IT Influencer Series: SECURITY

MCSA: Security on Windows 2003

Editor: Michael Domingo

This guide offers information for completing Microsoft's prescribed path toward obtaining the MCSA: Security on Windows 2003 credential and provides expert information on security issues that can be applied in a career as a security expert well after completing the certification process.

Contents

Security Essentials for the MCSA: Security Candidate . . . 1

Exam Reviews:

Core (Client)
70-210: Administering Windows 2000 Professional . . . 5
70-270: Administering Windows XP Professional . . . 9

Core (Networking)
70-290: Managing a Windows Server 2003 Environment . . . 12
70-291: Managing a Windows Server 2003 Network . . . 16

Specializations
70-227: Managing ISA Server 2000 Enterprise . . . 19
70-299: Administering Windows 2003 Security . . . 22

MCSA: Security Checklist/Links for Further Study . . . 26

Page 1 • MCSA: Security on Windows 2003 (c) 2004 101communications LLC, http://certcities.com, http://mcpmag.com

MCSA: Security Guide

Security Essentials for the MCSA: Security Candidate

By Derek Melber

As you approach the MCSA: Security certification track, you are sure to be up against some tough security-related topics. Microsoft has been dinged hard by the public for not providing enough security features in Windows, but you would never know it by the certification track or the topics covered throughout all of the certification exams on the MCSA: Security track.

The MCSA: Security track is comprised of five exams. Three of them are core exams covering key topics. The other two exams are security related. The exams that you can take include the following:

Core:
• 70-270: Installing, Configuring, and Administering Microsoft Windows XP Professional (or 70-210: Installing, Configuring, and Administering Microsoft Windows 2000 Professional)
• 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment
• 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Electives:
• 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network
• 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition (or CompTIA Security+)

Each exam includes some portion of the objectives that are related to security. There are some areas that are very complex and intense, such as Certificate Services, where other areas are more tame, such as user accounts. One thing is for certain: as you approach each exam, you need to know Windows security very well or your chances of failing rise considerably.

In this article, I will review the key security topics of the MCSA: Security certification track that you must master to be a qualified, certified MCSA: Security professional. To get a full list of all areas that are covered on each of these exams, be sure to check out the Microsoft Web site at http://www.microsoft.com/learning, as well as the CompTIA Web site at http://www.comptia.org/certification/security/default.aspx.

Resource Access
There is much more to resource access than meets the eye as you tone up your knowledge on Microsoft security regarding resources. First, you need to be fully aware of the file system options that you have to choose from: FAT, FAT32, and NTFS. This is one of the first decisions that you make on a production network too, since it affects every computer that is installed. The answer to which file system to choose is very simple: NTFS. Without NTFS, the computer doesn't stand a chance at protecting files, folders, printers, Registry keys, or Active Directory objects.

Once the file system debate is taken care of, then the specifics of NTFS come into play. This will require knowledge of the NTFS permissions that control files and folders. This knowledge needs to include the following specifics:
• Inheritance
• Allow vs. Deny permissions
• Effective permissions
• NTFS permissions interaction with share permissions

Another factor of resource access that is key both for success on your way to certification and for companies that want to protect data is knowledge of Encrypting File System (EFS). There have been radical changes with EFS from Windows 2000 to Windows XP and Windows Server 2003:
• Encryption without a data recovery agent (DRA)
• Multi-user access to encrypted files
• Autoenrollment of EFS certificates using Group Policy Objects (GPOs)

Network Security
Two key network security topics float to the top of the objectives within the certification track: remote access and network traffic security. The first, remote access, really deals with three different ways to remotely access resources and computers.
• Dial-up or VPN access – When you are trying to access your network from outside the office, you have two options. Dial-up access will of course use the phone line, while VPN access typically uses the Internet. In both cases, Windows Server 2003 uses RAS Policies to control all aspects of the connection. This includes authentication protocols, encryption, and connection types which promote security.
• Remote Desktop – If you are working from your home office, but need to access your computer at the corporate office, you can use Remote Desktop. Of course, you don't want just anyone to have the ability to connect to your computer, so you will need to configure the correct security through the firewalls, as well as the access to the computer itself.
• Remote Assistance – If you support desktops in your company, Remote Assistance is tailor-made for you. With Remote Assistance the user or the desktop support technician can initialize a secure connection to help the user through a problem or question with their computer.

The second network security topic is network traffic security. Here, you really have just two options: IPSec and SMB signing. SMB signing has been around for quite some time and is a proven method of protecting data as it is sent across the network from point to point. However, a more secure method of sending traffic across the network is to use IPSec. IPSec is not used all that often, but is extremely powerful. One of the reasons that it is not used is that it is hard to administer, due to the complexity of the configuration. With IPSec filters, rules, and authentication choices, it can be hard to implement and troubleshoot. Couple that with the fact that only Windows 2000 or newer operating systems support IPSec, and it becomes a hard sell across the entire network.

Authentication
Every domain user and computer account must authenticate to the domain when gaining access to resources. This authentication is key to the security of all resources contained on domain controllers, file servers, and clients throughout the enterprise. When there is more than one domain, trusts help bridge the authentication gap between these domains. Domains within a single Active Directory forest have automatic trusts, which don't require any management. However, when a domain is not within the forest, these trusts that span outside the forest must be managed and audited to ensure that the security is maintained from domain to domain.

Another key security area that hits every network is which authentication protocol should be used. There are four to choose from: LAN Manager (LM), NT LAN Manager (NTLM), NTLMv2, and Kerberos. Knowing when and where each protocol can and should be used is essential to protecting and securing passwords and access to network resources.

Finally, authentication takes a step up when multi-factor authentication is implemented. You'll typically find this where smart cards are used to authenticate users. Smart cards are an excellent step in the higher security direction but can be costly. The cost of implementation, support, and hardware can rule it out of the equation. However, knowing what is involved with smart card implementation is key to successfully implementing it.

Certificates
One of the critical aspects of deploying certificates is to develop the correct Certificate Authority (CA) hierarchy. Much of the security of the CA structure and the certificates it produces is in the protection and security of the hierarchy. Typically, there will be a root CA, intermediate CAs, and issuing CAs. The root is typically taken offline, to protect the root certificate. The intermediate and issuing CAs do the majority of the work for controlling certificate revocation lists (CRLs), deploying certificates and revoking certificates.

As for the deployment of certificates, a key factor that everyone should be aware of is that GPOs can now auto-enroll and deploy certificates. These certificates can span authentication, encryption, and more.

Local Security
A system administrator needs to know about local computer security, almost more than the network security. The certification track mirrors this requirement. First, the system administrator needs to understand the concept of local users and groups. This is not just what the default accounts are, but what they are used for and how they function with the domain accounts. Protection of the local Administrator account is the first step, but there is much more that can be done with the local accounts:
• Rename the Administrator account from a GPO
• Disable the Administrator account from a GPO
• Enforce group members and membership from a GPO

Beyond the users and groups of the local computer, there are also security settings that can be configured in the local GPO, or from GPOs linked to Active Directory levels. These security settings span about 90 percent of the security areas that are considered to be high risk.
• Account Policies
• Audit Policies
• User Rights
• Authentication protocols
• LM hash control
• Services
• Group membership and members
• Event Log settings
• File system permissions
• Registry permissions

To get more information about what is stored in the local SAM regarding security, refer to my article, "Don't Forget to Audit the Local SAM" at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5529

AD Security
Security at the Active Directory level is as important as it gets for both production networks and knowledge for success on the certification exams. I've said for years that it is impossible to talk about Active Directory security without talking about GPOs. The GPOs control security on domain controllers and computers throughout the domain. Knowledge of how GPOs function and what their capabilities include is paramount to a successful network. To start off, the two default GPOs must be known and understood:
• Default Domain Policy GPO – This GPO is designed to control the Account Policies for all domain users, as well as local SAM users by default. This GPO is linked to the domain node in Active Directory.
• Default Domain Controller Policy GPO – This GPO is linked to the Domain Controllers OU and is designed to set up the default security of the domain controllers. The main security within this GPO establishes the user rights for the domain controllers.

Knowledge of the new user and group accounts that are created in Active Directory is a must for passing these exams and for protecting your network. Important security groups that should be known and secured include:
• Schema Admins
• Enterprise Admins
• Domain Admins
• Administrators
• DHCP Administrators
• DNS Admins
• Group Policy Creator Owners
• Account Operators
• Backup Operators
• Server Operators
• Pre-Windows 2000 Compatible Access

Additional Information

Official MCSA: Security on Windows 2003 Guide: http://www.microsoft.com/learning/mcp/mcsa/security/windows2000.asp

Security articles on TechNet: http://www.microsoft.com/technet/Security/default.mspx

Security Virtual Lab (allows you to try your hand at securing a network): http://www.microsoft.com/technet/traincert/virtuallab/security.mspx

CompTIA Security+ Guide: http://www.comptia.org/certification/security/default.aspx

For more information on security job titles, salaries and resources, see the "Security Certification Resource Guide" (part of the IT Influencer series) at http://mcpmag.com/techlibrary/resources.asp?id=4

A final consideration that typically drives the move to Active Directory is delegation. Delegation of administrative control can reduce the overall administrative load on network and enterprise admins, making time for more important network security and management issues. The concept of delegation provides a domain administrator the ability to delegate individual tasks to a subset of administrators or users. For example, a common task that is delegated is the ability to reset passwords for all user accounts in a specific department. Knowing how to delegate, what can be delegated, and best practices for delegation can make you a star on your network.

Server and Client Hardening
As security hits the top of the to-do list for most administrators, more time and energy is spent "hardening" computers. This hardening of computers starts before the computer is installed, then is continued to ensure the security settings maintain their status during the life of the computer. There are numerous tools and files that are used in the hardening of servers. These tools and files include the following.
• Security templates – These files are used to create a suite of security settings that span from account policies, to file system permissions, to services. There are many of these security templates created by default, or you can customize your own.
• Security Configuration and Analysis tool – This tool is used for two purposes: analyzing and configuring computer security. The tool uses the security templates to measure the current configuration of a computer. If the computer is not properly configured, the security template can then be deployed to the computer to make the security settings comply with the security policy for the computer.

There are also more efficient methods to deploy these security templates, since the Security Configuration and Analysis tool can only configure one computer at a time. These other solutions include:
• Using the SECEDIT command to deploy the security templates in a logon script.
• Creating a customized script that configures many computers with the security templates.
• Using GPOs to roll out the security settings from within the security templates.
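As an added example that is not from the guide, the following batch script builds a small custom security template covering several of the high-risk GPO security areas listed under Local Security (account policies, audit policies, LM hash control, authentication protocol, SMB signing, renaming the Administrator account) and applies it with SECEDIT, first in analyze mode and then in configure mode, which is the logon-script deployment method described above. The template name, file paths and the chosen setting values are assumptions for this example.

```batch
@echo off
rem Added example, not from the guide: write a custom security template and
rem apply it with SECEDIT from a logon or startup script. Template name, paths
rem and setting values are assumptions chosen for this example.
rem SECEDIT /configure needs local administrative rights, so a machine startup
rem script (which runs as SYSTEM) is the safer home for this than a user logon script.
setlocal

set TEMPLATE=%SystemRoot%\security\templates\baseline-ws.inf
set DB=%SystemRoot%\security\Database\baseline-ws.sdb
set LOG=%SystemRoot%\security\logs\baseline-ws.log

rem Build the template. Each section maps to one of the security areas that
rem the Security Configuration and Analysis tool and GPOs control.
(
  echo [Version]
  echo signature="$CHICAGO$"
  echo Revision=1
  echo.
  echo [System Access]
  echo ; Account Policies: password and lockout settings
  echo MinimumPasswordLength = 8
  echo PasswordComplexity = 1
  echo PasswordHistorySize = 24
  echo LockoutBadCount = 5
  echo ; Local accounts: rename the built-in Administrator account
  echo NewAdministratorName = "LocalOwner"
  echo.
  echo [Event Audit]
  echo ; Audit Policies: 1 = success, 2 = failure, 3 = both
  echo AuditLogonEvents = 3
  echo AuditAccountLogon = 3
  echo AuditAccountManage = 3
  echo AuditPolicyChange = 3
  echo.
  echo [Registry Values]
  echo ; 4 = REG_DWORD. Stop storing LM hashes (XP/2003 value; on Windows 2000
  echo ; NoLMHash is a registry key instead) and allow NTLMv2 only, refusing LM and NTLM.
  echo MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
  echo MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
  echo ; Require SMB signing for every session this computer serves
  echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
) > "%TEMPLATE%"

rem Step 1: analyze only. Differences between the computer and the template
rem go to the log; nothing on the computer changes.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%"
if errorlevel 1 (
  echo Analysis failed, see "%LOG%"
  exit /b 1
)

rem Step 2: configure. /overwrite discards earlier database contents so only
rem this template is applied; /quiet suppresses the confirmation prompt.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 (
  echo Configuration failed, see "%LOG%"
  exit /b 1
)
echo Template "%TEMPLATE%" applied, see "%LOG%" for details.
endlocal
```

Requiring SMB signing server-side and refusing LM/NTLM will lock out clients that cannot sign or speak NTLMv2, so review the analyze-step log on a test computer before the script reaches production machines.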

For more information on security templates, baselining and deploying security templates, refer to the following links:
• "Understanding Windows Security Templates": http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html
• "Baselining with security templates": http://www.windowsecurity.com/articles/Baselining-Security-Templates.html

Patching and Service Packs
The need to patch and deploy service packs is obvious after the latest round of attacks from Code Red, Slammer, and Nimda. The majority of the problems associated with these attacks could have been subdued if the computers had been properly patched before or immediately after the attacks. However, there was not an efficient method to install these patches and service packs until recently. Now, Microsoft has released Software Update Services (SUS), which deploys security patches and service packs to all computers on the network.

If you are concerned about the current status of the patch level of a computer or even all computers on the network, you can use a tool like Microsoft Baseline Security Analyzer (MBSA). MBSA is designed to analyze and report back which patches and service packs are missing from the computer. MBSA also provides meaningful security reports on file system, services, shares, and insecure passwords.

Safe and Secure
This gives you a quick overview of the key areas that you will need to be familiar with to successfully configure your production network. Understanding these concepts will help you maneuver the security topics on exams you'll be tackling on your way to completing your certification goals. Microsoft has worked hard to ensure that they're meeting the goals and needs of the industry with regard to security. The exams back up the fact that the security possibilities are available, which will immediately span over to your ability to protect computers, users, and the network in your production environment.

Derek L. Melber runs http://www.auditingwindows.com, dedicated to Windows security and home to the only books on auditing Windows.


70-210: Administering Windows 2000 Professional

The Windows 2000 Professional exam tests your knowledge of the desktop, the network, security, and your ability to read well.

By Jill Gebelt

Full Exam Title: 70-210: Installing, Configuring, and Administering Windows 2000 Professional

Reviewer's Quick Take: "I found the questions on this exam to be less strange and tricky than some of the NT 4.0 exams. However, they're also longer!"

Official Objectives: http://www.microsoft.com/learning/exams/70-210.asp

Microsoft's Recommended Training:
• Course 2151: Windows 2000 Network and Operating System Essentials
• Course 2152: Implementing Windows 2000 Professional and Server

I've heard some people say 70-210 is tougher than any of the Windows NT tests they've tried. In general, I found the questions on this exam to be less strange and tricky than some of the NT 4.0 exams. However, they're also longer; I'm talking about questions that go on for multiple paragraphs and require careful reading! It's easy to miss critical information when items get as long as these do.

In addition to the usual multiple-choice questions, you're likely to have a few "Select and Place" questions on the Windows 2000 and Windows 2003 exams. The question starts with a scenario that explains the task you need to complete. You then launch the "Select and Place" application, which consists of a graphic and a number of answer elements that you must drag to the correct location on the graphic.

Installation
The first set of objectives for this Win2K Pro exam covers installation. As always, before you start an installation, make sure the computer meets all hardware requirements. You need to understand what occurs during each of the four stages of set-up: Setup Program, Setup Wizard, Install Windows Networking, and Complete Setup. The initial set-up stage is the text-based portion of Setup. The Win2K partition is created, you select the file system format, and set-up files are copied to the hard disk. If you have drivers for a custom HAL or third-party disk hardware, they're loaded during this stage. When the text-based portion of set-up is complete, the computer reboots and starts the graphical Setup Wizard, which asks for information such as user name, product key and regional settings.

The next stage is to install Windows networking. By default, TCP/IP, Client for Microsoft Networks, and File and Print Sharing are installed. The default TCP/IP configuration is to obtain an IP address automatically. Once the networking components are installed, you can join a workgroup or a domain. If you want to join a Win2K domain, the network must be running Active Directory, and the client computer needs to be able to contact a DNS server that contains the records for your AD domain. The final installation stage completes set-up. The program copies files, configures the computer, saves the configuration, and removes the temporary files.

You must be able to perform attended and unattended installations. To start an attended installation, boot from the Win2K CD-ROM if the computer supports booting from the CD. If your computer doesn't support booting from the CD-ROM, make boot disks with makeboot.exe or makebt32.exe. You can also start an installation over the network. Set up a server with a file share containing the contents of the \i386 folder. Boot the client with a network boot disk and then connect to the shared folder. Start the installation by running Winnt.exe. Winnt.exe is used when you're running a 16-bit environment. This is typically the case when you create a network boot disk. If you're running a 32-bit environment, use Winnt32.exe.

For an unattended installation, use the Setup Manager Wizard to create an answer file. This file contains the information required by Setup, so you don't have to enter anything during the installation. You can perform an unattended installation when booting from the Win2K CD-ROM, by connecting to a distribution server that contains the installation files, or by using Remote Installation Services (RIS). To perform an unattended installation with the installation CD, save the answer file on a floppy with the name Winnt.sif. Boot from the CD and put the floppy in the drive. An unattended installation over the network is similar to an attended installation. Simply use the correct switch to specify the answer file when you start the installation (Winnt /u:answerfile or Winnt32 /unattend:answerfile).

RIS is new to Win2K. It's used to automate the installation of Win2K Pro. Before you can install clients, you must set up the RIS server, which requires AD, DNS and DHCP. Client images are stored on an NTFS partition on the RIS server. This partition can't be the system or boot partition. When you create the client image, you also associate an answer file with the image.

Tip: RIS clients need PXE-enabled network adapters. This type of NIC allows the client to boot from the network. If the client computers don't have PXE-enabled NICs, you may be able to create boot disks using the Remote Boot Floppy Generator tool, Rbfg.exe. Be aware that your NICs need to be supported by the Rbfg.exe tool.

When a PXE client boots, it uses DHCP to request an IP address and the IP address of the RIS server. DHCP broadcasts aren't necessarily routed, so you need to make sure clients can contact the DHCP server. RFC 1542-compliant routers can send on DHCP requests. If your routers don't support this, you can install a DHCP Relay Agent on the network segments without local DHCP servers.

Upgrading is another installation topic. You can upgrade directly to Win2K Pro from Windows 95, Windows 98, NT Workstation 3.51, and NT Workstation 4.0. If you're running NT Workstation 3.1 or 3.5, first upgrade to NT Workstation 3.51 or 4.0, then upgrade to Win2K. Before upgrading a computer to Win2K, run winnt32 /checkupgradeonly to generate an upgrade compatibility report. You can use the downloadable CHKUPGRD.EXE tool to verify the compatibility of the machine to be upgraded.

Make sure you understand that you can run Win2K service packs against your shared network copies of the Win2K installation files by invoking update.exe with the -s option. In this way, after installing new Win2K features you no longer have to reapply the service pack.

Tip: Here are some useful Microsoft Knowledge Base articles: 237556, "How to Troubleshoot Win2K Hardware Abstraction Layer Issues"; 234772, "Windows 2000 Hangs at 'Setup Is Starting Windows 2000' Message"; 224294, "Rights Needed for Remote Installation Server to Create Machine Accounts"; 242920, "How the Remote Installation Boot Disk Works"; and 251335, "Domain Users Cannot Join Workstation or Server to a Domain."

Resource Administration
For resource management, make sure you know NTFS and share permissions inside and out. When you set permissions on a parent folder, new files and subfolders in that folder inherit those permissions. If you don't want a file or subfolder to inherit permissions from the parent, you need to clear the "Allow inheritable permissions from parent to propagate to this object" check box. Know the rules for copying and moving files on NTFS partitions. When you copy a file or move a file to a different partition, it inherits the permissions of the destination folder. When you move a file to a different folder on the same partition, it retains its permissions.

Compression is an NTFS attribute, so when you copy and move files, it behaves like NTFS permissions. However, there are a couple of gotchas to be aware of. Encryption and compression are mutually exclusive. You can't compress an encrypted file and you can't encrypt a compressed file. Also, since compression is an NTFS attribute, when you copy a compressed file to a FAT partition, it will be uncompressed. Encryption is a little different from compression in that when an encrypted file is copied or moved to a different Win2K NTFS drive, it always remains encrypted. This is even the case when copying to an NTFS drive on a remote Win2K machine.

Printing hasn't changed much from NT 4.0. You still need to know the basics of printer management (such as printer installation), how to set permissions, how to configure options such as printer priorities, and how to change the location of the spool folder. One new feature is Internet printing. If the print server is running IIS, you can connect to a printer via a URL.

Tip: Use http://servername/printers to see a list of all printers on that server. Use http://servername/printersharename to go directly to the page for that printer.

Win2K supports FAT, FAT32, and NTFS. Keep in mind that the Windows 9x platform doesn't support NTFS. So if you're setting up a dual-boot system, use FAT or FAT32 for any partition that needs to be visible to both operating systems.

Hardware Devices and Drivers
The hardware management section of this exam really relies on experience. If you've set up your share of computers, exam questions that cover these objectives will be pretty straightforward. If you haven't, get your hands on some hardware.

Win2K supports a new type of disk, called the dynamic disk. When you first install a hard drive, it's a basic disk. To upgrade to a dynamic disk, you need at least 1MB of unallocated space. Know the vocabulary for both types of disks. For example, you create partitions on basic disks and volumes on dynamic disks.

As a new feature, Win2K supports multiple monitors. You need a PCI or AGP video card for each monitor you want to install. After installing the second monitor, use Display properties to extend the desktop to that monitor.

Tip: A useful Knowledge Base article is 238886, "How to Set Up and Troubleshoot Multiple Monitors in Win2K."

Many other hardware topics are fair game, too. Take a look at the different icons available in the Control Panel, including Modems, USB devices, IrDA devices, and PC Cards. See the official prep guide for a complete list of devices.

Tip: You can install many devices even if they're not connected to your computer. You don't have a modem? Open Phone and Modem Options in the Control Panel and simply add a standard modem. Then take a look at the configuration options on a typical modem!

You also need to know how to update drivers. Use Device Manager to open the properties for devices you want to update and use the Update Driver command. You should also be familiar with Windows Update on the Microsoft Web site.

System Performance and Reliability
Driver signing is new to Win2K. Microsoft has digitally signed drivers to help ensure quality. Drivers need to meet certain testing criteria before they can be signed. As an administrator, you can configure how the computer responds to signed and unsigned drivers. The default is to display a warning when it detects an unsigned driver. Other options include ignoring unsigned drivers and preventing their installation.

Know how to configure offline files. By default, Win2K Pro is enabled to use offline files while Server isn't. Even though Win2K Pro is enabled to use offline files, you still need to select the folders and files you want to make available offline. Use Synchronization Manager to control how those files synchronize with the network. You can synchronize files at log-on or log-off, when your computer is idle or according to a specific schedule. You can also create different synchronization rules, depending on the network connection the computer is currently using.

Optimizing your computer's performance is similar to the way it's done with NT 4.0. System Monitor is essentially Performance Monitor in new clothes: the MMC. Understand when you need an additional CPU or just more memory. Hardware profiles are also similar to NT. They're most often used with laptop computers to manage a docked vs. undocked environment.

Tip: Generally, you should disable devices you don’t need under a specific profile.

Windows Backup is your basic tool for backing up data and the system state data. The system state data on a Win2K Pro computer includes the registry, boot files, and COM objects. Be aware that you can back up and restore data locally or remotely. Backup or restoration of the system state data must be done locally.

There are new options for troubleshooting boot problems. Safe mode loads a minimal driver set during startup. You can also boot to the command-line Recovery Console. The Recovery Console can be used to start and stop services, read and write data on a local drive, and format disks.

The Desktop Environment

New desktop options include Regional Options, Faxing, and Accessibility Options. Take a look at each of these topics. With Regional Options, you can configure the computer to read and write documents in multiple languages. Fax tools include Fax Queue, which is used to view, cancel,

Page 7 • MCSA: Security on Windows 2003 (c) 2004 101communications LLC, http://certcities.com, http://mcpmag.com

MCSA: Security Guide


resume or pause a sent fax, and Fax Service Management, which is used to configure your fax device.

Another important topic: Windows Installer packages. This includes knowledge of AD, because Windows Installer packages can be deployed to users or computers through Group Policy.

Tip: Although you don’t need an in-depth understanding of AD to pass this exam, you do need a basic understanding of its features, including domains, trees, forests, OUs and group policy.

Know the file types associated with a Windows Installer package and the use for each type of file. .MSI files are Windows Installer packages; .MST files transform an installation. Make sure you understand the difference between assigning an application to a user or a computer and publishing an application to a user. When you publish an application, it appears in Add/Remove Programs in Control Panel, and the application will automatically install if the user tries to open a document supported by that application (document invocation).

What’s the difference between assigning an application to a user and publishing an application to a user? Assigning creates shortcuts to the application in the user’s Start menu, which will automatically install the application the first time a user attempts to use it; publishing doesn’t. Also, applications that don’t support the new Windows Installer format can’t be assigned; they can only be published. Applications assigned to computers are automatically installed the next time the computer boots.

Network Protocols and Services

If you’ve taken the NT 4.0 Workstation exam or one of the Windows 9x exams, you may be surprised by the amount of networking knowledge needed to pass this test. In the preparation guide, Microsoft states that this exam is intended for people who have at least a year of experience working with desktop operating systems in a network environment. As a result, you need a solid understanding of TCP/IP and network services. For example, while you may not be asked how to configure a DHCP server, you certainly need to understand how DHCP works and how to troubleshoot a DHCP client.

Dial-up networking is alphabet soup. You need to know authentication protocols backwards and forwards, including EAP, MS-CHAP v2, MS-CHAP v1, CHAP, SPAP, and PAP. You also need to know the PPTP and L2TP VPN protocols. When you create a dial-up connection, you can share it with ICS, Internet Connection Sharing. Understand how to set up ICS and how it works. This is a really neat feature for connecting a small network, like the one in your house, to the Internet.

Security

EFS, the Encrypting File System, is a new feature of NTFS. Be aware that you can’t compress encrypted files. Only the person who encrypted a file or the designated Recovery Agent can decrypt that file. Note that this will cause problems if you try to share an encrypted file! Only the owner of the file or Recovery Agent will be able to open it. Because EFS is an NTFS feature, encrypted files and folders are decrypted if you copy them to FAT or FAT32 volumes. Also, be careful when you copy encrypted files and folders to a different computer. The encryption certificate and private key that are used to decrypt the files are needed on that computer. If they aren’t there, you won’t be able to open the files.

Be aware that the test objectives mention both local and domain user accounts. Local user accounts are stored on the local computer and typically used in a workgroup environment. Domain user accounts are stored in AD and allow the user access to domain resources. This may “only” be the Pro exam, but you still need to spend a little time looking into AD accounts.

Other security topics include auditing, account policy and user rights. These are configured on the local computer through Local Security Policy. Account policy includes password settings, such as the minimum password length, and lockout settings, such as the number of failed logon attempts before the system locks you out.

User rights include items such as the rights to back up files and directories and to shut down the system. When you create an audit policy, be aware that auditing files, folders or printers requires two things: you need to audit object access, and configure auditing on the specific file, folder or printer you want to audit.

Finally, take a look at security templates. You use them to apply security settings to the computer. There are standard templates for basic, secure and high security installations (basicws.inf, securews.inf and hisecws.inf, respectively). Don’t use the hisec templates unless you have a Win2K-only environment. Computers running the hisec templates can’t communicate with older Windows clients!

Tip: You’ll find these Knowledge Base articles useful: 234926, “Windows 2000 Security Templates Are Incremental,” and 223316, “Best Practices for Encrypting File System.”

A Few Final Exam Tips

When you’re facing your exam, remember to read carefully. Questions tend to be long. It’s easy to miss the one sentence in the middle of the question that changes everything. Also, know both how things work and the recommended approach. One question may ask the best way to perform a task. When you read the set of possible answers, more than one answer will always satisfy the requirements of the question. In this case, you need to choose the best answer. Another question may simply ask you to choose the correct answer. The list of possible answers doesn’t provide the best possible solution, but one of the answers does solve the problem.

Jill Gebelt has been a computer science instructor and a river guide, and is an independent contractor in northern California.


Exam 70-270 is true to the Microsoft nature of certification exams: tricky but fair. Even though this test isn’t nearly as difficult as some of the others I’ve faced, it certainly warrants a reasonable amount of preparation to pass. Don’t assume because you know Windows 2000 Professional inside and out that you’ll get through this ordeal on that knowledge alone. Consider it much more a test of Windows XP’s features than tried-and-true, client-side concepts.

The Quest Begins with Installation

Our trek through Windows XP starts at installation. Before you venture into the tense world of Windows administration, you have to install the software. What are the absolute minimum requirements for XP? Also, what’s involved in upgrading an existing machine to XP? Part of this task is knowing which operating systems can be upgraded and which can’t.

Study up on the ins and outs of installation. For example, do you truly understand licensing and activation for XP Professional?

Be certain you can perform unattended installations by using any of the methods available in Win2K Professional, such as sysprep and RIS.

Tip: Look into the command-line methods for running installs. It’s probably a good idea to examine exactly what’s different between installs of Win2K Professional and XP Professional.

The Journey Continues with Permissions

Once you’ve successfully installed XP Professional, you can look forward to having all sorts of fun at your next stop — permissions. File permissions are tremendously important for securing your machines. Make sure you understand the difference between share-level and NTFS permissions, and remember the “most restrictive” rule.

Also know how to configure and troubleshoot printers. Remember that a printer is the software that’s installed on the machine, and the print device is the actual printer. Make sure you understand the different levels


By Chris Golubski

Administering Windows XP Professional (70-270)

Full Exam Title
70-270: Installing, Configuring, and Administering Windows XP Professional

Reviewer’s Quick Take
“This exam covers everything you’d need to know about Windows XP administration. But don’t take this one until you’ve had some solid server experience.”

Official Objectives
http://www.microsoft.com/learning/exams/70-270.asp

Microsoft’s Recommended Training
Course 2272: Implementing and Supporting Windows XP Professional (5 days)
Course 2285: Installing, Configuring, and Administering Windows XP Professional (2 days)

Although it’s not the toughest in Microsoft’s pocket, this exam thoroughly tests your knowledge of the company’s popular desktop client.

70-270: Installing, Configuring, and Administering Windows XP Professional


20 Things to Practice: 70-270

1. Perform an attended installation of Windows XP. Note the differences between the Windows 2000 Professional installation and this one. Once installed, take notice of the activation process.

2. Install a Win2K Server with DHCP, DNS and Active Directory. Install XP by using RIS.

3. Run an upgrade from Win2K Professional to XP. Note which settings are migrated and which aren’t.

4. Create a series of shared folders on an NTFS partition. Assign different share permissions to a group as well as different NTFS permissions and note the interaction between the two.

5. Install and configure fax support for both an internal modem and an external fax machine, if available. Configure XP to answer incoming calls on both devices.

6. Install a Win2K Server and write a group policy to allow Offline Files.

7. Install XP Professional and configure it to receive Windows Update packages from a local network share instead of the Microsoft Web site.

8. Install multiple USB devices using a USB root hub.

9. Install an invalid video or other driver. Use the Driver Rollback function to restore the system to its original state.

10. Back up an existing copy of XP Professional. Format the hard drive and restore the backup to return the system to its previous state.

11. Create a standard profile to be displayed to all users of the workstation. Create the profile in mandatory and non-mandatory form.

12. Configure a Win2K Routing and Remote Access Server. Create a VPN connection on the XP machine to connect to the server. If possible, do this with several operating systems and experiment with different types of security.

13. Install and configure Internet Connection Sharing on an XP Professional machine. Then configure another machine to access the Internet with the shared connection.

14. Install and configure Internet Connection Firewall on an XP Professional machine to allow only HTTP traffic in (port 80). Then configure a Web site on that machine and attempt to connect to that site from another machine.

15. Configure Encrypting File System (EFS) on the system. Attempt to open encrypted files with a normal user account different from the file’s owner and the administrator account.

16. Apply different security policies to an XP Professional machine, such as BASICWKS and HISECWKS. Note the differences between the policies.

17. Configure Internet Explorer to use different security settings. Attempt to view Web pages with different items, such as ActiveX controls, Java applets, and pages that allow cookies.

18. Install and configure a printer on an XP Professional machine. Experiment with the Full Control, Manage Documents and Print permissions.

19. Install and configure XP Professional to use multiple languages for different users. Enable multiple users to switch between languages while they’re logged in.

20. Install and configure Remote Assistance on an XP Professional machine. Connect to it with another PC.

of permissions on printers. You should also have a basic understanding of how to manage IIS. Know how to create Web folders to be shared on an intranet and how to enable the different mechanisms of authentication. Anybody with knowledge and experience with Win2K Server should likewise have expertise with IIS.

It’s also imperative that you understand the file systems. Remember, FAT32 doesn’t have file-system-level permissions and is used for backward compatibility with Windows 95 and 98. In almost all circumstances, you’re probably going to want to use NTFS. Know how to use the convert command in case you need to do a file system conversion.

In addition to regular file systems, you need to understand how to configure and administer Offline Files. Offline Files allow users to synchronize with the network, then disconnect and go about their business. When they connect back to the network, voila! The files are “automagically” synchronized with the ones on the server.

Tip: Know the nitty-gritty details of file system conversions. Make sure you can handle dual boot situations as well.

Climbing Higher with Hardware

The next stop on your journey involves hardware installation and configuration. Of course, being a network or support professional, you already know how to install and configure a sound card. Learn how to handle the really nifty devices like USB root hubs, infrared devices and digital cameras. Make sure you understand how to recognize any problems that may occur and take the appropriate action. For instance, you should study up on the differences between Last Known Good Configuration, Safe Mode, and the new Driver Rollback feature. Driver Rollback is used to replace an upgraded driver with its previous version.

Just like in Win2K, it’s important to understand how driver signing works. Be certain you can modify security settings on the machine or domain to implement a policy that allows or disallows a user to install signed drivers. In some cases, it may be convenient to allow users to install customized unsigned drivers; on the other hand, it may provide myriad disasters.

Also, take a look at video issues. Be sure you can detect whether there’s a problem with the refresh rate of the monitor or whether the driver is corrupted. And if you do detect the problem, make sure you know the appropriate solution.

Along with expert administration and support ability comes the skill of performance tuning and optimization. This particular task involves monitoring the processor, memory, disk and other components that are used on the system and ensuring they run efficiently and effectively. Make sure you know how to use System Monitor and can identify when a particular section of the machine is performing acceptably (and when it’s not).

Tip: Just because the processor runs at a high utilization rate doesn’t mean that the processor is the item that needs to be upgraded or replaced. Insufficient memory or a slow hard drive may cause the problem.

Getting Closer to Users

If you work for a large organization, it’s possible that you have users who travel internationally or speak multiple languages. That’s why you need to have a firm understanding of multinational settings. Be sure you can configure XP Professional to give users access to different languages. Learn how to instruct users to implement this functionality.

While we’re on the topic of user settings, make sure you understand user profiles and how to implement both varieties: local and roaming. Know how to enable accessibility settings for any users with physical impairments. Also, review Windows Installer settings for application installation and deployment. Remember, Windows Installer packages are usually installed by a group policy that’s implemented on a Win2K Server.

Also critical to any kind of environment are network settings, especially TCP/IP. If you don’t know about name resolution methods like DNS and WINS, I’d recommend getting some knowledge on them. Make sure you understand the basics of troubleshooting, like how a subnet mask operates and what a default gateway is. Can you understand a network diagram and troubleshoot a given problem?

In addition to local area network settings, you need to be able to configure remote access networks. For instance, if your computer uses a smart card to log on, you’ll need to use the EAP protocol. Study the different levels of encryption supported by XP as well as other operating systems.

Tip: Be able to configure a client to use a VPN that’s Win2K-based.

Almost There with ICF and EFS

One of the most prominent features to be added to XP is the Internet Connection Firewall (ICF, for short). The ICF serves as a personal firewall for clients. Know how to configure and troubleshoot the ICF on a machine. You should be familiar with the common ports used for Internet protocols. Ports 80, 443, 21, and 389 should all ring a bell — in order, HTTP, SSL, FTP, and LDAP.

XP Professional also has some of the tried-and-true functionality of Win2K, such as Encrypting File System, or EFS. EFS allows users to encrypt files that nobody else can use. By default, not even the administrator can use them unless he or she is acting as the Recovery Agent! You should have a basic understanding of EFS and know the best way to implement it for a given situation. For example, it might not be necessary to encrypt an entire directory when only one encrypted file is needed. Everything should be evaluated on a case-by-case basis. Make sure you know how to recover from a disaster and access encrypted files from users who have left your company.

Tip: Make sure you look over Internet Explorer security settings as well. Know the difference between the levels that are offered.


Windows Server 2003 offers many new features and services beyond those found in Windows 2000 and the 70-290 exam reflects some of those differences. If you’ve taken exams in the past and you’ve already run across Exam 70-218, Managing a Microsoft Windows 2000 Network Environment, you can expect some familiar topics: AD, EFS, IIS, DNS and DHCP to name a few.

The 70-290 exam is similar in many respects as far as content, but includes additional topics such as DNS zone types offered in Windows Server 2003 and IAS and RRAS, which aren’t as heavily tested in the Windows 2000 exam. Exam 70-290 concentrates on using Windows Server 2003 and network management. You’ll need to demonstrate expertise in the areas of permissions, profiles, system backup, disk management and a familiarity with new product features such as Automated System Recovery (ASR) and Volume Shadow Copy. You’ll also need to dive into security from a Microsoft perspective to prepare for this exam, since it’s become more of a focus for the product.

What you probably won’t be impressed with in this exam is its engine. The text is lengthy, scroll bars are touchy and the screen is often split into three sections with lots of white space that you must scroll around in to move to the next question.

I tackled 70-290 in its beta form, but the live exam is similar. However, my intent in this review is to help you prepare for the test by covering some of the objectives listed in the exam preparation guide.

Working with Devices

You’ll need to demonstrate expertise with managing and maintaining physical and logical devices. As an administrator or engineer you should be expected to understand Basic and Dynamic disks, RAID configuration


70-290: Managing a Windows Server 2003 Environment

You might consider yourself a security expert. Even so, this exam makes sure you’re ready by testing you on a mix of security, permissions, and backup topics, with a heaping scoop of Windows 2003-specific features thrown in.

By Andy Barkl

Managing a Windows 2003 Environment (70-290)

Full Exam Title
70-290: Managing and Maintaining a Windows Server 2003 Environment

Reviewer’s Quick Take
“This exam is ‘wordy’ and requires expertise with Windows permissions, profiles, system backup, disk management and a familiarity with a few new server management features, ASR and Volume Shadow Copy.”

Official Objectives
http://www.microsoft.com/traincert/exams/70-290.asp

Microsoft’s Recommended Training
• Course 2274: Managing a Windows Server 2003 Environment (5 days)
• Course 2275: Maintaining a Windows Server 2003 Environment (3 days)

and troubleshooting, driver signing and the use of tools such as Device Manager and Hardware Troubleshooting Wizard.

As a reminder, basic disks can be converted to dynamic with no data loss but require backup and restore to revert back to basic. Dynamic disks are required for disk striping, mirroring and striping with parity.

Tip: When repair is necessary for a RAID 1 member, the mirror is first removed, the failed member disk replaced, and the mirror recreated.

When updating drivers with Device Manager, the system driver signing includes the options for Ignore, Warn (the default) and Block. Familiarize yourself with Device Manager and the warning and disabled icons found when problems are present on installed devices.

Users, Computers and Groups

The next objective, ‘Managing Users, Computers and Groups,’ includes many topics, so you should be prepared to face many questions that fall into this category.

Taking the 70-210 or 70-270 client OS exam before 70-290 will help. That ensures you’ll have a healthy introduction to profile management, user and group accounts, permissions and troubleshooting.

The difference for this exam is you’ll need to think more on a server and network level rather than from the lone client desktop perspective.

Tip: These new exams include topics not necessarily on the list of official exam objectives as posted from Microsoft. Better get used to it! For example, although there’s no mention of printers in the official exam objectives, you should be prepared! After all, printers are bound to be part of a production Windows 2003 network.

ADUC, Active Directory Users and Computers, is the MMC snap-in used to create user and group accounts, manage user profiles and group membership. It includes the Delegation of Control Wizard, which is used to assign administrative permission at the Organizational Unit (OU) level.


70-290: 10 Things to Practice

1. Configure and troubleshoot shared folder permissions again, and again and again. Create different scenarios for your family and friends group accounts. Be the network administrator!

2. Configure Volume Shadow Copy Service on your server and don’t turn it off. (This has got to be one of the coolest new features of Windows Server 2003!) Load the client component and restore previously deleted files.

3. Run Automated System Recovery, even if you don’t want to simulate a dead server. Be sure to follow the steps I outline in the main article and in the help files.

4. Download and install Software Update Services on your server. Download the latest Windows updates and configure the client to use your SUS server.

5. Run server backups if only to a file as the destination. Just as important, restore the backups and verify EFS, compression and NTFS permissions remain the same.

6. Create and assign permissions to printer users and change them for fun! Find out what happens when you stop the printer spooler service.

7. Create a few group policies and explore the different computer and user settings available. Link a GPO to a parent OU and view the results of computer and user account changes within child OUs with and without Block Policy Inheritance and No Override.

8. Create user accounts in Active Directory for your family and friends. Add them to groups and log on with their accounts from a client or a second server. Change group scope and membership, and practice using AGUDLP.

9. Configure inheritance and inheritance blocking with AD objects. Set permissions and view their effects when accessed by different family members and friends.

10. Configure and recover RAID arrays. Get at least three small hard drives and create a stripe, mirror and stripe set with parity configuration. Disconnect one of the RAID 1 or 5 drives and reconnect for a recovery scenario. Watch how Windows 2003 behaves and the warning and error messages it displays.

Windows 2000 and 2003 both include two types of groups, Security and Distribution. Security groups are used in the traditional sense to group users for permissions to network resources. Distribution groups are used for e-mail only.

Tip: Remember AGUDLP. If you’re not familiar with the way Windows is designed for managing folder and file permissions, you need to study! Accounts are placed into Global Groups, which are placed into Universal Groups, which are placed into Domain Local Groups, where Permissions are assigned. Accounts can also be placed directly into DL groups.

Active Directory objects such as user, group and computer accounts all have permissions assigned that can be inherited from higher levels or removed by using Block Inheritance.

If you’ve worked with Windows 2000, then you know that Group Policies enable centralized management of user and computer settings throughout the network. GP Objects or GPOs can be used to perform a variety of administrative tasks, including configuration of desktop settings, control of security settings, assignment of scripts, redirection of folders and software distribution. Group Policies are inherited by child domains from sites or child OUs within domains unless you enable Block Policy Inheritance, which can be reversed with No Override at a higher level. You can also filter inheritance with Read and Apply Group Policy permissions at the user or group level.

Resources

The objective Managing and Maintaining Access to Resources encompasses shared folder permissions and Terminal Services, among other topics.

Administrators and Server Operators have the default rights to create and manage shared folders. Read, Change and Full Control are still present and cumulative. NTFS permissions are also cumulative but the most restrictive prevails when combined with shared folder permissions. Deny overrides all other permissions!
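The “most restrictive” rule mentioned in the 70-270 review and the cumulative/Deny rules stated here are easy to get wrong on an exam, so here is an added example (not from the guide and not Microsoft code) that works them through for a constructed share, its NTFS ACL and three users. Group names, users and the Deny-cap simplification are assumptions made for illustration.

```python
"""Effective access to a file reached through a network share.

Added example, not from the guide and not Microsoft code. It models the rules
the review states: share permissions (Read, Change, Full Control) accumulate,
NTFS permissions accumulate, an explicit Deny overrides any Allow, and when a
user comes in over a share the more restrictive of the two results prevails.
The share, groups and users below are constructed for illustration.
"""
from dataclasses import dataclass

# Access levels from weakest to strongest; higher levels imply the lower ones.
LEVELS = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}
NAMES = {value: name for name, value in LEVELS.items()}


@dataclass(frozen=True)
class Ace:
    """One access control entry: Allow (default) or Deny a level to a principal."""
    principal: str
    level: str
    allow: bool = True


def resolve(acl, principals):
    """Combine every ACE that applies to the user or one of their groups.

    Allows accumulate to the highest level granted. A Deny caps the result
    below the denied level (Deny Change still leaves Read, Deny Read leaves
    nothing), and it wins regardless of the order of the entries. This cap
    is a simplification of the real per-right NTFS evaluation.
    """
    granted = LEVELS["None"]
    ceiling = LEVELS["Full Control"]
    for ace in acl:
        if ace.principal not in principals:
            continue
        if ace.allow:
            granted = max(granted, LEVELS[ace.level])
        else:
            ceiling = min(ceiling, LEVELS[ace.level] - 1)
    return min(granted, ceiling)


def effective_access(share_acl, ntfs_acl, principals, via_share=True):
    """Return the level a user ends up with on a file.

    Over the network both ACLs apply and the most restrictive wins; at the
    console (via_share=False) only the NTFS permissions count.
    """
    ntfs = resolve(ntfs_acl, principals)
    if not via_share:
        return NAMES[ntfs]
    return NAMES[min(resolve(share_acl, principals), ntfs)]


# Constructed scenario: a "Projects" share on an NTFS volume.
SHARE_ACL = [
    Ace("Everyone", "Read"),
    Ace("Sales", "Change"),
]
NTFS_ACL = [
    Ace("Sales", "Full Control"),
    Ace("Contractors", "Change", allow=False),  # explicit Deny
]

# Each user's token: their own name plus the groups they belong to (constructed).
ALICE = {"alice", "Sales", "Everyone"}
BOB = {"bob", "Sales", "Contractors", "Everyone"}
CAROL = {"carol", "Everyone"}

if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        over_share = effective_access(SHARE_ACL, NTFS_ACL, token)
        at_console = effective_access(SHARE_ACL, NTFS_ACL, token, via_share=False)
        print(f"{name:6} share={over_share:13} console={at_console}")
```

Alice gets Change over the share but Full Control at the console, Bob’s Sales membership is capped to Read by the Deny, and Carol’s share-level Read is worthless without any NTFS grant.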

Files and folders can be encrypted with EFS, which requires NTFS. Don’t forget to brush up on how folder and file permissions can change or stay the same when copying or moving within a drive or between drives.

The names have changed slightly. Windows 2000 Terminal Services remote administration mode is called Remote Desktop for Administration in Windows Server 2003. There have been many improvements made to Terminal Services, but it still operates the same, and daily administration hasn’t changed much. However, expect coverage on the exam around such areas as licensing and remote connection management.

The Server Environment

In the objective Managing and Maintaining a Server Environment you’ll find coverage of topics such as Event Viewer, System Monitor, software updates (including the functionality of Microsoft’s Software Update Service or SUS), Remote Assistance, disk quotas, print queues, performance objects and IIS 6.0.

Event Viewer is the first resource most administrators refer to when checking, monitoring and troubleshooting application, security and system events. It allows you to filter displayed logged events by date, time, user and many other options.

System Monitor is the tool of choice when monitoring system activity in real time. Make sure you understand the most popular object counters such as % Processor Time, % Disk Time, Pages/Second and Page Faults for memory objects.

New to the Windows Server 2003 exams is SUS. Although it’s an add-on component in a Windows network, it’s required these days for deploying and managing client and server critical updates. Through the Automatic Updates option built in since Windows 2000, client computers can be redirected to internal SUS servers instead of windowsupdate.microsoft.com. This allows administrators to better plan, test and track changes.


Tip: SUS requires IIS!

Speaking of IIS, another new version has arrived: 6.0. It’s more secure by design and out of the box. In the course of your studies and experimentation, remember: This exam is about server and network administration. Spend time understanding IIS topics around Web sites, virtual and physical directories, files and host and CNAME records in DNS.

Tip: Multiple Web sites can be hosted on a single IIS server with unique IP addresses, port numbers or host headers.

Disaster Recovery

Included in the final objective on the list, Managing and Implementing Disaster Recovery, you’ll find coverage of ASR, VSS, backing up files and system state data, configuring security for backup operators, verifying backup jobs, managing media, restoring and scheduling backups and recovering from server hardware failures.

Automated System Recovery (ASR) allows you quickly and automatically to bring a non-bootable machine to a state where you can run a restore program to recover data. ASR will configure the new storage devices and restore the operating system, all applications and settings. The process for recovering a system using ASR is as follows:

1. Boot from a Windows Server CD and choose Automated System Recovery.

2. Provide access to the backup media and a pre-prepared ASR floppy.

3. Take a break. You’ll come back to a working server with the operating system.

To use ASR, you have to prepare an ASR backup first. An ASR backup is a regular system backup plus the ASR floppy disk. This disk contains important configuration information about the server’s storage system as well as information on how to restore the backup.

When you boot from the product CD and press the F8 key, you’ll enter the ASR bootstrap program. The ASR code in Windows setup knows how to read the ASR floppy disk to reconfigure the server’s storage system. ASR will automatically invoke the restore program to restore the rest of the data from the ASR backup.

Volume Shadow Copy Service (VSS) is another new feature, which allows administrators to create a point-in-time copy of user files that the user can access and restore when previous versions are needed. These snapshots can save both IT staff and users a whole lot of time usually spent waiting for manual restore operations of accidentally deleted files from tape. As the server administrator you can schedule the copy time, for instance twice a day at 0700 and 1200 hours, five days a week. If the amount of user data is great and changes often, you can even store this data on alternate server volumes!

If you have hosts other than Windows Server 2003 such as XP, Windows 2000 with SP3 or Windows 98, you’ll need to install the shadow copy volume component available on the XP product CD (%Windir%\System32\Clients\Twclient\X86 or download it from http://www.microsoft.com) to enable the use of previous file access and restore. Once configured per volume, users will find the Previous Versions tab in the properties selection for files and folders on network shares. Users can then select View, Copy or Restore; they’ll be presented with a list of read-only file and folder copies they can access. For more information see the white paper, “Introduction to Shadow Copies of Shared Folders,” at http://download.microsoft.com/download/f/3/d/f3da10e8-c9fd-454d-9a54-c765d738449d/SCR.doc.

Data and system backups are still a must with Windows 2003 even with all the new file management services. Make sure you understand the nuances of backup, such as which is the fastest backup type (full, incremental or differential) and which is the fastest to restore or uses the fewest number of tapes. The answers to these questions are the same as they’ve always been! Incremental is the fastest but starts with a full backup. Differential offers the fastest restore, but full backup uses the least amount of tape per backup cycle.
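The following Python script is an added illustration, not part of this guide: it simulates a one-week backup cycle over a constructed set of daily file changes (the file names and sizes are made up) and tallies, for each backup type, how much each nightly job writes, how much tape a whole cycle consumes and how many backup sets a Friday-evening restore has to read. The archive-bit rules in the docstring are the standard ones the three types follow.

```python
"""Compare full, incremental and differential backups over a constructed week.

Archive-bit semantics: a full backup copies everything and clears the bit on all
files; an incremental copies files changed since the last backup of any kind and
clears the bit; a differential copies files changed since the last full backup
and leaves the bit set, so each differential grows until the next full.
"""

# Constructed change log: day 0 is the weekend full backup (every file is new),
# days 1-5 list the files modified that day with their size in MB.
DAILY_CHANGES = [
    {"os.dat": 400, "app.dat": 200, "users.dat": 300},  # Sun: initial full
    {"users.dat": 300},                                 # Mon
    {"app.dat": 200},                                   # Tue
    {"users.dat": 300, "log.dat": 50},                  # Wed: a new file appears
    {"log.dat": 50},                                    # Thu
    {"users.dat": 300},                                 # Fri
]


def simulate(scheme, daily_changes=DAILY_CHANGES):
    """Return one backup set per day: {"kind": ..., "files": {name: MB}}."""
    if scheme not in ("full", "incremental", "differential"):
        raise ValueError(f"unknown scheme {scheme!r}")
    current = {}      # latest version of every file on the server
    since_full = {}   # files with the archive bit set since the last full
    since_any = {}    # files with the archive bit set since the last backup
    sets = []
    for day, changes in enumerate(daily_changes):
        current.update(changes)
        since_full.update(changes)
        since_any.update(changes)
        if day == 0 or scheme == "full":
            kind, copied = "full", dict(current)
            since_full.clear()
            since_any.clear()
        elif scheme == "incremental":
            kind, copied = "incremental", dict(since_any)
            since_any.clear()
        else:  # differential: the archive bit stays set, so the set keeps growing
            kind, copied = "differential", dict(since_full)
        sets.append({"kind": kind, "files": copied})
    return sets


def restore_set(sets):
    """Backup sets (tapes) needed to rebuild the newest state of the server."""
    last_full = max(i for i, s in enumerate(sets) if s["kind"] == "full")
    needed = [sets[last_full]]
    later = sets[last_full + 1:]
    if later and later[-1]["kind"] == "differential":
        needed.append(later[-1])   # full + the most recent differential only
    else:
        needed.extend(later)       # full + every incremental taken since it
    return needed


def mb(backup_set):
    return sum(backup_set["files"].values())


def summarize(scheme):
    """Per-day write volume, cycle total and restore cost for one scheme."""
    sets = simulate(scheme)
    needed = restore_set(sets)
    return {
        "daily_mb": [mb(s) for s in sets],
        "cycle_mb": sum(mb(s) for s in sets),
        "restore_tapes": len(needed),
        "restore_mb": sum(mb(s) for s in needed),
    }


if __name__ == "__main__":
    for scheme in ("full", "incremental", "differential"):
        print(f"{scheme:13s}", summarize(scheme))
```

Run it and compare the three dictionaries: the incremental job writes the least each night but needs every set since the full to restore, while the differential restore reads only two sets.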

Tip: Backup of the System State includes the system files, the registry, Component Services, the Active Directory database and Certificate Services.

Running the backup program still requires either Administrator or Backup Operator permission. To run the backup program using Task Scheduler, you’ll need to be a member of the Administrators, Backup Operators or Server Operators group.

Server hardware failures happen! Windows 2003 offers ASR, but that doesn’t address all troubleshooting and repair needs an administrator may have. Other resources include Performance console, Task Manager and Recovery Console. Make sure you understand which tool to use when the fatal time comes as well as how each serves a different purpose. Be sure to study each one and get the hands-on necessary to show your expertise!


Tip: These new exams include topics not necessarily on the list of official exam objectives as posted by Microsoft. Better get used to it!

Like Exam 70-290, this exam has similarities to 70-218, Managing a Microsoft Windows 2000 Network Environment, which is required for Windows 2000 MCSAs. The exam requires that you know the gamut of security-related abbreviations, including: TCP/IP, DNS, DHCP, RRAS. Never had experience with Microsoft ISA Server? You may encounter it in this exam, so you should get cozy with it too. Herewith, a review of the study areas I believe you should focus on in your preparation.

IP Addressing

The first exam objective that Microsoft lists is Implementing, Managing, and Maintaining IP Addressing. For this test you’ll be expected to demonstrate knowledge of TCP/IP addressing and all facets of DHCP, including scopes, relay agents, reservations, databases, Automatic Private IP Addressing (APIPA) and a little troubleshooting of all the above.

You may find a few subnetting questions, misconfigured subnet masks and gateways, the ever-present APIPA “default” addressing (169.254.x.x) and IPconfig results with errors to diagnose.
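As an added example (my own code, not from the guide), here is a Python checker that reads IP address, subnet mask and default gateway out of ipconfig-style text (the sample text is constructed in that layout) and reports the misconfigurations the exam likes to show: APIPA fallback, an invalid mask, a host set to its network or broadcast address, and a gateway outside the host’s subnet. It also does the subnetting arithmetic for an arbitrary prefix, which goes beyond the classful cases.

```python
"""Diagnose a host's IP configuration the way you would read ipconfig output.

Checks: APIPA (169.254.x.x) fallback, invalid subnet mask, host address equal
to the network or broadcast address, and a default gateway that is not on the
host's own subnet. Works for any IPv4 prefix, not only the classful cases.
"""
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed text in the layout of Windows ipconfig output (not a real capture).
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.10.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.11.1
"""

FIELD = re.compile(r"^[ \t]*(IP Address|Subnet Mask|Default Gateway)[ .]*:[ \t]*(\S*)", re.M)


def parse_ipconfig(text):
    """Pull IP, mask and gateway out of ipconfig-style text (first adapter wins)."""
    found = {}
    for name, value in FIELD.findall(text):
        found.setdefault(name, value)
    return found.get("IP Address", ""), found.get("Subnet Mask", ""), found.get("Default Gateway", "")


def subnet_info(cidr):
    """The subnetting arithmetic the exam expects you to do by hand."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 30:
        raise ValueError("prefix longer than /30 has no usable host range")
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,
        "mask": str(net.netmask),
    }


def diagnose(ip, mask, gateway):
    """Return a list of findings; an empty list means the configuration looks sane."""
    findings = []
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"{ip!r} is not a valid IPv4 address"]
    if addr in APIPA:
        return ["APIPA address 169.254.x.x: the client got no answer from a DHCP server"]
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError:
        return [f"subnet mask {mask} is not valid (must be contiguous ones, e.g. 255.255.254.0)"]
    net = iface.network
    if net.prefixlen <= 30:
        if addr == net.network_address:
            findings.append(f"{ip} is the network address of {net}, not a host address")
        elif addr == net.broadcast_address:
            findings.append(f"{ip} is the broadcast address of {net}, not a host address")
    if not gateway:
        findings.append("no default gateway: only the local subnet is reachable")
    else:
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError:
            return findings + [f"default gateway {gateway!r} is not a valid address"]
        if gw == addr:
            findings.append("default gateway is the host's own address")
        elif gw not in net:
            findings.append(f"default gateway {gateway} is not on the host's subnet {net}; check the mask or the gateway")
    return findings


if __name__ == "__main__":
    print(diagnose(*parse_ipconfig(SAMPLE_IPCONFIG)))
    print(subnet_info("172.16.5.77/20"))
```

The sample configuration fails only the gateway check: the mask is fine, but 192.168.11.1 is not on 192.168.10.0/24, so the host can never reach its router.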

When it comes to DHCP, not much has changed in Windows 2003. You’ll need to display knowledge of server placement (local, remote or in the middle). If you place servers locally, DORA (Discover, Offer, Request and Acknowledgement) traffic remains on the segment; but if the local server is unavailable or out of addresses, the recommended 75/25 rule should be followed: Place 75 percent of your scope’s addresses on the local server and 25 percent as backup on a remote-segment server.

Tip: Windows 2003 DHCP can use Windows Clustering. This allows two or more servers to be managed as a single system and allows a local backup server.

You should know how to calculate, configure and troubleshoot such a split. Configuring scopes with options such as router (003), DNS server address and domain name, and WINS (044 and 046) options, and understanding the default name resolution order is required knowledge for this exam. The DNS name resolution order is: local cache, hosts file, DNS, WINS, broadcast and LMHOSTS file.
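To make the 75/25 split concrete, this added Python example (not from the guide) computes, for a constructed scope, the range each server leases and the range it must exclude, verifies the two halves neither overlap nor leave a gap, and simulates clients leasing addresses so you can see the remote server take over once the local one is empty. The simulation assumes the local server always answers first while it has addresses; in practice the client simply takes the first offer it receives.

```python
"""Work out and check a 75/25 DHCP scope split between a local and a remote server.

Both servers define the identical scope (same subnet, same options); each one
excludes the addresses the other hands out, so no address is ever leased twice.
"""
import ipaddress


def split_scope(first, last, local_share=0.75):
    """Return, per server, the range it leases and the range it must exclude."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if hi < lo:
        raise ValueError("scope end precedes scope start")
    total = hi - lo + 1
    local_count = round(total * local_share)
    if not 0 < local_count < total:
        raise ValueError("share leaves one server with no addresses")
    boundary = lo + local_count   # first address that belongs to the remote server

    def as_ip(n):
        return str(ipaddress.ip_address(n))

    local = (as_ip(lo), as_ip(boundary - 1))
    remote = (as_ip(boundary), as_ip(hi))
    return {
        "local": {"leases": local, "exclude": remote},
        "remote": {"leases": remote, "exclude": local},
    }


def _addresses(rng):
    a, b = (int(ipaddress.ip_address(x)) for x in rng)
    return list(range(a, b + 1))


def verify_split(split, first, last):
    """True when the two lease ranges neither overlap nor leave a gap in the scope."""
    local = set(_addresses(split["local"]["leases"]))
    remote = set(_addresses(split["remote"]["leases"]))
    whole = set(_addresses((first, last)))
    return not (local & remote) and (local | remote) == whole


def lease_clients(split, n_clients):
    """Simulate DORA for n clients: the local server answers while it has
    addresses (an assumption for the simulation); once it is exhausted the
    remote server, reached through the relay agent, serves from its backup share."""
    free = {name: _addresses(split[name]["leases"]) for name in ("local", "remote")}
    served = {"local": 0, "remote": 0, "unserved": 0}
    for _ in range(n_clients):
        for name in ("local", "remote"):
            if free[name]:
                free[name].pop(0)
                served[name] += 1
                break
        else:
            served["unserved"] += 1
    return served


if __name__ == "__main__":
    scope = ("192.168.1.100", "192.168.1.199")   # constructed 100-address scope
    s = split_scope(*scope)
    for server, cfg in s.items():
        print(f"{server}: lease {cfg['leases']}  exclude {cfg['exclude']}")
    print("consistent:", verify_split(s, *scope), "80 clients:", lease_clients(s, 80))
```

The exclusion ranges are what you actually type into each server’s scope; verify_split() is the check to run whenever either range is edited, since a gap or overlap is the classic cause of duplicate-address complaints.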

Name Resolution

The next exam objective listed is Implementing, Managing and Maintaining Name Resolution. This is all about DNS.


70-291: Managing a Windows Server 2003 Network

This exam requires you to show expertise with TCP/IP, DNS, DHCP, RRAS and ISA Server, as well as a few services not mentioned on the objectives list.

By Andy Barkl

Managing a Windows 2003 Network (70-291)

Full Exam Title: 70-291: Implementing, Managing and Maintaining a Windows Server 2003 Network Infrastructure

Reviewer’s Quick Take: “This exam requires you to show expertise with TCP/IP, DNS, DHCP, RRAS, ISA Server and a few topics not listed within the exam objectives, such as deploying wireless LANs.”

Official Objectives: http://www.microsoft.com/learning/exams/70-291.asp

Microsoft’s Recommended Training:

• Course 2276: Implementing a Windows Server 2003 Network Infrastructure: Network Hosts (2 days)

• Course 2277: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure: Network Services (5 days)

• Course 2208: Updating Your Support Skills from Windows NT 4.0 to Windows Server 2003 (3 days)

Windows 2003 offers a new zone type that you’ll want to study and try out — stub — and a feature called Conditional Forwarding.

Windows guru and author Bill Boswell explains in his book, Inside Windows Server 2003, that a “stub zone is used in place of delegation records when configuring a parent DNS server to send referrals to delegated DNS servers in a child domain.” A stub zone contains a copy of a zone with only the original zone’s start of authority (SOA) and name server (NS) records — the authoritative servers for the zone and resource records needed to identify the authoritative servers.

A DNS server that is hosting a stub zone is configured with the IP address of the authoritative server from which it loads. When this server receives a query for a name-to-IP resolution in the zone to which the stub zone refers, the server uses the IP address to query the authoritative server and returns a referral to the DNS server listed in the stub zone.

When a DNS server loads a stub zone, it queries the zone’s primary servers for SOA records, NS records at the zone’s root and host records. To update its records, the stub-DNS server queries the primary servers for the resource records.

You can use stub zones to ensure that the server that is authoritative for a parent zone automatically receives updates about the servers that are authoritative for a child zone. To do this, you add the stub zone to the server that is hosting the parent zone. Stub zones can be either stand-alone or Active Directory-integrated.

Although Microsoft recommends conditional forwarding for making servers aware of other namespaces, you can use stub zones instead.

Conditional forwarding allows control of the name resolution process beyond the default forwarding that occurs between non-root and root name servers.

When you use conditional forwarding, DNS servers can be configured to forward queries to different servers based on the domain name in the query. This eliminates steps in forwarding and reduces network traffic. This is especially useful during a network merger.
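The next Python block is added here (it is not from the guide or from Windows itself) to show the two mechanisms side by side: load_stub() filters a constructed master zone down to what a stub zone actually holds (SOA, NS and the glue A records of the name servers), and route_query() walks a query name’s suffixes from most to least specific, sending it to the stub zone’s authoritative servers, to a conditional forwarder, or to the default forwarders. Zone names and addresses are invented.

```python
"""Stub zones and conditional forwarding: how a Windows 2003 DNS server decides
where to send a query it is not authoritative for.

Constructed data throughout: zone names, server addresses and records are made up.
"""

# Records held by the primary server of sales.corp.example (constructed).
MASTER_ZONE = {
    ("sales.corp.example", "SOA"): ["ns1.sales.corp.example hostmaster.sales.corp.example 2004102801"],
    ("sales.corp.example", "NS"): ["ns1.sales.corp.example", "ns2.sales.corp.example"],
    ("ns1.sales.corp.example", "A"): ["10.5.0.10"],
    ("ns2.sales.corp.example", "A"): ["10.5.0.11"],
    ("www.sales.corp.example", "A"): ["10.5.1.80"],
    ("mail.sales.corp.example", "A"): ["10.5.1.25"],
}


def load_stub(zone, master):
    """A stub zone keeps only the SOA, the NS records at the zone root and the
    A (glue) records of those name servers; ordinary host records stay behind."""
    stub = {k: list(v) for k, v in master.items() if k[0] == zone and k[1] in ("SOA", "NS")}
    ns_hosts = set(stub.get((zone, "NS"), []))
    stub.update({k: list(v) for k, v in master.items() if k[1] == "A" and k[0] in ns_hosts})
    return stub


# Parent server configuration (constructed).
STUB_ZONES = {"sales.corp.example": load_stub("sales.corp.example", MASTER_ZONE)}
CONDITIONAL_FORWARDERS = {
    "partner.example": ["10.9.0.53"],           # the merged company's DNS servers
    "corp.example": ["10.1.0.10", "10.1.0.11"],
}
DEFAULT_FORWARDERS = ["192.0.2.53"]             # ISP resolver used for everything else


def stub_name_servers(stub):
    """Addresses of the authoritative servers recorded in a stub zone."""
    zone = next(name for (name, rtype) in stub if rtype == "SOA")
    return [ip for host in stub[(zone, "NS")] for ip in stub.get((host, "A"), [])]


def route_query(qname, stubs=STUB_ZONES, conditional=CONDITIONAL_FORWARDERS, default=DEFAULT_FORWARDERS):
    """Walk the name's suffixes from most to least specific: a stub zone yields the
    authoritative servers to query directly, a conditional forwarder beats the
    default forwarders, and the default forwarders catch everything else."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in stubs:
            return ("stub-zone", suffix, stub_name_servers(stubs[suffix]))
        if suffix in conditional:
            return ("conditional-forward", suffix, list(conditional[suffix]))
    return ("default-forward", None, list(default))


if __name__ == "__main__":
    for q in ("www.sales.corp.example", "hr.corp.example", "www.partner.example", "www.example.org"):
        print(q, "->", route_query(q))
```

Note that the stub zone answers with the child zone’s own name servers, so the parent follows them directly, whereas a conditional forwarder hands the whole query to the named servers and waits for the answer; the difference matters when you troubleshoot with NSlookup, because the stub path shows up as a referral and the forwarder path does not.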

Tip: Integrated DNS zones offer fault tolerance through Active Directory.

DNS AD-integrated zones support the secure dynamic update option, which prevents computers and users not listed in the zone’s ACL from changing zone records.

NSlookup, Event Viewer, System Monitor and DNS logs are the tools included with Windows Server to troubleshoot name resolution problems. NSlookup is the best bet; it’s used to manually query name servers for resolution. The DNS log in Event Viewer often holds the key to ongoing or past problems. System Monitor is a “live” tool to find performance problems. DNS logs can indicate management problems such as failed zone transfers.

Network Security

Next up: Implementing, Managing and Maintaining Network Security. Here you may find questions about security templates, IPSec monitoring and troubleshooting with Event Viewer and Network Monitor.

70-291: 10 Things to Practice

1. Enable RRAS on your server. Practice configuring and managing dial-up and VPN connections. Using a null-modem cable and a crossover network cable, you can easily simulate remote dial-up and VPN connections.

2. Deploy and distribute Certificate Services computer and user certificates. Install a CA, issue certificates to computers and users and publish them to AD while you’re there.

3. Install, configure and manage all DNS zone types. You need to practice creating, managing and maintaining AD anyhow — create the DNS zones manually and understand how each is used. Practice troubleshooting problems!

4. Understand and configure DNS conditional forwarding. Practice this one in conjunction with #3 and configure one of your servers using conditional forwarding.

5. Practice subnetting and understand IP addressing. You’ll need to know subnetting for this exam and how to recognize addressing misconfigurations. Haven’t you put it off long enough?

6. Install and configure IAS with RRAS. This is not a difficult task and you’ll be happy you mastered it for this exam.

7. Install and configure ISA Server. You can download an evaluation copy for free. Even if you don’t need Microsoft’s proxy and firewall server on your network, understanding the basics of ISA Server is a must for this exam.

8. Create and manage DHCP scopes and options. Creating a scope is an easy task, but do you really understand DHCP servers and how to maintain them? Configure one of your servers as a router and place a server and client on opposite segments to learn about relay agents and DHCP server management.

9. Use and understand the capabilities of Network Monitor. This can be boring for some, but after the initial pain, analyzing network packets can be fun! Learn how to use this tool if nothing else.

10. Use and understand Event Viewer and System Monitor. Easy enough, but do you really understand how to use these tools to their fullest? Hands-on and help files will get you through.

To apply an IPSec policy in a domain environment, you must understand IPSec policy precedence. Unlike most Group Policy settings, which are cumulative, only one IPSec policy can be assigned to a computer at a time. If there are multiple IPSec policies assigned at different levels, the last one applied is the one that takes effect. IPSec policy uses the same precedence sequence as other Group Policy settings, which is from lowest to highest—local, GPO, site, domain and then OU.

New to Windows 2003, you can use RSoP (Resultant Set of Policy) to analyze IPSec policy assignments. RSoP is a Group Policy snap-in used to view IPSec policy assignments for a computer.
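This added Python example (not from the guide) contrasts the two behaviours described above using a constructed set of per-level GPO contents in the local, site, domain, OU sequence: ordinary settings accumulate, with later levels overriding conflicts, while the IPSec assignment is winner-take-all. The three policy names are the default IPSec policies Windows ships with; the other setting names are invented.

```python
"""Why RSoP matters for IPSec: ordinary Group Policy settings accumulate across
levels, but a computer can have only one IPSec policy assigned, so the highest
level that assigns one silently replaces every lower assignment.

Levels are listed in processing order (lowest to highest precedence); a value
set at a later level overrides the same value set earlier. The GPO contents
below are constructed for the illustration.
"""

LEVELS = ("local", "site", "domain", "OU")

ASSIGNMENTS = {
    "local":  {"settings": {"audit_logon": "success"},
               "ipsec": "Client (Respond Only)"},
    "site":   {"settings": {"restrict_anonymous": 1},
               "ipsec": None},
    "domain": {"settings": {"audit_logon": "success,failure", "screensaver_timeout": 900},
               "ipsec": "Server (Request Security)"},
    "OU":     {"settings": {"screensaver_timeout": 600},
               "ipsec": "Secure Server (Require Security)"},
}


def effective_settings(assignments):
    """Cumulative settings: every level contributes; on conflict the later level
    wins. Returns {setting: (value, level_it_came_from)} like an RSoP report."""
    result = {}
    for level in LEVELS:
        for key, value in assignments.get(level, {}).get("settings", {}).items():
            result[key] = (value, level)
    return result


def effective_ipsec_policy(assignments):
    """Single assignment: the last level (in precedence order) that assigns an
    IPSec policy wins outright; levels assigning none leave the current winner."""
    winner = None
    for level in LEVELS:
        policy = assignments.get(level, {}).get("ipsec")
        if policy:
            winner = (policy, level)
    return winner


if __name__ == "__main__":
    for key, (value, level) in effective_settings(ASSIGNMENTS).items():
        print(f"{key:20s} = {value!r:20} (from {level})")
    print("IPSec policy in force:", effective_ipsec_policy(ASSIGNMENTS))
```

The practical lesson is the one RSoP makes visible: the local “Client (Respond Only)” assignment and the domain “Server (Request Security)” assignment contribute nothing once the OU assigns a policy, which is why a computer can end up requiring IPSec when you only meant to request it.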

Tip: Using the Event Viewer Application log, you can begin the process of troubleshooting when it comes to IPSec. Read carefully, understand the question and view the exhibit to help make sense of the vague Event Viewer screenshots!

Network Monitor is a preferred tool for viewing real-time captured network data. It can also assist when troubleshooting IPSec. Know the basics of this tool for this exam and make sure to get hands-on experience, which will allow you to retain what you have learned.

Routing and Remote Access

Implementing, Managing, and Maintaining Routing and Remote Access was the objective where I found the most questions on the beta exam. You may find questions in this area about ISA Server and wireless LANs.

Windows 2003 RRAS includes support for PPTP and L2TP-based VPNs. However, if you use L2TP-based clients or servers behind a network address translation (NAT) router, both must support IPSec NAT traversal, which is now available. Either way, you need to understand a little about certificate services to deploy secure VPN connections.

Once a certification authority is present on the network, a client computer in a Windows 2003 domain can use auto-enrollment or the Certificates snap-in to install a certificate. Or users can use their Web browsers to connect to the CA server at servername/certsrv. They follow the steps to request a certificate and install it on their computers. Certificates are managed from the CA server, which includes the Certificate Revocation List (CRL). This can be used to revoke certificates for VPN remote access when security is compromised.

Controlling access to RRAS can be done with remote access policies. They include the ability to filter by such things as time of day and profiles to limit connections for a specific type of authentication.

Tip: You can increase the security and manageability of RRAS servers by using Internet Authentication Service (IAS) to centralize VPN or dial-up networking authentication, authorization and accounting.

IAS now provides support for authentication, authorization, and accounting when connections that use the IEEE 802.1X standard for wireless are required.

This new standard adds another layer of security to wireless networks and is also built into Windows XP (Wireless Zero Configuration (WZC) is also included, which is a great feature).

Tech Note: The 802.1X standard defines port-based network access control to provide authenticated access for Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails.

The wireless AP used must support configuration as a RADIUS client and Wired Equivalent Privacy (WEP) with 802.1X authentication. The Microsoft 802.1X Authentication Client provides support for computers running many different versions of Windows all the way back to NT. (You can download this supported client from http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp.)

New GPO settings allow you to pre-configure a user’s WLAN network connection type, ad hoc or infrastructure, network name (SSID), WEP settings, access control using 802.1X and authentication methods and settings.

Tip: To support a secure wireless solution with Windows 2003, you need: AD, DNS, DHCP, RADIUS, a PKI and EAP-TLS or PEAP.

Windows 2003 supports the RIP versions 1 and 2 and OSPF routing protocols.

Configuration is accomplished after adding support in the RRAS console. Troubleshooting tools include the traditional ping, tracert and route commands. Understand what each tool offers for this exam and how to decipher the output of each.

Tip: The interfaces container in RRAS is used to add additional interfaces for routing.

ISA Server is a proxy caching and firewall server first released for Windows 2000. The ISA Server SP1 update is required to install it on Windows 2003, and it includes integration for protecting IIS and Exchange servers. There’s a specific exam for ISA Server (70-227), but 70-291 includes a few questions with regards to its capabilities.

Maintaining a Network Infrastructure

The final objective on 70-291 is Maintaining a Network Infrastructure. Here you’ll find topics such as monitoring network traffic, using Network Monitor and System Monitor, troubleshooting Internet connectivity and server services.

Network Monitor is a preferred tool for finding network traffic that is expected or unexpected! Using capture and display filters, you can locate and diagnose TCP/IP, DNS, DHCP, RRAS and WLAN client and server traffic.

IPSec monitoring and logging can be useful when locating VPN connection errors or viewing current security associations.

Tip: SNMP is also a network management tool often used to diagnose and help resolve network traffic issues.

Restarting services such as DNS, DHCP and RRAS can be a “quick fix” in some cases after locating the problem. For more advanced troubleshooting, Event Viewer and System Monitor come to the rescue once again!


Internet Security & Acceleration Server 2000, a direct descendent of Microsoft Proxy Server, is aimed at adding security to a network environment that has a presence on the Internet. You can install it in one of three modes: cache, firewall or integrated. In cache mode, ISA Server acts as a centralized point for Web access and keeps frequently accessed Web content on its local hard drive, thus lowering the amount of enterprise bandwidth expended on Internet downloads. In firewall mode, ISA Server becomes a corporate firewall, which allows configuration of packet filtering, VPN access, and restriction of access to other Internet protocols. Finally, integrated mode allows the best of both worlds.

In this article I’ll discuss strategies for getting through the ISA Server exam. Remember that this test covers ISA Server 2000, Enterprise Edition.

Building a Fire(wall)

Our first task in the exploration of ISA Server is its preconfiguration and installation. Before we can install ISA Server, we have to ensure that we can connect to the Internet. The recipe for a successful installation is as follows: a dash of network card installation, a pinch of DNS troubleshooting, and a sprinkle of verifying connectivity on a TCP/IP subnet. Sound easy enough? It gets harder.

In addition to the basic preconfiguration tasks, you need to know the installation of ISA Server inside and out. Know how and when to install ISA Server in each of the supported modes. For example, you have to run the ISA Enterprise Initialization Tool before ISA Server can be installed in an array. The Enterprise Initialization Tool modifies the Windows 2000 Active Directory schema to support objects that ISA Server requires to have a multiserver configuration.


70-227: Managing ISA Server 2000 Enterprise

Microsoft’s ISA Server Enterprise exam tests your knowledge of security, policy-setting and troubleshooting — and your ability to read carefully.

By Chris Golubski

Managing ISA Server (70-227)

Full Exam Title: 70-227: Installing, Configuring, and Administering Internet Security and Acceleration Server (ISA) 2000, Enterprise Edition

Reviewer’s Quick Take: “If you have expert TCP/IP knowledge, a good foundation in Windows 2000, and know the details of how this product works, you should be able to pass.”

Official Objectives: http://www.microsoft.com/learning/exams/70-227.asp

Microsoft’s Recommended Training: Course 2159: Deploying and Managing Internet Security and Acceleration Server 2000 (2 days)

Tip: Make sure you know how to back up your Prox­y Server 2.0 configuration, including using MMC to do this.

Also know how to configure and troubleshoot Local Address Table (LAT) problems. Simply put, the LAT is the range of IP addresses that make up your internal network. Make sure you don’t accidentally put an external address in your LAT. It could spell disaster!

Crafty Configuration and Thorough Troubleshooting

Once ISA Server is installed, you have to know how to configure and troubleshoot it. Think you can puzzle out most problems? Don’t get overconfident—in life or the testing center. Read each question carefully and make sure you understand exactly what you’re being asked.

Make sure you understand how to configure ISA Server to keep the bad guys out and the good guys in. Once you have a firewall set up, how do you allow Web traffic through securely? Easy enough: You configure Web publishing. ISA Server supports Web publishing and server proxy, which directs Web requests to another machine. You can even configure ISA Server to forward SSL requests and maintain the integrity of the encryption. By the way, you should know how to configure all of this.

Once you have your Web servers working, how do you get your custom Web application going — especially since it’s behind the firewall and uses several ports? Well, folks, ISA Server has the answer to this one, too. The solution is called server publishing. You can set up ISA Server to allow applications to function that use multiple ports and offer services on a machine inside the firewall, but still have the protection of the external ISA Server.

Tip: Read Anil Desai’s article, “Private and Secure: The VPN Solution,” on MCPmag.com to get a quick familiarity with VPN installation.

While you’re at it, make sure you understand virtual private networks (VPNs) and how to configure them. If you’re a Win2K network infrastructure whiz, you’re bound to do well here. Know how to configure ISA Server to allow VPN traffic through. Make sure you also know what needs to be set up within ISA Server’s configuration utility and what needs to be set up through the Routing and Remote Access Server console.

Also become familiar with configuring H.323 gatekeeper rules. In case you’re not familiar with the technology, H.323 is used for audio and video conferencing. In this case, we’re talking about NetMeeting. Know about the types of DNS records you need and how to configure destinations.

Tip: Make sure that you use the external IP address of the ISA Server machine in DNS for any services you advertise on the Internet.

Last, be certain you have a passing familiarity with redundancy services like Network Load Balancing (NLB) and how it helps an ISA Server array. Visit Microsoft’s Web site and download the white paper, “Network Load Balancing Technical Overview,” on how to configure NLB on Windows 2000 Advanced Server.

Setting Policy

Dealing with ISA Server policies is probably one of the most common tasks you’ll have as an administrator. You’ll have to perform many tasks efficiently and accurately in order to create a secure network environment.

Know how to configure packet filtering. Know common ports for common services like SMTP, HTTP, POP3, and LDAP, and understand how to troubleshoot common access problems with them. You should be familiar with how to do this in a variety of environments. For example, know how to deal with packet filtering configuration in a network with a single ISA Server, as well as a screened subnet or a DMZ (demilitarized zone). A DMZ is a subnet on the network between two ISA Server machines that usually contains Web servers and e-mail servers.

Along the same lines, you need to be able to troubleshoot problems that users have while trying to access resources. Be ready to determine whether the problem is client-side or server-side.

When it comes to learning ISA Server, spend time on configuring policies. It’s a major part of understanding the product. Policies consist of different kinds of rules. First come site and content rules. These allow you to restrict what sites and addresses the user can access. Second are protocol rules, which allow you to set which protocols can be used. As a side note, be able to configure custom protocols as well. If only things were as easy as accepting the default settings! Bandwidth rules allow you to set priorities for traffic, thus allowing you to restrict what kinds of traffic can enter and exit ISA Server.

Other items in a policy make your life a little bit easier, such as a schedule. A schedule does exactly what you’d expect it to do: set a time period in which a policy is effective. Two similar items, destination sets and client address sets, allow you to group resources together, so you don’t have to list hundreds of items in each policy over and over. You can create a set of clients or destinations and refer to them in each policy.
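To see how those policy elements combine, here is an added Python evaluator (my own, not ISA Server code) that applies constructed client address sets, destination sets, schedules, protocol rules and site and content rules to a request. It follows the ISA Server 2000 order: a request needs both an allowing protocol rule and an allowing site and content rule, and a matching deny rule beats an allow rule. Every name, address and rule in it is invented.

```python
"""Evaluate an outbound request against ISA Server 2000-style policy elements.

Policy elements: client address sets, destination sets, schedules. A request
passes only if a protocol rule allows the protocol for that client AND a site
and content rule allows the destination; a matching deny rule wins over allow
rules. All names, addresses and rules below are constructed.
"""
import fnmatch
import ipaddress
from datetime import datetime

CLIENT_ADDRESS_SETS = {
    "Engineering": ["10.1.0.0/24"],
    "Everyone": ["10.0.0.0/8"],
}
DESTINATION_SETS = {
    "Streaming sites": ["*.stream.example"],
    "Partner sites": ["*.partner.example", "partner.example"],
}
# name -> (start hour, end hour, active weekdays; Monday == 0)
SCHEDULES = {"Work hours": (8, 18, {0, 1, 2, 3, 4})}

SITE_AND_CONTENT_RULES = [
    {"name": "No streaming during work hours", "action": "deny",
     "clients": "Everyone", "destinations": "Streaming sites", "schedule": "Work hours"},
    {"name": "Allow all destinations", "action": "allow",
     "clients": "Everyone", "destinations": None, "schedule": None},
]
PROTOCOL_RULES = [
    {"name": "Web for everyone", "action": "allow", "clients": "Everyone",
     "protocols": ["HTTP", "HTTPS"], "schedule": None},
    {"name": "RTSP for engineering", "action": "allow", "clients": "Engineering",
     "protocols": ["RTSP"], "schedule": None},
]


def client_matches(set_name, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in CLIENT_ADDRESS_SETS[set_name])


def destination_matches(set_name, host):
    if set_name is None:          # rule applies to all destinations
        return True
    return any(fnmatch.fnmatch(host.lower(), pat) for pat in DESTINATION_SETS[set_name])


def schedule_active(name, when):
    if name is None:
        return True
    start, end, days = SCHEDULES[name]
    return when.weekday() in days and start <= when.hour < end


def rule_decision(rules, matches):
    """Deny rules are processed before allow rules; no match at all means deny."""
    hits = [r for r in rules if matches(r)]
    for action in ("deny", "allow"):
        for r in hits:
            if r["action"] == action:
                return action, r["name"]
    return "deny", "no matching rule"


def evaluate(client_ip, host, protocol, when):
    """Return (decision, reason) for one outbound request at time `when`."""
    proto_action, proto_rule = rule_decision(
        PROTOCOL_RULES,
        lambda r: protocol in r["protocols"]
        and client_matches(r["clients"], client_ip)
        and schedule_active(r["schedule"], when))
    if proto_action == "deny":
        return "deny", f"protocol rule: {proto_rule}"
    site_action, site_rule = rule_decision(
        SITE_AND_CONTENT_RULES,
        lambda r: client_matches(r["clients"], client_ip)
        and destination_matches(r["destinations"], host)
        and schedule_active(r["schedule"], when))
    return site_action, f"site and content rule: {site_rule}"


if __name__ == "__main__":
    wed_10 = datetime(2004, 10, 27, 10, 0)   # a Wednesday morning
    wed_20 = datetime(2004, 10, 27, 20, 0)
    print(evaluate("10.1.0.5", "video.stream.example", "RTSP", wed_10))
    print(evaluate("10.1.0.5", "video.stream.example", "RTSP", wed_20))
    print(evaluate("10.2.0.5", "video.stream.example", "RTSP", wed_20))
```

When a user complaint comes in, the reason string tells you which half to look at: “protocol rule” means the protocol or client set is wrong, “site and content rule” means the destination set or schedule is.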

Tip: You can’t add items to a policy lower than the enterprise level if the enterprise policy doesn’t already have what you want. So it’s in your best interests to define policies liberally at the enterprise level and restrict at the lower levels.

Finally, you need to be able to configure policies on an enterprise basis. If you have an array of ISA Servers, you need to be able to write an enterprise policy and apply the policy to the array. Make sure you understand how an enterprise policy works and how it relates to policies that are applied at the array level and local level.

Client Configuration

Another important aspect of administration is the configuration of clients to use the services provided by ISA Server. For example, if you’re using ISA Server as a firewall, you need to install the Firewall Client on the client machine. Know the operating systems on which the Firewall Client can be installed. Make sure you understand the limitations of the Firewall Client as well.

Also know how to configure clients to use ISA Server as a proxy server. Spend time learning how an ISA Server client can auto-detect an ISA Server in firewall or integrated mode.

Tip: Make sure you understand what Unix clients can and can’t do. Think about what software can be installed on a Unix machine vs. a Windows machine.

Be certain you can distinguish what role the client plays at any given time with the given resources. For example, a client can access Web content through the firewall client or the proxy server configuration in the browser. Understand the ramifications of each.

Monitoring and Maintenance

Now that you have ISA Server installed and configured, you should be able to monitor and optimize the environment to enhance performance. Can you enable intrusion detection and take corrective action when security is breached? Can you gauge when you have too much security in place? For example, you need to know what security holes you may have to allow in order to have streaming audio and media present in your network.

Alerts allow you to automate the sending of a notification when a problem arises. Know how to configure ISA Server to send an e-mail message if this occurs. Also be familiar with ISA logging and how to make the log files write to an ODBC data source, particularly Microsoft SQL Server.

It’s useful when working with ISA Server to remember the tried and true command-line utilities like PING, NSLOOKUP and NETSTAT. You should be able to view incoming connections and understand how to stop them if necessary. Also learn how to use telnet to access a specific port to ensure it’s functioning properly. Know how to fix protocols when they’re not responding as well.

Tip: Study intrusion detection and all of its settings very well.

Of course, keeping the boss informed about corporate security and proxy server use is also important. ISA Server comes with some canned reports, which means you won’t have to explain esoteric technical concepts. They provide a simple graphical view of what’s occurring at the specified time. Learn how to run reports and export them.

Finally, make sure you understand general tuning practices of the Win2K Server family. Be able to spot when to add memory, a new hard drive, a faster hard drive, or an additional processor to a Win2K server that has ISA Server installed.

Spend Time with ISA Server

Before tackling the test, I’d recommend installing ISA Server several times and seeing what it can do. Configure policies, set up packet filtering and install clients. Work with the configuration of the caching functionality, as easy as it is. As always, experience is the best teacher.

Chris Golubski is an IT professional in the Dallas area.


The latest exam to come from Microsoft is aimed at administrators who deal daily with maintaining security, and it requires specific knowledge and hands-on experience with Windows Server 2003 PKI, permissions, patch management, and troubleshooting. If you’re familiar with Exam 70-214, Implementing and Administering Security in a Windows 2000 Network, consider 299 an update of that exam.

In this review, I help you prepare by covering some of the objectives as listed in the exam preparation guide.

Implementing, Managing, and Troubleshooting Security Policies

Topics under this objective range from configuring, deploying, and troubleshooting security templates to configuring permissions and security settings on desktop and server computers.

The rule of thumb: Disable unnecessary services. This closes the listening network port and reduces the attack surface of a computer. Windows Server 2003 has many new security templates and security settings beyond those found in Windows 2000 Server—somewhere close to 600 additional settings. And with the release of SP1 due out this year, security configuration choices of servers will not only become more powerful but also more complex.

Group Policy Objects are where it’s at. For almost any size of Windows network, if you have deployed Active Directory, the killer feature is GPO. Security templates are a quick and easy way of securing computers in the domain with common configuration settings. When studying the Products and Technologies link, Windows Server 2003, at the Security Guidance Center, pay particular attention to the different requirements for securing domain controllers, IAS servers, Exchange servers, SQL servers, and IIS servers.

70-299: Administering Windows Server 2003 Security

You’ll need experience with PKI, permissions, patch management, and troubleshooting under Windows 2003 before tackling this security exam.

By Andy Barkl

Administering Windows 2003 Security (70-299)

Full Exam Title: 70-299: Implementing and Administering Security in a Windows Server 2003 Network

Reviewer’s rating: This exam is an update of the Windows 2000 exam 70-214, and will test your knowledge of Windows Server 2003 PKI, permissions, patch management, and troubleshooting.

Exam Objectives: http://www.microsoft.com/traincert/exams/70-299.asp

Microsoft’s Recommended Training: Course 2823: Implementing and Administering Security in a Windows Server 2003 Network (5 days)

Using GPOs, you can configure desktop and client computers for permissions. One common method among Windows administrators is to assign a user local administrator access to their desktop computer. This allows users to install software and change system settings, but this method can sometimes bite you in the butt!

Windows Server 2003 security templates now include software restriction policies, which are a smarter method of allowing users to install and run only tested and approved software on their desktops. An SRP is a collection of rules that decide what software can run, each rule assigning one of the Group Policy security levels (Unrestricted or Disallowed) to the software it matches; anything no rule matches gets the policy's default level. Rules come in four types, hash, certificate, path (including registry paths), and Internet Explorer zone, and when more than one rule matches the same file they are applied in that order of precedence, so a hash rule always wins and a more specific path rule beats a more general one.
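The precedence described above is the part that trips people up when two rules cover the same file. The following is an added worked example, not code from the original article or from Microsoft: a small model of SRP rule evaluation that applies the hash > certificate > path > zone ordering and the most-specific-path rule. The sample rules, file contents, publisher name, and zone values are all constructed for the example, and it hashes with SHA-1 (Windows hash rules use MD5 or SHA-1).

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two security levels the Windows Server 2003 SRP policy UI exposes.
DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Rule-type precedence as Windows applies it when several rules match one file:
# hash beats certificate, certificate beats path, path beats Internet zone.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # SHA-1 hex of the file, signer name, path prefix, or IE zone name
    level: str   # DISALLOWED or UNRESTRICTED


@dataclass
class Program:
    path: str
    content: bytes
    signer: Optional[str] = None   # constructed: publisher name from the Authenticode signature
    zone: str = "Local computer"   # constructed: IE zone the file was downloaded from


def matches(rule: Rule, prog: Program) -> bool:
    """Does this rule apply to this program?"""
    if rule.kind == "hash":
        return hashlib.sha1(prog.content).hexdigest() == rule.match.lower()
    if rule.kind == "certificate":
        return prog.signer == rule.match
    if rule.kind == "path":
        # Path rules are case-insensitive prefix matches: a folder rule covers everything under it.
        return prog.path.lower().startswith(rule.match.lower())
    if rule.kind == "zone":
        return prog.zone == rule.match
    return False


def decide(prog: Program, rules: List[Rule], default_level: str = DISALLOWED) -> Tuple[str, Optional[Rule]]:
    """Return (level, winning rule). With no match the default level applies.
    Among matching rules the highest-precedence type wins; among path rules the
    longest (most specific) path wins, so a rule on a subfolder overrides its parent."""
    hits = [r for r in rules if matches(r, prog)]
    if not hits:
        return default_level, None
    best = min(hits, key=lambda r: (PRECEDENCE[r.kind], -len(r.match)))
    return best.level, best


# Constructed sample policy: default Disallowed (allow-list posture), the Program Files
# tree opened up except for one tools folder, one approved app by hash, one approved
# publisher, and anything that came from the Internet zone blocked.
APPROVED_APP = b"MZ\x90\x00constructed-lob-app-v1.0"
SAMPLE_RULES = [
    Rule("path", "C:\\Program Files\\", UNRESTRICTED),
    Rule("path", "C:\\Program Files\\Contoso\\Tools\\", DISALLOWED),
    Rule("hash", hashlib.sha1(APPROVED_APP).hexdigest(), UNRESTRICTED),
    Rule("certificate", "Contoso Software Ltd", UNRESTRICTED),
    Rule("zone", "Internet", DISALLOWED),
]


def demo() -> dict:
    """Evaluate constructed files against SAMPLE_RULES; returns case name -> level."""
    cases = {
        # a hash rule follows the file wherever it is copied
        "approved app copied to temp": Program("C:\\Temp\\lob.exe", APPROVED_APP),
        # the most specific path rule wins over the broader parent-folder rule
        "tool in blocked subfolder": Program("C:\\Program Files\\Contoso\\Tools\\nc.exe", b"netcat"),
        # a certificate rule outranks the path rule that would have blocked it
        "signed tool in blocked subfolder": Program(
            "C:\\Program Files\\Contoso\\Tools\\upd.exe", b"x", signer="Contoso Software Ltd"),
        # only the zone rule matches the download
        "installer from the Internet": Program("C:\\Users\\Downloads\\setup.msi", b"y", zone="Internet"),
        # nothing matches, so the default level applies
        "unknown file on D:": Program("D:\\stuff\\game.exe", b"z"),
    }
    return {name: decide(p, SAMPLE_RULES)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name}: {level}")
```

Two things the run makes visible: a hash rule keeps protecting (or approving) a file after a user copies it somewhere a path rule does not cover, and a path rule on a parent folder is silently overridden by a certificate rule, which is why a publisher rule should be scoped carefully before you trust it to approve everything that publisher has ever signed.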

Tip: Only one password policy using Group Policy Objects can be configured per domain.

Gpupdate replaces Secedit /refreshpolicy in Windows Server 2003 (and Windows XP). Gpupdate can be used to force Group Policy settings to apply immediately and to recover a computer to which incorrect settings have been applied. To troubleshoot a computer that has been locked down incorrectly to the point where you can't log on with the domain administrator account, restart the computer in Safe Mode, log on as the local administrator, run gpupdate, restart the computer in normal mode, and then log on normally. Correct or unlink the offending GPO first, though: Group Policy is not processed in Safe Mode, and if the GPO is unchanged the same settings come straight back at the next normal startup.

Tip: Group Policy loopback processing mode can be used to override user-based settings on a computer with a computer policy.

Secedit at the command line, and the Security Configuration and Analysis snap-in, can be used in Windows Server 2003 to analyze, configure, and validate computer security configuration settings.
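To see what the analyze step actually does, here is an added example (not from the article or from Microsoft's tools) that parses a security template in the secedit .inf format and reports every setting the machine does not match, the way Security Configuration and Analysis flags mismatches with a red X. Both the template fragment and the "current settings" snapshot are constructed for the example; the section and key names are the real ones the .inf format uses.

```python
import configparser
from typing import Dict, List, Optional, Tuple

# Registry-backed settings appear under [Registry Values] as full path=type,value
# (4 is REG_DWORD). This one is "Digitally sign communications (always)" for the server side.
REG_KEY = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature"

# Constructed sample template: a fragment with the sections this example inspects.
TEMPLATE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 42
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot of the machine's current settings, in the shape secedit /export
# produces. Several values are deliberately weaker than the template, and one is absent.
CURRENT_SETTINGS: Dict[str, Dict[str, str]] = {
    "System Access": {"MinimumPasswordLength": "6", "PasswordComplexity": "0",
                      "LockoutBadCount": "5", "MaximumPasswordAge": "42"},
    "Event Audit": {"AuditLogonEvents": "3"},
    "Registry Values": {REG_KEY: "4,0"},
}

SKIP_SECTIONS = {"Unicode", "Version"}   # template metadata, not settings

Finding = Tuple[str, str, str, Optional[str]]   # (section, key, expected, actual)


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a secedit .inf into {section: {key: value}}. Key case is preserved so
    registry paths stay readable; '$' in the signature line must not be interpolated."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections() if s not in SKIP_SECTIONS}


def analyze(template: Dict[str, Dict[str, str]], current: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Mirror secedit /analyze: list every template setting the machine does not match.
    'actual' is None when the machine defines no value for the setting at all."""
    findings: List[Finding] = []
    for section, keys in template.items():
        for key, expected in keys.items():
            actual = current.get(section, {}).get(key)
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings


def is_compliant(template_text: str, current: Dict[str, Dict[str, str]]) -> bool:
    return not analyze(parse_template(template_text), current)


if __name__ == "__main__":
    for section, key, expected, actual in analyze(parse_template(TEMPLATE_INF), CURRENT_SETTINGS):
        print(f"[{section}] {key}: template={expected} machine={actual if actual is not None else '(not defined)'}")
```

On a real server the same comparison is `secedit /analyze /db C:\secure.sdb /cfg C:\template.inf /log C:\analyze.log`, and once you are happy with the findings, `secedit /configure` with the same database and template applies them. A template setting the machine has no value for is reported just like a wrong value; "not defined" is not "compliant".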

Implementing, Managing, and Troubleshooting Patch Management Infrastructure

Topics included: planning the deployment of service packs and hotfixes, verifying with MBSA, and SUS deployment and administration. This is certainly a hot topic for many of us: patch management. Unless you're an administrator who has been hiding in a server closet for the past 24 months, you've no doubt had your challenges with patch management, a nightmare if not done correctly. Patch management is one of the key aspects of securing a network.

In the exam world, which can be completely different from the real world, patch management of Windows computers must be done with Microsoft's free tools: the Microsoft Baseline Security Analyzer and Software Update Services. MBSA is a network-based scanning tool that runs on Windows 2000, XP, and 2003; it looks for missing patches and security updates on all flavors of Windows down to Windows NT 4.0. It also supports scanning of IIS, SQL, and Exchange servers, and it reports common misconfigurations such as blank or simple passwords along with the missing updates. MBSA comes in both a GUI wizard version and a command line version, mbsacli.exe, which is the one to use for scheduled scans.

Windows Update is a client-side scanning tool that checks for installed and missing patches and service packs against the Windows Update web site or a locally installed SUS server. Along with Automatic Updates, Windows computers can be configured to download and install patches and service packs at scheduled intervals. Server and client computers can be pointed at SUS servers using Group Policy, SMS (Systems Management Server) with the SUS Feature Pack, or logon scripts that set the corresponding registry values if Active Directory has not been deployed. If users aren't granted local administrator access to their desktops, Automatic Updates can still be configured for a scheduled date and time to install the updates and restart the computer automatically, because the service runs as Local System rather than as the logged-on user.

SUS servers deployed within a network allow administrators to collect, approve, and distribute critical updates for server and client computers. SUS parent servers can be configured to synchronize with the Microsoft Windows Update Web site and pass updates to child SUS servers, which, in turn, distribute the updates to the server and client computers on the network.

Tip: For failed deployments of patches or service packs with SUS, you must cancel approval of the update on the SUS server to prevent further installations.

Implementing, Managing, and Troubleshooting Security for Network Communications

Most of the topics here center on IPSec for securing network data. You'll also find a sprinkle of data security as it relates to wireless, SSL, and remote access networks. My exam seemed to include many questions regarding IPSec authentication headers! I'll briefly cover each of the network data security protocols and methods.

IPSec is a rule-based security protocol that protects data traffic. It negotiates authentication and encryption on demand between two end points. Packets are authenticated, encrypted, and decrypted at the OSI network layer, which makes the process transparent to upper-layer protocols. L2TP and IPSec together can be used to create VPNs. IPSec has two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH signs the payload plus the fields of the IP header that do not change in transit, so AH packets can be routed normally, but any device that rewrites the addresses breaks the signature. ESP in Windows Server 2003 can encrypt with DES (Data Encryption Standard) or 3DES in either Transport or Tunnel mode. In Transport mode, ESP protects the payload but leaves the original IP header in the clear. In Tunnel mode, ESP encrypts the entire original packet and wraps it in a new IP header, which is what VPN gateways use. Using AH and ESP together gives header integrity as well as payload confidentiality and is the most secure combination.

The two peers authenticate each other (for AH as well as ESP) using Kerberos, certificates, or a preshared key! IPSec is a wide-ranging protocol and includes many small details. Be sure to study it and IPSec policies thoroughly prior to the exam.

Tip: IPSec traffic cannot pass through older NAT servers. AH never survives NAT, because the rewritten address invalidates its signature; ESP gets through only when both ends support NAT Traversal (NAT-T), which Windows Server 2003 does.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) both use public key and symmetric key encryption for TCP-based communications. They provide session encryption and integrity, and server authentication (client authentication too, if the client holds a certificate). This prevents eavesdropping, tampering, and message forging. Both SSL and TLS require a digital certificate on the server! SSL and TLS can be used to secure web, email, news, and FTP traffic.

PPTP over TCP/IP can be used to secure upper layer protocol traffic between clients and servers for such things as VPNs. It relies on PPP authentication, such as PAP (Password Authentication Protocol), MS-CHAP, or MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol), for the exchange of credentials; PAP sends the password in the clear, so use MS-CHAP v2 wherever the clients support it. PPTP carries its data in GRE, so it passes through a NAT server only if that device understands GRE (often called PPTP pass-through), and PPTP does not provide for data integrity.

70-299: 10 Things to Practice

1. Configure GPOs to secure the various server roles in a Windows network: DCs, member servers, workstations, Exchange, IIS, and IAS.

2. Create a couple of SRPs using hash, path, and certificate rules. Apply them.

3. Install and configure an SUS server on your test network; download updates and approve them for workstations.

4. Enable the three default IPSec policies (Client (Respond Only), Server (Request Security), and Secure Server (Require Security)) between two networked computers and observe the results.

5. Install CMAK and create a profile or two.

6. Install and configure Certificate Services and enroll workstations for certificates.

7. Explore the various security templates and practice importing one into the Security Configuration and Analysis snap-in to compare against your existing security settings.

8. Download, install, and configure MBSA on your test network.

9. Configure a Windows 2003 server to act as a VPN server and explore the various connection protocols supported.

10. Explore and configure account and password policy settings for the domain GPO on your network.

SMB (Server Message Block) signing can be used to secure client-to-server file sharing traffic on a Windows network. SMB signing can be enabled using GPOs and uses a method of digital signing, a keyed hash over each SMB packet, to protect its integrity; because the key comes from the session, a third party on the wire cannot recompute the signature after altering a packet.
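The two integrity mechanisms above, IPSec's AH/ESP integrity check values and SMB signing's keyed hash, rest on the same idea, and the NAT tip follows directly from what each one covers. The following is an added example, not code from the article or from Windows, that models a packet with HMAC-SHA1 truncated to 96 bits (the construction AH and ESP use) and shows what happens to each check at a router, at a NAT device, and under tampering. The packet fields, addresses, session key, and payloads are all constructed; real AH additionally covers its own header (SPI, sequence number), and real ESP behind NAT also needs NAT-T's UDP encapsulation so the NAT device can track the flow at all.

```python
import hashlib
import hmac
import socket
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Toy IP packet: only the fields the example needs. TTL stands in for the
    mutable header fields AH zeroes out before signing."""
    src: str
    dst: str
    ttl: int
    payload: bytes


# Constructed session key. In Windows it comes out of the IKE negotiation after the
# peers authenticate with Kerberos, certificates, or a preshared key.
SESSION_KEY = b"\x01" * 20
ICV_LEN = 12   # AH and ESP truncate HMAC-SHA1 to 96 bits


def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_icv(key: bytes, p: Packet) -> bytes:
    """AH integrity check value: payload plus the immutable IP header fields (addresses).
    Mutable fields such as TTL are excluded, so ordinary routing does not disturb it."""
    return _icv(key, socket.inet_aton(p.src) + socket.inet_aton(p.dst) + p.payload)


def esp_icv(key: bytes, p: Packet) -> bytes:
    """ESP integrity check value: covers only what ESP encapsulates, never the outer IP header."""
    return _icv(key, p.payload)


def verify(icv: bytes, key: bytes, p: Packet, icv_fn) -> bool:
    return hmac.compare_digest(icv, icv_fn(key, p))


def router_hop(p: Packet) -> Packet:
    """A plain router only decrements the TTL."""
    return replace(p, ttl=p.ttl - 1)


def nat(p: Packet, public_ip: str) -> Packet:
    """A NAT device rewrites the source address as well."""
    return replace(p, src=public_ip, ttl=p.ttl - 1)


def tamper(p: Packet, new_payload: bytes) -> Packet:
    return replace(p, payload=new_payload)


def unkeyed_digest(p: Packet) -> bytes:
    """What a checksum or plain hash gives you: anyone can recompute it, so it says
    nothing about who produced the packet. SMB signing uses a keyed hash for that reason."""
    return hashlib.sha1(p.payload).digest()


def scenario() -> dict:
    """Run the cases the text describes; returns outcome name -> bool."""
    p = Packet("10.0.0.5", "192.0.2.10", 64, b"SMB payload, constructed")
    ah, esp = ah_icv(SESSION_KEY, p), esp_icv(SESSION_KEY, p)
    forged = tamper(p, b"SMB payload, modified")
    attacker_key = b"guess" * 4     # the attacker does not hold SESSION_KEY
    return {
        "AH survives a normal router hop": verify(ah, SESSION_KEY, router_hop(p), ah_icv),
        "AH survives NAT": verify(ah, SESSION_KEY, nat(p, "198.51.100.1"), ah_icv),
        "ESP survives NAT": verify(esp, SESSION_KEY, nat(p, "198.51.100.1"), esp_icv),
        "ESP detects payload tampering": not verify(esp, SESSION_KEY, forged, esp_icv),
        # an attacker who rewrites the payload simply recomputes the unkeyed digest
        "receiver using an unkeyed digest accepts the forgery":
            hashlib.sha1(forged.payload).digest() == unkeyed_digest(forged),
        "attacker without the key produces a valid keyed ICV":
            verify(esp_icv(attacker_key, forged), SESSION_KEY, forged, esp_icv),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The run shows why the exam keeps asking about authentication headers: AH fails the moment an address changes, which is the whole point of AH and the whole reason it cannot cross NAT, while ESP's check ignores the outer header and still catches any change to the protected data. The last two cases are the SMB signing argument in miniature: integrity only means something when the verifier's key is one the attacker does not have.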

WEP (Wired Equivalent Privacy) is used to secure wireless data traffic between wireless clients and access points connected to a wired network. Know it for the exam, but know also that its static keys and weak RC4 key scheduling let an attacker recover the key from captured traffic; treat WEP as a speed bump rather than a boundary, and put 802.1X authentication (EAP-TLS, below) in front of the wireless network wherever you can.

Remote client traffic can be secured using various methods and protocols. PPTP and L2TP/IPSec for creating a VPN connection are becoming the most widely used.

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is the most secure remote access authentication method and protocol on the exam. It authenticates both the client and the server with certificates, and because the client certificate can live on a smart card or USB token it supports two-factor authentication, so it meets the requirements for confidentiality, integrity, and mutual authentication of the credential exchange.

Tip: If the network includes smart cards and Certificate Services is present to issue both user and computer certificates, use EAP-TLS for the most security.

For the exam you'll also need to be familiar with CMAK (Connection Manager Administration Kit), a tool for managing remote connections and remote access policies. CMAK allows administrators to preconfigure remote access clients, add custom behavior and appearance, and provide an updateable phonebook that users can turn to and find the most convenient dial-up access numbers. When gaining that all-important hands-on experience for this exam, be sure to load up CMAK and create a profile or two.

Familiarity with Microsoft's Internet Security and Acceleration Server is also a must for this exam. ISA Server provides perimeter firewall services, proxy caching services, policy-based access control, secure web publishing, and intrusion detection services.

Tip: Client computers may need the ISA Server Firewall Client installed before they can reach the external network (or another internal network) through ISA Server with anything other than web protocols.

Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI

This objective includes topics such as authentication, authorization, security groups, and certificate services. Know your group types (distribution and security), group scopes (universal, domain local, global, and local), and the recommended group strategy, A-G-DL-P: Accounts get placed into Global groups, which get placed into Domain Local groups, which are assigned Permissions.

Tip: Group nesting is supported when a domain is at the Windows 2000 native functional level or higher.
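How A-G-DL-P turns into an access decision is easier to see in code than in prose. The following is an added example, not from the article or from Windows itself: a constructed directory whose accounts, global groups, and domain local groups follow A-G-DL-P, a token built from transitive (nested) membership, and a simplified version of the Windows access check that walks an ACL in canonical order. All names, the access-mask bits, and the ACL are constructed for the example; the real check works on SIDs and a richer mask, but the ordering rules are the ones Windows applies.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed directory following A-G-DL-P: accounts into global groups, global groups
# into domain local groups, permissions granted only to the domain local groups.
MEMBERSHIP: Dict[str, Set[str]] = {
    "CONTOSO\\alice": {"CONTOSO\\Sales Staff"},                                  # A -> G
    "CONTOSO\\bob":   {"CONTOSO\\Sales Staff", "CONTOSO\\Contractors"},          # A -> G
    "CONTOSO\\Sales Staff": {"CONTOSO\\Sales Share Readers",
                             "CONTOSO\\Sales Share Writers"},                    # G -> DL
    "CONTOSO\\Contractors": {"CONTOSO\\No Customer Data"},                       # G -> DL
}

READ, WRITE, DELETE = 0x1, 0x2, 0x4   # toy access-mask bits


@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name (a SID in a real ACL)
    mask: int


def token_groups(principal: str) -> Set[str]:
    """Transitive group membership, as the logon token carries it. Putting a group inside
    another group is what needs the Windows 2000 native functional level or higher."""
    seen: Set[str] = set()
    stack = [principal]
    while stack:
        for group in MEMBERSHIP.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def access_check(principal: str, requested: int, acl: List[Ace]) -> bool:
    """Simplified Windows access check. ACEs are walked in order (canonical order lists
    explicit deny ACEs before allow ACEs). A deny ACE for a trustee in the token that
    covers any right still wanted fails the check; allow ACEs accumulate rights until
    every requested right is granted. Running off the end without full coverage is a denial."""
    token = {principal} | token_groups(principal)
    remaining = requested
    for ace in acl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# P: permissions on the share are granted to domain local groups only, deny first.
SALES_SHARE_ACL = [
    Ace("deny",  "CONTOSO\\No Customer Data", READ | WRITE | DELETE),
    Ace("allow", "CONTOSO\\Sales Share Readers", READ),
    Ace("allow", "CONTOSO\\Sales Share Writers", WRITE),
]


if __name__ == "__main__":
    for user, wanted, label in [("CONTOSO\\alice", READ, "read"),
                                ("CONTOSO\\alice", READ | WRITE, "read+write"),
                                ("CONTOSO\\alice", DELETE, "delete"),
                                ("CONTOSO\\bob", READ, "read")]:
        print(f"{user} {label}: {'granted' if access_check(user, wanted, SALES_SHARE_ACL) else 'denied'}")
```

Two details worth noticing: alice's read+write request is satisfied by two separate allow ACEs, which is how granting to several domain local groups composes; and bob is denied read even though he is in the same reader group as alice, because the deny ACE for the domain local group his contractor group nests into is evaluated first. Nothing in the ACL names a user or a global group directly, which is the point of A-G-DL-P: membership changes happen in the groups, never in the permissions.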

The special identity Self is a placeholder for the object itself: when an ACE (Access Control Entry) on a user, group, or computer object names Self, the permission applies to that security principal, so one ACE in a default or inherited ACL resolves to a different principal on each object it lands on.

Trust relationships are something you should be familiar with at this point in your MCSA/MCSE studies. Remember that an external trust connects a domain to a domain in another forest (or to a Windows NT 4.0 domain) and is nontransitive, and a shortcut trust is used to speed authentication between two domains in the same forest. Either can be created as one-way or two-way; a one-way trust only lets principals from the trusted domain into the trusting domain. Forest trusts, which are transitive across both forests, can be set up only between Windows Server 2003 forests at the Windows Server 2003 forest functional level.

Certificate services-related questions are present on many of the Windows 2003 MCSA and MCSE exams. If this exam is your first exposure to Microsoft certification, you'll need to study everything about Certificate Services to pass. Configuring, deploying, revoking, and managing user and computer certificates is necessary for many of the security-related technologies discussed thus far. A digital certificate verifies the identity of a user, computer, or program. It contains information about the issuer and subject and is signed by the CA. Certificate templates define the format and content for the certificate's intended use. Only enterprise CAs can issue certificates based on certificate templates! Templates exist for a variety of purposes: web servers, email, EFS (Encrypting File System), smart cards, remote access, and IPSec, to name just a few.

Certificate deployment can be handled using various methods such as autoenrollment, enrollment agents, and Web-based enrollment. Web-based enrollment is a popular method whereby the user connects to the CA's web pages and requests a certificate, waits for the CA administrator to approve the request if the template requires it, and then installs the certificate on the computer. Autoenrollment is controlled using GPOs: computers running Windows 2000 can autoenroll for computer certificates, and Windows XP and Windows Server 2003 add user autoenrollment with version 2 templates. Autoenrolled certificates can be used for smart card logon, EFS, and IPSec authentication.

Certificate revocation is performed by the CA administrator when a certificate is compromised, and the Certificate Revocation List (CRL) is then published to the network; clients only reject the certificate once they have fetched the updated CRL, so the CRL publication interval is part of your exposure window. Certificates (more precisely, the private keys that go with them) can be lost due to a deleted user profile, reinstallation of the user's operating system, a corrupted disk, or a stolen computer. Data Recovery Agents can be used to decrypt EFS data originally encrypted with a user's missing certificate. Windows Server 2003 adds Key Recovery Agents: provided key archival was enabled on the template when the certificate was issued, a KRA can retrieve the original certificate along with its private and public keys, so the user gets the same key back rather than just the data, which makes DRAs far less necessary. Certificates can also be exported for safekeeping, with the private key as a .pfx file, using Microsoft Outlook, Internet Explorer, the Certificates console, or the command line utility Certutil.exe.

Andy Barkl owns MCT & Associates LLC, a technical training and consulting firm in Phoenix, Arizona, and is a contributing editor to MCPmag.com, CertCities.com, and TCPmag.com.


Core: Client (pass 1)

70-210: Installing, Configuring, and Administering Windows 2000 Professional (A)

70-270: Installing, Configuring, and Administering Windows XP Professional (A)

Core: Networking (pass 2)


MCSA: Security Training and Exam Checklist
Print and hang up this handy guide to keep an eye on your MCSA: Security goals.

Need More Training?
Microsoft offers its official instructor-led training at Microsoft Certified Partners for Learning Solutions centers worldwide for the following exams:

70-210:
• Course 2151: Windows 2000 Network and Operating System Essentials
• Course 2152: Implementing Windows 2000 Professional and Server

70-270:
• Course 2272: Implementing and Supporting Windows XP Professional (5 days)
• Course 2285: Installing, Configuring, and Administering Windows XP Professional (2 days)

70-227:
• Course 2159: Deploying and Managing Internet Security and Acceleration Server 2000 (3 days)

70-290:
• Course 2273: Managing and Maintaining a Windows Server 2003 Environment
• Course 2274: Managing a Windows Server 2003 Environment
• Course 2275: Maintaining a Windows Server 2003 Environment

70-291:
• Course 2276: Implementing a Windows Server 2003 Network Infrastructure: Network Hosts (2 days)
• Course 2277: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure: Network Services (5 days)
• Course 2208: Updating Your Support Skills from Windows NT 4.0 to Microsoft Windows Server 2003 (3 days)

70-299:
• Course 2823: Implementing and Administering Security in a Windows Server 2003 Network

CompTIA Security+:
• Course 2810: Fundamentals of Network Security (4 days)

Links for Further Study
Read Microsoft's official MCSA: Security for Windows 2003 Guide at http://www.microsoft.com/learning/mcp/mcsa/security/windowsserver2003.asp

Two Paths to MCSA: Security

Note: (A) Review included in this guide; otherwise, click on link to read the review online.

For more details on courses listed above, type in the course number at http://www.microsoft.com/learning/training/find/findcourse.mspx

Find your nearest Microsoft Certified Partners for Learning Solutions center at http://directory.microsoft.com/mprd/Search.aspx?SearchGroup=TrainingRadio&languageDropDown=173

Microsoft TechNet is one of the best free sources of security information. Go to http://www.microsoft.com/technet/security/default.mspx for the latest security headlines and most recent security bulletins. The Security Guidance Center at http://www.microsoft.com/security/guidance/default.mspx steps you through planning and managing security on desktops and servers and can help you with the ongoing security patching process.

Global Knowledge offers a wealth of security training for the Microsoft IT professional at www.globalknowledge.com/msinfo

Pick one path, Windows 2000 or Windows 2003, and record the date you complete each exam in that column.

Core: Networking (pass 2), one exam per row
• Windows 2000: 70-215: Installing, Configuring, Administering Windows 2000 Server (Date completed: ____)
  Windows 2003: 70-290: Managing, Maintaining Windows Server 2003 (A) (Date completed: ____)
• Windows 2000: 70-218: Managing a Windows 2000 Network Environment (Date completed: ____)
  Windows 2003: 70-291: Implementing, Managing, Maintaining a Windows Server 2003 Network (A) (Date completed: ____)
• Windows 2000: 70-214: Implementing Windows 2000 Security (Date completed: ____)
  Windows 2003: 70-299: Implementing, Administering Security in a Windows Server 2003 Network (A) (Date completed: ____)

Specialization (pass 2)
• 70-227: Internet and Security Acceleration Server 2000 (A) or SY0-101: CompTIA Security+ (Date completed: ____)