An illustrated introduction to the Windows Server 2008 auditing function


Enabling and configuring auditing

The auditing features of Windows Server 2008 are not enabled by default: auditing has to be switched on and configured for specific kinds of system events, and only those kinds of events are then monitored and recorded. The administrator can later review the results by opening the corresponding system log. Auditing has a wide range of uses. It can track operations performed on the server, and the recorded activity also helps to pinpoint operational faults from the state the server was in when they occurred. Bear in mind, however, that enabling auditing consumes server resources and can reduce performance, because the system must write every monitored event to the log and keep it on disk. Where disk space is tight, use auditing selectively, so that only the operations that really matter are monitored and recorded.

To enable and configure auditing, log on to the server with an administrator account, open the "Start" menu, and choose "Control Panel". In the Control Panel window click "System and Maintenance", then "Administrative Tools". In the list of administrative tools that appears, find the "Local Security Policy" icon and double-click it to open the Local Security Policy console.

Next, in the left pane of the console, expand "Security Settings"/"Local Policies"/"Audit Policy". The right pane shows that Windows Server 2008 provides nine audit policies (Audit account logon events, Audit account management, Audit directory service access, Audit logon events, Audit object access, Audit policy change, Audit privilege use, Audit process tracking and Audit system events), which means the server can track and record nine broad classes of operation, as shown in Figure 1.
Figure 1 Local security policy

The "Audit process tracking" policy records the activity of processes running on the server: which programs start and exit, handle duplication, and indirect access to objects and system resources. When enabled, the audit function records these events automatically and writes them to the Security log.

The "Audit account management" policy tracks changes to the accounts that can log on to the server. Any creation, deletion or modification of a user account or group (including password changes and resets) is recorded automatically by the audit function.

The "Audit privilege use" policy tracks the exercise of user rights other than logging on and off while the server is running. Any privileged operation that can affect the security of the server is written to the Security log, and the administrator can use these records to find clues about activity that threatens the server.

Each audit policy that is enabled causes Windows Server 2008 to track and record a different class of operation. Administrators should enable audit policies according to their own security requirements and the performance the server can spare, rather than blindly enabling all of them, which floods the log and makes the useful records harder to find.
Figure 2 Audit logon events Properties

For example, to track logons to the server and check whether anyone on the LAN is logging on illegitimately, double-click the "Audit logon events" policy, open its properties dialog (shown in Figure 2), tick both the "Success" and "Failure" options, and click "OK". From then on Windows Server 2008 records every logon to the local server, whether it succeeded or failed, and each record can be found in Event Viewer (on Server 2008 a successful logon is event ID 4624 and a failed logon is event ID 4625). Careful analysis of these records shows whether there have been unauthorised logons or even intrusions. Note that "Audit logon events" records logons on the computer where the session is created; credential validation by a domain controller or by the local SAM is recorded by the separate "Audit account logon events" policy.
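The same configuration can be applied from an elevated command prompt with auditpol.exe, which ships with Windows Server 2008. The following is an added example, not part of the original article; it also shows the finer-grained subcategories that the Local Security Policy console does not expose.

```powershell
# Added example (not from the original article): enable the auditing the article
# configures through the Local Security Policy console, using auditpol.exe.
# Run from an elevated PowerShell prompt on the server.

# Show the current state of every category before changing anything.
auditpol /get /category:*

# "Audit logon events" in the console is the Logon/Logoff category.
# Enable both Success and Failure, as in Figure 2.
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

# "Audit account management" (needed later for account-creation alerts).
auditpol /set /category:"Account Management" /success:enable /failure:enable

# Server 2008 also exposes subcategories. Enabling only the ones you need keeps
# the Security log smaller: record logon sessions and user-account changes, but
# not the noisy "Other Logon/Logoff Events" subcategory.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Verify the result.
auditpol /get /category:*
```

If both the nine legacy categories (set through the console) and subcategories (set with auditpol) are configured, the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" decides which of the two takes effect; enable it if you want the subcategory settings to win.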

Viewing the audit records

Once the appropriate audit policies are enabled, Windows Server 2008 automatically tracks the selected classes of operation and saves the records in the corresponding system log. The administrator can later judge from the log whether the server faces a security threat. The records are viewed with Event Viewer, as follows:

First log on to the Windows Server 2008 system with an administrator account and click "Start"/"Programs"/"Administrative Tools"/"Server Manager" to open the Server Manager console;

Next, in the left pane of the console, expand the "Diagnostics" branch, then "Event Viewer" and "Windows Logs". Under "Windows Logs" you will see the "Application", "Security", "Setup", "System" and "Forwarded Events" logs, as shown in Figure 3. The records produced by the audit policies are in the "Security" log;
Figure 3 Server Manager

Selecting one of these logs lists all of its event records in the middle pane of the window shown in Figure 3. Double-clicking a record opens its details, where the source of the event, its event ID, the description and other related information can be examined.

Important events can also be acted on. For example, to analyse an important event later without losing it when the log is cleaned up, save it first: right-click the event, choose "Save Selected Events" (or right-click the log and choose "Save Events As") from the shortcut menu, set the path and file name, and click "Save". The saved file can be reopened later with the "Open Saved Log" command in the same menu. When the server has accumulated too many events, the "Clear Log" command in the right-click menu frees the space, but clear the log only after archiving it (the dialog offers "Save and Clear"), since cleared events are unrecoverable and may be the only evidence of an incident. When the log is large it is hard to find a particular record; the "Filter Current Log" command narrows the list by event ID, level, source or time.
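The same viewing, filtering and archiving can be scripted. The following is an added example, not from the original article; it uses Get-WinEvent, which requires PowerShell 2.0 (available for Server 2008 SP2 and included with Server 2008 R2), and the archive directory is an assumption.

```powershell
# Added example (not from the original article): query the records produced by
# "Audit logon events", and archive the Security log before it is cleared.
# Run elevated; reading the Security log requires administrator rights.

# Failed logons (event ID 4625) in the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Group by target account and source address to spot password guessing.
# Property positions follow the 4625 event template and are fixed for that ID.
$failed | ForEach-Object {
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        Account = $_.Properties[5].Value    # TargetUserName
        Source  = $_.Properties[19].Value   # IpAddress
        Type    = $_.Properties[10].Value   # LogonType (10 = RemoteInteractive/RDP)
    }
} | Group-Object Account, Source | Sort-Object Count -Descending | Select-Object Count, Name

# Equivalent of "Save Events As": export the whole Security log to a file
# before clearing it. The archive can be reopened with Get-WinEvent -Path.
$archiveDir = 'C:\AuditArchive'   # assumed location
New-Item -ItemType Directory -Force -Path $archiveDir | Out-Null
$archive = Join-Path $archiveDir ("Security-{0}.evtx" -f (Get-Date -Format yyyyMMdd))
wevtutil epl Security $archive

# Only now is it safe to clear the live log.
# wevtutil cl Security

# Read the archived copy later, e.g. all successful logons it contains.
Get-WinEvent -Path $archive -FilterXPath "*[System[EventID=4624]]" -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } }
```

Get-WinEvent reports a non-terminating error when no event matches, which is why -ErrorAction SilentlyContinue is used; without it an empty result would look like a failure.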

Auditing in practice

Auditing is especially important for Windows Server 2008 systems in real environments, because servers on a LAN are exposed to attack. With auditing the administrator can track and monitor the various attacks, and when an event that signals a potential security threat occurs, the event recorded by the audit function can be used to notify the administrator, who can then find the cause immediately and take the right countermeasure to protect the server.

For example, some Trojans secretly create user accounts on the server in order to obtain administrator privileges. Monitoring user account management reveals whether an unauthorised account exists on the server, and then which account it is. Note that for Windows Server 2008 to notify the administrator automatically when an account is created, the Task Scheduler service must be running.

First, click "Start"/"Run" on the Windows Server 2008 desktop, type "secpol.msc" in the Run dialog and press Enter to open the Local Security Policy console;
Figure 4 Audit Account Management

Next, in the left pane of the console, expand "Security Settings"/"Local Policies"/"Audit Policy", and in the right pane double-click the "Audit account management" policy to open the properties dialog shown in Figure 4. Tick both "Success" and "Failure" and click "OK". Windows Server 2008 will now record every user account creation, whether it succeeded or failed;

To notify the administrator automatically of account creation, a scheduled task also has to be attached to the event. Click "Start"/"Programs"/"Administrative Tools"/"Server Manager" to open the Server Manager console; in the left pane expand "Diagnostics"/"Event Viewer"/"Windows Logs"/"Security" (account management events are written to the Security log, not the System log; an account creation is event ID 4720) and find a user account creation event. If no such event exists yet, create a user account on the server by hand so that one appears in Event Viewer.

Right-click the account creation event and choose "Attach Task To This Event" from the shortcut menu. This opens the Create Basic Task wizard. Give the new task a name, for example "Alert on user account creation". When the page shown in Figure 5 appears, choose the "Display a message" action and set the title and text of the alert; here the title is "Alert: user account created" and the text is "An account may have been created on the server without authorisation; the administrator should handle this event immediately!" Finally click "Finish". From then on Windows Server 2008 reports every account creation recorded by the audit function to the administrator.
Figure 5 Create Basic Task Wizard

To test this, create a user account on the server through a Remote Desktop session: an alert window appears on the server's screen telling the administrator that an account may have been created without authorisation and should be handled immediately. Knowing that someone has quietly created an account, the administrator can act at once, protecting the Windows Server 2008 server from further attack.
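A message box only helps while someone is watching the console. The following added example (not from the original article) registers the same event-triggered task from the command line with schtasks.exe, and has it run a handler script that reads the new 4720 event, records who created which account, and optionally mails the administrator. The script path, task name, event source and mail addresses are assumptions for illustration.

```powershell
# Added example (not from the original article): the "Attach Task To This Event"
# step done with schtasks.exe so it can be rolled out to many servers, plus a
# handler that names the created account and its creator instead of a fixed text.
# Run elevated. Requires PowerShell 2.0 on the server.

$scriptPath = 'C:\AuditTools\Alert-AccountCreated.ps1'   # assumed location
New-Item -ItemType Directory -Force -Path (Split-Path $scriptPath) | Out-Null

# Handler script, written to disk. It runs each time the task fires.
@'
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 1
# Property positions follow the 4720 event template.
$newAccount = $ev.Properties[0].Value    # TargetUserName: the account that was created
$creator    = $ev.Properties[4].Value    # SubjectUserName: who created it
$msg = "Account '$newAccount' was created by '$creator' at $($ev.TimeCreated). Verify this was authorised."

# Persist the alert in the Application log under a custom source (assumed name).
if (-not [System.Diagnostics.EventLog]::SourceExists('AccountAudit')) {
    New-EventLog -LogName Application -Source 'AccountAudit'
}
Write-EventLog -LogName Application -Source 'AccountAudit' -EntryType Warning -EventId 1000 -Message $msg

# Optional e-mail notification; addresses and relay are placeholders.
# Send-MailMessage -To 'admin@example.com' -From 'audit@example.com' -Subject 'Account created' -Body $msg -SmtpServer 'smtp.example.com'
'@ | Set-Content -Path $scriptPath -Encoding ASCII

# Register the task: trigger on Security event 4720, run as SYSTEM so it can read
# the Security log. The /MO argument is the same XPath Event Viewer generates.
schtasks /Create /F /TN "Alert on user account creation" /RU SYSTEM /SC ONEVENT /EC Security `
    /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4720]]" `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptPath"

# Optional test: create and immediately delete a throwaway account, then read the alert.
# net user tmpaudit /add
# net user tmpaudit /delete
# Get-EventLog -LogName Application -Source AccountAudit -Newest 1 | Format-List TimeGenerated, Message
```

Because the task runs as SYSTEM and the trigger is evaluated by the Task Scheduler service, the alert is produced whether or not anyone is logged on, which is the case the wizard's "Display a message" action cannot cover; the Task Scheduler service must still be running, as noted above.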

Copyright © Windows knowledge All Rights Reserved