As mentioned before, this study has several limitations. First, no thorough study was performed of the operating system's inherent security design. An unresolved security flaw could undermine the whole value of the parameter check. In addition, the researcher did not inspect every operating system parameter individually or test how each one works. This research relies on the recommendations of the Center for Internet Security.
Secondly, this research focuses only on Windows Server 2008 and inspected its best practice. Therefore this research can say little about other operating systems. The usefulness, cost and time of such an audit can vary depending on the OS's security options and design.
Thirdly, as mentioned in paragraph 5.4, there are many factors that influence the appropriateness and added value to an ITGC audit. These factors are not taken into account in this research and leave room for further research. If all these factors are researched, this might lead to a more concrete framework on when to use an operating system audit.
Furthermore, the role of the accountant and auditor is an ongoing discussion. Especially with the increasing risk of cyber-attacks, there might be a shift in thinking and in the interpretation or adaptation of the financial statement assertions. This can influence the way the auditor has to take cyber security and business continuity into account.
Because systems are not stand-alone and operate within an IT environment, an audit of operating systems as well as the other components in the infrastructure, e.g. the firewall, could potentially increase the value to the ITGCs. Further research could look at the added value of an infrastructure audit to the ITGCs.
References
Albornoz Mulligan, J. (2007). Best Practices: Server Operating System Security.
Answers. (2013). Retrieved from Answers: http://www.answers.com/topic/operating-system
CIS. (2011). Security Configuration Benchmark For Microsoft Windows Server 2008. CIS.
CIS. (2013). Center for Internet Security. Retrieved from http://CISsecurity.org
CISA. (2006). Review Manual.
Comte, L. (2009). IT audit en SOx. Retrieved from http://www.vurore.nl/images/vurore/downloads/718_IT_audit_en_SOx_Le_Comte.pdf
Cornell. (2013). Retrieved from http://www.law.cornell.edu/uscode/text/44/3542
COSO. (2013). Retrieved from http://coso.org/documents/Internal%20Control-Integrated%20Framework.pdf
Dewey. (1938). Experience and Education, The Educational Forum, 1938-8098, Volume 50, Issue 3, 1986, pp. 241-252.
Dictionary. (2013). Dictionary. Retrieved from Reference: http://dictionary.reference.com/browse/operating+system
GFS. (2013). Retrieved from http://www.gfsconsulting.ca/sox/it-general-controls-and-it-application-controls-what-businesses-really-needs-to-know
Information security. (2013). Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Information_security#cite_note-1
International Standards of Auditing. (2009).
ISACA. (2013). Information System Audit and Control Association. Retrieved from https://www.isaca.org/
ITGC. (2013). Retrieved from Wikipedia: http://en.wikipedia.org/wiki/ITGC
Jaeger, T. (2008). Operating System Security. Morgan & Claypool.
Jenkins, B. (1992). An Audit Approach to Computers.
PwC. (2013). PwC Audit Guide.
Sekaran, U. (1992). Research Methods for Business: A Skill Building Approach. New York, John Wiley & Sons.
Shields, P. M. (2006). Intermediate theory: The missing link to successful student scholarship. Journal of Public Affairs Education, Vol. 12, No. 3, pp. 313-334.
SSAE16. (2013). Retrieved from http://www.ssae16.org/glossary/83-control-objectives--example-control-objectives-for-soc-1-ssae-16-reporting--ssae16org.html
Starreveld. (2002). Bestuurlijke Informatieverzorging, Deel I, Algemene Grondslagen.
