MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)

2017-07-07 02:10:07

< Day Day Up >

If you want to acquire a solid foundation in designing security for a Windows Server 2003 network environment and your goal is to prepare for the exam by learning how to design a secure solution for a client using the new operating system, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp and plenty of help to achieve the high level of professional competency you need to succeed in your chosen field.

If you want to become certified as an MCSE, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding how Windows Server 2003 security works, this Study Guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of Windows Server 2003 security design.

What’s in the Book?

What makes a Sybex Study Guide the book of choice for over 100,000 MCPs? We took into account not only what you need to know to pass the exam, but what you need to know to take what you’ve learned and apply it in the real world. Each book contains the following:

Objective-by-objective coverage of the topics you need to know Each chapter lists the objectives covered in that chapter.

Note
The topics covered in this Study Guide map directly to Microsoft’s official exam objectives. Each exam objective is covered completely.

Assessment Test Directly following this introduction is an Assessment Test that you should take. It is designed to help you determine how much you already know about designing security for Windows Server 2003. Each question is tied to a topic discussed in the book. Using the results of the Assessment Test, you can figure out the areas where you need to focus your study. Of course, we do recommend you read the entire book.

Exam Essentials To highlight what you learn, you’ll find a list of Exam Essentials at the end of each chapter. The Exam Essentials section briefly highlights the topics that need your particular attention as you prepare for the exam.

Key Terms and Glossary Throughout each chapter, you will be introduced to important terms and concepts that you will need to know for the exam. These terms appear in italic within the chapters, and a list of the Key Terms appears just after the Exam Essentials. At the end of the book, a detailed Glossary gives definitions for these terms, as well as other general terms you should know.

Review Questions, complete with detailed explanations Each chapter is followed by a set of Review Questions that test what you learned in the chapter. The questions are written with the exam in mind, which means that they will cover the important topics with regard to the exam.

Case Study Questions, complete with detailed explanations Each chapter also includes a Case Study that is similar in look and feel to the types of questions you will encounter on the design exams. The Case Study in each chapter is designed to test your knowledge of the topics covered in the chapter. Question types are the same as question types in the exam, including multiple choice, exhibits, and select-and-place.

Design Scenarios Throughout the chapter, you will find scenario-based exercises that are designed to help you think about how you will use the information presented in the chapter in the context of a scenario. They present a Case Study and a few questions that help you think about how you will use the information in the chapter in designing a solution with the Microsoft products.

Real World Scenarios Because reading a book isn’t enough for you to learn how to apply these topics in your everyday duties, we have provided Real World Scenarios in special sidebars. These explain when and why a particular solution would make sense, in a working environment you’d actually encounter.

Interactive CD Every Sybex Study Guide comes with a CD complete with additional questions, flashcards for use with an interactive device, and the book in electronic format. Details are in the following section.

What’s on the CD?

With this new member of our best-selling MCSE Study Guide series, we are including quite an array of training resources. The CD offers bonus exams and flashcards to help you study for the exam. We have also included the complete contents of the Study Guide in electronic form. The CD’s resources are described here:

The Sybex E-book for Windows Server 2003 Network Security Design Many people like the convenience of being able to carry their whole Study Guide on a CD. They also like being able to search the text via computer to find specific information quickly and easily. For these reasons, the entire contents of this Study Guide are supplied on the CD, in PDF. We’ve also included Adobe Acrobat Reader, which provides the interface for the PDF contents as well as the search capabilities.

The Sybex Test Engine This is a collection of questions that will help you prepare for your exam. The test engine features:

Eight Bonus Case Studies designed to simulate the actual live exam. Each Bonus Case Study contains a scenario with 10 questions tied to each Case Study.

All the Review and Case Study questions from the Study Guide, presented in a test engine for your review.

The Assessment Test.

Here are two sample screens from the Sybex Test Engine:

On the actual Microsoft exam, you will likely be presented with a total of four Case Studies, each with a varying number of questions that correspond to that Case Study. Your grade will be cumulative of all four Case Studies.

