Exam Objectives
This exam is broken up into four different categories. We will look at what you have to know in each category to pass the exam.
Implementing, Managing, and Troubleshooting Security Policies
- Plan security templates based on computer role. Computer roles include SQL Server computer, Microsoft Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server.
- Configure security templates.
- Configure registry and file system permissions.
- Configure account policies.
- Configure .pol files.
- Configure audit policies.
- Configure user rights assignment.
- Configure security options.
- Configure system services.
- Configure restricted groups.
- Configure event logs.
- Deploy security templates.
- Deploy security templates by using command-line tools and scripting.
- The Secedit command allows you to analyze and configure your system security from a command line.
- Plan the deployment of security templates.
- Deploy security templates by using Active Directory-based Group Policy objects (GPOs).
Group Policy is used to deploy security settings throughout your organization’s Active Directory structure.
- Troubleshoot security template problems.
- Troubleshoot security templates in a mixed operating system environment.
- If you are still running Windows NT 4.0 or Windows 2000, applying Windows 2003 security templates in these environments can have unpredictable results.
- Troubleshoot security policy inheritance.
- Troubleshoot removal of security template settings.
Group policies are applied in the following order: local, site, domain, OU, and sub OU.
Changes to security templates do not always happen instantly. You may have to have a user log off and back on before a change takes place, or force Group Policy replication by using the gpupdate /force command.
- Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.
- Plan and configure security settings.
- Plan network zones for computer roles.
- Plan and configure software restriction policies.
- Plan and configure auditing and logging for a computer role. Considerations include Windows Events, Internet Information Services (IIS), firewall log files, Netlog, and RAS log files.
- Analyze security configuration. Tools include Microsoft Baseline Security Analyzer (MBSA), the MBSA command-line tool, and Security Configuration and Analysis.
There are many predefined security templates that are available to you in Windows 2003. You can define Account Policies, Local Policies, Event Log, Restricted Groups, Registry and File Systems using these templates.
Permissions can be set for individual keys in the registry. You can also choose for new permissions to propagate to all subfolders and files.
You can modify account policies at the OU level. Maximum password age, minimum password length, and password complexity are some of the items you can change in account policies.
On pre-Windows 2000 computers, you used the System Policy Editor to make changes to the NTconfig.pol.
The types of events you can audit are: Account Logon, Account Management, Object Access, Logon Events, Policy Change, and System Events.
User Rights can be defined under Local Policies. This controls the rights that a user has to their computer.
The Security Options define policies such as how much access a user has to their drives, driver installation, and digital encryption and signing.
You can set system services to Automatic, Manual or Disable. You should always disable services that are not needed on any server to save resources and prevent possible exploitation of the service.
You can define who belongs in a restricted group in the Restricted Groups subnode.
Event logs should be checked daily and should be retained for a specific amount of time depending on the policies of your organization. You can determine the Maximum Log Size, Retention Method, and who gets to view the log files.
In your organization, you may have several different types of servers performing any number of roles. If you set security settings incorrectly, you may not be able to get to needed services.
The four network zones are Restricted Site, Internet, Local Internet and Trusted Sites.
The Group Policy Object Editor allows you to specify four different policy rules: Certificate Rule, Hash Rule, Internet Zone Rule and Path Rule.
By studying your log files, you can learn to identify abnormal behavior. It is important that you have a baseline from which to compare current log events. There are many different log files, but mainly you need to be concerned with the log files you find in Event Viewer.
The Microsoft Baseline Security Analyzer checks to make sure that your computers have all the critical updates and patches installed. To run MBSA from the command line, use MBSAcli.exe.
Implementing, Managing, and Troubleshooting Patch Management Infrastructure
- Plan the deployment of service packs and hotfixes.
- Evaluate the applicability of service packs and hotfixes.
- Test the compatibility of service packs and hotfixes for existing applications.
- Plan patch deployment environments for both the pilot and production phases.
- Plan the batch deployment of multiple hotfixes.
- Plan rollback strategy.
- Assess the current status of service packs and hotfixes. Tools include MBSA and the MBSA command-line tool.
- Assess current patch levels by using the MBSA command-line tool with scripted solutions.
- Deploy service packs and hotfixes.
A patch or hotfix normally deals with a specific issue, and patches are issued by Microsoft continually. A service pack is a culmination of many patches and updates, and may contain additional features.
It may not be necessary to install all patches because some may not apply to your computers. Patches are given different levels: Critical, Important, Moderate and Low.
