4. Prerequisites for using the audit policy
Two conditions must be met before the audit policy can be used. First, Windows XP Professional (or Windows 2003) must be installed, and the files, folders, registry keys and other objects to be audited must be located on an NTFS file-system partition. Second, the "Audit object access" policy must be enabled as described above. Once these conditions are met, auditing can be configured for specific files or folders, specifying which users or groups and which types of access are to be recorded.
Practical Application
Practical Task 1: What did the commercial spy do?
Task Description: Agui is the network administrator of an IT company. Recently the boss found that some trade secrets had gone missing. Without the employees knowing, he wants to monitor when they access or use the data in a specified disk or folder on the company's computers, for example the server's "D:\data" folder. The boss considered Xiao He the most suspicious, so he decided to start by monitoring him.
Pre-war analysis: Each employee of the company is assigned a separate account (remember not to give them permission to modify the policy settings!). To monitor a selected account's or group's access to the target, you need to audit the access and execute rights on that target. Before you start, first clear "Use simple file sharing" under the "Folder Options → View" tab.
Step 1: Double-click "Audit Object Access" on the right side in "Audit Policy", check "Success", confirm the operation and exit the editor. Right click on the target disk or folder and select "Properties", switch to the "Security" tab, click "Advanced" and switch to the "Audit" tab.
Step 2: Click "Add" and enter the user name Xiao He uses. Because Xiao He belongs to the normal user group (Users), enter "computer name\Users" and click "OK" (see Figure 3). The audit entry selection window then pops up; because Xiao He's access to and execution of the target are to be monitored, check all operations (see Figure 4).
Step 3: The policy is now complete, and you can test whether it works. Open Event Viewer, right-click "Security", select "Clear all Events", and log out of the system. Xiao He now logs in, visits "D:\data" and executes one of the files there (for example, runs the "MSN6.2.exe" file stored in that directory). After he logs out, Agui logs in as administrator and checks the log. Isn't Xiao He's access behaviour clearly recorded (see Figure 5)?
Haha, with the evidence in hand, however clever Xiao He may be, he cannot escape network administrator Agui.
Practical Task 2: Who "hijacked" my IE?
Task Description: I believe you have had a similar experience: family members often use your computer to get online, and the next time you use it you find that IE's home page has been "hijacked" by some disgusting site! Although you can change it back, you don't know which website did it. How can you catch the culprit the next time IE is "hijacked"?
Pre-war analysis: We know that modifying the IE home page actually means writing certain values in the registry. As long as the writes to that registry key are audited and recorded, finding the "hijacker" should not be difficult.
Step 1: Set "Success" auditing in "Audit object access". Open the Registry Editor, locate [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main], right-click the "Main" key and select "Permissions".
Tips
If necessary, you can also monitor [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main].
Step 2: Click “Advanced”, switch to “Audit”, enter the current user account, and apply this rule after checking “Set Value” in the access audit item.
Step 3: Open http://www.cfan.com.cn, select "Tools→Internet Options", and under "General" set the current page as the home page. Now open Event Viewer; the modified registry entry can easily be found from the log record (see Figure 6).
Practical Task 3: How to dig out the "inner ghost" in the registry?
Task Description: Some software automatically adds itself to the startup items after installation without prompting the user, and Trojans do the same, only worse! Such abominable behaviour is often hard to see directly, so how can we identify and dig out the "inner ghosts" they plant in the registry?
Pre-war analysis: This task was introduced in the article "Catch the inner ghost in the registry - registry listener" in issue 17 of 2004, where the author completed it with various registry-monitoring utilities. Those utilities work by monitoring the registry keys that control the system's startup groups and judging from the change in the monitored data before and after. Here we use the "Audit object access" policy to complete the same task, taking the startup item that MSN Messenger adds automatically after installation as the example.
Step 1: In the same way, create an audit policy for modifications to the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] key in the registry.
Step 2: Open Event Viewer, clear the log, and install MSN Messenger.
Step 3: Open Event Viewer again; the event record of the startup item being modified can be found in the right-hand pane (see Figure 7).
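The GUI steps of Tasks 1 to 3 can also be applied as a script. The following is an added example and not code from the original article; it assumes an elevated PowerShell session on Windows Vista or later (where Get-WinEvent and event IDs 4663/4657 exist, replacing the XP "Object Access" events shown in Figures 5 to 7) and that "Audit object access" has already been enabled as described above. The folder path, account names and registry keys follow the article; everything else is an assumption.

```powershell
# Added example (not from the article): set the same SACL audit entries as the GUI
# steps of Tasks 1 to 3, then read back what the Security log recorded.
# Requires an elevated session: writing a SACL needs SeSecurityPrivilege.
# Assumes "Audit object access" is already enabled in Local Security Policy.

$Folder  = 'D:\data'                                              # Task 1 target
$Group   = "$env:COMPUTERNAME\Users"                              # "computer name\Users" from Step 2
$Me      = "$env:USERDOMAIN\$env:USERNAME"                        # current account, Tasks 2 and 3
$IeMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'      # Task 2 target
$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'  # Task 3 target

function Add-FolderAudit {
    param([string]$Path, [string]$Identity)
    # Task 1: record successful read/execute access by the group, inherited by
    # every file and subfolder under the target ("all operations" in Figure 4).
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit          # -Audit fetches the SACL, not just the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Add-RegistryAudit {
    param([string]$Path, [string]$Identity)
    # Tasks 2 and 3: record successful "Set Value" on the key, as in the GUI audit entry.
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Add-FolderAudit   -Path $Folder -Identity $Group
Add-RegistryAudit -Path $IeMain -Identity $Me
Add-RegistryAudit -Path $RunKey -Identity $Me

# Read back the evidence: 4663 = an attempt was made to access an object (files),
# 4657 = a registry value was modified. The message names the account and the object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4657 } -MaxEvents 20 |
    Format-List TimeCreated, Id, Message
```

Rerunning the script adds duplicate audit entries; check the existing SACL with Get-Acl -Audit before applying it a second time.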
Appendix: nine hiding places of self-starting programs in the registry
Load key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Userinit key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Explorer Run key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RunServicesOnce key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce and HKEY_LOCAL_MACHINE\SO… (path truncated in the original)
RunServices key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
RunOnceSetup key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceSetup and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceSetup
RunOnce key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run