NET140 TestOut Chapter 8.4 Audit Policies
You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You want to only enable auditing that shows you the old and new values of the changed objects. Which directory service auditing subcategory should you enable?
Directory Service Changes
Explanation: Audit Directory Service Changes to record the old and new values for changed objects. Auditing the Directory Service Access subcategory records that a change has been made, but does not indicate the old and new values.
You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use auditing to track who performs these actions. What should you do to only monitor the necessary events and no others? (Select two. Each choice is a required part of the solution.)
Audit successful system events. Create a GPO to configure auditing. Link the GPO to the domain.
Explanation: To track when the system shuts down, audit successful system events. System events auditing tracks system shutdown, restart, and the starting of system services. It also tracks events that affect security or the security log. To configure auditing, create a GPO and link it to the domain or OU. In this example, to audit member servers, link the GPO to the domain. By default, member servers are in the Computers container. However, you cannot link a GPO to this container. A better solution would be to create an OU with only the member servers and then link the GPO to that OU. Linking the GPO to the domain means that system events will be audited on all computers in the domain. You do not need to audit failed events because you are only interested in when the system actually shuts down, not when someone tried to shut it down but was unsuccessful. Account management auditing tracks changes to user accounts. Directory service access auditing tracks changes to Active Directory objects.
You are an administrator for a company that uses Windows servers. In addition to Active Directory, you also provide file and print services, DHCP, DNS, and email services. There is a single domain and a single site. There are two member servers, one that handles file and print services only, and one database server. You are considering adding additional servers as business increases. Your company produces mass mailings for its customers. The mailing list and contact information provided to your company by its clients is strictly confidential. Because of the private information sometimes contained in the data (one of your clients is a hospital), and because of the importance of the data to your operation, the data can also be considered a trade secret. You want to ensure the data stored on your member servers is only accessed by authorized personnel for business purposes. You've set file permissions to restrict access, but you want to track the authorized users. How should you configure your security policy to track access to the data files?
Configure object access auditing in a GPO and link it to the domain.
Explanation: Because you are considering adding servers, it would be best if you implemented your security policy in a GPO so that it will be applied automatically when new computers are added. The category of auditing that you want is Object Access, and it should be applied to the domain so that it applies to all computers. Linking the GPO to the Domain Controllers OU would result in the policy being applied only to the domain controllers, not to the member servers where the sensitive data is stored. System events is the wrong category to audit, as is logon access. Applying the policy directly to the database server leaves your other servers unprotected, including any new ones that are implemented later.
You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO and link the GPO to the domain. After several days, you check Event Viewer, but you do not see any events listed in the event log indicating changes to Active Directory objects. What should you do?
Edit the access list for the OU. Identify specific users and events to audit.
Explanation: When configuring directory service access auditing, you must enable auditing for the domain or OU and then identify the users and objects you want to audit. Simply enabling auditing using a GPO will be insufficient. Using a filter or a custom view in Event Viewer can help you find events that you are looking for. However, without enabling auditing for specific users and objects, no events will be shown.
You are the network administrator for your company. Rodney, a user in the research department, shares a computer with two other users. One day, Rodney notices that some of his documents have been deleted from the computer's local hard drive. You restore the documents from a recent backup. Rodney now wants you to configure the computer so he can track all users who delete his documents in the future. You enable auditing of successful object access events in the computer's local security policy. Rodney then logs on and creates a sample document. To test auditing, you then log on and delete the document. However, when you examine the computer's security log, no auditing events are listed. How can you make sure an event is listed in the security log whenever one of Rodney's documents is deleted?
Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Delete permission.
Explanation: Object access events occur when a user accesses any object with its own access control list (such as a file, folder, registry key, or printer). In addition to enabling auditing of these types of events, you must also edit the properties of the specific objects you want to audit and define what type of access to the object you will audit. You configure auditing using special permissions (such as Delete) rather than the less advanced permissions (such as Modify, which includes the Delete special permission). In this scenario, you should audit the successful exercise of the permission.
You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. What should you do to be able to check each server's log for the events? (Choose two. Each choice is a required part of the solution.)
Enable the logging of logon events. Link the GPO to the Member Servers OU.
