70-298: Designing Security for a Microsoft Windows Server 2003 Network
70-298 Exam Study Notes
About These Notes
These are notes that I took while studying for the 70-298 exam. I've boiled them down to what you need to know when you take the exam and added many links to web resources for good measure.
I strongly recommend reading your book first, if you haven't, already. Follow that up by studying all of the notes here and studying all of the pages that I've linked to (very important). That'll go a long way in preparing you for the exam.
I hope that these notes prove helpful to you and good luck on the exam!
General Advice
I highly recommend studying for and taking 70-299 before this exam. You should always take the administration exams before their design counterparts, anyway. In addition, there is a severe lack of good study material for this exam, but 70-299 has many (especially Microsoft's training kit, which is one of the best study guides that I've ever used). After passing 70-299, you should be able to pass 70-298 within the next week.
I used the ExamCram 70-298 study guide, but realize that this is a weak guide that you should use only if you feel you know everything in 70-299 and want a quick read to help you pass 70-298 a few days later.
This exam is a moderately difficult one, so you shouldn't take it too lightly. My main pieces of advice are:
See if Microsoft is offering their "Second Shot" (free re-take) promotion and take advantage of it (even if you think that you'll pass; there's no reason not to, since you can use it more than once). You must sign up with Microsoft and use the special promotion code when scheduling your first sitting in order to be eligible to re-take it free (should you fail).
Consider taking your own notes while studying. Writing things down helps the memorization process. Besides, it's possible that a topic that I know well and didn't think to include is one that you may not be so strong in.
Print these notes out and carry them with you (along with your own notes) on the day of the exam. Go over them on breaks, in the car and, most importantly, immediately before walking into the exam room (leave them outside, of course). For the most part, I've designed them to be succinct and memorizable.
Bring a pen with you and, should you fail the exam, as soon as you leave the testing center, write down (on the back of the printout or paper that you brought with you) everything from the exam that you can remember, especially questions and answers that you weren't sure of. Spend a good 15-30 minutes. You won't recall much even a few hours later, unless you have a better memory than I do. It really, really helps if you made good use of the "Select for Review" checkboxes while taking the test, since it means that all of the questions and answers that you weren't sure of are the freshest things in your mind when you leave the testing center. Use everything that you wrote down as the basis for your re-take studying.
Exam Format
Format: Case study. Total of 5 case studies with answers in multiple-choice and drag-and-drop
Questions: 35
Time Limit: 120 minutes (+20 minutes for comments and reading the pre-exam disclaimers)
Passing score: 700
This exam is presented in case study format, a format that you should already be familiar with at this point. You will have 5 different businesses to work with, answering 4-10 questions each according to their business requirements.
Though this format is a little extra challenging, don't let it scare you. It's really not that hard if you know what to expect and what to look for. Here are some tips:
Don't read through the entire case study at the start. By this I mean don't spend a lot of time reading it carefully like it's a novel; it's too long to memorize. Some people find skimming through the case study helps them and others (like me) prefer to start immediately on the questions and reference the case study for each question. It's mostly a matter of personal preference, but just don't spend more than a couple minutes on the case study at the start or you may really handcuff yourself when it comes to time.
Pay special note to what the question asks. Very often, the question will tell you exactly where in the case study to find your answer. For example, it'll say "...that complies with the business requirements" or "...that addresses the concerns of the Chief Information Officer," telling you exactly where to look. Just keep in mind that, sometimes, you won't find the complete answer there.
Skim through the Background and Existing Infrastructure sections of the case study, but don't waste too much time reading them. All of your questions will involve implementing new infrastructure and procedures. I usually don't check these sections until I can't find the answer elsewhere or if I suspect that the answer may hinge on the pre-existing infrastructure (such as legacy systems that can't be upgraded or the number of people in each office).
The "meat" of most case studies is the Business Requirements section. This is the section that you'll be referencing the most. Also, if you're not sure where to look to find an answer, try there first. The Technical Requirements section is a close second.
After you complete all questions for a case study, choose the Review All button and check all of your answers. This is much more important for case study exams because buried in the case study might be a piece of information that changes your answer to question #2 and that you didn't happen to stumble upon until you were on question #7.
Authentication refers to the process of identifying yourself to the network (ex. when logging into Windows). Authorization refers to which resources an authenticated user may access (ex. all employees may be authenticated, but all may not be authorized to print to the managers' printer). Make sure that you understand this distinction.
Smart cards are an example of two-factor authentication and are tested on quite a bit in the exam! Microsoft loves to throw out "two-factor authentication" instead of "smart cards" to see if you realize that one almost always means the other.
You will be using EAP-TLS if smart cards or public key certificates are used. EAP-TLS requires 2000, XP or 2003.
The key IIS authentication methods to know:
  Basic Authentication - password sent in clear text. Use only for browser compatibility.
  Digest Authentication - requires the user's domain password to be stored with reversible encryption. Best choice for extranets.
  Advanced Digest Authentication - more secure than Digest; it requires both the IIS server and the domain controller to be 2003.
  Integrated Windows Authentication - does not require reversible encryption on the password. May require IE. Uses NTLM and Kerberos.
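To see why Basic is "clear text" and why classic Digest needs the password stored reversibly, here is an added example (mine, not from the original notes or from IIS) that builds and decodes a Basic header and computes an RFC 2617 Digest response on both the client and server side. The realm, account, nonce and URI values are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample realm; no real server or account is involved.
REALM = "extranet.example.com"


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value):
    """Recover (user, password) from a Basic header. Base64 is an encoding, not
    encryption: anyone who can read the header reads the password, which is what
    the notes mean by 'sent in clear text' (only TLS on the connection hides it)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password) (RFC 2617). Whoever verifies a Digest
    response must be able to produce HA1, so the verifier needs either the
    cleartext password (hence 'reversible encryption' for classic Digest) or a
    stored copy of HA1 itself."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(stored_ha1, method, uri, nonce, nc, cnonce, client_response):
    """Server side: recompute from the stored HA1 and compare in constant time.
    The password itself never crosses the wire; only HA1 is needed to check it."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    print(decode_basic(basic_header("alice", "S3cret!")))  # ('alice', 'S3cret!')
    ha1 = digest_ha1("alice", REALM, "S3cret!")
    # Constructed nonce/cnonce values standing in for what server and browser would generate.
    resp = digest_response(ha1, "GET", "/reports/q1.html", "dcd98b7102dd2f0e", "00000001", "0a4f113b")
    print(server_verifies(ha1, "GET", "/reports/q1.html", "dcd98b7102dd2f0e", "00000001", "0a4f113b", resp))  # True
```

The Digest half is the point for the exam: a verifier that holds only HA1 can check the response, so a server that keeps HA1 does not need the password in reversible form, while one that has only the normal one-way password hash cannot compute HA1 at all.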
For domain authentication to be successful, clocks must not be out of sync more than 5 minutes for Kerberos (2000/XP/2003) or 30 minutes for NTLMv2 (pre-2000).
See the first note under the preceding section for a definition of authorization and how it differs from authentication. Make sure that you understand this distinction.
Use auditing to troubleshoot complex authorization issues.
Know the audit policy settings well. Microsoft loves giving questions on these. Particularly, understand when to use:
  Audit account logon events - logging on over the network
  Audit account management - creation, deletion and modification of security principals (users, groups, etc.)
  Audit logon events - logging on locally
  Audit object access - accessing files, folders, printers and the registry
  Audit privilege use - exercising a user right (such as the backup and restore privilege)
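The quickest way to keep the five categories apart is to look at which Security-log events each one produces. The following is an added example (not from the original notes), written in Python, that maps Windows Server 2003 Security-log event IDs to the audit setting that generates them and runs over a constructed, comma-separated log export: it tallies events per category and flags accounts with repeated failed logons. The log lines, account names and file path are constructed; the event IDs are the standard 2003 ones.

```python
from collections import Counter

# Windows Server 2003 Security-log event IDs, grouped by the audit policy setting that produces them.
AUDIT_CATEGORY = {
    # Audit account logon events: recorded where the credentials are validated
    # (the domain controller for domain accounts), e.g. Kerberos ticket events.
    672: "account logon", 673: "account logon", 675: "account logon", 680: "account logon",
    # Audit logon events: recorded on the computer where the logon session is created.
    528: "logon", 529: "logon", 538: "logon", 540: "logon",
    # Audit account management: users and groups created, deleted or changed.
    624: "account management", 630: "account management", 632: "account management",
    # Audit object access: SACL-audited files, folders, printers, registry keys.
    560: "object access", 567: "object access",
    # Audit privilege use: a user right is exercised.
    576: "privilege use", 577: "privilege use",
}
FAILED_LOGON_IDS = {529, 675}  # bad password at the computer / Kerberos pre-authentication failure

# Constructed sample export. Fields: time, type, event id, account, detail.
SAMPLE_LOG = r"""
2005-03-01 08:00:12,Success Audit,672,alice,Authentication Ticket Granted
2005-03-01 08:00:13,Success Audit,528,alice,Successful Logon: type 2 (interactive)
2005-03-01 08:05:40,Failure Audit,529,bob,Logon Failure: unknown user name or bad password
2005-03-01 08:05:44,Failure Audit,529,bob,Logon Failure: unknown user name or bad password
2005-03-01 08:05:49,Failure Audit,529,bob,Logon Failure: unknown user name or bad password
2005-03-01 08:10:02,Success Audit,624,admin,User Account Created: svc_backup
2005-03-01 08:11:30,Success Audit,560,alice,Object Open: C:\Payroll\Q1.xls
2005-03-01 08:12:00,Success Audit,576,svc_backup,Special privileges assigned to new logon: SeBackupPrivilege
2005-03-01 08:12:01,Success Audit,999,alice,constructed unknown event id
""".strip()


def parse_events(text):
    """Parse the constructed export; the detail field may itself contain commas."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, kind, event_id, account, detail = line.split(",", 4)
        events.append({"time": time, "type": kind, "id": int(event_id),
                       "account": account, "detail": detail})
    return events


def count_by_category(events):
    """How many events each audit policy setting produced ('unknown' for IDs outside the map)."""
    return Counter(AUDIT_CATEGORY.get(e["id"], "unknown") for e in events)


def repeated_logon_failures(events, threshold=3):
    """Accounts with at least `threshold` failed logons: a mistyped or guessed password."""
    failures = Counter(e["account"] for e in events if e["id"] in FAILED_LOGON_IDS)
    return {acct: n for acct, n in failures.items() if n >= threshold}


def missing_categories(events):
    """Categories with no events at all: either nothing happened or that audit setting is off."""
    present = {AUDIT_CATEGORY.get(e["id"]) for e in events}
    return sorted(set(AUDIT_CATEGORY.values()) - present)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(dict(count_by_category(evs)))
    print(repeated_logon_failures(evs))   # {'bob': 3}
    print(missing_categories(evs))        # []
```

If a category you expect never shows up in a real log, check the audit policy before troubleshooting anything else; a setting that is not enabled produces no events, which is the same thing the note above about troubleshooting authorization with auditing relies on.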
Network Access Quarantine Control (new in 2003) places a remote access client in quarantine mode (limited network access) until an administrator-approved script that checks for security (ex. up-to-date virus definitions) is run on the client and approves remote access.
Know the NTFS permissions. The only thing to memorize is that Write permission does not allow deletion of the file/folder; Modify permission does.
Know the share permissions. There are only three of them: Read, Change and Full Control.
Placing NTFS permissions on the %systemroot%\system32\LogFiles folder is a valid method of securing log files.
Loopback Processing Mode can be used to restrict user settings on highly-managed (usually kiosk) computers. It does this by processing and applying the User Configuration section (in addition to Computer Configuration) of a computer-targeted group policy.
It would be a good idea to just go through all of the policy settings under Security Options and get a feel for what each one does.
Patch Management
Patch management is a heavy emphasis of the exam, but because SUS is easy to setup and understand, you shouldn't need me telling you how to use it. Expect easy questions about basic setup and management. Make sure to deploy SUS in a test or production network prior to the exam. You can download SUS (1.0, the version used in the exam) here. You do not need to know later versions of SUS (known as WSUS).
Know that SUS servers can be set to synchronize with other SUS servers. Unless otherwise directed, have one SUS server per site download updates from Microsoft and any other SUS servers synchronize with the original server. This reduces utilization of the internet connection.
As I'm sure you know by now, a security template is nothing more than a subset of GPO settings (mostly under Computer Configuration->Windows Settings) that have been exported to a text file. Don't let it confuse you.
Know that importing into a GPO is the best way to deploy a security template.
The Restricted Groups portion of a template/GPO allows you to control group membership on the computer that applies the GPO.
The System Services portion of a template/GPO allows you set startup options and permissions for system services.
The Registry portion of a template/GPO allows you to set permissions on registry keys.
The Software Restriction Policies portion of a template/GPO allows you to define which programs should and should not be allowed to run on your network.
Refresh yourself on the different rules available in Software Restriction Policies. Particularly understand certificate, path and hash rules and in which situations to use each.
Windows 2000 does not support Software Restriction Policies and will ignore them if found.
Windows 2000 does not support WMI filters and will ignore them if found.
Certificates
Client certificates can be made more secure by using client certificate mapping and certificate trust lists.
Client certificate mapping comes in two types:
  One-to-one - each user needs to be manually mapped to their personal certificate. Useful for intranets with enterprise CAs.
  Many-to-one - one mapping matches many certificates based on criteria (ex. any client certificate with "Microsoft" in the organization field could be allowed to authenticate). Useful for partnering companies over the internet that manage their own CA, because it delegates access control to the partners' administrators.
Subordinate CAs that are children of commercial CAs are the best option for e-commerce use (because web clients will trust the certificate and get no safety warning).
Certificate trust lists deployed via GPO allow you to manage which certificate authorities a computer will trust.
Version 1 certificate templates cannot be modified. You must create a version 2 certificate template that supersedes the old template. Version 2 certificate templates are new in 2003.
Standalone CAs do not support auto-enrollment and thus always require an administrator to approve certificate requests.
Windows 2000 Group Policy permits auto-enrollment of computer certificates, but not user certificates.
There are two methods (both using Group Policy) of enabling auto-enrollment of certificates:
  Automatic Certificate Request Settings - version 1 templates only; 2000/XP/2003; computer certificates only
  Autoenrollment Settings - version 2 templates only; XP/2003; both user and computer certificates
Key archival and recovery requires version 2 templates, 2003 server, XP/2003 clients, enterprise CAs and 2003 schema extensions applied to the forest (with adprep.exe /forestprep).
Enterprise CAs cannot be taken offline because they are integrated with Active Directory. Create a root standalone CA if you plan to take it offline.
After revocation, a deployed certificate will continue to be valid until you publish the Certificate Revocation List (CRL).
IPSec
You'll likely be asked how to encrypt data in transit (use IPSec) and/or encrypt data on a volume (use EFS).
Use IPSec transport mode when connecting to a single host and tunnel mode when connecting to an entire network. You should know exactly which mode to use in each situation. Diagrams (such as the ones in the document at the bottom of this section) really help to get a picture of when to use each.
Main Mode IKE negotiation is where most CPU utilization occurs.
Understand IPSec filters. They're a good way to filter traffic when the firewall isn't able to, due to the traffic being encapsulated.
IPSec policy rules are made of two things: IP filter lists (which traffic to look for) and filter actions (what to do with the traffic).
If Kerberos IPSec authentication fails across domains, ensure that each domain trusts the other or switch to certificate authentication.
Protected EAP (PEAP) is usually used with passwords. EAP-TLS requires a Public Key Infrastructure (PKI).
The three default IPSec policies are:
  Client (Respond Only) - Use IPSec only if asked by another computer.
  Server (Request Security) - Request IPSec but fall back to unsecured if the other computer does not support IPSec.
  Secure Server (Require Security) - Require IPSec for all communications.
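The two notes above (rules = filter lists + filter actions; the three default policies) are easiest to pin down by modelling them. Here is an added Python example, mine and not from the original notes or from Windows, that represents a policy as rules made of IP filter lists and filter actions, builds the three default policies plus a host with no IPsec policy, and works out whether a pair of hosts ends up talking over IPsec, in the clear, or not at all. Addresses, ports and the "block telnet" rule are constructed; ordered first-match evaluation is a simplification of how Windows ranks filters.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PERMIT, BLOCK, NEGOTIATE = "permit", "block", "negotiate"   # the three filter actions


@dataclass(frozen=True)
class Filter:
    """One entry in an IP filter list: which traffic to look for.
    Constructed simplification: exact addresses or "any", no subnets."""
    src: str = "any"
    dst: str = "any"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None

    def matches(self, pkt):
        return (self.src in ("any", pkt["src"])
                and self.dst in ("any", pkt["dst"])
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass(frozen=True)
class Rule:
    """IP filter list + filter action = one IPsec policy rule."""
    name: str
    filters: Tuple[Filter, ...]
    action: str


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...] = ()
    responds: bool = True            # answers IKE started by a peer (all three defaults do)
    fallback_to_clear: bool = False  # Request Security: talk unsecured if the peer cannot do IPsec

    @property
    def initiates(self):
        """A policy starts IKE itself only if some rule's action is NEGOTIATE."""
        return any(r.action == NEGOTIATE for r in self.rules)


def action_for(policy, pkt):
    """Filter action for one packet: the first rule whose filter list matches wins;
    traffic no rule matches is permitted unsecured (first-match is a simplification)."""
    for rule in policy.rules:
        if any(f.matches(pkt) for f in rule.filters):
            return rule.action
    return PERMIT


ALL_TRAFFIC = (Filter(),)
CLIENT_RESPOND_ONLY = Policy("Client (Respond Only)")
SERVER_REQUEST_SECURITY = Policy("Server (Request Security)",
                                 rules=(Rule("all IP traffic", ALL_TRAFFIC, NEGOTIATE),),
                                 fallback_to_clear=True)
SECURE_SERVER_REQUIRE_SECURITY = Policy("Secure Server (Require Security)",
                                        rules=(Rule("all IP traffic", ALL_TRAFFIC, NEGOTIATE),))
NO_IPSEC = Policy("no IPsec policy (non-IPsec-aware host)", responds=False)

# Constructed custom policy: drop telnet outright, negotiate IPsec for everything else.
BLOCK_TELNET_SECURE_REST = Policy("block telnet, secure the rest", rules=(
    Rule("telnet", (Filter(proto="tcp", dport=23),), BLOCK),
    Rule("all IP traffic", ALL_TRAFFIC, NEGOTIATE),
))


def outcome(a, b):
    """How traffic between two hosts ends up: "ipsec", "clear" or "blocked"."""
    if (a.initiates and b.responds) or (b.initiates and a.responds):
        return "ipsec"
    initiators = [p for p in (a, b) if p.initiates]
    if not initiators:
        return "clear"   # nobody asks for IPsec, e.g. Respond Only on both sides
    return "clear" if all(p.fallback_to_clear for p in initiators) else "blocked"


def outcome_matrix(policies=(CLIENT_RESPOND_ONLY, SERVER_REQUEST_SECURITY,
                             SECURE_SERVER_REQUIRE_SECURITY, NO_IPSEC)):
    return {(a.name, b.name): outcome(a, b) for a in policies for b in policies}


if __name__ == "__main__":
    for (a, b), result in outcome_matrix().items():
        print(f"{a:40} <-> {b:40} {result}")
```

The matrix is the exam answer in table form: Require Security against anything that can respond gives IPsec, Require Security against a host with no policy gives no traffic at all, and Request Security is the only default that ever degrades to cleartext.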
The service name for IPSec is Policy Agent (hence, use net start/stop PolicyAgent).
Use the Connection Manager Administration Kit (CMAK) to create an executable file that adds a dial-up or VPN connection to a client. This is a good method of creating network connections on portable computers. For example, you could mail the executable to portable users rather than waiting for them to bring their computers in or connect to your network.
VPN
L2TP is more secure than PPTP and is the preferred method of securing a VPN. L2TP requires 2000, XP or 2003, whereas PPTP is supported on all Microsoft clients.
L2TP can use IPSec; PPTP cannot.
L2TP requires a certificate infrastructure; PPTP does not.
When possible, the DMZ is the best place for a VPN server to be placed.
Dial-in
MS-CHAPv2 is 2003's default authentication protocol for dial-in remote access.
MS-CHAPv1 (also called just MS-CHAP) is supported on 95/98/Me/NT4 without additional upgrades.
CHAP, SPAP and PAP are disabled in 2003 by default and their use is strongly discouraged.
Wireless Networks
Know RADIUS/802.1x authentication.
In a RADIUS implementation for wireless networks, the authentication server is the RADIUS server and the wireless access points are the RADIUS clients. The wireless computers that connect wirelessly are not RADIUS clients.
Refresh yourself on Encrypting File System and data recovery agents. Know how to disable EFS with Group Policy for 2003 and 2000.
Know the different log formats supported by IIS. Particularly, understand NCSA Common Log File Format and ODBC Logging! Know what they are able to log and where to (file or database). Microsoft Documentation - IIS Log File Formats
Be sure to understand the Password Policy settings and how changes to them affect the level of security!
  Enforce password history - how many previous passwords are remembered. The higher it is, the more security.
  Maximum password age - number of days that a user may use a password before being forced to change it. Should be at least 30 days, but not exceedingly high.
  Minimum password age - number of days that a user must use a password before he/she may change it. Should be higher than 1, but not higher than the maximum age.
  Store password using reversible encryption - allows the password in the store to be decrypted. Enabling reversible encryption reduces security.
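These four settings are exactly what lands in the [System Access] section when a security template is exported to a text file (see the security template notes above). As an added example, not from the original notes, here is a small Python parser for that .inf layout together with a checker that applies the guidance above to a constructed weak template and a constructed hardened one. The key names are the real secedit template keys; the templates' values and the 365-day ceiling used for "exceedingly high" are this example's own choices.

```python
# Constructed security templates in secedit .inf layout.
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 0
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse [Section] / key = value lines into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def check_password_policy(system_access, max_age_ceiling=365):
    """Apply the password policy guidance to a [System Access] section.
    Returns (key, finding) pairs; an empty list means nothing to report.
    The 365-day ceiling is this example's reading of 'not exceedingly high'."""
    def num(key):
        return int(system_access.get(key, "0"))

    history, max_age, min_age = num("PasswordHistorySize"), num("MaximumPasswordAge"), num("MinimumPasswordAge")
    findings = []
    if history == 0:
        findings.append(("PasswordHistorySize", "no history kept: users can reuse the same password"))
    if max_age <= 0:
        findings.append(("MaximumPasswordAge", "passwords never expire"))
    elif max_age < 30:
        findings.append(("MaximumPasswordAge", f"{max_age} days is below the 30-day floor"))
    elif max_age > max_age_ceiling:
        findings.append(("MaximumPasswordAge", f"{max_age} days is exceedingly high"))
    if min_age < 1:
        findings.append(("MinimumPasswordAge", "0 days: users can change repeatedly to cycle out the history"))
    elif max_age > 0 and min_age >= max_age:
        findings.append(("MinimumPasswordAge", "minimum age must be lower than the maximum age"))
    if num("ClearTextPassword") == 1:
        findings.append(("ClearTextPassword", "reversible encryption enabled: stored passwords can be decrypted"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, check_password_policy(parse_inf(text)["System Access"]))
```

Running it prints four findings for the weak template and none for the hardened one; the same checker applied to a template with a minimum age of 90 and maximum of 60 reports only the age-ordering problem, which is the "not higher than the maximum age" rule above.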
Though not as useful as gpresult.exe or RSoP, the Application event log in Event Viewer can be used to check if Group Policy was applied.
You will get a few questions dealing with perimeter networks, complete with diagrams. Make sure that you understand the basic purpose of perimeter networks and enabling traffic through filters, including VPN traffic. Take a look at the document at the bottom of the IPSec section above for some of this information.
The SQL Profiler tool can be used to audit SQL Server database activity (such as access and queries).
--- Created 2005 by Jon - MCSE 2003/2000, MCSE: Security 2003, MCSE: Messaging 2003/2000, Security+ ---