70-293: Securing the Network Infrastructure
This new Windows Server 2003 exam requires expertise with TCP/IP, DNS, NLB, clustering and security—emphasis on security.
Exam 70-293 is one step above 70-291, Implementing, Managing and Maintaining
a Windows Server 2003 Network Infrastructure, because it requires knowledge
of enterprise security and implementation. Whereas 70-291 tests your ability
to manage and administer, this test requires planning and design experience.
You'll find similarities between 70-293 and the Windows 2000 70-216 exam. Yet,
you'll discover that it also introduces new topics not previously found on MCSE
exams, such as network load balancing and clustering. Overall, however, the
main theme of Planning and Maintaining a Microsoft Windows Server 2003 Network
Infrastructure is security. Let me count the ways.
Server Roles and Server Security
Microsoft claims that Windows Server 2003 includes 600 new security features.
This exam doesn't test your knowledge of all 600, but it does go in-depth with
security planning and configuration scenarios. These will require a fair amount
of knowledge on your part to identify the correct answers.
The first exam objective for 70-293 is Planning and Implementing Server Roles
and Server Security. Here you'll be tested on such endeavors as specifying baseline
security settings for servers in specific network roles such as DC, Web, database
Microsoft Baseline Security Analyzer (MBSA) was released as a security scanning
tool for Windows 2000 and later. It detects whether service packs and security
updates are missing, whether logon and password restrictions are configured,
whether unnecessary shares and services exist, and whether auditing is enabled.
The most recent version for download, 1.1.1, also scans IIS and SQL servers. Keep
in mind that MBSA reports the state of a machine at scan time against Microsoft's
checklist; it's a baseline check, not a substitute for patch management or a full
vulnerability assessment. The best thing you can do to prepare for exam questions
about MBSA is to download it and work with it while reading the help files.
Creating Organizational Units (OUs) specifically for the purpose of assigning
machine-based security templates with group policy helps tremendously when planning
and configuring a baseline of security in a Windows Server 2003 network. A separate
OU for DCs is recommended (the Domain Controllers OU exists by default). You should
also use a top-level member server OU with child OUs for infrastructure, file, print,
IAS, CA and Web servers. Two GPO options control inheritance: Block Policy Inheritance
on an OU stops GPOs linked above it from applying, and No Override on a GPO link
pushes that GPO through even where inheritance is blocked. Group policies are applied
and accumulated in the following order: local, site, domain, parent OU and child OU.
Where two GPOs set the same value, the one applied last wins, so the GPO closest to
the computer normally has the final say.
At the domain level, GPOs are used to define policies that include account
and password, user rights assignments, auditing and event log configuration
to name a few.
Tip: Remember that a Windows domain is both a security and administrative
boundary, and only one password policy can exist per domain!
Table 1. Requirements for three of the certification paths toward the MCSE on
Windows Server 2003. Exam 70-293 is required for those starting afresh and for
candidates who've already obtained an MCSA on Windows 2000; candidates with an
MCSE on Windows 2000 can bypass this exam.

MCSE on Windows Server 2003, normal path
  Core networking (take all four):
    70-290: Managing and Maintaining a Windows Server 2003 Environment
    70-291: Implementing, Managing and Maintaining a Windows Server 2003 Network Infrastructure
    70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure
    70-294: Planning, Implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure
  Core client (take one):
    70-210: Installing, Configuring and Administering Windows 2000 Professional
    70-270: Installing, Configuring and Administering Windows XP Professional
  Design (take one; either may be used as the design requirement or as an elective, but not both):
    70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure
    70-298: Designing Security for a Windows Server 2003 Network

MCSA on Windows 2000 upgrade path
  Core networking:
    70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000 (in place of 70-290 and 70-291)
    70-293 and 70-294, as above
  Core client: no additional core client exam
  Design (take one): 70-297 or 70-298, as above

MCSE on Windows 2000 upgrade path
  70-292, as above
  70-296: Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000
  No other core or elective requirements necessary.
Making a Plan
The next exam objective, Planning, Implementing, and Maintaining a Network Infrastructure,
pushes you to understand how to analyze, plan and create IP addressing requirements,
routing and subnetting schemes. You can also expect questions on NAT, NetBIOS
and host name resolution, WINS and DNS servers.
Exam 70-293: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Reviewer's comment: "I found this one similar to the Windows 2000 70-216 exam, yet it also introduces new topics not previously found on MCSE exams such as network load balancing and clustering."
Status: Live as of August 28, 2003.
Who should take it: Core for the MCSE on Windows Server 2003.
You will need to know how to subnet and calculate network and host requirements
based on a given scenario. The difficulty level here is similar to what you'll
find on the 70-291 exam.
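As an added example (not part of the original article), here is the subnet arithmetic those scenario questions boil down to, in Python using the standard ipaddress module: the facts about one subnet, the prefix that fits a given host count, a VLSM allocation that carves one block into several subnets largest-first, and the "are these two hosts on the same wire" check that lies behind many troubleshooting questions. The address blocks and host counts are constructed inputs.

```python
import ipaddress
from typing import Dict, List


def subnet_facts(cidr: str) -> Dict[str, object]:
    """The numbers an exam scenario asks for about one IPv4 subnet (prefixes up to /30)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "first_host": str(net[1]),
        "last_host": str(net[-2]),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
    }


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose subnet holds `hosts` usable addresses.

    We need hosts + 2 addresses (network and broadcast are unusable), rounded up
    to a power of two, with at least 2 host bits so a /30 is the smallest handed out.
    """
    host_bits = max(2, (hosts + 1).bit_length())   # 2**host_bits >= hosts + 2
    return 32 - host_bits


def plan_subnets(block: str, hosts_per_subnet: List[int]) -> List[Dict[str, object]]:
    """VLSM plan: one subnet per demand, allocated from `block` largest demand first.

    Free space is a list of CIDR blocks. Each allocation takes the smallest free
    block that fits (best fit) and returns the unused remainder to the pool.
    """
    free = [ipaddress.ip_network(block, strict=True)]
    plan: List[Dict[str, object]] = []
    for hosts in sorted(hosts_per_subnet, reverse=True):
        want = prefix_for_hosts(hosts)
        # Longest-prefix (smallest) candidates first, then lowest address.
        free.sort(key=lambda n: (-n.prefixlen, int(n.network_address)))
        for i, cand in enumerate(free):
            if cand.prefixlen <= want:
                chosen = next(cand.subnets(new_prefix=want))   # lowest-addressed piece
                free.pop(i)
                free.extend(cand.address_exclude(chosen))      # give back the remainder
                break
        else:
            raise ValueError(f"{block} cannot hold another subnet of {hosts} hosts")
        facts = subnet_facts(str(chosen))
        facts["required_hosts"] = hosts
        plan.append(facts)
    return plan


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Does host A, configured with `mask`, consider host B to be on its own subnet?"""
    network = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    return ipaddress.ip_address(ip_b) in network


if __name__ == "__main__":
    for row in plan_subnets("192.168.10.0/24", [100, 50, 20, 2]):
        print(row)
    # Two hosts on 10.1.1.x with a /25 mask sit in different halves: no direct reachability.
    print(same_subnet("10.1.1.10", "10.1.1.200", "255.255.255.128"))
```

The allocator sorts demands largest-first so every subnet lands on a boundary aligned to its own size, which is exactly the hand method the exam expects; the `ValueError` is the "not enough address space" answer some scenarios are fishing for.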
Along the lines of routing protocols, Windows Server 2003 supports RIP versions
1 and 2 and OSPF. RIP v1 is generally only needed for backward compatibility; it's
classful, so it doesn't carry subnet masks and can't support VLSM or classless
routing. RIP v2 adds simple password authentication of routing updates and sends
them by multicast rather than broadcast. OSPF divides an autonomous system into
areas to limit the scope of routing updates: every area attaches to backbone area 0,
Area Border Routers (ABRs) connect areas to the backbone, and Autonomous System
Boundary Routers (ASBRs) connect the OSPF domain to other routing protocols or
autonomous systems.
Network address translation (NAT) is the solution when you need a private address
space inside and a single public address (or small pool) outside. NAT services keep
a table of source and destination IP addresses and ports so they can track each
host's connections and sessions and rewrite replies back to the right inside host.
Windows Server 2003 also includes support for NAT-Traversal (NAT-T), which wraps
IPSec ESP traffic in UDP (port 4500) so that VPN clients running L2TP over IPSec
behind a NAT device can connect; without it, ESP carries no port numbers for the
NAT to map.
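The mapping table described above, as an added example rather than anything from the article or from Windows: a Python model of port-address translation that rewrites outbound sources, forwards inbound packets only when they match an existing mapping, and drops unsolicited traffic. It also shows why plain ESP can't be translated (no ports) and what NAT-T's UDP encapsulation on port 4500 adds. The addresses, ports and the Packet class are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, Optional[int]]   # (ip, port); port is None for protocols without ports


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "esp"
    src: Endpoint
    dst: Endpoint


class NatGateway:
    """Port-address translation: every private host behind one public address.

    Outbound packets get their source rewritten to (public_ip, allocated port).
    The mapping is keyed on protocol, private source AND remote destination, so a
    reply is forwarded only if it comes from the peer the inside host talked to.
    """

    def __init__(self, public_ip: str, first_port: int = 49152) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, Endpoint, Endpoint], int] = {}
        self.in_map: Dict[Tuple[str, int, Endpoint], Endpoint] = {}

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src[1] is None:
            # ESP has no port numbers, so PAT has nothing to rewrite: a second
            # IPSec client behind this gateway would be indistinguishable from the first.
            return None
        key = (pkt.proto, pkt.src, pkt.dst)
        port = self.out_map.get(key)
        if port is None:                       # first packet of a new session
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port, pkt.dst)] = pkt.src
        return Packet(pkt.proto, (self.public_ip, port), pkt.dst)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Forward only traffic that matches a live mapping; unsolicited inbound is dropped."""
        if pkt.dst[0] != self.public_ip or pkt.dst[1] is None:
            return None
        inside = self.in_map.get((pkt.proto, pkt.dst[1], pkt.src))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, inside)


def nat_t_encapsulate(esp: Packet) -> Packet:
    """NAT-Traversal: wrap ESP in UDP on port 4500 so the gateway has ports to map."""
    return Packet("udp", (esp.src[0], 4500), (esp.dst[0], 4500))


if __name__ == "__main__":
    gw = NatGateway("203.0.113.5")
    print(gw.translate_out(Packet("tcp", ("10.0.0.7", 51000), ("198.51.100.80", 443))))
    print(gw.translate_in(Packet("tcp", ("198.51.100.99", 443), ("203.0.113.5", 49152))))  # None
    esp = Packet("esp", ("10.0.0.7", None), ("198.51.100.1", None))
    print(gw.translate_out(esp), gw.translate_out(nat_t_encapsulate(esp)))
```

Two inside hosts that both pick source port 51000 still get distinct public ports, which is the whole point of tracking ports and not just addresses; and because the inbound lookup includes the remote endpoint, a third party that guesses the public port still gets nothing back.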
Tip: Don't forget the IP troubleshooting tool IPconfig and the switches
that have been available since Windows 2000: /displaydns, which shows the local
resolver cache; /registerdns, which forces DNS registration; and /flushdns, which
clears that cache.
WINS and DNS services haven't changed much in Windows Server 2003. If you're
comfortable with the "Microsoft way" it's always been done, you shouldn't
have much problem with this exam's name resolution questions. Just remember
the six NetBIOS and host name methods available and their order. NetBIOS name
resolution uses these methods in this order: name cache, WINS, broadcast, LMHOSTS,
HOSTS and DNS. Host name resolution uses them in this order: local cache, HOSTS,
DNS, WINS, broadcast and LMHOSTS. The two orders differ, so the same name can
resolve to different addresses depending on which API a client calls.
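Added example, not from the article: a Python model of the two resolution orders above. The constructed answer tables show the practical consequence of the different orders: a doctored HOSTS file wins for host-name resolution (ping, HTTP) while the NetBIOS path (net use) still gets its answer from WINS, so the same name can land on two different machines. The NetBIOS order in the article is the hybrid (h-node) order; the other node-type orders in the block are an assumption drawn from the standard B/P/M/H definitions and go beyond the text.

```python
from typing import Dict, List, Optional, Tuple

# Host name order as the article lists it. The article's NetBIOS order is the
# hybrid (h-node) order, the default once a WINS server is configured; the other
# node types are added from the standard B/P/M/H definitions (assumption).
HOSTNAME_ORDER = ["local cache", "HOSTS", "DNS", "WINS", "broadcast", "LMHOSTS"]
NETBIOS_ORDER = {
    "h-node": ["name cache", "WINS", "broadcast", "LMHOSTS", "HOSTS", "DNS"],
    "b-node": ["name cache", "broadcast", "LMHOSTS", "HOSTS", "DNS"],
    "p-node": ["name cache", "WINS", "LMHOSTS", "HOSTS", "DNS"],
    "m-node": ["name cache", "broadcast", "WINS", "LMHOSTS", "HOSTS", "DNS"],
}

# method -> {NAME: ip}. A method missing from the dict gives no answer
# (the WINS server is down, nobody answered the broadcast, and so on).
Sources = Dict[str, Dict[str, str]]


def resolve(name: str, order: List[str], sources: Sources) -> Tuple[Optional[str], Optional[str]]:
    """Ask each method in order; return (ip, method) from the first one that answers."""
    key = name.upper()
    for method in order:
        ip = sources.get(method, {}).get(key)
        if ip is not None:
            return ip, method
    return None, None


def resolve_netbios(name: str, sources: Sources, node_type: str = "h-node"):
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return resolve(name, NETBIOS_ORDER[node_type], sources)


def resolve_host(name: str, sources: Sources):
    return resolve(name, HOSTNAME_ORDER, sources)


def constructed_sources() -> Sources:
    """Constructed answers: WINS and DNS agree on FILESRV, but this client's HOSTS
    file has been edited (by an admin, or by an attacker) to point it elsewhere."""
    return {
        "WINS": {"FILESRV": "10.0.0.5"},
        "DNS": {"FILESRV": "10.0.0.5", "WEB01": "10.0.0.80"},
        "HOSTS": {"FILESRV": "10.0.0.99"},
    }


if __name__ == "__main__":
    s = constructed_sources()
    print("net use \\\\filesrv ->", resolve_netbios("filesrv", s))   # answered by WINS
    print("ping filesrv       ->", resolve_host("filesrv", s))      # answered by HOSTS
```

When a user reports that `ping` and a mapped drive disagree about where a server is, the order tables are the first thing to check; a HOSTS entry that beats DNS is also a classic low-effort redirection, which is why HOSTS belongs in your baseline integrity checks.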
Exam 70-293 is a core requirement for anyone wanting to be
certified as an MCSE on Windows Server 2003 (see Table
1 for the other exams you must take). Of course,
if you're already certified on Windows 2000, you can bypass
this one and go straight to 70-292 and 70-296 for the MCSE
upgrade. These exams won't encompass a beta testing period
since they'll include questions from other Windows 2003 exams
such as this one.
Routing and Remote Access
The third exam objective is Planning, Implementing and Maintaining Routing and
Remote Access. On my exam, I found only a few questions from these topics: Remote
Access Policies, remote connection management using IPSec and, of course,
troubleshooting. It's crucial that you understand RRAS in Windows and how to
configure such things as IPSec authentication for VPNs using Kerberos, certificates
or pre-shared keys. Pre-shared keys are the weakest of the three and are meant for
interoperability testing rather than production; certificates are the recommended
choice for L2TP/IPSec. RAPs allow you to define the remote connection type, limits,
encryption and profile.
Configuration of remote connections can make your days long and your nights
short, but troubleshooting them can turn day into night! Using the tools ping,
tracert, route, pathping, netsh and Network Monitor can certainly make your
work less painful. Don't forget the syntax used with the route command: route
print, or route add <network> mask <netmask> <gateway> metric <cost> (add -p to
make the route persistent across reboots). Pathping is a useful tool; it uses ICMP
and combines the best of ping and tracert, reporting per-hop loss over time. Netsh
can be handy for command-line network interface configurations and documentation.
Tech Tip: Netsh can be used in Windows Server 2003 to "reset" the TCP/IP
protocol stack, which can't be uninstalled and reinstalled from Local Area
Connection properties. The command is netsh interface ip reset <logfile>; it
rewrites the TCP/IP registry keys to their installation defaults and logs what it
changed.
The objective "Planning, Implementing, and Maintaining Server Availability"
includes quite a few topics that I've never seen as part of the Windows 2000 exams.
For example, you might experience a healthy number of clustering questions
on this exam, all the way from planning to configuration and troubleshooting.
With the industry proliferation of storage area networks, I suppose this is
a fair MCSE exam requirement. There's one Microsoft document on Cluster Service that
you really need to review, especially if you have no experience with the product.
It provides you with an explanation of the reasons for cluster services along with
hardware, software, network requirements and configuration.
Tip: Server clustering is only supported in Windows Server 2003 Enterprise
and Datacenter editions, with cluster sizes of up to eight nodes.
To recover from a cluster node failure, Microsoft recommends these steps:
- Use Cluster Administrator to evict the lost node from the cluster and verify
for each cluster group and resource that the evicted node no longer appears
as a possible or preferred owner.
- Physically remove the damaged node from the cluster and shared storage.
Tech Tip: You don't have to rebuild the lost node to replicate
the originally lost node. You can build an entirely new node (new computer
name and new IP address) and join the existing cluster.
- Install Windows Server 2003 and provide a new computer name during installation
on the new node.
- Join the same domain as before with the same administrative permissions
given to the previous node.
- Connect the new node to the same shared storage as the original node.
- Set up the cluster service on the newly built server.
- Join the new node to the cluster.
Along the same lines, you'll want to be extra-prepared for possible questions
about network load balancing (NLB) planning, configuration and troubleshooting.
Tip: Clustering and NLB can't be configured on the same server
at the same time.
With NLB, many incoming requests can be spread across multiple servers. This
allows these servers and network services to be highly available and responsive.
NLB detects when a server stops responding and quickly moves client traffic
to the remaining servers. This is the perfect scenario for creating redundant Web,
multimedia, VPN and proxy servers. Don't forget to use the new NLB Manager for
the hands-on experience, because you never know when you need to prove you know
this stuff by selecting the correct checkbox or button on a simulated screen.
Likewise, be proficient in backup types: full, incremental, differential and
Automated System Recovery (ASR). Also, be sure to try out ASR, including the
recovery procedure, on a test server.
Tip: ASR doesn't include data backup!
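As an added example that is not from the article, this Python simulation tracks the archive bit through full, incremental and differential jobs and then works out which media a complete restore needs. File names and days are constructed, and one job per day is assumed. It models data backup only: as the tip says, ASR covers the system state and system volume, so a real recovery is ASR first and then this chain.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class FileEntry:
    name: str
    archive_bit: bool = True   # set whenever a file is created or modified


class BackupSim:
    """Models how NTBackup's full, incremental and differential jobs use the archive bit."""

    def __init__(self, names: List[str]) -> None:
        self.files: Dict[str, FileEntry] = {n: FileEntry(n) for n in names}
        self.jobs: List[Tuple[str, int, List[str]]] = []   # (type, day, files copied)

    def modify(self, name: str) -> None:
        self.files[name].archive_bit = True

    def full(self, day: int) -> List[str]:
        copied = sorted(self.files)                         # everything, then clear bits
        for f in self.files.values():
            f.archive_bit = False
        self.jobs.append(("full", day, copied))
        return copied

    def incremental(self, day: int) -> List[str]:
        copied = sorted(n for n, f in self.files.items() if f.archive_bit)
        for f in self.files.values():                        # changed files only, bits cleared
            f.archive_bit = False
        self.jobs.append(("incremental", day, copied))
        return copied

    def differential(self, day: int) -> List[str]:
        copied = sorted(n for n, f in self.files.items() if f.archive_bit)
        self.jobs.append(("differential", day, copied))      # bits left set: next one grows
        return copied

    def restore_chain(self) -> List[Tuple[str, int]]:
        """Media needed for a complete restore: the last full, every incremental after it,
        and the latest differential taken after the last of those incrementals."""
        full_idx = max(i for i, j in enumerate(self.jobs) if j[0] == "full")
        tail = self.jobs[full_idx + 1:]
        chain = [self.jobs[full_idx]] + [j for j in tail if j[0] == "incremental"]
        last_inc = max((i for i, j in enumerate(tail) if j[0] == "incremental"), default=-1)
        later_diffs = [j for j in tail[last_inc + 1:] if j[0] == "differential"]
        if later_diffs:
            chain.append(later_diffs[-1])
        return [(kind, day) for kind, day, _ in chain]

    def restored_files(self) -> Set[str]:
        """Every file recoverable from the chain (a sanity check that nothing is lost)."""
        needed = set(self.restore_chain())
        return {n for kind, day, names in self.jobs if (kind, day) in needed for n in names}


if __name__ == "__main__":
    sim = BackupSim(["payroll.mdb", "web.config", "notes.txt"])
    sim.full(1)
    sim.modify("payroll.mdb"); sim.incremental(3)
    sim.modify("web.config"); sim.differential(5)
    sim.modify("notes.txt"); print(sim.differential(7), sim.restore_chain())
```

The exam-style trap is in `restore_chain`: after an incremental, an earlier differential is worthless, and a differential alone never replaces the incrementals taken before it. Run the scenario with the incremental removed and watch the chain shrink to full plus the last differential.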
The next objective is Planning and Maintaining Network Security. The topics
you should study include planning and configuring IPSec policies and IPSec for
protocol security and data transmission, as well as IPSec in a wireless network.
Did I mention this exam includes IPSec?
IPSec is a common protocol used for LAN and WAN traffic encryption. It can
be used to secure internal server-to-server or client-to-server communication.
It's also widely used to secure VPN client-to-server communication across the
Internet.
The best place to start your exam preparation is by reviewing the Microsoft
"Threats and Countermeasures" guide.
Becoming familiar with the new Group Policy Management Console (GPMC) and the
Resultant Set of Policy (RSoP) tool is a must! RSoP, a newer addition to group
policy, lets you view the IPSec policy assignment for a computer; use it to plan
GPO deployments and to troubleshoot policy precedence. To view IPSec policy
assignments in RSoP, open the RSoP MMC console and run a query. RSoP provides two
types of queries: logging mode, which reports the policy actually applied to an
existing computer, and planning mode, which simulates what would apply to a computer
given a chosen site, domain, OU or security group membership before you move it.
IPSec policies can be assigned with GPOs or they can be assigned and stored locally
on a computer. When a computer is joined to a domain and a domain GPO assigns an
IPSec policy, that domain policy applies and overrides the local assignment. If a
computer isn't joined to a domain, only the local IPSec policy applies. Only one
IPSec policy can be active on a computer at a time: when several are assigned
through different GPOs, the last policy processed (the one from the GPO with the
highest precedence) is the one that takes effect.
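The inheritance rules in the Server Roles and Server Security section (local, site, domain, parent OU, child OU; Block Policy Inheritance; No Override) and the IPSec rule just above (a single assignment, the last one processed wins) are the same precedence engine, so here is one added Python model of it, not from the article or from Windows. It returns the kind of answer RSoP logging mode gives: for each setting, the winning value and the GPO that supplied it. The domain, OU and GPO names are constructed; the model assumes the local GPO is always processed and is not subject to blocking, and it does not encode the exception that account policies for domain accounts come only from domain-linked GPOs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    no_override: bool = False      # "No Override" on the link (called "Enforced" in GPMC)


@dataclass
class Container:
    """A site, domain or OU. gpos is in link order: index 0 has the highest precedence."""
    name: str
    gpos: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(local: GPO, chain: List[Container]) -> List[GPO]:
    """GPOs in the order they are applied; a later GPO overwrites an earlier one's settings.

    chain runs site -> domain -> parent OU -> child OU. Normal links are applied in
    that order, so the container closest to the computer wins. Block Policy
    Inheritance on a container discards the normal links of every container above
    it (the local GPO is assumed to stay). No Override links are never discarded:
    they are applied after all normal links, highest container last, so the highest
    enforced link wins over everything.
    """
    normal: List[GPO] = [local]
    enforced_by_container: List[List[GPO]] = []
    for c in chain:
        if c.block_inheritance:
            normal = [local]
        # reversed(): the link with the lowest order number is applied last and wins
        normal += [g for g in reversed(c.gpos) if not g.no_override]
        enforced_by_container.append([g for g in reversed(c.gpos) if g.no_override])
    enforced: List[GPO] = []
    for group in reversed(enforced_by_container):   # child OU first ... site last
        enforced += group
    return normal + enforced


def resultant_set(local: GPO, chain: List[Container]) -> Dict[str, Tuple[str, str]]:
    """setting -> (winning value, GPO that supplied it), what RSoP logging mode reports."""
    result: Dict[str, Tuple[str, str]] = {}
    for gpo in processing_order(local, chain):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def constructed_example(block_web_ou: bool = True) -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: a web server in corp.example / Member Servers / Web."""
    local = GPO("Local", {"ipsec_policy": "Client (Respond Only)", "audit_logon": "none"})
    chain = [
        Container("Default-First-Site-Name"),
        Container("corp.example", [GPO("Domain Baseline", {
            "ipsec_policy": "Server (Request Security)", "event_log_max_kb": "16384"})]),
        Container("Member Servers", [GPO("Server Baseline", {
            "ipsec_policy": "Secure Server (Require Security)"}, no_override=True)]),
        Container("Web", [GPO("Web Servers", {
            "ipsec_policy": "Client (Respond Only)", "audit_logon": "success,failure"})],
            block_inheritance=block_web_ou),
    ]
    return resultant_set(local, chain)


if __name__ == "__main__":
    for setting, (value, source) in sorted(constructed_example().items()):
        print(f"{setting:18} {value:35} from {source}")
```

In the constructed scenario the Web OU's administrator blocks inheritance and assigns the permissive Client (Respond Only) IPSec policy, yet the server ends up with Secure Server (Require Security) because the parent OU's link is No Override; meanwhile the domain's event log size silently disappears, which is the side effect of blocking that planning mode is there to catch.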
The best resource for understanding IPSec is "Deploying Network Services" in the
Windows Server 2003 Deployment Kit, specifically chapter six. You should also
review chapter 11, "Deploying a Wireless LAN," for this exam.
Things To Practice
- Deploy a Certificate Authority hierarchy and work with
PKI. You can use VMware if you don't have multiple servers
for this. Issue, publish and distribute certificates for
EFS and IPSec. Learn how auto-enrollment works.
- Configure and deploy IPSec policies using the logging
and planning modes of RSoP.
- You're going to need to know network load balancing inside
and out. Read everything you can get your hands on and practice
with the product.
- Work with Cluster Server. You can download an evaluation
copy of Windows
Server 2003 Enterprise edition and a VMware
ESX 30-day trial. What are you waiting for?
Clustering technology is cool!
- Deploy and view the results of the sample security templates
included with the Windows Server 2003 Security Guide. Practice
- Use all the TCP/IP troubleshooting tools. Ping, tracert,
IPconfig, netsh and Network Monitor are the tools of the
trade. Use them on a daily basis and become a more effective
troubleshooter.
- Configure, break and fix DNS. Have you made it this far
without feeling 100 percent comfortable with DNS? Don't
sell yourself short: every good network person knows DNS.
- Run Automated System Recovery and restore a server even
if it's not broken.
- Choose a favorite method for remembering the six possible
steps for both NetBIOS and host name resolution.
- Make sure you know how to subnet in your head so this
small detail doesn't get in the way of the bigger picture.
The Security Infrastructure
The final objective in this exam, Planning, Implementing, and Maintaining Security
Infrastructure, includes PKI, PKI and more PKI planning questions using Certificate
Services. First you should review chapter 16, "Designing a Public Key Infrastructure,"
in the Windows Server 2003 Deployment Kit: Designing and Deploying Directory
and Security Services, unless you have years of experience as a security
infrastructure engineer.
You'll also need to practice, practice and practice some more the correct implementation
of Microsoft Certificate Services. I suggest VMware on a box with lots of RAM
and several hours of spare time. There's no shortcutting hands-on experience!
A PKI is a carefully planned, deployed and maintained security services
infrastructure to support authentication, integrity and confidentiality. CA
servers are a big part of this infrastructure. They issue both user and computer
certificates for use with the following: email and document signing, Encrypting
File System, secure communication between computers (IPSec), smart cards and
802.1x wireless client authentication.
Some of the terms you should know include: digital certificates, certification
authorities (CA), certificate policy and procedures, certificate repositories,
certificate trust lists (CTL) and certificate revocation lists (CRL).
Choose your CA type. Enterprise CAs require Active Directory, and they publish
certificates and certificate revocation lists to AD. Enterprise CAs use information
stored in AD, including user accounts and security groups, to approve or deny
certificate requests. Enterprise CAs use certificate templates. When a certificate
is issued, the enterprise CA uses information in the certificate template to
generate a certificate with the attributes for that certificate type.
If you need to enable automated certificate approval and automatic user certificate
enrollment, choose enterprise CAs.
Stand-alone CAs don't require AD and don't use certificate templates. If you
choose a stand-alone CA, its information about the requested certificate type
is included in the certificate request. You can choose to configure stand-alone
CAs to issue certificates automatically upon request.
Tech Note: Stand-alone CAs with automatic issuance enable you to issue
certificates at a faster rate than you can by using enterprise CAs, but automatic
issuance means nobody verifies the requester's identity: anyone who can reach the
CA gets a certificate carrying whatever name they asked for. Use it only where the
certificates carry no authorization weight, or keep the default of holding requests
as pending and approve them manually. Stand-alone CAs work best when used with PKI
applications on extranets and the Internet when it's not feasible to assign users
Windows Server 2003 accounts.
Tip: There are root CAs, subordinate CAs, issuing CAs and offline CAs. A root CA
uses a self-issued (self-signed) certificate, so it's trusted only because clients
carry it in their trusted root store. Subordinate CAs receive their certificates
from the root (or from a higher subordinate) and in turn issue certificates to
users and computers. Because the root key anchors every certificate below it, the
usual design keeps the root offline and lets online subordinates do the issuing.
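An added example of what the tip describes, not code from the article or from Certificate Services: a two-tier hierarchy (self-issued root, subordinate issuing CA, one server certificate) with CRLs, and a chain walk that checks each link's signature, its issuer's CA status and its revocation status, ending only at a root that is in the trust store. The RSA here is a textbook toy on fixed Mersenne primes (an assumption made to keep the block self-contained; never use such keys for anything real), and the CA names and serial numbers are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Toy RSA on fixed Mersenne primes (assumption for a self-contained example; not real keys).
M31, M61, M89 = (1 << 31) - 1, (1 << 61) - 1, (1 << 89) - 1
M107, M127, M521 = (1 << 107) - 1, (1 << 127) - 1, (1 << 521) - 1
Key = Tuple[int, int]   # (n, exponent)


def rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))            # (public, private)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: Key, data: bytes) -> int:
    return pow(_digest(data, priv[0]), priv[1], priv[0])


def verify(pub: Key, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])


@dataclass
class Cert:
    subject: str
    issuer: str
    pubkey: Key
    serial: int
    is_ca: bool                # basic constraints: may this key issue certificates?
    sig: int = 0

    def tbs(self) -> bytes:    # the "to be signed" fields the issuer's signature covers
        return json.dumps([self.subject, self.issuer, list(self.pubkey), self.serial, self.is_ca]).encode()


@dataclass
class CRL:
    issuer: str
    revoked: List[int]         # serial numbers
    sig: int = 0

    def tbs(self) -> bytes:
        return json.dumps([self.issuer, sorted(self.revoked)]).encode()


def issue(issuer: Optional[Cert], issuer_priv: Key, subject: str, pubkey: Key, serial: int, is_ca: bool) -> Cert:
    """issuer=None produces a self-issued root certificate."""
    cert = Cert(subject, issuer.subject if issuer else subject, pubkey, serial, is_ca)
    cert.sig = sign(issuer_priv, cert.tbs())
    return cert


def publish_crl(issuer: Cert, issuer_priv: Key, revoked: List[int]) -> CRL:
    crl = CRL(issuer.subject, list(revoked))
    crl.sig = sign(issuer_priv, crl.tbs())
    return crl


def validate_chain(leaf: Cert, certs: Dict[str, Cert], trusted_roots: Dict[str, Cert],
                   crls: Dict[str, CRL]) -> Tuple[bool, str]:
    """Walk leaf -> issuing CA -> ... -> root. Each link must be signed by a CA
    certificate we hold and be absent from that CA's signed CRL; the walk must end
    at a root in the trust store (self-issued does not mean trusted)."""
    cert = leaf
    for _ in range(8):                                   # bound the walk; no loops
        if cert.issuer == cert.subject:
            root = trusted_roots.get(cert.subject)
            if root is None or root.tbs() != cert.tbs():
                return False, f"untrusted root '{cert.subject}'"
            return True, "ok"
        issuer = certs.get(cert.issuer)
        if issuer is None or not issuer.is_ca:
            return False, f"'{cert.issuer}' is not a CA certificate we hold"
        if not verify(issuer.pubkey, cert.tbs(), cert.sig):
            return False, f"signature on '{cert.subject}' does not verify"
        crl = crls.get(issuer.subject)
        if crl is None or not verify(issuer.pubkey, crl.tbs(), crl.sig):
            return False, f"no valid CRL from '{issuer.subject}'"
        if cert.serial in crl.revoked:
            return False, f"'{cert.subject}' serial {cert.serial} is revoked"
        cert = issuer
    return False, "chain too long"


def build_demo():
    """Constructed two-tier hierarchy: offline root, online issuing CA, one web server cert."""
    root_pub, root_priv = rsa_keypair(M61, M89)
    sub_pub, sub_priv = rsa_keypair(M107, M127)
    web_pub, web_priv = rsa_keypair(M31, M521)
    root = issue(None, root_priv, "Corp Root CA", root_pub, 1, True)
    sub = issue(root, root_priv, "Corp Issuing CA", sub_pub, 2, True)
    web = issue(sub, sub_priv, "web01.corp.example", web_pub, 1001, False)
    certs = {c.subject: c for c in (root, sub, web)}
    crls = {"Corp Root CA":    publish_crl(root, root_priv, []),
            "Corp Issuing CA": publish_crl(sub, sub_priv, [])}
    return certs, crls, {"Corp Root CA": root}, sub_priv, web_priv


if __name__ == "__main__":
    certs, crls, roots, sub_priv, _ = build_demo()
    print(validate_chain(certs["web01.corp.example"], certs, roots, crls))
    crls["Corp Issuing CA"] = publish_crl(certs["Corp Issuing CA"], sub_priv, [1001])
    print(validate_chain(certs["web01.corp.example"], certs, roots, crls))
```

Note what the walk refuses: a certificate "signed" by the web server's own key fails the CA check even though the signature is mathematically valid, a self-issued root that isn't in the store is rejected however well it verifies, and a missing or unsigned CRL is treated as a failure rather than as "not revoked". The offline root must still publish a CRL for the subordinate, which is why offline-root designs give that CRL a long validity period.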
There's plenty more to CAs and certificates. Make this a major area of your study.
If you missed my point about this exam, I'll repeat myself: You must become
a security maven to get through 70-293. That takes many forms. You can't expect
to consider yourself a systems engineer if you don't know the many nuances of
security. Use the exam preparation guidelines issued by Microsoft, as well as
the advice I offer in this article, to set up a study program. That's how you'll
be best prepared to tackle this test. Good luck!
Stay tuned for my next article, where I will help you prepare for exam 70-294:
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active
Directory Infrastructure. This exam is similar to the current MCSE exam, 70-217.