What useful things can be extracted from the logs of a Windows-based workstation?

The user workstation is the most vulnerable point of the infrastructure from an information security standpoint. A user may receive a message in their work mailbox that appears to come from a trusted source but links to an infected site. Someone may download a "useful" work utility from an unknown location. You can come up with dozens of scenarios in which malware gets into internal corporate resources through users. That is why workstations deserve extra attention, and in this article we explain where to look and which events to take in order to track an attack.

To detect an attack at the earliest possible stage, Windows offers three useful event sources: the Security Event Log, the System Monitor (Sysmon) log, and the PowerShell logs.

Security Event Log

This is the main storage location for the system's security records. It holds user logon/logoff events, object access, policy changes, and other security-related activity, provided, of course, that the appropriate audit policy is configured.

Enumeration of users and groups (events 4798 and 4799). At the very beginning of an attack, malware often enumerates the local accounts and local groups on the workstation to find credentials for its further activity. These events help detect malicious code before it moves on and, using the collected data, spreads to other systems.

Creation of a local account and changes to local groups (events 4720, 4722-4726, 4738, 4740, 4767, 4780, 4781, 4794, 5376 and 5377). An attack can also begin, for example, with a new user being added to the local Administrators group.

Logon with a local account (event 4624). Well-behaved users log on with a domain account, so a logon under a local account can indicate the start of an attack. Event 4624 also covers logons under a domain account, so when processing these events you need to filter out the ones in which the domain differs from the workstation name.

Logon attempt with explicitly specified credentials (event 4648). This occurs when a process is started in "run as" mode. It should not happen during normal operation, so such events must be monitored.

Locking/unlocking the workstation (events 4800-4803). Anything that happens on a locked workstation falls into the category of suspicious events.

Firewall configuration changes (events 4944-4958). Obviously, installing new software can change the firewall settings, which will produce false positives. In most cases there is no need to track such changes, but it certainly does not hurt to know about them.

Connection of Plug'n'Play devices (event 6416, Windows 10 only). This is worth watching if users normally do not connect new devices to the workstation and then suddenly do.
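As an added example (not code from the original article), the two Security log checks described above expressed in PowerShell: the 4624 filter that keeps only local-account logons, and a per-process summary of the 4798/4799 enumeration events. It assumes PowerShell 5.1 or later run from an elevated prompt on the workstation.

```powershell
# Added example (not from the article): pull the Security log events the text
# singles out and apply the filters it describes. Assumes PowerShell 5.1 or later
# on the workstation, run elevated (reading the Security log needs admin rights).

# Turn a record's EventData into a name -> value table so fields can be addressed
# by name (TargetDomainName, CallerProcessName, ...) rather than by position.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 4624 records domain and local logons alike. A local account's TargetDomainName is
# the workstation's own name, so keep only those and drop the machine account ($).
function Get-LocalAccountLogon {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $computer = $env:COMPUTERNAME
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = [int]$d.LogonType
                Source    = $d.IpAddress
                Process   = $d.ProcessName
            }
        } |
        Where-Object { $_.Account -like "$computer\*" -and $_.Account -notlike '*$' }
}

# 4798 (user's group membership enumerated) and 4799 (local group membership
# enumerated) name the calling process; summarizing by process makes an unfamiliar
# binary stand out among the usual system components.
function Get-AccountEnumeration {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4798, 4799; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Process = $d.CallerProcessName
                               Target = "$($d.TargetDomainName)\$($d.TargetUserName)" }
        } |
        Group-Object Process | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Targets'; e = { ($_.Group.Target | Sort-Object -Unique) -join ', ' } }
}

Get-LocalAccountLogon | Format-Table -AutoSize
Get-AccountEnumeration | Format-Table -AutoSize
```

Both functions return nothing unless the corresponding audit subcategories (Logon, User Account Management, Security Group Management) are enabled.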

Windows has 9 audit categories and 50 subcategories for fine-tuning. The minimum set of subcategories that should be enabled in the settings:

Logon/Logoff

  • Logon;
  • Logoff;
  • Account Lockout;
  • Other Logon/Logoff Events.

Account Management

  • User Account Management;
  • Security Group Management.

Policy Change

  • Audit Policy Change;
  • Authentication Policy Change;
  • Authorization Policy Change.
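The same minimum set switched on with auditpol, as an added example (not from the original article). It assumes an elevated prompt; where the workstation receives Advanced Audit Policy settings from Group Policy, those override the local values at the next policy refresh.

```powershell
# Added example (not from the article): enable the minimum audit subcategories the
# text lists. Run elevated. If "Advanced Audit Policy Configuration" is delivered by
# Group Policy, the GPO values override these local settings on the next refresh.
$subcategories = @(
    # Logon/Logoff
    'Logon', 'Logoff', 'Account Lockout', 'Other Logon/Logoff Events',
    # Account Management
    'User Account Management', 'Security Group Management',
    # Policy Change
    'Audit Policy Change', 'Authentication Policy Change', 'Authorization Policy Change'
)

foreach ($sub in $subcategories) {
    # Success and failure both matter: failed lockouts and failed policy changes
    # are exactly the events an intruder generates while probing.
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Verify: every listed subcategory should now read "Success and Failure".
foreach ($cat in 'Logon/Logoff', 'Account Management', 'Policy Change') {
    auditpol /get /category:"$cat"
}
```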

System Monitor (Sysmon)

Sysmon is a Microsoft (Sysinternals) utility for Windows that records events to the event log. It usually has to be installed separately.

In principle, the same events can be found in the Security log (by enabling the required audit policy), but Sysmon provides more detail. Which events can be taken from Sysmon?

Process creation (event ID 1). The Security log can also tell you when an *.exe was started and show its name and launch path. Unlike Sysmon, however, it cannot show the hash of the executable. A malicious program may well be called notepad.exe, but the hash will give it away.

Network connections (event ID 3). Obviously, there are a great many network connections and it is impossible to track them all. But it is worth noting that Sysmon, unlike the Security log, can tie a network connection to the ProcessID and ProcessGUID fields and shows the source and destination ports and IP addresses.

Changes to the system registry (event IDs 12-14). The simplest way to add yourself to autorun is to register in the registry. The Security log can record this too, but Sysmon shows who made the change, when, from where, the process ID and the previous value of the key.

File creation (event ID 11). Unlike the Security log, Sysmon shows not only the location of the file but also its name. Obviously you cannot track everything, but you can audit specific directories.

And now what is not available through the Security log policies but is available in Sysmon:

Change of file creation time (event ID 2). Some malware alters a file's creation date to hide it from reports of recently created files.

Loading of drivers and dynamic libraries (event IDs 6-7). Tracks the loading of DLLs and device drivers into memory, including the digital signature and whether it is valid.

Creation of a thread in a running process (event ID 8). One type of attack that also needs to be monitored.

RawAccessRead events (event ID 9). Raw disk read operations, i.e. reads that address the drive directly rather than going through the file system. In most cases such activity should be considered anomalous.

Creation of a file with a named stream (event ID 15). The event is logged when a named file stream is created, and it records the hash of the file's contents.

Named pipe creation and connection (event IDs 17-18). Tracks malicious code that communicates with other components through a named pipe.

WMI activity (event ID 19). Logs the events generated when the system is accessed via the WMI protocol.

To protect Sysmon itself, you need to monitor events with ID 4 (Sysmon stop and start) and ID 16 (Sysmon configuration change).
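As an added example (not code from the original article), the "notepad.exe with the wrong hash" idea above turned into a check over Sysmon event ID 1. It assumes Sysmon is installed with SHA256 among its hash algorithms, and it goes a little beyond the text by also comparing the on-disk name with the OriginalFileName Sysmon reads from the executable's version resource.

```powershell
# Added example (not from the article). Assumes Sysmon is installed and logs SHA256
# in its Hashes field. Flattens each process-creation event into an object, then
# applies two masquerading checks to the last 24 hours of events.
function ConvertFrom-SysmonProcessCreate {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $d = @{}
    foreach ($x in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
    # Hashes is a string such as "SHA256=...,MD5=..."; pick the SHA256 entry out of it.
    $sha256 = @($d.Hashes -split ',' | Where-Object { $_ -like 'SHA256=*' })
    [pscustomobject]@{
        Time             = $Record.TimeCreated
        Image            = $d.Image
        ImageName        = [System.IO.Path]::GetFileName($d.Image)
        OriginalFileName = $d.OriginalFileName
        Sha256           = if ($sha256) { $sha256[0].Substring(7) } else { '' }
        User             = $d.User
    }
}

function Find-MasqueradingProcess {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    $procs = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonProcessCreate $_ })

    # Check 1: one file name started from binaries with different hashes. The real
    # notepad.exe has a single hash; a copy that only shares the name does not.
    foreach ($g in ($procs | Group-Object ImageName)) {
        $hashes = @($g.Group.Sha256 | Where-Object { $_ } | Sort-Object -Unique)
        if ($hashes.Count -gt 1) {
            [pscustomobject]@{ Check = 'MultipleHashes'; Name = $g.Name; Detail = ($hashes -join ' | ') }
        }
    }
    # Check 2: the name on disk differs from the name compiled into the binary.
    # Some installers and renamed admin tools trip this legitimately, so review
    # the output rather than alerting on it blindly.
    foreach ($p in $procs) {
        if ($p.OriginalFileName -and $p.OriginalFileName -ne '-' -and $p.OriginalFileName -ne $p.ImageName) {
            [pscustomobject]@{ Check = 'NameMismatch'; Name = $p.Image; Detail = "OriginalFileName=$($p.OriginalFileName) User=$($p.User)" }
        }
    }
}

Find-MasqueradingProcess | Format-Table -AutoSize
```

The same Get-WinEvent call with Id = 4, 16 in the filter hashtable returns the Sysmon stop/start and configuration-change events mentioned above.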

PowerShell logs

PowerShell is a powerful tool for managing Windows infrastructure, so there is a good chance an attacker will choose it. There are two sources you can use to obtain PowerShell data: the Windows PowerShell log and the Microsoft-Windows-PowerShell/Operational log.

Windows PowerShell log

Provider loaded (event ID 600). PowerShell providers are components that expose a data source for PowerShell to view and manage. Built-in providers include, for example, the Windows environment variables and the system registry. The appearance of new providers should be monitored so that malicious activity is detected in time. For example, if you see WSMan appear among the providers, a remote PowerShell session has been started.

Microsoft-Windows-PowerShell/Operational log (or Microsoft-Windows-PowerShellCore/Operational in PowerShell 6)

Module logging (event ID 4103). These events record details of every command executed and the parameters it was called with.

Script block logging (event ID 4104). Script block logging shows every block of PowerShell code that was executed. Even if an attacker tries to obfuscate the command, this event type shows the PowerShell command that was actually run. It can also record some of the low-level API calls being made; such events are normally logged at the Verbose level, but if a suspicious command or script is used in a code block, it is logged as a Warning.
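As an added example (not code from the original article), enabling module logging and script block logging through the local policy registry keys and then pulling the 4104 events logged at the Warning level. Because a long script is split across several 4104 events, the function reassembles the parts that share a ScriptBlockId; it assumes an elevated prompt and PowerShell 5.1 or later.

```powershell
# Added example (not from the article): enable the two sources the text describes
# (module logging -> 4103, script block logging -> 4104) through the local policy
# registry keys, then pull the 4104 events Windows marks as Warning and reassemble
# script blocks that were split across several events. Run elevated; the keys
# below are the same ones the corresponding Group Policy settings write.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null   # every module

# A 4104 event carries MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId
# and Path. A long script is logged as MessageTotal parts sharing one ScriptBlockId,
# so the parts are grouped and concatenated in order to recover the script as run.
function Get-SuspiciousScriptBlock {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Level 3 = Warning: the engine's own verdict that the block contains suspicious content.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = 3; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Part  = [int]$_.Properties[0].Value
                Total = [int]$_.Properties[1].Value
                Text  = [string]$_.Properties[2].Value
                Id    = [string]$_.Properties[3].Value
                Path  = [string]$_.Properties[4].Value
            }
        } |
        Group-Object Id |
        ForEach-Object {
            $parts = @($_.Group | Sort-Object Part)
            [pscustomobject]@{
                FirstSeen = $parts[0].Time
                Path      = $parts[0].Path
                Complete  = ($parts.Count -eq $parts[0].Total)   # false if some parts fell outside the time window
                Script    = ($parts.Text -join '')
            }
        }
}

Get-SuspiciousScriptBlock | Format-List
```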

Note that once a tool has been configured to collect and analyze these events, additional tuning time will be needed to reduce the number of false positives.

Tell us in the comments what you collect for information security auditing and which tools you use for it. One of our areas of focus is solutions for auditing information security events. For the problem of collecting and analyzing logs, we suggest taking a closer look at Quest InTrust, which compresses stored data at a ratio of 20:1, and a single installed instance can process up to 60,000 events per second from 10,000 sources.

Source: www.habr.com
