98-367 Chapter Nine

Chapter 9: Understanding Physical Security

Topics Covered:

  • Comparing site security and computer security
  • Using Group Policy to enhance computer security
  • Exploring mobile device security
Comparing Site Security and Computer Security

Physical security includes all elements to protect facilities and IT resources. 2 contexts:

  • Site Security: All elements to control movement within an organization, starts at the property line.
  • Computer Security: This includes all the elements used to protect IT resources.

####### Understanding the Importance of Physical Security

“If an attacker has unrestricted physical access to a system, the attacker owns it”

An attacker with such access could:

  • Reset the Administrator Password
  • Install Unauthorized Software
  • Steal the system
  • Physically damage the system
  • Modify data
  • Steal data

####### Controlling Physical Access

Important to have layers of physical security such as perimeter fences, lobby checkpoints and restricted server rooms.

Proximity cards are small cards that have data embedded on them that identifies the carrier, when placed next to a reader
can grant access. With these cards times of entry and exit can be recorded and audited.

Tailgating: following an authorized user into a facilities, many people will hold the door for others to be polite. Man traps
help prevent tailgating. Turnstiles also serve a similar purpose. Proximity card readers can be programmed to only allow certain
employees such as IT staff into server rooms etc.

Using Switches Instead of Hubs

Hub sends data to all connections, switch only sends out to destination MAC which is more secure. If an attacker is sniffing a hub
they can see all traffic, not so on a switch.

Using Group Policy to Enhance Computer Security

Policy can be used to set restrictions on what devices can be used with computers (USB, DVD drives etc). Group policy can also
enhance physical security.

####### Understanding Default GPOs

OU (Organization Units) type of active directory object can organization objects within it.

Every domain has two default GPOs:

  • Default Domain Policy: Linked to the domain and applies to all users and computers in the domains, includes several default settings.
  • Default Domain Controllers Policy: GPO linked to Domain Controllers OU and applies to all domain controllers in the OU. When server
    is promoted to domain controller it is added into this OU.
Designing OUs and GPOs to Manage Users and Computers

You can create OUs in a domain, organizae objects in the OUs you create and create additional GPOs to manage users and computer in
these OUs.

Default domain policy is applied to domain.
Default Domain Controllers Policy is Applied to Domain Controllers OU.
Server Security GPO may be applied to Servers OU or Sales GPO may be applied to Sales OU etc.

How to set this up:

  • Create an OU
  • Moved Active Directory Objects into the OU
  • Create and link the GPO
  • Configure the GPO

####### Understanding Security Settings in a GPO

Most GPO settings apply when a GPO is linked to any OU but some exceptions:

  • Account Policies (Password Policy, Account Lockout, Kerberos) are applied only at the domain level.

You can still modify these Account Policy settings in a GPO and link the GPO to an OU however the setting are not applied
to any domain accounts unless the GPO is linked at the domain level. Server 2008 has Password Settings Objects that can be applied
to an administrators group to enhance the password policy.

Disabling Log On Locally with Group Policy

By default users in a domain can log into any domain computer except domain controllers.
Log on Locally: user sitting at computer and logging on to the console
Local Security Policy tool only affects the local computer, GPO applies across domain or OU

  • Allow Log on Locally: Identifies specific users and groups that are allowed to log on.
  • Deny Log On Locally: Identifies specific users and groups that are blocked from logging onto the system. Deny takes precedence.
    By default only Admins are allowed to log into domain controllers.

Things easier to manage when permissions are assigned to groups, and then people are added and removed from those groups.

####### Controlling Removable Storage Access with Group Policy

Control capabilities of removable devices and drives, has the following settings:

  • Time (In Seconds) To Force Reboot: Settings are not applied until system reboots, this policy sets time a reboot is forced
    after settings are changed.
  • CD and DVD: Controls all CD/DVD drive both internal and external
  • Custom Classes: Identify specific device using globally unique identifier, example deny specific type of flash drive.
  • Floppy Drives: Most systems control include them, this policy also covers external floppy drives.
  • Removable Disks: Any external drive connected via USB or FireWire, HDD and Flash Drives
  • Tape Drives: Internal and External Tape Drives
  • WPD Devices: Windows Portable Devices such as media players, smart phones etc.
Exploring Mobile Device Security

Mobile devices hold lots of personal information so important to secure them. First simple step
is password protect them. Can install AntiVirus on most phones now.

Protecting Mobile Devices Against Malware

Malware now appearing on phones, which can now do most of what computers can do. Infection via website, mail attachment etc.

Minimizing Risks with Bluetooth Devices

Bluetooth connects via process called pairing, to pair both devices must be in “discovery” mode.
After connecting discovery mode should be turned off.

Bluesnarfing: unauthorized access of information on a Bluetooth Device
Bluejacking: hijacks and sends messages, emails etc.

Chapter Review Questions:

  1. Of the following choices, what can be used to prevent tailgating?
    a. Cipher lock
    b. Proximity Card
    c. Mantrap
    d. Cameras
  2. You want to improve basic security with network devices. Which of the following steps can you take?
    a. Replace all hubs with switches
    b. Replace all switches with hubs
    c. Replace all routers with switches
    d. Replace all switches with routers
  3. True or false: You can create GPOs, modify their settings, link a GPO to an OU and manage all users and computers in the OU with the GPO settings
  4. True or false: The Default Domain Controllers policy applies to all users can computers in the domain.
  5. You want to restrict what computers and user can log onto. What Group Policy setting should you configure.
  6. You have modified the Password Policy settings for a GPO so that passwords must be at least 15 characters long. You have linked the GPO to an OU
    named IT, which includes administrators working in the IT department. What is the effect on these administrators?
    a. Unable to determine
    b. The administrators are required to have a password 15 chracters long
    c. This policy is ignored because only a password policy linked to the domain will be used.
    d. None. Group Policy settings do not apply to administrators
  7. A user named Joe is in the Administrators group. The Administrators group is added to the Allow Log On Locally Group Policy setting
    for a server. Joe’s account has been added to the Deny Log On Locally setting for this server. What is the effect for Joe?
    a. Unable to determine
    b. Joe is unable to log on because deny takes precedence
    c. Joe is able to log on because he is in the Administrators group
    d. Joe is able to log on locally, because he can’t log on remotely
  8. True or false: You can restrict access to removable devices with Group Policy
  9. What can be done to protect mobile devices such as mobile phones? (Choose all that apply)
    a. Password-protect them
    b. Install antivirus software
    c. Enable discovery mode
    d. Add Internet Access


  1. C
  2. A
  3. True
  4. False
  5. Allow Log On Locally
  6. C
  7. B
  8. True
  9. A, B

Relevant sections of Certification Exam


98-367 Chapter Eight

Chapter 8: Understanding Wireless Security

Topics Covered:

  • Comparing Wireless Devices
  • Configuring wireless security methods
  • Configuring wireless routers
  • Configuring Windows 7 for wireless
Comparing Wireless Devices
IEE Standard Speed Base Frequency
802.11a 54 Mbps 5Ghz
802.11b 11 Mbps 2.4 GHz
802.11g 54 Mbps 2.4 GHz
802.11n 300 Mbps 2.4 GHz or 5 GHz

802.11n uses multiple antennas in a MIMO (multiple input multiple outout) configuration to increase througput, can reach as high
as 600 Mbps. Security methods are not dependant on wireless radio.

Three types of devices (in general):

  • Wireless Adapters
  • Wireless Access Points
  • Wireless Routers
Wireless Adapters

Adapters can be added to devices via usb, or PCI etc.
Everything has wifi now

Wireless Access Points

Provides connectivity for wireless clients to wired devices. It bridges the wireless clients to the wired network. WAPs include
the following components:

  • At least one interface connecting it to a wired network
  • A transceiver that allows WAP to send and receive wireless transmissions
  • Bridging Software to bridge wireless and wired segments
Wireless Routers

Used in homes and smaller offices combines WAP with router in one device, also provide NAT and DHCP and some also have DNS.

