MICROSOFT 2 week 7
Terms in this set (55)
What benefit does Single Sign-On provide for application users?
a. Prohibits users from being able to register multiple accounts within an application
b. Prevents users from needing to remember multiple usernames and passwords.
c. Provides users an easy way to remember the login information for the application
d. Provides for faster account lockout remediation
Which of the following are supported as attribute stores for AD FS?
a. ADAM in Windows Server 2003, and AD LDS in Windows Server 2008 and higher
b. Microsoft SQL Server 2005
c. Microsoft SQL Server 2008
d. All of the above
In order to utilize AD FS, what is the oldest version of Windows Server that any domain controller can
a. Windows Server 2003 SP1
b. Windows Server 2008 SP1
c. Windows Server 2008 R2
d. Windows Server 2012
e. Windows Server 2012 R2
What options are available for the storage of the AD FS configuration settings? (Choose all that apply)
a. SQL Server
b. AD LDS or ADAM
c. Windows Internal Database
d. AD DS
What PowerShell cmdlet would you use to list the attribute stores currently configured for AD FS?
What add-on component can you download from the Microsoft.com website to create a test
Windows Identity Foundation (WIF) application that you can use to test AD FS claims-based
a. AD FS Claims-Based Authentication Accelerator
b. Windows Identity Foundation SDK 4.0
c. Windows Identity Foundation 3.5
d. AD FS Sample Application Accelerator
While testing AD FS claims-based authentication with a sample application, you encounter an error
due to the self-signed certificate you opted to use. What can you do to eliminate this error? (Choose all
a. Add the self-signed certificate to your computer's Trusted Root Certification Authorities store
b. Add the self-signed certificate to the application server's Trusted Root Certification Authorities store
c. Issue a valid certificate from your internal CA
d. Configure AD FS to ignore self-signed certificate errors
By default, the AD FS server is configured with a claims provider trust named Active Directory. If you
are communicating with other organizations, you need to create additional claims provider trusts for
each federated organization. What options are available to get the data you need for the creation of
these claims provider trusts? (Choose all that apply)
a. Import data about the claims provider through the federation metadata
b. Manually configure the claims provider trust
c. Import data about the claims provider from a file
d. Create a site-to-site VPN tunnel to bridge networks together
What step(s) will you need to perform while configuring a claims provider trust that you will not need
to perform while configuring a relying party trust? (Choose all that apply)
a. Map attributes
b. Specify the application
c. Edit claims rules
d. Provide a URL for the partner federation server
In Windows Server 2012 R2, which of the following is used to control who can use an AD FS
application or service?
a. Usage policies
b. Proxy policies
c. Rights policies
d. Authentication policies
In AD FS, which of the following allows you to create issuance authorization rules for relying party
applications and allows you to use a custom 'Access Denied' message?
a. Relying party permission policy
b. Multifactor access control
c. Usage policy
d. Federation Service proxy
Which of the following features allows you to join a device (such as a smart phone) to the
organization network without joining the device to the Active Directory domain?
a. Workplace Join
b. Domain Join
c. Universal Join
d. Global Join
Which of the following services is used to provision a device object in AD DS and issue a certificate
for the Workplace-Joined Device?
a. Domain Join Service
b. AD FS Authentication Service
c. Device Registration Service
d. Device Emulation Service
What is another name for Asymmetric encryption?
a. Public key infrastructure
b. Public key cryptography
c. Digital certificate
d. Certificate authority
The benefits of PKI include all of the following except one item. What item listed is not a benefit of
What is the name of the role in the PKI that is responsible for the distribution of keys and the
validation of identities?
a. Certificate authority
b. Registration authority
c. Registration agent
d. Key recovery agent
Which of the following is not a choice when installing a new CA?
a. Standalone CA
b. Enterprise CA
c. Bridged CA
d. Root CA
In Windows Server 2012 R2 AD CS, how many Root CAs can you install in a single certificate hierarchy?
What file can you deploy to CAs so they have predefined values or parameters during installation?
