Top 10 Controls to Audit in Windows Server - PowerPoint PPT Presentation (31 slides)

Presentation Transcript

  1. Top 10 Controls to Audit in Windows Server Randy Franklin Smith, CISA, SSCP, Security MVP Monterey Technology Group, Inc. www.montereytechgroup.com

  2. Windows Versions • NT 3.51 • NT 4.0 • Windows 2000 (NT 5.0) • Windows XP (NT 5.1) • Windows Server 2003 (NT 5.2) (c) 2004 Monterey Technology Group Inc.

  3. Active Directory Architecture • Multi-level structure • Structure locates and controls • Computers • Users • Groups • Printers • Shared folders

  4. AD Structure • Forests • Trees • Domains • Organizational Units • Sites

  5. Forests and trees (diagram)

  6. Domains and Organizational Units (diagram)

  7. AD Structure and IT Audits • Auditing AD and Windows is NOT a matter of applying a checklist to each server • Controls and risks reside at each level • Enterprise • Forest • Domain • Domain controller • Member server • Workstation

  8. Member Server Level Controls • Each server has its own security configuration

  9. Member Server Level Controls • Local Users • Administrator, Guest • Cardinality • Each MS • One DC per domain • Where to get the evidence: • Administrative Tools\Computer Management • DumpSEC Reports • Users as Table

  10. Local SAM vs Active Directory (diagram: the domain controller's accounts live in Active Directory; each workstation and member server keeps its own local SAM) • User accounts • Groups • Password and lockout policy

  11. Domain accounts (diagram)

  12. Member Server Level Controls • Local Groups • Administrators, Power Users, Backup Operators • Cardinality • Each MS • Where to get the evidence: • Administrative Tools\Computer Management • DumpSEC Reports • Groups as Table

  13. Member Server Level Controls • Administrative Authority • Local groups • Administrators, Power Users, Backup Operators • Where to get the evidence: • Administrative Tools\Computer Management • DumpSEC Reports • Groups as Table
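
  The local-account and local-group evidence of slides 9, 12 and 13, collected with PowerShell instead of Computer Management or DumpSEC. This is an added example and not part of the original deck; it assumes Windows Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module) and an elevated session on the member server being audited. The group names are the slide's; the findings it raises (enabled Guest, un-renamed Administrator, accounts without a password) are the editor's own checks.

```powershell
# Added example (not from the original slides): local-account and privileged local-group
# evidence for one member server. Assumes Windows Server 2016+/PowerShell 5.1 (the
# Microsoft.PowerShell.LocalAccounts module) and an elevated session on the target.
#Requires -RunAsAdministrator

$privilegedGroups = 'Administrators', 'Power Users', 'Backup Operators'   # from slides 12/13

# 1. Local users. Identify the built-in Administrator and Guest by RID (500/501), not by
#    name, because either may have been renamed and the RID is what an attacker targets.
$users = foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]
    $builtIn = switch ($rid) { '500' { 'Administrator' } '501' { 'Guest' } default { '' } }
    [pscustomobject]@{
        Name             = $u.Name
        BuiltIn          = $builtIn
        Enabled          = $u.Enabled
        PasswordRequired = $u.PasswordRequired
        PasswordLastSet  = $u.PasswordLastSet
        LastLogon        = $u.LastLogon
    }
}
$users | Format-Table -AutoSize

# Findings an auditor would raise from that table (editor's checks, not the slide's)
$guest = $users | Where-Object BuiltIn -eq 'Guest'
if ($guest -and $guest.Enabled) { Write-Warning "Built-in Guest (RID 501) is enabled as '$($guest.Name)'" }
$admin = $users | Where-Object BuiltIn -eq 'Administrator'
if ($admin -and $admin.Name -eq 'Administrator') { Write-Warning 'Built-in Administrator (RID 500) has not been renamed' }
$users | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object { Write-Warning "Enabled account '$($_.Name)' does not require a password" }

# 2. Membership of the privileged local groups. A domain principal nested here
#    (PrincipalSource = ActiveDirectory) means domain-level control reaches this server.
foreach ($g in $privilegedGroups) {
    try   { $members = @(Get-LocalGroupMember -Group $g -ErrorAction Stop) }
    catch { Write-Warning "Group '$g' not present or not readable: $($_.Exception.Message)"; continue }
    "`n== $g : $($members.Count) member(s) =="
    $members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}
```

  Run it once per member server and keep the table output as the evidence; the warnings are the candidate findings. On a domain controller Get-LocalUser only returns the DSRM account context, so use the domain-level collection for DCs instead.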

  14. Member Server Level Controls • Password & Lockout Policy • Minimum length, age, complexity • Lockout accounts for X minutes after X bad logins within X minutes • Cardinality • One DC per domain • Where to get the evidence: • Administrative Tools\Local Security Policy • DumpSEC policy report

  15. Member Server Level Controls • Audit policy • 9 categories control what W2K records in the security log • Cardinality • One DC per domain • Each MS • WS? • Where to get the evidence: • Administrative Tools\Local Security Policy • DumpSEC policy report

  16. Member Server Level Controls • Service pack level • Ctrl-Alt-Del – Task Manager – Help\About • Hotfixes • Control Panel\Add/Remove Programs • Microsoft Baseline Security Analyzer

  17. Member Server Level Controls • File and Folder Permissions • Important application, departmental and database directories • Where to get the evidence: • Windows Explorer • DumpSEC file permissions report

  18. Member Server Level Controls • User Rights • Change system time, reboot computer, clear security log, etc. • Where to get the evidence: • Administrative Tools\Local Security Policy • DumpSEC user rights report
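
  The Local Security Policy evidence of slides 14, 15 and 18 (password and lockout policy, audit policy, user rights) pulled from built-in tools rather than DumpSEC's policy and user-rights reports. This is an added example, not code from the deck; it assumes Windows Server 2008 or later (auditpol.exe and the secedit.exe export format) and an elevated session. The numeric thresholds and the list of rights it reports are the editor's assumed audit baseline, not values stated on the slides.

```powershell
# Added example (not from the original slides): password/lockout policy, audit policy and
# user rights for one server. Assumes Windows Server 2008+ and an elevated session.
# Thresholds below are the editor's assumed baseline, not from the deck.
#Requires -RunAsAdministrator

# secedit exports the effective local policy as an INI-style file; parse it into
# @{ Section = @{ Key = Value } } so the sections below can be read by name.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $inf /quiet | Out-Null
$policy = @{}; $section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy[$section][$matches[1]] = $matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 1. Password and lockout policy ([System Access]). -1 for MaximumPasswordAge means "never
#    expires" (finding); -1 for LockoutDuration means "until an administrator unlocks" (ok).
$sa = $policy['System Access']
$checks = @(
    @{ Key = 'MinimumPasswordLength'; Want = '>= 14';       Test = { $args[0] -ge 14 } }
    @{ Key = 'PasswordComplexity';    Want = '1 (enabled)'; Test = { $args[0] -eq 1 } }
    @{ Key = 'PasswordHistorySize';   Want = '>= 24';       Test = { $args[0] -ge 24 } }
    @{ Key = 'MaximumPasswordAge';    Want = '1..90 days';  Test = { $args[0] -ge 1 -and $args[0] -le 90 } }
    @{ Key = 'LockoutBadCount';       Want = '1..10';       Test = { $args[0] -ge 1 -and $args[0] -le 10 } }
    @{ Key = 'LockoutDuration';       Want = '>= 15 or -1'; Test = { $args[0] -ge 15 -or $args[0] -eq -1 } }
    @{ Key = 'ResetLockoutCount';     Want = '>= 15';       Test = { $args[0] -ge 15 } }
)
foreach ($c in $checks) {
    $value = if ($sa -and $sa.ContainsKey($c.Key)) { [int]$sa[$c.Key] } else { $null }   # absent = not set
    $ok = ($null -ne $value) -and (& $c.Test $value)
    '{0,-22} {1,6}  {2}' -f $c.Key, $value, $(if ($ok) { 'OK' } else { "FINDING (want $($c.Want))" })
}

# 2. Audit policy. On Vista/2008+ the per-subcategory settings auditpol shows are what the
#    system applies, so read those rather than the legacy [Event Audit] values in the export.
#    The deck wants Success AND Failure for these four categories; anything else is flagged.
foreach ($cat in 'Account Logon', 'Account Management', 'Policy Change', 'System') {
    $rows = auditpol.exe /get /category:"$cat" /r | ConvertFrom-Csv
    foreach ($r in $rows) {
        $flag = if ($r.'Inclusion Setting' -eq 'Success and Failure') { 'OK    ' } else { 'REVIEW' }
        '{0} {1,-18} {2,-38} {3}' -f $flag, $cat, $r.Subcategory, $r.'Inclusion Setting'
    }
}

# 3. User rights ([Privilege Rights]): values are '*SID' lists; translate each to a name.
$rights = @{
    SeSystemtimePrivilege         = 'Change the system time'
    SeShutdownPrivilege           = 'Shut down the system'
    SeSecurityPrivilege           = 'Manage auditing and security log (clear security log)'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeDebugPrivilege              = 'Debug programs'
}
$pr = $policy['Privilege Rights']
foreach ($name in $rights.Keys) {
    $holders = if ($pr -and $pr.ContainsKey($name)) {
        foreach ($entry in $pr[$name].Split(',')) {
            $id = $entry.Trim().TrimStart('*')
            try   { (New-Object Security.Principal.SecurityIdentifier($id)).Translate([Security.Principal.NTAccount]).Value }
            catch { $id }   # unresolvable SID (deleted account) or a literal account name
        }
    } else { @('<nobody>') }
    '{0,-30} {1,-52} {2}' -f $name, $rights[$name], ($holders -join '; ')
}
```

  The password and lockout section reflects what the server enforces for its local SAM accounts; on a domain member the values for domain accounts come from the Default Domain Policy and must be collected from a domain controller, as slide 14's cardinality note says.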

  19. Member Server Level Controls • Services • FTP, WWW, Telnet, SMTP, NNTP, Terminal Services, etc. • Where to get the evidence: • Administrative Tools\Services • DumpSEC services report
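
  Patch-level and service evidence for slides 16 and 19 (what the deck gets from Help\About, Add/Remove Programs, MBSA and the Services snap-in). This is an added example and not part of the original deck; it assumes PowerShell 5.1 or later with local administrator rights on the server being audited. The mapping from the slide's service list to Windows service names, and the 30-day patch window, are the editor's assumptions.

```powershell
# Added example (not from the original slides): OS/service-pack level, installed hotfixes
# and risky services for one server. Assumes PowerShell 5.1+ and local admin rights.
#Requires -RunAsAdministrator

# 1. OS version and service pack (the Help\About evidence). On Windows 10/2016+ builds the
#    service pack fields are 0 and the patch level is carried by the build number instead.
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Caption        = $os.Caption
    Version        = $os.Version
    ServicePack    = "$($os.ServicePackMajorVersion).$($os.ServicePackMinorVersion)"
    LastBootUpTime = $os.LastBootUpTime
} | Format-List

# 2. Installed hotfixes (the Add/Remove Programs "show updates" view). Get-HotFix lists only
#    updates recorded by the Windows Update agent, not application-level patches.
$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending
$hotfixes | Select-Object -First 10 HotFixID, Description, InstalledOn | Format-Table -AutoSize
$newest = ($hotfixes | Where-Object InstalledOn | Select-Object -First 1).InstalledOn
if (-not $newest -or $newest -lt (Get-Date).AddDays(-30)) {       # 30 days: editor's assumption
    Write-Warning "No update installed in the last 30 days (newest: $newest)"
}

# 3. Services. The slide's list mapped to service names (editor's mapping), plus every
#    service that runs under a named account, since a leaked service password is server-wide.
$dangerous = @{
    MSFTPSVC = 'FTP (IIS 6)'; ftpsvc = 'FTP (IIS 7+)'; W3SVC = 'WWW'; TlntSvr = 'Telnet'
    SMTPSVC  = 'SMTP';        NntpSvc = 'NNTP';         TermService = 'Terminal Services / RDP'
}
$services = Get-CimInstance Win32_Service
"`n== Services from the slide's list that are installed =="
foreach ($s in $services | Where-Object { $dangerous.ContainsKey($_.Name) }) {
    '{0,-12} {1,-24} {2,-8} {3,-9} {4}' -f $s.Name, $dangerous[$s.Name], $s.State, $s.StartMode, $s.StartName
}
"`n== Services running under a named (non-built-in) account =="
$services | Where-Object { $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    Select-Object Name, State, StartMode, StartName | Format-Table -AutoSize
```

  The same script gives the domain-controller subset of slide 20 (services and patch status) when run on a DC, which is why the deck treats DC-level controls as a subset of the member-server ones.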

  20. Domain Controller Level Controls • A subset of member server level controls • Can be different on each domain controller within a domain • Subset • Services • Patch status

  21. Domain Level Controls • Subset of member server level controls • Collect from any one DC in the domain • Subset • Users and groups • Password and lockout policy • Audit policy • User rights

  22. Domain Control Areas • Coarse administrative authority • Domain Admins, Administrators, Enterprise Admins*, Account Operators, Server Operators, Backup Operators, Schema Admins, DNSAdmins • Where to get the evidence: • Administrative Tools\Active Directory Users and Computers • DumpSEC groups report

  23. Domain Control Areas • Coarse administrative authority • Domain Admins, Administrators, Enterprise Admins*, Account Operators, Server Operators, Backup Operators, Schema Admins, DNSAdmins • Where to get the evidence: • DumpSEC groups report

  24. Domain Control Areas • Granular administrative authority • Permissions • Organizational units • Group policy objects • Where to get the evidence: • Administrative Tools\Active Directory Users and Computers • DumpSEC groups report

  25. Forest Level • Domain ownership and physical location • Trust relationships • Root domain considerations
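
  Domain- and forest-level evidence for slides 21 to 25, collected with the ActiveDirectory module in place of the DumpSEC groups and policy reports. This is an added example, not code from the deck; it assumes the RSAT ActiveDirectory module, Windows Server 2008 R2 or later, and a domain account with read access, and it is meant to be run once per domain in the forest. The group list is the slides' (Enterprise Admins and Schema Admins only in the forest root domain); the Schema Admins warning is the editor's check.

```powershell
# Added example (not from the original slides): coarse administrative authority, domain
# password/lockout policy and forest trusts. Assumes the RSAT ActiveDirectory module and a
# domain account with read access. Run once per domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$isForestRoot = ($domain.DNSRoot -eq $forest.RootDomain)

# 1. Coarse administrative authority. Resolve membership recursively so a nested group
#    does not hide a member; Enterprise/Schema Admins exist only in the forest root domain.
$groups = 'Domain Admins', 'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators', 'DnsAdmins'
if ($isForestRoot) { $groups += 'Enterprise Admins', 'Schema Admins' }
foreach ($g in $groups) {
    try   { $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop) }
    catch { Write-Warning "Cannot read '$g' in $($domain.DNSRoot): $($_.Exception.Message)"; continue }
    "`n== $g : $($members.Count) effective member(s) =="
    $members | Sort-Object objectClass, name | Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize
    if ($g -eq 'Schema Admins' -and $members.Count -gt 0) {
        Write-Warning 'Schema Admins is not empty; it should hold members only during a schema change'   # editor's check
    }
}

# 2. Password and lockout policy that domain controllers enforce for domain accounts (the
#    values slide 21 says to collect from any one DC), plus fine-grained policies that
#    override them for specific users or groups on 2008+ domains.
"`n== Default domain password and lockout policy =="
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
    ComplexityEnabled, ReversibleEncryptionEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow | Format-List
"`n== Fine-grained password policies (empty if none are defined) =="
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, AppliesTo, MinPasswordLength, LockoutThreshold | Format-Table -AutoSize

# 3. Forest level: trust relationships. Direction and transitivity decide how far a
#    compromise elsewhere can reach into this forest.
"`n== Trusts =="
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, SIDFilteringForestAware, SIDFilteringQuarantined |
    Format-Table -AutoSize

# 4. Where the evidence came from: domain-level settings are replicated, so any one DC will do.
$domain | Select-Object DNSRoot, DomainMode, PDCEmulator, @{ n = 'DomainControllers'; e = { $_.ReplicaDirectoryServers -join ', ' } }
```

  Get-ADGroupMember -Recursive stops at the default results limit on very large groups; for a group that trips it, fall back to reading the member attribute of the group object directly.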

  26. Windows and Active Directory Evidence Collection • Screen prints • DumpSEC reports • www.systemtools.com • Microsoft Baseline Security Analyzer • Patch status

  27. Top 10 Things to Audit in a Win2k Domain • Local Security Policy of one DC • 1. Password policy • 2. Lockout policy • 3. Audit policy • Account Management, Account Logon, System Events, Policy Change • Failure AND Success! • Active Directory Users and Computers • 4. Important group memberships • Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops • If the root domain of the forest, also check: Enterprise Admins, Schema Admins, DNSAdmins

  28. Top 10 Things to Audit in a Win2k Domain • One or more Domain Controllers • 5. Service Pack Level • 6. Dangerous Services • One or more Member Servers • 7. Audit Policy • Account Logon, Account Management, System Events, Policy Change • 8. Service Pack Level • 9. Dangerous Services • 10. Administrator account

  29. Monterey Technology Group • Windows and Active Directory Audit Kit • Absolutely free • Request at www.montereytechgroup.com

  30. "How many and which Forests are part of this project?" (diagram of the audit workflow: Forest → Active Directory Domain(s) → Domain Controller(s) → Member Server(s) (optional); evidence is collected and findings are recorded at each level, and the report is delivered in your format and language)

  31. Monterey Technology Group, Inc. Services: • Windows & Active Directory Auditing • Turnkey outsourcing • Co-sourcing with knowledge transfer • Application Auditing • Specification/design vs delivered product • Coding quality • Maintainability • Contact information • www.montereytechgroup.com • rsmith@montereytechgroup.com