A Computer-assisted Audit Tool for Evaluation of Microsoft Operating Systems
By Jon Bek
The evaluation of computer system configuration is an important element of any general controls audit of information technology. The analysis of the configuration helps assess security risks, determines compliance with organization policy and measures consistency with industry best practices. Improperly configured computer systems undermine otherwise sound IT security practices, increase costs, impair efficiency and contribute to unscheduled business interruptions.

Addressing this task poses special challenges to an audit organization. A thorough hardware and software evaluation requires significant technical skills and knowledge. Gathering evidence and reviewing collected data also require substantial time and effort. Ensuring consistency of manually collected information as well as keying, tabulating and interpreting the data are demanding tasks for a deadline-driven auditor.

In the commercial sector, there are a limited number of software products that address this need, but most of these tools are not tailored to the specialized requirements of IT auditors. Additionally, these tools are usually expensive, require prior installation on the target system and may demand the support of the auditee's IT department. Though achievable in the for-profit, centralized-authority model of many businesses, this is often impractical in academic institutions and other organizations with a great degree of distributed authority and local autonomy. To address these needs and constraints in IT audit work for the California Institute of Technology, the author has developed a tool utilizing standards-based remote management features that Microsoft now incorporates into its Windows operating system products.
These features are known collectively as Windows Management Instrumentation (WMI)¹ and comprise Microsoft's implementation of the Common Information Model (CIM) standard published by the Distributed Management Task Force (DMTF).² WMI has been incorporated into all Windows releases beginning with Windows 98 Second Edition. Due to limitations of the security model in releases of Windows 98 and Windows Millennium Edition, the software to be discussed is truly useful only with Windows 2000 and subsequent versions.
The ZFPAudit Tool
The Zero-Footprint Audit Tool (ZFPAudit) is a script-based tool for gathering and reporting Windows-based computer system settings useful to the IT auditor in assessing compliance and risk elements arising from improper configuration. ZFPAudit may be run from the system to be audited or from a remote console. In either case, the software requires no installation, and in no way modifies the hardware or operating system environment of the host console or audited computer. Data collected by ZFPAudit may be evaluated and printed as a field report, imported into Excel, ACL or other analysis tools, or automatically sent to a remote database. ZFPAudit architecture is modular and plug-in, allowing auditors to easily include or exclude audit tests to be conducted, add new or updated tests as new or revised plug-ins become available, and write their own plug-ins, if desired. The product is published under the terms of the GNU³ public license. This means that the product is provided at no charge and the complete source code is available for review and improvement.

In its current version, ZFPAudit includes plug-ins that:
• Provide a unique identifier for the audited system, using elements such as the hardware serial number, Windows system name and burned-in hardware address (MAC address) of the system's network adapter
• Report the use of inherently insecure file systems (FAT32) on any local, nonremovable storage device
• Report configuration settings for the computer's security, application and system event logs
• Provide an inventory of installed software [for software installed in compliance with the Microsoft Installer (MSI) standard]
• List the current operating system build, patch and service pack level of the running operating system
• Enumerate the running services. Inappropriate or incorrectly configured services are often exploited by hackers or may indicate that a system has been compromised.
• Report if the system is protected from unauthorized local access by a password-protected screensaver automatically invoked after a specific period of inactivity
• Detail user account settings that indicate problems such as dormant or unused accounts, accounts without passwords, passwords that never expire and so forth
• Determine if the system is currently running antivirus software, if the software is providing real-time file protection, and the date on which the software's antivirus definition files were last updated
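The following PowerShell function is an added example, not ZFPAudit's own code (the original tool is browser-hosted script). It shows how most of the plug-ins listed above can be served by plain WMI queries against the local machine or a remote one, taking the same inputs as the tool's main page: a machine name or IP address, an account with administrative privilege on the target, and an optional audit code. The function name, the output layout and the CSV usage at the end are assumptions of this example.

```powershell
# Added example, not ZFPAudit's own code. Collects, over WMI, several of the settings the
# plug-ins above report, from the local machine or a remote one. The function name and the
# shape of the returned object are assumptions of this example.
function Get-ConfigurationAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential,
        [string]$AuditCode = ''
    )

    # WMI refuses explicit credentials for a local connection, so pass them only for a
    # remote target; a local audit then runs under the current (administrative) logon.
    $wmi = @{ ComputerName = $ComputerName }
    if ($Credential -and $ComputerName -ne $env:COMPUTERNAME) { $wmi.Credential = $Credential }

    # Unique identifier: hardware serial number, Windows system name and adapter MAC address.
    $bios = Get-WmiObject -Class Win32_BIOS @wmi
    $cs   = Get-WmiObject -Class Win32_ComputerSystem @wmi
    $nic  = Get-WmiObject -Class Win32_NetworkAdapterConfiguration @wmi -Filter 'IPEnabled = TRUE' |
            Select-Object -First 1

    # FAT32 on local, nonremovable storage (DriveType 3 is a local fixed disk).
    $fat32 = Get-WmiObject -Class Win32_LogicalDisk @wmi -Filter 'DriveType = 3' |
             Where-Object { $_.FileSystem -eq 'FAT32' } |
             ForEach-Object { $_.DeviceID }

    # Security, application and system event log settings.
    $logs = Get-WmiObject -Class Win32_NTEventlogFile @wmi |
            Where-Object { @('Application', 'Security', 'System') -contains $_.LogfileName } |
            Select-Object LogfileName, MaxFileSize, OverwritePolicy, NumberOfRecords

    # Operating system build, version and service pack level.
    $os = Get-WmiObject -Class Win32_OperatingSystem @wmi

    # Running services, with the account each runs as and the binary it launches.
    $services = Get-WmiObject -Class Win32_Service @wmi -Filter "State = 'Running'" |
                Select-Object Name, StartMode, StartName, PathName

    # Password-protected screensaver settings for the interactive desktops.
    $desktops = Get-WmiObject -Class Win32_Desktop @wmi |
                Select-Object Name, ScreenSaverActive, ScreenSaverSecure, ScreenSaverTimeout

    # Installed software registered with the Microsoft Installer (MSI). Caveat: enumerating
    # Win32_Product makes Windows Installer run a consistency check on every package and can
    # trigger repairs, which sits badly with a zero-footprint audit; the registry Uninstall
    # keys are a quieter source when that matters.
    $software = Get-WmiObject -Class Win32_Product @wmi | Select-Object Name, Version, Vendor

    [pscustomobject]@{
        AuditCode         = $AuditCode
        Collected         = (Get-Date).ToString('s')   # time stamp tells repeated audits apart
        Identifier        = '{0}|{1}|{2}' -f $bios.SerialNumber, $cs.Name, $nic.MACAddress
        OperatingSystem   = '{0} build {1} {2}' -f $os.Caption, $os.BuildNumber, $os.CSDVersion
        Fat32Volumes      = @($fat32)
        EventLogs         = $logs
        RunningServices   = $services
        Desktops          = $desktops
        InstalledSoftware = $software
    }
}

# Usage (machine name and audit code are constructed): audit a remote system with an
# administrative account, then flatten the service list to CSV for import into Excel or ACL.
# $r = Get-ConfigurationAudit -ComputerName 'WS0042' -Credential (Get-Credential) -AuditCode 'FY04-17'
# $r.RunningServices | Export-Csv -Path "$($r.AuditCode)-services.csv" -NoTypeInformation
```

The remote queries ride on DCOM and require the supplied account to be a local administrator on the target, which is exactly the privilege the tool's main page asks for; nothing is written to the audited machine apart from the Win32_Product side effect noted in the comment.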
The user interface for ZFPAudit is a web page, opened in Microsoft's Internet Explorer browser (see figure 1). This adds a degree of flexibility, as the web page and other files may be installed on a web server, copied to a centrally accessible shared network drive, or run from a CD-ROM, Zip drive, solid-state flash disk plugged into a USB port, or any other convenient, accessible remote or local file system. For example, ZFPAudit could be installed on a web server at one location, such as a data center, opened with the Internet Explorer browser on an auditor's computer in the audit office, and used to audit remote client machines elsewhere in the enterprise.

A minor disadvantage of opening ZFPAudit from a web server is that the default security settings of the browser on the auditor's console will disallow the execution of the embedded scripts necessary for the software to perform an audit. The software's documentation explains how to add the web server or specific ZFPAudit web pages to a list of the browser's trusted resources, which will allow proper operation. When running from either a web server or file system (local or remote), however, the auditor will still be prompted to allow the scripts to run (as an Active-X control) each time an audit is conducted. Minor modifications in a forthcoming release of the product will allow the software to be hosted as an active server page (ASP) on web servers supporting ASP, which will avoid these inconveniences.

To conduct an audit, the auditor provides a user ID (1) and password (2) with administrative privilege on the target machine, the IP address or Windows machine name (3) for the remote system, and a project or audit code (4). If the audit is being conducted on the local machine and the current logon account has administrator privilege, parameters 1 through 3 may be omitted. Parameter 4, though recommended, may always be left blank. The audit code is useful if a number of audits are to be conducted, and results grouped, trended or summarized. Data collection begins when the auditor presses the OK button (5). After gathering data for each of the installed plug-ins, the web page is updated to display the results (see figure 2, item 3). Partial results for the user account plug-in appear in figure 2. The complete results for this plug-in appear in figure 3. The user may scroll down to peruse the complete results.

Two additional controls also appear. Item 1 posts the audit results to a remote database, if one has been configured for this purpose. Once posted, this control turns gray and becomes disabled, so duplicate results cannot be posted for the same audit. Results may be audited and posted for the same machine again; time stamps on the data will make the distinction between audits clear. Item 2 returns the user to the main page (figure 1), whether or not the audit results have been submitted to a remote database. This makes the tool useful for compliance purposes, allowing clients to self-audit, correct noncompliance on all machines and then record audits for each machine for which they are responsible, proving compliance, if desired.

Figure 1—Main Page

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2004

Figure 2—Updated Results

Figure 3—User Accounts (one account shown; * denotes a possible audit concern)
Name: COMPO\JLB
Disabled: false
Locked: false
Password Does Not Expire: false
Password Not Required: false
Account Expires: (blank)
Last Logon (days): 0
Logon Hours: All
Password Age (days): 79 days
Password Expires In (days): 11
Excessive Password Life: false
Audit Statistics: Password Not Required: 0; Password Life Problems: 0; Dormant Account Problems: 0

ZFPAudit and Sarbanes-Oxley
At a glance, a tool for evaluating computer system configuration and security would appear to have little to do with Sarbanes-Oxley, a US Act intended to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. However, section 404 requires that the annual report shall state the responsibility of management for establishing and maintaining adequate internal controls, and contain an assessment of the effectiveness of the internal control structure and procedures. The public accounting firm that prepares the annual report is required to attest and report on this information provided by the company's management. Consequently, securing the organization's computers, networks and online systems to protect internal controls and financial reporting processes may indeed fall under the long reach of Sarbanes-Oxley. When considered in combination with other legislation to which an organization may be subject, such as HIPAA, Gramm-Leach-Bliley, the Digital Millennium Copyright Act and others, it is clear that information technology controls that have heretofore been best practice ideals may soon become requirements for US businesses.

Conclusion
Admittedly, a zero-footprint configuration auditing tool for Windows only begins to address the needs of IT auditors. Fortunately, ZFPAudit is not unique, and is just one of the myriad opportunities for computer-assisted auditing tools (CAATS) to improve IT audit quality and efficiency.
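The user account report of figure 3 above is the plug-in with the most audit logic behind it, so the following PowerShell function is added here as an example of how those columns and the audit statistics can be derived; it is not ZFPAudit's own code. Win32_UserAccount supplies the account flags, but not password age, last logon or logon hours, so the function assumes the ADSI WinNT provider for those. The dormancy and password-life thresholds, the function name and the "Dormant" column are assumptions of this example, not values the article gives.

```powershell
# Added example, not ZFPAudit's own code. Builds the figure 3 columns for the local
# accounts of one machine and the audit statistics printed beneath the table.
function Get-LocalAccountAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$DormantDays = 90,          # assumed threshold: no logon in this many days
        [int]$MaxPasswordLifeDays = 90   # assumed threshold: password older than this
    )
    # LocalAccount = TRUE keeps a domain member from enumerating the entire domain.
    $accounts = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName -Filter 'LocalAccount = TRUE'

    $rows = foreach ($a in $accounts) {
        # ADSI WinNT provider (assumed) for the fields WMI does not expose; ages are in seconds.
        $u = [ADSI]"WinNT://$ComputerName/$($a.Name),user"
        $pwAgeDays  = [int]($u.PasswordAge.Value / 86400)
        $maxAgeDays = [int]($u.MaxPasswordAge.Value / 86400)
        # LastLogin throws for an account that has never logged on; treat that as unknown.
        $lastLogon = try { (New-TimeSpan -Start $u.LastLogin.Value -End (Get-Date)).Days } catch { $null }
        $expires   = try { $u.AccountExpirationDate.Value } catch { $null }
        # LoginHours is a 21-byte bitmap; all bits set (0xFF) means no restriction.
        $hours    = $u.LoginHours.Value
        $allHours = ($null -eq $hours) -or (@($hours | Where-Object { $_ -ne 255 }).Count -eq 0)

        [pscustomobject]@{
            Name                  = '{0}\{1}' -f $a.Domain, $a.Name
            Disabled              = $a.Disabled
            Locked                = $a.Lockout
            PasswordDoesNotExpire = -not $a.PasswordExpires
            PasswordNotRequired   = -not $a.PasswordRequired
            AccountExpires        = $expires
            LastLogonDays         = $lastLogon
            LogonHours            = if ($allHours) { 'All' } else { 'Restricted' }
            PasswordAgeDays       = $pwAgeDays
            PasswordExpiresInDays = if ($a.PasswordExpires) { $maxAgeDays - $pwAgeDays } else { $null }
            ExcessivePasswordLife = $pwAgeDays -gt $MaxPasswordLifeDays
            Dormant               = (-not $a.Disabled) -and (($null -eq $lastLogon) -or ($lastLogon -gt $DormantDays))
        }
    }

    # Audit statistics, as at the foot of figure 3.
    $stats = [pscustomobject]@{
        PasswordNotRequired    = @($rows | Where-Object { $_.PasswordNotRequired }).Count
        PasswordLifeProblems   = @($rows | Where-Object { $_.ExcessivePasswordLife -or $_.PasswordDoesNotExpire }).Count
        DormantAccountProblems = @($rows | Where-Object { $_.Dormant }).Count
    }
    [pscustomobject]@{ Accounts = $rows; Statistics = $stats }
}

# Usage: (Get-LocalAccountAudit).Accounts | Format-Table -AutoSize
```

An enabled account that has never logged on is counted as dormant here on purpose: such accounts are the ones the "dormant or unused accounts" plug-in bullet is after, and the WinNT provider gives no date for them, so the absence of a date is itself the finding.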
Author's Note: A list of the author's top five low-cost/no-cost tools and resources is found in figure 4. To obtain a free copy of the ZFPAudit software and documentation, or to exchange ideas on automating other aspects of IT auditing, contact the author or visit the IT audit section of the Caltech Audit Services and Institute Compliance web site, http://asic.caltech.edu/itaudit/.

Figure 4—Low-cost/No-cost Tools and Resources
NESSUS: Network Vulnerability Assessment Tool, www.nessus.org/
KISMET: 802.11 Wireless Network Sniffer, www.kismetwireless.net/
TIGER: Security Tool for UNIX O/S, www.net.tamu.edu/network/tools/tiger.html
Common Vulnerabilities and Exposures: Mitre Corp.'s database of known vulnerabilities, http://cve.mitre.org/
SCRIPT-O-MATIC: Tool for getting started with Windows Management Instrumentation (WMI) scripts, www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/tools/wmimatic.asp

Endnotes
1 Lavy, Matthew; Ashley Meggitt; Windows Management Instrumentation, New Riders, 2002
2 Distributed Management Task Force Inc., www.dmtf.org/
3 The GNU Project, www.gnu.org/

Jon Bek is a senior information technology auditor for the California Institute of Technology (Caltech), in Pasadena, California, USA. He joined the Audit Services and Institute Compliance department of Caltech in 2001, and conducts IT and integrated team audits at the Caltech campus and the Jet Propulsion Laboratory, NASA's lead center for robotic exploration of the solar system, managed by Caltech. He has 14 years of experience in enterprise systems development, deployment and IT operations with a major oil company. He is currently completing a program of graduate study in Computer Information Systems at the California State University, Los Angeles. He can be reached at jon.bek@caltech.edu.

Information Systems Control Journal (ISSN 1526-7407), formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc., www.isaca.org. © Copyright 2004 by Information Systems Audit and Control Association Inc. All rights reserved.