By default, if you install a CA server on January 1, 2014, when will the CA certificate expire?
a. January 1, 2019
b. January 1, 2024
c. January 1, 2029
d. January 1, 2034
You have built a two-tier PKI with an offline Root CA and an online Enterprise Subordinate CA. What
must you do so that Active Directory clients will trust certificates issued from the Subordinate CA?
a. Manually import the Subordinate CA certificate into Active Directory one time
b. Manually import the Subordinate CA certificate into Active Directory every time the Root CA CRL is
c. Manually import the Root CA certificate into Active Directory one time
d. Manually import the Root CA certificate into Active Directory every time the Root CA CRL is updated
What is the function of the AIA?
a. It specifies where to find up-to-date CRLs that are signed by the CA
b. It specifies where to find up-to-date CRLs that are signed by the RA
c. It specifies where to find up-to-date certificates for the CA
d. It specifies which CAs are available to issue certificates to clients
What should be done as soon as possible once you have been notified that a user has lost control of
the private keys for their certificates?
a. Reset the user's password
b. Disable the user's account
c. Reissue the user a new certificate
d. Revoke the user's issued certificates
Your network has a mix of Windows, Macintosh, Linux and AIX computers. All of your internal web
applications use Web Server certificates issued by your PKI. How will you need to configure your AIA and
a. As LDAP paths
b. As file server paths
c. As URLs (HTTP paths)
d. As CIFS paths
How is an Online Responder different than a certificate revocation list (CRL)?
a. The Online Responder is available via HTTP, whereas the CRL is only available via LDAP
b. The Online Responder provides a validation response for a single certificate, whereas the CRL
provides revocation information about all revoked certificates
c. The Online Responder is accurate in real-time, whereas the CRL is time-delayed
d. The Online Responder must be provided by a domain-joined server, whereas a non domain-joined
machine can provide the CRL
Which Windows client operating systems are capable of using the Online Responder to check
certificate revocation status? (Choose all that apply)
a. Windows XP Professional
b. Windows 7
c. Windows 2000
d. Windows 8
To grant a junior administrator the ability to issue and revoke all certificate templates on your CA,
what permission would you grant his or her AD account?
a. Issue and Manage Certificates: Allow
b. Manage CA: Allow
c. Request Certificates: Allow
d. Read: Allow
What two values would be required in a CAPolicy.inf file to set the CRL period to 4 hours?
What are the contents of the certificate chain?
a. It is a list of all trusted root certificates
b. It is a list of certificate authorities that can be used to authenticate an entity certificate
c. It is a list of all trusted root certificate authorities
d. It is a list of certificates that can be used to authenticate an entity certificate
Your organization issues certificates for code signing and user authentication to employees from a
Windows Server 2012 R2-based certificate authority. In what folders of the Certificates MMC snap-in
would a user find the certificates that have been issued to him or her? (Choose all that apply)
b. Trusted People
c. Other People
d. Active Directory User Object
What usages does the User certificate allow by default? (Choose all that apply)
a. Secure Email
b. Encrypting File System
c. Client Authentication
d. Document Signing
Which of the following permissions must be configured on the ACL of a certificate template in order
for a user to be able to automatically enroll for the certificate via Group Policy? (Choose all that apply)
Which of the following URLs would be the correct one to visit to get to the Web Enrollment pages?
In addition to the permissions required on the certificate templates used for autoenrollment, what
other requirements must be met to support autoenrollment in your organization? (Choose all that
a. The certificate template must be a version 3 or higher
b. The issuing CA must be a standalone CA
c. DNS must be configured to support autoenrollment
d. Group Policy must be configured to support autoenrollment
What minimum certificate version is required to enable key archival and recovery?
a. Version 1
b. Version 2
c. Version 3
d. Version 4
As a security precaution, what should you do immediately after you have configured a CA to issue a
a. Configure the ACL on the template with the specific security principals who will be designated KRAs
b. Perform a backup of the CA database
c. Perform a backup of the server's system state
d. Publish a new Certificate Revocation List (CRL)
What must you do immediately after issuing the first KRA certificate to a trusted user to enable key
archival and recovery on the CA? (Choose all that apply)
a. Restart the CA
b. Configure key archival on the CA properties
c. Archive the keys for the issued KRA certificate
d. Perform a backup of the CA database
When performing key recovery as a KRA, in what format will you retrieve the key from the database?