Many times a patch will break an application and cause it not to function properly. You should always have a pre-deployment or pilot group of computers that allows you to test the patches before deploying to your entire network.
Once you have deployed patches to your pilot group, make sure that all applications function normally. It may be that you have to exclude certain updates for specific computers.
Qtool.exe is a command-line utility that allows you to install multiple patches without having to reboot the computers between installations.
In the event that the computers in your pilot group pass the test but production computers do not, you need to have some mechanism to remove patches after they have been deployed. These mechanisms can include Add/Remove Programs, System Restore, Group Policy, or a custom-written script.
The MBSA command-line tool can help you determine if you are missing critical updates. It can even scan remote networks, provided you have opened the proper ports on the firewall.
It is possible to use a batch file or scripting code to run the MBSA tool. This script can then be scheduled to run using the Task Scheduler.
Deploy service packs and hotfixes on new servers and client computers. Considerations include slipstreaming, custom scripts, and isolated installation or test networks.
There are several methods for deploying patches. Even though installing patches manually may seem old hat, it may sometimes be necessary if your automated method is not working. Installing manually without silent switches can allow you to see how the update installed and what may be causing problems. You can also use Group Policy, scripting, SUS or SMS to install updates. You can also build updates into your initial operating system deployment using slipstreaming.
Implementing, Managing, and Troubleshooting Security for Network Communications
- Plan IPSec deployment.
- Decide which IPSec mode to use.
- Plan authentication methods for IPSec.
- Test the functionality of existing applications and services.
- Configure IPSec policies to secure communication between networks and hosts.
- Hosts include domain controllers, Internet Web servers, databases, e-mail servers, and client computers.
- Configure IPSec authentication.
The three default IPSec policies are Secure Server, Server and Client.
- Configure appropriate encryption levels.
Considerations include the selection of perfect forward secrecy (PFS) and key lifetimes.
IPSec can use SHA1, MD5, DES and 3DES as its hashing algorithm. Perfect forward secrecy (PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised.
- Configure the appropriate IPSec protocol. Protocols include Authentication Header (AH) and Encapsulating Security Payload (ESP).
Authentication Header (AH) is a member of the IPSec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets but does not encrypt data. Encapsulating Security Payload (ESP) provides confidentiality, data origin authentication, connectionless integrity and encryption.
- Configure IPSec inbound and outbound filters and filter actions.
- Deploy and manage IPSec policies.
Transport mode secures the traffic between two computers on the same network while Tunnel mode secures traffic between two computers on different networks.
IPSec supports Kerberos, Certificates and Preshared Keys.
Kerberos is used for authentication in a Windows network. Certificates are used for access involving Internet access. Preshared Keys use plain text to transfer a character string and should not be used if possible.
Similar to patches, you need to test your IPSec implementation to make sure it does not break any applications.
Filters are the most important part of the IPSec policy for a computer that is protected by IPSec. If they are not applied properly, the intended security may not be provided.
- Deploy IPSec policies by using Local policy objects or Group Policy objects (GPOs).
- Deploy IPSec policies by using commands and scripts. Tools include IPSecPol and Netsh.
- Deploy IPSec certificates.
- Troubleshoot IPSec.
- Monitor IPSec policies by using IP Security Monitor.
IPSec can be monitored using the IP Security Monitoring snap-in.
- Configure IPSec logging. Considerations include Oakley logs and IPSec driver logging.
IPSec logging doesn’t use much space, but make sure that you have at least 10 MB free. To enable Oakley logging, type netsh ipsec dynamic set config ikelogging 1 at a command prompt. To enable IPSec to write to the Event Viewer logs, type netsh ipsec dynamic set config ipsecdiagnostics 7.
- Troubleshoot IPSec across networks.
Considerations include network address translation, port filters, protocol filters, firewalls, and routers.
In order to troubleshoot across networks, you must make sure that the ports 50, 51 and 500 are open for inbound and outbound traffic.
- Troubleshoot IPSec certificates. Considerations include enterprise trust policies and certificate revocation list (CRL) checking.
- Plan and implement security for wireless networks.
IPSec can be configured at any level of your Active Directory structure using a Group Policy.
Two command-line utilities that can be used to deploy IPSec policies are IPSecpol.exe and Netsh with the IPSec switch.
Considerations include deployment of certificates and renewing certificates on managed and unmanaged client computers.
Certificates are mainly used when providing security between Active Directory forests where there is no trust relationship.
