Knowing Early When an Account Has Been Changed on Windows Server 2008

Source: Internet
Author: User
Tags: bind

Many network viruses and Trojan programs, after attacking a system, quietly modify the system's login accounts in order to hide the traces of the attack. To protect the system effectively, we need a way to drag these hidden viruses and Trojans out of the system promptly, so how can we learn at the first moment that a user account in the system has been secretly modified? This is easy to do with professional security tools, but in a Windows Server 2008 environment we can capture the event of an account being tampered with even without such tools: we only need the newly added feature of the Windows Server 2008 Event Viewer that lets us bind a task to an event, and we will know at the first moment that a user account in the system has been secretly modified.

Tracking account tampering

As you know, in older versions of Windows we often used Event Viewer to log the events that affect system security and then analysed the security log carefully to find hidden security risks on the local system. Unfortunately, Event Viewer in those older versions could only record operations that posed a security threat; it could not send alert information to the system administrator promptly, so the administrator could not learn at the first moment that the local system was under threat. In Windows Server 2008, Event Viewer is considerably more capable: the system administrator can bind a scheduled task to a specific system event, and whenever that event occurs in the future, the bound task is triggered automatically.

With this feature we can track account tampering in time by binding an automatic alarm task to the account-modification event. Once the event occurs, the alarm task is triggered, and when we hear the alarm we know at the first moment that some user account in the system has been secretly modified. Following this analysis, we will first modify the audit policy of the Windows Server 2008 system so that it audits account management events, ensuring that Event Viewer automatically records the operation of a user account being modified. Next we manually trigger an account-modification event and attach the automatic alarm task to that event. From then on, whenever a user account in the Windows Server 2008 system is secretly modified, the alarm task runs as a matter of course; on receiving the alarm, the system administrator knows that an account in the system has been tampered with, can immediately take targeted measures to find the security risk, and can eliminate the hidden danger at the first moment.

Auditing account management events

By default, even if we change the name of a system user account, no corresponding record appears in the system's Event Viewer. Why? Because Windows Server 2008 does not record user account modification operations by default; we must change the system's audit policy so that Event Viewer records the events in which a user account has been modified. To audit account management events, follow these steps:

First, log on to the Windows Server 2008 system as a system administrator, click Start/Run on the desktop, type the command "Gpedit.msc" into the Run box that appears, and click OK to open the Group Policy editor window;

Next, in the left pane of the editor window, expand the Computer Configuration node, then expand the Windows Settings/Security Settings/Local Policies/Audit Policy subkeys in turn. Under the Audit Policy subkey, locate the target Group Policy setting "Audit account management", right-click it, choose Properties from the shortcut menu, and the property settings window of the target Group Policy setting opens as shown in Figure 1.

In this property settings window, on the Local Security Setting tab, select the Success option and click OK, so that the Windows Server 2008 system audits successful user account modification events. In the same way, we can also select Failure, so that Event Viewer automatically records failed attempts to modify user accounts as well.
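The same configuration can be done from the command line rather than through gpedit.msc. The following PowerShell script is an added example and is not part of the original article: it enables Success and Failure auditing for the account management subcategory, verifies the setting, lists the account-change events the Security log records once auditing is on, and then performs the alarm-binding step the article describes in the previous section (binding a task to the "account changed" event) using the ONEVENT trigger of schtasks. It assumes an elevated PowerShell 3.0 or later session on Windows Server 2008 R2 or newer; the task name and the alert script path are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): audit account management
# events and bind an alert task to them from PowerShell.
# Assumes an elevated PowerShell 3.0+ session on Windows Server 2008 R2 or later.
# Task name and alert script path below are assumptions for illustration.

# 1. Enable Success and Failure auditing for the "User Account Management"
#    subcategory, the per-subcategory form of the "Audit account management"
#    policy shown in Figure 1.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Verify that the setting took effect.
auditpol /get /subcategory:"User Account Management"

# 2. Security event IDs written when a user account is created, changed,
#    renamed or deleted once this subcategory is audited.
$accountEventIds = @{
    4720 = 'A user account was created'
    4722 = 'A user account was enabled'
    4724 = 'An attempt was made to reset an account''s password'
    4725 = 'A user account was disabled'
    4726 = 'A user account was deleted'
    4738 = 'A user account was changed'
    4781 = 'The name of an account was changed'
}

# List matching events from the last 24 hours, with the operator and the
# target account pulled out of each event's XML payload.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$accountEventIds.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        EventId     = $_.Id
        Description = $accountEventIds[$_.Id]
        Operator    = $data['SubjectUserName']
        Target      = $data['TargetUserName']
        NewName     = $data['NewTargetUserName']   # present only for 4781 (rename)
    }
} | Format-Table -AutoSize

# 3. Bind an alert task to the "account changed" and "account renamed" events,
#    the command-line equivalent of the Event Viewer "attach task" feature.
#    The XPath in /MO selects those Security log entries; the action runs an
#    assumed alert script (write it to send mail, play a sound, etc.).
$alertScript = 'C:\Scripts\Alert-AccountChange.ps1'   # assumed path
$taskName    = 'AlertOnAccountChange'                  # assumed task name
$xpath       = '*[System[Provider[@Name=''Microsoft-Windows-Security-Auditing''] and (EventID=4738 or EventID=4781)]]'
schtasks /Create /TN $taskName /RU SYSTEM /SC ONEVENT /EC Security /MO $xpath `
    /TR "powershell.exe -NoProfile -File `"$alertScript`"" /F
```

Two practical points: on systems where any advanced (per-subcategory) audit setting is configured, the subcategory settings override the legacy category setting chosen in gpedit.msc, so check `auditpol /get` rather than trusting the Group Policy dialog alone; and because the task is keyed to event IDs, renaming an account (4781) and other attribute changes (4738) both fire the alarm, while a failed attempt is only logged if the Failure option was enabled as the article describes.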
