Audit of Operating System. Module 4 Protection of Information Systems and Information Assets

Size: px

Start display at page:

Download "Audit of Operating System. Module 4 Protection of Information Systems and Information Assets"

Solomon Page
7 years ago
Views:

1 Audit of Operating System Module 4 Protection of Information Systems and Information Assets 1

2 Table of Contents Task Statment Introduction Why Audit Operating System? Password Policy Password Policy- How to Audit? Audit Policy Audit Policy- How to audit? Event Logs Types of Event Logs Event Logs- How to Audit? Security Options Security Options- How to Audit? Users Right Assignment Users Right Assignment- How to Audit? Case Study 2

3 Task Statements By completing the module, students will be able to perform the following tasks: a) Review logical access controls for the identification, authentication and restriction of users to authorized functions and data. 3

4 Introduction (1/2) Every operating system includes a set of security features and vulnerabilities, which varies from OS to OS and sometimes between versions. The security features are designed in such a way that they can be turned on or off and set to high security or low security, depending on the purpose for which the user intends to use the OS. In most cases, the default settings are not designed for high security. It is up to the user to enable the security features to the desired level of security for that installation. 4

5 Introduction (2/2) An IS auditor needs to be concerned about the operating system for the following reasons: The operating system sees all data on the disk as streams of bits in the records inside the files and folders. Most application users log directly onto an application and, on exiting the application, are automatically logged out of the system. However, if a user is able to bypass the application and gain access to the operating system, then all the rules and controls in the application software become irrelevant. 5

6 Why Audit Operating System? (1/2) The process of auditing OS security is required to: Evaluate whether the security features have been enabled and parameters have been set to values consistent with the security policy of the organization, and Verify that all users of the system (user IDs) have appropriate privileges to the various resources and data held in the system. 6

7 Why Audit Operating System? (2/2) Some of the most common security parameters that can be evaluated are: Password policy Audit Policy Security Options User Rights Assignment 7

8 Password Policy The security provided by a password depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used or stored. Password policies can be set depending on the needs of the organization. For e.g. it is possible to specify minimum password length, maximum and minimum password age etc. It is also possible to prevent users from reusing passwords and ensure that they use specific characters in their passwords, making the passwords more difficult to crack. 8

9 Why to audit Password Policy? It is easier to crack weak passwords. It makes organization's network and Information Systems vulnerable. It increases the probability of targeted attacks on the organisations which can adversely impact the goodwill. 9

10 Password Policy- How to Audit? (1/2) Start Control Panel Administrative Tools Local Security Policy Account Policies Password Policy 10

11 Password Policy- How to Audit? (2/2) Policy Enforce password history What it does Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered. Maximum password age Minimum password age Minimum password length Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password. Sets the minimum number of days that must pass before a password can be changed. Specifies the fewest number of characters a password can have. Password must meet complexity Requires that passwords: requirements - Be at least six characters long - Contain a combination of at least three of the following characters: uppercase letters, lowercase letters, numbers, symbols (punctuation marks) - Don't contain the user's user name or screen name Store passwords using reversible encryption Stores the password without encrypting it. 11

12 Audit Policy Before audit records are logged, an auditing policy must be established. The policy defines the types of events that will be audited for a specific user or group of users. An auditing policy specifies categories of security-related events that must be audited. When Windows server is first installed, all auditing categories are turned off. By turning on various auditing event categories, the administrator can implement an auditing policy that suits the security needs of the organization. 12

13 Why to review Audit Policy? The absence of an adequate audit trail reduces the effectiveness of audit based customs control. Increases the risk of non-compliance of company policies by internal users. Fixing accountability of wrong doing becomes difficult. Reduces the organisation s capability to detect and act upon unauthorised activities, on-time, which could have been used as a deterrent control. 13

14 Audit Policy- How to audit? Start Control Panel Administrative Tools Local Security Policy Local Policies Audit Policy 14

15 Event Logs Event logs are files that record significant events on the server, such as when a user logs on to the server or when a program encounters an error. Whenever these types of events occur, Windows records the event in an event log that you can read by using Event Viewer. 15

16 Types of Event Logs There are primarily three (3) kinds of Event Logs: Application logs: It capture events logged by programs. They are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, or service. Security logs: It captures audit related events and are described as successful or unsuccessful depending on the event, such as whether a user trying to log on to Windows was successful. System logs: It captures events logged by Windows server components. For example, if a driver fails to load during startup, an event is recorded in the system log. 16

17 Event Logs- How to Audit? (1/2) Control Panel Administrative Tools Event Viewer Expand Windows logs and select respective event/logs 17

18 Event Logs- How to Audit? (2/2) By double clicking to single event below log details will be available on screen. 18

19 Security Options The Security Options section of Windows Server configures server s security settings for Administrator and Guest account names, digital data signatures, access to floppy disk and CD drives, driver installation behavior, logon prompts etc. 19

20 Why to audit Security Options? Keeping Security Options at default / null values: a) increases the risk of hacking and intrusion attacks. b) Makes the organization's network vulnerable to internal and external attacks. c) Increases the probability of unauthorized access to the network and Information Systems. 20

21 Security Options- How to Audit? Start Control Panel Administrative Tools Local Security Policy Local Policies Security Options 21

22 Users Right Assignment User Rights Assignment policies determines which users or groups have logon rights or privileges on the computer. User Rights Assignment govern the methods by which a user can log on to a system. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a computer and how they can log on. User rights permissions control access to server and domain resources. 22

23 Why to audit User Right Assignment? Keeping User Rights Assignment at default / null values: a) Increases the risk of hacking and intrusion attacks. b) Makes the organization's server and personal computers vulnerable to internal and external attacks. c) Increases the probability of unauthorized access to the network and Information Systems. 23

24 Users Right Assignment- How to Audit? Start Control Panel Administrative Tools Local Security Policy Local Policies User Rights Assignment 24

25 Case Study You have been appointed as IS Auditor of ABC Ltd. As part of IT General Controls review, you have been asked to review the: 1. Password Policy 2. Audit Policy 3. Event Logs 4. Security Options 5. User Rights Assignment How you will download the above data from Windows server? 25

The Institute of Internal Auditors Detroit Chapter Presents

1 The Institute of Internal Auditors Detroit Chapter Presents 1 MOST Suitable for all categories business and personal presentation 3 If You Have Questions If you have questions during the webcast: If