In conjunction with the new messaging titles that Microsoft announced this morning, the company has announced details on the Windows 2003 versions of the security specialist titles and officially announced two new Windows 2003-based security exams.
The MCSA: Security on Windows 2003 is similar to its Windows 2000 counterpart, requiring five exams. The Windows 2003 version has an obviously strong bias toward Windows 2003 exams and includes a new exam, 70-299, Implementing and Administering Security in a Windows Server 2003 Network, in the security specialization portion:
MCSA: Security on Windows 2003
Core: Client (1 required)
*70-210, Installing, Configuring, and Administering Windows 2000 Professional
or
*70-270, Installing, Configuring, and Administering Windows XP Professional
Core: Networking Systems
(2 required)
*70-290, Managing and Maintaining a Windows Server 2003 Environment
*70-291, Implementing, Managing, and Maintaining a
Windows Server 2003 Network Infrastructure
Security Specialization
(2 required or one )
*70-227, Installing, Configuring, and Administering Internet Security and Acceleration Server 2000, Enterprise Edition
and
*70-299, Implementing and Administering Security in a Windows Server 2003 Network
or
*SY0-101, CompTIA Security+
The MCSE: Security on Windows 2003 maps differently from its Windows 2000 counterpart. Whereas the Windows 2000 track lists four core and three specialization requirements, the newer version lists five core and three security specialist exams (eight total), as shown here:
MCSE: Security on Windows 2003
Core: Client (1 required)
*70-210, Installing, Configuring, and Administering Windows 2000 Professional
or
*70-270, Installing, Configuring, and Administering Windows XP Professional
Core: Networking Systems
(4 required)
*70-290, Managing and Maintaining a Windows Server 2003 Environment
*70-291, Implementing, Managing, and Maintaining a
Windows Server 2003 Network Infrastructure
*70-293, Planning and Maintaining a Windows Server 2003 Network Infrastructure
*70-294, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure
Security Specialization: Core Design
(1 required)
*70-298, Designing Security for a Windows Server 2003 Network
Security Specialization: Core Security
(2 required)
* 70-227, Installing, Configuring, and Administering Internet Security and Acceleration Server 2000, Enterprise Edition
and
* 70-299, Implementing and Administering Security in a Windows Server 2003 Network
or
* SY0-101, CompTIA Security
Implementing and Administering Security in a Microsoft Windows Server 2003 Network Skills measured by exam 70-299
Implementing, Managing, and Troubleshooting Security Policies
Plan security templates based on computer role. Computer roles include SQL Server computer, Microsoft Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server.
*Configure security templates.
*Configure registry and file system permissions.
*Configure account policies.
*Configure .pol files.
*Configure audit policies.
*Configure user rights assignment.
*Configure security options.
*Configure system services.
*Configure restricted groups.
*Configure event logs.
Deploy security templates.
*Plan the deployment of security templates.
*Deploy security templates by using Active Directory-based Group Policy objects (GPOs).
*Deploy security templates by using command-line tools and scripting.
Troubleshoot security template problems.
*Troubleshoot security templates in a mixed operating system environment.
*Troubleshoot security policy inheritance.
*Troubleshoot removal of security template settings.
Configure additional security based on computer roles. Server computer roles include SQL Server computer, Exchange Server computer, domain controller, Internet Authentication Service (IAS) server, and Internet Information Services (IIS) server. Client computer roles include desktop, portable, and kiosk.
*Plan and configure security settings.
*Plan network zones for computer roles.
*Plan and configure software restriction policies.
*Plan security for infrastructure services. Services include DHCP and DNS.
*Plan and configure auditing and logging for a computer role. Considerations include Windows Events, Internet Information Services (IIS), firewall log files, Netlog, and RAS log files.
*Analyze security configuration. Tools include Microsoft Baseline Security Analyzer (MBSA), the MBSA command-line tool, and Security Configuration and Analysis.
Implementing, Managing, and Troubleshooting Patch Management Infrastructure
Plan the deployment of service packs and hotfixes.
*Evaluate the applicability of service packs and hotfixes.
*Test the compatibility of service packs and hotfixes for existing applications.
*Plan patch deployment environments for both the pilot and production phases.
*Plan the batch deployment of multiple hotfixes.
*Plan rollback strategy.
Assess the current status of service packs and hotfixes. Tools include MBSA and the MBSA command-line tool.
*Assess current patch levels by using the MBSA GUI tool.
*Assess current patch levels by using the MBSA command-line tool with scripted solutions.
Deploy service packs and hotfixes.
*Deploy service packs and hotfixes on new servers and client computers. Considerations include slipstreaming, custom scripts, and isolated installation or test networks.
*Deploy service packs and hotfixes on existing servers and client computers.
Implementing, Managing, and Troubleshooting Security for Network Communications
Plan IPSec deployment.
*Decide which IPSec mode to use.
*Plan authentication methods for IPSec.
*Test the functionality of existing applications and services.
Configure IPSec policies to secure communication between networks and hosts. Hosts include domain controllers, Internet Web servers, databases, e-mail servers, and client computers.
*Configure IPSec authentication.
*Configure appropriate encryption levels. Considerations include the selection of perfect forward secrecy (PFS) and key lifetimes.
*Configure the appropriate IPSec protocol. Protocols include Authentication Header (AH) and Encapsulating Security Payload (ESP).
*Configure IPSec inbound and outbound filters and filter actions.
