Chapter 9: Exam 70-298 Prep and Practice
Terminal Services Security Options
• The 70-298 exam often discusses Terminal Services Security Options. Most
questions focus on the encryption settings, which can be set to three levels:
— High Level
— Low Level
— Client Compatible
• High-Level encryption means that RDP communications will be protected by
the maximum encryption key size supported by the server. If the client cannot
also accept this key length, it will not be allowed to connect. Low-Level and
Client Compatible encryption means that RDP communications will be protected
by the maximum key size supported by the client. In high-security scenarios,
the administrator will want to ensure that the encryption level is set to
Terminal Services has dozens of other settings, some of which
could impact security indirectly. You should be familiar with all of
the configuration choices available in Group Policy for Terminal
This subsection is a summary of highlights from the “Windows Trust Models”
section in the Exam 70-298 Study Guide.
Windows trust security
• By default, every domain in a Windows 2000 and later domain trusts every
other domain in the same forest. Various types of trusts (e.g., forest, external,
etc.) can be established manually. Every authenticated user in a domain is
automatically added to the Everyone and Authenticated Users groups in every
other domain in the same forest. This gives users (or intruders) in one domain
rights and permissions in the other domains that they would not normally
have otherwise.
This subsection is a summary of highlights from the “IPSec” section in the Exam
70-298 Study Guide.
IPSec in general
• The open standard, IPSec, can be used on fully patched Windows 9x and later
systems, but was first shipped in Windows 2000. It can only be used to
authenticate and encrypt TCP/IP traffic, as its name indicates.
• IPSec has two protocols: Authentication Header (AH) and Encapsulated
Security Payload (ESP). AH ensures authentication of the IP header, verifying
source and destination addresses, as well as the integrity of the entire packet
(with a few necessary exceptions). ESP can authenticate and/or encrypt the
network packet’s payload data, but does not protect the data’s IP header.
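The following is an added example, not part of the study guide, that models the integrity-coverage difference between AH and ESP described above. It builds a minimal IPv4 packet protected first by AH and then by ESP with NULL encryption (integrity only), using HMAC-SHA256 truncated to 96 bits as the integrity check value (ICV). The key, addresses and payload are constructed for the demonstration; the IP header checksum is left at zero and no real key exchange is performed, so treat the functions as a teaching model of the two protocols, not as an IPsec implementation.

```python
import hashlib
import hmac
import struct

# Constructed demonstration key; in IPsec the key comes from IKE or a manual SA.
KEY = b"constructed-demo-key-not-for-real-use"

AH_PROTO = 51   # IP protocol number for AH
ESP_PROTO = 50  # IP protocol number for ESP
ICV_LEN = 12    # 96-bit truncated HMAC, as in HMAC-SHA-256-96
AH_LEN = 12 + ICV_LEN


def ipv4_header(src: bytes, dst: bytes, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum field is left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def _icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def _zero_mutable(ip_hdr: bytes) -> bytes:
    # AH's "necessary exceptions": fields that legitimately change in transit
    # (TTL, header checksum) are zeroed before the ICV is computed. Source and
    # destination addresses are NOT exceptions, so any change to them is detected.
    h = bytearray(ip_hdr)
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_protect(src: bytes, dst: bytes, ttl: int, spi: int, seq: int, payload: bytes) -> bytes:
    """IP header + AH header (next header 6 = TCP) + payload; ICV covers all three."""
    ip = ipv4_header(src, dst, ttl, AH_PROTO, 20 + AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", 6, AH_LEN // 4 - 2, 0, spi, seq)
    icv = _icv(_zero_mutable(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip + ah_fixed + icv + payload


def ah_verify(packet: bytes) -> bool:
    ip, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = _icv(_zero_mutable(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(icv, expected)


def esp_protect(src: bytes, dst: bytes, ttl: int, spi: int, seq: int, payload: bytes) -> bytes:
    """IP header + ESP (SPI, seq, payload, trailer) + ICV; ICV covers ESP only."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 6])
    body = struct.pack("!II", spi, seq) + payload + trailer  # NULL encryption: sent in clear
    ip = ipv4_header(src, dst, ttl, ESP_PROTO, 20 + len(body) + ICV_LEN)
    return ip + body + _icv(body)


def esp_verify(packet: bytes) -> bool:
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, _icv(body))   # the IP header is never checked


def with_dst(packet: bytes, new_dst: bytes) -> bytes:
    return packet[:16] + new_dst + packet[20:]


def with_ttl(packet: bytes, ttl: int) -> bytes:
    return packet[:8] + bytes([ttl]) + packet[9:]


def flip_byte(packet: bytes, offset: int) -> bytes:
    b = bytearray(packet)
    b[offset] ^= 0xFF
    return bytes(b)


def demo() -> dict:
    """Apply the same in-transit modifications to an AH and an ESP packet."""
    src, dst, other = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 9])
    payload = b"GET / HTTP/1.0\r\n\r\n"   # constructed application data
    ah = ah_protect(src, dst, 64, 0x100, 1, payload)
    esp = esp_protect(src, dst, 64, 0x200, 1, payload)
    return {
        "ah_intact": ah_verify(ah),
        "ah_dst_changed": ah_verify(with_dst(ah, other)),        # detected
        "ah_ttl_changed": ah_verify(with_ttl(ah, 63)),           # allowed (mutable field)
        "ah_payload_changed": ah_verify(flip_byte(ah, 44)),      # detected
        "esp_intact": esp_verify(esp),
        "esp_dst_changed": esp_verify(with_dst(esp, other)),     # NOT detected
        "esp_payload_changed": esp_verify(flip_byte(esp, 28)),   # detected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} verify={ok}")
```

The result table is the exam point in executable form: rewriting the destination address breaks AH verification but leaves ESP verification passing, while a TTL decrement (one of AH's mutable-field exceptions) passes both.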