Experimental background
Windows servers on a network are attacked frequently. When something abnormal happens on a server, the administrator needs to respond quickly: locate the service that was broken into, work out which method the attacker used, find the weak point in the system and patch it. The logging tools that Windows Server provides help with all of these tasks.
Windows keeps three logs: the application log, the system log and the security log. The security log is different from the other two in that it only receives events for the categories the audit policy has enabled; if the system is not auditing an event category, those events are never written, so by default the log may contain nothing useful about an attack.
Experimental target
Understand the structure of the Windows logging system
Be able to set the audit policy as needed
Be able to audit account activity (logons and logon failures)
Be able to choose audit settings that match different application requirements
Experimental environment
Server: Windows Server 2003
Client: Windows
Experimental process Guidance
(1) Open Local Security Policy from Administrative Tools
(2) Under Local Policies, open Audit Policy and enable the categories that need to be audited
(3) Set "Audit logon events" to audit both success and failure
(4) Set "Audit object access" to audit both success and failure so that directory access is recorded (object access events are only generated for a directory that also has an auditing entry (SACL) in its security properties)
(5) After choosing and applying the audit options, test the result in two ways (in the lab network only):
A. From the client, enumerate user names and passwords against the server over the remote desktop port, 3389
B. At the server console, try to guess the administrator password
(6) Log on as the administrator with the correct password and open the security log in Event Viewer
(7) Review the logon failure events (on Windows Server 2003 a failed logon with a bad user name or password is event ID 529 and a successful logon is 528; logon type 10 marks a Terminal Services/RDP session and the "Source Network Address" field gives the client IP address)
(8) Answer the following questions from the experiment
A. Which users, from which IP addresses, scanned the server
B. Which user names were guessed
C. Which users logged on to this machine successfully
D. From which IP addresses did the cracking attempts fail
E. How to detect and prevent enumeration attacks (for example an account lockout policy, restricting port 3389 to known client addresses, and strong administrator passwords)
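The review in steps 6 to 8 can be done by hand in Event Viewer, but the questions are easier to answer reliably if the security log is exported and processed. The following Python script is an added example, not part of the original lab; it works on a constructed, simplified CSV rendering of security log records (the field names, the 528/529 event IDs and logon type 10 follow Windows Server 2003, but the rows and the ENUM_THRESHOLD value are assumptions made for the example) and answers questions A to D. It also flags a success that follows failures from the same source, which is the pattern of a guessed password rather than a mistyped one.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample (not a real export): a simplified CSV rendering of
# Security log records with the fields the lab questions need. Event IDs
# follow Windows Server 2003: 528 = successful logon, 529 = logon failure
# (unknown user name or bad password). Logon type 10 is a Terminal Services
# (RDP, port 3389) logon; type 2 is a local console logon, for which the
# Source Network Address field is empty ("-").
SAMPLE_EXPORT = """\
date,time,event_id,user,logon_type,source_ip
2003-06-01,10:00:01,529,administrator,10,192.0.2.10
2003-06-01,10:00:02,529,admin,10,192.0.2.10
2003-06-01,10:00:03,529,root,10,192.0.2.10
2003-06-01,10:00:04,529,administrator,10,192.0.2.10
2003-06-01,10:00:05,529,guest,10,192.0.2.10
2003-06-01,10:01:10,529,administrator,10,198.51.100.7
2003-06-01,10:01:20,528,administrator,10,198.51.100.7
2003-06-01,10:02:00,529,administrator,2,-
2003-06-01,10:02:05,528,administrator,2,-
2003-06-01,10:03:00,528,backup,10,203.0.113.5
"""

EVENT_LOGON_SUCCESS = "528"
EVENT_LOGON_FAILURE = "529"
# Number of failures from one source that we treat as an enumeration
# attempt; this threshold is an assumption for the example.
ENUM_THRESHOLD = 3


def parse_export(text):
    """Parse the CSV export into a list of dicts, one per event, in log order."""
    return list(csv.DictReader(io.StringIO(text)))


def analyze(events):
    """Answer the lab's questions A-D from the parsed Security log events."""
    failures_by_ip = Counter()
    names_by_ip = defaultdict(set)
    successes = []              # (user, source_ip) in log order
    success_after_failure = []  # successes preceded by failures from the same source
    for e in events:
        ip, user = e["source_ip"], e["user"].lower()
        if e["event_id"] == EVENT_LOGON_FAILURE:
            failures_by_ip[ip] += 1
            names_by_ip[ip].add(user)
        elif e["event_id"] == EVENT_LOGON_SUCCESS:
            successes.append((user, ip))
            # Counter returns 0 for an unseen key without inserting it.
            if failures_by_ip[ip]:
                success_after_failure.append((user, ip))
    scanners = {ip: sorted(names_by_ip[ip])
                for ip, n in failures_by_ip.items() if n >= ENUM_THRESHOLD}
    guessed = sorted(set().union(*names_by_ip.values()))
    return {
        "scanning_ips": scanners,                        # A: who scanned, from where
        "guessed_usernames": guessed,                    # B: user names that were tried
        "successful_logons": successes,                  # C: who logged on successfully
        "failed_ips": sorted(failures_by_ip),            # D: sources with failed attempts
        "success_after_failure": success_after_failure,  # guessed, then logged on
    }


def report(text=SAMPLE_EXPORT):
    """Parse and analyze an export; defaults to the constructed sample."""
    return analyze(parse_export(text))


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample, 192.0.2.10 is reported as the scanning address with four user names tried, and the administrator logon from 198.51.100.7 is flagged because it follows a failure from the same client. A real export needs the Source Network Address mapped into the source_ip column; local console logons carry no address and appear as "-".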