Exam Reviews

70-293: Securing the Network Infrastructure

This new Windows Server 2003 exam requires expertise with TCP/IP, DNS, NLB, clustering and security—emphasis on security.

• By Andy Barkl
• 08/27/2003

Exam 70-293 is one step above 70-291, Implementing, Managing and Maintaining a Windows Server 2003 Network Infrastructure, because it requires knowledge of enterprise security and implementation. Whereas 70-291 tests your ability to manage and administer, this test requires planning and design experience. You'll find similarities between 70-293 and the Windows 2000 70-216 exam. Yet, you'll discover that it also introduces new topics not previously found on MCSE exams, such as network load balancing and clustering. Overall, however, the main theme of Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure is security. Let me count the ways.

Server Roles and Server Security
Microsoft claims that Windows Server 2003 includes 600 new security features. This exam doesn't test your knowledge of all 600, but it does go in-depth with security planning and configuration scenarios. These will require a fair amount of knowledge on your part to identify the correct answers.

The first exam objective for 70-293 is Planning and Implementing Server Roles and Server Security. Here you'll be tested on such endeavors as specifying baseline security settings for servers in specific network roles such as DC, Web, database and e-mail.

Microsoft Baseline Security Analyzer (MBSA) was released as a security scanning tool to be used with Windows 2000 and beyond. It's capable of detecting whether or not service packs and security updates are installed, logon and password restrictions are configured, unnecessary shares and services exist, and auditing is enabled. The most recent version for download, 1.1.1, also includes scanning capabilities for IIS and SQL servers. The best thing you can do to prepare for exam questions about MBSA is to download it and work with it while reading the help files (click here).

Creating Organizational Units (OUs) specifically for the purpose of assigning machine-based security templates with group policy helps tremendously when planning and configuring a baseline of security in a Windows Server 2003 network. Individual OUs for DCs are recommended. You should also use top-level member server OUs with child OUs for infrastructure, file, print, IAS, CA and Web servers. You can always use the block policy inheritance or no override options with GPOs to maintain a required inheritance policy. Group policies are applied and accumulated in the following order: local, site, domain, parent and child OU.

At the domain level, GPOs are used to define policies that include account and password, user rights assignments, auditing and event log configuration to name a few.

Tip: Remember that a Windows domain is both a security and administrative boundary, and only one password policy can exist per domain!

Table 1. Requirements for three of the certification paths toward the MCSE on Windows 2003. Exam 70-294 is required for those starting afresh and candidates who've already obtained an MCSA on Windows 2000. Candidates with an MCSE on Windows 2000 can bypass this exam.

Core Exams MCSE-Windows 2003 Normal Path MCSA-Windows 2000 Accelerated Path MCSE-Windows 2000 70-290: Managing and Maintaining a Windows Server 2003 Environment   70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 70-291: Implementing, Managing and Maintaining a Windows Server 2003 Network Infrastructure 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure 70-296: Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 70-294: Planning, implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure Core Client (take one)   70-210: Installing, Configuring and Administering Windows 2000 Professional No additional Core Client Exam required. No other core or elective requirements necessary for MCSE-Windows 2000. 70-270: Installing, Configuring and Administering Windows XP Professional xxxCore Design (take one) 70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure (Note: May be used as Design requirement or elective, but not both) 70-298: Designing Security for a Windows Server 2003 Network (Note: May be used as Design requirement or elective, but not both)

Making a Plan
The next exam objective, Planning, Implementing, and Maintaining a Network Infrastructure, pushes you to understand how to analyze, plan and create IP addressing requirements, routing and subnetting schemes. You can also expect questions on NAT, NetBIOS and host name resolution, WINS and DNS servers.

70-293: Planning and Maintaining a Network Infrastructure Reviewer's rating "I found this one similar to the Windows 2000 70-216 exam, yet it also introduces new topics not previously found on MCSE exams such as network load balancing and clustering." Status Live as of August 28, 2003. Exam Title Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Who Should Take It Core for the MCSE on Windows Server 2003. Preparation Guide www.microsoft.com/traincert/ exams/70-293.asp

You will need to know how to subnet and calculate network and host requirements based on a given scenario. The difficulty level here is similar to what you'll find on the 70-291 exam.

Along the lines of routing protocols, Windows Server 2003 supports RIP versions 1 and 2 and OSPF. RIP v1 is generally only needed for backwards support and doesn't support classless routing. RIP v2 includes security and multicast for routing updates. OSPF uses areas and autonomous systems to control routing updates with the backbone area 0, ASBRs (Autonomous System Boundary Router) and ABRs (Area Border Router).

Network address translation (NAT) is the solution when the need for a separate private and public address space is needed. Network address translation services use source and destination IP and port mappings to keep track of host connections and sessions. Windows Server 2003 also includes support for NAT-Traversal, which allows VPN-based clients running IPSec over LT2P the ability to connect!

Tip: Don't forget the IP troubleshooting tool IPconfig and switches that have been available since Windows 2000: /displaydns, which shows local cache; /registerdns, which forces registration; and /flushdns, which clears local cache.

