
Syngress MCSE designing security for a windows server 2003 network exam 70298 study guide feb 2004 ISBN 1932266550 pdf


DOCUMENT INFORMATION

Basic information

Format
Pages: 662
Size: 19.12 MB

Contents

MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298 Study Guide
by Elias N. Khnaser, Susan Snedaker, Chris Peiris and Rob Amini
ISBN: 1932266550
Syngress Publishing © 2004 (774 pages)

Use this guide to help you prepare for and pass Microsoft’s exam 70-298, Designing Security for a Microsoft Windows Server 2003 Network, and acquire the knowledge and skills to prepare you for the real world of Microsoft computer networking.

Table of Contents
MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298 Study Guide
Foreword
Chapter 1 - Designing a Secure Network Framework
Chapter 2 - Securing Servers Based on Function
Chapter 3 - Designing a Secure Public Key Infrastructure
Chapter 4 - Securing the Network Management Process
Chapter 5 - Securing Network Services and Protocols
Chapter 6 - Securing Internet Information Services
Chapter 7 - Securing VPN and Extranet Communications
Chapter 8 - Securing Active Directory
Chapter 9 - Securing Network Resources
Chapter 10 - Securing Network Clients
Appendix A - Self Test Questions, Answers, and Explanations
Index
List of Figures
List of Tables
List of Exercises
List of Sidebars

Back Cover
The MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298 Study Guide gives you 100% coverage of the official Microsoft 70-298 exam objectives for the edge you need to pass the exam on your first try.
Completely Guaranteed Coverage of All Exam Objectives
Fully Integrated Learning
Step-by-Step Exercises
Exam-Specific Chapter Elements
Test What You Learned

MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298 Study Guide
Elias N. Khnaser
Susan Snedaker
Chris Peiris
Rob Amini
Laura E. Hunter, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER: 001 JFE498MVVF, 002 PO98KLSSSY, 003 JKRED279I9, 004 PLGEPL9989, 005 CVPL23GHBV, 006 VBPLOP93346, 007 JDDD43WD3E, 008 2987JJGGMK, 009 629DJTKK88, 010 ITJLLKR45W

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298 Study Guide & DVD Training System
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1234567890
ISBN: 1-932266-55-0

Acquisitions Editor: Catherine B. Nolan
Technical Editor: Laura E. Hunter
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Copy Editor: Darlene Bordwell, Beth A. Roberts
Indexer: Nara Wood
Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.

Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States by O’Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, and to all the others who work with us.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss, for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

To all the folks at Malloy who have made things easy for us and especially to Beth Drake and Joe Upton.

Technical Editor & DVD Presenter
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting, and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites. Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide & Training System series as a DVD presenter, contributing author, and technical reviewer. Laura was recently awarded the prestigious MVP award as a Microsoft “Most Valued Professional.” Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.

Contributors
Rob Amini (MCSE, MCDBA, MCT) is currently a systems manager for Marriott International in Salt Lake City, Utah. He has a bachelor’s degree in computer science and has been breaking and fixing the darned machines since the Atari 800 was considered state of the art. In 1993 he began his professional career by fixing quirky IBM mainframes and various unix-flavored boxes. Then, after a long stint as a technician and systems admin, he gained fabled notoriety as a pun-wielding Microsoft trainer. Rob has continued as an instructor for more than three years and although teaching is his first love, he tends to enjoy technical writing more than a well-adjusted person should. When actually not working with and programming a variety of electronic gizmos, Rob enjoys spending every minute he can with his beautiful wife Amy and the rest of his supportive family. Finally, Rob would like to thank his dad, who has always been a wonderful father and great example to him.

