The added value of an operating system audit to an IT General Controls audit


Thesis: The added value of an operating system audit to an IT General Controls audit
S.A.H. Cobelens MSc
September 6, 2013
Vrije Universiteit Amsterdam

Abstract

The threat of information leakage, financial misstatements or fraud originating from financial IT solutions is ever present. Accountancy firms have to rely on information coming from these systems while operating in a world where new cyber-attacks are daily news. They continuously develop their audit approach to mitigate (new) risks more effectively and efficiently. Auditors are often unsure whether to include a thorough operating system parameter check in their IT General Controls (ITGC) audit approach. This thesis explores the added value of an operating system parameter check to an ITGC audit. This is done by inspecting a best practice, testing it at three companies and creating a risk analysis per parameter category.

Acknowledgements

I would like to thank my thesis supervisor Rene Matthijsse for helping and guiding me through the whole thesis process. Besides that I would like to thank my colleagues for their input and thoughts on the subject. Last but not least I thank my family and friends for their support.

Table of contents

Acknowledgements
Introduction
  Introduction
  Research question
  Contribution
    Academic relevance
    Managerial relevance
  Research design
  Thesis structure
Theoretical background
  A brief history of IT audits
  IT General Controls
  ITGC in the financial statement audit
  The structure of IT General Controls
  Auditing of the ITGCs
  Information security
Hypotheses
  Conceptual framework
  Hypotheses
  Control variables
Case study methodology
  Research methods
    Observation
    Preliminary information gathering
    Theory formulation
    Hypothesizing
    Further scientific data collection
    Data analysis and conclusion
  Sample selection
Case study findings
  Company profile ... 30
    Company A
    Company B
    Company C
  Outcome
Analysis of results
  Accounts
  Audit policy
  Detailed security auditing
  Event log
  Windows Firewall
  Windows Update
  User Account Control
  User rights
  Security options
  Terminal services
  Internet communication
  Additional security settings
  Other factors
    Costs of the operating system parameter check
    Type of operating system(s) in use
    No extra comfort
    Politics and time
  Validation of hypotheses
    WH1: An operating system parameter audit will only give comfort over the operating system layer
    WH2: Operating system comfort is essential for reliance on application controls
Conclusions
Limitations and further research
References
Appendix I: Detailed results ... 45

List of tables and figures

1. Introduction

1.1 Introduction

Companies use a variety of software solutions for their financial administration. These financial software solutions (e.g. SAP, Oracle, PeopleSoft and Navision) have been implemented in thousands of companies worldwide. Such solutions often have a client-server architecture, which means they can be reached over a network and are therefore a likely target for people with the wrong intentions (Albornoz Mulligan, 2007). The machines that run these financial software solutions need to be hardened in order to respond to the growing number of risks from the connected world. Best practices for setting up the system environment are available, and there are tools to check systems against them.

The threat of information leakage, financial misstatements or fraud originating from financial IT solutions is ever present, and it is a complex matter in which no single control mitigates all the risks. For example, users with broad privileges in a financial system can bypass controls like the four-eyes principle to make unauthorized adjustments, database administrators can edit tables and change user information, and system administrators can get access to the database and the software. This shows that multiple layers of computer system security need to be taken into account before a company can trust its business processes to such financial software. Its accountants need to obtain comfort about the completeness, accuracy and validity of the data coming from the system in order to do their work. Accountancy firms, which sign off the financial statements, rely heavily on data coming from these systems and therefore need to be sure of the completeness, accuracy and validity of the data they generate. In order to gain this comfort an IT General Controls (ITGC) audit is performed as part of the financial statement audit. This is an audit of all controls that apply to relevant system components, processes and data of the IT environment (ISACA, 2013). Accountancy firms continuously develop their audit approach to mitigate (new) risks more effectively and efficiently. Auditors are often unsure whether to include a thorough operating system parameter check in their ITGC audit approach. This thesis explores the added value of an operating system parameter check to an IT General Controls audit.

1.2 Research question

A company uses an operating system baseline security scan as part of its ITGC audit. This security scan checks the settings of the operating system against a best practice published by the Center for Internet Security (CIS). The outcome of the scan is an overview of the many system settings and their compliance with the best practice. Audit teams are often not aware of the added value of such a baseline scan for their ITGC audit, nor of when they can or should use it. What comfort does this security baseline scan give the IT auditor regarding the ITGCs, and when should an auditor consider performing such a scan? The main research question is therefore:

How does a baseline security scan of operating system parameters add value to an ITGC audit?

In order to answer the research question, several sub-questions have to be answered:
- What is the place of operating system parameters in the IT General Control environment?
- What kind of comfort and assurance can an operating system parameter baseline scan contribute to the ITGC audit?
- Under which conditions should an ITGC auditor consider using an operating system parameter baseline scan?

1.3 Contribution

Academic relevance: This research tries to add academic value to both topics, so that the choice auditors make whether to use an operating system baseline security scan for their IT General Control work is better founded. Many best practices exist, but there is little academic literature on ITGCs and operating system security baselines.

Managerial relevance: A business unit tries to sell baseline scans as part of an IT audit (ITGC). Audit teams are sometimes unsure and wonder what comfort they will get from a baseline scan and what impact it can have at the client. Several baseline scans have been done. It is important for IT audit processes to understand what the most common and notable findings are and what their impact is on the IT General Controls.

1.4 Research design

This research studies the use of an operating system parameter baseline scan as part of an IT General Control audit: how the operating system parameters can be linked to the IT General Control environment, what kind of comfort an auditor would get from an operating system parameter audit, and when it would be a viable audit approach. The link between the ITGC environment and the operating system parameters is first determined by a literature study. Based on the outcome, an operating system parameter check is designed and performed in a case study environment. Based on the theoretical background and the results of the case study, the impact on the ITGC audit is determined and recommendations are formulated and documented.

1.5 Thesis structure

The structure of this thesis can be broken down into three main parts. The first part consists of a general introduction to what will be researched and the theoretical foundations of the thesis; all relevant literature concerning operating system parameters and ITGCs is discussed there. The second part covers the methodological aspect of the thesis. In this part a conceptual framework is constructed based on the research questions and the literature review, the research methodology is explained, and the design and execution of the case study are elaborated. The last part of this thesis consists of the presentation and discussion of the results, limitations and future research, and the conclusion.

2. Theoretical background

2.1 A brief history of IT audits

Over the years businesses have become more and more dependent on information coming from IT systems. One of the first frauds carried out with the help of IT systems, at the Equity Funding Corporation of America, started in the 1960s (it was uncovered in 1973). In the Netherlands, too, auditors became aware that information systems were increasingly part of the business and therefore needed to be taken into account in the audit. This shift in thinking had a great impact on accountants and the financial statement audit. Accountants formed ideas about information systems, their place in the administrative organization and how to audit them. Some accountants started to specialize in the audit of information systems, which meant the birth of the IT auditor. When the IBM 3270 terminal came onto the market in the 1970s it allowed changes to be entered into the computer in real time. This replaced the physical processes and controls that had been used with punch cards (Dutch: ponskaarten). Because anyone could now enter changes, accountants had no comfort over the reliability of the information generated by the system. In order to mitigate the risks associated with such information systems, the segregation of duties principle and authorization matrices were introduced. In the 1980s the field of IT audit developed further: data centers and IT projects became focus points for IT auditors. In 1988 De Nederlandsche Bank (the Dutch central bank) released a memorandum stating that IT is an essential part of a business that supports its solvency and liquidity. This confirmed that the IT environment is essential for the financial statement audit. The 1990s introduced the client/server architecture, which replaced many mainframes and was adopted in many projects. Alongside it, new IT development methodologies based on the client/server architecture were developed, which promised more efficient projects with shorter durations. Because of the increase in computer systems and applications, best practices like ITIL were developed to manage the new IT infrastructure. The 2000s brought further integration of IT with the business, the development of best practices and continuously new challenges for the control of the IT environment. Upcoming technologies and initiatives like cloud computing and Bring Your Own Device challenge management and auditors to find a way to adopt these advances in a controlled manner (Comte, 2009).

2.2 IT General Controls

From the founding thoughts on administrative organization it follows that proper internal controls need to be in place to ensure the reliability of information processed by information systems (Starreveld, 2002). These controls can be divided into organizational, logical and physical controls. In accounting and auditing, internal control is defined as a process, effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's resources are directed, monitored and measured. It plays an important role in preventing and detecting fraud and in protecting the organization's resources, both physical (e.g. machinery and property) and intangible (e.g. reputation or intellectual property such as trademarks) (COSO, 2013).

Because of the increasing reliance on IT systems, controls were developed and best practices formed to control the IT environment. Two control frameworks have been devised to assist both management and auditors in designing and assessing controls in computerized environments. One is the Information Technology Control Guidelines (IT Guidelines), first published by the Canadian Institute of Chartered Accountants (CICA) in 1970 (3rd edition in 2011). The other is the Control Objectives for Information and related Technology (COBIT), developed by the Information Systems Audit and Control Association (ISACA) (GFS, 2013).

IT controls are a subset of the internal controls of an organization. In the literature (Jenkins, 1992) internal controls are often divided into:
- User controls: manual controls
- Application controls: programmed controls
- ITGC: general IT management controls

User controls are defined as manual internal controls. The goal of user controls is to generate reliable information for input into information systems, to take action based on information or signals from an information system, and to control an information system in a proper manner. Manual elements in internal control may be less reliable than automated elements because they can be more easily bypassed, ignored or overridden, and they are also more prone to simple errors and mistakes. Consistent application of a manual control element therefore cannot be assumed.

Application controls can be defined as programmed controls in applications. The goal of application controls is to create segregation of duties in applications and to ensure the reliability of the data.

IT general controls (ITGC) are controls that apply to all system components, processes and data for a given organization or IT environment. The objectives of ITGCs are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations (ITGC, 2013).

2.3 ITGC in the financial statement audit

Accountants need to be sure that the published financial statements are prepared reliably. The financial statements, whose components are called Financial Statement Line Items (FSLI), give an overview of the financial figures and position of the organisation (Berger, 2003). The controls in the ITGC help to mitigate the IT risks that the company faces in the preparation of the financial statements. These IT risks need to be identified and appropriate controls need to be in place to mitigate them. IT risks can be divided into two types: IT-dependent and IT-specific risks (PwC Audit Guide, 2012); the ITGCs mitigate both.

IT-dependent risks are risks that relate directly to the comfort that the ITGCs should provide the organization. There are three IT-dependent risk areas: Automated Control Integrity (ACI), Report Integrity (RI) and Access Integrity (AI). Access Integrity concerns controls that can be bypassed to gain unauthorized access to systems and applications. Automated Control Integrity risks come from automated application and system functions that have not been properly tested and implemented.
Report Integrity risks are the risks associated with the reliability of system-generated reports.

IT-specific risks are risks that are inherent to IT systems, such as hardware/software changes outside the normal business processes. The primary IT-specific risk areas are Direct Data Access (DDA), Data Integrity (DI) and Application Controls in Computer Operations (ACCO). Direct Data Access risks involve all the risks that can lead to unauthorised access to data, to the change of data and to the destruction of data. Data Integrity risks involve all the risks that can lead to damaged or lost data. Application Controls in Computer Operations risks involve errors in batch jobs or interfaces leading to incomplete or unreliable (financial) data.

Effective ITGCs ensure the continued effective operation of application controls and automated accounting procedures that depend on computer processes. ITGCs are also important when manual controls depend on application-generated information.

Figure 1

The figure above depicts how ITGCs link indirectly to the achievement of the financial statement assertions. Transaction level controls are control activities over the initiation, recording, processing and reporting of transactions, designed to operate at a level of precision that would prevent, or detect and correct on a timely basis, misstatements related to one or more relevant assertions for a FSLI/business process. Transaction level controls can be either detective or preventive in nature and they often include manual application controls, automated application controls or IT-dependent manual controls (PwC, 2013).

2.4 The structure of IT General Controls

Although there is no detailed, universally agreed control set for ITGCs, the general areas are well described. They are generally divided into the following domains:
- Access to programs and data
- Program changes
- Computer operations
- Program development
- IT control environment

Each domain has certain IT-dependent or IT-specific risks associated with it, as mapped in Table 1.

Table 1: ITGC domains and associated risks

Domain: Access to programs and data
  Associated risks: application access; database/data file access; operating system/network access
  Type of risk: IT-dependent (access integrity); IT-specific (direct data access)

Domain: Program changes
  Associated risks: changes to application programs; changes to application configurations; changes to operating system/network
  Type of risk: IT-dependent (automated control/report integrity); IT-specific (data integrity)

Domain: Computer operations
  Associated risks: computer operations
  Type of risk: IT-specific (data integrity); IT-specific (application controls in computer operations)

Domain: Program development
  Associated risks: program development
  Type of risk: IT-dependent (automated control/report integrity); IT-specific (data integrity)

Domain: IT control environment
  Associated risks: organizational
  Type of risk: IT-dependent (automated control/report integrity)

The most common ITGC controls are:
- Logical access controls over infrastructure, applications and data
- System development life cycle controls
- Program change management controls
- Data center physical security controls
- System and data backup and recovery controls
- Computer operation controls
(ITGC, 2013)

Figure 2 shows the domains and their associated controls:

IT control environment: IT strategy; IT organisation; risk management
Systems development: initiation, analysis and design; constructing; testing; data conversion; implementation; documenting and training; segregation of duties
Computer operations: batch processing; interface processing; monitoring of computer processing; backups; computer centre operations
Program changes: specification and authorisation; constructing; testing; implementation; documentation and training; segregation of duties
Access to programs and data: application security administration; operating system security administration; network/connection security administration; database administration; application logical security; operating system logical security; network logical security; application, operating system and network powerful accounts; direct data access via application/network/OS/utilities; report integrity

Figure 2 (PwC, 2013)

For an organization to be in control of its IT it needs to identify the IT risks and implement a tailored ITGC control framework. A control framework consists of at least a risk, a control objective and a control activity. Control objectives are the "aim or purpose of specified controls at the service organization which address the very risks that these controls are intended to effectively mitigate" (SSAE16, 2013). Control activities are the activities that occur within a control (University of Washington, 2013). An example framework entry:

Risk: Unauthorized access to the IT systems because of weak password policies
Control objective: All passwords are based on a password policy based on best practices
Key control ref. no.: AM-1
Control activity: An up-to-date password policy is available and applied to key applications
Operator/owner: ICT manager
Preventive/detective: Preventive
Evidence: Password policies
Frequency: Annual

In the example framework above the risk, control objective and control activity can be seen. In order to make the control more SMART, an owner, type of control, evidence and frequency are added. A control framework can be used by internal and external auditors. Note that the evidence listed here (the written password policy) shows that a policy exists; whether it is actually enforced is determined by the operating system and application parameters that implement it, which is exactly where an operating system parameter check can add to the ITGC audit.

2.5 Auditing of the ITGCs

Accountancy firms have defined their own ITGC framework and audit these controls in an organisation. The IT auditor needs to form an opinion about the ITGCs by testing these controls. The auditor needs to design the audit activities based on the type of organization being audited, so as to be efficient and effective. Sufficient appropriate audit evidence needs to be obtained to be able to draw reasonable conclusions on which to base the auditor's opinion. Most of the auditor's work in forming the opinion consists of obtaining and evaluating audit evidence. Audit procedures to obtain audit evidence can include inspection, observation, confirmation, recalculation, reperformance and analytical procedures, often in some combination, in addition to inquiry. Reasonable assurance is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. The sufficiency and appropriateness of audit evidence are interrelated. Sufficiency is the measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by the auditor's assessment of the risks of misstatement (the higher the assessed risks, the more audit evidence is likely to be required) and also by the quality of such audit evidence (the higher the quality, the less may be required). Appropriateness is the measure of the quality of audit evidence, that is, its relevance and its reliability in providing support for the conclusions on which the auditor's opinion is based. The reliability of evidence is influenced by its source and by its nature, and depends on the individual circumstances under which it is obtained (International Standards on Auditing, 2009).

2.6 Information security

The term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide:
- Integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
- Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
- Availability, which means ensuring timely and reliable access to and use of information.
This is often depicted as the CIA triad, as seen below (Cornell, 2013).

Figure 3

In order to ensure the confidentiality, integrity and availability of information and information systems, companies often implement an access management, change management, business continuity and risk management process. Access to protected information must be restricted to people who are authorized to access the information. The foundation on which access control mechanisms are built starts with identification and authentication. Identification is an assertion of who someone is or what something is. Authentication is the act of verifying a claim of identity. Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Change management is a formal process for directing and controlling alterations to the information processing environment. This includes alterations to desktop computers, the network, servers and software. The objectives of change management are to reduce the risks posed by changes to the information processing environment and to improve the stability and reliability of the processing environment as changes are made. Business continuity is the mechanism by which an organization continues to operate its critical business units during planned or unplanned disruptions that affect normal business operations, by invoking planned and managed procedures. Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization (CISA, 2006). These four processes are also part of the ITGC audit as described in paragraph 2.4 (Information security, 2013).

2.7 Operating system security

Businesses store their financial information on computer systems. These computer systems enable employees to access, modify and delete information. The operating system is the heart of the computer system: it allows hardware and software applications to communicate with each other and share resources, as can be seen in the following definitions of an operating system:
- "Software designed to control the hardware of a specific data-processing system in order to allow users and application programs to make use of it." (Answers, 2013)
- "The collection of software that directs a computer's operations, controlling and scheduling the execution of other programs, and managing storage, input/output, and communication resources." (Dictionary, 2013)
- "An operating system (OS) is software, consisting of programs and data, which runs on computers and manages the computer hardware and provides common services for efficient execution of various application software." (Wikipedia, 2013)

For example, consider a program that allows a user to enter her password. The operating system provides access to the disk device on which the program is stored, access to memory to load the program so that it may be executed, the display device to show the user how to enter her password, and the keyboard and mouse devices for the user to enter her password. Of course, there are now a multitude of such devices that can be used seamlessly, for the most part, thanks to the function of operating systems. The operating systems most used by businesses are Microsoft Windows and the various UNIX variants. Ensuring the secure execution of all processes depends on the correct implementation of resource and scheduling mechanisms.
First, any correct resource mechanism must provide boundaries between its objects and ensure that its operations do not interfere with one another. For example, a file system must not allow a process's request to access one file to overwrite the disk space allocated to another file. Also, file systems must ensure that one write operation is not impacted by the data being read or written in another operation. Second, scheduling mechanisms must ensure availability of resources to processes to prevent denial of service attacks. For example, the algorithms applied by scheduling mechanisms must ensure that all processes are eventually scheduled for execution. These requirements are fundamental to operating system mechanisms. Many of the people, or at least many of the addresses, web sites and network requests, with which we share data aim to circumvent operating system security mechanisms and cause computers to share additional, unexpected resources. The ease with which malware can be delivered, and the variety of ways in which users and their processes may be tricked into running malware, present modern operating system developers with significant challenges in ensuring the security of their system's execution. There is an ongoing battle between operating system developers and attackers to secure and breach operating systems. The term "secure operating system" is considered both an ideal and an oxymoron. Systems that provide a high degree of assurance in enforcement have been called secure systems, or even more frequently trusted systems. However, it is also true that no system of modern complexity is completely secure. The difficulty of preventing errors in programming and the challenges of trying to remove such errors mean that no system as complex as an operating system can be completely secure (Jaeger, 2008).

Because an operating system plays such a vital role in an information system, its security has a direct impact on applications and their data, as can be seen in figure 3. All data that comes from outside the system needs to pass through the operating system layer.

Figure 3

Operating system settings are highly customizable in order to be tailored to the needs of the user. This means that the user is also responsible for a secure implementation of the configurable settings.

2.8 Operating system configuration for Windows Server 2008

Apart from the inherent design of the operating system, the configuration of its parameters also plays a role in how secure the operating system is. There are many types of operating systems that can be configured in a variety of different ways. Researching all of them would be too extensive for this thesis. This research therefore looks at the settings of one of the most used server operating systems, Windows Server 2008 (Wikipedia, 2013). Windows Server 2008 was released by Microsoft on February 27, 2008. It is the successor to Windows Server 2003.

The Center for Internet Security (CIS) helps organizations improve their security posture by reducing risk resulting from inadequate technical security controls. One way of doing this is by publishing security configuration benchmarks for operating systems. The security configuration benchmark for Windows Server 2008 was released on September 30th, 2011 and includes many parameter setting recommendations (CIS, 2011). Each recommendation contains a description, rationale, remediation, audit, default value and reference. For example, for the "Enforce password history" control we see the following recommendation:

Enforce password history
  Description: This control defines the number of unique passwords a user must use before a previously used password can be reused. For all profiles, the recommended state for this setting is 24 or more passwords remembered.
  Rationale: Enforcing a sufficiently long password history will increase the efficacy of password-based authentication systems by reducing the opportunity for an attacker to leverage a known credential. For example, if an attacker compromises a given credential that is then expired, this control prevents the user from reusing that same compromised credential.
  Remediation: To establish the recommended configuration via GPO, set the following to the value prescribed above: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
  Audit: Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed.
  Default value: 24 passwords remembered
  References: CCE

There are more than a hundred recommendations like this for Windows Server 2008. This shows one of the complexities of securing an operating system: it is always a balance of security versus usability. All these settings can be broken down and ordered into the following categories or controls:

Accounts: password and account settings. These settings all contribute to logical access security.
Audit Policy: settings regarding the logging of events and changes to the operating system, for example the logging of access attempts and of changes to user rights and policies.
Detailed Security Auditing: more specific auditing settings, like the logging of changes to the security state of the system, of access to a registry object, or of the results of a validation test.
Event Log: settings about the retention of the system logs and some technical settings.
Windows Firewall: settings about the setup of the Windows Firewall that is part of the operating system.
Windows Update: settings regarding the download and installation of new patches.
User Account Control: settings regarding the behaviour of the operating system when operations are performed that require elevated privileges.
User Rights: defines which types of users can perform certain actions, like logging on, shutting down or changing the system time.
Security Options: specific security settings such as interactive logon, Microsoft network client, network access and system settings.
Terminal Services: remote desktop settings.
Internet Communication: settings regarding the use of local resources over a network connection, like printing or publishing files.
Additional Security Settings: additional settings like disabling remote desktop sharing, turning off AutoPlay and registry policy processing.

Most of the categories fall under the ITGC domain Access to programs and data, except for the Windows Update category, which falls under Computer operations.

2.9 Influence of operating system settings on the IT General Controls

As can be seen in the previous paragraphs, the operating system is only one of the parts that together form a secure information system environment. Logically it protects the applications, data and system resources, but once a program or user has been granted access it cannot control the implications of that access. For example, the operating system cannot control the behaviour of a user within an application or the content of the data being sent and received. Nevertheless it is an essential part of the security, because it protects data from external and internal threats in a way that applications cannot. There is no single setting that determines how secure an operating system is, and therefore an auditor always has to look at a combination of settings. Some settings have a higher impact than others. Not being able to rely on the operating system for the "access to programs and data" controls undermines the application controls.
In practice most operating systems including Windows Server 2008 have a basic level of security configured which means that reliance on the operating system is not binary and can be partial. Financial statement audits always have a time period in scope. In order for an auditor to get some comfort over the operating system settings for a certain period the changes to the settings need to be logged. Which means an auditor either has to rely on the change management process or has to inspect the event logs that the server generates (if this logging is enabled).

3 Hypotheses

3.1 Conceptual Framework

There are different operating systems and types of audits that need to be identified and researched. This research will only look at Microsoft Windows Server 2008 for the financial statement ITGC audit in order to keep focus. To visualize the research question and give a clear overview of which variables are involved and how they are interlinked, the research idea of this thesis can be visualized in the Conceptual Framework seen below.

[Figure: conceptual framework. Variables: Inherent operating system security design, Operating system parameters, Operating system parameter configuration, Operating system comfort and ITGC comfort, linked by relations T0, T1, T3 and T4 (diagram not preserved)]

There are five main variables that can be distinguished in this framework: the Independent Variables Inherent operating system security design and Operating system parameters, the Moderating Variable Operating system configuration, the Dependent Variable Operating system comfort and the Dependent Variable ITGC comfort. The meaning of these variables will be explained next.

First, the independent variables Inherent operating system security design and Operating system parameters stand for all the possible operating systems and their inherent security design. There are many different operating systems built for different purposes, and they thus have a different security design. A company has to think about this when it chooses the operating system for its applications. Next to the inherent design it also has to make sure that the operating system is set up and configured according to its security needs.

Secondly, Operating system configuration is the moderating variable in this framework. It entails the actual configuration of the operating system. This variable influences the dependent variables based on the parameter configuration.

The fourth variable, Operating system comfort, is one of the dependent variables in this framework. It entails the combination of security design and configuration leading to a level of comfort that can be placed on the operating system.

Finally, the dependent variable ITGC comfort is about the contribution of the Operating system comfort to the IT General Controls audit. If an audit looks at application controls, Operating system comfort must be obtained.

3.2 Hypotheses

With the conceptual framework set up, specific working hypotheses can be formulated to test the framework. Working hypotheses (WH) are "a provisional, working means of advancing investigation"; they lead to the discovery of other critical facts (Dewey, 1938). Working hypotheses are linked to exploratory studies (Shields, 2006). They are never proven but are supported by empirical evidence. Building on the research questions, the working hypotheses will explore the subject in more detail. Based on the literature background the following working hypotheses were created.

WH1: An operating system parameter audit will only give comfort over the operating system layer

As depicted in Figure 3, the operating system is the layer between applications, data and the network. Auditing the operating system parameters will therefore only give comfort over the implementation of information security on the OS layer.

WH2: Operating system comfort is essential for reliance on application controls

Because the operating system manages system resources and data, the system needs to be secured in a way that minimizes the risk of unauthorized use of the system resources. Using an application, even in a client/server architecture, requires some form of operating system access and thus exposes the application and data to certain threats.

3.3 Control Variables

In order to answer the research question and the sub-questions, the relationships between the main variables have to be tested. Based on the results, the formulated working hypotheses can then either be supported or not. However, it is possible that the results of this study are influenced by other variables that were not included in the framework. For this study it will be hard to exclude all the other variables that might influence the Dependent Variable ITGC comfort and thus influence the outcome of this study.

The Inherent Operating system security design is a variable that greatly influences the Operating system comfort but is tricky to measure. As Jaeger (2008) argues that no operating system of great complexity can be completely secure, a feeling for its security can be obtained by looking at its history of security and its design philosophy.

Although the methodology for performing an IT General Controls audit tries to be as objective as possible, there is still a lot of room for an auditor's opinion and so-called professional judgment. Companies are almost never 100% alike, technology develops fast and there are many variables that influence IT security, yet auditors often work on a tight time schedule with a limited budget. Therefore an auditor has to form an opinion as best as possible and can only give reasonable or limited assurance.

4 Case study methodology

4.1 Research Methods

The purpose of this research is to find out what the added value of an operating system audit is for the IT General Controls. In order to do this, this study first tries to find out the theoretical place of an operating system in the IT General Controls framework and audit methodology. Secondly, an operating system parameter audit is performed and the added value to the ITGC audit is discussed. The methodology used for exploring the hypotheses is a case study. This study uses the hypothetico-deductive method that according to Sekaran (1992) involves seven research steps: observation, preliminary information gathering, theory formulation, hypothesizing, further scientific data collection, data analysis and logically deducing conclusions from the results obtained.

Observation

By being a professional auditor at a big firm and studying IT audit, the researcher is aware of discussions and hot topics in the field of IT audit. The company the researcher works for has been using a tool for the last couple of years to audit operating system parameters, and the results of these settings are being sent back to the audit teams. It was observed that auditors often do not know how to interpret the results and what the added value to the audit is. They noticed that it makes an impact at the client if they present the results, but the exact meaning and impact for the ITGC audit as part of the financial statement audit is unclear. The researcher felt that this was an interesting area that lacked sufficient academic or pragmatic literature and needed to be clarified.

Preliminary information gathering

Preliminary information gathering is the search for information in order to build up the researcher's understanding of the area (Sekaran, 1992). In order to do so a research proposal was written. Google, work experience and the PwC audit guide were the basis for further preliminary information gathering. The topics of financial statement audits, IT General Controls, auditing and operating systems were explored. Most concrete information was not found in academic literature but in white papers and best practices.

Theory formulation

The theory formulation is done by literature research and is necessary in order to get a good understanding of what is already known about the topic, to save valuable time and to make sure the wheel doesn't get invented for the second time. Not only operating system and IT General Controls literature is relevant for the theory formulation but also related literature, in order to develop a theoretical framework. The goal of this theoretical framework is to put the topic in perspective. Most of the literature research was done via Google and Google Scholar, which can search through many (academic) databases. Besides online literature research the researcher has access to internal audit methodology material from PwC, one of the four big accountancy and consulting firms, in the form of the PwC audit guide. This guide describes the company's audit methodology in order to deliver high quality audits.

Hypothesizing

From the theoretical framework educated guesses were made regarding the outcome of the research question. These working hypotheses are presented in chapter 3.2. They represent a tentative statement of a relationship between two variables that has yet to be empirically tested. This study will try to test these hypotheses and the empirical results will either hold and support the hypotheses or discard them.

Further scientific data collection

In order to test the hypotheses further scientific data has to be collected. In order to find out about the added value of an operating system audit, this study will perform an operating system audit at three companies that use Microsoft Windows Server 2008 as the platform for their IT environment.

The operating system design

In order to get an understanding of the inherent operating system security design, literature research is performed by looking at the builder's design philosophy, responsiveness to security issues and global opinion.

The operating system parameters

Based on the CIS best practice a parameter scan will be performed at each participating company. The researcher will use his professional network to find three companies willing to do an operating system parameter scan. The researcher will provide a script that the companies need to run on their Windows Server 2008 Domain Controller. This script will check the parameters and output the results into a text (.txt) file. The results in this file will be analyzed using a tool called Easy2Audit. Easy2Audit is a benchmarking website where you can upload the results of the script and it will generate a graphical representation of the results.

Data analysis and conclusion

After all the scans are performed, the case information per company will be stated and the results will be evaluated. The research will make use of Easy2Audit's benchmark tool to make a graphical representation of the results, from which the researcher will further investigate. Next to that, the parameters, baseline values and results will be put into a table. For the baseline, the recommended settings for an enterprise domain controller are used because we are testing the enterprise domain controllers. The other recommended settings in the CIS baseline are for Special Security Limited Function (SSLF) systems. The companies in our sample do not have a higher than average risk profile, so it was chosen not to use the recommended SSLF settings.

4.2 Sample selection

The samples used in the research are companies that run a Microsoft Windows office environment that is managed by Active Directory, where the domain controllers run on Microsoft Windows Server 2008. Domain controllers distribute the company's IT policies and configuration settings to all computers that are in the office network. This means that a domain controller is a key system in a network and needs to be secure. The configuration of the domain controller does not necessarily apply to the computers in the domain, but it can indicate the level of thought that was given to security. If a domain controller is compromised, a hacker has the potential to access all systems that are part of the Active Directory network.
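As an added illustration of the parameter check described in paragraph 4.1 and of the recommendation format shown in paragraph 2.8 (example code written for this page, not the scan script or the Easy2Audit tool used in the research), the following Python script compares a local security policy export produced on a Windows server with "secedit /export /cfg <file>" against baseline values for the Accounts category and reports a compliance percentage. The value 24 for the password history is the CIS recommendation quoted in paragraph 2.8; the other baseline values and the sample export are assumed and constructed for this example.

```python
"""Compare a Windows security policy export with an account-policy baseline.

Added example for this page; it is not the scan script or the Easy2Audit tool
used in the thesis. Input format: the INI-style file written by
"secedit /export /cfg <file>" on a Windows server (the real export is
UTF-16 encoded, so read it from disk with encoding="utf-16").
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Baseline for the [System Access] section. PasswordHistorySize 24 is the CIS
# recommendation quoted in the thesis; the remaining values are ASSUMED for this
# example and must be taken from the benchmark edition actually in use.
# Rule forms: ("min", n), ("max", n), ("eq", n), ("between", (low, high)).
BASELINE = {
    "PasswordHistorySize": ("min", 24),
    "MinimumPasswordLength": ("min", 14),
    "MaximumPasswordAge": ("max", 60),
    "MinimumPasswordAge": ("min", 1),
    "PasswordComplexity": ("eq", 1),
    "LockoutBadCount": ("between", (1, 5)),
}

# Constructed sample export resembling the weakest result in the thesis (no
# minimum password length, no password history, no lockout). Not real company data.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Event Audit]
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""


@dataclass
class Finding:
    parameter: str
    expected: str
    actual: str
    compliant: bool


def parse_secedit_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a secedit export into {section: {key: raw value}}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str  # keep the export's key casing (PasswordHistorySize)
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def describe(rule) -> str:
    """Human-readable form of a baseline rule for the findings table."""
    op, expected = rule
    if op == "between":
        return f"{expected[0]}..{expected[1]}"
    if op == "max":
        return f"1..{expected}"
    return f"{'>=' if op == 'min' else '=='} {expected}"


def check_value(rule, value: int) -> bool:
    """Apply one baseline rule. Edge cases: MaximumPasswordAge 0 or -1 means
    'password never expires' and LockoutBadCount 0 means 'never lock out';
    both fail their rule instead of passing as a small number."""
    op, expected = rule
    if op == "min":
        return value >= expected
    if op == "max":
        return 0 < value <= expected
    if op == "eq":
        return value == expected
    if op == "between":
        low, high = expected
        return low <= value <= high
    raise ValueError(f"unknown rule type {op!r}")


def evaluate(policy: dict[str, dict[str, str]]) -> list[Finding]:
    """Check every baseline parameter; a missing or non-numeric value is a finding."""
    system_access = policy.get("System Access", {})
    findings = []
    for parameter, rule in BASELINE.items():
        raw = system_access.get(parameter)
        if raw is None:
            findings.append(Finding(parameter, describe(rule), "<not present>", False))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(Finding(parameter, describe(rule), raw, False))
            continue
        findings.append(Finding(parameter, describe(rule), raw, check_value(rule, value)))
    return findings


def compliance_percentage(findings: list[Finding]) -> float:
    """Share of baseline parameters met, like the overall compliance figure per company."""
    return 100.0 * sum(f.compliant for f in findings) / len(findings) if findings else 0.0


if __name__ == "__main__":
    results = evaluate(parse_secedit_export(SAMPLE_EXPORT))
    for f in results:
        print(f"{'PASS' if f.compliant else 'FAIL'} {f.parameter}: expected {f.expected}, actual {f.actual}")
    print(f"Accounts compliance: {compliance_percentage(results):.0f}%")
```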

5 Case study findings

Three Dutch companies participated in this study; they are anonymized for privacy and security reasons. This study took place between January 2013 and June 2013. The system administrators first tested the scripts on their test environment before running them on production. It took each administrator about an hour to test the scripts, run the scripts on the production environment and send the results.

5.1 Company profile

Company A
The first company is a medium sized company with about 500 employees active in the food industry. Their ERP system, SAP, is used primarily for sales, purchasing and finance. They run a Windows environment which is administered by two domain controllers. There is no single sign-on, so in order to log in to SAP a separate username and password have to be used.

Company B
The second company is a small company operating in the gambling machine market. They use Exact for their enterprise resource planning and run a Windows environment.

Company C
Company C is a medium sized software company operating in the supply chain logistics industry. Their ERP system, SAP, is used primarily for sales and purchasing. They run a Windows environment which is administered by two domain controllers. There is no single sign-on, so in order to log in to SAP a separate username and password have to be used.

5.2 Outcome

[Figures: compliance overall, and the results for Company A, Company B and Company C (charts not preserved)]

The more detailed results can be found in Appendix I.

5.3 Analysis of results

In this paragraph the results obtained from the scans and the theoretical framework will be discussed. First the parameter categories and their audit impact are discussed. Once the audit impact of the parameters is determined, non-technical factors are discussed. A complete overview of the results can be found in chapter 5. Thereafter results aside from the working hypotheses are presented.

Accounts

In the ITGC framework the account settings can be placed in the Access to programs and data domain, and they directly influence the logical operating system security. They can also influence application and data access if there are no further mitigating controls defined.

Finding: Decreased efficacy of the password based authentication control.
Impact: Unauthorized users get administrator access to the critical systems, their applications and data.
Likelihood: Medium.
Risk: Medium. This control can directly influence access to financial data and thus cause financial misstatements. Unauthorized access to financial data and applications can lead to misstatement and fraud, and can threaten business continuity.

Our results show that none of the companies have implemented a secure password policy. In company C the password based authentication control is operating at a bare minimum, without a minimum password length, making it simple to guess or brute force the password.

Audit policy

In the ITGC framework the audit policy can be placed in the Computer operations domain under monitoring of computer processing. The event log is filled based on the audit policy. This can be classified as a detective control for the inspection of (potential) problems afterwards. As can be seen in the baseline, CIS did not define any audit settings. This is because Windows Server 2008 comes with more detailed audit facilities that are preferred over the legacy audit facility.

Finding: No audit trail available.
Impact: Not possible to determine system and user changes to the system over a certain period. In case of a calamity this can make it more difficult to inspect the cause.
Likelihood: Medium.
Risk: Low. This is a detective control that does not directly influence financial misstatement. It is merely a monitoring instrument.

The obtained results show that all three companies use the Windows Server 2008 audit facility, each in a different manner. This means that the companies have event logs available that can be used in case of a calamity.

Detailed Security Auditing

The detailed security auditing parameters are the detailed audit policies introduced in Windows Server 2008. In the ITGC framework the detailed security auditing policy can be placed in the Computer operations domain under monitoring of computer processing. Its use and impact on the ITGC audit are similar to those of the audit policy described in the previous paragraph.

Event log

With the event log parameters the size of the logs, and thus the retention of events, is determined. This would, just as the audit policy and detailed security auditing categories, fall under the monitoring control category as part of the Computer operations domain. Its use and impact on the ITGC audit are similar to those of the audit policy described above. The event log settings, in combination with the audit policy and/or the detailed security auditing, together determine the impact for the monitoring control called the audit trail.

Windows Firewall

The Windows Firewall controls the incoming and outgoing connections and is thus part of the Access to programs and data domain. Companies often have a dedicated firewall controlling all the network traffic. This often results in a de-activated Windows Firewall, which can be seen in the results, where none of the companies have any firewall rules defined. An auditor should establish that the client uses a dedicated firewall. If this is not the case then the whole network is open to the outside world, and that alone would pose a serious security hazard. The risk analysis done for this category assumes a dedicated firewall.

Finding: No firewall settings configured.
Impact: Administrators can overwrite Group Policy settings, which exposes the system to remote attacks. However, in case of a dedicated firewall this might have no impact.
Likelihood: Low.
Risk: Low. All network activity is controlled by a dedicated firewall.

Windows Update

The Windows Update parameters define how Windows handles available updates. This would fall under the Access to programs and data domain, since ensuring that the latest updates and patches are installed minimizes the potential of a successful hack through a known vulnerability. However, the settings alone do not tell anything about the patch level of the server, and thus not much can be said about the patch level of the machine.

Finding: Windows Update settings do not enforce the positive behavior of installing updates.
Impact: No impact.
Likelihood: Low.
Risk: Low. These settings do not tell anything about the patch level of a machine but can indicate a non-adequate patch management process.

User Account Control

User Account Control aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an elevation. This ensures that malicious software is not able to perform administrative tasks on the operating system. This control would fit under operating system security in the Access to programs and data domain.

Finding: UAC is not enabled.
Impact: Software uses administrator operating system functions to perform malicious actions.
Likelihood: Medium.
Risk: Medium. Once a system is infected with malware it might perform malicious actions that impact the integrity of the system.

In the results we can see that all companies have UAC enabled in some manner. Company C has implemented it in the most secure way, so that even admin approval is required for admin accounts.

User Rights

The user rights parameters would also fall under the Access to programs and data domain. They manage which users and/or user groups can perform certain high risk or administrative functions. They also impact some of the system security design functions.

Finding: User rights are not set up based on the least authorizations principle.
Impact: Unexpected users can perform high risk or administrative functions, which can compromise the system's availability and integrity.
Likelihood: Medium.
Risk: Medium. The attack surface is increased unnecessarily.

In the results we can see that all three companies have defined and limited most user rights to appropriate users or groups.

Security options

The security options parameters are a set of security options influencing various functionalities like accounts, devices, domain membership, logon, Microsoft network client, network and system. Operating system security administration is the ITGC topic this would be placed in.

Finding: Security options do not adhere to the best practice.
Impact: Attackers could potentially benefit from the security misconfiguration, compromising the system.
Likelihood: Low.
Risk: Medium. The security options are not configured tightly, which increases the chance of a successful attack.

The companies have set about 60% of the security options according to the best practice.

Terminal services

With terminal services, users can log in to a server from a remote location. The parameters deal with encryption, the password mechanism and drive redirection. In the ITGC framework we can find these settings under operating system logical security.

Finding: The terminal services connection is more vulnerable to eavesdropping because of the lower level of encryption.
Impact: Unauthorized access to the server through terminal services.
Likelihood: Medium.
Risk: High. Unauthorized access through terminal services makes it easy for an attacker to compromise the system. Attackers can potentially access remote servers via a locally saved terminal services shortcut.

The results show that the default values apply for all companies except company B, which disabled drive allocations.

Internet Communication

The best practice recommends disabling all unnecessary internet options that come with Windows Server 2008 for hardening purposes. Operating system security administration in Access to programs and data would be the ITGC domain this relates to.

Finding: Unnecessary internet options enabled.
Impact: Increased exposure to malicious content, unstable drivers and potential loss of information.
Likelihood: Medium.
Risk: Medium. The system has unnecessary functions enabled that can disrupt the system and lead to information leakage when an administrator is not careful.

None of the companies have changed any of the default values, leaving these options enabled and thus unnecessarily increasing their risk.

Additional security settings

The additional security settings are settings that can further harden the system. The difference with the security options is that the security options can have multiple possible values, while the additional security settings are more binary. Only three out of the 11 settings have to be set according to the best practice; these relate to operating system security and logical access in the Access to programs and data domain.

Finding: Additional security settings not configured.
Impact: Increased number of options that an attacker can benefit from to compromise the system.
Likelihood: Low.
Risk: Medium. The options that are not set according to the best practice can be key for an attacker to compromise the system.

None of the companies have changed any of the default values, leaving these options enabled and thus unnecessarily increasing their risk.

5.4 Other factors

Aside from the value of the parameter audit, there are many other factors that can influence whether an auditor should use an operating system parameter scan. These factors are drawn from the researcher's audit experience.

Costs of the operating system parameter check

Most audits are performed for an agreed upon fee and thus have a limited budget. Although an operating system parameter check is no rocket science, it will take an auditor at least a couple of hours to perform. There are many cases, especially when small companies are audited, which often have a very tight budget, where a couple of hours is already quite an expense on the budget. This means that an auditor will have to decide how to spend his hours most effectively in order to gain the most comfort.

Type of operating system(s) in use

Although there are baselines for the most common operating systems, it is possible that a company uses a legacy or customized operating system. In these cases it will be a time consuming task to get any comfort about that operating system, and comfort needs to be obtained in a different manner.

No extra comfort

There could be situations where testing the operating system parameters would lead to no extra comfort, for example when a server or computers are not connected to an external network. When it is known that the ITGC audit will lead to limited or no comfort, the additional comfort obtained by performing an operating system audit will be minimal.

Politics and time

Companies can be reluctant to run scripts from third parties, such as the auditor, because they fear it can disrupt the system. In these cases the scripts will need to go through a test procedure before they can be run on a production environment. This can take quite some time depending on the company's organization, as it has to go through (multiple) steps of approval. This might influence the usability of an operating system parameter audit because of the time factor. Some companies might outright refuse to run a script on their server, which means the auditor will have to inspect the settings himself or find some other way to obtain them, probably increasing the time spent and thus the costs.

6 Validation of hypotheses

In this chapter the working hypotheses are discussed.

WH1: An operating system parameter audit will only give comfort over the operating system layer

As noted in paragraph 6.2, the parameters influence the Access to programs and data and Computer operations ITGC domains. Within these domains operating system security, operating system logical security, operating system powerful accounts, network powerful accounts, direct data access and network logical security are influenced. Because the operating system is the heart of a system, it is logical that all these categories are influenced. The results obtained from the operating system audit give all the information needed to formulate an opinion regarding the operating system layer. However, the information can also tell the auditor something about the security policy of the company, the manner of hardening they applied and their user account policy. The results support the working hypothesis in the sense that the audit will only give comfort about the operating system layer. It does, however, give an auditor additional information that might influence his audit approach and opinion.

WH2: Operating system comfort is essential for reliance on application controls

There are many settings that an attacker can use to eventually compromise a system. Once access, or worse, administrator access is obtained, an attacker can further penetrate the system, directly accessing or modifying unprotected data. Secured data can also be stolen or attempts can be made to breach its security. User account data can be used to try to log in to applications, and if a company has single sign-on enabled, access is immediately obtained. All this can lead to a bypass of application controls. Because of the layers in computer systems, comfort can only be obtained over a layer if the layers below it are reliable. The literature and results support the working hypothesis that operating system comfort is essential for reliance on application controls.

Conclusions

The intention of this research was to determine the added value of an operating system audit to the IT General Controls audit by answering the research question: How does a baseline security scan on operating system parameters add value to an ITGC audit? A literature study provided the context and role of operating systems within the ITGCs. A best practice for Windows Server 2008 configuration settings was used to test three companies against this baseline. This led to (1) a risk analysis of the security categories and (2) insight into the companies' compliance and the link between the parameters.

To answer the research question, three sub-questions have to be answered.

First of all, what is the place of operating system parameters in the IT General Control environment? As can be seen in the analysis of results (chapter 5.3), all the parameters were analysed and the results show that they can be linked with the "access to programs and data" and "computer operations" ITGC domains. This demonstrates that they have a place in the IT General Control framework and thus should be taken into account when performing an ITGC audit.

Secondly, what kind of comfort and assurance can an operating system parameter baseline scan add to the ITGC audit? It was found that there are many parameters that an attacker can leverage to compromise an operating system. Once access, or worse, administrator access is obtained, an attacker can penetrate the system further, directly accessing or modifying unprotected data. Secured data can also be stolen, or attempts can be made to breach its protection. User account data can be used to log into applications, and if a company has single sign-on enabled, access is obtained immediately. All of this can lead to a bypass of application controls.

As discussed in the working hypotheses, an audit on operating system parameters only gives comfort over the operating system layer, but this comfort is essential. When there is no comfort regarding the operating system layer, the integrity, confidentiality and availability of the information generated by the system cannot be fully relied upon. The results from an operating system parameter audit can also influence the audit approach and opinion because of the indirect information they give about the company's security policy.

Thirdly, under which conditions should an ITGC auditor consider using an operating system parameter baseline scan? As shown, operating system security has a place within the ITGC framework and is essential for relying on information generated by applications. An auditor should consider using an operating system parameter baseline scan when he judges that there is a risk of unauthorised access to the systems. This judgement can be made by looking at the company's IT environment, infrastructure, external connections and other mitigating factors.

The answer to the research question, How does a baseline security scan on operating system parameters add value to an ITGC audit?, lies in the theory, the case study results and the answers to the sub-questions above. This research shows that a baseline security scan on operating system parameters adds comfort to the IT General Controls when the auditor judges that there is a risk of unauthorised access to the system. It also argues that operating system comfort is necessary in order to rely on information generated by applications.
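As an added example (not part of the thesis, nor of the CIS benchmark it uses), the following Python script shows what the baseline scan discussed above looks like in practice. It parses the INF produced by `secedit /export /cfg <file>` on a Windows server and flags every account-policy value, "No one" user right and audit-policy setting that is weaker than the Appendix I baseline; it also decodes the numeric legacy audit categories (0, 1, 2, 3) that the appendix reports. The embedded export is constructed from Appendix I values (Company A's account and audit policy, Company B's holder of SeTcbPrivilege); the batch-logon holders and the registry line for the subcategory override are assumptions.

```python
"""Baseline check of a secedit policy export (added example, not the thesis's own code)."""
import configparser
import io

# Constructed secedit-style export (real ones are UTF-16 encoded): account and
# audit values mirror Company A in Appendix I; the SeTcbPrivilege holder mirrors
# Company B; the batch-logon holders and the registry line are assumptions.
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 4
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 1
AuditAccountLogon = 1
[Privilege Rights]
SeTcbPrivilege = patrol
SeBatchLogonRight = *S-1-5-32-544,IIS_WPG
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SCENoApplyLegacyAuditPolicy=4,0
"""

# Account policy baseline from Appendix I. Each rule states what "at least as
# strict as the baseline" means, so a stricter setting passes rather than fails.
ACCOUNT_RULES = [
    ("PasswordHistorySize", 24, lambda v: v >= 24, "fewer than 24 old passwords remembered"),
    ("MaximumPasswordAge", 60, lambda v: 0 < v <= 60, "passwords expire after more than 60 days or never (-1)"),
    ("MinimumPasswordAge", 1, lambda v: v >= 1, "an old password can be reinstated immediately"),
    ("MinimumPasswordLength", 8, lambda v: v >= 8, "passwords shorter than 8 characters accepted"),
    ("PasswordComplexity", 1, lambda v: v == 1, "complexity not enforced"),
    ("ClearTextPassword", 0, lambda v: v == 0, "passwords stored with reversible encryption"),
    ("LockoutBadCount", 15, lambda v: 0 < v <= 15, "no lockout (0) or more than 15 attempts allowed"),
    ("LockoutDuration", 15, lambda v: v == -1 or v >= 15, "lockout shorter than 15 minutes"),
    ("ResetLockoutCount", 15, lambda v: v >= 15, "bad-attempt counter resets before 15 minutes"),
]
# User rights whose Appendix I baseline is "No one"; any holder is a finding.
NO_ONE_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeCreatePermanentPrivilege": "Create permanent shared objects",
    "SeEnableDelegationPrivilege": "Enable accounts to be trusted for delegation",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeSyncAgentPrivilege": "Synchronize directory service data",
}
# Legacy audit category encoding used by secedit and in Appendix I.
AUDIT_MEANING = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success and Failure"}
# "Audit: Force audit policy subcategory settings to override ..." (baseline 1).
OVERRIDE_KEY = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SCENoApplyLegacyAuditPolicy"


def parse_export(text):
    """Parse secedit's INF layout; keep key case and do no %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def decode_audit(cp):
    """Map each legacy audit category to its Group Policy wording."""
    return {k: AUDIT_MEANING.get(int(v), "unknown") for k, v in cp["Event Audit"].items() if v.strip()}


def check_export(text):
    """Return (setting, actual, baseline, explanation) for every deviation."""
    cp = parse_export(text)
    findings = []
    access = cp["System Access"]
    for key, baseline, ok, why in ACCOUNT_RULES:
        raw = access.get(key, "").strip()  # absent or empty: nothing is enforced
        if not raw:
            findings.append((key, None, baseline, "not set in export, nothing enforced"))
        elif not ok(int(raw)):
            findings.append((key, int(raw), baseline, why))
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    for key, name in NO_ONE_RIGHTS.items():
        holders = [h for h in rights.get(key, "").split(",") if h]  # "*S-..." is a SID
        if holders:
            findings.append((key, holders, "No one", f"'{name}' granted to {', '.join(holders)}"))
    override = cp["Registry Values"].get(OVERRIDE_KEY) if cp.has_section("Registry Values") else None
    if override is None or override.split(",")[-1] != "1":
        findings.append(("SCENoApplyLegacyAuditPolicy", override, "4,1",
                         "subcategory audit settings do not override legacy categories"))
    return findings


if __name__ == "__main__":
    for key, value in decode_audit(parse_export(SAMPLE_EXPORT)).items():
        print(f"{key:22s} {value}")
    for setting, actual, baseline, why in check_export(SAMPLE_EXPORT):
        print(f"DEVIATION {setting}: actual={actual!r}, baseline={baseline!r}: {why}")
```

On a real server the input comes from `secedit /export /cfg policy.inf`, read with `encoding="utf-16"`. The rules encode "at least as strict as the baseline" rather than equality, which is how an auditor should read a benchmark: a company that remembers 30 passwords or locks out after 5 attempts is not a deviation. An empty value such as Company C's `LockoutBadCount =` is reported as "nothing enforced", the same conclusion the appendix draws from a null entry.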

Limitations and further research

As mentioned before, this study has several limitations. First of all, no thorough study was performed regarding the operating system's inherent security design. An unresolved security flaw could undermine the whole value of the parameter check. Also, the researcher did not inspect all the operating system parameters individually or test their workings; this research relies on the recommendations of the Center for Internet Security.

Secondly, this research only focuses on Windows Server 2008 and inspected its best practice. Therefore this research can say little about other operating systems. The usefulness, cost and time of such a scan can vary depending on the operating system's security options and design.

Thirdly, as mentioned in paragraph 5.4, there are many factors that influence the appropriateness and added value of a parameter scan to an ITGC audit. These factors are not taken into account in this research and leave room for further research. If all these factors are researched, this might lead to a more concrete framework on when to use an operating system audit.

Furthermore, the role of the accountant and auditor is an ongoing discussion. Especially with the increasing risk of cyber-attacks, there might be a shift in thinking and in the interpretation or adaptation of the financial statement assertions. This can influence the way the auditor has to take cyber security and business continuity into account. Because systems are not stand-alone and operate within an IT environment, an audit on operating systems as well as on the other components in the infrastructure, e.g. the firewall, could potentially increase the value to the ITGCs. Further research could look at the added value of an infrastructure audit to the ITGCs.

References

Albornoz Mulligan, J. (2007). Best Practices: Server Operating System Security.
Answers. (2013). Retrieved from Answers.
CIS. (2011). Security Configuration Benchmark for Microsoft Windows Server. Center for Internet Security.
CIS. (2013). Center for Internet Security. Retrieved from
CISA. (2006). Review Manual.
Comte, L. (2009). IT audit en SOx. Retrieved from
Cornell. (2013). Retrieved from
COSO. (2013). Retrieved from Integrated%20Framework.pdf
Dewey. (1938). Experience and Education. The Educational Forum, Volume 50, Issue 3, 1986, pp.
Dictionary. (2013). Dictionary. Retrieved from Reference.
GFS. (2013). Retrieved from
Information security. (2013). Retrieved from Wikipedia.
International Standards of Auditing. (2009).
ISACA. (2013). Information System Audit and Control Association. Retrieved from
ITGC. (2013). Retrieved from Wikipedia.
Jaeger, T. (2008). Operating System Security. Morgan & Claypool.
Jenkins, B. (1992). An Audit Approach to Computers.
PwC. (2013). PwC Audit Guide.
Sekaran, U. (1992). Research Methods for Business: A Skill Building Approach. New York: John Wiley & Sons.
Shields, P. M. (2006). Intermediate theory: The missing link to successful student scholarship. Journal of Public Affairs Education, Vol. 12, No. 3, pp.
SSAE16. (2013). Retrieved from example-control-objectives-for-soc-1-ssae-16-reporting--ssae16org.html
Starreveld. (2002). Bestuurlijke Informatieverzorging, Deel I, Algemene Grondslagen.
University of Washington. (2013). Retrieved from
Wikipedia. (2013). Operating system. Retrieved from Wikipedia.
Wikipedia. (2013). Usage share of operating systems. Retrieved from Wikipedia.

Appendix I: Case research

Columns: Control, Baseline (CIS best practice), Company A, Company B, Company C. Company values are shown as exported by secedit (e.g. PasswordHistorySize = 0); "null" means the setting was not present in the export.

Accounts

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Password History | 24 | PasswordHistorySize = 0 | PasswordHistorySize = 6 | PasswordHistorySize = 0 |
| Maximum Password Age | 60 | MaximumPasswordAge = -1 | MaximumPasswordAge = 60 | MaximumPasswordAge = -1 |
| Minimum Password Age | 1 | MinimumPasswordAge = 0 | MinimumPasswordAge = 1 | MinimumPasswordAge = 0 |
| Minimum Password Length | 8 | MinimumPasswordLength = 4 | MinimumPasswordLength = 6 | MinimumPasswordLength = 0 |
| Password Complexity | 1 | PasswordComplexity = 0 | PasswordComplexity = 0 | PasswordComplexity = 1 |
| Store Passwords using Reversible Encryption | 0 | ClearTextPassword = 0 | ClearTextPassword = 0 | ClearTextPassword = 0 |
| Account Lockout Duration | 15 | null | null | null |
| Account Lockout Threshold | 15 | LockoutBadCount = 0 | LockoutBadCount = 0 | LockoutBadCount = |
| Reset Account Lockout After | 15 | null | null | null |
| Microsoft Network Server: Disconnect clients when logon hours expire | | | | |

Audit Policy (legacy categories; secedit encodes 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure)

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Audit Account Logon Events | 0 | AuditAccountLogon = 1 | AuditAccountLogon = 3 | AuditAccountLogon = 0 |
| Audit Account Management | 0 | AuditAccountManage = 1 | AuditAccountManage = 3 | AuditAccountManage = 0 |
| Audit Directory Service Access | 0 | AuditDSAccess = 1 | AuditDSAccess = 2 | AuditDSAccess = 0 |
| Audit Logon Events | 0 | AuditLogonEvents = 1 | AuditLogonEvents = 3 | AuditLogonEvents = 0 |
| Audit Object Access | 0 | AuditObjectAccess = 0 | AuditObjectAccess = 0 | AuditObjectAccess = 0 |
| Audit Policy Change | 0 | AuditPolicyChange = 1 | AuditPolicyChange = 3 | AuditPolicyChange = 0 |
| Audit Privilege Use | 0 | AuditPrivilegeUse = 0 | AuditPrivilegeUse = 2 | AuditPrivilegeUse = 0 |
| Audit Process Tracking | 0 | AuditProcessTracking = 0 | AuditProcessTracking = 0 | AuditProcessTracking = 0 |
| Audit System Events | 0 | AuditSystemEvents = 1 | AuditSystemEvents = 0 | AuditSystemEvents = |
| Audit: Shut Down system immediately if unable to log security audits | | | | |
| Audit: Force audit policy subcategory settings to override audit policy category settings | 1 | | | |

Detailed Security Auditing

Reading of the values: the extracted text lost the word "Success", so a blank subcategory value is Success and "and Failure" is Success and Failure. This reading agrees with the legacy category values above (Company A reports 1 = Success throughout, Company B 3 = Success and Failure). Baseline values for the rows after System Integrity survived only as the sequence No Auditing, No Auditing, Success and Failure, Success and Failure (the rest blank), without row positions, and are therefore left empty.

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Audit Policy: System: IPsec Driver | Success and Failure | Success | No Auditing | No Auditing |
| Audit Policy: System: Security State Change | Success and Failure | Success | No Auditing | Success |
| Audit Policy: System: Security System Extension | Success and Failure | Success | No Auditing | No Auditing |
| Audit Policy: System: System Integrity | Success and Failure | Success | No Auditing | Success and Failure |
| Audit Policy: Logon-Logoff: Logoff | | Success | Success and Failure | Success |
| Audit Policy: Logon-Logoff: Logon | | Success | Success and Failure | Success and Failure |
| Audit Policy: Logon-Logoff: Special Logon | | Success | Success and Failure | Success |
| Audit Policy: Object Access: File System | | No Auditing | No Auditing | No Auditing |
| Audit Policy: Object Access: Registry | | No Auditing | No Auditing | No Auditing |
| Audit Policy: Privilege Use: Sensitive Privilege Use | | No Auditing | Failure | No Auditing |
| Audit Policy: Detailed Tracking: Process Creation | | No Auditing | No Auditing | No Auditing |
| Audit Policy: Policy Change: Audit Policy Change | | Success | Success and Failure | Success |
| Audit Policy: Policy Change: Authentication Policy Change | | Success | Success and Failure | Success |
| Audit Policy: Account Management: Computer Account Management | | Success | Success and Failure | Success |
| Audit Policy: Account Management: Other Account Management Events | | Success | Success and Failure | No Auditing |
| Audit Policy: Account Management: Security Group Management | | Success | Success and Failure | Success |
| Audit Policy: Account Management: User Account Management | | Success | Success and Failure | Success |
| Audit Policy: DS Access: Directory Service Access | | Success | Failure | Success |
| Audit Policy: DS Access: Directory Service Changes | | Success | Failure | No Auditing |

Detailed Security Auditing (continued)

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Audit Policy: Account Logon: Credential Validation | | Success | Success and Failure | Success |

Event Log (the size and retention values did not survive extraction)

- Application: Maximum Log Size (KB)
- Application: Retain old events
- Security: Maximum Log Size (KB)
- Security: Retain old events
- System: Maximum Log Size (KB)
- System: Retain old events

Windows Firewall

| Control | Baseline |
|---|---|
| Windows Firewall: Allow ICMP exceptions (Domain) | Disabled |
| Windows Firewall: Allow ICMP exceptions (Standard) | Disabled |
| Windows Firewall: Apply local connection security rules (Domain) | No |
| Windows Firewall: Apply local connection security rules (Private) | No |
| Windows Firewall: Apply local connection security rules (Public) | No |
| Windows Firewall: Apply local firewall rules (Domain) | Not configured |
| Windows Firewall: Apply local firewall rules (Private) | Not configured |
| Windows Firewall: Apply local firewall rules (Public) | No |
| Windows Firewall: Display a notification (Domain) | Not configured |
| Windows Firewall: Display a notification (Private) | Not configured |
| Windows Firewall: Display a notification (Public) | No |
| Windows Firewall: Firewall state (Domain) | On |
| Windows Firewall: Firewall state (Private) | On |
| Windows Firewall: Firewall state (Public) | On |

Company value surviving extraction (row and column lost): 0.

Windows Firewall (continued)

| Control | Baseline |
|---|---|
| Windows Firewall: Inbound connections (Domain) | Block |
| Windows Firewall: Inbound connections (Private) | Block |
| Windows Firewall: Inbound connections (Public) | Block |
| Windows Firewall: Prohibit notifications (Domain) | Disabled |
| Windows Firewall: Prohibit notifications (Standard) | Disabled |
| Windows Firewall: Protect all network connections (Domain) | Enabled |

Company value surviving extraction (row and column lost): 0.

Windows Update

| Control | Baseline |
|---|---|
| Configure Automatic Updates | |
| Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box | |
| Reschedule Automatic Updates scheduled installations | |

Values surviving extraction for this section (row and column lost): Disabled, 1, 1, Enabled.

User Account Control

| Control | Baseline |
|---|---|
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for credentials |
| User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests |
| User Account Control: Detect application installations and prompt for elevation | Enabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |

Company values surviving extraction (row and column lost): 1, 1, 1.

User Account Control (continued)

| Control | Baseline |
|---|---|
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |

User Rights

Company columns show the secedit user-right assignment (Right = holder,holder,...). Entries written "*S" are SIDs whose digits did not survive extraction; "null" means the right was not present in the export.

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Access this computer from the network | Administrators, Authenticated Users | SeNetworkLogonRight = *S-1-1-0,*S ,IWAM_DC0004,IUSR_DC0004,*S ,*S ,*S | SeNetworkLogonRight = *S ,*S ,*S ,*S ,*S | SeNetworkLogonRight = *S ,*S ,IWAM_QUINTIQ_APPS,IUSR_QUINTIQ_APPS,QBDataServiceUser17,*S ,*S ,*S ,*S |
| Act as part of the operating system | No one | null | SeTcbPrivilege = patrol | SeTcbPrivilege = Administrator,*S |
| Adjust memory quotas for a process | Not Defined | SeIncreaseQuotaPrivilege = *S ,*S ,IWAM_DC0004,SQLServer2005MSSQLUser$DC0004$MICROSOFT##SSEE,SQLServer2005MSSQLUser$DC0005$MICROSOFT##SSEE,*S ,*S ,*S | SeIncreaseQuotaPrivilege = *S ,*S ,patrol,*S | SeIncreaseQuotaPrivilege = *S ,*S ,IWAM_QUINTIQ_APPS,*S |
| Back up files and directories | Not Defined | SeBackupPrivilege = *S ,*S ,*S | SeBackupPrivilege = *S ,*S ,*S | SeBackupPrivilege = *S ,*S ,*S |
| Bypass traverse checking | Not Defined | SeChangeNotifyPrivilege = *S-1-1-0,*S ,*S ,*S ,SQLServer2005MSSQLUser$DC0004$MICROSOFT##SSEE,SQLServer2005MSSQLUser$DC0005$MICROSOFT##SSEE,*S ,*S | SeChangeNotifyPrivilege = *S ,*S ,*S ,*S ,*S ,*S | SeChangeNotifyPrivilege = *S-1-1-0,*S ,*S ,QBDataServiceUser17,*S |
| Change the system time | LOCAL SERVICE, Administrators | null | null | null |
| Create a pagefile | Not Defined | SeCreatePagefilePrivilege = *S | SeCreatePagefilePrivilege = *S | SeCreatePagefilePrivilege = *S |
| Create a token object | No one | null | null | null |

User Rights (continued)

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Create Global Objects | Not Defined | SeCreateGlobalPrivilege = *S ,*S ,*S ,*S | SeCreateGlobalPrivilege = *S ,*S ,*S ,*S | SeCreateGlobalPrivilege = *S ,*S ,*S ,*S |
| Create permanent shared objects | No one | null | null | null |
| Debug Programs | Administrators | SeDebugPrivilege = *S | null | SeDebugPrivilege = *S |
| Deny access to this computer from the network | Guests | SeDenyNetworkLogonRight = SUPPORT_388945a0 | SeDenyNetworkLogonRight = SUPPORT_388945a0 | SeDenyNetworkLogonRight = SUPPORT_388945a0 |
| Enable computer and user accounts to be trusted for delegation | No one | SeEnableDelegationPrivilege = *S | SeEnableDelegationPrivilege = *S | SeEnableDelegationPrivilege = *S |
| Force shutdown from a remote system | Not Defined | SeRemoteShutdownPrivilege = *S ,*S | SeRemoteShutdownPrivilege = *S ,*S | SeRemoteShutdownPrivilege = *S ,*S |
| Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | SeImpersonatePrivilege = *S ,*S ,*S ,*S | SeImpersonatePrivilege = *S ,*S ,IIS_WPG,*S ,*S ,*S ,*S ,*S | SeImpersonatePrivilege = *S ,*S ,IIS_WPG,aspuser,*S ,*S |
| Increase scheduling priority | Not Defined | SeIncreaseBasePriorityPrivilege = *S | SeIncreaseBasePriorityPrivilege = *S | SeIncreaseBasePriorityPrivilege = *S |
| Load and unload device drivers | Administrators | SeLoadDriverPrivilege = *S ,*S | SeLoadDriverPrivilege = *S ,*S | SeLoadDriverPrivilege = *S ,*S |
| Lock pages in memory | Not Defined | null | SeLockMemoryPrivilege = admin_ordina | null |
| Manage auditing and security log | Not Defined | SeSecurityPrivilege = Exchange Enterprise Servers,Exchange Servers,*S | SeSecurityPrivilege = Exchange Enterprise Servers,Exchange Servers,*S | SeSecurityPrivilege = *S |
| Modify firmware environment values | Not Defined | SeSystemEnvironmentPrivilege = *S | SeSystemEnvironmentPrivilege = *S | SeSystemEnvironmentPrivilege = *S |
| Perform volume maintenance tasks | Not Defined | SeManageVolumePrivilege = *S | SeManageVolumePrivilege = Ordina_TskMgr | SeManageVolumePrivilege = *S |
| Profile single process |鈥Administrators | SeProfileSingleProcessPrivilege = *S | SeProfileSingleProcessPrivilege = *S | SeProfileSingleProcessPrivilege = *S |
| Profile system performance | Administrators | SeSystemProfilePrivilege = *S | SeSystemProfilePrivilege = patrol,*S | SeSystemProfilePrivilege = *S |

User Rights (continued)

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Remove computer from docking station | Administrators | SeUndockPrivilege = *S | SeUndockPrivilege = *S | SeUndockPrivilege = *S |
| Replace a process level token | LOCAL SERVICE, NETWORK SERVICE | SeAssignPrimaryTokenPrivilege = *S ,*S ,IWAM_DC0004,SQLServer2005MSSQLUser$DC0004$MICROSOFT##SSEE,SQLServer2005MSSQLUser$DC0005$MICROSOFT##SSEE,*S ,*S | SeAssignPrimaryTokenPrivilege = *S ,*S ,patrol | SeAssignPrimaryTokenPrivilege = *S ,*S ,IWAM_QUINTIQ_APPS |
| Shut down the system | Administrators | SeShutdownPrivilege = whadmin,*S ,*S ,*S ,*S | SeShutdownPrivilege = *S ,*S ,*S ,*S | SeShutdownPrivilege = *S ,*S ,*S ,*S |
| Add workstations to domain | Administrators | SeMachineAccountPrivilege = *S | SeMachineAccountPrivilege = *S | SeMachineAccountPrivilege = *S |
| Allow log on locally | Administrators | SeInteractiveLogonRight = IUSR_DC0004,*S ,*S ,*S ,*S ,*S | SeInteractiveLogonRight = patrol,*S ,*S ,*S ,*S ,*S | SeInteractiveLogonRight = *S ,IUSR_QUINTIQ,IUSR_QUINTIQ_APPS,*S ,*S ,*S ,*S ,*S |
| Allow logon through terminal services | Administrators | SeRemoteInteractiveLogonRight = *S | SeRemoteInteractiveLogonRight = *S ,*S | SeRemoteInteractiveLogonRight = *S |

User Rights (continued)

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Deny logon locally | Guests | SeDenyInteractiveLogonRight = SUPPORT_388945a0 | SeDenyInteractiveLogonRight = SUPPORT_388945a0 | SeDenyInteractiveLogonRight = SophosSAUQUINTIQSER0,*S ,*S ,*S ,*S ,SUPPORT_388945a0,*S ,*S ,QBDataServiceUser17,*S |
| Deny logon through Terminal Service (minimum) | Guests | null | null | null |
| Generate security audits | Not Defined | SeAuditPrivilege = *S ,*S ,*S ,*S | SeAuditPrivilege = *S ,*S | SeAuditPrivilege = *S ,*S |

User Rights (continued)

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Log on as a batch job | No one | SeBatchLogonRight = *S ,SUPPORT_388945a0,PMadmin,whadmin,SA_Algemeen,ecs_svc,IIS_WPG,bvadmin,IWAM_DC0004,IUSR_DC0004,SQLServer2005MSSQLUser$DC0004$MICROSOFT##SSEE,SQLServer2005MSSQLUser$DC0005$MICROSOFT##SSEE,*S | SeBatchLogonRight = *S ,SUPPORT_388945a0,Ordina_TskMgr,admin_ordina,IIS_WPG,*S | SeBatchLogonRight = *S ,*S ,*S ,*S ,IWAM_QUINTIQ_APPS,IUSR_QUINTIQ_APPS,EMLib,IIS_WPG,SUPPORT_388945a0,Administrator,*S |
| Restore files and directories | Administrators, Backup Operators | SeRestorePrivilege = *S ,*S ,*S | SeRestorePrivilege = *S ,*S ,*S | SeRestorePrivilege = *S ,*S ,*S |
| Take ownership of file or other objects | Administrators | SeTakeOwnershipPrivilege = *S | SeTakeOwnershipPrivilege = *S | SeTakeOwnershipPrivilege = *S |
| Synchronize directory service data | No one | null | null | null |

Security Options

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Network Security: Minimum session security for NTLM SSP based (incl. secure RPC) servers | Require NTLMv2 session security, Require 128-bit encryption | | | |
| Accounts: Rename Administrator Account | <> admin | NewAdministratorName = "Administrator" | NewAdministratorName = "Administrator" | NewAdministratorName = "Administrator" |
| Accounts: Rename Guest Account | <> guest | NewGuestName = "Guest" | NewGuestName = "Guest" | NewGuestName = "Guest" |
| Accounts: Guest Account Status | Disabled | EnableGuestAccount = 0 | EnableGuestAccount = 0 | EnableGuestAccount = 0 |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | | | |
| Devices: Allowed to format and eject removable media | Administrators | | | |
| Devices: Prevent users from installing printer drivers | Enabled | | | |
| Devices: Restrict CD-ROM Access to Locally Logged-On User Only | Not Defined | | | |

Company values surviving extraction (row and column lost): 0, 1.

Security Options (continued)

| Control | Baseline |
|---|---|
| Devices: Restrict Floppy Access to Locally Logged-On User Only | Not Defined |
| Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always) | Enabled |
| Domain Member: Digitally Encrypt Secure Channel Data (When Possible) | Enabled |
| Domain Member: Digitally Sign Secure Channel Data (When Possible) | Enabled |
| Domain Member: Disable Machine Account Password Changes | Disabled |
| Domain Member: Maximum Machine Account Password Age | |
| Domain Member: Require Strong Session Key | Enabled |
| Domain Controller: Allow Server Operators to Schedule Tasks | Disabled |
| Domain Controller: LDAP Server Signing Requirements | Not Defined |
| Domain Controller: Refuse machine account password changes | Disabled |
| Interactive Logon: Do Not Display Last User Name | Enabled |
| Interactive Logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive Logon: Number of Previous Logons to Cache | |
| Interactive Logon: Prompt User to Change Password Before Expiration | |
| Interactive Logon: Require Domain Controller authentication to unlock workstation | Enabled |
| Interactive Logon: Smart Card Removal Behavior | Lock Workstation |

Company values surviving extraction (row and column lost): 1, 0, 0, 2, 0.

Security Options (continued)

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Interactive Logon: Message Text for Users Attempting to Log On | - | | "You are using the IT facilities of Company B. In the interest of security and the prevention of misuse, a number of provisions, described in a protocol, apply to the users and system administrators of Company B. You are expected to know this protocol and to act in accordance with it. For more information, please contact your local ICT department." | |
| Interactive Logon: Message Title for Users Attempting to Log On | - | | ICT Protocol Company B | |
| Interactive logon: Require smart card | Not Defined | | | |
| Microsoft Network Client: Digitally sign communications (always) | Enabled | | | |
| Microsoft Network Client: Digitally sign communications (if server agrees) | Enabled | | | |
| Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server | Disabled | | | |
| Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session | 15 minutes | | | |
| Microsoft Network Server: Digitally sign communications (always) | Enabled | | | |
| Microsoft Network Server: Disconnect clients when logon hours expire | Enabled | | | |
| Network Access: Do not allow Anonymous Enumeration of SAM Accounts | Enabled | | | |
| Network Access: Do not allow storage of credentials or .NET passports | Enabled | | | |
| Network Access: Let Everyone permissions apply to anonymous users | Disabled | | | |
| Network Access: Named pipes that can be accessed anonymously | Not Defined | | | |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | | | |

Company values surviving extraction (row and column lost): a named-pipe list run together as "browserhydralspipetermservlicensing", 1, 1, 1.

Security Options (continued)

| Control | Baseline | A | B | C |
|---|---|---|---|---|
| Network Access: Shares that can be accessed anonymously | None | | | |
| Network Security: Do not store LAN Manager password hash value on next password change | Enabled | | | |
| Network Security: LAN Manager Authentication Level | NTLMv2 response only. Refuse LM | | | |
| Network Security: LDAP client signing requirements | Negotiate signing | | | |
| Network Security: Minimum session security for NTLM SSP based (incl. secure RPC) clients | Require NTLMv2 session security, Require 128-bit encryption | | | |
| Recovery Console: Allow Automatic Administrative Logon | Disabled | | | |
| Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders | Not defined | | | |
| Shutdown: Clear Virtual Memory Pagefile | Disabled | | | |
| Shutdown: Allow System to be Shut Down Without Having to Log On | Disabled | | | |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | | | |
| System objects: Strengthen default permissions of internal system objects | Enabled | | | |
| System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used | | | |
| System settings: Optional subsystems | None | Posix | Posix | Posix |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not Defined | | | |
| MSS: (DisableIPSourceRouting) IP source routing protection level | Highest protection, source routing is completely disabled | | | |

Company value surviving extraction for the anonymous shares row (column lost): COMCFG, DFS$.

Security Options (continued)

| Control | Baseline |
|---|---|
| MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled |
| MSS: How often keep-alive packets are sent in milliseconds | Not Defined |
| MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled |
| MSS: Enable the computer to stop generating 8.3 style filenames | Enabled |
| MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses | Disabled |
| MSS: Enable Safe DLL search mode | Enabled |
| MSS: The time in seconds before the screen saver grace period expires | 0 |
| MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted | 3 |
| MSS: Percentage threshold for the security event log at which the system will generate a warning | 90% or less |

Company value surviving extraction (row and column lost): 0.

Terminal Services

| Control | Baseline |
|---|---|
| Always prompt client for password upon connection | Enabled |
| Set client connection encryption level | Enabled: High level |
| Do not allow drive redirection | Not Defined |
| Do not allow passwords to be saved | Enabled |

Company value surviving extraction (row and column lost): 1.

Internet Communication

| Control | Baseline |
|---|---|
| Turn off downloading of print drivers over HTTP | Enabled |
| Turn off the "Publish to Web" task for files and folders | Enabled |
| Turn off Internet download for Web publishing and online ordering wizards | Enabled |
| Turn off printing over HTTP | Enabled |

Internet Communication (continued)

| Control | Baseline |
|---|---|
| Turn off Search Companion content file updates | Enabled |
| Turn off the Windows Messenger Customer Experience Improvement Program | Enabled |
| Turn off Windows Update device driver searching | Not Defined |

Additional Security Settings

| Control | Baseline |
|---|---|
| Do not process the legacy run list | Not configured |
| Do not process the run once list | Not configured |
| Registry policy processing | Not Defined |
| Offer Remote Assistance | Not Defined |
| Solicited Remote Assistance | Not Defined |
| Restrictions for Unauthenticated RPC clients | Not Defined |
| RPC Endpoint Mapper Client Authentication | Not Defined |
| Turn off Autoplay | Enabled: All drives |
| Enumerate administrator accounts on elevation | Not configured |
| Require trusted path for credential entry | Enabled |
| Disable remote Desktop Sharing | Enabled |

Company value surviving extraction (row and column lost): 255.


MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7 Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.

More information

Mitigating Risks and Monitoring Activity for Database Security

Mitigating Risks and Monitoring Activity for Database Security The Essentials Series: Role of Database Activity Monitoring in Database Security Mitigating Risks and Monitoring Activity for Database Security sponsored by by Dan Sullivan Mi tigating Risks and Monitoring

More information

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.) Organizational risks 1 Lock-in Risk of not being able to migrate easily from one provider to another 2 Loss of Governance Control and influence on the cloud providers, and conflicts between customer hardening

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Windows Operating Systems. Basic Security

Windows Operating Systems. Basic Security Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Data Access Request Service

Data Access Request Service Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations

More information

Chapter 7 Information System Security and Control

Chapter 7 Information System Security and Control Chapter 7 Information System Security and Control Essay Questions: 1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical

More information

Evaluation Report. Office of Inspector General

Evaluation Report. Office of Inspector General Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Feedback Ferret. Security Incident Response Plan

Feedback Ferret. Security Incident Response Plan Feedback Ferret Security Incident Response Plan Document Reference Feedback Ferret Security Incident Response Plan Version 3.0 Date Created June 2013 Effective From 20 June 2013 Issued By Feedback Ferret

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security state by assessing missing security updates and lesssecure

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Account Access Management - A Primer

Account Access Management - A Primer The Essentials Series: Managing Access to Privileged Accounts Understanding Account Access Management sponsored by by Ed Tittel Understanding Account Access Management...1 Types of Access...2 User Level...2

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

Diebold Security Analysis of ATM Operating and Application Systems Using the Center for Internet Security Scoring Tool

Diebold Security Analysis of ATM Operating and Application Systems Using the Center for Internet Security Scoring Tool Diebold Security Analysis of ATM Operating and Application Systems Using the Center for Internet Security Scoring Tool TP-821129-001B PD 6099 Document History Document Number Date Remarks TP-821129-001A

More information

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

More information

Media Shuttle s Defense-in- Depth Security Strategy

Media Shuttle s Defense-in- Depth Security Strategy Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among

More information

Making Database Security an IT Security Priority

Making Database Security an IT Security Priority Sponsored by Oracle Making Database Security an IT Security Priority A SANS Whitepaper November 2009 Written by Tanya Baccam Security Strategy Overview Why a Database Security Strategy? Making Databases

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Technical Proposition. Security

Technical Proposition. Security Technical Proposition ADAM Software NV The global provider of media workflow and marketing technology software ADAM Software NV adamsoftware.net [email protected] Why Read this Technical Proposition?

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Practical Guidance for Auditing IT General Controls. September 2, 2009

Practical Guidance for Auditing IT General Controls. September 2, 2009 Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

Security White Paper The Goverlan Solution

Security White Paper The Goverlan Solution Security White Paper The Goverlan Solution The Goverlan Administration Suite (which includes the following modules: Administration & Diagnostics, Remote Control, Scope Actions, and WMIX) is a powerful

More information

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010 S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M Bomgar Product Penetration Test September 2010 Table of Contents Introduction... 1 Executive Summary... 1 Bomgar Application Environment Overview...

More information

Information Security for Modern Enterprises

Information Security for Modern Enterprises Information Security for Modern Enterprises Kamal Jyoti 1. Abstract Many enterprises are using Enterprise Content Management (ECM) systems, in order to manage sensitive information related to the organization.

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

How To Secure Your System From Cyber Attacks

How To Secure Your System From Cyber Attacks TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Clark Schaefer Consulting Serving elite and emerging companies with practical solutions

More information

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc. Table of Contents PART I. IS Audit Process. CHAPTER 1. Technology and Audit. Technology and Audit. Batch and On-Line Systems. CHAPTER 2. IS Audit Function Knowledge. Information Systems Auditing. What

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM Chandramohan Muniraman, Meledath Damodaran, Amanda Ryan University of Houston-Victoria Abstract As in any information management system security

More information

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75 Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

More information

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved 18570909 CPA SECURITY CHARACTERISTIC REMOTE DESKTOP Version 1.0 Crown Copyright 2011 All Rights Reserved CPA Security Characteristics for CPA Security Characteristic Remote Desktop 1.0 Document History

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

Evolution from FTP to Secure File Transfer

Evolution from FTP to Secure File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Evolution from FTP to Secure File Transfer www.ipswitchft.com Do you know where your organization s confidential and sensitive files were transferred today? Are you sure

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information