SC0-502 Real Exam Prep DEMO

Question 8: Evaluate the rollout, test, and modify as needed to improve the overall security of the
Certkiller trusted network.
C. You design the plan for two weeks, and then you present it to Blue. Your plan follows
these critical steps:
1. Draft a Certificate Policy (CP) document to define what users will be allowed to do
with their certificates, and a Certification Practice Statement (CPS) document to define
the technology used to ensure the users are able to use their certificates as per the CPS.
2. Draft a Certificate Practices Framework (CPF) document based on RFC 2527,
including every primary component.
3. Design the system to be a full hierarchy, with the Root CA located in the executive
building. Every remote office will have a subordinate CA, and every other building on
the campus in Testbed will have a subordinate CA.
4. Design the hierarchy with each remote office and building having it's own enrollment
CA.
5. Build a small test pilot program, to test the hierarchy, and integration with the existing
network.
6. Implement the CA hierarchy in the executive office, and get all users acclimated to the
system.
7. Implement the CA hierarchy in each other campus building in Testbed, and get all
users acclimated to the system.
8. One at a time, implement the CA hierarchy in each remote office; again getting all
users acclimated to the system.
9. Test the team in each location on proper use and understanding of the overall PKI and
their portion of the trusted network.
10. Evaluate the rollout, test, and modify as needed to improve the overall security of the
Certkiller trusted network.
D. You design the plan for two weeks, and then you present it to Blue. Your plan follows
these critical steps:
1. Draft a Certificate Policy (CP) document to define what users will be allowed to do
with their certificates, and a Certification Practice Statement (CPS) document to define
the technology used to ensure the users are able to use their certificates as per the CPS.
2. Draft a Certificate Practices Framework (CPF) document based on RFC 2527,
including every primary component.
3. Design the system to be a full mesh, with the Root CA located in the executive
building.
4. Design the mesh with each remote office and building having it's own Root CA.
5. Build a small test pilot program, to test the hierarchy, and integration with the existing
network.
6. Implement the CA mesh in the executive office, and get all users acclimated to the
system.
7. Implement the CA mesh in each other campus building in Testbed, and get all users
acclimated to the system.
8. One at a time, implement the CA mesh in each remote office; again getting all users
acclimated to the system.
9. Test the team in each location on proper use and understanding of the overall PKI and
their portion of the trusted network.
10. Evaluate the rollout, test, and modify as needed to improve the overall security of the
Certkiller trusted network.
E. You design the plan for two weeks, and then you present it to Blue. Your plan follows
these critical steps:
1. Draft a Certification Practice Statement (CPS) to define what users will be allowed to
do with their certificates, and a Certificate Policy (CP) to define the technology used to
ensure the users are able to use their certificates as per the CPS.
2. Draft a CPF based on your own guidelines, including physical and technology
controls.
3. Design the system to be a full mesh, with the Root CA located in the executive
building.
4. Design the mesh with each remote office and building having it's own Root CA.
5. Build a small test pilot program, to test the hierarchy, and integration with the existing
network.
6. Implement the CA mesh in the executive office, and get all users acclimated to the
system.
7. Implement the CA mesh in each other campus building in Testbed, and get all users
acclimated to the system.
8. One at a time, implement the CA mesh in each remote office; again getting all users
acclimated to the system.
9. Test the team in each location on proper use and understanding of the overall PKI and
their portion of the trusted network.
10. Evaluate the rollout, test, and modify as needed to improve the overall security of the
Certkiller trusted network.
Correct Answer: C
5.Blue thanks you for your plan and design and took it into consideration. You are
then informed that Blue has gone ahead and made a new plan, which will
incorporate some of your suggestions, but is going to build the network a bit
differently. In Testbed and in each remote office there will be a single self-sufficient
CA hierarchy, one that is designed to directly integrate with the existing network.
Blue mentions that the hierarchy is only to go two-levels deep, you are not to make
an extensive hierarchy in any location. This means a distinct CA hierarchy in six
locations, inclusive of the Testbed headquarters.
