Your network contains servers that run Windows Server 2008 R2 and client computers that run Windows 7. You deploy a public key infrastructure by using Certificate Services servers that run Windows Server 2008 R2.
You need to plan the implementation of smart card authentication on the network.
The solution must meet the following requirements:
- Help desk users must only be able to enroll user certificates.
- Managers must be able to enroll smart cards for other employees.
- Managers must be able to use their client computers to manage certificates.
What should you include in your plan?
A. Enable Web enrollment.
B. Configure Restricted Enrollment Agents.
C. Upgrade all certificates to V3 templates.
D. Configure Restricted Certificate Managers.
Correct Answer: B
Explanation/Reference:
The restricted enrollment agent is new functionality in the Windows Server® 2008 Enterprise operating system that allows an organization to limit the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users. The following sections describe this change and its implications.
Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations.
On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA.
http://technet.microsoft.com/en-us/library/cc753800%28v=ws.10%29.aspx