Comments: Network Security always Prevents viruses that are greater than passive viruses. many network administrators have come up with various ways to enhance network security control in order to resist the Internet virus. However, many of these methods do not require the help of external tools, that is, the network administrator needs to be familiar with various security settings of the server system, which is not only a little troublesome but also a little advanced for the "cainiao" administrators who have been in touch with network management. In fact, by default, the log function is automatically enabled on any server system to capture and record any behavior that accesses the server system. As long as the network administrator cleverly learns to use logs, it can also enhance network security control!
I. Field Analysis to find security risks
An organization's IIS server was attacked by hackers late at night. On the same day, Xiao Wang, a network administrator on duty, found that the IIS server could not work normally, call Old Zhang, an experienced senior network security engineer. After going to work in the morning, Lao Zhang quickly arrived at the IIS server site. It didn't take long for Lao Zhang to find out illegal attacks against the IIS server, other security risks in the IIS server system are also discovered. In fact, the reason why Lao Zhang can quickly find the security risks in the IIS server system is mainly because he cleverly utilizes the log power that comes with the server system.
In general, when attackers attempt to attack the target IIS server system, they often spend some time to collect various information about the target IIS server system, through some professional-level scanning tools, to scan the target IIS server system for security vulnerabilities at this moment. By default, the log function of the target IIS server system can automatically remember the behaviors that have accessed the local system, the stored content is stored in the specified log file. The log file contains the scanned server port number, access username, and Client IP address; by carefully analyzing the content, we can probably determine whether there are security risks in the local IIS server system.
When viewing the log files of the local system, we can first click the "Start"/"set"/"Control Panel" command, double-click the "Management Tools" icon in the system control panel window, and double-click the "Event Viewer" option in the displayed Management Tools window, go to the Event Viewer window of the local system, as shown in ).
In the left-side pane, we can see that the log files mainly include security logs, system logs, and application logs. Click a type of log file. In the subpane on the right of the file, we can see the list of all log records. Double-click a log record with the mouse, in the pop-up attribute Setting dialog box, we can see the specific record content. The root Record Content allows us to intuitively understand when the server system has happened.
By analyzing various log files in the IIS server system, we can see records of various audit events, which record various activities of all visitors in the IIS server system, through the analysis of various activities, we can easily find out what security risks exist in the local IIS server system.
However, some hackers often try every means to clear all types of log files in the IIS server system after they have attacked the target IIS server system, in this way, all the traces left when they attack the IIS server system are cleared, so that the network administrator will not be able to log files from the system, quickly find various security risks in the IIS server system. Therefore, effectively protecting IIS server system log files is of great help to trace system security risks and find illegal attackers.
If the server system log file is deleted, we can use professional data recovery tools to restore data information and log files; because deleting log files is often the last operation performed by illegal attackers on the IIS server system. Generally, they will not perform other operations on the server system after deleting the log files, therefore, when a log file is illegally deleted, you must not add or delete it to the server system, to ensure that professional tools can successfully restore deleted log files.
In addition, if the IIS server system has been operating for a long time and the access traffic to the target website is large, the log files automatically generated by the server may be large, at this time, it is very troublesome to analyze the various log files of the system according to the above method, and it is not easy to analyze accurately. Therefore, in this case, we need to use professional log analysis tools to help, of course, you can also use the "find" function commands in Windows to help.
Of course, sometimes, simply relying on IIS server system log files, we cannot clearly find some security risks. At this time, we can also try to borrow some log records from other software, for further security screening. For example, when a suspicious event or object is found in the log file of the IIS server, we should record the specific time when they occurred, in addition, all records recorded during the specified period are filtered out among all log types. Then, the log files of the firewall program or the log files of the Serv-U program are comprehensively analyzed, in this way, we can easily find specific security risks.
2. remote tracking and identification of illegal hackers
After I went to work in the afternoon, I checked the running status of the file server as usual. During the inspection, I found that some important data on the file server was stolen by illegal hackers; in order to prevent illegal hackers from continuing to attack the file server of the Organization, I immediately contacted Mr. Wang, a network administrator studying far away, and asked him to find a solution to this security problem.
Mr. Wang, a network administrator, suggested that you carefully check the log of the file server. However, the author cannot tell the name of the log file. After some negotiation, mr. Wang, a network administrator, is trying to use the remote management method to view the log files of the file server. After remote tracking, he finally released the illegal hacker. Now, this article will restore the specific process of remote viewing log files by the network administrator Mr. Wang for your reference!
