Auditing Windows operating systems involves evaluating the security and configuration of a Windows-based computer system to identify potential vulnerabilities and ensure compliance with security policies and best practices. Regular auditing of Windows operating systems helps organizations maintain the security and stability of their systems and prevent potential security incidents.
Windows auditing is a mechanism for tracking events. Knowing when and where these events occurred and who triggered them can help when doing Windows network forensics. It can also be very helpful with detecting certain types of problems like improper rights assignments in the file system.
Auditing and Advanced Auditing
Auditing policies enable you to record a variety of activities in the Windows security log. You can then examine these logs to identify issues that need further investigation. Auditing successful activities provides documentation of changes so you can troubleshoot which changes led to a failure or a breach. Logging failed attempts can reveal malicious hackers or unauthorized users accessing enterprise resources.
Your auditing policy specifies the categories of security-related events that you want to audit. To configure policy settings, go to Group Policy Computer configuration -> Policies -> Windows settings -> Security settings -> Local policies -> Audit policy. Here are the basic settings and what happens if you turn them on:
- Audit account logon events — This creates an event when a user or computer attempts to use an Active Directory account to authenticate.
- Audit account management — Audits events such as the creation, deletion, or modification of a user, group, or computer account and the resetting of user passwords.
- Audit directory service access — Audits events that are specified in the system access control list, such as permissions.
- Audit logon events — This creates an event when a user logs on to a computer interactively (locally) or over the network (remotely).
- Audit object access — Audits access to objects such as files, folders, registry keys, and printers that have their own SACLs.
- Audit policy change — Audits changes to user rights assignment policies, audit policies, and trust policies.
- Audit privilege use — Audits attempts to use permissions or user rights. You can choose whether to audit successful attempts, failed attempts, or both.
- Audit process tracking — Audits process-related events, such as process creation, process termination, handle duplication, and indirect object access.
- Audit system events — Audits system restarts and shutdowns, and changes that affect the system or security logs.
Advanced Audit Policy
Administrators can audit more specific events using the advanced audit policy settings located in Group Policy Computer configuration -> Policies -> Windows settings -> Security settings -> Advanced audit policy configuration -> Audit policies. The following categories are available:
- Account Logon — These settings control auditing of the validation of credentials and other Kerberos-specific authentication and ticket operation events.
- Account Management — These policy settings are related to the modification of user accounts, computer accounts, group membership changes, and the logging of password change events.
- Detailed Tracking — These settings control the auditing of encryption events, Windows process creation and termination events, and remote procedure call (RPC) events.
- DS Access — These policy settings determine whether to track access to AD, AD changes, and replication.
- Logon/Logoff — This group of settings controls the auditing of standard logon and logoff events.
- Object Access — These settings cover access to AD, the registry, applications, and file storage.
- Policy Change — These settings control the tracking of changes to policy settings.
- Privilege Use — These settings determine whether to audit privilege use attempts within the Windows environment.
- System — These settings are used to audit changes to the state of the security subsystem.
- Global Object Access Auditing — These settings are for controlling the SACL settings for all objects on one or more computers.
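Both lists above describe what each audit setting records; the script below, an added example that is not from the original page, checks which of those settings are actually in force on a host by comparing the effective advanced audit policy against a baseline. The baseline values and the assumption that the host reports policy through auditpol's CSV output are mine, not the page's.

```powershell
# Added example (not from the original page): compare this host's effective
# advanced audit policy with an assumed baseline. `auditpol /get /category:* /r`
# prints one CSV row per subcategory with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
# The baseline below is an assumption; substitute your organization's policy.
$Baseline = @{                                               # advanced category
    'Credential Validation'     = 'Success and Failure'      # Account Logon
    'User Account Management'   = 'Success and Failure'      # Account Management
    'Security Group Management' = 'Success and Failure'      # Account Management
    'Process Creation'          = 'Success'                  # Detailed Tracking
    'Logon'                     = 'Success and Failure'      # Logon/Logoff
    'Logoff'                    = 'Success'                  # Logon/Logoff
    'Audit Policy Change'       = 'Success and Failure'      # Policy Change
    'Sensitive Privilege Use'   = 'Success and Failure'      # Privilege Use
    'Security State Change'     = 'Success'                  # System
}

# 'Success and Failure' also satisfies a baseline that asks for only one of them.
function Test-AuditSetting {
    param([string]$Required, [string]$Actual)
    if ($Actual -eq $Required) { return $true }
    return ($Actual -eq 'Success and Failure' -and ($Required -in @('Success', 'Failure')))
}

$raw = auditpol /get /category:* /r
if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit $LASTEXITCODE); run from an elevated prompt." }

# Drop blank lines; the first remaining line is the CSV header.
$Effective = @{}
$raw | Where-Object { $_ -match ',' } | ConvertFrom-Csv | ForEach-Object {
    $Effective[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim()
}

$Report = foreach ($name in ($Baseline.Keys | Sort-Object)) {
    $actual = if ($Effective.ContainsKey($name)) { $Effective[$name] } else { 'Not reported' }
    [pscustomobject]@{
        Subcategory = $name
        Required    = $Baseline[$name]
        Actual      = $actual
        Status      = if (Test-AuditSetting $Baseline[$name] $actual) { 'OK' } else { 'GAP' }
    }
}
$Report | Format-Table -AutoSize
"{0} subcategory gap(s) against the baseline." -f @($Report | Where-Object Status -eq 'GAP').Count

# If the basic categories are set but every subcategory shows 'No Auditing',
# check the security option 'Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings', which
# determines whether subcategory settings take precedence over the basic ones.
```

A GAP row means the host records less than the baseline requires, so events the later log-analysis step depends on may simply not exist.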
Tools used for auditing the Windows operating system:
- Essential Command-Line Tools
- Resource Kit Tools
- Sysinternals Tools
- Windows Forensic Toolchest (WFT)
Steps in the Windows auditing process:
- Preparation: Define the scope, objectives, and requirements of the audit, and gather relevant documentation and tools.
- System Inventory: Perform a thorough inventory of the system, including hardware and software components, to ensure all components are accounted for and up to date.
- Patch Management: Check for and apply any available software updates and patches, including Windows updates and third-party software updates.
- User and Group Management: Evaluate the configuration of user accounts, permissions, and groups to ensure they are set up securely and in compliance with policies.
- Security Settings Review: Review the security settings of the operating system and installed software to ensure they are configured securely and in compliance with policies.
- Log Analysis: Review the system logs to identify any security incidents and monitor system usage.
- Vulnerability Scanning: Scan the system for known vulnerabilities and address any identified risks.
- Backup and Disaster Recovery Plan Review: Evaluate the backup and disaster recovery plan to ensure it is effective and efficient in the event of a failure or security breach.
- Reporting: Compile the results of the audit and present a report that includes recommendations for improvement.
- Remediation: Implement any recommended changes to improve the security and performance of the system.
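For the Log Analysis step of the process above, the following added example (not from the original page) reads the Security log the way an auditor would: it summarizes failed logons and lists the account-management and policy events that should each correspond to an approved change. The 7-day window, the failure threshold, and the set of event IDs watched are my assumptions.

```powershell
# Added example (not from the original page) for the Log Analysis step: count
# failed logons (event 4625) per account and source address over the last 7
# days, then list account-management and audit-policy events that must match
# approved change records. The window and threshold are assumptions; run elevated.
$Since = (Get-Date).AddDays(-7)
$FailureThreshold = 10   # assumed: flag any account/source pair above this

# Read the named EventData (or UserData, used by 1102) fields from an event's XML.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    foreach ($d in $xml.Event.UserData.LogFileCleared.ChildNodes) { $h[$d.Name] = $d.InnerText }
    return $h
}

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue
$byPair = $failed | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Account = $d['TargetUserName']; Source = $d['IpAddress']; Status = $d['Status'] }
} | Group-Object Account, Source | Sort-Object Count -Descending
"Failed logons since $Since by account and source:"
$byPair | Select-Object Count, Name | Format-Table -AutoSize
$byPair | Where-Object Count -gt $FailureThreshold |
    ForEach-Object { "  REVIEW: {0} failures for {1}" -f $_.Count, $_.Name }

# Events an auditor reconciles against the change log; descriptions are the standard ones.
$Watch = @{
    4720 = 'User account created';            4726 = 'User account deleted'
    4724 = 'Password reset attempted';        4732 = 'Member added to local security group'
    4728 = 'Member added to global group';    4719 = 'System audit policy changed'
    1102 = 'Audit log cleared'
}
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$Watch.Keys; StartTime = $Since } -ErrorAction SilentlyContinue
"Account-management and policy events since $Since (expect a change record for each):"
$changes | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $Watch[$_.Id]
        Subject = $d['SubjectUserName']    # who made the change
        Target  = $d['TargetUserName']     # account or group changed
    }
} | Sort-Object Time | Format-Table -AutoSize
```

An empty second table is only reassuring if the audit policy actually records those subcategories; a 1102 entry or a 4719 entry without a matching change record is a finding in itself.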
Checklist for Auditing Windows Servers
- Obtain the system information and service pack version, and compare them with policy requirements.
- Determine whether the server is running the company-provisioned firewall.
- Determine whether the server is running a company-provisioned antivirus program.
- Ensure that all approved patches are installed per your server management policy.
- Determine whether the server is running a company-provisioned patch-management solution. Using the patch-management solution, validate the patch history of the client, if possible.
- Review and verify startup information.
- Determine what services are enabled on the system and validate their necessity with the system administrator. For necessary services, review and evaluate procedures for assessing vulnerabilities associated with those services and keeping them patched.
- Ensure that only approved applications are installed on the system per your server management policy.
- Ensure that only approved scheduled tasks are running.
- Review and evaluate procedures for creating user accounts and ensuring that accounts are created only when there’s a legitimate business need. Also, review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.
Other List for Auditing Windows Servers
- Ensure that all users are created at the domain level and clearly annotated in Active Directory. Each user should trace to a specific employee or team.
- Review and evaluate the use of groups, and determine the restrictiveness of their use.
- Review and evaluate the strength of system passwords.
- Evaluate the use of password controls on the server, such as password aging, length, complexity, history, and lockout policies.
- Review and evaluate the use of user rights and security options assigned to the elements in the security policy settings.
- Review and evaluate the use and need for remote access, including RAS connections, FTP, Telnet, SSH, VPN, and other methods.
- Ensure that a legal warning banner is displayed when users connect to the system.
- Look for and evaluate the use of shares on the host.
- Ensure that the server has auditing enabled per your organization’s policies.
- Review and evaluate system administrator procedures for monitoring the state of security on the system.
- If you are auditing a larger environment (as opposed to one or two isolated systems), determine whether a standard build is available for new systems and whether that baseline has adequate security settings. Consider auditing a system freshly created from the baseline.
- Perform the steps from Chapter 4 as they pertain to the system you are auditing.
Checklist for Auditing Windows Clients
- Determine whether the client is running the company-provisioned firewall.
- Determine whether the client is running a company-provisioned antivirus program.
- Determine whether the client is running a company-provisioned patch-management solution.
- Determine whether the client is equipped with the minimum recommended service pack, hotfixes, and software.
- Ensure that the client has all the following according to the Microsoft Baseline Security Analyzer (MBSA).
- Scan the system using a commercial-grade network scanner.
- Evaluate physical security controls during a walk-through.
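Most items on the server and client checklists above (OS version and service pack, firewall, antivirus, patches, services, scheduled tasks, installed applications, shares, account configuration, auditing enabled) can be evidenced from the host itself. The script below is an added example, not from the original page or any vendor tool, that gathers that evidence into CSV workpapers; it assumes Microsoft Defender as the antivirus product, PowerShell 5.1 on Windows 10 / Server 2016 or later, an elevated prompt, and an output folder under the user's profile.

```powershell
# Added example (not from the original page): collect evidence for the
# checklist items (OS version, firewall, antivirus, patches, services, tasks,
# installed software, shares, local administrators, auditing) into CSV files.
# Assumes PowerShell 5.1 on Windows 10/Server 2016 or later, Microsoft Defender
# as the antivirus, and an elevated prompt; the output folder is assumed.
$Evidence = Join-Path $env:USERPROFILE ('audit-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
function Save-Evidence {
    param([string]$Name, [scriptblock]$Collector)
    try {
        $data = @(& $Collector)
        $data | Export-Csv -Path (Join-Path $Evidence "$Name.csv") -NoTypeInformation
        '{0,-10} {1,4} row(s)' -f $Name, $data.Count
    } catch { '{0,-10} FAILED: {1}' -f $Name, $_.Exception.Message }
}
# OS build and service pack level, to compare with policy requirements.
Save-Evidence 'os' { Get-CimInstance Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, CSDVersion, LastBootUpTime }
# Firewall: each profile's state and default inbound action.
Save-Evidence 'firewall' { Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction }
# Antivirus state (Microsoft Defender; substitute your product's query).
Save-Evidence 'antivirus' { Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated }
# Installed updates, newest first, against the patch-management policy.
Save-Evidence 'patches' { Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn }
# Running services, to validate their necessity with the administrator.
Save-Evidence 'services' { Get-Service | Where-Object Status -eq 'Running' |
    Select-Object Name, DisplayName, StartType }
# Enabled scheduled tasks outside the built-in Microsoft task tree.
Save-Evidence 'tasks' { Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, Author, State }
# Installed applications from the 64- and 32-bit Uninstall keys.
$Uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Save-Evidence 'software' { Get-ItemProperty $Uninstall -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher }
# Shares on the host and members of the local Administrators group.
Save-Evidence 'shares' { Get-SmbShare | Select-Object Name, Path, Description }
Save-Evidence 'admins' { Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource }
# Is auditing enabled? Keep every subcategory that is not 'No Auditing'.
Save-Evidence 'auditing' { auditpol /get /category:* /r | Where-Object { $_ -match ',' } |
    ConvertFrom-Csv | Where-Object 'Inclusion Setting' -ne 'No Auditing' |
    Select-Object Subcategory, 'Inclusion Setting' }
"Evidence written to $Evidence"
```

The CSVs are raw evidence, not findings: each still has to be compared with the company's server management policy and reviewed with the system administrator, as the checklist items require.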
Conclusion
The Windows OS was thoroughly evaluated and found to be in compliance with established security policies and best practices. Recommendations were made to further improve the system’s security posture.