Microsoft has an exam on security at last. But before you climb into the ring and get flattened, make sure you're ready for the fight.
- By Roberta Bragg
So Microsoft finally has a security exam—and
not just any exam, a security design exam. To pass, you’re
supposed to be some kind of security goddess… er, architect.
Not only do you have to know how to lock down the operating
system, secure the network, and protect the city from
The Penguin—Microsoft wants you to be able to determine,
from a few notes, the best way for Gotham City to layer
security across the enterprise. And your design must match
some contractor’s vision of security.
Do You Smell What They’re Cooking?
Remember, a certification exam should reward and recognize
you for your competence in a particular area, not prepare
you for a career. Microsoft’s Designing a Secure Windows
2000 Network exam is supposed to do the former. Since
the exam wasn’t out at the time of this writing, I took
First, I’ll talk about my experience with the beta (remember,
your experience may differ). Next, I’ll review the exam
objectives with an eye to how you can best study. Finally,
we’re including online (at www.mcpmag.com) an extended
example of what the questions might be like on your exam.
(Don’t worry, Microsoft, I’m not going to disclose any
secrets. My example was written in December 1999, when
this exam was a twinkle in someone’s eye, and long before
we could have had any knowledge of content.)
Rating: “Frankly, I was a bit disappointed
with the quality of the beta. I hope the
released exam will be more thorough, more
challenging, and a lot harder and more
satisfying. But then, security is my life.”
a Secure Windows 2000 Network
Current Status: Went live in
Who should take it? One of three
available design exams for the MCSE
Windows 2000 track; you must select
What course prepares you? No.
2150: Designing a Secure Windows 2000
So You Want to Be a Star?
So you want to be either a security guru or a World Wrestling
Foundation all-star? First step, jump into the ring and
take the exam, right? Wrong. Remember, your experience
with any exam should be a reflection of what you’ve already
been doing, not how well you can cram and jam
The beta exam was a five-hour ordeal, but the released
exam will be significantly shorter. Though the exam won’t
take up your entire day, you may feel as if it has. As
with the other design exams, there are several “testlets”
or “design scenarios” with questions. If you haven’t seen
one of these before, it’s as if a consulting firm has
collected a batch of notes from the client about system
requirements. You’re about to go over the proposed design
with the client and are reviewing the notes to get a firm
idea of what you’re dealing with. Since these are another
consultant’s notes, you don’t have the luxury of asking
questions. In the real world, to be honest, I’m hoping
you’d collect better information.
Stick that exam cram guide you-know-where. It isn’t going
to help you. Instead, study the exam objectives. Compare
your own experiences to “Best Practices” offered in the
documentation. Implement any related features that you
haven’t had personal experience with. Examine your latest
security designs. Could you explain why you used a particular
technology in the way you did? And can you do so in terms
of the exam objectives?
The first step in preparing for any certification exam
is to uncover the objectives; they should match the on-the-job
requirements. Otherwise, what purpose is there to passing
the test? First lesson: The exam creators may not agree
with you word-for-word. The job they have in mind may
be broader or narrower than yours, but one thing is sure:
You’ll be tested by their standards, not yours. With a
lot of hard work from both of you, the exam objectives,
the job requirements, and your experiences in the field
will match. Passing the exam will be a reflection of your
ability to design security solutions, not of your ability
to take a test.
Tip: If you can see studying
the objectives as a way to make you better at what you
do, rather than to help you put new initials behind your
name, you’re on the right track.
Frankly, I was a bit disappointed
with the quality of the beta. If the
exam writers worked for me, I’d send
them back to the drawing board. It’s
not that there weren’t some good questions,
it’s just that I found myself muttering
an awful lot about the rest of the questions.
Here’s my criteria for judging an exam:
I want to be challenged, but not by
mediocrity. I love passing, but pass
or fail, I should come out feeling that
I took everything the exam developers
could throw at me, and I can now proudly
sport my broken ribs. I need to at least
know what I have to do to get ready
for my next attempt. The security beta
didn’t quite do that. I hope the released
exam will be more thorough, more challenging,
and a lot harder and more satisfying.
