The following tables summarize the steps listed earlier for auditing Windows servers and clients.
Checklist for Auditing Windows Servers
☐ Obtain the system information, OS version, and service pack (or build) level, and compare them with policy requirements.
☐ Determine whether the server is running the company-provisioned firewall.
☐ Determine whether the server is running a company-provisioned antivirus program.
☐ Ensure that all approved patches are installed per your server management policy.
☐ Determine whether the server is running a company-provisioned patch-management solution.
☐ Review and verify startup information.
☐ Determine what services are enabled on the system and validate their necessity with the system administrator. For necessary services, review and evaluate procedures for assessing vulnerabilities associated with those services and keeping them patched.
☐ Ensure that only approved applications are installed on the system per your server management policy.
☐ Ensure that only approved scheduled tasks are running.
☐ Review and evaluate procedures for creating user accounts and ensuring that accounts are created only when there is a legitimate business need. Also review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.
☐ Ensure that all users are created at the domain level and clearly annotated in Active Directory. Each user should trace to a specific employee or team.
☐ Review and evaluate the use of groups, and determine how restrictively they are used.
☐ Review and evaluate the strength of system passwords.
☐ Evaluate the use of password controls on the server, such as password aging, length, complexity, history, and lockout policies.
☐ Review and evaluate the user rights and security options assigned under the security policy settings.
☐ Review and evaluate the use of and need for remote access, including RAS connections, FTP, Telnet, SSH, VPN, and other methods.
☐ Ensure that a legal warning banner is displayed when connecting to the system.
☐ Look for and evaluate the use of shares on the host.
☐ Ensure that the server has auditing enabled per your policies or your organization's practices.
☐ Review and evaluate system administrator procedures for monitoring the state of security on the system.
☐ If you are auditing a larger environment (as opposed to one or two isolated systems), determine whether there is a standard build for new systems and whether that baseline has adequate security settings. Consider auditing a system freshly created from the baseline.
☐ Perform the steps from Chapter 4: Auditing Data Centers and Disaster Recovery as they pertain to the system you are auditing.
Checklist for Auditing Windows Clients
☐ Determine whether the client is running the company-provisioned firewall.
☐ Determine whether the client is running a company-provisioned antivirus program.
☐ Determine whether the client is running a company-provisioned patch-management solution.
☐ Determine whether the client is equipped with the minimum recommended service pack, hotfixes, and software.
☐ Ensure that the client has all the following according to the Microsoft Baseline Security Analyzer (MBSA). (Note that Microsoft no longer maintains MBSA, so a currently supported patch-assessment tool may have to stand in for it.)
☐ Scan the system using a commercial-grade network scanner.
☐ Evaluate physical security controls during a walk-through.
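Most of the technical items in both checklists above (system and patch level, firewall, antivirus, startup entries, services, installed applications, scheduled tasks, local accounts and groups, password and lockout policy, user rights, remote-access listeners, legal banner, shares, and audit policy) can be gathered from the host in one pass and flagged against policy. The script below is an added example written for this page; it is not from the book or from Microsoft. It assumes an elevated Windows PowerShell 5.1 session on the host being audited, that the approved firewall and antivirus are Windows Firewall and Microsoft Defender (otherwise the Antivirus block returns nothing), and that the thresholds in the Findings section (14-character minimum, 7-day signature age) are placeholders to be replaced with your own policy values. It only reads configuration and writes a JSON evidence file; it changes nothing on the host.

```powershell
# Added example: evidence collection for the Windows server/client audit checklists.
# Assumes an elevated Windows PowerShell 5.1 session on the audited host.
$Report = [ordered]@{}

# System information and patch level (OS version, build, recent hotfixes)
$os = Get-CimInstance Win32_OperatingSystem
$Report['System'] = [pscustomobject]@{
    Host     = $env:COMPUTERNAME
    OS       = $os.Caption
    Build    = $os.BuildNumber
    LastBoot = $os.LastBootUpTime
    Hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 HotFixID, InstalledOn
}

# Host firewall: each profile should be enabled with inbound traffic blocked by default
$Report['Firewall'] = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Antivirus (Microsoft Defender assumed; empty if a third-party product is in use)
$Report['Antivirus'] = Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureAge, AntivirusSignatureLastUpdated

# Startup entries, running services, and scheduled tasks outside the Microsoft tree
$Report['Startup']  = Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
$Report['Services'] = Get-CimInstance Win32_Service | Where-Object State -eq 'Running' |
    Select-Object Name, DisplayName, StartMode, StartName, PathName
$Report['ScheduledTasks'] = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State, Author

# Installed applications from the Uninstall registry keys (faster and safer than Win32_Product)
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$Report['Applications'] = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Local accounts and membership of the local Administrators group
$Report['LocalUsers']  = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordRequired
$Report['LocalAdmins'] = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass

# Password/lockout policy and user rights assignments, exported from the local security policy
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$Policy = @{}; $section = ''
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $Policy["$section/$($Matches[1])"] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$Report['PasswordPolicy'] = $Policy.GetEnumerator() | Where-Object Key -like 'System Access/*'
$Report['UserRights']     = $Policy.GetEnumerator() | Where-Object Key -like 'Privilege Rights/*'

# Remote access: listening TCP ports with the owning process, plus whether RDP is enabled
$Report['Listeners'] = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Sort-Object LocalPort -Unique
$Report['RdpEnabled'] = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 0

# Legal warning banner, SMB shares, and the effective audit policy
$Report['LegalBanner'] = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
    Select-Object LegalNoticeCaption, LegalNoticeText
$Report['Shares'] = Get-SmbShare | Select-Object Name, Path, Description
$Report['AuditPolicy'] = auditpol /get /category:* /r | ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'

# Findings against placeholder thresholds (assumption: substitute your own policy values)
$Findings = @()
$Report['Firewall'] | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object { $Findings += "Firewall profile $($_.Name): Enabled=$($_.Enabled), Inbound=$($_.DefaultInboundAction)" }
if ($Report['Antivirus'] -and $Report['Antivirus'].AntivirusSignatureAge -gt 7) {
    $Findings += "AV signatures are $($Report['Antivirus'].AntivirusSignatureAge) days old"
}
if ([int]$Policy['System Access/MinimumPasswordLength'] -lt 14) { $Findings += "MinimumPasswordLength = $($Policy['System Access/MinimumPasswordLength'])" }
if ($Policy['System Access/PasswordComplexity'] -ne '1') { $Findings += 'Password complexity is not enforced' }
if ($Policy['System Access/LockoutBadCount'] -eq '0')    { $Findings += 'Account lockout is disabled' }
if (-not $Report['LegalBanner'].LegalNoticeText)         { $Findings += 'No legal warning banner is configured' }
if ($Report['RdpEnabled'])                               { $Findings += 'RDP is enabled; confirm business need' }
$Report['Findings'] = $Findings

# Write the evidence file and show the findings for follow-up with the administrator
$Report | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:COMPUTERNAME-windows-audit.json"
$Findings
```

The raw collections (services, tasks, applications, shares, listeners, user rights) are deliberately left for review with the system administrator rather than auto-judged, since their acceptability depends on the server's documented role; the Findings list covers only the items the checklists phrase as hard requirements. Run it from a baseline-built system first to learn what "normal" looks like before comparing production hosts against it.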