How to do Windows server auditing?
1. Verify whether the Guest account is disabled
Log in to the Windows Server using an account with administrative privileges.
Open the Command Prompt by typing "cmd" in the Run dialog box and pressing Enter.
In the Command Prompt, type "net user guest" and press Enter. This will display information about the Guest account, including whether it is enabled or disabled.
Look for the line that says "Account active" and check if it says "Yes" or "No". If it says "Yes", the Guest account is enabled. If it says "No", the Guest account is disabled.
2. Ensure that the firewall is on for the server.
Open the Command Prompt by typing "cmd" in the Run dialog box and pressing Enter.
In the Command Prompt, type "netsh advfirewall show allprofiles" and press Enter.
Look for the line that says "State" under the "Domain Profile", "Private Profile", and "Public Profile" sections. If the state says "On", the Windows Firewall is enabled.
If the firewall is off, you can enable it by typing "netsh advfirewall set allprofiles state on" and pressing Enter.
3. Use Windows Group Policies to stop known worms and Trojans from running.
Open the Group Policy Management Console: Click the Start button, search for "Group Policy Management" and click on it.
Navigate to the Group Policy Object you want to modify: Expand the forest, domain, and organizational unit that contains the computer you want to configure, then right-click on the Group Policy Object you want to modify and click "Edit".
Navigate to the "Software Restriction Policies" section: In the left-hand pane of the Group Policy Editor, navigate to "Computer Configuration" > "Windows Settings" > "Security Settings" > "Software Restriction Policies".
Create a new policy: Right-click on "Software Restriction Policies" and select "New Software Restriction Policies".
Configure the policy: Right-click on "Additional Rules" and select "New Path Rule". Then, enter the path of the executable file you want to block in the "Path" field. For example, if you want to block the "msblast.exe" worm, you would enter "C:\Windows\System32\msblast.exe" in the "Path" field. You can also specify a security level, such as "Disallowed" to block the file from running.
Apply the policy: Once you have configured the policy, close the Group Policy Editor and apply the policy to the computer you want to configure.
4. Ensure that enough disk space is available on the system.
5. Check the system event log and confirm that no hardware failures are reported.
Open the Event Viewer by clicking on the Windows Start button and searching for "Event Viewer".
In the Event Viewer window, select the "Windows Logs" section in the left-hand pane.
Look for any events with a "Critical" or "Error" level that relate to hardware failures.
6. Check the Event Viewer for suspicious events, such as the Event Log service being stopped.
Open the Event Viewer by clicking on the Windows Start button and searching for "Event Viewer".
In the Event Viewer, expand the "Windows Logs" folder and select "System".
Look for any events with a "Critical" or "Error" level that relate to the Event Log service being stopped, such as event ID 1100 or 1101.
7. Shut down the system and initiate a server snapshot (the system will be restarted when the snapshot is done).
Click the Windows Start button and press the power button.
A server snapshot can be taken in the Azure portal.
Restart the server once the snapshot is done.
8. Run Windows Defender and Malwarebytes scans, and open a ticket with the customer if anything suspicious is found.
Open Windows Defender by clicking on the Windows Start button and searching for "Windows Security".
Click on "Virus & threat protection" and select "Scan options".
Choose the type of scan you want to run, such as a full scan or a quick scan, and click on "Scan now".
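As an added example that is not part of the original page, the following PowerShell script runs checks 1, 2, 4, 5, 6 and 8 of this list from an elevated session on the server itself (steps 3 and 7 are done in Group Policy and the Azure portal and are not covered). The free-space threshold, the look-back window and the list of hardware-related event providers are assumed values.

```powershell
# Added audit helper for the checklist above (not from the original page).
# Run from an elevated PowerShell session on the server being audited.
$MinFreePercent = 15   # assumed threshold for step 4
$LookBackDays   = 7    # assumed window for steps 5 and 6
$HwProviders    = 'disk|ntfs|storahci|whea|volmgr'   # assumed hardware-related sources
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Step 1: the Guest account must be disabled (cmdlet equivalent of "net user guest")
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Result 'Guest account disabled' ($null -eq $guest -or -not $guest.Enabled) "Enabled=$($guest.Enabled)"

# Step 2: Windows Firewall must be on for the Domain, Private and Public profiles
$off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
Add-Result 'Firewall on for all profiles' ($off.Count -eq 0) ('Off: ' + ($off -join ', '))

# Step 4: every local fixed disk (DriveType 3) must have at least $MinFreePercent free
$low = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    Where-Object { $_.Size -gt 0 -and ($_.FreeSpace / $_.Size * 100) -lt $MinFreePercent } |
    ForEach-Object { "$($_.DeviceID) $([math]::Round($_.FreeSpace / 1GB, 1)) GB free" }
Add-Result "Free disk space >= $MinFreePercent%" ($low.Count -eq 0) ($low -join '; ')

# Step 5: no Critical (1) or Error (2) events from hardware-related sources in the System log
$since = (Get-Date).AddDays(-$LookBackDays)
$hw = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match $HwProviders }
Add-Result 'No hardware errors in System log' ($hw.Count -eq 0) "$($hw.Count) event(s) in last $LookBackDays day(s)"

# Step 6: the event IDs the checklist names for the Event Log service stopping (1100, 1101)
$stop = Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Security'; Id = 1100, 1101; StartTime = $since } -ErrorAction SilentlyContinue
Add-Result 'No Event Log service stop events (1100/1101)' ($stop.Count -eq 0) "$($stop.Count) event(s)"

# Step 8: Defender quick scan; Malwarebytes has no built-in cmdlet and stays a manual step
Start-MpScan -ScanType QuickScan
$threats = Get-MpThreatDetection -ErrorAction SilentlyContinue
Add-Result 'Defender has no threat detections on record' ($threats.Count -eq 0) "$($threats.Count) detection(s)"

$results | Format-Table -AutoSize
```

Any row with Pass = False is the item to follow up on (and, per step 8, to raise with the customer).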