Comparing Wireless Security Methods

WPA2 is current and should be used, WEP is old and easily broken

Understanding Encryption Keys

Wireless security uses symetric encryption (very fast) which means there is a single key used by both client and AP.
Encryption uses algorithm and key
Algorithm: mathematical formula that scrambles, or ciphers the data
Key should change frequently and must remain private

Wired Equivalent Privacy

Intended to provide same level of privacy as wired clients. Problems with WEP:

  • Weak Encryption: RC4 cipher with reused keys. WPA/WPA2 use a block cipher which is much stronger than RC4 (stream cipher)
  • Poor Key Management: Keys are transmitted in plaintext at beginning of a session. Subsequent keys are predictable and reused
  • Attacker Tools Widely Available: Easy to find resources online
Wi-Fi Protected Access

WPA was introduced as a software solution to fix WEP while new standard was created. WPA does not need new hardware, WPA2 does.
WPA uses TKIP (Temporal Key Integrity Protocol) whcih regularly changes keys without requiring user to change passphrase.

WPA2 Provides 2 “Modes”:

  • Personal
  • Enterprise
Wi-Fi Protected Access Version 2

WPA2 supports FIPS 140-2 by default.

WPA/WPA2 Personal: Uses same PSK (Pre Shared Key) - Used in homes and small offices
WPA2 Enterprise: Uses 802.1X server for authentication, clients must authenticate and after they have done so get encryption keys sent

Enterprise Mode includes these elements:

  • Supplicant: Wireless Client requesting access
  • Authenticator: WAP acts as authenticator
  • Authentication Server: Verifies credentials, server 2008 can do this with Network Policy and Access Services role as an 802.1X Authentication server.
Extended Authentication Protocol

EAP provides framework to create multiple additional authentication methods such as PEAP and EAP-TLS
Smart cards use EAP-TLS.

Server 2008 supports two primary EAP methods:

  • EAP-TLS: Extensible Authentication Protocol Translport Layer Security uses certificates for authentication, supports smart cards
  • PEAP: Protected EAP provides encapsulation and encryption to the authentication channel. PEAP can use smart cards with certificates for authentication or passwords.
    When passwords are used PEAP uses EAP with MSCHAP-V2 (Microsoft Challenge Handshake Protocol Version 2)
Viewing Windows 7 Wireless Settings

Following Settings available in Windows 7:

  • No Authentication (Open): Open networks
  • Shared: WEP
  • WPA-Personal/WPA2-Personal: Use PSK
  • WPA-Enterprise/WPA2-Enterprise: 802.1X Authentication Server which authenticates clients before granting access to network
  • 802.1X: For WEP networks that support 802.1X, should not be used
Configuring Wireless Routers

Most routers have web based admin pages, can usually find at
Most have default admin account named “admin”, some with password “admin” and others no password

Changing the Default Administrator Password

Default should be changed, duh

Changing the SSID

Potentially Avoid using the model or brand name in the network name to not provide attackers easy info

To Broadcast or Not to Broadcast?

If disabled router will not “advertise” itsself periodically to clients, this should not be viewed as a security setting

####### Reasons to Disable SSID Broadcast

Makes network harder to locate but software can still capture SSID easily as it is still sent in plain text in packets. If clients cant see networks
they must spam out probes looking for the network which leaks info.

####### Leave SSID Broadcast Enabled

Microsoft Recommends leaving it enabled, so if you are writing a Microsoft exam HINT HINT!
SSID should not be treated as a secret, wireless frequencies are well documented and software can easily detect hidden network
because they are not really that hidden.
Primary protection should be strong security protocols, not hidden networks.

Using MAC Filters

Can be used to filter but there are some problems. MACs are sent over the air in plaintext so attacker can just spoof one
and then have network access

Configuring Windows 7 for Wireless

Some stuff about how to navigate windows 7 UI to add wireless network manually, boring.

AES is stronger than TKIP

Chapter Review Questions:

  1. True or false: A wireless access point always includes routing capabilities
  2. True or false: Algorithms used by WEP, WPA and WPA2 are publishes and accessible to anyone who wants to look at them, and they are’t changed
    from one transmission to another?
  3. Of the following choices, which one provides the best security for a wireless network?
    a. WEP
    b. WPA
    c. WPA2
    d. WPA3
  4. True or false: WPA2-Enterprise allows clients to authentication with smart cards
  5. You want to use WPA2-Enterprise. What element is needed for WPA2-Enterprise that isn’t needed for WPA2-Personal?
  6. You want to provide the strongest security possible for your wireless network. Which one of the following choices provides
    the strongest wireless security?
    a. WPA-Personal
    b. WPA2-Personal
    C. WPA-Enterprise
    d. WPA2-Enterprise
  7. A wireless network is identified by its name. The tireless network name is also know as __
  8. Of the following choices, what can you do with the SSID to increase security for a wireless network?
    a. Rename the default SSID
    b. Disable SSID broadcast
    c. Change the SSID password
    d. Remove the SSID
  9. True or false: WEP uses AES for encryption
  10. True or false: You can increase security in a network by disabling SSID broadcast


  1. False
  2. True
  3. c
  4. True
  5. 802.1X Authentication Server
  6. d
  7. SSID
  8. a
  9. False
  10. False

Relevant sections of Certification Exam


98-367 Chapter Twelve

Chapter 12: Understanding Internet Explorer Security

Topics Covered:

  • Exploring browser settings
  • Comparing security zones
  • Using IE tools to identify malicious websites
Exploring Browser Settings

Boring UI explanation of IE

Understanding IE Enhanced Security Configuration

Enabled by default and intended to provide an added layer of protection for the server by preventing many web based attacks.
It does this VIA blocking different types of web content and scripts.

Selecting Cookies Settings

Default setting of Medium. Cookies are small text files that websites place on computer to track preferences and activity.

Cookie Terms:

First-Party Cookie: placed by site you visit
Third-Party Cookie: placed by different site than the one you visited (advertisers)
Compact Privacy Policy: Summary of a companies privacy policy embedded in the web page in XML

Cookies can present risks if they store sensitive info in plaintext.

Manipulating the Pop-up Blocker

Popups are annoying, mostly bad and blocked but can enable for some websites.

Using InPrivate Filtering and InPrivate Browsing

InPrivate Filtering: analyzes content on a web page to determine if the same content is being used on a number of different websites.
If same content is found on other sites it is probably being provided by a third party which is likely gathering information about you.
InPrivate Filtering helps prevent this information gathering. Off by default.

InPrivate Browsing lets you browse websites without storing history, temporary files, form data, cookies or usernames and passwords. Useful
for public computers.

Deleting Browser History

IE stores history and info, can delete it.

Managing Add-ons

Addons provide extra functionality, can crash or conflict and make IE unstable. IE reset will elminate all addons and restore IE to defaults.

Exploring Advanced Security Settings

Can be set with GPO and locked so users cant change. Settings on Advanced tab apply to all security zones, other settings
can be configured for other specific zones.

Comparing Security Zones
  • Internet: Any website not on local computer, local intranet or are not assigned to another zone. Default for internet zone is Medium-High security level
  • Local Intranet: Website hosted on internal network. If accessed via UNC (Universal Naming Convention) using \servername\sharename\pagename
    it will be recognized as intranet zone. If site is placed in trusted or restricted zones those take precidence.
    IE will use Internet zone if you use an IP or FQDN. Default for local intranet zone is Medium-Low security level (Lowest security level of all four zones)
  • Trusted Sites: sometimes orgs host on internet due to employees being outside network or other reasons. THis allows sites to run scripts etc. When in trusted
    sites zone default security level is Medium
  • Restricted Sites: Sites known to host malware but still need to be visited

ActiveX control is a small program that can run in a web browser. Can be configured to only allow digitally signed controls.

Using IE Tools to Identify Malicious Websites

SmartScreen Filter helps identify malicious websites before the page is displayed.
Protected Mode helps protect your system from malicious activity if you do visit a malicious website.

####### Understanding the SmartScreen Filter

Helps protect against phishing. Is turned on by default. Email hyperlinks should be treated with suspicion.

