742 Final study guide
To perform key archival, you must perform the following:
1. Configure the KRA certificate template. 2. Configure certificate managers. 3. Enable KRA. 4. Configure user templates.
To deploy software with group policies, take the following steps:
1. Create a distribution point on the publishing server. 2. Create a GPO to distribute the software package. 3. Assign or publish a package to a user or computer.
relying party trust
A ___________ identifies the relying party so that the federation server knows which applications can use AD FS.
Publish software to a user:
A program shortcut will be available in the Control Panel's Programs applet, or you can configure the application to be installed when a file that is associated with the application is opened.
AD FS supports the following attribute stores:
Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008 and later; Microsoft SQL Server 2008 (all editions) and later; a custom attribute store
Authority Information Access (AIA), CRL distribution point (CDP)
After a CA is installed, you must configure the _____ extension and _______ extension before the CA issues any certificates.
Windows Settings:
Allows you to configure Windows settings, including Name Resolution Policy, Scripts (Startup/Shutdown), Security Settings, and Policy-Based QoS nodes
Before you implement AD FS, you need to plan your implementation. You should also create a test environment so that you can foresee the potential problems.
By default, Group Policy is applied when you restart computers, or at logon for users. In addition, group policies are refreshed every 90 minutes for domain members.
Administrative Templates Property Filters.
By default, all policy settings are displayed. To narrow down the displayed list of settings, you can use these
The benefits of the PKI include:
Confidentiality: The PKI allows you to encrypt data that is stored or transmitted. Integrity: A digital signature identifies whether the data is modified while the data is transmitted. Authenticity: A message digest is digitally signed using the sender's private key. Because the digest can be decrypted only with the sender's corresponding public key, it proves that the message can come only from the sending user (nonrepudiation).
Software Settings:
Contains only one node, Software installation, which allows you to install and maintain software within your organization
Administrative Templates:
Contains registry-based Group Policy settings that are used to configure the computer environment, such as the Control Panel, Printers, System, and Windows components
Preferences settings include the following actions:
Create: Create a new preference setting for the user or computer. Replace: Delete and re-create a preference setting for the user or computer. The result is that GPP replaces all existing settings and files associated with the preference item. Update: Modify an existing preference setting for the user or computer. Delete: Remove an existing preference setting for the user or computer.
To toggle the editing state, use the following keys:
F5: Enable All; F6: Enable Current; F7: Disable Current; F8: Disable All
Network Load Balancing (NLB)
If you need scalability and high availability, you can use _____
.pfx file
If you need to import the digital certificate, you will import the certificate from a _______, which will include the public and private key.
When configuring a relying party trust, you have three options
Import data about the relying party published online or on a local network; Import data about the relying party from a file; Manually configure the claims provider trust
In the simplest scenario, an organization may deploy a federation server to be used with its own web applications.
The methods available for a user or computer to enroll for a certificate include:
Manual enrollment; CA Web enrollment; Enrollment on behalf (enrollment agent); Auto-enrollment
When configuring Administrative Templates, there are three states:
Not Configured: The registry key is not modified or overwritten. Enabled: The registry key is modified by this setting. Disabled: The Disabled settings undo a change made by a prior Enabled setting.
certificate store.
On a local computer running Windows, the certificates are stored in a _____
Active Directory group policies
One of the most powerful tools available with Active Directory is _____, which allow you to control the working environment of the computers and users of the organization. They provide centralized management and configuration of operating systems, applications, and user settings.
AD FS configuration consists of two types of organizations:
Resource organizations: Organizations that own the resources or data that are accessible from the AD FS-enabled application, similar to a trusting domain in a traditional Windows trust relationship. Account organizations: Organizations that contain the user accounts that access the resources controlled by resource organizations.
When you install a CA, you have the following choices:
Standalone CA or Enterprise CA; Root CA or Subordinate CA
Assign software to a computer:
The application is installed the next time the computer starts.
Certificate Enrollment Web Service:
The component that allows computers to connect to a CA using a web browser to request, renew, and install issued certificates; retrieve CRLs; download a root certificate; and enroll over the Internet or across forests
Network Device Enrollment Service:
The component that can be used to assign certificates to routers, switches, and other network devices
Online Responder:
The component that configures and manages Online Certificate Status Protocol (OCSP), which is used to validate and revoke certificates
Certificate Authority Policy Web Service:
The component that enables users to obtain certificate enrollment policy information
CA:
The component that issues certificates to users, computers, and services and manages certificate validity
CA Web Enrollment:
The component that provides a method to issue and renew certificates for users, computers, and devices that are not joined to the domain, are not connected directly to the network, or are for users of non-Windows operating systems
Assign software to a user:
The software is available on the user's Start menu when the user logs on. However, the installation does not occur unless the user clicks the application icon on the Start menu or a file that is associated with the application. For example, opening a .docx file installs Microsoft Word.
root CA
The top of the certificate hierarchy is the _______. Because everything branches from the root, it is trusted by all clients within an organization.
