MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security



Make the right design decisions to protect your business network—and prepare for the Microsoft® Certified Professional (MCP) exam—with this official Microsoft study guide. Work at your own pace through a system of case-study scenarios and tutorials to gain practical experience planning the security infrastructure for a Windows® 2000 network. As you build these real-world design skills, you’re also preparing for MCP Exam 70-220—a core credit on the Windows 2000 MCSE track.


  • Analyzing business requirements, including strategies, structures, and processes
  • Evaluating your company’s existing and planned technical environment
  • Identifying security risks and requirements and defining security baselines
  • Planning an authentication strategy and Public Key Infrastructure
  • Controlling access to resources using EFS, NTFS, security groups, and Group Policy
  • Designing security for Windows 2000 network services: DNS, Remote Installation Services (RIS), SNMP, and Terminal Services
  • Developing an IPSec data encryption scheme and management strategy
  • Providing secure connections for users of remote access services, VPNs, extranets, or the Internet


  • Comprehensive self-paced training manual that maps to MCP exam goals and objectives
  • Case study-based exercises that help you apply what you learn to the job
  • Summaries and end-of-chapter review questions to help gauge your progress
  • 120-day evaluation version of Windows 2000 Advanced Server
  • All the book’s content—plus supplemental materials—on CD-ROM
  • NEW! Sample MCSE Readiness Review practice-test questions on line. See “About This Book” for details.

For complete information on MCSE core and elective requirements, go to:​ices/default.asp

A Note Regarding the CD or DVD

The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to


Editorial Reviews

This study guide reviews how to analyze an organization's business and technical requirements, and design security for a Windows 2000 network. The chapters cover authentication methods, domain name system and remote installation services, planning a public key infrastructure, application layer protocols, Internet protocol security, connections for remote users and networks, and securing Internet access. The CD-ROM contains white papers and an evaluation version of Windows 2000 advanced server. Annotation c. Book News, Inc., Portland, OR (

Product Details

  • ISBN-13: 9780735611344
  • Publisher: Microsoft Press
  • Publication date: 2/28/2001
  • Series: Microsoft Press Training Kit Series
  • Edition description: 2000 ed.
  • Pages: 864
  • Product dimensions: 7.38 (w) x 9.24 (h) x 1.75 (d)

Meet the Author

Developed by senior editors and content managers at Microsoft Corporation.


Read an Excerpt

Chapter 3: Designing Authentication for a Microsoft Windows 2000 Network

About This Chapter

All access to Microsoft Windows 2000 resources is based on the credentials that users provide when they authenticate with the network. This chapter will examine the authentication protocols that are used in Windows 2000, the ways to authenticate down-level clients, and the optimum placement of domain controllers (DCs) to facilitate the authentication process.

Before You Begin

To complete this chapter, you must read the chapter scenario. This scenario is used throughout the chapter to apply the design decisions discussed in each lesson.

Chapter Scenario: Market Florist

Market Florist is an Internet-based floral delivery company that allows customers to purchase floral arrangements over the Internet and have them delivered anywhere in North America. You have been called in as a security consultant to design an authentication strategy for the Market Florist internal network that will ensure that user credentials are protected during the authentication process.

The Existing Network

Market Florist's head office is in Seattle, the Canadian office is in Winnipeg, and the Mexican office is in Monterrey. Market Florist's marketing department is in San Francisco.

Figure 3.1 shows the network links among Market Florist's four offices.

Figure 3.1 The Market Florist Wide Area Network

Market Florist Active Directory Design

Market Florist's Active Directory directory service design consists of three separate domains: marketflorist.tld, ca.marketflorist.tld, and mx.marketflorist.tld. The Seattle and San Francisco sites authenticate in the marketflorist.tld domain, and the Winnipeg and Monterrey sites authenticate with their country's subdomain, as shown in Figure 3.2.

Figure 3.2 The Market Florist Active Directory structure

Market Florist Server Configuration

Market Florist has Windows 2000 servers distributed across its network as shown in Table 3.1.

Table 3.1 Windows 2000 Servers in the Market Florist Network

Location: Windows 2000 Servers

Seattle:
  • Three Windows 2000 DCs for the marketflorist.tld domain.
  • Two of the DCs are configured as Active Directory-integrated Windows 2000 DNS servers hosting the marketflorist.tld DNS zone.
  • Two of the Windows 2000 DCs are configured as global catalog servers.
  • One Windows 2000 member server configured as a WINS server.

San Francisco:
  • Two Windows 2000 DCs for marketflorist.tld.
  • One of the Windows 2000 DCs is configured as a global catalog server.

Winnipeg:
  • Three Windows 2000 DCs for the ca.marketflorist.tld domain.
  • One of the DCs is configured as an Active Directory-integrated Windows 2000 DNS server hosting the ca.marketflorist.tld zone.

Monterrey:
  • Two Windows 2000 DCs for the mx.marketflorist.tld domain.
  • One of the DCs is configured as an Active Directory-integrated Windows 2000 DNS server hosting the mx.marketflorist.tld zone.

Market Florist Client Computers

The Market Florist network uses a mix of Microsoft Windows 95, Windows NT 4.0 workstation, and Windows 2000 Professional client computers. All client computers were updated to the latest service pack version before January 1, 2000, to ensure that the Market Florist network was Year 2000 compliant.

Table 3.2 shows how the client computers are distributed across the network.

Table 3.2 Market Florist Client Computer Distribution

Location: Client Computers

Seattle:
  • 700 Windows 2000 Professional clients

San Francisco:
  • 200 Windows 95 clients
  • 300 Windows NT 4.0 workstations
  • 100 Windows 2000 Professional clients

Winnipeg:
  • 200 Windows NT 4.0 clients
  • 300 Windows 2000 Professional clients

Monterrey:
  • 300 Windows 95 clients
  • 100 Windows 2000 Professional clients

Lesson 1: Designing Authentication in a Microsoft Windows 2000 Network

Authentication allows network administrators to determine who is accessing the network and to design restrictions so that each authenticated user can access only desired areas of the network. If you don't have a good authentication design, trusted users might be unable to access the network at all times.

After this lesson, you will be able to

  • Determine business and technical requirements that will affect your authentication design for a Windows 2000 network

Estimated lesson time: 20 minutes

Determining Business and Technical Requirements

When designing authentication for your Windows 2000 network, you must meet certain business and technical requirements. These requirements define how you can make sure that authentication mechanisms are secured within a Windows 2000 network. The business requirements include these areas:

  • Many organizations require that all projects should ultimately reduce the company's total cost of ownership. You can do this by using Group Policy to enforce standardized security configurations. In a Windows NT 4.0 network, you had to edit the registry manually to apply many advanced security settings. This required an administrator either to connect to each computer in the domain or to configure each computer in the domain manually. With Group Policy, Windows 2000 can ensure that common registry modifications are enforced centrally using Active Directory.
  • Identify security risks in the network. In a Windows NT network, many client computers were unable to use more secure methods of authentication. (Unless otherwise noted, "Windows NT" refers to versions 3.51 and 4.0.) For example, Windows 95 and Windows 98 clients used LAN Manager (LM) authentication. LM authentication gives attackers an easy way to crack passwords: LM passwords are easily cracked because they can be attacked in seven-character sections. With the installation of the Directory Services Client in a Windows 2000 network, Windows 95 and Windows 98 clients use the NTLMv2 authentication protocol, which gives higher authentication security and reduces the risk of password cracking.
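
The seven-character weakness described above can be made concrete. The following is an added example, not part of the book excerpt: it reproduces only the password preparation step of LM (upper-casing, padding to 14 characters, splitting into two blocks) and compares the resulting search space with that of a 14-character case-sensitive password. It assumes ASCII passwords and goes slightly beyond the text by also showing the case folding; the sample passwords are constructed.

```python
import math

PRINTABLE = [chr(c) for c in range(32, 127)]            # 95 printable ASCII characters
LM_ALPHABET = sorted({c.upper() for c in PRINTABLE})    # case is folded away: 69 remain

def lm_halves(password: str):
    """Return the two 7-character blocks that LM processes independently,
    or None when the password exceeds the 14 characters LM can represent."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")           # upper-case, then null-pad
    return padded[:7], padded[7:]

def lm_worst_case_bits() -> float:
    """Work to exhaust both blocks: two separate searches of 69^7 candidates each."""
    return math.log2(2 * len(LM_ALPHABET) ** 7)

def full_password_bits(length: int = 14) -> float:
    """Work to exhaust a case-sensitive password that must be guessed as a whole."""
    return length * math.log2(len(PRINTABLE))

def short_password_visible(password: str) -> bool:
    """True when the second block is pure padding, which tells an observer of the
    stored value that the password has seven characters or fewer."""
    halves = lm_halves(password)
    return halves is not None and halves[1] == "\0" * 7

if __name__ == "__main__":
    for pw in ("Tulip-Bouquet9", "tulip-bouquet9", "Orchid7"):   # constructed samples
        print(repr(pw), "->", lm_halves(pw), "short:", short_password_visible(pw))
    print(f"LM worst case: {lm_worst_case_bits():.1f} bits; "
          f"14-character case-sensitive password: {full_password_bits():.1f} bits")
```

Two passwords that differ only in case produce the same blocks, and each block is searched on its own, which is why moving down-level clients to NTLMv2 with the Directory Services Client matters for this design.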

In addition to business requirements, technical requirements also play a part in the design of your network's authentication strategy. These technical requirements might include the following:

  • Network authentication must be available even if WAN links are not. By deploying Domain Name System (DNS) servers, DCs, and global catalog servers at each remote site, you ensure that each site has the services needed to provide local authentication. While only Windows 2000 clients are site-aware by default, installing the Directory Services Client software on Windows 95, Windows 98, and Windows NT 4.0 clients makes these down-level client systems site-aware.
  • Network authentication must occur quickly. When authentication takes place over WAN links, authentication performance suffers. By ensuring that all clients are site-aware, you ensure that the clients will attempt to find network services on their local segment of the network. This solution requires you to deploy the Directory Services Client software to all down-level clients and to deploy Active Directory sites correctly.
  • DCs must not be overloaded with authentication requests. Microsoft provides a tool known as the Active Directory Sizer (ADSizer), which helps you plan the optimal number of DCs that you require for your network. This includes determining the ideal number of DCs and the processor and memory requirements for each one.
    You can get the ADSizer tool by going to and searching for "ADSizer tool."

Lesson Summary

You must design authentication for your network to meet all business and technical objectives defined by your organization. These objectives will provide the framework for your design. If you don't meet all objectives, it's quite possible that you will face a redesign in the near future. Ensure that you have collected all business and technical objectives before completing your authentication design.

Lesson 2: Designing Kerberos Authentication

Windows 2000 is designed to use Kerberos v5 as the default authentication protocol. Kerberos v5 provides more flexibility in authentication than the NTLM authentication protocol did.

After this lesson, you will be able to

  • Design a network to support Kerberos authentication for Windows 2000–based clients

Estimated lesson time: 45 minutes

Reviewing Kerberos Components

This lesson examines in detail how Kerberos authentication is used as the default authentication mechanism for Windows 2000–based computers. Before we start looking into design considerations of how Kerberos authentication works and how you can optimize and secure Kerberos authentication, let's look at the core components of Kerberos authentication. The components of the Kerberos v5 protocol include

  • Key distribution center (KDC). A network service that supplies both ticket-granting tickets (TGTs) and service tickets to users and computers on the network. The KDC manages the exchange of shared secrets between a user and a server when they authenticate with each other. The KDC contains two services: the Authentication Service and the Ticket Granting Service. The Authentication Service provides the initial authentication of the user on the network and provides the user with a TGT. Whenever users request access to a network service, they supply their TGT to the Ticket Granting Service. The Ticket Granting Service then provides the user with a service ticket for authentication with the target network service. In a Windows 2000 network, the KDC service is run at all Windows 2000 DCs....
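
The KDC's two services can be followed end to end in a short simulation. This is an added example, not code from the book or from Windows 2000: seal/unseal is a toy authenticated cipher standing in for a real Kerberos encryption type, PBKDF2 stands in for the real key derivation, and the principal names, passwords and lifetimes are constructed. It goes beyond the paragraph by including the session keys and authenticators that bind each ticket to its holder, and it omits pre-authentication.

```python
import hashlib, hmac, json, os, time

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption; a stand-in only, not a Kerberos encryption type."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    nonce, cipher = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _stream(key, nonce, len(cipher)))))

def long_term_key(principal: str, password: str) -> bytes:
    """Secret shared by a principal and the KDC; the password itself is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def verify(ticket: dict, authenticator: bytes, expected_service: str) -> str:
    """Check made by the TGS and by the target service: scope, lifetime, fresh authenticator."""
    auth = unseal(bytes.fromhex(ticket["session"]), authenticator)
    if ticket["service"] != expected_service or ticket["expires"] < time.time():
        raise ValueError("ticket not valid here or expired")
    if auth["user"] != ticket["user"] or abs(time.time() - auth["time"]) > 300:
        raise ValueError("authenticator does not match ticket or is stale")
    return ticket["user"]

class KDC:
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}          # key known only to the KDC

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = long_term_key(name, password)

    def _issue(self, ticket_key, reply_key, user, service):
        session = os.urandom(32).hex()
        ticket = seal(ticket_key, {"user": user, "service": service,
                                   "session": session, "expires": time.time() + 600})
        return ticket, seal(reply_key, {"service": service, "session": session})

    def authentication_service(self, user):
        # TGT sealed under the KDC's key; its session key returned under the user's key.
        return self._issue(self.keys["krbtgt"], self.keys[user], user, "krbtgt")

    def ticket_granting_service(self, tgt, authenticator, service):
        t = unseal(self.keys["krbtgt"], tgt)
        user = verify(t, authenticator, "krbtgt")
        # Service ticket sealed under the service's key; reply under the TGT session key.
        return self._issue(self.keys[service], bytes.fromhex(t["session"]), user, service)

def service_accept(service_name, service_key, ticket, authenticator):
    return verify(unseal(service_key, ticket), authenticator, service_name)

def logon_and_access(kdc, user, password, service, service_key):
    user_key = long_term_key(user, password)
    tgt, reply = kdc.authentication_service(user)
    s1 = bytes.fromhex(unseal(user_key, reply)["session"])   # fails on a wrong password
    ticket, reply = kdc.ticket_granting_service(
        tgt, seal(s1, {"user": user, "time": time.time()}), service)
    s2 = bytes.fromhex(unseal(s1, reply)["session"])
    return service_accept(service, service_key, ticket,
                          seal(s2, {"user": user, "time": time.time()}))

if __name__ == "__main__":
    kdc = KDC()                                              # constructed principals
    kdc.add_principal("alice", "constructed-user-pass")
    kdc.add_principal("fileserver", "constructed-service-pass")
    key = long_term_key("fileserver", "constructed-service-pass")
    print(logon_and_access(kdc, "alice", "constructed-user-pass", "fileserver", key))
```

The target service never contacts the KDC: it trusts the ticket because only the KDC and the service hold the key that seals it.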

Table of Contents

About This Book
Intended Audience
Prerequisites
Reference Materials
About the Supplemental Course Materials CD-ROM
Features of This Book
Chapter and Appendix Overview
Getting Started
About the Online Book
Sample Readiness Review Questions
The Microsoft Certified Professional Program
Technical Support
Chapter 1 Introduction to Microsoft Windows 2000 Security
Chapter Scenario: Lucerne Publishing
Lesson 1 Microsoft Windows 2000 Security Services Overview
Lesson 2 Designing Security Business Requirements
Lesson 3 Designing Security to Meet Technical Requirements
Review
Chapter 2 Designing Active Directory for Security
Chapter Scenario: Wide World Importers
Lesson 1 Designing Your Forest Structure
Lesson 2 Designing Your Domain Structure
Lesson 3 Designing an OU Structure
Lesson 4 Designing an Audit Strategy
Activity: Designing an Audit Strategy
Lab 2-1 Designing Active Directory for Security
Review
Chapter 3 Designing Authentication for a Microsoft Windows 2000 Network
Chapter Scenario: Market Florist
Lesson 1 Designing Authentication in a Microsoft Windows 2000 Network
Lesson 2 Designing Kerberos Authentication
Lesson 3 NTLM Authentication
Lesson 4 Authenticating Down-Level Clients
Lesson 5 Planning Server Placement for Authentication
Activity: Analyzing Authentication Network Infrastructure
Lab 3-1 Designing Authentication for the Network
Review
Chapter 4 Planning a Microsoft Windows 2000 Administrative Structure
Chapter Scenario: Hanson Brothers
Lesson 1 Planning Administrative Group Membership
Lesson 2 Securing Administrative Access to the Network
Activity: Administering the Network
Lab 4-1 Designing Administration for a Microsoft Windows 2000 Network
Review
Chapter 5 Designing Group Security
Chapter Scenario: Hanson Brothers
Lesson 1 Designing Microsoft Windows 2000 Security Groups
Activity: Reviewing Group Memberships
Lesson 2 Designing User Rights
Lab 5-1 Designing Security Groups and User Rights
Review
Chapter 6 Securing File Resources
Chapter Scenario: Wide World Importers
Lesson 1 Securing Access to File Resources
Activity: Evaluating Permissions
Lesson 2 Securing Access to Print Resources
Lesson 3 Planning EFS Security
Lab 6-1: Securing File and Print Resources
Review
Chapter 7 Designing Group Policy
Chapter Scenario: Wide World Importers
Lesson 1 Planning Deployment of Group Policy
Lesson 2 Troubleshooting Group Policy
Activity: Troubleshooting Group Policy Application
Lab 7-1 Planning Group Policy Deployment
Review
Chapter 8 Securing Microsoft Windows 2000-Based Computers
Chapter Scenario: Market Florist
Lesson 1 Planning Microsoft Windows 2000 Security Templates
Activity: Evaluating a Security Template
Lesson 2 Analyzing Security Settings with Security Configuration and Analysis
Lesson 3 Planning the Deployment of Security by Using Security Templates
Lab 8-1 Planning Security Templates
Review
Chapter 9 Designing Microsoft Windows 2000 Services Security
Chapter Scenario: Lucerne Publishing
Lesson 1 Designing DNS Security
Activity: Designing DNS for Internal and External Use
Lesson 2 Designing DHCP Security
Lesson 3 Designing RIS Security
Lesson 4 Designing SNMP Security
Lesson 5 Designing Terminal Services Security
Lab 9-1 Planning Security for Network Services
Review
Chapter 10 Planning a Public Key Infrastructure
Chapter Scenario: Blue Yonder Airlines
Lesson 1 Planning a Certification Authority Hierarchy
Lesson 2 Managing Certification Authorities
Activity: Planning Certificate Renewal Settings
Lesson 3 Using Certificates for Authentication
Lab 10-1 Planning a PKI Deployment
Review
Chapter 11 Securing Data at the Application Layer
Chapter Scenario: Fabrikam Inc.
Lesson 1 Planning Authenticity and Integrity of Transmitted Data
Lesson 2 Planning Encryption of Transmitted Data
Activity: Determining Key Usage
Lab 11-1 Providing Application-Layer Security for Contoso Ltd.
Review
Chapter 12 Securing Data with Internet Protocol Security (IPSec)
Chapter Scenario: Fabrikam Inc.
Lesson 1 Designing IPSec Policies
Activity: Evaluating IPSec Scenarios
Lesson 2 Planning IPSec Deployment
Lab 12-1 Designing IPSec Security
Review
Chapter 13 Securing Access for Remote Users and Networks
Chapter Scenario: Hanson Brothers
Lesson 1 Planning Remote Access Security
Lesson 2 Designing Remote Access Security for Users
Lesson 3 Designing Remote Access Security for Networks
Lesson 4 Designing Remote Access Policy
Activity: Designing Remote Access Policy
Lesson 5 Planning RADIUS Security
Lab 13-1 Designing Security for Remote Access Users
Review
Chapter 14 Securing an Extranet
Chapter Scenario: Market Florist
Lesson 1 Identifying Common Firewall Strategies
Activity: Identifying Firewall Features
Lesson 2 Securing Internet-Accessible Resources in a DMZ
Lesson 3 Securing Data Flow Through a DMZ
Lab 14-1 Designing Firewall Rules
Review
Chapter 15 Securing Internet Access
Chapter Scenario: Wide World Importers
Lesson 1 Designing an Internet Acceptable Use Policy
Lesson 2 Securing Access to the Internet by Private Network Users
Activity: Identifying Security Design Risks
Lesson 3 Restricting Access to Content on the Internet
Lesson 4 Auditing Internet Access
Lab 15-1 Designing Secure Internet Access
Review
Chapter 16 Securing Access in a Heterogeneous Network Environment
Chapter Scenario: Blue Yonder Airlines
Lesson 1 Providing Interoperability Between Windows 2000 and Heterogeneous Networks
Lesson 2 Securing Authentication in a Heterogeneous Network
Activity: Identifying Authentication Risks in a Heterogeneous Network Environment
Lesson 3 Designing Directory Synchronization and Integration
Lesson 4 Securing Access to Windows 2000 Resources
Lesson 5 Securing Windows 2000 User Access to Heterogeneous Networks
Lab 16-1 Securing Heterogeneous Clients
Review
Chapter 17 Designing a Security Plan
Chapter Scenario: Fabrikam Inc.
Lesson 1 Defining a Security Policy
Lesson 2 Developing a Security Plan
Lesson 3 Maintaining a Security Plan
Review
Appendix Answers
Index