Question 2) MCSA Certified on Windows 2000


Objective: Managing Users, Computers, and Groups
SubObjective: Troubleshoot user authentication issues
Single Answer Multiple Choice

You are the network administrator for your company. The network consists of a single Windows Server 2003 domain named PROCENT. The domain is operating in Windows 2000 mixed mode. The domain contains both Windows Server 2003 and Windows 2000 Server computers. All desktop computers run Windows XP Professional. The network does not have Internet connectivity and does not provide dial-up remote access. Auditing of failed object access events is configured on all server computers. The Default Domain Policy is configured to audit failed logon events.

 

The company’s written security policy requires you to audit the security logs on domain controllers and member servers each week. During an audit of the security logs on one of the Windows 2000 domain controllers you discover numerous Event ID 529 and ID 539 (Logon Events) entries. All Event ID 529 entries contain the following information:

 

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/5/2002
Time: 2:56:47 PM
Computer: DC1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: GregM
Domain: PROCENT
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PRC001

 

GregM, the user whose user account is indicated in the event, is on leave of absence for one month. You must ensure that the attempted intrusion is unsuccessful without disrupting other users’ access to the domain.

 

What should you do?

 

 

  A. Use the Local Users and Groups console on PRC001 to disable the GregM user account.
  B. Use the Active Directory Users and Computers console to delete the GregM user account.
  C. Use the Active Directory Users and Computers console to disable the GregM user account.
  D. Use the Active Directory Users and Computers console to delete the PRC001 computer account.
  E. Use the Active Directory Users and Computers console to disable the PRC001 computer account.

Answer:
C. Use the Active Directory Users and Computers console to disable the GregM user account.

Tutorial:
You should use the Active Directory Users and Computers console to disable the GregM user account. Disabling the account will prevent the unauthorized user, who is attempting to gain access to the network using the PRC001 computer, from guessing GregM’s password and accessing the domain.

The event information indicates that the intruder is attempting to access the network using the domain user account. The event log being audited is on DC1, which is a domain controller. This is indicated in the scenario and by the Domain: PROCENT entry in the event. When this occurs, an event ID 529 (Logon Event) entry will be logged in the security log. This will be accompanied by an event ID 681 (Account Logon Event) entry, which is not mentioned. The event ID 539 (Logon Event) entry indicates that the account has reached the lockout threshold value and is locked out. All these indications point to an unauthorized user who is attempting to gain entry to the domain by logging on to the PRC001 computer using the GregM domain user account. The account should be disabled until the threat is resolved.

You should not use the Local Users and Groups console on PRC001 to disable the GregM user account. While an event ID 529 (Logon Event) also indicates an unauthorized logon using a local account, the Domain: PROCENT value in the event, along with the location of the entry in the domain controller’s security log, indicates that the domain account is the intrusion target.

You should not use the Active Directory Users and Computers console to disable the PRC001 computer account. While this would neutralize the attack, it would also prevent any other users who must use the computer from logging onto the domain. Your solution must not disrupt network access.

You should not use the Active Directory Users and Computers console to delete the PRC001 computer account. This would also prevent other users who use this computer from logging on to the domain, and would require the account to be re-created and reconfigured.

You should not use the Active Directory Users and Computers console to delete the GregM user account. This would require the account to be re-created, including all associated user rights, privileges, and group membership assignments.
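The following Python example is added here and is not part of the original practice test. It parses exported event text in the field layout shown in the question, counts Event ID 529 failures and Event ID 539 lockouts per account, and uses the Domain field to tell a domain account from a local one; the sample records, the function names, and the rule that a non-matching Domain value means a local account are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample records in the field layout of the event shown in the question.
TEMPLATE = "Event ID: {0}\nUser Name: {1}\nDomain: {2}\nWorkstation Name: {3}\n"
SAMPLE_LOG = "\n".join(TEMPLATE.format(*r) for r in [
    ("529", "GregM", "PROCENT", "PRC001"),
    ("529", "GregM", "PROCENT", "PRC001"),
    ("539", "GregM", "PROCENT", "PRC001"),
    ("529", "Administrator", "PRC001", "PRC001"),  # Domain holds the computer name
])

FIELD = re.compile(r"^\s*([A-Za-z /]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Split blank-line-separated records into dicts of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if "Event ID" in rec:
            events.append(rec)
    return events

def triage(events, domain):
    """Summarise failed logons (529) and lockouts (539) per targeted account."""
    summary = defaultdict(lambda: {"failed": 0, "locked_out": False,
                                   "workstations": set(), "scope": None})
    for ev in events:
        if ev["Event ID"] not in ("529", "539"):
            continue
        key = (ev.get("Domain", ""), ev.get("User Name", ""))
        s = summary[key]
        # Assumption: a Domain value other than the domain name means a local account.
        s["scope"] = "domain" if key[0].upper() == domain.upper() else "local"
        s["workstations"].add(ev.get("Workstation Name", ""))
        if ev["Event ID"] == "529":
            s["failed"] += 1
        else:
            s["locked_out"] = True
    return dict(summary)

if __name__ == "__main__":
    for key, s in triage(parse_events(SAMPLE_LOG), "PROCENT").items():
        print(key, s)
```

An account reported with scope "domain" is one to act on in Active Directory Users and Computers; an account with scope "local" exists only on the workstation named in the record.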

Reference:
1. Microsoft TechNet – Search Phrase – Windows 2000 Security Event Descriptions (Part 1 of 2)

These questions are derived from the Self-Test Software Practice Test for 70-292 – Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000.
