103 Cards in this Set
Configuring Authentication and Authorization
What is Authentication? |
Authentication is an automated process whereby a computer verifies the identity of a user, computer, or service attempting to access the system.
|
|
Authentication forms? |
Password, certificate, smart card, biometrics, and security protocol. |
|
What is the Windows PIV standard?
|
Personal Identity Verification, commonly referred to as the PIV standard, allows users to use smart cards from any vendor that has published their smart card drivers with Windows Update.
|
|
How does the PKINIT protocol help with smart cards?
|
If you use the PKINIT protocol, Windows 7 automatically finds the driver for a smart card, so the smart card can authenticate to the domain without requiring the user to install intermediary software.
|
|
Some authentication protocol packages? |
Negotiate, TLS/SSL, Credential SSP, and Digest |
|
What is the Kerberos authentication protocol?
|
Windows 7 uses Kerberos Version 5.0 as an SSP accessible through an SSPI. Kerberos 5.0 authenticates between a client and a server, or between individual servers.
|
|
What is the NTLM authentication protocol?
|
NTLM is a challenge/response authentication protocol used to verify the identity of parties falling outside of a particular domain. For example, it can be used to authenticate unaffiliated work groups or servers.
|
|
What is the Credential SSP authentication protocol?
|
CredSSP provides single sign-on with Terminal Services. With CredSSP, users' credentials can be transferred from a client computer to the target server according to client policies.
|
|
What is the Digest authentication protocol?
|
Digest is a challenge/response protocol that requires authentication conducted using secret keys.
|
|
Tip: To enable or disable biometric technology, you use the appropriate Group Policy settings.
|
|
Abbrev: UAC - User Account Control
|
|
Tip: To launch Local Security Policy, run secpol.msc
|
|
Tip: Credential Manager manages user names, passwords, and proof of identification.
|
|
Location of "User Rights Assignment" in Local Security Policy?
|
Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment
|
|
Tip: The netsh lan command can gather information about specific hardware and configuration settings of your client. By contrast, wireless authentication uses the netsh wlan command.
|
|
Tip: Credential Manager cannot be used to back up EFS certificates.
|
|
Tip: The Windows 7 Certificate Management Console is certmgr.msc.
|
|
EFS certificates can be backed up using which three tools? |
The Certificates console (certmgr.msc), the Manage File Encryption Certificates tool, and the Cipher.exe command-line tool. |
|
Where are the Windows 7 login credentials stored?
|
Windows Vault
|
|
What does the Credential Manager do?
|
Credential Manager allows you to manage passwords for Web sites, terminal services and remote desktop sessions, stand-alone network resources, and smart card certificates.
|
|
Tip: You can assign rights to users by adding them to the appropriate built-in local group or by assigning them rights through Group Policy.
|
|
You have used Runas with the /savecred option to save the credentials of an administrator account on a client running Windows 7. You have finished performing the tasks that you needed to and now want to remove those credentials from the computer. Which of the following tools could you use to do this?
A. Runas B. Credential Manager C. The Certificates console D. UAC settings |
B. Credential Manager
|
|
You want to ensure that users are forcibly logged off from their computers running Windows 7 if they remove their smart cards. Which of the following policies and settings should you configure to accomplish this goal? (Choose all that apply; each answer forms part of a complete solution.)
A. Interactive Logon: Smart Card Removal Behavior Properties: No Action B. Interactive Logon: Smart Card Removal Behavior Properties: Lock Workstation C. Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff D. Interactive Logon: Require Smart Card: Enabled |
C. Interactive Logon: Smart Card Removal Behavior Properties: Force Logoff
D. Interactive Logon: Require Smart Card: Enabled |
|
You want to ensure that users of stand-alone clients running Windows 7 in your organization change their passwords every three weeks. Which of the following
policies should you configure on each computer to accomplish this goal? A. Enforce Password History B. Minimum Password Length C. Minimum Password Age D. Maximum Password Age |
D. Maximum Password Age
D. Correct: The Maximum Password Age policy ensures that a user must change his password after a certain amount of time has expired. In this case, you would set the policy to 21 days. |
|
Which of the following tools can users use to back up EFS certificates created when they encrypt a file on a stand-alone computer running Windows 7? (Choose all that apply.)
