Chapter 08: 8.4.5 Practice Questions

You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows servers for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU. You are creating a security template that you plan to import into a GPO. What should you do to log whenever a user is unable to log on to any computer using a domain user account? (Select two. Each choice is a required part of the solution.) - Enable the logging of successful logon events. - Enable the logging of failed logon events. - Link the GPO to the Domain Controllers OU. - Enable the logging of failed account logon events. - Enable the logging of successful account logon events. - Link the GPO to the Member Servers an

- Link the GPO to the Domain Controllers OU. - Enable the logging of failed account logon events. Explanation: To audit unsuccessful logins: Audit the Account Logon event. This event type will be recorded when an account is authenticated against an account database, such as Active Directory. In short, Account Logon events are generated where the account lives; in the case of domain accounts, this would be domain controllers. Audit failed events. Link the GPO to the Domain Controllers OU. Domain logon uses a domain controller for authentication. Link the GPO to the member servers and the Workstation OUs if you want to audit logon events for every computer.

Privilege use tracks which of the following? (Select two.) - When a user accesses files or folders - When a user exercises a user right - When a user accesses a printer - When a system shuts down or restarts - When an administrator takes ownership of an object

- When a user exercises a user right - When an administrator takes ownership of an object Explanation: Privilege use auditing tracks when a user exercises a user right and when an administrator takes ownership of an object. Object access auditing tracks access to files, folders, or printers. Global Object Access Auditing allows you to create access control lists. System events auditing tracks system shutdown, restart, or the starting of system services. It also tracks events that affect security or the security log.

You are an administrator for a company that uses Windows servers. In addition to Active Directory, you provide file and print services, DHCP, DNS, and email services. There is a single domain and a single site. There are two member servers, one that handles file and print services only and one database server. You are considering adding additional servers as business increases. Your company produces mass mailings for its customers. The mailing list and contact information provided to your company by its clients are strictly confidential. Because of the private information sometimes contained in the data (one of your clients is a hospital), and because of the importance of the data to your operation, the data can also be considered a trade secret. You want to ensure the data stored on your member servers is only accessed by authorized personnel for business purposes. You've set file permissions to restrict access, b

Configure object access auditing in a GPO and link it to the domain. Explanation: Because you are considering adding servers, it would be best to implement your security policy in a GPO so that it will be applied automatically when new computers are added. The category of auditing that you want is Object Access, and it should be applied to the domain so that it applies to all computers. Linking the GPO to the Domain Controllers OU would result in the policy being applied only to the domain controllers, not to the member servers where the sensitive data is stored. System events is the wrong category to audit, as is logon access. Applying the policy directly to the database server leaves your other servers unprotected, including any new ones that are implemented later.

You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO and link the GPO to the domain. After several days, you check Event Viewer, but you do not see any events listed in the event log indicating changes to Active Directory objects. What should you do?

Edit the access list for the OU. Identify specific users and events to audit. Explanation: When configuring directory service access auditing, you must enable auditing for the domain or OU and then identify the users and objects you want to audit. Simply enabling auditing using a GPO will be insufficient. Using a filter or a custom view in Event Viewer can help you find events that you are looking for. However, without enabling auditing for specific users and objects, no events will be shown.

You suspect that sensitive information has been leaked. Which audit logs could you review to track who opened a file containing the sensitive data?

Object access Explanation: Object access auditing tracks access to files, folders, and printers. It can also audit actions taken by a certificate authority or changes made to your specific registry settings. For example, you can use object access auditing to track who deleted a particular file or who accessed a file that contains sensitive data. Auditing can also report who opened or modified a document. It can report who tried to open a document and could not because they didn't have the necessary permissions to access it. System events, logon and logoff, and account logon are all audit categories but would not provide information on file access.

You manage a single domain named widgets.com. This morning, you noticed that a trust relationship you established with another forest has changed. You reconfigured the trust, but you want to be able to identify if this change happens again in the future. You want to configure auditing to track this event. Which auditing category should you enable?

