Rely on the system's own tools to keep track of network security changes

Source: Internet
Author: User

Whether on the Internet or an intranet, a network will always encounter various security threats. To resolve them effectively, we must find a way to fully understand the network security status of the system. Many methods are available for monitoring changes in the network security status, but many of them require professional tools. In fact, important host systems have their own capabilities in this area; as long as we rely on them and explore them in depth, we can fully understand the network security changes of the system.

1. Monitor network service changes

Once an important host in the LAN is attacked by a network virus, the network service status of that system may change significantly. We can therefore monitor changes in the network service status of important hosts to determine whether the target host has suffered a virus or Trojan attack. How can we know which network services have been newly started on the target host and which have been disabled? It is actually very simple: the net start command provided by Windows lets us quickly monitor changes in the status of network services. The specific monitoring steps are as follows:

First, while the important host is running normally, click the "Start"/"Run" command. In the Run text box that appears, enter "cmd" and press Enter to switch the system to the DOS command line;

At the DOS command line, enter the command "net start > e:\normal.txt" and press Enter. The target host saves the list of started network services in the "e:\normal.txt" file, which serves as the reference for the normal state of the target host's network services;

Later, when the target host suddenly runs slowly or shows other obvious abnormalities, execute the command "net start > e:\ignor.txt" to save the network service status of the abnormal system to the "e:\ignor.txt" file;

Then run the command "fc e:\normal.txt e:\ignor.txt" at the DOS command line to compare the network service status before and after the abnormality and check whether new network services have been started. Such new network services are probably services belonging to network viruses or Trojans. In this case, we should manually disable the new network service and then scan the important host with professional anti-virus software until its operating status is restored.

2. Monitor shared status changes

To achieve their goals, some Trojans or malicious attackers secretly create hidden shared folders on important host systems and use them to peek at private information on those systems. To prevent this, we must find a way to monitor changes in the status of shared folders on the local system. Once an unfamiliar shared folder is found to have been secretly created, delete it promptly. How can we monitor changes in the status of shared folders on important host systems? The net share command built into Windows serves this purpose. The specific steps are as follows:

First, open the "Start" menu of the important target host, click the "Run" command, and execute "cmd" in the Run box that appears to switch the system to the DOS command line;

Then run the command "net share > e:\old.txt" at the command prompt. Windows writes the status of all shared folders in the current state to the "e:\old.txt" file. After that, open the "My Computer" window of the system and open the "e:\old.txt" file to see all the sharing status information of the target host.

Later, run the command "net share > e:\e0000txt" regularly on the target host to save the latest shared folder status to the "e:\e0000txt" file. To determine whether the sharing status has changed, run the command "fc e:\old.txt e:\e0000txt". Its output tells us exactly what has changed among the shared folders on the target host, such as newly created shares and cancelled shares.

Of course, if you want to monitor changes in the sharing status automatically, open Notepad and enter the following commands in the editing window:

@echo off
rem Save the current share list
net share > e:\e0000txt
rem Compare it with the baseline saved earlier
fc e:\old.txt e:\e0000txt

After confirming that the code is entered correctly, execute the "File"/"Save" command in the editing window and save the commands as the batch file "e:\auto.bat". Finally, drag a shortcut to the file into the "Startup" item of the host's "Start" menu. Each time you log on to the system, the target host then automatically runs the "e:\auto.bat" batch file to monitor changes in the sharing status of that host.
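The fc comparison used in sections 1 and 2 reports raw line differences; the following added example (not part of the original article) parses the saved net start and net share captures and reports exactly which services or shares appeared or disappeared. It assumes English-language command output, and the sample captures and the names in them are constructed.

```python
import re

def parse_net_start(text):
    """Service display names listed by `net start`."""
    # Names are the indented lines; header and footer start in column 0.
    return {ln.strip() for ln in text.splitlines()
            if ln.startswith(" ") and ln.strip()}

def parse_net_share(text):
    """Share names from the table printed by `net share`."""
    names, in_table = set(), False
    for ln in text.splitlines():
        if ln.startswith("----"):
            in_table = True          # rows begin after the dashed rule
        elif ln.startswith("The command completed"):
            break                    # footer (English-language output assumed)
        elif in_table and ln.strip() and not ln.startswith(" "):
            # Columns are separated by runs of spaces; indented lines are
            # wrapped continuations of a long share name and are skipped.
            names.add(re.split(r"\s{2,}", ln.rstrip())[0])
    return names

def diff(baseline, current):
    """Return (newly appeared, disappeared) as sorted lists."""
    return sorted(current - baseline), sorted(baseline - current)

# Constructed sample captures, not taken from a real host.
SERVICES_NORMAL = """These Windows services are started:

   DHCP Client
   Windows Event Log
   Windows Firewall

The command completed successfully.
"""
SERVICES_NOW = SERVICES_NORMAL.replace(
    "   Windows Firewall\n", "   Example Updater Service\n")
SHARES_OLD = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
The command completed successfully.
"""
SHARES_NEW = SHARES_OLD.replace("IPC$", "docs$        C:\\Users\\Public\nIPC$")

if __name__ == "__main__":
    print(diff(parse_net_start(SERVICES_NORMAL), parse_net_start(SERVICES_NOW)))
    print(diff(parse_net_share(SHARES_OLD), parse_net_share(SHARES_NEW)))
```

To use it on real captures, read the two files written by the redirects and pass their text to the parsers. A newly appeared share whose name ends in "$" is a hidden share.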

3. Monitor logon status changes

Some ill-behaved users may secretly log on to a system to peek at important private information while the computer's owner is away. Can we find a suitable way to automatically monitor users' logon behavior and report the results to the computer's owner? The answer is yes! In Windows Vista and later versions, we can enable the logon monitoring function to automatically monitor users' logon behavior. The specific procedure is as follows:

First, click "Start" and "Run" on the desktop of the target host to open the system's "Run" text box, and execute the "gpedit.msc" command. The Group Policy editor is displayed;

Next, move the cursor to the "Computer Configuration" branch in the list on the left of the editor, expand the "Administrative Templates", "Windows Components", and "Windows Logon Options" nodes under that branch, and double-click the Group Policy option "Display information about previous logons during user logon" under the target node. The properties window of that policy is displayed;

Check whether the "Enabled" option in the properties window is selected. If it is not, select it and click "OK" to save the setting, so that the target host supports the logon monitoring function from then on.

From then on, if an unauthorized user secretly logs on to the local system with the owner's account while the owner is temporarily away, the logon monitoring function of Windows records that logon. The next time the owner logs on to the system, the monitoring results are displayed, including the username and logon time used for the secret logon.

4. Monitor account status changes

For attack or surveillance purposes, attackers often secretly create malicious accounts in the background of a system so that they can later use those accounts to attack important hosts. To protect important host systems, we must find a way to promptly discover and delete malicious accounts. This is actually very simple: we can use the audit function of Windows to trigger an alarm automatically when an account is created. The specific steps are as follows:

First, audit the account creation events of the target host. By default, Windows does not monitor account creation; the system logs track and record account creation events only after auditing has been enabled for this operation. To enable it, open the Run text box of the target host and execute the "secpol.msc" command to bring up the Local Security Policy console;

Next, place the cursor on the "Security Settings" branch, expand the "Local Policies" and "Audit Policy" nodes under that branch, and double-click the "Audit account management" option under the target node to open the policy properties window (shown in Figure 3). Select the "Success" and "Failure" options in this window and click "OK" to save the settings;

Then click the "Start", "Settings", and "Control Panel" commands, and click the "User Accounts" icon in the Control Panel window. In the user account management window that appears, create a user account manually. After the account is created, open the Computer Management window of the target host and expand the "System Tools", "Event Viewer", "Windows Logs", and "System" nodes one by one. Under the target node we can see the record of the user account creation just performed;

Next, right-click the record and run the "Attach task to event" command from the shortcut menu to open the Add Task wizard. Follow the prompts in the wizard, set the name of the attached task, and select the appropriate task action. Here we select "Display message" as the alarm method and then set the alarm text, for example "someone has just created a malicious account, please check it in time", and click "Finish" to complete the attached task. From then on, once someone secretly creates a malicious account on the target host, the screen automatically displays the alarm "someone has just created a malicious account, please check it in time", so that we can quickly take measures to deal with it.
