troubleshoot security policies, patch
network communications, as well as how to plan, configure and troubleshoot authentication, authorization, and PKI. This book can be used as a sole study guide for those experienced with Windows 2003 security or it is the perfect supplement guide for more comprehensive training materials, instructor-led classes, and/or computer-based training.
Copyright © 2004 by Que Publishing
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
as affecting the validity of any trademark or service mark
Warning and Disclaimer
Every effort has been made to make this book as complete and
Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For
To my wife Terry, who has stood by me during the hours involved over the holidays as I worked hard to make this book a reality.
Don Poulton
This Cram Sheet contains the distilled, key facts you need for Exam 70-299, Implementing and Administering Security in a Microsoft Windows Server 2003 Network. Review this information as the last thing you do before you enter the testing center, paying special attention to those areas in which you feel that you need the most review. You can transfer any of these facts from your head onto a blank sheet of paper given to you by the testing center, immediately before you begin the exam.
POLICIES
1 Groups can be defined as either security or distribution. Security groups can be assigned permissions to resources through access control entries (ACEs). Distribution groups are used for membership purposes only. A security group can also be used as an email entity.
2 A group can be converted from a security group to a distribution group, and vice versa, only if the domain functional level is set to Windows 2000 native or higher. Security groups with universal scope cannot be created in mixed mode. Universal scope is supported only in domains in which the functional level is set to native mode.
3 A group's scope dictates who can be a member of the group and what resources the group has access to. Local requires access to the specific computer where the local group is created. Domain local groups can contain user, global, and universal groups. Global groups can contain global groups from the same domain. Universal groups can contain other universal and global groups from any domain but not
Manager and NTLM authentication), Hisecws and Hisecdc (highly secure), Rootsec (changes the root directory permissions), and Notssid (removes the unnecessary Terminal Server SIDs).
5 Three account policy areas can be configured: Password, Account Lockout, and Kerberos policies. Only one domain account policy can exist. The policy is applied at the root of the domain and becomes the policy for any system that is a member of the domain. When an account policy is configured for an OU, these settings affect the local policy settings on the computers contained in the OU.
6 The Members list defines who belongs to a restricted group while the Member Of list states which other groups a restricted group belongs to. When a group is added to the Restricted Groups portion of a security template, only group members listed in the template will remain once the template is applied.
7 The Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares and Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts policies replace the Windows 2000 Additional Restrictions for Anonymous Connections that managed the Registry value called Restrict Anonymous.
8 Gpupdate replaces the Windows 2000 command secedit /refreshpolicy. The syntax is as follows: gpupdate
secedit /configure, secedit /export, secedit /import, secedit /validate, and secedit /GenerateRollback
10 Use loopback policy to override user-based Group Policy with computer-based Group Policy. This makes the desktop configuration the same regardless of who logs on.
11 Use software restriction policies for more control over who receives what software. A default security level of Unrestricted (allowed) or Disallowed (not allowed) for a Group Policy object (GPO) is defined. You can create the following types of rules for exceptions: Hash, certificate, path, and Internet rules.
12 If you do not want the software restriction policies to apply to local administrators, click All Users Except Local Administrators under the Enforcement object of Group Policy.
2 You can use Group Policy to distribute service pack installations by making a new software installation package (.msi file) and linking it to a GPO through the computer configuration settings.
3 MBSA references an Extensible Markup Language (XML) file called Mssecure.xml. When you run MBSA for the first time, it obtains a copy of this Mssecure.xml file in a digitally signed cab file. The Mssecure.cab file ensures that only the signed cab file is used and prevents the downloading of an out-of-date XML file.
4 The Microsoft Network Security Hotfix Checker (HFNetChk) tool can be used to scan for missing security updates and service packs by using mbsacli.exe /hf with the appropriate parameters.
5 Qfecheck.exe has the ability to track and verify installed Windows 2000 and Windows XP hotfixes by reading the
Windows XP Professional, or Windows Server 2003
7 In WU and SUS environments, some Microsoft products must be updated by using other services or by manually applying software updates. SMS does not have this limitation and can be used to update any software product on an SMS client.
8 Slipstreaming simultaneously installs service packs with an operating system. The installation includes the components and updates as entries in the Svcpack.inf file. Copy the installation files for the operating system and the updates to a shared distribution folder, create the package, and then run Setup to deploy the installation either from the shared distribution folder or a CD-ROM.
FOR NETWORK COMMUNICATIONS
1 IPSec can now function through Network Address Translation (NAT) as long as it is configured to allow UDP traffic. The Internet Key Exchange (IKE) protocol will detect the presence of NAT and use UDP-ESP encapsulation to allow the traffic to pass through.
2 AH and ESP provide for authentication, integrity, and anti-replay of each packet. ESP also provides for confidentiality. ESP does not sign the entire packet; only the IP payload itself is encrypted.
3 Transport mode IPSec is used for secure communication between clients and servers on a LAN, and tunnel mode is used for secure communication between networks.
4 Kerberos is the default authentication method for Windows 2000 Server and Windows Server 2003. It can only be used with Microsoft clients later than Windows 2000 Professional. Using Kerberos requires the least administrative effort.
Authentication methods, Tunnel endpoint, and Connection type. Know how to use the Edit button to modify filter properties.
7 Create, modify, and deploy IPSec policies using the IP
8 Group Policies are created in a domain and then linked to the appropriate container. Group Policies are processed in the order of local, site, domain, OU, and then child OU. IPSec policies that conflict will be overridden by the next level of processing.
9 PPTP is the recommended protocol when tunneling with NAT using Microsoft servers earlier than Windows Server 2003. Windows Server 2003 allows IPSec to be used through a NAT via IP NAT Traversal.
10 If all computers belong to the Windows Server 2003 family, you can deploy IPSec using the netsh ipsec command. Netsh ipsec static can create, modify, and assign IPSec policies without immediately affecting the active IPSec policies. Netsh ipsec dynamic displays the active state of IPSec and immediately affects the configuration of the active IPSec policy.
AUTHENTICATION AND AUTHORIZATION FOR REMOTE ACCESS USERS
1 Open port 1723/tcp to allow PPTP traffic and port 1701/udp to allow L2TP traffic to pass through a firewall. Secure Sockets Layer (SSL) traffic uses the HTTPS protocol and port 443.
2 MS-CHAPv2 is supported by Windows XP, 2000, 98, Me, and NT 4.0. Windows 95 clients support MS-CHAPv2 for virtual private networking (VPN) connections but not for dial-up connections.
6 Remote access policies consist of conditions, permissions, and profile components that work together to allow or deny a connection. If multiple policies are configured, they will be processed in order from the top down. Place the policy that
9 You can use Connection Manager Administration Kit (CMAK) to fully customize a connection and provide additional functionality for users.
3 Only version 2 certificates support autoenrollment, and require that users have the Read, Enroll, and Autoenroll permissions to autoenroll certificates.
4 The Request Handling tab enables you to configure the following certificate template properties for version 2 templates: Purpose (encryption, signature, and signature and encryption), Minimum key size (512 to 16,384 bits), Do the Following When the Subject Is Enrolled and When the Private Key Associated with This Certificate Is Used (options for the amount of user input required), and CSPs (cryptographic service providers that are used in certificate requests).
5 You can control the issuance of certificate requests by configuring permissions on the template from the Security tab, preventing the CA from issuing that certificate type (by deleting the template from the list in the CA snap-in), or by configuring the permissions on the CA.
6 When you revoke a certificate, the revoked certificate is published in the CRL. Windows Server 2003 has added a
8 Using Ntbackup to back up the system state data will back up the Certificate Services database. Also back up IIS because the proper functioning of the certificate server depends on the Web enrollment pages. You can back up Certificate Services by itself, which also provides a restore wizard.
9 When problems occur with authentication, authorization, or PKI, you should follow general troubleshooting practices by examining event logs. Ensure that IIS is operating properly and is configured for execution of scripts.
TROUBLESHOOTING SECURITY POLICIES AND IPSEC
1 Troubleshooting of Group Policy security templates and other security settings involves the logging mode of RSoP. You use RSoP in logging mode only when the specified user has logged on to the specified computer.
2 You cannot use Group Policy to apply security templates to computers running Windows NT 4.0 or 9x. To manage Windows 9x computers, use System Policy Editor to create Config.pol files. To manage Windows NT 4.0 computers, use an NTconfig.pol file.
3 The Block Policy inheritance and No Override settings can be used to control what policies apply. A No Override attribute has precedence over all the policies that are applied thereafter. The Block Policy inheritance attribute blocks all Group Policy settings that are passed down to the site, domain, or OU from a parent. Blocking does not affect local GPOs.
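As an added example that is not from the book, the precedence rules in item 3 and the local, site, domain, OU, child OU processing order from item 8 of the network communications section are worked through in Python below. The GPO names, setting names and values are constructed sample data, and the resolver assumes at most one GPO link per level.

```python
from dataclasses import dataclass

# Group Policy processing order: local, site, domain, OU, child OU.
# A later level normally overwrites the same setting from an earlier one.
ORDER = ("local", "site", "domain", "ou", "child_ou")


@dataclass
class Gpo:
    name: str
    level: str                 # one of ORDER
    settings: dict             # setting name -> value
    no_override: bool = False  # "No Override" set on the GPO link


def resolve(gpos, blocked_levels=frozenset()):
    """Return {setting: (value, winning GPO name)} after applying the rules:
    - processing order as in ORDER, last writer wins;
    - a No Override link beats every policy applied after it, and among
      conflicting No Override links the one higher in the hierarchy wins;
    - Block Policy Inheritance on a level drops what was passed down from
      above it, but never local GPO settings and never No Override settings.
    """
    effective = {}   # current winner per setting
    local = {}       # local GPO settings, which survive a block
    enforced = {}    # settings owned by the highest No Override link so far
    for level in ORDER:
        if level in blocked_levels and level != "local":
            effective = dict(local)
            effective.update(enforced)
        for gpo in (g for g in gpos if g.level == level):
            for key, value in gpo.settings.items():
                if key in enforced:
                    continue  # a higher No Override link already owns it
                effective[key] = (value, gpo.name)
                if level == "local":
                    local[key] = (value, gpo.name)
            if gpo.no_override:
                for key, value in gpo.settings.items():
                    enforced.setdefault(key, (value, gpo.name))
    return effective


def sample_gpos():
    """Constructed sample hierarchy; names and values are made up."""
    return [
        Gpo("Local Policy", "local",
            {"AuditLogonEvents": "No auditing", "RestrictAnonymous": 0}),
        Gpo("Site Default", "site", {"AuditLogonEvents": "Success"}),
        Gpo("Domain Security", "domain", {"RestrictAnonymous": 2},
            no_override=True),
        Gpo("Workstations OU", "ou",
            {"RestrictAnonymous": 1, "IPSecPolicy": "Client (Respond Only)"}),
        Gpo("Finance Child OU", "child_ou",
            {"IPSecPolicy": "Secure Server (Require Security)"}),
    ]


if __name__ == "__main__":
    for label, blocked in (("inherited", frozenset()),
                           ("Block Policy Inheritance on the OU", {"ou"})):
        print(label)
        for key, (value, source) in sorted(resolve(sample_gpos(), blocked).items()):
            print(f"  {key} = {value!r}  (from {source})")
```

Running it with the block enabled shows the site-level audit setting disappear while the local value and the No Override domain value both survive, which is the distinction item 3 draws.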
4 You can run the IP Security Monitor snap-in on Windows Server 2003 or Windows XP Professional computers only. If you run this snap-in on a Windows 2000 computer, you will receive the error "The IPSec server is unavailable or incompatible with the IPSec monitor."
5 Know which types of actions to audit for different scenarios. The 70-299 exam presents a drag-and-drop interface in which you must select success and failure actions to achieve a given objective.
6 You can use the Gpresult command-line utility to perform nearly all actions that are available in RSoP logging mode. One exception: Gpresult does not provide policy precedence.
7 When applying SCA, you might encounter the error message "Access is denied. Import failed. You do not have administrative rights. Error 1208: An extended error has occurred. Error opening." The error message indicates that the database may be configured with read-only permissions.
8 When a security policy won't take, one of the first places you should check is the Event Viewer logs. Errors with event IDs 1000 and 1001 that repeat at 5- to 7-minute intervals indicate problems with applying Group Policy.
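As an added example that is not part of the book, the following Python applies item 8's symptom to constructed Event Viewer export lines (timestamp, source, event ID, type). The log entries, including the source names and timestamps, are made up for the example; the 5- to 7-minute window and the event IDs 1000 and 1001 are the values the item gives.

```python
from datetime import datetime, timedelta

# Constructed sample of an Event Viewer export (date time,source,event ID,type).
# The entries are made up for this example, not taken from a real system.
SAMPLE_LOG = """\
2004-02-10 08:00:12,Userenv,1000,Error
2004-02-10 08:01:05,SceCli,1704,Information
2004-02-10 08:05:40,Userenv,1000,Error
2004-02-10 08:11:50,Userenv,1000,Error
2004-02-10 08:12:03,Userenv,1001,Error
2004-02-10 08:17:31,Userenv,1000,Error
2004-02-10 08:30:00,Userenv,1001,Error
2004-02-10 09:10:00,Userenv,1000,Error
"""


def parse_events(log_text):
    """Turn the export into (timestamp, source, event_id, type) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, source, event_id, kind = line.split(",")
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       source, int(event_id), kind))
    return events


def find_repeating_gp_errors(log_text, watch=(1000, 1001), min_events=3,
                             low=timedelta(minutes=5), high=timedelta(minutes=7)):
    """Return {event_id: [(first, last, count), ...]} for each run of a watched
    event ID whose consecutive occurrences are spaced 5 to 7 minutes apart.
    A run needs at least min_events occurrences to be reported, so a single
    isolated error is not mistaken for the periodic Group Policy retry."""
    by_id = {}
    for when, _source, event_id, _kind in parse_events(log_text):
        if event_id in watch:
            by_id.setdefault(event_id, []).append(when)

    runs = {}
    for event_id, times in by_id.items():
        times.sort()
        run = [times[0]]
        # A trailing None closes the final run through the same code path.
        for current in times[1:] + [None]:
            if current is not None and low <= current - run[-1] <= high:
                run.append(current)
                continue
            if len(run) >= min_events:
                runs.setdefault(event_id, []).append((run[0], run[-1], len(run)))
            run = [current]
    return runs


if __name__ == "__main__":
    for event_id, found in find_repeating_gp_errors(SAMPLE_LOG).items():
        for first, last, count in found:
            print(f"event {event_id}: {count} repeats from {first} to {last}")
```

On the sample, the four 1000 events between 08:00 and 08:17 are reported as one run, while the two 1001 events are too far apart and are ignored.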
9 Client computers configured with the Hisecws.inf or Securews.inf template cannot communicate with servers running Windows 2000 if their clocks differ by more than 30 minutes.
13 Windows XP and Windows Server 2003 record IPSec policy agent events in the security log. IKE events are recorded in the Oakley log, and IPSec driver events are logged to the system log.
FOR WIRELESS NETWORKS
1 Three means of wireless device authentication are currently used: open authentication (anyone providing the correct service set identifier [SSID] or wired equivalent privacy [WEP] key for the access point), shared key authentication (client sends a request for access to the access point, access point returns a challenge, and client returns an encrypted response), and 802.1x authentication standard (EAP integrated with an authenticating server such as a
3 EAP-TLS uses certificate-based mutual authentication, negotiation of the encryption method, and encrypted keys. Smart cards use EAP-TLS.
4 EAP-MS-CHAPv2 provides mutual authentication based on password-based user and computer authentication.
5 Protected EAP (PEAP) provides these benefits within TLS: an encrypted authentication channel, dynamic keying material from TLS, fast reconnect using cached session keys, and server authentication to protect against the setup of unauthorized access points.
6 PEAP with EAP-MS-CHAPv2 uses less effort to deploy because you do not need certificates or smart cards. PEAP with EAP-TLS provides the highest level of security because it uses certificates and smart cards.
7 You can duplicate a version 1 certificate template to obtain a version 2 copy, and then add certificate purposes to the copied template as necessary.
8 CAs on a server running Windows Server 2003, Standard Edition can only issue certificates based on version 1 templates. If you need to issue a certificate based on a version 2 template, you must install the CA on a server running Windows Server 2003, Enterprise Edition.
9 WEP alone does not protect data very well. If available, use 128-bit WEP and change the keys frequently. Use dynamic WEP keys if possible (requires access points that can provide them and wireless clients that can support them). Select the The Key Is Provided Automatically option to provide dynamic WEP keys.
10 Only Windows XP computers natively support 802.1x authentication. Microsoft provides an 802.1x Authentication Client download that allows Windows 2000 computers to use the 802.1x standard, and provides 802.1x Authentication Clients for Windows 98 and NT 4.0 Workstation to customers with Premier and Alliance support contracts.
Que Certification • 800 East 96th Street • Indianapolis, Indiana 46240
You know better than to trust your certification preparation to just anybody. That's why you, and more than 2 million others, have purchased an Exam Cram book. As series editor for the new and improved Exam Cram 2 Series, I have worked with the staff at Que Certification to ensure you won't be disappointed. That's why we've taken the world's best-selling certification product (a two-time finalist for "Best Study Guide" in CertCities' reader polls) and made it even better.
As a two-time finalist for the "Favorite Study Guide Author" award as selected by CertCities readers, I know the value of good books. You'll be impressed with Que Certification's stringent review process, which ensures the books are high quality, relevant, and technically accurate. Rest assured that several industry experts have reviewed this material, helping us deliver an excellent solution to your exam preparation needs.
This Exam Cram 2 book also features a preview edition of Measure Up's powerful, full-featured test engine, which is trusted by certification students throughout the world.
brought my IT experience to bear on these books. During my tenure at Novell from 1989 to 1994, I worked with and around its excellent education and certification department. At Novell, I witnessed the growth and development of the first really big, successful IT certification program, one that was to shape the industry forever afterward. This experience helped push my writing and teaching activities heavily in the certification direction. Since then, I've worked on nearly 100 certification-related books, and I write about certification topics for numerous Web sites and for Certification magazine.
In 1996, while studying for various MCP exams, I became frustrated with the huge, unwieldy study guides that were the only preparation tools available. As an experienced IT professional and former instructor, I wanted "nothing but the facts" necessary to prepare for the exams. From this impetus, Exam Cram emerged: short, focused books that explain exam topics, detail exam skills and activities, and get IT professionals ready to take and pass their exams.
In 1997 when Exam Cram debuted, it quickly became the best-selling computer book series since "For Dummies," and the best-selling certification book series ever. By maintaining an intense focus on subject matter, tracking errata and updates quickly, and following the certification market closely, Exam Cram established the dominant position in cert prep books.
You will not be disappointed in your decision to purchase this book. If you are, please contact me at etittel@jump.net. All suggestions, ideas, input, or constructive criticism are welcome!
Ed Tittel, Series Editor
Diane Barrett (MCSE, CISSP, CCNA, A+, Net+, iNet+, and Security+) has spent the last 11 years in the IT profession. She works at a local college where she taught in the computer networking program for two years before becoming a director. She teaches online classes that include networking, security, and virus protection, and is the president of a security awareness corporation that specializes in training. Diane has also co-authored other security and networking books and is currently volunteering on ISSA's Generally Accepted Information Security Principles Project in the ethical practices working group.
Bill Ferguson (MCT, MCSE, MCSA, MCP+I, CCSI, CCNA, A+, Network+, Server+, Security+) has been in the computer industry for more than 15 years. Originally in technical sales and sales management with Sprint, Bill made his transition to Certified Technical Trainer in 1997 with ExecuTrain. Bill now runs his own company as an independent contractor from Birmingham, Alabama, teaching classes for most of the national training companies and some regional training companies. In addition, Bill writes and produces technical training videos for Virtual Training Company, Inc. and Specialized Solutions, Inc. His videos include A+, Network+, Windows 2000 Management, Windows XP Management, Windows Server 2003 Management, Windows 2000 Security, Server+, and Interconnecting Cisco Network Devices. Bill keeps his skills sharp by being a technical reviewer for books and sample tests for Que Certification and McGraw Hill Technical. He authored the 70-298 Exam Cram 2 for Que Publishing and produced a training video for the 70-296 MCSE Skills Upgrade test for Virtual Training Company. Bill says, "My job is to understand the material so well that I can make it easier for my students to learn than it was for me to learn."
with computers since the days of 80-column punch cards. After a career of more than 20 years in environmental science, Don switched careers and trained as a Windows NT 4.0 MCSE. He has been involved in consulting with a couple of small training providers as a technical writer, during which time he wrote training and exam prep materials for Windows NT 4.0, Windows 2000, and Windows XP.
In addition, he has worked on programming projects, both in his days as an environmental scientist, and more recently with Visual Basic to update an older statistical package used for
David Neilan is an experienced MCSE (+Security) who has been working in the computer/network industry for more than 12 years, the last 6 years dealing primarily with network/Internet connectivity and security. He is currently running a business, Security Technologies, in the network/security realm, working with local companies to enable and secure their networks. He has been designing network infrastructures to support secure LAN/WAN connectivity for various companies utilizing Microsoft 2000 and Cisco products, and the Internet to create secure virtual private networks. David is currently involved in many infrastructure upgrades, including domain and email systems.
David has also been beta testing Microsoft operating systems since Windows for Workgroups (WFW3.11), and has worked as a technical editor on numerous Microsoft/networking/security books.
David and his wife Susan (also in the computer industry) live in Winnipeg, Canada. They and their two dogs love spending time at the cabin in the great outdoors.
Marc Savage is the senior national technical advisor and technical trainer for Polar Bear Corporate Education Solutions. Combined with more than seven years experience in
Thank you to everyone who was involved in making this book possible, starting with Que Publishing. Everyone at LANWrights, especially Ed Tittel and Kim Lindros, deserve thanks for keeping us all on track. To co-authors Don Poulton and Bill Ferguson, thank you for your outstanding and timely contributions. Special thanks to my husband, Bill, and my Dad; for without them I wouldn't be the person I am today.
Diane Barrett
I'd like to first thank Que Publishing and LANWrights for giving me the opportunity to write this book. Thanks to Jeff Riley for having faith in me and giving me the green light. Thanks to Kim Lindros for "cracking the whip" (in a very nice way) to make sure that we stayed on schedule.
Finally, thanks to all who have encouraged me as a technical instructor and as a Sunday School teacher and given me the determination to tackle something new. I sincerely appreciate all of your thoughts and prayers.
Bill Ferguson
Many thanks to the guidance and help offered me by Kim Lindros, Diane Barrett, and the tech editing/copy editing team at Que who provided their technical expertise and suggestions for improvement of this manuscript.
Don Poulton
As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way.
As an executive editor for Que, I welcome your comments. You can email or write me directly to let me know what you did or didn't like about this book, as well as what we can do to make our books better.
Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.
When you write, please be sure to include this book's title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.
Email: feedback@quepublishing.com
Mail: Jeff Riley
Executive Editor, Que Publishing
800 East 96th Street, Indianapolis, IN 46240 USA
For information about the Exam Cram 2 series, visit www.examcram2.com. Type the ISBN (excluding hyphens) or the title of a book in the Search field to find the page you're looking for.
as much information as possible about the 70-299 exam.
This book begins by providing useful information about how to prepare for the exam and what to expect on your exam day. To begin, we recommend that you take the self-assessment included in the book. This will help you to evaluate your current knowledge base against what is required for a Microsoft Certified Systems Engineer (MCSE) candidate. Then you can determine where your training should begin, which may include some classroom training or reading one of the several study guides available.
We also strongly recommend that you gain some hands-on experience with the technologies being covered on the exam. Again, this may be through classroom training or by installing and configuring the software on a home system. In any case, nothing beats hands-on experience when it comes to learning essential exam topics.
Passing this exam can earn you credit toward the following certifications:
Microsoft Certified Systems Administrator (MCSA) on
one of the electives required to achieve MCSA on Windows Server 2003 status
This section provides information on the exam registration process. Keep in mind that Que Publishing is a sister company to Virtual University Enterprise (VUE) Testing. Be sure to check with us at www.examcram2.com for any discount test vouchers that might be available exclusively to Exam Cram 2 readers.
After you've fully prepared for an exam and feel that you are ready for the next step, you need to register with a testing center to take the exam. Contact one of the following testing centers for current pricing and registration information, as pricing and testing centers can change over time. In the United States and Canada, exams are administered by Prometric and VUE. Here's how you can contact them:
Prometric: You can register for an exam online at www.prometric.com. You can also register by phone at 1-800-755-3926 (within the United States and Canada). If you are outside of these two countries, call 1-410-843-8000.
VUE: You can register online at www.vue.com/ms or call a local testing center. Testing centers local to your region can also be located on the Web site.
You can register for an exam by contacting either of the parties just listed. You must register at least one day in advance and any cancellations must be made by 7 a.m. the day before you are scheduled to take the test.
To make the registration process go more smoothly, make sure you have the following required information handy:
Microsoft Test I.D. In the United States, this is your Social Security number. In Canada, this is your Social Insurance number.
The specific number of the exam you want to take.
A method of payment. Credit card is usually the easiest method, although other arrangements can be made.
After you register, you will be given the date, time, and location of where you are to take the exam.
It is generally a good idea to arrive at the exam site at least 15 minutes before you are scheduled to take the exam. Make sure you bring two pieces of identification with you, one of which must be a photo I.D., such as a driver's license. You must show the identification when you sign in.
Although the pressures and environment of actually being in the exam room with a live exam in front of you cannot be mimicked, this section does try to detail what being in the exam room is like.
After you've signed in for the exam, you'll be directed into an exam room. You will not be permitted to take anything into the exam room with you. You will be given a few blank pieces of paper and pen upon entering the room. This is when the facts on the Cram Sheet can be very handy. If you read over the distilled facts prior to the exam, this is a good time to write down as many of them as you can remember.
After you complete the exam, your score will be tabulated and you will know immediately whether you passed or failed. If you need to retake the exam, contact VUE or Prometric to schedule a new exam (and, unfortunately, this also means paying the price of another exam).
If you fail an exam, you can retake the exam as soon as you are ready, even the same day. If you fail the same exam a second time, you must wait at least 14 days before you will be allowed to reschedule.
All Microsoft exams have a set of objectives outlining the topics you need to understand to achieve exam success. This is a good place to start to give yourself a general idea of the topics you can expect to encounter and for which you should obtain study material.
An abundance of resources are available both online and in print that can be used to prepare for an exam. The Microsoft Web site is a good source of information pertaining to both the exam itself and for in-depth coverage of exam topics. Due to the popularity of the MCSE certification, a number of printed study guides and online resources are also available. Some of the resources you may find useful include the following:
The Windows Server 2003 product CD has one of the best resources you can use when preparing for an exam: the Help included with the operating system. It usually covers different aspects of all the technologies included with the operating system.
The Microsoft Training and Certification Web site at www.microsoft.com/traincert/default.asp provides links to exam resources and outlines how an individual should prepare for an exam.
The InformIT Web site at www.informit.com/examcram2/index.asp provides an abundance of information about certification exams and how to prepare for them.
Microsoft Training Kits are published by Microsoft Press and include study guides for the different certification exams,