a. Base64-encoded X.509
b. DER-encoded binary X.509
c. Personal Information Exchange (PKCS #12)
d. Cryptographic Message Syntax Standard (PKCS #7)
To recover a key from the CA database using the certutil utility, what information will you need
to know about the certificate?
a. The password for the private keys
b. The certificate serial number
c. The certificate subject name
d. The certificate key length
Which of the following represents the correctly formatted command to recover the keys from the CA
a. certutil -getkey 2BD06947947609FEF46B8D2E40A6F7474D7F085E c:\outfile
b. certutil -recover email@example.com c:\outfile
c. certutil -exportBlob 2BD06947947609FEF46B8D2E40A6F7474D7F085E
d. certutil -getkey
How does AD RMS protect a Microsoft Office file that has been transferred out of the organization to
an external recipient?
a. The external recipient will not be able to open the file because they cannot contact the AD RMS
b. The external recipient will not be able to open the file because they will not know the unlock
c. The external recipient will not be able to open the file because they do not have an account on the AD
d. The external recipient will not be able to open the file because they do not have the AD RMS
integrated version of Office installed
What is the name of the location in Active Directory where information about the AD RMS server is
a. Service Record
b. Service Advertisement Point
c. Service Locator Record
d. Service Connection Point
What issue should you be aware of if you perform the installation of AD RMS onto a Domain
a. AD RMS will only work for that domain
b. The AD RMS service account will be a domain administrator
c. The AD RMS service account will not support Kerberos authentication
d. AD RMS will not be able to automatically create a Service Connection Point
Which AD RMS group members have access to only policy template administration in the AD RMS
a. AD RMS Policy Administrators
b. AD RMS Policy Template Administrators
c. AD RMS Template Managers
d. AD RMS Template Administrators
To enable Kerberos authentication with AD RMS, you will need to be a member of which groups?
(Choose all that apply)
a. AD RMS Enterprise Administrators
b. Enterprise Admins
c. Domain Admins
d. Schema Admins
To enable Kerberos authentication with AD RMS, you will need to perform which of the following
actions? (Choose all that apply)
a. Raise the forest functional level to Windows Server 2008 R2
b. Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
c. Set the User Principal Name (UPN) value for the AD RMS service account
d. Set the Service Principal Names (SPN) value for the AD RMS service account
What tools provided in Windows Server 2012 R2 allow you to view the SCP configuration in Active
Directory? (Choose all that apply)
a. Active Directory Users and Computers
b. ADSI Edit
d. SCP Edit
To enable mobile devices running Windows Mobile 6 and above operating systems to obtain
certificates and licenses for their users, you will need to edit the NTFS permissions of a file. What file
must you edit the permissions for?
What is the name of the objects that are used to enforce the rights a user or group has on rights-protected
a. Protections policy templates
b. Rights policy templates
c. Restrictions policy templates
d. Rights protection templates
Which AD RMS template right would be required to allow a user the ability to use part of the
contents of the protected document in a new document?
a. Export (Save As)
Generally speaking, what could be considered the absolute minimum rights that a user could be
granted via AD RMS that would allow the user to still consume the document?
Why is it generally recommended to not delete an RMS template that has previously been used to
assign rights to documents?
a. The documents will revert to the default permissions for their location
b. The documents will revert to the permissions they had before RMS was applied
c. The documents will become inaccessible to all users except the super users group
d. The documents will become accessible to all users, including those who previously had no rights
A Temporary Rights Account Certificate has a validity period of how long?
a. 15 minutes
b. 1 hour
c. 4 hours
d. 1 day
When you back up the entire AD RMS system, which of the following databases will you need to
back up? (Choose all that apply)
a. Directory services database
b. Logging database
c. Configuration database
d. Rights database
Which of the following must be deleted when you have to recreate a new AD RMS cluster within an
Active Directory domain?
a. AD RMS SID
b. Publishing license
c. Client Licensor Certificate
d. Service Connection Point