70-411 R2 Test Bank Lesson 07
15 Multiple Choice
6 Short Answer
3 Best Answer
3 Build List
4 Repeated Answer
31 questions
Multiple Choice
1. Authentication is used for what purpose?
a. to grant access to a user
b. to verify a user's identity
c. to determine security restrictions
d. to calculate effective permissions
Answer: b
Difficulty: Easy
Section Ref: Enabling and Configuring Auditing (The Bottom Line)
Explanation: Authentication is used to prove the identity of a user.
2. Authorization is used for what purpose?
a. to grant access to a user
b. to verify a user's identity
c. to determine security restrictions
d. to calculate effective permissions
Answer: a
Difficulty: Easy
Section Ref: Enabling and Configuring Auditing (The Bottom Line)
Explanation: Authorization gives access to an authenticated user.
3. Auditing is used for what purpose?
a. authenticating users
b. authorizing users
c. recording users' actions
d. assessing a user's permissions
Answer: c
Difficulty: Medium
Section Ref: Enabling and Configuring Auditing (The Bottom Line)
Explanation: Auditing keeps a record of users who have logged on, what they
accessed or tried to access, and what actions they performed such as rebooting,
shutting down a computer, or accessing a file.
4. Why is choosing what to audit, instead of auditing everything that a user does, a
good idea?
a. High levels of auditing can affect system performance.
b. Auditing sets up an air of suspicion for users.
c. Extensive audit trails often lead to too much troubleshooting.
d. Auditing requires a high level of expertise to set up and maintain.
Answer: a
Difficulty: Medium
Section Ref: Implementing Auditing Using Group Policies
Explanation: High levels of auditing can affect the performance of the computer you
audit.
5. Before Windows 2008 R2, only nine basic audit settings existed. Windows Server
2012 introduces a total of how many audit subsettings?
a. 23
b. 53
c. 56
d. 64
Answer: c
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings
Explanation: Starting with Windows Server 2008 R2, Windows introduced advanced
audit policy settings, which enable you to have more control over what events get
recorded by using multiple subsettings instead of the traditional nine basic audit
settings. Windows Server 2008 R2 introduced 53 subsettings; Windows Server 2012
and Windows Server 2012 R2 have 56 subsettings.
6. What is the purpose of implementing new audit subsettings?
a. so that you can fill up Event Logs even faster than before
b. so that you can build intricate audit trails for regulatory compliance
c. so that you can audit every possible user process
d. so that you can focus on important audit items
Answer: d
Difficulty: Medium
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: The Audit Account Lockout event is generated by a failed attempt to
log on to a locked-out account.
14. Shutting down the system is an example of what kind of audit event?
a. Privilege Use
b. System
c. Logon/Logoff
d. Policy Change
Answer: a
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: The Privilege Use event is generated by the use of non-sensitive
privileges, such as accessing this computer from the network, adding a workstation
to the domain, allowing logging on locally, changing the system time, creating a
page file, and shutting down the system.
15. When resetting audit settings back to basic mode, what file must you remove as
part of the process?
a. policies.txt
b. audit.txt
c. policies.csv
d. audit.csv
Answer: d
Difficulty: Medium
Section Ref: Removing Advanced Audit Policy Configuration
Explanation: If you need to go back to the basic audit settings after enabling
Advanced Audit Policy Configuration, you need to perform the following: Set all
Advanced Audit Policy subcategories to Not configured, delete the
%systemroot%\security\audit\audit.csv file on the domain controllers for group
policies and on the local computer for local policies, and reconfigure and apply
the basic audit policy settings.
Short Answer
16. Auditing NTFS files, NTFS folders, and printers is a two-step process. What are
the two steps?
Answer: Enable the object in the Group Policy Editor and then specify the audit
objects.
Difficulty: Medium
Answer: Basic auditing allows you to track significant system alterations and
security breaches. It also allows you to measure the severity of any breaches.
Difficulty: Medium
Section Ref: Enabling and Configuring Auditing
Explanation: Using auditing logs enables you to determine whether any security
breaches have occurred and to what extent.
21. Active Directory sets up some default monitoring and auditing. List the three
account-related default audited events.
Answer: (only need three from this list) account logon, account management,
directory service access, logon, object access, policy change, privilege use, process
tracking, and system
Difficulty: Hard
Section Ref: Implementing Auditing Using Group Policies
Explanation: From Table 7.1 Audit Events: The possible choices are Account Logon,
Account Management, Directory Service Access, Logon, Object Access, Policy
Change, Privilege Use, Process Tracking, and System.