Using this information, choose the solution that will provide for the proper rollout
of the Certificate Authorities in the network.}
A. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as the Registration Authority
3. Configure CATool on the Root CA
4. Configure CATool on the Registration Authority, as a subordinate to the Root CA
5. Once the Subordinate CA is active, take the Root CA offline
6. Configure users for the CAs
7. Configure each Root CA to trust each other Root CA via cross certification
8. Test the CA hierarchy
9. Have the local administrative staff inform and train each user how to connect to the
Registration Authority through their browser and request a certificate
B. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as a Registration Authority
3. Configure a Windows Enterprise Root CA
4. Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross
certification
5. Configure a Windows Stand-Alone Subordinate Enrollment Authority to function as
the Registration Authority
6. Once the Stand-Alone Subordinate is installed, take the Enterprise Root CA offline
7. Test the CA hierarchy
8. Have the local administrative staff inform and train each user how to connect to the
Registration Authority through their browser and request a certificate
C. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as the Registration Authority
3. Configure a Windows Enterprise Root CA
4. Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross
certification
5. Configure a Windows Enterprise Registration Authority, as a subordinate to the
Enterprise Root CA
6. Once the Subordinate CA is active, take the Enterprise Root CA offline
7. Test the CA hierarchy
8. Have the local administrative staff inform and train each user how to connect to the
Registration Authority through their browser and request a certificate
D. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as the Registration Authority
3. Configure CATool on the Root CA
4. Configure CATool on the Registration Authority, as a subordinate to the Root CA
5. Configure users for the CAs
6. Configure each Root CA to trust each other Root CA via cross certification
7. Test the CA hierarchy
8. Have the local administrative staff inform and train each user how to connect to the
Registration Authority through their browser and request a certificate
E. In each location, you recommend the following steps:
1. Harden a system to function as the Root CA
2. Harden a system to function as the Registration Authority
3. Configure a Windows Enterprise Root CA
4. Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross
certification
5. Configure a Windows Registration Authority, as a subordinate to the Enterprise Root
CA
6. Test the CA hierarchy
7. Have the local administrative staff inform and train each user how to connect to the
Registration Authority through their browser and request a certificate
Correct Answer: E
6.Now that you have a fully functioning CA hierarchy in each location, and that the
trusted network is well underway, you are called in to meet with Blue. Blue comes
into the room, and you talk to one another for a while. It seems that now with the
CA hierarchy in place, you need to plan the certificate rollout for the individual
users and computers in the network.
Since this is the executive building, Blue places higher security requirements here
than on the other buildings. Certificates need to be issued to all the entities,
computers and users, in the network. Blue has decided that for all senior level
management, the process for certificate issuance should be even more secure than
the rest of the deployment.
Based on this information, and you understanding of the Certkiller environment,
choose the best solution to assigning certificates to the computers and users of the
trusted network in the Executive building:}
A. You meet with the other administrators of the executive building and let them know
what you are working on, and how they can help. You will first assign certificates to the
computers in the network, followed by assigning certificates to the users in the network.
For this task, you divide the other administrators into four teams, one per floor of the
building. Each team will be responsible for the assigning of certificates to the computers
and users on the corresponding floor. To make the process faster, you have decided to
install a new CA for each floor. The team leader on each floor will install and configure
the CA, and you will oversee the process.
With the new CAs installed, one administrator from each team goes to each desk on the
floor and makes a request for a certificate for the computer using Internet Explorer. Once
the machine certificate is installed, the administrator has each user log on to their
machine and the administrator walks the user through the process of connecting to the
CA_SERVER\certsrv on their floor to request a user certificate.
To ensure the security of the senior level management, you lead the team on the fourth
floor. You install the new CA yourself, and oversee the configuration of the certificates
for every machine and user on the floor.
B. You meet with the other administrators of the executive building and let them know
what you are working on, and how they can help. You will first assign certificates to the
computers in the network. To make the process easier, you have decided to configure the
network so that the computers will request certificates automatically. In order to do this
you perform the following steps:
1. You open Active Directory Users and Computers
2. You use Group Policy to edit the domain policy that is controlling the executive
building.
3. You expand Computer Configuration to Public Key Policies, and you click the
Automatic Certificate request option.
4. In the template list, you select computer, and define CA as the location to send the
request.
5. You restart the computers that you can, and wait for the policy to refresh on the
systems you cannot restart.
Once you finishing setting up the computers to be assigned certificates, you shift your
focus to all the users in the executive building. In order to have each user obtain a
certificate you issue a memo (the actual memo goes into extreme detail on each step,
even listing common questions and answers) to all users that instructs them to perform
the following steps:
1. Log on to your computer as your normal user account
2. Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3. Select the option to Request A Certificate, and to choose a User Certificate Request
type, then submit the request.
