Document information
© 2002-2007 Monterey Technology Group, Inc. v2006.05
www.montereytechgroup.com, www.ultimateWindowsSecurity.com
Windows Server 2003 Audit Program for Member Servers*
* Not to be used for Domain Controllers. See Active Directory Audit Program at www.ultimateWindowsSecurity.com
Internal Use License Agreement for Windows Server 2003 Audit Program for Member Servers
This audit program contains Intellectual Property and is licensed, copyrighted material owned by Monterey Technology Group, Inc., the publisher of this web site.
This audit work program is intended for employees of Internal Audit departments. As such, you are allowed to use this audit program during the course of your own work, and you may copy the findings, risks and recommendations from the Member Server Control Tests into your own audit work papers and edit them as necessary. Employees of Information Technology departments may use this document in a similar manner in preparation for an audit or as a self-assessment tool.
Prohibited uses:
• Use by a consultant or subcontractor in providing services to another company or in developing products or services
• Use by an associate or partner of a public accounting firm
• Distributing this audit program to colleagues. Each individual must request a personal copy
• Posting on a website
• Incorporating into a larger work except as provided above
• Training
Organization-wide licensing is available. Contact us for more information.
Monterey Technology Group, Inc.
179 Dunbar St Suite E
Spartanburg SC 29306
(866) 749-2048
info@montereytechgroup.com
Table of Contents
Member Server Evidence Collection .......... 2
Member Server Control Tests .......... 19
Control Framework Mappings .......... 44
Windows Server 2003 Audit Program for Member Servers, Page 2 of 40
Monterey Technology Group, Inc. Active Directory and Windows Server Audit Specialists. Training • Consulting • Practice Aids
Member Server Evidence Collection
All evidence on this worksheet is member server specific – i.e. the evidence can potentially be different on each member server. Therefore a copy of this worksheet should be filled out for each relevant member server in the domain, or a sample thereof.
Evidence collection methods:
• Command line. Commands in this work program will not modify any setting. Most commands require administrative authority, but the parameters used guarantee their operation is read only. We suggest creating a text file at the beginning of your evidence collection to receive the output of these commands. Using the >> redirection feature as indicated in the guidance below will cause each command’s output to be appended to this file.
• Screen print. We recommend collecting all your screen prints into a single file with WordPad. Pressing Alt-PrintScreen will copy the current window (instead of the entire screen) to your clipboard. Then you can paste the screen print into WordPad. For projects requiring many screen prints we recommend Snagit from www.techsmith.com.
Evidence collection items are sequenced so as to avoid switching between programs unnecessarily.
Evidence item / Guidance / Example
1. Location on physical network
Guidance:
• DMZ or on internal network
• City, building, floor
2. Describe physical security controls
3. Create files to receive subsequent command line output and screen prints
Guidance:
1. Run notepad.exe and create a new file named evidence.txt or similar.
2. Enter the name of the computer, the date and your name.
3. Save and close the file.
4. Open Accessories\WordPad and create a new file called screenprints.rtf. Keep this file open so that you can paste screen prints into it.
4. List of services
Guidance: Command line: sc query type= service state= all >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Example:
SERVICE_NAME: AeLookupSvc
DISPLAY_NAME: Application Experience Lookup Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
5. List of shared folders
Guidance: Command line: net share >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
When analyzing evidence, note: ignore SYSVOL, IPC$, NETLOGON, ADMIN$, C$, D$, E$ and other drive-letter-dollar-sign shares.
Example:
Share name Resource Remark
C$ C:\ Default share
E$ E:\ Default share
ADMIN$ C:\WINDOWS Remote Admin
IPC$ Remote IPC
The command completed successfully.
6. Share permissions
Guidance: For each share in the previous evidence item run: net share [sharename] >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Ignore SYSVOL, IPC$, NETLOGON, ADMIN$, C$, D$, E$ and other drive-letter-dollar-sign shares.
Example:
Share name SharedDocuments
Path C:\files
Remark
Maximum users No limit
Users
Caching Manual caching of documents
Permission BUILTIN\Administrators, FULL
Everyone, READ
The command completed successfully.
7. Listing of all local user accounts
Guidance: Command line: net user >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Example:
User accounts for \\CALADAN
__vmware_user__ Administrator ASPNET
Guest HelpAssistant SUPPORT_388945a0
The command completed successfully.
8. Document properties for administrator, guest and any other local accounts selected by auditor
Guidance:
1. Determine from IT staff whether the built-in account Administrator has been renamed. If so, substitute the account name below.
2. Command line: net user administrator >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
3. Repeat the previous step, replacing administrator with guest.
4. Examine the list of user accounts from the previous evidence item and identify any additional accounts that have been created besides:
• Administrator
• Guest
• SUPPORT_*
• IUSR_*
• IWAM_*
• ASPNET
If additional accounts exist, repeat step 2 for each account. If there are too many accounts, use a sample.
Example:
User name Administrator
Full Name
Comment Built-in account for administering the computer/domain
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/22/2005 2:03 PM
Password expires Never
Password changeable 10/23/2005 2:03 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/24/2006 7:54 AM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
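The share rule from item 5 and the default-account rule from item 8 step 4, applied to collected evidence as an added example (this is not the audit program's own code; the two listings are constructed from the program's example output, and the extra account names bosshogg and svc_backup are invented):

```python
"""Added example, not part of the audit program: apply its own analysis rules to
collected 'net share' and 'net user' output (evidence items 5, 7 and 8).
Both samples below are constructed from the program's example output."""
import re

NET_SHARE_SAMPLE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
E$           E:\\                             Default share
ADMIN$       C:\\WINDOWS                      Remote Admin
IPC$                                         Remote IPC
SharedDocuments C:\\files
The command completed successfully.
"""

NET_USER_SAMPLE = """\
User accounts for \\\\CALADAN

-------------------------------------------------------------------------------
__vmware_user__          Administrator            ASPNET
Guest                    HelpAssistant            SUPPORT_388945a0
bosshogg                 svc_backup
The command completed successfully.
"""

# Item 5: default shares the program says to ignore, plus any drive-letter$ share.
IGNORED_SHARES = {"SYSVOL", "IPC$", "NETLOGON", "ADMIN$"}
DRIVE_SHARE = re.compile(r"[A-Za-z]\$")
# Item 8 step 4: accounts expected on a default install; anything else is documented.
DEFAULT_ACCOUNT = re.compile(r"Administrator|Guest|SUPPORT_.*|IUSR_.*|IWAM_.*|ASPNET", re.I)

def table_rows(net_output):
    """Yield body lines of a 'net' listing: after the dashed rule and before
    'The command completed successfully.', skipping blank lines."""
    in_table = False
    for line in net_output.splitlines():
        if line.startswith("----"):
            in_table = True
        elif in_table and line.strip() and not line.startswith("The command"):
            yield line

def shares_to_review(net_share_output):
    """Share names that still need a 'net share <name>' permission record (item 6).
    The name is taken as the first token; names with spaces need column parsing."""
    names = [row.split()[0] for row in table_rows(net_share_output)]
    return [n for n in names if n not in IGNORED_SHARES and not DRIVE_SHARE.fullmatch(n)]

def local_accounts(net_user_output):
    """All account names from 'net user'; columns are separated by 2+ spaces."""
    return [name for row in table_rows(net_user_output)
            for name in re.split(r"\s{2,}", row.strip())]

def additional_accounts(accounts):
    """Accounts outside the default list; each needs its own 'net user' record."""
    return [a for a in accounts if not DEFAULT_ACCOUNT.fullmatch(a)]

if __name__ == "__main__":
    print("Shares to review:", shares_to_review(NET_SHARE_SAMPLE))
    print("Additional accounts:", additional_accounts(local_accounts(NET_USER_SAMPLE)))
```

Note that the program's own sample listing contains HelpAssistant and __vmware_user__, which the item 8 rule flags for documentation like any other non-default account.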
9. Listing of all local groups
Guidance: Command line: net localgroup >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Example:
Aliases for \\A3
*Administrators
*Backup Operators
*Distributed COM Users
*Guests
*HelpServicesGroup
*IIS_WPG
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*TelnetClients
*Users
The command completed successfully.
10. Document members of all local groups
Guidance:
1. Command line: net localgroup administrators >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
2. Repeat the previous step for:
• Backup Operators
• Power Users
• TelnetClients
• Network Configuration Operators
• Remote Desktop Users
3. Examine the list of groups from the previous evidence item and identify any groups created besides the default groups shown in the previous evidence item's example.
Example:
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
bosshogg
S3DGROUP\Domain Admins
The command completed successfully.
11. Password policy and lockout policy
Guidance: Command line: net accounts >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Example:
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 7
Length of password history maintained: None
Lockout threshold: 7
Lockout duration (minutes): 1440
Lockout observation window (minutes): 1440
Computer role: SERVER
The command completed successfully.
12. Identify principal folders that contain important information and document permissions
Guidance: Command line: cacls [folder path] >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command and [folder path] is the full pathname of the folder in question (e.g. c:\documents\hrdocs).
Example:
C:\sls BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
MTG\rsmith:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA
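An added example, not from the audit program, that parses a cacls record like the one above into ACEs and applies the two permission control tests the program lists ("no permissions assigned to individual users" and "no permissions assigned to machine local groups") literally; the computer name A3, the local group set and the domain group set are assumed auditor inputs taken from evidence items 7, 9 and 10.

```python
"""Added example, not part of the audit program: parse one 'cacls' record
(evidence item 12) into ACEs and apply the program's permission tests literally
(no permissions for individual users, none for machine-local groups). The record
is the program's example; computer name, local groups and domain groups are assumed."""
import re

CACLS_SAMPLE = """\
C:\\sls BUILTIN\\Administrators:(OI)(CI)F
       NT AUTHORITY\\SYSTEM:(OI)(CI)F
       MTG\\rsmith:F
       CREATOR OWNER:(OI)(CI)(IO)F
       BUILTIN\\Users:(OI)(CI)R
       BUILTIN\\Users:(CI)(special access:)
                      FILE_APPEND_DATA
       BUILTIN\\Users:(CI)(special access:)
                      FILE_WRITE_DATA
"""

# trustee:(inheritance flags)perm, perm being a cacls letter or the special-access marker
ACE_RE = re.compile(r"^(?P<trustee>[^:]+):(?P<flags>(?:\([A-Z]{2}\))*)"
                    r"(?P<perm>[FRCWN]|\(special access:\))$")
WELL_KNOWN = {"CREATOR OWNER", "Everyone", "NT AUTHORITY\\SYSTEM"}  # neither test applies

def parse_cacls(output):
    """Return (path, aces); assumes the path has no spaces (cacls prints path and first ACE on one line)."""
    lines = output.strip().splitlines()
    path, lines[0] = lines[0].split(" ", 1)
    aces = []
    for raw in lines:
        text = raw.strip()
        m = ACE_RE.match(text)
        if m:
            special = m["perm"].startswith("(")
            aces.append({"trustee": m["trustee"], "flags": m["flags"], "special": special,
                         "rights": [] if special else [m["perm"]]})
        elif text and aces and aces[-1]["special"]:
            aces[-1]["rights"].append(text)   # FILE_APPEND_DATA etc. on continuation lines
    return path, aces

def classify(trustee, computer, local_groups, domain_groups):
    """Bucket a trustee the way the two control tests need."""
    if trustee in WELL_KNOWN:
        return "well-known"
    authority, _, name = trustee.rpartition("\\")
    is_local = authority.upper() in ("BUILTIN", computer.upper())
    if is_local and (authority.upper() == "BUILTIN" or name in local_groups):
        return "machine-local group"
    if is_local or name not in domain_groups:
        return "individual user"   # local user, or domain account that is not a known group
    return "domain group"

def permission_findings(output, computer, local_groups, domain_groups):
    """ACEs failing either test, as (trustee, bucket, rights) tuples."""
    _path, aces = parse_cacls(output)
    findings = []
    for a in aces:
        kind = classify(a["trustee"], computer, local_groups, domain_groups)
        if kind in ("individual user", "machine-local group"):
            findings.append((a["trustee"], kind, "+".join(a["rights"])))
    return findings

if __name__ == "__main__":
    print(permission_findings(CACLS_SAMPLE, "A3", {"Power Users"}, {"Domain Admins"}))
```

Applied literally, the tests also report BUILTIN\Administrators; whether that ACE is an accepted exception is the auditor's call, as the program leaves it open.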
13. Document whether group policy is being used to secure the system
Guidance: Command line: gpresult /scope computer /z >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Example:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 5/25/2006 at 11:09:12 PM
RSOP data for S3DGROUP\radmin on A3 : Logging Mode
OS Type: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Remote Administration
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\radmin
Connected over a slow link?: No
COMPUTER SETTINGS
CN=A3,OU=Application,OU=Servers,OU=Computers,OU=Objects,DC=s3dgroup,DC=com
Last time Group Policy was applied: 5/25/2006 at 11:03:25 PM
Group Policy was applied from: a4.s3dgroup.com
Group Policy slow link threshold: 500 kbps
Domain Name: S3DGROUP
Domain Type: Windows 2000
Applied Group Policy Objects
Server Policies
Special Exceptions For A3 Web Server
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
A3$
14. Document IP Security Policy
Guidance: Command line: netsh ipsec static show policy all >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Example:
Policy Name : Server (Request Security)
Description : For all IP traffic, always request security using K
Last Modified : 2/12/2005 1:03:03 AM
Assigned : NO
Master PFS : NO
Polling Interval : 180 minutes
Policy Name : Client (Respond Only)
Description : Communicate normally (unsecured). Use the default r
Last Modified : 2/12/2005 1:03:03 AM
Assigned : NO
Master PFS : NO
Polling Interval : 180 minutes
Policy Name : Secure Server (Require Security)
Description : For all IP traffic, always require security using K
Last Modified : 2/12/2005 1:03:04 AM
Assigned : NO
Master PFS : NO
Polling Interval : 180 minutes
Policy Name : Firewall Rules
Description : NONE
Last Modified : 7/15/2005 11:59:32 PM
Assigned : NO
Master PFS : NO
Polling Interval : 180 minutes
No. of policies : 4
15. Audit policies
Guidance: Administrative Tools\Local Security Policy: capture a screen print of Security Policy\Local Policies\Audit Policy.
Alternative: use the auditpol utility from the Windows Resource Kit. Command line: auditpol >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
16. User Rights Assignments
Guidance: Administrative Tools\Local Security Policy: capture a screen print of Security Policy\Local Policies\User Rights Assignments.
Alternative: use the ntrights utility from the Windows Resource Kit. Command line: ntrights >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Member Server Control Tests
Only fragments of this section survive in this copy. Each test has Test Name, Guidance, Finding, Risk and Recommendation columns; cut-off text is marked "...".
Test (number not recoverable): Verify no permissions are assigned to machine local groups. Guidance: Member Server Evidence 6, 9 and 12.
Test 9: Verify no permissions are assigned to individual users. Guidance: Member Server Evidence 6 and 12. Best practice...
Test 11: Check membership of Administrators group. Guidance: Member Server Evidence 10. Finding: Inappropriate users (___) have administrator access to member server.
Test 12: Check membership of Power Users group. Guidance: Member Server...
Test 18: Verify audit policy: Audit account...
Test 20: Verify audit policy: "Audit account management" is enabled for...
Test 21: Check admin equivalent rights. Guidance: Member Server...
Test 24: Verify user rights are assigned appropriately. Guidance: Member Server Evidence 16. Finding: Inappropriate assignments for following rights: ... Risk: Profile rights allow the holder to track performance data on server...
Test 27: Check Local Settings\Security Options. Guidance: Member Server Evidence 17. Compare this server to recommended "Enterprise" settings in section 3.2 of the Center for Internet...
Test 28: Check for FAT file system.
Fragments whose test cannot be identified:
• Risk: ...information, operations or transactions hosted on this server could be exposed to fraud, divulged, corrupted, or deleted. Recommendation: Implement consistent physical access control for all member servers.
• Risk: ...log. Without auditing, attacks could be ongoing without the organization’s knowledge. Recommendation: Enable this category for success.
• Risk: ...the server could be exposed to fraud, divulged, corrupted, or deleted. Recommendation: Enable this category for success and failure.
• Risk: ...deletion of information, or disclosure of confidential business or customer information, or fraud. Recommendation: Enable this category for success.
• Guidance (local accounts): ...SUPPORT_ Local accounts created for applications or services may be necessary. In particular, look for accounts named after people.
• Evidence item 17 (interview questions, partial): ...scanned for viruses before opening? • Logon as the built-in Administrator account.
Posted: 20/01/2014, 15:20