MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security

by Microsoft Corporation

Make the right design decisions to protect your business network—and prepare for the Microsoft® Certified Professional (MCP) exam—with this official Microsoft study guide. Work at your own pace through a system of case-study scenarios and tutorials to gain practical experience planning the security infrastructure for a Windows® 2000 network. As you build these real-world design skills, you’re also preparing for MCP Exam 70-220—a core credit on the Windows 2000 MCSE track.


  • Analyzing business requirements, including strategies, structures, and processes
  • Evaluating your company’s existing and planned technical environment
  • Identifying security risks and requirements and defining security baselines
  • Planning an authentication strategy and Public Key Infrastructure
  • Controlling access to resources using EFS, NTFS, security groups, and Group Policy
  • Designing security for Windows 2000 network services: DNS, Remote Installation Services (RIS), SNMP, and Terminal Services
  • Developing an IPSec data encryption scheme and management strategy
  • Providing secure connections for users of remote access services, VPNs, extranets, or the Internet


  • Comprehensive self-paced training manual that maps to MCP exam goals and objectives
  • Case study-based exercises that help you apply what you learn to the job
  • Summaries and end-of-chapter review questions to help gauge your progress
  • 120-day evaluation version of Windows 2000 Advanced Server
  • All the book’s content—plus supplemental materials—on CD-ROM
  • NEW! Sample MCSE Readiness Review practice-test questions online. See “About This Book” for details.

For complete information on MCSE core and elective requirements, go to:​ices/default.asp

A Note Regarding the CD or DVD

The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to

Editorial Reviews

This study guide reviews how to analyze an organization's business and technical requirements, and design security for a Windows 2000 network. The chapters cover authentication methods, domain name system and remote installation services, planning a public key infrastructure, application layer protocols, Internet protocol security, connections for remote users and networks, and securing Internet access. The CD-ROM contains white papers and an evaluation version of Windows 2000 advanced server. Annotation c. Book News, Inc., Portland, OR (

Product Details

Publisher: Microsoft Press
Publication date:
Series: Microsoft Press Training Kit Series
Edition description: 2000 ed.
Product dimensions: 7.38(w) x 9.24(h) x 1.75(d)

Read an Excerpt

Chapter 3: Designing Authentication for a Microsoft Windows 2000 Network

About This Chapter

All access to Microsoft Windows 2000 resources is based on the credentials that users provide when they authenticate with the network. This chapter will examine the authentication protocols that are used in Windows 2000, the ways to authenticate down-level clients, and the optimum placement of domain controllers (DCs) to facilitate the authentication process.

Before You Begin

To complete this chapter, you must read the chapter scenario. This scenario is used throughout the chapter to apply the design decisions discussed in each lesson.

Chapter Scenario: Market Florist

Market Florist is an Internet-based floral delivery company that allows customers to purchase floral arrangements over the Internet and have them delivered anywhere in North America. You have been called in as a security consultant to design an authentication strategy for the Market Florist internal network that will ensure that user credentials are protected during the authentication process.

The Existing Network

Market Florist's head office is in Seattle, the Canadian office is in Winnipeg, and the Mexican office is in Monterrey. Market Florist's marketing department is in San Francisco.

Figure 3.1 shows the network links among Market Florist's four offices.

Figure 3.1 The Market Florist Wide Area Network

Market Florist Active Directory Design

Market Florist's Active Directory directory service design is comprised of three separate domains: marketflorist.tld, ca.marketflorist.tld, and mx.marketflorist.tld. The Seattle and San Francisco sites authenticate in the marketflorist.tld domain and the Winnipeg and Monterrey sites authenticate with their country's subdomain, as shown in Figure 3.2.

Figure 3.2 The Market Florist Active Directory structure

Market Florist Server Configuration

Market Florist has Windows 2000 servers distributed across its network as shown in Table 3.1.

Table 3.1 Windows 2000 Servers in the Market Florist Network

Seattle
  • Three Windows 2000 DCs for the marketflorist.tld domain.
  • Two of the DCs are configured as Active Directory-integrated Windows 2000 DNS servers hosting the marketflorist.tld DNS zone.
  • Two of the Windows 2000 DCs are configured as global catalog servers.
  • One Windows 2000 member server configured as a WINS server.

San Francisco
  • Two Windows 2000 DCs for the marketflorist.tld domain.
  • One of the Windows 2000 DCs is configured as a global catalog server.

Winnipeg
  • Three Windows 2000 DCs for the ca.marketflorist.tld domain.
  • One of the DCs is configured as an Active Directory-integrated Windows 2000 DNS server hosting the ca.marketflorist.tld zone.

Monterrey
  • Two Windows 2000 DCs for the mx.marketflorist.tld domain.
  • One of the DCs is configured as an Active Directory-integrated Windows 2000 DNS server hosting the mx.marketflorist.tld zone.

Market Florist Client Computers

The Market Florist network uses a mix of Microsoft Windows 95, Windows NT 4.0 Workstation, and Windows 2000 Professional client computers. All client computers were updated to the latest service pack version before January 1, 2000, to ensure that the Market Florist network was Year 2000 compliant.

Table 3.2 shows how the client computers are distributed across the network.

Table 3.2 Market Florist Client Computer Distribution

Seattle
  • 700 Windows 2000 Professional clients

San Francisco
  • 200 Windows 95 clients
  • 300 Windows NT 4.0 Workstation clients
  • 100 Windows 2000 Professional clients

Winnipeg
  • 200 Windows NT 4.0 Workstation clients
  • 300 Windows 2000 Professional clients

Monterrey
  • 300 Windows 95 clients
  • 100 Windows 2000 Professional clients

Lesson 1: Designing Authentication in a Microsoft Windows 2000 Network

Authentication allows network administrators to determine who is accessing the network and to design restrictions so that each authenticated user can access only the intended areas of the network. Without a good authentication design, trusted users might not always be able to access the network when they need to.

After this lesson, you will be able to

  • Determine business and technical requirements that will affect your authentication design for a Windows 2000 network

Estimated lesson time: 20 minutes

Determining Business and Technical Requirements

When designing authentication for your Windows 2000 network, you must meet certain business and technical requirements. These requirements define how you can make sure that authentication mechanisms are secured within a Windows 2000 network. The business requirements include these areas:

  • Many organizations require that all projects should ultimately reduce the company's total cost of ownership. You can do this by using Group Policy to enforce standardized security configurations. In a Windows NT 4.0 network, you had to edit the registry manually to apply many advanced security settings. This required an administrator either to connect to each computer in the domain or to configure each computer in the domain manually. With Group Policy, Windows 2000 can ensure that common registry modifications are enforced centrally using Active Directory.
  • Identify security risks in the network. In a Windows NT network, many client computers were unable to use more secure methods of authentication. (Unless otherwise noted, "Windows NT" refers to versions 3.51 and 4.0.) For example, Windows 95 and Windows 98 clients used LAN Manager (LM) authentication. LM authentication gives attackers an easy way to crack passwords: LM passwords are easily recovered because they can be attacked in independent seven-character sections. With the Directory Services Client installed in a Windows 2000 network, Windows 95 and Windows 98 clients use the NTLMv2 authentication protocol, which provides stronger authentication security and reduces the risk of password cracking.

In addition to business requirements, technical requirements also play a part in the design of your network's authentication strategy. These technical requirements might include the following:

  • Network authentication must be available even if WAN links are not. By deploying Domain Name System (DNS) servers, DCs, and global catalog servers at each remote site, you ensure that each site has the services needed to provide local authentication. While only Windows 2000 clients are site-aware by default, installing the Directory Services Client software on Windows 95, Windows 98, and Windows NT 4.0 clients makes these down-level client systems site-aware.
  • Network authentication must occur quickly. When authentication takes place over WAN links, authentication performance suffers. By ensuring that all clients are site-aware, you ensure that the clients will attempt to find network services on their local segment of the network. This solution requires you to deploy the Directory Services Client software to all down-level clients and to deploy Active Directory sites correctly.
  • DCs must not be overloaded with authentication requests. Microsoft provides a tool known as the Active Directory Sizer (ADSizer), which helps you plan the optimal number of DCs that you require for your network. This includes determining the ideal number of DCs and the processor and memory requirements for each one.

    You can get the ADSizer tool by going to and searching for "ADSizer tool."

Lesson Summary

You must design authentication for your network to meet all business and technical objectives defined by your organization. These objectives will provide the framework for your design. If you don't meet all objectives, it's quite possible that you will face a redesign in the near future. Ensure that you have collected all business and technical objectives before completing your authentication design.

Lesson 2: Designing Kerberos Authentication

Windows 2000 is designed to use Kerberos v5 as the default authentication protocol. Kerberos v5 provides more flexibility in authentication than the NTLM authentication protocol did.

After this lesson, you will be able to

  • Design a network to support Kerberos authentication for Windows 2000–based clients

Estimated lesson time: 45 minutes

Reviewing Kerberos Components

This lesson examines in detail how Kerberos authentication is used as the default authentication mechanism for Windows 2000–based computers. Before we start looking into design considerations of how Kerberos authentication works and how you can optimize and secure Kerberos authentication, let's look at the core components of Kerberos authentication. The components of the Kerberos v5 protocol include

  • Key distribution center (KDC). A network service that supplies both ticket-granting tickets (TGTs) and service tickets to users and computers on the network. The KDC manages the exchange of shared secrets between a user and a server when they authenticate with each other. The KDC contains two services: the Authentication Service and the Ticket Granting Service. The Authentication Service provides the initial authentication of the user on the network and provides the user with a TGT. Whenever users request access to a network service, they supply their TGT to the Ticket Granting Service. The Ticket Granting Service then provides the user with a service ticket for authentication with the target network service. In a Windows 2000 network, the KDC service is run at all Windows 2000 DCs....
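The Authentication Service and Ticket Granting Service exchanges described above, traced end to end in an added Python simulation (not code from the book or from Windows 2000). The principal names, the KDC class and the toy cipher standing in for a Kerberos encryption type are constructed for the example; pre-authentication, timestamps in authenticators and real enctypes are omitted.

```python
import hashlib, hmac, json, os, time

def kdf(secret: str) -> bytes:  # long-term key from a password (toy; real Kerberos salts string-to-key)
    return hashlib.sha256(secret.encode()).digest()

def _stream(key: bytes, iv: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key: bytes, msg: dict) -> bytes:  # toy authenticated encryption standing in for a Kerberos enctype
    data, iv = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, iv, len(data))))
    return iv + ct + hmac.new(key, iv + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")  # a wrong password lands here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct)))))

class KDC:  # the two KDC services from the lesson, over a constructed principal database
    def __init__(self, principals: dict):
        self.keys = principals        # principal name -> long-term key (AD holds these per account)
        self.krbtgt = os.urandom(32)  # the KDC's own key; every TGT is sealed under it

    def authentication_service(self, user: str):
        # AS exchange: a TGT (opaque to the client) plus the TGT session key under the user's own key
        sess = os.urandom(32)
        tgt = seal(self.krbtgt, {"cname": user, "key": sess.hex(), "exp": time.time() + 600})
        return tgt, seal(self.keys[user], {"tgs_key": sess.hex()})

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS exchange: the client presents its TGT plus an authenticator under the TGT session key
        t = unseal(self.krbtgt, tgt)
        sess = bytes.fromhex(t["key"])
        if t["exp"] < time.time() or unseal(sess, authenticator)["cname"] != t["cname"]:
            raise ValueError("TGT expired or authenticator does not match the TGT")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"cname": t["cname"], "key": svc_key.hex()})
        return ticket, seal(sess, {"svc_key": svc_key.hex()})

def client_logon_and_access(kdc: KDC, user: str, password: str, service: str):
    tgt, enc = kdc.authentication_service(user)                    # logon: AS exchange
    sess = bytes.fromhex(unseal(kdf(password), enc)["tgs_key"])    # wrong password -> ValueError
    ticket, enc2 = kdc.ticket_granting_service(tgt, seal(sess, {"cname": user}), service)
    svc_key = bytes.fromhex(unseal(sess, enc2)["svc_key"])
    return ticket, seal(svc_key, {"cname": user})                  # AP-REQ handed to the service

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    t = unseal(service_key, ticket)  # the service needs only its own key; the KDC is not contacted
    return unseal(bytes.fromhex(t["key"]), authenticator)["cname"] == t["cname"]
```

The point to notice is that the client never learns the krbtgt or service keys: a wrong password fails at the AS step, and a ticket cannot be opened by a service whose key did not seal it.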

Meet the Author

Developed by senior editors and content managers at Microsoft Corporation.
