103 Cards in this Set

Configuring Authentication and Authorization

What is Authentication ?
Authentication is an automated process whereby a computer verifies the identity of a user, computer, or service attempting to access the system.
Authentication Forms ?
Password
Certificate
Smart card
Biometrics
Security protocol.
What is the Windows PIV standard ?
Personal Identity Verification, commonly referred to as the PIV standard, allows users to use smart cards from any vendor that has published their smart card drivers with Windows Update.
How does the PKINIT protocol help with Smart Cards ?
If you use the PKINIT protocol, Windows 7 automatically finds the driver for a smart card. So the smart card can authenticate the domain without requiring the user to add intermediary software.
Some Authentication protocol packages ?
Negotiate
TLS/SSL
Credential SSPs, and
Digest
What is the Kerberos Authentication protocol?
Windows 7 uses Kerberos Version 5.0 as an SSP accessible through an SSPI. Kerberos 5.0 authenticates between a client and a server, or between individual servers.
What is the NTLM Authentication protocol ?
NTLM is a challenge/response authentication protocol used to verify the identity of parties falling outside of a particular domain. For example, it can be used to authenticate unaffiliated work groups or servers.
What is the Credential SSP Authentication protocol?
Features single sign-on with Terminal Services. With CredSSP, users' credentials can be transferred from a client computer to the target server using client policies.
What is the Digest Authentication protocol?
Digest is a challenge/response protocol that requires authentication conducted using secret keys.
Tip: To enable or disable biometric technology, you use the appropriate Group Policy settings.
Abbrev : UAC - User Account Control
Tip: To launch Local Security Policy, run "secpol.msc".
Tip : Credential Manager manages user names, passwords, and proof of identification.
Location of "User Rights Assignment" in Local Security Policy ?
Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment
Tip: The netsh lan command can garner information about specific hardware and configuration settings of your client. By contrast, wireless authentication uses the netsh wlan command.
Tip : Credential Manager cannot be used to back up EFS certificates
Tip : The Windows 7 certificate Management Console - certmgr.msc
EFS certificates can be backed up using three tools ?
Certificates console (Certmgr.msc),
Manage File Encryption Certificates tool,
Cipher.exe command-line tool.
Where are the Windows 7 login credentials stored ?
Windows Vault
What does the Credential Manager do ?
Credential Manager allows you to manage passwords for Web sites, terminal services and remote desktop sessions, stand-alone network resources, and smart card certificates.
Tip : You can assign rights to users by adding them to the appropriate built-in local group or by assigning them rights through Group Policy
You have used Runas with the /savecred option to save the credentials of an administrator account on a client running Windows 7. You have finished performing the tasks that you needed to and now want to remove those credentials from the computer. Which of the following tools could you use to do this?

A. Runas
B. Credential Manager
C. The Certificates console
D. UAC settings
B. Credential Manager
You want to ensure that users are forcibly logged off from their computers running Windows 7 if they remove their smart cards. Which of the following policies and settings should you configure to accomplish this goal? (Choose all that apply; each answer forms part of a complete solution.)


A. Interactive Logon: Smart Card Removal Behavior Properties: No Action
B. Interactive Logon: Smart Card Removal Behavior Properties: Lock Workstation
C. Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff
D. Interactive Logon: Require Smart Card: Enabled
C. Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff
D. Interactive Logon: Require Smart Card: Enabled
You want to ensure that users of stand-alone clients running Windows 7 in your organization change their passwords every three weeks. Which of the following policies should you configure on each computer to accomplish this goal?

A. Enforce Password History
B. Minimum Password Length
C. Minimum Password Age
D. Maximum Password Age
D. Maximum Password Age

D. Correct: The Maximum Password Age policy ensures that a user must change his password after a certain amount of time has expired. In this case, you would set the policy to 21 days.
Which of the following tools can users use to back up EFS certificates created when they encrypt a file on a stand-alone computer running Windows 7? (Choose all that apply.)


A. Credential Manager
B. The Manage File Encryption Certificates tool
C. The Certificate Manager console
D. Cipher.exe
B. The Manage File Encryption Certificates tool
C. The Certificate Manager console
D. Cipher.exe
What is Credential Roaming ?
Credential roaming enables you to use Active Directory Domain Services, abbreviated to AD DS, to store certificates and private keys separately from application state or configuration information.
Tip: Group Policy is used to configure credential roaming to automatically run when a user logs in
Tip: Credentials stored on one domain controller only become available on another domain controller once replication has occurred.
Abbrev : CRLs
Certificate Revocation Lists
Group Policy can help you manage certificates. How ?
GP can help you specify

Root Certificates
Trusted Publishers
Network Retrieval and Path Validation
Revocation Checking Policy
You can use credential roaming and certificate path validation to manage various tasks.

