Lesson 10: Maintaining Network Health

Multiple Choice

1. In a PKI, each user/computer possesses a piece of information that is known only to the individual user or computer that is called a __________.
a) public key
b) private packet
c) private key
d) shared secret key

2. Which digital document contains identifying information about a particular user, computer, service, and so on?
a) digital signature
b) digital certificate
c) certificate revocation list
d) smart card

3. Which of the following provides a detailed explanation of how a particular Certification Authority manages certificates and keys?
a) smart card
b) certificate template
c) Certificate Revocation List
d) Certificate Practice Statement

4. Which service responds to requests from clients concerning the revocation status of a particular certificate, sending back a digitally signed response indicating the certificate’s current status?
a) Web enrollment
b) Network Device Enrollment Service
c) Online Responder
d) Simple Certificate Enrollment Protocol

5. Which CA integrates with an Active Directory domain and can use certificate templates to allow autoenrollment of digital certificates, as well as store the certificates themselves within the Active Directory database?
a) standalone
b) enterprise
c) subordinate
d) none of the above

6. Certificate templates can be used to automate the deployment of PKI certificates by controlling the __________.
a) security settings associated with each template
b) user settings associated with each template
c) configuration settings associated with each template
d) networking settings associated with each template

7. Which security role is tasked with issuing and managing certificates, including approving certificate enrollment and revocation requests?
a) CA Administrator
b) Certificate Manager
c) Backup Operator
d) Auditor

8. Which of the following is not a privilege granted to certificate managers?
a) modify Certificate Revocation List (CRL) publication schedules
b) recover archived keys
c) issue, approve, deny, revoke, reactivate, and renew certificates
d) read records and configuration information in the CA database

9. To indicate the health status of a particular SHA, each SHA creates what kind of statement that it transmits to the NAP Agent?
a) System Health Agent
b) Statement of Health
c) Statewide Statement of Health
d) System Statement of Health

10. Who maintains information about the health of the NAP client computer and transmits information between the NAP Enforcement Clients and the System Health Agents?
a) Health Registration Authority
b) System Health Agent
c) NAP Agent
d) System Health Validator

11. A server that operates the NAP Enforcement Server components is referred to as a NAP __________.
a) Agent
b) enforcement point
c) enforcement server
d) none of the above

12. Depending on the enforcement method in use, a NAP enforcement point can take a number of different forms, such as what?
a) 802.1X-capable Wireless Access Point for 802.1X enforcement
b) Health Registration Authority (HRA) that can obtain health certificates from client computers when the IPSec enforcement method is used
c) Windows Server 2008 DHCP server for the DHCP enforcement method
d) All of the above

13. To distribute the load of issuing certificates in a geographically dispersed location, an organization can have one or more __________ CAs.
a) intermediate
b) subordinate
c) standalone
d) enterprise

14. Which enforcement method allows authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device?
a) Internet Protocol Security (IPSec) enforcement
b) VPN enforcement
c) 802.1X enforcement
d) Terminal Services Gateway (TS Gateway) enforcement

15. The IPSec NAP enforcement method relies on which type of PKI certificate to perform its enforcements?
a) IPSec certificate
b) NAP certificate
c) health certificate
d) recovery certificate

16. The NPS service combines each Statement of Health Response into what?
a) System Statement of Health Response
b) System Statement of Health Requirement
c) Statement of Health Requirement
d) System Statement of Health Policy

17. What is an optional component that can be deployed to allow non-compliant client computers to achieve network compliance and gain network access?
a) enforcement server
b) health policy server
c) health requirement server
d) remediation server

18. Which feature enables users to request their own PKI certificates, typically through a Web browser?
a) self-enrollment
b) recovery agents
c) autoenrollment
d) Web enrollment

19. What feature allows users or computers to manually request a certificate based on a template?
a) Enroll ACL
b) Write ACL
c) Read ACL
d) Autoenroll ACL

20. Which element of Active Directory Certificate Services utilizes the Online Certificate Status Protocol to act in response to client requests?
a) NDES
b) subordinate CA
c) Certificate Revocation List
d) Online Responder

True/False

21. DHCP is the only NAP enforcement method that can be deployed in a non-Active Directory environment.

22. If a client cannot provide the necessary health certificate, they will still be able to participate in IPSec-secured traffic.

23. Windows Server 2008, Windows Vista, and Windows XP with Service Pack 3 all have a built-in NAP client, and third-party vendors can use the NAP API to write additional clients for additional operating systems, such as Macintosh and Linux computers.

24. DHCP enforcement is the least secure enforcement method because a user can simply configure their computer with a static IP configuration to bypass any DHCP enforcement method that is in place.

25. Depending on the configuration item that is being monitored for compliance, autoremediation may not be possible.

Fill-in-the-Blank

26. Group Policy can be used to establish __________ settings for an Active Directory domain.

27. __________ is an extremely flexible command-line utility for administering Active Directory Certificate Services.

28. NAP can perform __________ if it detects that the client is out of compliance.

29. The top-level CA in any PKI hierarchy is the __________ CA.

30. A(n) __________ CA integrates with an Active Directory domain, and it can use certificate templates to allow autoenrollment of digital certificates, as well as store the certificates themselves within the Active Directory database.

31. Simple Certificate Enrollment __________ allows network devices to enroll for PKI certificates.

32. The __________ service combines each Statement of Health Response into a System Statement of Health Response (SSOHR).

33. Windows Server 2008, Windows Vista, and Windows XP with Service Pack 3 all have a built-in NAP client, and third-party vendors can use the NAP __________ to write additional clients for additional operating systems, such as Macintosh and Linux computers.

34. Enforcement __________ receive information from the Enforcement Clients on each client, which is then consumed by other components of the NAP server-side architecture.

35. To deploy the DHCP enforcement mechanism within Network Access Protection, you must first deploy a(n) __________ server running Windows Server 2008.

Short Answer

36. The new Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft’s larger what?

37. PKI consists of a number of elements that allow two parties to communicate securely without any previous communication through the use of a mathematical algorithm called what?

38. Users can use a smart card to authenticate to an Active Directory domain, access a Web site, or authenticate to other secured resources through the use of what type of physical device that attaches to a workstation?

39. What is the network protocol that allows network devices to enroll for PKI certificates?

40. Certification Authority Web Enrollment allows users to manually request certificates using a Web interface, which is located where by default on a CA that is running the Certification Authority Web Enrollment role service?

41. An escrow copy of a private key can be restored by one or more of what item?

42. What solution controls access to corporate network resources based on the identity of the computer attempting to connect to the resource, as well as the connecting computer’s compliance with corporate policies and standards like patching levels and Windows Firewall configurations?

43. What is the name of the specially configured PKI certificates used by the Internet Protocol Security (IPSec) enforcement method that are issued to clients that meet defined compliance standards?