Chapter 4: Installing, Configuring, and Managing Windows 2000 Certificate Authorities

Cryptography and You: What is it All About?

  1. What keys are used in public key encryption and what are their functions? (Choose all that apply.)

    A. A public key that can be used by a sender to encrypt data

    B. A public key that can be used by a recipient to decrypt data

    C. A private key that can be used by a recipient to decrypt data

    D. A private key that can be used by a sender to encrypt data

    þ Answers A and C are correct. The public key is made freely available to all and is used to encrypt data being sent to the key's owner. When the data is received, the recipient will use his or her private key to decrypt the message.

    ý Answers B and D are incorrect because the public key is made freely available to all and is used to encrypt data being sent to the key's owner. When the data is received, the recipient will use his or her private key to decrypt the message.

  2. A digital signature provides what assurance? (Choose all that apply.)

    A. The message has not been tampered with during transit.

    B. The message has been protected from capture during transit.

    C. The message has originated from the sender.

    D. The message has not been delayed during transit.

    þ Answers A and C are correct. A digital signature can be used to verify that the message has not been tampered with and the sender is who he or she claims they are.

    ý Answer B is incorrect because there is no guarantee of the message not having been captured in transit. Answer D is incorrect because there is no guarantee that the message has not been delayed in transit.

  3. What is used to provide assurance that the public key being used belongs to the entity that owns the corresponding private key?

    A. Active Directory

    B. Digital certificate

    C. Smart card

    D. User name and password

    þ Answer B is correct. A digital certificate is used to provide assurance that a public key being used belongs to the owner of the matching private key.

    ý Answer A is incorrect because Active Directory is not responsible for verifying a match between public and private keys. Answer C is incorrect because a smart card is part of a multifactor authentication system, but does not verify that a public and private key pair match. Answer D is incorrect because a user name and password is not used to verify a match between a public and private key.

Certificate Authorities

  1. What type of CAs does Windows 2000 provide support for? (Choose all that apply.)

    A. Enterprise Root CA

    B. Standalone Root CA

    C. Standalone Subordinate CA

    D. Enterprise Subordinate CA

    þ Answers A, B, C, and D are correct. Windows 2000 supports four types of CAs: The Enterprise Root CA, the Enterprise Subordinate CA, the Standalone Root CA, and the Standalone Subordinate CA.

    ý None.

  2. You wish to deploy a certificate services solution for your network, which is not using Active Directory. Your CA will not be required to be on the network continuously, but only for brief periods of time to allow you to issue certificates and publish updated CRLs. You have installed a Trusted Root CA certificate from VeriSign to act as your CA's root. What type of CA should you deploy?

    A. Enterprise Root CA

    B. Standalone Root CA

    C. Standalone Subordinate CA

    D. Enterprise Subordinate CA

    þ Answer C is correct. In this case, where you do not plan to leave the CA connected to the network continuously and you are using a third-party Root CA certificate as your root, you would most likely want to deploy a Standalone Subordinate CA.

    ý Answers A and D are incorrect because Enterprise CAs require Active Directory. Answer B is incorrect because you do not need to configure a Standalone Root CA since you are going to use a third-party CA as your root.

Installing and Managing Windows 2000 CAs

  1. Ralph is preparing to implement a PKI solution in his small corporate network. He is currently using Windows 2000 Servers and Windows 2000 Professional computers, but has not deployed Active Directory. Ralph does not currently have any plans for an Active Directory deployment and his users are happy in the peer-to-peer workgroup arrangement that they are currently using. The company that Ralph works for is a small software development firm that would like to be able to digitally sign their downloadable applications to assure customers that they are legitimate and valid downloads. What type of Certificate Services solution can Ralph deploy to meet this need without requiring him to spend too much time or money?

    A. Ralph should configure his network for Active Directory and issue these code-signing certificates from a newly created Enterprise Root CA.

    B. Ralph should configure a Standalone Subordinate CA that uses a third-party certificate from VeriSign or Thawte as its root, and issue code-signing certificates with this standalone CA.

    C. Ralph should configure his network for Active Directory and create an Enterprise Root and Enterprise Subordinate CA. He should then install a trusted Root Certificate on the Enterprise Subordinate CA that comes from a trusted third party such as VeriSign or Thawte, and issue code-signing certificates from the Enterprise Subordinate CA.

    D. Ralph should purchase an individual code-signing certificate issued by a trusted third party such as VeriSign or Thawte for each of his code developers, and allow them to use these certificates to sign code made available for download.

    þ Answer B is correct. Ralph can take the easiest (and cheapest) path to the solution by configuring a standalone CA that uses a third-party certificate from VeriSign, Thawte, or any other trusted third-party CA as its root. This standalone CA can then issue code-signing certificates that the developers can use to sign code before making it available for public download.

