Do you sometimes want to know what has happened on your host or server, and who accessed it? Windows 2000 provides a very useful facility for exactly this: security auditing. Security auditing records security-relevant events as entries in a log. You can use those entries to build a picture of normal activity, to discover and track suspicious events, and to keep evidence of what a particular intruder did.
Enabling the audit policy
A default Windows 2000 installation has no auditing enabled at all, so you need to open [My Computer] → [Control Panel] → [Administrative Tools] → [Local Security Policy] → [Local Policies] → [Audit Policy] and switch on the categories you need. The system provides nine categories of auditable events; for each category you can choose to audit successes, failures, or both (Figure 1).
Figure 1 Setting the audit policy
Policy Change: changes to security policy, including user-rights assignments, changes to the audit policy itself, and changes to trust relationships. Audit both success and failure.
Logon Events: interactive logons and network connections to this computer. Audit both success and failure.
Object Access: access to individual objects such as files, folders, registry keys and printers. This category must be enabled before any audit entry set on a specific object has any effect. Audit failures.
Process Tracking: detailed tracking of process creation, duplicated handles, and process termination. It is very noisy; enable it only when you need it.
Directory Service Access: access to Active Directory objects; it only produces events on a domain controller. Audit failures.
Privilege Use: the exercise of user rights and the assignment of special privileges. Audit failures.
System Events: events that affect the whole system or the security log itself, such as shutdown and restart, or the security log being cleared. Audit both success and failure.
Account Logon Events: credential validation performed by this computer for logons to it or through it over the network (for a domain account the event is recorded on the domain controller that checked the credentials). Audit both success and failure.
Account Management: creation, modification or deletion of users and groups, and password changes and resets. Audit both success and failure.
With these categories enabled, attempts to break into the system (for example guessing a user's password, changing the account policy, or accessing files without permission) are recorded in the Security log, which you read with Event Viewer.
In addition, tighten the Account Policy in "Local Security Policy". For example, in the Account Lockout Policy set the lockout threshold to 3 (the account is locked after three invalid logon attempts) and the lockout duration to 30 minutes or longer. An attacker then gets at most a few guesses per lockout period, which makes password guessing impractical and leaves a clear trail in the log. Be aware that lockout also lets an attacker deliberately lock legitimate users out by entering wrong passwords for their accounts, so choose the threshold and duration with that in mind.
Audit policy changes take effect after the next security policy refresh; restarting the computer is the sure way to get one (on Windows 2000, secedit /refreshpolicy machine_policy also triggers a refresh). Choose the set of audited events carefully: audit too little and you will find no record when you go looking for signs of an attack; audit too much and the auditing consumes system resources and produces more log than anyone can read, which defeats the purpose.
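The same policy can be applied from the command line, which is easier to repeat across many machines and to keep under version control. The following is an added example and not part of the original article. It assumes a Windows host with auditpol.exe and net.exe (Vista / Server 2008 or later); Windows 2000 itself has no PowerShell or auditpol and is configured through the Local Security Policy snap-in or secedit. The per-category success/failure choices are the ones recommended in the list above.

```powershell
# Added example; not from the original article. Applies the per-category
# recommendations above with auditpol.exe and the lockout settings with net.exe.
# Assumption: a Windows host with auditpol.exe (Vista / Server 2008 or later);
# Windows 2000 itself has no PowerShell or auditpol. Run from an elevated prompt.

# Category, audit successes?, audit failures?
$policy = @(
    @('Policy Change',      $true,  $true),
    @('Logon/Logoff',       $true,  $true),
    @('Object Access',      $false, $true),   # prerequisite for any file/folder audit entry to fire
    @('Detailed Tracking',  $false, $false),  # process tracking: very noisy, enable only when needed
    @('DS Access',          $false, $true),   # Active Directory; only meaningful on a domain controller
    @('Privilege Use',      $false, $true),
    @('System',             $true,  $true),
    @('Account Logon',      $true,  $true),
    @('Account Management', $true,  $true)
)

function Set-AuditCategory {
    param([string]$Category, [bool]$Success, [bool]$Failure)
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set "/category:$Category" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$Category'" }
}

foreach ($row in $policy) {
    Set-AuditCategory -Category $row[0] -Success $row[1] -Failure $row[2]
}

# Lock an account for 30 minutes after 3 bad passwords; the bad-password
# counter also resets after 30 minutes (the window may not exceed the duration).
& net.exe accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'net accounts failed' }

# Confirm the effective settings.
& auditpol.exe /get /category:*
& net.exe accounts
```

Run it once, then run only the two confirmation commands at the end on a later occasion to detect drift: an attacker who gains administrative rights will often disable auditing first, and the change will show up here (and, if Policy Change auditing is on, as an event in the Security log).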
Auditing access to files and folders
To audit access to files and folders, two conditions must be met: the files or folders must be on an NTFS partition (FAT volumes have no access control lists and cannot be audited), and the Object Access category must be enabled in the audit policy as described above. Once both hold, you can select a specific file or folder, choose the users or groups whose access you want to audit, and choose which kinds of access to record.
Figure 2 Selecting the audit entries
Figure 3 Deciding whether to inherit audit entries
On the Security tab of the Properties window of the selected file or folder, click the [Advanced] button. On the Auditing tab, click [Add], select the user or group whose access to the file or folder you want to audit, and click [OK]. In the Auditing Entry dialog box, tick the Successful and/or Failed check box for each type of access to be audited (Figure 2), then click [OK]. Back in the Access Control Settings dialog box, note that by default the audit entries set on a parent folder are applied to the subfolders and files it contains. If you do not want the parent folder's audit entries to apply to the selected file or folder, clear the check box "Allow inheritable auditing entries from parent to propagate to this object" (Figure 3).
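The dialog steps above write an audit entry into the object's system access control list (SACL). The script below does the same from PowerShell, which is useful when many folders need the same entry. It is an added example and not from the original article; it assumes C:\Data\Finance is a placeholder NTFS path, that the Object Access category is already being audited, and an elevated shell, because reading or writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example; not from the original article. Puts an audit entry (SACL) on a
# folder the way the Properties > Security > Advanced > Auditing dialog does,
# then lists the resulting entries. Assumptions: C:\Data\Finance is a
# placeholder NTFS path; the Object Access category is already audited; the
# shell is elevated (SeSecurityPrivilege is needed to read or write a SACL).

$path = 'C:\Data\Finance'

# -Audit is required; without it Get-Acl returns the DACL only and a later
# Set-Acl would leave the SACL untouched.
$acl = Get-Acl -Path $path -Audit

# Audit both successful and failed write/delete attempts by anyone, and let the
# entry flow down to subfolders (ContainerInherit) and files (ObjectInherit).
$rights  = [System.Security.AccessControl.FileSystemRights]::Write -bor
           [System.Security.AccessControl.FileSystemRights]::Delete
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success -bor
           [System.Security.AccessControl.AuditFlags]::Failure

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

# To stop audit entries inherited from the parent folder applying here (the
# inheritance check box in the dialog), uncomment the next line before Set-Acl:
# $acl.SetAuditRuleProtection($true, $false)   # protect the SACL and drop inherited entries

$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# List what is now audited on the folder.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Audit only the access types you will act on: an entry for ReadData on a busy share with Success ticked will flood the Security log with events nobody reads, which is the "too many review items" failure mode described earlier.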
Viewing and maintaining audit results
Once the audit policy and the per-object audit entries are set, the results are recorded in the Security log. Use Event Viewer to browse the log's contents or to find the details of a particular event.
Figure 4 Viewing events
Run Event Viewer from Administrative Tools and select Security Log. The right pane lists the log entries with a summary of each (Figure 4). If you see a successful logon shortly after several failed logons for the same account, examine those entries closely: it may mean that a password was guessed. If the password was simple enough to guess, increase the required length and complexity. You can open the details of any event, and search for or filter events that meet given conditions.
As audit events accumulate, the Security log grows. The log has a default maximum size, and when it is reached the system overwrites events older than seven days. You can change this: right-click Security Log in Event Viewer and choose Properties to open the Security Log Properties window (Figure 5). On the General tab an administrator can raise the maximum size and change the overwrite behaviour to suit the retention the site needs. On a busy or exposed machine the default size is far too small, and note that if the log is set never to overwrite, a full log simply stops recording new events.
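Looking for "several failures, then a success" by eye does not scale beyond a few hundred entries. The script below automates that search from the two preceding paragraphs and then applies the log-size and retention change. It is an added example and not part of the original article. It assumes Vista / Server 2008 or later event IDs (4625 for a failed logon and 4624 for a successful one; Windows 2000 logged 529 and 528/540 instead), an arbitrary threshold of three failures within the last 24 hours, Windows PowerShell 5.1 for Limit-EventLog, and an elevated prompt, which reading the Security log requires.

```powershell
# Added example; not from the original article. Searches the Security log for
# the pattern the text warns about (several failed logons for one account and
# then a success), then sizes the log so evidence is not overwritten too soon.
# Assumptions: Vista / Server 2008 or later event IDs (4625 failure, 4624
# success); 3-failure threshold and 24-hour window are arbitrary choices;
# Windows PowerShell 5.1 for Limit-EventLog. Run from an elevated prompt.

$since     = (Get-Date).AddHours(-24)
$threshold = 3

# Flatten the EventData of a logon event into the fields we need.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        Source    = $data['IpAddress']
        LogonType = $data['LogonType']
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-LogonRecord -Event $_ }

# Ignore computer accounts (names ending in $) and the built-in SYSTEM logons.
$events = $events | Where-Object { $_.User -and $_.User -notmatch '\$$' -and $_.User -ne 'SYSTEM' } |
    Sort-Object Time

# For each account, walk its events in time order and report every success
# that follows at least $threshold consecutive failures.
$suspicious = foreach ($group in ($events | Group-Object User)) {
    $fails = 0
    foreach ($e in $group.Group) {
        if ($e.Id -eq 4625) { $fails++; continue }
        if ($fails -ge $threshold) {
            [pscustomobject]@{
                User           = $group.Name
                FailuresBefore = $fails
                SuccessAt      = $e.Time
                Source         = $e.Source
                LogonType      = $e.LogonType
            }
        }
        $fails = 0
    }
}
$suspicious | Format-Table -AutoSize

# Raise the maximum size to 512 MB and keep events for 30 days. Limit-EventLog
# exists in Windows PowerShell only; on PowerShell 7 use wevtutil.exe sl Security /ms:<bytes>.
Limit-EventLog -LogName Security -MaximumSize 512MB -OverflowAction OverwriteOlder -RetentionDays 30
Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
    Format-Table Log, MaximumKilobytes, MinimumRetentionDays, OverflowAction -AutoSize
```

A hit with LogonType 10 (remote interactive) or 3 (network) from an unfamiliar source address deserves immediate attention; a hit with LogonType 2 from the console is more often a user who mistyped their own password, which is why the source address and logon type are carried through to the report.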
Figure 5 Security log properties
The Windows 2000 audit policy does not itself control who may access what. But by reading the security logs it produces, we can understand the system's security exposure and how its resources are being used. That gives a reliable basis for tracking intruders and for taking the preventive measures that reduce the system's weak points, making the Windows 2000 platform more secure and reliable.