###BeginCaseStudy###
Case Study 6: Contoso Ltd Case D
Overview
Contoso, Ltd., is a manufacturing company that makes several different components that are used in automobile production. Contoso has a main office in Detroit, a
distribution center in Chicago, and branch offices in Dallas, Atlanta, and San Diego. The contoso.com forest and domain functional level are Windows Server 2008
R2. All servers run Windows Server 2012 R2, and all client workstations run Windows 7 or Windows 8. Contoso uses System Center 2012 Operations Manager and
Audit Collection Services (ACS) to monitor the environment. There is no certification authority (CA) in the environment.
Current Environment
The contoso.com domain contains the servers as shown in the following table:
Contoso sales staff travel within the United States and connect to a VPN by using mobile devices to access the corporate network. Sales users authenticate to the
VPN by using their Active Directory usernames and passwords. The VPN solution also supports certification-based authentication.
Contoso uses an inventory system that requires manually counting products and entering that count into a database. Contoso purchases new inventory software
that supports wireless handheld scanners and several wireless handheld scanners. The wireless handheld scanners run a third party operating system that supports
the Network Device Enrollment Service (NDES).
Business Requirements
Security
The wireless handheld scanners must use certification-based authentication to access the wireless network.
Sales users who use mobile devices must use certification-based authentication to access the VPN. When sales users leave the company, Contoso administrators
must be able to disable their VPN access by revoking their certificates.
Monitoring
All servers must be monitored by using System Center 2012 Operating Manager. In addition to monitoring the Windows operating system, you must collect security
logs from the CA servers by using ACS, and monitor the services that run on the CA and Certificate Revocation List (CRL) servers, such as certification authority
and web services.
Technical Requirements
CA Hierarchy
Contoso requires a two-tier CA hierarchy. The CA hierarchy must include a stand-alone offline root and two Active Directory-integrated issuing CAs: one for issuing
certificates to domain-joined devices, and one for issuing certificates to non-domain-joined devices by using the NDES. CRLs must be published to two web servers:
one in Detroit and one in Chicago.
Contoso has servers that run Windows Server 2012 R2 to use for the CA hierarchy. The servers are described in the following table:
The IT security department must have the necessary permissions to manage the CA and CRL servers. A domain group named Corp-IT Security must be used for
this purpose.
The IT security department users are not domain admins.
Fault Tolerance
The servers that host the CRL must be part of a Windows Network Load Balancing (NLB) cluster. The CRL must be available to users in all locations by using the
hostname crl.contoso.com, even if one of the underlying web servers is offline.
###EndCaseStudy###
This question consists of two statements: One is named Assertion and the other is named Reason. Both of these statements may be true; both may be
false; or one may be true, while the other may be false.
To answer this question, you must first evaluate whether each statement is true on its own. If both statements are true, then you must evaluate whether the Reason
(the second statement) correctly explains the Assertion (the first statement). You will then select the answer from the list of answer choices that matches your
evaluation of the two statements.
Assertion:
You must install and configure Network Device Enrollment Services (NDES) on CHICA01
Reason:
NDES allows non-domain joined devices to obtain a Certificate Revocation List from Active Driectory-integrated certification authority, and then validate whether
certificates is valid.
Evaluate the Assertion and Reason statements and choose the correct answer option.
A.
Both the Assertion and Reason are true, and the Reason is the correct explanation for the Assertion.
B.
Both the Assertion and Reason are true, but the Reason is not the correct explanation for the Assertion.
C.
The Assertion is true, but the Reason is false.
D.
The Assertion is false, but the Reason is true.
E.
Both the Assertion and the Reason are false.
D
Although you can install NDES on a CA, it is not recommended. Reason is valid.
Somebody please comment for confirmation. CHICA01 is supposed to be used for NDES registration of non-domain joined devices…which would make C correct, but I’m on the fence about this one.
I was actually wrong in my original post. I’m debating between either C or E.
http://windowsitpro.com/security/setting-network-device-enrollment-service
The NDES server role shouldn’t be installed on a device that’s running the enterprise CA role, to minimize the attack surface and protect the CAs private key. NDES is intended for organizations that already have a PKI in place and want to issue certificates to network devices, such as routers and firewalls, to improve security by protecting network traffic with IPsec.
I’m going for E.
I pick E.
http://windowsitpro.com/security/setting-network-device-enrollment-service
The NDES server role shouldn’t be installed on a device that’s running the enterprise CA role, to minimize the attack surface and protect the CAs private key. NDES is intended for organizations that already have a PKI in place and want to issue certificates to network devices, such as routers and firewalls, to improve security by protecting network traffic with IPsec.
What is NDES?
The Network Device Enrollment Service performs the following functions:
1.Generates and provides one-time enrollment passwords to administrators
2.Submits enrollment requests to the CA
3.Retrieves enrolled certificates from the CA and forwards them to the network device
E
On “Add Roles and Features Wizard”: Network Device Enrollment Service makes it possible to issue and manage certificates for routers and other network devices that do not have network accounts