AD CS, AD FS, and AD RMS Flashcards

Question

What port does Web Application Proxy use to communicate with ADFS?

Answer 1

Through Add Roles & Features: * Since 2012 R2, WAP is a role service under the Remote Access server role. * You can then use the configuration wizard to provide the ADFS server name, admin credentials for ADFS, and the certificate. Through PowerShell: * Install-WindowsFeature Web-Application-Proxy * Install-WebApplicationProxy -FederationServiceName "adfsservername" -FederationServiceCredential $Credential -CertificateThumprint $Thumbprint

Answer 2

On the ADFS server.

Answer 3

It has nothing built-in, so you would have to put it behind a Network Load Balancer.

Answer 4

Remote Access Management Console

Answer 5

* ADFS: unauthenticated client requests are redirected to the ADFS server. After successful authentication, they are forwarded to the backend application server. * Pass-through: WAP does not perform any pre-authentication, and just forwards all requests to the backend application server. The application itself will need to do the authentication. (This could be useful for applications using FBA.)

Answer 6

* Preauthentication for HTTP Basic applications. * HTTP to HTTPS redirection. (Previously, you had to do a lot of complication manually configuration with IIS to make this work; now's it just a check box in WAP.) * Wildcard domain publishing of applications. * HTTP Publishing * Publishing of Remote Desktop Gateway apps

Answer 7

* the internal URL of the application / backend server * The thumbprint for the certificate for the application * the external URL that will be used by clients to access WAP for this application. * the name to be displayed in the WAP interface * the external pre-authentication method * The name of the Relying Party Trust in ADFS.

Answer 8

It's a simple check box that you mark when publishing an application. However, WAP does not open port 80 by default. So, you also need to create a firewall rule to allow inbound traffic over TCP 80.

Answer 9

They need to be using a Microsoft Web Browser, such as IE, and they need to install the ActiveX control that they're prompted for on the login screen. If the Published App isn't configured for Pass-through authentication, then the client will also need to log in twice, once to the WAP, and once to the Remote Desktop Gateway.

Answer 10

Remote Desktop Gateway

Answer 11

Active Directory Rights Management Services A Server Role that allows you to create Information Rights Management policies. The access policies are applied to documents and e-mail messages, and remain with the content as it moves, both online and offline. Policies are enforced through encryption, certificates, and authentication.

Answer 12

* Full Control * View * Edit * Save * Export (Save As) * Print * Extract (Copy) * Forward (for e-mail) * Reply (for e-mail) * Reply All (for e-mail) * Allow Macros * View Rights * Edit Rights

Answer 13

In Roles and Features, install the role "AD Rights Management Services"

Answer 14

After installing the role, * Open the configuration Wizard. * Create a new AD RMS root cluster. * Choose a SQL server, or use WID (only if you won't be clustering). * Specify the service account that RMS will run under. It must be a domain user, but does not need any particular permissions. * Configure the AD RMS Cluster Key

Answer 15

Cryptographic Service Provider You can offload the processing required for cryptography to the CSP.

Answer 16

Service Connection Point * It is an object in AD that provides the intranet URL of the AD RMS cluster, allowing RMS-aware clients and applications to discover the cluster automatically. * Only one SCP can exist per forest in AD. * It is created automatically when the first AD RMS cluster is deployed (though you can opt not to create one). Any future changes to the SCP from then on must be made manually.

Answer 17

* The name, and description (which is required) * Any number of users and groups, which are identified by e-mail address; and the rights assigned to each of them * The expiration settings for the content * Additional conditions * The revocation policy

Answer 18

There are two expirations that can be configured: Content expiration: The content cannot be accessed until it is republished. Use license expiration: The user will have to reconnect to the RMS server to obtain a new license. (The use license is cached on the client computer once it's obtained).

Answer 19

If a revocation policy has been configured in a Rights Policy Template, it points to the URL of a location where the revocation list is published, and settings for how often to check the list, and the public key for the list. The revocation list contains factors to deny permission to content. Factors include content ID, users, applications, etc.

Answer 20

The RMS Client comes installed on every version of Windows from Vista and newer, but 2.1 is a newer version. For added functionality, it needs to be downloaded and installed. Even Windows 10 doesn't include this newer version of the client. One feature it adds, is that by editing the Registry, you can modify how frequently templates are refreshed.

Answer 21

You need three three things: * A securely backup copy of the Cluster Key Password * An export of the Trusted Publishing Domain (exported as an XML file). (Can be exported using the AD RMS Administrative Console.) * A backup the RMS Configuration Database (which could be WID or SQL)

Answer 22

* Configuration Database * Directory Services Database * Logging Database

Answer 23

* Port 443 for device authentication of remote users. * Port 49443 for certificate authentication of remote users. If using AAD: * Port 80 for downloading certificate revocation lists to verify SSL certificates * Port 5985 as the WinRM listener.

