Objective 3.6: Questions




1. 

Rooslan is currently configuring communication between a computer running Windows Server 2003, Web Edition that is located on the company perimeter network and a computer running Windows Server 2003, Standard Edition that hosts a SQL Server 2000 installation on the internal LAN. The internal LAN also hosts a standalone root CA that is installed on a separate standalone computer that is running Windows Server 2003. The SQL Server computer stores confidential information that will be displayed to authorized clients of a Web application running on the computer running Windows Server 2003, Web Edition. Rooslan wants to configure an SSL connection between the server running SQL Server 2000 and the computer on the perimeter network that runs Windows Server 2003, Web Edition. When logged on to the SQL Server computer’s console, Rooslan runs Microsoft Internet Explorer and connects to the standalone root CA. He submits an advanced certificate request, selecting to create and submit a request to this particular CA. When he is presented with the Advanced Certificate Request form, he is asked what type of certificate is needed. Which type of certificate should Rooslan choose to install on the SQL Server computer on the internal LAN?

  A. E-mail Protection Certificate

  B. Code Signing Certificate

  C. Time Stamp Signing Certificate

  D. IPSec Certificate

  E. Server Authentication Certificate


2. 

You are configuring the domain controllers in your domain to use SSL to encrypt Lightweight Directory Access Protocol (LDAP) traffic. This will mean that domain controller communication, in addition to communication from global catalog servers, will be secure. Your domain has a single enterprise root CA installed. It is the only domain in the forest. To proceed with this configuration, you are editing the Default Domain Controllers Policy. In the Computer Configuration\Windows Settings\Public Key Policies node, you are configuring the Automatic Certificate Request Settings. For which of the following certificate templates should you configure automatic certificate requests to use SSL to encrypt Active Directory traffic? (Select all that apply.)

  A. Computer

  B. Domain Controller

  C. Enrollment Agent (Computer)

  D. IPSec


3. 

Tailspin Toys has a CA infrastructure represented by the information in the following table.

| CA name | CA role | Certificate end date |
| --- | --- | --- |
| entrootca.tailspintoys.com | Enterprise root CA | May 12, 2005 |
| ausca.tailspintoys.com | Australia intermediate CA | December 28, 2004 |
| nzca.tailspintoys.com | New Zealand intermediate CA | November 03, 2004 |
| melbca.tailspintoys.com | Melbourne issuing CA | July 27, 2004 |
| auckca.tailspintoys.com | Auckland issuing CA | May 12, 2004 |

The CA hierarchy is displayed in the following figure.


Today’s date is January 26, 2004. Which of the following statements about certificate renewal is true?

  A. A computer running Windows XP Professional that requests a one-year certificate renewal from melbca.tailspintoys.com will receive a certificate with an end date of January 26, 2005.

  B. If the melbca.tailspintoys.com issuing CA attempts to renew its certificate for one year, it will receive a certificate with an end date of December 28, 2004.

  C. If the nzca.tailspintoys.com issuing CA attempts to renew its certificate for one year, it will receive a certificate with an end date of May 12, 2005.

  D. A computer running Windows XP Professional that attempts to renew a certificate from the auckca.tailspintoys.com CA will be issued a certificate that expires on January 26, 2005.


4. 

Which of the following represents the fastest way to reenroll all certificate holders of the Workstation Authentication certificate in a single-domain forest with an enterprise root CA running on a Windows Server 2003 domain controller?

  A. Log on to the enterprise root CA. Run the Certificate Templates MMC. Right-click the Workstation Authentication certificate. Select the Reenroll All Certificate Holders option.

  B. Create a GPO and apply it to the domain. In the \Computer Configuration\Windows Settings\Security Settings\Public Key Policies node, right-click the Automatic Certificate Request settings and run the Automatic Certificate Request Setup Wizard. Select the Workstation Authentication Certificate.

  C. From the command prompt, run the netsh certificates reenroll wrkstnauth command.

  D. Create a logon script and deploy it to each computer in the domain. In the logon script, include the command-line command certificates reenroll /auto.


Answers

1. 

Correct Answers: E

  A. Incorrect: This sort of certificate, when installed on the SQL Server computer, will not allow SQL traffic between the server and the computer on the perimeter network that runs Windows Server 2003, Web Edition to be encrypted by SSL.

  B. Incorrect: This sort of certificate, when installed on the SQL Server computer, will not allow SQL traffic between the server and the computer on the perimeter network that runs Windows Server 2003, Web Edition to be encrypted by SSL. This type of certificate is generally used to prove that a particular organization authored specific software that you might download and install on your computer.

  C. Incorrect: This sort of certificate, when installed on the SQL Server computer, will not allow SQL traffic between the server and the computer on the perimeter network that runs Windows Server 2003, Web Edition to be encrypted by SSL.

  D. Incorrect: This question discusses SSL rather than IPSec. Although it is possible to encrypt communication between the computer running Windows Server 2003, Web Edition and the SQL Server computer using shared certificates, that is not the method of secure communication discussed in the question text.

  E. Correct: A Server Authentication Certificate is the appropriate type of certificate to request and install on the SQL Server computer. SQL Server can then be configured to force protocol encryption. As long as the server running Windows Server 2003, Web Edition is configured to trust certificates issued by the standalone root CA on the internal LAN, communication between it and the SQL Server will not be encrypted by SSL.

2. 

Correct Answers: A and B

  A. Correct: Both the Computer and the Domain Controller certificate templates are required to encrypt all LDAP traffic transmitted to and from domain controllers by SSL.

  B. Correct: Both the Computer and the Domain Controller certificate templates are required to encrypt all LDAP traffic transmitted to and from domain controllers by SSL.

  C. Incorrect: The Enrollment Agent (Computer) certificate template is not required to encrypt all LDAP traffic transmitted to and from domain controllers by SSL.

  D. Incorrect: An IPSec certificate template is not required to encrypt all LDAP traffic transmitted to and from domain controllers by SSL, though it could be used if data were to be encrypted by IPSec.

3. 

Correct Answers: B

  A. Incorrect: A CA will truncate any request to the date on which its own certificate expires. In this case, any certificate issued from the melbca.tailspintoys.com issuing CA will expire on or before July 27, 2004.

  B. Correct: The melbca.tailspintoys.com issuing CA is below the ausca.tailspintoys.com intermediate CA in the hierarchy. The ausca.tailspintoys.com CA cannot issue a certificate dated later than the expiration of its own certificate, which in this case is December 28, 2004.

  C. Incorrect: If the nzca.tailspintoys.com issuing CA attempts to renew its certificate for one year, that renewal will be granted. The new certificate will expire on January 26, 2005, rather than May 12, 2005.

  D. Incorrect: The auckca.tailspintoys.com CA will be unable to issue a certificate dated later than May 12, 2004.

4. 

Correct Answers: A

  A. Correct: This represents the fastest way to reenroll all certificate holders of the Workstation Authentication certificate.

  B. Incorrect: This is used for the automatic request of certificates, not for the reenrollment of certificates. To reenroll all certificate holders, run the Certificate Templates MMC on the CA. Right-click the certificate template you want to have reenrolled, and then click Reenroll All Certificate Holders.

  C. Incorrect: The netsh command cannot be used to reenroll certificates. To reenroll all certificate holders, run the Certificate Templates MMC on the CA. Right-click the certificate template you want to have reenrolled, and then click Reenroll All Certificate Holders.

  D. Incorrect: There is no certificates reenroll /auto command. To reenroll all certificate holders, run the Certificate Templates MMC on the CA. Right-click the certificate template you want to have reenrolled, and then click Reenroll All Certificate Holders.






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