To remotely view log files in the server system through remote management, we need to first install and enable the remote management function component in the server system, this function component is not installed by default. To install the remote management component, follow these steps:
Log on to the server system as a system administrator. On the system desktop, click Start, set, and control panel commands. In the displayed system control panel window, double-click the "add or delete programs" icon. In the displayed window, click the "Add/delete Windows Components" tab to open the Windows component wizard dialog box, as shown in );
Select the "Application Server" option in the Wizard dialog box, and click the "details" button under the option. In the displayed Setting dialog box, check whether the "Internet Information Service (IIS)" project has been selected. If you find that this option has not been selected, we should promptly re-select it (as shown in ), then, click the "details" button and select "World Wide Web service options" on the page;
Then, click the "details" button under the "World Wide Web service options" project to open the World Wide Web Service List window, and select the "Remote Management (HTML)" function component, click "OK" and complete the remaining operations as prompted to install the remote management component of the server system.
Now we can use the remote management component to remotely view the log files of the server system. When remotely viewing the server system's log files, we can first start the run IE browser program in the remote computer, in the corresponding window address bar input https://xxx.xxx.xxx.xxx: 8098 (where xxx. xxx. xxx. xxx is the IP address of the host where the target server system is located, and "8098" is the default Remote Management port number enabled by the server system;
After you click the Enter key, the remote logon dialog box appears. Enter the Logon account and password of the target server system, and click OK in the dialog box, you can access the Web access interface management page of the target server system. Click the "maintain" hyperlink on the Management page to go to the System Maintenance page, click the "log" hyperlink on this page to go to the log management page of the target server system. On this page, we can remotely view various log information, you can also remotely delete or download log files.
It is also very simple to remotely view specific log Content. You only need to click the "Web management log" hyperlink on the log management page, on the corresponding hyperlink page, select the target log file to be viewed and click "view log". The specific log content will be displayed in the IE browser window.
Iii. troubleshooting with logs
Next, this article will give you detailed recommendations on how to use the built-in log files in Windows to find the cause of the fault efficiently and quickly, ultimately, the goal of effectively improving network management efficiency is achieved.
1. Locate the cause of network access failure
In LAN networks with a relatively large number of computers, network administrators usually set up DHCP servers in the LAN to automatically assign appropriate IP addresses to all computers, so as to improve network management efficiency. Once a common computer cannot obtain an appropriate IP address from the DHCP server of the LAN, the Windows system will automatically assign it a reserved IP address as the target computer, and when the system log file is opened, we will also see an event record with the ID of "1007.
Based on the above analysis, we can view the log file to locate the cause of network access failure in the future. For example, if you see that the target computer system cannot access the network normally in the future, you can open the Event Viewer window for the corresponding computer system and find the system log file, at the same time, check whether there is an event record with the ID of "1007". If this event record is found, then we can identify that the reason for network access failure is that the target computer system does not correctly apply for a valid IP address from the lan dhcp server, at this time, we only need to lock the scope of troubleshooting on the DHCP server. If we find that the lan dhcp server can work normally, we only need to carefully check whether the network connection between the target computer and the lan dhcp server is smooth, so that we can quickly and effectively solve the network access failure.
2. Locate the reason why the network cannot be logged on
We know that MSNMessenger, QQ, and other communication applications will automatically generate their own log files during their work to save the records of the network logon status of the target application, we can also use their log files to locate the cause of network failures.
For example, if you encounter a failure prompt when you log on to QQ and cannot log on to the network, you may wish to click the "details" button on the fault prompt page, after that, you will be able to see from the detailed information prompt that the QQ application has attempted to establish a network connection with multiple TCP and UDP servers, but each network connection prompts a domain name resolution failure, eventually, a network logon failure occurs. In this case, you can click the "Troubleshooting" button on the prompt page to automatically diagnose the current network connection, after the diagnosis is complete, you can determine whether the IP addresses of the TCP and UDP server can be pinged and the local network gateway address can be pinged; if you find that the local gateway address cannot pass the detection, you can basically conclude that the reason for the failure to log on to the network is mostly because the network connection between the local computer and the gateway device is faulty, at this time, you only need to carefully check the physical line of the Local Computer to quickly solve the failure of network login.
3. Locate the cause of application errors
What should I do if my computer system encounters application errors frequently? In fact, we can view the system log files and find out the cause of application errors. The specific operation steps are as follows:
First, on the desktop of your computer system, click "start", "set", and "Control Panel" commands. In the displayed system control panel window, double-click the "Administrative Tools" icon. In the displayed management tools List window, double-click the Event Viewer icon to enter the Event Viewer window of the corresponding system;
In the left-side area of the Event Viewer window, click the "application" option. In the area displayed on the right of the option, we can clearly see the event records of the application program running; once an application crashes, we can find the corresponding record content from the corresponding application log, by recording the content, we can quickly find out the cause of application errors.