Chapter 11 - Monitoring and Auditing Flashcards
Which of the following is a record of the tracked actions of users? A. Performance Monitor B. Audit trails C. Permissions D. System and event logs
B. Audit trails are records showing the tracked actions of users. The Performance Monitor is a tool in Windows that enables you to track the performance of objects such as CPU, RAM, network adapter, physical disk, and so on. Permissions grant or deny access to resources. To see whether permissions were granted, auditing must be enabled. The system and other logs record events that happened in other areas of the system, for example, events concerning the operating system, drivers, applications, and so on.
What tool enables you to be alerted if a server’s processor trips a certain threshold? A. TDR B. Password cracker C. Event Viewer D. Performance Monitor
D. The Performance Monitor can be configured so that an alert fires when any counter (processor, RAM, paging file, and so on) crosses a threshold. For example, if processor usage stays above 90% for more than 1 minute, an alert is generated and can be sent automatically to an administrator. A TDR is a time-domain reflectometer, an electronic instrument used to test cables for faults. A password cracker is a program used to recover or crack passwords; Cain & Abel is one example. The Event Viewer is a built-in Windows application for viewing logged events such as warnings, errors, and informational messages; it does not measure performance counters the way Performance Monitor does.
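The alert rule described above (processor above 90% for more than a minute), implemented over a stream of counter samples. This is an added example and not part of the original flashcards; the sample values are constructed, and the counter name is only a label.

```python
"""Sustained-threshold alert in the style of a Performance Monitor alert rule.

Added example; not from the original flashcards. The counter samples are
constructed and the 90 % / 60 s rule is the one the answer uses.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Alert:
    counter: str
    started_at: float   # first sample above the threshold
    fired_at: float     # sample at which the hold time was reached
    peak: float         # highest value seen before the alert fired


def sustained_threshold_alerts(
    samples: Iterable[Tuple[float, float]],
    counter: str = r"\Processor(_Total)\% Processor Time",
    threshold: float = 90.0,
    hold_seconds: float = 60.0,
) -> List[Alert]:
    """Return one Alert per period in which the counter stays above
    `threshold` for at least `hold_seconds`.

    `samples` are (unix_timestamp, value) pairs in time order. A spike that
    drops back under the threshold before the hold time elapses does not
    fire; the hold time is what keeps brief bursts from paging anyone.
    """
    alerts: List[Alert] = []
    start: Optional[float] = None
    peak = 0.0
    fired = False
    for ts, value in samples:
        if value > threshold:
            if start is None:
                start, peak, fired = ts, value, False
            if not fired:
                peak = max(peak, value)
                if ts - start >= hold_seconds:
                    alerts.append(Alert(counter, start, ts, peak))
                    fired = True  # one alert per excursion, not one per sample
        else:
            start, fired = None, False  # excursion over; re-arm
    return alerts


# Constructed samples, 15 s apart: (timestamp, % processor time).
SAMPLES = [
    (0, 40.0), (15, 55.0), (30, 95.0), (45, 50.0),        # one-sample spike: no alert
    (60, 45.0), (75, 60.0), (90, 70.0), (105, 80.0),
    (120, 91.0), (135, 93.0), (150, 97.0), (165, 99.0),   # sustained: alert at 180
    (180, 96.0), (195, 92.0), (210, 94.0), (225, 30.0),
]

if __name__ == "__main__":
    for a in sustained_threshold_alerts(SAMPLES):
        print(f"{a.counter}: above threshold since t={a.started_at}, "
              f"alert at t={a.fired_at}, peak {a.peak}%")
```

The re-arm on the first sample below the threshold means a flapping counter can alert repeatedly; in production you would add a cool-down or hysteresis band, which is what a monitoring product's "retrigger interval" setting does.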
The IT director has asked you to install agents on several client computers and monitor them from a program at a server. What is this known as? A. SNMP B. SMTP C. SMP D. Performance Monitor
A. The Simple Network Management Protocol (SNMP) is used when agents are installed on client computers (or are built into network devices) so that a management station can poll and monitor them from a single remote location. SMTP is used by e-mail clients and servers. SMP is symmetric multiprocessing, which is not covered in the Security+ exam objectives. Performance Monitor lets you monitor a single computer and create performance baselines.
One of your coworkers complains to you that he cannot see any security events in the Event Viewer. What are three possible reasons for this? (Select the three best answers.)
A. Auditing has not been turned on.
B. The log file is only 512 KB.
C. The coworker is not an administrator.
D. Auditing for an individual object has not been turned on.
A, C, and D. To audit events on a computer, an administrator must enable auditing in the computer's (or domain's) audit policy, then turn on auditing for the individual object (folder, file, and so on) in that object's audit settings, and then view the results in the Security log of the Event Viewer. By default only members of the Administrators group, or accounts granted the "Manage auditing and security log" user right, can read the Security log, which is why a non-administrator sees nothing there. A 512 KB log is large enough to hold many events, so the log size is not the reason.
Which tool can be instrumental in capturing FTP GET requests? A. Vulnerability scanner B. Port scanner C. Performance Monitor D. Protocol analyzer
D. A protocol analyzer (packet sniffer) captures traffic on the wire, including the commands an FTP client sends on the control channel; an FTP client's get command appears on the wire as a RETR command, and because FTP is cleartext the file name and any credentials are visible as well. Vulnerability scanners and port scanners look for open ports and other weaknesses on a host; they do not capture traffic. Performance Monitor is a Windows program that reports on the performance of the computer system and its components.
Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this? A. Anomaly-based IDS B. Signature-based IDS C. Behavior-based IDS D. Heuristic-based IDS
B. An IDS that matches traffic against particular, known traffic patterns is signature-based. Heuristic signatures are a subset of signature-based monitoring, so signature-based IDS is the best answer. Anomaly-based and behavior-based systems use different methodologies: they learn what normal looks like and alert on departures from it rather than on known patterns.
You are setting up auditing on a Windows XP Professional computer. If set up properly, which log should have entries? A. Application log B. System log C. Security log D. Maintenance log
C. After auditing is turned on and specific resources are configured for auditing, check the Security log in the Event Viewer for the entries. These could be successful logons or failed attempts to delete files; there are literally hundreds of options. The Application log contains errors, warnings, and informational entries from applications. The System log deals with drivers, services, and system components. A system maintenance log is a written record of routine maintenance procedures, not an Event Viewer log.
You have established a baseline for your server. Which of the following is the best tool to use to monitor any changes to that baseline? A. Performance Monitor B. Antispyware C. Antivirus software D. Vulnerability assessments software
A. Performance monitoring software can be used to create a baseline and monitor for any changes to that baseline. An example is the Performance console in Windows Server 2003 (commonly referred to as the Performance Monitor). Antivirus and antispyware applications usually go hand in hand and are not used to monitor server baselines. Vulnerability assessment software such as Nessus, or a port scanner such as Nmap, is used to find open ports and other weaknesses on a server, not to track its load over time.
In what way can you gather information from a remote printer? A. HTTP B. SNMP C. CA D. SMTP
B. SNMP (Simple Network Management Protocol) lets you gather information from a remote printer, or from any other device that runs an SNMP agent. HTTP is the Hypertext Transfer Protocol, which deals with the transfer of web pages. A CA is a certificate authority, and SMTP is the Simple Mail Transfer Protocol.
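What an SNMP manager actually puts on the wire when it asks an agent (a printer, a monitored client, anything with an SNMP agent) for its system description, for both SNMP questions above. This is an added example, not part of the original flashcards: it hand-encodes an SNMPv1 GetRequest in BER so the structure is visible, and it shows the check a practitioner cares about, namely that the community string travels in cleartext in v1/v2c. The community string "public", the request id, and the 192.0.2.10 address are placeholders.

```python
"""Hand-built SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0).

Added example, not from the original flashcards. Encodes the ASN.1/BER
message a manager sends to an agent on UDP/161. Community string and
target address are placeholders.
"""
import socket
from typing import List


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER; a leading 0x00 keeps the sign bit clear."""
    if n < 0:
        raise ValueError("negative integers are not needed for SNMP requests")
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    ids = [int(x) for x in dotted.strip(".").split(".")]
    if len(ids) < 2:
        raise ValueError("OID needs at least two sub-identifiers")
    out = bytearray([ids[0] * 40 + ids[1]])
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                      # high bit set on every byte but the last
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def snmp_get_request(community: str, oids: List[str], request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version, community, GetRequest-PDU }."""
    varbinds = b"".join(_tlv(0x30, ber_oid(o) + b"\x05\x00") for o in oids)  # value = NULL
    pdu = (ber_integer(request_id)
           + ber_integer(0)             # error-status
           + ber_integer(0)             # error-index
           + _tlv(0x30, varbinds))
    return _tlv(0x30, ber_integer(0)                          # version 0 = SNMPv1
                + _tlv(0x04, community.encode("ascii"))       # OCTET STRING community
                + _tlv(0xA0, pdu))                            # [0] GetRequest-PDU


def community_in_clear(packet: bytes, community: str) -> bool:
    """v1 and v2c carry the community string unencrypted: anyone who can
    sniff the manager-to-agent path learns the 'password' for the agent."""
    return community.encode("ascii") in packet


def send_get(target: str, packet: bytes, timeout: float = 2.0) -> bytes:
    """Send the request to UDP/161 and return the raw response (needs a real agent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (target, 161))
        data, _ = s.recvfrom(65535)
        return data


if __name__ == "__main__":
    pkt = snmp_get_request("public", ["1.3.6.1.2.1.1.1.0"])
    print(pkt.hex())
    print("community string readable in the packet:", community_in_clear(pkt, "public"))
    # print(send_get("192.0.2.10", pkt).hex())   # placeholder address; needs an SNMP agent
```

The cleartext community string is the reason SNMPv3 (authentication and privacy) is preferred over v1/v2c on anything reachable from untrusted networks; if you must run v2c, restrict which managers an agent answers and never leave the default "public" community in place.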
Which of the following can determine which flags are set in a TCP/IP handshake? A. Protocol analyzer B. Port scanner C. SYN/ACK D. Performance Monitor
A. A protocol analyzer can look inside the packets that make up a TCP/IP handshake. The flags it shows include SYN (synchronize sequence numbers) and ACK (acknowledgment field significant); SYN/ACK is a combination of those two flags, not a tool. A port scanner drives the handshake to infer whether ports are open but does not display packet contents, and Performance Monitor does not look inside packets at all.
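Decoding the flag bits a protocol analyzer would display, done by hand on constructed segments so nothing needs to be captured. This is an added example, not from the original flashcards; the three segments are built in the block (a client on a random port talking to FTP control port 21) and the sequence and acknowledgment numbers are invented.

```python
"""Decode TCP flag bits and check that three segments form a valid handshake.

Added example, not from the original flashcards. Segments are constructed;
field layout follows RFC 793 (flags are in header byte 13).
"""
import struct
from typing import Dict, List

FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, data-offset/reserved, flags, window, csum, urgptr
MASK32 = 0xFFFFFFFF


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: str, window: int = 65535) -> bytes:
    """Constructed 20-byte TCP header, no options or payload; checksum left zero."""
    bits = 0
    for name in filter(None, flags.split("|")):
        bits |= FLAG_BITS[name]
    return struct.pack(HDR, sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)


def parse_tcp(segment: bytes) -> Dict[str, object]:
    """Pull ports, sequence/ack numbers and the set flag names out of a segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, bits, window, _csum, _urg = struct.unpack(HDR, segment[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "header_len": header_len, "flags": [n for n, b in FLAG_BITS.items() if bits & b]}


def handshake_stage(flags: List[str]) -> str:
    fs = set(flags)
    if fs == {"SYN"}:
        return "SYN (step 1, client -> server)"
    if fs == {"SYN", "ACK"}:
        return "SYN/ACK (step 2, server -> client)"
    if fs == {"ACK"}:
        return "ACK (step 3, client -> server)"
    if "RST" in fs:
        return "RST (port closed, or connection torn down)"
    return "other"


def is_three_way_handshake(segments: List[bytes]) -> bool:
    """True only if flags match SYN, SYN/ACK, ACK *and* the numbers chain:
    the SYN/ACK acknowledges seq+1 of the SYN and the ACK acknowledges seq+1
    of the SYN/ACK. Flags alone are not enough; replayed or spoofed segments
    usually get the numbers wrong."""
    if len(segments) != 3:
        return False
    a, b, c = (parse_tcp(s) for s in segments)
    return (set(a["flags"]) == {"SYN"}
            and set(b["flags"]) == {"SYN", "ACK"} and b["ack"] == (a["seq"] + 1) & MASK32
            and set(c["flags"]) == {"ACK"} and c["ack"] == (b["seq"] + 1) & MASK32
            and c["seq"] == (a["seq"] + 1) & MASK32)


# Constructed handshake to an FTP control port.
HANDSHAKE = [
    build_tcp(40000, 21, 1000, 0, "SYN"),
    build_tcp(21, 40000, 5000, 1001, "SYN|ACK"),
    build_tcp(40000, 21, 1001, 5001, "ACK"),
]

if __name__ == "__main__":
    for seg in HANDSHAKE:
        p = parse_tcp(seg)
        print(f"{p['sport']} -> {p['dport']} seq={p['seq']} ack={p['ack']} "
              f"flags={'/'.join(p['flags'])}: {handshake_stage(p['flags'])}")
    print("valid handshake:", is_three_way_handshake(HANDSHAKE))
```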
Which of following is the most basic form of IDS? A. Anomaly based B. Behavioral-based C. Signature-based D. Statistical-based
C. Signature-based IDS is the most basic form of intrusion detection. It monitors packets on the network and compares them against a database of known signatures, so it can detect only what that database already describes. Anomaly-based, behavior-based, and statistical-based systems are all more complex forms of IDS. Anomaly-based and statistical-based are often considered the same monitoring methodology.
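A minimal signature-based detector for the two IDS questions above (traffic patterns matched against a database, and why that is the "most basic" form). This is an added example and not code from the original flashcards or from any IDS product: the three signatures and the four packet payloads are constructed, and the last payload shows the limitation, a traversal string that a byte-for-byte signature misses until the payload is normalised.

```python
"""Minimal signature-based detection over packet payloads.

Added example, not from the original flashcards. Signatures and packets
are constructed; real rulesets (Snort/Suricata) add protocol, port and
flow context around the content match shown here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern    # compiled regex over the raw payload bytes


# Constructed signatures; the sids are in the local (1000000+) range, not vendor rules.
SIGNATURES: List[Signature] = [
    Signature(1000001, "traversal-attempt", re.compile(rb"\.\./\.\./", re.I)),
    Signature(1000002, "phpinfo-probe", re.compile(rb"GET /phpinfo\.php", re.I)),
    Signature(1000003, "cmd-exec-param", re.compile(rb"[?&]cmd=", re.I)),
]


def match_signatures(payload: bytes, sigs: List[Signature] = SIGNATURES) -> List[int]:
    """Return the sid of every signature whose pattern occurs in the payload."""
    return [s.sid for s in sigs if s.pattern.search(payload)]


def scan(packets: List[Tuple[str, bytes]], sigs: List[Signature] = SIGNATURES,
         decode: bool = False) -> List[Tuple[str, int, str]]:
    """packets: (source_ip, payload). With decode=True the payload is
    percent-decoded first, a tiny example of the preprocessing that lifts a
    detector above pure byte matching."""
    names = {s.sid: s.name for s in sigs}
    alerts = []
    for src, payload in packets:
        data = unquote_to_bytes(payload) if decode else payload
        for sid in match_signatures(data, sigs):
            alerts.append((src, sid, names[sid]))
    return alerts


# Constructed payloads. The last is the same traversal as the second but
# percent-encoded, which the raw signature does not recognise.
PACKETS = [
    ("198.51.100.7", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("198.51.100.7", b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    ("203.0.113.9", b"GET /phpinfo.php HTTP/1.1\r\n\r\n"),
    ("203.0.113.9", b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    print("raw match:    ", scan(PACKETS))
    print("after decode: ", scan(PACKETS, decode=True))
```

The raw scan produces two alerts and silently passes the encoded traversal; enabling decoding produces three. Every evasion of this kind (encoding, fragmentation, case changes) is a gap in the database until someone writes a rule or a normaliser for it, which is the practical meaning of "most basic".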
Which of the following deals with the standard load for a server? A. Patch management B. Group policy C. Port scanning D. Configuration baseline
D. A configuration baseline deals with the standard load of a server: what the system looks like, and how its resources are used, under normal conditions. By measuring the traffic that passes through the server's network adapter (along with processor, memory, and disk counters) over a period of normal operation, you establish the baseline against which later measurements are compared.
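Establishing a baseline from a window of normal samples and flagging later deviations from it, for the two baseline questions above. This is an added example, not from the original flashcards; the learning window and the later samples are constructed (a network-adapter throughput counter in kB/s), and the 3-standard-deviation cut-off is a common but arbitrary choice.

```python
"""Baseline a counter during normal operation, then flag deviations.

Added example, not from the original flashcards. Sample values are
constructed (network adapter throughput, kB/s); the z-score cut-off is a
conventional choice, not a rule from the text.
"""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple


def build_baseline(samples: Sequence[float]) -> Dict[str, float]:
    """Summarise the normal load as mean and standard deviation.
    Collect the window while the server is known to be healthy; a baseline
    learned during an incident will treat the incident as normal."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to baseline")
    return {"mean": mean(samples), "stdev": pstdev(samples), "n": len(samples)}


def deviations(baseline: Dict[str, float], later: Sequence[Tuple[str, float]],
               z: float = 3.0) -> List[Tuple[str, float, float]]:
    """Return (label, value, z-score) for every sample more than `z` standard
    deviations from the baseline mean, in either direction: a sudden drop
    (a service that died, a link that went down) matters as much as a spike."""
    sd = baseline["stdev"] or 1e-9        # a flat baseline would otherwise divide by zero
    flagged = []
    for label, value in later:
        score = (value - baseline["mean"]) / sd
        if abs(score) > z:
            flagged.append((label, value, round(score, 2)))
    return flagged


# Constructed learning window (kB/s through the adapter, one sample per hour).
LEARNING = [100, 110, 90, 105, 95, 100, 110, 90, 105, 95]

# Constructed later samples: one normal hour, a spike, a drop, a mild increase.
LATER = [("Mon 02:00", 98), ("Mon 03:00", 400), ("Mon 04:00", 5), ("Mon 05:00", 118)]

if __name__ == "__main__":
    base = build_baseline(LEARNING)
    print(f"baseline: mean={base['mean']:.1f} stdev={base['stdev']:.2f} (n={base['n']})")
    for label, value, score in deviations(base, LATER):
        print(f"{label}: {value} kB/s deviates from baseline (z={score:+.2f})")
```

Baselines drift as legitimate load changes, so re-learn them on a schedule and keep the previous one for comparison; a baseline that is never refreshed generates noise, and one that is refreshed blindly will absorb an attacker's traffic as the new normal.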
Your boss wants you to properly log what happens on a database server. What are the most important concepts to think about while you do so? (Select the two best answers.)
A. The amount of virtual memory that you will allocate for this task
B. The amount of disk space you will require
C. The information that will be needed to reconstruct events later
D. Group policy information
B and C. It is important to calculate how much disk space you will require for the logs of your database server and verify that you have that much disk space available on the hard drive. It is also important to plan what information will be needed in the case that you need to reconstruct events later. Group policy information and virtual memory are not important for this particular task.
Which of the following is the best practice to implement when securing logs files?
A. Log all failed and successful login attempts.
B. Deny administrators access to log files.
C. Copy the logs to a remote log server.
D. Increase security settings for administrators.
C. It is important to copy the logs to a separate log server so that a copy exists if something happens to the primary log server; a remote copy also survives an intruder who clears the local logs after compromising the host, which is the first thing many attackers do. Logging all failed and successful login attempts might not be wise, because it will create many entries. The rest of the answers are not necessarily good ideas when working with log files.
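One way to keep a local log and ship a copy to a remote collector at the same time, as an added example that is not part of the original flashcards. Messages are formatted in RFC 5424 syslog form and, in real use, sent over UDP/514; the sending function is injected so the formatting and the local-first behaviour can be exercised offline. The host names, application names and the two audit records are constructed.

```python
"""Write each record locally and forward a copy to a remote log host.

Added example, not from the original flashcards. RFC 5424 formatting;
collector address, host/app names and sample records are placeholders.
"""
import os
import socket
import tempfile
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

FACILITY = {"auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def rfc5424(facility: str, severity: str, host: str, app: str, msg: str,
            ts: Optional[datetime] = None) -> str:
    """PRI is facility*8 + severity; then version 1, timestamp, host, app,
    and '-' for the PROCID, MSGID and structured-data fields we do not use."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = (ts or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    return f"<{pri}>1 {when} {host} {app} - - - {msg}"


class DualLogger:
    """Appends to a local file, then ships the same line to a remote collector.

    Local write comes first so a collector outage never loses the record;
    lines the collector did not accept are queued for a later retry instead
    of being dropped silently.
    """

    def __init__(self, local_path: str, send: Callable[[bytes], None], host: str, app: str):
        self.local_path, self.send, self.host, self.app = local_path, send, host, app
        self.failed_remote: List[str] = []

    def log(self, facility: str, severity: str, msg: str) -> str:
        line = rfc5424(facility, severity, self.host, self.app, msg)
        with open(self.local_path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        try:
            self.send(line.encode("utf-8"))
        except OSError:
            self.failed_remote.append(line)
        return line


def udp_sender(collector: str, port: int = 514) -> Callable[[bytes], None]:
    """Transport for real use: one datagram per record to the collector."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(data: bytes) -> None:
        sock.sendto(data, (collector, port))
    return send


def demo() -> Dict[str, list]:
    """Constructed run: first record reaches the collector, then the
    collector goes away and the second record is kept locally and queued."""
    captured: List[bytes] = []

    def reachable(data: bytes) -> None:
        captured.append(data)

    def unreachable(data: bytes) -> None:
        raise OSError("collector unreachable")

    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        lg = DualLogger(path, reachable, "db01", "auditd")
        lg.log("auth", "notice", "USER_LOGIN uid=1001 res=success")
        lg.send = unreachable
        lg.log("auth", "warning", "USER_LOGIN uid=0 res=failed")
        with open(path, encoding="utf-8") as fh:
            local = fh.read().splitlines()
    finally:
        os.unlink(path)
    return {"local": local, "remote": captured, "queued": lg.failed_remote}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
    # Real use: DualLogger("/var/log/app-audit.log", udp_sender("192.0.2.20"), "db01", "auditd")
```

UDP syslog is fire-and-forget, so the queue above only catches local socket errors; for records that must not be lost, use a TCP or TLS transport to the collector and restrict write access to the local file so the copy on the box is at least not trivially editable.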
What is the main reason to frequently view the logs of a DNS server?
A. To create aliases
B. To watch for unauthorized zone transfers
C. To defend against denial of service attacks
D. To prevent domain name kiting
B. Security administrators should frequently view the logs of a DNS server to watch for unauthorized zone transfers (AXFR or IXFR requests from hosts that are not your secondary servers), since a full zone transfer hands an attacker a map of your network. Aliases are DNS names (CNAME records) that redirect to a hostname or FQDN. Simply viewing the logs of a DNS server will not defend against denial-of-service attacks. Domain name kiting is the practice of registering a domain name and dropping it within the five-day add grace period so that it is never paid for, then repeating the process.
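The check described above, run over DNS server log lines: flag any AXFR or IXFR request that does not come from a listed secondary, and separately pull out the server's own "transfer denied" messages. This is an added example, not part of the original flashcards; the log lines are constructed in the style of BIND 9 query and security logging (the `@0x...` client pointer is optional in the parser because older versions omit it), and the zone, addresses and allowed-secondary list are placeholders.

```python
"""Find unauthorized zone-transfer requests in DNS server logs.

Added example, not from the original flashcards. Log lines are constructed
in BIND 9 query/security log style; zone and addresses are placeholders.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"zone transfer '(?P<zone>[^/]+)/(?P<qtype>AXFR|IXFR)/IN' denied"
)
TRANSFER_TYPES = {"AXFR", "IXFR"}


def unauthorized_transfers(lines: Iterable[str], allowed: Dict[str, Set[str]]) -> List[dict]:
    """Every AXFR/IXFR query whose source is not an allowed secondary for that
    zone. Requests the server refused still count: the attempt is the signal."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m["qtype"].upper() not in TRANSFER_TYPES:
            continue
        zone = m["name"].lower().rstrip(".")
        if m["ip"] not in allowed.get(zone, set()):
            findings.append({"ts": m["ts"], "ip": m["ip"], "zone": zone,
                             "qtype": m["qtype"].upper()})
    return findings


def denied_transfers(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """The server's own refusals (security category), as (ip, zone, type)."""
    return [(m["ip"], m["zone"], m["qtype"])
            for m in (DENIED_RE.search(line) for line in lines) if m]


def repeat_offenders(findings: List[dict], min_attempts: int = 2) -> Dict[str, int]:
    """Sources that tried more than once are worth a block or a ticket."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_attempts}


# Constructed log excerpt. 192.0.2.2 is the legitimate secondary.
LOG = """\
02-Mar-2024 10:15:01.123 client @0x7f3a1c0b2e10 192.0.2.2#53188 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
02-Mar-2024 10:15:03.555 client @0x7f3a1c0b2e10 198.51.100.77#41722 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
02-Mar-2024 10:15:03.556 client @0x7f3a1c0b2e10 198.51.100.77#41722 (example.com): zone transfer 'example.com/AXFR/IN' denied
02-Mar-2024 10:15:04.001 client @0x7f3a1c0b2e10 203.0.113.5#53000 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.1)
02-Mar-2024 10:15:09.200 client 198.51.100.77#41800 (example.com): query: example.com IN IXFR -E(0)T (192.0.2.1)
"""

ALLOWED: Dict[str, Set[str]] = {"example.com": {"192.0.2.2"}}   # placeholder secondary list

if __name__ == "__main__":
    lines = LOG.splitlines()
    for f in unauthorized_transfers(lines, ALLOWED):
        print(f"{f['ts']} {f['ip']} requested {f['qtype']} of {f['zone']} (not an allowed secondary)")
    print("server denied:", denied_transfers(lines))
    print("repeat offenders:", repeat_offenders(unauthorized_transfers(lines, ALLOWED)))
```

Monitoring only tells you someone asked; the control that stops the transfer is the server's own restriction (in BIND, `allow-transfer { 192.0.2.2; };` in the zone or options block, ideally with TSIG), and the two should agree: the allowed list fed to this check should be generated from the same configuration.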