Auditing failed logons to track hacker activity

Hackers often gain access to a system by setting up an automated program that bombards a server with thousands of possible password combinations. Windows NT provides an auditing utility that can help you recognize these hacking attempts by tracking events at the system and object level. By default, this auditing option is turned off.

To configure Windows NT to audit events, go to Start | Programs | Administrative Tools | User Manager. In the User Manager window, go to the Policies menu and select Audit. In the resulting Audit Policy dialog box, click the Audit These Events radio button to activate auditing, then use the check boxes to track successful and failed events for

  • Logon And Logoff
  • File And Object Access
  • Use Of User Rights
  • User And Group Management
  • Security Policy Changes
  • Restart, Shutdown, and System
  • Process Tracking

When you select one or more of these items, Windows NT tracks occurrences of the events and stores them in the Security Log, which you can view in the Event Viewer (go to Start | Programs | Administrative Tools | Event Viewer).

To watch for failed logons, for example, check the Failure box for Logon And Logoff and click OK. With this configuration, periodic checks of the Event Viewer should quickly provide evidence of a high frequency of failed logon attempts that could indicate a hacker trying to break into your system.
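The periodic check described above can be scripted. The following is an added example, not part of the original tip: it assumes the Security Log has been exported to comma-delimited text with the column layout and time format noted in the comments, and the threshold and window values are illustrative choices.

```python
import csv
import io
from collections import deque
from datetime import datetime, timedelta

# Assumed export layout: Date,Time,Source,Type,Category,Event,User,Computer
TIME_FORMAT = "%m/%d/%y %H:%M:%S"  # assumed date/time format; adjust to your export

# Constructed sample rows (not real log data); order in the file does not matter.
SAMPLE_EXPORT = """\
1/14/99,09:02:11,Security,Success Audit,Logon/Logoff,528,jsmith,SRV01
1/14/99,09:15:40,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SRV01
1/15/99,02:30:20,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SRV01
1/15/99,02:30:16,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SRV01
1/15/99,02:30:12,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SRV01
1/15/99,02:30:09,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SRV01
1/15/99,02:30:05,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SRV01
1/15/99,02:30:01,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SRV01
1/15/99,08:58:47,Security,Success Audit,Logon/Logoff,528,jsmith,SRV01
"""


def failed_logon_times(export_text):
    """Return sorted timestamps of Failure Audit rows in the Logon/Logoff category."""
    times = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 8:
            continue  # skip blank or truncated lines
        date, time, _source, ev_type, category = row[:5]
        if ev_type == "Failure Audit" and category == "Logon/Logoff":
            times.append(datetime.strptime(f"{date} {time}", TIME_FORMAT))
    return sorted(times)


def find_bursts(times, threshold=5, window=timedelta(minutes=1)):
    """Return (start, end, count) for each run with >= threshold failures per window."""
    bursts, recent = [], deque()
    for t in times:
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if bursts and recent[0] <= bursts[-1][1]:
                bursts[-1][1] = t  # window overlaps the previous burst: extend it
            else:
                bursts.append([recent[0], t])
    return [(s, e, sum(s <= t <= e for t in times)) for s, e in bursts]


if __name__ == "__main__":
    for start, end, count in find_bursts(failed_logon_times(SAMPLE_EXPORT)):
        print(f"{count} failed logons between {start} and {end}")
```

The single mistyped password on 1/14 is ignored, while the six failures within twenty seconds on 1/15 are reported as one burst.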


Copyright ©2006