Chapter 9. Active Directory Certificate ...

Answers to Exam Cram Questions

1.A. Dawn should keep a standalone root CA offline as a safeguard against compromise. She should bring this CA online only to issue certificates to CA servers lower in the CA hierarchy. She should not use an enterprise root CA for this purpose because it would become out of date with respect to other AD DS servers, so answer B is incorrect. Intermediate and issuing CAs are involved in active day-to-day issuing of certificates and must not be allowed to go offline, so answers C and D are incorrect.
2.D. Kevin must run dcpromo.exe to promote the server to a domain controller. An enterprise CA can run only on a domain controller, and if Kevin is at a member server, the Enterprise CA option will be unavailable. Kevin does not need to be a member of either the Enterprise Admins or Schema Admins group to install an enterprise CA, so answers A and B are incorrect. Merely using Server Manager to install AD DS without promoting the server to domain controller is insufficient, so answer C is incorrect. The Certification Authority console does not offer an option to promote a standalone CA to an enterprise CA, so answer E is incorrect.
3.C, E, H. Kim should set up an offline standalone root CA and an enterprise subordinate CA. She should then configure an autoenrollment user template, enable this template on the subordinate CA, and configure a GPO linked to the domain that enables certificate autoenrollment in the Computer Configuration section of the GPO. The combination of an offline standalone root CA and an enterprise subordinate CA provides a secure top-level PKI structure that minimizes the risk of compromise. If an online enterprise root CA were compromised, the entire PKI would have to be rebuilt and new certificates issued, so answer A is incorrect. An offline enterprise root CA would not remain up to date with respect to AD DS, so answer B is incorrect. A standalone subordinate CA would not maintain its database in AD DS. This is not the best idea, so answer D is incorrect. A web-based enrollment agent is not required for autoenrollment, so answer F is incorrect. The User Configuration section of the GPO does not enable certificate autoenrollment, so answer G is incorrect.
4.C. Steve should duplicate the template and configure the duplicate for autoenrollment. The Smartcard User template is a version 1 template that was originally supplied with Certificate Services in Windows 2000. It does not support autoenrollment. By duplicating this template, Steve can create either a version 2 or version 3 template, both of which support autoenrollment. He does not need a certificate from a third-party certification authority, so answer A is incorrect. Logging on as a member of the Enterprise Admins group does not provide the Autoenroll permissions, so answer B is incorrect. The Autoenroll permission is required for certificate autoenrollment to be available, so answer D is incorrect.
5.A. Mary should configure the Trusted group as restricted enrollment agents. Certificate Services in Windows Server 2008 enables her to designate a security group as restricted enrollment agents, who are granted the permission to enroll for certificates on behalf of other users. The Certificate Manager administrative role enables role holders to approve certification enrollment and revocation requests, and the PKI Administrator role enables role holders to configure and maintain the CA. Both these roles grant the users more administrative authority than required for this scenario, so answers B and C are incorrect. The Account Operators group enables users to create and manage user and group accounts but does not enable the enrollment of certificates, so answer D is incorrect.
6.C. Brenda should add a copy of each third-party CA certificate to the Trusted Root Certification Authorities node in the Default Domain Policy GPO. This node is found under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. It enables her to ensure that all domain computers receive a copy of the required certificates. Installing the certificates on the root or issuing-CA servers would enable these servers to trust the third-party certificates but would not allow client computers to trust these certificates, so answers A and B are incorrect. Manually placing a copy of each certificate in the Trusted Root Certification Authorities certificate store on each client computer would take far more administrative effort than using Group Policy to accomplish the same task, so answer D is incorrect.
7.B, C, E. Any of these procedures will back up Certificate Services. There is no specific Certificate Services folder, so answer A is incorrect. The Certificate Export Wizard allows you to back up a certificate but does not enable you to back up Certificate Services, so answer D is incorrect. The Certificate Templates snap-in does not provide an option for backing up Certificate Services, so answer F is incorrect.
8.B. Jackie should implement role-based administration in the CA hierarchy. This way she can assign different predefined task-based roles such as PKI Administrator, Certificate Manager, and Key Recovery Manager to different individuals. Doing so reduces the chance that the entire PKI would be compromised should one user account become compromised. Use of a special user account with a strong password and a Password Settings Object (PSO) to enforce a strong password might help to prevent the account’s compromise, but it is still preferable to implement role-based administration, so answer A is incorrect. Configuring the subordinate CA servers so that certificate enrollment and renewal take place on different servers would not help here, so answer C is incorrect. Reconfiguring the offline standalone root CA as an offline enterprise root CA would prevent it from being up to date and is not recommended, so answer D is incorrect. Placing this machine online would increase the risk of compromising the entire CA hierarchy, so answer E is incorrect.
9.C, D, F. Betsy should revoke the certificate of the disbanded division’s subordinate CA, publish a new base CRL, and copy this CRL to the network’s CDP. Revoking the certificate of the disbanded division’s subordinate CA automatically revokes all certificates that this CA issues, so she does not need to revoke certificates from this CA; therefore, answer A is incorrect. Betsy might want to uninstall AD CS from the disbanded division’s subordinate CA, but this is not required by this scenario, so answer B is incorrect. She could publish a delta CRL, but it is more expedient to publish a new base CRL that ensures all applications and processes across the network are aware of the large number of certificates that have been revoked in this process; therefore, answer E is incorrect. The AIA extension is used to locate the URL of an online responder. Online responders are not being used in this scenario, so answer G is incorrect.
10.A, E. Jim should enable the use of the OCSP Response Signing certificate template. This enables the installation of an OCSP Response Signing certificate on the computer on which the online responder role service is installed. Jim also must select the URL for the online responder and select the check boxes labeled Include in the AIA Extension of Issued Certificates and Include in the Online Certificate Status Protocol (OCSP) Extension. He should also ensure that IIS is installed on the CA servers. The online responder clients use this URL to check certificates for revocation. The use of online responders replaces the use of CRLs, delta CRLs, and CRL distribution points, so answers B and C are incorrect. If Jim does not select the Include in the Online Certificate Status Protocol (OCSP) Extension check box, clients will be unable to locate the online responder server; therefore, answer D is incorrect.
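The procedure in answer 9 (revoke the disbanded division's subordinate CA certificate, publish a new base CRL, copy it to the CDP) as an added PowerShell example that is not from the book; it is run on the CA that issued the subordinate CA's certificate, and the CA config string, serial number and CDP share are placeholders you must replace with your own values.

```powershell
# Added example, not from the book. Run on the CA that signed the
# disbanded division's subordinate CA certificate. Placeholder values:
$CAConfig    = 'ISSUING-CA01.corp.example\Corp Issuing CA 01'  # placeholder
$SubCASerial = '1a2b3c4d000000000005'                           # placeholder serial
$CdpShare    = '\\webpki01\CertEnroll'                          # placeholder CDP path

# 1. Revoke the subordinate CA's certificate. Reason 5 is cessationOfOperation
#    (RFC 5280 reason codes: 1 keyCompromise, 2 cACompromise,
#    3 affiliationChanged, 4 superseded, 5 cessationOfOperation).
#    Every certificate chaining to this CA now fails path validation, which is
#    why the end-entity certificates do not need to be revoked one by one.
certutil -config $CAConfig -revoke $SubCASerial 5

# 2. Publish a new base CRL (not only a delta) so every relying party that
#    refreshes its CRL sees the revocation in a single download.
certutil -config $CAConfig -CRL

# 3. Copy the newly signed base CRL from the CA's local CertEnroll folder to
#    the CDP location that issued certificates point at. Delta CRL files carry
#    a '+' suffix, so they are skipped here.
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
       Where-Object { $_.Name -notlike '*+.crl' } |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item $crl.FullName -Destination $CdpShare -Force

# 4. Check the published copy: it must carry a new CRL number and ThisUpdate
#    time and list the subordinate CA's serial number among its entries.
certutil -dump (Join-Path $CdpShare $crl.Name) |
    Select-String -Pattern 'CRL Number|ThisUpdate|Serial Number'
```

Clients keep using their cached CRL until its NextUpdate time passes, so the old CRL's validity period bounds how long the revoked subordinate CA's certificates remain accepted.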