4. When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management. For these people, you want the
security to be higher, so you select a stronger algorithm for their certificates. With all the
other certificates, you used the default key strength and algorithms. However, the senior
level management needs higher security. Therefore, you personally walk each person
through the process of requesting a certificate; only you ensure that they select 1024-bit
AES as their encryption algorithm.
C. You meet with the other administrators of the executive building and let them know
what you are working on, and how they can help. You will first assign certificates to the
computers in the network. To make the process easier, you have decided to configure the
network so that the computers will request certificates automatically. In order to do this
you perform the following steps:
1. You open Active Directory Users and Computers
2. You use Group Policy to edit the domain policy that is controlling the executive
building.
3. You expand Computer Configuration to Public Key Policies, and you click the
Automatic Certificate request option.
4. In the template list, you select computer, and define CA as the location to send the
request.
5. You restart the computers that you can, and wait for the policy to refresh on the
systems you cannot restart.
Once you finishing setting up the computers to be assigned certificates, you shift your
focus to all the users in the executive building. In order to have each user obtain a
certificate you issue a memo (the actual memo goes into extreme detail on each step,
even listing common questions and answers) to all users that instructs them to perform
the following steps:
1. Log on to your computer as your normal user account
2. Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3. Select the option to Request A Certificate, and to choose a User Certificate Request
type, then submit the request.
4. When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management. For these people, you want the
security to be higher, so you select a different certificate scheme. By using a different
scheme, you ensure that there will be no possibility of other people in the building
gaining access to the senior level management accounts. For these accounts you utilize
licensed PGP digital certificates that can be used for both authentication and secure
email. You personally show each manager how to create and use their key ring, providing
for very secure communication.
D. You meet with the other administrators of the executive building and let them know
what you are working on, and how they can help. You will first assign certificates to the
computers in the network. To make the process easier, you have decided to configure the
network so that the computers will request certificates automatically. In order to do this
you perform the following steps:
1. You open Active Directory Users and Computers
2. You use Group Policy to edit the domain policy that is controlling the executive
building.
3. You expand Computer Configuration to Public Key Policies, and you click the
Automatic Certificate request option.
4. In the template list, you select computer, and define CA as the location to send the
request.
5. You restart the computers that you can, and wait for the policy to refresh on the
systems you cannot restart.
Once you finishing setting up the computers to be assigned certificates, you shift your
focus to the users, except for the senior management, in the executive building. In order
to have each user obtain a certificate you issue a memo (the actual memo goes into
extreme detail on each step, even listing common questions and answers) to all users that
instructs them to perform the following steps:
1. Log on to your computer as your normal user account
2. Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3. Select the option to Request A Certificate, and to choose a User Certificate Request
type, then submit the request.
4. When the certificate is issued, click the Install This Certificate hyperlink on screen.
Finally, you address the senior level management in the building. For these people, you
personally go into their office and walk through the steps with each person.
1. The user logs on to the computer with their normal user account
2. You open the MMC and add the personal certificates snap-in
3. You right-click certificates and Request A New Certificate
4. The user fills in the requested information, and you verify this information.
5. You put the certificate request onto a USB drive, and take the request back to the CA.
6. You put the USB drive into the CA, manually process the request, and put the issued
certificate onto the USB drive.
7. You bring the USB drive back to each person, and manually import their new
certificate
E. You meet with the other administrators of the executive building and let them know
what you are working on, and how they can help. You will first assign certificates to the
computers in the network. To make the process easier, you have decided to configure the
network so that the computers will request certificates automatically. In order to do this
you perform the following steps:
1. You open Active Directory Users and Computers
2. You use Group Policy to edit the domain policy that is controlling the executive
building.
3. You expand Computer Configuration to Public Key Policies, and you click the
Automatic Certificate request option.
4. In the template list, you select computer, and define CA as the location to send the
request.
5. You restart the computers that you can, and wait for the policy to refresh on the
systems you cannot restart.
