Lesson Plans Administering Security in a Server 2003 Network (Exam 70-299) Version 2.0
Table of Contents

Course Overview
Section 1.1: Course Introduction
Section 1.2: Active Directory
Section 1.3: Group Policy
Section 2.1: Roles and Templates
Section 2.2: Security Settings
Section 2.3: Account Policies Facts
Section 3.1: Encryption
Section 3.2: Certificate Concepts
Section 3.3: CA Installation
Section 3.4: Certificate Templates
Section 3.5: Certificate Autoenrollment
Section 3.6: Certificate Management
Section 3.7: CA Management
Section 4.1: Authentication and Authorization Concepts
Section 4.2: Authentication
Section 4.3: Smart Cards
Section 4.4: Groups
Section 4.5: Folder and File Access
Section 4.6: Trusts
Section 4.7: Digital Signatures
Section 5.1: IPSec Policies
Section 5.2: IPSec Troubleshooting
Section 6.1: Dialup and VPN
Section 6.2: Remote Access Policies
Section 6.3: RADIUS
Section 7.1: IIS Security
Section 7.2: SSL
Section 8.1: Software Restrictions
Section 8.2: Software Update Services
Section 8.3: Software Deployment
Section 9.1: Wireless Security
Section 9.2: Network Zones
Section 9.3: Server Hardening
Section 10.1: Auditing
Section 10.2: Auditing Security Configurations

Course Overview

This course prepares students for the Implementing and Administering Security in a Microsoft Windows Server 2003 Network certification Exam 70-299. It focuses on how to implement and maintain security in the Windows 2003 environment.

Before studying for the Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam, you should have extensive working knowledge of the following:
- Active Directory
- Group Policy
- Remote access
- IIS
- NTFS permissions

Module 1 Security Overview
This module introduces the instructor, prerequisites, and course content. It also provides an overview of Active Directory, group policy, and basic server administration.

Module 2 Security Templates
Module 2 explains how to enhance security through the use of security templates, security settings, and password and account lockout settings.

Module 3 Certificates
Module 3 discusses the basics of planning, installing and managing certificates. Topics include encryption, Certification Authority, Certificate Templates, Certificate Autoenrollment, and CA Management.

Module 4 Authentication and Authorization
Module 4 covers the concepts of authentication and authorization. Topics also include Kerberos, NTLM, smart cards, group scopes, file system policies, trusts, and digital signatures.

Module 5 IPSec
In Module 5 students will learn how to configure IPSec to secure data in transmission. Students will learn the tools to analyze and resolve IPSec problems.

Module 6 Remote Access
Module 6 explains methods to connect to a Remote Access Server (RAS), authentication protocols, authorization through remote access policies, and using a Remote Authentication Dial-In User Service (RADIUS) server to consolidate remote access policies.

Module 7 IIS Security
In Module 7 students will learn the five security checks used to provide IIS security to secure transmission of data. Also discussed are Web permissions, SSL, and certificate mapping.

Module 8 Software Management
Module 8 covers the software management tools used to create software restrictions and deploy service packs. These include Group Policy, path and certificate rules, Software Update Services (SUS), Update.exe, Slipstreaming, WSUS and SMS.

Module 9 Network Infrastructure Security
Module 9 discusses the basics of wireless security, DMZ, NAT, and server hardening.

Module 10 Security Auditing
Module 10 explains the tools used to analyze system security. These include MBSA, Security Configuration and Analysis, RSoP, and Regedit.

Section 1.1: Course Introduction

This section introduces the video instructor, the prerequisites, and the topics that will be covered in this course. Review the prerequisites so that you can make sure the students are prepared to take the course.

Before studying for the Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam, students should have extensive working knowledge of the following:
- Active Directory
- Group Policy
- Remote access
- IIS
- NTFS permissions

Video/Demo
1.1.1 Course Introduction 1:03

About 5 minutes

Section 1.2: Active Directory

In this section students will review the basics of Active Directory. Students should already have a broad working knowledge of Active Directory before taking this course. They will re-examine the Active Directory components used to organize network resources and simplify management.

Students will learn how to:
- Create an Active Directory structure to simplify security administration by creating OUs and moving workstations and servers among OUs.
- Change the domain and forest functional levels.

- What is the difference between a tree and a forest?
- When is it appropriate to use multiple forests?
- What are the elements of a site?
- What is the difference between the default permissions of the Enterprise Admins group compared to the Domain Admins group?
- Which domain functional level must you use if you want to rename a domain controller?
- What is the difference between domain functional levels and forest functional levels?

Video/Demo
1.2.1 Active Directory Design 9:55
1.2.4 Functional Levels 8:29
1.2.5 Configuring Functional Levels 2:01
Total 20:25

Lab/Activity
- Structure Active Directory
- Change the Functional Level

About 35 minutes

Section 1.3: Group Policy

This section discusses the basics of Group Policy. Students will review how to apply group policy settings to users or computers.

Students will learn how to:
- Implement a Group Policy strategy by creating GPOs and linking them to Active Directory objects.