Drive By Download: download initiated by website when user visits. No additional action such as clicking a download button required.
Downloads could include malicious software etc.

SmartScreen also blocks downloads reported as unsafe.

Modifying Protected Mode

Protected Mode runs IE with restrivted priviledges to provide a layer of protection from malicious websites. By default protected mode
is enabled for the Internet and restricted sites zone. It is possible to disable but not recommended. Admins can use GPO to make sure
protected mode is not turned off.

Chapter Review Questions:

  1. You have launched Internet Explorer on Windows Server 2008, and you have noticed that some webpages are not displaying correctly.
    What is causing this?
    a. InPrivate Filtering
    b. InPrivate Browsing
    c. IE Enhanced Security Configuration is enabled
    d. IE Enhanced Security Configuration is disabled
  2. True or false: A cookie is an executable file that tracks a users behavior
  3. What can be used to block all cookies from being stored on a user’s computer durring a browsing session?
    a. InPrivate Browsing
    b. InPrivate Filtering
    c. Pop-up blocker
    d. Protected Mode
  4. True or false: It is not possible to remove the history of browsing sessions
  5. An add-on is causing IE to become unstable, but you are not sure which one is causing the problem. What should you do?
  6. Which zone is used by default for a website with a fully qualified domain name?
    a. Internet
    b. Local intranet
    c. Restricted Sites
    d. Trusted Sites
  7. Which IE security zone has the most relaxed security settings?
  8. Which one of the following helps detect phishing sites?
    a. InPrivate Browsing
    b. InPrivate Filtering
    c. SmartScreen Filter
    d. Protected Mode


  1. C
  2. False
  3. A
  4. False
  5. Reset IE
  6. A
  7. Local Intranet
  8. C

Relevant sections of Certification Exam


98-367 Chapter Eleven

Chapter 11: Understanding Certificates and a PKI

Topics Covered:

  • Understanding a certificate
  • Exploring Components of a PKI
Understanding a Certificate

A certificate is a file that is used for a variety of security purposes such as:

  • Issued to a person and associated with an account and used with smart card
  • Issued to a device such as a server, mobile device or workstation

Certificates contain information such as

  • Who was it issued to
  • Who issued it
  • It purpose(s)
  • Validity dates (including an expiration date)
  • Unique Serial Number
  • Public Key

Common usages for Certifications:

  • Authentication: if from a trusted entity other party can be assured of identity
  • Encryption: may be used to encrypt and decrypt data
  • Digital Signatures: added to email to provide authentication, integrity, and non repudiation
  • Code Signing: used to identify/validate the author of the software

####### Comparing Public and Private Keys

If private key is compromised CA can revoke certificate that holds matching public key
Outlook can query Active Directory for a users certificate to encrypt an email etc.

####### Understanding Certificate Errors

Clients may check with CA if cert is valid (has not been revoked) or has not expired etc.

CA publishes CRL (Certification Revocation List). CRL contains serial number of all revoked certs and the date they were revoked on.

Certificate formatting may differ based on version. CRLs use a version 2 certificate.

Some errors that indicate a certificate has a problem:

  • This websites security certificate has been revoked: private key probably leaked
  • This websites security certificate is out of date
  • This websites security certificate isn’t from a trusted source: Not issued by trusted CA
  • Internet Explorer has found a problem with this websites security certificate: if cert was modified or tampered with
  • There is a problem with this websites security certificate: Cert was issued to one website but is being used by another.
Viewing Certificate Properties

In IE:
Tools > Internet Options > Content > Certificates

Certificate chains show path to root CA.

Exploring the Components of a PKI

PKI includes these components:

  • Public/Private Keypairs
  • Certificates
  • Certification Authority
  • Registration Authority: Optional, in large orgs this accepts cert request and validates credentials of the person making the request.
    After request has been verified the RA forwards the request to CA. RA does NOT issue certificates
  • Root CA: First certification in a chain. Can issue certificates to subordinate CAs which are considered to be in the same chain.
Understanding the Certificate Chain

Root CA is first CA in the chain, it issues itself a self-signed cert. Can issue certs to intermidiate CAs which can then issue
to subordinate CAs.

Comparing Certificate Services

AD CS (Active Directory Certificate Services) can be added as a role. Can be used in two modes:

  • Standalone CA: can be used to issue certificates within an organization or publicly
  • Enterprise CA: Used to issue certificates only within the organization

Enterprise CA can be configured to automatically enroll and issue certificates automatically to users or machines.
This can be configured based on types of certificates needed. Root CA needs to be in Trusted Root Certification Authority Store.

Chapter Review Questions:

  1. True or false: A server will give out its certificate containing its private key
  2. Which of the following are valid uses of a certificate (Choose all that apply)
    a. Authentication
    b. Encryption
    c. Digital Signatures
    d. Antivirus Scanning
  3. True or false: A certificate issued to a web server with one name can be used on another web server with another name without any problems.
  4. How are certificates uniquely identified?
    a. Public Key
    b. Issuer
    c. Version Number
    d. Serial Number
  5. You want all certificates issued by a CA to be trusted. Where should you place its root certificate?
  6. A CA issues itself the first certificate in the trust chain. What is the CA called?
    a. Root CA
    b. Self-signed CA
    c. Enterpriste subordinate CA
    d. Standalone subordinate CA
  7. An organization wants to create a CA that will be used internally with a Microsoft domain, with the ability to automatically enroll
    certificates for users. What should be created?
    a. Standalone CA
    b. Public CA
    c. Enterprise CA
    d. RA-enabled CA
  8. What role is added to a Windows Server 2008 server to create a CA?
    a. Certification Authority role
    b. Active Directory Domain Services
    c. Active Directory Certificate Services
    d. File services


  1. False
  2. A, B, C
  3. False
  4. D
  5. Trusted Root Certification Authority Store
  6. A
  7. C
  8. C

Relevant sections of Certification Exam


98-367 Chapter Ten

Chapter 10: Enforcing Confidentiality with Encryption

Topics Covered:

  • Comparing encryption methods
  • Securing email
  • Understanding EFS
  • Exploring BitLocker Drive Encryption
Comparing Encryption Methods

Reminder: algorithm provides mathmatical formula that identifies how data is to be encrypted.
Key is a number that provides randomization for the encryption.

Two categories: symmetric and asymmetric. Also hashing.

Chapter mostly deals with software encryption.

Understanding Symmetric Encryption

Uses single key to encrypt and decrypt data, both parties must know the key and it must be kept secret. Key can be changed frequently
to prevent all data being decrypted if a key is discovered. Larger keys may never use same key twice in lifetime but small keys
might. 16 bit key has 65,536 possible keys. 40 keys has just over 1 trillion. 256 bits has 1 followed by 77 zeros possible combinations.

Common symmetric encryption algorithms:

Advanced Encryption Standard (AES): Quick and efficient, widely used
Data Encryption Standard (DES): Cracked and not recommended for use
3DES (Tripple DES): Designed to improve DES, is slower than AES
International Data Encryption Algorithm (IDEA): Very popular for short period of time, used less because AES is more efficient
Blowfish and Twofish: Strong encryption but less used because AES is far more efficient.

Exploring AES

Picked from 15 competing algorithms by NIST (National Institute of Standards and Technology). Adopted as federal government
standard in 2002. Kerberos, WPA2, Bitlocker all use AES. AES algorithm is published and available to study, so not secret by any means.
Keys used to encrypt data are kept secret. AES can use 128, 194, 256 bit keys. More bits = more possible keys

AES can be brute forced but the amount of time needed makes it not realistic

Understanding Asymmetric Encryption

Also called public key encryption, uses public and private matching keys. Keys are only useful when used by the other pair.
When one is used to encrypt the other can only be used to decrypt. Asymmetric encryption is about 1000 times slower so its great to use
to encrypt the symmetric key and send that so you get best of both worlds.

Using Certificates to Share Public Keys

Certificates are digital files that include several pieces of key data used with cryptography. Good way to share a public key.