Elias N. Khnaser (CCEA, MCSE, CCNA, CCA, MCP+I) is currently the Server Based Computing Architect for General Growth Properties. General Growth Properties is headquartered in Chicago, IL and is the second largest shopping mall owner and operator in the world, counting over 160 malls worldwide and growing. Elias provides senior-level network design, implementation, and troubleshooting of Citrix and Microsoft technologies for the company. Elias is also a contributing author at Techrepublic.com. Prior to working for General Growth Properties, Elias was a Senior Network Engineer at Solus in Skokie, IL, consulting for companies like Motorola, Prime Group Realty Trust, Black Entertainment Television (BET), Dominick’s Corporate, and Total Living Network (TLN Channel 38). Elias would like to acknowledge Steve Amidei and James Smith of General Growth Properties for their infinite support; Stuart Gabel and Nial Keegan of Solus, who opened the door of opportunity; his friend Joseph K. Eshoo for all his help and encouragement; and John Sheesley of Techrepublic.com for helping him write better articles. To his friends and family worldwide, this is for you! Finally, Elias would like to dedicate this work to his parents, especially his mother, and to the person that means everything in his life, Nadine Sawaya “Didi”, for loving and supporting him.

Chris Peiris (MVP, MIT) works as an independent consultant for .NET and EAI implementations. His latest role is with the Department of Employment and Workplace Relations (Australia) as a Systems Architect. He also lectures on Distributed Component Architectures (.NET, J2EE & CORBA) at Monash University, Caulfield, Victoria, Australia. He has been awarded the title “Microsoft Most Valuable Professional” (MVP) for his contributions to .NET technologies. Chris has been designing and developing Microsoft solutions since 1995. His expertise lies in developing scalable, high-performance solutions for financial institutions, G2G, B2B and media groups. Chris has written many articles, reviews and columns for various online publications including 15Seconds, Developer Exchange, and Wrox Press. He co-authored the book C# Web Service with .NET Remoting and ASP.NET by Wrox Press. It was followed by C# for Java Programmers (Syngress, ISBN: 1-931836-54-X), and MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment: Exam 70-290 (Syngress, ISBN: 1-932266-60-7). Chris frequently presents at professional developer conferences on Microsoft technologies. His core skills are C++, C#, XML Web Services, Java, .NET, DNA, MTS, Data Warehousing, WAP, and SQL Server. Chris has a Bachelor of Computing, Bachelor of Business (Accounting), and Masters of Information Technology degrees. He is currently undertaking a PhD on “Web Service Management Framework”. He lives with his family in Civic, Canberra, ACT, Australia. Chris dedicates this book to Kushanthi. In his own words: “thanks for the love, patience, advice, encouragement and your kindness… and most of all, thanks for putting up with me and being a true friend”.

Susan Snedaker (MCP, MCT, MCSE+I, MBA) is a strategic business consultant specializing in business planning, development, and operations. She has served as author, editor, curriculum designer, and instructor during her career in the computer industry. Susan holds a master of business administration and a bachelor of arts in management from the University of Phoenix. She has held key executive and technical positions at Microsoft, Honeywell, Keane, and Apta Software. Susan has contributed chapters to five books on Microsoft Windows 2000 and 2003. Susan currently provides strategic business, management and technology consulting services (www.virtualteam.com).

MCSE 70-298 Exam Objectives Map
All of Microsoft’s published objectives for the MCSE 70-298 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we’ve listed all of the exam objectives below, and mapped them to the Chapter number in which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we’ve made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft’s MCSE 70-298 Exam objectives.

Objective Map
Objective Number / Objective / Chapter Number

Creating the Conceptual Design for Network Infrastructure Security by Gathering and Analyzing Business and Technical Requirements (Chapter 1)
  1.1 Analyze business requirements for designing security. Considerations include existing policies and procedures, sensitivity of data, cost, legal requirements, end-user impact, interoperability, maintainability, scalability, and risk.
    1.1.1 Analyze existing security policies and procedures.
    1.1.2 Analyze the organizational requirements for securing data.
    1.1.3 Analyze the security requirements of different types of data.
    1.1.4 Analyze risks to security.
  1.2 Design a framework for designing and implementing security. The framework should include prevention, detection, isolation, and recovery.
    1.2.1 Predict threats to your network from internal and external sources.
    1.2.2 Design a process for responding to incidents.
    1.2.3 Design segmented networks.
    1.2.4 Design a process for recovering services.
  1.3 Analyze technical constraints when designing security.
    1.3.1 Identify capabilities of the existing infrastructure.
    1.3.2 Identify technology limitations.
    1.3.3 Analyze interoperability constraints.

