Exam Profile: MCSE: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (70-293)
This exam is broken up into six different categories. We will look at what you have to know in each category to pass the exam.
Planning and Implementing Server Roles and Server Security
- Configure security for servers that are assigned specific roles.
- Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.
- Evaluate and select the operating system to install on computers in an enterprise.
Plan a secure baseline installation. Installing service packs, anti-virus, firewalls, removing unused service are part of securing your server.
Plan a strategy to enforce system default security settings on new systems. The best way to implement security for all systems or a group of systems is to use Group Policies.
Identify client operating system default security settings. If your environment contains different client operating systems, you need to consider them all when designing the default security settings. Windows 9X operates quite differently from Windows XP.
Identify all server operating system default security settings. As with clients, you may have several different operating systems on your servers with each of them having different types of security available.
Deploy the security configuration for servers that are assigned specific roles. There are many different roles for servers such as DNS, DHCP, Domain Controller, etc. The type of security you employ will depend on the server’s role.
Create custom security templates based on server roles. Windows 2003 provides you with default security templates. You can incorporate them as is or you can modify them to meet your needs.
Identify the minimum configuration to satisfy security requirements. To make your life less complex, you should choose the minimum security requirements that meet your needs.
Planning, Implementing, and Maintaining a Network Infrastructure
- Plan a TCP/IP network infrastructure strategy.
- Plan an Internet connectivity strategy.
- Plan network traffic monitoring. Tools might include Network Monitor and System Monitor.
- Troubleshoot connectivity to the Internet.
- Troubleshoot TCP/IP addressing.
- Plan a host name resolution strategy.
- Plan a NetBIOS name resolution strategy.
- Troubleshoot host name resolution.
Analyze IP addressing requirements. There are many things to consider when deciding an IP structure, including the number of hosts, the number of subnets, private vs. public.
Plan an IP routing solution. Manageable switches are almost always used instead of hubs for client computers. Routers are only needed to connect different networks. Normally you have at least one router on the edge of your network to communicate with the Internet. It is possible for some switches to be configured with virtual LANs.
Create an IP subnet scheme. Subnetting is the process of dividing the total available IP addresses for a network into subnetworks, or subnets. You may also see IP addresses and subnet masks represented in the format 188.8.131.52/28. The 28 tells you that there are 28 bits used for the subnet mask, which leave 4 bits for the hosts.
Plan the physical placement of network resources. Servers, switches and routers should always be placed in a secure area where only network administrators have access.
Identify network protocols to be used. TCP/IP is the primary protocol used on Windows network and the only protocol used on the Internet. Some other protocols are IPX/SPX used by Novell Netware and Appletalk used by Apple computers.
Once you connect your network to the Internet, your security concerns increase exponentially. You must take adequate protection such as implementing firewalls but must also train users as to the acceptable practices. If your company uses private IP addresses internally, you must use public IP addresses to access the Internet. It is possible using Network Address Translation (NAT) to hide your private network IP addresses.
Diagnose and resolve issues related to client configuration. Use the IPconfig command to ensure that your client PC has received an IP address from the DHCP server.
Diagnose and resolve issues related to Network Address Translation (NAT). You must make sure that your DHCP server is configured properly and not issuing IP addresses that conflict with your NAT.
Diagnose and resolve issues related to client computer configuration. Use the IPconfig command to ensure that your client PC has received an IP address from the DHCP server.
Diagnose and resolve issues related to DHCP server address assignment. The DHCP server’s scopes must be setup correctly in order for the clients to receive the proper IP address. In addition, the DNS and Router must be configured properly in the DHCP server.
Plan a DNS namespace design. A host file is a static file on a server or PC that contains host names and IP addresses. This method is not dynamic or efficient. The preferred method for name resolution is to use a DNS server that clients register to automatically.
Plan a forwarding configuration. If a DNS server cannot resolve a name from an IP address, it has the potential to forward that request to another DNS server for resolution.
Plan for DNS security. Active Directory must authorize any changes to DNS. Otherwise, if invalid data were entered, your users could be sent to the wrong server or site.
Plan a WINS replication strategy. WINS is being phased out by Microsoft in favor of DNS only, but it still can be used to resolve NetBIOS names.
Plan NetBIOS name resolution by using the Lmhosts file. Similar to a Host file, you can use a static Lmhosts file to resolve NetBIOS names. This file has to be managed manually and creates administrative overhead.
Diagnose and resolve issues related to DNS services. If DNS is not working properly, you will not be able to get to servers or sites. You can use the Event Viewer on your DNS server to troubleshoot problems.
Diagnose and resolve issues related to client computer configuration. Use the IPconfig command to ensure the user has a correct IP address.
Planning, Implementing, and Maintaining Routing and Remote Access
- Plan a routing strategy.
- Identify routing protocols to use in a specified environment.
- Plan routing for IP multicast traffic.
- Plan security for remote access users.
- Plan remote access policies.
- Analyze protocol security requirements.
- Plan authentication methods for remote access clients.
- Implement secure access between private networks.
- Create and implement an IPSec policy.
- Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor.
You only have to route traffic if it is on a different network or subnet, in which case you will have to install a router.
RIP version 1 and 2 and OSPF are the routing protocols with which you need to be familiar.
Multicast IP address ranges are from 184.108.40.206 to 220.127.116.11. IP addresses in these ranges are for use on internal networks and cannot be routed on the Internet.
