Access Control in 2008 R2 Flashcards

1
Q

NPS

A

Network Policy Server

2
Q

apply the Shared Secret template to a RADIUS client

A
  1. Open NPS
  2. Access the RADIUS Clients and Servers node
  3. Select RADIUS Clients
  4. Access the properties for the server
  5. Apply the Shared Secret template to the RADIUS client
  6. Save the changes
3
Q

Match each phase of the authentication mechanism assurance implementation with its key procedure

A

  1. Configure the group claims to map to the correct group in AD DS - Configure Federation Servers
  2. Configure the settings for certificate templates - Create Certificates
  3. Verify additional group membership - Download and test certs
  4. Ensure group memberships are correct on the claims-aware app
  5. Set up AD module cmdlets - Link cert policies to groups
4
Q

AppLocker 2008 R2

A

enables you to stop the installation and execution of unauthorized software while allowing authorized applications, installations and scripts

controls how users access and use apps, i.e. .exe files, scripts, etc.

can stipulate exactly what is allowed to run on all users' desktop PCs

  1. prevent specified apps from executing (whitelist or blacklist them)
  2. access app properties
  3. define rules based on file attributes
  4. define rules based on file attributes
  5. assign a rule to a group or an individual user
  6. create exceptions for .exe files
  7. identify unavailable files
5
Q

AppLocker benefits

A
  1. enables greater control over the number and type of files allowed to run, keeps viruses down

lowers cost of ownership: standardized workstations that run only approved apps

reduces risk of sensitive info being accessed through flaws in unauthorized software

only works on Windows 7 or higher
by default AppLocker will not allow apps to open or run unless specified - need to maintain an updated list

need to inform users what is allowed or blocked to avoid unneeded service requests

Can be applied via local or domain GPO
local applies only to that machine, domain to all computers

can use the audit-only mode to test specific actions in a log.

6
Q

AppLocker console has 3 sections

A

Getting Started - warnings listed
Configure Rule Enforcement - what will be enforced; the Application Identity service must be running; can learn more about the feature

Overview - access each rule collection, namely Executable Rules, Windows Installer Rules and Script Rules

7
Q

AppLocker properties - Enforcement tab

A

has 3 parts:

Executable rules
Windows Installer rules
Script rules

app rules are not configured by default; simply creating one means it will be enforced even if you don't have the Configured checkbox selected for it.

When creating - best practice is to check the box and then from the drop-down pick Audit Only so you don't lock yourself out of Windows

enforcement will occur if Enforce Rules or Not Configured is chosen

should enable default rules first to keep you from locking yourself out of Windows - right-click the rule collection and choose Create Default Rules

8
Q

BitLocker

A

drive encryption
security feature
prevents sensitive data being accessed by unauthorized users who get hold of lost, stolen or improperly decommissioned computers

protects the hard drive from offline attacks

must have a password or smart card to read or write data to a fixed or removable hard drive, and must read the data on a BitLocker computer with the correct keys

OS with it,

2-factor authentication,
single-factor authentication by storing the key on a USB flash drive, or using a TPM (Trusted Platform Module) and a PIN or startup key

9
Q

TPM

A

computers that run it must have a compatible TPM microchip and BIOS

ensures secure boot-up and integrity,
behind the scenes, users are not aware

If info changes BitLocker goes into recovery mode and you need the password for access

to unlock you get 3 options:

fixed drive - automatically unlock the encrypted OS drive
unlock after a password is given
unlock after a smart card is inserted.

10
Q

before the drive is encrypted

A

wizard suggests methods to store the recovery key: flash drive, network drive or location, or print it

11
Q

BitLocker To Go

A

bit-level, full-volume encryption on USB keys

creates a System Volume Information folder on the drive
unlock with password
unlock with smart card

takes a while to encrypt since it is volume-size driven and not data-size driven

12
Q

BitLocker and BitLocker To Go prevent loss or data theft by

A
  1. protecting your data - encryption
  2. facilitating management - GPO
  3. facilitating setup - internal hard drive, by auto-creating a hidden root partition to protect the OS
13
Q

AD DS new feature

Authentication Mechanism Assurance

A

when activated, an admin-defined universal group membership is added to a user's access token. Activated when a user enters credentials during a certificate-based logon event

controls access to resources; each user logon determines whether there is access and which restrictions apply

different cert policies can be linked to the same user/single accounts; the admin is able to determine what each user has used at login

without it enabled there is no distinction between types of login

can be used with AD FS for further restrictions

14
Q

minimum implementation requirements for authentication mechanism assurance

A

One or more AD DS DCs
Clients or servers
smart card reader
logon certs from a cert issuance policy

