GIAC Certified Incident Handler (GCIH) — Question 167
You are a member of your organization's security team. A new ticket just came into your service desk and was escalated to you. One of the system administrators noticed the following entry in a Windows Server 2008 R2 file server Security event log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/1/2012 2:24:07 AM
Event ID: 4674
Task Category: Sensitive Privilege Use
Level: Information
Keywords: Audit Failure
User: N/A
Computer: somehost.somecompany.com
Description: An operation was attempted on a privileged object.
Subject:
  Security ID: LOCAL SERVICE
  Account Name: LOCAL SERVICE
  Account Domain: NT AUTHORITY
  Logon ID: 0x3e5
Object:
  Object Server: LSA
  Object Type:
  Object Name:
  Object Handle: 0x0
Process Information:
  Process ID: 0x1d8
  Process Name: C:\Windows\System32\Isass.exe
Requested Operation:
  Desired Access: 16777216
  Privileges: SeSecurityPrivilege
What is your next step?
Answer options
- A. Initiate the "Containment" phase of the Incident Handling process
- B. Search Microsoft's TechNet to find out if this is a normal Windows Security event
- C. Disable the trusted account status of the Local Service account
- D. Request that all audit failure log entries be forwarded to you
Correct answer: A
Explanation
The correct answer is A because initiating the 'Containment' phase is crucial to mitigate any potential security incident arising from the event log entry. Option B is less immediate, as verifying normality does not address the potential threat. Option C is inappropriate since the Local Service account is a default account that should not be modified without proper justification. Option D, while helpful for monitoring, does not directly address the immediate incident response needed.
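As an added illustration (not part of the original question or of GIAC's material), the Python helper below parses an event entry of the shape quoted above and applies three defender-side checks a handler would run before deciding to contain: whether the process basename matches a core Windows binary exactly or only after folding look-alike characters (the entry's `Isass.exe` versus the legitimate `lsass.exe`), whether the subject account is the one that binary normally runs under, and whether the denied request concerned SACL access (Desired Access 16777216 is 0x01000000, the `ACCESS_SYSTEM_SECURITY` bit, which is what `SeSecurityPrivilege` gates). The event text is the entry from the question; the look-alike character table, the protected-process/expected-account mapping and the function names are assumptions made for this example.

```python
import ntpath
from typing import Dict, List

# The event entry quoted in the question, copied as-is (raw string so the
# Windows path backslashes survive).
EVENT_TEXT = r"""Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/1/2012 2:24:07 AM
Event ID: 4674
Task Category: Sensitive Privilege Use
Level: Information
Keywords: Audit Failure
User: N/A
Computer: somehost.somecompany.com
Description: An operation was attempted on a privileged object.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Object:
Object Server: LSA
Object Type:
Object Name:
Object Handle: 0x0
Process Information:
Process ID: 0x1d8
Process Name: C:\Windows\System32\Isass.exe
Requested Operation:
Desired Access: 16777216
Privileges: SeSecurityPrivilege"""

# Assumption for this example: characters commonly swapped for visual look-alikes
# when a file name is chosen to resemble a Windows system binary.
LOOKALIKE_MAP = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})

# Assumption for this example: core Windows processes and the account each runs
# under on a healthy host.
PROTECTED_PROCESSES: Dict[str, str] = {
    "lsass.exe": "SYSTEM",
    "services.exe": "SYSTEM",
    "winlogon.exe": "SYSTEM",
    "csrss.exe": "SYSTEM",
}

# ACCESS_SYSTEM_SECURITY (0x01000000 = 16777216) requests access to an object's
# SACL; holding SeSecurityPrivilege is what makes that request succeed.
ACCESS_SYSTEM_SECURITY = 0x01000000


def parse_event(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines into a dict; section headers such as 'Subject:' map to ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split at the first colon only
        fields[key.strip()] = value.strip()
    return fields


def normalize_name(basename: str) -> str:
    """Fold look-alike characters, then lower-case: 'Isass.exe' -> 'lsass.exe'."""
    return basename.translate(LOOKALIKE_MAP).lower()


def analyze(fields: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one Sensitive Privilege Use event."""
    findings: List[str] = []
    basename = ntpath.basename(fields.get("Process Name", ""))
    exact = basename.lower()
    folded = normalize_name(basename)
    account = fields.get("Account Name", "").upper()

    # Which protected binary does this process claim to be, if any?
    target = exact if exact in PROTECTED_PROCESSES else folded if folded in PROTECTED_PROCESSES else None
    if target:
        if exact != target:
            findings.append(f"process name {basename!r} is a look-alike of {target!r}")
        expected = PROTECTED_PROCESSES[target]
        if account != expected:
            findings.append(f"{target} normally runs as {expected}, this event shows {account}")

    # A denied request for SACL access is worth a look on its own.
    if fields.get("Keywords") == "Audit Failure":
        try:
            desired = int(fields.get("Desired Access", "0"), 0)  # base 0 accepts "0x..." too
        except ValueError:
            desired = 0
        if desired & ACCESS_SYSTEM_SECURITY or "SeSecurityPrivilege" in fields.get("Privileges", ""):
            findings.append("denied attempt to use SeSecurityPrivilege / ACCESS_SYSTEM_SECURITY")
    return findings


def triage(text: str) -> List[str]:
    """Parse and analyze one event entry in a single call."""
    return analyze(parse_event(text))


if __name__ == "__main__":
    for finding in triage(EVENT_TEXT):
        print("-", finding)
```

Run against the quoted entry, `triage` reports three findings: the look-alike process name, the unexpected account (LOCAL SERVICE where SYSTEM is expected), and the denied SACL-access request. Replacing the process name with the genuine `lsass.exe` running as SYSTEM leaves only the third finding, which is the kind of entry option B would have you research rather than contain.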