Once you finishing setting up the computers to be assigned certificates, you shift your
focus to all the users in the executive building. In order to have each user obtain a
certificate you issue a memo (the actual memo goes into extreme detail on each step,
even listing common questions and answers) to all users that instructs them to perform
the following steps:
1. Log on to your computer as your normal user account
2. Open Internet Explorer, and to connect to the CA_SERVER\certsrv.
3. Select the option to Request A Certificate, and to choose a User Certificate Request
type, then submit the request.
4. When the certificate is issued, click the Install This Certificate hyperlink on screen.
Correct Answer: D
7.Now that the network is moving towards a trusted network, you are preparing for
the specific new implementations in Certkiller . Just as you wrap up some paperwork
for the morning, Blue calls you and lets you know that you are going to be needed in
a meeting this afternoon.
You get to Blue's office and sit down at the desk. Blue begins the conversation, "You
know we have some solid fundamental issues addressed in our new trusted network,
but I have yet to feel that we have addressed any serious concerns."
"I've been thinking about some similar issues," you reply.
"Good, then I'm sure you have been thinking about our email. Right now, I cannot
guarantee the integrity of any email, and I cannot guarantee the confidentiality of
any email. We have reasonable controls towards guaranteeing the availability of our
email, but what's the point if there is no confidentiality or integrity?"
"I agree. I think that addressing this issue should be an immediate priority."
"One concern is that whatever the system is that we put in place, it must be very
user-friendly. As we roll out these new systems, anything that will significantly
increase the calls into the help desk is something we need to minimize. A second
concern is that it not be too costly. We already have this new investment in the
trusted network, we need to be sure that we utilize what are building to the fullest
extent possible."
"I think we should be able to do that without much difficulty. I already have some
solid ideas," you reply.
"OK, take a few days on this. For the moment, just concern yourself with the
executive building; the others can follow the plan in their own buildings. Let's meet
again this coming Monday and you can describe your suggestion then."
Based on this conversation, and your knowledge of Certkiller , select the best solution
to the email problems in the network.}
A. After careful consideration you decide that you will implement secure email in a test
group using PGP. You will use a full licensed version of PGP. You will go to each
computer and you will install the full PGP on each system.
Once installed, you will show each user how to create a PGP certificate by requesting the
certificate from the CATool CA server you installed specifically for secure email. After
the user has received a certificate, you associate that PGP certificate with their Windows
domain user account.
With the PGP certificate associated with the user account, you show each user how to
manage their key ring. You show them how to generate their key, and you configure all
user's key strength to be 2048 bits. Now that the user has a strong key and a PGP
certificate, you configure the email client of each user.
You explain that each user will have to install the public key of each other user in the
network. You test this by sending an email from your laptop with your PGP certificate
attached, and you have the user save the attachment to their Outlook folder. With the
certificate saved, you show them how to send secure email to you. You receive the email
on your laptop, and double-click the lock to show the user that the secure email message
was successfully sent and received.
B. After careful consideration you decide that you will implement secure email in a test
group using X.509v3 digital certificates. You choose this since every user received their
certificate during an earlier phase, and those certificates included the ability to be used
for secure email.
Using the X.509v3 certificates, you will configure each machine to use S\MIME. You go
to each computer and open Outlook Express, which is the default client email program in
the test group. You go to the Tools and Account option, selecting the Mail tab, and the
properties for the email account.
You select he Security Tab and in the submenu for the Signing Certificate you configure
the certificate for the user's account. You select 3DES as the algorithm to use. You then
check the Encrypt Contents And Attachments For All Outgoing Messages check box and
the Digitally Sign All Outgoing Messages check box. You accept the default of including
the digital id when sending signed messages and the default to add sender's certificates to
the user's address book, and close the properties the email account.
You show the user how to send and receive email, showing the red ribbon that indicates a
signed message and the blue lock that indicates an encrypted message.
C. After careful consideration you decide that you will implement secure email in a test
group using GPG. You have decided to use GPG to avoid any licensing conflicts that
might occur if any user requires secure email exchange with another individual that is in
a country with different cryptography laws. You will go to each computer and you will
install GPG on each system.
Once installed, you will show each user how to create the required directory structure, by
typing the command: gpg --gen-key Once the directory structure is created, you will
show each user how to generate the required files, by typing the command: gpg --gen-key
Since you want very secure email, you configure each system to use 2048 bit key
strength and you select DSA and ElGamal encryption.
