2008 R2 ADS Vocabulary - Session 6

Question 1

Certificate Authorities

Answer 1

Secure communication of data over a network can be achieved by encrypting the data. You can encrypt the data before transmission by using a key and decipher it by using the same key after it reaches the desired location. You can ensure security of data by sharing the key only between trusted objects.
When configuring a CA you need to specify its type.

Question 2

Enterprise Root CA or Enterprise Subordinate CA

Answer 2

Enterprise CAs are integrated in Active Directory Domain Services (AD DS).

Question 3

Enterprise CAs are integrated in

Answer 3

Active Directory Domain Services (AD DS). These CAs use certificate templates, and publish their certificates and CRLs to AD DS. Certificate templates are predefined configurations that enable a CA to create new certificates by using predefined settings. Information in an AD database is used to approve or deny a certificate enrollment request automatically.

Question 4

An enterprise CA can be specified as a

Answer 4

root or subordinate CA. Only one root enterprise CA is permissible in a root hierarchy. All the other CAs in the hierarchy should be enterprise subordinate CAs, which obtain certificates from the root enterprise CA and can issue certificates.root or subordinate CA. Only one root enterprise CA is permissible in a root hierarchy. All the other CAs in the hierarchy should be enterprise subordinate CAs, which obtain certificates from the root enterprise CA and can issue certificates.

Question 5

Stand-Alone Root CA or Stand-Alone Subordinate CA

Answer 5

Stand-alone CAs do not use certificate templates and do not require AD DS. These CAs do not respond to certificate enrollment requests automatically.

Question 6

A stand-alone CA can be specified as a

Answer 6

root CA with a stand-alone subordinate CA. If only one stand-alone CA is created then it should be a root CA, because every CA hierarchy should be traceable to a root CA.

Question 7

A root CA is the

Answer 7

first role service that is installed in AD CS.

Question 8

After setting up a root CA, a subordinate CA can also be installed in the

Answer 8

hierarchy of the PKI of an organization to secure the root CA. The root CA can issue a certification to the subordinate, which in turn can then reply to requests for certificates from users.

Question 9

Setting up an enterprise subordinate CA requires

Answer 9

a network connection to a domain controller.

Question 10

Configuring Autoenrollment

Two tasks need to be completed to automatically enroll clients for certificates in a domain environment:

Answer 10

• Configure a certificate template with Auto-enroll permissions
• Configure an autoenrollment group policy within the domain

Question 11

A CA evaluates

Answer 11

certificate requests and issues certificates, if the predefined conditions set for allocating certificates to requesters are fulfilled.

Question 12

The allocation of a certificate to an entity or a user is known as

Answer 12

certificate enrollment

Question 13

. A user needs to submit a request for a certificate to a

Answer 13

CA

Question 14

The format of the request, such as PKS #10 or PKS #7, should be able to specify

Answer 14

the identity of the user requesting the certificate.

Question 15

The CA issues the certificate to the

Answer 15

requester after verifying the identity of the requester.

Question 16

When a CA receives an enrollment request, the following actions take place:

Answer 16

• The CA decrypts the digital signature in the certificate
• The CA performs a hash on the request
• The CA digitally signs the user’s public key
• The user distributes copies of its X.509 certificate
• Entities authenticate the user’s X.509 certificate

Question 17

Issuing the Certificate Template

After configuring a certificate template for autoenrollment and configuring the GPO settings, you need to

Answer 17

issue the certificate template. This will ensure that certificates requested based on the certificate template will be automatically processed by the CA. Some certificate templates, by default, are already configured to be issued.

Question 18

If the certificate template is not already configured, then you need to configure

Answer 18

configure the template in the Certification Authority console.

Question 19

Configuring Default CA Settings

The administrator can configure two default actions that a CA can take on receiving a certificate request:

Answer 19

• The certificate request can be automatically approved by the CA
• The CA administrator can review the request, which changes the status of the request to pending in the CA, and take appropriate actions

Question 20

Issued certificates can be stored locally on the

Answer 20

computer or device that requested the certificate. .

Question 21

Certificates that are issued by a CA are stored

Answer 21

in the CA’s certificate store

Question 22

When a certificate is issued, it is copied to

Answer 22

FileName.cer,

Question 23

where FileName is the

Answer 23

request ID of the certificate request. The file is copied to the CertEnroll folder on the CA.

Question 24

CONFIGURE CA SERVER SETTINGS

Answer 24

Assigning Roles to Users

Question 25

Assigning Roles to Users

Answer 25

The administration of an organization or any other group can be divided according to roles. The administration of a CA can be organized by using separate CA roles. This administration is known as role-based administration.
In a CA, a role is assigned to a user by assigning the security settings of the role. Security settings associated with a role are specific for every role.

