MCSA/MCSE: Windows 2000 Network Security Administration Study Guide (Exam# 70-214)


Here's the book you need to prepare for Exam 70-214, Implementing and Administering Security in a Microsoft Windows 2000 Network. This Study Guide provides:

  • In-depth coverage of every exam objective
  • Practical information on managing a secure Windows 2000 network
  • Hundreds of challenging practice questions, ...
See more details below
Hardcover (Study Guide)
$46.07 price
(Save 7%)$49.99 List Price
Other sellers (Hardcover)
  • All (16) from $1.99   
  • New (5) from $26.70   
  • Used (11) from $1.99   
Sending request ...


Here's the book you need to prepare for Exam 70-214, Implementing and Administering Security in a Microsoft Windows 2000 Network. This Study Guide provides:

  • In-depth coverage of every exam objective
  • Practical information on managing a secure Windows 2000 network
  • Hundreds of challenging practice questions, in the book and on the CD
  • Leading-edge exam preparation software, including a testing engine and electronic flashcards

Authoritative coverage of all exam objectives, including:

  • Implementing, Managing, and Troubleshooting Baseline Security
  • Implementing, Managing, and Troubleshooting Service Packs and Security Updates
  • Implementing, Managing, and Troubleshooting Secure Communication Channels
  • Configuring, Managing, and Troubleshooting Authentication and Remote Access Security
  • Implementing and Managing a Public Key Infrastructure (PKI) and Encrypting File System (EFS)
  • Monitoring and Responding to Security Incidents

Note: CD-ROM/DVD and other supplementary materials are not included as part of eBook file.

Read More Show Less

Product Details

  • ISBN-13: 9780782142068
  • Publisher: Wiley
  • Publication date: 5/5/2003
  • Edition description: Study Guide
  • Edition number: 1
  • Pages: 574
  • Sales rank: 1,467,478
  • Product dimensions: 7.70 (w) x 9.30 (h) x 1.55 (d)

Meet the Author

Bill English, MCSE, MCT, is President of Networknowledge, a training and consulting firm located in Minnesota. He has written numerous books, including the Administrator's Guide to SharePoint Portal Server 2001. Russ Kaufmann, MCSE, MCT, has over 11 years' IT experience, most recently with the Root Group as a Microsoft Practice Manager.

Read More Show Less

Read an Excerpt

MCSA/MCSE: Windows 2000 Network Security Administration Study Guide

By Bill English

John Wiley & Sons

ISBN: 0-7821-4206-0

Chapter One

Configuring, Deploying, and Troubleshooting Security Templates


  •   Configure security templates.

* Configure registry and file system permissions.
* Configure account policies.
* Configure audit policies.
* Configure user rights assignment.
* Configure security options.
* Configure system services.
* Configure restricted groups.
* Configure event logs.

  •   Deploy security templates. Deployment methods include using Group Policy and scripting.
  •   Troubleshoot security template problems. Considerations include Group Policy, upgraded operating systems, and mixed client-computer operating systems.

Windows 2000 Server provides a rich set of security features that enable administrators to secure information and activity on their Windows 2000-based networks. Through the use of Group Policy Objects (GPOs), you can push configurations out to each Windows-based machine on the network to help ensure network-wide security. You can quickly create GPOs to perform this task by applying a template. A template is a pre-configured set of values that can be used to create a GPO. Security templates are text-based .inf files that allow the administrator to create security configurations once and then apply those configurations to multiple servers. Templates also reduce the amount of administrative effort required to secure a group of Windows 2000 workstations and servers. These templates are administered through the Microsoft Management Console (MMC) and are applied to multiple servers using one or more Group Policies.

Because this exam emphasizes the use of GPOs, we are going to spend some time going over how GPOs work and how you can deploy them effectively. We understand that this may be review for many of you. If you are comfortable and confident in your GPO skills and depth of understanding, you can skip this section and start with the "Working with Security Templates" section.