A. Credential Manager B. The Manage File Encryption Certificates tool C. The Certificate Manager console D. Cipher.exe |
B. The Manage File Encryption Certificates tool
C. The Certificate Manager console D. Cipher.exe |
|
What is Credential Roaming?
|
Credential roaming enables you to use Active Directory Domain Services, abbreviated to AD DS, to store certificates and private keys separately from application state or configuration information.
|
|
Tip: Group Policy is used to configure credential roaming to run automatically when a user logs in.
|
|
Tip: Credentials stored on one domain controller only become available on another domain controller once replication has occurred.
|
|
Abbrev: CRLs
|
Certificate Revocation Lists
|
|
Group Policy can help you manage certificates. How?
|
Group Policy can help you specify:
Root Certificates, Trusted Publishers, Network Retrieval and Path Validation, and Revocation Checking Policy |
|
You can use credential roaming and certificate path validation to manage various tasks.
Match each task with the appropriate method. Options: 1. Manage responses from online responders 2. Specify the root certification authorities that you trust 3. Store your certificates and private keys in AD DS 4. Store certificates only on machines where trusted users have logged on Targets: 1. Credential roaming 2. Certificate path validation |
Credential roaming enables you to use AD DS to store your certificates and private keys. This enhances security by ensuring that certificates are only stored for trusted users.
Certificate path validation enables you to better manage certificates and public keys by managing responses from online responders, and indicating which root certification authorities you trust. Correct answer(s): Target 1 = Option C, Option D Target 2 = Option B, Option A |
|
Methods to obtain a certificate?
|
You can use four methods to obtain a certificate:
the Certificates snap-in, the Certificate Request Wizard, the Internet, and requesting certificates on behalf of users |
|
User Account Control
How do UAC tokens work for standard users? |
When a standard user logs on to Windows 7, the system will create only one access token. The token specifies the level of access that the user has. The token also contains information about Windows privileges and specific security identifiers, more commonly known as SIDs.
|
|
UAC
How do UAC tokens work for administrative users? |
When an administrator logs on to a computer in Windows 7, the system creates two access tokens. One token is an administrator token, and the other is a standard user access token.
Both the administrator access token and the standard user access token contain the same user-specific information. However, the standard user access token doesn't contain information about administrative Windows privileges or the SIDs, whereas the administrator access token does contain this information. |
|
UAC
What is an elevation prompt? |
Windows 7 will automatically prompt the user for approval if the administrator access token is required to perform a task. This is an elevation prompt.
|
|
UAC
Tip: The elevation prompt's behavior can be configured using Group Policy, or using Secpol.msc (the Local Security Policy snap-in). |
|
UAC
Exceptions to elevation prompts? |
Applications must prompt the administrator for consent to use the administrator access token. The only exception is the relationship between parent processes and child processes. |
|
UAC
UAC settings are modified using? |
User Account Control Settings
|
|
UAC
Tip: Most Windows executables are auto-elevated by the system. |
|
UAC
When do Windows executables not produce a prompt? |
Windows executables must meet two conditions:
1. They must be located in one of the secure directories that standard users aren't allowed to modify. These directories include certain directories under Program Files, System32, most of the System32 subdirectories, and Ehome. The Program Files directories include Windows Journal and Windows Defender.
