Event Viewer-related knowledge
1. Event Viewer
Event Viewer is the Microsoft Windows tool for reading the system's event logs. It lets you view information about hardware, software and system problems and monitor security events on the operating system. There are three ways to open Event Viewer:
(1) Click Start - Settings - Control Panel - Administrative Tools - Event Viewer to open the Event Viewer window.
(2) Type "%systemroot%\system32\eventvwr.msc /s" in the "Run" dialog box to open the Event Viewer window.
(3) Type "eventvwr" or "eventvwr.msc" in the "Run" dialog box to open Event Viewer directly.
2. Log types recorded in Event Viewer
Event Viewer records three types of logs:
(1) Application log
Contains events logged by applications and by system programs; it mainly records what happens while a program runs. A database program, for example, may record file errors in the application log, and program developers decide which events their programs record. If an application crashes, the corresponding record in the application log may help you find the cause.
(2) Security log
Records events such as valid and invalid logon attempts, and events related to resource use such as creating, opening or deleting files or other objects. The system administrator specifies which events are recorded in the security log. No security auditing is enabled by default, so the security log stays empty until an administrator enables an audit policy (through Group Policy or Local Security Policy). An administrator can also configure the system, through the CrashOnAuditFail value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, to halt when the security log is full, so that no audited event goes unrecorded.
(3) System log
Records events logged by Windows (XP) system components, for example a driver or other system component that fails to load during startup; system components write to the system log by default. If the computer is configured as a domain controller, Event Viewer also shows a Directory Service log and a File Replication Service log, and if it is configured as a Domain Name System (DNS) server it also shows a DNS Server log. The Event Log service (EventLog) starts automatically at boot. All users can view the application and system logs, but only administrators can read the security log.
Event Viewer records five kinds of events; the icon to the left of each entry shows how the operating system classifies it. The event types are:
(1) Error: A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an error is logged.
(2) Warning: An event that is not necessarily significant but may indicate a future problem. For example, when disk space is low, a warning is logged.
(3) Information: An event that describes the successful operation of an application, driver or service. For example, when a network driver loads successfully, an information event is logged.
(4) Success audit: An audited security access attempt that succeeded. For example, a user's successful logon to the system is recorded as a success audit.
(5) Failure audit: An audited security access attempt that failed. For example, a user's unsuccessful attempt to access a network drive is recorded as a failure audit.
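As an added example that is not from the original article, the following PowerShell script sorts the events of a log into these five types using Get-WinEvent (Windows Vista / Server 2008 or later; reading the Security log needs an elevated prompt, since only administrators can access it). Error, Warning and Information come from the event's Level; the two audit types come from the AuditSuccess and AuditFailure keyword bits that security events carry. The log name and time window are parameters chosen for illustration.

```powershell
# Added example, not from the original article. Maps events read with
# Get-WinEvent onto the five classic Event Viewer types.

function Get-EventViewerType {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)

    # Audit events are marked by keyword bits rather than by Level.
    $auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
    $auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
    $keywords = [long]($Event.Keywords)   # Keywords is nullable; null becomes 0

    if (($keywords -band $auditSuccess) -ne 0) { return 'Success Audit' }
    if (($keywords -band $auditFailure) -ne 0) { return 'Failure Audit' }

    # Level: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 0 = LogAlways.
    switch ($Event.Level) {
        { $_ -eq 1 -or $_ -eq 2 } { return 'Error' }
        3                         { return 'Warning' }
        default                   { return 'Information' }
    }
}

# Count the events of each type in one log over the last $Hours hours.
function Get-LogTypeSummary {
    param([string]$LogName = 'System', [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Get-WinEvent reports an error when nothing matches; suppress it.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue
    $events |
        Group-Object { Get-EventViewerType $_ } |
        Select-Object @{ n = 'Type'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

# The most recent Error (and Critical) entries, one line of message each.
function Get-RecentErrors {
    param([string]$LogName = 'System', [int]$Hours = 24, [int]$Max = 10)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since; Level = 1, 2 } -ErrorAction SilentlyContinue |
        Select-Object -First $Max TimeCreated, Id, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

Get-LogTypeSummary -LogName System
Get-LogTypeSummary -LogName Security        # administrators only
Get-RecentErrors   -LogName System | Format-Table -AutoSize
```

The Security summary is the quick way to see whether auditing is enabled at all: if an audit policy has never been set, the log is empty and the summary returns nothing.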
Second, a server security maintenance example
1. Open and view the three types of logs in Event Viewer
Type eventvwr.msc in the Run dialog box to open Event Viewer directly, click System in the left pane, and click the Type column header in the right pane to sort by type; the entries are then grouped by type, such as Warning and Error.
2. View the details of a system error record
Select the error record and double-click it to open the event properties. In this example the event turns out to be an attack, and its description reads:
An anonymous session connected from 211.99.226.9 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security-sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day.
Description: This tells you that a computer with IP address 211.99.226.9 connected to this server over an anonymous (null) session and tried to open an LSA policy handle, which is a way of enumerating security-sensitive information such as account names and policy settings, and that the server denied the attempt.
3. Respond to the event as prompted, but read the prompt carefully
The "workaround" in the description is meant for a legitimate application that stopped working when anonymous LSA access was blocked: creating the DWORD value TurnOffAnonymousBlock under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa in Registry Editor and setting it to 1 switches the block off. For an unsolicited connection from an outside address such as 211.99.226.9 the block did exactly what it should, so this value must not be set; if it already exists with the value 1, delete it or set it to 0 so that anonymous callers keep being denied. The appropriate responses here are to block the source address at the firewall and to restrict anonymous access further through the RestrictAnonymous value under the same Lsa key.
Note: If the event properties do not give a solution, use the error message to trace one. There are generally two ways:
(1) The Microsoft Knowledge Base. Knowledge Base articles are written by Microsoft and by Microsoft MVPs and mainly address problems and failures in Microsoft products; when a bug or a common error in a Microsoft product is found, there is usually an article analysing the error and its solution.
(2) The Eventid.net website. For system event solutions there is in fact a better place: Eventid.net, maintained by a number of Microsoft MVPs (Most Valuable Professionals), which covers almost every system event and its solutions.
4. Cross-check the other logs
Where there is anonymous enumeration of the LSA there are usually logon attempts as well, so click Security and review the event properties there. Start with the failure audits: in this example they show repeated failed connections from the IP address 211.99.226.9. Note that logon auditing is not enabled by default; the security log only contains these records if auditing of logon events has been enabled in the security policy. Then review the success audits in turn. If the same IP address appears in a successful logon, a thorough security check is required: change the logon passwords and look for any backdoor the attacker may have left while on the system. In this example the main event is that the server is being scanned and password-attacked from 211.99.226.9. The anonymous LSA enumeration itself was already blocked, as the event description states; the correct response is to leave that block in place (do not set TurnOffAnonymousBlock), block the source address at the firewall and follow up on the logon audits.
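The review in steps 2 to 4 above can be automated. The following PowerShell script is an added example, not code from the original article: it pulls the blocked anonymous LSA connections from the System log, extracts the remote address from each description, looks for failed and successful logons from that address in the Security log, and finally checks that the block has not been switched off in the registry. Assumptions, labelled in the code: 'LsaSrv' as the provider name of the System-log event, and the logon event IDs (528/540 success and 529 failure on Windows 2000/XP/2003; 4624 success and 4625 failure on Vista and later). Get-WinEvent requires Vista / Server 2008 or later; run from an elevated Windows PowerShell prompt so the Security log is readable.

```powershell
# Added example, not from the original article. Automates the review in
# section 2: find blocked anonymous LSA connections, look for logon
# attempts from the same address, and confirm the block is still enabled.
# Run from an elevated Windows PowerShell prompt (Vista / 2008 or later).

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Extract the remote address from the LSA event description. Only
# descriptions that mention an LSA policy handle are accepted, so an
# unrelated event that happens to contain an address is not misread.
function Get-AnonymousLsaAddress {
    param([string]$Message)
    if ($Message -match 'LSA policy handle' -and
        $Message -match '\b(\d{1,3}(?:\.\d{1,3}){3})\b') {
        return $Matches[1]
    }
    return $null
}

# Logon event IDs (assumption: 528/540 success, 529 failure on 2000/XP/2003;
# 4624 success, 4625 failure on Vista and later).
$FailureIds = 529, 4625
$SuccessIds = 528, 540, 4624

# Logon events in the Security log whose description contains $Address.
function Find-LogonEventsFrom {
    param([string]$Address, [int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = $FailureIds + $SuccessIds
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Address) } |
        ForEach-Object {
            $outcome = if ($FailureIds -contains $_.Id) { 'FAILURE' } else { 'SUCCESS' }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Outcome = $outcome }
        }
}

# The description's "workaround" disables the block: a value of 1 means
# anonymous callers are no longer denied. Absent or 0 means protected.
function Test-AnonymousBlockEnabled {
    $prop = Get-ItemProperty -Path $LsaKey -Name TurnOffAnonymousBlock -ErrorAction SilentlyContinue
    if ($prop -and $prop.TurnOffAnonymousBlock -eq 1) {
        Write-Warning 'TurnOffAnonymousBlock=1: anonymous LSA access is NOT being blocked'
        return $false
    }
    return $true
}

# Re-enable the block by deleting the override.
function Restore-AnonymousBlock {
    Remove-ItemProperty -Path $LsaKey -Name TurnOffAnonymousBlock -ErrorAction SilentlyContinue
}

# Constructed sample: the description quoted in the article, used to
# exercise the parser before touching the live logs.
$sample = 'An anonymous session connected from 211.99.226.9 has attempted to open an LSA policy handle on this machine.'
"Parsed address from sample: $(Get-AnonymousLsaAddress $sample)"   # 211.99.226.9

# Live review. 'LsaSrv' as the provider name is an assumption.
$lsaEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv' } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'LSA policy handle' }
$addresses = $lsaEvents | ForEach-Object { Get-AnonymousLsaAddress $_.Message } |
    Where-Object { $_ } | Sort-Object -Unique

foreach ($ip in $addresses) {
    $logons    = @(Find-LogonEventsFrom -Address $ip)
    $failures  = @($logons | Where-Object { $_.Outcome -eq 'FAILURE' }).Count
    $successes = @($logons | Where-Object { $_.Outcome -eq 'SUCCESS' }).Count
    '{0}: {1} failed and {2} successful logons in the last 7 days' -f $ip, $failures, $successes
    if ($successes -gt 0) {
        Write-Warning "$ip logged on successfully: change passwords and check for backdoors"
    }
}

# Keep the protection that produced the event in the first place.
if (-not (Test-AnonymousBlockEnabled)) { Restore-AnonymousBlock }
```

If the Security query returns nothing for an address that clearly appears in the System log, check the audit policy before concluding there were no logon attempts: with logon auditing disabled the Security log simply has no records to find.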