NOTE This book jumps right in with the specific information you will need to pass the exam. If you need to get up to speed with the basics, try Network Security JumpStart by Matt Strebe (Sybex, 2002). For more on general networking theory and concepts, try Mastering Network Security, 2nd Edition by Chris Brenton and Cameron Hunt, (Sybex, 2002).

However, if you feel you need a refresher on Group Policies, read this section. You will need this information to do well on the exam and to better understand how to implement security in a Windows 2000 environment.

Group Policies and Windows 2000 Server

Policies are not new to Microsoft products. Since the release of Windows 95, policies have been a way to ensure that Registry settings are configured correctly across multiple computers with a single administrative act.

You can use GPOs to define a user's work environment and then implement changes to that environment without the user needing to reboot their workstation. User and computer settings are defined once in a GPO and then the object is used to push those settings out to the computers and user accounts you designate. Windows 2000 continually enforces the settings in the GPO, and as updates to the settings in the GPO are configured, these updates are pushed out to the Windows 2000 and XP computers on your network.


In addition to handling security concerns, you can use Group Policies to reduce lost productivity-which is often due to user error-by removing unnecessary programs and abilities that ship standard with the Windows 2000 platform. This also can lower the overall total cost of ownership (TCO).

GPOs are linked to a site, a domain, or an organizational unit (OU) container. When linked to a site or a domain container, GPOs allow you to centralize settings for an entire organization. When GPOs are linked to an OU container, you can apply different settings to different sets of user and/or computer accounts.

GPOs also ensure that users have the desktop environment necessary to perform their job effectively. You can configure settings to ensure that certain shortcuts, drive mappings, and other configurations exist whenever the user is logged on. Furthermore, you can automate software installations, negating the need to send a technician to the desktop to install or update software packages.

Corporate security and business policies can also be enforced through the use of GPOs. For example, you can ensure that security requirements for all users match the security required by corporate policy.

Configuring Group Policies

When a GPO is first opened, you'll find several types of settings that you can configure:

Administrative Templates These are Registry-based settings for configuring application and user desktop environments.

Security Your choices here are local computer, domain, and network settings. These settings control user access to the network, account and audit policies, and user rights.

Software Installation These settings centralize software management and deployment. Applications can be either published or assigned.

Scripts These settings specify when Windows 2000 runs a specific script.

Remote Installation Services These settings control the options available to users when running the Client Installation Wizard by Remote Installation Services (RIS).

Internet Explorer Maintenance These settings let you administrate and customize Internet Explorer configurations on Windows 2000 and XP computers.

Folder Redirection These settings store specific user profile information and take a shared folder on a server and make it look like a local folder on the desktop of the computer.

Now, a GPO comprises two elements: the Group Policy Container (GPC) and the Group Policy Template (GPT). The GPC is located in Active Directory (AD) and provides version information used by the domain controllers to discern which GPO is the most recent version. If a domain controller (DC) does not have the most recent version, it relies on replication with other DCs to obtain the latest GPO and thereby update its own GPC.

The GPT is a folder hierarchy in the shared sysvol folder on domain controllers. The GPT contains the settings that are applied to the computers on your network. Computers connect to the sysvol folder on the DC to read the settings in the GPT before applying them to their local Registry. The GPT is named after the Globally Unique Identifier (GUID) of the GPO. When the GPO is created, it is assigned a new GUID, and the GPT name is the GUID of the GPO.

Each GPO has two sets of configuration settings: one for computers and the other for users. This basic architecture has not changed since Windows 95, in which we used user.dat and system.dat as the basis for forming the policy file. This was also the case in Windows 98, but many additional configuration settings are available in Windows 2000.

The configuration settings for computers specify the following:

* Operating system behavior

* Desktop behavior

* Security settings

* Computer startup and shutdown scripts

* Application assignments, options, and settings

The configuration settings for users specify the following:

* Operating system behavior

* User-specific desktop settings

* User-specific security settings

* Assigned and published applications

* Folder redirection options

* User logon and logoff scripts

When a GPO is linked to a site, a domain, or an OU container, the user and computer accounts hosted in that object are affected by the policy. GPOs can be linked to more than one container such that the following statements are true:

* You can link one GPO to multiple sites, domains, and/or OUs.

