2008 R2 ADS Vocabulary - Session 6 Flashcards

1
Q

Certificate Authorities

A

Secure communication of data over a network can be achieved by encrypting the data. You can encrypt the data before transmission by using a key and decipher it by using the same key after it reaches the desired location. You can ensure security of data by sharing the key only between trusted objects.
When configuring a CA you need to specify its type.

2
Q

Enterprise Root CA or Enterprise Subordinate CA

A

Enterprise CAs are integrated in Active Directory Domain Services (AD DS).

3
Q

Enterprise CAs are integrated in

A

Active Directory Domain Services (AD DS). These CAs use certificate templates, and publish their certificates and CRLs to AD DS. Certificate templates are predefined configurations that enable a CA to create new certificates by using predefined settings. Information in an AD database is used to approve or deny a certificate enrollment request automatically.

4
Q

An enterprise CA can be specified as a

A

root or subordinate CA. Only one root enterprise CA is permissible in a root hierarchy. All the other CAs in the hierarchy should be enterprise subordinate CAs, which obtain certificates from the root enterprise CA and can issue certificates.

5
Q

Stand-Alone Root CA or Stand-Alone Subordinate CA

A

Stand-alone CAs do not use certificate templates and do not require AD DS. These CAs do not respond to certificate enrollment requests automatically.

6
Q

A stand-alone CA can be specified as a

A

root CA with a stand-alone subordinate CA. If only one stand-alone CA is created then it should be a root CA, because every CA hierarchy should be traceable to a root CA.

7
Q

A root CA is the

A

first role service that is installed in AD CS.

8
Q

After setting up a root CA, a subordinate CA can also be installed in the

A

hierarchy of the PKI of an organization to secure the root CA. The root CA can issue a certificate to the subordinate, which in turn can then reply to requests for certificates from users.

9
Q

Setting up an enterprise subordinate CA requires

A

a network connection to a domain controller.

10
Q

Configuring Autoenrollment

Two tasks need to be completed to automatically enroll clients for certificates in a domain environment:

A
  • Configure a certificate template with Auto-enroll permissions
  • Configure an autoenrollment group policy within the domain
11
Q

A CA evaluates

A

certificate requests and issues certificates, if the predefined conditions set for allocating certificates to requesters are fulfilled.

12
Q

The allocation of a certificate to an entity or a user is known as

A

certificate enrollment

13
Q

A user needs to submit a request for a certificate to a

A

CA

14
Q

The format of the request, such as PKCS #10 or PKCS #7, should be able to specify

A

the identity of the user requesting the certificate.

15
Q

The CA issues the certificate to the

A

requester after verifying the identity of the requester.

16
Q

When a CA receives an enrollment request, the following actions take place:

A
  • The CA decrypts the digital signature in the certificate
  • The CA performs a hash on the request
  • The CA digitally signs the user’s public key
  • The user distributes copies of its X.509 certificate
  • Entities authenticate the user’s X.509 certificate
17
Q

Issuing the Certificate Template

After configuring a certificate template for autoenrollment and configuring the GPO settings, you need to

A

issue the certificate template. This will ensure that certificates requested based on the certificate template will be automatically processed by the CA. Some certificate templates, by default, are already configured to be issued.

18
Q

If the certificate template is not already configured, then you need to configure

A

the template in the Certification Authority console.

19
Q

Configuring Default CA Settings

The administrator can configure two default actions that a CA can take on receiving a certificate request:

A
  • The certificate request can be automatically approved by the CA
  • The CA administrator can review the request, which changes the status of the request to pending in the CA, and take appropriate actions
20
Q

Issued certificates can be stored locally on the

A

computer or device that requested the certificate.

21
Q

Certificates that are issued by a CA are stored

A

in the CA’s certificate store

22
Q

When a certificate is issued, it is copied to

A

FileName.cer,

23
Q

where FileName is the

A

request ID of the certificate request. The file is copied to the CertEnroll folder on the CA.

24
Q

CONFIGURE CA SERVER SETTINGS

A

Assigning Roles to Users

25
Q

Assigning Roles to Users

A

The administration of an organization or any other group can be divided according to roles. The administration of a CA can be organized by using separate CA roles. This administration is known as role-based administration.
In a CA, a role is assigned to a user by assigning the security settings of the role. Security settings associated with a role are specific for every role.

All roles in a CA are assigned and modified by the members of local Administrators, Enterprise Admins, or Domain Admins groups. In an enterprise CA, the role of the administrator is assigned to the members of these groups by default.
In a stand-alone CA, the role of the CA administrator is only assigned to the members of the Local Administrators group. By default, the administrator role is also assigned to the members of the Domain Admins group in a stand-alone CA, if the stand-alone CA is joined to an Active Directory domain.