Creating the Logical Design for Network Infrastructure Security (Chapter 3)
  2.1 Design a public key infrastructure (PKI) that uses Certificate Services.
    2.1.1 Design a certification authority (CA) hierarchy implementation. Types include geographical, organizational, and trusted.
    2.1.2 Design enrollment and distribution processes.
    2.1.3 Establish renewal, revocation, and auditing processes.
    2.1.4 Design security for CA servers.
  2.2 Design a logical authentication strategy.
    2.2.1 Design certificate distribution.
    2.2.2 Design forest and domain trust models.
    2.2.3 Design security that meets interoperability requirements.
    2.2.4 Establish account and password requirements for security.
  2.3 Design security for network management.
    2.3.1 Manage the risk of managing networks.
    2.3.2 Design the administration of servers by using common administration tools. Tools include Microsoft Management Console (MMC), Terminal Server, Remote Desktop for Administration, Remote Assistance, and Telnet.
    2.3.3 Design security for Emergency Management Services.
  2.4 Design a security update infrastructure.
    2.4.1 Design a Software Update Services (SUS) infrastructure.
    2.4.2 Design Group Policy to deploy software updates.
    2.4.3 Design a strategy for identifying computers that are not at the current patch level.

Creating the Physical Design for Network Infrastructure Security (Chapters 2, 5, 6)
  3.1 Design network infrastructure security.
    3.1.1 Specify the required protocols for a firewall configuration.
    3.1.2 Design IP filtering.
    3.1.3 Design an IPSec policy.
    3.1.4 Secure a DNS implementation.
    3.1.5 Design security for data transmissions.
  3.2 Design security for wireless networks.
    3.2.1 Design public and private wireless LANs.
    3.2.2 Design 802.1x authentication for wireless networks.
  3.3 Design user authentication for Internet Information Services (IIS). (Chapter 5)
    3.3.1 Design user authentication for a Web site by using certificates.
    3.3.2 Design user authentication for a Web site by using IIS authentication.
    3.3.3 Design user authentication for a Web site by using RADIUS for IIS authentication.
  3.4 Design security for Internet Information Services (IIS).
    3.4.1 Design security for Web sites that have different technical requirements by enabling only the minimum required services.
    3.4.2 Design a monitoring strategy for IIS.
    3.4.3 Design an IIS baseline that is based on business requirements.
    3.4.4 Design a content management strategy for updating an IIS server.
  3.5 Design security for communication between networks.
    3.5.1 Select protocols for VPN access.
    3.5.2 Design VPN connectivity.
    3.5.3 Design demand-dial routing between internal networks.
  3.6 Design security for communication with external organizations.
    3.6.1 Design an extranet infrastructure.