Explanation: The proper event to enable is the logon event. This event type will record when a network logon occurs, such as a domain user connecting to a share on the member server. Link the GPO to the Member Servers OU so that it applies to each member server. Account logon events for domain accounts will be recorded on the domain controllers, not the member servers. In short, account logon events are generated where the account lives; logon events are generated where the logon attempt occurs. If you wanted to audit when a domain user account was authenticated to the domain, you would enable the account logon event in a GPO linked to the Domain Controllers OU. Object access must be enabled for a computer before you can enable NTFS or printer auditing. System events record start-up and shutdown events on a computer.
You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows servers for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU. You are creating a security template that you plan to import into a GPO. What should you do to log whenever a user is unable to log on to any computer using a domain user account? (Select two. Each choice is a required part of the solution.)
Link the GPO to the Domain Controllers OU. Enable the logging of failed account logon events.
Explanation: To audit unsuccessful logons:
- Audit the Account Logon event. This event type will be recorded when an account is authenticated against an account database, such as Active Directory. In short, Account Logon events are generated where the account lives; in the case of domain accounts, this would be domain controllers.
- Audit failed events.
- Link the GPO to the Domain Controllers OU. Domain logon uses a domain controller for authentication.
Link the GPO to the Member Servers and Workstations OUs if you want to audit logon events for every computer.
You are consulting with the owner of a small network that has a Windows server functioning as a workgroup server. There are six Windows desktop computers. There is no Internet connectivity. The server contains possibly sensitive information, so the owner wants to make sure that no unauthorized access occurs. You suggest that auditing be configured so that access to sensitive files can be tracked. What can you do to make sure that the files generate audit results? (Choose three. Each correct answer is part of the required solution.)
Make sure the files to be audited are on NTFS partitions. Make sure the Object Access auditing policy is configured for success and failure. Make sure the correct users and groups are listed in the auditing properties of the files.
Explanation: First, file auditing requires that the files to be audited are on NTFS, not FAT, volumes. Next, the auditing properties require you to select which groups are going to be audited (in this case, Everyone is probably the correct entry). Finally, Object Access auditing must be enabled in the local security policy, or no results will be generated. Since you have an administrative account, you can read the log. Users do not write into the Security log; the System does. There is no way to allow users to write into the Security log.
You manage a single domain named widgets.com. This morning, you noticed that a trust relationship you established with another forest has changed. You reconfigured the trust, but you want to be able to identify if this change happens again in the future. You want to configure auditing to track this event. Which auditing category should you enable?
Policy change events
Explanation: Audit policy change events to track changes to user rights, trust relationships, IPsec and Kerberos policies, or audit policies. Object access auditing tracks access to files, folders, or printers. Process tracking auditing records actions taken by applications; it is used mainly for program debugging and tracking. System events auditing tracks system shutdown, restart, and the starting of system services. It also tracks events that affect security or the security log. Logon auditing tracks logon or logoff on the local system, or when a network connection is made to a system.
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its security database. How can you create a policy that meets these requirements?
Select Failure for Audit account logon events.
Explanation: Audit policy settings are used to define which events will be noted in a computer's security log when they occur. Audit policy on Windows desktops is configured through local security policy or by distributing settings using a Group Policy object (if the computer is a member of an Active Directory domain). Each setting can be enabled to audit successful events, failed events, or both. When configuring an audit policy for a Windows computer, you will generally be concerned with the following types of events:
- Account logon events occur when a computer authenticates (or fails to authenticate) an account from its database. In other words, these events are generated where the logon is authenticated. (In this scenario, you want to audit when a computer denies authentication, so this is what needs to be audited.)
- Logon events occur when a user uses a computer to log on. In other words, these events are generated where the logon is performed.
- Account management events occur when user or group objects are created, deleted, or edited in a computer's database.
- System events occur when a computer restarts or shuts down, or when an event that affects system security or the security log occurs.
- Object access events occur when a user accesses any object with its own access control list (such as a file, folder, registry key, or printer). In addition to enabling auditing of these types of events, you must also edit the properties of the specific objects you want to audit and define what type of access to the object you will audit.
- Policy change events occur when a computer's audit policies, user rights assignments, or trust policies change.
- Privilege use events occur when a user exercises a user right defined in the computer's user rights assignments. A few user rights do not generate auditing events, such as backing up or restoring files.
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to change a user's group membership in a computer's local database. How can you create a policy that meets these requirements?
Select Failure for Audit account management.
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to manipulate files on computers that have been secured through NTFS permissions. How can you create a policy that meets these requirements?
Select Failure for Audit object access.