Security Auditing
Cram Saver
1. What feature tracks and records various security-related events so that you can detect intruders and attempts to compromise the system?
❍ A. Auditing
❍ B. ACL
❍ C. Permissions
❍ D. Rights
2. You want to enable auditing of a folder called Reports. What is the first step you need to do?
❍ A. Enable user auditing
❍ B. Enable file auditing
❍ C. Enable object auditing
❍ D. Enable ACL auditing
Answers
1. A is correct. If you enable auditing, you can track and record various security-related events, such as when someone logs on to the computer or when a file or folder is accessed. Answer B is incorrect because the access control list (ACL) is used to specify who can access an object and what permissions they have for that object. Answer C is incorrect because permissions are assigned to an object and recorded in the ACL. Answer D is incorrect because rights are used to determine what actions a user can perform on a computer running Windows.
2. C is correct. The first step in enabling auditing for a printer, file, or folder is to enable object auditing. Printers, files, and folders are examples of objects. User auditing and ACL auditing are not specifically used in Windows audit policies and, therefore, Answers A and D are incorrect. Answer B is incorrect because configuring file auditing would be the second step, after you enable object auditing.
CHAPTER 8: User Management
Auditing is a feature of Windows 7 that tracks and records various security-related events so that you can detect intruders and attempts to compromise data on the system. Therefore, you want to set up an audit policy for a computer to
• Minimize the risk of unauthorized use of resources.
• Maintain a record of user and administrator activity.
Examples of auditing include tracking the success and failure of events, such as attempts to log on, attempts by a particular user to read a specific file, changes to user accounts, or changes to security settings.
Some events that you can monitor are access to an object such as a folder or file, management of user and group accounts, and logging on and off a system. The security events are provided in the Event Viewer, specifically the security logs, which contain the following information:
• The action that was performed
• The user who performed the action
• The success or failure of the event and when the event occurred
• Additional information, such as the computer where the event occurred
Therefore, auditing is one way to find security holes in your network and to ensure accountability for people’s actions.
Not all events are audited by default. If you have Administrator permissions, you can specify what types of system events to audit using group policies or the local security policy (Security Settings\Local Policies\Audit Policy). In addition, Windows 7 also offers Advanced Audit Policy configuration, which allows more granular control, as shown in Figure 8.13. The amount of auditing that needs to be done depends on the needs of the organization. A minimum-security network might only audit failed logon attempts so that brute-force attacks can be detected. A high security network most likely audits both successful and failed logons to track who successfully gained access to the network.
FIGURE 8.13 Auditing policy.
Auditing can be configured on any Windows computer, including workstations and servers. Because a user working on a workstation often accesses remote network resources, it makes sense that you have to configure auditing on those Windows servers so that you monitor how those resources are being accessed. In addition, because many organizations are using Active Directory domains, you need to enable auditing at the domain level so that you can monitor when a user logs in to the domain, no matter what computer they are logging on from.
The first step in implementing an audit policy is to select the types of events that you want Windows 7 to audit. Table 8.3 describes the events that Windows 7 can audit.
TABLE 8.3 Audit Events

Event: Example

Account Logon: When a user logs on to the local computer, the computer records the Account Logon event. When a user logs on to a domain, the authenticating domain controller records the Account Logon event.

Account Management: An administrator creates, changes, or deletes a user account or group; a user account is renamed, disabled, or enabled; or a password is set or changed.

Directory Service Access: A user accesses an Active Directory object. Note: You must then configure specific Active Directory objects for auditing.

Logon: A user logs on or off a local computer, or a user makes or cancels a network connection to the computer; the event is recorded on the computer that the user accesses, regardless of whether a local account or a domain account is used.

Object Access: A user accesses a file, folder, or printer. Note: You must then configure specific files, folders, or printers to be audited, the users or groups that are being audited, and the actions that they are audited for.

Policy Change: A change is made to the user security options (for example, password options or account logon settings), user rights, or audit policies.

Privilege Use: A user exercises a user right (not related to logging on or off), such as changing the system time or taking ownership of a file.

Process Tracking: An application performs an action. This is generally used only by programmers and can be very intensive.

System: A user restarts or shuts down the computer, or an event occurs that affects Windows security or the security log.
With file and folder auditing, you can audit only those volumes that are formatted with NTFS. In addition, you must first enable Object Access auditing using group policies. After the group policy has been applied, you can set, view, or change auditing on a file or folder by doing the following:
1. Using a group or local policy, enable object access auditing.
2. Open Windows Explorer and locate the file or folder that you want to audit.
3. Right-click the file or folder and select the Properties option.
4. Click the Security tab, click the Advanced button, and click the Auditing tab:
• To set up auditing for a new group or user, click Add, specify the name of the user you want, and click the OK button to open the Auditing Entry box.
• To view or change auditing for an existing group or user, click the name and then the View/Edit button.
• To remove auditing for an existing group or user, click the name and then the Remove button.
Because the security log is limited in size, select only those objects that you need to audit and consider the amount of disk space that the security log needs. The maximum size of the security log is defined in Event Viewer by right-clicking Security Log and selecting the Properties option.
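The following PowerShell script is an added example, not code from the book: it carries out the procedure above from an elevated prompt, enabling Object Access auditing for the file system, adding an auditing entry to a folder, sizing the security log, and then reading the resulting events back from Event Viewer's Security log. The folder path C:\Reports, the audited group (Everyone), the 64 MB log size, and the property positions used to pull the user and object name out of event 4663 are assumptions for the example.

```powershell
# Added example (not from the book). Run from an elevated PowerShell prompt.

# Step 1: enable Object Access auditing for files and folders. The "File System"
# subcategory is the Advanced Audit Policy equivalent of the Audit Object Access
# setting in Security Settings\Local Policies\Audit Policy.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Steps 2-4: add an auditing entry (SACL) on the folder. Get-Acl needs -Audit to
# read the SACL, which requires the "Manage auditing and security log" right.
$path = 'C:\Reports'   # assumed folder; the Cram Saver's Reports folder
$acl  = Get-Acl -Path $path -Audit

# Audit successful and failed Delete and Write attempts by any member of
# Everyone, inherited by subfolders and files (ContainerInherit, ObjectInherit).
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', 'Delete, Write', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Security log size: the book sets this in Event Viewer's Security Log properties;
# wevtutil sets the same maximum size from the command line (64 MB, in bytes).
wevtutil.exe sl Security /ms:67108864

# Review: Object Access produces event ID 4663 ("an attempt was made to access an
# object"). Show recent entries for the audited folder with the user and object.
# Properties[1] is the subject user name and Properties[6] the object name in the
# 4663 event template (assumed positions; check Event Viewer's Details view).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$path*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'User';   Expression = { $_.Properties[1].Value } },
        @{ Name = 'Object'; Expression = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Audit entries only start producing events once the audit policy is in effect, so if the query returns nothing, confirm the policy with `auditpol.exe /get /subcategory:"File System"` before suspecting the SACL.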
Cram Quiz
1. Where do you look to see the events you audited?
❍ A. System Configuration
❍ B. Registry Editor
❍ C. Logs folder
❍ D. Event Viewer
2. How do you enable auditing in Windows?
❍ A. Modify the boot.ini
❍ B. Right-click Computer applet and select properties
❍ C. Use group policies
❍ D. System Configuration
Cram Exam Answers
1. D is correct. If auditing is enabled, the security logs in the Event Viewer contain events. If not, the security logs are empty. Therefore, the other answers are incorrect.
2. C is correct. You would enable auditing in Windows using group policies, including local policies. Therefore, the other answers are incorrect.
Review Questions
1. What allows a system to determine whether an authenticated user can access a resource and how they can access the resource?
❍ A. Authentication
❍ B. Authorization
❍ C. Auditing
❍ D. Certificate
2. Which protocol is the main logon authentication method used when logging onto a computer running Windows Server 2008 that is part of an Active Directory domain?
❍ A. Kerberos
❍ B. Windows NT LAN Manager
❍ C. Certificate mappings
❍ D. Password Authentication Protocol
3. Which of the following does UAC prompt for permission or administrative credentials? (Choose two answers.)
❍ A. Change time zone
❍ B. Change power management settings
❍ C. Install fonts
❍ D. Install a device driver
❍ E. Install an application
4. Which of the following is used to prevent unauthorized changes to your computer?
❍ A. Computer Management Console
❍ B. User Account Control (UAC)
❍ C. Windows Firewall
❍ D. Event Viewer
5. You receive a message asking for your permission to continue a certain action. What would usually generate this warning?
❍ A. Windows Firewall
❍ B. NTFS permissions
❍ C. User Account Control (UAC)
❍ D. Internet Sharing Console
6. You work as the desktop support technician at Acme.com. You have many computers running Windows 7 that are part of a Windows domain. Your company decides to allow only applications that have been approved by the IT department. You have a handful of users who need to make configuration changes to these applications. However, when they try to make the appropriate changes, they always receive the following error message:
You need to ensure that <username> is able to make configuration changes to <computer name>.
After verifying that these users have administrative access to their computer, what do you need to do to make sure that they no longer receive these messages?
❍ A. Add all users to the Power Users group
❍ B. Add all users to the Users group
❍ C. Turn off the Windows Firewall
❍ D. Change the Elevation prompt for administrators in User Account Control (UAC) Admin Approval Mode
7. You work as the desktop support technician at Acme.com. You need to assign a handful of users to install applications without giving administrative permissions. What do you do?
❍ A. Make these users part of the local administrator group
❍ B. Turn User Account Control off in the User Accounts Control Panel tool
❍ C. Configure Parental Controls to block each user from the ability to download unapproved software
❍ D. Configure the User Account Control not to prompt during software installation in the Security Options section of the Local Security Policy.
8. What program do you need to download and install so that you can manage Active Directory resources from your computer running Windows 7?
❍ A. ADManager
❍ B. WFW
❍ C. UAC
❍ D. RSAT
9. To create local user accounts, you use which of the following? (Choose two answers.)
❍ A. User Accounts in the Control Panel
❍ B. Computer Management Console
❍ C. Active Directory Users and Computers
❍ D. Users and Groups Administrator console
10. Which auditing do you need to enable if you want to see if someone is deleting a user account from a computer running Windows 7?
❍ A. Account logon
❍ B. Account management
❍ C. Object access
❍ D. Policy change
Review Question Answers
1. Answer B is correct. Authorization occurs after authentication, which allows access to a network resource. Answer A is incorrect because authentication is the process to confirm a user’s identity when he or she accesses a computer system or additional system resources. Answer C is incorrect because auditing is the recording of activity to be used to track user actions. Answer D is incorrect because a digital certificate is a form of authentication.
2. Answer A is correct. Kerberos is the main logon authentication method used by clients and servers running Microsoft Windows operating systems to authenticate both user accounts and computer accounts. Answer B is incorrect because Windows NT LAN Manager (NTLM) is an authentication protocol used for backward compatibility with pre-Windows 2000 operating systems and applications. Answer C is incorrect because certificate mappings are used with smart cards (which contain a digital certificate) for logon authentication. Answer D is incorrect because Password Authentication Protocol (PAP) is used as a remote access authentication protocol that sends username and password in clear text (unencrypted).
3. Answers D and E are correct. Installing device drivers and installing applications require administrative permission. Therefore, UAC prompts you to make sure it is something that you want done. Answers A, B, and C are incorrect because standard users can perform these actions.
4. Answer B is correct. User Account Control is used to prevent unauthorized changes to the computer. Answer A is incorrect because the Computer Management console is used to manage the computer, including managing volumes, using the Event Viewer, and managing local users and groups. Answer C is incorrect because the Windows Firewall helps block unwanted packets from getting to your computer. Answer D is incorrect because the Event Viewer is used to look at warning and error messages and the security logs.
5. Answer C is correct. User Account Control asks for permission to continue when you are performing tasks that require you to be an administrator, to make sure that they are tasks that you really want to complete. Answer A is incorrect because Windows Firewall prevents unwanted packets from the outside. Answer B is incorrect because NTFS permissions help protect the files on an NTFS volume. Answer D is incorrect because there is no such thing as an Internet Sharing Console.
6. Answer D is correct. The message is generated by User Account Control, which you can configure by using local or group policies. Answer A is incorrect because the Power Users group is left behind from Windows 2000 and XP for backward compatibility. Answer B is incorrect because all standard user accounts should already be members of the Users group. Answer C is incorrect because turning off the firewall would not get rid of the message.
7. Answer D is correct. You need to edit the Local Security Policy to not prompt during installs by disabling the Detect application installations and prompt for elevation setting. This allows applications to be installed without prompting for the administrative credentials. Answer A is incorrect because you don’t want to give administrative permission. Answer B is incorrect because turning off User Account Control stops protecting the system. Answer C is also incorrect because Parental Controls cannot be used when a computer is connected to a domain.
8. Answer D is correct. The Active Directory consoles include the Active Directory Users and Computers console and the Group Policy Management console. To install these consoles, you need to install the Microsoft Remote Server Administration Tools (RSAT) for Windows 7. Answer A is incorrect because ADManager does not exist in Windows. Answer B is incorrect because WFW is short for Windows Firewall, which is used to protect a computer from unauthorized access. Answer C is incorrect because UAC is short for User Account Control, which helps protect a computer from unauthorized changes.
9. Answers A and B are correct. The Control Panel User Accounts and the Computer Management Console, specifically under Users and Groups, are used to add and manage user accounts. Answer C is incorrect because the Active Directory Users and Computers console is used to manage domain user accounts. Answer D is incorrect because the Users and Groups Administrator console does not exist.
10. Answer B is correct. When you enable auditing of account management, events are recorded when someone creates, changes, or deletes a user account or group; a user account is renamed, disabled, or enabled; or a password is set or changed. Answer A is incorrect because account logon auditing records when a user logs on to the local computer. Answer C is incorrect because object access auditing is the first step in monitoring access to objects, including printers, folders, and files. Answer D is incorrect because policy change auditing records changes to local policies.