Chapter 3: Designing a Secure Public Key Infrastructure


1.  

NoMoreHackers Inc. is implementing a PKI. You have been asked to work as a consultant to design the PKI blueprint for the company. You have met with the CIO and the senior management to gather the requirements. You are confident of creating a sophisticated PKI architecture for the company. What will be your first step in the process?

  1. Determine the location of the CAs.

  2. Design the root CA.

  3. Determine which CA trust hierarchy we will use.

  4. Design the head office CA first, and then proceed to the regional offices.


2.  

IronCladSecurity Ltd's organization structure has several components. The majority of IT needs of the enterprise are met by the IronCladSecurity staff. This includes manufacturing, accounting, and sales divisions of the company. They also subcontract to other IT companies to provide IT services. The proposed PKI security structure should support all these business activities. What do you recommend to implement at IronCladSecurity under Windows Server 2003?

  1. Have one root CA and one intermediary CA.

  2. Have one root CA for internal use and one intermediary for external use.

  3. Have one root CA and two intermediaries for internal and external use.

  4. Have two root CAs for internal and external use.


3.  

You are contemplating the hierarchy of the CA servers at IronCladSecurity. IronCladSecurity has 40 offices in the United States, Germany, and Singapore. They have both contractors and permanent employees working for them, and have multiple IT departments. However, there is no Active Directory implementation for the enterprise. IronCladSecurity prefers to have independent entries as subsidiaries. Therefore, they do not prefer to link the three IT systems to accommodate a global IT system. What trust hierarchies can IronCladSecurity support?

  1. Geographical and network

  2. Network and organizational structure

  3. Geographical and organizational structure

  4. Organizational structure and network


4.  

You are reviewing a previous PKI implementation of a company called NoMoreHackers. It has come to your attention that all of the CA servers are connected to the network. The root CA, intermediary, and issuing CAs are connected to the same domain. You believe this is a severe security risk and have instructed the company to take the servers offline. Which step will not help you take the CA servers offline?

  1. Shut down the CA computer.

  2. Shut down the CA service.

  3. Shut down the CSP service.

  4. Configure CA as a Windows Server 2003 stand-alone server that is not connected to the domain.


5.  

You are proposing a new PKI implementation for NoMoreHackers to replace the existing security structure. You have proposed a three-tier CA server structure with online and offline CAs to protect the CAs from intruders. You will have root CA, policy CAs, and issuing CAs in your implementation. Which CAs will be set as offline CAs?

  1. Only the root CA; the issuing and policy CAs can be online.

  2. The root CAs and policy CAs; the issuing CAs will be online.

  3. Only the policy CAs; the root CA and issuing CAs can be online.

  4. The policy and issuing CAs will be offline; the root CA will be online.


6.  

You are about to install a CA on Windows Server 2003. You have a choice of two machines. One is a single processor machine with 1GB of memory with an existing Windows Server 2003 on a FAT file system. The other system is a twin processor with 512MB of memory on an NTFS file system. Which one would you choose to host the CA?

  1. Use the first CA with 1GB of memory. The CA needs a lot of memory.

  2. Use the first option because of the FAT file system.

  3. Use the second option because Windows Server 2003 works best on a single-server system.

  4. Use the second system because of the NTFS system.


7.  

We are going through the wizards to install a CA on a Windows Server 2003 server. We have selected the type as a stand-alone root CA. We have also selected the MS Strong Cryptographic Provider as the CSP. Now we need to select a hashing algorithm for the private and public key pair. What is a Windows 2003 hashing algorithm that comes with default CA installation?

  1. Asymmetric

  2. .NET Crypto API

  3. Triple DES

  4. SHA-1


8.  

Our management has asked us to install a CA to issue certificates to the employees and the business partners of our company. We are contemplating either Windows 2000 Server or Windows Server 2003 as our CA implementation. You have read that there are several new features in the Windows Server 2003 CA architecture that support a better implementation for the company. What are the new features?

  1. Certificate templates

  2. Auto-enrollment and Active Directory support

  3. Web enrollment support interface and Active Directory support

  4. Auto-enrollment and Web enrollment support interface


9.  

You have been appointed as the new CA administrator of one of the subordinate CA servers. You will administer the CA through the MMC Certification Authority application. You are experimenting with the different functionalities of the CA console. What is not available for you to modify in the CA MMC console?

  1. Revoke certificates

  2. Issue certificates from the pending queue

  3. View certificate details

  4. Change certificate's hash algorithm


10.  

Several of your company resources are behaving strangely. You have noticed that some of the printer queues were deleted using an administrator account. All of these printers are protected using the PKI certificates of the company. You suspect that someone has obtained the CA keys and is impersonating the administrator account to delete the print queue. How will you solve this puzzle?

  1. Monitor the CA auditing logs and renew the CA keys.

  2. Disable auditing to save space for larger new key pairs.

  3. Monitor the CA auditing logs; however, stick with the old key pairs.

  4. Disable auditing and generate a new public key; however, use the same private key.


Answers

1.  

