Microsoft's 70-214 Exam: Security Workhorse
This new Microsoft exam, scheduled to be released shortly, measures your abilities with baseline security, service packs and updates, securing communication channels, authentication and more.


by Roberta Bragg

1/8/2003 -- When I emerged from the three-hour beta exam for Implementing and Administering Security in a Microsoft Windows 2000 Network (70-214), two old friends greeted me. It was great to have a hug and see familiar faces. I met some old friends during the exam, too -- my buddies IPSec, PKI, CMAK, RIS, RAS, IIS, ISA, IAS, CRL, CA, EAP-TLS and EAP-MD5, trusts, Kerberos, MS-CHAPv2, PAP, NAT, SSL, SMB, AH and ESP.

The important thing to remember about this exam is that deep product knowledge is a prerequisite. An understanding of security features and their appropriate usage is what the questions will require.

Baseline Security
If you haven’t digested the massive volume of information on how to use Security templates to create baseline security for Windows systems, go back and study Microsoft’s Win2K Security Operations Guide. Security templates can be used for everything from setting password policy to preventing the storage of LM password hashes in the local SAM. They can be implemented via the GUI, scripted for periodic refresh and imported into Group Policy. However, setting security isn’t the only issue here. You can establish baseline security policies—the written kind, not the Group Policy kind—for each role that a computer or user plays in a Win2K network, and then easily and automatically implement that policy by preparing a unique template for each role and applying it using Security Configuration and Analysis, Group Policy or your own scripts.

Tip: What might the phrase, “Configure additional security for client-computer operating systems by using Group Policy” mean? Because implementing templates via Group Policy is covered elsewhere in the objectives, you need to look at Administrative templates. These configuration files aren’t part of Security templates but contain many things that can be set in the GPO and used to harden client systems or just keep pesky users from doing things they shouldn’t.

Don’t forget these built-in opportunities: auditing security settings using Security Configuration and Analysis, modifying your installation program to bring up hardened systems and the availability of default templates and special templates available for other Microsoft products. Pay attention to special security considerations for these products. It’s not enough to know security for the OS; for this exam you need to understand something of security basics for Exchange (Which services are absolutely necessary and which can you turn off? Is relaying an issue?); SQL Server (Which authentication method should be used? How are permissions to access data determined?); Internet Information Server (Think about the URLScan tool, which prevents malformed requests from penetrating your defenses, as well as special lockdown templates and tools); Internet Authentication Service (This gateway guardian can manage remote access policies for multiple remote access servers); and—surprise, surprise!—mobile client computers.

Tip: Practice secedit command-line switches for applying and updating templates and be able to write a batch file or script to automate their implementation.

Baseline Security is the keystone that protects your network. It means you have the standard ready and applied and the know-how to manage it as the bulwark upon which other features are built. Without this secure foundation, your security infrastructure will fail—and so will you.
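The auditing side of this section (checking a machine against the written baseline with Security Configuration and Analysis, and practising the secedit switches) can be scripted as below. This is an added example, not code from the article or from Microsoft; the template path C:\Baselines\fileserver.inf and the working folder C:\Baselines\audit are assumptions, and the secedit switches are the Windows 2000 ones (/analyze, /export /mergedpolicy).

```batch
@echo off
rem Added example (not from the article): audit this machine against a
rem baseline security template with secedit /analyze and list what differs.
rem Assumed paths: C:\Baselines\fileserver.inf is your own template for the
rem "file server" role and C:\Baselines\audit is a writable folder.
setlocal
set "TEMPLATE=C:\Baselines\fileserver.inf"
set "WORKDIR=C:\Baselines\audit"
set "DB=%WORKDIR%\%COMPUTERNAME%.sdb"
set "LOG=%WORKDIR%\%COMPUTERNAME%-analyze.log"

if not exist "%TEMPLATE%" (
    echo Template %TEMPLATE% not found. 1>&2
    exit /b 1
)
if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem Start from a fresh database each run, so the comparison is against this
rem template alone and not against settings imported on an earlier run.
if exist "%DB%" del "%DB%"

rem /analyze compares the live machine with the template; it changes nothing.
rem The resulting .sdb can also be opened in the Security Configuration and
rem Analysis snap-in to browse the same results in the GUI.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /quiet
if not exist "%LOG%" (
    echo secedit produced no log; check that you ran this as an administrator. 1>&2
    exit /b 1
)

rem Settings that differ from the template are written to the log as
rem "Mismatch" lines; find returns errorlevel 1 when there are none.
echo Settings on %COMPUTERNAME% that differ from %TEMPLATE%:
find /i "Mismatch" "%LOG%"
if errorlevel 1 echo   none - machine matches the template

rem Export the effective settings (local policy merged with Group Policy) so
rem they can be compared with the template, e.g. with fc.
secedit /export /mergedpolicy /cfg "%WORKDIR%\%COMPUTERNAME%-effective.inf" /quiet
endlocal
```

Run it from a command prompt with administrative rights; /analyze does not reconfigure anything, so it is safe to run on a production box, and a machine that reports no mismatches is one whose written baseline and applied settings agree.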

Administering Security

Exam Title
70-214: Implementing and Administering Security in a Microsoft Windows 2000 Network

Status
Expected to go live in January 2003.

Reviewer’s Rating
“If you work toward a comprehensive understanding of a given topic and in the process learn how to implement security for all scenarios, you’ll be a better security administrator. Passing the exam will be the validation of your expertise.”

Who Should Take It
Elective exam for Windows 2000 MCSE and MCSA

Exam Guidelines
www.microsoft.com/traincert/exams/70-214.asp

Nothing’s perfect. Can you figure out what went wrong when security settings don’t get applied? Do you know the meaning of “scecli” error messages in the event logs and the effect of No Override, Block Inheritance and Loopback? Don’t forget that troubleshooting is also a part of this objective. If you can list all the reasons a setting might not get applied, do so, then be able to explain how you would know that a specific issue was the problem.

Tip: Know what each setting in a template does and where it will actually have an effect. Do you know common location mistakes made in implementing password policies?

Service Packs and Security Updates
The FBI and others say the most important thing you can do to keep your systems secure is to keep them updated with service packs and patches. Microsoft has a boatload of tools that can help you, and you should be proficient in using them all. Remember that it’s possible to slipstream service packs into installation shares, then use RIS and distribute them with Group Policy. Practice your command lines for Hfnetchk.exe and understand how it’s used by the Microsoft Baseline Security Analyzer (MBSA). Can you use either to find out the status of patching on your machines? Do you know how to correct that situation?

Don’t forget small company (Windows Update), medium (Software Update Services or SUS) and enterprise (Feature Pack for SMS) solutions to patching machines. Determining that hotfixes are missing is a small part of the battle. How do these tools work? When should you use them? What do you do if they say you haven’t installed a fix that you know you have?

Tip: If MBSA stopped working after you hardened your systems using Microsoft’s baseline.inf template, would you know how to fix it?
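Determining which hotfixes are missing across a set of machines is the part of this section that lends itself to a script. The following is an added example, not from the article or from Microsoft: it runs Hfnetchk.exe against a list of hosts and keeps one report per host. The host list C:\Patching\hosts.txt and the report folder are assumptions; the switches used (-h, -v, -z, -o, -f) are Hfnetchk's own.

```batch
@echo off
rem Added example (not from the article): assess missing hotfixes on a list
rem of machines with Hfnetchk.exe, one report per host.
rem Assumptions: hfnetchk.exe is on the PATH, C:\Patching\hosts.txt holds one
rem computer name per line (# starts a comment line), and the account running
rem this is an administrator on every listed host.
setlocal
set "HOSTS=C:\Patching\hosts.txt"
set "REPORTS=C:\Patching\reports"
if not exist "%HOSTS%" (
    echo Host list %HOSTS% is missing. 1>&2
    exit /b 1
)
if not exist "%REPORTS%" mkdir "%REPORTS%"

for /f "eol=# tokens=1" %%h in (%HOSTS%) do call :scan %%h
goto :eof

:scan
rem Hfnetchk reads the target's registry and file versions remotely over SMB,
rem so the Remote Registry and Server services must be running there and the
rem administrative shares reachable. A hardening template that disables them
rem makes a fully patched host look unreachable, not patched.
rem -h  host to scan      -v  explain why each patch is reported missing
rem -z  skip registry checks (judge by file version and checksum only)
rem -o tab  tab-delimited output   -f  file to write it to
echo Scanning %1 ...
hfnetchk -h %1 -v -z -o tab -f "%REPORTS%\%1.txt"
rem Missing patches appear as "Patch NOT Found" lines; NOTE and WARNING lines
rem mark patches the tool could not verify and need a manual look.
find /c "Patch NOT Found" "%REPORTS%\%1.txt"
goto :eof
```

A host whose report is empty or whose count is unexpectedly zero is worth checking by hand before you trust the result; a scan that cannot reach the machine is not the same as a machine with nothing missing.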

Securing Data in Flight
In addition to securing data on storage systems, securing data as it goes across your network or around the world is an increasingly hot topic. The solutions are there. Do you know how they work? Make sure you understand the tools used to implement IPSec, SSL, SMB signing and wireless protocols. More than that, understand how these protocols work and how to know they’re working correctly. If you don’t, you’re asking for trouble in the real world (and shouldn’t an exam reflect that?).

Pay particular attention to the areas you know the least about. You may think that’s just good common sense, but I’m guessing you know least about IPSec. I’d say Microsoft is guessing that, too. Fully half of this objective’s items are IPSec-related; rules, ports, authentication, encryption levels, AH and ESP, certificates, firewall issues and router issues. Can you troubleshoot IPSec connections between domain controllers and clients?

Tip: Can you make SSL work with certificates from your Microsoft Certificate Authority? Should you?

In all cases, think globally but know how to do it locally. Is SSL a good way to secure data traveling between your Web server and your SQL server, or client browsers and Outlook Web Access? How would you implement both of these scenarios and what would you gain?

Tip: Understand the differences between the various iterations of 802.1x and how to configure clients such as Win2K, XP Professional and Pocket PC. What role does WEP play?

Am I Who I Say I Am?
Authentication is proving that I’m really who I say I am. How can I do so? Let me count the ways. There’s Kerberos (if you haven’t got this nailed down, go take the A+ exam instead), LM, NTLM and NTLMv2 for starters. When are they used? Can you prevent any of them from being used? Why is that important? How are they configured in Win2K and above or on legacy systems? These are all-important questions, but don’t forget the options. Anonymous, basic, Windows-integrated, digest and client certificate mapping are possible. When would you use them?

Consider also that remote access can be via dedicated remote access servers and IAS servers. Now you have PAP, CHAP, MS-CHAP, EAP-MD5, EAP-TLS and smart cards. Which is right for what? Which allow data to be encrypted and which don’t? Are there some that should be avoided? How can an IAS server best serve you? If computer connections cross untrusted networks, when should a VPN be used?

Make yourself an “authentication” spreadsheet. Down one side, write every authentication method possible in a Win2K network. Don’t forget to include those possible with IPSec, remote access, local logon, and within Mixed mode and Native mode domains. Across the top, make a list of possible client locations (home, branch office, on the local network) and clients (Win2K, XP, Windows legacy systems, Unix, Macs). Make sure for each client you consider each of the possible locations. Then, for each client situation, check which of the authentication processes can be used. Make sure you can explain why, when and how each might be used and know how to configure each.

Tip: Know what “trusted for delegation” means. Know why you might want to use it, but also why you might not.

Your Key to Your Survival
PKI used to be the darling of large companies, exclusive product purchases and highly-paid consultants. Now it’s your problem. Make sure you understand the implications of installing the four Microsoft Certificate Authorities (CAs): Enterprise Root, Standalone Root, Enterprise Subordinate and Standalone Subordinate. Can they work together in a PKI? Don’t confuse these official installation choices with the new Microsoft best practice discussions, which talk about root, intermediary, and issuing servers. One list represents installation choices; the other is a design choice. Understand when to use each and how to configure it. Learn the appropriate use of certificate templates and their role in controlling access as well as what parts of the infrastructure to back up and how.

Tip: Which type of CA should you install as root in order to make the most secure infrastructure? What special configuration and physical security decisions need to be made to make it most secure?

Understanding the infrastructure is only part one of this journey. Be able to spit out certificate specifics as if you were a baseball fanatic and they’re batting averages. Know how to use certificates to send e-mail, encrypt files and recover them. Think Exchange here, as well as Win2K. Make sure you can explain and troubleshoot Encrypting File System issues. Quick! Sally just reinstalled her Windows XP Professional system and can’t open her encrypted files. Is there hope? Quick! You believe the issuing CA has been compromised; which certificates need to be revoked? Will the Certificate Revocation List (CRL) available to the clients immediately reflect these additions?

Tip: How do you prevent just anyone from obtaining a recovery agent certificate?

Who You Gonna Call?
It’s not enough anymore to be able to harden systems and make them work without giving up security. You must also be able to detect when your systems are under attack and know what to do about it. You should be able to go beyond ordinary auditing set-up to audit RAS and IIS. Here’s a concept: Know what those entries in the security log mean!

Incident response also means understanding how to use Network Monitor to aid in locating an attack, what was tried and whether or not it was successful. Not every cause for concern means distress at the one-on-one level. Consider how to respond to natural disasters, worms, denial-of-service attacks and anything else that might disrupt service.

10 Things To Practice
  1. Define the best security settings for a Windows 2000 file server.
  2. Be able to write a script to implement a security template at 2 p.m. every Friday.
  3. Know the meaning of security-related event log messages. What, for example, does the scecli event log message 1704 mean?
  4. Which patch assessment method is best for a network of 400 computers? Which patch application method is best? Implement your solutions.
  5. Assume smart cards have been implemented in a domain. Use Group Policy to prevent users from being logged on to more than one system at a time.
  6. There can only be one password policy for a domain. It’s configured at the domain level and affects all users who log onto the domain. Use Group Policy to control the password policy for local accounts on all file servers in the domain.
  7. Given two user accounts, each in a different OU, and two computers each with an account in a third OU, and assuming a GPO at the domain level and at each OU, determine the effect of security settings on each user when he or she logs on. OUs may have No Override, Block Inheritance or loopback processing set.
  8. Make a list of keywords and acronyms mentioned in the objectives. Memorize what all of them are.
  9. Configure a file permission scenario where USERA can delete a file even though he or she has the “DENY delete” permission in NTFS on the file.
  10. Use the Connection Manager Administrator Kit (CMAK) and set up remote access for traveling employees.

(Exam objectives can be found at www.microsoft.com/traincert/exams/70-214.asp.)
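Practice item 2 above, and the earlier tip about scripting secedit to apply and update templates, come down to the same script: one that re-applies a template on a schedule. The block below is an added example, not from the article or from Microsoft. The template path C:\Baselines\fileserver.inf and the log folder are assumptions; the secedit switches and the AT scheduler command are the Windows 2000 ones (/refreshpolicy was replaced by gpupdate on XP and later).

```batch
@echo off
rem Added example (not from the article): re-apply a security template with
rem secedit /configure, written so it can run by hand or from the scheduler.
rem Assumed paths: C:\Baselines\fileserver.inf is your template and
rem C:\Baselines\logs is writable by the account that runs the job.
rem
rem Schedule it once, from an administrative prompt, for 2 p.m. every Friday.
rem The AT service runs the job as LocalSystem, so keep all paths local:
rem   at 14:00 /every:F cmd /c C:\Baselines\apply-baseline.cmd
setlocal
set "TEMPLATE=C:\Baselines\fileserver.inf"
set "LOGDIR=C:\Baselines\logs"
set "DB=%LOGDIR%\%COMPUTERNAME%.sdb"
set "LOG=%LOGDIR%\%COMPUTERNAME%-configure.log"

if not exist "%TEMPLATE%" exit /b 1
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem /overwrite empties the database before importing, so settings left from
rem an earlier template cannot be re-applied by accident. /areas limits the
rem run to the parts of the template you intend to enforce here (account and
rem audit policy, event log and security options; service startup types).
rem Leave /areas out to apply every section of the template.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /areas SECURITYPOLICY SERVICES /log "%LOG%" /quiet

rem Re-apply the machine half of Group Policy right away so domain settings
rem win any conflict, as they would on the next refresh anyway. /enforce
rem applies the GPOs even if they have not changed. A successful refresh is
rem logged as SceCli event 1704 in the Application log.
secedit /refreshpolicy machine_policy /enforce

rem Settings the template could not apply are written to the log as errors.
find /i "error" "%LOG%" >nul
if not errorlevel 1 (
    echo Template applied with errors on %COMPUTERNAME%; review %LOG% 1>&2
    exit /b 1
)
echo Template %TEMPLATE% applied on %COMPUTERNAME% at %DATE% %TIME%
endlocal
```

Because the job runs unattended, the only feedback you get is the log and the scecli events, which is exactly why the troubleshooting part of the objective (why a setting did not get applied, and how you would know) matters as much as the apply step itself.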

Game Over
If you’ve truly had real-world experience in securing a Win2K network, then this exam shouldn’t trip you up. If you passed the Security Design exam, 70-220, you might be lulled into thinking this new test will be easy. After all, if you removed the business knowledge objectives from the Security Design exam, wouldn’t you be left with this very list? This exam is much broader in its technical objectives than the design exam; there’s more to know about securing Windows networks and many new tools have come out to help with the job.

To implement and administer security in a Win2K network, you should know a lot and be able to do many things. The purpose of the exam is to set objectives for the security administrator to learn and test his or her understanding of them. Perhaps, after the exam, she can hug the old friends she has crossed paths with again and cherish the wonderful new ones she has met along the way. Good luck!

This article was originally published in the January 2003 issue of Microsoft Certified Professional Magazine. Reprinted with permission.



Roberta Bragg, MCSE, MCT, CISSP, runs her company, Have Computer Will Travel Inc., out of a notebook carrying case. She's an independent consultant specializing in security, operating systems and databases. She is a contributing editor for Microsoft Certified Professional magazine. You can reach her at .


There are 15 CertCities.com user Comments for “Microsoft's 70-214 Exam: Security Workhorse”
The current user rating is: three stars - difficult, but manageable
1/8/03: Hjorleifur Kristinsson from Reykjavik, Iceland says:
four stars - very difficult
Took the beta for this as well as the Designing Exam! You are very much on the spot! You need to know the stuff, the tools (especially the new ones) as well as issues with various other products. I did pass both of them.
1/8/03: gunderstone says:
three stars - difficult, but manageable
It is difficult, but manageable. I took the BETA and received a PASS (no scores, just PASS/FAIL) but you really do need to know your stuff cold. I would review all the material at http://www.microsoft.com/traincert/exams/70-214.asp and pay close attention to the data available from Course 2150: Designing a Secure Microsoft Windows 2000 Network, http://www.microsoft.com/traincert/syllabi/2150AFINAL.ASP. Much of the material on the 70-214 was pulled from here.
1/8/03: Alan Nelson from Fort Collins, CO says:
four stars - very difficult
Challenging, brain-numbing, endurance fest (beta). Finished the whole thing with four minutes left to review my answers. Best to be a speed reader, know your stuff (hands-on + docs), and get it right the first time. Not for the faint-of-heart or wannabes.
1/23/03: KangarooKid from Melbourne, Australia says:
five stars - true gurus only
Passed it today...wow...tough exam. good luck to everybody
3/28/03: Graham Carpenter from Reading, UK says:
four stars - very difficult
Passed the beta. The longest Microsoft exam I have ever taken. Had about 7 or 8 minutes of the 3 hours left to review questions, barely finished review (by a few seconds) before I ran out of time. The material isn't too hard if you know your stuff, I read the 2150 and 2153 syllabus and dredged the web for material listed there plus reviewed stuff from the self-paced training material I used for my MCSE, that was sufficient to get me through. That many questions in the time is pretty relentless, you just need to keep your head down, your pace up and keep an eye on the clock. You do need to have your wits about you to pass this one!
5/12/03: Stefan Rottmann from Munich, Germany says:
three stars - difficult, but manageable
A race against time, more so than any other MCSE test I've ever taken. Each of the many questions involved a (comparatively) long scenario to read through. This leaves you with little time to come up with the answer, so better know your stuff and know it well!
5/14/03: yangyang from china says:
three stars - difficult, but manageable
Good and challenging.
7/27/03: eric from Paris says:
three stars - difficult, but manageable
I did believe that after the 70-220 security design exam this would be a walk in the park ..... WRONG!!! This exam is broad, deep and not at all for beginners; better have some real-world experience to pass.... This is one of the rare exams (all constructors) where I really needed all the time provided, but also one I'm proud of saying I passed.
8/2/03: Joel Silva from Lisboa, Portugal says:
two stars - somewhat challenging
Read everything that you can put your hands on and practice, because those two things make perfection... that's the reason for my pass.
8/8/03: Zeeshan Ulhaq from lahore,Pakistan says:
three stars - difficult, but manageable
I find this exam difficult yet attainable. I passed it on my second attempt. Overall, the exam is a fantastic step for those who are interested in security implementation in a networking environment. But some areas are very difficult, and also what I think is that.... can be used merely meager, because of its complexity. Anyhow... Excellent exam for growing oneself.

Exam Difficulty Rating Key
five stars - true gurus only
four stars - very difficult
three stars - difficult, but manageable
two stars - somewhat challenging
one star - cakewalk