MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
by Brian Reisman and Mitch Ruebush
Sybex © 2004 (736 pages)
ISBN: 0782143296

Based on practical examples and insights drawn from real-world experience, this Study Guide provides understandable and succinct information on designing a secure Windows-based network, and will help you pass the MCSE Exam 70-298.

Table of Contents

MCSE—Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
Introduction
Chapter 1 - Analyzing Security Policies, Procedures, and Requirements
Chapter 2 - Identifying and Designing for Potential Security Threats
Chapter 3 - Designing Network Infrastructure Security
Chapter 4 - Designing an Authentication Strategy for Active Directory
Chapter 5 - Designing an Access Control Strategy for Network Resources
Chapter 6 - Designing a Public Key Infrastructure with Certificate Services
Chapter 7 - Designing Security for Internet Information Services
Chapter 8 - Designing Security for Servers with Specific Roles
Chapter 9 - Designing an Infrastructure for Updating Computers
Chapter 10 - Designing Secure Network Management Infrastructure
Glossary
Index
List of Figures
List of Tables
List of Scenarios
List of Sidebars

MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
Brian Reisman
Mitch Ruebush
SYBEX
San Francisco • London

Associate Publisher: Neil Edde
Acquisitions Editor: Maureen Adams
Developmental Editor: Jeff Kellum
Production Editor: Elizabeth Campbell
Technical Editors: Kevin Lundy, Warren Wyrostek
Copyeditor: Judy Flynn
Compositor and Graphic Illustrator: Happenstance Type-O-Rama
CD Coordinator: Dan Mummert
CD Technician: Kevin Ly
Proofreaders: Laurie O'Connell, Nancy Riddiough
Indexer: Lynnzee Elze
Book Designers: Bill Gibson and Judy Fung
Cover Designer: Archer Design
Cover Photographer: Photodisc and Victor Arre

Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.

Library of Congress Card Number: 2003115675
ISBN: 0782143296

Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated.

The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997-1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com.

Microsoft® Internet Explorer © 1996 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft Internet Explorer logo, Windows, Windows NT, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

SYBEX is an independent entity from Microsoft Corporation, and not affiliated with Microsoft Corporation in any manner. This publication may be used in assisting students to prepare for a Microsoft Certified Professional Exam. Neither Microsoft Corporation, its designated review company, nor SYBEX warrants that use of this publication will ensure passing the relevant exam. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.

TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.

The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no
liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

Dedication

To my Family, supporting me as always: Tami, Thatcher, and Collin, whom I cannot live without. I would also like to dedicate this work to my father for never giving up in his fight with cancer.
—Brian

To my loving wife, Jennifer, and my son and daughter, Elliott and Avery, whom I adore. I love you and I am sure you are delighted to have me back.
—Mitch

Acknowledgments

I would like to extend my enormous appreciation for everyone who worked on this book: our Acquisitions Editor, Maureen Adams, for putting this whole thing together; our Production Editor, Elizabeth Campbell, for keeping the project running and being so understanding with all of my "distractions" during the process; our Editor, Judy Flynn, who made our sentences coherent; the folks who put together the CD test engine, Dan Mummert and Kevin Ly; and last and certainly not least our Developmental Editor, Jeff Kellum, who has become more than an editor in my eyes, rather a friend. He's tough when he needs to be and supportive all of the time. I don't think I could have made it through all of this without him always there… Thanks Jeff!

I would, of course, like to thank my friends and family for putting up with(out) me during the majority of the process: Tami, my wife, and the bravest woman I know; Thatcher, the sweetest 5-year-old in the world; and his little brother Collin, who just sat up this morning for the first time. I'd also like to thank my Mom and Dad, Alice and Joel Reisman, who were very understanding of all of the times I couldn't make it over to visit, and my in-laws, Jim and Kay Fuglie, for just being wonderful people and grandparents and always there to help.
—Brian Reisman