Sybex MCSE Flashcards for PCs and Handheld Devices The “flashcard” style of question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the exam. The Sybex Flashcards set consists of more than 100 questions presented in a special engine developed specifically for this Study Guide series. Here’s what the Sybex Flashcards interface looks like:

Because of the high demand for a product that will run on handheld devices, we have also developed a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).

How Do You Use This Book?

This book provides a solid foundation for the serious effort of preparing for the exam. To best benefit from this book, you may wish to use the following study method:

Take the Assessment Test to identify your weak areas.

Study each chapter carefully. Do your best to fully understand the information.

Read over the Design Scenarios and Real World Scenarios to improve your understanding of how to use what you learn in the book.

Study the Exam Essentials and Key Terms to make sure you are familiar with the areas you need to focus on.

Answer the Review and Case Studies at the end of each chapter. If you prefer to answer the questions in a timed and graded format, install the Sybex Test Engine from the book’s CD and answer the questions there instead of in the book.

Take note of the questions you did not understand, and study the corresponding sections of the book again.

Go back over the Exam Essentials and Key Terms.

Go through the Study Guide’s other training resources, which are included on the book’s CD. These include electronic flashcards, the electronic version of the Review and Case Study questions, and the eight Bonus Case Studies.

To learn all the material covered in this book, you will need to study regularly and with discipline. Try to set aside the same time every day to study, and select a comfortable and quiet place in which to do it. If you work hard, you will be surprised at how quickly you learn this material. Good luck!

Hardware and Software Requirements

Most of the exercises in this book are scenario based, which means you will think about the results rather than actually perform steps using the software. Where we felt it would be appropriate to show you how a technology is implemented to clarify its use, we included some hands-on exercises. You will be able to work through the hands-on exercises in this book by using a server with Windows Server 2003 installed as a domain controller. If you desire to gain more experience with the products, then you will need to set up at two computers, one running Windows Server 2003 and one running Windows XP. This will allow you to use various management tools and services to manage security on the network.

You should verify that your computer meets the minimum requirements for installing Windows Server 2003. We suggest that your computer meet or exceed the recommended requirements for a more enjoyable experience.

Contacts and Resources

To find out more about Microsoft Education and Certification materials and programs, to register with Prometric or VUE, or to obtain other useful certification information and additional study resources, check the following resources:

Microsoft Training and Certification Home Page

www.microsoft.com/traincert

This website provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification.

Microsoft TechNet Technical Information Network

www.microsoft.com/technet

800-344-2121

Use this website or phone number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information.

Prometric

www.prometric.com

800-755-3936

Contact Prometric to register to take an MCP exam at any of more than 800 Prometric Testing Centers around the world.

Virtual University Enterprises (VUE)

www.vue.com

888-837-8616

Contact the VUE registration center to register to take an MCP exam at one of the VUE Testing Centers.

MCP Magazine Online

www.mcpmag.com

Microsoft Certified Professional Magazine is a well-respected publication that focuses on Windows certification. This site hosts chats and discussion forums and tracks news related to the MCSE program. Some of the services cost a fee, but they are well worth it.

Windows & .NET Magazine

www.windows2000mag.com

You can subscribe to this magazine or read free articles at the website. The study resource provides general information on Windows Server 2003, Windows XP, and Windows 2000 Server.

Cramsession on Brainbuzz.com

cramsession.brainbuzz.com

Cramsession is an online community focusing on all IT certification programs. In addition to discussion boards and job locators, you can download one of several free cram sessions, which are nice supplements to any study approach you take.

