NT's implementation of C2 security doesn't distinguish between an administrator and an auditor. In an ideal system, all administrator and user actions would be logged for later review by an auditor, and no users, including administrators, could cover their tracks by altering the logs. Currently, NT can log administrator actions, but there are several ways administrators can hide those actions. For example, rogue administrators can clear the event logs, effectively covering up actions they want to hide. However, clearing the event logs leaves a trail of evidence. First, an absence of events in the event logs is a situation that invites suspicion. Second, clearing the event logs is an audited event (Event 517 specifies that the event logs were cleared and by whom). In other words, administrators can cover their tracks, but they can't cover up the fact that they covered their tracks. The situation is similar if an administrator turns off auditing
|
|
|
|
|
|
|
|