8 pages

English

Windows NT Security Audit Program

Thaub

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

8 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Windows NT Security Audit Program Date: 04/11/03 Internal Audit Job Program and Record of Tests Number: PRT Control Detail Test Steps W/P Dispo- Sign Objective Ref sition Date Auditor Access • Request local administrator access to the NT server being reviewed. required • Obtain Hyena (or alternate software) for audit testing Objective Determine whether adequate internal controls exist to ensure an effective security management and system administration for NT environment. Background 1. Obtain an understanding of the overall system structure: • Identify the primary and backup domain controllers. • Identify other types of servers we have in the area reviewed: • File and print server • Web server • Database server • Remote Access server • Workstation • Identify the location of related servers and controllers. • Identify current trust relationships. • Obtain network diagrams • Obtain copy of Domain strategy. 2. Obtain the detailed components of the system environment by performing the following tasks: • Compile a list of the group’s machines, their primary functions, the domains or workgroups to which each machine is assigned, and whether the machines are running PDC/BDC or workstation. • Identify which domain or workgroup the computer is a member of. • Examine if the machines are using NTFS or FAT. To examine, double-click on the server of interest ⇒ Disk Space. Ensure all servers are set up NTFS to support ...

Informations

Publié par	Thaub
Nombre de lectures	29
Langue	English

Extrait

Windows NT Security Audit Program

Date:

Job

Number:

04/11/03

Internal Audit

Program and Record of Tests

PRT

Control

Objective

Detail Test Steps

W/P

Ref

Dispo-

sition

Sign

Date

Auditor Access

required

•

Request local administrator access to the NT server being reviewed.

•

Obtain Hyena (or alternate software) for audit testing

Objective

Determine whether adequate internal controls exist to ensure an effective security management and

system administration for NT environment.

Background

Obtain an understanding of the overall system

structure:

•

Identify the primary and backup domain controllers.

•

Identify other types of servers we have in the area

reviewed:

•

File and print server

•

Web server

•

Database server

•

Remote Access server

•

Workstation

•

Identify the location of related servers and controllers.

•

Identify current trust relationships.

•

Obtain network diagrams

•

Obtain copy of Domain strategy.

Obtain the detailed components of the system

environment by performing the following tasks:

•

Compile a list of the group’s machines, their primary

functions, the domains or workgroups to which each

machine is assigned, and whether the machines are

running PDC/BDC or workstation.

•

Identify which domain or workgroup the computer is a

member of.

•

Examine if the machines are using NTFS or FAT. To

examine, double-click on the server of interest

⇒

Disk

Space. Ensure all servers are set up NTFS to support

NT security features. FAT cannot support NT

security.

•

Examine the Windows NT version and service

pack installed by right clicking on the server of

interest

⇒

Properties. Confirm that current release,

service pack, and/or supported release is used;

otherwise, ensure that release installed is supported

and acceptable.

A) Security

Administration

Identify who is responsible for operating system

administration and maintenance for the NT platforms

at your location. Ensure they have been adequately

trained. Verify that administrators are aware of NT

standards and Information Security Standards.

C:\Data\Web Pages\AuditNet2\docs\WindowsNTSecurity.doc

Windows NT Security Audit Program

Date:

Job

Number:

04/11/03

Internal Audit

Program and Record of Tests

PRT

Control

Objective

Detail Test Steps

W/P

Ref

Dispo-

sition

Sign

Date

Verify system and security administration procedures

have been formally documented and up-to-date. If

document is not available, meet with NT administrator

to identify procedures followed. Ensure that it is

designed for least privilege.

Verify if the responsibility for operating system

administration / maintenance and security has been

included as one of their accountabilities.

Ascertain if a warning message is initiated for users

accessing the NT network. To examine, select the

server of interest

⇒

C:\WINNT\system32\regedt32.exe. Execute

regedt32.exe, select HKLM\software\microsoft\

Windows NT\current version \ Winlogon \

LegalNotice Caption: REG_SZ legal Notice Text :

REG_SZ

⇒

Also ensure that the warning message is included in

the login script.

Wordings recommended by legal are “You have

connected to a proprietary system. Only authorized

users may access this system. Access by unauthorized

individuals is prohibited and will be prosecuted to the

full extent of the law. This system is monitored for

unauthorized usage.”

Verify the following:

•

A standard naming convention is being used.

•

Each user is assigned a unique user id.

•

Group IDs (e.g. Apclerk) and shared/generic account

(Test Id) should not be used.

•

The PDC has been configured to authenticate all users

through a valid ID and password

Verify adequate procedures are in place to review

server configuration using third party tools, such as

Kane and ISS.

