70-299: Security Troubleshooter -- Redmondmag.com

Exam Reviews

70-299: Security Troubleshooter

You'll need experience with PKI, permissions, patch management, and troubleshooting under Windows 2003 before tackling this security exam.

By Andy Barkl
10/21/2004

The latest exam to come from Microsoft is aimed at administrators who deal daily with maintaining security, and it requires specific knowledge and hands-on experience with Windows Server 2003 PKI, permissions, patch management, and troubleshooting. If you're familiar with Exam 70-214, Implementing and Administering Security in a Windows 2000 Network, consider 299 an update of that exam.

In this review, I help you prepare by covering some of the objectives as listed in the exam preparation guide.

Implementing, Managing, and Troubleshooting Security Policies
Topics under this objective range from configuring, deploying, and troubleshooting security templates to configuring permissions and security settings on desktop and server computers.

The rule of thumb: Disable unnecessary services. This closes the listening network port and reduces the attack surface of a computer. Windows Server 2003 has many new security templates and security settings beyond those found in Windows 2000 Server--somewhere close to 600 additional settings. And with the release of SP1 due out this year, security configuration choices of servers will not only become more powerful but also more complex.

Group Policy Objects are where it's at. For almost any size of Windows network, if you have deployed Active Directory, the killer feature is GPO. Security templates are a quick and easy way of securing computers in the domain with common configuration settings. When studying the Products and Technologies link; Windows Server 2003 at the Security Guidance Center, pay particular attention to the different requirements for securing domain controllers, IAS servers, Exchange servers, SQL servers, and IIS servers.

Using GPOs, you can configure desktop and client computers for permissions. One common method among Windows administrators is to assign a user local administrator access to their desktop computer. This allows users to install software and change system settings, but this method can sometimes bite you in the butt!

Windows Server 2003 security templates now include software restriction policies which are a smarter method of allowing users to install and run tested and approved software on their desktop. SRPs are a collection of policies that define what software can run based on group policy security levels. Exceptions can be created based on the hash rule types; certificates, paths, registries, and even Internet Explorer zones.

Administering Security (70-299)

Reviewer's Rating
This exam is an update of the Windows 2000 exam 70-214 and will test your knowledge of Windows Server 2003 PKI, permissions, patch management, and troubleshooting.

Exam Title
70-299: Implementing and Administering Security in a Windows Server 2003 Network

Who Should Take It
Candidates for MCSA or MCSE on Windows Server 2003

Course
2823: Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Exam Objectives
http://www.microsoft.com/traincert/exams/70-299.asp

Tip: Only one password policy using Group Policy Objects can be configured per domain.

Gpupdate replaces Secedit /refreshpolicy in Windows Server 2003. Gpupdate can be used to force group policy settings for immediate compliance and recover a computer with incorrect settings applied. To troubleshoot a computer that has been locked down incorrectly to the point of where you can't log on with the domain administrator account, restart the computer in Safe Mode, log on as the local administrator, run gpupdate, restart the computer in normal mode, and then log on normally.

Tip: Group policy loopback processing mode can be used to override user-based settings on a computer with a computer policy.

Secedit at the command line, and the Security Configuration and Analysis snap-in can be used in Windows Server 2003 to analyze, configure, and validate computer security configuration settings.

Implementing, Managing, and Troubleshooting Patch Management Infrastructure
Topics included: planning the deployment of service packs and hotfixes, verifying with MBSA, to SUS deployment and administration. This is certainly a hot topic for many of us: patch management. Unless you're an administrator who has been hiding in a server closet for the past 24 months, you've no doubt had your challenges with patch management — a nightmare if not done correctly. Patch management is one of the key aspects of securing a network.

In the exam world — which can be completely different from the real world- patch management of Windows computers must be done with Microsoft's free tools: the Microsoft Baseline Security Analyzer and Software Update Services. MBSA is a network-based scanning tool that runs on Windows 2000, XP, and 2003 operating systems; it looks for missing patches and security updates on all flavors of Windows down to Windows NT 4.0. It also supports scanning of IIS, SQL, and Exchange servers. MBSA comes in both a GUI wizard version and a command line version called mbsacli.exe.

