
Use Windows 2000 security audits to make intruders visible



Source: eNet

Sometimes you want to know what has happened on your host or server: who has visited it? Windows 2000 in fact provides a very useful facility for this: the security audit function. Security auditing records a range of security-related events in the form of logs. You can use this information to build a profile of regular activity, to find and track suspicious events, and to preserve a record of an intruder's actions as legal evidence.

  Opening the audit policy

The default installation of Windows 2000 does not enable any security audit, so you need to open [My Computer]→[Control Panel]→[Administrative Tools]→[Local Security Policy]→[Audit Policy] and enable the audits you need. The system provides nine types of auditable event. For each type you can specify whether to audit successful events, failed events, or both (see Figure 1).

  Figure 1 Setting an audit policy

Policy change: changes to security policy, including privilege assignment, audit policy modification and trust relationship modification. Both success and failure events of this category should be audited.

Logon events: interactive logons or network connections to the local computer. Both success and failure events of this category should be audited.

Object access: must be enabled before auditing of specific objects (files, folders, and so on) can be configured; the failure events of this category should be audited.

Process tracking: detailed tracking of process creation, duplicated process handles and process termination; this category can be enabled or not according to need.

Directory service access: records access to Active Directory; the failure events of this category should be audited.

Privilege use: the use of a particular privilege, or the assignment of special privileges; the failure events of this category should be audited.

System events: events related to security (such as system shutdown and restart) and events that affect the security log. Both success and failure events of this category should be audited.

Account logon events: validation of an account (account credentials) when the local computer is accessed over the network. Both success and failure events of this category should be audited.

Account management: creating, modifying or deleting users and groups, and changing passwords. Both success and failure events of this category should be audited.

Once these audits are enabled, when someone tries to break into your system in certain ways (such as guessing user passwords, changing account policies, or accessing files without authorization), the attempt is audited, recorded, and stored in the security log of the 'Event Viewer'.

In addition, an account policy can be set in the 'Local Security Policy'. If the account lockout threshold in the account lockout policy is set to three (so that the account is locked after three invalid logon attempts) and the lockout duration is set to 30 minutes or even longer, then an attacker cannot try passwords around the clock, and also risks being recorded and tracked.

  After the audit policy has been set, the computer needs to be restarted for it to take effect. It should be explained here that there should be neither too many nor too few audit items. If there are too few, you may look for signs of an intrusion and find that nothing was recorded, leaving you with nothing to go on; but if there are too many audit items, not only do they consume a lot of system resources, you may also not have the time to read through all the security logs, and the audit loses its point.

Auditing access to files and folders

Auditing access to files and folders requires, first, that the files or folders to be audited are located on an NTFS partition and, second, that the object access audit policy has been enabled as described above. If these conditions are met, you can audit specific files or folders and specify which users or groups, and which types of access, are to be audited.

  Figure 2 Confirming the audit entries

  Figure 3 Deciding whether to inherit auditing

On the 'Security' page of the properties window of the selected file or folder, click the [Advanced] button; on the 'Auditing' page, click [Add], select the user or group whose access to the file or folder you want to audit, and click [OK]; in the 'Auditing Entry' dialog box, select the 'Successful' or 'Failed' check box for each event you want to audit (as shown in Figure 2) and confirm when the selection is complete. This returns you to the 'Access Control Settings' dialog box. By default, auditing changes made to a parent folder are applied to the subfolders and files it contains. If you do not want auditing changes made to the parent folder to apply to the currently selected file or folder, clear the check box 'Allow inheritable auditing entries from parent to propagate to this object' (Figure 3).

Viewing and maintaining audit results

Once the audit policy and audit events have been set, the results of the audit are recorded in the security log, which can be viewed with the Event Viewer: either the contents of the security log as a whole or the details of a specified event in the log.

  Figure 4 Event Viewer

Run 'Event Viewer' from 'Administrative Tools' and select 'Security Log'. The list of log entries is displayed on the right, together with summary information for each entry (Figure 4). If you find a successful logon audit after several failed logon audits, you must examine the log information carefully. If the password was simple enough to be guessed, you need to increase its length and complexity. Here you can view the details of each event, and you can also find and filter the events that meet given conditions.
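As an added example (not from the original article), the following Python script implements the check described above together with the lockout setting from the account policy section: it scans constructed sample security-log entries and flags any successful logon that follows several failed logons for the same account within a short window, with the failure count set to the article's lockout threshold of 3. The event IDs 528 and 529 and the simplified one-line-per-event format are assumptions, not an Event Viewer export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Windows 2000 security-log event IDs (verify on your own system):
# 529 = logon failure (unknown user name or bad password), 528 = successful logon.
LOGON_FAILURE, LOGON_SUCCESS = 529, 528

# Constructed sample entries in a simplified "time,event_id,account,source"
# form; this is not a real Event Viewer export.
SAMPLE_LOG = """\
2001-03-05 02:10:11,529,Administrator,10.0.0.7
2001-03-05 02:10:19,529,Administrator,10.0.0.7
2001-03-05 02:10:31,529,Administrator,10.0.0.7
2001-03-05 02:10:52,528,Administrator,10.0.0.7
2001-03-05 08:00:03,528,alice,10.0.0.22
2001-03-05 08:14:40,529,bob,10.0.0.31
2001-03-05 09:30:00,528,bob,10.0.0.31
"""

def parse_log(text):
    """Parse the simplified format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "account": account.lower(), "source": source})
    return sorted(events, key=lambda e: e["time"])

def find_guessed_logons(events, min_failures=3, window=timedelta(minutes=30)):
    """Return (account, source, failure_count, success_time) for each successful
    logon preceded by at least min_failures failed logons of the same account
    within window. The defaults mirror the article's lockout policy (3 attempts,
    30 minutes), so a hit means the lockout should also have fired."""
    recent = defaultdict(list)   # account -> timestamps of failures still in window
    hits = []
    for e in events:
        fails = recent[e["account"]]
        fails[:] = [t for t in fails if e["time"] - t <= window]  # expire old ones
        if e["id"] == LOGON_FAILURE:
            fails.append(e["time"])
        elif e["id"] == LOGON_SUCCESS:
            if len(fails) >= min_failures:
                hits.append((e["account"], e["source"], len(fails), e["time"]))
            fails.clear()  # a success resets the count, as the lockout counter would
    return hits

if __name__ == "__main__":
    for account, source, n, when in find_guessed_logons(parse_log(SAMPLE_LOG)):
        print(f"{when}: '{account}' logged on from {source} after {n} failed attempts")
```

Only the Administrator sequence is reported; bob's single failure is followed by a success more than 30 minutes later, so it falls outside the window.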

As audit events accumulate, the security log file keeps growing. By default the log file size is 512 KB, and when the maximum log size is reached the system overwrites events older than 7 days. These settings can be changed as needed. Right-click the 'Security Log' item in 'Event Viewer' and select 'Properties' to open the security log properties window (Figure 5). On the 'General' tab, network administrators can modify these default settings according to their own needs for storing security logs.


  Figure 5 Security log property settings

Although the audit policy in Windows 2000 cannot by itself control user access, the security logs generated by the auditing you enable let you understand the system's hidden risks and how its resources are being used. This provides a reliable basis for tracking intruders and helps in taking the corresponding preventive measures to minimize the system's insecure factors, creating a more secure and reliable Windows 2000 platform.
