The Windows NT Audit Policy

The other item to keep in mind regarding passwords is to periodically review the NT audit logs for suspicious activity. The logs can reveal failed logon attempts and other unusual activity on your machine. Of course, to actually view logon data, auditing must be turned on, and by default it is not turned on in Windows NT. Using the Audit item on User Manager's Policies menu, you can set the audit policy for the machine (in User Manager for Domains, the policy applies to the domain controllers). Figure 10.19 shows some suggested audit settings you can use to track what is happening on and to your computer. At a bare minimum, logon and logoff events should be audited.

Even when auditing is enabled, NT won't warn you about suspicious behavior; you have to check the logs on a periodic basis. A common mistake is to audit too many things. If the log grows too large, you'll be less likely to pay close attention to it, and potential security breaches will go unnoticed. Consider auditing only logon failures and, if you have set permissions on directories and files, file access failures. Note that auditing file access takes two steps: the File and Object Access category must be enabled in the audit policy, and each file or directory you care about must also have auditing entries set in its Security properties, or nothing is recorded for it. Failed logons and failed file accesses are good indicators that trouble is brewing. If someone attempts to log on with a bad password or to open a restricted file, the attempt is recorded as a failure in the Security log. If you get in the habit of analyzing your security log at least every morning, and more often if you can, you'll be better armed.

Figure 10.19. Suggested NT audit settings.


Auditing and logging are perhaps the most often neglected aspects of computer security. When properly set, logs can be an extremely valuable source of information, both for security-related events and general system administrative problems. Without logs, you cannot adequately investigate computer incidents. Even when audit logs are generated and events are logged, that data serves no purpose if no one actually monitors those logs. The logs could easily be filled with many traces of unauthorized activity, but NT will not notify you.

In many organizations, logs often go unchecked simply because of the sheer volume of data and the mundane nature of the task. Fortunately, many freely available tools on the Internet make it easier to extract data from the NT event logs. Using a utility such as NTLast from Foundstone, Inc. (http://www.foundstone.com), you can parse the Security event log and pull out logon information. NTLast reads the same Security log that your audit policy feeds, so it reports logons only if Logon and Logoff auditing is enabled. Using the -f option of NTLast, it is easy to view all failed logon attempts on a particular machine, as shown in Listing 10.10.

Listing 10.10. NTLast Output
C:\WINNT>ntlast  -f
StrangeUser     GHOST               GHOST           Fri Aug 03 01:01:56pm 2001
StrangeUser     GHOST               GHOST           Fri Aug 03 01:01:53pm 2001
StrangeUser     GHOST               GHOST           Fri Aug 03 01:01:49pm 2001
Mark            \\PC01              PC01            Thu Aug 02 04:27:14pm 2001
Joe             \\PC01              PC01            Thu Aug 02 04:27:14pm 2001
Administrator   \\PC14              PC14            Wed Jul 25 12:04:27pm 2001
Administrator   \\PC14              PC14            Wed Jul 25 12:02:30pm 2001
Administrator   \\PC12              PC12            Wed Jul 25 10:40:47am 2001
Administrator   \\PC12              PC12            Wed Jul 25 10:40:47am 2001

In this example, we see that StrangeUser tried unsuccessfully to log in three times on Friday, August 3, at 1:01 in the afternoon from a machine called GHOST. If this isn't someone we know, it bears investigation.
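Reading nine lines by eye is easy; reading the same listing after a month of a busy server is not. As an added example (not code from the book or from Foundstone's NTLast), the following Python script reads lines in the layout of Listing 10.10 and applies two simple rules: one account failing repeatedly from one source inside a short window, as StrangeUser does from GHOST, and one source failing against several different accounts in quick succession, as PC01 does here with Mark and Joe. The sample lines are constructed to match the listing, and the thresholds and the one-minute window are assumptions chosen so that the sample trips them, not recommended values.

```python
"""Triage NTLast-style failed-logon output.

Added example, not code from the book or from Foundstone's NTLast.  It parses
the columns NTLast prints per failed logon (user, logon domain or machine,
source machine, timestamp) and applies two rules whose thresholds are
assumptions tuned to the constructed sample, not recommended values.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample laid out like Listing 10.10; not captured from a real host.
SAMPLE = r"""
StrangeUser     GHOST               GHOST           Fri Aug 03 01:01:56pm 2001
StrangeUser     GHOST               GHOST           Fri Aug 03 01:01:53pm 2001
StrangeUser     GHOST               GHOST           Fri Aug 03 01:01:49pm 2001
Mark            \\PC01              PC01            Thu Aug 02 04:27:14pm 2001
Joe             \\PC01              PC01            Thu Aug 02 04:27:14pm 2001
Administrator   \\PC14              PC14            Wed Jul 25 12:04:27pm 2001
Administrator   \\PC14              PC14            Wed Jul 25 12:02:30pm 2001
Administrator   \\PC12              PC12            Wed Jul 25 10:40:47am 2001
Administrator   \\PC12              PC12            Wed Jul 25 10:40:47am 2001
"""

THRESHOLD = 3                  # assumed: failures for one account from one source
MIN_USERS = 2                  # assumed: distinct accounts from one source (low, for the sample)
WINDOW = timedelta(minutes=1)  # assumed: time span both rules look across

FailedLogon = namedtuple("FailedLogon", "user domain source when")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_line(line):
    """Turn one NTLast line into a FailedLogon; the weekday column is ignored."""
    parts = line.split()
    if len(parts) != 8:
        raise ValueError(f"not an NTLast logon line: {line!r}")
    user, domain, source, _weekday, mon, day, clock, year = parts
    # NTLast prints 12-hour clock times such as 01:01:56pm; convert to 24-hour.
    hour, minute, second = (int(x) for x in clock[:-2].split(":"))
    meridian = clock[-2:].lower()
    if meridian == "pm" and hour != 12:
        hour += 12
    elif meridian == "am" and hour == 12:
        hour = 0
    when = datetime(int(year), MONTHS[mon], int(day), hour, minute, second)
    return FailedLogon(user, domain, source, when)


def parse_output(text):
    """Parse a whole `ntlast -f` dump, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _run_within(times, count, window):
    """First run of `count` sorted timestamps spanning at most `window`, or None."""
    times = sorted(times)
    for i in range(len(times) - count + 1):
        if times[i + count - 1] - times[i] <= window:
            return times[i], times[i + count - 1]
    return None


def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """(user, source, first, last) for an account hammered from a single source."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.user, e.source)].append(e.when)
    alerts = []
    for (user, source), times in sorted(by_pair.items()):
        hit = _run_within(times, threshold, window)
        if hit:
            alerts.append((user, source, hit[0], hit[1]))
    return alerts


def find_sprays(events, min_users=MIN_USERS, window=WINDOW):
    """(source, users) for one source trying several accounts in quick succession."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    alerts = []
    for source, evs in sorted(by_source.items()):
        evs.sort(key=lambda e: e.when)
        for start in evs:
            users = {e.user for e in evs
                     if timedelta(0) <= e.when - start.when <= window}
            if len(users) >= min_users:
                alerts.append((source, sorted(users)))
                break
    return alerts


if __name__ == "__main__":
    events = parse_output(SAMPLE)
    for user, source, first, last in find_bursts(events):
        print(f"BURST {user} from {source}: {THRESHOLD} failures "
              f"{first:%H:%M:%S} to {last:%H:%M:%S}")
    for source, users in find_sprays(events):
        print(f"SPRAY {source} tried {', '.join(users)} inside {WINDOW}")
```

On a real machine, redirect `ntlast -f` to a file, feed its contents to parse_output, and raise the thresholds to what is normal for your site. The rule runs every morning without getting bored, which is the property a human reading a long log lacks; it still flags only what you thought to look for, so keep reading the log itself occasionally.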

Turn on auditing and review your logs on a periodic basis. In some cases you will be able to see that you are being attacked. Although auditing is not as robust as using third-party software to detect attacks, it is a free start.
