In this task we viewed the security logs in the windows 2003 system. We then saved these logs to the desktop and cleared them so we could view what we were doing next. In the command prompt we then made a new user. After doing this we went into the event viewer and saw that making the user had been logged.
1. Name the three main Windows Event Logs.
Application log - issues with system software
System log - issues with system hardware
Security log - successful and failed attempts to access resources
2. Explain why saving Event Logs regularly is a good practice.
Logs can be deleted without the users knowledge, so its good to have evidence of them happening in any situation where you may need them after they have been erased.
3. Event Logs can be saved as which three different formats?
EVT
TXT
CSV
4. Adding a user account to the system will trigger an event in which log?
The security log under account management
TASK 2:
In this task we changed the audit policy on logging the failed attempts to log on to the administrative server. After making it log the failed log in attempts we updated the policies and then failed two log ins and then viewed them in the events security logs.
1. Which is more important, auditing for successes or failures?
In my opinion it is more important to log the failures as you can see if someone is attempting to get into your system who doesn't have permission, however if they are succeeding with their log in then that is a bigger issue but once they are in it is hard to stop them, stopping them is easier on the outside. Although you would want to know if someone is on the system so both are useful to have on.
2. Where do you go in Windows to examine the audit policy?
GP edit.msc
3. What are two ways that you can get to the Event Viewer in Windows?
run event viewer.msc
start>administrativeTools>eventviewer
4. What is the command line tool that can be used to update security settings?
gpupdate /force
TASK 3:
In this lab we used the backtrack 5 machine to access the windows 2003 machine and clear the logs on that machine.
1. What happens when the security log is cleared?
There is only one log left, it being the log telling you that all the logs are cleared.
2. What is the difference between the ClearLogs tool and the clearev command?
clearev clears all of the logs and ClearLogs allows you to clear individual logs in the system.
3. Why might a hacker clear the logs?
They clear the evidence that they were on the machine and it also prevents a forensic examiner from doing timeline analysis.
4. What would be an indicator that a hacker may have cleared one or more logs?
It logs that there has been a log cleared.
No comments:
Post a Comment