A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
1. What keys are used in public key encryption and what are their functions? (Choose all that apply.)

2. A digital signature provides what assurance? (Choose all that apply.)

3. What is used to provide assurance that the public key being used belongs to the entity that owns the corresponding private key?
Answers
1. ✓ Answers A and C are correct. The public key is made freely available to all and is used to encrypt data being sent to the key's owner. When the data is received, the recipient will use his or her private key to encrypt the message. ✗ Answers B and D are incorrect because the public key is made freely available to all and is used to encrypt data being sent to the key's owner. When the data is received, the recipient will use his or her private key to encrypt the message.
2. ✓ Answers A and C are correct. A digital signature can be used to verify that the message has not been tampered with and that the sender is who he or she claims to be. ✗ Answer B is incorrect because there is no guarantee that the message has not been captured in transit. Answer D is incorrect because there is no guarantee that the message has not been delayed in transit.
3. ✓ Answer B is correct. A digital certificate is used to provide assurance that a public key being used belongs to the owner of the matching private key. ✗ Answer A is incorrect because Active Directory is not responsible for verifying a match between public and private keys. Answer C is incorrect because a smart card is part of a multifactor authentication system, but does not verify that a public and private key pair match. Answer D is incorrect because a user name and password are not used to verify a match between a public and private key.
4. What types of CAs does Windows 2000 provide support for? (Choose all that apply.)

5. You wish to deploy a certificate services solution for your network, which is not using Active Directory. Your CA will not be required to be on the network continuously, but only for brief periods of time to allow you to issue certificates and publish updated CRLs. You have installed a Trusted Root CA certificate from VeriSign to act as your CA's root. What type of CA should you deploy?
Answers
4. ✓ Answers A, B, C, and D are correct. Windows 2000 supports four types of CAs: the Enterprise Root CA, the Enterprise Subordinate CA, the Standalone Root CA, and the Standalone Subordinate CA. ✗ None.
5. ✓ Answer C is correct. In this case, where you do not plan to leave the CA connected to the network continuously and you are using a third-party Root CA certificate as your root, you would most likely want to deploy a Standalone Subordinate CA. ✗ Answers A and D are incorrect because Enterprise CAs require Active Directory. Answer B is incorrect because you do not need to configure a Standalone Root CA, since you are going to use a third-party CA as your root.
6. Ralph is preparing to implement a PKI solution in his small corporate network. He is currently using Windows 2000 Servers and Windows 2000 Professional computers, but has not deployed Active Directory. Ralph does not currently have any plans for an Active Directory deployment, and his users are happy in the peer-to-peer workgroup arrangement that they are currently using. The company that Ralph works for is a small software development firm that would like to be able to digitally sign their downloadable applications to assure customers that they are legitimate and valid downloads. What type of Certificate Services solution can Ralph deploy to meet this need without requiring him to spend too much time or money?

7. Allison is attempting to install Certificate Services on one of her member servers. She is unable to complete the installation. What are some of the possible reasons for her inability to install Certificate Services? (Choose all that apply.)

8. Hannah is attempting to install Certificate Services on one of her member servers. From where would Hannah initiate the installation process?

9. Jon wants to create a trust chain for his Root CA from a third-party CA such as VeriSign or Thawte. How can Jon create this trust chain that starts with the third-party CA, goes next to his Root CA, and then on to his subordinate CAs, which in turn are issuing certificates to users in his network?

10. The employees in Christopher's organization routinely access an SSL-secured web site. You would like for their computers to automatically be able to verify the certificate being presented to them instead of being prompted to download and install the other organization's root certificate each time. What can you do? (Choose two correct answers.)

11. You have recently revoked 14 certificates that were in use in your organization. What would be the next thing you would likely want to do?

12. Rob is the administrator of a large Windows 2000 PKI implementation, which has several hundred certificates issued and revoked daily. Which of the following is the best option Rob can choose to enable his users to always have the most up-to-date CRL?

