[Windows Security Settings] Windows 2000 Security Audit Policy: Leave the Intruder Nowhere to Hide

xiaoxiao, 2021-03-06

As a network administrator, do you know what has happened on your host or server? Who has visited, what did they do, and what were they after? Often you simply do not know. In fact, Windows 2000 provides a security auditing feature, and as administrators this is the feature we should know best; without it, how would you manage the system at all? Security auditing records several kinds of security-related events in the form of logs. You can use that information to produce regular summary reports, discover and track suspicious events, and retain valid legal evidence of a particular intrusive activity.

Enabling an audit policy

A default Windows 2000 installation does not enable any security auditing, so you must enable the relevant audit categories under [My Computer] → [Control Panel] → [Administrative Tools] → [Local Security Policy] → [Audit Policy]. The system provides nine categories of auditable events, and for each category you can choose to audit successful events, failed events, or both (see Figure 1).

Figure 1: Setting up an audit policy

Policy change: changes to the security policy, including privilege assignments, modifications to the audit policy, and trust modifications. Both success and failure events in this category must be audited.

Logon events: interactive logons to the local computer or network connections to it. Both success and failure events in this category must be audited.

Object access: must be enabled before auditing of specific objects can be configured; its failure events need to be audited.

Process tracking: detailed tracking of process creation, duplicated process handles and process termination; this category can be selected as needed.

Directory service access: records access to Active Directory; its failure events need to be audited.

Privilege use: the use of a privilege or a special privilege assignment; its failure events need to be audited.

System events: events related to security, such as system shutdown and restart; both success and failure events in this category must be audited.

Account logon events: validation of an account (account validity) when the local computer is accessed over the network; both success and failure events in this category must be audited.

Account management: creating, modifying or deleting users and groups, and password changes; both success and failure events must be audited.

Once these audit categories are enabled, any attempt against your system, such as guessing a user's password, changing the account policy, or accessing files without authorization, is recorded by security auditing and stored in the Security log, which you can view in Event Viewer.

In addition, the account policy can also be enabled in Local Security Policy: in the account lockout policy, set the account lockout threshold to three attempts (the account is then locked after three invalid logons) and the account lockout duration to 30 minutes or even longer. This way, a hacker who wants to attack you can try only a few passwords in a whole day, and still runs the risk of being recorded.

After the audit policy has been set, you need to restart the computer for it to take effect. Note that the number of audit items should be neither too large nor too small. If it is too small, you may look for signs of a hacker attack and find that nothing was recorded, and then nothing can be done; if it is too large, it not only consumes a lot of system resources, but you may never have the time to read through all those security logs, which defeats the purpose of auditing.
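As an added example (not part of the original article), the audit categories and lockout values recommended above written as a Windows 2000 security template, which secedit can apply in one step instead of clicking through Local Security Policy; the file name audit.inf is an assumption.

```ini
; Constructed security template (audit.inf) for Windows 2000 secedit.
; Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
; policy change: success and failure
AuditPolicyChange = 3
; logon events: success and failure
AuditLogonEvents = 3
; object access: failure (must be on before file/folder auditing works)
AuditObjectAccess = 2
; process tracking: off by default, enable only when needed
AuditProcessTracking = 0
; directory service access: failure
AuditDSAccess = 2
; privilege use: failure
AuditPrivilegeUse = 2
; system events: success and failure
AuditSystemEvents = 3
; account logon events: success and failure
AuditAccountLogon = 3
; account management: success and failure
AuditAccountManage = 3

[System Access]
; lock the account after three invalid logons
LockoutBadCount = 3
; keep it locked for 30 minutes
LockoutDuration = 30
; reset the invalid-logon counter after 30 minutes (must not exceed LockoutDuration)
ResetLockoutCount = 30
```

Apply it with `secedit /configure /db %TEMP%\audit.sdb /cfg audit.inf /areas SECURITYPOLICY /log audit.log` from an administrative command prompt, then restart as described above.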

Auditing access to files and folders

Auditing access to files and folders first requires that the audited file or folder be on an NTFS partition, and second that the object access audit policy described above be enabled. Once both conditions are met, you can audit a specific file or folder and specify which types of access by which users or groups are audited.

On the Security tab of the properties window of the selected file or folder, click the [Advanced] button; on the Auditing tab, click [Add], select the user or group whose access to the file or folder you want to audit, and click [OK]. In the Auditing Entry dialog box, select the "Successful" or "Failed" check box for each type of access you want to audit (Figure 2), and confirm when you have finished. Back in the Access Control Settings dialog, audit changes made to the parent folder are by default applied to the subfolders and files it contains. If you do not want audit changes made on the parent folder to apply to the currently selected file or folder, clear the check box "Allow inheritable auditing entries from parent to propagate to this object" (Figure 3).

Viewing and maintaining audit results

After the audit policy and audit entries have been configured, the results generated by auditing are recorded in the Security log. Use Event Viewer to view the contents of the Security log, or to find more information about a specific event in the log.

Run Event Viewer from Administrative Tools and select the Security log. The list of log entries is displayed on the right with summary information for each entry (Figure 4). If you find a successful logon audited after several failed logons, you should look at those log entries closely. If your password was simple enough to be guessed, you need to increase its length and complexity. Here you can see more details for each event, and you can also find and filter the events that meet given criteria.

As audit events accumulate, the security log file keeps growing. By default the log file size is 512 KB, and when the maximum log size is reached the system overwrites events older than 7 days. You can change this as needed: right-click the "Security Log" item in Event Viewer, select Properties to open the properties window of the Security log (Figure 5), and on the General tab the network administrator can modify these default settings according to actual needs to meet the storage requirements for the security log.
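The same Security log settings from the Figure 5 properties window, as an added example in security-template form (not from the original article) so that the change can be scripted and repeated across machines; the file name seclog.inf and the 4 MB / 14-day values are illustrative choices, not the article's.

```ini
; Constructed security template (seclog.inf) for the Security log.
; Article defaults: 512 KB, overwrite events older than 7 days.
; Below: 4 MB, and overwrite only events older than 14 days.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Security Log]
; size in kilobytes, in multiples of 64 KB (the default is 512)
MaximumLogSize = 4096
; 0 = overwrite events as needed, 1 = overwrite events older than
; RetentionDays, 2 = never overwrite (the log must be cleared manually)
AuditLogRetentionPeriod = 1
RetentionDays = 14
```

Apply it with `secedit /configure /db %TEMP%\seclog.sdb /cfg seclog.inf /areas SECURITYPOLICY`, then confirm the new values on the General tab of the Security log properties in Event Viewer.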

Although an audit policy in Windows 2000 cannot control users' access, the security logs produced once auditing is enabled let you understand the system's security risks and how its resources are being used. This gives us a reliable basis for tracking hackers, and for taking corresponding precautions to minimize insecure factors in the system, creating a more secure and reliable Windows 2000 platform.
