NT Gatekeeper: Set the Audit Policy Remotely

To minimize performance impact on critical Windows NT 4.0 applications and domain controllers (DCs), I turn NT auditing on and off as needed. What command-prompt tool can I use to configure audit policy settings on local and remote systems? If such a tool exists, can attackers misuse it to cover their tracks?

The Microsoft Windows NT Server 4.0 Resource Kit Auditpol tool lets you view or modify the audit policy on a local or remote computer from a command prompt. Attackers with Administrator access to a system can use Auditpol to cover their tracks by typing

auditpol /disable

before starting their actions and

auditpol /enable

when they're finished. However, running Auditpol in this manner usually logs an audit-policy change event—provided that you're auditing policy changes.
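The disable/enable pair described above is what a defender would look for in the Security log. The following Python code is an added example, not part of the original column or the Resource Kit: it pairs audit-policy change records (event ID 612 in the NT Security log) per computer and reports each window in which auditing was off. The CSV layout, the "disabled"/"enabled" state column and the sample rows are constructed assumptions about a pre-processed log export.

```python
import csv
from datetime import datetime
from io import StringIO

POLICY_CHANGE_ID = 612  # "Audit Policy Change" in the NT Security log

# Constructed sample export (assumed layout):
# time, event id, computer, user, auditing state after the change
SAMPLE = """\
1999-03-02 01:14:07,612,DC01,Administrator,disabled
1999-03-02 01:52:40,612,DC01,Administrator,enabled
1999-03-02 09:00:12,528,DC01,jsmith,
1999-03-03 22:05:00,612,FS02,Administrator,disabled
"""

def audit_gaps(export_text):
    """Return one dict per window in which auditing was switched off."""
    rows = [r for r in csv.reader(StringIO(export_text)) if len(r) == 5]
    rows.sort(key=lambda r: r[0])          # ISO-style timestamps sort as text
    open_gaps = {}                         # computer -> (time disabled, user)
    gaps = []
    for when, event_id, computer, user, state in rows:
        if int(event_id) != POLICY_CHANGE_ID:
            continue                       # ignore everything but policy changes
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if state == "disabled":
            # Keep the earliest disable if several arrive before an enable.
            open_gaps.setdefault(computer, (ts, user))
        elif state == "enabled" and computer in open_gaps:
            start, who = open_gaps.pop(computer)
            gaps.append({"computer": computer, "disabled_by": who,
                         "enabled_by": user, "start": start, "end": ts,
                         "seconds": int((ts - start).total_seconds())})
    # Auditing that was never switched back on is an open-ended gap.
    for computer, (start, who) in sorted(open_gaps.items()):
        gaps.append({"computer": computer, "disabled_by": who,
                     "enabled_by": None, "start": start, "end": None,
                     "seconds": None})
    return gaps

if __name__ == "__main__":
    for gap in audit_gaps(SAMPLE):
        length = "still off" if gap["end"] is None else f"{gap['seconds']} s"
        print(f"{gap['computer']}: auditing off from {gap['start']} "
              f"({length}), disabled by {gap['disabled_by']}")
```

Any activity on the reported computer inside such a window has no Security log record, so the window itself is the item to investigate.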