Windows Update is a client-side scanning tool that can check for installed and missing patches and service updates against the Windows Update web site or a locally installed SUS server. And along with Automatic Updates, Windows computers can be configured to download and install patches and service packs at scheduled intervals. Server and client computers can be configured to connect to and scan for available updates from SUS servers using Group Policy, SMS (Systems Management Server) with the SUS Feature Pack, or logon scripts if Active Directory has not been deployed. If users aren't granted local administrator level access to their desktop, Automatic Updates can be configured for a scheduled date and time to install the updates and restart the computer automatically.

SUS servers deployed within a network allow administrators to collect, approve and distribute critical updates for server and client computers. SUS parent servers can be configured to synchronize with the Microsoft Windows Update Web site and pass updates to child SUS servers, which, in turn, distribute the updates to the server and client computers on the network.

Tip: For failed deployments of patches or service packs with SUS, you must cancel approval of the update on the SUS server to prevent further installations.

Implementing, Managing, and Troubleshooting Security for Network Communications
Most of the topics here center on IPSec for securing network data. You'll also find a sprinkle of data security as it relates to wireless, SSL and remote access networks. My exam seemed to include many questions regarding IPSec authentication headers! I'll briefly cover each of the network data security protocols and methods.

IPSec is a rule-based security protocol that protects data traffic. It uses on-demand authentication and encryption between two end points. IPSec packets are signed with certificates, verified, encrypted and decrypted at the OSI network layer, making the process transparent to upper layer protocols. L2TP and IPSec can be used to create VPNs. IPSec can be used in two modes; AH (Authentication Header) and ESP (Encapsulating Security Payload). AH packets can be routed without loss or change to the header signature. ESP packets can use either DES (Data Encryption Standard) or 3DES in the Transport or Tunnel modes. In Transport mode, ESP encrypts the entire data packet with the exception of the header. In Tunnel mode, ESP encrypts the entire packet for VPN connections. Using AH and ESP together provides the most secure data transmission.

AH can be implemented using Kerberos, certificates, or preshared keys! IPSec is a wide-ranging protocol and includes many small details. Be sure and study it and IPSec policies thoroughly prior to the exam.

Tip: IPSec traffic cannot pass through older NAT servers.

SSL (Secure Sockets Layer) and TLS (Transport Level Security) both use public key and symmetric key encryption for TCP-based communications. They provide session encryption and integrity, and server authentication. This prevents eavesdropping, tempering, and message forging. Both SSL and TLS require digital certificates! SSL and TLS can be used to secure web, email, news, and FTP traffic.

PPTP over TCP/IP can be used to secure upper layer protocol traffic between clients and servers for such things as VPNs. It uses either PAP (Password Authentication Protocol) or MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) for the exchange process of credentials. PPTP traffic can pass through all NAT servers, but PPTP does not provide for data integrity.

SMB (Server Message Block) signing can be used to secure client-to-server file sharing traffic on a Windows network. SMB signing can be enabled using GPOs and uses a method of digital signing and a keyed hash to protect the integrity of each SMB packet.

WEP (Wired Equivalent Privacy) is used to secure wireless data traffic between wireless clients and access points connected to a wired network.

Remote client traffic can be secured using various methods and protocols. PPTP and IPSec/L2TP to create a VPN connection are becoming the most widely used.

EAP-TLS (for Extensible Authentication Protocol-Transport Level Security) is the most secure remote access method and protocol. Because of its support for two-factor authentication with the use of smart cards or USB keys, and certificates, it meets all the requirements of message and data CIA (Confidentiality Integrity Authentication).

Tip: If the network includes smart cards and certificate services is present to issue both user and computer certificates, use EAP-TLS for the most security.