- When is a computer policy applied?
- Where do you configure user rights?
- What happens to a setting that is applied by a GPO at the local level but is not applied by a GPO at the domain level?
- What is the result of GPO settings applied at the site level and separate GPO settings applied at the domain level?
- How is the Block Inheritance setting affected by the No Override setting?
- How can you create a configuration that creates the same working environment for a user no matter which computer the user logs on to?
- If an OU has four GPOs linked to it, what is the order in which the GPOs are applied?

Video/Demo
1.3.1 GPO Review 15:32
1.3.2 Configuring a GPO 6:46
Total 22:18

Lab/Activity
- Create and Link a GPO

Number of Exam Questions: 2 questions

About 35 minutes

Section 2.1: Roles and Templates

This section covers creating customized security templates based on the role of the computer. Templates can be used to reduce exposure by disabling unnecessary services.

Students will learn how to:
- Manage Group Policy by importing security templates to add or replace existing security settings.
- Reconfigure security settings through GPOs applied to OUs.
- Apply security templates to meet user requirements.

Windows Server 2003 Objectives
101. Plan security templates based on computer role. Computer roles include SQL Server computer, Microsoft Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server.
102. Configure security templates.
103. Deploy security templates.
104. Troubleshoot security template problems.

- If you add an additional security template to a GPO that already contains security settings, what happens to the existing settings?
- If a GPO applied to the local machine requires a user to change passwords every 90 days and a security template applied to the local machine requires the user to change passwords every 45 days, which setting is enforced?
- What may be the effect of applying Setup Security.inf through a GPO?
- What are the differences between Secure*.inf and Hisec*.inf?
- Which template would you apply in order to allow users to run a legacy application?

Video/Demo
2.1.1 Computer Roles 2:05
2.1.2 Security Templates 6:20
2.1.3 Configuring Security Templates 7:11
Total 15:36

Lab/Activity
- Import a Template 1
- Import a Template 2

Number of Exam Questions: 17 questions

About 45 minutes

Section 2.2: Security Settings

This section gives an overview of the available Security Settings. The Security Setting Categories are presented with a description of each. Students will implement network security standards by configuring user rights assignments and security options.

Students will learn how to:
- Implement network security standards by configuring user rights assignments and security options.

Windows Server 2003 Objectives
102. Configure security templates.
403. Plan and configure authorization.

- When do account policies take effect?
- Which security setting allows you to configure a user's ability to log on to the local machine?
- What is a major difference between user rights and security options?

Video/Demo
2.2.1 Security Settings 4:39
2.2.2 Configuring Security Settings 11:01
Total 15:40

Lab/Activity
- Configure User Rights
- Modify a Security Template
- Configure Security Options

Number of Exam Questions: 5 questions

About 40 minutes

Section 2.3: Account Policies

This section discusses how account policies control passwords and login properties. Both password and account lockout settings are explored.

Students will learn how to:
- Use security templates and GPOs to enforce user account security standards.

Windows Server 2003 Objectives
102. Configure security templates.

- Users in a network have to change their passwords every 30 days, but many users have reported that they simply enter the same password to make the change. Why can they do this?
- What is the effect of setting the minimum password age account policy to 5 days?
- How can you prevent users from creating passwords like desk, mom, chair, or office?
- What is the effect of setting the account lockout policy to 0?
- What type of an account should have the Password never expires option set?

Lab/Activity
- Configure Account Policies

Number of Exam Questions: 1 question

About 10 minutes

Section 3.1: Encryption

In this section students will learn the basics of encryption. The three typical methods of encryption are described: hashing, symmetric encryption, and asymmetric encryption (PKI). Hashing provides integrity and ensures that data was not modified in transit. Common hashing algorithms are presented.

- What is the difference between symmetric encryption and asymmetric encryption?
- Why does hashing provide data integrity, but not reliable data encryption?
- Why is asymmetric encryption also called PKI?
- What is the relationship between collision vulnerability and a hashing algorithm?

Video/Demo
3.1.1 Encryption Types 14:21
3.1.2 MD5 Hashing 3:47
Total 18:08

About 20 minutes

Section 3.2: Certificate Concepts

This section discusses the concepts of a Certification Authority (CA). A Certification Authority is used to deploy and issue certificates. Students will learn the factors to consider when planning the certification hierarchy of a certificate authority structure. Also presented are some of the common CA configurations and the conditions for their implementation.

Windows Server 2003 Objectives
404. Install, manage, and configure Certificate Services.

- What advantage does a third-party CA have over an internal CA?
- What does a CA have to possess to issue certificates?
- Why would you choose to take your root CA offline?
- How does a CA verify the validity of the certificates it issues?

Video/Demo
3.2.1 CA Hierarchies 9:58
3.2.3 Viewing Root CAs 9:40
3.2.4 Certificate Lifecycle 5:29
Total 25:07

About 30 minutes

Section 3.3: CA Installation

This section covers how to install a Standalone Root CA and a Subordinate CA. Students will learn the facts to consider when planning a CA installation. One important fact to remind the students of is that after installing Certificate Services, you cannot change the computer name or domain membership. Students will have an opportunity to install and configure standalone and subordinate CAs and request, approve, and import a subordinate CA certificate.

