Active Directory Objects Flashcards

1
Q

A domain controller holds 4 main directory partitions (naming contexts):

A
  1. Domain partition - users, groups, computers and other network resources of the domain; replicated to every DC in that domain
  2. Configuration partition - forest-wide topology: sites, services, and the list of domains and domain trees; replicated to every DC in the forest
  3. Schema partition - definitions of every object class and attribute that can exist in the directory. Network resources stored in AD are known as AD objects: users, groups, computers, security policies, printers, contacts and other network devices.
  4. Application partition - application data such as AD-integrated DNS zones (DomainDnsZones, ForestDnsZones); replicated only to the DCs that host the partition, not to the global catalog
2
Q

user accounts

A

one kind of security principal (an object with a SID that can be granted permissions); user, group and computer accounts are all security principals

3
Q

3 user accounts are created by default in a new domain

A

Administrator (built-in domain administrator, RID 500)
Guest (RID 501, disabled by default)
krbtgt (RID 502, disabled; the KDC service account whose key signs every Kerberos TGT issued in the domain, so it is never used for interactive logon and its password must be protected)

(HelpAssistant is a local Remote Assistance account on client machines, not a default domain account)

4
Q

InetOrgPerson class

A

object class used in LDAP and X.500 directory services to represent a person in an organization; AD DS supports it so that users defined on other LDAP platforms can be represented and queried, and an inetOrgPerson can be used as a security principal like a user object

5
Q

Scope identifies where a group can be granted permissions and what it can contain; there are three scopes

A

domain local - can be granted permissions only in its own domain; can contain accounts and global or universal groups from any trusted domain, plus other domain local groups from its own domain
global - can be granted permissions in any domain in the forest (or a trusting forest); can contain only accounts and global groups from its own domain
universal - can be granted permissions in any domain in the forest; can contain accounts, global groups and other universal groups from any domain in the forest. Its membership is stored in the global catalog

6
Q

2 types of groups in AD DS - distribution and security

A

Distribution groups are not security-enabled (no SID is used for access control), so they cannot be added to DACLs (Discretionary Access Control Lists); security groups can

Additional groups can be created by members of Account Operators, Domain Admins and Enterprise Admins (or by anyone delegated the Create Group objects right on the container)

7
Q

Each computer account has the following name components

A

SAM account name - the pre-Windows 2000 name, the NetBIOS name with a trailing $ (for example BSALT$)
DNS host name - the fully qualified DNS name of the computer
SPN (Service Principal Name) - one or more names such as HOST/bsalt.internal.mesacounty.us that Kerberos clients use to request a service ticket for the computer

DNS host name is the full name of the computer:
bsalt.internal.mesacounty.us

8
Q

UPN

A

User Principal Name
(logon name @ UPN suffix)

linz.th@mesacounty.us is the UPN;
mesacounty.us is the UPN suffix

9
Q

Can import and export AD DS objects two ways

A

LDIFDE - imports and exports AD objects in LDIF format; files use the .ldf extension. It can also set passwords on import (the unicodePwd attribute), but only over an encrypted connection (LDAPS, or SASL signing and encryption with -h); passwords are never exported
CSVDE - imports and exports AD objects in CSV format but cannot set passwords

Membership in an administrative group (Domain Admins, or delegated create rights on the target container) is needed to import

Both tools also work against AD LDS, which doesn't require a DC or DNS server and can be used to sync with other directory servers and for data management

cmd.exe prompt syntax:

ldifde [-i] [-f filename] [-s servername] [-z]
[-b username domain password] [-h]

10
Q

ldifde syntax parameters

A
  • -i = specifies an import (the default is export)
  • -v = enables verbose mode
  • -u = Unicode format
  • -t port = specifies the LDAP port. Default is 389; the global catalog port is 3268
  • -j path = folder for the log file
  • -s server = server to bind to
  • -f filename = input or output file
  • -k = ignore errors during import (constraint violation and object already exists errors)
  • -c FromDN ToDN = replaces all occurrences of FromDN with ToDN; used to replace the distinguished name of the export domain with that of the import domain when moving data from one domain to another
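The -c FromDN ToDN rewrite is easy to get wrong when DNs are hidden inside base64 (::) values, and an .ldf file should never carry a unicodePwd into another domain. The following is an added example, not code from the flashcards or from ldifde: a Python model of that DN rewrite applied offline to a constructed sample export (the domain, OU and user names are made up), which also strips the unicodePwd attribute before the file is handed to ldifde -i.

```python
# Added example (not from the flashcards): an offline model of what
# "ldifde -c FromDN ToDN" does to an .ldf file, plus one safety step.
import base64
import re

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

# Constructed sample export from the source domain; all names are made up.
_DESC = _b64(b"Account in DC=EasyNomadTravel,DC=com")
_PWD = _b64('"P@ssw0rd"'.encode("utf-16-le"))     # how unicodePwd is encoded on the wire
SAMPLE_LDIF = f"""\
dn: CN=Jennifer Westlein,OU=Managers,DC=EasyNomadTravel,DC=com
changetype: add
objectClass: user
sAMAccountName: jwestlein
description:: {_DESC}
unicodePwd:: {_PWD}
memberOf: CN=US Info,OU=Managers,
 DC=EasyNomadTravel,DC=com

dn: CN=US Info,OU=Managers,DC=EasyNomadTravel,DC=com
changetype: add
objectClass: group
member: CN=Jennifer Westlein,OU=Managers,DC=EasyNomadTravel,DC=com
"""

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

def parse_ldif(text: str):
    """Return a list of records; each record is a list of
    (attribute, value, is_base64) with base64 values decoded to bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:                      # sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            current.append((attr, base64.b64decode(value), True))
        else:
            current.append((attr, value, False))
    return records

def rewrite_dns(records, from_dn: str, to_dn: str, drop=("unicodePwd",)):
    """Replace every occurrence of from_dn with to_dn, case-insensitively
    because DNs compare that way, in plain and base64 text values alike.
    Attributes listed in `drop` (secrets that must not ride along) are removed."""
    pattern = re.compile(re.escape(from_dn), re.IGNORECASE)
    dropped = {a.lower() for a in drop}
    out = []
    for rec in records:
        new_rec = []
        for attr, value, is_b64 in rec:
            if attr.lower() in dropped:
                continue
            if not is_b64:
                new_rec.append((attr, pattern.sub(to_dn, value), False))
                continue
            try:
                text = value.decode("utf-8")
            except UnicodeDecodeError:             # truly binary (objectSid, photo): keep as is
                new_rec.append((attr, value, True))
                continue
            new_rec.append((attr, pattern.sub(to_dn, text).encode("utf-8"), True))
        out.append(new_rec)
    return out

def to_ldif(records) -> str:
    chunks = []
    for rec in records:
        chunks.append("\n".join(f"{a}:: {_b64(v)}" if b else f"{a}: {v}" for a, v, b in rec))
    return "\n\n".join(chunks) + "\n"

def attribute(record, name):
    """First value of `name` in a record (attribute names are case-insensitive)."""
    for attr, value, _ in record:
        if attr.lower() == name.lower():
            return value
    return None

if __name__ == "__main__":
    moved = rewrite_dns(parse_ldif(SAMPLE_LDIF), "DC=EasyNomadTravel,DC=com", "DC=Contoso,DC=local")
    print(to_ldif(moved))
```

The DN match is case-insensitive because LDAP DNs are, and base64 values are decoded before matching so that a DN hidden inside a description or an Exchange attribute is rewritten too; a value that is not valid UTF-8 is left untouched rather than corrupted.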
11
Q

csvde syntax parameters

A
  • -f filename = input or output file
  • -j path = folder for the log file written during import, e.g. -j "C:\folder"
  • -d RootDN = root of the LDAP search for data export
  • -r filter = LDAP search filter for exporting data
  • -p scope = search scope: base, onelevel or subtree
  • -l list = comma-separated list of attributes to export (if not specified, all attributes are returned)
  • -o list = attributes to omit from the export
  • -m = omits attributes that apply only to AD objects (objectGUID, objectSid, pwdLastSet, sAMAccountType), for importing into another directory
  • -n = binary values are not exported
  • -a UserDN Password = bind with the given user distinguished name and password
  • -b UserName Domain Password = bind with the given user name, domain and password
12
Q

Using OUs

A

can reduce the number of domains needed, since delegation and policy can be scoped to an OU instead of a separate domain

Process for creating one includes:
assigning the OU owner
creating account and resource OUs
designing its structure

13
Q

assigning the OU owner

A

The forest owner assigns an OU owner in a domain. Owners manage data and control a subtree of objects in AD DS. The owner governs how administrative control is delegated and which policies are applied to objects within their OU, and can create new subtrees and delegate administrative control over them.

14
Q

creating account and resource OUs

A

Account OUs hold users, groups and computer objects. Resource OUs are created to give autonomy to the management of data and computer equipment. Best practice is to create two separate OU structures in the domain

Resource OUs do not contain any default child OUs

15
Q

designing the OU structure

A

Documenting the structure is important: list the name, type, owner and origin of each OU.

16
Q

add an OU using cmd.exe

A

dsadd

dsadd ou OrganizationalUnitDN

ie: dsadd ou "OU=Tellers,DC=EasyNomadTravel,DC=com"

17
Q

three configurations you can apply to a group

A
  1. Modifying group membership
  2. Changing the group type
  3. Changing the group scope
18
Q

dsmod group GroupDN -addmbr MemberDN

A

Use -addmbr to add a member to the group with the dsmod command from cmd.exe

dsmod group "CN=US Info,OU=Managers,DC=EasyNomadTravel,DC=com" -addmbr "CN=Jennifer Westlein,CN=Users,DC=EasyNomadTravel,DC=com"

Use the -secgrp parameter to make the group a security group (yes) or a distribution group (no): dsmod group GroupDN -secgrp {yes | no}

Change the scope with the -scope parameter: l, g or u
(domain local, global or universal)

dsmod group GroupDN -scope {l | g | u}

Scope changes are restricted by membership: universal to domain local is always allowed; universal to global only if the group has no universal groups as members; global to universal only if the group is not itself a member of another global group; domain local to universal only if it has no domain local groups as members. Global and domain local cannot be converted into each other directly (go via universal).
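The membership rules above decide whether dsmod group -scope succeeds. Added example, not code from the flashcards or from dsmod: a Python model of those rules over a constructed set of groups (the group names are made up), so a planned scope change can be checked before it is run against the directory.

```python
# Added example (not from the flashcards): a model of the membership rules
# that decide whether "dsmod group GroupDN -scope" will succeed.
from dataclasses import dataclass, field

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "l", "g", "u"

@dataclass
class Group:
    name: str
    scope: str
    members: set = field(default_factory=set)   # names of users or nested groups

def members_with_scope(groups, group, scope):
    return [m for m in group.members if m in groups and groups[m].scope == scope]

def parents_with_scope(groups, name, scope):
    return [g.name for g in groups.values() if name in g.members and g.scope == scope]

def scope_change_check(groups, name, new_scope):
    """Return (allowed, reason) for converting group `name` to `new_scope`."""
    g = groups[name]
    if new_scope == g.scope:
        return False, "already that scope"
    if (g.scope, new_scope) == (UNIVERSAL, DOMAIN_LOCAL):
        return True, "universal to domain local is always allowed"
    if (g.scope, new_scope) == (UNIVERSAL, GLOBAL):
        bad = members_with_scope(groups, g, UNIVERSAL)
        return (not bad), (f"has universal group members: {bad}" if bad else "no universal members")
    if (g.scope, new_scope) == (GLOBAL, UNIVERSAL):
        bad = parents_with_scope(groups, name, GLOBAL)
        return (not bad), (f"is a member of global groups: {bad}" if bad else "not nested in a global group")
    if (g.scope, new_scope) == (DOMAIN_LOCAL, UNIVERSAL):
        bad = members_with_scope(groups, g, DOMAIN_LOCAL)
        return (not bad), (f"has domain local group members: {bad}" if bad else "no domain local members")
    return False, "global and domain local cannot be converted directly; go via universal"

def change_scope(groups, name, new_scope):
    """Apply the change only when the check passes, as the directory would."""
    ok, why = scope_change_check(groups, name, new_scope)
    if not ok:
        raise ValueError(f"{name}: {why}")
    groups[name].scope = new_scope
    return groups[name]

def sample_groups():
    """Constructed sample directory (names are made up)."""
    gs = [
        Group("All Managers", GLOBAL, {"US Info"}),
        Group("US Info", GLOBAL, {"Jennifer Westlein"}),
        Group("Tellers", DOMAIN_LOCAL, {"Finance DL"}),
        Group("Finance DL", DOMAIN_LOCAL),
        Group("Execs", UNIVERSAL, {"Board"}),
        Group("Board", UNIVERSAL),
    ]
    return {g.name: g for g in gs}

if __name__ == "__main__":
    gs = sample_groups()
    for name, target in [("US Info", UNIVERSAL), ("Tellers", UNIVERSAL), ("Execs", GLOBAL), ("Execs", DOMAIN_LOCAL)]:
        print(name, "->", target, scope_change_check(gs, name, target))
```

Note that the global-to-universal rule looks upward (who contains this group) while the other two look downward (what this group contains); converting the parent first, as the test does for All Managers, is what unblocks the nested group.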

19
Q

group policies (GPOs) can

A
modify permissions on a file system
modify permissions on a registry key
change settings in the registry
change assignment of user rights
configure and audit event logs
set account and password policies

Security settings are applied on three levels
Domain level - common security requirements, such as account and password policies, which apply to every account in the domain (account policies for domain accounts are only read from GPOs linked at the domain root)

Baseline level - server security requirements applied to all servers in the domain structure (audit policy, user rights, security options), linked to the parent server OU

Role-specific level - security requirements for specific server roles, linked to the OU for that role

20
Q

Default Domain Policy GPO contains by default

A

password policy
account lockout policy
Kerberos policy

(these account policies only take effect for domain accounts when linked at the domain level)

21
Q

password policies contain the following options

A

1 enforce password history - 0 to 24 passwords remembered; 24 is the default in the Default Domain Policy
2 maximum password age - 42 days default
3 minimum password age - 1 day default (0 would let a user cycle through the whole history in one sitting to get back to the old password)
4 minimum password length - 7 characters default
5 password must meet complexity requirements - enabled by default: at least 6 characters, characters from 3 of the 4 classes (upper, lower, digit, non-alphanumeric), and must not contain the account name or any part of the full name longer than 2 characters
6 store passwords using reversible encryption - disabled by default; if enabled the plaintext can be recovered by anyone who can read the directory database, which is a security consideration
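Added example, not code from the flashcards or from Windows: a Python model of the checks that these settings impose on a password change, including the complexity rule and the history check. Real domain controllers compare NT hashes (MD4 over the UTF-16LE password); SHA-256 stands in for that here so the example runs anywhere, and the account names are made up.

```python
# Added example (not from the flashcards): a model of the password policy
# checks a DC performs on a password change.
import hashlib
import re
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    history_length: int = 24      # enforce password history
    min_length: int = 7           # minimum password length
    complexity: bool = True       # password must meet complexity requirements
    min_age_days: int = 1         # minimum password age

def _stand_in_hash(password: str) -> str:
    """Stand-in for the NT hash (MD4 over UTF-16LE); SHA-256 keeps the example portable."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

def complexity_failures(password, sam_account_name, display_name):
    """Windows complexity rule: >= 6 chars, not containing the account name or any
    part of the full name of 3+ chars, and characters from 3 of the 4 classes."""
    fails = []
    if len(password) < 6:
        fails.append("shorter than 6 characters")
    low = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        fails.append("contains the account name")
    # the full name is split on , . - _ # space and tab; tokens of 3+ chars are checked
    for part in re.split(r"[,.\-_ #\t]+", display_name):
        if len(part) >= 3 and part.lower() in low:
            fails.append(f"contains part of the full name: {part}")
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        fails.append("fewer than 3 of the 4 character classes")
    return fails

def password_change_failures(new_password, sam, display, policy, history_hashes, days_since_last_change):
    """`history_hashes` is most-recent-first; an empty list means the change is accepted."""
    fails = []
    if days_since_last_change < policy.min_age_days:
        fails.append("minimum password age not reached")
    if len(new_password) < policy.min_length:
        fails.append(f"shorter than minimum length {policy.min_length}")
    if policy.complexity:
        fails.extend(complexity_failures(new_password, sam, display))
    if _stand_in_hash(new_password) in history_hashes[:policy.history_length]:
        fails.append("reused a password from the history")
    return fails

if __name__ == "__main__":
    history = [_stand_in_hash("Summer2023!"), _stand_in_hash("Winter2022!")]   # constructed
    for candidate in ["P@ssw0rd", "Westlein2024!", "Summer2023!", "abcdefgh"]:
        print(candidate, password_change_failures(candidate, "jwestlein", "Jennifer Westlein",
                                                  PasswordPolicy(), history, 2))
```

The example shows why the minimum age setting matters: with history_length cut to 1 and no minimum age a user could change twice and land back on the old password, which the last assertion in the test exercises by shortening the history window.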

22
Q

5 Kerberos policy settings

A

Enforce user logon restrictions - enabled by default (the KDC checks the user's logon rights before issuing a service ticket)
Maximum lifetime for service ticket - 600 minutes by default
Maximum lifetime for user ticket (TGT) - 10 hours by default
Maximum lifetime for user ticket renewal (TGT) - 7 days by default
Maximum tolerance for computer clock synchronization - 5 minutes by default

23
Q

AD DS in 2008 has two new object classes (fine-grained password policy)

A

Password Settings Object - a PSO has attributes that define all the password and lockout settings of the Default Domain Policy, except the Kerberos settings

Password Settings Container - the PSC holds the PSOs for a domain and is created by default under the System container (CN=Password Settings Container,CN=System,DC=...). You cannot rename, move or delete the default PSC, but you can create additional custom PSCs

PSOs carry 3 lockout settings:
reset account lockout counter after,
account lockout threshold,
account lockout duration

24
Q

PSO links (2 attributes)

A
  1. msDS-PSOAppliesTo attribute - on the PSO, a forward link to user or group objects; multivalued, so one PSO can be applied to many users or groups. PSOs can only be linked to users, inetOrgPersons and global security groups, not to OUs.
  2. msDS-PSOApplied attribute - on the user or group object, the back link to the PSO; added in 2008 so that an object can have multiple PSOs applied to it.

25
Q

RSoP - Resultant Set of Policy for password settings

A

msDS-ResultantPSO is a constructed attribute on the user object that shows which of the PSOs applied to the user (directly or through group membership) actually wins

26
Q

PSO sets priority by using msDS-PasswordSettingsPrecedence

A

A required integer attribute with a value greater than zero

The lower the value, the higher the priority: if several PSOs apply to a user, the one with the lowest precedence value wins

27
Q

Can determine the resultant PSO of a user or group by

A

directly - a PSO linked to the user object itself; if several are linked directly, the lowest precedence value wins

indirectly - a PSO linked to a global security group of which the user is a member; only considered if no PSO is obtained by the direct method. If no PSO is obtained either way, the Default Domain Policy applies

Each PSO should be given its own unique precedence value at creation

If multiple PSOs with the same precedence value are obtained, the PSO with the smallest globally unique identifier (GUID) is applied to the user.
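Added example, not code from the flashcards or from AD DS: a Python model of the resolution order just described (direct links first, then group links, lowest precedence wins, ties broken by the smallest objectGUID, Default Domain Policy as the fallback), run over a constructed set of PSOs whose names, GUIDs and DNs are made up.

```python
# Added example (not from the flashcards): how msDS-ResultantPSO is computed.
import uuid
from dataclasses import dataclass

DEFAULT_DOMAIN_POLICY = "Default Domain Policy"

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int           # msDS-PasswordSettingsPrecedence, must be > 0
    object_guid: str          # objectGUID as a UUID string
    applies_to: frozenset     # msDS-PSOAppliesTo: DNs of users and global security groups

def _winner(candidates):
    # lowest precedence wins; ties go to the mathematically smallest objectGUID
    return min(candidates, key=lambda p: (p.precedence, uuid.UUID(p.object_guid).int))

def resultant_pso(user_dn, group_dns, psos):
    """Direct links beat group links; with no PSO at all the Default Domain Policy applies."""
    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:
        return _winner(direct).name
    via_groups = [p for p in psos if p.applies_to & frozenset(group_dns)]
    if via_groups:
        return _winner(via_groups).name
    return DEFAULT_DOMAIN_POLICY

# Constructed sample: the DNs, GUIDs and PSO names below are made up.
USER = "CN=Jennifer Westlein,CN=Users,DC=EasyNomadTravel,DC=com"
ADMINS = "CN=Tier0 Admins,OU=Groups,DC=EasyNomadTravel,DC=com"
STAFF = "CN=All Staff,OU=Groups,DC=EasyNomadTravel,DC=com"
SVC = "CN=svc-backup,OU=Service Accounts,DC=EasyNomadTravel,DC=com"

PSOS = [
    PSO("Admins-24chars", 10, "00000000-0000-0000-0000-000000000002", frozenset({ADMINS})),
    PSO("Staff-12chars", 50, "00000000-0000-0000-0000-000000000009", frozenset({STAFF})),
    PSO("Staff-legacy", 50, "00000000-0000-0000-0000-000000000003", frozenset({STAFF})),
    PSO("ServiceAcct-NoExpiry", 100, "00000000-0000-0000-0000-000000000007", frozenset({SVC})),
]

if __name__ == "__main__":
    print(resultant_pso(USER, [ADMINS, STAFF], PSOS))   # admin PSO, lowest precedence
    print(resultant_pso(USER, [STAFF], PSOS))           # tie on 50, smaller GUID wins
    print(resultant_pso(SVC, [STAFF], PSOS))            # direct link beats the group link
    print(resultant_pso(USER, [], PSOS))                # nothing linked: Default Domain Policy
```

The third case is the one that surprises people: a PSO linked directly to the service account wins even though its precedence number (100) is worse than the group PSO's (50), because group links are only consulted when no direct link exists. The tie case shows why every PSO should get a unique precedence value; otherwise the outcome depends on GUIDs nobody chose.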

28
Q

by default, account lockout policies are

A

account lockout threshold 0 (lockout disabled); once a threshold is set, account lockout duration and reset account lockout counter after both default to 30 minutes. Local and domain policy defaults are the same

29
Q

to configure and manage fine-grained password policies in AD - two tools

A

AD Users and Computers console (with Advanced Features enabled)
ADSI Edit - Active Directory Service Interfaces Editor - adsiedit.msc

Browse to CN=Password Settings Container under CN=System in the domain partition; that is where all the PSO objects for the domain are stored

30
Q

GPO you can

A
  1. manage the desktop that displays to users and reduce support calls and total cost of ownership (TCO) by locking down desktops
  2. install and manage software
  3. manage the running state of services
  4. redirect the My Documents folder
  5. configure Internet Explorer options and security settings
  6. automate administrative tasks by using logon, logoff, startup and shutdown scripts

each GPO has 2 configuration nodes, each with its own Administrative Templates section
Computer Configuration
User Configuration

31
Q

Administrative Templates define registry-based policy settings and where each one is stored in the registry.

A

On the DC the file-based part of a GPO is the GPT (Group Policy Template), stored in the SYSVOL shared folder (\\domain\SYSVOL\domain\Policies\{GPO GUID}); the Administrative Templates settings chosen in the editor are written there as registry.pol files

32
Q

2 types of GPOs

Apply according to security needs, roles and location of users and computers

The last applied GPO takes precedence if there is a conflict; when a computer setting and a user setting conflict, the computer setting wins

A

Local (LGPO) - applies only to the computer it is stored on; usually used where there is no AD DS, or to apply a specific policy to a specific computer.

Vista/2008 feature allows multiple LGPOs on the same computer, applied to different users of that computer (Administrators, Non-Administrators, or a specific user).

AD GPOs - apply to all users and computers in the AD container where they are linked. Can be linked to sites, the domain, or specific OUs

33
Q

GPOs are processed in this order (LSDOU)

GPMC - Group Policy Management Console

A
  1. LGPOs
  2. GPOs linked to the site
  3. domain level GPOs
  4. GPOs linked to OUs (parent OU first, then each child OU)

Exceptions: some client-side extensions (software installation, folder redirection, scripts) are only applied if the link speed between the computer and the DC is 500 kbps or higher by default. A broken link can keep a GPO from being applied. 2008/Vista use NlaSvc - Network Location Awareness service - to detect slow links and to notice when the connection to the DC is lost or restored

Credential caching - if a user logs on with cached credentials because no DC is reachable, no new GPOs are applied (the previously applied settings remain in force)

34
Q

GPO default processing order can be changed by

A

Changing link order (link order 1 is processed last, so it has the highest precedence)
Blocking inheritance on an OU or domain (blocks GPOs linked at parent containers)
Enforcing particular links (an enforced link cannot be blocked and wins over conflicting settings from child containers) - can cause security risks, so test first
Using GPO filtering (security filtering by group, or WMI filters)
Disabling GPOs - a link can be disabled per site, domain or OU, or only the user or computer settings of the GPO can be disabled
Using loopback processing - applies the user settings from the GPOs that apply to the computer, regardless of which user logs on
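Added example, not code from the flashcards or from the Group Policy engine: a Python model of LSDOU processing with link order, Block Inheritance and Enforced, which reports for every setting which GPO won and why. The site, domain, OU and GPO names and the settings are constructed for the example.

```python
# Added example (not from the flashcards): a model of LSDOU processing with
# link order, Block Inheritance and Enforced, resolving which GPO wins each setting.
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int                    # link order 1 = highest precedence = applied last
    enforced: bool = False
    enabled: bool = True

@dataclass
class Container:
    name: str                     # site, domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def application_order(path, local_gpo=None):
    """`path` runs from the site down to the OU holding the computer or user.
    Returns GPO names in the order they are applied; the last one applied wins."""
    lowest_block = max((i for i, c in enumerate(path) if c.block_inheritance), default=None)
    normal, enforced = [], []
    for depth, c in enumerate(path):
        links = sorted((l for l in c.links if l.enabled), key=lambda l: l.order, reverse=True)
        for l in links:
            if l.enforced:
                enforced.append((depth, l.gpo))
            elif lowest_block is None or depth >= lowest_block:   # parents above a block are skipped
                normal.append(l.gpo)
    # Enforced links are applied after everything else; the one closest to the
    # root is applied last, so a domain-level enforced link beats an OU-level one.
    enforced.sort(key=lambda t: t[0], reverse=True)
    return ([local_gpo] if local_gpo else []) + normal + [g for _, g in enforced]

def resolve_settings(path, gpo_settings, local_gpo=None):
    """Merge settings in application order; returns {setting: (value, winning GPO)}."""
    result = {}
    for gpo in application_order(path, local_gpo):
        for key, value in gpo_settings.get(gpo, {}).items():
            result[key] = (value, gpo)
    return result

SETTINGS = {  # constructed sample GPO contents
    "Local Policy": {"MinimumPasswordLength": 0, "AuditLogon": "none"},
    "Default Domain Policy": {"MinimumPasswordLength": 7},
    "Corp Baseline": {"AuditLogon": "success,failure", "SMBSigning": "required"},
    "Server Hardening": {"SMBSigning": "disabled", "RDP": "NLA"},
    "Web Servers": {"RDP": "any", "IISLogging": "on"},
}

def sample_path():
    """Constructed site -> domain -> OU -> child OU chain (names are made up)."""
    return [
        Container("Denver-Site"),
        Container("easynomadtravel.com", [Link("Default Domain Policy", 2),
                                          Link("Corp Baseline", 1, enforced=True)]),
        Container("OU=Servers", [Link("Server Hardening", 1)], block_inheritance=True),
        Container("OU=Web", [Link("Web Servers", 1)]),
    ]

if __name__ == "__main__":
    print(application_order(sample_path(), "Local Policy"))
    for key, (value, gpo) in sorted(resolve_settings(sample_path(), SETTINGS, "Local Policy").items()):
        print(f"{key:24} = {value!s:18} from {gpo}")
```

Two things the run makes visible: the enforced Corp Baseline survives the Block Inheritance on OU=Servers and overrides the OU's own SMBSigning choice, while the non-enforced Default Domain Policy is blocked, so the password length setting falls back to the local policy value. That second outcome is exactly the kind of gap a blocked domain link creates, which is why the card warns to test before enforcing or blocking.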

35
Q

Group Policy Creator Owners members

A

can create GPOs in the domain but do not have rights to link GPOs to containers

36
Q

2008 registry policy settings are stored in a file

A

ADMX files, which are XML based; they replace the ADM files used in previous server versions. Requires a Vista or higher client to edit. ADML files hold the language-specific text

Can be stored in a centrally located place (the central store in SYSVOL: \\domain\SYSVOL\domain\Policies\PolicyDefinitions), accessible to anyone with rights to create or edit GPOs

Need to manually copy ADMX and ADML files to the SYSVOL central store when a change is made on the local machine

37
Q

To GPOs you can add the following options

A
  1. disabling removable storage devices (USB, MP3 players, cameras)
  2. controlling the functionality of specific Windows features
  3. adding or modifying registry keys
  4. modifying Windows security settings
38
Q

security template

A

doesn't introduce new security settings but organizes them.

text-based file with .inf extension

contains security settings such as account policies, local policies, public key policies and file, registry and service security.

Can be used with the Security Configuration and Analysis snap-in to examine a system for security holes or policy violations (compare the template against the live settings).

39
Q

Security Templates define:

A
  1. Account Policies
  2. Local Policies
  3. Event Log settings
  4. Restricted Groups
  5. System Services Settings
  6. File and Registry permissions

predefined templates are stored in the %SystemRoot%\security\templates directory

Windows Server 2008 doesn't ship the predefined security templates of earlier versions; you can download and install the GPOAccelerator toolkit to obtain them

40
Q

Predefined security templates include

A
  1. Default Security (setup security.inf) - the settings applied during setup; cannot be applied through Group Policy and should not be applied to DCs
  2. DC Default (DC security.inf) - created when a server becomes a DC; reapply it with the Security Configuration and Analysis snap-in or the secedit command-line tool
  3. Compatible (compatws.inf) - relaxes permissions for the Users group so legacy applications run without Power Users membership; applies to Administr ators, Power Users and Users
  4. Secure (securews.inf, securedc.inf) - sends only NT LAN Manager v2 responses and configures servers to refuse LAN Manager responses
  5. Highly Secure (hisecws.inf, hisecdc.inf) - secures data transmission between server message block (SMB) clients and servers by imposing strict restrictions on encryption, signing and authentication; a superset of the secure*.inf templates
41
Q

cmd for secedit tool

secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]

A

Use the tool to apply security templates to the local computer, and to analyze, export and validate

/configure configures local computer security by applying the settings stored in a database

ie:
secedit /configure /db database1.sdb /cfg template1.inf /overwrite /quiet

/db = database file name
/cfg = specifies a template to be imported into the database before the computer is configured

/overwrite = clears the database before the import. If not given, settings accumulate in the database; if there is a conflict, the template settings take precedence.

/areas = security areas to apply to the system (SECURITYPOLICY, GROUP_MGMT, USER_RIGHTS, REGKEYS, FILESTORE, SERVICES). If not given, all settings defined in the database are applied. Separate multiple areas with a space

/log = log file name; if not specified, configuration data is logged to scesrv.log in %windir%\security\logs

/quiet = process runs without prompts

42
Q

4 phases of the software deployment life cycle

A

preparation, deployment, maintenance, and removal. You can use Group Policy Software Installation (edited with gpedit.msc or the Group Policy Management Editor) to manage each phase

43
Q

2 components of Windows Installer

A
  1. software installation package files (.msi)
  2. Windows Installer service (msiexec.exe)

Users can trigger installation via

  1. file extension or COM-based activation (opening a file of a registered type)
  2. the Start menu or a desktop shortcut (assigned software), or Add or Remove Programs (published software)
44
Q

Publishing software does not install anything on the computer; it makes the software available to the user

A

No local registry changes are made and no shortcuts are created; the package attributes are stored in AD, and the user installs it from Add or Remove Programs (or by document invocation)

Use the Group Policy Management Editor (gpme.msc) or gpedit.msc: User Configuration > Software Settings > Software installation

45
Q

patch file for a software installation in Group Policy

A

.msp (Windows Installer patch file), applied to an already deployed

.msi package by redeploying the application

46
Q

GPMC (Group Policy Management Console) can be used to

A

search for GPOs in a forest
back up and restore GPOs
import settings from a backed-up GPO into an existing GPO in the same or another forest

It is not installed by default. Install it through the Server Manager interface (Features) or from the command line: servermanagercmd -install gpmc

Launch it from Run or cmd with gpmc.msc

47
Q

default file location for ADMX files is

A

%SystemRoot%\PolicyDefinitions (usually C:\Windows\PolicyDefinitions); the matching ADML language files go in a sub-folder such as en-US

48
Q

AD DS can log the old and new values of AD object attributes when changes are made. This feature is new in Windows Server 2008

A

the Directory Service Changes audit subcategory, new in Server 2008: events 5136 (modify), 5137 (create), 5138 (undelete) and 5139 (move) in the Security log record the attribute's previous and new value

49
Q

The controls used to incorporate auditing features in Windows Server 2008

A

global audit policy (the Audit directory service access policy and its subcategories)
a system access control list (SACL) on the object, listing which principals and operations are audited
the schema (the searchFlags attribute on an attribute definition can exclude it from change auditing)

50
Q

To enable AD object auditing

A

enable the Audit directory service access policy (in the Default Domain Controllers Policy) and set it to audit successful events, failed events or both; then set a SACL on the objects you want audited

51
Q

Audit Policies that you can choose to configure

A

audit:

logon events
account logon events
system events
account management
privilege use
directory service access
object access
policy change
process tracking
52
Q

2008 server introduced audit policy subcategories

A

better control over specific events
use the auditpol command to display the current audit policy, list the selectable policy elements and set audit policy subcategories

auditpol /get /category:*
auditpol /set /subcategory:"Application Group Management" /success:disable /failure:disable

53
Q

DNS namespace hierarchy

A

internal.mesacounty.us

internal is the bottom level (leftmost label)
mesacounty is the next level up (second-level domain)
us is the top-level domain (TLD)

Above the TLD is the root, written as a trailing dot (internal.mesacounty.us.). Servers that maintain the root zone are called root servers

13 root server names (a through m.root-servers.net) presently serve the global Internet root zone; each name is backed by many anycast instances.

54
Q

2008 supports the following DNS zones

A

Primary - writable master copy of the zone

Secondary - full read-only copy of the primary zone data, obtained by zone transfer; can't be updated directly

AD-integrated - since Server 2000, zone data is stored in AD; resource records can be modified on any DC that hosts the zone (multi-master)

Stub - has just enough information to reach the authoritative DNS servers for the zone; stub zones stay small, so they don't increase network traffic during replication

A stub zone stores only 3 record types:
  1. Start of Authority (SOA) - first record in a zone
  2. Name Server (NS) - maps the domain name to all its authoritative DNS servers
  3. Address (A) glue records - the IP addresses of those name servers
55
Q

Features in DNS in 2008 include

A

DNAME resource record - creates an alias for a whole subtree at once, aka non-terminal domain name redirection; one DNAME record renames a node and all its child nodes simultaneously.

RODCs (read-only DNS on read-only domain controllers)
IPv6 (AAAA records and IPv6 transport)
GlobalNames zone - lets users resolve single-label host names without WINS

Integration with Microsoft networking services (AD, WINS, DHCP)

RFC-compliant dynamic updates - RFC 2136 dynamic update; with secure dynamic updates only authenticated clients can update records, and only the owner of a record can change it

global query block list - stops the server answering queries for names such as WPAD and ISATAP that a client could hijack by registering them through dynamic update

advanced features:

forwarding
root hints
record scavenging

56
Q

DNS to use forwarding, configure either

A

forwarder - sends queries the server cannot answer to an external server; the answers are cached, so a larger cache improves performance for repeated lookups

conditional forwarder - forwards queries for a specific domain name to a specific server; used to resolve names between two organizations

57
Q

Cache.dns

A

%SystemRoot%\System32\DNS

the root hints file: the NS and A records for the root servers are in this file

58
Q

in-addr.arpa domain was created to

A

be used as a reserved internet Namespace for reverse lookups.

59
Q

dnscmd command-line utility

A

manages the DNS server from the command line: add and delete zones (dnscmd /ZoneAdd), add resource records (dnscmd /RecordAdd), manage application directory partitions, configure forwarders

(looking up host names to IP addresses is done with nslookup, not dnscmd)

60
Q

recursive queries - DNS

A

the client asks the server to resolve the name completely; the client gets either the final answer or an error

if the server doesn't have the answer cached or authoritatively, it resolves it itself by sending iterative queries starting from the root hints, or passes the query to its list of forwarders, then returns the answer to the client

61
Q

iterative queries - DNS

A

the DNS server is asked to resolve a query and answers with either the answer or its best referral to a DNS server that may be able to resolve it (the NS records for the next level down).

Some delay can occur

a time-out setting on the DNS server determines the maximum wait time for a response

62
Q

unmanaged stale DNS records can cause the following problems:

A
  1. unnecessarily long zone transfers
  2. degradation of the performance and response time of the DNS server as stale records accumulate
  3. possible conflicts, if an IP address in a dynamic DNS environment is reassigned to a different host (a stale record then points a trusted name at whatever now holds the address)

scavenging is disabled by default

enable it on both the zone and the DNS server

63
Q

a DNS server sets the date/time value to start scavenging on a per-zone basis when

Start scavenging time =
current server time
+
refresh interval

A

dynamic updates are enabled for the zone

a primary zone that has scavenging enabled is loaded by the DNS server

the DNS server starts

a zone resumes service after it has been paused

an administrator manually activates the Scavenge stale resource records function

64
Q

DNS round robin technique - enabled by default on Windows 2008 servers

A

when several A records exist for one name, the DNS server rotates the order of the records in each response so that successive clients are directed to different web servers

drawbacks:

doesn't offer any failover functionality (a dead server keeps receiving its share of clients)
does not control the order in which connections are rotated - not true load balancing

65
Q

Zone transfer can occur when

A
  1. the refresh interval has expired for a zone
  2. a notification of changes in the zone is sent by the primary server to a secondary server
  3. the secondary server queries the primary DNS server for a change in the zone
  4. a DNS console at a secondary server for the zone manually initiates a transfer from the primary server.

Transfers may be
Full zone transfer - the entire zone is transferred using a full zone transfer (AXFR) query to update the zone data on another DNS server. Used by servers prior to 2003 or when a new DNS server is configured for the first time.

Incremental zone transfer (IXFR) - the secondary sends an IXFR query carrying its current SOA serial number; if the primary's serial is the same, nothing is transferred, if it differs only the changed records are transferred.
The primary keeps a record of its incremental changes so it can answer IXFR queries. These are fast, create less traffic and are standard in Server 2008

66
Q

Steps that occur to complete an incremental zone transfer

A
  1. SOA query is sent from the secondary DNS server
  2. primary responds with its SOA record
  3. secondary compares the serial number against its own
  4. if the primary's serial is newer, the secondary sends an IXFR (or AXFR) query
  5. primary responds with the transfer
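Added example, not code from the flashcards or from the Windows DNS server: a Python model of steps 3 to 5, including the detail the cards skip, that SOA serials are compared with RFC 1982 wrap-around arithmetic and that the primary falls back to AXFR when it has no change history from the secondary's serial. The zone, serials and records are constructed.

```python
# Added example (not from the flashcards): the secondary's decision after the
# SOA check, with RFC 1982 serial comparison and the IXFR -> AXFR fallback.
from dataclasses import dataclass, field

SERIAL_SPACE = 2 ** 32

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial number arithmetic: is a newer than b, allowing wrap-around?"""
    if a == b:
        return False
    half = SERIAL_SPACE // 2
    return (a < b and b - a > half) or (a > b and a - b < half)

@dataclass
class Primary:
    serial: int
    records: dict                                 # name -> value, the whole zone
    history: dict = field(default_factory=dict)   # serial -> (next_serial, deleted names, added/changed records)

def plan_transfer(secondary_serial: int, primary: Primary):
    """Return ('none' | 'IXFR' | 'AXFR', payload) as the secondary would proceed."""
    if not serial_newer(primary.serial, secondary_serial):
        return "none", None                       # same serial, or the secondary is ahead
    deltas, s = [], secondary_serial
    while s != primary.serial:
        if s not in primary.history:              # no change log from this serial: full transfer
            return "AXFR", dict(primary.records)
        nxt, deleted, added = primary.history[s]
        deltas.append((s, nxt, deleted, added))
        s = nxt
    return "IXFR", deltas

def apply_ixfr(zone: dict, deltas) -> dict:
    """Replay the deltas on the secondary's copy; the result must equal the primary zone."""
    zone = dict(zone)
    for _, _, deleted, added in deltas:
        for name in deleted:
            zone.pop(name, None)
        zone.update(added)
    return zone

def sample_primary():
    """Constructed primary: two changes since serial 2024010101 (records are made up)."""
    return Primary(
        serial=2024010103,
        records={"www": "10.0.0.10", "mail": "10.0.0.20", "vpn": "10.0.0.30"},
        history={
            2024010101: (2024010102, {"ftp"}, {"vpn": "10.0.0.30"}),
            2024010102: (2024010103, set(), {"mail": "10.0.0.20"}),
        },
    )

if __name__ == "__main__":
    p = sample_primary()
    for secondary_serial in (2024010103, 2024010101, 2024010100, 2024010104):
        print(secondary_serial, plan_transfer(secondary_serial, p)[0])
```

The last case in the run, a secondary whose serial is ahead of the primary, results in no transfer at all; a primary whose serial was reset (for example after restoring an old zone file) silently stops updating its secondaries, which is why serial handling matters when a zone is rebuilt.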
67
Q

When AD DS is installed or upgraded on a DC, 2 specific DNS application directory partitions are created

A

ForestDnsZones
DomainDnsZones

if the partitions are not created at install time, the DNS Server service tries to create them again automatically every time it starts

68
Q

Zone replication scopes you can set an AD DS integrated DNS zone to use

A
  1. all DNS servers in the domain (DomainDnsZones partition)
  2. all DCs in the domain (Windows 2000 compatible; stored in the domain partition)
  3. all DCs in the scope of a specified application directory partition
  4. all DNS servers in the forest (ForestDnsZones partition)
69
Q

You can install the Windows Server support tools used for AD DS integrated DNS zones

A

Support\Tools folder on the Windows Server 2003 DVD, run suptools.msi; on Server 2008 the tools used here (dnscmd, repadmin, dcdiag) are built in

70
Q

to create a custom application directory partition that enables replication of zone data between 2 domains, open a command prompt and then

A
  1. create an application directory partition on a DC
  2. enlist an additional DC in the partition
  3. check that the application directory partition was created successfully
  4. run the Knowledge Consistency Checker (KCC) to create a connection object on each DC
  5. verify AD replication over the new replica link you have created
  6. configure the replication scope of the relevant DNS zones to the new application directory partition
71
Q

dnscmd commands

A

dnscmd /CreateDirectoryPartition FQDN_of_partition - creates the application directory partition

dnscmd ServerName /EnlistDirectoryPartition FQDN_of_partition - configures an additional DC that is used as a DNS server to host the created application directory partition

dnscmd /EnumDirectoryPartitions - checks that the application directory partition was created successfully

dnscmd /DirectoryPartitionInfo FQDN_of_partition - displays detailed information about the application directory partition on a DC

72
Q

repadmin /kcc DCName

A

runs the KCC to create connection objects for each of the DCs

run it against the first DC,
then against the second one, and a replication link is created

73
Q

repadmin /showrepl ServerName

A

verifies that AD replication can occur over the new replica link

if the new naming context is not displayed, this may indicate an uninstantiated replica, which occurs when:

a temporary naming context head has been configured by the KCC but the next AD DS replication cycle has not yet run

AD DS replication has not yet occurred.

74
Q

To add the Certificates snap-in

A

open mmc.exe, File > Add/Remove Snap-in, choose Certificates and pick the store to manage (My user account, Service account or Computer account)

75
Q

When a CA receives an enrollment request, the following actions take place

A
  1. the CA verifies the digital signature on the request with the public key inside it (proof that the requester holds the matching private key)
  2. the CA hashes the certificate contents it is about to issue
  3. the CA digitally signs the certificate containing the user's public key
  4. the user distributes copies of its X.509 certificate
  5. other entities authenticate the user's X.509 certificate by validating the chain up to a trusted root
76
Q

to configure autoenrollment

A
  1. configure the certificate template for it
  2. specify the Group Policy settings

To configure the template, open Certificate Templates (certtmpl.msc),
choose the template, Properties, Security tab, and grant Enroll and Autoenroll to the Authenticated Users group (or, better, a narrower group of intended holders)

Then configure the GPO, for both users and computers, to issue a certificate automatically when a certificate request is received. If the requester selects the autoenroll option, the certificate is issued automatically

In gpmc, edit the policy (e.g. Default Domain Policy);
under Security Settings choose the Public Key Policies folder, then on the right "Certificate Services Client - Auto-Enrollment"

Enable it

Same for the Computer Configuration and User Configuration nodes

For computers there are additional steps:
Automatic Certificate Request Settings folder, right-click, Action, New, Automatic Certificate Request, and follow the wizard

Now you need to issue the certificate template on the CA:
Certificate Templates folder in the Certification Authority snap-in,
Action, New, Certificate Template to Issue, choose the template from the list
This adds the template to the Certificate Templates folder of the CA

77
Q

2 ways an admin can configure the default action a CA takes when it receives a certificate request

A
  1. the request is approved automatically by the CA (subject to template permissions)
  2. the CA administrator reviews the request - it is set to Pending in the CA and a certificate manager issues or denies it

after changing the setting you need to stop and start the Certificate Services service

78
Q

When a certificate is issued it can be exported to a file

A

FileName.cer; the CA's own certificate and CRLs are published to the CertEnroll folder on the CA (%SystemRoot%\System32\CertSrv\CertEnroll)

79
Q

Four roles can be assigned to users in a CA

A
  1. Certificate Manager - issues, denies and revokes certificates and handles revocation requests, using the Certification Authority snap-in. The Issue and Manage Certificates permission is assigned to this role
  2. Auditor - configures, maintains, views and audits logs; an OS role. The Manage auditing and security log user right is assigned to this role
  3. CA Administrator - configures and maintains the CA and can assign the other roles. Held by the local Administrators group on the CA by default. The Manage CA permission is assigned to this role
  4. Backup Operator - performs system backup and recovery. The Back up files and directories and Restore files and directories user rights are assigned to this role
80
Q

A CA is used to issue digital certificates, and directories are used to store policies and certificates

A

CRL (Certificate Revocation List) - a digitally signed list of unexpired certificates that have been revoked by the CA, with the revocation date and reason for each

81
Q

Certificate templates are stored

A

in AD DS (the configuration partition), so every enterprise CA in the forest reads them from one place and subordinate CAs always get the most up-to-date template to use.

Maintains consistency

82
Q

default certificate templates in 2008 Enterprise include

A
  1. Computer - client and server authentication for computers; not published to AD DS
  2. Cross Certification Authority - issued by a CA to cross-certify another CA so two PKI hierarchies trust each other; used to verify the identity of the CA the certificate is issued to
  3. Directory Email Replication - used to replicate email within AD DS; issued to DCs and can be published to AD DS
  4. CEP Encryption - enables the holder to act as a registration authority for SCEP (Simple Certificate Enrollment Protocol) requests; SCEP issues and revokes digital certificates for software running on network devices such as routers and switches. Assigned to computers and cannot be published to AD DS
  5. Code Signing - used to digitally sign software. Assigned to users and cannot be published to AD DS
  6. Domain Controller - all-purpose certificate held by domain controllers; can be published to AD DS
  7. Domain Controller Authentication - authenticates AD computers and users; cannot be published to AD DS
  8. EFS Recovery Agent - enables the holder to decrypt files that were encrypted with Encrypting File System (EFS). Assigned to users and cannot be published to AD DS
83
Q

Microsoft CAs support 3 versions of certificate templates

backward compatible

A

Version 1 - Windows 2000 PKI and 2003 Standard Edition; not customizable (only the permissions can be changed)

Version 2 - customizable settings and permissions; only enterprise CAs on 2003 Enterprise Edition or higher

Version 3 - let an admin add the Suite B cryptographic settings (CNG providers) to their certificates: advanced options for digital signatures, encryption, hashing and key exchange. An admin can only issue certificates based on version 3 templates from 2008 CAs, and only 2008 or Vista and higher clients can enroll for them

84
Q

Permissions you can assign on a certificate template

A

Full Control - a user, machine or service has full control of the template
Enroll - allows the principal to request a certificate; Read is needed as well
Autoenroll - allows automatic enrollment; needs Enroll and Read as well
Read - needed to enroll or autoenroll, and the certificate server needs it to read the templates from AD (Authenticated Users have it by default, which covers the enterprise CA's computer account)
Write - modify the template (anyone with Write can change what the template issues, so keep it to PKI admins)

85
Q

KRA

A

Key Recovery Agent. Key archival lets the CA keep an encrypted copy of an encryption private key at enrollment; the agent can later retrieve the private key and certificate from the CA database, to prevent data loss due to a lost key.

A KRA is identified by issuing it a Key Recovery Agent certificate. By default enrolling for that template requires membership in Domain Admins or Enterprise Admins (or whatever group is granted Enroll on the template)

86
Q

To configure a KRA environment

A

Configure the Key Recovery Agent certificate template and enroll the KRA for a KRA certificate - Certificates snap-in, Request New Certificate, Key Recovery Agent

Enable key archival on the CA - the CA administrator adds the KRA certificate just issued on the CA's Recovery Agents tab

Configure the certificate templates whose keys should be archived (Request Handling tab, Archive subject's encryption private key)

87
Q

Who can perform a CA backup

A

members of the Backup Operators group

the CA Administrator (who also holds the backup role by default)

88
Q

Steps for enabling key archival for a CA

A
  1. Add the Certificate Authority snap-in
  2. Access the properties for the CA
  3. Set the number of key recovery agents that will be used to encrypt the archived key
  4. Choose the key recovery cert you want to use
  5. Restart the CA
89
Q

SCEP

NDES - only on Enterprise and Datacenter 2008
Has to have IIS

A

Simple Certificate Enrollment Protocol

Network Device Enrollment Service
retrieves cert requests that are pending
accepts auth requests
prepares and sends one-time enrollment passwords for the admin

90
Q

Enrolling for a cert with NDES requires

A

software used to manage the network device, a registration authority (RA), the computer hosting NDES, and the CA

91
Q

To install NDES you need to do 2 things

A

Config a user account to act as an RA
Config and install NDES

An RA is part of a PKI - it verifies requests for digital certs, records all the info that a CA requires for certs, and then sends the request to a CA, which issues the cert

92
Q

Configure RA

A

Add the user account to the IIS_IUSRS group

IIS_IUSRS is a security group IIS uses to establish and work with remote connections; in AD Users and Computers, no user is a member by default

93
Q

web enrollment domain page allows you to

A
  1. Submit a cert request
  2. Check the status of a pending request
  3. Download a CA cert, cert chain, or cert revocation list (CRL)

Lets users who are not on your domain request certs via the web

94
Q

2008 enables enrollment agents by using cert templates:

Can restrict enrollment rights - new in 2008
Not available on Standard editions of CAs

A

Enrollment Agent
Enrollment Agent Computer
Exchange Enrollment Agent (offline request)

95
Q

2 types of revoked certs

A

On the CRL:
Base CRL is the full set of revoked certs
Delta CRL is only the certs revoked since the last full Base CRL was published

CRL Distribution Point (CDP) - a cert needs this extension in order for clients to locate and retrieve the list. For each revoked cert you need a CDP

96
Q

CDPs can be located in

A

AD

local directory

97
Q

Config online responder tabs
Certificates

An Online Responder should not be installed on a CA, so it can perform more efficiently, but it needs to be on an IIS system

A

Web Proxy
Audit
Security

98
Q

To enable an online responder to enroll for signing certs you need to

A
  1. Configure the OCSP Response Signing template
  2. Include the URL for the online responder in the AIA extensions of the cert
  3. Assign the OCSP Response Signing template to the CA
  4. Create a revocation configuration
99
Q

To test an online responder configuration you can

A

issue a new certificate
revoke a certificate
publish a CRL
remove CRL CDP extensions from the issuing CA
confirm that client computers can obtain revocation data

100
Q

You can publish a new CRL or Delta CRL update to make a certificate change or revocation effective immediately

A

Open Admin Tools, Cert Auth, Issued Certs folder

Pick the cert and choose your action, date and time.

Publish; from the command line: certutil -crl (CRL to be published)

Can also use the Windows interface -
go to Cert Auth, pick the Revoked Certs folder, Actions, All Tasks, Publish, choose type: new or delta CRL

101
Q

Steps to configure OCSP online responder

A

Configure the OCSP Response Signing template and assign it to a certificate authority (CA)

Need to include the URL for the Online Responder in the AIA extensions of the certificates and create a revocation config

A cert revocation list (CRL) is automatically published at a specified interval, or you can manually publish it, choosing to overwrite or update an existing CRL

102
Q

Set up the RA account by

A

going to AD Users and Computers, choosing Builtin and adding the user to IIS_IUSRS

103
Q

On a Windows Server 2008 CA domain

A

An RA account set up for NDES
Cert Auth Web Enrollment service installed
A restricted enrollment agent has been configured
OCSP has been installed

104
Q

Sequence the steps you follow to configure the NDES

A
  1. In Server Manager, access the list of roles installed for AD DS
  2. Launch the Add Role Services Wizard
  3. Choose the NDES role
  4. Specify the username and account of the RA for NDES
  5. Alter the default RA info and cryptography settings if necessary, and install NDES
105
Q

steps to config a smart card enrollment station

A
  1. Access the Certificates snap-in via MMC
  2. Select the folder that contains personal certs
  3. Request a new cert
  4. Specify the Enrollment Agent cert type and enroll the cert