SECURITY TEMPLATE - AUDIT
I. Security Template
Preparation:
- Start the machine and choose the Windows Server 2003 that has not been promoted to a Domain Controller (P1)
Step 1: Start → Run → type MMC in the Open box → OK
Step 2: In the Console1 window → File menu → Add/Remove Snap-in → Add
→ In the Add Stand-alone Snap-in dialog, select Security Templates → Add → select Security Configuration and Analysis → Add → Close → OK
→ In the Console1 window, the two added snap-ins appear
→ Expand the "+" next to compatws (under Security Templates\C:\WINDOWS\security\templates)
→ Right-click compatws → Save As
→ In the File name box, type SecurityTemplate → Save
→ Expand the "+" next to SecurityTemplate (the template just created) → Account Policy\Password Policy
→ Right-click Minimum Password Length → Properties → check the "Define this policy setting in the template" box → in the "Password must be at least" box enter 8 → Apply → OK → Right-click SecurityTemplate → Save
Step 3: Right-click Security Configuration and Analysis → Open database
→ In the File name box, type My Template → Open
→ In the Import Template window, select SecurityTemplate (the template just set up) → Open
Step 4: Right-click Security Configuration and Analysis → select Analyze Computer Now
→ In the Perform Analysis window → OK → The system analyzes the differences between the system's current Security Policy and the Security Template that was just set up
→ The system applies the template that was just set up
Analysis result shown under Console Root\Security Configuration and Analysis\Account Policies\Password Policy:
Policy | Database Setting | Computer Setting
Enforce password history | Not Defined | 24 passwords remembered
Maximum password age | Not Defined | 42 days
Minimum password age | Not Defined | 1 days
Minimum password length | 8 characters | 0 characters
Password must meet complexity requirements | Not Defined | Disabled
Store passwords using reversible encryption | Not Defined | Disabled
Step 6: Close all windows → The system asks whether to save Console1 → choose No
→ Create a user "U1" with password 123 → The system reports an error asking you to re-enter the password → OK
→ Re-enter the password for user "U1" with a length of at least 8 characters, e.g. nhatnghe
The following error occurred while attempting to create the user U1 on computer PC18:
The password does not meet the password policy requirements. Check the minimum
password length, password complexity and password history requirements.
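What Analyze Computer Now does, shown as an added Python example that is not part of the original lab: it compares each setting the template defines with the value read from the computer and reports it as OK, Mismatch, or Not Defined. Both .inf fragments are constructed here in the security-template format; the template holds the lab's single edited setting and the computer values are those from the result pane above.

```python
import configparser

# Constructed .inf fragments in the format the Security Templates snap-in saves
# under %windir%\security\templates. SECURITY_TEMPLATE_INF holds the lab's one
# edited setting; COMPUTER_STATE_INF stands for what Analyze Computer Now reads
# from the machine (values copied from the lab's Database/Computer result pane).
SECURITY_TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
"""

COMPUTER_STATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 1
MinimumPasswordLength = 0
PasswordComplexity = 0
ClearTextPassword = 0
"""

def load_inf(text):
    """Parse template text; keep key case (configparser lowercases keys by default)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser

def analyze(template_inf, computer_inf, section="System Access"):
    """Database Setting vs Computer Setting, as the snap-in's result pane shows it.
    Returns {setting: (database, computer, status)}; status is OK, Mismatch, or
    Not Defined (the template leaves the setting alone, so it is not enforced)."""
    template, computer = load_inf(template_inf), load_inf(computer_inf)
    report = {}
    for key, actual in computer.items(section):
        if template.has_option(section, key):
            wanted = template.get(section, key)
            report[key] = (wanted, actual, "OK" if wanted == actual else "Mismatch")
        else:
            report[key] = ("Not Defined", actual, "Not Defined")
    return report

def mismatches(report):
    """Only the settings Configure Computer Now would change."""
    return {k: v for k, v in report.items() if v[2] == "Mismatch"}
```

On the server itself, `secedit /analyze /db <database>.sdb /cfg SecurityTemplate.inf` performs the same comparison from the command line and stores the result in the database the snap-in opens.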
II. Audit Policy
1. Recording logons on the local machine
Step 1: Start → Programs → Administrative Tools → Local Security Policy → Audit Policy
→ Right-click Audit Account Logon Events → Properties → check Failure → Apply → OK → Close all windows → Update the policy (gpupdate /force)
Step 2: Start → Programs → Event Viewer → Right-click Security → Clear All Events → A prompt asks whether to save these Security audit events: choose No
→ Close all windows
Step 3: Log off Administrator → Log on as user "U1" and deliberately enter the wrong password a few times
Step 4: Log on as Administrator again → Start → Programs → Event Viewer → select Security
→ Several records of the failed logons appear
Event Viewer (Local) → Security (6 events):
Type | Date | Time | Source | Category | Event | User
Failure Audit | 12/28/2004 | 11:13:33 PM | Security | Logon/Logoff | 529 | SYSTEM
Failure Audit | 12/28/2004 | 11:13:31 PM | Security | Logon/Logoff | 529 | SYSTEM
Failure Audit | 12/28/2004 | 11:13:30 PM | Security | Logon/Logoff | 529 | SYSTEM
Failure Audit | 12/28/2004 | 11:13:29 PM | Security | Logon/Logoff | 529 | SYSTEM
Failure Audit | 12/28/2004 | 11:13:27 PM | Security | Logon/Logoff | 529 | SYSTEM
2. Recording access to a folder
Preparation:
- Start the machine and choose the Windows Server 2003 that has been promoted to a Domain Controller (P3)
- Create OU KeToan; in OU KeToan create user "KT1"
- Create OU NhanSu; in OU NhanSu create user "NS1"
- Grant the Users group the Allow log on locally right
- In C:, create the folder "TaiLieuKeToan"
Purpose: record every failed access to the folder "TaiLieuKeToan"
Step 1: Right-click the TaiLieuKeToan folder → Properties → Security tab → Advanced → uncheck Allow inheritable permissions → Apply → OK → select the Users group → Remove
→ Add → select user "KT1" → give user "KT1" Full Control on the TaiLieuKeToan folder → Apply → Advanced → Auditing tab → Add → select user "NS1" → In the Auditing Entry dialog, check List Folder / Read Data in the Failed column → OK → Apply → OK → OK
Step 2: Start → Programs → Domain Security Policy → Right-click Audit Object Access → … → close the windows → Update the policy (gpupdate /force)
Step 3: Start → Programs → Event Viewer → Right-click Security → Clear All Events → A prompt asks whether to save these Security audit events: choose No
Step 4: Log off Administrator → Log on as KT1 → Go to the TaiLieuKeToan folder and create a file dulieuketoan.txt → Save
Step 5: Log off KT1 → Log on as NS1 → Go to the TaiLieuKeToan folder → the system reports an error:
C:\TaiLieuKeToan is not accessible
Access is denied
Step 7: Start → Programs → Administrative Tools → Event Viewer → select Security
→ Right-click the Failure Audit record of user "NS1" → The details show the date and time at which user "NS1" tried to access the folder
Event Viewer (Local) → Security (225 events); Event Properties of one Failure Audit record:
Type: Failure Audit | Category: Object Access | Event ID: 560
Date: 12/29/2004 | Time: 3:31:20 PM | User: DOM19\ns1 | Computer: PC19
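The records that parts II.1 and II.2 produce (event 529 logon failures and event 560 object-access failures), processed by an added Python example that is not part of the original lab: it parses a constructed CSV export of the Security log in the column order the Event Viewer shows, flags a burst of failed logons like the one deliberately created in II.1, and counts the folder-access failures per account from II.2. The CSV rows, times and the Computer column are constructed for this example.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed CSV export of the Security log, in the column order the lab's Event
# Viewer shows (Type, Date, Time, Source, Category, Event, User) plus Computer.
SECURITY_LOG_CSV = """\
Type,Date,Time,Source,Category,Event,User,Computer
Failure Audit,12/28/2004,11:13:27 PM,Security,Logon/Logoff,529,SYSTEM,PC18
Failure Audit,12/28/2004,11:13:29 PM,Security,Logon/Logoff,529,SYSTEM,PC18
Failure Audit,12/28/2004,11:13:30 PM,Security,Logon/Logoff,529,SYSTEM,PC18
Failure Audit,12/28/2004,11:13:31 PM,Security,Logon/Logoff,529,SYSTEM,PC18
Failure Audit,12/29/2004,3:31:11 PM,Security,Object Access,560,DOM19\\ns1,PC19
Failure Audit,12/29/2004,3:31:18 PM,Security,Object Access,560,DOM19\\ns1,PC19
"""

def parse_events(text):
    """Read the export and attach a datetime built from the Date and Time columns."""
    events = list(csv.DictReader(text.splitlines()))
    for e in events:
        e["Event"] = int(e["Event"])
        e["when"] = datetime.strptime(e["Date"] + " " + e["Time"], "%m/%d/%Y %I:%M:%S %p")
    return events

def failed_logon_bursts(events, threshold=5, window_seconds=60):
    """Computers with at least `threshold` event-529 failures inside `window_seconds`.
    529 records SYSTEM in the User column (the failing account is only in the
    description, which this export lacks), so the grouping is per computer."""
    by_computer = defaultdict(list)
    for e in events:
        if e["Type"] == "Failure Audit" and e["Event"] == 529:
            by_computer[e["Computer"]].append(e["when"])
    alerts = {}
    for computer, times in by_computer.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window so it spans at most window_seconds
            if end - start + 1 >= threshold:
                alerts[computer] = (times[start], t)  # first and last time in the burst
    return alerts

def count_failures(events, event_id, column):
    """Count Failure Audit records of one event ID grouped by a column (e.g. 560 per User)."""
    counts = defaultdict(int)
    for e in events:
        if e["Type"] == "Failure Audit" and e["Event"] == event_id:
            counts[e[column]] += 1
    return dict(counts)
```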