MCITP Guide 70-646 by XL07a39U

Chapter 9 Solutions
Review Questions

  1.   You are working with your supervisor to order Windows Server 2008 for a server that will
       function as a certificate authority. One of your goals is to use Network Device Enrollment Service.
       Your supervisor wants to order Windows Server 2008 Standard Edition for the cost savings. What
       is your response?
            Answer: c. Standard Edition Active Directory Certificate Services does not include support
            for Network Device Enrollment.

  2.   Which of the following are health and diagnostics features that can be installed with IIS? (Choose
       all that apply.)
             Answer: a. Tools for Web server logs and d. ODBC logging for databases

  3.   You are training a new employee to manage a Web server and are in the process of installing IIS.
       Which of the following are prerequisites for installing IIS? (Choose all that apply.)
          Answer: b. TCP/IP installed on the IIS host server and c. A service, such as DNS and WINS,
          to resolve addresses

  4.   You have installed IIS but your IIS server does not handle digital IDs for security. Which of the
       following modules should you install?
            Answer: d. IIS Client Certificate Mapping Authentication

  5.   Your school has a Web site with links for each department, such as for English, math, biology, and
       so on. Each department wants to maintain its own portion of the site. Which of the following can
       you set up for each department to maintain its own Web files?
           Answer: d. a virtual directory for each department.

  6.   A(n) _____ root CA is fully integrated with Active Directory.
           Answer: enterprise

  7.   You are on an IT planning committee that is discussing how to implement the use of PKI and
       certificate authorities. One of the committee members believes it is important for the sake of
       security to divide up PKI management so that the server administrator manages CA servers and
       the IT security administrator manages the administration of digital certificates. What roles exist
       within Active Directory Certificate Services to accomplish such a division of responsibilities?
       (Choose all that apply.)
            Answer: c. certificate manager and d. administrator

  8.   A Web server that handles e-mail coming in through the Internet must be compatible with the
       _____ Protocol.
           Answer: Simple Mail Transfer or SMTP

  9.   What tool for Active Directory Certificate Services enables you to start, stop, back up, and restore
       a CA?
           Answer: c. Certification Authority MMC snap-in

  10. A server administrator has implemented ten specialized Level 1 certificate templates to use with a
      CA. Which of the following is a limitation this server administrator should take into
          Answer: a. Level 1 certificate templates do not support autoenrollment.

  11. In several departments of your company, such as the research department and shipping
      department, many users work at different workstations throughout the day. Which of the following
      role services should you install with Active Directory Certificate Services to enable certificate data
      to follow users from computer to computer?
           Answer: b. credential roaming

  12. Your college enables students to access student information such as classes they have taken and
      their grades by using a special college Web site. Since students do not log on through the network,
      is there another way to authenticate the students when they access their college information
      through the Web?
           Answer: d. Implement the AD CS certification authority Web enrollment service.

  13. Name four types of information that would be found in an X.509 certificate.
         Answer: Any four of the following elements given in the book:
                        Certificate format version
                        Certificate serial number
                        Signature algorithm identifier
                        Certificate authority (certificate issuer)
                        Length of time the certificate is valid
                        ID of the certificate holder
                        Public key data

  14. Which of the following are part of the steps for configuring autoenrollment? (Choose all that
      Answer: a. Configure a group policy to enable autoenrollment.

  15. Your Web site contains pages of special events. You don’t always remember to deactivate these
      Web pages and some remain available after the event has occurred. How can you prevent the
      display of Web pages that are no longer current?
          Answer: b. Configure the HTTP response headers function to expire specific documents.

  16. Which of the following can you accomplish with IIS Manager? (Choose all that apply.)
         Answer: b. manage ASP .NET, c. manage logging of Web server activities, and d. manage
         server certificates

  17. What AD CS capability enables digital certificates to be used with network routers?
         Answer: The network device enrollment service (which is a role service)

  18. Your company has a busy network and wants to use AD CS as efficiently as possible. Which of
      the following revocation alternatives would work best for them?
           Answer: d. Online Responder Service using Online Certificate Status Protocol (OCSP)

  19. What tool is used to configure certificate templates?
         Answer: Certificate Templates MMC snap-in

  20. Users complain that when an error occurs on your Web site confusing messages are displayed.
      What IIS feature enables you to address this problem?
          Answer: Use IIS Manager to configure error pages to display more informative messages.

Hands-On Projects Tips and Solutions for Chapter 9
  Activity 9-1

This project enables students to install the Web Server (IIS) role via Server Manager.