Students will learn how to:
- Install and configure standalone and subordinate CAs.
- Request, approve, and import a subordinate CA certificate.

Windows Server 2003 Objectives
404. Install, manage, and configure Certificate Services.

- Why must you install a root CA before you install issuing CAs?
- Where does a root CA's certificate come from?
- What type of CA can publish a CRL to Active Directory?
- What must you do to a Windows 2000 forest to implement a Windows 2003 Enterprise CA?

Video/Demo
3.3.1 Installing a Standalone Root CA 3:54
3.3.3 Installing a Subordinate CA 8:00
Total 11:54

Lab/Activity
- Install A Root CA
- Install a Subordinate CA
- Approve a CA Request
- Import a CA Certificate

Number of Exam Questions: 6 questions

About 40 minutes

Section 3.4: Certificate Templates

This section discusses how certificate templates can be used to customize and deploy certificates. Certificate templates are used to reduce the administrative complexity of requesting and issuing certificates. There are two versions of certificate templates. Version 1 templates are fixed templates and version 2 templates can be customized. You can copy a version 1 template to create a version 2 template with similar settings that can be customized. Users and computers must have appropriate permissions to the certificate template in order to request a certificate of that type.

Students will learn how to:
- Create new certificate templates by duplicating existing templates.
- Modify certificate template permissions.
- Manage certificate templates deployed on a CA.

Windows Server 2003 Objectives
404. Install, manage, and configure Certificate Services.

- What administrative advantages are provided by certificate templates?
- Which certificate template would you prepare if you wanted to validate a software product from your company?
- What is the difference between version 1 and version 2 templates?
- Why can only Enterprise CAs use certificate templates?
- Which smartcard certificate template should you prepare if users want to encrypt e-mail?

Video/Demo
3.4.1 Certificate Templates 2:31
3.4.2 Managing Certificate Templates 10:35
Total 13:06

Lab/Activity
- Modify Issued Certificate Templates
- Modify a Certificate Template

Number of Exam Questions: 1 question

About 30 minutes

Section 3.5: Certificate Autoenrollment

In this section students will learn how certificates can be managed without user intervention by using autoenrollment. They will learn the minimum requirements to set up autoenrollment and steps to configure it.

Students will learn how to:
- Modify certificate template permissions and Group Policy settings to enable certificate autoenrollment.

Windows Server 2003 Objectives
404. Install, manage, and configure Certificate Services.

- What permissions must users have for autoenrollment?
- If you want to use autoenrollment, what certificate template version are you required to use? How does this affect your CA requirements?
- You have modified a version 2 certificate template, configured it for autoenrollment, and published it to the CA. Users still cannot autoenroll. Why?
- How does autoenrollment affect certificate renewal?
- When does autoenrollment attempt to renew certificates?
- If you modify a certificate, how can you deploy it to users prior to the renewal period?

Video/Demo
3.5.1 Certificate Autoenrollment 3:05
3.5.2 Configuring Autoenrollment 7:21
Total 10:26

Lab/Activity
- Enable Autoenrollment

Number of Exam Questions: 4 questions

About 20 minutes

Section 3.6: Certificate Management

This section discusses certificate management, which includes approving or denying certificate requests, revoking or unrevoking certificates, and publishing certificate revocation lists (CRLs). Five different methods for requesting certificates are described.

Students will learn how to:
- Approve, request, revoke, and unrevoke certificates.
- Configure CRL and delta CRL publication.
- Publish CRLs.

Windows Server 2003 Objectives
404. Install, manage, and configure Certificate Services.

- Which switch must you use to request a certificate using Certreq?
- Why is Web-based enrollment easier than using the Certificates snap-in?
- When should you revoke a certificate?
- What is the location from which a CA derives CRL information?
- What is the difference between a delta CRL and a CRL?

Video/Demo
3.6.1 Certificate Management 1:42
3.6.2 Requesting a Certificate 5:55
3.6.3 Managing Certificates 6:12
Total 13:49

Lab/Activity
- Manage Certificate Revocation

Number of Exam Questions: 12 questions

About 35 minutes

Section 3.7: CA Management

This section covers the tasks to manage CAs. The permissions to manage a CA and its configuration are discussed. Management tasks can be performed through the Certification Authority snap-in or the Certutil.exe command-line utility.

Students will learn how to:
- Modify CA properties.
- Perform a manual backup of a CA.

Windows Server 2003 Objectives
404. Install, manage, and configure Certificate Services.

- To delegate certificate approval to your assistant, what permissions do you need to give her?
- What permissions must your users have to request certificates?
- Why can't you implement key archival in a mixed mode environment?
- What must you restore after your CA server fails in order to get Certificate Services running on a new machine?
- You want to accept all certificates from a CA called CERT1. What kind of constraint can you use?
- What can you do to make sure two separate root CAs that need to trust each other's certificates achieve that trust?

