Week#5 Lab05

This document outlines hands-on lab exercises for securing Windows systems, focusing on using Event Viewer and auditing file access. It includes steps for filtering events, creating subscriptions, and configuring Group Policy for auditing. The exercises guide users through practical tasks to enhance their understanding of Windows event management and security auditing.

INFO-1212 Securing Windows Systems

Remote lab exercises

Hands-on lab Exercise 5

Hands-on Exercise 5.1, Event Viewer

Becoming familiar with Event Viewer

1. Connect to and log in to Server.


2. From Server Manager and Tools, click Event Viewer.
3. Select Event Viewer (Local) and examine the Summary of Administrative Events.
You may need to maximize the window in order to see this.

4. Expand each of the Event Types to see what they list.


This is a convenient screen for seeing all Critical, Error and Warning events together.
5. In the tree (left-hand pane) expand Windows Logs. Select each of the standard Windows logs in
turn, Application, Security, Setup and System, to see the types of events each holds.
6. Expand Applications and Services Logs. Logs for specific applications and services are kept here.
Expand Microsoft > Windows and scroll down the list of application- and service-specific logs.
7. Scroll down the list and find Backup. Because you executed a backup task in a previous exercise,
there are backup events recorded here.
Open a few of the Backup events to see what information was recorded.

Filter events
Because the system generates a very large number of events, you must filter them to find the important ones.

1. Under Windows Logs select System. The top of the middle pane tells you how many events the
log holds.

2. Under Actions in the right-hand pane click on Filter Current Log…


3. There are many properties that you can use to filter the log. Try the following.
Logged: Last hour
Click OK to see the results.
You can click on Clear Filter to return to the complete list.
4. Try the following filters and clear the filter between each change.
Event level: select Information and Warning
Event logs: this is fixed because you chose a particular log
Event sources: select all
5. To keep the log file at a manageable size, open the log's Properties.
6. The maximum log size is already set. Change it only if you have a good reason to.
7. Read the three options for what happens when the log reaches its maximum size.
The default, Overwrite events as needed, silently discards the oldest events once the log is full,
which is one reason to forward important events to a collector (next section) rather than rely on
the local log alone. Make no changes.
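The same filtering and log-size checks done from an elevated PowerShell prompt on Server, as an added example that is not part of the lab handout. It reads the local System log and changes nothing; the provider name used in the last step is only an example and may not appear in your log.

```powershell
# Added example, not from the lab handout. Read-only: nothing here changes a log setting.

# Log properties, as shown in the Properties dialog (steps 5-7 above).
# LogMode is the "when maximum size is reached" choice: Circular = overwrite as needed,
# AutoBackup = archive the log when full, Retain = do not overwrite (clear manually).
Get-WinEvent -ListLog System |
    Select-Object LogName, RecordCount, MaximumSizeInBytes, LogMode, IsLogFull

# "Filter Current Log": Logged = last hour, Event level = Information and Warning.
# Level values: 1 Critical, 2 Error, 3 Warning, 4 Information (some providers log Information as 0).
$filter = @{
    LogName   = 'System'
    Level     = 3, 4
    StartTime = (Get-Date).AddHours(-1)
}
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches.
$recent = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"{0} Information/Warning events in the System log in the last hour" -f $recent.Count

# Which event sources produced them? This is the quickest way to see what is generating noise
# before narrowing the Event sources filter.
$recent |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# Narrow to one source (Service Control Manager is used only as an example) and show the text.
$source = 'Service Control Manager'
$recent |
    Where-Object ProviderName -eq $source |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Get-WinEvent -FilterHashtable is evaluated by the event log service, so it is far faster than piping every event through Where-Object; reserve Where-Object for properties the hashtable cannot express.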

Creating Subscriptions

1. Click Subscriptions at the bottom of the tree pane.


2. Answer Yes when asked if you want to start the Windows Event Collector Service.
3. Right-click Subscriptions and choose Create Subscription…
4. Use the following for the Subscription name: Win10 Events.
5. Click on Select Computers…
Click Add Domain Computers…
6. Use Win10 for the object name. Check the name and click OK.

7. For Events to collect, click Select Events…
Choose Critical, Warning, Error and Information. For Event logs, choose Windows Logs.
Click OK to save the filter and then OK to create the subscription.

8. Open a command prompt with administrative privileges.
9. Issue this command: wecutil qc
Answer Yes.
This sets the Windows Event Collector service to start automatically (delayed start) and starts it.

10. Connect to and log in to Win10 as Ontario\administrator.
Open a command prompt with administrative privileges (right-click cmd and choose Run as
administrator) and issue this command: winrm quickconfig
Type Y and press Enter to start the WinRM service and create its listener, then answer Y again to
enable the WinRM firewall exception.
(Take a screenshot showing the firewall exception is enabled.)

Close the command prompt window.


11. Right-click Start > Computer Management.
12. Expand System Tools > Local Users and Groups > Groups.
Double-click Event Log Readers and click Add…
Click Object Types…, check Computers and click OK.
For the object name use the Server name, Toronto01, then click Check Names.
Toronto01 now appears in the list of members allowed to read this computer's event logs.
The collector reads Win10's logs with its own computer account, which is why the Server's
computer account, not a user, is added here. Click OK, OK and close all windows.

13. Return to the Server.
Open Event Viewer and highlight Subscriptions.
Right-click Win10 Events and choose Runtime Status. Win10 should be Active.
(If it is not Active, right-click the subscription and click Disable, then Enable.)
14. Highlight Forwarded Events. (Take a screenshot showing Win10 in Active status.)
Forwarding events from Win10 to Server is not instantaneous. If events do not show up you may
have to wait a while, and you may have to refresh the view. Eventually events from Win10
will appear in the Forwarded Events log.
15. Close Event Viewer.
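The command-line equivalents of the subscription setup above, plus the checks to run when the source does not show as Active, as an added example that is not part of the lab handout. Host and domain names are the lab's (domain Ontario, collector Toronto01, source Win10, subscription Win10 Events); each part is run elevated on the host named in its comment.

```powershell
# Added example, not from the lab handout. Run each part on the host named.

# ---------- On Win10 (the event source), elevated ----------
# winrm quickconfig sets the WinRM service to start automatically, creates an HTTP listener
# on TCP 5985 and enables the "Windows Remote Management" firewall rule. -q = no prompts.
winrm quickconfig -q

# Verify the listener and the firewall rule the lab asks for a screenshot of.
winrm enumerate winrm/config/listener
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile, Direction

# The collector reads this machine's logs with its computer account, so the Server's
# computer account (note the trailing $) goes into the local Event Log Readers group.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'ONTARIO\TORONTO01$'
Get-LocalGroupMember -Group 'Event Log Readers'
# A forwarding session that was already open keeps the token it was built with; if the
# collector connected before this change, restart WinRM here (or Disable/Enable the
# subscription on the collector) so the next connection picks up the new membership.
Restart-Service WinRM

# ---------- On Toronto01 (the collector), elevated ----------
# wecutil qc sets Windows Event Collector to Automatic (Delayed Start) and starts it.
wecutil qc /q

# Can the collector reach the source's WinRM endpoint at all? Failure here is a
# listener, firewall or name-resolution problem, not a subscription problem.
Test-WSMan -ComputerName Win10

# The same information as Runtime Status in Event Viewer.
wecutil es                        # list subscriptions
wecutil gr 'Win10 Events'         # per-source state (Active / Inactive) and last error
wecutil gs 'Win10 Events'         # the subscription definition: query, delivery mode, sources

# Disable then Enable, as the lab suggests when the source is not Active, or simply retry.
wecutil ss 'Win10 Events' /e:false
wecutil ss 'Win10 Events' /e:true
wecutil rs 'Win10 Events'

# Forwarded events land in the ForwardedEvents log, tagged with the source's MachineName.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName, ProviderName |
    Format-Table -AutoSize
```

The "last error" text in wecutil gr is the first thing to read when a source stays Inactive: an access-denied error points at the Event Log Readers membership on the source, a connection error at WinRM or the firewall.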

Hands-on Exercise 5.2, Auditing file access

1. You are still on Server. Use Tools to open Group Policy Management.
2. Right-click the Ontario domain, choose Create a GPO in this domain, and Link it here…, and name it Log File.
3. Edit the Log File GPO.
4. Navigate to the Audit object access policy:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies >
Audit Policy.
5. For Audit object access, define the policy setting and audit both Success and Failure.
This setting only switches auditing on. The Security log records access to a file or folder
only if that object also has auditing entries (a SACL) under Properties > Security > Advanced >
Auditing. The policy reaches Server at the next Group Policy refresh; run gpupdate /force on
Server if you do not want to wait.
6. Close the Group Policy Management Editor.

7. On the Server, open File Explorer and go to C:\Backup\Malqarni. Create a Rich Text Document called
Week#5.
8. Type Week#5 inside the file, then save and close it.
9. On Win10, log in as malqarni.
10. Open File Explorer.
Navigate to the Backup\Malqarni folder we created last week.
You should see Week#5. Add another line to the file (type Lab#5), then save the file and exit.
11. On Server, open Tools > Event Viewer and navigate to Windows Logs > Security.
12. There will be a lot of events in this log.
Under Actions click Find… and enter Week#5.
13. The first event containing Week#5 is shown. You can continue to the next matching event by clicking
Find Next. (Take a screenshot of the events found; two screenshots are required.)
The events you are looking for are ID 4656 (a handle to an object was requested) and 4663 (an
attempt was made to access an object); the file path appears in the Object Name field and the
account that accessed it under Subject.
This is the easiest method for finding the events that result from auditing object access.
14. Close Event Viewer.
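The part of this exercise that Group Policy alone does not do, as an added example that is not part of the lab handout: confirming the audit policy reached Server, putting a Success and Failure audit entry (SACL) on the Malqarni folder so that file access actually generates events, and then pulling the resulting 4663 events without the Find dialog. Run it elevated on Server after the Log File GPO is linked. The path, user and file name are the lab's; the function name Get-FileAccessEvents is mine.

```powershell
# Added example, not from the lab handout. Run elevated on Server (Toronto01).

# 1. Did the GPO apply? Force a refresh, then read the effective policy for the
#    Object Access category; the File System line should read "Success and Failure".
gpupdate /target:computer /force | Out-Null
auditpol /get /category:"Object Access"

# 2. Add a Success+Failure audit entry for malqarni on the folder, inherited by its files.
#    Without this SACL entry, "Audit object access" produces nothing for this folder.
$path = 'C:\Backup\Malqarni'
$acl  = Get-Acl -Path $path -Audit        # -Audit reads the SACL; requires SeSecurityPrivilege
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'ONTARIO\malqarni',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl
(Get-Acl -Path $path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 3. After malqarni edits Week#5 from Win10, pull the matching Security events.
#    4663 = "An attempt was made to access an object" (the event Find lands on);
#    4656 = handle requested, 4658 = handle closed. EventData is read from the event XML,
#    which is more reliable than pattern-matching the rendered Message text.
function Get-FileAccessEvents {
    param(
        [string]   $FileNamePattern = 'Week#5',
        [datetime] $Since = (Get-Date).AddHours(-1)
    )
    $query = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object     = $d.ObjectName
                AccessMask = $d.AccessMask   # 0x1 ReadData, 0x2 WriteData, 0x4 AppendData, 0x10000 Delete
                Process    = $d.ProcessName  # SMB access from Win10 shows as the System process
            }
        } |
        Where-Object { $_.Object -like "*$FileNamePattern*" }
}

Get-FileAccessEvents | Format-Table -AutoSize
```

Because malqarni reaches the file over the share, the access is mediated by Server, so the events appear in Server's Security log and name malqarni as the Subject; nothing is written to Win10's Security log. Keep the SACL narrow (this user, these rights): auditing Everyone for all rights on a busy folder floods the Security log and, with the default overwrite retention, pushes out the events you wanted.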