Answer 24

Either with: • New-PSDrive or • Install-ADRMS or its alias, • Install-RMS

Answer 25

This is used to create a new AD RMS cluster, or join an existing cluster.

Answer 26

A CA binds public keys with the respective identities of entities. * This binding is done through a process of registration and issuance of certificates. * Certificates have a public key binded with them.

Answer 27

Active Directory Certificate Services Provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

Answer 28

* A standalone can exist offline, but an Enterprise cannot exist offline. * Standalone does not depend on AD DS, but Enterprise does. * A standalone can only get certificates via manual procedure or web enrollment. Enterprise can use these, plus auto-enrollment, enrollment on behalf, or web services enrollment. * In standalone, all certificates must be approved manually. In Enterprise, they can be issued of denied automatically based on policy. * Standalone CAs do not support templates. (Therefore, no automatic key archival.)

Answer 29

Certificate Revocation List It is published by a CA, and contains a list certificates that have been revoked. Clients check the CRL when they need to confirm certificates, to check whether the certificates are still valid. The CRL is cached by clients, who will update it on a set schedule.

Answer 30

Standard: 4096. The default is 2048.

Answer 31

CRL Distribution Point (Certificate Revocation List Distribution Point) • Included in a certificate, it tells clients where to look for the CRL.

Answer 32

Authority Information Access • Tells you where to find the authority for the CRL.

Answer 33

In addition to the default selections, you must install these role service: * Basic Authentication * Windows Authentication

Answer 34

The CDP and the AIA of the root server are made available on the web server, since the standalone root CA will be offline.

Answer 35

Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies This contains several options, including a folder for "Trusted Root Certification Authorities." Loading the CA Root certificate there will install the certificate on all domain computers.

Answer 36

The Certificate Database, and its Database Log, are located here by default: C:\Windows\system32\CertLog\

Answer 37

A certificate request, which is a request from a device to receive a certificate from a higher up CA.

Answer 38

certutil -installCert

Answer 39

By default, the CDP and the AIA are published on the root CA. If it is going to be offline, then those need to be located elsewhere. Usually, you'll locate them on a web server so they are always accessible. To do so, you need to edit the properties of the root CA and modify the extensions.

Answer 40

MMC > Certification Authority > select Root CA server > Properties > Extensions > * Remove the local locations for both the CDP and the AIA, and add the web address, or whatever new location, you'll be locating these certificate files... * then add necessary variables to the end of that path.. * then end with the file extension: .crl for the CDP, and .crt for the AIA. Or, in PowerShell, the cmdlets are: * Add-CACrlDistributionPoint * Add-CAAuthorityInformationAccess

Answer 41

A command line utility for managing AD Certificate Services. It is the only tool that can be used for several tasks and configurations.

Answer 42

Lists information on the issuing certificates themselves, as well as a little info about the CA.

Answer 43

ADCSDeploy ADCSAdministration These are limited, and there's actually not a lot of things you can do in PowerShell for configuring Certificate Services.

Answer 44

• Read (Can locate CA and see some contents) • Request Certificates • Issue and Manage Certificates (Approve, Deny, and Revoke) • Manage CA (Manage and configure all CA options)

Answer 45

For users and groups, each of these can be set to Allow or Deny: • Read (Can locate CA and see some contents) • Request Certificates • Issue and Manage Certificates (Approve, Deny, and Revoke) • Manage CA (Manage and configure all CA options)

Answer 46

Any user or group who has been granted security permission to issue and manage certificates on a CA. • This means they have "Allow" permissions for the "Issue and Manage Certificates" access on the CA.

Answer 47

In the "Certificate Managers" tab of a CA's properties, is the option to restrict. • You select users and groups (as configured in the Security tab) and may restrict their management access to particular certificate templates, or particular users/groups.

Answer 48

Add-WebApplicationProxyApplication

Answer 49

* A new feature of WAP for 2016. * Allows you to publish multiple applications from the same DNS domain. * To support scenarios such as SharePoint 2013, the external URL for the application can now include a wildcard to enable you to publish multiple applications from within a specific domain, for example, https://*.sp-apps.contoso.com. * This will simplify publishing of SharePoint apps.

Answer 50

* After installing the AD RMS role, you need to configure it by identifying the database instance, and the cluster key. * (Clusters keep their database files on a SQL Server instance.)

Answer 51

* Most significantly, a SQL database allows clustering of AD RMS across multiple nodes. * It also has more extensive options for backup and maintenance tasks, etc.