Best Answer
22. Why is it a good idea (other than the effect on system performance) to set up
auditing for only those objects that you really need to focus on?
a. Object auditing is complex and requires a lot of time to set up.
b. Searching through too many events makes finding problems more difficult.
c. By enabling object auditing, you also enable many other events.
d. Auditing too many events adds an extra layer of complexity to management
tasks.
Answer: b
Difficulty: Medium
Section Ref: Implementing Auditing Using Group Policies
Explanation: When you search through the security logs, you will find far too many
events, which can make it more difficult for you to find the potential problems you
need to find.
23. Why are success audits as important as failure audits?
a. Successes are important to troubleshooting for establishing baselines of normal
behavior.
b. Successes are included by default and can be filtered out.
c. Successes can point to security breaches as well as normal behavior.
d. Successes allow you to track activity such as new account creation.
Answer: d
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: As an administrator, you aren't always looking for failures. Sometimes
you want to measure how many successful accesses are made or how many
privileged accounts are being created.
24. Why would auditing include logon and logoff times?
a. These are simply default audit types for accounts.
b. Logon and logoff times can help track users' work hours.
c. Logon and logoff times can help pinpoint who was logged on during a failure.
d. Logon and logoff events can track system usage for capacity planning.
Answer: c
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: During critical troubleshooting episodes, knowing who, if anyone, was
logged on to a system is valuable. If a user or administrator caused the outage, it's
easier to remedy by reversing what was done than to continue with standard
trial-and-error exercises.
Build List
25. Order the following steps for setting up Printer Event Auditing.
a. Right-click and select Printer properties.
b. On the Security tab, click Advanced.
c. To specify a user or group, click Select a principal.
d. Select the Auditing tab.
e. For Type, select Success, Fail, or All.
f. Click the Add button to open the Auditing Entry for Microsoft XPS Document Writer
dialog box.
g. Choose Control Panel > View devices and printers.
Answer: G A B D F C E
Difficulty: Medium
Section Ref: Implementing Object Access Auditing Using Group Policies
Explanation: Refer to the steps required to Audit Printer Events.
26. Order the following steps required to audit account logon.
a. Double-click Audit account logon events.
b. Expand Computer Configuration, Windows Settings, Security Settings, Local
Policies, and select Audit Policy.
c. Select Define these policy settings and select both Success and Failure.
d. Right-click the Default Domain Control Default Policy and click Edit.
e. Expand the Domain Controllers to show the Default Domain Controllers Policy.
Repeated Answer
28. The powerful auditpol.exe command-line utility is widely used in automated
scripting solutions. Select the correct action for the auditpol.exe /remove
/allusers command.
a. Delete the per-user audit policy for all users, reset or disable the system audit
policy for all subcategories, and then set the audit policies settings to disable.
b. Remove the per-user audit policy for a single user's account.
c. Remove the per-user audit policy for all users.
d. Show an authoritative report on what audit settings are being applied.
Answer: c
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: To remove the per-user audit policy for all users, perform the following
command: auditpol.exe /remove /allusers.
29. The powerful auditpol.exe command-line utility is widely used in automated
scripting solutions. Select the correct action for the auditpol.exe /get
/category:* command.
a. Delete the per-user audit policy for all users, reset or disable the system audit
policy for all subcategories, and then set the audit policies settings to disable.
b. Remove the per-user audit policy for a single user's account.
c. Remove the per-user audit policy for all users.
d. Show an authoritative report on what audit settings are being applied.
Answer: d
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: If you want to get an authoritative report on what audit settings are
being applied, use the following command: auditpol.exe /get /category:*.
30. The powerful auditpol.exe command-line utility is widely used in automated
scripting solutions. Select the correct action for the auditpol.exe /clear
command.
a. Delete the per-user audit policy for all users, reset or disable the system audit
policy for all subcategories, and then set the audit policies settings to disable.
b. Remove the per-user audit policy for a single user's account.
c. Remove the per-user audit policy for all users.
d. Show an authoritative report on what audit settings are being applied.
Answer: a
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: To delete the per-user audit policy for all users, reset or disable the
system audit policy for all subcategories, and then set the audit policies settings to
disable, execute the following command: auditpol.exe /clear.
31. The powerful auditpol.exe command-line utility is widely used in automated
scripting solutions. Select the correct action for the auditpol.exe /remove
/user:username command.
a. Delete the per-user audit policy for all users, reset or disable the system audit
policy for all subcategories, and then set the audit policies settings to disable.
b. Remove the per-user audit policy for a single user's account.
c. Remove the per-user audit policy for all users.
d. Show an authoritative report on what audit settings are being applied.
Answer: b
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: To remove the per-user audit policy for the jsmith account, perform the
following command: auditpol.exe /remove /user:jsmith.