742 Final study guide


To perform key archival, you must perform the following:

1. Configure the KRA certificate template.
2. Configure certificate managers.
3. Enable KRA.
4. Configure user templates.

To deploy software with group policies, take the following steps:

1. Create a distribution point on the publishing server.
2. Create a GPO to distribute the software package.
3. Assign or publish a package to a user or computer.

relying party trust

A ___________ identifies the relying party so that the federation server knows which applications can use AD FS.

Publish software to a user:

A program shortcut will be available in the Control Panel's Programs applet, or you can configure the application to be installed when a file that is associated with the application is opened.

AD FS supports the following attribute stores:

Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008 and later
Microsoft SQL Server 2008 (all editions) and later
A custom attribute store

Authority Information Access (AIA), CRL distribution point (CDP)

After a CA is installed, you must configure the _____ extension and _______ extension before the CA issues any certificates.

Windows Settings:

Allows you to configure Windows settings, including Name Resolution Policy, Scripts (Startup/Shutdown), Security Settings, and Policy-Based QoS nodes

Before you implement AD FS, you need to plan your implementation. You should also create a test environment so that you can foresee the potential problems.


By default, Group Policy is applied when you restart computers, or at logon for users. In addition, group policies are refreshed every 90 minutes for domain members.


Administrative Templates Property Filters.

By default, all policy settings are displayed. To narrow down the displayed list of settings, you can use these.

The benefits of the PKI include:

Confidentiality: The PKI allows you to encrypt data that is stored or transmitted.
Integrity: A digital signature identifies whether the data is modified while the data is transmitted.
Authenticity: A message digest is digitally signed using the sender's private key. Because the digest can be decrypted only with the sender's corresponding public key, it proves that the message can come only from the sending user (nonrepudiation).

Software Settings:

Contains only one node, Software installation, which allows you to install and maintain software within your organization

Administrative Templates:

Contains registry-based Group Policy settings that are used to configure the computer environment, such as the Control Panel, Printers, System, and Windows components

Preference settings include the following actions:

Create: Create a new preference setting for the user or computer.
Replace: Delete and re-create a preference setting for the user or computer. The result is that GPP replaces all existing settings and files associated with the preference item.
Update: Modify an existing preference setting for the user or computer.
Delete: Remove an existing preference setting for the user or computer.

To toggle the editing state, use the following keys:

F5: Enable All
F6: Enable Current
F7: Disable Current
F8: Disable All

Network Load Balancing (NLB)

If you need scalability and high availability, you can use _____

.pfx file

If you need to import the digital certificate, you will import the certificate from a _______, which will include the public and private key.

When configuring a relying party trust, you have three options:

Import data about the relying party published online or on a local network
Import data about the relying party from a file
Manually configure the claims provider trust

In the simplest scenario, an organization may deploy a federation server to be used with its own web applications.


The methods available for a user or computer to enroll for a certificate include:

Manual enrollment
CA Web enrollment
Enrollment on behalf (enrollment agent)
Auto-enrollment

When configuring Administrative Templates, there are three states:

Not Configured: The registry key is not modified or overwritten.
Enabled: The registry key is modified by this setting.
Disabled: The Disabled setting undoes a change made by a prior Enabled setting.

certificate store.

On a local computer running Windows, the certificates are stored in a _____

Active Directory group policies

One of the most powerful tools available with Active Directory is _____ that allow you to control the working environment of the computers and users of the organization. It provides the centralized management and configuration of operating systems, applications, and user settings

AD FS configuration consists of two types of organizations:

Resource organizations: Organizations that own the resources or data that are accessible from the AD FS-enabled application, similar to a trusting domain in a traditional Windows trust relationship.
Account organizations: Organizations that contain the user accounts that access the resources controlled by resource organizations.

When you install a CA, you have the following choices:

Standalone CA or Enterprise CA
Root CA or Subordinate CA

Assign software to a computer:

The application is installed the next time the computer starts.

Certificate Enrollment Web Service:

The component that allows computers to connect to a CA using a web browser to request, renew, and install issued certificates; retrieve CRLs; download a root certificate; and enroll over the Internet or across forests

Network Device Enrollment Service:

The component that can be used to assign certificates to routers, switches, and other network devices

Online Responder:

The component that configures and manages Online Certificate Status Protocol (OCSP), which is used to validate and revoke certificates

Certificate Authority Policy Web Service:

The component that enables users to obtain certificate enrollment policy information

CA:

The component that issues certificates to users, computers, and services and manages certificate validity

CA Web Enrollment:

The component that provides a method to issue and renew certificates for users, computers, and devices that are not joined to the domain, are not connected directly to the network, or are for users of non-Windows operating systems

Assign software to a user:

The software is available on the user's Start menu when the user logs on. However, the installation does not occur unless the user clicks the application icon on the Start menu or a file that is associated with the application. For example, opening a .docx file installs Microsoft Word.

root CA

The top of the certificate hierarchy is the _______. Because everything branches from the root, it is trusted by all clients within an organization.

