MS Server Administration Chapter 8 8.4.5
You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use auditing to track who performs these actions. What should you do to only monitor the necessary events and no others? (Select two. Each choice is a required part of the solution.)
- Create a GPO to configure auditing. Link the GPO to the domain.
- Audit successful system events.
- Audit failed account management events.
- Audit failed system events.
- Create a GPO to configure auditing. Link the GPO to the Computers container.
- Audit successful account management events.
Create a GPO to configure auditing. Link the GPO to the domain. Audit successful system events.
You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You want to only enable auditing that shows you the old and new values of the changed objects. Which directory service auditing subcategory should you enable?
- Directory Service Changes
- Directory Service Replication
- Directory Service Access
- Detailed Directory Service Replication
Directory Service Changes
You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO and link the GPO to the domain. After several days, you check Event Viewer, but you do not see any events listed in the event log indicating changes to Active Directory objects. What should you do?
- Create a custom view in Event Viewer that shows only Active Directory events.
- Edit the access list for the OU. Identify specific users and events to audit.
- Link the GPO to the Sales OU.
- Create a filter in Event Viewer that shows only Active Directory events.
Edit the access list for the OU. Identify specific users and events to audit.
You are the network administrator for your company. Rodney, a user in the research department, shares a computer with two other users. One day, Rodney notices that some of his documents have been deleted from the computer's local hard drive. You restore the documents from a recent backup. Rodney now wants you to configure the computer so he can track all users who delete his documents in the future. You enable auditing of successful object access events in the computer's local security policy. Rodney then logs on and creates a sample document. To test auditing, you then log on and delete the document. However, when you examine the computer's security log, no auditing events are listed. How can you make sure an event is listed in the security log whenever one of Rodney's documents is deleted?
- Configure the local security policy to audit successful system events.
- Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Modify permission.
- Configure the local security policy to audit failed system events.
- Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Delete permission.
- Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit failure of the Delete permission.
- Configure the local security policy to audit failed object access events.
Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Delete permission.
You are the security administrator for your organization. Your multiple-domain Active Directory forest uses Windows Server domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. What should you do to be able to check each server's log for the events? (Choose two. Each choice is a required part of the solution.)
- Enable the logging of logon events.
- Enable the logging of system events.
- Enable the logging of account logon events.
- Link the GPO to the Member Servers OU.
- Enable the logging of object access events.
- Link the GPO to the Domain Controllers OU.
Enable the logging of logon events. Link the GPO to the Member Servers OU.
You are the security administrator for your organization. Your multiple-domain Active Directory forest uses Windows servers for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU. You are creating a security template that you plan to import into a GPO. What should you do to log whenever a user is unable to log on to any computer using a domain user account? (Select two. Each choice is a required part of the solution.)
- Enable the logging of successful logon events.
- Link the GPO to the Domain Controllers OU.
- Enable the logging of successful account logon events.
- Link the GPO to the Member Servers and Workstations OU.
- Enable the logging of failed logon events.
- Enable the logging of failed account logon events.
Link the GPO to the Domain Controllers OU. Enable the logging of failed account logon events.
You manage a single domain named widgets.com. This morning, you noticed that a trust relationship you established with another forest has changed. You reconfigured the trust, but you want to be able to identify if this change happens again in the future. You want to configure auditing to track this event. Which auditing category should you enable?
- System events
- Logon events
- Process tracking events
- Policy change events
- Object access events
Policy change events
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to change a user's group membership in a computer's local database. How can you create a policy that meets these requirements?
- Select Failure for Audit object access.
- Select Success for Audit object access.
- Select Failure for Audit system events.
- Select Success for Audit system events.
- Select Failure for Audit account management.
- Select Success for Audit account management.
Select Failure for Audit account management.
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to manipulate files on computers that have been secured through NTFS permissions. How can you create a policy that meets these requirements?
- Select Failure for Audit object access.
- Select Success for Audit object access.
- Select Failure for Audit system events.
- Select Success for Audit system events.
- Select Failure for Audit account management.
- Select Success for Audit account management.
Select Failure for Audit object access.
You are an administrator for a company that uses Windows servers. In addition to Active Directory, you also provide file and print services, DHCP, DNS, and email services. There is a single domain and a single site. There are two member servers, one that handles file and print services only, and one database server. You are considering adding additional servers as business increases. Your company produces mass mailings for its customers. The mailing list and contact information provided to your company by its clients is strictly confidential. Because of the private information sometimes contained in the data (one of your clients is a hospital), and because of the importance of the data to your operation, the data can also be considered a trade secret. You want to ensure the data stored on your member servers is only accessed by authorized personnel for business purposes. You've set file permissions to restrict access, but you want to track the authorized users. How should you configure your security policy to track access to the data files?
- Configure object access auditing in a GPO and link it to the Domain Controllers OU.
- Configure logon access auditing in a GPO and link it to the Domain Controllers OU.
- Configure object access on the database server.
- Configure object access auditing in a GPO and link it to the domain.
- Configure system events auditing on the domain controllers.
Configure object access auditing in a GPO and link it to the domain.
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its security database. How can you create a policy that meets these requirements?
- Select Failure for Audit account logon events.
- Select Success for Audit account logon events.
- Select Failure for Audit logon events.
- Select Success for Audit logon events.
- Select Failure for Audit system events.
- Select Success for Audit system events.
Select Failure for Audit account logon events.
You are consulting with the owner of a small network that has a Windows server functioning as a workgroup server. There are six Windows desktop computers. There is no Internet connectivity. The server contains possibly sensitive information, so the owner wants to make sure that no unauthorized access occurs. You suggest that auditing be configured so that access to sensitive files can be tracked. What can you do to make sure that the files generate audit results? (Choose three. Each correct answer is part of the required solution.)
- Make sure the properties on the Security log allow writes by all users.
- Make sure the files to be audited are on NTFS partitions.
- Make sure the account you logged into has permission to read the security log.
- Make sure the correct users and groups are listed in the auditing properties of the files.
- Make sure the Object Access auditing policy is configured for success and failure.
Make sure the files to be audited are on NTFS partitions. Make sure the correct users and groups are listed in the auditing properties of the files. Make sure the Object Access auditing policy is configured for success and failure.