Microsoft Exam 70-220 - Designing
Security for a Windows 2000 Network
Designing Security for a Microsoft®
Windows® 2000 Network
Each question on this exam will take the form of
a case study. First, you will be given background information
that will be provided in a graphic. These case studies graphic
will then be broken down into various sections, delineated by
tabs. For example, the tabs may contain things like the
background of the problem, the way the organization is laid
out, a statement of the problem you are facing, the way the
current technical environment is laid out, and the way the
technical environment will be laid out when you are finished
with the project. In addition, there will be one tab that
contains all the information. Be sure to read all the
information, and take notes on whatever you feel may be
pertinent to the questions.
Analyzing Business Requirements
This set of objectives and the set of objectives
on Analyzing Technical Requirements may not lead to direct
test questions, i.e. what company model is this enterprise
using, but it will be important information to assimilate as
criteria for making decisions in the scenarios.
Analyze the existing and planned business models
In this section, you are looking for information
about the way the business is currently being operated as well
as how the company may be operated in the future. You will be
asked to make decisions based on this information. Again,
there will not be questions asked specifically about this
objective, but you need to be sensitive to the information
Analyze the company model and geographical
scope. Models include regional, national, international,
subsidiary and branch offices
When you look at the company model, you are
primarily looking for information on how the company will be
managed and who the decision makers will be. In the real
world, this can be key to the success or failure of any
project. In the testing environment this section rears its
head as part of the Case Study when you background information
from various levels of management. The company model is
important in the way you weight the information provided. For
example, if the company CEO says there is a problem, that
opinion carries much more weight than someone from the
Very little impact on testing
Very little impact on testing scenario,
except when it comes to installing and configuring
Virtual Private Networks between
Important to testing scenario because
some technologies that can be used in the United States
and Canada may not be used in other
Important from a testing scenario
because a subsidiary is more likely to be a “stand
alone” or self-managed entity than a branch office. A
subsidiary may have different impacts on the design of
an active directory implementation. For example, a
subsidiary may be a separate tree in the
Usually the impact of branch offices
will be in the design of the Active Directory tree, for
example you may give the branch office an Organization
Unit, depending on the size of the office. May also
impact decisions relating to Group Policy
Analyze company processes. Processes include
information flow, communication flow, services and product
life cycles, and decision-making
As alluded to above, this objective is put here
to clue you into the corporate subtleties of problem
definition and long-term strategies. You should also pay
attention to information flow and communication flow,
especially if it tracks across different offices in different
locations. This may be a key that a VPN is called for, or it
may be a signal to explore how Kerberos can be used
Analyze the existing and planned organization
structures. Considerations include the management model;
company organization; vendor, partner and customer
relationships, and acquisition plans
This is another one of the informational,
red-flag kind of objectives. If you are reading through the
case study and you see things the CEO saying that he/she wants
to switch their businesses module from bricks and mortar to
point-and-click, you should key in on things like firewall
layout or protection of web sites, using special protocols for
e-business, or how are you going to allow a trusted partner to
access certain areas of the network while not having access to
other areas of the network. These are more of the red flags
that you should be writing down on your notepaper so they can
be addressed during the questions.
Analyze factors that influence company strategies
Identify company priorities
Identify the projected growth and growth strategy
Identify the relevant laws and regulations
Identify the company’s tolerance for risk
Identify the total cost of operations
This is another informational red-flag
objective. In this objective, the things to key on in the case
study are how is the company planning on growing? If the
company is planning on going on an acquisition binge, you may
get a tree design question that will need to take that
information into consideration. From a security perspective,
the things to feature will be if any information is crossing
International boundaries. If it is, there are certain
technologies that may not be appropriate due to treaty
Other things to key in on include the company’s
tolerance to risk. The solutions that may be put in place for
a small company may not be sufficient for a larger company
that is jumping on the e-business bandwagon. You should also
be able to make the jump between the company’s tolerance for
risk and the total cost of operations. For example, a
corporate executive may decide that a particular security
solution may not be appropriate after seeing what the impact
is on the cost of operation. The security solution may cost
more than the information or resource is worth to the company.
