Top 10 controls to audit in windows server
Top 10 Controls to Audit in Windows Server

Randy Franklin Smith,

CISA, SSCP, Security MVP

Monterey Technology Group, Inc.

www.montereytechgroup.com


Windows Versions

  • NT 3.51

  • NT 4.0

  • Windows 2000 (NT 5.0)

  • Windows XP (NT 5.1)

  • Windows Server 2003 (NT 5.2)

(c) 2004 Monterey Technology Group Inc.


Active Directory Architecture

  • Multi-level structure

  • Structure locates and controls

    • Computers

    • Users

    • Groups

    • Printers

    • Shared folders



AD Structure

  • Forests

    • Trees

      • Domains

        • Organizational Units

    • Sites



Forests and trees



Domains and Organizational Units



AD Structure and IT Audits

  • Auditing AD and Windows

    • NOT a matter of applying a checklist to each server

    • Controls and risks reside at each level

      • Enterprise

      • Forest

      • Domain

      • Domain controller

      • Member server

      • Workstation



Member Server Level Controls

  • Each server has its own security configuration



Member Server Level Controls

  • Local Users

    • Administrator, Guest

  • Cardinality

    • Each MS

    • One DC per domain

  • Where to get the evidence:

    • Administrative Tools\Computer Management

    • DumpSEC Reports

      • Users as Table



Local SAM vs Active Directory

[Diagram: the domain controller holds the Active Directory database; each workstation and each member server holds its own local SAM.]

  • User accounts

  • Groups

  • Password and lockout policy



Domain accounts



Member Server Level Controls

  • Local Groups

    • Administrators, Power Users, Backup Operators

  • Cardinality

    • Each MS

  • Where to get the evidence:

    • Administrative Tools\Computer Management

    • DumpSEC Reports

      • Users as Table



Member Server Level Controls

  • Administrative Authority

    • Local groups

    • Administrators, Power Users, Backup Operators

  • Where to get the evidence:

    • Administrative Tools\Computer Management

    • DumpSEC Reports

      • Groups as Table



Member Server Level Controls

  • Password & Lockout Policy

    • Minimum length, age, complexity

    • Lockout accounts for X minutes after X bad logins within X minutes

  • Cardinality

    • One DC per domain

  • Where to get the evidence:

    • Administrative Tools\Local Security Policy

    • DumpSEC policy report



Member Server Level Controls

  • Audit policy

    • Nine categories control what Windows 2000 records in the security log

  • Cardinality

    • One DC per domain

    • Each MS

    • WS?

  • Where to get the evidence:

    • Administrative Tools\Local Security Policy

    • DumpSEC policy report



Member Server Level Controls

  • Service pack level

    • Ctrl-Alt-Del – Task Manager – Help\About

  • Hotfixes

    • Control Panel\Add/Remove Programs

  • Microsoft Baseline Security Analyzer



Member Server Level Controls

  • File and Folder Permissions

    • Important application, departmental and database directories

  • Where to get the evidence:

    • Windows Explorer

    • DumpSEC file permissions report



Member Server Level Controls

  • User Rights

    • Change system time, reboot computer, clear security log, etc.

  • Where to get the evidence:

    • Administrative Tools\Local Security Policy

    • DumpSEC user rights report



Member Server Level Controls

  • Services

    • FTP, WWW, Telnet, SMTP, NNTP, Terminal Services, etc.

  • Where to get the evidence:

    • Administrative Tools\Services

    • DumpSEC services report



Domain Controller Level Controls

  • A subset of member server level controls

    • Can be different on each domain controller within domain

  • Subset

    • Services

    • Patch status



Domain Level Controls

  • Subset of member server level controls

    • Collect from any one DC in the domain

  • Subset

    • Users and groups

    • Password and lockout policy

    • Audit policy

    • User rights



Domain Control Areas

  • Coarse administrative authority

    • Domain Admins, Administrators, Enterprise Admins*, Account Operators, Server Operators, Backup Operators, Schema Admins, DNSAdmins

  • Where to get the evidence:

    • Administrative Tools\Active Directory Users and Computers

    • DumpSEC groups report



Domain Control Areas

  • Coarse administrative authority

    • Domain Admins, Administrators, Enterprise Admins*, Account Operators, Server Operators, Backup Operators, Schema Admins, DNSAdmins

  • Where to get the evidence:

    • DumpSEC groups report



Domain Control Areas

  • Granular administrative authority

    • Permissions

      • Organizational units

      • Group policy objects

  • Where to get the evidence:

    • Administrative Tools\Active Directory Users and Computers

    • DumpSEC groups report



Forest Level

  • Domain ownership and physical location

  • Trust relationships

  • Root domain considerations



Windows and Active Directory Evidence Collection

  • Screen prints

  • DumpSEC reports

    • www.systemtools.com

  • Microsoft Baseline Security Analyzer

    • Patch status



Top 10 Things to Audit in a Win2k Domain

  • Local Security Policy of one DC

    • 1. Password

    • 2. Lockout policy

    • 3. Audit policy

      • Account Management, Account Logon, System Policy, Policy Changes

      • Failure AND Success!

  • Active Directory Users and Computers

    • 4. Important group memberships

      • Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops

      • If the root domain of the forest also check: Enterprise Admins, Schema Admins, DNSAdmins

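Items 1 to 3 above, and the password, lockout and audit policy controls on the member server slides, can be checked mechanically from a `secedit /export /cfg` file instead of from screen prints. The Python below is an added example, not part of the presentation or the Audit Kit: the sample export is constructed, the thresholds are assumptions, and the slide's "System Policy" category is taken to mean the System Events audit setting.

```python
import configparser

# Constructed sample of a `secedit /export /cfg` file; the values are made up for this example.
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 6
MaximumPasswordAge = 90
PasswordComplexity = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 1
AuditPolicyChange = 3
AuditSystemEvents = 0
"""

# Illustrative thresholds (assumed here, not the presenter's); replace with your own baseline.
FLOORS = {"MinimumPasswordLength": 8, "PasswordComplexity": 1,
          "LockoutBadCount": 1, "LockoutDuration": 15, "ResetLockoutCount": 15}
MAX_PASSWORD_AGE = 60
# Slide 27's four categories; "System Policy" is taken to mean AuditSystemEvents (assumption).
# secedit audit levels: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
AUDIT_BOTH = ("AuditAccountLogon", "AuditAccountManage", "AuditSystemEvents", "AuditPolicyChange")

def parse_secedit(text):
    """Parse the INI-style export into {section: {key: int | str}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; configparser lowercases keys by default
    cp.read_string(text)
    def num(v):  # numeric settings become ints, quoted names (e.g. account names) stay strings
        return int(v) if v.lstrip("-").isdigit() else v.strip('"')
    return {s: {k: num(v) for k, v in cp[s].items()} for s in cp.sections()}

def check_policy(policy):
    """Return {setting: finding}; an empty dict means every control passed."""
    findings = {}
    access = policy.get("System Access", {})
    for key, floor in FLOORS.items():
        if access.get(key, 0) < floor:
            findings[key] = f"{access.get(key, 'missing')} is below the minimum of {floor}"
    age = access.get("MaximumPasswordAge", -1)  # secedit writes -1 for "password never expires"
    if age == -1 or age > MAX_PASSWORD_AGE:
        findings["MaximumPasswordAge"] = f"{age} exceeds {MAX_PASSWORD_AGE} days or never expires"
    audit = policy.get("Event Audit", {})
    for key in AUDIT_BOTH:
        if audit.get(key, 0) != 3:
            findings[key] = f"audit level {audit.get(key, 0)}, need 3 (Success and Failure)"
    return findings
```

Against a real server, export with `secedit /export /cfg policy.inf` and read the file with `encoding="utf-16"`, since secedit writes UTF-16.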


Top 10 Things to Audit in a Win2k Domain

  • One or more Domain Controllers

    • 5. Service Pack Level

    • 6. Dangerous Services

  • One or more Member Servers

    • 7. Audit Policy

      • Account Logon, Account Management, System Policy, Policy Change

    • 8. Service Pack Level

    • 9. Dangerous Services

    • 10. Administrator account



Monterey Technology Group

  • Windows and Active Directory Audit Kit

    • Absolutely free

    • Request at www.montereytechgroup.com



Audit Workflow

[Diagram: scoping starts with the question "How many and which Forests are part of this project?" Each Forest, each Active Directory Domain, each Domain Controller and (optionally) each Member Server yields its own Evidence and Findings; the result is a report in your format and language.]


Monterey Technology Group, Inc. Services:

  • Windows & Active Directory Auditing

    • Turnkey outsourcing

    • Co-sourcing w/ knowledge transfer

  • Application Auditing

    • Specification/design vs delivered product

    • Coding quality

    • Maintainability

  • Contact information
