MICROSOFT 2 week 7
Terms in this set (55)
B
What benefit does Single Sign-On provide for application users?
a. Prohibits users from being able to register multiple accounts within an application
b. Prevents users from needing to remember multiple usernames and passwords.
c. Provides users an easy way to remember the login information for the application
d. Provides for faster account lockout remediation
D
Which of the following are supported as attribute stores for AD FS?
a. ADAM in Windows Server 2003, and AD LDS in Windows Server 2008 and higher
b. Microsoft SQL Server 2005
c. Microsoft SQL Server 2008
d. All of the above
A
In order to utilize AD FS, what is the oldest version of Windows Server that any domain controller can
be using?
a. Windows Server 2003 SP1
b. Windows Server 2008 SP1
c. Windows Server 2008 R2
d. Windows Server 2012
e. Windows Server 2012 R2
A,C
What options are available for the storage of the AD FS configuration settings? (Choose all that apply)
a. SQL Server
b. AD LDS or ADAM
c. Windows Internal Database
d. AD DS
D
What PowerShell cmdlet would you use to list the attribute stores currently configured for AD FS?
a. List-ADFSAttributeStore
b. Show-ADFSAttributeStore
c. Display-ADFSAttributeStore
d. Get-ADFSAttributeStore
B
What add-on component can you download from the Microsoft.com website to create a test
Windows Identity Foundation (WIF) application that you can use to test AD FS claims-based
authentication?
a. AD FS Claims-Based Authentication Accelerator
b. Windows Identity Foundation SDK 4.0
c. Windows Identity Foundation 3.5
d. AD FS Sample Application Accelerator
A,C
While testing AD FS claims-based authentication with a sample application, you encounter an error
due to the self-signed certificate you opted to use. What can you do to eliminate this error? (Choose all
that apply)
a. Add the self-signed certificate to your computer's Trusted Root Certification Authorities store
b. Add the self-signed certificate to the application server's Trusted Root Certification Authorities store
c. Issue a valid certificate from your internal CA
d. Configure AD FS to ignore self-signed certificate errors
A,B,C
By default, the AD FS server is configured with a claims provider trust named Active Directory. If you
are communicating with other organizations, you need to create additional claims provider trusts for
each federated organization. What options are available to get the data you need for the creation of
these claims provider trusts? (Choose all that apply)
a. Import data about the claims provider through the federation metadata
b. Manually configure the claims provider trust
c. Import data about the claims provider from a file
d. Create a site-to-site VPN tunnel to bridge networks together
A,C
What step(s) will you need to perform while configuring a claims provider trust that you will not need
to perform while configuring a relying party trust? (Choose all that apply)
a. Map attributes
b. Specify the application
c. Edit claims rules
d. Provide a URL for the partner federation server
D
In Windows Server 2012 R2, which of the following is used to control who can use an AD FS
application or service?
a. Usage policies
b. Proxy policies
c. Rights policies
d. Authentication policies
B
In AD FS, which of the following allows you to create issuance authorization rules for relying party
applications and allows you to use custom 'Access Denied' message?
a. Relying party permission policy
b. Multifactor access control
c. Usage policy
d. Federation Service proxy
A
Which of the following features allows you to join a device (such as a smart phone) to the
organization network without joining the device to the Active Directory domain?
a. Workplace Join
b. Domain Join
c. Universal Join
d. Global Join
C
Which of the following services is used to provision a device object in AD DS and issue a certificate
for the Workplace-Joined Device?
a. Domain Join Service
b. AD FS Authentication Service
c. Device Registration Service
d. Device Emulation Service
B
What is another name for Asymmetric encryption?
a. Public key infrastructure
b. Public key cryptography
c. Digital certificate
d. Certificate authority
A
The benefits of PKI include all of the following except one item. What item listed is not a benefit of
PKI?
a. Availability
b. Integrity
c. Confidentiality
d. Authenticity
B
What is the name of the role in the PKI that is responsible for the distribution of keys and the
validation of identities?
a. Certificate authority
b. Registration authority
c. Registration agent
d. Key recovery agent
C
Which of the following is not a choice when installing a new CA?
a. Standalone CA
b. Enterprise CA
c. Bridged CA
d. Root CA
A
In Windows Server 2012 R2 AD CS, how many Root CAs can you install in a single certificate hierarchy?
a. One
b. Two
c. Three
d. Unlimited
D
What file can you deploy to CAs so they have predefined values or parameters during installation?
a. CAValue.xml
b. CAConfig.inf
c. CASetting.xml
d. CAPolicy.inf
A
By default, if you install a CA server on January 1, 2014, when will the CA certificate expire?
a. January 1, 2019
b. January 1, 2024
c. January 1, 2029
d. January 1, 2034
C
You have built a two-tier PKI with an offline Root CA and an online Enterprise Subordinate CA. What
must you do so that Active Directory clients will trust certificates issued from the Subordinate CA?