Item-level targeting:
This option is used to determine which users or computers will receive a preference based on criteria such as computer name, IP address range, operating system, security group, user, or Windows Management Instrumentation (WMI) queries. Each targeting item results in a value of either true or false. You can apply multiple targeting items to a preference item and select the logical operation (AND or OR) by which to combine each targeting item with the preceding one. If the combined value is false, the settings in the preference item are not applied to the user or computer.
Discretionary Access Control List (DACL)
To configure certificate template permissions, you need to define the ______________ for each certificate template on the Security tab.
CAPolicy.inf file.
To deploy CAs with predefined values or parameters during installation, you can use the ______. The default validity period is 5 years.
ZAP files
To distribute a software package that installs with an .exe file, you must convert the .exe file to an .msi file by using a third-party utility or you need to define a ZAP file (a file with a .zap file name extension). ZAP files are created with a text editor, such as Notepad, and they can only be published (not assigned).
collections
To help you organize the registry settings, you can use __________, which act as folders to hold the registry settings.
key archival and recovery agent
To recover lost keys, you use a _________________. You can also use automatic or manual key archival and key recovery methods to ensure that you can gain access to data in the event that your keys are lost.
Key Recovery Agent (KRA)
To recover private keys, you need to archive (or back up) the keys. Then you use a __________, which is a designated user who is able to retrieve the original certificate, private key, and public key that were used to encrypt the data from the CA database.
GPP Client-Side Extensions
To support Windows XP SP3, Windows Vista SP1, or Windows Server 2003 client computers, you must install __________ from Microsoft Downloads or Windows Update.
Web services are based on Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Discovery Description and Integration (UDDI). It also uses Security Assertion Markup Language (SAML),
ADML files.
Where the descriptions of the settings for the ADMX files are stored.
administrative templates
Windows Server 2016 includes thousands of ______ policies, which contain registry-based policy settings that are used to configure the user and computer environment.
GPP are divided into two sections:
Windows Settings and Control Panel Settings
ADMX files
Windows Vista and Windows Server 2008 introduced _____, which are based on Extensible Markup Language (XML). ADMX files can be stored in a single location called the Central Store in the SYSVOL directory; they are not stored in individual GPOs. They are also language-neutral.
Active Directory
Windows can also publish certificates to _______. Publishing a certificate in _______ enables all users or computers with adequate permissions to retrieve the certificate as needed.
You can configure Active Directory Federation Services as either a stand-alone server or as part of a server farm. You would use a stand-alone server when you want to evaluate AD FS or you want to use it for a small production environment. If you need high availability or load balancing, you will create an AD FS farm.
CA
_______ is a Windows Server 2016 server role that verifies the identity of the certificate requestors; issues certificates to requesting users, computers, and services; and manages certificate revocation. The first _____ is known as the root _____, which establishes the PKI in the network and provides the highest point in the whole structure.
Claims-based
access control uses a trusted identity provider to provide authentication.
Network drive maps
allow you to create dynamic drive mappings to network shares, modify mapped drives, delete a mapped drive, or hide or show drives.
Credential Roaming
allows user certificates and private keys to be stored in Active Directory. When using Credential Roaming, the certificates and keys are downloaded when a user logs on, and if desired, the certificate and keys are removed when the user logs off. The advantage of Credential Roaming is that the certificate and key follow the user no matter which computer the user logs on to.
Folder redirection
allows you to redirect the content of a certain folder to a network location or to another location on the user's local computer.
Asymmetric encryption,
also known as public key cryptography, uses two mathematically related keys for encryption. One key is used to encrypt the data, whereas the second key is used to decrypt it.
The certificate chain
also known as the certification path, is a list of certificates used to authenticate an entity.
Group Policy Preferences (GPP)
are made up of more than 20 new Group Policy client-side extensions (CSEs) that expand the range of configurable settings in a Group Policy Object (GPO) that were not available before.
MSI patch files
are used to apply service packs and hotfixes to installed software.
MSI transform files
are used to deploy customized MSI files.
Certificate templates
are used to simplify the task of administering a CA by allowing an administrator to identify, modify, and issue certificates that have been preconfigured for selected tasks. Certificates based on a certificate template can be issued only by an enterprise CA.
backup operator
backs up and restores files and directories.
GPP
can be configured on domain controllers running Windows Server 2008 or later.