Deploy and manage IPSec policies.
*Deploy IPSec policies by using Local policy objects or Group Policy objects (GPOs).
*Deploy IPSec policies by using commands and scripts. Tools include IPSecPol and NetSh.
*Deploy IPSec certificates. Considerations include deployment of certificates and renewing certificates on managed and unmanaged client computers.
Troubleshoot IPSec.
*Monitor IPSec policies by using IP Security Monitor.
*Configure IPSec logging. Considerations include Oakley logs and IPSec driver logging.
*Troubleshoot IPSec across networks. Considerations include network address translation, port filters, protocol filters, firewalls, and routers.
*Troubleshoot IPSec certificates. Considerations include enterprise trust policies and certificate revocation list (CRL) checking.
Plan and implement security for wireless networks.
*Plan the authentication methods for a wireless network.
*Plan the encryption methods for a wireless network.
*Plan wireless access policies.
*Configure wireless encryption.
*Install and configure wireless support for client computers.
Deploy, manage, and configure SSL certificates, including uses for HTTPS, LDAPS, and wireless networks. Considerations include renewing certificates and obtaining self-issued certificates instead of publicly issued certificates.
*Obtain self-issued certificates and publicly issued certificates.
*Install certificates for SSL.
*Renew certificates.
*Configure SSL to secure communication channels. Communication channels include client computer to Web server, Web server to SQL Server computer, client computer to Active Directory domain controller, and e-mail server to client computer.
Configure security for remote access users.
*Configure authentication for secure remote access. Authentication types include PAP, CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5, EAP-TLS, and multifactor authentication that combines smart cards and EAP.
*Configure and troubleshoot virtual private network (VPN) protocols. Considerations include Internet service provider (ISP), client operating system, network address translation devices, Routing and Remote Access servers, and firewall servers.
*Manage client configuration for remote access security. Tools include remote access policy and the Connection Manager Administration Kit.
Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI
*Plan and configure authentication.
*Plan, configure, and troubleshoot trust relationships.
*Plan and configure authentication protocols.
*Plan and configure multifactor authentication.
*Plan and configure authentication for Web users.
*Plan and configure delegated authentication.
Plan group structure.
*Decide which types of groups to use.
*Plan security group scope.
*Plan nested group structure.
Plan and configure authorization.
*Configure access control lists (ACLs).
*Plan and troubleshoot the assignment of user rights.
*Plan requirements for digital signatures.
*Install, manage, and configure Certificate Services.
*Install and configure root, intermediate, and issuing certification authorities (CAs). *Considerations include renewals and hierarchy.
*Configure certificate templates.
*Configure, manage, and troubleshoot the publication of certificate revocation lists (CRLs).
*Configure archival and recovery of keys.
*Deploy and revoke certificates to users, computers, and CAs.
*Backup and restore the CA.
You'll need experience with PKI, permissions, patch management, and troubleshooting under Windows 2003 before tackling this security exam.
The latest exam to come from Microsoft is aimed at administrators who deal daily with maintaining security, and it requires specific knowledge and hands-on experience with Windows Server 2003 PKI, permissions, patch management, and troubleshooting. If you're familiar with Exam 70-214, Implementing and Administering Security in a Windows 2000 Network, consider 299 an update of that exam.
In this review, I help you prepare by covering some of the objectives as listed in the exam preparation guide.
Implementing,Managing, and Troubleshooting Security Policies
Topics under this objective range from configuring, deploying, and troubleshooting security templates to configuring permissions and security settings on desktop and server computers.
The rule of thumb: Disable unnecessary services. This closes the listening network port and reduces the attack surface of a computer. Windows Server 2003 has many new security templates and security settings beyond those found in Windows 2000 Server--somewhere close to 600 additional settings. And with the release of SP1 due out this year, security configuration choices of servers will not only become more powerful but also more complex.
Group Policy Objects are where it's at. For almost any size of Windows network, if you have deployed Active Directory, the killer feature is GPO. Security templates are a quick and easy way of securing computers in the domain with common configuration settings. When studying the Products and Technologies link; Windows Server 2003 at the Security Guidance Center, pay particular attention to the different requirements for securing domain controllers, IAS servers, Exchange servers, SQL servers, and IIS servers.
Using GPOs, you can configure desktop and client computers for permissions. One common method among Windows administrators is to assign a user local administrator access to their desktop computer. This allows users to install software and change system settings, but this method can sometimes bite you in the butt!
Windows Server 2003 security templates now include software restriction policies which are a smarter method of allowing users to install and run tested and approved software on their desktop. SRPs are a collection of policies that define what software can run based on group policy security levels. Exceptions can be created based on the hash rule types; certificates, paths, registries, and even Internet Explorer zones.
Administering Security (70-299)
Reviewer's Rating
This exam is an update of the Windows 2000 exam 70-214 and will test your knowledge of Windows Server 2003 PKI, permissions, patch management, and troubleshooting.
Exam Title
70-299: Implementing and Administering Security in a Windows Server 2003 Network
Who Should Take It
Candidates for MCSA or MCSE on Windows Server 2003
Course
2823: Implementing and Administering Security in a Microsoft Windows Server 2003 Network
Exam Objectives
http://www.microsoft.com/traincert/exams/70-299.asp
Tip: Only one password policy using Group Policy Objects can be configured per domain.