All roles in a CA are assigned and modified by the members of local Administrators, Enterprise Admins, or Domain Admins groups. In an enterprise CA, the role of the administrator is assigned to the members of these groups by default.
In a stand-alone CA, the role of the CA administrator is only assigned to the members of the Local Administrators group. By default, the administrator role is also assigned to the members of the Domain Admins group in a stand-alone CA, if the stand-alone CA is joined to an Active Directory domain.

Question 26

There are four roles that can be assigned to users in a CA:

Answer 26

Certificate Manager
Auditor
CA Administrator
Backup Operator

Question 27

Certificate Manager

Answer 27

can approve certificate enrollment and revocation requests. This role can be configured by using the Certification Authority snap-in.

Question 28

Auditor

Answer 28

can configure, maintain, and view audit logs. This role is an operating system role.

Question 29

CA Administrator

Answer 29

The CA administrator can renew a CA certificate and assign all the other roles to the users. This role is a built-in account in a CA by default and it can be configured by using the Certification Authority snap-in.

Question 30

Backup Operator

Answer 30

can perform system backup and recovery.

Question 31

The Issue and Manage Certificates permission is assigned to this role.

Answer 31

Certificate Manager

Question 32

The Manage Auditing and Security Log permission is assigned to this role.

Answer 32

Auditor

Question 33

A user who has been assigned the CA administrator role can configure and maintain a

Answer 33

CA Administrator

Question 34

The Manage CA security permission is assigned to this role.

Answer 34

CA Administrator

Question 35

The Backup Files and Directories permission and the Restore Files and Directories permission are assigned to this role.

Answer 35

Backup Operator

Question 36

Backing Up and Restoring a CA

Answer 36

You need to back up the CA database to a different location so that it can be restored in the case of a system failure.

Question 37

The CA administrator, members of the Backup Operators group, or users with the same privileges can perform the

Answer 37

CA backup process.

Question 38

The CA administrator, members of the Backup Operators group, or users with the

Answer 38

the same privileges can perform the restoration process of a CA.

Question 39

The restoration process only needs to be carried out for a CA, because a CA can be restored without

Answer 39

without restoring the server.

Question 40

MANAGE CERTIFICATE TEMPLATES

Certificate Templates

Answer 40

AD CS in Windows Server 2008 R2 enables you to issue and manage certificates for a PKI. A PKI includes several CAs, directories, and resources that provide validation and revocation information for the certificates.

Question 41

If your computer is running Windows Server 2008 R2, AD CS will enable you to

Answer 41

• Receive requests for certificates from users and computers
• Verify the identity of a requestor
• Issue and revoke certificates
• Publish a CRL

Question 42

A CRL is a

Answer 42

digitally signed list of unexpired certificates revoked by a CA administrator.

Question 43

Certificate templates are a set of

Answer 43

rules and settings configured for a CA that are applied to incoming certificate requests.

Question 44

Enterprise Certificate templates are stored in

Answer 44

AD DS

Question 45

This enables them to be used by all CAs in a forest and ensures that the CAs have access to the current standard templates.

Answer 45

Enterprise Certificate templates

Question 46

Some default certificate templates available in Windows Server 2008 R2-based enterprise CAs are as follows:

Answer 46

• Computer
• Cross-Certification Authority
• Directory E-mail Replication
• CEP Encryption
• Code Signing
• Domain Controller
• Domain Controller Authentication
• EFS Recovery Agent

Question 47

Microsoft CAs support three types of certificate template versions:

Answer 47

• Version 1 - Windows Server 2000 and Windows Server 2003 Standard Edition CAs (support for version 1)
• Version 2 - Windows Server 2003 Datacenter and Enterprise Edition CAs (support for versions 1 and 2)
• Version 3 - Windows Server 2008 R2 CAs (support for versions 1, 2, and 3)

Question 48

The permissions that you can assign to a certificate template are as follows:

Answer 48

• Full Control
• Enroll
• Autoenroll
• Read
• Write

Question 49

MANAGE ENROLLMENTS

Configuring an RA and the NDES

Answer 49

Configuring an RA and the NDES

Question 50

The Simple Certificate Enrollment Protocol

Answer 50

(SCEP)

Question 51

The Simple Certificate Enrollment Protocol ) is a communication protocol that

Answer 51

that authenticates the software running on network devices such as routers and switches.

Question 52

Windows Server 2008 R2 implements SCEP through Network Device Enrollment Service (NDES).

Answer 52

(NDES).

Question 53

In addition to authenticating software running on network devices, NDES does the following:

Answer 53

• It recovers certification requests that are pending with a CA
• It accepts authentication requests
• It prepares and sends one-time enrollment passwords for administrators

Question 54

Enrolling for a certificate with NDES involves the

Answer 54

software used to manage the network device, the Registration Authority (RA), the computer hosting NDES, and the CA.

Question 55

To set up and use NDES, perform two steps:

Answer 55

configure a user account to act as an RA for certificate requests, and then configure and install NDES.

Question 56

To configure a user account to serve as the RA that NDES will use to authorize certificate requests,

Answer 56

add the user account to the IIS_IUSRS group.

