This chapter focuses on two broad topics: deploying updates and monitoring computers running Windows Server 20080. The first section introduces Windows Server Update Services (WSUS) and explains how to use it to deploy updates to computers running Microsoft Windows. The remaining sections discuss gathering performance and configuration information. Some of the topics in this part of the exam were discussed in an earlier chapter, where that is the case I will either point you to the other chapter so you can review it or provide more detailed information on how to use the tools. One topic that does not really fit with everything else listed for this part of the exam is the Baseline Security Analyzer, Microsoft had to include this important application somewhere and I guess somebody thought this was the best place.

• Configure WSUS server settings.
• Capture performance data.
• Monitor event logs.
• Gather network data.

 Configure Windows Server Update Services Server Settings

Windows Server Update Services (WSUS) allows systems administrators to deploy updates and service packs for a range of Microsoft products. WSUS is flexible and it offers organizations many advantages over having computers download and install updates directly from Microsoft. It reduces consumption of Internet bandwidth because only the WSUS servers need to download the updates from Microsoft’s website rather than every computer running Microsoft Windows. It allows administrators to thoroughly test updates and verify that they are not incompatible with any important business applications before deploying them to users. WSUS can also generate reports illustrating what updates have been deployed and which computers have installed them.

Note: While WSUS offers a lot at no additional cost, its not a full-fledged configuration management solution. If you are already using Microsoft’s System Center Configuration Manager or Systems Management Server 2003 you could integrate WSUS with either. If you are using an enterprise management suite from a different vendor you may have little or no need to add WSUS to your arsenal.

Installing WSUS

The first thing you have to do is download Windows Server Update Services Service Pack 1 because its not included on the Windows Server 2008 installation disc. The WSUS server has some specific requirements, the web server role must be installed with the following role services:

• Common HTTP Features (including Static Content)
• ASP.NET, ISAPI Extensions, and ISAPI Features (a component of Application Development)
• Windows Authentication (a component of Security)
• IIS Metabase Compatibility (a component of IIS 6 Management Compatibility, which is below Management Tools)

You need to reconfigure IIS to support WSUS by modifying the configuration file located at %WINDIR%\system32\inetsrv\config\applicationhost.config. Modify the <system.webServer><modules> tag. If it is present, remove <add name="CustomErrorModule">, then add  <remove name="CustomErrorModule">. The tag should look something like this, however there may be other tags in addition to <modules>:

Your WSUS server will need Internet access to download updates from Microsoft. Perform a full install on a server in your practice lab, it will install the Windows Internal Database if a compatible version of SQL Server is not already installed on the computer. The WSUS Configuration Wizard will launch when the installation is complete. To complete the exercises in this section you can use the default settings, however for production environments you would want to plan the design of your WSUS deployment. Large organizations often use a two-layer architecture, one layer of a few WSUS servers to retrieve updates from Microsoft and a second, larger group that pulls updates from the first layer and provides them to clients. When choosing which products will be updated in your practice lab you may want to select only Windows Server 2008 and perhaps Windows Defender, the more products you pick the more data will be downloaded and stored by WSUS. For a production deployment you would select many if not all of the products. Complete the wizard and have WSUS synchronize updates immediately.

Tip: The WSUS Release Notes have little detail and are not much use to administrators who are not already experienced with WSUS. There are two excellent guides on TechNet to help you create a solid WSUS architecture and to deploy and manage WSUS, if the cryptic URLs are too awkward to type in manually you should have no problem finding them if you search by their titles on the TechNet website:

• Deploying Microsoft Windows Server Update Services 3.0.

•  Microsoft Windows Server Update Services 3.0 Operations Guide.

Configuring WSUS Clients

Use the domain controller to create a new group policy and link it to the root of the domain in your practice lab. Edit the group policy to change a single setting located at Computer Configuration\Administrative Templates\Windows Components\Windows Update, select Specify Intranet Microsoft update service location from the list of settings, then click Enabled and enter the URL of your new WSUS server in both text boxes. Click OK. Now you need to force each of the WSUS clients to download and apply the new group policy, open a command prompt with administrative privileges on the domain controller and enter gpupdate /enforce.

