Course 2150

40 hours

Introduction

This course provides students with the knowledge and skills necessary to design a security framework for small, medium, and enterprise networks by using Microsoft Windows 2000 technologies. This course contains four units that describe how to help protect specific areas of the network:

  • Unit 1, Providing Security-Enhanced Access to Local Network Users
  • Unit 2, Providing Security-Enhanced Access to Remote Users and Remote Offices
  • Unit 3, Providing Security-Enhanced Access Between Private and Public Networks
  • Unit 4, Providing Security-Enhanced Access to Partners

Objectives

After completing this course, students will be able to:

  • Identify the security risks associated with managing resource access and data flow on the network.
  • Describe how key technologies within Windows 2000 are used to help protect a network and its resources.
  • Plan a Windows 2000 administrative structure so that permissions are granted only to appropriate users.
  • Plan an Active Directory™ directory service structure that facilitates security-enhanced and verifiable user account creation and administration.
  • Define minimum security requirements for Windows 2000–based domain controllers, application servers, file and print servers, and workstations.
  • Design a strategy to help protect local storage of data and provide security-enhanced network access to file and print resources.
  • Design end-to-end security for the transmission of data between hosts on the network.
  • Design a strategy to help provide security-enhanced access for non-Microsoft clients within a Windows 2000–based network.
  • Design a strategy to help protect local resources accessed by remote users who use dial-up or virtual private network (VPN) technologies.
  • Design a strategy to help protect local resources accessed by remote offices within a wide area network (WAN) environment.
  • Help protect private network resources from public network users.
  • Design a strategy to help protect private network user access to public networks.
  • Design a strategy for authenticating trusted users over public networks.
  • Design a strategy to help protect data and application access for the private network when accessed by trusted partners.
  • Plan for an e-commerce implementation between your organization and external business partners that facilitates business communication.
  • Design a structured methodology for securing a Windows 2000 network.

Prerequisites

Before attending this course, students must have:

  • Working knowledge of Windows 2000 Directory Services
  • Completion of Course 1560, Upgrading Support Skills from Microsoft Windows NT 4.0 to Microsoft Windows 2000

OR

  • Completion of Course 2154, Implementing and Administering Windows 2000 Directory Services

OR

  • Equivalent knowledge

Microsoft Certified Professional Exams

This course will help the student prepare for this Microsoft Certified Professional exam:

  • Exam 70-220, Designing Security for a Microsoft Windows 2000 Network

Course Materials

The student kit includes a comprehensive workbook and other necessary materials for this class.

The following software is provided in the student kit.

  • Windows 2000 Advanced Server
  • Network Monitor 2.0 (for classroom use)

Course Outline

Module 1: Assessing Security Risks

Topics:
  • Identifying Risks to Data
  • Identifying Risks to Services
  • Identifying Potential Threats
  • Introducing Common Security Standards
  • Planning Network Security
Skills:

Students will be able to:

  • Describe the potential risks to different types of stored data.
  • Describe the potential risks from a denial of service.
  • Describe potential threats against network security.
  • Describe common industry standards for measuring network security.
  • Discuss methodologies to help protect a Windows 2000 network.

Module 2: Introducing Windows 2000 Security

Topics:
  • Introducing Security Features in Active Directory
  • Authenticating User Accounts
  • Securing Access to Resources
  • Introducing Encryption Technologies
  • Encrypting Stored and Transmitted Data
  • Introducing Public Key Infrastructure Technology
Skills:

Students will be able to:

  • Describe how security features in Active Directory provide a framework for designing a security-enhanced Windows 2000 network.
  • Describe the authentication methods that Windows 2000 provides for user and computer accounts.
  • Identify the methods that can be used to help protect resource access in Windows 2000 networks.
  • Identify the encryption technologies that Windows 2000 supports.
  • Describe how encryption technologies are used to help protect stored and transmitted data in a Windows 2000 network.
  • Describe how a Public Key Infrastructure (PKI) can be used to create a security-enhanced network.

Unit 1: Providing Security-Enhanced Access to Local Network Users

Module 3: Planning Administrative Access

Topics:
  • Determining the Appropriate Administrative Model
  • Designing Administrative Group Strategies
  • Planning Local Administrative Access
  • Planning Remote Administrative Access
Lab:
  • Planning Security-Enhanced Administrative Access
Skills:

Students will be able to:

  • Select an administrative model for an organization.
  • Plan memberships in Windows 2000 administrative groups.
  • Plan security-enhanced local administrative access to the network.
  • Plan security-enhanced remote administrative access to the network.

