PrepAway - Latest Free Exam Questions & Answers

Your user account is assigned the certificate manager r…

Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
Your user account is assigned the certificate manager role and the auditor role on the contoso.com CA.
Your account is a member of the local Administrators group on Server1.
You enable CA role separation on Server1.
You need to ensure that you can manage the certificates on the CA.
What should you do?

A. Remove your user account from the local Administrators group.

B. Assign the CA administrator role to your user account.

C. Assign your user account the Bypass traverse checking user right.

D. Remove your user account from the Manage auditing and security log user right.

Explanation:
Separation of CA roles is enforced by enabling role separation on the CA. Once enforced, role separation allows a user to hold only a single CA role: if a user who holds more than one role attempts to perform an operation on the CA, the operation is denied. For this reason, before role separation is enabled, each user should be assigned only one CA role.
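As an added illustration (not part of the PrepAway page and not Microsoft's own tooling), the PowerShell snippet below, run in an elevated session on the CA server, reports whether role separation is enforced and which role-defining rights the current token carries, then warns when more than one role is held. The `RoleSeparationEnabled` value and the `certutil -getreg` call are documented; the regular expression over certutil's output and the `$isCaAdmin` / `$isCertManager` inputs (CA-object permissions are not visible from the token, so they are supplied by hand here) are assumptions.

```powershell
# Added example: audit the current account against CA role separation.
# Assumes an elevated PowerShell session on the CA (Server1 in the scenario).

# 1. Is role separation enforced? The flag is a DWORD in the CA's registry
#    configuration; certutil -getreg reads it and fails if the value is absent.
$roleSep  = & certutil -getreg 'CA\RoleSeparationEnabled' 2>$null
$enforced = ($LASTEXITCODE -eq 0) -and
            (($roleSep -join "`n") -match 'RoleSeparationEnabled\s+REG_DWORD\s*=\s*(0x)?1\b')  # assumed output format

# 2. Role-defining user rights present in the current token:
#    SeSecurityPrivilege = "Manage auditing and security log" -> CA auditor role
#    SeBackupPrivilege   = "Back up files and directories"    -> CA backup operator role
$privs     = (& whoami /priv) -join "`n"
$heldRoles = @()
if ($privs -match 'SeSecurityPrivilege') { $heldRoles += 'Auditor (Manage auditing and security log)' }
if ($privs -match 'SeBackupPrivilege')   { $heldRoles += 'Backup operator (Back up files and directories)' }

# 3. CA administrator and certificate manager are permissions on the CA object
#    (Manage CA / Issue and Manage Certificates), set in the CA's security ACL.
#    They are supplied as inputs here; the values mirror the question's scenario.
$isCaAdmin     = $false   # assumption: set from the CA's security tab
$isCertManager = $true    # assumption: set from the CA's security tab
if ($isCaAdmin)     { $heldRoles += 'CA administrator (Manage CA)' }
if ($isCertManager) { $heldRoles += 'Certificate manager (Issue and Manage Certificates)' }

# 4. Report, and flag the role-separation conflict the explanation describes.
"Role separation enforced: $enforced"
"Roles held by $($env:USERNAME):"
$heldRoles | ForEach-Object { "  - $_" }

if ($enforced -and $heldRoles.Count -gt 1) {
    Write-Warning ("Role separation is enforced and this account holds {0} CA roles; " +
                   "CA operations will be denied until it holds exactly one.") -f $heldRoles.Count
}
```

The check reads the token rather than group membership on purpose: the auditor and backup operator roles are granted by user rights, so a right inherited through local Administrators still counts as a held role once role separation is on.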

3 Comments on “Your user account is assigned the certificate manager r…”

  1. pikapoka says:

    Shouldn’t it be A?

    Administrator concerns
    The default installation setting for a stand-alone CA is to have members of the local Administrators group as CA administrators. The default installation setting for an enterprise CA is to have members of the local Administrators, Enterprise Admins, and Domain Admins groups as CA administrators. To limit the power of any of these accounts, they should be removed from the CA administrator and certificate manager roles when all CA roles are assigned.
    As a best practice, group accounts that have been assigned CA administrator or certificate manager roles should not be members of the local Administrators security group. Also, CA roles should only be assigned to group accounts and not individual user accounts.
    Note: Membership in the local Administrators group on the CA is required to renew a CA certificate. Members of this group can assume administrative authority over all other CA roles.
    https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx#Roles_and_activities
    1. bob says:

      “Users can be assigned to only one role, and if they are assigned to more than one role, they are unable to perform any CA-related activities.”
      Unfortunately this contradicts the article you posted, but I believe the given answer is correct. I have read other articles stating the same thing. Because the question is specifically asking for “managing certificates” to work, all we need to do is remove the auditor role for the other to work again.
      https://technet.microsoft.com/en-us/library/dn786426(v=ws.11).aspx