That’s it for client configuration, at least for your practice lab. You can see that there are more WSUS settings available in the Windows Update folder of GPO but you do not need to modify them to continue with your studies.

Tip: You can configure WSUS clients by directly editing the registry, however if you have deployed Active Directory you should use group policy because its much simpler. For environments without AD I encourage you to use the local GPO to configure WSUS clients. If you must manage them by modifying the registry the location is HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate. The WSUS client registry keys are documented in the WSUS deployment guide mentioned previously.

 Configuring WSUS Servers

Since exam 70-642 covers so many things you will not see more than a handful of questions relating to WSUS, I do not think that you need to memorize how to configure every feature available. Instead, focus on the most common management and troubleshooting tasks: configuring how WSUS will download and deploy updates, and configuring the clients to use the WSUS server.

To manage WSUS using the Update Services console click on Microsoft Windows Server Update Services 3.0 SP1 in the Administrative Tools folder. First, expand all of the nodes in the navigation tree, then click on Options. You can reconfigure everything you specified in the WSUS Configuration Wizard, there are also many other settings to manage. For example, click on Products and Classifications to specify which products will be updated and what kinds of updates will be downloaded and distributed, as shown in figure 1.

Figure 1: Selecting Products to Update.

You can determine whether updates where clients will retrieve updates, either from the WSUS server or Microsoft Update by clicking Update Files and Languages. Most software updates published by Microsoft have to be localized for different regions and languages. Localization is the term used to describe the process of translating user interface elements from one language to another. Cultural differences may also call for making other changes to the interface. You can specify what for what languages updates are downloaded by clicking the Update Languages tab. Other links in the details pane let you configure roll-up reporting from replica servers, email notifications, and to personalize the appearance of the Update Services console.

You also need to configure computer groups before continuing to the next section. To do this you specify how computers are assigned to groups, by either server-side or client-side targeting; then you create the groups and add computers to them. Click Computers in the details pane, select Use the Update Services console to assign the groups from the WSUS server, then click OK. You would choose the second option to use group policy or client settings. To create a new computer group click on All Computers in the navigation tree, then click Add Computer group in the actions pane, enter a name for the group and click Add. To assign computers to the new group right-click on the computer, select Change Membership, enter the names of the groups to which it will belong, and click OK. However, you cannot see any computers until you have configured one or more clients to point to the WSUS server, which was covered in the last section. Add the domain controller to your new group as shown in figure 2.

Figure 2: Assigning a Computer to a WSUS Group.

Processing Updates

By default, the sequence for a new update is for Microsoft to publish it on Microsoft Update, then the WSUS server download metadata for the new update, the administrator either approves or rejects the update, if its approved WSUS will download the full update and make it available to clients. There are some kinds of updates that you may want to have WSUS distribute immediately without the administrator needing to intervene, for example, critical security updates or revisions to previously approved updates. To updates to be automatically approved and deployed to clients click on Automatic Approvals in the details pane. You can enable the default rule or add your own on the Update Rules tab. Rules can be defined based on update classification and product, and the computers to which it applies. Click the Advanced tab to configure automatic updates for WSUS itself and revisions to updates that have already been approved.

To manually approve and decline updates click on All Updates, which is below the Updates node in the navigation tree. Use the Approval and Status dropdown lists to filter what updates are displayed in the details pane, as shown in figure 3.

Figure 3: Managing Updates.

 Click on an update in the list to see information about it in the details pane and commands for processing it in the actions pane. If you double-click an update WSUS will generate a report including a brief description and an approval summary. If you right-click on an update a menu with the same commands available in the actions pane appears. Ideally, in a production setting you would download and test each update on a variety of computers that are representative of those on your network, then approve them on the WSUS server. Clients would download and install them automatically.

