites. In addition, he might
have built a relationship with an employee of the company. This is also the stage
at which he might run port scans on all of the accessible computers and other
network devices.
2. Penetration— When he finds a security hole, the attacker tries to take advantage
of the vulnerability. This is the beginning of the actual attack.
3. Elevation of privilege— At this stage, the attacker uses his knowledge of well-
known security vulnerabilities to gain administrative control of the network. He
might, for example, exploit the Local System account to gain control of a process
and use the process to create an account with administrative privileges.
4. Exploitation— After elevated privileges are acquired, the attacker makes a
change on the network. This could be anything that he chooses—from deleting
data and configuration information to defacing the company Web site.
5. Cover-up— At this stage, the attacker is finished and wants to erase any
evidence that he was there. His prime motivation at this stage is to avoid
detection and prosecution.

Unfortunately, it's easier for attackers to come up with new ways to attack your network
than it is for you to protect it. The attacker generally has ample time; because you aren't
expecting him, the attack can go unnoticed for quite some time. In addition, he doesn't
follow any rules or regulations. You, on the other hand, have many tasks to do
throughout the day in addition to protecting your network. In addition, you have to follow
the rules and regulations to protect the privacy of users on your network as outlined by
Legal and HR. Finally, you have a finite amount of funds at your disposal to combat the
attacker.

Because of the challenge of protecting the network, you must use all of the tools at your
disposal to predict the threats. Microsoft recommends that you use the STRIDE threat
model. This model provides a simple method of categorizing the most common security
threats to your organization. There are six categories in the model, but some threats
might belong in more than one category. Table 1.4 lists the categories of the STRIDE
threat model and some examples of each category.

Table 1.4. The STRIDE Model of Common Network Vulnerabilities

Types of Threats           Examples
-------------------------  ---------------------------------------------------------------
Spoofing                   Forge email addresses.
                           Replay authentication packets.
Tampering                  Alter data during transmission.
                           Change data in files.
Repudiation                Delete a critical file and deny doing it.
                           Purchase a product and later deny doing it.
Information disclosure     Expose information in messages.
                           Expose code on Web sites.
Denial of Service (DoS)    Flood network with SYN packets.
                           Flood network with forged Internet Control Message Protocol
                           (ICMP) packets (pings).
Elevation of privilege     Exploit buffer overruns to gain system privileges.
                           Exploit the Local System account.

Creating a Risk Management Plan

We discussed risk management earlier in this chapter, but it bears repeating. If it costs
more to prevent something from happening than the cost of damage if it were to happen,
it is not worth securing a network against that threat. That seems like common sense
but, because modern technology has given us so many types of hardware and software
to combat threats, we tend to think that we want to combat them all. A risk management
plan analyzes the feasibility of any security design decision based on dollars and cents.
This is done by using a risk assessment formula. This formula helps you make a decision
and makes your decision much easier to "sell" to upper management.

The goal of the risk assessment formula is to estimate the loss of a successful attack and
then multiply that estimate by a percentage indicating the likelihood of the attack. This is
expressed in annualized terms and is referred to as the Annualized Rate of Occurrence.
You can obtain the Annualized Rate of Occurrence from a variety of sources, including
the police departments and computer crime monitoring agencies in your area. You need
to consider all of your costs of losing that asset, including the loss of productivity during
the time it is down and the additional cost to bring it back up to normal operation.

If the cost of protecting against this occurrence is far less than the calculated risk, you
should consider protecting against the occurrence. For example, suppose you are
considering additional virus protection on your Web server. You research the police
records in your area and find that the likelihood of your Web server being attacked with a
virus and brought down is 20%. Furthermore, you find that, on the average, a Web
server stays down for about one day after the attack. You estimate a productivity loss for
one day to be at least $20,000. You then add the cost of the time to repair the server
and eradicate the virus, which is another $2,000. Figure 1.1 shows an example of the
risk assessment formula that you could use to determine the amount that you would be
willing to spend to prevent this occurrence.

Figure 1.1. A formula used in risk management.
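Carried through with the figures from the example above, as an added worked derivation that stands in for the figure (it is not the book's own Figure 1.1; single loss expectancy, SLE, and annualized loss expectancy, ALE, are the standard risk-management names for the loss per incident and the likelihood-weighted yearly loss that the text describes, and ARO is the Annualized Rate of Occurrence the text names):

$$\text{SLE} = \$20{,}000 + \$2{,}000 = \$22{,}000$$

$$\text{ALE} = \text{ARO} \times \text{SLE} = 0.20 \times \$22{,}000 = \$4{,}400 \text{ per year}$$

By the rule the chapter gives, the additional virus protection is worth buying only if it costs far less than $4,400 a year; a more expensive countermeasure is not justified by this one threat, however effective it is.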

Building
As you can imagine, the people responsible for building the security design are not the
same people who were involved in the planning phase. In the building process,
experienced network administrators, security specialists, and consultants use the
hardware and software at their disposal to attempt to create the security that the
security design team has envisioned.

These administrators create, deploy, and test security templates and policies. This phase
is usually performed in a testing lab to assess the impact of security decisions before
placing them into a production environment. This is done to protect the productivity of
the workers. After successful completion in a lab, the templates should be rolled out in
phases. You should use a test group to ensure that you haven't missed anything in the
lab before rolling the security out to the whole network. Knowledge of what is available
and how it relates to network security is the key component in the building phase.

Managing
After implementation of the security design, you are responsible for managing the design
to ensure that it provides the security that was envisioned by the security design team.
Some of their desires might have been found to be impossible or infeasible, but those
that were implemented are now yours to manage. If the network was never going to
grow or change again, this would be relatively simple. However, because the network is
constantly changing and growing, you must make certain that each change is carefully
considered in regard to its impact on your new security design. As mentioned previously,
a flaw in one area of the network can affect the entire network.

The help desk generally provides end-user support, but you are responsible for
monitoring the network to ensure that the new policies are being enforced. You will likely
detect security vulnerabilities and use the system's features to better protect the
network. You need to inform the appropriate managers of any misuse of the network to
ensure that the policies are enforced. Success in this phase depends on constant
monitoring and taking personal responsibility for the security of the network.

Analyzing Challenges of Designing Security
If each component of the network functioned in a vacuum, separate from all other
components, security would be much easier to implement. One of the greatest challenges
of network security is that anything can potentially affect everything. The more we
understand about our network and the interoperability of the components that make up
our network, the better we will be at providing the correct security measures.

Another component that presents a challenge in designing security is the users
themselves. People are independent and sometimes unpredictable. Because most users
know very little about the computers on which they work, you have to make certain that
you protect the network against the innocent actions of users that could cause a
vulnerability. As mentioned previously, a user with a modem on a fax machine line could
circumvent your entire remote access policy.

Finally, some users purposely attack a network from within the organization itself. You
need to have security policies in force that monitor, detect, and prevent future attacks.
You must make it a priority to keep the network functioning well for the users who
depend on it. The productivity of your organization is at stake.

Although each network has its own unique set of security needs, all networks are secure
or nonsecure because of their policies and procedures for security. We can learn from the
mistakes of others to create a more secure network. The following are the most common
reasons, as identified by Microsoft, that security policies fail on a network:

• Not enforced
• Difficult to read
• Difficult to find
• Outdated
• Too vague
• Too strict
• Not supported by management

In the following sections, we briefly discuss each of these reasons for failure and how you
can avoid them in your security design.

Not Enforced
If you create a written security policy and have each of the users sign off on it, you must
enforce the policy when someone violates it. People tend to disregard a policy when they
see that no one is enforcing it. This creates a credibility issue that can have a
tremendous impact on your ability to enforce future policies. The bottom line is that the
offenders must be punished based on the terms of the policy. If this is not possible, the
policy needs to be adjusted to reflect some type of punishment that is enforceable.

Difficult to Read
Because IT, Legal, and HR should all be involved in producing a security policy, the
language of the policy could get very confusing if you're not careful. Remember that
users can't abide by an agreement that they can't understand. You should make every
attempt to create a policy that is relative to the organization's requirements yet concise
and simple for the users to understand and follow. Each user needs to be given a copy of
the security policy and must sign that he has read and understood it. Managers can
answer any questions that employees have before signing the policy. This also makes the
policy much easier to enforce when needed.

Difficult to Find
Policies that are stored in some obscure location known only to upper management are of
little use to the organization. Each user needs to have his own copy of the policy
complete with his signature. In this way, no one can say that he forgot or that he
couldn't find it for reference.

Outdated
Security policies need to be updated at least once per year. Policies that are not kept up-
to-date will become insignificant as business practices and technologies change. Each
update must be distributed and signed off by all users of the system.

Too Vague
If your security policy leaves details open for interpretation, some users might
misunderstand a policy and inadvertently create a security vulnerability. Also, if you
haven't explicitly defined your security policies and procedures, it will be difficult to build
a template that rolls them out with consistency. Each manager might interpret his own
template based on your vague policy. For these reasons, security policies need to be as
specific as possible and leave little to one's interpretation.

Too Strict
A policy that issues a threat that is not likely to be carried out tends to be ignored by
employees and management. For example, if your policy states that "Any violation of this
agreement, intentional or otherwise, will result in the immediate termination of the
offender," will you enforce the policy if an executive accidentally violates the agreement?
If you can't or won't enforce a policy, it is of no use. For this reason, take care when
producing a policy to equate the potential punishment with the crime. Involve HR to
determine the appropriate response.

Not Supported by Management

Employees tend to take their cue from management as to what is important and what is
not. Policies that are ignored by managers will likely be ignored by employees as well.
This is why you need to involve as many managers as possible in the planning phase so
that their ideas are heard and they are supporting their own idea on its implementation.
When people feel that something is being forced on them, they tend to fight it.

So now that we've talked about what "not to do," let's focus on what we should do in
regard to producing a comprehensive, concise, and feasible security policy. In addition to
what we have mentioned previously, each security policy should have the following
features:

• Clear, concise, and simple procedures
• Business continuity
• Incentives
• Enforcement through technology

Clear, Concise, and Simple Procedures

Your policy needs to not only state what is to be done on the network, but also how it will
be accomplished. State specifically what is allowed and what is not allowed by users and
administrators. This needs to be carefully phrased so that it can be understood by a
person with limited knowledge of computers.

Business Continuity
Remember that the main goal of the security policy is to keep the network secure so that
the users can remain productive. The bottom line of business continuity in a policy is
always productivity of the users. If your security policy hampers productivity in any way,
it is a detriment to the network instead of an asset. Remember that the policy was
formed because of what might happen, but if it causes a problem, it's worse than the
potential problem it was designed to prevent. Your policy should, in most cases, be
transparent to users in regard to their ability to do their jobs.

Incentives
Consider rewarding employees for abiding by the policies and for bringing a security hole
or security violation to your attention. Alternatively, you might make an employee's
bonus contingent on following all security policies and procedures.

Enforcement Through Technology

Because technology is what caused the security problem in the first place, it's only fair
that it play an important role in solving it. You should remember that more technology is
not always the solution. Sometimes, simply informing users of security problems is the
best solution. Enforcement through technology can, however, prevent employees from
unwittingly violating security policies.

Technology offers its own challenges. Depending on the computer systems that we are
using, we can have more or less control over the enforcement of security policies.
However, there are many security challenges related to technology that are present in all
networks. Technology challenges that all network administrators face include

• Securing administrative access
• Securing user accounts and passwords
• Securing computers
• Securing file and print resources
• Securing communication channels
• Providing secure access for remote users
• Providing secure access to remote offices
• Providing secure access for users to the Internet
• Providing secure access for users from the Internet
• Providing secure access for business partners

We now briefly discuss each of these technical challenges and their relation to the overall
concept of security design for the network. As mentioned previously, we discuss the tools
that Windows Server 2003 provides to meet these challenges in the next chapter and
throughout the rest of this book.

Securing Administrative Access

Administrators have the highest level of privileges on a network; therefore, administrative
access to the network needs to be protected at all times. Administrators should not log
on as an administrator to do normal nonadministrative activities, such as reading email
or accessing data files. Your security design needs to include guidelines for
administrators to prevent unauthorized access at an administrative level.

Securing User Accounts and Passwords

Attackers will find whatever opportunity presents itself to begin to gain access to a
network. This may include guessing a user's password or watching the user type the
password. Training users on the proper use of passwords is the first step to stronger
security on a network, but you should also consider forcing users to use complex
passwords and to change their passwords frequently. Your security design needs to
include guidelines for usernames and passwords.

Securing Computers

Your security design needs to have guidelines and provisions for securing each computer
role. Roles include domain controllers, member servers, clients, file and print servers,
application servers, and Web servers, to name a few. You need a consistent policy that
"locks down" these computers to an appropriate extent based on their role in the
network.

Securing File and Print Resources

File servers store user data, some of which is sensitive. Your security policy needs to
establish the correct permissions for each file and folder based on a user's role or job
requirements. This security should be transparent to the user as long as he is doing what
his job requires. The security should become very apparent to the user if he decides to
try to access files and folders that he has no need to see or use.

One area that is often overlooked is that of the print server. If a confidential document is
sent to a print server, there are several potential security vulnerabilities. The most
obvious is the hard copy of the document coming off of the print device, but you need to
also consider the print server's spool as well as the network cables themselves. Your
security design needs to have guidelines for the printing of confidential and secret
documents.

Some print devices and faxes have a feature that holds a document
before printing it until the correct password is entered locally on the
device. You should consider this feature for confidential and secret
documents.

Securing Communication Channels

You have two challenges when securing communication between two computers. The first
is "How do you know that I am who I say I am?" (because you can't actually see me).
Your security design should address authentication, which is the process of one entity
proving that it is who it says it is. The second is "Now that we know each other, how do
we send information so that no one else sees it?" Your security design needs to also
address encryption, which is the process of scrambling data so that no one but the
intended recipient can interpret it. We discuss encryption technologies in detail in
Chapter 2, "Creating the Logical Design for Network Infrastructure Security."

Providing Secure Access to Remote Users

Securing a remote access connection is especially challenging because the connection is
likely to change technologies along the way. The most common remote access
connection is still the Public Switched Telephone Network (PSTN), which provides only a
56-Kbps connection. This network can be used as a dial-up connection in which one
modem is used to dial another modem. Another method that uses the PSTN is a virtual
private network (VPN) connection in which the user connects to the Internet to make the
connection to an organization's remote access server. As you might imagine, these shifts
in technology cause the use of a totally different set of protocols, which are the rules that
govern the communications. Your security design needs to address remote access and
the protocols that are used to secure data transmissions from outside of the network.

Providing Secure Access to Remote Offices

Remote offices are generally connected to each other with routers. Modems might also
be used for a small remote office or for a backup line of a larger, remote office. Because
the Internet is inherently nonsecure, organizations use either leased private lines or
tunneling protocols that create a VPN through the Internet. These protocols can provide a
variety of security features depending on the type of tunneling protocol used. The most
common tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer Two
Tunneling Protocol (L2TP). We discuss each of these in much greater depth in Chapter 4,
"Creating the Physical Design for Network Infrastructure Security." Your security design
needs to specify the correct tunneling protocol based on the needs of your organization.

Providing Secure Access for Users to the Internet

The challenge of providing access to the Internet is in giving your users access out to the
Internet while at the same time controlling the Internet's access back into your network.
You can use devices such as firewalls to create screened subnets that control traffic to
and from your network. You should consider Network Address Translation (NAT) to allow
users to access the Internet without revealing the internal addressing scheme on your
network. NAT also allows many users to connect to the Internet simultaneously and
independently using only one registered address. You can also use a proxy server to
make the connection on behalf of the client, and thereby provide NAT as well as a cache
of address information that you and clients can use. Proxy servers can also control a
user's access based on group memberships, sites accessed, or even time of day. Both of
these devices help to minimize your attack surface. Your network design needs to include
the use of a proxy or NAT for Internet access. We discuss remote access in detail in
Chapter 7, "Creating the Physical Design for Client Infrastructure Security."

Providing Secure Access to Users from the Internet

Whereas access to the Internet is from the "inside going out," access from the Internet is
from the "outside going in." Users who are on the outside of the organization might need
access to resources that are on the inside. Your security design needs to provide them
access to the resources just as if they were at their own desk, although it might be much
slower due to limited bandwidth. You can accomplish this using firewalls and by requiring
that authentication and encryption protocols are used on all connections. Your security
design needs to force the use of these protocols whenever possible.

Providing Secure Access to Business Partners

Sometimes, you might want to allow another organization to see some of your network
resources. You might do this to provide a service for your customer. This creates a
network referred to as an extranet. For example, you might want to allow a manufacturer
to which you supply parts to view your inventory and place orders through the Internet.
They might even use a computer software program that makes the process automatic at
defined levels. It's important that you can authenticate the manufacturer to make sure
that you aren't giving your competition a view of your inventory. It's also important that
the manufacturer is limited to accessing only that which you define. Your security design
needs to incorporate guidelines for managing extranets when needed.

Exam Prep Questions
Case 1: BFE Inc.
BFE Inc. is a medium-size software development company in Birmingham, Alabama.
Administrators at BFE have recently become concerned with the overall security of their
network. You have been hired as a consultant to recommend a new design to ensure the
security of BFE.
BFE has several servers spread across three main locations, including Birmingham,
Atlanta, and Jacksonville. In addition, they have one satellite office with 10 clients but no
servers. All administration is conducted from Birmingham.
BFE has many security questions in regard to the physical and logical security of their
network and the data that it contains. They want you to develop a plan that includes
security policies and a framework to make certain nothing is missed.

Q1 Which type of security policies will you enforce with the software that you
recommend?

• A. Administrative
• B. Physical
• C. Technical
• D. Insurance

A1: Answer C is correct. Technical policies are enforced by the operating systems and
applications of a network. Administrative policies are enforced by management;
therefore, answer A is incorrect. Physical policies are enforced by locks, cameras,
and smart cards; therefore, answer B is incorrect. Insurance policies are not part of
network security; therefore, answer D is incorrect.

Q2 Which of the following are parts of administrative policies? (Choose two.)

• A. A security template enforced by the software
• B. A written agreement that an employee must read and sign
• C. A lock on a server room door
• D. A well-known rule about security that is posted on the company Web site

A2: Answers B and D are correct. Written policies and well-known rules make up the
administrative policies in an organization. A security template enforced by the
system is part of a technical policy; therefore, answer A is incorrect. A lock on a
server room door is part of a physical policy; therefore, answer C is incorrect.

Q3 Which key principle of security design uses multiple layers to enhance security?

• A. Minimized attack surface
• B. Defense in depth
• C. Least privilege
• D. Security design versus security implementation

A3: Answer B is correct. Defense in depth uses multiple layers to enhance security. If
one layer is breached, the other layers allow the detection of the attacker.
Minimized attack surface refers to reducing the physical and logical areas of
vulnerability on a network; therefore, answer A is incorrect. Least privilege refers to
a method of assigning the least permissions possible to each individual; therefore,
answer C is incorrect. Security design versus security implementation refers to the
assignment of individuals to design and then to build the security; therefore,
answer D is incorrect.

Q4 Which are examples of the use of the key principle of minimized attack surface?
(Choose two.)

• A. Installing a proxy server
• B. Creating a new security group that can only back up and cannot restore
• C. Involving many different departments and ranks of individuals in your
security design meetings
• D. Installing a NAT server in a satellite office with many computers
connected to the Internet

A4: Answers A and D are correct. Minimizing the attack surface is a process of taking
away targets of opportunity for the attacker. A security group that can back up but
cannot restore is an example of least privilege; therefore, answer B is incorrect.
Involving many different departments and ranks of individuals in your security
design is an example of security design versus security implementation; therefore,
answer C is incorrect.

Q5 Which type of data can only be changed by a select few but used by any individuals
within your organization?

• A. Public
• B. Confidential
• C. Secret
• D. Internal

A5: Answer D is correct. Internal data can be used by any person within the
organization, but must be kept secure from change except by a select few. An
example is an employee expense report template. Public data can be used by
anyone in the organization or outside the organization; therefore, answer A is
incorrect. Confidential data is secured from the view of most individuals; therefore,
answer B is incorrect. Secret data is reserved for only a select few in an
organization; therefore, answer C is incorrect.

Q6 Which are examples of confidential data? (Choose two.)

• A. An expense report template
• B. Credit records
• C. Medical records
• D. The source code for the software that the company produces

A6: Answers B and C are correct. Confidential data is data that should only be seen by
a few individuals. This type of data is usually secured to protect an individual's
privacy. An expense report template is an example of internal data; therefore,
answer A is incorrect. The source code for the software that the company produces
is an example of secret data; therefore, answer D is incorrect.

Q7 Which phase of the Microsoft Solutions Framework (MSF) should involve as many
departments as possible and should encourage all ideas?

• A. Planning
• B. Building
• C. Managing
• D. Consulting

A7: Answer A is correct. The planning phase should involve many different departments
and groups of people. The purpose is to get all ideas out in the open. The building
phase only involves administrators and security experts; therefore, answer B is
incorrect. The managing phase only involves administrators and security experts;
therefore, answer C is incorrect. Consulting is not a phase of the Microsoft Solutions
Framework (MSF); therefore, answer D is incorrect.

Q8 Which are examples of activities performed in the planning phase? (Choose two.)

• A. Creating a security design team
• B. Creating security templates
• C. Modeling threats
• D. Configuring changes in the firewall

A8: Answers A and C are correct. Creating a security design team and modeling threats
are part of the planning phase. Creating security templates is part of the building
phase; therefore, answer B is incorrect. Configuring changes in the firewall is part
of the building or managing phase; therefore, answer D is incorrect.

Q9 In which type of threat does the attacker attempt to appear to belong on the
network?

• A. Denial of Service
• B. Spoofing
• C. Tampering
• D. Repudiation

A9: Answer B is correct. Spoofing is the process of an attacker attempting to gain and
use information, such as IP addresses and or computer names, so as to appear to
belong on the network. Denial of Service attacks attempt to tie up computer
resources so they can't function; therefore, answer A is incorrect. Tampering is an
attempt by the attacker to change data and/or configuration on the system;
therefore, answer C is incorrect. Repudiation is an attempt by an attacker to use
the network for a resource and then later deny that he did; therefore, answer D is
incorrect.

Q10 Which are reasons that security policies fail as identified by Microsoft? (Choose
two.)

• A. Too simple
• B. Not enforced
• C. Not vague enough
• D. Too strict

A10: Answers B and D are correct. Security policies should be simple to read and
understand yet comprehensive and specific. They should also be enforceable based
on the terms expressed in the policy itself. A policy that is too strict is difficult to
enforce. Security policies do not fail because they are too simple; therefore, answer
A is incorrect. Security policies should not be vague; therefore, answer C is
incorrect.

Chapter 2. Creating the Logical Design for Network Infrastructure Security
Terms you'll need to understand:

• Public Key Infrastructure (PKI)
• Certification authority (CA)
• Kerberos
• Trust
• Account policies
• Gateway (and Client) Services for NetWare (GSNW)
• Client Services for NetWare (CSNW)

Techniques you'll need to master:

• Designing a Public Key Infrastructure (PKI) that uses Certificate Services
• Designing a logical authentication strategy

When you communicate over the computer with another person, you make the
assumption that you are communicating directly with that person and that no one else is
involved in the communication. However, you can't see the other person or the
communication path from your computer to hers. You don't know if you are
communicating with her or with someone else pretending to be her. In addition, you
don't know whether someone else has intercepted the communications and changed
what was said. It's essential for businesses to be able to rely on their communications
with other entities; therefore, you need to be familiar with systems that increase the
reliability of communications.

In this chapter, we discuss a system that enables you to protect the security of
communications in your organization. A Public Key Infrastructure (PKI) is a combination
of hardware, software, encryption protocols, and technologies that allow you to ensure
that you are "talking" to the person or organization that you appear to be and that no
one else is "listening in." We also discuss an authentication protocol—Kerberos—that is
built in to Windows Server 2003. This protocol allows a user or computer in your Active
Directory to prove its identity and use the resources provided by the network. In
addition, we discuss trusts, which are the communication links that tie domains and
forests together. Finally, we discuss the establishment of accounts and passwords to
maintain security in a Windows Server 2003 Active Directory environment.

Designing a Public Key Infrastructure (PKI) That
Uses Certificate Services
If you want to make certain that someone is who he says he is, he needs to have
something that he can use to prove it. PKI provides a system of keys that allows an
entity to prove its identity over a communications link. These keys are contained in
certificates, which are exchanged between users and trusted resources. You can use
certificates and a PKI to manage security credentials of users within your network as well
as users outside of your network. Designing your PKI includes the following elements:

• Defining components of a PKI
• Designing a certification authority (CA) hierarchy implementation
• Designing security for CA servers
• Designing enrollment and distribution processes
• Establishing renewal, revocation, and auditing processes

One of the major advantages of PKI is that it can be used to manage secure access to
resources for entities that are outside of your organization; that is, not your users.

Defining Components of a Public Key Infrastructure

To understand how PKI operates, you need to be familiar with all of its components. In
addition, you must understand how all of the components can be used in a hierarchical
design to create levels of authentication security. The major components of a PKI are as
follows:

• Digital certificates
• Public key
• Private key
• Key and certificate management tools
• Certification authority
• Certificate publication point
• Public key–enabled applications and services
• Certificate revocation list

In the following sections, we briefly discuss each of the components of PKI and their
function in the hierarchy.

Digital Certificates

Digital certificates are the foundation of PKI. They are the key holders that allow the
system to function. A digital certificate contains a public key that uniquely identifies the
owner.

Public Key

A public key is an encryption key that is unique to a user. It can be provided through the
user's organization or through a trusted third party such as VeriSign. The public key is
used to encrypt data but cannot be used to decrypt data. The public key can also be used
to verify that a message came from the apparent sender.

Private Key

A private key is held by the user of the public key. The two keys make up a key pair. The
user's private key can be used to decrypt any data that is encrypted with the user's
public key. The user's private key is the only key that can decrypt this data.

Key and Certificate Management Tools

You can use the Certificates snap-in to manage and audit digital certificates. Figure 2.1
shows a Microsoft Management Console (MMC) with the Certificates snap-in installed.
You can also install the Certificate Services snap-in on a server to issue and track
certificates and revoke them, if necessary. Figure 2.2 shows the MMC with the Certificate
Services snap-in installed. Finally, you issue certificates using Internet Explorer and the
http://localhost/certsrv site. Figure 2.3 shows Internet Explorer on the certsrv
site.

Figure 2.1. You can use the Certificates snap-in to manage and
audit digital certificates.

Figure 2.2. You can track certificates and revoke them using the
Certificate Services snap-in in the MMC.

Figure 2.3. You can issue certificates using Internet Explorer.

Certification Authority

A certification authority (CA) is the trusted entity or service that issues digital
certificates. This can be a trusted third party, such as VeriSign, or servers in your
organization that have the tools installed.

Servers can be configured as enterprise CAs or as standalone CAs. Enterprise CAs require
the presence of Active Directory and can issue certificates automatically by referencing
Active Directory. In other words, if you have an account, you can get a certificate as well.
Standalone CAs require an administrator to monitor the requests and either approve or
decline the issuance of all certificates.

Certificate Publication Point

Because the public keys are supposed to be public, you need a directory service to store
this information and make certain that it is available to others. A user's key, which you
can use to send the user information in encrypted form so that the user is the only one
who can read it, should be published so that anyone who wants to use the key can do so.
With enterprise CAs, Active Directory provides the publication point. With third-party
CAs, certificates are published through services on the Internet.

Public Key–Enabled Applications and Services

Many applications and services use public keys to ensure the reliable and secure transfer
of information. These applications and services use protocols that automatically make
use of the public and private keys so that the process is almost transparent to the end
user. Table 2.1 shows the most common public key–enabled applications and their use
on a network.

Table 2.1. Public Key–Enabled Applications and Services

Application or Service                          Use on the Network
Secure mail (Secure/Multipurpose Internet       Ensures integrity, origin, and confidentiality of
  Mail Extensions, or S/MIME)                   email messages
Software code signing                           Ensures the apparent vendor of the software and
                                                the fact that it has not been altered
Secure Web communications: Secure Sockets       Provide authentication and encryption of
  Layer (SSL), Transport Layer Security (TLS)   communication between servers and clients
Secure Web sites                                Authenticates access to private Web sites
Custom security solutions                       Ensures confidentiality, integrity, authentication,
                                                and nonrepudiation for data transfer and business
                                                transactions
Smart card logon process                        Authenticates a user during logon
IPSec client authentication                     Authenticates transmissions between two computers
                                                after negotiating security
Encrypting File System (EFS)                    Encrypts files and folders with a user's public key
                                                so they are secure in the event that the computer
                                                or disk is lost or stolen

Certificate Revocation List

A certificate revocation list (CRL) is a list of certificates that have been revoked before
reaching the scheduled expiration date. This may have happened for a variety of
reasons, including misuse of the keys, fraudulent information, or simply a change in the
company that requires a new identity. The CRL should be published whenever it is
changed to ensure the security of the network. Figure 2.4 shows the Certificate Services
tool that you can use to revoke certificates.

Figure 2.4. You can use the Certificate Services tool to revoke
certificates.

Designing a Certification Authority Hierarchy Implementation
Now that you understand the components that make up PKI, let's talk about how you can
organize the CAs to ensure security while allowing them to function as efficiently as
possible. CAs are generally arranged in a hierarchical design. This means that one CA
trusts another CA to issue certificates to the end users. The top CA is referred to as the
root CA. The only certificates that the root CA issues are to other CAs, called subordinate
CAs. In other words, the root CA issues and maintains certificates for subordinate CAs,
but does not issue certificates to end users. Figure 2.5 illustrates a CA hierarchy. In this
figure, CA1 issues certificates to CA2 and CA3, which, in turn, issue certificates to the
end users.

Figure 2.5. You should configure CAs in a hierarchical design.

A company can arrange a hierarchy in many ways. The three most common hierarchical
designs used for internal CAs are as follows:

• Geographical
• Organizational
• Functional

We now discuss the three most common hierarchical designs for internal CAs and their
relation to the function and the security of a PKI.

Geographical

If your company has many different locations or regions, you might consider a
geographical design for your CA hierarchy. In this case, you need to set up a CA in each
region for the express purpose of issuing certificates to other CAs in that region, which
issue certificates to end users. This method provides granular control of security in each
of the regions of your company. Figure 2.6 illustrates a geographical hierarchy of CAs.
The East server issues certificates to all of the other servers in the East region (E2 and
E3), and they issue certificates to the end users.

Figure 2.6. A geographical design works well in organizations with
multiple locations.

Organizational

Another method of controlling the issuance of certificates is by grouping selected servers
based on who manages them. In this case, you set up an additional hierarchy of servers
for each administrator who will manage them. In other words, there is no geographical
reason for their arrangement; rather, it's simply a division of your company's
management structure. Figure 2.7 illustrates an organizational hierarchy of CAs.
Manager1 administers all servers in the M1 hierarchy, regardless of where they are
located.

Figure 2.7. An organizational-based hierarchy works well with
multiple administrators or divisions.

Functional

In very large companies, each function of the PKI is a "full-time job" for one server. In
this case, a hierarchical design based on the function of the servers to the end users
might be appropriate. Figure 2.8 illustrates a CA hierarchy that is based on function. The
secure email server, SE1, issues certificates to all servers that issue email certificates to
end users. Other servers would be used to issue certificates for other functions.

Figure 2.8. A functional hierarchical design works well in very
large organizations.

Designing Security for CA Servers


You might wonder why you shouldn't just have the top server in each of the hierarchies
issue the certificates. The reason is because the certificates that the servers issue each
other are related and make up a chain of authority and trust; therefore, if you have
multiple levels in your chain, you have greater security because an attacker has to work
his way up the chain before he can penetrate your security. In this way, the hierarchical
design itself provides a security mechanism.

You must ensure that an attacker cannot start at the top of the chain, which would give
him total control of the whole hierarchy. You can accomplish this in one of two ways:

• Removing the root CA
• Using a trusted third party

In the following sections, we discuss each of these methods of securing a certificate
hierarchy.

Removing the Root CA

If the whole hierarchy's chain of authority and trust flows straight to the top, so does the
chain of vulnerability that the attacker might try to exploit. If the attacker were able to
penetrate your root CA and become trusted, he would then be trusted by all of the
subordinates. For this reason, you should remove the root CA from your network as soon
as you have created the subordinate CAs that will issue certificates. You can disconnect
the root CA and remove the network interface card (NIC). In this case, you could issue
new certificates using a floppy disk between the removed root and the new subordinates.
Alternatively, you could leave the NIC in the server but only connect the server when you
need to create a new subordinate CA or renew a subordinate CA's certificate. Remember,
the root CA does not issue certificates to end users, only to subordinate CAs.

The root CA in a CA hierarchy does not issue certificates to end users.
It is only used to issue and maintain certificates for subordinate CAs.

Using a Trusted Third Party

You can allow a trusted third party, such as VeriSign, to issue the certificates for your
servers or even for your end users. In this way, you do not expose your own security
vulnerabilities to an attacker. The trusted third party is responsible for verifying your
identity and/or the identity of your users or other trusted parties and issuing the
appropriate certificates. In other words, our servers trust someone because someone
that we trust trusts them! Later in this chapter, we discuss using a trusted third party to
issue certificates in greater detail.

Designing Enrollment and Distribution Processes


The foundation of your PKI is built on certificates. To use the PKI, the users and
computers must request and receive certificates from a CA. The process of requesting
and receiving these certificates is referred to as enrollment. A user typically starts the
enrollment process by providing unique information and a newly generated public key.
The CA is then responsible for authenticating the identity of the user before issuing the
certificate. In other words, you need some way to know for certain that they are who
they say they are.

If you host your own internal CAs, you decide what is required for proof of identity. If
you decide to use a third party, you also use their rules. The exact process varies based
on the CA and its policies, but can be outlined in the following six steps as defined by
Microsoft:

1. Generate a key pair— Either the applicant generates his own public and private key
   pair, or he is assigned a key pair by some other authority in the organization.

2. Collect enrollment information— The CA requests the applicant to prove his
   identity. How he does this is defined by the policies of the CA and can include
   anything that the CA decides; for example, the CA might request his email
   address, birth certificate, tax ID number, Social Security number, fingerprints, or
   notarized documents, just to name a few.

3. Request the certificate— The applicant receives the CA's public key and generates
   a request containing his own public key and all of the required information. He
   secures this request by encrypting it with the CA's public key as instructed by the
   CA.

4. Verify the information— The CA reviews the information that the applicant has
   provided and decides whether it will issue the certificate based on its own policies
   and procedures.

5. Create the certificate— The CA creates a digital document that contains the
   applicant's public key. The CA signs the document with its own private key,
   thereby authenticating the binding of the applicant's public key to the applicant's
   name.

6. Send or post the certificate— The CA sends the new certificate to the applicant
   and/or posts the certificate in a directory.

As we discussed previously, there are two general types of CAs. The decision-making and
distribution processes of a CA are determined by its type. The two general types of CA
requests are as follows:

• Standalone CA requests
• Enterprise CA requests

In the following sections, we discuss each type of CA and the distribution process that it
uses.

Standalone CAs

A standalone CA does not require the presence of Active Directory because it does not
use Active Directory to make decisions in regard to issuing certificates. When a user
submits a request to a standalone CA, such as through a Web site, the request is
considered pending until the CA administrator reviews that request and either approves
or rejects the issuance of a certificate. After the CA administrator reviews the request
and makes a decision, the applicant is then notified as to the status of his certificate
request. Some organizations provide a Web site called the Certificate Services Web page
so the applicants can check the status of certificates.

Enterprise CAs

An enterprise CA relies on Active Directory to make decisions on whether to issue
certificates. The assumption is "If you are a user in my Active Directory, I know who you
are and you have already proven it." When a user who is logged on to a domain in your
Active Directory requests a certificate, the certificate is immediately approved, produced,
sent to the user, and published in Active Directory.

You might wonder why, if the user is already logged on to a domain in your Active
Directory, he needs a certificate. The reason is because different services authenticate a
user in different ways. You use certificates in addition to or instead of other methods of
authentication that we discuss later in this chapter. The point is "If I would authenticate
you in any way, I should be willing to authenticate you with a certificate as well." That's
the premise that enterprise CAs use to issue certificates.

Enterprise CAs issue certificates to users when the administrator uses the Certificate
Request Wizard, which you start from the Certificates console. This allows the choice of
many different certificate types, such as secure email and secure Web. Figure 2.9 shows
the Certificate Types screen in the Certificate Request Wizard.

Figure 2.9. You can launch the Certificate Request Wizard from the
Certificates console.

Alternatively, a user can request a certificate by connecting to the certificates Web site at
http://servername/certsrv, where servername is a server with Certificate Services
installed. Figure 2.10 shows a certificate request through the certsrv Web site.

Figure 2.10. You can request certificates from the certsrv Web
site.

Finally, you can use Group Policy to configure the CA so that computers can
automatically request and receive certificates without user intervention. This automatic
enrollment can be configured for use with all Windows 2000 and later clients and servers.

Figure 2.11 illustrates the configuration of autoenrollment of certificates in Windows
Server 2003 Group Policy.

Figure 2.11. You can use Group Policy on an enterprise CA to
autoenroll certificates for users and computers.

Establishing Renewal, Revocation, and Auditing Processes


Every certificate that is issued has a finite lifetime. This includes the certificates that CAs
issue to subordinate CAs. In fact, when a CA issues a certificate to a user or computer,
the lifetime of the certificate can be no longer than the lifetime of the CA's own
certificate. In other words, if your root CA has a certificate that was issued 1 year ago
and was good for 3 years, the longest period of time for which it can issue a certificate is
2 years. Therefore, a successful PKI relies on a balance created by issuing certificates for
a long enough period of time so that they don't have to be renewed too often but a short
enough period of time to protect the security of the network. The renewal process is very
much the same as the process of issuing a certificate. Information is updated to verify
that the user still qualifies to have the certificate.

You might decide to revoke a certificate before the certificate expires. This might be
necessary because of a change in your relationship with that entity or because you have
discovered new information about them. Revoking a certificate might also be required
because of a security-related event. Common reasons that Microsoft lists for revoking a
certificate include

• The security of the CA that issued the certificates is compromised.
• The recipient of the certificate leaves the organization.
• The private key of the certificate is compromised.
• The certificate was obtained fraudulently.
• The certificate was issued to an individual who is no longer a trusted partner.

When you decide to revoke a certificate, you must get the news out to all of the servers
as soon as possible. This is accomplished using the Certification Authority snap-in to
publish a CRL. Servers review the CRL before allowing the use of a certificate to make
certain that the certificate that is being presented to them is not on the CRL. If the CRL is
not available, certificates cannot be verified and all access is denied. How often you
publish the CRL depends on a balance between your resources of bandwidth and server
load and your need to have the most accurate CRL at all times. In other words, the more
often you publish the CRL, the more up-to-date it will be, but the more resources you will
use. One of the benefits of Windows Server 2003 PKI is that only the changes to the CRL
are replicated, not the entire CRL. This saves bandwidth, and improves accuracy because
the list can be replicated more often.

Each CA server can maintain its own audit trail. The audit trail can be viewed using the
Certification Authority snap-in. It records all of the certificate requests and the issued
certificates that are still active. You can query the audit trail for information about any
certificate request or any certificate that has been issued. It includes certificates that are
pending, failed, issued, and revoked. The audit trail may be required to meet the security
obligations of your organization's policies.
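The lifetime rule, the chain of trust, and the CRL check described above can be modelled in a few dozen lines. The following Python is an added example written for this section; it is not code from the book or from Windows Certificate Services. Certificates are plain records, the "signature" is represented only by the issuer's name, and each CA publishes a CRL as a set of revoked serial numbers. The names CA1, CA2 and alice, and the dates, are constructed to match Figure 2.5 and the text's "issued 1 year ago and good for 3 years" case.

```python
"""Worked model of CA lifetime limits, chain validation and CRL checking.

Constructed example for this chapter (not Windows Certificate Services code):
a certificate is a plain record, "signing" is represented by the issuer name,
and a CRL is the set of revoked serial numbers published by one CA.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # subject of the signing CA; equals subject for a root CA
    serial: int
    not_before: date
    not_after: date


class LifetimeError(ValueError):
    """The requested lifetime would outlive the issuing CA's own certificate."""


def _add_years(day: date, years: int) -> date:
    # The sample dates avoid 29 February, so a plain year replacement is enough here.
    return day.replace(year=day.year + years)


def lifetime_allowed(ca: Cert, today: date, years: int) -> bool:
    """True if a certificate issued today for `years` would not outlive the CA."""
    return _add_years(today, years) <= ca.not_after


def max_issuable_years(ca: Cert, today: date) -> int:
    """Whole years a CA can still grant: a 3-year root issued 1 year ago gives 2."""
    years = 0
    while lifetime_allowed(ca, today, years + 1):
        years += 1
    return years


def issue(ca: Cert, subject: str, serial: int, today: date, years: int) -> Cert:
    """Issue a certificate from ca, refusing any lifetime beyond the CA's own."""
    if not lifetime_allowed(ca, today, years):
        raise LifetimeError(f"{ca.subject} expires {ca.not_after}; {years} years is too long")
    return Cert(subject, ca.subject, serial, today, _add_years(today, years))


def validate_chain(leaf: Cert, store: Dict[str, Cert], trusted_roots: Set[str],
                   crls: Dict[str, Optional[Set[int]]], today: date) -> List[str]:
    """Walk from the leaf up to a root. Returns [] when valid, else the denial reasons.

    crls maps a CA subject to its revoked serials, or to None when that CA's CRL
    could not be retrieved; a missing CRL denies access, as the chapter states.
    """
    reasons: List[str] = []
    cert = leaf
    for _ in range(len(store) + 2):            # bounded walk, guards against cycles
        if not cert.not_before <= today <= cert.not_after:
            reasons.append(f"{cert.subject}: outside validity period")
        if cert.issuer == cert.subject:         # self-signed: this is the root
            if cert.subject not in trusted_roots:
                reasons.append(f"{cert.subject}: root CA is not trusted")
            return reasons
        crl = crls.get(cert.issuer)
        if crl is None:
            reasons.append(f"{cert.subject}: CRL of {cert.issuer} unavailable, access denied")
        elif cert.serial in crl:
            reasons.append(f"{cert.subject}: serial {cert.serial} is revoked")
        issuer = store.get(cert.issuer)
        if issuer is None:
            reasons.append(f"{cert.subject}: issuer {cert.issuer} not in store")
            return reasons
        if cert.not_after > issuer.not_after:
            reasons.append(f"{cert.subject}: outlives its issuer {issuer.subject}")
        cert = issuer
    reasons.append("chain too long or cyclic")
    return reasons


# Constructed hierarchy matching Figure 2.5: CA1 (root) -> CA2 -> user, with the
# root issued one year before TODAY and valid for three years.
TODAY = date(2004, 5, 1)
CA1 = Cert("CA1", "CA1", 1, date(2003, 5, 1), date(2006, 5, 1))
CA2 = issue(CA1, "CA2", 2, TODAY, max_issuable_years(CA1, TODAY))   # capped at 2 years
USER = issue(CA2, "alice", 3, TODAY, 1)
STORE = {c.subject: c for c in (CA1, CA2, USER)}


def check_user(crls: Dict[str, Optional[Set[int]]], today: date = TODAY) -> List[str]:
    """Validate the constructed user certificate against the given CRLs."""
    return validate_chain(USER, STORE, {"CA1"}, crls, today)


if __name__ == "__main__":
    print("fresh CRLs:", check_user({"CA1": set(), "CA2": set()}))
    print("user revoked:", check_user({"CA1": set(), "CA2": {3}}))
    print("CRL missing:", check_user({"CA1": set(), "CA2": None}))
    print("root can still issue for", max_issuable_years(CA1, TODAY), "years")
```

The fail-closed branch is the one to notice: a CA whose CRL cannot be fetched denies every certificate beneath it, which is why the text's trade-off between publication frequency and resource use matters in practice.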

Designing a Logical Authentication Strategy


The main purpose for your network is to share data, information, and resources. If this
were not the case, you could simply unplug all of the NICs and everyone would be a lot
safer! You formed the network to share the resources, but now you also have to address
the security risks. A main component of addressing security risks on your network is
ensuring that only those to whom you give permission are permitted to use your
network. This is accomplished by requiring authentication to use your network. The
process of designing a logical authentication strategy should include the following:

• Establishing account and password requirements for security
• Designing forest and domain trust models
• Designing security that meets interoperability requirements

In the following sections, we discuss each of the components of your logical
authentication strategy and its effect on the overall security of your network.

Establishing Account and Password Requirements for Security


At the base of the security of your whole network are the passwords that users and
administrators are required to use. If an attacker can determine a user's password, he
can spoof the network by appearing to belong in it. If he can obtain an administrator's
password, he can control the network and its resources. You should establish strong
account policies to ensure that passwords are protected.

The details of account policy settings are the decision of each domain administrator.
Some domains may require more stringent security than others. The account policies
that you set at the domain level apply to all of the users and computers in your domain.
The three main groups of account policies are as follows:

• Password policy
• Account lockout policy
• Kerberos V5 policy

Account policies set at the domain level apply to all users and
computers in the domain, regardless of organizational unit (OU)
settings. This is an exception to the normal processing of Group Policy
objects (GPOs).

Account policies that are set at an OU apply to a computer in the OU
when a person logs on locally to the computer.

We now briefly discuss each of the components of account policies.

Password Policy

Your password policy determines the strength of your passwords. You can require a
defined level of complexity, a minimum password length, and a maximum password
lifetime, among other settings. The stronger your passwords are, the stronger the
security of your domain is.

Account Lockout Policy

If someone knows your username and if your password is something that can be
guessed, a person could keep guessing your password until he gets it right, unless
something locks him out after a certain number of tries. You can set the number of
guesses as well as the amount of time that a person is locked out before he can try
again. Keep in mind that if someone tries to guess your password and gets locked out,
you are then locked out too!
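The password policy and account lockout policy just described are easier to reason about as code. The Python below is an added example for both sections, not code from the book or from Windows. The complexity test is a simplified version of the Windows rule (characters from three of four classes and no username inside the password); the lockout logic implements the three settings the text names: a guess threshold, a lockout duration, and a window after which the bad-guess counter resets. The account "alice", its password, and the timestamps are constructed; the final timeline shows the caveat above, where the legitimate user is locked out by someone else's guesses.

```python
"""Password policy and account lockout modelled in plain Python.

Constructed example (not the Windows logon code): the complexity test is a
simplification of the Windows rule, and the lockout logic follows the three
settings the chapter names: threshold, lockout duration and counter reset.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    require_complexity: bool = True


def check_password(policy: PasswordPolicy, username: str, password: str) -> List[str]:
    """Return the policy rules the password breaks; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity:
        classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
        if sum(classes) < 3:
            problems.append("needs characters from at least 3 of 4 classes")
        if username and username.lower() in password.lower():
            problems.append("contains the username")
    return problems


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5                              # bad guesses before lockout; 0 disables
    duration: timedelta = timedelta(minutes=30)     # how long the account stays locked
    reset_after: timedelta = timedelta(minutes=30)  # quiet time that clears the bad count


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class Authenticator:
    """Tracks failed logons per account and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy, passwords: Dict[str, str]) -> None:
        self.policy = policy
        self.passwords = passwords      # constructed sample accounts, plaintext for the demo
        self.state: Dict[str, AccountState] = {}

    def logon(self, username: str, password: str, now: datetime) -> str:
        """Return "ok", "bad password", "locked" or "unknown user"."""
        if username not in self.passwords:
            return "unknown user"
        st = self.state.setdefault(username, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"         # the legitimate user is locked out as well
            st.locked_until, st.bad_count = None, 0
        if st.last_bad is not None and now - st.last_bad >= self.policy.reset_after:
            st.bad_count = 0            # reset window elapsed, start counting afresh
        if password == self.passwords[username]:
            st.bad_count = 0
            return "ok"
        st.bad_count += 1
        st.last_bad = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
            return "locked"
        return "bad password"


def guessing_timeline() -> List[str]:
    """Five wrong guesses against alice, then alice's own correct logons."""
    auth = Authenticator(LockoutPolicy(), {"alice": "Corr3ct-Horse"})  # constructed account
    t0 = datetime(2004, 5, 1, 9, 0)
    results = [auth.logon("alice", f"guess{i}", t0 + timedelta(minutes=i)) for i in range(5)]
    results.append(auth.logon("alice", "Corr3ct-Horse", t0 + timedelta(minutes=6)))
    results.append(auth.logon("alice", "Corr3ct-Horse", t0 + timedelta(minutes=40)))
    return results


if __name__ == "__main__":
    print(check_password(PasswordPolicy(), "alice", "alice123!"))
    print(guessing_timeline())
```

In the timeline, the fifth wrong guess at 9:04 locks the account for 30 minutes, so the correct password at 9:06 is refused and only the attempt at 9:40 succeeds. Raising the threshold or shortening the duration trades that denial-of-service exposure against the number of guesses an attacker gets.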

Kerberos V5 Policy

As mentioned previously, Kerberos is the default authentication protocol in a Windows
Server 2003 network. Kerberos works by issuing ticket-granting tickets (TGTs), which
allow a user or computer to gradually gain access to resources in other domains. You can
set the lifetime of these tickets, although Microsoft highly recommends that you leave
the default settings in place.

We discuss password policy, account lockout policy, and Kerberos in much greater detail
in Chapter 7, "Creating the Physical Design for Client Infrastructure Security."

Designing Forest and Domain Trust Models
The authentication process begins when your user logs on to your domain with her
username and password. The logon process provides her with access to the resources in
your domain, to which she has permissions. It also allows you to audit her access to
resources.

The authentication process then continues when she receives access to resources in
other domains. The logical connections to the other domains are called trusts. If a
domain trusts her domain, she can use the resources in that domain, provided that she
has permissions. Some trusts are created automatically, whereas others can be created
by you. In Windows Server 2003, there are basically four kinds of trusts:

• Implicit trusts
• Shortcut trusts
• External trusts
• Forest trusts

We now briefly discuss each type of trust and its effect on your logical authentication
strategy.

Implicit Trusts

Implicit trusts are two-way, transitive trusts that are built in to Windows Server 2003
Active Directory. Figure 2.12 illustrates the concept of two-way, transitive trusts. Each
arrowhead indicates a domain that is trusted. Two-way means that if A trusts B, then B
trusts A. Transitive means that if A trusts B and A trusts C, then B trusts C through A.
Finally, two-way transitive means that C also trusts B through A.

Figure 2.12. Windows Server 2003 has built-in, two-way,
transitive trusts.

In Figure 2.12, note that B does not trust C directly, nor does C trust B
directly; but only through A.

You should understand the concepts of one-way versus two-way and
transitive versus nontransitive in relation to all types of trusts.

Implicit trusts exist automatically between each tree in an Active Directory forest and
between each child domain and its parent domain. These trusts cannot be deleted. They
are required to connect domains of the forest and allow Active Directory to function.
Figure 2.13 illustrates the location of implicit trusts.

Figure 2.13. Implicit trusts exist automatically between each tree
in an Active Directory forest and between each child domain and
its parent domain.

We use a lettering system to name domains in our study of trusts. We
are using this system for simplification purposes only. Actual Windows
Server 2003 domains are named in a hierarchical fashion. For
example, training.microsoft.com is a child domain to
microsoft.com.

Shortcut Trusts

If a forest has a "deep" design, the authentication path might be very long for a client. In
this case, you can create a shortcut trust. A shortcut trust is a one-way, transitive trust
that provides a shorter path for clients to a resource in the forest. Figure 2.14 illustrates
a shortcut trust.

Figure 2.14. A shortcut trust provides a shorter trust path for
clients.

External Trusts

External trusts are one-way and nontransitive. You should use these trusts to connect
domains in two separate forests or to connect your forest to a Windows NT domain.
Figure 2.15 illustrates an external trust between a Windows NT domain and a domain in
a Windows Server 2003 forest. Only Domain X in the Windows Server 2003 forest named
Forest 2 trusts the Windows NT domain named NT. In addition, the NT domain does not
trust Domain X. Also, only Domain Y in the forest named Forest 2 trusts Domain C in
Forest 1.

Figure 2.15. External trusts to connect domains in two separate
forests or to connect your forest to a Windows NT domain.

Forest Trusts

Forest trusts are new to Windows Server 2003. In fact, your forest must be in Windows
Server 2003 mode to use forest trusts. These trusts provide two-way, transitive trust
relationships from all of the domains in one forest to all of the domains in another forest.

The forest trusts themselves are not transitive between forests. For example, just
because Forest A trusts Forest B and Forest B trusts Forest C, this does not mean that
Forest A can trust Forest C through Forest B. However, you could set up a forest trust
between A and B as well as a forest trust between B and C. We discuss forest trusts in
greater detail in Chapter 7.

Forests must be in Windows Server 2003 mode to establish a forest
trust between them.
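The direction and transitivity rules for the four trust types can be checked with a small path resolver. The Python below is an added example for this section; it is not code from the book or from Active Directory. It records each trust with the properties the text gives it (implicit: two-way, transitive; shortcut: one-way, transitive; external: one-way, nontransitive; forest: two-way, transitive between exactly two forests) and answers whether a user in one domain can reach a resource in another. The single-letter domains follow the chapter's figures; the two sample layouts, one modelled on Figure 2.15 and one with three forests chained by forest trusts, are constructed for the example.

```python
"""Trust-path resolver for the four trust types in this chapter.

Constructed example (not Active Directory code): domains are single letters as
in the chapter's figures. A user in one domain can use a resource in another
only if a trust path leads from the resource's domain to the user's domain.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (two-way, transitive) as the chapter describes each trust type
TRUST_PROPERTIES: Dict[str, Tuple[bool, bool]] = {
    "implicit": (True, True),    # parent/child and tree-root trusts inside a forest
    "shortcut": (False, True),   # one-way, transitive, shortens a deep path
    "external": (False, False),  # one-way, nontransitive, to another forest or NT domain
    "forest":   (True, True),    # two-way, transitive between two forests only
}


@dataclass(frozen=True)
class Trust:
    trusting: str   # the domain holding the resources
    trusted: str    # the domain whose users it accepts
    kind: str


class TrustModel:
    def __init__(self) -> None:
        self.outgoing: Dict[str, List[Trust]] = {}

    def add(self, trusting: str, trusted: str, kind: str) -> None:
        two_way, _ = TRUST_PROPERTIES[kind]
        self._edge(Trust(trusting, trusted, kind))
        if two_way:
            self._edge(Trust(trusted, trusting, kind))

    def _edge(self, t: Trust) -> None:
        self.outgoing.setdefault(t.trusting, []).append(t)

    def add_forest(self, root: str, children: List[str]) -> None:
        """Implicit two-way transitive trusts between a root and its child domains."""
        for child in children:
            self.add(root, child, "implicit")

    def trust_path(self, resource_domain: str, user_domain: str) -> Optional[List[str]]:
        """Domains from the resource's domain to the user's domain, or None if untrusted."""
        if resource_domain == user_domain:
            return [resource_domain]
        # A direct trust of any kind works, nontransitive external trusts included.
        for t in self.outgoing.get(resource_domain, []):
            if t.trusted == user_domain:
                return [resource_domain, user_domain]
        # Longer paths may only use transitive trusts and at most one forest trust,
        # because forest trusts are not transitive between forests.
        queue = deque([(resource_domain, [resource_domain], 0)])
        seen = {(resource_domain, 0)}
        while queue:
            domain, path, forest_hops = queue.popleft()
            for t in self.outgoing.get(domain, []):
                _, transitive = TRUST_PROPERTIES[t.kind]
                hops = forest_hops + (1 if t.kind == "forest" else 0)
                if not transitive or hops > 1:
                    continue
                if t.trusted == user_domain:
                    return path + [user_domain]
                if (t.trusted, hops) not in seen:
                    seen.add((t.trusted, hops))
                    queue.append((t.trusted, path + [t.trusted], hops))
        return None


def figure_2_15_model() -> TrustModel:
    """Forest 1: A with children B and C. Forest 2: X with child Y. NT domain NT.
    X trusts NT and Y trusts C through one-way external trusts."""
    m = TrustModel()
    m.add_forest("A", ["B", "C"])
    m.add_forest("X", ["Y"])
    m.add("X", "NT", "external")
    m.add("Y", "C", "external")
    return m


def three_forest_model() -> TrustModel:
    """Forest roots A, X and Z with forest trusts A-X and X-Z; B is a child of A, W of Z."""
    m = TrustModel()
    m.add_forest("A", ["B"])
    m.add_forest("Z", ["W"])
    m.add("A", "X", "forest")
    m.add("X", "Z", "forest")
    return m


if __name__ == "__main__":
    m = figure_2_15_model()
    for res, usr in [("B", "C"), ("X", "NT"), ("NT", "X"), ("Y", "C"), ("X", "C")]:
        print(f"user in {usr} -> resource in {res}: {m.trust_path(res, usr)}")
    f = three_forest_model()
    for res, usr in [("B", "X"), ("W", "B")]:
        print(f"user in {usr} -> resource in {res}: {f.trust_path(res, usr)}")
```

Two results are worth checking by hand: in the Figure 2.15 layout X trusts Y and Y trusts C, yet a user in C cannot reach X, because the external trust is nontransitive; in the three-forest layout a user in B reaches X through the A-X forest trust, but W in the third forest cannot reach B, because the path would need two forest trusts.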

Designing Security That Meets Interoperability Requirements


Many of today's networks, especially large enterprise organizations, consist of servers
and computers that use different operating systems. It's important that these operating
systems can work with each other without creating security vulnerabilities. Windows
Server 2003 is designed to interoperate with many types of network clients. These
include the following:

• Unix
• Novell NetWare
• Apple Macintosh

We now discuss the features that Windows Server 2003 provides to allow the secure
interoperation with each of these clients.

Interoperating with Unix

Microsoft Services for Unix is built in to Windows Server 2003. It provides tools to
enhance the secure interoperability between Unix clients and a Microsoft network. Unix
clients use a file system called the Network File System (NFS). Services for Unix provides NFS
software and allow Unix clients to connect to file services on a Windows Server 2003
server. It also provides an NFS gateway that allows Windows Server 2003 computers to
access Unix NFS resources. In addition, it provides services such as Telnet and
ActivePerl. Telnet can be used for remote management of Unix servers, and ActivePerl
can be used to develop scripts that automate administrative tasks. Finally, Services for
Unix provides tools to simplify account management and security in a mixed network. In
Chapter 7, we discuss the authentication methods that Unix clients can use in a Windows
Server 2003 network.

Interoperating with Novell NetWare

To provide interoperability with a Novell NetWare network, Windows Server 2003
includes two services. These are Client Services for NetWare (CSNW) and Gateway (and
Client) Services for NetWare (GSNW). You should be familiar with each of these services.

Client Services for NetWare can be installed on all Windows clients. It allows them to
connect directly to the NetWare server and use resources for which they are assigned
permissions. Installing CSNW also installs NWLink, the Microsoft protocol that emulates
the Novell IPX/SPX protocol. This protocol is essential for CSNW to operate. The software
for CSNW can be found on all Windows clients later than Windows NT Workstation 4.0.

Gateway (and Client) Services for NetWare can be installed on Windows servers later
than Windows NT Server 4.0. It creates a bridge (or gateway) between the Windows
server and the NetWare server. Windows clients with NWLink installed on them can
connect to the Windows server and use the gateway to connect to the NetWare server.
Clients that use the GSNW service do not require CSNW. In other words, it's one or the
other.

Windows Server 2003 also includes Services for NetWare, which provides several utilities
to integrate NetWare networks and Windows networks. These include the following:

• Microsoft Directory Synchronization Services (MSDSS)— Provides two-way
synchronization of directory information stored in Microsoft Active Directory and
Novell NetWare Directory Services.
• Microsoft File Migration Utility— Enables migration of files from NetWare file
and print servers to Windows.
• File and Print Services for NetWare (FPNW)— Enables a Windows computer
to provide file and print services to computers that have the NetWare client
installed. These clients can access volumes, files, and printers as though they
were a Windows client.

Interoperating with Macintosh Clients

You can use AppleTalk network integration services built in to Windows Server 2003 to
create volumes that are accessible to Macintosh clients as well as to Windows clients. The
three components of AppleTalk network integration are as follows:

• File Services for Macintosh— Enables Macintosh clients and Windows clients to
share files on a computer running Windows.
• Print Services for Macintosh— Enables Macintosh clients to send and spool
documents to computers that are running Windows.
• AppleTalk Protocol— Enables internetwork routing, transaction and data stream
service, naming service, and comprehensive file and print sharing on Macintosh
clients. AppleTalk is a proprietary transport protocol developed by Apple. Windows
servers can support both TCP/IP and AppleTalk simultaneously. Most Macintosh
clients use TCP/IP in addition to or in place of the AppleTalk protocol.

Exam Prep Questions
Case 1: HSBC Inc.
HSBC Inc. is a large company that distributes food and paper products to governmental
offices. For security reasons, some of these offices are secret. Therefore, all
communication between HSBC employees must be kept secure. HSBC currently has a
Windows Server 2003 network. They are considering using PKI to enhance security. You
have been hired to consult with HSBC about their security needs.

Q1 Which authentication protocol is used by default on HSBC's network?

• A. PKI
• B. Kerberos
• C. CHAP
• D. Active Directory

A1: Answer B is correct. Kerberos is the built-in authentication protocol in Windows
Server 2003. PKI stands for Public Key Infrastructure and is not an
authentication protocol; therefore, answer A is incorrect. CHAP is an
authentication protocol that can be used for remote access and is not used by
default; therefore, answer C is incorrect. Active Directory is the directory
services system used by Windows Server 2003; therefore, answer D is incorrect.

Q2 Which of these might be reasons that HSBC should consider using a PKI?
(Choose two.)

• A. Secure authentication on their own network
• B. Secure email
• C. Secure access to Web sites
• D. Secure logon

A2: Answers B and C are correct. Secure email and secure access to Web sites are
valid reasons to use a PKI. Secure authentication on the network is provided by
Kerberos; therefore, answer A is incorrect. Secure logon is provided by Active
Directory and the Local Security Accounts (LSA) manager; therefore, answer D is
incorrect.

Q3 Which type of key is only used to encrypt messages and to verify digital
signatures?

• A. Private key
• B. Symmetric key
• C. Public key
• D. EFS

A3: Answer C is correct. The user's public key is used to encrypt messages so that
only the user's private key can decrypt them. A private key is used to decrypt
messages that were encrypted with a public key; therefore, answer A is
incorrect. A symmetric key can be used to encrypt and decrypt the same
message; therefore, answer B is incorrect. EFS is a service that is used to
encrypt data on a hard drive; therefore, answer D is incorrect.

Q4 Which of the following might be reasons to revoke a user's certificate? (Choose
two.)

• A. The certificate was obtained fraudulently.
• B. The private key has been compromised.
• C. The certificate has expired.
• D. Overuse of keys is affecting the PKI.

A4: Answers A and B are correct. A security event or revelation of new information
are possible reasons to revoke a user's certificate. Allowing a certificate to expire
is not the same as revoking it; therefore, answer C is incorrect. Certificates
cannot be overused; therefore, answer D is incorrect.

Q5 Which tool should be used to revoke certificates, if necessary?

• A. Certificates snap-in
• B. Active Directory Users and Computers
• C. Certificate Services snap-in
• D. Internet Explorer

A5: Answer C is correct. The Certificate Services snap-in can be used to revoke
certificates. The Certificates snap-in is used to manage and audit certificates but
not to revoke them; therefore, answer A is incorrect. Active Directory Users and
Computers is used to manage the logical elements of Active Directory; therefore,
answer B is incorrect. Internet Explorer can be used to issue certificates but not
to revoke them; therefore, answer D is incorrect.

Q6 Which of the following are the two general types of certification authorities?
(Choose two.)

• A. Enterprise
• B. Subordinate
• C. Standalone
• D. VeriSign

A6: Answers A and C are correct. The two general types of CAs are enterprise and
standalone. Subordinate is a role that a CA can play in either type; therefore,
answer B is incorrect. VeriSign is an organization that provides third-party CAs;
therefore, answer D is incorrect.

Q7 Which type of CA requires Active Directory?

• A. Standalone root
• B. Standalone subordinate
• C. Enterprise root
• D. All root servers

A7: Answer C is correct. Only enterprise CAs require Active Directory. Neither a
standalone root server nor a standalone subordinate server requires Active
Directory; therefore, answers A, B, and D are incorrect.

Q8 Which of these domain-level policies automatically override any policy settings at
the OU level? (Choose two.)

• A. Password policy
• B. Account lockout policy
• C. Antivirus
• D. IPSec

A8: Answers A and B are correct. The account policies of password policy, account
lockout policy, and Kerberos V5 that are set at the domain level are used
regardless of any settings at the OU. Antivirus policies do not override policy
settings at the OU level unless the administrator specifically configures it;
therefore, answer C is incorrect. IPSec policy can be configured for each OU;
therefore, answer D is incorrect.

Q9 Which type of one-way, nontransitive trust should you use between your forest
and a Windows NT domain?

• A. Shortcut
• B. Implicit
• C. Forest
• D. External

A9: Answer D is correct. External trusts are one-way, nontransitive trusts that are
used between two domains in two different Active Directory forests or between
an Active Directory forest and a Windows NT domain. Shortcut trusts are one-way,
transitive trusts that are used to shorten trust paths in Active Directory
forests; therefore, answer A is incorrect. Implicit trusts are two-way, transitive
trusts that are installed by default; therefore, answer B is incorrect. Forest trusts
are two-way, nontransitive trusts between two Windows 2003 forests in Windows
2003 mode that set up two-way, transitive trusts between every domain in each
Windows Server 2003 forest; therefore, answer C is incorrect.

Q10 Which of the following might be used by your Microsoft Windows XP clients to
gain access to resources on a connected Novell NetWare server? (Choose two.)

• A. File and Print Services for NetWare
• B. Gateway (and Client) Services for NetWare
• C. IPX/SPX protocol
• D. Client Services for NetWare

A10: Answers B and D are correct. Clients can use Client Services for NetWare
(installed on the client) or Gateway (and Client) Services for NetWare (installed
on the server) to gain access to resources on a Novell NetWare server. File and
Print Services for NetWare is used by NetWare clients to gain access to resources
on a Microsoft server; therefore, answer A is incorrect. The IPX/SPX protocol is
proprietary to Novell, and Windows XP clients use the NWLink protocol instead;
therefore, answer C is incorrect.

Chapter 3. Designing Strategies for Security Management
Terms you'll need to understand:

• Remote desktop administration
• Telnet
• Emergency Management Services
• Software Update Services (SUS)
• Systems Management Server (SMS)
• Disaster recovery plan (DRP)

Techniques you'll need to master:

• Designing security for network management
• Designing a security update infrastructure

Your network has enough enemies, including viruses, well-intentioned users, and not so
well-intentioned attackers. You must ensure that you don't become your own worst
enemy! You need to understand the risks associated with managing your network and
mitigate those risks with whatever tools you have available. In addition, you need to
keep your network up to date with the latest security patches. This process needs to be
as automatic as possible in your situation.

In this chapter, we discuss the tools that you can use to manage the risk of managing
the network. These include simple tools such as the Run as command as well as more
complex tools used to monitor and manage servers and services. We also discuss the
new tools in Windows Server 2003 that aid you in assessing the current patch level of
computers in your network and in keeping computers up to date with security patches
from the Microsoft Web site.

Designing Security for Network Management
You need to understand the power of the Administrator account as well as other accounts
that provide rights on the network. In the right hands, these are tools you use to manage
a network. In the wrong hands, they are weapons that attackers can use against you. As
you manage your network, take care that these accounts do not fall into the wrong
hands. In addition, you need to understand the tools and services available to enhance
and monitor the security of your network. Designing security for network management
includes the following components:

• Managing the risk of managing networks
• Designing the administration of servers
• Designing security for Emergency Management Services

Managing the Risk of Managing Networks

Windows Server 2003 controls access to Active Directory and the ability to manage it
using security groups. Some groups are designed to give a person rights to manage an
aspect of the network, solely because they are associated with that group. These groups
include Administrators, Server Operators, Account Operators, Backup Operators, and
many others. Administrators who are members of these groups must understand the
power that the group membership gives them and use it wisely.

We now discuss the tools that Windows Server 2003 provides to assist an administrator
in the safe management of the network. These tools include the following:

• The Run as command
• Restricted groups
• Security auditing

The Run as Command

Even if you are an administrator, you need to log on every morning with the same type
of user account that everyone else uses. You don't need an administrative account to
check your email and browse the Web. You should only use an administrative account if
you are doing something on the network that requires the use of an administrative
account. This practice protects the network because the less you use an administrative
logon, the less chance there is for a Trojan horse virus or some type of worm to pick it
up and send it to an attacker. Also, if you walk away from a computer that you are
logged on to with an administrative account, another person could use the computer and
"play Administrator" for a while!

Although your users should only have one account, you and your other administrators
need to have at least two accounts. You should use a normal user account until it is
necessary to use the administrative account and, at that time, you can use the Run as
command to perform a secondary logon.

You can use the Run as command either through the GUI or at the command line. To use
the Run as command with a GUI tool, simply right-click the tool, click Run as, and then
log on with the account that you want to use to run that tool. You might need to hold
down the Shift key while you right-click, depending on the tool that you choose. Figure
3.1 shows the Run as command on the Start menu. Figure 3.2 shows the secondary
logon screen for the Run as command. When the tool is closed, the system reverts back
to the primary logon account.

Figure 3.1. You can right-click the tool to use the Run as
command.

Figure 3.2. The Run as command provides a secondary logon for
that tool only.

To use the Run as command from a command prompt, type the following syntax:

Runas /user:domain\account name "mmc %windir%\system32\tool.msc"

where domain is the name of your domain, account name is the name of the account
with which you want to run the tool, and tool is the name of the tool that you want to
run.

For example, Runas /user:bfe.vtc.com\administrator "mmc %windir%\system32\dsa.msc"
runs Active Directory Users and Computers in the bfe.vtc.com domain under the
account named Administrator. Note the space between mmc and the path to the
.msc file, and the quotation marks around the whole program string.

After you enter this syntax correctly, you are then asked the password of the account
with which you want to run the program. Figure 3.3 shows the command line with the
entered command and the system's response. After you enter the correct password, the
system opens the tool. When the tool is closed, the system reverts back to your primary
logon account.

Figure 3.3. You can use the Run as command from a command-line
interface.

You can check the %windir%\system32 folder on your servers for files
with .msc extensions. All files with .msc extensions can be used with
the Run as menu option. You can even create shortcuts on the
desktop or in your administrative tools using the same command.

We are only using the default name "Administrator" for the
administrative account for this training example. You should always
change the default names of administrative accounts.

Restricted Groups

Membership in a security group can give someone permissions and rights that she would
not have if she was not in that security group, especially if that group is a member of
another group that has more rights. This is the way the system is supposed to work. But,
what if someone is a member of a group that gives her administrative access and you are
not aware that she is a member? In this case, your own system is working against you.

You might be thinking, "But I can just check all of the groups and make certain that I
know who the members are." Well, that's true, but there might be more groups to keep
track of than you think. You have to consider that every workstation and member server
has its own local groups as well! Wouldn't it be nice to just lock those groups down with
some type of template? Well, now you can!

Restricted Groups is a computer security policy that should be used primarily with
workstations and member servers. In other words, it is rarely used on domain
controllers. It allows you to define who can be a member in a particular security group on
a computer and what other groups that group can be a member of as well. After you
define who can be a member of that group, anybody else who currently is a member is
removed from membership as soon as the security policy is refreshed. This way, it's
impossible for you to miss anybody. You can also copy the template that you create and
use it on subsequent workstations and member servers.

You can create the template and apply the settings for Restricted Groups on a member
server running Windows 2000 Server or Windows Server 2003 in two ways. You can
either create the template in the local security settings for each of the computers that
you choose or you can create a Group Policy and roll it out to all of the computers in an
organizational unit (OU) or hierarchy of OUs. For Windows 2000 Professional and
Windows XP Professional clients, you can use Group Policy to enforce Restricted Groups.

As we mentioned previously, you should refrain from using Restricted Groups at the
domain level; however, it is possible to use this tool to provide a "reality check" if you
suspect that someone has obtained fraudulent access to administrative rights through
membership in a security group.

To configure Restricted Groups on one member server, perform the following steps:

1. Open the Local Security Policy through Administrative Tools.

2. Expand the Security Settings option.

3. Right-click Restricted Groups.

4. Click Add Group.

5. Type the name of the group that you need to manage.

6. Add the members that you want to be in the group and the groups of which that
group can be a member.

7. Click OK or Apply.

When you click OK or Apply, only the members that you have designated are still
members of the groups for which you have set Restricted Groups. Any other members
are removed from group membership. This takes effect the next time they log on to the
server locally.

To configure Restricted Groups with Group Policy, perform the following steps:

1. Open the Group Policy Management Console and Group Policy Object Editor tools
to create and configure a new Group Policy or edit an existing one.

2. Expand Computer Configuration.

3. Right-click Restricted Groups.

4. Click Add Group.

5. Type the name of the group that you need to manage.

6. Add the members that you want to be in the group and the groups of which that
group can be a member.

7. Click OK or Apply.

When the Group Policy is linked to a container, the Restricted Groups settings become
effective for all computers in that container. You can force the policy to apply as soon as
you link it, using the gpupdate command, or you can simply wait until the policy is
refreshed automatically by the system.

When a Group Policy is linked to a container, you must ensure that no
other policies that could change the results of the Group Policy are
linked to the same container. Remember, the last one to "flip those
switches" wins!
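
Because a Restricted Groups refresh removes every account you did not list, it is worth knowing who would be removed before you link the policy. The following pre-flight check is an added example, not code from the book: it simulates one refresh on one member server under the documented enforcement rules (Members is an exact list; Member Of only adds, never removes) and renders the matching [Group Membership] section of a security template. All group and account names in it are constructed.

```python
"""Pre-flight check for a Restricted Groups policy (added example).

Models how Windows applies a Restricted Groups entry on policy refresh:
  * "Members"   is an exact list: accounts not listed are removed, accounts
                listed but absent are added.
  * "Member Of" is additive only: the restricted group is added to the
                parent groups listed, but is not removed from any other group.
Running the plan before the policy is linked shows exactly who would lose
membership, which is the surprise you want to catch in advance.
All group and account names below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RestrictedGroup:
    """One entry as it would appear under Restricted Groups."""
    name: str                       # group being restricted, e.g. "Administrators"
    members: frozenset              # exact membership to enforce
    member_of: frozenset = field(default_factory=frozenset)  # parents to ensure


@dataclass(frozen=True)
class Drift:
    """What one policy refresh would change for one restricted group."""
    group: str
    removed: frozenset        # accounts that will lose membership
    added: frozenset          # accounts that will be added
    parents_added: frozenset  # parent groups the restricted group will join


def plan_refresh(policy, current_members, current_parents):
    """Simulate a refresh of `policy` on a computer whose local groups look like
    current_members ({group: set(accounts)}) and current_parents
    ({group: set(groups it belongs to)}). The inputs are not modified.
    Returns (new_members, new_parents, [Drift per restricted group])."""
    new_members = {g: set(m) for g, m in current_members.items()}
    new_parents = {g: set(p) for g, p in current_parents.items()}
    report = []
    for rg in policy:
        have = new_members.get(rg.name, set())
        removed = frozenset(have - rg.members)   # not in the template -> removed
        added = frozenset(rg.members - have)     # in the template, missing -> added
        new_members[rg.name] = set(rg.members)   # exact membership wins
        parents = new_parents.setdefault(rg.name, set())
        parents_added = frozenset(rg.member_of - parents)
        parents.update(rg.member_of)             # additive: nothing is dropped
        report.append(Drift(rg.name, removed, added, parents_added))
    return new_members, new_parents, report


def render_group_membership(policy):
    """Render the [Group Membership] section of a security template (.inf),
    the form in which Restricted Groups settings are stored and applied.
    Group names are used here for readability; templates exported from a
    real system use the *S-1-5-... SID form for the same keys."""
    lines = ["[Group Membership]"]
    for rg in policy:
        lines.append(f"{rg.name}__Members = {','.join(sorted(rg.members))}")
        lines.append(f"{rg.name}__Memberof = {','.join(sorted(rg.member_of))}")
    return "\n".join(lines)


# Constructed policy for a member server: lock down local Administrators and
# make sure the help-desk group can use Remote Desktop.  Members is left empty
# for the domain group because this computer cannot change its membership;
# for a local group an empty Members list means "remove everyone".
POLICY = [
    RestrictedGroup("Administrators",
                    frozenset({"Administrator", "CORP\\Domain Admins",
                               "CORP\\ServerAdmins"})),
    RestrictedGroup("CORP\\HelpDesk", frozenset(),
                    frozenset({"Remote Desktop Users"})),
]
# Constructed snapshot of one member server before the policy is linked.
CURRENT_MEMBERS = {
    "Administrators": {"Administrator", "CORP\\Domain Admins", "CORP\\jdoe"},
}
CURRENT_PARENTS = {"CORP\\HelpDesk": {"Power Users"}}

if __name__ == "__main__":
    _, _, drift = plan_refresh(POLICY, CURRENT_MEMBERS, CURRENT_PARENTS)
    for d in drift:
        print(f"{d.group}: remove {sorted(d.removed)}, add {sorted(d.added)}, "
              f"join {sorted(d.parents_added)}")
    print(render_group_membership(POLICY))
```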

Security Auditing

A wise person once said "You don't get what you expect, you get what you inspect." You
need to have a system in place that aids you in monitoring the security of your network.
This includes an audit policy that determines what is to be audited and a person or
persons responsible for regularly checking the security log to look for anything that
doesn't seem to fit.

Windows Server 2003 provides the tools for auditing logons, resource access, account
management, and more. Your audit policy determines what is written to the security log.
The security log can then be read, archived, and printed with Event Viewer. Figure 3.4
shows the settings for Audit Policy in the Microsoft Management Console (MMC) named
Default Domain Security Settings. Table 3.1 defines each of the settings that you could
use in your audit policy. You can audit each of these settings for success, failure, or
success and failure. Figure 3.5 shows an example of a security log in Event Viewer.

Figure 3.4. The settings in your audit policy determine what is
written to the security log.

Figure 3.5. You can view the results of a security audit in Event
Viewer.

Table 3.1. Audit Policy Settings

Policy                           Definition
Audit Account Logon Events       Is set on a domain controller. Audits the domain controller's authentication of a logon from another computer.
Audit Account Management         Audits activity that is generally associated with administrators, such as creating or renaming users or groups, or changing passwords.
Audit Directory Service Access   Audits objects in Active Directory that have their system access control list (SACL) set for auditing.
Audit Logon Events               Audits the local logon to a computer regardless of the role of the computer.
Audit Object Access              Audits the access of resource objects, such as a file, folder, printer, Registry key, and so on, that have the system access control list (SACL) set for auditing.
Audit Policy Change              Audits changes to user rights assignment policies, audit policies, or trust policies.
Audit Privilege Use              Audits each instance of a user exercising a user right.
Audit Process Tracking           Audits events usually associated with applications, rather than users, such as program activation and handle duplication.
Audit System Events              Audits a user's restarting or shutting down of the system or any event that affects system security or the security log.
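
An audit policy only pays off if someone actually inspects the log. The script below is an added example, not code from the book: it runs two checks over constructed, simplified security-log export lines, a burst of logon failures for one account and account-management or policy changes made by an account outside the approved administrator list (the "reality check" from the Restricted Groups section). The column layout, names and times are constructed; the categories are those of Table 3.1 and the event IDs are the standard Windows 2000/2003 security-log IDs.

```python
"""Detection pass over exported security-log lines (added example).

The sample is constructed in a simplified tab-separated shape: Type, Date,
Time, Category, Event ID, User, Computer, Detail (key=value pairs). It is not
a real Event Viewer export, but the categories are the audit-policy categories
of Table 3.1 and the IDs are the standard Windows 2000/2003 security-log IDs:
529 logon failure (unknown user name or bad password), 636 member added to a
security-enabled local group, 612 audit policy changed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_ROWS = [  # constructed sample, not real log data
    ("Failure Audit", "10/14/2004", "08:01:10", "Logon/Logoff", "529", "SYSTEM", "FS01",
     "account=svc_backup workstation=WS22"),
    ("Failure Audit", "10/14/2004", "08:01:15", "Logon/Logoff", "529", "SYSTEM", "FS01",
     "account=svc_backup workstation=WS22"),
    ("Failure Audit", "10/14/2004", "08:01:22", "Logon/Logoff", "529", "SYSTEM", "FS01",
     "account=svc_backup workstation=WS22"),
    ("Failure Audit", "10/14/2004", "08:01:40", "Logon/Logoff", "529", "SYSTEM", "FS01",
     "account=svc_backup workstation=WS22"),
    ("Failure Audit", "10/14/2004", "08:05:03", "Logon/Logoff", "529", "SYSTEM", "FS01",
     "account=jdoe workstation=WS07"),
    ("Success Audit", "10/14/2004", "08:10:00", "Account Management", "636", "CORP\\adm_bill",
     "FS01", "group=Administrators member=CORP\\tsmith"),
    ("Success Audit", "10/14/2004", "08:12:30", "Account Management", "636", "CORP\\jdoe",
     "FS01", "group=Administrators member=CORP\\jdoe"),
    ("Success Audit", "10/14/2004", "08:15:00", "Policy Change", "612", "CORP\\jdoe",
     "FS01", "policy=AuditAccountManagement change=disabled"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# The secondary (Run as) accounts that are allowed to change accounts and policy.
APPROVED_ADMINS = {"CORP\\adm_bill"}


def parse_export(text):
    """Parse tab-separated export lines into event dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        typ, date, time, category, event_id, user, computer, detail = line.split("\t")
        events.append({
            "type": typ,
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
            "category": category,
            "id": int(event_id),
            "user": user,
            "computer": computer,
            "detail": dict(kv.split("=", 1) for kv in detail.split()),
        })
    return events


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=2)):
    """Accounts with `threshold` or more Logon/Logoff failure audits inside
    `window`: the pattern that precedes a lockout or a password-guessing run.
    Returns [(account, first_failure, count_in_window)], one entry per account."""
    times = defaultdict(list)
    for e in events:
        if e["type"] == "Failure Audit" and e["category"] == "Logon/Logoff":
            times[e["detail"].get("account", "?")].append(e["when"])
    alerts = []
    for account, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):          # sliding window from each failure
            n = sum(1 for t in ts[i:] if t - start <= window)
            if n >= threshold:
                alerts.append((account, start, n))
                break
    return alerts


def unexpected_account_management(events, approved=APPROVED_ADMINS):
    """Successful Account Management or Policy Change audits performed by an
    account that is not one of the approved administrative accounts: the
    reality check for rights obtained through a group you did not know about."""
    return [e for e in events
            if e["type"] == "Success Audit"
            and e["category"] in ("Account Management", "Policy Change")
            and e["user"] not in approved]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_LOG)
    for account, first, n in failed_logon_bursts(evs):
        print(f"burst: {n} failed logons for {account} starting {first:%H:%M:%S}")
    for e in unexpected_account_management(evs):
        print(f"unexpected: event {e['id']} by {e['user']} at {e['when']:%H:%M:%S} {e['detail']}")
```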

Designing the Administration of Servers

Managing an enterprise can be a cumbersome task, but Windows Server 2003 provides
many tools to assist you in the efficient and safe management of your network, no
matter how large it is. The tools with which you need to be familiar are as follows:

• Microsoft Management Consoles (MMCs)
• Remote Desktop Administration
• Telnet
• Remote Assistance

Microsoft Management Consoles

Using Microsoft Management Consoles (MMCs), you can create your own custom
"toolboxes" that keep the tools you use most frequently all in one place. You can then
share these toolboxes with other administrators whom you trust, or you can create
another toolbox that has only the tools that they need. You can simply share the
completed MMC in a folder to which the other administrator has access, and he can then
use the MMC as well. Share it with Read permission so that the administrator who
receives the MMC cannot change the file without also changing the name and the
ownership of the file. To use the MMC tools, you must register the proper dynamic link
libraries (DLLs). You can easily register most DLLs by entering adminpak.msi at a
command prompt and following the Windows Server 2003 Administrative Tools
Installation Wizard.

An MMC itself has no administration capability; it's only a toolbox that contains the real
tools called snap-ins. These snap-ins are produced by Microsoft and many other vendors.
They include most of the tools that you need to configure, manage, and monitor your
network. Many of these tools can be used on the local computer or on a remote computer
connected to the management console. Figure 3.6 shows an MMC that has been
customized to hold tools for two different computers.

Figure 3.6. You can build MMCs that hold tools for multiple
computers.

Remote Desktop Administration

Remote Desktop Connection replaces the Remote Administration Mode for Terminal
Services used in Windows 2000 Server. It provides a new interface that allows you to
safely manage any computer that is configured to allow users to connect remotely. You
can access Remote Desktop Connection by clicking Start, All Programs, Accessories,
Communications, Remote Desktop Connection. You can then connect to the computer by
entering the computer name and the password for that computer.

You must also be a member of the Remote Desktop Users security
group to use Remote Desktop Connection. The administrator is a
member of this group by default and can add other members.

You can control the resolution and other aspects of the "user experience" on the Remote
Desktop Connection settings. Figure 3.7 shows the Remote Desktop Connection dialog
box. These options allow you to configure your remote session based on the allowed
bandwidth and other restrictions. Figure 3.8 shows the custom settings that you can
configure on the Experience tab. You should use Remote Desktop Connection when you
are making a connection to only one other computer or server.

Figure 3.7. You can configure options for Remote Desktop
Connection.

Figure 3.8. You can configure custom settings on the Experience
tab.

To make multiple simultaneous connections, use the Remote Desktops snap-in. This tool
enables you to manage many servers as if you were sitting in front of each one of them.
You can control each of the connections and encrypt the connection over the Remote
Desktop Protocol (RDP). You can quickly switch between several remote desktops. Figure
3.9 shows an MMC with the Remote Desktops snap-in installed.

Figure 3.9. You can control multiple remote connections from one
interface with the Remote Desktops snap-in.

Telnet

In general, you use Remote Desktop Connection or the Remote Desktops snap-in to
connect with any computers that are running Microsoft operating systems. This provides
the most secure method of remote administration.

For other servers and network devices on your network, you can use Telnet. The Telnet
application is part of the TCP/IP suite, and any network that is using TCP/IP can use it.
The Telnet client is built in to Windows Server 2003 and provides a command-line
interface to another server and limited functionality to configure the server (see Figure
3.10). Telnet does not provide security—all passwords and data are transmitted in clear
text. If you use Telnet, you need to ensure that no sensitive information is being
transmitted.

Figure 3.10. You can configure servers and network devices on a
command-line interface with Telnet.

Telnet is not recommended for remote administration of Microsoft
computers because all data and commands are transmitted in clear
text.

To access a computer or network device with Telnet, perform the following steps:

1. Click Start.

2. Click Run.

3. Type telnet.

4. Type open.

5. Type the name of the host with which you want a connection.

6. Type ? for help with further commands.

The list of commands that are available is based on the type of host to which you have
connected. All commands are alphanumeric. In other words, you can't use your mouse or
any type of GUI with Telnet. Table 3.2 lists some Telnet commands and the actions that
they perform.

Table 3.2. Telnet Commands

Telnet Command    Action Performed
Open hostname     Establishes a session with the host
Close             Closes the connection
Display           Shows current settings for the client
Send              Gives additional commands as defined by the type of host
Set               Allows you to configure options when used with additional arguments, depending on the client
Unset             Turns off options that were previously set
Status            Determines connection status
?                 Shows the Help menu based on the host
Quit              Closes the Telnet client

Remote Assistance

Clients can request your assistance using the Remote Assistance tools, provided by
Windows XP Professional, and you can respond to their requests and assist them through
your Windows Server 2003 network. After you are connected, you can view the client's
computer and chat online. You can even take control of their mouse and keyboard with
their permission. You can also upload files to them or download their files to your
computer or central server. Remote Assistance communication can be based on Windows
Messenger or Microsoft Outlook. Figure 3.11 shows the Remote Assistance console on a
Windows XP Professional client.

Figure 3.11. Clients can request your assistance using the Remote
Assistance console.

Designing Security for Emergency Management Services

At this level, it almost goes without saying that you need to maintain redundant drives,
power supplies, and server components. You also need to create backups of all data and
configurations and keep copies offsite. This type of management activity is the day-to-
day operations that help to keep the network operating smoothly, but what if something
goes wrong?

Unfortunately, disasters, such as fires, floods, hurricanes, tornados, and earthquakes, do
happen from time to time. Your Emergency Management Services design needs to
include a disaster recovery plan (DRP) that takes these into account. Your DRP should
focus on the disasters that are most common for your area. For example, you probably
won't be concerned about earthquakes if you are located in Florida, and you wouldn't
worry much about hurricanes in South Dakota.

In the event of a disaster of this magnitude, the main goal is to get the computers back
up to the point that your company can do business before you go out of business
permanently! Your DRP should address a plan to rebuild the network to a functioning
state as quickly as possible, even if your whole building is destroyed. The details of this
plan will, of course, vary, depending on the size and complexity of the company, but the
main thing you need is a place to work. The types of alternative sites that you should
consider in your DRP are as follows:

• Hot site
• Warm site
• Cold site

Hot Sites

A hot site is a location that is up and running 24/7 with everything that you need to
function. Its main advantage is that, in the event of a disaster, you can move into the
hot site and resume normal business operations in a matter of hours. Another advantage
is that it is possible to do a "dry run" and test the hot site.

The hot site should be close enough to be practical for employees, yet far enough away
so as not to be taken down by the same disaster that took down your main site. You can
maintain the hot site, or you can pay another company to provide the service. The main
disadvantage of a hot site is the large cost associated with it. Typically, the potential loss
of money is not enough to justify the cost of a hot site, so they are only used in
organizations in which people's lives are at stake, such as highly sensitive governmental
institutions or hospital networks.

Warm Sites

A warm site is a location that provides the space, electrical outlets, and communications
lines that will be needed in the event of a disaster. It is not customized for one
organization and might be used by many organizations in the event of a natural disaster.
Typically, no computers are in place because it is assumed that the company will provide
the computers when, and if, the time comes to use the site. The main advantage of this
type of site is that it costs considerably less to maintain than a hot site. The main
disadvantage of this type of site is that it is much more difficult to test your DRP from
time to time.

Cold Sites

A cold site is a location that basically has four walls, a ceiling, and a bathroom! Typically,
it's a prearranged agreement with another party to use their space if a disaster happens.
There is very little planning involved in a cold site. The main advantage is that it costs
very little. Two parties in different areas might even agree to let each other use a part of
their building in the event of a disaster, so there is no cost to either party. The main
disadvantage of a cold site is that it does not fully provide a quick transition back to
normal business operations.

Designing a Security Update Infrastructure
Many of the latest attacks on computers and servers with Microsoft operating systems
have succeeded in spite of the fact that the patches to prevent these attacks were
available on the Microsoft Web site prior to the attack. The attacker succeeded because
the administrator had not yet installed the latest patches. Your design strategy should
include a system to automate the installation of patches that are critical to the security of
your network. You should be familiar with the tools that Microsoft provides with Windows
Server 2003. Designing a security update infrastructure includes

• Designing a Software Update Services (SUS) infrastructure
• Designing Group Policy to deploy software updates
• Designing a strategy for identifying computers that are not up to the current
patch level

Designing a Software Update Services Infrastructure

Software Update Services (SUS) is new to Windows Server 2003 but is backward
compatible to Windows 2000 servers running Service Pack 2 or higher. It is downloadable
from the Microsoft Web site at
www.microsoft.com/windows2000/windowsupdate/sus/default.asp. You should download
and install the SUS101SP1.exe file.

Your server needs to meet the following minimum hardware requirements to become a
SUS server:

• Pentium III 700MHz or higher
• 512MB RAM
• 6GB hard disk space
• Windows 2000 Server with SP2 or later or Windows Server 2003
• IIS 5.0 or later
• Internet Explorer 6.0 or later

You can use SUS to update clients running Windows 2000 Professional and Windows XP
Professional with the latest service packs. SUS enables an administrator to automatically
download, test, approve, and install the latest critical updates and service packs from the
Microsoft Windows Update Web site. Figure 3.12 shows the SUS administration site. You
need to be familiar with the features of SUS, as identified by Microsoft, including the
following:

• Built-in security
• Selective content approval
• Content synchronization options
• Server-to-server synchronization
• Multilanguage support
• Remote administration via Hypertext Transfer Protocol (HTTP) or Hypertext
Transfer Protocol Secure (HTTPS)
• Update status logging

Figure 3.12. You can manage SUS through a secure Web site.

Built-in Security

This one speaks for itself! You can't enhance security if your enhancement creates holes.
The administrative pages of SUS are Web-based through IIS and are restricted to local
administrators on the computer that hosts the updates. The synchronization always
validates the digital certificates on any downloads to the update server. Any files that are
not from Microsoft are automatically deleted.

Selective Content Approval

Updates are first downloaded to the server by running SUS synchronization. These,
however, are not automatically available to the computers that have been configured to
receive updates from that server. Instead, you can approve the updates before they are
made available for download. This allows you to test the packages before deploying
them.

Content Synchronization Options

You receive the latest critical updates and service packs from Microsoft through the
process of synchronization. You can set a schedule for automatic synchronization at
preset times. Alternatively, you can use the Synchronize Now button to manually
synchronize the server.

Server-to-Server Synchronization

You can point your server to another server running Microsoft SUS instead of to the
Windows update server. This creates a single point of entry for updates into the network,
without requiring that each SUS server download updates from the external Microsoft
source. In this way, updates can be more easily distributed across the enterprise.

Multilanguage Support

SUS supports the publishing of updates to multiple operating system language versions.
You can configure the list of languages for which you want to download updates. You only
need to download the languages that you will use. This greatly increases the speed of
synchronization.

Remote Administration via HTTP or HTTPS

The SUS administrative interface is Web-based. This allows you to manage it remotely as
if you were sitting in front of the server itself. Remote administration requires Internet
Explorer (IE) 5.5 or later.

Update Status Logging

You can specify the address of a Web server to which the Automatic Updates client
should send statistics about updates that have been downloaded and installed. These
statistics are sent using HTTP. You can access them in the IIS log file of the Web server.

Designing Group Policy to Deploy Software Updates

Now that you've got the latest critical updates for your servers and clients synchronized
into your SUS server, how do you get them into the clients and servers themselves?
There is a hard way and an easier way. The hard way is to go to each client and
manually change the Automatic Update settings within the properties of My Computer.

The easier way is to use Group Policy to change all of the computers that you need to
change—simultaneously. You should configure the Group Policy to set the computers to
the correct SUS server and then link the policy to the container in which the computer
objects are located. You can configure those computers to automatically download and
install the software or to notify the clients and let them make the decision to download
and install it. Figures 3.13 and 3.14 show the Group Policy settings for SUS updates. To
configure a Group Policy for SUS, perform the following steps:

1. Open the Group Policy Management Console (GPMC) or Group Policy tool.
2. Expand Computer Configuration in the properties of the policy.
3. Expand Administrative Templates.
4. Expand Windows Update.
5. Right-click Configure Automatic Updates to configure the settings for each
computer.
6. Right-click Specify Intranet Microsoft Update Service Location to configure the
server from which to receive the updates.

Figure 3.13. You can configure how and when clients receive
updates.

Figure 3.14. You can configure the server from which the client
receives the updates.

Designing a Strategy for Identifying Computers That Are Not Up to the Current Patch Level

To provide a complete security plan, you need to make certain that all of your computers
have the latest patches and security updates installed. You have many tools to choose
from to assist you in scanning computers for the latest updates. These are available from
Microsoft and other third parties. The Microsoft tools with which you should be familiar
include the following:

• Microsoft Baseline Security Analyzer
• Systems Management Server (SMS) and the SUS Feature Pack

Microsoft Baseline Security Analyzer

You can use Microsoft Baseline Security Analyzer (MBSA) to scan for security-related
updates on multiple computers. MBSA Version 1.1.1 includes both a GUI tool and a
command-line interface tool. You can use these tools to perform scans of Windows
systems on your network. MBSA runs on Windows 2000, Windows XP, and Windows
Server 2003 systems. You can perform scans of all Windows NT-based clients, including
Windows NT Workstation and all later clients. You can also scan for updates to
applications running on the clients, including Internet Explorer and Office applications,
such as Office 2000 and later. The computer being scanned must be running IE 5.01 or
later and XML parser software. Parser software can be downloaded from the Microsoft
Web site at www.microsoft.com/downloads.

Systems Management Server and SUS Feature Pack

Systems Management Server (SMS) and the SUS feature pack enable you to manage
security updates throughout any size company. The SUS feature pack streamlines the
security patch management process for you. The SMS software can be used to customize
installations.

The Security Update Inventory Tool in SMS uses the MBSA program to scan all of the
clients and servers and then creates a detailed Web-based inventory report. Then, you
can use the software distribution features built in to SMS to distribute the required
software to the clients and servers. The wizards built in to the tool ensure that only the
updates that are missing are installed. No redundant or unnecessary updates are
performed.

Exam Prep Questions

Case 1: WPX Inc.
WPX Inc. is a medium-size company with a main office in Atlanta and 12 remote offices
in the Southeast United States. WPX has six administrators who manage the main office
and the 12 branch offices with varying levels of authority and control. The company is
concerned about the local security of the network and the number of administrative
accounts required to manage the network. WPX is also considering options for emergency
management and a DRP.

WPX has a constant need for remote management of the branch offices, which all contain
at least one server. In addition, the company is considering options in regard to a DRP
for the Atlanta office. Finally, WPX is concerned that its clients might not have all of the
latest critical updates for security. It wants a system that can analyze the current status
of its clients, install the software needed, and keep the clients up to date. You have been
hired as a consultant to assist WPX.

Q1 Which of these types of accounts should an administrator use to log on to the
network and check her email?

• A. Administrative account
• B. Default Administrator account
• C. Email address
• D. Regular user account

A1: Answer D is correct. Microsoft recommends that administrators use a regular user
account when they are not doing administrative work. She should not use her
administrative account unless she is actually doing administrative activity;
therefore, answer A is incorrect. The name of the Administrator account should be
changed; therefore, answer B is incorrect. She cannot use her email address to log
on; therefore, answer C is incorrect.

Q2 Which tools should you use to control the membership of the administrative
groups? (Choose two.)

• A. Restricted Groups
• B. Active Directory Users and Computers
• C. Active Directory Sites and Services
• D. Group Policies

A2: Answers A and B are correct. Restricted Groups and Active Directory Users and
Computers can be used to control the membership of administrative groups. Active
Directory Sites and Services is used to control the physical aspects of Active
Directory; therefore, answer C is incorrect. Group Policies are used to control
security and access to resources; therefore, answer D is incorrect.

Q3 Which of the following should you use for remote administration of multiple
Windows Server 2003 servers in the same session?

• A. Remote Desktop Connection
• B. Remote Desktops snap-in
• C. Telnet
• D. File Transfer Protocol

A3: Answer B is correct. The Remote Desktops snap-in is the only tool listed that allows
multiple remote administration sessions. Remote Desktop Connection allows only
one session at a time; therefore, answer A is incorrect. Telnet is a command-line-
based administration tool that is not secure; therefore, answer C is incorrect. File
Transfer Protocol is not used to manage computers; therefore, answer D is
incorrect.

Q4 Which tools are available as a snap-in to be used with a Microsoft Management
Console? (Choose two.)

• A. Computer Management
• B. My Computer
• C. Windows Explorer
• D. Active Directory Users and Computers

A4: Answers A and D are correct. Computer Management and Active Directory Users
and Computers are both available as a Remote Desktops snap-in. My Computer is a
tool specific to one computer and not available as a snap-in; therefore, answer B is
incorrect. Windows Explorer is specific to one computer and not available as a
snap-in; therefore, answer C is incorrect.

Q5 Which tools should you use to set the actions and objects that will be audited?
(Choose two.)

• A. Security log
• B. Group Policy Object Editor
• C. Windows Explorer
• D. Active Directory Domains and Trusts

A5: Answers B and C are correct. You should use the Group Policy Object Editor to set
the actions of the audit (success or failure) and the Windows Explorer tool to set
the objects to be audited. The security log is a tool used to view the results of an
audit, not to set it up; therefore, answer A is incorrect. Active Directory Domains
and Trusts is a tool used to manage trusts between domains; therefore, answer D
is incorrect.

Q6 Which audit policy is set on a domain controller to audit its authentication of users
on other computers in the domain?

• A. Audit Logons
• B. Audit Account Logons
• C. Audit Privilege Use
• D. Audit Process Tracking

A6: Answer B is correct. Audit Account Logons can only be set on a domain controller.
It audits that computer's authentication of another computer to the domain. Audit
Logons is set on the local computer to audit local logons; therefore, answer A is
incorrect. Audit Privilege Use is set to monitor a user's exercise of user rights;
therefore, answer C is incorrect. Audit Process Tracking is set to monitor an
application's use of system resources; therefore, answer D is incorrect.

Q7 You decide to lease a space for emergency purposes approximately 100 miles from
the Atlanta office. This space will be equipped and maintained with the power and
communications needs for the network in the event a natural disaster or fire
destroys the Atlanta office. It will not currently be equipped with any computers.
Which type of alternative site have you chosen?

• A. Hot site
• B. Cold site
• C. Spare site
• D. Warm site

A7: Answer D is correct. Because the site will not contain the actual servers and other
hardware, but will be equipped with the right power and communications
connections, it should be referred to as a warm site. A hot site is equipped with
computers and is ready to move in within hours; therefore, answer A is incorrect. A
cold site is a location that has no planned resources at all; therefore, answer B is
incorrect. A spare site is not a term that is used in this context; therefore, answer C
is incorrect.

Q8 Which tools should you use to synchronize a server with the Microsoft Windows
Update Web site and receive the latest critical updates and service packs? (Choose
two.)

• A. Windows Update
• B. Group Policy
• C. Active Directory Users and Computers
• D. Software Update Services

A8: Answers A and D are correct. Windows Update is used to synchronize an individual
computer with the latest updates on the Microsoft Web site. Software Update
Services can be used in a hierarchical arrangement to test and distribute the latest
Microsoft updates. Group Policies are used to control security and access to
resources; therefore, answer B is incorrect. Active Directory Users and Computers
is used to control the logical aspects of Active Directory; therefore, answer C is
incorrect.

Q9 Which tool should you use to scan clients and servers to determine whether they
have the latest updates installed?

• A. Microsoft Baseline Security Analyzer (MBSA)
• B. Software Update Services (SUS)
• C. Group Policy Management Console
• D. Computer Management

A9: Answer A is correct. MBSA can be used to scan computers for the latest security
updates and other security weaknesses. SUS is used to install the latest updates,
but does not scan the computer; therefore, answer B is incorrect. The Group Policy
Management Console is used to create and manage Group Policies; therefore,
answer C is incorrect. Computer Management does not scan the computer for the
latest updates; therefore, answer D is incorrect.

Q10 Which of these clients can be configured with Group Policy to use Software Update
Services? Choose all that apply.

• A. Windows 98
• B. Windows XP Home Edition
• C. Windows XP Professional
• D. Windows 2000 Professional

A10: Answers C and D are correct. Windows XP Professional and Windows 2000
Professional are the only clients listed that can be configured with Group Policy.
Group Policy cannot be used to control Windows 98; therefore, answer A is
incorrect. Windows XP Home Edition does not support Group Policy; therefore,
answer B is incorrect.

Chapter 4. Creating the Physical Design for Network Infrastructure Security
Terms you'll need to understand:

• Firewall
• IP filtering
• 802.1x
• Virtual private network (VPN)
• Demand-dial routing (DDR)
• Certificate Services

Techniques you'll need to master:

• Designing network infrastructure security
• Designing security for wireless networks
• Designing security for communication between networks
• Designing security for communication with external organizations

The security needs of a network vary widely depending on the components that make up
the network. Although the components that you choose are based on the needs of the
organization, some components require additional consideration in regard to security.
The manner in which you configure these physical components also has a dramatic effect
on your network's security.

In this chapter, we discuss the physical design for your network infrastructure and its
relation to your network's security. We also discuss options for securing connections
within your own network or connecting to other networks, and we examine the risks and
rewards associated with each option. Finally, we discuss the techniques and their impact
on the entire network.

Designing Network Infrastructure Security
You are responsible for the security on your network. This includes protecting the
network from intruders from the Internet as well as protecting the communications
between computers on your network. To effectively protect your network, you need to
understand the following components:

• Specifying the required protocols for firewall configuration
• Designing IP filtering
• Designing the Internet Protocol Security (IPSec) policy for secure transmission of
data
• Securing a Domain Name System (DNS) implementation

Specifying the Required Protocols for Firewall Configuration

The main purpose of a firewall is to filter traffic to and from your network. Firewalls can
be hardware- or software-based, or a combination of the two. They can protect a single
computer or an entire network of computers. When you install a firewall, it keeps all
traffic from entering or leaving your network unless you specifically allow it.

Windows Server 2003 and Windows XP Professional have a built-in, host-based firewall
called Internet Connection Firewall (ICF), which protects an individual computer.
Although this is a good product for client computers, you should only use ICF with
Windows Server 2003 servers if no other firewalls are being used. Our discussion focuses
on firewalls that protect an entire network, not just one computer.

Windows XP is the only Microsoft client that has a built-in firewall—Internet
Connection Firewall.

A firewall filters traffic by reading each packet and deciding whether to allow or deny the
traffic. You can configure the firewall to forward only certain types of traffic. With most
firewalls (including Microsoft Internet Security and Acceleration [ISA] Server), the criteria that
you can use to filter traffic are as follows:

• Source IP address
• Destination IP address
• IP protocol
• Source Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
ports
• Destination TCP and UDP ports
• The interface where the packet arrives
• The interface where the packet is destined

Designing IP Filtering
You establish your criteria based on the needs of your own organization. The goal is to
protect the network but still allow transparent access to all of the resources that the
users need. Remember that one of the main purposes of having security is to ensure
productivity of the users. If your security inhibits their productivity, it is of questionable
value.

Exactly how you configure the firewall is determined by your organization's needs and
the specific type of firewall that you purchase. However, you need to be familiar with
some standards; the four basic methods of controlling traffic through a firewall are as
follows:

• Packet filtering
• Stateful inspection
• Circuit-level filtering
• Application filtering

Packet Filtering

Packet filtering involves reading the packet and making a decision based on the type of
packet. Table 4.1 lists services and applications that need to be considered when
configuring a firewall for packet filtering. This is by no means a complete list; only the
most common protocols and ports are included. For each service or application, the
specific ports that need to be configured are listed. You might also need to consider the
direction that the ports should be configured based on how an application will be used.

Table 4.1. Common Network Services and Applications

Application or Service            TCP or UDP Port
--------------------------------  -----------------
Web Server                        80/tcp
Secure Sockets Layer (SSL)        443/tcp
File Transfer Protocol (FTP)      21/tcp
POP3 (email storage)              110/tcp
SMTP (email transfer)             25/tcp
RDP (Terminal Services)           3389/tcp
IMAP (advanced email services)    220/tcp, 143/tcp
Telnet (remote administration)    23/tcp
SQL Server (database)             1433/tcp
LDAP (Active Directory)           389/tcp
DNS (Domain Name System)          53/tcp, 53/udp
SNMP (network management)         161/udp

You should be familiar with the most common network services and
the ports that they use. These include HTTP, FTP, Telnet, DNS, and
others as listed in Table 4.1.

Stateful Inspection

In addition, you can gain more flexibility by using a firewall that allows you to filter by
the other criteria mentioned previously, such as source IP address, destination IP
address, and interface. These criteria can be used on their own or in addition to the port
number criterion. The process of holding the connection open while examining the
packets is called stateful inspection. A major advantage of this type of filtering is its

flexibility and, therefore, its effectiveness. A major disadvantage is that it takes a
tremendous amount of processor resources.
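The filter criteria listed above and the ports in Table 4.1 can be combined into a small default-deny filter with a connection state table. The following is an added example (not from the book or any Microsoft product) that assumes a two-interface firewall, a constructed policy for a 10.0.0.0/8 LAN, and constructed addresses:

```python
# Added example (not from the book): a default-deny packet filter that applies
# the chapter's criteria (addresses, IP protocol, ports, interfaces) and keeps
# a minimal stateful-inspection table so replies are admitted only for
# connections the filter already allowed. Addresses and names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# A few entries taken from Table 4.1: service -> (protocol, port).
SERVICES = {
    "http": ("tcp", 80), "https": ("tcp", 443), "smtp": ("tcp", 25),
    "rdp": ("tcp", 3389), "telnet": ("tcp", 23), "dns-udp": ("udp", 53),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_if: str          # interface where the packet arrives
    out_if: str         # interface where the packet is destined
    syn: bool = True    # True for the first packet of a TCP connection


@dataclass
class Rule:
    action: str                   # "allow" or "deny"; first match wins
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or self.proto == p.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.dport is None or self.dport == p.dport,
            self.in_if is None or self.in_if == p.in_if,
            self.out_if is None or self.out_if == p.out_if,
        ])


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()        # 5-tuples of connections already admitted

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Stateful inspection: traffic belonging to an admitted connection
        # passes, even a reply to a client port that no rule allows inbound.
        if key in self.flows or reverse in self.flows:
            return "allow"
        # A TCP packet that is not a connection start and belongs to no known
        # flow is dropped by the state table, never by the rules.
        if p.proto == "tcp" and not p.syn:
            return "deny"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.flows.add(key)
                return r.action
        return "deny"             # nothing passes unless specifically allowed


def allow(service: str, **where) -> Rule:
    """Build an allow rule from a Table 4.1 service name."""
    proto, port = SERVICES[service]
    return Rule("allow", proto=proto, dport=port, **where)


def build_example_firewall() -> Firewall:
    """Constructed policy: the LAN may browse and resolve names; the Internet
    may reach only the mail server's SMTP port. RDP and Telnet stay closed."""
    lan = "10.0.0.0/8"
    return Firewall([
        allow("http", src=lan, in_if="lan", out_if="wan"),
        allow("https", src=lan, in_if="lan", out_if="wan"),
        allow("dns-udp", src=lan, in_if="lan"),
        allow("smtp", dst="10.0.0.5/32", in_if="wan", out_if="lan"),
    ])
```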

Circuit-Level Filtering

Circuit-level filtering inspects sessions, as opposed to connections or packets. A session
can include multiple connections. This provides many benefits over and above stateful
inspection. First, sessions are established only in response to a user request, which
improves your security. Also, circuit-level filtering provides built-in support for protocols
with secondary connections, such as FTP and streaming media. Finally, you have the
ability to define the protocol's primary and secondary connection in the user interface,
without any programming or third-party tools, by specifying the port number or range,
protocol type, TCP or UDP, and inbound or outbound direction.

Application Filtering

The most advanced type of IP filtering, application filtering, takes filtering to a new level
by examining each packet for the type of application to which it applies. The filter then
applies the right solution for that packet based on the application. This could include
screening, blocking, redirecting, or even modifying the data as it passes through the
firewall. This type of filtering can be used to protect against attacks on vital network
components, such as DNS and Web servers.

Designing the IPSec Policy for Secure Transmission of Data

On Windows NT networks, most communications within a network are in clear text and
there is no built-in encryption method. On Windows 2000 Server and Windows Server
2003 networks, you can elect to use IPSec to secure communications within the network.
IPSec can also be used to secure communications between networks, which we discuss in
the section titled "Designing Security for Communication with External Organizations"
later in this chapter.

IPSec secures communications in a variety of ways. The main goal is to ensure that what
appears to be happening is actually happening. In other words, ensure that
communications are taking place as they appear to be. IPSec secures communications
within your network in the following ways:

• Data integrity— Keeps data safe from modification during transit
• Data confidentiality— Keeps data safe from viewing during transit
• Data authentication— Keeps the network safe from impersonation from
unauthorized parties
• Replay protection— Keeps data safe from capture and replay (such as with
passwords)

Because IPSec works below the Transport layer, it applies to every application that runs
through it. This relieves you of the burden of setting up security for each application. It
uses industry-standard encryption algorithms and a comprehensive security management
approach to provide security for all TCP/IP communications on both sides of your firewall.
This results in an end-to-end security strategy for your entire network. IPSec can be set
in one of three ways for each container to which it is applied. The container can be your
domain or an organizational unit (OU) in your domain.

Microsoft gets you started with three default policies. You can alter them to meet your
individual needs or create your own policies. One of the main reasons that IPSec policies
fail is that their settings are incompatible with each other. For this reason, it's important
that you understand how the default policies operate before you alter them or create
your own.

The three default policies are as follows:

• Server (Request Security)
• Secure Server (Require Security)
• Client (Respond Only)

The name of the policy only signifies how that policy operates, not
what type of computers it can control. In other words, you can control
servers with a client type of policy and vice versa.

Server (Request Security)

When a policy is set to Server (Request Security), the server negotiates with a client in
an attempt to create the most secure communication possible. This negotiation might
include a type of authentication, encryption, connection, and so forth. The server then
communicates with the client at the highest level at which the client can communicate. If
the client cannot support IPSec, communication can still take place between the client
and the server.

Secure Server (Require Security)

When the policy is set to Secure Server (Require Security), the server queries the client
to ensure the client can provide all of the security that the server requires. This might
include a specific type of authentication, encryption, connection, and so forth. If the
client cannot provide all of the requirements, the server does not communicate with the
client any further.

Client (Respond Only)

When the policy is set to Client (Respond Only), the client simply responds to the
server's requests or queries. This might include providing the correct type of
authentication, encryption, connection, and so forth. The client provides all that it can,
and the server then decides how and whether the communication will take place based
on answers that the client provides.

Figure 4.1 shows the IPSec policy settings in Windows Server 2003.

Figure 4.1. You can configure IPSec policy in one of three ways.

Figure 4.2 shows how IPSec can be configured in the Edit Rule Properties dialog box to
negotiate authentication, encryption, and connection types.

Figure 4.2. You can use IPSec rules to negotiate many aspects of
communication, including authentication, encryption, and
communication types.

Because you can assign only one IPSec policy per container, you need
to ensure that the clients are in different OUs than the servers' OUs so
the IPSec policies can be applied to all computers in the OU.
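Added example, not from the book: a model of how the three default policies negotiate with each other, combined with the one-policy-per-container rule over a constructed OU layout, so that incompatible pairings (the failure mode mentioned above) can be listed before a policy is assigned. The policy semantics are the chapter's; the OU tree and computer names are constructed.

```python
# Added example (not from the book): model of the three default IPSec policies
# and of "one IPSec policy per container" applied over an OU tree, used to
# find computer pairs whose policies could never communicate.
from dataclasses import dataclass, field
from enum import Enum
from itertools import combinations
from typing import Dict, List, Optional, Tuple


class Policy(Enum):
    NONE = "no policy assigned (cannot negotiate IPSec)"
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"


def negotiate(a: Policy, b: Policy) -> str:
    """Outcome for traffic between two computers: 'secured', 'cleartext' or
    'blocked'. Request/Require Security start the negotiation, Respond Only
    answers but never starts it, and a computer with no policy cannot answer."""
    someone_requests = any(p in (Policy.SERVER, Policy.SECURE_SERVER) for p in (a, b))
    someone_requires = Policy.SECURE_SERVER in (a, b)
    both_can_negotiate = Policy.NONE not in (a, b)
    if someone_requests and both_can_negotiate:
        return "secured"
    if someone_requires:
        return "blocked"      # Require Security never falls back to clear text
    return "cleartext"        # Request Security falls back; Respond Only never starts


@dataclass
class OU:
    name: str
    policy: Optional[Policy] = None      # at most one IPSec policy per container
    computers: List[str] = field(default_factory=list)
    children: List["OU"] = field(default_factory=list)


def effective_policies(ou: OU, inherited: Policy = Policy.NONE,
                       out: Optional[Dict[str, Policy]] = None) -> Dict[str, Policy]:
    """Walk the tree; the policy assigned closest to the computer wins."""
    out = {} if out is None else out
    effective = ou.policy if ou.policy is not None else inherited
    for c in ou.computers:
        out[c] = effective
    for child in ou.children:
        effective_policies(child, effective, out)
    return out


def blocked_pairs(effective: Dict[str, Policy]) -> List[Tuple[str, str]]:
    """Pairs of computers whose effective policies exchange no traffic at all."""
    return sorted((x, y) for x, y in combinations(sorted(effective), 2)
                  if negotiate(effective[x], effective[y]) == "blocked")


def example_domain() -> OU:
    """Constructed layout: servers and clients in separate OUs, a printer OU
    with no policy, and one computer left at the domain level."""
    return OU("wpx.example", computers=["LEGACY1"], children=[
        OU("Servers", policy=Policy.SECURE_SERVER, computers=["SQL1", "FILE1"]),
        OU("Clients", policy=Policy.CLIENT, computers=["WS1", "WS2"]),
        OU("Printers", computers=["PRN1"]),
    ])
```

Running blocked_pairs over example_domain() shows that the Require Security servers cannot talk to the printer OU or the computer at the domain root, which is the incompatibility to fix before assigning the policy.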

Securing a DNS Implementation

DNS is one of the most important services on the network. It resolves easy-to-remember
hostnames to IP addresses that the network can use. It uses a database that contains
the names and IP address references of all of your clients, servers, and network printers.
Because of these facts, you need to make certain that your DNS servers are secure from
attack.

Securing a DNS implementation requires that you understand the fundamentals of DNS
and the methods that an attacker might use to take down your network. By
understanding what is possible, you can then take the necessary steps to prevent attacks
from succeeding. The following are methods of attack against your DNS implementation:

• Blocking or corrupting traffic between clients and servers
• Corrupting or changing data on the server
• Shutting down or disabling the server
• Intentionally sending clients to a rogue domain controller and collecting secure
information

You can protect your DNS implementation from these attacks by protecting the integrity
of the DNS server's response to clients and by protecting the zone data contained and
transferred by the servers. The clients must be able to depend on the information that
they receive from their designated DNS servers. You can increase the integrity of this
information by practicing the following techniques:

• Using IPSec between the clients and servers
• Monitoring network activity
• Closing all unused firewall ports

Using IPSec Between the Clients and Servers

When IPSec is enabled, all traffic can be encrypted between the DNS servers. This
ensures that no unauthorized entities are able to spoof the system. Also, IPSec can
specify the mutual authentication of the client and the server. Unless each can prove its
identity, no secure information is exchanged. Finally, all traffic between the client and the
server can be encrypted. This ensures that the client and server communication is free
from any type of tampering or misdirection.

Monitoring Network Activity

A Denial of Service (DoS) attack floods a DNS server with so many client requests that
the DNS server cannot keep up with the legitimate requests, and it stops responding to
DNS queries. To guard against DoS attacks, watch for unusually high amounts of traffic
and look for anomalies such as a high volume from a single location or a high volume of
a single type of traffic. Establishing a security baseline before problems arise can help
you determine what amount of traffic should be considered unusually high.
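Added example (not from the book): the baseline-then-anomaly check described above, run over constructed DNS query-log lines. A quiet period teaches the baseline; later minutes are flagged when one client or one query type exceeds a multiple of it. The log format, addresses, names and the factor of 5 are assumptions.

```python
# Added example (not from the book): learn a per-minute baseline from a quiet
# DNS query log, then flag minutes where a single source, a single query type,
# or the total volume exceeds a multiple of that baseline.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str]     # (minute, client, qtype)


def parse(lines: Iterable[str]) -> List[Record]:
    """Constructed log format: '<date> <HH:MM:SS> <client ip> <qtype> <name>'."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip truncated or garbled lines
        date, time, client, qtype, _name = parts
        out.append((f"{date} {time[:5]}", client, qtype))
    return out


@dataclass
class Baseline:
    per_client: int            # highest per-minute count seen from one client
    per_type: Dict[str, int]   # highest per-minute count seen per query type
    total: int                 # highest per-minute total


def learn_baseline(records: List[Record]) -> Baseline:
    per_client = Counter((m, c) for m, c, _ in records)
    per_type = Counter((m, t) for m, _, t in records)
    total = Counter(m for m, _, _ in records)
    by_type: Dict[str, int] = defaultdict(int)
    for (_, t), n in per_type.items():
        by_type[t] = max(by_type[t], n)
    return Baseline(max(per_client.values()), dict(by_type), max(total.values()))


def detect(records: List[Record], base: Baseline, factor: float = 5.0) -> List[str]:
    """Return one alert line per anomaly, in time order within each category."""
    alerts = []
    for (m, c), n in sorted(Counter((m, c) for m, c, _ in records).items()):
        if n > factor * base.per_client:
            alerts.append(f"{m} single source {c}: {n} queries")
    for (m, t), n in sorted(Counter((m, t) for m, _, t in records).items()):
        # A type never seen during the baseline gets a threshold of factor * 1.
        if n > factor * base.per_type.get(t, 1):
            alerts.append(f"{m} single type {t}: {n} queries")
    for m, n in sorted(Counter(m for m, _, _ in records).items()):
        if n > factor * base.total:
            alerts.append(f"{m} total volume: {n} queries")
    return alerts


def _lines(minute: str, client: str, qtype: str, count: int) -> List[str]:
    """Construct `count` log lines from one client within one minute."""
    return [f"2004-05-12 {minute}:{i % 60:02d} {client} {qtype} host{i}.wpx.example"
            for i in range(count)]


# Constructed quiet period: three LAN clients, four A queries each per minute.
QUIET_LOG = [line for k in range(3) for c in ("10.0.0.7", "10.0.0.8", "10.0.0.9")
             for line in _lines(f"09:0{k}", c, "A", 4)]
# Constructed suspect period: one outside address sends 45 queries in a minute,
# and ANY queries (absent from the baseline) appear in the next.
SUSPECT_LOG = (_lines("09:10", "10.0.0.7", "A", 4) + _lines("09:10", "203.0.113.9", "A", 45)
               + _lines("09:11", "10.0.0.8", "A", 4) + _lines("09:11", "10.0.0.9", "ANY", 12))
```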

Closing All Unused Firewall Ports

The only ports that the DNS server needs to operate are 53/udp and 53/tcp. You need to
examine the configuration of a firewall protecting your DNS servers to ensure that all
ports that do not have to be open are shut. This provides a smaller attack surface for an
attacker.

You can protect the data that is stored on the DNS servers and transferred between them
by

• Using secure dynamic updates
• Setting quotas to limit registration of DNS resource records
• Ensuring that the DNS administrators are trusted
• Delegating administration of DNS data
• Using the appropriate routing mechanism for your environment

Using Secure Dynamic Updates

Secure dynamic update is the default method of DNS update in both Windows 2000
Server and Windows Server 2003. It ensures that update requests are processed only if
Active Directory authorizes them. This prevents the type of DNS attack that involves
entering invalid data into the zone files. This is extremely important because if an
attacker can enter invalid data, he can disrupt your network and send your clients to
rogue servers without their knowledge. The attacker can also fill the server's disk space
with garbage data and, thereby, perform a type of DoS attack. Figure 4.3 illustrates the
configuration of secure dynamic updates.

Figure 4.3. Active Directory integrated zones with secure dynamic
updates can greatly increase your DNS security.

Setting Quotas to Limit Registration of DNS Resource Records

By default, members of the Authenticated Users group have the ability to create resource
records on DNS servers that are in the domain of the client computer. This enables all
computers to dynamically update DNS zone data. A typical authenticated user registers a
maximum of 10 records in DNS. To ensure that malicious users or applications do not
create inappropriate resource records, you can set a default quota limit of 10 objects per
user. This ensures that all computers can update DNS appropriately but cannot start DoS
attacks.
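Added example (not from the book or the Windows DNS service): a model of a zone that accepts only secure dynamic updates and enforces the 10-record quota per principal, showing which update requests from the two preceding sections are refused. Principal names, host names and addresses are constructed.

```python
# Added example (not from the book): a zone model that refuses unauthenticated
# updates, lets only a record's creator change it, and caps the records one
# principal may create, so a garbage-data or impersonation attempt is rejected.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Update:
    principal: Optional[str]   # Active Directory identity; None if unauthenticated
    name: str
    rtype: str
    value: str


@dataclass
class Record:
    value: str
    owner: str                 # principal that created the record (its ACL)


class SecureZone:
    def __init__(self, quota: int = 10, secure_only: bool = True):
        self.quota = quota
        self.secure_only = secure_only
        self.records: Dict[Tuple[str, str], Record] = {}
        self.owned: Counter = Counter()      # records created per principal

    def update(self, u: Update) -> str:
        if u.principal is None:
            if self.secure_only:
                return "refused: unauthenticated update"
            owner = "anonymous"              # only reached with secure_only=False
        else:
            owner = u.principal
        key = (u.name.lower(), u.rtype.upper())
        existing = self.records.get(key)
        if existing is not None:
            if existing.owner != owner:
                return "refused: record owned by another principal"
            existing.value = u.value         # the creator may refresh its own record
            return "updated"
        if self.owned[owner] >= self.quota:
            return "refused: quota exceeded"
        self.records[key] = Record(u.value, owner)
        self.owned[owner] += 1
        return "created"
```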

Ensuring That the DNS Administrators Are Trusted

Your DNS infrastructure is one of the most critical and sensitive systems on your
network. Keep this in mind when choosing the individuals who will manage it. These
administrators should have proven character and ability to ensure that they do not
intentionally or accidentally bring down the network.

Delegating Administration of DNS Data

By default, Administrators, Domain Admins, Enterprise Admins, and DNS Admins have
Full Control access to all components of DNS. Everyone else has Read access. You can
set permissions on zone containers to control access and management of each zone, as
shown in Figure 4.4.

Figure 4.4. You can set permissions on zone containers.

Using the Appropriate Routing Mechanism for Your Environment

Your DNS infrastructure can consist of many types of zones and servers. For the greatest
security, consider replacing secondary zones with Active Directory integrated zones, stub
zones, and conditional forwarding mechanisms. The data that is stored in a secondary
zone is not in Active Directory and is, therefore, a plain text file. It's possible to protect
the file using NTFS permissions, but it is better to eliminate it completely whenever
possible.

Designing Security for Wireless Networks
It almost seems funny to discuss security and wireless in the same sentence. Wireless
networks have been notorious for their lack of security. Certainly the Institute of
Electrical and Electronic Engineers (IEEE) could not have imagined the security needs of
today's world when they developed the 802.11 standard for wireless communication.
Furthermore, government controls have made it difficult to use high-strength encryption
until recently. All of this results in a wireless standard that is still in its infancy in regard
to security. Windows Server 2003 has tools that assist you in setting up a wireless
security policy for your network. Figure 4.5 shows the Wireless Network policy
configuration tool in Windows Server 2003 security. This policy shows the default setting
Use Windows to configure wireless network settings for clients. With this setting enabled,
clients can connect to existing wireless networks, change wireless network connection
settings, configure new wireless connections, and specify preferred wireless networks
through the Wireless Networks tab on their computers equipped with a wireless network
interface card.

Figure 4.5. You can set wireless access policies to meet your
needs.

Although there is no way to keep a wireless network as secure as a wired network, the
benefits and convenience of wireless networks have caused many improvements in
security. Wireless security can be divided into two major varieties:

• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)

Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) is the older method that has been included in 802.11 for
some time. It restricts network access and encrypts network traffic based on shared
keys. This method has significant disadvantages. First, the keys are not dynamically
managed, but instead must be configured by the administrator. Second, the encryption
mechanism is not strong by today's standards and can expose the keys to attackers.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) was produced by the Wi-Fi Alliance to unify and improve
security used in wireless networking. It uses a set of security methods that include
dynamic rekeying and high levels of encryption. This makes the discovery of the
encryption keys far less likely.

The IEEE is working on a new wireless standard. It will be called 802.11i, the
Robust Security Network (RSN). RSN will bring even higher levels of security to
wireless networking, but is not expected to be released for many years and will
require hardware upgrades on most computers.

You can further secure your wireless network if you also use the strengths of Active
Directory and Certificate Services to your advantage. Microsoft recommends the use of
one of the three following methods:

• 802.1x with dynamic encryption keys
• 802.1x with EAP-TLS
• 802.1x with PEAP

802.1x with Dynamic Encryption Keys

802.1x is an IEEE standards-based framework for authenticating access to a network
and, optionally, managing keys used to protect traffic. It relies on Remote Authentication
Dial-In User Service (RADIUS), a network authentication service, to verify the network
client's credentials. The RADIUS server relies on the domain controller to authenticate
the clients. 802.1x uses the Extensible Authentication Protocol (EAP) as a means of
securing the conversation between the servers and clients and generating keys.

802.1x with EAP-TLS

802.1x with EAP-TLS is a certificate-based system used to mutually authenticate wireless
clients and RADIUS servers. It uses strong cryptographic keys to protect wireless traffic.
This method requires public key certificates on the client and the RADIUS server. These
can be obtained from a third party or you can set up an enterprise server to
automatically enroll these certificates for clients authorized by Active Directory.

802.1x with PEAP

802.1x with PEAP can use Microsoft Challenge Handshake Authentication Protocol version 2
(MS-CHAPv2) to provide secure password authentication without the use of certificates. This
method works best in a small environment that does not have any certificate servers and
has no other uses for certificate servers. It can also be used as an interim strategy to
deploy a wireless network before implementing a certificate infrastructure.

Designing Security for Communication Between Networks
To this point, we have focused on your network as if it was the only one in the world. We
have also assumed that your network existed in one geographical location. In reality, of
course, there are millions of networks in the world and yours is just one of them. In
addition, what we have referred to as your network might actually be several local area
networks (LANs) connected by communications links that create a wide area network
(WAN). These facts present their own sets of challenges in regard to security.

The most secure form of communication between networks is leased private lines that
only one organization can use. These leased lines, however, can be very expensive to
obtain and to maintain. You would also require a separate leased line to every location in
your organization or any organization with which you do business. As you can see, this
could quickly become cost prohibitive.

Instead of leased private lines, many organizations have opted to use the Internet or
other types of telephone lines to make their connections between networks. We now
discuss the two main methods of communication between offices:

• Virtual private network (VPN)
• Demand-dial routing (DDR)

Virtual Private Network

The Internet, as you know, is inherently insecure. For this reason, we use special
protocols that encapsulate and encrypt communications over the Internet and create a
network connection that is private through a medium that is not private. This connection
is referred to as a virtual private network (VPN). Two main protocols create the
encapsulation tunnel that is used on a VPN. Each has its own advantages and
disadvantages. These protocols are referred to as tunneling protocols and they include
the following:

• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)

Point-to-Point Tunneling Protocol

PPTP allows multiprotocol traffic to be encrypted and then encapsulated into an IP header
and sent across an organization's IP internetwork or a public IP internetwork such as the
Internet. PPTP encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams, and
it can be used for remote access and for router-to-router communications between
networks. PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data between
two Microsoft systems. PPTP is documented in RFC 2637.

PPTP uses a TCP connection for tunnel management. It also uses a modified version of
Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data.
Furthermore, the payloads of the encapsulated PPP frames can be encrypted and/or
compressed. Figure 4.6 shows a packet encapsulated with PPTP.

Figure 4.6. PPTP uses a modified version of GRE.

Advantages of PPTP over L2TP include the following:

• PPTP does not require a certificate infrastructure as does L2TP.
• PPTP can be used with most clients, whereas L2TP is limited to Windows 2000
Professional and Windows XP Professional clients.
• PPTP clients can be placed behind Network Address Translation (NAT) without any
additional configuration.

Layer 2 Tunneling Protocol

L2TP allows multiprotocol traffic to be encrypted and then sent across any medium that
supports point-to-point datagram delivery, such as IP, X.25, Frame Relay, or
Asynchronous Transfer Mode (ATM). L2TP is a combination of PPTP and Layer 2
Forwarding (L2F), a technology proposed by Cisco Systems, Inc. It represents the best
features of PPTP and L2F. L2TP can be used through private networks or over the
Internet when configured with IP as its data transport protocol, as documented in RFC
2661.

L2TP over IP internetworks uses UDP and a series of L2TP messages for tunnel
management. It also uses UDP to send L2TP-encapsulated PPP frames as the tunneled
data. The payloads of encapsulated PPP frames can be encrypted and/or compressed.
The Microsoft implementation of L2TP does not use MPPE to encrypt the PPP payload and
instead can use IPSec with Encapsulating Security Payload (ESP) for encryption. This
combination is referred to as L2TP/IPSec and is described in RFC 3193. Figure 4.7 shows
a packet encapsulated with L2TP.

Figure 4.7. L2TP can use IPSec for encryption.

Advantages of L2TP over PPTP include the following:

• Provides more complete security— IPSec ESP provides proof that the data was
sent by the authorized user, proof that the data was not modified in transit,
prevention from resending a stream of captured packets, and prevention from
interpreting captured packets without the encryption key. These are known as
data authenticity, data integrity, data replay protection, and data confidentiality.
By contrast, PPTP provides only per-packet data confidentiality.
• Provides stronger authentication methods— L2TP requires both computer-
level authentication (through certificates) and user-level authentication.
• Provides safer authentication methods— PPP packets that are exchanged
during user authentication have been previously encrypted and are never sent in
unencrypted form. This guards against other attacks such as offline dictionary
attacks.

Demand-Dial Routing
Another method of connecting offices without using expensive private lines is to use
other types of lines provided by your telephone service provider. These could be regular
telephone lines or even Integrated Services Digital Network (ISDN) lines. These lines are
much less expensive than other leased lines. You can configure your routers to
automatically make use of these lines when they need to deliver a packet that requires
their use. This concept is called demand-dial routing (DDR).

Although the concept of demand-dial routing is fairly simple, the actual configuration can
be relatively complex. This complexity is caused by the fact that the connections must be
able to find and authenticate to their respective network counterparts. This requires a
specific configuration. This configuration can be created on a router, or you can configure
a Windows Server 2003 computer to act as a router. Figure 4.8 shows some of the
connection settings in the Demand-Dial Interface Wizard for creating a demand-dial
interface in Routing and Remote Access.

Figure 4.8. You can use a wizard in Routing and Remote Access to
assist you in creating demand-dial routing connections.

The elements of a demand-dial routing configuration include all of the following:

• Connection endpoint addressing— Because the connection must be made over
public data telephone networks, a telephone number is configured as the endpoint
identifier for each system (see Figure 4.9). The modem is configured to dial the
number of the destination server or router when the router receives packets
destined for that network and to send the packets through the telephone lines.
The modem holds the line open until the end of the transmission and then
terminates the connection when the transmission is finished.

Figure 4.9. A telephone number is configured as the endpoint
identifier for a system.

• Authentication and authorization of the caller— Just as for a user calling in,
the outbound connection must be authorized and the user account must be
authenticated. Therefore, you must set up the credentials for the user account
within the configuration (see Figure 4.10). Authorization is based on dial-in
permissions and remote access policies for the user account that you create.

Figure 4.10. You need to create a user account that can access the other network.

• Differentiation between remote access clients and routers— Your Routing
and Remote Access server can be used for remote access clients as well as for
demand-dial routing connections. You need to configure the connection with a
username that will not be used by a remote access client. Configuring both sides
of the connection with a unique username and password allows the system to
determine that the connection is a demand-dial routing connection and not a
remote access client.

• Configuration of both ends of the connection— You must configure both ends
of the connection (see Figure 4.11), even if you are considering the connection to
be one way. This is due to the general nature of computer communications and
the fact that they send acknowledgments of received packets.

Figure 4.11. You need to configure both ends of the connection, even if you consider
the connection as one way.

• Configuration of static routes— You should not use dynamic routing protocols
to configure temporary DDR connections. Therefore, you must add the static
routes to the routing tables so the routers will be aware of the subnet(s)
accessible by DDR (see Figure 4.12). You can accomplish this manually or by
using autostatic updates.

Figure 4.12. You need to configure the static routes that the
connection will use.

Designing Security for Communication with External Organizations
Using technology, businesses are working closer with each other today than ever before.
Many companies have secure communication connections with their partners and
vendors. Computers talk to computers to automatically check inventories and create
orders to replenish stock, when necessary. These communication connections can
significantly increase the productivity of an organization. However, in the wrong hands,
they could also represent a significant security threat. We now discuss the two main
methods of creating a secure communication environment between yourself and a
partner organization:

• Designing an extranet infrastructure
• Designing a strategy for cross-certification of Certificate Services

Designing an Extranet Infrastructure

You might want to open a portion of your network to another organization, such as a
partner, vendor, supplier, or consultant. You might do this as a value-added service to
them as well as to make processes easier for you. For example, it might be
advantageous to you for your supplier to be able to track how much of a particular
product you have in your inventory and replace it when needed. To facilitate this, you
would give them access to your inventory database. This type of network arrangement is
referred to as an extranet.

The basics of providing a secure extranet are to ensure that you are communicating with
the organization that you think you are and that the organization only has the access
that you authorize. For example, you probably would not want the partner to be able to
access payroll records or other confidential data. The extranet must allow them access to
what you configure but prohibit access to anything else.

Windows Server 2003 includes many tools to assist you in creating and maintaining a
secure extranet. You can use these tools individually or in combination with each other.
The tools that you need to be familiar with include the following:

• Secure Sockets Layer (SSL) protocol
• Tunneling protocols
• Certificate-based authentication
• IPSec
• Multiple firewalls
• Active Directory

Secure Sockets Layer Protocol

The SSL protocol works at the Application layer of the OSI reference model and can
provide secure, Web-based connections and transactions. Your users and partners can
access the secure Web sites that you configure. SSL uses port 443 and can be accessed
using Hypertext Transfer Protocol Secure (HTTPS) indicated by https://. You can
require a user to input their username and password when entering a secure site.

Tunneling Protocols

As we discussed previously, you can use the tunneling protocols of PPTP and L2TP to
secure communications between networks. Your choice of protocol is determined by your
own server and client capabilities and those of your partner. You need to choose the
most secure protocol that is common to both.

Certificate-Based Authentication

Certificates assure you that the entity is who he says he is and allow you to authenticate
and authorize a connection. Certificates can be used to protect the integrity of a message
as well. The sender can use software to sign the message with his private key. When the
intended receiver receives the message, she can confirm the signature with the sender's
public key. If she cannot confirm the signature, either the message is not from the
sender or it has been changed in transit. We discuss more about using certificates in the
section titled "Designing a Strategy for Cross-Certification of Certificate Services" later in
this chapter.

IPSec

As mentioned previously, IPSec can be used to improve security within a network as well
as between networks. When you use IPSec between networks, you use tunnel mode. This
creates a logical path for the packets to follow and encrypts the packets while they are in
the tunnel. If you use the Server (Request Security) setting for IPSec, the computers
that are on the other network can negotiate the most secure connection possible.

Multiple Firewalls

You can use multiple firewalls or a firewall that is multipronged to set up an area that
isn't really inside your network or outside of your network. This area is referred to as a
perimeter network or demilitarized zone (DMZ). You should place servers that users and
partners need to access from inside the network as well as outside of the network into
the perimeter network. These might include Web servers, email servers, and FTP servers.
Other servers that might go in the perimeter network include an intrusion detection
system (IDS) server or a bastion host server. You should never place your domain
controllers or database servers in the perimeter network as they always need to be
protected on the inside of all firewalls. You can configure your firewalls with the correct
port filters to allow your partner access to the servers that they need while secluding
them from the rest of your network.

Active Directory

Active Directory has built-in security mechanisms that authenticate and authorize any
user who has an account. Why not use that to your advantage? You can create accounts
for your partner company in your Active Directory. You need to create these accounts in
a separate OU or even a separate domain so they can be managed and secured together.
You can assign these users permissions just as if they were your own employees. You
can create groups for these users or add them to your existing groups. You should make
your decisions based on delegation of authority over the accounts and distribution of
Group Policy to the accounts.

You can even create a trust between yourself and a partner who does not have a
Windows-based network. Because Active Directory is based on Kerberos authentication, a
Kerberos v5 realm in a non-Windows-based network is analogous to a Windows Server
2003 domain. You can, therefore, establish a trust with a Kerberos v5 realm using the
Active Directory Domains and Trusts tool shown in Figure 4.13.

Figure 4.13. You can create a trust between a Windows domain
and a Kerberos realm.

You should use a separate domain for your partner if your partner
requires different account policies, such as password and account
lockout policies. You should use a separate OU in one of your domains
in all other instances for easier management.

Designing a Strategy for Cross-Certification of Certificate Services

Suppose you already have a Public Key Infrastructure (PKI) in place in your company.
You use this PKI to give access to resources and to facilitate secure email
communications. Now, suppose that you are in a close business relationship with another
company that also has a PKI in place. The other company uses its PKI for many of the
same reasons. Why wouldn't you just issue the other company certificates in your PKI
and let it issue you certificates in its PKI?

Although this sounds rather simple, in practice it can get a bit tricky. You must ensure
the certificates that you issue do not create any unintended consequences. For example,
when you extend the boundaries of your PKI beyond your own organization, you could
inadvertently create an unplanned trust relationship. In other words, if you decide to
trust another company but it also trusts yet another company, you could end up trusting
an entity you don't even know about. If A is a trusted entity to B and B is a trusted entity
to C, couldn't A be a trusted entity to C as well? Also, because your certificates are for
your trusted employees, the certificates might be too encompassing to give to another
organization.

To protect against these unintended side effects of extending your PKI, you can use
certification authority (CA) constraints to define limits on your cross-certification
relationships. You can configure these constraints in Windows Server 2003 Certificate
Services.

The constraints that you can configure include the following:

• Basic constraints
• Name constraints
• Issuance policies
• Application policies
• Policy mapping

Basic Constraints

Basic constraints define the certification path length required. They allow an application
to determine whether a certificate is a CA certificate or an end certificate. The certificate
chain uses CA certificates to build certificate paths. End certificates cannot be built upon.
You can also use basic constraints to limit the number of CAs that can be in the chain.
This eliminates the possibility of unintentionally creating a trust relationship with
someone of which you are not aware.

Name Constraints

Name constraints allow you to specify which namespaces are permitted or excluded from
using certificates produced by your qualified subordinate CA. You can use Lightweight
Directory Access Protocol (LDAP) names, hostnames, user principal names, Uniform
Resource Identifiers (URIs), or even IP addresses.

Issuance Policies

Issuance policies can be used to define the extent to which your organization trusts the
identity presented in a certificate. For example, you could set an issuance policy
stipulating that you only trust certificates that were issued during a face-to-face meeting
with a network administrator, such as when a smart card certificate is issued.

You can use object identifiers to describe the issuance policy that you define. When you
include an issuance policy object identifier in an issued certificate, you are indicating that
the certificate was issued in a manner that meets the issuance requirements associated
with the issuance policy object identifier. The object identifier indicates the extent to
which your organization trusts the identity presented in the certificate. These can be
considered as low, medium, or high. Each trust level has its own object identifier. Table
4.2 shows the object identifiers used in Windows Server 2003.

Table 4.2. Object Identifiers for Issuance Policies

Issuance Level    | Object Identifier                 | Indication
------------------|-----------------------------------|-----------------------------------------------------
All Issuance      | 2.4.29.32.0                       | Contains all other issuances; used for CA only
Low Assurance     | 1.3.6.1.4.1.311.21.8.x.y.z.1.400  | Issued with no stringent security requirements
Medium Assurance  | 1.3.6.1.4.1.311.21.8.x.y.z.1.401  | Issued with some additional security requirements
High Assurance    | 1.3.6.1.4.1.311.21.8.x.y.z.1.402  | Issued with the most stringent security requirements

The x.y.z portion of the object identifier is a randomly generated
numeric sequence that is unique for each Windows Server 2003 forest.

Application Policies

Typically, certificates provide information that is more global in nature than one
application. You can use application policies to define that a certificate can be used only
by a specific application or applications. Applications can also be written to accept usage
only if the user presents a certain type of certificate. An application policy uses a specific
object identifier to indicate the applications with which the certificate can be used.

Policy Mapping

As mentioned previously, your policies are not likely to be exactly the same as another
organization's policies. Even if your basic requirements are the same, your object
identifiers are specific to your forest; therefore, any constraints that you use will be
different than theirs. You first need to negotiate with your partner organization as to
which policies can be considered equivalent. You might then need to install a common
subordinate CA that contains the policies, policy mappings, and any constraints on which
you have agreed.
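As an added example (not code from this book or from Windows Server 2003 Certificate Services), the following Python models how a relying party applies the constraints just described when it builds a chain through a cross-certificate: basic constraints bound the number of CAs below the cross-certificate (so A trusting B does not make A trust C), name constraints confine the partner's certificates to its own namespace, and policy mapping translates your forest's issuance policy OID into the partner's before the end certificate is checked. The certificates, the x.y.z forest values, the names and the OIDs are constructed placeholders, and signatures are assumed to be valid.

```python
from dataclasses import dataclass, field
from typing import Optional

# OID layout from Table 4.2: the x.y.z part is random per forest. The two
# forest values below are constructed placeholders, not real OIDs.
OUR_PREFIX = "1.3.6.1.4.1.311.21.8.111.222.333"
PARTNER_PREFIX = "1.3.6.1.4.1.311.21.8.444.555.666"
OUR_HIGH = OUR_PREFIX + ".1.402"
PARTNER_HIGH = PARTNER_PREFIX + ".1.402"
PARTNER_LOW = PARTNER_PREFIX + ".1.400"


@dataclass
class Cert:
    """Only the fields the constraint checks look at (hypothetical model)."""
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None                       # basic constraints
    permitted_dns: list = field(default_factory=list)    # name constraints
    excluded_dns: list = field(default_factory=list)
    policies: set = field(default_factory=set)           # issuance policy OIDs
    policy_mappings: dict = field(default_factory=dict)  # issuer OID -> subject OID
    dns_names: list = field(default_factory=list)        # names on an end entity


def in_subtree(name: str, subtree: str) -> bool:
    """dNSName matching as in RFC 5280: the host itself or any subdomain of it."""
    return name == subtree or name.endswith("." + subtree)


def validate_chain(chain, required_policy):
    """Validate a chain ordered trust anchor -> CAs -> end entity.

    Returns (True, "ok") or (False, reason). required_policy is the issuance
    policy OID, in the anchor's own namespace, that the relying party demands.
    """
    if len(chain) < 2:
        return False, "chain needs an anchor and an end entity"
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} not issued by {parent.subject}"

    max_path = None            # CAs still allowed below the current CA
    permitted, excluded = [], []
    policy = required_policy   # tracked in the current CA's OID namespace

    for depth, cert in enumerate(chain[:-1]):
        if not cert.is_ca:
            return False, f"{cert.subject} is an end certificate, not a CA"
        if depth > 0:
            # Each CA below the anchor uses one hop of the pathLen budget; this
            # is what stops a partner's sub-CA from extending your trust to C.
            if max_path == 0:
                return False, f"pathLen exceeded at {cert.subject}"
            if max_path is not None:
                max_path -= 1
            if policy not in cert.policies:
                return False, f"{cert.subject} does not assert policy {policy}"
        if cert.path_len is not None:
            max_path = cert.path_len if max_path is None else min(max_path, cert.path_len)
        if cert.permitted_dns:
            permitted.append(cert.permitted_dns)   # intersected: must satisfy all
        excluded.extend(cert.excluded_dns)         # unioned: must satisfy none
        policy = cert.policy_mappings.get(policy, policy)  # policy mapping

    leaf = chain[-1]
    for name in leaf.dns_names:
        if any(in_subtree(name, s) for s in excluded):
            return False, f"{name} is in an excluded namespace"
        if not all(any(in_subtree(name, s) for s in subs) for subs in permitted):
            return False, f"{name} is outside the permitted namespaces"
    if policy not in leaf.policies:
        return False, f"{leaf.subject} lacks issuance policy {policy}"
    return True, "ok"


# Constructed sample chain: our root cross-certifies the partner's issuing CA
# with pathLen 0, a name constraint and a policy mapping (all placeholders).
OUR_ROOT = Cert("CN=OurCorp Root CA", "CN=OurCorp Root CA", is_ca=True)
CROSS_CERT = Cert("CN=Partner Issuing CA", "CN=OurCorp Root CA", is_ca=True,
                  path_len=0, permitted_dns=["partner.example"],
                  excluded_dns=["payroll.partner.example"],
                  policies={OUR_HIGH}, policy_mappings={OUR_HIGH: PARTNER_HIGH})
PARTNER_APP = Cert("CN=app.partner.example", "CN=Partner Issuing CA",
                   policies={PARTNER_HIGH}, dns_names=["app.partner.example"])
THIRD_CA = Cert("CN=ThirdParty CA", "CN=Partner Issuing CA", is_ca=True,
                policies={PARTNER_HIGH})
THIRD_APP = Cert("CN=srv.third.example", "CN=ThirdParty CA",
                 policies={PARTNER_HIGH}, dns_names=["srv.third.example"])
LOW_CERT = Cert("CN=kiosk.partner.example", "CN=Partner Issuing CA",
                policies={PARTNER_LOW}, dns_names=["kiosk.partner.example"])
WRONG_NAME = Cert("CN=www.ourcorp.example", "CN=Partner Issuing CA",
                  policies={PARTNER_HIGH}, dns_names=["www.ourcorp.example"])
```

Running validate_chain over the four sample chains shows the partner's own high-assurance server accepted, while the third-party chain, the low-assurance certificate and the certificate for a name outside partner.example are each rejected with the constraint that stopped them.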

Exam Prep Questions

Case 1: JCMW Inc.
You have been hired as a security consultant for JCMW Inc.—a medium-size company in
the software development business. JCMW works closely with many other companies to
produce software that is used to design and manufacture automobiles. JCMW currently
has 10 locations in the United States and two more in Europe. Because of its rapid
growth, JCMW is concerned with the security of its networks. The company's main
concern is with the security of its internal networks from attackers. This is further
complicated by the fact that it is beginning to use wireless networks in some offices.
JCMW is also concerned about secure communication between its offices. Finally, the
company wants to ensure that communications with its trusted partners are as secure as
possible.

Q1 Which type of firewall filtering should JCMW use if it wants the firewall to identify
packets and modify the packets if necessary?

• A. Packet level
• B. Circuit level
• C. Stateful inspection
• D. Application level

A1: Answer D is correct. Application-level filtering can identify and modify packets.
Packet-level filtering identifies packets by their port address but does not modify
packets; therefore, answer A is incorrect. Circuit-level filtering examines the
session but does not modify packets; therefore, answer B is incorrect. Stateful
inspection can examine many aspects of the packet, including the source and
destination, but does not modify packets; therefore, answer C is incorrect.

Q2 In what ways can IPSec be used to secure data for JCMW? (Choose two.)

• A. Encrypts files stored on hard drives
• B. Encrypts data sent within a LAN
• C. Encrypts data sent between LANs
• D. Restricts users from logging on to servers

A2: Answers B and C are correct. IPSec can encrypt data sent within a LAN or
between LANs. IPSec does not encrypt data stored on hard drives; EFS does.
Therefore, answer A is incorrect. IPSec does not restrict users from logging on to
servers—Active Directory Permissions do this—therefore, answer D is incorrect.

Q3 Which type of IPSec policy will allow each client to negotiate with the server to
determine the strongest levels of security for communication?

• A. Transport mode
• B. Secure Server
• C. Server
• D. Client (Respond Only)

A3: Answer C is correct. Server is a default IPSec policy that allows each client to
negotiate with the server to determine the strongest level of security common to
both. Transport mode is a configuration of IPSec that is used within a network
and is not a type of IPSec policy; therefore, answer A is incorrect. Secure Server
policies require a client to meet all of the requirements of the server for
communication to continue; therefore, answer B is incorrect. Client (Respond
Only) policies are set on the client to respond to the server's requests or
requirements; therefore, answer D is incorrect.

Q4 What methods should you recommend for JCMW to secure its DNS databases?
(Choose two.)

• A. Use secondary zones whenever possible.
• B. Delegate DNS management to OU Admins whenever possible.
• C. Use Active Directory integrated zones.
• D. Use conditional forwarding.

A4: Answers C and D are correct. Active Directory integrated zones and conditional
forwarding protect DNS namespaces. Secondary zones contain zone information
in plain text form and are considered a security risk; therefore, answer A is
incorrect. DNS management is one of the most important administrative
functions on a network and should be performed by the most experienced
administrators; therefore, answer B is incorrect.

Q5 Which protocol should JCMW use to allow wireless clients to be authenticated by
Active Directory before they are given access to the wireless network?

• A. 802.11
• B. 802.1x
• C. 802.3
• D. 802.5

A5: Answer B is correct. 802.1x and a RADIUS server can be used for secure
authentication on a wireless network. 802.11 is a wireless protocol that provides
a link but does not provide security; therefore, answer A is incorrect. 802.3 is
the protocol specification that wired Ethernet uses and is not a wireless
specification; therefore, answer C is incorrect. 802.5 is the specification for the
Token Ring network; therefore, answer D is incorrect.

Q6 Which tunneling protocol should JCMW use to take advantage of the built-in
MPPE encryption mechanism and ensure that even its pre-Windows 2000 clients
can use the security?

• A. L2TP
• B. HTTP
• C. PPTP
• D. PPP

A6: Answer C is correct. PPTP uses a built-in MPPE encryption mechanism. L2TP does
not use MPPE; therefore, answer A is incorrect. HTTP is used for browsing the
World Wide Web and is not a tunneling protocol; therefore, answer B is incorrect.
PPP is used to send data over telephone lines; therefore, answer D is incorrect.

Q7 You decide to recommend creating accounts for some JCMW partners; however,
their accounts will not have the same account policies as yours. Into which type
of container should you place the new accounts?

• A. New domain
• B. Existing OU
• C. New OU
• D. New forest

A7: Answer A is correct. You should place the new accounts in a new domain to
control account policies. You cannot control domain account policies from an OU;
therefore, answers B and C are incorrect. You do not need a new forest and, in
fact, it would only complicate matters further; therefore, answer D is incorrect.

Q8 Which of the following are advantages of L2TP over PPTP? (Choose two.)

• A. Provides a built-in encryption mechanism
• B. Can be used on many types of networks, not just IP-based
• C. Encrypts data well below the Application layer so that the application is
unaware of the encryption
• D. Can be used on all types of clients

A8: Answers B and C are correct. L2TP can be used on many types of networks, not
just those that are IP based. L2TP does encrypt data at the Data Link layer, well
below the Application layer. L2TP does not provide a built-in encryption
mechanism, but it can use IPSec; therefore, answer A is incorrect. L2TP with
IPSec cannot be used with pre-Windows 2000 Professional clients; therefore,
answer D is incorrect.

Q9 Which type of constraint should JCMW use on qualified secondary CAs to limit the
number of CAs in a chain and, thereby, eliminate unintended trusts?

• A. Basic
• B. Name
• C. Application policy
• D. Issuance policy

A9: Answer A is correct. Basic constraints can be used to identify a certificate as an
end certificate or limit the number of CAs in a chain. Name constraints are used
to specifically name those who can use a certificate or those who are excluded;
therefore, answer B is incorrect. Application policies specify an application that
can be used by a certificate; therefore, answer C is incorrect. Issuance policies
indicate the degree to which you trust another organization as identified by
object identifiers; therefore, answer D is incorrect.

Q10 Which tool should you use to create a relationship between a Windows Server
2003 domain and a Kerberos realm?

• A. Active Directory Users and Computers
• B. Computer Management
• C. Active Directory Sites and Services
• D. Active Directory Domains and Trusts

A10: Answer D is correct. Active Directory Domains and Trusts should be used to
create all trust relationships. Active Directory Users and Computers is used to
manage the logical aspects of Active Directory, such as domains and OUs;
therefore, answer A is incorrect. Computer Management is used to manage
network infrastructure and computer services; therefore, answer B is incorrect.
Active Directory Sites and Services is used to view the physical aspects of Active
Directory, such as sites and subnets; therefore, answer C is incorrect.

Chapter 5. Designing Server-Specific Security
Terms you'll need to understand:

• Internet Information Services (IIS)
• Authentication
• Remote Access Dial-In User Service (RADIUS)
• Server roles

Techniques you'll need to master:

• Designing user authentication for Internet Information Services
• Designing security for Internet Information Services
• Designing security by server role

Historically, Internet Information Services (IIS) has represented a large security
vulnerability. IIS 4.0 and 5.0 have been wide open in regard to services and protocols
with a default installation. This has allowed attackers easy access and has, therefore,
presented a large attack surface. The Nimda virus and Blaster virus in late 2002 were
part of the result of this large attack surface.

With Windows Server 2003 and IIS 6.0, Microsoft has turned the security paradigm
upside down. IIS 6.0 installs "locked down" in regard to most services and protocols.
Although this is a positive in regard to security, you need to know how to open up some
of the services so that you can use the server as it was intended.

In this chapter, we discuss server-specific security. We first discuss our options for user
authentication to IIS 6.0. Then, we discuss security methods used for IIS 6.0 in general.
Finally, we look at the concept of a security baseline in regard to Web servers and other
types of server roles, such as a domain controller, terminal server, and email server.

You can download a lockdown tool from the
www.microsoft.com/downloads site for use on IIS 4.0 and 5.0. This
tool enhances security by setting the protocols and services to the
minimum required.

Designing User Authentication for Internet Information Services
An IIS server is really nothing more than a file and application server that can be
accessed from the Internet. However, an IIS server represents a substantial security
concern. You need to design your IIS server so that it allows access to the resources that
your users need as transparently as possible. At the same time, you need to make
certain that unauthorized users do not have logical access to a resource to which they
actually have physical access. Not only that, but, in general, you aren't even certain you
know who or what you are protecting against because the rules of the game seem to
change over time.

Windows Server 2003 IIS 6.0 addresses the issue of authentication by providing multiple
methods for a user to prove that he is who he says he is. You can configure each Web
site in the Directory Security properties of the site. You choose the appropriate methods
based on your security policies and the other resources available on your network. The
authentication methods from which you can choose include the following:

• Anonymous
• Basic
• Digest
• Advanced Digest
• Integrated Windows
• Certificate
• UNC Passthrough
• RADIUS
• .NET Passport

Anonymous
Anonymous authentication allows users to access the resources on your Web or FTP site
without requiring a username or password. These are also referred to as credentials. All
users use the same account, which is installed with IIS and named IUSR_computername,
where computername is the name of the computer on which IIS is installed, as shown in
Figure 5.1. This user account is included in the Guests user group. You need to set the
permissions for this account so that anonymous users have very restricted access. The
main value of this account is that users do not have to use credentials to get to
information that was supposed to be available to them in the first place. Not having to
use their username and password (which might also apply to other resources) greatly
decreases the risk of someone stealing their credentials.

Figure 5.1. With Anonymous authentication, all users use the same
IUSR_computername account.

Windows Server 2003 also has a default account named
IWAM_computername, where computername is the name of the IIS
server, for backward compatibility with IIS 5.0 servers and
applications.

Basic
You should use Basic authentication only as a last resort. With Basic authentication, the
user is prompted to enter his credentials. The system then compares the credentials with
the accounts in its database. If the credentials match one of the accounts, the user is
permitted access. If not, the user is given another chance to provide the proper
credentials. The main problem with this authentication method is that the credentials are
delivered in plain-text form and are not encrypted. Therefore, a person monitoring your
network with a sniffer could discover and then use the credentials. The system warns you
if you try to use only Basic authentication, as shown in Figure 5.2. The main advantage
of Basic authentication is that it can be used with all browsers.

Figure 5.2. Basic authentication transmits a user's credentials in
clear text and should be used only as a last resort.

Remember that Basic authentication should be used only as a last resort, that it
provides access to a Web site regardless of the browser that the user is using,
and that the user's credentials will be transmitted in plain-text form, not
encrypted.

Digest
Digest authentication also prompts for a user's credentials, but the credentials are then
transmitted as an MD5 hash rather than in plain text, so a sniffer cannot read them. The
server compares that hash with one computed from the plain-text version of the
password that is stored on the domain controllers. This provides a significant
advantage over Basic authentication. The main disadvantage of Digest authentication is
that not all browsers support it: users must be running Microsoft Internet Explorer 5.0
or later. Digest authentication also requires Active Directory and requires that the user
has an account in your Active Directory.

Advanced Digest
Advanced Digest authentication is very similar to Digest authentication except that the
credentials are stored on the domain controllers as an MD5 hash. This means that they
are protected even from someone who can gain physical access to the domain
controllers, such as a rogue administrator. Advanced Digest is new to Windows Server
2003 and requires that the domain controller and the IIS server are both running a
member of the Windows Server 2003 family. Clients need to have Internet Explorer 5.0
or later. Clients are prompted to enter a username and a password, which are encrypted.
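To make the three methods concrete, here is an added example (not from the book) that computes what Basic and Digest each put on the wire and what the server must hold to verify a Digest response. It uses the RFC 2617 Digest computation without the qop extension; the user name, realm, nonce and password are constructed.

```python
import base64
import hashlib
import secrets


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Basic: the browser base64-encodes user:password. Base64 is an encoding,
    not encryption, so the header is as good as the password on the wire."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Authorization: Basic " + token


def basic_credentials(header):
    """Reverse basic_header: whoever sees the request (the sniffer in the text)
    gets the user name and password back unchanged."""
    token = header.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode("utf-8").split(":", 1)
    return user, password


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). Advanced Digest stores this value on the
    domain controller instead of the clear-text password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 without qop: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def client_digest(user, realm, password, method, uri, nonce):
    """What the browser sends for Digest: the hash only, never the password."""
    return digest_response(digest_ha1(user, realm, password), method, uri, nonce)


def verify_digest(clear_password, user, realm, method, uri, nonce, response):
    """Digest: the server must rebuild HA1, so it needs the clear-text
    (reversibly stored) password from the domain controller."""
    expected = digest_response(digest_ha1(user, realm, clear_password), method, uri, nonce)
    return secrets.compare_digest(expected, response)


def verify_advanced_digest(stored_ha1, method, uri, nonce, response):
    """Advanced Digest: the DC keeps only HA1, so there is no clear-text
    password for someone with access to the DC to read."""
    return secrets.compare_digest(digest_response(stored_ha1, method, uri, nonce), response)


def demo():
    # Everything below is constructed for the example.
    user, realm, password = "alice", "mtx.example", "Pa55w0rd!"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c0"  # server-chosen, new per challenge
    method, uri = "GET", "/reports/index.asp"
    wire = basic_header(user, password)
    resp = client_digest(user, realm, password, method, uri, nonce)
    ha1 = digest_ha1(user, realm, password)
    return {
        "basic_on_wire": wire,
        "basic_recovered": basic_credentials(wire),
        "digest_on_wire": resp,
        "digest_ok": verify_digest(password, user, realm, method, uri, nonce, resp),
        "digest_wrong_password": verify_digest("guess", user, realm, method, uri, nonce, resp),
        "advanced_digest_ok": verify_advanced_digest(ha1, method, uri, nonce, resp),
        # a captured response is useless against the next challenge's nonce
        "replayed_against_new_nonce": verify_advanced_digest(ha1, method, uri, "new-nonce", resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```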

Integrated Windows
When you use Integrated Windows authentication, clients who are already logged on to
the domain are not prompted for a username and password. Instead, the information
that they already have on their access token is used to determine whether they should
have access to the Web or FTP site. The system then uses the Kerberos authentication
system built in to Windows Server 2003 to validate the request and provide access to the
resource. Clients and servers prior to Windows 2000 can use the NTLM version of
Integrated Windows. Integrated Windows works best in a LAN environment because it
does not work over HTTP proxy connections. If Integrated Windows fails, the client is
prompted for his credentials. You can also use Integrated Windows authentication in
addition to Anonymous authentication, as shown in Figure 5.3. In this case, Integrated
Windows runs first and gives the user a chance to use higher credentials if they are
available with his current logon.

Figure 5.3. You can use Integrated Windows in addition to
Anonymous authentication.

Certificate
You can use server certificates to allow users to authenticate your Web site and to prove
your identity to them before they offer private information, such as credit card numbers
and Social Security numbers. Likewise, you can use client certificates to authenticate
users who are requesting access to and information from your Web site. Secure Sockets
Layer (SSL) can be used to authenticate a client by checking the content of an encrypted
digital identification that the client has obtained from you or from a third party that is
trusted by both you and the client.

You can map a client certificate to a user account that you create on your server. That
way, when a client logs on with a client certificate, she can gain access to the resources
provided by the mapped account. You can use the tools provided by Internet Explorer 5.0
and IIS to prepare a certificate for mapping and then map the certificate to a user
account. You can use two types of mapping. Each has advantages and disadvantages:

• One-to-one mapping— This method maps each individual certificate to each
individual account. It is best used on small networks with few users. It can
provide greater control of certificate usage and revocation. This method could
become cumbersome on large networks.
• Many-to-one mapping— This method is best used on large networks. You can
create one or more matching rules that map certificates to one or more Windows
user accounts. The disadvantage of this method is that you could provide
unintended access to resources if you don't tightly manage the mappings.
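The trade-off between the two mapping types, as an added example that is not from the book or from IIS: certificates are reduced to their subject and issuer fields plus a constructed thumbprint, one-to-one entries are matched by thumbprint, and many-to-one rules are field conditions. The audit function shows how a rule that only checks the issuer admits more than intended.

```python
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    """Only the fields a mapping rule looks at; thumbprints are constructed."""
    thumbprint: str
    subject: dict
    issuer: dict


def rule_matches(rule, cert):
    """A many-to-one rule is a set of field=value conditions that must all hold.
    Keys look like "subject.O" or "issuer.CN"."""
    for key, wanted in rule.items():
        part, attr = key.split(".", 1)
        fields = cert.subject if part == "subject" else cert.issuer
        if fields.get(attr) != wanted:
            return False
    return True


def audit_rule(rule, certs):
    """CNs a rule would admit. Review this before trusting a rule: a rule that
    only checks the issuer admits every certificate that CA ever issued."""
    return [c.subject.get("CN") for c in certs if rule_matches(rule, c)]


@dataclass
class CertMapper:
    one_to_one: dict = field(default_factory=dict)   # thumbprint -> account
    many_to_one: list = field(default_factory=list)  # (rule, account), first match wins

    def add_one_to_one(self, cert, account):
        self.one_to_one[cert.thumbprint] = account

    def add_rule(self, rule, account):
        self.many_to_one.append((rule, account))

    def revoke(self, thumbprint):
        """One-to-one entries can be withdrawn per certificate; a rule cannot
        exclude one certificate without being rewritten."""
        return self.one_to_one.pop(thumbprint, None)

    def map_account(self, cert):
        """Exact thumbprint match first, then rules in order; None means no logon."""
        if cert.thumbprint in self.one_to_one:
            return self.one_to_one[cert.thumbprint]
        for rule, account in self.many_to_one:
            if rule_matches(rule, cert):
                return account
        return None


# Constructed population: two developers and a contractor, all issued by the
# same (constructed) CA, which is exactly what a loose rule cannot tell apart.
ISSUER = {"CN": "MTX Issuing CA", "O": "MTX Inc."}
ALICE = ClientCert("a1" * 20, {"CN": "Alice", "O": "MTX Inc.", "OU": "Development"}, ISSUER)
BOB = ClientCert("b2" * 20, {"CN": "Bob", "O": "MTX Inc.", "OU": "Development"}, ISSUER)
VENDOR = ClientCert("c3" * 20, {"CN": "Vendor Tech", "O": "Partner Ltd", "OU": "Support"}, ISSUER)
CERTS = [ALICE, BOB, VENDOR]

LOOSE_RULE = {"issuer.CN": "MTX Issuing CA"}
TIGHT_RULE = {"issuer.CN": "MTX Issuing CA", "subject.O": "MTX Inc.", "subject.OU": "Development"}


def build_mapper():
    """Alice gets a one-to-one mapping; everyone else must satisfy TIGHT_RULE."""
    mapper = CertMapper()
    mapper.add_one_to_one(ALICE, "MTX\\alice")
    mapper.add_rule(TIGHT_RULE, "MTX\\webdevs")
    return mapper


if __name__ == "__main__":
    print("loose rule admits:", audit_rule(LOOSE_RULE, CERTS))
    print("tight rule admits:", audit_rule(TIGHT_RULE, CERTS))
    m = build_mapper()
    for cert in CERTS:
        print(cert.subject["CN"], "->", m.map_account(cert))
```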

UNC Passthrough
With UNC Passthrough authentication, the system examines the credentials required to
gain access to the Universal Naming Convention (UNC) share on the remote computer.
The system then looks at the request from the user and examines the metabase to
determine whether the user possesses the appropriate credentials. If the username and
password match, the user is granted access. If the password is not valid, the user is
denied access to the share. If the username and password do not exist in the metabase,
the system relies on the other methods of authentication you specify.

RADIUS
Remote Authentication Dial-In User Service (RADIUS) is an industry-standard protocol
described in RFCs 2865 and 2866. It is used to provide centralized authentication,
authorization, and accounting between multiple remote access servers. To use RADIUS,
you first install the Internet Authentication Service (IAS) onto a member of the Windows
Server 2003 family. You then configure your remote access servers to become clients to
the server that hosts the IAS. The RADIUS protocol then coordinates with your Active
Directory to provide for the authentication of the remote access clients and provides for
the authorization to use resources. The main advantage of RADIUS authentication is that
organizations that have many RAS servers can centralize the authentication,
authorization, and accounting. Remote access policies can be maintained on one server
to ensure that they are uniform across an organization. Wireless access points (WAPs)
can also become RADIUS clients and allow for authentication through Active Directory.

RADIUS clients are typically dial-up servers, virtual private network (VPN) servers,
or WAPs.

.NET Passport
The .NET Passport authentication method is new to Windows Server 2003. Clients are
authenticated through the central servers provided by Microsoft. You only need to
configure the default domain to locate the user on the central servers. When the client
attempts to authenticate and the server is set to .NET Passport authentication, the
request is sent in encrypted form to the central servers maintained by Microsoft at
www.passport.net. The user is then authenticated based on the account information on
www.passport.net's servers at the default domain that you configured, as shown in
Figure 5.4. This does not give the client any permissions, but only authenticates the
client. The servers that host each Web site control permissions locally.

Figure 5.4. .NET Passport uses central servers maintained by
Microsoft to authenticate a user.

You need to understand the difference between authentication and authorization.
Authentication is the process of proving that you are who you say you are.
Authorization involves determining what you are allowed to do, based on permissions,
after you have been authenticated.

Designing Security for IIS
As mentioned previously, IIS 6.0 installs with security in mind. In fact, IIS 6.0 is not
installed by default on any member of the Windows Server 2003 family. This is to
prevent the unintentional installation of the service. When you install IIS, it is initially
installed in a locked-down mode and provides access only to static content. Features
such as Active Server Pages (ASP), ASP.NET, and Web Distributed Authoring and
Versioning (WebDAV) publishing do not work until you specifically enable them.

IIS does not install by default on any member of the Windows Server
2003 family.

Your goal is to enable only the services that your users require while maintaining as
much of the locked-down mode as possible. This requires that you understand and are
able to implement the following tasks:

• Designing security for Web sites
• Designing a monitoring strategy
• Designing an IIS baseline
• Designing a content management strategy

Designing Security for Web Sites

As mentioned previously, the default installation of IIS 6.0 only provides access to static
content on Web servers. This means that any site you create will function as long as the
users are simply gaining access to static content. If the site requires that applications
such as ASP, ASP.NET, WebDAV publishing, or server-side includes (SSI) run, you have
to allow these services to run using the tools provided by IIS. You can control access to
Web sites and their use with the following tools:

• Web service extensions
• NTFS
• Web site permissions
• IP address restrictions

Web Service Extensions

To allow services such as ASP to run, open the Web Service Extensions node in IIS 6.0,
select the service, and then select Allow. In addition to the Web services extensions
listed by default, you can add new Web service extensions and specify the files required
to run them, as shown in Figure 5.5. In this way, you can enable only the necessary
executable files and DLLs to run. This allows you to run your applications while keeping
the system locked down to attackers who might otherwise attempt to run executables on
your servers.

Figure 5.5. Web service extensions give you complete control of
the executable files that can be run on your IIS server.

NTFS

Just as with other files and directories, you can use NTFS permissions to limit a user's
access to files and directories stored on a Web server. Users should not have Read
access to any file that they have no permissions to use.

Web Site Permissions

Web site permissions are specific to a site and apply to all users accessing the site
regardless of any individual permissions they might have. Web permissions control
access to the virtual directories where the folders and files are stored. Web site
permissions are found on the Home Directory tab of a site's properties and include Read,
Write, Script source access, and Directory browsing, as shown in Figure 5.6.

Figure 5.6. Web site permissions are specific to a site and apply to
all users accessing the site regardless of any individual
permissions they might have.

IP Address Restrictions

Using IP address restrictions, you can deny any IP address or subnet from gaining access
to the virtual directories of your Web site that store files and folders. In this way, you can
control access to users on your intranet and from the Internet as well. IP address
restriction settings are shown in Figure 5.7.

Figure 5.7. You can permit or deny access to your site by IP address or subnet
address.

Designing a Monitoring Strategy

You need to establish a monitoring strategy to ensure that the system remains as
functional as possible. Overused resources result in slow responses to the user. Your goal
should be to keep the response times to a minimum.

You can use the tools provided by Windows Server 2003 to establish a baseline, which
indicates what a "healthy" IIS server looks like in respect to the main resources that all
servers use. You can then use the baseline to determine whether the server is
performing as expected. The following is a list of tools that you can use to monitor the
IIS server and the general use of each tool:

• System Monitor— You can use this built-in Microsoft Management Console
(MMC) to establish a baseline. It can then be used to determine the cause of
bottlenecks and to fine-tune system and application performance by comparison
to the baseline.
• Event Viewer— You can use this tool to log service records, such as errors, or
even the successful starting of a service. Working automatically in the
background, this tool creates a log that you can use to determine the series of
events that preceded a problem.
• Network Monitor— You can use this tool to capture a packet stream and
examine the packets in detail. An abbreviated version is built in to Windows
Server 2003, but a complete version comes with Microsoft Systems Management
Server.
• Log Manager— You should design a Web site with growth in mind. This tool
provides for capacity planning and helps determine the parts of the IIS server that
are most likely to be affected by growth.
• Web Application Stress Tool— You can use this tool to generate loads on
various Internet services to simulate multiple browsers requesting pages. This
simulation can be used to test a system before its deployment to production or to
determine the likely effects of growth over time.

Designing an IIS Baseline
Although every business has its own goals in relation to the performance of an IIS
server, you can follow some guidelines to enhance the productivity of any server. As
mentioned previously, you should measure the performance of your server over time
against a previously established baseline. To help ensure the validity of your baseline,
the following sections discuss guidelines for the critical resources of your server and the
tools built in to the server that you can use to maximize your resources.

System Monitor Performance Counters for IIS

As with any server, the main resources that IIS servers use are those of processor,
memory, disk subsystem, and network subsystem. Windows Server 2003 System Monitor
has many counters that relate to these critical resources. Tuning an IIS server is as much
of an art as it is a science. Sometimes, it's a matter of trial and error to get the right
balance. Having said that, there are some counters that have a standard learned over
time and tested by network administrators. You need to be familiar with the counters in
Table 5.1.

Table 5.1. System Monitor Performance Counters for IIS

Object\Counter                                            Ideal Value
Memory\Pages/sec                                          0–20 (if over 80, this indicates a problem)
Memory\Available Bytes                                    At least 20MB
Memory\Committed Bytes                                    Not more than about 75% of physical memory size
Processor\% Processor Time                                Less than 75%
System\Processor Queue Length                             Four or less
(Logical or Physical) Disk\% Disk Time                    As low as possible
(Logical or Physical) Disk\Avg. Disk Queue Length         Less than 4
(Logical or Physical) Disk\Avg. Disk Bytes Transfer/sec   As high as possible
WWW Service Cache\File Cache Hits                         As high as possible (indicates static content)
WWW Service Cache\Kernel:URI Cache Misses                 As low as possible
WWW Service Cache\Kernel:URI Cache Hits %                 As high as possible (indicates static content)
Active Server Pages\Request Wait Time                     As low as possible
Active Server Pages\Requests Queued                       As low as possible
Active Server Pages\Transactions/sec                      As high as possible
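A baseline is only useful if something compares new readings against it. The following added example (not from the book) encodes the Table 5.1 ideals: rows with a number become fixed checks, and "as low/high as possible" rows are judged by drift from a baseline sample. Input is a constructed typeperf-style CSV; the server name WEB01 and the 512MB physical memory figure are assumptions.

```python
import csv
import io
import re

MB = 1024 * 1024

# Table 5.1 rows without a numeric ideal: judged against the baseline instead.
LOWER_IS_BETTER = (
    r"Disk\% Disk Time",
    r"WWW Service Cache\Kernel:URI Cache Misses",
    r"Active Server Pages\Request Wait Time",
    r"Active Server Pages\Requests Queued",
)
HIGHER_IS_BETTER = (
    r"Disk\Avg. Disk Bytes Transfer/sec",
    r"WWW Service Cache\File Cache Hits",
    r"WWW Service Cache\Kernel:URI Cache Hits %",
    r"Active Server Pages\Transactions/sec",
)


def parse_pdh_csv(text):
    r"""Parse a typeperf/logman style CSV and return the last sample as
    {counter: float}. Headers look like \\WEB01\Processor(_Total)\% Processor Time;
    the machine prefix and the (instance) are dropped so names match Table 5.1."""
    rows = list(csv.reader(io.StringIO(text.strip())))
    header, last = rows[0], rows[-1]
    sample = {}
    for name, value in zip(header[1:], last[1:]):
        counter = name.split("\\", 3)[3] if name.startswith("\\\\") else name
        counter = re.sub(r"\([^)]*\)", "", counter)
        sample[counter] = float(value)
    return sample


def fixed_rule(counter, value, physical_memory_bytes):
    """Table 5.1 rows with a numeric ideal. Returns a message or None."""
    if counter == r"Memory\Pages/sec":
        if value > 80:
            return "Pages/sec over 80 indicates a memory problem"
        if value > 20:
            return "Pages/sec above the ideal 0-20 range"
    elif counter == r"Memory\Available Bytes" and value < 20 * MB:
        return "less than 20MB available"
    elif counter == r"Memory\Committed Bytes" and value > 0.75 * physical_memory_bytes:
        return "committed bytes exceed 75% of physical memory"
    elif counter == r"Processor\% Processor Time" and value >= 75:
        return "processor time not below 75%"
    elif counter == r"System\Processor Queue Length" and value > 4:
        return "processor queue length above four"
    elif counter.endswith(r"Disk\Avg. Disk Queue Length") and value >= 4:
        return "disk queue length not below 4"
    return None


def drift_rule(counter, value, baseline_value, tolerance):
    """Flag drift beyond tolerance (a fraction) in the wrong direction from baseline."""
    if baseline_value is None:
        return None
    if any(counter.endswith(k) for k in LOWER_IS_BETTER) and value > baseline_value * (1 + tolerance):
        return f"{value:g} is more than {tolerance:.0%} above baseline {baseline_value:g}"
    if any(counter.endswith(k) for k in HIGHER_IS_BETTER) and value < baseline_value * (1 - tolerance):
        return f"{value:g} is more than {tolerance:.0%} below baseline {baseline_value:g}"
    return None


def evaluate(current, baseline, physical_memory_bytes, tolerance=0.5):
    """{counter: message} for each reading outside Table 5.1 or drifting from baseline."""
    findings = {}
    for counter, value in current.items():
        msg = fixed_rule(counter, value, physical_memory_bytes) or drift_rule(
            counter, value, baseline.get(counter), tolerance)
        if msg:
            findings[counter] = msg
    return findings


# Constructed samples in typeperf CSV layout (header row, then one sample row).
COUNTERS = [r"Memory\Pages/sec", r"Memory\Available Bytes",
            r"Processor(_Total)\% Processor Time",
            r"Active Server Pages\Requests Queued", r"WWW Service Cache\File Cache Hits"]


def make_csv(timestamp, values):
    header = ",".join(['"(PDH-CSV 4.0)"'] + [f'"\\\\WEB01\\{c}"' for c in COUNTERS])
    row = ",".join([f'"{timestamp}"'] + [f'"{v}"' for v in values])
    return header + "\n" + row + "\n"


BASELINE_CSV = make_csv("05/03/2004 09:00:00.000", [5, 120000000, 35, 0, 900])
CURRENT_CSV = make_csv("05/03/2004 14:00:00.000", [95, 15000000, 40, 12, 300])

if __name__ == "__main__":
    base, cur = parse_pdh_csv(BASELINE_CSV), parse_pdh_csv(CURRENT_CSV)
    for counter, msg in evaluate(cur, base, 512 * MB).items():
        print(f"{counter}: {msg}")
```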

Quality of Service Controls Built In to IIS

Quality of Service (QoS) is a general term that encompasses a set of standards and
methods that an organization uses to maintain a specific level of quality, integrity, and
performance in its servers. In regard to Microsoft IIS, QoS is a set of data transmission
standards that an IIS server must meet to be effective in a network. To assist in meeting
these standards and in making the most of any level of resources that a company
currently has, IIS 6.0 has controls built in to the software that can be used to conserve
resources where needed and provide more resources when needed. Most of these can be
controlled from the property tabs on a server or site. The following list describes the
controls and their general use to make the most of available resources:

• Limiting connections— You can restrict the number of simultaneous connections
to your Web server and to each site on your Web server, as shown in Figure 5.8.

Figure 5.8. You can limit the number of simultaneous connections to a site that
has restricted resources.

• Setting connection timeouts— You can force the server to time out and break
the connection after a set amount of idle time. This frees up the resources for
another user.
• Utilizing HTTP compression— You can provide faster transmission time
between compression-enabled browsers and IIS servers by using this service. It is
useful in situations with limited bandwidth; however, it uses processor cycles to
compress and decompress the transmissions.
• Throttling bandwidth— When your Web server hosts multiple services and/or
multiple sites, you can set the amount of bandwidth that is available for each site.
This is determined by experience on your own server. If used, it must be set to at
least 1024 kilobytes/second. Figure 5.9 shows bandwidth throttled to 2000
kilobytes/second.

Figure 5.9. You can throttle the bandwidth on each site on
servers that host multiple sites or multiple services.

• Enabling HTTP keep-alives— You can browse to multiple elements on your
server or site without making a separate request for each element. It is enabled
by default on all servers and sites. You can disable this service as part of taking
down the site for changes or maintenance.
• Enabling CPU monitoring— You can monitor and automatically shut down
worker processes that consume large amounts of CPU time. It can be set by the
application pool.
• Configuring application pool queue length limits— You can protect the
requests that have already been sent to a server by limiting the number of
requests that the server will queue. Requests that are over the amount receive an
error 503 response and can try again. Those that are already in the queue are
processed and unaffected by the overrun of the queue limits.

Designing a Content Management Strategy

In previous versions of IIS, content management was more difficult than it is in IIS 6.0.
Without careful management, one application's crashing could bring down many
applications on the same server. One of the best new features of IIS 6.0 is its capability
to use Web application isolation to separate applications running on an IIS server by
process boundaries. These process boundaries prevent one application from affecting
another application. Web application isolation can be configured differently for each of
two IIS isolation modes—worker process isolation mode and IIS 5.0 isolation mode.

Worker Process Isolation Mode

With IIS 6.0 running in worker process isolation mode, you can group Web applications
into application pools. Application pools do two things. First, they allow the groups of
applications to be configured with uniform settings and security as needed by the related
applications. Second, they can be used to isolate one application from another so that
one application's failing has no effect on another, unrelated application, even if the two
applications are on the same server. You can add applications to existing pools or create
new pools in IIS Manager, as shown in Figure 5.10.

Figure 5.10. You can add applications to existing pools or create
new pools in IIS Manager.

IIS 5.0 Isolation Mode

This mode is provided for backward compatibility with IIS 5.0 servers. You can use the
AppIsolated property setting for each application. Options are similar to IIS 5.0, and
include low, medium, and high isolation settings. You need to configure each application
in this mode and take great care in regard to security. Applications that are configured in
low isolation mode use the LocalSystem identity. This means that if an attacker were to
succeed in taking over the application, he would then have access to all of the resources
on the server. Because of the additional security risks with IIS 5.0 isolation mode, you
should use worker process isolation mode whenever possible.

Designing Security by Server Role
Windows Server 2003 provides two new tools called the Configure Your Server Wizard
and the Manage Your Server Wizard, both of which assist you in configuring the
appropriate settings for functionality and security for any server role. The Configure Your
Server Wizard starts automatically following the installation of any member of the
Windows Server 2003 family. The wizard asks a series of questions and performs tasks
based on the role that you are configuring, as shown in Figure 5.11. After you have set
up the server role, the Manage Your Server Wizard starts automatically.

Figure 5.11. The Configure Your Server Wizard starts automatically on any
member of the Windows Server 2003 family.

The Manage Your Server Wizard lists the roles that the server is currently performing and
provides quick reference tools to assist in performing the role. For example, a server that
is performing as a print server has options for additional printers and additional drivers in
the Manage Your Server Wizard. These options are links that connect you to the normal
tools used to manage these configurations. The Manage Your Server Wizard also has a
quick link to Administrative Tools, Windows Update, Help and Support, and Microsoft
TechNet on the Web. Figure 5.12 shows the Manage Your Server Wizard.

Figure 5.12. The “Manage Your Server Wizard” lists the roles that
the server is currently performing.

Although you use the Manage Your Server Wizard to create and update server roles, you
also need to be familiar with the most common security concerns of each server role.
This familiarity will help to ensure that you don't miss any important steps in
configuration by simply following the wizard. Therefore, you need to become familiar with
the following sections.

Defining a Baseline Security Template for All Systems

In today's environment of changing technological requirements, it's increasingly difficult
to keep up with the latest security updates. Microsoft has provided new tools to assist
you in making certain you have the latest security updates and patches on your clients
and servers. One of these tools, Software Update Services (SUS), was discussed in
Chapter 3, "Designing Strategies for Security Management." You need to have a system,
such as SUS, that keeps your servers' security up to date.

To automate the process of checking your systems to ensure that the latest service packs
and security updates are installed, Microsoft has provided another tool called the
Microsoft Baseline Security Analyzer (MBSA). MBSA is a tool that allows you to scan one
or more clients or servers for common security misconfigurations and the installation of
the latest security update. MBSA automatically checks the operating system and other
installed components such as IIS. MBSA can perform local or remote scans of all of the
servers in the Windows Server 2003 family. It can also perform local scans of other NT
kernel-based Microsoft operating systems, including Windows NT 4.0, Windows 2000,
and Windows XP. You can use MBSA in addition to SUS to ensure that all of your servers
and clients have the latest security updates. Figure 5.13 shows MBSA configured to scan
all applicable computers in an entire domain.

Figure 5.13. The MBSA tool.

Modifying Baseline Security Templates According to Server Roles

Although the process of providing general security for all servers can now be somewhat
automated, you still need to understand that the role of the server affects the emphasis
of security in regard to the information that it contains or the services that it provides. In
other words, the catchall security measures are important, but you also need to fine-tune
your security for each server based on its role on your network. Some servers play only
one role, whereas others might play multiple roles. It's important to understand each of
the roles that a server can play and how security templates might be affected in regard
to these roles.

The main roles that a server can play on your network are as follows:

• Domain controller
• File server
• DNS server
• DHCP server
• WINS server
• Terminal server
• Mail server
• IIS server

Domain Controller

Domain controllers store directory data and manage communication between users and
domains. Domain controllers are responsible for logon processes, authentication, and
directory services. The system requires a partition formatted with NTFS for the Sysvol
folder, which is used to replicate domain information. You also need to format all other
partitions on a domain controller with the NTFS file system for additional security. You
can control the security of domain controllers through Group Policy. The domain
controller object is automatically created upon installation in its own organizational unit
(OU) called the Domain Controllers OU. You need to tightly manage the Domain
Controllers OU in regard to security.

File Server

File servers centrally store a user's data so it can be accessed from anywhere on the
network. In addition, file servers are more secure than local storage on a user's
computer because you generally back up a file server on a regular basis. Because file
servers often contain sensitive information, you need to use volumes formatted with
NTFS. You also need to secure the communications links between the file server and the
clients. Typically, a file server is a member server and not a domain controller. You can
control security of multiple file servers by placing them into the same OU and using
Group Policy.

Domain Name System Server

Domain Name System (DNS) servers are used to resolve user-friendly names to IP
addresses for communication on a network. With Windows 2000 Server and Windows
Server 2003, they also use special records called SRV records to locate servers and
services on the network. Because this information is security sensitive, you need to take
extra precautions in the management of your DNS servers. The DNS servers should only
be managed by the most trained and most trusted of administrators. They are critical to
the function of Active Directory and, therefore, to the entire network. For added security,
use Active Directory integrated DNS zones whenever possible. These provide the greatest
security and minimize zone transfer on a network.

Dynamic Host Configuration Protocol Server

Dynamic Host Configuration Protocol (DHCP) servers increase security and reduce
administrative effort by automatically assigning the appropriate IP address and other
communication address to clients on your network. Because accurate IP addressing
schemes are one of the main targets of an attacker who wants to spoof your network,
keep these servers very secure using NTFS partitions and tight management. In addition,
the communication between these servers and the clients needs to be protected
whenever possible.

Windows Internet Naming Service Server

Windows Internet Naming Service (WINS) is specific to Microsoft and is used to resolve
NetBIOS names to IP addresses for legacy clients, servers, and applications. Windows
2000 Server and Windows Server 2003 have replaced NetBIOS names by using SRV
records, but you still need to use a WINS server if any of your clients, servers, or
applications still use NetBIOS names. Without a WINS server, the NetBIOS names would
be resolved only by broadcasting within each subnet. Because the information contained
on WINS servers can be sensitive, you need to secure your WINS servers and the
communications. As soon as you have no clients, servers, or applications using NetBIOS
name resolution, you should stop using the WINS server and uninstall the service.

Terminal Server

Terminal servers allow you to use client machines that could not otherwise support the
Windows Server 2003 operating system or installed applications. The client is, in
essence, a dumb terminal, and all of the processing is actually done on the terminal
server. Terminal Services provides for centralized management of applications because
they can be installed once on the terminal server and changed whenever a need arises.
Windows Server 2003 provides additional security for Terminal Services by requiring that
all Terminal Services users are members of the Remote Desktop Users security group.
You need to use NTFS-formatted volumes for all terminal servers and encrypt
communication between the server and the clients whenever possible. You can set the
encryption policy for terminal server use in Windows Server 2003 Group Policy.

Mail Server

Mail servers are used to implement the protocols of POP3 for mail retrieval and SMTP for
mail transfer. You need to secure communications at your mail server using NTFS
volumes. You can also require that sensitive emails are encrypted using
Secure/Multipurpose Internet Mail Extensions (S/MIME). Each user needs to have their
own mailbox and should be the only user with permissions for that mailbox.

Application Server

Some application servers are also IIS servers, as mentioned previously, but some are
local application servers that can be used for your local network alone. These servers and
the services that they provide need to be secured using NTFS permissions and Group
Policy. The goal is to provide the appropriate application to the appropriate users
transparently. Users who are not permitted to use these applications should not even
have Read permissions for them.

Exam Prep Questions
Case 1: MTX Inc.
MTX Inc. is a medium-size software development company with several locations in the
United States. Because the software development requires extensive collaboration, MTX
wants to use file and application servers that can be easily accessed from anywhere via
the Web. MTX management is concerned about the security of these servers and about
the process of logging on to the servers and authenticating their users. Management is
also concerned that the servers will become a key component of the organization and
they want to stay ahead of the game in maintaining the integrity and the performance of
the servers. MTX has hired you as a consultant to ensure that it is on the right track
regarding IIS security.

Q1 Currently, MTX has many legacy types of browsers, including very early versions of
Internet Explorer and Netscape. If the company is not going to upgrade all
browsers, which authentication method should be used for access to files on a
public access FTP site?

• A. Anonymous
• B. Digest
• C. Advanced Digest
• D. Basic

A1: Answer A is correct. There is no reason to require a password to a public access FTP
site. Digest and Advanced Digest authentication can only be used with Microsoft
Internet Explorer 5.0 or later; therefore, answers B and C are incorrect. Basic
authentication transfers credentials in plain-text form and should only be used as a
last resort; therefore, answer D is incorrect.

Q2 MTX has decided to upgrade all Internet Explorer browsers to at least version 5.5.
The company wants to use IIS servers to authenticate users by the accounts in the
Active Directory. MTX does not want to involve any other servers. Which two
methods of authentication could be used?

• A. Certificates
• B. Digest
• C. Advanced Digest
• D. RADIUS

A2: Answers B and C are correct. Digest and Advanced Digest can authenticate the
users if they are logged on to Active Directory. Certificates would require additional
servers and would not necessarily authenticate users by their Active Directory
accounts; therefore, answer A is incorrect. RADIUS authentication would require
remote access servers and an Internet Authentication Server; therefore, answer D
is incorrect.

Q3 You have just installed a new Windows Server 2003, Standard Edition server for
MTX. You installed it with the default options, and you now want to configure the
server to use ASP applications. What should you do next?

• A. Enable ASP through Web services extensions.
• B. Open the ports for HTTP static content.
• C. Configure Web site permissions for ASP content.
• D. Install IIS.

A3: Answer D is correct. With a default installation of any member of the Windows
Server 2003 family, IIS is not installed. Enabling ASP through Web services cannot
be accomplished without an installation of IIS; therefore, answer A is incorrect. ASP
is not static content, and a default installation of IIS opens the ports for static
content; therefore, answer B is incorrect. You cannot configure Web site
permissions without an installation of IIS; therefore, answer C is incorrect.

Q4 MTX has decided to install a certificate server and map accounts for third-party
users who sometimes collaborate on software development. Which two types of
certificate mapping could be used?

• A. One-to-one
• B. UNC Passthrough
• C. Many-to-one
• D. RADIUS

A4: Answers A and C are correct. One-to-one mapping associates each certificate to
each individual account. Many-to-one mapping allows multiple certificates to be
associated to one account or to multiple accounts with one certificate. UNC
Passthrough authentication is based on a username and password and is not a form
of certificate mapping; therefore, answer B is incorrect. RADIUS authentication
uses remote access servers, IAS servers, and domain controllers, and is not a form
of certificate mapping; therefore, answer D is incorrect.

Q5 You have decided to establish a baseline for server performance on your newly
installed Windows Server 2003 IIS 6.0 server. You need information on processor,
memory, disk subsystems, and network subsystems. Which tool should you use?

• A. Performance Monitor
• B. Network Monitor
• C. Event Viewer
• D. System Monitor

A5: Answer D is correct. System Monitor is the tool in Windows 2000 Server and
Windows Server 2003 that is used to create counters and to gather information so
as to establish a baseline of performance for memory, processor, disk subsystem,
and network subsystem. Performance Monitor was used in Windows NT 4.0;
therefore, answer A is incorrect. Network Monitor can be used to examine traffic at
the packet level but not to establish a baseline of performance; therefore, answer B
is incorrect. Event Viewer creates logs that are useful for troubleshooting but not
for creating a baseline; therefore, answer C is incorrect.

Q6 Which two counters should you try to minimize to obtain the best performance from
an IIS server?

• A. % disk time
• B. Disk avg. bytes transfer/sec
• C. File cache hits
• D. Request queued

A6: Answers A and D are correct. Minimizing % disk time means that faster methods
such as memory caches are being used more often. Minimizing requests queued
means that requests are being processed fast enough so as not to have to wait.
You should maximize disk avg. bytes transfer/sec by using the fastest drives
available; therefore, answer B is incorrect. You should maximize file cache hits to
increase performance because cache is comparatively faster than other data
transfer methods; therefore, answer C is incorrect.

Q7 You want to ensure that after a user has authenticated to your server, he is free to
browse all of the sites to which he has permission without being asked to
authenticate again at each site. Which service should you ensure is enabled?

• A. Application pool queue length limits
• B. HTTP session timeout
• C. HTTP keep-alives
• D. HTTP compression

A7: Answer C is correct. HTTP keep-alives allow a user to authenticate to your server
once and browse all of the sites to which he has permission without requiring him
to authenticate again. Application pool queue length limits are used to ensure
maximum resource usage with application pools by setting a limit on users who can
wait for services; therefore, answer A is incorrect. Session timeouts control the
amount of time that a user can remain inactive but still be logged on to the server;
therefore, answer B is incorrect. HTTP compression speeds up connections as long
as the server and the browser are both configured for it and their processors can
handle the load; therefore, answer D is incorrect.

Q8 You have decided to upgrade all IIS servers to version 6.0. You have some
browsers that use version 5.0 and some that use 6.0. You want to use the most
secure and stable form of isolation for your IIS application servers. Which isolation
mode should you use?

• A. Worker process
• B. IIS 5.0
• C. MBSA
• D. Advanced Digest

A8: Answer A is correct. Because the IIS servers are using version 6.0, you can use
worker process isolation mode. This provides for complete isolation of the
application in its own application pools. You should use worker process isolation
mode instead of IIS 5.0 because you have IIS 6.0 on the server; therefore, answer
B is incorrect. MBSA is a baseline analyzer tool and not an isolation mode;
therefore, answer C is incorrect. Advanced Digest is a form of authentication for IIS
and not an isolation mode; therefore, answer D is incorrect.

Q9 You have decided to establish a baseline for security on all of your servers. You
want to ensure that you have the latest service packs and security updates for all
servers. You want to automate the process of scanning the servers for the
appropriate updates and for security misconfigurations. Which tool should you use?

• A. IIS lockdown tool
• B. MBSA
• C. SUS
• D. regedt32.exe

A9: Answer B is correct. MBSA is a tool that automatically scans for the latest service
packs, security updates, and any security misconfigurations. The IIS lockdown tool
is used to secure IIS servers previous to version 6.0; therefore, answer A is
incorrect. SUS is a service that automatically updates servers and clients with the
latest service packs, not a tool used to scan for service packs and security
misconfigurations; therefore, answer C is incorrect. regedt32.exe is the executable
file used to access the Registry in the most secure mode; therefore, answer D is
incorrect.

Q10 Which servers resolve names to IP addresses and, therefore, require additional
security measures? (Choose two.)

• A. DNS
• B. WINS
• C. DHCP
• D. IIS

A10: Answers A and B are correct. DNS servers resolve user-friendly names to IP
addresses. WINS servers resolve NetBIOS names to IP addresses. Both, therefore,
require additional security measures to keep data safe from attackers. DHCP
servers assign IP addresses to clients but do not resolve IP addresses; therefore,
answer C is incorrect. IIS servers sometimes use IP addresses to assign a site or a
filter but do not resolve names to IP addresses; therefore, answer D is incorrect.

Chapter 6. Designing an Access Control Strategy for Data

Terms you'll need to understand:

• Delegation of Control
• Auditing
• A G U DL P
• Permissions
• Rights

Techniques you'll need to master:

• Designing an access control strategy for directory services
• Designing an access control strategy for files and folders
• Designing an access control strategy for the Registry

The main purpose of a network is to share resources, which include hardware, software,
applications, and information. Your network needs to be designed to allow for this as
transparently as possible for those who have authorization. At the same time, your
design needs to prevent those who are not authorized from using or even viewing the
objects in your directory. Windows Server 2003 provides a structure that assists you in
designing your access control strategy. In this chapter, we examine this built-in structure
and its relation to access control in the following key areas:

• Designing an access control strategy for directory services
• Designing an access control strategy for files and folders
• Designing an access control strategy for the Registry

Designing an Access Control Strategy for Directory Services

The design of each network is unique in regard to access control. Many factors can affect
your decisions, such as whether you want to manage the entire network yourself or
delegate some responsibility, and how sensitive the information is and how tightly you
need to control access to it. Some standards are built in to Windows Server 2003 servers
that you can follow. You need to understand access control strategy in regard to the
following concepts:

• Creating a delegation strategy
• Analyzing auditing requirements
• Designing an appropriate group strategy for accessing resources
• Designing a permission structure for directory service objects

Creating a Delegation Strategy

Your job as a network administrator is to control all aspects of the functionality and data
on your network. This can be a monumental task on a large network. For example, your
network might include many different geographical locations, making management by
one person a difficult task. Also, a manager at a remote location might know better than
you what type and level of network management is needed at that location. For these
reasons, network administrators sometimes delegate the ability to manage certain
aspects of a network to other managers.

Delegation of Control does not mean that you are shifting responsibility. You are still
responsible for overall network management and need to follow up on any tasks that you
delegate.

In Windows Server 2003, a user does not have to be a network administrator to handle
some network management tasks. You can use the structure of the system to delegate
the necessary control over only the appropriate objects and attributes for each user that
you designate. Windows Server 2003 Active Directory provides the means to control
every object's access to every other object. To create an effective delegation strategy,
you need to understand the concept and the use of the following components of Active
Directory:

• Objects
• Organizational units (OUs)
• Discretionary access control lists (DACLs)
• Delegation of Control Wizard

Objects

Basically, everything in Active Directory is an object. This includes users, computers,
resources, Group Policies, and even connections. Each of these objects is fully
controllable as to what it can do to other objects and what other objects can do to it. You
can place objects into containers, such as domains, OUs, and sites to better manage
those objects. You can create new objects when needed to represent the physical or
logical characteristics of your network. Each object is unique and is represented to your
Active Directory with a security descriptor. Even if you were to delete an object and re-
create an object with the same name, the new object would be totally new to your Active
Directory.

Organizational Units

An organizational unit (OU) is a container that is used to group objects into logical units.
OUs have two primary purposes. First, OUs are used to control the distribution of Group
Policies to groups of computers and users. Second, OUs are used to delegate
administrative authority. You can delegate to a user the right to manage all of the
objects that are in a certain OU. You can then determine which objects you place into the
OU.

Discretionary Access Control Lists

As we discussed previously, every object in Active Directory is fully controllable. The
discretionary access control lists (DACLs) provide this control. Each object has its own
DACL, and each DACL has a set of access control entries (ACEs) that can be set to allow
or to deny permissions to another object in Active Directory. These permissions include
Full Control, Read, Write, Create All Child Objects, Delete All Child Objects, and many
other Special Permissions. You can implicitly deny permissions by simply not allowing
them, or you can explicitly deny permissions by selecting Deny. Figure 6.1 shows a
DACL.

Figure 6.1. Each object in Active Directory has its own discretionary access control list.

You need to be careful about explicitly denying any permissions because an explicit Deny
applied to a user or group overrides any other permissions that user might have had
through another group membership.

Delegation of Control Wizard

As you might have noticed, the DACLs can be complex and confusing in regard to the
correct settings to apply for a desired result. For this reason, the Delegation of Control
Wizard focuses instead on the desired result. You simply select the tasks that you want
the user to be allowed to perform, and the wizard changes the DACLs so that the user
has the permissions to perform the selected tasks.

You access the Delegation of Control Wizard by right-clicking a selected container in
Active Directory Users and Computers or Active Directory Sites and Services and then
clicking Delegate Control. You can then choose the user or group to which you want to
delegate control. Next, you choose tasks from a list or you can create a custom task.
Figure 6.2 shows the Delegation of Control Wizard. You can only use the wizard to give
additional permissions, not to take them away. To take away control, you need to modify
the appropriate DACLs manually.

Figure 6.2. The Delegation of Control Wizard focuses on the tasks being delegated and
sets the DACLs automatically.

You can use the Delegation of Control Wizard to add tasks that a user
is delegated to perform, not to take away control. To remove control,
you need to modify the DACLs manually.

Analyzing Auditing Requirements

As mentioned previously, you are responsible for controlling access to all data on your
network. Some data is not confidential or sensitive and is simply the information that is
exchanged in day-to-day business in an organization. Other data might be more private
or even confidential, as we discussed in Chapter 1, "Creating the Conceptual Design for
Network Infrastructure Security." You need to prevent unauthorized access to
confidential and private data by assigning permissions only to the appropriate individuals.
We discuss strategies for assigning permissions in the section titled "Designing an Access
Control Strategy for Files and Folders" later in this chapter. In addition, you need to
create an audit policy to ensure that you know and can prove who has accessed the
servers, folders, and files that contain the confidential or private data.

Your audit policy can contain entries to record the success and/or failure of gaining
access to any file, folder, or server on your network. Although auditing successes might
be helpful to prove that a user has breached your security, auditing failures is actually
more proactive because you might discover attempts to breach your security before a
security breach has actually occurred. All audit results are recorded in the security log of
Event Viewer.

You need to understand that you cannot audit everything because it isn't practical from a
resource standpoint. Auditing consumes resources, such as processor and memory, and
reviewing audit logs takes time. Therefore, you need to set your audit policy based on
your own experience and understanding of the security needs of your own network.

You can set the audit policy for a computer through the Local Security Policy settings on
that computer, or you can control multiple computers on your network using Group
Policy. You need to be familiar with the following audit policy settings that relate to
directory services:

• Account logon events
• Account management
• Directory service access
• Logon events
• Policy change
• Privilege use

Account Logon Events

This setting only applies to domain controllers. It audits the computer's validation of a
user account that was logging on from another computer. You need to apply this setting
on domain controllers if you suspect that individuals other than valid users are gaining
access or attempting to gain access to your network.

Account Management

Account management audits each event in which a user account or group is created,
renamed, disabled, enabled, deleted, or changed. In addition, it audits user password
changes. You can apply this setting to an individual computer or to a group of computers
using Group Policy. You need to apply this setting if you suspect that invalid accounts are
being created or accounts are being tampered with on your network.

Directory Service Access

This setting combines with the individual setting on an Active Directory object. If you
select this setting, the system will examine each object's system access control list
(SACL) to determine what auditing is required. You need to use this setting for specific
auditing of a particular object or group of objects.

Logon Events

Logon events apply to the local logon on the computer to which the policy is applied. You
need to apply this setting if you feel that a user is inappropriately logging on to a
computer and gaining access to data and information.

Policy Change

This setting determines whether you will audit any changes to user rights assignment
policies, audit policies, or trust policies. You need to apply this setting if you feel that a
delegated administrator is attempting to change or is changing the policies that you have
created.

Privilege Use

Privilege use applies to a user exercising a user right. You only need to audit this setting
if you feel that a user is exceeding his given rights. In that case, you might want to apply
the setting to a specific container using Group Policy or to a specific suspected user. This
setting generates a large amount of data because the users are given many rights on a
typical network.

Designing an Appropriate Group Strategy for Accessing Resources

As a general rule, you need to avoid assigning permissions to individual users for each of
the resources that they use. Instead, assign permissions to groups of users. In the long
term, this method saves you time and makes troubleshooting permissions much easier.
The type of groups that you can use to assign permissions depends upon whether the
user accounts are located on a computer or in the Active Directory of a domain. For
domain accounts, your choice of groups also depends on the functional level of the
domain.

In most cases, with accounts located on a single computer in a workgroup, you simply
place the user account into a Local group that exists only on that computer and give the
Local group permissions for the resource. In this way, the user account gains the
permissions by being a member of the Local group. You can remember this method by
the letter sequence of A L P, which translates to "Accounts go into Local groups and then
the Local groups get Permissions."

Assigning permissions for domain accounts in Active Directory is more complicated. First,
the types of groups you can use depend on the functional level of the domain. Second,
the strategy that you use in regard to groups depends on what you want to isolate and
how you want to manage the groups. With domain accounts, in general, you can
remember the sequence of A G U DL P, which translates to "Accounts go into Global
groups, Global groups go into Universal groups, Universal groups go into Domain Local
groups, and the Domain Local groups get the Permissions." Figure 6.3 illustrates this
concept.

Figure 6.3. The acronym A G U DL P applies to domain account group permission
assignments.

Let's take a closer look at all of the types of groups that we can use and how and when
we use them. You need to be familiar with the following domain group types:

• Global groups
• Domain Local groups
• Universal groups

Global Groups

Global groups are created in the Active Directory of one domain but can be placed into
Domain Local groups in any domain or into a Universal group. Global groups can contain
users from the domain in which they are created. They can also contain other Global
groups if the domain is in at least Windows 2000 native mode functional level. This is
called nesting Global groups.

Domain Local Groups

Domain Local groups are created in the Active Directory of one domain and control
access to a resource that is contained in that domain. Domain Local groups can contain
users, but this is not recommended by Microsoft. Instead, Domain Local groups should
contain only Global groups from any domain in an Active Directory forest and Universal
groups if there are some domains that are in at least Windows 2000 native mode
functional level.

Universal Groups

Universal groups can only be created on a domain controller that is in at least Windows
2000 native mode functional level. Universal groups are created in Active Directory but
are not specific to any domain. Universal groups can, therefore, contain members from
any domain and can be used to give access to a resource in any domain. Users can be
members of Universal groups, but this is not recommended by Microsoft. Instead,
Universal group membership should be restricted to Global groups and other Universal
groups.
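
The following Python script is an added example, not code from the book, that models the
A G U DL P chain and the nesting rules for the three group scopes. The forest
(corp.example and dev.example), the account, the group names and the Read permission are
constructed for illustration, and the native-mode flag is treated as one forest-wide setting.

```python
"""A G U DL P group strategy (added example; forest, groups and accounts are constructed)."""
from dataclasses import dataclass, field

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "Global", "Domain Local", "Universal"


@dataclass(frozen=True)
class Account:
    name: str
    domain: str


@dataclass(eq=False)
class Group:
    name: str
    domain: str              # domain in which the group was created
    scope: str               # GLOBAL, DOMAIN_LOCAL or UNIVERSAL
    members: list = field(default_factory=list)


class NestingError(ValueError):
    """A membership that breaks the scope rules described in the text."""


def check_membership(group, member, native_mode):
    """Validate placing `member` (an Account or a Group) into `group`.
    native_mode is True when the domain is at Windows 2000 native mode or higher;
    it is treated as a forest-wide setting here for simplicity."""
    if group.scope == UNIVERSAL and not native_mode:
        raise NestingError("Universal groups exist only in Windows 2000 native mode or higher")
    is_group = isinstance(member, Group)
    if group.scope == GLOBAL:
        # Global groups hold accounts from their own domain, plus nested Global
        # groups of that domain once the domain is in native mode.
        if member.domain != group.domain:
            raise NestingError(f"{group.name}: a Global group only holds objects of its own domain")
        if is_group and member.scope != GLOBAL:
            raise NestingError(f"{group.name}: a Global group can only nest Global groups")
        if is_group and not native_mode:
            raise NestingError(f"{group.name}: nesting Global groups needs native mode")
        return
    # Domain Local and Universal groups hold Global and Universal groups from any domain.
    if not is_group:
        raise NestingError(f"{group.name}: accounts belong in Global groups (A G U DL P)")
    if member.scope == DOMAIN_LOCAL:
        raise NestingError(f"{group.name}: Domain Local groups are not nested in other groups")
    if member.scope == UNIVERSAL and not native_mode:
        raise NestingError(f"{group.name}: Universal members need native mode")


def add_member(group, member, native_mode=True):
    check_membership(group, member, native_mode)
    group.members.append(member)


def groups_of(obj, groups):
    """Every group `obj` belongs to, directly or through nesting."""
    found, frontier = [], [obj]
    while frontier:
        current = frontier.pop()
        for g in groups:
            if g not in found and current in g.members:
                found.append(g)
                frontier.append(g)
    return found


def effective_rights(account, groups, acl):
    """Rights `account` holds on a resource whose ACL maps Domain Local group
    names to permissions (the P of A G U DL P). Permissions on any other scope
    are flagged, since the strategy puts them only on Domain Local groups."""
    rights = set()
    for g in groups_of(account, groups):
        if g.name in acl and g.scope != DOMAIN_LOCAL:
            raise NestingError(f"{g.name}: assign permissions to Domain Local groups")
        rights |= acl.get(g.name, set())
    return rights


def build_scenario(native_mode=True):
    """Constructed two-domain forest: alice in corp.example needs Read on a
    resource hosted in dev.example."""
    alice = Account("alice", "corp.example")
    g_dev = Group("G-Developers", "corp.example", GLOBAL)
    u_dev = Group("U-AllDevelopers", "corp.example", UNIVERSAL)
    dl_src = Group("DL-SourceRead", "dev.example", DOMAIN_LOCAL)
    add_member(g_dev, alice, native_mode)     # A -> G
    add_member(u_dev, g_dev, native_mode)     # G -> U
    add_member(dl_src, u_dev, native_mode)    # U -> DL
    acl = {"DL-SourceRead": {"Read"}}         # DL -> P
    return alice, [g_dev, u_dev, dl_src], acl


if __name__ == "__main__":
    alice, groups, acl = build_scenario()
    print("alice gets:", effective_rights(alice, groups, acl))
```

Running build_scenario(native_mode=False) raises NestingError at the Universal group step, which is
the mixed-mode limitation the text describes.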

Designing a Permission Structure for Directory Service Objects

Windows Server 2003 servers are flexible in regard to the assignment of permissions for
Active Directory objects. As we said before, every object is controllable as to what it can
do to other objects and what other objects can do to it. Microsoft recommends best
practices when assigning permissions to Active Directory objects. These best practices
focus on the strengths of the system and are designed to provide the greatest security
with the least effort. You need to be familiar with the following best practices for
directory service access permissions:

• Avoid taking away the default permissions— Leave the default permissions in
place and add to them, if necessary. Taking away default permissions can cause
unexpected results.
• When delegating control, avoid granting Full Control— If you give a user
Full Control, she can undo the configuration that you have carefully put into place.
Instead, give her the minimum permissions that she needs to perform the tasks
that you have assigned her.
• Remember the inheritance property and use it to your advantage— If you
allow a user to control a container and everything within it, he also has control of
anything within the containers that are within it. Each object, therefore, receives
an ACE. The processing of all of the ACEs can eventually have a detrimental effect
on network performance. Whenever possible, use the Apply Onto option (in
Advanced settings of permissions) to control inheritance and to minimize the
number of ACEs that apply to child objects.
• When possible, assign the same set of permissions to multiple objects—
When multiple objects have identical access, the servers need to store only one
instance of the ACL and can apply it to the multiple objects. If you change one
thing about an ACL, you create a new ACL.
• Assign the rights on the broadest level possible without overassigning
the rights— For example, use Create All Child Objects or Delete All Child Objects
rather than specifying all of the object types.
• Delegate permissions to groups rather than to individuals— Use the A G U
DL P principle and assign the permissions to a group, and then make the user a
member of the group.

Designing an Access Control Strategy for Files and Folders

The information that people use on computers is contained in the files and folders that
are available to them. Some of these files and folders are created by the users
themselves, whereas others are created for them by someone else. The users on your
network have the right to expect that the files and folders that they use are safe based
on the security policies of your organization. It's your responsibility to create a file and
folder structure that provides the security that the users expect, while allowing them to
access the files and folders that they need. Windows Server 2003 has built-in tools to
help you manage the security of files and folders. Your access control strategy should
address the following elements of security for files and folders:

• Designing a strategy for the encryption and decryption of files and folders
• Designing a permission structure for files and folders
• Designing security for a backup and recovery strategy
• Analyzing auditing requirements

Designing a Strategy for the Encryption and Decryption of Files and Folders

Windows Server 2003 has a built-in encryption mechanism called Encrypting File System
(EFS). This mechanism can be used on all volumes that are formatted with NTFS. EFS
uses a system of public and private key cryptography and, therefore, requires an
enterprise certificate server that is set to autoenroll the certificates, as discussed in
Chapter 2, "Creating the Logical Design for Network Infrastructure Security."

EFS should always be thoroughly tested in a lab or small group before deploying it to a
production environment.

A user can encrypt files and folders simply by changing the attribute of the file or folder
in the Advanced section of the General tab of its properties, as shown in Figure 6.4. This
automatically encrypts the file or folder with a symmetric key and then encrypts the
symmetric key (the decryption key) with the user's public key and a designated Recovery
Agent's public key. With this in place, only the user's private key or the Recovery Agent's
private key decrypts the decryption key, which can then be used to decrypt the file.
Typically, the designated Recovery Agent is the administrator of the network. In Windows
2000 Server, the original administrative account for a domain was, by default, the
Recovery Agent. In Windows Server 2003, there is no default Recovery Agent. You can
set the designated Recovery Agent in Group Policy.

Figure 6.4. A user can set the encryption attribute on a file or
folder.

Windows Server 2003 has no default Recovery Agent for a domain. You can set a Recovery
Agent using Group Policy.

As you can see, this system is quite complex from an administrative standpoint but is
transparent to the user. You should consider using EFS on any removable drives or
portable computers. It is the only type of defense that remains in place if you lose
physical control of a hard drive. Without EFS, an attacker could simply take
administrative control of the computer and read the information.

With Windows Server 2003 and Windows XP, you can assign multiple users to the same
encrypted file or folder and give them access to it at a remote server. You need to keep
in mind that the transmission of the data from the server to the client is not encrypted.
To maintain encryption during transmission of the file or folder, you need to use Internet
Protocol Security (IPSec), as discussed in Chapter 4, "Creating the Physical Design for
Network Infrastructure Security."

If the user's key becomes corrupt and fails to decrypt the file or folder, the Recovery
Agent can decrypt the file or folder and return the information to the user. The file or
folder to be decrypted must be on the same computer as the key used to decrypt it. You
can either take the encrypted file to the Recovery Agent's computer or export the
Recovery Agent's key to a floppy disk and use it on the computer where the file exists.
You can also export the Recovery Agent's key from the network and store it on a floppy
disk in a secure location. That way, an attacker cannot possibly gain access to the key
over the network.

An attacker could take administrative control over a lost or stolen laptop by simply
reinstalling the operating system and making himself the administrator. The attacker
would then have access to all files and folders on which no encryption has been used.
EFS prevents an attacker from viewing encrypted files and folders, even if he takes
administrative control.

Microsoft recommends encrypting a folder, such as the My Documents folder, and then
storing the files that you want encrypted in that folder. Any files that are moved or
copied to an encrypted folder become encrypted, regardless of whether they are moved
from the same volume or from a different volume. However, if you decrypt a file or
subfolder that sits inside an encrypted folder, that file or subfolder remains decrypted
until you explicitly encrypt it again. To avoid this confusion, simply encrypt the parent
folder and then move the files and folders (that you want to encrypt) into the parent folder.

Designing a Permission Structure for Files and Folders

Although your users might all share the same physical volumes to store their data, they
still have the expectation that the files and folders are secure. You provide this security
using the file systems built in to Windows Server 2003. You can control two types of
permissions—shares and NTFS. You need to be familiar with both types, and you need to
understand how to combine the two types for expected effective permissions.

As mentioned previously, a user can obtain permissions for an object based on groups of
which he is a member. Windows Server 2003 includes a new tool to assist you in
determining effective permissions when a user has NTFS permissions from multiple
sources. You need to be familiar with the following in regard to permissions structure for
files and folders:

• Share permissions for files and folders
• NTFS permissions for folders
• NTFS permissions for files
• Effective permissions

Share Permissions for Files and Folders

Share permissions allow a user to gain access to a resource through the network. If a file
or folder is not shared, the only access to that file or folder would be from the local
computer where the file exists. The following are levels of share permissions:

• Read— This is the default permission for any file that is shared in Windows Server
2003. With Read permissions, a user can see a file or folder and can execute the
file or open the folder. A user can also right-click the file or folder and view the
properties, but cannot make any changes to the file or folder or to its properties.
• Change— Change permissions allow all of the permissions of Read, but the user
can also change or add to the file or folder and can change the properties of the
file or folder, such as the name or other attributes. In addition, the user can also
delete the file or folder with Change permissions.
• Full Control— Full Control permissions allow all of the permissions of Change,
and the user can take ownership of the file or folder and, thereby, assign other
users permission for the file or folder.

NTFS Permissions for Folders

The following are NTFS permissions for folders:

• List Folder Contents— A user with List Folder Contents permissions can view a
folder and view the files and folders within the folder, but cannot change the
folder or its attributes or even view the attributes of the folder. If he were to
right-click the folder and click Properties, he would get an Access Denied message.
• Read— A user with Read permissions for the folder can view the folder, but
cannot view the contents of the folder. In addition, he cannot change the folder or
its properties. He can view the properties of the folder by right-clicking the folder
and clicking Properties.

• Read & Execute— A user with Read & Execute permissions has all of the same
permissions as a user with Read permissions, and he can double-click the folder
and view its contents.
• Write— A user with Write permissions has all of the same permissions as the
Read & Execute permissions, and he can add files or folders to the folder. Whether
he can delete files or folders from the folder depends on the individual
permissions of the files or folders within the folder. He cannot delete the folder
itself, but he can change its properties.
• Modify— A user who has Modify permissions to a folder has all of the permissions
of Write, and he can delete the folder.
• Full Control— A user who has Full Control permissions has all of the permissions
of Modify, and he can take ownership of the folder and, thereby, assign other
users permission to the folder.

NTFS Permissions for Files

The following are NTFS permissions for files:

• Read— A user who has only Read permission can open and read the file and view its
attributes and permissions, but cannot change, delete, or execute it.
• Read & Execute— Read plus Execute File, so the user can also run the file if it is
a program or script. He cannot change or delete it.
• Write— Lets the user write to the file (overwrite or append) and change its
attributes. Write on its own does not include Read, so it is normally assigned
together with Read & Execute. He cannot delete the file, although a user who can
write to a file can empty it, so Write without Delete is not a safeguard against
data loss.
• Modify— Read & Execute plus Write plus Delete, so the user can also delete the file.
• Full Control— All of Modify plus Change Permissions and Take Ownership, so the
user can grant permissions to other users directly.

In addition to the standard NTFS permissions for files and folders, you
can also select Special Permission in the Advanced security properties
of the file or folder. Special permissions allow you to tailor the specific
actions that a user is allowed to perform on a file or folder.

Effective Permissions

If a file or folder exists on an NTFS volume and is also shared through the network, the
share permissions might differ from the NTFS permissions for the file or folder. In
addition, if a user has permissions to the file through membership in multiple groups,
the permissions might differ by group. Within each set, a user's permissions are
cumulative: the Allow entries from every group he belongs to are added together, and a
Deny entry removes what it names. The effective permissions over the network are then
the more restrictive of the two results. You need to remember this three-step method
of determining the effective permissions for a resource:

1. Combine all of the share permissions that apply to the user.

2. Combine all of the NTFS permissions that apply to the user.

3. The effective permissions are the more restrictive of the two results.

A Deny entry in the NTFS permissions overrides Allow entries granted through other
groups and results in that access being denied. The one exception is order of
evaluation: an Allow set explicitly on the object is evaluated before a Deny it
inherits from a parent folder, so an inherited Deny does not block an explicit Allow.
A Deny in the share permissions also results in the access being denied, unless the
user is logging on locally to the computer that holds the resource, in which case the
share permissions do not apply at all.
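The three-step rule above, expressed as a small Python model so that you can check your own ACL reasoning before you touch a server. This is an added example, not code from the book or from Windows; the users, groups, share ACL and NTFS ACL are constructed, and the ordering of entries follows the Windows rule (explicit Deny, explicit Allow, inherited Deny, inherited Allow; the first entry that names a right decides it).

```python
"""Model of the three-step effective-permission rule for a resource on an
NTFS volume that is also shared. Added example; the principals and ACLs
are constructed, not taken from a real server."""

# Standard permissions as sets of rights, so that "most restrictive" is a
# set intersection and "combine" is a union.
READ = {"read"}
CHANGE = {"read", "write", "delete"}                 # share permission "Change"
MODIFY = {"read", "execute", "write", "delete"}      # NTFS permission "Modify"
FULL = MODIFY | {"change_permissions", "take_ownership"}

# Windows evaluates ACEs in this precedence; the first ACE that names a
# right decides it. Share ACLs are not inherited, so they are all explicit.
PRECEDENCE = (("explicit", "deny"), ("explicit", "allow"),
              ("inherited", "deny"), ("inherited", "allow"))


def combine(acl, principals):
    """Combine one ACL (share or NTFS) for a user who holds `principals`.

    acl: list of (principal, "allow"|"deny", rights, "explicit"|"inherited").
    Returns the set of rights the ACL grants that user.
    """
    decided = {}  # right -> True if allowed, False if denied
    for scope, kind in PRECEDENCE:
        for principal, ace_kind, rights, ace_scope in acl:
            if (ace_scope, ace_kind) == (scope, kind) and principal in principals:
                for right in rights:
                    decided.setdefault(right, kind == "allow")
    return {right for right, allowed in decided.items() if allowed}


def effective(share_acl, ntfs_acl, principals, over_network=True):
    """Steps 1-3: combine share, combine NTFS, keep the more restrictive.

    A local logon never goes through the share, so only NTFS applies then.
    """
    ntfs = combine(ntfs_acl, principals)
    if not over_network:
        return ntfs
    return combine(share_acl, principals) & ntfs


# Constructed sample: a Sales share on a file server.
SHARE_ACL = [("Everyone", "allow", CHANGE, "explicit")]
NTFS_ACL = [
    ("Sales", "allow", MODIFY, "inherited"),        # inherited from the parent folder
    ("Sales", "deny", {"delete"}, "explicit"),      # nobody in Sales may delete here
    ("Contractors", "deny", FULL, "explicit"),      # contractors get nothing
]
# A folder where an inherited Deny is overridden by an explicit Allow.
NTFS_ACL_EXCEPTION = [
    ("Interns", "deny", MODIFY, "inherited"),
    ("carol", "allow", READ, "explicit"),
]

ALICE = {"alice", "Everyone", "Authenticated Users", "Sales"}
BOB = {"bob", "Everyone", "Authenticated Users", "Sales", "Contractors"}
CAROL = {"carol", "Everyone", "Authenticated Users", "Interns"}

if __name__ == "__main__":
    print("alice over the network:", sorted(effective(SHARE_ACL, NTFS_ACL, ALICE)))
    print("alice logged on locally:", sorted(effective(SHARE_ACL, NTFS_ACL, ALICE, over_network=False)))
    print("bob (also a Contractor):", sorted(effective(SHARE_ACL, NTFS_ACL, BOB)))
    print("carol (explicit Allow beats inherited Deny):", sorted(combine(NTFS_ACL_EXCEPTION, CAROL)))
```

Alice ends up with read and write over the network (the share's Change permission has no execute right, and the explicit Deny removes delete), but with read, execute and write when she logs on at the server console, which is exactly the local-logon exception in the note above.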

Windows Server 2003 contains a new tool called the Effective Permissions tool, a tab on the
Advanced Security Settings dialog of a file or folder. It combines the NTFS permissions
for the resource automatically: you select the resource and then the user or group for
which you want to see the effective permissions. The tool only combines the NTFS
permissions and does not take share permissions into account, so its result is the true
effective permission over the network only when the share permissions are the same as,
or less restrictive than, the NTFS permissions. It also calculates group membership as
the local computer sees it, so logon-specific identities such as Interactive or Network
are not included, and the result can differ from what a user actually gets. Figure 6.5
illustrates the Effective Permissions tool.

Figure 6.5. You can use the Effective Permissions tool to determine the effective NTFS permissions.

Designing Security for a Backup and Recovery Strategy


An organized schedule of backups is an essential element in any network design.
Windows Server 2003 has a built-in backup utility that can assist you in creating normal,
incremental, and differential backups. You can also use third-party backup tools to
provide more flexibility for backups.

Windows Server 2003 also has a new tool that assists you in recovering data on your
servers: Shadow Copies of Shared Folders, built on the Volume Shadow Copy Service (VSS).
You need to be familiar with this feature and its effect on the productivity of your
users.

Although shadow copies are not a replacement for regular backups of a system, they are
an effective enhancement to the security of data because they protect users against
their own mistakes and against accidental deletion. A shadow copy is a point-in-time
snapshot of an entire volume, taken on a schedule that you set, and the copies are listed
by the time they were created. You enable them in the Shadow Copies tab of the
properties of an NTFS volume, as shown in Figure 6.6. A shadow copy is not a full copy
of every file; it stores only the disk blocks that changed since the previous snapshot,
which conserves disk space while still presenting each earlier version as a complete
file. You can set the schedule, but Microsoft recommends that you take copies no more
often than once per hour. Two limits matter for your design: a volume keeps at most 64
shadow copies, and when the storage area you assign fills up, the oldest copies are
discarded to make room, so a heavily changed volume may lose older versions sooner than
users expect.

Figure 6.6. You can enable the system to keep multiple shadow
copies of a file sorted by time created.

If a user accidentally modifies a file in such a way as to lose some of the information in
it, he can use a shadow copy to retrieve a previous version of the file. Previous versions
are exposed through the shared folder, so the user must open the file through the share
(for example, \\server\share\file) from a computer that has the Previous Versions client;
Windows Server 2003 includes it, and it can be installed on Windows XP and Windows 2000
clients. This can save the user a tremendous amount of time and, thereby, increase
productivity.

Volume Shadow Copies to the Rescue


Let's pretend that you are a user who has been working on a PowerPoint
presentation for weeks, and your presentation now includes more than 500
slides. You want to send a "mini version" of your presentation to another user
for her opinion, so you delete 475 slides, intending to save the remainder of the
slides as a new file. However, you accidentally click Save instead of Save As and
you have now lost your original file and 475 slides!

Without volume shadow copies, your options would be quite limited at this
point. You could either ask the network administrator to restore the file from
backup tape, or you could begin re-creating the 475 slides that you deleted.

With volume shadow copies (and a little training), you simply right-click the file
that you still have, as you see it in the shared folder, and select the Previous
Versions tab of the file's properties. You then select the version of the file from a
couple of hours ago, before you made your mistake, and click Restore (or Copy, if you
want to keep the damaged version as well). Your file would return and life would go
back to normal. It's as simple as that.

Analyzing Auditing Requirements
You need to be selective when auditing anything on a computer. Remember that auditing
consumes resources. Furthermore, if you audit too much, the review of the security logs
consumes a tremendous amount of human resources. Having said that, you can audit
specific files and folders to determine who is accessing or changing information in them.
Remember that all auditing is local; therefore, you have to set the audit policy on the
computer on which you want the auditing to occur. This can be accomplished through the
Local Security Policy settings on the computer or through Group Policy (Computer
Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy), as
shown in Figure 6.7. A domain-level Group Policy setting overrides the local setting on
every computer to which it applies, which is the usual way to enforce a consistent policy
across file servers.

Figure 6.7. You can set the audit policy for a computer through the
Local Security Policy settings of the computer itself or through
Group Policy.

You need to be familiar with the following settings in regard to auditing files and folders:

• Auditing object access
• Setting auditing entries on the resource

Auditing Object Access

This policy setting combines with the individual audit entries in the SACL (system
access control list) of the file, folder, Registry key, or other resource on which you
have applied audit settings. You enable it for Success, Failure, or both. When it is
enabled, the system examines the SACL of each object as it is accessed and writes an
event only for accesses that both the policy and an SACL entry call for: no event is
written for an object without SACL entries, and SACL entries produce nothing if the
policy is not enabled.

Setting Auditing Entries on the Resource

After you have set the audit policy to Audit Object Access, you can set the resources
themselves to be audited. You can determine which users or groups you will audit for
each resource, and which accesses (for example, Delete or Change Permissions rather
than every Read). In this way, you can create an audit report that gives you the
information that you need without so much information that it becomes unusable.

You can set the audit entries in the Advanced options of the Security tab for the object to
be audited, as shown in Figure 6.8. This creates a SACL that the system automatically
tracks and uses to create the entries for you in the Security log of Event Viewer (in
Windows Server 2003, object access appears as event ID 560, Object Open, which records
the user, the process, and the accesses requested). If you choose, you can audit an
entire hierarchy of folders by allowing the audit entries to propagate from the parent
object to the child objects.

Figure 6.8. You can set audit entries in the Advanced options of
the Security tab.

Designing an Access Control Strategy for the Registry

By default, ordinary users can read most of the Registry and have full control of their
own HKEY_CURRENT_USER hive, but only Administrators and the SYSTEM account can change
the computer-wide settings under HKEY_LOCAL_MACHINE. You can assign permissions to
individual keys in the Registry to allow certain users to make changes to those keys.
You can also use the system to audit the Registry to determine which users have made
changes or even attempted to make changes to the Registry. Your access control strategy
for the Registry should include the following:

• Designing a permission structure for Registry objects
• Analyzing auditing requirements

Designing a Permission Structure for Registry Objects

In Windows Server 2003, system and user configuration is centrally located in the
Registry. The information is stored in containers called keys. Of the five root keys
shown in the Registry Editor, HKEY_LOCAL_MACHINE holds the settings that apply to the
whole computer and HKEY_USERS holds each user's settings; HKEY_CURRENT_USER is a view of
the logged-on user's branch of HKEY_USERS, and the other two (HKEY_CLASSES_ROOT and
HKEY_CURRENT_CONFIG) are views built from branches of those two. One incorrect edit to
the information contained in these keys can potentially disable the operating system.
For this reason, only administrators should be able to edit the computer-wide keys on
most computers. Users indirectly make changes to the Registry when they use GUI tools,
such as Control Panel or Display Settings. These changes are much safer than changes
made directly to the Registry because the tool validates the values before it writes
them.

Some applications and some hardware require a Registry edit to function properly. You
might want to allow certain users to make the changes to the Registry so that you don't
have to make them every time. If you choose to allow a user to make changes to the
Registry, you need to ensure that he has the training and the knowledge to make the
changes correctly.

You can assign permissions on each key of the Registry in much the same way that you
assign permissions to files or folders. To do so, open the Registry with regedit.exe (in
Windows Server 2003, regedt32.exe simply starts regedit.exe), right-click the key that
you want to change, and click Permissions. The Permissions dialog box opens, as shown in
Figure 6.9. You can then add a user and give him the permissions required to make the
change; for most application settings, Set Value and Create Subkey on the application's
own key are enough, and an entry set on a key is inherited by its subkeys unless you
turn inheritance off. As always, you should only give him the minimum level of
permissions required to make the appropriate changes. You can also use Group Policy
(Computer Configuration, Windows Settings, Security Settings, Registry) to apply the
same permissions to many computers at the same time.

Figure 6.9. You can set permissions for each key in the Registry.

You should rarely need to give a user Full Control permissions on a Registry key. Full
Control includes Write DAC and Write Owner, which let the user change the key's
permissions and undo your restrictions.

Analyzing Auditing Requirements


You only need to audit the Registry if you suspect that someone is making changes to it
without your approval. If troubleshooting a problem indicates that a change was made to
the Registry that could not have been made by another tool and could not have been made
by accident, auditing the Registry is in order. In this case, you should audit the
specific key where the change was made rather than a whole hive, because a broad
Registry audit fills the Security log quickly. You can set the auditing for the key in
the Advanced section of the permissions for the key, as shown in Figure 6.10, and the
Audit Object Access policy must be enabled on the computer for the entries to take
effect. In this case, you might want to audit the Everyone group for Set Value, Create
Subkey, and Delete on the key, because the list of accesses should not be large and
because you want to ensure that everyone is included in the audit.

Figure 6.10. You can set audit entries in Advanced Security Settings for each key in the Registry.

Exam Prep Questions


Answer the questions for the following case study based on the information provided in
the case study.

Case 1: HACA Inc.


HACA Inc. is a large retail outlet with 75 chain stores located throughout the United
States. HACA has recent concerns over the local security of the networks in each of its
stores. Currently, the only administration performed on any of the computers is remote
administration from the corporate offices in Birmingham, Alabama. HACA is considering
allowing some managers to perform some administration because they are closer to the
situation and know more about the local needs of the store. As part of this change, the
company wants to review all policies in regard to permissions and auditing of all network
resources. The managers might also be asked to review the security logs on a set
schedule. HACA has hired you as an independent consultant.

Q1 Which delegation tool should HACA use to focus on the task to be delegated and
let the system set the DACLs?

• A. Active Directory Users and Computers
• B. regedit.exe
• C. Delegation of Control Wizard
• D. Advanced permissions

A1: Answer C is correct. The Delegation of Control Wizard focuses on the task itself
and sets the DACLs to the appropriate setting. Active Directory Users and
Computers is not a delegation tool; therefore, answer A is incorrect. regedit.exe
is a tool you can use to edit the Registry; therefore, answer B is incorrect.
Advanced permissions would focus on the DACLs themselves; therefore, answer
D is incorrect.

Q2 Which tools can you use to control the audit policy on computers on your
network? (Choose two.)

• A. Local Security
• B. Group Policy
• C. Advanced permission settings
• D. Event Viewer

A2: Answers A and B are correct. All auditing is local and takes effect on the local
computer, but the audit policy can be set either through the Local Security Policy
tool on the computer or through Group Policy. Advanced permission settings control
the creation of the SACL used to audit the objects themselves, not the audit policy;
therefore, answer C is incorrect. Event Viewer is a tool that you can use to view
the Security log for the results of auditing; therefore, answer D is incorrect.

Q3 Which audit setting tracks local logons on a computer?

• A. Logon events
• B. Directory service access
• C. Account logon events
• D. Privilege use

A3: Answer A is correct. Logon events tracks logons to the computer on which the
setting is applied, both local logons and network logons to that computer. Directory
service access tracks the viewing and changing of specific Active Directory objects
to which SACLs are applied; therefore, answer B is incorrect. Account logon events is
applied on domain controllers to track their authentication of users who log on from
other computers on the network; therefore, answer C is incorrect. Privilege use
tracks the actions of a user exercising a user right; therefore, answer D is
incorrect.

Q4 Which of the following are Microsoft recommendations for directory service
access permissions? (Choose two.)

• A. Remove the default permissions when assigning specific permissions.
• B. Use the settings with the broadest permissions possible without overassigning.
• C. When possible, assign the same set of permissions to multiple objects.
• D. Assign Full Control permissions whenever possible.

A4: Answers B and C are correct. Using settings with broader permissions makes it
easier for the system to process the permissions. Using the same settings for
multiple objects creates fewer DACLs and makes it easier on the system as a
result. You should avoid removing the default permissions because this could have
unexpected results; therefore, answer A is incorrect. You should avoid assigning
Full Control because it allows the person with delegated permissions to change
your permission configuration; therefore, answer D is incorrect.

Q5 Which type of group is named for the resource and must be contained in the
same domain as the resource?

• A. Global
• B. Domain Local
• C. Universal
• D. Nested

A5: Answer B is correct. A Domain Local group is created to give access to a
resource. It is, therefore, named for the resource and must be contained in the
same domain as the resource. Global groups are created to contain users and
other Global groups. They are generally named for the function of the user and
must be contained in the same domain as their members; therefore, answer A is
incorrect. Universal groups are created in the Active Directory of a domain that is
in at least Windows 2000 native mode. They are generally named for the overall
function of the members to be contained in them; therefore, answer C is
incorrect. Nested is not a type of group. A group is said to be nested if it is
contained within another group; therefore, answer D is incorrect.

Q6 Which permissions are only NTFS permissions and not share permissions?
(Choose two.)

• A. List Folder Contents
• B. Change
• C. Read & Execute
• D. Full Control

A6: Answers A and C are correct. NTFS permissions include List Folder Contents,
Read, Read & Execute, Write, Modify, Full Control, and Special Permissions.
Change is a type of share permission; therefore, answer B is incorrect. Full
Control permissions allow a user to take ownership and are common to shares
and NTFS; therefore, answer D is incorrect.

Q7 Which NTFS permissions allow a user to change a file or folder but do not allow a
user to delete the file or folder?

• A. Modify
• B. Write
• C. Change
• D. Read & Execute

A7: Answer B is correct. Write permissions to a file or folder allow a user to change
the file or folder but do not allow him to delete it. Modify permissions are NTFS
permissions that allow a user to delete a file or folder; therefore, answer A is
incorrect. Change permissions are share permissions that allow a user to delete a
file or folder; therefore, answer C is incorrect. Read & Execute are NTFS
permissions that do not allow a user to change a file or folder; therefore, answer
D is incorrect.

Q8 Which two of the following are part of the three steps to determine effective
permissions?

• A. Determine the most restrictive of all permissions.
• B. Combine the NTFS permissions.
• C. Determine the least restrictive of all permissions.
• D. Combine the share permissions.

A8: Answers B and D are correct. You should first combine the share permissions and
determine a result. Next, you should combine the NTFS permissions and
determine a result. The effective permissions will then be the most restrictive of
the two results. Determining the most restrictive of all of the permissions is not
one of the steps; therefore, answer A is incorrect. Determining the least
restrictive of all of the permissions is not one of the steps; therefore, answer C is
incorrect.

Q9 Which of the following is true about volume shadow copies?

• A. They are full copies of a file that are stored multiple times.
• B. They are automatically copied every 5 minutes.
• C. They replace the need to back up your servers.
• D. They can only be created on NTFS volumes.

A9: Answer D is correct. Volume shadow copies can only be created on NTFS
volumes. Volume shadow copies consist of a file and the "shadows" representing
only the changes to the file, not full copies of the file; therefore, answer A is
incorrect. Volume shadow copies are created on a schedule set by the
administrator. The default schedule is twice per day at 7:00 a.m. and 12:00
p.m.; therefore, answer B is incorrect. Volume shadow copies do not replace the
need to back up servers; therefore, answer C is incorrect.

Q10 Which of the following are true regarding the Registry? (Choose two.)

• A. The only way to change the Registry is with the Registry Editor tool.
• B. Users cannot usually make any changes to the Registry.
• C. You should audit the Registry only when you feel that it has been
attacked.
• D. By default, only the administrator of a computer has the right to make
changes directly to the Registry settings of that computer.

A10: Answers C and D are correct. You only need to audit the Registry when you feel
that it has been attacked because auditing consumes system resources and
reviewing the audits takes time. The administrator of a computer is, by default,
the only account that has the right to make changes to the Registry of that
computer. The Registry can be changed indirectly by users with the GUI tools;
therefore, answers A and B are incorrect.

Chapter 7. Creating the Physical
Design for Client Infrastructure
Security
Terms you'll need to understand:

• Password policies
• Remote access policies
• Internet Authentication Services (IAS)
• Administrative templates

Techniques you'll need to master:

• Designing a client authentication strategy
• Designing a security strategy for client remote access
• Designing a strategy for securing client computers

You can't implement a secure network without placing the right types of servers in the
right places. In addition, the clients must all be as secure as possible because otherwise
they can be used as a "back door" by an attacker who actually wants access to the
servers. In this chapter, we discuss the types of servers that make up the physical design
of the network and the security tools that are built in to each type. We also discuss
methods of "hardening" the security of clients to enhance the overall security of the
network. You need to understand the following key areas of physical design for client
infrastructure security:

• Designing a client authentication strategy
• Designing a security strategy for client remote access
• Designing a strategy for securing client computers

Designing a Client Authentication Strategy
The servers that authenticate clients on a Windows Server 2003 network are referred to
as domain controllers. Domains are logical groupings of users and computers; domain
controllers are the servers that are part of the physical design of the network. You must
have at least one domain controller to have a domain. You need to have at least two
domain controllers per domain to provide for fault tolerance, in the event one domain
controller fails.

Clients can authenticate to domains of which they are not a member. This is
accomplished through trusts. As we discussed in Chapter 2, "Creating the Logical Design
for Network Infrastructure Security," trusts are connections between domain controllers
over which authentication can occur. For example, if Domain A trusts Domain B, users in
Domain B can use resources in Domain A provided that they have the permissions to use
the resources. Remember that trusts do not provide permissions; they only provide the
connection.

Organizations that have domains in separate Active Directory forests can use a new trust
in Windows Server 2003 called a forest trust. With a forest trust in place, all of the
domains in both of the forests have a trust relationship. For example, if Forest A trusts
Forest B, users in Forest B's domains can use resources in Forest A's domains provided
that the users have the proper permissions. The main advantage of forest trusts is that
they can reduce the number of trusts that must be created in some instances.

Forest trusts are only available when both of the forests have been raised to the
Windows Server 2003 forest functional level. In addition, a forest trust is transitive
only between the domains of the two forests it joins; it does not extend to a third
forest. In other words, just because Forest A trusts Forest B and Forest B trusts
Forest C does not mean that users in Forest C have a connection to use resources in
Forest A. The trust relationship does not transit from C to A through B. If you need
all users in Forest C to be able to use resources in all domains in Forest A (for which
they have permissions), you must create a separate forest trust in which Forest A
trusts Forest C.

Domain controllers replicate information about the domain and the forest configuration
on a consistent basis. Because of this, it is only necessary to change the settings on one
domain controller to affect all of the domain controllers in the domain. Specific domain
controller settings control authentication to a domain. These are part of the security
settings for the domain. You can adjust these settings using the tools provided by
Windows Server 2003. Designing a client authentication strategy includes the following
elements:

• Analyzing authentication requirements
• Establishing account and password security requirements

Analyzing Authentication Requirements


As we've discussed previously, authentication is the process of a client, server, or user
proving that it is who it says it is. In this section, we focus on the authentication methods
used by clients on client computers. In the next section, we discuss other options that
can enhance your authentication security.

Because authentication methods have evolved with technology, not all clients
authenticate in the same way as others. Windows Server 2003 is very flexible in regard
to authentication settings for clients. The setting that controls which of the LAN
Manager family of protocols a computer sends and accepts is Network security: LAN
Manager authentication level, in the Security Options of Group Policy, as shown in
Figure 7.1 (it is stored in the Registry as the LMCompatibilityLevel value). A related
setting, Network security: Do not store LAN Manager hash value on next password change,
removes the weakest stored form of the password once every client can use NTLM or
better. Understanding how all of the protocols relate to the type of clients on your
network enables you to select the setting that allows for the highest security that
all of your clients can use.

You need to become familiar with the following types of client authentication:

• LAN Manager (LM)
• NT LAN Manager (NTLM)
• NTLMv2
• Kerberos

Figure 7.1. You can configure authentication settings in the Security Options of Group Policy.

LAN Manager

LAN Manager (LM) authentication was the first type of authentication used by Microsoft
clients. Beginning with Windows for Workgroups 3.11, LAN Manager was also used with
Windows 95, Windows 98, and Windows Me clients. It uses a challenge/response mechanism,
but it is not considered strong by today's standards: the LM hash converts the password
to uppercase, pads or truncates it to 14 characters, and hashes each 7-character half
separately, so an attacker who captures the hash or a challenge/response pair
effectively attacks two short, case-insensitive passwords rather than one long one.

Windows 95, Windows 98, and Windows Millennium Edition (Me) are
often referred to as Windows 9x clients.

NT LAN Manager

Windows NT LAN Manager (NTLM) is an authentication protocol that Microsoft introduced
with NT 4.0 workstations and servers. Its NT hash is computed from the case-sensitive
Unicode password, so it is considerably stronger than the LM hash. However, because
NT 4.0 was made to be backward compatible with Windows 9x clients, NT 4.0 workstations
and servers still send the LM response alongside the NTLM response by default, and the
NTLM response itself is built from the NT hash with the same DES construction that LM
uses. A captured exchange is therefore still cheap to attack offline. Windows NT servers
and clients should be upgraded to at least SP4 to take advantage of the higher security.
NTLM has been superseded by NTLMv2.

NTLMv2

To provide greater security against offline attacks on captured exchanges, NTLMv2
replaces the DES construction with a keyed hash (HMAC-MD5, producing a 128-bit
response) whose key is derived from the NT hash together with the username and domain
name, and whose input includes the server challenge, a client-generated challenge, and a
timestamp. This makes precomputed-table attacks infeasible and makes the response unique
to the account, but it does not change the fact that the only secret is the password: if
strong passwords are not used, an attacker with a captured exchange can still recover
the password by guessing in a matter of seconds. We discuss strong passwords in the
next section.

The client-generated challenge in NTLMv2 also prevents an attacker who controls the
server side of the exchange from choosing the entire input to the response, which
defeats chosen-challenge attacks with precomputed tables. NTLMv2 does not, however,
authenticate the server to the client in the way Kerberos does, so a client can still
be tricked into authenticating to a decoy server; only the signing and sealing of the
session that follows (NTLM session security) gives the client any assurance that the
server knew its password hash. To use NTLMv2, the client and the server must be running
at least NT 4.0 SP4 (Windows 9x clients need the Active Directory Client Extension
installed), and the LAN Manager authentication level must be set to send NTLMv2;
otherwise, LM or NTLM is used.

Kerberos

Kerberos is the default authentication protocol used in all Windows 2000 and Windows
Server 2003 domains. It is named for the mythical three-headed dog that guards the
gates of Hades. Kerberos is a ticket-based system: the client authenticates once to a
Key Distribution Center (KDC), which on a Windows network runs on every domain
controller, receives a ticket-granting ticket, and then obtains a service ticket for
each resource it needs, so the password is never sent to the resource server. The
service ticket also authenticates the server to the client (mutual authentication).
Kerberos is considered the most secure Microsoft authentication protocol. Only Windows
2000, Windows XP, and Windows Server 2003 computers, and non-Windows clients that
implement Kerberos version 5 (such as Unix), can use the Kerberos authentication
protocol.

Kerberos requires a domain: Windows 2000 and Windows Server 2003 computers that
are not part of a domain still use NTLM (the version is determined by the LAN
Manager authentication level setting). A domain member also falls back to NTLM
when it connects to a server by IP address instead of by name, because no service
principal name can be built for a ticket request.

Establishing Account and Password Security Requirements


The most common attacks on a network are aimed at the default Administrator account
and at client accounts with weak passwords. You should ensure that your network does
not fall into this trap. You can control your account policy settings through Group Policy,
as shown in Figure 7.2. You can strengthen your network security by implementing the
following policies and practices:

• Change the name of the default Administrator account— This needs to be
changed to something that is not easily guessed and does not stand out. Renaming
slows down guessing attacks but does not hide the account: its security identifier
always ends in the relative ID 500, which tools can enumerate, so pair the rename
with a strong password and a sensible lockout policy.
• Require the use of the Run As command for all administrators—
Administrators need to first log on with a regular user account and then use Run
As (runas.exe, or Run As on the shortcut menu) to accomplish administrative tasks.
This provides for much greater security and is just a matter of developing a good
habit, rather than a bad one.
• Require the use of complex passwords for all users— The Password Must Meet
Complexity Requirements setting requires a password to be at least six characters
long and to contain characters from at least three of these categories: uppercase
letters, lowercase letters, numbers, special (non-alphanumeric) characters, and
Unicode letters that have no case. In addition, it cannot contain the user's account
name or any part of the user's full name longer than two characters. Complex
passwords are harder for users to remember, but they increase network security
tremendously.
• Set account lockout duration to 0— This setting determines how long a user
who enters invalid credentials more times than the account lockout threshold allows
will be locked out of the system. A setting of 0 indicates that the user will be
locked out indefinitely until the administrator unlocks the account. Be aware that an
attacker who knows account names can use this to lock users out deliberately, so
keep the threshold high enough that ordinary typing mistakes do not trigger it.
• Require users to change their passwords at least once every 30 days—
The more often users are required to change their passwords, the more secure
your network becomes. This is because passwords that are discovered by an
attacker are valid for a shorter period of time. The default Maximum Password
Age setting is 42 days. A setting of 30 days increases security.
• Enforce password history— Password history tracks passwords that have been
used before and keeps the user from setting the same password again. It should
be used in conjunction with the Minimum Password Age setting. You can set the
number of passwords remembered from 0 to 24. (A setting of 0 indicates that
passwords will not be remembered.)
• Enable the use of the Minimum Password Age setting— This setting defines
how long a user must keep a password after setting it. Used in conjunction with
the Enforce Password History setting, it prevents a user from changing his
password multiple times in one sitting to arrive back at his "favorite password."

Figure 7.2. You can control your account policy settings through
Group Policy.

You should know the requirements for a password to be considered
complex. Complex passwords are at least six characters long and contain
characters from at least three of the following categories: uppercase letters,
lowercase letters, numbers, and special characters. In addition, they cannot
contain the username or any part of the user's full name longer than two characters.

Designing a Security Strategy for Client Remote
Access
Remote access is connecting to a network from outside of the network by dialing in over
regular telephone lines or using the Internet to make a connection to a remote access
server. Your challenge is to make the resources of the network available to the users
while still maintaining security. Windows Server 2003 has many built-in tools to assist
you in this challenge. Your strategy for client remote access should include the following
key components:

• Designing remote access policies
• Designing access to internal resources
• Designing remote access with IAS

Designing Remote Access Policies


Remote access policies are a set of rules that determine whether a user will get a
connection or be rejected while trying to initiate a remote session. You can use multiple
remote access policies to control the access of different users and user groups. If you use
multiple remote access policies, they are checked from top to bottom, and only the first
policy whose conditions match the connection attempt is used; the policies below it are
not consulted, and if no policy matches, the attempt is rejected. You can reorder the
policies for a desired result. You need to order the policies beginning with the most
specific policies at the top of the list. Figure 7.3 shows multiple remote access
policies in a single remote access server.

Figure 7.3. Multiple remote access policies are processed in order from the top down.

Remote access policies are much more than just permissions to dial in to a network. In
fact, they contain three components that work together to accept or deny a connection to
the network. You can configure each of these components to achieve your desired result.
You need to know how to configure the three components of remote access policies,
which are

• Conditions
• Permissions
• Profile

Conditions

Remote access policy conditions are attributes that must be met to satisfy the policy.
Conditions are only checked at the initial time of the connection attempt. They are the
first component that is checked on a connection attempt.

Conditions might include day and time restrictions, connection types, security group
memberships, and many others. If you set multiple conditions on the same remote
access policy, all of the conditions have to be met. Figure 7.4 illustrates remote access
policy conditions.

Figure 7.4. If you set multiple conditions on a remote access policy, all of the conditions must be met.

The tricky part is that a policy can be configured to accept or deny the connection based
on the conditions. In other words, if the conditions state that a user must be in the Sales
group to satisfy the policy and the user is in the Sales group, the policy is satisfied.
However, if that policy states that all users who satisfy it are denied access, the users in
the Sales group would be denied access because they met the conditions of the policy.

Permissions

The dial-in permission of the user account is checked after the conditions of the first
matching policy are met. If your domain is at least at the Windows 2000 native
functional level, the dial-in permission for the user can be set to Allow Access, Deny
Access, or Control Access Through Remote Access Policy, as shown in Figure 7.5. If your
domain is at a lower functional level, the Control Access Through Remote Access Policy
option is not available. If you set the permission to Deny Access, the user is denied
access, even though he met the conditions. If you set it to Allow Access, the policy's
own Grant or Deny setting is skipped and the attempt proceeds directly to the profile
of the matching policy, which means that a policy written to deny access cannot stop an
account that is set to Allow Access. If you set it to Control Access Through Remote
Access Policy, the policy's permission decides: a policy set to Deny rejects the
attempt, and a policy set to Grant passes it on to the profile.

Figure 7.5. If your domain is in at least Windows 2000 native
mode functional level, the dial-in permissions for the user could be
Allow Access, Deny Access, or Control Access Through Remote
Access Policy.

Profile

If you set the user permissions to Control Access Through Remote Access Policy, the
profile settings on the policy must be met to obtain and to continue a connection. Profile
settings that you can select include day and time restrictions, idle-timeouts, session-
timeouts, encryption, authentication, connection types, and many more. If you set
multiple profile settings in a remote access policy, the user must meet and continue to
meet the restrictions that you set. Figure 7.6 shows the main dialog box for remote
access policy profiles. In this example, the user can stay connected for 120 minutes if he
remains active, but for only 15 minutes if he is idle.

Figure 7.6. If you set multiple profile settings in a remote access
policy, the user must meet and continue to meet the restrictions
that you set.
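The three components above are evaluated in a fixed order, and the order is what most exam questions on this topic test. The following model is an added example (it is not code from this book or from Microsoft): it walks a connection attempt through the policy list from the top down, requires every condition of a policy to match, consults the user's dial-in permission next, and enforces the profile when the permission is Control Access Through Remote Access Policy, then keeps enforcing the session and idle timeouts after the connection is up, as in the Figure 7.6 example. The policy names, group names, connection attributes and attempts are all constructed for illustration.

```python
"""Simplified model of how a Windows Server 2003 remote access server evaluates a
connection attempt, following the order the chapter describes.

Added teaching example, not Microsoft code. Policy names, group names, and the
connection attempts below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Dial-in permission values on a user account (CONTROL is only selectable in a
# domain at Windows 2000 native mode functional level or higher).
ALLOW = "Allow Access"
DENY = "Deny Access"
CONTROL = "Control Access Through Remote Access Policy"


@dataclass
class Profile:
    """Profile settings; timeouts are in minutes, None means no limit."""
    session_timeout: Optional[int] = None
    idle_timeout: Optional[int] = None
    require_encryption: bool = False


@dataclass
class Policy:
    name: str
    conditions: Dict[str, object]        # attribute -> required value; ALL must match
    grant: bool                          # True = grant remote access, False = deny
    profile: Profile = field(default_factory=Profile)

    def conditions_match(self, attempt: Dict[str, object]) -> bool:
        """Conditions are checked only on the initial attempt, and every one must be met."""
        return all(attempt.get(key) == value for key, value in self.conditions.items())


def first_matching_policy(policies: List[Policy], attempt: Dict[str, object]) -> Optional[Policy]:
    """Policies are processed from the top down; the first match decides, which is why
    the most specific policies belong at the top of the list."""
    for policy in policies:
        if policy.conditions_match(attempt):
            return policy
    return None


def profile_satisfied(profile: Profile, attempt: Dict[str, object]) -> bool:
    """Profile checks applied at connect time (encryption here; timeouts apply later)."""
    return not profile.require_encryption or bool(attempt.get("encrypted", False))


def evaluate_connection(policies: List[Policy], attempt: Dict[str, object],
                        user_permission: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one connection attempt."""
    policy = first_matching_policy(policies, attempt)
    if policy is None:
        return False, "no policy matched the attempt"
    if not policy.grant:
        # A policy can be set to deny everyone who satisfies its conditions,
        # and that decision is made before the dial-in permission is looked at.
        return False, f"denied by policy '{policy.name}'"
    if user_permission == ALLOW:
        return True, f"dial-in permission is Allow Access (matched '{policy.name}')"
    if user_permission == DENY:
        return False, "dial-in permission is Deny Access"
    # CONTROL: the profile on the matched policy decides.
    if not profile_satisfied(policy.profile, attempt):
        return False, f"profile of policy '{policy.name}' not met"
    return True, f"accepted by policy '{policy.name}'"


def session_still_allowed(profile: Profile, minutes_connected: int, minutes_idle: int) -> bool:
    """Profile limits keep being enforced after the connection is up; the Figure 7.6
    example (120 minute session, 15 minute idle) maps to Profile(120, 15)."""
    if profile.session_timeout is not None and minutes_connected >= profile.session_timeout:
        return False
    if profile.idle_timeout is not None and minutes_idle >= profile.idle_timeout:
        return False
    return True


# Constructed policy list: the specific deny policy sits above the general grant policies.
POLICIES = [
    Policy("Deny contractors after hours",
           {"group": "Contractors", "after_hours": True}, grant=False),
    Policy("Sales VPN users",
           {"group": "Sales", "connection": "VPN"}, grant=True,
           profile=Profile(session_timeout=120, idle_timeout=15, require_encryption=True)),
    Policy("All other dial-up users",
           {"connection": "dial-up"}, grant=True,
           profile=Profile(session_timeout=60, idle_timeout=10)),
]

if __name__ == "__main__":
    attempt = {"group": "Sales", "connection": "VPN", "encrypted": True}
    print(evaluate_connection(POLICIES, attempt, CONTROL))
```

Note how a contractor who matches the deny policy is rejected even when the account's dial-in permission is Allow Access: the deny condition is met first, so the permission is never consulted, exactly the ordering the chapter describes.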

Designing Access to Internal Resources


You provide remote access to the network to increase user productivity. As mentioned
previously, the challenge is to do this without sacrificing security. One tool that can assist
you in this challenge is IP filters. You can filter each remote access connection to control
a user's remote access to network resources. You need to become familiar with the
following IP filters:

• Input filters— These control the packets that the interface receives based on
identifying the destination address, destination mask, and protocol. You can set
the Filter Action setting to permit or deny the identified traffic, as shown in Figure
7.7.

Figure 7.7. Input filters control packets that the interface
receives based on identifying the destination address,
destination mask, and protocol.

You should know the difference between filters and filter actions.
Filters are used to identify traffic. Filter actions determine whether a
packet is permitted or denied through an interface after it is
identified.

• Output filters— These control the packets that the interface sends based on
identifying the destination address, destination mask, and protocol. You can set
the Filter Action setting to permit or deny the identified traffic, as shown in Figure
7.8.

Figure 7.8. Output filters control traffic that the interface sends based on identifying the destination address, destination mask, and protocol.
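The exam tip above, that a filter only identifies traffic while the filter action decides what happens to it, is easier to see in code than in the dialog box. The block below is an added example, not code from this book or from the Routing and Remote Access service: each filter carries only a destination address, a destination mask, and a protocol, and a single Filter Action on the list is applied to every packet some filter identifies, with unidentified packets receiving the opposite treatment. The subnets, filter lists and packets are constructed for illustration.

```python
"""Model of IP packet filters on a remote access interface, one list per direction.

Added example, not Microsoft code. A filter only identifies traffic by destination
address, destination mask, and protocol; the list's single Filter Action decides whether
identified packets are permitted or denied, and unidentified packets get the opposite
treatment. Addresses and filters below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PERMIT = "permit"
DENY = "deny"


@dataclass(frozen=True)
class IPFilter:
    """Identifies packets; says nothing about what happens to them."""
    destination: str    # "address/mask" as typed in the filter dialog, e.g. 10.1.5.0/255.255.255.0
    protocol: str       # "tcp", "udp", "icmp" or "any"

    def identifies(self, dst_ip: str, protocol: str) -> bool:
        # ipaddress accepts both dotted-decimal masks and prefix lengths.
        network = ipaddress.ip_network(self.destination, strict=False)
        in_network = ipaddress.ip_address(dst_ip) in network
        return in_network and self.protocol in ("any", protocol)


@dataclass
class FilterList:
    """One direction (input or output) of an interface: its filters plus one Filter Action."""
    filters: List[IPFilter]
    action: str          # PERMIT or DENY, applied to packets that some filter identifies

    def identified(self, dst_ip: str, protocol: str) -> bool:
        return any(f.identifies(dst_ip, protocol) for f in self.filters)

    def decide(self, dst_ip: str, protocol: str) -> str:
        if self.identified(dst_ip, protocol):
            return self.action
        return DENY if self.action == PERMIT else PERMIT


# Constructed input filter list: remote users may only reach the intranet web subnet over TCP.
INPUT_FILTERS = FilterList(
    filters=[IPFilter("10.1.5.0/255.255.255.0", "tcp")],
    action=PERMIT,
)

# Constructed output filter list: nothing destined for the finance subnet leaves the interface.
OUTPUT_FILTERS = FilterList(
    filters=[IPFilter("10.1.200.0/255.255.255.0", "any")],
    action=DENY,
)


def trace(filter_list: FilterList, packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run constructed (destination, protocol) pairs through a list and record each decision."""
    return [(dst, proto, filter_list.decide(dst, proto)) for dst, proto in packets]


if __name__ == "__main__":
    for row in trace(INPUT_FILTERS, [("10.1.5.20", "tcp"), ("10.1.5.20", "udp"), ("10.1.9.3", "tcp")]):
        print("input ", row)
    for row in trace(OUTPUT_FILTERS, [("10.1.200.7", "udp"), ("10.1.5.20", "tcp")]):
        print("output", row)
```

Flipping only the action on the same filter list inverts every decision, which is the practical meaning of the tip: when a filter behaves unexpectedly, check the Filter Action before editing the filters themselves.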

Designing Remote Access with Internet Authentication Services
As you can imagine, remote access policies can become rather complex and difficult to
manage in large organizations, especially when the organization uses multiple remote
access servers, each containing its own policies. To centralize management of multiple
remote access servers, you can use Internet Authentication Service (IAS). IAS servers
use the Remote Authentication Dial-In User Service (RADIUS) protocol to centralize
authentication and accounting.

After you install IAS on one server, you can configure all remote access servers to
authenticate requests through the IAS (RADIUS) server, as shown in Figure 7.9. You can
also create a central accounting log for all remote access to your network. This
centralization gives you better control and more accurate accounting of remote access.
All of the remote access policies that were configured on the remote access servers can
be managed from the IAS server, as shown in Figure 7.10.

Figure 7.9. You can centralize authentication and accounting using an IAS server and the RADIUS protocol.

Figure 7.10. Your IAS server centralizes the management of remote access policies.

Designing a Strategy for Securing Client Computers
As the saying goes, "A chain is only as strong as its weakest link." This certainly applies
to your network security as well. If you spend all of your time and effort "beefing up"
security on the servers, but you don't do anything about the security of the clients
themselves, an attacker can easily find your "weakest link." Microsoft recognizes that
cyber crime is growing at an alarming rate and recommends that you protect your
network by securing the clients and securing the operating system features that control
the clients. Your strategy for securing client computers needs to include the following
components:

• Designing a strategy for hardening client operating systems
• Designing a strategy for restricting user access to operating system features

Designing a Strategy for Hardening Client Operating Systems


Each new release of a Microsoft client has security enhancements. If your network has all
of the latest client operating systems, you are way ahead of a network that does not.
Advancements in technology have paved the way for increased security in regard to
authentication, encryption, firewalls, and so on. The catch is that these often work with
their "partners," which means that the client has to have the latest technology to take
advantage of the advanced security capabilities of the server. Having said that, there are
also some practices that you can follow to enhance security, regardless of your type of
client operating systems. Your strategy for hardening client operating systems needs to
include the following:

• When possible, upgrade to the latest client operating system— Windows XP
and Windows 2000 Professional are inherently much more secure than Windows
NT Workstation and Windows 95. In addition, Windows XP and Windows 2000
clients can be controlled by Group Policy, which gives you a wide array of security
options not available with previous clients.
• Install and continue to update the latest security patches and fixes on all
clients— Use Software Update Services (SUS) when possible, as we discussed in
Chapter 4, "Creating the Physical Design for Network Infrastructure Security."
• Use Microsoft Baseline Security Analyzer (MBSA) to scan clients and
determine security weaknesses— You can use MBSA to examine one or many
clients, as we discussed in Chapter 5, "Designing Server-Specific Security."
• Uninstall or disable all unused services or protocols— An attacker can
exploit these to gain entrance to your network and its resources.
• Use the host firewalls and filters built in to the newer clients— For
example, Windows XP has a built-in firewall to provide additional security at the
client. This should be used in addition to network security. You can control this
setting on multiple computers using Group Policy.
• Use antivirus software and update it regularly— You need to use antivirus
software on servers and clients to identify and eradicate viruses. You can use
Group Policy and scripting to distribute antivirus updates.
• Use Encrypting File System (EFS) to secure sensitive information on
laptops— EFS is the best way to secure files and folders in the event that the
laptop is lost or stolen.

You should know for the exam that any protocols or services that are
not being used should be uninstalled. This is because they represent a
potential security risk.

Designing a Strategy for Restricting User Access to Operating System Features
As part of your security strategy, you need to ensure that only administrators are able to
make changes that affect connectivity, performance, and security. This is obvious in
regard to servers, but it also applies to clients. For example, if you carefully configure a
proxy server to control all communication out of your network onto the Internet, the last
thing you need is for a user to install a modem and plug it into the fax machine
telephone line!

You can use Group Policy to control a user's access to operating system features that can
affect connectivity, performance, and security. Most of the settings that control this type
of access are in the User Configuration/Administrative Templates section, as shown in
Figure 7.11. These settings modify templates called .adm files, which are used to make
changes to the Registry in all of the computers to which the Group Policy applies.
Administrative Templates found in the User Configuration section include

• Windows Components— Includes Internet Explorer, Task Scheduler, Terminal
Services, and many more
• Start Menu and Taskbar— Controls the user's ability to see and to manipulate
items on the Start menu
• Desktop— Controls what a user sees on his desktop and his ability to search
Active Directory
• Control Panel— Controls a user's access to Control Panel
• Shared Folders— Controls the publishing of shared folders in Active Directory
• Network— Controls the ability to use Offline Files and Folders and to change the
settings
• System— Controls the ability to run scripts and to manage Group Policies

Figure 7.11. Administrative Template settings modify .adm files, which are then used as templates to make changes to the Registry of computers affected by the Group Policy.

Exam Prep Questions
Case 1: MTC Inc.
MTC Inc. is a publishing company for technical materials. MTC has one large office with
more than 10 servers and more than 200 client computers. They have upgraded some
clients to Windows XP, but still have some client computers running Windows 2000
Professional, Windows 95, and Windows NT Workstation. Some users work from home
with laptops dialed in to the network through the remote access server.

MTC Inc. is concerned with the physical security of their network and the vulnerability of
their authentication systems both internal to the network as well as from outside of the
network. They have hired you as a consultant to assist in hardening their physical design
for client infrastructure security.

Q1 Which type of authentication do MTC's Windows 95 clients use?

• A. NTLM
• B. LM
• C. NTLMv2
• D. Kerberos

A1: Answer B is correct. Windows 95 clients can only use LAN Manager (LM)
authentication. By today's standards, LM authentication is very easy to crack. NTLM
authentication can only be used by Windows NT Workstation and newer clients;
therefore, answer A is incorrect. NTLMv2 can only be used by NT Workstation with
SP4 and newer clients; therefore, answer C is incorrect. Kerberos authentication can
only be used by Windows 2000, Windows XP, and Unix clients; therefore, answer D
is incorrect.

Q2 Which of the following practices would you recommend to increase security? (Choose
two.)

• A. Set the account lockout duration to 0.
• B. Enforce a password history of 0 passwords remembered.
• C. Require the use of complex passwords.
• D. Change the default Administrator account name to the actual name of the
administrator of the network.

A2: Answers A and C are correct. Setting the account lockout duration to 0 requires that
an administrator unlock a locked-out user. Requiring the use of complex passwords
makes passwords much more difficult to guess or to crack with brute-force attacks
against the server. Remembering passwords prevents users from continually reusing a
favorite password, thus increasing security. Enforcing a password history of 0
passwords causes no passwords to be remembered; therefore, answer B is incorrect.
You need to change the default Administrator account name to a name that does not
stand out and is not easily guessed about the administrator; therefore, answer D is
incorrect.

Q3 Which component of a remote access policy is continually monitored throughout a
user's session?

• A. Conditions
• B. Permissions
• C. Profile
• D. Group Policy

A3: Answer C is correct. Profile is the only component of remote access policy that
continues to be monitored after a connection is made. The user must meet and
continue to meet the attributes in the profile settings. Conditions are only checked on
the initial connection attempt; therefore, answer A is incorrect. Permissions are only
checked on the initial connection attempt; therefore, answer B is incorrect. Group
Policy is not a component of remote access policy; therefore, answer D is incorrect.

Q4 If MTC's domain is in Windows 2000 mixed mode, which options do they have for
dial-in permissions? (Choose two.)

• A. Control Access Through Remote Access Policy
• B. Grant Access with Restrictions
• C. Allow Access
• D. Deny Access

A4: Answers C and D are correct. If the domain is in Windows 2000 mixed mode
functional level, the only options for dial-in permissions are Allow Access and Deny
Access. The option to Control Access Through Remote Access Policy is only available
if the domain is in at least Windows 2000 native mode functional level; therefore,
answer A is incorrect. Grant Access with Restrictions is not a dial-in permissions
option; therefore, answer B is incorrect.

Q5 Which setting determines whether a packet is permitted or denied access through an
interface based on its IP address?

• A. IP filter
• B. Group Policy
• C. DHCP
• D. IP filter action

A5: Answer D is correct. IP filter actions are set to permit or deny traffic identified by IP
filters. IP filters only identify traffic; therefore, answer A is incorrect. Group Policy
does not control IP traffic; therefore, answer B is incorrect. DHCP assigns IP
addresses in the network, but does not filter traffic; therefore, answer C is incorrect.

Q6 Which components does IAS centralize in a network with multiple remote access
servers? (Choose two.)

• A. Authentication
• B. Group Policies
• C. User administration
• D. Accounting

A6: Answers A and D are correct. IAS centralizes authentication and accounting in
networks with multiple RAS servers. IAS cannot centralize Group Policies; therefore,
answer B is incorrect. IAS cannot centralize user administration; therefore, answer C
is incorrect.

Q7 Which of MTC's client operating systems have built-in host firewalls?

• A. Windows 2000 and Windows XP


• B. Only Windows XP
• C. All clients have host firewalls.
• D. Windows 95 and Windows XP

A7: Answer B is correct. Only Windows XP clients have a built-in host firewall. Windows
2000 does not have a built-in host firewall; therefore, answer A is incorrect. Only the
Windows XP clients have a built-in host firewall; therefore, answer C is incorrect.
Windows 95 does not have a built-in host firewall; therefore, answer D is incorrect.

Q8 Which settings can you use administrative templates in Group Policy to modify?
(Choose two.)

• A. IP addresses
• B. Hostnames
• C. Active Directory search capability
• D. Terminal Services

A8: Answers C and D are correct. Administrative templates can be used to modify many
settings, including Active Directory search capability and Terminal Services.
Administrative templates cannot be used to modify IP addresses; therefore, answer
A is incorrect. Administrative templates cannot be used to modify hostnames;
therefore, answer B is incorrect.

Q9 Which of the following should MTC use to secure files and folders on the users'
laptops?

• A. NTFS permissions
• B. Shares
• C. EFS
• D. Offline Files and Folders

A9: Answer C is correct. EFS is the best way to secure files and folders on a laptop that
could be lost or stolen. NTFS permissions could be overridden by reinstalling the
operating system; therefore, answer A is incorrect. Share permissions do not apply
in this situation; therefore, answer B is incorrect. Offline Files and Folders is a
service, not a way to secure files and folders; therefore, answer D is incorrect.

Q10 Which of the following are components of User Configuration/Administrative
Templates in Group Policy? (Choose two.)

• A. System
• B. Control Panel
• C. Security settings
• D. Folder redirection

A10: Answers A and B are correct. System and Control Panel are both components of
Administrative Templates for users in Group Policy. Security settings are a
component of Windows settings in Group Policy; therefore, answer C is incorrect.
Folder redirection is a component of Windows settings in Group Policy; therefore,
answer D is incorrect.

Chapter 8. Practice Exam #1
Answer the questions following each case study based on the information provided in the
case study.

Case 1: IntelliSync Inc.


IntelliSync Inc. Overview
IntelliSync Inc. is a medium-size manufacturing company located primarily in the
southeastern United States. IntelliSync designs and builds robotic machines for use on
assembly lines. Because it uses the latest technology to design new machines that will
eventually receive a patent, security is of great concern to IntelliSync.

Geographical Design and Locations


In addition to the corporate headquarters in Atlanta, IntelliSync has five other locations,
including Birmingham, Jacksonville, Nashville, Memphis, and Houston. The company is
planning to open two new locations in Dallas and Miami.

Current Network Infrastructure


IntelliSync uses Windows NT Server on all of its networks and currently has a
domain at each location. All domains are managed from the corporate location.
Administrators use Telnet to connect to servers and make configuration changes. All
domains have the same account policies. Client computers run Windows 95, Windows NT
Workstation, Windows 2000 Professional, and Windows XP Professional. Users in the
various offices communicate with each other through Remote Access Service (RAS)
servers, using dial-up connections to each office's RAS server.

Proposed Network Infrastructure


IntelliSync plans to upgrade all Windows NT domain controllers to Windows Server 2003
within the next 12 months. The company is open to the prospect of upgrading its clients
as well; however, each client upgrade will have to be justified.

Security Concerns
The security team at IntelliSync has identified the following security concerns:

• Local area network communications are passed through the network in clear text;
someone with a minimum amount of knowledge could sniff these out.
• DNS updates are not secure, so there is concern about an attacker spoofing the
network.
• An administrator has inadvertently given a user full administrative rights by
mistakenly leaving his administrative account logged on to a user's computer.
• There is currently no real disaster recovery plan.
• There is no effective method of automatically distributing antivirus software
updates to all clients.
• Some clients cannot use the latest forms of authentication to RAS servers.
• Some laptops contain sensitive information. This information needs to be kept
secure at all times, even if a laptop is lost or stolen.

Security Commentary
CEO: An administrator leaving himself logged on to a user's computer and accidentally
giving a user full administrative rights is unacceptable. I want a system in place that
prevents this from happening.

CIO: We spend a great amount of time fixing the trusts between the domains. I want to
reduce the number of domains to a necessary minimum.

Senior Administrator: I want a remote administration tool that allows me to view multiple
desktops and manage multiple servers from one location.

Q1 How many domains will IntelliSync need after they upgrade all domain controllers to
Windows Server 2003?

• A. 2
• B. 1
• C. 6
• D. There isn't enough information to determine this answer.

Q2 Which Windows Server 2003 feature should IntelliSync use to encrypt all local
communication between servers and clients?

• A. NTLMv2
• B. IPSec tunnel mode
• C. EFS
• D. IPSec transport mode

Q3 Which clients might use LM authentication? (Choose two.)

• A. Windows 95
• B. Windows NT Workstation
• C. Windows 2000 Professional
• D. Windows XP Professional

Q4 Which of the features in Windows Server 2003 can be used to satisfy the concern of
the CEO? (Choose two.)

• A. Group Policy
• B. Remote Administration
• C. Run as
• D. RSoP

Q5 With IntelliSync's current infrastructure, which clients can use Microsoft Challenge
Handshake Authentication Protocol version 2 (MS-CHAPv2) for dial-up authentication
to RAS servers?

• A. Only Windows XP
• B. Windows XP and Windows 2000 Professional
• C. All clients
• D. All clients except Windows 95

Q6 Which technology should IntelliSync use to create more secure RAS connections and
eliminate the use of modems on the server?

• A. DDR
• B. VPN
• C. WINS
• D. NAT

Q7 If IntelliSync decides to use VPN, which of their clients will be able to use MS-
CHAPv2 to authenticate to the RAS servers through the VPN connection using an
L2TP tunnel?

• A. All clients
• B. All clients except for Windows 95
• C. Only Windows 2000 Professional and Windows XP Professional clients
• D. Only Windows XP clients

Q8 IntelliSync has decided to create a disaster recovery plan that will include an
alternate site for the corporate location. This site will be maintained with the
appropriate power, connectivity, and space requirements to facilitate the use of their
servers. The servers and other appropriate equipment will be quickly moved to this
location in the event of a disaster, such as a flood or blackout. Which type of site
have they chosen?

• A. Hot site
• B. Cold site
• C. Warm site
• D. It's impossible to tell from the information given.

Q9 Which Windows Server 2003 tool should the company use to automatically distribute
antivirus software updates to all clients?

• A. Remote Access Policy
• B. Access control lists
• C. Software Update Services
• D. Group Policy

Q10 Which type of DNS zones should IntelliSync use to ensure secure dynamic updates?

• A. Standard Primary
• B. Active Directory integrated
• C. Stub
• D. Standard Secondary

Q11 Which Windows Server 2003 tool should be used to satisfy the request of the Senior
Administrator?

• A. Remote Desktop Connection
• B. Remote Assistance
• C. Remote Desktops MMC
• D. Computer Management

Q12 Which of their clients can use Group Policies distributed by the new Windows Server
2003 servers?

• A. All clients
• B. Windows NT Workstation and newer clients
• C. Only Windows XP clients
• D. Windows 2000 Professional and newer clients

Q13 Which of their clients will only use NetBIOS name resolution to locate services on the
network? (Choose two.)

• A. Windows NT Workstation
• B. Windows XP Professional
• C. Windows 2000 Professional
• D. Windows 95

Q14 Which file system should be formatted onto the partitions of the laptops with the
sensitive information?

• A. EFS
• B. NTFS
• C. FAT32
• D. Any file system will work.

Q15 Which additional features might be used to justify the expense of upgrading
Windows 95 and Windows NT Workstation client computers? (Choose two.)

• A. Kerberos authentication
• B. System Policy Editor
• C. Layer Two Tunneling Protocol
• D. Point-to-Point Tunneling Protocol

Case 2: ComForce
ComForce Overview
ComForce is a large communications company with locations in the United States and
seven other countries. The company currently has about 5,000 users and is growing
rapidly. ComForce develops modem software that increases the speed of a standard dial-
up connection to at least 10 times the normal 56-Kbps link. It is working on a similar
system for cable modems. The details of how this software operates are a closely
guarded secret. ComForce wants to keep it that way!

Geographical Design and Locations


In addition to corporate offices in San Diego, ComForce has six satellite offices in
Sydney, Tokyo, Paris, Rome, London, and Singapore. Each location has a person
designated as a network administrator with full administrative rights.

Current Network Infrastructure


Each location is a separate Windows NT 4.0 domain with a PDC and at least one BDC.
Two one-way trusts are used to form two-way trust relationships between each domain
and all other domains. Some Windows 2000 Server servers are used as member servers.
Client computers run Windows 98, Windows 2000 Professional, and Windows XP
Professional. Some users dial in with laptops from home.

Proposed Network Infrastructure


ComForce wants to migrate all domain controllers to Windows Server 2003 within the
next 12 months. Client computers might be upgraded if the cost can be justified.

Security Concerns

The security team at ComForce has identified the following security concerns:

• The network administrators need to provide for secure extranet relationships.
• The network administrators need to develop a system that automatically assists in
locating and loading the latest security patches.
• File security on laptops, some of which still run Windows 98, must be improved.
• The company needs a system that establishes centralized security policies for
each location according to its own needs.
• The network administrators need a tool to help manage permissions granted from
multiple groups.
• The network administrators need to design an efficient type of group management
for access to resources in each domain.
• All traffic within each location and between locations needs to be encrypted.
• Overall, administrative authority needs to come from corporate, with some
delegation at each of the other locations.
• All logons to each domain need to be audited. All logons to member servers need
to be audited.

Security Commentary
CEO: We cannot afford to have another episode like that Blaster virus—or whatever it
was called! We must keep up with the latest security updates from Microsoft.

CIO: It's time-consuming to fix the trusts every time we want to do something. We need
separate domains for each country for legal reasons, but I still want to manage fewer
trusts.

Senior Administrator: I need a way to verify whether the latest security patches are on
the servers and clients.

Q1 After migrating all domain controllers to Windows Server 2003, how many trusts will
have to be added to facilitate managing all of the domains?

• A. 6
• B. 0
• C. 12
• D. There isn't enough information to determine this answer.

Q2 Which authentication technologies should ComForce consider in relation to providing
secure extranet access? (Choose two.)

• A. PKI
• B. EFS
• C. NAT
• D. Active Directory

Q3 Which tool should ComForce use to ensure that its clients have the latest security
patches and to check for other known security vulnerabilities?

• A. SUS
• B. RSoP
• C. MBSA
• D. GPMC

Q4 Which services should be used on the servers at each location to manage the latest
security updates and distribute them to the appropriate clients? (Choose two.)

• A. Automatic Updates
• B. SUS
• C. Group Policy
• D. Remote Access Policy

Q5 Which clients can be centrally controlled at each location using Group Policy?

• A. All clients
• B. Windows XP only
• C. Windows 2000 only
• D. Windows 2000 and newer clients

Q6 Which suggestions should ComForce consider to improve security on the laptops?
(Choose two.)

• A. Upgrade the laptops to Windows XP.
• B. Change the account policies on the laptops.
• C. Use Offline Files and Folders.
• D. Use EFS (after the upgrade).

Q7 Which service should ComForce use to encrypt all traffic within each of their
locations?

• A. IPSec tunnel mode
• B. NTFS
• C. EFS
• D. IPSec transport mode

Q8 Which service should ComForce use to eliminate the use of modems on the RAS
servers and to improve security?

• A. DHCP
• B. VPN
• C. NAT
• D. DDR

Q9 Which protocols should ComForce consider for tunneling VPN traffic between
locations? (Choose two.)

• A. L2TP
• B. PPTP
• C. PPP
• D. IPSec transport mode

Q10 Which tunneling protocol has an inherent form of encryption when used with
Microsoft servers and clients?

• A. L2TP
• B. PPP
• C. IPSec
• D. PPTP

Q11 Which events should be audited to satisfy the audit requirements? (Choose two.)

• A. Logon events on all domain controllers
• B. Logon events on all member servers
• C. Account logon events on all member servers
• D. Account logon events on all domain controllers

Q12 How should ComForce design group management for the most efficient control of
access to resources within each domain?

• A. Assign permissions directly to each user for the resources that he requires.
• B. Assign permissions to a Global group for users who need access to the
same resource and then place the users into the Global group.
• C. Assign permissions to Universal groups and then place the users into the
Universal groups.
• D. Place the users into Global groups based on their resource needs. Place the
Global groups into the appropriate Domain Local groups. Assign permissions
to the Domain Local groups.

Q13 Which type of group should be assigned permissions for access to a resource on one
computer in a domain?

• A. Local
• B. Domain Local
• C. Global
• D. Universal

Q14 After migrating all domain controllers and raising them to Windows Server 2003
functional level, which strategy should the company use to give access to users
located in multiple domains in a forest if the resource also exists in multiple domains
in the forest? (Choose four. Each answer is part of the solution.)

• A. Place all of the user accounts into the same Global group.
• B. Place the user accounts into a Global group in their own domain.
• C. Give the Domain Local groups in each domain permissions for the resource
in their domain.
• D. Place all of the Global groups into the same Universal group.
• E. Place the universal groups into the Domain Local groups in each domain.
• F. Give the Domain Local groups in each domain permissions for the resource
in all domains.

Q15 Which permissions will the Effective Permissions tool assist ComForce in managing?

• A. Shares and NTFS permissions for all users and groups
• B. Shares and NTFS permissions for users only
• C. NTFS permissions for users only
• D. NTFS permissions for users and groups

Case 3: GWC Inc.
GWC Inc. Overview
GWC Inc. is a medium-size distributor of auto parts located in the northeastern United
States. GWC has been in business for more than 20 years and has seen tremendous
changes in its business. It currently has a need to provide Web servers and FTP servers
for access by GWC employees and customers. In addition, GWC wants to tighten security
in several areas based on your recommendations.

Geographical Design and Locations


In addition to the home office in Detroit, GWC has four satellite offices located in
Pittsburgh, Cleveland, Chicago, and Milwaukee. The company is currently considering
opening another location in Detroit.

Current Network Infrastructure


GWC currently has one domain for the entire company. Domain controllers are servers
that run Windows 2000 Server. The company has one domain controller at each of the
satellite locations and two domain controllers in Detroit. Client computers run Windows
95, Windows NT Workstation, Windows 2000 Professional, and Windows XP Professional.

Proposed Network Infrastructure


GWC is upgrading all of its domain controllers to Windows Server 2003. The company will
keep its one-domain design. After the upgrades, the domain functional level will be
raised to Windows Server 2003 functional level. The client computers will all be upgraded
to Windows XP Professional.

Security Concerns

The security team at GWC has identified the following security concerns:

• Applications that run on the current IIS servers are not stable. When one
application crashes, other applications can crash as well.
• Users have lost valuable information on file servers by accidentally altering and
saving a file.
• It is difficult to determine the resulting permissions of a user who is in multiple
groups.
• Users must be required to use complex passwords as defined by the new Windows
Server 2003 system.
• Some sensitive files, such as the payroll files, will need to be audited for access or
attempted access by any parties.
• EFS is in common use on the laptops. A Recovery Agent computer will be set up
as part of the upgrade. There is concern about the process of recovering files
when a user's private key becomes corrupt.
• All services that are no longer used after the upgrade must be uninstalled.
• DNS updates must be automatic and secure for all clients and servers after the
upgrade.

Security Commentary
CFO: If we are going to spend a lot of money, we need to take advantage of every new
feature in Windows Server 2003.

CIO: I need a tool to quickly determine all of the roles that a server currently has and
make changes if necessary.

Cleveland Office Manager: I don't want to be a network administrator, but it would be
nice to be able to manage some of the users and computers in my own office.

Q1 Which new features in Windows Server 2003 IIS will address the stability concern
with regard to Web applications? (Choose two.)

• A. Application pools
• B. IIS 5.0 isolation mode
• C. Worker process isolation mode
• D. HTTP keep-alives

Q2 Which new feature in Windows Server 2003 can address the concern of losing
information in files that are accidentally altered and saved?

• A. Incremental backups
• B. Differential backups
• C. Volume shadow copies
• D. ASR

Q3 Which new tool in Windows Server 2003 can be used to determine the resulting
NTFS permissions of a user or group that is a member of multiple groups?

• A. GPMC
• B. RSoP
• C. Effective permissions
• D. Access control lists

Q4 Which tools can be used to set the requirement for complex passwords? (Choose
two.)

• A. Active Directory Sites and Services
• B. Group Policy Editor MMC
• C. Domain Security Policy
• D. Active Directory Domains and Trusts

Q5 Which steps are involved in setting the auditing of sensitive files and folders to
satisfy GWC's auditing requirements? (Choose three. Each answer is part of the
solution.)

• A. Set Audit Privilege Use for success.
• B. Set Audit Object Access for success.
• C. Set the ACLs for the files and folders to be audited.
• D. Set Audit Object Access for failure.
• E. Set the SACLs for the files and folders to be audited.
• F. Set Audit Privilege Access for failure.

Q6 After all of the clients are upgraded to Windows XP, which service might GWC
consider uninstalling, provided that no application is using it?

• A. DNS
• B. NetLogon
• C. DHCP
• D. WINS

Q7 Which two methods could be used by the Recovery Agent to recover encrypted
files when the user's private key has become corrupt, without risking exposure of
the information contained in the files? (Choose two.)

• A. Take the encrypted file to the Recovery Agent computer using removable
media.
• B. Export the Recovery Agent's private key onto a floppy disk and take it to
the user's computer.
• C. Exchange the user's key to the file with the Recovery Agent's key.
• D. Copy the encrypted file through the network to the Recovery Agent
computer.

Q8 Which tool should the CIO use to quickly determine all of the roles of a server and
make changes if necessary?

• A. Manage Your Server
• B. Active Directory Users and Computers
• C. Computer Management console
• D. System Monitor

Q9 Which tools could you use to give the Cleveland Office Manager limited
administrative rights for users and computers in Cleveland? (Choose two.)

• A. Access control lists
• B. Active Directory Sites and Services
• C. Remote Desktops MMC
• D. Delegation of Control Wizard

Q10 After the migration to Windows Server 2003, which type of DNS zones should be
used to ensure secure dynamic updates?

• A. All zone types are secure in Windows Server 2003.
• B. Standard Primary zones only.
• C. Active Directory integrated zones only.
• D. Active Directory integrated and Standard Primary zones.

Q11 Which new Windows Server 2003 tool should GWC use to distribute Group
Policies?

• A. GPMC
• B. Group Policy Editor MMC
• C. RSoP
• D. Gpupdate

Q12 After the upgrade, which protocols can GWC use to authenticate customers to
their Web site? (Choose two.)

• A. .NET Passport
• B. Certificates
• C. NTLM
• D. MS-CHAPv2

Q13 Which Web server authentication protocols can only be used if a user has an
account in Active Directory? (Choose two.)

• A. Integrated Windows
• B. Certificate
• C. Basic
• D. Digest

Q14 Which type of authentication should be used as a last resort because the
username and password are sent over the wire in clear text?

• A. Anonymous
• B. Basic
• C. Digest
• D. Certificate

Q15 Which types of Web authentication do not require the user to enter a username or
password? (Choose three.)

• A. Digest
• B. Integrated Windows
• C. Certificates
• D. Anonymous access
• E. Basic

Case 4: PowerTran
PowerTran Overview
PowerTran is a medium-size company that uses sophisticated software to buy and resell
electricity at a profit. It operates primarily in the southeastern United States. PowerTran
management is very concerned about security.

Geographical Design and Locations
In addition to the corporate office in Atlanta, PowerTran has five satellite offices in
Birmingham, New Orleans, Jacksonville, Nashville, and Orlando. The company is
currently considering a location in Miami.

Current Network Infrastructure
All domain controllers run Windows NT 4.0. Each location was created as its own domain
and has a PDC and a BDC. All users are in the Master domain in Atlanta. All other
locations are resource domains that trust the Atlanta domain. The Atlanta domain does
not trust the resource domains. Most client computers run Windows 95, Windows NT
Workstation, Windows 2000 Professional, and Windows XP Professional. A few clients are
Unix-based.

Proposed Network Infrastructure
All domain controllers will be upgraded to Windows Server 2003. Clients might be
upgraded as needed, but the cost will have to be justified.

Security Concerns

The security team at PowerTran has identified the following security concerns:

• Reduce the number of domains to the minimum number needed.
• All clients need to be able to use the Kerberos protocol.
• Group Policies will be used to control security.
• Multiple firewalls will be used to create a perimeter area for some servers.
• Run the best possible automatic backups of files on the file servers.
• IIS 6.0 will be used for Web applications.
• The company is considering secure methods of access for extranet partners and
clients.
• Demand-dial routing will be used for some remote offices.
• Some offices are beginning to use wireless networking.
• The HKEY_LOCAL_MACHINE settings on some member servers need to be audited
for changes or even attempted changes.

Security Commentary
CEO: I'm concerned about the wireless networks. I've read that they are not secure. If
we need to use wireless technology, make it as secure as possible.

CIO: After the upgrade, I want to establish a baseline of performance on our new IIS
servers.

Network Administrator: I am willing to let a designated user at each location perform
some basic network administration. We need to organize the network to make that
possible.

Q1 How many domains does PowerTran need after their migration to Windows Server
2003?

• A. 6
• B. 1
• C. 2
• D. There is not enough information to know.

Q2 Which of PowerTran's current clients can use the Kerberos protocol? (Choose three.)

• A. Windows 95
• B. Windows XP Professional
• C. Windows 2000 Professional
• D. Windows NT Workstation
• E. Unix

Q3 Which types of servers should be placed into the perimeter network (between the
internal and external firewalls)?

• A. Domain controllers
• B. DHCP servers
• C. Web servers
• D. FTP servers

Q4 With a default installation of Windows Server 2003, Standard Edition, which services
will IIS 6.0 provide?

• A. Only static content
• B. All services
• C. ASP and .NET applications
• D. No services

Q5 With a default installation of IIS 6.0, which services will be provided?

• A. Only static content
• B. All services
• C. ASP and .NET applications
• D. No services

Q6 Which security feature can be applied to certificates issued to extranet partners to
avoid unintended consequences?

• A. CA constraints
• B. NTFS permissions
• C. Connection timeouts
• D. HTTP compression

Q7 Which service should PowerTran use to automatically and temporarily connect
remote offices to the network when needed?

• A. NAT
• B. Proxy
• C. Firewall
• D. DDR

Q8 Which counters might be used to establish a baseline of performance on the IIS 6.0
servers?

• A. Processor Queue Length
• B. Memory Available Bytes
• C. CRC Errors
• D. Serial Overrun Errors

Q9 Which type of wireless networking should PowerTran use to provide the strongest
security?

• A. WEP
• B. Wi-Fi
• C. RADIUS
• D. PEAP

Q10 Which tools can the network administrator use to give some specific administrative
rights to a user in each location's OU?

• A. ACLs
• B. Delegation of Control Wizard
• C. Active Directory Sites and Services
• D. Active Directory Domains and Trusts

Q11 Which tools should PowerTran use to create an automatic copy of files and folders on
the file servers? (Choose two.)

• A. Disk Management
• B. Computer Management
• C. Volume Shadow Copy service
• D. Backup or Restore Wizard

Q12 What should you do to audit the HKEY_LOCAL_MACHINE settings on the selected
member servers? (Choose three. Each answer is part of the solution.)

• A. Set the audit policy for the domain to Audit Object Access.
• B. Set the SACL of HKEY_LOCAL_MACHINE to Full Control for Success.
• C. Set the audit policy for the member servers to Audit Object Access.
• D. Set the ACL of HKEY_LOCAL_MACHINE to Full Control for Success.
• E. Set the SACL of HKEY_LOCAL_MACHINE to Full Control for Failure.
• F. Set the ACL of HKEY_LOCAL_MACHINE to Full Control for Failure.

Q13 Which are secure methods of giving network access to extranet partners? (Choose
two.)

• A. Certificates
• B. Active Directory
• C. Basic authentication
• D. NTLMv2

Q14 Which Web server authentication protocols can only be used if PowerTran gives
clients an account in Active Directory?

• A. Basic
• B. Certificate
• C. Integrated Windows
• D. Digest

Q15 Which new Windows Server 2003 tool should PowerTran use to distribute Group
Policies?

• A. Group Policy Editor MMC
• B. GPMC
• C. Gpresult
• D. Gpupdate

Chapter 9. Answer Key to Practice Exam #1
Case 1: IntelliSync Inc.

Case 2: ComForce

Case 3: GWC Inc.

Case 4: PowerTran

Case 1: IntelliSync Inc.

1. B
2. D
3. A, B
4. B, C
5. D
6. B
7. C
8. C
9. D
10. B
11. C
12. D
13. A, D
14. B
15. A, C

Q1 The correct answer is B. Only one domain is required because the overview states
that the account policies of all domains are the same and because there is no
physical limitation. Two domains are not required in this scenario; therefore,
answer A is incorrect. Six domains (one per location) are not required in this
scenario; therefore, answer C is incorrect. It is possible to determine the number
of domains that will be required; therefore, answer D is incorrect.

Q2 The correct answer is D. IPSec transport mode should be used to encrypt
communications between two computers on a LAN. NTLMv2 is an authentication
protocol used within a LAN; therefore, answer A is incorrect. IPSec tunnel mode is
a protocol used to encrypt communications between two networks; therefore,
answer B is incorrect. EFS is a protocol used to encrypt information stored on
drives; therefore, answer C is incorrect.

Q3 Answers A and B are correct. Windows 95 clients use LAN Manager (LM)
authentication. Windows NT Workstation clients prior to Service Pack 4 also use
LM authentication. Windows 2000 Professional clients use Kerberos in a domain or
NTLMv2 in a workgroup; therefore, answer C is incorrect. Windows XP Professional
clients use Kerberos in a domain or NTLMv2 in a workgroup; therefore, answer D
is incorrect.

Q4 Answers B and C are correct. The Remote Administration console can be used to
allow administrators to make changes to a user's computer without logging on to
it locally. The Run as command can be used to prevent the user from having full
administrator privileges, even if an administrator mistakenly leaves himself logged
on to a particular tool through a user's computer. Group Policy controls user and
computer settings but does not apply in this situation; therefore, answer A is
incorrect. RSoP can be used to model changes to a Group Policy but does not
affect this scenario; therefore, answer D is incorrect.

Q5 The correct answer is D. Because IntelliSync currently uses RAS servers with dial-
up connections, Windows 95 cannot authenticate with MS-CHAPv2. MS-CHAPv2 is
not limited to Windows XP clients; therefore, answer A is incorrect. MS-CHAPv2 is
not limited to Windows 2000 Professional and Windows XP Professional clients;
therefore, answer B is incorrect. Windows 95 clients cannot use MS-CHAP to
authenticate on dial-up connections; therefore, answer C is incorrect.

Q6 The correct answer is B. VPN connections through a RAS server are more secure
and eliminate the use of modems on the server. DDR is a technology that uses
modems to temporarily connect routes to remote offices; therefore, answer A is
incorrect. WINS is a name resolution service that resolves NetBIOS names to IP
addresses; therefore, answer C is incorrect. NAT is a service that allows one
registered IP address to be translated to multiple private IP addresses; therefore,
answer D is incorrect.

Q7 The correct answer is C. All of their clients can use MS-CHAPv2 for the VPN
connection; but only Windows 2000 Professional and Windows XP clients can use
L2TP. Windows 95 and Windows NT Workstation cannot use L2TP; therefore,
answer A is incorrect. Windows NT Workstation cannot use L2TP; therefore,
answer B is incorrect. Windows 2000 Professional clients can use L2TP; therefore,
answer D is incorrect.

Q8 The correct answer is C. A warm site consists of a building that has the correct
power, connectivity, and space requirements for the network equipment necessary
for a company to survive. A hot site is a location that has the backup servers and
other network equipment installed and operational; therefore, answer A is
incorrect. A cold site is basically a building that has been set aside to be used in
case of an emergency, with no real consideration given to power, connectivity, or
space requirements; therefore, answer B is incorrect. The description of
IntelliSync's site is that of a warm site; therefore, answer D is incorrect.

Q9 The correct answer is D. Group Policy should be used to assign the antivirus
software and then distribute the updates. Remote Access Policy controls access to
the network from outside of the network; therefore, answer A is incorrect. ACLs
control permissions to Active Directory objects; therefore, answer B is incorrect.
SUS is used to keep up with the latest Microsoft security updates. To this date,
Microsoft does not sell antivirus software; therefore, answer C is incorrect.

Q10 The correct answer is B. Only Active Directory integrated zones have secure
dynamic updates. This means that they only communicate with another object
that is authenticated and authorized by Active Directory. Standard Primary zones
do not allow for secure dynamic updates; therefore, answer A is incorrect. Stub
zones assist in name resolution in large networks, but do not facilitate secure
dynamic updates; therefore, answer C is incorrect. Standard Secondary zones are
read-only copies of Standard Primary zones and do not allow for secure dynamic
updates; therefore, answer D is incorrect.

Q11 The correct answer is C. The Remote Desktops MMC allows an administrator to
view the desktops and manage multiple servers and clients from a single location.
Remote Desktop Connection allows an administrator or user to view and control
the desktop of one remote computer; therefore, answer A is incorrect. Remote
Assistance allows an administrator to provide remote help for a user as requested
by the user; therefore, answer B is incorrect. Computer Management allows an
administrator to manage many computers, but does not allow him to see the
desktop; therefore, answer D is incorrect.

Q12 The correct answer is D. Windows 2000 Professional and newer clients can use
Group Policies distributed from Windows 2000 Server servers or Windows Server
2003 servers. Windows 9x and Windows NT Workstation clients cannot use Group
Policies; therefore, answer A is incorrect. Windows NT Workstation cannot use
Group Policies; therefore, answer B is incorrect. Windows 2000 Professional clients
can use Group Policies from Windows Server 2003 servers; therefore, answer C is
incorrect.

Q13 Answers A and D are correct. Clients prior to Windows 2000 Professional only use
NetBIOS name resolution to locate services on the network. Windows XP clients
use DNS name resolution with SRV records by default; therefore, answer B is
incorrect. Windows 2000 Professional clients use SRV records by default;
therefore, answer C is incorrect.

Q14 The correct answer is B. The partitions must be formatted with NTFS so that EFS
can be used to encrypt the sensitive data. EFS is not a file system that is
formatted onto a partition; therefore, answer A is incorrect. FAT32 does not
support EFS; therefore, answer C is incorrect. Only NTFS version 5 and higher file
systems support EFS; therefore, answer D is incorrect.

Q15 Answers A and C are correct. Only Windows 2000 Professional and newer clients
can use Kerberos authentication and L2TP. Both of these features would enhance
security for IntelliSync. System Policy Editor is a tool used to control system
policies for users and computers in Windows NT domains; therefore, answer B is
incorrect. PPTP is a tunneling standard that can be used by all Microsoft clients;
therefore, answer D is incorrect.

Case 2: ComForce

1. B
2. A, D
3. C
4. B, C
5. D
6. A, D
7. D
8. B
9. A, B
10. D
11. B, D
12. D
13. A
14. B, C, D, E
15. D

Q1 The correct answer is B. The domain controllers should all be in the same forest.
Implicit trust relationships automatically connect all of the domains. There is no
need to create any trusts; therefore, answers A and C are incorrect. Implicit trusts
are created automatically between the parent and child domains; therefore,
answer D is incorrect.

Q2 Answers A and D are correct. PKI can be used to control the issuance and use of
certificates to authenticate the extranet users. Active Directory can be used to
provide secure extranet access by adding the extranet users to a separate domain
or a separate OU. EFS is a service used to protect information on local drives, not
an authentication technology; therefore, answer B is incorrect. NAT can conserve
public addresses by translating one public address to many private addresses for
use on the Internet; therefore, answer C is incorrect.

Q3 The correct answer is C. MBSA checks clients and servers for the latest security
updates and other known vulnerabilities. SUS can be used to systematically apply
the latest security updates to all servers and clients, but it does not check for
other security vulnerabilities; therefore, answer A is incorrect. RSoP can be used
to model the effect of a change in a Group Policy; therefore, answer B is incorrect.
GPMC is a tool used to create, distribute, and manage Group Policies; therefore,
answer D is incorrect.

Q4 Answers B and C are correct. SUS should be used on the servers to locate and
approve the latest updates for servers and clients. Group Policy should then be
used to distribute the updates. Automatic updates should be used on the client as
controlled by the Group Policy; therefore, answer A is incorrect. Remote Access
Policy does not apply in this scenario; therefore, answer D is incorrect.

Q5 The correct answer is D. Windows 2000 Professional and newer clients can be
controlled using Group Policy. Windows 98 clients cannot use Group Policy;
therefore, answer A is incorrect. Windows 2000 Professional clients can use Group
Policy; therefore, answer B is incorrect. Windows XP clients can use Group Policy;
therefore, answer C is incorrect.

Q6 Answers A and D are correct. Upgrading the laptops to Windows XP would improve
security by allowing NTFS files on the drives as well as EFS. Account policies are
set on the domain controllers; therefore, answer B is incorrect. Offline Files and
Folders is a service that caches files and folders for use offline. It does not
improve security; therefore, answer C is incorrect.

Q7 The correct answer is D. IPSec transport mode can encrypt traffic between two
computers on the same network. IPSec tunnel mode encrypts traffic between two
networks; therefore, answer A is incorrect. NTFS is a file system used to secure
local files and folders; therefore, answer B is incorrect. EFS is a service used to
encrypt local files and folders; therefore, answer C is incorrect.

Q8 The correct answer is B. VPN can be used to eliminate the use of the modems on
the RAS servers and improve security. DHCP is a service that allocates IP
addresses to clients; therefore, answer A is incorrect. NAT is a service that
conserves public IP addresses; therefore, answer C is incorrect. DDR is a service
that uses modems to create temporary connections to remote offices; therefore,
answer D is incorrect.

Q9 Answers A and B are correct. L2TP can be used on clients that are Windows 2000
Professional or newer. PPTP can be used on all clients. PPP is a transport protocol
used over telephone lines, not a tunneling protocol; therefore, answer C is
incorrect. IPSec transport mode can be used to encrypt traffic within the same
network; therefore, answer D is incorrect.

Q10 The correct answer is D. PPTP has inherent Microsoft Point-to-Point Encryption
(MPPE) when used with Microsoft servers and clients. L2TP does not have an
inherent form of encryption, but can use IPSec; therefore, answer A is incorrect.
PPP is not a tunneling protocol; therefore, answer B is incorrect. IPSec is not a
tunneling protocol; therefore, answer C is incorrect.

Q11 Answers B and D are correct. Auditing logon events on all member servers tracks
the local logons to the member servers. Auditing account logon events on the
domain controllers tracks each domain controller's validation of a user's logon to
the domain. The audit policy does not require tracking local logons to the domain
controllers; therefore, answer A is incorrect. It is not possible to audit account
logon events on member servers because they do not validate logon requests;
therefore, answer C is incorrect.

Q12 Answer D is correct. They should use the A G U DL P strategy. They should place
the accounts into Global groups, place the Global groups into Domain Local
groups, and then give the Domain Local groups the permissions to the resources.
Permissions should not be assigned directly to a user. This might seem efficient in
the short term, but it is confusing and inefficient in the long term; therefore,
answer A is incorrect. Permissions should not be assigned to Global groups;
therefore, answer B is incorrect. Permissions should not be assigned to Universal
groups; therefore, answer C is incorrect.

Q13 The correct answer is A. Local groups can be created on member servers and
clients to give access to a resource located on that specific computer. Local groups
cannot be created on domain controllers. Domain Local groups are created in
Active Directory and can give access to a resource located anywhere in the
domain; therefore, answer B is incorrect. Global groups are created in Active
Directory and are generally not assigned permissions; therefore, answer C is
incorrect. Universal groups are created in Active Directory and are generally not
assigned permissions; therefore, answer D is incorrect.

Q14 Answers B, C, D, and E are correct. They should use the A G U DL P strategy.
They should place all the user accounts into Global groups in their own domain,
place all the Global groups into a Universal group, place the Universal group into a
Domain Local group in each domain, and give permissions to the Domain Local
group for the resource in its own domain. All members of Global groups must be
local to one domain; therefore, answer A is incorrect. Domain Local groups can
only be assigned permissions for resources located in their own domain;
therefore, answer F is incorrect.

Q15 The correct answer is D. The Effective Permissions tool can be used to determine
the effective NTFS permissions of a user or group to a resource. Effective
permissions do not take shares into account; therefore, answer A is incorrect.
Effective permissions do not take shares into account and do take NTFS
permissions for groups into account; therefore, answer B is incorrect. The
Effective Permissions tool can be used to determine the effective NTFS
permissions for users and groups; therefore, answer C is incorrect.

Case 3: GWC Inc.

1. A, C
2. C
3. C
4. B, C
5. B, D, E
6. D
7. A, B
8. A
9. A, D
10. C
11. A
12. A, B
13. A, D
14. B
15. B, C, D

Q1 Answers A and C are correct. Application pools and worker process isolation mode
can be used to isolate each application so that one application's failing does not
affect other applications. IIS 5.0 isolation mode is not a new feature in Windows
Server 2003, which uses IIS 6.0; therefore, answer B is incorrect. HTTP keep-
alives allow a user to browse to different pages of your Web site without requiring
additional authentication; therefore, answer D is incorrect.

Q2 The correct answer is C. Volume shadow copies can be configured to create a copy
of all files at specified intervals. The user can revert back to the old version with
minimal effort and training. Incremental and differential backups are not a new
feature in Windows Server 2003; therefore, answers A and B are incorrect. ASR
can be used to recover a server in the event of a failure; therefore, answer D is
incorrect.

Q3 The correct answer is C. The Effective Permissions tool is new to Windows Server
2003 and can assist you in determining the resulting NTFS permissions for a user
or group that is in multiple groups. The GPMC is a new tool for Windows Server
2003 that is used to create, distribute, and manage Group Policies; therefore,
answer A is incorrect. RSoP is a new tool that allows you to model the effect of
changes in Group Policies; therefore, answer B is incorrect. ACLs can be used to
determine permissions, but are not new to Windows Server 2003; therefore,
answer D is incorrect.

Q4 Answers B and C are correct. Password policies are part of account policies, which
can be controlled using the Domain Security Policy MMC or by editing the Default
Domain Policy using the Group Policy Editor tool. Active Directory Sites and
Services is used to control the physical aspects of Active Directory, such as sites
and subnets; therefore, answer A is incorrect. Active Directory Domains and
Trusts is used to control one domain's access to and from other domains;
therefore, answer D is incorrect.

Q5 Answers B, D, and E are correct. You should first set the audit policy to Audit
Object Access for Success and Failure. You should then set the system access
control lists (SACLs) for each of the files and folders. Audit Privilege Use is used to
audit a user's exercise of a user right and is not relevant in this scenario;
therefore, answers A and F are incorrect. ACLs are used to specify permissions for
an object, not for auditing; therefore, answer C is incorrect.
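The two-step procedure in this answer (enable Audit Object Access, then add SACL entries to the objects) is the same one the PowerTran Q12 item asks about for HKEY_LOCAL_MACHINE. The following PowerShell script is an added example, not code from the book: it performs the SACL half of the procedure for a payroll folder and for a registry subkey and then reads the Security log to confirm that events are being generated. The folder path and registry key are placeholders, and the audit policy itself (Audit Object Access for Success and Failure) is assumed to have already been set in Domain Security Policy or the applicable GPO, exactly as the answer describes. Writing a SACL requires the Manage auditing and security log right, so the script must run in an elevated administrator session.

```powershell
# Added example (not from the book). Assumes:
#  - "Audit Object Access" is already enabled for Success and Failure via
#    Domain Security Policy / GPO (step 1 of the answer above).
#  - $PayrollPath and $RegistryKey are placeholders chosen for this example.
#  - Running as an administrator with SeSecurityPrivilege (needed to write a SACL).

$PayrollPath = 'D:\Finance\Payroll'      # placeholder folder
$RegistryKey = 'HKLM:\SOFTWARE\ExampleApp' # placeholder subkey under HKEY_LOCAL_MACHINE

# Shared flags: audit both outcomes, and let the entry flow down to child objects.
$AuditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None

function Add-FolderAuditRule {
    # Step 2 for files/folders (GWC Q5): add a SACL entry for Everyone covering
    # read, modify and delete so that both access and attempted access are logged.
    param([string]$Path)
    $acl    = Get-Acl -Path $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
                  'Everyone', $rights, $Inheritance, $Propagation, $AuditFlags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting SACL so the caller can verify what was written.
    (Get-Acl -Path $Path -Audit).Audit
}

function Add-RegistryAuditRule {
    # Same idea for a registry key (PowerTran Q12). Auditing only the write-type
    # rights keeps the log volume manageable; "Full Control" on the whole HKLM hive
    # would also record every read and quickly flood the Security log.
    param([string]$Key)
    $acl    = Get-Acl -Path $Key -Audit
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $rule   = New-Object System.Security.AccessControl.RegistryAuditRule(
                  'Everyone', $rights, $Inheritance, $Propagation, $AuditFlags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Key -AclObject $acl
    (Get-Acl -Path $Key -Audit).Audit
}

function Get-RecentObjectAccessEvents {
    # Verification: on Windows Server 2003 the object-access events are 560
    # (Object Open) and 567 (Object Access Attempt); Vista and later use 4656/4663.
    param([int]$Newest = 200)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -in 560, 567, 4656, 4663 } |
        Select-Object TimeGenerated, EventID, EntryType, @{n='Who';e={$_.UserName}}
}

Add-FolderAuditRule   -Path $PayrollPath |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
Add-RegistryAuditRule -Key  $RegistryKey |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize
Get-RecentObjectAccessEvents | Format-Table -AutoSize
```

If the SACL is written but no events appear, the first step of the answer is the usual cause: a SACL has no effect until Audit Object Access is enabled in the effective security policy, and on a domain member the domain-level setting overrides the local one.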

Q6 The correct answer is D. WINS resolves NetBIOS names to IP addresses. After all
of the clients are upgraded to Windows XP, the service is no longer required as
long as there are no legacy applications that are still using NetBIOS names. DNS
is an integral part of Active Directory and should not be uninstalled; therefore,
answer A is incorrect. NetLogon is a built-in service that cannot be uninstalled;
therefore, answer B is incorrect. DHCP is a service that is used to allocate IP
addresses and is not used by applications; therefore, answer C is incorrect.

Q7 Answers A and B are correct. The key and the files or folders to be decrypted must
be on the same computer. This can be accomplished safely by copying the
encrypted file onto removable media and taking it to the Recovery Agent
computer or by exporting the Recovery Agent's private key onto a floppy disk and
taking the floppy to the user's computer. After the recovery, the disk should be
destroyed or stored in a secure location. The keys are specific to the user and
cannot be exchanged; therefore, answer C is incorrect. The file does not remain
encrypted when it is sent through the network; therefore, answer D is incorrect.

Q8 The correct answer is A. The Manage Your Server Wizard assists you in
determining the current roles of a server and making changes when necessary.
Active Directory Users and Computers is used to control the logical aspects of
Active Directory but not to manage server roles; therefore, answer B is incorrect.
The Computer Management Console can be used to control many aspects of
computer hardware and software, but not to manage roles; therefore, answer C is
incorrect. System Monitor can be used to create a baseline using counters that
track system performance; therefore, answer D is incorrect.

Q9 Answers A and D are correct. You could modify the ACLs manually or you could
use the Delegation of Control Wizard. Active Directory Sites and Services is used
to control the physical aspects of Active Directory; therefore, answer B is
incorrect. Remote Desktops MMC can be used to control multiple servers from one
location; therefore, answer C is incorrect.

Q10 The correct answer is C. The only type of zone that can be set for secure
dynamic updates in Windows 2000 or Windows Server 2003 is an Active Directory
integrated zone. Only Active Directory integrated zones can be set for secure
dynamic updates; therefore, answer A is incorrect. Standard Primary zones cannot
be configured for secure dynamic updates; therefore, answers B and D are
incorrect.

Q11 The correct answer is A. GPMC is a new tool in Windows Server 2003 that can be
used to distribute Group Policies. The Group Policy Editor MMC was introduced
with Windows 2000 Server and is used to modify the setting of Group Policies in
Windows Server 2003; therefore, answer B is incorrect. RSoP is used to model the
effects of changes to Group Policies; therefore, answer C is incorrect. Gpupdate is
a command-line tool used to force an immediate update of a Group Policy on a
local machine; therefore, answer D is incorrect.

Q12 Answers A and B are correct. Customers can use certificates issued by GWC or a
third party, such as VeriSign. Customers could also be authenticated by Microsoft
using .NET Passport. NTLM authentication is used by NT servers for LANs;
therefore, answer C is incorrect. MS-CHAPv2 is used to authenticate a connection
to a remote access server; therefore, answer D is incorrect.

Q13 Answers A and D are correct. Only users with an account in Active Directory can
use Integrated Windows authentication and Digest authentication. A certificate can
be used by anyone to whom it is issued and does not require an account;
therefore, answer B is incorrect. Basic authentication can be used by anyone who
knows the username and password; therefore, answer C is incorrect.

Q14 The correct answer is B. Basic authentication sends the username and password
over the wire in clear text. This is not considered secure because a network sniffer
could be used to view the password. Anonymous access does not require the use
of a username or password; therefore, answer A is incorrect. Digest authentication
encrypts the user's credentials before sending them over the wire; therefore,
answer C is incorrect. Certificate authentication does not require a username or
password; therefore, answer D is incorrect.

Q15 Answers B, C, and D are correct. Integrated Windows checks the credentials of the
current logon. Certificate authentication does not require user and password
credentials because the certificate is the credential. Anonymous access does not
require the user to enter a username and password and authenticates them to use
a default account. Digest authentication does require a username and password;
therefore, answer A is incorrect. Basic authentication does require a username
and password, which are sent in clear text; therefore, answer E is incorrect.

Case 4: PowerTran
1. B
2. B, C, E
3. C, D
4. D
5. A
6. A
7. D
8. A, B
9. B
10. A, B
11. C, D
12. B, C, E
13. A, B
14. C, D
15. B

Q1 The correct answer is B. Because all of the users are currently in the master
domain, there can only be one account policy; therefore, they need only one
domain. There is no need to have six domains; therefore, answer A is incorrect.
There is no need to have two domains; therefore, answer C is incorrect. All of the
accounts are already in one domain and no other factors are mentioned that
would create a need for more than one domain; therefore, answer D is incorrect.

Q2 Answers B, C, and E are correct. Windows XP Professional, Windows 2000
Professional, and Unix clients can all use the Kerberos authentication protocol.
Windows 95 clients use the LAN Manager authentication protocol and cannot use
Kerberos; therefore, answer A is incorrect. Windows NT Workstation clients use
the NTLM or NTLMv2 authentication protocol and cannot use the Kerberos
protocol; therefore, answer D is incorrect.

Q3 Answers C and D are correct. Servers that do not contain sensitive information,
and are likely to be used from both internal clients and external clients, should be
placed in the perimeter network. Domain controllers contain sensitive Active
Directory information; therefore, answer A is incorrect. DHCP servers contain
sensitive information regarding IP address allocation; therefore, answer B is
incorrect.

Q4 The correct answer is D. As an additional security measure for Windows Server
2003, IIS is not installed as part of a default installation; therefore, no IIS 6.0
services would be provided. IIS 6.0 is not installed on a default installation;
therefore, answers A, B, and C are incorrect.

Q5 The correct answer is A. As a security measure, only static content is available
with the default installation of IIS 6.0. Only static content is available with a
default installation of IIS 6.0; therefore, answers B and C are incorrect. Static
content is available with a default installation; therefore, answer D is incorrect.

Q6 The correct answer is A. CA constraints can be used to define limits on your cross-
certification relationships. NTFS permissions cannot be applied to a certificate;
therefore, answer B is incorrect. Connection timeouts are settings applied to a
connection, not to a certificate; therefore, answer C is incorrect. HTTP
compression makes better use of available bandwidth; therefore, answer D is
incorrect.

Q7 The correct answer is D. DDR is used to automatically establish a route, when
necessary, by using a less-expensive ISDN connection or even a regular dial-up
connection. NAT is a service that translates one or many public IP addresses to
one or many private IP addresses; therefore, answer A is incorrect. Proxy is a
service that controls a user's access to another network, such as the Internet, and
provides a more secure connection; therefore, answer B is incorrect. A firewall is a
type of filtering hardware or software that allows some traffic to pass through and
filters other traffic based on the settings; therefore, answer C is incorrect.

Q8 Answers A and B are correct. Processor Queue Length and Memory Available Bytes
are counters that might be used to establish a performance baseline. CRC Errors
and Serial Overrun Errors are RAS counters that are used for troubleshooting;
therefore, answers C and D are incorrect.

Q9 The correct answer is B. Wi-Fi Protected Access (WPA) uses higher levels of
encryption and dynamic rekeying to improve security. WEP is not as secure as WPA;
therefore, answer A is incorrect. RADIUS is an authentication protocol that uses
Active Directory and can be used by wired and wireless networks; therefore,
answer C is incorrect. PEAP is an authentication protocol that uses secure
passwords and can be used for wired or wireless networking; therefore, answer D
is incorrect.

Q10 Answers A and B are correct. The administrator can either use the Delegation of
Control Wizard to modify the ACLs or manually modify the ACLs on his own. Active
Directory Sites and Services is used to control the physical aspects of Active
Directory; therefore, answer C is incorrect. Active Directory Domains and Trusts is
used to configure the connections between domains; therefore, answer D is
incorrect.

Q11 Answers C and D are correct. The Backup or Restore Wizard can be scheduled to
perform regular backups. The Volume Shadow Copy service can be scheduled to
make restorable shadows of files at multiple times. Disk Management is not used
to create backups; therefore, answer A is incorrect. Computer Management is not
used to perform backups; therefore, answer B is incorrect.

Q12 Answers B, C, and E are correct. You set the audit policy on each of the member
servers because this allows for the least possible auditing. You should then set the
SACL for HKEY_LOCAL_MACHINE to Full Control for Success and Failure. Setting the
audit policy for the domain is not recommended because the auditing is specific to
the member servers; therefore, answer A is incorrect. ACLs are used to control
access to objects, not for auditing; therefore, answers D and F are incorrect.

Q13 Answers A and B are correct. You can use certificates or you can give the extranet
users an account in Active Directory. Basic authentication is a type of IIS
authentication that is not secure because the credentials are sent in clear text;
therefore, answer C is incorrect. NTLMv2 is a local form of authentication used by
clients prior to Windows 2000 Professional; therefore, answer D is incorrect.

Q14 Answers C and D are correct. Clients can only use Integrated Windows and Digest
authentication if they are given an account in Active Directory. Basic
authentication can be used by anyone who has a password, but it is not
recommended because it sends the password in clear text; therefore, answer A is
incorrect. Certificate authentication does not require an account in Active
Directory; therefore, answer B is incorrect.

Q15 The correct answer is B. GPMC is a new tool in Windows Server 2003 that is used
to distribute Group Policies. Group Policy Object Editor MMC is a tool used to edit
Group Policies but not to distribute them; therefore, answer A is incorrect.
Gpresult is a command-line tool used to determine the results of multiple policies
on a computer and user; therefore, answer C is incorrect. Gpupdate is a
command-line tool that is used to make policies effective on a local machine;
therefore, answer D is incorrect.

Chapter 10. Practice Exam #2
Answer the questions following each case study based on the information provided in the
case study.

Case 1: AUM Inc.
AUM Inc. Overview
AUM Inc. is a medium-size distribution company located primarily in the western United
States. AUM distributes plastic containers of all shapes and sizes. Most of AUM's business
is with governmental agencies; therefore, security is a key concern.

Geographical Design and Locations
In addition to their corporate headquarters in San Diego, AUM has three other locations:
Seattle, San Francisco, and Tucson.

Current Network Infrastructure
AUM uses Windows NT Server servers on all of its networks. The company currently has
a domain at each location. All domains are managed from the corporate location. All
domains have the same account policies. Client computers run Windows 95, Windows NT
Workstation, Windows 2000 Professional, Unix, and Windows XP Professional. Clients
communicate with other offices through Remote Access Service (RAS) servers using dial-
up connections to each office's RAS. Administrators use Telnet to connect to servers and
make configuration changes.

Proposed Network Infrastructure
AUM plans on upgrading all NT domain controllers to Windows Server 2003 within the
next six months. They are open to the prospect of upgrading their clients as well;
however, each client upgrade must be justified.

Security Concerns
The security team at AUM has identified the following security concerns:

• LAN communications are not secure.
• Emergency Management Services need to be strengthened.
• DNS updates are not secure. There is concern about attackers using them as a
target.
• Administrators sometimes must log on to a user's computer with an
administrative account to make changes.
• There is no effective method of automatically distributing antivirus software
updates to all clients.
• Some clients cannot use the latest forms of authentication to RAS servers.
• Some laptops contain sensitive information. This information needs to be kept
secure at all times, even if a laptop is lost or stolen.

Security Commentary
CEO: We must keep all data secure within the organization. We will lose our government
contracts if we cannot remain secure.

CIO: Administrators cannot log on to users' computers with an administrative password,
even for a few minutes.

Senior Administrator: I would like some options in regard to secure remote management.

Q1 How many domains will AUM need after they upgrade all domain controllers to Windows
Server 2003?

• A. 1
• B. 2
• C. 4
• D. There isn't enough information to determine this answer.

Q2 Which Windows Server 2003 feature should AUM use to encrypt all local communication
between servers and clients?

• A. IPSec tunnel mode
• B. IPSec transport mode
• C. EFS
• D. NTLM

Q3 Which clients might use NTLM authentication? (Choose two.)

• A. Windows 95
• B. Windows NT Workstation
• C. Windows 2000 Professional
• D. Unix

Q4 Which feature in Windows Server 2003 can be used to satisfy the concern of the CIO?

• A. Remote Access Policy
• B. Complex passwords
• C. Run as command
• D. Account policies

Q5 With AUM's current infrastructure, which clients can use MS-CHAP for authentication to
RAS servers?

• A. All Microsoft clients
• B. Windows XP and Windows 2000 Professional
• C. Only Windows XP
• D. All clients except Windows 95

Q6 Which technology should AUM use to create inexpensive temporary routes using
modems?

• A. NAT
• B. VPN
• C. WINS
• D. DDR

Q7 If AUM decides to use VPN, which of their clients will be able to use MS-CHAPv2 to
authenticate to the remote access servers through the VPN connection using a PPTP
tunnel?

• A. All clients
• B. All Microsoft clients
• C. Only Windows 2000 Professional and Windows XP Professional clients
• D. All clients except Windows 95

Q8 AUM has decided to create a disaster recovery plan that will include an alternate site for
the corporate location. This site will be maintained by a system of servers and network
equipment similar to those in the actual site. The site will be tested regularly to make
certain it is ready in the event of a disaster, such as a flood or blackout. Which type of
site have they chosen?

• A. Cold site
• B. Hot site
• C. Replica site
• D. It's impossible to tell from the information given.

Q9 Which Windows Server 2003 tool should be used for granular control of Active Directory
permissions on objects?

• A. ACLs
• B. Group Policy
• C. SUS
• D. Remote Access Policy

Q10 Which type of DNS zones should be used to ensure secure dynamic updates?

• A. Standard Primary
• B. Stub
• C. Active Directory integrated
• D. Standard Secondary

Q11 Which Windows Server 2003 tools should be used to satisfy the request of the Senior
Administrator? (Choose two.)

• A. Routing and Remote Access Services
• B. Remote Desktops MMC
• C. Remote Access Policy
• D. Computer Management

Q12 Which of AUM's clients can use Group Policies distributed by the new Windows Server
2003 servers?

• A. Only Windows 2000 Professional and Windows XP Professional clients
• B. Windows NT Workstation and newer clients
• C. Only Windows XP clients
• D. All clients

Q13 Which of AUM's clients can use SRV records to locate services on the network? (Choose
two.)

• A. Windows XP Professional
• B. Windows NT Workstation
• C. Windows 2000 Professional
• D. Only Windows 95

Q14 Which encryption system can be used to secure the information on the laptops, even if
they are lost or stolen?

• A. MD5
• B. NTFS
• C. EFS
• D. L2TP

Q15 Which additional features might be used to justify the expense of upgrading AUM's
Windows 95 and Windows NT Workstation client computers? (Choose two.)

• A. Group Policy
• B. Remote Access Policy
• C. Kerberos authentication
• D. Share permissions

Case 2: BBF, Inc.
BBF Overview
BBF is a medium-size company with four locations in the United States. The company
currently has about 500 users and is growing rapidly. BBF develops training manuals for
the U.S. government. These training manuals contain information that is considered
confidential. They must remain secure at all times.

Geographical Design and Locations
In addition to corporate offices in Birmingham, Alabama, BBF has three satellite offices in
Atlanta, Jacksonville, and Nashville. Each location has its own network that is managed
locally.

Current Network Infrastructure
Each location has a separate Windows NT 4.0 domain with a primary domain controller
and one backup domain controller. Two one-way trusts are used to form two-way trust
relationships between each domain and all other domains. Some Windows 2000 Server
servers are used as member servers. Client computers run Windows 98, Windows 2000
Professional, and Windows XP Professional. Some users dial in with laptops from home.

Proposed Network Infrastructure
BBF wants to migrate all domain controllers to Windows Server 2003 within the next six
months. All locations will then be migrated to one domain. Client computers might be
upgraded if the cost can be justified. Secure Web sites will be developed to assist in
collaboration on manuals.

Security Concerns

The security team at BBF has identified the following security concerns:

• Most network management will be centralized to Birmingham, but managers with
network experience will still perform local management tasks, such as managing
user accounts.
• Administrators need to develop an automatic system that assists in locating and
loading the latest security patches.
• File security on laptops, some of which still use Windows 98, must be improved.
• Administrators need a tool to help manage NTFS permissions granted from
multiple groups.
• All traffic within each location and between locations should be encrypted.
• All logons to each domain controller should be audited. All logons to member
servers should be audited.
• All traffic to secure Web sites should require a certificate and a mapped account.

Security Commentary
CEO: We must ensure that we have the very latest in security. If that means we have to
upgrade every client and every server, so be it.

CIO: We will increase security when we increase control from Birmingham. We have to
take back most of the management tasks from the satellite offices and assign few rights
to them from now on.

Q1 After migrating all four of its domains into one domain with four sites, how many
trusts will BBF have to manage?

• A. There isn't enough information to determine the answer.
• B. 4
• C. 1
• D. 0

Q2 Which authentication methods should BBF consider to provide secure Web access?
(Choose two.)

• A. Basic
• B. Integrated Windows
• C. Mapped certificates
• D. MD5

Q3 Which tool should BBF use to automate the process of applying security patches
on Windows 2000 Professional and Windows XP Professional clients?

• A. Computer Management
• B. RSoP
• C. MBSA
• D. SUS

Q4 Which technology should be used to encrypt traffic within each location?

• A. IPSec tunnel mode
• B. PPTP
• C. MPPE
• D. IPSec transport mode

Q5 Which clients can be centrally controlled using Windows Server 2003 Group
Policy?

• A. Windows 2000 and newer clients
• B. Windows XP only
• C. Windows 2000 Professional only
• D. All clients

Q6 Which suggestions should BBF consider to improve security on the laptops?
(Choose two.)

• A. Strengthen Account Lockout policy.
• B. Use stronger domain passwords.
• C. Upgrade the laptops to Windows XP.
• D. Use EFS (after upgrade).

Q7 Which services could BBF use to encrypt all traffic between its locations? (Choose
two.)

• A. IPSec tunnel mode
• B. NTFS
• C. MPPE
• D. IPSec transport mode

Q8 After the migration, which tools can be used to accomplish the goals of the CIO?
(Choose two.)

• A. Remote Access Policy
• B. Group Policy
• C. Delegation of Control Wizard
• D. ACLs

Q9 Which new technologies might be used as justification for upgrading all of BBF's
clients to at least Windows 2000 Professional? (Choose two.)

• A. PPTP
• B. L2TP
• C. Kerberos
• D. Share permissions

Q10 Which of the following is the inherent form of encryption used by PPTP?

• A. L2TP
• B. PPP
• C. IPSec
• D. MPPE

Q11 Which events should be audited to satisfy the audit requirements? (Choose two.)

• A. Logon events on all domain controllers
• B. Logon events on all member servers
• C. Account logon events on all member servers
• D. Account logon events on all domain controllers

Q12 How should BBF design group management for the most efficient control of access
to resources?

• A. Place the users into Global groups based on their resource needs. Place
the Global groups into the appropriate Domain Local groups. Assign
permissions to Domain Local groups.
• B. Assign permissions to a Global group for users who need access to the
same resource and then place the users into the Global group.
• C. Assign permissions to Universal groups and then place the users into the
Universal groups.
• D. Assign permissions to each user for the resources that he requires.

Q13 Which type of group should be assigned permissions for access to a resource
located anywhere in a domain?

• A. Local
• B. Universal
• C. Global
• D. Domain Local

Q14 Which types of certificate mapping could be used to authenticate users with
certificates to the secure Web sites? (Choose two.)

• A. One-to-one
• B. Integrated Windows
• C. Many-to-one
• D. Digest

Q15 Which tool should BBF use to determine the combined NTFS permissions for users
in multiple security groups?

• A. Effective Permissions
• B. Delegation Wizard
• C. Group Policy Management Console
• D. Active Directory Users and Computers

Case 3: SysCon
SysCon Overview
SysCon is a medium-size manufacturer of specialized electronics used to control rocketry.
The company has many government contracts and is beginning to work with the private
sector as well. SysCon's engineers develop and employ the very latest in technology in
their industry; therefore, security is of great concern to SysCon management.

Geographical Design and Locations
In addition to a home office in Houston, SysCon has two satellite offices located in
Huntsville and Cape Canaveral. Secure communication between the offices is necessary.

Current Network Infrastructure
SysCon currently has one domain for the entire company. Domain controllers are
Windows 2000 Server servers. Two domain controllers are at each location. Each location
represents its own Active Directory site. Leased T-1 communications lines provide secure
communication between the sites, but the lines are expensive to maintain. Secure Web
sites provide access to line-of-business applications and allow for collaboration on some
projects. Client computers run Windows 98, Windows NT Workstation, Windows 2000
Professional, and Windows XP Professional.

Proposed Network Infrastructure
SysCon is upgrading all of its domain controllers to Windows Server 2003. The company
will stay with a one-domain design. After the upgrades, the domain functional level will
be raised to Windows Server 2003 functional level. Client computers will all be upgraded
to Windows XP Professional.

Security Concerns

The security team at SysCon has identified the following security concerns:

• Some applications running on the secure Web sites are not stable. One
application's crashing can cause other applications to crash as well.
• Engineers have lost valuable information on file servers by accidentally altering
and saving a file.
• It is difficult to determine the resulting permissions of a user who is in multiple
groups.
• Users must be required to use complex passwords as defined by the new Windows
Server 2003 system.
• Some sensitive files will need to be audited for access or attempted access by any
parties.
• EFS will be used for all laptop computers. Some folders will require encryption.
• All services that are no longer used after the upgrade must be uninstalled.
• DNS updates must be automatic and secure for all clients and servers after the
upgrade.

Security Commentary
CFO: We are opening some new offices soon. I'm not sure that we want the expense of a
T-1 if we can use the Internet instead; of course, the link has to be secure.

CIO: We have to make the IIS servers more stable for our line-of-business applications.

Q1 Which new features in Windows Server 2003 IIS will address the CIO's stability
concern with regard to Web applications? (Choose two.)

• A. Application pools
• B. Worker process isolation mode
• C. Bandwidth throttling
• D. HTTP keep-alives

Q2 Which methods can address the concern of losing information in files that are
accidentally altered and saved on file servers? (Choose two.)

• A. Perform regular backups.
• B. Use default NTFS permissions.
• C. Use volume shadow copies.
• D. Update the ASR disk.

Q3 Which new tool in Windows Server 2003 can be used to create, manage, and
delegate Group Policies?

• A. GPMC
• B. RSoP
• C. Effective Permissions
• D. Group Policy Object Editor

Q4 At which level should the requirement for complex passwords be set?

• A. OU
• B. Site
• C. Domain
• D. All are valid choices.

Q5 Which steps are involved in setting the auditing of sensitive files and folders to
satisfy SysCon's auditing requirements? (Choose three. Each answer is part of the
solution.)

• A. Set Audit Privilege Use for Success.
• B. Set Audit Object Access for Success.
• C. Set the SACLs for the files and folders to be audited.
• D. Set Audit Object Access for Failure.
• E. Set the ACLs for the files and folders to be audited.
• F. Set Audit Privilege Access for Failure.

Q6 Which name resolution service might be unnecessary after all clients are upgraded
to Windows XP Professional?

• A. DNS
• B. WINS
• C. DHCP
• D. RAS

Q7 Which features of Windows Server 2003 must SysCon use to encrypt folders on
the laptop computers? (Choose two.)

• A. Offline Files and Folders
• B. Folder compression
• C. NTFS file system
• D. EFS

Q8 Which technologies should be considered to address the concerns of the CFO?
(Choose two.)

• A. PPTP
• B. L2TP
• C. Group Policy
• D. Active Directory

Q9 Immediately following a default installation of Windows Server 2003, Standard
Edition, which types of services will IIS 6.0 perform?

• A. Access to static content only
• B. None
• C. All except ASP
• D. All except WebDAV

Q10 After the migration to Windows Server 2003, which type of DNS zones should be
used to ensure secure dynamic updates?

• A. Active Directory integrated zones only.
• B. Standard Primary zones only.
• C. All zone types are secure in Windows Server 2003.
• D. Active Directory integrated and Standard Primary zones.

Q11 Which new Windows Server 2003 command should SysCon use to update Group
Policies on a local computer?

• A. secedit /refreshpolicy machine_policy
• B. gpresult
• C. netsh
• D. gpupdate

Q12 After the upgrade, which secure types of authentication should SysCon consider
for its Web site? (Choose two.)

• A. .NET Passport
• B. Basic
• C. NTLMv2
• D. Digest

Q13 Which Web server authentication protocols should be used in addition to
certificates to ensure security? (Choose two.)

• A. MS-CHAPv2
• B. Integrated Windows
• C. IPSec
• D. Digest

Q14 Which type of authentication logs the user on to a default account with very
limited permissions?

• A. Basic
• B. Digest
• C. Anonymous
• D. Integrated Windows

Q15 Immediately following a default installation of IIS 6.0, which types of services will
it perform?

• A. Access to static content only
• B. None
• C. All except ASP
• D. All except WebDAV

Case 4: DC&H Consulting
DC&H Overview
DC&H is a medium-size company that performs legal and financial consulting for large
multinational corporations. Due to the sensitive nature of the information the company
must retain about each client, security is a very high priority at DC&H.

Geographical Design and Locations
In addition to a corporate office in Washington D.C., DC&H has three satellite offices in
New York, Dallas, and Miami. They are currently considering a location in Seattle.

Current Network Infrastructure
All domain controllers run Windows NT 4.0. Each location has its own domain with a
primary domain controller and a backup domain controller.

Each office is managed locally. Two one-way trusts connect each domain to every other
domain to allow access to all resources. Microsoft client computers run Windows 95,
Windows NT Workstation, Windows 2000 Professional, and Windows XP Professional.
There are also a few Unix-based clients.

Proposed Network Infrastructure
All domain controllers will be upgraded to Windows Server 2003. Clients will be upgraded
as needed, but the cost must be justified. Remote access servers will be installed to
provide secure and monitored access to the networks from outside of the office.

Security Concerns
The security team at DC&H has identified the following security concerns:

• Reduce the number of domains to the minimum number needed.
• All clients must be able to use the Kerberos protocol. Clients that cannot use
Kerberos will have to be upgraded.
• Authentication on all of the remote access servers will be centralized to the
Washington D.C. office.
• Group Policies will be used to control security.
• Multiple firewalls will be used to create a perimeter area for some servers.
• DC&H wants the best possible automatic backups of files on the file servers.
• IIS 6.0 will be used for Web applications.
• DDR will be used for some remote offices.
• The HKEY_CURRENT_USER settings on some member servers should be audited for
changes or even attempted changes.

Security Commentary
CEO: If we are going to allow users to dial in from home, we need to make certain we
know who they are.

CIO: After the upgrade, I want a minimum of 12 characters in all user passwords in
Washington D.C. only; I require the other offices to use a minimum of six characters.

Network Administrator: I can handle all of the big changes from Washington D.C., but I
still need some local managers with limited rights to manage the network.

Q1 How many domains does DC&H need after its migration to Windows Server 2003?

• A. 1
• B. 4
• C. 2
• D. There is not enough information to answer the question.

Q2 Which of DC&H's current clients will have to be upgraded? (Choose two.)

• A. Unix
• B. Windows XP Professional
• C. Windows 2000 Professional
• D. Windows NT Workstation
• E. Windows 95

Q3 Which types of servers should be placed onto the perimeter network (between the
internal and external firewalls)? (Choose two.)

• A. Proxy servers
• B. DHCP servers
• C. Web servers
• D. Domain controllers

Q4 With a default installation of Windows Server 2003, which services will IIS 6.0
provide?

• A. None
• B. All services
• C. ASP and .NET applications
• D. Only static content

Q5 With a default installation of IIS 6.0, which services will be provided?

• A. None
• B. All services
• C. ASP and .NET applications
• D. Only static content

Q6 Which authentication protocols should DC&H avoid using on their secure Web
sites? (Choose two.)

• A. Basic
• B. Integrated Windows
• C. .NET Passport
• D. Anonymous access

Q7 Which service should DC&H use to automatically and temporarily connect remote
offices to the network when needed?

• A. DDR
• B. Proxy
• C. Firewall
• D. NAT

Q8 Which counters might be used to establish a baseline of performance on the IIS
6.0 servers? (Choose two.)

• A. Serial Overrun Errors
• B. Memory Available Bytes
• C. CRC Errors
• D. Processor Queue Length

Q9 Which of DC&H's current clients cannot be controlled by Windows Server 2003
Group Policy? (Choose three.)

• A. Windows 95
• B. Unix
• C. Windows 2000 Professional
• D. Windows NT Workstation
• E. Windows XP Professional

Q10 Which tool can the network administrator use to adjust and remove administrative
rights of a user who has already been delegated the rights?

• A. ACLs
• B. Delegation of Control Wizard
• C. Active Directory Sites and Services
• D. Active Directory Domains and Trusts

Q11 Which tools should DC&H use to create an automatic backup of files and folders on
the file servers? (Choose two.)

• A. Backup or Restore Wizard
• B. Computer Management
• C. Volume Shadow Copy service
• D. Disk Management

Q12 What should you do to audit the HKEY_CURRENT_USER settings on the selected
member servers? (Choose three. Each answer is part of the solution.)

• A. Set the audit policy for the member servers to Audit Object Access.
• B. Set the SACL of HKEY_CURRENT_USER to Full Control for Success.
• C. Set the audit policy for the domain to Audit Object Access.
• D. Set the ACL of HKEY_CURRENT_USER to Full Control for Success.
• E. Set the SACL of HKEY_CURRENT_USER to Full Control for Failure.
• F. Set the ACL of HKEY_CURRENT_USER to Full Control for Failure.

Q13 Which service should DC&H use to centralize authorization to Washington D.C. for
all of its new RAS servers?

• A. Routing and Remote Access Services
• B. Active Directory Sites and Services
• C. Internet Authentication Services
• D. Remote Access Policy

Q14 Which Web server authentication protocols can only be used if DC&H gives clients
an account in Active Directory?

• A. Digest
• B. Certificate
• C. Integrated Windows
• D. Basic

Q15 Which new Windows Server 2003 tool should DC&H use to configure settings on
Group Policies?

• A. Group Policy Object Editor MMC
• B. GPMC
• C. Gpresult
• D. Gpupdate

Chapter 11. Answer Key to Practice Exam #2

Case 1: AUM Inc.
1. A
2. B
3. B, C
4. C
5. A
6. D
7. B
8. B
9. A
10. C
11. B, D
12. A
13. A, C
14. C
15. A, C

Q1 The correct answer is A. Only one domain is required because the overview states
that the account policies of all domains are the same and because there is no
physical limitation. Two domains are not required in this scenario; therefore,
answer B is incorrect. Four domains (one per location) are not required in this
scenario; therefore, answer C is incorrect. It is possible to determine the number
of domains that will be required; therefore, answer D is incorrect.

Q2 The correct answer is B. IPSec transport mode should be used to encrypt
communications between two computers on the same LAN; only the payload is
protected and the original IP headers are kept. IPSec tunnel mode encapsulates the
whole packet and is used to protect traffic between two networks (gateway to
gateway); therefore, answer A is incorrect. EFS encrypts files stored on NTFS
volumes and does nothing for data in transit; therefore, answer C is incorrect.
NTLM is an authentication protocol used within a LAN, not an encryption method for
network traffic; therefore, answer D is incorrect.

Q3 Answers B and C are correct. Windows 2000 Professional clients use NTLM
authentication when not connected to a domain. Windows NT Workstation clients
also use NTLM authentication. Windows 95 clients use LM authentication, not
NTLM; therefore, answer A is incorrect. Unix clients do not use NTLM
authentication; therefore, answer D is incorrect.

Q4 The correct answer is C. The Run as command (secondary logon) lets an
administrator stay logged on with an ordinary user account and start a single tool
with administrative credentials, so the elevated rights apply only to that tool.
Remote Access Policy controls dial-up and VPN connections and does not apply in
this scenario; therefore, answer A is incorrect. Complex passwords should be used
on a high-security network, but do not apply in this scenario; therefore, answer B
is incorrect. Account policies include password policy, account lockout policy, and
Kerberos policy, but do not apply in this scenario; therefore, answer D is
incorrect.

Q5 The correct answer is A. All of AUM's Microsoft clients can use MS-CHAP. The Unix
clients could use CHAP, but not MS-CHAP. AUM's Windows 95 clients can also use
MS-CHAP; therefore, answer B is incorrect. Windows 95 and Windows 2000
Professional clients can also use MS-CHAP; therefore, answer C is incorrect.
Windows 95 clients can use MS-CHAP; therefore, answer D is incorrect.

Q6 The correct answer is D. Demand-dial routing (DDR) creates a temporary route by
having one router's modem or ISDN adapter dial another, and only while there is
traffic for it. NAT is a service that allows multiple computers with private IP
addresses to share one (or a few) registered public IP addresses; therefore,
answer A is incorrect. A VPN uses the Internet to provide encrypted connections and
eliminates the use of modems on the server; therefore, answer B is incorrect. WINS
is a name resolution service that resolves NetBIOS names to IP addresses;
therefore, answer C is incorrect.

Q7 The correct answer is B. All of the Microsoft clients can use MS-CHAPv2 for the
VPN connection and PPTP, but the Unix clients cannot use MS-CHAPv2 for
authentication. Unix clients cannot use MS-CHAPv2; therefore, answer A is
incorrect. Windows NT Workstation and Windows 95 can use MS-CHAPv2 for
authentication through PPTP tunnels; therefore, answers C and D are incorrect.

Q8 The correct answer is B. In Emergency Management Services terms, a hot site is
an alternate location that has the hardware necessary for business operations. It
is tested regularly to ensure that it will be available if and when it is needed. A
cold site is simply a building that has been set aside to be used in the event of an
emergency, with no real consideration given to power, connectivity, or space
requirements; therefore, answer A is incorrect. A replica site is not a type of site
used for Emergency Management Services; therefore, answer C is incorrect. The
definition of the site fits that of a hot site; therefore, answer D is incorrect.

Q9 The correct answer is A. ACLs and the ACEs contained in them provide granular
control of each Active Directory object. Group Policies are groups of policies that
are used to control sites, domains, and OUs; therefore, answer B is incorrect. SUS
is used to keep up with the latest Microsoft security updates; therefore, answer C
is incorrect. Remote Access Policy controls access to the network from outside of
the network; therefore, answer D is incorrect.

Q10 The correct answer is C. Only Active Directory integrated zones support secure
dynamic updates. With secure dynamic update, a DNS record can be created or
changed only by a computer that has authenticated to Active Directory, and each
record carries an ACL so that, by default, only the computer that registered the
record can later update it. Standard Primary zones do not allow for secure dynamic
updates; therefore, answer A is incorrect. Stub zones assist in name resolution on
large networks but do not facilitate secure dynamic updates; therefore, answer B is
incorrect. Standard Secondary zones are read-only copies of Standard Primary zones
and do not allow for secure dynamic updates; therefore, answer D is incorrect.

Q11 Answers B and D are correct. The Remote Desktops MMC allows an administrator
to view the desktops and manage multiple servers and clients from a single
location. Computer Management allows the administrator to control the computer
settings remotely. RRAS is a tool used to control RAS, such as dial-up and VPN
connections; therefore, answer A is incorrect. Remote access policy includes
controls in RRAS that are used to limit a user's use of remote access connections;
therefore, answer C is incorrect.

Q12 The correct answer is A. Only AUM's Windows 2000 Professional and Windows XP
Professional clients can use Windows Server 2003 Group Policy. Windows NT
Workstation cannot use Group Policies; therefore, answer B is incorrect. Windows
2000 Professional clients can use Group Policies from Windows Server 2003
servers; therefore, answer C is incorrect. Windows 95, Windows NT Workstation,
and Unix clients cannot use Windows Server 2003 Group Policy; therefore, answer
D is incorrect.

Q13 Answers A and C are correct. Windows 2000 Professional and Windows XP
Professional clients can use DNS and SRV records to locate services on the
network. Windows NT Workstation clients use NetBIOS name resolution services;
therefore, answer B is incorrect. Windows 95 clients use NetBIOS name resolution
and Unix clients can use SRV records; therefore, answer D is incorrect.

Q14 The correct answer is C. EFS can be used to encrypt the sensitive data so that
it remains unreadable even if the laptop is lost or stolen and the drive is read
from another operating system. MD5 is a hash algorithm used to verify the integrity
of data (for example inside Digest authentication or IPSec); it does not encrypt
stored files; therefore, answer A is incorrect. NTFS is a file system that secures
files and folders with permissions, but those permissions are bypassed when the
disk is mounted elsewhere; therefore, answer B is incorrect. L2TP is a tunneling
protocol used to create a VPN; therefore, answer D is incorrect.

Q15 Answers A and C are correct. Only Windows 2000 Professional and newer clients
can use Group Policy and Kerberos authentication. Both of these features could
enhance security for AUM. Remote Access Policy on Windows Server 2003 can be
used to control all clients; therefore, answer B is incorrect. All of AUM's current
clients can already use share permissions; therefore, answer D is incorrect.

Case 2: BBF, Inc.


 1. D        9. B, C
 2. B, C    10. D
 3. D       11. A, B
 4. D       12. A
 5. A       13. D
 6. C, D    14. A, C
 7. A, C    15. A
 8. C, D

Q1 The correct answer is D. Trusts are relationships between domains, and a company
with only one domain has no trusts to manage. Trusts are not created between sites;
therefore, four trusts (one per site) are not required and answer B is incorrect.
Because zero (0) trusts need to be managed with a single domain, any answer that
counts trusts is wrong; therefore, answer C is incorrect.

Q2 Answers B and C are correct. Integrated Windows authentication uses the client's
Active Directory credentials (Kerberos or NTLM) to secure Web access without sending
a password over the wire. Mapped certificates combine the authentication of a client
certificate with the additional authentication and authorization of an Active
Directory account. Basic authentication sends the password in clear text (only
base64-encoded); therefore, answer A is incorrect. MD5 is a hash algorithm, not an
authentication method; therefore, answer D is incorrect.

Q3 The correct answer is D. SUS can be used to automate the process of applying the
latest security patches to Windows 2000 and Windows XP Professional clients.
Computer Management can be used to make changes to client computer settings but
not to install patches; therefore, answer A is incorrect. RSoP can be used to model
the effect of a change in a Group Policy; therefore, answer B is incorrect. MBSA is a
tool used to check for the latest security updates and for security vulnerabilities, but
it does not install the updates; therefore, answer C is incorrect.

Q4 The correct answer is D. IPSec transport mode is used to encrypt communications
between computers on the same network. IPSec tunnel mode is used to encrypt
communications between two networks; therefore, answer A is incorrect. PPTP is a
tunneling protocol used to create a VPN between two networks; therefore, answer B
is incorrect. MPPE is used to encrypt communications when using PPTP; therefore,
answer C is incorrect.

Q5 The correct answer is A. Windows 2000 Professional and newer clients can be
controlled using Group Policy. Windows 2000 Professional and Windows XP clients
can be controlled using Group Policy; therefore, answers B and C are incorrect.
Windows 98 clients cannot be controlled using Group Policy; therefore, answer D is
incorrect.

Q6 Answers C and D are correct. Upgrading the laptops to Windows XP would improve
security by allowing the drives to be formatted with NTFS, which in turn allows EFS
to encrypt the files on them. Account lockout policies determine the number of
times that a person can attempt, unsuccessfully, to log on to a domain before he is
locked out, which does nothing for data stored on a lost or stolen laptop;
therefore, answer A is incorrect. Stronger domain passwords likewise do not protect
data on a laptop whose disk can be read outside of Windows; therefore, answer B is
incorrect.

Q7 Answers A and C are correct. IPSec tunnel mode can encrypt traffic between two
networks. MPPE is the encryption protocol used by PPTP when used with Microsoft
clients and servers. NTFS is a file system that can be used to control permissions to
files and folders; therefore, answer B is incorrect. IPSec transport mode can encrypt
traffic between computers on the same network; therefore, answer D is incorrect.

Q8 Answers C and D are correct. The Delegation of Control Wizard or the ACLs for
objects can be used to assign some permissions to local network managers. Remote
Access Policy controls a user's access to remote access connections, such as dial-up
or VPN connections; therefore, answer A is incorrect. Group Policies are used to
control sites, domains, and OUs but not to delegate administrative authority;
therefore, answer B is incorrect.

Q9 Answers B and C are correct. L2TP and Kerberos authentication can be used only on
clients that are Windows 2000 Professional or newer. PPTP can be used on all clients;
therefore, answer A is incorrect. Share permissions can be used on all clients;
therefore, answer D is incorrect.

Q10 The correct answer is D. MPPE is the inherent form of encryption used by PPTP. L2TP
is another tunneling protocol; therefore, answer A is incorrect. PPP is not a form of
encryption; therefore, answer B is incorrect. IPSec is not an inherent form of
encryption with PPTP; therefore, answer C is incorrect.

Q11 Answers A and B are correct. Auditing logon events on the domain controllers
tracks interactive and network logons to the domain controllers themselves.
Auditing logon events on all member servers tracks logons to the member servers.
Account logon events record the validation of credentials, which for domain
accounts happens on a domain controller, not on the member server the user is
connecting to; therefore, answer C is incorrect. The audit policy does not require
tracking a domain controller's validation of logons from other computers;
therefore, answer D is incorrect.

Q12 The correct answer is A. They should use the A G DL P strategy. They should place
the accounts into Global groups, place the Global groups into Domain Local groups,
and then give the Domain Local groups the permissions to the resources. Permission
should not be assigned to Global groups; therefore, answer B is incorrect.
Permissions should not be assigned to Universal groups; therefore, answer C is
incorrect. Permissions should not be assigned directly to a user. This might seem
efficient in the short term, but it is confusing and inefficient in the long term;
therefore, answer D is incorrect.

Q13 The correct answer is D. Domain Local groups are used to assign permission to a
resource located anywhere in a domain. Local groups are created on one computer
to give access to resources located on that computer; therefore, answer A is
incorrect. Universal groups are created in Active Directory and are generally not
assigned permissions; therefore, answer B is incorrect. Global groups are created in
Active Directory and are generally not assigned permissions; therefore, answer C is
incorrect.
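
The A G DL P strategy from Q12 and Q13 carried out in PowerShell, as an added example
that is not part of the book. It assumes the ActiveDirectory module (RSAT) on a
domain-joined machine and rights to create groups in the OU; the OU, group names,
user names and folder path are made-up values.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module (RSAT) on a domain-joined
# machine and rights to create groups in the OU; all names and paths below are made-up values.
#Requires -Modules ActiveDirectory
Set-StrictMode -Version Latest

$ouPath     = 'OU=Groups,DC=example,DC=com'   # assumption
$globalName = 'Finance-Users'                 # G: the role, holds the accounts
$dlName     = 'FinanceShare-Modify'           # DL: the resource group, holds the permission
$sharePath  = 'D:\Shares\Finance'             # assumption, NTFS folder on a file server
$members    = @('jdoe', 'asmith')             # sAMAccountNames, made up

# A -> G: accounts go into a Global group. Global groups can hold only accounts from their own
# domain, which is what makes them the natural "who" container.
if (-not (Get-ADGroup -Filter "Name -eq '$globalName'")) {
    New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security -Path $ouPath
}
Add-ADGroupMember -Identity $globalName -Members $members

# G -> DL: the Global group is nested into a Domain Local group. Domain Local groups accept
# groups from any trusted domain, so a second domain's Global group can be added here later
# without ever touching the resource's ACL again.
if (-not (Get-ADGroup -Filter "Name -eq '$dlName'")) {
    New-ADGroup -Name $dlName -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
}
Add-ADGroupMember -Identity $dlName -Members $globalName

# DL -> P: only the Domain Local group is named in the NTFS ACL (answers B, C and D of Q12
# would put the permission on a Global group, a Universal group or a user instead).
$domain = (Get-ADDomain).NetBIOSName
$acl    = Get-Acl -Path $sharePath
$rule   = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$dlName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: the explicit (non-inherited) ACEs should reference the Domain Local group only.
(Get-Acl -Path $sharePath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The check at the end is the one to run on existing servers too: any explicit ACE
that names a user or a Global group is a sign that permissions were assigned
directly (answer D of Q12) and will have to be hunted down when that user moves or
a second domain is added.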

Q14 Answers A and C are correct. One-to-one mapping associates a specific client
certificate with a specific user account. Many-to-one mapping uses rules on
certificate fields (for example, every certificate issued by a particular CA, or
with a given organizational unit in its subject) to map many certificates to a
single user account. Integrated Windows and Digest are forms of Web authentication
that do not involve certificates; therefore, answers B and D are incorrect.

Q15 The correct answer is A. The Effective Permissions tool can be used to determine the
effective NTFS permissions of a user or group to a resource. The Delegation of
Control Wizard is used to give some users partial management rights; therefore,
answer B is incorrect. The GPMC is used to create and manage Group Policies;
therefore, answer C is incorrect. Active Directory Users and Computers is used to
manage the logical aspects of Active Directory; therefore, answer D is incorrect.

Case 3: SysCon
 1. A, B        9. B
 2. A, C       10. A
 3. A          11. D
 4. C          12. A, D
 5. B, C, D    13. B, D
 6. B          14. C
 7. C, D       15. A
 8. A, B

Q1 Answers A and B are correct. Application pools and worker process isolation mode
can be used to run each application in its own worker process so that one
application's failing does not affect other applications. Bandwidth throttling
might be used to help stabilize servers with multiple applications, but it is not a
new feature in Windows Server 2003 IIS; therefore, answer C is incorrect. HTTP
keep-alives keep a client's TCP connection open across multiple requests to save
connection setup; they are a performance feature and do nothing to isolate
applications from one another; therefore, answer D is incorrect.

Q2 Answers A and C are correct. Regular backups ensure that the data is still
available. Volume shadow copies can be configured to create a copy of all files at
specified intervals. The user can revert back to the old version with minimal effort
and training. Default NTFS permissions would not affect this scenario; therefore,
answer B is incorrect. ASR can be used to recover a server in the event of a
failure, but does not contain user data; therefore, answer D is incorrect.

Q3 The correct answer is A. GPMC can be used to create, manage, and delegate
Group Policies. RSoP is a new tool that allows you to model the effect of changes
in Group Policies; therefore, answer B is incorrect. The Effective Permissions tool
is new to Windows Server 2003 and can assist you in determining the resulting
NTFS permissions for a user or group that is in multiple groups; therefore, answer
C is incorrect. The Group Policy Object Editor can only be used to edit existing
Group Policies; therefore, answer D is incorrect.

Q4 The correct answer is C. Password policies are part of account policies, which
in a Windows Server 2003 domain can be set for domain accounts only in a Group
Policy linked at the domain level. Password policies set in a Group Policy linked
to an OU affect only the local user accounts on the computers in that OU, not
domain accounts; therefore, answer A is incorrect. Password policies are not
applied to a site; therefore, answer B is incorrect. Because only answer C is
valid, an answer that selects all of the choices is wrong; therefore, answer D is
incorrect.

Q5 Answers B, C, and D are correct. You should first set the audit policy to Audit
Object Access for Success and Failure. You should then set the SACLs for each of
the files and folders. Audit Privilege Use is used to audit a user's exercise of a user
right and is not relevant in this scenario; therefore, answers A and F are incorrect.
ACLs are used to specify permissions for an object, not for auditing; therefore,
answer E is incorrect.

Q6 The correct answer is B. WINS resolves NetBIOS names to IP addresses. After all
of the clients are upgraded to Windows XP Professional, the service is no longer
required as long as there are no legacy applications that are still using NetBIOS
names. DNS is an integral part of Active Directory and should not be uninstalled;
therefore, answer A is incorrect. DHCP is not a name resolution service; therefore,
answer C is incorrect. RAS is a service that can be used to create and control dial-
up and VPN connections to a network; therefore, answer D is incorrect.

Q7 Answers C and D are correct. The partition that contains the folders to be
encrypted with EFS must first be formatted with the NTFS file system. Offline Files
and Folders is not required for encryption; therefore, answer A is incorrect. Folder
compression is not required for encryption and, in fact, the folder to be encrypted
cannot be compressed; therefore, answer B is incorrect.

Q8 Answers A and B are correct. PPTP and L2TP can be used to create virtual private
networks through the Internet. Assuming that the bandwidth will meet its
requirements, this could represent a savings to SysCon when compared with the
cost of leased lines. Group Policy is used to control security and settings for
computers and users in sites, domains, and OUs; therefore, answer C is incorrect.
Active Directory is the underlying technology built in to Windows Server 2003;
therefore, answer D is incorrect.

Q9 The correct answer is B. A default installation of Windows Server 2003, Standard
Edition does not install IIS 6.0; therefore, no services are available. IIS 6.0 is not
installed on a default installation of Windows Server 2003; therefore, answers A,
C, and D are incorrect.

Q10 The correct answer is A. The only type of zone that can be set for secure
dynamic updates on a Windows 2000 Server or Windows Server 2003 DNS server is an
Active Directory integrated zone. Standard Primary zones cannot be configured for
secure dynamic updates; therefore, answers B and D are incorrect. Only Active
Directory integrated zones can be set for secure dynamic updates; therefore,
answer C is incorrect.

Q11 The correct answer is D. The Windows Server 2003 command gpupdate replaces
the Windows 2000 command secedit /refreshpolicy machine_policy and is used to
force an immediate refresh of Group Policy on the local machine. Because secedit's
refresh function is replaced by gpupdate in Windows Server 2003, answer A is
incorrect. The gpresult command reports the policies that apply to a computer and
user but does not refresh them; therefore, answer B is incorrect. The netsh
command configures and scripts networking components (interfaces, RRAS, IPSec, the
firewall) and has nothing to do with Group Policy; therefore, answer C is incorrect.

Q12 Answers A and D are correct. .NET Passport and Digest authentication both avoid
sending the user's password over the wire. Basic authentication is not secure
because the user's password is sent over the wire in clear text; therefore, answer
B is incorrect. NTLM is not offered as a separate IIS authentication method; it is
one of the protocols used under the covers by Integrated Windows authentication;
therefore, answer C is incorrect.

Q13 Answers B and D are correct. Integrated Windows authentication and Digest
authentication can be used in addition to certificates to increase security. MS-
CHAPv2 is an authentication protocol used for remote access, not Web servers;
therefore, answer A is incorrect. IPSec is a security method used on networks and
between networks, but not on Web servers; therefore, answer C is incorrect.

Q14 The correct answer is C. Anonymous access logs the user on to a default account
called IUSR_computername, which has very limited permissions. Basic
authentication requires a username and a password (credentials) and then sends
them over the wire in clear text; therefore, answer A is incorrect. Digest
authentication checks a user's credentials against Active Directory; therefore,
answer B is incorrect. Integrated Windows authentication does not require a user to
enter credentials, but instead uses the credentials of the already logged-on user;
therefore, answer D is incorrect.

Q15 The correct answer is A. Immediately following a default installation of IIS 6.0,
only access to static content is available. Access to static content is available;
therefore, answer B is incorrect. All services other than access to static content
are disabled; therefore, answers C and D are incorrect.

Case 4: DC&H Consulting


 1. C         9. A, B, D
 2. D, E     10. A
 3. A, C     11. A, C
 4. A        12. A, B, E
 5. D        13. C
 6. A, D     14. A, C
 7. A        15. A
 8. B, D

Q1 The correct answer is C. The Washington D.C. office must be a separate domain
because it needs a different password policy. The other three offices should be
combined into one domain and represented by OUs. One domain is not sufficient
because of the need for a different password policy in Washington D.C.; therefore,
answer A is incorrect. Four domains (one for each location) are not required or
recommended, because representing each office as an OU keeps delegation of
administrative authority simpler; therefore, answer B is incorrect. There is
enough information to determine the correct answer; therefore, answer D is
incorrect.

Q2 Answers D and E are correct. Windows 95 and Windows NT Workstation cannot
use Kerberos authentication and must be upgraded. Unix clients can use Kerberos
authentication; therefore, answer A is incorrect. Windows XP Professional clients
can use Kerberos authentication; therefore, answer B is incorrect. Windows 2000
Professional clients can use Kerberos authentication; therefore, answer C is
incorrect.

Q3 Answers A and C are correct. Servers that do not contain sensitive information,
and are likely to be used from both internal clients and external clients, should be
placed on the perimeter network. DHCP servers contain sensitive information
regarding IP address allocation; therefore, answer B is incorrect. Domain
controllers contain sensitive Active Directory information; therefore, answer D is
incorrect.

Q4 The correct answer is A. As an additional security measure for Windows Server
2003, IIS is not installed as part of a default installation; therefore, no IIS 6.0
services are provided. IIS 6.0 is not installed during a default installation of
Windows Server 2003; therefore, answers B, C, and D are incorrect.

Q5 The correct answer is D. As a security measure, only static content is available
with a default installation of IIS 6.0. Static content is available with a default
installation; therefore, answer A is incorrect. Only static content is available with a
default installation of IIS 6.0; therefore, answers B and C are incorrect.

Q6 Answers A and D are correct. Basic authentication is not secure because the
password is sent over the wire in clear text. Anonymous access should only be
used for access to nonsecure public sites. Integrated Windows is a secure form of
authentication that relies on an Active Directory logon; therefore, answer B is
incorrect. .NET Passport is a secure form of authentication that relies on Microsoft
servers for authentication; therefore, answer C is incorrect.

Q7 The correct answer is A. DDR is used to automatically establish a route, when
necessary, by using a less-expensive ISDN connection or even a regular dial-up
connection. Proxy is a service that controls a user's access to another network,
such as the Internet, and provides a more secure connection; therefore, answer B
is incorrect. A firewall is a type of filtering hardware or software that allows some
traffic to pass through and filters other traffic based on the settings; therefore,
answer C is incorrect. NAT is a service that translates one or many public IP
addresses to one or many private IP addresses; therefore, answer D is incorrect.

Q8 Answers B and D are correct. Memory\Available Bytes and System\Processor Queue
Length are counters that might be used to establish a performance baseline.
Serial Overrun Errors and CRC Errors are RAS Port counters used for troubleshooting
a remote access connection, not for baselining; therefore, answers A and C are
incorrect.

Q9 Answers A, B, and D are correct. Windows 95, Unix, and Windows NT Workstation
cannot be controlled by Windows Server 2003 Group Policy. Windows 2000
Professional clients can be controlled by Group Policy; therefore, answer C is
incorrect. Windows XP Professional clients can be controlled by Group Policy;
therefore, answer E is incorrect.

Q10 The correct answer is A. The administrator would have to use the ACLs to adjust
delegated rights. The Delegation of Control Wizard can only be used to give rights,
not to adjust them or remove them; therefore, answer B is incorrect. Active
Directory Sites and Services is used to control the physical aspects of Active
Directory; therefore, answer C is incorrect. Active Directory Domains and Trusts is
used to configure the connections between domains; therefore, answer D is
incorrect.

Q11 Answers A and C are correct. The Backup or Restore Wizard can be scheduled to
perform regular backups. The Volume Shadow Copy service can be scheduled to take
point-in-time snapshots of shared folders, from which previous versions of files can
be restored. Computer Management is not used to perform backups; therefore, answer
B is incorrect. Disk Management is not used to create backups; therefore, answer D
is incorrect.

Q12 Answers A, B, and E are correct. You should set the audit policy on each of the
member servers because that limits auditing to the servers that need it. You should
then set the SACL for HKEY_CURRENT_USER to Full Control for Success and Failure so
that both successful and failed accesses are recorded. Setting the audit policy for
the domain is not recommended because the auditing is specific to the member
servers; therefore, answer C is incorrect. The ACLs (the DACL) control access to
objects; auditing is configured in the SACL; therefore, answers D and F are
incorrect.
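
Object-access auditing as described in SysCon Q5 (files and folders) and DC&H Q12
(a registry key), as an added example that is not part of the book. It assumes an
elevated Windows PowerShell 5.1 session on the member server; the folder and
registry key paths are made-up values, and the auditpol subcategory syntax applies
to Windows Server 2008 and later (on Windows Server 2003 the single Audit object
access policy is set in Local Security Policy or a GPO instead).

```powershell
# Added example, not from the book. Assumes an elevated Windows PowerShell 5.1 session on the
# member server; the paths are made-up values.
Set-StrictMode -Version Latest

$folder  = 'D:\Shares\Payroll'                 # assumption
$regPath = 'HKLM:\SOFTWARE\Contoso\Payroll'    # assumption (the HKCU: drive works the same way
                                               # for the hive of the user running the script)

# 1. Audit policy on the member server itself (answer A), not on the domain (answer C).
#    Windows Server 2003 has one "Audit object access" setting, configured in Local Security
#    Policy or a GPO linked to the servers' OU; 2008 and later split it into subcategories:
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Registry"    /success:enable /failure:enable | Out-Null

# 2. The audit entry goes in the SACL (answers B and E); the DACL that grants permissions is
#    left alone (answers D and F). Writing a SACL needs SeSecurityPrivilege, hence elevation.
function Add-ObjectAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $acl     = Get-Acl -Path $Path -Audit        # -Audit reads the SACL as well as the DACL

    if ($acl -is [System.Security.AccessControl.RegistrySecurity]) {
        $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
            $Identity, [System.Security.AccessControl.RegistryRights]::FullControl, $inherit, $prop, $Flags)
    } else {
        $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            $Identity, [System.Security.AccessControl.FileSystemRights]::FullControl, $inherit, $prop, $Flags)
    }
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Add-ObjectAudit -Path $folder
Add-ObjectAudit -Path $regPath

# 3. Verify: the Audit property is populated only when the ACL was read with -Audit.
(Get-Acl -Path $folder  -Audit).Audit | Select-Object IdentityReference, FileSystemRights, AuditFlags
(Get-Acl -Path $regPath -Audit).Audit | Select-Object IdentityReference, RegistryRights, AuditFlags

# 4. Read what was recorded. Object access is event 560 in the Windows Server 2003 Security
#    log and 4663 from Windows Server 2008 on; filter on the object name to cut the noise.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Payroll*' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Two things the exam answers leave implicit: the audit policy and the SACL are both
required (either alone produces nothing), and Full Control for Everyone on a busy
key or folder fills the Security log quickly, so size the log and forward events
before turning this on for more than a handful of objects.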

Q13 The correct answer is C. IAS, Microsoft's RADIUS server, should be used to
centralize authentication and authorization of remote access clients in Washington
D.C.; each RAS server is configured as a RADIUS client of the IAS server. RRAS is
used to create and control the remote access connections but not to centralize
authentication; therefore, answer A is incorrect. Active Directory Sites and
Services is a tool used to control the physical aspects of Active Directory;
therefore, answer B is incorrect. Remote Access Policy is used to control a user's
access to a connection, but not to centralize authentication; therefore, answer D
is incorrect.

Q14 Answers A and C are correct. Clients can only use Digest and Integrated Windows
authentication if they are given an account in Active Directory. Certificate
authentication does not require an account in Active Directory; therefore, answer
B is incorrect. Basic authentication can be used by anyone who has a password,
but it is not recommended because it sends the password in clear text; therefore,
answer D is incorrect.
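
What the wire actually carries for Basic and Digest authentication (SysCon Q12 and
Q14, DC&H Q6 and Q14), as an added example that is not part of the book. The two
Authorization headers are constructed from the sample values in RFC 2617; the
Test-DigestResponse function is a hypothetical server-side check written for this
example, not IIS code.

```powershell
# Added example, not from the book: decode a Basic header and verify a Digest response the way
# a server would. Header values are the RFC 2617 sample values (constructed input).
Set-StrictMode -Version Latest

function Get-Md5Hex {
    param([Parameter(Mandatory)] [string] $Text)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = $md5.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Text))
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

# Basic: the credential is only base64-encoded, so anyone on the path recovers user:password.
function ConvertFrom-BasicHeader {
    param([Parameter(Mandatory)] [string] $Header)
    $b64 = ($Header -split '\s+')[-1]
    return [System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b64))
}

# Digest: the client sends MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA1 = MD5(user:realm:password).
# The server needs HA1, never the password; IIS obtains it through the user's Active Directory
# account, which is why Digest users must have one. Hypothetical server-side check, not IIS code.
function Test-DigestResponse {
    param(
        [Parameter(Mandatory)] [string] $Header,
        [Parameter(Mandatory)] [string] $Method,
        [Parameter(Mandatory)] [string] $HA1
    )
    # Pull key="value" and key=value pairs out of the Authorization header.
    $p = @{}
    foreach ($m in [regex]::Matches($Header, '(\w+)=(?:"([^"]*)"|([^,\s]+))')) {
        $p[$m.Groups[1].Value] = if ($m.Groups[2].Success) { $m.Groups[2].Value } else { $m.Groups[3].Value }
    }
    $ha2      = Get-Md5Hex ('{0}:{1}' -f $Method, $p['uri'])
    $expected = Get-Md5Hex ('{0}:{1}:{2}:{3}:{4}:{5}' -f $HA1, $p['nonce'], $p['nc'], $p['cnonce'], $p['qop'], $ha2)
    return ($expected -eq $p['response'])
}

# Constructed captures (RFC 2617 examples): Aladdin / "open sesame" and Mufasa / "Circle Of Life".
$basicHeader  = 'Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='
$digestHeader = 'Authorization: Digest username="Mufasa", realm="testrealm@host.com", ' +
                'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, ' +
                'nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"'

'Basic header decodes to: {0}' -f (ConvertFrom-BasicHeader $basicHeader)

# Server side: HA1 is looked up for the account (here computed from the sample password);
# the password itself never crosses the wire, so a sniffed header yields only a replayable hash.
$ha1Right = Get-Md5Hex 'Mufasa:testrealm@host.com:Circle Of Life'
$ha1Wrong = Get-Md5Hex 'Mufasa:testrealm@host.com:Circle Of Death'
'Digest valid with correct HA1: {0}' -f (Test-DigestResponse -Header $digestHeader -Method GET -HA1 $ha1Right)
'Digest valid with wrong HA1:   {0}' -f (Test-DigestResponse -Header $digestHeader -Method GET -HA1 $ha1Wrong)
```

The Digest check succeeds only with the HA1 derived from the right password, which
is the whole difference from Basic: the server compares hashes instead of receiving
the secret. It still depends on MD5 and gives no protection against an attacker who
can relay the exchange within the nonce lifetime, so either method belongs inside
SSL/TLS today.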

Q15 The correct answer is A. The Group Policy Object Editor MMC can be used to
configure and edit Group Policy settings. GPMC is a new tool in Windows Server
2003 that is used to create, link, back up, and manage Group Policy Objects;
editing the settings inside a GPO still opens the Group Policy Object Editor;
therefore, answer B is incorrect. Gpresult is a command-line tool used to determine
the resulting set of policies applied to a computer and user; therefore, answer C
is incorrect. Gpupdate is a command-line tool that is used to refresh policies on a
local machine; therefore, answer D is incorrect.

Appendix A Need to Know More?

TechNet Windows Server 2003 Resources:
www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/default.asp

TechNet Windows 2000 Server Resources:
www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/default.asp

Microsoft Training and Certifications: Exams:
www.microsoft.com/traincert/mcpexams/default.asp

Microsoft Training and Certifications: View new and upcoming exams at:
www.microsoft.com/traincert/mcpexams/status/new.asp

SANS/FBI Top 20 list of critical Internet security vulnerabilities: www.sans.org/top20.htm

Howard, Michael. Designing Secure Web-Based Applications for Microsoft Windows 2000.
Redmond, Washington: Microsoft Press, 2000.

Glossary
Numbers
802.1x

The IEEE standard for port-based network access control. A client (the supplicant)
must authenticate, typically with EAP against a RADIUS server such as IAS, before the
switch port or wireless access point forwards its traffic. It applies to wired
Ethernet ports as well as wireless networks.

A
A G U DL P

The Microsoft recommended strategy for using groups to control access to a
resource across the domains of a forest. Accounts are placed into Global groups,
Global groups are placed into Universal groups, Universal groups are placed into
Domain Local groups, and Domain Local groups are then given permissions. Within a
single domain the Universal step is omitted (A G DL P).

access control entry (ACE)

A single entry in an access control list. In a discretionary ACL, an ACE grants or
denies a user or group specific rights on the object; in a system ACL, an ACE
specifies which successful or failed accesses by a user or group are audited.

access control list (ACL)

The list of ACEs attached to a securable object (an Active Directory object, NTFS
file or folder, registry key, share, and so on) that controls which security
principals can perform which actions on it (the DACL) and which accesses are
audited (the SACL).

account policies

The security policies, including password, account lockout, and Kerberos policies.
These are set at the domain level when applied to a domain.

administrative policies

The security requirements that are enforced by management. These are not
enforced by the operating system, but rather by documentation and training.

administrative templates

The Group Policy settings that are used to change values under the HKEY_LOCAL_MACHINE
and HKEY_CURRENT_USER Registry keys on multiple computers on a network.

application filtering

An advanced form of firewall filtering that identifies the application of each packet
and makes decisions based on the application.

application isolation

The process of placing each Web application into its own application pool with its
own resources. This is done to ensure that one application's crashing does not
cause other applications to crash as well.

attack surface

The set of points (open ports, running services, listening applications, enabled
protocols, accounts) at which an attacker could attempt to compromise a system or
network. The goal of an organization should be to minimize its attack surface, for
example by not installing IIS by default and by disabling services it does not use.

auditing

The process of monitoring and recording logons, resource access, privilege use,
and so forth on a computer.

authentication

The process of a user or computer proving its identity to a device on the network.
Authentication should be required before a user is authorized to use network
resources.

B
bastion host server

A hardened server placed on a perimeter network, where it is directly exposed to
untrusted traffic. Most of its services are disabled and its software is kept
patched so that it presents as small an attack surface as possible. Users reach the
servers that hold the resources only after satisfying the bastion host server's
controls first.

brute force attack

An attack that tries every possible value (for example, every candidate password
or key) until one works. Brute force attacks can be mounted locally or across the
network; account lockout policies, long passwords, and rate limiting are the usual
countermeasures.

built-in account

A user account that is created during the installation of Windows Server 2003, the
implementation of Active Directory, or the installation of additional services.

C
calculated risk

The estimated cost of an attack on a resource, including the loss of productivity,
the cost of replacement, and the opportunity cost.

certificate

A digital document, signed by a certification authority, that binds the public half
of a public/private key pair to the identity of its owner and states the purposes
for which the key may be used. A certificate does not by itself protect data; it
lets the parties verify whom they are talking to so that keys can then be
exchanged to encrypt and sign the data.

certificate revocation list (CRL)

A list maintained by certification authorities that lists all certificates that are no
longer valid but have not yet reached their configured expiration date. Clients
validating a certificate can check the CRL to determine if a presented certificate is
still valid.

Certificate Services

A Microsoft snap-in tool that is used to issue and manage digital certificates within
a network's PKI.

certification authority (CA)

A service that issues digital certificates to users and computers. In addition, CAs
maintain a current list of revoked certificates that are no longer considered valid.

circuit-level filtering

The process of inspecting an entire session's attributes rather than the packets
themselves. You can configure acceptable port numbers and protocols for the
session.

client certificate

A digital document that contains a client's public key and allows the client to
prove his identity.

Client Services for NetWare (CSNW)

A service that allows Microsoft clients to connect directly to a NetWare server and
use resources for which they are assigned permissions.

cold site

An alternate location used for Emergency Management Services that consists of a
building that is set aside in the event of a catastrophic loss, such as a fire,
tornado, earthquake, and so on. A cold site does not have any computer
equipment and cannot be tested or implemented in a short period of time.

computer role

The main use of a computer on a network. Roles include domain controllers,
member servers, file and print servers, Web servers, and many more.

confidential data

The information that is stored on a network but is only accessible to a few
selected internal users. This data could include payroll information, credit
information, medical histories, and other sensitive information.

countermeasures

The policies and methods that an organization uses to combat an attacker.

credentials

A method of proving one's identity. On a network, credentials could consist of a
username and password, a smart card and PIN, a certificate, or any other method
that proves that an entity is who it says it is.

D
data modification

The process of an attacker changing a message while it is in the network between
two parties. Companies should use protocols that prevent data modification.

Delegation of Control

The process by which you can allow nonadministrative users to have some
responsibility for some portion of Active Directory, such as delegating the ability
to change users' passwords or add computers to the domain.

demand-dial routing

The process of automatically and temporarily connecting a network segment using
modems and PSTN or ISDN lines.

disaster recovery plan (DRP)

A detailed document that outlines the procedures for restoring computer services
and communications to a network in the event of a catastrophic loss.

discretionary access control list (DACL)

An internal list that is attached to files and folders on NTFS-formatted volumes
that is configured to specify the level of permissions that are to be allowed for
different users and groups.

domain controller

A server that holds a writable copy of the Active Directory data and manages
information contained within the Active Directory database. Domain controllers
also function as DNS servers when Active Directory integrated zones are used.
The Kerberos Key Distribution Center (KDC) is located on every domain controller
as well.

Domain Name System (DNS)

A service that dynamically provides name and address resolution services in a
TCP/IP environment.

domain user account

A user account that exists within an Active Directory network and allows the user
to log on to any computer in the network for which he has the required rights.

drag-and-drop questions

An exam question type that requires you to drag source objects into their proper
place in the work area.

E
Emergency Management Services

The hardware, software, and policies that make up an organization's disaster
recovery plan.

Encapsulating Security Payload (ESP)

A protocol that is used in the IPSec suite to handle data encryption. ESP is usually
used with Authentication Header to provide the maximum level of security and
integrity for data transmitted in IPSec transmissions. ESP uses DES encryption by
default, but it can be configured to use 3DES.

encryption

A mechanism for securing data in which data is mathematically scrambled so that
it can only be unscrambled with the correct mathematical key.

end certificate

A type of certificate constraint that identifies a certificate as one that cannot be
entrusted to any other organization.

enrollment

The process of providing key pairs and certificates for use with PKI. Windows
Server 2003 can automatically enroll users who are authenticated by Active
Directory.

Extensible Authentication Protocol (EAP)

An extension to the PPP as specified in RFC 2284 that provides a means for the
primary authentication method to be negotiated during the initiation of the PPP
session.

extranet

A value-added service that consists of one organization giving another
organization partial access to its network resources.

F
filtering

The process of configuring the DACL for a GPO such that only specific users or
groups can read and apply the GPO settings.

firewall

A hardware or software device that can prevent specified types of traffic from
entering or leaving a network.

framework

A suggested method for the purpose of organizing a project and preventing the
omission of any important steps. Microsoft recommends that companies use a
framework in regard to their security plan.

functional levels

The levels of functionality for Active Directory forests and Active Directory
domains that determine which unique features they can possess, such as
Windows 2000 mixed, Windows Server 2003, and others.

G
Gateway (and Client) Services for NetWare (GSNW)

The services that allow Microsoft clients to connect to a NetWare server through a
Microsoft server using a gateway user account.

global catalog (GC)

A partial replica of every object in an Active Directory database that is used to
assist in searching Active Directory.

Gpresult

A command-line utility that can display the Group Policy settings and RSOP for a
user or a computer.

Gpupdate

A command-line utility that is used to refresh local and Active Directory Group
Policy settings, including security settings. The gpupdate command replaces the
/refreshpolicy option for the secedit command.

Group Policy Editor

A subset of the Active Directory Users and Computers console that allows the
editing of Group Policy Objects.

Group Policy Object (GPO)

A collection of security and configuration settings that are applied to a container in
an Active Directory domain.

H
help desk

An individual or department in a company that assists users with minor problems
on their computers.

hot site

An alternate location that is part of a disaster recovery plan and consists of a
functioning network to be used in the event of a catastrophic failure in the
primary network. A hot site should be tested on a regular basis and updated when
necessary.

I
IIS baseline

A known standard of performance on an IIS server that is functioning well. The
baseline should contain counters for processor, memory, disks, and network.

internal data

The information that is used within an organization on a daily basis.

Internet Authentication Service (IAS)

The software that can be installed on a server to provide for central authentication
and logging of multiple remote access servers.

Internet Connection Firewall (ICF)

A host-based firewall that filters traffic based on port numbers. This type of
firewall is built in to Windows XP Professional clients and Windows Server 2003
servers. It should be used on the clients, but should only be used as a last resort
on the servers.

Internet Information Services (IIS)

The software that is built in to Microsoft server operating systems that provides
for the creation and secure management of Web sites and other Internet
functions.

Internet Protocol (IP)

The portion of the TCP/IP protocol suite that is used to provide packet routing.

intrusion detection system (IDS)

A device composed of hardware and software that can identify a network threat
and begin to defend against the threat while also alerting the network
administrator.

IP address

The 32-bit binary address that is used to identify a TCP/IP host's network and
host ID. IPv6 IP addresses are 128 bits in length.

IP filtering

The identifying of packets based on their source and destination IP addresses.

IP Security (IPSec)

A Layer 3 TCP/IP protocol that provides end-to-end security for data in transit.

ISAKMP/Oakley (Internet Security Association and Key Management Protocol/Oakley)

A protocol that is used to share a public key between sender and receiver of a
secure connection. ISAKMP/Oakley allows the receiving system to retrieve a public
key and then authenticate the sender using digital certificates.

K
Kerberos v5

An identity-based security protocol based on Internet security standards and used
by Windows Server 2003 to authenticate users.

key pair

A user's public key that can be used by anyone to encrypt data that is to be sent
to the user and by the user to verify his identity. Combined with a user's private
key that is held only by the user, the user can decrypt the data that was
encrypted using the public key.

key principles of security design

The methods of securing a network that have evolved from the experience of
many network administrators. These include defense in depth, least privilege,
minimized attack surface, and others.

L
L2F

A media-independent L2TP offered in Cisco IOS software.

Layer 2 Tunneling Protocol (L2TP)

A VPN protocol that is created by combining the PPTP and L2F tunneling protocols.
L2TP is used as the transport protocol in the Windows Server 2003 VPN service in
conjunction with IPSec.

local user account

A user account that exists only within the scope of the local computer and can
only be used to authenticate against the local computer Security Accounts
Manager (SAM) database.

living document

A written plan that attempts to predict all of the threats that could come against a
network and highlights the areas of importance. It is said to be "living" because
the threats are constantly changing and, therefore, the document must be
updated frequently.

M
MD5 hash

A type of encryption algorithm that can be used to encrypt authentication and
data. This ensures the confidentiality and integrity of a message.

member server

A server that is part of the Active Directory domain, but is not functioning as a
domain controller. Member servers might be SQL servers, Exchange servers, file
servers, print servers, and so on.

Microsoft Baseline Security Analyzer (MBSA)

A utility that can scan computers on a network and report missing security
updates and weak security configurations. MBSA can be run either from the
command line or from within the GUI.

Microsoft Management Console (MMC)

A Microsoft Windows tool used for hosting snap-in tools that are used for
administration.

Microsoft Solutions Framework (MSF)

A suite of guidelines and principles that provide models to build and deploy a
distributed network.

multiple-choice, multiple answers

A standard exam question type that requires you to choose two or more correct
answers from a given list of possibilities.

multiple-choice, single answer

A standard exam question type that requires you to choose one correct answer
from a given list of possibilities.

N
nesting Global groups

The process of placing a Global group into another Global group from the same
domain to simplify administration. This can only be accomplished if the domain is
at the Windows 2000 native mode functional level at a minimum.

Network Address Translation (NAT)

A method of conserving public IP address space by translating one public IP
address to many private IP addresses.

NTFS permissions

The security permissions assigned to users and groups for files and folders that are
contained on the computers in a network.

O
Open Systems Interconnection (OSI) reference model

A seven-layer model that has been used since the early 1980s to define the
process of communication between two computers on a network.

organizational unit (OU)

A container that provides for the logical grouping of objects within Active
Directory to ease administration and configuration tasks.

P
packet filtering

The process of examining each packet in a data stream for its source, destination,
and protocol.

password policies

A part of the account policies of a computer or a domain. Password policies control
the requirements for passwords, such as minimum length, maximum lifetime,
complexity, and so on.

permissions

A user's ability or inability to gain access to and use a resource on a computer or
on a network.

physical policies

The security policies that are enforced by implementing physical controls on the
network.

physical security

The security standards that relate to the structure of the network and the devices
that it contains.

pipe

A term used to indicate two-way communication without filters. A pipe opened by
an application can cause a security risk.

Point-to-Point Tunneling Protocol (PPTP)

A protocol that is used by Microsoft and others to create VPNs.

principle of least privilege

An administrative principle which states that users should be given only the
minimum privileges required to perform the specific set of tasks they have been
assigned.

private IP address

An IP address range reserved for private (non-Internet-connected) networks.
There are private address ranges in the Class A, Class B, and Class C address
blocks.

private key

A component of a key pair in PKI. The private key remains with the user and is
used to decrypt any messages that are encrypted with the public key.

print server

Any computer that has printer software installed and shared. Typically, this is a
server dedicated to printing or to file service and printing.

protocols

The rules and regulations as to how data and communications will be conducted
on a network or between two parties.

proxy server

A server that can make a connection to the Internet on behalf of another entity or
many other entities. Proxy servers can be used to control access to the Internet
or to specific sites on the Internet.

public data

The information about a company that is not confidential or secret. This
information should be accessible to anyone who wants to read it, but only
specified individuals should be able to change it. Public Web sites are an example
of public data.

public key

A component of a key pair in PKI. The public key is used to identify the user and
to encrypt messages so that only the user can decrypt them.

Public Key Infrastructure (PKI)

A system that includes servers, clients, and software and allows a user to be
uniquely recognized and authenticated to gain access to resources on a network
or on multiple networks.

Public Switched Telephone Network (PSTN)

The normal telephone lines that are generally used for voice communications
throughout the world.

R
registered IP address

Any block of addresses registered with the Internet Assigned Numbers Authority
(IANA).

Remote Authentication Dial-In User Service (RADIUS)

An industry-standard security protocol that is used to authenticate client
connections.

remote access policies

The combinations of attributes that can be configured on a remote access server.
These attributes must be met for a user to successfully create and maintain a
connection to a remote access server.

remote access server

A server that is dedicated to providing and controlling access to dial-up and VPN
connections to a network.

Remote Assistance

A new tool in Windows Server 2003 and in Windows XP clients that allows an
administrator to connect to and configure a user's computer, including
downloading and uploading files.

Remote Desktop Administration

A Remote Desktop Protocol-based service that allows administrators to remotely
connect to and administer Windows XP and Windows Server 2003 computers.
Remote Desktop Administration replaces Terminal Services Administration mode
in Windows 2000.

Remote Desktop Connection

A new MMC snap-in tool in Windows Server 2003, based on the Remote Desktop
Protocol, that allows an administrator to securely manage multiple computers
from one remote location.

Remote Desktop Protocol (RDP)

A terminal communications protocol based on the industry standard T.120
multichannel conferencing protocol.

revoked certificate

A digital certificate that has been taken out of usage before its configured end of
lifetime. Certificates can be revoked for any number of reasons, including loss of
keys or employee termination.

rights

The ability of a user to access and use a network and/or the tools used to manage
the network.

risk assessment formula

A calculation that equals the estimated loss in the event of an attack on a
resource multiplied by a percentage that indicates the likelihood of the attack
occurring.

root CA

A certification authority that forms the top of the CA hierarchy.

S
secret data

The information upon which an organization relies for its very existence. This
could include trade secrets, formulas, recipes, source codes, and other highly
sensitive data.

secure implementation

A process whereby network engineers create the security environment that was
decided upon by the security design team.

Secure Sockets Layer (SSL)

A service that uses a PKI to secure access and secure communications to Web
sites on the Internet or on an intranet.

Security Configuration and Analysis snap-in

An MMC snap-in that is used to configure, analyze, and implement security
templates on a local computer. It can be used to create templates that are
imported into GPOs for application to larger groups of computers.

security descriptor

A unique identification for an object on a network or in a domain, such as a
Security Identifier (SID).

security design team

A group of people selected from throughout an organization who will be
responsible for creating security policies and deciding on which resources should
be secured.

security log

A log that is found in Event Viewer and that contains auditing entries.

security templates

The text files that contain settings that configure the security of the computer or
computers to which they are applied. Several preconfigured security templates
come with Windows Server 2003. You can edit and create your own custom ones
as required.

server certificate

A digital document that contains the server's public key and allows the server to
prove its identity on the network.

server roles

The functions that a server provides on a network; for example, domain
controller, remote access server, file server, DNS server, and so on.

share permissions

The permissions granted to folders on a computer to give users access to the
folders from another computer through the network.

site

A component of Active Directory that identifies a well-connected TCP/IP subnet.

smart card

A physical device that a user must possess to log on to a network.

snap-in

An administrative tool that you can add to the MMC.

sniffers

The network monitoring devices that can be used by network engineers as a
troubleshooting tool or by an attacker as a weapon to obtain information for
exploitation.

Software Update Services (SUS)

An add-on service for Windows 2000 and Windows Server 2003 networks that
provides the functionality of a Windows Update Web server on the internal
network. SUS allows you to select which available updates are authorized for
distribution to network clients, thus ensuring that only the updates you have
tested and approved are installed.

spoof

A type of attack in which the attacker tries to gain and manipulate enough
information about a network to make it appear as if he belongs there.

spool

A special section of a computer's hard drive that holds information to be printed to
a print device.

SRV records

The special records used in a DNS database to identify the most important servers
on a network, such as domain controllers and global catalog servers.

standalone CA

A certification authority that can be used with or without Active Directory.
Certificate requests are set to pending until an administrator approves the
request.

stateful inspection

A process whereby a firewall holds a connection open while examining a packet
for its source address, destination address, and port number.

stub zone

A new DNS zone type in Windows Server 2003 that contains only the required
resource records that are needed to identify the authoritative DNS servers for
another zone.

subordinate CA

Typically, the lowest level in a certification authority hierarchy. Subordinate CAs
issue certificates directly to users and network hosts.

system access control list (SACL)

A security setting list on every object in Active Directory that controls the
system's ability to audit user and computer access to that object.

Systems Management Server (SMS)

A Microsoft software tool used to gather information about a network and make
configuration changes to servers and clients. SMS is often used in large enterprise
networks.

Sysvol

A shared folder on an NTFS partition on every Active Directory domain controller
that contains information (scripts, Group Policy information, and so on) that is
replicated to other domain controllers in the domain. The Sysvol folder is created
during the installation of Active Directory.

T
technical policies

The security policies that can be enforced by the operating system and the
applications that are installed.

Telnet

An inherent protocol in the TCP/IP suite. Telnet uses port 23/tcp to provide limited
command-line functionality to configure and manage servers. Passwords are sent
over the wire in clear text.

testlet (quizlet) exam format

An examination format that typically consists of 10 or more questions of varying
types as well as a significant amount of background material that must be read
and understood to successfully answer the questions. The testlet format is also
known as the quizlet or case study format.

threats

The possible attackers or attacks that could lessen or destroy the productivity of a
network or a network resource. Threats can also be caused by misconfigured
security settings or inherent security weaknesses.

ticket-granting tickets (TGTs)

The tokens used with Kerberos authentication to give a user controlled access to
resources in multiple domains.

Transmission Control Protocol/Internet Protocol (TCP/IP)

The suite of communications protocols used to connect hosts on the Internet.

transport mode

The usage of IPSec not in a tunnel (with two configured endpoints). Commonly
used on a private network between two hosts.

trusts

The logical connections between domains and forests over which permissions can
be assigned for the use of the resources contained in each domain or forest.

tunnel mode

The usage of IPSec in a mode in which two endpoints have been configured to
create a tunnel, such as when a VPN tunnel is created.

U
Universal group

A Windows 2003 security group that can be used anywhere within a domain tree
or forest. Universal groups can only be used when a domain is in Windows 2000
native mode functional level or higher.

Universal group caching

A feature that can be used after a domain has been raised to the Windows 2003
functional level that allows users in Universal groups to log on without the
presence of a GC server.

Universal Naming Convention (UNC)

A naming convention that is used to define a resource on a Windows Server 2003
server network. A share named DOCS on the server SERVER1 could be accessed
using the UNC path of \\SERVER1\DOCS.

V
virtual private network(ing) (VPN)

A mechanism for providing secure, private communications, utilizing a public
network (such as the Internet) as the transport method. VPNs use a combination
of encryption and authentication technologies to ensure data integrity and
security.

volume shadow copy

A new feature in Windows Server 2003 that provides two distinctly different
functions. The first function allows the Windows Backup utility (or ntbackup from
the command line) to back up open files as if they were closed. The second
function provides a means to create and store up to 64 historical versions of files
located within a network share. Users can be trained to easily revert to a previous
version of a file.

W
warm site

An alternate location that is part of a disaster recovery plan and consists of a
building that has the correct power requirements and connectivity requirements to
support the servers and network components that are critical for the business's
continued operation. In the event of a disaster, such as a tornado or flood, the
servers can be quickly moved to the warm site.

Windows 2000 mixed mode functional level

This functional level allows Windows NT 4.0 domain controllers, Windows 2000
domain controllers, and Windows Server 2003 domain controllers to exist and
function within a Windows 2003 domain. This is the default setting when Active
Directory is installed. Some advanced services are not available in this functional
level.

Windows 2000 native mode functional level

This functional level allows Windows 2000 domain controllers and Windows Server
2003 domain controllers to exist and function in a Windows 2003 domain.
Windows NT 4.0 domain controllers cannot be used in this functional level. An
administrator explicitly puts Active Directory into native mode, at which time it
cannot be returned to mixed mode without removing and reinstalling Active
Directory.

Windows 2003 functional level

The highest functional level of either the domain or forest in Windows Server
2003. Only Windows Server 2003 domain controllers can be used. This functional
level implements all of the new features of Windows 2003 Active Directory.

Windows Installer

The MSIEXEC.EXE service that manages the installation of software on computers.

wire tap

A method of obtaining information from a network by listening to the
electromagnetic signals in the cables of the network. Fiber-optic cables are much
more difficult to tap.

wireless LAN (WLAN)

A local area network that uses one of the 802.11 standards, such as 802.11b or
802.11a.

workgroup

A grouping of computers and resources that uses a decentralized authentication
and management system.

Z
zone

A namespace for which a DNS server is authoritative.

zone transfer

The process of copying DNS resource records from a primary zone to a secondary
zone.
