1. What does the ENROLLEE_SUPPLIES_SUBJECT flag control on a certificate template?
- Whether the certificate can be used for authentication
- Whether the person requesting the certificate can specify whose identity the certificate claims
- Whether the certificate requires manager approval before issuance
- Whether the certificate's private key can be exported from the machine
2. A template has Client Authentication EKU and ENROLLEE_SUPPLIES_SUBJECT enabled, but enrollment is restricted to Domain Admins only. According to the lesson, is this a risk?
- Yes — any template with these settings is always critical regardless of enrollment rights
- No — the restricted enrollment rights significantly reduce the risk because the attacker already needs high privileges to exploit it
- Yes — because the EKU setting alone makes any template critical
- No — because Domain Admins cannot request certificates in AD CS
3. According to the lesson, what is the relationship between the CA and certificate templates?
- The CA uses its own judgment to decide whether a certificate request is safe before issuing
- The CA follows the template — if the template allows it, the CA issues the certificate regardless of whether the result is dangerous
- The CA overrides template settings when it detects a potentially dangerous certificate request
- Templates are suggestions that the CA may or may not follow depending on security policies
4. What does the lesson identify as the dangerous three-property combination in a certificate template?
- Long validity period, no CRL checking, and exportable private key
- The requester can specify the subject identity, the certificate enables authentication, and low-privilege users can enroll
- Multiple EKUs enabled, no key archival, and automatic enrollment
- Schema version 1, no authorized signatures, and subordinate CA template type
5. The lesson distinguishes between enrollment rights and template configuration. Why does this distinction matter?
- Because enrollment rights are more important than template configuration
- Because enrollment rights control who can submit a request, while the template controls what the resulting certificate can do — both must be restrictive for the template to be safe
- Because enrollment rights are set by Microsoft and cannot be changed by administrators
- Because template configuration is irrelevant if enrollment rights are properly set