If you have problems synchronizing the WSUS server with Microsoft Update make sure that the server is able to reach Microsoft Update or an upstream WSUS server. Verify that any firewalls and proxy servers are configured to support the WSUS server. If the WSUS server is configured to synchronize with an upstream WSUS server verify that the URL is correctly configured. WSUS clients may run into similar issues, verify that URL is correctly spelled in the GPO and that the client computers are within the GPO’s scope of management.

Note: You can also manage WSUS 3.0 from a command prompt using the wsusutil tool, however its unlikely that this will appear on the exam.

Everything Plus the Kitchen Sink!

It sometimes seemed that that is what the vendors of enterprise management suites were promising their potential customers. They could monitor, centralize log management, deploy software and updates, maintain a configuration management database, and predict stock market trends months in advance! Remember that ISP I worked for that I mentioned in chapter 19? The ISP’s senior executives bought one of those multi-million dollar suites (not Microsoft’s SMS either, by the way). The idea was that the suite could be used to manage all of the platforms that the ISP offered in its managed web hosting business; that included several flavors of UNIX, a couple more of Linux, and Windows NT.  Then they hired a team of 4 or 5 engineers dedicated to deploying and managing the suite. They paid the vendor millions more for consultants. After three years they were able to ping monitor the servers, i.e. ping all of the web servers across the 10 datacenters to make sure they were still running. Woot!

A year later they had managed to get more working on the UNIX and Linux servers, but they still couldn’t deploy updates to the ones running Windows. Management refused to buy another product to manage the Windows servers, the engineers were going to get the damned suite to work! NIMDA and Code Red hit a year after that. That’s when the running joke amongst my former colleagues appeared: the securest servers were those compromised by script kiddies since they were installing the latest updates to keep other attackers out. Dozens of Windows servers were lost. The ISP brought in consultants and support engineers from Microsoft to help with the recovery, which took months. I still wonder how many customers they lost just because they didn’t have the tools to deploy patches across thousands of servers. It did not surprise me when my former employer went into bankruptcy the following year.

  Capture Performance Data

Tracking system performance proactively can help you to avoid future problems. Knowing how to do so when the server is not operating as you expect makes it possible for you to more accurately determine what components are at fault. Open Reliability and Performance Monitor from the Administrative Tools folder. Using this tool to monitor system performance was covered briefly in Maintaining the Active Directory Environment, this section will cover it in greater detail. You use Reliability and Performance Monitor to track how Windows is utilizing system resources, it can help you to track down potential performance bottlenecks such as CPU utilization or lack of physical RAM. You can also determine how applications are consuming the various system resources. A thorough analysis can help you to decide the best path to improve performance:

• Scale up by upgrading hardware in the server.
• Scale out by distributing the workload across additional servers.
• Improve the application’s efficiency by modifying code or making configuration changes.

Using Performance Monitor

Reliability and Performance Monitor displays a summary of resource usage when you select the parent node, Reliability and Performance, in the navigation tree. Grey bars for CPU, disk, network, and memory are also visible, each has a white triangle at the extreme right that toggles between summary and detailed view. This view is useful for monitoring resource usage across the entire system. For a better look at the power of this tool click on Performance Monitor in the navigation tree. To dig into the details of resource utilization you add performance counters by clicking on the add button (the green plus symbol) at the top of the graph or by right-clicking anywhere on the graph and selecting Add counters. Scroll down the Available Counters list until PhysicalDisk is visible, click on the plus symbol to expand the category, as shown in figure 4.

Figure 4: Adding Performance Counters.

Click on Disk Read Bytes/sec, then control-click on Disk Reads/sec, Disk Write Bytes/sec, and Disk Writes/sec. Select 0 C: (or whatever the system volume is on the server) from the list of Instances of selected object. Click Add then click OK. You can see colored lines for each counter in the graph, and the list of counters below the graph including that line represent each. You can hide a counter from the graph by toggling the checkbox in the Show column. The default view shows the last two minutes of data, you can switch to histogram view if you want to see a real-time view of activity for each counter by selecting the Change graph type button at the top of the graph. There are other buttons above the graph to change the graph’s appearance, to freeze the display, are to resume the display.