26
Q

There are four roles that can be assigned to users in a CA:

A

Certificate Manager
Auditor
CA Administrator
Backup Operator

27
Q

Certificate Manager

A

can approve certificate enrollment and revocation requests. This role can be configured by using the Certification Authority snap-in.

28
Q

Auditor

A

can configure, maintain, and view audit logs. This role is an operating system role.

29
Q

CA Administrator

A

The CA administrator can renew a CA certificate and assign all the other roles to the users. This role is a built-in account in a CA by default and it can be configured by using the Certification Authority snap-in.

30
Q

Backup Operator

A

can perform system backup and recovery.

31
Q

The Issue and Manage Certificates permission is assigned to this role.

A

Certificate Manager

32
Q

The Manage Auditing and Security Log permission is assigned to this role.

A

Auditor

33
Q

A user who has been assigned the CA administrator role can configure and maintain a

A

CA Administrator

34
Q

The Manage CA security permission is assigned to this role.

A

CA Administrator

35
Q

The Backup Files and Directories permission and the Restore Files and Directories permission are assigned to this role.

A

Backup Operator

36
Q

Backing Up and Restoring a CA

A

You need to back up the CA database to a different location so that it can be restored in the case of a system failure.

37
Q

The CA administrator, members of the Backup Operators group, or users with the same privileges can perform the

A

CA backup process.

38
Q

The CA administrator, members of the Backup Operators group, or users with the

A

same privileges can perform the restoration process of a CA.

39
Q

The restoration process only needs to be carried out for a CA, because a CA can be restored without

A

restoring the server.

40
Q

MANAGE CERTIFICATE TEMPLATES

Certificate Templates

A

AD CS in Windows Server 2008 R2 enables you to issue and manage certificates for a PKI. A PKI includes several CAs, directories, and resources that provide validation and revocation information for the certificates.

41
Q

If your computer is running Windows Server 2008 R2, AD CS will enable you to

A
  • Receive requests for certificates from users and computers
  • Verify the identity of a requestor
  • Issue and revoke certificates
  • Publish a CRL
42
Q

A CRL is a

A

digitally signed list of unexpired certificates revoked by a CA administrator.

43
Q

Certificate templates are a set of

A

rules and settings configured for a CA that are applied to incoming certificate requests.

44
Q

Enterprise Certificate templates are stored in

A

AD DS

45
Q

This enables them to be used by all CAs in a forest and ensures that the CAs have access to the current standard templates.

A

Enterprise Certificate templates

46
Q

Some default certificate templates available in Windows Server 2008 R2-based enterprise CAs are as follows:

A
  • Computer
  • Cross-Certification Authority
  • Directory E-mail Replication
  • CEP Encryption
  • Code Signing
  • Domain Controller
  • Domain Controller Authentication
  • EFS Recovery Agent
47
Q

Microsoft CAs support three types of certificate template versions:

A
  • Version 1 - Windows Server 2000 and Windows Server 2003 Standard Edition CAs (support for version 1)
  • Version 2 - Windows Server 2003 Datacenter and Enterprise Edition CAs (support for versions 1 and 2)
  • Version 3 - Windows Server 2008 R2 CAs (support for versions 1, 2, and 3)
48
Q

The permissions that you can assign to a certificate template are as follows:

A
  • Full Control
  • Enroll
  • Autoenroll
  • Read
  • Write
49
Q

MANAGE ENROLLMENTS

Configuring an RA and the NDES

A

Configuring an RA and the NDES

50
Q

The Simple Certificate Enrollment Protocol

A

(SCEP)

51
Q

The Simple Certificate Enrollment Protocol (SCEP) is a communication protocol that

A

authenticates the software running on network devices such as routers and switches.

52
Q

Windows Server 2008 R2 implements SCEP through Network Device Enrollment Service (NDES).

A

(NDES).

53
Q

In addition to authenticating software running on network devices, NDES does the following:

A
  • It recovers certification requests that are pending with a CA
  • It accepts authentication requests
  • It prepares and sends one-time enrollment passwords for administrators
54
Q

Enrolling for a certificate with NDES involves the

A

software used to manage the network device, the Registration Authority (RA), the computer hosting NDES, and the CA.

55
Q

To set up and use NDES, perform two steps:

A

configure a user account to act as an RA for certificate requests, and then configure and install NDES.

56
Q

To configure a user account to serve as the RA that NDES will use to authorize certificate requests,

A

add the user account to the IIS_IUSRS group.