University of Washington. (2013). Retrieved from http://f2.washington.edu/fm/fa/internal-controls
Wikipedia. (2013). Operating system. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Operating_system
Wikipedia. (2013). Usage share of operating systems. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems
Appendix I: Case research
#IDENTITY:A #IDENTITY:B #IDENTITY:C
CONTROL | Baseline | A | B | C
Accounts
Password History | 24 | PasswordHistorySize = 0 | PasswordHistorySize = 6 | PasswordHistorySize = 0
Maximum Password Age | 60 | MaximumPasswordAge = -1 | MaximumPasswordAge = 60 | MaximumPasswordAge = -1
Minimum Password Age | 1 | MinimumPasswordAge = 0 | MinimumPasswordAge = 1 | MinimumPasswordAge = 0
Minimum Password Length | 8 | MinimumPasswordLength = 4 | MinimumPasswordLength = 6 | MinimumPasswordLength = 0
Password Complexity | 1 | PasswordComplexity = 0 | PasswordComplexity = 0 | PasswordComplexity = 1
Store Passwords using Reversible Encryption | 0 | ClearTextPassword = 0 | ClearTextPassword = 0 | ClearTextPassword = 0
Account Lockout Duration | 15 | null | null | null
Account Lockout Threshold | 15 | LockoutBadCount = 0 | LockoutBadCount = 0 | LockoutBadCount = 0
Reset Account Lockout After | 15 | null | null | null
Microsoft Network Server: Disconnect clients when logon hours expire | 1 | 1 | 1 | 1
Audit Policy
Audit Account Logon Events | 0 | AuditAccountLogon = 1 | AuditAccountLogon = 3 | AuditAccountLogon = 0
Audit Account Management | 0 | AuditAccountManage = 1 | AuditAccountManage = 3 | AuditAccountManage = 0
Audit Directory Service Access | 0 | AuditDSAccess = 1 | AuditDSAccess = 2 | AuditDSAccess = 0
Audit Logon Events | 0 | AuditLogonEvents = 1 | AuditLogonEvents = 3 | AuditLogonEvents = 0
Audit Object Access | 0 | AuditObjectAccess = 0 | AuditObjectAccess = 0 | AuditObjectAccess = 0
Audit Policy Change | 0 | AuditPolicyChange = 1 | AuditPolicyChange = 3 | AuditPolicyChange = 0
Audit Privilege Use | 0 | AuditPrivilegeUse = 0 | AuditPrivilegeUse = 2 | AuditPrivilegeUse = 0
Audit Process Tracking | 0 | AuditProcessTracking = 0 | AuditProcessTracking = 0 | AuditProcessTracking = 0
Audit System Events | 0 | AuditSystemEvents = 1 | AuditSystemEvents = 0 | AuditSystemEvents = 0
Audit: Shut Down system immediately if unable to log security audits | 0 | 0 | 0 | 0
Audit: Force audit policy subcategory settings to override audit policy category settings | 1 | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Detailed Security Auditing
Audit Policy: System: IPsec Driver Success
Audit Policy: System: Security State Change
Audit Policy: System: Security System Extension
Audit Policy: System: System Integrity Success and Success and Failure
Audit Policy: Logon-Logoff: Logoff Success Logoff Success and Failure
Audit Policy: Logon-Logoff: Special Logon
Audit Policy: Object Access: File System
Audit Policy: Object Access: Registry No Auditing
Audit Policy: Privilege Use: Sensitive Privilege Use
Audit Policy: Detailed Tracking: Process Creation
Audit Policy: Policy Change: Audit Policy Change
Audit Policy: Policy Change: Authentication Policy Change | Success | Authentication Policy Change Success | Authentication Policy Change Success and Failure | Authentication Policy Change Success
Audit Policy: Account Management: Computer Account Management
Success Computer Account
Computer Account Management Success
Audit Policy: Account Management: Other Account Management Events
Success Other Account
Other Account Management Events No Auditing
Audit Policy: Account Management: Security Group Management
Success Security Group
Audit Policy: Account Management: User Account Management
Success User Account Management
Audit Policy: DS Access: Directory Service Access | Success | Directory Service Access Success | Directory Service Access Failure | Directory Service Access Success
Audit Policy: DS Access: Directory Service Changes | Success | Directory Service Changes Success | Directory Service Changes Failure | Directory Service Changes No Auditing
Audit Policy: Account Logon:
Application: Maximum Log Size (KB) | 32768 | 20971520 | 16777216 | 20971520
Application: Retain old events | 0 | 0 | 0 | 0
Security: Maximum Log Size (KB) | 81920 | 134217728 | 102367232 | 134217728
Security: Retain old events | 0 | 0 | 0 | 0
System: Maximum Log Size (KB) | 32768 | 20971520 | 16777216 | 20971520
System: Retain old events | 0 | 0 | 0 | 0
Windows Firewall
Windows Firewall: Allow ICMP exceptions (Domain) | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Allow ICMP exceptions (Standard) | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local connection security rules (Domain) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local connection security rules (Private) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local connection security rules (Public) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local firewall rules (Domain) | Not configured | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local firewall rules (Private) | Not configured | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local firewall rules (Public) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Display a notification (Domain) | Not configured | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Display a notification (Private) | Not configured | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Display a notification (Public) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Firewall state (Domain) | On | 0 | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Firewall state (Private) | On | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Firewall state (Public) | On | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Inbound connections (Domain) | Block | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Inbound connections (Private) | Block | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Inbound connections (Public) | Block | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Prohibit notifications (Domain) | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Prohibit notifications (Standard) | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Protect all network connections (Domain) | Enabled | 0 | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Update
