Security Audit Policy for Windows 7 File Access


In the file access audit policy you can select as many audit settings as you need; that is, you tell the operating system to write a record to the security log whenever a chosen operation occurs, including who accessed the file, from which computer, at what time, what was done, and so on. If every access operation is recorded, the log grows very large and becomes hard to maintain and manage. For this reason, when configuring the file access audit policy, the system administrator usually needs to select only specific events to keep the security log to a manageable size. The following suggestions help the administrator achieve this.

First, the principle of minimum access operation.

In Windows 7, access operations are divided very finely; for example, modifying permissions and changing the owner are separate operations. Although the administrator has to spend some time deciding which operations to select and how to configure them, this granularity is still a boon: after the administrator selects a particular access operation, only the minimum set of audit records is produced. Simply put, the goal of "generating the minimum number of audit records while covering the user's security needs" becomes easier to reach. In practice it is usually only necessary to audit specific operations, such as changing the contents of a file or accessing it; there is no need to audit every operation. The resulting audit records are far fewer, and the user's security needs are still met.

Second, the failure operation is preferred.

For any operation the system distinguishes two outcomes: success and failure. In most cases, to collect information about illegal access by users, it is enough to have the system log only the failure events. For example, suppose a user has read-only access to a shared file. The administrator can set an audit policy on that file so that a record is written when the user attempts to change it, while other operations, such as normal reads, are not recorded. This also greatly reduces the number of security audit records. Therefore the author suggests that, in general, only failure events should be enabled, and that success event logging should be considered only when failure auditing alone does not meet the requirement. At that point, legitimate accesses by legitimate users will also be recorded, and it should be noted that the security log may grow many times over. In Windows 7 you can filter the contents of the log: for example, filter by "Audit Failure" so that the system lists only the failed records, reducing what the administrator has to read.

Third, how to use a honeypot strategy to collect information on illegal visitors

In practical work, system administrators can also use a "honeypot strategy" to collect information about illegal visitors. What is a honeypot strategy? In essence, you put some honey on the network, attract the bees that want to steal it, and record their information. For example, you can place some seemingly important files among the shared files on the network and then set an audit access policy on them. In this way you can identify intruders with bad intentions. However, the information collected this way is often not usable as evidence; it can only serve as a measure of access. That is, the administrator can use this means to determine whether there are some "uneasy elements" in the enterprise network who keep trying to access unauthorized files, or to perform unauthorized operations on certain files, such as maliciously changing or deleting them. Knowing yourself and knowing your adversary is the way to win every battle. After collecting this information, the administrator can take corresponding measures, such as strengthening the monitoring of that user, or checking whether the user's host has been compromised and turned into someone else's zombie ("broiler"). In short, administrators can use this mechanism to identify internal or external illegal visitors before they cause more serious damage.
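The following PowerShell script is an added example, not from the original article; it puts the three suggestions above into practice: a failure-only audit entry limited to the operations that matter on a shared file, a success-only entry on a decoy file, and a query that reads the resulting object-access events back from the Security log. It assumes an elevated session, PowerShell 3.0 or later, that the "File System" audit subcategory is enabled (via auditpol), and the file paths are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on Windows 7 or later (PowerShell 3.0+), and that the "File System" audit
# subcategory is enabled, e.g.:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
# All file paths are constructed placeholders.

function Set-FileAudit {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AuditFlags]$Flags
    )
    # Read the SACL together with the DACL (needs SeSecurityPrivilege), add one entry, write back
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $Rights, $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1) Minimum operations, failure first: record only failed attempts to change, delete,
#    re-permission or take ownership of a shared file; ordinary successful reads are not logged.
Set-FileAudit -Path 'C:\Share\report.xlsx' `
    -Rights 'WriteData,AppendData,Delete,WriteAttributes,ChangePermissions,TakeOwnership' -Flags 'Failure'

# 2) Decoy file: for the honeypot case a *successful* read is exactly what we want recorded.
Set-Content -Path 'C:\Share\salaries.xlsx' -Value 'decoy content'
Set-FileAudit -Path 'C:\Share\salaries.xlsx' -Rights 'ReadData' -Flags 'Success'

# 3) Review: object-access events (4656 = handle requested, 4663 = access attempted)
#    for one path, optionally restricted to those tagged "Audit Failure".
function Get-FileAccessEvents {
    param([string]$PathFilter, [switch]$FailuresOnly, [int]$MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663 }
    if ($FailuresOnly) { $filter.Keywords = 4503599627370496 }   # Audit Failure keyword
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "*$PathFilter*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Outcome = ($_.KeywordsDisplayNames -join ',')
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask
                Process = $d.ProcessName
            }
        }
      }
}

Get-FileAccessEvents -PathFilter 'C:\Share\report.xlsx' -FailuresOnly | Format-Table -AutoSize
Get-FileAccessEvents -PathFilter 'C:\Share\salaries.xlsx' | Format-Table -AutoSize
```

Without the auditpol subcategory enabled, the SACL entries are stored but no 4656/4663 events are ever written, so check that first when the query returns nothing.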

Fourth, note: overwriting a file does not affect the original audit access policy

[Figure: Set security audit]

As shown above, there is a picture file called capture, for which a file-level security audit policy has been set, while no security audit policy has been set on its folder "New Folder". Now I copy an identical file (same file name, with no security audit policy set on it) into this folder, overwriting the original file. Note that no security audit policy is set on the copied file at this point. After the copy, the original file is overwritten by the file of the same name. However, the security audit policy is transferred to the newly copied file; in other words, the new file now has the security audit settings of the file it overwrote. This is a very strange phenomenon, which the author also discovered unintentionally. I don't know whether this is a vulnerability in the Windows 7 operating system or whether it was set up this way deliberately; that is for the developers of the Microsoft operating system to explain.
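The added script below (not from the article) reproduces the overwrite scenario so the audit entries can be compared before and after, and contrasts it with deleting the file before copying. It assumes an elevated session with PowerShell 3.0 or later; the two paths are constructed placeholders, with the source file carrying no audit entries of its own.

```powershell
# Added example, not from the original article. Elevated session, PowerShell 3.0+,
# constructed paths: $target is the audited file, $source a same-named file with no audit entries.
$target = 'C:\Share\New Folder\capture.png'
$source = 'C:\Temp\capture.png'

function Get-AuditEntries([string]$Path) {
    # Explicit and inherited SACL entries, resolved to account names
    $sacl = (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $sacl) {
        '{0} {1} {2} inherited={3}' -f $r.IdentityReference, $r.AuditFlags, $r.FileSystemRights, $r.IsInherited
    }
}

# Reproduce the article's starting point: an explicit audit entry on the target file only
$acl = Get-Acl -Path $target -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ReadData,WriteData,Delete', 'Success,Failure')))
Set-Acl -Path $target -AclObject $acl

'Before overwrite:'; Get-AuditEntries $target

# Copy the same-named file over it: the existing file is overwritten in place
Copy-Item -Path $source -Destination $target -Force
'After overwrite:'; Get-AuditEntries $target
# Same entries as before: the overwrite replaced the file's data but kept the existing
# file's security descriptor, which holds the DACL and the SACL (audit entries) together.

# Contrast: delete first, then copy, and the new file starts with a fresh descriptor
Remove-Item -Path $target
Copy-Item -Path $source -Destination $target
'After delete and copy:'; Get-AuditEntries $target   # only entries inherited from the folder, if any
```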
