Table of Contents Index Examples Implementing and Administering Security in a Windowsđ Server 2003 Network Exam Cram™ 2 (Exam 70-299) By Diane Barrett, Bill Ferguson, Don Poulton Publisher : Que Pub Date : May 25, 2004 ISBN : 0-7897-3138-X Pages : 384 The 70-299 exam measures your ability to implement, manage, maintain, and troubleshoot security in a Windows Server 2003 network infrastructure and also plan and configure a Windows Server 2003 PKI The MCSE 70-299 Exam Cram 2 gives you the essential information you need to know to learn how to implement, manage, and troubleshoot security policies, patch management infrastructure, security for network communications, as well as how to plan, configure and troubleshoot authentication, authorization, and PKI This book can be used as a sole study guide for those experienced with Windows 2003 security or it is the perfect supplement guide for more comprehensive training materials, instructor-led classes, and/or computerbased training • • • Table of Contents Index Examples Implementing and Administering Security in a Windows® Server™ 2003 Network Exam Cram™ 2 (Exam 70-299) By Diane Barrett, Bill Ferguson, Don Poulton Publisher : Que Pub Date : May 25, 2004 ISBN : 0-7897-3138-X Pages : 384 Copyright The 70-299 Cram Sheet IMPLEMENTING AND MANAGING SECURITY POLICIES IMPLEMENTING, MANAGING, AND TROUBLESHOOTING PATCH MANAGEMENT INFRASTRUCTURE IMPLEMENTING AND MANAGING SECURITY FOR NETWORK COMMUNICATIONS PLANNING AND CONFIGURING AUTHENTICATION AND AUTHORIZATION FOR REMOTE ACCESS USERS PLANNING, CONFIGURING, AND TROUBLESHOOTING PKI TROUBLESHOOTING SECURITY POLICIES AND IPSEC PLANNING AND IMPLEMENTING SECURITY FOR WIRELESS NETWORKS A Note from Series Editor Ed Tittel About the Authors About the Technical Editors Acknowledgments We Want to Hear from You! Introduction Taking a Certification Exam Arriving at the Exam Site In the Exam Room Notes on This Book's Organization How to Prepare for an Exam How This Book Helps You Self-Assessment MCSAs and MCSEs in the Real World The Ideal MCSA or MCSE Candidate Put Yourself to the Test Assessing Readiness for Exam 70-299 Take the Challenge! Chapter 1 Implementing and Managing Security Policies Managing Security Mechanisms in Windows Server 2003 Planning and Deploying Security Templates Planning Security for the DHCP and DNS Infrastructure Services Planning and Configuring Auditing and Logging Computer Roles Exam Prep Questions Configuring Extra Security Based on Server Roles Configuring Extra Security Based on Client Roles Analyzing Security Configuration Chapter 2 Implementing, Managing, and Troubleshooting Patch Management Infrastructure Planning, Evaluating, and Testing the Deployment of Service Packs and Hotfixes Using MBSA to Assess the Current Status of Service Packs and Hotfixes Troubleshooting Patch Management Infrastructure Exam Prep Questions Chapter 3 Implementing and Managing Security for Network Communications Planning an IPSec Deployment Configuring IPSec Policies Deploying and Managing IPSec Policies Exam Prep Questions Chapter 4 Planning and Configuring Authentication and Authorization for Remote Access Users Deploying, Managing, and Configuring SSL Certificates Configuring Security and Authentication for Remote Access Users Configuring and Troubleshooting Virtual Private Network (VPN) Protocols Exam Prep Questions Managing Client Configuration for Remote Access Security Chapter 5 Planning, Configuring, and Troubleshooting PKI Public Key Infrastructure (PKI) and Certification Authority (CA) Hierarchies Backing Up and Restoring the CA Managing CAs Troubleshooting Authentication, Authorization, and PKI Exam Prep Questions Chapter 6 Troubleshooting Security Policies and IPSec Troubleshooting Security Policies Troubleshooting IPSec Exam Prep Questions Chapter 7 Planning and Implementing Security for Wireless Networks Planning the Authentication Methods for a Wireless Network Planning the Encryption Methods for a Wireless Network Planning and Configuring Wireless Access Policies Configuring Wireless Encryption Exam Prep Questions Configuring SSL Certificates for Wireless Networks Installing and Configuring Wireless Support for Client Computers