Section 6 - Chapter 15 Flashcards

1
Q

AD CS Role Services

A

Certificate Authority - issues and manages certs
CA Web Enrollment - allows users to: request and renew certs, retrieve CRLs, enroll for smart card certs
Online Responder - makes cert revocation data accessible
Network Device Enrollment Service - certs for routers and other hardware
Cert Enrollment Web Services - enroll and renew certs when computer does not belong to domain or is outside security boundary
Cert Enrollment Policy Web Service - policy-based auto-enrollment for Cert Enrollment Web Service users; provides policies, not certs

2
Q

Comparison

Publish CA config to AD DS

A

Stand Alone - optional

Enterprise - mandatory

3
Q

Comparison

CA Cert Data Integration w/ AD DS Forests

A

Stand Alone - optional, manual process

Enterprise - mandatory and automatic

4
Q

Comparison

CRL publication in AD DS Forest

A

Stand Alone - optional, manual process

Enterprise - mandatory and automatic, includes delta CRLs and cross certificates

5
Q

Comparison

AD DS forest publication assigned per template, as an attribute of the template

A

Stand Alone - n/a

Enterprise - supported

6
Q

Comparison

Web Enrollment for cert requests and validation

A

Stand Alone - supported

Enterprise - supported

7
Q

Comparison

Cert MMC for request and validation

A

Stand Alone - n/a

Enterprise - supported

8
Q

Comparison

Cert requests through HTTP or HTTPS

A

Stand Alone - supported

Enterprise - supported

9
Q

Comparison

Cert requests through RPC and DCOM

A

Stand Alone - n/a

Enterprise - default mode

10
Q

Comparison

V1 templates with custom object identifiers (OID) as source of certs

A

Stand Alone - Default

Enterprise - n/a

11
Q

Comparison

V2 & V3 templates - can be customized and duplicated

A

Stand Alone - n/a

Enterprise - default

12
Q

Comparison

User input during cert requests

A

Stand Alone - manual

Enterprise - retrieved from AD DS

13
Q

Comparison

Supported enrollment methods

A

Stand Alone - automatic or pending for all templates

Enterprise - automatic or pending, applied on a per template basis

14
Q

Comparison

Cert approval process

A

Stand Alone - manual

Enterprise - manual or automatic through AD DS

15
Q

Comparison

Cert Publishing

A

Stand Alone - manually to client or CA; to AD DS through a custom policy module

Enterprise - depends on cert type and setting; can be auto-enrolled into the client's cert store and published in AD DS

16
Q

Comparison

Cert publishing and management through AD DS

A

Stand Alone - n/a

Enterprise - supported

17
Q

Deployment Options

A

Stand Alone - DC, Member Server or Stand Alone Server; Standard, Enterprise or Datacenter edition

Enterprise - DC or Member Server; Enterprise or Datacenter edition

18
Q

CPS - Certificate Policy Statement

A

Clear definition of who your company is
A list of your certificate policies
A general statement of the procedures used to issue, assign and revoke certs
A description of the methods used to protect CAs
Revocation policy used

19
Q

AD CS New Features in 2008 R2

A

Certificate Enrollment and Certificate Enrollment Policy Web Services

Certificate enrollment across forests

Better support for high-volume CAs

20
Q

AD CS Web Services

A

Cert enrollment over HTTP/HTTPS

Proxy between client and CA

Direct communication between client and CA unnecessary

Allows enrollment over the internet and across forests

21
Q

Functional Levels Needed for AD CS Web Services

A

Forest Functional Level 2008 R2

CA running 2003 and above

Client Computers Win 7

Cross Forest Enroll - CA running Enterprise or Datacenter

22
Q

Cross Forest Enrollment

A

Two Way Trust

Forest Functional Level 2003

Issue Certs - forest functional level 2003

Enrollment - forest functional level 2008 R2

Clients do not need an update

23
Q

High Volume CAs

A

Windows Server Network Access Protection (NAP) may require non-persistent cert processing

Bypasses certain CA database operations - does not store each request record and issued cert