Video/Demo
3.7.1 Managing CAs 3:50
3.7.4 Qualified subordination 4:56
Total 8:46

Lab/Activity
- Back Up a CA

Number of Exam Questions: 5 questions

About 25 minutes

Section 4.1: Authentication and Authorization Concepts

Familiarize yourself with the concepts of authorization and authentication. Authentication determines that you are who you say you are and not a malicious user. Three authentication methods are discussed: what you know, what you have, and who you are. After authentication is determined, authorization determines what you will be able to access and the level of access.

Students will learn how to:
- View access token information.

- What is the relationship between authorization and authentication?
- How can you secure your network against malicious impersonation?
- What does a number that begins with S-1-5-21 identify?
- What does an access token contain?
- If you allow users to access only the applications they need to do their jobs, what kind of access are you allowing?

Video/Demo
4.1.1 Authentication Concepts 2:15
4.1.2 Authorization Concepts 6:17
4.1.3 Access Tokens 3:34
Total 12:06

About 10 minutes

Section 4.2: Authentication

This section discusses the two authentication mechanisms (Kerberos and NTLM) for logging on to the server or domain and when to use them. Delegated authentication allows a network service to assume the identity of a user and initiate requests to other services on behalf of the user.

Students will learn how to:
- Configure NTLM authentication using Group Policy.
- Manage delegated authentication for users and computers.

Windows Server 2003 Objectives
401. Plan and configure authentication.

- What advantages does Kerberos have over NTLM?
- With Kerberos, what is the function of a ticket?
- When is it appropriate to use NTLM v2 rather than Kerberos?
- Which policy setting would you use to disable ticket expiration?
- What is the best method for enforcing Kerberos policy settings?
- When would you use certificates rather than Kerberos?
- Which policy should you configure to prevent a user from using delegated authentication?
- What types of computers should not be trusted for delegated authentication?

Video/Demo
4.2.1 Authentication Protocols 1:49
4.2.3 Configuring LM Levels 3:17
4.2.5 Using Delegated Authentication 4:18
Total 9:24

Lab/Activity
- Enforce NTLM v2
- Enable Delegated Authentication

Number of Exam Questions: 7 questions

About 30 minutes

Section 4.3: Smart Cards

In this section students will learn how smart cards are used to provide secure, multi-factor authentication. Also discussed are certificate template types used for smart card administration.

Students will learn how to:
- Configure certificate templates for smart card authentication and autoenrollment.
- Use Group Policy to enforce smart card authentication policies.

Windows Server 2003 Objectives
401. Plan and configure authentication.

- Why is an enrollment agent important for smart card use?
- What setting can you configure to prevent users from leaving machines running after they log on with their smart cards?
- What hardware requirements do smart cards have?
- Which certificate templates should you modify to implement smart card authentication?

Lab/Activity
- Create a Certificate for Smart Cards
- Require Smart Cards for Logon

Number of Exam Questions: 5 questions

About 15 minutes

Section 4.4: Groups

This section reviews implementing groups to reduce administrative overhead and to increase security by controlling access to resources. Three types of group scopes are discussed with their membership and use. Recommended strategies for managing users, groups, and permissions are also included.

Students will learn how to:
- Manage group strategy by organizing groups according to user roles.
- Control local group membership using restricted groups in Group Policy.

Windows Server 2003 Objectives
102. Configure security templates.
402. Plan group structure.

- What is the difference between a global group and a universal group?
- When is it appropriate to use universal groups?
- Where should you assign permissions to access resources when using UGLR or (J)UGULR?
- What is the difference between security and distribution groups?

Video/Demo
4.4.1 Group Review 13:41
4.4.2 Configuring Groups 5:42
4.4.3 Group Strategy Examples 10:53
Total 30:16

Lab/Activity
- Implement a Group Strategy 1
- Implement a Group Strategy 1
- Configure Restricted Groups

Number of Exam Questions: 12 questions

About 60 minutes

Section 4.5: Folder and File Access

This section discusses using File System policies in Group Policy to control NTFS permissions on folders or files that exist on multiple computers. Also discussed is how the Encrypting File System (EFS) is used to protect data on files and folders stored on NTFS partitions.

Students will learn how to:
- Manage file system access using file restrictions in Group Policy.
- Implement DRAs for EFS.

Windows Server 2003 Objectives
102. Configure security templates.
403. Plan and configure authorization.

- How does inheritance affect permission assignments?
- Which account is the default EFS recovery agent?
- What is the biggest difference between EFS in Windows 2000 and Windows 2003?
- What can you do to open an EFS encrypted file if the owner is not available?

Video/Demo
4.5.2 Configuring File System Policies 7:59
4.5.4 EFS 6:57
4.5.5 Using EFS 11:37
4.5.6 Configuring EFS DRAs 7:54
Total 34:27

Lab/Activity
- Restrict a Folder
- Modify the DRA Certificate Template
- Add OU DRAs

Number of Exam Questions: 5 questions

About 60 minutes

Section 4.6: Trusts

In this section students will learn about using a trust relationship to enable members in one domain to access resources in another domain.