With GPG installed and configured, you show each user how to use their new secure
email. You have them open Outlook and create a new message to you. Once the message
is created, you have them select the Security drop-down list and choose both GPG Sign
and GPG Encrypt, and then press send.
You show them on your laptop that you receive the message. You press Reply, and on
your laptop also select the Security drop-down menu, where you choose both GPG Sign
and GPG Encrypt. The user receives the message, and you show that secure email was
successfully sent and received.
D. After careful consideration you decide that you will implement secure email in a test
group using PGP. You will use a full licensed version of PGP. You will go to each
computer and you will install the full PGP on each system.
Once installed, you will show each user how to create a PGP certificate by requesting the
certificate from the MS Enterprise Root CA server you installed, and configured
specifically for secure email certificates. After the user has received a certificate, you
associate that PGP certificate with their Windows domain user account.
With the PGP certificate associated with the user account, you show each user how to
manage their key ring. You show them how to generate their key, and you configure all
user's key strength to be 2048 bits. Now that the user has a strong key and a PGP
certificate, you configure the email client of each user.
You explain that each user will have to install the public key of each other user in the
network. You test this by sending an email from your laptop with your PGP certificate
attached, and you have the user save the attachment to their Outlook folder. With the
certificate saved, you show them how to send secure email to you. You receive the email
on your laptop, and double-click the lock to show the user that the secure email message
was successfully sent and received.
E. After careful consideration you decide that you will implement secure email in a test
group using X.509v3 digital certificates. You choose this since every user received their
certificate during an earlier phase, and those certificates included the ability to be used
for secure email.
You will configure each machine to use PGP, with the X.509v3 certificates option. You
go to each computer and open Outlook Express, which is the default client email program
in the test group. You go to the Tools and Account option, selecting the Mail tab, and the
properties for the email account.
You select he Security Tab and in the submenu for the Signing Certificate you configure
the certificate for the user's account. You select DSA and ElGamal as the cryptosystem to
use. You then check the Encrypt Contents And Attachments For All Outgoing Messages
check box and the Digitally Sign All Outgoing Messages check box. You accept the
default of including the digital id when sending signed messages and the default to add
sender's certificates to the user's address book, and close the properties the email account.
You show the user how to send and receive email, showing the red ribbon that indicates a
signed message and the blue lock that indicates an encrypted message.
Correct Answer: B
8.You have now been involved in several major changes in the security of Certkiller ,
and specifically the Testbed campus. You have worked on the planning and design
of the trusted network, you have worked on the initial rollout of the CA hierarchy,
you have worked on assigning certificates to the end users and computers in the
Executive building of the Testbed campus, and you have managed the
implementation of secure email - a critical service for Certkiller .
Blue has asked you to meet with the other administrative staff of the Testbed
campus and discuss how the certificates will impact the organization. There are a
total of about 40 people in the meeting, and you have decided that your primary
focus during this meeting will be on encryption\cryptography.
Choose the best solution for providing the correct information to your
administrative staff on how encryption\cryptography and digital certificates will be
properly used in the network:}
A. You gather the administrative staff together in the conference room to discuss
cryptography in the network. You begin your talk with the function of cryptography, in
general, and then you move towards specific implementations in the Certkiller network.
You explain that public key cryptography is founded on math, and that the big picture
fundamental point is that UserA has a pair of keys and UserB has a pair of keys. You
explain that one key of each key pair is made available to the other users in the network.
You illustrate this with an example of sending an encrypted message from UserA to
UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that
message to be secure. UserB will use the public key that UserA has made available to
encrypt the message. Once encrypted, UserB will send the message over the network to
User
A. UserA will then use the other key of the pair, the private key to decrypt the
message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them
that Diffie-Hellman was the first widely used private key algorithm, and that
Diffie-Hellman itself is not used to secure messages, rather to exchange a symmetric key.
You explain that RSA was another breakthrough in that it was a private key algorithm
that was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that
digital certificates can be assigned to different entities, including users and computers.
You state that these digital certificates include many options, for example an Issuer Field
that holds the distinguished name of the entity that issued the certificate, and a Subject
Field that holds the distinguished name of the person who has the private key that
corresponds to the public key in the certificate.
B. You gather the administrative staff together in the conference room to discuss
cryptography in the network. You begin your talk with the function of cryptography, in
general, and then you move towards specific implementations in the Certkiller network.
