70-299 exam -- Implementing and Administering Security in a Microsoft Windows Server 2003 Network -- is a core exam for both the MCSE: Security and MCSA: Security and an elective for the regular MCSE and MCSA exams. Here are some tips for you to pass this exam.
Although not specifically mentioned in the exam objectives, this exam assumes that you have already mastered group policy objects (GPOs) and can use them as needed. For example, security templates feature heavily in the exam objectives, and group policy is usually the preferred way to easily deploy them. As a refresher, GPOs are used to specify settings for computers and users. On a specific machine you use the new command gpupdate /force to make a policy change effective immediately rather than waiting for the scheduled refresh to take effect.
To review the effective policies in place, you can use the output of the gpresult command, the Resultant Set of Policies (RSoP) MMC snap-in, or the Advanced System Information option in the Help and Support Center. GPOs can be deployed to the local machine or in AD at the site, domain or OU level. The order in which policies are applied is local, site, domain, then OU. GPOs processed last have higher precedence.
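The processing order above can be worked through in a few lines. This is an added Python example, not part of the original article: it applies GPOs in local, site, domain, OU order and records which GPO supplied each effective setting and which ones it overrode. The GPO names and setting names are constructed sample data.

```python
# Added example: a resultant-set calculation for the local, site, domain, OU
# processing order. GPO names and settings are constructed sample data.

LEVEL_ORDER = ["local", "site", "domain", "ou"]  # order given in the text

def resultant_set(gpos):
    """Return {setting: (value, winning_gpo, [overridden_gpo_names])}.

    Each GPO is a dict with 'name', 'level' and 'settings'. A setting missing
    from a GPO is "not configured" and leaves any earlier value in place.
    """
    # sorted() is stable, so GPOs linked at the same level keep their order.
    ordered = sorted(gpos, key=lambda g: LEVEL_ORDER.index(g["level"]))
    result = {}
    for gpo in ordered:
        for setting, value in gpo["settings"].items():
            overridden = []
            if setting in result:
                _, prev_winner, prev_overridden = result[setting]
                overridden = prev_overridden + [prev_winner]
            # The GPO processed last wins the setting.
            result[setting] = (value, gpo["name"], overridden)
    return result

SAMPLE_GPOS = [
    {"name": "OU-Servers", "level": "ou",
     "settings": {"AUOptions": 4}},
    {"name": "Local Policy", "level": "local",
     "settings": {"AUOptions": 2, "AuditLogonEvents": 0}},
    {"name": "Default Domain Policy", "level": "domain",
     "settings": {"AUOptions": 3, "AuditLogonEvents": 3}},
    {"name": "Site-HQ", "level": "site",
     "settings": {"ScreenSaverTimeout": 600}},
]

if __name__ == "__main__":
    for setting, (value, winner, lost) in sorted(resultant_set(SAMPLE_GPOS).items()):
        print(f"{setting} = {value} (from {winner}; overrides {lost or 'nothing'})")
```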
The Security Configuration and Analysis snap-in imports security template(s) into a database, which can then be used to compare against the current settings on that computer. There is also the option to configure the computer settings by using the template. Secedit.exe is the command line tool that performs the same function. Both tools only run against the local machine. In order to prepare for your exam you will need to be conversant with both tools.
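The template-versus-current comparison can be practised offline. This is an added Python example, not Microsoft's implementation and not from the original article: it compares a security template with a second INF file standing in for the computer's current settings (assumed here to have been exported with secedit /export) and lists each setting that differs or is not defined. Both INF texts are constructed sample data.

```python
# Added example: offline comparison of a security template with exported
# settings. Both INF texts below are constructed sample data.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
"""

def parse_inf(text):
    """Parse INF text into {section: {key: value}}, skipping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def analyze(template_text, current_text, skip=("Unicode", "Version")):
    """Return (section, key, template_value, current_value, status) tuples."""
    template, current = parse_inf(template_text), parse_inf(current_text)
    findings = []
    for section, settings in template.items():
        if section in skip:
            continue
        for key, wanted in settings.items():
            actual = current.get(section, {}).get(key)
            if actual != wanted:
                status = "not defined" if actual is None else "mismatch"
                findings.append((section, key, wanted, actual, status))
    return findings
```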
Microsoft Baseline Security Analyzer is Microsoft's free tool to produce security reports for Windows and associated programs (IE, Office, Media Player, SQL Server, etc.). It can be run as a GUI or via mbsacli.exe on the command line, which lends itself to scripting. While not without limitations, one of the cool things you can do with the tool is scan multiple machines within a subnet to find servers and report on their security status. Go here to download this tool and learn more about it, including the requirements to run it correctly and the various command line options available.
Group Policy can be used to change your client configuration for Automatic Updates. When editing a GPO, select Computer Configuration, Administrative Templates, Windows Components, Windows Update, then Configure Automatic Updates. You can change how clients download and install patches as per the settings described earlier, as well as the location of the SUS server used instead of the default Microsoft site.
SUS can be downloaded from here. There is also a Microsoft white paper on patch management using SUS available here. Reading about these tools is one thing, but the best option is to put this together in your lab to really understand them in detail.
One of the recurring themes in the exam objectives is securing Windows servers depending on the intended server role. Here is a link to a section on the Microsoft Web site that has some guidelines on managing security, including specific mentions of domain controller, Internet Authentication Service (IAS) server and Internet Information Services (IIS) server.
One key lesson in securing Windows servers is to run only the absolutely necessary services on them, since every unused service is a potential area of exposure. Therefore you should have a good knowledge of what the Windows services are so you can determine what you need and don't need for each type of server role.
Many of us who have been working with the product for a while are well aware of the different group types (security and distribution) and the different scope types (universal, domain and local). Your domain needs to be at a minimum of Windows 2000-native level in order to use universal groups or nested groups.
The basics for granting access to resources haven’t changed: this is commonly referred to by the acronym AGDLP (put accounts into global groups; put these into domain local groups that are granted permission for the resource). So provided you remember the basic rules here, this area of the objectives should be a gimme.
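The AGDLP rule can be turned into a simple audit. This is an added Python example, not part of the original article: it flags permissions granted to anything other than a domain local group and accounts placed directly into a domain local group, then expands the nesting to show which accounts actually receive access. The directory contents and ACL are constructed sample data.

```python
# Added example: audit a resource's ACL and group nesting against AGDLP.
# The directory and ACL below are constructed sample data.

DIRECTORY = {  # name -> (kind, direct members)
    "alice": ("account", []),
    "bob": ("account", []),
    "G_Finance": ("global", ["alice"]),
    "DL_Ledger_Modify": ("domain_local", ["G_Finance", "bob"]),
}
LEDGER_ACL = [("DL_Ledger_Modify", "Modify"), ("alice", "Full Control")]

def audit_agdlp(directory, acl):
    """Return (rule, subject, detail) tuples for each AGDLP deviation."""
    issues = []
    # P: permissions should be granted to domain local groups only.
    for trustee, right in acl:
        kind = directory[trustee][0]
        if kind != "domain_local":
            issues.append(("acl", trustee, f"{right} granted to {kind}"))
    # DL: domain local groups should hold global groups, not accounts.
    for name, (kind, members) in directory.items():
        for member in members:
            if kind == "domain_local" and directory[member][0] == "account":
                issues.append(("nesting", name, f"contains account {member}"))
    return issues

def effective_accounts(directory, group, seen=None):
    """Expand nesting to the set of accounts that end up in a group."""
    seen = set() if seen is None else seen
    if group in seen:          # guard against circular nesting
        return set()
    seen.add(group)
    kind, members = directory[group]
    if kind == "account":
        return {group}
    found = set()
    for member in members:
        found |= effective_accounts(directory, member, seen)
    return found

if __name__ == "__main__":
    for issue in audit_agdlp(DIRECTORY, LEDGER_ACL):
        print(issue)
    print(sorted(effective_accounts(DIRECTORY, "DL_Ledger_Modify")))
```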
The certificate services changes for Windows 2003 were fairly minor from Windows 2000; however, this is an area of great focus in all Windows 2003 exams. There are two types of certification authority (CA): enterprise, which uses AD for storage and must run on a DC, and standalone, which doesn't use AD. There are also two types of servers in a CA hierarchy: root or subordinate. The subordinate CA uses a certificate generated by the root CA.
IPSec is a standards-based extension to TCP/IP that facilitates secure network traffic between hosts and/or networks. It can also be used to filter network traffic to/from a server. This can be configured for the local computer policy or via GPO using the IP Security Policies snap-in or via command line tools. Go here for a Microsoft white paper that explains how IPSec works in Windows 2003 and some suggestions on when to use it (and when not to).


