Exam 70-298 Highlighters Index | 501
• You can only choose one log rotation option. If one of the two latter choices
is enabled, and the logfile meets its maximum logfile size, new events will not
be added to the log until something is corrected. With the latter option, the
administrator can optionally choose for the system to halt (i.e., blue screen) if
the logfile becomes full. Although halting used to be the default option, it now
requires enabling a second Security Option called “Shutdown system immediately
if unable to log security audits.”
• Microsoft provides several programs for centralized collection, including
Microsoft Audit Collection System, Log Parser, SMS, and MOM.
Security Infrastructure Technologies
This subsection is a summary of highlights from the “Security Infrastructure
Technologies” section in the Exam 70-298 Study Guide.
Steps to secure any infrastructure server
• Restrict physical access to the server(s).
• Minimize who can log into the server locally and remotely.
• Mandate long and complex passwords for infrastructure server administrators.
• Uninstall or disable unneeded services and applications.
• Do not install IIS, Microsoft Office, or other high-risk applications.
• Do not browse to untrusted sites using Internet Explorer; limit Internet
browsing as much as possible.
• Separate server roles where possible (e.g., try not to let the domain controller
also be the DNS server, don’t let the Certificate Services server run IIS for web
• Provide redundant servers for critical services (e.g., Active Directory, DNS,
• Manage an infrastructure server using its own high-security GPOs.
• Keep server security patches up to date.
• Consider enabling a host-based firewall to minimize unneeded port
• Use IPSec to minimize traffic connections.
• Disable booting on anything besides the primary hard drive.
• Implement a thorough auditing policy, recording as much activity as possible
in case it is needed for forensic investigations.
• Internal DNS domains should not be commingled with externally reachable
DNS domains. DNS administrators want to make sure that private IP
addresses and internal hostnames are not reachable by external, unauthorized
users. Every entity should have separate internal and external DNS
domains, and where appropriate, separate DNS servers for internal and exter-
• DNS servers should be configured to ensure secure zone transfers between
primary (Active Directory-Integrated or standard) and secondary DNS