Verify procedures are in place to ensure that system

level accounts are disabled and/or removed for

terminated employees.

10. Verify procedures are in place to ensure that user

system access rights are appropriately modified for

transferred employees.

11. Verify that Human Resources department does

provide security administration personnel with

periodic reports of terminated and transferred

employees. If not, verify if alternate procedures exist.

C:\Data\Web Pages\AuditNet2\docs\WindowsNTSecurity.doc

Windows NT Security Audit Program

Date:

Job

Number:

04/11/03

Internal Audit

Program and Record of Tests

PRT

Control

Objective

Detail Test Steps

W/P

Ref

Dispo-

sition

Sign

Date

B) Access

Control

B.1)

Account

policies &

restrictions

12. Verify that global password rules have been

established by setting appropriate account policies.

Examine the following account policy settings by

right clicking on the server of interest

⇒

account

policy

•

Minimum Password Age (allow changes in 1 day)

•

Maximum Password Age (60 days)

•

Minimum password length (6 characters)

•

Account Lockout (allow 3 bad attempts)

•

Account Lockout (reset count in 1440 minutes)

•

Lockout Duration (Forever)

•

Password History (Remember 3 passwords)

Reference the Information Security Standards.

B.2)

User Accounts

13. Verify that the guest account has been disabled.

14. Verify if the administrator account has been renamed.

If yes, is there a standard for renaming account. If no,

why not.

15. Verify if a strong password has been set for the guest

and administrator accounts, and if there is a process

for maintaining and securing the passwords.

16. Determine if the default set of rights for built-in user

and group accounts (i.e., Administrator, Account

Operators, Backup Operators, etc.) have been

modified.

17. Administrator who requires admin rights to perform

his job functions should have his unique account

assigned to only him, and not shared by other

administrators.

18. Identify the properties for all other significant

accounts by double-clicking on the desired server

⇒

Users

⇒

double-clicking on the desired account to

open Properties.

19. Ascertain if normal production users on the network

have had their access restricted appropriately through

user environment profiles (or logon scripts).

Ascertain logon scripts are used for ease of

C:\Data\Web Pages\AuditNet2\docs\WindowsNTSecurity.doc

Windows NT Security Audit Program

Date:

Job

Number:

04/11/03

Internal Audit

Program and Record of Tests

PRT

Control

Objective

Detail Test Steps

W/P

Ref

Dispo-

sition

Sign

Date

administration.

20. Determine if the logon scripts are secured under NTFS

partition with restricted access permission.

21. Verify a unique initial password is assigned to new

account when created, and the user is required to

change the password at the time of initial logon.

22. Verify restrictions, e.g. length of time, are placed on

system accounts provided to contractors and

temporary workers.

B.3)

Groups

(Lower Risk)

23. Identify global groups (other than default groups and

system-generated groups) and local groups, which the

administrator has set up and ascertain the reasons for

these groups.

24. Verify a structure exists to group user IDs by

department or job functions in order to be efficiently

administered by security.

25. Identify the rights assigned to the global groups.

Verify that group membership and privileges are

appropriate.

26. Identify the rights assigned to the local groups. Verify

that group membership and privileges are appropriate.

27. Verify that there is a business purpose for each global

group.

28. Verify that there is a business purpose for each local

group.

29. Identify the number of users with privileged access

(i.e., Administrator) is appropriately limited.

B.4)

User Rights

(Lower Risk)

30. Obtain standard user rights from system administrator.

Then examine that any user given rights outside

standard should have special authorization.

31. Verify appropriate management completes periodic

review of user access rights to ensure that access

rights remain commensurate with user job

responsibilities. Verify if audit software is used as

part of the regular review.

B.5) Registry

Security

(High Risk)

32. Verify Registry file and directory permissions are

appropriate for groups with access. Double-click the

desired server

⇒

highlight the desired

Directory

protection

47. Identify production application directories,

subdirectories, and files that are critical.

48. Examine directory permission for reasonableness by

double-clicking the desired server

⇒

select

the desired directory

⇒

right click for File Properties

⇒

Properties

⇒

Security

⇒

Permission

Ensure Full Control permission is not given to users

unless required for the smooth operation of the system

and surrounded by compensating controls.

49. Examine file permission for reasonableness by

double-clicking the desired server

⇒

double clicking the desired directory

⇒

highlight the

desired file

⇒

right click for Properties

⇒

Security

⇒

Permission

Ensure Full Control permission is not given to users

unless required for the smooth operation of the system

and surrounded by compensating controls. Verify that

users are not granted access to modify key system

programs.