This objective tests your ability to prioritize
projects and solutions.
Analyze business and security requirements of
the end user
This is another informational red-flag
objective. For this objective, make note of any special use
situations, or decide if there are ways Group Policy Objects
can be used to standardize security.
Analyze the structure of IT management.
Considerations include type of administration such as
centralized or decentralized; funding model; outsourcing;
decision making process, change management process
The Windows 2000 IT management model calls for
decentralized management wherever possible. Here are you
looking for ways to create security groups based on job
function or workgroup. Once this has been accomplished, you
can then assign ownership and management of that security
group to someone in the group, giving them the ability to
control the group.
Analyze the current physical model and
information security model
Analyze internal and external risks
To provide solutions that will map to this
objectives, you need to be on the lookout for areas where a
site may be defined. You can create sites by defining a group
of subnets connected by a high speed, reliable connection. The
network administrator determines what is a high-speed reliable
connection. Knowing when to create sites will assist you later
where you design and implement Group Policy Objects. GPO’s can
be assigned at the domain, organizational unit or site
Analyze Technical Requirements
Here, again, this entire group of objectives can
be described as for your information. These objectives are
based on project management of a large rollout. You need the
information contained here to make the decisions necessary to
Evaluate the company’s existing and planned
Analyze company size and user and resource distribution
Assess the available connectivity between the
geographic location of work sites and remote sites
Assess the net available bandwidth
Analyze performance requirements
Analyze the method of accessing data and systems
Analyze network roles and responsibilities.
Roles include administrative, user, service, resource
ownership and application
The things to key in on for these objectives are
Is there a natural distribution of users and resources
that would lead to the placement of a domain, organizational
unit or site?
Is there the high-speed reliable connection that would
give the ability to create a site?
Is there the connectivity that would make it possible to
create a virtual private network?
Is there anything special about the ways the users are
accessing data or systems that will have to be taken into
consideration when the security plan is in place?
Are there the personnel available to handle the
management of the security plan you may want to put in
Analyze the impact of the security design on
the existing and planned technical environment
Assess existing systems and applications
Identify existing and planned upgrades and rollouts
Analyze technical support structure
Analyze existing and planned network and
Here again, you are going through the case
studies, analyzing ways that you can put known security tools
to use. For example, in this objective, be on the lookout for
questions that may relate to the upgrade or rollout of
applications. In other words, how can you use the Windows 2000
security tools to guarantee that the rollout or upgrade of an
application will be using the real software? As you will see
in a later objective, you can use Authenticode to insure that
the users are getting what you want them to get.
Analyzing Security Requirements
We are getting closer to the real meat of the
test, honest! There is still just one more set of objectives
that will act as red flags for information to pay attention to
in the case study. Once we get by these, you will be actually
looking at some Windows 2000 security technology.
Design a security baseline for a Windows 2000
network that includes domain controllers, operations masters,
application servers, file and print servers, RAS servers,
desktop computers, portable computers and kiosks
Identify the required level of security for
each resource. Resources include printers, files, shares,
Internet access and dial in access
So, what kinds of red flags are you looking for
here? First of all, there are all sorts of things that may
have security implementations. For example, there are RAS
servers, dial in access and portable computers. RAS servers
and dial in access can be wonderful things, but they can also
cause a security concern if they are improperly placed. If you
see mention of portable computers in the case study, be alert
for mention of the Encapsulating File System (EFS). Much of
the Windows 2000 documentation stresses the way EFS can
protect a company against the loss of data due to the loss or
theft of a laptop computer.
Internet access is another area where you should
pay close attention to the case study. In this case, the
design issue may include firewalls, network address
translation, the use of a proxy server, or the use of a
virtual private network connection.