    ý Answer A is incorrect because configuring and implementing Active Directory and using an Enterprise CA with a trusted third-party certificate is more work than is required, especially since there are no plans in place to upgrade the peer-to-peer network to Active Directory for any other reason. Answer C is incorrect because issuing code-signing certificates from an internal CA with no path back to a trusted third-party source will not go very far towards reassuring customers that the certificate is valid and trustworthy. Answer D is incorrect because purchasing certificates for each developer is not a very time or cost effective solution.

  2. Allison is attempting to install Certificate Services on one of her member servers. She is unable to complete the installation. What are some of the possible reasons for her inability to install Certificate Services? (Choose all that apply.)

    A. Allison does not have administrative rights on the domain controllers in her organization.

    B. Allison does not have administrative rights on the DNS servers in her organization.

    C. Allison does not have administrative rights on the WINS servers in her organization.

    D. Allison does not have administrative rights on the computer she is attempting to install Certificate Services onto.

    E. Allison does not have administrative rights on the RRAS servers in her organization.

    F. Allison does not have administrative rights on the Exchange servers in her organization.

    þ Answers A, B, and D are correct. To install Certificate Services, you need to have administrative permissions on the domain controllers, DNS servers, and the local computer on which Certificate Services is being installed. Failure to have any of these permissions will result in a failure.

    ý Answers C, E, and F are incorrect because having administrative permissions on the WINS, RRAS and Exchange servers is not required for installing Certificate Services.

  3. Hannah is attempting to install Certificate Services on one of her member servers. From where would Hannah initiate the installation process?

    A. Hannah should issue the certsrv.exe command from the command line to initiate the installation.

    B. Hannah should perform the installation by using the Windows 2000 Setup CD-ROM menu.

    C. Hannah should perform the installation by configuring Certificate Services from the Windows Component Wizard.

    D. Hannah should visit the Windows Update Web site to download and install the required updates to Windows 2000 to support Certificate Services; it is not part of a default installation of Windows 2000.

    þ Answer C is correct. Certificate Services is installed and removed by using the Windows Component Wizard.

    ý Answers A, B and D are incorrect because Certificate Services is installed and removed by using the Windows Component Wizard.

  4. Jon wants to create a trust chain for his Root CA from a third-party CA such as VeriSign or Thawte. How can Jon create this trust chain that starts with the third-party CA, goes next to his Root CA, and then on to his subordinate CAs, which in turn are issuing certificates to users in his network?

    A. Jon will need to purchase a special Root CA server from the third-party company and physically place that in his network.

    B. Jon will need to purchase a certificate from the third-party CA and import it into the trusted root folder of his Root CA. This will make the third-party CA the root of all CAs in his network.

    C. Jon will need to set up a VPN from his network to the third party in order for his Root CA to communicate with their CAs to verify the chain of trust.

    D. Jon will need to co-locate his CA in the third-party company's building and issue certificates from it to his subordinate CAs and users.

    þ Answer B is correct. By acquiring and importing a trusted third-party certificate into the trusted root folder of the Root CA, Jon can establish a chain of trust from the third-party through his Root CA, to his subordinate CAs, and finally to his users and computers. All certificates he issues can be validated back to this trusted third-party Root Certificate.

    ý Answer A is incorrect because there is no need to actually purchase a CA from a third party, just to acquire the third-party Root CA certificate. Answer C is incorrect because a VPN is not part of the solution to this problem. Answer D is incorrect because co-locating a CA is not required to solve this problem.

  5. The employees in Christopher's organization routinely access an SSL-secured web site. You would like for their computers to automatically be able to verify the certificate being presented to them instead of being prompted to download and install the other organization's root certificate each time. What can you do? (Choose two correct answers.)

    A. Import the Root Certificate into the Trusted Root Certification Authorities folder in the domain Group Policy Object. This will propagate it to all domain computers.

    B. Import the root certificate into the Trusted Root Certification Authorities folder in the local computer certificate store for your Root CA.

    C. Import the Root Certificate manually into the Trusted Root Certification Authorities folder for each user's personal certificate store.

    D. Import the Root Certificate to your domain controller and then export it to a floppy disk for safekeeping.

    þ Answers A and B are correct. By importing the certificate to your Trusted Root Certification Authorities folders in the domain GPO and on your Root CA, you will establish a chain of trust for your organization through your CA to the other organization.

    ý Answer C is incorrect because importing the certificate manually onto each computer in your network would be too time-consuming. Answer D is incorrect because importing the certificate to the domain controller would not accomplish anything (except in the case where it was also a CA, which was not specified here).

  6. You have recently revoked 14 certificates that were in use in your organization. What would be the next thing you would likely want to do?

