Detecting Unauthorized Access

You can archive Web site and server security audit logs to monitor security events over extended periods of time. You can then use the Windows NT Event Viewer utility to view these audit logs and detect unauthorized access attempts, which can appear as warning or error log entries. For more information about auditing, consult your Windows NT documentation.

Important: You must log on as a member of the Administrators group to audit files and directories.

To detect unauthorized access of Web server resources with Event Viewer
  1. Click Start, point to Programs, point to Administrative Tools, then click Event Viewer.
  2. On the Log menu, select Security.
     Note: Choose carefully which events will be logged. The maximum size of each computer's security log is defined in Event Viewer. Consult the Event Viewer online Help for more information.

  3. Inspect the logs for suspect security events, including the following:
    • Multiple failed commands attempting to run executable files or scripts. Closely monitor the Scripts directory.
    • Excessive failed logon attempts from a single IP address, with the possible intention of increasing network traffic or denying access to other users.
    • Failed attempts to access and modify .bat or .cmd files.
    • Unauthorized attempts to upload files to a directory containing executable files.
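
The four checks listed above can also be run over an exported copy of the log. The following is an added example, not Microsoft code: the CSV column layout, the thresholds, the sample rows, and the `C:\InetPub\scripts` path are assumptions made for illustration and do not reflect the format Event Viewer itself writes.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample rows. The column layout is an assumption for this example.
SAMPLE_LOG = r"""time,result,category,source_ip,access,object
09:00:01,Failure,Logon,192.0.2.10,,
09:00:03,Failure,Logon,192.0.2.10,,
09:00:05,Failure,Logon,192.0.2.10,,
09:00:09,Success,Logon,192.0.2.44,,
09:01:12,Failure,Object Access,192.0.2.10,Execute,C:\InetPub\scripts\tools.exe
09:01:15,Failure,Object Access,192.0.2.10,Execute,C:\InetPub\scripts\run.pl
09:02:40,Failure,Object Access,198.51.100.7,Write,C:\InetPub\scripts\setup.cmd
09:03:02,Failure,Object Access,198.51.100.7,Write,C:\InetPub\scripts\new.exe
09:04:00,Failure,Logon,198.51.100.7,,
09:05:30,Success,Object Access,192.0.2.44,Read,C:\InetPub\wwwroot\index.htm
"""

def review_security_log(csv_text, logon_threshold=3, exec_threshold=2,
                        exec_dirs=(r"C:\InetPub\scripts",)):
    """Apply the four checks from the list above to failure events only."""
    # PureWindowsPath compares case-insensitively, matching Windows file names.
    exec_dirs = {PureWindowsPath(d) for d in exec_dirs}
    failed_logons, failed_exec = Counter(), Counter()
    batch_access, uploads = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["result"] != "Failure":
            continue
        ip = row["source_ip"]
        if row["category"] == "Logon":
            failed_logons[ip] += 1
            continue
        path = PureWindowsPath(row["object"])
        if row["access"] == "Execute":          # failed attempt to run a file
            failed_exec[ip] += 1
        if path.suffix.lower() in (".bat", ".cmd"):
            batch_access.append((ip, str(path)))
        if row["access"] == "Write" and path.parent in exec_dirs:
            uploads.append((ip, str(path)))      # write into an executable directory
    return {
        "excessive_failed_logons":
            {ip: n for ip, n in failed_logons.items() if n >= logon_threshold},
        "repeated_failed_execution":
            {ip: n for ip, n in failed_exec.items() if n >= exec_threshold},
        "failed_batch_file_access": batch_access,
        "failed_upload_to_exec_dir": uploads,
    }
```

Single failures (such as the one failed logon from 198.51.100.7) stay below the thresholds and are not reported, which keeps ordinary mistyped passwords out of the findings.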

© 1997 by Microsoft Corporation. All rights reserved.