Improves performance and reduces CA operational costs

Can no longer revoke certs or manage CRLs

24
Q

AD CS Hosting Server Config

A

Multiple processors

Minimal RAM

Separate disks for the store on the Root CA

Another disk for logs on the Issuing CA

Medium key lengths

RAID balanced for reliability and performance

25
Stand Alone Root CA - Installation
AD CS is the only role needed
Create new private key or use existing
Choose CN - name will be embedded in every subordinate cert issued by the chain; cannot change once installed
Set Validity Period
Select cert db and cert db log file paths
26
Create a new private key
Only for internal networks
Select Cryptographic Service Provider (CSP)
Key Character Length
Hash Algorithm
Allow Admin Interaction When Private Key is Accessed by the CA
27
Using An Existing Key
Reinstalling machine
Chained to 3rd party, must be pre-installed
28
Roles That Can Be Installed in AD CS
Certificate Authority
CA Web Enrollment
Online Responder
Network Device Enrollment Service
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
29
CA Properties General Tab
Name, cryptography, hash setting, view cert
30
CA Properties Policy Module Tab
Properties - Request Handling
Pending, Admin Must Install
Follow Settings in Template or Automatic
31
CA Properties Exit Module
Windows Default - publishes certs when issued
Properties - allow certs to be published to the file system
32
CA Properties Extensions
CRL Distribution Point (CDP)
Authority Information Access (AIA)
Specify locations from which users can obtain a CRL
Publishing options
33
CA Properties Storage
Shows if AD DS integrated
Paths to db and db logs
34
CA Properties Certificate Managers
Can restrict the rights of Administrators, Domain Admins and Enterprise Admins, or of others who have been added through the Security Tab
Allow or Deny
35
CA Properties Auditing Options
Back up and Restore
Changes to Configuration
Changes to Security Settings
Issue and Manage Cert Requests
Revoke Certs and Publish CRLs
Store and Retrieve Archived Keys
Start and Stop AD CS
36
CA Properties Security
Permissions:
Read
Issue and Manage Certs (Local, Domain & Enterprise Admins)
Manage CA (Local, Domain and Enterprise Admins)
Request Certs (authenticated users)
Can add users or groups that can then be allowed or denied management rights on the Certificate Managers tab
37
certutil
- viewstore = verifies publication
- dspublish = publishes a cert or CRL to AD
- resubmit = resubmits a pending request
- revoke = revokes a cert
- CRL = publishes a new CRL
- pulse = pulses autoenrollment events
38
Enterprise Issuing CA Install
CA and OR
Automatically adds: IIS and RSAT
Do not select Allow Admin Interaction - the CA must be able to interact with all users needing certs
Make the request for a cert, or save the request and submit it manually; save to the Documents folder
39
Adding Root CA cert to Issuing CA
On Root - rc (right-click) Contoso-Root-CA, All Tasks, Submit New Request, specify file location
rc Pending Requests, All Tasks, Issue
rc Issued Cert, Details tab, Copy to File > opens export wizard, choose format
40
Export File Formats
DER encoded binary X.509 (.cer) - non-Windows computers
Base-64 encoded X.509 (.cer) - supports S/MIME, usually used for non-Windows servers
Cryptographic Message Syntax Standard - PKCS #7 (.p7b) - transfers certs and their chained paths
Personal Information Exchange - PKCS #12 (.pfx) - transfers certs and their chained paths, and transfers the private key as well as the public
Microsoft Serialized Certificate Store - transfers root certs from one computer to another
41
Import Cert and Start Service on Issuing
rc Issuing-CA, All Tasks, Install CA Certificate
rc Issuing-CA, All Tasks, Start Service
42
CA Properties Additional Tabs On Enterprise CAs
Enrollment Agents - can restrict enrollment agents to certain certs and give allow or deny access
Recovery Agents - archive or do not archive when the cert request includes key archival
43
Prep for Install NDES
Create a service account identity
Server Manager, Configuration, Local Users and Groups, IIS_IUSRS group > add the service account identity
44
Install NDES
Cannot be installed at the same time as AD CS
rc AD CS, Add Role Services
IIS automatically added
Specify service account identity as user
RA (registration authority) setup - will assign and manage certs assigned to network devices