Module 4: Planning User Accounts

Topics:
  • Designing Account Policies and Group Policy
  • Planning Account Creation and Location
  • Planning Delegation of Authority
  • Auditing User Account Actions
Lab:
  • Planning a Security-based OU Structure
Skills:

Students will be able to:

  • Design an account policy and Group Policy strategy for user accounts.
  • Plan for the creation and location of user accounts within the domain and organizational unit (OU) structure.
  • Plan delegation of authority to user accounts.
  • Design an audit strategy that will track changes made to objects in Active Directory.

Module 5: Securing Windows 2000–Based Computers

Topics:
  • Planning Physical Security for Windows 2000–based Computers
  • Evaluating Security Requirements
  • Designing Security Configuration Templates
  • Evaluating Security Configuration
  • Deploying Security Configuration Templates
Labs:
  • Analyzing a Security Template
  • Designing Customized Security Templates
Skills:

Students will be able to:

  • Plan physical measures to help protect Windows 2000–based computers.
  • Evaluate the security requirements for Windows 2000–based computers with respect to their roles in the network.
  • Design security configuration templates to enforce security settings.
  • Evaluate the existing security configuration of a Windows 2000–based computer.
  • Determine how to deploy security templates in a Windows 2000 network.

Module 6: Securing File and Print Resources

Topics:
  • Examining Windows 2000 File System Security
  • Protecting Resources Using DACLs
  • Encrypting Data Using EFS
  • Auditing Resource Access
  • Helping Protect Backup and Restore Procedures
  • Helping Protect Data from Viruses
Labs:
  • Managing EFS Recovery Keys
  • Planning Data Security
Skills:

Students will be able to:

  • Describe the security provided in the file systems supported by Windows 2000.
  • Design a security strategy to help protect data such as files, folders, print resources, and the registry by using discretionary access control lists (DACLs).
  • Design a strategy for the protection and recovery of file resources encrypted with Encrypting File System (EFS).
  • Design an audit strategy to monitor file and print resource access.
  • Design a security-enhanced backup and restore procedure that allows for disaster recovery.
  • Plan for virus protection in a network security design.

Module 7: Securing Communication Channels

Topics:
  • Assessing Network Data Visibility Risks
  • Designing Application-Layer Security
  • Designing IP-Layer Security
  • Deploying Network Traffic Encryption
Lab:
  • Planning Transmission Security
Skills:

Students will be able to:

  • Assess potential risks to transmitted data on the network wire in the local area network (LAN).
  • Design a strategy to help provide authentication and data privacy by applying security at the application layer.
  • Design a strategy to help provide authentication and data privacy by applying security at the Internet Protocol (IP) layer.
  • Design an Internet Protocol Security (IPSec) strategy for encrypting private network data transmissions.

Module 8: Providing Security-Enhanced Access to Non-Microsoft Clients

Topics:
  • Providing Security-Enhanced Network Access to UNIX Clients
  • Providing Security-Enhanced Network Access to NetWare Clients
  • Providing Security-Enhanced Access to Macintosh Clients
  • Helping to Protect Network Services in a Heterogeneous Network
  • Monitoring for Security Breaches
Lab:
  • Securing Telnet Transmissions
Skills:

Students will be able to:

  • Identify the risks associated with allowing UNIX clients access to a Windows 2000 network.
  • Identify the risks associated with allowing NetWare clients access to a Windows 2000 network.
  • Identify the risks associated with allowing Macintosh clients access to a Windows 2000 network.
  • Help protect common network services that are operating in a heterogeneous network.
  • Monitor a heterogeneous network for security breaches and identify the risks of unauthorized network monitoring.

Unit 2: Providing Security-Enhanced Access to Remote Users and Offices

Module 9: Providing Security-Enhanced Access to Remote Users

Topics:
  • Identifying the Risks of Providing Remote Access
  • Designing Security for Dial-Up Connections
  • Designing Security for VPN Connections
  • Centralizing Remote Access Security Settings
Lab:
  • Using RADIUS Authentication
Skills:

Students will be able to:

  • Identify the risks associated with providing network access to remote users.
  • Design a security-enhanced network for remote users who access the network by using dial-up connections.
  • Design a security-enhanced network for remote users who access the network by using VPN connections.
  • Design a security-enhanced network for remote users by centralizing the security configuration of remote access servers.

