Answering the following questions will reinforce key information presented in this chapter. If you are unable to answer a question, review the appropriate lesson and then try the question again. Answers to the questions can be found in the appendix.
- A company has found that its offline root CA's hard disk has crashed. What must you include in the backup set to ensure that the root CA can be recovered?
- Assume that after the restoration of the previous backup, Certificate Services refused to start. What can you do to get Certificate Services running without having to redeploy the organization's PKI?
- The CRL publication interval for the CA that issues user certificates for authenticating with the Human Resources Web site is currently set to the default of seven days. The actual publication takes place every Sunday evening. On Tuesday morning, Amy Anderson was terminated from her position at the company and her user certificate was revoked immediately. When the administrator reset the password on Amy's account so that her supervisor could investigate Amy's My Documents folder, the supervisor found that she still could access the Human Resources Web site by authenticating with Amy's certificate. If the certificate was revoked, why is this happening?
- The permissions for the EnrollmentAgent certificate template are defined in the following manner:
  - Authenticated Users: Read, Enroll
  - Domain Admins: Full Control
  - Enterprise Admins: Read

  Are there any security weaknesses with the defined DACL for the EnrollmentAgent certificate template? What modifications should be made to give only members of the SmartCardDeployment group the ability to perform smart card enrollments?
- An organization has been approached as a consultant to design certificate mapping to allow secure access to a Web server located in the organization's DMZ. To prevent the internal network from being compromised, the Web server located in the DMZ isn't made a member of the domain. The Web server uses certificate-based authentication to ensure that only members of the IT infrastructure team can access the auditing Web pages. Where should the certificate mapping be defined—at the IIS server or in Active Directory?
- An organization has been approached as a consultant to design certificate mapping to allow secure access to a series of Web servers located on the organization's internal network. The Web servers use certificate-based authentication to ensure that only members of the IT infrastructure team can access the auditing Web pages. Where should the certificate mapping be defined—at the IIS servers or in Active Directory?