Config cryptography
Adds additional web files
45
Credentials for AD CS Installation
Local Admin
46
ORs
Responds to specific cert validation requests through Online Certificate Status Protocol (OCSP)
Relies on PKI
Does not need full CRL
Client can request validation for a specific cert
OR decodes the validation request, sending back an encrypted response
47
Finalizing the Config of Issuing CA
Create certificate revocation config
Config and personalize cert templates
Config enrollment and issuance options
48
Personalizing Templates
EFS - involves planning a recovery agent
Wireless Networks - enforces strong authentication and encrypts all communications
Smart Cards - supports two-factor authentication
Websites and e-commerce - web server certs; can also protect DCs and encrypt communication to and from them
49
Create Revocation Config for CA
Specify Certificate Revocation List (CRL) distribution points
Config CRL and Delta CRL overlap periods
Schedule publication of CRLs
50
CRL Distribution Point
Issuing CA, Properties, Extensions tab; set the drop-down list to CDP; check the "Publish CRLs to this location" and "Publish Delta CRLs to this location" check boxes
51
Config CRL and Delta CRL Overlap Periods
The four registry values are set with certutil (value and units are placeholders for the number and the unit name):
```
certutil -setreg ca\CRLOverlapUnits <value>
certutil -setreg ca\CRLOverlapPeriod <units>
certutil -setreg ca\CRLDeltaOverlapUnits <value>
certutil -setreg ca\CRLDeltaOverlapPeriod <units>
```
52
Config Pub of the CRLs
Issuing CA, Revoked Certificates, Properties
Set publication intervals: CRL 1 week, Delta 1 day
For high throughput and high availability, decrease the values
53
Cert Templates Pub to AD DS
Must be connected to DC while working with the templates
54
Working with Cert Templates
Select source template, rc, Duplicate, and select the version of Windows
Name template
Customize template
Save template
55
Basic EFS Templates
Request Handling Tab - Archive Subject's Encryption Private Key; Use Advanced Symmetric Algorithm to Send the Key to the CA
Subject Name Tab - adds Alternative Subject Name values
56
EFS Recovery Agent Template
Publish cert in AD
Use the same settings on the other tabs that were used on the Basic EFS duplicate
57
Network Policy Server (NPS) Template
Used for wireless networks
Create and config for autoenrollment
RAS and IAS Server template as source for the NPS template
Publish in AD
Security Tab - select the RAS and IAS Servers group to assign Autoenroll and Enroll permissions
58
Smartcard Logon and Smartcard User Templates
Name and publish in AD
Do not use autoenrollment for these; use smart card enrollment stations to distribute cards
59
Web Server and Domain Controller Authentication Templates
Do not use the DC template - made for earlier versions of the OS
Name and publish in AD
60
Issuing Templates
Issuing CA, Certificate Templates
rc Certificate Templates, New, Certificate Template to Issue
Select cert template(s)
61
Config Enrollment in GP
Must be assigned to all members of the domain
Computer Config or User Config \Policies\Windows Settings\Security Settings\Public Key Policies
dc (double-click) Certificate Services Client - Auto-Enrollment
Enable; Renew expired certs, update pending certs, and remove revoked certs
Update certs that use cert templates - if certs were already issued manually
On User Config - can enable Expiration Notification
62
Set Default Action for Issuing CA
rc Issuing CA server name, Properties
Policy Module Tab, Properties
Set to Pending (Admin must issue) or Follow Cert Setting; otherwise Automatic
63
Config of Online Responder
Config and install OCSP Response Signing cert
Config AIA extension support
Assign template to a CA
Enroll system to obtain cert
64
OR Array
Two or more CAs acting as ORs
65
Config OCSP Response Signing Cert
Duplicate cert template and name it
Publish in AD
Security Tab - add the CA server that hosts the OR and give Enroll and Autoenroll permissions
66
Config AIA Extension
rc Issuing CA, Properties, Extensions Tab
Extension drop-down list - AIA
Specify locations to obtain revocation data
Include in the AIA extension of issued certs
Include in the OCSP extension
Certificate Templates, New, Certificate Template to Issue
Select OCSP Response Signing template to enable
67
Verify OCSP cert assigned to server