Designing a Windows 2000 Security Solution
Finally! By this stage of the objectives, you
should be ready to stop reading the case studies and ready to
get on to the task at hand, answering the questions!
Design an audit policy
Things to know about an audit policy
Know that you can turn on the Audit Directory Service
Access category to audit objects on a domain controller.
Know that you can turn on the Audit Object Access
category for auditing objects on a member server or a
Windows 2000 Professional System
Know that auditing is implemented from the Local
Security Policy selection of Administrative tools
Know that you audit the success or failure of an event.
Know that auditing is not deterministic, in other words
when an event gets written to the audit log, it will write
that Fred Flintstone accessed in file in this folder. It
does not determine whether Flintstone should have been able
to access to the file.
Know that auditing puts stress on the machine it is
Design a delegation of authority
This was mentioned above. The designers of the
Windows 2000 security curriculum are very big on distributing
administration and giving non-IT types the ability to manage
security groups. Remember this concept.
Design the placement and inheritance of
security policies for sites, domains and organizational units
Security policies can be implemented through
Group Policy Objects.
GPO’s can be implemented at the site, domain or
organizational unit level.
Know how security policies are implemented and what role
Know the priority of inheritance.
Know how an enterprise administrator can force
Know how inheritance of security policies can be blocked
and when you would use that.
Be able to pick out which policy will be in effect,
after inheritance, given a certain situation.
Design an Encrypting File System
Know that you can encrypt files or folders.
Know how to encrypt files or folders: From Microsoft
Explorer, highlight the folder or file, choose Properties
and select Advanced. There is a check box that will encrypt
the file or folder.
Know who can decrypt files or folders: The owner of the
file or the designated recovery agent (usually the
Know that the Recovery Agent will have access to the
Know that the encryption key should be exported to
removable media and stored in a locked, offsite location.
Know that you should keep a backlog of encryption keys.
Know that the EFS only works on Windows 2000 NTFS
Know that files are only encrypted when they are stored.
If you are going to store a file in an encrypted folder on a
server, the file is not encrypted in transit to the
Design an authentication strategy
Select authentication methods. Methods include
certificate-based authentication, Kerberos authentication,
clear-text passwords, digest authentication, smart cards, NTLM, RADIUS and
Know that Windows 2000 comes with the ability to provide
certificate-based authentication without use of a third
Know that Kerberos v5 is the default authentication
protocol of Windows 2000.
Know that you want to avoid clear text passwords at all
Know what a smart card is and when it should be used.
Know that NTLM is the backwardly compatible
authentication protocol that is used in mixed mode domains.
It provides authentication between NT 4 BDC’s and the
Windows 2000 security system.
Know that RADIUS is used to provide authentication in
Know that SSL is used to provide secure communication
between a web browser and a web site.
Design an authentication strategy for
integration with other systems
With Windows 2000, the default authentication
protocol is Kerberos v5. This protocol can be used for cross
Note: In the testing world, Kerberos v5 provides
for cross platform authentication. In the real world, you may
require the use of some third party solutions.
Design a security group strategy
This was mentioned above. The designers of the
Windows 2000 security curriculum are very big on distributing
administration and giving non-IT types the ability to manage
security groups. Remember this concept.
Know the different types of groups, including the
default security groups in Windows 2000 and how they are
Know how to group users and computers into special
groups so that they can be controlled.
Know the default security groups available in a Windows
Design a Public Key Infrastructure
Design Certificate Authority (CA)
Identify certificate server roles
Know that there are different types of certificates.
Know that you can control certain features of
certificates, including their time to live.
Know what to do if a certificate has been compromised,
and how to revoke a certificate.
Integrate with third-party CA’s
Certificate mapping is where a certificate issued by a
third party CA is assigned to a particular user and
associated with that user account in Active Directory.
Software like Internet Explorer can be used to
authenticate the user that is connecting to a resource over
the Internet using the functionality of Active Directory.
