Implementing and Administering Security in a Windows® Server™ 2003 Network Exam Cram™ 2 (Exam 70-299)
By Diane Barrett, Bill Ferguson, Don Poulton
Publisher: Que
Pub Date: May 25, 2004
ISBN: 0-7897-3138-X
Pages: 384

The 70-299 exam measures your ability to implement, manage, maintain, and troubleshoot security in a Windows Server 2003 network infrastructure and also to plan and configure a Windows Server 2003 PKI. The MCSE 70-299 Exam Cram 2 gives you the essential information you need to implement, manage, and troubleshoot security policies, patch management infrastructure, and security for network communications, as well as to plan, configure, and troubleshoot authentication, authorization, and PKI. This book can be used as a sole study guide by those experienced with Windows 2003 security, or as the perfect supplement to more comprehensive training materials, instructor-led classes, and/or computer-based training.
Table of Contents
Copyright
The 70-299 Cram Sheet
IMPLEMENTING AND MANAGING SECURITY POLICIES
IMPLEMENTING, MANAGING, AND TROUBLESHOOTING PATCH MANAGEMENT INFRASTRUCTURE
IMPLEMENTING AND MANAGING SECURITY FOR NETWORK COMMUNICATIONS
PLANNING AND CONFIGURING AUTHENTICATION AND AUTHORIZATION FOR REMOTE ACCESS USERS
PLANNING, CONFIGURING, AND TROUBLESHOOTING PKI
TROUBLESHOOTING SECURITY POLICIES AND IPSEC
PLANNING AND IMPLEMENTING SECURITY FOR WIRELESS NETWORKS
A Note from Series Editor Ed Tittel
About the Authors
About the Technical Editors
Acknowledgments
We Want to Hear from You!
Introduction
Taking a Certification Exam
Arriving at the Exam Site
In the Exam Room
Notes on This Book's Organization
How to Prepare for an Exam
How This Book Helps You
Self-Assessment
MCSAs and MCSEs in the Real World
The Ideal MCSA or MCSE Candidate
Put Yourself to the Test
Assessing Readiness for Exam 70-299
Take the Challenge!
Chapter 1. Implementing and Managing Security Policies
Managing Security Mechanisms in Windows Server 2003
Planning and Deploying Security Templates
Planning Security for the DHCP and DNS Infrastructure Services
Planning and Configuring Auditing and Logging Computer Roles
Exam Prep Questions
Configuring Extra Security Based on Server Roles
Configuring Extra Security Based on Client Roles
Analyzing Security Configuration
Chapter 2. Implementing, Managing, and Troubleshooting Patch Management Infrastructure
Planning, Evaluating, and Testing the Deployment of Service Packs and Hotfixes
Using MBSA to Assess the Current Status of Service Packs and Hotfixes
Troubleshooting Patch Management Infrastructure
Exam Prep Questions
Chapter 3. Implementing and Managing Security for Network Communications
Planning an IPSec Deployment
Configuring IPSec Policies
Deploying and Managing IPSec Policies
Exam Prep Questions
Chapter 4. Planning and Configuring Authentication and Authorization for Remote Access Users
Deploying, Managing, and Configuring SSL Certificates
Configuring Security and Authentication for Remote Access Users
Configuring and Troubleshooting Virtual Private Network (VPN) Protocols
Exam Prep Questions
Managing Client Configuration for Remote Access Security
Chapter 5. Planning, Configuring, and Troubleshooting PKI
Public Key Infrastructure (PKI) and Certification Authority (CA) Hierarchies
Backing Up and Restoring the CA
Managing CAs
Troubleshooting Authentication, Authorization, and PKI
Exam Prep Questions
Chapter 6. Troubleshooting Security Policies and IPSec
Troubleshooting Security Policies
Troubleshooting IPSec
Exam Prep Questions
Chapter 7. Planning and Implementing Security for Wireless Networks
Planning the Authentication Methods for a Wireless Network
Planning the Encryption Methods for a Wireless Network
Planning and Configuring Wireless Access Policies
Configuring Wireless Encryption
Exam Prep Questions
Configuring SSL Certificates for Wireless Networks
Installing and Configuring Wireless Support for Client Computers
Chapter 8. Practice Exam #1
Chapter 9. Answer Key to Practice Exam #1
Chapter 10. Practice Exam #2
Chapter 11. Answer Key to Practice Exam #2
Appendix A. CD Contents and Installation Instructions
Multiple Test Modes
Random Questions and Order of Answers
Attention to Exam Objectives
Installing the CD
Detailed Explanations of Correct and Incorrect Answers
Technical Support
Appendix B. Suggested Reading and Resources
General Resources
Chapter 1
Chapter 2
Chapter 4
Chapter 6
Chapter 3
Chapter 5
Chapter 7
Glossary
Index
Copyright
Copyright © 2004 by Que Publishing
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
Library of Congress Catalog Card Number: 2003115432
Printed in the United States of America
First Printing: June 2004
07 06 05 04 4 3 2 1
Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.
Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact
U.S. Corporate and Government Sales
1-800-382-3419
For sales outside of the U.S., please contact
International Sales
1-317-428-3341
Credits
Publisher: Paul Boger
Executive Editor: Jeff Riley
Acquisitions Editor: Jeff Riley
Development Editor: Steve Rowe
Managing Editor: Charlotte Clapp
Project Editor: Tricia Liebig
Copy Editor: Benjamin Berg
Indexer: Ken Johnson
Proofreader: Linda Seifert
Technical Editors: David Neilan, Marc Savage
Team Coordinator: Pamalee Nelson
Multimedia Developer: Dan Scherf
Interior Designer: Gary Adair
Cover Designer: Anne Jones
Page Layout: Susan Geiselman
Dedication
To the memory of my brothers, Steven and Ronald.
Diane Barrett
This book is dedicated to my mother, Suanne. Her creative spirit and her accomplishments as a writer and a teacher have been a constant source of encouragement to me.
Bill Ferguson
To my wife Terry, who has stood by me during the hours involved over the holidays as I worked hard to make this book a reality.
Don Poulton
The 70-299 Cram Sheet
This Cram Sheet contains the distilled, key facts you need for Exam 70-299, Implementing and Administering Security in a Microsoft Windows Server 2003 Network. Review this information as the last thing you do before you enter the testing center, paying special attention to those areas in which you feel that you need the most review. You can transfer any of these facts from your head onto a blank sheet of paper given to you by the testing center, immediately before you begin the exam.
IMPLEMENTING AND MANAGING SECURITY POLICIES
1. Groups can be defined as either security or distribution. Security groups can be assigned permissions to resources through access control entries (ACEs). Distribution groups are used for membership purposes only. A security group can also be used as an email entity.
2. A group can be converted from a security group to a distribution group, and vice versa, only if the domain functional level is set to Windows 2000 native or higher. Security groups with universal scope cannot be created in mixed mode. Universal scope is supported only in domains in which the functional level is set to native mode.
3. A group's scope dictates who can be a member of the group and what resources the group has access to. Local requires access to the specific computer where the local group is created. Domain local groups can contain user, global, and universal groups. Global groups can contain global groups from the same domain. Universal groups can contain other universal and global groups from any domain but not domain local groups.
4. The predefined security templates are stored in Systemroot\Security\Templates. These have .inf extensions and include Setup security and DC security (default security settings used when an OS is installed or a server promoted), Compatws (compatible with most legacy applications), Securews and Securedc (limit use of LAN Manager and NTLM authentication), Hisecws and Hisecdc (highly secure), Rootsec (changes the root directory permissions), and Notssid (removes the unnecessary Terminal Server SIDs).
5. Three account policy areas can be configured: Password, Account Lockout, and Kerberos policies. Only one domain account policy can exist. The policy is applied at the root of the domain and becomes the policy for any system that is a member of the domain. When an account policy is configured for an OU, these settings affect the local policy settings on the computers contained in the OU.
6. The Members list defines who belongs to a restricted group, while the Member Of list states which other groups a restricted group belongs to. When a group is added to the Restricted Groups portion of a security template, only group members listed in the template will remain once the template is applied.
7. The Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares and Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts policies replace the Windows 2000 Additional Restrictions for Anonymous Connections setting that managed the Registry value called RestrictAnonymous.
8. Gpupdate replaces the Windows 2000 command secedit /refreshpolicy. The syntax is as follows: gpupdate [/target:computer] [/force] [/wait:Value] [/logoff] [/boot].
9. Use the command-line tool Secedit.exe in a batch file or script to configure security on multiple computers at scheduled times. The commands are secedit /analyze, secedit /configure, secedit /export, secedit /import, secedit /validate, and secedit /GenerateRollback.
10. Use loopback policy to override user-based Group Policy with computer-based Group Policy. This makes the desktop configuration the same regardless of who logs on.
11. Use software restriction policies for more control over who receives what software. A default security level of Unrestricted (allowed) or Disallowed (not allowed) for a Group Policy object (GPO) is defined. You can create the following types of rules for exceptions: Hash, certificate, path, and Internet rules.
12. If you do not want the software restriction policies to apply to local administrators, click All Users Except Local Administrators under the Enforcement object of Group Policy.
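As an added illustration of items 8 and 9 (this is not code from the book), the following batch file analyzes a computer against one of the predefined templates, applies the template with Secedit.exe, and then forces a policy refresh with Gpupdate. The template name and the database and log paths are assumptions; adjust them for your environment.

```batch
@echo off
rem Added example (not from the book): analyze a computer against a predefined
rem security template, apply it with Secedit.exe, then refresh Group Policy with
rem Gpupdate. The paths below are assumptions; change them for your environment.
setlocal

set TEMPLATE=%SystemRoot%\Security\Templates\securews.inf
set DB=%SystemRoot%\Security\Database\securews.sdb
set LOGFILE=%SystemRoot%\Security\Logs\securews.log

rem Step 1: compare the live configuration with the template. Nothing is changed;
rem the mismatches are written to the log so they can be reviewed first.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOGFILE%" /quiet
echo Analysis complete. Review "%LOGFILE%" before applying the template.

rem Step 2: apply the template. /overwrite replaces whatever the database held
rem with the template contents so settings from earlier imports cannot linger.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOGFILE%" /quiet

rem Step 3: refresh computer policy now instead of waiting for the next
rem background refresh interval.
gpupdate /target:computer /force

endlocal
```

To run this on several computers at scheduled times, as item 9 describes, register the script with Schtasks.exe on each computer (for example, schtasks /create /tn ApplySecurews /tr C:\Scripts\apply_securews.cmd /sc weekly /d SUN /st 02:00 /ru SYSTEM, where the script path is an assumption). Keep the analysis step in place: it is the cheap way to see what a template will change on a given computer before it changes it, and the log it produces is the first thing to read when a template breaks an application.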
IMPLEMENTING, MANAGING, AND TROUBLESHOOTING PATCH MANAGEMENT INFRASTRUCTURE
1. You can now use QChain.exe to chain Windows 2000 post-SP2 updates together, and the latest version of a file is installed regardless of the order in which the updates are installed. To install multiple updates with only one restart, run the update installer using the -z switch.
2. You can use Group Policy to distribute service pack installations by making a new software installation package (.msi file) and linking it to a GPO through the computer configuration settings.
3. MBSA references an Extensible Markup Language (XML) file called Mssecure.xml. When you run MBSA for the first time, it obtains a copy of this Mssecure.xml file in a digitally signed .cab file. The Mssecure.cab file ensures that only the signed .cab file is used and prevents the downloading of an out-of-date XML file.
4. The Microsoft Network Security Hotfix Checker (HFNetChk) tool can be used to scan for missing security updates and service packs by using mbsacli.exe /hf with the appropriate parameters.
5. Qfecheck.exe has the ability to track and verify installed Windows 2000 and Windows XP hotfixes by reading the information that is stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates Registry key.
6. Software Update Services (SUS) allows each software update to be approved before it is installed in the environment, and deploys Windows-related security patches and updates to any computers running Windows 2000, Windows XP Professional, or Windows Server 2003.
7. In WU and SUS environments, some Microsoft products must be updated by using other services or by manually applying software updates. SMS does not have this limitation and can be used to update any software product on an SMS client.
8. Slipstreaming simultaneously installs service packs with an operating system. The installation includes the components and updates as entries in the Svcpack.inf file. Copy the installation files for the operating system and the updates to a shared distribution folder, create the package, and then run Setup to deploy the installation either from the shared distribution folder or a CD-ROM.
9. All SUS updates downloaded to your server need to be approved before the server makes them available to computers running the Automatic Updates client. The approval process is done through the Approve Updates page.
10. To configure automatic updates through Group Policy, add the Wuau.adm template to the GPO.
IMPLEMENTING AND MANAGING SECURITY FOR NETWORK COMMUNICATIONS
1. IPSec can now function through Network Address Translation (NAT) as long as it is configured to allow UDP traffic. The Internet Key Exchange (IKE) protocol will detect the presence of NAT and use UDP-ESP encapsulation to allow the traffic to pass through.
2. AH and ESP provide for authentication, integrity, and antireplay of each packet. ESP also provides for confidentiality. ESP does not sign the entire packet; only the IP payload itself is encrypted.
3. Transport mode IPSec is used for secure communication between clients and servers on a LAN, and tunnel mode is used for secure communication between networks.
4. Kerberos is the default authentication method for Windows 2000 Server and Windows Server 2003. It can only be used with Microsoft clients later than Windows 2000 Professional. Using Kerberos requires the least administrative effort.
5. If you use more than one filter in a single IPSec policy rule, the IPSec Policy Agent reads the policy. Filters are processed into one ordered list that is sorted from the most to the least specific.
6. Each IPSec policy consists of rules that are configured on the Rules tab of the properties of an IPSec policy. Each rule can contain settings for Filter list, Filter action, Authentication methods, Tunnel endpoint, and Connection type. Know how to use the Edit button to modify filter properties.
7. Create, modify, and deploy IPSec policies using the IP Security Policy Management console.
8. Group Policies are created in a domain and then linked to the appropriate container. Group Policies are processed in the order of local, site, domain, OU, and then child OU. IPSec policies that conflict will be overridden by the next level of processing.
9. PPTP is the recommended protocol when tunneling with NAT using Microsoft servers earlier than Windows Server 2003. Windows Server 2003 allows IPSec to be used through a NAT via IP NAT Traversal.
10. If all computers belong to the Windows Server 2003 family, you can deploy IPSec using the netsh ipsec command. Netsh ipsec static can create, modify, and assign IPSec policies without immediately affecting the active IPSec policies. Netsh ipsec dynamic displays the active state of IPSec and immediately affects the configuration of the active IPSec policy.
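As an added example for item 10 (not code from the book), the following batch file builds, assigns, and then inspects a local IPSec policy with netsh ipsec static, showing the pieces item 6 lists (filter list, filter action, authentication method) as commands. The policy, filter list, filter action, and rule names are assumptions chosen for the example; the policy requires IPSec with Kerberos authentication for inbound TCP 445 (SMB) to the local computer and leaves all other traffic to the default behaviour.

```batch
@echo off
rem Added example (not from the book): create a local IPSec policy with
rem netsh ipsec static, assign it, and confirm the result with netsh ipsec dynamic.
rem The names Secure-SMB, SMB-Inbound, Require-Security and Protect-SMB are
rem assumptions chosen for this example.

rem 1. Create the policy unassigned. Static changes touch the stored policy only;
rem    nothing takes effect until the policy is assigned in step 5.
netsh ipsec static add policy name="Secure-SMB" description="Require IPSec for inbound SMB" assign=no

rem 2. A filter list holding one mirrored filter: any host -> this host, TCP 445.
rem    srcport=0 means any source port; mirrored=yes also matches the replies.
netsh ipsec static add filterlist name="SMB-Inbound" description="TCP 445 to this computer"
netsh ipsec static add filter filterlist="SMB-Inbound" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes

rem 3. A filter action that negotiates security and refuses to fall back to
rem    clear text (inpass=no, soft=no) when the peer cannot do IPSec.
netsh ipsec static add filteraction name="Require-Security" action=negotiate inpass=no soft=no

rem 4. Tie the filter list and action together in a rule that authenticates
rem    with Kerberos, the default domain method (cram item 4).
netsh ipsec static add rule name="Protect-SMB" policy="Secure-SMB" filterlist="SMB-Inbound" filteraction="Require-Security" kerberos=yes

rem 5. Assign the policy. This is the point at which it becomes active.
netsh ipsec static set policy name="Secure-SMB" assign=yes

rem 6. netsh ipsec dynamic reports the active state, which confirms that the
rem    assignment took effect on this computer.
netsh ipsec dynamic show all
```

When you test this, a connection to port 445 from a computer that is not a domain member (and so cannot authenticate with Kerberos) fails rather than falling back to clear text; that is the point of soft=no. Remember item 8 as well: if a domain or OU GPO assigns a different IPSec policy to this computer, that policy overrides the local one, and netsh ipsec dynamic show all is where you see which policy actually won.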
PLANNING AND CONFIGURING AUTHENTICATION AND AUTHORIZATION FOR REMOTE ACCESS USERS
1. Open port 1723/tcp to allow PPTP traffic and port 1701/udp to allow L2TP traffic to pass through a firewall. Secure Sockets Layer (SSL) traffic uses the HTTPS protocol and port 443.
2. MS-CHAPv2 is supported by Windows XP, 2000, 98, Me, and NT 4.0. Windows 95 clients support MS-CHAPv2 for virtual private networking (VPN) connections but not for dial-up connections.
3. Two types of EAP authentication are built into Windows Server 2003: MD5 Challenge and TLS.
4. EAP-TLS is supported only on servers that run Routing and Remote Access, that are configured to use Windows Authentication, and that are members of a domain.
5. Windows Server 2003 supports PPTP and L2TP, but L2TP can be used only by Windows 2000 Professional and newer clients.
6. Remote access policies consist of conditions, permissions, and profile components that work together to allow or deny a connection. If multiple policies are configured, they will be processed in order from the top down. Place the policy that is most specific at the top of the list.
7. MPPE is the main encryption protocol used in PPTP tunnels. You cannot use CHAP authentication when using MPPE.
8. Multifactor authentication works on the premise that a user can prove his identity in three ways: something he knows (password or a PIN), something he has (smart card), and something he is (fingerprint or retinal scan).
9. You can use Connection Manager Administration Kit (CMAK) to fully customize a connection and provide additional functionality for users.
PLANNING, CONFIGURING, AND TROUBLESHOOTING PKI
1. Only one root CA exists in any hierarchy. You must always install the root CA first. In any hierarchy, the root CA is always the most trusted authority.
2. Windows Server 2003 supports two versions of certificate templates. Version 1 templates are read-only and can be used with client computers running Windows 2000 and later. Version 2 templates are editable and support autoenrollment. They can only be used on client computers running Windows XP or Windows Server 2003.
3. Only version 2 certificates support autoenrollment, and they require that users have the Read, Enroll, and Autoenroll permissions to autoenroll certificates.
4. The Request Handling tab enables you to configure the following certificate template properties for version 2 templates: Purpose (encryption, signature, and signature and encryption), Minimum key size (512 to 16,384 bits), Do the Following When the Subject Is Enrolled and When the Private Key Associated with This Certificate Is Used (options for the amount of user input required), and CSPs (cryptographic service providers that are used in certificate requests).
5. You can control the issuance of certificate requests by configuring permissions on the template from the Security tab, by preventing the CA from issuing that certificate type (by deleting the template from the list in the CA snap-in), or by configuring the permissions on the CA.
6. When you revoke a certificate, the revoked certificate is published in the CRL. Windows Server 2003 has added a delta CRL (a list of certificates that have been revoked since the last publication of a full CRL). Using delta CRLs, you can publish CRL information more frequently with less replication traffic.
7. To revoke a certificate, select the Issued Certificates node of the Certification Authority snap-in. Right-click the certificate to be revoked and select All Tasks, Revoke Certificate. Select a reason code from those displayed in the drop-down list of the Certificate Revocation dialog box, and then click Yes.
8. Using Ntbackup to back up the system state data will back up the Certificate Services database. Also back up IIS because the proper functioning of the certificate server depends on the Web enrollment pages. You can back up Certificate Services by itself, which also provides a restore wizard.
9. When problems occur with authentication, authorization, or PKI, you should follow general troubleshooting practices by examining event logs. Ensure that IIS is operating properly and is configured for execution of scripts.
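As an added example for items 6 through 8 (not code from the book), the following batch file performs the same revoke-and-publish sequence from the command line with certutil.exe instead of the Certification Authority snap-in, and then backs up the Certificate Services database. The serial number and the backup folder are placeholders.

```batch
@echo off
rem Added example (not from the book): revoke a certificate, publish a fresh
rem CRL, and back up the Certificate Services database with certutil.exe.
rem The serial number and backup directory are placeholders; replace them.
setlocal

rem Serial number of the certificate to revoke, as shown in the Issued
rem Certificates node of the Certification Authority snap-in (placeholder).
set SERIAL=PLACEHOLDER_SERIAL_NUMBER

rem Reason code 1 = KeyCompromise. The other codes certutil accepts are
rem 0 Unspecified, 2 CACompromise, 3 AffiliationChanged, 4 Superseded,
rem 5 CessationOfOperation and 6 CertificateHold (the only reversible one).
set REASON=1

rem Backup target (placeholder). certutil expects this directory to be empty.
set BACKUPDIR=D:\CABackup

rem 1. Revoke the certificate. This is the command-line equivalent of
rem    All Tasks, Revoke Certificate in the snap-in (cram item 7).
certutil -revoke %SERIAL% %REASON%

rem 2. Publish the CRL now rather than waiting for the next scheduled
rem    publication, so relying parties see the revocation sooner (item 6).
rem    If delta CRLs are enabled on the CA, "certutil -CRL delta" publishes
rem    only the delta.
certutil -CRL

rem 3. Back up the CA database (item 8). -backupDB does not prompt for a
rem    password; use -backup instead when the CA key must be included too.
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
certutil -backupDB "%BACKUPDIR%"

endlocal
```

Publishing the CRL is the step people forget: a revocation that sits in the CA database until the next scheduled publication protects nothing in the meantime, and clients that cache the previous CRL keep trusting the certificate until that cached copy expires. After the backup, remember item 8's other half and back up the IIS metabase separately, since the Web enrollment pages are not in the CA database.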
TROUBLESHOOTING SECURITY POLICIES AND IPSEC
1. Troubleshooting of Group Policy security templates and other security settings involves the logging mode of RSoP. You use RSoP in logging mode only when the specified user has logged on to the specified computer.
2. You cannot use Group Policy to apply security templates to computers running Windows NT 4.0 or 9x. To manage Windows 9x computers, use System Policy Editor to create Config.pol files. To manage Windows NT 4.0 computers, use an NTconfig.pol file.
3. The Block Policy inheritance and No Override settings can be used to control what policies apply. A No Override attribute has precedence over all the policies that are applied thereafter. The Block Policy inheritance attribute blocks all Group Policy settings that are passed down to the site, domain, or OU from a parent. Blocking does not affect local GPOs.
4. You can run the IP Security Monitor snap-in on Windows Server 2003 or Windows XP Professional computers only. If you run this snap-in on a Windows 2000 computer, you will receive the error "The IPSec server is unavailable or incompatible with the IPSec monitor."
5. Know which types of actions to audit for different scenarios. The 70-299 exam presents a drag-and-drop interface in which you must select success and failure actions to achieve a given objective.
6. You can use the Gpresult command-line utility to perform nearly all actions that are available in RSoP logging mode. One exception: Gpresult does not provide policy precedence information.
7. When applying SCA, you might encounter the error message "Access is denied. Import failed. You do not have administrative rights. Error 1208: An extended error has occurred. Error opening." The error message indicates that the database may be configured with read-only permissions.
8. When a security policy won't take, one of the first places you should check is the Event Viewer logs. Errors with event IDs 1000 and 1001 that repeat at 5- to 7-minute intervals indicate problems with applying Group Policy.
9. Client computers configured with the Hisecws.inf or Securews.inf template cannot communicate with servers running Windows 2000 if their clocks differ by more than 30 minutes.
10. If you are using preshared keys as a means of authenticating IPSec across a VPN, you can use the CMAK to configure a connection that includes a preshared key.
11. Use of the highly secure templates (Hisec*.inf) prevents most communication between Windows Server 2003 computers and computers running Windows NT 4.0 or earlier.
12. Windows 9x computers support NTLMv2 authentication only when the Active Directory Client Extensions Pack is installed.
13. Windows XP and Windows Server 2003 record IPSec policy agent events in the security log. IKE events are recorded in the Oakley log, and IPSec driver events are logged to the system log.
PLANNING AND IMPLEMENTING SECURITY FOR WIRELESS NETWORKS
1. Three means of wireless device authentication are currently used: open authentication (anyone providing the correct service set identifier [SSID] or wired equivalent privacy [WEP] key for the access point), shared key authentication (the client sends a request for access to the access point, the access point returns a challenge, and the client returns an encrypted response), and the 802.1x authentication standard (EAP integrated with an authenticating server such as a RADIUS server).
2. Windows Server 2003 uses the 802.1x standard for authenticating access to wired Ethernet networks and wireless 802.11 networks. It provides support for EAP used in conjunction with these methods for wireless computers: EAP-TLS, EAP-MS-CHAPv2, and Protected EAP.
3. EAP-TLS uses certificate-based mutual authentication, negotiation of the encryption method, and encrypted keys. Smart cards use EAP-TLS.
4. EAP-MS-CHAPv2 provides mutual authentication based on password-based user and computer authentication.
5. Protected EAP (PEAP) provides these benefits within TLS: an encrypted authentication channel, dynamic keying material from TLS, fast reconnect using cached session keys, and server authentication to protect against the setup of unauthorized access points.
6. PEAP with EAP-MS-CHAPv2 requires less effort to deploy because you do not need certificates or smart cards. PEAP with EAP-TLS provides the highest level of security because it uses certificates and smart cards.
7. You can duplicate a version 1 certificate template to obtain a version 2 copy, and then add certificate purposes to the copied template as necessary.
8. CAs on a server running Windows Server 2003, Standard Edition can only issue certificates based on version 1 templates. If you need to issue a certificate based on a version 2 template, you must install the CA on a server running Windows Server 2003, Enterprise Edition.
9. WEP alone does not protect data very well. If available, use 128-bit WEP and change the keys frequently. Use dynamic WEP keys if possible (this requires access points that can provide them and wireless clients that can support them). Select The Key Is Provided Automatically option to provide dynamic WEP keys.
10. Only Windows XP computers natively support 802.1x authentication. Microsoft provides an 802.1x Authentication Client download that allows Windows 2000 computers to use the 802.1x standard, and provides 802.1x Authentication Clients for Windows 98 and NT 4.0 Workstation to customers with Premier and Alliance support contracts.