50. Confirm that these directories and files are stored on

NTFS volumes. If not, inquire on the reasoning. To

examine, double-clicking the desired server

⇒

Disk

Space.

Monitoring/Au

diting/Reporti

51. Ascertain that the auditing function has been enabled

by highlighting the server of interest

⇒

right for

Audit Policy.

Examine if the systems have been

configured to log audit events such as:

•

Log-on and log-off activity (failure)

•

Security policy changes (failure)

•

Restart and Shutdown (failure)

If the “Audit These Events” option is selected,

perform step # 52 – 54 below. If not, inquire on the

reasoning and what mitigating controls are in place,

and skip to step #55

C:\Data\Web Pages\AuditNet2\docs\WindowsNTSecurity.doc

Windows NT Security Audit Program

Date:

Job

Number:

04/11/03

Internal Audit

Program and Record of Tests

PRT

Control

Objective

Detail Test Steps

W/P

Ref

Dispo-

sition

Sign

Date

52. Examine the Directory/file auditing function for

reasonableness. Double-click the desired server

⇒

select “Shares”

⇒

right-click on critical directory/file

of interest

⇒

Properties

⇒

Security

⇒

Auditing.

(Note: If “Audit These Events” option is not selected,

Directory auditing is not possible.)

53. Examine the Registry auditing function for adequacy.

Clicking on the desired server

⇒

execute

c:\winnt\system32\Regedt32.exe. Select the subkey or

value in question and choose Security

⇒

Auditing.

Review what events are audited and determine its

reasonableness. If this function is not on, inquire on

the reasoning.

54. Determine that system audit log files are secured.

Examine the permissions on the logs by clicking on

the desired server

⇒

c:\WINNT\System32\CONFIG directory. Then select

each of the APPEVENT.EVT, SECEVENT.EVT, and

SYSEVENT.EVT files, right-click on Properties

⇒

Security

⇒

Permissions.

55. Verify that audit logs are backed up on a regular basis.

56. Confirm that generated audit logs are reviewed by

appropriate security / system administration personnel

on a regular basis.

57. Identify that escalation procedures are in place to

ensure that detected security events are appropriately

investigated in a timely manner.

58. Verify that reports are produced to evaluate trends in

the audit log information.

59. Review procedures established to prevent, detect,

and recover from computer viruses.

60. Verify if invalid attempts to exercise administrative

rights are audited.

RAS Access

Services

Control

61. Identify if Remote Access Services (RAS) is installed

on the server being reviewed. Perform the following

on the console, choose Start

⇒

Programs

⇒

Administrative Tools

⇒

Remote Access Admin. If

RAS service is not installed, skip to the next section.

62. Identify how remote access authorization is granted.

63. Identify accounts or groups to which RAS access has

been granted. Verify that remote access is within their

job function

64. Identify what remote access permissions are granted

to users. Perform the following on the console, choose

C:\Data\Web Pages\AuditNet2\docs\WindowsNTSecurity.doc

Windows NT Security Audit Program

Date:

Job

Number:

04/11/03

Internal Audit

Program and Record of Tests

PRT

Control

Objective

Detail Test Steps

W/P

Ref

Dispo-

sition

Sign

Date

C:\Data\Web Pages\AuditNet2\docs\WindowsNTSecurity.doc

Start

⇒

Programs

⇒

Administrative Tools

⇒

Remote Access Admin

⇒

Users

⇒

Permissions.

Focus on whether the Callback option is selected.

65. To examine the configuration for each RAS port, at

the console do the following: choosing Start

⇒

Settings

⇒

Control Panel

⇒

Network

⇒

Services Tab

⇒

Remote Access Service

⇒

Properties. Highlight

the device you want to examine and click the

Configure button. Ensure only dial-out is allowed.

Click the Network button and verify TCP/IP has been

selected as dial-out protocol.

66. Discuss with system administrator to determine

whether mandatory encryption has been set on all

RAS logon and authentication information.

67. Verify that remote access users are monitored.

Review the monitoring procedures for adequacy.

G) Backup &

Recovery

68. Review backup and recovery schema for the systems

within scope to ensure that proper procedures are in

place.

H) Physical

Security

69. Determine if the critical servers/domain controllers are

physically secured from unauthorized access.

Univers
Ebooks
Livres audio
Presse
Podcasts
BD
Documents

Livre audio en ligne - Développement personnel Livre en ligne Tout le catalogue Tous les Intérêts

Windows NT Security Audit Program

YouScribe

Le catalogue

Le service

Les conditions