Where Do I Go From Here?

In the real world it can be challenging to determine which counters to track and what the normal range is for each. You do not need to know exactly what each means for the exam, however I want to give you some practical guidance on how to utilize Performance Monitor. I suggest that you monitor the servers you manage when they are performing normally under various situations, record short logs of key counters such as CPU, disk, network, and memory when the server is under heavy load, normal load, and light load. What else should you track? That depends on the server role. If it’s a DC counters for Server, Server Work Queues, and Netlogon would be a good start. If it’s a web server look for counters relating to IIS, Web Service, HTTP, .NET, and ASP.NET. For a Network Access Control infrastructure server you would want to watch counters available under the various NPS categories, if IPSec is used for NAC enforcement you may also want to watch the IPSec counters. What is important is that you gather a minute or two of data under various conditions when things are working, then when that dreaded day arrives and things get too interesting you can compare the data from the heaving server with that idyllic day so long ago. Microsoft has some useful guidance online to help with this type of troubleshooting, one article is noted at the end of the chapter. Searching the TechNet and main Microsoft websites for the term ‘troubleshooting with performance monitor’ will bring up a long list of others.

Using Data Collector Sets

You employ Data Collector Sets to store performance counters that can be reused on the same computer or copied to others. You create a set by right-clicking on User Defined in the navigation tree and selecting New, then Data Collector Set. Enter a name for the set and make sure Create from a template (Recommended) is selected then click Next. Select the Systems Diagnostics template, then click Next, complete the wizard using the default values. To begin recording data right-click on your set in the navigation tree and select Start. Now right-click on the set and select Properties. You use the various tabs to configure a schedule to start the set; conditions to stop the set, and a schedule task to execute when the set is as shown in figure 5. This means that you could collect performance data at various times as described earlier without having to be present at the server console.

Figure 5: Viewing the Properties of a Data Collector Set.

 Using Reliability Monitor

Reliability Monitor presents a very different view of the computer. It automatically records data about events that might impact system stability starting when the installation of the operating system is complete. It tracks the installation and removal of applications, updates, and service packs. It also records information about failures such as application crashes and hardware errors. Click on Reliability Monitor in the navigation tree of Reliability and Performance Monitor. You can select a date by clicking on it in the System Stability Chart or you can click the dropdown list in the upper right corner of the details pane to select one. Consider figure 6 for example, you can see that the system time was changed and that several updates were installed.

Figure 6: Using Reliability Monitor.

The numerical value for Index, to the right of the chart, is the System Stability Index for that date. The System Stability Index is recorded on the chart as a black line. Days with significant events a marked with an icon, a small blue bubble with the letter i. Rows appear at the bottom of the chart to show what class of significant event happened on that day. Click on an icon to display the System Stability Report for that date.

 Monitor Event Logs

Using Event Viewer was discussed in Maintaining the Active Directory Environment, please read that section before proceeding. Instead that reiterating the basic tasks described in that earlier chapter this section will provide more detailed information on advanced ones. Open Event Viewer from the Administrative Tools folder. There are two nodes in the navigation tree that you need to explore more thoroughly: Custom Views and Subscriptions.

Custom Views

First, let’s briefly review filtering, expand the Windows Logs node and click Application in Event Viewer. Click Filter Current Log in the actions pane to display the Filter Current Log dialog box, as shown in figure 7. Note all of the options for limiting what events are displayed, learning how to filter effectively significantly increases the value of the information in the event logs. For example, if backups are failing you can quickly drill down to events that are likely to be related by configuring Event sources to only include Backup and VSS. You can save a filter as a custom view by clicking Save Filter to Custom View in the actions pane. Specify which folder to save it to by navigating the folder tree, you can also click New Folder to create additional folders.

Figure 7: Filtering Event Logs.

