Application log readable

Risk Level: Low

Check or Attack Name: applog

Platforms: Windows NT

Description:

The Windows NT Application Log could be read from the network. If the user account is not one that should have access to the host, it may indicate that the Guest account is enabled and is allowed to access the computer from the network. If the account should not have that level of access, then the user permissions may be set incorrectly or, in the worst case, the Guest account is enabled and is a member of the Administrators group. Typically, the application log does not contain information an attacker would find useful. However, some applications, such as Ataman Telnet, Rlogin, and Rexec, may write sensitive information to the application log.

Remedy:

Remove Administrator access for unauthorized user accounts and remove network access rights for the Guest account.

To remove Administrator access from a user account, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Double-click the Administrators group, or the group you use to assign administrative rights.
  3. Remove any unexpected Members. Look for the following:
    • User accounts or groups that do not need administrative rights.
    • User accounts or groups that are disabled or obsolete.
  4. The Guest account should not be a member of Administrators unless there is a compelling reason.
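
The membership review in steps 3 and 4 can also be run over saved command output. The script below is an added example, not part of the original advisory: it assumes the text comes from `net localgroup Administrators` and `net user <name>`, and the sample output, account names and APPROVED list are constructed for illustration.

```python
# Constructed sample of `net localgroup Administrators` output.
SAMPLE_GROUP = """Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
Guest
LAB\\Domain Admins
oldsvc
The command completed successfully.
"""
# Constructed `net user <name>` excerpts, keyed by account name.
SAMPLE_USERS = {
    "Guest": "User name                    Guest\nAccount active               Yes\n",
    "oldsvc": "User name                    oldsvc\nAccount active               No\n",
}
APPROVED = {"administrator", "lab\\domain admins"}  # hypothetical allowlist

def parse_members(text):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line and set(line) == {"-"}:
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members

def is_disabled(net_user_text):
    """True when `net user` output reports 'Account active' as No."""
    for line in net_user_text.splitlines():
        if line.startswith("Account active"):
            return line.split()[-1].lower() == "no"
    return False

def audit(group_text, user_texts, approved):
    """Return {member: finding} for members that steps 3 and 4 say to review."""
    findings = {}
    for name in parse_members(group_text):
        if name.lower() == "guest":
            findings[name] = "Guest is a member of Administrators"
        elif is_disabled(user_texts.get(name, "")):
            findings[name] = "disabled account still holds administrative rights"
        elif name.lower() not in approved:
            findings[name] = "not on the approved administrators list"
    return findings

if __name__ == "__main__":
    for account, why in audit(SAMPLE_GROUP, SAMPLE_USERS, APPROVED).items():
        print(f"{account}: {why}")
```

Members that produce a finding are the ones to remove in User Manager as described above.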

To prevent remote log on of a Windows NT user account, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Select the user account from the list.
  3. From the Policies menu, select User Rights to display the User Rights Policy dialog box.
  4. From the Right list, select Access this computer from network.
  5. From the Grant To list, select the user account and click Remove.
  6. Click OK.