
Document information

Title: Windows Server 2003 Audit Program for Member Servers
Institution: Monterey Technology Group, Inc.
Subject: Windows Server Administration
Type: Conference material, technical guide
Year published: 2007
City: Spartanburg
Format:
Pages: 40
Size: 561.67 KB



Internal Use License Agreement for Windows Server 2003 Audit Program for Member Servers

This audit program contains Intellectual Property and is licensed, copyrighted material owned by Monterey Technology Group, Inc., the publisher of this web site.

This audit work program is intended for employees of Internal Audit departments. As such, you are allowed to use this audit program during the course of your own work and you may copy the findings, risk and recommendations from the Member Server Control Tests into your own audit work papers and edit as necessary. Employees of Information Technology departments may use this document in a similar manner in preparation for an audit or as a self-assessment tool.

Prohibited uses:

• Use by a consultant or subcontractor in providing services to another company or in developing products or services
• Use by an associate or partner of a public accounting firm
• Distributing this audit program to colleagues. Each individual must request a personal copy
• Posting on a website
• Incorporating into a larger work except as provided above

Organization-wide licensing is available. Contact us for more information.

Monterey Technology Group, Inc.
179 Dunbar St Suite E, Spartanburg SC 29306, (866) 749-2048
info@montereytechgroup.com

Table of Contents

Member Server Evidence Collection ........ 2
Member Server Control Tests .............. 19
Control Framework Mappings ............... 44

© 2002-2007 Monterey Technology Group, Inc

www.montereytechgroup.com, www.ultimateWindowsSecurity.com

v2006.05


Windows Server 2003 Audit Program for Member Servers Page 2 of 40

Monterey Technology Group, Inc

Active Directory and Windows Server Audit Specialists

Training * Consulting * Practice Aids

Member Server Evidence Collection

All evidence on this worksheet is member server specific, i.e. the evidence can potentially be different on each member server. Therefore a copy of this worksheet should be filled out for each relevant member server in the domain, or a sample thereof.

Evidence collection methods:

• Command line. Commands in this work program will not modify any setting. Most commands require administrative authority, but the parameters used guarantee their operation is read only. We suggest creating a text file at the beginning of your evidence collection to receive the output of these commands. Using the >> redirection feature as indicated in the guidance below will cause each command's output to be appended to this file.

• Screen print. We recommend collecting all your screen prints into a single file with WordPad. Pressing Alt-PrintScreen will copy the current window (instead of the entire screen) to your clipboard. Then you can paste the screen print into WordPad. For projects requiring many screen prints we recommend Snagit from www.techsmith.com.

Evidence collection items are sequenced so as to avoid switching between programs unnecessarily.


Evidence item | Guidance | Example

Create files to receive command output and screen prints | Run notepad.exe and create a new file named evidence.txt or similar. Enter the name of the computer, the date and your name. Save and close the file. Open Accessories\WordPad and create a new file called screenprints.rtf. Keep this file open so that you can paste screen prints into it.


4 | List of services | Command line: sc query type= service state= all >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Example:

    SERVICE_NAME: AeLookupSvc
    DISPLAY_NAME: Application Experience Lookup Service
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

    SERVICE_NAME: Alerter
                                    (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 1077  (0x435)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
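The captured `sc query` output is easier to work with once it is parsed into one record per service. The following Python is an added example, not part of the audit program; it parses a constructed sample in the exact format shown above (the service names and the 1077 exit code follow the program's example, the W3SVC failure is made up) and separates running services from services whose last start failed. Exit code 1077 means no start attempt has been made since boot, which is normal for a demand-start service, so it is not treated as a failure.

```python
import re

# Constructed sample of `sc query type= service state= all` output as it is
# appended to evidence.txt by evidence item 4. Service names and the 1077
# exit code follow the audit program's example; W3SVC is a made-up failure case.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: AeLookupSvc
DISPLAY_NAME: Application Experience Lookup Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1068  (0x42c)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# One "KEY : value" field per line; the flags line "(NOT_STOPPABLE, ...)" has
# no key and is skipped on purpose.
FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")

# Windows error 1077: no start attempt since the last boot. That is the normal
# state of a demand-start service, not a failure, so it is not reported.
ERROR_SERVICE_NEVER_STARTED = 1077


def parse_sc_query(text):
    """Return one dict per service block in sc query output."""
    services = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def _state_name(service):
    # "4  RUNNING" -> "RUNNING"
    tokens = service.get("STATE", "").split()
    return tokens[-1] if tokens else ""


def running_services(services):
    """Names of services whose STATE is RUNNING, sorted for the work papers."""
    return sorted(s["SERVICE_NAME"] for s in services
                  if _state_name(s) == "RUNNING")


def start_failures(services):
    """Services that are stopped with an error other than 'never started'."""
    failures = []
    for s in services:
        code = int(s.get("WIN32_EXIT_CODE", "0").split()[0])
        if code not in (0, ERROR_SERVICE_NEVER_STARTED):
            failures.append((s["SERVICE_NAME"], code))
    return failures


if __name__ == "__main__":
    svcs = parse_sc_query(SAMPLE_SC_QUERY)
    print("running:", running_services(svcs))
    print("start failures:", start_failures(svcs))
```

To use it on real evidence, read evidence.txt and pass the text to parse_sc_query; the running list is the service inventory to compare against the server's documented role, and the failure list points at services that should be explained by IT staff.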

5 | List of shared folders | Command line: net share >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

When analyzing evidence, note: ignore SYSVOL, IPC$, NETLOGON, ADMIN$, C$, D$, E$ and other drive-letter-dollar-sign shares.

Example:

    Share name   Resource                        Remark
    -------------------------------------------------------------------------------
    C$           C:\                             Default share
    E$           E:\                             Default share
    IPC$                                         Remote IPC
    The command completed successfully.

6 | Share permissions | For each share in the previous evidence item run: net share [sharename] >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Ignore SYSVOL, IPC$, NETLOGON, ADMIN$, C$, D$, E$ and other drive-letter-dollar-sign shares.

Example:

    Share name
    Path
    Remark
    Maximum users     No limit
    Users
    Caching           Manual caching of documents
    Permission        BUILTIN\Administrators, FULL
                      Everyone, READ
    The command completed successfully.
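Evidence items 5 and 6 both tell the auditor to set the default shares aside and then look at the permissions of whatever remains. The Python below is an added example, not part of the audit program: it parses a constructed `net share` listing using the fixed column offsets of the real command, drops the shares the guidance says to ignore, and then reads the Permission block of a constructed `net share hrdocs` output to flag entries that give Everyone or Users more than READ. The hrdocs share and its "Everyone, CHANGE" entry are made up to show what the check reports.

```python
import re

# Constructed sample of `net share` output (evidence item 5). Real output uses
# the same fixed columns: Resource starts at column 13, Remark at column 45.
def _share_row(name, resource, remark):
    return name.ljust(13) + resource.ljust(32) + remark

SAMPLE_NET_SHARE = "\n".join([
    "",
    _share_row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _share_row("C$", "C:\\", "Default share"),
    _share_row("E$", "E:\\", "Default share"),
    _share_row("IPC$", "", "Remote IPC"),
    _share_row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    _share_row("hrdocs", "C:\\documents\\hrdocs", "HR documents"),
    "The command completed successfully.",
])

# Constructed sample of `net share hrdocs` output (evidence item 6); the
# "Everyone, CHANGE" entry is made up to show what the check flags.
SAMPLE_SHARE_DETAIL = """\
Share name        hrdocs
Path              C:\\documents\\hrdocs
Remark            HR documents
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        BUILTIN\\Administrators, FULL
                  Everyone, CHANGE
The command completed successfully.
"""

# Shares the guidance says to ignore: SYSVOL, IPC$, NETLOGON, ADMIN$ and the
# drive-letter-dollar-sign shares (C$, D$, E$, ...).
DEFAULT_SHARES = {"SYSVOL", "IPC$", "NETLOGON", "ADMIN$"}
DRIVE_SHARE_RE = re.compile(r"^[A-Za-z]\$$")


def is_default_share(name):
    return name.upper() in DEFAULT_SHARES or bool(DRIVE_SHARE_RE.match(name))


def parse_net_share(text):
    """Split the `net share` listing into dicts using the header's column offsets."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Share name"))
    res_col, rem_col = header.index("Resource"), header.index("Remark")
    shares, in_body = [], False
    for line in lines:
        if line.startswith("---"):
            in_body = True
            continue
        if not in_body or not line.strip() or line.startswith("The command"):
            continue
        shares.append({"name": line[:res_col].strip(),
                       "resource": line[res_col:rem_col].strip(),
                       "remark": line[rem_col:].strip()})
    return shares


def shares_to_review(text):
    """Shares that remain after dropping the defaults the guidance ignores."""
    return [s for s in parse_net_share(text) if not is_default_share(s["name"])]


def parse_share_permissions(text):
    """Return (principal, right) pairs from the Permission block of `net share <name>`."""
    perms, collecting = [], False
    for line in text.splitlines():
        if line.startswith("Permission"):
            collecting, entry = True, line[len("Permission"):].strip()
        elif collecting and line.startswith(" "):
            entry = line.strip()
        else:
            collecting = False
            continue
        principal, _, right = entry.rpartition(",")
        perms.append((principal.strip(), right.strip()))
    return perms


# Share-level rights beyond READ for these broad principals are worth a finding.
BROAD_PRINCIPALS = {"everyone", "users", "builtin\\users", "authenticated users"}


def broad_permissions(perms):
    return [(p, r) for p, r in perms
            if p.lower() in BROAD_PRINCIPALS and r.upper() != "READ"]


if __name__ == "__main__":
    for share in shares_to_review(SAMPLE_NET_SHARE):
        print("review:", share["name"], share["resource"])
    print("broad:", broad_permissions(parse_share_permissions(SAMPLE_SHARE_DETAIL)))
```

Share permissions only gate access over the network; the NTFS permissions collected in evidence item 12 still apply underneath, so a broad share entry is a finding to cross-check against cacls output rather than a conclusion on its own.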


7 | Listing of all local user accounts | Command line: net user >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Example:

    User accounts for \\CALADAN
    -------------------------------------------------------------------------------
    Administrator            ASPNET                   vmware_user
    The command completed successfully.

8 | Document properties for built-in accounts administrator, guest and any other local accounts selected by auditor |
1. Determine from IT staff if the built-in account Administrator has been renamed. If so, substitute the account name below.
2. Command line: net user administrator >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
3. Repeat the previous step but replace administrator with guest.
4. Examine the list of user accounts from the previous evidence item and identify any additional accounts that have been created besides:
   • Administrator
   • Guest
   • SUPPORT_*
   • IUSR_*
   • IWAM_*
   • ASPNET
   If additional accounts exist, repeat step 2 for each account. If there are too many accounts, use a sample.

Example:

    User name                    Administrator
    Comment                      Built-in account for administering the computer/domain
    Country code                 000 (System Default)
    Account active               Yes
    Account expires              Never

    Password last set            10/22/2005 2:03 PM
    Password expires             Never
    Password changeable          10/23/2005 2:03 PM
    Password required            Yes
    User may change password

    Workstations allowed
    Logon script
    User profile
    Home directory
    Last logon

    Logon hours allowed

    Local Group Memberships
    Global Group memberships
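Step 4 of evidence item 8 is a comparison of the `net user` listing against a fixed list of default accounts, and steps 2 and 3 produce per-account field listings whose interesting values (non-expiring passwords, no password required, membership of Administrators) are easy to miss by eye. The Python below is an added example, not part of the audit program: it parses a constructed `net user` listing and a constructed `net user svc_backup` detail block (the machine name follows the program's example; the svc_backup and vmware_user accounts and their properties are made up) and returns the accounts that need their own evidence item plus the observations for one account.

```python
import re

# Constructed sample of `net user` output (evidence item 7). The machine name
# follows the audit program's example; the account list is made up.
SAMPLE_NET_USER = """\

User accounts for \\\\CALADAN

-------------------------------------------------------------------------------
Administrator            ASPNET                   Guest
IUSR_CALADAN             IWAM_CALADAN             SUPPORT_388945a0
svc_backup               vmware_user
The command completed successfully.
"""

# Constructed sample of `net user svc_backup` output (evidence item 8), using
# the same fields as the program's Administrator example.
SAMPLE_USER_DETAIL = """\
User name                    svc_backup
Full Name                    Backup service account
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/22/2005 2:03 PM
Password expires             Never
Password changeable          10/23/2005 2:03 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators        *Backup Operators
Global Group memberships     *None
The command completed successfully.
"""

# Accounts the guidance treats as default on a member server; anything else
# gets its own `net user <name>` evidence item.
DEFAULT_ACCOUNT_RE = re.compile(
    r"^(Administrator|Guest|ASPNET|SUPPORT_.*|IUSR_.*|IWAM_.*)$", re.IGNORECASE)


def parse_net_user_list(text):
    """Account names from the `net user` listing (columns are separated by 2+ spaces)."""
    names, in_body = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_body = True
            continue
        if not in_body or not line.strip() or line.startswith("The command"):
            continue
        names.extend(re.split(r"\s{2,}", line.strip()))
    return names


def non_default_accounts(text):
    return [n for n in parse_net_user_list(text) if not DEFAULT_ACCOUNT_RE.match(n)]


def parse_net_user_detail(text):
    """Field name -> value from `net user <name>`; indented continuation lines
    (extra group memberships) are appended to the previous field."""
    fields, last_key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command"):
            continue
        if line.startswith(" ") and last_key:
            fields[last_key] = (fields[last_key] + " " + line.strip()).strip()
            continue
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        last_key = parts[0]
        fields[last_key] = parts[1] if len(parts) > 1 else ""
    return fields


def account_findings(fields):
    """Observations an auditor would carry into the work papers."""
    findings = []
    if fields.get("Password expires") == "Never":
        findings.append("password never expires")
    if fields.get("Password required") == "No":
        findings.append("password not required")
    if fields.get("Account active") == "Yes" and fields.get("Last logon") == "Never":
        findings.append("enabled account that has never logged on")
    if "*Administrators" in fields.get("Local Group Memberships", ""):
        findings.append("member of local Administrators")
    return findings


if __name__ == "__main__":
    print("non-default accounts:", non_default_accounts(SAMPLE_NET_USER))
    print("svc_backup:", account_findings(parse_net_user_detail(SAMPLE_USER_DETAIL)))
```

The "password never expires" observation is the same condition MBSA reports later in evidence item 21 as "user accounts have non-expiring passwords", so the two sources can be reconciled account by account.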


List of local groups | Command line: net localgroup >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Example:

    *Network Configuration Operators
    *Performance Log Users
    *Performance Monitor Users

10 | Document members of all local groups |
1. Command line: net localgroup administrators >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
2. Repeat the previous step for:
   • Backup Operators
   • Power Users
   • Telnet Clients
   • Network Configuration Operators
   • Remote Desktop Users
3. Examine the list of groups from the previous evidence item and identify any groups created besides the default groups shown in the previous evidence item example.

Example:

    Alias name     administrators
    Comment        Administrators have complete and unrestricted access to the computer/domain

    Members

    -------------------------------------------------------------------------------
    bosshogg
    S3DGROUP\Domain Admins
    The command completed successfully.


11 | Password policy and lockout policy | Command line: net accounts >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Example:

    Force user logoff how long after time expires?:       Never
    Maximum password age (days):                          Unlimited
    Minimum password length:                              7
    Length of password history maintained:                None
    Lockout observation window (minutes):                 1440
    The command completed successfully.

12 | Identify principal folders that contain important information and document permissions | Command line: cacls [folder path] >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command and where [folder path] is the full pathname of the folder in question (e.g. c:\documents\hrdocs).

Example:

    C:\sis BUILTIN\Administrators:(OI)(CI)F
           NT AUTHORITY\SYSTEM:(OI)(CI)F
           CREATOR OWNER:(OI)(CI)(IO)F
           BUILTIN\Users:(OI)(CI)R
           BUILTIN\Users:(CI)(special access:)
                         FILE_APPEND_DATA
           BUILTIN\Users:(CI)(special access:)
                         FILE_WRITE_DATA
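The `net accounts` output of evidence item 11 mixes numbers with sentinel words (Never, Unlimited, None) that each mean a control is switched off. The Python below is an added example, not part of the audit program: it parses a constructed `net accounts` block (the values shown in the program's example are kept, the rest are made up), reports the sentinel values as findings, and compares the numeric settings against a standard supplied by the caller, since the program itself does not prescribe numeric thresholds.

```python
# Constructed sample of `net accounts` output (evidence item 11), with the
# values from the audit program's example and made-up values for the rest.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              7
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 1440
Computer role:                                        SERVER
The command completed successfully.
"""


def parse_net_accounts(text):
    """Field -> value; numeric values become int, sentinels (Never, Unlimited,
    None) stay as strings so the caller can tell 'off' from 'zero'."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("The command"):
            continue
        key, value = line.rsplit(":", 1)
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else value
    return policy


# Settings whose sentinel value means the control is switched off.
DISABLED_VALUES = {
    "Maximum password age (days)": ("Unlimited", "passwords never expire"),
    "Length of password history maintained": ("None", "no password history; old passwords can be reused"),
    "Lockout threshold": ("Never", "no account lockout after failed logons"),
}


def policy_findings(policy):
    """Findings for controls that are switched off entirely."""
    findings = []
    for key, (sentinel, message) in DISABLED_VALUES.items():
        if policy.get(key) == sentinel:
            findings.append(message)
    return findings


def compare_to_standard(policy, standard):
    """(setting, actual, required) for each setting below the auditor's own
    standard. A non-numeric actual value (a sentinel) always counts as a gap."""
    gaps = []
    for key, required in standard.items():
        actual = policy.get(key)
        if not isinstance(actual, int) or actual < required:
            gaps.append((key, actual, required))
    return gaps


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    print(policy_findings(policy))
    # Example standard supplied by the auditor (constructed values).
    print(compare_to_standard(policy, {"Minimum password length": 8,
                                       "Minimum password age (days)": 1,
                                       "Lockout observation window (minutes)": 30}))
```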


13 | Document whether group policy is being used to secure the system | Command line: gpresult /scope computer /z >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Example:

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 5/25/2006 at 11:09:12 PM

    RSOP data for S3DGROUP\radmin on A3 : Logging Mode
    ------------------------------------------------------

    OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
    OS Configuration:            Member Server
    OS Version:                  5.2.3790
    Terminal Server Mode:        Remote Administration
    Site Name:                   Default-First-Site-Name
    Roaming Profile:
    Local Profile:               C:\Documents and Settings\radmin
    Connected over a slow link?: No

    COMPUTER SETTINGS
    ------------------
        CN=A3,OU=Application,OU=Servers,OU=Computers,OU=Objects,DC=s3dgroup,DC=com
        Last time Group Policy was applied: 5/25/2006 at 11:03:25 PM
        Group Policy was applied from:      a4.s3dgroup.com
        Group Policy slow link threshold:   500 kbps

        Applied Group Policy Objects
        -----------------------------
            Server Policies
            Special Exceptions For A3 Web Server
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        ---------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization


14 | Document IP Security Policy | Command line: netsh ipsec static show policy all >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Example:

    Policy Name       : Server (Request Security)
    Description       : For all IP traffic, always request security using K
    Last Modified     : 2/12/2005 1:03:03 AM
    Assigned          : NO
    Polling Interval  : 180 minutes

    Policy Name       : Firewall Rules


15 | Audit policies | Administrative Tools\Local Security Policy: capture screen print of Security Policy\Local Policies\Audit Policy. Alternative: use the auditpol utility from the Windows Resource Kit. Command line: auditpol >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Example: [screen print of Local Security Settings; tree: Security Settings > Account Policies; Local Policies (Audit Policy, User Rights Assignment, Security Options); Public Key Policies; Software Restriction Policies; IP Security Policies on Local Computer]

    Policy                             | Security Setting
    Audit account logon events         | Success, Failure
    Audit account management           | Success, Failure
    Audit directory service access     | Success, Failure
    Audit logon events                 | Success, Failure
    Audit object access                | Success, Failure
    Audit policy change                | Success, Failure
    Audit privilege use                | Success, Failure
    Audit process tracking             | Success, Failure
    Audit system events                | Success, Failure

User rights assignment | Capture screen print of Security Policy\Local Policies\User Rights Assignment. Alternative: use the ntrights utility from the Windows Resource Kit. Command line: ntrights >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Example: [screen print of Local Security Settings, Local Policies\User Rights Assignment, listing each user right with its Security Setting; the first readable row is "Access this computer from the network: Everyone, ASPNET, Administrators, Users, Power Users, Backup Operators"]


Security options | Capture screen print of Security Policy\Local Policies\Security Options.

Example: [screen print of Local Security Settings, Local Policies\Security Options; readable rows include]

    Accounts: Guest account status | Disabled
    Accounts: Limit local account use of blank passwords to console logon only | Enabled
    Accounts: Rename administrator account | Administrator
    Accounts: Rename guest account | Guest
    Audit: Audit the access of global system objects | Disabled
    Audit: Audit the use of Backup and Restore privilege | Disabled
    Audit: Shut down system immediately if unable to log security audits | Disabled
    DCOM: Machine Access Restrictions | Not defined
    DCOM: Machine Launch Restrictions | Not defined
    Devices: Allow undock without having to log on | Disabled
    Devices: Allowed to format and eject removable media | Administrators
    Devices: Prevent users from installing printer drivers | Enabled
    Devices: Restrict CD-ROM access to locally logged-on user only | Disabled
    Devices: Restrict floppy access to locally logged-on user only | Disabled
    Devices: Unsigned driver installation behavior | Warn but allow installation
    Domain controller: Allow server operators to schedule tasks | Not defined
    Domain controller: LDAP server signing requirements | Not defined
    Domain controller: Refuse machine account password changes | Not defined
    Domain member: Digitally encrypt or sign secure channel data (always) | Disabled
    Domain member: Require strong (Windows 2000 or later) session key | Disabled
    Interactive logon: Do not display last user name | Disabled
    Interactive logon: Do not require CTRL+ALT+DEL | Disabled
    Interactive logon: Message title for users attempting to log on | Not defined
    Interactive logon: Number of previous logons to cache | 10 logons
    Interactive logon: Prompt user to change password before expiration | 14 days
    Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled
    Interactive logon: Require smart card | Not defined
    Interactive logon: Smart card removal behavior | Lock Workstation
    Microsoft network client: Digitally sign communications (always) | Disabled
    Microsoft network client: Digitally sign communications (if server agrees) | Enabled


Document file systems in use | Computer Management\Disk Management: capture screen print.

Example: [screen print of Computer Management (Local), Disk Management]

    Volume     | Layout    | Type  | File System | Status           | Capacity | Free
    (C:)       | Partition | Basic | NTFS        | Healthy (System) | 55.88 GB | 26
    IP53 (D:)  | Partition | Basic | CDFS        | Healthy          | 17 MB    | 0 MB


19 | Security log size | Computer Management\Event Viewer: capture screen print of the Security log properties (Log size section).

Example:

    Log size
    Maximum log size: 512 KB
    When maximum log size is reached:
      (•) Overwrite events as needed

20 | Save a copy of the event log | Computer Management\Event Viewer. Right click on Security log and select Save Log File As. Use the EVT format.


21 | Security patch status |
1. Download MBSA from www.microsoft.com/mbsa.
2. Run MBSA against the server with the "Check for security updates" option enabled.
   Important:
   • Disable "Configure computers for Microsoft Update and scanning prerequisites"
   • Do not check "Advanced Update Services options:"
   Optionally, enable:
   • Check for Windows administrative vulnerabilities
   • Check for weak passwords
   • Check for IIS administrative vulnerabilities
   • Check for SQL administrative vulnerabilities
3. When MBSA displays the report, save the report using the Print or Copy links on the left of the MBSA window.

Example: [screen print of the Microsoft Baseline Security Analyzer report for MTG - CALADAN (12/2/2005 10:45 AM); readable items include]

    Microsoft recommends scanning on a weekly basis. This report is 176 days old.
    Potential Risk: One or more non-critical checks failed.
    Windows Security Updates: 1 service packs or update rollups are missing.
    Administrative Vulnerabilities
      Password Expiration: Some user accounts (2 of 6) have non-expiring passwords.
      Windows Firewall: Windows Firewall is disabled and has exceptions configured.


22 | Determine antimalware controls (antivirus) | Depends on antimalware solution. Use interview, examine services, add/remove programs and the interface of the antimalware product.
• What product is used?
• Is the software up-to-date and operational?
• Is the malware signature database up-to-date?

23 | Document security log collection, monitoring | Interview:
• Is the security log streamed to a central security log server in real time?
• If not, is it periodically collected/transferred to the security log server? With what frequency?
• What monitoring and reporting takes place at the central log server?
• What is the archival process at the central log server?
• If there is no central log server, are these operations performed locally?


Interview: is the server used to
• Browse the web?
• Use MS Office, Adobe or other document-based applications?
• Work with content downloaded from the Internet except from trusted vendor sites? Is all such content scanned for viruses?


Member Server Control Tests

Test | Guidance | Finding | Risk | Recommendation

1 | Check physical access controls for member computer
Guidance: Member Server Evidence 1 and 2.
Finding: Insufficient physical security controls.
Risk: Physical access to a computer allows an attacker to compromise the server. Sensitive or business critical information, operations or transactions hosted on this server could be exposed to fraud, divulged, corrupted, [...]
Recommendation: Implement consistent physical access control for all member servers.


2 | Is security log large enough and configured to overwrite appropriately?
Guidance: Member Server Evidence 17. Log size should not exceed 199MB (299 on Windows Server 2003) to prevent corruption and instability.
It isn't secure or practical to expect the local security log to be the archive of security events for a server. It's impractical because most servers generate much more information than can be kept long term on the local system (a maximum of [...] as short as possible to minimize opportunity for tampering.
Preferably security events should be streamed in real time by a local agent to the log server. See NIST Special Publication 800-92.
In such an environment, the local security log should be viewed as a staging point for the collection to the central log server, and the goal should be for the local security log to be allocated enough space to hold events between collections, including longer intervals if the collection process temporarily breaks.
Recommendation: Simply allocate the log to 199MB and configure it to "overwrite as needed".
Unless the system is configured to "shutdown immediately on audit failure", avoid "Do not overwrite events, clear log manually" for several reasons:
• If the log fills, it stops logging events until cleared.
• This forces you to clear the log regularly. If new events are regularly collected to the central log server there's no need to clear the security log; it just overwrites as needed. This in turn allows you to avoid clearing the log, which in turn allows you to monitor for and treat any occurrences of event ID 517 (log cleared) as suspicious evidence of log tampering.
Finding: Current log size and overwrite settings do not provide maximum assurance of log integrity.
Risk: Audit trail and compliance evidence could be lost, resulting in hampered investigations, compromised regulatory compliance, ability to prosecute intruders.
Recommendation: Allocate the log to 199MB (299 on Windows Server 2003) and configure it to "overwrite as needed". Use a log management solution that provides:
• Ability to archive older activity
• Supports separation of duty between operational administrators and staff tasked with monitoring
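Control test 2 reduces to a few checks on the two values shown in evidence item 19 (maximum log size and the overwrite setting), with the "shutdown immediately on audit failure" option changing the verdict on "do not overwrite", plus the question of whether the log holds enough events to cover the collection interval. The Python below is an added example, not part of the audit program. It encodes the test's stated limits (199MB, 299MB on Windows Server 2003) and takes the settings as parameters; the comments note the registry values behind the Event Viewer dialog (MaxSize and Retention under the Eventlog\Security key, CrashOnAuditFail under the Lsa key) so the values can be read with winreg on the server, but the code itself runs offline. The event rates used in the capacity check are constructed.

```python
# Size limits stated by control test 2 (corruption/instability above them).
MAX_LOG_MB = {"2000": 199, "2003": 299}

# Retention encodings used by the Security log's registry value
# HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Retention, which is
# what the Event Viewer "When maximum log size is reached" buttons set;
# MaxSize (bytes) in the same key backs "Maximum log size".
OVERWRITE_AS_NEEDED = 0            # "Overwrite events as needed"
DO_NOT_OVERWRITE = 0xFFFFFFFF      # "Do not overwrite events (clear log manually)"
# Any other value: "Overwrite events older than N days", stored as N*86400 seconds.


def evaluate_security_log(max_size_bytes, retention, windows_version="2003",
                          crash_on_audit_fail=False):
    """Findings for control test 2 from the Security log's size and retention.
    crash_on_audit_fail mirrors HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\
    CrashOnAuditFail ("shut down system immediately if unable to log audits")."""
    findings = []
    limit_mb = MAX_LOG_MB[windows_version]
    size_mb = max_size_bytes / (1024 * 1024)
    if size_mb > limit_mb:
        findings.append("log size %.0f MB exceeds the %d MB limit" % (size_mb, limit_mb))
    if retention == DO_NOT_OVERWRITE:
        # Acceptable only when the system halts rather than silently dropping audits.
        if not crash_on_audit_fail:
            findings.append("'do not overwrite events' without shutdown on audit failure: "
                            "logging stops silently when the log fills")
    elif retention != OVERWRITE_AS_NEEDED:
        days = retention // 86400
        findings.append("'overwrite events older than %d days': events are lost if the "
                        "log fills before they are %d days old" % (days, days))
    return findings


def days_of_capacity(max_size_bytes, events_per_day, avg_event_bytes):
    """How many days of events fit before the log wraps."""
    return max_size_bytes / float(events_per_day * avg_event_bytes)


def staging_findings(max_size_bytes, events_per_day, avg_event_bytes,
                     collection_interval_days):
    """The log is a staging point for central collection: it must hold at least
    one collection interval's worth of events, preferably more, so that a
    temporary collector outage does not lose anything."""
    capacity = days_of_capacity(max_size_bytes, events_per_day, avg_event_bytes)
    if capacity < collection_interval_days:
        return ["log holds about %.2f days of events but is collected every %g days"
                % (capacity, collection_interval_days)]
    return []


if __name__ == "__main__":
    # The program's own screen print example: 512 KB, overwrite as needed.
    print(evaluate_security_log(512 * 1024, OVERWRITE_AS_NEEDED))
    # Constructed rates: 50,000 events/day at about 500 bytes each, collected daily.
    print(staging_findings(512 * 1024, 50_000, 500, 1))
```

The 512 KB setting from evidence item 19 passes the size and overwrite checks but fails the staging check for any realistic event rate, which is the point of the test's second recommendation: the size should be derived from the collection interval, not left at the default.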

3 | Is there sufficient security log management?
Guidance: Member Server Evidence 23. It is impractical and unrealistic to expect administrators to manually review Windows security logs due to the cryptic nature of the logs, the volume of information and the number of Windows servers on a typical network. Yet most corporate information security policies and compliance legislation require log archival and monitoring. The only solution is a log management product that provides centralized collection, monitoring, reporting and archival.
See Randy Franklin Smith's Selecting the Right Log Management Solution Special Report at www.UltimateWindowsSecurity.com for more details on log management requirements. For detailed recommendations on what should be monitored and how to analyze Windows security logs see the Security Log Secrets course at www.UltimateWindowsSecurity.com.
Finding: Security log of member servers is insufficient.
Risk: Without a process in place for the member server security log, attacks could be ongoing without the organization's knowledge. Audit trail and compliance evidence could be lost, resulting in hamp﻿ered investigations, compromised regulatory compliance, ability to prosecute intruders, compromised audit trails.
Recommendation: Implement a process for archival of security log.


4 | Check for latest service pack and security updates
Guidance: Member Server Evidence 21. Analyze security updates reported as missing by MBSA. Determine if any of these updates address vulnerabilities likely to be exploited on this server given its role, installed services and network exposure.
Finding: Member server is not patched against current vulnerabilities.
Risk: New security bugs are discovered every month. Many exploits can only be prevented by loading the associated update. As networks become [...] Sensitive or business critical information, operations or transactions hosted by that server could be exposed to fraud, divulged, corrupted, or deleted.
Recommendation: Keep member server up to date with the latest service pack and security updates. Consider using Windows Server Update Services to automate patch management. Follow testing and limited rollout best practices to reduce risk of destabilizing network due to defective fixes. Subscribe to security notification service from Microsoft.
