Windows NT Security Audit Program
Date: 04/11/03
Job Number:
Internal Audit Program and Record of Tests (PRT)

Record of tests columns: Control Objective | Detail Test Steps | W/P Ref | Disposition | Sign | Date

Auditor access required:
• Request local administrator access to the NT server being reviewed.
• Obtain Hyena (or alternate software) for audit testing.
Objective
Determine whether adequate internal controls exist to ensure effective security management and system administration for the NT environment.
Background
1. Obtain an understanding of the overall system structure:
• Identify the primary and backup domain controllers.
• Identify other types of servers in the area reviewed:
  • File and print server
  • Web server
  • Database server
  • Remote Access server
  • Workstation
• Identify the location of related servers and controllers.
• Identify current trust relationships.
• Obtain network diagrams.
• Obtain a copy of the domain strategy.
2. Obtain the detailed components of the system environment by performing the following tasks:
• Compile a list of the group's machines, their primary functions, the domains or workgroups to which each machine is assigned, and whether each machine is running as a PDC/BDC or as a workstation.
• Identify which domain or workgroup the computer is a member of.
• Examine whether the machines are using NTFS or FAT. To examine, double-click on the server of interest ⇒ Disk Space. Ensure all servers are set up with NTFS to support NT security features. FAT has no access control lists, so neither file/directory permissions nor file auditing can be applied on a FAT volume.
• Examine the Windows NT version and service pack installed by right-clicking on the server of interest ⇒ Properties. Confirm that the current release and service pack (or a supported release) is in use; otherwise, ensure that the release installed is supported and acceptable.
A) Security Administration
3. Identify who is responsible for operating system administration and maintenance for the NT platforms at your location. Ensure they have been adequately trained. Verify that administrators are aware of the NT standards and the Information Security Standards.
C:\Data\Web Pages\AuditNet2\docs\WindowsNTSecurity.doc
1
4. Verify that system and security administration procedures have been formally documented and are up to date. If no document is available, meet with the NT administrator to identify the procedures followed. Ensure that they are designed for least privilege.
5. Verify that responsibility for operating system administration/maintenance and security has been included as one of the administrators' accountabilities.
6. Ascertain whether a warning message is displayed to users accessing the NT network. To examine, select the server of interest ⇒ Shares ⇒ C:\WINNT\system32\regedt32.exe. Execute regedt32.exe and open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; both of the following values should be present and non-empty:
  LegalNoticeCaption: REG_SZ (the title of the warning dialog)
  LegalNoticeText: REG_SZ (the body of the warning)
Also ensure that the warning message is included in the login script.
Wording recommended by legal is: "You have connected to a proprietary system. Only authorized users may access this system. Access by unauthorized individuals is prohibited and will be prosecuted to the full extent of the law. This system is monitored for unauthorized usage."
7. Verify the following:
• A standard naming convention is being used.
• Each user is assigned a unique user ID.
• Group IDs (e.g. Apclerk) and shared/generic accounts (e.g. Test ID) are not used.
• The PDC has been configured to authenticate all users through a valid ID and password.
8. Verify that adequate procedures are in place to review server configuration using third-party tools, such as Kane and ISS.
9. Verify that procedures are in place to ensure that system-level accounts are disabled and/or removed for terminated employees.
10. Verify that procedures are in place to ensure that user system access rights are appropriately modified for transferred employees.
11. Verify that the Human Resources department provides security administration personnel with periodic reports of terminated and transferred employees. If not, verify whether alternate procedures exist.
B) Access Control
B.1) Account policies & restrictions
12. Verify that global password rules have been established by setting appropriate account policies. Examine the following account policy settings by right-clicking on the server of interest ⇒ Account Policy:
• Minimum Password Age (allow changes in 1 day)
• Maximum Password Age (60 days)
• Minimum Password Length (6 characters)
• Account Lockout (lock out after 3 bad attempts)
• Account Lockout (reset count after 1440 minutes)
• Lockout Duration (Forever, i.e. until an administrator unlocks the account)
• Password History (remember 3 passwords)
Reference the Information Security Standards.
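Where the policy is captured from the command line rather than read off the User Manager dialog, the comparison against the thresholds above can be scripted. The Python below is an added example and not part of the audit program: it parses the text that `net accounts` prints on an NT domain controller (the labels are the ones the command uses; the values in the embedded sample are constructed) and reports each setting that misses a step-12 threshold. The handling of the lockout duration is an assumption: a numeric value is taken as a timed lockout, any other token as "until an administrator unlocks".

```python
import re

# Constructed sample of `net accounts` output from a weakly configured
# domain controller: the labels are the ones the command prints, the
# values are made up for this example.
WEAK_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          90
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Thresholds from step 12 of the audit program.
MIN_AGE_DAYS = 1
MAX_AGE_DAYS = 60
MIN_LENGTH = 6
LOCKOUT_THRESHOLD = 3
RESET_MINUTES = 1440
HISTORY = 3

LINE_RE = re.compile(r"^(?P<label>[^:]+?):\s+(?P<value>\S.*?)\s*$")


def parse_net_accounts(text):
    """Map each 'Label: value' line to its value; all-digit values become ints."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            value = m.group("value")
            settings[m.group("label")] = int(value) if value.isdigit() else value
    return settings


def check_account_policy(settings):
    """Return [(label, observed, required)] for every step-12 threshold not met."""
    findings = []

    def require(label, ok, required):
        observed = settings.get(label)          # a missing setting is itself a finding
        if observed is None or not ok(observed):
            findings.append((label, observed, required))

    def is_int(v):
        return isinstance(v, int)

    require("Minimum password age (days)",
            lambda v: is_int(v) and v >= MIN_AGE_DAYS, f">= {MIN_AGE_DAYS}")
    require("Maximum password age (days)",
            lambda v: is_int(v) and v <= MAX_AGE_DAYS, f"<= {MAX_AGE_DAYS} (not Unlimited)")
    require("Minimum password length",
            lambda v: is_int(v) and v >= MIN_LENGTH, f">= {MIN_LENGTH}")
    require("Length of password history maintained",
            lambda v: is_int(v) and v >= HISTORY, f">= {HISTORY} (not None)")
    # "Never" means lockout is switched off, which fails the check outright.
    require("Lockout threshold",
            lambda v: is_int(v) and 1 <= v <= LOCKOUT_THRESHOLD, f"1..{LOCKOUT_THRESHOLD} (not Never)")
    require("Lockout observation window (minutes)",
            lambda v: is_int(v) and v >= RESET_MINUTES, f">= {RESET_MINUTES}")
    # Step 12 asks for "Forever". Assumption: a numeric duration is a timed
    # lockout; any non-numeric token is taken to mean until-admin-unlocks.
    require("Lockout duration (minutes)",
            lambda v: not is_int(v), "Forever (until an administrator unlocks)")
    return findings


if __name__ == "__main__":
    for label, observed, required in check_account_policy(parse_net_accounts(WEAK_SAMPLE)):
        print(f"FAIL {label}: observed {observed!r}, required {required}")
```

Run it over `net accounts > accounts.txt` captured on the PDC; every line it prints is a disposition to record against step 12, and an empty run means all seven thresholds are met.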
B.2) User Accounts
13. Verify that the Guest account has been disabled.
14. Verify whether the Administrator account has been renamed. If yes, is there a standard for renaming the account? If no, why not?
15. Verify that a strong password has been set for the Guest and Administrator accounts, and that there is a process for maintaining and securing these passwords.
16. Determine whether the default set of rights for built-in user and group accounts (i.e., Administrator, Account Operators, Backup Operators, etc.) has been modified.
17. An administrator who requires admin rights to perform his job functions should have a unique account assigned to him alone, not shared with other administrators.
18. Identify the properties of all other significant accounts by double-clicking on the desired server ⇒ Users ⇒ double-clicking on the desired account to open Properties.
19. Ascertain whether normal production users on the network have had their access restricted appropriately through user environment profiles (or logon scripts). Ascertain that logon scripts are used for ease of administration.
20. Determine whether the logon scripts are secured on an NTFS partition with restricted access permissions.
21. Verify that a unique initial password is assigned to each new account when it is created, and that the user is required to change the password at the time of initial logon.
22. Verify that restrictions, e.g. on length of time, are placed on system accounts provided to contractors and temporary workers.
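Steps 7, 13, 14, 22 and 29 can be run in one pass over an account export. The Python below is an added example, not part of the audit program. It assumes a tab-separated export with name, RID, disabled flag, expiry, description and group columns (the embedded sample and its layout are constructed; whatever Hyena or `net user` actually produces has to be mapped onto it), and it finds the built-in Administrator and Guest accounts by their well-known RIDs 500 and 501 rather than by name, so a renamed Administrator is still recognised. The naming-convention pattern, generic-name keywords and administrator limit are assumptions standing in for the site's own standard.

```python
import csv
import io
import re

# Constructed account export. Assumed layout: tab-separated, one account
# per line, with the columns named in the header row.
SAMPLE_EXPORT = """\
name\trid\tdisabled\texpires\tdescription\tgroups
Administrator\t500\tno\tnever\tBuilt-in account\tAdministrators;Domain Admins
Guest\t501\tno\tnever\tBuilt-in guest account\tDomain Guests
jsmith\t1001\tno\tnever\tJane Smith, AP\tDomain Users
apclerk\t1002\tno\tnever\tAP department shared id\tDomain Users
testid\t1003\tno\tnever\tTest account\tDomain Users
bjones\t1004\tno\tnever\tBob Jones, contractor\tDomain Users
mlee\t1005\tno\t2003-06-30\tMei Lee, contractor\tDomain Users
rkhan\t1006\tno\tnever\tRaj Khan, sysadmin\tAdministrators;Domain Users
tsmith\t1007\tno\tnever\tTom Smith, DBA\tAdministrators;Domain Users
"""

# Well-known relative identifiers of the built-in accounts; they survive renaming.
ADMINISTRATOR_RID = 500
GUEST_RID = 501

# Assumptions standing in for the site's own standard (steps 7 and 29).
GENERIC_NAME = re.compile(r"test|temp|shared|generic|clerk|dept", re.I)
NAMING_CONVENTION = re.compile(r"^[a-z][a-z]{2,}\d{0,2}$", re.I)   # first initial + surname
MAX_ADMINS = 2


def parse_account_export(text):
    """Read the tab-separated export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def review_accounts(accounts):
    """Return [(account, finding)] for the checks in steps 7, 13, 14, 22 and 29."""
    findings = []
    admins = []
    for a in accounts:
        name, rid = a["name"], int(a["rid"])
        disabled = a["disabled"].strip().lower() == "yes"
        groups = {g.strip() for g in a["groups"].split(";")}
        if rid == GUEST_RID and not disabled:
            findings.append((name, "step 13: built-in Guest (RID 501) is enabled"))
        if rid == ADMINISTRATOR_RID and name.lower() == "administrator":
            findings.append((name, "step 14: built-in Administrator (RID 500) has not been renamed"))
        # Only ordinary (non-built-in) accounts are held to the naming convention.
        if rid >= 1000 and (GENERIC_NAME.search(name) or not NAMING_CONVENTION.match(name)):
            findings.append((name, "step 7: shared/generic id or name outside the convention"))
        if "contractor" in a["description"].lower() and a["expires"].strip().lower() == "never":
            findings.append((name, "step 22: contractor account with no expiry date"))
        if "Administrators" in groups and not disabled:
            admins.append(name)
    if len(admins) > MAX_ADMINS:
        findings.append((";".join(admins),
                         f"step 29: {len(admins)} enabled Administrators members, limit is {MAX_ADMINS}"))
    return findings


if __name__ == "__main__":
    for account, finding in review_accounts(parse_account_export(SAMPLE_EXPORT)):
        print(f"{account:30} {finding}")
```

The RID test is the part worth keeping: a renamed Administrator satisfies step 14, but the account is still RID 500 and still enumerable as such, so the rename is a nuisance for an attacker rather than a control, and the strong-password and membership checks in steps 15 and 29 carry the real weight.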
B.3) Groups (Lower Risk)
23. Identify the global groups (other than default and system-generated groups) and local groups that the administrator has set up, and ascertain the reasons for these groups.
24. Verify that a structure exists to group user IDs by department or job function so that they can be efficiently administered by security.
25. Identify the rights assigned to the global groups. Verify that group membership and privileges are appropriate.
26. Identify the rights assigned to the local groups. Verify that group membership and privileges are appropriate.
27. Verify that there is a business purpose for each global group.
28. Verify that there is a business purpose for each local group.
29. Verify that the number of users with privileged access (i.e., members of the Administrators group) is appropriately limited.
B.4) User Rights (Lower Risk)
30. Obtain the standard user rights from the system administrator. Then examine that any user given rights outside the standard has special authorization.
31. Verify that appropriate management completes a periodic review of user access rights to ensure that access rights remain commensurate with user job responsibilities. Verify whether audit software is used as part of the regular review.
B.5) Registry Security (High Risk)
32. Verify that the permissions on the Registry files and their directory are appropriate for the groups with access. Double-click the desired server ⇒ Shares ⇒ highlight the desired directory ⇒ right-click for "File Properties" ⇒ Properties ⇒ Security ⇒ Permissions. Only system administrators (and SYSTEM) should have Full Control of \winnt\system32\config; Everyone should have no more than List/Read access and must never have Write or Full Control, since the SAM and SECURITY hives live in this directory.
33. Review the permissions set on the critical Registry keys for reasonableness. To examine them, double-click the desired server ⇒ Shares ⇒ execute C:\WINNT\system32\regedt32.exe. Then highlight the desired key ⇒ Security ⇒ Permissions. Verify they are configured to the recommended standards. (Refer to appendix A of the Windows NT Security, Audit, and Control book.)
C) System configuration
34. Verify that formal procedures are in place over the installation of new servers to ensure the consistency of operating system configuration settings throughout the processing environment.
35. Verify that formal standards and procedures are in place over the implementation of operating system upgrades.
36. Determine whether operating system installations/upgrades are thoroughly tested before being loaded into the production environment.
37. Determine whether fallback procedures are in place for operating system upgrades.
38. Verify that controls are in place to ensure that operating system security configuration changes are authorized and approved.
39. Verify that records are maintained to document all modifications and fixes to operating system security.
40. Verify that secure passwords for predefined system accounts (i.e., Administrator, Guest, etc.) are assigned immediately upon installation or upgrade. Identify how they are maintained.
41. Verify with the administrator that powerful system utilities (i.e., User Manager, Disk Administrator, Server Manager, Registry Editor, etc.) are appropriately restricted to authorized system personnel only.
42. For each domain within scope, request the system administrator to show that appropriate trust relationships exist in the User Manager for Domains utility via Policies ⇒ Trust Relationships.
43. Verify that formal standards and procedures exist over the configuration of security at the directory and file level.
44. Verify that key system directories are secured. Determine whether access to these resources is restricted to system administration personnel.
45. Confirm that the Windows NT system files (i.e., \WINNT) have been installed on NTFS volumes.
46. Verify that permissions assigned to shared resources within the environment have been restricted.
D) File & Directory protection
47. Identify the production application directories, subdirectories, and files that are critical.
48. Examine directory permissions for reasonableness by double-clicking the desired server ⇒ Shares ⇒ select the desired directory ⇒ right-click for File Properties ⇒ Properties ⇒ Security ⇒ Permissions. Ensure Full Control permission is not given to users unless required for the smooth operation of the system and surrounded by compensating controls.
49. Examine file permissions for reasonableness by double-clicking the desired server ⇒ Shares ⇒ double-clicking the desired directory ⇒ highlight the desired file ⇒ right-click for Properties ⇒ Security ⇒ Permissions. Ensure Full Control permission is not given to users unless required for the smooth operation of the system and surrounded by compensating controls. Verify that users are not granted access to modify key system programs.
50. Confirm that these directories and files are stored on NTFS volumes. If not, inquire about the reasoning. To examine, double-click the desired server ⇒ Disk Space.
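Steps 32, 44, 48 and 49 all come down to reading ACLs and asking who holds Full Control or write access. The Python below is an added example, not part of the audit program: it parses a dump produced by the `cacls` command (the embedded sample is constructed in the layout cacls prints, with the paths, domain and group names made up for the example) and applies the rules those steps state: Full Control only for Administrators, SYSTEM and CREATOR OWNER; Everyone and other broad groups limited to Read or List; no non-administrator write access to program files. ACEs that cacls shows as "special access" are flagged for manual review rather than interpreted.

```python
import re

# Constructed dump in the layout classic cacls prints: the path once, the
# first ACE on the same line, further ACEs indented to the same column.
# Paths, domain and group names are made up for this example.
SAMPLE_CACLS = """\
C:\\WINNT\\system32\\config BUILTIN\\Administrators:(OI)(CI)F
                         NT AUTHORITY\\SYSTEM:(OI)(CI)F
                         CREATOR OWNER:(OI)(CI)(IO)F
                         Everyone:(OI)(CI)R
C:\\APPS\\PAYROLL BUILTIN\\Administrators:(OI)(CI)F
                NT AUTHORITY\\SYSTEM:(OI)(CI)F
                Everyone:(OI)(CI)F
                PAYDOM\\Payroll:(OI)(CI)C
C:\\APPS\\PAYROLL\\calc.exe BUILTIN\\Administrators:F
                         PAYDOM\\Payroll:W
                         Everyone:R
"""

# account:(inherit flags)perm, where perm is N/R/W/C/F or "(special access:)".
ACE_RE = re.compile(
    r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[NRWCF]|\(special access:\))")

FULL_CONTROL_OK = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}
BROAD_GROUPS = {"everyone", "users", "domain users", "authenticated users"}
WRITE_PERMS = {"W", "C", "F"}                      # write, change, full control
PROGRAM_EXT = (".exe", ".dll", ".com", ".sys", ".bat", ".cmd")


def parse_cacls(text):
    """Return [(path, account, perm)]; perm is N/R/W/C/F or 'special'."""
    lines = text.splitlines()
    entries, path = [], None
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        if not line[0].isspace():                   # path plus its first ACE
            # The indent of the next continuation line is the ACE column.
            nxt = next((l for l in lines[i + 1:] if l.strip()), "")
            col = len(nxt) - len(nxt.lstrip()) if nxt[:1].isspace() else 0
            if not (0 < col < len(line) and line[col - 1] == " " and line[col] != " "):
                col = line.rfind(" ") + 1            # no continuation: split on last space
            path, line = line[:col].rstrip(), line[col:]
        m = ACE_RE.match(line.strip())
        if m:                                       # the right names listed under a
            perm = m.group("perm")                  # "special access" ACE do not match
            entries.append((path, m.group("who"), "special" if perm.startswith("(") else perm))
    return entries


def short_name(account):
    """'PAYDOM\\Domain Users' -> 'domain users'."""
    return account.rsplit("\\", 1)[-1].lower()


def check_permissions(entries):
    """Apply the rules of steps 32, 44, 48 and 49; return [(path, who, perm, reason)]."""
    findings = []
    for path, who, perm in entries:
        if perm == "F" and who not in FULL_CONTROL_OK:
            findings.append((path, who, perm,
                             "Full Control held outside Administrators/SYSTEM/CREATOR OWNER"))
        if perm in WRITE_PERMS and short_name(who) in BROAD_GROUPS:
            findings.append((path, who, perm,
                             "broad group can modify; limit Everyone/Users to Read or List"))
        if perm in WRITE_PERMS and path.lower().endswith(PROGRAM_EXT) and who not in FULL_CONTROL_OK:
            findings.append((path, who, perm, "non-administrators can modify a program file"))
        if perm == "special":
            findings.append((path, who, perm, "special access: review the listed rights by hand"))
    return findings


if __name__ == "__main__":
    for path, who, perm, reason in check_permissions(parse_cacls(SAMPLE_CACLS)):
        print(f"{path}: {who}:{perm} - {reason}")
```

A dump for a whole tree is produced with `cacls <dir> /T > acls.txt`; the same script then covers step 32 (run it on \winnt\system32\config), step 44 (the \WINNT tree) and steps 48 and 49 (the application directories identified in step 47) in one pass.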
E) Monitoring/Auditing/Reporting
51. Ascertain that the auditing function has been enabled by highlighting the server of interest ⇒ right-click for Audit Policy. Examine whether the systems have been configured to log audit events such as:
• Logon and logoff activity (failure)
• Security policy changes (failure)
• Restart and shutdown (failure)
Failure-only auditing records attempts that were refused; a successful policy change or shutdown, which is what an investigation usually has to reconstruct, is logged only if success auditing is also selected for those categories.
If the "Audit These Events" option is selected, perform steps 52 to 54 below. If not, inquire about the reasoning and what mitigating controls are in place, and skip to step 55.
52. Examine the directory/file auditing function for reasonableness. Double-click the desired server ⇒ select "Shares" ⇒ right-click on the critical directory/file of interest ⇒ Properties ⇒ Security ⇒ Auditing. (Note: If the "Audit These Events" option is not selected in the audit policy, directory auditing is not possible.)
53. Examine the Registry auditing function for adequacy. Click on the desired server ⇒ Shares ⇒ execute c:\winnt\system32\Regedt32.exe. Select the subkey or value in question and choose Security ⇒ Auditing. Review which events are audited and determine their reasonableness. If this function is not on, inquire about the reasoning.
54. Determine that the system audit log files are secured. Examine the permissions on the logs by clicking on the desired server ⇒ Shares ⇒ c:\WINNT\System32\CONFIG directory. Then select each of the APPEVENT.EVT, SECEVENT.EVT, and SYSEVENT.EVT files ⇒ right-click ⇒ Properties ⇒ Security ⇒ Permissions.
55. Verify that audit logs are backed up on a regular basis.
56. Confirm that the generated audit logs are reviewed by appropriate security/system administration personnel on a regular basis.
57. Verify that escalation procedures are in place to ensure that detected security events are appropriately investigated in a timely manner.
58. Verify that reports are produced to evaluate trends in the audit log information.
59. Review the procedures established to prevent, detect, and recover from computer viruses.
60. Verify whether invalid attempts to exercise administrative rights are audited.
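Steps 56 to 58 and 60 are easier to evidence when the reviewed log is processed rather than scrolled. The Python below is an added example, not part of the audit program: it reads a Security log saved from Event Viewer as comma-delimited text (the column layout and every record in the embedded sample are constructed), counts failed logons per account against the step-12 lockout threshold, lists lockouts and failed privilege use (step 60), and pulls out the two events an escalation procedure (step 57) must never miss: the audit log being cleared and the audit policy being changed.

```python
import csv
import io
from collections import Counter

# Constructed Security log export. Assumed layout: the eight comma-separated
# columns Event Viewer writes when a log is saved as text. The event IDs are
# NT 4 Security log IDs: 528 logon, 529 bad user name or password, 539
# account locked out, 578 privileged object operation, 612 audit policy
# changed, 517 audit log cleared.
SAMPLE_LOG = """\
Date,Time,Source,Type,Category,Event,User,Computer
04/10/03,08:01:12,Security,Success Audit,Logon/Logoff,528,PAYDOM\\jsmith,PDC1
04/10/03,08:03:40,Security,Failure Audit,Logon/Logoff,529,PAYDOM\\bjones,PDC1
04/10/03,08:03:52,Security,Failure Audit,Logon/Logoff,529,PAYDOM\\bjones,PDC1
04/10/03,08:04:05,Security,Failure Audit,Logon/Logoff,529,PAYDOM\\bjones,PDC1
04/10/03,08:04:20,Security,Failure Audit,Logon/Logoff,539,PAYDOM\\bjones,PDC1
04/10/03,08:15:00,Security,Failure Audit,Logon/Logoff,529,PAYDOM\\Administrator,PDC1
04/10/03,09:30:11,Security,Failure Audit,Privilege Use,578,PAYDOM\\mlee,PDC1
04/10/03,23:59:58,Security,Success Audit,Policy Change,612,PAYDOM\\rkhan,PDC1
04/11/03,00:00:03,Security,Success Audit,System Event,517,PAYDOM\\rkhan,PDC1
"""

LOCKOUT_THRESHOLD = 3          # step 12: lock out after 3 bad attempts
LOGON_FAILURE = 529
ACCOUNT_LOCKED = 539
PRIVILEGE_USE = (577, 578)     # privileged service called / privileged object operation
ESCALATE = {517: "audit log cleared", 612: "audit policy changed"}


def parse_log_export(text):
    """Read the comma-delimited export; the Event column becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Event"] = int(r["Event"])
    return rows


def review_security_log(rows, threshold=LOCKOUT_THRESHOLD):
    """Summarise the events steps 56-58 and 60 ask the reviewer to look for."""
    failed = Counter()
    report = {"lockouts": [], "privilege_failures": [], "escalate": []}
    for r in rows:
        eid, user, failure = r["Event"], r["User"], r["Type"] == "Failure Audit"
        if eid == LOGON_FAILURE and failure:
            failed[user] += 1
        elif eid == ACCOUNT_LOCKED:
            report["lockouts"].append(user)
        elif eid in PRIVILEGE_USE and failure:          # step 60
            report["privilege_failures"].append(user)
        elif eid in ESCALATE:                           # step 57
            report["escalate"].append((eid, ESCALATE[eid], user, f'{r["Date"]} {r["Time"]}'))
    report["failed_logons"] = dict(failed)               # step 58 trend data
    report["over_threshold"] = sorted(u for u, n in failed.items() if n >= threshold)
    return report


if __name__ == "__main__":
    rep = review_security_log(parse_log_export(SAMPLE_LOG))
    for user, n in sorted(rep["failed_logons"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4} failed logons  {user}")
    for eid, what, user, when in rep["escalate"]:
        print(f"ESCALATE {eid} {what} by {user} at {when}")
```

A cleared log (517) immediately followed by a policy change (612), or the reverse, is the pattern to treat as an incident rather than a housekeeping entry: both events are only ever written by someone already holding administrative rights, so the account named in the record is the first thing to verify against the step-29 list.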
F) RAS Access Services Control
61. Identify whether Remote Access Service (RAS) is installed on the server being reviewed. On the console, choose Start ⇒ Programs ⇒ Administrative Tools ⇒ Remote Access Admin. If the RAS service is not installed, skip to the next section.
62. Identify how remote access authorization is granted.
63. Identify the accounts or groups to which RAS access has been granted. Verify that remote access is within their job function.
64. Identify what remote access permissions are granted to users. On the console, choose Start ⇒ Programs ⇒ Administrative Tools ⇒ Remote Access Admin ⇒ Users ⇒ Permissions. Focus on whether the Callback option is selected.
65. To examine the configuration for each RAS port, at the console choose Start ⇒ Settings ⇒ Control Panel ⇒ Network ⇒ Services tab ⇒ Remote Access Service ⇒ Properties. Highlight the device you want to examine and click the Configure button. Ensure only dial-out is allowed. Click the Network button and verify that TCP/IP has been selected as the dial-out protocol.
66. Discuss with the system administrator whether mandatory encryption has been set on all RAS logon and authentication information (in the RAS Network Configuration dialog, "Require Microsoft encrypted authentication" with "Require data encryption" selected, rather than "Allow any authentication including clear text").
67. Verify that remote access users are monitored. Review the monitoring procedures for adequacy.
G) Backup & Recovery
68. Review the backup and recovery scheme for the systems within scope to ensure that proper procedures are in place.
H) Physical Security
69. Determine whether the critical servers/domain controllers are physically secured from unauthorized access.