Used to initiate a backup
certutil -backup <BackupDirectory>
CA administrator
configures and maintains the CA. CA administrators have the ability to assign all other CA roles and renew the CA certificate.
Delta CRLs
contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRL and more quickly build a complete list of revoked certificates.
The Computer Configuration node
contains settings that are applied to the computer regardless of who logs on to the computer.
The User Configuration node
contains settings that are applied when the user logs on. Group Policy settings are refreshed every 90 minutes with a random delay of up to 30 minutes (giving a range between 90 minutes and 120 minutes). On domain controllers, group policies get refreshed every five minutes.
CSP
encrypts a private key and stores the encrypted private key on the local profile and registry.
The key difference between preferences and policy settings is
enforcement
auto-enrollment
enrolls automatically
Permissions for a certificate template include:
Full Control, Read, Write, Enroll, and Autoenroll
ADM files
have been used to define the settings that an administrator can configure through Group Policy.
A security template
is a collection of configuration settings stored in a text file with the .inf extension.
Certificate Revocation List (CRL)
is a digitally signed list issued by a CA that contains the certificates issued by that CA that have been revoked.
certification practice statement (CPS)
is a policy that is defined by the issuing organization's responsibilities when issuing the certificates, including identifying the organization issuing the certificates, what the certificates will be used for, the process used when assigning the certificates, how the certificates are revoked, and how the certificates are protected.
Active Directory Certificate Services (AD CS)
is a server role that allows you to issue and manage digital certificates as part of a public key infrastructure.
The Windows Installer
is a software component used for the installation, maintenance, and removal of software on Windows. The installation information for software is stored in a Microsoft Software Installation (MSI) file, a database installation file that has an .msi file name extension.
Public key infrastructure (PKI)
is a system consisting of hardware, software, policies, and procedures that create, manage, distribute, use, store, and revoke digital certificates. PKI consists of certification authorities (CAs) and registration authorities that verify and authenticate the validity of each entity that is involved in an electronic transaction using public key cryptography.
Active Directory Rights Management Services (AD RMS)
is a technology used to provide an extra level of security to documents, such as email, Microsoft Office documents, and web pages, by using encryption to limit who can access a document or web page and what can be done with it.
Online Responder
is a trusted server that runs the Online Responder service and Online Responder web proxy to receive and respond to individual client requests for information about the status of a certificate. It implements the Online Certificate Status Protocol (OCSP).
digital certificate
is an electronic document that contains an identity, such as a user or organization name, along with a corresponding public key.
Network Device Enrollment Service (NDES)
is the Microsoft implementation of Simple Certificate Enrollment Protocol (SCEP), which is used by network devices such as switches and routers to enroll for an X.509 digital certificate from a CA.
certificate manager
issues and manages certificates, and approves certificate enrollment and revocation requests.
Auditors
manage and read security logs on a computer running the AD CS role.
Administrative Templates can be divided into
managed and non-managed and configured and not configured.
manual enrollment,
In manual enrollment, you create a private key and generate a certificate request on a device such as a web service or a computer. The request is sent to the CA to generate the certificate. The certificate is sent back to the device for installation.
X.509 version 3
The most common digital certificate is the _____.
enterprise CA
requires Active Directory and is typically used to issue certificates to users, computers, devices, and servers for an organization.
Active Directory Federation Services (AD FS)
role allows administrators to configure Single Sign-On (SSO) for web-based applications across a single organization or multiple organizations without requiring users to remember multiple user names and passwords.
editing state
specifies if the option will be delivered and processed by the client. If the setting is surrounded by a green box (solid lines) or has a green solid underline, the settings will be delivered and processed by the client. If the setting is surrounded by a red box (dashed lines) or has a red dashed underline, the settings will not be delivered and processed by the client.
CDP extension
specifies where to find up-to-date CRLs that are signed by the CA.
AIA extension
specifies where to find up-to-date certificates for the CA.
Rights
specify what a user or group can do on a system.
enrollment on behalf (enrollment agent),
the CA administrator creates an enrollment agent account for the user. The user with enrollment agent rights can then enroll for certificates on behalf of other users such as when the administrator needs to preload logon certificates of new employees' smart cards.
CA Web enrollment
uses a website on a CA to obtain certificates. The website uses Internet Information Services (IIS), and the AD CS web enrollment role has been installed and configured.
Online Certificate Status Protocol (OCSP)
which allows a recipient of a certificate to submit a certificate status request to a responder by using the Hypertext Transfer Protocol (HTTP).
registration authority (RA)
which might or might not be the same server as the CA, is used to distribute keys, accept registrations for the CA, and validate identities. The RA does not distribute digital certificates; instead, the CA does.
standalone CA
works without Active Directory and does not need Active Directory; however, the server can be a member of a domain.