70-411 R2 Test Bank Lesson 07


70-411 Test Bank, Lesson 7 Configure Advanced Audit Policies

15 Multiple Choice
6 Short Answer
3 Best Answer
3 Build List
4 Repeated Answer
31 questions

Multiple Choice
1. Authentication is used for what purpose?
a. to grant access to a user
b. to verify a user's identity
c. to determine security restrictions
d. to calculate effective permissions
Answer: b
Difficulty: Easy
Section Ref: Enabling and Configuring Auditing (The Bottom Line)
Explanation: Authentication is used to prove the identity of a user.
2. Authorization is used for what purpose?
a. to grant access to a user
b. to verify a user's identity
c. to determine security restrictions
d. to calculate effective permissions
Answer: a
Difficulty: Easy
Section Ref: Enabling and Configuring Auditing (The Bottom Line)
Explanation: Authorization gives access to an authenticated user.
3. Auditing is used for what purpose?
a. authenticating users
b. authorizing users
c. recording users' actions
d. assessing a user's permissions
Answer: c
Difficulty: Medium
Section Ref: Enabling and Configuring Auditing (The Bottom Line)
Explanation: Auditing keeps a record of users who have logged on, what they
accessed or tried to access, and what actions they performed such as rebooting,
shutting down a computer, or accessing a file.
4. Why is choosing what to audit, instead of auditing everything that a user does, a
good idea?
a. High levels of auditing can affect system performance.
b. Auditing sets up an air of suspicion for users.
c. Extensive audit trails often lead to too much troubleshooting.
d. Auditing requires a high level of expertise to set up and maintain.
Answer: a
Difficulty: Medium
Section Ref: Implementing Auditing Using Group Policies
Explanation: High levels of auditing can affect the performance of the computer you
audit.
5. Before Windows Server 2008 R2, only nine basic audit settings existed. Windows
Server 2012 introduces a total of how many audit subsettings?
a. 23
b. 53
c. 56
d. 64
Answer: c
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings
Explanation: Starting with Windows Server 2008 R2, Windows introduced advanced
audit policy settings, which enable you to have more control over what events get
recorded by using multiple subsettings instead of the traditional nine basic audit
settings. Windows Server 2008 R2 introduced 53 subsettings; Windows Server 2012
and Windows Server 2012 R2 has 56 subsettings.
6. What is the purpose of implementing new audit subsettings?
a. so that you can fill up Event Logs even faster than before
b. so that you can build intricate audit trails for regulatory compliance
c. so that you can audit every possible user process
d. so that you can focus on important audit items
Answer: d
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings
Explanation: By using advanced audit policy settings, you cut down the number of
log entries and can focus on what is important to you.
7. Why should you avoid using basic audit policy settings and advanced audit policy
settings together?
a. That amount of auditing will fill up Event Logs too quickly.
b. The two audit setting ranges have too much redundancy or overlap between them.
c. Setting too many policies can put your system in an out-of-compliance state.
d. Audit policies might cause conflicts or erratic behavior.
Answer: d
Difficulty: Medium
Section Ref: Removing Advanced Audit Policy Configuration
Explanation: It is not recommended that you use basic audit policy settings with
advanced audit policy settings because they can cause conflicts or erratic behavior.
8. Which command do you use to manage auditing at the command prompt?
a. Audit.exe
b. AdPolicy.exe
c. AuditPol.exe
d. Policy.exe
Answer: c
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: To manage auditing at the command prompt or by creating scripts, you
use the AuditPol.exe command, which displays information about and performs
functions to manipulate audit policies.
9. Where can you view audit events?
a. in the C:\Temp\Logs folder as text files
b. in System logs in Event Viewer
c. in Security logs in Event Viewer
d. by using audit /logs at the command line
Answer: c
Difficulty: Medium
Section Ref: Viewing Audit Events
Explanation: To view audit events, open the Security logs in the Event Viewer.
10. Which auditing feature allows you to define computer-wide system access
control lists for the file system or the registry?
a. Global Object Access Auditing
b. Filereg Auditing
c. Registry Trail Auditing
d. System Tracker Auditing snap-in
Answer: a
Difficulty: Medium
Section Ref: Creating Expression-Based Audit Policies
Explanation: Global Object Access Auditing lets you define computer-wide system
access control lists for the file system or the registry.
11. By using what type of policy can you track, limit, or deny a user's ability to use
removable storage devices such as USB drives in Windows Server 2012 R2?
a. USB Storage Access
b. Removable Storage Access
c. Removable Device Access
d. Storage Device Audit
Answer: b
Difficulty: Hard
Section Ref: Creating Removable Device Audit Policies
Explanation: Organizations can limit or deny users the ability to use removable
storage devices by using the Removable Storage Access policy.
12. Which utility do you use to access advanced audit policy settings?
a. Local Policy Editor
b. Group Policy Editor
c. Domain Policy Editor
d. Schema Policy Editor
Answer: b
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: To access a new policy, open Group Policy Editor for a group policy and
go to Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
Policy Configuration.
13. What type of audit event notifies you that an account failed to log on?
a. DS Access
b. Object Access
c. Privilege Use
d. Logon/Logoff
Answer: d
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: The Audit Account Lockout event is generated by a failed attempt to
log on to a locked-out account.
14. Shutting down the system is an example of what kind of audit event?
a. Privilege Use
b. System
c. Logon/Logoff
d. Policy Change
Answer: a
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: The Privilege Use event is generated by the use of non-sensitive
privileges, such as accessing this computer from the network, adding a workstation
to the domain, allowing logging on locally, changing the system time, creating a
page file, and shutting down the system.
15. When resetting audit settings back to basic mode, what file must you remove as
part of the process?
a. policies.txt
b. audit.txt
c. policies.csv
d. audit.csv
Answer: d
Difficulty: Medium
Section Ref: Removing Advanced Audit Policy Configuration
Explanation: If you need to go back to the basic audit settings after enabling
Advanced Audit Policy Configuration, you need to perform the following: set all
Advanced Audit Policy subcategories to Not configured, delete the
%systemroot%\security\audit\audit.csv file on the domain controllers for group
policies and on the local computer for local policies, and reconfigure and apply the
basic audit policy settings.

