Review Questions




1.

What is an X.509 digital certificate?

  A. An entity that lists the policies that are used for security on the network

  B. An electronic document that contains information about the owner of the certificate, the public key of the owner, and the signature of the certificate authority

  C. A means of updating Active Directory with user information

  D. A way to provide information to the server about the security mechanism needed to establish the connection


2.

Which of the following applications would require that a PKI architecture be in place? (Choose all that apply.)

  A. Smart card logon

  B. Encrypting File System

  C. File sharing

  D. IP security

  E. E-mail

  F. Secure e-mail


3.

What are the four possible ways of designing a CA hierarchy?

  A. Organization

  B. Groups

  C. Geography

  D. Function

  E. Department

  F. Users


4.

Which of the following ways can you use to enroll for a certificate with a stand-alone CA?

  A. Web enrollment page

  B. Autoenrollment

  C. certreq.exe

  D. Certificate Request Wizard


5.

Which operating systems can be used to perform autoenrollment with an enterprise CA? (Choose all that apply.)

  A. Windows XP

  B. Windows ME

  C. Windows Server 2003

  D. Windows 2000


6.

What are the three possible roles for a CA in the organization?

  A. Root CA

  B. Intermediate CA

  C. Enrollment CA

  D. Issuing CA

  E. Renewal CA


7.

What auditing setting must be enabled to allow CA-specific auditing through the Certification Authority console?

  A. Audit Account Login Events

  B. Audit Object Access

  C. Audit System Events

  D. Audit Process Tracking


8.

Which of the following reasons would you use in choosing to revoke a certificate? (Choose all that apply.)

  A. The CA has been compromised.

  B. The certificate has been renewed.

  C. The CA certificate has been renewed.

  D. The private key was stolen.

  E. The certificate was used for signing.

  F. The certificate authority has been retired.


9.

What are the four roles that perform administrative tasks on a Windows Server 2003 CA server?

  A. PKI Manager

  B. Certificate Manager

  C. PKI Administrator

  D. Auditor

  E. Administrator

  F. Backup Operator

  G. CA Administrator


10.

Why should you perform role separation on a CA server?

  A. To separate the types of CA servers so that renewal and enrollment take place on different servers

  B. To minimize damage done to the certificate hierarchy should an attacker infiltrate the administrator account

  C. To split the roles of the server for renewal and enrollment of certificates

  D. To provide a mechanism to increase the availability of the PKI structure


Answers

1.

B. A certificate contains fields that identify the subject (owner of the certificate) and the subject’s public key. The certificate is then signed by a certificate authority that verified the information so all clients that trust the CA can trust the information in the certificate.

2.

A, B, D, F. You would need to use certificates in applications that require authentication of the user, a digital signature, or encryption without the exchange of keys through some other means. Smart card logon verifies the identity of the user through a certificate and a PIN or password, referred to as two-factor authentication. EFS requires a certificate to verify the owner of a file and the encrypting keys. IP security requires encryption and the validation of the client and the server, which will require a certificate. Secure e-mail, which supports digital signatures and encrypted e-mail, requires PKI.

3.

A, C, D, E. Depending on the management or legal needs of the organization, you will need to design a CA hierarchy based on the organization (employee, contractors, partner), geography (USA, France, Asia), function (S/MIME, EFS, smart card), or department (Marketing, Finance, Accounting).

4.

A. You would use a web enrollment page to request, renew, and manage certificates that are used in the organization.

5.

A, C. Windows XP and Windows Server 2003 are the only two operating systems that support autoenrollment for certificates with a Windows Server 2003 enterprise CA server.

6.

A, B, D. You can have three different roles for a CA in an organization: root, intermediate, and issuing. The root CA is responsible for signing all certificates issued in the PKI and is the most trusted CA. The intermediate CA is used to approve requests for enrollment and renewal of certificates. The issuing CA is responsible for issuing or deploying the certificate and CRL to the clients.

7.

B. You would need to enable Success and Failure on the Audit Object Access setting to make file, Registry, or CA auditing possible. You then would set the audit property on the item you would like to audit.

8.

A, D, F. You would need to issue new certificates if the CA or private key was compromised. If you retire the CA, you will need to revoke the old certificate and issue the new CA’s certificate.

9.

B, D, F, G. The CA Administrator can configure the CA server, manage permissions, and renew CA certificates. The Certificate Manager role can initiate a key recovery, manage certificate enrollment, and revoke certificates. The Backup Operator can back up and restore the CA databases. The Auditor can read the security log and configure auditing.

10.

B. You distribute the administrative function of the CA servers among four different roles. This will minimize damage done to the CA hierarchy if one of the administrator accounts were infiltrated.






MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
ISBN: 0782143296
EAN: 2147483647
Year: 2004
Pages: 168
