PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

You have an enterprise certification authority (CA).
You create a global security group named Group1.
You need to provide members of Group1 with the ability to issue and manage certificates.
The solution must prevent the Group1 members from managing certificates requested by members of the
Domain Admins group.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.


A. From the CA properties, modify the Policy Module settings.

B. From the Certificate Templates console, modify the Security settings of the Administrator certificate template.

C. From the CA properties, modify the security settings.

D. From the CA properties, modify the Enrollment Agents settings.

E. From the CA properties, modify the Certificate Managers Settings.

F. From the Certificate Templates console, modify the Security settings of the User certificate template.

8 Comments on “Which two actions should you perform?”

      1. Chris says:

        This is from Finkel:

        By default, members of the following built-in Active Directory Domain Services groups can manage a CA:
        Domain Admins
        Enterprise Admins
        Local Administrators
        One of the first tasks you should perform is to establish additional security groups for the management of the CA. Once
        that is complete you can delegate different CA management tasks to those groups, and by extension members of those
        groups, instead of having to add users to the powerful groups from the preceding list.
        To delegate permissions:
        Step 1. Log on to a Windows Server Certificate Authority.
        Step 2. Start Server Manager from either the Start Menu or the Taskbar.
        Step 3. Select Tools > Certification Authority.
        Step 4. Right-click the node for the current CA and select Properties.
        Step 5. Select the Security tab.
        Step 6. The default groups are listed. To add an additional group (it must already exist in the directory), click Add.
        Step 7. Use the standard directory browse dialog to find the group to add.
        Step 8. In the box shown in Figure 12-13, select the permissions for the group as described in the following list.
        Read: Users with this permission can launch the CA console and view the details but not perform any tasks.
        Issue and Manage Certificates: Users with this permission can issue new certificates and revoke existing certificates.
        Manage CA: Users with this permission can perform full CA management, including backup and recovery.
        Request Certificates: Users with this permission can request a certificate from the CA. By default all authenticated users have this permission.
        Step 9. Click OK




        0



        3
  1. yuri tsuprun says:

    answer should be A,C.
    add Group1 in security tab with “ability to issue and manage certificates” checked and then select in policy module properties “….The administrator must explicitly issue the certificate”




    0



    6
  2. davidcertifier says:

    I’m going with C and E in this case. Why?

    First, we need to give Group1 permissions to “Issue and Manage Certificates” which is an option in the security tab of the CA’s properties. Thus, answer C.

    Next, we need to restrict this group to Deny them access to the Administrator’s certificates.
    For that, we go to the Certificate Managers tab, click on “Restrict Certificate Managers”. At this point, Group1 should be listed. Click on it, then under Permissions, Add the Domain Admins group and click on Deny. Group1 can now no longer Manage and Issue for the Domain Admins group. Thus, answer E.
    See:
    https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx
    Or the links posted above by b0b.




    9



    0
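The Security tab permissions listed in the comments above (Read, Issue and Manage Certificates, Manage CA, Request Certificates) can be audited after delegation. The script below is an added example, not part of the original page or of any commenter's post. It assumes it runs elevated on the CA server under PowerShell 5 or later, and it reads only the CA's Security tab ACL, not the Certificate Managers restrictions.

```powershell
# Added example: list which principals hold each CA permission.
# Assumption: run elevated on the CA server (PowerShell 5+).
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $cfg).Active               # name of the active CA
$bytes  = (Get-ItemProperty -LiteralPath "$cfg\$caName").Security   # REG_BINARY security descriptor
$sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)

# CA access-mask bits, labelled as they appear on the Security tab
$rights = [ordered]@{
    'Manage CA'                     = 0x1
    'Issue and Manage Certificates' = 0x2
    'Read'                          = 0x100
    'Request Certificates'          = 0x200
}

$report = foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }

    # Resolve the SID to a name; keep the raw SID if it cannot be resolved
    $principal = try {
        $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $ace.SecurityIdentifier.Value
    }

    $held = $rights.Keys | Where-Object { $ace.AccessMask -band $rights[$_] }

    [pscustomobject]@{
        Principal   = $principal
        AceType     = $ace.AceQualifier        # AccessAllowed or AccessDenied
        Permissions = $held -join ', '
    }
}

$report | Sort-Object Principal | Format-Table -AutoSize -Wrap

# Principals that can issue and revoke certificates on this CA
$report |
    Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Permissions -match 'Issue and Manage' } |
    Select-Object -ExpandProperty Principal
```

The final list should contain only the groups intended to act as certificate managers; any unexpected entry is worth reviewing before relying on the delegation.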