A certificate will fail only if it is explicitly mentioned in the CRL. By typing netsh ipsec dynamic set config strongcrlcheck value=2 from a command prompt, you can specify strong CRL checking.
- Plan the authentication methods for a wireless network.
- Plan the encryption methods for a wireless network.
- Plan wireless access policies.
- Configure wireless encryption.
- Install and configure wireless support for client computers.
- Deploy, manage, and configure SSL certificates, including uses for HTTPS, LDAPS, and wireless networks. Considerations include renewing certificates and obtaining self-issued certificates instead of publicly issued certificates.
- Obtain self-issued certificates and publicly issued certificates.
Using your Web server, you can get an SSL certificate from an external CA or from a self-issued CA.
- Install certificates for SSL.
An SSL certificate is an encrypted text file that your Web server can understand. You should make a backup of your existing certificates before installing new ones.
- Renew certificates.
Certificates can be renewed by choosing Renew when running the Web server’s certificate wizard.
- Configure SSL to secure communication channels.
- Configure security for remote access users.
There are three types of wireless authentication methods: Open System Authentication, Shared Key Authentication, and 802.1 Authentication.
The two methods Microsoft provides for wireless encryption are Wired Equivalent Privacy (WEP) and 802.1x.
Use the Wireless Network Policy Wizard to create a wireless policy.
After configuring your wireless network policy, you can set the policy to use WEP or IEEE 802.1x encryption.
Windows 2003 and Windows XP support Wireless Zero Configuration, which will cause them to automatically connect to wireless networks.
Wireless Zero Configuration will scan for all available wireless access points and automatically configure them. IEEE 802.1x encryption must be manually configured.
Communication channels include client computer to Web server, Web server to SQL Server computer, client computer to Active Directory domain controller, and e-mail server to client computer.
- Configure authentication for secure remote access.
- Configure and troubleshoot virtual private network (VPN) protocols.
- Manage client configuration for remote access security.
Authentication types include PAP, CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5, EAP-TLS, and multifactor authentication that combines smart cards and EAP.
Considerations include Internet service provider (ISP), client operating system, network address translation devices, Routing and Remote Access servers, and firewall servers.
Tools include remote access policy and the Connection Manager Administration Kit.
Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI
- Plan and configure authentication.
- Plan, configure, and troubleshoot trust relationships.
A trust relationship allows users in one domain to access resources in another domain. All domains in the same forest trust each other by default. You can configure a new trust by running the New Trust Wizard.
- Plan and configure authentication protocols.
Kerberos is the protocol used by Windows 2003.
- Plan and configure multifactor authentication.
Using more than one form of authentication helps to secure your network. Usernames and passwords alone are more easily broken.
- Plan and configure authentication for Web users.
- Plan group structure.
Anonymous Access, Basic, and Digest are the three authentication methods used by IIS for Web authentication.
- Decide which types of groups to use.
- Plan security group scope.
- Plan nested group structure.
- Plan and configure authorization.
Security groups are used for assigning rights or permissions to resources in Active Directory. Distribution groups are used for email distribution lists.
Universal, Global, and Domain Local are the three security group scopes.
Nesting is when you add a group as a member of another group. While this can simplify permissions in some cases, it can also get confusing if you nest too far.
- Configure access control lists (ACLs).
- Plan and troubleshoot the assignment of user rights.
- Plan requirements for digital signatures.
- Install, manage, and configure Certificate Services.
Access Control Lists set the permissions that a user has over an object. You can set these using the Security Tab in an object’s Properties or from a command prompt using Cacls.exe.
If a user cannot gain access to an object or resource, it is necessary to determine which groups that user belongs to and how you may have nested groups. Also remember there are NTFS rights and share permissions that must be considered.
A digital signature assures you that the user who sent a document is truly that user. Digital signatures are not responsible for data encryption.
- Install and configure root, intermediate, and issuing certification authorities (CAs). Considerations include renewals and hierarchy.
- Configure certificate templates.
- Configure, manage, and troubleshoot the publication of certificate revocation lists (CRLs).
- Configure archival and recovery of keys.
- Deploy and revoke certificates to users, computers, and CAs.
- Backup and restore the CA.
Certificates can be configured and managed using the MMC Certificate Authority snap-in Certtmpl.msc.
If a certificate becomes compromised, you can revoke it using the Certificate Authority snap-in.
You should archive your keys in case they need to be recovered. Certutil.exe can perform the key recovery.
You can back up your certificates using the Certification Authority snap-in or by backing up the System State data.