Use Event Viewer to maintain server security

The Event Viewer is equivalent to a health care doctor in the operating system. Some "stubborn" clues are displayed in the event viewer, A qualified system administrator and security maintenance personnel regularly checks the application, security, and system logs to check for illegal logon, abnormal system shutdown, program execution errors, and other information, you can view the event properties to determine the source and solution of the error, so that the operating system and application work normally. This article introduces some knowledge about Event Viewer, and finally provides a security maintenance instance, which provides some reference and reference for security maintenance personnel to maintain the system.

(1) knowledge about Event Viewer

1. Event Viewer

The Event Viewer is a Microsoft Windows operating system tool. It is equivalent to a thick system log. It can view information about hardware, software, and system problems, and monitor security events in Windows operating systems. There are three ways to open the Event Viewer:

(1) Click Start> set> Control Panel> Administrative Tools> Event Viewer to open the Event Viewer window.

(2) manually type "% SystemRoot % system32eventvwr. msc/s" in the "run" dialog box to open the Event Viewer window.

(3) Enter "eventvwr" or "eventvwr. msc" at run to open the event viewer.

2. log types recorded in Event Viewer

Three types of logs are recorded in the Event Viewer:

(1) application logs

Contains events recorded by applications or system programs, which mainly records program running events. For example, database programs can record file errors in application logs, program developers can decide which events to monitor. If an application crashes, we can find the corresponding records in the Program Event Log, which may help you solve the problem.

(2) security logs

Events such as valid and invalid logon attempts and resource usage events, such as creating, opening, or deleting files or other objects, are recorded, the system administrator can specify what events are recorded in security logs. By default, security logs are disabled. administrators can use group policies to start security logs, or set audit policies in the Registry to stop the system from responding when security logs are full.

(3) system logs

Events recorded by system components that contain Windows XP, such as loading drivers or failure of other system components during startup, are recorded in system logs, by default, Windows records system events to system logs. If the computer is configured as a domain controller, directory service logs and file replication service logs are also included. if the machine is configured as a Domain Name System (DNS) server, the DNS server logs will also be recorded. When Windows is started, the "event log" Service (EventLog) is automatically started. All users can view the application and system logs, but only the administrator can access security logs.

Five events are recorded in the Event Viewer. The icon on the left of the Event Viewer screen describes the categories of events in the Windows operating system. The Event Viewer displays the following types of events:

(1) error: major problems, such as data loss or function loss. For example, if the service cannot be loaded during startup, an error is recorded.

(2) Warning: potential problems can also be identified for events that are not necessarily important. For example, if the disk space is low, a warning is recorded.

(3) Information: describes whether an application, driver, or service has been successfully operated. For example, if the network driver is successfully loaded, an information event is recorded.

(4) successful review: Successful security access attempts. For example, a user's Successful Logon Attempt to the system is recorded as a "successful review" event.

(5) failed Review: security access attempts that have been reviewed and failed. For example, if a user attempts to access a network drive but fails, the attempt will be recorded as a "failed review.

 

(2) Maintaining server security instances

　　1. Open and view three types of logs in the Event Viewer

In "run", enter "eventvwr. msc directly opens the Event Viewer, click system in the window, as shown in 1, click the type on the right of the window for sorting, you can see that there are multiple types of information, such as warning, error.

Figure 1 open and view system logs

　　2. view detailed information about system error records

Select the "error" record and double-click it to open and view the event attributes. 2 shows that the event is an attack event. The event description is:

An anonymous session connected from 211.99.226.9 tries to open an LSA policy handle on this computer. The attempt is denied by STATUS_ACCESS_DENIED to prevent leakage of sensitive information to anonymous callers.

The application for this attempt needs to be corrected. Contact the application supplier. As a temporary solution, this security measure can be disabled by setting the value of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaTurnOffAnonymousBlock DWORD to 1. This message can be recorded at most once a day.

Figure 2 view system error event attributes

Note: This description indicates that the computer with the IP address "211.99.226.9" is attacking the server.

3. Fix system vulnerabilities as prompted

Based on the description, open the Registry Editor and click "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaTurnOffAnonymous" to create a DWORD "TurnOffAnonymousBlock DWORD" key and set its value to "1 ", 3.

Figure 3 system security risks fixed

NOTE: If no solution is provided in the event attribute, in addition to finding a solution in google, you can also track the error information to find a proper solution, there are two methods:

(1) Microsoft Knowledge Base. An article in the Microsoft Knowledge Base is composed of official Microsoft documents and technical articles written by Microsoft MVP. It mainly solves Microsoft Product problems and faults. When the Bug and error-prone application points of Microsoft products are discovered, there will be a corresponding KB article to analyze this error solution. The address of Microsoft Knowledge Base is: http://support.microsoft.com, in the "Search (Knowledge Base)" on the left of the web page to enter the relevant keywords for query, event source and ID information. Of course, it is also a good way to enter keywords in the detailed description. If there is an error number in the log, enter this error number for query.

(2) query through the Eventid.net website

To query the error event solution, there is actually a better place, that is, Eventid.net website address is: http://www.eventid.net. This website is hosted by many Microsoft MVPs (most valuable experts) and contains solutions for almost all system events. After logging on to the website, click the Search Events link to display the event Search page. Enter the Event ID and Event Source as prompted, and click the Search button. The Eventid.net system will find all relevant resources and solutions. Most importantly, it is completely free to enjoy these solutions. Of course, paying Eventid.net users can enjoy better services, such as directly accessing the Knowledge Base Article set for an event.

4. Multi-party review

Since the anonymous enumeration of LSA appears, there will certainly be login information, as shown in Figure 4. Click "security" to view event attributes and view "Audit Failed" first, you can see the review Information for multiple connection failures of the IP address "211.99.226.9. Note that the logs recorded in the Event Viewer must be set in the security policy. By default, the logs are not recorded. They are recorded only after the audit is enabled. Check the logon records that are successfully reviewed in sequence. If you find that the IP address is successfully logged on, you also need to perform a thorough security check on the system, including modifying the logon password, the attacker left a backdoor when checking the system. In this example, the main event is that the server with the IP address 211.99.226.9 performs a password attack scan. After setting the policy in the event attribute, the security risks of the anonymous enumeration can be solved.