List of Figures
Chapter 4: Securing the Network Management Process
Figure 4.12: Transitivity of Forest Trusts
Figure 4.13: Realm Trusts
Figure 4.14: Using a Shortcut Trust
Figure 4.15: Figure for Question
Chapter 5: Securing Network Services and Protocols
Figure 5.1: IPSec Transport Mode with Authentication Header
Figure 5.2: IPSec Tunnel Mode with Authentication Header
Figure 5.3: IPSec Transport Mode with ESP
Figure 5.4: IPSec Tunnel Mode with ESP
Figure 5.5: Key Exchange Security Methods Dialog
Figure 5.6: Disabling Default Response Rule
Figure 5.7: Interaction of IPSec Components
Figure 5.8: IPSec Process
Figure 5.9: Export IPSec Policy via IP Security Policy Management Snap-In
Figure 5.10: Default Policies in Active Directory
Figure 5.11: Default Settings for Key Exchange Security Methods for Default IPSec Policy
Figure 5.12: Web Site Properties Dialog
Figure 5.13: Require Secure Channel (SSL) Configuration
Figure 5.14: Server Message Block Signing Options
Figure 5.15: Sample Domain Wireless Policy Properties Dialog
Figure 5.16: Adding a New Preferred Network
Figure 5.17: Wireless Policy Defined in Default Domain
Figure 5.18: IEEE 802.1X Properties in the Selected Preferred Network
Figure 5.19: Smart Card or Other Certificate Properties Options
Figure 5.20: Protected EAP Properties Options
Figure 5.21: Functional Diagram of Wireless Access Infrastructure
Figure 5.22: IPSec Settings
Figure 5.23: Network Configuration
Chapter 6: Securing Internet Information Services
Figure 6.1: IIS 6.0 Worker Process Model
Figure 6.2: IIS 5.0 Isolation Model
Figure 6.3: Directory Security Tab of IIS 6.0
Figure 6.4: Enable Secure Communication
Figure 6.5: One-to-One Mapping Screen
Figure 6.6: Select Credentials for Mapping
Figure 6.7: Add a Wildcard Rule
Figure 6.8: The Rules Window
Figure 6.9: Enter Rule Information
Figure 6.10: Enter Credentials for Many-to-One Mapping
Figure 6.11: Enable Anonymous Access
Figure 6.12: Basic Authentication Warning
Figure 6.13: Basic Authentication Settings
Figure 6.14: Digest Authentication Warning
Figure 6.15: RADIUS Architecture in Windows Server 2003
Figure 6.16: Select Network Services
Figure 6.17: Select Internet Authentication Service
Figure 6.18: IAS MMC Snap-In
Figure 6.19: Properties of Remote Access Policies
Figure 6.20: Edit the Default Policy Settings
Figure 6.21: Web Service Extensions View
Figure 6.22: Enabling the Internet Connection Firewall
Figure 6.23: Available Protocol Configuration Window
Figure 6.24: Entering Machine Name or IP Address to Configure the Firewall
Figure 6.25: Enable Logging for Default Web Site
Figure 6.26: Customizing Log Fields
Figure 6.27: Local Audit Policy Settings
Figure 6.28: Enable Success or Failure Audit Options
Figure 6.29: Enable Health Detection
Chapter 7: Securing VPN and Extranet Communications
Figure 7.1: Configuring Routing and Remote Access
Figure 7.2: Routing and Remote Access Server Setup Wizard
Figure 7.3: RRAS Custom Configuration Screen
Figure 7.4: Setting Up a New Routing Protocol
Figure 7.5: Choosing RIP
Figure 7.6: General Tab of the RIP Property Interface Sheet
Figure 7.7: Security Tab of the RIP Property Interface Sheet
Figure 7.8: Neighbors Tab of the RIP Property Interface Sheet
Figure 7.9: Two Sites Connected via VPN Tunnel
Figure 7.10: Diagram of a PPTP Packet
Figure 7.11: Configuration Screen of the Routing and Remote Access Setup Wizard
Figure 7.12: Remote Access Screen of the Routing and Remote Access Setup Wizard
Figure 7.13: VPN Connection Screen of the Routing and Remote Access Setup Wizard
Figure 7.14: IP Address Assignment Screen of the Routing and Remote Access Setup Wizard
Figure 7.15: DHCP Relay Agent Reminder
Figure 7.16: Setting Up a Demand Dial Interface
Figure 7.17: Connection Type Screen of the Demand Dial Wizard
Figure 7.18: VPN Type Screen of the Demand Dial Wizard
Figure 7.19: Destination Address Screen of the Demand Dial Wizard
Figure 7.20: Protocols and Security Screen of the Demand Dial Wizard
Figure 7.21: Dial In Credentials Screen of the Demand Dial Wizard
Figure 7.22: Dial Out Credentials Screen of the Demand Dial Wizard
Figure 7.23: Diagram of an L2TP Packet
Figure 7.24: Security Tab of the Answering Router’s Properties Sheet
Figure 7.25: Authentication Methods Screen
Figure 7.26: Choosing Properties of a Demand Dial Interface
Figure 7.27: Security Tab of the Demand Dial Interface
Figure 7.28: Advanced Security Settings Screen of the Security Tab
