System Hacking - p.13

Lab 12

Viewing, Enabling, and Clearing the Audit Policies Using Auditpol

Ajidffpolis a con/n/andin Windons Server2012, Windons Server2008, and Windoirs Server 200J and is leqnhedfor querying orconfgningan a!iditpolicy at the snbcafespy level

Lab Scenario

To be an expert ethical hacker and penetration tester, you must have sound
knowledge of footprinting, scanning, and enumeration. Tins process requires an
active connection to the machine being attacked. A hacker enumerates applications
and banners in addition to identifying user accounts and shared resources.
You should also have knowledge on gaining access, escalating privileges, executing
applications, luduig tiles, and covering tracks.

Lab Objectives

The objective of tins lab is to help students learn:
■ How to set audit policies

Lab Environment

To earn־ out the lab, you need:
■ Auditpol is a built-in command in Windows Server 2012
■ You can see the more audit commands from the following link:
http:/ / technet.microsott.com/enus

/library /cc731451 %28v=ws. 100/029.aspx for Windows Server 2012
■Run diis on Windows Server 2012

Lab Duration

Time: 10 Minutes
Overview of Auditpol
Aucftpd displays information on performance and functions to man^xiate audit policies.

Lab Task

1. Select Start Command Prompt.
2. Administrator: A command prompt will appears as shown in the following
figure.

FIGURE 12.1: Administrator Command Prompt in windows server 2012

3. To view all die audit policies, type die following command in thecommand prompt: auditpol /get /category:*
4. Press Enter

FIGURE 12.2: Auditpol viewing die policies

5. To enable die audit policies, type die following command in the command prompt:
auditpol /set /category:"system",'"account logon" /success:enable /failureienable
6. Press Enter.

FIGURE 12.3: Auditpol Local Security Policies in Windows Server 2012

7. To check if audit policies are enabled, type die following command in the command prompt auditpol /get /category:*
8. Press Enter.

FIGURE 12.4: Auditpol enabling system and account logon policies

9. To clear die audit policies, type die following command in the command prompt: auditpol /clear /y
10. Press Enter.

FIGURE 12.5: Auditpol clearing die policies

11. To check if the audit policies are cleared, type the following command in the  command prompt: auditpol I get /category:*
12. Press Enter.

FIGURE 12.6: Auditpol clearing die audit policies

Lab Analysis
Analyze and document the results related to the lab exercise.

Questions

1. How do you configure global resource SACLs using Auditpol?
2. Evaluate a report or backup an audit policy to a comma separated value (CSV) text file.