57
Q

This group is a built-in security group that

A

IIS uses to establish and work with remote connections. No user is a member of the IIS_IUSRS group by default.

58
Q

Installing the Web Enrollment Service

A

Certification Authority Web Enrollment service enables users outside a domain to obtain new and renewed certificates from a CA over the Internet or over an intranet connection, via a web-based enrollment process.

59
Q

Submitting Certificate Requests

A

As a user, you access the AD CS web page for enrolling with a CA by opening a web browser and navigating to the URL for the certificate server. The URL can include the server’s name or IP address, followed by /certsrv.

60
Q

Configuring Enrollment Agents

A

In an organization with multiple branches and Enterprise CAs in the PKI, you can enable enrollment agents to send enrollment requests on behalf of clients. Enrollment agents may be members of the corporate security, IT security, or helpdesk teams.
Each of the enrollment agents must be issued with an enrollment agent certificate from a CA.

61
Q

Windows Server 2008 R2 enables different types of enrollment agents by making use of various certificate templates:

A

Enrollment Agent
Enrollment Agent (computer)
Exchange Enrollment Agent (offline request)

62
Q

Enrollment Agent

A

template enables a user to request certificates on behalf of other users.

63
Q

Enrollment Agent (computer)

A

template enables a user to request certificates for computers.

64
Q

Exchange Enrollment Agent (offline request)

A

The Exchange Enrollment Agent (offline request) template enables a user to request certificates on behalf of another user and to provide the subject name in the request. This template is used by NDES for its enrollment agent certificate.
Only members of the Enterprise Admins and CA administrator groups, or those with equivalent privileges, can configure an enrollment agent.

65
Q

Configuring Smart Card Enrollment

A

A smart card is a small electronic device that contains electronic information. A PKI certificate can be granted for a smart card to secure smart card transactions, such as computer logons.
In Windows Server 2008 R2, users can request smart card certificates via a smart card enrollment station.

66
Q

Smart card enrollment stations are useful because they

A
  • Simplify the physical preparation of the cards that need to be issued
  • Reduce the possibility of certificate service interruption
  • Prevent users from validating their own identification and issuing their own certificates
67
Q

CERTIFICATE REVOCATION

Install an Online Responder

A

Windows Server 2008 R2 provides built-in CA digital signature technology within AD CS.
When any certificate is issued, it has a validity period defined by a CA administrator. Usually this is one or two years. The certificate contains the digital signature of the certificate issuer, and a user’s public key and identity. The user is also issued a corresponding private key.

68
Q

A CRL is a

A

digitally signed list of unexpired certificates that a particular CA has revoked.

69
Q

A CA may revoke an otherwise valid certificate if, for example,

A

the private key associated with the certificate has been compromised.

70
Q

A CRL, like a certificate, is valid only for a

A

specified period to ensure that it does not apply after a certain amount of time.

71
Q

The AD CS supports two types of CRLs.

A

A Base CRL

A Delta CRL

72
Q

A Base CRL

A

is a full, initial set of revoked certificates

73
Q

A Delta CRL

A

lists only certificates that have been revoked since the last full Base CRL was implemented.

74
Q

A CRL Distribution Point

A

(CDP)

75
Q

(CDP)

A

is a certificate extension that indicates where the CRL for a particular CA can be retrieved. For each revoked certificate, you need to identify a corresponding CDP.

76
Q

A CRL can be published to different

A

locations using Lightweight Directory Access Protocol (LDAP), HTTP, or file paths. Using CDPs enables PKI administrators to locate and access a relevant CRL so that they can manually update the entries it contains. These entries are valid only for a specified time period.

77
Q

A CDP may be located in the following places:

A

Active Directory (AD)

78
Q

Active Directory (AD)

A

You use the AD as the CDP to publish and store CRLs for enterprise CAs, which use certificate templates. PKI users can retrieve CRL data from an AD CDP using LDAP.

79
Q

A Local Directory

A

You use the local directory of a CA server as the CDP to store CRLs on stand-alone CAs, which do not require AD or the use of certificate templates. By default, stand-alone CAs hold all certificate requests in a pending queue until a CA approves them.

80
Q

Configure an Online Responder

To enable an Online Responder to enroll for signing certificates, you need to do the following:

A
  • Configure the OCSP Response Signing template
  • Include the URL for the Online Responder in the AIA extensions of the certificates
  • Assign the OCSP Response Signing template to the CA
  • Create a revocation configuration
81
Q

Publishing a CRL Manually

By default, AD CS automatically publishes

A

an updated CRL within a publish period, which you set as the CA administrator. Clients that have a cached copy of the previously published CRL or Delta CRL will continue using it until its validity period has expired.