Home > Articles > Microsoft > MCSE

Like this article? We recommend Exam Objectives

Exam Objectives

This exam is broken up into five different categories. We will look at what you have to know in each category to pass the exam.

Creating the Conceptual Design for Network Infrastructure Security by Gathering and Analyzing Business and Technical Requirements

  • Analyze business requirements for designing security. Considerations include existing policies and procedures, sensitivity of data, cost, legal requirements, end-user impact, interoperability, maintainability, scalability, and risk.
    • Analyze existing security policies and procedures.
    • You should be familiar with the policies and procedure of your company. Many businesses do not allow users to plug personally owned computers into the corporate network. Some do not allow flash drives, installing software, or even access to CD/DVD drives.
    • Analyze the organizational requirements for securing data.
    • Be aware of the purpose and sensitivity of the data, the impact of errors in the data and how much you trust third party sources that may have access to your data.
    • Analyze the security requirements of different types of data.
    • There are different classifications of data. Some data may be sensitive while other is classified. Classified data may compromise trade secrets or put your customers at risk. Securing data may include encryption.
    • Analyze risks to security within the current IT administration structure and security practices.
    • Most people in administration don’t realize all the tools you have at your disposal that allow you to secure data. You may have to work with the Human Resource department to help them understand how personnel data can be secure in a network environment.
  • Design a framework for designing and implementing security. The framework should include prevention, detection, isolation, and recovery.
    • Predict threats to your network from internal and external sources.
    • It is not allows hackers that pose a threat to your network. Careless network practices can cause as much damage as a hacker. Some of the worst problems can come from internal sources. You need to be able to identify and rate threats.
    • Design a process for responding to incidents.
    • If a breach of security happens on your watch, you need to have a plan in place to minimize and contain the risk.
    • Design segmented networks.
    • Firewall, routers and switches segment your network and limit the flow of data. The three types of segmented networks are: Bastion Host, Screen Host Gateway, and Screen Subnet Gateway.
    • Design a process for recovering services.
    • You should document your plan for recovering from a security incident. In order to minimize damage, you should make sure you have a good backup of your data as well as using redundant technologies such as load balancing and clustering. After the incident, you need to document what went wrong and then modify your procedure to prevent future incidents.
  • Analyze technical constraints when designing security.
    • Identify capabilities of the existing infrastructure.
    • It is possible that you are not employing a technology that can help your network security such as VLANs.
    • Identify technology limitations.
    • If you are using outdated technology, you may have to upgrade in order to prevent future incidents. In addition, technology cannot prevent incidents that are a result of social network where users are careless and don’t follow procedures.
    • Analyze interoperability constraints.