Figure 7.29: Smart Card or Other Certificates Properties Screen
Figure 7.30: Setting Credentials on the Demand Dial Interface
Figure 7.31: Remote Access Policy Settings Screen
Figure 7.32: Authentication Tab of the Remote Access Profile Screen
Figure 7.33: Encryption Tab of the Remote Access Profile Screen
Figure 7.34: Dial-in Constraints Tab of the Remote Access Profile Screen
Figure 7.35: IP Tab of the Remote Access Profile Screen
Chapter 8: Securing Active Directory
Figure 8.1: NTFS Permissions Configuration Window
Figure 8.2: Setting Permissions on Folders via Group Policy
Figure 8.3: Files and Folder Permissions Configured in Group Policy
Figure 8.4: Changing the Account a Service Uses to Start
Figure 8.5: Account Policies Window in Group Policy
Figure 8.6: Configuring Restricted Groups in Group Policy
Figure 8.7: Kerberos Policy Configuration
Figure 8.8: Enabling Reversible Encryption on a Per-Account Basis
Figure 8.9: Configuring Password Complexity
Figure 8.10: Logon Events Registration Process
Figure 8.11: Setting Auditing on an Object
Figure 8.12: Advanced Auditing Settings
Figure 8.13: Delegation of Control Wizard
Chapter 9: Securing Network Resources
Figure 9.1: Access Control List with Access Control Entries
Figure 9.2: Access Mask Compared with Access Request
Figure 9.3: Nested Group Hierarchy
Figure 9.4: LDAP Query
Figure 9.5: Result of LDAP Query
Figure 9.6: Delegating Control of the Finance OU in Active Directory Users and Computers
Figure 9.7: Adding Users to Delegate Control
Figure 9.8: Selecting Tasks to Delegate
Figure 9.9: Completion of Delegation of Control Wizard
Figure 9.10: Shared Folder Permissions Access Control List
Figure 9.11: Modifying Default Permissions on Registry Key
Figure 9.12: Advanced Registry Settings for HKEY_CURRENT_USER
Figure 9.13: Auditing Tab Options
Figure 9.14: Effective Permissions Options
Figure 9.15: Registry Node in Group Policy Object Editor Snap-In
Figure 9.16: Adding Key to Registry Access
Figure 9.17: Selecting the Software Node
Figure 9.18: View or Modify Permissions for Registry Key
Figure 9.19: Users Permissions Set to Read Only by Default
Figure 9.20: Advanced Settings Options
Figure 9.21: Modifying Permissions for the RegEdt32 Registry Key
Figure 9.22: Default Domain Policy with RegEdt32 Permissions Specified
Figure 9.23: Advanced Attributes for EFS Folder Encryption
Figure 9.24: File Attribute Indicating Encryption
Figure 9.25: EFS File Sharing Dialog
Figure 9.26: Adding User for Shared EFS File
Figure 9.27: No User Certificate Available
Figure 9.28: cipher.exe Commands, Part
Figure 9.29: cipher.exe Commands, Part
Figure 9.30: cipher.exe /R to Create Recovery Agent Key and Certificate
Figure 9.31: Structure of an Encrypted File
Figure 9.32: Encrypting File System Properties Dialog
Figure 9.33: Select Recovery Agents Dialog
Figure 9.34: Importing Certificate for Recovery Agent
Figure 9.35: Windows Warning Regarding Certificate Status
Figure 9.36: Default Domain Policy Encrypting File System Node
Figure 9.37: Key Backup from Microsoft Management Console
Figure 9.38: Export File Format for Certificate Only (Excludes Private Key)
Figure 9.39: Export File Format Including Private Key with Certificate
Figure 9.40: Certificate Export Wizard Successful Completion
Figure 9.41: Export Successful Notice
Figure 9.42: Create Secure Printer
Figure 9.43: SpoolDirectory in Registry
Figure 9.44: Startup and Recovery Options for Local Computer via Control Panel
Figure 9.45: Startup and Recovery Options
Chapter 10: Securing Network Clients
Figure 10.1: Enabling Syskey Encryption
Figure 10.2: Selecting Syskey Encryption Options
Figure 10.3: Confirmation of Syskey Success
Figure 10.4: Interactive Logons Using Local vs Domain Accounts
Figure 10.5: Passport Sign-On through www.ebay.com
Figure 10.6: Passport on www.expedia.com
Figure 10.7: Creating a Remote Access Policy
Figure 10.8: Remote Access Authentication Methods
Figure 10.9: Remote Access Policy Conditions
Figure 10.10: Installing the Internet Authorization Service
Figure 10.11: The IAS Administrative Console
Figure 10.12: Configuring Permissions for IAS
Figure 10.13: Question Illustration
Figure 10.14: Administrator Properties Sheet
Appendix A: Self Test Questions, Answers, and Explanations
Figure 2.22: Security Analysis Results
Figure 4.15: Figure for Question
Figure 5.22: IPSec Settings
Figure 5.23: Network Configuration
Figure 10.13: Question Illustration
Figure 10.14: Administrator Properties Sheet

