This article describes the running mode, log types, and event types of the Event Viewer, and walks through a worked Event Viewer case from server security maintenance. We believe it will be a useful reference for security maintenance personnel looking after a system.
1. Open and view the three types of logs in the Event Viewer
In Run, enter eventvwr.msc to open the Event Viewer directly. Click System in the window, as shown in Figure 1. Clicking the Type column header on the right sorts the entries, and you can see that there are several types of entries, such as Warning and Error.
2. View detailed information about system error records
Select an Error record and double-click it to open its event properties. Figure 2 shows that this event records an attack. The event description is:
An anonymous session connected from 211.99.226.9 tries to open an LSA policy handle on this computer. The attempt is denied by STATUS_ACCESS_DENIED to prevent leakage of sensitive information to anonymous callers.
The application for this attempt needs to be corrected. Contact the application supplier. As a temporary solution, this security measure can be disabled by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD to 1. This message can be recorded at most once a day.
Note: This description indicates that the computer with the IP address "211.99.226.9" is attacking the server.
3. Fix system vulnerabilities as prompted
Based on the description, open the Registry Editor, navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, create a DWORD value named TurnOffAnonymousBlock under it, and set the value to 1, as shown in Figure 3. Bear in mind that, as the event text itself says, this value disables the anonymous-block check as a temporary measure: it stops the message from being logged, not the probing from the source address, which still needs to be followed up as described in section 4.
NOTE: If the event properties offer no solution, then besides searching Google you can track down the error information to find a proper solution in two ways:
(1) The Microsoft Knowledge Base. A Knowledge Base article is made up of official Microsoft documentation and technical articles written by Microsoft MVPs, and mainly covers problems and faults in Microsoft products. When a bug or error-prone point in a Microsoft product is discovered, a corresponding KB article analyzes the error and its solution. The Knowledge Base address is http://support.microsoft.com. In the "Search (Knowledge Base)" box on the left of the page, enter the relevant keywords, such as the event source and event ID. Entering keywords from the detailed description also works well, and if the log contains an error number, search for that number.
(2) Query through the Eventid.net website
There is actually a better place to look up solutions for error events: the Eventid.net website, at http://www.eventid.net. This website is run by many Microsoft MVPs (Most Valuable Professionals) and contains solutions for almost all system events. After opening the website, click the Search Events link to display the event search page, enter the Event ID and Event Source as prompted, and click the Search button. Eventid.net will find all relevant resources and solutions. Most importantly, these solutions are completely free. Paying Eventid.net users get additional services, such as direct access to the set of Knowledge Base articles for an event.
4. Review the audit records
Since an anonymous LSA enumeration appeared, there will certainly be logon records as well, as shown in Figure 4. Click Security, open the event properties, and look at the Failure Audit entries first: you can see the audit information for multiple failed connections from the IP address 211.99.226.9. Note that these records only appear in the Event Viewer if auditing has been configured in the security policy; by default they are not recorded, and they are written only after auditing is enabled. Then go through the Success Audit logon records in turn. If you find that this IP address has logged on successfully, you also need to perform a thorough security check on the system, including changing the logon password and checking whether the attacker left a backdoor on the system. In this example, the main event is that the host with the IP address 211.99.226.9 is performing a password-guessing scan against the server. After applying the setting given in the event properties, the security risk from the anonymous enumeration can be resolved.
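The check described in this section, written up as an added example that is not part of the original article: it reads constructed, simplified Security-log export lines, counts failure and success audits per source address, and flags a source that failed repeatedly and then logged on successfully, which is the case the text says warrants a full system check. The comma-separated column layout and the classic 528/529 logon event IDs in the sample are assumptions, not a real Event Viewer export.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified "time,type,event,description" layout
# (an assumption; not the exact column layout of a real Event Viewer export).
# The source address sits inside the description, as in the page's LSA event text.
SAMPLE_LOG = """\
2008-03-12 09:11:02,Failure Audit,529,Logon Failure: bad password. Source Network Address: 211.99.226.9
2008-03-12 09:11:03,Failure Audit,529,Logon Failure: bad password. Source Network Address: 211.99.226.9
2008-03-12 09:11:04,Failure Audit,529,Logon Failure: bad password. Source Network Address: 211.99.226.9
2008-03-12 09:11:05,Failure Audit,529,Logon Failure: bad password. Source Network Address: 211.99.226.9
2008-03-12 09:11:06,Failure Audit,529,Logon Failure: bad password. Source Network Address: 211.99.226.9
2008-03-12 09:12:40,Success Audit,528,Successful Logon: administrator. Source Network Address: 211.99.226.9
2008-03-12 09:30:00,Success Audit,528,Successful Logon: backup. Source Network Address: 192.168.1.20
2008-03-12 09:31:10,Failure Audit,529,Logon Failure: bad password. Source Network Address: 192.168.1.20
"""

IP_RE = re.compile(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def summarize_by_source(log_text):
    """Count failure and success audits per source address, walking the log in order
    so that a success that comes after earlier failures from the same address is noted."""
    stats = defaultdict(lambda: {"failures": 0, "successes": 0, "success_after_failures": False})
    for line in log_text.splitlines():
        parts = line.split(",", 3)  # keep commas inside the description intact
        if len(parts) < 4:
            continue  # blank or malformed line
        _time, audit_type, _event_id, description = parts
        match = IP_RE.search(description)
        if not match:
            continue  # local or service logon without a network source; out of scope here
        entry = stats[match.group(1)]
        if audit_type == "Failure Audit":
            entry["failures"] += 1
        elif audit_type == "Success Audit":
            entry["successes"] += 1
            if entry["failures"] > 0:
                entry["success_after_failures"] = True
    return dict(stats)


def suspicious_sources(stats, min_failures=5):
    """Addresses with a burst of failed logons; any of them whose
    success_after_failures flag is set should trigger the full check in section 4."""
    return {ip: e for ip, e in stats.items() if e["failures"] >= min_failures}


if __name__ == "__main__":
    for ip, entry in suspicious_sources(summarize_by_source(SAMPLE_LOG)).items():
        print(ip, entry)
```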