
Mikrotik RouterOS Security Audit Checklist

Router Policy

| Question | Findings (Yes/No) | ISO 27001 Control | Standard/Best Practice |
|---|---|---|---|
| Is a router security policy in place? | Yes / No | A.5.1.1, A.9.1.2 | The router security policy should address the requirements from the business, regulations, etc. and cover policy topics such as access control, backup, etc. |
Administrator Authentication

| Question | Findings (Yes/No) | ISO 27001 Control | Standard/Best Practice |
|---|---|---|---|
| Is there a documented procedure for creation of users? | Yes / No | A.12.1.1, A.9.2.1, A.9.2.2 | A documented procedure for the creation of administrators on the router should exist. The procedure should address: (a) approval from the department head; (b) recording the authorization level given to the new administrator and its duration. |
| Does each router administrator have a unique account for himself/herself? | Yes / No | A.9.2.1, A.9.2.2 | Each router administrator should have a unique account to maintain accountability. |
| According to policy, how often do admin passwords have to be changed? | Yes / No | A.9.4.3 | Admin passwords need to be changed periodically, typically once every 4-6 months depending on the functionality of the router. |
| Do the admin passwords meet the complexity required by the policy? | Yes / No | A.9.3.1 | All passwords defined on the router should meet the following criteria: (a) minimum 8 characters in length; (b) alphanumeric along with special characters (@#$%); (c) must not include the organization's name. |
| Are all user accounts assigned the lowest privilege level that allows them to perform their duties? (Principle of Least Privilege) | Yes / No | A.9.2.3 | All user accounts should be assigned the lowest privilege level that allows them to perform their duties. If multiple administrators exist on the router, each administrator should be given an individual username and password and assigned the lowest privilege level. |
| Is a Message of the Day (MOTD) banner defined? | Yes / No | A.9.4.2 | Login banners should be used as a preventive measure against unauthorized access to the routers. Use the following command to enable a MOTD banner: `/system note set note=[MOTD]` |
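One way to implement the Administrator Authentication items above directly in the RouterOS console, as an added example that is not part of the checklist or of MikroTik's own documentation. The group names, user names, the management subnet (10.0.100.0/24) and every CHANGE-ME password are constructed placeholders; the `/user settings` minimum-length and category controls are assumed to exist on RouterOS 7 only.

```routeros
# Added example (not from the checklist): Administrator Authentication items applied in
# the RouterOS console. Group names, user names, the management subnet and the
# CHANGE-ME password placeholders are constructed for illustration.

# A.9.2.3 - least privilege: a read-only group for auditors and a change group for
# operators. Policies prefixed with "!" are explicitly denied; "policy" (editing user
# rights) and "sensitive" (viewing stored secrets) are kept out of both groups.
/user group add name=audit-ro policy=ssh,winbox,read,!write,!policy,!ftp,!reboot,!test,!password,!sniff,!sensitive,!api,!romon
/user group add name=netops policy=ssh,winbox,read,write,reboot,test,password,!policy,!ftp,!sniff,!sensitive,!api,!romon

# A.9.2.1 / A.9.2.2 - one named account per administrator, usable only from the
# management network. Passwords must follow the organization's policy (the checklist
# asks for at least 8 characters, alphanumerics plus specials, no company name).
/user add name=alice group=netops address=10.0.100.0/24 password="CHANGE-ME-Ab3#kQ9"
/user add name=bob group=audit-ro address=10.0.100.0/24 password="CHANGE-ME-Zx7$pL2"

# The built-in "admin" account is a shared identity with full rights; once the named
# accounts have been tested, disable it so every action is attributable to a person.
/user disable admin

# RouterOS 7 can enforce a minimum password length and number of character classes
# whenever a password is set (assumed unavailable on RouterOS 6; enforce by procedure there).
/user settings set minimum-password-length=8 minimum-categories=3

# A.9.4.2 - login banner shown before the prompt on console and SSH logins.
/system note set note="Authorized administrators only. All activity is logged and reviewed." show-at-login=yes

# Evidence for the audit finding: who exists, which group each holds, and from where
# each may log in.
/user print
/user group print
/system note print
```

Test the named accounts from the management network before disabling `admin`, because the `address=` filter on a user applies to every login path (console excepted) and a typo locks that account out.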
Router Access Management

| Question | Findings (Yes/No) | ISO 27001 Control | Standard/Best Practice |
|---|---|---|---|
| Are unused services such as webfig, ssh, telnet, dns allow-remote-requests, etc. disabled? | Yes / No | A.9.4.4 | Unused services need to be disabled to prevent any unauthorized access and possible exploitation. |
| Is Mikrotik Network Discovery Protocol disabled on the router? | Yes / No | A.12.6.1, A.9.4.4, A.13.1.3 | Mikrotik Network Discovery Protocol enables neighbor routers (connected routers) to learn information about the neighbor. It should be disabled if not used, and always on the interface facing the external network. |
| Which version of SNMP is used to manage the router? | Yes / No | A.13.1.1 | Ideally SNMP version 3 should be used on the router, since it introduces authentication in the form of a username and password and offers encryption as well. SNMP is disabled by default in MikroTik; however, if enabled, there will be one default community called "public". |
| Is the SNMP process restricted to a certain range of IP addresses only? | Yes / No | A.13.1.1 | If SNMP v1 or v2c is used, ACLs should be configured to limit the addresses that can send SNMP commands to the device. SNMP v1 and v2c use the community string as the only form of authentication, and it is sent in clear text across the network. |
| Are the default community strings such as 'public' changed? | Yes / No | A.9.2.4 | Default community strings such as 'public' should be changed immediately, before bringing the router onto the network. |
| How often is the SNMP community string changed? | Yes / No | A.9.3.1 | If SNMP v1 or v2c is being used, the SNMP community strings should be treated like root passwords: change them often and make them complex. |
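The Router Access Management items above, applied in the RouterOS console as an added example (not the checklist's own content and not MikroTik documentation). The interface name `ether2`, the interface list `LAN`, the management subnet 10.0.100.0/24, the SNMP poller address 10.0.100.40 and the CHANGE-ME secrets are constructed; the `discover-interface-list` setting assumes RouterOS 6.41 or later.

```routeros
# Added example (not from the checklist): Router Access Management items applied in the
# RouterOS console. Interface name, interface list, management subnet, SNMP poller
# address and CHANGE-ME placeholders are constructed for illustration.

# A.9.4.4 - disable management services that are not used. Plain-text telnet/ftp/www
# and the API are switched off; ssh and winbox stay on but answer only to the
# management network (the per-service address filter is RouterOS's built-in ACL).
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=10.0.100.0/24
/ip service set winbox address=10.0.100.0/24

# A.9.4.4 - the router resolves names for itself only; it must not be an open resolver.
/ip dns set allow-remote-requests=no

# A.13.1.3 - neighbor discovery (MNDP/CDP/LLDP) only on the internal interface list,
# never on the interface facing the external network.
/interface list add name=LAN
/interface list member add list=LAN interface=ether2
/ip neighbor discovery-settings set discover-interface-list=LAN

# A.13.1.1 / A.9.2.4 - SNMP: v3 with authentication and encryption, read-only, bound to
# the single poller address. The default "public" community cannot be removed, so it
# is disabled. Enable SNMP only if monitoring actually needs it.
/snmp community add name=mon-v3 security=private authentication-protocol=SHA1 encryption-protocol=AES authentication-password="CHANGE-ME-auth" encryption-password="CHANGE-ME-priv" addresses=10.0.100.40/32 read-access=yes write-access=no
/snmp community set [find name=public] disabled=yes
/snmp set enabled=yes trap-version=3 trap-community=mon-v3 trap-target=10.0.100.40

# Evidence for the audit finding
/ip service print
/ip dns print
/ip neighbor discovery-settings print
/snmp community print
```

If the monitoring system only speaks v2c, the same `addresses=` restriction still applies to that community, but the string then travels in clear text on every poll, which is the reason the checklist asks for it to be rotated like a root password.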
Configuration Management

| Question | Findings (Yes/No) | ISO 27001 Control | Standard/Best Practice |
|---|---|---|---|
| How often are the router configurations backed up? | Yes / No | A.12.3.1 | Router configurations should be backed up periodically, depending on their importance and the frequency of changes made to the configuration. |
| Is there any technical control to prevent unauthorized access to configuration backups? | Yes / No | A.8.2.1, A.12.3.1 | If a file server is used to store configuration files, the files should be restricted to authorized personnel only. |
| Is there a documented procedure for backup of router configurations? | Yes / No | A.12.3.1, A.12.1.1 | The backup procedure, including backup periods and the backup storage location, needs to be documented. |
| Is there any procedure for system reset or recovery from backup? | Yes / No | A.12.1.1 | A clear procedure for system reset or recovery from backup needs to be documented to prevent unnecessary downtime. |
| Are all router configuration changes and updates documented in a manner suitable for review according to a change management procedure? | Yes / No | A.12.1.2 | Any changes and updates to the router configuration need to follow the change management procedure, to prevent unnecessary downtime and to maintain the integrity of the configuration. |
| Is there any periodic router capacity review for performance assurance? | Yes / No | A.12.1.3 | The router capacity needs to be reviewed periodically to confirm it is still sufficient for operational requirements. |
| Is the network engineer aware of the latest vulnerabilities that could affect the router and of recent updates? | Yes / No | A.6.1.4, A.12.6.1 | The network engineer should receive periodic RouterOS updates. |
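A scheduled backup that covers the Configuration Management items above, written as an added example (not the checklist's and not MikroTik's code). The backup server 10.0.100.20, the `rosbackup` SFTP account, the script and scheduler names and the CHANGE-ME passwords are constructed; `mode=sftp` on `/tool fetch` is assumed to require RouterOS 6.45 or later, and `/export` is assumed to omit stored secrets by default on RouterOS 7 (RouterOS 6 needs `hide-sensitive=yes`).

```routeros
# Added example (not from the checklist): nightly configuration backup for the
# Configuration Management items. Backup server, SFTP account, script/scheduler names
# and CHANGE-ME passwords are constructed placeholders.

# A.12.3.1 - one script produces two artifacts: an encrypted binary backup for
# recovery and a plain-text export for change review (keep the .rsc files in version
# control so A.12.1.2 changes can be diffed). Fixed file names are used; the server
# keeps the history.
/system script add name=cfg-backup policy=read,write,ftp,sensitive,test source={
    :local name ("cfg-" . [/system identity get name])
    # binary backup, encrypted with the backup password
    /system backup save name=$name password="CHANGE-ME-backup" encryption=aes-sha256
    # readable export (RouterOS 7 leaves secrets out unless show-sensitive=yes is given;
    # on RouterOS 6 add hide-sensitive=yes)
    /export file=$name
    # copy both files to the backup server over SFTP (sftp mode assumed: RouterOS >= 6.45),
    # then remove the local copies
    /tool fetch upload=yes mode=sftp address=10.0.100.20 user=rosbackup password="CHANGE-ME-sftp" src-path=($name . ".backup") dst-path=("backups/" . $name . ".backup")
    /tool fetch upload=yes mode=sftp address=10.0.100.20 user=rosbackup password="CHANGE-ME-sftp" src-path=($name . ".rsc") dst-path=("backups/" . $name . ".rsc")
    /file remove [find where name=($name . ".backup")]
    /file remove [find where name=($name . ".rsc")]
    :log info ("cfg-backup: " . $name . " uploaded to 10.0.100.20")
}

# run it every night at 02:00; the scheduler's policy must cover what the script does
/system scheduler add name=nightly-cfg-backup start-time=02:00:00 interval=1d on-event=cfg-backup policy=read,write,ftp,sensitive,test

# A.12.1.1 - the documented recovery counterpart is
#   /system backup load name=cfg-<identity> password="CHANGE-ME-backup"
# which reboots the router; rehearse it on a spare unit, not in production.

# Evidence for the audit finding
/system scheduler print
/log print where message~"cfg-backup"
```

On the server side the `backups/` directory is where the A.8.2.1 control lives: the `rosbackup` account should be able to write new files but not read or delete old ones, and only named personnel should have read access.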
Business Continuity

| Question | Findings (Yes/No) | ISO 27001 Control | Standard/Best Practice |
|---|---|---|---|
| Is there router redundancy in cold standby or hot standby? | Yes / No | A.17.1.1, A.17.1.2 | This depends on your organization's requirements; time-critical and strategic routers need to have redundancy. |
| Are disaster recovery procedures for the router/network documented, and are they tested? | Yes / No | A.17.1.2, A.17.1.3 | Any disaster recovery plan needs to be documented properly and tested periodically. |
| Is the configuration backup saved to an off-site/DR site? | Yes / No | A.12.3.1, A.17.1.1 | A copy of the router configuration needs to be saved to an off-site/DR site for disaster recovery purposes. |
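For the hot-standby form of the redundancy item above, the following is an added example (not from the checklist or MikroTik's documentation) of a VRRP pair on RouterOS. The interface `ether2`, the real addresses 10.0.1.2 and 10.0.1.3, the virtual gateway 10.0.1.1 and the VRRP password are constructed; both routers receive the same commands, differing only in their real address and priority.

```routeros
# Added example (not from the checklist): hot standby for the router redundancy item
# (A.17.1.1 / A.17.1.2) with VRRP. Interface, addresses and the CHANGE-ME password are
# constructed placeholders.

# Each router keeps its own real address on the LAN interface
# (10.0.1.2 on the primary, 10.0.1.3 on the standby).
/ip address add address=10.0.1.2/24 interface=ether2 comment="real address of this router"

# One VRRP instance per router with the same vrid; the primary carries the higher
# priority and takes the role back when it returns (preemption). Authentication
# keeps a rogue host on the LAN from announcing itself as the virtual router.
/interface vrrp add name=vrrp-lan interface=ether2 vrid=10 priority=200 preemption-mode=yes version=2 authentication=ah password="CHANGE-ME-vrrp"
# on the standby router use priority=100 instead of 200

# The virtual address is the clients' default gateway; it follows whichever router
# is master.
/ip address add address=10.0.1.1/32 interface=vrrp-lan

# Evidence for the audit finding: one router reports "master", the other "backup".
/interface vrrp print
/interface vrrp monitor vrrp-lan once
```

VRRP only moves the gateway address; the two routers' configurations must still be kept identical through the change management procedure in the Configuration Management section, and the failover should be exercised as part of the periodic DR test.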

Log Management and Incident Handling

| Question | Findings (Yes/No) | ISO 27001 Control | Standard/Best Practice |
|---|---|---|---|
| Is login and logout tracking/command logging for the router administrators enabled? | Yes / No | A.12.4.1, A.12.4.3 | A detailed log of every command typed on the router, as well as of when an administrator logged in or out, can be recorded for audit purposes. |
| Is the NTP server service used to synchronize the clocks of all the routers? | Yes / No | A.12.4.4 | The NTP service synchronizes the clocks between networking devices, thereby maintaining a consistent time, which is essential for diagnostics, security alerts and log data. |
| Are all attempts to any port, protocol, or service that is denied logged? | Yes / No | A.12.4.1, A.16.1.2 | All security events need to be logged. |
| Is logging to a syslog server enabled on the router? | Yes / No | A.12.4.2, A.16.1.2 | Critical and important logs should be sent to and stored on an external syslog server. |
| How often are the router logs (covering administrator access/access control) reviewed? | Yes / No | A.12.4.1 | Logs need to be reviewed regularly. |
| Are reports and analyses carried out based on the log messages? | Yes / No | A.16.1.6 | Reports and analyses should be based on the log messages. |
| Is there any documentation for the course of action to be followed if any incident is noticed? | Yes / No | A.16.1.1 | The course of action for any incident should be planned and documented properly. |
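The logging and time-synchronization items above, implemented in the RouterOS console as an added example (not the checklist's own content and not MikroTik documentation). The NTP server 10.0.100.10, the syslog server 10.0.100.30, the management subnet 10.0.100.0/24 and the log prefix are constructed; the NTP commands use the RouterOS 7 syntax, with the RouterOS 6 equivalent noted in a comment.

```routeros
# Added example (not from the checklist): logging, time sync and denied-access logging
# for the Log Management items. NTP server, syslog server, management subnet and the
# log prefix are constructed placeholders.

# A.12.4.4 - consistent time on every router so log entries can be correlated.
# RouterOS 7 syntax; on RouterOS 6 use: /system ntp client set enabled=yes primary-ntp=10.0.100.10
/system clock set time-zone-name=UTC
/system ntp client set enabled=yes
/system ntp client servers add address=10.0.100.10

# A.12.4.2 - a remote syslog target, so an intruder who wipes the router's memory log
# does not also erase the evidence.
/system logging action add name=remote-syslog target=remote remote=10.0.100.30 remote-port=514 syslog-facility=local7 bsd-syslog=yes

# A.12.4.1 / A.12.4.3 - which topics go off-box: "account" carries admin logins and
# logouts, "system,info" carries configuration changes with the user who made them,
# "firewall" carries the rule hits logged below, plus everything critical or error.
/system logging add topics=account action=remote-syslog
/system logging add topics=system,info action=remote-syslog
/system logging add topics=firewall action=remote-syslog
/system logging add topics=critical action=remote-syslog
/system logging add topics=error action=remote-syslog

# A.12.4.1 / A.16.1.2 - log every denied attempt to reach the router itself. Order
# matters: accept established/related and the management network first, then log
# and drop whatever is left as the last input-chain rule.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="keep existing sessions"
/ip firewall filter add chain=input src-address=10.0.100.0/24 action=accept comment="management network"
/ip firewall filter add chain=input action=drop log=yes log-prefix="INPUT-DENY" comment="log and drop everything else"

# Evidence for the audit finding
/system ntp client print
/system logging print
/log print where topics~"account"
/log print where message~"INPUT-DENY"
```

The `INPUT-DENY` prefix is what the review step in the checklist searches for on the syslog server; a sudden rise in those lines from a single source is the kind of event the incident-handling procedure should already name.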

This work is a derivative work from a document ISO27k Cisco Router Security Audit
Checklist copyright © 2007, ISO27k Forum, some rights reserved. It is licensed under the Creative
Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce,
circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a
commercial product, (b) it is properly attributed to the ISO27k implementers' forum
(www.ISO27001security.com), and (c) if shared, any derivative works are shared under the same terms
as this.

Note: this is NOT security advice. Do not rely on this checklist. Refer to the Mikrotik RouterOS
documentation and take advice from competent network security professionals.