Gpupdate replaces Secedit /refreshpolicy in Windows Server 2003. Gpupdate can be used to force group policy settings for immediate compliance and recover a computer with incorrect settings applied. To troubleshoot a computer that has been locked down incorrectly to the point of where you can't log on with the domain administrator account, restart the computer in Safe Mode, log on as the local administrator, run gpupdate, restart the computer in normal mode, and then log on normally.
Tip: Group policy loopback processing mode can be used to override user-based settings on a computer with a computer policy.
Secedit at the command line, and the Security Configuration and Analysis snap-in can be used in Windows Server 2003 to analyze, configure, and validate computer security configuration settings.
Implementing, Managing, and Troubleshooting Patch Management Infrastructure
Topics included: planning the deployment of service packs and hotfixes, verifying with MBSA, to SUS deployment and administration. This is certainly a hot topic for many of us: patch management. Unless you're an administrator who has been hiding in a server closet for the past 24 months, you've no doubt had your challenges with patch management — a nightmare if not done correctly. Patch management is one of the key aspects of securing a network.
In the exam world — which can be completely different from the real world- patch management of Windows computers must be done with Microsoft's free tools: the Microsoft Baseline Security Analyzer and Software Update Services. MBSA is a network-based scanning tool that runs on Windows 2000, XP, and 2003 operating systems; it looks for missing patches and security updates on all flavors of Windows down to Windows NT 4.0. It also supports scanning of IIS, SQL, and Exchange servers. MBSA comes in both a GUI wizard version and a command line version called mbsacli.exe.
Windows Update is a client-side scanning tool that can check for installed and missing patches and service updates against the Windows Update web site or a locally installed SUS server. And along with Automatic Updates, Windows computers can be configured to download and install patches and service packs at scheduled intervals. Server and client computers can be configured to connect to and scan for available updates from SUS servers using Group Policy, SMS (Systems Management Server) with the SUS Feature Pack, or logon scripts if Active Directory has not been deployed. If users aren't granted local administrator level access to their desktop, Automatic Updates can be configured for a scheduled date and time to install the updates and restart the computer automatically.
SUS servers deployed within a network allow administrators to collect, approve and distribute critical updates for server and client computers. SUS parent servers can be configured to synchronize with the Microsoft Windows Update Web site and pass updates to child SUS servers, which, in turn, distribute the updates to the server and client computers on the network.
Tip: For failed deployments of patches or service packs with SUS, you must cancel approval of the update on the SUS server to prevent further installations.
Implementing, Managing, and Troubleshooting Security for Network Communications
Most of the topics here center on IPSec for securing network data. You'll also find a sprinkle of data security as it relates to wireless, SSL and remote access networks. My exam seemed to include many questions regarding IPSec authentication headers! I'll briefly cover each of the network data security protocols and methods.
IPSec is a rule-based security protocol that protects data traffic. It uses on-demand authentication and encryption between two end points. IPSec packets are signed with certificates, verified, encrypted and decrypted at the OSI network layer, making the process transparent to upper layer protocols. L2TP and IPSec can be used to create VPNs. IPSec can be used in two modes; AH (Authentication Header) and ESP (Encapsulating Security Payload). AH packets can be routed without loss or change to the header signature. ESP packets can use either DES (Data Encryption Standard) or 3DES in the Transport or Tunnel modes. In Transport mode, ESP encrypts the entire data packet with the exception of the header. In Tunnel mode, ESP encrypts the entire packet for VPN connections. Using AH and ESP together provides the most secure data transmission.
AH can be implemented using Kerberos, certificates, or preshared keys! IPSec is a wide-ranging protocol and includes many small details. Be sure and study it and IPSec policies thoroughly prior to the exam.
Tip: IPSec traffic cannot pass through older NAT servers.
SSL (Secure Sockets Layer) and TLS (Transport Level Security) both use public key and symmetric key encryption for TCP-based communications. They provide session encryption and integrity, and server authentication. This prevents eavesdropping, tempering, and message forging. Both SSL and TLS require digital certificates! SSL and TLS can be used to secure web, email, news, and FTP traffic.
PPTP over TCP/IP can be used to secure upper layer protocol traffic between clients and servers for such things as VPNs. It uses either PAP (Password Authentication Protocol) or MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) for the exchange process of credentials. PPTP traffic can pass through all NAT servers, but PPTP does not provide for data integrity.
SMB (Server Message Block) signing can be used to secure client-to-server file sharing traffic on a Windows network. SMB signing can be enabled using GPOs and uses a method of digital signing and a keyed hash to protect the integrity of each SMB packet.
WEP (Wired Equivalent Privacy) is used to secure wireless data traffic between wireless clients and access points connected to a wired network.
Remote client traffic can be secured using various methods and protocols. PPTP and IPSec/L2TP to create a VPN connection are becoming the most widely used.
EAP-TLS (for Extensible Authentication Protocol-Transport Level Security) is the most secure remote access method and protocol. Because of its support for two-factor authentication with the use of smart cards or USB keys, and certificates, it meets all the requirements of message and data CIA (Confidentiality Integrity Authentication).
Tip: If the network includes smart cards and certificate services is present to issue both user and computer certificates, use EAP-TLS for the most security.
For the exam you'll also need to be familiar with CMAK (Connection Manager Administration Kit), a tool for managing remote connections and remote access policies. CMAK allows administrators to pre-configure remote access clients, add custom behavior and appearance and provide an updateable phonebook that users can turn to and find the most convenient dial-up access numbers. When gaining that all-important hands-on experience for this exam, be sure to load up CMAK and create a profile or two.
