Windows Log and Intrusion Detection Based on System Security Prevention

Source: Internet
Author: User

I. What Makes Log Files Special
To understand log files we first have to look at what makes them special: they are managed and protected by the system, so ordinary users cannot change them at will. You cannot open and save one the way you would a common TXT file with WPS, Word, WordPad, Edit and the like; you cannot even rename, delete or move it, because the system answers "access denied". Some of these operations do work from a pure DOS state (for example, Windows 98 booted to DOS), but the change soon turns out to be useless: when Windows 98 restarts it checks for this special file automatically, creates it if it does not exist and, if it does, simply appends new entries to it.
II. Why Are Hackers Interested in Log Files?
Once a hacker has obtained system administrator privilege on a server, he can destroy any file on the system, including the log files. But everything he does is recorded by the system logs, so he must alter the logs to hide the traces of his intrusion. The simplest way is to delete the log files outright, which is what novices generally do. Experienced hackers instead edit the logs so that the administrator cannot trace them, and a number of programs written specifically for this purpose circulate on the network, such as Zap and Wipe. For the defender this is the point: a log that has simply vanished is an obvious sign of compromise, whereas a log with individual records removed is only caught by checking the log's own consistency.
III. Introduction to the Windows Family of Log Systems
1. Windows 98 Log Files
Because the great majority of users still run Windows 98, this section starts with its log file. Ordinary Windows 98 users have no need for system logs unless they have a special purpose. One such purpose is running Windows 98 as a personal Web server, where the system log is a useful reference for the server's security. If you have set up a personal Web server on Windows 98, enable logging as follows:
(1) Double-click the "Personal Web Server" icon in the "Control Panel" (the relevant network protocol must already be configured and "Personal Web Server" must already be added).
(2) On the "Management" tab, click the "Manage" button.
(3) On the "Internet Service Administrator" page, click "WWW Management".
(4) On the "WWW Management" page, click the "Logs" tab.
(5) Select the "Enable Log" check box and adjust the settings as needed. Name the log file "Inetserver_event.log". If no log directory is specified on the "Logs" tab, the file is saved in the Windows folder.
An ordinary user can find the log file schedlog.txt in the Windows 98 system folder, either through "Start"/"Search" or by starting "Task Scheduler" and choosing "View Log" from the "Advanced" menu. The log files of an ordinary Windows 98 user are simple: they only record the execution of preset tasks. Compared with the NT operating system used on servers, Windows 98 attracts little interest from hackers, so Windows 98 logs receive little attention.
2. Windows NT Log System
Windows NT is an operating system that is currently under a great many attacks. In Windows NT the log files audit, to some degree, almost every transaction on the system. Windows NT log files fall into three types:
System log: tracks various system events and records events generated by the system components of Windows NT. For example, a driver that fails to load or another system component that fails during startup is recorded in the system log.
Application log: records events generated by applications or system programs. For example, an application's failure to load a DLL (Dynamic Link Library) shows up in this log.
Security log: records events such as logons, downloads, changes to access permissions, system startup and shutdown, and resource-use events such as file creation, opening and deletion. The system's "Event Viewer" is used to specify which events the security log records. The security log is disabled by default.
The Windows NT logs are normally stored at the paths below (systemroot is the Windows installation directory); the exact location varies slightly with the operating system version:
C:\systemroot\system32\config\sysevent.evt
C:\systemroot\system32\config\secevent.evt
C:\systemroot\system32\config\appevent.evt
Windows NT stores its log files in a special binary format that is read by the Event Viewer, found in the Control Panel. The system administrator uses the Event Viewer to select which log entries to view; entries can be filtered by category, user and message type.
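The three .evt files above are exactly the "special format" the article refers to, and the earlier section on log editing explains why a defender wants to read them outside the Event Viewer. The following is an added example, not code from the original article: a minimal offline parser for the legacy NT/2000 .evt layout (48-byte header and records that both carry the "LfLe" signature, as documented by open-source forensic tooling; the field offsets used here are an assumption of this example), together with two defender-side checks, a search for gaps in the sequential record numbers, which is what excising individual records leaves behind, and a search for the NT/2000 "audit log cleared" security event (code 517). The sample log, the computer name NT-SRV01 and the account names are constructed in memory, so the script runs without any real log file.

```python
"""Offline parser and integrity check for legacy Windows NT/2000 .evt logs (added example)."""
import struct
from dataclasses import dataclass

SIGNATURE = b"LfLe"      # signature found in the file header and in every record
HEADER_LEN = 48          # size of the file header
RECORD_FIXED = 56        # fixed part of a record, before the source and computer names
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}
AUDIT_LOG_CLEARED = 517  # NT/2000 security event code written when the audit log is cleared


@dataclass
class EvtRecord:
    number: int          # sequential record number; gaps mean records were removed
    time_generated: int  # seconds since the Unix epoch
    event_code: int      # low 16 bits of the event identifier
    event_type: str
    source: str
    computer: str
    strings: list        # insertion strings (user name, domain, logon type, ...)


def _utf16z(text):
    return text.encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(data, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after the terminator)."""
    end = off
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(data):
        raise ValueError("unterminated UTF-16 string (truncated record)")
    return data[off:end].decode("utf-16-le"), end + 2


def build_record(number, event_code, event_type, source, computer, strings, when):
    """Serialise one record in the legacy layout (used only to construct the sample log)."""
    names = _utf16z(source) + _utf16z(computer)
    names += b"\x00" * (-len(names) % 4)            # insertion strings start 4-byte aligned
    str_off = RECORD_FIXED + len(names)
    body = names + b"".join(_utf16z(s) for s in strings)
    body += b"\x00" * (-len(body) % 4)
    length = RECORD_FIXED + len(body) + 4             # +4: trailing copy of the length
    # length, signature, number, time generated, time written, event id, event type,
    # string count, category, flags, closing record, string offset, SID len/offset, data len/offset
    head = struct.pack("<I4sIIIIHHHHIIIIII", length, SIGNATURE, number, when, when,
                       event_code, event_type, len(strings), 0, 0, 0, str_off, 0, 0, 0, 0)
    return head + body + struct.pack("<I", length)


def build_evt(records):
    """Assemble header + records + end-of-file marker (sample construction only)."""
    body = b"".join(records)
    first = struct.unpack_from("<I", records[0], 8)[0]
    last = struct.unpack_from("<I", records[-1], 8)[0]
    eof_off = HEADER_LEN + len(body)
    header = struct.pack("<I4sIIIIIIIIII", HEADER_LEN, SIGNATURE, 1, 1, HEADER_LEN, eof_off,
                         last + 1, first, 0x80000, 0, 0, HEADER_LEN)
    eof = struct.pack("<IIIIIIIIII", 40, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      HEADER_LEN, eof_off, last + 1, first, 40)
    return header + body + eof


def parse_evt(data):
    """Walk the record chain; return (header fields, records). Raises ValueError on damage."""
    size, sig, _maj, _min, start, _end, current, oldest = struct.unpack_from("<I4sIIIIII", data, 0)
    if size != HEADER_LEN or sig != SIGNATURE:
        raise ValueError("not a legacy .evt file (bad header)")
    records, off = [], start
    while off + 8 <= len(data):
        length, rsig = struct.unpack_from("<I4s", data, off)
        if rsig != SIGNATURE:                          # end-of-file marker starts 0x11111111
            break
        if length < RECORD_FIXED or off + length > len(data):
            raise ValueError(f"record at offset {off}: invalid length {length}")
        if struct.unpack_from("<I", data, off + length - 4)[0] != length:
            raise ValueError(f"record at offset {off}: trailing length mismatch (truncated or edited)")
        (number, tgen, _twri, event_id, etype, nstr, _cat, _flags, _closing, str_off,
         _sid_len, _sid_off, _dlen, _doff) = struct.unpack_from("<IIIIHHHHIIIIII", data, off + 8)
        source, pos = _read_utf16z(data, off + RECORD_FIXED)
        computer, _ = _read_utf16z(data, pos)
        strings, pos = [], off + str_off
        for _ in range(nstr):
            s, pos = _read_utf16z(data, pos)
            strings.append(s)
        records.append(EvtRecord(number, tgen, event_id & 0xFFFF,
                                 EVENT_TYPES.get(etype, f"unknown({etype})"), source, computer, strings))
        off += length
    return {"current": current, "oldest": oldest}, records


def integrity_findings(header, records):
    """Defender-side checks: header/first-record mismatch, record-number gaps, log-cleared events."""
    findings = []
    if records and records[0].number != header["oldest"]:
        findings.append(f"header says oldest record is {header['oldest']}, file starts at {records[0].number}")
    for prev, cur in zip(records, records[1:]):
        if cur.number != prev.number + 1:
            findings.append(f"gap: records {prev.number + 1}..{cur.number - 1} are missing")
    for r in records:
        if r.event_code == AUDIT_LOG_CLEARED:
            findings.append(f"record {r.number}: audit log cleared by {r.strings[0] if r.strings else '?'}")
    return findings


# Constructed sample security log: two logons, then record 3 excised, then a log-cleared event.
SAMPLE_LOG = build_evt([
    build_record(1, 528, 8, "Security", "NT-SRV01", ["Administrator", "NT-SRV01", "2"], 946684800),
    build_record(2, 529, 16, "Security", "NT-SRV01", ["guest", "NT-SRV01", "2"], 946684860),
    build_record(4, 517, 8, "Security", "NT-SRV01", ["Administrator"], 946684920),
])


def analyse(data=SAMPLE_LOG):
    header, records = parse_evt(data)
    return records, integrity_findings(header, records)


if __name__ == "__main__":
    recs, finds = analyse()
    for r in recs:
        print(f"#{r.number} {r.event_type:14} {r.source}/{r.event_code} {r.strings}")
    for f in finds:
        print("!", f)
```

Run against a copy of secevent.evt taken while the Event Log service is stopped, or from a backup, rather than the live file; a live log is legitimately "dirty" (its end-of-file marker lags the header), so only the record-number gaps and the 517 events should be treated as findings.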
3. Windows 2000 Log System
The Windows 2000 log system is the same as that of Windows NT, and Windows 2000 likewise uses the "Event Viewer" to manage it; you must also log on as a system administrator to work with it.
Windows 2000 has many kinds of log files, such as the application, security and system logs, the DNS server log, the FTP log and the WWW log; which ones exist varies slightly with the services the server has enabled. When Windows 2000 starts, the Event Log service starts automatically. Every user can view the "application log", but only a system administrator can access the "security log" and the "system log". The "security log" is disabled by default, but it can be enabled through "Group Policy" so that it starts recording. Once the security log is enabled, it records without restriction until the log is full.