* Linking at the site or domain level gives you centralized administrative abilities.

* Linking at the OU level decentralizes your administration, yet maintains uniformity for those objects affected by the GPO.

* You can link multiple GPOs to a single site, domain, and/or OU.

* Creating multiple GPOs allows you to easily administer each group of settings you want to apply.

* Link inheritance is maintained in AD: lower-level objects inherit the upper-level settings from a GPO. For example, all OUs in a domain inherit the settings of a GPO linked to the domain object.

* You cannot link GPOs to default AD containers including the Users, Computers, and Builtin containers.

After a GPO is created, it is not required to be linked to an object. GPOs can simply be created and then linked later to the desired object when the GPO's settings are needed. In addition, when you work on GPOs from a domain controller, by default, you work in the memory space of the domain controller that has been assigned the Flexible Single Master Operations (FSMO) role of primary domain controller (PDC) emulator. The PDC Emulator looks and feels like a PDC to Windows NT Backup Domain Controllers (BDC) and Windows NT workstations. The FSMO role of PDC Emulator is implemented for legacy compatibility purposes. You will use Active Directory Users and Computers (ADUC) to link a GPO to a domain or an OU. You will use Active Directory Sites and Services (ADSS) to link a GPO to a site. You must be a member of the Enterprise Admins security group to link a GPO to a site object.


If you would like to learn more about the PDC and BDC roles in Windows NT 4.0, please consult Mastering Windows NT Server 4, 7th Edition (Sybex, 2000).

Applying Group Policies

To be successful on the exam, you'll need to understand how GPOs are applied in AD. GPO inheritance constitutes the order in which policies are applied. GPOs are first applied to the site container, then to the domain container, and then to the OU container. As policies are applied, they override the previous policy, meaning that a policy setting at the OU level overrides the policy setting at the domain level and policy settings at the domain level override policy settings at the Site level. In other words, the most recently applied policy, the one that is applied last, has the greatest priority in setting the final configurations for objects hosting in the linked container.

However, bear in mind that inheritance is at work too. An OU could be inheriting multiple policies that have been linked to the site, domain, and upper-level OU objects. The policies are applied, even though no policy has been directly linked to the OU.

You'll also need to understand how GPOs are processed, which is different from how they are inherited or linked. When we talk about policies being processed, we are talking about the order in which policies are applied when multiple policies are linked to the same container. And because there are two parts to every GPO, it is important to understand which part of the GPO is processed first.

The computer settings of a GPO are processed and applied before the user settings. When Windows 2000 processes computer settings, the startup scripts run. When a user logs on, the logon scripts are processed, and the reverse happens when a user cleanly shuts down a workstation. Logoff scripts run first, and then shutdown scripts run.

If multiple polices are linked to the same container, the default setting is to process all policies synchronously. You can change the processing of a GPO to asynchronous by using a group policy setting for both computers and users. In asynchronous processing, all policies are processed simultaneously using multiple threads. In synchronous processing, one policy must finish processing before the next policy can begin processing. Also in synchronous processing, the desktop for the user does not appear until all policies are processed and applied. If you decide to use asynchronous processing, you might possibly sacrifice reliability in each policy being enforced correctly system-wide. Best practice is to leave policy processing at the default of synchronous.

Windows 2000 clients refresh their policies every 90 minutes with an additional, randomized offset of 30 minutes to ensure that the domain controller doesn't become overloaded with policy calls from clients. Domain controllers refresh every 5 minutes. Thus, new policy settings are applied more quickly to domain controllers than to workstations.

When multiple policies are applied to a single container, they are applied in the order listed in the Group Policy tab of the object's properties, from bottom to top. The GPO at the top of the list is applied last and thus can overwrite earlier settings and it has top priority in the application of the settings to the workstation or server. An exception occurs to the application priority when the most recent setting processed conflicts between user and computer settings. In this case, the computer setting overrides the user settings.