Expand the Custom Views folder, then expand the Server Roles folder and select File Server in the navigation tree. This is one of a handful of custom views built into Windows Server 2008. Right-click the Custom Views folder and select Create Custom View, a dialog box appears that is virtually identical to the one shown in figure 7. An important difference is that you can pull events from multiple logs by clicking the Event logs dropdown list and specifying which to include. Another difference is that the User and Computer text boxes are disabled, however, if you save a custom view and later edit it you can specify values in each. To modify a saved custom view right-click on it, select Properties, then click Edit Filter, as shown in figure 8.

Figure 8: Modifying a Custom View.

If you want to reuse a custom view on a different computer export it by right-clicking on the custom view and selecting Export Custom View. Then copy the file to a location on the other computer and use the Import Custom View command in Event Viewer to use it on the second system.

Subscriptions

A subscription allows you to collect and store events from a different computer. To enable this capability you must first make several configuration changes on each system.

1. On the source computer, open a command prompt with administrative privileges.
2. Enter winrm quickconfig, enter y when prompted to verify the command.
3. On the collecting computer, open a command prompt with administrative privileges.
4. Enter wecutil qc, enter y when prompted to verify the command.

You also need to add the computer account of the collecting computer to the couple of groups on the source computer, to do so perform the following actions:

1. Open the Computer Management console on the source computer,
2. Expand Local Users and Groups, select Groups, right-click on Administrators, and select Properties.
3. Click Add,
4. Click Object Types, enable Computers, click OK.
5. Type the name of the collecting computer in the Enter the object names to select text box, click OK twice more to close the dialog boxes.
6. Repeat steps 2 through 5 to add the collecting computer to the Event Log Readers group.

You can now create subscriptions on the collecting computer. To create a new subscription do the following:

1. Right-click on Subscriptions in the navigation tree in Event Viewer and select Create Subscription.
2. Enter a name for the subscription, and optionally a description, as shown in figure 9.

Figure 9: Creating a Subscription

3. Make sure Collector initiated is selected, then click Select Computers.
4. Click Add Domain Computers, type the name of the source computer in the Enter the object name to select text box and click OK twice.
5. Click Select Events and use the Query Filter dialog box, which is identical to the Create Custom View dialog box, to specify what events to record.
6. Verify By log is enabled, then select System log form the Event Logs dropdown list as shown in figure 10.

Figure 10: Configuring a Query Filter.

7. Click OK twice.

Click on the Forwarded Events log in the Windows Logs folder, it will probably be empty. Stop and restart several non-critical system services on the source computer then refresh the view of the Forwarded Events log on the collecting computer. Note that it may take a few minutes for the collecting server to pull the events from the source server. Although collecting log file in a centralized location using this method requires some effort it’s a powerful administrative capability that is not included in Windows Server 2003 or Windows 2000 Server. By collecting events from numerous servers in a central location you can greatly simplify analyzing and responding to situations as they emerge. You can configure automated tasks such as sending email alerts or executing scripts for events that merit an immediate response.

  Gather Network Data

Maintaining the Active Directory Environment includes detailed information about how to configure and utilize Network Monitor, take a look at the section entitled “Using Network Monitor.” This section will focus on configuring the Simple Network Management Protocol (SNMP) and using the Microsoft Baseline Security Analyzer (MBSA).

Implementing Simple Network Management Protocol

SNMP is a firmly established protocol that has been supported by a wide range of information technology products for many years. It has one glaring weakness though: no concerns about security appear to have crossed the minds of those who created the standard. All communications are done in plaintext and there is no authentication mechanism. A rudimentary form of authentication is provided by the use of community strings, devices supporting SNMP only respond to requests from other devices that share the same string, this isn’t true authentication though and since the string is easily seen in plaintext in each SNMP message it provides no protection from malicious users. You can also configure devices to only respond to requests from specific host names, this is a small hurdle for a skilled attacker though. SNMP can be used to configure devices on the network I strongly recommend that you disable this capability on all SNMP-capable devices you manage. I remember when the first version of the protocol was evolving in 1988, the computer trade magazines seemed to compete with one another predicting how SNMP would resolve virtually all management problems. If only! However, SNMP does have value: it can be used to gather configuration information from systems for reporting and diagnostics purposes. In SNMP there are managed devices that run SNMP agents and network management systems that can send requests to the agents. Windows Server 2008 includes an SNMP agent but you will need an SNMP-capable network management system to access system information via SNMP. The SNMP agent supports both IPv4 and IPv6.