WINS and DNS services haven't changed much in Windows Server 2003. If you're comfortable with the "Microsoft way" it's always been done, you shouldn't have much problem with this exam's name resolution questions. Just remember the six NetBIOS and Host name methods available and their order. NetBIOS uses these methods in this order: name cache, WINS, broadcast, LMHosts, hosts and DNS. Host name resolution uses these in this order: local cache, hosts, DNS, WINS, broadcast and LMHosts.

Requirements Spelled Out Exam 70-293 is a core requirement for anyone wanting to be certified as an MCSE on Windows Server 2003 (see Table 1 for the other exams you must take). Of course, if you're already certified on Windows 2000, you can bypass this one and go straight to 70-292 and 70-296 for the MCSE upgrade. These exams won't encompass a beta testing period since they'll include questions from other Windows 2003 exams such as this one.

Routing and Remote Access
The third exam objective is Planning Implementing and Maintaining Routing and Remote Access. On my exam, I found only a few questions from these topics-Remote Access Policies with remote connection management using IPSec and, of course, troubleshooting. It's crucial that you understand RRAS in Windows and how to configure such things as IPSec authentication for VPNs using Kerberos, Certificates or Pre-Shared keys. RAPs allow you to define the remote connection type, limit, encryption and profile.

Configuration of remote connections can make your days long and your nights short but troubleshooting them can turn day into night! Using the tools, ping, tracert, route, pathping, netsh and Network Monitor can certainly make your work less painful. Don't forget the syntax used with the route command: route print or route add network, mask, gateway, metric. Pathping is a useful tool; it uses ICMP and combines the best of ping and tracert. Netsh can be handy for command-line network interface configurations and documentation.

Tech Tip: Netsh can be used in Windows Server 2003 to "reset" the TCP/IP protocol stack, which is not available for uninstall and reinstallation under local network connections.

Server Availability
The objective "Planning, Implementing, and Maintaining Server Availability" includes quite a few topics that I've never seen as part of the Windows 2000 MCSE track.

For example, you might experience a healthy number of clustering questions on this exam-all the way from planning to configuration and troubleshooting. With the industry proliferation of storage area networks, I suppose this is a fair MCSE exam requirement. There's one document you really need to review this document, especially if you have no experience with Microsoft Cluster Service (click here). It provides you with an explanation of the reasons for cluster services along with hardware, software, network requirements and configuration.

Tip: Clustering is only supported in Windows Server 2003 Enterprise and Data Center editions with up to eight node cluster sizes.

To recover from a cluster node failure, Microsoft recommends these steps:

1. Use Cluster Administrator to evict the lost node from the cluster and verify for each cluster group and resource that the evicted node no longer appears as a possible or preferred owner.
2. Physically remove the damaged node from the cluster and shared storage.
   Tech Tip: You don't have to rebuild the lost node to replicate the originally lost node. You can build an entirely new node (new computer name and new IP address) and join the existing cluster.
3. Install Windows Server 2003 and provide a new computer name during installation on the new node.
4. Join the same domain as before with the same administrative permissions given to the previous node.
5. Connect the new node to the same shared storage as the original node.
6. Set up the cluster service on the newly built server.
7. Join the new node to the cluster.

Along the same lines, you'll want to be extra-prepared for possible questions about network load balancing (NLB) planning, configuration and troubleshooting.

Tip: Clustering and NLB can't be configured on the same server at the same time.

With NLB, many incoming requests can be spread across multiple servers. This allows these servers and network services to be highly available and responsive to clients.

NLB detects when a server stops responding and quickly moves client traffic to remaining servers. This is the perfect scenario for creating redundant Web, multimedia, VPN and proxy servers. Don't forget to use the new NLB Manager for the hands-on experience-because you never know when you need to prove you know this stuff by selecting the correct checkbox or button on a simulated screen or two!

Likewise, be proficient in backup types: full, incremental, differential and Automated System Recovery (ASR). You can read more by clicking here. Also, be sure to try out ASR, including the recovery procedure, on a test server.

Tip: ASR doesn't include data backup!

Network Security
The next objective is Planning and Maintaining Network Security. The topics you should study include planning and configuring IPSec policies and IPSec for protocol security and data transmission as well as IPSec in a wireless network. Did I mention this exam includes IPSec?

IPSec is a common protocol used for LAN and WAN traffic encryption. It can be used to secure internal server to server or client to server communication. It's also widely used to secure VPN client-to-server communication across the Internet.

The best place to start your exam preparation is by reviewing the Microsoft "Threats and Countermeasures" guide (click here).

Becoming familiar with the new Group Policy Management Console and the Resultant Set of Policies tool is a must! (Click here to read the GPMC homepage.) A new add-on to group policies, RSoP allows you view IPSec policy assignments for a computer. You can use this to plan deployment of GPOs and troubleshoot policy precedence. To view IPSec policy assignments in RSoP, you would use the RSoP MMC console and run a query.

RSoP provides two types of queries: logging mode (for viewing IPSec policy assignments for a computer) and planning mode (for viewing IPSec policy assignments for computers). IPSec policies can be assigned with GPOs or they can be assigned and stored locally on a computer. When a computer is joined to a domain, the domain IPSec policy applies. If a computer isn't joined to a domain, only the local IPSec policy applies. When multiple IPSec policies are assigned, the last policy processed is the policy that is applied.

