
Using Event Viewer for Windows Security

The document provides instructions for identifying suspicious activity on a Windows computer or server by reviewing events logged in the Windows Event Viewer. It describes how to access and filter the Event Viewer to see events related to the computer being turned on or waking from sleep, which could indicate unauthorized use. It also lists types of suspicious events to watch for in security reports on a Windows server, such as failed or successful remote desktop sessions, login attempts, or changes to security settings. Finally, it provides steps to use the Windows Audit Policy tool to track user activity in a workgroup network.

Uploaded by

Jerwin Lucero

Name: ___________________

Course and Section: _____________

Direction: Follow the instructions, answer the questions in each procedure, and attach a screenshot as proof of your task.

Windows Events
Windows keeps track of all user activity on your computer. The first step to
determine if someone else is using your computer is to identify the times when it
was in use.

● From the Start Menu, type event viewer and open it by clicking on it.
Provide a screenshot where you access it.

● To expand the Windows Logs folder, click on Event Viewer (local).


(screenshot)

● Expand Windows Logs by clicking on it, and then right-click on System.


● Double-click on Filter Current Log and open the dropdown menu for Event
Sources.
● Scroll down to Power-Troubleshooter and tick the box next to it. Then
click OK.

● The Windows Event Viewer will show you when your computer was
brought out of sleep mode or turned on. If you weren’t using it during these
times, someone else was.
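The same check can be run from the command line instead of the Filter Current Log dialog. The following is an added example and not part of the worksheet; it assumes Windows PowerShell 5.1 or later on the local machine and a one-week lookback window. Power-Troubleshooter Event ID 1 is the "returned from a low power state" record the filter above surfaces; Kernel-General Event ID 12 is the system-start record, which the worksheet's filter does not show but which answers the same question (was the machine on?).

```powershell
# Added example (not the worksheet's own steps): list wake-from-sleep and boot
# events from the System log, then flag those outside normal working hours.
$since = (Get-Date).AddDays(-7)   # assumed lookback window; adjust as needed

# Event ID 1 from Power-Troubleshooter: "The system has returned from a low power state."
$wakes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
    Id           = 1
    StartTime    = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent throws when nothing matches; treat that as "no events"

# Event ID 12 from Kernel-General: the operating system started.
$boots = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-General'
    Id           = 12
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Merge both kinds of "machine came alive" events into one timeline
$timeline = @($wakes | ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'Wake from sleep' } }) +
            @($boots | ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'Power on / boot' } })

"All wake/boot events since $since"
$timeline | Sort-Object Time | Format-Table -AutoSize

# Anything outside 08:00-20:00 (an assumed working window) deserves a second look
"Wake/boot events outside working hours"
$timeline | Where-Object { $_.Time.Hour -lt 8 -or $_.Time.Hour -ge 20 } |
    Sort-Object Time | Format-Table -AutoSize
```

The working-hours window is the part to tune: the script only draws the timeline, and deciding whether a 03:00 wake is suspicious still depends on knowing who should have been at the keyboard.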

What are the types of events that Event Viewer provides?

________________________________________________________________
What do you observe about Windows Event Viewer?
_______________________________________________________________
How To Identify Suspicious Activity On a Windows Server
If you are running an environment with several Windows servers, security is
vital. Auditing and tracking Windows activities to identify suspicious activity is
paramount for numerous reasons, including:

● The prevalence of malware and viruses in Windows OS
● Some applications and programs require users to disable some antivirus
and local firewalls
● Users often don’t disconnect remote desktop sessions, leaving the system
vulnerable to unauthorized access

It’s better to take preventative measures than to wait until an incident occurs. You
should have a robust security monitoring process in place to see who is logging
onto your server and when. This will identify suspicious events in the Windows
server security reports.

What To Look Out For In Your Windows Reports


As the administrator of a server, there are several events to keep an eye on to
protect your network from nefarious Windows user activity, including:

● Failed or successful attempts of remote desktop sessions.
● Repeated login attempts resulting in password lockouts.
● Group or audit policy changes you didn’t make.
● Successful or failed attempts to log into your Windows network, member
services, or domain controller.
● Deleted or stopped existing services or new services added.
● Registry settings changed.
● Event logs cleared.
● Disabled or changed Windows firewall or rules.
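Most of the items in that list map onto well-known event IDs, so the review can be scripted rather than clicked through. The block below is an added example, not the article's own code; it assumes an elevated PowerShell session on the server (reading the Security log requires administrator rights), a 24-hour lookback window, and that the relevant audit subcategories are enabled so the events exist at all. The Windows firewall and registry items from the list are left out because their IDs depend on which audit subcategories are turned on.

```powershell
# Added example (not the article's own code): count the suspicious event types
# listed above over the last 24 hours, then break out Remote Desktop logons.
$since = (Get-Date).AddHours(-24)   # assumed lookback window

# Well-known event IDs for items in the list above
$checks = @(
    @{ Log = 'Security'; Id = 4624; Note = 'Successful logon (see RDP breakdown below)' },
    @{ Log = 'Security'; Id = 4625; Note = 'Failed logon' },
    @{ Log = 'Security'; Id = 4740; Note = 'Account locked out after repeated failures' },
    @{ Log = 'Security'; Id = 4719; Note = 'System audit policy changed' },
    @{ Log = 'Security'; Id = 1102; Note = 'Security log cleared' },
    @{ Log = 'System';   Id = 104;  Note = 'System/Application log cleared' },
    @{ Log = 'System';   Id = 7045; Note = 'New service installed' }
)

"Summary since $since"
foreach ($c in $checks) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $c.Log; Id = $c.Id; StartTime = $since } `
                           -ErrorAction SilentlyContinue   # no match raises an error; treat as zero
    [pscustomobject]@{ Log = $c.Log; Id = $c.Id; Count = @($events).Count; Note = $c.Note }
} | Format-Table -AutoSize

# Remote Desktop sessions specifically: 4624 carries LogonType in its event data,
# and LogonType 10 means RemoteInteractive (RDP). Parse the XML to read it.
"Remote Desktop logons since $since"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time = $_.TimeCreated
                User = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                From = $data['IpAddress']
            }
        }
    } | Format-Table -AutoSize
```

A non-zero count for 1102, 104 or 4719 is worth treating as an incident on its own: clearing a log or changing the audit policy is exactly what removes the evidence the other rows depend on, so those rows should be read first.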

As discussed above, events are recorded in the event log in Windows. The three
main types of native logs are:
● Security.
● Application.
● System.

How To Track User Activity In Workgroups


Workgroups are organized networks of computers. They enable users to share
storage, files, and printers.

It is a convenient way to work together and easy to use and administer. However,
without proper administration, you are opening your network to potential security
risks that can affect all participants of the workgroup.

Below are tips on how to track user activity to increase your network security.

Use Windows Audit Policy


Follow the steps below to track what workgroup participants are doing on your
network.

1. Open Run by holding down the Windows key and R.


2. Type [Link] in the box next to Open: and click OK. Provide a screenshot of
how you access it.

What are the contents of the window that appears?

____________________________________________________________________

● From the column on the left, double-click Security Settings. Then expand
the Local Policies setting by clicking on it.

What do you see?

_____________________________________________________

● Open Audit Policy, and then on the menu in the right pane you will see
many Audit entries that are set to Not Defined.
What do you see on the window that appears?

___________________________________________________________________

● Open the first entry. From the Local Security Settings tab,
check Success and Failure under Audit these attempts. Then
click Apply and OK.
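The same setting can be made and verified from an elevated prompt with the built-in auditpol.exe, which is useful for checking that the GUI change actually took effect. This is an added example and not one of the worksheet's steps; it assumes an administrator command prompt. auditpol works on the finer-grained subcategories (for example "Logon" under "Logon/Logoff") that the Local Policies > Audit Policy entries map onto, and if Advanced Audit Policy Configuration is in use, those subcategory settings override the legacy entries the worksheet edits.

```powershell
# Added example (not the worksheet's own steps): show, set, and verify the audit
# policy for logon events with auditpol.exe. Run from an elevated prompt.

# Take a backup of the current policy first so the change can be reverted
auditpol /backup /file:"$env:TEMP\auditpol-before.csv"

# Show what is currently being audited for the whole Logon/Logoff category
auditpol /get /category:"Logon/Logoff"

# Equivalent of ticking both Success and Failure for the Logon entry
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Read it back: the Logon line should now show "Success and Failure"
auditpol /get /subcategory:"Logon"

# To undo, restore the backup taken above:
#   auditpol /restore /file:"$env:TEMP\auditpol-before.csv"
```

Once Success and Failure are enabled here, the Security log starts receiving the 4624 and 4625 logon events that the server review in the previous section relies on; before that, those queries return nothing regardless of what users are doing.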

What happens to the window? What do you observe?
