Hands-On Lab 2813A:

Applying Microsoft Security Guidance III

Length:1 Days
Published:June 20, 2005
Language(s):English
Audience(s):IT Professionals
Level:200
Technology:Microsoft Windows Server 2003
Type:Hands-On Lab
Delivery Method:Instructor-led (classroom)
About This Hands-On Lab
This one-day, instructor-led, hands-on lab allows students to apply information and guidance that can help in implementing and managing security in a network based on Microsoft Windows and that includes Microsoft Exchange Server, Microsoft Internet Security and Acceleration (ISA) Server 2004, Microsoft Windows Rights Management Services (RMS), or Certificate Services.
Audience Profile
Attendees will be current IT professionals with experience using Microsoft Windows 2000 Server or Microsoft Windows Server 2003 and with knowledge of security concepts including firewalls, virtual private networks (VPNs), encryption, and rights management. The students will be responsible for aspects of security management and deployment associated with their internal network infrastructure and Internet or intranet services.
At Hands-On Lab Completion
After completing this hands-on lab, students will be able to:
  • Help protect e-mail messages using S/MIME signing and encryption.
  • Manage e-mail attachment security using the Outlook Security Template.
  • Increase security for Microsoft Office Outlook 2003 by using remote procedure call (RPC) over HTTP(S).
  • Enhance security for Outlook Web Access (OWA) connections.
  • Install Rights Management Services (RMS) and understand the provisioning and enrollment process for the RMS server.
  • Install and activate the RMS client component to protect Microsoft Office 2003 documents and Outlook 2003 e-mail messages.
  • Perform administrative tasks such as deploying custom rights policy templates and troubleshooting client configurations using the RMS Administration Toolkit.
  • Sub-enroll and provision licensing servers to provide a distributed RMS infrastructure.
  • Implement a VPN solution that incorporates L2TP/IPSec and Network Access Quarantine.
  • Configure the remote access polices for VPN to support L2TP and PPTP remote access connections. You will also learn how to configure Certificate provisioning to support L2TP VPN connections.
  • Implement VPN Network Quarantine: configure a remote access policy for network quarantine and implement the Remote Access Quarantine Service.
  • Configure and deploy a Connection Manager profile for use with VPN Network Quarantine.
  • Install and configure a stand-alone Root Certification Authority (CA).
  • Install and configure a subordinate Enterprise CA.
  • Configure custom certificate templates, and deploy certificates using autoenrollment.
  • Increase security for e-mail communication and Web-site authentication by using digital certificates.
Hands-On Lab OutlineExercise 1: Implementing Messaging Security for Exchange Server Clients
In this lab, you learn various methods to help secure e-mail communication between Exchange Server and desktop clients. You also learn how to improve messaging security using Outlook 2003 attachment options and RPC over HTTP(S), and you learn how to improve security for remote clients using OWA.
Lab : Exercise 1 - Protecting E-Mail Messages Using S/MIME Signing and Encryption
  • Configure Certificate Services.
  • Obtain a digital certificate to be used for S/MIME.
  • Send and receive a digitally signed e-mail message.
  • Send and receive an encrypted e-mail message.
  • Test OWA functionality with signed and encrypted e-mail, and install the S/MIME Control.
Lab : Exercise 2 - Customizing Outlook Security Settings Using the Outlook Security Template
  • Install and configure the Outlook Security Template.
  • Modify the default security settings to block specific attachments from within Outlook 2003.
Lab : Exercise 3 - Securing Remote Outlook 2003 Connections Using RPC Over HTTPS
  • Install the RPC over HTTP Proxy network service.
  • Configure the RPC back-end server.
  • Configure ISA Server 2004 to listen for traffic destined for the RPC over HTTP service on the Exchange server.
  • Configure Outlook to use RPC over HTTPS to connect to the Exchange server.
Lab : Exercise 4 - Securing Outlook Web Access Connections
  • Configure OWA to require Secure Sockets Layer (SSL).
  • Configure ISA Server 2004 to provide secure access to OWA.
  • Enable OWA to use forms-based authentication.
  • Install the Outlook Web Access Administration tool.
Exercise 2: Protecting Data Using Rights Management Services
In this lab, you learn how to improve data protection using Rights Management Services (RMS). You learn how to configure Rights Management Services on Windows Server 2003, and you learn best practices for administering rights management servers and clients. You also learn how rights management is supported in Microsoft Office applications.
Lab : Exercise 1 - Installing and Provisioning Windows Rights Management Services
  • Install Windows RMS.
  • Use the Windows RMS Administration Web page to begin the RMS Provisioning process.
  • Enroll the RMS server, and request a new server licensor certificate (SLC).
  • Import the SLC (ServerCert.xml) to complete the enrollment process.
