Exam Reviews

Security Smackdown

Microsoft has an exam on security at last. But before you climb into the ring and get flattened, make sure you're ready for the fight.

• By Roberta Bragg
• 09/01/2000

So Microsoft finally has a security exam—and not just any exam, a security design exam. To pass, you’re supposed to be some kind of security goddess… er, architect. Not only do you have to know how to lock down the operating system, secure the network, and protect the city from The Penguin—Microsoft wants you to be able to determine, from a few notes, the best way for Gotham City to layer security across the enterprise. And your design must match some contractor’s vision of security.

Do You Smell What They’re Cooking?

Remember, a certification exam should reward and recognize you for your competence in a particular area, not prepare you for a career. Microsoft’s Designing a Secure Windows 2000 Network exam is supposed to do the former. Since the exam wasn’t out at the time of this writing, I took the beta.

First, I’ll talk about my experience with the beta (remember, your experience may differ). Next, I’ll review the exam objectives with an eye to how you can best study. Finally, we’re including online (at www.mcpmag.com) an extended example of what the questions might be like on your exam. (Don’t worry, Microsoft, I’m not going to disclose any secrets. My example was written in December 1999, when this exam was a twinkle in someone’s eye, and long before we could have had any knowledge of content.)

So You Want to Be a Star?

So you want to be either a security guru or a World Wrestling Foundation all-star? First step, jump into the ring and take the exam, right? Wrong. Remember, your experience with any exam should be a reflection of what you’ve already been doing, not how well you can cram and jam

The beta exam was a five-hour ordeal, but the released exam will be significantly shorter. Though the exam won’t take up your entire day, you may feel as if it has. As with the other design exams, there are several “testlets” or “design scenarios” with questions. If you haven’t seen one of these before, it’s as if a consulting firm has collected a batch of notes from the client about system requirements. You’re about to go over the proposed design with the client and are reviewing the notes to get a firm idea of what you’re dealing with. Since these are another consultant’s notes, you don’t have the luxury of asking questions. In the real world, to be honest, I’m hoping you’d collect better information.

Stick that exam cram guide you-know-where. It isn’t going to help you. Instead, study the exam objectives. Compare your own experiences to “Best Practices” offered in the documentation. Implement any related features that you haven’t had personal experience with. Examine your latest security designs. Could you explain why you used a particular technology in the way you did? And can you do so in terms of the exam objectives?

The first step in preparing for any certification exam is to uncover the objectives; they should match the on-the-job requirements. Otherwise, what purpose is there to passing the test? First lesson: The exam creators may not agree with you word-for-word. The job they have in mind may be broader or narrower than yours, but one thing is sure: You’ll be tested by their standards, not yours. With a lot of hard work from both of you, the exam objectives, the job requirements, and your experiences in the field will match. Passing the exam will be a reflection of your ability to design security solutions, not of your ability to take a test.

Tip: If you can see studying the objectives as a way to make you better at what you do, rather than to help you put new initials behind your name, you’re on the right track.

Round 1: Know Your General Business Ed

What’s with all these requirements to know things like geographical scope, company mode, process engineering, communication flow, product life cycles, and how the company makes decisions? Who cares about the company’s priorities, projected growth, laws and regulations, cost of operations? All right, all right, I can see the reason for knowing about branch offices and the company’s tolerance of risk, but why all the other MBA core objectives? Do you really need a business degree to design security solutions?

Yep and here’s why. A good architect takes into account the status, opinions, beliefs, family size, and pocketbook when designing someone’s house. I’m not Stone Cold Steve Austin, Scottie Hottie or the Undertaker, and I’m not going to win any wrestling matches in the ring with them. But winning with security design is finding a solution that matches the business and the problem; that I can do. With that in mind, I certainly wouldn’t suggest a 100-percent Windows 2000 DNS solution to diehard Unix DNS gurus. Nor would I forget to look at Internet Authentication Services (IAS) if my customer has multiple locations and a traveling sales force. Finally, I wouldn’t want to make my design so expensive it would never get implemented. The trick is to weave general business knowledge in with security design where it’s warranted.

An old engineer friend of mine once told me that good salespeople don’t “sell” you. Rather, they solve a problem you may have not known you had. Learning to create good security designs means listening to the heartbeat of the people you’re creating the design for. Approach these objectives as background.

Tip: You’ll need to know how to evaluate business operations and to consider the symbiotic relationship between business and technology.

Round 2: Analyze Technical Requirements

It should come as no surprise that you need to be adept at determining the current technical environment. This includes things like number of users, available connectivity between geographic locations, available bandwidth, performance requirements, data access methods, network roles (administrator, user, God).

Most of you will agree that you need this basic information if you’re going to build a security solution. You also need to consider the impact your design will have on the existing environment and find out if changes are in the works. Is the company planning to roll out smart cards and certificate services from a third-party vendor? How will your proposed IPSec implementation work within that structure? Does the company have a large investment in network monitoring devices and software? Does your plan to obfuscate data during transport prevent these tools from doing their job? Do users use terminals? Desktop PCs? Notebooks? Wireless devices? How is remote access determined? Dialup? Internet? Leased lines? Do they use NAT? Can your VPN tunnel accommodate them? (Quick, what’s the nugget I’ve hidden here that suggests a security design solution to you? See Answer 1 below.)