Configure Automatic Updates | 3 | 3 | 3 | 3
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box | Disabled | 1 | 1 | NOT FOUND: Registry key not found
Reschedule Automatic Updates scheduled installations | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
User Account Control
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled | 0 | 0 | 0
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for credentials | 0 | 0 | 5
User Account Control: Behavior of the elevation prompt for standard users
Automati
User Account Control: Detect application installations and prompt for elevation | Enabled | 1 | 1 | 1
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | 1 | 1 | 1
User Account Control: Run all administrators in Admin Approval Mode | Enabled | 0 | 0 | 1
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | 0 | 1 | 1
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | 1 | 1 | 1
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | 0 | 0 | 0
User Rights
Access this computer from the network Administrators,
Act as part of the operating system | No one | null | SeTcbPrivilege = patrol | SeTcbPrivilege = Administrator,*S-1-5-32-551
Adjust memory quotas for a process Not Defined
Back up files and directories Not Defined
Bypass traverse checking Not Defined
Change the system time | LOCAL SERVICE, Administrators | null | null | null
Create a pagefile Not Defined
Create Global Objects Not
Create permanent shared objects | No one | null | null | null
Debug Programs | Administrators | SeDebugPrivilege = *S-1-5-32-544 | null | SeDebugPrivilege = *S-1-5-32-544
Deny access to this computer from the network
Guests SeDenyNetworkLogonRight = SUPPORT_388945a0
Enable computer and user accounts to be trusted for delegation
No one SeEnableDelegationPrivilege = *S-1-5-32-544
Force shutdown from a remote system Not Defined
Impersonate a client after authentication Administrators,
Increase scheduling priority Not Defined
Load and unload device drivers Administrators
Manage auditing and security log Not Defined
Modify firmware environment values Not Defined
Perform volume maintenance tasks Not Defined
Profile single process Administrators
Profile system performance Administrators
Remove computer from docking station Administ
Replace a process level token LOCAL SERVIC
Shut down the system Administrators
Add workstations to domain Administrators
Allow log on locally Administrators
Allow logon through terminal services Administrators
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteracti
Deny logon locally | Guests | SeDenyInteractiveLogonRight = SUPPORT_388945a0 | SeDenyInteractiveLogonRight = SUPPORT_388945a0 | SeDenyInteractiveLogonRight = SophosSAUQUINTIQSER0,*S-1-5-21-1702575486-368451825-1349916565-2344,*S-1-5-21-1702575486-368451825-1349916565-2347,*S-1-5-21-1702575486-368451825-1349916565-2367,*S-1-5-21-1702575486-368451825-1349916565-2631,SUPPORT_388945a0,*S-1-5-21-1702575486-368451825-1349916565-3439,*S-1-5-21-1702575486-368451825-1349916565-3816,QBDataServiceUser17,*S-1-5-21-1702575486-368451825-1349916565-4377
Deny logon through Terminal Service (minimum) | Guests | null | null | null
Generate security audits | Not Defined | SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 | SeAuditPrivilege = *S-1-5-19,*S-1-5-20 | SeAuditPrivilege = *S-1-5-19,*S-1-5-20
Log on as a batch job No one SeBatchLogonRight =
Restore files and directories Administrators,
Take ownership of file or other objects Administrators
Synchronize directory service data | No one | null | null | null
Security Options
Network Security: Minimum session security for NTLM SSP based (incl. secure RPC) servers | Require | 536870912 | 0 | 536870912
Accounts: Rename Administrator Account
<> admin NewAdministratorName = "Administrator"
Accounts: Rename Guest Account | <> guest | NewGuestName = "Guest" | NewGuestName = "Guest" | NewGuestName = "Guest"
Accounts: Guest Account Status | Disabled | EnableGuestAccount = 0 | EnableGuestAccount = 0 | EnableGuestAccount = 0
Accounts: Limit local account use of blank passwords to console logon only | Enabled | 1 | 1 | 1
Devices: Allowed to format and eject removable media | Administrators | NOT FOUND: Registry key not found | 0 | NOT FOUND: Registry key not found
Devices: Prevent users from installing printer drivers | Enabled | 1 | 1 | 1
Devices: Restrict CD-ROM Access to Locally Logged-On User Only | Not Defined | NOT FOUND: Registry key not found | 1 | NOT FOUND: Registry key not found
Devices: Restrict Floppy Access to Locally Logged-On User Only | Not Defined | NOT FOUND: Registry key not found | 1 | NOT FOUND: Registry key not found
Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always) | Enabled | 1 | 0 | 1
Domain Member: Digitally Encrypt Secure Channel Data (When Possible) | Enabled | 1 | 1 | 1
Domain Member: Digitally Sign Secure Channel Data (When Possible) | Enabled | 1 | 1 | 1
Domain Member: Disable Machine Account Password Changes | Disabled | 0 | 0 | 0
