Exam MD-100 topic 5 question 14 discussion

Isn't B correct? From the link you supplied: Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. No mention about putting the computer object in this group.

Answer: B "Note: Many of the event logs in Windows Server already provide the Network Service account access to the common event logs like Application and System. But the account is not given access to the Security event log and other custom event logs." https://adamtheautomator.com/windows-event-log-forwarding/

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc748890(v=ws.10)

I have just tested this, I have given my normal user account the Event Log Reader membership then connected to eventviewer remotely to the client and I was able to read all logs. When I removed the membership and did the same exercise I get the error that I don't have access. I answered this wrong at the test yesterday. Howecer something is not quite right with the question because since the user could read all the other logs except securty, it no longer makes sense.

B. On each computer, add the NETWORK SERVICE account to the Event Log Readers group. Explanation: By default, only the security event logs are not available to non-administrative users, so adding the NETWORK SERVICE account to the Event Log Readers group is enough to forward the security events to Computer1.

https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection

B= Correct.

https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection

Answer B: https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection

I would say given answer is correct. computers have already been set up and are forwarding events. By default, standard users can access system, application and setup logs. But in order to access security logs, you have to add that object to the event readers security group. Network Service would not be the best option due to the fact that all other logs have been forwarded other than security events. Therefore, the needed services to receive event and deliver subscriptions have been properly configured. https://docs.microsoft.com/en-us/windows/win32/services/networkservice-account

I will go for B

Answer: B

The winrm quickconfig command (or the abbreviated version winrm qc ) performs these operations. Starts the WinRM service, and sets the service startup type to auto-start. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address I believe that Answer ( D ) is the correct with 99.9%

Additional Notes : If you cannot connect to a remote host, verify that the service on the remote host is running and is accepting requests by running the following command on the remote host: winrm quickconfig This command analyzes and configures the WinRM service " /q is for quite mode - If present, quickconfig will not prompt for confirmation. Configure the Windows Event Collector Service The following syntax is used to configure the Windows Event Collector service to ensure event subscriptions can be created and sustained through computer restarts. This includes the following procedure: To configure the Windows Event Collector service 1. Enable the ForwardedEvents channel if it is disabled. 2. Delay the start of the Windows Event Collector service. 3. Start the Windows Event Collector service if it is not running. syntaxCopy wecutil { qc | quick-config } /q:VALUE Parameters **/q:**VALUE A value that determines whether the quick-config command will prompt for confirmation. VALUE can be true or false. If VALUE is true, then the command will prompt for confirmation. The default value is false.

In The link Explanation, search to "Appendix D" : " Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel." B must be Correct for me.

On the question it says "You can see all the other forwarded events from the other computers." so that's assuming the computer1 is already added to Event Log Readers group. For me the answer on this is B.

D is correct - https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2 Before a collector can access the Event Log, you will need to add the collector’s computer account to the Event Log Readers group.