    A. Perform an incremental backup of your system state data.

    B. Publish a new CRL.

    C. Renew the CA's certificate.

    D. Change the KMS password.

    þ Answer B is correct. In the situation where you have revoked a certificate (or a large number of them in this case), you would next want to publish the CRL so that all users can be informed of the recently revoked certificates.

    ý Answer A is incorrect because backing up the system state data would not be the next thing to do after revoking a large number of certificates. Answer C is incorrect because renewing the CA's certificate is not required until it is coming upon its expiration. Answer D is incorrect because changing the KMS password has nothing to do with revoking certificates.

  7. Rob is the administrator of a large Windows 2000 PKI implementation, which has several hundred certificates issued and revoked daily. Which of the following presents the best option Rob can perform that will enable his users to always have the most up-to-date CRL?

    A. Configure the CRL publication interval for 30 minutes.

    B. Manually publish the CRL every morning at 9 AM.

    C. Configure the CRL publication interval for 60 minutes.

    D. Add additional CDPs to the publication list for his CRLs.

    þ Answer C is correct. The best option is to configure the CRL publication schedule for 60-minute intervals. This is the smallest publication interval that can be configured and is the best option of the options presented.

    ý Answer A is incorrect because you cannot configure the CRL publication interval for any time less than 60 minutes. Answer B is incorrect because manually publishing the CRL once per day is not the best solution as revocations made throughout the day will not be published until the next morning. Answer D is incorrect because adding additional CDPs, while always a good idea to ensure the maximum availability of a CRL, is not the correct solution.

  8. You want to perform a backup of your Enterprise Root CA server. What methods are available to you to accomplish this task? (Choose all that apply.)

    A. Perform a system state backup using the NTBACKUP program.

    B. Export all Trusted Root Certificates to removable media.

    C. Create a striped disk set on the CA server.

    D. Perform a Certificate Services backup from the CA console.

    þ Answers A and D are correct. The two methods available for backing up your CA include performing a system state backup or performing a backup from within the Certification Authority console.

    ý Answer B is incorrect because exporting all Trusted Root Certificates will not perform a complete backup of the CA. Answer C is incorrect because creating a striped disk set will not provide a backup.

Advanced Certificate Management Issues

  1. Andrea is the Exchange administrator for her organization. She is using Exchange 2000 on Windows 2000 and is using the Exchange Key Management Service for advanced e-mail message security. One of her users, George, recently dropped his laptop in the hotel pool while vacationing. George has been issued a new laptop, complete with Windows 2000 and Microsoft Outlook. He would like to be able to continue to use secure e-mail. What can Andrea do to allow him to continue to be able to use secure e-mail functions?

    A. George's KMS private key is tied to his GUID and cannot be recovered without deleting and recreating his user account.

    B. Andrea will need to delete George's Exchange mailbox and create a new one from the Exchange System Manager.

    C. Andrea will need to log in to the KMS and perform a key recovery action on George's account. He will receive an e-mail from the Exchange System Attendant providing him with instructions on how to configure for advanced e-mail security.

    D. Andrea will need to contact Microsoft to get the unlock code for the PID used to install Outlook on George's old laptop. Only with this PID can she reassociate his Exchange mailbox to his new laptop and allow him to use secure e-mail functions again.

    þ Answer C is correct. In this case, all that needs to be done is for Andrea to perform a recovery action from the KMS server. George will be sent an e-mail with all of the instructions he needs to get configured for secure e-mail once again.

    ý Answers A, B, and D are incorrect because, in this case, all Andrea needs to do is perform a recovery action from the KMS server. George will be sent an e-mail with all of the instructions he needs to reconfigure for e-mail.

  2. You are the administrator of your organization's small Windows 2000 network. You have just finished configuring a new laptop computer for your CEO, which replaced an existing computer. The first time he attempts to digitally sign a message in Outlook, he finds that he does not have the capability to do so. You are using Exchange 2000 as your messaging system and have the Key Management Server in place. What do you need to do so that your CEO can digitally sign his e-mail once again? (Choose two answers.)

    A. Use the Key Manager in the ESM.

    B. Open the User Properties page for your CEO in Active Directory Users and Computers.

    C. Recover the lost key and issue your CEO a new enrollment token.

    D. Place a check in the "Password never expires" check box.

    þ Answers A and C are correct. You will need to use the Key Manager in the ESM to recover the lost key and issue a new enrollment token (e-mail message) to your CEO. After this, he can reconfigure for e-mail security in Outlook by following the instructions in the e-mail.

    ý Answers B and D are incorrect because you will not need to modify your CEO's user account properties from the Active Directory Users and Computers console to perform a KMS key recovery.

MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162