Chapter 8 Practice Exam #1 Chapter 9 Answer Key to Practice Exam #1 Chapter 10 Practice Exam #2 Chapter 11 Answer Key to Practice Exam #2 Appendix A CD Contents and Installation Instructions Multiple Test Modes Random Questions and Order of Answers Attention to Exam Objectives Installing the CD Detailed Explanations of Correct and Incorrect Answers Technical Support Appendix B Suggested Reading and Resources General Resources Chapter 1 Chapter 2 Chapter 4 Chapter 6 Chapter 3 Chapter 5 Chapter 7 Glossary Index Copyright Copyright © 2004 by Que Publishing All rights reserved No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher No patent liability is assumed with respect to the use of the information contained herein Although every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions Nor is any liability assumed for damages resulting from the use of the information contained herein Library of Congress Catalog Card Number: 2003115432 Printed in the United States of America First Printing: June 2004 07 06 05 04 4 3 2 1 Trademarks All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized Que Publishing cannot attest to the accuracy of this information Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark Warning and Disclaimer Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied The information provided is on an "as is" basis The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it Bulk Sales Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales For more information, please contact U.S Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com For sales outside of the U.S., please contact International Sales 1-317-428-3341 international@pearsontechgroup.com Credits Publisher Paul Boger Executive Editor Jeff Riley Acquisitions Editor Jeff Riley Development Editor Steve Rowe Managing Editor Charlotte Clapp Project Editor Tricia Liebig Copy Editor Benjamin Berg Indexer Ken Johnson Proofreader Linda Seifert Technical Editors David Neilan Marc Savage Team Coordinator Pamalee Nelson Multimedia Developer Dan Scherf Interior Designer Gary Adair Cover Designer Anne Jones Page Layout Susan Geiselman Dedication To the memory of my brothers, Steven and Ronald Diane Barrett This book is dedicated to my mother, Suanne Her creative spirit and her accomplishments as a writer and a teacher have been a constant source of encouragement to me Bill Ferguson To my wife Terry, who has stood by me during the hours involved over the holidays as I worked hard to make this book a reality Don Poulton The 70-299 Cram Sheet This Cram Sheet contains the distilled, key facts you need for Exam 70-299, Implementing and Administering Security in a Microsoft Windows Server 2003 Network Review this information as the last thing you do before you enter the testing center, paying special attention to those areas in which you feel that you need the most review You can transfer any of these facts from your head onto a blank sheet of paper given to you by the testing center, immediately before you begin the exam shared-secret authentication [See shared-key authentication] shortcuts MeasureUp practice test CD snap-ins Certificate Templates snap-in Autoenrollment column certificate enrollment IP Security Monitor snap-in 2nd 3rd 4th 5th software restriction policies certificate rules creating hash rules Internet zone rules loopback policies path rules SQL servers security, cofiguring WRMS SSID (service set identifiers) open authentication SSL LDAP 2nd SSL (Secure Sockets Layer) Active Directory 2nd certificates client configuration Web Server configuration 2nd standard connection outline SSL (Secure Sockets Layer) certificates communication integrity option communication privacy option IAS servers, configuring for 2nd 3rd mutual authentication option wireless network access policies wireless networks 2nd 3rd 4th EKU extensions standalone CA storing certificate templates 2nd certificates [See certificate stores] strings preshared keys Study mode (MeasureUp practice test CD) Subject Name tab (certificate templates) subordinate CA CRL suggested reading (certification exams) 2nd 3rd 4th 5th 6th 7th 8th 9th Summary of Selections page (RSoP custom