© 2002-2007 Monterey Technology Group, Inc. v2006.05 www.montereytechgroup.com, www.ultimateWindowsSecurity.com

Windows Server 2003 Audit Program for Member Servers*

* Not to be used for Domain Controllers. See the Active Directory Audit Program at www.ultimateWindowsSecurity.com

Internal Use License Agreement for Windows Server 2003 Audit Program for Member Servers

This audit program contains Intellectual Property and is licensed, copyrighted material owned by Monterey Technology Group, Inc., the publisher of this web site. This audit work program is intended for employees of Internal Audit departments. As such, you are allowed to use this audit program during the course of your own work, and you may copy the findings, risks and recommendations from the Member Server Control Tests into your own audit work papers and edit them as necessary. Employees of Information Technology departments may use this document in a similar manner in preparation for an audit or as a self-assessment tool.

Prohibited uses:
• Use by a consultant or subcontractor in providing services to another company or in developing products or services
• Use by an associate or partner of a public accounting firm
• Distributing this audit program to colleagues. Each individual must request a personal copy
• Posting on a website
• Incorporating into a larger work except as provided above
• Training

Organization-wide licensing is available. Contact us for more information.

Monterey Technology Group, Inc.
179 Dunbar St Suite E
Spartanburg SC 29306
(866) 749-2048
info@montereytechgroup.com

Table of Contents
Member Server Evidence Collection .......... 2
Member Server Control Tests ................ 19
Control Framework Mappings ................. 44

Monterey Technology Group, Inc. Active Directory and Windows Server Audit Specialists. Training • Consulting • Practice Aids
Member Server Evidence Collection

All evidence on this worksheet is member server specific, i.e. the evidence can potentially be different on each member server. Therefore a copy of this worksheet should be filled out for each relevant member server in the domain, or for a sample of them.

Evidence collection methods:
• Command line. Commands in this work program will not modify any setting. Most commands require administrative authority, but the parameters used guarantee their operation is read only. We suggest creating a text file at the beginning of your evidence collection to receive the output of these commands. Using the >> redirection operator as indicated in the guidance below causes each command's output to be appended to this file instead of overwriting it.
• Screen print. We recommend collecting all your screen prints into a single file with WordPad. Pressing Alt-PrintScreen copies the current window (instead of the entire screen) to the clipboard; you can then paste the screen print into WordPad. For projects requiring many screen prints we recommend Snagit from www.techsmith.com.

Evidence collection items are sequenced so as to avoid switching between programs unnecessarily. Each item below gives the evidence item, the guidance for collecting it and, where applicable, an example of the output.

1. Location on physical network
   Guidance:
   • DMZ or on internal network
   • City, building, floor

2. Describe physical security controls

3. Create files to receive subsequent command line output and screen prints
   Guidance:
   1. Run notepad.exe and create a new file named evidence.txt or similar.
   2. Enter the name of the computer, the date and your name.
   3. Save and close the file.
   4. Open Accessories\WordPad and create a new file called screenprints.rtf. Keep this file open so that you can paste screen prints into it.

4. List of services
   Guidance: Command line:
      sc query type= service state= all >> evidence.txt
   where evidence.txt is the name of the file that receives the output of the command (the same file receives the output of every command line item below). sc requires the space after "type=" and "state=".
   Example:
      SERVICE_NAME: AeLookupSvc
      DISPLAY_NAME: Application Experience Lookup Service
              TYPE               : 20  WIN32_SHARE_PROCESS
              STATE              : 4  RUNNING
                                      (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
              WIN32_EXIT_CODE    : 0  (0x0)
              SERVICE_EXIT_CODE  : 0  (0x0)
              CHECKPOINT         : 0x0
              WAIT_HINT          : 0x0

      SERVICE_NAME: Alerter
      DISPLAY_NAME: Alerter
              TYPE               : 20  WIN32_SHARE_PROCESS
              STATE              : 1  STOPPED
                                      (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
              WIN32_EXIT_CODE    : 1077  (0x435)
              SERVICE_EXIT_CODE  : 0  (0x0)
              CHECKPOINT         : 0x0
              WAIT_HINT          : 0x0

5. List of shared folders
   Guidance: Command line:
      net share >> evidence.txt
   When analyzing the evidence, ignore SYSVOL, IPC$, NETLOGON, ADMIN$, C$, D$, E$ and other drive-letter-dollar-sign shares. (SYSVOL and NETLOGON exist only on domain controllers and will not normally appear on a member server.)
   Example:
      Share name   Resource                        Remark
      C$           C:\                             Default share
      E$           E:\                             Default share
      ADMIN$       C:\WINDOWS                      Remote Admin
      IPC$                                         Remote IPC
      The command completed successfully.

6. Share permissions
   Guidance: For each share in the previous evidence item (other than the default shares listed there) run:
      net share [sharename] >> evidence.txt
   Share permissions and NTFS permissions (evidence item 12) combine: access over the network is the more restrictive of the two.
   Example:
      Share name        SharedDocuments
      Path              C:\files
      Remark
      Maximum users     No limit
      Users
      Caching           Manual caching of documents
      Permission        BUILTIN\Administrators, FULL
                        Everyone, READ
      The command completed successfully.

7. Listing of all local user accounts
   Guidance: Command line:
      net user >> evidence.txt
   Example:
      User accounts for \\CALADAN
      __vmware_user__          Administrator            ASPNET
      Guest                    HelpAssistant            SUPPORT_388945a0
      The command completed successfully.

8. Document properties for Administrator, Guest and any other local accounts selected by the auditor
   Guidance:
   1. Determine from IT staff whether the built-in Administrator account has been renamed. If so, substitute the account name below. (Renaming does not change the account's identity: the built-in Administrator keeps relative identifier 500 in its SID.)
   2. Command line:
      net user administrator >> evidence.txt
   3. Repeat the previous step, replacing administrator with guest.
   4. Examine the list of user accounts from the previous evidence item and identify any additional accounts that have been created besides:
      • Administrator
      • Guest
      • SUPPORT_*
      • IUSR_*
      • IWAM_*
      • ASPNET
      If additional accounts exist, repeat step 2 for each account. If there are too many accounts, use a sample.
   Example:
      User name                    Administrator
      Full Name
      Comment                      Built-in account for administering the computer/domain
      User's comment
      Country code                 000 (System Default)
      Account active               Yes
      Account expires              Never
      Password last set            10/22/2005 2:03 PM
      Password expires             Never
      Password changeable          10/23/2005 2:03 PM
      Password required            Yes
      User may change password     Yes
      Workstations allowed         All
      Logon script
      User profile
      Home directory
      Last logon                   3/24/2006 7:54 AM
      Logon hours allowed          All
      Local Group Memberships      *Administrators
      Global Group memberships     *None
      The command completed successfully.

9. Listing of all local groups
   Guidance: Command line:
      net localgroup >> evidence.txt
   Example:
      Aliases for \\A3
      *Administrators
      *Backup Operators
      *Distributed COM Users
      *Guests
      *HelpServicesGroup
      *IIS_WPG
      *Network Configuration Operators
      *Performance Log Users
      *Performance Monitor Users
      *Power Users
      *Print Operators
      *Remote Desktop Users
      *Replicator
      *TelnetClients
      *Users
      The command completed successfully.

10. Document members of all local groups
   Guidance:
   1. Command line:
      net localgroup administrators >> evidence.txt
   2. Repeat the previous step for:
      • Backup Operators
      • Power Users
      • TelnetClients
      • Network Configuration Operators
      • Remote Desktop Users
      • any group in the previous evidence item that is not among the default groups shown in its example
      Group names containing spaces must be quoted, e.g. net localgroup "Backup Operators" >> evidence.txt
   Example:
      Alias name     administrators
      Comment        Administrators have complete and unrestricted access to the computer/domain
      Members
      bosshogg
      S3DGROUP\Domain Admins
      The command completed successfully.
   net localgroup does not expand nested domain groups: S3DGROUP\Domain Admins is a single line, but every member of that domain group is an administrator of this server.

11. Password policy and lockout policy
   Guidance: Command line:
      net accounts >> evidence.txt
   On a member server this reports the local account policy, which governs the local accounts listed in item 7; domain accounts are governed by the domain policy covered by the Active Directory audit program.
   Example:
      Force user logoff how long after time expires?:       Never
      Minimum password age (days):                          0
      Maximum password age (days):                          Unlimited
      Minimum password length:                              7
      Length of password history maintained:                None
      Lockout threshold:                                    7
      Lockout duration (minutes):                           1440
      Lockout observation window (minutes):                 1440
      Computer role:                                        SERVER
      The command completed successfully.

12. Identify principal folders that contain important information and document their permissions
   Guidance: Command line:
      cacls [folder path] >> evidence.txt
   where [folder path] is the full pathname of the folder in question (e.g. c:\documents\hrdocs).
   Reading cacls output: F = full control, C = change, W = write, R = read; (OI) object inherit, (CI) container inherit, (IO) inherit only (the entry applies to children, not to the folder itself). An entry shown as "(special access:)" is a non-standard set of rights and names the individual right on the following line.
   Example:
      C:\sls BUILTIN\Administrators:(OI)(CI)F
             NT AUTHORITY\SYSTEM:(OI)(CI)F
             MTG\rsmith:F
             CREATOR OWNER:(OI)(CI)(IO)F
             BUILTIN\Users:(OI)(CI)R
             BUILTIN\Users:(CI)(special access:)
                            FILE_APPEND_DATA
             BUILTIN\Users:(CI)(special access:)
                            FILE_WRITE_DATA

13. Document whether group policy is being used to secure the system
   Guidance: Command line:
      gpresult /scope computer /z >> evidence.txt
   The "Applied Group Policy Objects" list is the evidence that matters. "Local Group Policy" appearing under the GPOs that were not applied with "Filtering: Not Applied (Empty)" means only that no local policy settings are configured.
   Example:
      Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
      Copyright (C) Microsoft Corp. 1981-2001
      Created On 5/25/2006 at 11:09:12 PM
      RSOP data for S3DGROUP\radmin on A3 : Logging Mode
      OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
      OS Configuration:            Member Server
      OS Version:                  5.2.3790
      Terminal Server Mode:        Remote Administration
      Site Name:                   Default-First-Site-Name
      Roaming Profile:
      Local Profile:               C:\Documents and Settings\radmin
      Connected over a slow link?: No

      COMPUTER SETTINGS
          CN=A3,OU=Application,OU=Servers,OU=Computers,OU=Objects,DC=s3dgroup,DC=com
          Last time Group Policy was applied: 5/25/2006 at 11:03:25 PM
          Group Policy was applied from:      a4.s3dgroup.com
          Group Policy slow link threshold:   500 kbps
          Domain Name:                        S3DGROUP
          Domain Type:                        Windows 2000

          Applied Group Policy Objects
              Server Policies
              Special Exceptions For A3 Web Server
              Default Domain Policy

          The following GPOs were not applied because they were filtered out
              Local Group Policy
                  Filtering:  Not Applied (Empty)

          The computer is a part of the following security groups
              BUILTIN\Administrators
              Everyone
              BUILTIN\Users
              NT AUTHORITY\NETWORK
              NT AUTHORITY\Authenticated Users
              This Organization
              A3$

14. Document IP Security Policy
   Guidance: Command line:
      netsh ipsec static show policy all >> evidence.txt
   Only a policy listed with "Assigned : YES" is in effect. The example shows the three default policies and a custom "Firewall Rules" policy, none of them assigned, so no IPsec filtering is applied on that server.
   Example:
      Policy Name       : Server (Request Security)
      Description       : For all IP traffic, always request security using K
      Last Modified     : 2/12/2005 1:03:03 AM
      Assigned          : NO
      Master PFS        : NO
      Polling Interval  : 180 minutes

      Policy Name       : Client (Respond Only)
      Description       : Communicate normally (unsecured). Use the default r
      Last Modified     : 2/12/2005 1:03:03 AM
      Assigned          : NO
      Master PFS        : NO
      Polling Interval  : 180 minutes

      Policy Name       : Secure Server (Require Security)
      Description       : For all IP traffic, always require security using K
      Last Modified     : 2/12/2005 1:03:04 AM
      Assigned          : NO
      Master PFS        : NO
      Polling Interval  : 180 minutes

      Policy Name       : Firewall Rules
      Description       : NONE
      Last Modified     : 7/15/2005 11:59:32 PM
      Assigned          : NO
      Master PFS        : NO
      Polling Interval  : 180 minutes

      No. of policies   : 4

15. Audit policies
   Guidance: Administrative Tools\Local Security Policy: capture a screen print of Security Settings\Local Policies\Audit Policy.
   Alternative: use the auditpol utility from the Windows Resource Kit. Command line:
      auditpol >> evidence.txt
   A read-only alternative that needs no Resource Kit tool is to export the local security policy with secedit; the [Event Audit] section of the exported file is the audit policy:
      secedit /export /cfg %TEMP%\localpolicy.inf /areas SECURITYPOLICY
      type %TEMP%\localpolicy.inf >> evidence.txt

16. User Rights Assignments
   Guidance: Administrative Tools\Local Security Policy: capture a screen print of Security Settings\Local Policies\User Rights Assignment.
   Alternative: use the ntrights utility from the Windows Resource Kit. Command line:
      ntrights >> evidence.txt
   ntrights is primarily a tool for granting and revoking rights (ntrights -u User +r Right). The [Privilege Rights] section of a secedit export lists every right with the SIDs of its holders (well-known SIDs such as S-1-5-32-544 for Administrators and S-1-5-32-551 for Backup Operators can be resolved against item 9):
      secedit /export /cfg %TEMP%\userrights.inf /areas USER_RIGHTS
      type %TEMP%\userrights.inf >> evidence.txt

[...]
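Checking the collected evidence. The following is an added example, not part of the audit program, showing how the blocks that items 10, 11 and 12 append to evidence.txt can be checked mechanically against the control tests that cite them (membership of the Administrators group, the account policy, and permissions assigned to individual users rather than groups). The sample evidence is constructed from the example output above. EXPECTED_ADMINS, KNOWN_GROUPS and the POLICY_CHECKS thresholds are assumptions an auditor would replace with the organization's standard, the domain's group list and the local group listing from item 9; the work program itself prescribes none of these values.

```python
"""Check a member server evidence.txt against control tests of this work program.

Added example, not part of the audit program: parses three outputs the worksheet
collects (items 10, 11 and 12) and lists findings worded as in the control tests.
EXPECTED_ADMINS, KNOWN_GROUPS and POLICY_CHECKS are assumptions, not the program's.
"""
import re

DONE = "The command completed successfully."
EXPECTED_ADMINS = {"Administrator", r"S3DGROUP\Domain Admins"}                # assumed
KNOWN_GROUPS = {r"BUILTIN\Administrators", r"BUILTIN\Users", r"S3DGROUP\Domain Admins"}  # assumed
POLICY_CHECKS = (   # assumed thresholds; None stands for Never/Unlimited/None
    ("Minimum password length", lambda v: (v or 0) < 8, "minimum password length is below 8"),
    ("Maximum password age (days)", lambda v: v is None, "maximum password age is Unlimited"),
    ("Length of password history maintained", lambda v: v is None, "no password history kept"),
    ("Lockout threshold", lambda v: v is None, "lockout threshold is Never"),
)

# Constructed sample evidence.txt, modelled on the worksheet's example output.
SAMPLE_EVIDENCE = r"""
Force user logoff how long after time expires?:       Never
Maximum password age (days):                          Unlimited
Minimum password length:                              7
Length of password history maintained:                None
Lockout threshold:                                    7
The command completed successfully.

Alias name     administrators
Members
-------------------------------------------------------------------------------
bosshogg
S3DGROUP\Domain Admins
The command completed successfully.

C:\sls BUILTIN\Administrators:(OI)(CI)F
       MTG\rsmith:F
       BUILTIN\Users:(OI)(CI)R
       BUILTIN\Users:(CI)(special access:)
                      FILE_WRITE_DATA
"""

def _block(text, pattern, stop_at_blank=False):
    """Lines of the first evidence block whose first line matches pattern."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if re.match(pattern, l))
    end = next((i for i, l in enumerate(lines[start:], start)
                if l.strip() == DONE or (stop_at_blank and not l.strip())), len(lines))
    return lines[start:end]

def parse_net_accounts(text):
    """Map each 'net accounts' setting to an int, or None for Never/Unlimited/None."""
    settings = {}
    for line in _block(text, r"Force user logoff"):
        key, _, value = line.partition(":")
        settings[key.strip()] = int(value) if value.strip().isdigit() else None
    return settings

def parse_local_group(text):
    """Return (group name, [members]) from a 'net localgroup <group>' block."""
    block = _block(text, r"Alias name")
    sep = next(i for i, l in enumerate(block) if l.startswith("---"))
    return block[0].split(None, 2)[2], [l.strip() for l in block[sep + 1:] if l.strip()]

def parse_cacls(text):
    """Return (path, [(trustee, inheritance flags, permission)]) from cacls output."""
    block = _block(text, r"[A-Za-z]:\\", stop_at_blank=True)
    path, _, block[0] = block[0].partition(" ")    # the path shares the first line
    aces, special = [], None
    for line in (l.strip() for l in block):
        if ":" not in line:                          # right named under "(special access:)"
            if special:
                aces.append(special + (line,))
                special = None
            continue
        trustee, _, rest = line.partition(":")
        flags = "".join(re.findall(r"\([A-Z]+\)", rest))
        perm = re.sub(r"\([A-Z]+\)", "", rest)
        if perm == "(special access:)":
            special = (trustee, flags)
        else:
            aces.append((trustee, flags, perm))
    return path, aces

def evaluate(text):
    """Return findings, worded as in the control tests they support."""
    findings = []
    policy = parse_net_accounts(text)
    for key, is_bad, message in POLICY_CHECKS:
        if is_bad(policy.get(key)):
            findings.append(f"Account policy: {message}")
    group, members = parse_local_group(text)
    for member in sorted(set(members) - EXPECTED_ADMINS):
        findings.append(f"Inappropriate user {member} has administrator access ({group})")
    path, aces = parse_cacls(text)
    for trustee in sorted({t for t, _flags, _perm in aces} - KNOWN_GROUPS):
        findings.append(f"Permission assigned to individual user {trustee} on {path}")
    return findings

if __name__ == "__main__":
    print("\n".join(evaluate(SAMPLE_EVIDENCE)))
```

Against the sample this reports five findings: three account policy weaknesses (length 7, unlimited age, no history), bosshogg as an unexpected member of Administrators, and the direct ACE for MTG\rsmith on C:\sls. To run it over a real worksheet call evaluate(open("evidence.txt").read()); each parser picks up the first block of its kind, so a file holding several cacls blocks has to be split per folder first. The trustee check cannot tell a user from a group by its name alone, which is why the work program pairs evidence item 12 with the account and group listings of items 7 and 9 when testing for permissions granted to individuals. The same "trustee, RIGHT" check applies to the Permission lines of item 6 share output.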
Member Server Control Tests

The copy of this section available here is fragmentary; gaps in the extracted text are marked [...]. Each test gives the test name, the guidance (which evidence item it uses), the wording of the finding, the risk and the recommendation.

11. Check membership of Administrators group
    Guidance: Member Server Evidence 10
    Finding: Inappropriate users (_____) have administrator access to member server

12. Check membership of Power Users group
    Guidance: Member Server [...]

[...]
    Risk: [...] information, operations or transactions hosted on this server could be exposed to fraud, divulged, corrupted, or deleted
    Recommendation: Implement consistent physical access control for all member servers

[...]
    Risk: [...] log. Without auditing, attacks could be ongoing without the organization's knowledge
    Recommendation: Enable this category for success
    Recommendation (following test): Enable this category for success

18. Verify audit policy: "Audit account [...]
    Risk: [...] the server could be exposed to fraud, divulged, corrupted, or deleted
    Recommendation: Enable this category for success and failure

20. Verify audit policy: "Audit account management" is enabled for [...]
    Risk: [...] deletion of information, or disclosure of confidential business or customer information, or fraud
    Recommendation: Enable this category for success

21. Check admin equivalent rights
    Guidance: Member Server [...]

24. Verify user rights are assigned appropriately
    Guidance: Member Server Evidence 16
    Finding: Inappropriate assignments for the following rights: [...]
    Risk: Profile rights allow the holder to track performance data on the server [...]

27. Check Local Settings\Security Options
    Guidance: Member Server Evidence 17. Compare this server to the recommended "Enterprise" settings in section 3.2 of the Center for Internet [...]

28. Check for FAT file system
    [...]

[...]. Verify no permissions are assigned to machine local groups
    Guidance: Member Server Evidence 6, 9 and 12

9. Verify no permissions are assigned to individual users
    Guidance: Member Server Evidence 6 and 12. Best practice [...]

[...] SUPPORT_[...] Local accounts created for applications or services may be necessary. In particular, look for accounts named after people.

Fragments of later evidence items (pages 16 and 17 of the original):
[...] scanned for viruses before opening?
• Logon as the built-in Administrator account