B. The first step of designing the PKI implementation is to structure your root CA. The root CA will manage and delegate the rest of the CAs of the enterprise.

x Answer A is incorrect. The locations of the CAs should be taken into account at the design phase. However, the choice of the root CA might dictate the location for the subordinate CAs (the subordinate CAs can also be based close to the root CA to reduce network and data transmission costs). Answer C is incorrect. The CA hierarchy is controlled by the root CA. The hierarchy can be modified to suit a location or an organizational structure. However, the root CA will remain as the authority. The root CA does not need to reside in the head office of the enterprise; it could easily be accommodated in one of the IT departments. Therefore, we do not need to design the security implications for the head office and proceed to the regional offices; hence, Answer D is incorrect.

2.  

C. There can be only one root CA in a Windows Server 2003 PKI architecture. There are clear internal and external activities at this company. The best practice is to have an intermediary CA for internal use and an external CA for external use.

x Answer A is incorrect. To have one root CA is correct. However, we need at least two intermediaries to delineate the internal and the external users. The root CA will be for both internal and external use; therefore, Answer B is incorrect. You cannot have two root CAs in a Windows Server 2003 environment; hence, Answer D is incorrect.

3.  

C. IronCladSecurity can easily accommodate geographical and organizational trust CA hierarchies. We need to have a global directory (such as Active Directory) to support network CA hierarchy.

x Answer A is incorrect because we cannot implement a network hierarchy without Active Directory at IronCladSecurity. We can easily accommodate a geographical hierarchy, not a network hierarchy. Answer B is also incorrect. We can accommodate an organizational structure hierarchy, not a network hierarchy. Answer D is also incorrect. We can implement an organizational structure, not a network hierarchy.

4.  

C. The question is about CAs, not CSPs. The CSPs (cryptographic server providers) store the key information in memory or on hardware devices. Therefore, shutting down the CSP service will not have an impact on taking the CA offline.

x Answer A is incorrect. Shutting down the CA computer will make the CA offline. The CA could be taken offline by shutting down the CA service also. Therefore, Answer B is incorrect. We can also take the CA offline by configuring it as a Windows 2003 stand-alone server that is not connected to a domain. It will be difficult for the hackers to find the CA even if they hack into the domain; hence, Answer D is also incorrect.

5.  

B. The root CA and the policy CAs should be protected and should be offline to the users. The issuing CAs need to be online to provide the certificates to the end users.

x Answer A is incorrect. The policy CAs need to be offline also. The policy CAs have sensitive information of the enterprise, and therefore need to be protected. The root CA must be offline; hence, Answer C is incorrect. Answer D is also incorrect. The root CA should never be online.

6.  

D. The CA implementation on Windows Server 2003 should be installed on an NTFS file system. This will enable the CA to communicate with Active Directory and share Windows account information.

x Answer A is incorrect. Windows Server 2003 does not require a lot of memory. There is not much difference between 1GB and .5 GB of memory. Answer B is also incorrect. We should not install a CA on a FAT file system. Windows 2003 CA is not optimized to run on single servers; therefore, Answer C is also incorrect.

7.  

D. SHA-1 is a hashing algorithm that comes with the Windows Server 2003 CA Service.

x Answer A is incorrect. Asymmetric algorithms have key pairs that are not identical. The PKI process generates asymmetric keys; it is not a hashing algorithm. Answer B is also incorrect. .NET Cryptographic libraries are used to encrypt data communication in .NET assemblies. Triple DES is also an encryption mechanism to protect data communication; hence, Answer C is also incorrect.

8.  

D. The new features are auto-enrollment and Web support CA interface.

x Answer A is incorrect. Certificate templates are available in Windows 2000 servers. The requirement for certificate templates is an Active Directory, not Windows 2000. Active Directory support is also available in Windows 2000. It does not integrate as smoothly as Windows Server 2003 does; however, it is present. Therefore, Answer B is incorrect. The same applies for Answer C.

9.  

D. You will not be able to change the certificate's hash algorithm through the CA MMC console. The algorithm is determined when the user requests a certificate. The administrator will not be able to change this. The certificate will be invalid if the algorithm is altered.

x Answer A is incorrect. You can choose to revoke certificates from the CA console. Answer B is also incorrect. The administrators can also issue certificates from the pending queue. We can also view the certificate data by double-clicking on the certificate in the CA console; hence, Answer C is also incorrect.

10.  

A. We need to monitor auditing on a CA server to track intruder access. When we find the intruder, we need to disable his or her access. In addition, we need to create a new private and public key pair for the enterprise to avoid future hackings.

x Answer B is incorrect. Disabling auditing is not the correct step to take. It also does not save a lot of space for large key pairs. Using the old key pairs is not safe for the enterprise. The hacker might have passed the key to others or published it on a Web site. This will trigger future attacks. Therefore, the keys need to be regenerated. Hence, Answer C is incorrect. Answer D is also incorrect. We cannot disable the auditing, and we need to replace both private and public keys.




MCSE Designing Security for a Windows Server 2003 Network. Exam 70-298
ISBN: 1932266550
EAN: 2147483647
Year: 2003
Pages: 122