To install the SNMP agent use the Add Features Wizard in Server Manager, select SNMP Services and both of the sub-features, SNMP Service and SNMP WMI Provider from the list of available features. You configure SNMP settings locally from the properties dialog box for the SNMP Service from the Services console. You can also configure a few SNMP settings using group policy in the following location: Computer Configuration\Administrative Templates\Network\SNMP. To configure SNMP do the following:

1. Open Services from the Administrative Tools folder.
2. Right-click on SNMP Service and select Properties.
3. Click the Agent tab.

You can specify a contact person, the physical location of the system, and which types of information the SNMP service will collect.

4. Click the Traps tab.

You can specify the community name and a list of hosts where event notifications, called SNMP traps, will be sent.

5. Type a name in the Community name text box and click Add to list.
6. If you have a network management system click Add and enter its host name or IP address.
7. Click the Security tab,

You can define the list of accepted community names and whether to accept requests from a specific list of hosts (recommended) or from any host (NOT RECOMMENDED).

8. Click Add below Accepted community names to specify a new community name to allow. Note carefully the Community rights drop down list, by default it is set to READ ONLY, be sure to implement security measures beyond what SNMP supports before selecting READ WRITE or READ CREATE, as shown in figure 11.

Figure 11: Configuring the SNMP Service.

9. By default SNMP requests are only accepted from localhost, which is assigned the IP address 127.0.0.1 in the HOSTS file, the address of the local computer. To add other hosts click Add below Accept SNMP packets from these hosts, as shown in figure 12.

Figure 12: Filtering SNMP Hosts

Important: If you use SNMP you can significantly increase the security of your network by implementing authentication and encryption at a lower layer of the network stack. For example, use IPsec so that all of the SNMP messages are encrypted and to ensure that SNMP agents only respond to requests from authorized network management systems.

 Using the Microsoft Baseline Security Analyzer to Monitor Server Security Configuration

MBSA is a free download available at the Microsoft Download Center. That’s a horrible URL to have to type into your browser, you can find it quickly by searching for “MBSA 2.1” on the Microsoft website. Install MBSA with the default settings then click on Microsoft Baseline Security Analyzer 2.1 on the Start menu to launch it. Click Scan a computer, enable Advanced Update Services Options and select Scan using assigned Windows Server Update Services (WSUS) servers only, as shown in figure 13. This allows MBSA to determine what updates should be installed by contacting your WSUS server rather than Microsoft Update. If you enable Configure computer for Microsoft Update and scanning prerequisites MBSA will automatically install or update the Windows Update Agent on each computer that is scanned.

Figure 13: Configuring an MBSA Scan.

After the scan is complete MBSA will display a report of the results. Carefully examine the report, you should be skeptical any item which is marked as failed because MBSA assumes many things which may or may not be valid for your environment. For example, MBSA asserts that there should be no more than two administrators on a computer, this may be true in many scenarios, however there are numerous situations where its normal to have more than two accounts with administrative privileges. For example, we added the computer account of the collecting computer to the Administrators group to enable event log subscriptions. I do not mean to suggest that MBSA is not useful, it can be very useful, but you have to know how to interpret the results and you have to invest some time doing so. This holds true for any vulnerability assessment tool, blindly accepting the results can lead to stressful overreactions. When I was working at that ISP years ago I had a furious customer call because they had hired consultants to scan their systems for security problems. The consultants were worthless, all they did was run a commercial scanning tool with the default settings and print out a 1000 page report showing nearly 100 critical issues for each of their 8 servers. I spent hours reading through each issue and documenting why the results were as expected. In many cases the results were patently absurd, the fact that SQL Server was not installed on the system causes a couple of dozen errors because various SQL Server-specific settings were not configured. Why would they be configured if the software is not installed? Other issues in the report were mitigated by compensating controls, e.g. SMB was enabled, but only on the backend management network, not on the public facing network. I learned a lot going through the report, and then spent a great deal of time educating the customer on how to interpret it. Because of the effort we did discover and correct a couple of legitimate issues so the scanning tool was useful, my frustration arose from the lack of professionalism displayed by the consultants who made no effort to help the customer understand the report.