13. You want to perform a backup of your Enterprise Root CA server. What methods are available to you to accomplish this task? (Choose all that apply.)
Answers
6. ✓ Answer B is correct. Ralph can take the easiest (and cheapest) path to the solution by configuring a standalone CA that uses a third-party certificate from VeriSign, Thawte, or any other trusted third-party CA as its root. This standalone CA can then issue code-signing certificates that the developers can use to sign code before making it available for public download. ✗ Answer A is incorrect because configuring and implementing Active Directory and using an Enterprise CA with a trusted third-party certificate is more work than is required, especially since there are no plans in place to upgrade the peer-to-peer network to Active Directory for any other reason. Answer C is incorrect because issuing code-signing certificates from an internal CA with no path back to a trusted third-party source will not go very far towards reassuring customers that the certificate is valid and trustworthy. Answer D is incorrect because purchasing certificates for each developer is not a very time- or cost-effective solution.
7. ✓ Answers A, B, and D are correct. To install Certificate Services, you need to have administrative permissions on the domain controllers, DNS servers, and the local computer on which Certificate Services is being installed. Failure to have any of these permissions will result in a failure. ✗ Answers C, E, and F are incorrect because having administrative permissions on the WINS, RRAS, and Exchange servers is not required for installing Certificate Services.
8. ✓ Answer C is correct. Certificate Services is installed and removed by using the Windows Component Wizard. ✗ Answers A, B, and D are incorrect because Certificate Services is installed and removed by using the Windows Component Wizard.
9. ✓ Answer B is correct. By acquiring and importing a trusted third-party certificate into the trusted root folder of the Root CA, Jon can establish a chain of trust from the third party through his Root CA, to his subordinate CAs, and finally to his users and computers. All certificates he issues can be validated back to this trusted third-party Root Certificate. ✗ Answer A is incorrect because there is no need to actually purchase a CA from a third party, just to acquire the third-party Root CA certificate. Answer C is incorrect because a VPN is not part of the solution to this problem. Answer D is incorrect because co-locating a CA is not required to solve this problem.
10. ✓ Answers A and B are correct. By importing the certificate to your Trusted Root Certification Authorities folders in the domain GPO and on your Root CA, you will establish a chain of trust for your organization through your CA to the other organization. ✗ Answer C is incorrect because importing the certificate manually onto each computer in your network would be too time-consuming. Answer D is incorrect because importing the certificate to the domain controller would not accomplish anything (except in the case where it was also a CA, which was not specified here).
11. ✓ Answer B is correct. In the situation where you have revoked a certificate (or a large number of them, in this case), you would next want to publish the CRL so that all users can be informed of the recently revoked certificates. ✗ Answer A is incorrect because backing up the system state data would not be the next thing to do after revoking a large number of certificates. Answer C is incorrect because renewing the CA's certificate is not required until it is approaching its expiration. Answer D is incorrect because changing the KMS password has nothing to do with revoking certificates.
12. ✓ Answer C is correct. The best option is to configure the CRL publication schedule for 60-minute intervals. This is the smallest publication interval that can be configured and is the best of the options presented. ✗ Answer A is incorrect because you cannot configure the CRL publication interval for any time less than 60 minutes. Answer B is incorrect because manually publishing the CRL once per day is not the best solution, as revocations made throughout the day will not be published until the next morning. Answer D is incorrect because adding additional CDPs, while always a good idea to ensure the maximum availability of a CRL, is not the correct solution.
13. ✓ Answers A and D are correct. The two methods available for backing up your CA are performing a system state backup or performing a backup from within the Certification Authority console. ✗ Answer B is incorrect because exporting all Trusted Root Certificates will not perform a complete backup of the CA. Answer C is incorrect because creating a striped disk set will not provide a backup.
14. Andrea is the Exchange administrator for her organization. She is using Exchange 2000 on Windows 2000 and is using the Exchange Key Management Service for advanced e-mail message security. One of her users, George, recently dropped his laptop in the hotel pool while vacationing. George has been issued a new laptop, complete with Windows 2000 and Microsoft Outlook. He would like to be able to continue to use secure e-mail. What can Andrea do to allow him to continue to be able to use secure e-mail functions?

15. You are the administrator of your organization's small Windows 2000 network. You have just finished configuring a new laptop computer for your CEO, which replaced an existing computer. The first time he attempts to digitally sign a message in Outlook, he finds that he does not have the capability to do so. You are using Exchange 2000 as your messaging system and have the Key Management Server in place. What do you need to do so that your CEO can digitally sign his e-mail once again? (Choose two answers.)
Answers
14. ✓ Answer C is correct. In this case, all that needs to be done is for Andrea to perform a recovery action from the KMS server. George will be sent an e-mail with all of the instructions he needs to get configured for secure e-mail once again. ✗ Answers A, B, and D are incorrect because, in this case, all Andrea needs to do is perform a recovery action from the KMS server. George will be sent an e-mail with all of the instructions he needs to reconfigure for e-mail.
15. ✓ Answers A and C are correct. You will need to use the Key Manager in the ESM to recover the lost key and issue a new enrollment token (e-mail message) to your CEO. After this, he can reconfigure for e-mail security in Outlook by following the instructions in the e-mail. ✗ Answers B and D are incorrect because you will not need to modify your CEO's user account properties from the Active Directory Users and Computers console to perform a KMS key recovery.