Top 10 Controls to Audit in Windows Server


Randy Franklin Smith,

CISA, SSCP, Security MVP

Monterey Technology Group, Inc.

www.montereytechgroup.com

Windows Versions
  • NT 3.51
  • NT 4.0
  • Windows 2000 (NT 5.0)
  • Windows XP (NT 5.1)
  • Windows Server 2003 (NT 5.2)

(c) 2004 Monterey Technology Group Inc.

Active Directory Architecture
  • Multi-level structure
  • Structure locates and controls
    • Computers
    • Users
    • Groups
    • Printers
    • Shared folders

AD Structure
  • Forests
    • Trees
      • Domains
        • Organizational Units
    • Sites

Forests and trees

Domains and Organizational Units

AD Structure and IT Audits
  • Auditing AD and Windows
    • NOT a matter of applying a checklist on each server
    • Controls and risks reside at each level
      • Enterprise
      • Forest
      • Domain
      • Domain controller
      • Member server
      • Workstation

Member Server Level Controls
  • Each server has its own security configuration

Member Server Level Controls
  • Local Users
    • Administrator, Guest
  • Cardinality
    • Each MS
    • One DC per domain
  • Where to get the evidence:
    • Administrative Tools\Computer Management
    • DumpSEC Reports
      • Users as Table

Local SAM vs Active Directory
  • User accounts
  • Groups
  • Password and lockout policy

[Diagram labels: AD, SAM, domain controller, workstation, member server]

Domain accounts

Member Server Level Controls
  • Local Groups
    • Administrators, Power Users, Backup Operators
  • Cardinality
    • Each MS
  • Where to get the evidence:
    • Administrative Tools\Computer Management
    • DumpSEC Reports
      • Users as Table

Member Server Level Controls
  • Administrative Authority
    • Local groups
    • Administrators, Power Users, Backup Operators
  • Where to get the evidence:
    • Administrative Tools\Computer Management
    • DumpSEC Reports
      • Groups as Table

Member Server Level Controls
  • Password & Lockout Policy
    • Minimum length, age, complexity
    • Lockout accounts for X minutes after X bad logins within X minutes
  • Cardinality
    • One DC per domain
  • Where to get the evidence:
    • Administrative Tools\Local Security Policy
    • DumpSEC policy report

Member Server Level Controls
  • Audit policy
    • 9 categories control what Windows 2000 records in the Security log
  • Cardinality
    • One DC per domain
    • Each MS
    • WS?
  • Where to get the evidence:
    • Administrative Tools\Local Security Policy
    • DumpSEC policy report

Member Server Level Controls
  • Service pack level
    • Ctrl-Alt-Del – Task Manager – Help\About
  • Hotfixes
    • Control Panel\Add/Remove Programs
  • Microsoft Baseline Security Analyzer

Member Server Level Controls
  • File and Folder Permissions
    • Important application, departmental and database directories
  • Where to get the evidence:
    • Windows Explorer
    • DumpSEC file permissions report

Member Server Level Controls
  • User Rights
    • Change system time, reboot computer, clear security log, etc
  • Where to get the evidence:
    • Administrative Tools\Local Security Policy
    • DumpSEC user rights report

Member Server Level Controls
  • Services
    • FTP, WWW, Telnet, SMTP, NNTP, Terminal Services, etc
  • Where to get the evidence:
    • Administrative Tools\Services
    • DumpSEC services report

Domain Controller Level Controls
  • A subset of member server level controls
    • Can be different on each domain controller within domain
  • Subset
    • Services
    • Patch status

Domain Level Controls
  • Subset of member server level controls
    • Collect from any one DC in the domain
  • Subset
    • Users and groups
    • Password and lockout policy
    • Audit policy
    • User rights

Domain Control Areas
  • Coarse administrative authority
    • Domain Admins, Administrators, Enterprise Admins*, Account Operators, Server Operators, Backup Operators, Schema Admins, DNSAdmins
  • Where to get the evidence:
    • Administrative Tools\Active Directory Users and Computers
    • DumpSEC groups report

Domain Control Areas
  • Coarse administrative authority
    • Domain Admins, Administrators, Enterprise Admins*, Account Operators, Server Operators, Backup Operators, Schema Admins, DNSAdmins
  • Where to get the evidence:
    • DumpSEC groups report

Domain Control Areas
  • Granular administrative authority
    • Permissions
      • Organizational units
      • Group policy objects
  • Where to get the evidence:
    • Administrative Tools\Active Directory Users and Computers
    • DumpSEC groups report

Forest Level
  • Domain ownership and physical location
  • Trust relationships
  • Root domain considerations

Windows and Active Directory Evidence Collection
  • Screen prints
  • DumpSEC reports
    • www.systemtools.com
  • Microsoft Baseline Security Analyzer
    • Patch status

Top 10 Things to Audit in a Win2k Domain
  • Local Security Policy of one DC
    • 1. Password
    • 2. Lockout policy
    • 3. Audit policy
      • Account Management, Account Logon, System Policy, Policy Changes
      • Failure AND Success!
  • Active Directory Users and Computers
    • 4. Important group memberships
      • Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops
      • If the root domain of the forest also check: Enterprise Admins, Schema Admins, DNSAdmins

Top 10 Things to Audit in a Win2k Domain
  • One or more Domain Controllers
    • 5. Service Pack Level
    • 6. Dangerous Services
  • One or more Member Servers
    • 7. Audit Policy
      • Account Logon, Account Management, System Policy, Policy Change
    • 8. Service Pack Level
    • 9. Dangerous Services
    • 10. Administrator account
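
Items 1 to 3 (domain controller) and item 7 (member server) can be checked offline against a security policy export. The following is an added example, not part of the original slides: it assumes the evidence is a `secedit /export` template (a tool the slides do not mention), that "System Policy" corresponds to the `AuditSystemEvents` key, and that `min_length=8` is an acceptable threshold (the slides give none). The sample export is constructed.

```python
import configparser

# The four audit categories the slides single out, by secedit [Event Audit] key.
REQUIRED_AUDIT = {"AuditAccountManage": "Account Management",
                  "AuditAccountLogon": "Account Logon",
                  "AuditSystemEvents": "System",  # assumed match for "System Policy"
                  "AuditPolicyChange": "Policy Change"}
FLAGS = ((1, "Success"), (2, "Failure"))  # [Event Audit] bit flags; 3 = both

def review_policy(inf_text, min_length=8):
    """Return (control, detail) findings for a `secedit /export` template."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cfg.optionxform = str  # keep key names case-sensitive, as exported
    cfg.read_string(inf_text)

    def num(section, key):
        # A missing section or key counts as 0, i.e. not configured.
        return int(cfg.get(section, key, fallback="0").strip())

    findings = []
    length = num("System Access", "MinimumPasswordLength")
    if length < min_length:  # threshold is this example's assumption
        findings.append(("Password", f"minimum length {length} < {min_length}"))
    if num("System Access", "PasswordComplexity") == 0:
        findings.append(("Password", "complexity disabled"))
    if num("System Access", "LockoutBadCount") == 0:
        findings.append(("Lockout", "accounts never lock out"))
    for key, name in REQUIRED_AUDIT.items():
        value = num("Event Audit", key)
        missing = [label for bit, label in FLAGS if not value & bit]
        if missing:  # the slides ask for Failure AND Success
            findings.append(("Audit", f"{name}: {' and '.join(missing)} not audited"))
    return findings

# Constructed sample export (not taken from a real server).
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditPolicyChange = 1
AuditAccountManage = 3
AuditAccountLogon = 2
"""

if __name__ == "__main__":
    print(*review_policy(SAMPLE_INF), sep="\n")
```

Real exports are typically UTF-16 encoded, so decode the file to text before passing it to `review_policy`.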

Monterey Technology Group
  • Windows and Active Directory Audit Kit
    • Absolutely free
    • Request at www.montereytechgroup.com

"How many and which Forests are part of this project?"

[Diagram: boxes labelled Forest, Active Directory Domain, Domain Controller and Member Server, with Evidence and Findings labels, an "(optional)" marker, and the note "Report in your format and language"]

Monterey Technology Group, Inc. Services:
  • Windows & Active Directory Auditing
    • Turnkey outsourcing
    • Co-sourcing w/ knowledge transfer
  • Application Auditing
    • Specification/design vs delivered product
    • Coding quality
    • Maintainability
  • Contact information