Students will learn how to:
- Create trust relationships between domains and between forests.

Windows Server 2003 Objectives
401. Plan and configure authentication.

- What is the relationship between the direction of trust and the direction of access?
- If you have users in three domains that need access to resources in each domain, which kind of a trust do you need to establish?
- When should you use a shortcut trust?
- What is the difference between the creation of tree root trusts and forest root trusts?
- Which authentication method allows you to secure resources in a forest trust?

Video/Demo
4.6.1 Trusts 14:36
4.6.2 Trust Authentication 4:09
4.6.3 Creating a Forest Trust 13:04
Total 31:49

Lab/Activity
- Create an External Trust
- Create a Forest Root Trust
- Create a Shortcut Trust

Number of Exam Questions: 6 questions

About 60 minutes

Section 4.7: Digital Signatures

This section presents how digital signatures are used to provide integrity and nonrepudiation of data.

Windows Server 2003 Objectives
403. Plan and configure authorization.

- How can a digital signature confirm the origin of a message?
- How can a digital signature help you feel confident that the message wasn't altered?

Video/Demo
4.7.1 Digital Signatures 4:05
4.7.2 Using Digital Signatures 5:09
Total 9:14

About 10 minutes

Section 5.1: IPSec Policies

This section discusses using Internet Protocol Security (IPSec) policies to control IPSec. The characteristics of Windows default IPSec policies are described. IPSec policies use rules to define the type of traffic secured with IPSec. Settings that can be configured for a rule are presented.

Students will learn how to:
- Assign IPSec policies using Group Policy.
- Create and modify IPSec policies.

Windows Server 2003 Objectives
301. Plan IPSec deployment.
302. Configure IPSec policies to secure communication between networks and hosts. Hosts include domain controllers, Internet Web servers, databases, e-mail servers, and client computers.
303. Deploy and manage IPSec policies.

- What happens if a client configured to use IPSec contacts a server that is not configured to use IPSec?
- What happens if a server configured to request IPSec is contacted by a client that does not use IPSec?
- Where do you configure IPSec to apply only to remote access connections?
- How does tunnel mode affect the need for a client to be able to use IPSec?

Video/Demo
5.1.1 Default IPSec Policies 4:52
5.1.2 IPSec Policy Settings 11:18
5.1.3 Configuring IPSec Policies 12:41
Total 28:51

Lab/Activity
- Enforce IPSec
- Create an IPSec Certificate Template

Number of Exam Questions: 23 questions

About 70 minutes

Section 5.2: IPSec Troubleshooting

In this section students learn how to resolve IPSec problems using troubleshooting tools. Students will need to understand how the three modes of the IPSec driver affect the way IPSec policies are applied.

Students will learn how to:
- Analyze IPSec traffic using IPSec Monitor.
- Resolve IPSec problems using troubleshooting tools.

Windows Server 2003 Objectives
301. Plan IPSec deployment.
304. Troubleshoot IPSec.

- Which IPSec logging level records outbound per-packet drop events?
- Where do you go to view IPSec logging events?
- Where do you enable Oakley logging?
- What is the difference between Main Mode and Quick Mode?

Video/Demo
5.2.1 IPSec Troubleshooting 0:52
5.2.2 Troubleshooting IPSec Policies 11:40
Total 12:32

Number of Exam Questions: 12 questions

About 30 minutes

Section 6.1: Dialup and VPN

This section discusses two ways to connect to a Remote Access Server (RAS): Dialup and VPN. Dialup uses SLIP and PPP connection protocols. VPN uses a VPN tunneling protocol to protect data as it travels through an unprotected network. Also discussed are authentication protocols used to ensure that remote users have the necessary credentials for remote access.

Students will learn how to:
- Configure remote access and VPN ports.
- Configure the remote access authentication and VPN protocol for a given scenario.

Windows Server 2003 Objectives
307. Configure security for remote access users.

- Which protocol should you choose to authenticate Windows XP machines to your new wireless network?
- If you have a system that includes non-Microsoft machines along with Windows 9x and Windows 2000 machines, which authentication protocol should you use?
- How does a service profile facilitate network connections?
- What does a service profile contain?

Video/Demo
6.1.1 Dialup and VPN 5:35
6.1.2 Remote Access Authentication 4:35
6.1.3 Configuring Remote Access Authentication 6:22
Total 16:32

Lab/Activity
- Configure VPN Ports

Number of Exam Questions: 9 questions

About 40 minutes

Section 6.2: Remote Access Policies

In this section students will learn how authorization is handled through remote access policies.

Students will learn how to:
- Apply the principles of RAPCAP to create remote access connections for specific users with specific needs.
- Analyze remote access connection policies to isolate and fix connection problems or irregularities.

Windows Server 2003 Objectives
307. Configure security for remote access users.

- Where are Remote Access Policies stored?
- What is the difference between conditions and profile settings in a remote access policy?
- If you have conditions that allow all users access during business hours and conditions that allow all sales users access any time, why should you put the sales conditions first?

