You work as the network administrator at certifyme.com. The certifyme.com
network consists of a single Active Directory domain named certifyme.com. All
servers on the certifyme.com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Leading the way in IT testing and certification tools, www.certifyme.com
- 29 -
Clive Wilson is a manager in the Human Resources department. Clive Wilson
frequently accesses files that contain confidential information on certifyme.com's
employees. The files reside in several shared folders on his Windows XP
Professional computer. Both Dean and employees working in the Human Resources
department modify these files.
Clive Wilson complains that this morning, when he attempted to access a file in one
of the shared folders, the shared folders and files were deleted. 350-001 You decide to use
last nights backup to restore the files. You successfully restore the latest available
backup of these files. You must immediately determine who the culprit is that
deleted the files.
You suspect that someone deleted Clive's files from across the network. You log on
to Clive Wilson's computer. You want to configure local security policy, so that you
can determine who connected to Clive's computer and deleted the files. You want to
use Event Viewer to produce a listing of all logged entries.
What should you do? (Choose the two actions which you should perform. Each
correct answer presents only part of the complete solution. Choose two answers that
apply.)
A. Enable the Privilege Use - Success audit policy on Clive Wilson's computer.
Use Event Viewer to configure a filter that will list all entries produced by the audit
policy.
B. Enable the Logon Events - Success audit policy on Clive Wilson's computer.
Use Event Viewer to configure a filter that will list all entries produced by the audit
policy. 640-802
C. Enable the Account Logon Events - Success audit policy on Clive Wilson's computer.
Use Event Viewer to configure a filter that will list all entries produced by the audit
policy.
D. Enable the Object Access - Success audit policy on Clive Wilson's computer.
Use Event Viewer to configure a filter that will list all entries produced by the audit
policy.
Answer: A, D
Explanation: The Privilege Use - Success audit policy will allow you to see who
deleted the files from Clive Wilson's computer, and also when these files were deleted.
The Object Access - Success audit policy will let you know when an individual
successfully accessed Clive Wilson's files. You can then use Event Viewer to configure a
filter that will list all entries produced by the audit policy.
Leading the way in IT testing and certification tools, www.certifyme.com
- 30 -
Incorrect Answers:
C: The Logon Events - Success and Account Logon Events - Success audit policies
would not work because the question states that Clive Wilson's files were deleted from
over the network. These policies would inform you on who logged on to the local
computer, and whether a user account was compromised. VCP-310 B: The Logon Events - Success and Account Logon Events - Success audit policies
would not work because the question states that Clive Wilson's files were deleted from
over the network. These policies would inform you on who logged on to the local
computer, and whether a user account was compromised.
Reference:
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment