In a file access audit policy you choose, as needed, which security audit settings apply; these tell the operating system what to record in the Security log: the account involved, the computer it came from, the time of access, what was done, and so on. If every access operation is recorded, the log becomes very large and hard to maintain and manage afterwards. For this reason, when configuring a file access audit policy, system administrators usually need to select specific events so that the security access log stays a manageable size. The following recommendations help achieve this.
First, the principle of the minimum set of audited operations.
In Windows 7, access to a file is broken down into fine-grained operations, such as changing permissions or taking ownership, with more than ten in total. Although it takes a system administrator some time to decide which operations to pick and to make the corresponding settings, this granularity is still a boon. Subdividing the permissions means that the administrator can choose specific access operations and obtain a minimal audit record. Put simply, the goal of "audit records that are as few as possible yet still cover the user's security needs" becomes easier to reach, because in practice only specific operations usually need auditing. If it is enough to know when a user changes a file's contents or its permissions, auditing those few operations is sufficient; there is no need to audit every operation. The resulting audit records are far fewer, and the security requirement is still met.
Second, audit failures first.
For every operation the system distinguishes two outcomes, success and failure. In most cases, collecting evidence of a user accessing something illegitimately requires only that failed attempts be recorded. For example, suppose a user has read-only access to a shared file. The administrator sets an audit policy on that file, and an event is recorded whenever the user tries to change it; other actions, such as normal reads, record nothing. This too substantially reduces the volume of audit records. Therefore my recommendation is to enable only failure events in general, and to add success events only when failures alone do not meet the requirement. At that point the legitimate access of legitimate users is also recorded, and the Security log can grow very quickly. In Windows 7 you can also filter the log, for example on "Audit Failure", so that Event Viewer lists only the failed records and the administrator has less to read.
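The two recommendations above (audit only a few operations, and audit failures first) can be applied from PowerShell rather than through the Advanced Security Settings dialog. The following is an added example, not code from the original article; it assumes Windows 7 or later, an elevated session (writing a SACL needs SeSecurityPrivilege), and a hypothetical file path. It enables the File System audit subcategory, adds a failure-only audit ACE for a minimal set of rights, and reads the effective audit rules back so the result can be confirmed.

```powershell
# Added example (not from the original article). Assumes an elevated session
# and a hypothetical audited file path.

function Set-MinimalFileAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',
        # Minimal set: only operations that change the file or its security.
        # Plain reads are deliberately not audited.
        [System.Security.AccessControl.FileSystemRights] $Rights =
            'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
        # Failure first; pass 'Success, Failure' only if failures alone are not enough.
        [System.Security.AccessControl.AuditFlags] $Flags = 'Failure'
    )

    # 1. Enable the subcategory that produces file-system audit events.
    #    auditpol edits the effective policy directly; a GPO that sets the legacy
    #    "Audit object access" policy can override this at the next refresh unless
    #    subcategory settings are forced.
    auditpol /set /subcategory:"File System" /failure:enable | Out-Null

    # 2. Add the audit ACE to the object's SACL.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $Rights, $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # 3. Return the effective audit rules so the caller can confirm the result.
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

# Usage (hypothetical path). Failures only:
# Set-MinimalFileAudit -Path 'D:\Share\Contract.docx'
# Widen to successes later, only if the failure records turn out not to be enough:
# Set-MinimalFileAudit -Path 'D:\Share\Contract.docx' -Flags 'Success, Failure'
```

The rights list is the knob for the first recommendation: add ReadData only when you genuinely need to know who read the file, because that single right is what turns a quiet log into a noisy one on a busy share.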
Third, using a honeypot strategy to collect information about illegitimate visitors.
In practice, system administrators can also use a "honeypot strategy" to collect information about illegitimate visitors. What is a honeypot strategy? In effect, you put some honey out on the network, attract the bees that want to steal it, and record their details. On a network share you create a few files that look important, and then set an audit access policy on them. In this way you collect information about intruders who are hostile to the organisation. The information gathered this way usually cannot serve as evidence; it is only an indicator of access. That is, the administrator can use it to find out whether there are "restless elements" on the corporate network who keep trying to open files they are not authorised for, or who perform unauthorised operations on files such as maliciously changing or deleting them, and so head off trouble before it happens. Once this information has been collected, the administrator can take appropriate action, such as monitoring that user more closely or checking whether the user's host has been compromised and is being used as someone else's bot. In short, the administrator can use this mechanism to identify internal or external illegitimate visitors before they do more serious damage.
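The collection side of the honeypot strategy is reading the Security log back and matching events against the decoy files. The following is an added example, not code from the original article. It assumes the decoy files already carry an audit ACE, that the session is elevated so the Security log is readable, and hypothetical decoy paths. One detail that matters for the failure-first approach: a failed handle request is logged as event 4656 with the Audit Failure keyword, while access that actually took place is logged as 4663, so both IDs are pulled and matched on the ObjectName field.

```powershell
# Added example (not from the original article). Assumes decoy files already
# have audit ACEs, an elevated session, and hypothetical decoy paths.

function Get-DecoyAccess {
    param(
        [Parameter(Mandatory)] [string[]] $DecoyPath,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )

    # 4656 = handle requested (failures show up here); 4663 = access actually performed.
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields out of the event XML by name.
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # -contains is case-insensitive, which matches NTFS path semantics.
        if ($DecoyPath -contains $data['ObjectName']) {
            $outcome = 'Success'
            if ($_.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }

            [pscustomobject] @{
                Time    = $_.TimeCreated
                Outcome = $outcome
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['ProcessName']
                Access  = $data['AccessMask']
                Object  = $data['ObjectName']
            }
        }
    }
}

# Usage (hypothetical decoys): who touched which decoy, and how often.
# Get-DecoyAccess -DecoyPath 'D:\Share\Salaries-2013.xlsx', 'D:\Share\Passwords.txt' |
#     Group-Object User, Object |
#     Select-Object Count, Name |
#     Sort-Object Count -Descending
```

A few Failure rows from one account are the "restless element" the article describes; a Success row means the DACL let the read through, so either the decoy's permissions are too loose or an authorised account is being misused. The Process column helps with the compromised-host question: an interactive user opens a decoy from explorer.exe or an Office binary, whereas a bot tends to do it from something less expected. For access over a share the process shown is the server's own, so pair the row with that account's 4624 logon (logon type 3) to get the client address.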
Fourth, note: overwriting a file with a copy does not remove the existing audit access policy.
Set up security audits
Take a picture file called capture with a file-level security audit policy set on it, sitting in a folder called "New folder" that has no audit policy of its own. Now copy a file of the same name from elsewhere (a file with the same name and no audit settings) into that folder, overwriting the original. No audit policy is set on this copy. After the copy, the original file has been overwritten by the new file of the same name, yet the audit policy has carried over to the new copy: the new file now has the audit settings of the file it replaced. I found this rather strange phenomenon by accident, and wondered whether it was a flaw in Windows 7 or deliberate. The likely explanation is that an overwriting copy opens the existing file object and replaces its contents rather than deleting the file and creating a new one, so the security descriptor attached to the file, its SACL included, stays where it is. A tool that deletes the target and recreates it would instead produce a fresh file that inherits only what the folder passes down. Either way, the practical lesson is to check the audit settings after replacing an audited file rather than assuming them.
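Rather than trust the behaviour described above, it is worth checking it on the system at hand, because the outcome depends on how the overwrite is performed. The following is an added example, not code from the original article; it assumes hypothetical paths, an elevated session (reading a SACL needs the same privilege as writing one), that the target file already carries audit rules, and that the source file does not. It records the SACL portion of the target's security descriptor, overwrites the target with Copy-Item -Force, and reports whether the audit entries survived.

```powershell
# Added example (not from the original article). Assumes hypothetical paths,
# an elevated session, and a target file that already has audit entries.

function Test-AuditRuleSurvivesOverwrite {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Target
    )

    # The "S:" section of an SDDL string is the SACL; owner, group and DACL precede it.
    $saclOf = {
        param($p)
        $sddl = (Get-Acl -Path $p -Audit).Sddl
        if ($sddl -match 'S:(.*)$') { $Matches[1] } else { '' }
    }

    $sourceSacl = & $saclOf $Source
    $before     = & $saclOf $Target

    # Overwrite in place, as an Explorer copy-and-replace does.
    Copy-Item -Path $Source -Destination $Target -Force

    $after = & $saclOf $Target

    [pscustomobject] @{
        Target        = $Target
        SourceSacl    = $sourceSacl
        SaclBefore    = $before
        SaclAfter     = $after
        AuditRetained = ($before -ne '') -and ($after -eq $before)
    }
}

# Usage (hypothetical paths):
# Test-AuditRuleSurvivesOverwrite -Source 'C:\Temp\capture.jpg' -Target 'D:\Share\New folder\capture.jpg'
```

AuditRetained true reproduces the article's observation: the audit entries belong to the file object that was overwritten, not to the bytes that were copied in. If a different tool is used to "replace" the file by deleting it first, the same check reports false, and any audit policy you relied on is gone with the old file.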