Round 3: Analyzing Security Requirements

Finally, at the bottom of the third page of objectives, we’re getting somewhere. Actually, there’s a reason half the objectives appear to be leading up to this category. You need to understand those other elements. If you understand them, you can take a little security knowledge and craft a security process. If you don’t, tons of security knowledge and years of experience in using products will get beaten out by the MBA with some common sense (or the teenager with good Internet skills).

When you hear Microsoft talk about a “security baseline,” you need to think “security templates.” Windows 2000 comes with a number of these devices, along with tools you can use to easily implement them. Templates for servers, secure servers, and extra servers are provided. There’s even one for IIS. It isn’t that Microsoft thinks its templates will answer all our prayers, or that to take this exam you need to be able to match templates and problems to find solutions. It’s that Microsoft heard you all loud and clear. You don’t have time to understand why you need to perform that registry tweak, then tweak it on 6,000 machines. You’d rather just know the why, then have a button to push.

Approach this objective with an eye to learning which template does what. The templates are somebody’s idea of what security means; you can learn something from that. They’ll queue you in to Microsoft’s idea of security. The templates can be modified; you’ll want to develop your own baselines for your systems.

Tip: Make sure you understand how to use Win2K templates and tools (Security Configuration and Analysis, Group Policy Editor) to implement templates.

Main Attraction: Designing a Windows 2000 Security Solution

This is the meat and potatoes of the exam; this objective covers huge amounts of ground. Do you know the elements that will allow you to design, implement, maintain, and audit security policies? Got authentication choices and defaults at your fingertips? When would you have to use EAP and when is it possible? Is the Encrypting File System a good choice for users who need to share secrets? What will be the effect of linking a Group Policy Object to the Domain controllers OU vs. linking it at the domain level? Can a Unix Kerberos client access resources in a Win2K domain? How do you keep just anyone from installing Win2K in your domain once you implement RIS? And finally, what are three security choices you can make that will require the availability of certificate services (see Answer 2 below)?

Tag Team: Secure Access Between Networks

Hold on, the show’s not over yet. It’s not enough anymore to secure your local area network—you have to protect all its many parts. That includes data as it tunnels across the net to and from your little corner. You need to know how to provide airtight security for the network and yet allow authorized users to reach you. You may not have to configure the corporate firewall, and but we’re talking about security design, so the firewall administrator will want to know what you’re doing. Quick: Do you know what ports need to be opened to allow new security configurations to work? Are special ports or protocol IDs used by the new technologies in Win2K? If you’re designing a VPN using Win2K Routing and Remote Access, which interface of the router needs configuration for IGMP routing? And which for IGMP proxy? To understand port settings, you’ll need to understand the technologies. A list of port and protocol IDs are in the Windows 2000 Server Resource Kit. Note, I’m not saying you should open up those ports. But the resource kit is a good reference in case you need to open ports for a protocol and don’t know the numbers.

Tip: To get a handle on this objective, look for factors that would cause you to recommend one technology over another. NAT is a good thing, and Windows 2000 does it, but when would you use Internet Connection Sharing, or Routing and Remote Access Services? What technology provides the greatest remote access security, but won’t work with NAT?

Final Event: Secure Communication Channels

Are you face down on the mat yet, stuck in a headlock and screaming uncle? If you aren’t, IPSec might be your swan song. It’s like meeting The Undertaker at the corner of Gibroni Avenue and Know Your Role Boulevard, at which point he checks you into the Smackdown Hotel. In a situation like that, a little chutzpah won’t save your championship belt; instead, you need to know a little bit more about your opponent. Make him your friend; bend him to your will. The simple trick to understanding securing communication channels with IPSec is to remember three policies:

1. Client (Respond Only)—Don’t look for trouble, but be ready to negotiate security.

2. Secure Server (Require Security)—You’re defending the title now. Your opponent can’t negotiate the proper security, because he doesn’t get close enough for a knockdown.

3. Server (Request Security)—The boss says you have to take on all comers: Those who can will be secured; those who can’t, won’t be.

If I’ve thrown you down on the mat and leapt on you from the top of the ropes with this one, better go back and study some more. Some helpful information on default polices is in my column in this issue. [See Security Advisor.—Ed.] An excellent source is the resource kit, and white papers at www.microsoft.com/windows2000/library. The best teacher, of course, is experience.

Tip: Which servers and communications should be secured with packet authentication and encryption? Good choices include authorized access to the payroll database, or research and development files. Of course, you’re going to set NTFS DACLs and SACLs, but how about the data as it travels across your enterprise? Should it be encrypted? (You should note that files encrypted with EFS don’t remain encrypted as they travel across the wire.) Between Windows 2000 systems, use IPSec.

Formatting Lessons

Think you know your stuff? Don’t get blown away by the format of the exam. As I’ve said, you’ll be faced with a description of a situation in need of a solution. You can visit Microsoft’s sample questions, which present information on the universe and then ask you to assemble answers from the data given. While they do introduce you to the format, they don’t really give you the flavor of the real exam—for example, there’s no real deductive reasoning required.