Apart from maintaining the network's physical components (especially the Network Interface Cards (NICs) and the media), the following should be monitored when auditing a network:
- Data reads and writes: number, volume, and success rate.
- Number of commands in the queue.
- Number of Ethernet network collisions.
- Security errors and failures in logins, object access, and changes to security settings. Too many may mean a hacker is at work.
- Server sessions and connections: rate, volume, and causes of termination.
- Hard disk performance: space available, rate and volume of access, and number of requests.
- Memory usage: how often RAM usage peaks and the system has to take a hard page fault (i.e. go to virtual memory on the hard disk).
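The "too many security failures" check from the list above, as an added example that is not part of the original page: it counts failed audit events per category and user inside a sliding time window and reports the pairs that reach a threshold. The column layout, the threshold of 5, and the 10-minute window are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not a real export); the column layout is an
# assumption made for this example.
SAMPLE_LOG = """\
date,time,type,category,user,computer
1999-03-01,09:00:05,Failure Audit,Logon/Logoff,jsmith,WKS01
1999-03-01,09:00:20,Success Audit,Logon/Logoff,jsmith,WKS01
1999-03-01,09:12:00,Failure Audit,Logon/Logoff,admin,WKS07
1999-03-01,09:12:30,Failure Audit,Logon/Logoff,admin,WKS07
1999-03-01,09:13:00,Failure Audit,Logon/Logoff,admin,WKS07
1999-03-01,09:13:30,Failure Audit,Logon/Logoff,admin,WKS07
1999-03-01,09:14:00,Failure Audit,Logon/Logoff,admin,WKS07
1999-03-01,09:14:30,Failure Audit,Logon/Logoff,admin,WKS07
1999-03-01,09:40:00,Failure Audit,Object Access,bwong,WKS03
1999-03-01,10:55:00,Failure Audit,Object Access,bwong,WKS03
1999-03-01,11:30:00,Failure Audit,Logon/Logoff,admin,WKS07
"""

def failure_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {(category, user): peak failure count inside any one window}
    for every pair whose peak reaches the threshold."""
    rows = csv.DictReader(io.StringIO(log_text))
    events = [
        (datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S"),
         r["category"], r["user"])
        for r in rows if r["type"] == "Failure Audit"
    ]
    events.sort()  # logs merged from several servers may be out of order
    recent = defaultdict(deque)  # (category, user) -> failures still in window
    peaks = {}
    for when, category, user in events:
        q = recent[(category, user)]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(category, user)] = max(peaks.get((category, user), 0), len(q))
    return peaks

if __name__ == "__main__":
    for (category, user), count in failure_bursts(SAMPLE_LOG).items():
        print(f"{category}: {count} failures for {user} within 10 minutes")
```

A single mistyped password (jsmith) and widely spaced object-access failures (bwong) stay below the threshold; only the burst against one account is reported.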
NT Server Auditing Tools
NT Server includes many tools. Here are four nice ones:
- Event Viewer, an NT Administrative Tool. Keeps an ongoing log of security events, system information events, and application-generated events. The events to be logged are selected in the NT Administrative Tool called User Manager for Domains (from there, go to the Policies menu and choose Audit).
- Performance Monitor, an NT Administrative Tool. Graphs the performance of miscellaneous network components such as the disk, network interface, protocol, redirector, etc. It is best run from a lightly loaded machine to monitor trends on a remote server, because monitoring an already loaded server locally would use up a lot of that server's resources.
- Network Monitor, an NT Administrative Tool. This is a powerful low-level sniffer. It can be used to see the data stream directly: protocol type, source and destination addresses, headers, footers, and body data in either ASCII or hexadecimal. There is so much to be seen that Network Monitor is best used with some sort of filter or filters. Since it has such potential as a hacking tool, Network Monitor detects other instances of Network Monitor agents on the network. Network Monitor does not automatically install with NT; it must be installed separately at Control Panel: Network: Services: Network Monitor.
- Windows NT Task Manager, a lighter monitoring tool accessible via ALT-CTRL-DEL. It shows open apps, processes, and performance data. It is also a quick and dirty way to close apps and processes.