Video/Demo
6.2.1 Remote Access Authorization 7:20
6.2.2 Configuring Remote Access Policies 11:59
Total 19:19

Lab/Activity
- Create a Remote Access Policy 1
- Create a Remote Access Policy 2
- Troubleshoot Remote Access Policies 1
- Troubleshoot Remote Access Policies 2
- Troubleshoot Remote Access Policies 3

Number of Exam Questions: 5 questions

About 55 minutes

Section 6.3: RADIUS

This section covers using a Remote Authentication Dial-In User Service (RADIUS) server to consolidate remote access policies. Policies stored on the RADIUS server can then be applied to multiple remote access servers.

Students will learn how to:
- Configure RADIUS clients in IAS.
- Configure remote access policies on an IAS server.
- Configure a remote access server as a RADIUS client for authentication and accounting.

Windows Server 2003 Objectives
307. Configure security for remote access users.

- How can you centralize remote access policies?
- What is the relationship between the remote access server and the RADIUS server?
- What is the relationship between RADIUS and IAS?
- How does a RADIUS client authenticate to a RADIUS server?
- What is the difference between a remote access client and a RADIUS client?

Video/Demo
6.3.1 RADIUS Concepts 5:45
6.3.2 Configuring RADIUS 6:27
Total 12:12

Lab/Activity
- Configure a RADIUS Server
- Configure a RADIUS Client

Number of Exam Questions: 4 questions

About 30 minutes

Section 7.1: IIS Security

This section discusses the five security checks that any attempt to reach a Web page must pass. Also discussed are authentication methods available with IIS and IIS permissions you can set for Web sites or Web folders.

Students will learn how to:
- Configure Web site, virtual directory, or file authentication.
- Secure Web resources using Web and NTFS permissions.

Windows Server 2003 Objectives
401. Plan and configure authentication.

- What are the features of Basic Authentication?
- What is the disadvantage of Integrated Windows Authentication?
- If you grant the NTFS Full Control permission to a folder and the IIS Read and Write permissions to the same folder for the same group, what is the group's effective set of permissions?

Video/Demo
7.1.1 IIS Security 5:29
7.1.2 Configuring IIS Security 10:45
Total 16:14

Lab/Activity
- Configure Web Site Authentication
- Configure Virtual Directory Permissions

Number of Exam Questions: 2 questions

About 35 minutes

Section 7.2: SSL

In this section students will learn how to use SSL to provide secure transmissions of data. Three different methods of certificate mapping are presented: One-to-one, Many-to-one, and Directory Service.

Students will learn how to:
- Request a Web server certificate.
- Require SSL for a Web site or virtual directory.
- Configure certificate mapping.

Windows Server 2003 Objectives
306. Deploy, manage, and configure SSL certificates, including uses for HTTPS, LDAPS, and wireless networks. Considerations include renewing certificates and obtaining self-issued certificates instead of publicly issued certificates.
401. Plan and configure authentication.

- What is the difference between 1-to-1 mapping and many-to-1 mapping?
- You configured the server to accept client certificates. Your clients still cannot authenticate. What can you do to fix the problem?
- What type of mapping can you use to allow Active Directory to store the certificates?
- You've been told to allow clients who have certificates from three trusted CAs to authenticate to the system. What can you do to ease your administrative burden?
- How can you add security to basic authentication?

Video/Demo
7.2.1 SSL and Certificate Mapping 5:59
7.2.2 Enabling SSL in IIS 7:57
Total 13:56

Lab/Activity Enable SSL Configure Client Mapping Number of Exam Questions 2 questions About 30 minutes 47
Section 8.1: Software Restrictions

This section discusses how software restrictions are used to control which software is allowed for computers and users.

Students will learn how to:
Create and configure software restrictions in Group Policy.
Configure software restrictions using path and certificate rules.
Manage software restriction settings such as defining new software types and modifying certificate validation settings.
Enable certificate verification in Group Policy.

Windows Server 2003 Objectives
105. Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.

Several users on your network downloaded a music sharing application to their local machines. You want to restrict the software. Which rule type should you use if users store the application in different locations?
After you configure a certificate rule, what else must you do to make the rule take effect?
What is the advantage to applying software restrictions through their own GPOs?
Which option do you use to verify that a publisher's certificate has not expired?
What type of software is controlled through Internet zone rule restrictions?

Video/Demo
8.1.1 Software Restrictions 4:49
8.1.2 Configuring Software Restrictions 4:26
Total 9:15

Lab/Activity
Restrict Running Scripts
Control User Applications
Allow Signed Software

Number of Exam Questions
3 questions

About 30 minutes
Section 8.2: Software Update Services

This section discusses using Software Update Services (SUS) to configure where updates are stored, who approves updates, and how to distribute load.

Students will learn how to:
Install, configure, and deploy a SUS solution.
Manage SUS settings for servers and workstations using Group Policy.

Windows Server 2003 Objectives
201. Plan the deployment of service packs and hotfixes.
203. Deploy service packs and hotfixes.