Familiarity with Microsoft's Internet Security and Acceleration server is also a must for this exam. ISA server provides perimeter firewall services, proxy caching services, policy-based access control, secure web publishing, and intrusion detection services.
Tip: Client computers may need to install the ISA server firewall client to access the internal or external network.
Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI
This objective includes topics such as authentication, authorization, security groups, and certificate services. Know your group types, distribution and security, scopes; universal, domain local, global, local, and the recommended group strategy; A-G-DL-P Accounts get placed into Global groups which get placed into Domain Local groups which are assigned Permissions.
Tip: Group nesting is supported when a domain is at functional level Windows 2000 native or higher.
The special group type, Self, represents the permissions assigned to the ACE (Access Control Entry) of a user, group, or computer and is a placeholder for that security principal.
Trust relationships are something you should be familiar with at this point in your MCSA/MCSE studies. Remember that an external trust can be used to connect to a domain in another forest, and a shortcut trust is used to speed authentication between domains — they are both one way trusts! Forest-level trusts can be set up between Windows Server 2003 forests.
Certificate services-related questions are present on many of the Windows 2003 MCSA and MCSE exams. If this exam is your first exposure to Microsoft certification, you'll need to study everything about certificate services to pass. Configuring, deploying, revoking, and managing user and computer certificates is necessary for many of the security-related technologies discussed thus far. A digital certificate verifies the identity of a user, computer, or program. It contains information about the issuer and subject and is signed by the CA. Certificate templates define the format and content for the certificate's intended use. Only enterprise CAs can issue certificates based on certificate templates! Certificate templates can be issued for a variety of reasons; web servers, email, EFS (Encrypting File System), smart cards, remote access, and IPSec to name just a few.
Certificate deployment can be handled using various methods such as autoenrollment, enrollment agents, and Web-based enrollment. Web-based is a popular method, whereby the user connects to the CA and requests a certificate, relies on the CA administrator to approve the request, then installs the certificate on the computer. Autoenrollment can be controlled using GPOs for computers running Windows 2000, XP, and 2003. This type of certificate can be used for smart card logon, EFS, and IPSec authentication.
Certificate revoking is performed by the CA administrator when a certificate is compromised. The Certificate Revocation List (CRL) is published to the network. Certificates can be lost due to a deleted user profile, reinstallation of the user's operating system, a corrupted disk, or a stolen computer. Data Recovery Agents can be used to decrypt EFS data originally encrypted by a user's missing certificate. DRAs aren't necessary in Windows Server 2003 due to the newer Key Recovery Agents. KRAs can retrieve the original certificate along with the private and public keys. Certificates can also be exported for safe keeping and to prevent loss using Microsoft Outlook, Internet Explorer, the certificates console, or using the command line utility Certutil.exe.
10 Things to Practice
1. Explore and configure account and password policy settings for the domain GPO on your network.
2. Configure a Windows 2003 server to act as a VPN server and explore the various connection protocols supported.
3. Download, install, and configure MBSA on your test network.
4. Explore the various certificate templates and practice importing one using the Security Configuration and Analysis snap-in to compare against your existing security settings.
5. Install, configure, and enroll workstations using certificate services.
6. Install CMAK and create a profile or two.
7. Enable the three types of IPSec policies (client respond, request security, and require security) between two networked computers and observe the results.
8. Install and configure an SUS server on your test network--download updates and approve them for workstations.
9. Create a couple of SRPs using hash, path, and certificates. Apply them.
10. Configure GPOs to secure the various server roles in a Windows network: DCs, Member Servers, Workstations, Exchange, IIS, and IAS.
As all of us know well that Microsoft is one of the leading vendor in both system software and applications software. It develops, manufactures wide range of software applications for computers usage. Microsoft is well known in developing Microsoft windows operating system and Microsoft Office Operating System. Its headquarters is in Redmond, Washington, USA and it was founded in 1980s to develop and sell basic applications for Attair 8800 with a mission “computer on every desk and in every home with Microsoft software”. Its founders were Bill Gates and Paul Allen.
What is MCSE Certification?
MCSE stands for Microsoft Certified System Engineer which is one of the most popular certification offered by Microsoft along with MCSA and MCSD.
Having MCSE certification is a proof for your expertise in installing, managing and troubleshooting infrastructure for business solutions based on Microsoft Windows 2000 Server platform and Windows Server System.
MCSE Syllabus:
To get MCSE you must pass 7 exams.
· Four core exams on networking systems
· One core exam on client operating system
· One Core design exam
· One elective exam
Four Core Exams on Networking Systems (All Necessary)
Exam 70-290 (Managing and Maintaining a Windows Server 2003 Environment)
Exam 70-291 (Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure).