Understanding Hashing

Message Digest 5 (MD5) is a popular hashing algorithm that creates 128 bit hashes, will always create a 128 bit hash regardless of what it is hashing.
SHA (Secure Hashing Algorithm) is also very popular and has several versions. If data not modified hash will always be the same, hashes dont use keys
and are one way meaning you cannot derive the contents of what was hashed from the hash output. Hashing important to verify integrity.
Useful for anti virus programs etc and they can compute and check hashes to see if files have changed.

Securing Email

Emails can be encrypted and signed using asymmetric encryption. Can also be used with hashing to ensure integrity and sender of the message.
Also provides non-repudiation, sender cannot deny they sent email if it was signed.

Secure/Multipurpose Internet Mail Extensions (S/MIME) is underlying standard used for most email security. Uses pub, private keys and digital signatures.

Email programs such as outlook can automate encryption/decryption. Can encrypt a key with asymmetric encryption and then encrypt rest of message contents
with encrypted symmetric key. Recipient can decrypt the key then use that key to decrypt message. Outlook can automate this.

Digitally Signing Email

Hash is calculated at the source and at the destination, then compared and if they are the same message has not changed.

Understanding EFS

GPO can be set so users cannot encrypt with EFS.

####### Encrypting and Decrypting Files with EFS



  1. EFS creates symmetric secret key, unique for each file
  2. EFS retrieves the users public key
  3. EFS encrypts the symmetric secret key with users public key
  4. Encrypted symmetric secret key is included in the header of the encrypted file


  1. Encrypted symmetric key is retrieved from the file
  2. Users private key decrypts the symmetric secret key
  3. EFS decrypts the file with decrypted symmetric secret key

If password for local user is reset (not domain user) the private key associated with the account is lost. Does not occur
if user changes password, only if password is reset by an admin. Also if users private key is ever corrupted files cannot be recovered.

Understanding the Recovery Agent

EFS includes recovery procedure to mitigate risk of data loss.
By default built in administrator is the designated recovery agent (DRA) for EFS. As the DRA an admin can decrypt files.
DRA can be disabled. Have to decided if chance of data theft from DRA account is worse than potential loss of data if private key is lost.

Understanding Behavior When Files are Moved or Copied

Reminder from chapter 4:

  • If you move a file on same partition, origionally assigned permissions are retained
  • Any other time original permissions are lost and only inherited permissions apply

EFS is slightly different, one rule with EFS is that encryption always wins. If C drive is encrypted and a file
is copied or moved off it will still be encrypted. This only works if target volume is also an NTFS drive. FAT32 cant store
headers that contain keys so EFS decrypts it and stores in unencrypted format. If unauthorized user copies to FAT drive it is stored
encrypted without the header so file is impossible to decrypt.

Exploring BitLocker Drive Encryption

BitLocker to go encrypts flash drives, BitLocker encrypts entire volumes within Windows 7, Vista, Server 2008

####### Understanding BitLocker Requirements

Not available by default in Server 2008 or Server 2008 R2, can be added as a feature. BitLocker uses AES to encrypt.
BitLocker can use a Trusted Platform Module (TPM) version 1.2 or a removable storage device to lock and unlock the drive. TPM in a
chip on motherboard that checks hardware on system for suspicious modifiecations and stored and protects key used to unlock volume.
TPM checks boot files, if they pass it releases the key. TPM chip runs software that performs these checks.
Most systems dont have TPM on motherboard and if they do it is usually disabled in BIOS. Removable disk can be used to store the startup key.
Recommended to not store this drive with PC or else can just steal or use both. Can also use following methods to increase security:

  • TPM and a Personal Identification Number (PIN): Must enter PIN at boot time
  • TPM and a USB Flash Drive: USB should be removed after system is booted
  • TPM, PIN and a USB Flash Drive: Inserts USB drive on boot and also enters a PIN
Understanding Recovery Keys

Key can be stored in a file or printed. If additional keys are required just unlock drive and make a copy of recovery key.

Chapter Review Questions:

  1. Name the type of encryption that uses a single key for encryption and decryption
  2. Name the key (or keys) used by asymmetric encryption
  3. Of the following choices, which one provides the strongest symmetric encryption?
    a. RSA
    b. AES
    c. DES
    d. MD5
  4. Of the following choices, which is a one-way hashing function:
    a. RSA
    b. AES
    c. SHA-1
    d. WPA2
  5. You want to provide confidentiality for email. What should you do?
    a. Encrypt it using S/MIME
    b. Digitally Sign It
    c. Encrypt it with BitLocker
    d. Encrypt it with EFS
  6. A user encrypted a file with EFS. The user’s certificate became corrupt and the user can no longer open the file. Who is anyone, can access the file?
    a. The user, with the users password-recovery disk
    b. Ad adminstrator as a designated recovery agent
    c. The user, with a recovery key
    d. Ad administrator, with a recovery key
  7. You have moved an encrypted file from one NTFS partition to another. What is the state of the encryption attribute?
  8. Of the following choices, what does a TPM do?
    a. Secure the key for BitLocker
    b. Secures the key for AES
    c. Secures the key for RSA
    d. Ensures that the private key is publicly available
  9. True or false: You can use BitLocker to encrypt a hard drive even if the system does not have a TPM
  10. True or false: BitLocker To Go can encrypt USB flash drives


  1. Symmetric Encryption
  2. Public and Private
  3. B
  4. C
  5. A
  6. B
  7. Still Encrypted
  8. A
  9. True
  10. True

Relevant sections of Certification Exam


98-367 Chapter Seven

Chapter 7: Protecting a Network

Topics Covered:

  • Identifying common attack methods
  • Exploring firewalls
  • Exploring Network Access Protection
  • Identifying protocol security methods
Identifying Common Attack Methods

Attackers use several well known methods to attempt to breach networks. Attacks are evolving, but usually fall into the category
of a common attack method. Many organizations use IDS to detect and mitigate attacks.

Denial of Service

Any attack designed to prevent a sustem from providing a service. Usually attacks involve consuming resources to exhaustion
such as SYN flood.


Flood with traffic from a botnet etc.

Sniffing Attack

Capture data in transit over a network, works well with plaintext protocols such as ftp, telnet etc.

Network cards can be put into promiscious mode (capture all traffic on network that reaches interface, regardless of destination)

Spoofing Attack

Attacker attempts to impersonate someone or something they are not. Local Area Network Denial changes soure IP so its same as destination causing system
to keep replying to itself.

Port Scan

Attempt to discover what ports are listening on a system, ports can be switched but some services use standardized ports
which can give attackers hint of whats running.

####### Exploring Firewalls

Types of firewalls:

  • Stateless: Examines each packet individually, does not take TCP session into account etc
  • Stateful: Able to examine connections as sessions
  • Content Filtering: Block traffic based on content (often used to block mail attachments etc)
  • Application Layer Filtering: Has component for each application protocol, example allowing HTTP GET but blocking HTTP PUT. CPU intensive, should be used sparingly or
    with dedicated hardware appliances
Comparing Hardware-Based and Software Based Firewalls

Hardware Firewalls: dedicated devices that provides security and helps isolate network from unwanted traffic.
Hardware devices can be designed as appliances, things you plug in and just use it. Defense in depth would dictate the use of
multiple layers of firewalls such as a hardware appliance on boundry and on client workstations.

####### UTM vs SCM

Bundle multiple capabilities in a firewall

Unified Threat Management: UTM includes email and web and also adds:

* basic routing
* packet filtering
* anti malware
* content filtering
* stateful filtering
* application layer filtering, 
* Intrusion Detection can block port scans and SYN flood and others
* Network Performance: Proxy can cache data to respond faster
* Remote Access: VPN component

Secure Content Management: Focused on filtering email and web based traffic, can also work as proxy servers

UTM is much more broad in scope, components are well integrated as it is a single product

Isolating Servers on Perimeter Networks

If placed directly on internet, face public threats. If placed on private internal network no one can access.
Perimeter network is protected from internet somewhat and also not directly connected to internal private network.
These Perimeter networks usually contain web servers, mail servers etc that need to get traffic from public internet.
Perimeter networks usually have an External and Internal Firewall (Three Pronged/Three legged Firewall) but sometimes just have an external (cheaper but single point of failure).

