Clever use of Win2008 auditing features to make the system more secure

Windows Server 2008 server operating system, in terms of security has been greatly improved and improving, but we still difficult to guarantee it will not be attacked by viruses. In order to better ensure the security of Windows Server 2008 systems, I believe that most network administrators will spare no expense to "please" all kinds of professional security tools to secure the server system. "In fact, in the absence of any professional security tools at hand, we can you can rely on Windows server 2008 system on its own strength to the security performance of all aspects of the system all play together, so likewise is Windows server 2008 security operation & ldquo; escort & rdquo ;, that is the clever use WindowsServer2008 audit function, the server system All operations are tracked and monitored, and the monitoring results can be used to quickly troubleshoot server systems and ensure the security of the server system.

Enabling configuration auditing

The auditing features of Windows Server 2008 systems are not enabled by default, we must enable and configure their auditing for specific system events, so that The function will monitor and record the same type of system events. The network administrator can view the monitoring result of the audit function by opening the log record of the corresponding system in the future. The auditing function has a wide range of applications. It can not only track and monitor some operational behaviors in the server system, but also quickly eliminate operational faults according to the operating state of the server system. Of course, the need to remind our friends that auditing is enabled tend to consume some of the valuable resources of the server system, and can cause decreased operating performance server system, because Windows Server 2008 system resources must vacate part of the space to store audit function monitoring, record the results. To this end, in the case of limited server system space resources, we should use the audit function carefully, to ensure that this function only monitors and records some particularly important operations.

When enabling and configuring the auditing function of Windows Server 2008 system, we can log in to the corresponding system with system super authority, open the “Start” menu in the system desktop, and click “Select” from the menu. Set the “,“Control Panel” command, and click the “System and Maintenance” button in the pop-up System Control Panel window, and the “Administrative Tools” icon will appear in the list of management tools that appear later. find the & ldquo; local security policy & rdquo; icon and double-click on the icon with the mouse, open the local security policy console window.

Secondly, displayed in the left goal console window pane, expand & ldquo; Security Settings & rdquo; /& ldquo; local policy & rdquo; /& ldquo; Audit Policy & rdquo; branch option, in the corresponding & ldquo; review In the right pane of the policy & branching option, we will find that the Windows Server 2008 system contains nine auditing policies, which means that the server system can allow nine categories of operations to be tracked and recorded.

The audit process tracking policy is specifically used to track the running status of the server system's daemon. For example, what program is suddenly running or closed in the background of the server system, whether the handle handle has file copy or system resources. access and other operations, audit functions can be tracked, record them, and to monitor, record content is automatically saved to the corresponding system log file.

The audit account management policy is specifically used to track and monitor the modification, deletion and addition of the login system of the server system. Any operation of adding user accounts, deleting user account operations, and modifying user account operations will be reviewed. The function is automatically recorded.

Auditing privilege usage policy is specifically used to track and monitor other privileged operations performed by users in addition to logout operations and login operations during the running of the server system. Any privilege that affects the security of the server system. The operation will be saved to the security log of the system by the audit function record. The network administrator can easily find some clues that affect the security of the server according to the log content.

When different auditing policies are enabled, Windows Server 2008 systems will track and record different types of operations. Network administrators should enable auditing according to their own security requirements and server system performance. Strategy, rather than blindly enabling all auditing strategies, so that the role of the auditing function is not fully utilized.

For example, if we want to track and monitor the login status of the server system to confirm whether there is illegal login behavior in the LAN, then we can directly double-click the audit login event policy here to open Corresponding to the policy's option settings dialog box, select the “success” & “quo” and “failure” options, and then click the “OK” button, so that the Windows Server 2008 system will automatically be on the local server system in the future. All system login operations are tracked and recorded. Whether it is a successful operation of the login server or a failed operation of the login server, we can find the corresponding operation record through the event viewer. By carefully analyzing the records of these login operations, we can find the local server. Is there really illegal login or even illegal intrusion?

Viewing Auditing Function Records

After enabling and configuring the appropriate auditing policies, Windows Server 2008 will automatically track and record certain types of operations and save the records to the corresponding The system's log file is included. In the future, the network administrator can find out whether there is a security threat in the server system based on the log content. When viewing the log content recorded by the audit function, we must use the event viewer function to complete the following steps:

First enter the Windows Server 2008 system with super administrator privileges. click the desktop in the & ldquo; start & rdquo; /& ldquo; program & rdquo; /& ldquo; Administrative tools & rdquo; /& ldquo; server Manager & rdquo; command, open server Manager console window corresponding to the system;

Next, in the display area on the left side of the console window, position the mouse over the “Diagnostics” branch option, and from the branch option, click “Event Viewer” and “//ldquo;Windows Log” ; sub-items, under the target sub-item we will see the "Applications", "Safety", "Installer", "System", "Return Events" Event record;

When you select a category option with the mouse, we can clearly see all the event records under the corresponding category, and then use the mouse to double When you specify logging options, you can open the details screen target events recorded in the interface we will be able to view the details of the source of target event specific event content, event ID, and other relevant information.

When discovering important event content, we can also perform some operations on it; for example, in order to analyze the content of important events in time when we are free, we can save the important events first. Prevent accidental deletion when cleaning the log. When saving the important event content, we just right click on the target event content, execute from the pop-up shortcut menu, and save the event as the ” command, then set the save path and For the specific file name, click the “Save” button. In the future, you only need to execute the “Save Saved Log” command in the right-click menu to call the previously saved log file. If you find that there are too many events stored in the server system, we should periodically execute the "Clear Logs" command in the right-click menu to clear the log records to free up more valuable space resources. In the case of more log records, it is not easy to quickly find the event record you want. At this time, we may perform the "Filter Current Log" command to filter the log records. Previous12Next page Total 2 pages