You explain that public key cryptography is founded on math, and that the big picture
fundamental point is that UserA has a pair of keys and UserB has a pair of keys. You
explain that one key of each key pair is made available to the other users in the network.
You illustrate this with an example of sending an encrypted message from UserA to
UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that
message to be secure. UserA will use the public key that UserB has made available to
encrypt the message. Once encrypted, UserA will send the message over the network to
UserB. UserB will then use the other key of the pair, called the private key, to decrypt the
message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them
that Diffie-Hellman was the first widely used public key algorithm, and that
Diffie-Hellman itself is not used to secure messages, rather to exchange a symmetric key.
You explain that RSA was another breakthrough in that it was a public key algorithm that
was able to secure messages.
You then describe digital certificates and some of their features. You tell the group that
digital certificates can be assigned to different entities, including users and computers.
You state that these digital certificates include many options, for example an Issuer Field
that holds the distinguished name of the entity that issued the certificate, and a Subject
Field that holds the distinguished name of the person who has the private key that
corresponds to the public key in the certificate.
C. You gather the administrative staff together in the conference room to discuss
cryptography in the network. You begin your talk with the function of cryptography, in
general, and then you move towards specific implementations in the Certkiller network.
You explain that public key cryptography is founded on math, and that the big picture
fundamental point is that UserA and UserB have a set of mathematically linked keys.
You explain that one key of each key pair is made available to the other users in the
network. You illustrate this with an example of sending an encrypted message from
UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that
message to be secure. UserA will use the public key that UserB has made available to
encrypt the message. Once encrypted, UserA will send the message over the network to
UserB. UserB will then use the other key of the pair, the private key to decrypt the
message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them
that RSA was the first widely used private key algorithm, and that RSA itself is not used
to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman
was another breakthrough in that it was a private key algorithm that was able to secure
messages.
You then describe digital certificates and some of their features. You tell the group that
digital certificates can be assigned to different entities, including users and computers.
You state that these digital certificates include many options, for example an Issuer Field
that holds the distinguished name of the entity that issued the certificate, and a Subject
Field that holds the distinguished name of the person who has the private key that
corresponds to the public key in the certificate.
D. You gather the administrative staff together in the conference room to discuss
cryptography in the network. You begin your talk with the function of cryptography, in
general, and then you move towards specific implementations in the Certkiller network.
You explain that public key cryptography is founded on math, and that the big picture
fundamental point is that UserA and UserB have a set of mathematically linked keys.
You explain that one key of each key pair is made available to the other users in the
network. You illustrate this with an example of sending an encrypted message from
UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that
message to be secure. UserA will use the private key that UserB has made available to
encrypt the message. Once encrypted, UserA will send the message over the network to
UserB. UserB will then use the other key of the pair, the public key to decrypt the
message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them
that RSA was the first widely used private key algorithm, and that RSA itself is not used
to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman
was another breakthrough in that it was a private key algorithm that was able to secure
messages.
You then describe digital certificates and some of their features. You tell the group that
digital certificates can be assigned to different entities, including users and computers.
You state that these digital certificates include many options, for example an Issuer Field
that holds the distinguished name of the entity that issued the certificate, and a Subject
Field that holds the distinguished name of the person who has the private key that
corresponds to the public key in the certificate.
E. You gather the administrative staff together in the conference room to discuss
cryptography in the network. You begin your talk with the function of cryptography, in
general, and then you move towards specific implementations in the Certkiller network.
You explain that public key cryptography is founded on math, and that the big picture
fundamental point is that UserA and UserB have a set of mathematically linked keys.
You explain that one key of each key pair is made available to the other users in the
network. You illustrate this with an example of sending an encrypted message from
UserA to UserB.
"We know, for example, that UserA wishes to send a message to UserB and wants that
message to be secure. UserA will use the private key that UserB has made available to
encrypt the message. Once encrypted, UserA will send the message over the network to
UserB. UserB will then use the other key of the pair, the public key to decrypt the
message," you explain to the group.
You further explain some of the common algorithms used in the network. You tell them
that RSA was the first widely used private key algorithm, and that RSA itself is not used
to secure messages, rather to exchange a symmetric key. You explain that Diffie-Hellman
was another breakthrough in that it was a private key algorithm that was able to secure
messages.
You then describe digital certificates and some of their features. You tell the group that
digital certificates can be assigned to different entities, including users and computers.