Using Honeypots

Server that is set up to entice attackers, appears to be holding actual data. Provides two primary benefits:

  • Lure attackers away from real systems
  • Learn more about attack methods and trends etc.
Isolating a Network with NAT

Private IP ranges as defined in RFC 1918

  • -
  • -
  • -

NAT translates public IPs into private IPs so computers are not directly accessible via the internet.

Exploring Network Access Protection

NAP is a part of the Network Policy and Access Services server role, can inspect clients attempting to connect to network
to determine if it meets requirements to connect. If it does not pass checks can be placed on isolated/restricted network or denied access.

Admins decide what is healthy such as updates intalled, anti virus software installed etc. Restricted clients have access to remediation servers
where resources on how to fix issue are found. NAP checks can also periodically validate healthy clients, example: firewall must be enabled. If firewall is disabled
NAP can place client on restricted network etc.

Understanding NAP Components
  • System Health Agents: run in background and check status of client. Server 2008 has no SHAs but 2008 R2 does.
  • System Health Validators: Where healthy state is defined on a NAP server.
  • Health Policy: Created on a health server, ideitify what SHVs to use for the different clients in the environment, also define
    how to respond to non healthy clients.
  • System Statement of Health: NAP server collects statements of health from clients and compares against the health policy. These statements are compiled into
    a single statement of health for each client. This System Statement of Health identifies if client is in compliance with health policy
  • Health Registration Authority: If healthy HRA retrieves a health certificate for the client
  • Health Certificate: Used by client to gain access to network resources
  • Restricted Network: Includes remediation server which can deploy updates to OS or AV software to make client healthy
Evaluation Client Health with VPN Enforcement

VPN clients can connect and also be validated by NAP

NAP can also validate the following:

  • DHCP: Health can be validated before any TCP/IP configuration is assigned
  • IPSec: Ensure IPSec policy is compliant
  • 802.1x Enforcement: Can check health before allowed to connect to wireless network
Identifying NAP Requirements

Some clients only support certain checks and features, servers must also be running 2008+ to support NAP

Here is a list of components and the required Roles/Services:

  • Network Access Protection health policy server requires Network Policy And Access Services, Network Access Protection
  • HRA server requires Network Policy and Access Services, HRA service, web server (IIS)
  • Virtual Private Network (VPN) enforcement server requires Network Policy and Access Service, Routing and Remote Access Services
  • DHCP enforcement server requires network Policy and Access Services, DHCP role

HRA can include a CA or can be issued by CA running on different OS. Remediation servers can be running whatever is required
to provide the remediation service. 802.1x requires managed switches.

Identifying Protocol Security Methods

######## IPSec

Encrypt data before transmitted on network to prevent sniffing, includes two primary mechanisms:

  • Authentication Header: Provides Authentication and Integrity, packets are hashed and hash is placed in AH field and sent. Recipient can hash packet and check
    against stored hash in AH and if they match can be sure packet was not altered in transit.

  • Encapsulating Security Protocol (ESP): Encrypts data

IPSec can be set on individual computers or multiple with Group Policy.

Three IPSec Policies:

  • Client (Respond Only): Computers can establish IPsec sessions but never initiate
  • Secure Server (Require Security): always require IPsec sessions, if other computer cant do IPsec connection is terminated
  • Server (Request Security): Attempt to establish IPsec, if unable continue to communicate unencrypted

IPSec can also be configured for specific traffic such as FTP to ensure it is always encrypted.

Comparing Tunneling Protocols
  • Point to Point Tunneling Protocol (PPTP): Older, vulnerable but still used by many applications. Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data in tunnel.
  • Layer 2 Tunneling Protocol (L2TP): Commonly uses IPSec, problem is that it cant pass through NAT because NAT corrupts IPsec traffic.
  • Secure Socket Tunneling Protocol (SSTP): Uses SSL and introduced in Server 2008

DNS does not have much built in security, DNSsec adds extra security. Provides three main benefits:

  • Origination Authentication of DNS Data: DNS records are digitally signed, signatures provide authentication between DNS servers
  • Data Integrity: Hashing used with DNS record to ensure was not modified, helps prevent cache poision attacks
  • Authenticated Denial of Existence: Protects against zone enumeration by encrypting the specific record for no match found (NSEC3)

Chapter Review Questions:

  1. True or false. A DDoS attack comes from a single computer
  2. An attacker is capture and analyzing network tarffic with a protocol analuzer. What type of attack is this?
  3. A __ attack is a specific type of spoofing attack. It spoofs the source address witin a TCP SYN packet and causes the system to repeatedly reply to itself
  4. You want to allow both LDAP and secure LDAP traffic through a firewall. What ports need to be opened?
    a. 161 and 162
    b. 389 and 3389
    c. 389 and 636
    d. 80 and 443
  5. True or false: A hardware based firewall is typically more efficient that a software based firewall
  6. An organization plans to host a web server accessible from the Internet. Where should the web sever be placed to provide the best protection?
    a. In the Intranet
    b. On the internet
    c. On a firewall
    d. In a perimeter network
  7. What type of firewall provides combined protection for multiple threats and can include firewall security features, routing features, and VPN components?
    a. SCM
    b. UTM
    c. Stateful Firewall
    d. Packet-Filtering Firewall
  8. Of the following choices, which client(s) can NAP inspect and isolate (Choose all that apply)
    a. Linux
    b. Windows XP SP3
    c. Windows Vista
    d. Windows 7
  9. Sensitive data is transmitted on your network from a server. You want to ensure that this data is encrypted. What would you use?
    a. SSTP
    b. PPTP
    c. IPsec
    d. L2TP
  10. What is used to digitally sign DNS records?


  1. False
  2. Sniffing Attack
  3. LAND (Local Area Network Denial)
  4. C (initially guessed A. LDAP uses 389 and secure LDAP uses 636)
  5. True
  6. D
  7. B
  8. B,C,D (I initially guessed C,D only)
  9. C
  10. DNS SEC (I initially put digital certificates)

Relevant sections of Certification Exam


Need to review table on page 152 (Commonly Used Ports)

98-367 Chapter Six

Chapter 6: Protecting Clients and Servers

Topics Covered:

  • Understanding User Account Control
  • Keeping Systems updated
  • Protecting clients
  • Protecting servers
  • Exploring DNS security issues

Some common techniques but servers and clients have different roles.

Understanding User Account Control

Provides protection by seperating privileges needed for administrative tasks and standard tasks.
When user logs into admin account they are assigned two tokens, one for regular activities and another for admin tasks.
When an admin token is used a UAC prompt will appear. Admin token is only used for the single approved task to prevent

Understanding the Dimmed Desktop

When UAC prompts, it “dimms” the desktop. While desktop is dimmed application activity is suspended to prevent
malware from triggering and responding to the UAC request.

Modifying User Account Control

UAC can be changed in control panel.

  • Always notify me when: notify when a program tries to install software or make changes. Recommended if you install
    lots of new software

  • Notify Me Only When Programs Try to Make Changes to My Computer (Default): notified only when changes are being made
    that require administrator permissions.

  • Notify Me Only When Program Try To Make Changes To My Computer (Do Not Dim My Desktop): Same as default only no dimming
    which is good for older systems with lower resources however not recommended due to security implications.

  • Never Notify Me When: This setting turns off UAC, really only for older applications that dont work with UAC. This weakens overall
    security and really not recommended at all.

Keeping Systems Updated

Process of discovery and resolution of security flaws:

  1. Flaw Discovered
  2. Vendor Notified
  3. Vendor Develops and Tests Solution
  4. Vendor Makes Update Available
  5. Updates Downloaded and Installed

Updates can be reverse engineered so important to actually download and apply patches.

Updating Systems with Automatic Updates

Updates can be downloaded and installed in a scheduled and automated way if configured to do so.

