
Windows 2003 Server - NoSP, SP1, SP2 Configuration Standard Workplan

Generated by Mercury on: September 07, 2007


Copyright 2007 Ernst & Young, LLP. All rights reserved.
Description: Please type in a Description.
Fiscal Year: 12/31/07 - Integrated Audit
Description: Windows 2003 Server - NoSP, SP1, SP2 Security Review for Application
Source: Client name
Workpaper Reference: TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls

Control Category | Reference | Conclusion

Control categories used in the workplan:
A. User Account Management
B. Access Control Management
C. Configuration and Supporting Processes
D. System Logging and Auditing
E. Network and Environment Controls

Reference 1 - No Exceptions Noted
Reference 2 - No Exceptions Noted
Reference 3 - No Exceptions Noted
Reference 4 - Findings Noted
Reference 5 - No Exceptions Noted
Reference 6 - No Exceptions Noted
Reference 7 - No Exceptions Noted
Reference 8 - No Exceptions Noted
Reference 9 - No Exceptions Noted
Reference 10 - No Exceptions Noted
Reference 11 - No Exceptions Noted
Reference 12 - No Exceptions Noted
Reference 13 - No Exceptions Noted
Reference 14 - No Exceptions Noted
Reference 15 - No Exceptions Noted
Reference 16 - No Exceptions Noted
Reference 17 - No Exceptions Noted
Reference 18 - No Exceptions Noted
Reference 19 - No Exceptions Noted
Reference 20 - No Exceptions Noted
Reference 21 - No Exceptions Noted
Reference 22 - No Exceptions Noted
Reference 23 - No Exceptions Noted
N/A
Reference 24 - No Exceptions Noted
Reference 25 - No Exceptions Noted
Reference 26 - No Exceptions Noted

TSRS PCP Mapping | Name

1. LA-1: General system security settings are appropriate | Test Default Accounts & Passwords - Windows 2003 Server
2. LA-2: Password settings are appropriate | Test Idle Session Time Out - Windows 2003 Server
3. LA-2: Password settings are appropriate | Test Password Policy and Account Lockout - Windows 2003 Server
4. LA-2: Password settings are appropriate | Test User Capability to Change Passwords After First Login - Windows 2003 Server
5. LA-3: Access to privileged IT functions is limited to appropriate individuals | Test Access to Privileged IT Functions - Windows 2003 Server
6. LA-5: User access is authorized and appropriately established | Temporary & Contractor Type Accounts - Windows 2003 Server
7. LA-1: General system security settings are appropriate | Test Permission to Access the Registry - Windows 2003 Server
8. LA-1: General system security settings are appropriate | Test Trust Relationships - Windows 2003 Server
9. LA-1: General system security settings are appropriate | Test Anonymous Login to FTP - Windows 2003 Server
10. LA-1: General system security settings are appropriate | Test Domain Structure - Windows 2003 Server
11. LA-1: General system security settings are appropriate | Test Use of NT File System (NTFS) - Windows 2003 Server
12. MC-1: Changes are authorized | Test Manage Change Process (authorized) - Windows 2003 Server
13. MC-2: Changes are tested | Test Manage Change Process (tested) - Windows 2003 Server
14. MC-3: Changes are approved | Test Manage Change Process (approved) - Windows 2003 Server
15. LA-5: User access is authorized and appropriately established | Test Monitoring of User Access - Windows 2003 Server
16. LA-6: Physical access to computer hardware is limited to appropriate individuals | Test Physical Security - Windows 2003 Server
17. LA-8: Segregation of incompatible duties exists within the logical access environment | Test Logical Access Segregation of Duties - Windows 2003 Server
18. OP-1: Financial data has been backed-up and is recoverable | Test Data Back Up and Recovery Process - Windows 2003 Server
19. OP-2: Deviations from scheduled processing are identified and resolved in a timely manner | Test Scheduling - Windows 2003 Server
20. LA-4: Access to system resources and utilities is limited to appropriate individuals | Test Access to Data and Data Modification Utilities - Windows 2003 Server
21. LA-5: User access is authorized and appropriately established | Test New User Setup - Windows 2003 Server
22. LA-5: User access is authorized and appropriately established | Test User Validation Procedures - Windows 2003 Server
23. LA-7: Logical access process is monitored | Test Logical Access Monitoring - Windows 2003 Server
24. MC-4: Changes are monitored | Test Program Change Monitoring - Windows 2003 Server
25. MC-5: Segregation of incompatible duties exists within the manage change environment | Test Manage Change Segregation of Duties / Access to Programs - Windows 2003 Server
26. OP-3: IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner | Test Problem/Incident Management - Windows 2003 Server
Description | Risk Statement

1. General system security settings are appropriate. | Security and password configurations are not optimized to prevent unauthorized access. Unauthorized users are granted access to key resources, including access to sensitive utilities and master files. Key financial data/programs are intentionally or unintentionally modified.

2. Password settings are appropriate. | Security and password configurations are not optimized to prevent unauthorized access. Key financial data/programs are intentionally or unintentionally modified.

3. Password settings are appropriate. | Security and password configurations are not optimized to prevent unauthorized access. Unauthorized access attempts are not detected and resolved by management.

4. Password settings are appropriate. | Security and password configurations are not optimized to prevent unauthorized access.

5. Access to privileged IT functions is limited to appropriate individuals. | Unauthorized users are granted key privileged rights. Unauthorized access attempts are not detected and resolved by management. Key financial data/programs are intentionally or unintentionally modified.

6. Contractor and temporary accounts are configured to expire after a specified period of time. | Failure to configure temporary and contract accounts to expire after a defined period increases the risk of active accounts being left on the system after the worker's employment ends. The former worker could use the account to gain unauthorized access, or an attacker could target the active accounts to compromise the system.

7. General system security settings are appropriate. | Unauthorized users are granted key privileged rights.

8. General system security settings are appropriate. | Unauthorized access attempts are not detected and resolved by management. Key financial data/programs are intentionally or unintentionally modified.

9. General system security settings are appropriate. | Unauthorized users are granted access to key resources, including access to sensitive utilities and master files. Key financial data/programs are intentionally or unintentionally modified. Security and password configurations are not optimized to prevent unauthorized access.

10. General system security settings are appropriate. | Unauthorized users are granted access to key resources, including access to sensitive utilities and master files. Security and password configurations are not optimized to prevent unauthorized access.

11. General system security settings are appropriate. | Unauthorized users are granted access to key resources, including access to sensitive utilities and master files. Security and password configurations are not optimized to prevent unauthorized access.

12. Changes are authorized. | An unauthorized or unapproved change is promoted to the production environment. Changes promoted to production are not functioning properly or according to user specifications. Key financial data/programs are intentionally or unintentionally modified.

13. Changes are tested. | An unauthorized or unapproved change is promoted to the production environment. Changes promoted to production are not functioning properly or according to user specifications. Key financial data/programs are intentionally or unintentionally modified.

14. Changes are approved. | An unauthorized or unapproved change is promoted to the production environment. Changes promoted to production are not functioning properly or according to user specifications. Key financial data/programs are intentionally or unintentionally modified.

15. User access is authorized and appropriately established. | Unauthorized access attempts are not detected and resolved by management. Key financial data/programs are intentionally or unintentionally modified.

16. Physical access to computer hardware is limited to appropriate individuals. | Unauthorized personnel have access to computer hardware and infrastructure. Key financial data/programs are intentionally or unintentionally modified.

17. Segregation of incompatible duties exists within the logical access environment. | Users with conflicting access and responsibilities could compromise the reliability, availability, and integrity of data. Key financial data/programs are intentionally or unintentionally modified.

18. Financial data has been backed-up and is recoverable. | Financial applications and data are lost due to insufficient or incomplete backups.

19. Deviations from scheduled processing are identified and resolved in a timely manner. | Operational problems and incidents are not identified and resolved, resulting in processing errors. Job scheduling and batch processing are not properly planned and executed, affecting key financial processes, data, interfaces, or reports.

20. Access to system resources and utilities is limited to appropriate individuals. | Unauthorized users are granted access to key resources, including access to sensitive utilities and master files. Users inappropriately have access to applicable logical access layers. Key financial data/programs are intentionally or unintentionally modified.

21. User access is authorized and appropriately established. | Unauthorized users are granted access to applicable logical access layers. Key financial data/programs are intentionally or unintentionally modified.

22. User access is authorized and appropriately established. | Users retain inappropriate access to applicable logical access layers. Key financial data/programs are intentionally or unintentionally modified.

23. Logical access process is monitored. | Key financial data/programs are intentionally or unintentionally modified.

24. Changes are monitored. | An unauthorized or unapproved change is promoted to the production environment. Changes promoted to production are not functioning properly or according to user specifications. Key financial data/programs are intentionally or unintentionally modified.

25. Segregation of incompatible duties exists within the manage change environment. | An unauthorized or unapproved change is promoted to the production environment. Inappropriate users have access to migrate changes into the production environment. Key financial data/programs are intentionally or unintentionally modified.

26. IT operations problems or incidents are identified, resolved, reviewed and analyzed in a timely manner. | Operational problems and incidents are not identified and resolved, resulting in processing errors. Job scheduling and batch processing are not properly planned and executed, affecting key financial processes, data, interfaces, or reports.
Manual Review Procedures | Include in Audit

1. Test Default Accounts & Passwords - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine that the general system security settings are appropriate based on minimum guidelines defined in our technology-specific guidance, if available.

Determine if the default accounts have been disabled by performing the following steps:

A. If Active Directory is being used:

STEP 1
Click [Start] > [Administrative Tools] > [Active Directory Users and Computers].

STEP 2
Highlight the [Users] folder and verify that the Guest account has been disabled (a red X will appear over the user icon).

STEP 3
In the same screen identify the default Administrator account. It is recommended that this default Administrator account be disabled and a new administrator account created with a strong password.

B. If Active Directory is NOT being used:

STEP 1
Click [Start] > [Administrative Tools] > [Computer Management]. If evaluating domain accounts, connect to any other machine in that domain using the [Connect to another computer…] option from the [Action] menu.

STEP 2
Expand the [System Tools] > [Local Users and Groups] node.

STEP 3
Highlight the [Users] folder and verify that the Guest account has been disabled. A red X should appear over the user icon if it is disabled.

2. Test Idle Session Time Out - Windows 2003 Server (Include in Audit: Yes)

PCP: For each relevant technical component of the logical access path, obtain evidence of the organization's settings for the following security configurations:
• Minimum password length
• Initial log-on uses a one-time password
• Password composition (e.g., alpha/numeric characters, not words in dictionary)
• Frequency of forced password changes
• The number of unsuccessful log-on attempts allowed before lockout
• Ability of users to assign their own passwords
• Number of passwords that must be used prior to using a password again
• Idle session time out
• Logging of unsuccessful login attempts

STEP 1
Click [Start] > [Administrative Tools] > [Local (Domain) Security Policy].

STEP 2
Select [Security Settings] > [Local Policies] > [Security Options].

STEP 3
Double click the security option labeled [Microsoft network server: Amount of idle time required before suspending session] and validate the security setting's value. A recommended value is to lock out after 60 minutes of inactivity.

3. Test Password Policy and Account Lockout - Windows 2003 Server (Include in Audit: Yes)

PCP: For each relevant technical component of the logical access path, obtain evidence of the organization's settings for the security configurations listed under reference 2 (minimum password length, one-time initial password, password composition, frequency of forced changes, unsuccessful log-on attempts before lockout, ability of users to assign their own passwords, password history, idle session time out, and logging of unsuccessful login attempts).

STEP 1
Click [Start] > [Administrative Tools] > [Local (Domain) Security Policy].

STEP 2
Select [Security Settings] > [Account Policies] > [Password Policy].

4. Test User Capability to Change Passwords After First Login - Windows 2003 Server (Include in Audit: Yes)

PCP: For each relevant technical component of the logical access path, obtain evidence of the organization's settings for the security configurations listed under reference 2.
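The password, lockout, idle-session and audit settings listed above can be reviewed from a saved export instead of screenshots of the policy editor. The following Python script is an added example, not part of the workplan; it assumes the local policy was exported with the built-in `secedit /export /cfg <file>` command and that the export (which Windows writes as UTF-16) has been decoded to text. The baseline thresholds in `review_settings` are assumptions chosen for illustration, except the 60-minute idle-session value, which the workplan itself recommends; both INF samples are constructed.

```python
"""Check a secedit security-template export against a baseline.

Added example (not from the workplan). Assumes an export produced by
    secedit /export /cfg C:\secpol.inf
decoded from UTF-16 to text. Both INF samples below are constructed.
"""
import re

# Constructed export of a weak configuration, in secedit's INF layout.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of the same settings after hardening (only relevant keys).
HARDENED_INF = r"""
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
"""

# Registry value behind "Microsoft network server: Amount of idle time required
# before suspending session"; the data is "<type>,<minutes>" with type 4 = REG_DWORD.
AUTODISCONNECT = (r"MACHINE\System\CurrentControlSet\Services\LanManServer"
                  r"\Parameters\AutoDisconnect")


def parse_inf(text):
    """Return {section: {key: value}}; keys keep their case, ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def _int(section, key):
    value = section.get(key)
    return None if value is None else int(value)


def review_settings(text, max_idle_minutes=60):
    """Return {setting: finding} for every setting below the (assumed) baseline.
    An empty dict means no exceptions were noted."""
    cfg = parse_inf(text)
    access = cfg.get("System Access", {})
    audit = cfg.get("Event Audit", {})
    registry = cfg.get("Registry Values", {})
    findings = {}

    length = _int(access, "MinimumPasswordLength")
    if length is None or length < 8:
        findings["MinimumPasswordLength"] = f"is {length}, baseline requires at least 8"
    if _int(access, "PasswordComplexity") != 1:
        findings["PasswordComplexity"] = "complexity requirements are not enforced"
    history = _int(access, "PasswordHistorySize")
    if history is None or history < 12:
        findings["PasswordHistorySize"] = f"is {history}, baseline requires at least 12"
    max_age = _int(access, "MaximumPasswordAge")
    if max_age is None or not 1 <= max_age <= 90:          # -1 means passwords never expire
        findings["MaximumPasswordAge"] = f"is {max_age}, baseline requires 1..90 days"
    lockout = _int(access, "LockoutBadCount")
    if lockout is None or not 1 <= lockout <= 5:           # 0 means no lockout at all
        findings["LockoutBadCount"] = f"is {lockout}, baseline requires lockout after 1..5 failures"

    logon = _int(audit, "AuditLogonEvents")                # bit 1 = success, bit 2 = failure
    if logon is None or not logon & 2:
        findings["AuditLogonEvents"] = "failed logon attempts are not audited"

    raw = registry.get(AUTODISCONNECT)
    if raw is None:
        findings["AutoDisconnect"] = "idle session timeout is not defined"
    else:
        minutes = int(raw.split(",", 1)[1])
        if minutes < 0 or minutes > max_idle_minutes:      # -1 / 4294967295 = never disconnect
            findings["AutoDisconnect"] = f"idle timeout is {minutes} minutes, baseline allows at most {max_idle_minutes}"
    return findings


if __name__ == "__main__":
    for setting, finding in review_settings(SAMPLE_INF).items():
        print(f"{setting}: {finding}")
```

Keep the export as audit evidence alongside the script output; the export records the values at a point in time, while the thresholds belong in the workpaper so a reviewer can see what each finding was measured against.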
5. Test Access to Privileged IT Functions - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain a list of privileged user rights (e.g., users with full system access or access to security administration functionality) for the relevant technical components of the logical access path that support the key controls. Determine that it is complete. Review the lists of users with privileged rights and determine if the number of users appears appropriate. Based on the volume of users and the critical nature of this control, develop a test to determine if the users' privileged access is appropriate based on their job description/function (this listing should include privileged system accounts).

A. If Active Directory is being used:

STEP 1
Click [Start] > [Administrative Tools] > [Active Directory Users and Computers].

STEP 2
Highlight the [Groups] folder and double click on each group with privileged user rights (such as the Administrators or Power Users groups) and determine if the membership is appropriate.

Attention should be paid to:
- Excessive numbers of users;
- The inclusion of any generic account names; and
- The inclusion of any other groups as members in one of the Administration Groups.

B. If Active Directory is NOT being used:

STEP 1
Click [Start] > [Administrative Tools] > [Computer Management]. If evaluating domain accounts, connect to any other machine in that domain using the [Connect to another computer…] option from the [Action] menu.

STEP 2
Expand the [System Tools] > [Local Users and Groups] node and highlight the [Groups] folder.

STEP 3
Double click on each group with privileged user rights (such as the Administrators or Power Users groups) and determine if the membership is appropriate.

Attention should be paid to:
- Excessive numbers of users;
- The inclusion of any generic account names; and
- The inclusion of any other groups as members in one of the Administration Groups.

6. Temporary & Contractor Type Accounts - Windows 2003 Server (Include in Audit: Yes)

Obtain a listing of temporary employees and ensure that all accounts are set to expire on a given date of the review using the following procedure (on the Domain Controller).

STEP 1
Open Active Directory User Management by performing the following: [Start] > [Administrative Tools] > [Active Directory Users and Computers].

STEP 2
Highlight the [Users] folder and <double-click> on the user to be modified.

STEP 3
Select the [Account] tab and verify that expiration dates are set appropriately for the sample users.

7. Test Permission to Access the Registry - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine that the general system security settings are appropriate based on minimum guidelines defined in our technology-specific guidance, if available.

STEP 1
Click [Start] > [Run] > Type in 'regedt32' to access Registry Editor (Regedt32.exe).

STEP 2
Locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\

STEP 3
<Right Click> [Winreg] and then click [Permissions...].

STEP 4
Determine that only Administrators have access to update the registry.

8. Test Trust Relationships - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine that the general system security settings are appropriate based on minimum guidelines defined in our technology-specific guidance, if available.

STEP 1
Click [Start] > [Administrative Tools] > [Active Directory Domains and Trusts].

STEP 2
Expand the root and right click on the domain.

STEP 3
Select Properties from the displayed context menu.

STEP 4
Select the Trusts tab.

STEP 5
Review the trust relationships and determine that the trust relationships that may exist are required and support the domain model.

9. Test Anonymous Login to FTP - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine that the general system security settings are appropriate based on minimum guidelines defined in our technology-specific guidance, if available.

Perform the following review steps to verify that anonymous FTP login is restricted:

STEP 1
Click [Start] > [Administrative Tools] > [Internet Information Services (IIS) Manager].

STEP 2
Right click on [FTP Sites] and choose [Properties].

STEP 3
Select the [Security Accounts] tab.

STEP 4
Verify the [Allow Anonymous Connections] box is unchecked.

10. Test Domain Structure - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine that the general system security settings are appropriate based on minimum guidelines defined in our technology-specific guidance, if available.

Perform the following to verify that application servers (such as SQL, IIS, etc.) are not used as domain controllers and that servers accessible from the Internet are not members of a domain.

For application servers supporting financially-significant applications:

STEP 1
Click [Start] > [Control Panel] > [System].

STEP 2
Click on the [Computer Name] tab.

11. Test Use of NT File System (NTFS) - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine that the general system security settings are appropriate based on minimum guidelines defined in our technology-specific guidance, if available.

Perform the following review steps to verify that NTFS is used on the financially-significant servers:

STEP 1
Click [Start] > [Administrative Tools] > [Computer Management].

STEP 2
Expand [Storage] > [Disk Management].

STEP 3
Verify that the File System for each partition is set to NTFS.

12. Test Manage Change Process (authorized) - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain a complete list of changes to the relevant technical components of the IT environment since the beginning of the audit period through the date of our tests. Select an appropriate sample of changes from the list and determine that the change was appropriately authorized.

STEP 1
With assistance from the client identify the financially significant production program directories.

STEP 2
If a system-generated list of application changes cannot be obtained from the application, obtain a Windows 2003 generated listing of the files within the production program directories. The system-generated listing can be obtained by taking a screenshot of the relevant directories (from Windows Explorer), which contain file compile dates. The compile dates can be reviewed to identify programs that have been changed during the audit period.

If change management software is used and the production libraries are adequately secured (as tested during MC-5), a list of changes from the change management application is also acceptable.

STEP 3
Select a sample of application program changes and obtain documentation to support that the

13. Test Manage Change Process (tested) - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain a complete list of changes to the relevant technical components of the IT environment since the beginning of the audit period through the date of our tests. Select an appropriate sample of changes from the list and determine that the change was appropriately tested.

STEP 1
For the changes selected in MC-1, obtain documentation to support that the change was tested.

14. Test Manage Change Process (approved) - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain a complete list of changes to the relevant technical components of the IT environment since the beginning of the audit period through the date of our tests. Select an appropriate sample of changes from the list and determine that the change was appropriately approved.

STEP 1
For the changes selected in MC-1, obtain documentation to support that the change was approved.

15. Test Monitoring of User Access - Windows 2003 Server (Include in Audit: Yes)

PCP: Identify relevant monitoring controls and test that the controls functioned as expected over the audit period. These controls might include:
• Violation or violation attempts reporting and review
• Review of logs (i.e., surrounding privileged user access)

Determine that system settings are appropriately configured to capture key system events and activities.

STEP 1 - System Audit Settings
• Click [Start] > [Administrative Tools] > [Local

16. Test Physical Security - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain a list of employees with access to the data center, determine it is complete, and review for appropriateness. Confirm that controls are in place to restrict access to only those individuals.

STEP 1
Obtain a list of employees with access to the data center, determine it is complete, and review for appropriateness. Confirm that controls are in place to restrict access to only those individuals.

17. Test Logical Access Segregation of Duties - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine, both organizationally and logically, that different individuals/system resources perform the following duties related to granting user access:
• Requesting access, approving access, setting up access and monitoring access violations/violation attempts
• Performing rights of a "privileged" user and monitoring use of a "privileged" user
As appropriate, also utilize system security reports (used for testing LA-3) to determine that the logical access configurations are in place to enforce segregation of duties.

STEP 1
Determine, both organizationally and logically, that different individuals/system resources perform the following duties related to granting user access:
• Requesting access, approving access, setting up access and monitoring access violations/violation attempts
• Performing rights of a privileged user and monitoring use of a privileged user

STEP 2
As appropriate, utilize system security reports to determine that the logical access configurations are in place to enforce the control.

18. Test Data Back Up and Recovery Process - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine the process for identifying data to be backed up. Determine that individuals who perform backups are not also responsible for monitoring them. Select an appropriate sample of back-up activity and test that the ITGCs over back-ups are operating as expected. Review the procedures for periodically testing that back-ups can be restored.

STEP 1
Determine the process for identifying data to be backed up.

STEP 2
Determine that the individuals who perform backups are not also responsible for monitoring them.

STEP 3
Select an appropriate sample of back-up activity and test that the controls over back-ups are operating as expected.

STEP 4
Review the procedures for periodically testing that back-ups can be restored.

19. Test Scheduling - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine that only appropriate users have the ability to make changes to the job schedule and that only approved changes are made. Determine that individuals who program/implement/monitor scheduling do not have conflicting duties. Test a sample of errors from production processing. For each, determine that an appropriate level of follow-up and resolution occurred.

STEP 1
Obtain system security reports to determine that only appropriate users have the ability to make changes to the job schedule and that only approved changes are made.

STEP 2
Determine that individuals who program/implement/monitor scheduling do not have conflicting duties.

STEP 3
Test a sample of errors from production processing. For each, determine that an appropriate level of follow-up and resolution occurred.

20. Test Access to Data and Data Modification Utilities - Windows 2003 Server (Include in Audit: Yes)

PCP: Identify and obtain a list of resources (e.g. datasets, security, accounting schema, master files, transactional data), including utilities (e.g. SQL Plus, DFU, SuperZap) associated with the relevant applications that could affect the accuracy of the financial statements if not appropriately secured. Determine that access to the resource(s) is appropriate.

STEP 1
With assistance from the client identify the financially-significant production data directories and any data modification scripts/utilities housed on the server.

STEP 2
Obtain a system-generated list of users with update access to the financially significant production data directories and files and any data modification scripts/utilities by executing the following commands for each identified directory (and/or file):
• Click [Start] > [All Programs] > [Accessories] > [Windows Explorer].
• <Right-click> on the system/program file to be reviewed in Explorer, and select [Properties].
• Click on the [Security] tab to obtain the list of user accounts or groups that have access rights.

STEP 3
Review the appropriateness of access to the financially significant production data directories and files and any data modification scripts/utilities. Access should be restricted to those that require it to perform their job responsibilities. The security permissions that were obtained in STEP 2 will contain lists of user accounts and/or groups. When groups are present in the security list and the group has update permissions, we

21. Test New User Setup - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain a list of new users added during the period under audit and determine that it is complete. Select an appropriate sample and determine that there was appropriate approval granting the new user access and that the user's access was appropriately established based on his/her job function and the new user request form.

STEP 1
Obtain a list of user accounts created or modified within Windows 2003 during the audit period.
• Click [Start] > [Run] > Type in 'cmd' to obtain a command prompt (cmd.exe).
• Use the LDIFDE command to extract the User ID (SAMAccountName), Account Name (CN) and Creation Date (whencreated) of user accounts by entering the following command:

ldifde -f export.txt -s <Domain Controller> -r "(&(ObjectClass=user)(whencreated>=20070101000000.0Z))" -l "SAMAccountName,cn,whencreated"

Note: <Domain Controller> should be the name of the domain controller, for example "-s tsrsdomain" without the double quotes. The time format for whencreated is YYMMDDHHMMSS.0Z, which represents two-digit year (YY), month (MM), day (DD), hour (HH), minutes (MM), and seconds

22. Test User Validation Procedures - Windows 2003 Server (Include in Audit: Yes)

PCP: If the client has a periodic user validation process, obtain the periodic validation report(s) and select an appropriate sample to determine that the users' access had been appropriately validated.

STEP 1
Obtain the periodic validation report(s) and select an appropriate sample to determine that the users' access had been appropriately validated.

If the client does not have an effective periodic user validation process:

STEP 1
Obtain a list of employees terminated during the period under audit and determine that it is complete. Select an appropriate sample and determine if system access had been removed or deactivated timely.

STEP 2
Obtain a list of employees transferred during the period under audit and determine that it is complete. Determine if the user's access is appropriate based on his/her job function and that his/her previous system access has been removed or deactivated.

NOTE: Unused accounts can be identified based

23. Test Logical Access Monitoring - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain sufficient evidence to determine that the logical access process is monitored on a regular basis (e.g., monitoring compliance with established logical access control procedures, periodic review of logical access policies and procedures).

STEP 1
Obtain sufficient evidence to determine that the logical access process is monitored on a regular basis (e.g., monitoring compliance with established logical access control procedures, periodic review of logical access policies and procedures).

24. Test Program Change Monitoring - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain sufficient evidence to determine that the change process is monitored on a regular basis (e.g., steering committee, management review of changes to production).

STEP 1
Obtain sufficient evidence to determine that the change process is monitored on a regular basis (e.g., steering committee, management review of changes to production).
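The LDIFDE export produced for the new-user test can also be used to check the account-expiration requirement for temporary and contractor accounts (reference 6), since both facts are attributes of the same user objects. The Python script below is an added example, not part of the workplan; it assumes the export was produced by ldifde with `-l sAMAccountName,cn,whenCreated,accountExpires` (accountExpires is an extra attribute beyond the workplan's command) and works on the LDIF text offline. The sample export, the domain name and the account names are constructed.

```python
"""Review an ldifde user export for creation dates and account expiry.

Added example (not from the workplan). Assumes an export produced with
    ldifde -f export.txt -s <dc> -r "(objectClass=user)"
           -l sAMAccountName,cn,whenCreated,accountExpires
SAMPLE_LDIF below is constructed; the domain and accounts are fictitious.
"""
import base64
from datetime import datetime, timedelta, timezone

# ldifde output: "attr: value", "attr:: base64" for non-ASCII values, a leading
# space folds a long line onto the previous one, a blank line ends a record.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Contractors,DC=example,DC=local
changetype: add
cn: Jane Doe
sAMAccountName: jdoe
whenCreated: 20070315091200.0Z
accountExpires: 128435328000000000

dn: CN=Svc Backup,OU=Service,
 DC=example,DC=local
changetype: add
cn: Svc Backup
sAMAccountName: svc_backup
whenCreated: 20061120143000.0Z
accountExpires: 9223372036854775807

dn: CN=jperez,OU=Users,DC=example,DC=local
changetype: add
cn:: Sm9zw6kgUMOpcmV6
sAMAccountName: jperez
whenCreated: 20070601080000.0Z
accountExpires: 0
"""

NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # AD stores "never" as either value
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lower-case): [values]} records."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:       # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:                   # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return records


def parse_generalized_time(value):
    """LDAP GeneralizedTime such as '20070315091200.0Z' (UTC) -> aware datetime."""
    digits = value.split(".")[0]
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """accountExpires is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
    Returns None for the sentinel values that mean 'never expires'."""
    ticks = int(filetime)
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def review_accounts(ldif_text, period_start, period_end):
    """Names created inside the audit period (sample for new-user approval) and
    names with no expiry date (sample for the temporary-account test)."""
    created, never = [], []
    for record in parse_ldif(ldif_text):
        if "samaccountname" not in record:
            continue
        sam = record["samaccountname"][0]
        if "whencreated" in record:
            when = parse_generalized_time(record["whencreated"][0])
            if period_start <= when <= period_end:
                created.append(sam)
        if "accountexpires" in record and filetime_to_datetime(record["accountexpires"][0]) is None:
            never.append(sam)
    return {"created_in_period": sorted(created), "never_expires": sorted(never)}


# Fiscal year 12/31/07 as in the workplan header, expressed as UTC bounds.
AUDIT_PERIOD = (datetime(2007, 1, 1, tzinfo=timezone.utc),
                datetime(2007, 12, 31, 23, 59, 59, tzinfo=timezone.utc))


def review_sample():
    return review_accounts(SAMPLE_LDIF, *AUDIT_PERIOD)


if __name__ == "__main__":
    for label, names in review_sample().items():
        print(f"{label}: {', '.join(names)}")
```

Filtering on the client side, rather than in the `-r` search filter, keeps one export usable for both tests; the base64 and line-folding cases matter because ldifde applies them to any account whose name contains accented characters or is long enough to wrap.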
25. Test Manage Change Segregation of Duties / Access to Programs - Windows 2003 Server (Include in Audit: Yes)

PCP: Determine, both organizationally and logically, that different individuals within the organization perform the following duties:
- Request/Approve program development or program change
- Program the development or change
- Move programs in and out of production
- Monitor program development and changes

STEP 1
With assistance from the client, identify the financially significant production program directories.

STEP 2
Obtain a system-generated list of users with update access to the financially significant production program directories and files by executing the following commands for each identified directory:
• Click [Start] > [All Programs] > [Accessories] > [Windows Explorer].
• <Right-click> on the system/program file to be reviewed in Explorer, and select [Properties].
• Click on the [Security] tab to obtain the list of user accounts or groups that have access rights.

STEP 3
Determine that the individuals involved in the program change procedures (in test steps MC-1, MC-2, MC-3 and MC-4) are appropriate to enforce segregation of duties. The individuals should not perform two or more of the above defined responsibilities.

Logical access should be restricted to those that require it to perform their job responsibilities and enforce segregation of duties between the responsibilities outlined above. Developers should not have the ability to move code to production unless a compensating control is identified.

In evaluating logical access assignments, review the file permissions for financially significant production program directories to identify user accounts and/or groups that have been assigned update access. When groups are present in the security list and the group has update permissions, we should review the appropriateness of the membership within the groups. Also, it should be noted that the "Everyone" group typically contains all listed users within the domain. The "Everyone" group should not have update access to production program files.

To obtain a list of users assigned to a group:

A. If Active Directory is being used:

26. Test Problem/Incident Management - Windows 2003 Server (Include in Audit: Yes)

PCP: Obtain sufficient evidence to determine that IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner.

STEP 1
Obtain a list of job processing errors and determine that the incidents were resolved, reviewed, and analyzed in a timely manner.
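The permission review described here for production program directories (and the same review of production data directories and modification utilities under reference 20) can be performed over a saved permission listing instead of one Security tab screenshot per file. The Python script below is an added example, not the workplan's procedure; it assumes the listing was produced with the built-in `cacls` command (for example `cacls C:\Prod\GL\*.exe > perms.txt`), that the paths in the listing contain no spaces, and that the paths, domain and group names in the constructed sample are fictitious. It flags every trustee with update-capable rights and separately those that are broad groups such as Everyone, which the text says must not have update access.

```python
"""Flag update access on production files from a saved cacls listing.

Added example (not from the workplan). Assumes cacls output of the form
    <path> <trustee>:<flags><right>
            <trustee>:<flags><right>
where <right> is one of N R W C F or "(special access:)" followed by an
indented list of access rights. Paths are assumed to contain no spaces.
SAMPLE_CACLS is constructed; paths, domain and groups are fictitious.
"""
import re

SAMPLE_CACLS = r"""
C:\Prod\GL\gl_post.exe BUILTIN\Administrators:F
                       NT AUTHORITY\SYSTEM:F
                       Everyone:C
                       CORP\GL_Readers:R

C:\Prod\GL CORP\GL_Developers:(OI)(CI)(DENY)W
           CORP\ChangeMgmt:(OI)(CI)C
           BUILTIN\Users:(OI)(CI)(special access:)
                                        READ_CONTROL
                                        SYNCHRONIZE
                                        FILE_GENERIC_READ
                                        FILE_EXECUTE

C:\Prod\AP\ap_batch.cmd CORP\Domain Users:(OI)(CI)F
"""

ENTRY_RE = re.compile(
    r"^(?P<trustee>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF]|\(special access:\))$")
RIGHT_RE = re.compile(r"^[A-Z_]+$")                 # one line of a "(special access:)" block

UPDATE_CODES = {"W", "C", "F"}                      # write, change, full control
UPDATE_SPECIAL = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_GENERIC_WRITE", "DELETE",
                  "WRITE_DAC", "WRITE_OWNER", "GENERIC_WRITE", "GENERIC_ALL", "FILE_ALL_ACCESS"}
# Groups that effectively mean "every account"; update access for them is a finding.
BROAD_GROUPS = {"everyone", "users", "builtin\\users", "authenticated users",
                "nt authority\\authenticated users", "domain users"}


def is_broad(trustee):
    name = trustee.lower()
    return name in BROAD_GROUPS or name.split("\\")[-1] in BROAD_GROUPS


def parse_cacls(text):
    """Return a list of (path, trustee, is_deny, rights) tuples."""
    entries, path, pending = [], None, None        # pending: index collecting special rights
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            pending = None
            continue
        body = line.strip()
        if pending is not None and RIGHT_RE.match(body):
            entries[pending][3].add(body)
            continue
        pending = None
        if not line[0].isspace():                   # new file: "<path> <first entry>"
            path, _, body = body.partition(" ")
        match = ENTRY_RE.match(body)
        if not match or path is None:
            continue
        deny = "(DENY)" in match.group("flags")
        if match.group("right") == "(special access:)":
            entries.append((path, match.group("trustee"), deny, set()))
            pending = len(entries) - 1
        else:
            entries.append((path, match.group("trustee"), deny, {match.group("right")}))
    return entries


def find_update_access(text):
    """Per path: trustees allowed update access, and the subset that are broad groups.
    Deny entries are skipped because they remove access rather than grant it."""
    report = {}
    for path, trustee, deny, rights in parse_cacls(text):
        entry = report.setdefault(path, {"update_allowed": [], "broad_update": []})
        if deny or not rights & (UPDATE_CODES | UPDATE_SPECIAL):
            continue
        entry["update_allowed"].append(trustee)
        if is_broad(trustee):
            entry["broad_update"].append(trustee)
    return report


if __name__ == "__main__":
    for path, found in find_update_access(SAMPLE_CACLS).items():
        print(path, "update:", found["update_allowed"], "broad:", found["broad_update"])
```

The `update_allowed` list is the population to trace back to job responsibilities and group membership; `broad_update` entries are exceptions on their own, since the text states that the Everyone group should not hold update access to production program files.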


Comment Risks
Security and password configurations are not optimized to prevent unauthorized access.

Unauthorized users are granted access to key resources, including access to sensitive utilities and master files.

Key financial data and/or programs are modified intentionally or by error.

Security and password configurations are not optimized to prevent unauthorized access.

Key financial data and/or programs are modified intentionally or by error.

Security and password configurations are not optimized to prevent unauthorized access.

Unauthorized access attempts are not detected and corrected by management.

Security and password configurations are not optimized to prevent unauthorized access.
Unauthorized users are granted privileged access.

Unauthorized access attempts are not detected and resolved by management.

Key financial data and/or programs are modified intentionally or by error.

Failure to define an expiration time for temporary or contract accounts increases the risk of leaving active accounts on the system after the worker's period of employment. The former worker could use the account to gain unauthorized access, or an attacker could target the active accounts to compromise the system.

Unauthorized users are granted privileged access.

Unauthorized access attempts are not detected and corrected by management.

Key financial data and/or programs are modified intentionally or by error.

Security and password configurations are not optimized to prevent unauthorized access.

Key financial data and/or programs are modified intentionally or by error.

Security and password configurations are not optimized to prevent unauthorized access.

Security and password configurations are not optimized to prevent unauthorized access.

Security and password configurations are not optimized to prevent unauthorized access.
Security and password configurations are not optimized to prevent unauthorized access.

Security and password configurations are not optimized to prevent unauthorized access.

An unauthorized or unapproved change is moved to the production environment.

Changes promoted to production do not function correctly or according to user specifications.

Key financial data and/or programs are modified intentionally or by error.

An unauthorized or unapproved change is moved to the production environment.

An unauthorized or unapproved change is moved to the production environment.
Changes promoted to production do not function correctly or according to user specifications.

Changes promoted to production do not function correctly or according to user specifications.
Unauthorized access attempts are not detected and corrected by management.
Key financial data and/or programs are modified intentionally or by error.

Unauthorized personnel have access to the hardware and infrastructure.
Key financial data and/or programs are modified intentionally or by error.
Users with conflicting access and responsibilities could compromise the reliability, availability and integrity of data.

Key financial data and/or programs are modified intentionally or by error.

Financial data and applications are lost due to incomplete backups.
Operational problems and incidents are not identified and resolved, resulting in processing errors.

Scheduled jobs and batch processes are not planned and executed correctly, affecting key financial processes, data, interfaces or reports.

Security and password configurations are not optimized to prevent unauthorized access.

Users have inappropriate access to the logical layers.

Key financial data and/or programs are modified intentionally or by error.

Users retain inappropriate access to the logical access layers.

Users retain inappropriate access to the logical access layers.
Key financial data and/or programs are modified intentionally or by error.

Key financial data and/or programs are modified intentionally or by error.

Key financial data and/or programs are modified intentionally or by error.
An unauthorized or unapproved change is moved to the production environment.

Changes promoted to production do not function correctly or according to user specifications.

Key financial data and/or programs are modified intentionally or by error.
An unauthorized or unapproved change is moved to the production environment.

Inappropriate users have access to migrate changes to the production environment.

Key financial data and/or programs are modified intentionally or by error.

Operational problems and incidents are not identified and resolved, resulting in processing errors.

Scheduled jobs and batch processes are not planned and executed correctly, affecting key financial processes, data, interfaces or reports.
Control Category Review Procedures
A. User Account Management
TSRS PCP Mapping
LA-1: General system security settings are appropriate
Name Type
Test Default Accounts & Passwords - Windows 2003 Server Technical
Description
General system security settings are appropriate.

Risk Statement
Security and password configuration are not optimized to prevent unauthorized access.

Unauthorized users are granted access to key resources, including access to sensitive utilities and master files.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
The presence of active default accounts on a system significantly increases the risk of an individual gaining
unauthorized access to the Windows 2003 server environment by using commonly known user IDs and passwords
to authenticate to the system. For this reason, default accounts should be renamed or disabled if not required to
support business approved activities.

It should be noted that some system processes are executed under the privileges of default accounts. In these
instances the default accounts should be renamed or disabled (and not be removed), so as to allow system
processes to be run under their privileges but still preventing the accounts from being used to login to the system.
In instances where default accounts are a necessity to continue business operations, the passwords for the accounts
should be changed.

In the case of a default Windows 2003 server install, two default accounts are created in each domain:
Administrator; and
Guest.

Administrator Account
The default Administrator account on all servers should be renamed and a strong password set on the account.
This account cannot be deleted or locked out. In Windows Server 2003, the Administrator account can be
disabled, but it is automatically re-enabled when you start the computer in Safe Mode. The passprop utility (Refer
to Administrator Account Lockout) should be used to prevent malicious users from brute-forcing the default
administrator account over the network. Usage of this account should be monitored on a daily basis.

Guest Account
The Windows 2003 Server is installed with the Guest account disabled. The default guest account on all servers
should be renamed, disabled and a strong password set on the account.

Note: Most programmatic attacks use the administrator account's well-known Security Identifier (SID) rather than
its name, so renaming Administrator is of limited use. For the best protection against attacks on your built-in
administrator account, create a new administration account and then disable the built-in account.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
A. User Account Management
TSRS PCP Mapping
LA-2: Password settings are appropriate
Name Type
Test Idle Session Time Out - Windows 2003 Server Technical
Description
Password settings are appropriate.

Risk Statement
Security and password configurations are not optimized to prevent unauthorized access.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Session timeout relates to the period of time an idle computer session / system is permitted to remain active
without requiring the user to re-authenticate to the session / system. Typically, it is recommended that a session be
disconnected after 15-30 minutes of inactivity; however, this may vary depending on the sensitivity of the data
held on the system.
Idle session timeout values should be set in line with organizational requirements. Consider the following when
setting session timeouts in Windows 2003:

- Sensitive servers - Idle session (network connection) should be disconnected after 15-30 minutes of inactivity;

- File Servers / Domain Controllers - For these types of servers, automatically disconnecting idle session may not
be a practical control. For example, as active Microsoft Word document sessions will be disconnected from the
file server after, e.g., 60 minutes, changes made an hour ago may not be saved (manually or automatically) and
may result in the loss of data or work.
A more practical alternative is to enable the screensaver configuration on the desktop. The desktop screensaver
should be configured to automatically enable after 5-15 minutes of inactivity. This way the user will be required to
re-authenticate before gaining access to the network while avoiding losing an active application connection, e.g.,
Microsoft Word. In addition, users should be educated to use the Ctrl-Alt-Del option to lock the desktop every
time they leave the workstation; and

- Other Applications - Other applications (e.g., FTP server using Internet Information Server (IIS), Microsoft
Terminal Server) that can potentially provide users remote access to the server should be configured to
automatically disconnect after 15-30 minutes of inactivity.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
A. User Account Management
TSRS PCP Mapping
LA-2: Password settings are appropriate
Name Type
Test Password Policy and Account Lockout - Windows 2003 Technical
Description
Password settings are appropriate.

Risk Statement
Security and password configurations are not optimized to prevent unauthorized access.

Unauthorized access attempts are not detected and resolved by management.

Leading Practice
Password Composition
Implementing strong password composition standards is a key control in safeguarding the confidentiality and
integrity of an organization’s data. The password standards should be defined in the organizations’ Information
Security Policy, communicated to employees and applied consistently across all the IT systems.

For Windows 2003, consideration should be given to enabling the complex password option to include at least 3
of the following settings in user passwords:
- Lower-case characters;
- At least 1 upper-case characters;
- At least 1 numeric character;
- At least 1 special / Meta Character (e.g., !@#$%^&*); and
- Password length of 6-8 characters is enforced.

In addition, password cracking tools should be run against enterprise password files periodically (e.g., quarterly)
to confirm that the passwords used are not easily crackable, as well as to gain an understanding on password
usage. For example, the report could cover:
- Percentage of passwords that are default to “passwd”, “test” or are the same as the user’s login;
- Type of crack used to identify the password (e.g., Dictionary, Hybrid, etc); and
- Password control structures in place across systems, i.e., a password exception list to verify composition.

Password History
Password history should be enforced to prevent users from reusing the same password repeatedly. Password
history should be defined in the organization’s Information Security Policy, communicated to employees and
applied appropriately across all the IT systems.

User passwords should not be reused within a 1 year period. The combination of password aging and the password
history policies will determine if passwords can be reused within 1 year, i.e.,:

Password Aging    Password History
30 days           12
60 days           6
90 days           4

For servers that are providing more sensitive functionality (such as authentication, application and database) and /
or facing the Internet, the password aging policy should be more frequent (30-60 days) and the password history
should be set at 12-24.
To prevent users from repeatedly changing passwords back to the original, users should not be able to change their
passwords for a certain period of time after it has been set.

Password Expiration
Passwords are vulnerable to compromise if they are not changed on a regular basis. The system should be
configured to enforce password expiration. Password expiration should be defined in the organization’s
Information Security Policy, communicated to employees and applied appropriately across all the IT systems.

For Windows 2003, consideration should be given to enabling the password expiration option to allow system-
forced user password changes on a regular basis. The password expiration period should be configured to 30 days
for critical servers and 90-120 days for less sensitive servers. In nearly all circumstances, password expiration
should be enabled.

In general, consideration should be given to the following when defining the password expiration period:
- Privileged User Accounts. User profiles assigned special authorities, e.g., profiles for system administration staff
should be required to change passwords on a more regular basis, e.g., every 30 days, as compromise of these user
profiles poses a greater risk to the organization;
- Organizational Culture. The culture of the organization should be considered prior to implementing strict
password expiration levels, which may impact employee productivity, i.e., if users are not very technology aware
there is a greater risk of passwords being forgotten or mistyped;
- Information Sensitivity. Systems hosting critical / sensitive information, such as financial information, payroll
information, customer information and executive information typically require greater levels of protection. User
passwords on these systems should be configured to change on a more frequent basis, e.g., 30-60 days;
- Server Functionality, e.g., mail server, web server, database server, authentication / RAS server. Systems
providing sensitive functionality such as authentication, application and database servers should be configured to
expire passwords on a more frequent basis, e.g., 30-60 days. Authentication servers store information about
usernames and passwords. Compromise of the authentication servers could potentially compromise all
information on all hosts in an organization’s network. Application servers could be critical to the operation of the
business. Furthermore, some application servers such as the web servers may be exposed to the Internet. Database
servers may store highly sensitive information; and
- Hosting Environment, e.g., Internet facing, internal systems etc. Internet facing systems or servers accessible
from outside the organization typically requires greater protection due to greater exposures to external threats such
as hackers, viruses, Trojans etc.
Systems on an organization’s internal network should be less exposed to external threats and may require less
stringent controls to be in place. The degree of controls applied to internal systems will also be dependent upon its
functionality and sensitivity of the information assets hosted on the server.
An Internet facing server is normally configured to have the password to expire after 30-60 days. Users within an
active directory are normally required to change their password less frequently, e.g., 30-120 days.

In addition, password should also be immediately changed in the following situations:


- Suspected unauthorized usage of the account;
- Suspected intruder and / or virus activities on the system;
- Password has been exposed to a third party, such as vendors;
- Staff movement such as resignation of the administrator; and
- Existing unused accounts are reissued to staff.

Note: If a server is part of a domain, password expiration should be applied using a container (i.e., an application
program) to ensure configuration is consistently applied for all similar type of servers.

Account Lockout
The number of permissible failed login attempts largely determines the level of protection provided by account
lockout. Increasing the number of permissible attempts to login to the system weakens the control. Typically, it is
recommended that account lockout be set to between 3 to 5 attempts, however, this may vary depending on a
number of considerations.

The following key factors should be considered when enabling the Account Lockout option within the Domain
Security Policy in Windows 2003 Server:
- Account lockout should be enabled after a maximum of 3 to 5 failed login attempts;
- Account Lockout period should be set to permanent, requiring the System Administrator or logical access
security staff to unlock the account;
- Locked out users should be positively identified before the account is reactivated;
- The system administrators should be notified (in case of critical systems in real time by using, for example, SMS
or pagers) and an investigation conducted to determine the cause of the account lockout incidents;
- Administrators should ensure that all failed login attempts are logged and a process implemented to periodically
(e.g., every two weeks) review log files for trends that may indicate attempts to perform unauthorized or
inappropriate activities on the system; and
- If intruder activities are suspected, the affected account should be disabled / deleted and a new account created
for the user.

Depending on the server environment, there are other variables that need to be considered when configuring
Account Lockout in Windows 2003 Server. These include:

1. Server Functionality, e.g., mail server, web server, database server, authentication / RAS server.
- Authentication servers store information about usernames and passwords. Compromise of such servers could
potentially compromise information security on all hosts in an organization's network. Windows 2003 servers
used as authentication / RAS servers will typically require more protection as compromise of these servers poses a
greater risk to the organization. Consider enabling account lockout after a maximum 3 failed login attempts for
such servers;
- Application servers such as web servers may be exposed to the Internet. Greater exposure increases the risk of
unauthorized access. Consider enabling account lockout after a maximum of 3 failed login attempts for such
servers; and
- Database servers may store highly sensitive information that requires greater protection. Compromise of such
servers poses a greater risk to the organization. Consider enabling account lockout after a maximum of 3 failed
login attempts for such servers.

2. Hosting Environment, e.g., Internet facing, internal systems etc.
- Internet facing systems or servers accessible from outside the organization typically require stronger levels of
protection due to their increased exposure to external threats such as hackers, viruses, Trojans etc. Systems on an
organization's internal network should be less exposed to such threats and may require less stringent controls to be
in place. The degree of controls applied to internal systems will also be dependent upon the functionality and
sensitivity of the information assets hosted on the server. Consider enabling account lockout to a maximum of 3
failed login attempts for Internet facing systems and up to 5 failed login attempts for appropriate internal systems.

3. Information Sensitivity
- Systems hosting critical / sensitive information, such as financial information, payroll information, customer
information and executive information typically require greater levels of protection. Consideration should be
given to enabling account lockout to a maximum of 3 failed login attempts for such servers.

4. Level of administration / support
- Enabling account lockout on user accounts has the potential to deny access to accounts for extended periods of
time. This may occur for a variety of reasons, such as poor user awareness of policy, low computer skilled
workforce, or a lack of administration / help desk resources. In addition, the system will also be vulnerable to
denial-of-service attacks where intruders intentionally login to user accounts using bad passwords and
consequently lock out user accounts. In such circumstances, there may be a valid business reason to increase the
level of failed login attempts to prevent users being unnecessarily locked out and to meet the requirements of the
business. Such a change should be viewed as an exception to policy, temporary and resulting in a potential
weakening of the information security control environment. In such cases, consider increasing the number of
failed login attempts. Account lockout should not be disabled on the system. Management sign off should be
sought before making changes to the account lockout policy.

5. Other compensating controls in place
- Systems with other compensating controls in place to prevent unauthorized access may allow an organization to
increase the number of failed login attempts. Controls such as strong password controls and regular user account
logging, monitoring and maintenance can be used to reduce the reliance of account lockout as a control. In such
cases, consider increasing the number of failed login attempts to 5. Account lockout should not be disabled on the
system as it can allow a brute force attack (password guessing techniques) to be run against the system.

6. Legal obligation
- Systems which contain information that is subject to legal obligations.

Test Status Complete

Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
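The password composition, history, expiration and account lockout guidance above, together with the idle session and default account guidance from the earlier records, can be checked against a security template exported with secedit. This is an added example for this workplan, not the workplan's or EY's own tooling: the INF excerpt is constructed sample data, the thresholds are taken from the leading practice text, and the "sensitive" server profile is an assumption.

```python
"""Check an exported Windows 2003 security policy (secedit /export /cfg <file>)
against the password, account lockout, idle session and default account
guidance in this workplan.

Added example for this workplan, not the workplan's or EY's own tooling. The
INF text is constructed sample data; thresholds come from the leading practice
text and the "sensitive" server profile is an assumption."""
from typing import Dict, List

# Constructed secedit excerpt. LockoutDuration -1 = locked until an admin unlocks.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 3
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
EnableAdminAccount = 1
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,60
"""

AUTODISCONNECT_KEY = (r"MACHINE\System\CurrentControlSet\Services"
                      r"\LanManServer\Parameters\AutoDisconnect")


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [Section] / key = value layout of a security template."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return sections


def check_policy(inf_text: str, sensitive: bool = False) -> List[str]:
    """One finding per setting outside the workplan guidance; sensitive=True
    applies the stricter thresholds the text gives for authentication,
    application, database and Internet facing servers."""
    cfg = parse_inf(inf_text)
    access = cfg.get("System Access", {})
    registry = cfg.get("Registry Values", {})
    findings: List[str] = []

    def num(key: str) -> int:
        return int(access.get(key, "0"))

    # Expiration: 30 days for critical servers, 90-120 otherwise; 0/-1 = never.
    max_age = num("MaximumPasswordAge")
    if max_age <= 0:
        findings.append("password expiration is disabled")
    elif max_age > (30 if sensitive else 120):
        findings.append(f"MaximumPasswordAge {max_age} days exceeds guidance")
    # History: aging x history should cover a year (the 30/12, 60/6, 90/4 table).
    history = num("PasswordHistorySize")
    if max_age > 0 and max_age * history < 360:
        findings.append(f"PasswordHistorySize {history} allows reuse within one year")
    if num("MinimumPasswordAge") < 1:
        findings.append("MinimumPasswordAge 0 lets users change straight back")
    if num("MinimumPasswordLength") < 6:
        findings.append("MinimumPasswordLength below 6 characters")
    if num("PasswordComplexity") != 1:
        findings.append("PasswordComplexity is not enabled")

    # Lockout: max 3 attempts (sensitive) or 5, never disabled, permanent (-1).
    bad_count = num("LockoutBadCount")
    if bad_count == 0:
        findings.append("account lockout is disabled (password guessing possible)")
    else:
        if bad_count > (3 if sensitive else 5):
            findings.append(f"LockoutBadCount {bad_count} exceeds guidance")
        if num("LockoutDuration") != -1:
            findings.append("LockoutDuration is not permanent")
    # Default accounts: rename Administrator and Guest, keep Guest disabled.
    if access.get("NewAdministratorName", "").lower() == "administrator":
        findings.append("built-in Administrator account not renamed")
    if access.get("NewGuestName", "").lower() == "guest":
        findings.append("built-in Guest account not renamed")
    if access.get("EnableGuestAccount", "0") == "1":
        findings.append("Guest account is enabled")
    # Idle SMB session disconnect, stored as REG_DWORD "4,<minutes>"; 15-30.
    auto = registry.get(AUTODISCONNECT_KEY)
    if auto is not None and not 1 <= int(auto.split(",", 1)[1]) <= 30:
        findings.append(f"AutoDisconnect {auto.split(',')[1]} minutes outside guidance")
    return findings
```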
Control Category Review Procedures
A. User Account Management
TSRS PCP Mapping
LA-2: Password settings are appropriate
Name Type
Test User Capability to Change Passwords After First Login Technical
Description
Password settings are appropriate.

Risk Statement
Security and password configurations are not optimized to prevent unauthorized access.

Leading Practice
The management of default passwords is a key control in safeguarding the confidentiality and integrity of an
organization's data. The prevalence of well-known or widespread default passwords has the potential to
significantly weaken logical access security controls. It is therefore important that users are forced to change their
passwords on initial login to minimize the risk of password compromise.

Users should be required to immediately change the assigned password after the first login in the following
situations:
- Initial password assigned by the administrator or helpdesk personnel for new user account;
- Password that has been reset by network administration staff (e.g., administrator, helpdesk personnel); and
- Suspicion that password integrity for any number of users may have been compromised. All user accounts
should be forced to change password after the next immediate login.

To further minimize the risk of unauthorized access to information assets and network resources through a
compromise of the default password, the administrator should consider:
- Setting an obscure password which is different for every new user, with the new user informed by an alternative
communication method; or
- Not setting the password until the new user is ready to log in. This reduces the amount of time that the new user
account exists with the default password enabled.

Users should select passwords that meet the following requirements:


- Do not include the user ID;
- Do not use any person's name or personal information which may be commonly known (e.g., pets or children's
names);
- Do not contain words which are found in dictionaries;
- Are at least six characters in length; and
- Consist of alpha, numeric, and special characters.

Test Status Complete
Test Result Findings Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
A. User Account Management
TSRS PCP Mapping
LA-3: Access to privileged IT functions is limited to appropriate individuals
Name Type
Test Access to Privileged IT Functions - Windows 2003 Serv Technical
Description
Access to privileged IT functions is limited to appropriate individuals.

Risk Statement
Unauthorized users are granted key privileged rights.

Unauthorized access attempts are not detected and resolved by management.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
The organization’s Information Security Policy should address the requirement to monitor the privileges assigned
to group profiles and the members of each group profile, particularly those group profiles assigned special
authorities. The assignment of special authorities should be limited and only performed where necessary for
business operations. Special authorities are generally intended for use by those responsible for the implementation
and administration of the system.
Windows 2000 by default creates 6 default groups for servers and 9 default groups for domain controllers:
Default groups: Servers
- Administrators;
- Backup Operators;
- Guests;
- Power Users;
- Replicator; and
- Users.
Default groups: Domain Controllers
- Account Operators;
- Administrators;
- Backup Operators;
- Guest;
- Pre-Windows 2000 Compatible Access;
- Print Operators;
- Replicators;
- Server Operators; and
- Users.
Apart from Guest and Users groups, the remaining groups have privileged access. Users of the Administrator
group have complete access / control to the system. Membership to the 4 powerful default groups for server and 7
powerful default groups for domain controllers should be limited.
In addition, powerful groups created by the organization should be identified and periodically reviewed, e.g.,
server admin, workstation admin and database operator. Membership to these privileged groups should also be
limited.

Active Directory
Often, if a server is part of a domain, it is very likely that privileged groups within the Active Directory will also
have access to the system. Membership to these global privileged groups should be limited. Consideration should
be given to using Restricted Groups enforced by Group Policy to limit access to privilege groups. The default
Active Directory groups with privileges are listed below:
- Domain Admins;
- Cert Publishers;
- Domain Computers;
- Domain Controllers;
- Group Policy Creator Owners;
- Enterprise Admins; and
- Schema Admins.

Enterprise Admins Group


By default, only the Administrator account in the forest root domain is a member of this group. Membership to
this group should be restricted to prevent unauthorized modifications to sites and trust relationships. By default,
the Enterprise Admins group is granted full control over all objects in a forest.

Schema Admins Group


By default, only the Administrator account in the forest root domain is a member of this group. Membership to
this group should be restricted to prevent unauthorized modifications to the schema. If the schema is corrupted,
the entire directory will stop functioning.

Periodic Review
Periodic reviews (e.g., quarterly) should be conducted to confirm that memberships in powerful or privileged
groups are appropriate. In addition, powerful group memberships should also be reviewed and updated when there
are staff movements, such as staff resignation or change of job function.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
A. User Account Management
TSRS PCP Mapping
LA-5: User access is authorized and appropriately established
Name Type
Temporary & Contractor Type Accounts - Windows 2003 Ser Technical
Description
Contractor and temporary accounts are configured to expire after a specified period of time.

Risk Statement
Failure to configure temporary and contract accounts to expire after a defined period increases the risk of active
accounts being left on the system after the worker's employment ends. The former worker could use the account to
gain unauthorized access, or an attacker could target the active accounts to compromise the system.

Leading Practice
Associated Control: Vendor accounts must also be reviewed. The work step titled, "Vendor Support Accounts"
provides supplemental information in reviewing controls over temporary and contractor type accounts. Refer to
the Vendor Support Accounts record for more relevant information.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
A. User Account Management
TSRS PCP Mapping
LA-1: General system security settings are appropriate
Name Type
Test Permission to Access the Registry - Windows 2003 Serv Technical
Description
General system security settings are appropriate.

Risk Statement
Unauthorized users are granted key privileged rights.

Leading Practice
Access to the registry should be limited to local and domain administrators unless there is a valid business
requirement to do otherwise. Exceptions should be reviewed and authorized by management. If users require
access to a specific part of the registry (i.e., a hive), the permission granted should be specific to that hive. Reasons for
granting access should be formally documented and approved by management. Further, measures are required to
remove user access on a timely basis once the access is no longer needed.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
B. Access Control Management
TSRS PCP Mapping
LA-1: General system security settings are appropriate
Name Type
Test Trust Relationships - Windows 2003 Server Technical
Description
General system security settings are appropriate.

Risk Statement
Unauthorized access attempts are not detected and resolved by management.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Trust relationships should only be allowed for approved business purposes. Connection to other systems through
trust relationships should be configured appropriately to reduce the risk of individuals being able to compromise
the security of the network by gaining unauthorized or inappropriate access to strongly secured systems from
weakly secured trusted systems.
By default, trust relationships in Windows 2003 are transitive. For example, if Domain A trusts B and B trusts C,
Domain A also trusts C. An approved domain model should be developed, and all transitive trust relationships
should be configured according to the policy. Trust relationships that do not support the approved domain model
should be removed.
In addition, periodic reviews of the domain trust model and of existing trust relationships and connections
to the organization's network should be performed to ensure these connections are appropriate and have been
authorized by management. Connections identified as unsecured should be investigated and, where appropriate,
removed or reconfigured to ensure that only authorized access to the Windows 2003 environment is granted.
Modification to the trust relationship between servers and domains should be formally documented, authorized
and tested prior to use in production.
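The transitivity point above (A trusts B and B trusts C, so A also trusts C) is easy to lose track of once several domains are involved. The following is an added example, not part of the workpaper, that computes each domain's effective trust reach from the direct trusts and reports anything outside an approved model; the domain names and the approved model are constructed for illustration.

```python
"""Added example (not from the EY workpaper): compute effective trust reach.

Each direct trust is recorded as (trusted_domain, transitive). Transitive
trusts (parent/child, tree-root, forest) are followed through further
transitive trusts; a non-transitive trust (an external trust to a single
domain) is honoured for one hop only and is not inherited by other domains.
Only the trusting direction is modelled: a two-way trust is two entries.
"""


def effective_trusts(direct):
    """direct: {domain: [(trusted_domain, transitive), ...]}.
    Returns {domain: set of every domain it ends up trusting}."""
    reach = {}
    for domain, trusts in direct.items():
        seen = set()
        stack = [t for t, transitive in trusts if transitive]
        while stack:
            t = stack.pop()
            if t == domain or t in seen:
                continue
            seen.add(t)
            stack.extend(n for n, transitive in direct.get(t, []) if transitive)
        # Non-transitive trusts: one hop, added after the walk so that a
        # domain also reachable transitively is still expanded.
        seen.update(t for t, transitive in trusts if not transitive)
        seen.discard(domain)
        reach[domain] = seen
    return reach


def unapproved_trusts(direct, approved):
    """Sorted (trusting, trusted) pairs that exist effectively but are not in
    the approved domain model."""
    return sorted(
        (a, b)
        for a, trusted in effective_trusts(direct).items()
        for b in trusted
        if b not in approved.get(a, set())
    )


# Constructed forest: corp.example with child finance, plus a one-way trust
# to a partner forest whose lab domain is weakly secured.
DIRECT_EXTERNAL = {
    "corp.example": [("finance.corp.example", True), ("partner.example", False)],
    "finance.corp.example": [("corp.example", True)],
    "partner.example": [("lab.partner.example", True)],
    "lab.partner.example": [("partner.example", True)],
}

# Same topology, but the partner trust created as a (transitive) forest trust.
DIRECT_FOREST = dict(DIRECT_EXTERNAL)
DIRECT_FOREST["corp.example"] = [("finance.corp.example", True),
                                 ("partner.example", True)]

APPROVED_MODEL = {
    "corp.example": {"finance.corp.example", "partner.example"},
    "finance.corp.example": {"corp.example"},
    "partner.example": {"lab.partner.example"},
    "lab.partner.example": {"partner.example"},
}

if __name__ == "__main__":
    print("external trust:", unapproved_trusts(DIRECT_EXTERNAL, APPROVED_MODEL))
    print("forest trust:  ", unapproved_trusts(DIRECT_FOREST, APPROVED_MODEL))
```

With the external (non-transitive) trust the model holds; with the forest trust, both corp.example and finance.corp.example end up trusting lab.partner.example, which the approved model never authorised.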

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
B. Access Control Management
TSRS PCP Mapping
LA-1: General system security settings are appropriate
Name Type
Test Anonymous Login to FTP - Windows 2003 Server Technical
Description
General system security settings are appropriate.

Risk Statement
Unauthorized users are granted access to key resources, including access to sensitive utilities and master files.

Key financial data/programs are intentionally or unintentionally modified.

Security and password configurations are not optimized to prevent unauthorized access.

Leading Practice
Where the FTP service is approved for business requirements, user ID authentication should be required as a
minimum (i.e., avoid anonymous FTP). If anonymous FTP is unavoidable, logins should be restricted and closely
monitored. The ability of individuals to perform an anonymous login to the Windows 2003 environment through
FTP prevents the organization from being able to track FTP activities to a specific user. As a result, the
organization may not be able to trace unauthorized or inappropriate access and modifications to system files and
data via the FTP service to the original source. Where possible restrict access to FTP services by only allowing
authorized users access to the system.

If anonymous FTP is used, the following should be considered:

- Alternate FTP Port and Separate Interface: the FTP service listens on Port 21 by default. To improve security,
change the FTP port to an unused port (i.e., a port above 1024). In addition, for Internet-facing servers,
the web service (IIS) and the FTP service should be provided on separate network interface cards: the IIS
server listens on the network interface card connected to the Internet and the FTP server listens only on the
network interface card facing the internal network. This allows internal users to access the FTP service and
prevents external users on the Internet from attempting to connect to the FTP server; and
- Different Anonymous Username: by default, anonymous users are mapped to the account IUSR_computername.
This account should be changed, and it should differ from the account under which the web server (IIS) runs.
However, note that the default account should not be changed if:
  - The web server and the FTP server will be accessing the same file system; and
  - The security exposure to the system is low.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
C. Configuration and Supporting Processes
TSRS PCP Mapping
LA-1: General system security settings are appropriate
Name Type
Test Domain Structure - Windows 2003 Server Technical
Description
General system security settings are appropriate.

Risk Statement
Unauthorized users are granted access to key resources, including access to sensitive utilities and master files.

Security and password configurations are not optimized to prevent unauthorized access.

Leading Practice
A Windows domain is a logical group of computers that share a central directory database, known as Active
Directory, which contains the user accounts and security information for the resources in that domain. Each person
who uses computers within a domain receives his or her own account, which can then be assigned access to
resources within the domain.

Application and database servers should not be configured as domain controllers.

Servers that are accessible from the Internet should be a member of a domain (e.g., Web Server, FTP Server,
Exchange Server, etc.).

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
C. Configuration and Supporting Processes
TSRS PCP Mapping
LA-1: General system security settings are appropriate
Name Type
Test Use of NT File System (NTFS) - Windows 2003 Server Technical
Description
General system security settings are appropriate.

Risk Statement
Unauthorized users are granted access to key resources, including access to sensitive utilities and master files.

Security and password configurations are not optimized to prevent unauthorized access.

Leading Practice
Servers not using the NT File System (NTFS) have no logical access control over files. NTFS provides a security
access control list (ACL) on each folder and file, so administrators can control who can read, write and execute a
file on an NTFS volume. It is recommended that NTFS be used on all servers.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
C. Configuration and Supporting Processes
TSRS PCP Mapping
MC-1: Changes are authorized
Name Type
Test Manage Change Process (authorized) - Windows 2003 S Technical
Description
Changes are authorized.

Risk Statement
An unauthorized or unapproved change is promoted to the production environment.

Changes promoted to production are not functioning properly or according to user specifications.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Formal and communicated change control procedures should be in place to ensure system changes are defined,
appropriately managed and authorized by management prior to changes being made in production environments.

A formal change control process for the Windows 2003 Server environment should consider the following:
- Defining the procedures to be followed, the associated documentation to be created and retained, and the
corresponding responsibilities with respect to the end-to-end process of specifying, developing and implementing
changes to the system;
- Implementing formalized procedures for communicating change requests to IT. This should involve
authorization of the change by an appropriate senior authority from within the business and completion of a form,
which facilitates appropriate description of the change and sign-off;
- A steering committee consisting of business and IT representatives should assess and prioritize the authorized
change requests;
- Creating and maintaining a centrally controlled log of change requests to facilitate an audit trail and appropriate
progress tracking. This log may include a brief description of the request, a priority rating, key stakeholders and a
current implementation status;
- Segregating the duties of the development and production support roles and implementing controls that
prevent developers from migrating changes to the production environment;
- Implementing a process whereby sign-off is required by a business user representative following successful User
Acceptance Testing (UAT) and prior to the migration of changes to the production environment; and
- Reviewing audit logs to detect unauthorized changes.

Configuration changes should first be tested in a development or test environment, with test results documented to
provide an audit trail of tests performed. A review of the test results should be performed by a party other than the
person performing the tests, with a signature and date required as evidence of review.
A backup of existing configuration details and data should be performed prior to any changes to the production
environment. This provides the organization with the ability to perform rollback procedures in the event of errors.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
C. Configuration and Supporting Processes
TSRS PCP Mapping
MC-2: Changes are tested
Name Type
Test Manage Change Process (tested) - Windows 2003 Serve Technical
Description
Changes are tested.

Risk Statement
An unauthorized or unapproved change is promoted to the production environment.

Changes promoted to production are not functioning properly or according to user specifications.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Formal and communicated change control procedures should be in place to ensure system changes are defined,
appropriately managed and authorized by management prior to changes being made in production environments.

A formal change control process for the Windows 2003 Server environment should consider the following:
- Defining the procedures to be followed, the associated documentation to be created and retained, and the
corresponding responsibilities with respect to the end-to-end process of specifying, developing and implementing
changes to the system;
- Implementing formalized procedures for communicating change requests to IT. This should involve
authorization of the change by an appropriate senior authority from within the business and completion of a form,
which facilitates appropriate description of the change and sign-off;
- A steering committee consisting of business and IT representatives should assess and prioritize the authorized
change requests;
- Creating and maintaining a centrally controlled log of change requests to facilitate an audit trail and appropriate
progress tracking. This log may include a brief description of the request, a priority rating, key stakeholders and a
current implementation status;
- Segregating the duties of the development and production support roles and implementing controls that
prevent developers from migrating changes to the production environment;
- Implementing a process whereby sign-off is required by a business user representative following successful User
Acceptance Testing (UAT) and prior to the migration of changes to the production environment; and
- Reviewing audit logs to detect unauthorized changes.

Configuration changes should first be tested in a development or test environment, with test results documented to
provide an audit trail of tests performed. A review of the test results should be performed by a party other than the
person performing the tests, with a signature and date required as evidence of review.
A backup of existing configuration details and data should be performed prior to any changes to the production
environment. This provides the organization with the ability to perform rollback procedures in the event of errors.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
C. Configuration and Supporting Processes
TSRS PCP Mapping
MC-3: Changes are approved
Name Type
Test Manage Change Process (approved) - Windows 2003 Se Technical
Description
Changes are approved.

Risk Statement
An unauthorized or unapproved change is promoted to the production environment.

Changes promoted to production are not functioning properly or according to user specifications.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Formal and communicated change control procedures should be in place to ensure system changes are defined,
appropriately managed and authorized by management prior to changes being made in production environments.

A formal change control process for the Windows 2003 Server environment should consider the following:
- Defining the procedures to be followed, the associated documentation to be created and retained, and the
corresponding responsibilities with respect to the end-to-end process of specifying, developing and implementing
changes to the system;
- Implementing formalized procedures for communicating change requests to IT. This should involve
authorization of the change by an appropriate senior authority from within the business and completion of a form,
which facilitates appropriate description of the change and sign-off;
- A steering committee consisting of business and IT representatives should assess and prioritize the authorized
change requests;
- Creating and maintaining a centrally controlled log of change requests to facilitate an audit trail and appropriate
progress tracking. This log may include a brief description of the request, a priority rating, key stakeholders and a
current implementation status;
- Segregating the duties of the development and production support roles and implementing controls that
prevent developers from migrating changes to the production environment;
- Implementing a process whereby sign-off is required by a business user representative following successful User
Acceptance Testing (UAT) and prior to the migration of changes to the production environment; and
- Reviewing audit logs to detect unauthorized changes.

Configuration changes should first be tested in a development or test environment, with test results documented to
provide an audit trail of tests performed. A review of the test results should be performed by a party other than the
person performing the tests, with a signature and date required as evidence of review.
A backup of existing configuration details and data should be performed prior to any changes to the production
environment. This provides the organization with the ability to perform rollback procedures in the event of errors.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
C. Configuration and Supporting Processes
TSRS PCP Mapping
LA-5: User access is authorized and appropriately established
Name Type
Test Monitoring of User Access - Windows 2003 Server Technical
Description
User access is authorized and appropriately established.

Risk Statement
Unauthorized access attempts are not detected and resolved by management.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
User activity should be logged and monitored in order to identify inappropriate or unauthorized activity within the
domain. The following are important considerations when defining security event auditing:
- Quantity of data versus performance. A balance should be achieved between the level of logging detail required
to detect suspicious activity and the impact this may have on available disk space and system performance;
- The number of super users with privileged or unrestricted access to the system;
- The number of generic accounts with access to the system, which will reduce the accountability of specific users;
and
- The criticality of the information / applications that warrant monitoring.

The following event categories should be logged using the audit log facility:
- Audit Account Logon Events – Success and Failure;
- Audit Account Management – Success and Failure;
- Audit Directory Service Access – Failure;
- Audit Logon Events – Success and Failure;
- Audit Object Access – Failure;
- Audit Policy Change – Success and Failure;
- Audit Privilege Use – Failure;
- Audit Process Tracking – None; and
- Audit System Events – Failure.

If a server is part of a domain, auditing should be centrally managed through Group Policy.
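The baseline above can be checked against what a server actually has configured. The following is an added example (not the workpaper's own test procedure) that parses the [Event Audit] section of a `secedit /export /cfg <file>` template and reports every category that audits less than the baseline requires; the sample export is constructed inline, and treating "more auditing than required" as compliant is this example's assumption.

```python
"""Added example (not from the EY workpaper): compare a Windows 2003
security-template export with the audit baseline listed above.

Assumes the policy was exported with `secedit /export /cfg audit.inf`.
In that INF, each [Event Audit] key holds a bitmask: 1 = success,
2 = failure, 3 = both, 0 = none. The file secedit writes is UTF-16LE, so
read it with encoding="utf-16" before passing the text in; the sample
below is an inline string constructed for this example.
"""
import configparser

SUCCESS, FAILURE = 1, 2

# Baseline from the workpaper, mapped to the INF key names secedit uses.
BASELINE = {
    "AuditAccountLogon":    SUCCESS | FAILURE,
    "AuditAccountManage":   SUCCESS | FAILURE,
    "AuditDSAccess":        FAILURE,
    "AuditLogonEvents":     SUCCESS | FAILURE,
    "AuditObjectAccess":    FAILURE,
    "AuditPolicyChange":    SUCCESS | FAILURE,
    "AuditPrivilegeUse":    FAILURE,
    "AuditProcessTracking": 0,
    "AuditSystemEvents":    FAILURE,
}

# Constructed sample export: two categories fall short of the baseline.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_event_audit(inf_text):
    """Return {key: int} for the [Event Audit] section of a secedit INF."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key names exactly as written
    cp.read_string(inf_text)
    if not cp.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in cp.items("Event Audit")}


def describe(mask):
    """Render a bitmask the way the workpaper lists it, e.g. 'Success and Failure'."""
    names = [name for bit, name in ((SUCCESS, "Success"), (FAILURE, "Failure"))
             if mask & bit]
    return " and ".join(names) if names else "None"


def check_audit_policy(inf_text, baseline=BASELINE):
    """Return (key, required, configured) for each category below baseline.

    A category is an exception when a success/failure bit the baseline
    requires is not set. Auditing more than required is treated as
    compliant (assumption of this example). A key missing from the export
    is treated as 'None'.
    """
    configured = parse_event_audit(inf_text)
    exceptions = []
    for key, required in baseline.items():
        actual = configured.get(key, 0)
        if required & ~actual:
            exceptions.append((key, describe(required), describe(actual)))
    return exceptions


if __name__ == "__main__":
    for key, required, actual in check_audit_policy(SAMPLE_INF):
        print(f"{key}: baseline {required}, configured {actual}")
```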

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
C. Configuration and Supporting Processes
TSRS PCP Mapping
LA-6: Physical access to computer hardware is limited to appropriate individuals
Name Type
Test Physical Security - Windows 2003 Server Technical
Description
Physical access to computer hardware is limited to appropriate individuals.

Risk Statement
Unauthorized personnel have access to computer hardware and infrastructure.

Leading Practice
Physical access to a server is a high security risk. Physical access to a server by an intruder could result in
unauthorized data access or modification as well as installation of hardware or software designed to circumvent
security. To maintain a secure environment, you must restrict physical access to all servers and network hardware.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
C. Configuration and Supporting Processes
TSRS PCP Mapping
LA-8: Segregation of incompatible duties exists within the logical access environment
Name Type
Test Logical Access Segregation of Duties - Windows 2003 S Technical
Description
Segregation of incompatible duties exists within the logical access environment.

Risk Statement
Users with conflicting access and responsibilities could compromise the reliability, availability, and integrity of
data.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Control processes should be segregated to reduce the risk of unauthorized access creation. When creating the user
access policy, the following user functions should be segregated:
- the user requesting access,
- the user approving access,
- the user setting up access (this might be a privileged user), and
- the user monitoring access violations and monitoring the use of privileged accounts.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
D. System Logging and Auditing
TSRS PCP Mapping
OP-1: Financial data has been backed-up and is recoverable
Name Type
Test Data Back Up and Recovery Process - Windows 2003 Se Technical
Description
Financial data has been backed-up and is recoverable.

Risk Statement
Financial applications and data are lost due to insufficient or incomplete backups.

Leading Practice
Backup policies and procedures should address the following at a minimum:
- The servers to be backed up;
- Location of mission-critical files;
- The files/folders to be backed up for users;
- Schedule of backups;
- Backup operators and their rights;
- Key backup procedures (if key-based encryption or authentication is used);
- Location of backups;
- Users authorized to restore data; and
- Restoration procedures.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
E. Network and Environment Controls
TSRS PCP Mapping
OP-2: Deviations from scheduled processing are identified and resolved in a timely manner
Name Type
Test Scheduling - Windows 2003 Server Technical
Description
Deviations from scheduled processing are identified and resolved in a timely manner.

Risk Statement
Operational problems and incidents are not identified and resolved resulting in processing errors.

Job scheduling and batch processing are not properly planned and executed affecting key financial processes,
data, interfaces, or reports.

Leading Practice
Unauthorized or inappropriate access to change batch files may affect the accuracy of the financial statements.
Access to change scheduled jobs should be restricted to authorized personnel and planned changes should be
approved by management prior to implementation.
Scheduled jobs should be monitored and any failed scheduled jobs should be reported and resolved in a timely
manner.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
E. Network and Environment Controls
TSRS PCP Mapping
LA-4: Access to system resources and utilities is limited to appropriate individuals
Name Type
Test Access to Data and Data Modification Utilities - Windo Technical
Description
Access to system resources and utilities is limited to appropriate individuals.

Risk Statement
Unauthorized users are granted access to key resources, including access to sensitive utilities and master files.

Users inappropriately have access to applicable logical access layers.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Unauthorized or inappropriate access to sensitive system/program files may affect the accuracy of the financial
statements. It is important to restrict logical access to critical application and database files to authorized
administrator accounts and groups. Other users should not be granted access rights to these files unless approved
by management.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
E. Network and Environment Controls
TSRS PCP Mapping
LA-5: User access is authorized and appropriately established
Name Type
Test New User Setup - Windows 2003 Server Technical
Description
User access is authorized and appropriately established.

Risk Statement
Unauthorized users are granted access to applicable logical access layers.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Account management policies and procedures should be formally documented and communicated to provide
guidance on user account management practices. The policy should document the process for the approval,
creation, update and deletion of administrator, system and user accounts on the system. The procedures should be
documented in the organization's Information Security Policy and communicated to employees.

The account management policy should consider the following:

- Accounts should only be created on an as-needed basis;
- Accounts should be assigned only the privileges required by the user's job function;
- Accounts should be authorized by the appropriate business representative;
- Accounts should be reviewed periodically to identify dormant accounts; and
- Accounts no longer required should be disabled or removed in a timely manner.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
N/A
TSRS PCP Mapping
LA-5: User access is authorized and appropriately established
Name Type
Test User Validation Procedures - Windows 2003 Server Technical
Description
User access is authorized and appropriately established.

Risk Statement
Users retain inappropriate access to applicable logical access layers.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
A common detective control is to perform a periodic review of user access to determine whether access rights are
still appropriate based on job responsibilities.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
N/A
TSRS PCP Mapping
LA-7: Logical access process is monitored
Name Type
Test Logical Access Monitoring - Windows 2003 Server Technical
Description
Logical access process is monitored.

Risk Statement
Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
User access should be reviewed regularly to identify any security breach or inappropriate access. The review
period should be determined by the number of users in the network and the criticality of the application and
data. A weekly review should be performed for non-critical systems, and a daily review is recommended for critical
systems.
Some organizations may use automated tools to notify administrators of any security breaches.
Policies and procedures should be reviewed and updated at least annually.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
N/A
TSRS PCP Mapping
MC-4: Changes are monitored
Name Type
Test Program Change Monitoring - Windows 2003 Server Technical
Description
Changes are monitored.

Risk Statement
An unauthorized or unapproved change is promoted to the production environment.

Changes promoted to production are not functioning properly or according to user specifications.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
[None Specified]

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
N/A
TSRS PCP Mapping
MC-5: Segregation of incompatible duties exists within the manage change environment
Name Type
Test Manage Change Segregation of Duties / Access to Prog Technical
Description
Segregation of incompatible duties exists within the manage change environment.

Risk Statement
An unauthorized or unapproved change is promoted to the production environment.

Inappropriate users have access to migrate changes into the production environment.

Key financial data/programs are intentionally or unintentionally modified.

Leading Practice
Formal and communicated change control procedures should be in place to ensure system changes are defined,
appropriately managed and authorized by management prior to changes being made in production environments.

A formal change control process for the Windows 2003 Server environment should consider the following:
- Defining the procedures to be followed, the associated documentation to be created and retained, and the
corresponding responsibilities with respect to the end-to-end process of specifying, developing and implementing
changes to the system;
- Implementing formalized procedures for communicating change requests to IT. This should involve
authorization of the change by an appropriate senior authority from within the business and completion of a form,
which facilitates appropriate description of the change and sign-off;
- A steering committee consisting of business and IT representatives should assess and prioritize the authorized
change requests;
- Creating and maintaining a centrally controlled log of change requests to facilitate an audit trail and appropriate
progress tracking. This log may include a brief description of the request, a priority rating, key stakeholders and a
current implementation status;
- Segregating the duties of the development and production support roles and implementing controls that
prevent developers from migrating changes to the production environment;
- Implementing a process whereby sign-off is required by a business user representative following successful User
Acceptance Testing (UAT) and prior to the migration of changes to the production environment; and
- Reviewing audit logs to detect unauthorized changes.

Configuration changes should first be tested in a development or test environment, with test results documented to
provide an audit trail of tests performed. A review of the test results should be performed by a party other than the
person performing the tests, with a signature and date required as evidence of review.
A backup of existing configuration details and data should be performed prior to any changes to the production
environment. This provides the organization with the ability to perform rollback procedures in the event of errors.

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
Control Category Review Procedures
N/A
TSRS PCP Mapping
OP-3: IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner
Name Type
Test Problem/Incident Management - Windows 2003 Server Technical
Description
IT operations problems or incidents are identified, resolved, reviewed and analyzed in a timely manner.

Risk Statement
Operational problems and incidents are not identified and resolved resulting in processing errors.

Job scheduling and batch processing are not properly planned and executed affecting key financial processes,
data, interfaces, or reports.

Leading Practice
[None Specified]

Test Status Complete


Test Result No Exceptions Noted
Conclusion EY concludes this control is operating effectively.
Evidence
TSRS PN ABC - Windows 2003 Server Aplicacion Evidence.xls, tab Users, tickmark A
List of requirements for the Client

Request

Additional requirement beyond the execution of the Windows 2003 query.