a. Manually import the Subordinate CA certificate into Active Directory one time
b. Manually import the Subordinate CA certificate into Active Directory every time the Root CA CRL is
updated
c. Manually import the Root CA certificate into Active Directory one time
d. Manually import the Root CA certificate into Active Directory every time the Root CA CRL is updated
C
What is the function of the AIA?
a. It specifies where to find up-to-date CRLs that are signed by the CA
b. It specifies where to find up-to-date CRLs that are signed by the RA
c. It specifies where to find up-to-date certificates for the CA
d. It specifies which CAs are available to issue certificates to clients
D
What should be done as soon as possible once you have been notified that a user has lost control of
the private keys for their certificates?
a. Reset the user's password
b. Disable the user's account
c. Reissue the user a new certificate
d. Revoke the user's issued certificates
C
Your network has a mix of Windows, Macintosh, Linux and AIX computers. All of your internal web
applications use Web Server certificates issued by your PKI. How will you need to configure your AIA and
CDP?
a. As LDAP paths
b. As file server paths
c. As URLs (HTTP paths)
d. As CIFS paths
B
How is an Online Responder different than a certificate revocation list (CRL)?
a. The Online Responder is available via HTTP, whereas the CRL is only available via LDAP
b. The Online Responder provides a validation response for a single certificate, whereas the CRL
provides revocation information about all revoked certificates
c. The Online Responder is accurate in real-time, whereas the CRL is time-delayed
d. The Online Responder must be provided by a domain-joined server, whereas a non domain-joined
machine can provide the CRL
B,D
Which Windows client operating systems are capable of using the Online Responder to check
certificate revocation status? (Choose all that apply)
a. Windows XP Professional
b. Windows 7
c. Windows 2000
d. Windows 8
A
To grant a junior administrator the ability to issue and revoke all certificate templates on your CA,
what permission would you grant his or her AD account?
a. Issue and Manage Certificates: Allow
b. Manage CA: Allow
c. Request Certificates: Allow
d. Read: Allow
A,B
What two values would be required in a CAPolicy.inf file to set the CRL period to 4 hours?
a. CRLPeriod=Hours
b. CRLPeriodUnits=4
c. CRLDeltaPeriod=Hours
d. CRLDeltaPeriodUnits=4
D
What are the contents of the certificate chain?
a. It is a list of all trusted root certificates
b. It is a list of certificate authorities that can be used to authenticate an entity certificate
c. It is a list of all trusted root certificate authorities
d. It is a list of certificates that can be used to authenticate an entity certificate
A,D
Your organization issues certificates for code signing and user authentication to employees from a
Windows Server 2012 R2-based certificate authority. In what folders of the Certificates MMC snap-in
would a user find the certificates that have been issued to him or her? (Choose all that apply)
a. Personal
b. Trusted People
c. Other People
d. Active Directory User Object
A,B,C
What usages does the User certificate allow by default? (Choose all that apply)
a. Secure Email
b. Encrypting File System
c. Client Authentication
d. Document Signing
A,C,D
Which of the following permissions must be configured on the ACL of a certificate template in order
for a user to be able to automatically enroll for the certificate via Group Policy? (Choose all that apply)
a. Read
b. Write
c. Enroll
d. Autoenroll
...
Which of the following URLs would be the correct one to visit to get to the Web Enrollment pages?
a. https://<servername>/certificates
b. https://<servername>/ca
c. https://<servername>/certsrv
d. https://<servername>/certsrvcs
B,D
In addition to the permissions required on the certificate templates used for autoenrollment, what
other requirements must be met to support autoenrollment in your organization? (Choose all that
apply)
a. The certificate template must be a version 3 or higher
b. The issuing CA must be a standalone CA
c. DNS must be configured to support autoenrollment
d. Group Policy must be configured to support autoenrollment
B
What minimum certificate version is required to enable key archival and recovery?
a. Version 1
b. Version 2
c. Version 3
d. Version 4
A
As a security precaution, what should you do immediately after you have configured a CA to issue a
KRA certificate?
a. Configure the ACL on the template with the specific security principals who will be designated KRAs
b. Perform a backup of the CA database
c. Perform a backup of the server's system state
d. Publish a new Certificate Revocation List (CRL)
B,C
What must you do immediately after issuing the first KRA certificate to a trusted user to enable key
archival and recovery on the CA? (Choose all that apply)
a. Restart the CA
b. Configure key archival on the CA properties
c. Archive the keys for the issued KRA certificate
d. Perform a backup of the CA database
D
When performing key recovery as a KRA, in what format will you retrieve the key from the database?
a. Base64-encoded X.509
b. DER-encoded binary X.509
c. Personal Information Exchange (PKCS #12)
d. Cryptographic Message Syntax Standard (PKCS #7)
B
To recover a key from the CA database using the certutil utility, what information will you need
to know about the certificate?
a. The password for the private keys
b. The certificate serial number
c. The certificate subject name
d. The certificate key length
A
Which of the following represents the correctly formatted command to recover the keys from the CA
database?