Domain Member: Maximum Machine Account Password Age | 30 | 30 | 30 | 30
Domain Member: Require Strong Session Key | Enabled | 1 | 0 | 1
Domain Controller: Allow Server Operators to Schedule Tasks | Disabled | NOT FOUND: Registry key not found | 0 | NOT FOUND: Registry key not found
Domain Controller: LDAP Server Signing Requirements | Not Defined | 1 | 1 | 1
Domain Controller: Refuse machine account password changes | Disabled | 0 | 0 | 0
Interactive Logon: Do Not Display Last User Name | Enabled | 0 | 1 | 0
Interactive Logon: Do not require CTRL+ALT+DEL | Disabled | 0 | 15 | 15
Interactive Logon: Number of Previous Logons to Cache | 0 | 10 | 10 | 10
Interactive Logon: Prompt User to Change Password Before Expiration | 14 | 5 | 14 | 5
Interactive Logon: Require Domain Controller authentication to unlock workstation | Enabled | 0 | 1 | 0
Interactive Logon: Smart Card Removal Behavior | Lock Workstation | 0 | 2 | 0
Interactive Logon: Message Text for Users Attempting to Log On
- U gebruikt de automatiseringsfaciliteiten van Comany B In het kader van de beveiliging en het voorkomen van misbruik gelden voor de gebruikers en systeembeheerders van Company B een aantal bepalingen die in een protocol beschreven zijn. Van u wordt verwacht dit protocol te kennen en daar ook naar te
Interactive Logon: Message Title for Users Attempting to Log On
- ICT Protocol Company B
Interactive logon: Require smart card | Not Defined | 0 | 0 | 0
Microsoft Network Client: Digitally sign communications (always) | Enabled | 0 | 0 | 0
Microsoft Network Client: Digitally sign communications (if server agrees) | Enabled | 1 | 1 | 1
Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server | Disabled | 0 | 0 | 0
Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session | 15 minutes | 15 | 15 | 15
Microsoft Network Server: Digitally sign communications (always) | Enabled | 0 | 0 | 0
Microsoft Network Server: Disconnect clients when logon hours expire | Enabled | 1 | 1 | 1
Network Access: Do not allow Anonymous Enumeration of SAM Accounts | Enabled | 1 | 1 | 1
Network Access: Do not allow storage of credentials or .NET passports | Enabled | 0 | 0 | 0
Network Access: Let Everyone permissions apply to anonymous users | Disabled | 0 | 1 | 0
Network Access: Named pipes that can be accessed anonymously
Not Defined
browserHydraLsPipeTermServLicensing
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | 1 | 1 | 1
Network Access: Shares that can be accessed anonymously | None | NOT FOUND: Registry key not found | COMCFGDFS$ | NOT FOUND: Registry key not found
Network Security: Do not store LAN Manager password hash value on next password change | Enabled | 1 | 0 | 1
Network Security: LAN Manager Authentication Level
Network Security: LDAP client signing requirements | Negotiate signing | 1 | 1 | 1
Network Security: Minimum session security for NTLM SSP based (incl. secure RPC) clients | Require | 536870912 | 0 | 536870912
Recovery Console: Allow Automatic Administrative Logon | Disabled | 0 | 0 | 0
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders | Not defined | 0 | 1 | 0
Shutdown: Clear Virtual Memory Pagefile | Disabled | 0 | 0 | 0
Shutdown: Allow System to be Shut Down Without Having to Log On | Disabled | 0 | 0 | 0
System objects: Require case insensitivity for non-Windows subsystems | Enabled | 1 | 1 | 1
System objects: Strengthen default permissions of internal system objects | Enabled | 1 | 1 | 1
System cryptography: Force strong key protection for user keys stored on the computer |  | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
System settings: Optional subsystems | None | Posix | Posix | Posix
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not Defined | 0 | 0 | 0
MSS: (DisableIPSourceRouting) IP source routing protection level | Highes | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | 1 | 1 | 1
MSS: How often keep-alive packets are sent in milliseconds | Not Defined | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
MSS: Enable the computer to stop generating 8.3 style filenames | Enabled | 2 | 0 | 2
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
MSS: Enable Safe DLL search mode | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
MSS: The time in seconds before the screen saver grace period expires | 0 | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted | 3 | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
MSS: Percentage threshold for the security event log at which the system will generate a warning | 90% or less | NOT FOUND: Registry key not found | 0 | NOT FOUND: Registry key not found
Terminal Services
Always prompt client for password upon connection | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Set client connection encryption level | Enabled: High level | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Do not allow drive redirection | Not Defined | NOT FOUND: Registry key not found | 1 | NOT FOUND: Registry key not found
Do not allow passwords to be saved | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Internet Communication
Turn off downloading of print drivers over HTTP | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Turn off the -Publish to Web- task for files and folders | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Turn off Internet download for Web publishing and online ordering wizards | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Turn off printing over HTTP | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Turn off Search Companion content file updates | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Turn off the Windows Messenger Customer Experience Improvement