

Exam Objectives

This exam is broken up into four different categories. We will look at what you have to know in each category to pass the exam.

Implementing, Managing, and Troubleshooting Security Policies

  • Plan security templates based on computer role. Computer roles include SQL Server computer, Microsoft Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server.
  • Configure security templates.
  • There are many predefined security templates available to you in Windows 2003. You can define Account Policies, Local Policies, Event Log, Restricted Groups, Registry, and File System settings using these templates.

    • Configure registry and file system permissions.
    • Permissions can be set for individual registry keys and file system objects. You can also choose to have new permissions propagate to all subfolders and files.

    • Configure account policies.
    • You can modify account policies at the OU level. Maximum password age, minimum password length, and password complexity are some of the items you can change in account policies.

    • Configure .pol files.
    • On pre-Windows 2000 computers, you used the System Policy Editor to make changes to the NTconfig.pol.

    • Configure audit policies.
    • The types of events you can audit are: Account Logon, Account Management, Object Access, Logon Events, Policy Change, and System Events.

    • Configure user rights assignment.
    • User Rights can be defined under Local Policies. This controls the rights that a user has to their computer.

    • Configure security options.
    • The Security Options define policies such as how much access a user has to their drives, driver installation, and digital encryption and signing.

    • Configure system services.
    • You can set system services to Automatic, Manual, or Disabled. You should always disable services that are not needed on a server, both to save resources and to remove the service as a possible target for exploitation.

    • Configure restricted groups.
    • You can define who belongs in a restricted group in the Restricted Groups subnode.

    • Configure event logs.
    • Event logs should be checked daily and retained for a period of time determined by your organization's policies. You can set the Maximum Log Size, the Retention Method, and who is allowed to view the log files.

  • Deploy security templates.
    • Deploy security templates by using command-line tools and scripting.
    • The Secedit command allows you to analyze and configure your system security from a command line.
    • Plan the deployment of security templates.
    • Deploy security templates by using Active Directory-based Group Policy objects (GPOs).
    • Group Policy is used to deploy security settings throughout your organization’s Active Directory structure.

  • Troubleshoot security template problems.
    • Troubleshoot security templates in a mixed operating system environment.
    • If you are still running Windows NT 4.0 or Windows 2000, applying Windows 2003 security templates in these environments can have unpredictable results.
    • Troubleshoot security policy inheritance.
    • Group policies are applied in the following order: local, site, domain, OU, and sub OU.

    • Troubleshoot removal of security template settings.
    • Changes to security templates do not always take effect instantly. You may have to have the user log off and back on before a change takes effect, or force a Group Policy update by using the gpupdate /force command.
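An added example (not from the article) of the Secedit deployment and gpupdate steps above as one batch file: it analyzes the computer against the predefined hisecws.inf template, applies selected areas, exports the effective settings, and forces a Group Policy refresh. The C:\Secedit working folder and the choice of template are assumptions.

```batch
@echo off
REM Added example, not from the article. Assumed: C:\Secedit exists and the
REM predefined hisecws.inf template from Windows Server 2003 is the target baseline.
set TEMPLATE=%SystemRoot%\security\templates\hisecws.inf
set DB=C:\Secedit\hisecws.sdb
set LOGDIR=C:\Secedit

REM 1. Analyze first: compare current settings with the template without changing anything.
REM    The log lists each setting as a Mismatch or as Not Configured.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOGDIR%\analyze.log" /quiet
findstr /i "mismatch" "%LOGDIR%\analyze.log"

REM 2. Apply only the areas that have been reviewed (account/local policy,
REM    user rights and system services); registry and file ACLs are left alone here.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /areas SECURITYPOLICY USER_RIGHTS SERVICES /log "%LOGDIR%\configure.log" /quiet
if errorlevel 1 (
    echo secedit reported an error; see %LOGDIR%\configure.log
    exit /b 1
)

REM 3. Export the effective local configuration so it can be compared with the template later.
secedit /export /cfg "%LOGDIR%\effective.inf"

REM 4. Force a Group Policy refresh: a domain GPO can override the local template
REM    at the next refresh, so check the result after this step, not before it.
gpupdate /force
```

Run the analyze step on its own first on a mixed NT 4.0/2000/2003 environment, because a template setting that the older platform does not understand shows up there before anything is changed.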

  • Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.
    • Plan and configure security settings.
    • In your organization, you may have several different types of servers performing any number of roles. If you set security settings incorrectly, you may not be able to reach needed services.

    • Plan network zones for computer roles.
    • The four network zones are Restricted Sites, Internet, Local Intranet, and Trusted Sites.

    • Plan and configure software restriction policies.
    • The Group Policy Object Editor allows you to specify four different policy rules: Certificate Rule, Hash Rule, Internet Zone Rule and Path Rule.

    • Plan and configure auditing and logging for a computer role. Considerations include Windows Events, Internet Information Services (IIS), firewall log files, Netlog, and RAS log files.
    • By studying your log files, you can learn to identify abnormal behavior. It is important that you have a baseline from which to compare current log events. There are many different log files, but mainly you need to be concerned with the log files you find in Event Viewer.

    • Analyze security configuration. Tools include Microsoft Baseline Security Analyzer (MBSA), the MBSA command-line tool, and Security Configuration and Analysis.
    • The Microsoft Baseline Security Analyzer checks to make sure that your computers have all the critical updates and patches installed. To run MBSA from the command line, use MBSAcli.exe.

Implementing, Managing, and Troubleshooting Patch Management Infrastructure

  • Plan the deployment of service packs and hotfixes.
  • A patch or hotfix normally deals with a specific issue, and Microsoft issues them continually. A service pack is a cumulative collection of many patches and updates and may contain additional features.

    • Evaluate the applicability of service packs and hotfixes.
    • It may not be necessary to install all patches because some may not apply to your computers. Patches are given different levels: Critical, Important, Moderate and Low.

    • Test the compatibility of service packs and hotfixes for existing applications.
    • Many times a patch will break an application and cause it not to function properly. You should always have a pre-deployment or pilot group of computers on which you can test patches before deploying them to your entire network.

    • Plan patch deployment environments for both the pilot and production phases.
    • Once you have deployed patches to your pilot group, make sure that all applications function normally. It may be that you have to exclude certain updates for specific computers.

    • Plan the batch deployment of multiple hotfixes.
    • Qtool.exe is a command line utility that allows you to install multiple patches without having to reboot the computers between installations.

    • Plan rollback strategy.
    • In the event that the computers in your pilot group pass the test but production computers do not, you need some mechanism to remove patches after they have been deployed. These mechanisms can include Add/Remove Programs, System Restore, Group Policy, or a custom-written script.

  • Assess the current status of service packs and hotfixes. Tools include MBSA and the MBSA command-line tool.
  • The MBSA command-line tool can help you determine whether you are missing critical updates. It can even scan remote networks, provided you have opened the proper ports on the firewall.

    • Assess current patch levels by using the MBSA command-line tool with scripted solutions.
    • It is possible to use a batch file or scripting code to run the MBSA tool. This script can then be scheduled to run using the Task Scheduler.
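An added example (not from the article) of the scripted MBSA assessment described above: a batch file that runs mbsacli.exe against one server, reports only missing security updates, and lists the resulting report. The MBSA install path, the CONTOSO\WEB01 target and the report name are assumptions.

```batch
@echo off
REM Added example, not from the article. Assumed: MBSA 1.2 is installed in its
REM default folder, the account running this script is an administrator on the
REM target, and the target allows the RPC/SMB traffic MBSA needs through any firewall.
set MBSA="C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe"
set TARGET=CONTOSO\WEB01

REM /c  scans a single computer by domain\name.
REM /n  lists the checks to SKIP; leaving out OS, IIS, SQL and Password checks
REM     means the report contains only the missing security updates.
REM /o  names the report. In a batch file each % must be doubled, so %%T%%
REM     reaches mbsacli as its own %T% timestamp token.
%MBSA% /c %TARGET% /n OS+IIS+SQL+Password /o "WEB01 (%%T%%)"
if errorlevel 1 (
    echo MBSA scan of %TARGET% failed; check connectivity and credentials
    exit /b 1
)

REM /ls lists the reports produced by the latest scan; /ld shows one in detail.
%MBSA% /ls
```

Schedule it once with schtasks /create /tn "MBSA update scan" /tr C:\Scripts\mbsa-scan.cmd /sc daily /st 02:00 /ru CONTOSO\svc-mbsa /rp * (path and account assumed), using an account that has administrative rights on the scanned computers rather than the local SYSTEM account, which has no network credentials.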

  • Deploy service packs and hotfixes.
  • Deploy service packs and hotfixes on new servers and client computers. Considerations include slipstreaming, custom scripts, and isolated installation or test networks.

    There are several methods for deploying patches. Even though installing patches manually may seem old hat, it may sometimes be necessary if your automated method is not working. Installing manually without silent switches lets you see how the update installed and what may be causing problems. You can also use Group Policy, scripting, SUS, or SMS to install updates, and you can build updates into your initial operating system deployment using slipstreaming.

Implementing, Managing, and Troubleshooting Security for Network Communications

  • Plan IPSec deployment.
    • Decide which IPSec mode to use.
    • Transport mode secures the traffic between two computers on the same network, while Tunnel mode secures traffic between two computers on different networks.

    • Plan authentication methods for IPSec.
    • IPSec supports Kerberos, Certificates, and Preshared Keys. Kerberos is used for authentication in a Windows network. Certificates are used when the connection involves Internet access. Preshared Keys are a plain-text character string and should not be used if possible.

    • Test the functionality of existing applications and services.
    • Similar to patches, you need to test your IPSec implementation to make sure it does not break any applications.

  • Configure IPSec policies to secure communication between networks and hosts.
  • Hosts include domain controllers, Internet Web servers, databases, e-mail servers, and client computers.
    • Configure IPSec authentication.

    The three default IPSec policies are Secure Server, Server and Client.

    • Configure appropriate encryption levels.

    Considerations include the selection of perfect forward secrecy (PFS) and key lifetimes.

    IPSec can use SHA1 or MD5 as its hashing (integrity) algorithm and DES or 3DES as its encryption algorithm. Perfect forward secrecy (PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised.

    • Configure the appropriate IPSec protocol. Protocols include Authentication Header (AH) and Encapsulating Security Payload (ESP).

    Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets but does not encrypt data. Encapsulating Security Payload (ESP) provides confidentiality through encryption, as well as data origin authentication and connectionless integrity.

    • Configure IPSec inbound and outbound filters and filter actions.

    Filters are the most important part of the IPSec policy for a computer that IPSec protects. If the filters are not applied properly, the traffic you intended to protect is not secured.

  • Deploy and manage IPSec policies.
    • Deploy IPSec policies by using Local policy objects or Group Policy objects (GPOs).

    IPSec can be configured at any level of your Active Directory structure using a Group Policy.

    • Deploy IPSec policies by using commands and scripts. Tools include IPSecPol and Netsh.

    Two command-line utilities that can be used to deploy IPSec policies are IPSecpol.exe and Netsh with the IPSec switch.
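An added example (not from the article) of deploying a policy with the Netsh IPSec context described above: it builds a local policy whose filter list matches inbound SQL Server traffic, a filter action that requires ESP with 3DES/SHA1 and PFS, and a rule that authenticates peers with Kerberos, then assigns the policy. The policy, filter list, filter action and rule names are assumptions.

```batch
@echo off
REM Added example, not from the article. Assumed names: policy SQL-Require-ESP,
REM filter list SQL-Inbound, filter action Require-ESP-3DES-SHA1, rule SQL-Rule.
setlocal
set POL=SQL-Require-ESP

REM 1. Create the policy unassigned so it can be reviewed before it takes effect.
netsh ipsec static add policy name="%POL%" description="Require ESP for inbound SQL" assign=no

REM 2. Filter list: traffic from any host to this computer's TCP port 1433.
REM    mirrored=yes also matches the reply traffic in the other direction.
netsh ipsec static add filterlist name="SQL-Inbound" description="Inbound SQL Server"
netsh ipsec static add filter filterlist="SQL-Inbound" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=1433 mirrored=yes

REM 3. Filter action: negotiate ESP with 3DES encryption and SHA1 integrity.
REM    inpass=no and soft=no refuse clear-text fallback, so a client that cannot
REM    negotiate IPSec gets no SQL connection at all; qmpfs=yes enables PFS
REM    for the session keys.
netsh ipsec static add filteraction name="Require-ESP-3DES-SHA1" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no qmpfs=yes

REM 4. Rule: tie the filter list and action together; peers authenticate with Kerberos,
REM    so this works for domain members only (use certificates across forests).
netsh ipsec static add rule name="SQL-Rule" policy="%POL%" filterlist="SQL-Inbound" filteraction="Require-ESP-3DES-SHA1" kerberos=yes

REM 5. Review the policy, then assign it. Only one local policy can be assigned at a time,
REM    and a domain GPO that assigns an IPSec policy takes precedence over the local one.
netsh ipsec static show policy name="%POL%" level=verbose
netsh ipsec static set policy name="%POL%" assign=y
endlocal
```

Verify with the IP Security Monitor snap-in that a security association is established when a domain client connects to port 1433, and that a non-domain client is refused rather than passed in clear text.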

    • Deploy IPSec certificates.

    Considerations include deployment of certificates and renewing certificates on managed and unmanaged client computers.

    Certificates are mainly used when providing security between Active Directory forests where there is no trust relationship.

  • Troubleshoot IPSec.
    • Monitor IPSec policies by using IP Security Monitor.

    IPSec can be monitored using the IP Security Monitor snap-in.

    • Configure IPSec logging. Considerations include Oakley logs and IPSec driver logging.

    IPSec logging doesn't use much space, but make sure that you have at least 10MB free. To enable Oakley logging, from a command prompt type netsh ipsec dynamic set config ikelogging 1. To enable IPSec to write to the Event Viewer logs, type netsh ipsec dynamic set config ipsecdiagnostics 7.

    • Troubleshoot IPSec across networks.

    Considerations include network address translation, port filters, protocol filters, firewalls, and routers.

    In order to troubleshoot across networks, you must make sure that IP protocol 50 (ESP), IP protocol 51 (AH), and UDP port 500 (IKE) are allowed for inbound and outbound traffic; 50 and 51 are protocol numbers, not TCP or UDP ports, so a firewall rule that only opens ports will not pass them.

    • Troubleshoot IPSec certificates. Considerations include enterprise trust policies and certificate revocation list (CRL) checking.

    A certificate fails validation only if it is explicitly listed in the CRL. By typing netsh ipsec dynamic set config strongcrlcheck value=2 from a command prompt, you can specify strong CRL checking.

  • Plan and implement security for wireless networks.
    • Plan the authentication methods for a wireless network.

    There are three types of wireless authentication methods: Open System Authentication, Shared Key Authentication, and 802.1x Authentication.

    • Plan the encryption methods for a wireless network.

    The two methods Microsoft provides for wireless encryption are Wired Equivalent Privacy (WEP) and 802.1x.

    • Plan wireless access policies.

    Use the Wireless Network Policy Wizard to create a wireless policy.

    • Configure wireless encryption.

    After configuring your wireless network policy, you can set the policy to use WEP or IEEE 802.1x encryption.

    • Install and configure wireless support for client computers.

    Windows 2003 and Windows XP support Wireless Zero Configuration, which causes them to connect to wireless networks automatically.

    Wireless Zero Configuration scans for all available wireless access points and configures them automatically. IEEE 802.1x encryption must be configured manually.

  • Deploy, manage, and configure SSL certificates, including uses for HTTPS, LDAPS, and wireless networks. Considerations include renewing certificates and obtaining self-issued certificates instead of publicly issued certificates.
    • Obtain self-issued certificates and publicly issued certificates.

    Using your Web server, you can get an SSL certificate from an external CA or from a self-issued CA.

    • Install certificates for SSL.

    An SSL certificate is an encoded text file that your Web server can understand. You should make a backup of your existing certificates before installing new ones.

    • Renew certificates.

    Certificates can be renewed by choosing Renew when running the Web server's certificate wizard.

    • Configure SSL to secure communication channels.

    Communication channels include client computer to Web server, Web server to SQL Server computer, client computer to Active Directory domain controller, and e-mail server to client computer.

  • Configure security for remote access users.
    • Configure authentication for secure remote access.

    Authentication types include PAP, CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5, EAP-TLS, and multifactor authentication that combines smart cards and EAP.

    • Configure and troubleshoot virtual private network (VPN) protocols.

    Considerations include Internet service provider (ISP), client operating system, network address translation devices, Routing and Remote Access servers, and firewall servers.

    • Manage client configuration for remote access security.

    Tools include remote access policy and the Connection Manager Administration Kit.

Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI

  • Plan and configure authentication.
    • Plan, configure, and troubleshoot trust relationships.

    A trust relationship allows users in one domain to access resources in another domain. All domains in the same forest trust each other by default. You can configure a new trust by running the New Trust Wizard.

    • Plan and configure authentication protocols.

    Kerberos is the default authentication protocol used by Windows 2003.

    • Plan and configure multifactor authentication.

    Using more than one form of authentication helps to secure your network. Usernames and passwords alone are more easily broken.

    • Plan and configure authentication for Web users.

    Anonymous Access, Basic, and Digest are the three authentication methods used by IIS for Web authentication.

  • Plan group structure.
    • Decide which types of groups to use.

    Security groups are used for assigning rights or permissions to resources in Active Directory. Distribution groups are used for email distribution lists.

    • Plan security group scope.

    Universal, Global, and Domain Local are the three security group scopes.

    • Plan nested group structure.

    Nesting is when you add a group as a member of another group. While this can in some cases simplify permissions, it can also get confusing if you nest too deeply.

  • Plan and configure authorization.
    • Configure access control lists (ACLs).

    Access Control Lists set the permissions that a user has over an object. You can set these using the Security Tab in an object’s Properties or from a command prompt using Cacls.exe.

    • Plan and troubleshoot the assignment of user rights.

    If a user cannot gain access to an object or resource, it is necessary to determine which groups that user belongs to and how those groups may be nested. Also remember that both NTFS permissions and share permissions must be considered, and the more restrictive of the two applies.

    • Plan requirements for digital signatures.

    A digital signature assures you that the user who sent a document is truly that user. Digital signatures are not responsible for data encryption.

  • Install, manage, and configure Certificate Services.
    • Install and configure root, intermediate, and issuing certification authorities (CAs). Considerations include renewals and hierarchy.
    • Configure certificate templates.

    Certificate templates can be configured and managed using the Certificate Templates MMC snap-in, Certtmpl.msc.

    • Configure, manage, and troubleshoot the publication of certificate revocation lists (CRLs).

    If a certificate becomes compromised, you can revoke it using the Certificate Authority snap-in.

    • Configure archival and recovery of keys.

    You should archive your keys in case they need to be recovered. Certutil.exe can perform the key recovery.

    • Deploy and revoke certificates to users, computers, and CAs.
    • Back up and restore the CA.

    You can back up your certificates using the Certification Authority snap-in or by backing up the System State data.
