Chapter 13 - Auditing Windows NT Security Features and Controls

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

In Chapters 1 through 12, we discuss security objectives and controls, explain the various security controls within Windows NT, and describe how to implement them. Most of our clients have implemented Windows NT in multiple configurations and are concerned about whether the Windows NT controls meet their IT control objectives. For example, Enright Bank recently asked us to help evaluate the strength of its Windows NT controls because it was not sure it had implemented the Windows NT features that would accomplish its control objectives. One of Enright Bank's IT control objectives is: "The systems that support our client accounts will be secured from unauthorized access." PricewaterhouseCoopers (PwC) can perform this service for Enright Bank, but believes it is far more valuable for Enright Bank's IT department to understand this review process and perform it themselves. PwC will then analyze the results of the review and assist in developing corrective action recommendations. Therefore, we explain the vehicle used to perform these reviews, more commonly known as a systems audit.

A systems audit is an independent examination designed to determine whether adequate controls exist to ensure that the following corporate IT objectives have been met: Effectiveness, Efficiency, Compliance, Reliability of Information, Confidentiality, Integrity, and Availability. A systems security audit is designed to determine whether the information system has adequate security controls to ensure that the following IT security objectives have been met: Confidentiality, Integrity, and Availability. Systems audits are based on audit objectives, which are the goals an auditor wants to achieve through the audit. Methods and guides have been developed to help perform the systems audit. PwC has developed systems audit guides for many operating systems including Windows NT. In this chapter, we help you conduct a systems security audit on Windows NT by presenting the systems audit process and PwC's Windows NT Security Audit Program ("PwC-NTSAP").

The Systems Security Audit Process

The systems security audit process should be used as the framework for performing the PricewaterhouseCoopers' Windows NT Security Audit Program. The steps in the systems audit process are as follows:

  1. Gain an understanding.

  2. Define the scope.

  3. Review the controls.

  4. Report the findings.

Gaining an understanding involves gathering and reviewing background information about the IT organization, IT operations, network, applications, and Windows NT environment. Defining the scope involves reviewing the risk assessment conducted in Chapter 3, "Effective Security Management," and deciding on which systems should be audited. These systems should be the same as those deemed critical by the organization. Reviewing the controls involves inquiring and examining for appropriateness which Windows NT security control features have been implemented. Reporting findings involves drafting an audit report, which conveys the audit findings to management. The report should focus on corrective actions, which are steps that need to be taken to implement the deficient controls.

PricewaterhouseCoopers' Windows NT Security Audit Program (PwC-NTSAP)

PwC-NTSAP is designed to assist you in performing the systems audit process, focusing on IT security controls and Windows NT configurable security features. PwC-NTSAP accomplishes this process by identifying Windows NT security control features. PwC-NTSAP makes this identification by posing questions, presenting audit procedures that assist in answering the questions, and explaining how to examine the features.

Note: The features should be analyzed using the descriptions and guidance provided on configuring each security feature in Chapters 2 through 12, and the Baseline Security Configuration Matrix in Appendix A.

The PwC-NTSAP is primarily aimed at a Windows NT server installed as a PDC, but selectively applies to the following six different types of servers:

  1. Domain Controller

  2. File and Print Member Server

  3. Application Server: Web Server

  4. Application Server: Database Server

  5. Remote Access Server

  6. Workstation

All these servers come with network components fully enabled. When performing PwC-NTSAP, be aware that most Windows NT environments contain other components, including servers running other operating systems and network components such as hubs, routers, and firewalls. In addition, a Windows NT server may have applications resident, such as Microsoft Exchange or Microsoft SQL Server. Each application adds another layer of risk that needs to be analyzed in conjunction with the Windows NT servers. Application change management, development, and implementation, as well as the applications' use of Windows NT server security, need to be reviewed and audited to ensure that risks have been identified. PwC-NTSAP is not designed to identify these risks.

Background of the IT Environment

Before assessing the control environment, you need to understand the environment you plan to audit. The minimum amount of data required to understand the environment is subjective. However, we believe the following provide a reasonable basis to gain this understanding.

The objective of this audit is to understand the systems environment. The following sections detail the procedures involved in performing this audit.

Contacts in the IT Function and User Departments

If the audit is being performed in a sizeable IT department or by someone other than the system administrator, a list of primary IT contacts and their titles should be created. This point is very basic, but auditors can attest to how important it is to know who is responsible for what function. A handy way to gather contact information is to create a document that specifies each contact's name, job title, telephone number, fax number, and e-mail address.

Organizational Structure of the IT Function or User Departments

Understanding the organizational structure of the IT function or user departments will help the auditor understand whether IT duties are properly segregated, whether the company places importance on IT, and if the IT function is decentralized or highly leverages the user community. The auditor can answer the following questions to gain a better understanding of this.

  • What is the organizational structure of the IT department?

    Obtain an organization chart for the IT department. Focus on the number of people in the department, their segregation of duties, and where your primary contacts reside in the organization.

  • What is the organizational structure of the corporation?

    Obtain an organization chart for the corporation. Focus on the IT reporting structure to the company. This is an indicator of the level of importance the company places on IT.

  • Do any other departments have significant IT responsibilities for critical systems?

    Focus on the segregation of duties and on potential points of security control failure caused by duties being decentralized outside the span of IT control. For example, does the financial department download files to Excel spreadsheets that are manipulated and used to present financial data? At our clients' offices we have seen that most IT managers answer no to this question because they do not regard systems outside their control as critical. However, it is common to find remote offices with a low user count and a power user with administrator privileges who does not report to the IT department.

Operation of the IT Function

The operation of the IT function provides an understanding on whether the IT objectives that have been documented are aligned to the corporate business objectives, and whether the IT organization is capable of meeting these objectives. The following questions should provide this understanding:

  • Are the IT roles and responsibilities defined clearly?

  • Are the IT roles and responsibilities appropriate to the size of the organization?

  • Is the number of IT personnel appropriate to support the size of the organization?

  • Has there been significant turnover of IT personnel during the year?

  • Are the IT staff's skills appropriate to the complexity of the IT environment and industry?

  • Are there documented IT objectives consistent with the corporate business objectives?

  • Have the IT objectives been communicated and agreed to by senior management?

  • Do the users have a positive regard for the quality of service provided?

Overall System Structure

After reviewing the structure of the IT department and its relation to the corporation, gather an understanding of the overall system and network environment. A logical network diagram should suffice. Through this diagram, you should also gain a preliminary understanding of where the domain controller, backup domain controllers, file and print servers, application and database servers, RAS servers, Web servers, workstations, and any external connections reside. You should also note the instances and direction of trust relationships. The following points of focus should be covered for the overall system structure:

  • Is there a network diagram?

  • What Windows NT domain model is deployed?

  • Where are the PDCs and BDCs located?

  • Where are the other critical servers located?

  • What are the trust relationships?

  • Is there a connection to the Internet?

Computer Environment

After gaining an understanding of the system environment, focus on the detailed components of the system environment (such as hardware and application software), which is more commonly known as the computer environment. To fully analyze the system environment, consider the following questions:

  • What are the specifications of the critical computers?

    Examine the Windows NT version and service pack installed by choosing Start » Programs » Administrative Tools » Windows NT Diagnostics » Version.

    Examine which domain or workgroup the computer is a member of by choosing Start » Settings » Control Panel » Network » Identification.

    Examine whether the computer is a primary or backup domain controller or a workstation or a member server by choosing Start » Programs » Administrative Tools » Server Manager.

    Examine the file system by choosing Start » Programs » Administrative Tools » Disk Manager.

    Compile a list of your group's machines (specifying manufacturer and model # for each machine), their primary functions, the versions of Windows NT and Service Pack running on the machines, the domains or workgroups to which each machine is assigned, whether the machines are running PDC/BDC or Workstation, and whether the machines are using NTFS or FAT.

  • Do hardware service maintenance agreements exist for all major hardware components documented?

  • Does the number of Windows NT users equal the amount of licenses purchased?

  • What are the drives and their mappings? Examine the Drives dialog box by choosing Start » Programs » Administrative Tools » Windows NT Diagnostics » Drives.

  • How much memory resides on each computer? Examine the Memory tab by choosing Start » Programs » Administrative Tools » Windows NT Diagnostics » Memory.

Key Applications

Understanding the IT environment should include a review of the significant applications. This review identifies the computers where critical applications reside. Also, you should identify what versions of these applications are running on the machines and then ask the questions that follow. (Note that these questions do not pertain to only Windows NT, but contribute to the understanding of the overall IT environment.)

  • Do any of the applications utilize the Windows NT Remote Procedure Call facility?

  • Do any of the applications utilize NT account security?

Effective Security Management

The Effective Security Management control is often overlooked because most of the controls that are not features are "touchy feely" or intangible. Therefore, implementing and auditing these controls can be difficult. Effective Security Management involves corporate security awareness, senior management support on security issues, and a corporate security policy.

The objective of this audit is to determine whether security is being managed effectively. The following sections detail the procedures for this audit.

Corporate Security Policy

To ascertain the state of the current corporate security policy and to better direct the future of such a policy, answer the following questions:

  • Is there a documented corporate security policy?

  • Does the corporate security policy include the following sections: Mission Statement, Objectives and Scope, Definition of the Assets, Asset Owners, Security Roles and Responsibilities, Risk Assessment of the Assets, and Security Procedures Regarding the Assets?

  • Is there an awareness of and a commitment to the corporate security policies?

  • Did senior management review, support, and communicate their support of the corporate security policies?

  • Are users trained in security policies and procedures?

Legal Notice

Has a legal notice been implemented? To examine the legal notice, choose Start » Programs » Windows NT Explorer and execute Systemroot\system32\Regedt32.exe. Select HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and examine the LegalNoticeCaption (REG_SZ) and LegalNoticeText (REG_SZ) values.

Effective Security Monitoring

Monitoring controls are often overlooked, but can really aid management in determining whether systems have been secured. Monitoring controls include violation and exception reporting, which help management determine whether their systems are being compromised.

The objective of this audit is to determine whether security is being monitored effectively. The following sections detail the procedures for this audit.

Performance Monitor

Determine how effectively you are using the Performance Monitor by considering the following questions.

  • Is the Performance Monitor utility used to gather, analyze, and graphically display vital information? Examine Performance Monitor by choosing Start » Programs » Administrative Tools » Performance Monitor. Then answer the following questions.

  • Is Chart View used? Examine Chart View by choosing View » Chart.

  • What objects are tracked?

  • Why are these objects being tracked?

  • On what frequency are the charts viewed?

  • Is Alert View used? Examine Alert View by choosing View » Alert.

  • What objects are tracked?

  • Why are these objects being tracked?

  • What are the threshold values?

  • To whom are the alerts sent?

  • Is Log View used? Examine Log View by choosing View » Log.

  • What objects are tracked?

  • Why are these objects being tracked?

  • On what frequency are the logs viewed?

  • Are critical logs updated manually or periodically? If they are updated periodically, what is the interval set for updates?

  • Is Report View used? To access Report View, choose View » Report.

  • What objects are tracked?

  • Why are these objects being tracked?

  • On what frequency are the reports viewed?

  • Are critical reports updated manually or periodically? If they are updated periodically, what is the interval set for updates?

Network Monitor

To better direct your use of the Network Monitor utility, consider the following questions:

  • Is the Network Monitor utility being used to watch network traffic? If so, on what frequency is the Network Monitor utility used to monitor this traffic to and from the server? Examine Network Monitor by choosing Start » Administrative Tools » Network Monitor.

  • What network addresses, protocols, and protocol properties are monitored?

  • What triggers have been set for what conditions? Examine Triggers by choosing Capture » Triggers.

  • Are reviews conducted for identifying unauthorized copies of Network Monitor? Examine who else on the network has installed and is using Network Monitor by choosing Tools » Identify Network Monitor.

  • Are any third-party network monitoring tools used?

Auditing User Accounts

When preparing to perform an audit of User Accounts, consider the following questions:

  • Has User Account auditing been enabled? Examine User Account auditing by choosing Start » Administrative Tools » User Manager for Domains » Policies » Audit. Focus on whether the User and Group Management option is selected for success and/or failures. If this option is not selected, User Account auditing is not possible.

  • Which permissions are audited?

File and Directory Auditing

When preparing to perform a File and Directory audit, consider the following questions:

  • Has File and Directory auditing been enabled? Examine File and Directory auditing by choosing Start » Administrative Tools » User Manager for Domains » Policies » Audit. Focus on whether the Audit These Events option is selected. If this option is not selected, File and Directory auditing is not possible. Also focus on whether the File and Object Access option is highlighted.

  • On which Windows NT implementations do critical directories and files reside?

  • What auditing settings have been selected on these critical directories? Examine the audit settings selected by choosing Start » Programs » Windows NT Explorer, highlighting a directory and right-clicking the object to open its drop-down menu, and then choosing Properties. The Properties dialog box appears. Click on the Security tab and then click the Auditing button. A Directory Auditing dialog box appears. Focus on the appropriateness of the selected auditing settings.

Registry Auditing

When preparing to perform an audit of the Registry, consider the following questions:

  • Has Registry auditing been enabled? Examine whether Registry auditing is possible by choosing Start » Administrative Tools » User Manager for Domains » Policies » Audit. Focus on whether the Audit These Events option is selected. If this option is not selected, Registry auditing is not possible. Also focus on whether the File and Object Access option is highlighted. Examine the auditing selected on the Registry by choosing Start » Programs » Windows NT Explorer » Regedt32.exe. Select the subkey or value in question and choose Security » Auditing, and then answer the following questions.

  • Which Registry keys and subkeys are audited?

  • Which permissions are audited?

Printer Auditing

When preparing to perform an audit of your printers, consider the following questions:

  • Which printers are critical?

  • Is Printer auditing selected on critical printers? Examine whether Printer auditing is possible by choosing Start » Administrative Tools » User Manager for Domains » Policies » Audit. Focus on whether the Audit These Events option is selected. If this option is not selected, Printer auditing is not possible. Also, focus on whether the File and Object Access option is highlighted. Examine Printer auditing by choosing Start » Settings » Printers. Double-click on the printer you want to audit. Choose Printer » Properties. Click the Security tab and then click the Auditing button. The Printer Auditing dialog box appears. Ask which permissions are audited.

Remote Access Server (RAS) Auditing

When preparing to perform an audit of a Remote Access Server, consider the following questions:

  • Which computers offer remote access services?

  • Examine whether RAS auditing is possible by choosing Start » Administrative Tools » User Manager for Domains » Policies » Audit. Focus on whether the Audit These Events option is selected. If this option is not selected, RAS auditing is not possible. Examine if auditing is enabled on computers offering remote access services by choosing Start » Programs » Windows NT Explorer, executing Systemroot\system32\Regedt32.exe, and then selecting the HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\EnableAudit key. Focus on whether the DWORD value is 1.

Event Viewer

When attempting to utilize the Event Viewer in creating security logs, consider the following questions:

  • Is the Event Viewer used to log and monitor User Account, File and Directory, Registry, Printer, and RAS audit events? Examine the Security Log by choosing Start » Programs » Administrative Tools » Event Viewer » Log » Security. Focus on the nature of the events. To categorically view events, choose View » Filter events.

  • What is the policy for archiving the Event Logs? Examine the log settings by choosing Log » Log Settings. Click on Change Settings.

  • Which log settings are selected?

  • Is the Crash On Audit Fail feature implemented? Examine whether the feature is implemented by choosing Start » Programs » Windows NT Explorer, and then executing Systemroot\system32\Regedt32.exe. Select HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and then focus on whether the flag in the CrashOnAuditFail Registry key exists.

Securing Audit Logs

To ensure that your audit logs are secure, address the following question: are the Audit Logs properly secured? Examine the permissions on the Security Logs by choosing Start » Programs » Windows NT Explorer, and then selecting the systemroot\System32\CONFIG directory. Select each of the APPEVENT.EVT, SECEVENT.EVT, and SYSEVENT.EVT files, choose File » Properties » Security, and then choose Permissions.

Securing Physical Access to All Critical Systems

Physical access to all critical systems should be restricted. Implementing these controls ensures that unauthorized users cannot physically access your systems, which is the easiest way to access data.

The objective of this audit is to determine whether physical access to all critical systems is restricted. The following sections detail the procedures involved in performing this audit.

Computer Room and Communications Room Security

To assess the security of your computer room and your communications room, consider the following questions.

  • Does a lock restrict access to the computer room?

  • Are keys or locks to the computer room controlled by the Security Administrator?

  • For high traffic rooms, do visitors record their access to the computer room in a log?

  • Is access to the computer room limited to the operations staff?

  • Is the access list to the computer room reviewed on a regular basis?

  • Is the computer room monitored by cameras or a security guard?

  • Are backup tapes and other sensitive electronic media stored in a locked fireproof cabinet within the computer room?

  • Are backup tapes and other sensitive electronic media stored offsite?

  • Does the computer room contain a window viewable from the inside of the building?

  • Does the computer room contain a window viewable from the outside of the building?

Workstation Security

You should also ensure that the individual workstations within your system are secure. To assess the security of these workstations, consider the following questions:

  • Do cables or alarms secure workstations?

  • Are removable media drives, such as floppy, removable hard drives, writable CD-ROM, and portable streaming tape units, present on any workstations?

  • Have floppy drives been disabled? To examine whether floppy drives have been disabled, choose Start » Programs » Windows NT Explorer and execute Systemroot\system32\Regedt32.exe. Then select the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key and examine the AllocateFloppies value. Focus on whether the String value is 0.

  • Have compact disk drives been disabled? To examine whether compact disk drives have been disabled, choose Start » Programs » Windows NT Explorer and execute Systemroot\system32\Regedt32.exe. Then select the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key and examine the AllocateCDRoms value. Focus on whether the String value is 0.

  • Do workstations contain modems connected to telephone lines?

  • If workstations contain modems connected to telephone lines, is remote dial-in restricted? To examine the port configuration, choose Start » Settings » Control Panel » Network » Services » Remote Access Service » Properties. Highlight the device you want to examine and click the Configure button.

  • If workstations contain modems connected to telephone lines, is the Callback option enabled? To examine whether Callback is enabled, choose Start » Programs » Administrative Tools » Remote Access Admin. Users » Permissions. Focus on whether Callback is selected for each of the users who appear in the Grant Dial-in Permission to User field.

  • Are any of the telephone lines restricted to "dial-out only" by the telephone company?
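The Registry values this chapter asks you to inspect by hand in Regedt32 (the legal notice values under Winlogon, RemoteAccess\Parameters\EnableAudit, Lsa\CrashOnAuditFail, and the AllocateFloppies and AllocateCDRoms values above) can also be evaluated offline against a text export, which leaves a reviewable artifact for the working papers. The script below is an added example and not part of the chapter or of PwC-NTSAP. It assumes the three keys were exported from the audited computer with Regedit in REGEDIT4 text format; the sample export is constructed, and reading a missing or "0" AllocateFloppies/AllocateCDRoms value as a finding is my interpretation of the chapter's instruction to focus on whether the value is 0.

```python
"""Evaluate the chapter's Registry checks offline against a REGEDIT4 export.

Added example (not part of the chapter). Assumed workflow: export the Winlogon,
RemoteAccess\Parameters and Lsa keys from the audited computer with Regedit in
REGEDIT4 text format, then run this script against the resulting .reg file.
"""
import re
import sys

# Constructed sample export for demonstration: legal notice present,
# AllocateFloppies is "0", AllocateCDRoms is "1", RAS auditing on, and the
# Lsa key carries no CrashOnAuditFail value.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Authorized Use Only"
"LegalNoticeText"="This system is for authorized users. Activity may be monitored."
"AllocateFloppies"="0"
"AllocateCDRoms"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters]
"EnableAudit"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_regedit4(text):
    """Return {KEY PATH (upper-cased): {value name: value}} for a REGEDIT4 export.

    Quoted data becomes str, dword:XXXXXXXX becomes int, anything else
    (hex:... binary data) is kept as the raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        if current is None or line[0].isspace():
            continue  # continuation line of a multi-line hex value
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".upper()
RAS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters".upper()
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".upper()


def _nonempty(v):
    return isinstance(v, str) and v.strip() != ""


# (check id, key, value name, predicate). The predicate receives None when the
# value is absent. Treating "0" or a missing AllocateFloppies/AllocateCDRoms as
# a finding is my reading of "focus on whether the String value is 0".
CHECKS = [
    ("LegalNoticeCaption", WINLOGON, "LegalNoticeCaption", _nonempty),
    ("LegalNoticeText", WINLOGON, "LegalNoticeText", _nonempty),
    ("AllocateFloppies", WINLOGON, "AllocateFloppies", lambda v: v not in (None, "0")),
    ("AllocateCDRoms", WINLOGON, "AllocateCDRoms", lambda v: v not in (None, "0")),
    ("EnableAudit", RAS, "EnableAudit", lambda v: v == 1),
    ("CrashOnAuditFail", LSA, "CrashOnAuditFail", lambda v: v is not None),
]


def run_checks(keys):
    """Return [(check id, value found, passed)] for every check."""
    out = []
    for check_id, key, name, ok in CHECKS:
        value = keys.get(key, {}).get(name)
        out.append((check_id, value, bool(ok(value))))
    return out


def failed_checks(text):
    """Check ids that fail for the given REGEDIT4 export text."""
    return [c for c, _, passed in run_checks(parse_regedit4(text)) if not passed]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REG
    for check_id, value, passed in run_checks(parse_regedit4(text)):
        print(f"{'PASS' if passed else 'FAIL'}  {check_id:<20} value={value!r}")
```

Run it with the path of the exported .reg file as the only argument; with no argument it evaluates the constructed sample, which fails the AllocateFloppies and CrashOnAuditFail checks. Keep the export itself with the audit evidence, since the script only records what was true at export time.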

Network Access Points

Assess the security of your network access points by considering the following questions:

  • Are network access points restricted to active computers?

  • Are unused network access points physically secured via locking devices or disconnected?

Securing All External and Internal Network Connections

Most systems today are made up of many networked computers, which may physically reside in one room or across the world. Each connection to this network of computers creates a potential point of vulnerability. In addition, the transport of data across the network creates a potential vulnerability for the data. The controls assessed in this section focus on the network points of connection as well as data traversing the network.

The objective of this audit is to determine whether external and internal network connections are secure. The following sections detail the procedures involved in performing this audit.

Domain Administration

To perform the domain administration portion of this audit, consider the following questions:

  • What Windows NT domain model is deployed? To examine the domains in the network, choose Start » Programs » Administrative Tools » User Manager for Domains » User menu » Select Domain. Compare the visible domains with those presented in the network diagram.

  • Where are the PDC(s) and BDC(s) located? To examine the PDC(s) and BDC(s), choose Start » Programs » Administrative Tools » Server Manager.

  • What are the trust relationships? For each PDC examined, examine the trust relationships (trusted domains and trusting domains) between the domain being examined and other domains on the network by choosing Start » Programs » Administrative Tools » User Manager for Domains » Policies » Trust Relationships. Compare whether the relationships match those in the logical network diagram. You may find it helpful to create your own logical network diagram of the domains, using one- and two-way arrows to indicate trust relationships between the domains in the network.

Protocols

You should audit the security of the general protocols within your system. What protocols are deployed on the network and why were they selected? To examine the deployed protocols, choose Start » Settings » Control Panel » Network » Protocols tab.

To examine the security of your system's use of the TCP/IP protocol, consider the following questions:

  • Are simple TCP/IP services installed? To examine simple TCP/IP services, choose Start » Settings » Control Panel » Network » Services tab » Simple TCP/IP Services.

  • What are the TCP/IP settings? To examine the TCP/IP settings, choose Start » Settings » Control Panel » Network » Protocols tab » TCP/IP Protocol » Properties. Examine the IP address scheme specified. Click the TCP/IP Advanced button and examine the Gateways, and whether Enable PPTP Filtering and Enable Security have been selected. Click the Configure button. For each adapter, focus on whether packet filtering has been enabled by viewing the allowable TCP ports, UDP ports, and IP protocols.

Denial of Service Security Attacks

Have solutions been applied to some of the potential denial of service attacks? To examine the level of Service Pack applied, choose Start » Programs » Administrative Tools » Windows NT Diagnostics » Version tab. To examine whether hot fixes have been applied, go to Microsoft's web site and download HOTFIX.EXE. Run HOTFIX.EXE on the local computer and examine the list of hot fixes installed.

External Networking

To examine the external networking of your system, address the following questions:

  • Is there a connection to the Internet?

  • Is RAS being used?

  • Is any remote control software being used?

Windows NT Remote Access Services

To examine the Remote Access Services of your system, address the following questions:

  • Are remote access users monitored?

  • How is remote access authorization granted?

  • Are the RAS Servers domain members? To examine the Windows NT RAS configuration, choose Start » Programs » Administrative Tools » Remote Access Admin.

  • What remote access permissions are users granted? To examine these permissions, choose Start » Programs » Administrative Tools » Remote Access Admin » Users » Permissions. Focus on whether the users who appear in the Grant Dial-in Permission to User field should have remote access capability. In addition, for each user (if feasible), focus on whether the Callback option is selected, and how Callback is configured.

  • Are any of the telephone lines restricted to "dial-out only" by the telephone company?

  • What is the configuration for each RAS port? To examine the port configuration, choose Start » Settings » Control Panel » Network » Services tab » Remote Access Service » Properties. Highlight the device you want to examine and click the Configure button. Focus on the dial-out and dial-in protocols used. Click the Network button. Focus on the level of encryption settings.

Securing the System

Auditing whether the system is secure encompasses evaluating all the controls available to ensure your system and data are not accessible by unauthorized users. Because Windows NT's control capabilities are numerous, evaluating these controls can be a massive undertaking. To aid you in this task, we focus on four areas:

  • User Security Management

  • Resource Security Management

  • Server Security Management

  • System Security Management

These areas focus on overall user policies and rights, the use of groups, the file systems, services, and specifics on the Registry. The objective of this audit is to determine whether Users, Resources, the Server, and the System are secure. The following sections detail the procedures involved in performing this audit.

User Security Management—Group Accounts

To examine the group accounts within your system, address the following questions:

  • How are users and groups managed? Focus on whether users are assigned to global groups as a method of managing common permissions, rights and privileges, and whether users are ever assigned directly to local groups.

  • What are the rights assigned to the built-in local groups? To examine the built-in local groups, choose Start » Programs » Administrative Tools » User Manager for Domains » Policies » User Rights. Examine the rights assigned to the built-in local groups by scrolling through the various user rights. Don't forget to select Show Advanced Rights so all user rights can be viewed. Focus on the differences between our recommended group rights and those assigned to these groups. Table 13-1 and Table 13-2 can be used as a basis for documenting these rights and capabilities. Do not attempt to fill out the table from scratch; just document the changes.
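The instruction to document only the changes rather than refill the table is easiest to follow mechanically: transcribe the holders of each right from User Manager for Domains, diff them against the baseline, and write up only the deviations. The script below is an added example and not part of the chapter or of PwC-NTSAP. BASELINE is an excerpt of Table 13-1 as printed for domain controllers; OBSERVED is a constructed transcription (the "Helpdesk" group is invented), and the list of rights tagged HIGH is my choice, not the chapter's.

```python
"""Document deviations from the Table 13-1 baseline rather than refilling the table.

Added example, not part of the chapter. BASELINE is an excerpt of Table 13-1
(domain controllers); OBSERVED is a constructed transcription of what an auditor
might read from User Manager for Domains » Policies » User Rights (with Show
Advanced Rights selected).
"""

# Excerpt of Table 13-1: right -> built-in groups that hold it on a domain controller.
BASELINE = {
    "Log On Locally": {"Account Operators", "Administrators", "Backup Operators", "Guests",
                       "Print Operators", "Replicators", "Server Operators", "Users"},
    "Access This Computer from Network": {"Administrators"},
    "Take Ownership of Files or Other Objects": {"Administrators"},
    "Manage Auditing and Security Log": {"Administrators"},
    "Change the System Time": {"Administrators", "Server Operators"},
    "Shut Down the System": {"Account Operators", "Administrators", "Backup Operators",
                             "Print Operators", "Replicators", "Server Operators"},
    "Force Shutdown from a Remote System": {"Administrators", "Server Operators"},
    "Back Up Files and Directories": {"Administrators", "Backup Operators", "Server Operators"},
    "Restore Files and Directories": {"Administrators", "Backup Operators", "Server Operators"},
    "Act As Part of the Operating System": set(),
    "Debug Programs": {"Administrators"},
    "Load and Unload Device Drivers": {"Administrators"},
}

# Rights whose holders warrant the closest scrutiny (my choice, not the chapter's):
# each lets the holder bypass or silence the access controls the rest of the audit relies on.
SENSITIVE_RIGHTS = {
    "Act As Part of the Operating System",
    "Take Ownership of Files or Other Objects",
    "Manage Auditing and Security Log",
    "Debug Programs",
    "Load and Unload Device Drivers",
}

# Constructed observation: Everyone can reach the computer from the network, an
# invented "Helpdesk" group can debug programs, and Backup Operators have lost
# the backup right. Everything else matches the baseline.
OBSERVED = {right: set(groups) for right, groups in BASELINE.items()}
OBSERVED["Access This Computer from Network"] |= {"Everyone"}
OBSERVED["Debug Programs"] |= {"Helpdesk"}
OBSERVED["Back Up Files and Directories"] -= {"Backup Operators"}


def rights_delta(baseline, observed):
    """Return {right: (added, removed)} for every right whose holders differ."""
    delta = {}
    for right in sorted(set(baseline) | set(observed)):
        base, seen = baseline.get(right, set()), observed.get(right, set())
        added, removed = seen - base, base - seen
        if added or removed:
            delta[right] = (added, removed)
    return delta


def report(delta):
    """One finding line per deviation, tagged HIGH for sensitive rights."""
    lines = []
    for right, (added, removed) in delta.items():
        tag = "HIGH" if right in SENSITIVE_RIGHTS else "REVIEW"
        for group in sorted(added):
            lines.append(f"{tag}: '{group}' holds '{right}' but is not in the baseline")
        for group in sorted(removed):
            lines.append(f"{tag}: '{group}' lacks '{right}' although the baseline grants it")
    return lines


if __name__ == "__main__":
    print("\n".join(report(rights_delta(BASELINE, OBSERVED))))
```

Rights that are observed but absent from the baseline dictionary are reported too, so a transcription that includes every right shown with Show Advanced Rights selected will surface any right the excerpt does not cover; extend BASELINE with the remaining rows of Table 13-1 (and Table 13-2 for the other server types) before relying on the output.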

Table 13-1 Domain Controllers Rights and Capabilities

| Right or Capability | Account Operators | Administrators | Backup Operators | Guests | Print Operators | Replicators | Server Operators | Users |
|---|---|---|---|---|---|---|---|---|
| Standard Rights | | | | | | | | |
| Log On Locally | X | X | X | X | X | X | X | X |
| Access This Computer from Network | | X | | | | | | |
| Take Ownership of Files or Other Objects | | X | | | | | | |
| Manage Auditing and Security Log | | X | | | | | | |
| Change the System Time | | X | | | | | X | |
| Shut Down the System | X | X | X | | X | X | X | |
| Force Shutdown from a Remote System | | X | | | | | X | |
| Back Up Files and Directories | | X | X | | | | X | |
| Restore Files and Directories | | X | X | | | | X | |
| Advanced Rights | | | | | | | | |
| Act As Part of the Operating System | | | | | | | | |
| Bypass Traverse Checking | | | | | | | | |
| Create a Pagefile | | X | | | | | | |
| Create a Token Object | | | | | | | | |
| Create Permanent Shared Objects | | | | | | | | |
| Debug Programs | | X | | | | | | |
| Generate Security Audits | | | | | | | | |
| Increase Quotas | | X | | | | | | |
| Increase Scheduling Priority | | X | | | | | | |
| Load and Unload Device Drivers | | X | | | | | | |
| Lock Pages in Memory | | | | | | | | |
| Log On As a Batch Job | | | | | | | | |
| Log On As a Service | | | | | | | | |
| Modify Firmware Environment Variables | | X | | | | | | |
| Profile Single Process | | X | | | | | | |
| Profile System Performance | | X | | | | | | |
| Replace a Process Level Token | | | | | | | | |
| Built-in Capabilities | | | | | | | | |
| Create and Manage User Accounts | X | X | | | | | | |
| Create and Manage Local Groups | X | X | | | | | | |
| Create and Manage Global Groups | X | X | | | | | | |
| Assign User Rights | | X | | | | | | |
| Lock the Workstation/Server | | X | | | | | | X |
| Override the Lock of the Workstation/Server | | X | | | | | | X |
| Format Workstation/Server's Hard Disk | | X | | | | | | X |
| Create Common Groups | | X | | | | | | X |
| Keep Local Profile | | X | X | X | |

X

X

X

Share and Stop Sharing Directories

 

 

X

 

 

 

 

X

Share and Stop Sharing Printers

 

 

X

 

 

X

 

X

Table 13-2 Non-Domain Controllers Rights and Capabilities

Adm = Administrators, BO = Backup Operators, Gu = Guests, Rep = Replicators, PU = Power Users, Usr = Users. X = granted to the group; - = not granted.

Right or capability                            Adm  BO   Gu   Rep  PU   Usr

Standard Rights
Log On Locally                                 X    X    X    X    X    X
Access This Computer from Network              X    -    -    -    X    -
Take Ownership of Files or Other Objects       X    -    -    -    -    -
Manage Auditing and Security Log               X    -    -    -    X    -
Change the System Time                         X    -    X    -    X    -
Shut Down the System                           X    X    -    X    X    X
Force Shutdown from a Remote System            X    -    -    -    X    -
Back Up Files and Directories                  X    X    -    -    -    -
Restore Files and Directories                  X    X    -    -    -    -

Advanced Rights
Act As Part of the Operating System            -    -    -    -    -    -
Bypass Traverse Checking                       -    -    -    -    -    -
Create a Pagefile                              X    -    -    -    -    -
Create a Token Object                          -    -    -    -    -    -
Create Permanent Shared Objects                -    -    -    -    -    -
Debug Programs                                 X    -    -    -    -    -
Generate Security Audits                       -    -    -    -    -    -
Increase Quotas                                X    -    -    -    -    -
Increase Scheduling Priority                   X    -    -    -    -    -
Load and Unload Device Drivers                 X    -    -    -    -    -
Lock Pages in Memory                           -    -    -    -    -    -
Log On As a Batch Job                          -    -    -    -    -    -
Log On As a Service                            -    -    -    -    -    -
Modify Firmware Environment Variables          X    -    -    -    -    -
Profile Single Process                         X    -    -    -    -    -
Profile System Performance                     X    -    -    -    -    -
Replace a Process Level Token                  -    -    -    -    -    -

Built-in Capabilities
Create and Manage User Accounts                X    -    -    -    X    -
Create and Manage Local Groups                 X    -    -    -    X    -
Create and Manage Global Groups                -    -    -    -    -    -
Lock the Workstation/Server                    X    -    -    -    X    -
Override the Lock of the Workstation/Server    X    -    -    -    -    -
Format Workstation/Server's Hard Disk          X    -    -    -    -    -
Create Common Groups                           X    -    -    -    X    -
Keep Local Profile                             X    X    -    X    X    -
Share and Stop Sharing Directories             X    -    -    -    X    -
Share and Stop Sharing Printers                X    -    -    -    X    -
  • Are the group's members administratively and functionally appropriate?

  • What are the rights assigned to the additional local groups? To examine the additional local group's rights, choose Start » Programs » Administrative Tools » User Manager for Domains » Policies » User Rights. Examine the rights assigned to the local group by scrolling through the various user rights. Don't forget to select Show Advanced Rights so all user rights can be viewed. Focus on assessing whether the global groups or possibly users are administratively and functionally appropriate for the groups they are assigned.

  • What are the rights assigned to the built-in and additional significant global groups? Global groups receive rights only through the local groups they belong to. To examine them, choose Start » Programs » Administrative Tools » User Manager for Domains » Policies » User Rights, and identify the local group(s) of which each global group is a member by scrolling through the various user rights. Don't forget to select Show Advanced Rights so all user rights can be viewed. Focus on assessing whether the users are administratively and functionally appropriate members of the group. Focus only on critical global groups.

User Security Management—User Accounts

To examine the user accounts within your system, address the following questions:

  • What are the properties of the two built-in user accounts? To examine the accounts, choose Start » Programs » Administrative Tools » User Manager for Domains. Determine whether the Administrator or Guest accounts exist in the User Account list. Either double-click on the desired account or highlight it and select User » Properties. If either account is enabled, examine whether the following check boxes are selected:

  • User Cannot Change Password

  • Password Never Expires

  • Account Disabled

  • Has the Administrator account been renamed? If the Administrator account has been renamed, execute the preceding procedure for the renamed account.

  • Is a password set for each of the built-in accounts? To examine whether these accounts have passwords, try to log on to the accounts from the Windows NT Logon dialog box with a blank password. Coordinate the attempt with the administrator: each failed attempt is recorded in the Security log when Logon and Logoff auditing is enabled, and counts toward account lockout for accounts that are subject to it (the built-in Administrator account is not locked out by the account policy, even when renamed).

  • What are the properties for all other significant accounts? To examine the properties, choose Start » Programs » Administrative Tools » User Manager for Domains » User » Properties.

  • To which groups do the significant user accounts belong? To examine the groups to which the user belongs, click the Groups button. Focus on whether the user is an administratively and functionally appropriate member of the groups of which it is a member.

  • What is the User Environment Profile configuration for the significant accounts? To examine the profiles, click the Profile button. Focus on whether logon scripts and profiles have been implemented. Also focus on whether a home directory has been established. Inquire on the specific contents of the logon script.

  • What are the valid logon hours for all significant accounts? To examine the logon hours click the Hours button. Focus on whether all users have all hours allowed, and whether hours are commensurate with a user's functional and administrative need.

  • From which workstations can the significant accounts log on? To examine the workstations from which the account is able to log on, click the Logon To button. Focus on comparing the applicability of the feature to the environment, and on which users are restricted.

  • Which accounts have expiration dates? Focus on any temporary accounts. For those identified accounts, examine whether the account has an expiration date by clicking the Account button.

  • Which accounts have dialin capability? To examine whether an account has dialin capability, click the Dialin button. Focus on comparing whether the access granted is commensurate with a user's functional and administrative need.

User Security Management—Account Policies

To examine the account policies within your system, answer this question: What is the account policy? Examine the account policy for all accounts by choosing Start » Programs » Administrative Tools » User Manager for Domains » Policies » Account. Focus on each of the following account policy settings:

  • Maximum Password Age (days)

  • Minimum Password Age (days)

  • Minimum Password Length (characters)

  • Password Uniqueness (passwords)

  • Account Lockout

  • Account Lockout (bad attempts)

  • Account Lockout (reset count after, in minutes)

  • Lockout Duration (minutes)

  • Forcibly disconnect remote users from server when logon hours expire

  • Users must log on in order to change password
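The same policy can be captured from the command line with `net accounts` (on the domain controller, or `net accounts /domain` from a member) and checked offline. The following Python script is an added example and is not code from the chapter or a Microsoft tool. It parses a capture in the layout `net accounts` prints on Windows NT 4.0 (the sample text is constructed) and reports every setting that misses a baseline. The threshold values in BASELINE are the editor's illustrative assumptions; the chapter lists the settings without target values, so substitute the organization's own policy.

```python
"""Audit a Windows NT account policy captured with `net accounts`.

Added example; not from the chapter or from Microsoft. The thresholds in
BASELINE are an illustrative hardening baseline chosen for this example.
"""

# Constructed sample capture: a domain still running the installation defaults.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# `net accounts` label -> the User Manager for Domains account policy setting.
FIELDS = {
    "Force user logoff how long after time expires?": "forcibly_disconnect",
    "Minimum password age (days)": "min_password_age",
    "Maximum password age (days)": "max_password_age",
    "Minimum password length": "min_password_length",
    "Length of password history maintained": "password_uniqueness",
    "Lockout threshold": "lockout_bad_attempts",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_reset_count",
}


def parse_net_accounts(text):
    """Return {setting: int or None}; Never/None/Unlimited become None."""
    policy = {}
    for line in text.splitlines():
        label, sep, raw = line.partition(":")
        key = FIELDS.get(label.strip())
        if not sep or key is None:
            continue
        raw = raw.strip()
        if raw.lower() in ("never", "none", "unlimited"):
            policy[key] = None
        elif raw.isdigit():
            policy[key] = int(raw)
    return policy


# setting -> (predicate that passes, finding reported when it fails).
# None stands for Never/None. For lockout_duration that means "until an
# administrator unlocks", the strictest choice, so it passes; elsewhere it fails.
BASELINE = {
    "max_password_age": (lambda v: v is not None and v <= 90,
                         "passwords never expire or expire after more than 90 days"),
    "min_password_age": (lambda v: v is not None and v >= 1,
                         "passwords may be changed back immediately, defeating the history"),
    "min_password_length": (lambda v: v is not None and v >= 8,
                            "minimum password length is below 8 characters"),
    "password_uniqueness": (lambda v: v is not None and v >= 6,
                            "fewer than 6 previous passwords are remembered"),
    "lockout_bad_attempts": (lambda v: v is not None and v <= 5,
                             "account lockout is off or allows more than 5 bad attempts"),
    "lockout_duration": (lambda v: v is None or v >= 30,
                         "locked accounts unlock in under 30 minutes"),
    "lockout_reset_count": (lambda v: v is not None and v >= 30,
                            "bad-attempt counter resets in under 30 minutes"),
    "forcibly_disconnect": (lambda v: v is not None,
                            "remote users are not disconnected when logon hours expire"),
}


def audit_account_policy(text, baseline=BASELINE):
    """Return sorted (setting, finding) pairs for every setting that misses the baseline."""
    policy = parse_net_accounts(text)
    return sorted((key, finding) for key, (ok, finding) in baseline.items()
                  if not ok(policy.get(key)))


if __name__ == "__main__":
    for key, finding in audit_account_policy(SAMPLE_NET_ACCOUNTS):
        print(f"FINDING {key}: {finding}")
```

Run against the sample, the script reports five findings (no lockout, no password history, zero minimum age and length, and no forced disconnect); a capture from a hardened domain produces an empty list, which is the condition to assert in a repeatable audit.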

Auditing User Rights

To audit the user rights within your system, address the following questions:

  • Which accounts have been granted which user rights? For each right, examine the user rights policy by choosing Start » Programs » Administrative Tools » User Manager for Domains » Policies » User Rights. Focus on the functional and administrative appropriateness of the users or groups who were granted the right.

  • Which accounts have been granted which advanced user rights? For each right, examine the advanced user rights policy by choosing Start » Programs » Administrative Tools » User Manager for Domains » Policies » User Rights, selecting Show Advanced User Rights, and scrolling down through the list of rights. For each right, focus on the functional and administrative appropriateness of the users or groups who were granted the right.

Resource Security Management—File Systems

To examine the security of file systems within your network, address this question: Which file system is deployed? To examine the deployed file system, choose Start » Programs » Administrative Tools » Disk Administrator. If NTFS is not the deployed file system, inquire on the reasoning for selecting FAT. FAT volumes carry no file or directory permissions, so every file on them is fully accessible to any user who can log on locally, and over the network only the share permission stands between the data and the user.

Resource Security Management/File and Directory Permissions

To audit the file and directory permissions within your network, address the following questions:

  • Which directories, subdirectories, and files are critical?

  • What are the permissions on the critical files? To examine the permissions, choose Start » Programs » Windows NT Explorer. Select the file and choose File » Properties » Security. Choose Permissions. Focus on whether the owner, user, and group access is functionally and administratively appropriate.

  • What are the permissions on the critical directories? To examine the permissions, choose Start » Programs » Windows NT Explorer. Select the directory and then choose File » Properties » Security. Choose Permissions. Focus on whether the owner, and user and group access is functionally and administratively appropriate.

  • What are the permissions on the critical systems directories? To examine these permissions, choose Start » Programs » Windows NT Explorer. Select the directory or file, choose File » Properties » Security, and then choose Permissions. Document any differences between the default permissions and the actual permissions.
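Documenting differences from the default permissions is easier from a text capture than from the Permissions dialog. The following Python script is an added example, not code from the chapter or a Microsoft tool: on the NT 4.0 system, `cacls %SystemRoot%\system32\config %SystemRoot%\repair > acls.txt` captures the ACLs of the Registry hive directories, and the script compares the capture with the permissions the chapter recommends for those two directories (in the Registry section later in this chapter). The capture below is constructed in the layout cacls prints; the script assumes object paths contain no spaces, because cacls separates a path from its first ACE with a single space.

```python
"""Compare `cacls` output with a recommended-permissions baseline.

Added example; not from the chapter or from Microsoft. Paths in the
capture are assumed to contain no spaces.
"""
import re

# Constructed sample: hive directory left with Everyone: Change, and a
# world-readable repair directory (the ERD copy of the SAM lives there).
SAMPLE_CACLS = r"""C:\WINNT\system32\config BUILTIN\Administrators:(OI)(CI)F
                         Everyone:(OI)(CI)C
                         CREATOR OWNER:(OI)(CI)(IO)F
                         NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\WINNT\repair BUILTIN\Administrators:(OI)(CI)F
                Everyone:(OI)(CI)R
"""

# account:(inheritance flags)permission, e.g. "Everyone:(OI)(CI)R";
# "(special access:)" introduces an ACE that cacls lists as individual rights.
ACE_RE = re.compile(r"^(?P<account>.+?):(?:\([A-Z]+\))*(?P<perm>F|C|W|R|N|\(special access:\))$")

# The chapter's recommendations for the hive directories; List is read-level.
BASELINE = {
    r"c:\winnt\system32\config": {"Administrators": "F", "Everyone": "List",
                                  "CREATOR OWNER": "F", "SYSTEM": "F"},
    r"c:\winnt\repair": {"Administrators": "F"},
}
RANK = {"N": 0, "List": 1, "R": 1, "special": 1, "W": 2, "C": 3, "F": 4}


def parse_cacls(text):
    """Return {path (lower case): [(account, perm)]}. The BUILTIN\\ and
    NT AUTHORITY\\ prefixes are dropped so names match User Manager."""
    acls, path = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            ace = line.strip()
        else:                                  # "<path> <first ACE>"
            path, _, ace = line.partition(" ")
            path = path.lower()
            acls[path] = []
        m = ACE_RE.match(ace)
        if m and path is not None:             # right-name lines do not match
            account = m.group("account").rsplit("\\", 1)[-1]
            perm = "special" if m.group("perm").startswith("(") else m.group("perm")
            acls[path].append((account, perm))
    return acls


def audit_acls(text, baseline=BASELINE):
    """Return (path, finding) pairs: principals not in the baseline, principals
    above their baseline level, and baseline principals that are missing."""
    acls, findings = parse_cacls(text), []
    for path, expected in baseline.items():
        actual = dict(acls.get(path, []))
        if not actual:
            findings.append((path, "no ACL captured"))
            continue
        for account, perm in actual.items():
            want = expected.get(account)
            if want is None:
                findings.append((path, f"{account} has {perm} but is not in the baseline"))
            el if False else None
        for account in sorted(expected.keys() - actual.keys()):
            findings.append((path, f"{account} is missing (baseline grants {expected[account]})"))
    return findings
```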

Resource Security Management—Shared File and Directory Permissions

To audit the security of the shared file and directory permissions within your network, address this question: What shares and permissions have been placed on the previously identified directories? To examine each significant directory's shares, choose Start » Programs » Administrative Tools » Server Manager » Computer menu » Shared Directories. For each share, click Properties. Focus on whether user and group access is functionally and administratively appropriate. Note that a new share defaults to Everyone: Full Control, and that effective access over the network is the more restrictive of the share permission and the NTFS permission; on a FAT volume the share permission is the only control.

Resource Security Management—Managing Printers

To manage the printers within your network, address the following questions:

  • What printers are critical?

  • What permissions have been set on the critical printers? To examine each printer, choose Start » Settings » Printers. Select the critical printer and choose File » Properties » Security tab. Choose Permissions. Focus on whether user and group access is functionally and administratively appropriate.

Server Security Management

What computers reside on the domain? To examine the list of computers on the domain, choose Start » Programs » Administrative Tools » Server Manager. Then choose Domain Members Only. With the administrator, review the list of computers that are members of the domain for appropriateness. Note that Windows 95, Windows 98, Windows for Workgroups, and MS-DOS clients do not appear in this list, because they have no computer accounts in the domain.

Server Security Management—Computer Properties

Is the Properties dialog box (Computer » Properties) used as a method of monitoring and controlling connections to the server and domain?

Server Security Management—Users

Is the User Sessions dialog box (Computer » Properties » Users button) used as a method of monitoring and controlling the users connected to the server and domain?

Server Security Management—Shares

Is the Shared Resources dialog box (Computer » Properties » Shares button) used as a method of monitoring and controlling shares on the server and other computers in the domain?

Server Security Management—In Use

Is the Open Resources dialog box (Computer » Properties » In Use button) used as a method of monitoring and controlling network usage of shares?

Server Security Management—Replication

Is replication used to maintain identical directory trees and files on multiple servers and workstations? Focus on the nature of the directories and files being replicated.

Is there a replication user account with appropriate rights? To examine the account, choose Start » Programs » Administrative Tools » User Manager for Domains. To focus on whether the account exists and is a member of the Replicator local group, choose User » Properties and click the Groups button.

Does the Replicator local group have appropriate rights? To examine the rights of the Replicator group, choose Start » Programs » Administrative Tools » User Manager for Domains » Policies » User Rights. Examine each right and focus on the rights that have been granted to the Replicator group.

Is the Replicator service running? To examine whether the Replicator service is running, choose Start » Programs » Administrative Tools » Server Manager » Computer » Services, and double-click on the Directory Replicator service. Focus on whether the service is started automatically, and whether the account specified is the one designated for replication.

Are the files and computers designated for import and export replication appropriate? To examine the configuration of the Replication dialog box, choose Start » Programs » Administrative Tools » Server Manager » Computer » Properties, and then click the Replication button.

Do locks exist on the subdirectories in the replicated directory? To examine the Manage Exported Directories dialog box, click the Manage button for Export Directories. Also, focus on whether the Wait Until Stabilized and Entire Subtree check boxes are selected.

Server Security Management—Alerts

Who is receiving administrator alerts? To examine the list of users receiving alerts, choose Start » Programs » Administrative Tools » Server Manager » Computer » Properties and then click the Alerts button. Focus on the appropriateness of the users selected to receive alerts.

Server Security Management—Services

Which services are running on critical computers? To examine the services, choose Start » Programs » Administrative Tools » Server Manager, highlight the critical computer, and choose Services from the Computer menu.

System Security Management—Registry

To examine the security of the Registry, address the following questions:

  • Has REGEDT32.EXE been removed from workstations? To examine a sample of workstations, choose Start » Programs » Windows NT Explorer » systemroot\system32\. Windows NT also ships REGEDIT.EXE in the same directory, so check for both. Removing the editors is only a deterrent, because a user can copy them from another system; the System Policy setting Disable Registry editing tools (see System Policy Editor, later in this chapter) and the key permissions examined below are the actual controls.

  • Are Registry file and directory permissions appropriate for groups with access? The Registry hives are ordinary files under systemroot\system32\config, and the Emergency Repair information (including the SAM copy written by rdisk /s) is under systemroot\repair; anyone who can write to the first directory can replace the account database for the next boot, and anyone who can read the second can take it away and crack it offline. To examine the directory permissions, choose Start » Programs » Windows NT Explorer and select the directory. Choose File » Properties » Security, and then choose Permissions. Focus on any changes from the following table.

    Directory                  Recommended permissions

    \winnt\system32\config     Administrators: Full Control
                               Everyone: List
                               CREATOR OWNER: Full Control
                               SYSTEM: Full Control

    \winnt\repair              Administrators: Full Control

  • Does the Prevent Remote Editing key exist? To examine whether the key exists, choose Start » Programs » Windows NT Explorer and execute Systemroot\system32\Regedt32.exe. Select HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg. The permissions on this key (not a value under it) determine who may connect to the Registry over the network; when the key is absent, any user who can reach the computer can open its Registry remotely, subject only to the permissions on the individual keys.

  • What permissions have been set for the Registry keys? To examine the permissions, choose Start » Programs » Windows NT Explorer, execute Systemroot\system32\Regedt32.exe, select each key, and then choose Security » Permissions. Focus on comparing the permissions with those in the following list. "Everyone: read-only" means change the Everyone entry to Special Access with Query Value, Enumerate Subkeys, Notify, and Read Control only.

    HKEY_CLASSES_ROOT (and all subkeys)
      Everyone: read-only

    HKLM\SOFTWARE
      Everyone: read-only

    HKLM\SOFTWARE\Microsoft\RPC (and all subkeys)
      Everyone: read-only

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and its subkeys AeDebug, Compatibility, Drivers, Embedding, Fonts, FontSubstitutes, FontDrivers, FontMapper, FontCache, GRE_Initialize, MCI, MCI Extensions, Port (and all subkeys), Type1Installer, ProfileList, Windows3.1MigrationStatus (and all subkeys), WOW (and all subkeys)
      Everyone: read-only

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerfLib
      Remove Everyone: Read; add INTERACTIVE: Read

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      Everyone: read-only

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      CREATOR OWNER: Full Control; Administrators: Full Control; SYSTEM: Full Control; Everyone: Read

    HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
      Administrators: Full Control

    HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Shares
    HKLM\SYSTEM\CurrentControlSet\Services\UPS
      Everyone: read-only

    HKEY_USERS\.DEFAULT
      Everyone: read-only

  • What are the Registry key values? To examine the values, choose Start » Programs » Windows NT Explorer, execute Systemroot\system32\Regedt32.exe, and select each key listed below; its values appear in the right-hand pane (Security » Permissions shows the key's access control list, not its data). Focus on comparing the values with those in the following table. Note that AllocateFloppies and AllocateCDRoms do not disable the drives: a value of 1 allocates the drive to the interactively logged-on user, so that no other session or network client can read the inserted media.

    Registry key / value name                   Data type     Controls

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      AllocateCDRoms                            String        Restrict CD-ROM to the interactive user
      AllocateFloppies                          String        Restrict floppy drive to the interactive user
      AutoAdminLogon                            String        Automatic logon
      CachedLogonsCount                         String        Disable caching of logon credentials
      DontDisplayLastUserName                   String        Do not display last user to log on
      LegalNoticeText                           String        Legal notice
      ShutdownWithoutLogon                      String        Shut down without logging on

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      CrashOnAuditFail                          DWORD         Shut down on full audit log
      FullPrivilegeAuditing                     Binary        Enable auditing of rights
      LMCompatibilityLevel                      DWORD         LanManager password hash support
      Notification Packages                     Multi String  Password filtering
      RestrictAnonymous                         DWORD         Null credentials (anonymous) logon
      SubmitControl                             DWORD         Schedule service

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
      ClearPageFileAtShutdown                   DWORD         Page file clearing

    HKLM\SYSTEM\CurrentControlSet\Services\Cdrom
      Autorun                                   DWORD         Disable Autorun

    HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters
      EnableAudit                               DWORD         RAS auditing

    HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<logname>
      RestrictGuestAccess                       DWORD         Secure event log viewing
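Reading these values one key at a time in REGEDT32 does not scale past a handful of computers. The following Python script is an added example, not code from the chapter or from Microsoft: on the NT 4.0 system, `regedit /e <file> "<key>"` (regedit.exe ships beside regedt32.exe) writes a REGEDIT4 text export of each key in the table, and the script parses the concatenated exports and reports every value that misses a hardening baseline. The expected values in BASELINE are the editor's assumptions inferred from each row's description (the chapter names keys and values only); the DefaultPassword check is an addition, because AutoAdminLogon stores the logon password in that value in cleartext. The same script covers the AllocateFloppies and AllocateCDRoms check that Fending off Viruses, below, repeats. The export below is constructed.

```python
"""Check a REGEDIT4 export against a Registry hardening baseline.

Added example; not from the chapter or from Microsoft. BASELINE holds
the editor's assumed target values, not values stated in the chapter.
"""
import re

# Constructed sample export: a workstation before hardening.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultPassword"="Winter99"
"CachedLogonsCount"="10"
"DontDisplayLastUserName"="0"
"LegalNoticeText"=""
"ShutdownWithoutLogon"="1"
"AllocateFloppies"="0"
"AllocateCDRoms"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"LMCompatibilityLevel"=dword:00000002
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000001
"""

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def decode_data(data):
    """REGEDIT4 data field -> str (REG_SZ), int (dword), list[str] (hex(7),
    REG_MULTI_SZ: NUL-separated, double-NUL terminated) or bytes (other hex)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":
            return [s for s in raw.decode("latin-1").split("\x00") if s]
        return raw
    return data


def parse_regedit4(text):
    """Return {key path (lower case): {value name: decoded data}}."""
    reg, key = {}, None
    # A long hex value continues on the next line after a trailing backslash.
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
        elif key is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                reg[key][m.group(1)] = decode_data(m.group(2))
    return reg


WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
MEMORY = r"hkey_local_machine\system\currentcontrolset\control\session manager\memory management"
CDROM = r"hkey_local_machine\system\currentcontrolset\services\cdrom"

# (key, value name, predicate on the decoded value, finding). A missing value
# is passed as None, so unsafe defaults (e.g. RestrictAnonymous absent) are reported.
BASELINE = [
    (WINLOGON, "AutoAdminLogon", lambda v: v in (None, "0"), "automatic logon is enabled"),
    (WINLOGON, "DefaultPassword", lambda v: v is None, "cleartext DefaultPassword is stored"),
    (WINLOGON, "CachedLogonsCount", lambda v: v == "0", "domain logon credentials are cached locally"),
    (WINLOGON, "DontDisplayLastUserName", lambda v: v == "1", "last logged-on user name is displayed"),
    (WINLOGON, "LegalNoticeText", lambda v: bool(v), "no legal notice is shown at logon"),
    (WINLOGON, "ShutdownWithoutLogon", lambda v: v == "0", "shutdown is possible without logging on"),
    (WINLOGON, "AllocateFloppies", lambda v: v == "1", "floppy drive is not restricted to the interactive user"),
    (WINLOGON, "AllocateCDRoms", lambda v: v == "1", "CD-ROM drive is not restricted to the interactive user"),
    (LSA, "RestrictAnonymous", lambda v: v == 1, "null-session (anonymous) enumeration is allowed"),
    (LSA, "LMCompatibilityLevel", lambda v: isinstance(v, int) and v >= 2, "LanManager hashes are sent on the wire"),
    (LSA, "Notification Packages", lambda v: isinstance(v, list) and "PASSFILT" in v, "PASSFILT password filter is not loaded"),
    (MEMORY, "ClearPageFileAtShutdown", lambda v: v == 1, "page file is not cleared at shutdown"),
    (CDROM, "Autorun", lambda v: v == 0, "CD-ROM Autorun is enabled"),
]


def audit_registry(text, baseline=BASELINE):
    """Return [(value name, finding)] for every baseline entry the export fails."""
    reg = parse_regedit4(text)
    return [(name, finding) for key, name, ok, finding in baseline
            if not ok(reg.get(key, {}).get(name))]


if __name__ == "__main__":
    for name, finding in audit_registry(SAMPLE_EXPORT):
        print(f"FINDING {name}: {finding}")
```

Against the sample, ten of the thirteen checks fail; only the CD-ROM allocation, the LMCompatibilityLevel of 2 and the page-file clearing pass. Treat CrashOnAuditFail, which the table lists but the script leaves out, as a separate decision: it halts the server when the Security log fills, which trades availability for a guarantee that no action goes unaudited.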

System Security Management—System Policy Editor

What system policies have been established? To examine the policies, choose Start » Programs » Administrative Tools » System Policy Editor » File » Open Policy. Focus on any .POL and .ADM files. Open each .POL or .ADM file and document the groups and policies. Focus on the policies for the following network and computer features:

  • Network Features

    Shell » Restrictions » Remove Run command from Start menu

    Shell » Restrictions » No Entire Network in Network Neighborhood

    Shell » Restrictions » Don't save settings at exit

    System » Restrictions » Disable Registry editing tools

    Windows NT Shell » Restrictions » Remove the "Map Network Drive" and "Disconnect Network Drive" options

  • Computer Features

    Windows NT Remote Access » Max number of unsuccessful authentication retries

    Windows NT Remote Access » Max time limit for authentication

    Windows NT Remote Access » Auto disconnect

    Windows NT System » Logon » Logon banner

    Windows NT System » Logon » Enable shutdown from Authentication dialog box

    Windows NT System » Logon » Do not display last logged on user name

System Security Management—Workstation Lockout

Is the Workstation Lockout feature utilized? To examine the feature for critical computers and sample noncritical computers, choose Start » Settings » Control Panel » Display » Screen Saver. Focus on whether the password protection feature has been selected and if the value for the number of minutes before the lockout invokes is reasonable.

Ability to Recover from Operational Failure

The ability to recover from operational failure is often neglected. However, the ramifications of not being able to recover from a failure may be devastating to the business. Therefore, we focus on examining the security controls relating to recoverability.

The objective of this audit is to determine the level of ability to recover from operational failure. The following sections detail the procedures involved in performing this audit.

Environmental Protection

To perform the Environmental Protection section of the Ability to Recover from Operational Failure audit, address the following questions:

  • Are the building and computer room structurally sound enough to resist any probable weather or geological activity?

  • Is the computer room floor static resistant?

  • Is the computer room floor elevated?

  • Is the computer room large enough to accommodate growth?

  • Is the computer room large enough to move within while installing and maintaining equipment?

  • Is the computer room humidity and temperature controlled, and are these systems redundant?

  • Are systems designed to shut down in the event humidity or temperature exceeds a predetermined critical point?

  • Is power to the computer room clean (free from significant spikes or surges), and supplied through wiring that is fire- and smoke-retardant?

  • Is the computer room equipped with smoke and fire detectors?

  • Is the computer room equipped with fire extinguishers that are nondamaging to equipment?

  • Is the computer room equipped with a fire suppression system that is nondamaging to equipment?

Fending off Viruses

To perform the Fending off Viruses section of the Ability to Recover from Operational Failure audit, address the following questions:

  • Are precautions taken to minimize the potential introduction of viruses? Focus on the following points.

    Are floppy and CD-ROM drives restricted? AllocateFloppies and AllocateCDRoms do not disable the drives; a value of 1 allocates the drive to the interactively logged-on user, so that no other session or network client can read the inserted media. To examine the settings, choose Start » Programs » Windows NT Explorer and execute Systemroot\system32\Regedt32.exe. Select HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and focus on whether the String values AllocateFloppies and AllocateCDRoms are 1. Physically disabling or removing a drive is a hardware or BIOS measure, not a Registry setting.

    Do strong company policies exist to discourage users from downloading information from the Internet?

    Are file permissions set to Read and Execute only for all program directories available on the Windows NT server and workstation? To examine the permissions, choose Start » Programs » Windows NT Explorer. Select the directory and choose File » Properties » Security. Then choose Permissions.

    Are new applications installed on a test computer not attached to the network?

  • Are virus detection programs installed to prevent viruses from causing destructive events?

Fault Tolerance

To perform the Fault Tolerance section of the Ability to Recover from Operational Failure audit that deals with disk mirroring and data striping, address the following question: Are the storage drives redundant, and at what level? To examine the drives, choose Start » Programs » Administrative Tools » Disk Administrator. Focus on the number and type of drives and their configuration, including whether they are stripe sets or mirror sets. If a stripe set is used, focus on whether it is a stripe set with parity; a plain stripe set provides no redundancy, and the loss of one member loses the whole set.

Fault Tolerance—UPS

To perform the Fault Tolerance section of the Ability to Recover from Operational Failure audit that deals with the uninterruptable power supply, address the following questions:

  • Is an uninterruptable power supply used to ensure "clean" reliable power? If the Windows NT UPS feature is used, examine it by choosing Start » Settings » Control Panel. Then double-click the UPS icon. Focus on comparing the values selected to those in the following table.

    UPS feature                                               Recommended setting

    Power Failure Signal                                      Selected
    Low Battery Signal (at least 2 minutes before shutdown)   Selected
    Remote UPS Shutdown                                       Selected
    Execute Command File                                      Selected
    Time between Power Failure and Initial Warning Message    5 seconds
    Delay between Warning Messages                            300 seconds

  • Which users receive the UPS Alerts? To examine which users receive Alerts, choose Start » Programs » Administrative Tools » Server Manager » Computer » Properties » Alert.

Data Backup

To perform the Data Backup section of the Ability to Recover from Operational Failure audit, address the following questions:

  • What is the company's backup and archiving strategy? Focus on the type of media (tape, hard disk, optical media, and floppy disk), backup application (NT Backup Utility, third-party application), type of backup (full, incremental, and differential), rotation and archive schedule (real time, daily, weekly, and monthly), and storage location (onsite versus offsite).

  • Is the Backup Operators group membership appropriate? To examine the membership, choose Start » Programs » Administrative Tools » User Manager for Domains. Double-click on the Backup Operators group. Examine the group's members. Are the rights assigned to the Backup Operators group appropriate? To examine the rights, choose Start » Programs » Administrative Tools » User Manager for Domains » Policies » User Rights. Examine each right and focus on which rights are granted to the Backup Operators group.

  • Is the Registry backed up through the Emergency Repair Disk, tape backup (either Windows NT Backup with the Backup Local Registry check box selected, or a third-party tape backup system), or REGBACK.EXE? If the Registry is backed up with the Windows NT Backup utility, inquire how the registries on other computers are backed up, since Backup Local Registry covers only the computer running the backup.

  • Is a backup log maintained? Examine the log file. The path for the log file is displayed in the Backup Information dialog box, which can be launched by choosing Start » Programs » Administrative Tools » Backup » Operations » Backup. Focus on whether a log is maintained, and whether log in Full Detail is selected.

Data Recovery

To perform the Data Recovery section of the Ability to Recover from Operational Failure audit, address the following question: What is the frequency of backup testing? To examine any backups recovered to a test computer, load the backup tape and choose Start » Programs » Administrative Tools » Backup » Window » Tapes. Select the tape or backup set that you want to restore, and then choose Operations » Catalog. Select the first file, hold down the Ctrl key, and select the other files. Choose Select » Check and then choose Operations » Restore.

Business Continuity Planning

To perform the Business Continuity Planning section of the Ability to Recover from Operational Failure audit, address the following question: What are the company's contingency plans? Focus on the appropriateness of the Disaster Recovery and Business Continuity plans based on the risk analysis.

Last Known Good Configuration

To perform the Last Known Good Configuration section of the Ability to Recover from Operational Failure audit, address the following question: Has the company ever invoked Last Known Good Configuration? Focus on whether the staff knows the conditions under which Last Known Good Configuration should be used.

Emergency Repair Disk (ERD)

To perform the ERD section of the Ability to Recover from Operational Failure audit, address the following question: Is there an ERD and what is the practice for creating and updating the ERD? Inquire on when the last ERD was updated. Inquire on whether the ERD is updated using the /s option (rdisk /s) in order to force the Repair Disk program to also save the SAM and SECURITY hives. Because those copies in systemroot\repair, and on the diskette itself, contain the account database, the permissions on the repair directory (Administrators: Full Control only, as recommended above) and the physical security of the ERD matter as much as how current the repair information is.

The above article is courtesy of Microsoft Press. Copyright 1999, Microsoft Corporation.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.