Certificates can be mapped only to individual user
accounts, not to security group accounts.
Design Windows 2000 network services
Design Windows 2000 DNS security
Know that Windows 2000 uses dynamic DNS.
Know that DNS is integrated into the Active Directory.
Know that DNS zone replication is now handled by Active
Know that DNS zones can be configured to use a secure
Know that groups of users can be configured to be able
to update DNS through judicious use of the ACL.
Design Windows 2000 Remote Installation
Know that RIS is used to build Windows 2000
Know how to connect to the RIS server.
Know that the administrator can configure if the RIS
server will even talk to clients.
Know that there are RIS Group Policy Options that can be
applied to RIS installations. This will help define what can
and cannot connect to the RIS server.
Design Windows 2000 SNMP security
SNMP Manager - The host that gathers information and,
depending on the implementation, displays alerts if
SNMP Agent - The reporting piece of the puzzle. The
agent can be hardware or software. The agent reports to the
manager on any kind of a defined event like startup, shut
down, access, etc.
Management Information Base (MIB) - The defined events
that the agents will use for reporting.
SNMP works with either IP or IPX
SNMP agents are gathered in communities. Communities
report to SNMP managers using TRAP messages. Information is
usually sent in a plain text format.
SNMP Security is defined by the way Community Managers
can be granted permissions to get information from agents.
There are five levels of permissions that can be used to
provide SNMP security:
None - No communication will occur.
Notify - The same as None.
Read Only - The agent will only process requests that
get information. It will not process configuration
Read Create - The agent will process requests to get
information and also for configuration.
Read Write - The same as read create
SNMP messages can also be configured to make use of IPSec, providing data encryption while the message is on the
Design Windows 2000 Terminal Server
The Terminal Services security features
Encryption - Data transmitted between the Terminal
Server and host session can be encrypted to Low, Medium or
High levels depending on the administrator’s choices.
Administrators can limit logon attempts as well as limit
Security can be added to the connections by way of
permissions applied to group. The default groups
User connections can be managed using Terminal Server
Terminal Servers use Remote Desktop Protocol (RDP) which
uses port 3389. If there is a firewall in play, that port
should be opened.
Designing a Security Solution for Access
This objective starts by looking at the ways you
can control access to the Internet from your private network,
so read that as Proxy Server or network address
The remaining parts of this objective could be
considered Virtual Private Network basic training. These
objectives look at ways to implement a Virtual Private
Virtual Private Networks can be created to
assist with two scenarios
Remote client connecting to private network using the
public network (usually the Internet) as a backbone.
Connecting two sections of a private network using
tunneling. This can be done using either sections of the
public network or sections of the private network for
Virtual Private Networks create a tunnel between
the server and the client. All data sent through the tunnel is
Provide secure access to public networks from a
Many companies feel that one of the greatest
security costs they bear is controlling access to the
Internet. Companies can suffer tremendous losses due to lost
productivity because of employees surfing the Internet.
This can be controlled by using a proxy server
or firewall to control where on the Internet users can go and
when they can go there.
Another problem with Internet use is the user
can unknowingly provide information about the private network.
This can include the internal addressing scheme of the private
network. In this case, using Network Address Translation (NAT)
can help protect the private network. The only address that is
“published” is that of the gateway. NAT also helps provide
large number of IP addresses for the private network.
Provide external users with secure access to
private network resources
In this case, the external user creates a VPN
session between the client workstation station, and a VPN
server using the public network as a transport medium. The
public network is usually the Internet. The VPN server can be
located in front of the corporate firewall, behind the
corporate firewall, or in a screened subnet. A screened subnet
is also referred to as a DMZ.