The best resource for understanding IPSec is "Deploying Network Services," a chapter in the Windows Server 2003 Deployment Kit. Click here for to read chapter six. You should also review chapter number 11, "Deploying a Wireless LAN," for this exam.

10 Things To Practice Deploy a Certificate Authority hierarchy and work with PKI. You can use VMware if you don't have multiple servers for this. Issue, publish and distribute certificates for EFS and IPSec. Learn how auto-enrollment works. Configure and deploy IPSec policies using the logging and planning modes of RSoP. You're going to need to know network load balancing inside and out. Read everything you can get your hands on and practice with the product. Work with Cluster Server. You can download an evaluation copy of Windows Server 2003 Enterprise edition and a VMware ESX 30-day trial. What are you waiting for? Clustering technology is cool! Deploy and view the results of the sample security templates included with the Windows Server 2003 Security Guide. Practice makes perfect! Use all the TCP/IP troubleshooting tools. Ping, tracert, IPconfig, netsh and Network Monitor are the tools of the trade. Use them on a daily basis and become a more effective troubleshooter. Configure, break and fix DNS. Have you made it this far without feeling 100 percent comfortable with DNS? Don't sell yourself short—every good network person knows DNS. Run Automated System Recovery and restore a server even if it's not broken. Choose a favorite method for remembering the six possible steps for both NetBIOS and host name resolution. Make sure you know how to subnet in your head so this small detail doesn't get in the way of the bigger picture.

The Security Infrastructure
The final objective in this exam, Planning, Implementing, and Maintaining Security Infrastructure, includes PKI, PKI and more PKI planning questions using Certificate Services. First you should review chapter 16, "Designing a Public Key Infrastructure," in the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services—unless you have years of experience as a security infrastructure engineer. Click here for the guide.

You'll also need to practice, practice and practice some more the correct implementation of Microsoft Certificate Services. I suggest VMware on a box with lots of RAM and several hours of spare time. There's no shortcutting hands-on experience!

PKI includes a carefully planned, deployed and maintained security services infrastructure to support authentication, integrity and confidentiality. CA servers are a big part of this infrastructure. They allow distribution of both user and computer certificates for use with the following: email and document signing, encrypting file system, secure communication between computers, smart cards and 802.1x wireless client authentication.

Some of the terms you should know include: digital certificates, certification authorities (CA), certificate policy and procedures, certificate repositories, certificate trust lists (CTL) and certificate revocation lists (CRL).

Choose your CA type. Enterprise CAs require Active Directory, and they publish certificates and certificate revocation lists to AD. Enterprise CAs use information stored in AD, including user accounts and security groups, to approve or deny certificate requests. Enterprise CAs use certificate templates. When a certificate is issued, the enterprise CA uses information in the certificate template to generate a certificate with the attributes for that certificate type.

If you need to enable automated certificate approval and automatic user certificate enrollment, choose enterprise CAs.

Stand-alone CAs don't require AD and don't use certificate templates. If you choose a stand-alone CA, its information about the requested certificate type is included in the certificate request. You can choose to configure stand-alone CAs to issue certificates automatically upon request.

Tech Note: Stand-alone CAs with automatic issuance enable you to issue certificates at a faster rate than you can by using enterprise CAs.

Stand-alone CAs work best when used with PKI applications on extranets and the Internet when it's not feasible to assign users Windows Server 2003 accounts.

Tip: There are root CAs, subordinate CAs, issuing CAs and offline CAs. Root CAs use a self-issuing certificate. Subordinates receive their certificate from root CAs, which in turn issue certificates to users and computers.

There's plenty more to CAs and certificates. Make this a major area of your study.

Additional Information The exam guidelines are available by clicking here. Study resources for Windows Server 2003 can be found within the help and documentation of the product. Of course, you'll also want as much hands-on practice as you can obtain. If your company hasn't made the move yet, work with the 180-day evaluation (click here). There's also a lot of information available online from Microsoft such as at the Windows Server Community (click here). One of the best study resources I found for this exam is the "Windows Server 2003 Security Guide," which you can download by clicking here. You can also take the Microsoft official training course at your local CTEC from an MCT: 2278: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (5 days) Microsoft Press offers this self-study material: MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, ISBN 0-7356-1893-3 MCSE Self-Paced Training Kit: Microsoft Windows Server 2003 Core Requirements, Exams 70-290, 70-291, 70-293, ISBN 0-7356-1953-0

Final Report
If you missed my point about this exam, I'll repeat myself: You must become a security maven to get through 70-293. That takes many forms. You can't expect to consider yourself a systems engineer if you don't know the many nuances of security. Use the exam preparation guidelines issued by Microsoft, as well as the advice I offer in this article, to set up a study program. That's how you'll be best prepared to tackle this test. Good luck!

Stay tuned for my next article, where I will help you prepare for exam 70-294: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure. This exam is similar to the current MCSE exam, 70-217.