54 Cards in this Set
What do ACLs do?
They are the rules that determine the level of access a security principal (user, group) has.
What is an Access Token called in a Windows Server environment?
A Kerberos ticket (Issued by Kerberos/the Security Support Provider)
What is Authentication?
It is simply the process that proves you are who you say you are (e.g. username and password).
What is Authorization?
Once authenticated, the security principal gains authorization by presenting their access token to a desired resource. The resource checks your permissions on its DACL based on your access token.
What is Server Core?
It is a stripped-down version of Windows Server with no GUI. It is more secure with a smaller attack surface, but it also has fewer features/capabilities than the full version of Windows Server.
Where is the AD database stored?
The Ntds.dit database file
Where should the AD database and System Volume (SYSVOL) be stored?
On separate volumes that do not contain other user data and application data.
What was Active Directory Lightweight Directory Services named before?
ADAM (Active Directory Applications Mode)
What is AD LDS for?
Designed to provide account services and similar directory benefits to applications without the overhead of a full domain.

It's great for development of software that interacts with AD without altering the production network.
Explain the reasons for PKI (Public Key Infrastructure)?
Origin authentication: Verification that a document or message was created by the person claimed. This is often referred to as a 'digital signature'.

Content integrity: Prove that a document has not been tampered with.

Content confidentiality (encryption): Protecting the contents of a document or message so that it can be read only by authorized users.

Non-repudiation: A security service whereby creation of a document or message cannot subsequently be denied.
What is asymmetric encryption?
Check out:
http://en.wikipedia.org/wiki/Public-key_cryptography
What is the basic building block of a PKI?
A digital certificate
What is a CA?
A trusted entity that issues digital certificates to clients, servers, etc.
What does ADSI stand for?
Active Directory Service Interfaces
What is ADSI?
It's a set of COM interfaces used to access the features of directory services.
It can be used to automate administrative tasks (mostly replaced by PowerShell now).
What is COM?
Component Object Model is a mechanism that allows the re-use of objects (or rather components), independently of the programming language used and where the component is implemented.
What is a drawback of ADSI?
You need complementary tools such as WMI, CDO and WSH to do things such as access hardware, send e-mail, or access the registry.
What is PowerShell?
An object-oriented command-line interface developed by Microsoft.

It is also used for scripting.
What is WMI?
WMI allows scripting languages like ADSI and Windows PowerShell to manage Microsoft Windows personal computers and servers, both locally and remotely.
What is WSH?
Windows Script Host is an automation technology that provides scripting abilities comparable to batch files, but with a wider range of supported features such as registry access.
What is CDO?
Collaborative Data Objects allows e-mail functionality from within a script.
What is Dynamic DNS?
It allows a client to dynamically add itself to DNS when it is assigned an IP by DHCP.
What is a Stub Zone (DNS)?
A DNS server that only contains the name server (NS) records of another DNS server.
Where is domain wide DNS information stored?
On the Domain Partition of the directory
Where is forest wide DNS information stored?
On the application directory partition
What is an ACL?
An Access Control List contains a list of Access Control Entries (Permissions).
True or false:
Authentication determines your level of access?
False, authorization does that.
What is the Authentication Process?
o User to MSGINA (Graphical Interactive Network Authentication) (the logon screen on the PC)

o MSGINA hands it off to the LSA (Local system authority), which determines if it's a remote or local account

o LSA hands it off to the SSP (Security Support Provider), which is on the DC if remote (the Kerberos engine)
What is the Authorization Process for a print job?
o User sends the print job and token to the print server.
o Server checks to see if the ACL is valid and which ACL applies to it.
o If the user has access, the job prints.
What is an Online Responder?
They are designed to respond to specific certificate validation requests through the Online Certificate Status Protocol (OCSP). Using an OR, a system relying on a PKI does not need to obtain a full CRL and can instead submit a validation request for a specific certificate.
What AD CS Feature allows for routers and switches to participate in a Windows PKI?
NDES (Network Device Enrollment Service)
True or False:
Best practice suggests having a Root CA be a stand-alone server.
True, and it should be taken offline as soon as the Enterprise Subordinate CAs are set up.
What are the four elements of AD CS?
Certificate Authorities, CA Web Enrollment, Online Responders and Network Device Enrollment Service.
What is a CRL?
A Certificate Revocation List shows certificates that have been revoked (made invalid).
What is a Delta CRL?
A Delta CRL is a partial CRL that only contains entries for certificates that have been revoked since the issuance of a prior, base CRL.
What are Certificate Templates?
Certificate templates are used to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process.
What is the AIA?
The Authority Information Access is a certificate extension that contains URLs where the issuing CA certificate can be retrieved.
Site Link frequency is best defined as...
How often the link attempts to replicate information within the specified availability (schedule).
Universal Group Membership is maintained in the
Global Catalog
True or False: You can send email to a security group.
True
By default, the background group policy refresh interval is every ____ minutes.
90
Rather than wait until next user logoff or background policy refresh interval, you can force a group policy update via...
gpupdate.exe /force
To ensure that a Group Policy's settings do not get overwritten, you can...
Enable the "No Override" switch
To determine which group policies were applied to a particular user and/or PC, you would run:
gpresult.exe
What is AD FS?
Active Directory Federation Services is a software component that provides users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity.
What is AD RMS?
Active Directory Rights Management Services uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mail, Word documents, and web pages, and the operations authorized users can perform on them.

Companies can use this technology to encrypt information stored in such document formats, and through policies embedded in the documents, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time.
What are the two organizations required in AD FS?
The Resource Organization and the Account Organization
In AD FS, what are Claims?
Assertions used to determine a user’s level of access to an application. Can be as simple as a user account name or groups.
What is the Account Partner responsible for (AD FS)?
The organization that hosts the user accounts (in AD DS or AD LDS) that need to use those resources.
What is the Resource Partner responsible for (AD FS)?
The organization responsible for maintaining the web resources.
What are examples of applications that can use AD RMS?
Office, SharePoint, Exchange Server
What are the states that certificates can have (AD CS)?
o Creation
o Revocation
o Expiration
o Suspension
What is the difference between a Standalone PKI and Enterprise PKI (AD CS)?
Standalone CA – does not require AD, is less automated (requests are set to Pending) and requires more input from users.

Enterprise Certificate Authority – Integrates with AD and uses IIS to allow users to request Certificates. The certificate verification is mostly automated by verifying AD for the user’s identity and information.
What is NDES (AD CS)?
Network Device Enrollment Service is used to enable devices such as routers and switches as well as applications to request certificate enrollment with CAs.