6.5 - Audit Policies
You are an administrator for a company that uses Windows servers. In addition to Active Directory, you provide file and print services, DHCP, DNS, and email services. There is a single domain and a single site. There are two member servers, one that handles file and print services only and one database server. You are considering adding additional servers as business increases... You want to ensure the data stored on your member servers is only accessed by authorized personnel for business purposes. You've set file permissions to restrict access, but you want to track the authorized users. How should you configure your security policy to track access to the data files?
Configure object access auditing in a GPO and link it to the domain.
You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use auditing to track who performs these actions. What should you do only to monitor the necessary events and no others? (Select two. Each choice is a required part of the solution.)
Create a GPO to configure auditing. Link the GPO to the domain. Audit successful system events.
You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO and link the GPO to the domain. After several days, you check Event Viewer, but you do not see any events listed in the event log indicating changes to Active Directory objects. What should you do?
Edit the access list for the OU. Identify specific users and events to audit.
You are the network administrator for your company. Rodney, a user in the research department, shares a computer with two other users. One day, Rodney notices that some of his documents have been deleted from the computer's local hard drive. You restore the documents from a recent backup. Rodney now wants you to configure the computer, so he can track all users who delete his documents in the future. You enable auditing of successful object access events in the computer's local security policy. Rodney then logs on and creates a sample document. To test auditing, you then log on and delete the document. However, when you examine the computer's security log, no auditing events are listed. How can you make sure an event is listed in the security log whenever one of Rodney's documents is deleted?
Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit the success of the Delete permission.
You suspect that sensitive information has been leaked. Which audit logs could you review to track who opened a file containing the sensitive data?
Object Access
You manage a single domain named widgets.com. This morning, you noticed that a trust relationship you established with another forest has changed. You reconfigured the trust, but you want to be able to identify if this change happens again in the future. You want to configure auditing to track this event. Which auditing category should you enable?
Policy change events
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its security database. How can you create a policy that meets these requirements?
Select Audit Failure for the enabled audit policy.
Privilege use tracks which of the following? (Select two.)
When a user exercises a user right When an administrator takes ownership of an object
You are the security administrator for your organization. Your multiple-domain Active Directory forest uses Windows servers for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU. You are creating a security template that you plan to import into a GPO. What should you do to log whenever a user is unable to log on to any computer using a domain user account? (Select two. Each choice is a required part of the solution.)
Enable the logging of failed account logon events. Link the GPO to the Domain Controllers OU.
You are consulting with the owner of a small network with a Windows server functioning as a workgroup server. There are six Windows desktop computers. There is no internet connectivity. The server contains possibly sensitive information, so the owner wants to make sure that no unauthorized access occurs. You suggest that auditing be configured so that access to sensitive files can be tracked. What can you do to ensure that the files generate audit results? (Select two.)
Make sure the files to be audited are on NTFS partitions. Make sure the correct users and groups are listed in the auditing properties of the files.