2.7 Advanced Auditing


Make sure the Audit File System policy is configured for success and failure. Make sure the correct users and groups are listed in the File System policy. Make sure the files to be audited are on NTFS partitions. First, file auditing requires that the files to be audited are on NTFS, not FAT, volumes. Next, use the Global Object Access Auditing \ File System audit policy to specify which groups are going to be audited (in this case, "Everyone" is probably the correct entry). Finally, the Object Access \ Audit File System policy must be enabled, or no results will be generated. Since you have an administrative account, you can read the log. Users do NOT write into the Security log, the System does, and there is no way to allow users to write into the Security log.

You are consulting with the owner of a small network which has a Windows Server 2012 R2 functioning as a workgroup server. There are six client desktop computers, each of which is running Windows 2007. There is no Internet connectivity. The owner of the company has heard of a case where the owner of a network was found legally liable for misuse of the corporate computers, because insufficient care was taken to prevent unauthorized access. The server contains possibly sensitive information and due care needs to be taken to ensure that no unauthorized access occurs. Specifically, the owner of the company wants you to configure auditing so that access to sensitive files can be tracked. You need to check and ensure that the files generate audit results. What should you do? Choose 3.
• Make sure the Audit File System policy is configured for success and failure.
• Make sure the correct users and groups are listed in the File System policy.
• Make sure the account you logged into has permissions to read the security log.
• Make sure the properties on the Security log allow writes by all users.
• Make sure the files to be audited are on NTFS partitions.

Audit successful system security state changes. Create a GPO to configure auditing. Link the GPO to the domain. To track when the system shuts down, audit successful system events by enabling the System \ Audit Security State Change policy. This policy tracks system shutdown and startup as well as changing of the system time. To configure auditing, create a GPO and link it to the domain or OU. In this example, to audit member servers, link the GPO to the domain. By default, member servers are in the Computers container. However, you cannot link a GPO to this container. A better solution would be to create an OU with only the member servers, and then link the GPO to that OU. Linking the GPO to the domain means that system events will be audited on all computers in the domain.

You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use advanced auditing to track who performs these actions. You want to only monitor the necessary events and no others. What should you do? (Select two. Each choice is a required part of the solution.)
• Audit successful system security state changes.
• Audit failed system security state changes.
• Audit failed user account management events.
• Create a GPO to configure auditing. Link the GPO to the domain.
• Audit successful user account management events.

Enable Audit Directory Service Access in the Audit policy of the Default Domain Controllers Policy Group Policy Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.

You are the administrator for eastsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. eastsim.com has one main site. There are two domain controllers named DC1 and DC2, which also provide DNS services to clients. There is a single Active Directory Integrated zone named eastsim.com. After users complain that they are unable to reach an application server in the main site, you determine that the record for the server has been deleted from the zone. You recreate the missing record. You need to ensure that if the record disappears again you can identify the cause of the deletion. Your solution must minimize the impact on servers not hosting the DNS role.
• Enable Audit Directory Service Access in the Audit policy of the Default Domain Controllers Policy Group Policy Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.
• Enable Audit Directory Service Access in the Audit policy of the Default Domain Policy Group Policy Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.
• Enable Audit Object Access in the Audit policy of the Default Domain Policy Group Policy Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.
• Enable Audit Object Access in the Audit policy of the Default Domain Controllers Policy Group Policy Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.

Create a new group policy object and link it to the organizational unit that contains the computer account of the file server. Enable the Audit File System and Audit Handle Manipulation policies in the Advanced Audit Policy Configuration node. On the Auditing tab in the Advanced Security Settings dialog box for the file, specify the Everyone group.

You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2012 R2. All of the clients run Windows 8. The manager of the Sales business unit informs you that critical files have been inappropriately modified. You need to determine who has modified the files and what permissions have allowed them to do so. What should you do?
• Create a new group policy object and link it to the organizational unit that contains the computer account of the file server. Enable the Audit File System and Audit Handle Manipulation policies in the Advanced Audit Policy Configuration node. On the Auditing tab in the Advanced Security Settings dialog box for the file, specify the Everyone group.
• Create a new group policy object and link it to the organizational unit that contains the computer account of the file server. Enable the Audit File System policy in the Advanced Audit Policy Configuration node. On the Auditing tab in the Advanced Security Settings dialog box for the file, specify the Everyone group.
• Create a new group policy object and link it to the organizational unit that contains the user's account. Enable the Audit Object Access policy. On the Auditing tab in the Advanced Security Settings dialog box for the file, specify the Everyone group.
• Create a new group policy object and link it to the organizational unit that contains the computer account of the file server. Enable the Audit Object Access policy. On the Auditing tab in the Advanced Security Settings dialog box for the file, specify the Everyone group.

Create a new group policy object and link it to the FileServers organizational unit. Enable Global Object Access Auditing for the File System and specify the user's account in the Auditing tab.

You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2012 R2. All of the clients run Windows 8. The computer objects for all of the file servers in the company have been placed into an organizational unit named FileServers. Human Resources has received a complaint that a user has been accessing secured material on the company's file servers. They have requested a list of all files accessed by this user on any file server in the company during the next two weeks. You must provide this information using the least amount of administrative effort.
• Create a new group policy object and link it to the FileServers organizational unit. Enable Global Object Access Auditing for the File System and specify the user's account in the Auditing tab.
• Create a new group policy object and link it to the organizational unit that contains the user's account. Enable the Audit Object Access policy. Then at each of the file servers, modify the access control list at the root of the file system, and specify the user's account in the Auditing tab of the Advanced Security Settings dialog box.
• Create a new group policy object and link it to the FileServers organizational unit. Enable the Audit Object Access policy. Then at each of the file servers, modify the access control list at the root of the file system, and specify the user's account in the Auditing tab of the Advanced Security Settings dialog box.
• Create a new group policy object and link it to the organizational unit that contains the user's account. Enable Global Object Access Auditing for the File System and specify the user's account in the Auditing tab.