console) Superseded Templates tab (certificate templates) System Services policies automatic setting disabled setting Edit Security option manual setting System.adm administrative templates [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] tabs Advanced tab (Internet Options dialog box) SSL certificate configuration Directory Security tab (IIS Manager tool) Certificate Wizard Group Policy tab Clear This Database Before Importing option Rules tab (IPSec policies) tasks running scheduling via AT command technical support templates administrative (Group Policy) Conf.adm Inetres.adm System.adm Wmplayer.adm Wuau.adm certificate templates certificate enrollment configuring configuring properties 2nd 3rd deploying Extensions tab 2nd General tab Issurance Requirements tab Request Handling tab 2nd Security tab storing 2nd Subject Name tab Superseded Templates tab version 1 2nd version 2 2nd 3rd 4th 5th Domain Controller configuring security 2nd highly secure templates Windows NT 4.0 2nd security account policies 2nd 3rd assigning user rights Compatws.inf 2nd customizing, file system permissions 2nd customizing, Registry permissions 2nd 3rd 4th DC security.inf deploying 2nd 3rd 4th 5th 6th 7th 8th 9th 10th Enterprise Client templates Event Log security policies High Security templates Hisecdc.inf Hisecws.inf importing into Group Policy Legacy Client templates local audit policies 2nd merging in SCA console Notssid.inf policy file configuration restricted group policies 2nd Rootsec.inf Securedc.inf Securews.inf security option policies 2nd Setup security.inf 2nd System Services policies 2nd 3rd 4th System Services policies;Edit Security option viewing settings security templates troubleshooting group policy applications 2nd 3rd troubleshooting in Windows 2000 2nd troubleshooting in Windows NT 4.0 2nd 3rd 4th troubleshooting manual editing troubleshooting security configuration/analysis 2nd tests MeasureUp practice test CD installing randomizing questions/answers shortcuts test modes 2nd multiple choice practice test 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th 18th 19th 20th 21st 22nd 23rd 24th 25th 26th 27th 28th 29th 30th 31st 32nd 33rd 34th 35th 36th 37th 38th 39th 40th 41st 42nd 43rd 44th 45th 46th 47th 48th 49th 50th 51st 52nd 53rd 54th 55th 56th 57th 58th 59th 60th 61st 62nd 63rd 64th 65th 66th 67th 68th answer key 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th 18th 19th 20th 21st 22nd 23rd 24th 25th 26th 27th 28th 29th 30th 31st 32nd 33rd 34th 35th 36th 37th 38th 39th suggested reading 2nd 3rd 4th 5th 6th 7th 8th 9th The Key is Provided Automatically option (WEP encryption) Third-Party Root Certification Authorities certificate stores This is a Computer-to-Computer (Ad Hoc) Network Wireless Access Points Are Not Used option (WEP encryption) three-tier CA hierarchies enterprise CA intermediate CA issuing CA 2nd root CA standalone CA subordinate CA TLS (Transport Layer Security) EAP transport mode (IPSec) 2nd AH transport mode 2nd ESP transport mode 2nd troubleshootin PKI 2nd 3rd troubleshooting Certificate Services 2nd 3rd CRL IPSec automatic certificate requests 2nd CRL 2nd driver logging 2nd 3rd enterprise trust policies (Group Policy) 2nd firewalls 2nd monitoring policies 2nd 3rd 4th 5th NAT 2nd Oakley logs 2nd 3rd port filters 2nd 3rd protocol filters 2nd 3rd routers 2nd RSVP security policies inheritance 2nd 3rd 4th 5th 6th 7th 8th security templates group policy applications 2nd 3rd in Windows 2000 2nd in Windows NT 4.0 2nd 3rd 4th manual editing security configuration/analysis 2nd Trusted People certificate stores Trusted Publishers certificate stores Trusted Root Certification Authorities certificate stores trusted sites zones security, configuring tunnel endpoints (IPSec policies) configuring tunnel mode (IPSec) 2nd AH tunnel mode ESP tunnel mode tunnel endpoints, configuring tunneling protocols L2TP 2nd 3rd 4th 5th 6th PPTP 2nd 3rd 4th 5th 6th 7th two-tier CA hierarchies enterprise CA issuing CA root CA standalone CA subordinate CA [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] universal group scope (Active Directory groups) Untrusted Publishers certificate stores Use Windows to Configure