List of Tables
Chapter 1: Designing a Secure Network Framework
Table 1.1: Hardware Requirements for Windows Server 2003
Table 1.2: ksetup Parameters for UNIX Kerberos Integration
Chapter 2: Securing Servers Based on Function
Table 2.1: Comparison of Client and Server Authentication Settings in Group Policy
Table 2.2: Comparison of the secure*.inf and hisec*.inf Predefined Security Templates
Table 2.3: Strong Password Requirements
Table 2.4: Active Directory Client Services Extensions Features
Table 2.5: Security Analysis Results Icons
Table 2.6: secedit.exe configure Switch Parameters
Table 2.7: secedit Security Areas Descriptions
Table 2.8: secedit.exe Analyze Switch Parameters
Table 2.9: secedit.exe Import Switch Parameters
Table 2.10: secedit Export Switch Parameters
Table 2.11: secedit generaterollback Switch Parameters
Table 2.12: gpupdate Switch Parameters
Table 2.13: Managing Anonymous Access in Windows Server 2003
Table 2.14: Securing Infrastructure Servers Best Practices
Table 2.15: Encryption Levels in Terminal Services
Table 2.16: Remote Access Policy Encryption Options
Table 2.17: Summary of Services for Server Roles
Table 2.18: Server Roles and Recommended Security Templates
Chapter 4: Securing the Network Management Process
Table 4.1: Domain Functional Levels Within Windows Server 2003
Table 4.2: Controllers Supported by Different Forest Functional Levels
Chapter 5: Securing Network Services and Protocols
Table 5.1: IPSec Encryption Algorithms
Table 5.2: IPSec Hash Algorithms
Table 5.3: IPSec Authentication Methods
Table 5.4: Diffie-Hellman Groups
Table 5.5: Comparison of Authentication Header and Encapsulated Security Payload Protocols
Table 5.6: AH Header Description
Table 5.7: Encapsulated Security Payload Header Descriptions
Table 5.8: Predefined IPSec Policies
Table 5.9: Security Negotiation Order of Preference
Table 5.10: Security Methods for the Require Security Setting
Table 5.11: New IPSec Features in Windows Server 2003
Table 5.12: Filter List and Filter Actions Recommendations
Table 5.13: Commonly Used TCP and UDP Ports
Table 5.14: Common Threats to DNS
Table 5.15: Securing the DNS Server Service
Table 5.16: Default Users, Groups, and Permissions for the DNS Server Service on a Domain Controller
Table 5.17: Default Users, Groups, and Permissions for DACLs in Active Directory-Integrated Zones
Table 5.18: Default DNS Resource Record Permissions for Users and Groups in Active Directory
Table 5.19: Server Message Block Signing Options
Table 5.20: Common Threats to Wireless Networks
Table 5.21: WLAN Network Infrastructure Requirements
Table 5.22: Computer-Based Authentication Scenarios
Chapter 9: Securing Network Resources
Table 9.1: Benefits and Limitations of User/ACL Method
Table 9.2: Benefits and Limitations of the Account Group/ACL Method
Table 9.3: Benefits and Limitations of the AG/RG Method
Table 9.4: Benefits and Limitations of Role-Based Authorization Method
Table 9.5: Logon Event IDs and Descriptions
Table 9.6: Privilege Use Event IDs
Table 9.7: cipher.exe Command-Line Switches
Table 9.8: Safeguarding Your Systems
Table 9.9: Best Practices for Backups
Table 9.10: Disaster Recovery Best Practices
Table 9.11: Firmware Console Redirection
Table 9.12: Windows Components that Support Console Redirection
Table 9.13: Securing Emergency Management Services Out-of-Band Connections
Table 9.14: Recovery Console Environment Variables
Chapter 10: Securing Network Clients
Table 10.1: The Microsoft Security Bulletin Classification System
Table 10.2: Key Differences between SUS and SMS
Table 10.3: Remote Access Conditions