3 Update Categories:

  • Important: Impacts security, privacy and stability (recommended to install automatically)
  • Recommended: Addresses non critical problems, can enhance experience with windows or software
  • Optional: Drivers, New Software etc

4 Update Settings:

  • Installed Updates Automatically (Recommended): Automatically downloaded and installed based on the schedule, used in
    most organizations.
  • Download Them But Let Me Choose Whether To Install Them: If you want to know exactly when updates are installed, you
    can use this option. You’re notified when updates have been downloaded and are ready for installation
  • Check For Updates But Let Me Choose Whether To Download and Install Them: what the title says
  • Never Check For Updates: Not Recommended
Updating System with WSUS or SCCM

Testing is done on updates but not with all possible hardward and software configurations. Tools allow
administrators to control flow of updates to allow testing etc.

  • Windows Server Update Services (WSUS): Free download, can be installed to server and used to manage updates to clients
  • System Center Configuration Manager (SCCM) is an add-on product, not free and does more than WSUS. Can schedule when
    updates are deployed to clients.

SCCM has extra features but basic functionality is the same.

Using Group Policy to Configure Clients

Group policy can be used to define update settings such a automatic update settings.

Protecting Clients

Client issue examples:

  • Offline folders (how to encrypt)
  • Prevent running unauthorized applications (software restriction policies)
Understanding Offline Folders

Offlinefolders allow a user to have access to shared data while disconnected from network. When a system reconnects
it re synchronizes, users are notified in the event of merge conflicts. Offline settings can also set files as read only.

Encrypting Offline Folders

When user accesses file encrypted with EFS it is decrypted, which is fine on local machine but over network it means data is sent to client
unencrypted. Also decrypted versions of the file are cached. Offline folders can be encrypted to prevent unencrypted data from being stored.

Using Software-Restriction Policies

Create policies for what software can be run

  • Disallowed (whitelist): Blocks all from running except for exceptions in the additional rules section. Usecase: Kiosk
  • Basic User: Only allow programs that need basic user rights to run
  • Unrestricted (blacklist): Default rule, allows all software to run as long as user has permissions. Only blocks explicitly defined software.

Applocker is similar to group restriction policies but allows control of what programs can be run based on group membership. App locker only works with Vista and
Windows 7.

Software-Restriction Policy Additional Rules:

  • Path: Blocks an application from the defined path from running, includes subfolders or can just specify full path to executable.
  • Network Zone: Internet, Local Computer, Local Intranet, Restricted Sites and Trusted Sites. Can set what is allowed to run based on these.
  • Certificate: Digitally Signed applications can be run if cert is allowed, applications must be signed
  • Hash: If matches a hash algorithm not allowed, useful because name and path do not matter
Protecting Servers
Using Separate VLANs

VLAN is a managed LAN that can be created on a Layer 3 switch. Provides security and increased performance by segregating network.
This limits broadcast traffic from servers, which is more secure and also improves network performance.

Separating Services

Servers can run multiple services but should not run things that have conflicting security goals. For example domain controllers
should not also be publicly accessible web servers because DCs should be private to local network and web servers need to accept
public traffic (usually).

  • Active Directory Services: Fine to combine Active Directory Services, such as AD DS, AD CS and fine to use Active Directory Integrated DNS server.
  • Application Server: If server hosting sensitive application that acts as a firewall would not be appropriate to also host a web application etc.
  • DHCP and DNS: Ok to have both, if DNS installed on DC can be integrated with Active Directory and enable secure dynamic updates
  • Network Policy and Access Services: Services in this role provide protection and should not be combined with Active Directory Roles. Can use this role for
    VPN or NAP.
  • Fax Server, File Services, Print Services: Can be combined unless one of roles is handling sensitive information.
  • Terminal Services (Remote Desktop): Should not be installed on server hosting Active Directory Roles
  • UDDI Services (Universal Description, Discovery and Integration): Used to share information about web services in an intranet
    or on an extranet. Common to host on web server but should not be combined with Active Directory.
  • Web Server (IIS): Best to limit to only web server role, however internal services could also host file services and print services.
    Active Directory Rights Management Services use and require this role.
  • Windows Deployment Services (WDS): Deploys images of operating systems to systems in a network, common to include DHCP but not recommended
    to host any active directory roles on WDS server.

TL:DR - Active Directory roles should usually be kept separately on not publicly accessible servers.

Using Read-Only Domain Controllers

RODC useful in branch that have less physical security, if server lost of stolen does not compromise sensitive info about domain.
RODCs have a PRP (Password Replication Policy) which controls which passwords can be stored on the RODC and which ones are always
checked across a WAN link with a real DC (and will not cache it).

Domains that support RODCs include the following two special groups.

  • Allowed RODC Password Replication Group: Users added to this group automatically have their passwords cached on each RODC,
    different from the PRP which affects only a single RODC.
  • Denied RODC Password Replication Group: Includes Enterprise Admins and Domain Admins, users in this group will never have passwords cached on RODC.
Exploring DNS Security Issues

Record Types:

  • A (Host) Records: Resolve a host name to an IP
  • PTR: Resolves an IP to a hostname
  • SRV (Service): Identifies computers running services such as domain controller etc
  • SPF (Sender Policy Framework): Identifies systems authorized to send email for a domain, prevents spam and email spoofing
Protecting Against Email Spoofing with SPF records

If no SPF record matches sender most email servers will just assume mail is spam/spoofed and discard it. If no SPF
record exists it is much easier to spoof email

Understanding Dynamic Updates

In microsoft networks a client can pull a different IP with DHCP so uses dynamic DNS records to keep track of clients (A records)

Using Secure Dynamic Updates
  • Only authenticated clients can create DNS records (must first authenticate to AD domain)
  • Can assign permissions to DNS zones as added layer of control

Secure Dynamic Updates Require:

  • DNS Zone must be an Active Directory Integrated Zone
  • DNS Must be installed on a Domain Controller, if DNS is running on another member server can only create primary
    and secondary zones

Chapter Review Questions:

  1. What causes the Windows 7 Desktop to dim when a user attempts an action requiring administrative approval?
  2. True or false: If files are encrypted on a server using EFS, they’re automatically encrypted when a user uses offline folders.
  3. Which of the following can’t be used to update a system?
    a. Automatic Updates
    b. WSUS
    c. SCCM
    d. DNS
  4. True or false: You can use Group Policy to configure all comptuers in a domain to use automatic updates?
  5. True or false: After Microsoft has released security updates, clients are no longer vulnerable to the exploits that the updates resolve?
  6. What kind of DNS records resolves and IP address to a host name?
    a. A record
    b. PTR record
    c. SPF record
    d. MX record
  7. You want to deploy a domain controller to a branch office. However the branch office has very little physical security. What should you do?
    a. Don’t deploy the domain controller
    b. Deploy DNS with the domain controller, and use secure dynamic updates
    c. Deploy a RODC
    d. Remove Administrator accounts before deploying the domain controller.
  8. True or false: You should separate DNS from Active Directory Domain Services for enhanced security?
  9. True or false: You should separate Terminal Services from Active Directory Domain Services for enhanced Security?
  10. True or false: You can enable secure dynamic updates only on DNS servers installed on a domain controller.


  1. User Account Control (UAC)
  2. False
  3. d
  4. True
  5. False
  6. b
  7. c
  8. False
  9. True
  10. True

Relevant sections of Certification Exam

Understanding Network Security, Understanding Security Software

Updating Desktop Hardware

Out of the desktop hardware loop

Old Specs:

  • Motherboard: ASRock z77 Extreme4 (LGA 1155)
  • RAM: Corsair Vengence 4GB (x4) 1600 MHz DDR3
  • CPU: Intel Core i5 2500k 3.7 GHz
  • GPU: Gigabyte GTX 970 WF3
  • Cooling: Noctua NH-D14

Motherboard died (tried multiple power supplies and removal of hardware to troubleshoot, wont post at all).
So I am salvaging what I can and looking to upgrade.
I have been out of the PC hardware market for so long that it was kind of
intimidating to look at what was out there. I decided it was time to review what
my requirements looking forward for new hardware would be and what might meet my needs.