Admittedly, security is
both my business and my avocation, and
I write a column about it monthly for
this magazine. So again, your experience
in the ring may differ.
Round 1: Know Your General Business Ed
What’s with all these requirements to know things like
geographical scope, company mode, process engineering,
communication flow, product life cycles, and how the company
makes decisions? Who cares about the company’s priorities,
projected growth, laws and regulations, cost of operations?
All right, all right, I can see the reason for knowing
about branch offices and the company’s tolerance of risk,
but why all the other MBA core objectives? Do you really
need a business degree to design security solutions?
Yep and here’s why. A good architect takes into account
the status, opinions, beliefs, family size, and pocketbook
when designing someone’s house. I’m not Stone Cold Steve
Austin, Scottie Hottie or the Undertaker, and I’m not
going to win any wrestling matches in the ring with them.
But winning with security design is finding a solution
that matches the business and the problem; that I can
do. With that in mind, I certainly wouldn’t suggest a
100-percent Windows 2000 DNS solution to diehard Unix
DNS gurus. Nor would I forget to look at Internet Authentication
Services (IAS) if my customer has multiple locations and
a traveling sales force. Finally, I wouldn’t want to make
my design so expensive it would never get implemented.
The trick is to weave general business knowledge in with
security design where it’s warranted.
An old engineer friend of mine once told me that good
salespeople don’t “sell” you. Rather, they solve a problem
you may have not known you had. Learning to create good
security designs means listening to the heartbeat of the
people you’re creating the design for. Approach these
objectives as background.
Tip: You’ll need to know
how to evaluate business operations and to consider the
symbiotic relationship between business and technology.
Round 2: Analyze Technical Requirements
It should come as no surprise that you need to be adept
at determining the current technical environment. This
includes things like number of users, available connectivity
between geographic locations, available bandwidth, performance
requirements, data access methods, network roles (administrator,
Most of you will agree that you need this basic information
if you’re going to build a security solution. You also
need to consider the impact your design will have on the
existing environment and find out if changes are in the
works. Is the company planning to roll out smart cards
and certificate services from a third-party vendor? How
will your proposed IPSec implementation work within that
structure? Does the company have a large investment in
network monitoring devices and software? Does your plan
to obfuscate data during transport prevent these tools
from doing their job? Do users use terminals? Desktop
PCs? Notebooks? Wireless devices? How is remote access
determined? Dialup? Internet? Leased lines? Do they use
NAT? Can your VPN tunnel accommodate them? (Quick, what’s
the nugget I’ve hidden here that suggests a security design
solution to you? See Answer 1 below.)
Round 3: Analyzing Security Requirements
Finally, at the bottom of the third page of objectives,
we’re getting somewhere. Actually, there’s a reason half
the objectives appear to be leading up to this category.
You need to understand those other elements. If you understand
them, you can take a little security knowledge and craft
a security process. If you don’t, tons of security knowledge
and years of experience in using products will get beaten
out by the MBA with some common sense (or the teenager
with good Internet skills).
When you hear Microsoft talk about a “security baseline,”
you need to think “security templates.” Windows 2000 comes
with a number of these devices, along with tools you can
use to easily implement them. Templates for servers, secure
servers, and extra servers are provided. There’s even
one for IIS. It isn’t that Microsoft thinks its templates
will answer all our prayers, or that to take this exam
you need to be able to match templates and problems to
find solutions. It’s that Microsoft heard you all loud
and clear. You don’t have time to understand why you need
to perform that registry tweak, then tweak it on 6,000
machines. You’d rather just know the why, then have a
button to push.
Approach this objective with an eye to learning which
template does what. The templates are somebody’s idea
of what security means; you can learn something from that.
They’ll queue you in to Microsoft’s idea of security.
The templates can be modified; you’ll want to develop
your own baselines for your systems.