Answer 52

You would need to do all three of the following: * New-ADfsLdapServerConnection * New-AdfsLdapAttributeToClaimMapping * Add-AdfsLocalClaimsProviderTrust

Answer 53

It extends the AD schema for Server 2016, meaning it makes it able to accomodate new attributes.

Answer 54

Provides single sign-on remote access to on-prem web applications that use Azure AD for authentication. All that is required to install on-prem is a small connector software agent. All federated identity and secure authentication flow is handled by Azure AD Application Proxy.

Answer 55

Key Recovery Agent

Answer 56

Public Key Infrastructure View A GUI utility for managing CAs, certificates, AIAs, CDPs, etc.

Answer 57

These options are only available when working on the CA computer locally, rather than connecting remotely: * Back up CA * Restore CA * Renew CA Certificate For this reason, your root CA should always be a server with full Desktop Experience, rather than Server Core.

Answer 58

• When the lifetime of the certificates you are currently issuing is reduced. This is because a CA cannot issue certificates with expiration dates beyond its own certificate's expiration date. So, typically, you'll want to renew the CA's certificate at least one year before it expires. • Also, you'd need a new certificate if the signing key was compromised.

Answer 59

You only need a new signing key when: * The signing key is compromised * You have a program that requires a new signing key to be used with a new CA certificate * The current CRL is too big, and you want to move some of the info to a new CRL

Answer 60

It is audited through Event Viewer. First, you must enabled the "Audit object access" setting in Group Policy. Then, in the CA's properties > Auditing tab, check off what items you want to audit.

Answer 61

• Using the CA Backup Wizard: - Backup the Private key and CA certificates - It will make you create a password for the key backup - Backup the certificate database and certificate database log • Then, in Registry Editor: - Export the CertSvc\Configuration partition • On an Enterprise CA, you need to record all published templates.

Answer 62

* When installing Certificate Services on the new machine, select the option to "use an existing private key," and select the certificate and key which were been backed up. * For the restore to work, the database and its log must have identical paths to how they were in the backup. * Stop the certsvc service * Merge the CertSvc/Configuration registry entries • Use the Restore CA wizard from the CA snap-in - You'll need the password for the key restore

Answer 63

An electronic document used to prove the ownership of a public key. It serves to validate the sender's authorization and name.

Answer 64

Literally just provides storage for your cryptographic keys.

Answer 65

Permissions can apply to groups only, no users. Permissions include these options: * Read * Write * Enroll (also requires read) * Autoenroll (requires read and enroll) * Full Control

Answer 66

Version 1 - The default. These templates cannot be changed Version 2 - Created by duplicating a V1 template - Allows autoenrollment - V2 templates, even default ones, can be modified Version 3 - created by duplicating a V1 or V2 template - Allows Cryptography Next Generation - V3 templates can be modified Version 4 - requires Server 2012 or later - Allows use of CSP and key storage providers - V4 templates can be modified

Answer 67

* The CA's Request Handling Policy must NOT be set to require manual administrator approval of all requests. * The certificate template must allow these permissions to the group that will be enrolling: - Read - Enroll - Autoenroll • Autoenrollment must be enabled in GPO Public Key Policies

Answer 68

Personal Information Exchange (*.pfx) A file that stores exported certificate keys. When it is created, it can have password protection built into it, as well as access restricted to select users or groups.

Answer 69

* The key needs to have been archived, either manually, or through having enabled auto-archiving in the template for the certificate it was created with. A KRA must have been specified when archiving. * From the certificate issuer, get the Serial number of the certificate. * Then, use these cmdlets: Certutil -getkey [serial number] outputblob Certutil -recoverkey outputblob [newfilename].pfx • You can then right-click the .pfx file and select Install.

Answer 70

* If the CA is not trusted * If the Subject Name or Subject Alternate Name does not match the name of the website or service that you are connecting to.

Answer 71

1. The browser clicks on an HTTPS website 2. The browser requests a certificate from the web server 3. The web server sends its certificate, and included in that certificate is its public key 4. The browser checks the certificate and if it trusts the issuing CA, and whether the certificate is revoked 5. The browser generates a symmetric encryption key, encrypts it and then sends it 6. The web server decrypts the symmetric key and secures the communication

Answer 72

One of the Reason codes that can be selected when revoking a certificate in CA Unlike with any other reason code, certificates that have been revoked this way can be Unrevoked.

Answer 73

Read and Enroll. Autoenroll permission is not required for automatic renewal.

Answer 74

1. Configure a key recovery agent certificate template. 2. Add the key recovery agent cert template to an enterprise CA. 3. Enroll one or more key recovery agents. 4. Configure the VA for key archival and recovery.