2. The Windows publisher must sign them digitally. All code in Windows needs to be signed by the Windows publisher, which is the certificate used to sign code. |
|
Tip: Auto-elevation has extra conditions for executable COM objects.
|
|
UAC
Tip: MSC files that are part of an MMC console may require an elevation prompt, depending on whether the file is on the Windows internal list. |
|
UAC
Tip: Windows executables that are auto-elevated include the Service Pack installer (Spinstall.exe), the package manager (Pkgmgr.exe), and the migration wizard (Migwiz.exe). |
|
UAC
Components of the UAC architecture? |
Kernel, User, and System |
|
UAC
The User component of UAC has three elements? |
user performs an operation requiring privilege,
ShellExecute, and CreateProcess. |
|
UAC
How does ShellExecute (User element) perform tasks? |
When an operation calls ShellExecute, this in turn calls CreateProcess. CreateProcess must send the ERROR_ELEVATION_REQUIRED error to ShellExecute. If ShellExecute finds this, it will call the Application Information service to try to perform the requested task with an elevation prompt.
CreateProcess will reject the call with ERROR_ELEVATION_REQUIRED if the application requires elevation. |
|
UAC
Eight elements of the System component of the UAC architecture? |
Application Information Service
ActiveX (note: more to be added) |
|
UAC
What does the Application Information Service do? |
The Application Information service is a system service that helps to start applications that need additional user rights or elevated privileges to run.
|
|
UAC
How does CreateProcess assess whether an application requires elevation? |
To assess whether the application requires elevation, CreateProcess calls:
AppCompat, Fusion, and Installer |
|
UAC
How do Fusion, AppCompat, and Installer determine that an application requires elevation? |
Fusion, AppCompat, and Installer detection inspect the executable file's application manifest to establish the application's requested execution level.
|
|
UAC
The Kernel component of the UAC architecture has two subcomponents? |
Virtualization
File system and registry |
|
UAC
UAC Group Policy location? |
Security Settings >> Local Policies >> Security Options.
|
|
UAC
Tip: Some of the UAC policies listed are: Allow UIAccess applications to prompt for elevation without using the secure desktop; Behavior of the elevation prompt for administrators in Admin Approval Mode; Behavior of the elevation prompt for standard users; Detect application installations and prompt for elevation; and Only elevate executables that are signed and validated. |
|
Windows 7 HomeGroup is not compatible with Windows XP and Windows Vista.
|
|
What does Network Discovery allow you to do?
|
The computer can see other computers and devices and is visible to other network computers.
|
|
Encryption only works on the Professional, Ultimate, and Enterprise editions.
|
|
EFS works only on the NTFS file system.
|
|
Direct Access
Tip: VPN allows you to access a workplace network remotely. |
|
Direct Access
Abbrev: NAP |
Network Access Protection
|
|
Direct Access
What is DirectAccess? |
Direct Access is an automatic connectivity solution that allows clients running Windows 7 to connect to the corporate intranet the moment they establish a connection to the global Internet.
|
|
Direct Access
Can DirectAccess be run on IPv4? |
No.
DirectAccess uses only IPv6. |
|
Direct Access
DirectAccess vs. VPN |
The connection process is automatic (in DirectAccess) and does not require user intervention or logon. Users must initiate VPN connections to the corporate intranet manually.
DirectAccess is bidirectional, with servers on the intranet being able to interact with the client running Windows 7. With traditional VPN solutions, the client can access the intranet, but servers on the intranet cannot initiate communication with the client. DirectAccess provides administrators with greater flexibility in controlling which intranet resources are available to remote users. |
|
Direct Access
Which editions of Windows 7 support DirectAccess? |
Only domain-joined clients running Windows 7 Enterprise and Ultimate editions support DirectAccess.
|
|
Direct Access
Tip: Group Policy settings override settings manually configured using netsh commands. |
|
Direct Access
How does the DirectAccess server authenticate users? |
DirectAccess clients use digital certificates to authenticate with the DirectAccess server.
|
|
Direct Access
Tip: DirectAccess clients and the DirectAccess server almost always receive their certificates from an Active Directory Certificate Services Certificate Authority that is integrated into the domain. |
|
Direct Access
Abbrev: ADCS \ CA |
Active Directory Certificate Services \ Certificate Authority
|
|
Direct Access
DirectAccess server requirements? |
The computer needs to have Windows Server 2008 R2 installed and be a member of a domain.