Why would you choose to have clients download updates locally rather than from Microsoft?
If your large organization's security policy requires client computers to have the same configuration, which SUS configuration should you deploy?
If your users continually ignore your directive to leave their machines on at night when updates download and install, what can you do to make sure their machines still receive updates?
Which policy allows you to send different sets of updates to different sets of users?

Video/Demo
8.2.1 SUS Concepts 6:55
8.2.3 Installing SUS 4:55
8.2.4 Synchronizing SUS 1:52
8.2.5 Configuring Automatic Updates 9:50
Total 23:32

Lab/Activity
Enforce SUS

Number of Exam Questions
4 questions

About 40 minutes
Section 8.3: Software Deployment

This section presents several methods for deploying service packs: Update.exe, slipstreaming, Group Policy, SUS, WSUS, and SMS. Four types of file extensions used with installer packages are discussed so that students understand the purpose of each type. Also discussed is how Group Policy can be used to either assign or publish software. Assigning software installs it automatically. Publishing software makes it available for installation by adding it to Add/Remove Programs.

Students will learn how to:
Use Group Policy to distribute software.

Windows Server 2003 Objectives
201. Plan the deployment of service packs and hotfixes.
203. Deploy service packs and hotfixes.

Why would you install a non-critical, recommended update?
What's the difference between a service pack and a security rollup package?
Why might you decide not to install a critical update?
What's the difference between a recommended update and a feature pack?
Where would you find the Knowledge Base article number for an update you recently installed?
What is the difference between assigning and publishing software?

Video/Demo
8.3.1 Operating System Updates 2:59

Lab/Activity
Distribute a Patch
Distribute Antivirus Software

Number of Exam Questions
8 questions

About 40 minutes
Section 9.1: Wireless Security

This section introduces the basics of wireless security, including network types, methods of authentication, and methods of encryption.

Students will learn how to:
Create users and groups for 802.1x authentication.
Create certificates that allow autoenrollment for 802.1x authentication.
Use Group Policy to secure the 802.1x policy and enable autoenrollment.
Configure RADIUS to support 802.1x authentication.

Windows Server 2003 Objectives
305. Plan and implement security for wireless networks.

How do WEP and WPA differ?
If you have 5 clients (4 Windows XP, 1 Windows Me), which encryption solution should you choose?
In 802.1x authentication, what is the RADIUS client?
Why would you choose PEAP-EAP-TLS over EAP-TLS?

Video/Demo
9.1.1 Wireless Concepts 2:05
9.1.2 802.1x Authentication 6:34
9.1.4 Configuring Users and Groups 3:26
9.1.5 Configuring Autoenrollment 5:06
9.1.6 Configuring the IAS (RADIUS) Server 5:21
9.1.7 Configuring the WAP 2:10
9.1.8 Configuring a Wireless GPO 3:55
9.1.9 Connecting to the Network 2:57
Total 31:34

Lab/Activity
Create a Wireless Certificate Template
Configure Wireless Access on the IAS Server
Create a Wireless Network Policy

Number of Exam Questions
13 questions

About 70 minutes
Section 9.2: Network Zones

This section discusses demilitarized zones (DMZs) and Network Address Translation (NAT). A DMZ is used to protect publicly accessible resources and help isolate resources from the internal network. NAT is used to connect a private network to the Internet without obtaining a registered address for every host.

Windows Server 2003 Objectives
105. Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.

Where should a Web server be placed when using a DMZ?
Where would you place a database server to allow customers to look up product information?
How does NAT provide security for networks?
Why are VPNs sometimes incompatible with NAT?

Video/Demo
9.2.1 Demilitarized Zones (DMZs) 4:42
9.2.3 Network Address Translation (NAT) 4:30
Total 9:12

Number of Exam Questions
2 questions

About 15 minutes
Section 9.3: Server Hardening

This section covers general rules for securing devices and software by reducing security exposure and tightening security controls.

Students will learn how to:
Use System Services in Group Policy to prevent unnecessary services from running.

Windows Server 2003 Objectives
105. Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.

What can you do to secure the FTP service?
What can you use to track DHCP traffic?
How are security considerations different for DHCP and DNS servers?
What security advantage does network access quarantine provide?
What security vulnerability does the SA account pose?
Which service permission would you grant to allow a user to modify the startup behavior of a service?

Video/Demo
9.3.1 Server Hardening 7:14

Lab/Activity
Restrict Services

Number of Exam Questions
1 question

About 15 minutes
Section 10.1: Auditing

This section discusses the concept of auditing as an element of administration. Auditing allows the administrator to monitor access or attempted access of resources.

Students will learn how to:
Configure auditing for network security and specific objects and actions.
Audit Certificate Authority processes.

Windows Server 2003 Objectives
102. Configure security templates.
105. Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.

What is the difference between auditing for success and auditing for failure?
What is the difference between Account Logon and Logon auditing?
What additional step must you complete in order to audit NTFS file access?
Which IIS log file type allows you to customize the log file contents?
What are the advantages for using an ODBC format for IIS logging?

