Summary of Exam Objectives

In this chapter we looked at many important topics for the Implementing and Administering Security in a Microsoft Windows 2000 Network exam. The most important topics covered were auditing your network for increased security, auditing Windows 2000, auditing IIS, and using Windows auditing tools.

When you're auditing for increased security, it is important to remember what auditing is and why it is needed. Auditing is the process of analyzing gathered data for the purpose or intent of determining a possible problem or, in the security arena, an attack or exploit. We also looked at the need for both success- and failure-based auditable events and the differences between them.

We then covered auditing Windows 2000-based systems. This section of the chapter contained exercises on how to perform an audit and how to analyze events within the Security Log. We looked at how to log auditable events, how to set up success- and failure-based auditing, and how to configure auditing on a local system or through a GPO. We covered many aspects of auditing, including general concepts and auditing-based exercises. Remember in detail how to audit and when to audit for specific events.

Another important term is defense in depth: the general concept of not relying or depending on a single way to secure your infrastructure or systems (such as having a firewall as the only means of protection). Memorizing the needs for auditing is also essential. Auditing is the process of analyzing gathered data for the purpose or intent of determining a possible problem or, in the security arena, an attack or exploit. Auditing is best used on any system that can generate some type of log file that you can save, refer to, and analyze. Auditing is the process of logging and analyzing events that occur to proactively find and eliminate problems such as attacks, hacking, or mischief.

We learned that an audit could either be for success or failure of a specific event. Remember, do not just set up failure-based auditing. In reading this chapter, you should have learned that it is more important to first understand what you are auditing, because you might be looking for a success as well, such as a successful logon after a series of failures. This activity could constitute not only a password-cracking attempt but a possible breach of your systems.
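The following added example (not from the study guide) shows why both success and failure events are needed: it flags a successful logon that follows a burst of failures for the same account. The comma-separated record layout, the threshold, and the time window are assumptions; 529 and 528 are the Windows 2000 Security Log event IDs for a failed and a successful logon.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_ID, SUCCESS_ID = 529, 528  # Windows 2000 logon failure / success

# Constructed sample records (time,event ID,account); not real log output.
SAMPLE_EVENTS = """\
2003-04-01 08:00:00,529,akhan
2003-04-01 08:00:10,529,akhan
2003-04-01 08:00:20,529,akhan
2003-04-01 09:00:05,529,jsmith
2003-04-01 09:00:15,529,jsmith
2003-04-01 09:00:28,529,jsmith
2003-04-01 09:00:40,529,jsmith
2003-04-01 09:00:52,528,jsmith
2003-04-01 09:10:00,529,mjones
2003-04-01 09:10:20,528,mjones
2003-04-01 09:30:00,528,akhan
"""

def parse(text):
    """Yield (time, event_id, account) tuples from the assumed CSV layout."""
    for line in text.strip().splitlines():
        stamp, event_id, account = line.split(",")
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        yield when, int(event_id), account.lower()

def success_after_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Return (account, time, failures) for each successful logon preceded
    by at least `threshold` failed logons within `window`."""
    recent = defaultdict(deque)  # account -> times of recent failures
    findings = []
    for when, event_id, account in sorted(events):
        failures = recent[account]
        while failures and when - failures[0] > window:
            failures.popleft()  # drop failures older than the window
        if event_id == FAILURE_ID:
            failures.append(when)
        elif event_id == SUCCESS_ID:
            if len(failures) >= threshold:
                findings.append((account, when, len(failures)))
            failures.clear()  # a success starts a fresh sequence
    return findings

if __name__ == "__main__":
    for account, when, count in success_after_failures(parse(SAMPLE_EVENTS)):
        print(f"{when} {account}: logon succeeded after {count} failures")
```

With failure-only auditing the 528 records would not exist, so the jsmith sequence would look like an unsuccessful guessing attempt rather than a possible breach.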

Windows 2000 comes with the built-in ability to perform system auditing. From the Local Security Policy console, you can choose from many categories, such as auditing for object access or logon events.

Quite a few categories are available to you when you're working with Local Security Policy. You must intimately know all eight of these categories and their uses for the exam. They are logon events, account logon events, object access, directory service access, privilege use, process tracking, system events, and policy change.

You can audit Windows 2000 at the local level (with Local Security Policy) or using Group Policy at the site, domain, or OU level. You will find the audit policy settings in the actual GPO that you create.

We looked at IIS auditing and logging. We covered how to set up logging and how to analyze the log files IIS creates, as well as where to find the logs and how to change where the log files are written.

Lastly, we looked at two tools that are heavily tested on this exam: Dumpel and EventCombMT. You should know how both tools work.



MCSE. MCSA Implementing & Administering Security in a Windows 2000 Network Study Guide Exam 70-214
MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