List of Exercises
Chapter 1: Designing a Secure Network Framework
Exercise 1.01: Running an RSoP Query
Chapter 2: Securing Servers Based on Function
Exercise 2.01: Adding the Security Configuration and Analysis and Security Templates Snap-ins
Exercise 2.02: Saving a Console and Security Templates
Exercise 2.03: Using Group Policy Editor to Apply Security Templates for a Workstation or Server Joined to a Domain
Exercise 2.04: Apply Security Templates on a Domain Controller for a Domain or OU
Exercise 2.05: Using the Resultant Set of Policy MMC Snap-in
Exercise 2.06: Analyzing and Comparing Security Configurations
Exercise 2.07: Using the Configure Your Server Wizard
Exercise 2.08: Applying Security Templates via Group Policy
Chapter 3: Designing a Secure Public Key Infrastructure
Exercise 3.01: Installing a CA on Windows Server 2003
Exercise 3.02: Request a Certificate from the Web Enrollment Interface
Exercise 3.03: Approve or Deny a Certificate from the CA Pending Queue
Exercise 3.04: Revoking a Certificate
Exercise 3.05: Enable Auditing on a CA Server
Exercise 3.06: Renewal of CA Keys
Chapter 4: Securing the Network Management Process
Exercise 4.01: Creating an Organizational Unit and Delegating Control to a Local Administrator
Exercise 4.02: Changing the Default Terminal Services Client Port
Chapter 5: Securing Network Services and Protocols
Exercise 5.01: View Predefined IPSec Policy – Server (Request Security)
Exercise 5.02: Exploring the IP Security Policies snap-in
Exercise 5.03: Objective 3.3: Configuring IIS to Use SSL
Exercise 5.04: Create a Wireless Network Policy
Chapter 6: Securing Internet Information Services
Exercise 6.01: Implementing One-to-One Mapping
Exercise 6.02: Implement Many-to-One Mapping
Exercise 6.03: Configure Anonymous Authentication
Exercise 6.04: Configure Basic Authentication
Exercise 6.05: Configure Digest Authentication
Exercise 6.06: Configure Integrated Windows Authentication
Exercise 6.07: Install Internet Authentication Server
Exercise 6.08: Configure Protocols in Internet Connection Firewall
Exercise 6.09: Configure IIS Logging
Exercise 6.09: Enabling Audit Policy on a Local Machine
Exercise 6.10: Enable Health Detection
Chapter 7: Securing VPN and Extranet Communications
Exercise 7.01: Configuring Routing and Remote Access Services
Exercise 7.02: Configuring a PPTP LAN-to-LAN VPN
Exercise 7.03: Configuring an L2TP RRAS Server to Accept Certificates
Chapter 8: Securing Active Directory
Exercise 8.01: Setting Permissions Using Group Policy
Exercise 8.02: Configuring Restricted Groups in Active Directory
Chapter 9: Securing Network Resources
Exercise 9.01: LDAP Query for Obsolete Groups
Exercise 9.02: Using the Delegation of Control Wizard
Exercise 9.03: Viewing Registry Access Permissions
Exercise 9.04: Setting Registry Access Permissions via Group Policy
Exercise 9.05: Implementing EFS on the Local Computer
Exercise 9.06: Add a Recovery Agent for the Local Computer
Exercise 9.07: Using the cipher Command to Add Data Recovery Agent
Exercise 9.08: Backing Up Certificates with Private Keys
Exercise 9.09: Creating an Automatic System Recovery Backup Set
Exercise 9.10: Configuring System for Startup and Recovery Options
Chapter 10: Securing Network Clients
Exercise 10.01: Using the Syskey Utility
Exercise 10.02: Creating a Remote Access Policy
Exercise 10.03: Configuring IAS on a Domain Controller