Assessment Test

1.	The process of analyzing an organization’s assets and determining what needs to be protected versus the cost of protecting the asset and the likelihood that it will be attacked is known as what? Security threat analysis Security cost analysis Security risk analysis Secure asset analysis
2.	Which of the following is a document that explains what assets your organization needs to secure, how to secure them, and what to do if the security is compromised? Security brief Security documentation Security policy Security manual
3.	Threats to the security of a network only come from external attackers. True False
4.	In order to create a protected network segment, you could include which of the following firewall configurations in your network design? (Choose all that apply.) Back-to-back configuration Firewire configuration Bastion host configuration Switch configuration Three-pronged configuration
5.	What is the purpose of the IP Security (IPSec) protocol with regard to security? (Choose all that apply.) It provides encryption of IP packets. It provides verification that the packets have not been changed in transit. It provides translation of packets through a firewall. It provides filtering of packets at the firewall.
6.	What are the main vulnerabilities to data transmitted across the network? (Choose all that apply.) Network monitoring Identity spoofing Data modification (man-in-the-middle attack) Denial of service
7.	What two techniques are used to determine if an account is allowed to access a resource? (Choose all that apply.) Authorization Replication Encryption Authentication
8.	A Windows Server 2003 domain cannot trust a Windows NT 4 domain. True False
9.	Which of the following class of user account pose the greatest threat to security? Normal user Power user Administrative user Temporary user
10.	Trusts between domains within a single tree are transitive. True False
11.	What feature does Active Directory enable that allows you to give users only the permissions that they require for a specific task? Encryption Impersonation Delegation Authorization
12.	The Encrypting File System makes sure that data is encrypted when it is passed over a network. True False
13.	What does the acronym PKI stand for? Public knowledge infrastructure Private key infrastructure Public key infrastructure Public key institution
14.	What document is used to verify the identity of a machine or user? Signature Digital certificate Encryption Password
15.	Which of the following is a method of authentication in Internet Information Server 6? Pluggable Authentication Module (PAM) Microsoft Passport .NET Extensible Authentication Protocol (EAP) MS-CHAPv2
16.	What methods can be used update content on an IIS Server? (Choose all that apply.) WebDAV FTP FrontPage Server Extensions File shares
17.	The Security Configuration And Analysis MMC snap-in is used to create and modify security templates. True False
18.	Which of the following methods is the most appropriate to deploy security settings to a group of computers? Security Configuration And Analysis MMC snap-in Group Policy Local Policy MMC snap-in secutil.exe
19.	What server role would be a candidate for the predefined hisecws.inf security template? (Choose all that apply.) Domain controller Database server Mail server Web server Global Catalog server
20.	What technologies supported by Windows Server 2003 can be used to apply patches to a computer? (Choose all that apply.) Microsoft Windows Update website Software Update Services (SUS) Systems Management Server 2003 Group Policy
21.	In order to analyze the security patches that have been applied to a computer, you could use the Microsoft Baseline Security Analyzer (MBSA) utility. True False
22.	What technology could you use so that employees can run only approved applications? Microsoft Baseline Security Analyzer (MBSA) Security Configuration And Analysis MMC snap-in Software restriction policy Software Update Services (SUS)
23.	What technology provides a graphical remote terminal and can be used to securely manage a remote server as if you were sitting at the console? Secure Shell Telnet Remote Desktop for Administration Remote Assistance
24.	What is the main security concern when using remote management tools to manage a server? Remote management tools allow data and passwords to pass unencrypted over the network. Remote management tools don’t work over slow network connections. Remote management tools don’t work through firewalls or secure routers. Remote management tools must use remote procedure calls.

