Windows NT Event Log

This vulnerability enables an intruder to read the application, system, or security log on a Windows NT computer. Any user who is allowed to access the computer from the network can read the application and system logs, so this test may show nothing more than the fact that the person running the scanner is allowed to access the scanned machine. However, if the scanning user is not one who should have access to the scanned machine, the result can indicate that the guest account is enabled and is allowed to access the computer from the network. If the security log has been accessed, this shows that the scanning user has administrator-level access to the scanned machine. If the scanning user should not have that level of access, the user permissions may be set incorrectly or, in the worst case, the guest account is enabled and is a member of the administrators group.

Typically, the application log does not contain information an intruder may find useful. However, some applications may write sensitive information to the application log. One such application is the Ataman Telnet, Rlogin and Rexec services.

Risk: Low to high

OS Vulnerable: Windows NT

Fix: Check the "Access the computer from the network" access control list under User rights or, if inappropriate security log access was noted, check which users are administrators on the host.
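
The administrator and guest-account checks named in the fix can be scripted by parsing the output of `net localgroup Administrators` and `net user Guest`. The following is an added example, not part of the original page; it assumes English-language command output, a Guest account that has not been renamed, and an auditor-supplied list of expected administrators (`expected_admins` and the function names are hypothetical).

```python
import re

# Constructed, abbreviated output of `net localgroup Administrators` and
# `net user Guest`; not captured from a real host.
SAMPLE_ADMINS = """\
Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
Guest
LAB\\Domain Admins
The command completed successfully.
"""
SAMPLE_GUEST = """\
User name                    Guest
Account active               Yes
The command completed successfully.
"""

def group_members(net_localgroup_output):
    """Return the member names listed below the dashed separator line."""
    members, in_list = [], False
    for line in net_localgroup_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members

def account_active(net_user_output):
    """Return True/False from the 'Account active' field, None if absent."""
    m = re.search(r"^Account active\s+(\S+)", net_user_output, re.MULTILINE)
    return None if m is None else m.group(1).lower() == "yes"

def audit(admins_output, guest_output, expected_admins):
    """Flag unexpected administrators and the guest-as-administrator worst case."""
    members = group_members(admins_output)
    expected = {name.lower() for name in expected_admins}
    unexpected = [m for m in members if m.lower() not in expected]
    guest_on = account_active(guest_output)
    guest_admin = any(m.split("\\")[-1].lower() == "guest" for m in members)
    return {"unexpected_admins": unexpected, "guest_active": guest_on,
            "guest_is_admin": guest_admin, "worst_case": bool(guest_on and guest_admin)}
```

These commands do not report the network-access user right, which still has to be reviewed under User rights.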