15
Q

smart card reader

A

can use ADFSClient instead
if you have virtual smart cards and readers you can use ADFSClient; connect the client (virtual or physical computer) to the domain

install the third-party smart card reader; can use several different ones with different levels of access or certificate rewrites

16
Q

implementation phases for authentication mechanism assurance

A
  1. Create Certs
  2. link cert policies to groups
  3. Download and test certs
  4. Configure the Federation servers
  5. Access the sample application from the client computer

Must have 2008 R2 domain functional level
AD Certificate Services installed and configured to create certs
Create and enable new certificate templates

17
Q

Link certificate policies to groups

phase 2

A

Create test user accounts (2 accounts)
prepare the scripts - 2 AD module cmdlets
a. show which issuance policies are available on the CA
b. set up a group and an OU and link the cert issuance policies to them
link certificate policies to groups
must be logged in as admin - sets up groups and maps them to the policy that applies (groups are stored in the OU)

link them - see PowerShell cmds

ends 2nd phase

18
Q

default setting for the AD module prompt is

created cmdlets are stored here as well

A

%userprofile%

19
Q

PowerShell cmds

A

show which certs are linked to policies & groups:

.\get-IssuancePolicy.ps1 -LinkedToGroup:All
(not yet linked)

Create the link

.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyDisplayName:"High Assurance" -groupOU:"Auth MechAssurance Groups" -groupName:"High Level Access"

20
Q

Download and test certificates

A

must configure the computer to have a smart card reader with 2 different smart cards, and download the necessary certs from the CA

to complete this phase 3:
obtain the certs
verify additional group membership
verify admin credentials

21
Q

4th phase

configure Federation Servers

A

set up the number of organization group claims in AD FS

configure mapping of group claims to AD DS groups

Create client mappings in each organization to associate with the claims you've already completed.

22
Q

Access Sample application from the client computer

A

open the claims-aware app; can view group membership to ensure setup.

access the sample application without a smart card, which is low assurance access, then with medium access, finally high access

23
Q

2008 R2 NPS and NAP

A

Network Policy Server - Remote Authentication Dial-In User Service, or RADIUS, that maintains and enforces network security by regulating the access of remote clients

NPS can authorize and authenticate remote connection requests and evaluate client computers against NAP health policies
Network Access Protection - health policies

24
Q

NPS enhanced functionality

A
  1. Improvements in the logging of NPS accounting data - can log to a file or SQL database or both, and as a failover option
  2. Multiple configurations of a NAP SHV
  3. Template configuration
  4. Migration of IAS server settings
  5. Automated NPS SQL logging

NPS is only applied when a template is applied; applying it to the client's NPS changes the server

25
Q

SQL Server logging capability enabled - NPS benefits

A
  1. Multiple NPS servers can log to and store in one database
  2. Dynamic data views can be created using queries and reports
  3. High-speed optimization for large databases
  4. Multiple bulk operations can be performed at high speed
  5. Can log user and authentication data
  6. RADIUS requests from clients can be logged:
    - Accounting-On when online and ready to accept connections
    - Accounting-Off when going offline
    - Accounting-Start to start a user session
    - Accounting-Stop to end a session
    - Accounting-Interim, periodically sent during a user session
26
Q

IAS

A

Internet Authentication Service, used in Windows Server 2003

27
Q

6 NPS templates

A
  1. Shared Secrets
  2. RADIUS Clients
  3. Remote RADIUS Servers
  4. Health Policies
  5. Remediation Server Groups
  6. IP Filters
28
Q

NAP WSHV

Action Center only in 2008 R2 on Windows 7,
and items are color-coded by level of urgency

A

Windows Security Health Validator, which requires that security precautions are enabled for NAP clients:

firewall
virus protection
spyware protection
automatic updates
security patch updates
29
Q

phase 1

A

domain functional level 2008 R2
AD CA is installed
CAs configured on the DC ADFSAccount
Configure certs that can be assigned to users or smart card holders

30
Q

Phase 2

A

set up user accounts and test the user access token differences
AD module cmdlets
Activate AD module cmdlets
Map the 1st cert to the 1st policy