Item-level targeting:

This option is used to determine which users or computers will receive a preference based on criteria such as computer name, IP address range, operating system, security group, user, or Windows Management Instrumentation (WMI) queries. Each targeting item results in a value of either true or false. You can apply multiple targeting items to a preference item and select the logical operation (AND or OR) by which to combine each targeting item with the preceding one. If the combined value is false, the settings in the preference item are not applied to the user or computer.

Discretionary Access Control List (DACL)

To configure certificate template permissions, you need to define the ______________ for each certificate template on the Security tab.

CAPolicy.inf file.

To deploy CAs with predefined values or parameters during installation, you can use the ______. The default validity period is 5 years.

ZAP files

To distribute a software package that installs with an .exe file, you must convert the .exe file to an .msi file by using a third-party utility or you need to define a ZAP file (a file with a .zap file name extension). ZAP files are created with a text editor, such as Notepad, and they can only be published (not assigned).

collections

To help you organize the registry settings, you can use __________, which act as folders to hold the registry settings.

key archival and recovery agent

To recover lost keys, you use a _________________. You can also use automatic or manual key archival and key recovery methods to ensure that you can gain access to data in the event that your keys are lost.

Key Recovery Agent (KRA)

To recover private keys, you need to archive (or back up) the keys. Then you use a __________, which is a designated user who is able to retrieve the original certificate, private key, and public key that were used to encrypt the data from the CA database.

GPP Client-Side Extensions

To support Windows XP SP3, Windows Vista SP1, or Windows Server 2003 client computers, you must install __________ from Microsoft Downloads or Windows Update.

Web services are based on Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Discovery Description and Integration (UDDI). They also use Security Assertion Markup Language (SAML),


ADML files.

Where the descriptions of the settings for the ADMX files are stored.

administrative templates

Windows Server 2016 includes thousands of ______ policies, which contain registry-based policy settings that are used to configure the user and computer environment.

GPP are divided into two sections:

Windows Settings and Control Panel Settings

ADMX files

Windows Vista and Windows Server 2008 introduced _____, which are based on Extensible Markup Language (XML). ADMX files can be stored in a single location called the Central Store in the SYSVOL directory; they are not stored in individual GPOs. They are also language neutral.

Active Directory

Windows can also publish certificates to _______. Publishing a certificate in _______ enables all users or computers with adequate permissions to retrieve the certificate as needed.

You can configure Active Directory Federation Services as either a stand-alone server or as part of a server farm. You would use a stand-alone server when you want to evaluate AD FS or you want to use it for a small production environment. If you need high availability or load balancing, you will create an AD FS farm.


CA

_______ is a Windows Server 2016 server role that verifies the identity of the certificate requestors; issues certificates to requesting users, computers, and services; and manages certificate revocation. The first _____ is known as the root _____, which establishes the PKI in the network and provides the highest point in the whole structure.

Claims-based

access control uses a trusted identity provider to provide authentication.

Network drive maps

allow you to create dynamic drive mappings to network shares, modify mapped drives, delete a mapped drive, or hide or show drives.

Credential Roaming

allows user certificates and private keys to be stored in Active Directory. When using Credential Roaming, the certificates and keys are downloaded when a user logs on, and if desired, the certificate and keys are removed when the user logs off. The advantage of Credential Roaming is that the certificate and key follow the user no matter which computer the user logs on to.

Folder redirection

allows you to redirect the content of a certain folder to a network location or to another location on the user's local computer.

Asymmetric encryption,

also known as public key cryptography, uses two mathematically related keys for encryption. One key is used to encrypt the data, whereas the second key is used to decrypt it.

The certificate chain

also known as the certification path, is a list of certificates used to authenticate an entity.

Group Policy Preferences (GPP)

are made up of more than 20 new Group Policy client-side extensions (CSEs) that expand the range of configurable settings in a Group Policy Object (GPO) that were not available before.

MSI patch files

are used to apply service packs and hotfixes to installed software.

MSI transform files

are used to deploy customized MSI files.

Certificate templates

are used to simplify the task of administering a CA by allowing an administrator to identify, modify, and issue certificates that have been preconfigured for selected tasks. Certificates based on a certificate template can be issued only by an enterprise CA.

backup operator

backs up and restores files and directories.

GPP

can be configured on domain controllers running Windows Server 2008 or later.

