Network administrator security training camp - protect the black box of Windows


Everyone is familiar with an aircraft's "black box": it faithfully records every flight parameter, and after an accident the cause of the failure can be found by reading the data it holds. Windows also has a "black box": its log files, which record every detail of the Windows system and its various services and play a very important role in the stability and security of Windows. Yet many users pay no attention to protecting them, and "uninvited guests" can easily empty the log files, leaving the system at serious risk.

First, what is a log file
A log file is a special file in the Windows system that records everything that happens on the system, such as the starting, running and shutting down of the various system services. The Windows log is divided into several parts, including the application, security and system logs. They are stored under "%systemroot%\system32\config", and the application, security and system logs correspond to the files AppEvent.evt, SecEvent.evt and SysEvent.evt respectively. These files are protected by the "Event Log" service and cannot be deleted, but they can be emptied.

Second, how to view the log files
Viewing log files in Windows is very simple. Click "Start → Settings → Control Panel → Administrative Tools → Event Viewer"; the left pane of the Event Viewer window lists the log types on the machine, such as application, security and system. Viewing an individual record is just as simple: select a log type in the left pane, for example the application log, and all the records of that log are listed in the right pane. Double-click one of the records and the "Event Properties" dialog box pops up with the details of that record. In this way we can see exactly what is happening in the system, whether it affects the normal operation of Windows and, if there is a problem, track it down.

Third, protecting the Windows log files
Since the log files are so important to us, we cannot neglect their protection, which means preventing "lawless" visitors from clearing them.

1. Modify the log file storage directory
The default path of the Windows log files is "%systemroot%\system32\config". We can change the storage directory by editing the registry to strengthen the protection of the logs.

Click "Start → Run", type "Regedit" in the dialog box and press Enter to open the Registry Editor. Expand "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog"; the Application, Security and System subkeys beneath it correspond to the application, security and system logs respectively.

Taking the application log as an example, the author moves it to the "d:\cce\" directory. Select the Application subkey (as shown in the figure) and find the File value in the right pane. Its data is the path of the application log file, "%SystemRoot%\system32\config\AppEvent.Evt"; change it to "d:\cce\AppEvent.Evt". Then create a new "CCE" directory on the D drive, copy "AppEvent.Evt" into it, and restart the system to complete the change of the application log's storage directory. The paths of the other log types are changed in the same way, only under their own subkeys.
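The same redirection done from an elevated Windows PowerShell prompt instead of Regedit. This is an added example, not code from the original article; it assumes a Windows version that ships PowerShell and uses the D:\CCE directory chosen above.

```powershell
# Added example (not from the original article): redirect the Application log
# to D:\CCE by editing the Eventlog service's File value, as section III.1 describes.
# Run from an elevated prompt; a reboot is still required, as the article says.
$NewDir  = 'D:\CCE'        # directory chosen in the article
$LogName = 'Application'   # 'Security' or 'System' work the same way
$KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"

# 1. Read the current File value and expand %SystemRoot% so the file can be copied.
$rawPath = (Get-ItemProperty -Path $KeyPath -Name File).File
$oldFile = [Environment]::ExpandEnvironmentVariables($rawPath)
$newFile = Join-Path $NewDir (Split-Path $oldFile -Leaf)   # D:\CCE\AppEvent.Evt

# 2. Create the new directory and copy the existing log so its history is kept.
New-Item -ItemType Directory -Path $NewDir -Force | Out-Null
Copy-Item -Path $oldFile -Destination $newFile -Force

# 3. Point the service at the new location. The value is REG_EXPAND_SZ, so keep that type.
Set-ItemProperty -Path $KeyPath -Name File -Value $newFile -Type ExpandString

# 4. Verify the change before rebooting.
$check = (Get-ItemProperty -Path $KeyPath -Name File).File
if ($check -ne $newFile) { throw "File value was not updated for the $LogName log" }
Write-Host "$LogName log will be written to $newFile after the next restart"
```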


2. Set file access permissions
Even after the log file's storage directory has been changed, the log can still be emptied. The following steps prevent this by changing the access permissions of the log file; they require that the Windows system uses the NTFS file system.
Right-click the CCE directory on the D drive, choose "Properties" and switch to the "Security" tab. First uncheck the "Allow inheritable permissions from the parent to propagate to this object" option. Then select the "Everyone" account in the account list box and give it only the "Read" permission. Next click the "Add" button to add the "System" account to the list box and give it all permissions except "Full Control" and "Modify". Finally click "OK". From now on, an error dialog appears whenever a user tries to clear the Windows log.
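The same permission changes applied with PowerShell's Get-Acl/Set-Acl rather than the Properties dialog. This is an added example, not the article's own steps; it assumes D:\CCE already exists on an NTFS volume and that the prompt is elevated.

```powershell
# Added example (not from the original article): apply the NTFS permissions from
# section III.2 to D:\CCE. Assumes the directory exists on an NTFS volume.
$Dir = 'D:\CCE'
$acl = Get-Acl -Path $Dir

# Stop inheriting from the parent but keep copies of the inherited entries, which is
# what the dialog does when "Allow inheritable permissions ..." is unchecked.
$acl.SetAccessRuleProtection($true, $true)

# Apply to the directory, its files and subdirectories so AppEvent.Evt is covered too.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Everyone: Read only. SetAccessRule replaces any existing Allow entries for the account.
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'Read', $inherit, $none, $allow)))

# SYSTEM: everything except Full Control and Modify, i.e. Read & Execute (which covers
# List Folder Contents and Read) plus Write. Modify would additionally grant Delete.
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'ReadAndExecute, Write', $inherit, $none, $allow)))

Set-Acl -Path $Dir -AclObject $acl

# Show the resulting entries so the change can be checked against the article's list.
(Get-Acl -Path $Dir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```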

Fourth, analysis of Windows log examples
Many operational events are recorded in the Windows log. To make them easier to manage, each type of event is given a unique number, the event ID.

1. View the power-on and shutdown history
On Windows we can view the computer's start-up and shutdown records through the system log in Event Viewer, because the Event Log service starts and stops together with the computer and leaves a record in the log each time. Here we introduce two event IDs, 6005 and 6006. Event ID 6005 means that the Event Log service was started; if an event with ID 6005 is found in Event Viewer, the Windows system was started normally on that day. Event ID 6006 means that the Event Log service was stopped; if no event with ID 6006 is found for that day, the computer was not shut down normally, for example because of a system problem or because the power was cut directly rather than by a normal shutdown operation.

2. Check the DHCP configuration warning message
In a large network, a DHCP server is usually used to configure the clients' IP address information. If a client cannot find the DHCP server, it automatically configures itself with an internal IP address and generates an event with ID 1007 in the Windows log. If a user finds an event with this number in the log, the machine could not obtain its information from the DHCP server, and it is necessary to check whether the machine or the DHCP server is faulty.
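The checks from sections IV.1 and IV.2 turned into a per-day summary, run here over a constructed sample of System-log records. This is an added example, not part of the original article; the sample events are made up, and the commented Get-EventLog line is the assumed way to feed it real records on Windows PowerShell.

```powershell
# Added example (not from the original article): apply the event-ID rules from
# sections IV.1 and IV.2 to a constructed sample of System-log records.
# On a live machine (Windows PowerShell) the sample can be replaced with:
#   Get-EventLog -LogName System | Where-Object { $_.EventID -in 6005, 6006, 1007 }
$sampleEvents = @(
    [pscustomobject]@{ TimeGenerated = [datetime]'2004-03-01 08:02'; EventID = 6005 }
    [pscustomobject]@{ TimeGenerated = [datetime]'2004-03-01 18:30'; EventID = 6006 }
    [pscustomobject]@{ TimeGenerated = [datetime]'2004-03-02 08:10'; EventID = 6005 }
    [pscustomobject]@{ TimeGenerated = [datetime]'2004-03-02 08:11'; EventID = 1007 }
    [pscustomobject]@{ TimeGenerated = [datetime]'2004-03-03 09:00'; EventID = 6005 }
    [pscustomobject]@{ TimeGenerated = [datetime]'2004-03-03 17:45'; EventID = 6006 }
)

function Get-DailyLogSummary {
    param([object[]]$Events)
    $Events |
        Group-Object { $_.TimeGenerated.Date.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        ForEach-Object {
            $ids     = @($_.Group.EventID)
            $started = $ids -contains 6005   # Event Log service started: system booted
            $stopped = $ids -contains 6006   # Event Log service stopped: normal shutdown
            if (-not $started) { $status = 'not started' }
            elseif ($stopped)  { $status = 'normal shutdown' }
            else               { $status = 'no normal shutdown recorded (system fault or power cut?)' }
            [pscustomobject]@{
                Day          = $_.Name
                Status       = $status
                DhcpFallback = $ids -contains 1007   # client could not reach the DHCP server
            }
        }
}

Get-DailyLogSummary -Events $sampleEvents | Format-Table -AutoSize
```

In the sample, 2004-03-02 is reported with no normal shutdown and a DHCP fallback, which are the two conditions the article says deserve a closer look.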
