Windows 2000 security audits give intruders nowhere to hide

Source: Internet
Author: User

As a network administrator, do you know what is happening on your host or server: who has visited it, what they did, and for what purpose? You don't know! In fact, Windows 2000 provides a security audit function, and for those of us who work as administrators it is the function we most need to be familiar with; otherwise, how can you manage the system? Security audits record several kinds of security-related events as logs, which you can use to build a profile of regular activity, identify and track suspicious events, and retain valid legal evidence of an intruder's activities.

Enable the Audit Policy

A default installation of Windows 2000 does not enable any security auditing, so you need to turn on the appropriate audit categories under [My Computer]→[Control Panel]→[Administrative Tools]→[Local Security Policy]→[Audit policy]. The system provides nine types of events that can be audited, and for each category you can specify whether to audit success events, failure events, or both.

Policy change: Changes to security policy, including privilege assignment, audit policy modification, and trust relationship modification. This category must also audit its success or failure events.

Logon events: Interactive logons or network connections to the local computer. This category must audit both its success and failure events.

Object access: This category must be enabled before specific objects can be audited. Its failure events need to be audited.

Process tracking: Detailed tracking of process invocations, duplicated process handles, and process terminations. Enable it as needed.

Directory service access: Logs access to Active Directory. Its failure events need to be audited.

Privilege use: The use of a privilege or the assignment of a special privilege. Its failure events need to be audited.

System events: Security-related events (such as system shutdown and restart) and events that affect the security log. This category must audit both its success and failure events.

Account logon events: Validation of accounts (account validity) that access the local computer over the network. This category must audit both its success and failure events.
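The settings above can be checked on a host rather than read off the dialog. The following is an added example, not part of the original article: it assumes the local policy has been exported as a security template (for instance with `secedit /export /cfg`), reads the `[Event Audit]` section, and reports which categories audit less than the list above asks for. The baseline table, function names and sample text are constructed for illustration, and the policy-change requirement is read as both success and failure.

```python
import configparser

# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both.
SUCCESS, FAILURE = 1, 2
# Bits the article asks for. Process tracking is "as needed", so not enforced.
BASELINE = {
    "AuditPolicyChange": SUCCESS | FAILURE,  # assumption: read as both
    "AuditLogonEvents": SUCCESS | FAILURE,
    "AuditObjectAccess": FAILURE,
    "AuditDSAccess": FAILURE,
    "AuditPrivilegeUse": FAILURE,
    "AuditSystemEvents": SUCCESS | FAILURE,
    "AuditAccountLogon": SUCCESS | FAILURE,
}
# Constructed sample template, not taken from a real host.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditDSAccess = 2
AuditAccountLogon = 3
"""

def parse_event_audit(inf_text):
    """Return {setting: int} from the [Event Audit] section of the template."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       allow_no_value=True, delimiters=("=",))
    parser.optionxform = str  # keep key case as written
    parser.read_string(inf_text)
    if not parser.has_section("Event Audit"):
        return {}
    return {k: int(v) for k, v in parser.items("Event Audit")
            if v and v.strip().isdigit()}

def audit_gaps(inf_text):
    """Map each baseline setting to the outcomes it fails to audit."""
    configured = parse_event_audit(inf_text)
    gaps = {}
    for key, required in BASELINE.items():
        missing = required & ~configured.get(key, 0)  # absent key = not audited
        if missing:
            gaps[key] = [name for bit, name in ((SUCCESS, "success"), (FAILURE, "failure"))
                         if missing & bit]
    return gaps

if __name__ == "__main__":
    print(audit_gaps(SAMPLE_EXPORT))
```

Exported templates are normally Unicode files, so read the file with `encoding="utf-16"` before passing its text to `audit_gaps`.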