Used to initiate a backup

certutil -backup <BackupDirectory>

CA administrator

configures and maintains the CA. CA administrators have the ability to assign all other CA roles and renew the CA certificate.

Delta CRLs

contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRL and more quickly build a complete list of revoked certificates.

The Computer Configuration node

contains settings that are applied to the computer regardless of who logs on to the computer.

The User Configuration node

contains settings that are applied when the user logs on. Group Policy settings are refreshed every 90 minutes with a random delay of 30 minutes (giving a random range between 90 minutes and 120 minutes). On domain controllers, group policies get refreshed every five minutes.

CSP

encrypts a private key and stores the encrypted private key on the local profile and registry.

The key difference between preferences and policy settings is

enforcement

auto-enrollment

enrolls automatically

permissions for a certificate template include:

full control, read, write, enroll and auto enroll

ADM files

have been used to define the settings that an administrator can configure through Group Policy.

A security template

is a collection of configuration settings stored in a text file with the .inf extension.

Certificate Revocation List (CRL)

is a digitally signed list issued by a CA that contains the certificates issued by that CA that have been revoked.

certification practice statement (CPS)

is a policy that defines the issuing organization's responsibilities when issuing certificates, including identifying the organization issuing the certificates, what the certificates will be used for, the process used when assigning the certificates, how the certificates are revoked, and how the certificates are protected.

Active Directory Certificate Services (AD CS)

is a server role that allows you to issue and manage digital certificates as part of a public key infrastructure.

The Windows Installer

is a software component used for the installation, maintenance, and removal of software on Windows. The installation information for software is stored in a Microsoft Software Installation (MSI) file in a database installation file that has an .msi file name extension.

Public key infrastructure (PKI)

is a system consisting of hardware, software, policies, and procedures that create, manage, distribute, use, store, and revoke digital certificates. PKI consists of certification authorities (CAs) and registration authorities that verify and authenticate the validity of each entity that is involved in an electronic transaction using public key cryptography.

Active Directory Rights Management Services (AD RMS)

is a technology used to provide an extra level of security to documents, such as email, Microsoft Office documents, and web pages, by using encryption to limit who can access a document or web page and what can be done with it.

Online Responder

is a trusted server that runs the Online Responder service and Online Responder web proxy to receive and respond to individual client requests for information about the status of a certificate. It implements the Online Certificate Status Protocol (OCSP).

digital certificate

is an electronic document that contains an identity, such as a user or organization name, along with a corresponding public key.

Network Device Enrollment Service (NDES)

is the Microsoft implementation of Simple Certificate Enrollment Protocol (SCEP), which is used by network devices such as switches and routers to enroll for an X.509 digital certificate from a CA.

certificate manager

issues and manages certificates, and approves certificate enrollment and revocation requests.

Auditors

manage and read security logs on a computer running the AD CS role.

Administrative Templates can be divided into

managed and non-managed and configured and not configured.

manual enrollment,

With manual enrollment, you create a private key, and a certificate request is generated on a device such as a web service or a computer. The request is sent to the CA to generate the certificate. The certificate is sent back to the device for installation.

X.509 version 3

The most common digital certificate is the _____.


enterprise CA

requires Active Directory and is typically used to issue certificates to users, computers, devices, and servers for an organization.

Active Directory Federation Services (AD FS)

role allows administrators to configure Single Sign-On (SSO) for web-based applications across a single organization or multiple organizations without requiring users to remember multiple user names and passwords.

editing state

specifies if the option will be delivered and processed by the client. If the setting is surrounded by a green box (solid lines) or has a green solid underline, the settings will be delivered and processed by the client. If the setting is surrounded by a red box (dashed lines) or has a red dashed underline, the settings will not be delivered and processed by the client.

CDP extension

specifies where to find up-to-date CRLs that are signed by the CA.

AIA extension

specifies where to find up-to-date certificates for the CA.

Rights

specify what a user or group can do on a system.

enrollment on behalf (enrollment agent),

the CA administrator creates an enrollment agent account for the user. The user with enrollment agent rights can then enroll for certificates on behalf of other users such as when the administrator needs to preload logon certificates of new employees' smart cards.

CA Web enrollment

uses a website on a CA to obtain certificates. The website runs on Internet Information Services (IIS) and requires that the AD CS web enrollment role be installed and configured.

Online Certificate Status Protocol (OCSP)

which allows a recipient of a certificate to submit a certificate status request to a responder by using the Hypertext Transfer Protocol (HTTP).

registration authority (RA)

which might or might not be the same server as the CA, is used to distribute keys, accept registrations for the CA, and validate identities. The RA does not distribute digital certificates; instead, the CA does.

standalone CA

works without Active Directory and does not need Active Directory; however, the server can be a member of a domain.
