| Introduction |
|
xiii | |
| Organization of this book |
|
xiii | |
| Microsoft certifications |
|
xiv | |
| Acknowledgments |
|
xiv | |
| Free ebooks from Microsoft Press |
|
xiv | |
| Microsoft Virtual Academy |
|
xiv | |
| Quick access to online references |
|
xv | |
| Errata, updates, & book support |
|
xv | |
| We want to hear from you |
|
xv | |
| Stay in touch |
|
xv | |
| Preparing for the exam |
|
xvii | |
|
Chapter 1 Implement server hardening solutions |
|
|
1 | (58) |
|
Skill 1.1 Configure disk and file encryption |
|
|
1 | (15) |
|
Determine hardware and firmware requirements for Secure Boot and encryption key functionality |
|
|
2 | (2) |
|
Deploy BitLocker Drive Encryption |
|
|
4 | (6) |
|
|
|
10 | (1) |
|
Implement the BitLocker Recovery Process |
|
|
11 | (4) |
|
Manage Encrypting File System |
|
|
15 | (1) |
|
Skill 1.2 Implement server patching and updating solutions |
|
|
16 | (10) |
|
Install and configure WSUS |
|
|
17 | (3) |
|
Create computer groups and configure Automatic Updates |
|
|
20 | (2) |
|
Manage updates using WSUS |
|
|
22 | (1) |
|
|
|
23 | (2) |
|
Troubleshoot WSUS configuration and deployment |
|
|
25 | (1) |
|
Skill 1.3 Implement malware protection |
|
|
26 | (14) |
|
Implement an antimalware solution with Windows Defender |
|
|
27 | (3) |
|
Integrate Windows Defender with WSUS and Windows Update |
|
|
30 | (1) |
|
Implement AppLocker rules |
|
|
31 | (4) |
|
Implement Control Flow Guard |
|
|
35 | (1) |
|
Implement Device Guard policies |
|
|
36 | (4) |
|
Skill 1.4 Protect credentials |
|
|
40 | (6) |
|
Determine requirements for Credential Guard |
|
|
41 | (1) |
|
Configure Credential Guard |
|
|
42 | (3) |
|
|
|
45 | (1) |
|
Skill 1.5 Create security baselines |
|
|
46 | (13) |
|
Install and Configure Security Compliance Manager |
|
|
47 | (3) |
|
Create and import security baselines |
|
|
50 | (3) |
|
Deploy configurations to domain and non-domain-joined servers |
|
|
53 | (1) |
|
|
|
54 | (3) |
|
|
|
57 | (1) |
|
Thought experiment answers |
|
|
57 | (2) |
|
Chapter 2 Secure a Virtualization Infrastructure |
|
|
59 | (30) |
|
Skill 2.1 Implement a Guarded Fabric solution |
|
|
60 | (14) |
|
Install and configure the Host Guardian Service |
|
|
60 | (3) |
|
Configure admin and TPM-trusted attestation |
|
|
63 | (3) |
|
Configure Key Protection Service Using HGS |
|
|
66 | (1) |
|
Configuring the guarded host |
|
|
67 | (1) |
|
Migrate shielded VMs to other guarded hosts |
|
|
68 | (4) |
|
Troubleshoot guarded hosts |
|
|
72 | (2) |
|
Skill 2.2 Implement shielded and encryption-supported VMs |
|
|
74 | (15) |
|
Determine requirements and scenarios for implementing shielded VMs |
|
|
75 | (1) |
|
Create a shielded VM using Hyper-V |
|
|
76 | (4) |
|
Enable and configure vTPM |
|
|
80 | (3) |
|
Determine requirements and scenarios for implementing encryption-supported VMs |
|
|
83 | (1) |
|
|
|
84 | (2) |
|
|
|
86 | (1) |
|
|
|
87 | (1) |
|
Thought experiment answers |
|
|
87 | (2) |
|
Chapter 3 Secure a network infrastructure |
|
|
89 | (42) |
|
Skill 3.1 Configure Windows Firewall |
|
|
89 | (20) |
|
Configure Windows Firewall with Advanced Security |
|
|
90 | (8) |
|
Configure network location profiles and deploy profile rules using Group Policy |
|
|
98 | (2) |
|
Configure connection security rules using Group Policy, the GUI console, or Windows PowerShell |