Short Answer
16. Auditing NTFS files, NTFS folders, and printers is a two-step process. What are
the two steps?
Answer: Enable the object in the Group Policy Editor and then specify the audit
objects.
Difficulty: Medium
Section Ref: Implementing Object Access Auditing Using Group Policies
Explanation: Auditing NTFS files, NTFS folders, and printers is a two-step process.
You must first enable object access using Group Policy, and then you must specify
which objects you want to audit.
17. When you enable object auditing, you generate many other events that also get
recorded, including what two types of filtering?
Answer: Audit Filtering Platform Connection and Audit Filtering Platform Packet Drop
Difficulty: Hard
Section Ref: Implementing Auditing Using Group Policies
Explanation: When you enable object auditing, you generate many other events
that also get recorded, including Audit Filtering Platform Connection and Audit
Filtering Platform Packet Drop, which show packets that get connected or dropped
at the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) level.
18. On which types of objects can you enable object auditing?
Answer: Registry objects, files, folders, and printers
Difficulty: Medium
Section Ref: Implementing Auditing Using Group Policies
Explanation: After you enable object access auditing, you have to enable auditing
on the specific object that you want to enable. These objects include registry
objects, files, folders, and printers.
19. List any three of the nine basic audit events.
Answer: (only need three from this list) authentication, authorization, successful
login, failed login, AD account changes, accessed or changed files, used printers,
restarted a system, and made system changes
Difficulty: Hard
Section Ref: Enabling and Configuring Auditing
Explanation: You must protect your information and service resources from people
who should not have access to them. At the same time, you need to make those
resources available to authorized users. Along with authentication and
authorization, you need to enable auditing so that you can have a record of who has
successfully logged on, who has attempted to log on but failed, who has made
changes to accounts in Active Directory, who has accessed or changed certain files,
who has used a certain printer, who has restarted a system, and who has made
system changes.
20. What do you hope to find by enabling basic auditing?
Answer: Basic auditing allows you to track significant system alterations and
security breaches. It also allows you to measure the severity of any breaches.
Difficulty: Medium
Section Ref: Enabling and Configuring Auditing
Explanation: Using auditing logs enables you to determine whether any security
breaches have occurred and to what extent.
21. Active Directory sets up some default monitoring and auditing. List the three
account-related default audited events.
Answer: (only need three from this list) account logon, account management,
directory service access, logon, object access, policy change, privilege use, process
tracking, and system
Difficulty: Hard
Section Ref: Implementing Auditing Using Group Policies
Explanation: From Table 7.1 Audit Events: The possible choices are Account Logon,
Account Management, Directory Service Access, Logon, Object Access, Policy
Change, Privilege Use, Process Tracking, and System.

Best Answer
22. Why is it a good idea (other than the effect on system performance) to set up
auditing for only those objects that you really need to focus on?
a. Object auditing is complex and requires a lot of time to set up.
b. Searching through too many events makes finding problems more difficult.
c. By enabling object auditing, you also enable many other events.
d. Auditing too many events adds an extra layer of complexity to management
tasks.
Answer: b
Difficulty: Medium
Section Ref: Implementing Auditing Using Group Policies
Explanation: When you search through the security logs, you will find far too many
events, which can make it more difficult for you to find the potential problems you
need to find.
23. Why are success audits as important as failure audits?
a. Successes are important to troubleshooting for establishing baselines of normal
behavior.
b. Successes are included by default and can be filtered out.
c. Successes can point to security breaches as well as normal behavior.
d. Successes allow you to track activity such as new account creation.
Answer: d
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: As an administrator, you aren't always looking for failures. Sometimes
you want to measure how many successful accesses are made or how many
privileged accounts are being created.
24. Why would auditing include logon and logoff times?
a. These are simply default audit types for accounts.
b. Logon and logoff times can help track users work hours.
c. Logon and logoff times can help pinpoint who was logged on during a failure.
d. Logon and logoff events can track system usage for capacity planning.
Answer: c
Difficulty: Medium
Section Ref: Implementing Advanced Audit Policy Settings Using Group Policies
Explanation: During critical troubleshooting episodes, knowing who, if anyone, was
logged on to a system is valuable. If a user or administrator caused the outage, it's
easier to remedy by reversing what was done than to continue with standard
trial-and-error exercises.