Create MMC: Certificates snap-in, Computer Account, Local Computer, save
Expand Certificates\Personal, Certificates, rc, Request New Certificate
AD Enrollment Policy
Select the new OCSP cert and click Enroll
rc new cert, All Tasks, Manage Private Keys, Security Tab
Local server name in location; add Network Service, give Full Control permission
68
Adding Revocation Config for OR
Online Responder, Revocation Configuration, rc, Add
Assign a valid name - each revocation config is tied to a particular CA, so use the CA name in it
Select location - AD, local cert store or a file
Locate Root CA in AD
Select signing method - auto, manual, or CA cert (uses cert from CA)
Provider - add under Base CRLs and Delta CRLs: http:\\localhost\ca.crl
Repeat for each CA that is an OR
69
AD CS & AD DS
Relies on LDAP to get info from the directory store
70
AD CS & RSAT
To get the MMC snap-in to manage certs on a Win 7 workstation, select AD CS tools in the RSAT tools
71
Cross-Certification
Created to establish the relationship between the original cert and the renewed root
72
Exit Module
publish or send email notification
73
Enterprise PKI or PKIView - command line
View status of deployment and the entire PKI hierarchy; drill down into individual CAs to identify issues with config or operations
Can link to CAs quickly: rc CA, Manage CA
Access to Manage Templates
Access to Certs container in AD DS
Icons show green (healthy), yellow (minor issues) and red (critical issues)
74
Backing Up CAs
Certification Authority Backup Wizard
Select items: Private Key and CA Cert; Cert db and cert db log (full or incremental)
Identify backup location
Assign strong password
Can also use certutil on the command line
75
Restoring CAs
Certification Authority Restore Wizard
Stop CA service
Select items to restore: Private Key and CA Cert; Cert db and db logs
Enter location of backup files
Provide password
Restart AD CS service
76
Web Based Download Locations for CRL Distribution
CDP and AIA HTTP locations
Must be created manually in IIS
Secondary locations needed for mobile or external users outside the network; the URLs specified must be available externally
AD DS integrated deployment does not need web-based secondary locations; the directory service is responsible for AIA and CRL distribution
77
Web Support for CRLs
Points to the CertEnroll virtual directory under the default website as the CDP; not created by default, must be created in IIS
78
AD CS Server Name and Role
After AD CS is installed, the server name and domain status cannot be changed (cannot be demoted from or promoted to DC)
79
EFS
Encryption of NT File System; allows offline folders to maintain the encryption set on the server
80
BitLocker
Vista or Win 7 - allows the entire hard drive, aside from some boot files, to be encrypted
81
Base CRL and Delta CRL Overlap
The amount of time at the end of a published CRL's lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable
The default value is 10% of the CRL's lifetime
82
CRL Lifetime
Revoked Certificates, CRL Publishing Parameters tab
Base default - 1 week
Delta default - 1 day
83
Enterprise PKI - rc
Manage Templates
Manage AD Containers
Options - can set Cert, CRL and Delta CRL status to expiring
84
Publish CRL Manually
rc Revoked Certificates
85
4 Ways To Enroll For Certs
MMC Based Enrollment
Auto Enrollment
Web Based Enrollment
Manual Enrollment
86
Cert Web Enrollment Service and Cert Web Enrollment Policy
The cert web enrollment service enables users to obtain certs using the policies provided by the cert web enrollment policy service; these policies enable cert enrollment when the client computer is not a member of, or not currently connected to, the domain
Also enables cross-forest cert enrollment for Win 7 or 2008 R2 clients
87
Cert Web Enroll & GP
Computer / User Config: Policies\windows settings\security policy\public key policies\certificate services client - certificate enrollment policy
88
CA Web Enrollment
Provides a set of web pages that interact with a CA
Can be installed on a server that is not a CA to keep web traffic away from the CA
Install configures the computer as an enrollment registration authority
The CA used is called the Target CA
If CA Web Enrollment is installed on a computer that is not the Target CA, the computer account where it is installed must be trusted for delegation in order to present the client identity to the CA