ComputerSecurityStudent (CSS)





(Windows 2008 Server: Lesson 8)

{ Setting Up Audit Account Logon Events }


Section 0. Background Information
  • What are Audit Policies? 
    • Audit policies let administrators record security-relevant events in the Security event log. The legacy (category-level) audit policy on Windows Server 2008 covers the following categories:
      • Audit account logon events
      • Audit logon events
      • Audit account management
      • Audit policy change
      • Audit privilege use
      • Audit system events
      • and more...
    • Each category can be set to audit Success, Failure, both, or neither. Nothing is written to the Security log for a category until auditing is enabled for it, so an unconfigured server will not record the failed logons tested at the end of this lesson.
Section 1. Login to your W2K8 server.
  1. Start your Windows 2008 Server
    • Instructions
      1. Click on W2K8 Server
      2. Click on Play virtual machine

     

  2. CTRL + ALT + DELETE
    • Instructions
      1. Virtual Machine
      2. Send Ctrl+Alt+Del

     

  3. Login as Administrator
    • Click on the Administrator icon.

     

  4. Login
    • Instructions:
      1. Provide the password for the Administrator account.

     

Section 2. Launching  Group Policy Management
  1. Launch Group Policy Management
    • Instructions:
      1. Start --> Administrative Tools --> Group Policy Management

     

  2. Edit the Default Domain Controllers Policy
    • Instructions:
      1. Navigate to Forest:security.student --> Domains --> security.student --> Domain Controllers.
      2. Right Click on Default Domain Controllers Policy
      3. Click on Edit...
    • Notes:
      • This GPO is linked to the Domain Controllers OU only, so the audit settings in this lesson apply to domain controllers. Member servers and workstations need the same settings in a GPO linked to their own OU (or in the Default Domain Policy).

     

  3. Navigate to the Audit Policy Section
    • Instructions:
      1. Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy

 

Section 3. Edit Audit account logon events
  1. Edit Audit account logon events
    • Instructions:
      1. Right Click on Audit account logon events
      2. Select Properties
    • Notes:
      • This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.
      • On a domain controller this is the category that records credential validation for the whole domain: Kerberos ticket requests and pre-authentication failures (Event IDs 4768, 4771) and NTLM validation (Event ID 4776). The "Audit logon events" category in Section 4 records the logon session itself on the machine where it is created.

     

  2. Configure Audit account logon events Properties
    • Instructions:
      1. Check Define these policy settings
      2. Check Success
      3. Check Failure
      4. Click on the Apply Button.
      5. Click on the OK Button.

     

Section 4. Edit Audit logon events
  1. Edit Audit logon events
    • Instructions:
      1. Right click on Audit logon events
      2. Click on Properties.
    • Notes:
      • This security setting determines whether to audit each instance of a user logging on to or logging off from this local computer.

     

  2. Configure Audit logon events Properties
    • Instructions:
      1. Check Define these policy settings
      2. Check Success
      3. Check Failure
      4. Click on the Apply Button.
      5. Click on the OK Button.

     

Section 5. Edit Audit account management
  1. Edit Audit account management
    • Instructions:
      1. Right click on Audit account management
      2. Click on Properties
    • Notes:
      • This security setting determines whether to audit each event of account management on a computer. Examples of account management events include:
        1. A user account or group is created, changed, or deleted.
        2. A user account is renamed, disabled, or enabled.
        3. A password is set or changed.
      • Success auditing matters here as much as Failure: a successful account creation or group membership change made by an attacker is exactly the event you want in the log.

     

  2. Configure Audit account management Properties
    • Instructions:
      1. Check Define these policy settings
      2. Check Success
      3. Check Failure
      4. Click on the Apply Button.
      5. Click on the OK Button

 

Section 6. Edit Audit privilege use
  1. Edit Audit privilege use
    • Instructions:
      1. Right click on Audit privilege use
      2. Click on Properties
    • Notes:
      • This security setting determines whether to audit each instance of a user exercising a user right.
      • Success auditing of privilege use is very noisy on a production server (every privileged service call is logged as Event ID 4673 or 4674), so outside a lab many administrators enable Failure only, or filter the log, to keep the Security log from wrapping.

     

  2. Configure Audit privilege use Properties
    • Instructions:
      1. Check Define these policy settings
      2. Check Success
      3. Check Failure
      4. Click on the Apply Button.
      5. Click on the OK Button

 

 

Section 7. Edit Audit policy change
  1. Edit Audit policy change
    • Instructions:
      1. Right click on Audit policy change
      2. Click on Properties
    • Notes:
      • This security setting determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
      • Enable this one before the others: an attacker who wants to disable auditing must change the audit policy, and with this category enabled that change is itself logged (Event ID 4719).

     

  2. Configure Audit policy change Properties
    • Instructions:
      1. Check Define these policy settings
      2. Check Success
      3. Check Failure
      4. Click on the Apply Button.
      5. Click on the OK Button
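The command-line equivalent of Sections 3 through 7, as an added example that is not part of the original lesson. It uses auditpol.exe, which ships with Windows Server 2008, from an elevated prompt on the server. Note that auditpol changes only the local effective policy: on a domain-joined server the GPO edited above reasserts its values at the next Group Policy refresh, so the GPO stays authoritative and this script is mainly useful on a standalone machine or to check what the GPO actually produced.

```powershell
# Added example (not the lesson's own code). Requires an elevated prompt.
# Legacy audit categories as auditpol names them, in the order the lesson enables them.
$categories = @(
    'Account Logon',       # Section 3: Audit account logon events
    'Logon/Logoff',        # Section 4: Audit logon events
    'Account Management',  # Section 5: Audit account management
    'Privilege Use',       # Section 6: Audit privilege use
    'Policy Change'        # Section 7: Audit policy change
)

function Enable-AuditCategory {
    param([string]$Category)
    # Enable both Success and Failure auditing for every subcategory in the category.
    auditpol /set /category:"$Category" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol /set failed for '$Category' (exit code $LASTEXITCODE)"
        return $false
    }
    return $true
}

foreach ($cat in $categories) {
    if (Enable-AuditCategory -Category $cat) {
        Write-Host "Enabled Success and Failure auditing for: $cat"
    }
}

# Verify the effective policy. Run this same command again after Section 8's
# gpupdate to confirm that the GPO produced the settings you expect.
auditpol /get /category:*
```

If the `/get` output shows a category as "No Auditing" even though the GPO defines it, check whether the server has advanced (subcategory) audit settings defined; on Windows Server 2008, subcategory settings take precedence over the category-level settings when the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.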

 

Section 8. Update Group Policies
  1. Bring up a command prompt
    • Instruction:
      1. Start --> Command Prompt

     

  2. Update Group Policy
    • Instructions:
      1. gpupdate /force
    • Notes:
      • The "gpupdate" utility refreshes Group Policy on the local machine. Without /force only settings that changed since the last refresh are reapplied; /force reapplies every setting, which is useful when you are not sure the last refresh succeeded.

     

  3. Restart the server
    • Instructions:
      1. Start --> Restart
    • Notes:
      • A restart is not required for audit policy settings to take effect; they apply at the policy refresh above. The restart is used here so that you are back at the logon screen for the failed-logon test in Section 9.

     

 

Section 9. Create two failed logon attempts
  1. CTRL + ALT + DELETE
    • Instructions:
      1. Virtual Machine
      2. Send Ctrl+Alt+Del

     

  2. Create failed logon attempt #1
    • Instructions:
      1. Supply the wrong password.
      2. Press Enter

     

  3. Press the OK Button
    • Instructions:
      1. Click the OK Button

     

  4. Create failed logon attempt #2
    • Instructions:
      1. Supply the wrong password.
      2. Press Enter

     

  5. Press the OK Button
    • Instructions:
      1. Click the OK Button

     

  6. Provide the correct password
    • Instructions:
      1. Supply the correct password.

     

  7. Open the Event Viewer
    • Instructions:
      1. Start --> Administrative Tools --> Event Viewer

     

  8. Navigate to the Security log
    • Instructions:
      1. Windows Logs --> Security
      2. Look for the failed logon attempts. On Windows Server 2008 a failed interactive logon is recorded as Event ID 4625 ("An account failed to log on") with keyword Audit Failure; because this server is the domain controller that validated the password, the Account Logon category typically records a matching Kerberos pre-authentication failure (Event ID 4771) or NTLM failure (Event ID 4776) as well.
      3. Filter the log by Event ID 4625 (Filter Current Log... --> Event IDs) to find the two attempts quickly; the details show the account name and the status code (0xC000006D, with sub-status 0xC000006A for a wrong password).
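The same search done from PowerShell, as an added example that is not part of the original lesson: it pulls the failed-logon events generated in Section 9 from the Security log and summarises them per account and source. It assumes PowerShell 2.0 or later (for Get-WinEvent), which on Windows Server 2008 means the Windows Management Framework update, and an elevated prompt on the server that holds the log.

```powershell
# Added example (not the lesson's own code). Assumes PowerShell 2.0+ and an elevated prompt.
# Event IDs that record a failed credential check on Windows Server 2008:
#   4625  An account failed to log on            (Logon/Logoff category)
#   4771  Kerberos pre-authentication failed     (Account Logon category)
#   4776  NTLM credential validation failed      (Account Logon category, when Status is non-zero)
$failureIds = 4625, 4771, 4776

function Get-FailedLogon {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = $failureIds
        StartTime = $Since
    } -ErrorAction SilentlyContinue   # no error if nothing matched

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of scraping the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4776 carries the client name in "Workstation"; 4625 and 4771 carry an IP address.
        $source = if ($e.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }

        # 4776 is logged for successful validations too; only a non-zero Status is a failure.
        if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }

        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Account   = $data['TargetUserName']
            Source    = $source
            Status    = $data['Status']      # 4625: 0xC000006D = bad user name or password
            SubStatus = $data['SubStatus']   # 4625 only: 0xC000006A = wrong password, 0xC0000064 = no such user
        }
    }
}

# Individual failures from the last 30 minutes, newest first ...
$failed = Get-FailedLogon -Since (Get-Date).AddMinutes(-30)
$failed | Sort-Object Time -Descending |
    Format-Table Time, Id, Account, Source, Status, SubStatus -AutoSize

# ... and a per-account count, which is the shape a brute-force detection starts from.
$failed | Group-Object Account | Select-Object Name, Count | Sort-Object Count -Descending
```

The two wrong passwords typed in Section 9 should appear as two 4625 entries for the Administrator account with sub-status 0xC000006A. Raising the window and thresholding on the per-account count (for example, more than ten failures in five minutes) turns this into a simple password-guessing detector; on a domain controller it is also the query that shows which source addresses are generating the failures.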

 

Section 10. Proof of Lab
  1. Bring up a command prompt
    • Instruction:
      1. Start --> Command Prompt

     

  2. Using the gpresult utility
    • Instructions:
      1. gpresult /V | more
      2. Press the <Enter> key only once for now, then continue to the next step.
    • Notes:
      • gpresult displays the Group Policy settings and Resultant Set of Policy (RSoP) for a user or computer, that is, the settings that actually applied after all GPOs were combined. The /V (verbose) switch includes the individual settings, so the Audit Policy values configured in this lesson appear in the Computer Settings part of the output.

     

  3. Using the gpresult utility
    • Instructions:
      1. Keep pressing the <Enter> key until you see "User Rights". The Audit Policy settings are listed just above that heading; confirm each of the five categories shows Success, Failure.
      2. Once you see "User Rights" press the <Ctrl>+c keys to stop the listing.
      3. date
      4. Press Enter
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • E.g., echo "John Gray"
    • Proof of Lab Instruction:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle.

