The key to a successful audit of Windows servers or clients is to thoroughly review the host both by itself and in conjunction with the many other possible connections that pass data to and from the host.
The following audit steps focus only on the host and do not cover extensive reviews of the applications running on top of it or of trust relationships with outside systems. Also not covered are data input and data output methods or their validity. You would cover these on a per-host basis using techniques and tools covered elsewhere in this book. The steps here are typical of many server audits and represent a good tradeoff between the number of risks covered and the amount of time it takes to review the host.
The test steps in this chapter focus on testing the logical security of Windows boxes, as well as processes for maintaining and monitoring that security. However, there are other internal controls that are critical to the overall operations of a computing environment, such as physical security, disaster-recovery planning, backup processes, change management, capacity planning, and system monitoring. These topics are covered in Chapter 4 and should be included in your audit if they have not already been covered effectively in a separate data center or entity-level information technology (IT) controls audit.