70-299: Security Troubleshooter
You'll need experience with PKI, permissions, patch management, and troubleshooting under Windows 2003 before tackling this security exam.
The latest exam to come from Microsoft is aimed at administrators who
deal daily with maintaining security, and it requires specific knowledge
and hands-on experience with Windows Server 2003 PKI, permissions, patch
management, and troubleshooting. If you're familiar with Exam 70-214,
Implementing and Administering Security in a Windows 2000 Network, consider
70-299 an update of that exam.
In this review, I help you prepare by covering some of the objectives
as listed in the exam preparation guide.
Implementing, Managing, and Troubleshooting Security
Topics under this objective range from configuring, deploying, and troubleshooting
security templates to configuring permissions and security settings on
desktop and server computers.
The rule of thumb: Disable unnecessary services. This closes the listening
network port and reduces the attack surface of a computer. Windows Server
2003 has many new security templates and security settings beyond those
found in Windows 2000 Server--somewhere close to 600 additional settings.
And with the release of SP1 due out this year, security configuration
choices of servers will not only become more powerful but also more complex.
Group Policy Objects are where it's at. For almost any size of Windows
network, if you have deployed Active Directory, the killer feature is
GPO. Security templates are a quick and easy way of securing computers
in the domain with common configuration settings. When studying the Windows
Server 2003 material under the Products and Technologies link at Microsoft's
Security Guidance Center, pay particular attention to the different requirements
for securing domain controllers, IAS servers, Exchange servers, SQL servers,
and IIS servers.
Using GPOs, you can configure desktop and client computers for permissions.
One common method among Windows administrators is to assign a user local
administrator access to their desktop computer. This allows users to install
software and change system settings, but this method can sometimes bite
you in the butt!
Windows Server 2003 Group Policy security settings now include software
restriction policies, a smarter method of allowing users to install and run
only tested and approved software on their desktop. An SRP sets a default
security level (Unrestricted or Disallowed) for the computer or user and then
carves out exceptions with four rule types: hash rules, certificate rules,
path rules (including registry path rules), and Internet Explorer zone rules.
When more than one rule matches the same program, precedence is hash, then
certificate, then path, then zone; among path rules the more specific path wins.
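To make the precedence rules concrete, here is an added Python model of SRP rule evaluation; it is illustrative code written for this review, not a Microsoft tool, and the rule set and files in it are constructed. It applies the documented ordering (hash over certificate over path over zone, the more specific path rule first, and the more restrictive level on an exact tie) to a desktop whose default level is Disallowed:

```python
import fnmatch
import hashlib

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Rule-type precedence used by software restriction policies: a hash rule
# beats a certificate rule, which beats a path rule, which beats a zone rule.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Constructed rule set for a "default Disallowed" desktop: only what is
# approved by path, publisher or hash may run. All values are made up.
RULES = [
    {"type": "path", "value": r"C:\Program Files\*", "level": UNRESTRICTED},
    {"type": "path", "value": r"C:\Program Files\Games\*", "level": DISALLOWED},
    {"type": "hash", "value": sha1_hex(b"approved updater build 1.2"), "level": UNRESTRICTED},
    {"type": "hash", "value": sha1_hex(b"recalled helpdesk tool 0.9"), "level": DISALLOWED},
    {"type": "certificate", "value": "CN=Contoso Software", "level": UNRESTRICTED},
    {"type": "zone", "value": "Internet", "level": DISALLOWED},
]


def rule_matches(rule, f):
    kind = rule["type"]
    if kind == "hash":
        return rule["value"] == sha1_hex(f["content"])
    if kind == "certificate":
        return rule["value"] == f.get("publisher")
    if kind == "path":  # Windows paths compare case-insensitively
        return fnmatch.fnmatchcase(f["path"].lower(), rule["value"].lower())
    if kind == "zone":
        return rule["value"] == f.get("zone")
    raise ValueError(f"unknown rule type {kind}")


def evaluate(rules, f, default_level=DISALLOWED):
    """Return (level, winning_rule) the way SRP resolves conflicts:
    rule type precedence first, then the more specific path rule,
    then the more restrictive level when two rules are otherwise equal."""
    hits = [r for r in rules if rule_matches(r, f)]
    if not hits:
        return default_level, None

    def rank(r):
        # Longer path pattern = more specific (an approximation of SRP's rule).
        specificity = -len(r["value"]) if r["type"] == "path" else 0
        restrictive = 0 if r["level"] == DISALLOWED else 1
        return (PRECEDENCE[r["type"]], specificity, restrictive)

    winner = min(hits, key=rank)
    return winner["level"], winner


# Constructed files to evaluate; "content" stands in for the executable bytes.
FILES = {
    "vendor_app": {"path": r"C:\Program Files\Contoso\app.exe", "content": b"vendor app"},
    "game": {"path": r"C:\Program Files\Games\solitaire.exe", "content": b"game"},
    "signed_game_patch": {"path": r"C:\Program Files\Games\patch.exe", "content": b"patch",
                          "publisher": "CN=Contoso Software"},
    "approved_in_temp": {"path": r"C:\Temp\updater.exe",
                         "content": b"approved updater build 1.2"},
    "recalled_in_program_files": {"path": r"C:\Program Files\Helpdesk\tool.exe",
                                  "content": b"recalled helpdesk tool 0.9"},
    "download": {"path": r"C:\Documents and Settings\bob\Desktop\setup.exe",
                 "content": b"unknown", "zone": "Internet"},
    "internet_msi_in_pf": {"path": r"C:\Program Files\Contoso\setup.msi",
                           "content": b"msi", "zone": "Internet"},
}


def decisions():
    """Level chosen for every constructed file."""
    return {name: evaluate(RULES, f)[0] for name, f in FILES.items()}


if __name__ == "__main__":
    for name, level in decisions().items():
        print(f"{name:28s} -> {level}")
```

Two results are worth noticing: the recalled helpdesk tool is blocked even though it sits under an Unrestricted path, because the hash rule outranks the path rule, and the publisher-signed game patch runs even though the Games folder is Disallowed, because the certificate rule outranks both path rules. Hash rules are therefore the tool for pulling one bad build while leaving its install directory trusted.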
Administering Security (70-299)
This exam is an update of the Windows 2000 exam 70-214 and will test your
knowledge of Windows Server 2003 PKI, permissions, patch management, and
troubleshooting.
Exam title: 70-299, Implementing and Administering Security in a Microsoft
Windows Server 2003 Network
Who Should Take It: Candidates for MCSA or MCSE on Windows Server 2003
Tip: Only one password policy can be configured per domain, and it must come
from a GPO linked at the domain level (the Default Domain Policy by default).
Password and lockout settings in GPOs linked to OUs affect only the local
accounts on the computers in those OUs, not domain accounts.
Gpupdate replaces secedit /refreshpolicy in Windows Server 2003. Gpupdate
forces an immediate refresh of Group Policy settings, which makes it useful
both for bringing a computer into compliance right away and for recovering a
computer to which incorrect settings were applied. To troubleshoot a computer
that has been locked down incorrectly to the point where you can't log on with
the domain administrator account, restart the computer in Safe Mode, log on as
the local administrator, run gpupdate, restart the computer in normal mode,
and then log on normally.
Tip: Group Policy loopback processing mode makes the user settings in the GPOs
linked to the computer's site, domain, or OU apply regardless of which user
logs on, either replacing or merging with the user's own GPOs. Use it on
kiosks, terminal servers, and other computers where the machine, not the
user, should dictate the user configuration.
Secedit at the command line (secedit /analyze and secedit /configure) and the
Security Configuration and Analysis snap-in can be used in Windows Server 2003
to analyze, configure, and validate a computer's security settings against a
security template.
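The following added Python example (not part of this review's original text and not a Microsoft tool) shows the .inf template format that secedit and the snap-in consume and re-implements the comparison secedit /analyze performs against a machine's current settings. The template and the machine snapshot are constructed for the example; the SDDL strings on the service lines are illustrative. Note that the template also disables two listening services and requires SMB signing, two settings discussed elsewhere in this article:

```python
import re

# Constructed security template in the .inf format secedit and the Security
# Configuration and Analysis snap-in consume. [Service General Setting]
# lines are "name,startup type,SDDL": 2 = Automatic, 3 = Manual, 4 = Disabled.
# [Registry Values] lines are "path=type,value" with 4 meaning REG_DWORD.
# The SDDL strings are illustrative, not copied from a shipping template.
TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
[Service General Setting]
TlntSvr,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
Messenger,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
"""

# Constructed snapshot of a member server's current settings, laid out the
# same way, standing in for what secedit reads from the live system.
CURRENT = {
    "System Access": {"MinimumPasswordLength": "7", "PasswordComplexity": "0",
                      "LockoutBadCount": "5"},
    "Event Audit": {"AuditLogonEvents": "1", "AuditAccountLogon": "3"},
    "Registry Values": {
        r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature": "4,0",
        r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature": "4,1",
    },
    "Service General Setting": {"TlntSvr": "2", "Messenger": "4"},
}

COMPARED_SECTIONS = ("System Access", "Event Audit", "Registry Values",
                     "Service General Setting")


def parse_template(text):
    """Return {section: {key: value}} for the template's sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current == "Service General Setting":
            name, startup, _sddl = line.split(",", 2)  # SDDL not compared here
            sections[current][name.strip()] = startup.strip()
        elif current in COMPARED_SECTIONS:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def analyze(template_text, actual):
    """Mimic 'secedit /analyze': list every template setting the machine does
    not match, as (section, key, expected, actual) tuples."""
    findings = []
    for section, settings in parse_template(template_text).items():
        if section not in COMPARED_SECTIONS:
            continue
        for key, expected in settings.items():
            got = actual.get(section, {}).get(key, "<not configured>")
            if got != expected:
                findings.append((section, key, expected, got))
    return findings


def disabled_services(template_text):
    """Services the template sets to startup type 4 (Disabled)."""
    services = parse_template(template_text).get("Service General Setting", {})
    return sorted(name for name, startup in services.items() if startup == "4")


if __name__ == "__main__":
    for section, key, expected, got in analyze(TEMPLATE, CURRENT):
        print(f"MISMATCH [{section}] {key}: template={expected} machine={got}")
```

Against the constructed snapshot the analysis reports five mismatches: a short minimum password length, complexity off, logon auditing recording successes only, the server side of SMB signing not required, and the Telnet service still set to Automatic. That is the same kind of list the snap-in shows with red X marks, and it is the list to work from before running secedit /configure with the same template.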
Implementing, Managing, and Troubleshooting Patch Management
Topics include planning the deployment of service packs and hotfixes, verifying
installed patches with MBSA, and SUS deployment and administration. This is
certainly a hot topic for many of us: patch management. Unless you're an
administrator who has been hiding in a server closet for the past 24 months,
you've no doubt had your challenges with patch management, which is a nightmare
if not done correctly.
if not done correctly. Patch management is one of the key aspects of securing
In the exam world, which can be completely different from the real world,
patch management of Windows computers must be done with Microsoft's free
tools: the Microsoft Baseline Security Analyzer and Software Update Services.
MBSA is a network-based scanning tool that runs on Windows 2000, XP, and
2003 operating systems; it looks for missing patches and security updates
on all flavors of Windows down to Windows NT 4.0. It also supports scanning
of IIS, SQL, and Exchange servers. MBSA comes in both a GUI wizard version
and a command line version called mbsacli.exe.
Windows Update is a client-side scanning tool that checks for installed and
missing patches and service packs against the Windows Update web site or a
locally installed SUS server. Together with Automatic Updates, Windows computers
can be configured to download and install patches and service packs at
scheduled intervals. Server and client computers can be pointed at a SUS server
using Group Policy (Computer Configuration, Administrative Templates, Windows
Components, Windows Update), SMS (Systems Management Server) with the SUS
Feature Pack, or logon scripts that set the same Windows Update registry values
if Active Directory has not been deployed. Because Automatic Updates runs as a
system service, users do not need local administrator access to their desktop;
it can be scheduled for a day and time to install the updates and restart the
computer automatically.
SUS servers deployed within a network allow administrators to collect,
approve and distribute critical updates for server and client computers.
SUS parent servers can be configured to synchronize with the Microsoft
Windows Update Web site and pass updates to child SUS servers, which,
in turn, distribute the updates to the server and client computers on
Tip: For failed deployments of patches or service packs with SUS,
you must cancel approval of the update on the SUS server to prevent further
Implementing, Managing, and Troubleshooting Security
for Network Communications
Most of the topics here center on IPSec for securing network data. You'll
also find a sprinkle of data security as it relates to wireless, SSL and
remote access networks. My exam seemed to include many questions regarding
IPSec authentication headers! I'll briefly cover each of the network data
security protocols and methods.
IPSec is a policy-driven suite of protocols that protects IP traffic between
two endpoints. Before data flows, the peers run IKE (Internet Key Exchange) to
authenticate each other and negotiate keys; in a Windows Server 2003 IPSec
policy the authentication method can be Kerberos (the default for domain
members), certificates, or a preshared key. Protection is then applied at the
OSI network layer with keyed hashes (HMAC-MD5 or HMAC-SHA1) and symmetric
encryption (DES or 3DES), making the process transparent to upper layer
protocols. Certificates authenticate the peers during IKE; they do not sign
each packet. L2TP combined with IPSec is one way to build a VPN.
IPSec has two protocols, not two modes: AH (Authentication Header), which
provides integrity and authentication, and ESP (Encapsulating Security
Payload), which provides confidentiality and, optionally, integrity. Either
protocol runs in one of two modes. In Transport mode the original IP header is
kept and only the payload is protected; in Tunnel mode the whole original
packet is wrapped inside a new IP header, which is what a gateway-to-gateway
VPN uses. AH's integrity check covers the payload and the IP header except the
fields that legitimately change in transit (TTL, checksum, TOS, flags), so AH
packets survive ordinary routing but not address rewriting. ESP in Transport
mode encrypts the payload but not the IP header; in Tunnel mode it encrypts
the entire original packet. ESP's own integrity check, when enabled, never
covers the outer IP header. Using AH and ESP together gives both header
integrity and payload confidentiality and is the strongest combination the
exam offers.
Remember that Kerberos, certificates, and preshared keys are IKE authentication
methods chosen in the policy, not a property of AH! IPSec is a wide-ranging
protocol and includes many small details. Be sure to study it and IPSec
policies thoroughly prior to the exam.
Tip: IPSec traffic cannot pass through older NAT servers. AH never survives
NAT, because the source address is part of its integrity check; ESP needs NAT
Traversal (NAT-T), which encapsulates ESP in UDP and is supported by Windows
Server 2003.
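Why AH breaks behind NAT while a plain router hop is fine follows directly from what the integrity check covers. The added Python example below (written for this review, not Microsoft code; the key and payload are constructed) builds minimal AH and ESP transport-mode packets protected with HMAC-SHA1-96, using ESP's NULL cipher so that only integrity coverage is modelled, then pushes them through a TTL-decrementing router and an address-rewriting NAT:

```python
import hmac
import hashlib
import struct

AH = 51       # IP protocol number for Authentication Header
ESP = 50      # IP protocol number for Encapsulating Security Payload
TCP = 6
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte SHA-1 MAC to 96 bits


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def checksum(header):
    """Standard one's-complement IPv4 header checksum (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def ah_immutable(hdr):
    """Zero the fields AH treats as mutable in transit: TOS, flags/fragment
    offset, TTL and header checksum (RFC 2402 / RFC 4302). Addresses stay."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\0\0"
    b[8] = 0
    b[10:12] = b"\0\0"
    return bytes(b)


def mac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(key, src, dst, payload, spi=0x100, seq=1):
    """AH transport mode: IP header | AH header | ICV | original payload."""
    ah = struct.pack("!BBHII", TCP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    hdr = ipv4_header(src, dst, AH, len(ah) + ICV_LEN + len(payload))
    icv = mac(key, ah_immutable(hdr) + ah + b"\0" * ICV_LEN + payload)
    return hdr + ah + icv + payload


def verify_ah(key, packet):
    hdr, ah, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = mac(key, ah_immutable(hdr) + ah + b"\0" * ICV_LEN + payload)
    return hmac.compare_digest(icv, expected)


def build_esp(key, src, dst, payload, spi=0x200, seq=1):
    """ESP transport mode with the NULL cipher (RFC 2410) so only integrity
    coverage is shown; Windows would use DES or 3DES for the payload."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, TCP])
    body = struct.pack("!II", spi, seq) + payload + trailer
    hdr = ipv4_header(src, dst, ESP, len(body) + ICV_LEN)
    return hdr + body + mac(key, body)  # the IP header is NOT covered


def verify_esp(key, packet):
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, mac(key, body))


def nat_rewrite_source(packet, new_src):
    """What a NAT gateway does on the way out: new source address and a
    recomputed header checksum, nothing else touched."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = ip_bytes(new_src)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def router_hop(packet):
    """A plain router decrements TTL and fixes the checksum; AH must survive it."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def demo():
    key = b"constructed-demo-key-not-for-real-use"  # constructed
    payload = b"GET /payroll HTTP/1.0\r\n\r\n"      # constructed stand-in for TCP data
    ah = build_ah(key, "192.168.1.10", "10.0.0.5", payload)
    esp = build_esp(key, "192.168.1.10", "10.0.0.5", payload)
    tampered = esp[:-ICV_LEN - 4] + b"\xff" + esp[-ICV_LEN - 3:]
    return {
        "ah_ok": verify_ah(key, ah),
        "ah_after_router": verify_ah(key, router_hop(ah)),
        "ah_after_nat": verify_ah(key, nat_rewrite_source(ah, "203.0.113.7")),
        "esp_ok": verify_esp(key, esp),
        "esp_after_nat": verify_esp(key, nat_rewrite_source(esp, "203.0.113.7")),
        "esp_tampered": verify_esp(key, tampered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'verifies' if ok else 'REJECTED'}")
```

The AH packet verifies after the router hop and is rejected after the NAT, while the ESP packet's integrity check passes either way because it never covered the IP header. In practice ESP transport mode still fails through a NAPT device for other reasons: the device cannot see the encrypted TCP or UDP ports it needs to translate, and the inner transport checksum still covers the original address. NAT-T solves that by carrying ESP inside UDP; AH has no such fix.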
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) both combine
public key and symmetric key encryption to protect TCP-based communications.
They provide session encryption and integrity, and server authentication
(client authentication is optional). This prevents eavesdropping, tampering,
and message forging. Both SSL and TLS require a digital certificate on the
server! SSL and TLS can be used to secure web, email, news, and FTP traffic.
PPTP (Point-to-Point Tunneling Protocol) over TCP/IP can be used to secure
upper layer protocol traffic between clients and servers for such things as
VPNs. It relies on PPP authentication (PAP, CHAP, MS-CHAP, MS-CHAP v2, or EAP)
for the exchange of credentials, and its MPPE encryption keys are derived from
MS-CHAP, MS-CHAP v2, or EAP-TLS authentication; PAP sends the password in clear
text and should not be used. PPTP's GRE data channel passes through most NAT
servers (those with a PPTP editor), but PPTP does not provide data integrity.
SMB (Server Message Block) signing can be used to secure client-to-server
file sharing traffic on a Windows network. SMB signing is enabled through the
"Microsoft network server/client: Digitally sign communications" security
options in a GPO and protects the integrity of each SMB packet with a keyed
hash; it does not encrypt the data.
WEP (Wired Equivalent Privacy) is used to secure wireless data traffic
between wireless clients and access points connected to a wired network.
WEP's static RC4 keys have well-known weaknesses, so treat it as the minimum
and pair it with 802.1X authentication (EAP-TLS, below) wherever you can.
Remote client traffic can be secured using various methods and protocols.
PPTP and IPSec/L2TP to create a VPN connection are becoming the most widely
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is the
most secure remote access authentication method. Because it supports two-factor
authentication with smart cards or USB tokens holding certificates, and
mutually authenticates client and server, it provides confidentiality,
integrity, and authentication for the credential exchange.
Tip: If the network includes smart cards and certificate services
is present to issue both user and computer certificates, use EAP-TLS for
the most security.
For the exam you'll also need to be familiar with CMAK (Connection Manager
Administration Kit), a tool for managing remote connections and remote
access policies. CMAK allows administrators to pre-configure remote access
clients, add custom behavior and appearance and provide an updateable
phonebook that users can turn to and find the most convenient dial-up
access numbers. When gaining that all-important hands-on experience for
this exam, be sure to load up CMAK and create a profile or two.
Familiarity with Microsoft's Internet Security and Acceleration server
is also a must for this exam. ISA server provides perimeter firewall services,
proxy caching services, policy-based access control, secure web publishing,
and intrusion detection services.
Tip: Client computers may need to install the ISA server firewall
client to access the internal or external network.
Planning, Configuring, and Troubleshooting Authentication,
Authorization, and PKI
This objective includes topics such as authentication, authorization,
security groups, and certificate services. Know your group types (distribution
and security), group scopes (universal, global, domain local, and local), and
the recommended group strategy, A-G-DL-P: Accounts get placed into Global
groups, which get placed into Domain Local groups, which are assigned
Permissions.
Tip: Group nesting is supported when a domain is at functional level
Windows 2000 native or higher.
The special identity SELF is a placeholder in an ACE (Access Control Entry)
on a user, group, or computer object: it stands for whichever security
principal that object represents, so a single ACE can grant every object's own
principal rights over itself.
Trust relationships are something you should be familiar with at this
point in your MCSA/MCSE studies. Remember that an external trust connects to a
domain in another forest (or a Windows NT 4.0 domain) and is non-transitive,
while a shortcut trust speeds authentication between two domains in the same
forest; either can be created as one-way or two-way. Transitive forest trusts
can be set up between Windows Server 2003 forests.
Certificate services-related questions are present on many of the Windows
2003 MCSA and MCSE exams. If this exam is your first exposure to Microsoft
certification, you'll need to study everything about certificate services
to pass. Configuring, deploying, revoking, and managing user and computer
certificates is necessary for many of the security-related technologies
discussed thus far. A digital certificate verifies the identity of a user,
computer, or program. It contains information about the issuer and subject
and is signed by the CA. Certificate templates define the format and content
for the certificate's intended use. Only enterprise CAs can issue certificates
based on certificate templates! Templates exist for a variety of purposes:
web servers, email, EFS (Encrypting File System), smart cards, remote access,
and IPSec to name just a few.
Certificate deployment can be handled using various methods such as autoenrollment,
enrollment agents, and Web-based enrollment. Web-based enrollment is a popular
method: the user connects to the CA's enrollment pages, requests a certificate,
waits for the CA administrator to approve the request if the CA holds requests
pending, and then installs the certificate on the computer. Autoenrollment can
be controlled using GPOs; Windows 2000 can autoenroll computer certificates
only, while Windows XP and Windows Server 2003 can also autoenroll user
certificates from version 2 templates. Autoenrolled certificates can be used
for EFS, IPSec authentication, and smart card logon.
Certificate revocation is performed by the CA administrator when a certificate's
private key is compromised or the certificate should no longer be trusted (for
example, the holder has left). The Certificate Revocation List (CRL) is then
published to the network, and clients must be able to reach the published CRL
to reject revoked certificates. Certificates and their private keys can be lost
due to a deleted user profile, reinstallation of the user's operating system, a
corrupted disk, or a stolen computer. Data Recovery Agents can decrypt EFS data
when the user's certificate is missing. Windows Server 2003 adds Key Recovery
Agents: if key archival was enabled on the template when the certificate was
issued, a KRA can retrieve the archived private key and its certificate from
the CA database. Key recovery returns the original key to the user, whereas
data recovery only recovers the files, so the two complement each other and a
DRA is still worth configuring. Certificates and their private keys can also
be exported for safe keeping and to prevent loss using Microsoft Outlook,
Internet Explorer, the certificates console, or using the command line
Things to Practice
1. Explore and configure account and password
policy settings for the domain GPO on your network.
2. Configure a Windows 2003 server to act as
a VPN server and explore the various connection protocols
3. Download, install, and configure MBSA on
your test network.
4. Explore the various security templates
and practice importing one using the Security Configuration
and Analysis snap-in to compare against your existing
5. Install, configure, and enroll workstations
using certificate services.
6. Install CMAK and create a profile or two.
7. Enable the three types of IPSec policies
(client respond, request security, and require security)
between two networked computers and observe the results.
8. Install and configure an SUS server on your
test network--download updates and approve them for
9. Create a couple of SRPs using hash, path,
and certificates. Apply them.
10. Configure GPOs to secure the various server
roles in a Windows network: DCs, Member Servers, Workstations,
Exchange, IIS, and IAS.