Build List
25. Order the following steps for setting up Printer Event Auditing.
a. Right-click and select Printer properties.
b. On the Security tab, click Advanced.
c. To specify a user or group, click Select a principal.
d. Select the Auditing tab.
e. For Type, select Success, Fail, or All.
f. Click the Add button to open the Auditing Entry for Microsoft XPS Document Writer
dialog box.
g. Choose Control Panel > View devices and printers.
Answer: G A B D F C E
Difficulty: Medium
Section Ref: Implementing Object Access Auditing Using Group Policies
Explanation: Refer to the steps required to Audit Printer Events.
26. Order the following steps required to audit account logon.
a. Double-click Audit account logon events.
b. Expand Computer Configuration, Windows Settings, Security Settings, Local
Policies, and select Audit Policy.
c. Select Define these policy settings and select both Success and Failure.
d. Right-click the Default Domain Controllers Policy and click Edit.
e. Expand the Domain Controllers to show the Default Domain Controllers Policy.
f. Choose Server Manager > Tools > Group Policy Management.
Answer: F E D B A C
Difficulty: Medium
Section Ref: Implementing an Audit Policy
Explanation: Refer to the steps in the Audit Account Logon example.
27. Order the following steps required to configure monitoring of removable storage
devices.
a. In the console tree, right-click a group policy object, and then click Edit.
b. Select the Configure the following audit events check box, select the Success
check box, and then click OK.
c. Choose Server Manager > Tools > Group Policy Management.
d. Double-click Computer Configuration, double-click Security Settings, double-click
Advanced Audit Policy Configuration, and double-click Object Access.
e. Double-click Audit Removable Storage.
Answer: C A D E B
Difficulty: Medium
Section Ref: Creating Removable Device Audit Policies
Explanation: Refer to the Configure the Monitoring of Removable Storage Devices
section.

Repeated Answer
28. The powerful auditpol.exe command-line utility is widely used in automated
scripting solutions. Select the correct action for the auditpol.exe /remove /allusers command.
a. Delete the per-user audit policy for all users, reset or disable the system audit
policy for all subcategories, and then set the audit policies settings to disable.
b. Remove the per-user audit policy for a single user's account.
c. Remove the per-user audit policy for all users.
d. Show an authoritative report on what audit settings are being applied.
Answer: c
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: To remove the per-user audit policy for all users, perform the following
command: auditpol.exe /remove /allusers.
29. The powerful auditpol.exe command-line utility is widely used in automated
scripting solutions. Select the correct action for the auditpol.exe /get /category:* command.
a. Delete the per-user audit policy for all users, reset or disable the system audit
policy for all subcategories, and then set the audit policies settings to disable.
b. Remove the per-user audit policy for a single user's account.
c. Remove the per-user audit policy for all users.
d. Show an authoritative report on what audit settings are being applied.
Answer: d
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: If you want to get an authoritative report on what audit settings are
being applied, use the following command: auditpol.exe /get /category:*.
30. The powerful auditpol.exe command-line utility is widely used in automated
scripting solutions. Select the correct action for the auditpol.exe /clear command.
a. Delete the per-user audit policy for all users, reset or disable the system audit
policy for all subcategories, and then set the audit policies settings to disable.
b. Remove the per-user audit policy for a single user's account.
c. Remove the per-user audit policy for all users.
d. Show an authoritative report on what audit settings are being applied.
Answer: a
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: To delete the per-user audit policy for all users, reset or disable the
system audit policy for all subcategories, and then set the audit policies settings to
disable, execute the following command: auditpol.exe /clear.
31. The powerful auditpol.exe command-line utility is widely used in automated
scripting solutions. Select the correct action for the auditpol.exe /remove /user:username command.
a. Delete the per-user audit policy for all users, reset or disable the system audit
policy for all subcategories, and then set the audit policies settings to disable.
b. Remove the per-user audit policy for a single user's account.
c. Remove the per-user audit policy for all users.
d. Show an authoritative report on what audit settings are being applied.
Answer: b
Difficulty: Medium
Section Ref: Implementing Auditing Using AuditPol.exe
Explanation: To remove the per-user audit policy for the jsmith account, perform the
following command: auditpol.exe /remove /user:jsmith.
