
Microsoft Press MCSA/MCSE Self-Paced Training Kit, Exam 70-293, part 8


13-20 Chapter 13 Designing a Security Infrastructure
2. You are installing an IEEE 802.11b wireless network in a private home using computers
running Windows XP, and you decide that data encryption is not necessary, but you want
to use Shared Key authentication. However, when you try to configure the network
interface adapter on the clients to use Shared Key authentication, the option is not
available. Which of the following explanations could be the cause of the problem?
a. WEP is not enabled.
b. Windows XP SP1 is not installed on the computers.
c. Windows XP does not support Shared Key authentication.
d. A PKI is required for Shared Key authentications.
3. Which of the following terms describe a wireless network that consists of two laptop
computers with wireless network interface adapters communicating directly with each
other? (Choose all that apply.)
a. Basic service set
b. Infrastructure network
c. Ad hoc network
d. Access point
Lesson Summary
■ Most wireless LANs today are based on the 802.11 standards published by the IEEE.
■ WLANs have two primary security hazards: unauthorized access to the network
and eavesdropping on transmitted packets.
■ To secure a wireless network, you must authenticate the clients before they are
granted network access and encrypt all packets transmitted over the wireless link.
■ To authenticate IEEE 802.11 wireless network clients, you can use Open System
authentication, Shared Key authentication, or IEEE 802.1X.
■ To encrypt transmitted packets, the IEEE 802.11 standard defines the Wired Equivalent
Privacy (WEP) mechanism.
Lesson 3 Providing Secure Network Administration 13-21
Lesson 3: Providing Secure Network Administration
For administrators of large networks, one of the main objectives is to minimize the
amount of travel from site to site to work on individual computers. Many of the
administration tools included with Windows Server 2003 are capable of managing services on
remote computers as well as on the local system. For example, most Microsoft Management
Console (MMC) snap-ins have this capability, enabling administrators to work on systems
throughout the enterprise without traveling. These are specialized tools used primarily
for server administration, however, that can perform only a limited number of tasks. For
comprehensive administrative access to a remote computer, Windows Server 2003
includes two tools that are extremely useful to the network administrator, called
Remote Assistance and Remote Desktop.
After this lesson, you will be able to
■ Configure Windows Server 2003 Remote Assistance
■ List the security features protecting computers that use Remote Assistance
■ Configure Windows Server 2003 Remote Desktop
Estimated lesson time: 30 minutes
Using Remote Assistance
Remote Assistance is a feature of Windows XP and Windows Server 2003 that enables a
user (an administrator, trainer, or technical support representative) at one location to
connect to a distant user’s computer, chat with the user, and either view all the user’s
activities or take complete control of the system. Remote Assistance can eliminate the need for
administrative personnel to travel to a user’s location for any of the following reasons:
Off the Record In Microsoft interfaces and documentation, the person connecting to a
client using Remote Assistance is referred to as an expert or a helper.
■ Technical support A system administrator or help desk operator can use
Remote Assistance to connect to a remote computer to modify configuration
parameters, install new software, or troubleshoot user problems.
■ Troubleshooting By connecting in read-only mode, an expert can observe a
remote user’s activities and determine whether improper procedures are the
source of problems the user is experiencing. The expert can also connect in
interactive mode to try to recreate the problem or to modify system settings to resolve
it. This is far more efficient than trying to give instructions to inexperienced users
over the telephone.
■ Training Trainers and help desk personnel can demonstrate procedures to
users right on their systems, without having to travel to their locations.
To receive remote assistance, the computer running Windows Server 2003 or Windows XP
must be configured to use the Remote Assistance feature in one of the following ways:
■ Using Control Panel Display the System Properties dialog box from the Control
Panel and click the Remote tab. Then select the Turn On Remote Assistance And
Allow Invitations To Be Sent From This Computer check box (see Figure 13-9).
Tip By clicking the Advanced button in the Remote tab in the System Properties dialog box,
the user can specify whether to let the expert take control of the computer or simply view
activities on the computer. The user can also specify the amount of time that the invitation for
remote assistance remains valid.
Figure 13-9 The Remote tab in the System Properties dialog box
■ Using Group Policies Use the Group Policy Object Editor console to open a
GPO for an Active Directory domain or organizational unit object containing the
client computer. Browse to the Computer Configuration\Administrative Templates\System\Remote
Assistance container and enable the Solicited Remote Assistance policy (see Figure 13-10).
Tip The Solicited Remote Assistance policy also enables you to specify the degree of
control the expert receives over the client computer, the duration of the invitation, and the
method for sending e-mail invitations. The Offer Remote Assistance policy enables you to
specify the names of users or groups that can function as experts, and whether those
experts can perform tasks or just observe.
Figure 13-10 The Solicited Remote Assistance Properties dialog box
Creating an Invitation
To receive remote assistance, a client must issue an invitation and send it to a particular
expert. The client can send the invitation using e-mail, Microsoft Windows Messenger,
or can save it as a file to be sent to the expert in some other manner, using the interface
shown in Figure 13-11.
Figure 13-11 The Remote Assistance page of the Help And Support Center tool
Tip When users create invitations, they can specify a password that the expert has to
supply to connect to their computers. You should urge your users to always require passwords for
Remote Assistance connections, and instruct them to supply the expert with the correct
password using a different medium from the one they are using to send the invitation.
Once the expert receives the invitation, invoking it launches the Remote Assistance
application, which enables the expert to connect to the remote computer, as shown in
Figure 13-12. Using this interface, the user and the expert can talk or type messages to
each other and, by default, the expert can see everything that the user is doing on the
computer. If the client computer is configured to allow remote control, the expert can
also click the Take Control button and operate the client computer interactively.
Figure 13-12 The expert’s Remote Assistance interface
Securing Remote Assistance
Because an expert offering remote assistance to another user can perform virtually any
activity on the remote computer that the local user can, this feature can be a significant
security hazard. An unauthorized user who takes control of a computer using Remote
Assistance can cause almost unlimited damage. However, Remote Assistance is designed to
minimize the dangers. Some of the protective features of Remote Assistance are as follows:
■ Invitations No person can connect to another computer using Remote Assistance
unless that person has received an invitation from the client. Clients can
configure the effective lifespan of their invitations in minutes, hours, or days, to
prevent experts from attempting to connect to the computer later.
■ Interactive connectivity When an expert accepts an invitation from a client
and attempts to connect to the computer, a user must be present at the client
console to grant the expert access. You cannot use Remote Assistance to connect to an
unattended computer.
■ Client-side control The client always has ultimate control over a Remote
Assistance connection. The client can terminate the connection at any time, by
pressing the Esc key or clicking Stop Control (ESC) in the client-side Remote
Assistance page.
■ Remote control configuration Using the System Properties dialog box or
Remote Assistance group policies, users and administrators can specify whether
experts are permitted to take control of client computers. An expert who has
read-only access cannot modify the computer’s configuration in any way using Remote
Assistance. The group policies also enable administrators to grant specific users
expert status, so that no one else can use Remote Assistance to connect to a client
computer, even with the client’s permission.
■ Firewalls Remote Assistance uses Transmission Control Protocol (TCP) port
number 3389 for all its network communications. For networks that use Remote
Assistance internally and are also connected to the Internet, it is recommended
that network administrators block this port in their firewalls, to prevent users
outside the network from taking control of computers that request remote assistance.
However, it is also possible to provide remote assistance to clients over the
Internet, which would require leaving port 3389 open.
Using Remote Desktop
While Remote Assistance is intended to enable users to obtain interactive help from
other users, Remote Desktop is an administrative feature that enables users to access
computers from remote locations, with no interaction required at the remote site.
Remote Desktop is essentially a remote control program for computers running
Windows Server 2003 and Windows XP; there are no invitations and no read-only
capabilities. When you connect to a computer using Remote Desktop, you can operate
the remote computer as though you were sitting at the console and perform most
configuration and application tasks.
Off the Record One of the most useful applications of Remote Desktop is to connect to
servers, such as those in a locked closet or data center, that are not otherwise easily
accessible. In fact, some administrators run their servers without monitors or input devices once
the initial installation and configuration of the computer is complete, relying solely on Remote
Desktop access for everyday monitoring and maintenance.
Exam Tip Be sure that you understand the differences between Remote Assistance and
Remote Desktop, and that you understand the applications for which each is used.
Remote Desktop For Administration is essentially an application of the Terminal
Services service supplied with Windows Server 2003. A desktop version called Remote
Desktop is included with Windows XP Professional. When you use Terminal Services
to host a large number of clients, you must purchase licenses for them. However,
Windows Server 2003 and Windows XP allow up to two simultaneous Remote Desktop
connections without the need for a separate license.
When you connect to a computer using Remote Desktop, the system creates a separate
session for you, independent of the console session. This means that even someone
working at the console cannot see what you are doing. You must log on when
connecting using Remote Desktop, just as you would if you were sitting at the console,
meaning that you must have a user account and the appropriate permissions to access
the host system. After you log on, the system displays the desktop configuration
associated with your user account, and you can then proceed to work as you normally
would.
Activating Remote Desktop
By default, Remote Desktop is disabled on computers running Windows Server 2003
and Windows XP. Before you can connect to a computer using Remote Desktop, you
must enable it using the System Properties dialog box, accessed from the Control
Panel. Click the Remote tab and select the Allow Users To Connect Remotely To This
Computer check box, as shown earlier in Figure 13-9, and then click OK.
Note Because Remote Desktop requires a standard logon, it is inherently more secure
than Remote Assistance, and needs no special security measures, such as invitations and
session passwords. However, you can also click Select Remote Users in the Remote tab to
display a Remote Desktop Users dialog box, in which you can specify the names of the only
users or groups that are permitted to access the computer using Remote Desktop. All users
with Administrator privileges are granted access by default.
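The settings this lesson configures through the Remote tab and group policy (Remote Assistance on or off, remote control, invitation lifetime, Remote Desktop, and the Remote Desktop Users list) can also be audited from a script. The following PowerShell is an added example, not part of the training kit; the registry paths and value names, the unit encoding for invitation lifetime, and the sample account names are assumptions that do not come from the lesson text.

```powershell
# Added example, not from the training kit. Registry paths and value names
# are assumptions; the lesson describes only the dialog boxes and policies.
$RaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-EffectiveValue {
    param([string]$LocalPath, [string]$Name)
    # A value delivered by group policy takes precedence over the value
    # written by the Remote tab of the System Properties dialog box.
    $policy = Get-RegValue -Path $PolKey -Name $Name
    if ($null -ne $policy) { return $policy }
    return Get-RegValue -Path $LocalPath -Name $Name
}

function Get-RemoteAccessSettings {
    $expiry = Get-EffectiveValue -LocalPath $RaKey -Name 'MaxTicketExpiry'
    $units  = Get-EffectiveValue -LocalPath $RaKey -Name 'MaxTicketExpiryUnits'
    # Assumed unit encoding: 0 = minutes, 1 = hours, 2 = days.
    $factor  = @{ 0 = 1; 1 = 60; 2 = 1440 }
    $minutes = $null
    if ($null -ne $expiry -and $null -ne $units -and $factor.ContainsKey([int]$units)) {
        $minutes = [int]$expiry * $factor[[int]$units]
    }
    $members = @()
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        # S-1-5-32-555 is the well-known SID of the Remote Desktop Users group.
        $members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })
    }
    [pscustomobject]@{
        AssistanceEnabled    = (Get-EffectiveValue -LocalPath $RaKey -Name 'fAllowToGetHelp') -eq 1
        AllowFullControl     = (Get-EffectiveValue -LocalPath $RaKey -Name 'fAllowFullControl') -eq 1
        InvitationMinutes    = $minutes
        RemoteDesktopEnabled = (Get-EffectiveValue -LocalPath $TsKey -Name 'fDenyTSConnections') -eq 0
        RdpPort              = Get-RegValue -Path "$TsKey\WinStations\RDP-Tcp" -Name 'PortNumber'
        RemoteDesktopUsers   = $members
    }
}

function Test-RemoteAccessSettings {
    param($Settings, [int]$MaxInvitationMinutes = 60)
    # Pure check over a settings object, so it works on live or sample data.
    $findings = @()
    if ($Settings.AssistanceEnabled) {
        if ($Settings.AllowFullControl) {
            $findings += 'Remote Assistance: experts may take control, not only view.'
        }
        if ($null -eq $Settings.InvitationMinutes) {
            $findings += 'Remote Assistance: invitation lifetime is not set explicitly.'
        } elseif ($Settings.InvitationMinutes -gt $MaxInvitationMinutes) {
            $findings += "Remote Assistance: invitations stay valid for $($Settings.InvitationMinutes) minutes (limit $MaxInvitationMinutes)."
        }
    }
    if ($Settings.RemoteDesktopEnabled) {
        $findings += "Remote Desktop: enabled on TCP port $($Settings.RdpPort); check that the perimeter firewall blocks it."
        if (@($Settings.RemoteDesktopUsers).Count -eq 0) {
            $findings += 'Remote Desktop: no explicit users listed; only Administrators can connect.'
        } else {
            $findings += "Remote Desktop: also allowed for $($Settings.RemoteDesktopUsers -join ', ')."
        }
    }
    return $findings
}

# Constructed sample: a 2-day invitation lifetime with remote control allowed,
# and Remote Desktop switched on for two made-up accounts.
$sample = [pscustomobject]@{
    AssistanceEnabled    = $true
    AllowFullControl     = $true
    InvitationMinutes    = 2880
    RemoteDesktopEnabled = $true
    RdpPort              = 3389
    RemoteDesktopUsers   = @('CONTOSO\helpdesk1', 'CONTOSO\jsmith')
}
Test-RemoteAccessSettings -Settings $sample | ForEach-Object { "sample: $_" }

# The same checks against the computer the script runs on.
Test-RemoteAccessSettings -Settings (Get-RemoteAccessSettings) | ForEach-Object { "host:   $_" }
```

The 60-minute default for `-MaxInvitationMinutes` mirrors the 1 hour value chosen in Exercise 1; pass a different limit to match local policy.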
Using the Remote Desktop Client
Both Windows Server 2003 and Windows XP include the client program needed to
connect to a host computer using Remote Desktop (see Figure 13-13). In addition, both
operating systems include a version of the client that you can install on earlier
Windows operating systems.
Figure 13-13 The Remote Desktop Connection client
Tip Windows Server 2003 also includes a Remote Desktops console (accessible from the
Administrative Tools program group) that you can use to connect to multiple Remote Desktop
hosts and switch between them as needed.
Practice: Configuring Remote Assistance
In this practice, you configure a computer running Windows Server 2003 to receive
remote assistance from another computer.
Exercise 1: Activating Remote Assistance Using Control Panel
In this exercise, you use the Control Panel’s System Properties dialog box to activate
Remote Assistance on the computer.
1. Log on to the computer as Administrator.
2. Click Start, point to Control Panel, and then click System. The System Properties
dialog box appears.
3. Click the Remote tab.
4. In the Remote Assistance group box, select the Turn On Remote Assistance And
Allow Invitations To Be Sent From This Computer check box.
5. Click Advanced. The Remote Assistance Settings dialog box appears.
6. Make sure that the Allow This Computer To Be Controlled Remotely check box is
selected.
7. In the Invitations group box, change the Set The Maximum Amount Of Time
Invitations Can Remain Open selector value to 1 hour, and then click OK.
8. Click OK to close the System Properties dialog box.

Exercise 2: Activating Remote Assistance Using Group Policies
In this exercise, you use group policies to activate remote assistance for all the
computers in the domain.
Note This exercise is an alternative to the individual computer configuration you performed
in Exercise 1. It is not necessary to do both.
1. Log on to the computer as Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory Users
And Computers. The Active Directory Users And Computers console appears.
3. Click the icon for the contoso.com domain in the scope pane, and from the Action
menu, select Properties. The Contoso.com Properties dialog box appears.
4. Click the Group Policy tab, and then click Edit. The Group Policy Object Editor
console appears.
5. Expand the Computer Configuration, Administrative Templates, and System
containers, and then select the Remote Assistance container.
6. In the details pane, double-click the Solicited Remote Assistance policy. The
Solicited Remote Assistance Properties dialog box appears.
7. Click the Enabled option button, and then click OK to accept the default settings.
8. Close the Group Policy Object Editor console.
9. Click OK to close the Contoso.com Properties dialog box.
10. Close the Active Directory Users And Computers console.
Exercise 3: Creating an Invitation
In this exercise, you create an invitation for an expert to give you remote assistance. For
the purposes of this exercise, you will save the invitation to a file, but on an actual
network, you might e-mail it to the appropriate person or send it using Windows Messenger.
1. Click Start and then click Help And Support. The Help And Support Center page
appears.
2. Under Support, click the Remote Assistance hyperlink. The Remote Assistance
page appears.
3. Click Invite Someone To Help You. The Pick How You Want To Contact Your
Assistant page appears.
4. Click Save Invitation As A File (Advanced). The Remote Assistance – Save
Invitation page appears.
5. Under Set The Invitation To Expire, set the duration of the invitation to 10 minutes,
and then click Continue.
6. Type a password of your choice in the Type Password text box, and again in the
Confirm Password text box, and then click Save Invitation. The Save As dialog box
appears.
7. Save the invitation file to the root of your computer’s C drive.
Tip If you are connected to a network, and another computer running Windows Server 2003
or Windows XP is available, you can use that computer to initiate a Remote Assistance
session with your server by double-clicking the invitation file.
8. Close the Help And Support Center window.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. Your company is installing a computer running Windows Server 2003 in a utility
closet that is only accessible to building maintenance personnel. Therefore, you
will have to depend on Remote Desktop for maintenance access to the server. You
do not have Administrator privileges to the server and your workstation is running
Windows 2000 Professional. Which of the following tasks must you perform
before you can connect to the server from your workstation using Remote
Desktop? (Choose all that apply.)
a. Install the Remote Desktop Connection client on the workstation.
b. Activate Remote Desktop on the server using the System Control Panel.
c. Enable the Solicited Remote Assistance group policy for the domain.
d. Add your account name to the Remote Desktop users list.

2. You have just created a Remote Access invitation that you intended to send to a
person at the network help desk, but you sent it to someone else instead. Which
of the following measures would prevent the unintended recipient from
connecting to your computer?
a. Display the Remote Assistance Settings dialog box and reduce the duration of
the invitations created by your computer.
b. Press Esc.
c. Refuse the incoming connection when it arrives.
d. Change your user account password.
3. Which of the following operating systems includes the Remote Desktop
Connection client program? (Choose all that apply.)
a. Windows 2000 Server
b. Windows XP
c. Windows Server 2003
d. Windows 98
Lesson Summary
■ Many of the administrative tools included with Windows Server 2003 can manage
services on computers all over the network.
■ Remote Assistance is a Windows Server 2003 and Windows XP feature that
enables users to request assistance from an expert at another location.
■ Experts connecting to a computer using Remote Assistance can chat with the user,
view the user’s actions on the computer, and take control of the computer to
provide help.
■ Remote Assistance cannot easily be abused because users must request help
before experts can connect to their computers, and the users are always in control
of the Remote Assistance connection.
■ Remote Desktop enables administrators to connect to distant computers that are
unattended and work with them as though they are seated at the system console.
A Remote Desktop client must log on to the host computer using a standard user
account and receives only the permissions and rights granted to the account.

Case Scenario Exercise
You are the network infrastructure design specialist for Litware Inc., a manufacturer of
specialized scientific software products, and you have already created a network
design for their new office building, as described in the Case Scenario Exercise in
Chapter 1. You are deploying a wireless LAN as part of your Active Directory network,
which will enable users with laptop computers running Windows XP to roam
anywhere in the building and remain connected to the network.
The wireless equipment you have selected conforms to the IEEE 802.11b standard and
consists of network interface cards for all the laptops and an access point for each floor
of the building. Because the laptop users might be working with sensitive data, you
want to make sure that the wireless network is secure. You have been considering a
number of security strategies for the WLAN, but have not made a final decision. Based
on the information provided, answer the following questions.
1. Which of the following tasks would wireless users not be able to do if you decided
to use Shared Key authentication?
a. Use WEP encryption for all wireless transmissions
b. Roam from one access point to another
c. Access resources on other wireless computers
d. Participate in an infrastructure network
2. Which of the following tasks would you need to perform to use IEEE 802.1X and
WEP to secure the WLAN? (Choose all that apply.)
a. Install IAS on a computer running Windows Server 2003.
b. Deploy a public key infrastructure on the network by installing Certificate
Services.
c. Install smart card readers in all the laptop computers.
d. Install SP1 on all the laptops running Windows XP.
3. If you elect to use Open System authentication with WEP encryption, to which of
the following vulnerabilities would the WLAN be subject?
a. Unauthorized users connecting to the network
b. Compromised passwords from unencrypted WLAN authentication messages
c. Interception of transmitted data by someone using a wireless protocol analyzer
d. Inability of wireless computers to access resources on the cabled network
Troubleshooting Lab
You have just installed Microsoft Baseline Security Analyzer on a member server
running Windows Server 2003 and have scanned the system for security vulnerabilities.
The results of the scan displayed the vulnerabilities listed below. For each vulnerability
in the list, state how you would correct the problem.
1. Critical Windows operating system security updates are missing.
2. Some user accounts have non-expiring passwords.
3. The computer’s C drive is using the FAT file system.
4. The system is configured to use the Autologon feature, with the password stored
as plain text.
5. The Guest account is enabled on the computer.
Chapter Summary
■ Microsoft Baseline Security Analyzer is a tool that scans computers on a network
and examines them for security vulnerabilities, such as missing security updates,
improper passwords, and account vulnerabilities.
■ Microsoft Software Update Services is a tool that informs administrators when
software updates are released and functions as an intranet Windows Update server for
clients on the network, so that they can automatically install new updates.
■ Most wireless LANs in use today are based on the 802.11 standards published by
the IEEE.
■ To secure a wireless network, you must authenticate clients before they are
granted network access and also encrypt all packets transmitted over the wireless
link.
■ To authenticate IEEE 802.11 wireless network clients, you can use Open System
authentication, Shared Key authentication, or IEEE 802.1X.
■ To encrypt transmitted packets, the IEEE 802.11 standard defines the Wired Equivalent
Privacy (WEP) mechanism.
■ Remote Assistance is a Windows Server 2003 and Windows XP feature that
enables users to request assistance from an expert at another location.
■ Remote Assistance cannot easily be abused because users must request help
before experts can connect to their computers, and the users are always in control
of the Remote Assistance connection.
■ Remote Desktop enables administrators to connect to distant computers that are
unattended and work with them as though seated at the system console. A Remote
Desktop client must log on to the host computer using a standard user account,
and receives only the permissions and rights granted to the account.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to
help you identify topics you need to review. Return to the lessons for additional
practice, and review the “Further Reading” sections in Part 2 for pointers to more
information about topics covering the exam objectives.
Key Points
■ Microsoft Baseline Security Analyzer is a tool that can scan multiple computers on
a network and examine them for security vulnerabilities, such as missing security
updates, improper passwords, and account vulnerabilities. However, MBSA cannot
modify the systems or download security updates.
■ Microsoft Software Update Services is a tool that informs administrators when
software updates are released and functions as an intranet Windows Update server for
clients on the network, so that they can automatically install new updates.
■ Because wireless network transmissions are omnidirectional, signals may be
accessed by unauthorized users. The two primary dangers are that unauthorized
computers can connect to the WLAN and that they can intercept transmitted
packets and read the data inside. To prevent these occurrences, you must authenticate
users when they connect to the WLAN and encrypt all traffic transmitted over the
WLAN.

■ To authenticate IEEE 802.11 wireless network clients, you can use Open System
authentication, Shared Key authentication, or IEEE 802.1X. To encrypt transmitted
packets, the IEEE 802.11 standard defines the Wired Equivalent Privacy (WEP)
mechanism. Microsoft recommends the use of IEEE 802.1X authentication, in
combination with WEP encryption.
■ Remote Assistance is a Windows Server 2003 and Windows XP feature that
enables users to request assistance from an expert at another location. Because the
user requesting help must be present and is always in control of the connection,
Remote Assistance is relatively secure.
■ Remote Desktop enables administrators to connect to distant computers that are
unattended and work with them as though seated at the system console. A Remote
Desktop client must log on to the host computer using a standard user account,
and receives only the permissions and rights granted to the account.
Key Terms
Ad hoc network A network in which wireless computers communicate directly with
each other.
Infrastructure network A network in which wireless computers communicate with
an access point that is connected to a cabled network, providing access to both
bounded and unbounded network resources.
Basic service area (BSA) The effective transmission range in which wireless devices
can communicate. A new wireless device cannot connect to an existing wireless
network until it enters its BSA.
Basic service set (BSS) A group of wireless devices communicating with a basic
service area.
Questions and Answers 13-35
Questions and Answers
Lesson 1 Review (Page 13-10)
1. Which of the following tools can tell you when a computer is missing an important
security update? (Choose all that apply.)
a. Security Configuration and Analysis
b. Hfnetchk.exe
c. Microsoft Software Update Services
d. Microsoft Baseline Security Analyzer
b and d
2. You have just implemented a Microsoft Software Update Services server on your
network, and you want workstations running Windows 2000 and Windows XP
operating systems to automatically download all the software updates from the
SUS server and install them. Which of the following procedures can you use to
configure all the workstations at once?
a. Configure the SUS server to push the updates to specified computers.
b. Use group policies to configure Automatic Updates on the workstations.
c. Use Microsoft Baseline Security Analyzer to configure Automatic Updates on
the workstations.
d. Create a login script for the workstations that downloads the update files and
installs them.
b
3. Which of the following are valid reasons for using Microsoft Software Update
Services instead of Windows Update to update your network workstations? (Choose
all that apply.)
a. To automate the update deployment process
b. To conserve Internet bandwidth
c. To enable administrators to test updates before deploying them
d. To determine which updates must be deployed on each workstation
b and c
Lesson 2 Review (Page 13-19)
1. Which of the following authentication mechanisms enables clients to connect to a
wireless network using smart cards?
a. Open System authentication
b. Shared Key authentication
c. IEEE 802.1X authentication using EAP-TLS
d. IEEE 802.1X authentication using PEAP-MS-CHAP v2
c
2. You are installing an IEEE 802.11b wireless network in a private home using computers
running Windows XP, and you decide that data encryption is not necessary, but you want
to use Shared Key authentication. However, when you try to configure the network
interface adapter on the clients to use Shared Key authentication, the option is not
available. Which of the following explanations could be the cause of the problem?
a. WEP is not enabled.
b. Windows XP SP1 is not installed on the computers.
c. Windows XP does not support Shared Key authentication.
d. A PKI is required for Shared Key authentications.
a
3. Which of the following terms describe a wireless network that consists of two laptop
computers with wireless network interface adapters communicating directly with each
other? (Choose all that apply.)
a. Basic service set
b. Infrastructure network
c. Ad hoc network
d. Access point
a and c
Lesson 3 Review (Page 13-29)
1. Your company is installing a computer running Windows Server 2003 in a utility
closet that is only accessible to building maintenance personnel. Therefore, you
will have to depend on Remote Desktop for maintenance access to the server. You
do not have Administrator privileges to the server and your workstation is running
Windows 2000 Professional. Which of the following tasks must you perform
before you can connect to the server from your workstation using Remote
Desktop? (Choose all that apply.)
a. Install the Remote Desktop Connection client on the workstation.
b. Activate Remote Desktop on the server using the System Control Panel.
c. Enable the Solicited Remote Assistance group policy for the domain.
d. Add your account name to the Remote Desktop users list.
a, b, and d
2. You have just created a Remote Access invitation that you intended to send to a
person at the network help desk, but you sent it to someone else instead. Which
of the following measures would prevent the unintended recipient from
connecting to your computer?
a. Display the Remote Assistance Settings dialog box and reduce the duration of
the invitations created by your computer.
b. Press Esc.
c. Refuse the incoming connection when it arrives.
d. Change your user account password.
c
3. Which of the following operating systems includes the Remote Desktop
Connection client program? (Choose all that apply.)
a. Windows 2000 Server
b. Windows XP
c. Windows Server 2003
d. Windows 98
b and c
13-38 Chapter 13 Designing a Security Infrastructure
Case Scenario Exercise (Page 13-31)
Based on the information provided in the Case Scenario Exercise, answer the following
questions:
1. Which of the following tasks would wireless users not be able to do if you decided
to use Shared Key authentication?
a. Use WEP encryption for all wireless transmissions
b. Roam from one access point to another
c. Access resources on other wireless computers
d. Participate in an infrastructure network
b
2. Which of the following tasks would you need to perform to use IEEE 802.1X and
WEP to secure the WLAN? (Choose all that apply.)
a. Install IAS on a computer running Windows Server 2003.
b. Deploy a public key infrastructure on the network by installing Certificate
Services.
c. Install smart card readers in all the laptop computers.
d. Install SP1 on all the laptops running Windows XP.
a and d
3. If you elect to use Open System authentication with WEP encryption, to which of
the following vulnerabilities would the WLAN be subject?
a. Unauthorized users connecting to the network
b. Compromised passwords from unencrypted WLAN authentication messages
c. Interception of transmitted data by someone using a wireless protocol analyzer
d. Inability of wireless computers to access resources on the cabled network
a
Troubleshooting Lab (Page 13-32)
Based on the information provided in the Troubleshooting Lab, answer the following
questions:
1. Critical Windows operating system security updates are missing.
Access the Windows Update Web site to download the required security updates.
2. Some user accounts have non-expiring passwords.
In the Computer Management console, access the Local Users And Groups snap-in and, in the
Properties dialog box for each user account, deselect the Password Never Expires check box.
3. The computer’s C drive is using the FAT file system.
Use the Convert.exe command line utility to convert the C drive from FAT to NTFS.
4. The system is configured to use the Autologon feature, with the password stored
as plain text.
Using the Windows Registry Editor (Regedit.exe), set the value of the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
key to 0 and delete the DefaultUserName and DefaultPassword keys.
5. The Guest account is enabled on the computer.
In the Computer Management console, access the Local Users And Groups snap-in and, in the
Properties dialog box for the Guest account, select the Account Is Disabled check box.
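Findings 2 through 5 of the Troubleshooting Lab can be re-checked from the command line after remediation. The PowerShell audit below is an added example, not part of the original training kit; it only reads settings and does not cover finding 1 (missing updates). It assumes PowerShell 3.0 or later, and the variable names are illustrative.

```powershell
# Added example: read-only audit of Troubleshooting Lab findings 2-5.
# Run in an elevated PowerShell session on the computer being checked.
$findings = @()

# Finding 2: enabled local accounts with non-expiring passwords.
# Win32_UserAccount.PasswordExpires is $false when Password Never Expires is set.
$accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True"
foreach ($acct in $accounts) {
    if (-not $acct.Disabled -and -not $acct.PasswordExpires) {
        $findings += "Non-expiring password: $($acct.Name)"
    }
}

# Finding 3: system drive formatted with something other than NTFS.
$sysDrive = $env:SystemDrive   # normally C:
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
if ($disk.FileSystem -ne 'NTFS') {
    $findings += "$sysDrive uses $($disk.FileSystem); Convert.exe converts FAT to NTFS"
}

# Finding 4: Autologon enabled, or a plain-text password left in the registry.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
if ($wl.AutoAdminLogon -eq '1') {
    $findings += 'AutoAdminLogon is 1 (Autologon enabled)'
}
if ($wl.PSObject.Properties.Name -contains 'DefaultPassword') {
    $findings += 'DefaultPassword is present (plain-text password in the registry)'
}

# Finding 5: Guest account enabled. Match on the well-known RID 501,
# because the account may have been renamed.
$guest = $accounts | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
if ($guest -and -not $guest.Disabled) {
    $findings += "Guest account enabled: $($guest.Name)"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```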

Part 2
Prepare for the Exam
14 Planning and Implementing
Server Roles and Server
Security (1.0)
Servers are the lifeblood of a data network, and they require more protection than
workstations. Servers performing different tasks also require different levels and types of
security. Part of designing a network infrastructure is creating security configurations that are
appropriate for each server role used on the network. The process of creating these
configurations includes examining the security features provided by the operating systems
that you intend to use and determining the organization’s security requirements.
Tested Skills and Suggested Practices

The skills that you need to successfully master the Planning and Implementing Server
Roles and Server Security objective domain on the 70-293 exam include:
■ Configure security for servers that are assigned specific roles.
❑ Practice 1: Compare the methods you can use to configure security parameters
on a computer running the Microsoft Windows Server 2003 operating system,
including Group Policy Objects (GPOs) and security templates, and
devise scenarios for which each configuration method would be appropriate.
❑ Practice 2: Examine the settings in the security templates included with
Windows Server 2003 using the Security Templates snap-in. Then use the
Security Configuration And Analysis snap-in to compare the secure
(Securedc.inf) and highly secure (Hisecdc.inf) templates to your server and
study the differences between them.
■ Plan a secure baseline installation.
❑ Practice 1: Examine the default security settings on a workstation running
Microsoft Windows XP Professional and a server running Windows Server
2003 and evaluate the level of security they provide. Create a list of configu-
ration changes you could make to support a maximum security environment.
❑ Practice 2: Create a Group Policy Object (GPO) to apply to an Active Directory
directory service domain that contains a set of baseline security settings
suitable for all the computers on a maximum security network.
■ Plan security for servers that are assigned specific roles. Roles might include
domain controllers, Web servers, database servers, and mail servers.
❑ Practice 1: Using the Group Policy Object Editor console, examine the
default security configuration settings for the Domain Controllers organizational
unit in an Active Directory tree, and compare them to the settings in the
default policy for the domain object. Notice how the domain controllers have
a higher level of security than other types of servers.
❑ Practice 2: Create a list of Windows Server 2003 security parameters and consider
what settings would be appropriate for each of the four server roles
listed in this objective.
■ Evaluate and select the operating system to install on computers in an enterprise.
❑ Practice 1: Study the product literature for various operating systems provided
on manufacturers’ Web sites to determine what security features each
operating system provides.
❑ Practice 2: Examine the security configuration parameters of the computer
you are currently using, and list the changes you could make to increase the
security of the system.
Further Reading
This section lists supplemental readings by objective. We recommend that you study
these sources thoroughly before taking exam 70-293.
Objective 1.1 Review Lessons 1, 2, and 3 in Chapter 10, “Deploying Security
Configurations.”
Microsoft Corporation. Securing Windows 2000 Server. Review Chapter 7, “Hardening
Specific Server Roles.” Although written for Microsoft Windows 2000 Server, the concepts
in this chapter are also applicable to Windows Server 2003. Available on
Microsoft’s Web site at
SecWin2k/07ssrole.asp.
Objective 1.2 Review Lessons 1, 2, and 3 in Chapter 8, “Planning a Secure Baseline
Installation,” and Lesson 1 in Chapter 9, “Hardening Servers.”
Microsoft Corporation. Securing Windows 2000 Server. Review Chapter 6, “Hardening
the Base Windows 2000 Server.” Although written for Windows 2000 Server, the concepts
in this chapter are also applicable to Windows Server 2003. Available on
Microsoft’s Web site at
SecWin2k/06basewn.asp.