As long as there are no conflicts or overwrites during the application of multiple policies, the settings in all policies linked to a given container are cumulative for all objects that reside in that container.

Modifying Group Policy Inheritance

Policy inheritance is not absolute, however. Inheritance can be blocked and modified. You can prevent a child container from inheriting any GPOs from the parent containers by enabling Block Inheritance on the child container. Enabling Block Inheritance lets you set new policies for the child container. However, you need to bear the following in mind:

* You cannot selectively choose which GPOs to block. It is an all-or-nothing proposition.

* GPOs can be configured with the No Override setting, which means that the GPO is applied even if inheritance is blocked. You can use this setting to push down necessary settings even if an OU administrator doesn't like the settings. GPOs that represent critical, corporate-wide rules should have the No Override option enabled.

* The No Override option is really set on the link, not on the GPO itself. Thus, if you have a GPO that is linked to multiple containers, you can configure the No Override option on each container and gain administrative flexibility to decide to which containers the GPO will always be applied.

If you want to block some GPOs on a child container but apply others, best practice is to block inheritance and then create new links on the child container to the desired GPOs.

You can also link a GPO to a container and then filter the application of the GPO to certain objects within the container. By default, for any given container, the GPO settings are applied to all objects within the container. However, you might not want this. You might want certain objects not to inherit the settings. Well, you can control or filter the application of those settings by using the Discretionary Access Control List (DACL) in the properties of the objects you want to filter.

By default, the DACL contains two Access Control Entries (ACEs):

Authenticated users Allow Read and Allow Apply Group Policy

Domain Admins, Enterprise Admins, and SYSTEM Allow Read, Allow Write, Allow Create All Child Objects, Allow Delete All Child Objects

You can modify these permissions in two ways. You can explicitly deny the Apply Group Policy permission for the group that contains the user or computer account for whom you want to filter. Or you can remove Authenticated Users from the ACL. When you do so, Authenticated Users have no explicit permission on the GPO. However, if you remove Authenticated Users, you will need to create a security group for the other accounts in the container to whom the GPO should apply and then use that group account in place of the Authenticated Users security group account.

You can also set a Loopback processing mode, which essentially ensures that the computer GPO is applied last rather than the user GPO. This setting might be useful if applications that are assigned to a user should not be automatically available on a server. Hence, you use the Loopback processing mode to ensure that the computer portion of the GPO is applied last.

Now that we've reviewed GPOs, we'll look at security administrative templates for much of the rest of this chapter. Templates are a collection of settings that modify the Registry on the target computer. You use administrative templates to configure user and computer Registrybased settings that control the user's desktop environment. Specifically, the template settings modify the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER registry trees.

Microsoft provides a number of preconfigured templates for security purposes that we will discuss in detail. It is important to understand what these templates do and their purposes since they will be a focus on this exam.


Excerpted from MCSA/MCSE: Windows 2000 Network Security Administration Study Guide by Bill English Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Read More Show Less

Table of Contents

Assessment Test
Ch. 1 Configuring, Deploying, and Troubleshooting Security Templates 1
Ch. 2 Configuring Security Based on Computer Roles 43
Ch. 3 Installing, Managing, and Troubleshooting Hotfixes and Service Packs 79
Ch. 4 Configuring IPSec and SMB Signing 123
Ch. 5 Implementing Security for Wireless Networks 161
Ch. 6 Deploying, Managing, and Configuring SSL Certificates 201
Ch. 7 Configure, Manage, and Troubleshoot Authentication 255
Ch. 8 Configuring and Troubleshooting Virtual Private Network Protocols 301
Ch. 9 Installing, Configuring, and Managing Certificate Authorities 339
Ch. 10 Managing Client-Computer and Server Certificates and EFS 387
Ch. 11 Configuring and Managing Auditing 431
Ch. 12 Responding to Security Incidents 471
Glossary 493
Index 511
Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)