A security audit is a process in which manual or automated techniques are used to analyze a system for vulnerabilities, and a report is produced from the findings. A manual audit includes interviewing staff, performing vulnerability checks without automated tools, reviewing all installed applications and operating system access controls, and analyzing physical access to the systems. Operating system audits include Windows audits, Linux audits, and so on. Windows auditing is one way to secure a system once its weaknesses are known: the Windows auditing system tracks events and logs, recording which events were triggered on the system.
Two important areas where operating system audits can be performed are Active Directory and the various Windows policies and privacy settings. Active Directory grants access to specific applications, folders, and files based on a user's identity. Because it is so widely used for authenticating and authorizing users, it is a frequent target of cyber-attacks. Monitoring and auditing changes in Active Directory should therefore be considered an essential part of a security audit. Another vital area is Windows policy changes.
Events that can be audited in the Windows operating system for vulnerability assessment of systems are listed below:
- Audit Account Logon Events: Audits each logon and logoff instance, with the exact date and time, for every user.
- Audit Account Management: Audits every account management operation on a machine, such as changing passwords, renaming accounts, or adding and removing users.
- Audit Object Access: Audits a user's access to an object that has a system access control list (SACL) specified. Examples of objects are files, folders, registry keys, and printers.
- Audit Policy Change: Audits every incident where user rights, audit policies, or trust policies were changed.
- Audit Privilege Use: Audits each instance of a user exercising a user right.
- Audit Process Tracking: Audits and tracks detailed information about events such as program activation, process exit, handle duplication, and indirect object access.
- Audit System Events: Audits system-level events such as patch updates and unknown connections being established.
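The following PowerShell script is an added example, not code from the original article. It shows how the audit categories above translate into practice: it prints the current audit policy with `auditpol`, then counts recent Security-log events for a representative set of standard Windows event IDs per category, and finally lists the last 20 successful logons with their logon type and source address. It assumes an elevated PowerShell session on a Windows host; the 24-hour window and the choice of event IDs per category are the example's own.

```powershell
# Added example (not from the original article): check which audit
# categories are enabled, then pull recent Security-log events that
# correspond to the categories listed above. Run in an elevated session.
# The event IDs are standard Windows Security-log IDs; the mapping of IDs
# to categories is this example's own selection, not an exhaustive list.

# 1. Show the current audit policy for every category and subcategory.
auditpol /get /category:*

# 2. Map the audit categories to a few representative event IDs.
$categoryMap = @{
    'Account Logon / Logoff' = @(4624, 4634, 4625)   # logon, logoff, failed logon
    'Account Management'     = @(4720, 4726, 4724)   # user created, user deleted, password reset
    'Policy Change'          = @(4719, 4739)         # audit policy changed, domain policy changed
    'Privilege Use'          = @(4672, 4673)         # special privileges assigned, privileged service called
    'Process Tracking'       = @(4688, 4689)         # process created, process exited
    'System Events'          = @(4608, 1102)         # Windows starting up, audit log cleared
}

# Look back 24 hours (assumed window; adjust to the audit scope).
$since = (Get-Date).AddDays(-1)

foreach ($category in $categoryMap.Keys) {
    $filter = @{
        LogName   = 'Security'
        Id        = $categoryMap[$category]
        StartTime = $since
    }
    # Get-WinEvent throws when nothing matches, so suppress that and count zero.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $count = if ($events) { @($events).Count } else { 0 }
    Write-Host ("{0,-24} {1,6} events in the last 24h" -f $category, $count)
}

# 3. Detail view for Account Logon: who logged on, from where, and how.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Each event's XML carries the fields as <Data Name="...">value</Data>.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType
            SourceIP  = $data.IpAddress
        }
    } | Format-Table -AutoSize
```

A category that shows zero events over a full day is usually a sign that its audit policy is disabled rather than that nothing happened, so compare the counts against the `auditpol` output before drawing conclusions.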
Audit Life Cycle: The audit framework consists of four major steps. The first is Planning, in which the auditors plan according to the organization's requirements. The second is Assessment, in which previous audits are assessed, their results reviewed, and the new audit checklist planned accordingly. The third is Follow-Up, which is performing the audit tasks. The last is the Report phase, in which a detailed report of the audit is created and the recommended solutions are given.
Commands to Perform an Audit: These need to be executed in the Windows command prompt as an administrator. To open it, click the Start button, search for cmd, right-click it, and choose Run as administrator.
- systeminfo: Gives the full details of the system, such as the installation date, users and accounts, last log activity, etc.
- ipconfig: Gets the IP address of the machine.
- secpol.msc: Retrieves the security policy configuration of the system, including account policies, firewall policies, etc.
- getmac: Gets the MAC address of the machine.
- netstat: Checks network statistics and identifies foreign or unknown servers with which connections have been established.
- compmgmt.msc: Checks which external devices were used on the system, their logs, etc.
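As an added example that is not part of the original article, the PowerShell script below collects the evidence the commands above produce into a timestamped folder for the Report phase. It saves the raw output of `systeminfo`, `ipconfig`, `getmac` and `netstat`, lists established TCP connections together with the owning process name so an unknown remote address can be tied to a program, exports the local security policy that `secpol.msc` displays using `secedit`, and lists USB devices known to Plug and Play (the data shown under Device Manager in `compmgmt.msc`). The report root `C:\AuditReports` is an assumed path; the script expects an elevated PowerShell session.

```powershell
# Added example (not from the original article): gather the outputs of the
# audit commands into one report folder. Run in an elevated session.
$ReportRoot = 'C:\AuditReports'                      # assumed location
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir        = Join-Path $ReportRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Raw command output, one file each, so the evidence is preserved verbatim.
systeminfo    | Out-File (Join-Path $dir 'systeminfo.txt')
ipconfig /all | Out-File (Join-Path $dir 'ipconfig.txt')
getmac /v     | Out-File (Join-Path $dir 'getmac.txt')
netstat -ano  | Out-File (Join-Path $dir 'netstat.txt')

# Established connections joined with the owning process, loopback excluded,
# so each remote address in the report is attributable to a program.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process       = if ($proc) { $proc.ProcessName } else { 'unknown' }
            PID           = $_.OwningProcess
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    } |
    Sort-Object RemoteAddress |
    Export-Csv (Join-Path $dir 'established-connections.csv') -NoTypeInformation

# Local security policy (account, audit and user-rights settings) as an .inf
# file: the same data secpol.msc shows, but in a form that can be diffed
# against the previous audit's export.
secedit /export /cfg (Join-Path $dir 'secpol.inf') | Out-Null

# USB devices known to Plug and Play, including ones not currently attached,
# which is what compmgmt.msc's Device Manager view draws on.
Get-PnpDevice -Class USB |
    Select-Object Status, FriendlyName, InstanceId |
    Export-Csv (Join-Path $dir 'usb-devices.csv') -NoTypeInformation

Write-Host "Audit evidence written to $dir"
```

Keeping the raw command output next to the processed CSV files lets a reviewer verify the summaries against the original evidence, and exporting the policy to a file makes the Assessment step of the next audit a straightforward comparison of two `secpol.inf` files.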