List of Sidebars
Chapter 1: Designing a Secure Network Framework
Head of the Class…: Combating Network Attacks
Designing & Planning…
Blended Threats Head of the Class? Computer Forensics Chapter 2: Securing Servers Based on Function Designing & Planning? Working with Different Operating Systems and the Group Policy Management Console Designing & Planning? Defining, Implementing and Securing Server Roles Head of the Class? Microsoft Exchange Server 2003 Chapter 3: Designing a Secure Public Key Infrastructure Head of the Class? TLS, S/MIME, and IPSec Designing & Planning? Distinguishing Root CAs and Subordinate CAs Head of the Class? Enterprise and Stand-Alone CAs Designing & Planning? Scalability of Windows Server 2003 PKI Head of the Class? Impact of Offline CAs Head of the Class? CA Web Enrollment Support System Chapter 4: Securing the Network Management Process Designing & Planning? Putting It All Together: Designing the Network Management Policy Head of the Class? Windows Server 2003 Domain and Forest Functionality Chapter 5: Securing Network Services and Protocols Designing & Planning? What?s New in IP Security in Windows Server 2003 Head of the Class? Understanding WEP Flaws, Threats, and Countermeasures Chapter 6: Securing Internet Information Services Head of the Class? Is the Worker Process Model the Same as IIS 5.0 Isolation Mode? Head of the Class Sub-Authentication Component Head of the Class? Security Issues with IAS Access Head of the Class? Default IIS Access Options Designing & Planning? Firewall Protection for Web Servers Head of the Class? Periodically Back Up Audit Information Chapter 7: Securing VPN and Extranet Communications Head of the Class? Summarization Routes Head of the Class? Numbered and Unnumbered Connections Designing & Planning? PPTP versus L2TP Chapter 8: Securing Active Directory Configuring & Implementing? A Decoy Administrative Account? Rename the Original but Keep a Fake Designing & Planning? Educating Users on Password Best Practices: User Password Tips Chapter 9: Securing Network Resources Head of the Class? 
New EFS Features in Windows Server 2003 Head of the Class? Anatomy of an Encrypted File Designing & Planning? Printing Encrypted Files Head of the Class? In-Band and Out-of-Band Management Chapter 10: Securing Network Clients Head of the Class? Microsoft Passport Authentication Designing & Planning? New Features in Internet Authentication Service ... sometimes affecting a company’s network access altogether Data availability can be affected by more than just network attackers and can affect system and network availability Environmental factors... different location In addition, end-user and administrative training can guard against an attacker using a so-called “social engineering” attack to obtain access to an employee’s username and password... preparing for and actually taking the exam Exam preparation begins before exam day Ensure that you know the concepts and terms well and feel confident about each of the exam objectives Many test-takers

Posted: 20/03/2019, 11:12
