Network Audits

marley1

Client of ours needs to have some network audits performed.

Need logs showing:
1) Who has logged into the system - Hopefully username and PC name
2) When they logged in
3) When they logged off
4) What files those users accessed

I know auditing can be enabled on the server but need something easier to handle.

Let me know.
 
I think on most Windows servers, login and logoff are by default audited and logged in the Windows event logs console (Event Viewer) or in Server Manager / Performance / Reports.

For file auditing you will need to follow this tutorial.

http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

You can even automate reports with the Server Manager console, in the Server Manager / Performance / Reports.
 
I think on most Windows servers, login and logoff are by default audited and logged in the Windows event logs console (Event Viewer) or in Server Manager / Performance / Reports.

For file auditing you will need to follow this tutorial.

http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

You can even automate reports with the Server Manager console, in the Server Manager / Performance / Reports.

You have to turn on audits under the local machine policy to be able to audit the real user account.
 
Sample audit questionnaire... my past year:

Routers
1. Who owns and manages your routers?
2. Please add to the network component listing the router's operating system version number.
3. For routers providing connectivity to third-party locations, please provide documentation for all tunnels or ACLs configured in each router.
4. If third-party connections exist, please provide or describe your procedures for reviewing the access-control lists or tunnels with customers. Also, indicate the frequency of these reviews.
5. Please provide or describe your policies and procedures for router access authentication. In other words, what is the process for determining who can access or change the router configuration?
6. Please provide a list of people who know the built-in passwords. Please provide or describe your procedures to change the router's administrator password when someone who knows the passwords leaves the group.
7. Is each router covered by a maintenance agreement? If yes, please describe who is providing the maintenance and the outage response times (either on-site arrival time or replacing broken hardware).
8. Does the maintenance agreement cover software upgrades? If yes, how is the new software obtained?
9. How do you learn of new releases, service packs or hot-fixes?

will share my work experience about how to answer them:)
 
We go through a yearly SAS70 / SSAE16 audit and we run monthly event log security audit exports from all of our servers using a VBScript.

Then we dump it to a raw text file and review it for any exceptions. We have a smaller environment with about 15 servers total.

For the past 5 years, that has satisfied the auditors.
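
One way to pull the four items asked for at the top of the thread (who logged on and from which PC, when, when they logged off, and which files they touched) out of the Security log as a CSV. This is an added example, not a script posted by anyone in the thread; it assumes PowerShell 3.0 or later, an elevated session, the Windows Server 2008 and later event IDs 4624, 4634, 4647 and 4663, and file auditing already enabled as in the linked tutorial. The parameter names and output path are illustrative.

```powershell
# Added example. Run elevated on (or against) the audited server.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-30),
    [string]$OutFile = '.\audit-report.csv'    # illustrative output path
)

# Security event IDs on Windows Server 2008 and later
$names = @{
    4624 = 'Logon'
    4634 = 'Logoff'
    4647 = 'Logoff (user initiated)'
    4663 = 'File access'    # logged only where object-access auditing and a SACL are set
}
$filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647, 4663; StartTime = $Since }

$report = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
    ForEach-Object {
        $evt = $_
        # Index the event's <Data Name="..."> elements by name
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # 4663 names the acting account in Subject* fields; logon/logoff use Target*
        $p = if ($evt.Id -eq 4663) { 'Subject' } else { 'Target' }
        $account = $data["${p}UserName"]
        if ($account -like '*$') { return }    # skip computer accounts

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Event     = $names[$evt.Id]
            User      = '{0}\{1}' -f $data["${p}DomainName"], $account
            # LogonId ties a logon to its logoff and to file access in that session
            LogonId   = $data["${p}LogonId"]
            LogonType = $data['LogonType']          # 2 = console, 3 = network, 10 = RDP
            SourcePC  = $data['WorkstationName']    # populated on 4624 only
            SourceIP  = $data['IpAddress']          # populated on 4624 only
            File      = $data['ObjectName']         # populated on 4663 only
        }
    }

$report | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation
```

Filtering or grouping the CSV on LogonId gives one session per user: the logon row, the files accessed, and the matching logoff.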
 
(+) Are there any connections to a third party or to an Internet Service Provider (ISP) connected to your network? If yes, approximately how many connections exist? If you or your team does not manage these connections, who does?
o No, there is no connection to 3rd Party or Internet Service Provider

(+) If a tool to help maintain IP compliance is used, how often are the reports reviewed and actions taken to resolve issues for each system type?
o Semi-annually

(+) Please detail any significant changes to your IT environment anticipated within the next 6-9 months (i.e. this may include adding new personnel, new systems or applications or decommissioning existing systems).

Completion
o Nortel Contact Center system installed on dedicated application server and interfaced to Nortel PBX for view call information log online and report printing since 2008.
o Replaced Oracle 9i with SQL 2005 with application migrated to new version since early 2009
o Upgraded 3 SQL2000 servers to SQL2005 with minor change to application in 2009.
o Decommission 1 SQL server 2005 in Q2 2010.
o GIL3 deployment location THHQ, THBT completed 2010 Q1, Q2
o Return office 26th floor, relocated users to CEC (30), ST 25th, and 27th fl (49)
o Closed 2 sites
o Decommission RemoteWare server and firewall


get positive feedback from the auditor
 