Microsoft 2 Testbank 15

A. NTLM is alles voor non domein

C. NT Lan manager. NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users

c. sending a password to the server NTLM uses a challenge-response mechanism for authentication in which clients can prove their identities without sending a password to the server.

a. a secure network authentication protocol Kerberos is a computer network authentication protocol that allows hosts to prove their identity securely over a non-secure network

b. secret key With Kerberos, security and authentication are based on secret-key technology. Every host on the network has its own secret key

b. 5 minutes For all of this to work and to ensure security, the domain controllers and clients must have the same time. Windows operating systems include the Time Service tool (W32Time service). Kerberos authentication will work if the time interval between the relevant computers is within the maximum enabled time parameters. The default is five minutes

d. service class, host name, and port number The SPN consists of three components: the service class, such as HTTP (which includes both the HTTP and HTTPS protocols) or SQLService, the host name, and the port (if port 80 is not used).

b. The client receives an access denied error. If a client submits a service ticket request for an SPN that does not exist in the identity store, no service ticket can be established and the client throws an access denied error.

d. ADSI Edit

a. Domain Administrator privileges d. the editor runs from the domain controller To configure an SPN for a service or application pool account, you must have domain administrative permissions or a delegation to modify the ServicePrincipalName property. You also must run ADSI Edit from a domain controller

c. setspn You can use setspn.exe to add SPNs to an account.

c. service A service account is an account under which an operating system, process, or service runs.

a. using strong passwords c. granting the least rights To reduce the risk of using service accounts, you should use a strong password for the service account and make sure that the password changes often. Also, give the account the least amount of access (user rights, NTFS permissions, and share permissions) that it needs to perform its necessary tasks.

b. automatic password management c. simplified SPN management To simplify administration, MSAs provide automatic password management and simplified SPN management.

c. group MSAs The Windows PowerShell cmdlets default to managing the group Managed Service Accounts rather than the original standalone MSAs.

c. NT Serviceservicename A virtual account is an account that emulates a Network Service account that has the name NT Serviceservicename. The virtual account has simplified service administration, including automatic password management, and simplified SPN management

Complicated Although Kerberos is more secure than NTLM, it is also more complicated than NTLM, which requires additional configuration, such as requiring a service principal name (SPN) for the domain account.

The Time Service. Systems need to be time synchronized within a certain amount of lapse. For all of this to work and to ensure security, the domain controllers and clients must have the same time. Windows operating systems include the Time Service tool (W32Time service). Kerberos authentication will work if the time interval between the relevant computers is within the maximum enabled time parameters.

Current ticket, double hop authentication. When the client connects to a server or service, Kerberos uses the current client ticket proving that the client is authenticated. As a result, the service does not have to perform authentication to a domain controller. Kerberos also can perform a double-hop authentication. Both of these Kerberos benefits improve authentication performance.

Kerberos forwards the authentication ticket from one service to another to prove

To secure the double-hop authentication, you can configure Kerberos constrained delegation. Constrained delegation restricts which services are allowed to delegate user credentials by specifying—for each application pool or service—the services to which a Kerberos ticket can be forwarded.

d. service principal name

c. a key distribution services root key Before you can create an MSA object type, you need to create a key distribution services root key for the domain.

b. log on as a service On the Log On tab, confirm that the name appears with a dollar sign ($). The account will be given the Log On As Service right

d. maximum tolerance for computer clock synchronization The setting for maximum tolerance for computer clock synchronization defines the maximum time skew that can be tolerated between a ticket's timestamp and the current time at the KDC. Kerberos uses a timestamp to protect against replay attacks. The default setting is 5 minutes.

b. maximum lifetime for user ticket The setting for maximum lifetime for user ticket defines the maximum lifetime ticket for a Kerberos TGT ticket (user ticket). The default lifetime is 10 hours.

a. maximum lifetime for service ticket The setting for maximum lifetime for service ticket defines the maximum lifetime of a service ticket (Kerberos ticket). The default lifetime is 10 hours.

c. maximum lifetime for user ticket renewal