• Configure registry and file system permissions.
• Configure account policies.
• Configure .pol files.
• Configure audit policies.
• Configure user rights assignment.
• Configure security options.
• Configure system services.
• Configure restricted groups.
• Configure event logs.

• Analyze existing security policies and procedures.
• Analyze the organizational requirements for securing data.
• Analyze the security requirements of different types of data.
• Analyze risks to security within the current IT administration structure and security practices.

• Plan the deployment of security templates.
• Deploy security templates by using Active Directory-based Group Policy objects (GPOs).
• Deploy security templates by using command-line tools and scripting.

• Troubleshoot security templates in a mixed operating system environment.
• Troubleshoot security policy inheritance.
• Troubleshoot removal of security template settings.

• Plan and configure security settings.
• Plan network zones for computer roles.
• Plan and configure software restriction policies.
• Plan security for infrastructure services. Services include DHCP and DNS.
• Plan and configure auditing and logging for a computer role. Considerations include Windows Events, Internet Information Services (IIS), firewall log files, Netlog, and RAS log files.
• Analyze security configuration. Tools include Microsoft Baseline Security Analyzer (MBSA), the MBSA command-line tool, and Security Configuration and Analysis.

• Evaluate the applicability of service packs and hotfixes.
• Test the compatibility of service packs and hotfixes for existing applications.
• Plan patch deployment environments for both the pilot and production phases.
• Plan the batch deployment of multiple hotfixes.
• Plan rollback strategy.

• Assess current patch levels by using the MBSA GUI tool.
• Assess current patch levels by using the MBSA command-line tool with scripted solutions.

• Deploy service packs and hotfixes on new servers and client computers. Considerations include slipstreaming, custom scripts, and isolated installation or test networks.
• Deploy service packs and hotfixes on existing servers and client computers.

Implementing, Managing, and Troubleshooting Security for Network Communications

• Decide which IPSec mode to use.
• Plan authentication methods for IPSec.
• Test the functionality of existing applications and services.

• Configure IPSec authentication.
• Configure appropriate encryption levels. Considerations include the selection of perfect forward secrecy (PFS) and key lifetimes.
• Configure the appropriate IPSec protocol. Protocols include Authentication Header (AH) and Encapsulating Security Payload (ESP).
• Configure IPSec inbound and outbound filters and filter actions.

• Deploy IPSec policies by using Local policy objects or Group Policy objects (GPOs).
• Deploy IPSec policies by using commands and scripts. Tools include IPSecPol and NetSh.
• Deploy IPSec certificates. Considerations include deployment of certificates and renewing certificates on managed and unmanaged client computers.

• Monitor IPSec policies by using IP Security Monitor.
• Configure IPSec logging. Considerations include Oakley logs and IPSec driver logging.
• Troubleshoot IPSec across networks. Considerations include network address translation, port filters, protocol filters, firewalls, and routers.
• Troubleshoot IPSec certificates. Considerations include enterprise trust policies and certificate revocation list (CRL) checking.

• Plan the authentication methods for a wireless network.
• Plan the encryption methods for a wireless network.
• Plan wireless access policies.
• Configure wireless encryption.
• Install and configure wireless support for client computers.

• Obtain self-issued certificates and publicly issued certificates.
• Install certificates for SSL.
• Renew certificates.
• Configure SSL to secure communication channels. Communication channels include client computer to Web server, Web server to SQL Server computer, client computer to Active Directory domain controller, and e-mail server to client computer.

• Configure authentication for secure remote access. Authentication types include PAP, CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5, EAP-TLS, and multifactor authentication that combines smart cards and EAP.
• Configure and troubleshoot virtual private network (VPN) protocols. Considerations include Internet service provider (ISP), client operating system, network address translation devices, Routing and Remote Access servers, and firewall servers.
• Manage client configuration for remote access security. Tools include remote access policy and the Connection Manager Administration Kit.

Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI

• Plan, configure, and troubleshoot trust relationships.
• Plan and configure authentication protocols.
• Plan and configure multifactor authentication.
• Plan and configure authentication for Web users.
• Plan and configure delegated authentication.

• Decide which types of groups to use.
• Plan security group scope.
• Plan nested group structure.

• Configure access control lists (ACLs).
• Plan and troubleshoot the assignment of user rights.
• Plan requirements for digital signatures.

• Install and configure root, intermediate, and issuing certification authorities (CAs). Considerations include renewals and hierarchy.
• Configure certificate templates.
• Configure, manage, and troubleshoot the publication of certificate revocation lists (CRLs).
• Configure archival and recovery of keys.
• Deploy and revoke certificates to users, computers, and CAs.
• Backup and restore the CA.