I. What is a security audit?
A computer security audit is a manual or systematic, measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analysing physical access to the system.
II. Why security audit?
A security audit is needed to ensure that your cyber-defences are up to date, so they can respond effectively to threats posed by hackers and other criminals who attempt to manipulate IT systems for their own gain.
III. What a security audit usually covers:
+ Physical security
+ Ports and services
+ Security event log
+ Account security
+ Backup & disaster recovery
1. Physical Security
This involves the location of your servers. Make sure your servers are placed in a secured environment to protect your employees and assets. Have a checklist in place, and make sure it is regularly maintained and followed.
Consider implementing the three rings of security, a logical and cost-effective approach to flexible security. Each ring has a definite and separate function, but when combined they provide flexible and effective security at a reasonable cost:
The first and outermost ring addresses the building and its outer perimeters. These areas are secured with a combination of mechanical locks and electronic access controls. The first ring is electronically monitored.
The second ring of security includes physically separating and locking controlled areas. These areas are secured, at the very least, with mechanical locks.
The third and innermost ring of security includes restricted areas. Entry into these areas is controlled on a need-to-enter basis. These areas are secured with electronic access control. The third ring is also electronically monitored.
While this is a thorough list, additional protective measures are discovered every day. The following steps in the installation process have security implications:
+ Remove your servers from the network to prevent your computers from being attacked or exploited before appropriate patches or configurations are in place.
+ Create separate partitions for each major portion of the server: operating system, file serving, log, etc.
+ Format all drives using NTFS. The NTFS file system allows you to control access to files and directories.
+ You will be prompted to set up the administrator’s password. Select a strong password, and note that you will need to change this regularly.
+ Install all service packs and hot fixes appropriate to your server. It is extremely important to stay up to date on new versions and releases.
+ Install antivirus packages and keep them updated. Schedule your software to update regularly and frequently. Have a process in place that will detect and alert immediately when an unknown event takes place.
+ Use the “Custom Settings” option to configure your network settings. This is where you enter your designated IP information; static IP addresses are more secure. Configure DNS and WINS on your NICs, clear the “Enable LMHOSTS lookup” checkbox and select the “Disable NetBIOS over TCP/IP” option on the WINS tab.
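A read-only check for the NIC settings in the last step, written as an added example (not code from the original article); the `Win32_NetworkAdapterConfiguration` properties used are standard WMI/CIM, and the `Compliant` rule is an assumption matching the step above.

```powershell
# Added example, not from the original article. Audits every IP-enabled adapter
# for the WINS-tab settings the step above asks for: static addressing, LMHOSTS
# lookup off and NetBIOS over TCP/IP disabled. Read-only; nothing is changed.
# TcpipNetbiosOptions: 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled.
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled }

$report = foreach ($nic in $nics) {
    [pscustomobject]@{
        Adapter       = $nic.Description
        IPAddress     = ($nic.IPAddress -join ', ')
        StaticIP      = -not $nic.DHCPEnabled
        NetBIOS       = $(switch ($nic.TcpipNetbiosOptions) {
                             2 { 'Disabled' } 1 { 'Enabled' } default { 'Default (DHCP)' } })
        LMHOSTSLookup = $nic.WINSEnableLMHostsLookup
        # Compliance rule (assumption): static IP, LMHOSTS lookup off, NetBIOS disabled.
        Compliant     = ($nic.TcpipNetbiosOptions -eq 2) -and
                        (-not $nic.WINSEnableLMHostsLookup) -and
                        (-not $nic.DHCPEnabled)
    }
}

$report | Format-Table -AutoSize

# Adapters reported with Compliant = False can be corrected per adapter with the
# class's SetTcpipNetbios method (argument 2 = disable NetBIOS over TCP/IP), e.g.:
#   Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
```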
Now that your server has been configured properly for network security, it is time to start configuring and applying numerous security enhancements that will protect your server from internal and external intrusions.
3. Account Security
Verify that the Guest account is disabled, since an enabled Guest account lets attackers log on to the host without credentials of their own. Such a vulnerability is discovered easily by Singalarity’s Vulnerability Assessment:
Guest Account Vulnerability
A common suggestion is to rename the Administrator account and even create a decoy account named "Administrator". While this is a simple procedure, it can stop some attempts to attack Windows hosts through the Administrator account. Whatever your decision, make sure you enforce a strong password policy.
Do not create unnecessary accounts such as test accounts, shared accounts or generic accounts, as doing so adds unnecessary vulnerabilities to your system. If you must create these types of accounts, disable them when they are not in use, assign their permissions through group policies and audit them regularly.
4. Authentication Group
+ Replace the Everyone group with Authenticated Users on file shares, since granting access to Everyone allows anyone who gains access to your network to reach all your data.
5. Password Policies
A password policy is a set of rules designed to enhance computer security by encouraging users to set strong passwords and use them properly.
The password policy requirements of Enterprise and Government Systems
Some common suggestions are (tested in Windows Server):
Enforce Password History Enabled (recommended value is 5 past passwords)
Maximum Password Age Enabled (recommended value is 60 characters)
Minimum Password Age Enabled (recommended value is 5 characters)
6. Account Lockout Policies
Account lockout policies are a useful way of slowing down online password-guessing attacks and of compensating for weak password policies. The three policies below work together to limit the number of consecutive logon attempts within a set timeframe that fail because of wrong passwords.
Some suggestions are (tested in Windows Server with Singalarity’s audit checklists for Enterprise and Government Systems):
Account Lockout Threshold Enabled (recommended value is 3-5 invalid logon attempts)
Account Lockout Duration Enabled (recommended value is 30s)
Reset Account Lockout Threshold After Disabled (recommended manual reset of accounts)
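One way to verify sections 3, 5 and 6 on a host, as an added example that is not part of the original article or the Singalarity checklist: export the effective local security policy with `secedit` and compare its `[System Access]` keys with the recommendations above. It assumes an elevated prompt; since `secedit` stores ages in days and lockout times in minutes, the password-age figures are read as days and the 30-second lockout duration is checked as "at least 1 minute" (both assumptions).

```powershell
# Added example, not from the original article. Exports the effective local
# security policy with secedit and compares the [System Access] values with the
# password, lockout and Guest-account recommendations above. Elevated prompt.
# Unit assumptions: secedit stores Maximum/MinimumPasswordAge in days and
# LockoutDuration in minutes, so the checklist figures are checked in those units.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

$policy = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        # Numeric values become [int]; quoted strings (e.g. NewGuestName) stay strings.
        $policy[$Matches[1]] = if ($Matches[2] -match '^-?\d+$') { [int]$Matches[2] } else { $Matches[2] }
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# Expected values derived from the checklist above; 3-5 attempts, 5 remembered passwords.
$checks = @(
    @{ Key = 'PasswordHistorySize'; Want = '>= 5 passwords'; Pass = { param($v) $v -ge 5 } }
    @{ Key = 'MaximumPasswordAge';  Want = '1-60 days';      Pass = { param($v) $v -ge 1 -and $v -le 60 } }
    @{ Key = 'MinimumPasswordAge';  Want = '>= 5 days';      Pass = { param($v) $v -ge 5 } }
    @{ Key = 'LockoutBadCount';     Want = '3-5 attempts';   Pass = { param($v) $v -ge 3 -and $v -le 5 } }
    @{ Key = 'LockoutDuration';     Want = '>= 1 minute';    Pass = { param($v) $v -ge 1 } }
    @{ Key = 'EnableGuestAccount';  Want = '0 (disabled)';   Pass = { param($v) $v -eq 0 } }
)

foreach ($c in $checks) {
    $v = $policy[$c.Key]
    # LockoutDuration is absent from the export when lockout is not enabled: treat as FAIL.
    $ok = if ($null -eq $v) { $false } else { & $c.Pass $v }
    '{0,-20} current={1,-6} expected={2,-16} {3}' -f $c.Key, $v, $c.Want, $(if ($ok) { 'PASS' } else { 'FAIL' })
}
```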
7. Audit Policies
Audit policies determine which types of system events are recorded in the Security log.
Some suggestions from Singalarity’s Security Audit Checklist for Enterprise and Government Systems:
Note that in large organisations, recording Success events causes the log size to grow rapidly. Consider recording Success events only on certain Domain Controllers or on specific member servers that hold highly sensitive or confidential information.
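To review the point above on a given host, here is an added example (not from the original article or checklist) that reads the effective audit policy through `auditpol`'s CSV output. The baseline list of subcategories and the `$SensitiveHost` flag are assumptions for illustration, and the column and setting names are those of an English-language system.

```powershell
# Added example, not from the original article. Reads the effective audit policy
# with auditpol's CSV output (/r) and reports (a) a baseline of subcategories that
# should record at least Failure events and (b) how many subcategories record
# Success events, which drives log growth. Run from an elevated prompt.
# Set to $true on Domain Controllers or servers holding confidential data (assumption).
$SensitiveHost = $false

$rows = auditpol /get /category:* /r | ConvertFrom-Csv
# Column names below are auditpol's CSV header on an English system.
$setting = @{}
foreach ($r in $rows) { $setting[$r.Subcategory] = $r.'Inclusion Setting' }

# Baseline subcategories (assumption): every host should record their Failure events.
$baseline = 'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
            'User Account Management', 'Security Group Management', 'Audit Policy Change'

foreach ($sub in $baseline) {
    $cur = $setting[$sub]
    # Failure is always required; Success only on hosts marked sensitive.
    $ok = ($cur -match 'Failure') -and ((-not $SensitiveHost) -or ($cur -match 'Success'))
    '{0,-28} {1,-20} {2}' -f $sub, $cur, $(if ($ok) { 'PASS' } else { 'REVIEW' })
}

$successCount = @($setting.Values | Where-Object { $_ -match 'Success' }).Count
'{0} of {1} subcategories record Success events' -f $successCount, $setting.Count
```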
Disable any network services that are not required. Be aware that many installed applications require additional services to run, which opens the server to potential exploitation. A few services that should be disabled are the IIS services, FTP services, Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP) and the World Wide Web Publishing Service. Some suggestions for Windows services are:
Disable any ports that are not required, but never assume your servers are completely safe. You can find a list of ports and the services assigned to them in the file %systemroot%\drivers\etc\services.
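As an added example covering the two paragraphs above (not code from the original article), the following reports the state of the services the article names and then maps every listening TCP port to its owning process and service, so each open port can be justified or closed. The service names in `$serviceNames` are the usual Windows names for those components and are an assumption; `Get-NetTCPConnection` needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original article. Part 1: report the services the
# article lists (service names are assumptions for typical installs). Read-only;
# the fix, once a service is confirmed unneeded, is
#   Set-Service -Name <name> -StartupType Disabled; Stop-Service -Name <name>
$serviceNames = @{
    W3SVC    = 'World Wide Web Publishing Service'
    FTPSVC   = 'Microsoft FTP Service'
    SMTPSVC  = 'Simple Mail Transfer Protocol (SMTP)'
    NNTPSVC  = 'Network News Transfer Protocol (NNTP)'
    IISADMIN = 'IIS Admin Service'
}
foreach ($name in $serviceNames.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { '{0,-10} not installed' -f $name; continue }
    $startup = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
    # Anything not stopped AND disabled needs a documented justification.
    $flag = if ($svc.Status -eq 'Running' -or $startup -ne 'Disabled') { 'REVIEW' } else { 'OK' }
    '{0,-10} {1,-8} startup={2,-9} {3}  ({4})' -f $name, $svc.Status, $startup, $flag, $serviceNames[$name]
}

# Part 2: listening TCP ports with the owning process and any service hosted in it,
# so the list can be compared against what the server is actually meant to offer.
Get-NetTCPConnection -State Listen |
    Sort-Object -Property LocalPort, LocalAddress -Unique |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $hosted = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($conn.OwningProcess)"
        [pscustomobject]@{
            Port    = $conn.LocalPort
            Address = $conn.LocalAddress
            PID     = $conn.OwningProcess
            Process = $proc.ProcessName
            Service = ($hosted.Name -join ',')
        }
    } | Format-Table -AutoSize
```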
Some suggestions by Singalarity experts for special ports to be blocked:
This article has explained how proper configuration and planning of servers, as an initial step in the audit process, helps keep your system information secure. The cost in time and money may be significant, but a budget for security controls and monitoring is necessary to minimise or eliminate the risks posed to a networked system with many potential avenues of penetration.