Windows auditing application under Vista

  
The "audit" function is like a barometer for Windows: it lets us follow the computer's every move, and we can use that information to keep the system secure and to troubleshoot problems. In Vista the audit feature is more powerful than ever, and this article discusses its application under Vista.

1. Developing an audit strategy

Auditing is tracking. Once the corresponding audit function is enabled, the system tracks and records the event for the administrator to review. With auditing we can not only monitor the operations users perform on the computer, but also diagnose faults from the system's operating state. However, turning on auditing degrades system performance, because the system consumes some of its resources logging and storing events. We therefore need to develop an audit strategy that matches our needs when auditing is enabled. As an administrator, you need to be clear about the following: what needs to be audited; whether the audit policy is set correctly; which users have access to the logs; who is responsible for collecting and archiving logs; how the logs are backed up; what to do if logs are lost; how long logs are kept and how often they are reviewed; which tools and measures are needed to review the logs; and how to handle a security problem once the logs reveal it. Only in this way can we strike a balance between auditing and system performance.

2. Configuring an audit policy

Auditing monitors and records specific events, so the results are saved to the system's event log. Windows Vista does not write security log entries unless the corresponding audit function is turned on. To enable auditing, open the Local Security Policy console via Start → Control Panel → System and Maintenance → Administrative Tools, then find the appropriate audit policy under Local Policies → Audit Policy.
Vista offers nine audit policies. "Audit privilege use", for example, records users exercising rights other than logon, logoff and network access while the system runs. "Audit account management" records events such as the creation, deletion and modification of user accounts. "Audit process tracking" tracks and records background process activity such as program activation, handle duplication and access to file management resources. The method for enabling each audit policy is similar; which ones to enable should be chosen according to your own security needs. (Figure 1)
For example, to audit logon events, double-click the policy to open it, tick both "Success" and "Failure" for the attempts to audit, and click "Apply". Windows Vista then audits logon events for all local user accounts, both successful and failed logons, so that we can detect whether the system has been logged into without authorization or compromised. (Figure 2)
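As an added example (not part of the original article), the same logon auditing can be switched on and reviewed from an elevated PowerShell prompt instead of the console. It assumes Vista or later with PowerShell 2.0 installed, so that both auditpol and Get-WinEvent are available; the event IDs 4624/4625 are the standard Vista-era logon IDs, and the -MaxEvents limit is arbitrary.

```powershell
# Added example, not from the article: enable logon auditing and summarise
# successful and failed logons per account from the Security log.
# Assumes an elevated PowerShell 2.0+ prompt on Vista or later.

# Show the current state of the Logon/Logoff category (what the Local Security
# Policy console displays), then enable Success and Failure for the Logon subcategory
auditpol /get /category:"Logon/Logoff"
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Read a named EventData field from an event's XML. Looking fields up by name
# is more robust than indexing the positional Properties array.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4624 = successful logon, 4625 = failed logon. Reading the Security log needs
# administrative rights; the -MaxEvents limit is arbitrary.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 500

$summary = foreach ($e in $events) {
    if ($e.Id -eq 4624) { $result = 'Success' } else { $result = 'Failure' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Result    = $result
        Account   = Get-EventField $e 'TargetUserName'
        LogonType = Get-EventField $e 'LogonType'     # 2 = interactive, 3 = network, 10 = remote desktop
        Source    = Get-EventField $e 'IpAddress'
    }
}

# Counts per account and outcome: a run of Failure rows for one account is the
# pattern the article's logon auditing is meant to surface
$summary | Group-Object Account, Result | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The most recent failed attempts, with their logon type and source address
$summary | Where-Object { $_.Result -eq 'Failure' } | Sort-Object Time -Descending |
    Select-Object -First 10 Time, Account, LogonType, Source | Format-Table -AutoSize
```

The auditpol call changes the same setting the Local Security Policy dialog does, but per subcategory; if you later set the policy through the console, it overwrites what auditpol set for that category.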
3. Viewing the audit records

Once an audit policy is enabled, the system records the relevant events in the event log. To view the log, use the Event Viewer: click Start → Control Panel → System and Maintenance → Administrative Tools and open the Event Viewer console. Under Windows Logs there are several logs: Application, Security, Setup, System, and Forwarded Events. Click a log to list all of its event records in the middle pane. Double-click an event record to open its details window, which shows the source of the event, the event ID, and so on. Right-clicking a log on the left offers several operations on it. For example, "Save Events As" exports that log; "Open Saved Log" imports an existing saved log; if there are too many records, "Clear Log" removes them all to free up space; and when an administrator needs to find particular information among a large number of records, "Filter Current Log" screens them by event level, event ID, keyword, user and so on. (Figure 3)
4. Monitoring file access

File monitoring is very practical in real-world use. For example, if an administrator sets up a shared folder and finds it changed beyond recognition, folder monitoring tells us which users operated on the folder and, from there, which user did it. Note that auditing of files and folders relies on the NTFS file system, so the partition must use that format. First enable the "Audit object access" policy in Local Security Policy; to keep the search precise we record only "Success" events. Then navigate to the folder to be monitored, right-click it and select "Properties", click the "Advanced" button on the "Security" tab, select the "Auditing" tab and click the "Continue" button. In the window that opens, click "Add" and enter the name of the user account or group whose access should be audited. Then tick the actions to monitor in the audit entry, such as "Create files / write data" and "Delete"; select "Full control" to monitor all of the user's actions. Finally click "OK" to complete the audit settings. (Figure 4)
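The folder-monitoring setup described above, done from an elevated PowerShell prompt, as an added example that is not part of the original article. The folder path and the account name are placeholders chosen for illustration; the script assumes PowerShell 2.0 or later on Vista, an NTFS volume, and that the session holds the SeSecurityPrivilege needed to write a SACL.

```powershell
# Added example, not from the article: enable object-access auditing and add an
# audit entry (SACL) to a folder, the equivalent of the Properties > Security >
# Advanced > Auditing steps. Paths and account names below are placeholders.
$Folder  = 'C:\Shared\Reports'   # assumed: the shared folder to monitor
$Account = 'BUILTIN\Users'       # assumed: the user or group whose access is audited

# Step 1: enable the object-access policy. As in the article, only Success
# events are recorded so the log stays focused on what actually happened.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# Step 2: build the audit entry. CreateFiles is the same right the dialog calls
# "Create files / write data"; use [FileSystemRights]::FullControl to audit everything.
$rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete, DeleteSubdirectoriesAndFiles'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Account, $rights, $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit makes Get-Acl/Set-Acl read and write the SACL, not only the DACL
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3: confirm the entry that was written
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Without the "File System" subcategory (or the parent "Object access" policy) enabled, the SACL is stored but never produces an event, which is the most common reason file auditing appears not to work.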
The system now records the specified events in the Security log, which we can view under "Windows Logs" → "Security" in the Event Viewer. There will be a great many entries, so we use a filter. Right-click "Security" on the left and select "Filter Current Log" to open the filter window. On the "Filter" tab, because we want to see the copied files, choose "Security-Auditing" under "Event sources", "File System" under "Task category", enter "4656" under "Event IDs", then click "OK". The list on the right of the Event Viewer now shows one entry for each data read. Double-click an entry to view its details; entries with Object Type: File are accesses to files. In our example, double-clicking the entry shows that the user "hacker" copied the "fr" folder. (Figure 5)
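The same filter (Security log, Security-Auditing source, event ID 4656, Object Type File) expressed as a Get-WinEvent query, as an added example that is not from the original article. It assumes PowerShell 2.0 or later on Vista with administrative rights, and the folder path is the same placeholder used for the monitoring setup.

```powershell
# Added example, not from the article: reproduce the Event Viewer filter for
# file-access auditing and print who opened which file, with what access mask,
# from which process. The folder path is a placeholder.
$Folder = 'C:\Shared\Reports'   # assumed: the monitored folder

# Read a named EventData field from the event XML
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4656 = "A handle to an object was requested" (the article's event ID).
# ProviderName is the full name of the "Security-Auditing" source shown in the console.
$query = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4656
}

Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue |
    # Keep only file objects, as the article does by checking "Object Type: File"
    Where-Object { (Get-EventField $_ 'ObjectType') -eq 'File' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = (Get-EventField $_ 'SubjectDomainName') + '\' + (Get-EventField $_ 'SubjectUserName')
            File    = Get-EventField $_ 'ObjectName'
            # AccessMask is the raw hex mask; the resolved names ("ReadData", "Delete", ...)
            # appear in the rendered Message property of the same event
            Mask    = Get-EventField $_ 'AccessMask'
            Process = Get-EventField $_ 'ProcessName'
        }
    } |
    Where-Object { $_.File -like "$Folder*" } |
    Sort-Object Time |
    Format-Table Time, User, File, Mask, Process -AutoSize
```

Event 4656 records that a handle to the file was requested; the sibling event 4663 ("An attempt was made to access an object") records the access that was actually performed, so when confirming that data was really read or written it is worth running the same query with Id = 4663 as well. Add a StartTime entry to the hashtable to keep the query to the period under investigation.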
Summary: This article has used file monitoring as just one example of applying Vista's audit function to system security. In fact its applications are very broad, but they all follow the same pattern: first enable the desired audit policy, then review the results in the Event Viewer. Flexible use of filters helps us locate the entries we need quickly.

Copyright © Windows knowledge All Rights Reserved