AD CS, AD FS, and AD RMS Flashcards

Implement Identity Federation and Access Solutions; Implement Active Directory Certificate Services

1
Q

What is WIA?

A

Windows-Integrated Authentication

This is the traditional method of authentication using Active Directory.

2
Q

What is FBA?

A

Forms-Based Authentication

When a server, such as a web application server, stores a user’s authentication information in a database specifically for that application.

3
Q

For ADFS, what is Web Application Proxy?

A

This tool allows you to securely expose ADFS to the internet, so internet users can be redirected to it for authentication when accessing web applications.

With this, you don’t need to expose your ADFS server directly to the internet.

4
Q

What is Microsoft Passport?

A

A former name for “Windows Hello for Business”

5
Q

What are password-less options for authentication in ADFS?

A
  • Azure MFA
  • Device Registration
  • Windows Hello for Business
6
Q

What are new features for ADFS in 2016?

A
  • Password-less Access
  • Access Control Policies
  • LDAP directory support
  • Customized Sign-In page for each application
  • Improved upgrade process, when upgrading from previous ADFS versions
  • New features for developers
7
Q

What are the steps to upgrade an AD FS farm from version 3.0 / Server 2012 R2 to version 2016?

A
  • First, add an ADFS 2016 node to your existing 2012 R2 ADFS farm.
  • If using WID: make the ADFS 2016 server the primary node, and make the 2012 R2 servers secondary. (Not necessary if using SQL.)
  • Extend your AD schema to 2016.
  • Remove all ADFS 2012 R2 nodes.
  • Upgrade the Farm Behavior Level (FBL).
8
Q

What is a mixed farm?

A

An ADFS farm that includes both 2012R2 ADFS nodes, and ADFS 2016 nodes.

Typically, this would be a transitional stage before upgrading the entire farm to 2016.

9
Q

What is FBL?

A

Farm Behavior Level

  • A new feature in ADFS 2016.
  • Refers to the version level that an ADFS farm operates at, whether 2012R2 or 2016.
  • A farm with an FBL of 2012R2 may include 2016 nodes, but cannot use the new features of ADFS 2016 until the FBL is upgraded.
10
Q

What are Primary and Secondary ADFS Servers?

A

In farms that use a WID:

  • The Primary server / node has a writeable copy of the database.
  • Secondary servers / nodes have a read-only replica of the database.

(This does not apply to farms that use a SQL database.)

11
Q

What is AAD?

A

Azure Active Directory

12
Q

What is required to synchronize on-premises ADFS with AAD?

A
  • Create a custom Domain Name in AAD (you cannot sync ADFS with the default .onmicrosoft.com domain you get with an Azure subscription)
  • Download and install Azure AD Connect
  • Federate Azure AD with ADFS (this is selected as an option during the installation of Azure AD Connect)
  • During the installation, you will need the credentials of an Azure AD user that is a Global Administrator, and an AD Domain Administrator account.
13
Q

What is the default Domain Name that comes with an Azure Subscription?

A

.onmicrosoft.com

14
Q

What computer should Azure AD Connect be installed on?

A

It can be installed on any server in your environment, whether a domain controller, the ADFS server itself, or any other.

15
Q

How can you configure Azure MFA for authentication of on-prem applications using an on-prem Azure MFA Server?

A
  • You need to install an on-prem Azure MFA Server
  • You can install Azure MFA directly on the ADFS server; but if not, then you need the MFA Adapter for ADFS installed on the ADFS server.
  • AAD is not required; no synchronization needed.
  • This method supports either Server 2012R2 or 2016
  • This only supports MFA for SECONDARY authentication.
16
Q

How can you configure Azure MFA for authentication of on-prem applications WITHOUT using an on-prem MFA Server?

A
  • ADFS in Server 2016 has a built-in Azure MFA Adapter (as such, this method only supports Server 2016).
  • You need AAD, synchronized with your on-prem ADFS.
  • To facilitate this, you need Azure AD Premium.
  • This method supports MFA for either primary or secondary authentication.
  • If using it for primary, your clients will need to use the Microsoft Authenticator App on their phones.
17
Q

What is the Azure MFA Provider, and how does it work?

A

A service that runs in the cloud, which can communicate with mobile phones, either through text message, phone call, or mobile app.

  • It provides a code that is generated every 30 seconds for MFA purposes.
  • It is available for cloud applications within Azure.
  • To use it with on-prem applications, you need either an MFA Server, or an on-prem 2016 ADFS which is synchronized with AAD.
18
Q

For Device Registration, where are devices registered?

A
  • When device registration is turned on in ADFS for Server 2012R2, devices are registered in an on-prem AD.
  • When device registration is turned on in ADFS for Server 2016, they are registered in AAD, though it can sync back to the on-prem AD with AAD Connect.
19
Q

How are devices registered with Device Registration?

A

For Windows 7, 8, and 8.1, they use “Workplace Join.”

In Windows 10, they use “Add a work or school account.”

20
Q

How is a Windows Hello PIN more secure than a password?

A
  • It is tied to the device, so even if an attacker knew your PIN, it cannot be used anywhere other than on the device
  • It’s backed by the TPM, when available
  • It is only stored on the device, not on any server
21
Q

What is Windows Hello, and how does it work?

A

A form of two-factor authentication that is tied to a device (factor 1), and uses either a PIN or biometric authentication (factor 2).

The second factor of authentication is called a “Hello.” It could be a fingerprint, a gesture, or facial recognition.

Once unlocked by the “Hello,” the credential on the device is sent to ADFS.

This credential is based either on a certificate or a cryptographic key, which is bound to the TPM if the device has one, or otherwise is created in software.

(The public key is stored in AD or AAD.)

22
Q

How does directory synchronization between Office 365 and on-prem AD / ADFS work?

A
  • From within Office 365, run the Directory Synchronization Wizard.
  • This first downloads a utility to evaluate your environment’s AD, domain, objects, etc.
  • Next, you must select or add a routable domain, which cannot be the default one that comes with AAD.
  • Add necessary records to your domain’s DNS, depending on what Office 365 services you want to use.
  • Use IDFix to look for and resolve any problems in your directory.
  • Run Azure AD Connect, selecting to Federate with ADFS.
23
Q

What is AD LDS?

A

Active Directory Lightweight Directory Services

An LDAP directory that comes with Windows Server. Multiple instances of AD LDS can exist on a single server, each of which can have its own schema.

24
Q

What is ADFS Proxy?

A

An older technology, which Web Application Proxy has replaced since Server 2012 R2.

25
Q

What port does Web Application Proxy use to communicate with ADFS?

A

TCP 443

26
Q

How is WAP installed and configured?

A

Through Add Roles & Features:

  • Since 2012 R2, WAP is a role service under the Remote Access server role.
  • You can then use the configuration wizard to provide the ADFS server name, admin credentials for ADFS, and the certificate.

Through PowerShell:

  • Install-WindowsFeature Web-Application-Proxy
  • Install-WebApplicationProxy -FederationServiceName "adfsservername" -FederationServiceCredential $Credential -CertificateThumbprint $Thumbprint
27
Q

Where is the configuration for WAP stored?

A

On the ADFS server.

28
Q

How can you provide High Availability for WAP?

A

It has nothing built-in, so you would have to put it behind a Network Load Balancer.

29
Q

What GUI tool is used to manage WAP?

A

Remote Access Management Console

30
Q

When publishing an application through WAP, what pre-authentication options are available?

A
  • ADFS: unauthenticated client requests are redirected to the ADFS server. After successful authentication, they are forwarded to the backend application server.
  • Pass-through: WAP does not perform any pre-authentication, and just forwards all requests to the backend application server. The application itself will need to do the authentication. (This could be useful for applications using FBA.)
31
Q

What are new features for WAP in Server 2016?

A
  • Preauthentication for HTTP Basic applications.
  • HTTP to HTTPS redirection. (Previously, you had to do a lot of complicated manual configuration in IIS to make this work; now it’s just a check box in WAP.)
  • Wildcard domain publishing of applications.
  • HTTP Publishing
  • Publishing of Remote Desktop Gateway apps
32
Q

What must be provided when publishing an application to WAP?

A
  • the internal URL of the application / backend server
  • The thumbprint for the certificate for the application
  • the external URL that will be used by clients to access WAP for this application.
  • the name to be displayed in the WAP interface
  • the external pre-authentication method
  • The name of the Relying Party Trust in ADFS.
33
Q

How do you configure HTTP to HTTPS redirect for WAP?

A

It’s a simple check box that you mark when publishing an application.

However, WAP does not open port 80 by default.

So, you also need to create a firewall rule to allow inbound traffic over TCP 80.

34
Q

What does a client need to do to connect to a Remote Desktop Gateway (RDG) Application through WAP?

A

They need to be using a Microsoft Web Browser, such as IE, and they need to install the ActiveX control that they’re prompted for on the login screen.

If the Published App isn’t configured for Pass-through authentication, then the client will also need to log in twice, once to the WAP, and once to the Remote Desktop Gateway.

35
Q

What is RDG?

A

Remote Desktop Gateway

36
Q

What is AD RMS, and what does it do?

A

Active Directory Rights Management Services

A Server Role that allows you to create Information Rights Management policies.

The access policies are applied to documents and e-mail messages, and remain with the content as it moves, both online and offline.

Policies are enforced through encryption, certificates, and authentication.

37
Q

What AD RMS Policy rights can be configured?

A
  • Full Control
  • View
  • Edit
  • Save
  • Export (Save As)
  • Print
  • Extract (Copy)
  • Forward (for e-mail)
  • Reply (for e-mail)
  • Reply All (for e-mail)
  • Allow Macros
  • View Rights
  • Edit Rights
38
Q

How do you install AD RMS using the GUI?

A

In Roles and Features, install the role “AD Rights Management Services”

39
Q

Using the GUI, how do you configure an environment’s first AD RMS server?

A

After installing the role,

  • Open the configuration Wizard.
  • Create a new AD RMS root cluster.
  • Choose a SQL server, or use WID (only if you won’t be clustering).
  • Specify the service account that RMS will run under. It must be a domain user, but does not need any particular permissions.
  • Configure the AD RMS Cluster Key
40
Q

What is a CSP?

A

Cryptographic Service Provider

You can offload the processing required for cryptography to the CSP.

41
Q

What is an SCP, and how does it work?

A

Service Connection Point

  • It is an object in AD that provides the intranet URL of the AD RMS cluster, allowing RMS-aware clients and applications to discover the cluster automatically.
  • Only one SCP can exist per forest in AD.
  • It is created automatically when the first AD RMS cluster is deployed (though you can opt not to create one). Any future changes to the SCP from then on must be made manually.
42
Q

What is included in a Distributed Rights Policy Template?

A
  • The name, and description (which is required)
  • Any number of users and groups, which are identified by e-mail address; and the rights assigned to each of them
  • The expiration settings for the content
  • Additional conditions
  • The revocation policy
43
Q

What happens if a file protected by an AD RMS policy goes past its expiration date?

A

There are two expirations that can be configured:

Content expiration: The content cannot be accessed until it is republished.

Use license expiration: The user will have to reconnect to the RMS server to obtain a new license. (The use license is cached on the client computer once it’s obtained).

44
Q

How does Revocation work in AD RMS?

A

If a revocation policy has been configured in a Rights Policy Template, it specifies the URL of the location where the revocation list is published, how often to check the list, and the public key for the list.

The revocation list contains factors to deny permission to content. Factors include content ID, users, applications, etc.

45
Q

What is the RMS Client 2.1?

A

The RMS Client comes installed on every version of Windows from Vista and newer, but 2.1 is a newer version.

For added functionality, it needs to be downloaded and installed. Even Windows 10 doesn’t include this newer version of the client.

One feature it adds is that, by editing the Registry, you can modify how frequently templates are refreshed.

46
Q

How do you backup and restore AD RMS?

A

You need three things:

  • A securely stored backup copy of the Cluster Key Password
  • An export of the Trusted Publishing Domain (exported as an XML file). (Can be exported using the AD RMS Administrative Console.)
  • A backup of the RMS Configuration Database (which could be WID or SQL)
47
Q

What three Databases does AD RMS use?

A
  • Configuration Database
  • Directory Services Database
  • Logging Database
48
Q

What ports must be opened in the firewall between a WAP and the internet, and what are they for?

A
  • Port 443 for device authentication of remote users.
  • Port 49443 for certificate authentication of remote users.

If using AAD:

  • Port 80 for downloading certificate revocation lists to verify SSL certificates
  • Port 5985 as the WinRM listener.
49
Q

How do you add an AD RMS server to an existing RMS cluster with PowerShell?

A

Either with:

• New-PSDrive

or

• Install-ADRMS

or its alias,

• Install-RMS

50
Q

What is this cmdlet for?

Install-ADRMS

A

This is used to create a new AD RMS cluster, or join an existing cluster.

51
Q

What does a Certificate Authority do?

A

A CA binds public keys with the respective identities of entities.

  • This binding is done through a process of registration and issuance of certificates.
  • Certificates have a public key bound to them.
52
Q

What is AD CS?

A

Active Directory Certificate Services

Provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

53
Q

What is the difference between a Standalone CA and an Enterprise CA?

A
  • A standalone can exist offline, but an Enterprise cannot exist offline.
  • Standalone does not depend on AD DS, but Enterprise does.
  • A standalone can only get certificates via manual procedure or web enrollment. Enterprise can use these, plus auto-enrollment, enrollment on behalf, or web services enrollment.
  • In standalone, all certificates must be approved manually. In Enterprise, they can be issued or denied automatically based on policy.
  • Standalone CAs do not support templates. (Therefore, no automatic key archival.)
54
Q

What is a CRL?

A

Certificate Revocation List

It is published by a CA, and contains a list of certificates that have been revoked. Clients check the CRL when they need to validate certificates, to confirm whether the certificates are still valid.

The CRL is cached by clients, who will update it on a set schedule.

55
Q

What is the current standard, recommended key length for CAs to use, and what is the actual minimum?

A

Standard: 4096.

The default is 2048.

56
Q

What is a CDP?

A

CRL Distribution Point

(Certificate Revocation List Distribution Point)

• Included in a certificate, it tells clients where to look for the CRL.

57
Q

What is an AIA?

A

Authority Information Access

• Tells you where to find the authority for the CRL.

58
Q

What role services must be installed with IIS, when using IIS with CA?

A

In addition to the default selections, you must install these role services:

  • Basic Authentication
  • Windows Authentication
59
Q

What is IIS used for, when used with an offline, standalone root CA?

A

The CDP and the AIA of the root server are made available on the web server, since the standalone root CA will be offline.

60
Q

How do you use Group Policy to have all computers in your domain trust your CA root authority?

A

Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies

This contains several options, including a folder for “Trusted Root Certification Authorities.” Loading the CA Root certificate there will install the certificate on all domain computers.

61
Q

What is the default location for Certificate database files on a CA server?

A

The Certificate Database, and its Database Log, are located here by default:

C:\Windows\system32\CertLog\

62
Q

What is a .req file?

A

A certificate request, which is a request from a device to receive a certificate from a higher up CA.

63
Q

What is the name of the service for a CA server?

A

certsvc

64
Q

How do you install a certificate issued from a CA onto a computer using PowerShell?

A

certutil -installCert

65
Q

What additional configurations need to be made in your domain if a standalone root server is going to be offline?

A

By default, the CDP and the AIA are published on the root CA. If it is going to be offline, then those need to be located elsewhere.

Usually, you’ll locate them on a web server so they are always accessible.

To do so, you need to edit the properties of the root CA and modify the extensions.

66
Q

How do you modify the locations for the CDP and AIA?

A

MMC > Certification Authority > select Root CA server > Properties > Extensions >

  • Remove the local locations for both the CDP and the AIA, and add the web address (or whatever new location) where you’ll be hosting these certificate files,
  • then add the necessary variables to the end of that path,
  • then end with the file extension: .crl for the CDP, and .crt for the AIA.

Or, in PowerShell, the cmdlets are:

  • Add-CACrlDistributionPoint
  • Add-CAAuthorityInformationAccess
67
Q

What is certutil.exe?

A

A command line utility for managing AD Certificate Services.

It is the only tool that can be used for several tasks and configurations.

68
Q

What is this command?

certutil -dump

A

Lists information on the issuing certificates themselves, as well as a little info about the CA.

69
Q

What PowerShell modules are used for configuring Certificate Services?

A

ADCSDeploy

ADCSAdministration

These are limited, and there’s actually not a lot of things you can do in PowerShell for configuring Certificate Services.

71
Q

What Security Permissions are available for CA?

A

For users and groups, each of these can be set to Allow or Deny:

• Read
(Can locate CA and see some contents)

• Request Certificates

• Issue and Manage Certificates
(Approve, Deny, and Revoke)

• Manage CA
(Manage and configure all CA options)

72
Q

What are Certificate Managers?

A

Any user or group who has been granted security permission to issue and manage certificates on a CA.

• This means they have “Allow” permissions for the “Issue and Manage Certificates” access on the CA.

73
Q

How do you restrict a Certificate Manager?

A

The “Certificate Managers” tab of a CA’s properties contains the option to restrict.

• You select users and groups (as configured in the Security tab) and may restrict their management access to particular certificate templates, or particular users/groups.

74
Q

What is the PowerShell cmdlet used to publish an application with WAP?

A

Add-WebApplicationProxyApplication

75
Q

What is wildcard domain publishing?

A
  • A new feature of WAP for 2016.
  • Allows you to publish multiple applications from the same DNS domain.
  • To support scenarios such as SharePoint 2013, the external URL for the application can now include a wildcard to enable you to publish multiple applications from within a specific domain, for example, https://*.sp-apps.contoso.com.
  • This will simplify publishing of SharePoint apps.
76
Q

How do you join a new AD RMS server to an existing AD RMS cluster?

A
  • After installing the AD RMS role, you need to configure it by identifying the database instance, and the cluster key.
  • (Clusters keep their database files on a SQL Server instance.)
77
Q

What advantages does a SQL database have over a WID database for use with AD RMS?

A
  • Most significantly, a SQL database allows clustering of AD RMS across multiple nodes.
  • It also has more extensive options for backup and maintenance tasks, etc.
78
Q

What PowerShell cmdlets do you use to have ADFS authenticate LDAP users to an application?

A

You would need to do all three of the following:

  • New-AdfsLdapServerConnection
  • New-AdfsLdapAttributeToClaimMapping
  • Add-AdfsLocalClaimsProviderTrust
79
Q

What does this command do?

Adprep /forestprep

A

It extends the AD schema for Server 2016, meaning it makes it able to accommodate new attributes.

80
Q

What is Azure AD Application Proxy?

A

Provides single sign-on remote access to on-prem web applications that use Azure AD for authentication.

All that is required to install on-prem is a small connector software agent.

All federated identity and secure authentication flow is handled by Azure AD Application Proxy.

81
Q

What does KRA stand for?

A

Key Recovery Agent

82
Q

What is PKIView?

A

Public Key Infrastructure View

A GUI utility for managing CAs, certificates, AIAs, CDPs, etc.

83
Q

What is the difference between using the Certification Authority console to manage a computer locally vs. remotely?

A

These options are only available when working on the CA computer locally, rather than connecting remotely:

  • Back up CA
  • Restore CA
  • Renew CA Certificate

For this reason, your root CA should always be a server with full Desktop Experience, rather than Server Core.

84
Q

When do you need to renew the certificate for your CA?

A

• When the lifetime of the certificates you are currently issuing is reduced.

This is because a CA cannot issue certificates with expiration dates beyond its own certificate’s expiration date.

So, typically, you’ll want to renew the CA’s certificate at least one year before it expires.

• Also, you’d need a new certificate if the signing key was compromised.

85
Q

When you renew your CA’s certificate, do you always need a new signing key?

A

You only need a new signing key when:

  • The signing key is compromised
  • You have a program that requires a new signing key to be used with a new CA certificate
  • The current CRL is too big, and you want to move some of the info to a new CRL
86
Q

How can you audit your CA?

A

It is audited through Event Viewer.

First, you must enable the “Audit object access” setting in Group Policy.

Then, in the CA’s properties > Auditing tab, check off what items you want to audit.

87
Q

What is the limit on how long a subordinate CA’s certificate may be good for?

A

5 years.

88
Q

How do you back up a CA?

A

• Using the CA Backup Wizard:

  • Back up the private key and CA certificates
  • It will make you create a password for the key backup
  • Back up the certificate database and certificate database log

• Then, in Registry Editor:

  • Export the CertSvc\Configuration partition

• On an Enterprise CA, you need to record all published templates.

89
Q

How do you restore a CA from backup?

A
  • When installing Certificate Services on the new machine, select the option to “use an existing private key,” and select the certificate and key that were backed up.
  • For the restore to work, the database and its log must have the same paths as they had in the backup.
  • Stop the certsvc service
  • Merge the CertSvc\Configuration registry entries
  • Use the Restore CA wizard from the CA snap-in (you’ll need the password for the key restore)

90
Q

What is a PKI Certificate?

A

An electronic document used to prove the ownership of a public key. It serves to validate the sender’s authorization and name.

91
Q

What is a Key Storage Provider?

A

Literally just provides storage for your cryptographic keys.

92
Q

How do Certificate Template permissions work?

A

Permissions can apply to groups only, no users.

Permissions include these options:

  • Read
  • Write
  • Enroll (also requires read)
  • Autoenroll (requires read and enroll)
  • Full Control
93
Q

How do the different versions of Certificate Templates work?

A

Version 1

  • The default. These templates cannot be changed

Version 2

  • Created by duplicating a V1 template
  • Allows autoenrollment
  • V2 templates, even default ones, can be modified

Version 3

  • Created by duplicating a V1 or V2 template
  • Allows Cryptography Next Generation
  • V3 templates can be modified

Version 4

  • Requires Server 2012 or later
  • Allows use of CSP and key storage providers
  • V4 templates can be modified
94
Q

How do you allow for autoenrollment of a certificate?

A
  • The CA’s Request Handling Policy must NOT be set to require manual administrator approval of all requests.
  • The certificate template must grant these permissions to the group that will be enrolling:
      • Read
      • Enroll
      • Autoenroll
  • Autoenrollment must be enabled in GPO Public Key Policies

95
Q

What is a .pfx file?

A

Personal Information Exchange (*.pfx)

A file that stores exported certificate keys.

When it is created, it can have password protection built into it, as well as access restricted to select users or groups.

96
Q

How can you recover a deleted certificate?

A
  • The key needs to have been archived, either manually, or through having enabled auto-archiving in the template for the certificate it was created with. A KRA must have been specified when archiving.
  • From the certificate issuer, get the serial number of the certificate.
  • Then, run these certutil commands:

certutil -getkey [serial number] outputblob

certutil -recoverkey outputblob [newfilename].pfx

  • You can then right-click the .pfx file and select Install.

97
Q

When establishing an SSL connection, what may cause a warning message to appear?

A
  • If the CA is not trusted
  • If the Subject Name or Subject Alternate Name does not match the name of the website or service that you are connecting to.
98
Q

What are the steps of an SSL handshake when connecting to a website?

A
  1. The user browses to an HTTPS website
  2. The browser requests a certificate from the web server
  3. The web server sends its certificate, and included in that certificate is its public key
  4. The browser checks the certificate and if it trusts the issuing CA, and whether the certificate is revoked
  5. The browser generates a symmetric encryption key, encrypts it and then sends it
  6. The web server decrypts the symmetric key and secures the communication
99
Q

What is a “Certificate Hold”?

A

One of the Reason codes that can be selected when revoking a certificate in CA

Unlike with any other reason code, certificates that have been revoked this way can be Unrevoked.

100
Q

In a certificate template, what permissions must be granted to enable automatic renewal of certificates with an AD CA?

A

Read and Enroll.

Autoenroll permission is not required for automatic renewal.

101
Q

What are the steps to configure automatic key archival?

A
  1. Configure a key recovery agent certificate template.
  2. Add the key recovery agent cert template to an enterprise CA.
  3. Enroll one or more key recovery agents.
  4. Configure the CA for key archival and recovery.
102
Q

What is an Enrollment Agent?

A

An Enrollment Agent is a user that has been granted permission to request certificates on behalf of another user.

103
Q

What is an Online Responder?

A

An AD CS role feature that responds to client requests for information about specific certificates.

This service provides support for Online Certificate Status Protocol (OCSP) validation and revocation checking.

This service makes it possible to check the revocation status of a single certificate, rather than downloading and checking the complete CRL.

104
Q

In AD CS, what does this default Certificate template do?

Smart Card Logon

A

Allows the holder to authenticate its identity by using a smart card

105
Q

In AD CS, what does this default Certificate template do?

Smart Card User

A

Allows the holder to authenticate its identity and protect e-mail by using a smart card

Capable of:
• Authentication
• Signing
• Encryption

106
Q

In AD CS, what does this default Certificate template do?

Subordinate CA

A

Used to prove the identity of a subordinate CA; it is issued to that CA by its parent (or root) CA.

Capable of:
• Signing the certificates and CRLs that the subordinate CA issues (key usage: Digital Signature, Certificate Signing, CRL Signing); it is a CA certificate, not an end-entity authentication certificate

107
Q

In AD CS, what does this default Certificate template do?

Authenticated Session

A

Allows subjects to authenticate to a Web server

108
Q

In AD CS, what does this default Certificate template do?

Computer

A

Allows a computer to authenticate itself on the network

109
Q

In AD CS, what does this default Certificate template do?

Enrollment Agent

A

Used to request certificates on behalf of another user

110
Q

In AD CS, what does this default Certificate template do?

Key Recovery Agent (KRA)

A

Recovers private keys that are archived on the CA

111
Q

In AD CS, what does this default Certificate template do?

Web Server

A

Proves the identity of a Web server

112
Q

In AD CS, what does this default Certificate template do?

Workstation Authentication

A

Enables client computers to authenticate their identity to servers for mutual authentication.

113
Q

What is Certificate Authority Web Enrollment?

A

A role service that provides a set of web pages (http(s)://<CAHostName>/certsrv) for interacting with the CA role service.

• It supports enrollment and renewal requests for computers that:

  • run non-Windows OSs,
  • are not domain members,
  • or are not connected to your domain network.

• It lets you connect to a CA with a web browser to perform common tasks, such as:

  • Request a new certificate from the CA, or a renewal
  • Check a pending certificate request
  • Request the CA's certificate
  • Retrieve the CA's CRL

Because users authenticate to these pages, they should be published over HTTPS only.
114
Q

What is the Enterprise Trust certificate store intended to contain?

A

Certificate Trust Lists (CTLs): signed lists through which self-signed root certificates from other organizations are trusted, optionally limited to particular purposes and validity periods.

115
Q

Where is the CRL stored?

A

An enterprise CA publishes its CRL to AD DS (the CDP container under CN=Public Key Services in the configuration partition) and, by default, also to the local file system in %windir%\system32\CertSrv\CertEnroll.

A standalone CA publishes only to the local file system by default; you can add file, HTTP or LDAP publication locations that clients outside the CA can reach.

For clients to find the CRL, each location must also be added to the CDP extension, which the CA writes into every certificate it issues from that point on. A client that cannot download a CRL from any listed CDP treats the revocation check as failed.
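
Added example for cards 103 and 115 (not from the flashcards): the PowerShell and certutil commands to see where a CA publishes its CRL, add an HTTP CDP and an OCSP AIA entry, republish, and verify from a client. It runs on the CA as a CA administrator and assumes the ADCSAdministration module (Windows Server 2012 or later); pki.contoso.com and C:\temp\issued.cer are assumptions, and the HTTP path must be served by a web server you operate.

```powershell
# Added example, not part of the flashcards. Run on the CA as a CA administrator.
Import-Module ADCSAdministration

# CA type: 0/1 = enterprise root/subordinate (CRL also published to AD DS),
#          3/4 = standalone root/subordinate (file system only unless you add locations).
certutil -getreg CA\CAType

# Current publication points. PublishToServer = the CA writes the CRL file there;
# AddToCertificateCdp = the URL is put into the CDP extension of newly issued certificates.
Get-CACrlDistributionPoint | Select-Object Uri, PublishToServer, AddToCertificateCdp, AddToFreshestCrl

# Add an HTTP CDP reachable by non-domain clients. <CaName>, <CRLNameSuffix> and
# <DeltaCRLAllowed> are certutil replacement tokens expanded at publication time.
Add-CACrlDistributionPoint -Uri 'http://pki.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# Advertise the Online Responder so clients can check one certificate via OCSP
# instead of downloading the whole CRL.
Add-CAAuthorityInformationAccess -Uri 'http://pki.contoso.com/ocsp' -AddToCertificateOcsp -Force

# Extension changes take effect after a restart and apply only to certificates issued
# from now on; existing certificates keep the CDP/AIA they were issued with.
Restart-Service certsvc

# Publish a new base CRL (and delta CRL, if enabled) to every PublishToServer location.
certutil -CRL

# From a client: follow the chain, CDP and AIA/OCSP URLs of an issued certificate and
# report revocation status. A "Failed" line here is what end users see as a warning.
certutil -verify -urlfetch C:\temp\issued.cer
```

The CRL file the CA writes locally still has to be copied to the HTTP location (or published straight to it with -PublishToServer when the web root is reachable from the CA); if the advertised URL serves a stale CRL, clients will reject certificates once the CRL's next-update time passes.
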

116
Q

What is the Certificate Enrollment Web Service (CES) ?

A

Certificate Enrollment Web Service

CES acts as a proxy between the client and the CA: it receives certificate issuance and renewal requests over HTTPS and submits them to the CA, so clients (Windows 7 / Windows Server 2008 R2 or later) need no direct RPC/DCOM access to the CA.

• It also supports automatic renewal for computers that are not domain members or that belong to untrusted domains; the client authenticates to the web service with Kerberos, a username and password, or a client certificate.

117
Q

What is the Certificate Enrollment Policy Web Service (CEP) ?

A

Certificate Enrollment Policy Web Service

CEP lets users and computers retrieve certificate enrollment policy (the templates available to them and the CES endpoints to submit requests to) over HTTPS. It is the policy half of the CEP/CES pair; clients are pointed at it through Group Policy or manual configuration.

118
Q

What is Network Device Enrollment Service?

A

NDES is the AD CS implementation of the Simple Certificate Enrollment Protocol (SCEP). It issues and renews certificates for network devices such as routers and switches, which have no Active Directory account.

  • A device obtains its certificate without an administrator handling the request; it presents a one-time enrollment challenge password taken from the NDES admin page.
  • Requests are submitted to the CA in the context of the service account specified when NDES was configured, so the CA sees that account, not the device, as the requester.
119
Q

Why do standalone CA’s, by default, require an administrator to manually approve certificate requests?

A

Because a standalone CA does not use AD DS, it cannot authenticate the requester or read the requester's directory attributes to build the subject, so every request is held as pending until an administrator reviews it and issues or denies the certificate. (The CA's Policy Module can be set to issue automatically instead, which is not recommended.)

120
Q

What are some primary uses of Group Policy for supporting Certificate Services?

A

These are configured in Group Policy (Computer or User Configuration > Windows Settings > Security Settings > Public Key Policies):

  • Auto-Enrollment policy (Certificate Services Client - Auto-Enrollment)
  • Automatic update and renewal of certificates (options of the same policy)
  • Automatic trust of root CAs (Trusted Root Certification Authorities and Enterprise Trust settings)
  • Auditing of a CA (Audit Object Access must be enabled in the audit policy before CA audit events are written)
121
Q

In AD CS, what does this default Certificate template do?

Domain Controller Authentication

A

Used to authenticate AD users and computers.

122
Q

In AD CS, what does this default Certificate template do?

User

A

Used by users for e-mail security (S/MIME), Encrypting File System (EFS) and client authentication.

123
Q

In AD CS, what does this default Certificate template do?

User Signature Only

A

Used to enable users to digitally sign data.

124
Q

What GUI utility can you use to export the Trusted Publishing Domains?

A

The AD RMS administration console (Trust Policies > Trusted Publishing Domains > Export Trusted Publishing Domain).

It is exported as an XML file that contains the server licensor certificate together with its private key, so the export is protected with a password you choose and must be handled as carefully as the key itself.

125
Q

What is a TPD?

A

Trusted Publishing Domain

TPDs allow one AD RMS server to issue use licenses that correspond with a publishing license issued by another AD RMS server.

A TPD is added by importing the server licensor certificate and private key of the server to be trusted.

126
Q

In WAP, what could this method of pre-authentication be used for?

MSOFBA

A

Microsoft Office clients that need to access data on a backend server (MSOFBA is Microsoft Office Forms-Based Authentication, which Office applications use to sign in to web-published resources).

127
Q

In WAP, what could this method of pre-authentication be used for?

OAuth

A

Clients that need to use Windows Store Apps

128
Q

In WAP, what could this method of pre-authentication be used for?

HTTP Basic

A

Rich clients, such as smartphone mail apps, that need to connect to Exchange or another backend server.

(Exchange ActiveSync uses HTTP Basic pre-authentication.)

129
Q

What is this AD RMS Certificate used for?

Server Licensor Certificate (SLC)

A

Created when you install and configure the first AD RMS server in a cluster. It contains the cluster's public key and is used to sign the certificates and licenses the cluster issues (CLCs, RACs, publishing licenses and use licenses).

Other servers in the cluster share the same SLC.

130
Q

What is this AD RMS Certificate used for?

Client Licensor Certificate (CLC)

A

Gives a user the ability to publish protected content, even when the client is not currently connected to the AD RMS server.

131
Q

What is this AD RMS Certificate used for?

Machine certificate

A

Identifies a computer or other supported device.

132
Q

What is this AD RMS Certificate used for?

Rights Account certificate (RAC)

A

Identifies a specific user based on either account credentials only (temporary RAC), or on account and device credentials (standard RAC).

133
Q

What is this AD RMS Certificate used for?

Publishing license

A

Specifies applied rights on protected content, including:

  • the users that can open it
  • under what conditions it may be opened
  • the rights each user will have to the content
134
Q

What is this AD RMS Certificate used for?

Use license

A

Gives a user the ability to access protected content based on user account credentials. The license is tied to the user's RAC.

(If the user’s RAC is not present or valid, the user is not given access to the content.)

135
Q

What is the difference between a Standard RAC and a Temporary RAC?

A

Standard RAC:

  • identifies a user by account credentials and device credentials together.
  • has a validity time measured in number of days. (the default is 365 days)

Temporary RAC:

  • identifies a user based on account credentials only.
  • has a validity time measured in number of minutes. (the default is 15 minutes)
136
Q

What is the PowerShell command to upgrade FBL?

A

Invoke-AdfsFarmBehaviorLevelRaise

137
Q

What command could you use to delete certificates from the certificate store?

A

certutil.exe -viewdelstore [StoreName] opens a dialog in which you pick the certificate to delete from that store; certutil.exe -delstore StoreName CertId (for example certutil -delstore My <Thumbprint>) deletes it without the dialog.

138
Q

What command could you use to revoke a certificate?

A

certutil.exe -revoke
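
Added example for cards 99 and 138 (not from the flashcards): PowerShell wrappers around certutil that put a certificate on hold, list the revoked entries, release the hold and publish a fresh CRL. They run on the CA as a Certificate Manager; <SerialNumber> is a placeholder to be taken from the certutil -view output or the certificate's details.

```powershell
# Added example, not part of the flashcards. Run on the CA as a Certificate Manager.

function Get-RevokedCertificate {
    # Disposition 21 = revoked rows in the CA database (20 = issued, 9 = pending).
    certutil -view -restrict 'Disposition=21' -out 'RequestID,SerialNumber,RequesterName,NotAfter'
}

function Suspend-IssuedCertificate {
    param([Parameter(Mandatory)][string]$SerialNumber)
    # Reason 6 = CertificateHold (RFC 5280). Every other reason is permanent:
    # 0 Unspecified, 1 KeyCompromise, 2 CACompromise, 3 AffiliationChanged,
    # 4 Superseded, 5 CessationOfOperation.
    certutil -revoke $SerialNumber 6
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for $SerialNumber" }
}

function Resume-IssuedCertificate {
    param([Parameter(Mandatory)][string]$SerialNumber)
    # Only a certificate revoked with CertificateHold can be unrevoked; certutil
    # refuses this for certificates revoked with any other reason.
    certutil -revoke $SerialNumber Unrevoke
    if ($LASTEXITCODE -ne 0) { throw "unrevoke failed for $SerialNumber" }
}

function Publish-Crl {
    # Clients keep using their cached CRL until its next-update time, so publish right
    # after a hold or a release; the Online Responder also reads the new CRL.
    certutil -CRL
    if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL failed' }
}

Suspend-IssuedCertificate -SerialNumber '<SerialNumber>'
Publish-Crl
Get-RevokedCertificate            # the held certificate appears with the other revoked entries
Resume-IssuedCertificate -SerialNumber '<SerialNumber>'
Publish-Crl                       # the next CRL no longer lists it
```

Use the hold when the situation is uncertain (a lost smart card that may turn up, a host taken offline for investigation); if the key is confirmed compromised, revoke again with reason 1 so the revocation can never be undone.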

139
Q

What is the command to promote an ADFS Node to Primary Computer in a farm?

A

Set-AdfsSyncProperties -Role PrimaryComputer
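
Added example for cards 136 and 139 (not from the flashcards): the order in which an administrator runs these commands on a WID farm, with the checks that go before each. It assumes an elevated PowerShell session on the newly added AD FS 2016 node and an account that is both a local administrator and a domain administrator; with a SQL-backed farm the primary/secondary switch is not needed.

```powershell
# Added example, not part of the flashcards. Run on the new AD FS 2016 node.

# Which node is primary right now? Only the primary holds the writable configuration;
# secondaries poll it for changes.
Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName, LastSyncStatus

# Promote this node. Afterwards, on each remaining 2012 R2 node, repoint it:
#   Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <this node's FQDN>
Set-AdfsSyncProperties -Role PrimaryComputer

# The farm behavior level cannot be raised while older nodes are still members;
# confirm every 2012 R2 node has been removed first.
(Get-AdfsFarmInformation).FarmNodes
(Get-AdfsFarmInformation).CurrentFarmBehavior

# Dry run: reports schema and node blockers without changing anything.
Test-AdfsFarmBehaviorLevelRaise

# Raise the level; this also updates the AD FS container in AD DS, hence domain admin rights.
Invoke-AdfsFarmBehaviorLevelRaise

(Get-AdfsFarmInformation).CurrentFarmBehavior   # expect 3 for AD FS 2016
```

Raising the FBL is one-way; take a backup of the configuration database before Invoke-AdfsFarmBehaviorLevelRaise, since the only way back is a restore onto 2012 R2 nodes.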

140
Q

What types of Exclusion policies can be configured in AD RMS?

A
  • User – block specific users (identified by their RAC) from acquiring licenses, for example after a credential compromise
  • Application – block specific RMS-enabled applications (by file name and version range) from acquiring licenses
  • Lockbox version – block clients whose AD RMS client software (the lockbox) is older than a specified minimum version