You state that these digital certificates include many options, for example an Issuer Field
that holds the distinguished name of the person who issued the certificate, and a Subject
Field that holds the full OIDs describing the use of the certificate by the holder of the
certificate.
Correct Answer: B
9.You have now seen to it that all end users and computers in the Testbed office have
received their certificates. The administrative staff has been trained on their use
and function in the network. The following day, you meet with Blue to discuss the
progress.
"So far so good," starts Blue, "all the users have their certificates, all the computers
have their certificates. I think we are moving forward at a solid pace. We have
talked about the ways we will use our certificates, and we need to move towards
securing our network traffic."
"I agree," you reply, "last week I ran a scheduled scan, and we still have
vulnerability in our network traffic. The folks from MassiveCorp would love to
have a sniffer running in here, I'm sure of that."
"That's exactly the point. We need a system in place that will ensure that our
network traffic is not so vulnerable to sniffing. We have to get some protection for
our packets. I'd like you to design the system and then we can review it together."
The meeting ends a few minutes later, and you are back in your office working on
the design.
Choose the best solution for protecting the network traffic in the executive office of
the Testbed campus:}
A. After further analysis on the situation, you decide that you will need to block traffic in
a more complete way at the border firewalls. You have decided that by implementing
stricter border control, you will be able to manage the security risk of the packets that
enter and leave the network better.
You implement a new firewall at each border crossing point. You will configure half of
the firewalls with Checkpoint FW-1 NG and the other half with Microsoft IS
A. By using
two different firewalls, you are confident that you will be minimizing any mass
vulnerability.
At each firewall you implement a new digital certificate for server authentication, and
you configure the firewall to require every user to authenticate all user connections. You
block all unauthorized traffic and run remote test scans to ensure that no information is
leaking through.
Once the test scans are complete, you verify that all users are required to authenticate
with the new firewall before their traffic is allowed to pass, and everything works as you
planned.
B. You spend time analyzing the network and decide that the best solution is to take
advantage of VPN technology. You will create one VPN endpoint in each building. Your
plan is to create a unique tunnel between each building.
You first install a new Microsoft machine, and configure it to perform the functions of
Routing and Remote Access. You then create a tunnel endpoint, and configure each
machine to use L2TP to create the tunnel.
To increase security, you will implement full 256-bit encryption on each tunnel, and you
will use 3DES on one half of the tunnels and AES on the other half of the tunnels. You
will be sure that each tunnel uses the same algorithm on both ends, but by using two
algorithms you are sure that you have increased the security of the network in a
significant way.
C. You decide that you will implement an IPSec solution, using the built-in functionality
of Windows. You decide that you wish for there to be maximum strength, and therefore
you choose to implement IPSec using both AH and ESP.
First, you configure each server in the network with a new IPSec policy. You choose to
implement the default Server IPSec Policy. Using this policy you are sure that all
communication both to and from the server will utilize IPSec. You reboot the servers that
you can and use secedit to force the others to refresh their policy.
Next, with the help of the administrative staff, you will configure each client in the
network. For the clients, you use the default Client IPSec Policy. You reboot the client
machines that you can and use secedit to force the others to refresh their policy.
D. You decide that you will implement an IPSec solution, using custom IPSec settings.
You wish to utilize the digital certificates that are available in the network. You decide
that you wish for there to be maximum strength, and therefore you choose to implement
IPSec using both AH and ESP.
First, you configure a custom policy for the servers in the network. You verify that none
of the default policies are currently implemented, and you create a new policy. Your new
policy will use SHA for AH and SHA+3DES for ESP. You make sure that the policy is
to include all IP traffic, and for Authentication Method, you use the certificate that is
assigned to each server. You reboot the servers that you can and use secedit to force the
others to refresh their policy.
Next, with the help of the administrative staff, you will configure each client in the
network. For the clients, you verify that no default policy is enabled, and you create a
policy that uses SHA for AH and SHA+3DES for ESP. You make sure that the policy is
to include all IP traffic, and for Authentication Method, you use the certificate that is
assigned to each server. You reboot the client machines that you can and use secedit to
force the others to refresh their policy.
E. You decide that you will implement an IPSec solution, using custom IPSec settings.
You wish to utilize the digital certificates that are available in the network. You decide
that you wish for there to be maximum strength, and therefore you choose to implement
IPSec using both AH and ESP.