a. certutil -getkey 2BD06947947609FEF46B8D2E40A6F7474D7F085E c:\outfile
b. certutil -recover jdoe@contoso.local c:\outfile
c. certutil -exportBlob 2BD06947947609FEF46B8D2E40A6F7474D7F085E
c:\outfile
d. certutil -getkey
E491A9091F91DB1E4750EB05ED5E79842DEB36A2574C55EC8B1989DEF94B6CF507AB22
3002E8183EF85009D37F41A898F9D1CA669C246B11D0A3BBE41B2AC31F959E7A0CA447
8B5BD4163733CBC40F4DCE1469D1C91972F55D0ED57F5F9BF22503BA558F4D5D0DF164
3523154B15591DB394F7F69C9ECF50BAC15850678F08B420F7CBAC2C206F70B63F0130
8CB743CF0F9D3DF32B49281AC8FECEB5B90ED95E1CD6CB3DB53AADF40F0E00920BB121
162E74D53C0DDB6216ABA37192475355C1AF2F41B3F8FBE370CDE6A34C457E1F4C6B50
964189C474620B10834187338A81B13058EC5A04328C68B38F1DDE6573FF675E65BC49
D8769F331465A17794C92D c:\outfile
A
How does AD RMS protect a Microsoft Office file that has been transferred out of the organization to
an external recipient?
a. The external recipient will not be able to open the file because they cannot contact the AD RMS
server
b. The external recipient will not be able to open the file because they will not know the unlock
password
c. The external recipient will not be able to open the file because they do not have an account on the AD
RMS server
d. The external recipient will not be able to open the file because they do not have the AD RMS
integrated version of Office installed
D
What is the name of the location in Active Directory where information about the AD RMS server is
published?
a. Service Record
b. Service Advertisement Point
c. Service Locator Record
d. Service Connection Point
B
What issue should you be aware of if you perform the installation of AD RMS onto a Domain
Controller?
a. AD RMS will only work for that domain
b. The AD RMS service account will be a domain administrator
c. The AD RMS service account will not support Kerberos authentication
d. AD RMS will not be able to automatically create a Service Connection Point
D
Which AD RMS group members have access to only policy template administration in the AD RMS
console?
a. AD RMS Policy Administrators
b. AD RMS Policy Template Administrators
c. AD RMS Template Managers
d. AD RMS Template Administrators
A,B
To enable Kerberos authentication with AD RMS, you will need to be a member of which groups?
(Choose all that apply)
a. AD RMS Enterprise Administrators
b. Enterprise Admins
c. Domain Admins
d. Schema Admins
B,D
To enable Kerberos authentication with AD RMS, you will need to perform which of the following
actions? (Choose all that apply)
a. Raise the forest functional level to Windows Server 2008 R2
b. Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
c. Set the User Principal Name (UPN) value for the AD RMS service account
d. Set the Service Principal Names (SPN) value for the AD RMS service account
B,C
What tools provided in Windows Server 2012 R2 allow you to view the SCP configuration in Active
Directory? (Choose all that apply)
a. Active Directory Users and Computers
b. ADSI Edit
c. LDP
d. SCP Edit
D
To enable mobile devices running Windows Mobile 6 and above operating systems to obtain
certificates and licenses for their users, you will need to edit the NTFS permissions of a file. What file
must you edit the permissions for?
a. MobileDeviceConfiguration.asmx
b. WindowsMobileADRMSConfiguration.asmx
c. MobileDeviceParticipate.asmx
d. MobileDeviceCertification.asmx
B
What is the name of the objects that are used to enforce the rights a user or group has on rights-protected content?
a. Protections policy templates
b. Rights policy templates
c. Restrictions policy templates
d. Rights protection templates
C
Which AD RMS template right would be required to allow a user the ability to use part of the
contents of the protected document in a new document?
a. Export (Save As)
b. Save
c. Extract
d. Edit
A
Generally speaking, what could be considered the absolute minimum rights that a user could be
granted via AD RMS that would allow the user to still consume the document?
a. View
b. Edit
c. Save
d. Extract
C
Why is it generally recommended to not delete an RMS template that has previously been used to
assign rights to documents?
a. The documents will revert to the default permissions for their location
b. The documents will revert to the permissions they had before RMS was applied
c. The documents will become inaccessible to all users except the super users group
d. The documents will become accessible to all users, including those who previously had no rights
A
A Temporary Rights Account Certificate has a validity period of how long?
a. 15 minutes
b. 1 hour
c. 4 hours
d. 1 day
A,B,C
When you back up the entire AD RMS system, which of the following databases will you need to
back up? (Choose all that apply)
a. Directory services database
b. Logging database
c. Configuration database
d. Rights database
D
Which of the following must be deleted when you have to recreate a new AD RMS cluster within an
Active Directory domain?
a. AD RMS SID
b. Publishing license
c. Client Licensor Certificate
d. Service Connection Point