(Windows 2008 Server: Lesson 8)
{ Setting Up Audit Account Logon Events }
Section 0. Background Information
- What are Audit Policies?
- This feature allows administrators to log events that deal with the following items:
- Audit account logon events
- Audit logon events
- Audit account management
- Audit policy change
- Audit privilege use
- Audit system events
- and more...
Section 1. Login to your W2K8 server
- Start your Windows 2008 Server
- Instructions:
- Click on W2K8 Server
- Click on Play virtual machine
![](index.1.jpg)
- CTRL + ALT + DELETE
- Instructions:
- Virtual Machine
- Send Ctrl+Alt+Del
![](index.254.jpg)
- Login as Administrator
- Click on the Administrator icon.
![](index.255.jpg)
- Login
- Command:
- Provide the password for the Administrator account.
![](index.24.jpg)
Section 2. Launching Group Policy Management
- Launch Group Policy Management
- Instructions:
- Start --> Administrative Tools --> Group Policy Management
![](index.44.jpg)
- Edit Default Domain Controllers Policy
- Instructions:
- Navigate to Forest: security.student --> Domains --> security.student --> Domain Controllers.
- Right Click on Default Domain Controllers Policy
- Click on Edit...
![](index.45.jpg)
- Navigate to the Audit Policy Section
- Instructions:
- Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy
![](index.46.jpg)
Section 3. Edit Audit account logon events
- Edit Audit account logon events
- Instructions:
- Right Click on Audit account logon events
- Select Properties
- Notes:
- This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.
![](index.47.jpg)
- Configure Audit account logon events Properties
- Instructions:
- Check Define these policy settings
- Check Success
- Check Failure
- Click on the Apply Button.
- Click on the OK Button.
![](index.48.jpg)
Section 4. Edit Audit logon events
- Edit Audit logon events
- Instructions:
- Right click on Audit logon events
- Click on Properties.
- Notes:
- This security setting determines whether to audit each instance of a user logging on to or logging off from this local computer.
![](index.49.jpg)
- Configure Audit logon events Properties
- Instructions:
- Check Define these policy settings
- Check Success
- Check Failure
- Click on the Apply Button.
- Click on the OK Button.
![](index.50.jpg)
Section 5. Edit Audit account management events
- Edit Audit account management events
- Instructions:
- Right click on Audit account management events
- Click on Properties
- Notes:
- This security setting determines whether to audit each event of account management on a computer. Examples of account management events include:
- A user account or group is created, changed, or deleted.
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
![](index.53.jpg)
- Configure Audit account management Properties
- Instructions:
- Check Define these policy settings
- Check Success
- Check Failure
- Click on the Apply Button.
- Click on the OK Button
![](index.54.jpg)
Section 6. Edit Audit privilege use events
- Edit Audit privilege use events
- Instructions:
- Right click on Audit privilege use events
- Click on Properties
- Notes:
- This security setting determines whether to audit each instance of a user exercising a user right.
![](index.55.jpg)
- Configure Audit privilege use Properties
- Instructions:
- Check Define these policy settings
- Check Success
- Check Failure
- Click on the Apply Button.
- Click on the OK Button
![](index.56.jpg)
Section 7. Edit Audit policy change events
- Edit Audit policy change events
- Instructions:
- Right click on Audit policy change events
- Click on Properties
- Notes:
- This security setting determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
![](index.57.jpg)
- Configure Audit policy change Properties
- Instructions:
- Check Define these policy settings
- Check Success
- Check Failure
- Click on the Apply Button.
- Click on the OK Button
![](index.58.jpg)
Section 8. Update Group Policies
- Bring up a command prompt
- Instruction:
- Start --> Command Prompt
![](index.59.jpg)
- Force Update
- Instruction:
- gpupdate /force
- Note:
- The "gpupdate" utility will update group policies.
![](index.62.jpg)
- Restart the server
- Instruction:
- Start --> Restart
![](index.63.jpg)
Section 9. Create two failed logon attempts
- CTRL + ALT + DELETE
- Instructions:
- Virtual Machine
- Send Ctrl+Alt+Del
![](index.254.jpg)
- Create failed logon attempt #1
- Instructions:
- Supply the wrong password.
- Press Enter
![](index.64.jpg)
- Press the OK Button
- Instructions:
- Click the OK Button
- Create failed logon attempt #2
- Instructions:
- Supply the wrong password.
- Press Enter
![](index.66.jpg)
- Press the OK Button
- Instructions:
- Click the OK Button
- Provide the correct password
- Instructions:
- Supply the correct password.
![](index.24.jpg)
- Open the Event Viewer
- Instructions:
- Start --> Administrative Tools --> Event Viewer
- Navigate to the security logs
- Instructions:
- Windows Logs --> Security
- Look for the failed logon attempts
- Bring up a command prompt
- Instruction:
- Start --> Command Prompt
![](index.59.jpg)
- Using the gpresult utility
- Instruction:
- gpresult /V | more
- Before you press the <Enter> key more than once, continue to the next step.
- Note:
- Displays Group Policy settings and Resultant Set of Policy (RSOP) for a user or a computer.
![](index.69.jpg)
- Using the gpresult utility
- Instruction:
- Keep pressing the <Enter> key until you see "User Rights"
- Once you see "User Rights" press the <Ctrl>+c keys
- date
- Press Enter
- echo "Your Name"
- Replace the string "Your Name" with your actual name.
- E.g., echo "John Gray"
- Proof of Lab Instruction:
- Do a PrtScn
- Paste into a word document
- Upload to Moodle.
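
The failed logon attempts that Section 9 looks for in Event Viewer can also be pulled from the Security log at the command line. The script below is an added example, not part of the original lab; it assumes PowerShell 2.0 or later in an elevated prompt on the server, and the one-hour window is an arbitrary choice.

```powershell
# Added example, not part of the original lab. Assumes PowerShell 2.0 or later
# in an elevated prompt on the W2K8 domain controller.
#
# Failure events written by the two logon categories enabled in Sections 3 and 4:
#   Audit logon events         -> 4625 (an account failed to log on)
#   Audit account logon events -> 4771 (Kerberos pre-authentication failed)
#                                 4776 (credential validation by the DC)
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4776
    Keywords  = 4503599627370496          # 0x10000000000000 = Audit Failure
    StartTime = (Get-Date).AddHours(-1)   # assumption: attempts made in the last hour
}

# Status codes a mistyped password or user name normally produces
$reason = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'unknown user name'
    '0x18'       = 'wrong password (Kerberos pre-authentication)'
}

$failures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the event data by field name from the event XML
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # 4625 puts the specific cause in SubStatus; 4771 and 4776 only have Status
        $code = $data['SubStatus']
        if (-not $code -or $code -eq '0x0') { $code = $data['Status'] }
        $code = "$code".ToLower()
        if ($reason.ContainsKey($code)) { $code = $reason[$code] }
        # The source field is named differently in each event
        $source = $data['IpAddress']
        if (-not $source) { $source = $data['WorkstationName'] }
        if (-not $source) { $source = $data['Workstation'] }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; EventId = $_.Id
            Account = $data['TargetUserName']; Source = $source; Reason = $code
        }
    })

# One row per failure, then a count per account
$failures | Sort-Object Time | Format-Table Time, EventId, Account, Source, Reason -AutoSize
$failures | Group-Object Account | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Because the lab server is a domain controller, each wrong password typed at its console is expected to show up twice: once as 4625 and once as 4771 or 4776, depending on whether Kerberos or NTLM handled the attempt.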