|
|
100 | (5) |
|
Configure Windows Firewall to allow or deny applications |
|
|
105 | (2) |
|
Configure authenticated firewall exceptions |
|
|
107 | (2) |
|
Skill 3.2 Implement a software-defined Distributed Firewall |
|
|
109 | (6) |
|
Determine requirements and scenarios for Distributed Firewall implementation with Software Defined Networking |
|
|
109 | (3) |
|
Determine usage scenarios for Distributed Firewall policies and network security groups |
|
|
112 | (3) |
|
Skill 3.3 Secure network traffic |
|
|
115 | (16) |
|
Determine SMB 3.1.1 protocol security scenarios and implementations |
|
|
115 | (2) |
|
Enable SMB encryption on SMB shares |
|
|
117 | (1) |
|
Configure SMB signing and disable SMB 1.0 |
|
|
118 | (1) |
|
Secure DNS traffic using DNSSEC and DNS policies |
|
|
119 | (5) |
|
Install and configure Microsoft Message Analzyer to analyze network traffic |
|
|
124 | (2) |
|
|
|
126 | (1) |
|
|
|
127 | (1) |
|
Thought experiment answer |
|
|
127 | (4) |
|
Chapter 4 Manage Privileged Identities |
|
|
131 | (58) |
|
Skill 4.1 Implement an Enhanced Security Administrative Environment administrative forest design approach |
|
|
131 | (7) |
|
Determine usage scenarios and requirements for implementing ESAE forest design architecture to create a dedicated administrative forest |
|
|
132 | (3) |
|
Determine usage scenarios and requirements for implementing clean source principles in an Active Directory architecture |
|
|
135 | (3) |
|
Skill 4.2 Implement Just-in-Time administration |
|
|
138 | (13) |
|
Create a new administrative (bastion) forest in an existing Active Directory environment using Microsoft Identity Manager |
|
|
139 | (1) |
|
Configure trusts between production and bastion forests |
|
|
140 | (3) |
|
Create shadow principals in bastion forest |
|
|
143 | (1) |
|
Configure the MIM web portal |
|
|
144 | (1) |
|
Request privileged access using the MIM web portal |
|
|
145 | (1) |
|
Determine requirements and usage scenarios for Privileged Access Management solutions |
|
|
145 | (2) |
|
Create and implement MIM policies |
|
|
147 | (1) |
|
Implement just-in-time administration principals using time-based policies |
|
|
148 | (2) |
|
Request privileged access using Windows PowerShell |
|
|
150 | (1) |
|
Skill 4.3 Implement Just-Enough-Administration |
|
|
151 | (14) |
|
Enable a JEA solution on Windows Server 2016 |
|
|
152 | (2) |
|
Create and configure session configuration files |
|
|
154 | (2) |
|
Create and configure role capability files |
|
|
156 | (4) |
|
|
|
160 | (1) |
|
Connect to a JEA endpoint on a server for administration |
|
|
161 | (1) |
|
|
|
161 | (2) |
|
Download WMF 5.1 to a Windows Server 2008 R2 |
|
|
163 | (1) |
|
Configure a JEA endpoint on a server using Desired State Configuration |
|
|
164 | (1) |
|
Skill 4.4 Implement Privileged Access Workstations and User Rights Assignments |
|
|
165 | (12) |
|
Implement a PAWS solution |
|
|
165 | (4) |
|
Configure User Rights Assignment group policies |
|
|
169 | (4) |
|
Configure security options settings in group policy |
|
|
173 | (2) |
|
Enable and configure Remote Credential Guard for remote desktop access |
|
|
175 | (2) |
|
Skill 4.5 Implement Local Administrator Password Solution |
|
|
177 | (12) |
|
Install and configure the LAPS tool |
|
|
177 | (4) |
|
