Configuring Encryption and Advanced Auditing Flashcards

1
Q

BitLocker is supported on what operating systems?

A

Windows Vista & above

Windows Server 2008 & Above

2
Q

What does the following PowerShell cmdlet do?

Add-BitLockerKeyProtector

A

Adds a key protector for a BitLocker volume.

3
Q

What does the following PowerShell cmdlet do?

Backup-BitLockerKeyProtector

A

Saves a key protector for a BitLocker volume in AD DS.

4
Q

What does the following PowerShell cmdlet do?

Clear-BitLockerAutoUnlock

A

Removes BitLocker automatic unlocking keys.

5
Q

What does the following PowerShell cmdlet do?

Disable-BitLocker

A

Disables BitLocker encryption for a volume.

6
Q

What does the following PowerShell cmdlet do?

Disable-BitLockerAutoUnlock

A

Disables automatic unlocking for a BitLocker volume.

7
Q

What does the following PowerShell cmdlet do?

Enable-BitLocker

A

Enables encryption for a BitLocker volume.

8
Q

What does the following PowerShell cmdlet do?

Enable-BitLockerAutoUnlock

A

Enables automatic unlocking for a BitLocker volume.

9
Q

What does the following PowerShell cmdlet do?

Get-BitLockerVolume

A

Gets information about volumes that BitLocker can protect.

10
Q

What does the following PowerShell cmdlet do?

Lock-BitLocker

A

Prevents access to encrypted data on a BitLocker volume.

11
Q

What does the following PowerShell cmdlet do?

Remove-BitLockerKeyProtector

A

Removes a key protector for a BitLocker volume.

12
Q

What does the following PowerShell cmdlet do?

Resume-BitLocker

A

Restores BitLocker encryption for the specified volume.

13
Q

What does the following PowerShell cmdlet do?

Suspend-BitLocker

A

Suspends BitLocker encryption for the specified volume.

14
Q

What does the following PowerShell cmdlet do?

Unlock-BitLocker

A

Restores access to data on a BitLocker volume.

15
Q

How would you enable BitLocker for a device using a PIN and TPM?

A
  1. Run the following:
    1. $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
    2. Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
16
Q

What is BitLocker for?

A

BitLocker is drive encryption. It can only be used for NTFS-formatted drives. It does either full drive encryption or used-space-only encryption.

17
Q

BitLocker has what characteristics?

A
  • Can be used to encrypt entire hard drive or only the used parts of a hard drive
  • Can be combined with EFS (Encrypted File System)
  • Protects the integrity of the Windows boot process
18
Q
  1. If the Windows version is Server 2008 or Vista, what do you need to do to provision BitLocker?
  2. If the Windows version is Server 2008 R2 or Windows 7, what do you need to do to provision BitLocker?
A
  1. Create a partition before deploying BitLocker
  2. It creates the partition for you. There is nothing to do
19
Q

If you are using Group Policy to configure BitLocker, what GPO should you set so that the computer is not encrypted without the recovery key being stored in AD:

  1. If you are using Windows Server 2008R2/Windows 7 or above?
  2. If you are using Windows Server 2008/Windows Vista?
A
  1. Enable the GPO: Choose how BitLocker-protected operating system drives can be recovered
    • Select the option: Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
  2. Enable the GPO: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
    • The needed option, "Require BitLocker backup to AD DS", is enabled by default once the policy is enabled
20
Q

What would you configure to set up a TPM and another source to unlock the computer?

A

The GPO: Require additional authentication at startup

This allows you to let computers use a USB key instead of a TPM if there is no TPM chip. This will also be

21
Q
  1. If you don't want to use EFS, how would you disable all users' ability to use it?
  2. If a CA is not available for EFS, what happens?
A
  1. If you don't want to use EFS, how would you disable all users' ability to use it?
    • Remove any recovery agent and disallow self-signed certs.
      • You can do this by navigating to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, right-clicking and selecting Properties, and on the General tab choosing to not allow EFS
  2. If a CA is not available for EFS, what happens?

It generates a self-signed cert, if that option has not been deselected.

22
Q

Where can you back up the key for EFS Certificates?

A

You can go into the file or folder properties:

  • On the General tab
  • Select Advanced
  • Select Details
  • Select the cert to back up
  • Click Back up keys...
  • This will take you to the Certificate Export Wizard

OR

You can go into the certificates console

23
Q

If you add additional recovery agents what happens to files that were encrypted before it was added?

A

The certificate is added to an existing file when:

  • The file is opened and closed, or
  • You run: cipher /u
24
Q

How do you add additional Data Recovery Agents to your Domain?

A
  • Edit the default domain policy
  • Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies
  • Select what you want a Data Recovery Agent for (either EFS, Data Protection, or Bitlocker Drive Encryption)
  • Right-Click and Select Add or Create Data Recovery Agent
25
Q

What does the following CMD do:

  1. cipher /r:c:\backup
A
  1. Backs up a certificate with both the public and private key
26
Q

Where can you turn off EFS self-signed certs?

