Strengthening the network security controls of the computer

Source: Internet
Author: User
Tags: iis, system, log, server, port


First, on-site analysis: looking for security risks

One unit's IIS server was attacked late one night. The network administrator on duty, Xiao Wang, found that the IIS server had stopped working and immediately telephoned Lao Zhang, an experienced senior network security engineer. When Lao Zhang arrived at the IIS server the next morning, it did not take him long to work out how the server had been attacked, and along the way he found other security weaknesses in the system. The reason Lao Zhang could find these so quickly was that he made good use of the logging features of the server system itself.

Before attacking a target IIS server, an attacker usually spends some effort collecting information about it and running professional scanning tools against it to look for an exploitable weakness. With logging in its default state, the target IIS server records the actions taken against it in the specified log files: the Windows event logs record logon attempts, service starts and stops and (subject to the audit policy) object access, while the IIS web logs record every request together with the client IP address, the user name, the requested path and the status code. A port scan as such is not recorded by either of these; it shows up only in a firewall log. By reading these records carefully we can often tell whether the local IIS server is at risk.

To view the log files of the local system, click Start/Settings/Control Panel, double-click the Administrative Tools icon in the Control Panel window, and then double-click Event Viewer in the Administrative Tools window (or run eventvwr.msc directly). This opens the Event Viewer window for the local system, as shown in the following illustration.

In the left pane of the window we see that the logs consist mainly of three types: the Security log, the System log and the Application log. Select one of them with the mouse and the right pane lists all of its records; double-click a record to see its details in the properties dialog that pops up. From the content of a record we can see directly what happened to the server system and when. Note that the Security log is only populated for the categories enabled in the audit policy (Local Security Policy / Audit Policy), so check that logon and object-access auditing are actually turned on before relying on it.

By analysing the IIS server's log files we can see the audit records of every visitor's activity on the server, and by looking at the pattern of that activity we can find out what security risks the local IIS server carries. For a web server the IIS logs themselves (by default under %SystemRoot%\system32\LogFiles\W3SVCn, where n is the site ID) are often more telling than the event logs, because every request, including those made by a scanner, is written there with the client address and the status code.

However, after attacking the target IIS server, some intruders try to find a way to empty the various log files of the IIS server so that the traces they left behind during the attack are wiped clean. If they succeed, the network administrator cannot quickly find the server's security problems from its log files. Effective protection of the IIS server's log files is therefore a great help both in tracing the security of the system and in identifying the intruder. Clearing the Security log is itself audited: on Windows 2000/2003 it produces event ID 517 ("The audit log was cleared"), on Windows Vista/2008 and later event ID 1102, and a Security log that contains nothing but that event is a strong sign of tampering. The most reliable protection is to copy or forward the log files to a separate machine regularly, so that deleting them on the server does not destroy the only copy.

If a server log file has been deleted, we can try to recover it with a professional data-recovery tool, because deleting the logs is usually the intruder's last action on the IIS server and they rarely perform further operations afterwards. Once a log file has been deleted, we must therefore avoid writing anything to the server's disks (installing tools, creating files, or leaving the system to run normally for long) until the recovery tool has had its chance, because new writes can overwrite the disk blocks that held the deleted file.

In addition, if the IIS server has been running for a long time and the site's traffic is heavy, the automatically generated log files can become very large, and analysing them with the method above becomes tedious and error-prone. In that case we need a professional log analysis tool, or at least the Windows "find" (or findstr) command-line utility, to filter the records down to what matters.

Sometimes the IIS server's own log files are not enough to identify a particular security problem, and we can turn to the logs of other software for further screening. For example, when a suspicious event or object turns up in the IIS server's logs, record the time it occurred and pull out every record from every log type around that time; then examine the firewall's log files or the Serv-U log files for the same period, which often makes the specific risk easy to pin down. When comparing timestamps across sources, remember that IIS writes its W3C logs in UTC by default while the Windows event logs and most other programs use local time.
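The following is an added example and not code from the original article. It carries out the screening described in this section in one script: it parses IIS W3C extended log lines and Windows Firewall (pfirewall.log) lines, both of which name their columns in a "#Fields:" header, flags a client that produces a burst of 404 responses (what a path-scanning tool leaves behind in the web log), and then pulls that client's firewall records from the minutes around the burst, which is the time-window correlation the text recommends. It also serves the earlier point about large logs, since the same filtering works on a file of any size. All log lines, addresses, paths and ports are constructed sample data; the script assumes both sources use the same clock.

```python
"""
Added example (not from the original article): screen an IIS W3C log for a
path-scanning burst and correlate it with a Windows Firewall log.  Every
log line, address, path and port below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS 6.0-style W3C log.  Real IIS logs use UTC by default; this
# example assumes both log sources share one clock (constructed data).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-10 02:10:00
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2005-03-10 02:10:05 192.168.1.10 GET /index.htm - 10.0.0.7 Mozilla/4.0+(compatible) 200
2005-03-10 02:11:01 192.168.1.10 GET /admin/ - 203.0.113.5 Scanner/1.0 404
2005-03-10 02:11:01 192.168.1.10 GET /scripts/ - 203.0.113.5 Scanner/1.0 404
2005-03-10 02:11:02 192.168.1.10 GET /_vti_bin/ - 203.0.113.5 Scanner/1.0 404
2005-03-10 02:11:02 192.168.1.10 GET /cgi-bin/ - 203.0.113.5 Scanner/1.0 404
2005-03-10 02:11:03 192.168.1.10 GET /iisadmin/ - 203.0.113.5 Scanner/1.0 404
2005-03-10 02:11:03 192.168.1.10 GET /printers/ - 203.0.113.5 Scanner/1.0 404
2005-03-10 02:12:30 192.168.1.10 GET /missing.htm - 10.0.0.7 Mozilla/4.0+(compatible) 404
2005-03-10 02:15:00 192.168.1.10 GET /news.htm - 10.0.0.7 Mozilla/4.0+(compatible) 200
"""

# Constructed Windows Firewall log (pfirewall.log layout, local time).
FW_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-10 02:10:40 DROP TCP 203.0.113.5 192.168.1.10 4211 21 48 S 1001 0 65535 - - - RECEIVE
2005-03-10 02:10:41 DROP TCP 203.0.113.5 192.168.1.10 4212 23 48 S 1002 0 65535 - - - RECEIVE
2005-03-10 02:10:42 DROP TCP 203.0.113.5 192.168.1.10 4213 139 48 S 1003 0 65535 - - - RECEIVE
2005-03-10 02:10:43 DROP TCP 203.0.113.5 192.168.1.10 4214 445 48 S 1004 0 65535 - - - RECEIVE
2005-03-10 02:10:44 DROP TCP 203.0.113.5 192.168.1.10 4215 3389 48 S 1005 0 65535 - - - RECEIVE
2005-03-10 02:10:50 OPEN TCP 203.0.113.5 192.168.1.10 4216 80 - - - - - - - - RECEIVE
2005-03-10 02:10:52 DROP TCP 198.51.100.9 192.168.1.10 5100 445 48 S 2001 0 65535 - - - RECEIVE
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # A truncated or edited line is worth knowing about, not skipping.
            raise ValueError("field count mismatch: %r" % line)
        rec = dict(zip(fields, values))  # missing values appear as '-'
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_scanners(records, threshold=5, window=timedelta(minutes=1)):
    """Return {c-ip: first timestamp} for clients with >= threshold 4xx
    responses inside one sliding window of length `window`."""
    by_ip = defaultdict(list)
    for r in records:
        if r["sc-status"].startswith("4"):
            by_ip[r["c-ip"]].append(r["ts"])
    scanners = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                scanners[ip] = times[i]
                break
    return scanners


def correlate(fw_records, ip, anchor, before=timedelta(minutes=2), after=timedelta(minutes=2)):
    """Firewall records with src-ip == ip inside [anchor - before, anchor + after]."""
    return [r for r in fw_records
            if r["src-ip"] == ip and anchor - before <= r["ts"] <= anchor + after]


def report(iis_text=IIS_LOG, fw_text=FW_LOG):
    """Map each flagged client to its first burst time, 4xx count and the
    ports the firewall saw it probe around that time."""
    iis = list(parse_w3c(iis_text))
    fw = list(parse_w3c(fw_text))
    findings = {}
    for ip, first in find_scanners(iis).items():
        hits = correlate(fw, ip, first)
        findings[ip] = {
            "first_404_burst": first,
            "error_count": sum(1 for r in iis if r["c-ip"] == ip and r["sc-status"].startswith("4")),
            "probed_ports": sorted({int(r["dst-port"]) for r in hits if r["action"] == "DROP"}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in report().items():
        print(ip, "burst at", f["first_404_burst"], "4xx:", f["error_count"],
              "ports probed before it:", f["probed_ports"])
```

On the constructed data the script names 203.0.113.5 as the only scanner and shows that the same address had connection attempts to ports 21, 23, 139, 445 and 3389 dropped by the firewall in the minute before its 404 burst, while the legitimate client 10.0.0.7 with a single 404 is not flagged. To use it on real files, read the IIS log and pfirewall.log into the two string arguments of report() and adjust the clocks for the UTC offset first.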

Second, remote tracking: finding the intruder

After work in the afternoon I checked, as usual, the operating status of the unit's file server, and during the inspection I found that some important data on the file server had been stolen by an intruder. In order to stop the intruder from continuing to attack the unit's file server, I immediately contacted the network administrator Xiao Wang, who was away, and asked him to find a way to solve this security problem.

Network administrator Xiao Wang suggested looking carefully at the file server's log, but I could not see anything in the log file. After some discussion, network administrator Xiao Wang decided to try viewing the file server's log files by remote management, and after his remote tracking the intruder was finally exposed. This article now retraces the specific process by which network administrator Xiao Wang viewed the log files remotely, for readers' reference.

To view the log files of the server system remotely by this method, we must first install the remote administration component, which is not installed by default. Because this component exposes a web-based administration interface on the server, access to it should be restricted to the administrators' own addresses. The Remote Administration component is installed as follows:

First log on to the server system with administrator privileges, click Start/Settings/Control Panel on the desktop, double-click the Add or Remove Programs icon in the Control Panel window, and then click Add/Remove Windows Components in the window that appears. This opens the Windows Components Wizard dialog box (as shown in the following illustration);

Next select the Application Server item in the wizard dialog box and click the Details button beneath it. In the dialog that appears, check whether Internet Information Services (IIS) is selected; if it is not, select it (as shown in the following figure). Then click Details again and, in the next dialog, select World Wide Web Service.
