Professional Windows Server 1002003 Security A Technical Reference [Electronic resources]


Roberta Bragg


Chapter 18. Auditing


Ask someone in IT what auditing is, and you may be told that it's running a vulnerability scanner from outside your network to assess its security weaknesses, configuring the audit policy on the Windows Server 2003 computer so that it records security events, or even performing a penetration test (pen test) from outside your network. IT auditors, on the other hand, may view auditing as checking the security configuration of systems and the exercise of IT operations against your organization's security policy and against legislative requirements to determine if IT systems are in compliance.

Both viewpoints are correct but don't go far enough. Auditing is a process that improves security not just because it finds known vulnerabilities or exposes variances from security policy or legislative requirements, but also because it points out weaknesses in the current security architecture. You should incorporate this approach into Windows Server 2003 security configuration and maintenance. You should also support auditing by non-IT employees or outside auditors. Many auditing functions should be done by IT, but regular audits by individuals who are not from IT are imperative if you want to maintain and improve the security of your information systems.


Auditing Versus Intrusion Detection


Auditing is not synonymous with intrusion detection. Even so, when the audit policy is configured, the security-related events collected can be used for intrusion detection. The information collected also can and should be used to:

- Monitor usual and unusual activity
- Detect intrusion attempts and successes
- Provide forensic evidence that may be used to support prosecution or to determine what occurred


The monitoring and intrusion detection process is described further in Chapter 19, "Monitoring and Assessment." This chapter provides information on audit policy, interpreting audit records, and using tools to determine vulnerability status and security policy compliance.

It's management's job to dictate and ensure the proper implementation of controls that provide the confidentiality, integrity, and availability of information used in the conduct of business operations. Only management can set the security policy and enforce it. In addition to security policy, management provides for both internal and external audits that document where IT practices deviate from stated policy and/or established IT security best practices. The IT administrator should base security implementation on management-dictated security policy. It's time that IT administrators took more responsibility for helping management define a security policy and for auditing its adherence to stated policy and best practices.

This book provides information on the security technologies and best practices available for Windows Server 2003. Auditing implementation and practice for Windows Server 2003 networks consists of:

- Implementing the Audit Policy functionality available in Group Policy for both domain controllers and member computers.
- If standalone Windows systems are part of the network, setting auditing controls as available locally, such as setting an audit policy in Local Security Policy.
- Setting auditing controls in implemented server services, such as certificate services and remote access server services.
- Setting auditing controls in Windows Server 2003-based applications implemented on the network.
- Verifying that technical security controls are in place, for example by using Security Configuration and Analysis, Microsoft Security Baseline Analysis, and/or third-party vulnerability assessment tools and perhaps penetration testing.
- Reviewing and verifying that physical security controls are in place.
- Reviewing and verifying that security policy, standards, and procedures are in place and meet best practices as defined in accepted standards and by well-known auditing associations.
- Reviewing the "people" part of security, including the security awareness and practice of good security by employees.
- Understanding and using log contents to differentiate the normal from the abnormal, document incidents, determine what happened, and potentially detect intrusions happening in real time or ones that may have happened in the past.
- Reviewing customer, partner, and vendor IT relationships with respect to technical and other controls where communications and connections exist, and if it is determined that the security practices of the other party may influence the security of your organization, reviewing their security policies, standards, procedures, and practices.


This chapter does not address all these points. It does not address issues specific to server applications such as SQL server, Exchange, or other Microsoft or third-party applications that may exist on your network. It does not address third-party vulnerability testing products, nor include pen testing specifics or intrusion detection techniques beyond those useful in evaluating the logs produced by Windows Server 2003. All these things are important, but they simply fall outside the scope of this book.

Information on IT auditing that is not Windows Server 2003 specific can be found on the web site of the Information Systems Audit and Control Association (ISACA) at www.isaca.org. ISACA is composed of over 35,000 members from over 100 countries, and its members are IT auditors, consultants, educators, IS security professionals, CIOs, and CSOs. The Certified Information System Auditor (CISA) certification is sponsored by ISACA. Start by reading the proposed IT auditing standards document, http://www.isaca.org/Template.cfm?Section=Standards&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=29&ContentID=6707. An audit glossary is also on the site (http://www.isaca.org/Template.cfm?Section=Glossary&Template=/CustomSource/Glossary.cfm&char=A&TermSelected=635).