What am I doing?

Besides games, which I am not really playing that much in the past few years
most of my issues were with RAM and CPU speed. Running multiple VMs for school
is quite common and I have had a few sticks of RAM go bad over the years, I have
been running on 8GB for a few years and it has been painful.


  • Virtual Machines (Windows Server, Kali, Ubuntu)
  • Application and Web Development: Android Studio, Jetbrains IDEs etc
  • Firefox with tons of tabs open

Aiming for 16GB of RAM


I dont need a new GPU, case, PSU, SSDs etc. I just need: motherboard, cpu, ram

Budgeting $700

WTF is a ryzen/threadripper/coffee lake

AMD has apparently become relevant again which makes this decision much harder.
Intel is traditionally more expensive and I would like to support more competition
in this market so lets take a look at what AMD is offering these days.

Ryzen 5 seems to be the competitor for the 7th gen Intel core i5 so lets check it out.


From reading these two appear to be what I am looking for:

  • X370 (Enthusiast)
  • B350 (Mainstream)

I think pretty much everything now has UEFI BIOS so that is good

First Pass:


  • CPU: AMD - Ryzen 5 1600X 3.6GHz 6-Core Processor $283.99 Amazon Canada
  • Motherboard: Asus - STRIX B350-F GAMING ATX AM4 Motherboard $145.00 Vuugo ($20.00 mail-in rebate)
  • Memory: Corsair - Vengeance LPX 16GB (2 x 8GB) DDR4-3000 Memory $219.99

Total: $648.98

Still on budget

98-367 Chapter Five

Chapter 5: Using Audit Policies and Network Auditing

Topics Covered:

  • Exploring audit policies
  • Enabling auditing
  • Viewing audit information
  • Managing security logs
  • Auditing a network with MBSA

Auditing: tracking/recording something. Could be activies or vulnerabilities.

Exploring Audit Policies

Three As of Security (AAA): Authentication, authorization, and accounting

Reliable accountability provides non-repudiation: prevents someone from denying they took an action.

Auditing can be enabled for both Success and Failure events.

Default Audit Policies

These audit settings are the default for all servers

Audit Policy Setting Default Behaviour Comments
Object Access No events recorded Records access to objects such as NTFS files, printers. Auditing must also be enabled on object
Logon Successful events recorded User logs in locally or access a resource over network
Account Management Successful events recorded Records creation, modification, deletion of user accounts and groups
System Events Successful if a domain controller Records when user restarts or shuts down a system, also any action that affects system security such as audit log
Privilege Use No events recorded Records the use of specific user rights eg. user takes ownership of a file
Policy Change Successful if a domain controller Records changes to User Rights Assignment, Audit or Trust policies
Process Tracking No events recorded Records events such as program activation, process exit etc.
Domain Controller Specific Audit Policies
Audit Policy Setting Default Behaviour Comments
Account Logon Successful events recorded Authenticates to Active Directory
Directory Service Access Successful events recorded Records access to any Active Directory object (only works if auditing is also enabled on object)
Logon vs Account Logon

Logon IS NOT THE SAME AS Account Logon. Account Logon is Active Directory Authentication only. Logon is local and any network logons

Exploring Object Access Auditing

Object access auditing has to be enabled in two places to work:

  • Audit Policy
  • System Access Control List (SACL) for the object

Cant use auditing on FAT based filesystem

Exploring Directory Service Access Auditing

Directory Service Access Auditing allows for audit logging when any active directory object is accessed. Setting is
only available on domain controllers or Active Directory hosts as they contain these databases.

This auditing, similar to Object Access auditing must be turned on in two places. First in audit policy setting, then
on specific object to be audited.

Windows Server 2008 introduced feature to log events in easier to interpret ways such as listing accounts by name
not by GUID etc.

Understanding Account Management Auditing

Account management auditing tracks account modifications on a local system by monitoring the SAM account database.
If enabled on an active directory domain controller it tracks changes to accounts in active directory.

Account management auditing can track changes to User Accounts, Groups and Computer Accounts (not in AD, local only to SAM file)

Understanding System Events Auditing

System events such as shutdowns, reboots etc can be logged for audit. Many attackers will attempt to clear logs to
erase tracks. The clearing of the log will be entered as an event so an admin will at least know if log has been tampered with.
Logs should be regularly archived and cleared so an attacker cannot clear out all information. Event subscriptions forward events
from one server to another.

Unscheduled reboots should be investigated as an attacker could use a bootable drive etc to access information they should not have.

Understanding Privilege Use Auditing

Priviledge Use auditing records when users exercise specific rights. Many events that do require priv are not logged for
performance reasons (log would fill up very quickly).

Understanding Policy Change Auditing

This type of auditing records changes to policies. Default on domain controllers is to record successful events.

Understanding Process Tracking

Records events related to applications and processes, can be good for debugging. Not used by admins very much but
developers may find it very useful.

Enabling Auditing

Enable local system auditing though local security policy. For multi system auditing use group policy.

Enabling Object Access Auditing

Auditing can be enabled for any file or folder on an NTFS drive. First enable policy then enable auditing on desired object.
Inheritance works the same for auditing as it does for permissions.

Enabling Directory Service Access Auditing

If enabled need to also enable auditing on specific objects in AD and select what should be audited.

Viewing Audit Information

Security log can get quite large, important to filter for specific events to find relevant information. Event ID lists are online
as there are thouands of codes and difficult to remember them all.

Managing Security Logs

Max sizes should be set and if logs need to be retained they should be archived. Settings such as overwrite as needed, archive when full
or do not overwrite, clear manually can define behaviour. Events can be forwarded to other systems using event subscriptions
allows monitoring at a single place vs reading logs on all computers independently.

Securing Audit Information

Important logs are kept/archived and not modified. Some ways to do this:

  • Create Backups
  • Store on another server
  • Store on WORM media (Write Once Read Many)
  • Protect logs with permissions
  • Enable Auditing on Archived files

Some industries may have very strict legal guidelines regarding logs.

Auditing a Network with MBSA

Microsoft Baseline Secutiry Analyzer checks systems for unpatched vulnerabilities, weak passwords, administrative vulnerabilities
, SQL vulnerabilities and security updates. It can scan IP ranges etc to ensure all machines on network are tested.

Chapter Review Questions:

  1. What are the three As (AAA) of security?
    a. Authentication, authorization and accounting
    b. Authentication, accountability and accounting
    c. Accountability, access control and accounting
    d. Authorization, access control and auditing

    1. True or false: If you want to auditing all access to a folder, all you have to do is enable Object Access auditing in the Audit Policy.

    2. Which Audit Policy selection records any time a user logs onto a local system
      a. Logon Events
      b. Account Logon Events
      c. System Events
      d. Process Tracking

  2. Which audit policy selection records modifications to Active Directory?
    a. Privilege Use
    b. Account Management Events
    c. Directory Service Access
    d. Policy Change

  3. If you want to ensure that an audit-log entry records each time a system is shut down, you should enable successful entries for _

  4. What tool can you use to view audited events?

  5. Which of the following choices can be used to automatically collect events on a single server from multiple servers?
    a. Process Tracking Events auditing
    b. MBSA
    c. Automatic archiving
    d. Event subscriptions

  6. True or false: You can secure audit logs with WORM media.

  7. Where can you get MBSA?

  8. True or false: MBSA can detect weak passwords for accounts on Microsoft Systems


  1. a
  2. false
  3. a
  4. c
  5. System Events
  6. Event Viewer
  7. d
  8. true
  9. Microsoft Website
  10. true

Relevant sections of Certification Exam

Understanding Operating System Security, Understanding Audit Policies, Understanding Server Protection,

98-367 Chapter Four

Chapter 4: Securing Access with Permission

Topics Covered:

  • Comparing NTFS permissions
  • Exploring share permissions
  • Identifying Active Directory permissions
  • Assigning Registry Permissions

Permissions are the primary method of restricting access to resources in a Microsoft Domain.

