Clever use of Win2008 auditing features to make the system more secure

Windows Server 2008 has improved considerably in terms of security, but it still cannot be guaranteed to be immune to viruses and attacks. To better protect a Windows Server 2008 system, I believe most network administrators would not hesitate to spend heavily on various professional security tools to protect the server. In fact, even without any professional security tools, we can rely on the capabilities built into Windows Server 2008 itself to bring the system's own security and protection features into play and still keep it running securely. That is, by using the Windows Server 2008 auditing function we can track and monitor all operations on the server system and, based on the monitoring results, quickly troubleshoot faults and assess the security of the server.

Enabling and configuring auditing

Auditing is not enabled by default in Windows Server 2008; we have to enable it and configure it for specific kinds of system events, so that only those kinds of events are monitored and recorded. Afterwards the network administrator can review the results simply by opening the corresponding system log. Auditing has a wide range of uses: it can track and monitor operations performed on the server, and it can also help eliminate operational faults quickly based on the recorded state of the server. Of course, it should be pointed out that enabling auditing consumes some of the server's valuable resources and lowers its performance, because Windows Server 2008 must set aside storage space to save the monitoring records. For this reason, when server storage is limited we should use auditing with care and make sure it only monitors and records the particularly important operations.

To enable and configure auditing in Windows Server 2008, first log on to the system with an account that has administrative privileges. Open the "Start" menu on the desktop, click "Settings" and then "Control Panel", and in the Control Panel window that opens click the "System and Maintenance" and then "Administrative Tools" icons. In the list of administrative tools, locate the "Local Security Policy" icon and double-click it to open the Local Security Policy console window.

Next, in the left pane of the console window, expand the "Security Settings" / "Local Policies" / "Audit Policy" branch. In the right pane corresponding to the "Audit Policy" branch we find that Windows Server 2008 contains nine audit policies, which means the server can track and record nine major categories of operations.

The Audit process tracking policy is designed to track and record the running state of processes on the server system. Events such as a program suddenly starting or exiting, a handle being duplicated, or file system resources being accessed can all be tracked and recorded by the auditing function, and the monitoring records are automatically saved to the corresponding system log.

The Audit account management policy is designed to track and monitor changes to the server's logon accounts: any operation that adds, deletes or modifies a user account is automatically recorded by the auditing function.

The Audit privilege use policy is designed to track and monitor privileged users performing operations other than logging on and off. Any operation on the server that has security implications is recorded by the auditing function and saved to the system's security log, and from the log content the network administrator can easily find clues to events that affect the security of the server.

Enabling different audit policies makes Windows Server 2008 track and record different types of operations. Network administrators should enable the audit policies that match their own security requirements and server performance rather than blindly enabling all of them; otherwise the auditing function will not be used to its full effect.

For example, if we want to track and monitor the logon state of the server in order to confirm whether illegal logons are occurring on the LAN, we can double-click the "Audit logon events" policy here to open its option setting dialog box, select both the "Success" and "Failure" options, and click "OK". From then on Windows Server 2008 automatically tracks and records all logon operations on the local server. Whether a logon to the server succeeds or fails, we can find the corresponding record in the Event Viewer, and by carefully analyzing these logon records we can find out whether there have been illegal logons or even intrusions on the local server.

Viewing audit records

Once auditing is enabled and the appropriate audit policies are configured, Windows Server 2008 automatically tracks and records the selected types of operations and saves the records to the corresponding system log files, and the network administrator can determine from the log content whether the server faces a security threat. To view the records produced by the auditing function we must use the Event Viewer; the specific steps are as follows:

First, log on to Windows Server 2008 with super administrator privileges, then click "Start" / "Programs" / "Administrative Tools" / "Server Manager" on the desktop to open the Server Manager console window.

Second, in the left pane of the console window, locate the "Diagnostics" branch and under it click the "Event Viewer" / "Windows Logs" sub-item. Under that sub-item we see the five categories of event records: "Application", "Security", "Setup", "System" and "Forwarded Events".

When a category is selected with the mouse, all event records under that category are displayed; double-clicking a particular record opens the detailed information view for that event, where we can see the source of the event, its specific content, the event ID and other relevant information.

When we find important event content, we can act on it. For example, so that important events can be analyzed carefully at a later time, we can save them to prevent accidental deletion when the log is cleared. To save important event content, right-click the target event, execute the "Save Event As" command from the shortcut menu, set the save path and file name, and click the "Save" button; later, executing the "Open Saved Log" command in the right-click menu reopens the previously saved log file. If we find that too many events are stored on the server, we should periodically clear the log records by executing the "Clear Logs" command in the right-click menu to free up valuable space. When there are many log records it is not easy to find the event record we want quickly; in this case we can execute the "Filter Current Log" command to filter the log records.
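The logon-audit configuration and the filter/save steps above, carried out from the command line as an added example that is not part of the original article. It assumes an elevated PowerShell 3.0 or later session (Windows Management Framework 3.0 on Windows Server 2008 R2) and an illustrative export path; it checks the logon audit policy, filters the Security log for logon audit events, summarizes failed logons by account and source, and exports them to a saved .evtx file.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell 3.0+
# session; $ExportPath is an illustrative location (assumption), change as needed.
param(
    [int]    $Hours      = 24,
    [string] $ExportPath = 'C:\AuditExports\failed-logons.evtx'
)

# 1. Confirm that the "Audit logon events" policy is really in effect:
#    auditpol.exe reports the effective setting of the Logon subcategory.
auditpol /get /subcategory:"Logon"

# 2. Equivalent of "Filter Current Log": only the logon audit events
#    (4624 = successful logon, 4625 = failed logon) from the last $Hours hours.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Read the fields from each event's XML payload rather than from the
#    localized message text, so the parsing works on any display language.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
        Status    = $data['Status']     # failure reason code, 4625 only
    }
}

# 4. Failed logons grouped by account and source: many failures from one
#    source against one or more accounts is the pattern worth a closer look.
$records | Where-Object { $_.Id -eq 4625 } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. Equivalent of "Save Event As": export the failed-logon events in native
#    .evtx form so they survive a later "Clear Logs".
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
$ms = $Hours * 3600000
wevtutil epl Security $ExportPath "/q:*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
```

The exported file can be reopened later with Get-WinEvent -Path or the Event Viewer's "Open Saved Log" command.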