[Windows security Settings] Win 2000 security Audit policy makes intruders nowhere to hide

As a network administrator, do you know what is happening on your host or server--who has visited it. What they have done. What is the purpose. What the. You don't know. In fact, Windows 2000 to provide us with a security audit function, we do administrator this line, the most need to be familiar with this function, otherwise you how to tube it. Security audits can record several security-related events in the form of logs that you can use to generate a regular activity profile, identify and track suspicious events, and leave valid legal evidence of an intruder's activities.

Open Audit Policy

The default installation for Windows 2000 does not open any security audits, so you need to open the appropriate audit in [My Computer]→[Control Panel]→[Administrative Tools]→[Local Security Policy]→[Audit policy]. The system provides nine types of events that can be audited, and for each category you can specify whether to audit success events, failure events, or both (Figure 1).



Figure 1 Developing an audit strategy

Policy changes: Security policy changes, including privilege assignment, audit policy modification, and trust relationship modifications. This class must also audit its success or failure events.

Logon event: An interactive logon or network connection to the local computer. This category must audit both its success and failure events at the same time.

Object access: It must be enabled to allow auditing of specific objects, a category that needs to audit its failed events.

Process tracing: Detailed tracking of process invocations, duplicate process handles, and process terminations, which can be selected as needed.

Directory service access: Logs access to Active Directory, which needs to be audited for failure events.

Privileged use: The use of a privilege, the assignment of a private privilege, a category of failed events that needs to be audited.

System events: Events related to security (such as system shutdown and restart), events that affect the security log, which must simultaneously audit both its success and failure events.

Account Logon event: Verify (Account Effectiveness) access to the local computer through the network, which must simultaneously audit its success and failure events.

Account Management: Create, modify, or delete users and groups, and make password changes that must audit both its success and failure events.

When you open the above audit, when someone tries to do something to your system (such as trying user passwords, changing account policies, unauthorized file access, etc.), it is logged by the security audit, stored in the security log in Event Viewer.

In addition to the "Local Security policy" can also open account policy, such as in the Account lockout policy set, the account lockout threshold of three times (then when three invalid login will be locked), and then the account lockout time set to 30 minutes, or even longer. In this way, hackers want to attack you, 24 hours a day to try the password will not try a few times, but also risked being tracked down the risk.

After the audit policy setting is complete, you will need to restart your computer to take effect. It should be explained here that the audit project can be neither too much, nor too little. If it's too little, if you want to look at the signs of a hacker attack and find no records, then there is no way, but the audit project if too much, not only will occupy a lot of system resources, and you may not be free to read all the security logs, so that the meaning of the audit is lost.

Auditing for file and folder access

Auditing of file and folder access requires that the approved file or folder must be on an NTFS partition, and then the object Access event audit policy must be opened as described above. With the above criteria, you can audit specific files or folders, and which users or groups specify which types of access to audit.

On the Security page of the Properties window for the selected file or folder, click on the [Advanced] button; On the Audit page, click the Add button, select the user who wants to audit the file or folder access, and in the Audit Entries dialog box, select Success or Failed check box (Figure 2), determined after the selection is complete. Returns to the Access Control Settings dialog box, by default, the audit changes made to the parent folder are applied to the subfolders and files that it contains. If you do not want to apply the audit changes made by the parent folder to the currently selected file or folder, the empty check box "allows inheritable auditing entries from the sire to propagate to this object" (see Figure 3).

Review and maintenance of audit results

After the audit policy and audit events are set up, the results of the audit are recorded in the security log, and Event Viewer allows you to view the contents of the security log or to find the details of the specified event in the log.

Run Event Viewer in Administrative Tools and select Security log. Displays a list of logs on the right, as well as summary information for each goal (Figure 4). If you find a successful audit of a login after a few login failures, you will need to look through the log information, and if the password is too simple to be guessed, it needs to increase the length and complexity of the password. Here you can view the details of individual events, and you can also find and filter for eligible events.

As audit events increase, the size of the security log files increases, by default the log file size is 512KB, and when the maximum log size is reached, the system overwrites events 7 days ago. In fact, we can make changes as needed. Right-click the security log entry in Event Viewer, select Properties to enter the Security Log Properties window (Figure 5), and on the General tab page, the network administrator can modify these default settings for their own needs to store the security log.

The audit policy is used in Windows 2000 systems, although it is not possible to control the user's access, but you can find out what security risks the system has and how to use the system resources according to the security log that is generated by opening the audit, thus providing a reliable basis for us to trace the hacker. At the same time, it is also advantageous to take the corresponding precautionary measures to minimize the system's unsafe factors, thus creating a more secure and reliable Windows 2000 system platform.