Exam GCIH
Question 73

You are a member of your organization's security team. A new ticket just came into your service desk and was escalated to you. One of the system administrators noticed the following entry in a Windows Server 2008 R2 file server Security event log:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/1/2012 2:24:07 AM
Event ID: 4674
Task Category: Sensitive Privilege Use
Level: Information
Keywords: Audit Failure
User: N/A
Computer: somehost.somecompany.com
Description: An operation was attempted on a privileged object.

Subject:
    Security ID: LOCAL SERVICE
    Account Name: LOCAL SERVICE
    Account Domain: NT AUTHORITY
    Logon ID: 0x3e5

Object:
    Object Server: LSA
    Object Type:
    Object Name:
    Object Handle: 0x0

Process Information:
    Process ID: 0x1d8
    Process Name: C:\Windows\System32\Isass.exe

Requested Operation:
    Desired Access: 16777216
    Privileges: SeSecurityPrivilege

What is your next step?

    Correct Answer: B

    When you encounter an unfamiliar Security event, the first step is to establish whether it is common and has a benign explanation. Searching Microsoft TechNet or another reliable reference for Event ID 4674 (Sensitive Privilege Use, Audit Failure) tells you whether this entry is normal behaviour on a file server. Several details of the entry point in that direction: the Subject is the built-in NT AUTHORITY\LOCAL SERVICE account (logon ID 0x3e5 is that account's fixed logon session), the Object Server is LSA, and the privilege involved is SeSecurityPrivilege. Those facts do not by themselves prove the event is benign, so the verification should also include comparing the logged process path exactly against the real LSA binary (lsass.exe) and checking how often the same entry recurs on this host. Moving to containment or disabling the account without this verification risks unnecessary disruption based on an event that is not yet understood; if the lookup shows the event is expected noise, document that and close the ticket, and if it does not, the entry becomes the starting point of an incident investigation.
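The verification step described in the answer, as an added example that is not part of the original question or answer: parse the pasted event text into fields, compare it against a profile of the event as the reference lookup would describe it, and compare the process path exactly against the real LSA binary. The benign profile below (Audit Failure 4674 from NT AUTHORITY\LOCAL SERVICE, logon ID 0x3e5, Object Server LSA, SeSecurityPrivilege, requested by C:\Windows\System32\lsass.exe) is an assumption made for the example, standing in for whatever the TechNet lookup establishes. The sample event is constructed from the text on this page with the process path kept exactly as printed there; the second sample is the same text with the path changed to lsass.exe.

```python
from dataclasses import dataclass, field

# Constructed sample: the Security event from the ticket, copied from the page.
# The process path is kept exactly as the page prints it (Isass.exe).
TICKET_EVENT = r"""
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/1/2012 2:24:07 AM
Event ID: 4674
Task Category: Sensitive Privilege Use
Level: Information
Keywords: Audit Failure
User: N/A
Computer: somehost.somecompany.com
Description: An operation was attempted on a privileged object.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Object:
Object Server: LSA
Object Type:
Object Name:
Object Handle: 0x0
Process Information:
Process ID: 0x1d8
Process Name: C:\Windows\System32\Isass.exe
Requested Operation:
Desired Access: 16777216
Privileges: SeSecurityPrivilege
"""

# Constructed second sample: identical, but with the path of the real LSA binary.
CONFIRMED_EVENT = TICKET_EVENT.replace("Isass.exe", "lsass.exe")

# ASSUMPTION for the example: this is the benign profile the reference lookup establishes.
LSA_PROCESS = r"C:\Windows\System32\lsass.exe"
BENIGN_PROFILE = {
    "Event ID": "4674",
    "Keywords": "Audit Failure",
    "Account Domain": "NT AUTHORITY",
    "Account Name": "LOCAL SERVICE",
    "Logon ID": "0x3e5",           # fixed logon session ID of LOCAL SERVICE
    "Object Server": "LSA",
    "Privileges": "SeSecurityPrivilege",
}


def parse_event(text: str) -> dict:
    """Turn 'Key: Value' lines of a pasted event into a dict; section headers get ''."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        # Tolerate the trailing " -" that copy/paste of the event viewer often leaves.
        fields[key.strip()] = value.strip().rstrip("-").strip()
    return fields


@dataclass
class Triage:
    verdict: str
    mismatches: list = field(default_factory=list)


def triage(fields: dict) -> Triage:
    """Report which fields differ from the benign profile; empty list means it matches."""
    mismatches = [k for k, v in BENIGN_PROFILE.items() if fields.get(k) != v]
    # Windows paths are case-insensitive, so fold case, but compare the whole path:
    # a different letter in the file name is a different file and must not match.
    if fields.get("Process Name", "").casefold() != LSA_PROCESS.casefold():
        mismatches.append("Process Name")
    if not mismatches:
        return Triage("matches benign profile; confirm it recurs, document, close ticket")
    return Triage("does not match benign profile; investigate before closing", mismatches)


if __name__ == "__main__":
    for label, text in (("ticket", TICKET_EVENT), ("confirmed", CONFIRMED_EVENT)):
        result = triage(parse_event(text))
        print(f"{label}: {result.verdict} {result.mismatches}")
```

Run against the event as printed on the page, every profile field matches and only the process path is reported, which is exactly the detail the lookup alone cannot settle and the analyst has to confirm on the host; with the path of the real LSA binary the event matches the profile in full.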

Discussion
847ch0n3 (Option: B)

I do not agree with the answer; the next step is likely to identify whether it's an incident. I'm leaning towards B.