70-214: Security Workhorse
This exam measures your abilities with baseline security, service packs and updates, securing communication channels, authentication and more.
- By Roberta Bragg
WHEN I EMERGED from the three-hour beta exam for Implementing and Administering
Security in a Microsoft Windows 2000 Network, two old friends greeted
me. It was great to have a hug and see familiar faces. I met some old
friends during the exam, too—my buddies IPSec, PKI, CMAK, RIS, RAS, IIS,
ISA, IAS, CRL, CA, EAP-TLS and EAP-MD5, trusts, Kerberos, MS-CHAPv2, PAP,
NAT, SSL, SMB, AH and ESP.
The important thing to remember is that deep product knowledge is a prerequisite:
the questions assume you can already operate these products and ask whether
you understand their security features and when each one is appropriate.
If you haven’t digested the massive volume of information on how to use
Security templates to create baseline security for Windows systems, go
back and study Microsoft’s Windows 2000 Security Operations Guide. Security templates
can be used for everything from setting password policy to preventing
the storage of LM password hashes in the local SAM (on Win2K that last setting
is the NoLMHash registry key rather than a value, and a template cannot create
a key, so add it by hand and verify that it took). Templates can be applied
via the GUI, scripted for periodic refresh and imported into Group Policy.
However, setting security isn’t the only issue here. You can establish
baseline security policies—the written kind, not the Group Policy kind—for
each role that a computer or user plays in a Win2K network, and then easily
and automatically implement that policy by preparing a unique template
for each role and applying it using Security Configuration and Analysis,
Group Policy or your own scripts.
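As an added illustration of the role-based template the paragraph describes (this is constructed for this piece, not a template from the article or from Microsoft's guide), here is a small file-server template. The file name fileserver.inf and every value are assumptions chosen for the example; the section names, the `path=type,value` syntax and the registry paths are the real ones secedit expects.

```ini
; fileserver.inf -- constructed example template for the "file server" role.
; Apply with Security Configuration and Analysis, secedit /configure, or import it
; into a GPO linked to the OU that holds the file servers. Imported that way, the
; [System Access] values govern the servers' LOCAL accounts only: domain accounts
; always take password policy from the GPO linked at the domain level.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password policy for local SAM accounts on the target machine
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
; Account lockout
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2

[Registry Values]
; Format is path=type,value; type 4 is REG_DWORD, 1 is REG_SZ, 7 is REG_MULTI_SZ.
; LmCompatibilityLevel 3 = clients send NTLMv2 only; 5 additionally makes a DC
; refuse LM and NTLM. Pick 3 if legacy clients still need to reach this server.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
; Require SMB signing on this server's shares and on its own outbound sessions
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
; Hide the last logged-on user name at the logon prompt
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
; Windows XP / Windows Server 2003 value form of "do not store LM hash". On Windows 2000
; NoLMHash is a KEY under Lsa that a template cannot create: set it by hand there.
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
```

Note that the Security Templates snap-in only displays the registry values it knows about from sceregvl.inf; values you add yourself are still applied by secedit, so check the log or the Security Configuration and Analysis comparison to confirm they landed.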
Tip: What might the phrase, “Configure additional security for client-computer
operating systems by using Group Policy” mean? Because implementing templates
via Group Policy is covered elsewhere in the objectives, you need to look
at Administrative templates (.adm files). These configuration files aren’t part of
Security templates, but they expose many settings that can be set in a GPO
and used to harden client systems or just keep pesky users from doing
things they shouldn’t.
Don’t forget these built-in opportunities: auditing security settings
using Security Configuration and Analysis, modifying your installation
program to bring up hardened systems and the availability of default templates
and special templates available for other Microsoft products. Pay attention
to special security considerations for these products. It’s not enough
to know security for the OS; for this exam you need to understand something
of security basics for Exchange (Which services are absolutely necessary
and which can you turn off? Is relaying an issue?); SQL Server (Which
authentication method should be used? How are permissions to access data
determined?); Internet Information Server (Think about the URLScan tool,
which rejects requests that don’t match the verbs, extensions and lengths you allow
before they reach IIS, as well as the IIS Lockdown Tool and its server-role templates); Internet Authentication Service
(This gateway guardian can manage remote access policies for multiple
remote access servers); and—surprise, surprise!—mobile client computers.
70-214: Implementing and Administering Security in a
Microsoft Windows 2000 Network
Expected to go live in January 2003.
“If you work toward a comprehensive understanding of
a given topic and in the process learn how to implement
security for all scenarios, you’ll be a better security
administrator. Passing the exam will be the validation
of your expertise.”
Who Should Take It
Elective exam for Windows 2000 MCSE and MCSA
Tip: Practice secedit command-line switches for applying and updating
templates and be able to write a batch file or script to automate their
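One way to act on that tip, as an added example rather than a script from the article: a batch file that re-applies a saved template with secedit, refuses to run silently into errors, and is scheduled with the AT service for 2 p.m. every Friday (the practice item at the end of this piece). The template and folder paths are assumptions; the secedit and at switches are the real ones.

```batch
@echo off
rem apply-baseline.cmd -- added example, not from the article or from Microsoft.
rem Re-applies a role template with secedit, keeps a log of the run, and is meant to
rem be scheduled with AT (see the commands at the end).
rem Assumed paths: C:\Security\Templates\fileserver.inf and the Db and Logs folders exist.
setlocal
set TPL=C:\Security\Templates\fileserver.inf
set DB=C:\Security\Db\fileserver.sdb
set LOG=C:\Security\Logs\fileserver.log

if not exist "%TPL%" (
  echo Template %TPL% is missing; nothing applied.
  exit /b 1
)

rem Start a fresh log each run so the findstr below only sees this run's messages.
if exist "%LOG%" del "%LOG%"

rem /overwrite empties the database before importing, so the database holds exactly
rem this template rather than a merge with whatever was imported last time.
rem /quiet suppresses the overwrite confirmation prompt, which would hang a scheduled job.
secedit /configure /db "%DB%" /cfg "%TPL%" /overwrite /log "%LOG%" /verbose /quiet

rem secedit reports failures in the log, not in its exit code; surface them.
findstr /i /c:"Error" "%LOG%" >nul
if not errorlevel 1 (
  echo Template applied with errors; read %LOG% and the SceCli events in the Application log.
  exit /b 2
)

rem Re-analyze against the same template so Security Configuration and Analysis
rem can show any setting that drifted between runs.
secedit /analyze /db "%DB%" /cfg "%TPL%" /log "%LOG%" /quiet
echo Template %TPL% applied and analyzed; details in %LOG%.
exit /b 0

rem Schedule it once from an administrative prompt (the Task Scheduler service must be
rem running; the job runs as the service account, so the paths must be reachable by it):
rem   at 14:00 /every:F "C:\Security\apply-baseline.cmd"
rem   at            (lists scheduled jobs and their IDs)
```

Settings delivered by Group Policy are re-applied on the normal refresh cycle anyway; a script like this is for machines outside Group Policy, or for settings you deliberately keep local to one role.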
Baseline Security is the keystone that protects your network. It means
you have the standard ready and applied and the know-how to manage it
as the bulwark upon which other features are built. Without this secure
foundation, your security infrastructure will fail—and so will you.
Nothing’s perfect. Can you figure out what went wrong when security settings
don’t get applied? Do you know the meaning of “scecli” error messages
in the event logs and the effect of No Override, Block Inheritance and
Loopback? Don’t forget that troubleshooting is also a part of this objective.
If you can list all the reasons a setting might not get applied, do so,
then be able to explain how you would know that a specific issue was the
Tip: Know what each setting in a template does and where it will actually
have an effect. Do you know common location mistakes made in implementing
Service Packs and Security Updates
The FBI and others say the most important thing you can do to keep
your systems secure is to keep them updated with service packs and patches.
Microsoft has a boatload of tools that can help you, and you should be
proficient in using them all. Remember that it’s possible to slipstream
service packs into installation shares, then use RIS and distribute them
with Group Policy. Practice your command lines for HFNetChk (Hfnetchk.exe) and understand
how its scanning engine is used by the Microsoft Baseline Security Analyzer (MBSA). Can
you use either to find out the status of patching on your machines? Do
you know how to correct that situation?
Don’t forget small company (Windows Update), medium (Software Update
Services or SUS) and enterprise (the SUS Feature Pack for SMS) solutions to patching
machines. Determining that hotfixes are missing is a small part of the
battle. How do these tools work? When should you use them? What do you
do if they say you haven’t installed a fix that you know you have?
Tip: If MBSA stopped working after you hardened your systems using
Microsoft’s baseline.inf template, would you know how to fix it?
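The following scan script is an added example, not one from the article or from Microsoft. It scans the machines listed in a hosts file with HFNetChk, writes a tab-delimited report, shows the same scan through MBSA's command-line front end, and ends with the service check to run before concluding that a hardened target "can't be scanned". File paths are assumptions; the switches are HFNetChk's own.

```batch
@echo off
rem scan-patches.cmd -- added example, not from the article or from Microsoft.
rem Assumes hosts.txt (one host name per line) and a local copy of mssecure.xml exist.
rem Run from an account that is a local administrator on every target.
setlocal
set HOSTS=C:\Security\hosts.txt
set XML=C:\Security\mssecure.xml
set OUT=C:\Security\Logs\patches.tsv

if not exist "%HOSTS%" (
  echo %HOSTS% not found; expected one host name per line.
  exit /b 1
)

rem -fh  read host names from a file      -x     use this copy of the patch database
rem -v   explain every Note and Warning   -o tab tab-delimited output, -f writes it to a file
hfnetchk -fh "%HOSTS%" -x "%XML%" -v -o tab -f "%OUT%"

rem A patch you know you installed can still be reported missing: the checker looks
rem for a file version or registry key, and a later patch may have replaced the file,
rem the install may not have completed, or the component may not be present at all.
rem With -v the reason is printed next to the item, so keep -v on for disputed results.
rem To list what the machines say was explicitly installed, for comparison:
rem   hfnetchk -fh "%HOSTS%" -x "%XML%" -history 1

rem MBSA's command-line engine accepts the same switches behind /hf:
rem   mbsacli /hf -fh "%HOSTS%" -x "%XML%" -v

rem Remote scanning needs the Remote Registry service and the Server service running
rem on the target. On a freshly hardened machine, check both before blaming the tool:
rem   net start | findstr /i /c:"Remote Registry" /c:"Server"

type "%OUT%"
exit /b 0
```

Finding missing fixes is, as the text says, the small part; the report above is the input to whichever distribution method (Windows Update, SUS or SMS) fits the size of the network.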
Securing Data in Flight
In addition to securing data on storage systems, securing data
as it goes across your network or around the world is an increasingly
hot topic. The solutions are there. Do you know how they work? Make sure
you understand the tools used to implement IPSec, SSL, SMB signing and
wireless protocols. More than that, understand how these protocols work
and how to know they’re working correctly. If you don’t, you’re asking
for trouble in the real world (and shouldn’t an exam reflect that?).
Pay particular attention to the areas you know the least about. You may
think that’s just good common sense, but I’m guessing you know least about
IPSec. I’d say Microsoft is guessing that, too. Fully half of this objective’s
items are IPSec-related; rules, ports, authentication, encryption levels,
AH and ESP, certificates, firewall issues and router issues. Can you troubleshoot
IPSec connections between domain controllers and clients?
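A worked IPSec policy, added here as an example and not taken from the article or from Microsoft: it uses the Windows 2000 Resource Kit tool ipsecpol.exe to require ESP between a member server and the domain controllers' subnet while letting DNS through in the clear, then verifies the result with netdiag from the Support Tools. The subnet, the policy and rule names, and the assumption that ipsecpol.exe is on the path are mine; the switch meanings are as documented for ipsecpol, so compare against `ipsecpol -?` on your own build before relying on them.

```batch
@echo off
rem dc-ipsec.cmd -- added example, not from the article or from Microsoft.
rem Local IPSec policy: traffic between this server and the DC subnet must use ESP with
rem 3DES and SHA-1, authenticated with Kerberos; DNS stays in the clear; all other
rem traffic is untouched. Windows 2000 exempts Kerberos (and IKE) from IPSec filtering by
rem default, so the Kerberos exchange that authenticates the IPSec peers is not blocked.
setlocal
set POLICY=DC Traffic ESP
set DCSUBNET=192.168.10.0/255.255.255.0

rem Filter syntax: source+destination[:port][:protocol]. 0 means "my address";
rem "+" makes the filter mirrored so replies match the same rule.
rem Rule 1: all traffic to or from the DC subnet negotiates ESP[3DES,SHA].
rem -n is the negotiation policy, -a the main-mode authentication method.
rem 3DES needs the High Encryption Pack or SP2 or later; without it Win2K uses DES.
ipsecpol -w REG -p "%POLICY%" -r "Require ESP to DCs" -f 0+%DCSUBNET% -n ESP[3DES,SHA] -a KERBEROS

rem Rule 2: DNS (UDP 53) to the same subnet passes unprotected. The more specific
rem filter wins, so this takes precedence over rule 1 for DNS only.
ipsecpol -w REG -p "%POLICY%" -r "Permit DNS" -f 0+%DCSUBNET%:53:UDP -n PASS

rem Assign the policy (-x). While testing keep -y (unassign) and -o (delete) handy:
rem if the DCs have no matching policy, rule 1 cuts this server off from them.
ipsecpol -w REG -p "%POLICY%" -x

rem Checks: the assigned policy and its filters, then something that needs the DC.
rem Routers and firewalls in the path must pass IP protocol 50 (ESP) and UDP 500 (IKE);
rem AH (protocol 51) covers the IP header and so does not survive NAT.
netdiag /test:ipsec /debug
net time /domain
```

Deliver the same rules with a GPO-assigned IPSec policy for the domain controllers and the server OU once they test out locally; a policy that exists only in one machine's registry is exactly the kind of thing that "doesn't get applied" on the next machine.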
Tip: Can you make SSL work with certificates from your Microsoft Certificate
Authority? Should you?
In all cases, think globally but know how to do it locally. Is SSL a
good way to secure data traveling between your Web server and your SQL
server, or client browsers and Outlook Web Access? How would you implement
both of these scenarios and what would you gain?
Tip: Understand the differences between the various 802.11 wireless standards
and 802.1x port authentication, and how to configure clients such as Win2K, XP Professional and
Pocket PC. What role does WEP play?
Am I Who I Say I Am?
Authentication is proving that I’m really who I say I am. How can
I do so? Let me count the ways. There’s Kerberos (if you haven’t got this
nailed down, go take the A+ exam instead), LM, NTLM and NTLMv2 for starters.
When are they used? Can you prevent any of them from being used? Why is
that important? How are they configured in Win2K and above or on legacy
systems? These are all-important questions, but don’t forget the Web options.
In IIS, anonymous, basic, Windows-integrated, digest and client certificate mapping
are the choices. When would you use each?
Consider also that remote access can be via dedicated remote access servers
and IAS servers. Now you have PAP, CHAP, MS-CHAP, EAP-MD5, EAP-TLS and
smart cards. Which is right for what? Which allow data to be encrypted
and which don’t? Are there some that should be avoided? How can an IAS
server best serve you? If computer connections cross untrusted networks,
when should a VPN be used?
Make yourself an “authentication” spreadsheet. Down one side, write every
authentication method possible in a Win2K network. Don’t forget to include
those possible with IPSec, remote access, local logon, and within Mixed
mode and Native mode domains. Across the top, make a list of possible
client locations (home, branch office, on the local network) and clients
(Win2K, XP, Windows legacy systems, Unix, Macs). Make sure for each client
you consider each of the possible locations. Then, for each client in each
location, mark every authentication process that can be used. Make
sure you can explain why, when and how each might be used and know how
to configure each.
Tip: Know what “trusted for delegation” means. Know why you might
want to use it, but also why you might not.
Your Key to Your Survival
PKI used to be the darling of large companies, exclusive product
purchases and highly-paid consultants. Now it’s your problem. Make sure
you understand the implications of installing the four Microsoft Certificate
Authorities (CAs): Enterprise Root, Standalone Root, Enterprise Subordinate
and Standalone Subordinate. Can they work together in a PKI? Don’t confuse
these official installation choices with the new Microsoft best practice
discussions, which talk about root, intermediate and issuing CAs.
One list represents installation choices; the other describes a hierarchy design.
Understand when to use each and how to configure it. Learn the appropriate
use of certificate templates and their role in controlling access as well
as what parts of the infrastructure to back up and how.
Tip: Which type of CA should you install as root in order to make
the most secure infrastructure? What special configuration and physical
security decisions need to be made to make it most secure?
Understanding the infrastructure is only part one of this journey. Be
able to spit out certificate specifics as if you were a baseball fanatic
and they’re batting averages. Know how to use certificates to send e-mail,
encrypt files and recover them. Think Exchange here, as well as Win2K.
Make sure you can explain and troubleshoot Encrypting File System issues.
Quick! Sally just reinstalled her Windows XP Professional system and can’t
open her encrypted files. Is there hope? Quick! You believe the issuing
CA has been compromised; which certificates need to be revoked? Will the
Certificate Revocation List (CRL) available to the clients immediately
reflect these additions?
Tip: How do you prevent just anyone from obtaining a recovery agent
Who You Gonna Call?
It’s not enough anymore to be able to harden systems and make them
work without giving up security. You must also be able to detect when
your systems are under attack and know what to do about it. You should
be able to go beyond ordinary auditing set-up to audit RAS and IIS. Here’s
a concept: Know what those entries in the security log mean!
Incident response also means understanding how to use Network Monitor
to aid in locating an attack, what was tried and whether or not it was
successful. Not every cause for concern means distress at the one-on-one
level. Consider how to respond to natural disasters, worms, denial-of-service
attacks and anything else that might disrupt service.
Things To Practice
- Define the best security settings for a Windows
2000 file server.
- Be able to write a script to implement a security
template at 2 p.m. every Friday.
- Know the meaning of security-related event log messages.
What, for example, does the scecli event log message
- Which patch assessment method is best for a network
of 400 computers? Which patch application method is
best? Implement your solutions.
- Assume smart cards have been implemented in a domain.
Use Group Policy to prevent users from being logged
on to more than one system at a time.
- There can only be one password policy for a domain.
It’s configured at the domain level and affects all
users who log onto the domain. Use Group Policy to
control the password policy for local accounts on
all file servers in the domain.
- Given two user accounts, each in a different OU,
and two computers each with an account in a third
OU, and assuming a GPO at the domain level and at
each OU, determine the effect of security settings
on each user when he or she logs on. OUs may have
No Override, Block Inheritance or loopback processing
- Make a list of keywords and acronyms mentioned in
the objectives. Memorize what all of them are.
- Configure a file permission scenario where USERA
can delete a file even though he or she has the “DENY
delete” permission in NTFS on the file.
- Use the Connection Manager Administrator Kit (CMAK)
and set up remote access for traveling employees.
(Exam objectives can be found at www.microsoft.com/traincert/exams/70-214.asp.)
If you’ve truly had real-world experience in securing a Win2K network,
then this exam shouldn’t trip you up. If you passed the Security Design
exam, 70-220, you might be lulled into thinking this new test will be
easy. After all, if you removed the business knowledge objectives from
the Security Design exam, wouldn’t you be left with this very list? This
exam is much broader in its technical objectives than the design exam;
there’s more to know about securing Windows networks and many new tools
have come out to help with the job.
To implement and administer security in a Win2K network, you should know
a lot and be able to do many things. The purpose of the exam is to set
objectives for the security administrator to learn and to test his or her
understanding of them. Perhaps, after the exam, you can hug the old friends
you’ve crossed paths with again and cherish the wonderful new ones you’ve
met along the way. Good luck!