First, you configure a custom policy for the servers in the network. To increase strength,
you will implement your custom policy on top of the default Server IPSec Policy. You
verify that the policy is running, and then you create a new policy. Your new policy will
use SHA+3DES for AH and SHA for ESP. You make sure that the policy is to include all
IP traffic, and for Authentication Method, you use the certificate that is assigned to each
server. You reboot the servers that you can and use secedit to force the others to refresh
the two policies.
Next, with the help of the administrative staff, you will configure each client in the
network. For the clients you also need the highest in security, so you will use a custom
policy on the default policy. You verify that the default Client IPSec policy is enabled,
and then you create a policy that uses SHA+3DES for AH and SHA for ESP. You make
sure that the policy is to include all IP traffic, and for Authentication Method, you use the
certificate that is assigned to each server. You reboot the client machines that you can
and use secedit to force the others to refresh the two policies.
Correct Answer: D
10.You had been taking a short vacation, and when you come into work on Monday
morning, Blue is already at your door, waiting to talk to you.
"We've got a problem," Blue says, "It seems that the password used by our Vice
President of Engineering has been compromised. Over the weekend, we found this
account had logged into the network 25 times. The Vice President was not even in
the office over the weekend."
"Did we get the source of the compromise yet?"
"No, but it won't surprise me if it is our new neighbors at MassiveCorp. I need to
you to come up with a realistic plan and bring it to me tomorrow afternoon. This
problem must be resolved, and like everything else we do not have unlimited funds -
so keep that in mind."
Based on this information, choose the best solution to the password local
authentication problem in the Executive building.}
A. Since you are aware of the significance of the password problems, you plan to address
the problem using technology. You write up a plan for Blue that includes the following
points:
1. For all executives you recommend no longer using passwords, and instead migrating to
a token-based authentication system.
2. You will install the RSA SecurID time-based token system.
3. You will create SecurID user records for each user to match their domain accounts.
4. You will assign each user record a unique token.
5. You will hand deliver the tokens to the correct executive.
6. Users will be allowed to create their own PIN, which will be 4 characters long.
7. The tokens will replace all passwords for authentication into each user's Windows
system.
B. Since you are aware of the significance of the password problems, and since you do
not have unlimited funds, you plan to address this problem through education and
through awareness. You write up a plan for Blue that includes the following points:
1. All end users are to be trained on the methods of making strong passwords
2. All end users are instructed that they are to change their password at a minimum of
every 30 days.
3. The administrative staff is to run password-checking utilities on all passwords every
30 days.
4. All end users are to be trained on the importance of never disclosing their password to
any other individual.
5. All end users are to be trained on the importance of never writing down their
passwords where they are clearly visible.
C. Since you are aware of the significance of the password problems, you plan to address
the problem using technology. You write up a plan for Blue that includes the following
points:
1. You will reconfigure the Testbed. Certkiller .org domain to control the password
problem.
2. You will configure AD in this domain so that complex password policies are required.
3. The complex password policies will include:
a. Password length of at least 8 characters
b. Passwords must be alphanumeric
c. Passwords must meet Gold Standard of complexity
d. Passwords must be changed every 30 days
e. Passwords cannot be reused
D. Since you are aware of the significance of the password problems, you plan to address
the problem using technology. You write up a plan for Blue that includes the following
points:
1. For all executives you recommend no longer using passwords, and instead migrating to
a token-based authentication system.
2. You will install the RSA SecurID challenge-response token system.
3. You will create SecurID user records for each user to match their domain accounts.
4. You will assign each user record a unique token.
5. You will hand deliver the tokens to the correct executive.
6. Users will be required to use tokencodes from the One-Time tokencode list. The
tokencodes will be alphanumeric and will be 4 characters long.
7. The tokens will replace all passwords for authentication into each user's Windows
system.
E. Since you are aware of the significance of the password problems, plan to address the
problem using technology. You write up a plan for Blue that includes the following
points:
1. For all executives you recommend no longer using passwords, and instead migrating to
a biometric solution.
2. You will install retinal scanners at every user's desktop in the executive building.
3. You will personally enroll each user at each desktop.
4. You will instruct each user on the proper positioning and use of the scanner.
5. The biometric system will replace all passwords for authentication into each user's
Windows system.
Correct Answer: A