Setup and General Controls


The following represents a check of the overall system setup and other general controls to ensure overall system compliance with your organization's policy. These are mostly general, high-level controls, such as making certain that the system runs company-provisioned firewall and antivirus programs.

1 Obtain the system information and service pack version and compare with policy requirements.

Policies were written and agreed to in order to make your environment more secure, easily manageable, and auditable. Double-check the basic configuration information to ensure that the host is in compliance with policy. Older operating systems increase the difficulty in managing the server and increase the scope of administrator responsibilities as he or she attempts to maintain control over disparate operating system (OS) versions. Maintaining standard builds and patch levels greatly simplifies the process of managing the servers.

How

You could find this information using built-in command-line tools, by hunting through the graphical user interface (GUI), or by searching the registry. However, two efficient ways to pull up this information are the SysInternals tool psinfo and the native tool systeminfo. Go to http://www.sysinternals.com and download the pstools package. Use psinfo to pull up this information, and then compare the results with your organization's policies and requirements.

Note 

Download pstools from http://www.sysinternals.com/Utilities/PsTools.html. The tool psinfo is part of this set of tools. There are several tools from SysInternals that you may want to use for auditing your servers.

2 Determine if the server is running the company-provisioned firewall.

Failure to have a firewall subjects the client to network attacks from malware, attackers, and curious people.

How

Most of the time, a check of the processes on the system shows that the company-provisioned firewall is installed and running on the system. An easy way to script this check is to run the SysInternals tool pslist. Do this by running pslist <process name> on the system, and search for the appropriate running process by specifying the process you want to find.

Depending on the nature of your audit, you also might want to check the configuration of the firewall on the host. For many organizations the firewall is centrally managed and the same across all hosts.

If you are using the Windows firewall, then learn the netsh command set, which allows scripted output and changes to the firewall. Try running netsh firewall show config to see the overall configuration of the firewall on the host and whether the firewall is configured for particular adapters. Use netsh firewall show to see other available options for the netsh firewall tool.

3 Determine if the server is running a company-provisioned antivirus program.

Running software other than company-provisioned software may cause instabilities in the enterprise software environment on the laptop or desktop. Failure to have antivirus protection may allow harmful code or hacking tools that violate company policy to run on the computer.

How

A visual check of the system tray shows that an antivirus program is installed and running on the system. As mentioned earlier, an easy way to script this check is to run pslist from SysInternals on the system and search for the running process.

 pslist rtvscan

 PsList 1.26 - Process Information Lister
 Copyright (C) 1999-2004 Mark Russinovich
 SysInternals - http://www.SysInternals.com

 Process information for CA-CDAVIS:

 Name        Pid Pri Thd Hnd  Priv     CPU Time  Elapsed Time
 Rtvscan     244   8  53 569 26212  0:07:16.640  85:27:32.223

Depending on the nature of your audit, you also might want to check the configuration of the antivirus program on the host. For many organizations, the antivirus program is managed centrally and is the same across all hosts. One thing to be careful about with antivirus programs is the ability to exclude certain files or folders from monitoring. This is an easy way to get around the antivirus program.

4 Ensure that all approved patches are installed per your server management policy.

If all the OS and software patches are not installed, then widely known security holes could exist on the server.

How

Use psinfo -s to pull this information up for you, and then compare the results against the policies and requirements of your organization. You can use the psinfo output to compare with existing SMS, PatchLink, and other patch-management data. You also could compare the psinfo output with data from a vulnerability scanner, two of which are discussed below.

5 Determine if the server is running a company-provisioned patch-management solution.

Again, running software other than company-provisioned software may cause instabilities in the enterprise software environment on the laptop or desktop. Failure to have a company-provisioned patch-management solution may prevent the server from receiving the latest patches, allowing harmful code or hacking tools to run on the computer.

How

A visual check of the processes in the task manager usually shows that the company-provisioned patch-management system for servers is installed and running on the system. For example, this may be evidenced by the existence of the process in the task manager or pslist. Some organizations like to enable automatic updates, which is also easily checked by looking for "Automatic Updates" in the Control Panel.
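The process checks in steps 2, 3, and 5 can be scripted against a saved pslist listing. The following is an added example, not from the book: it parses the listing and reports which required agents are absent. The process names fwagent and patchagent are hypothetical placeholders, and every sample row other than Rtvscan is constructed.

```python
# Added example: audit a captured `pslist` listing against required agents.
# REQUIRED maps a control to acceptable process names. "rtvscan" comes from
# the page; "fwagent" and "patchagent" are hypothetical placeholders.
REQUIRED = {
    "antivirus": {"rtvscan"},
    "firewall": {"fwagent"},
    "patch-management": {"patchagent"},
}

# Constructed sample in pslist's column layout (the Rtvscan row is the page's).
SAMPLE = """\
PsList 1.26 - Process Information Lister
Copyright (C) 1999-2004 Mark Russinovich
SysInternals - http://www.SysInternals.com

Process information for CA-CDAVIS:

Name        Pid Pri Thd Hnd  Priv      CPU Time  Elapsed Time
Idle          0   0   1   0     0  84:10:02.109   0:00:00.000
System        4   8  61 412    28   0:01:12.515   0:00:00.000
Rtvscan     244   8  53 569 26212   0:07:16.640  85:27:32.223
fwagent     980   8  12 140  5120   0:00:41.203  85:27:30.871
"""


def parse_pslist(text):
    """Return {lowercased process name: [pids]} from pslist output."""
    procs, in_table = {}, False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["Name", "Pid"]:
            in_table = True          # rows start after the column header
            continue
        if not in_table or len(fields) < 8:
            continue
        # Split from the right so a name containing spaces stays intact.
        name, pid = line.strip().rsplit(None, 7)[:2]
        if pid.isdigit():
            procs.setdefault(name.lower(), []).append(int(pid))
    return procs


def audit(text, required=REQUIRED):
    """Return {control: sorted matching names}; an empty list is a finding."""
    running = parse_pslist(text)
    return {c: sorted(n for n in names if n in running)
            for c, names in required.items()}


if __name__ == "__main__":
    for control, found in audit(SAMPLE).items():
        print(f"{control:18} {'OK ' + ','.join(found) if found else 'MISSING'}")
```

A running process shows only that the agent is present; its configuration, including any antivirus exclusions, still has to be reviewed separately.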

6 Review and verify startup information.

Rogue partitions, processes, or programs in violation of your policies sometimes may be found during system startup. Additionally, sometimes malware will make use of the next reboot to install kits deeper into the OS.

How

There are several utilities that can help to dissect what the next reboot will do to the system. We recommend using bootcfg, pendmoves, and autoruns (or its command-line version, autorunsc).

The output of bootcfg reveals the partitions set in the boot.ini file. There are several ways to get this information, including reading the file, but this allows you to easily script the result. Each bootable OS will have a separate boot entry ID like this:

 Boot Entries
 ------------
 Boot entry ID:    1
 OS Friendly Name: Windows Server 2003, Standard
 Path:             multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
 OS Load Options:  /noexecute=optout /fastdetect
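Because bootcfg output is plain key/value text, the boot entries can be compared against an approved baseline in a script. The following is an added example, not from the book: the baseline values are an assumed policy, and the second boot entry in the sample is constructed to show a finding.

```python
# Added example: parse `bootcfg` output and flag unapproved boot entries.
import re

# Assumed policy baseline (hypothetical): approved paths and required options.
APPROVED_PATHS = {r"multi(0)disk(0)rdisk(0)partition(1)\WINDOWS"}
REQUIRED_OPTIONS = {"/noexecute=optout"}

# Constructed sample: entry 1 is the page's; entry 2 is invented for the demo.
SAMPLE = r"""
Boot Entries
------------
Boot entry ID:    1
OS Friendly Name: Windows Server 2003, Standard
Path:             multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
OS Load Options:  /noexecute=optout /fastdetect

Boot entry ID:    2
OS Friendly Name: Recovery
Path:             multi(0)disk(0)rdisk(0)partition(2)\WINNT
OS Load Options:  /fastdetect
"""


def parse_boot_entries(text):
    """Return a list of dicts, one per 'Boot entry ID' block."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Boot entry ID":
            entries.append({})           # a new entry starts here
        if entries:                      # ignore settings before first entry
            entries[-1][key] = value
    return entries


def findings(text):
    """Return (entry id, reason) pairs for entries that break the baseline."""
    out = []
    for e in parse_boot_entries(text):
        opts = set(e.get("OS Load Options", "").lower().split())
        if e.get("Path") not in APPROVED_PATHS:
            out.append((e["Boot entry ID"], "unapproved path"))
        if not REQUIRED_OPTIONS <= opts:
            out.append((e["Boot entry ID"], "missing required load option"))
    return out
```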

Run pendmoves by itself without any switches to understand what file moves are planned for the next system restart.

Autoruns is the GUI version of autorunsc. When you use autorunsc from the command line, it might be easier to output the results to a CSV file with the -c switch and view them in Excel. It might be hard to appreciate the power of autorunsc until you use the GUI autoruns version to see the information it's capable of uncovering for you.



IT Auditing. Using Controls to Protect Information Assets
ISBN: B001TI1HNG
EAN: N/A
Year: 2004
Pages: 159
