Self Test


A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Planning a Windows Server 2003 Certificate-Based PKI

1.

You are setting up a procedure to keep documents exchanged between members of the R & D department secret. They will be sending these documents across the Internet to each other. Which PKI process will you need to employ to achieve this?

  1. Confidentiality

  2. Non-repudiation

  3. Authentication

  4. Data Integrity

 a

Answers

1.

A

Implementing Certification Authorities

2.

You are the administrator for a large and very busy network and your bandwidth is nearing its limits. Your users are complaining about the time it takes to access the payroll server to update their hours. All users are required to have certificate authentication to access the server. What can you change in your current setup to help reduce network traffic and speed access to the payroll server?

  1. Configure the CA to use complete CRLs for replication.

  2. Assign times for each user to update their payroll.

  3. Use DES for the encryption method.

  4. Configure the CA to use Delta CRLs.

 d

3.

Your department has completed preliminary testing of a newly established PKI, and before actual deployment begins, you’ve been assigned the task of revoking the test certificates. So far, there is only a single enterprise CA installed, and Active Directory is of course in use. Which of the following steps should you take?

  1. In the Certification Authority console, expand the Issued Certificates container, and revoke all certificates by right-clicking each certificate and choosing All | Revoke Certificate.

  2. In the Certification Authority console, expand the Issued Certificates container, and revoke all certificates by right-clicking each certificate and choosing All | Revoke Certificate. Right-click the Revoked Certificates container, and choose All Tasks | Publish.

  3. Using the Certificates snap-in, expand the Personal container, and highlight the Certificates container found beneath. In the right pane of the console, right-click each certificate and choose Add to Certificate Revocation List.

  4. Using the Certificates snap-in, expand the Personal container, and highlight the Certificates container found beneath. In the right pane of the console, right-click each certificate and choose Add to Certificate Revocation List. Right-click the Trusted Root Certification Authority, and choose Publish to Directory.

 b

4.

You decide to implement a Windows Server 2003-based PKI for your network, and because you want the most secure method of issuing and maintaining certificates, you decide to use a stand-alone server to issue a certificate to a subordinate, which in turn issues certificates to users. You take the root CA offline. Your users complain that they are unable to access some resources. After investigating the problem, you discover that they can log on to the network and access everything except those resources protected by certificates. They also can connect to the servers by both name and IP address. What is preventing the users from gaining access to those resources?

  1. The root CA server is offline.

  2. The subordinate CA is offline.

  3. The certificates have been compromised.

  4. The certificates are still pending.

 d

5.

You have a two-tier hierarchy for your certificate PKI. OurRoot is an enterprise root CA. OurIssuer1 and OurIssuer2 are OurRoot subordinates. These two CAs issue all the certificates for your company. OurIssuer1 issues to the northern region and OurIssuer2 issues to the southern region. An ex-employee appears to have obtained the issuing certificate for OurIssuer2. What steps would you take to prevent users from using certificates issued by the compromised server?

  1. Add the compromised certificate to the CRL from OurRoot.

  2. Delete all certificates on OurIssuer2 and reissue them.

  3. Reinstall certificate services on OurIssuer2.

  4. Add all certificates issued by OurRoot to the CRL.

 a

6.

As a member of the PKI design team in your company, you are charged with integrating one of your subsidiaries that already has a PKI with your office’s PKI. The current proposal on the table has a second-tier CA located in your local PKI issuing certificates to a second-tier CA located on the subsidiary’s PKI, and vice-versa. Both infrastructures are Windows Server 2003 based. Your company’s security goals, however, mandate that only certain certificates be used on your PKI if they are issued from the subsidiary’s CA, but all your CA’s certificates need to be trusted by the subsidiary. What is your assessment?

  1. Both your office and the subsidiary will need to create a CTL that has a limited trust chain length on your side.

  2. The subsidiary’s CA needs to be reconfigured as your CA’s subordinate.

  3. A cross-trust needs to be created, and the type of acceptable certificates for your CA narrowed by using qualified subordination policies.

  4. This arrangement is not possible under Windows Server 2003. The company needs to implement a third-party PKI.

 c

7.

Your company has a partner with whom you need to communicate securely. You have an existing root CA and need to allow usage for partner-issued certificates as well. In which of the following ways can you accomplish this? Choose all that apply.

  1. Create a CTL.

  2. Install an issuing CA at the partner’s site.

  3. Create a cross-trust hierarchy.

  4. Install a partner’s issuing CA at your site.

 a , c

8.

You are the administrator of an existing three-tier PKI including a stand-alone Root CA, three mid-level CAs, and twelve issuing CAs. You fear that your Root certificate has been compromised. What steps should you take to secure your infrastructure with the least amount of administrative effort?

  1. Add the twelve issuing CAs’ certificates to the mid-level CAs’ CRL.

  2. Add the three mid-level CAs’ certificates to the Root CA’s CRL.

  3. Add the Root CA’s certificate to the three mid-level and twelve issuing CAs’ CRL.

  4. Create a new CA hierarchy and issue new certificates to all clients.

 d

Answers

2.