This server must have two network adapters. One of these network adapters needs a direct connection to the Internet. You must assign this adapter two consecutive public IPv4 addresses. The second network adapter needs a direct connection to the corporate intranet. The computer needs digital certificates to support server authentication. This includes having a computer certificate that matches the fully qualified domain name (FQDN) that is assigned to the IP addresses on the DirectAccess server's external network interface. |
|
Direct Access
How does DirectAccess establish connections with clients running IPv4 or IPv6? |
If a client running Windows 7 has a public IPv6 address, a direct IPv6 connection is made.
If the client has a public IPv4 address, a connection is made using the 6to4 transition technology. If the client has a private IPv4 address, a connection is made using the Teredo transition technology. If the client has a private IPv4 address and is behind a firewall that restricts most forms of network traffic, a connection using IP-HTTPS is made. |
|
User Profiles
How do you access User Profiles? |
By opening System within Control Panel, clicking Advanced System Settings, and then clicking the Settings button in the User Profiles area of the Advanced tab.
|
|
User Profiles
What tools can be used for user migration? |
Windows Easy Transfer (WET)
User State Migration Tool (USMT) |
|
User Profiles
What is the Windows Easy Transfer? |
Windows Easy Transfer is a utility that comes with Windows 7 that you can use to transfer user profile data from computers running Windows XP, Windows Vista, or Windows 7 to new computers running Windows 7.
|
|
User Profiles
What can Windows Easy Transfer be used to transfer? |
Windows Easy Transfer can be used to transfer user accounts, documents, music, pictures, e-mail, bookmarks, certificates, and other data.
|
|
User Profiles
What methods does Windows Easy Transfer use to migrate user profiles? |
There are three separate methods that you can use to migrate data with Windows Easy Transfer:
Easy Transfer Cable, Network, and External Hard Disk or USB Flash Drive |
|
User Profiles
Tip: Windows Easy Transfer migration |
If you want to migrate only a single user account, you can log on with that account to perform the transfer.
If you want to migrate all accounts on the computer, you need to log on with a user account that has local administrator privileges. |
|
User Profiles
What is the USMT? |
User State Migration Tool: a command-line utility that allows you to automate the process of user profile migration.
|
|
User Profiles
Tip: USMT is part of the WAIK and is a better tool for performing a large number of profile migrations than Windows Easy Transfer. |
|
User Profiles
Tip: USMT can write data to a removable USB storage device or a network share but cannot perform a direct side-by-side migration over the network from the source to the destination computer. |
|
User Profiles
Abbrev: WAIK |
WAIK - Windows Automated Installation Kit
|
|
User Profiles
Abbrev: ACLs |
Access control lists
|
|
User Profiles
Does USMT migrate ACLs? |
The USMT tool also migrates access control lists (ACLs) for files and folders, ensuring that permissions set on the source computer are retained on the destination computer.
|
|
User Profiles
What does USMT not migrate? |
You cannot use USMT to migrate mapped network drives, local printers, device drivers, passwords, shared folder permissions, and Internet connection sharing settings.
|
|
User Profiles
What are the different migration files? |
There are four different .xml migration files used with the USMT:
MigApp.xml, MigUser.xml, MigDocs.xml, and Config.xml |
|
User Profiles
How does the Config.xml file help? |
Config.xml is used to exclude features from the migration. You can create and modify the Config.xml file using
ScanState.exe with the /genconfig option. |
|
User Profiles:
What are the two USMT commands? |
ScanState
LoadState |
|
User Profiles:
What does the ScanState command do? |
ScanState scans the source computer during the migration
|
|
User Profiles:
What are the different migration store types? |
Uncompressed, Compressed, and Hard-link |
|
User Profiles:
What are hard-link migration stores used for? |
Hard-link migration stores are used in wipe-and-load scenarios only.
