As with any exam, it will vary from person to person what is deemed to be difficult. Some of the common trouble spots include NTFS and share permissions, password policy, VLANS, VPN, server updates, hardware vs. software firewall, threat and risk, social engineering. Each of these topics is outlined below.
NTFS and Share Permissions
There are two levels of security you must be familiar with: Share and NTFS. The Share permissions that let you protect your resources are Read, Change, Full Control, and No Access. NTFS permissions are List, No Access, Change, Add, and Read and Add. Share permissions can only apply to the subdirectory level, but NTFS permissions are applied to the file level and are in affect whether the user is logged on locally or across a network. When NTFS and shared folder permissions are combined, the most restrictive set of permissions takes precedence. When logging on locally, a user's level of access for a folder is determined by his least restrictive level of access. The least restrictive level would be the level of permission a user has for accessing an NTFS folder locally. When No Access permission is combined with any other permission, an access level of No Access is always the result. Only drives formatted as NTFS will have the Permissions tab.
Hidden shares are created by using a $ at the end of the share name. They can only be accessed using the share name$. This is a good idea if you have special software that you want to limit access to, but do not feel that using NTFS permissions is the best way to accomplish this. If you have created a hidden share, you would access it by typing \\servername\hiddensharename$ from the Start/Run prompt. You can also right click on My Computer and Map a Drive to a hidden share.
Administrative shares are shares created by the system on Windows Workstations and Servers and cannot be changed without a registry edit.
There is an administrative share on each drive letter. To access an administrative share, from the Start/Run command, type \\servername\drive letter$. Accessing a server via administrative shares allows you to delete, copy, or move files or folders and to create files or folders. You can also administer NTFS permission, but not share permissions. A good use of this is to open an administrative share in one window and create a folder. Then go to My Computer and copy files between the server and workstation. You can also right click on My Computer and Map a Drive to an administrative share.
Passwords have become much more complex since users started logging in. You must determine how you will setup the password requirements in your organization. You can set your password length, prevent users from changing their passwords, make a password never expire, require a password to have upper and lower case, require it to have a numeral, and require it to have special characters. You can control your password policy using a Group Policy.
Virtual Local Area Networks (VLANS)
A VLAN is a network that does not exist physically. It is a way of using your existing infrastructure to create two different networks over the same Local Area Network (LAN). By doing this, you keep traffic from one network separate from the other network. Most VLANs are created on a switch, which keeps track of the traffic and of the network on which it transverses by placing some type of a VLAN tag on the packets. A router is used to allow two different networks or VLANS to communicate.
Virtual Private Network (VPN)
A Virtual Private Network (VPN) is used to connect two private networks across the Internet. You must have a VPN server to authenticate users connecting via VPN. Some firewalls have VPN built in to them.
Keeping your servers up to date with the latest patches, hotfixes and service packs from Microsoft is vital. You can do this manually, but if you have many servers in an enterprise network, it would be too time consuming. Microsoft offers a solution in their Windows Server Update Service (WSUS). Loading WSUS on a server allows it to be a central point of contact for Microsoft updates. This server would receive the updates and then distribute them across your network to the other servers you have specified.
Hardware vs. Software Firewall
Every broadband internet connections should be protected with a firewall. A hardware firewall is an actual device that resided on your network such as a switch or router that you use to permit or deny traffic in or out of your network. Hardware firewalls are more robust, but cost more than software firewalls. A hardware firewall controls traffic at the packet and port level and are not concerned with applications. A software firewall is a piece of software that is usually installed on a PC that is used to permit or deny network traffic. Depending on the number of PCs you have, it can be a cumbersome to manage.
Threat and Risk
Managing threat and risk can be a delicate balancing act. You want to keep your network safe, but keep the expense low. Since the cost of eliminating all threats is virtually impossible, you have to decide the amount of risk you are willing to take. For instance, if you wanted to remove all threat of being in a car accident, you would never travel by car. You assume a certain amount of risk each time you travel, but you help to minimize the risk of accidents by trying to follow the rules of good driving. It is the same with networking: the only way to eliminate all threats would be to turn all devices on your network off. As a network administrator, you have to determine what measures you can afford to put in place and manage, which will protect your network.
Social engineering is manipulating people instead of hacking networks to get information. Since people are usually the weakest link in a network environment, by manipulating someone into performing an action or divulging confidential information, you can easily get what you need to compromise a network. This type of corporate espionage is one of the oldest and most effect ways to infiltrate a company.