Exam 70-293 (Planning and Maintaining a Windows Server 2003 Network Infrastructure)
Exam 70-294 (Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure)
One Core Exam on Client Operating System (choose one)
Exam 70-620 (Windows Vista, Configuring)
Exam 70-270 (Installing, Configuring, and Administering Windows XP Professional)
Exam 70-210 (Installing, Configuring, and Administering Microsoft Windows 2000 Professional)
One Core Design Exam (choose one)
Exam 70-297 (Designing a Windows Server 2003 Active Directory and Network Infrastructure)
Exam 70-298(Designing Security for a Windows Server 2003 Network)
One Elective Exam (choose one)
70-086 Exam (Implementing and Supporting Microsoft Systems Management Server 2.0)
70-089 Exam (Planning, Deploying, and Managing Microsoft Systems Management Server 2003)
70-227 Exam (Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition)
70-228 Exam (Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition)
70-229 Exam (Designing and Implementing Databases with Microsoft SQL Server 2000 Enterprise Edition)
70-235 Exam (Developing Business Process and Integration Solutions Using Microsoft BizTalk Server)
70-236 Exam (Microsoft Exchange Server 2007, Configuring)
70-262 Exam (Microsoft Office Live Communications Server 2005 – Implementing, Managing, and Troubleshooting)
70-281 Exam (Planning, Deploying, and Managing an Enterprise Project Management Solution)
70-282 Exam (Designing, Deploying, and Managing a Network Solution for a Small- and Medium-Sized Business)
70-284 Exam (Implementing and Managing Microsoft Exchange Server 2003)
70-285 Exam (Designing a Microsoft Exchange Server 2003 Organization)
70-297 Exam (Designing a Windows Server 2003 Active Directory and Network Infrastructure)
70-298 Exam (Designing Security for a Windows Server 2003 Network)
70-299 Exam (Implementing and Administering Security in a Windows Server 2003 Network)
70-301 Exam (Managing, Organizing, and Delivering IT Projects by Using Microsoft Solutions Framework 3.0)
70-350 Exam (Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004)
70-351 Exam (Microsoft Internet Security and Acceleration (ISA) Server 2006, Configuring)
70-400 Exam (Microsoft System Center Operations Manager 2007, Configuring)
70-401 Exam (Microsoft System Center Configuration Manager 2007, Configuring)
70-431 Exam (Microsoft SQL Server 2005 – Implementation and Maintenance)
70-445 Exam (Microsoft SQL Server 2005 Business Intelligence – Implementation and Maintenance)
70-500 Exam (Microsoft Windows Mobile Designing, Implementing, and Managing)
70-557 Exam (Microsoft Forefront Client and Server, Configuration)
70-620 Exam (Windows Vista, Configuring)
70-624 Exam (Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops)
70-630 Exam (Microsoft Office SharePoint Server 2007, Configuring)
70-631 Exam (Windows SharePoint Services 3.0, Configuring)
70-638 Exam (Microsoft Office Communications Server 2007, Configuring)
70-649
MCSE Benefits:
After becoming certified you may stands out with employers with your credential proof to get job in IT industry worldwide. MCSE engineer can earn from $55,000 to 90,000 per annum in USA and also MCSE certified has great respect in IT industry because of being well qualified and sound knowledge with skills. Also there are some other benefits to MCSE certified like 50% discount on TechNet during 5 years of certification, discount on products and services from selected organizations as well.
MCSE Training Resources
For any type of learning Internet is your best partner. However you may find Microsoft training material online for any Microsoft certification training. You may download authentic material here prepared by experienced and certified IT experts.
MCSE industry value?
Microsoft Windows Server strength in market these days shows the demand of related IT expertise and it clearly shows demands for years to come. MCSE certification is necessary for both business owners and employees. If you are hiring manager, team member then you should have good related knowledge. MCSE credential is a proof to show your ability to analyze the business needs for information system solutions along with designing and implementing infrastructure based on Windows Server 2003.
What is MCSE Certified Salary?
As I have mentioned above that MCSE Certified can earn from $55,000 to 90,000 per annum.
What are the prerequisites?
There are not prerequisites for MCSE certification at all. You just need little experience of using computer which I think every already got.
To learn how to go about applying and administering security in a Microsoft Windows Server 2003 Network, Microsoft has arisen with the 70-299 Exam. This exam is obtainable in a diversity of languages including English, French, German, Japanese, Spanish, and still a simplified version of Chinese. Like mainly other Microsoft exams, this one is also geared towards as long as core credits for a Microsoft certification, which in this container is MCSA OR Microsoft Certified System Administrator. Microsoft has a assortment of certifications for beginners and IT professionals, two of the most well-known being MCSA 2003 Certification and MCSE 2003 Certification or Microsoft Certified Systems Engineer.Each certification has a set of exams linked with it, and when a person clears all these exams, he/she gets the documentation.
This 70-299 Exam provides the applicant with a MCP Certification or Microsoft Certified Professional position after clearing it. It also provides with core credits for MCSA, and
MCSE: Security on Microsoft Windows Server 2003. Moreover, it also gives not obligator credits for MCSA, and MCSE on Microsoft Windows Server 2003. There is a diversity of technical tasks that you need to identify in order to clear this demanding exam. Thus, the skills measured comprise implementing, managing and troubleshooting security policies; implementing, managing and troubleshooting scrap management infrastructure; implementing, managing and troubleshooting security for networkcommunications;and preparation,onfiguring and troubleshooting authentication, authorization and PKI. All Microsoft exams are fairly challenging to clear, and the 70-299 one is not dissimilar.Microsoft recommends that people have thorough hypothetical as well as practical information with hands- on experience and practice.
There is classroom training on hand for the exam along with a variety of online possessions that candidates appearing for the exam can access. Apart from these, there are various other kinds of preparation equipment too that one can easily find in the marketplace.The Microsoft 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam is one of the more difficult of the core exams for the Microsoft Certified Systems Engineer (MCSE) certifications based on Windows Server 2003. This Microsoft 70-299 exam measures the skills related to planning, implementing, and maintaining security in medium to very large network environments based on the Windows Server 2003 operating system. This Microsoft 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam is intended for MCSE candidates who work in medium to very large computing environments supporting 250 to more than 5000 users and use Windows Server 2003 as its network operating system and Windows XP Professional or Windows 2000 Server Professional on its client computers.
