Microsoft Windows Security Audit Tools

A Windows security audit involves identifying, collecting, and analyzing information. You’ll need a plan and some tools to make the task manageable. You should plan ahead for any audit information needs and start the collection process as soon as possible. Your goal is to use the tools at your disposal to collect every bit of information that an auditor can use to verify compliance or research unusual activity.

Collecting every bit of information that may be needed is impossible without collecting lots of unneeded information. The goal should be to collect as much information as possible that is likely to be useful for auditing. TABLE 7-2 lists some Windows auditing-related tools you can use and the information they help you retain.

TABLE 7-2 Windows Auditing Tools

TOOL: DESCRIPTION

Security and Configuration Analysis (SCA) snap-in: GUI snap-in to the MMC that compares a computer’s settings with a predefined template. The SCA is useful for quickly identifying any differences from standard settings.

Secedit.exe: Command-line version of SCA. Secedit performs the same basic functions as SCA but produces a text file as output. The command-line format allows you to use secedit in batch files for automatically scheduled audits.

Microsoft Baseline Security Analyzer (MBSA): GUI auditing tool that checks one or more computers for missing patches, weak passwords, and other common security vulnerabilities.

Mbsacli.exe: Command-line interface for MBSA. Mbsacli makes it easy to run MBSA on a schedule and store output text files for later analysis.

Microsoft Security Assessment Tool (MSAT): Legacy tool to measure current system security and provide recommendations to mitigate vulnerabilities. MSAT supports Windows versions through Windows 7 and Windows Server 2008.

Microsoft Security Compliance Toolkit (SCT): A set of tools to help enterprise administrators assess Microsoft-recommended security baselines for Microsoft products.

DumpSec: The SomarSoft utility that dumps permissions and audit settings for the file system, Registry, printers, and shares to a text file. DumpSec is a command-line utility you can use in batch files to schedule audit tasks.

DumpEvt: The SomarSoft utility that dumps the Windows event logs to text files. DumpEvt is a command-line utility you can use in batch files to schedule audit tasks.

DumpReg: The SomarSoft utility that dumps part or all of the Windows Registry to text files. DumpReg is a command-line utility you can use in batch files to schedule audit tasks.

© Jones & Bartlett Learning.

The tools listed in Table 7-2 are a great starting point for collecting audit information. Develop a naming convention and storage location for the tools’ output. A good naming convention includes information such as the computer name, the date and time, and the type of information in the file. Here is a suggested audit file-naming convention:

Computer_name.file_contents.yyyymmddhhmmss.txt

Example: SCILaptop.sec_evt_log.20100401113533.txt

  • Computer_name—Name of the computer

  • File_contents—Abbreviated identifier that represents the contents of the file, such as sec_evt_log or registry

  • Date and time—Creation date and time of the file

    • yyyy—Four-digit year

    • mm—Two-digit month

    • dd—Two-digit day of the month

    • hh—Two-digit hour in 24-hour format

    • mm—Two-digit minute

    • ss—Two-digit second

Use the Windows auditing tools at your disposal to create periodic baselines and store event log files. You should decide what frequency works best for your organization. Monthly or quarterly baselines generally provide a good starting point for auditors. Consider creating baselines more frequently in environments that regularly change. The baselines show a snapshot of your computers at a point in time and the event logs show how settings changed from one baseline to another. Taken together, baselines and event log files can provide the information to better understand your Windows environment and make it compliant with your security policy.
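As an added example (not code from the book), the following Python helper builds and validates names in the Computer_name.file_contents.yyyymmddhhmmss.txt form and, for each computer, pairs the stored event-log files with the baseline window they fall between, which is the comparison the paragraph above describes. The sample file names and the sca_baseline contents tag are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for Computer_name.file_contents.yyyymmddhhmmss.txt; '.' is the separator,
# so neither the computer name nor the contents tag may contain one.
NAME_RE = re.compile(r"^(?P<computer>[^.]+)\.(?P<contents>[^.]+)\.(?P<stamp>\d{14})\.txt$")

def build_audit_name(computer, contents, when):
    """Return a file name following the chapter's convention for the given datetime."""
    if "." in computer or "." in contents:
        raise ValueError("computer name and contents tag must not contain '.'")
    return f"{computer}.{contents}.{when:%Y%m%d%H%M%S}.txt"

def parse_audit_name(name):
    """Return (computer, contents, datetime), or None if the name does not conform."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits but not a real date/time, e.g. month 13
        return None
    return m.group("computer"), m.group("contents"), stamp

def pair_logs_with_baselines(names, baseline_contents="sca_baseline"):
    """For each computer, return [(baseline_a, baseline_b, [log files in between])]
    so an auditor can see which event logs explain the change between two snapshots."""
    by_computer = defaultdict(lambda: {"baselines": [], "logs": []})
    for name in names:
        parsed = parse_audit_name(name)
        if parsed is None:
            continue  # files outside the convention are ignored, not guessed at
        computer, contents, stamp = parsed
        bucket = "baselines" if contents == baseline_contents else "logs"
        by_computer[computer][bucket].append((stamp, name))
    result = {}
    for computer, files in by_computer.items():
        baselines, logs = sorted(files["baselines"]), sorted(files["logs"])
        result[computer] = [
            (b1, b2, [n for t, n in logs if start <= t < end])
            for (start, b1), (end, b2) in zip(baselines, baselines[1:])
        ]
    return result

# Constructed sample file names (hypothetical, not taken from the book).
SAMPLE_FILES = [
    "SCILaptop.sca_baseline.20100301090000.txt",
    "SCILaptop.sec_evt_log.20100315113533.txt",
    "SCILaptop.sec_evt_log.20100328170000.txt",
    "SCILaptop.sca_baseline.20100401090000.txt",
    "SCILaptop.sec_evt_log.20100405080000.txt",   # after the last baseline: no window yet
    "FileServer01.sca_baseline.20100301090000.txt",
    "notes.txt",                                   # does not follow the convention
    "SCILaptop.registry.20101301000000.txt",       # invalid month, rejected
]
```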