 Summary

This chapter showed you how to administer tools for monitoring networked Windows Servers. It also introduced two to implement several technologies not discussed in previous chapters: SNMP, WSUS, and the Baseline Security Analyzer. With the information you learned in this chapter you should have a solid foundation to prepare you for exam 70-642, however I encourage you to dig more deeply into what was presented in the References section at the end of the chapter.

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply a few questions may require you to examine those tools further rather than rereading the chapter.

Questions

1. You download WSUS from Microsoft’s website and attempt to install it but you encounter an error message before the installation is complete. What is the most likely issue?
   1. You downloaded an out-of-date version of WSUS.
   2. Windows Server 2008 does not support the version of WSUS available online, you need to install it using the Add Features Wizard in Server Manager instead.
   3. You have not installed web server role and server role services required by WSUS.
   4. You are trying to install WSUS on a server that has the Active Directory Certificate Services role installed, they are not compatible.
2. Which of the following is something that you do not need perform manually before installing WSUS on a computer running Windows Server 2008?
   1. Install the Web Server role.
   2. Install the ISAPI Features, ISAPI Extensions, and ASP.NET role services.
   3. Edit the applicationhost.config file.
   4. Install the Management Service role service.
3. You install WSUS on a member server, you configure Microsoft Update on the client computers with the address of the WSUS server, you synchronize WSUS with Microsoft Update to pull down updates, you change the status of several updates to Approved. No Windows Vista clients are pulling updates from the WSUS server, which of the following is the most likely issue?
   1. You did not add the clients to any WSUS groups on the server.
   2. You did not install the WSUS agent software on the client computers.
   3. You did not reboot the WSUS server after synchronizing it.
   4. You did not install the Web Server role and the necessary role services on the WSUS server.
4. You manage a public facing web server and start to hear reports that the server seems slow sometimes, even late at night when you would expect fewer visitors, what should you do to help isolate the issue?
   1. Stay at work overnight and use Performance and Reliability Monitor to observe the relevant performance counters in real time.
   2. Manually examine the IIS log files.
   3. Purchase several more computers and install the same software as what is on the current web server, use load balancing to distribute the workload across all of the systems.
   4. Create a new data collector set and schedule it to run periodically then analyze the logged data.
5. Which of the following tools would not help you to determine when a particular Windows update was installed on a computer?
   1. Reliability and Performance Monitor.
   2. WSUS.
   3. Device Manager.
   4. Event Viewer.
   5. Windows Update in Control Panel.
6. Your organization uses WSUS to deploy updates to computers running Windows Vista. Your manager has instructed you to configure automated deployment of patches for a vendor of a popular program for reading portable documents that users often download from the Internet and receive via email from other people. The vendor of this application is not Microsoft. What should you do?
   1. Use the Import Updates command in WSUS to pull the updates from the vendor’s website.
   2. Use the Products and Classifications dialog box in WSUS to add the vendor’s product to the list of products to be synchronized.
   3. Open a command prompt on the WSUS server and execute wsuscmd /URL:%address% where %address% is the address where the vendor publishes patches.
   4. Use group policy to distribute the patches.
7. You have been using Event Viewer to analyze audit events recorded in the security event log, while doing so you spent a significant amount of time customizing the filter to ensure that only the events relevant to your analysis are visible. You need to perform a similar analysis on several other servers, what should you do?
   1. Save the filter as a custom view, import the custom view on the other servers.
   2. Create a group policy that includes the filter settings.
   3. Create a script using eventvwr.exe that includes the desired filter settings.
   4. Use the Save Events As command from the action pane of event viewer.
8. You want to collect events from a remote server. You execute the command line utilities winrm on the remote computer and wecutil on the collecting computer. You then create a subscription on the collecting computer but when you check its status you notice a access denied error message. What is the most likely problem?
   1. You used the wrong syntax when you used the winrm utility.
   2. You are not logged on with an account that has administrative privileges.
   3. You need to stop and restart the Windows Event Log service on the remote computer.
   4. You need to add the computer account of the collecting computer to the local administrators group on the remote computer.
9. What two features provide all of the security built into the SNMP service? (pick 2)
   1. Accepted community names.
   2. MS-CHAP.
   3. SNMP agent name.
   4. Authentication traps.
   5. Trap destinations.
   6. IPsec.
10. You want to use SNMP for some aspects of managing and monitoring computers running Windows Server 2003. You are concerned about unauthorized configuration changes, what are some things you could do to minimize the risk of compromise?
    1. Configure the community rights to NONE.
    2. Configure the community rights to READ ONLY.
    3. Deploy IPsec on the servers and management systems.
    4. Implement Windows Authentication for the SNMP service.
    5. Implement Secure Sockets Layer (SSL) authentication and encryption on the servers and management systems.
11. What should you do when analyzing an MBSA report?
    1. Highlight all critical failures and immediately report them to your organization’s executive management team.
    2. Click on the How to correct this link for each failed item and immediate implement the suggested course of action.
    3. Look for a new position in a different organization.
    4. Do nothing, MBSA reports are only for compliance reporting.
    5. Examine each failed item and consider its significance in your unique environment, take corrective actions when it makes sense while following your organization’s policies.

