You have a properly configured certification authority in a active directory domain services domain.
You must implement two-factor authentication and use virtual smart cards to secure user sessions.
You need to implement two-factor authentication for each client device.
What should you install on each client device?
A.
A trusted platform module (TPM) chip.
B.
A user certificate issue by a certification authority.
C.
A smart card reader.
D.
A local computer certificate issued by a certificate authority.
Explanation:
Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed.
Basically… think BitLocker….
To Authenticate:
The Virtual Smart Card can be thought of as a Physical Smart card that is contained on the computer. You “swipe” that Virtual Smart Card in your Smart Card
Reader (the TPM chip) and then you enter a PIN to authenticate.
http://www.certifychat.com/70-414-a/344-install-client-device.html?highlight=implement+two-factor+authentication+client+device.
Um, the TPM comes on the motherboard…Incorrect.
You’d want to install: B, “a user certificate issued by a CA”
0
0
Well this one is a bit misleading. Normally TPM is a part of your motherboard yes but here is a post on putting the actual module\chip in the port..
https://www.pugetsystems.com/labs/support-software/Installing-and-Configuring-a-TPM-and-BitLocker-631/
If you got the TPM then you need to install a user certificate from the CA.
https://technet.microsoft.com/en-us/library/dn579260(v=ws.11).aspx#BKMK_Step3
Other questions regarding virtual smart cards are about TPM presence.
http://www.aiotestking.com/microsoft/how-can-you-ensure-that-all-windows-8-devices-support-virtual-smart-cards/
I think I would go for A:
0
0
Typical Microsoft red herring 😉 Thanks for your input!
0
0
I’ve changed my mind. I recently built a computer and I could have sworn that the TPM chips are pre-installed (soldered). They are not. You have to purchase/install them separately.
I agree with A.
0
0
Thank you, no!
0
0
Thank you, Han Solo!
0
0
The keyword is “VIRTUAL smart card”.
Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware.
https://technet.microsoft.com/en-us/library/dn593708(v=ws.11).aspx
0
0
https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards
The thing is, a TPM without a certificate is an incomplete solution. But a certificate without a TPM is also an incomplete solution. If the question asked, “What should you install first?” then I’d pick A. But it really should ask for two answers that are both part of a complete solution…
0
0