In Step 6, the role services installed by default are as follows:

Under Common HTTP Features:
    Static Content
    Default Document
    Directory Browsing
    HTTP Errors

Under Health and Diagnostics:
    HTTP Logging
    Request Monitor

Under Security:
    Request Filtering

Under Performance:
    Static Content Compression

Under Management Tools:
    IIS Management Console

Activity 9-2
This activity enables students to create a virtual directory.

In Step 8, to share the directory, click the Share button to configure it for sharing.

Activity 9-3
In this activity, students perform some basic configuration steps for their Web site.

In Step 3, to rename the Web site, click Rename from the shortcut menu; and to restart the Web site,
click Manage Web Site from the shortcut menu and click Restart.

Activity 9-4
In this activity, students install the Active Directory Certificate Services role from Server Manager.

In Step 3, the other role services that can be installed are:
      Certification Authority Web Enrollment
      Online Responder
      Network Device Enrollment Service

In Step 10, the other option is Use existing private key. If this option is selected two other options can
be specified: Select a certificate and use its associated private key or Select an existing private key on
this computer.

In Step 14, the default certificate database location is \Windows\system32\CertLog (this is typically on
drive C:, but your system may differ).

Activity 9-5

This activity enables students to manage a CA using the Certification Authority tool from the
Administrative Tools menu.

In Step 2, the folders of information are:
      Revoked Certificates
      Issued Certificates
      Pending Certificates
      Failed Requests
      Certificate Templates
Also in Step 2, to view the revoked certificates students would open the Revoked Certificates folder in
the right pane.

In Step 10, the groups set up by default as certificate managers are:
      BUILTIN\Administrators
      DOMAINNAME\Domain Admins
      DOMAINNAME\Enterprise Admins

Activity 9-6

In this activity, students use the Certificate Templates snap-in to configure the Workstation
Authentication template for autoenrollment.

Activity 9-7
Students learn how to use the Group Policy Management Editor snap-in to enable and configure the
autoenrollment default domain group policy.

Activity 9-8
For this activity, students use the Group Policy Management Editor snap-in to enable the credential
roaming group policy.

Case Projects
       United Industrial Supply sells industrial tools and parts to manufacturing companies. Their
       inventory includes specialized drills, tooling components, machinery parts, saws, fasteners,
       motors, and nearly any part to keep a manufacturing company going. United Industrial Supply has
       grown exponentially and wants to develop a Web site so that customers can order directly through
       the Web.

       United Industrial Supply has very little competition because of its size and ability to be a one-stop
       supply source for manufacturers. More companies are looking into developing a similar business
       and so United Industrial Supply is concerned about implementing improved security to keep their
       sensitive business information confidential.

       United Industrial Supply currently uses Windows Server 2008 servers and employees use
       Windows Vista and Windows 7 workstations. They have selected a server running Windows
       Server 2008 Enterprise Edition on which to establish their initial Web site. Because they are
       expanding so rapidly United Industrial Supply has hired you through Aspen Consulting to help
       develop the Web server and implement more security measures.

   Case Project 9-1: Setting Up a Web Server

    The United Industrial Supply management team is considering options for the Web server. They
    have asked you to write a report or create a slide show covering the following:
         What IIS features can benefit the company's plan to sell manufacturing equipment
         Is there an effective tool to manage the Web server after it is installed? If so, what are its
         Does IIS provide security to protect the Web-based assets, such as Web documents, after
            they are set up?


Students can take several directions with this answer, but here are some ideas:

         IIS has many features. One important feature is that it can be installed in modules so that only
          those portions of IIS that are necessary are installed. This is also a good security measure
          because it reduces the attack surface of the Web server. Students might also mention some or
          all of the following example features:
                 Authentication: enables use of different authentication methods.
                 Compression: enables Web files to be compressed to save disk space.
                 Default document: for specifying default Web pages.
                 Directory browsing: for listing folder contents.
                 Error pages: to customize error messages that users see.
                 Handler mappings: to configure .dll and code files.
                 HTTP response headers: to set expiration dates, code files, and other files for use by
                 Logging: for logging Web server activities.
                 MIME types: for configuring file extensions.
                 Modules: for configuring code modules.
                 Output caching: for caching output to help make the server respond faster.
                 SSL settings: for encrypted communications to ensure protection for the company
                    and its customers.
          Still another advantage is the ability to use FTP to download and upload files. Further, you
          can use virtual pages for storing Web documents and application pools for coordinating Web
         The IIS Manager is the tool to use for managing the Web site and IIS. This tool has the
          following advantages:
                 Enables you to connect to a Web server on your computer or remotely connect to a
                    Web server, an application, or site.
                 Have connections to multiple Web servers, applications, and sites.
                 Manage a Web server.
                 Manage ASP .NET.
                 Manage authorization for users and for specific Web server roles.
                 Manage Web server logging.
                 Compress Web server files.
                 Manage code modules and worker processes.
                 Manage server certificates.
                 Troubleshoot a Web server.
         IIS provides security through several means that include:
                 SSL encryption
                 Authentication techniques
                 Lower attack surface when you install only the IIS modules you need
                 NTFS permissions that can be applied, such as to virtual directories
                 Share permissions that can be used

