ComputerSecurityStudent (CSS)

|WINDOWS >> Windows 2008 Server >> Current Page

|Views: 22120

(Windows 2008 Server: Lesson 8)

{ Setting Up Audit Account Logon Events }

Section 0. Background Information

What are Audit Policies?
- This feature allows the administrators log events that deal with the following items:
  - Audit account logon events
  - Audit logon events
  - Audit account management
  - Audit policy change
  - Audit privilege use
  - Audit system events
  - and more...

Section 1. Login to your W2K8 server.

Start your Windows 2008 Server
- Instructions:
  1. Click on W2K8 Server
  2. Click on Play virtual machine
CRTL + ALT + DELETE
- Instructions
  1. Virtual Machine
  2. Send Ctrl+Alt+Del
Login as Administrator
- Click on the Administrator icon.
Login
- Command: Provide the password for the Administrator account.

Section 2. Launching Group Policy Management

Launch Group Policy Management
- Instructions:
  1. Start --> Administrative Tools --> Group Policy Management
Edit Default Domain Controller Policies
- Instructions:
  1. Navigate to Forest:security.student --> Domains --> security.student --> Domain Controllers.
  2. Right Click on Default Domain Controller Policies
  3. Click on Edit...
Navigate to the Audit Policy Section
- Instructions:
  1. Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy

Section 3. Edit Audit account logon events

Edit Audit account logon events
- Instructions:
  1. Right Click on Audit account logon events
  2. Select Properties
- Notes:
  - This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.
Configuration Audit account logon events Properties
- Instructions:
  1. Check Define these policy settings
  2. Check Success
  3. Check Failure
  4. Click on the Apply Button.
  5. Click on the OK Button.

Section 4. Edit Audit logon events

Edit Audit logon events
- Instructions:
  1. Right click on Audit logon events
  2. Click on Properties.
- Notes:
  - This security setting determines whether to audit each instance of a user logging on to or logging off from this local computer.
Configuration Audit logon events Properties
- Instructions:
  1. Check Define these policy settings
  2. Check Success
  3. Check Failure
  4. Click on the Apply Button.
  5. Click on the OK Button.

Section 5. Edit Audit management events

Edit Audit system events
- Instruction:
  1. Right click on Audit account management events
  2. Click on Properties
- Notes:
  - This security setting determines whether to audit each event of account management on a computer. Examples of account management events include:
    1. A user account or group is created, changed, or deleted.
    2. A user account is renamed, disabled, or enabled.
    3. A password is set or changed.
Configuration Audit account management Properties
- Instructions:
  1. Check Define these policy settings
  2. Check Success
  3. Check Failure
  4. Click on the Apply Button.
  5. Click on the OK Button

Section 6. Edit privilege use events

Edit Audit system events
- Instruction:
  1. Right click on Audit privilege use events
  2. Click on Properties
- Notes:
  - This security setting determines whether to audit each instance of a user exercising a user right.
Configuration Audit privilege use Properties
- Instructions:
  1. Check Define these policy settings
  2. Check Success
  3. Check Failure
  4. Click on the Apply Button.
  5. Click on the OK Button

Section 7. Edit policy change events

Edit Audit system events
- Instruction:
  1. Right click on Audit policy change events
  2. Click on Properties
- Notes:
  - This security setting determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
Configuration Audit policy change Properties
- Instructions:
  1. Check Define these policy settings
  2. Check Success
  3. Check Failure
  4. Click on the Apply Button.
  5. Click on the OK Button

Section 8. Update Group Policies

Bring up a command prompt
- Instruction:
  1. Start --> Command Prompt
For Update

Instruction:
1. gpupdate /force
Note:
- The "gpupdate" utility will update group policies.

Restart the server
- Instruction:
  1. Start --> Restart

Section 9. Create two failed logon attempts

CRTL + ALT + DELETE
- Instructions:
  1. Virtual Machine
  2. Send Ctrl+Alt+Del
Create failed logon attempt #1
- Instructions:
  1. Supply the wrong password.
  2. Press Enter
Press the OK Button
- Instructions:
  1. Click the OK Button
Create failed logon attempt #2
- Instructions:
  1. Supply the wrong password.
  2. Press Enter
Press the OK Button
- Instructions:
  1. Click the OK Button
Provide the correct password
- Instructions:
  1. Supply the correct password.
Open the Event Viewer
- Instructions:
  1. Start --> Administrative Tools --> Event Viewer
Navigate to the security logs
- Instructions:
  1. Windows Logs --> Security
  2. Look for the failed logon attempts

Section 10. Proof of Lab

Bring up a command prompt
- Instruction:
  1. Start --> Command Prompt
Using the gpresult utility

Instruction:
1. gpresult /V | more
2. Before you press the <Enter> key more than once, continue to the next step.
Note:
- Displays Group Policy settings and Resultant Set of Policy (RSOP) for a user or a computer. (See More)

Using the gpresult utility

Instruction:
1. Keep pressing the <Enter> key until you see "User Rights"
2. Once you see "User Rights" press the <Ctrl>+c keys
3. date
4. Press Enter
5. echo "Your Name"
  - Replace the string "Your Name" with your actual name.
  - E.g., echo "John Gray"
Proof of Lab Instruction:
1. Do a PrtScn
2. Paste into a word document
3. Upload to Moodle.