Provide secure access between private
Provide secure access within a LAN
Provide secure access within a WAN
Provide secure access across a public
Here again, you are expected to be able to pick
out ways that VPN’s can be utilized. You would use a VPN
across a LAN to provide a secure connection between two
departments where interdepartmental communication must be
Secure access across a WAN could see a VPN put
into play for the very same reason, to connect two
departments. It can also be used to protect information
traveling between two different locations (regional offices,
The most common use of a VPN is to provide
secure access across a public network. This would be a
demonstration of how to create a VPN between two routers,
using the Internet as the corporate backbone.
Design Windows 2000 security for remote access
This objective did not deal with the intricacies
of RAS configuration and permissions as much as it dealt with
the proper placement and use of a RAS server. Too often,
administrators will configure a secure network with properly
placed and designed firewalls, only to have a RAS server that
is pretty much open to the world located behind the firewall.
This objective deals with placing the RAS server
in the DMZ between firewalls, and controlling the access from
the RAS server to the rest of the private network.
Designing Security for Communication
Design an SMB-signing solution
Server Message Blocks (SMB) are ways of
bypassing constraints between NTFS and the Network File System
(NFS) used in the Unix world. Know when it would be
Design an IPSec solution
IP Security (IPSec) is the default transport
protocol used in the creation of a VPN. This is the way that
you can configure the security it provides.
Design an IPSec encryption scheme
You can define the level of encryption in IPSec.
The key thing to remember for testing purposes is that the
encryption level must be the same on both the client and the
server or communication cannot occur. Remember all the ways
back to the first objective, about defining whether you are
dealing with an International company? Here is where it comes
to play. Suppose you have an IPSec solution that uses 128-bit
encryption. If you have to add an International connection to
the mix, suddenly you have to provide a lower level of
encryption due to treaty constraints, or provide for another
Design an IPSec Management strategy
Due to the nature of the IPSec connection, they
can be very intensive. After all, the tunnel has to be
created, which means that somehow, someone must provide a list
of IP addresses for the server to give out, and then once the
connection has been established it must be maintained.
Maintenance not only means making sure the connection stays
up, but it means that the system must encrypt and decrypt all
these packets. The IPSec management strategy is to define who
can use IPSec connections, how they can use them and what
level of encryption will be used.
Design negotiation policies
When an IPSec server and client start talking
they negotiate the way the communication will be handled. This
can include things like key length, key life, whether the key
will be dynamically changed during the course of the
connection and whether to use Authentication Headers (AH) or
Encapsulating Security Payloads (ESP) for the protocol. Again,
the client and the server must agree for communication to
occur. The negotiation policy defines the parameters of these
Design security policies
There are several default group policies that
can be used to secure IPSec communications. These policies are
configured using the MMC, for example for local computer
policy. You can configure the system as to how it handles
requests from non-IPSec aware clients or how it handles
communications from IPSec aware clients. Again, you are simply
defining the base parameters for the beginning of
communications. For testing purposes remember that if both
sides do no agree, communication will not occur.
Design IP filters
IP filters help the IPSec server to decide who
it is going to talk too. The IP filter will either allow or
deny access to the IPSec server depending on the address of
the specific computer or the subnet it resides on.
There are also some port filters to be aware of.
IPSec uses IP ports 50 and 51 and UDP port 500. These ports
should be opened at the firewall if communication is going to
occur between a remote user and the VPN server behind a
Define security levels
These security levels are
Accept unsecured communication, but always respond using
IPSec -- This communication setting allows unsecured
communication initiated by another computer but requires the
computers to which this policy applies to always use secure
communication when replying or initiating.
Allow unsecured communication with non-IPSec-aware
computers -- This communication setting allows unsecured
communications to or from another computer. This is used if
the computers in the IP filter list are not IPSec enabled.
If negotiation for security fails, this will disable IPSec
for all communication to which this rule applies.
Session Key Perfect Forward Secrecy -- This
communication setting ensures that session keys or keying
material are not reused. Selecting Session Key Perfect
Forward Secrecy also ensures that new Diffie-Hellman
exchanges will take place after the session key lifetimes