A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
1. | You are setting up a procedure to keep documents exchanged between members of the R & D department secret. They will be sending these documents across the Internet to each other. Which PKI process will you need to employ to achieve this?
Answers
1. | A |
2. | You are the administrator for a large and very busy network and your bandwidth is nearing its limits. Your users are complaining about the time it takes to access the payroll server to update their hours. All users are required to have certificate authentication to access the server. What can you change in your current setup to help reduce network traffic and speed access to the payroll server?
3. | Your department has completed preliminary testing of a newly established PKI, and before actual deployment begins, you’ve been assigned the task of revoking the test certificates. So far, there is only a single enterprise CA installed, and Active Directory is of course in use. Which of the following steps should you take?
4. | You decide to implement a Windows Server 2003-based PKI for your network, and because you want the most secure method of issuing and maintaining certificates, you decide to use a stand-alone server to issue a certificate to a subordinate, which in turn issues certificates to users. You take the root CA offline. Your users complain that they are unable to access some resources. After investigating the problem, you discover that they can log on to the network and access everything except those resources protected by certificates. They can also connect to the servers by both name and IP address. What is preventing the users from gaining access to those resources?
5. | You have a two-tier hierarchy for your certificate PKI. OurRoot is an enterprise root CA. OurIssuer1 and OurIssuer2 are OurRoot subordinates. These two CAs issue all the certificates for your company. OurIssuer1 issues to the northern region and OurIssuer2 issues to the southern region. An ex-employee appears to have obtained the issuing certificate for OurIssuer2. What steps would you take to prevent users from using certificates issued by the compromised server?
6. | As a member of the PKI design team in your company, you are charged with integrating one of your subsidiaries that already has a PKI with your office’s PKI. The current proposal on the table has a second-tier CA located in your local PKI issuing certificates to a second-tier CA located on the subsidiary’s PKI, and vice versa. Both infrastructures are Windows Server 2003-based. Your company’s security goals, however, mandate that only certain certificates be used on your PKI if they are issued from the subsidiary’s CA, but all your CA’s certificates need to be trusted by the subsidiary. What is your assessment?
7. | Your company has a partner with whom you need to communicate securely. You have an existing root CA and need to allow usage for partner-issued certificates as well. In which of the following ways can you accomplish this? Choose all that apply.
8. | You are the administrator of an existing three-tier PKI including a stand-alone Root CA, three mid-level CAs, and twelve issuing CAs. You fear that your Root certificate has been compromised. What steps should you take to secure your infrastructure with the least amount of administrative effort?
Answers
2. | D |
3. | B |
4. | D |
5. | A |
6. | C |
7. | A, C |
8. | D |
9. | You are attempting to request a certificate by using Internet Explorer, but the welcome screen of the Web site fails to display. You have typed in the address http://mycertauthority/certsrv and you’ve double-checked the name of the CA. Also, you have confirmed with the network administrator that the CA is configured with IIS, and the Web enrollment support option was chosen during the certificate services installation. What is the most likely cause of the problem?
10. | The Ecstatic Llama Company wants your consulting firm to implement a two-tier private CA design made specifically for their PKI. Because the plans for ELC call for high security, the root CA will be designated as standalone and offline. Your job is to install an enterprise subordinate CA while maintaining the security needs of your client. What are the two best methods to accomplish this task? Choose two answers.
11. | You are the CA administrator for your branch office and want to have greater control over your certificate managers. Your plan is to have each manager manage certificates over a different Active Directory group, but you do not want to give any manager the capability to renew the CA’s certificate. What is your best course of action?
12. | As the network administrator for B & H Day Care Centers, you are attempting to configure a third-tier CA to issue a particular type of certificate. From the Certificate Templates snap-in, you have duplicated an existing template and modified it to B & H’s specifications. However, users are still unable to successfully install the certificate governed by the new template. You have checked the structure of the CA hierarchy and are comfortable that no intentional attacks have taken place. What first step can you take to ensure the proper distribution of the certificate?
Answers
9. | B |
10. | C, D |
11. | C |
12. | A |
13. | You have been designated as the enrollment agent for the entire Pants, Inc. organization during the smart card deployment that has just been completed. Your supervisor has now assigned you the project of updating the company’s VPN solution by configuring the current RRAS server to accept smart card remote access. However, when you log on to the server and attempt to configure it, you are unsuccessful. What is the most likely reason for the failure?
14. | Your company uses smart card authentication for its local network. You are an administrator and have been directed to install a new domain controller in the main office. You install Windows Server 2003 on the new hardware and begin the dcpromo process. When the install process asks you for authentication, what will you need to supply to finish the promotion?
15. | You are the administrator of a small network, and you have recently assigned yourself as an enrollment agent for your firm’s new smart card system by making sure that you have Read and Enroll permissions on the Smart Card Logon template’s Security tab. However, when you begin testing the implementation, you discover that you are unable to fully complete a request for a certificate on behalf of another user. You are using Internet Explorer on the enrollment station computer. Which of the following, if true, could be reasons for the failure? Choose all that apply.
Answers
13. | B |
14. | A |
15. | A, D |