The Microsoft 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam tests a candidates ability to plan, implement, and maintain security in a Windows Server 2003 network in medium to very large network environments. It is advised that you have a minimum of six to twelve months experience in administering clients and network operating systems in medium to very large corporations. There are no prerequisites for the Microsoft 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam. Once you pass the Microsoft 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam the candidate will achieve Microsoft Certified Professional (MCP) status if it is the first MCSE Certification that you pass.
Is Windows 2003 Implementing Security exam right for you?
This prepares you for various job roles, which include systems engineer, systems administrator, network administrator, information systems administrator, technical support engineers, systems analysts, network analysts and technical consultants. If you would like to know more about the Windows 2003 Security Admin 70-299 test please visit the Microsoft website.
The test is appropriate for you if you are working or want to work in a typically complex computing environment of medium-to-large organizations. There are no specific prerequisites for this test, although it is recommended that you should have at least one year of experience in implementing and administering network operating systems in network environments.
What to expect in Windows 2003 Implementing Security exam?
This test consists of Multiple Choice, Hot Area, Drag, and Drop, Build list and reorder, and Build a Tree questions. The test can be adaptive and simulation
questions might be asked. This test includes Case study type questions. You will be required to attempt approximately 50 questions in 150 minutes. To pass,
you need a score of 700.
How to prepare for Windows 2003 Implementing Security exam?
The Microsoft exam 70-299 exam measures an individual’s ability to implement and administer security in a Microsoft Windows Server 2003 Network.
Before taking the 70-299 exam, you should practice the following:
*Plan security templates based on computer roles
*Troubleshoot security template problems in a mixed operating system environment
*Configure registry and file system permissions, account policies, policies files, audit policies, user rights assignment, security options, system services,restricted groups, and event logs
*Deploy security templates by using Active Directory-based Group Policy objects (GPOs) and by using command-line tools and scripting
Microsoft Windows Vista configuring exam will consis of Simulations, MCQs, Drag & Drop, Tree questions and hot area questions. Microsoft 70-620 certification exam is available in different languages such as English, Italian, Korean, Chinese, Spanish and Portuguese etc.
The Microsoft Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam tests a candidates ability to plan, implement, and maintain security in a Windows Server 2003 network in medium to very large network environments. It is advised that you have a minimum of six to twelve months experience in administering clients and network operating systems in medium to very large corporations.
There are no prerequisites for the Microsoft 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam. Once you pass the Microsoft 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam the candidate will achieve Microsoft Certified Professional (MCP) status if it is the first Microsoft certification exam that you pass.
The Microsoft 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam is one of the more difficult of the core exams for the Microsoft Certified Systems Engineer (MCSE) certifications based on Windows Server 2003. This Microsoft 70-299 exam measures the skills related to planning, implementing, and maintaining security in medium to very large network environments based on the Windows Server 2003 operating system. This Microsoft and Administering Security in a Microsoft Windows Server 2003 Network exam is intended for MCSE candidates who work in medium to very large computing environments supporting 250 to more than 5000 users and use Windows Server 2003 as its network operating system and Windows XP Professional or Windows 2000 Server Professional on its client computers.
You'll need experience with PKI, permissions, patch management, and troubleshooting under Windows 2003 before tackling this security exam.
The latest exam to come from Microsoft is aimed at administrators who deal daily with maintaining security, and it requires specific knowledge and hands-on experience with Windows Server 2003 PKI, permissions, patch management, and troubleshooting. If you're familiar with Exam 70-214, Implementing and Administering Security in a Windows 2000 Network, consider 299 an update of that exam.
In this review, I help you prepare by covering some of the objectives as listed in the exam preparation guide.
Implementing, Managing, and Troubleshooting Security Policies
Topics under this objective range from configuring, deploying, and troubleshooting security templates to configuring permissions and security settings on desktop and server computers.
The rule of thumb: Disable unnecessary services. This closes the listening network port and reduces the attack surface of a computer. Windows Server 2003 has many new security templates and security settings beyond those found in Windows 2000 Server--somewhere close to 600 additional settings. And with the release of SP1 due out this year, security configuration choices of servers will not only become more powerful but also more complex.
Group Policy Objects are where it's at. For almost any size of Windows network, if you have deployed Active Directory, the killer feature is GPO. Security templates are a quick and easy way of securing computers in the domain with common configuration settings. When studying the Products and Technologies link; Windows Server 2003 at the Security Guidance Center, pay particular attention to the different requirements for securing domain controllers, IAS servers, Exchange servers, SQL servers, and IIS servers.
Using GPOs, you can configure desktop and client computers for permissions. One common method among Windows administrators is to assign a user local administrator access to their desktop computer. This allows users to install software and change system settings, but this method can sometimes bite you in the butt!
Windows Server 2003 security templates now include software restriction policies which are a smarter method of allowing users to install and run tested and approved software on their desktop. SRPs are a collection of policies that define what software can run based on group policy security levels. Exceptions can be created based on the hash rule types; certificates, paths, registries, and even Internet Explorer zones.