Case Project 9-2: Planning a Public Key Infrastructure

    You have been talking with the management team about using a public key infrastructure and
    digital certificates to enhance the company's security. For their next meeting with you they ask
    that you prepare a report or slide show to explain the following as a way to help them with
          Public-key encryption
          Digital certificates
          Certificate authorities

              As noted in the text, public-key encryption is a method that uses a public key and private
               key combination. The public key can be communicated over an unsecured connection,
               but the private keys used by the sender and the receiver are never shared in this way. One
               key is used to encrypt the data, and the other key is used to decrypt it, which is why this
               method is called asymmetric encryption. The public key/private key method uses an
               encryption algorithm developed by Whitfield Diffie and Martin Hellman, involving the
               use of prime numbers and numbers that are nearly prime numbers. This approach
               constructs values that have the mathematical characteristics of two “difficult to find”
               prime values.
             Digital certificates are issued by certificate authorities (CAs) to entities, such as users, as
              a way to authenticate communications from those entities. The X.509 standard has been
              developed as a way to standardize certificates using information such as a certificate
              serial number, name of the CA, length of time the certificate is valid, ID of the certificate
              holder, and public key data.
              A certificate authority (CA) is a computer, usually a server, that issues and revokes
               digital certificates. In AD CS there are four kinds of CAs: enterprise root, enterprise
               subordinate, standalone root, and standalone subordinate. For this company, the
               recommendation should be an enterprise root CA with enterprise subordinate CAs. Students
               might explain the advantages of the enterprise CA's integration with Active Directory, so
               that Active Directory data can be used for authentication. Students might also create a
               diagram showing the relationship between the root and subordinate CAs.

Case Project 9-3: Planning for Autoenrollment

    As you are training the server administrator, she says she has heard of autoenrollment but is uncertain
    about its function in PKI. How would you explain the function of autoenrollment, how to plan for it,
    and how to set it up in AD CS?

Autoenrollment enables digital certificate clients to be enrolled automatically by a CA so there is no
intervention on the part of the CA administrator, certificate manager, or recipient. This service can
save the CA administrator or certificate manager significant time and headaches.
Planning for autoenrollment entails first planning the CA structure of the root and subordinate CAs.
Next, it is important to recognize that autoenrollment is based on the use of certificate templates. There
are many existing certificate templates and in many cases the CA administrator or certificate manager
can simply select the templates appropriate for the specific need. It is also important to recognize in the
planning that Level 1 certificate templates cannot be used with autoenrollment.
The steps for setting up autoenrollment involve:
         Configuring the autoenrollment permission in the security of the designated certificate
         Configuring a group policy, such as the default domain policy, so that autoenrollment is
          enabled as a public key policy.

Case Project 9-4: Digital Certificate Security for the Web

    The server administrator that you are training is interested in implementing digital certificate
    security for the new Web server. She also is aware that the company is planning to implement new
    Web-based applications for internal company use, particularly for tracking budgets. Address the
    following questions for the server administrator:
          What AD CS capability enables digital certificate security for Web applications?
          What planning considerations are there for this capability?
          How do you install the digital certificate security capability?


         Web enrollment is the AD CS capability that can be used to implement digital certificate
          security for the Web applications.
         Web enrollment can provide Web customers and the internal Web users better security, which
          is important for planning. These are all users that will access Web information, and so they
          will expect strong security. Web enrollment is particularly important for the internal company
          Web applications. Users of these applications may not be authenticated through Active
          Directory because they don't have to log on through an account on the network to use a Web
          application. Even so, they are still covered because they must pass through digital certificate
          security to use the Web applications. Another planning consideration is that only Level 1 and
          2 certificate templates can be used with Web enrollment, and not Level 3.
         Web enrollment is installed as the Certification Authority Web Enrollment service in AD CS,
          which is an AD CS role service. This means it can be installed at the time AD CS is installed,
          or it can be installed later through Server Manager (open the AD CS role and install it as a
          role service).
