In an ideal world, you would audit against a reference set of controls and information covering every possible configuration setting. However, we don’t live in an ideal world, and most of us don’t have that much time per host. The test steps in this chapter are a recommended list of items to evaluate. From experience, we know that debate abounds regarding auditing Windows. Can a Windows server be secured? What makes your steps better than someone else’s steps? The steps covered here have worked for several companies.
Many auditing programs fail to balance effective audits with effective time management. On the time-management side, notice that we spend a lot of time discussing various ways to script the results. The audit team can also leverage configuration management tools to review scores of servers very quickly, and some audit packages promise the same. The only concerns are ensuring that all of the controls that impact the business are covered and occasionally validating the tools' results with your own independent reviews.