To learn how to go about applying and administering security in a Microsoft Windows Server 2003 Network, Microsoft has arisen with the exam 70-299. This exam is obtainable in a diversity of languages including English, French, German, Japanese, Spanish, and still a simplified version of Chinese. Like mainly other Microsoft exams, this one is also geared towards as long as core credits for a Microsoft certification, which in this container is MCSA OR Microsoft Certified System Administrator. Microsoft has a assortment of certifications for beginners and IT professionals, two of the most well-known being MCSA 2003 Certification and MCSE 2003 Certification or Microsoft Certified Systems Engineer. Each certification has a set of exams linked with it, and when a person clears all these exams, he/she gets the documentation.
This 70-299 Exam provides the applicant with a MCP Certification or Microsoft Certified Professional position after clearing it. It also provides with core credits for MCSA, and MCSE: Security on Microsoft Windows Server 2003. Moreover, it also gives not obligatory credits for MCSA, and MCSE on Microsoft Windows Server 2003.
There is a diversity of technical tasks that you need to identify in order to clear this demanding exam. Thus, the skills measured comprise implementing, managing and troubleshooting security policies; implementing, managing and troubleshooting scrap management infrastructure; implementing, managing and troubleshooting security for network communications; and preparation, configuring and troubleshooting authentication, authorization and PKI.
All Microsoft exams are fairly challenging to clear, and the 70-299 one is no dissimilar. Microsoft recommends that people have thorough hypothetical as well as practical information with hands- on experience and practice. There is classroom training on hand for the exam along with a variety of online possessions that candidates appearing for the exam can access. Apart from these, there are various other kinds of preparation equipment too that one can easily find in the marketplace.
Is Windows 2003 Implementing Security exam right for you?
This test prepares you for various job roles, which include systems engineer, systems administrator, network administrator, information systems administrator, technical support engineers, systems analysts, network analysts and technical consultants. If you would like to know more about the Windows 2003 Security Admin 70-299 test please visit the Microsoft website.
The test is appropriate for you if you are working or want to work in a typically complex computing environment of medium-to-large organizations. There are no specific prerequisites for this test, although it is recommended that you should have at least one year of experience in implementing and administering network operating systems in network environments.
What to expect in Windows 2003 Implementing Security exam?
This test consists of Multiple Choice, Hot Area, Drag, and Drop, Build list and reorder, and Build a Tree questions. The test can be adaptive and simulation questions might be asked. This test includes Case study type questions. You will be required to attempt approximately 50 questions in 150 minutes. To pass, you need a score of 700.
How to prepare for Windows 2003 Implementing Security exam?
The Microsoft exam 70-299 exam measures an individual’s ability to implement and administer security in a Microsoft Windows Server 2003 Network. Before taking the 70-299 exam, you should practice the following:
*Plan security templates based on computer roles
*Troubleshoot security template problems in a mixed operating system environment
*Configure registry and file system permissions, account policies, .pol files, audit policies, user rights assignment, security options, system services, restricted groups, and event logs
*Deploy security templates by using Active Directory-based Group Policy objects (GPOs) and by using command-line tools and scripting
Implementing and Administering Security in a Microsoft Windows Server 2003 Network -- is a core exam for both the MCSE: Security and MCSA: Security and an elective for the regular MCSE and MCSA exams. In Certcities.com’s list of 10 Hottest Certifications for 2005, MCSE: Security ranked as the number #2 certification, indicating a great many of us will be planning to take this exam this year. Although your exam preparation should be guided by Microsoft’s preparation guide here are a few of the key areas you’ll need to keep in mind as you prep for this exam.
Tip #1: Know Your Group Policy
Although not specifically mentioned in the exam objectives, this exam assumes you that already have mastered group policy objects (GPOs) and can use them as needed. For example, security templates (Tip #2) feature heavily in the exam objectives, and group policy is usually the preferred way to easily deploy them.
As a refresher, GPOs are used to specify settings for computers and users. On a specific machine you use the new command gpupdate /force to make a policy change effective immediately rather than waiting for the scheduled refresh to take effect.
In order to review the effective policies in place, you can either review the results of the gpresult command, the Resultant Set of Policies (RSoP) MMC snap-in or in the Help and Support Center - Advanced System Information option.
GPOs can be deployed to the local machine or in AD at the site, domain or OU level. The order that policies are applied in is local, site, domain then OU. GPOs processed last have higher precedence.
Go here for a lengthy whitepaper that thoroughly discusses group policy in Windows 2003.
Tip #2: Manage Security Templates
The exam objectives expect that you are able to configure, deploy and troubleshoot security templates. These are templates are text files allow you set the following:
*Account policies (password policy, account lockout policy, Kerberos policy)
*Local policies (audit policies, user rights assignment, security options)
*Event logs (Application, Security, and System event logs)
*Restricted Group Policy
*Services
*Registry permissions
*File and folder permissions
There are a number of preconfigured templates that come with Windows 2003, or you can create your own. Because these existing templates progressively build on each other, it is recommended that you don’t edit these directly, but instead make a copy of one and edit and deploy your modified copy. Once you have these security templates they can be imported into Group Policy and deployed via Active Directory.
Go here for a Microsoft Knowledge Base article on starting to use the new Security Template snap-in. Microsoft expects MCSA: Security and MCSE: Security candidates to be comfortable in making settings changes for the categories listed above using a security template and then deploying them using all of the available methods.
