A.16. Chapter 13: Role Separation

Q: The backup software implemented by Tailspin Toys uses a centralized backup services account. When reviewing the event logs, the backup operator notices that the backup fails every night on the two issuing CAs. On inspecting the event logs further, the backup software reports that the failed backup item is the System State backup. What is the likely cause of the error?

A: The backup services account is assigned two or more of the Common Criteria roles. Typically, the issue is that the account is a member of the local Administrators group. This group is assigned both the backup privilege and the auditing privilege.

Q: When inspecting the security permission assignments at the Tailspin Toys Infrastructure CA, you accidentally assign the CA Administrator group the Issue and Manage Certificates permission. When you try to fix the permissions assignment error, you find that access is denied. What must be done to fix the issue?

A: A local administrator must first disable the CA\EnableRoleSeparation registry entry. Once role separation is disabled, the local administrator can fix the permissions assignment. Once the assignment is fixed, the local administrator should re-enable the CA\EnableRoleSeparation registry entry.

Q: The certificate for the Tailspin Toys Employee CA is reaching the halfway point of its validity period and must be renewed. You are logged on to the CA as a CA Administrator, but all attempts to renew the CA certificate fail. Who must perform the renewal of the CA certificate?

A: A local administrator must perform the CA certificate renewal. Only a local administrator has the necessary access to the local machine store to generate or access the CA key pair and generate the certificate request. If role separation is enabled, it must be disabled for the renewal process.

Q: The Tailspin Toys Employee CA implements key archival for both Encrypting File System (EFS) certificates and e-mail encryption certificates. The security policy of your organization requires that all key recovery operations be performed by at least two employees. If you are assigned the Key Recovery Agent role, what Common Criteria role can you not hold, because this would break the security policy for key recovery?

A: You cannot hold the Certificate Manager role. In the key recovery process, a Certificate Manager extracts the encrypted private key from the CA database, and then the Key Recovery Agent decrypts the encrypted private key.

Q: Tailspin Toys implements several version 1 certificate templates at the Tailspin Toys Infrastructure CA. You have delegated the task of managing certificate templates to Andy, a member of the IT security team. Andy is able to create new version 2 and version 3 certificate templates but is unable to modify the permissions for any of the version 1 certificate templates deployed at the Tailspin Toys Infrastructure CA. Why is Andy unable to modify the version 1 certificate templates?

A: Andy, or a group in which Andy has membership, was delegated permission at both the Certificate Templates and the OID container. Andy (or a group in which Andy has membership) was not assigned permissions on the existing certificate templates. This prevents him from modifying the permissions on the version 1 certificate templates.

Q: Tailspin Toys wishes to deploy a new enterprise subordinate CA named Tailspin Toys Contractor CA to issue certificates to contractors and vendors working on-site. When you attempt to install the enterprise CA, the options for both enterprise root CA and enterprise subordinate CA are unavailable. What group memberships are required to install an enterprise CA?

A: You must be a member of the Enterprise Admins group to install an enterprise CA. Only Enterprise Admins have the necessary permissions to create objects in the Configuration naming context when a new enterprise CA is installed.

Q: You have enabled auditing at all issuing CAs in the CA hierarchy. Today, you received a call from the audit department indicating that no events related to Certificate Services exist in the Windows Security log. You view the properties of each CA and find that the auditing is configured at each CA, as shown in Figure A-2.

Figure A-2. Auditing settings defined at the Tailspin Toys Employee CA


Why are there no audit entries related to Certificate Services?

A: The CA does not have success and failure auditing enabled for Object Access. The auditing must be enabled either in the local security policy or in a Group Policy Object linked to the organizational unit where the CA's computer account exists in AD DS.
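The first and last answers above both describe a CA that looks correctly configured in the Certification Authority console yet fails at runtime: a backup account that quietly holds two Common Criteria roles through local Administrators membership, and a CA whose audit filter is set while the operating system never records Object Access events. The following PowerShell script is an added diagnostic for both situations; it is not from the book and does not reproduce any of its procedures. It assumes it is run on the CA itself with administrative rights, that `certutil.exe` and `auditpol.exe` are available (both ship with Windows Server), and that the service account name in `$BackupAccount` is a placeholder to be replaced. The `Get-LocalGroupMember` cmdlet is assumed to be available (Windows Server 2016 and later).

```powershell
# Added diagnostic, not part of the book: confirm the two preconditions that the
# answers above identify as the usual causes of a failing backup and an empty
# Security log on an issuing CA.

param(
    # Placeholder for the centralized backup services account (assumed name).
    [string]$BackupAccount = 'TAILSPIN\svc-cabackup'
)

# --- Check 1: does the backup account hold more than one Common Criteria role? ---
# Membership in the local Administrators group grants both the backup privilege
# and the auditing privilege, which role separation treats as two roles.
$adminMembers = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
if ($adminMembers -contains $BackupAccount) {
    Write-Warning "$BackupAccount is a member of local Administrators; with role separation enabled it holds more than one role and its backups will be refused."
} else {
    Write-Output "$BackupAccount is not in local Administrators."
}

# --- Check 2a: is the CA's own audit filter set? ---
# CA\AuditFilter is a bitmask of the CA audit events selected in the console.
$auditFilterOutput = & certutil.exe -getreg CA\AuditFilter 2>&1
$auditFilterLine = $auditFilterOutput | Where-Object { $_ -match 'AuditFilter' }
Write-Output "CA audit filter: $auditFilterLine"

# --- Check 2b: does the OS record Object Access events at all? ---
# Certificate Services audit events live under the Object Access category; the
# CA filter produces nothing unless success and failure auditing is enabled here.
$policy = & auditpol.exe /get /subcategory:'Certification Services' 2>&1
$policyLine = $policy | Where-Object { $_ -match 'Certification Services' }
Write-Output "Local audit policy: $policyLine"

if ($policyLine -match 'No Auditing') {
    Write-Warning 'Object Access / Certification Services auditing is disabled in the effective policy; enable Success and Failure via local security policy or the GPO linked to the CA computer account''s OU.'
}
```

Run it on each issuing CA as a local administrator; the effective policy reported by `auditpol` already reflects any Group Policy Object applied to the machine, so a "No Auditing" result means neither the local policy nor a linked GPO is supplying the setting.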