Tip: Make sure you understand
how to use Win2K templates and tools (Security Configuration
and Analysis, Group Policy Editor) to implement templates.
Main Attraction: Designing a Windows
2000 Security Solution
This is the meat and potatoes of the exam; this objective
covers huge amounts of ground. Do you know the elements
that will allow you to design, implement, maintain, and
audit security policies? Got authentication choices and
defaults at your fingertips? When would you have to use
EAP and when is it possible? Is the Encrypting File System
a good choice for users who need to share secrets? What
will be the effect of linking a Group Policy Object to
the Domain controllers OU vs. linking it at the domain
level? Can a Unix Kerberos client access resources in
a Win2K domain? How do you keep just anyone from installing
Win2K in your domain once you implement RIS? And finally,
what are three security choices you can make that will
require the availability of certificate services (see
Answer 2 below)?
Tag Team: Secure Access Between Networks
Hold on, the show’s not over yet. It’s not enough anymore
to secure your local area network—you have to protect
all its many parts. That includes data as it tunnels across
the net to and from your little corner. You need to know
how to provide airtight security for the network and yet
allow authorized users to reach you. You may not have
to configure the corporate firewall, and but we’re talking
about security design, so the firewall administrator will
want to know what you’re doing. Quick: Do you know what
ports need to be opened to allow new security configurations
to work? Are special ports or protocol IDs used by the
new technologies in Win2K? If you’re designing a VPN using
Win2K Routing and Remote Access, which interface of the
router needs configuration for IGMP routing? And which
for IGMP proxy? To understand port settings, you’ll need
to understand the technologies. A list of port and protocol
IDs are in the Windows 2000 Server Resource Kit. Note,
I’m not saying you should open up those ports. But the
resource kit is a good reference in case you need to open
ports for a protocol and don’t know the numbers.
Tip: To get a handle on
this objective, look for factors that would cause you
to recommend one technology over another. NAT is a good
thing, and Windows 2000 does it, but when would you use
Internet Connection Sharing, or Routing and Remote Access
Services? What technology provides the greatest remote
access security, but won’t work with NAT?
Final Event: Secure Communication Channels
Are you face down on the mat yet, stuck in a headlock
and screaming uncle? If you aren’t, IPSec might be your
swan song. It’s like meeting The Undertaker at the corner
of Gibroni Avenue and Know Your Role Boulevard, at which
point he checks you into the Smackdown Hotel. In a situation
like that, a little chutzpah won’t save your championship
belt; instead, you need to know a little bit more about
your opponent. Make him your friend; bend him to your
will. The simple trick to understanding securing communication
channels with IPSec is to remember three policies:
Client (Respond Only)—Don’t look for trouble, but
be ready to negotiate security.
Secure Server (Require Security)—You’re defending
the title now. Your opponent can’t negotiate the proper
security, because he doesn’t get close enough for
Server (Request Security)—The boss says you have
to take on all comers: Those who can will be secured;
those who can’t, won’t be.
If I’ve thrown you down on the mat and leapt on you from
the top of the ropes with this one, better go back and
study some more. Some helpful information on default polices
is in my column in this issue. [See Security
Advisor.—Ed.] An excellent source is the resource
kit, and white papers at www.microsoft.com/windows2000/library.
The best teacher, of course, is experience.
Tip: Which servers and communications
should be secured with packet authentication and encryption?
Good choices include authorized access to the payroll
database, or research and development files. Of course,
you’re going to set NTFS DACLs and SACLs, but how about
the data as it travels across your enterprise? Should
it be encrypted? (You should note that files encrypted
with EFS don’t remain encrypted as they travel across
the wire.) Between Windows 2000 systems, use IPSec.
Think you know your stuff? Don’t get blown away by the
format of the exam. As I’ve said, you’ll be faced with
a description of a situation in need of a solution. You
can visit Microsoft’s sample questions, which present
information on the universe and then ask you to assemble
answers from the data given. While they do introduce you
to the format, they don’t really give you the flavor of
the real exam—for example, there’s no real deductive reasoning