Secure local administrator passwords using LAPS |
|
|
181 | (2) |
|
Manage password parameters and properties using LAPS |
|
|
183 | (2) |
|
|
|
185 | (1) |
|
|
|
186 | (1) |
|
Thought experiment answers |
|
|
187 | (2) |
|
Chapter 5 Implement threat detection solutions |
|
|
189 | (56) |
|
Skill 5.1 Configure advanced audit policies |
|
|
189 | (24) |
|
Determine the differences and usage scenarios for using local audit policies and advanced auditing policies |
|
|
190 | (8) |
|
Implement auditing using Group Policy and Auditpol.exe |
|
|
198 | (8) |
|
Implement auditing using Windows PowerShell |
|
|
206 | (1) |
|
Create expression-based audit policies |
|
|
207 | (1) |
|
Configure the audit PNP activity policy |
|
|
208 | (1) |
|
Configure the Audit Group Membership policy |
|
|
209 | (1) |
|
Enable and configure module, script block, and transcription logging in Windows PowerShell |
|
|
210 | (3) |
|
Skill 5.2 Install and configure Microsoft Advanced Threat Analytics |
|
|
213 | (17) |
|
Determine usage scenarios for ATA |
|
|
213 | (2) |
|
Determine deployment requirements for ATA |
|
|
215 | (5) |
|
Install and Configure ATA Gateway on a Dedicated Server |
|
|
220 | (4) |
|
Install and Configure ATA Lightweight Gateway Directly on a Domain Controller |
|
|
224 | (1) |
|
Configure alerts in ATA Center when suspicious activity is detected |
|
|
224 | (3) |
|
Review and edit suspicious activities on the Attack Time Line |
|
|
227 | (3) |
|
Skill 5.3 Determine threat detection solutions using Operations Management Suite |
|
|
230 | (15) |
|
Determine Usage and Deployment Scenarios for OMS |
|
|
230 | (6) |
|
Determine security and auditing functions available for use |
|
|
236 | (3) |
|
Determine log analytics usage scenarios |
|
|
239 | (3) |
|
|
|
242 | (1) |
|
|
|
243 | (1) |
|
Thought experiment answers |
|
|
244 | (1) |
|
Chapter 6 Implement workload-specific security |
|
|
245 | (66) |
|
Skill 6.1 Secure application development and server workload infrastructure |
|
|
245 | (22) |
|
Determine usage scenarios, supported server workloads, and requirements for Nano Server deployments |
|
|
246 | (1) |
|
Install and configure Nano Server |
|
|
247 | (13) |
|
Implement security policies on Nano Servers using Desired State Configuration |
|
|
260 | (3) |
|
Determine usage scenarios and requirements for Windows Server and Hyper-V containers |
|
|
263 | (2) |
|
Install and configure Hyper-V containers |
|
|
265 | (2) |
|
Skill 6.2 Implement a Secure File Services infrastructure and Dynamic Access Control |
|
|
267 | (44) |
|
Install the File Server Resource Manager role service |
|
|
267 | (2) |
|
|
|
269 | (7) |
|
|
|
276 | (2) |
|
Configure Storage Reports |
|
|
278 | (2) |
|
Configure File Management Tasks |
|
|
280 | (3) |
|
Configure File Classification Infrastructure using FSRM |
|
|
283 | (7) |
|
|
|
290 | (3) |
|
Configure user and device claim types |
|
|
293 | (2) |
|
Create and configure resource properties and lists |
|
|
295 | (3) |
|
Create and configure central access rules and policies |
|
|
298 | (6) |
|
Implement policy changes and staging |
|
|
304 | (1) |
|
Configure file access auditing |
|
|
305 | (1) |
|
Perform access-denied remediation |
|
|
306 | (3) |
|
|
|
309 | (1) |
|
|
|
309 | (1) |
|
Thought experiment answers |
|
|
310 | (1) |
| Index |
|
311 | |
Daugiau apie elektronines knygas