Answers

1. C is correct. While the WSUS installation wizard will install the Windows Internal Database if necessary, there are several other required components that it will not install.
2. D is correct, all of the other procedures must be performed before the wizard is launched.
3. A is correct. B is wrong because computers running Windows Vista should be able to retrieve updates from WSUS; C is wrong because you do not need to reboot the server after synchronizing, and clearly D is wrong because the installation of WSUS was successful.
4. D is correct. A might work, but its probably premature to take that step. B is wrong because while the IIS log files do contain a lot of information they probably do not contain what you need, I say ‘probably’ because its possible that the log files will show an unexpected pattern of usage by visitors or even a malicious attack. Another way you could eliminate B from the list of likely answers is the fact that IIS is not a significant part of this exam, but rather exam 70-643. C is wrong because you have not yet determined that scaling out is the most efficient way to resolve the issue.
5. C is correct. There are often multiple ways to accomplish a task or gather data in Windows Server 2008, you could also check the system registry with regedit, use WMI,  or use Windows Explorer to examine the files in %systemroot%\servicing\Packages, however I think that Windows Update is the easiest to check a computer while you are at the console and WSUS if you when remote.
6. D is correct, none of the other possibilities will work because WSUS is not designed to support third-party software.
7. A is correct.
8. D is correct. This is one of the manual steps required to enable subscriptions in Event Viewer.
9. A and D are correct, its not much. There is no challenge-response handshake, password hashing, or encryption involved and the community name is transmitted in plaintext.
10. B and C are correct. Setting the community rights to NONE will configure the server to stop processing SNMP requests, SNMP does not support Windows Authentication, and while SSL is used often for securing web-based transactions its not integrated with the SNMP service.
11. E is correct, MBSA is useful but effective interpretation of a report requires a solid understanding of the technology, familiarity with the organization’s configuration, and awareness of any compensating controls that mitigate reported vulnerabilities.

References

Microsoft Windows Server Update Services.

Download Windows Server Update Services Service Pack 1.

Step-by-Step Guide for Performance and Reliability Monitoring in Windows Server 2008.

Events and Errors is an online list of all of the events that might appear in the built-in event logs with descriptions of each.

Microsoft Baseline Security Analyzer.