A

Go to the GPO location Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies

Then right-click, select Properties, go to the Certificates tab, and unselect "Allow EFS to generate self-signed certificates"

27
Q

What are the BitLocker Network Unlock core requirements?

A
  • You must be running at least Windows 8 or Windows Server 2012.
  • Any supported operating system with UEFI DHCP drivers can be Network Unlock clients.
  • A server running the Windows Deployment Services (WDS) role on any supported server operating system.
  • BitLocker Network Unlock optional feature installed on any supported server operating system.
  • A DHCP server, separate from the WDS server.
  • Properly configured public/private key pairing.
  • Network Unlock Group Policy settings configured.
28
Q

How do you install BitLocker Network Unlock via PowerShell?

A

Install-WindowsFeature BitLocker-NetworkUnlock

29
Q

What are the steps (broad overview) to set up BitLocker Network Unlock?

A

This is just a broad overview, not the specifics

  1. Install WDS or ensure that WDS is installed
  2. Confirm the WDS Service is running
  3. Install the Network Unlock feature
  4. Create the Network Unlock certificate
  5. Deploy the private key and certificate to the WDS Server
  6. Configure Group Policy settings for Network Unlock
    1. Require TPM+PIN protectors at startup
30
Q

How do you create the network unlock certificates?

A

To enroll a certificate from an existing certification authority (CA), do the following:

  1. Open Certificate Manager on the WDS server using certmgr.msc
  2. Under the Certificates - Current User item, right-click Personal
  3. Select All Tasks, then Request New Certificate
  4. Select Next when the Certificate Enrollment wizard opens
  5. Select Active Directory Enrollment Policy
  6. Choose the certificate template created for Network Unlock on the Domain controller and select Enroll. When prompted for more information, add the following attribute to the certificate:
    1. Select the Subject Name pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example “BitLocker Network Unlock Certificate for Contoso domain”
  7. Create the certificate. Ensure the certificate appears in the Personal folder.
  8. Export the public key certificate for Network Unlock
  9. Export the public key with a private key for Network Unlock
31
Q

How do you deploy the private key and certificate to the WDS server?

A

With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:

  1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
  2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then Import
  3. In the File to Import dialog, choose the .pfx file created previously.
  4. Enter the password used to create the .pfx and complete the wizard.
32
Q

What Group Policy Settings do you need to configure for Network Unlock?

A
  1. Navigate to the following Location: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
    1. Enable the policy “Require additional authentication at startup”
      1. select the Require startup PIN with TPM option
      2. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
  2. Enable the GPO “Allow network unlock at startup setting”
    1. Deploy the public certificate to clients
      1. Navigate to the following location: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate
      2. Right-click the folder and choose Add Network Unlock Certificate
      3. Follow the wizard steps and import the .cer file that was copied earlier.
33
Q

What policy would you configure for removable device audit policies?

A

Computer Configuration -> Security Settings -> Advanced Audit Policy Configuration -> Object Access -> Audit Removable Storage

34
Q

What is the difference between the following Local Audit Policies?

  1. Account Logon Events
  2. Logon Events
A
  1. Audit Account Logon Events: Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated. (The event is logged on a DC)
  2. Audit Logon Events: Logons that use domain or local accounts generate a logon or logoff event on the workstation or server.
35
Q

What does the Audit Policy Account Management cover?

A

Examples

  • A user account or group is created, changed, or deleted.
  • A user account is renamed, disabled, or enabled.
  • A password is set or changed.
36
Q

What is a SACL?

A

System Access Control List

37
Q

What is the Advanced Audit Policy Global Object Access Auditing?

A

You can configure expression-based audit policies for files and the registry.

Note: This is all files not just a specific file

38
Q

What is the Advanced Audit Policy group System?

A

You can audit changes to the security subsystem

40
Q

What does the following Advanced Audit Policy Group allow you to audit?

Account Logon

A

You can audit credential validation and Kerberos-specific operations.

41
Q

What does the following Advanced Audit Policy Group allow you to audit?

Account Management

A

You can audit account management operations, such as changes to computer accounts, user accounts, and group accounts.

42
Q

What does the following Advanced Audit Policy Group allow you to audit?

Detailed Tracking

A

You can audit encryption events, process creation, process termination, and RPC events.

43
Q

What does the following Advanced Audit Policy Group allow you to audit?

DS Access

A

You can audit Active Directory access and functionality.

44
Q

What does the following Advanced Audit Policy Group allow you to audit?

Logon/Logoff

A

You can audit logon, logoff, and other account activity events, including IPsec and Network Policy Server (NPS) events.

45
Q

What does the following Advanced Audit Policy Group allow you to audit?

Object Access

A

You can audit access to objects including files, folders, applications, and the registry.

46
Q

What does the following Advanced Audit Policy Group allow you to audit?

Policy Change

A

You can audit changes to audit policy.

47
Q

What does the following Advanced Audit Policy Group allow you to audit?

Privilege Use

A

You can audit the use of privileges.