Case Study Questions




1. You need to design a certificate solution for the internal users of Get Results Marketing. What should you do?

  A. Establish a website that users will use to request certificates.

  B. Give users Enrollment Agent rights on the system.

  C. Write a login script that determines the user and requests the appropriate certificate from the web server.

  D. Install some enrollment stations in the company and store client certificates on smart cards.


2. What type of technology should you recommend for securing and signing e-mail?

  A. SSL

  B. TLS

  C. S/MIME

  D. IPSec


3. You need to design an auditing policy for the PKI. What should you recommend for Get Results Marketing? Choose all that apply.

  A. Enable all of the settings for auditing on a CA.

  B. Enable object access auditing to track PKI server access.

  C. Enable success/failed login attempts.

  D. Enable file access auditing to track access to certificate files.


4. What type of PKI should you recommend for the issuing servers?

  A. Stand-alone

  B. Active Directory integrated

  C. SQL Server integrated

  D. Third party


5. What type of hierarchy should you recommend for Get Results Marketing?

  A. Functional

  B. Geographical

  C. Departmental

  D. Organizational


6. Where would you place the different types of servers in the organization? Drag and drop the proper server type to the proper location of the organization. Answers may be used more than once.

  Locations: Hong Kong, New York, London

  Server types: root CA, intermediate CA, issuing CA


Answers

1. D. The company wants to implement two-factor authentication for increased security, which would involve using smart cards and a password or PIN to gain access to the system. You would need to create some enrollment stations for enabling a smart card for a user and distribute the smart card to the users. The administrators issuing the smart card certificates on behalf of users would need Enrollment Agent rights, but you would not need to issue these rights to users. The web server and login scripts do not provide for two-factor authentication but could be a means to issue certificates to computers or users without using smart cards.

2. C. S/MIME is a web standard technology that is used to sign and encrypt e-mail messages. It requires a PKI to manage the certificates that are necessary for the technology. Because Get Results Marketing will have a PKI, this would be the recommended approach. SSL, TLS, and IPSec are used to encrypt network traffic and verify computers. They are not appropriate for verifying individuals or encrypting individual messages and not others.

3. A, B, C. The network administrator expressed concerns about not being able to track information and various occurrences on the network. You will need to focus on the CA infrastructure and authentication on the network. You should plan to size the log file to accommodate the increased volume of logging.

4. B. Because the clients are Windows XP based, the company would benefit from an Active Directory–integrated issuing server because it can automatically issue machine certificates to computers based on domain credentials. This would minimize the effort of the network administrators in managing machine certificates.

5. B. Since the CSO states that they are worried about legal requirements for certificates and encryption in the countries in which they operate, you should implement a hierarchy based on geography. This would give the individual regions control over the local CA servers, to make sure they comply with local laws. The organizational, departmental, and functional hierarchies would be more difficult to lay out in a way that follows local laws because they focus on grouping servers by other requirements, like a department or function in the organization.

6. Server placement by location:

  Hong Kong: intermediate CA, issuing CA

  New York: root CA, intermediate CA, issuing CA

  London: intermediate CA, issuing CA

You would want to keep the root secure at the company headquarters where the IT staff is based. You would then need to provide issuing and intermediate CAs to each geographical region the company is in to provide local control over how and what certificates are issued and renewed to comply with local laws.






MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
EAN: 2147483647
Year: 2004
Pages: 168
