Testing Skills and Suggested Practices




The skills that you need to successfully master the Implementing, Managing, and Troubleshooting Security for Network Communications objective domain on Exam 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network include:

  • Apply IPSec policies.

    • Practice 1: Requires two computers, both members of the same domain. On the first computer, assign the Server (Request Security) policy in the local security policy. Install a File Transfer Protocol (FTP) server on that computer by adding the FTP Service component of Internet Information Services (IIS). Test that it works by connecting to the server from the local host. Leave the second computer without an assigned IPSec policy and connect to the FTP server from it. The connection succeeds, but it is not protected by IPSec: Server (Request Security) falls back to unprotected communication when the peer does not answer the IKE negotiation, so the session, including the FTP user name and password, crosses the network in clear text. That fallback is the reason this policy is unsuitable for a server that must never accept unprotected traffic.

    • Practice 2: Requires two computers, both members of the same domain. On the first computer, assign the Secure Server (Require Security) policy in the local security policy. Install an FTP server by means of IIS on this computer and test that it works by connecting from the local host. Leave the second computer without an assigned IPSec policy and attempt to connect to the FTP server from it. The connection fails, because Secure Server (Require Security) never falls back to unprotected communication. Now assign the Client (Respond Only) policy in the second computer's local security policy and connect again. This time the connection works, and the traffic between the two systems is protected by IPSec; both computers are domain members, so IKE authenticates them with Kerberos. Test with the FTP connection rather than with ping: the built-in server policies include a rule that permits all ICMP traffic, so ping succeeds whether or not IPSec was negotiated.

  • Create individual IPSec policies.

    • Practice 1: Requires two computers, both members of the same domain. On the first computer, open the local Group Policy object and go to the Computer Configuration\Windows Settings\Security Settings\IP Security Policies node. Create a new IPSec policy by using the wizard and activate the default response rule with the Active Directory default (Kerberos V5 protocol) authentication method. Add a new security rule: do not specify a tunnel, set the network type to All Network Connections, keep Active Directory default authentication, apply the rule to All IP Traffic, and set the filter action to Require Security. Assign the policy. Ensure that the second computer has no IPSec policy assigned and ping the first computer; the requests fail, because the first computer discards unprotected inbound packets and the second has no policy with which to answer its negotiation. Now assign the Client (Respond Only) policy on the second computer and ping again. The first request may time out while IKE completes, after which the pings succeed. Unlike the built-in server policies, this policy has no rule that permits ICMP, which is why ping is a valid test here.

    • Practice 2: Requires two computers, which do not need to be members of the same domain. On the first computer, open the local Group Policy object and go to the Computer Configuration\Windows Settings\Security Settings\IP Security Policies node. Create a new IPSec policy by using the wizard. When asked for the default response rule's authentication method, select Use This String To Protect The Key Exchange (Preshared Key) and enter the key “Quis Custodiet Custodes”. Add a new security rule: do not specify a tunnel, set the network type to All Network Connections, set the authentication method to the same preshared key, apply the rule to All IP Traffic, and set the filter action to Require Security. Assign the policy. Assign the Client (Respond Only) policy on the second computer and ping the first computer. The pings fail: the first computer proposes only preshared-key authentication, and the Client (Respond Only) default response rule accepts only Active Directory (Kerberos) authentication, so IKE main mode cannot agree on an authentication method. On the second computer, edit the properties of the Client (Respond Only) policy, edit the <Dynamic> rule, and on the Authentication Methods tab click Add and add the preshared key “Quis Custodiet Custodes”. Apply the policy and ping the first computer again; now that both computers share the key, the negotiation succeeds. Treat preshared keys as a lab convenience only: the key is stored in clear text in the policy (in the local registry or in Active Directory), where anyone who can read the policy can recover it, so production hosts should authenticate with Kerberos or certificates.

  • Use the netsh ipsec utility.

    • Practice 1: Open a command prompt on a single computer running Windows Server 2003 and inspect the properties of the built-in Secure Server (Require Security) policy by issuing the following commands, one per line; each one moves into a more specific netsh context, and the last one displays the policy with its rules, filter lists and filter actions:

      • netsh

      • ipsec

      • static

      • show policy "Secure Server (Require Security)" verbose

    • Practice 2: Assign one of the built-in IPSec policies by using the command line. First examine the local security policy and ensure that no IPSec policy is assigned. Then assign the Secure Server (Require Security) policy by issuing the following command sequence at the command prompt:

      • netsh

      • ipsec

      • static

      • set policy name="Secure Server (Require Security)" assign=yes

      Verify that the assignment worked by opening the Local Security Policy console (secpol.msc), selecting IP Security Policies On Local Computer, and checking that the Policy Assigned column for Secure Server (Require Security) reads Yes. Only one IPSec policy can be assigned to a computer at a time, and an IPSec policy assigned through a domain Group Policy object overrides the local assignment, so on a domain member check the effective policy rather than only the local one. Unassign the policy afterwards (assign=no) if the computer is used for other practices, because it now drops all unprotected traffic, including remote management sessions.
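
The two practices under "Create individual IPSec policies" and the netsh practices in this section can be combined into one script. The following batch file is an added example, not part of the training kit: it builds the preshared-key policy of the second policy-creation practice with netsh ipsec static on the first computer (run with the server argument), a respond-only policy carrying the same key on the second computer (client), and then shows the result through both the static and the dynamic contexts. The policy, filter list and filter action names, the cleanup branch and the file name ipsec-lab.cmd are assumptions for the lab. Run it at the console of each computer rather than over a remote session, because assigning the server policy drops every unprotected connection.

```batch
@echo off
setlocal
rem Added example, not from the training kit: scripts the preshared-key
rem practice with "netsh ipsec static".  Usage:
rem   ipsec-lab.cmd server    first computer: require IPSec for all traffic
rem   ipsec-lab.cmd client    second computer: respond only, same key
rem   ipsec-lab.cmd cleanup   either computer: unassign and delete the policy
rem Policy, filter list and filter action names are assumptions for the lab.
rem The key is stored in clear text inside the policy, in the registry or in
rem Active Directory, so a preshared key belongs in test networks only.
set PSK=Quis Custodiet Custodes

if /i "%~1"=="server"  goto server
if /i "%~1"=="client"  goto client
if /i "%~1"=="cleanup" goto cleanup
echo Usage: %~nx0 server ^| client ^| cleanup
exit /b 1

:server
set POLICY=Lab Require Security
rem Policy with the default response rule active and the preshared key as
rem its only authentication method (kerberos=no).
netsh ipsec static add policy name="%POLICY%" description="Added example: require IPSec" activatedefaultrule=yes
netsh ipsec static set defaultrule policy="%POLICY%" kerberos=no psk="%PSK%"
rem Filter list: all IP traffic between this host and any address, mirrored
rem so that inbound and outbound packets both match.
netsh ipsec static add filterlist name="Lab All IP Traffic"
netsh ipsec static add filter filterlist="Lab All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes
rem Filter action equivalent to Require Security: negotiate, never accept
rem unsecured inbound packets (inpass=no), never fall back to clear (soft=no).
netsh ipsec static add filteraction name="Lab Require" action=negotiate inpass=no soft=no
rem The rule ties the three together: no tunnel endpoint, all connection
rem types, preshared key only.
netsh ipsec static add rule name="Lab All Traffic" policy="%POLICY%" filterlist="Lab All IP Traffic" filteraction="Lab Require" conntype=all kerberos=no psk="%PSK%"
netsh ipsec static set policy name="%POLICY%" assign=yes
goto verify

:client
set POLICY=Lab Respond Only
rem Respond-only policy: only the default response rule, carrying the same
rem key so that it can accept the server's preshared-key proposal.
netsh ipsec static add policy name="%POLICY%" description="Added example: respond only" activatedefaultrule=yes
netsh ipsec static set defaultrule policy="%POLICY%" psk="%PSK%"
netsh ipsec static set policy name="%POLICY%" assign=yes
goto verify

:verify
rem Show what was built, then ping the server from the client: the first
rem request may time out while IKE runs, after which a main mode SA for the
rem peer is listed here by the dynamic context.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec dynamic show mmsas
exit /b 0

:cleanup
rem Errors for the policy that does not exist on this computer are harmless.
for %%P in ("Lab Require Security" "Lab Respond Only") do (
    netsh ipsec static set policy name=%%P assign=no
    netsh ipsec static delete policy name=%%P
)
netsh ipsec static delete filterlist name="Lab All IP Traffic"
netsh ipsec static delete filteraction name="Lab Require"
exit /b 0
```

Names containing spaces must be quoted on the netsh command line, as they are above; the same commands can be typed one context at a time, as in the practices, by entering netsh, then ipsec, then static, and omitting that prefix.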

  • Troubleshoot IPSec.

    • Practice 1: Open a Microsoft Management Console (MMC) and, by using Add/Remove Snap-in, add the IP Security Monitor snap-in. Assign an IPSec policy on the server on which you are running the console and a compatible policy on another computer in your test domain. At least one of the two must use a policy that initiates negotiation; two computers that both run Client (Respond Only) never negotiate, because neither side starts IKE. Generate some Transmission Control Protocol/Internet Protocol (TCP/IP) traffic between the two computers, then view the Security Associations node under Main Mode: one entry per peer, showing the authentication method and the main mode security methods that were agreed. The Security Associations node under Quick Mode shows the per-filter AH or ESP security associations and their algorithms, and the Statistics nodes count failed negotiations, which is the first place to look when traffic is being blocked instead of protected.

    • Practice 2: From a command prompt on a computer running Windows Server 2003, run netsh and enter the ipsec dynamic context. Run show config to display the IPSec driver and IKE configuration, including the default traffic exemptions and the boot mode behavior, and show mmsas to list the current main mode security associations (show qmsas lists the quick mode ones). The static context describes policy as stored; the dynamic context describes what the driver and IKE are actually doing, which is why it is the one to use when troubleshooting.
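
As an added example that is not part of the training kit, the following batch file collects in one pass the state that the two troubleshooting practices inspect by hand, using the netsh ipsec dynamic context, and can optionally turn IKE tracing on while a failing connection is retried. The output path, the file name ipsec-diag.cmd and the trace argument are assumptions; %SystemRoot%\Debug\Oakley.log is where Windows Server 2003 writes the IKE trace when ikelogging is enabled.

```batch
@echo off
setlocal
rem Added example, not from the training kit: dumps the IPSec state that the
rem troubleshooting practices look at, then optionally traces IKE.  Usage:
rem   ipsec-diag.cmd          collect state into %SystemRoot%\Debug\ipsec-state.txt
rem   ipsec-diag.cmd trace    same, then enable IKE logging while you reproduce
rem The output path is an assumption.
set OUT=%SystemRoot%\Debug\ipsec-state.txt
echo IPSec state collected %DATE% %TIME% on %COMPUTERNAME% > "%OUT%"

call :section "IPSec driver and IKE configuration: exemptions, boot mode, diagnostics"
netsh ipsec dynamic show config >> "%OUT%"
call :section "Main mode policy in effect"
netsh ipsec dynamic show mmpolicy all >> "%OUT%"
call :section "Main mode SAs: one per peer, with the authentication method used"
netsh ipsec dynamic show mmsas >> "%OUT%"
call :section "Quick mode SAs: AH or ESP SAs per filter, with algorithms and SPIs"
netsh ipsec dynamic show qmsas >> "%OUT%"
call :section "Counters, including failed main mode and quick mode negotiations"
netsh ipsec dynamic show stats >> "%OUT%"
type "%OUT%"

if /i not "%~1"=="trace" exit /b 0
rem IKE tracing goes to %SystemRoot%\Debug\Oakley.log.  Enable it, reproduce
rem the failing connection from the peer, then disable it again: the log
rem grows quickly and records every negotiation on the host.
netsh ipsec dynamic set config property=ikelogging value=1
echo IKE logging is on. Retry the failing connection, then press a key.
pause >nul
netsh ipsec dynamic set config property=ikelogging value=0
echo Review %SystemRoot%\Debug\Oakley.log for the failed exchange.
exit /b 0

:section
rem Appends a labelled separator to the output file.
echo. >> "%OUT%"
echo === %~1 >> "%OUT%"
goto :eof
```

When the Audit Logon Events policy is enabled for success and failure, IKE also records its results in the Security event log, so a negotiation that fails with a main mode error shows up there alongside the counters in the file; compare the two before reading the Oakley trace.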

  • Implement security for wireless networks.

    • Practice 1: Log on to a domain controller and create a new Group Policy object (GPO). Navigate to the Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies node. Right-click the node and then click Create A New Wireless Policy to launch the Wireless Network Policy Wizard. Give the policy a name, click Next, leave the option to edit the properties selected, and click Finish. On the General tab of the policy's properties, set Networks To Access to Access Point (Infrastructure) Networks Only; this prevents the computers that receive the policy from joining ad hoc (computer-to-computer) networks.

    • Practice 2: Edit the properties of the wireless network policy you created in practice 1. Click the Preferred Networks tab, and then click Add. On the Network Properties tab, view the wireless network key (WEP) settings; on the IEEE 802.1x tab, view the Extensible Authentication Protocol (EAP) types available in the EAP Type list, and click Settings to see the options for the selected type, for example the server certificate validation settings of Smart Card Or Other Certificate (EAP-TLS). It does not matter if you do not actually have access to a wireless network; the purpose of this practice is to familiarize yourself with the options available in the policies. Note that a static WEP key on its own gives little protection; the 802.1x settings are what supply per-session key material and let the client verify the authentication server's certificate before it sends credentials.

  • Install and reenroll SSL certificates.

    • Practice 1: Install an enterprise root certification authority (CA) in your test domain, including the Certificate Services Web Enrollment Support component, which requires IIS on the CA. From a Web browser on another computer running Windows Server 2003, open http://enterprisecaname.domain/certsrv and log on with a domain account. Select the Request A Certificate option, then Advanced Certificate Request, then Create And Submit A Request To This CA. In the Advanced Certificate Request form, note the certificate templates offered: an enterprise CA lists only the templates for which the logged-on account has Enroll permission. Request a Server Authentication certificate (on an enterprise CA, the Web Server template) and select Store Certificate In The Local Computer Certificate Store so that IIS on that computer can use it; that option requires local administrator rights. The key pair is generated in the browser, so the private key never leaves the requesting computer, but over plain HTTP the request and the issued certificate cross the network unprotected; in production, publish the enrollment pages over HTTPS.

    • Practice 2: On the enterprise root CA in your test domain, run the Certificate Templates console by clicking Start, clicking Run, and then typing certtmpl.msc. Right-click the Domain Controller Authentication certificate template and click Reenroll All Certificate Holders. This command raises the template's major version number; computers that hold a certificate based on the template request a new one at their next autoenrollment cycle, which is how you replace every issued certificate after changing the template or after a key compromise. The command is available only for version 2 templates such as Domain Controller Authentication, which an enterprise CA can issue only when it runs on Windows Server 2003 Enterprise Edition or Datacenter Edition.
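
Web enrollment is one way to obtain the Server Authentication certificate from practice 1; the added example below, which is not from the training kit, requests the same kind of certificate from the command line with certreq and an INF file, the form in which server certificate requests are usually scripted. It assumes the server's host name and the CA configuration string (cahost.domain\CA display name) are passed as arguments, that the account running it may enroll for the Web Server template, and the file names request.inf, request.req and cert.cer.

```batch
@echo off
setlocal
rem Added example, not from the training kit: requests a Server Authentication
rem certificate for this computer from the enterprise CA with certreq.  Usage:
rem   sslcert.cmd www.example.com "cahost.example.com\Example Enterprise CA"
rem Host name, CA configuration string and file names are assumptions.
if "%~2"=="" (
    echo Usage: %~nx0 server-fqdn "cahost.domain\CA Display Name"
    exit /b 1
)
set SUBJECT=%~1
set CACONFIG=%~2

rem 1. Request parameters: 2048-bit RSA key in the machine store so that IIS
rem    can use it, not exportable, key usage digital signature + key
rem    encipherment (0xA0), exchange key (KeySpec 1) from the SChannel CSP,
rem    and the enterprise Web Server template, which carries the Server
rem    Authentication purpose.
(
    echo [NewRequest]
    echo Subject = "CN=%SUBJECT%"
    echo KeyLength = 2048
    echo Exportable = FALSE
    echo MachineKeySet = TRUE
    echo KeySpec = 1
    echo KeyUsage = 0xA0
    echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    echo RequestType = PKCS10
    echo [RequestAttributes]
    echo CertificateTemplate = WebServer
) > request.inf

rem 2. Generate the key pair and the PKCS#10 request; the private key stays
rem    on this host, only the request leaves it.
certreq -new request.inf request.req || exit /b 1
rem 3. Submit to the CA.  The template's Enroll permission decides whether it
rem    issues at once; if the request is left pending, certreq prints the
rem    RequestId to retrieve later with certreq -retrieve.
certreq -submit -config "%CACONFIG%" request.req cert.cer || exit /b 1
rem 4. Install the issued certificate against the pending key in the machine
rem    store.
certreq -accept cert.cer || exit /b 1
rem 5. Confirm it is in the local computer's Personal store with its key.
certutil -store My "%SUBJECT%"
```

Because the private key is generated with MachineKeySet set to TRUE and Exportable set to FALSE, the certificate can be selected for an IIS Web site on this computer but cannot be copied to another one, which is the behaviour you want for a server certificate.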

  • Configure remote access security.

    • Practice 1: Install Routing and Remote Access (RRAS) on one of your test computers running Windows Server 2003 by opening the Routing and Remote Access console from the Administrative Tools menu, right-clicking the server, and clicking Configure And Enable Routing And Remote Access to run the Routing And Remote Access Server Setup Wizard. Set up the server for remote access (dial-up or VPN); it does not matter if no modem is installed. Select the Dial-up check box. Set IP addresses to be assigned from a specified range and enter a range of five free IP addresses on your network. Click Next. Let Routing and Remote Access, rather than a RADIUS server, authenticate connection requests, and click Finish. Once the server is configured, right-click the Remote Access Policies node in the console and click New Remote Access Policy. Select Use The Wizard To Set Up A Typical Policy For A Common Scenario, name the policy TEST2, and click Next. Choose dial-up as the access method, grant access based on the permissions specified in the user account, set the authentication method to MS-CHAP v2 only, and set the policy encryption level to Strongest Encryption Only (128-bit MPPE for dial-up and PPTP connections, 3DES for L2TP/IPSec). Click Finish. The policy profile constrains only the connections that match the policy, so also clear the weaker protocols (PAP, SPAP, CHAP and MS-CHAP) in the server's own authentication settings (server Properties, Security tab, Authentication Methods): a connection must be permitted by both the server settings and the policy.

    • Practice 2: Install and run the Connection Manager Administration Kit (CMAK). The kit is installed by running the Add/Remove Windows Components Wizard and selecting it under Management And Monitoring Tools. After it is installed, run it from the Administrative Tools menu. Create a new profile, click Next, and give the profile the service name and file name test1. Click Next. Do not add a realm name. Click Next. Click Next again at the Merging Profile Information page, and again at the VPN Support page. Clear the Automatically Download Phonebook Updates check box, and then click Next. On the Dial-up Networking Entries page, edit the test1<default> entry. On the Security tab, set the security setting to Use Advanced Security Settings and configure them to require encryption. Clear the CHAP check box (and, to match the TEST2 policy from practice 1, PAP, SPAP and MS-CHAP as well, leaving only MS-CHAP v2). Click OK, and click OK again to return to the Dial-up Networking Entries page. Continue to click Next until the service profile is built, taking note of the different options available. The profile fixes what the client will offer, so a client built this way refuses to fall back to a weaker protocol even if a misconfigured server proposes one.
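
The TEST2 policy above restricts the connections it matches to MS-CHAP v2; the following added example, which is not from the training kit, makes the server-level authentication setting agree with it by using the netsh ras context, so that no connection can negotiate a weaker protocol regardless of which policy it matches. It assumes EAP should stay available for certificate-based connections and that the file is named ras-auth.cmd.

```batch
@echo off
rem Added example, not from the training kit: aligns the RRAS server's own
rem authentication settings with an "MS-CHAP v2 only" remote access policy.
rem A connection must be allowed by both the server settings and the policy
rem profile, so leaving PAP or MS-CHAP v1 enabled here weakens every policy
rem that does not explicitly exclude them.
rem "delete authtype" for a type that is not enabled only prints an error.
echo Authentication types before:
netsh ras show authtype
rem Remove clear-text and the older challenge/response protocols.
for %%T in (PAP SPAP MD5CHAP MSCHAP) do netsh ras delete authtype type=%%T
rem Keep MS-CHAP v2 (mutual authentication, per-session MPPE keys) and EAP.
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP
echo Authentication types after:
netsh ras show authtype
```

If the policy offers MS-CHAP v2 alone and no EAP-based policy exists, remove EAP as well with netsh ras delete authtype type=EAP; the server then rejects any client that cannot do MS-CHAP v2 before a policy is ever evaluated.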






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
Year: 2004
Pages: 217