QUESTION 231
Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA).
You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping.
You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site. What should you do?
A. Run certutil.exe -crl.
B. Run certutil.exe -delkey.
C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.
D. From Active Directory Users and Computers, modify the Contact object for the external partner.
Answer: A
Explanation:
certutil.exe -crl will publish a new CRL so that the web server knows the user’s certificate is no longer valid.
-delkey is not a valid parameter of certutil.exe, nor would the certificate need to be deleted. The equivalent of this was accomplished when you revoked the certificate. However, the website is still not aware of this revocation until the next CRL is published.
Removing the user from the IIS_IUSRS group will restrict their access to the website files, but they will still likely have a minimum of read access to the site.
Modifying contact information for the partner in no way restricts their access to the system.
QUESTION 232
You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certification authority (CA) server that meets the following requirements:
- Allows the certification authority to automatically issue certificates
- Integrates with Active Directory Domain Services
What should you do?
A. Purchase a certificate from a third-party certification authority. Import the certificate into the computer store of the schema master.
B. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.
C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA.
D. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.
Answer: D
Explanation:
Both of these features are only available with an Enterprise CA. Standalone CAs do not integrate with Active Directory and do not allow automatic handling of certificate requests.
Importing a third-party certificate into the schema master will only allow it to verify secure requests made to it; it will not allow it to function as a CA.
QUESTION 233
Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that the Enterprise CA option is not available. You need to install the AD CS server role as an Enterprise CA. What should you do first?
A. Add the DNS Server server role.
B. Join the server to the domain.
C. Add the Web Server (IIS) server role and the AD CS server role.
D. Add the Active Directory Lightweight Directory Services (AD LDS) server role.
Answer: B
Explanation:
The question specifies it is a stand-alone server, meaning it is not part of the Active Directory domain. Enterprise CAs integrate with Active Directory, so the server must first be a member of the domain before it can serve as an Enterprise CA.
The other server roles can be used in conjunction with certificate services, but are not requirements for establishing certificate services.
QUESTION 234
You have a Windows Server 2008 R2 server that has the Active Directory Certificate Services server role installed.
You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL).
What should you do?
A. Install and configure an Online Responder.
B. Install and configure an additional domain controller.
C. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations.
Answer: A
Explanation:
Online Responders are specifically designed to lighten the load of CRL transfers by only working with changes since the last CRL, rather than transferring the entire CRL.
Domain controllers do not handle certificate requests. Updating the list of Trusted Root CAs will only ensure certain servers are trusted to handle CRLs, but will not lighten the traffic load of CRL downloads.
QUESTION 235
Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings. Which two tasks should you perform? (Each Answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit Object Access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.
Answer: AD
Explanation:
In order to audit changes to CA settings you must enable Audit Object Access on the CA itself. As with other auditing procedures, however, this alone will not perform the audit; it only allows audits to take place on the server.
In order for auditing to start, you must configure auditing on the CA using the Certification Authority snap-in.
The CertLog and CertSrv directories contain the log and application files, respectively, associated with certificate services. Auditing access to these files will not let you know which specific configuration and security settings were changed.
QUESTION 236
Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1.
You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.
What should you do?
A. Remove the Request Certificates permission from the Domain Users group.
B. Remove the Request Certificates permission from the Authenticated Users group.
C. Assign the Allow – Manage CA permission to only the Security Manager user account.
D. Assign the Allow – Issue and Manage Certificates permission to only the Security Manager user account.
Answer: D
Explanation:
The Allow – Issue and Manage Certificates permission is the only one that will allow a user to issue, approve or revoke certificates.
The Allow – Manage CA permission will grant the user ability to configure CA settings, but not to handle certificate requests.
The Request Certificates permission is not required or used for revoking certificates.
QUESTION 237
You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).
You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates.
You grant the Account Operators group the Issue and Manage Certificates permission on the CA.
Which three tasks should you perform next? (Each Answer presents part of the solution. Choose three.)
A. Enable the Restrict Enrollment Agents option on the CA.
B. Enable the Restrict Certificate Managers option on the CA.
C. Add the Basic EFS certificate template for the Account Operators group.
D. Grant the Account Operators group the Manage CA permission on the CA.
E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.
Answer: BCE
Explanation:
To manage a specific certificate template, a group or user first needs the Issue and Manage permission (already assigned). This will allow them to manage all certificates assigned to them, so we must do the following to prevent Account Operators from being able to manage other certificates:
1. Assign the Basic EFS template to the group so they are able to manage it
2. Remove all other templates assigned to Account Operators so they do not have access to other templates
3. Restrict Certificate Managers to the Account Operators group so other users/groups are not able to manage certificates
The question specifies that the Account Operators group must manage Basic EFS certificates. The ability to enroll for certificates is not required, so restricting Enrollment Agents will not achieve the desired outcome.
The Manage CA permission will give the Account Operators group permission to configure CA settings but will not allow them to manage certificates.
QUESTION 238
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2.
Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2.
You need to configure Server1 to support the Online Responder.
What should you do?
A. Import the enterprise root CA certificate.
B. Configure the Certificate Revocation List Distribution Point extension.
C. Configure the Authority Information Access (AIA) extension.
D. Add the Server2 computer account to the CertPublishers group.
Answer: C
Explanation:
The AIA extension informs the Online Responder where it can find up-to-date certificates in the enterprise.
Importing the enterprise root CA certificate is needed when that CA needs to be added to a Trusted Root store (the list of trusted CAs). As an Enterprise CA, Server1 would already be in the enterprise Trusted Root store. The CRL Distribution Point extension informs servers where the latest CRLs (revocation lists) can be located. Online Responders do not transfer the full CRL, only information about a particular certificate.
Members of the CertPublishers group are allowed to publish certificates. An Online Responder does not need to publish certificates.
QUESTION 239
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA).
You need to ensure that only Administrators can sign code.
Which two tasks should you perform? (Each Answer presents part of the solution. Choose two.)
A. Publish the Code Signing template.
B. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only Administrators to apply the policy.
C. Edit the local computer policy of the Enterprise Root CA to allow only Administrators to manage Trusted Publishers.
D. Modify the security settings on the template to allow only Administrators to request code signing certificates.
Answer: AD
Explanation:
For someone to sign code, the Code Signing template must be published to the CA.
The question also specifies that only administrators should be assigned this template. This means we must update the template’s Security tab to remove other groups from being able to receive the template.
Management of Trusted Publishers will allow the administrators to determine who can sign drivers, but will not provide them the certificate necessary to do so.
Allowing Administrators the ability to apply a policy that enables Trust Peer Certificates will allow them to trust self-issued certificates, but not to sign them.
QUESTION 240
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.
The Enterprise Intermediate CA certificate expires.
You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.
What should you do?
A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.
C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object.
D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.
Answer: D
Explanation:
All computers must receive the certificate. This is only possible through the Default Domain policy.
The Default Domain Controllers policy will only deploy the certificate to domain controllers. Importing the certificate to the Root CA or Intermediate CA will only deploy the certificate to that specific server, not to all computers in the enterprise.