Apply Your Knowledge


Exercises

16.1. Creating a new log view

It can be helpful to have a custom view of the event logs so that you can easily find specific events. For example, to quickly find quota events, you can filter the event logs. By saving a custom view of the logs, you can easily identify these events without having to reconfigure the filter on the logs every time you want to monitor quotas.

What is the best way to accomplish this in Windows Server 2003? On your own, try to develop a solution that involves limited ongoing management by the system administrator.

If you would like to see a possible solution, follow these steps:

Estimated Time: 20 minutes

1. From the Start menu, click Start, All Programs, Administrative Tools, Event Viewer.

2. In the left pane of the Event Viewer MMC, right-click the System log. From the pop-up menu, select New Log View.

3. A new log entry appears in the left pane of the Event Viewer MMC. Right-click the entry and select Rename from the pop-up menu. Change the name to Quota.

4. Right-click the Quota log. From the system menu, select View, Filter.

5. After you select Filter, the Properties dialog box appears. From the Log Properties dialog box, select the event ID 36 and a source of NTFS and then click OK.

This gives you a custom log that can be used to track Quota events.

Exam Questions

1. Jason is the system administrator for a small bank. The bank requires that he maintain a log of all logon events in the domain and retain it for a period of no less than 7 years. What must Jason do to obtain and archive this data?

A. Auditing is automatically turned on in Windows Server 2003. He must clear and archive the Security logs weekly.

B. In the domain GPO, he must turn on the option Audit Account Logon Events for both success and failure. He must also clear and archive the Security logs weekly.

C. In the domain GPO, he must turn on the option Audit Logon Events for both success and failure. He must also clear and archive the Security logs weekly.

D. In the domain GPO, he must turn on the option Audit Account Logon Events and the option Audit Logon Events for both success and failure. He must also clear and archive the Security logs weekly.


2. You are the network administrator for FlyByNight Airlines. The network consists of a single Active Directory domain. All network servers run Windows Server 2003, and all client computers run Windows 2000 Professional. One of the members of the network security department calls and says that he can't access the security event logs on your file and print server FandP. All members of the network security department are members of the ITSecurity global group. You need to grant the ITSecurity global group the minimum rights necessary to view the security event log on FandP. What should you do?

A. Assign the Generate Security Audits user right to the ITSecurity global group.

B. Assign the Manage Auditing and Security Logs user right to the ITSecurity global group.

C. Assign the Allow Logon through Terminal Services user right to the ITSecurity global group.

D. Assign the Act as Part of the Operating System user right to the ITSecurity global group.


3. You are the network administrator for FlyByNight Airlines. The network consists of a single Active Directory domain with 20 sites. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. One of the users in another office has been complaining that when she comes in every Monday morning, her user account is locked out. You suspect that someone is trying to break into your network using her user account. Where should you search for information?

A. Only in the Security Event log of a domain controller in your site.

B. Only in the Security Event logs of the domain controllers in the user's site.

C. In the Security Event logs of all domain controllers in all sites.

D. Only in the Security Event log of the user's computer.


4. You are the network administrator for Cheap Stuff Inc. The network consists of a single Active Directory domain with 20 sites. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You have three departments, and each department has its resources located in a separate OU. The manager of the Marketing department is complaining that his users' accounts are being locked out after three unsuccessful logon attempts. He wants the setting changed to five attempts. The other two department managers don't want their settings to be changed. What must you do?

A. Change the Account Lockout Threshold for the domain to five unsuccessful attempts.

B. Change the Account Lockout Threshold for the Marketing OU to five unsuccessful attempts.

C. Change the Account Lockout Threshold for the Marketing users group to five unsuccessful attempts.

D. None of the above.


5. You are the network administrator for the Kansas City office of Cheap Stuff Inc. The network consists of a single Active Directory domain with 20 sites. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. Each site has its own OU. Cheap Stuff's network security department has implemented a new policy that requires a specific configuration for the size and retention settings for the Security event log of all file servers. The rule also specified that local administrators on servers cannot override the changes you make to the settings for the Security event log.

You need to define a method to modify the Security event log settings on each file server in the Kansas City office to meet the security department's requirements. What should you do?