For the exam you'll also need to be familiar with CMAK (Connection Manager Administration Kit), a tool for managing remote connections and remote access policies. CMAK allows administrators to pre-configure remote access clients, add custom behavior and appearance and provide an updateable phonebook that users can turn to and find the most convenient dial-up access numbers. When gaining that all-important hands-on experience for this exam, be sure to load up CMAK and create a profile or two.

Familiarity with Microsoft's Internet Security and Acceleration server is also a must for this exam. ISA server provides perimeter firewall services, proxy caching services, policy-based access control, secure web publishing, and intrusion detection services.

Tip: Client computers may need to install the ISA server firewall client to access the internal or external network.

Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI
This objective includes topics such as authentication, authorization, security groups, and certificate services. Know your group types, distribution and security, scopes; universal, domain local, global, local, and the recommended group strategy; A-G-DL-P Accounts get placed into Global groups which get placed into Domain Local groups which are assigned Permissions.

Tip: Group nesting is supported when a domain is at functional level Windows 2000 native or higher.

The special group type, Self, represents the permissions assigned to the ACE (Access Control Entry) of a user, group, or computer and is a placeholder for that security principal.

Trust relationships are something you should be familiar with at this point in your MCSA/MCSE studies. Remember that an external trust can be used to connect to a domain in another forest, and a shortcut trust is used to speed authentication between domains — they are both one way trusts! Forest-level trusts can be set up between Windows Server 2003 forests.

Certificate services-related questions are present on many of the Windows 2003 MCSA and MCSE exams. If this exam is your first exposure to Microsoft certification, you'll need to study everything about certificate services to pass. Configuring, deploying, revoking, and managing user and computer certificates is necessary for many of the security-related technologies discussed thus far. A digital certificate verifies the identity of a user, computer, or program. It contains information about the issuer and subject and is signed by the CA. Certificate templates define the format and content for the certificate's intended use. Only enterprise CAs can issue certificates based on certificate templates! Certificate templates can be issued for a variety of reasons; web servers, email, EFS (Encrypting File System), smart cards, remote access, and IPSec to name just a few.

Certificate deployment can be handled using various methods such as autoenrollment, enrollment agents, and Web-based enrollment. Web-based is a popular method, whereby the user connects to the CA and requests a certificate, relies on the CA administrator to approve the request, then installs the certificate on the computer. Autoenrollment can be controlled using GPOs for computers running Windows 2000, XP, and 2003. This type of certificate can be used for smart card logon, EFS, and IPSec authentication.

Certificate revoking is performed by the CA administrator when a certificate is compromised. The Certificate Revocation List (CRL) is published to the network. Certificates can be lost due to a deleted user profile, reinstallation of the user's operating system, a corrupted disk, or a stolen computer. Data Recovery Agents can be used to decrypt EFS data originally encrypted by a user's missing certificate. DRAs aren't necessary in Windows Server 2003 due to the newer Key Recovery Agents. KRAs can retrieve the original certificate along with the private and public keys. Certificates can also be exported for safe keeping and to prevent loss using Microsoft Outlook, Internet Explorer, the certificates console, or using the command line utility Certutil.exe.

10 Things to Practice

1. Explore and configure account and password policy settings for the domain GPO on your network.

2. Configure a Windows 2003 server to act as a VPN server and explore the various connection protocols supported.

3. Download, install, and configure MBSA on your test network.

4. Explore the various certificate templates and practice importing one using the Security Configuration and Analysis snap-in to compare against your existing security settings.

5. Install, configure, and enroll workstations using certificate services.

6. Install CMAK and create a profile or two.

7. Enable the three types of IPSec policies (client respond, request security, and require security) between two networked computers and observe the results.

8. Install and configure an SUS server on your test network--download updates and approve them for workstations.

9. Create a couple of SRPs using hash, path, and certificates. Apply them.

10. Configure GPOs to secure the various server roles in a Windows network: DCs, Member Servers, Workstations, Exchange, IIS, and IAS.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.