Exam Reviews

Security Smackdown

Microsoft has an exam on security at last. But before you climb into the ring and get flattened, make sure you're ready for the fight.

So Microsoft finally has a security exam—and not just any exam, a security design exam. To pass, you’re supposed to be some kind of security goddess… er, architect. Not only do you have to know how to lock down the operating system, secure the network, and protect the city from The Penguin—Microsoft wants you to be able to determine, from a few notes, the best way for Gotham City to layer security across the enterprise. And your design must match some contractor’s vision of security.

Do You Smell What They’re Cooking?

Remember, a certification exam should reward and recognize you for your competence in a particular area, not prepare you for a career. Microsoft’s Designing a Secure Windows 2000 Network exam is supposed to do the former. Since the exam wasn’t out at the time of this writing, I took the beta.

First, I’ll talk about my experience with the beta (remember, your experience may differ). Next, I’ll review the exam objectives with an eye to how you can best study. Finally, we’re including online (at www.mcpmag.com) an extended example of what the questions might be like on your exam. (Don’t worry, Microsoft, I’m not going to disclose any secrets. My example was written in December 1999, when this exam was a twinkle in someone’s eye, and long before we could have had any knowledge of content.)

Designing Security (70-220)
Reviewer’s Rating: “Frankly, I was a bit disappointed with the quality of the beta. I hope the released exam will be more thorough, more challenging, and a lot harder and more satisfying. But then, security is my life.”

Title: Designing a Secure Windows 2000 Network

Current Status: Went live in July 2000.

Who should take it? One of three available design exams for the MCSE Windows 2000 track; you must select one.

What course prepares you? No. 2150: Designing a Secure Windows 2000 Network

So You Want to Be a Star?

So you want to be either a security guru or a World Wrestling Foundation all-star? First step, jump into the ring and take the exam, right? Wrong. Remember, your experience with any exam should be a reflection of what you’ve already been doing, not how well you can cram and jam.

The beta exam was a five-hour ordeal, but the released exam will be significantly shorter. Though the exam won’t take up your entire day, you may feel as if it has. As with the other design exams, there are several “testlets” or “design scenarios” with questions. If you haven’t seen one of these before, it’s as if a consulting firm has collected a batch of notes from the client about system requirements. You’re about to go over the proposed design with the client and are reviewing the notes to get a firm idea of what you’re dealing with. Since these are another consultant’s notes, you don’t have the luxury of asking questions. In the real world, to be honest, I’m hoping you’d collect better information.

Stick that exam cram guide you-know-where. It isn’t going to help you. Instead, study the exam objectives. Compare your own experiences to “Best Practices” offered in the documentation. Implement any related features that you haven’t had personal experience with. Examine your latest security designs. Could you explain why you used a particular technology in the way you did? And can you do so in terms of the exam objectives?

The first step in preparing for any certification exam is to uncover the objectives; they should match the on-the-job requirements. Otherwise, what purpose is there to passing the test? First lesson: The exam creators may not agree with you word-for-word. The job they have in mind may be broader or narrower than yours, but one thing is sure: You’ll be tested by their standards, not yours. With a lot of hard work from both of you, the exam objectives, the job requirements, and your experiences in the field will match. Passing the exam will be a reflection of your ability to design security solutions, not of your ability to take a test.

Tip: If you can see studying the objectives as a way to make you better at what you do, rather than to help you put new initials behind your name, you’re on the right track.

Challenge Me!

Frankly, I was a bit disappointed with the quality of the beta. If the exam writers worked for me, I’d send them back to the drawing board. It’s not that there weren’t some good questions, it’s just that I found myself muttering an awful lot about the rest of the questions. Here are my criteria for judging an exam: I want to be challenged, but not by mediocrity. I love passing, but pass or fail, I should come out feeling that I took everything the exam developers could throw at me, and I can now proudly sport my broken ribs. I need to at least know what I have to do to get ready for my next attempt. The security beta didn’t quite do that. I hope the released exam will be more thorough, more challenging, and a lot harder and more satisfying.

Admittedly, security is both my business and my avocation, and I write a column about it monthly for this magazine. So again, your experience in the ring may differ.

—Roberta Bragg

Round 1: Know Your General Business Ed

What’s with all these requirements to know things like geographical scope, company model, process engineering, communication flow, product life cycles, and how the company makes decisions? Who cares about the company’s priorities, projected growth, laws and regulations, cost of operations? All right, all right, I can see the reason for knowing about branch offices and the company’s tolerance of risk, but why all the other MBA core objectives? Do you really need a business degree to design security solutions?

Yep, and here’s why. A good architect takes into account the status, opinions, beliefs, family size, and pocketbook when designing someone’s house. I’m not Stone Cold Steve Austin, Scottie Hottie or the Undertaker, and I’m not going to win any wrestling matches in the ring with them. But winning with security design is finding a solution that matches the business and the problem; that I can do. With that in mind, I certainly wouldn’t suggest a 100-percent Windows 2000 DNS solution to diehard Unix DNS gurus. Nor would I forget to look at Internet Authentication Services (IAS) if my customer has multiple locations and a traveling sales force. Finally, I wouldn’t want to make my design so expensive it would never get implemented. The trick is to weave general business knowledge in with security design where it’s warranted.

An old engineer friend of mine once told me that good salespeople don’t “sell” you. Rather, they solve a problem you may have not known you had. Learning to create good security designs means listening to the heartbeat of the people you’re creating the design for. Approach these objectives as background.

Tip: You’ll need to know how to evaluate business operations and to consider the symbiotic relationship between business and technology.

Round 2: Analyze Technical Requirements

It should come as no surprise that you need to be adept at determining the current technical environment. This includes things like number of users, available connectivity between geographic locations, available bandwidth, performance requirements, data access methods, network roles (administrator, user, God).

Most of you will agree that you need this basic information if you’re going to build a security solution. You also need to consider the impact your design will have on the existing environment and find out if changes are in the works. Is the company planning to roll out smart cards and certificate services from a third-party vendor? How will your proposed IPSec implementation work within that structure? Does the company have a large investment in network monitoring devices and software? Does your plan to obfuscate data during transport prevent these tools from doing their job? Do users use terminals? Desktop PCs? Notebooks? Wireless devices? How is remote access determined? Dialup? Internet? Leased lines? Do they use NAT? Can your VPN tunnel accommodate them? (Quick, what’s the nugget I’ve hidden here that suggests a security design solution to you? See Answer 1 below.)

Round 3: Analyzing Security Requirements

Finally, at the bottom of the third page of objectives, we’re getting somewhere. Actually, there’s a reason half the objectives appear to be leading up to this category. You need to understand those other elements. If you understand them, you can take a little security knowledge and craft a security process. If you don’t, tons of security knowledge and years of experience in using products will get beaten out by the MBA with some common sense (or the teenager with good Internet skills).

When you hear Microsoft talk about a “security baseline,” you need to think “security templates.” Windows 2000 comes with a number of these devices, along with tools you can use to easily implement them. Templates for servers, secure servers, and extra servers are provided. There’s even one for IIS. It isn’t that Microsoft thinks its templates will answer all our prayers, or that to take this exam you need to be able to match templates and problems to find solutions. It’s that Microsoft heard you all loud and clear. You don’t have time to understand why you need to perform that registry tweak, then tweak it on 6,000 machines. You’d rather just know the why, then have a button to push.

Approach this objective with an eye to learning which template does what. The templates are somebody’s idea of what security means; you can learn something from that. They’ll cue you in to Microsoft’s idea of security. The templates can be modified; you’ll want to develop your own baselines for your systems.

Tip: Make sure you understand how to use Win2K templates and tools (Security Configuration and Analysis, Group Policy Editor) to implement templates.

Main Attraction: Designing a Windows 2000 Security Solution

This is the meat and potatoes of the exam; this objective covers huge amounts of ground. Do you know the elements that will allow you to design, implement, maintain, and audit security policies? Got authentication choices and defaults at your fingertips? When would you have to use EAP and when is it possible? Is the Encrypting File System a good choice for users who need to share secrets? What will be the effect of linking a Group Policy Object to the Domain Controllers OU vs. linking it at the domain level? Can a Unix Kerberos client access resources in a Win2K domain? How do you keep just anyone from installing Win2K in your domain once you implement RIS? And finally, what are three security choices you can make that will require the availability of certificate services (see Answer 2 below)?

Tag Team: Secure Access Between Networks

Hold on, the show’s not over yet. It’s not enough anymore to secure your local area network—you have to protect all its many parts. That includes data as it tunnels across the net to and from your little corner. You need to know how to provide airtight security for the network and yet allow authorized users to reach you. You may not have to configure the corporate firewall, but we’re talking about security design, so the firewall administrator will want to know what you’re doing. Quick: Do you know what ports need to be opened to allow new security configurations to work? Are special ports or protocol IDs used by the new technologies in Win2K? If you’re designing a VPN using Win2K Routing and Remote Access, which interface of the router needs configuration for IGMP routing? And which for IGMP proxy? To understand port settings, you’ll need to understand the technologies. A list of port and protocol IDs is in the Windows 2000 Server Resource Kit. Note, I’m not saying you should open up those ports. But the resource kit is a good reference in case you need to open ports for a protocol and don’t know the numbers.

Tip: To get a handle on this objective, look for factors that would cause you to recommend one technology over another. NAT is a good thing, and Windows 2000 does it, but when would you use Internet Connection Sharing, or Routing and Remote Access Services? What technology provides the greatest remote access security, but won’t work with NAT?

Final Event: Secure Communication Channels

Are you face down on the mat yet, stuck in a headlock and screaming uncle? If you aren’t, IPSec might be your swan song. It’s like meeting The Undertaker at the corner of Gibroni Avenue and Know Your Role Boulevard, at which point he checks you into the Smackdown Hotel. In a situation like that, a little chutzpah won’t save your championship belt; instead, you need to know a little bit more about your opponent. Make him your friend; bend him to your will. The simple trick to understanding securing communication channels with IPSec is to remember three policies:

  1. Client (Respond Only)—Don’t look for trouble, but be ready to negotiate security.

  2. Secure Server (Require Security)—You’re defending the title now. Your opponent can’t negotiate the proper security, because he doesn’t get close enough for a knockdown.

  3. Server (Request Security)—The boss says you have to take on all comers: Those who can will be secured; those who can’t, won’t be.

If I’ve thrown you down on the mat and leapt on you from the top of the ropes with this one, better go back and study some more. Some helpful information on default policies is in my column in this issue. [See Security Advisor.—Ed.] An excellent source is the resource kit, and white papers at www.microsoft.com/windows2000/library. The best teacher, of course, is experience.

Tip: Which servers and communications should be secured with packet authentication and encryption? Good choices include authorized access to the payroll database, or research and development files. Of course, you’re going to set NTFS DACLs and SACLs, but how about the data as it travels across your enterprise? Should it be encrypted? (You should note that files encrypted with EFS don’t remain encrypted as they travel across the wire.) Between Windows 2000 systems, use IPSec.
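The three default policies above, and the tip's question of which traffic actually ends up protected, can be checked against a design on paper. The Python sketch below is an added example, not code from the article or from Microsoft: it reduces each policy to two flags, assumes the default rules are unmodified and that authentication succeeds, and its host names and flows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    requests_security: bool      # initiates IPSec negotiation with peers
    allows_clear_fallback: bool  # still talks if the peer cannot negotiate

# Simplified model (an assumption of this example) of the three default policies.
CLIENT = Policy("Client (Respond Only)", False, True)
SERVER = Policy("Server (Request Security)", True, True)
SECURE_SERVER = Policy("Secure Server (Require Security)", True, False)

def outcome(a: Optional[Policy], b: Optional[Policy]) -> str:
    """'secured', 'clear' or 'blocked'; None means no IPSec policy assigned."""
    if a is None and b is None:
        return "clear"
    if a is None or b is None:
        capable = a if b is None else b
        return "clear" if capable.allows_clear_fallback else "blocked"
    # Both sides can respond, so a single request is enough to negotiate.
    if a.requests_security or b.requests_security:
        return "secured"
    return "clear"  # two respond-only hosts: nobody asks for security

def audit(hosts, flows):
    """hosts: name -> Policy or None; flows: (src, dst, sensitive) tuples.
    Returns the flows a designer should revisit, with the reason."""
    findings = []
    for src, dst, sensitive in flows:
        result = outcome(hosts[src], hosts[dst])
        if result == "blocked":
            findings.append((src, dst, "blocked: peer cannot negotiate IPSec"))
        elif sensitive and result == "clear":
            findings.append((src, dst, "sensitive data crosses the wire in the clear"))
    return findings

# Constructed sample design (hypothetical host names).
HOSTS = {
    "payroll-db": SECURE_SERVER,
    "hr-ws": CLIENT,
    "file-srv": SERVER,
    "legacy-host": None,   # no IPSec policy assigned
    "rd-files": CLIENT,    # R&D share left on respond-only
    "eng-ws": CLIENT,
}
FLOWS = [
    ("hr-ws", "payroll-db", True),
    ("legacy-host", "payroll-db", True),
    ("legacy-host", "file-srv", False),
    ("eng-ws", "rd-files", True),
]

if __name__ == "__main__":
    for finding in audit(HOSTS, FLOWS):
        print(finding)
```

Here "secured" means only that IPSec was negotiated; whether the traffic is encrypted or just authenticated depends on the security methods in the policy.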

Additional Information

Answers to quiz:

  1. If your customer wants or needs to continue using NAT, you can't plan a solution using IPSec over L2TP VPN, since this can't be used with NAT. Recommend a PPTP solution.
  2. The need to replace the default EFS recovery agent; use of IPSec encryption for VPN; implementation of smart cards.

Formatting Lessons

Think you know your stuff? Don’t get blown away by the format of the exam. As I’ve said, you’ll be faced with a description of a situation in need of a solution. You can visit Microsoft’s sample questions, which present information on the universe and then ask you to assemble answers from the data given. While they do introduce you to the format, they don’t really give you the flavor of the real exam—for example, there’s no real deductive reasoning required.


Reader Comments:

Mon, Jul 29, 2002 David Houston

I was going to take this test before I read the article. Now I am terrified. I never did well with story questions, but now I have more of an idea on what to study for. Although most of the companies I deal with do not require most of the techniques used on the test, I reckon I should at least have some kind of idea as to what they are talking about. Thanks for the article and the heads up.

Thu, May 23, 2002 Tom WA

Enjoyed the review, especially the wrestling correlation--just passed the test today.

Tue, Mar 19, 2002 anonymous Anonymous

I think that the exam tests your reading comprehension rather than security knowledge. The questions were very long and confusing.

Thu, Jan 31, 2002 Anonymous Anonymous

Very good wake up call

Wed, Dec 26, 2001 Hector Tampa

Wow!
This will be my first security test and after this article I feel like a virgin. I guess I have some serious studying to do. If this is as good of a thrill as 70-240 was I am game.

Wed, Dec 19, 2001 Dan Guy Wales

I found this article very useful as I am looking at moving more towards the security side of things. I have spent most of my time securing routers and firewalls and 2000 is something I need to brush up on!!

Wed, Dec 19, 2001 Eric Soulliage Paris (France)

Having passed this exam, and all of the "design" exams in MCSE and MCDBA cursus, I can say that this one was the MOST PAINFUL. I've studied with 6 different editions for this exam + white papers and serious digging in the TechNet, and still, even if I had passed I walked out of there terrified by what MS exams can be (not that it stopped me of doing my MCDBA cursus a couple months later). Now when I have know-it-alls that tell me that W2K MCSE is a paper certification I basically tell them to register to that exam, and if they pass it I pay ..... up to now I haven't paid once ;)

Sun, Dec 16, 2001 mousse-man switzerland

Well-written, but I have taken the test and IMO, it tests your ability to read. I have my security knowledge from other sources than Microsoft. When taking the exam, I probably did almost everything the way the test designers wanted it, although I suspect that more than one solution is correct. The exam that I found most challenging was the 70-219, but now I'm taking the 70-221 and 225 to get all 'design' exams. I hope they'll be built a tad better.

Wed, Dec 5, 2001 RobH Canada

I always enjoy reading anything by Roberta Bragg, MCSE, MCT. Security is an especially vital area, particularly since the company's accounts database is no longer just a book locked away in the safe. Although the aspect of security is purely technological, I appreciate that she pointed out quite clearly that an in-depth understanding of business considerations is also required in order to design or implement security in any real-life situation. Security is something that all of us need to become more clued in about, as technology advances. I wonder if there are any upcoming changes for this exam, now that 2002 is nearly upon us?

Wed, Nov 7, 2001 Johnny Denmark

Good

Fri, Oct 26, 2001 Anonymous Anonymous

I also wrote the beta... good analysis of what the 220 exam is all about - painful and frustrating - study, study, and study more - and then go do it!

Thu, Oct 11, 2001 zunni Madison

Roberta - projects a great deal of arrogance - comprehension of the business case is really crucial - it is not just a technological issue

Mon, Sep 10, 2001 Me Anonymous

If this test is anything like Network Infrastructure Design [70-221], PRAY! I found it more frustrating than technically difficult. It tests your reading comprehension and intimacy with Microsoft more than TCP/IP.

Tue, Aug 28, 2001 Anonymous Anonymous

Very good and well written. Have been considering the exam since I am involved with security in NT and 2000.

Thu, Aug 9, 2001 Anonymous Anonymous

Well written although it could have been a bit more in depth for me though.
