I've attached a generic audit program for NT and some resources I use when
performing an audit of NT. I know the list is far from comprehensive, but it
will give you a start.

Best of Luck,

Glen Sexton
Central IL. Public Service
(217) 523-1792 x 5624
e-mail glen_sexton@ue.com
"All Standard Disclaimers Apply"

______________________________ Reply Separator _________________________________
Subject: Windows NT Audit
Author:  Information Systems Audit and Control Association List at INTERNET
Date:    8/20/96 3:11 AM

Hello all

I am preparing for a Windows NT audit (Server 3.51). Does anyone have any
audit programs / titles of related books / tips / hints that could assist me?

Many thanx

Ravin Jugdav
IS Auditor
Caltex Oil South Africa (Pty) (Ltd)
Tel : +27 21 403-7742
Fax : +27 21 403-7607
e-Mail : ZACXTJRK@IBMMAIL.COM

B. NT File Server Controls

1.  Determine if auditing is enabled by choosing event viewer under policy,
    file systems.

2.  Choose File Manager then select Disk Administrator to make sure the server
    is using NTFS as its file allocation scheme. If it uses FAT in any disk
    partition, it is not secured.

3.  Review the file size for the security log. Bare minimum should be a size
    of 5 Megabytes since the log is overwritten when it's full. View via
    server tools, event log settings.

4.  How often is the security log reviewed? Should be once a week to keep the
    log from being overwritten.

5.  Attempt to access the security log from a non-privileged account. Note any
    deficiencies.

6.  Under Control Panel make sure the most important services are started at
    boot up. Note FTP services should be started manually only.

7.  Check built-in accounts (Administrator etc.)
    Review policies (length of passwords, expiration period, etc.)
    Review built-in group memberships (Dumpall utility)
    Review rights for all accounts

8.  Review the Registry (address lax registry permissions)
    Verify auditing is turned on (at least for successful accesses to the
    registry).
    Review permissions and determine their appropriateness for everyone and
    users.

9.  Determine if a backup of the Registry is performed at least monthly and
    that a baseline copy was retained. (use the Dumpall utility)

10. Check "users" rights and permissions. (use the Dumpall utility)

11. Verify all trust relationships between NT Domains.

12. Determine the method used to notify users of system down time or
    unexpected interruptions in service.

13. If the workstations are running Windows for Workgroups instead of NT
    Workstation, verify they are using screen saver and boot up passwords.
    Otherwise it won't matter what security is on the server.

14. Review security over any mainframe uploads or downloads.

15. Review any remote access for adequate controls.

16. Review interfaces and security for connections to other LANs.

17. Determine if virus detection software is in place to protect the files on
    the LANs.

References
--------------
Citibank NA, Coopers & Lybrand, IIA and Microsoft, Microsoft Windows NT 3.5
Guidelines for Security, Audit, and Control, Microsoft Press, 1994. Available
from ISACA International.

Cowart, Robert, Windows NT Unleashed, Sam's Publishing, 1995.

MIS Training Institute, "Windows NT Advanced Server Seminar", Chicago, IL,
1995.

Internet Web Pages:
-------------------------
http://infotech.kumc.edu/winnt
http://www.somarsoft.com
http://www.winntmag.com
http://www.microsoft.com/ntserver

Newsgroups:
----------------
Connect to msnews.microsoft.com, the Microsoft News Server, then select
newsgroups starting with microsoft.public.windowsnt.++++++

On most regular news servers NT newsgroups start with:
comp.os.ms-windows.nt.+++++++
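
Items 2, 3 and 6 of the audit program above, scripted as an added example that
is not part of the original message or its attachment. It assumes a current
Windows host with PowerShell and an elevated session (NT 3.51 predates
PowerShell); the "B.n" item labels and the finding layout are this example's
own.

```powershell
# Added example: checks items B.2 (NTFS), B.3 (security log size) and
# B.6 (FTP service start mode) and returns one object per deficiency.
$MinLogBytes = 5MB            # minimum security log size named in item 3
$findings    = @()

function New-Finding($Item, $Object, $Detail) {
    [pscustomobject]@{ Item = $Item; Object = $Object; Detail = $Detail }
}

# B.2: every fixed disk partition should use NTFS (DriveType 3 = local disk).
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
    if ($disk.FileSystem -ne 'NTFS') {
        $findings += New-Finding 'B.2' $disk.DeviceID `
            "File system is '$($disk.FileSystem)', not NTFS"
    }
}

# B.3: the security log must be at least 5 MB; also report how it behaves
# when full, since item 4 ties the review interval to overwriting.
$log = Get-CimInstance Win32_NTEventlogFile -Filter "LogfileName='Security'"
if (-not $log) {
    # Reading the Security log's settings requires administrative rights.
    $findings += New-Finding 'B.3' 'Security' 'Log settings could not be read'
} else {
    if ($log.MaxFileSize -lt $MinLogBytes) {
        $findings += New-Finding 'B.3' 'Security' `
            ("Maximum size is {0:N1} MB, below 5 MB" -f ($log.MaxFileSize / 1MB))
    }
    Write-Host "Security log overwrite policy: $($log.OverwritePolicy)"
}

# B.6: FTP services should not start automatically at boot.
$ftp = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%FTP%'"
foreach ($svc in $ftp) {
    if ($svc.StartMode -eq 'Auto') {
        $findings += New-Finding 'B.6' $svc.Name `
            "'$($svc.DisplayName)' starts automatically (state: $($svc.State))"
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { Write-Host 'No deficiencies found for items B.2, B.3, B.6.' }
```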