The magical function of Windows 2008 system auditing

Source: Internet
Author: User

Enabling and configuring the auditing feature

The auditing features of Windows Server 2008 are not enabled by default. We have to enable and configure auditing for the specific kinds of system event we care about; from then on the system monitors events of those kinds and writes a record of each one to the corresponding log, where the network administrator can read the results as soon as the log is opened. Auditing has a wide range of uses: it can track and monitor selected operations on the server, and the records can also be used to trace the server's operating state and locate faults quickly. It is worth reminding readers, though, that auditing costs the server some of its valuable resources and reduces its performance, because Windows Server 2008 has to spend processing time on the monitoring and set aside disk space to hold the records. When the server's storage is limited, therefore, auditing should be used with restraint, and the feature should be configured to monitor and record only the most important operations.

To enable and configure auditing in Windows Server 2008, log on to the system with an administrator account, open the Start menu on the desktop, click Settings, then Control Panel; in the Control Panel window click System and Maintenance, then the Administrative Tools icon; in the list of administrative tools that appears, locate the Local Security Policy icon and double-click it to open the Local Security Policy console window.

Next, in the left pane of the console window, expand the Security Settings / Local Policies / Audit Policy branch. The right pane then lists the nine audit policies that Windows Server 2008 provides; that is, the server can track and record nine categories of operation, as shown in Figure 1.

Figure 1 Local Security policy

The Audit process tracking policy records detailed tracking information about the processes running on the server, such as a program suddenly starting or exiting in the background, handle duplication, indirect access to an object, and similar operations. Once enabled, the audit function tracks and records these events and saves the records automatically to the corresponding log.

The Audit account management policy is used to track and monitor changes to the user accounts and groups on the server: any operation that adds, deletes or modifies a user account, including password resets and group membership changes, is recorded automatically by the audit function.

The Audit privilege use policy is used to track and monitor users exercising user rights (privileges) while the server is running, other than the rights involved in logging on and off; any privileged operation that affects the security of the server is recorded by the audit function in the system's Security log. From the log content, the network administrator can readily find clues to events that affect the security of the server.

Different audit policies make Windows Server 2008 track and record different types of operation. Network administrators should enable the audit policies that match their own security requirements and the server's performance, rather than blindly enabling every policy; otherwise the audit function cannot be used to full effect.

Figure 2 Audit Login Event Properties

For example, to track logons to the server and check whether there is any illegal logon activity from the LAN, double-click the Audit logon events policy here to open the properties dialog for that policy (as shown in Figure 2), select both the Success and Failure options, and click OK. From then on Windows Server 2008 automatically tracks and records every logon to the local server, whether the attempt succeeds or fails. Each record can be found in Event Viewer, and by analysing these logon records carefully we can find out whether the local server has seen any illegal logon, or even an intrusion. Note that Audit logon events records logons to this machine, whereas Audit account logon events records credential validation, which for domain accounts takes place on the domain controller; on a member server it is the former that we need here.
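The same setting can be made from an elevated command prompt with the built-in auditpol.exe, which also exposes the finer-grained subcategories that the nine console policies cannot express and lets us verify what is actually in effect. This is an added example and not part of the original article; it assumes that no domain Group Policy object is overwriting the local audit policy, and the backup path is an assumption.

```powershell
# Added example, not part of the original article. Equivalent of the Figure 2
# dialog done with auditpol.exe from an elevated prompt, plus the checks the
# console does not show. Assumes local policy is not being overwritten by a
# domain Group Policy object.

# Legacy category, shown in Local Security Policy as "Audit logon events".
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

# Windows Server 2008 also has finer subcategories. Keep logon successes and
# failures, but drop the noisy logoff records, which the console cannot
# express at category level.
auditpol /set /subcategory:"Logon"  /success:enable  /failure:enable
auditpol /set /subcategory:"Logoff" /success:disable /failure:disable

# Show what is actually in effect for this category; the console dialog
# reflects the category, not the subcategories underneath it.
auditpol /get /category:"Logon/Logoff"

# Every category and subcategory at once, useful for a before/after comparison.
auditpol /get /category:*

# Keep a copy of the whole audit policy so the change can be undone with
# auditpol /restore /file:<same file>. The path is an assumption.
auditpol /backup /file:C:\Temp\auditpol-before.csv
```

If the same category is also configured through Local Security Policy or Group Policy, the category-level setting can overwrite these subcategory settings the next time policy is refreshed, unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.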

Viewing the audit records

Once the appropriate audit policy has been enabled and configured, Windows Server 2008 automatically tracks and records the specified types of operation and saves the records to the corresponding log; the network administrator can then look for security threats to the server based on the log content. The records written by the audit function are viewed with the Event Viewer feature, as follows:

First, log on to Windows Server 2008 with administrator privileges and click Start / All Programs / Administrative Tools / Server Manager on the desktop to open the Server Manager console window;

Next, in the display area on the left of the console window, click the Diagnostics branch, and under it click Event Viewer / Windows Logs. Below that node we see five categories of event record: Application, Security, Setup, System and Forwarded Events, as shown in Figure 3. The records written by the audit policies go to the Security log;

Figure 3 Server Manager

Selecting a category with the mouse shows all the event records in that category in the middle display area of the Figure 3 interface; double-clicking a specific record opens its details view, which shows the source of the event, the specific event content, the event ID and other related information.

When an important event is found we can also act on it. For example, to analyse the event carefully later and to prevent it from being lost when the log is cleared, we can save it: right-click the target event, choose Save Selected Events from the shortcut menu, set the save path and file name, and click Save. The Open Saved Log command on the same shortcut menu reopens a file saved in this way.

If too many events are being stored on the server, we should clear the log periodically with the Clear Log command in the shortcut menu to free up valuable disk space; the dialog offers to save the log before clearing it, and that is the option to take, since clearing the Security log is itself recorded as an audit event and a cleared log cannot be recovered. When there are many records, finding the one we want is not easy; in that case the Filter Current Log command filters the records by level, time, event ID and other criteria.
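The same three operations, reading, filtering and preserving the Security log, can be scripted rather than clicked through, which matters once the log holds more records than anyone will page through by hand. The following is an added example, not code from the original article; it assumes PowerShell 2.0 or later on the server (Get-WinEvent is not in PowerShell 1.0), an elevated prompt, and the backup path and size value are assumptions.

```powershell
# Added example, not part of the original article. Requires PowerShell 2.0+
# (Get-WinEvent) and an elevated prompt on the server.

# 1. Failed logons (Security event 4625) from the last 24 hours, one object
#    per attempt, with the fields that matter pulled out of the event XML.
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $failed) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']   # 2 = interactive, 3 = network, 10 = Remote Desktop
        SubStatus = $d['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# 2. Quick triage: which source addresses are failing most often?
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Preserve evidence before clearing. wevtutil.exe is built in; the
#    backup directory is an assumption and must already exist.
$backup = 'C:\Logs\Security-{0:yyyyMMdd-HHmm}.evtx' -f (Get-Date)
wevtutil epl Security $backup
# wevtutil cl Security "/bu:$backup"   # clear only after the export has been checked

# 4. Check and raise the maximum log size so records are not overwritten
#    before anyone reads them; 128 MB (bytes) is an arbitrary example value.
wevtutil gl Security | Select-String 'maxSize'
wevtutil sl Security /ms:134217728
```

The exported .evtx file can be opened later with the Open Saved Log command in Event Viewer exactly like a file saved from the console.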

Using the audit function in practice

Auditing is especially important for Windows Server 2008 systems in a real-world environment, because servers on a LAN are exposed to attack. The network administrator can use auditing to track and monitor various kinds of attack, and when an event that may pose a security threat occurs, we can arrange for the audit function to report the event to the administrator, who can then identify its cause immediately and deal with it, protecting the server from illegal attacks.

For example, some Trojans secretly create a user account on the server in order to obtain administrator rights. By monitoring user account management we can determine whether an illegal user account exists on the server, and then which account it is. Note that for Windows Server 2008 to notify the network administrator automatically when an account is created, the Task Scheduler service must be running normally.

First, click Start / Run on the Windows Server 2008 desktop, and in the Run dialog execute the command "secpol.msc" to open the server's Local Security Policy console window;

Figure 4 Audit account Management

Next, in the display area on the left of the console window, expand Security Settings, click Local Policies, then Audit Policy; in the right-hand display area, double-click the Audit account management policy to open the properties dialog shown in Figure 4, select both Success and Failure, and click OK to close the dialog. Windows Server 2008 now records every user account creation, whether the attempt succeeds or fails;

To have the network administrator notified automatically of a user account creation, we also attach a scheduled task to the event to raise the alarm. Click Start / All Programs / Administrative Tools / Server Manager on the Windows Server 2008 desktop to open the Server Manager console, and in the left area select Diagnostics / Event Viewer / Windows Logs / Security (account management events are written to the Security log, not the System log). Under the Security log, find a "user account was created" event (event ID 4720); if no such event exists yet, create a user account on the server manually so that one appears in Event Viewer, because the wizard needs an existing event to build the trigger from.

Right-click the user-account-created event and choose Attach Task To This Event from the shortcut menu to open the Create Basic Task wizard, then set the name of the new task, for example "Automatic alarm: user account creation". When the Action page shown in Figure 5 appears, select Display a message and set the title and the text of the alarm: here the title is "Automatic alarm: user account creation" and the text is "An illegal account may have been created on the server; the network administrator should handle this event immediately!". Finally click Finish. From now on Windows Server 2008 automatically reports to the network administrator every user account creation that the audit function logs. Note that the task created by the wizard runs under the account of the administrator who created it, so the message is displayed only while that administrator is logged on to the server.

Figure 5 Creating the Basic Task Wizard

When we then create a user account on the server at random over Remote Desktop, an alarm window appears immediately on the Windows Server 2008 screen telling the network administrator that "An illegal account may have been created on the server; the network administrator should handle this event immediately!". This means that someone has just created a user account on the server, and from the alarm the administrator can take action straight away to deal with the matter, protecting the Windows Server 2008 server from illegal attacks.
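The alarm built through the wizard above can also be built from the command line, which makes it reviewable, repeatable across servers, and independent of whether an administrator happens to be logged on. The following is an added example and not code from the original article; it uses the built-in auditpol.exe, schtasks.exe and msg.exe, assumes PowerShell 2.0 or later and an elevated prompt, and the task name, script path, log path and test account name are all assumptions.

```powershell
# Added example, not part of the original article. Security event 4720 is
# "A user account was created"; it is written only when the Account
# Management category (subcategory "User Account Management") is audited.
# Task name, paths and the test account below are assumptions.

# 1. Make sure account-management auditing is on (a successful creation fires 4720).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# 2. The alert script the task will run: read the newest 4720 event, record who
#    created which account, then show a message on every interactive session.
$script = @'
$e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 1
$x = [xml]$e.ToXml()
$d = @{}
foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
$msg = "New account {0}\{1} created by {2}\{3} at {4}" -f `
    $d['TargetDomainName'], $d['TargetUserName'], $d['SubjectDomainName'], $d['SubjectUserName'], $e.TimeCreated
Add-Content -Path 'C:\Logs\account-alerts.log' -Value $msg
msg * $msg
'@
New-Item -ItemType Directory -Path 'C:\Logs', 'C:\Scripts' -Force | Out-Null
Set-Content -Path 'C:\Scripts\Alert-NewAccount.ps1' -Value $script

# 3. A task triggered by event 4720 in the Security log. It runs as SYSTEM so it
#    can read the Security log whether or not anyone is logged on, unlike the
#    wizard's task, which is tied to the administrator who created it.
schtasks /Create /TN "Alert on user account creation" /SC ONEVENT /EC Security `
    /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4720]]" `
    /RU SYSTEM /RL HIGHEST /F `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Alert-NewAccount.ps1"

# 4. Test with a throwaway account, check the alert log, and remove the account.
net user audittest 'P@ssw0rd-test-1' /add
Start-Sleep -Seconds 5
Get-Content 'C:\Logs\account-alerts.log' | Select-Object -Last 1
net user audittest /delete
```

The test in step 4 is itself an account creation, so the audit records it and the task fires; the message names the account that created the new user (the SubjectUserName field of the event), which is the first thing to check when the creation was not expected.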