Module 10: Providing Security-Enhanced Access to Remote Offices

Topics:
  • Defining Private and Public Networks
  • Helping Protect Connections Using Routers
  • Helping Protect VPN Connections Between Remote Offices
  • Identifying Security Requirements
Labs:
  • Planning Security-Enhanced Connections for Remote Offices
Skills:

Students will be able to:

  • Describe the difference between a private network and a public network.
  • Plan a security-enhanced connection between two remote networks by using routers.
  • Plan a security-enhanced connection between two remote networks by using a VPN.
  • Identify the security requirements that must be considered while planning security-enhanced connections between remote offices.

Unit 3: Providing Security-Enhanced Access Between Private and Public Networks

Module 11: Providing Security-Enhanced Network Access to Internet Users

Topics:
  • Identifying Potential Risks from the Internet
  • Using Firewalls to Help Protect Network Resources
  • Using Screened Subnets to Help Protect Network Resources
  • Helping to Protect Public Access to a Screened Subnet
Lab:
  • Designing a Screened Subnet
Skills:

Students will be able to:

  • Analyze the potential threats that are introduced when a private network is connected to the Internet.
  • Design a firewall strategy to help protect private network resources.
  • Design a security-enhanced method for exposing private network resources to the Internet.
  • Plan to help protect public access to a screened subnet.

Module 12: Providing Security-Enhanced Internet Access to Network Users

Topics:
  • Helping Protect Internal Network Resources
  • Planning Internet Usage Policies
  • Managing Internet Access Through Proxy Server Configuration
  • Managing Internet Access Through Client-Side Configuration
Lab:
  • Securing the Internal Network When Accessing the Internet
Skills:

Students will be able to:

  • Design a strategy to help protect private network resources from the public network.
  • Plan which users, computers, and protocols are allowed access to the Internet.
  • Design the Microsoft Proxy Server settings for maintaining security when local network users access the Internet.
  • Design the client-side requirements for maintaining security when local network users access the Internet.

Unit 4: Providing Security-Enhanced Access to Partners

Module 13: Extending the Network to Partner Organizations

Topics:
  • Providing Access to Partner Organizations
  • Securing Applications Used by Partners
  • Securing Connections Used by Remote Partners
  • Structuring Active Directory to Manage Partner Accounts
  • Authenticating Partners from Trusted Domains
Lab:
  • Planning Partner Connectivity
Skills:

Students will be able to:

  • Describe the connection methods that can be used to provide access to partner organizations.
  • Describe the ways to provide security-enhanced access to data, applications, and communications shared with trusted partners.
  • Design a security-enhanced framework that allows partners to use tunnel connections, dial-up connections, and Terminal Services to access the private network.
  • Design an Active Directory directory service structure for partners.
  • Design a framework for authenticating partners from trusted domains.

Module 14: Designing a Public Key Infrastructure

Topics:
  • Introducing a Public Key Infrastructure
  • Using Certificates
  • Examining the Certificate Life Cycle
  • Choosing a Certification Authority
  • Planning a Certification Authority Hierarchy
  • Mapping Certificates to User Accounts
  • Managing CA Maintenance Strategies
Lab:
  • Using Certificate-based Authentication
Skills:

Students will be able to:

  • Describe the basic components of a PKI.
  • Define how certificates can be used in a PKI to certify applications and services.
  • Define the basic functions of certificates within a certificate life cycle.
  • Choose between public and private certification authorities (CAs).
  • Plan a hierarchy for organizing CAs in a network.
  • Use certificate mapping to apply user permissions to users who are not included in your organization’s Active Directory directory service.
  • Plan recovery and maintenance strategies for CAs.

Module 15: Developing a Security Plan

Topics:
  • Designing a Security Plan
  • Defining Security Requirements
  • Maintaining the Security Plan
Lab:
  • Developing a Security Plan
Skills:

Students will be able to:

  • Design a security plan that will meet the security requirements of an organization.
  • Define the security requirements for local and remote networks, public and private networks, and trusted business partners.
  • Develop strategies to maintain the network security plan.



©iTek Corporation. 2005  All rights reserved.