My Top 10 Study Tips for Microsoft's 70-299 Exam: Implementing Security
Greg covers the key areas you should tackle before taking this MCSA/MCSE: Security exam.
by Greg Neilson 2/9/2005 --
This exam -- Implementing and Administering Security in a Microsoft Windows
Server 2003 Network -- is a core exam for both the MCSE: Security and MCSA:
Security and an elective for the regular MCSE and MCSA exams. In Certcities.com’s
list of 10 Hottest Certifications for 2005, MCSE: Security ranked as the #2
certification, indicating that a great many of us will be planning to take this exam
this year. Although your exam preparation should be guided by Microsoft’s
preparation guide,
here are a few of the key areas you’ll need to keep in mind as you prep
for this exam.
Tip #1: Know Your Group Policy
Although not specifically mentioned in the exam objectives, this exam assumes
that you have already mastered group policy objects (GPOs) and can use them
as needed. For example, security templates (Tip #2) feature heavily in the exam
objectives, and group policy is usually the preferred way to easily deploy them.
As a refresher, GPOs are used to specify settings for computers and users.
On a specific machine you use the new command gpupdate /force to make
a policy change effective immediately rather than waiting for the scheduled
refresh to take effect.
In order to review the effective policies in place, you can use the
gpresult command, the Resultant Set of Policy (RSoP) MMC snap-in, or the
Advanced System Information option in the Help and Support Center.
GPOs can be deployed to the local machine or in AD at the site, domain or OU
level. The order that policies are applied in is local, site, domain then OU.
GPOs processed last have higher precedence.
Go here
for a lengthy whitepaper that thoroughly discusses group policy in Windows 2003.
Tip #2: Manage Security Templates
The exam objectives expect that you are able to configure, deploy and troubleshoot
security templates. These templates are text files that allow you to set the following:
- Account policies (password policy, account lockout policy, Kerberos policy)
- Local policies (audit policies, user rights assignment, security options)
- Event logs (Application, Security, and System event logs)
- Restricted groups
- Services
- Registry permissions
- File and folder permissions
There are a number of preconfigured templates that come with Windows 2003,
or you can create your own. Because these existing templates progressively build
on each other, it is recommended that you don’t edit these directly, but
instead make a copy of one and edit and deploy your modified copy. Once you
have these security templates they can be imported into Group Policy and deployed
via Active Directory.
Go here
for a Microsoft Knowledge Base article on starting to use the new Security Template
snap-in. Microsoft expects MCSA: Security and MCSE: Security candidates to be
comfortable in making settings changes for the categories listed above using
a security template and then deploying them using all of the available methods.
The exam objectives also mention configuration of the .pol files that are used
for Windows 95/98/Me and NT 4.0. These are created with System Policy Editor (poledit.exe),
which produces a Config.pol file for Windows 9x or an Ntconfig.pol file for NT 4.0; once
complete, the file must be copied to the Netlogon share on a domain controller.
Tip #3: Tackle the Tools
The Security Configuration and Analysis snap-in imports security template(s)
into a database, which can then be used to compare against the current settings
on that computer. There is also the option to configure the computer settings
by using the template.
Secedit.exe is the command line tool that performs the same function. Both
tools only run against the local machine. In order to prepare for your exam
you will need to be conversant with both tools.
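As an added example (not from the article and not one of the templates shipped with Windows), here is a small custom security template that touches each of the areas listed in Tip #2 and can be loaded into the Security Configuration and Analysis snap-in or applied with secedit.exe. The registry paths, well-known SIDs and the service DACL are assumed from Windows Server 2003 defaults; the values themselves are illustrative.

```ini
; baseline-member.inf : constructed example template (not a Microsoft-supplied one)
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account policies: password and lockout settings (ages/durations in days or minutes)
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

; Local policies / audit policy: 0=none, 1=success, 2=failure, 3=both
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2

; Event log settings: size in KB; RestrictGuestAccess=1 keeps Guest out of the log
[Security Log]
MaximumLogSize = 65536
RestrictGuestAccess = 1

; Local policies / security options: path=type,value (4=REG_DWORD, 1=REG_SZ)
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"4"

; Local policies / user rights: only Administrators (S-1-5-32-544) may shut down remotely
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544

; Restricted groups: Power Users (S-1-5-32-547) must have no members
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =

; Services: name,startup type (2=automatic, 3=manual, 4=disabled),service DACL in SDDL
; (the DACL below is the assumed Windows Server 2003 default; Telnet is disabled here)
[Service General Setting]
TlntSvr,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
```

To compare a machine against it, run `secedit /analyze /db baseline.sdb /cfg baseline-member.inf /log analyze.log`, and to apply it run `secedit /configure /db baseline.sdb /cfg baseline-member.inf /overwrite /log configure.log`.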
Tip #4: Master MBSA
Microsoft Baseline Security Analyzer is Microsoft’s free tool to produce
security reports for Windows and associated programs (IE, Office, Media Player,
SQL Server, etc). It can be run as a GUI or instead via mbsacli.exe on the command
line, which lends itself to scripting. While not without limitations, one of
the cool things you can do with the tool is scan multiple machines within a
subnet to find servers and report on their security status. Go here
to download this tool and learn more about it, including the requirements
to run it correctly and the various command line options available.
Tip #5: Learn To Manage SUS and Automatic Updates
Keeping our Microsoft software patched is often the bane of our
lives; however, Microsoft has released some free tools to ease the pain.
Although in many cases you may use commercial tools with additional functionality
to do this, since this is a Microsoft exam Microsoft expects candidates to know
how to put an end-to-end patch solution together using these tools.
The Automatic Updates client runs as a service that checks a server (either
Microsoft’s site or your own SUS site) for updates. Depending on your
client settings (you can set them at My Computer – Properties, Automatic
Updates tab), once enabled there are settings to:
- Notify user before downloading or installing.
- Download automatically and notify user before installing.
- Automatically download and install them on a schedule.
SUS (Software Update Services) is Microsoft’s product that runs on an
IIS server to download patches from Microsoft and serves clients in your enterprise.
Once installed you manage it using the Web interface at http://servername/SUSAdmin.
The synchronization of patches from Microsoft can either be done via a schedule
or immediately if needed. Once patches are downloaded from Microsoft onto your
SUS server, you need to approve the updates to make them available for clients.
Group Policy can be used to change your client configuration for Automatic
Updates. When editing a GPO, select Computer Configuration, Administrative
Templates, Windows Components, Windows Update then Configure
Automatic Updates. You can change how clients download and install patches
as per the settings described earlier, as well as the location of the SUS server
to use instead of the default Microsoft site.
SUS can be downloaded from here.
There is also a Microsoft white paper on patch management using SUS available
here.
Reading about these tools is one thing, but the best option is to put this together
in your lab to really understand them in detail.
Tip #6: Secure Servers by Role
One of the recurring themes in the exam objectives is securing Windows servers
depending on the intended server role. Here
is a link to a section on the Microsoft Web site that has some guidelines
on managing security, including specific mentions of domain controller, Internet
Authentication Service (IAS) server and Internet Information Services (IIS)
server.
One key lesson in securing Windows servers is to only have the absolutely necessary
services running on it, since every unused service can potentially be an area
of possible exposure. Therefore you should have a good knowledge of what the Windows
services do so you can determine what you need and don’t need for each
type of server role.
Tip #7: Get a Grip on Groups Basics
For many of us who have been working with the product for a while, we're well
aware of the different group types (security and distribution) and the different
scope types (universal, global and domain local). Your domain needs to be at a minimum
of Windows 2000-native level in order to use universal groups or nested groups.
The basics for granting access to resources haven’t changed; this
is commonly referred to by the acronym AGDLP (put accounts into global groups,
then put those global groups into domain local groups, which are granted
permissions on the resource). So provided you remember the basic rules here,
this area of the objectives should be a gimme.
Tip #8: Conquer Certificate Services
The certificate services changes for Windows 2003 were fairly minor from Windows
2000; however, this is an area of great focus in all Windows 2003 exams.
There are two types of certification authority (CA): enterprise, which uses
AD for storage and must run on a DC, and standalone, which doesn't use AD. There
are also two roles a server can play in a CA hierarchy: root or subordinate. The subordinate
CA uses a certificate issued by the root CA.
I recommend hands-on practice with installing certificate services, requesting
a certificate, deploying and revoking certificates when preparing for this exam.
Know that Microsoft expects its MCSA: Security and MCSE: Security professionals
to know how to create and publish a CRL (Certificate Revocation List) in the Certification
Authority administrative tool, which allows certificates from your CA to be
validated as still being OK. It also expects candidates to know how to publish
a CRL to an additional location, as well as the difference between a full CRL
and a delta CRL, which is much smaller and lists only the certificates revoked since
the last full CRL was published.
Tip #9: Understand IPSec
IPSec is a standards-based extension to TCP/IP that facilitates secure network
traffic between hosts and/or networks. It can also be used to filter network
traffic to/from a server. This can be configured for the local computer policy
or via GPO using the IP Security Policies snap-in or via command line tools.
Go here
for a Microsoft white paper that explains how IPSec works in Windows 2003 and
some suggestions on when to use it (and when not to).
Tip #10: Try Reading the Manual!
There is a wealth of knowledge within the product documentation and
resource kit. (Unfortunately, much of it we don’t read until something
goes wrong!). Of course, some of this may well be overkill for the exam itself,
but it may be very helpful background knowledge of the product for use in your
day to day work -- which, after all, is one of the main reasons that we torture
ourselves to take these exams in the first place! For example, here
you'll find the Windows Security Collection within the Windows Server 2003 Technical
Reference in the Resource Kit. This contains a lot of very pertinent information
that crosses the majority of the exam objectives.
BONUS TIP: While you're catching up on your reading, you might
also want to read the 70-299
exam review published by our sister site, MCPmag.com.
As you can see, the exam covers a broad range of security-related topics for
Windows 2003 Server. Because of that breadth, you won’t need to have expert
level skills, but you will need to have a good working knowledge of all of the
areas covered in the exam objectives. And don’t forget the unexpected
– although I can’t talk about specific question content, I can say
that you shouldn't be surprised if you're also tested on some non-specific security
skills. This shouldn’t be a hurdle for those with a good working knowledge
of the product (Microsoft aren’t kidding in the exam guide when they say
that candidates should have 6-12 months admin experience), but may help weed
out those candidates without practical experience. Good luck with your exam
preparation – I’m now getting myself ready to take the 70-298 security
design exam. I'll let you know how that goes. 
Greg Neilson, MCSE+Internet, MCNE, PCLP, is a Contributing Editor for
Microsoft Certified Professional Magazine and a manager at a large IT
services firm in Australia. He's the author of Lotus Domino Administration
in a Nutshell (O'Reilly and Associates,
ISBN 1-56592-717-6). You can reach him at editor@certcities.com Attn: Greg.