Permissions can be assigned via:

  • NTFS drives/shares
  • Active Directory Objects
  • Registry

Many permission concepts for theses resources. Each can be configured as Allow or Deny, can inherit permissions from parent to child.
In NTFS drives/shares a child could be a file or subfile, in AD and registry also have child objects.

Basic NTFS Permissions
  • Read: can read contents of a file or folder
  • Read & Execute: read contents of file or folder, if it is an executable program use can start (execute) it
  • List folder contents: Applies to folders, grants permissions to list items in folder and child folders
  • Write: Permissions to make and save changes to file, add file to folder. Cannot delete files just with this permission
  • Modify: Granted all Read and Write permissions + ability to delete files and folders
  • Full control: All permissions including advanced permissions
Advanced NTFS Permissions
  • Full Control: Includes all 13 permissions. Includes Change Permissions and Take Ownership. These two cannot be assigned independently.
  • Traverse Folder/Execute File: access child folders even if dont have permission to access parent folder. For File: can run file
  • List Folder/Read Data: Can read file and folder names within a folder. Open and read contents of file
  • Read Attributes: View values of Read-Only and Hidden etc.
  • Read Extended Attributes: can view extended attributes provided by some applications
  • Creates files/Write data: for folders: create files in a folder but not delete them. For files: modify contents of a file but not delete entire file.
  • Create folders/append data: folders: create folders within the folder. file: add data to end of file but cannot modify existing data.
  • Write Attributes: can change basic attributes of a file
  • Write Extended Attributes: can change extended attributes of a file
  • Delete subfolders and Files: delete subfolders and files within a folder
  • Delete: can delete a file or an empty folder
  • Read Permissions: read permissions assigned to file or folder
  • Take Ownership: become the owner, who can assign permissions to anyone else
Combining Permissions

Easier to assign permissions to groups then add and remove users from those groups. Users can belong to many groups. Users
get cumulative permissions of all groups they are in. If any permission is set to Deny then this takes precidence over other permissions.
Example one group has read and the other is denied read, user is denied read.

Enabling/Disabling Permission Inheritance

Dimmed permissions mean they are inherited and cannot be modified until inheritance is disabled. Permissions assigedat the drive level
are inherited by all root folders on the drive.

When disabling inheritance have three options:

  • Copy: copies all inherited permissions which can then be modified
  • Remove: All inherited permissions are removed (only removes inherited permissions, directly assiged ones will remain)
  • Cancel: cancels request and makes no changes
Moving and Copying Files

If file is moved (copied is different) within the same partition (same drive letter) explicitly assigned permissions remain.
Any other time permissions are inherited from the new location and original permissions are lost.

Move from C:\Data to C:\Art -> keeps permissions
Copy from C:\Data to C:\Art -> original permissions lost
Move from C:\Data to D:\Sales -> original permissions lost
Copy from C:\Data to D:\Audit -> original permissions lost


FAT has no security, FAT32 uses 32 bits to address file and therefore cannot address files larger than 4GB

Share Permissions

Folder or file is shared with others on network. Can be shared through mapped drives or UNC (Universal Naming Convention).
UNC format: \servername\sharename

Shares only have three permissions and only apply when accessing over network, do not apply if file is accessed locally.

  • Read: read and files or folders in the share
  • Change: can read, write, modify and delete files and folders (same as NTFS modify)
  • Full control: Do anything, includes changing permissions

Some versions of windows server also allow assigning roles (permission groups) to users.

Combining NTFS and Share Permissions

When accessing share over network both share and NTFS permissions are applied. Three steps to determine combine permissons:

  • Determine cumulative NTFS permissions
  • Determine cumulative share permissions
  • Identify which permissions are more restrictive

The more restrictive permissions are the ones used. Share permissions only apply over network though so when accessed locally
only NTFS permissions are used.

Active Directory Permissions

Active directory has objects to represent resources, groups, computers, users etc. These objects are organized
using OUs (organizational units) and simple containers. Could have an OU for sales dept and one for IT. Computer and user objects could
then be placed in the appropriate OU. Permissions can be applied to OUs to allow users and groups to do/access things.

Comparing NTFS and Active Directory Permissions

Both have:

  • Cumulative permissions: if belong to many groups have the total permissions of all groups
  • Deny takes precidence
  • Permissions are inherited: Permissions assigned to an OU or container are inherited by all objects in the OU or container. Includes child OUs
  • Inheritance can be disabled: similar process to disabling NTFS permissions
Active Directory Permissions
  • Full Control: do anything
  • Read: view object and its properties
  • Write: modify properties of object. Includes renaming user account and resetting user password
  • Create all child objects: create objects such as new users, computers, groups and child OUs
  • Delete all child objects: delete any objects in the container
  • Generate resultant set of policy (logging): determine which settings apply to a specific user when logged into a specific computer.
  • Generate resultant set of policy (planning): pose what ifs and determine resulant group policy settings.

Active directory has thousands of advanced permissions, unlike NTFS advanced which only has 13.

Assigning Registry Permissions

Registry is a database of settings used in windows


  • HKEY_CURRENT_USER: stores user profile for user logged into local system. Profile contains environment variables, desktop settings etc.
  • HKEY_USERS: profile information for all user profile data on system
  • HKEY_LOCAL_MACHINE: info about local machine such as hardware, memory, devices etc
  • HKEY_CURRENT_CONFIG: hardware info used to start up the system
  • HKEY_CLASSES_ROOT: info about applications and file associations

Permissions can be assigned by right clicking keys.

Chapter Review Questions:

  1. True or false: If a user is granted the basic Read Permission for a folder, the user can read both basic and extended attributes
  2. Maria is a member of the Finance group and the Budget group. The Finance group is granted modify permissions for an NTFS
    folder called Funding. The Budget group is granted the Read permission for the same folder. What is Maria’s permission to the Funding Folder?
    a. Impossible to determine
    b. Read
    c. Modify
    d. Full control
  3. True or false: the difference between modify and write permissions is that users with write permissions can delete files, but users with modify
    permissions cant delete files.
  4. A user is assigned Allow Full Control to a file as a member of a group. The same user is assigned Deny Full Control as a member of
    another group. What permission does the user have?
    a. None. Deny takes precidence
    b. Allow Full Control
    c. Denied Full Control, but allowed read
    d. Denied Full Control, unless the user is an administrator, in which case allow full control
  5. If a user is granted Full control permissions for a folder, the user also has Full Control permissions to files in the folder because of __?
  6. Permissions assigned to the C:\Projects folder are Full Control for the IT group. Permissions assigned to the C:\Budget folder are Full Control
    for the Finance group. You copy the costs.xlsx document from C:\Projects to C:\Budget. What is the permission for this document?
    a. Unable to determine
    b. IT group full control
    c. Finance group full control
    d. Both groups full control
  7. Permissions assigned to the C:\Projects folder are Full Control for the IT group. Permissions assigned to the D:\Budget folder
    are full control for the Finance Group. You move the costs.xlsx document from C:\Projects to D:\Budget. What is the permission for this document?
    a. Unable to determine
    b. IT group full control
    c. Finance group full control
    d. Both groups full control
  8. The NTFS permissions assigned to the C:\Projects folder are Full Control for the IT group. The folder is shared and the Share permissions
    are Read for the Finance Group. What permissions do members of the finance group have when accessing the share?
    a. Unable to determine
    b. Read
    c. Full control
    d. Unrestricted Read
  9. True or false: You can assign permssions for a group giving them the ability to reset passwords for user accounts within a specific OU.
  10. True or false: Permission inheritance is enabled by default for all keys in the Registry


  1. True. Basic read permission includes Read Data, Read Permissions, Read Attributes and Read Extended Attributes
  2. c. Permissions are cumulative so effective permissions are modify
  3. False
  4. a
  5. inheritance
  6. c
  7. c
  8. b
  9. True
  10. False

Relevant sections of Certification Exam

Understand Permissions: Comparing NTFS Permissions, Exploring Share Permissions, Identifying Active Directory Permissions, Assigning Registry Permissions