Tech Tip: Audit failed logons to track NT hacker activity

Check out this NT auditing utility that helps you recognize hacking attempts.

Hackers often gain access to a system by setting up an automated program that bombards a server with thousands of possible password combinations. Windows NT provides an auditing utility that can help you recognize these hacking attempts by tracking events at the system and object level.

NT does not enable this auditing option by default, so you'll need to turn on this feature. To configure NT to audit events, follow these steps:

  1. Go to Start | Programs | Administrative Tools | User Manager.
  2. In the User Manager window, select Audit from the Policies menu.
  3. In the Audit Policy dialog box, select the Audit These Events radio button to activate auditing, and use the check boxes to track successful and failed events.

These options include:

  • Logon And Logoff
  • File And Object Access
  • Use Of User Rights
  • User And Group Management
  • Security Policy Changes
  • Restart, Shutdown, and System
  • Process Tracking

When you select one or more of these items, NT tracks occurrences of the events and stores them in the Security Log, which you can view in the Event Viewer. (Go to Start | Programs | Administrative Tools | Event Viewer.)

For example, to watch for failed logons, select the Failure check box for Logon And Logoff, and click OK. With this configuration, periodic checks of the Event Viewer should quickly provide evidence of a high frequency of failed logon attempts that could indicate a hacker trying to break into your system.
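The periodic check described above can be automated once the Security Log has been exported to text. The following is an added example, not part of the original tip: it counts failed-logon events per account inside a sliding time window and reports accounts that reach a threshold. The CSV column names, the sample rows, the function name, and the threshold and window defaults are assumptions made for illustration; 529 is the event ID NT records for a logon failure caused by an unknown user name or bad password.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event ID NT logs for a failed logon (unknown user name or bad password).
FAILED_LOGON_EVENT = "529"

# Constructed sample data. The column names and layout are assumptions;
# map them to whatever your Security Log export actually contains.
SAMPLE_LOG = """timestamp,type,category,event_id,account
2000-03-14 02:01:05,Failure Audit,Logon/Logoff,529,administrator
2000-03-14 02:01:07,Failure Audit,Logon/Logoff,529,Administrator
2000-03-14 02:01:09,Failure Audit,Logon/Logoff,529,administrator
2000-03-14 02:01:11,Failure Audit,Logon/Logoff,529,administrator
2000-03-14 02:01:13,Failure Audit,Logon/Logoff,529,administrator
2000-03-14 08:30:00,Failure Audit,Logon/Logoff,529,jsmith
2000-03-14 08:30:20,Success Audit,Logon/Logoff,528,jsmith
2000-03-14 13:05:00,Failure Audit,Logon/Logoff,529,jsmith
"""


def find_failed_logon_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {account: peak_count} for every account that reaches
    `threshold` failed logons within any sliding window of length `window`."""
    recent = defaultdict(deque)  # account -> failure timestamps still in the window
    peaks = {}
    rows = csv.DictReader(io.StringIO(log_text))
    # ISO-style timestamps sort correctly as plain strings.
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        if row["type"] != "Failure Audit" or row["event_id"] != FAILED_LOGON_EVENT:
            continue
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        account = row["account"].lower()  # NT account names are case-insensitive
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[account] = max(peaks.get(account, 0), len(q))
    return peaks


if __name__ == "__main__":
    for account, count in find_failed_logon_bursts(SAMPLE_LOG).items():
        print(f"{account}: {count} failed logons within one minute")
```

An occasional mistyped password, such as the two jsmith failures hours apart in the sample, stays below the threshold; only the rapid burst against one account is reported.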
