Oct 26, 2013

AUDIT PROGRAM

The Logical Organization

(Network Protocols and Layers, Operating Systems & Application Access)


Contributed by “Mick” Neshem, Co-founder of ESSI


NETWORK PROTOCOLS & LAYERS

(rules & ways for computers to “talk”)


AUDIT OBJECTIVE: Determine adequacy of security and controls over protocols and network layers


Network Protocols & Layers (standardized rules for communicating):




Determine Protocol Stack



Single Protocol Stack



Most routers and firewalls use Single Stack



Data can be exchanged at any protocol layer except Physical Layer



TCP/IP is four Layer Stack (Physical, Network, Transport, Application)



Independent Protocol Stacks



Two separate IP Stacks (external network, internal network)



Prevents unwanted communication at given networking layer




Determine Protocol Model



OSI Model (7 Layers)



TCP Model



SNA Model (System Network Architecture model developed by IBM)



MAC Addresses (Media Access Control; works on Layer 2)




Determine Protocols



TCP/IP



IPX/SPX (Novell)



NetBEUI (older Microsoft)



UDP



ICMP



SMTP (email protocol)



ARP



DHCP



WINS



DNS



SNMP (management protocol)




Determine Routing Protocols



ICMP (Internet Control Message Protocol)



GGP (Gateway to Gateway Protocol)



TCP (Transmission Control Protocol)



UDP (User Datagram Protocol)



RIP (Routing Information Protocol)



BGP (Border Gateway Protocol)



OSPF (Open Shortest Path First Protocol)



EGP (Exterior Gateway Protocol)



GRE (General Routing Encapsulation Protocol)




Review Network Layer Security to determine network transmissions are forwarded to authorized destinations properly and securely



Review purpose of Network Layer



Governs switching/routing of information to establish a connection
through the network matrix



Logical addressing as opposed to physical



IP runs on Network Layer



Obtain detailed diagrams of networks including,



Network and node IP addresses



Authorized host names (DNS names)



Determine if legal IP addresses and DNS names are used



Standard, organized naming, IP addressing and subnet scheme used



Duplicate network and host IP addresses exist



Determine if undocumented routes or intermediate nodes exist for each significant network & investigate



Use Traceroute Utility (Tracert in Windows 95) from a network workstation to document network path from workstation to servers



Compare Traceroute results to Router documentation



Investigate undocumented routes, intermediate nodes



Determine accuracy of IP addresses and host names of systems



Use Ping Utility to test accuracy



Identify and investigate any systems not responding



Determine accuracy of network documentation



Obtain log-in account on significant host systems



Log in and execute commands netstat -rn and netstat -r



List out routing table for the node



Reconcile output with network documentation
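
The reconciliation step above can be scripted. The following is an added example, not part of the original audit program; the routing table text and the documented route list are constructed sample data, and Linux-style `netstat -rn` column order is assumed.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (Linux-style columns assumed).
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.20.0.0       192.0.2.254     255.255.0.0     UG        0 0          0 eth0
198.51.100.0    192.0.2.77      255.255.255.0   UG        0 0          0 eth0
"""

# Constructed "network documentation": (destination network, next hop).
DOCUMENTED = {
    ("0.0.0.0/0", "192.0.2.1"),
    ("192.0.2.0/24", "0.0.0.0"),
    ("10.20.0.0/16", "192.0.2.254"),
    ("172.16.5.0/24", "192.0.2.254"),
}


def parse_routes(text):
    """Return a set of (network_cidr, gateway) pairs from netstat -rn text."""
    routes = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            # Destination + Genmask give the network; Gateway is the next hop.
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
            gateway = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # title or column-header line, not a route
        routes.add((str(net), str(gateway)))
    return routes


def reconcile(observed, documented):
    """Split differences into routes to investigate and stale documentation."""
    documented = {(str(ipaddress.ip_network(n)), g) for n, g in documented}
    return {
        "undocumented": sorted(observed - documented),  # on host, not on paper
        "missing": sorted(documented - observed),       # on paper, not on host
    }


if __name__ == "__main__":
    for kind, items in reconcile(parse_routes(NETSTAT_RN), DOCUMENTED).items():
        for net, gateway in items:
            print(f"{kind}: {net} via {gateway}")
```
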




Determine security of Link Layer - TCP/IP



Review purpose of Link Layer



Identify LAN link protocols (Ethernet, Token Ring, etc.)



Identify WAN link protocols (X.25, Frame-relay, T1, etc.)



Determine if link-level encryption is needed and used to ensure protected transmissions across LANs and public WAN links




Determine security of Transport Layer (# 4)



Review purpose of Transport Layer



Assures end to end data integrity and quality of service are adhered to



TCP protocol runs in Transport Layer



Error checking and recovery



Determine application port numbers are assigned and controlled in secure manner



Determine applications use transmission integrity and acknowledgment
controls of Transport Layer



Review TCP connection monitoring procedures



Use netstat -a command while logged into a host system to review active connections to host systems



Review results with system administrator




Determine controls over Domain Name System (DNS)



Review purpose of DNS



Maps names to IP addresses



Name indicates what to look for



Address indicates where it is located



Route indicates how to get there



Simplifies finding names



Determine DNS properly controlled



Who manages



How are names/IP addresses configured




Determine controls over Dynamic Host Configuration Protocol (DHCP) are
adequate



Review purpose of DHCP



Provides dynamic IP configuration for client machines



Servers typically do not use DHCP; servers want a static address



Determine DHCP access is controlled




Determine controls over Simple Network Management Protocol (SNMP) are
adequate



Review purpose of SNMP



Powerful management tool used to monitor, log and update network



Can be used to change network/server configuration



Routers can be changed via SNMP



Default configuration allows public access



Determine if SNMP software is properly employed and controlled



If not used, determine



Why



What tool is used to manage network



SNMP used to monitor network physical connections and traffic loads



Using network configuration diagram, determine if SNMP is managed by
responsible person



Review default passwords for SNMP



Review format of community string passwords used for different LAN devices



Determine if default configuration allowing public access was reset to
more secure values



Determine if special privilege access is required for sending powerful set
command to SNMP agents from manager



Review controls over SNMP routers



Determine if filter policies for SNMP routers require incoming SNMP
packets to be dropped to prevent an external system from changing
configuration of network and host systems on local network using the set
command



Review SNMP access to router ensures SNMP access sets are restricted to select authorized workstations



Router configuration information secured
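
The SNMP checks above (default community strings, write access, restriction to authorized workstations) can be run against a saved router configuration. This is an added example, not part of the original audit program; the configuration text is constructed and Cisco IOS-style `snmp-server community` and `access-list` syntax is assumed.

```python
import re

# Constructed router configuration excerpt (Cisco IOS-style syntax assumed).
CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-7Qx RO 10
snmp-server community cfg-Wr1te-4Zp RW 20
access-list 10 permit 192.0.2.10
access-list 20 permit any
"""

DEFAULT_STRINGS = {"public", "private"}  # well-known default community strings
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$",
    re.IGNORECASE,
)
ACL_RE = re.compile(r"^access-list (\S+) permit (.+)$", re.IGNORECASE)


def review_snmp(config):
    """Return (community, finding) pairs for the checklist's SNMP controls."""
    # First pass: collect the permitted sources of every access list.
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())

    # Second pass: evaluate each community string definition.
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name, acl = m.group(1), m.group(3)
        mode = (m.group(2) or "RO").upper()  # assumption: read-only if omitted
        if name.lower() in DEFAULT_STRINGS:
            findings.append((name, "default community string"))
        if acl is None:
            findings.append(
                (name, f"{mode} access not restricted to authorized workstations"))
        elif acl not in acls:
            findings.append((name, f"references undefined access list {acl}"))
        elif "any" in acls[acl]:
            findings.append((name, f"access list {acl} permits any source"))
    return findings


if __name__ == "__main__":
    for community, finding in review_snmp(CONFIG):
        print(f"{community}: {finding}")
```
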



OPERATING SYSTEMS


AUDIT OBJECTIVE: Evaluate adequacy of controls and security over operating system


Operating Systems:




Evaluate server environment



Identify types of servers



File - data storage



Application - network application access



Database - database application access



Web - HTTP access (internet, intranet, extranet)



Communication - providing remote access to corporate site



Servers appropriate for critical applications



Server configuration secured



Physical and network layers support environment



Servers managed, secured and controlled




Microsoft NT servers



Protocols used



TCP/IP



NWLink (IPX/SPX)



WINS



DHCP



NetBios



NetBEUI



Review security



IP Forwarding been disabled



Nonessential Inbound TCP/IP Ports allowing access to applications been
blocked



NetBios over TCP/IP disabled



Use NTFS volumes



Running only servers needed



Unnecessary services from internet adapter cards eliminated



Permissions set on network appropriate



Administrator group membership defaults renamed and limited



Passwords adequate, controlled



Identify significant systems, etc. to ensure appropriate inclusion in audit



Obtain/prepare logical and physical diagrams of Windows NT network
including



Attached local and wide area networks



Server physical location



Applications and data residing and processing on NT servers and workstations



Document the NT domain



Identify Primary Domain Controller (PDC) and Backup Domain
Controller



Execute command NET VIEW to list all computers in the domain and
network



Document the server and directory locations for significant application programs and data within domain



Document flow of transactions between systems and nodes in the network



Review all trusting and trusted domains using the Server Manager utility



Review Trusted Networks



Trusted and Trusting domains under same physical and administrative
control



Domains logically located within same subnetwork



Router filtering used to prevent external network nodes from spoofing IP
address of Trusted domain or NT server



Review user security to determine if user log-in identification and authentication process are properly configured and users are assigned to NT groups consistent with their job requirements and access needs



Obtain security policies



Identify procedures over NT server environment



Display global log in accounts security parameters using User Manager utility



Remote users forcibly disconnected from system after predetermined
time limit



Accounts locked out



After certain number of bad log on attempts



Reset after certain number of minutes



Passwords



Minimum and maximum password ages in days appropriate



Minimum password length



Unique



Disallowed for future use



Review account properties settings for each user’s individual profile
using User Manager utility



Full name and description (job, department, etc.)



New users required to change password at next log in



User cannot change password, forcing administrator to manage
passwords



Passwords never expire



Account disabled, locked out



Cross reference to user group



Profile indicating home directory, path statement and log in



Time restrictions



Restricted to certain workstations



Evaluate membership in sensitive groups using User Manager



Sensitive groups include Administrators, Domain Administrator,
Account Operators



Document members



Assess appropriateness of each member in groups



Determine significant system and application programs and data resources are protected from unauthorized access and modifications



Review file system directory trees to ensure only NT file systems are
used on servers within domain



With the exception of NT Share security, other file system types (DOS, etc.) cannot be controlled by NT security



Validate security permissions for all system directories and significant
application programs and directories using File Manager directory
tree utility



Assess directory security



Determine owner of NT system directories is only the Administrator account



Determine application program and data directories are owned by restricted user application owner including NT Administrator



Review access permissions assigned to groups and individuals



Full Control (all permissions) and Change permissions (read, write, execute and delete) restricted to authorized users



Change permissions and Take Ownership permissions register
only to Administrative account or group



Assess shared directories



Identify shared directories in the tree using File Manager directory



Assess Share permissions assigned to directories by group/user



Evaluate detective controls



Adequate and properly configured



Reported events being reviewed and followed up



Evaluate audit options for the domain and server using the User Manager utility



Reported conditions being audited



Review log for malicious or suspicious events using Event Viewer utility



Inquire with security administrator about reported conditions



Ensure only necessary services are active



Click service option on Control Panel and review active and dormant services



Identify purpose and necessity



Disable unnecessary services



Determine that each service begins with a user and account and not a
system account



Audit permissions granted to each service account



Determine network and network services are protected against unauthorized use and access



Identify all necessary NetBIOS services offered on each server



Review usage of each



Review configurations of routers connecting NT network to external
networks



TCP/UDP ports are attacked by harmful programs



TCP/UDP ports 137, 138 and 139 should be blocked or altered to restrict
NetBIOS traffic coming into and going out of the network



Identify and assess security of all active, native and third party TCP/IP network services running in NT server



Review security over system and program control parameters in Windows
NT Registry (database of information stored on NT)



Can destroy network by changing Registry



Review NT directory and file permissions over system and program control parameters in the Registry



Review Registry permission for major system and program keys and
subkeys to ensure



Administrator’s local group owns each key



Owner group and system global group have full access permissions



Global group called everyone has restricted special access permissions




Novell Netware Servers



Protocols used



IPX/SPX



TCP/IP



DHCP



SAP (Service Advertising Protocol)



RIP (Routing Information Protocol)



Review security



User accounts limited to one concurrent session



Users limited to specific computers to log in



System console secure



Keyboard passwords are activated on system console



DOS removed from server



Explicit file permissions set for limited information/files



Fileservers run security program at least once every 30 days



Audit Netware



Use general guidelines for auditing servers



Use system provided auditing functions, Auditcon



Use third party tools to document and analyze environment





UNIX



Determine how known security weaknesses are being addressed



Limited controls over access to system files and applications



Chief administrator account or supervisor has access to everything



Access to supervisor allows for changes or destruction of files and
exploitation of applications



Privileged System Calls allows access to essential parts of operating system



Review controls over file tools



Chmod: used to change file access privileges for files and directories



Chown used to change/assign file or directory ownership



Review what is running on the system using ps command



Review controls over powerful Root User which can



Access, modify, delete files



Add, delete users



Start, stop processes



Change file/directory access



Reboot the machine



Review controls over Standard User which can



Create file/directories



View some system files



Run some system utilities



Become Root User



Review security



All processes and applications not needed are removed (FTP, telnet, finger, NFS, sendmail, RPC, NIS, etc.)



Small number of user accounts should be configured on server



Trusted hosts removed or limited to only other Host servers



UUCP disabled



rsh and rexec disabled



Passwords stored in a shadow file



.netrc removed



Email gateways and DNS servers configured on separate computers



Current release being run



Enhance system security by requiring administrator to



Require passwords that expire over time



Constantly check file/directory permissions



Constantly monitor computer



Use chroot for certain users




Auditing server


See general guidelines for Mainframe Servers (follows)
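
Several items in the UNIX security review above (unneeded services removed, rsh and rexec disabled, UUCP disabled, passwords stored in a shadow file) can be checked from copies of two configuration files. This is an added example, not part of the original audit program; the `inetd.conf` and `passwd` excerpts are constructed, and the mapping of rsh and rexec to the inetd service names `shell` and `exec` is the conventional one.

```python
# Constructed /etc/inetd.conf excerpt.
INETD_CONF = """\
# service socket proto wait   user   server                args
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody /usr/sbin/in.fingerd  in.fingerd
shell   stream  tcp  nowait  root   /usr/sbin/in.rshd     in.rshd
exec    stream  tcp  nowait  root   /usr/sbin/in.rexecd   in.rexecd
ntalk   dgram   udp  wait    root   /usr/sbin/in.ntalkd   in.ntalkd
"""

# Constructed /etc/passwd excerpt.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
oper:Ab3dEfGhIjKlM:0:100:Operator:/home/oper:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
"""

# inetd names of services the checklist wants removed or disabled
# (rsh appears in inetd.conf as "shell", rexec as "exec").
UNWANTED = {"ftp", "telnet", "finger", "shell", "exec", "uucp"}
SHADOW_MARKERS = {"x", "*", "!", "!!"}  # field values meaning "not stored here"


def enabled_unwanted_services(inetd_conf):
    """List unwanted services that are still active (not commented out)."""
    found = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service in UNWANTED:
            found.append(service)
    return found


def passwd_findings(passwd):
    """Flag unshadowed or empty passwords and extra root-equivalent accounts."""
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd entry
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password"))
        elif pw not in SHADOW_MARKERS:
            findings.append((user, "password hash not in shadow file"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 (root-equivalent) account"))
    return findings


if __name__ == "__main__":
    print("enabled unwanted services:", enabled_unwanted_services(INETD_CONF))
    for user, finding in passwd_findings(PASSWD):
        print(f"{user}: {finding}")
```
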




Mainframe Servers



Identify significant systems, etc. to ensure appropriate inclusion in audit



Obtain/prepare logical and physical diagrams of network including



Attached local and wide area networks



Server physical location



Applications and data residing and processing on NT servers and
workstations



Document the server and directory locations for significant application programs and data within domain



Document flow of transactions between systems and nodes in the network



Review Trusted Networks



Trusted and Trusting domains under same physical and administrative
control



Logically located within same subnetwork



Router filtering used to prevent external network nodes from spoofing IP
address of server



Review user security to determine if user log-in identification and authentication process are properly configured and users are assigned to groups consistent with their job requirements and access needs



Obtain security policies



Identify procedures over server environment



Display global log in accounts security parameters



Remote users forcibly disconnected from system after predetermined time limit



Accounts locked out



After certain number of bad log on attempts



Reset after certain number of minutes



Passwords



Minimum and maximum password ages in days appropriate



Minimum password length



Unique



Disallowed for future use



Review account properties settings for each user’s individual profile



Full name and description (job, department, etc.)



New users required to change password at next log in



User cannot change password, forcing administrator to manage
passwords



Passwords never expire



Account disabled, locked out



Cross reference to user group



Profile indicating home directory, path statement and log in



Time restrictions



Restricted to certain workstations



Evaluate membership in sensitive groups



Sensitive groups include Administrators, Domain Administrator, Account Operators



Document members



Assess appropriateness of each member in groups



Determine significant system and application programs and data
resources are protected from unauthorized access and modifications



Review file system directory
trees to ensure only appropriate file
systems are used on servers within environment



Validate security permissions for all system directories and significant
application programs and directories using File Manager directory
tree utility



Assess directory security



Determine owner of all system directories is only the Administrator
account



Determine application program and data directories are owned by
restricted user application owner



Review access permissions assigned to groups and individuals



Assess shared directories



Identify shared directories on the server



Assess shared permissions assigned to directories by group/user



Evaluate detective controls



Adequate and properly configured



Reported events being reviewed and followed up



Evaluate audit options for the server



Reported conditions being audited



Review log for malicious or suspicious events



Inquire with security administrator about reported conditions



Ensure only necessary services are active



Determine network and network services are protected against unauthorized use and access



Identify all necessary services offered on each server



Review usage of each



Review configurations of routers connecting network to external networks



TCP/UDP ports are attacked by harmful programs



TCP/UDP ports 137, 138 and 139 should be blocked or altered to restrict traffic coming into and going out of the network



Identify and assess security of all active, native and third party network
services running in server


APPLICATION ACCESS


AUDIT OBJECTIVE: Evaluate security over access to applications


Application Access:




Identify significant and high risk applications and their TCP or UDP port
numbers




Determine services needed to support applications (telnet, ftp, nfs, tftp, etc.)




Evaluate security over critical applications