Archive for January, 2009

642-691 CCIP BGP + MPLS Exam

Wednesday, January 21st, 2009

If you are familiar with other user databases, you will probably be surprised to learn that every object within Active Directory can have unique permissions assigned. Just as each folder and file in a file system has its own permissions, each organizational unit (OU) and user in Active Directory has permissions.

This isn’t the case with the local user database present in Windows Server 2003 member computers. However, Active Directory is much more than a simple user database, and configuring object permissions is important not only for security reasons, but to ease management of Active Directory.

The most common permissions-related task is to delegate administrative control over portions of Active Directory. This reduces the workload placed on a single administrator because other members of the support team can manage portions of Active Directory without your handing them the keys to the corporate network. The most efficient way to assign permissions to objects in Active Directory is to open the Active Directory Users And Computers console, right-click the object, and then click Delegate Control. You can also assign permissions to objects by using ADSI Edit. To use ADSI Edit, open a blank Microsoft Management Console (MMC) console and add the ADSI Edit snap-in.

Following are the standard permissions that can be applied to Active Directory objects:

Full Control. Users can perform any action on the Active Directory object, including creating and deleting new child objects and modifying permissions.

Read. Users can view all object properties, the object permissions, and the object’s contents (if any).

Write. Users can edit object properties.

Create All Child Objects. If the object is a container, such as an organizational unit, users can create any type of child object in the container. You can use special permissions to limit the types of objects that a user can create. For example, special permissions can be used to allow a user to create users, but not groups or computers.

Delete All Child Objects. If the object is a container, such as an organizational unit, users can delete any type of child object in the container. You can use special permissions to limit the types of objects that a user can delete. For example, special permissions can be used to allow a user to delete users, but not groups or computers.

Special Permissions. There are more than twenty special permissions that can be assigned to a user or group. This permission shows as selected if the set of selected special permissions does not match a standard permission.

Microsoft MB7-515 certification demo

Monday, January 19th, 2009

Before taking the exam, review the key topics and terms that are presented in this chapter. You need to know this information.

Key Topics
Understand when it is appropriate to use SSL certificates to protect communications.

Know the advantages and disadvantages of publicly and privately issued certificates.

Explain how client certificates can be used to authenticate users.

Be able to configure SSL certificates to encrypt Web, LDAP, SQL, and e-mail communications.

Applications can use SSL to provide authentication, data integrity, and encryption for network communications.

When an SSL session is established, the client retrieves the server’s public key and uses it to encrypt a shared secret. The shared secret is then used to encrypt the rest of the session.

SSL and IPSec provide similar functionality. However, SSL is more commonly used on the Internet because it does not require the client to have a public key certificate.

You can obtain SSL certificates from public CAs or issue them yourself by using Windows Server 2003 Certificate Services.

When SSL is used to protect a session, the communications use a different TCP port number. You will have to reconfigure your firewall to allow traffic on the different port number.

Although only the server requires an SSL certificate to establish an HTTPS session, you can use client certificates to authenticate users.

Allowing LDAP queries to be encrypted requires only enrolling the domain controllers with a computer certificate. No manual configuration is required.

SSL certificates can be used to encrypt SQL queries. However, encryption must either be required on the computer running SQL Server or enabled in the SQL client application configuration.

The best way to encrypt messaging communications is to install a computer certificate on the mail server and then configure the mail clients to use SSL encryption.

MB3-527 Deploying, Configuring, and Managing SSL Certificates

Monday, January 19th, 2009

Deploy, manage, and configure Secure Sockets Layer (SSL) certificates, including uses for Hypertext Transfer Protocol Secure (HTTPS), Lightweight Directory Access Protocol (LDAP) over SSL (LDAPS), and wireless networks. Considerations include renewing certificates and obtaining self-issued certificates instead of publicly issued certificates.

Obtain self-issued certificates and publicly issued certificates.

Install certificates for SSL.

Renew certificates.

Configure SSL to secure communication channels. Communication channels include client computer to Web server, Web server to Microsoft SQL Server computer, client computer to Active Directory domain controller, and e-mail server to client computer.

Cisco 310-055 Configuring Authentication with Certificates or Smart Cards

Monday, January 19th, 2009

Enabling EAP authentication might or might not be enough to allow your users to authenticate with a smart card or public key certificate. If you are using an enterprise CA and your Routing And Remote Access servers are members of the same domain, they will be automatically configured to allow EAP authentication for certificates signed by the enterprise CA. To verify that certificate or smart card authentication is enabled for a remote access policy, follow this procedure:

  1. Open the Routing And Remote Access console.

  2. In the left pane, expand the server node, and then click Remote Access Policies.

  3. In the right pane, right-click the RAP that applies to the users who will authenticate with certificates, and then click Properties. If the RAP does not yet exist, create one.

  4. Click Edit Profile, and then click the Authentication tab.

  5. Click the EAP Methods button.

    The Select EAP Providers list appears.

  6. If Smart Card Or Other Certificate is not listed in the EAP Types list, click Add. Click Smart Card Or Other Certificate, and then click OK.

  7. Click Smart Card Or Other Certificate, and then click Edit.

  8. Click the Certificate Issued To list, and then click the certificate you will use to identify the Routing And Remote Access server. Click OK four times.

If your certificates are not issued by an enterprise CA, or if your computer has more than one certificate, you should add a remote access policy specifically for authenticating users with a smart card or other certificate. To do so, follow this procedure:

  1. Open the Routing And Remote Access console.

  2. In the left pane, expand the server node. Right-click Remote Access Policies, and then click New Remote Access Policy.

    The New Remote Access Policy Wizard appears.

  3. Click Next.

  4. On the Policy Configuration Method page, in the Policy Name box, type a name for the policy. Click Next.

  5. On the Access Method page, click either VPN or Dial-Up. Click Next.

  6. On the User Or Group Access page, select your preferred authorization method. Click Next.

  7. On the Authentication Methods page, select Extensible Authentication Protocol (EAP). Click the Type list, and then click Smart Card Or Other Certificate.

  8. Click the Configure button. Click the Certificate Issued list, and then click the certificate you will use to identify the Routing And Remote Access server. Click OK.

  9. Clear Microsoft Encrypted Authentication Version 2 (MS-CHAPv2). Click Next.

  10. On the Policy Encryption Level page, select the encryption levels you want to allow. Click Next, and then click Finish.

  11. In the left pane, click Remote Access Policies. In the right pane, right-click the new policy, and then click Properties.

  12. Click Grant Remote Access Permission, and then click OK.

156-215.1 exam certification study guides

Monday, January 19th, 2009

MS-CHAP v1
The Windows Server 2003 family includes support for MS-CHAP v1. MS-CHAP v1 is a one-way authentication method offering both authentication encryption and data encryption. However, this encryption is relatively weak because MS-CHAP v1 bases the cryptographic key on the user’s password and will use the same cryptographic key as long as the user has the same password. This gives an attacker more data with which to crack the encryption, making the cryptography weak.

MS-CHAP v1’s sole advantage is that it is supported by earlier Windows clients, such as Windows 95 and Windows 98, without additional software upgrades. By default, Windows Server 2003 Routing And Remote Access will accept MS-CHAP v1 authentication if the client requests it, enabling clients that haven’t been upgraded to connect successfully. You can choose to disable this authentication method if all clients can use MS-CHAP v2.

MS-CHAP v2
The Windows Server 2003 family includes support for MS-CHAP v2, the preferred method for authenticating remote access connections that do not use smart cards or public key certificates. Unlike MS-CHAP v1, MS-CHAP v2 authenticates both the client and the server. Additionally, MS-CHAP v2 uses much stronger cryptography than MS-CHAP v1, including the use of a new cryptographic key for each connection and each direction of transmission.

If you do not change any of the default settings, Windows VPN remote access clients will use MS-CHAP v2 to authenticate. Windows 95 with the Windows Dial-Up Networking Performance & Security Upgrade supports MS-CHAP v2, but only for VPN connections, not for dial-up connections. MS-CHAP (version 1 and version 2) is the only authentication protocol provided with the Windows Server 2003 family that supports password change during the authentication process. If you use a different authentication method, the user will have to connect to a domain controller through a mechanism other than a VPN to change the password.

Tip: If you have users who always work remotely, not being able to change a password during authentication can be a real problem because they cannot simply change the password the next time they are in the office. One way to allow remote users to change their passwords is to set up a computer with Terminal Services. Have the users connect to the Terminal Services server when a password change is required. When they log in, they will be prompted to change their passwords.

CHAP
CHAP is a challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme to encrypt the response. CHAP is used by various vendors of network access servers and clients. A computer running Windows Server 2003 and Routing And Remote Access does not allow CHAP authentication by default. However, you can enable CHAP authentication so that remote access clients that support CHAP but do not support MS-CHAP can be authenticated.

CHAP does not support encryption of connection data. Because CHAP requires the use of reversibly encrypted passwords, you should avoid using it whenever possible. Enabling reversibly encrypted passwords makes it easier for an attacker to identify users’ passwords if the attacker gains access to your user database. If a remote access user uses CHAP for authentication and his or her password expires, the user cannot change the password during the remote access authentication process. The user will need to authenticate by using MS-CHAP or connect to your internal network directly.  

SPAP
The Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva. A computer running Windows XP Professional, when connecting to a Shiva LAN Rover, uses SPAP, as does a Shiva client that connects to a server running Routing And Remote Access. This form of authentication is more secure than plaintext but less secure than CHAP or MS-CHAP. SPAP is not enabled by default on computers running Windows Server 2003 and Routing And Remote Access, and it should not be enabled unless specifically required.

Security Alert: When you enable SPAP as an authentication protocol, any particular user password is always sent in the same reversibly-encrypted form. This makes SPAP authentication susceptible to replay attacks, in which an attacker captures the packets of the authentication process and replays the responses to gain authenticated access to your intranet. Don’t use SPAP unless absolutely necessary.

PAP
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. Anyone capturing the packets of the authentication process can easily read the password and use it to gain unauthorized access to your intranet. The use of PAP is highly discouraged, especially for VPN connections. It is disabled by default, and it should only be used if the remote access client and the remote access server cannot negotiate a more secure form of validation.
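The CHAP, SPAP, and PAP descriptions above can be compared in a short added example (not part of the original text). It computes the CHAP response as defined in RFC 1994, shows that the verifier needs the cleartext password, and shows that a captured response fails against a fresh challenge while a static credential is accepted again. `StaticCredentialServer` and its XOR mask are hypothetical stand-ins, not Shiva's actual SPAP encoding, and the password is constructed sample data.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. user_db holds cleartext passwords because verify()
    must feed the password itself into MD5; this is why CHAP requires
    reversibly encrypted password storage."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}                    # username -> (identifier, challenge)
        self.next_id = 0

    def issue_challenge(self, username):
        identifier, self.next_id = self.next_id, (self.next_id + 1) % 256
        challenge = os.urandom(16)           # fresh and unpredictable per attempt
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username, response):
        entry = self.pending.pop(username, None)   # each challenge is single-use
        secret = self.user_db.get(username)
        if entry is None or secret is None:
            return False
        expected = chap_response(entry[0], secret, entry[1])
        return hmac.compare_digest(expected, response)


class StaticCredentialServer:
    """Stand-in for PAP/SPAP-style logins that send the same bytes every time.
    The XOR mask is hypothetical, NOT the real SPAP encoding."""

    def __init__(self, user_db, mask=0x5A):
        self.user_db, self.mask = user_db, mask

    def encode(self, secret):
        return bytes(b ^ self.mask for b in secret)

    def verify(self, username, token):
        secret = self.user_db.get(username)
        return secret is not None and hmac.compare_digest(self.encode(secret), token)


def replay_comparison():
    db = {"alice": b"constructed-sample-password"}     # constructed test data
    chap, static = ChapServer(db), StaticCredentialServer(db)
    ident, chal = chap.issue_challenge("alice")
    captured = chap_response(ident, db["alice"], chal)  # bytes visible on the wire
    chap_first = chap.verify("alice", captured)
    chap.issue_challenge("alice")                       # next login, new challenge
    chap_replay = chap.verify("alice", captured)
    token = static.encode(db["alice"])                  # identical on every login
    return {"chap_first": chap_first, "chap_replay": chap_replay,
            "static_first": static.verify("alice", token),
            "static_replay": static.verify("alice", token)}
```

The static scheme accepts the captured token a second time because nothing in it is tied to the session, which is the replay weakness the Security Alert describes.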

Unauthenticated access
The Windows Server 2003 family supports unauthenticated access, which means that user credentials (a user name and password) are not required. There are some situations in which unauthenticated access is useful. Specifically, if you are using a RAP to control access by another means, such as callback or caller ID, you might decide that additional authentication is not required. Alternatively, you might encounter a scenario in which you want to allow guests to connect to a remote access server without requiring any form of authentication.

Preshared keys
Preshared key authentication is the only way to use L2TP/IPSec without installing a computer certificate on the remote access server. Preshared keys are never the preferred authentication method for enterprises because managing preshared keys on large numbers of computers is time consuming. If the preshared key on a remote access server is changed, a client with a manually configured preshared key will be unable to connect to that server until the preshared key on the client is changed. If the preshared key was distributed to the client within a Connection Manager profile, that profile must be reissued with the new preshared key and reinstalled on the client computer.

Additionally, because the same preshared key must be distributed to all clients, the likelihood of the preshared key being discovered by an attacker is very high. Unless you distribute the preshared key within a Connection Manager profile, each user must manually type the preshared key. This limitation further reduces security and increases the probability of error. Preshared keys are unlike certificates in that the origin and history of a preshared key cannot be determined. For these reasons, the use of preshared keys to authenticate L2TP/IPSec connections is considered a relatively weak authentication method.

Finally, the use of preshared keys is supported with only Windows Server 2003 and Windows XP clients. While preshared key authentication is useful for testing purposes, if you want a long-term, strong authentication method for L2TP/IPSec, you should use public key certificates.

PassforSure Microsoft certification study guides

Thursday, January 15th, 2009

Windows Server 2003 provides two main types of remote access methods: dial-up and VPN. For each remote access type, there are several authentication and encryption protocols to choose from. You will have to choose the remote access type and security protocols based on the clients that will be connecting to your internal network and based on your existing infrastructure. This lesson will describe the two remote access methods and the various encryption and authentication protocols to allow you to make educated recommendations.

After this lesson, you will be able to

Describe the advantages and disadvantages of dial-up and VPN remote access methods.

Choose between Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP), given an organization’s requirements.

List the various methods for authenticating remote access users, and describe scenarios in which each authentication method should be used.

Estimated lesson time: 20 minutes

Remote Access Methods
There are two primary methods for connecting remote users to a private network: dial-up networking and virtual private networking. Dial-up networking enables a remote access client to establish a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog phone lines, Integrated Services Digital Network (ISDN), or X.25. The most common use of dial-up networking is that of a dial-up networking client that dials the phone number of a modem attached to the remote access server. This establishes a circuit between the two devices.

Passforsure UK new update exams

Thursday, January 15th, 2009

642-812 Exam Value
* Comprehensive questions and answers with high quality about 640-553 exam
* Verified Answers researched by Industry Experts and most 100% correct
* 642-845 exam questions updated on regular basis
* 1z0-047 exam preparation is in multiple-choice questions
* Try free NS0-501 exam demo before you decide to buy it in passforsure
Guaranteed Success
 We guarantee you can pass the popular Cisco 640-863 (Certified Internet Associate (JNCIA-SSL)) Certification Exam on your first try.
 With only 10-15 hours of study of our 70-272 exam guides, you are 100% ready to pass the exams most efficiently with high scores and get certified with ease.
 If you fail the jn0-562 exam on your first attempt, we will give you a 100% Money Back Guarantee.

Please Note:
 If you fail within 7 days after the purchase date or upgrading the exam, you can get one free exam from Pass4sure.
 For those who give up the right to claim a refund but want to exchange for other exams, Pass4sure would like to provide two free exams as compensation.

Pass4sure UK 640-553 exam testing

Tuesday, January 13th, 2009

Pass4sure UK can provide professional services for our customers.
1. Pass4sure will inform the corresponding customers to download the updated version in order to make sure all the customers can pass the test successfully.
2. Pass4sure.com provides knight service after sale. Also, Pass4sure will help the customers solve problems related to technical questions.
3. Before you decide to purchase it, you can also get our free 640-460 exam (IIUC Implementing Cisco IOS Unified Communications (IIUC)) demo.

Pass4sure Guarantee Policy

We guarantee your success at your first attempt if you simply understand and master our study material. If you somehow fail the exam the first time, we will arrange a FULL REFUND for you.
Please Note: If the registered user of a Pass4sure single-user license Pass4sure Testing Engine fails the corresponding exam within the 90 days after the purchase date and contacts Pass4sure to claim this guarantee, then the purchase fee can be returned for a full refund.

New Product Promotion – on printed copy of pass4sure

Monday, January 12th, 2009

With the coming of 2009, Pass4sure has a surprise on offer, aimed first at products for Microsoft, CompTIA and IBM. According to the official news, the promotion starts on January 15th, 2009 and ends on January 20th, 2009. During the promotion, every day the top 15 customers can purchase the printed copy of the certification products at a super-low price – 5$!!! (no extra charge).
A similar promotion is tentatively scheduled to start in early February.

Pass4sure starts offering printed copies on January 10, 2009. All customers who have purchased Q&As products of Pass4sure will get a printed copy; you only need to pay the postage for delivering the printed copy.

Customers who have purchased Q&As products of Pass4sure also enjoy this privilege only if the product you bought is still within its 3-month validity term. If so, you only need to connect to our livechat, and you will get the printed copy after you pay the postage.

Customers who have never purchased Q&As products of Pass4sure can also get the printed copy if they want. You only have to pay for the Q&As products and the postage for delivering the printed copy.

Customers who have purchased Q&As products of Pass4sure whose validity term has expired can also get the printed copy. You only have to pay the upgrade costs and the postage.
Besides the privileges mentioned above, we will offer extra strengthening exercises in the printed copies of products from certain vendors, e.g. Microsoft products.
The printed copy will be delivered through EMS and arrive in 5-10 days.
If you travel frequently, cannot conveniently go online, or prefer the printed copy, we suggest that you purchase the printed copy right now!