These questions are derived from the Self Test Software Practice Test for Microsoft exam #70-284 – Implementing and Managing Microsoft Exchange Server 2003
Objective: Managing Security in the Exchange Environment
SubObjective: Manage audit settings and audit logs
Single Answer, Multiple Choice
Your company uses Exchange 2003 as its messaging system. The Exchange organization contains five Exchange Server 2003 computers. You are an Exchange administrator for your company. Messaging services are very important for the company’s normal operation, and you must ensure that only authorized personnel have access to the Exchange servers. If anyone tampers with Exchange services on the Exchange servers, you want to have evidence of such events in the security logs.
Which of the following should you do?
- Enable auditing of logon events on the Exchange servers
- On each Exchange server, configure diagnostics logging for all Exchange services.
- Periodically review the system log on each Exchange server. Define a filter to isolate all events that are related to the starting and stopping of Exchange services.
- Periodically review the application log on each Exchange server. Define a filter to isolate all events that are related to the starting and stopping of Exchange services.
A. Enable auditing of logon events on the Exchange servers
The scenario requires that you collect evidence of possible tampering with Exchange services in the security logs. A Windows security log contains records of security-related events, such as auditing results. To interfere with Exchange services, a perpetrator has to connect to the Exchange servers. You should be able to identify occurrences of tampering with the Exchange servers by configuring an audit policy that will record all logon events. If you notice that anyone logged on to any of the Exchange servers at unusual hours or shortly before a suspicious failure occurred, then the logon audit records in the security logs on the Exchange servers can be helpful in identifying the perpetrator. However, note that you should allocate sufficient disk space for the security logs because, typically, very large numbers of logon events occur during normal Exchange operations.
When Exchange services are started or stopped, the appropriate events are written to the system and application logs. On the Diagnostics Logging tab of each Exchange server’s Properties sheet, you can configure logging of various Exchange services and related events. Diagnostics logging causes events to be written to the application log. Those records might also prove helpful in identifying occurrences of tampering with Exchange services. However, the scenario requires that you maintain evidence in the security logs. If you want these types of events also recorded in the security log for convenience’s sake, you can enable an audit policy that logs system events. For example, recording the stopping and starting of the services gives a good indication of uptime.
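The review described in the explanation above, as an added example that is not part of the original practice test: a Python sketch that flags logons outside business hours or shortly before an Exchange service stopped. It assumes the security and system logs were exported to CSV with the constructed columns shown, that successful logons appear as Windows Server 2003 event IDs 528 and 540 and service state changes as Service Control Manager event 7036, and that the business-hours range and 15-minute window are arbitrary choices.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, not real log data. The column layout and the
# "service|state" detail format are assumptions made for this example.
SAMPLE = """time,log,event_id,detail
2004-03-01 09:12:00,Security,528,alice
2004-03-01 23:41:00,Security,528,bob
2004-03-01 23:47:00,System,7036,Microsoft Exchange Information Store|stopped
2004-03-02 10:05:00,Security,540,carol
2004-03-02 10:30:00,System,7036,Microsoft Exchange Information Store|running
2004-03-02 14:00:00,Security,528,dave
2004-03-02 14:10:00,System,7036,Microsoft Exchange System Attendant|stopped
"""

LOGON_IDS = {528, 540}          # successful interactive / network logon
SERVICE_STATE_ID = 7036         # Service Control Manager state change
BUSINESS_HOURS = range(8, 18)   # assumed policy: 08:00 to 17:59
WINDOW = timedelta(minutes=15)  # assumed "shortly before" window

def parse(text):
    """Return (time, log, event_id, detail) tuples in chronological order."""
    rows = [(datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
             r["log"], int(r["event_id"]), r["detail"])
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows)

def review(text):
    """Flag logons at unusual hours or just before an Exchange service stop."""
    rows = parse(text)
    logons = [(t, d) for t, log, eid, d in rows
              if log == "Security" and eid in LOGON_IDS]
    stops = [(t, d.split("|")[0]) for t, log, eid, d in rows
             if log == "System" and eid == SERVICE_STATE_ID
             and "Exchange" in d and d.endswith("|stopped")]
    findings = []
    for t, user in logons:
        reasons = []
        if t.hour not in BUSINESS_HOURS:
            reasons.append("logon outside business hours")
        for stop_time, service in stops:
            if timedelta(0) <= stop_time - t <= WINDOW:
                minutes = int((stop_time - t).total_seconds() // 60)
                reasons.append(f"{service} stopped {minutes} min later")
        if reasons:
            findings.append((user, t, reasons))
    return findings

if __name__ == "__main__":
    for user, when, reasons in review(SAMPLE):
        print(when, user, "; ".join(reasons))
```
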
1. Exchange Server 2003 Help – Contents
- Microsoft Exchange Server 2003 – Server Administration – Monitoring Exchange – Monitor Your Exchange Organization – Use Diagnostic Logging and Event Viewer (entire section).
2. Windows Server 2003 Online Help – Contents
- Security – Security Configuration Manager – Concepts – Using Security Configuration Manager – Security Setting Descriptions – Local Policies – Auditing Policy (entire section).