A brief introduction to the file access audit policy of the Win 7 system


The Win 7 system actually has a lot of so-called policies, and most users are probably not familiar with them. Today we introduce the file access audit policy of the Win 7 system; users who are unfamiliar with it should take a good look.

First, the principle of auditing the fewest access operations

In Win7, access is divided very finely: modifying permissions, changing the owner, and so on, more than ten distinct access operations in all. Although the system administrator has to spend some time thinking about which operations to choose and how to configure them, this granularity is still a boon for administrators. Subdividing permissions means that once the administrator selects a particular access operation, the audit produces the minimum number of records. Put simply, the goal that "the audit records generated are minimal yet still cover the user's security needs" becomes easier to achieve, because in actual work it is usually only necessary to audit specific operations. For example, only a small set of operations, such as changing the contents of a file or accessing a file, needs to be audited; there is no need to audit every operation. Far fewer audit records are produced, and the user's security needs are still met.

Second, give priority to failure events

For any operation, the system distinguishes two cases: success and failure. In most cases, to collect information about illegal access by users, it is only necessary to have the system log failure events. For example, suppose a user has read-only access to a shared file. The administrator can set a security audit policy on this file so that information is recorded when the user attempts to change it, while other operations, such as normal reading, are not recorded. This too greatly reduces the volume of security audit records. The author therefore suggests that, in general, only failure events be enabled; if that does not meet the requirement, consider enabling success event logging at the same time. In that case the information on legitimate users legitimately accessing files is recorded as well, and be aware that the content of the security log may multiply. In the Windows 7 operating system you can filter the contents of the log; for example, filter on "Failure Event" so that the system lists only the failed records and reduces the administrator's reading.

Third, how to use the honeypot strategy to collect information about illegal visitors

In practice, system administrators can also use a "honeypot strategy" to collect information about illegal visitors. What is the honeypot strategy? It means putting some honey out on the network to attract the bees who want to steal it, and recording their information. For example, you can place some seemingly important files among the shared files on the network and then set an audit access policy on them. In this way it is possible to collect information about intruders with bad intentions. However, this kind of information usually cannot be used as evidence; it can only serve as an indicator of access. That is, the administrator can use this means to determine whether there are some "restless elements" in the enterprise network who keep trying to access unauthorized files, or to perform unauthorized operations on certain files, such as maliciously changing or deleting them. Know yourself and know your enemy, and you can win a hundred battles. After collecting this information, the system administrator can take the corresponding measures, such as strengthening the monitoring of this user, or checking whether the user's host has been taken over as someone else's bot (a "broiler"). In short, system administrators can use this mechanism to identify internal or external illegal visitors and prevent them from doing more serious damage.
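The two settings described in the second and third sections can be applied from PowerShell rather than the Properties dialog. The script below is an added example, not from the original article: it enables the "File System" audit subcategory with auditpol, puts a failure-only audit rule on an ordinary shared document (the read-only share case from the second section), puts a success-and-failure rule on a decoy file (the honeypot case from the third section), and then reads the Security log back filtered on the Audit Failure keyword. The folder D:\Share, the file names and the principal Users are assumptions; run it from an elevated prompt, because writing a SACL requires the security privilege.

```powershell
# Added example (not from the original article). Assumes a share folder
# D:\Share containing a production document Report.docx and a decoy file
# Salaries.xlsx; adjust paths and the principal ('Users') for your environment.
# Run elevated: modifying a SACL needs SeSecurityPrivilege.

# 1. Turn on the Object Access > File System subcategory. Section 2 above
#    recommends starting with failures only; the decoy in section 3 also
#    needs successes, so both are enabled here.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

function Add-FileAuditRule {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Identity,
        [Parameter(Mandatory=$true)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [Parameter(Mandatory=$true)] [System.Security.AccessControl.AuditFlags] $Flags
    )
    # -Audit makes Get-Acl read the SACL as well as the DACL.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $Identity, $Rights, $Flags
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 2. Production file: users may read it, so record only failed attempts
#    to change it, take it over or delete it (section 2).
Add-FileAuditRule -Path 'D:\Share\Report.docx' -Identity 'Users' `
    -Rights 'Write, Delete, ChangePermissions, TakeOwnership' -Flags 'Failure'

# 3. Decoy file: nobody has a legitimate reason to open it, so record every
#    successful read too (section 3).
Add-FileAuditRule -Path 'D:\Share\Salaries.xlsx' -Identity 'Users' `
    -Rights 'ReadData' -Flags 'Success, Failure'

# 4. Review. 4656 = a handle to an object was requested (logged for failures),
#    4663 = an attempt was made to access an object. Filtering on the Audit
#    Failure keyword (0x8010000000000000) gives the short list section 2 describes.
$AuditFailure = 0x8010000000000000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(4656, 4663); Keywords = $AuditFailure } -MaxEvents 50 |
    ForEach-Object {
        # Pull the named fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessMask
            Process = $d.ProcessName
        }
    } | Select-Object Time, User, Object, Access, Process | Format-Table -AutoSize

# Any access event naming the decoy, successful or not, is worth a look.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object { $_.Message -like '*Salaries.xlsx*' } |
    Select-Object TimeCreated, Id, KeywordsDisplayNames | Format-Table -AutoSize
```

Two design points follow the article's advice. The production file gets a Failure-only rule on the modifying rights, so legitimate reads generate nothing; the decoy gets Success on ReadData because for a file nobody should open, the successful read is exactly the signal wanted. Both rules are scoped to Users rather than Everyone so that service accounts and the administrator's own maintenance do not flood the log.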

Fourth, note that overwriting a file does not remove the original audit access policy

For example: there is a picture file called capture, and a file-level security audit policy is set on it, while no security audit policy is set on its folder "New Folder". Now, if I copy an identical file (same file name, with no security audit policy set on it) into this folder and overwrite the original file, note that no security audit policy is set at this point. After the copy, the original file has been overwritten by the file with the same name. However, the security audit policy is transferred to the newly copied file. In other words, the new file now carries the security audit settings of the file it overwrote. This is a very strange phenomenon, and the author discovered it by accident. I don't know whether this is a vulnerability in the Windows 7 operating system or whether it was deliberately designed that way; that is for the developers of the Microsoft operating system to explain.
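The observation above is easy to reproduce, and a practitioner should check the neighbouring case as well: what happens when the file is deleted and a fresh copy is brought in, rather than overwritten in place. The script below is an added example, not from the original article. It builds the "New Folder" and "capture" scenario in a scratch directory under %TEMP%, sets a SACL on the original file, prints the audit rules before and after an in-place overwrite, and then repeats the copy after deleting the file first. The paths and the principal Users are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original article). Reproduces the scenario above
# in a scratch folder under %TEMP% and adds the delete-then-copy variant.
# Paths and the principal 'Users' are assumptions. Run elevated.

function Get-AuditRuleSummary {
    param([Parameter(Mandatory=$true)] [string] $Path)
    # One entry per audit rule on the file; an empty result means the SACL is empty.
    $acl = Get-Acl -Path $Path -Audit
    $rules = $acl.Audit | ForEach-Object {
        "{0}:{1}:{2}" -f $_.IdentityReference, $_.FileSystemRights, $_.AuditFlags
    }
    if ($rules) { $rules -join ';' } else { '<no audit rules>' }
}

$folder = Join-Path $env:TEMP 'New Folder'   # folder carrying no SACL of its own
$target = Join-Path $folder 'capture.png'
$source = Join-Path $env:TEMP 'capture.png'  # same name, elsewhere, no SACL
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $target -Value 'original picture'
Set-Content -Path $source -Value 'replacement picture'

# Audit failed write attempts on the original file.
$acl  = Get-Acl -Path $target -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Users', 'Write', 'Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

"Before overwrite  : " + (Get-AuditRuleSummary $target)
"Source file       : " + (Get-AuditRuleSummary $source)

# Case 1: overwrite in place, as in the article. The existing file object is
# truncated and rewritten, so its security descriptor stays where it is.
Copy-Item -Path $source -Destination $target -Force
"After overwrite   : " + (Get-AuditRuleSummary $target)
"Content           : " + (Get-Content -Path $target)

# Case 2: delete, then copy. The destination is now a brand-new file object and
# gets only whatever SACL it inherits from the folder (none here).
Remove-Item -Path $target
Copy-Item -Path $source -Destination $target
"After delete+copy : " + (Get-AuditRuleSummary $target)

# Clean up the scratch files.
Remove-Item -Path $folder -Recurse -Force
Remove-Item -Path $source -Force
```

The contrast between the two cases is the practical lesson: an audit policy that lives only on the file survives an overwrite but not a delete-and-recreate, so an application that saves by writing a temporary file and renaming it over the original can silently drop the rule. Setting the audit entry on the folder, so that new files inherit it, avoids depending on either behaviour.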

In fact, these four aspects make up the file access audit policy of the Win 7 system. Take a look and learn from it; it may help you someday.
