© 2002-2007 Monterey Technology Group, Inc. v2006.05
www.montereytechgroup.com, www.ultimateWindowsSecurity.com
Windows Server 2003 Audit Program for Member Servers*
* Not to be used for Domain Controllers. See Active Directory Audit Program at www.ultimateWindowsSecurity.com
Internal Use License Agreement for Windows Server 2003 Audit Program for Member Servers
This audit program contains Intellectual Property and is licensed, copyrighted material owned by Monterey Technology Group, Inc., the publisher of this web site.
This audit work program is intended for employees of Internal Audit departments. As such, you are allowed to use this audit program during the course of your own work and you may copy the findings, risk and recommendations from the Member Server Control Tests into your own audit work papers and edit as necessary. Employees of Information Technology departments may use this document in a similar manner in preparation for an audit or as a self-assessment tool.
Prohibited uses:
• Use by a consultant or subcontractor in providing services to another company or in developing products or services
• Use by an associate or partner of a public accounting firm
• Distributing this audit program to colleagues. Each individual must request a personal copy
• Posting on a website
• Incorporating into a larger work except as provided above
• Training
Organization-wide licensing is available. Contact us for more information.
Monterey Technology Group, Inc.
179 Dunbar St Suite E
Spartanburg SC 29306
(866) 749-2048
Table of Contents
Member Server Evidence Collection ........ 2
Member Server Control Tests .............. 19
Control Framework Mappings ............... 44
Windows Server 2003 Audit Program for Member Servers Page 2 of 40
Monterey Technology Group, Inc.
Active Directory and Windows Server Audit Specialists
Training • Consulting • Practice Aids
© 2002-2007 Monterey Technology Group, Inc. v2006.05
www.montereytechgroup.com, www.ultimateWindowsSecurity.com
Member Server Evidence Collection
All evidence on this worksheet is member server specific – i.e. the evidence can potentially be different on each member server.
Therefore a copy of this worksheet should be filled out for each relevant member server in the domain or sample thereof.
Evidence collection methods:
• Command line. Commands in this work program will not modify any setting. Most commands require administrative authority
but the parameters used guarantee their operation is read only. We suggest creating a text file at the beginning of your evidence
collection to receive the output of these commands. Using the >> redirection feature as indicated in the guidance below will
cause each command’s output to be appended to this file.
• Screen print. We recommend collecting all your screen prints into a single file with WordPad. Pressing Alt-PrintScreen will copy
the current window (instead of the entire screen) to your clipboard. Then you can paste the screen print into WordPad. For
projects requiring many screen prints we recommend Snagit from www.techsmith.com.
Evidence collection items are sequenced so as to avoid switching between programs unnecessarily.
Evidence item 1: Location on physical network
Guidance:
• DMZ or on internal network
• City, building, floor

Evidence item 2: Describe physical security controls

Evidence item 3: Create files to receive subsequent command line output and screen prints
Guidance:
1. Run notepad.exe and create a new file named evidence.txt or similar.
2. Enter the name of the computer, the date and your name.
3. Save and close the file.
4. Open Accessories\WordPad and create a new file called screenprints.rtf. Keep this file open so that you can paste screen prints into it.
Evidence item 4: List of services
Guidance: Command line: sc query type= service state= all >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command. The STATE line shows whether each service was running at the moment of collection, not whether it is disabled; for any service of concern, sc qc [servicename] (also read only) shows its start type and the account it logs on as.
Example:
SERVICE_NAME: AeLookupSvc
DISPLAY_NAME: Application Experience Lookup Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Evidence item 5: List of shared folders
Guidance: Command line: net share >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
When analyzing evidence, ignore SYSVOL, IPC$, NETLOGON, ADMIN$, C$, D$, E$ and other drive-letter-dollar-sign shares. (SYSVOL and NETLOGON are created only on domain controllers and should not appear on a member server.)
Example:
Share name   Resource        Remark
C$           C:\             Default share
E$           E:\             Default share
ADMIN$       C:\WINDOWS      Remote Admin
IPC$                         Remote IPC
The command completed successfully.

Evidence item 6: Share permissions
Guidance: For each share in the previous evidence item run: net share [sharename] >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command. Ignore SYSVOL, IPC$, NETLOGON, ADMIN$, C$, D$, E$ and other drive-letter-dollar-sign shares.
Example:
Share name        SharedDocuments
Path              C:\files
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        BUILTIN\Administrators, FULL
                  Everyone, READ
The command completed successfully.
Evidence item 7: Listing of all local user accounts
Guidance: Command line: net user >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Example:
User accounts for \\CALADAN
__vmware_user__          Administrator            ASPNET
Guest                    HelpAssistant            SUPPORT_388945a0
The command completed successfully.

Evidence item 8: Document properties for Administrator, Guest and any other local accounts selected by auditor
Guidance:
1. Determine from IT staff if the built-in account Administrator has been renamed. If so, substitute the account name below. (Renaming does not change the account's relative identifier, which is always 500, and the comment "Built-in account for administering the computer/domain" in the net user output survives a rename unless it was edited as well.)
2. Command line: net user administrator >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
3. Repeat the previous step but replace administrator with guest.
4. Examine the list of user accounts from the previous evidence item and identify any additional accounts that have been created besides:
   • Administrator
   • Guest
   • SUPPORT_*
   • IUSR_*
   • IWAM_*
   • ASPNET
   If additional accounts exist, repeat step 2 for each account. If there are too many accounts use a sample.
Example:
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            10/22/2005 2:03 PM
Password expires             Never
Password changeable          10/23/2005 2:03 PM
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   3/24/2006 7:54 AM
Logon hours allowed          All
Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
Evidence item 9: Listing of all local groups
Guidance: Command line: net localgroup >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
Example:
Aliases for \\A3
*Administrators
*Backup Operators
*Distributed COM Users
*Guests
*HelpServicesGroup
*IIS_WPG
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*TelnetClients
*Users
The command completed successfully.

Evidence item 10: Document members of all local groups
Guidance:
1. Command line: net localgroup administrators >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.
2. Repeat the previous step for the following groups (quote names that contain spaces, e.g. net localgroup "Backup Operators"):
   • Backup Operators
   • Power Users
   • TelnetClients
   • Network Configuration Operators
   • Remote Desktop Users
3. Examine the list of groups from the previous evidence item, identify any groups created besides the default groups shown in the previous evidence item example, and repeat step 1 for each of them.
Example:
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
bosshogg
S3DGROUP\Domain Admins
The command completed successfully.
Evidence item 11: Password policy and lockout policy
Guidance: Command line: net accounts >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command. On a member server these are the settings that govern the local accounts collected in evidence items 7 and 8; domain accounts are governed by the domain's policy.
Example:
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 7
Length of password history maintained: None
Lockout threshold: 7
Lockout duration (minutes): 1440
Lockout observation window (minutes): 1440
Computer role: SERVER
The command completed successfully.

Evidence item 12: Identify principal folders that contain important information and document permissions
Guidance: Command line: cacls [folder path] >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command and [folder path] is the full pathname of the folder in question (e.g. c:\documents\hrdocs). Quote a path that contains spaces. On servers with Service Pack 2 installed, icacls [folder path] reports the same ACL in a newer format; either command is read only when run without further options. In the output, F, C, R, W and N stand for Full Control, Change, Read, Write and No Access; (OI), (CI) and (IO) mark entries that are inherited by files, by subfolders, or apply to children only.
Example:
C:\sls BUILTIN\Administrators:(OI)(CI)F
       NT AUTHORITY\SYSTEM:(OI)(CI)F
       MTG\rsmith:F
       CREATOR OWNER:(OI)(CI)(IO)F
       BUILTIN\Users:(OI)(CI)R
       BUILTIN\Users:(CI)(special access:)
                     FILE_APPEND_DATA
       BUILTIN\Users:(CI)(special access:)
                     FILE_WRITE_DATA
Evidence item 13: Document whether group policy is being used to secure the system
Guidance: Command line: gpresult /scope computer /z >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command. The "Applied Group Policy Objects" list shows which GPOs reached the computer; the verbose (/z) output that follows lists the settings each of them delivers.
Example:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 5/25/2006 at 11:09:12 PM

RSOP data for S3DGROUP\radmin on A3 : Logging Mode
OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\radmin
Connected over a slow link?: No

COMPUTER SETTINGS
    CN=A3,OU=Application,OU=Servers,OU=Computers,OU=Objects,DC=s3dgroup,DC=com
    Last time Group Policy was applied: 5/25/2006 at 11:03:25 PM
    Group Policy was applied from:      a4.s3dgroup.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        S3DGROUP
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
        Server Policies
        Special Exceptions For A3 Web Server
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        A3$
Evidence item 14: Document IP Security Policy
Guidance: Command line: netsh ipsec static show policy all >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command. Only one IPsec policy can be assigned at a time; if every policy shows Assigned : NO, as in the example, no locally stored IPsec policy is in force on the server.
Example:
Policy Name      : Server (Request Security)
Description      : For all IP traffic, always request security using K
Last Modified    : 2/12/2005 1:03:03 AM
Assigned         : NO
Master PFS       : NO
Polling Interval : 180 minutes

Policy Name      : Client (Respond Only)
Description      : Communicate normally (unsecured). Use the default r
Last Modified    : 2/12/2005 1:03:03 AM
Assigned         : NO
Master PFS       : NO
Polling Interval : 180 minutes

Policy Name      : Secure Server (Require Security)
Description      : For all IP traffic, always require security using K
Last Modified    : 2/12/2005 1:03:04 AM
Assigned         : NO
Master PFS       : NO
Polling Interval : 180 minutes

Policy Name      : Firewall Rules
Description      : NONE
Last Modified    : 7/15/2005 11:59:32 PM
Assigned         : NO
Master PFS       : NO
Polling Interval : 180 minutes

No. of policies  : 4
Evidence item 15: Audit policies
Guidance: Administrative Tools\Local Security Policy: capture a screen print of Security Settings\Local Policies\Audit Policy.
Alternative: use the auditpol utility from the Windows Resource Kit. Command line: auditpol >> evidence.txt, where evidence.txt is the name of the file that receives the output of the command.

Evidence item 16: User Rights Assignments
Guidance: Administrative Tools\Local Security Policy: capture a screen print of Security Settings\Local Policies\User Rights Assignment.
Command line alternative: the ntrights utility from the Windows Resource Kit grants or revokes a single right (ntrights +r Right -u User); it does not list assignments, so do not use it for evidence collection. Instead export the local security policy with secedit /export /cfg secpol.inf /areas USER_RIGHTS, which is read only, and append secpol.inf to the evidence file; its [Privilege Rights] section lists each right (e.g. SeBackupPrivilege) with the accounts or SIDs that hold it. Exporting without /areas also captures the audit policy ([Event Audit]) and security options ([Registry Values]) sections that correspond to evidence items 15 and 17.
Evidence item 17: Security Options
Guidance: Administrative Tools\Local Security Policy: capture a screen print of Security Settings\Local Policies\Security Options.
Evidence item 18: Document file systems in use
Guidance: Administrative Tools\Computer Management\Disk Management: capture a screen print. Note the file system of each volume; only NTFS volumes carry file and folder permissions, so data on a FAT or FAT32 volume is protected by share permissions alone.
Evidence item 19: Security log settings
Guidance:
1. Computer Management\Event Viewer
2. Select and right-click on the Security log
3. Select Properties
4. Screen print

Evidence item 20: Save a copy of the event log
Guidance: Computer Management\Event Viewer: right-click on the Security log and select Save Log File As… Use the EVT format. Saving the log does not clear it.
Evidence item 21: Security patch status
Guidance:
1. Download MBSA from www.microsoft.com/mbsa
2. Run MBSA against the server with the "Check for security updates" option enabled.
   Important:
   • Disable "Configure computers for Microsoft Update and scanning prerequisites" (that option changes the target server's update configuration, which an auditor collecting evidence must not do)
   • Do not check "Advanced Update Services options:"
   Optionally, enable:
   • Check for Windows administrative vulnerabilities
   • Check for weak passwords (this check attempts logons with common passwords; agree it with IT staff first and expect failed logon events in the Security log)
   • Check for IIS administrative vulnerabilities
   • Check for SQL administrative vulnerabilities
3. When MBSA displays the report, save the report using the Print or Copy links on the left of the MBSA window.
Evidence item 22: Determine antimalware controls (antivirus)
Guidance: Depends on the antimalware solution. Use interview, examine services, Add/Remove Programs and the interface of the antimalware product.
• What product is used?
• Is the software up-to-date and operational?
• Is the malware signature database up-to-date?

Evidence item 23: Document security log collection and monitoring
Guidance: Interview.
• Is the security log streamed to a central security log server in real time?
• If not, is it periodically collected/transferred to a security log server? With what frequency?
• What monitoring and reporting takes place at the central log server?
• What is the archival process at the central log server?
• If there is no central log server, are these operations performed locally?
Evidence item 24: Assess administrative practices
Guidance: Interview. While logged onto the server interactively or via Terminal Services, do administrators:
• Browse the web?
• Use MS Office, Adobe or other document-based applications?
• Work with content downloaded from the Internet, other than from trusted vendor sites? Is all such content scanned for viruses before opening?
• Log on as the built-in Administrator account? (The "Last logon" field in evidence item 8 shows whether that account is in routine use.)
Member Server Control Tests
Test 1: Check physical security controls
Guidance: Member Server Evidence 1 and 2.
Finding: Insufficient physical access controls for member server.
Risk: Physical access to a computer allows an attacker to compromise the computer. Sensitive or business critical information, operations or transactions hosted on this server could be exposed to fraud, divulged, corrupted, or deleted.
Recommendation: Implement consistent physical access control for all member servers.
Test 2: Is the security log large enough and configured to overwrite appropriately?
Guidance: Member Server Evidence 19.
Log size should not exceed 199MB (299MB on Windows Server 2003) to prevent corruption and instability.
It isn't secure or practical to expect the local security log to be the archive of security events for a server. It's impractical because most servers generate much more information than can be kept long term on the local system (a maximum of 199MB, or 299MB on Windows Server 2003). It's insecure since a hacker or rogue administrator can tamper with the logs if they are stored locally.
For compliance with most interpretations of SOX, FISMA, et al., you must frequently collect security logs from monitored systems to a separate log server. The collection interval should be as short as possible to minimize the opportunity for tampering. Preferably security events should be streamed in real time by a local agent to the log server. See NIST Special Publication 800-92.
In such an environment, the local security log should be viewed as a staging point for the collection to the central log server, and the goal should be for the local security log to be allocated enough space to hold events between collections, including longer intervals if the collection process temporarily breaks.
Recommendation: simply allocate the log to 199MB (299MB on Windows Server 2003) and configure it to "overwrite as needed".
Unless the system is configured to "shutdown immediately on audit failure", avoid "Do not overwrite events, clear log manually" for several reasons:
• If the log fills, it stops logging events until cleared. This forces you to clear the log regularly. If new events are regularly collected to the central log server there's no need to clear the security log; it just overwrites as needed. This in turn allows you to avoid clearing the log, which in turn allows you to monitor for and treat any occurrence of event ID 517 (log cleared) as suspicious evidence of log tampering.
Finding: Current log size and overwrite settings do not provide maximum assurance of log integrity.
Risk: Audit trail and compliance evidence could be lost, resulting in hampered investigations, compromised regulatory compliance and loss of the ability to prosecute intruders.
Recommendation: Allocate the log to 199MB (299MB on Windows Server 2003) and configure it to "overwrite as needed". Use a log management solution that provides:
• Collection of server security logs into a central database
• Real time alerts of severe events
• Reporting for compliance monitoring, change control and audit trails
• Ability to archive older activity
• Separation of duty between operational administrators and staff tasked with monitoring
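The following Python script is an added example, not part of the Monterey Technology Group work program. It turns the Test 2 guidance into a check: given the Security log's maximum size and retention setting (typed in from the Evidence 19 screen print, or read from the registry on the audited server), it reports whether the size matches the 299MB recommendation for Windows Server 2003 and whether "Do not overwrite events" is in use without "shutdown immediately on audit failure". The registry value names and their meanings are Windows facts; the finding codes and messages are this example's own.

```python
"""Added example (not part of the audit program): check the Security log
size and retention settings against Test 2. The values can be typed in
from the Evidence 19 screen print or read from the registry on the
audited server; reading uses read-only key opens and changes nothing."""

MB = 1024 * 1024
RECOMMENDED_SIZE = 299 * MB      # Test 2: 299MB on Windows Server 2003 (199MB on earlier versions)
OVERWRITE_AS_NEEDED = 0          # Retention value for "Overwrite events as needed"
DO_NOT_OVERWRITE = 0xFFFFFFFF    # Retention value for "Do not overwrite events (clear log manually)"


def assess_security_log(max_size, retention, crash_on_audit_fail=0):
    """Return [(code, message)] findings for one server.

    max_size and retention are the MaxSize (bytes) and Retention values
    under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Security.
    Retention is 0 for overwrite-as-needed, 0xFFFFFFFF for never
    overwrite, otherwise the number of seconds events are kept
    ("overwrite events older than N days" stores N*86400).
    crash_on_audit_fail is HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    \\CrashOnAuditFail (1 = halt the system when the log cannot be written)."""
    findings = []
    if max_size < RECOMMENDED_SIZE:
        findings.append(("size_below_recommendation",
                         "Security log is %d MB; allocate %d MB so it holds events "
                         "between collections" % (max_size // MB, RECOMMENDED_SIZE // MB)))
    elif max_size > RECOMMENDED_SIZE:
        findings.append(("size_exceeds_limit",
                         "Security log is %d MB, above the %d MB limit the work program "
                         "gives to avoid corruption and instability" % (max_size // MB, RECOMMENDED_SIZE // MB)))
    if retention == DO_NOT_OVERWRITE:
        if crash_on_audit_fail != 1:
            findings.append(("manual_clear",
                             "'Do not overwrite events' without CrashOnAuditFail: logging "
                             "stops silently when the log fills and the log must be cleared by hand"))
    elif retention != OVERWRITE_AS_NEEDED:
        findings.append(("overwrite_by_age",
                         "Log overwrites only events older than %d days; use 'overwrite as "
                         "needed' so the log never fills" % (retention // 86400)))
    return findings


def read_security_log_settings():
    """(max_size, retention, crash_on_audit_fail) from the live registry.
    Works only on Windows; elsewhere take the numbers from the screen print."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Services\Eventlog\Security") as key:
        max_size = winreg.QueryValueEx(key, "MaxSize")[0]
        retention = winreg.QueryValueEx(key, "Retention")[0]
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        try:
            crash_on_audit_fail = winreg.QueryValueEx(key, "CrashOnAuditFail")[0]
        except FileNotFoundError:     # value absent means the option is off
            crash_on_audit_fail = 0
    return max_size, retention, crash_on_audit_fail


if __name__ == "__main__":
    # Values typed in from a screen print (constructed example): 16 MB,
    # "Do not overwrite events", CrashOnAuditFail not set.
    for code, message in assess_security_log(16 * MB, DO_NOT_OVERWRITE):
        print("Test 2 finding [%s]: %s" % (code, message))
```

On the audited server, `assess_security_log(*read_security_log_settings())` evaluates the live values; the Event Viewer dialog shows the size in kilobytes, so multiply by 1024 when typing a value in from a screen print.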
Test 3: Is there sufficient monitoring of the security log?
Guidance: Member Server Evidence 23.
It is impractical and unrealistic to expect administrators to manually review Windows security logs due to the cryptic nature of the logs, the volume of information and the number of Windows servers on a typical network. Yet most corporate information security policies and compliance legislation require log archival and monitoring. The only solution is a log management product that provides centralized collection, monitoring, reporting and archival.
See Randy Franklin Smith's Selecting the Right Log Management Solution Special Report at www.UltimateWindowsSecurity.com for more details on log management requirements.
For detailed recommendations on what should be monitored and how to analyze Windows security logs see the Security Log Secrets course at www.UltimateWindowsSecurity.com.
See NIST Special Publication 800-92.
Finding: Security log monitoring of member servers is insufficient.
Risk: Without a process in place to monitor member server security logs, attacks could be ongoing without the organization's knowledge. Audit trail and compliance evidence could be lost, resulting in hampered investigations, compromised regulatory compliance and audit trails, and loss of the ability to prosecute intruders.
Recommendation: Implement a process for regular monitoring and archival of the security log.
Test 4: Check for latest service pack and security updates.
Guidance: Member Server Evidence 21.
Analyze the security updates reported as missing by MBSA. Determine if any of these updates address vulnerabilities likely to be exploited on this server given its role, installed services and network exposure.
For brief, simplified explanations of the risks associated with each MS security bulletin, research Independent Analysis of MS Security Bulletins at www.ultimateWindowsSecurity.com.
Finding: Member server is not patched against current vulnerabilities.
Risk: New security bugs are discovered every month. Many exploits can only be prevented by loading the associated update. As networks become more porous and mobile code attacks increase, even computers on the internal network, protected by a firewall, should be kept up-to-date with security related hotfixes. Without keeping the member server up-to-date it is vulnerable to mobile code attacks and attacks by individuals. Sensitive or business critical information, operations or transactions hosted by that server could be exposed to fraud, divulged, corrupted, or deleted.
Recommendation: Keep the member server up to date with the latest service pack and security updates. Consider using Windows Server Update Services to automate patch management. Follow testing and limited rollout best practices to reduce the risk of destabilizing the network due to defective fixes. Subscribe to the security notification service from Microsoft.
Test 5: Check for dangerous or unnecessary services that are not disabled.
Guidance: Member Server Evidence 4.
Analyze the services running when the evidence was collected and identify potentially dangerous services or any other service that is not necessary for the server to fulfill its role. A service shown as STOPPED is not necessarily disabled; for any service of concern, sc qc [servicename] (read only) shows whether its start type is AUTO_START, DEMAND_START or DISABLED. For lists of required services for Windows 2003 and various roles see
/>identifying-essential-windows-services-1.html and
/>identifying-essential-windows-services-2.html.
Potentially dangerous services include:
• WWW Publishing Service
• FTP Publishing Service
• Telnet
• SMTP
• NetMeeting Remote Desktop Sharing
• Routing and Remote Access
• Terminal Services
• ClipBook
• Internet Connection Sharing
• Simple TCP/IP
• Windows Media
• Indexing Service
• NNTP
But others exist, such as PC Anywhere. Some of these services, such as Telnet or Terminal Services, may be required by administrators to manage systems. For required services, what controls are in place, specific to each service, to keep it secure?
Finding: Dangerous services (___) are enabled on member server.
Risk: Services constitute doorways into a computer from over the network. Best practice recommends disabling unneeded services. Sensitive or business critical information, operations or transactions hosted by this server could be exposed to fraud, divulged, corrupted, or deleted.
Recommendation: Disable ____.
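The following Python script is an added example, not part of the Monterey Technology Group work program. It applies Test 5 to the `sc query type= service state= all` text collected as Member Server Evidence 4: it parses each SERVICE_NAME record, lists the services that were RUNNING, and flags those whose short name is on a watch-list built from the list above. The short service names in the watch-list are assumptions about Windows Server 2003 defaults and must be confirmed against the DISPLAY_NAME lines in the evidence; the sample output embedded in the script is constructed for illustration.

```python
"""Added example (not part of the audit program): apply Test 5 to the
`sc query type= service state= all` text collected as Member Server
Evidence 4, listing which services were RUNNING and which of those are
on the work program's list of potentially dangerous services."""
import re

# Short service names assumed for the display names in Test 5 (Windows
# Server 2003 defaults). Confirm each against the DISPLAY_NAME line in the
# evidence before reporting; third-party remote control tools such as
# PC Anywhere need their own entries.
DANGEROUS_SERVICES = {
    "W3SVC": "World Wide Web Publishing Service",
    "MSFTPSVC": "FTP Publishing Service",
    "TlntSvr": "Telnet",
    "SMTPSVC": "Simple Mail Transfer Protocol (SMTP)",
    "mnmsrvc": "NetMeeting Remote Desktop Sharing",
    "RemoteAccess": "Routing and Remote Access",
    "TermService": "Terminal Services",
    "ClipSrv": "ClipBook",
    "SharedAccess": "Internet Connection Sharing",
    "SimpTcp": "Simple TCP/IP Services",
    "WMServer": "Windows Media Services",
    "cisvc": "Indexing Service",
    "NntpSvc": "Network News Transfer Protocol (NNTP)",
}

_NAME = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)")
_DISPLAY = re.compile(r"^\s*DISPLAY_NAME:\s*(.*\S)")
_STATE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)")


def parse_sc_query(text):
    """List of {name, display, state} dicts, one per SERVICE_NAME record.
    Lines are matched by label, so sc.exe's column padding is irrelevant."""
    services, current = [], None
    for line in text.splitlines():
        m = _NAME.match(line)
        if m:
            current = {"name": m.group(1), "display": "", "state": ""}
            services.append(current)
            continue
        if current is None:
            continue
        m = _DISPLAY.match(line)
        if m:
            current["display"] = m.group(1)
            continue
        m = _STATE.match(line)
        if m:
            current["state"] = m.group(1)
    return services


def running_services(services):
    """Names of the services that were RUNNING when the evidence was taken."""
    return [s["name"] for s in services if s["state"] == "RUNNING"]


def flag_dangerous(services):
    """(name, display) for each running service on the watch-list; the
    short name is compared case-insensitively."""
    watch = {k.lower() for k in DANGEROUS_SERVICES}
    return [(s["name"], s["display"]) for s in services
            if s["state"] == "RUNNING" and s["name"].lower() in watch]


# Constructed sample in the shape of Evidence 4; not output from a real server.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: AeLookupSvc
DISPLAY_NAME: Application Experience Lookup Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        STATE              : 1  STOPPED

SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
        STATE              : 4  RUNNING

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    # Replace SAMPLE_SC_OUTPUT with open("evidence.txt").read() to run over
    # collected evidence; other sections of the file are ignored by the parser.
    parsed = parse_sc_query(SAMPLE_SC_OUTPUT)
    print("running:", running_services(parsed))
    for name, display in flag_dangerous(parsed):
        print("Test 5 finding: dangerous service %s (%s) is running" % (name, display))
```

Because the parser keys on the SERVICE_NAME, DISPLAY_NAME and STATE labels, the whole evidence.txt file can be fed to it; the `net share`, `net user` and other sections simply produce no records.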
Test 6: Assess service "logon as" accounts
Guidance: Member Server Evidence 4.
For services that are not native to Windows Server 2003 (services that do not appear in the articles referenced in the previous test) examine the user account under which the service runs. sc query does not show this; use sc qc [servicename] (read only; the SERVICE_START_NAME line) or the Log On tab of the service's properties in Services. Note any services that run as a member of Administrators or as Local System.
Determine from application documentation and interview why the service requires such a high level of authority. Are there other applications or information on that system that would be endangered if the system were compromised?
Finding: Service _________ is running with excessive authority.
Risk: A service running as Local System or with administrator authority that is compromised by an attacker can then be exploited by the attacker to compromise the entire system, including other applications or services running on that system.
Recommendation: Configure the service to log on as an account with the least privilege necessary.

Test 7: Assess share permissions
Guidance: Member Server Evidence 5, 6 and 12.
Each shared folder is a doorway into the file system from over the network. Share permissions set a maximum level of access for any user accessing files through that share. (Windows enforces both the share's permissions and the permissions of the actual file being accessed through that share; therefore the most restrictive permissions apply.) Assess the appropriateness of each share and its permissions. Take into account what information is being made available in that shared folder and its subfolders. Some administrators choose to set share permissions to Everyone Full Control and instead rely on underlying file and folder permissions. In that case assess the permissions of the actual files and folders under each share.
Finding: File or share permissions for shared folder ____ are insufficient.
Risk: [specify type of information] can be accessed by unauthorized users including [insert users or groups] which could result in [insert risk description].
Recommendation: Adjust permissions to limit access to appropriate groups.
Test 8: Verify no permissions are assigned to machine local groups.
Guidance: Member Server Evidence 6, 9 and 12.
Assigning permissions to machine local groups (see Member Server Evidence 9) is better than assigning them to individual users, but should be avoided because machine local groups cannot be tracked centrally from Active Directory Users and Computers, whereas domain local and global groups can. A server administrator can easily be given an OU in Active Directory and delegated authority to manage groups in that OU for use in managing access to his server. In the evidence, a machine local group appears as [computer name]\[group] (or unqualified), while a domain group appears as [domain]\[group]; compare the name against the Evidence 9 listing.
Finding: Best practice of assigning permissions to domain groups not followed.
Risk: It is difficult to track permissions on computers throughout the domain due to the quantity of computers. It is best practice to assign permissions by domain groups only so that permissions can be tracked centrally in Active Directory by group membership.
Recommendation: Assign permissions to domain global or domain local groups only.

Test 9: Verify no permissions are assigned to individual users.
Guidance: Member Server Evidence 6 and 12. A user in the ACL output looks the same as a group (e.g. MTG\rsmith in the Evidence 12 example); check names that are not in the Evidence 9 listing against Evidence 7 (local users) and Active Directory Users and Computers (domain accounts).
Finding: Best practice of assigning permissions to groups not followed.
Risk: It is difficult to track permissions on computers throughout the domain due to the quantity of computers. It is best practice to assign permissions by domain groups only so that rights can be tracked centrally in Active Directory by group membership.
Recommendation: Assign permissions to domain global or domain local groups only.

Test 10: Assess file permissions
Guidance: Member Server Evidence 12.
Finding: File permissions for folder ____ are insufficient.
Risk: [specify type of information] can be accessed by unauthorized users including [insert users or groups] which could result in [insert risk description].
Recommendation: Adjust permissions to limit access to appropriate groups.
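The following Python script is an added example, not part of the Monterey Technology Group work program; it serves Tests 7 through 10 together. It parses the `net share [sharename]` permission lines (Evidence 6) and the `cacls` ACL lines (Evidence 12) collected in evidence.txt, then classifies each trustee as a well-known identity, a machine local group, a local user, a domain group or a domain user, using the local group and user listings from Evidence 9 and 7. Test 8 flags machine local groups and Test 9 flags individual users. The work program does not collect a list of domain groups, so that list (here `domain_groups`) must be supplied by the auditor; the server name A3, the group and user names, and the sample output are constructed for illustration.

```python
"""Added example (not part of the audit program): parse share permissions
(Evidence 6) and folder ACLs (Evidence 12) and classify each trustee so
Tests 7 to 10 can be applied mechanically. Needs the local group and user
lists from Evidence 9 and 7 plus an auditor-supplied list of domain groups."""
import re

ADMIN_SHARES = {"IPC$", "ADMIN$", "SYSVOL", "NETLOGON"}   # plus C$, D$, ... (see is_default_share)
_WELL_KNOWN_PREFIXES = ("BUILTIN\\", "NT AUTHORITY\\")
_WELL_KNOWN_NAMES = {"EVERYONE", "CREATOR OWNER"}
# cacls line: <trustee>:<inheritance flags><right>, right = N/R/W/C/F or "(special access:)"
_ACE = re.compile(r"^(.*?):((?:\((?:OI|CI|IO|NP)\))*)(N|R|W|C|F|\(special access:\))\s*$")


def is_default_share(name):
    """Shares the work program says to ignore (Evidence 5 and 6)."""
    n = name.upper()
    return n in ADMIN_SHARES or re.fullmatch(r"[A-Z]\$", n) is not None


def parse_share_permissions(text):
    """[(trustee, access)] from `net share <name>` output: the first entry
    follows the 'Permission' label, further entries are on their own lines."""
    entries, collecting = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Permission"):
            collecting, s = True, s[len("Permission"):].strip()
        elif s.startswith("The command"):
            collecting = False
        if collecting and s:
            trustee, _, access = s.rpartition(",")
            entries.append((trustee.strip(), access.strip()))
    return entries


def parse_cacls(text, folder):
    """[(trustee, flags, right)] from `cacls <folder>` output. cacls prints
    the folder in front of the first ACE, so it is stripped; the rights
    listed under '(special access:)' are left to manual review."""
    aces = []
    for line in text.splitlines():
        s = line.strip()
        if s.lower().startswith(folder.lower()):
            s = s[len(folder):].strip()
        m = _ACE.match(s)
        if m:
            aces.append(m.groups())
    return aces


def classify_trustee(trustee, computer, local_groups, local_users, domain_groups):
    """'well-known' (BUILTIN, NT AUTHORITY, Everyone, CREATOR OWNER),
    'machine-local group' / 'local user' (COMPUTER\\name found in the
    Evidence 9 / 7 lists), 'domain group' (found in domain_groups) or
    'domain user' (anything else; confirm in AD Users and Computers).
    Unqualified names are treated as local to the server."""
    upper = trustee.upper()
    if upper.startswith(_WELL_KNOWN_PREFIXES) or upper in _WELL_KNOWN_NAMES:
        return "well-known"
    authority, _, name = trustee.rpartition("\\")
    lname = name.lower()
    if not authority or authority.upper() == computer.upper():
        if lname in {g.lower() for g in local_groups}:
            return "machine-local group"
        if lname in {u.lower() for u in local_users}:
            return "local user"
        return "unknown local principal"
    return "domain group" if lname in {g.lower() for g in domain_groups} else "domain user"


def review_trustees(entries, **context):
    """Tests 8 and 9 over [(trustee, access), ...]: returns
    [(trustee, access, classification, test)] for each entry granted to a
    machine-local group (Test 8) or to an individual user (Test 9)."""
    flagged = []
    for trustee, access in entries:
        kind = classify_trustee(trustee, **context)
        if kind == "machine-local group":
            flagged.append((trustee, access, kind, "Test 8"))
        elif kind not in ("well-known", "domain group"):
            flagged.append((trustee, access, kind, "Test 9"))
    return flagged


# Constructed samples in the shape of Evidence 6 and 12 (not real evidence).
SAMPLE_NET_SHARE = """\
Share name        SharedDocuments
Path              C:\\files
Maximum users     No limit
Permission        BUILTIN\\Administrators, FULL
                  Everyone, READ
                  A3\\Sales, CHANGE
The command completed successfully.
"""
SAMPLE_CACLS = """\
C:\\sls BUILTIN\\Administrators:(OI)(CI)F
       NT AUTHORITY\\SYSTEM:(OI)(CI)F
       MTG\\rsmith:F
       MTG\\Finance Users:(OI)(CI)C
       A3\\Sales:(OI)(CI)R
       CREATOR OWNER:(OI)(CI)(IO)F
       BUILTIN\\Users:(OI)(CI)R
       BUILTIN\\Users:(CI)(special access:)
                      FILE_APPEND_DATA
"""
# Server A3; group and user lists as they would come from Evidence 9 and 7;
# domain_groups is an assumed list the auditor supplies.
CONTEXT = dict(computer="A3", local_groups={"Administrators", "Users", "Sales"},
               local_users={"Administrator", "Guest", "bosshogg"},
               domain_groups={"Domain Admins", "Finance Users"})

if __name__ == "__main__":
    for row in review_trustees(parse_share_permissions(SAMPLE_NET_SHARE), **CONTEXT):
        print("share:", row)
    aces = [(t, f + r) for t, f, r in parse_cacls(SAMPLE_CACLS, "C:\\sls")]
    for row in review_trustees(aces, **CONTEXT):
        print("folder:", row)
```

For Test 7, an "Everyone, FULL" share entry is not itself a finding under the guidance above; it is the cue to run the cacls output for the shared path through the same review. Entries classified as "unknown local principal" usually mean a deleted account whose SID is still in the ACL, which cacls prints as the raw SID.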
Test 11: Check membership of Administrators group.
Guidance: Member Server Evidence 10.
Finding: Inappropriate users (___) have administrator access to member server.
Risk: Members of this group have unlimited authority on the server. With inappropriate admin authority, users can perform unauthorized operations or cause widespread damage through mistakes due to lack of training. Inappropriate users with admin authority provide increased targets to individuals trying to gain admin authority, after which they can damage, tamper with or divulge the server or the business processes and confidential information. Best practice is to follow least privilege.
Recommendation: Remove ____ from the Administrators group.

Test 12: Check membership of Power Users group.
Guidance: Member Server Evidence 10. The Power Users group can share folders and printers and create and manage users and groups.
Finding: Inappropriate users (___) have Power User access to member server.
Risk: Without restricting Power User authority, unauthorized users can compromise the server. Sensitive or business critical information, operations or transactions hosted by this server could be exposed to fraud, divulged, corrupted, or deleted.
Recommendation: Remove ____ from the Power Users group.
Test 13: Verify Guest account is disabled
Guidance: Member Server Evidence 8. The "Account active" line of the net user guest output must read No.
Finding: Guest account is enabled.
Risk: The Guest account is a known target of W2k attackers. Remote Windows computers also use Guest when connecting after normal logon credentials fail. Logons as Guest are anonymous, which reduces accountability and the audit trail. Unless best practice is followed and Guest is disabled, users may be able to log on anonymously and access unauthorized information.
Recommendation: Disable the Guest account.
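The following Python script is an added example, not part of the Monterey Technology Group work program. It parses the `net user [name]` records collected as Member Server Evidence 8 and the `net accounts` output collected as Evidence 11 into Python values, applies Test 13 (Guest must be disabled), and compares the password and lockout settings with a baseline. The work program states no numeric password policy requirements, so the baseline values in `EXAMPLE_BASELINE` are illustrative assumptions to be replaced with the organization's own policy; the sample output is constructed for illustration.

```python
"""Added example (not part of the audit program): parse the `net user
<name>` records from Evidence 8 and the `net accounts` settings from
Evidence 11, apply Test 13 (Guest disabled) and compare the password and
lockout policy with a baseline. The baseline values are illustrative
assumptions, not requirements stated in the work program."""

_USER_LABELS = ("User name", "Account active", "Account expires", "Password last set",
                "Password expires", "Password required", "Last logon",
                "Local Group Memberships", "Global Group memberships")
# Settings where a smaller number is stricter; None (Unlimited/Never) means the control is off.
_SMALLER_IS_STRICTER = {"Maximum password age (days)", "Lockout threshold"}

EXAMPLE_BASELINE = {                          # assumed organizational minimums
    "Minimum password length": 8,
    "Length of password history maintained": 24,
    "Maximum password age (days)": 90,
    "Lockout threshold": 10,
    "Lockout duration (minutes)": 15,
}


def parse_net_user(text):
    """Dict of the labelled fields of one `net user <name>` record. Fields
    are matched by label, so the column padding does not matter."""
    fields = {}
    for line in text.splitlines():
        s = line.strip()
        for label in _USER_LABELS:
            if s.startswith(label):
                fields[label] = s[len(label):].strip()
                break
    return fields


def group_memberships(fields, label="Local Group Memberships"):
    """Group names from a membership field; net user prefixes each with '*'."""
    return [g.strip() for g in fields.get(label, "").split("*") if g.strip()]


def parse_net_accounts(text):
    """Dict of `net accounts` settings: integers as int, Unlimited/Never/None as None."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value in ("Unlimited", "Never", "None"):
            settings[key.strip()] = None
        elif value.isdigit():
            settings[key.strip()] = int(value)
        else:
            settings[key.strip()] = value
    return settings


def guest_disabled(fields):
    """Test 13: True when the Guest record shows 'Account active  No'."""
    return fields.get("Account active", "").lower() == "no"


def password_policy_findings(settings, baseline):
    """[(setting, actual, required)] for each baseline setting not met."""
    findings = []
    for key, required in baseline.items():
        actual = settings.get(key)
        if key in _SMALLER_IS_STRICTER:
            ok = actual is not None and actual <= required
        else:
            ok = actual is not None and actual >= required
        if not ok:
            findings.append((key, actual, required))
    return findings


# Constructed samples in the shape of Evidence 8 and 11 (not real evidence).
SAMPLE_GUEST = """\
User name                    Guest
Comment                      Built-in account for guest access to the computer/domain
Account active               No
Password required            No
Last logon                   Never
Local Group Memberships      *Guests
The command completed successfully.
"""
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 7
Length of password history maintained: None
Lockout threshold: 7
Lockout duration (minutes): 1440
Lockout observation window (minutes): 1440
Computer role: SERVER
The command completed successfully.
"""

if __name__ == "__main__":
    print("Guest disabled:", guest_disabled(parse_net_user(SAMPLE_GUEST)))
    for key, actual, required in password_policy_findings(
            parse_net_accounts(SAMPLE_NET_ACCOUNTS), EXAMPLE_BASELINE):
        print("policy shortfall: %s is %r, baseline %r" % (key, actual, required))
```

The same `parse_net_user` call on the Administrator record gives the "Last logon" and "Password last set" values that support the built-in Administrator question in Evidence 24, and `group_memberships` shows whether an account selected in Evidence 8 sits in Administrators or Power Users (Tests 11 and 12).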