Match each task with the appropriate method.

Options:

1. Manage responses from online responders
2. Specify the root certification authorities that you trust
3. Store your certificates and private keys in AD DS
4. Store certificates only on machines where trusted users have logged on

Targets:

1. Credential roaming
2. Certificate path validation
Credential roaming enables you to use AD DS to store your certificates and private keys. This enhances security by ensuring that certificates are only stored for trusted users.

Certificate path validation enables you to better manage certificates and public keys by managing responses from online responders, and indicating which root certification authorities you trust.

Correct answer(s):

Target 1 = Option C, Option D

Target 2 = Option B, Option A
Methods to obtain a certificate ?
You can use four methods to obtain a certificate:

the Certificates snap-in
the Certificate Request Wizard
the Internet
requesting certificates on behalf of users
User Account Control

How do UAC tokens work for Standard Users ?
When a standard user logs on to Windows 7, the system will create only one access token. The token specifies the level of access that the user has. The token also contains information about Windows privileges and specific security identifiers, more commonly known as SIDs.
UAC

How do UAC tokens work for Administrative Users ?
When an administrator logs on to a computer in Windows 7, the system creates two access tokens. The one token is an administrator token, and the other is a standard user access token.

Both the administrator access token and the standard user access token contain the same user-specific information. However, the standard user access token doesn't contain information about administrative Windows privileges or the SIDs, whereas the administrator access token does contain this information.
UAC

What is an Elevation prompt ?
Windows 7 will automatically prompt the user for approval if the administrator access token is required to perform a task. This is an elevation prompt.
UAC

Tip: The elevation prompt's behavior can be configured using Group Policy, or using Secpol.msc (the Local Security Policy snap-in).
UAC

Exceptions to Elevation prompts ?
Applications must prompt the administrator for consent to use the administrator access token. The only exceptions are the relationship between

* parent processes and

* child processes
UAC

UAC settings are modified using ?
User Account Control Settings
UAC

Tip : Most Windows executables are auto-elevated by the system
UAC

When do Windows executables not produce a prompt?
Windows executables must hold two factors true:

1. they must be located in secure directories

2. Windows publisher must sign the Windows executables


they must be located in secure directories, and

1. Windows executables must be located in one of the secure directories that standard users aren't allowed to modify. These directories include certain directories under Program Files, System32, most of the System32 subdirectories, and Ehome. The Program Files directories include Windows Journal and Windows Defender.
the Windows publisher must sign them digitally

2. Windows publisher must sign the Windows executables digitally. All code in Windows needs to be signed by Windows publisher, which is the certificate used to sign code.
Tip : Auto Elevation has extra conditions for Executable COM objects
UAC

Tip :

MSC files, which are part of the MMC console, may require an elevation prompt depending on whether they are on the Windows internal list.
UAC

Tip

Windows executables that are auto-elevated include

* the Service Pack installer, Spinstall.exe

* the package manager, Pkgmgr.exe, and

* the migration wizard, Migwiz.exe
UAC

Components of the UAC Architecture ?
Kernel
User
System
UAC

The User Component of UAC has three elements ?
user performs an operation requiring privilege,
ShellExecute,
and CreateProcess.
UAC

How does ShellExecute (User Element ) perform tasks ?
When an operation calls ShellExecute, this in turn calls CreateProcess. CreateProcess must send the ERROR_ELEVATION_REQUIRED error to ShellExecute. If ShellExecute finds this, it will call the Application Information service to try to perform the task requested with the elevated prompt.

CreateProcess will reject the call with ERROR_ELEVATION_REQUIRED if the application requires elevation.
UAC

8 elements of the System Component of the UAC architecture ?
Application Information Service
Active X

Note : More to be added
UAC

What does the Application Information Service do ?
The Application Information service is a system service that helps to start applications that need user rights or elevated privileges to run.
UAC

How does CreateProcess assess if an application requires elevation?
To assess whether the application requires elevation, CreateProcess calls:

AppCompat
Fusion
Installer
UAC

How do Fusion, AppCompat, and Installer determine an elevation is required by an application ?
Fusion, AppCompat, and Installer detection inspect the executable file's application manifest to establish the application's requested execution level.
UAC

The kernel component of the UAC architecture has two subcomponents ?
Virtualization
File system and registry
UAC

UAC Group policy location ?
Security Settings >> Local Policies >> Security Options.
UAC

Tip

Some of the UAC policies listed are

* Allow UIAccess applications to prompt for elevation without using the secure desktop

