Auditing Windows Operating Systems

Performing the audit

The key to a successful audit of Windows servers or clients is to review the host thoroughly by itself and in conjunction with the many other possible connections that pass data to and from the host.

Setup and General Controls

The following represents a check of the overall system setup and other general controls to ensure overall system compliance with your organization's policy. These are mostly general, high-level controls, such as making certain that the system runs company-provisioned firewall and antivirus programs.

1. Obtain the system information and service pack version and compare with policy requirements.

Policies were written and approved to make your environment more secure, easily manageable, and auditable. Double check the basic configuration information to ensure that the host is in compliance with policy. Older operating systems increase the difficulty in managing the server and increase the scope of administrator responsibilities as he or she attempts to maintain control over disparate operating system (OS) versions. Maintaining standard builds and patch levels greatly simplifies the process of managing the servers.

2. Determine whether the server is running the company-provisioned firewall.

Failure to use a firewall subjects the client to network attacks from malware, attackers, and curious people.

3. Determine whether the server is running the company-provisioned antivirus program. (PCI Data Security Standard 5.1)

Running software other than company-provisioned software may cause instabilities in the enterprise software environment on the laptop or desktop. Failure to have antivirus protection may allow harmful code or hacking tools to run on the computer in violation of company policy.

4. Ensure that all approved patches are installed per your server management policy. (PCI Data Security Standard Requirement 6)

If all the OS and software patches are not installed, widely known security vulnerabilities could exist on the server.

5. Determine whether the server is running a company-provisioned patch-management solution.

Again, running software other than company-provisioned software may cause instabilities in the enterprise software environment on the laptop or desktop. Failure to have a company-provisioned patch-management solution may prevent the server from receiving the latest patches, allowing harmful code or hacking tools to run on the computer.

6. Review and verify startup information.

Rogue partitions, processes, or programs in violation of your policies can sometimes be found during system startup. In addition, malware will sometimes make use of the next reboot to install kits deeper into the OS.
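One way to gather the evidence for steps 1 through 6 in a single pass, as an added example that is not part of the original checklist. It assumes Windows Server 2012 or later with PowerShell 3.0+, that the company-provisioned products run as Windows services, and that the firewall in use is Windows Firewall; every value in $Policy is a placeholder.

```powershell
# Added example: evidence collection for steps 1-6. Every value in $Policy is a
# placeholder (assumption); substitute the figures from your own build standard.
$Policy = @{
    MinBuild         = 17763                                   # assumed minimum OS build
    RequiredServices = @('ExampleAvSvc', 'ExamplePatchAgent')  # hypothetical service names
    RequiredHotfixes = @('KB0000000')                          # placeholder approved-patch list
}
$findings = @()

# Step 1: OS version and build compared with policy
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([int]$os.BuildNumber -lt $Policy.MinBuild) {
    $findings += "OS build $($os.BuildNumber) ($($os.Caption)) is below minimum $($Policy.MinBuild)"
}

# Step 2: assumes the provisioned firewall is Windows Firewall; all profiles must be on
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is not enabled"
}

# Steps 3 and 5: company-provisioned agents must be installed and running
foreach ($name in $Policy.RequiredServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += "Required service '$name' is not installed" }
    elseif ($svc.Status -ne 'Running') { $findings += "Required service '$name' is $($svc.Status)" }
}

# Step 4: approved patches missing from the installed list.
# Get-HotFix reads Win32_QuickFixEngineering, so confirm gaps against the patch tool.
$installed = (Get-HotFix).HotFixID
$Policy.RequiredHotfixes | Where-Object { $_ -notin $installed } | ForEach-Object {
    $findings += "Approved patch $_ is not installed"
}

# Step 6: startup commands for manual review against the approved build
$startup = Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User

$findings
$startup | Format-Table -AutoSize -Wrap
```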

Review Services, Installed Applications, and Scheduled Tasks (PCI Data Security Standard Requirement 2.2)

Running services, installed applications, and automated tasks that are beyond the scope of the server's stated purpose increase the complexity of maintaining the server and provide additional attack vectors. Unknown services, applications, and tasks may be indications that a server was compromised. These should be reviewed routinely.

7. Determine what services are enabled on the system, and validate their necessity with the system administrator. For necessary services, review and evaluate procedures for assessing vulnerabilities associated with those services and keeping them patched.

Enabling network services creates a new potential vector of attack, increasing the risk of unauthorized entry into the system. Network services should therefore be enabled only when there is a legitimate business need for them.

8. Ensure that only approved applications are installed on the system per your server management policy.

Administrators must manage the set of applications installed on their hosts for the following reasons:

  • Not all applications play well together.
  • Applications may have a dependency that's not installed.
  • More applications means more areas of potential compromise.

Unmanaged or unknown applications also may have configuration or coding issues that make the server vulnerable to compromise.

9. Ensure that only approved scheduled tasks are running.

Scheduled tasks can stay hidden for weeks until an administrator takes the time to view the running scheduled tasks on the host. Scheduled tasks created by malicious or unknown sources could damage host or network resources.
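The comparison behind steps 7 through 9, as an added example that is not part of the original checklist: it lists whatever is present on the host but absent from an approved baseline. It assumes Windows Server 2012 or later with PowerShell 3.0+; the contents of $Approved are constructed sample values.

```powershell
# Added example for steps 7-9. $Approved is a constructed baseline (assumption);
# load the real one from your approved build documentation.
$Approved = @{
    Services     = @('Dnscache', 'EventLog', 'W32Time')
    Applications = @('Example Backup Agent')                       # hypothetical product name
    Tasks        = @('\Microsoft\Windows\Defrag\ScheduledDefrag')  # full task path + name
}

# Step 7: services that start automatically or are running but are not approved
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { ($_.StartMode -eq 'Auto' -or $_.State -eq 'Running') -and
                   $_.Name -notin $Approved.Services } |
    Select-Object Name, StartMode, State, StartName, PathName

# Step 8: installed applications from the 64-bit and 32-bit uninstall keys.
# (Win32_Product is avoided because querying it triggers an MSI consistency check.)
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -notin $Approved.Applications } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Step 9: enabled scheduled tasks that are not approved, with the account and command
$tasks = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and
                   ($_.TaskPath + $_.TaskName) -notin $Approved.Tasks } |
    Select-Object TaskPath, TaskName, State,
        @{ Name = 'RunAs';  Expression = { $_.Principal.UserId } },
        @{ Name = 'Action'; Expression = {
            ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

'Unapproved services:';     $services | Format-Table -AutoSize -Wrap
'Unapproved applications:'; $apps     | Sort-Object DisplayName | Format-Table -AutoSize
'Unapproved tasks:';        $tasks    | Format-List
```

The StartName and RunAs columns show the account each service or task runs under, which is what the administrator needs in order to confirm or deny ownership of an unfamiliar entry.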

Account Management and Password Controls

Account management and password controls are fundamental components of server management. Tracking users over time is a difficult task, and a common method for gaining access to systems that a user should never have had access to in the first place.

10. Review and evaluate procedures for creating user accounts and ensuring that accounts are created only for a legitimate business need. Review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change. (PCI Data Security Standard Requirement 7)

If effective controls for providing and removing access to the server are not in place, it could result in unnecessary access to system resources. This, in turn, places the integrity and availability of the server at risk.

11. Ensure that all users are created at the domain level and clearly annotated in Active Directory. Each user should trace to a specific employee or team.

Most user accounts should be administered centrally by a domain controller, with the possible exception of accounts created on isolated systems that are not members of a domain (such as some DMZs). This increases network security because account provisioning and deprovisioning can be controlled.

12. Review and evaluate the use of groups, and determine the restrictiveness of their use.

Groups can greatly simplify the provisioning and deprovisioning process for adding or removing user access to systems as users join and leave a team. However, old members sometimes hang around inside a group when they leave a team.

13. Review and evaluate the strength of system passwords.

If passwords on the system are easy to guess, it is more likely that an attacker will be able to break into that account, obtaining unauthorized access to the system and its resources. A key mitigating control for many organizations is the use of two-factor authentication.

14. Evaluate the use of password controls on the server, such as password aging, length, complexity, history, and lockout policies. (PCI Data Security Standard 8.2)

Password controls are essential to enforcing password complexity, length, age, and other factors that keep unauthorized users out of a system.

Review User Rights and Security Options

Microsoft ships Windows with a robust ability to configure user rights and security options. These are only effective if they are configured properly.

15. Review and evaluate the use of user rights and security options assigned to the elements in the security policy settings.

The default installation of Windows Server 2003 has 39 user rights settings and 70 security options. Windows Server 2008 grew to 44 user rights settings and 78 security options. These settings and options allow broad, sweeping, and powerful changes to how the host behaves under many different situations.
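Steps 14 and 15 can both be checked from one export of the local security policy, shown here as an added example that is not part of the original checklist. It uses secedit from an elevated PowerShell prompt; the thresholds in $Rules and the list of rights in $Sensitive are assumed values chosen for illustration.

```powershell
# Added example for steps 14 and 15. Thresholds in $Rules are assumed values,
# not taken from the page; replace them with your policy. Run elevated.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS | Out-Null

# Parse the exported INF into $inf[section][key]
$inf = @{}; $section = $null
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $inf[$section] = @{} }
    elseif ($section -and $line -match '^\s*(.+?)\s*=\s*(.*)$') {
        $inf[$section][$Matches[1]] = $Matches[2].Trim()
    }
}
Remove-Item -Path $cfg
if (-not $inf['System Access']) { throw 'secedit export failed; run from an elevated prompt' }

# Step 14: password and lockout settings (LockoutBadCount 0 means lockout is disabled)
$Rules = [ordered]@{
    MinimumPasswordLength = { param($v) $v -ge 12 }
    PasswordComplexity    = { param($v) $v -eq 1 }
    PasswordHistorySize   = { param($v) $v -ge 24 }
    MaximumPasswordAge    = { param($v) $v -ge 1 -and $v -le 90 }
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 5 }
}
$passwordPolicy = foreach ($key in $Rules.Keys) {
    $value = [int]$inf['System Access'][$key]
    [pscustomobject]@{ Setting = $key; Value = $value; Compliant = [bool](& $Rules[$key] $value) }
}

# Step 15: who holds the rights an auditor usually looks at first
$Sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege',
             'SeRestorePrivilege', 'SeRemoteInteractiveLogonRight'
$userRights = foreach ($right in $Sensitive) {
    $holders = "$($inf['Privilege Rights'][$right])" -split ',' | Where-Object { $_ } | ForEach-Object {
        $id = $_.Trim().TrimStart('*')       # secedit writes SIDs as *S-1-5-...
        try { ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                  [System.Security.Principal.NTAccount]).Value }
        catch { $id }                        # already a name, or an unresolvable SID
    }
    [pscustomobject]@{ Right = $right; Holders = $holders -join ', ' }
}

$passwordPolicy | Format-Table -AutoSize
$userRights     | Format-Table -AutoSize -Wrap
```

On a domain member the exported values reflect the policy in effect on that host, so a non-compliant row usually points at the Group Policy object that sets it rather than at the server itself.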

Network Security and Controls

Network access to servers must be controlled.

16. Review and evaluate the use and need for remote access, including RAS connections, FTP, Telnet, SSH, VPN, and other methods.

Not all remote access technologies are created equal, and until encrypted networks become the standard, clear-text protocols should be eliminated where possible. Although newer equipment and savvy network administrators can help mitigate the risk of eavesdropping on network traffic, the real risk of catching that traffic still exists, especially on the same broadcast domain. Modems in particular, or Remote Access Services (RAS) access, bypass corporate perimeter security (such as firewalls) and allow direct access to the machine from outside the network. They present significant risk to the security of the machine on which they reside and can also allow the modem user to access the rest of the network. Using a virtual private network (VPN) is a much better idea, preferably a VPN with two-factor authentication.

17. Look for and evaluate the use of shares on the host.

Inappropriate or open shares may needlessly compromise personal or company data. You need to identify all shares, shared directories, and permissions. For example, it's not uncommon to find open shares on a network with personal, group ranking, or payroll information. This type of data never should be kept on an open share.

18. Ensure that the server has auditing enabled per your organization's policies.

Auditing provides evidence in the aftermath of an event and helps with troubleshooting issues on the host.
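Steps 17 and 18 as an added example that is not part of the original checklist: it lists every share with its share-level permissions and compares the audit policy with a required set. It assumes Windows Server 2012 or later, an elevated prompt, and an English-language system; $Broad and $RequiredAudit are assumed policy values.

```powershell
# Added example for steps 17 and 18. $Broad and $RequiredAudit are assumed policy
# values; subcategory and setting names are those of an English-language system.
$Broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON',
         'BUILTIN\Users'

# Step 17: every share, its path, and each Allow entry on the share ACL
$shareAccess = foreach ($share in Get-SmbShare) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Admin   = $share.Special          # C$, ADMIN$, IPC$ and similar
                Account = $_.AccountName
                Right   = $_.AccessRight
                Open    = $_.AccountName -in $Broad
            }
        }
}
# Effective access is the more restrictive of share and NTFS permissions, so review
# the folder ACL of anything flagged Open with Get-Acl before reporting it.
$openShares = $shareAccess | Where-Object { $_.Open -and -not $_.Admin }

# Step 18: audit subcategories whose setting does not meet policy
$RequiredAudit = @{
    'Logon'                   = 'Success and Failure'
    'User Account Management' = 'Success'
    'Audit Policy Change'     = 'Success'
}
$current = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object { $_.Subcategory }
$auditGaps = foreach ($row in $current) {
    $need = $RequiredAudit[$row.Subcategory]
    if ($need -and $row.'Inclusion Setting' -notin $need, 'Success and Failure') {
        [pscustomobject]@{ Subcategory = $row.Subcategory
                           Required = $need; Actual = $row.'Inclusion Setting' }
    }
}

$openShares | Format-Table -AutoSize
$auditGaps  | Format-Table -AutoSize
```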

19. Review and evaluate system administrator procedures for monitoring the state of security on the system.

If the system administrator doesn't monitor his or her systems for changes or regularly attempt to discover issues in these systems, security vulnerabilities could exist, and security incidents could occur without his or her knowledge. By monitoring, we mean actively watching for issues (detection) and actively searching them out (finding vulnerabilities).