70-411 Exam Cram - Configure File and Print Services

Configure advanced audit policies

Implement auditing using Group Policy and AuditPol.exe

  • Auditpol.exe with the /get subcommand can be used to query audit policies, for example: Auditpol.exe /get /category:\"Object Access\"
  • Auditpol.exe with the /set subcommand can be used to query audit policies, for example: Auditpol.exe /set /Category:\"Object Access\" /Subcategory:\"File System\" /success:Enable
  • Auditpol.exe /backup can be used to backup audit settings and restore them to another server
  • Auditing can be enabled in the default domain policy if you wish to target domain and local accounts. Auditing is enabled under computer configuration. To audit both logons and logon attempts you need to enable both success and failure for 'Audit account logon attempts'
  • Auditing 'Object access' needs to be enabled in both Group Policy and on the security tab of the object you wish to audit
  • Audited events are recorded in the Security Event log
  • Auditing privilege use allows you to audit events when a user uses their special permissions, configure the setting on the server where the special permission is applied
  • You can ensure that simple auditing will not conflict with advanced audit policies by settings the "Audit: Force audit policy subcategory settings" group policy setting under "Security Settings\Local Policies\Security Options". Setting this value will cause the simple audit policies to be ignored

Create expression-based audit policies

  • Expression-based audit policies allow for the same conditions that are used for Dynamic Access Control, which includes user and device claims to be applied to auditing
  • You can configure Global auditing here: Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Global Object Access Auditing. This setting is preferred over the old enable auditing and then turn it on per folder process that used to be required

Create removable device audit policies

  • You should edit the Advanced Audit Policy Configuration setting as it contains the new Audit Removable Storage setting. Only success should be enabled, as failure events will include audit events where the file was not successfully copied. You may also want to configure the Audit Handle Manipulation setting

Popular posts from this blog

Get local computer UUID/GUID using Windows Powershell

Use the following syntax to get the local computer's UUID/GUID using Windows Powershell: get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID Add -computername after the WMI class to find a remote computer's UUID, example: get-wmiobject Win32_ComputerSystemProduct -computername RANTPC | Select-Object -ExpandProperty UUID
Read more

gPLink and gPOptions

gPLink is a property for sites, domains and organisational units that contains a prioritised list of GPOs linked to the node. gPOptions is a property that contains all Block Policy Inheritance settings for the node. To manage GPO links on a node, you must have read and write access to the gPLink and gPOptions properties.
Read more

PSLoggedOn Getting Started on Windows Server 2008 R2

Image
PSLoggedOn is a tool I downloaded to allow me to find out which computers a user is currently logged on to. Getting it up and running wasn’t exactly easy. I’m running a Windows Server 2008 R2 test environment. The first error I encountered was: Error browing network: The list of servers for this workgroup is not currently available. Note: I kept the spelling mistake from the error message to make it easier to find via search engines. To get past this error, you have to enable and start the “Computer Browser” service. Then I started getting the error telling me that the Administrator is not logged on. That’s simply not true because I am logged onto another server (Name: ELARA): I turned the firewall OFF OFF OFF (It is a test network after all). I enabled Network Discovery and to do that I went on a service starting frenzy: DNS Client, Function Discovery Resource Publication, SSDP Discovery, and UPnP Device Host, Computer Browser After all that, I ran the script against the se
Read more