* Behavior of the elevation prompt for administrators in Admin Approval Mode

* Behavior of the elevation prompt for standard users

* Detect application installations and prompt for elevation, and

* Only elevate executables that are signed and validated
Windows 7 HomeGroup is not compatible with Windows XP and Windows Vista
What does Network Discovery allow you to do ?
The computer can see other computers and devices and is visible to other network computers
Encryption only works on the Professional, Ultimate, and Enterprise editions.
EFS works only on the NTFS file system.
Direct Access

Tip

VPN allows you to access a workplace network remotely.
Direct Access

Abbrev: NAP
Network Access Protection
Direct Access

What is Direct Access ?
Direct Access is an automatic connectivity solution that allows clients running Windows 7 to connect to the corporate intranet the moment they establish a connection to the global Internet.
Direct Access

Can Direct Access be run on IPV4 ?
NO

DirectAccess only uses IPV6.
Direct Access

Direct Access vs VPN
The connection process is automatic (in DA) and does not require user intervention or logon. Users must initiate VPN connections to the corporate intranet manually.

DirectAccess is bidirectional, with servers on the intranet being able to interact with the client running Windows 7. With traditional VPN solutions, the client can access the intranet but servers on the intranet cannot initiate communication with the client.

DirectAccess provides administrators with greater flexibility in controlling which intranet resources are available to remote users.
Direct Access

Which Editions of Windows 7 Support Direct Access?
Only domain-joined clients running Windows 7 Enterprise and Ultimate editions support DirectAccess.
Direct Access

Tip

Group Policy settings override settings manually configured using Netsh Commands.
Direct Access

How does the Direct Access Server authenticate Users ?
DirectAccess clients use digital certificates to authenticate with the DirectAccess server.
Direct Access

Tip :

DirectAccess clients and the DirectAccess server almost always receive their certificates from an Active Directory Certificate Services Certificate Authority that is integrated into the domain.
Direct Access

Abbrev: ADCS \ CA
Active Directory Certificate Services \ Certificate Authority
Direct Access

DirectAccess server needs the following requirements:
The computer needs to have Windows Server 2008 R2 installed and be a member of a domain.

This server must have two network adapters.

One of these network adapters needs a direct connection to the Internet. You must assign this adapter two consecutive public IPv4 addresses.

The second network adapter needs a direct connection to the corporate intranet.

The computer needs digital certificates to support server authentication. This includes having a computer certificate that matches the fully qualified domain name (FQDN) that is assigned to the IP addresses on the DirectAccess server’s external network interface.
Direct Access

How does DirectAccess establish connections with clients running IPv4 or IPv6?
If a client running Windows 7 has a public IPv6 address, a direct IPv6 connection is made.

If the client has a public IPv4 address, a connection is made using the 6to4 transition technology. If the client has a private IPv4 address, a connection is made using the Teredo transition technology.

If the client has a private IPv4 address and is behind a firewall that restricts most forms of network traffic, a connection using IP-HTTPS is made.
User Profiles

How do you access User Profiles ?
By opening System within Control Panel, clicking Advanced System Settings, and then clicking the Settings button in the User Profiles area of the Advanced System Settings tab.
User Profiles

What tools can be used for User Migration?
Windows Easy Transfer (WET)
User State Migration Tool (USMT)
User Profiles

What is the Windows Easy Transfer?
Windows Easy Transfer is a utility that comes with Windows 7 that you can use to transfer user profile data from computers running Windows XP, Windows Vista, or Windows 7 to new computers running Windows 7.
User Profiles

What can Windows Easy Transfer be used to transfer ?
Windows Easy Transfer can be used to transfer user accounts, documents, music, pictures, e-mail, bookmarks, certificates, and other data.
User Profiles

What methods does Windows Easy Transfer use to migrate user profiles?
There are three separate methods that you can use to migrate data with Windows Easy Transfer :

Easy Transfer Cable
Network
External Hard Disk or USB Flash Drive
User Profiles

Tip

Windows Easy Transfer Migration
If you want to migrate only a single user account, you can log on with that account to perform the transfer.

If you want to migrate all accounts on the computer, you need to log on with a user account that has local administrator privileges
User Profiles

What is the USMT ?
The User State Migration Tool is a command-line utility that allows you to automate the process of user profile migration.
User Profiles

Tip

USMT is part of the WAIK and is a better tool for performing a large number of profile migrations than Windows Easy Transfer.
User Profiles

Tip

USMT can write data to a removable USB storage device or a network share but cannot
perform a direct side-by-side migration over the network from the source to the destination
computer.
User Profiles

Abbrev: WAIK
WAIK - Windows Automated Installation Kit
User Profiles

Abbrev : ACLs
Access control lists
User Profiles

Does USMT migrate ACLs ?
The USMT tool also migrates access control lists (ACLs) for files and folders, ensuring that permissions set on the source computer are retained on the destination computer.
User Profiles