Create a new group policy object. In the Advanced Audit Policy Configuration, enable the Logon/Logoff \ Audit Account Lockout policy. The Windows Audit Policy allows administrators to audit the success and failures of nine types of events. Windows Server 2008 R2 and Windows 7 introduced the Advanced Audit Policy Configuration, which adds 53 new settings that can be used for more in-depth auditing. There are nine different events related to Logon/Logoff including Account Lockout which audits attempts by users to log on after their account has been locked out. You can configure the Advanced Audit Policy using Group Policy Management Console by navigating to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration node or using the command line utility Auditpol.exe.

You are the network administrator for westsim.com. The network consists of one Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You need to identify attempts by users to log on after their accounts have been locked out. Your solution should identify attempts made on any client computer in the domain. You must use the least amount of administrative effort. What should you do?
• Create a new group policy object. In the Audit Policy, enable Account Logon Events.
• Create a new group policy object. In the Advanced Audit Policy Configuration, enable Audit Account Lockout.
• In Event Viewer on each of the domain controllers, attach a task to event ID 644.
• Create a new group policy object. In the Audit Policy, enable Logon Events.

Select Failure for Audit Logon. Audit policy settings are used to define which events will be noted in a computer's Security log when they occur. Audit policy on a Windows 8 computer is configured by configuring the local security policy or by distributing settings using a Group Policy object (if the computer is a member of an Active Directory domain). Each setting can be enabled to audit successful events, failed events, or both. To audit failed user logons, enable the Logon/Logoff \ Audit Logon policy and audit Failure events.

You are the network administrator for your company. Your company uses Windows 8 as its desktop operating system. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its Security event log. You want to use an advanced audit policy to accomplish this. What should you do?
• Select Failure for Audit Logon.
• Select Failure for Audit System Integrity.
• Select Failure for Audit account logon events.

Select Failure for Security Group Management. Audit policy settings are used to define which events will be noted in a computer's Security log when they occur. Audit policy on a Windows 8 computer is configured by configuring the local security policy or by distributing settings using a Group Policy object (if the computer is a member of an Active Directory domain). Each setting can be enabled to audit successful events, failed events, or both. To use an advanced audit policy to monitor group membership changes, select Failure for Account Management \ Security Group Management.

You are the network administrator for your company. Your company uses Windows 8 as its desktop operating system. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to change a user's security group membership in a computer's local database. You want to create a policy that meets these requirements. What should you do?
• Select Failure for Audit object access.
• Select Failure for Audit User Account Management.
• Select Failure for Security Group Management.

Select Failure for Audit File System. Enable File system; then configure the security principles and types of access you want to audit. Audit policy settings are used to define which events will be noted in a computer's Security log when they occur. Audit policy on a Windows 8 computer is configured by configuring the local security policy or by distributing settings using a Group Policy object (if the computer is a member of an Active Directory domain). Each setting can be enabled to audit successful events, failed events, or both. To audit file system access using advanced audit policies, you must do the following:
• Select Failure for Audit File System.
• Enable File system and configure the security principles and types of access you want to audit.

You are the network administrator for your company. Your company uses Windows 8 as its desktop operating system. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to manipulate files on computers that have been secured through NTFS permissions. You want to use an advanced audit policy to accomplish this. What should you do? (Choose two. Both selections are part of the complete solution.)
• Select Failure for Audit object access.
• Select Failure for Audit File System.
• Select Failure for Audit system events.
• Enable File system; then configure the security principles and types of access you want to audit.
• Select Failure for Audit account management.

Link the GPO to the Member Servers OU. Enable the logging of Logon events. The proper policy to enable is Audit Logon under Advanced Audit Policy Configuration. This policy will record events when a network logon occurs, such as a domain user connecting to a share on the member server. Link the GPO to the Member Servers OU so that it applies to each member server.

You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server 2012 R2 for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. You want to be able to check each server's log for the events. What should you do? (Choose two. Each choice is a required part of the solution.)
• Link the GPO to the Member Servers OU.
• Enable the logging of Object Access events.
• Enable the logging of Logon events.
• Link the GPO to the Domain Controllers OU.
• Enable the logging of System events.

Look in the Security log. Filter to look for successful audit events. Auditing events are logged in the Security log. To find events related to changes that were made, filter for successful events. Failed events will show when users tried, but failed, to perform an action. In this case you are not concerned with failed attempts.

You are the server administrator for your network. Recently, the system time on several servers has been modified. You want to find out who has been making the change. You enable the Audit Security State Change audit policy. After several days, you decide to check to see if any events have been logged. You want to view only those events related to auditing that might indicate someone had changed the system time. What should you do? (Select two. Each choice is a required part of the solution.)
• Filter to look for both successful and failed events.
• Filter to look for failed events.
• Look in the System log.
• Look in the Application log.
• Look in the Security log.
• Filter to look for successful audit events.

Enable the Audit Directory Service Changes policy to record the old and new values for changed objects. Auditing the Directory Service Access subcategory identifies that a change has been made, but does not indicate the old and new values. Enabling Directory Service Replication policies allows you to audit replication between two Active Directory domain controllers.

You manage a single domain named widgets.com. Recently, you notice that there have been several unusual changes to objects in the Sales OU. You would like to use advanced auditing to keep track of those changes. You want to only enable auditing that shows you the old and new values of the changed objects. Which directory service auditing subcategory should you enable?
• Detailed Directory Service Replication
• Directory Service Access
• Directory Service Changes
• Directory Service Replication

