The magic of Windows 2008 system audit function

Users who are using Windows 2008 system will know that Windows2008 has superior system security, high intelligence and significant security. If users can use it skillfully, they can play better. Windows2008 system. Let us first take a look at the magical features of the audit function under Windows 2008.

Enabling configuration auditing

The auditing features of Windows Server 2008 systems are not enabled by default, we must enable and configure their auditing for specific system events, so that The function will monitor and record the same type of system events. The network administrator can view the monitoring result of the audit function by opening the log record of the corresponding system in the future. The auditing function has a wide range of applications. It can not only track and monitor some operational behaviors in the server system, but also quickly eliminate operational faults according to the operating state of the server system. Of course, you need to remind all friends that the activation of the audit function often consumes some valuable resources of the server system, and will cause the running performance of the server system to decline. This is because the Windows Server 2008 system must free up some space resources to save the audit function. Monitoring and recording results. To this end, in the case of limited server system space resources, we should use the audit function carefully, to ensure that this function only monitors and records some particularly important operations.

When enabling and configuring the auditing function of Windows Server 2008 system, we can log in to the corresponding system with system super authority, open the “Start” menu in the system desktop, and click “Select” from the menu. Set the “,“Control Panel” command, and click the “System and Maintenance” button in the pop-up System Control Panel window, and the “Administrative Tools” icon will appear in the list of management tools that appear later. Find the “Local Security Policy' icon and double-click the icon to open the Local Security Policy Console window.

Next, in the left pane of the target console window, expand the “Security Settings"/“Local Policies”/“Audit Policy" branch option in the corresponding “ In the right pane of the policy & branching option, we will find that the Windows Server 2008 system contains nine auditing policies, which means that the server system can allow nine major operations to be tracked and recorded, as shown in Figure 1.
Figure 1 Local security policy

Audit process tracking policy is specifically used to track the running status of the server system's daemon, such as what the server system background runs or shuts down, handle handle Whether the file copy or access to system resources is performed, the audit function can track and record them, and automatically save the contents of the monitoring and recording to the log files of the corresponding system.

The audit account management policy is specifically used to track and monitor the modification, deletion and addition of the login system of the server system. Any operation of adding user accounts, deleting user account operations, and modifying user account operations will be reviewed. The function is automatically recorded.

Auditing privilege usage policy is specifically used to track and monitor other privileged operations performed by users in addition to logout operations and login operations during the running of the server system. Any privilege that affects the security of the server system. The operation will be saved to the security log of the system by the audit function record. The network administrator can easily find some clues that affect the security of the server according to the log content.

When different auditing policies are enabled, Windows Server 2008 systems will track and record different types of operations. Network administrators should enable auditing according to their own security requirements and server system performance. Strategy, rather than blindly enabling all auditing strategies, so that the role of the auditing function is not fully utilized.
Figure 2 Auditing Login Event Properties

For example, if we want to track and monitor the login status of the server system to confirm whether there is illegal login behavior in the LAN, then we can use the mouse directly. Double-click the audit login event policy here, open the option setting dialog box of the corresponding policy (as shown in Figure 2), select the "success>;success" and “failure" option, and then click the "OK" button. As a result, Windows Server 2008 system will automatically track and record all system login operations of the local server system in the future. Whether it is a successful operation of the login server or a failed login operation, we can find the corresponding operation through the event viewer. Recording, carefully analyzing the records of these login operations, we can find out whether there are illegal logins or even illegal intrusions in the local server.

Viewing Auditing Function Records

After enabling and configuring the appropriate auditing policies, Windows Server 2008 will automatically track and record certain types of operations and save the records to the corresponding The system's log file is included. In the future, the network administrator can find out whether there is a security threat in the server system based on the log content. When viewing the log content recorded by the audit function, we must use the event viewer function to complete the following steps:

First enter the Windows Server 2008 system with super administrator privileges. Click the “Start”/“Programs”/“Administratives">; Server Manager" command in the system desktop to open the Server Manager console window for the corresponding system;

Next, in the display area on the left side of the console window, position the mouse over the “Diagnostics” branch option, and from the branch option, click “Event Viewer” and “//ldquo;Windows Log” ; sub-items, under the target sub-item we will see the "Applications", "Safety", "Installer", "System", "Return Events" Event record, as shown in Figure 3;
Figure 3 Server Manager Previous 12 Next Page Total 2 Pages