Apply Your Knowledge


Exercises

8.1 Creating an Enterprise Root CA

In this exercise, you create an Enterprise Root CA for your network. You need to have a Windows Server 2003 computer that is part of an Active Directory network. If you want to use the Web Enrollment pages, you need to install IIS before installing this CA.

Estimated time: 20 minutes

  1. Log in to a Windows Server 2003 computer that is a member of the Active Directory domain, using an account with administrative permissions.

  2. Select Start, Settings, Control Panel, Add or Remove Programs to open the Add or Remove Programs dialog box.

  3. Click the Add/Remove Windows Components button located on the left side of the Add or Remove Programs dialog box to open the Windows Components Wizard.

  4. Select the Certificate Services option.

  5. A warning dialog informs you that you cannot rename the server after installing Certificate Services on it.

  6. Click Next on the Windows Components Wizard dialog box to commence the installation process.

  7. On the CA Type dialog box, select the type of CA you are installing. For this example, select Enterprise root CA. If you want to customize the key pair settings, you can do so by selecting the Use Custom Settings to Generate the Key Pair and CA certificate option.

  8. If you selected to customize your key settings, the Public and Private Key Pair dialog box appears next. You have the opportunity to customize the installation by selecting the CSP and the Key Length. You also can use and import an existing certificate and key.

  9. On the CA Identifying Information dialog box, enter the common name of the CA. This name should be descriptive but should not contain any special characters. You also need to configure the Validity period; the default value is five years.

  10. On the Certificate Database Settings dialog box, enter the database and log locations, or simply use the default selections (usually the best option in most cases).

  11. If IIS is running on the server, you are prompted to acknowledge that it will be stopped to perform the configuration of the CA. If IIS is not installed, you are prompted to install it before Web Enrollment can be used.

  12. Click Finish to close the Windows Component Wizard. The CA is now ready and available for immediate use.

8.2 Configuring CRL Publication Properties

In this exercise, you configure the CRL publication properties of your CA. To complete this exercise, you should first complete Exercise 8.1.

Estimated time: 15 minutes

  1. Select Start, Programs, Administrative Tools, Certification Authority to open your Certification Authority management console.

  2. Locate the CA of concern in the CA management console and expand its nodes.

  3. Right-click the Revoked Certificates node and select Properties from the context menu.

  4. The Revoked Certificates Properties dialog box opens. Configure the CRL publication interval as well as the Delta CRL publication interval, or disable the use of Delta CRLs completely.

  5. View those CRLs that have been published by switching to the View CRLs tab.

  6. To change the CRL publication location, right-click the CA name and select Properties from the context menu.

  7. When the CA Properties dialog box opens, switch to the Extensions tab. You can publish to Active Directory, a file system location, and an FTP or HTTP location.

  8. To manually publish the CRL, right-click again on the Revoked Certificates folder and select All Tasks, Publish. You are asked what type of CRL you want to publish.
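The console steps in Exercises 8.1 and 8.2 map onto certutil.exe, which ships with Certificate Services on Windows Server 2003 and later. The script below is an added example, not from the book: it first checks that the CA from Exercise 8.1 is running and answering, then reads and sets the base and delta CRL publication intervals from Exercise 8.2, restarts the service so the new schedule takes effect, and publishes a base CRL. The CA configuration string (host\CA common name) and the CertEnroll path are assumptions; run it from an elevated prompt on the CA itself.

```powershell
# Added example, not from the book. Verify the CA built in Exercise 8.1, then script the
# CRL publication settings of Exercise 8.2 with certutil.exe (Windows Server 2003 and later).
$CaConfig = "CA01.example.local\Example Enterprise Root CA"   # "<host>\<CA common name>", constructed placeholder

# 1. Is Certificate Services up and answering over RPC, and is it really an Enterprise Root CA?
certutil -config $CaConfig -ping
certutil -config $CaConfig -cainfo type

# 2. Show the current CRL schedule. These values live under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.
$Settings = "CRLPeriodUnits", "CRLPeriod", "CRLDeltaPeriodUnits", "CRLDeltaPeriod", "CRLPublicationURLs"
foreach ($name in $Settings) { certutil -getreg "CA\$name" }

# 3. Publish a base CRL weekly and a delta CRL daily (the intervals from step 4 of Exercise 8.2).
#    To disable delta CRLs entirely, set CRLDeltaPeriodUnits to 0 instead.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

# The service reads these values at startup, so restart it for the new schedule to apply.
net stop certsvc
net start certsvc

# 4. Publish a base CRL now (step 8 of Exercise 8.2) and confirm the file in the CertEnroll
#    folder carries fresh ThisUpdate/NextUpdate stamps. Path assumed to be the default.
certutil -CRL
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll" -Filter *.crl |
    ForEach-Object { certutil -dump $_.FullName | Select-String "ThisUpdate|NextUpdate" }
```

A short base CRL period only helps if clients can actually fetch the CRL from the locations listed in CRLPublicationURLs; certutil -verify -urlfetch against an issued certificate is the quickest way to confirm every configured CDP is reachable from a client.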

8.3 Requesting a Certificate with the Certificate Request Wizard

In this exercise, you request a new digital certificate from your CA using the Certificate Request Wizard. You need to complete Exercise 8.1 before attempting this exercise.

Estimated time: 10 minutes

  1. Open the Certificates console by adding it as a snap-in to a custom MMC console or by entering certmgr.msc at the command prompt.

  2. Right-click the Personal node and select All Tasks, Request New Certificate to start the Certificate Request Wizard.

  3. Click Next to dismiss the opening page of the Certificate Request Wizard.

  4. On the Certificate Types dialog box, select the type of certificate being requested. You also can configure advanced options, including the CSP to be used, by selecting the Advanced check box.

  5. On the Certificate Friendly Name and Description dialog box, enter a friendly name and description for your certificate so you can identify it more easily in the future.

  6. Click Finish on the Completing the Certificate Request Wizard dialog box to complete the process.

8.4 Requesting a Certificate via the Web Enrollment Pages

In this exercise, you request a new digital certificate using the Web Enrollment pages. To complete this exercise, you must first complete Exercise 8.1 and install IIS on your CA.

Estimated time: 10 minutes

  1. Open a new Internet Explorer window and enter http://CAname/certsrv in the address bar, where CAname represents the name or IP address of your CA.

  2. Click the Request a Certificate link to request a new certificate.

  3. To request a basic user certificate, click the User Certificate link. If you want to request any other type of certificate, click the Advanced Certificate Request link.

  4. On the Advanced Certificate Request page, click the Create and Submit a Request to This CA link to continue.

  5. On the Advanced Certificate Request page, select the type of certificate being requested as well as configure its properties as you require. After you have configured your certificate request as desired, click the Submit button located at the bottom of the page.

  6. As part of the enhanced security of Windows Server 2003 (and Windows XP), a warning dialog indicates that a Web page is requesting a certificate on your behalf.

  7. If the request was successfully approved, you are presented with the Certificate Issued page. Click Install This Certificate to install your new certificate.

  8. Again, Windows alerts you to the fact that the Web page is attempting to perform some action related to a digital certificate.
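Both Exercise 8.3 (the Certificate Request Wizard) and Exercise 8.4 (the Web Enrollment pages) end in the same three operations: generate a key pair and a PKCS#10 request, submit it to the CA, and install the issued certificate against the private key. The script below is an added example, not from the book, that performs those steps with certreq.exe (Windows Server 2003 and later) so the pending-request path is visible as well. The CA configuration string, the subject, and the working folder are assumptions; run it as the user who needs the certificate.

```powershell
# Added example, not from the book: the request/submit/install steps behind Exercises 8.3
# and 8.4, scripted with certreq.exe. The CA name and subject below are constructed placeholders.
$CaConfig = "CA01.example.local\Example Enterprise Root CA"   # "<host>\<CA common name>", assumed
$Work = Join-Path $env:TEMP "certreq-demo"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# The .inf file drives key generation. KeyLength and ProviderName are the Key Length and CSP
# choices from the wizard's Advanced options; Exportable = FALSE keeps the private key on this box.
@"
[NewRequest]
Subject = "CN=jdoe,OU=Sales,DC=example,DC=local"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
RequestType = PKCS10
KeyUsage = 0xA0
[RequestAttributes]
CertificateTemplate = User
"@ | Set-Content -Path "$Work\user.inf" -Encoding ASCII

# 1. Generate the key pair locally and write the PKCS#10 request; only the public half leaves the machine.
certreq -new "$Work\user.inf" "$Work\user.req"

# 2. Submit to the CA. With -config there is no CA picker dialog. The output always carries a
#    RequestId, followed by either "Issued" or "pending: Taken Under Submission".
$text = certreq -submit -config $CaConfig "$Work\user.req" "$Work\user.cer" | Out-String
$text

if ($text -match "pending" -and $text -match "RequestId:\s*(\d+)") {
    # Pending: an administrator issues it from the Certification Authority console
    # (Pending Requests node). The requester then retrieves it by RequestId.
    $id = $Matches[1]
    Write-Host "Request $id is pending approval; retrieving (re-run this step once it is issued)."
    certreq -retrieve -config $CaConfig $id "$Work\user.cer"
}

# 3. Bind the issued certificate to the private key in the user's Personal store.
if (Test-Path "$Work\user.cer") {
    certreq -accept "$Work\user.cer"

    # 4. Confirm it is in the Personal store and that its chain builds and is not revoked.
    certutil -user -store My | Select-String "Subject:|NotAfter|Template"
    certutil -verify -urlfetch "$Work\user.cer"
}
```

The final certutil -verify -urlfetch step is worth keeping in any enrollment script: it walks the chain to the CA certificate and fetches the CRL from each CDP, so a certificate that was issued but cannot be validated by clients is caught at enrollment time rather than at first use.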

Review Questions

1:

What is a certificate?

2:

Why would an organization have a Standalone CA?

3:

Why would a CA need to renew its certificate?

4:

You are the network administrator of a large campuswide community college network. Your network is composed of computers running every version of Windows from Windows 95 to Windows Server 2003. Is SUS a good solution for your network, to ensure that all computers are up to date with the latest security patches?

5:

You have configured SUS for your network, but now several client computers are not getting updates. You determine that these computers are running a Japanese localized version of Windows XP Professional. What should you do to allow the client computers to get updates from your SUS server?

6:

Your CIO has instructed you to implement an SUS solution for your corporate network. He is concerned, however, about making unsecured connections to the SUS server. What can be done to provide connection security?


Exam Questions

1:

Christopher is the network administrator for the Heron Woods Resort Cottages company. Heron Woods rents vacation cottages at several locations along the Eastern Shore of Virginia and Maryland. Christopher needs to implement a solution that will keep the Windows Server 2003 and Windows XP Professional computers at all his locations up to date with the latest security updates, while at the same time installing only those updates that he has specifically approved. Heron Woods has a main office in Chincoteague, Virginia, connected to the Internet by a fractional T-1 line. All other locations are considered remote locations and have a dedicated ISDN link connecting them to the main office. What solution can Christopher implement that will allow him to meet his goals of providing available updates and allowing only approved updates to be installed? Christopher has received authorization from the CEO of Heron Woods to add only the absolute minimum number of additional servers as required to provide the best solution for meeting the requirements.

  1. Christopher should configure all servers and client workstations to connect directly to the Microsoft Windows Update Web servers weekly to download and install any new security updates that are required.

  2. Christopher should install an SUS server at each of his locations, including the remote offices, that is configured to automatically synchronize each night with the Windows Update Web servers. Additionally, he should configure Automatic Updates to download and install any new security updates that are required on a nightly basis from the local SUS server.

  3. Christopher should install an SUS server at each of his locations, including the remote offices. The SUS server at the main office should be configured to automatically synchronize each night with the Windows Update Web servers. The SUS servers at each of the remote offices should be configured to synchronize each night using the SUS server at the main office as its source. Additionally, he should configure Automatic Updates to download and install any new security updates that are required on a nightly basis from the local SUS server.

  4. Christopher should install an SUS server at his main office that synchronizes nightly with the Windows Update Web servers. Automatic Updates for all clients, local and remote, should be configured to download and install all approved updates from the main office SUS server on a nightly basis.

2:

Andrea is the network administrator for Purple Pony Wear, Inc., a leading supplier of novelty clothing items. The Purple Pony network consists of 2 Windows Server 2003 computers and 34 Windows XP Professional client computers, 30 of which are laptops in use in various remote locations by sales personnel. Andrea wants to create and implement a PKI solution so that her users can use smart cards to log on to their laptop computers, thus increasing the security of the laptops and the Purple Pony network. Priscilla, the President of Purple Pony, is concerned about users removing their smart cards from their laptop computers during their sessions and leaving their laptops logged in without being in front of them. Priscilla would like all laptops to be configured to lock the workstation when the smart card is removed so open documents will not be lost. What option does Andrea need to configure to ensure the desired result is achieved?

  1. Do not allow smart card device redirection

  2. Interactive logon: Require smart card

  3. Account Lockout Policy

  4. Interactive logon: Smart card removal behavior

3:

You are the network administrator of a Windows Server 2003 Active Directory network. Your company policy states that the network access attempts of all temporary employees are to be tracked, regardless of what workstation they log on to. What auditing options do you need to configure to ensure that you can track the access of all temporary employees? (Choose two correct options.)

  1. Audit Account Management

  2. Audit Directory Service Access

  3. Audit Logon Events

  4. Audit Privilege Use

  5. Audit System Events

  6. Audit Account Logon Events

4:

You are the administrator of a large Windows Server 2003 network. Your company is a leading provider of state of the art satellite communications services for customers all over the world. The CIO of your company is very concerned about user account properties being modified by users who should not have administrative permissions. As part of your efforts to determine who might be modifying user account properties, you have decided to implement auditing. What auditing option should you configure to help you determine who is changing the user account properties on your network?

  1. Audit Account Management

  2. Audit Object Access

  3. Audit Logon Events

  4. Audit Privilege Use

  5. Audit System Events

  6. Audit Account Logon Events

5:

You are the administrator of a large Windows Server 2003 network. Your company is a leading provider of state of the art satellite communications services for customers all over the world. The CIO of your company is very concerned about who is able to access files and folders located in a sensitive folder named Contacts. What auditing option should you configure to help you determine what users on your network are accessing the files and folders located within the Contacts folder?

  1. Audit Account Management

  2. Audit Object Access

  3. Audit Logon Events

  4. Audit Privilege Use

  5. Audit System Events

  6. Audit Account Logon Events

6:

You are the network administrator for Nebuchadnezzar Furnaces. The company's Windows Server 2003 domain consists of domain controllers, 2 member servers, and 765 Windows XP Professional workstations. Every summer you hire 30 to 40 temporary employees to assist with additional production and sales needs for the upcoming winter season. Each employee is issued a digital certificate for smart card usage to allow him or her to securely access the network. The digital certificates have a validity period of two years by default due to the configuration of the CA that has issued them. Allison, your CIO, has told you on more than one occasion that she does not like the idea of having unused digital certificates still active. What should you do to increase your network's level of security?

  1. Change the CSP key length.

  2. Revoke the unused digital certificates.

  3. Lock the user's accounts.

  4. Disable the unused digital certificates.

7:

You have just composed and sent an email message to a colleague who is located within a different Windows Server 2003 network than your own. Your email message has been digitally signed using your email certificate. Your Root CA uses a third-party certificate from a trusted third-party organization. What will your colleague need to have available to him to be able to read your email and verify it originated from you?

  1. Your private key

  2. Your public key

  3. The third-party CA's private key

  4. The third-party CA's public key

8:

You have just received an email message from a colleague who is located within a different Windows Server 2003 network than your own. The email message has been digitally signed by the public key for your email certificate. Her Root CA uses a third-party certificate from a trusted third-party organization. What will you need to have available to you to be able to read her email and verify it originated from her?

  1. Your public key

  2. Your colleague's public key

  3. The third-party CA's private key

  4. The third-party CA's public key

9:

Rick is the network administrator for Mr. Whippy's Ice Cream. Rick has recently installed and configured an Enterprise Root CA for his Windows Server 2003 network on a server named CHOCOLATE. He performed no configuration for this new CA other than what was required during the installation process. When he tries to access the Web Enrollment Web pages at http://CHOCOLATE/certsrv, he receives a 404 error from Internet Explorer. What is the most likely cause of this problem?

  1. Rick forgot to start the Certificate Services service following the completion of the installation process.

  2. Rick has not installed Terminal Services on his CA.

  3. Rick has not installed IIS on his CA.

  4. Rick did not create a new CNAME record for the CA.

10:

Hannah is the network administrator for the Wallops Island Rocket Company, Incorporated. Her network is required to maintain the highest level of security possible without adversely affecting the required operations of its users. For the past 10 weeks, six visiting rocket scientists have been working at her facility on a joint project with another company. Hannah issued each of these users a secure laptop, including a smart card, allowing them to securely access and update the rocket systems data stored in the SQL databases. These six visiting users have completed their work and have now left the facility, leaving behind their laptop computers and smart cards as required. Hannah has just completed sanitizing their laptop computers; what should she do next?

  1. Delete the data created by the scientists during their stay.

  2. Degauss the hard drives installed in the laptop computers the scientists were using.

  3. Perform a background check with the FBI, NSA, and NCIS on the scientists.

  4. Revoke the smart card certificates the scientists were issued and immediately publish the CRL to all configured CDPs.

11:

Chris is the network administrator for Island Dreams Tour and Rentals, Inc. She is preparing to implement a smart card solution for her Windows Server 2003 network. All her client computers are Windows XP Professional desktops and laptops. Some users have both a desktop computer and a laptop computer. Chris wants users to be able to use a single smart card at all times, regardless of what computer they are logging in to the network from. Chris does not want any user to be able to log on to the network without using their assigned smart cards. What can she configure to enforce this requirement on her users?

  1. Do not allow smart card device redirection

  2. Interactive logon: Require smart card

  3. Account Lockout Policy

  4. Interactive logon: Smart card removal behavior

12:

Jim has recently completed a configuration change to one of his network's firewalls. Now multiple users have called the help desk complaining that they can no longer access external resources. What document did Jim most likely not have in hand which could well have prevented this problem?

  1. A Security Monitoring policy

  2. A Firewall Configuration policy

  3. A Change and Configuration Control policy

  4. A User Naming Convention policy

13:

Kim has requested a new smart card certificate from one of her organization's CAs. Her request was not automatically approved and thus has been placed in a queue for administrative approval. You are the network administrator for the organization where Kim is employed. What must you do to approve her smart card certificate request?

  1. You need to log in using Kim's user account and supply the approval key for her certificate request.

  2. You need to use the Active Directory Users and Computers console to locate the Pending Requests folder.

  3. You need to use the Certificates console to locate the Pending Requests folder.

  4. You need to use the Certification Authorities console to locate the Pending Requests folder.

14:

Kim has requested a new smart card certificate from one of her organization's CAs using the Web Enrollment pages. Her request was not automatically approved and thus has been placed in a queue for administrative approval. Kim wants to check on the status of her certificate request to see whether the certificate has been approved for issuance. Where can Kim most easily find this information and install the certificate if her request has been approved?

  1. Active Directory Users and Computers console

  2. Certificates console, Personal Store node

  3. Log on to the CA Web Enrollment pages again

  4. The Certificate Request Wizard

15:

Chris is the network administrator for Seashell Cruises, LTD. The Seashell network has recently been upgraded from a mixed environment consisting of Windows 98 clients with Windows NT 4.0 Server and Windows 2000 Server servers. All clients now run Windows XP Professional, and all servers now run Windows Server 2003. Some computers were upgraded in place, whereas others were clean installations. Chris has recently been hired by Seashell Cruises and wants to establish the security level of her network using the least administrative effort. She has approximately 200 client workstations and 30 servers spread over two different locations in the same geographic area all on the same IP subnet. What method can Chris use to most easily analyze all her computers and find security problems with them?

  1. Use Windows Update locally on each computer to download and install required security updates.

  2. Use Automatic Updates on each computer to download and install required security updates.

  3. Install and configure SUS on one of her servers and configure Automatic Updates on the clients to download and install approved, required security updates.

  4. Use the MBSA utility to scan her entire subnet to quickly identify security problems and missing security updates on all computers.


Answers to Review Questions

A1:

A certificate is a component that allows you to send and receive secure data over a network. It assures the recipient that you are whom you claim to be, and it assures the sender that the data will reach the recipient without being jeopardized. For more information, see the section "Certificates."

A2:

A Standalone CA is an excellent choice when Active Directory is not present or when you want to manually approve certificate requests. For more information, see the section "The Standalone CA."

A3:

When a CA is created, it is assigned a certificate. This certificate, like all certificates, is set to expire. When a certificate has or is about to expire, an administrator can choose to renew the certificate. For more information, see the section "Renewing CAs."

A4:

If you have large numbers of pre-Windows 2000 computers (that is, legacy clients), SUS is probably not the best solution for your updating needs. In this situation, you would most likely want to examine a solution such as SMS or a third-party solution that provides the same type of functionality. For more information, see the section "Planning for Software Update Services."

A5:

This problem is relatively easy to solve: You simply enable support for the languages that you will be supporting from the SUS Server Options page. In this case, you should select the Japanese language option. For more information, see the section "Planning for Software Update Services."

A6:

You can enable SSL support on the SUS Web site and thus require that all connections be SSL secured. For more information, see the section "Planning for Software Update Services."


Answers to Exam Questions

A1:

D. Because WAN link usage is not an issue in this scenario, and Christopher has received authorization to add only those new servers that are absolutely required, Christopher's best option is to install and configure one SUS server at the main office that synchronizes nightly with the Windows Update Web servers. All Automatic Updates clients will then be configured to receive their updates from the home office SUS server. For more information, see the section "Planning for Software Update Services."

A2:

D. By configuring the Smart card removal behavior option, located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node of the Group Policy Editor, for Lock Workstation, Andrea can achieve the desired results. For more information, see the section "Smart Card Group Policy Options."

A3:

C, F. When both the Audit Logon Events and the Audit Account Logon Events options are configured, logons and logoffs that use a domain account generate logon or logoff audit events on the local computer as well as the domain controller. A success audit generates an audit entry when a logon attempt succeeds, and a failure audit generates an audit entry when a logon attempt fails. For more information, see the section "Planning for Security Monitoring."

A4:

A. The Audit Account Management option configures auditing to occur for each event of account management on a computer. Typical account management events include creating a user, creating a group, renaming a user, disabling a user account, and setting or changing a password. A success audit generates an audit entry when any account management event is successful, and a failure audit generates an entry when any account management event fails. For more information, see the section "Planning for Security Monitoring."

A5:

B. The Audit Object Access option configures auditing to occur upon each user access of an object, such as a file, folder, printer, or Registry key that has its own SACL configured. To configure auditing for object access, you also need to configure auditing specifically on each object for which you want to perform auditing. A success audit generates an audit entry when a user successfully accesses an object, and a failure audit generates an audit entry when a user unsuccessfully attempts to access an object. For more information, see the section "Planning for Security Monitoring."
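Answer A5 makes a point that is easy to miss in the exam: Audit Object Access does nothing on its own, because the policy only tells Windows to honour the SACL that you must also place on each object. The script below is an added example, not from the book, that does both halves for a folder named Contacts and then checks that access events are being written. It assumes Windows Server 2008 or later for auditpol.exe and Get-WinEvent (on Windows Server 2003 the same category is enabled through Local Security Policy or Group Policy, and the resulting event is ID 560 rather than 4663); the folder path is a constructed placeholder. Run it from an elevated prompt.

```powershell
# Added example, not from the book: enable the Object Access audit category and put a SACL on
# a folder, the two steps A5 describes. Assumes Windows Server 2008 or later; path is constructed.
$Folder = "D:\Shares\Contacts"   # assumed
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# Half 1: the policy. Without this, the SACL below is never consulted and no events are logged.
auditpol /set /category:"Object Access" /success:enable /failure:enable
auditpol /get /category:"Object Access"

# Half 2: the SACL on the object. Audit reads, writes and deletes by anyone, success and
# failure, and let the entry inherit to subfolders and files.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone",
    "ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles",
    "ContainerInherit, ObjectInherit",
    "None",
    "Success, Failure")
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl    # needs SeSecurityPrivilege, hence the elevated prompt

# Check 1: the audit entry is really on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Check 2: touch a file, then look for event 4663 ("An attempt was made to access an object")
# in the Security log that names this folder.
Set-Content -Path (Join-Path $Folder "audit-probe.txt") -Value "probe"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object TimeCreated, Id, @{ Name = 'Account'; Expression = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

Auditing "Everyone" for all reads on a busy share generates a large volume of 4663 events; in production, scope the SACL to the rights that matter (for example Delete and WriteData) or to the groups whose access the policy actually asks you to track, and forward the Security log to a collector so the events survive local log rollover.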

A6:

B. In this scenario, the best option for increasing security is to revoke any unused certificates and immediately publish the CRL to all CDPs. For more information, see the section "Configuring Active Directory for Certificate Publication."

A7:

B. All that is necessary to read the email and verify it came from you is your public key, which can be safely transferred to anyone you want. Your private key should never be given out. If your colleague were to install the third-party CA's root certificate, he would thus be able to verify the entire certificate chain for your digital certificate. For more information, see the section "Certificates."
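Answer A7 turns on one fact: a signature made with the sender's private key is checked with the sender's public key and nothing else, which is why the public key (the half a certificate carries) can be handed to anyone while the private key is never shared. The function below is an added example, not from the book, that shows this with the .NET RSA provider: the sender signs, the recipient loads only the public key, verification of the original message succeeds, and verification of an altered message fails. It assumes .NET Framework 3.5 or later on a platform whose default CSP supports SHA-256; the message text is constructed.

```powershell
# Added example, not from the book: sign with a private key, verify with only the public key.
function Test-SignatureFlow {
    # Sender side: a fresh 2048-bit RSA key pair standing in for the key behind an email certificate.
    $sender       = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    $publicKeyXml = $sender.ToXmlString($false)   # $false = export the public parameters only

    $message   = [System.Text.Encoding]::UTF8.GetBytes("Q3 figures attached. Please review.")   # constructed
    $signature = $sender.SignData($message, "SHA256")   # the private key is used only here

    # Recipient side: nothing but the public key was received.
    $recipient = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $recipient.FromXmlString($publicKeyXml)

    # A one-word change to the message must break the signature.
    $tampered = [System.Text.Encoding]::UTF8.GetBytes("Q3 figures attached. Please approve.")

    New-Object PSObject -Property @{
        RecipientHoldsPrivateKey = -not $recipient.PublicOnly                           # False
        OriginalVerifies         = $recipient.VerifyData($message,  "SHA256", $signature) # True
        TamperedVerifies         = $recipient.VerifyData($tampered, "SHA256", $signature) # False
    }
}

Test-SignatureFlow
```

What the example does not cover is the second half of A7: the recipient still has to decide whether to trust the public key it was given, and that is what the third-party root certificate and the chain built from it provide. The signature check proves the message came from whoever holds the private key; the chain proves who that is.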

A8:

A. In this scenario, because the email has been signed with your public key, you need to have access to your private key, which should not be any problem. Your private key can be used to verify messages signed with your public key and can be used to verify messages that can be decrypted with your public key. For more information, see the section "Certificates."

A9:

C. To use the Certificate Services Web Enrollment pages, Rick must ensure that IIS is installed and configured properly to allow ASP pages to function properly. For best results, Rick should have installed IIS before installing the CA. For more information, see the section "Installing and Configuring an Enterprise Root CA."

A10:

D. Hannah should revoke the smart card certificates and immediately publish the CRL next. After doing so, she should also delete any unused user accounts that may have been created for the scientists' use during their visit to Hannah's facility. For more information, see the section "Configuring Active Directory for Certificate Publication."

A11:

B. By configuring the Interactive Logon: Require smart card Group Policy setting, Chris can ensure that all her users are required to log on to the network using their smart cards. Smart cards are used to provide the highest level of user authentication available in Windows Server 2003 networks. A user uses a password or PIN to access the digital certificate on the smart card, thus protecting the user's identity from rogue applications and attackers. Through the use of on-card digital signatures, smart cards can ensure that a user's private key is never exposed. Perhaps the single best feature of smart cards is that they, unlike software-based private keys, can be moved at will from one computer to another with ease. You can prevent smart cards from being used to access the network after a preconfigured number of incorrect login attempts, protecting them further from dictionary attacks, a type of password guessing attack where a password is guessed from a list, or dictionary, of common words and phrases. For more information, see the section "Smart Card Group Policy Options."

A12:

C. Had Jim used a Change and Configuration Control policy, along with an approved change request, he most likely would not have created the problem he did as a result of his configuration change on the firewall. For more information, see the section "Planning for Change and Configuration Management."

A13:

D. Queued certificates are located in the Pending Requests folder of the Certification Authorities console. You can find and issue this certificate for Kim from this location. For more information, see the section "Installing and Configuring an Enterprise Root CA."

A14:

C. The easiest way for Kim to check on the status of her requested certificate is to go back to the CA from which she requested it via its Web Enrollment pages. If the certificate request has been approved, she also can install the certificate from that location. For more information, see the section "Using the Web Enrollment Web Pages."

A15:

D. Chris only wants to determine the security status of her network at this time, not install any updates. Using the MBSA utility is the best option because she can configure a single scan of all computers located on her subnet. After MBSA has completed the scan, she can examine each computer's results separately from the others, quickly determining what areas of their security configuration are weak in addition to determining what security updates are missing on each computer. For more information, see the section "Planning for Software Update Services."


Suggested Readings and Resources

1. SUS home page, www.microsoft.com/windows2000/windowsupdate/sus.

2. Windows Server 2003 online help, "Auditing Security Events," www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/AuditTN.asp.

3. Windows Server 2003 online help, "Security Configuration Manager," www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/SEconcepts_SCM.asp.

4. Microsoft Windows Server 2003 Administrator's Companion (2003, Microsoft Press; ISBN: 0735613672).

5. Microsoft Windows Server 2003 Deployment Kit, "Designing a Managed Environment," www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx.

6. Microsoft Windows Server 2003 Deployment Kit, "Designing and Deploying Directory and Security Services," www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