Users may need to access the network remotely using VPN or RRAS.
A remote access policy is set to determine how users will connect remotely. You can have several different policies in place, but once one is matched, the user is connected and the other policies are ignored.
RRAS supports the TCP/IP, IPX, NetBEUI, AppleTalk protocols as well as SLIP and PPP asynchronous connections.
Remote authentication methods include the following from least secure: PAP, SPAP, CHAP, MS-CHAP, MS-CHAP v2.
IPSec is a standard protocol that Microsoft uses in conjunction with Kerberos as its default method for authentication.
In Active Directory, use Group Policy to apply IPSec policies. Client, Server and Secure Server are the three built in policies that Microsoft provides. You should modify these policies to meet your needs.
Research the above commands by typing them at a command line using the /? for help.
Planning, Implementing, and Maintaining Server Availability
- Plan services for high availability.
- Plan a high-availability solution that uses clustering services.
- Plan a high-availability solution that uses Network Load Balancing.
- Identify system bottlenecks, including memory, processor, disk, and network related bottlenecks.
- Identify system bottlenecks by using System Monitor.
- Recover from cluster node failure.
- Manage Network Load Balancing. Tools might include the Network Load Balancing Monitor Microsoft Management Console (MMC) snap-in and the WLBS cluster control utility.
- Plan a backup and recovery strategy.
- Identify appropriate backup types. Methods include full, incremental, and differential.
- Plan a backup strategy that uses Volume Shadow Copy (VSS).
High availability means not having a single point of failure. Windows Server 2003 Enterprise and Windows Server 2003 Datacenter Server support this feature.
Clustering is connecting several computers together to act as a single computer that provides high availability.
Network Load Balancing, a clustering technology included in the Microsoft Windows 2000 Advanced Server and Datacenter Server operating systems, enhances the scalability and availability of mission-critical, TCP/IP-based services, such as Web, Terminal Services, virtual private networking, and streaming media servers.
Eliminating system bottlenecks ensures your servers are operating efficiently. When choosing your hardware, always make sure you have sufficient RAM and processor power.
System Monitor is a Windows tool that can be used to identify and diagnose bottleneck problems.
In a cluster, it is possible to lose a node or the entire cluster. You can use tools such as Confdisk.exe, ClusterRecovery.exe, ASR, and System State Restore.
Any backup strategy, whether it is tape or hard disk, should be tested.
A full backup will backup all of your data. A differential backup will backup all of the data that has changed since the last full backup. An incremental backup will backup all data since the last incremental backup. An incremental backup is the quickest, but also requires more time to restore.
Shadow Copy must be enabled on the server and will keep copies of files that can be restored directly from the server. It provides a way for the end user to restore files, which can be quicker than waiting for the tech department to restore a file.
Planning and Maintaining Network Security
- Configure network protocol security.
- Configure IPSec policy settings.
- Plan for network protocol security.
- Some protocols are more vulnerable than others. For instance, FTP, Telnet and HTTP use clear text to transmit data.
- Specify the required ports and protocols for specified services.
- Port numbers that you need
to be familiar with are as follows:
- DHCP67 and 68
- Plan secure network administration methods.
- Create a plan to offer Remote Assistance to client computers.
- Plan for remote administration by using Terminal Services.
- Plan security for wireless networks.
- Plan security for data transmission.
- Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in.
Each different protocol has its own vulnerabilities which must be taken into account during implementation.
As mentioned before, Client, Server and Secure Server are the three built in policies that Microsoft provides. You should modify these policies to meet your needs.
To save time and resources, you should be able to solve as many problems as you can remotely. Tools such as Remote Desktop for Windows users and Telnet for switches and routers will help you with this.
As mentioned above, Remote Desktop allows you to assist users by controlling their desktop.
Microsoft Server Terminal Services Client (MSTSC.exe) can be used to remote into servers.
Wireless networks need to be secured using encryption such as Wired Equivalent Privacy (WEP)
Virtual Private Networks (VPN) uses PPTP and IPSec protocols for security.
Planning, Implementing, and Maintaining Security Infrastructure.
- Configure Active Directory service for certificate publication.
- Plan a public key infrastructure (PKI) that uses Certificate Services.
- Identify the appropriate type of certificate authority to support certificate issuance requirements.
- Plan the enrollment and distribution of certificates.
- Plan for the use of smart cards for authentication.
- Plan a framework for planning and implementing security.
- Plan for security monitoring.
- Plan a change and configuration management framework for security.
- Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.
Directory Access Control Lists are used to by Active Directory to approve or deny certificate requests.
PKI provides computers a secure way to communicate. It relies on digital signatures and encryption.
Windows 2003 can issue certificates or you can use a third party vendor such as Verisign.
If your Windows 2003 server is running Certificate Services, it is able to issue a certificate.
Smart cards include an actual micro processor that contains information about the user. The smart card is used in conjunction with a Personal Identification Number (PIN).
The Microsoft Solution Framework (MSF) outlines an overall process for planning and implementing security.
Each network is different and will have different requirement for security monitoring. You should be able to detect changes in common patterns and be familiar with new security threats that have developed. Microsoft Baseline Security Analyzer (MBSA) is a security tool that can be used to scan for security updates.
This includes topics such as making sure that you apply patches and upgrades, checking user, data and security settings.