D

3.

B

4.

D

5.

A

6.

C

7.

A, C

8.

D

Planning Enrollment and Distribution of Certificates

9.

You are attempting to request a certificate by using Internet Explorer, but fail to display the welcome screen of the Web site. You have typed in the address http://mycertauthority/certsrv and you’ve double-checked the name of the CA. Also, you have confirmed with the network administrator that the CA is configured with IIS, and the Web enrollment support option was chosen during the certificate services installation. What is the most likely cause of the problem?

  1. The CA is configured as a standalone.

  2. IIS was installed after certificate services.

  3. The EAP protocol has not been installed.

  4. You are using a Windows 2000 Professional client.

 b

10.

The Ecstatic Llama Company wants your consulting firm to implement a two-tier private CA design made specifically for their PKI. Because the plans for ELC call for high security, the root CA will be designated as standalone and offline. Your job is to install an enterprise subordinate CA while maintaining the security needs of your client. What are the two best methods to accomplish this task? Choose two answers.

  1. In the Certification Authority console, configure the subordinate to use auto-enrollment and reboot the machine.

  2. In the Certification Authority console, point the subordinate to use Active Directory and configure the subordinate to trust the root CA.

  3. Put the root CA briefly online and use Web enrollment to obtain the root CA certificate, then take the root CA back offline.

  4. Save the subordinate request as a PKCS #10 file, transport the file to the root CA, issue the certificate, and then transport the certificate back to the subordinate.

 c , d

11.

You are the CA administrator for your branch office and want to have greater control over your certificate managers. Your plan is to have each manager manage certificates over a different Active Directory group, but you do not want to give any manager the capability to renew the CA’s certificate. What is your best course of action?

  1. In the Certification Authority snap-in, use the Security tab of the CA’s property sheet to configure manager restrictions.

  2. Using the Certificate Templates snap-in, right-click the Certificate Templates container, and choose Properties. On the Security tab, give the Certificate Managers group the Issue and Manage Certificates permission.

  3. In the Certification Authority snap-in, use the Certificate Managers Restrictions tab of the CA’s property sheet and choose the Restrict certificate managers option.

  4. It cannot be done.

 c

12.

As the network administrator for B & H Day Care Centers, you are attempting to configure a third-tier CA to issue a particular type of certificate. From the Certificate Templates snap-in, you have duplicated an existing template and modified it to B & H’s specifications. However, users are still unable to successfully install the certificate governed by the new template. You have checked the structure of the CA hierarchy and are comfortable that no intentional attacks have taken place. What first step can you take to ensure the proper distribution of the certificate?

  1. Launch the Certificate Templates snap-in, right-click the Certificate Templates container, and select New | Certificate Template to Issue. Select the new certificate template.

  2. Launch the Certificate Templates snap-in and highlight the Certificate Templates container. In the right pane of the console, right-click the new certificate template, and choose Properties. From the Publish tab, select the Publish to Directory option.

  3. From any PKI client’s browser, point to http://servername/certsrv, where servername is the name of the CA that contains the new certificate template. Select the Issue a Certificate Template link.

  4. Using an account with appropriate permissions, copy the new certificate template to the root CA’s certificate store. From the root CA, enable the template by using the Certificate Templates snap-in.

 a

Answers

9.

B

10.

C, D

11.

C

12.

A

Implementing Smart Card Authentication in the PKI

13.

You have been designated as the enrollment agent for the entire Pants, Inc. organization during the smart card deployment that has just been completed. Your supervisor has now assigned you the project of updating the company’s VPN solution by configuring the current RRAS server to accept smart card remote access. However, when you log on to the server and attempt to configure it, you are unsuccessful. What is the most likely reason for the failure?

  1. The Extensible Authentication Protocol (EAP) has not been installed.

  2. You are not a member of the Administrators group.

  3. The Routing and Remote Access Service does not have the required application certificate.

  4. A smart card reader has not been installed on the server.

 b

14.

Your company uses smart card authentication for its local network. You are an administrator and have been directed to install a new domain controller in the main office. You install Windows Server 2003 on the new hardware and begin the dcpromo process. When the install process asks you for authentication, what will you need to supply to finish the promotion?

  1. Username and password

  2. Smart card and PIN

  3. Username and PIN

  4. Smart card and password

 a

15.

You are the administrator of a small network, and you have recently assigned yourself as an enrollment agent for your firm’s new smart card system by making sure that you have Read and Enroll permissions on the Smart Card Logon template’s Security tab. However, when you begin testing the implementation, you discover that you are unable to fully complete a request for a certificate on behalf of another user. You are using Internet Explorer on the enrollment station computer. Which of the following, if true, could be reasons for the failure? Choose all that apply.

  1. The smart card manufacturer’s CSP has not been installed on the enrollment station.

  2. IIS has not been installed on the enrollment station.

  3. The Write permission has not been assigned to your account.

  4. Neither the Smart Card Logon nor the Smart Card User templates have been enabled on the CA.

  5. You logged on to the enrollment station using your administrator account.

 a, d

Answers

13.

B

14.

A

15.

A, D




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