We would like to acknowledge all the people without whose hard work and patience this book would not have been possible: the staff at Sybex, including Judy Flynn, Maureen Adams, Elizabeth Campbell, and Jeff Kellum as our Editors. We would also like to thank our technical editors, Kevin Lundy and Warren Wyrostek, who reviewed the chapters and provided valuable feedback to make it a better book. We would also like to thank Dan Mummert and Kevin Ly for their work on the valuable CD resource provided with this book. I would like to thank my family: my wife Jenn, who has been very supportive but says I should never write a book again; my three-year-old son Elliott, who just really wants to play; and my 7-month-old daughter, Avery, who wanted to participate and helped me write some of the book (these parts were later edited out). I love you all.
—Mitch Ruebush

To Our Valued Readers:

Thank you for looking to Sybex for your Microsoft Windows 2003 certification exam prep needs. We at Sybex are proud of the reputation we've established for providing certification candidates with the practical knowledge and skills needed to succeed in the highly competitive IT marketplace. Sybex is proud to have helped thousands of Microsoft certification candidates prepare for their exams over the years, and we are excited about the opportunity to continue to provide computer and networking professionals with the skills they'll need to succeed in the highly
competitive IT industry. With its release of Windows Server 2003, and the revised MCSA and MCSE tracks, Microsoft has raised the bar for IT certifications yet again. The new programs better reflect the skill set demanded of IT administrators in today's marketplace and offer candidates a clearer structure for acquiring the skills necessary to advance their careers.

The authors and editors have worked hard to ensure that the Study Guide you hold in your hand is comprehensive, in-depth, and pedagogically sound. We're confident that this book will exceed the demanding standards of the certification marketplace and help you, the Microsoft certification candidate, succeed in your endeavors.

As always, your feedback is important to us. Please send comments, questions, or suggestions to

At Sybex we're continually striving to meet the needs of individuals preparing for IT certification exams.

Good luck in pursuit of your Microsoft certification!

Neil Edde
Associate Publisher—Certification
Sybex, Inc.

Software License Agreement: Terms and Conditions

The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the "Software") to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms.

The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the "Owner(s)"). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media.

In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties ("End-User License"), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses.

By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.

Software Support

Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media.

Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).

Warranty

SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to:

SYBEX Inc.
Product Support Department
1151 Marina Village Parkway
Alameda, CA 94501
Web: http://www.sybex.com

After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.

Disclaimer

SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting.

The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.

Shareware Distribution

This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.

Copy Protection

The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.

List of Scenarios

Chapter 1: Analyzing Security Policies, Procedures, and Requirements
Design Scenario: Analyzing Security Risks
Real World Scenario: Adjusting Security Policies to Comply with Government Regulations
Real World Scenario: Pencils and Server Room Doors
Design Scenario: Analyzing Security Policies and Procedures
Design Scenario: Analyzing the Requirements for Securing Data
Real World Scenario: Exchange 2000 and Active Directory Distribution List
Design Scenario: Technical Constraints when Designing Security

Chapter 2: Identifying and Designing for Potential Security Threats
Design Scenario: Predicting Internal Threats to Your Network
Design Scenario: Predicting External Threats to Your Network
Real World Scenario: An Incident Response Procedure Will Prevent Mistakes
Design Scenario: Designing a Response to an Incident
Real World Scenario: Recovering Services by Making Hard Decisions
Real World Scenario: The Importance of Perimeter Security
Design Scenario: Segmenting Networks for Security

Chapter 3: Designing Network Infrastructure Security
Design Scenario: Designing for SSL on a Windows Server 2003 Network
Design Scenario: Designing for PPTP on a Windows Server 2003 Network
Real World Scenario: A W32.Slammer Worm Attack Prevented Because of Filters
Design Scenario: Designing for Filtering
Design Scenario: Choosing an Authentication Strategy
Design Scenario: Designing a VPN Solution
Design Scenario: Designing a Demand-Dial Solution for a Branch Office
Design Scenario: Designing a Connection Strategy with an External Organization
Design Scenario: Designing Wireless Security

Chapter 4: Designing an Authentication Strategy for Active Directory
Real World Scenario: Cleartext Passwords Across a Network
Real World Scenario: Stored Credentials Are Easy to Exploit
Design Scenario: Evaluating Windows Authentication Methods
Design Scenario: Designing Client Authentication
Design Scenario: Designing Trust Models
Design Scenario: Analyzing Accounts
Design Scenario: Analyzing Account Risks by Cost Analysis
Design Scenario: Analyzing and Securing Accounts with Account Policies