Question 57

This group is a built-in security group that

Answer 57

HS uses to establish and work with remote connections. No user is a member of the IIS_IUSRS group by default.

Question 58

Installing the Web Enrollment Service

Answer 58

Certification Authority Web Enrollment service enables users outside a domain to obtain new and renewed certificates from a CA over the Internet or over an intranet connection, via a web-based enrollment process.

Question 59

Submitting Certificate Requests

Answer 59

As a user, you access the AD CS web page for enrolling with a CA by opening a web browser and navigating to the URL for the certificate server. The URL can include the server’s name or IP address, followed by /certsrv.

Question 60

Configuring Enrollment Agents

Answer 60

In an organization with multiple branches and Enterprise CAs in the PKI, you can enable enrollment agents to send enrollment requests on behalf of clients. Enrollment agents may be members of the corporate security, IT security, or helpdesk teams.
Each of the enrollment agents must be issued with an enrollment agent certificate from a CA.

Question 61

Windows Server 2008 R2 enables different types of enrollment agents by making use of various certificate templates:

Answer 61

Enrollment Agent
Enrollment Agent (computer)
Exchange Enrollment Agent (offline request)
Configuring Smart Card Enrollment

Question 62

Enrollment Agent

Answer 62

Agent template enables a user to request certificates on behalf of other users.

Question 63

Enrollment Agent (computer)

Answer 63

template enables a user to request certificates for computers.

Question 64

Exchange Enrollment Agent (offline request)

Answer 64

The Exchange Enrollment Agent (offline request) template enables a user to request certificates on behalf of another user and to provide the subject name in the request. This template is used by NDES for its enrollment agent certificate.
Only members of the Enterprise Admins and CA administrator groups, or those with equivalent privileges, can configure an enrollment agent.

Question 65

Configuring Smart Card Enrollment

Answer 65

A smart card is a small electronic device that contains electronic information. A PKI certificate can be granted for a smart card to secure smart card transactions, such as computer logons.
J In Windows Server 2008 R2, users can request smart card certificates via a smart card enrollment station.

Question 66

Smart card enrollment stations are useful because they

Answer 66

• Simplify the physical preparation of the cards that need to be issued
• Reduce the possibility of certificate service interruption
• Prevent users from validating their own identification and issuing their own certificates

Question 67

CERTIFICATE REVOCATION

Install an Online Responder

Answer 67

Windows Server 2008 R2 provides built-in CA digital signature technology within AD CS.
When any certificate is issued, it has a validity period defined by a CA administrator. Usually this is one or two years. The certificate contains the digital signature of the certificate issuer, and a user’s public key and identity. The user is also issued a corresponding private key.

Question 68

A CRL is a

Answer 68

a digitally signed list of unexpired certificates that a particular CA has revoked.

Question 69

. A CA may revoke an otherwise valid certificate if, for example,

Answer 69

the private key associated with the certificate has been compromised.

Question 70

A CRL, like a certificate, is valid only for a

Answer 70

specified period to ensure that it does not apply after a certain amount of time.

Question 71

The AD CS supports two types of CRLs.

Answer 71

A Base CRL

A Delta CRL

Question 72

A Base CRL

Answer 72

is a full, initial set of revoked certificates

Question 73

A Delta CRL

Answer 73

lists only certificates that have been revoked since the last full Base CRL was implemented.

Question 74

A CRL Distribution Point

Answer 74

(CDP)

Question 75

(CDP)

Answer 75

) is a certificate extension that indicates where the CRL for a particular CA can be retrieved. For each revoked certificate, you need to identify a corresponding CDP.

Question 76

A CRL can be published to different

Answer 76

different locations using Lightweight Directory Access Protocol (LDAP), HTTP, or file paths. Using CDPs enables PKI administrators to locate and access a relevant CRL so that they can manually update the entries it contains. These entries are valid only for a specified time period.

Question 77

A CDP may be located in the following places:

Answer 77

Active Directory (AD)

Question 78

Active Directory (AD)

Answer 78

You use the AD as the CDP to publish and store CRLs for enterprise CAs, which use certificate templates. PKI users can retrieve CRL data from an AD CDP using LDAP.

Question 79

A Local Directory

Answer 79

You use the local directory of a CA server as the CDP to store CRLs on stand-alone CAs, which do not require AD or the use of certificate templates. By default, stand-alone CAs hold all certificate requests in a pending queue until a CA approves them.

Question 80

Configure an Online Responder

To enable an Online Responder to enroll for signing certificates, you need to do the following:

Answer 80

• Configure the OCSP Response Signing template
• Include the URL for the Online Responder in the AIA extensions of the certificates
• Assign the OCSP Response Signing template to the CA
• Create a revocation configuration

Question 81

Publishing a CRL Manually

By default, AD CS automatically publishes

Answer 81

publishes an updated CRL within a publish period, which you set as the CA administrator. Clients that have a cached copy of the previously published CRL or Delta CRL will continue using it until its validity period has expired.