  • Register the RMS service connection point.
Lab : Exercise 2 - Installing and Activating an RMS Client to Protect Microsoft Office Files and E-Mail Messages
  • Install the RMS client.
  • Protect a Microsoft Office Word 2003 document using rights management.
  • Protect an Outlook 2003 e-mail message using rights management.
  • Install and configure the Information Rights Management Add-on for Internet Explorer.
  • Open a rights-protected document using Microsoft Internet Explorer and the Information Rights Management Add-on for Internet Explorer.
Lab : Exercise 3 - Administering an RMS Deployment
  • Create a custom rights policy template.
  • Distribute the custom rights policy template.
  • Use the IRMCheck tool to obtain information about the RMS client.
  • Use the GetRMScp tool to verify that the service connection point can be located from the client.
  • Use the RMS Log Viewer to view RMS-related events.
Lab : Exercise 4 - Sub-Enrolling Additional Licensing Servers
  • Configure permissions on the Certification pipeline.
  • Install Windows RMS.
  • Access the Windows RMS Administration Web page to begin the RMS Provisioning process.
  • Verify the configuration of the sub-enrolled licensing server.
  • Remove the modified permissions on the Certification pipeline.
Exercise 3: Improving Remote Access Security
In this lab, you learn how to improve security for clients that connect remotely to your network. You learn how to implement VPN connections to encrypt data communications and how to create a "quarantine" zone in which remote clients can be placed while they are inspected for installed security and software updates.
Lab : Exercise 1 - Configuring Network Services to Support VPN Security
  • Install and configure Internet Authentication Services.
  • Configure Certificate Services.
  • Configure Routing and Remote Access (RRAS).
  • Install the Connection Manager Administration Kit (CMAK).
Lab : Exercise 2 - Configuring VPN Remote Access Policy and Certificate Provisioning
  • Create a remote access policy for L2TP/IPSec VPN connections.
  • Create a remote access policy for PPTP VPN connections.
  • Configure Active Directory for autoenrollment of certificates.
  • Create and issue certificate templates for L2TP/IPSec VPN access.
  • Configure the Certification Authority to issue the new certificates.
Lab : Exercise 3 - Implementing VPN Network Quarantine
  • Create a remote access policy for network quarantine.
  • Install the Network Access Quarantine Service.
Lab : Exercise 4 - Creating the Quarantine Connection Manager Profile
  • Create a new Connection Manager Profile using CMAK.
  • Add custom actions to the Connection Manager profile to perform quarantine policy checks for VPN users.
  • Connect to the VPN, and verify that a network client is now compliant with the company security policy.
Exercise 4: Deploying a Windows Public Key Infrastructure
In this lab, you learn how to implement a Windows Server 2003 PKI to enable security enhancements for messaging and network communications. You also learn how to implement certificates for SSL-enhanced Web sites and how digital certificates can be deployed to enable client authentication and improve e-mail security.
Lab : Exercise 1 - Creating a Certification Authority Hierarchy
  • Configure a CAPolicy.inf file.
  • Install a stand-alone root CA.
  • Define CRL and AIA Publication Settings.
  • Publish the CRL and CA certificate to Active Directory directory service.
Lab : Exercise 2 - Implementing a Subordinate Enterprise CA
  • Install Certificate Services as a subordinate Enterprise CA.
  • In the Certification Authority console, request a new certificate by using the request.req request file.
  • Use the PKI Health Tool to verify that the offline root CA's CDP and AIA extensions are properly configured.
Lab : Exercise 3 - Deploying Certificates to Secure E-Mail
  • Create the Autoenrollment Group Policy object, and link it to the domain.
  • Create an S/MIME signing certificate template.
  • Create an S/MIME encryption certificate template.
  • Configure the CA to issue the S/MIME certificates.
  • Send and receive a digitally signed and encrypted e-mail message.
Lab : Exercise 4 - Securing Web Sites Using SSL Encryption
  • Enable SSL on the default Web site.
  • Configure authentication for a Web site.
  • Enable certificate mapping for a Web site.
These labs require that you meet the following prerequisites:
  • Hands-on experience with Windows 2000 or Windows Server 2003
  • Experience with Active Directory and Group Policy
  • Basic understanding of Windows authorization and authentication concepts
  • Working knowledge of Internet protocols, including POP3, IMAP4, SMTP, and HTTP
  • Basic understanding of public key infrastructure (PKI) concepts and technologies
Have Questions? For advice about training and certification, connect with peers: For questions about a specific certification, chat with a Microsoft Certified Professional (MCP): To find out about recommended blogs, Web sites, and upcoming Live Meetings on popular topics, visit our community site:
Course index

Find Training Near You

Location:
Eg: Seattle, WA or Paris, France

Related Services