Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Auditing for Increased Security

1. 

Jake is responsible for six Windows 2000 servers in his organization. He has noticed that lately there are multiple login attempts on the main file server. What can Jake do to find out if in fact an attacker is trying to exploit his system? (Choose all that apply.)

  A. Use Dumpel.exe to find the attack IDs numbered 200–600 in the System Event Log. This will indicate a possible attack.

  B. Turn on auditing (success and failure) for logon events. Check the Application Log daily for possible password-cracking attacks.

  C. Set up a Windows 2000 Security Template that will only allow registered IPs to connect to and communicate with the file server.

  D. Configure your router to only let the file server NetBIOS name be authenticated for communication.

2. 

Stan is the network administrator responsible for 10 Windows 2000 servers and 400 Windows XP Professional workstations, all separated geographically across four sites. Stan is responsible for implementing defense in depth. From the following list, select the options that Stan can implement for a defense-in-depth strategy. (Choose all that apply.)

  A. Set up and implement a firewall.

  B. Set up and implement auditing.

  C. Set up and implement IDS.

  D. Set up and implement a router ACL.

3. 

Peter is the administrator for a large Windows 2000 network infrastructure. He is responsible for 10 IIS servers, two Exchange servers, and 20 file and print servers. All 32 servers are internal to the LAN and serve as application, e-mail, file, and print servers for over 700 clients in five separate locations. Because of a shortage of staff, Peter needs to make sure that his servers are safe and is giving himself the task of ensuring that auditing takes place so that he can analyze possible mischievous events that could lead to an attack. He turns on auditing for all 32 servers. Peter is also new to auditing, so he turns on auditing for all categories, success and failure based. What is the most logical thing Peter should do now to analyze his servers? (Choose all that apply.)

  A. Peter should plan a time each week to view, archive, and analyze all the events he is receiving.

  B. Peter should analyze all events and start turning off categories he will not need to view in the Security Log.

  C. Peter should adjust his Security Log size to hold more events so that important auditable events are not overwritten.

  D. Peter should use the Dumpel command-line tool in batch format to scan all System Logs in all 32 servers for any event in the 500–600 range.

Answers

1. 

✓ B. You want to set up auditing on your server and make sure you check the logs frequently, looking for possible attacks.

✗ A is incorrect because Dumpel is used to parse Event Viewer Logs and the security-related events will be logged in the Security Log, not the System Log. C is incorrect because a template will not work in this fashion. Security templates have nothing to do with looking for registered IPs. D is incorrect because routers cannot be configured to authenticate Windows-based NetBIOS names.

2. 

✓ A, B, C, and D are all correct.

✗ When setting up a defense-in-depth strategy, you should set up a layered solution for security. Make sure that you implement more than just a firewall to lock the gates; you will want to include auditing, IDS, and router ACLs, among other things.

3. 

✓ A, B, and C. Peter needs to closely look at what he is auditing so he can start turning things off that he doesn't need and so he doesn't fill up all his logs. B is also correct because when Peter turned on auditing for all events, he was trying to get an idea of what is going on within the network on his systems. C is also correct because during this period of auditing events, the logs will fill up past the default of 512K, so in order to not have events overwritten, the Security Log's default parameters need to be adjusted.

✗ D is incorrect because it's the Security Log that you need to be concerned about. This question is meant to be misleading.

Auditing Windows 2000

4. 

Stan is the network administrator responsible for 10 Windows 2000 servers and 400 Windows XP Professional workstations, all separated geographically across four sites. Stan is responsible for auditing two Windows XP Professional workstations. One of the reasons he audits only the two workstations is because the two owners of the workstations are complaining that each time they sit down to work at their workstations, they think someone has tried to log in to them. From the list that follows, what is the most logical way to audit the two workstations so that Stan can analyze whether an attack is actually being attempted?

  A. Use the Local Security Policy on each local workstation and audit logon events (success and failure).

  B. Use the GPO Security Policy on the NY OU and audit logon events (success and failure).

  C. Use the Local Security Policy on the domain controller and audit logon events (success and failure).

  D. Use the Local Security Policy on the domain and audit logon events (success and failure).

5. 

Jake is responsible for six Windows 2000 servers in his organization. He has noticed that lately there are no events in the Security Log on the main file server. Jake has found a single 517 event in the Security Log. What can Jake do to find out if in fact someone is trying to exploit his system?

  A. The 517 event ID means that an attacker has breached the system and has tried to exploit the lsass.exe process and succeeded.

  B. The 517 event ID is not a valid ID number. The Security Log only looks at event IDs 600 and higher.

  C. The 517 event ID means that an attacker has breached the system and has tried to exploit the cmd.exe process and has failed.

  D. The log has been cleared, and since auditing was turned on, it was caught by the Security Log.

6. 

Peter is the administrator for a large Windows 2000 network infrastructure. He is responsible for 10 IIS servers, two Exchange servers, and 20 file and print servers. All 32 servers are internal to the LAN and serve as application, e-mail, file, and print servers for over 700 clients in five separate locations. Peter has noticed that there are 10 new events on his main domain controller. The event IDs are showing as Event ID 531. What is possibly happening that Peter should be aware of?

  A. There is a possible attack on the server, whereby someone could be trying to log in with a disabled account.

  B. There is a possible attack on the server, whereby someone could be trying to change the permissions of a group.

  C. There is a possible attack on the server, whereby someone could be trying to change the permissions of a user account.

  D. There is a possible attack on the server, whereby someone could be trying to launch a buffer overflow attack on the server.

Answers

4. 

✓ A is the correct answer. The most logical way to audit this issue is to use the Local Security Policy on each local workstation and audit logon events (success and failure).

✗ B, C, and D are not going to work because either Stan will be auditing too much or it will take more work to audit the events he needs. Since it is two specific workstations, the easiest, most logical way is to just audit the two workstations with the Local Security Policy MMC.

5. 

✓ D is the correct answer. When someone (possibly an attacker who has breached the system) is malicious in their attempts to erase the Security Logs, if you have auditing set up correctly (as you learned in this chapter) you can catch the clearing of the logs with the 517 event. The only possible problem is that if the attacker knew enough to get into the system, he or she could also know how to turn off auditing, and then they wouldn't see this event unless they refreshed the Security Log.

✗ A and C are both incorrect and misleading. Object access has nothing to do with the 517 event ID or the clearing of the Security Log. Answer B is also incorrect. The Security Log will, of course, pick up and show events numbered in the 500 range as well.

6. 

✓ A is correct. Event ID 531 showing up in the Event Log is a scary thing. This means that a logon attempt was made using a disabled account. It could mean that either the person for whom you disabled the account has tried it again, or worse yet, someone else is trying to use the account. It could also be an attempt on the Guest account, which is disabled by default.

✗ Answers B and C are both incorrect and misleading. They both look at a change of permissions, which will not be indicated by a 531 ID. Only the use of a disabled account will generate this ID number if auditing is turned on. Answer D is incorrect because a buffer overflow or DoS attack will not generate an ID event like this.
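The answers to questions 5 and 6 describe two Security Log events worth watching for: 517 (the audit log was cleared) and 531 (a logon attempt with a disabled account). The following script, added here as an example and not taken from the study guide, shows how a defender could triage a tab-separated export of the kind Dumpel produces, flagging both IDs and counting 531 attempts per account so that repeated use of one disabled account stands out. The column order in `COLUMNS` and the sample export are assumptions constructed for the example; adjust them to match the real file.

```python
"""Triage of a Dumpel-style tab-separated Security Log export.

Added example (not from the study guide). The column layout below is an
assumption about the export, not the documented Dumpel layout.
"""
import csv
import io
from collections import Counter

# Assumed column order of the tab-separated export (an assumption).
COLUMNS = ["date", "time", "type", "category", "event_id",
           "source", "user", "computer", "description"]

# Event IDs and their meaning as given in the chapter's answer key.
WATCHED_IDS = {
    517: "Security Log was cleared",
    531: "Logon attempt using a disabled account",
}

# Constructed sample export (not real data): one 517 and three 531 events,
# plus one ordinary successful logon (528) that should not be flagged.
SAMPLE_EXPORT = "\n".join([
    "\t".join(["3/4/2003", "09:12:01", "Success Audit", "Logon/Logoff", "528",
               "Security", "jsmith", "FILESRV1", "Successful Logon"]),
    "\t".join(["3/4/2003", "09:13:44", "Failure Audit", "Logon/Logoff", "531",
               "Security", "guest", "DC1", "Logon Failure: account disabled"]),
    "\t".join(["3/4/2003", "09:13:47", "Failure Audit", "Logon/Logoff", "531",
               "Security", "guest", "DC1", "Logon Failure: account disabled"]),
    "\t".join(["3/4/2003", "09:14:02", "Failure Audit", "Logon/Logoff", "531",
               "Security", "oldcontractor", "DC1", "Logon Failure: account disabled"]),
    "\t".join(["3/4/2003", "11:30:00", "Success Audit", "System Event", "517",
               "Security", "Administrator", "FILESRV1", "The audit log was cleared"]),
])


def parse_export(text):
    """Yield one dict per record; skip short lines and non-numeric event IDs."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    for row in reader:
        if len(row) < len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, row))
        try:
            rec["event_id"] = int(rec["event_id"])
        except ValueError:
            continue
        yield rec


def triage(text):
    """Return (findings, disabled_account_counts).

    findings: list of (computer, event_id, user, meaning) for watched IDs,
    in log order.
    disabled_account_counts: Counter of 531 attempts keyed by (computer, user).
    """
    findings = []
    counts = Counter()
    for rec in parse_export(text):
        eid = rec["event_id"]
        if eid in WATCHED_IDS:
            findings.append((rec["computer"], eid, rec["user"], WATCHED_IDS[eid]))
        if eid == 531:
            counts[(rec["computer"], rec["user"])] += 1
    return findings, counts


if __name__ == "__main__":
    found, per_account = triage(SAMPLE_EXPORT)
    for computer, eid, user, meaning in found:
        print(f"{computer}: event {eid} user={user}: {meaning}")
    for (computer, user), n in per_account.most_common():
        print(f"{computer}: {n} disabled-account logon attempt(s) for '{user}'")
```

A 517 on a server whose log has not been archived by the administrator is the case question 5 describes and deserves immediate follow-up; as the answer key notes, an attacker who can clear the log may also be able to disable auditing, so an unexplained gap in the log is as significant as the 517 itself.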

Auditing IIS

7. 

Stan is the network administrator responsible for 10 Windows 2000 servers running IIS 5.0 and 400 Windows XP Professional workstations, all separated geographically across four sites. Stan is responsible for implementing security on his 10 Windows Web-based servers. He would like to set up logging on his systems so he can audit the logs. What type of logging should Stan set up if he wants to log right to the system in the %WinDir%\System32\Logfiles folder using the default logging the system provides?

  A. ODBC logging

  B. NCSA Common Log File format

  C. W3C Extended Log File format

  D. Logging to an Oracle database using SQL Logging

8. 

Jake is responsible for six Windows 2000 servers in his organization. He has noticed that lately there are multiple login attempts on the main Web server. Jake wants to log to a SQL server so that he can log to a separate server; he also wants to be able to log massive amounts of events. What can Jake do to log all these events to a large SQL database on a separate server so that he can eliminate the threat of being exploited by a possible attacker?

  A. ODBC logging

  B. NCSA Common Log File format

  C. W3C Extended Log File format

  D. THD Logging format

Answers

7. 

✓ Answer C is correct. Auditing IIS is critical to any system administrator responsible for managing company Web servers. You should audit, monitor, and analyze IIS just the same as Windows 2000 Server. When using default logging, you use the W3C Extended Log File format.

✗ Answers A, B, and D are incorrect. Answer A is listed as ODBC logging, which is not correct. Answer B is NCSA Common Log File Format, which is also incorrect. Answer D is wrong as well; we don't want logging to a separate database.

8. 

✓ Answer A is correct. IIS creates log files that track connection attempts to Web (HTTP), FTP, NNTP, and SMTP services. Each of these services (which can run using IIS) maintains its own log files. You can find these log files in the %WinDir%\System32\Logfiles folder. If you want to log to a separate database that is ODBC compliant (such as SQL 2000), you can use ODBC logging.

✗ All other answers are incorrect. Answers B and C are the two other log file formats, neither of which is ODBC compliant. Answer D is not a log file format at all.
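Questions 7 and 8 establish that the default IIS log format is W3C Extended Log File format, written under %WinDir%\System32\Logfiles. The parser below is an added example, not code from the study guide or from IIS: it reads the `#Fields:` directive that the W3C format uses to declare its columns, keys each record by those names, and then counts requests per client address that were answered with HTTP status 401, which is how repeated failed authentication attempts against a Web server show up in the log. The log excerpt is constructed for the example, and the field list mirrors the usual IIS 5.0 selection; the helper names are this example's own.

```python
"""Parser for the IIS W3C Extended Log File format (the default IIS logging).

Added example, not from the study guide. The sample log is constructed; the
directives and the '-' placeholder for empty values are part of the format.
"""
from collections import Counter

# Constructed IIS 5.0-style excerpt (not real traffic). Data lines are space
# separated, so IIS writes values such as User-Agent without spaces.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-03-04 09:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-03-04 09:00:01 10.0.0.5 - 192.168.1.10 80 GET /default.htm - 200 Mozilla/4.0
2003-03-04 09:00:05 10.0.0.9 - 192.168.1.10 80 GET /secure/ - 401 Mozilla/4.0
2003-03-04 09:00:06 10.0.0.9 - 192.168.1.10 80 GET /secure/ - 401 Mozilla/4.0
2003-03-04 09:00:08 10.0.0.9 - 192.168.1.10 80 GET /secure/ - 401 Mozilla/4.0
2003-03-04 09:00:09 10.0.0.9 jsmith 192.168.1.10 80 GET /secure/ - 200 Mozilla/4.0
2003-03-04 09:01:00 10.0.0.5 - 192.168.1.10 80 GET /about.htm - 404 Mozilla/4.0
"""


def parse_w3c(text):
    """Return a list of dicts, one per data line, keyed by the #Fields names.

    A later #Fields directive (IIS writes a new header block whenever the log
    is reopened) replaces the current field list, so records stay correctly
    keyed across header changes. Data lines whose field count does not match
    the current directive, and data before any directive, are skipped.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def status_by_client(records, status):
    """Count records per client address (c-ip) that carry the given sc-status."""
    counts = Counter()
    for rec in records:
        if rec.get("sc-status") == str(status):
            counts[rec.get("c-ip")] += 1
    return counts


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(f"{len(recs)} requests parsed")
    for ip, n in status_by_client(recs, 401).most_common():
        print(f"{ip}: {n} request(s) answered 401")
```

Because the parser trusts the `#Fields:` line rather than a hard-coded column order, the same function works for any field selection an administrator configures in the IIS logging properties, which is the practical advantage of the W3C format over the fixed-column NCSA format named in the distractors.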

Windows Auditing Tools

9. 

Stan is the network administrator responsible for 10 Windows 2000 servers and 400 Windows XP Professional workstations, all separated geographically across four sites. Stan is auditing all 10 servers and needs a way to parse all Security Logs very quickly from the command prompt. What tool from the list that follows could he use?

  A. URLSCAN

  B. Dumpel

  C. EVENTSWP

  D. Net Event

10. 

Erika is the systems engineer for the London central hub location. The hub location contains over 50 Windows 2000 servers, but only three of them are accessible through the Internet. These three servers are responsible for Web-based services such as FTP and HTTP. All the rest of the servers (all 47 of them) are located within the private LAN protected by a firewall. These 47 servers are used for applications, file, print, and database purposes. Erika wants to parse all the servers for Event Log information. She wants to collect all the default logs found on all Windows 2000 systems as well as the FRS, DNS, and Active Directory logs as well. Erika has Dumpel.exe and is having problems using it to parse all the logs. What is the problem Erika is running into?

  A. Erika is using dumpel.exe and it is corrupted. She needs a new version, and then it will work.

  B. Erika is using dumpel.exe and it is never going to be able to parse anything but the default System Logs. It will not parse the FRS, DNS, and ADS logs.

  C. Erika is using dumpel.exe and it is not going to work without net1.exe. A batch file must be created to run the tool accurately.

  D. Erika is using dumpel.exe and it is not going to work without the use of the Task Scheduler or AT command.

11. 

Jake is responsible for six Windows 2000 servers in his organization. Jake has been made aware that there could be a problem with his DNS servers on the DMZ. He is concerned that a Zone Transfer attack or DNS poisoning could be attempted. He wants to use a tool that will parse all the DNS and Security Logs. What tool from the list that follows will allow Jake to quickly get all the DNS and Security Logs from his DNS servers?

  A. Dumpel

  B. EventCombMT

  C. EVENTSWP

  D. UrlScan

12. 

Rob is the network engineer responsible for 10 Windows 2000 servers and 400 Windows XP Professional workstations, all separated geographically across four sites. Rob is responsible for getting all Event Logs in all servers across the network. One issue is that getting the Active Directory logs is essential to trying to find NTDS directory shutdowns. What tool should Rob use to get this information?

  A. EventCombMT

  B. Dumpel

  C. EVENTSWP

  D. UrlScan

13. 

Peter is the network administrator responsible for performing security audits on Windows 2000 servers. Peter has a new assignment: to use the EventCombMT utility to search specifically for event ID number 682 because some kind of Terminal Server access problem is being reported. From the answers that follow, is the solution with the EventCombMT utility possible?

  A. Yes, you can use the EventCombMT utility, but it will only search for one ID at a time.

  B. No, you can't use the EventCombMT utility, because it will not search by a single ID, only in groups.

  C. Yes, you can use the EventCombMT utility to search for one or multiple IDs at a time.

  D. No, you can't use the EventCombMT utility, because it doesn't search for specific event IDs.

14. 

EventCombMT allows you to scan and filter through many types of events. Jane, a network administrator, needs to find out what EventCombMT will filter for her. From the options that follow, what can she filter through using EventCombMT? (Choose all that apply.)

  A. Error

  B. Informational

  C. Warning

  D. Critical

15. 

Sandra is a systems engineer who has been asked to search and parse Event Viewer Logs. She has acquired and will use the Dumpel utility. Using Dumpel, what option could Sandra use to specify the filename for the output file?

  A. -f

  B. -s

  C. -q

  D. -g

Answers

9. 

✓ Answer B is correct. Dumpel.exe is used to dump an Event Log into a tab-separated text file. This file can then be imported into an Excel spreadsheet (because it is tab separated) and/or a database such as Access for storage or future analysis.

✗ All other answers are incorrect. A is a valid tool, but not for parsing Event Logs, and C and D are not tools at all.

10. 

✓ Answer B is correct. Dumpel is used to dump an Event Log into a tab-separated text file. This file can then be imported into an Excel spreadsheet (because it is tab separated) and/or a database such as Access for storage or future analysis. Dumpel will only parse the default System Logs. It will not parse the ADS, DNS, and FRS logs.

✗ A, C, and D are incorrect. A is incorrect because the real problem is that Dumpel will not parse all logs, only the default System Logs. C and D are incorrect because Dumpel can in fact be run from the command prompt; both C and D imply that you need to automate this tool to get it to work, which is not true.

11. 

✓ Answer B is correct. EventCombMT is the GUI-based tool that allows you to manage the parsing of many Event Logs from your systems that will be dumped to a text-based file for analysis. This tool allows you to specifically search for event IDs by ID number, or you could search based on many other criteria. EventCombMT works with the DNS Logs, whereas Dumpel does not.

✗ Answer A is incorrect because Dumpel will not parse the DNS Logs. Answers C and D are incorrect as well. UrlScan is a valid tool but not to be used for parsing Event Logs, and EVENTSWP is not a tool at all.

12. 

✓ Answer A is correct. EventCombMT is the GUI-based tool that allows you to manage the parsing of many Event Logs from your systems that will be dumped to a text-based file for analysis. This tool allows you to specifically search for event IDs by ID number, or you could search based on many other criteria. Since EventCombMT is the only tool in the list that allows you to get the Directory Service Logs, you will only be able to use that one.

✗ Answer B is a log parser, but it's not able to get the ADS Logs. Answer C is not a valid tool. Answer D is a valid tool but does not parse an Event Log.

13. 

✓ C is the correct answer. The EventCombMT utility will allow you to search for single or multiple event IDs at a time.

✗ Answers A, B, and D are incorrect. Answer A is wrong because EventCombMT is not limited to searching only one ID at a time. Answer B is incorrect because you are also not locked down to just searching for groups. Answer D is incorrect because EventCombMT will in fact search for IDs.

14. 

✓ A, B, and C are all correct. You can search for error, informational, and warning events.

✗ Answer D is incorrect. Critical is not an event type.

15. 

✓ A is the correct answer. The -f switch specifies the filename for the output file. There is no default for -f, so you must specify the file.

✗ Answers B, C, and D are all incorrect. The -s switch specifies the server for which you want to dump the Event Log. Leading backslashes on the server name are optional. The other switches do not exist.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162