Policy change events Explanation: Audit policy change events to track changes to user rights, trust relationships, IPsec and Kerberos policies, or audit policies. Object access auditing tracks access to files, folders, or printers. Process tracking auditing records actions taken by applications. Process tracking auditing is used mainly for program debugging and tracking. System events auditing tracks system shutdown, restart, and the starting of system services. It also tracks events that affect security or the security log. Logon auditing tracks log on or log off on the local system or when a network connection is made to a system.

You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its security database. How can you create a policy that meets these requirements?

Select Audit Failure for the enabled audit policy. Explanation: Audit policy settings are used to define which events will be noted in a computer's security log when they occur. An audit policy is either enabled or disabled. When enabled, you can choose: Audit Success to identify who has gained access or who was able to exercise a right or privilege. Audit Failure to identify patterns of attempted access. In this scenario, you would choose Audit Failure to find out who might be attempting to break into a computer but is failing at the attempt. You do not select Audit Failure or Audit Success for the Active Directory domain; you select it for the audit policy.

You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use auditing to track who performs these actions. What should you do to only monitor the necessary events and no others? (Select two. Each choice is a required part of the solution.) - Create a GPO to configure auditing. Link the GPO to the Computers container. - Audit successful account management events. - Audit successful system events. - Audit failed account management events. - Create a GPO to configure auditing. Link the GPO to the domain. - Audit failed system events.

- Audit successful system events. - Create a GPO to configure auditing. Link the GPO to the domain. Explanation: To track when the system shuts down, audit successful system events. System events auditing tracks system shutdown, restart, and the starting of system services. It also tracks events that affect security or the security log. To configure auditing, create a GPO and link it to the domain or OU. In this example, to audit member servers, link the GPO to the domain. By default, member servers are in the Computers container. However, you cannot link a GPO to this container. A better solution would be to create an OU with only the member servers and then link the GPO to that OU. Linking the GPO to the domain means that system events will be audited on all computers in the domain. You do not need to audit failed events because you are only interested in when the system shuts down, not when someone tried to shut it down but was unsuccessful. Account management auditing tracks changes to user accounts. Directory service access auditing tracks changes to Active Directory objects.

You are consulting with the owner of a small network with a Windows server functioning as a workgroup server. There are six Windows desktop computers. There is no internet connectivity. The server contains possibly sensitive information, so the owner wants to make sure that no unauthorized access occurs. You suggest that auditing be configured so that access to sensitive files can be tracked. What can you do to ensure that the files generate audit results? (Select three. Each correct answer is part of the required solution.) - Make sure the account you logged into has permission to read the security log. - Make sure the Object Access auditing policy is configured for success and failure. - Make sure the properties on the Security log allow writes by all users. - Make sure the files to be audited are on NTFS partitions. - Make sure the correct users and groups are listed in the auditing properties of the files.

- Make sure the Object Access auditing policy is configured for success and failure. - Make sure the files to be audited are on NTFS partitions. - Make sure the correct users and groups are listed in the auditing properties of the files. Explanation: First, file auditing requires that the files to be audited are on NTFS, not FAT volumes. Next, the auditing properties require you to select which groups are going to be audited (in this case, Everyone is probably the correct entry). Finally, Object Access auditing must be enabled in the local security policy, or no results will be generated. Since you have an administrative account, you can read the log. Users do not write into the Security log; the System does. There is no way to allow users to write into the Security log.

You are the network administrator for your company. Rodney, a user in the research department, shares a computer with two other users. One day, Rodney notices that some of his documents have been deleted from the computer's local hard drive. You restore the documents from a recent backup. Rodney now wants you to configure the computer, so he can track all users who delete his documents in the future. You enable auditing of successful object access events in the computer's local security policy. Rodney then logs on and creates a sample document. To test auditing, you then log on and delete the document. However, when you examine the computer's security log, no auditing events are listed. How can you make sure an event is listed in the security log whenever one of Rodney's documents is deleted?

Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit the success of the Delete permission. Explanation: Object access events occur when a user accesses any object with its own access control list (such as a file, folder, registry key, or printer). In addition to enabling auditing of these types of events, you must also edit the properties of the specific objects you want to audit and define what type of access to the object you will audit. You configure auditing using special permissions (such as Delete) rather than the less advanced permissions (such as Modify, which includes the Delete special permission). In this scenario, you should audit the successful exercise of the permission.