What should you recommend?

Your network consists of one Active Directory domain that contains two servers named Server1 and
Server2 that run Windows Server 2008. Server1 runs Active Directory Certificate Services (AD CS)
and is configured as an enterprise root certification authority (CA). Server1 is only accessible from
the internal network. Server1 issues certificates to both internal and external client computers that
run Windows Vista. Server2 is configured as a Web server. Server2 is located in the perimeter
network and is only accessible through HTTP. The network is configured as shown in the following
diagram.

You need to recommend an e-mail security solution for all Windows Vista client computers that
meets the following requirements. Users must only request status information for individual
certificates. Users must be notified when they attempt to send a secure e-mail message to a user
that has an expired certificate. What should you recommend?

A.
Configure a root CA on Server2.

B.
Configure a subordinate CA on Server2.

C.
Configure the Online Responder service on Server2.

D.
Configure a certificate revocation list (CRL) distribution point on Server2.

Explanation:
To ensure that clients can request status information only for individual certificates, and that
users are notified when they attempt to send a secure e-mail message to a user that has an expired
certificate, you need to configure the Online Responder service on Server2. An Online Responder
receives and responds only to requests from clients for information about the status of a single
certificate. Online Responders, which distribute Online Certificate Status Protocol (OCSP)
responses, and CRLs are the two common methods for conveying information about the validity of
certificates. CRLs should not be used here because they are distributed periodically and contain
information about all certificates that have been revoked or suspended.
Reference: AD CS: Online Certificate Status Protocol Support
http://technet2.microsoft.com/windowsserver2008/en/library/99d1f392-6bcd-4ccf-94ee-640fc100ba5f1033.mspx?mfr=true