A. Modify the local security policy on each file server to define the size and retention settings for the Security event log.

B. Create a security template on one of the file servers by using the Security Configuration and Analysis tool. Define the size and retention settings for the Security event log in the template. Import the security template into the local security policy of all your file servers.

C. Use Event Viewer to modify the event log properties on each file server. Define the size and retention settings for the Security event log.

D. Create a new Group Policy object (GPO) and link it to the Kansas City OU. In the GPO, define the size and retention settings for the Security event log.


6. You are the network administrator for FlyByNight Airlines. The network consists of a single Active Directory domain. All network servers run Windows Server 2003, and all client computers run Windows 2000 Professional. One of the junior administrators is attempting to diagnose a problem on one of your servers. However, when he tries to open the Security event log, he receives an Access Denied error.

Which of the following should you do to enable him to complete his tasks?

A. Add the junior administrator's user account to the Server Operators domain group.

B. Add the junior administrator's user account to the local Administrators group on the file server.

C. Add the junior administrator's user account to the Power Users local group.

D. Assign the junior administrator's user account the Allow Logon through Terminal Services user right for the file server.


7. You are the network administrator for FlyByNight Airlines. The network consists of a single Active Directory domain with four domain controllers. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. The domain's audit policy ensures that all account logon events are audited. A temporary employee uses a client computer named FBN0431. When the temporary user's assignment concludes, his employment is terminated.

Now you need to learn the times and dates when the temporary employee logged on to the domain. You need to accomplish this goal by reviewing the minimum amount of information. What should you do?

A. Log on to FBN0431 as a local Administrator, and use the Event Viewer to view the local security log. Use the Find option to list only the events for the employee's user account.

B. Log on to FBN0431 as a local Administrator, and use the Event Viewer to view the local security log. Use the Find option to list only the events for the FBN0431 computer account.

C. Use the Event Viewer to view the security log on each domain controller. Use the Find option to list only the events for King's user account.

D. Use the Event Viewer to view the security log on each domain controller. Set a filter to list only the events for King's user account.

E. Use Event Viewer to view the security log on each domain controller. Set a filter to list only the events for the FBN0431 computer account.


8. You are the network administrator for Cheap Stuff Inc. The network consists of a single Active Directory domain with 20 sites. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. You install an application on one of your servers. The application fails to start because the default NTFS permissions on your server are too restrictive. You use a security template from the manufacturer of the application to modify the NTFS permissions on your server to allow the application to work.

A new update to the application is released. The application no longer requires the modified NTFS permissions. You need to restore the default permissions to restore the original level of system security.

Which security template should you import into the local security policy of your server?

A. The Syssetup.inf template.

B. The Setup Security.inf template.

C. The Defltsv.inf template.

D. The Netserv.inf template.


9. You are the network administrator for Cheap Stuff Inc. The network consists of a single Active Directory domain. All network servers run Windows Server 2003. Confidential files are stored on a member server named CSI5. The computer object for CSI5 resides in an OU named Confidential. A Group Policy object named GPO1 is linked to the Confidential OU.

To audit access to the confidential files, you enable auditing on all private folders on CSI5. Several days later, you review the audit logs. You discover that auditing is not successful. You need to ensure that auditing occurs successfully. What should you do?

A. Start the System Event Notification Service (SENS) on CSI5.

B. Start the Error Reporting service on CSI5.

C. Modify the Default Domain Controllers GPO by selecting Success and Failure as the Audit Object Access setting.

D. Modify GPO1 by selecting Success and Failure as the Audit Object Access setting.


10. You are the network administrator for the Kansas City office of Cheap Stuff Inc. The network consists of a single Active Directory domain with 20 sites. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. Each site has its own OU. Cheap Stuff's network security department has implemented a new policy that requires that all new servers be configured with specified predefined security settings when the servers join the domain. These settings differ slightly for the various company offices.

You plan to install Windows Server 2003 on 10 new computers, which all function as file servers. You need to ensure that the security configuration of the new file servers meets the new company standards. The network security department has implemented these settings on a test server in the Kansas City office.

You export a copy of this server's local security policy settings to a template file. You need to configure the security settings of the new servers, and you want to use the minimum amount of administrative effort. What should you do?