|
|
User Profiles:
Can USMT be used for offline migrations? |
Yes. You can use USMT to perform offline migrations.
|
|
User Profiles:
What migration file specifies which user data and ACLs are migrated? |
USMT uses the MigUser.xml file to define how to migrate access control lists and user data.
|
|
User Profiles:
Abbrev: SOE |
SOE - standard operating environment
|
|
User Profiles:
Can USMT be used on a workstation with BitLocker? |
USMT cannot be used on a computer with BitLocker activated. Suspend BitLocker to run USMT.
|
|
User Profiles:
What happens during an offline migration? |
Offline migrations involve booting the computer into a Windows PE environment that
includes the USMT files and then running ScanState against the installation of Windows on the computer’s hard disk drive. You must still run the LoadState feature of the migration from within Windows 7. You cannot run LoadState when booted into a Windows PE environment. |
|
User Profiles:
1. Which of the following operating systems support an offline migration using USMT? A. Windows 2000 Professional B. Windows XP Professional C. Windows Vista D. Windows 7 |
1. Correct Answers: B, C, and D
A. Incorrect: Windows 2000 does not support offline migration using the USMT. B. Correct: Windows XP Professional supports offline migration using the USMT. C. Correct: Windows Vista supports offline migration using the USMT. D. Correct: Windows 7 supports offline migration using the USMT. |
|
2. Which of the following utilities can you use to transfer user encryption certificates from
a computer running Windows XP Professional to Windows 7 Professional? (Choose all that apply.) A. File Settings and Transfer Wizard B. USMT C. Windows Easy Transfer D. Robocopy.exe |
2. Correct Answers: B and C
A. Incorrect: File Settings and Transfer Wizard is a Windows XP utility; it cannot be used to migrate data to Windows 7. B. Correct: USMT can be used to transfer user encryption certificates from a computer running Windows XP Professional to a computer running Windows 7 Professional. C. Correct: Windows Easy Transfer can be used to transfer user encryption certificates from a computer running Windows XP Professional to a computer running Windows 7 Professional. D. Incorrect: Robocopy.exe cannot be used to transfer user encryption certificates from a computer running Windows XP Professional to a computer running Windows 7 Professional. |
|
3. Which XML file is used with ScanState to specify information about user profile data
that should be migrated? A. MigDocs.xml B. MigUser.xml C. MigApp.xml D. Config.xml |
3. Correct Answer: B
A. Incorrect: MigDocs.xml contains rules about locating user documents. B. Correct: MigUser.xml contains rules about migrating user profiles and user data. C. Incorrect: MigApp.xml contains rules about the migration of application settings. D. Incorrect: Config.xml contains information about what features to exclude from a migration. |
|
4. Which of the following must you download from Microsoft's Web site to obtain USMT 4.0?
A. Windows Anytime Upgrade B. Windows Upgrade Advisor C. WAIK D. Microsoft Application Compatibility Toolkit |
4. Correct Answer: C
A. Incorrect: Windows Anytime Upgrade is a tool used to upgrade from one edition of Windows 7 to another. It does not contain USMT 4.0. B. Incorrect: Windows Upgrade Advisor is a tool that advises you whether hardware and software used with a computer running Windows Vista is compatible with Windows 7. C. Correct: The WAIK contains USMT 4.0. D. Incorrect: The Microsoft Application Compatibility Toolkit does not include USMT 4.0. |
|
5. Which of the following types of USMT migration store types minimizes hard disk space
used when performing a wipe-and-load migration? A. Uncompressed B. Compressed C. Hard-link |
5. Correct Answer: C
A. Incorrect: Uncompressed migration stores use the most hard disk space because they create a copy of the data being migrated in a separate directory structure. B. Incorrect: Compressed migration stores create a compressed copy of the data being migrated in a separate directory structure. C. Correct: Hard-link migration stores create a set of hard links to all data that will be migrated in a separate location but do not actually duplicate that data on the volume. |