Wireless Network Settings for Clients option (Wireless Network Policy Wizar user rights assigning logon rights User Selection page (RSoP custom console) Error Information tab General tab [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] version 1 certificate templates EKU extensions version 2 certificate templates autoenrollment 2nd 3rd editing viewing certificate purposes client logs Event Viewer filters IPSec Monitor console security template settings VPN (virtual private networks) configuring client support 2nd firewall support ISP support NAT device support 2nd 3rd Remote Access server support Routing server support tunneling protocols L2TP 2nd 3rd 4th 5th 6th PPTP 2nd 3rd 4th 5th 6th 7th [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] Web servers SSL standard connection outline SSL certificate configuration 2nd WEP (Wired Equivalent Privacy) encryption (wireless networks) configuring 2nd Network Authentication (Shared Mode) option 2nd The Key is Provided Automatically option This is a Computer-to-Computer (Ad Hoc) Network Wireless Access Points Are Not Used option WEP (wired equivalent privacy) keys open authentication Windows 2000 security templates troubleshooting in 2nd Wireless Zero Configuration Windows CE NET Wireless Zero Configuration Windows Component Wizard intermediate CA installing 2nd 3rd root CA installing 2nd 3rd Windows NT 4.0 file/folder permissions 2nd Group Policy highly secure templates 2nd security templates troubleshooting in 2nd 3rd 4th Windows Server 2003 manual configuration (wireless networks) 2nd 3rd Wireless Zero Configuration 2nd modifying settings Windows XP IEEE 802.1x authentication manual configuration (wireless networks) 2nd 3rd Wireless Zero Configuration 2nd 3rd modifying settings wireless networks access policies building in Group Policy configuring in Group Policy guidelines 2nd managing via IAS 2nd 3rd 4th SSL certificates authentication 802.1x authentication standard 2nd EAP-MS-CHAPv2 authentication 2nd 3rd EAP-TLS authentication 2nd 3rd 4th 5th open authentication PEAP authentication 2nd 3rd 4th shared-key authentication encryption 802.1x 2nd 3rd IPSec WEP 2nd 3rd IEEE 802.11 standards 2nd 3rd manual configuration 2nd 3rd open-system authentication SSL certificates 2nd 3rd 4th configuring IAS servers for 2nd 3rd EXU extensions Wireless Zero Configuration 2nd modifying settings Wireless Zero Configuration 2nd 3rd modiyfing settings Wirelss Network Policy Wizard Automatically Connect to Non-preferred Networks option Check for Policy Changes Every option Networks to Access option Use Windows to Configure Wireless Network Settings for Clients option wizards Certificate Export Wizard certificate backups Certificate Wizard (IIS Manager tool) SSL certificate configuration CertificateImport Wizard certificates with private keys 2nd Certification Authority Restore Wizard CMAK installing IIS Lockdown Wizard IP Filter Wizard (IPSec) Resultant Set of Policy Wizard (RSoP custom console) Windows Component Wizard installing intermediate CA 2nd 3rd installing root CA 2nd 3rd Wireless Network Policy Wizard Automatically Connect to Non-preferred Networks option Check for Policy Changes Every option Networks to Access option Use Windows to Configure Wireless Network Settings for Clients option WMIC (WMI Command-Line interface) security templates, deploying Wmplayer.adm administrative templates workstations auditing World Wide Web Publishing Service (IIS servers) WRMS (Windows Rights Management Services) Wuau.adm administrative templates ... Examples Implementing and Administering Security in a Windows Server 20 03 Network Exam Cram 2 (Exam 70 -29 9) By Diane Barrett, Bill Ferguson, Don Poulton Publisher : Que Pub Date : May 25 , 20 04 ISBN. .. Pages : 384 Copyright The 70 -29 9 Cram Sheet IMPLEMENTING AND MANAGING SECURITY POLICIES IMPLEMENTING, MANAGING, AND TROUBLESHOOTING PATCH MANAGEMENT INFRASTRUCTURE IMPLEMENTING AND MANAGING SECURITY FOR NETWORK COMMUNICATIONS... Birmingham, Alabama, teaching classes for most of the national training companies and some regional training companies In addition, Bill writes and produces technical training videos for Virtual Training Company, Inc