The exam objectives also mention configuration of .pol files that are used for Windows 95/98/Me and NT 4.0. These are done with System Policy Editor (poledit.exe), which creates a Config.pol file for Windows 9x or Ntconfig.pol for NT 4.0 that then have to be copied to the Netlogon share on a domain controller once complete.
Tip #3: Tackle the Tools
The Security Configuration and Analysis snap-in imports security template(s) into a database, which can then be used to compare against the current settings on that computer. There is also the option to configure the computer settings by using the template.
Secedit.exe is the command line tool that performs the same function. Both tools only run against the local machine. In order to prepare for your exam you will need to be conversant with both tools.
Tip #4: Master MBSA
Microsoft Baseline Security Analyzer is Microsoft’s free tool to produce security reports for Windows and associated programs (IE, Office, Media Player, SQL Server, etc). It can be run as a GUI or instead via mbsacli.exe on the command line, which lends itself to scripting. While not without limitations, one of the cool things you can do with the tool is scan multiple machines within a subnet to find servers and report on their security status. Go here to download this tool and learn more about it, including understand the requirements to run it correctly and the various command line options available.
Tip #5: Learn To Manage SUS and Automatic Updates
Keeping our computers patched with Microsoft software is often the bane of our lives; however, Microsoft has released some free tools to use to ease the pain. Although in many cases you may use commercial tools with additional functionality to do this, since this is a Microsoft exam Microsoft expects candidates to know how to put an end to end patch solution together using these tools.
The Automatic Update client runs as a service that checks a server (either Microsoft’s site or your own SUS site) for updates. Depending on your client settings (you can set them at My Computer – Properties, Automated Updates tab), once enabled there are settings to:
*Notify user before downloading or installing.
*Download automatically and notify user before installing.
*Automatically download and install them on a schedule.
SUS (Software Update Services) is Microsoft’s product that runs on an IIS server to download patches from Microsoft and serves clients in your enterprise. Once installed you manage it using the Web interface at http://servername/SUSAdmin. The synchronization of patches from Microsoft can either be done via a schedule or immediately if needed. Once patches are downloaded from Microsoft onto your SUS server, you need to approve the updates to make them available for clients.
Group Policy can be used to change your client configuration for Automatic Updates. When editing a GPO, select Computer Configuration, Administrative Templates, Windows Components, Windows Update then Configure Automatic Updates. You can change how clients download and install patches as per the settings described earlier, as well as the location of SUS server used instead of the default Microsoft site.
SUS can be downloaded from here. There is also a Microsoft white paper on patch management using SUS available here. Reading about these tools is one thing, but the best option is to put this together in your lab to really understand them in detail.
Tip # 6: Secure Servers by Role
One of the recurring themes in the exam objectives is securing Windows servers depending on the intended server role. Here is a link to a section on the Microsoft Web site that has some guidelines on managing security, including specific mentions of domain controller, Internet Authentication Service (IAS) server and Internet Information Services (IIS) server.
One key lesson in securing Windows servers is to only have the absolutely necessary services running on it, since every unused service can potentially be an area of possible exposure. Therefore you should have a good knowledge of the Windows services are so you can determine what you need and don’t need for each type of server role.
Tip #7: Get a Grip on Groups Basics
For many of us who have been working with the product for a while, we're well aware of the different group types (security and distribution) and the different scope types (universal, domain and local). Your domain needs to be at a minimum of Windows 2000-native level in order to use universal groups or nested groups.
The basics for granting access to resources hasn’t changed – this is commonly referred by the acronym AGDLP (put accounts into global groups; put these into domain local groups that are granted permission for the resource). So provided you remember the basic rules here, this area of the objectives should be a gimmie.
Tip #8: Conquer Certificate Services
The certificate services changes for Windows 2003 were fairly minor from Windows 2000; however, this is an area of great focus in all Windows 2003 exams.
There are two types of certification authority (CA): enterprise, which uses AD for storage and must run on a DC, and standalone, which doesn't use AD. Here are also two types of servers in a CA hierarchy: root or subordinate. The subordinate CA uses a certificate generated by the root CA.
I recommend hands-on practice with installing certificate services, requesting a certificate, deploying and revoking certificates when preparing for this exam. Know that Microsoft expects its MCSA: Security and MCSE: Security professionals to know how to create and publish CRL (Certificate Revocation List) in the Certification Authority administrative tool, which allows certificates from your CA to be validated as still being OK. It also expects candidates to know how to publish a CRL to an additional location, as well as the differences between a new CRL and a delta CRL, which is much smaller and contains only those revoked since the last time it was published.
Tip #9: Understand IPSec
IPSec is a standards-based extension to TCP/IP that facilitates secure network traffic between hosts and/or networks. It can also be used to filter network traffic to/from a server. This can be configured for the local computer policy or via GPO using the IP Security Policies snap-in or via command line tools. Go here for a Microsoft white paper that explains how IPSec works in Windows 2003 and some suggestions on when to use it (and when not to).
Tip #10: Try Reading the Manual!
There is a wealth of knowledge within the product documentation and resource kit. (Unfortunately, much of it we don’t read until something goes wrong!). Of course, some of this may well be overkill for the exam itself, but it may be very helpful background knowledge of the product for use in your day to day work -- which, after all, is one of the main reasons that we torture ourselves to take these exams in the first place! For example, here you'll find the Windows Security Collection within the Windows Server 2003 Technical Reference in the Resource Kit. This contains a lot of very pertinent information there that crosses the majority of the exam objectives.
| Advertisement |
|
|
 |