Answers

1.	C. Security analysis is the first step in creating an effective security policy. First you determine the cost of the asset in business terms (actual loss, loss of productivity, competitive advantage) and then the risk (the likelihood that a threat would be carried out against the asset). For more information, see Chapter 1.
2.	C. This type of document is called a security policy. You would create a security policy after analyzing the risks to the assets on your network. It helps you make decisions about what type of security to implement by defining what an organization’s security goals are. For more information, see Chapter 1.
3.	B. Vulnerabilities are actually more likely to come from within your organization rather than from outside of it. See Chapter 2 for more information.
4.	A, C, E. Back-to-back configuration, three-pronged configuration, and bastion host are all ways to physically secure a network segment using one or more firewalls. Routers and switches do not typically provide this type of functionality. See Chapter 2 for more information.
5.	A, B. IPSec provides for the encryption of data and for verification that the packets have not been changed in transit. It does not have anything to do with moving packets through a firewall or filtering packets, although IPSec can be filtered and have translation issues on a firewall. See Chapter 3 for more information.
6.	A, B, C, D. All of the options are correct. If packets on a network are captured, their content could be revealed. Identity spoofing involves changing the source IP address, the From address on e-mail, or ICMP packets to fool the receiver. The modification of a packet in transit can make it hard to trust the information or can be used to fool servers into allowing access to privileged data. A denial of service attack involves sending a large volume of packets to a server or sending a special type of packet that will prevent legitimate users from accessing the resource. See Chapter 3 for more information.
7.	A, D. Authentication is determining the identity of the account, and authorization is then determining what that account is permitted to access. Replication and encryption do not provide this functionality. See Chapter 4 for more information.
8.	B. A trust relationship can be created between a Windows Server 2003 domain and a Windows NT 4 domain. See Chapter 4 for more information.
9.	C. An account with administrative permissions will pose the greatest threat because it has the least restrictions on it. See Chapter 4 for more information.
10.	A. Trusts between domains within a single tree are transitive. See Chapter 4 for more information.
11.	C. Delegation is a feature provided by Active Directory that allows you to give a user explicit control over explicit resources. See Chapter 5 for more information.
12.	B. The Encrypting File System keeps data encrypted on disk, not across the network. See Chapter 5 for more information.
13.	C. PKI stands for public key infrastructure, which is a means of authenticating users through public and private key combinations and digital certificates. See Chapter 6 for more information.
14.	B. You can use a digital certificate to validate a machine’s or user’s identity. It provides information about the machine or user and contains the signature of the root CA which you can trust or not. See Chapter 6 for more information.
15.	B. You can use Microsoft Passport .NET authentication to authenticate with users’ Passports, which allows them to have a single logon for the Internet sites that support Microsoft Passport. In addition to using Passport .NET authentication, you can use basic, integrated Windows (which supports NTLM and Kerberos authentication), digest, and forms-based authentication methods or using RADIUS. Extensible Authentication Protocol and MS-CHAPv2 are protocols used to authenticate a VPN or dial-up connection. PAM is a way of providing authentication on the Apache web server, a competitor to IIS. For more information, see Chapter 7.
16.	A, B, C, D. All of these methods are available to update an IIS server. The appropriate method that you will use will depend on your security needs and the ease-of-use requirements of your content providers. It can also vary depending on the environment of the server (production, staging, development) and the tools in use. For more information, see Chapter 7.
17.	B. The Security Settings MMC snap-in is used to create and modify security templates. The Security Configuration And Analysis MMC snap-in is used to analyze and apply templates. See Chapter 8 for more information.
18.	B. The best technique to apply security settings is by setting the security on a Group Policy object and linking it to a container. Once you link the template settings to a GPO, the security settings will be refreshed automatically with Group Policy. See Chapter 8 for more information.
19.	B, C, D. Domain controllers would use the hisecdc.inf security template instead of the hisecws.inf because it has built-in configuration settings for domain controllers. See Chapter 8 for more information.
20.	A, B, C, D. All of the listed technologies can be used to apply patches to a computer. See Chapter 9 for more information.
21.	A. The Microsoft Baseline Security Analyzer (MBSA) can be scheduled to audit several computers and report their security configuration as well as which critical patches have been applied. See Chapter 9 for more information.
22.	C. Software restriction policies allow administrators to explicitly allow or deny software the ability to execute. See Chapter 9 for more information.
23.	C. Remote Desktop for Administration is the most common mechanism used to manage Windows Server 2003. It provides secure mechanisms for authentication, and by default, 128-bit encryption is enabled for communications. For more information, see Chapter 10.
24.	A. You should be concerned about the secure authentication mechanisms and encryption mechanisms provided by the tools. If a remote management tool does not provide these mechanisms, you should consider another tool or means of providing secure authentication and encryption. For more information, see Chapter 10.