To minimize performance impact on critical Windows NT 4.0 applications and domain controllers (DCs), I turn NT auditing on and off as needed. What command-prompt tool can I use to configure audit policy settings on local and remote systems? If such a tool exists, can attackers misuse it to cover their tracks?
The Microsoft Windows NT Server 4.0 Resource Kit Auditpol tool lets you view or modify the audit policy on a local or remote computer from a command prompt. Attackers with Administrator access to a system can use Auditpol to cover their tracks by typing
auditpol /disable
before starting their actions and
auditpol /enable
when they're finished. However, running Auditpol in this manner usually logs an audit-policy change event—provided that you're auditing policy changes.
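As an added example (not part of the original Q&A), the following Python reads a Security log that was saved from Event Viewer as comma-delimited text and reports every stretch between two consecutive audit-policy-change events during which nothing else was audited, which is exactly the trace an `auditpol /disable` ... `auditpol /enable` pair leaves when policy changes are audited. The column layout and all log lines are constructed for illustration.

```python
"""Spot silent windows bracketed by audit-policy-change events.

The sample below is a constructed Security log export; the column layout
(Date,Time,Source,Type,Category,Event,User,Computer) is assumed, and the
event numbers are sample values, not taken from the original page.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

SAMPLE_LOG = """\
3/12/1999,09:00:12,Security,Success Audit,Logon/Logoff,528,alice,NTSRV1
3/12/1999,09:05:40,Security,Success Audit,Policy Change,612,admin,NTSRV1
3/12/1999,09:47:03,Security,Success Audit,Policy Change,612,admin,NTSRV1
3/12/1999,09:47:10,Security,Success Audit,Logon/Logoff,538,admin,NTSRV1
3/12/1999,10:15:00,Security,Success Audit,Policy Change,612,admin,NTSRV1
3/12/1999,10:15:30,Security,Success Audit,Object Access,560,alice,NTSRV1
"""


def parse_export(text):
    """Return (timestamp, category, user) tuples sorted by time."""
    rows = []
    for rec in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
        rows.append((when, rec["category"], rec["user"]))
    rows.sort()
    return rows


def find_silent_windows(rows, min_gap=timedelta(minutes=1)):
    """Return (start, end, user) for each pair of consecutive Policy Change
    events with no other audited event between them and at least min_gap
    apart. Legitimate back-to-back policy edits fall under min_gap."""
    windows = []
    for (when, cat, user), (nxt_when, nxt_cat, _) in zip(rows, rows[1:]):
        if cat == "Policy Change" and nxt_cat == "Policy Change" and nxt_when - when >= min_gap:
            windows.append((when, nxt_when, user))
    return windows


if __name__ == "__main__":
    for start, end, user in find_silent_windows(parse_export(SAMPLE_LOG)):
        print(f"{user}: auditing silent from {start:%H:%M:%S} to {end:%H:%M:%S} ({end - start})")
```

Matching is done on the Category column rather than on an event number, so the check does not depend on the sample's constructed event IDs.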