12/4/2002 -- Microsoft's 70-214: Implementing and Administering Security in a Microsoft Windows 2000 Network exam is a good measure of your knowledge of installing, configuring and deploying secured systems within a Windows 2000 Active Directory environment. However, in my opinion, Microsoft should have made this exam more detailed, more specific and more rigorous. As it stands, I'd say it is just slightly more difficult than the TICSA or CIW Security Analyst exams, and nowhere near as thorough as the CISSP exam. Even so, it's a worthwhile elective for either the MCSE or MCSA certifications. (Passing this exam will also earn you MCP status.)

I took the beta version of this exam. It had 90 questions, which took me nearly three hours to complete. In its final form,which will go live in Jan. 2003, it will have between 35 and 60 questions with a time limit of 90 to 120 minutes.

If you're close to completing your Win2K MCSE, this test should not be a stretch for you at all. So that you'll enter the testing center fully prepared, I've pulled together these 10 study tips to help focus your studies on the essential aspects. (To view Microsoft's detailed list of objectives, click here.)

Tip #1: Group Policy
Candidates should know pretty much everything there is to know about group policy. You have a solid grasp of:

• What group policy is.
• How to create and manage group policy objects (GPOs).
• How to assign GPOs to Active Directory containers and their application order (LSDOU local, site, domain, then organization unit).
• The usages of the Computer Configuration and User Configuration sections.
• How to use the inheritance rules, use of inheritance blocking and no override controls.
• When and why to use loopback processing.
• The individual controls throughout group policy, even the Administrative Templates section.

On a side note, with all the focus on GPOs, Im amazed that the both the official objective list and study guide barely mention them.

Tip #2: IPsec Everywhere
IPsec can be used to create a secured communication tunnel between two systems on the same network, between two systems on different networks, or between two networks. If there is an IPsec control anywhere in the operating system, be sure know about it, when to use it and what it does. Youll also need to understand how to configure IPsec from both the client and server sides.

Microsoft also expects candidates to know all about tunnel and transport modes, including when and why to use each, as well as understand the ESP and AH protocols and their uses. Also be sure you know how to use IPsec in conjunction with firewalls, routers, proxy servers and gateways.

Tip #3: PKI and Certificates
Public Key Infrastructure is just an infrastructure, but Microsoft treats it like the final solution to authentication and secured communications. Be sure you are well versed in Certificate Services and the deployment options of certificate authorities (CAs), including root, public, issuing, enterprise and standalone. Do you understand their uses and how they are managed? Do you know what a CRL is? How they are used for authentication? Do you understand SSL and EFS?

Tip #4: Templates and Baselines
Security templates are little more than GPOs saved into text files. But there is much to know about them. There are many tools available to create, audit and apply security templates, including the Security Configuration and Analysis snap-in for the MMC and the secedit command line tool.

Security baselines are "standardized" security templates that are used to evaluate the compliance of systems against a security policy. With a baseline you can quickly configure new systems to meet your overall minimum requirements, check active systems against the established system minimum and review the evolution of systems by comparing current configurations against a historical baseline.

Tip #5: Can You Upgrade Securely?
When migrating from a Windows NT environment to a Win2K Active Directory domain environment, there are many security issues to consider. You need to understand the uses of mixed and native mode, compatibility groups, and migration of users, as well as changes in security configuration controls between NT and 2000, and the addition of Kerberos as the default authentication protocol. Often, migrating from NT to 2000 requires a complete redesign of the network and the domain. The more complicated the NT network, the more redesign work will be required in order for the resultant 2000 network to be efficient and manageable. Keep in mind that Win2K uses two-way trusts, not the one-way trusts used by Windows NT. This one issue in and of itself should cause you some concern when migrating a network.

Tip #6: Service Packs and Hot Fixes
No surprise, but service packs and hot fixes can play a big role in maintaining the security of your network. Your skills should include understanding how to slipstream service pack installation, batch multiple hot fix installation, and to manage enterprise deployment of service packs and hot fixes through the Microsoft Software Update Services (SUS). As an administrator, you should also know how to work with Windows Update, Automated Update and the administrative tools of MBSA and HFNetChk to test for the presence of necessary security patches.

Tip #7: Going Remote
Remote communications, including WAN links, Internet connectivity and remote clients, are all significant issues on this exam. Microsoft wants candidates to understand the security mechanisms built into Routing and Remote Access, know about NAT (where and when to use), and be familiar with ISA Server (such as know it is a firewall and when firewalls should be deployed). You should have a basic understanding of routing, such as how packets get from one network to another, what the purposes of gateways are, subnetting basics, and private IP addresses.

Tip #8: Security Auditing
Auditing, logging, activity tracking, monitoring -- whatever you like to call it, you need to know about it. Understand how to manage the audit policy and how to manipulate audit events that are recorded for objects (for example, based on user or group, and on permission). Understand the use of Network Monitor as a sniffer and traffic analyzer, audit log retention, managing distributed audit logs with EventComb, analyzing audit logs, and responding to security incidents.

Tip #9: Client Variety
This exam recognizes that many networks are not homogeneous Windows 2000 environments and that both older and newer clients (along with non-Microsoft clients) may exist. You should understand security limitations of Windows 98 and how it does not fully participate in Active Directory, even with the update patch that allows it to authenticate to Windows 2000 Active Directory domain controllers. Also, dont be alarmed when Windows XP clients are thrown into the mix. Fortunately, Windows XP is AD compliant so it fits in nicely into a Windows 2000 domain.

Tip #10: Dont Forget About General Security Principles
General security principals are important too. You know, keep the bad guys out but let the good guys in, protect your assets, safeguards should be cost effective, security controls should be invisible to valid users, etc.

One final tip: The online version of TechNet is extremely helpful in tracking down study and resource documentation for the various topics on this exam. It's available at www.microsoft.com/technet/. Good luck!

Questions? Comments? Non-NDA-Violating Tips to Share? Post 'em below!

More articles by James Michael Stewart:

• Certification Exam Skills 101: Test Taking Tricks & Tips
  
• My Top 10 Tips for Passing the CISSP Exam
  
• My Top 10 Tips for Passing the CIW Security Professional Exam