Video/Demo
10.1.1 Auditing 6:50
10.1.2 Configuring Auditing 12:57
Total 19:47

Lab/Activity
Configure Auditing
Audit the Certificate Authority

Number of Exam Questions
3 questions

About 40 minutes
Section 10.2: Auditing Security Configurations

This section discusses several of the tools available to analyze security vulnerabilities on the network. Tools include patch level assessment tools and security auditing tools.

Students will learn how to:
Analyze a computer's security compliance with your security policy using MBSA and Security Configuration and Analysis.
Verify that computers have the necessary patches and hotfixes installed.
Use RSoP to troubleshoot effective security settings.

Windows Server 2003 Objectives
104. Troubleshoot security template problems.
105. Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.
202. Assess the current status of service packs and hotfixes. Tools include MBSA and the MBSA command-line tool.

What is the difference between MBSA 1.2.1 and MBSA 2.0?
When using MBSA, where can you find the results of a scan you do locally?
How can you find out if your users are creating strong passwords?
What can Regedit tell you about Group Policy?
What does RSoP tell you that you can't otherwise learn by using Security Configuration and Analysis to compare a computer to a template?

Video/Demo
10.2.1 Using MBSA 13:25
10.2.3 Patch Levels 3:33
10.2.4 Assessing Patch Levels 9:33
10.2.6 Analyzing Security Settings 7:22
10.2.8 Resultant Set of Policy (RSoP) 2:26
Total 36:19

Number of Exam Questions
10 questions

About 55 minutes
Practice Exams

This section provides information to help students prepare and register for the exam. Students will also have the opportunity to test their mastery of the concepts presented in this course and confirm that they are ready for the certification exam. For example, all questions that apply to Objective 100. Security Policies are grouped together and presented in practice exam 100. Security Policies, All Questions. Students will typically take about 30-90 minutes to complete each of the following practice exams.

100. Security Policies, All Questions (45 questions)
200. Patch Management, All Questions (15 questions)
300. Network Communications, All Questions (75 questions)
400. Authentication, Authorization, and PKI, All Questions (54 questions)

The Certification Practice Exam consists of 35 questions that are randomly selected from the above practice exams. Each time the Certification Practice Exam is accessed, different questions may be presented. The Certification Practice Exam has a time limit of 90 minutes, just like the real certification exam. A passing score of 95% should verify that the student has mastered the concepts and is ready to take the real certification exam.
Appendix A: Approximate Time for the Course

The total time for the LabSim for Microsoft's Administering Security in a Server 2003 Network Exam 70-299 course is approximately 23 hours and 54 minutes. The time is calculated by adding the approximate time for each section, which is calculated using the following elements:

Video/demo times
Approximate time to read the text lesson (the length of each text lesson is taken into consideration)
Simulations (5 minutes assigned per simulation)
Questions (1 minute per question)

Module / Sections                                               Minutes   HR:MM

1.0 Security Overview                                                75    1:15
    1.1 Course Introduction                                           5
    1.2 Active Directory                                             35
    1.3 Group Policy                                                 35

2.0 Security Templates                                               95    1:35
    2.1 Roles and Templates                                          45
    2.2 Security Settings                                            40
    2.3 Account Policies                                             10

3.0 Certificates                                                    200    3:20
    3.1 Encryption                                                   20
    3.2 Certificate Concepts                                         30
    3.3 CA Installation                                              40
    3.4 Certificate Templates                                        30
    3.5 Certificate Autoenrollment                                   20
    3.6 Certificate Management                                       35
    3.7 CA Management                                                25

4.0 Authentication and Authorization                                245    4:05
    4.1 Authentication and Authorization Concepts                    10
    4.2 Authentication                                               30
    4.3 Smart Cards                                                  15
    4.4 Groups                                                       60
    4.5 Folder and File Access                                       60
    4.6 Trusts                                                       60
    4.7 Digital Signatures                                           10

5.0 IPSec                                                           100    1:40
    5.1 Backup and Restore                                           70
    5.2 System Recovery                                              30

6.0 Remote Access                                                   125    2:05
    6.1 Dialup and VPN                                               40
    6.2 Remote Access Policies                                       55
    6.3 RADIUS                                                       30

7.0 IIS Security                                                     65    1:05
    7.1 IIS Security                                                 35
    7.2 SSL                                                          30

8.0 Software Management                                             110    1:50
    8.1 Software Restrictions                                        30
    8.2 Software Update Services                                     40
    8.3 Software Deployment                                          40

9.0 Network Infrastructure Security                                 100    1:40
    9.1 Wireless Security                                            70
    9.2 Network Zones                                                15
    9.3 Server Hardening                                             15

10.0 Security Auditing                                               95    1:35
    10.1 Auditing                                                    40
    10.2 Auditing Security Configurations                            55

Practice Exams                                                      224    3:44
    100: Security Policies (45 questions)                            45
    200: Patch Management (15 questions)                             15
    300: Network Communications (75 questions)                       75
    400: Authentication, Authorization, and PKI (54 questions)       54
    Certification Practice Exam (35 questions)                       35

Total                                                              1434   23:54