Creating the Logical Design for Network Infrastructure Security

  • Design a public key infrastructure (PKI) that uses Certificate Services.
    • Design a certification authority (CA) hierarchy implementation. Types include geographical, organizational, and trusted.
    • There are four types of certificates supported by Windows 2003: Enterprise Root, Standalone Root, Enterprise Subordinate and Standalone Subordinate.
    • Design enrollment and distribution processes.
    • Required certificates must be distributed to users by use of Autoenrollment, manual enrollment, Web page or by using the Certreq.exe command.
    • Establish renewal, revocation and auditing processes.
    • All certificates have an expiration date and must have a process for renewing. If a certificate has been compromised, it will be necessary to revoke the certificate. To audit certificates, you must enable auditing of object class and then choose the type of events you wish to audit.
    • Design security for CA servers.
    • If a server, acting as a certificate authority, is compromised, it invalidates all certificates issued by that server. It is important to decide which individuals have access to the certificate server. The roles that an individual can have on a CA server are CA Administrator, Certificate Manager, Auditor and Backup Operator.
  • Design a logical authentication strategy.
    • Design certificate distribution.
    • Group Policy can be used to distribute certificates.
    • Design forest and domain trust models.
    • External trusts, Forest trusts, and Shortcut trusts are the types of trusts that can be setup in a forest. You must be careful how you setup trust relationships as they can carry risks.
    • Design security that meets interoperability requirements.
    • Your authentication strategy needs to take into account the different types of operating systems you may have on your network.
    • Establish account and password requirements for security.
    • If you are still using passwords instead of Smart Cards or biometric technology, it is important to make sure the passwords are complex. Your password policy should include uppercase, lowercase, numbers, special characters and be sufficiently long. Users should be forced to change passwords frequently and no user should have the, “Password Never Expires” checked. That option is normally used for service accounts.
  • Design security for network management.
    • Design the administration of servers by using common administration tools. Tools include Microsoft Management Console (MMC), Terminal Server, Remote Desktop for Administration, Remote Assistance, and Telnet.
    • There are several practices that should be used in regards to administration of servers. An administrator should not stay logged on using his administrative account. The RunAs is an option that can be used. Remote Desktop Administration should be used instead of Terminal Server on Windows 2003 networks. Only delegate the rights necessary for the user to perform their job.
    • Design security for Emergency Management Services.
    • Emergency Management Services allows an administrator to restart a server that is not responding, view stop errors, view POST messages. It also includes a command line tool called Special Administration Console, which can be used to perform administrative tasks.
    • Manage the risk of managing networks.
    • With every network, there are threats and risks. It is up to the administrator to weigh the threats and risks and take appropriate measure to secure the network.
  • Design a security update infrastructure.
    • Design a strategy for identifying computers that are not at the current patch level.
    • Microsoft released patches and hotfixes on a regular basis. On occasion, they release a service pack that combines many previous patches and hotfixes. All computers on your network need to be up-to-date with the latest patches in order to be safe from the latest threats.
    • Design a Software Update Services (SUS) infrastructure.
    • Windows Server Update Service (WSUS) allows you to distribute and manage patches from a single location.
    • Design Group Policy to deploy software updates.
    • Group Policy can be used to deploy software updates. You can use this to specify which local servers will act as the WSUS server.

Creating the Physical Design for Network Infrastructure Security

  • Design network infrastructure security.
    • Specify the required protocols for a firewall configuration.
    • By default, a firewall blocks all traffic. You must decide what type of traffic will be allowed into your network.
    • Design IP filtering.
    • TCP/IP filtering limits access to your server based on TCP/UDP ports.
    • Design an IPSec policy.
    • Customized IPSec policies can be created, but Group Policy provides for some default policies that can be used. There can only be one IPSec policy assign per GPO.
    • Secure a DNS implementation.
    • If your DNS is compromised, a hacker could redirect all traffic and give the hacker access to your data. To secure DNS on your network, you should Restrict Zone Transfers, Encrypt Replication Traffic, and keep your DNS servers physically secured.
    • Design security for data transmission.
    • Use IPSec for VLAN traffic, SSL for Web server traffic and PPTP in conjunction with L2TP to create a secure tunnel for data transmitted over the Internet.
  • Design security for wireless networks.
    • Design public and private wireless LANs.
    • Wireless networks can be some of the most vulnerable. If network data is going to travel wirelessly, be sure to encrypt using WEP, WAP or some other encryption method.
  • Design user authentication for Internet Information Services (IIS).
    • Design user authentication for a Web site by using certificates.
    • Design user authentication for a Web site by using IIS authentication.
    • Users can access Web sites using Anonymous access, Integrated Windows Authentication, Digest 5, Basic Authentication and .NET Passport Authentication.
    • Design user authentication for a Web site by using RADIUS for IIS authentication.
    • Remote Access Dial-in Users Service (RADIUS) can be used to authenticate users.
  • Design security for Internet Information Services (IIS).
    • Design security for Web sites that have different technical requirements by enabling only the minimum required services.
    • Since your Web server is your Internet presence, it resides on the outside of your firewall and can be a target for hackers. Be sure to disable all services that are not needed so they cannot be used to exploit your network.
    • Design a monitoring strategy for IIS.
    • Logging is a key component for your IIS server monitoring strategy. There are several logging formats that can be used.
    • Design an IIS baseline that is based on business requirements.
    • As with any server, you can set a baseline that is based upon normal traffic over a period of time. If the snapshot for your baseline is too short, you will not get an accurate picture.
    • Design a content management strategy for updating an IIS server.
    • There are many ways to update Web content; FTP, Front Page Extensions, DreamWeaver and File Sharing.
  • Design security for communication between networks.
    • Select protocols for VPN access.
    • Point-to-point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol over IPSec (L2TP/IPSEC), IPSec Tunnel Mode are the three protocols used by VPN.
    • Design VPN connectivity.
    • VPN allows a user to connect to the work network via a tunnel through the Internet. You must have a VPN server to authenticate those users. Some firewalls have VPN built in to them.
    • Design demand-dial routing between internal networks.
    • With Demand-dial routing, a server will dial out to the ISP or to a modem in a remote office. Once the connection is made, data can be exchanged between two networks.
  • Design security for communication with external organizations.
    • Design an extranet infrastructure.
    • An extranet is a computer network that allows controlled access from the outside, for specific business or educational purposes. You can communicate with extranets using VPN, or Web Applications using SSL.
    • Design a strategy for cross-certification of Certificate Services.
    • Cross-certification is when two or more organizations trust each other’s certifications.
  • Design security for servers that have specific roles. Roles include domain controller, network infrastructure server, file server, IIS server, terminal server, and POP3 mail server.
    • Define a baseline security template for all systems.
    • A security template is an .ini file containing hundreds of possible settings that can control a single or multiple computers. The security templates can control areas such as user rights, permissions, and password policies. Security templates can be deployed centrally using Group Policy object
    • Create a plan to modify baseline security templates according to role.
    • To design security by server role, you must identify the roles-or services that the server performs and define the security for the server role. Then you can tweak existing security templates to meet your needs.