A. Use the Security Configuration and Analysis tool on one of the new servers to import the template file.

B. Use the default Domain Security Policy console on one of the new servers to import the template file.

C. Use the Group Policy Editor console to open the Kansas City OU and import the template file.

D. Use the default Local Security Policy console on one of the new servers to import the template file.


Answers to Exam Questions

1. D. For all logon events on all workstations to be collected in the Security logs on the domain controllers, both Audit Account Logon and Audit Logon Events must be turned on. Although auditing is turned on by default in Windows Server 2003, Audit Account Logon and Audit Logon Events are turned on only for success events, not failure events. See "Configuring Auditing."

2. B. By default, the ability to view the Security event log is restricted to administrators. The Manage the Security Event log user right is a powerful user privilege that should be closely guarded. Users with this right can clear the security log, possibly erasing important evidence of unauthorized activity. Neither the ability to generate audits nor the ability to act as part of the operating system would enable the security group to access the security logs, nor would logging on via Terminal Services. See "Working with the Event Logs."

3. C. When a user logs on to a domain where auditing is enabled, the authenticating domain controller will log an event in its security log. You will need to check the Security Event logs of all the domain controllers in all the sites, because it could be that the attack is being launched from outside of the office where the user is located. Checking just the user's computer or a limited number of domain controllers wouldn't give you a complete picture. See "Managing Security Logs."

4. D. The Account Lockout Threshold setting can be applied only at the domain level, so any changes there would affect the other departments, which was not allowed. See "Account Policies."

5. D. Any of the listed methods would work to set the configuration of the Security Event logs. But D is the only method that can't be overridden by the local administrators. See "User Rights Assignment" in this chapter.

6. B. By default, the ability to view the Security event log is restricted to administrators. The Manage the Security Event log user right is a powerful user privilege that should be closely guarded. Users with this right can clear the security log, possibly erasing important evidence of unauthorized activity. The ability to log on via Terminal Services wouldn't add any additional access rights. See "Working with the Event Logs."

7. D. When a user logs on to a domain where auditing is enabled, the authenticating domain controller will log an event in its security log. It is likely that multiple domain controllers have authenticated the user at different times; therefore, we must examine the security log on each domain controller. In Event Viewer, you can set various filters to simplify the search for information. In this case, we can filter the logs to show events for only the user's account. See "Creating an Audit Policy."

8. B. The default security template (Setup Security.inf) is configured with the default security settings for Windows Server 2003 computers. This template is created during the installation process. See "Using Security Templates."

9. D. For objects such as folders, auditing is a two-step process. First, you have to enable the specific auditing category that includes the object you want to audit. Second, you have to enable auditing of specific events on this object from the properties page of the object itself. Because we want to audit only this server, we would enable it at the OU level. See "Using Audit Policies."

10. C. Importing the template into a GPO linked to the Kansas City OU is the best solution. Because we need to apply the settings to all the servers in Kansas City and not to the other servers in the domain, using the Security Configuration and Analysis tool wouldn't be sufficient, because it configures only one server at a time. Also, importing the template into the Default Domain policy would affect all the servers in the domain. See "Using Security Templates."

Suggested Readings and Resources

1. Security Policy Settings. Microsoft Corporation. http://technet2.microsoft.com/WindowsServer/en/Library/bcd7ea4c-f989-4cee-969a-920f62f555111033.mspx?mfr=true.

2. Shinder, Deb. Understanding the Roles of Server 2003 Security Policies. http://www.windowsecurity.com/articles/Understanding-Roles-Server-2003-Security-Policies.html.

3. Windows Server 2003 Deployment Guide. Microsoft Corporation. http://technet2.microsoft.com/WindowsServer/en/Library/c283b699-6124-4c3a-87ef-865443d7ea4b1033.mspx?mfr=true.

4. Windows Server 2003 Resource Kit. Microsoft Press, 2005. ISBN 0735614717.

5. Windows Server 2003 Security Policy. Microsoft Corporation. http://technet2.microsoft.com/windowsserver/en/technologies/secpol.mspx.




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
EAN: 2147483647
Year: 2006
Pages: 219
Authors: Lee Scales
