2 votes
You work as the IT security administrator for a small corporate network. As part of an ongoing program to improve security, you want to implement an audit policy for all workstations. You plan to audit user logon attempts and other critical events.

In this lab, your task is to configure the following audit policy settings in WorkstationGPO:

Local Policies (Setting = Value)
  Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings = Enabled
  Audit: Shut down system immediately if unable to log security audits = Enabled

Event Log (Setting = Value)
  Retention method for security log = Define: Do not overwrite events (clear log manually)

Advanced Audit Policy Configuration (Setting = Value)
  Account Logon: Audit Credential Validation = Success and Failure
  Account Management: Audit User Account Management = Success and Failure
  Account Management: Audit Security Group Management = Success and Failure
  Account Management: Audit Other Account Management Events = Success and Failure
  Account Management: Audit Computer Account Management = Success
  Detailed Tracking: Audit Process Creation = Success
  Logon/Logoff: Audit Logon = Success and Failure
  Logon/Logoff: Audit Logoff = Success
  Policy Change: Audit Authentication Policy Change = Success
  Policy Change: Audit Audit Policy Change = Success and Failure
  Privilege Use: Audit Sensitive Privilege Use = Success and Failure
  System: Audit System Integrity = Success and Failure
  System: Audit Security System Extension = Success and Failure
  System: Audit Security State Change = Success and Failure
  System: Audit IPsec Driver = Success and Failure

Do not use the old audit policies located in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.

1 Answer

6 votes

Final answer:

The task involves setting up an audit policy via Group Policy Object for monitoring user logon attempts and critical events on a corporate network by enabling the relevant policy settings and ensuring events are logged for both successes and failures.

Step-by-step explanation:

The task is to configure an audit policy for workstations within a corporate network focusing on user logon attempts and other critical events. To do this, you would implement settings in the Group Policy Object (GPO) for workstations. The settings include enabling policy subcategory settings to override audit policy category settings and shutting down the system immediately if it's unable to log security audits.

Furthermore, you'll set the retention method for the security log to 'Do not overwrite events (clear log manually)'. Additionally, in the 'Advanced Audit Policy Configuration', you will configure auditing for several aspects including Credential Validation, User Account Management, Security Group Management, and several others, for both success and failure events where applicable. These settings are important for maintaining a secure environment through active monitoring of user activities and system changes. It is critical to enable both success and failure auditing to ensure comprehensive coverage of potential security issues.

Remember to avoid using the old audit policy settings located in the deprecated path and focus only on implementing policies through the Advanced Audit Policy Configuration.

by Matthew McPeak (8.8k points)
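Once WorkstationGPO has been linked and `gpupdate /force` has run on a workstation, the lab does not tell you how to confirm the settings actually took effect. The script below is an added example, not part of the lab or of the answer above: it reads the effective audit policy with `auditpol`, the two Local Policies values from their registry locations under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and the security log mode via `Get-WinEvent`, and compares each against the values the lab asks for. The subcategory names are the standard Windows names; the expected-value table is built from the lab's list. Run it from an elevated PowerShell prompt, because `auditpol /get` requires administrative rights.

```powershell
# Added example (not from the original lab or answer): verify on a workstation that the
# audit settings requested in WorkstationGPO are in effect. Run elevated, after gpupdate /force.

# Expected effective state of each Advanced Audit Policy subcategory, taken from the lab's list.
# Keys are the subcategory names exactly as auditpol reports them.
$ExpectedAudit = @{
    'Credential Validation'          = 'Success and Failure'
    'User Account Management'        = 'Success and Failure'
    'Security Group Management'      = 'Success and Failure'
    'Other Account Management Events'= 'Success and Failure'
    'Computer Account Management'    = 'Success'
    'Process Creation'               = 'Success'
    'Logon'                          = 'Success and Failure'
    'Logoff'                         = 'Success'
    'Authentication Policy Change'   = 'Success'
    'Audit Policy Change'            = 'Success and Failure'
    'Sensitive Privilege Use'        = 'Success and Failure'
    'System Integrity'               = 'Success and Failure'
    'Security System Extension'      = 'Success and Failure'
    'Security State Change'          = 'Success and Failure'
    'IPsec Driver'                   = 'Success and Failure'
}

$failures = @()

# auditpol /r emits CSV with the columns:
#   Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
# "Inclusion Setting" is the effective value: "Success and Failure", "Success", "Failure" or "No Auditing".
$actual = auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |   # drop blank lines before parsing
    ConvertFrom-Csv

foreach ($name in $ExpectedAudit.Keys) {
    $row = $actual | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) {
        $failures += "Subcategory not reported by auditpol: $name"
        continue
    }
    $got = $row.'Inclusion Setting'
    if ($got -ne $ExpectedAudit[$name]) {
        $failures += "$name is '$got', expected '$($ExpectedAudit[$name])'"
    }
}

# The two Local Policies > Security Options entries land in the LSA key:
#   SCENoApplyLegacyAuditPolicy = 1  -> subcategory settings override category settings
#   CrashOnAuditFail            = 1  -> shut down system immediately if unable to log security audits
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    $failures += "Force audit policy subcategory settings is not Enabled (SCENoApplyLegacyAuditPolicy=$($lsa.SCENoApplyLegacyAuditPolicy))"
}
if ($lsa.CrashOnAuditFail -ne 1) {
    $failures += "Shut down system immediately if unable to log security audits is not Enabled (CrashOnAuditFail=$($lsa.CrashOnAuditFail))"
}

# "Do not overwrite events (clear log manually)" shows up on the Security log as LogMode = Retain.
# The other two modes are Circular (overwrite as needed) and AutoBackup (archive when full).
$secLog = Get-WinEvent -ListLog Security
if ($secLog.LogMode -ne 'Retain') {
    $failures += "Security log LogMode is '$($secLog.LogMode)', expected 'Retain'"
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All audit settings requested in the lab are in effect on $env:COMPUTERNAME."
```

A caveat worth keeping in mind before rolling this GPO beyond a lab: with CrashOnAuditFail set to 1 and the security log set to never overwrite, a workstation whose security log fills up will halt with a STOP error rather than drop events, and only an administrator can clear the log to bring it back. In production you would pair these settings with a generously sized security log and log forwarding to a collector, so the log never fills; the check above makes it easy to see which machines carry the strict combination.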