Designing an Access Control Strategy for Data

  • Design an access control strategy for directory services.
    • Create a delegation strategy.

    Depending on the size of your organization, you may have several administrators. Delegation of control should always as strict as possible while still allowing the user to perform their job.

    • Design the appropriate group strategy for accessing resources.

    You should always assign permissions to resources based on groups instead of individuals.

    • Design a permission structure for directory service objects.
  • You should always assign permissions to objects based on groups instead of individuals.

  • Design an access control strategy for files and folders.
    • Design a strategy for the encryption and decryption of files and folders.

    Electronic File Encryption (EFS) should be used for encrypting files and folders. If you encrypt a folder, all the files created in that folder will be encrypted. EFS does not encrypt data that is transmitted across your network.

    • Design a permission structure for files and folders.

    There are two type of permission; NTFS and Share. The most restrictive of the combined permissions will be used. For instance, if a user has Read share permissions to a folder called Temp and Full Control to a file inside the folder, the user’s effective permission is Read.

    • Design security for a backup and recovery strategy.

    Since your backup data contains copies of all your company’s information, it is essential to secure your backups as well as your live data. Your backup media should be properly stored and labeled; preferably in an offsite location. As with any backup procedure, you must test the restore to ensure the integrity of the data.

    • Analyze auditing requirements.

    Some data, whether live or on a backup drive, must be kept a certain amount of time. You must ensure that you store your data according to your company’s requirements.

  • Design an access control strategy for the registry.
    • Design a permission structure for registry objects.

    The registry of a computer contains all of its vital settings. If the registry is compromised, an intruder can modify, delete or add registry entries that could do enormous damage. Each item in the registry can be secured with permissions; much the same as a data file or folder.

    • Analyze auditing requirements.

    Using Group Policy, you can design an auditing policy so items can be written to the Event Viewer’s Security Log.

Creating the Physical Design for Client Infrastructure Security

  • Design a client authentication strategy.
    • Analyze authentication requirements.

    In a modern office, you have not only PCs, but laptops, VPN clients, wireless clients and servers. You must take all of these into consideration when developing an authentication strategy. RADIUS, biometric, smartcard and passwords are some of the authentication methods.

    • Establish account and password security requirements.
  • User accounts and passwords are authentication methods that are most widely used. You should make sure that your passwords are complex and changed frequently. It is not a good practice to set any user password to never expire.

  • Design a security strategy for client remote access.
  • Design remote access policies.
  • Design access to internal resources.
  • Design an authentication provider and accounting strategy for remote network access by using Internet Authentication Service (IAS).
  • Design a strategy for securing client computers. Considerations include desktop and portable computers.
    • Design a strategy for hardening client operating systems.

    There are many ways using Group Policy to harden your operating system. Account policies such as, Do Not Show Last Login can be used. You can also specify which applications can run on your systems.

    • Design a strategy for restricting user access to operating system features.

    You can choose to prevent users from installing software, accessing flash drives, installing printers or using the CD-ROM. You can also place users in default groups that will limit their access privileges.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020