Chapter 5: Designing an Access Control Strategy for Network Resources
Real World Scenario: Avoiding Deny Permissions
Design Scenario: Designing an Access Control Strategy for Active Directory Objects
Real World Scenario: Taking Advantage of Universal Groups
Design Scenario: Planning an Appropriate Group Strategy
Design Scenario: Delegating Permissions
Design Scenario: Designing an Access Control Strategy for Files and Folders
Real World Scenario: Preventing Internal Attacks through Auditing
Design Scenario: Designing an Audit Policy

Chapter 6: Designing a Public Key Infrastructure with Certificate Services
Design Scenario: Choosing Where to Host Certificates
Design Scenario: Choosing a CA Hierarchy
Real World Scenario: Establishing a Cross-Certificate Trust
Design Scenario: Designing an Enrollment and Distribution Strategy
Design Scenario: Designing a Renewing and Revocation Strategy
Design Scenario: Designing Security for a CA

Chapter 7: Designing Security for Internet Information Services
Design Scenario: Designing a Baseline Based on Business Requirements
Real World Scenario: Code Red Worm
Design Scenario: Designing for Minimum Services with IIS
Design Scenario: Designing an Authentication Strategy with IIS Authentication
Design Scenario: Designing an Authentication Strategy with Forms-Based Authentication
Design Scenario: Designing an Authentication Strategy with Certificate Authentication
Design Scenario: Designing an Authentication Strategy with RADIUS
Design Scenario: Designing a Monitoring and Auditing Strategy for IIS
Design Scenario: Designing a Content Update Strategy

Chapter 8: Designing Security for Servers with Specific Roles
Design Scenario: Determining the Security Environment
Design Scenario: Defining Custom Templates for Servers with Specific Roles
Real World Scenario: Preventing Attacks by Securing DNS Updates
Design Scenario: Securing the DNS Infrastructure

Chapter 9: Designing an Infrastructure for Updating Computers
Design Scenario: Designing an OU Model
Design Scenario: Designing Software Restriction Policies
Design Scenario: Using Groups to Restrict Access to the Operating System
Design Scenario: Selecting the Appropriate Template Setting
Design Scenario: Designing a Patch Management Solution
Design Scenario: Auditing Your Security Patch Solution

Chapter 10: Designing Secure Network Management Infrastructure
Design Scenario: Evaluating Remote Management Needs
Real World Scenario: Designing for Remote Access
Design Scenario: Evaluating Remote Management Security Needs
Design Scenario: Risks of Managing Networks
Real World Scenario: Using MMC to Manage Windows Server 2003
Real World Scenario: Designing for Secure Server Management with MMC
Real World Scenario: Using Remote Desktop for Administration
Design Scenario: Designing for Secure Server Management with Remote Desktop for Administration
Real World Scenario: Using Remote Assistance to Support Users
Design Scenario: Designing for Secure Remote Assistance
Real World Scenario: Using EMS to Manage Servers
Design Scenario: Designing for Emergency Management Services

List of Sidebars

Introduction
MCSE versus MCSA
Windows 2000 and Windows 2003 Certification
Exam Question Development

Chapter 3: Designing Network Infrastructure Security
Smart Cards

Chapter 8: Designing Security for Servers with Specific Roles
Windows 2003 DNSSEC Support (RFC 2535)

... plus one of the following design exams:
Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure (70-297)
Designing Security for a Microsoft Windows Server 2003 Network
plus one of a number of electives, including: ...

... while the MCSE job tasks involve more strategic concerns of design and planning.

The Designing Security for a Microsoft Windows Server 2003 Network Exam

The Designing Security for a Microsoft Windows Server 2003 Network ... knowledge you need to prepare for one of the core design requirements of the MCSE certification in the Windows Server 2003 track: Designing Security for a Microsoft Windows Server 2003 Network (70-297).

The Microsoft Certified Professional Program