
Exam Objectives

This exam is broken up into four different categories. We will look at what you have to know in each category to pass the exam.

Implementing, Managing, and Troubleshooting Security Policies

  • Plan security templates based on computer role. Computer roles include SQL Server computer, Microsoft Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server.
  • Configure security templates.
  • There are many predefined security templates available in Windows Server 2003. Using these templates you can define Account Policies, Local Policies, Event Log settings, Restricted Groups, Registry permissions, and File System permissions.

    • Configure registry and file system permissions.
    • Permissions can be set for individual registry keys and for individual files and folders. You can also choose whether new permissions propagate to all subkeys, or to all subfolders and files.

    • Configure account policies.
    • You can modify account policies at the OU level. Maximum password age, minimum password length, and password complexity are some of the items you can change in account policies.

    • Configure .pol files.
    • On pre-Windows 2000 computers, you used the System Policy Editor to make changes to the NTconfig.pol.

    • Configure audit policies.
    • The types of events you can audit are: Account Logon, Account Management, Object Access, Logon Events, Policy Change, and System Events.

    • Configure user rights assignment.
    • User Rights can be defined under Local Policies. This controls the rights that a user has to their computer.

    • Configure security options.
    • The Security Options define policies such as how much access a user has to their drives, driver installation, and digital encryption and signing.

    • Configure system services.
    • You can set system services to Automatic, Manual, or Disabled. You should always disable services that are not needed on a server, both to save resources and to remove the service as a possible avenue of exploitation.

    • Configure restricted groups.
    • You can define who belongs in a restricted group in the Restricted Groups subnode.

    • Configure event logs.
    • Event logs should be checked daily and should be retained for a specific amount of time, depending on the policies of your organization. You can determine the Maximum Log Size, the Retention Method, and who is allowed to view the log files.

  • Deploy security templates.
    • Deploy security templates by using command-line tools and scripting.
    • The Secedit command allows you to analyze and configure your system security from a command line.
    • Plan the deployment of security templates.
    • Deploy security templates by using Active Directory-based Group Policy objects (GPOs).
    • Group Policy is used to deploy security settings throughout your organization’s Active Directory structure.
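To make the template-plus-Secedit workflow concrete, here is an added PowerShell example (not code from the article, Microsoft, or the exam). It writes a constructed hardening template covering account policy, audit policy, a user right, and a disabled service, runs secedit /analyze against the local server, and lists the differences before anything is changed. The paths, the template values, the service name, and the "Mismatch" wording it looks for in the analysis log are assumptions.

```powershell
# Added example (not from the article): author a hardening template, analyze a
# server against it with secedit, and only then apply it.
# Paths, template values and the log text matched below are assumptions.
$work = 'C:\SecTemplates'
$inf  = Join-Path $work 'member-server.inf'
$db   = Join-Path $work 'member-server.sdb'
$log  = Join-Path $work 'analyze.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Template body: [System Access] = account policies, [Event Audit] = audit policy
# (3 = success and failure), [Privilege Rights] = user rights assignment
# (*S-1-5-32-544 is the built-in Administrators group), [Service General Setting]
# = startup type (4 = Disabled) followed by the service's security descriptor.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
MaximumPasswordAge = 60
LockoutBadCount = 5
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditAccountManage = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Service General Setting]
"TlntSvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
'@
# secedit expects a Unicode (UTF-16) .inf, which is what the [Unicode] header declares.
Set-Content -Path $inf -Value $template -Encoding Unicode

# Analyze only: compares the live configuration with the template and writes the
# differences to the log; nothing on the server is changed by this step.
& secedit /analyze /db $db /cfg $inf /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed, see $log" }

# The analysis log flags settings that differ from the template with the word
# 'Mismatch' (assumed wording; check one log by hand on your own build first).
$mismatches = Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
if ($mismatches) {
    Write-Output 'Settings that differ from the template:'
    $mismatches | Write-Output
} else {
    Write-Output 'Server already matches the template.'
}

# Apply the template. /overwrite discards anything previously stored in the
# database so the server ends up with exactly what the template specifies.
# Uncomment after reviewing the mismatches on a pilot machine.
# & secedit /configure /db $db /cfg $inf /log $log /overwrite /quiet
```

The analyze-then-configure split is the point: the same template that secedit applies can first be used as a baseline to report drift, which is also what the Security Configuration and Analysis snap-in does through the GUI.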

  • Troubleshoot security template problems.
    • Troubleshoot security templates in a mixed operating system environment.
    • If you are still running Windows NT 4.0 or Windows 2000, applying Windows 2003 security templates in these environments can have unpredictable results.
    • Troubleshoot security policy inheritance.
    • Group policies are applied in the following order: local, site, domain, OU, and sub OU.

    • Troubleshoot removal of security template settings.
    • Changes to security templates do not always take effect instantly. You may have to have the user log off and back on before a change takes effect, or force a Group Policy refresh by using the gpupdate /force command.

  • Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.
    • Plan and configure security settings.
    • In your organization, you may have several different types of servers performing any number of roles. If you set security settings incorrectly, you may not be able to reach needed services.

    • Plan network zones for computer roles.
    • The four network zones are Restricted Sites, Internet, Local Intranet, and Trusted Sites.

    • Plan and configure software restriction policies.
    • The Group Policy Object Editor allows you to specify four different policy rules: Certificate Rule, Hash Rule, Internet Zone Rule and Path Rule.

    • Plan and configure auditing and logging for a computer role. Considerations include Windows Events, Internet Information Services (IIS), firewall log files, Netlog, and RAS log files.
    • By studying your log files, you can learn to identify abnormal behavior. It is important that you have a baseline from which to compare current log events. There are many different log files, but mainly you need to be concerned with the log files you find in Event Viewer.

    • Analyze security configuration. Tools include Microsoft Baseline Security Analyzer (MBSA), the MBSA command-line tool, and Security Configuration and Analysis.
    • The Microsoft Baseline Security Analyzer checks to make sure that your computers have all the critical updates and patches installed. To run MBSA from the command line, use MBSAcli.exe.

Implementing, Managing, and Troubleshooting Patch Management Infrastructure

  • Plan the deployment of service packs and hotfixes.
  • A patch or hotfix normally deals with a specific issue, and patches are issued by Microsoft continually. A service pack is a cumulative collection of many patches and updates and may contain additional features.

    • Evaluate the applicability of service packs and hotfixes.
    • It may not be necessary to install all patches, because some may not apply to your computers. Patches are rated at different severity levels: Critical, Important, Moderate, and Low.

    • Test the compatibility of service packs and hotfixes for existing applications.
    • Many times a patch will break an application and cause it not to function properly. You should always have a pre-deployment or pilot group of computers that allows you to test the patches before deploying them to your entire network.

    • Plan patch deployment environments for both the pilot and production phases.
    • Once you have deployed patches to your pilot group, make sure that all applications function normally. It may be that you have to exclude certain updates for specific computers.

    • Plan the batch deployment of multiple hotfixes.
    • Qtool.exe is a command line utility that allows you to install multiple patches without having to reboot the computers between installations.

    • Plan rollback strategy.
    • In the event that the computers in your pilot group pass the test but production computers do not, you need to have some mechanism to remove patches after they have been deployed. Some of these mechanisms include Add/Remove Programs, System Restore, Group Policy, or a custom-written script.

  • Assess the current status of service packs and hotfixes. Tools include MBSA and the MBSA command-line tool.
  • The MBSA command-line tool can help you determine whether you are missing critical updates. It can even scan remote networks, provided you have opened the proper ports on the firewall.

    • Assess current patch levels by using the MBSA command-line tool with scripted solutions.
    • It is possible to use a batch file or scripting code to run the MBSA tool. This script can then be scheduled to run using the Task Scheduler.
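The scripted MBSA scan described above, as an added PowerShell example (not code from the article or from Microsoft): it writes a constructed list of target computers, runs mbsacli.exe so that only the missing-updates check is performed, lists and displays the resulting report, and registers the script as a weekly task with schtasks. The MBSA install path, the target names, the script path, and the report-name pattern are assumptions.

```powershell
# Added example (not from the article): scan a list of servers for missing
# updates with mbsacli.exe and register the script as a weekly scheduled task.
# All paths, host names and the report-name pattern are assumptions.
$mbsa    = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$targets = 'C:\Scripts\patch-targets.txt'
$reports = "$env:USERPROFILE\SecurityScans"   # mbsacli stores its .mbsa reports here

# Constructed target list: one computer name per line.
@('SQL01', 'EXCH01', 'DC01', 'IIS01') | Set-Content -Path $targets

# /listfile  scan every computer named in the file
# /n         skip the listed check groups; OS+IIS+SQL+Password leaves only the update check
# /nvc       do not check for a newer MBSA version (keeps the scan unattended)
# /o         report file name pattern (%D% domain, %C% computer, %T% timestamp)
& $mbsa /listfile $targets /n 'OS+IIS+SQL+Password' /nvc /o '%D% - %C% (%T%)'
if ($LASTEXITCODE -ne 0) {
    Write-Warning "mbsacli returned $LASTEXITCODE; check firewall ports and the scanning account's rights"
}

# List the stored reports, then display the most recent one in text form.
& $mbsa /l
$latest = Get-ChildItem -Path $reports -Filter '*.mbsa' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) { & $mbsa /ld $latest.BaseName }

# Register this script to run every Sunday at 02:00. LocalSystem is used here
# for simplicity; the account must have administrative rights on every target,
# so a dedicated domain service account is the usual choice in practice.
$script = 'C:\Scripts\Invoke-MbsaScan.ps1'   # assumed location of this script
& schtasks /create /tn 'Weekly MBSA scan' /sc WEEKLY /d SUN /st 02:00 /ru SYSTEM `
    /tr "powershell.exe -NonInteractive -File `"$script`""
```

Keeping the scan unattended (/nvc, a fixed target list, a fixed report name) is what makes it safe to hand to the Task Scheduler; anything that prompts or downloads interactively will hang a scheduled run.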

  • Deploy service packs and hotfixes.
  • Deploy service packs and hotfixes on new servers and client computers. Considerations include slipstreaming, custom scripts, and isolated installation or test networks.

    There are several methods for deploying patches. Even though installing patches manually may seem outdated, it may sometimes be necessary if your automated method is not working. Installing manually without silent switches lets you see how the update installed and what may be causing problems. You can also use Group Policy, scripting, SUS, or SMS to install updates, and you can build updates into your initial operating system deployment by slipstreaming.

Implementing, Managing, and Troubleshooting Security for Network Communications

  • Plan IPSec deployment.
  • Transport mode secures the traffic between two computers on the same network while Tunnel mode secures traffic between two computers on different networks.

    • Decide which IPSec mode to use.
    • IPSec supports Kerberos, Certificates and Preshared Keys.

    • Plan authentication methods for IPSec.
    • Kerberos is used for authentication within a Windows network. Certificates are used when Internet access is involved. Preshared keys are a plain-text character string and should not be used if another method is available.

    • Test the functionality of existing applications and services.
    • Similar to patches, you need to test your IPSec implementation to make sure it does not break any applications.

  • Configure IPSec policies to secure communication between networks and hosts.
  • Hosts include domain controllers, Internet Web servers, databases, e-mail servers, and client computers.
    • Configure IPSec authentication.

    The three default IPSec policies are Secure Server, Server and Client.

    • Configure appropriate encryption levels.

    Considerations include the selection of perfect forward secrecy (PFS) and key lifetimes.

    IPSec can use SHA1 or MD5 as its integrity (hashing) algorithm and DES or 3DES as its encryption algorithm. Perfect forward secrecy (PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised.

    • Configure the appropriate IPSec protocol. Protocols include Authentication Header (AH) and Encapsulating Security Payload (ESP).

    Authentication Header (AH) is a member of the IPSec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets but does not encrypt data. Encapsulating Security Payload (ESP) provides confidentiality through encryption, data origin authentication, and connectionless integrity.

    • Configure IPSec inbound and outbound filters and filter actions.
  • Filters are the most important part of an IPSec policy on a computer protected by IPSec. If they are not applied properly, the traffic you intended to protect can pass without the security you expected.

  • Deploy and manage IPSec policies.
    • Deploy IPSec policies by using Local policy objects or Group Policy objects (GPOs).

    IPSec can be configured at any level of your Active Directory structure using a Group Policy.

    • Deploy IPSec policies by using commands and scripts. Tools include IPSecPol and Netsh.

    Two command-line utilities that can be used to deploy IPSec policies are IPSecpol.exe and Netsh with the IPSec switch.

    • Deploy IPSec certificates.

    Considerations include deployment of certificates and renewing certificates on managed and unmanaged client computers.

    Certificates are mainly used when providing security between Active Directory forests where there is no trust relationship.

  • Troubleshoot IPSec.
    • Monitor IPSec policies by using IP Security Monitor.

    IPSec can be monitored using the IP Security Monitor snap-in.

    • Configure IPSec logging. Considerations include Oakley logs and IPSec driver logging.

    IPSec logging doesn’t use much space, but make sure that you have at least 10MB free. To enable Oakley logging from a command prompt type, netsh ipsec dynamic set config ikelogging 1. To enable IPSec to write to the Event Viewer logs type, netsh ipsec dynamic set config ipsecdiagnostics 7.

    • Troubleshoot IPSec across networks.

    Considerations include network address translation, port filters, protocol filters, firewalls, and routers.

    In order to troubleshoot across networks, you must make sure that IP protocol 50 (ESP), IP protocol 51 (AH), and UDP port 500 (IKE) are allowed for inbound and outbound traffic on the firewalls and routers in the path.

    • Troubleshoot IPSec certificates. Considerations include enterprise trust policies and certificate revocation list (CRL) checking.
  • By default, a certificate fails CRL checking only if it is explicitly listed in the CRL. By typing netsh ipsec dynamic set config strongcrlcheck value=2 from a command prompt, you can require strong CRL checking.
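The Netsh deployment and troubleshooting commands from the two sections above, brought together in one added PowerShell example (not code from the article or from Microsoft). It builds a policy that requires ESP for inbound SQL Server traffic to this computer, assigns it, then turns on Oakley logging, IPSec driver diagnostics, and strong CRL checking, and finally shows the assigned policy and the dynamic configuration. The policy, filter list, and filter action names, the port, and the use of 3DES/SHA1 are assumptions; the netsh ipsec static command set is the one the article names.

```powershell
# Added example (not from the article): deploy an IPSec policy with netsh,
# assign it, and enable the diagnostics used for troubleshooting.
# Policy, filter list, filter action names and the port are assumptions.
function Invoke-Netsh {
    # Runs one netsh command and stops on failure instead of silently continuing.
    param([string[]]$Arguments)
    $out = & netsh $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $([string]::Join(' ', $Arguments)) failed: $out" }
    $out
}

$policy = 'Secure SQL Server'
$list   = 'Inbound SQL'
$action = 'Require ESP 3DES SHA1'

# 1. Policy container, not assigned yet, so nothing changes until the last step.
Invoke-Netsh @('ipsec', 'static', 'add', 'policy', "name=$policy",
    'description=Require IPSec for SQL Server traffic', 'activatedefaultrule=no', 'assign=no')

# 2. Filter list: TCP 1433 from anywhere to this computer; mirrored=yes also
#    matches the replies so the filter covers both directions.
Invoke-Netsh @('ipsec', 'static', 'add', 'filterlist', "name=$list")
Invoke-Netsh @('ipsec', 'static', 'add', 'filter', "filterlist=$list", 'srcaddr=any', 'dstaddr=me',
    'protocol=tcp', 'srcport=0', 'dstport=1433', 'mirrored=yes')

# 3. Filter action: negotiate security and require ESP with 3DES/SHA1. soft=no
#    forbids falling back to clear text; inpass=no forbids unsecured inbound.
Invoke-Netsh @('ipsec', 'static', 'add', 'filteraction', "name=$action", 'action=negotiate',
    'qmsecmethods=ESP[3DES,SHA1]', 'inpass=no', 'soft=no')

# 4. Rule that ties the list and the action together, authenticating with Kerberos.
Invoke-Netsh @('ipsec', 'static', 'add', 'rule', 'name=SQL rule', "policy=$policy",
    "filterlist=$list", "filteraction=$action", 'kerberos=yes')

# 5. Assign the policy so the IPSec driver starts enforcing it.
Invoke-Netsh @('ipsec', 'static', 'set', 'policy', "name=$policy", 'assign=yes')

# Troubleshooting: Oakley (IKE) negotiation log in %windir%\debug\oakley.log,
# driver events in the System log, and strong CRL checking for certificate auth.
Invoke-Netsh @('ipsec', 'dynamic', 'set', 'config', 'ikelogging', '1')
Invoke-Netsh @('ipsec', 'dynamic', 'set', 'config', 'ipsecdiagnostics', '7')
Invoke-Netsh @('ipsec', 'dynamic', 'set', 'config', 'strongcrlcheck', '2')

# Confirm what is assigned and what the driver is configured to do right now.
Invoke-Netsh @('ipsec', 'static', 'show', 'policy', "name=$policy", 'level=verbose')
Invoke-Netsh @('ipsec', 'dynamic', 'show', 'config')
```

Passing each netsh token as a separate array element keeps names with spaces intact and avoids the quoting problems that come from typing long netsh lines into a PowerShell prompt; stopping on the first failed command matters because a policy assigned with a missing rule silently protects nothing.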

  • Plan and implement security for wireless networks.
    • Plan the authentication methods for a wireless network.

    There are three types of wireless authentication methods: Open System Authentication, Shared Key Authentication, and 802.1x Authentication.

    • Plan the encryption methods for a wireless network.

    The two methods Microsoft provides for wireless encryption are Wired Equivalent Privacy (WEP) and 802.1x.

    • Plan wireless access policies.

    Use the Wireless Network Policy Wizard to create a wireless policy.

    • Configure wireless encryption.

    After configuring your wireless network policy, you can set the policy to use WEP or IEEE 802.1x encryption.

    • Install and configure wireless support for client computers.

    Windows 2003 and Windows XP support Wireless Zero Configuration, which will cause them to automatically connect to wireless networks.

    Wireless Zero Configuration scans for all available wireless access points and configures the connection automatically. IEEE 802.1x must be configured manually.

  • Deploy, manage, and configure SSL certificates, including uses for HTTPS, LDAPS, and wireless networks. Considerations include renewing certificates and obtaining self-issued certificates instead of publicly issued certificates.
    • Obtain self-issued certificates and publicly issued certificates.

    Using your Web server, you can obtain an SSL certificate from an external CA or from a self-issued CA.

    • Install certificates for SSL.

    An SSL certificate is an encrypted text file that your Web server can understand. You should make a backup of your existing certificates before installing new ones.

    • Renew certificates.

    Certificates can be renewed by choosing Renew when running the Web server’s certificate wizard.

    • Configure SSL to secure communication channels.
  • Communication channels include client computer to Web server, Web server to SQL Server computer, client computer to Active Directory domain controller, and e-mail server to client computer.

  • Configure security for remote access users.
    • Configure authentication for secure remote access.

    Authentication types include PAP, CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5, EAP-TLS, and multifactor authentication that combines smart cards and EAP.

    • Configure and troubleshoot virtual private network (VPN) protocols.

    Considerations include Internet service provider (ISP), client operating system, network address translation devices, Routing and Remote Access servers, and firewall servers.

    • Manage client configuration for remote access security.

    Tools include remote access policy and the Connection Manager Administration Kit.

Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI

  • Plan and configure authentication.
    • Plan, configure, and troubleshoot trust relationships.

    A trust relationship allows users in one domain to access resources in another domain. All domains in the same forest trust each other by default. You can configure a new trust by running the New Trust Wizard.

    • Plan and configure authentication protocols.

    Kerberos is the protocol used by Windows 2003.

    • Plan and configure multifactor authentication.

    Using more than one form of authentication helps to secure your network. Usernames and passwords alone are more easily broken.

    • Plan and configure authentication for Web users.
  • Anonymous Access, Basic, and Digest are the three authentication methods used by IIS for Web authentication.

  • Plan group structure.
    • Decide which types of groups to use.

    Security groups are used for assigning rights or permissions to resources in Active Directory. Distribution groups are used for email distribution lists.

    • Plan security group scope.

    Universal, Global, and Domain Local are the three security group scopes.

    • Plan nested group structure.

    Nesting is when you add a group as a member of another group. While this can simplify permissions in some cases, it can also become confusing if you nest too deeply.

  • Plan and configure authorization.
    • Configure access control lists (ACLs).

    Access Control Lists set the permissions that a user has over an object. You can set these using the Security Tab in an object’s Properties or from a command prompt using Cacls.exe.

    • Plan and troubleshoot the assignment of user rights.

    If a user cannot gain access to an object or resource, you need to determine which groups that user belongs to and how those groups may be nested. Also remember that there are both NTFS permissions and share permissions, and both must be considered.

    • Plan requirements for digital signatures.

    A digital signature assures you that the user who sent a document is truly that user. Digital signatures are not responsible for data encryption.
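An added PowerShell example (not code from the article) for the two objectives above: it reads a folder's ACL with Get-Acl, uses Cacls.exe to revoke Everyone and grant a group read access, then lists the token groups of the logged-on user and the share definitions, which is the information you need when working out why a user is denied. The folder path and group name are assumptions.

```powershell
# Added example (not from the article): inspect and edit an NTFS ACL with
# cacls.exe, then gather what is needed to troubleshoot a denied user.
# Folder path and group name are assumptions.
$folder  = 'D:\Data\Finance'
$readers = 'CORP\Finance Readers'

function Get-FolderAces {
    # Lists each ACE as identity, rights, allow/deny and whether it is inherited;
    # inherited entries are usually where an unexpected Everyone grant comes from.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Write-Output 'Before:'
Get-FolderAces -Path $folder | Format-Table -AutoSize

# /E edits the existing ACL instead of replacing it (without /E cacls discards
# every other entry); /T recurses into subfolders and files; /R revokes an
# identity; /G grants, here Read (R) to the group.
& cacls $folder /E /T /R 'Everyone'
& cacls $folder /E /T /G "${readers}:R"

Write-Output 'After:'
Get-FolderAces -Path $folder | Format-Table -AutoSize

# Troubleshooting a denied user, run in that user's session: whoami expands
# nested groups, so every group in the token can be matched against the ACEs.
& whoami /groups /fo list

# Share permissions are evaluated separately from NTFS permissions and the
# more restrictive of the two wins, so list the shares as well.
& net share
```

The /E switch is the detail worth remembering for the exam and in practice: cacls without /E replaces the whole ACL with only the entries you name, which is how administrators lock themselves out of a share.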

  • Install, manage, and configure Certificate Services.
    • Install and configure root, intermediate, and issuing certification authorities (CAs). Considerations include renewals and hierarchy.
    • Configure certificate templates.

    Certificate templates can be configured and managed using the Certificate Templates MMC snap-in (Certtmpl.msc).

    • Configure, manage, and troubleshoot the publication of certificate revocation lists (CRLs).

    If a certificate becomes compromised, you can revoke it using the Certificate Authority snap-in.

    • Configure archival and recovery of keys.

    You should archive your keys in case they need to be recovered. Certutil.exe can perform the key recovery.

    • Deploy and revoke certificates to users, computers, and CAs.
    • Back up and restore the CA.

    You can back up your certificates using the Certification Authority snap-in or by backing up the System State data.
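The Certificate Services operations in this section, revoking a certificate and publishing a CRL, recovering an archived key, and backing up the CA, as one added PowerShell example built on Certutil.exe (not code from the article or from Microsoft). It is meant to be run on the CA with CA administrator rights and, for the recovery step, with the key recovery agent's certificate and private key available to the caller. The serial number, the paths, and the directory layout are assumptions.

```powershell
# Added example (not from the article): certutil.exe operations behind the
# CA objectives. Serial number and paths are constructed assumptions.
$serial    = '1a2b3c4d000000000005'          # constructed serial number of the affected certificate
$backupDir = 'D:\CABackup\' + (Get-Date -Format 'yyyyMMdd')
$blob      = 'D:\KeyRecovery\user.blob'
$pfx       = 'D:\KeyRecovery\user.pfx'

function Invoke-Certutil {
    # Runs one certutil command and stops on failure so a later step never
    # runs against a half-finished earlier one.
    param([string[]]$Arguments)
    $out = & certutil $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $([string]::Join(' ', $Arguments)) failed: $out" }
    $out
}

# 1. Revoke a compromised certificate. Reason code 1 = KeyCompromise
#    (0 Unspecified, 2 CACompromise, 4 Superseded, 6 CertificateHold).
Invoke-Certutil @('-revoke', $serial, '1')

# 2. Publish a new CRL immediately, so clients that perform CRL checking see
#    the revocation before the next scheduled publication.
Invoke-Certutil @('-crl')

# 3. Key recovery: -getkey writes the archived private key to an encrypted
#    recovery blob; -recoverkey decrypts it with the key recovery agent's
#    certificate and writes a PFX (certutil prompts for the PFX password).
New-Item -ItemType Directory -Path (Split-Path $blob) -Force | Out-Null
Invoke-Certutil @('-getkey', $serial, $blob)
Invoke-Certutil @('-recoverkey', $blob, $pfx)

# 4. Back up the CA database and the CA's private key. -p supplies the
#    password that protects the exported key; the directory must be empty.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$pw = Read-Host 'Password to protect the CA key backup'
Invoke-Certutil @('-p', $pw, '-backup', $backupDir)
```

Step 2 is the one most often forgotten: revoking a certificate changes the CA database, but clients only learn about it once a CRL containing that serial number is published and fetched, which is also why strong CRL checking (see the IPSec section) can start failing connections after a CA outage.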