Answer 75

An Enrollment Agent is a user that has been granted permission to request certificates on behalf of another user.

Answer 76

An AD CS role feature that responds to client requests for information about specific certificates. This service provides support for Online Certificate Status Protocol (OCSP) validation and revocation checking. This service makes it possible to check the revocation status of a single certificate, rather than downloading and checking the complete CRL.

Answer 77

Allows the holder to authenticate its identity by using a smart card

Answer 78

Allows the holder to authenticate its identity and protect e-mail by using a smart card Capable of: • Authentication • Signing • Encryption

Answer 79

Used to prove the identity of the subordinate CA; it is issued by the parent or root CA Capable of: • Authentication only

Answer 80

Allows subjects to authenticate to a Web server

Answer 81

Allows a computer to authenticate itself on the network

Answer 82

Used to request certificates on behalf of another user

Answer 83

Recovers private keys that are archived on the CA

Answer 84

Proves the identity of a Web server

Answer 85

Enables client computers to authenticate their identity to servers for mutual authentication.

Answer 86

A role service that provides a set of web pages that allow interaction with the CA role service. • It's used to supports enrollment and renewal requests for computers that: - run non-Windows OSs, - are not a domain member, - or are not connected to your domain network. • Allows you to connect to a CA using a web browser to perform common tasks, such as: - Request a new cert from the CA, or a renewal - Check a pending cert request - Request the CA's cert - Retrieve the CA's CRL

Answer 87

Self-signed root certificates from other organizations.

Answer 88

If your root CA is an Enterprise CA, then CRLs are published to AD DS. With a standalone root CA, it is stored on the CA itself by default, but can be changed and published to a location you specify. You'll need to update the CDP extension to indicate the CRL's location.

Answer 89

Certificate Enrollment Web Service CES acts as a proxy for the CA for issuing and renewing certificates, and provides for retrieval of CRLs for computers running Windows 7 or later. • It also supports auto-renewal for non-domain members, and members of untrusted domains.

Answer 90

Certificate Enrollment Policy Web Service CEP allows users and clients to retrieve certificate enrollment policy information.

Answer 91

This service is used to issue and renew certificates for network devices such as routers and switches. * It allows these devices to obtain certificates without direct interaction. * Requests are made under the context of the service account specified when you configure NDES.

Answer 92

Because a standalone CA does not verify a certificate requester's credentials.

Answer 93

These are configure in Group Policy: * Auto-Enrollment policy * Automated update and renewal of certificates * Automatic trusting of root CA * Enable auditing of a CA

Answer 94

Used to authenticate AD users and computers.

Answer 95

Used for security with e-mail and encrypting file services.

Answer 96

Used to enable users to digitally sign data.

Answer 97

The AD RMS Administrative Console. | It is exported as an XML file.

Answer 98

Trusted Publishing Domain TPDs allow one AD RMS server to issue use licenses that correspond with a publishing license issued by another AD RMS server. A TPD is added by importing the server licensor certificate and private key of the server to be trusted.

Answer 99

Microsoft Office clients needing to access data on a backend server

Answer 100

Clients that need to use Windows Store Apps

Answer 101

Rich clients (such as smartphones) that need to connect to Exchange or another backend server. (ActiveSync uses HTTP Basic pre-authentication)

Answer 102

Is created when you install and configure your first AD RMS server in a cluster. Other servers in the cluster share the same SLC.

Answer 103

Gives a user the ability to publish protected content, even when the client is not currently connected to the AD RMS server.

Answer 104

Identifies a computer or other supported device.

Answer 105

Identifies a specific user based on either account credentials only (temporary RAC), or on account and device credentials (standard RAC).

Answer 106

Specifies applied rights on protected content, including: * the users that can open it * under what conditions it may be opened * the rights each user will have to the content

Answer 107

Gives a user the ability to access protected content based on user account credentials. The license is tired to the user's RAC. (If the user's RAC is not present or valid, the user is not given access to the content.)

Answer 108

Standard RAC: * identifies a user by account credentials and device credentials together. * has a validity time measured in number of days. (the default is 365 days) Temporary RAC: * identifies a user based on account credentials only. * has a validity time measured in number of minutes. (the default is 15 minutes)

Answer 109

Invoke-AdfsFarmBehaviorLevelRaise

Answer 110

certutil.exe -viewdelstore

Answer 111

certutil.exe -revoke

Answer 112

Set-AdfsSyncProperties -Role PrimaryComputer

Answer 113

* User – block specific users * Application – block specific applications * Lockbox version – block specific Windows versions

AD CS, AD FS, and AD RMS Flashcards

Implement Identity Federation and Access Solutions; Implement Active Directory Certificate Services