70-299 Exam Study Notes
About These Notes
These are notes that I took while studying for the 70-299 exam. I've boiled them down to what you need to know when you take the exam and added many links to web resources for good measure.
I strongly recommend reading your book first, if you haven't already. Follow that up by studying all of the notes here and studying all of the pages that I've linked to (very important). That'll go a long way in preparing you for the exam.
I hope that these notes prove helpful to you and good luck on the exam!
General Advice
For this exam, I highly recommend the Microsoft 70-299 Training Kit. This is far and away one of the best study guides that I have ever read. Read this book and my notes here, both carefully, and you're sure to pass easily. Microsoft training kits are a little more expensive than other guides, but they're worth it in quality (most of the time, depends on the author) and in the number and quality of practice questions on CD. Their guide for this exam, though, is cheaper than most of theirs and one of the best-written guides you'll find.
This exam is not a very difficult one, but you shouldn't take it too lightly.
My main pieces of advice are:
- Consider taking your own notes while studying. Writing things down helps the memorization process. Besides, it's possible that a topic that I know well and didn't think to include is one that you may not be so strong in.
- Print these notes out and carry them with you (along with your own notes) on the day of the exam. Go over them on breaks, in the car and, most importantly, immediately before walking into the exam room (leave them outside, of course). For the most part, I've designed them to be succinct and memorizable.
- Bring a pen with you and, should you fail the exam, as soon as you leave the testing center, write down (on the back of the printout or paper that you brought with you) everything from the exam that you can remember, especially questions and answers that you weren't sure of. Spend a good 15-30 minutes. You won't recall much even a few hours later, unless you have a better memory than I do. It really, really helps if you made good use of the "Select for Review" checkboxes while taking the test, since it means that all of the questions and answers that you weren't sure of are the freshest things in your mind when you leave the testing center. Use everything that you wrote down as the basis for your re-take studying.
Exam Format
Format: Multiple-choice, drag-and-drop, hotspot, etc.
Questions: 35
Time Limit: 95 minutes (+20 minutes for comments and reading the pre-exam disclaimers)
Passing score: 700
Resources
Microsoft Second Shot Offer - Microsoft periodically offers FREE exam re-takes. Important: you must sign up with Microsoft before scheduling the exam the first time! You can't wait until after you've failed. Follow the link to see if the Second Shot offer is currently available. If the URL re-directs you elsewhere, then it's not.
Free (or demo) 70-299 practice exams:
Retail 70-299 practice exams:
Forums and newsgroups that cover 70-299:
Study Notes
Authentication refers to the process of identifying yourself to the network (ex. when logging into Windows). Authorization refers to which resources an authenticated user may access (ex. all employees may be authenticated, but all may not be authorized to print to the managers' printer). Make sure that you understand this distinction.
For domain authentication to be successful, clocks must not be out of sync more than 5 minutes for Kerberos (2000/XP/2003) or 30 minutes for NTLMv2 (pre-2000).
The key IIS authentication methods to know:
Basic Authentication - password sent in clear text. Use only for browser compatibility
Digest Authentication - requires the user's domain password to be stored with reversible encryption. Best choice for extranets
Advanced Digest Authentication - more secure than Digest, it requires both the IIS server and the domain controller to be 2003
Integrated Windows Authentication - does not require reversible encryption on the password. May require IE. Uses NTLM and Kerberos
See the first note under the preceding section for a definition of authorization and how it differs from authentication. Make sure that you understand this distinction.
Use auditing to troubleshoot complex authorization issues.
Know the audit policy settings really well! Microsoft loves giving questions on these. Particularly, understand when to use:
Audit account logon events - logging on over the network
Audit account management - creation, deletion and modification of security principals (users, groups, etc.)
Audit logon events - logging on locally
Audit object access - accessing files, folders, printers and the registry
Audit privilege use - exercising a user right (such as backup and restore privilege)
Network Access Quarantine Control (new in 2003) places a remote access client in quarantine mode (limited network access) until an administrator-approved script that checks for security (ex. up-to-date virus definitions) is run on the client and approves remote access.
Know the NTFS permissions. The only thing to memorize is that Write permission does not allow deletion of the file/folder; Modify permission does.
Know the share permissions. There are only three of them: Read, Change and Full Control.
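The rules behind these two notes (NTFS is cumulative across groups, an explicit Deny wins, and remote access gets the more restrictive of NTFS and share) as an added example in Python; this is not code from the notes, and the users, groups and ACLs are constructed for illustration.

```python
# Added example (not from these notes): a small model of how NTFS and share
# permissions combine when a user opens a folder over the network. The ACLs,
# users and groups below are constructed for illustration.

# Basic permissions expanded to the rights this exam point turns on. NTFS Write
# carries no delete right; Modify does. Share Change also carries delete.
NTFS = {"Read": {"read"}, "Write": {"write"},
        "Modify": {"read", "write", "delete"},
        "Full Control": {"read", "write", "delete", "change_permissions"}}
SHARE = {"Read": {"read"}, "Change": {"read", "write", "delete"},
         "Full Control": {"read", "write", "delete", "change_permissions"}}

def ntfs_effective(principals, acl):
    """NTFS is cumulative across the user's groups; an explicit Deny removes the right."""
    allowed, denied = set(), set()
    for principal, kind, perm in acl:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(NTFS[perm])
    return allowed - denied

def share_effective(principals, acl):
    """Share permissions are cumulative too (this model uses Allow entries only)."""
    rights = set()
    for principal, perm in acl:
        if principal in principals:
            rights |= SHARE[perm]
    return rights

def effective_over_network(principals, ntfs_acl, share_acl):
    """Over the network the most restrictive of the two applies: the intersection."""
    return ntfs_effective(principals, ntfs_acl) & share_effective(principals, share_acl)

# Constructed scenario: Alice is in Employees; Bob is in Employees and Finance
# but has an explicit Deny on Write.
ALICE = {"Alice", "Employees", "Domain Users"}
BOB = {"Bob", "Employees", "Finance", "Domain Users"}
NTFS_ACL = [("Employees", "Allow", "Read"), ("Employees", "Allow", "Write"),
            ("Finance", "Allow", "Modify"), ("Bob", "Deny", "Write")]
SHARE_ACL = [("Domain Users", "Change")]

if __name__ == "__main__":
    print("Alice:", sorted(effective_over_network(ALICE, NTFS_ACL, SHARE_ACL)))
    print("Bob:", sorted(effective_over_network(BOB, NTFS_ACL, SHARE_ACL)))
```

Alice ends up with read and write but cannot delete (Write, not Modify); Bob gets delete through Modify but loses write to the Deny, and swapping the share to Read cuts both down to read only.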
Placing NTFS permissions on the %systemroot%\system32\Log Files folder is a valid method of securing log files.
Loopback Processing Mode can be used to restrict user settings on highly-managed (usually kiosk) computers. It does this by processing and applying the User Configuration section (in addition to Computer Configuration) of a computer-targeted group policy.
It would be a good idea to just go through all of the policy settings under Security Options and get a feel for what each one does.
Patch management is a heavy emphasis of the exam, but because SUS is easy to setup and understand, you shouldn't need me telling you how to use it. Expect easy questions about basic setup and management. Make sure to deploy SUS in a test or production network prior to the exam. You can download SUS (1.0, the version used in the exam) here. You do not need to know later versions of SUS (known as WSUS).
As I'm sure you know by now, a security template is nothing more than a subset of GPO settings (mostly under Computer Configuration->Windows Settings) that have been exported to a text file. Don't let it confuse you.
Know that importing into a GPO is the best way to deploy a security template.
The Restricted Groups portion of a template/GPO allows you to control group membership on the computer that applies the GPO.
The System Services portion of a template/GPO allows you to set startup options and permissions for system services.
The Registry portion of a template/GPO allows you to set permissions on registry keys.
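Since a security template is just these GPO settings exported to a text file, the audit policy settings above and the Restricted Groups and System Services portions can be read straight out of it. The following is an added Python example (not code from the notes or from Microsoft) that parses a constructed template using the section and key names secedit writes, and reports the audit levels, enforced group membership and service startup types it would apply.

```python
# Added example (not from these notes): parse a secedit security template (.inf)
# and summarise its audit, restricted-group and service settings. The template
# text below is constructed, using the real section and key names secedit writes.
import configparser

# [Event Audit] values: 0=none 1=success 2=failure 3=both; service lines: name,startup,SDDL
SAMPLE_TEMPLATE = """\
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
[Group Membership]
*S-1-5-32-544__Members = Administrator,Domain Admins
[Service General Setting]
"Messenger",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"Telnet",3,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

AUDIT_LEVELS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}
STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}
POLICY_NAMES = {  # secedit key -> name shown in the Group Policy editor
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPrivilegeUse": "Audit privilege use"}

def load_template(text):
    """Templates are INI-like; keep key case and accept only '=' as delimiter."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keys such as AuditAccountLogon and *S-1-5-32-544__Members are case-sensitive
    cp.read_string(text)
    return cp

def audit_settings(cp):
    """Audit policy name -> configured level."""
    return {POLICY_NAMES.get(k, k): AUDIT_LEVELS[int(v)] for k, v in cp["Event Audit"].items()}

def restricted_groups(cp):
    """Group SID -> enforced member list, taken from the '*SID__Members' keys."""
    return {k.split("__")[0].lstrip("*"): [m.strip() for m in v.split(",") if m.strip()]
            for k, v in cp["Group Membership"].items() if k.endswith("__Members")}

def services(cp):
    """Service name -> startup type; service lines have no '=' so each whole line is a key."""
    return {line.split(",", 2)[0].strip('"'): STARTUP[int(line.split(",", 2)[1])]
            for line in cp["Service General Setting"]}
```

Real template files are saved as UTF-16 text, so read them with that encoding before handing the contents to load_template; the SDDL string on each service line (the service's permissions) is left unparsed here.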
After revocation, a deployed certificate will continue to be valid until you publish the Certificate Revocation List (CRL).
Client certificates can be made more secure by using client certificate mapping and certificate trust lists.
Client certificate mapping comes in two types:
One-to-one - each user needs to be manually mapped to their personal certificate. Useful for intranets with enterprise CAs.
Many-to-one - one mapping matches to many certificates based on criteria (ex. any client certificate with "Microsoft" in the organization field could be allowed to authenticate). Useful for partnering companies over the internet that manage their own CA because it delegates access control to the partners' administrators.
Subordinate CAs that are children of commercial CAs are the best option for e-commerce use (because web clients will trust the certificate and get no safety warning).
Certificate trust lists deployed via GPO allow you to manage which certificate authorities a computer will trust.
SSL uses public key encryption for authentication and shared key encryption for data encryption.
Version 1 certificate templates cannot be modified. You must create a version 2 certificate template that supersedes the old template. Version 2 certificate templates are new in 2003.
Windows 2000 Group Policy permits auto-enrollment of computer certificates, but not user certificates.
There are two methods (both using Group Policy) of enabling auto-enrollment of certificates:
Automatic Certificate Request Settings - version 1 templates only; 2000/XP/2003; computer certificates only
Autoenrollment Settings - version 2 templates only; XP/2003; both user and computer certificates
Key archival and recovery requires version 2 templates, 2003 server, XP or 2003 clients, enterprise CAs and 2003 schema extensions applied to the forest (with adprep.exe /forestprep).
Use IPSec transport mode when connecting to a single host and tunnel mode when connecting to an entire network. You should know exactly which mode to use in each situation. Diagrams (such as the ones in the document at the bottom of this section) really help to get a picture of when to use each.
L2TP is more secure than PPTP and is the preferred method of securing a VPN. L2TP requires 2000, XP or 2003.
You will be using EAP if smart cards or public key certificates are used. EAP requires 2000, XP or 2003.
Know when to use the different IPSec authentication methods: Kerberos, certificate and pre-shared key.
Main Mode IKE negotiation is where most CPU utilization occurs.
Understand IPSec filters. They're a good way to filter traffic when the firewall isn't able to, due to the traffic being encapsulated.
Netsh is 2003's tool for IPSec, IPSecCmd is XP's and IPSecPol is 2000's.
The service name for IPSec is Policy Agent (hence, use net start/stop PolicyAgent).
If Kerberos IPSec authentication fails across domains, ensure that each domain trusts the other or switch to certificate authentication.
Protected EAP (PEAP) is usually used with passwords. EAP-TLS requires a Public Key Infrastructure (PKI).
The three default IPsec policies are:
Client (Respond Only) - Use IPsec only if asked by another computer.
Server (Request Security) - Request IPsec but fall back to unsecured if the other computer does not support IPsec.
Secure Server (Require Security) - Require IPsec for all communications.
IPsec policy rules are made of two things: IP filter lists (which traffic to look for) and filter actions (what to do with the traffic).
NAT-Traversal, the new standard for using IPsec through NAT devices, wasn't implemented in XP until SP2, so pretend that it doesn't exist when taking 70-299! As far as the exam is concerned, Encapsulating Security Payload (ESP) transport mode and Authentication Header (AH) cannot be used across NATs. ESP tunnel mode is the only form of IPsec that will work.
Know RADIUS/802.1x authentication.
In a RADIUS implementation for wireless networks, the authentication server is the RADIUS server and the wireless access points are the RADIUS clients. The wireless computers that connect wirelessly are not RADIUS clients.
Use the Connection Manager Administration Kit (CMAK) to create an executable file that adds a dial-up or VPN connection to a client. This is a good method of creating network connections on portable computers. For example, you could mail the executable to portable users rather than waiting for them to bring their computers in or connect to your network.
MS-CHAPv2 is 2003's default authentication protocol for remote access. 95 supports it for VPN, but not dial-up.
MS-CHAPv1 is supported on 95/98/Me/NT4 without additional upgrades. It requires passwords to be stored with reversible encryption.
CHAP is disabled in 2003 by default. It requires passwords to be stored with reversible encryption.
SPAP and PAP are disabled in 2003 by default and their use is strongly discouraged.
Though not as useful as gpresult.exe or RSoP, the Application event log in Event Viewer can be used to check if Group Policy was applied.
Refresh yourself on Encrypting File System and data recovery agents. Know how to disable EFS with Group Policy for 2003 and 2000.
You will get a few questions dealing with perimeter networks, complete with diagrams. Make sure that you understand the basic purpose of perimeter networks and enabling traffic through filters, including VPN traffic. Take a look at the document at the bottom of the IPSec section above for some of this information.
The SQL Profiler tool can be used to audit SQL Server database activity (such as access and queries).
WMI filtering can be used to limit the scope of a GPO to certain computers (ex. install this application only if at least 256MB of RAM is present).