What does USMT not migrate ?
You cannot use USMT to migrate mapped network drives, local printers, device drivers, passwords, shared folder permissions, and Internet connection sharing settings.
User Profiles

What are the different Migration files ?
There are four different .xml migration files used with the USMT:
MigApp.xml
MigUser.xml
MigDocs.xml
Config.xml
User Profiles

How does the Config.xml file help?
It is used to exclude features from the migration. You can create and modify the Config.xml file using ScanState.exe with the /genconfig option.
User Profiles:

What are the two USMT Commands ?
ScanState
LoadState
User Profiles:

What does the ScanState command do ?
ScanState scans the source computer during the migration
User Profiles:

What are the different Migration Store Types ?
Uncompressed
Compressed
Hard-link
User Profiles:

What are hard-link migration stores used for?
Hard-link migration stores are used in wipe-and-load scenarios only
User Profiles:

Can USMT be used for offline migrations?
Yes. You can use USMT to perform offline migrations
User Profiles:

What migration file helps specify what user data and ACLs are migrated ?
USMT uses the MigUser.xml file to define how to migrate access control lists and user data
User Profiles:

Abbrev : SOE
SOE - standard operating environment
User Profiles:

Can USMT be used on a workstation with Bitlocker ?
USMT cannot be used on a computer with BitLocker activated. Suspend BitLocker to run USMT.
User Profiles:

What happens during an Offline Migration ?
Offline migrations involve booting the computer into a Windows PE environment that
includes the USMT files and then running ScanState against the installation of Windows
on the computer’s hard disk drive.
You must still run the LoadState feature of the migration from within Windows 7.
You cannot run LoadState when booted into a Windows PE environment.
User Profiles :

1. Which of the following operating systems support an offline migration using USMT?
A. Windows 2000 Professional
B. Windows XP Professional
C. Windows Vista
D. Windows 7
1. Correct Answers: B, C, and D
A. Incorrect: Windows 2000 does not support offline migration using the USMT.
B. Correct: Windows XP Professional supports offline migration using the USMT.
C. Correct: Windows Vista supports offline migration using the USMT.
D. Correct: Windows 7 supports offline migration using the USMT.
2. Which of the following utilities can you use to transfer user encryption certificates from a computer running Windows XP Professional to Windows 7 Professional? (Choose all that apply.)

A. File Settings and Transfer Wizard
B. USMT
C. Windows Easy Transfer
D. Robocopy.exe
2. Correct Answers: B and C
A. Incorrect: File Settings and Transfer Wizard is a Windows XP utility; it cannot be used to migrate data to Windows 7.
B. Correct: USMT can be used to transfer user encryption certificates from a computer running Windows XP Professional to a computer running Windows 7 Professional.
C. Correct: Windows Easy Transfer can be used to transfer user encryption certificates from a computer running Windows XP Professional to a computer running Windows 7 Professional.
D. Incorrect: Robocopy.exe cannot be used to transfer user encryption certificates from a computer running Windows XP Professional to a computer running Windows 7 Professional.
3. Which XML file is used with ScanState to specify information about user profile data that should be migrated?

A. MigDocs.xml
B. MigUser.xml
C. MigApp.xml
D. Config.xml
3. Correct Answer: B
A. Incorrect: MigDocs.xml contains rules about locating user documents.
B. Correct: MigUser.xml contains rules about migrating user profiles and user data.
C. Incorrect: MigApp.xml contains rules about the migration of application settings.
D. Incorrect: Config.xml contains information about what features to exclude from a migration.
4. Which of the following must you download from Microsoft’s Web site to obtain USMT 4.0?

A. Windows Anytime Upgrade
B. Windows Upgrade Advisor
C. WAIK
D. Microsoft Application Compatibility Toolkit
4. Correct Answer: C
A. Incorrect: Windows Anytime Upgrade is a tool used to upgrade from one edition of Windows 7 to another. It does not contain USMT 4.0.
B. Incorrect: Windows Upgrade Advisor is a tool that advises you whether hardware and software used with a computer running Windows Vista is compatible with Windows 7.
C. Correct: The WAIK contains USMT 4.0.
D. Incorrect: The Microsoft Application Compatibility Toolkit does not include USMT 4.0.
5. Which of the following types of USMT migration store types minimizes hard disk space used when performing a wipe-and-load migration?
A. Uncompressed
B. Compressed
C. Hard-link
5. Correct Answer: C
A. Incorrect: Uncompressed migration stores use the most hard disk space as it creates a copy of the data being migrated in a separate directory structure.
B. Incorrect: Compressed migration stores create a compressed copy of the data being migrated in a separate directory structure.
C. Correct: Hard-link migration stores create a set of hard links to all data that will be migrated in a separate location but do not actually duplicate that data on the volume.