Windows Server 2008 virus stealing account security risks


[IT expert network exclusive] Many network viruses and Trojans that attack a system quietly modify the system's login accounts in order to hide the traces of the attack. To keep the system operating securely, we need a way to promptly expose the network viruses and Trojans hiding in the system; so how can we learn, at the earliest moment, that a user account in the system has been secretly modified? This is easy to do with professional security tools, but in the Windows Server 2008 environment we can catch these account-tampering incidents with our bare hands even without such tools: we can use the newly added "attach task to event" function of the Windows Server 2008 Event Viewer to learn at once that a user account in the system has been secretly modified.


As you know, in older versions of the system we often use Event Viewer to record operations that affect system security, and by carefully analysing these security log entries later we can find some of the security risks hidden in the local system. Regrettably, however, the Event Viewer in older systems can only record operational events that pose a security threat; it cannot issue a security alert to the system administrator in time, so the administrator does not learn at the first moment that a security threat exists in the local system. In the Windows Server 2008 environment the Event Viewer has been clearly enhanced: the system administrator can bind a scheduled task to a specific system event, and once that event occurs in the future, the bound task is triggered and runs automatically.

With this function we can track account change events in time by binding an automatic alarm task to the account tampering event; once the event occurs, the alarm task is triggered, and when we hear the alarm we know at the first moment that some user account in the system has been secretly modified. Based on the above analysis, we only need to modify the system audit policy of Windows Server 2008 so that the system audits account management events, ensuring that Event Viewer automatically records the behaviour of a user account being secretly modified; after that we manually trigger a user account modification event and attach the automatic alarm task to that event. In this way, when a system user account is secretly modified in Windows Server 2008 in the future, the automatic alarm task is naturally executed and the system administrator learns that an account change event has occurred in the system. The administrator can then immediately take targeted measures to find the security risk and ensure that the hidden danger is eliminated at the first moment.


By default, even if we rename a system user account, we do not see a corresponding operation record in the Event Viewer list. Why is that? The reason is very simple: in its default state, Windows Server 2008 does not automatically record user account modifications, so we must modify the system audit policy before Event Viewer will record the event of a user account being modified. To audit account management events, we can follow the steps below:

First, log in to the Windows Server 2008 system as a system administrator, click "Start"/"Run" on the system desktop, enter the command "gpedit.msc" in the Run text box that pops up, and click the "OK" button to enter the Group Policy editing window;

Secondly, in the left pane of the editing window, position the mouse on the "Computer Configuration" node, expand Windows Settings/Security Settings/Local Policies/Audit Policy under that node, find the target group policy option "Audit account management" under the Audit Policy sub-item, right-click it, and select the "Properties" command from the pop-up shortcut menu to open the target group policy property settings window shown in Figure 1;

In the "Local Security Settings" tab of the property settings window, select the "Success" option and click the "OK" button; the Windows Server 2008 system can then audit successful modifications of user accounts. Similarly, we can also audit failed attempts to modify a user account by selecting the "Failure" option, so that Event Viewer automatically records the event of a user account failing to be modified.
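The same two steps, enabling account management auditing and binding an alarm task to the resulting Security event, can be done from the command line instead of through the Group Policy and Event Viewer windows. The following is an added example, not code from the original article; it uses auditpol.exe, wevtutil.exe and schtasks.exe, which ship with Windows Server 2008, and runs in an elevated PowerShell session. The task name, the C:\AuditAlarms folder and the alarm script are assumptions; the Security event IDs 4738 ("A user account was changed") and 4781 ("The name of an account was changed") are the standard Windows IDs for the account modification events the article talks about.

```powershell
# Added example (not part of the original article): enable auditing of account
# management events and bind an alarm task to the "account changed / renamed"
# Security events, using only tools that ship with Windows Server 2008.
# Assumed values: task name, alarm folder, alarm script path.

$TaskName    = 'AccountChangeAlarm'                   # assumed task name
$AlarmFolder = 'C:\AuditAlarms'                       # assumed folder
$AlarmScript = Join-Path $AlarmFolder 'Alarm.ps1'     # assumed script path
$AlarmLog    = Join-Path $AlarmFolder 'account-changes.log'
New-Item -ItemType Directory -Path $AlarmFolder -Force | Out-Null

# 1. Command-line equivalent of enabling "Audit account management"
#    (Success and Failure) under Local Policies / Audit Policy.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Check the effective policy before relying on it: the output must show
# "Success and Failure" for User Account Management.
auditpol /get /subcategory:"User Account Management"

# 2. The alarm action: when triggered, copy the newest matching Security
#    record into a log file and pop up a console message for the administrator.
#    Single-quoted here-string so $log etc. are written literally into the file.
$AlarmBody = @'
$log   = 'C:\AuditAlarms\account-changes.log'
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
# Newest (rd:true) single (c:1) event with ID 4781 or 4738 from the Security log.
$record = wevtutil qe Security /q:"*[System[(EventID=4781 or EventID=4738)]]" /c:1 /rd:true /f:text
Add-Content -Path $log -Value ("==== $stamp ====`r`n" + ($record -join "`r`n"))
# msg.exe only reaches sessions that are logged on; the log file is the durable record.
msg * "Security alarm: a user account was renamed or changed. See $log"
'@
Set-Content -Path $AlarmScript -Value $AlarmBody -Encoding ASCII

# 3. Register an event-triggered task. /SC ONEVENT with /EC (channel) and
#    /MO (XPath filter) is the schtasks form of Event Viewer's
#    "Attach Task To This Event" and is supported on Windows Server 2008.
$Action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$AlarmScript`""
schtasks /Create /F /TN $TaskName /RU SYSTEM /SC ONEVENT /EC Security `
  /MO "*[System[(EventID=4781 or EventID=4738)]]" /TR $Action

# 4. Verify the task exists and shows the event trigger, then perform the
#    test the article describes (modify or rename a throwaway local account)
#    and confirm that a new entry appears in $AlarmLog.
schtasks /Query /TN $TaskName /V /FO LIST
```

On a server where the Group Policy "Audit account management" setting and the auditpol subcategory setting disagree, the auditpol /get output is the one that reflects what is actually being audited, so it is worth re-checking after Group Policy has refreshed. The msg.exe pop-up is only the audible/visible part of the alarm; the log file written by the script is what you consult later to see which account was touched and by whom.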