Practical Steps – Audit of Desktop Hardening

This article was written by Mr. Hemang Doshi and Mr. Moloy Paul. Both have wide experience in the field of audit and risk, more specifically in the audit of third-party risk management. They can be reached at hemangdoshi99@yahoo.co.in / pmoloy08@gmail.com.

Desktop security is not just a matter of protecting a single machine and the data stored on it. If even a single machine is compromised, the entire network is at stake. This makes endpoint security critical. An auditor should perform some basic checks to ensure that each endpoint device is appropriately hardened. This article explains a few of the critical audit steps for verifying endpoint devices.

Audit steps to verify that passwords are not pre-saved in browsers:

By storing passwords in the browser, we make the attacker's job much easier.

Allowing a browser to “remember” passwords can pose a major security risk because:

  • Password recovery tools can easily find these passwords.
  • Browsers generally do not use strong encryption for these passwords.
  • If a device is compromised, these browser-stored passwords make it easy for hackers to access

An IS auditor should discover all browser-stored passwords and have the finding corrected before an attacker can exploit them.

This article covers Google Chrome, Firefox and Internet Explorer (IE).

Google Chrome:

Step 1:

Open the Chrome browser / Go to Settings

Step 2:

Double click on the ‘Passwords’ tab

Step 3:

Any passwords the user has saved will appear here.

Internet Explorer:

Step 1:

Open Internet Explorer (IE) / Go to the Settings tab / Go to Internet Options

Step 2:

Go to the ‘Content’ tab / Under AutoComplete, go to ‘Settings’

Step 3:

Go to ‘Manage Passwords’

Step 4:

Any passwords the user has saved will appear here.

Firefox:

Step 1:

Open Firefox / Go to Settings

Step 2:

Go to Privacy and Settings

Step 3:

Go to ‘Saved Logins’

Step 4:

Any passwords the user has saved will appear here.
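The three manual walkthroughs above can be backed by a scripted check. The PowerShell below is an added example, not part of the article: it reports whether each browser's password saving is turned off by policy and whether a saved-login store is present in the user profile. The policy registry paths and value names are the documented Chrome, Firefox and Internet Explorer settings; the profile file locations assume default installation paths. The script only reports that a store file exists, it never opens it.

```powershell
# Added audit helper, not from the article. Reports whether browser password saving is
# disabled by policy and whether a saved-login store exists in the current user's profile.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = New-Object System.Collections.Generic.List[string]

# --- Google Chrome: PasswordManagerEnabled (DWORD) = 0 turns off "Offer to save passwords"
$chrome = Get-RegValue 'HKLM:\SOFTWARE\Policies\Google\Chrome' 'PasswordManagerEnabled'
if ($chrome -ne 0) { $findings.Add('Chrome: password manager is not disabled by policy') }
# Default profile location (assumption: standard per-user install)
$chromeStore = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Login Data'
if (Test-Path -LiteralPath $chromeStore) {
    $findings.Add("Chrome: saved-login store present ($chromeStore)")
}

# --- Mozilla Firefox: same value name under the Mozilla policy key
$firefox = Get-RegValue 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' 'PasswordManagerEnabled'
if ($firefox -ne 0) { $findings.Add('Firefox: password manager is not disabled by policy') }
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $ffProfiles) {
    Get-ChildItem -LiteralPath $ffProfiles -Directory | ForEach-Object {
        $store = Join-Path $_.FullName 'logins.json'
        if (Test-Path -LiteralPath $store) {
            $findings.Add("Firefox: saved-login store present ($store)")
        }
    }
}

# --- Internet Explorer: "FormSuggest Passwords" = "no" stops AutoComplete from saving
#     passwords. The policy key is consulted first, then the user's own setting.
$ie = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main' 'FormSuggest Passwords'
if ($null -eq $ie) {
    $ie = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'FormSuggest Passwords'
}
if ($ie -ne 'no') { $findings.Add('IE: AutoComplete password saving is not turned off') }

if ($findings.Count -eq 0) {
    'PASS: browser password saving is disabled and no saved-login stores were found'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in the audited user's own session, since the Firefox and Chrome profile paths and the IE user setting are per user. A missing policy value is reported as a finding on purpose: "not configured" leaves the browser's default (saving enabled) in effect.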

Audit steps to verify whether screen saver is enabled:

As a best practice, screen savers should be configured to require a password before the user can resume work. This prevents unauthorized access to an idle system. Generally, the wait time should be below 15 minutes.

The auditor should perform the steps below:

Step 1: Search for ‘screen saver’ in the Windows search box and open ‘Turn screen saver on or off’.

Step 2:
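The same three settings the dialog shows (enabled, password on resume, wait time) live in the registry, so the check can be scripted. The PowerShell below is an added example, not from the article. The value names and key paths are the standard Windows ones; a Group Policy setting under the Policies key overrides the user's own Control Panel choice, so it is consulted first. The 15-minute limit follows the article's guidance.

```powershell
# Added audit helper, not from the article. Reads the effective screen-saver settings.
# Values are stored as strings: "1" means on, and the timeout is in seconds.

$paths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',  # GPO-enforced
    'HKCU:\Control Panel\Desktop'                                         # user-configured
)

function Get-ScreenSaverValue {
    param([string]$Name)
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-ItemProperty -LiteralPath $p -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { return $item.$Name }
        }
    }
    return $null
}

$maxWaitSeconds = 15 * 60    # the article's "below 15 minutes" threshold

$active  = Get-ScreenSaverValue 'ScreenSaveActive'     # "1" when a screen saver is enabled
$secure  = Get-ScreenSaverValue 'ScreenSaverIsSecure'  # "1" when resuming requires the password
$timeout = Get-ScreenSaverValue 'ScreenSaveTimeOut'    # idle seconds before the saver starts

$issues = @()
if ($active -ne '1') { $issues += 'screen saver is not enabled' }
if ($secure -ne '1') { $issues += 'resume does not require a password' }
if (-not $timeout -or [int]$timeout -le 0 -or [int]$timeout -gt $maxWaitSeconds) {
    $issues += "wait time is '$timeout' seconds (limit $maxWaitSeconds)"
}

[pscustomobject]@{
    Active       = $active
    PasswordLock = $secure
    TimeoutSec   = $timeout
    Result       = if ($issues.Count -eq 0) { 'PASS' } else { 'FAIL: ' + ($issues -join '; ') }
}
```

A setting that is simply absent is treated as a failure, because an unset value means the screen saver is off. On a domain-joined machine the Policies key is the one that matters; if it is populated, the user cannot weaken the setting from the dialog.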

Audit steps to verify administrative control over changing the system date and time:

Users should not be allowed to change the system date and time. Inaccurate timestamps make it impossible to correlate log files from different sources, and hence difficult to track events.

Also, mismatched timestamps often cause errors in programs that depend on the system time.

The auditor should perform the steps below:

Step 1: Go to Control Panel / Date and Time

Step 2:
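Whether the "Change date and time" button works for a given user is decided by the "Change the system time" user right (SeSystemtimePrivilege). The PowerShell below is an added example, not from the article: it first checks the current user's own token and then, from an elevated prompt, exports the local security policy with secedit and lists every principal holding the right. By default only Administrators (S-1-5-32-544) and LOCAL SERVICE (S-1-5-19) hold it; the temporary file name is an assumption.

```powershell
# Added audit helper, not from the article. Checks who may change the system clock.

# 1) Quick check from the audited user's own session: a standard user's token
#    should not carry the privilege at all (whoami /priv lists it even when disabled).
$userHoldsIt = [bool]((whoami /priv) -match 'SeSystemtimePrivilege')
"Current user holds SeSystemtimePrivilege: $userHoldsIt"

# 2) Full assignment list (needs an elevated prompt): export the local security policy
#    and read the [Privilege Rights] entry for the right.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'   # temporary file, name is an assumption
secedit /export /cfg $inf /quiet | Out-Null
if (Test-Path -LiteralPath $inf) {
    $line = Get-Content -LiteralPath $inf | Where-Object { $_ -match '^SeSystemtimePrivilege\s*=' }
    $assigned = @()
    if ($line) {
        # entry looks like: SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
        $assigned = ($line -split '=', 2)[1].Trim() -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $allowed = @('S-1-5-32-544', 'S-1-5-19')   # Administrators, LOCAL SERVICE
    $extra = $assigned | Where-Object { $allowed -notcontains $_ }
    Remove-Item -LiteralPath $inf -Force
    if ($extra) {
        "FINDING: SeSystemtimePrivilege also granted to: $($extra -join ', ')"
    } else {
        'PASS: only Administrators and LOCAL SERVICE may change the system time'
    }
} else {
    'secedit export failed: run this check from an elevated prompt'
}
```

Anything in the exported entry beyond the two default SIDs, including a name that secedit could not resolve to a SID, is reported for follow-up.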

Audit steps to verify that guest user account is disabled:

Through the ‘Guest’ account, the system can be accessed anonymously. Disabling the Guest account prevents people from using services that may have inadvertently been left open. The Guest account allows users who do not have an account in your domain to log on to the domain as a guest. This account is disabled by default and should remain disabled.

Step 1: Open Command Prompt (CMD) / Type the command ‘lusrmgr.msc’

Step 2: On running the above command, the following screen will appear:

Step 3:
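The lusrmgr console shows the account by name, which misses a Guest account that has been renamed. The PowerShell below is an added example, not from the article: it finds the built-in Guest account by its well-known relative identifier (RID 501) and reports whether it is enabled, then lists the members of the Guests group. Get-LocalUser and Get-LocalGroupMember ship with Windows 10 and Server 2016 and later.

```powershell
# Added audit helper, not from the article. Locates the built-in Guest account by RID 501
# (so a renamed Guest is still found) and reports whether it is enabled.

function Test-GuestDisabled {
    # Local account SIDs are S-1-5-21-<machine>-<RID>; the built-in Guest is RID 501
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if (-not $guest) {
        return [pscustomobject]@{ Name = '(not found)'; Enabled = $null; Result = 'CHECK MANUALLY' }
    }
    [pscustomobject]@{
        Name    = $guest.Name          # anything other than "Guest" means it was renamed
        Enabled = $guest.Enabled
        Result  = if ($guest.Enabled) { 'FAIL: Guest account is enabled' } else { 'PASS' }
    }
}

Test-GuestDisabled

# The Guests group should contain nothing beyond the built-in Guest account itself
'Members of the Guests group:'
Get-LocalGroupMember -Name 'Guests' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource
```

This covers the local Guest account. The domain Guest account mentioned above is a separate object in Active Directory and is checked on a domain controller, not on the workstation.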

Audit steps to verify deployment of password framework:

Step 1: Note down the company's approved password framework. The password framework should be approved by the competent authority. The following parameters are to be noted:

  • Minimum Password Age
  • Maximum Password Age
  • Minimum Password length
  • Length of Password History Maintained
  • Lockout Threshold
  • Lockout duration (in minutes)

Step 2: Open Command Prompt (CMD) and type the command: net accounts

Step 3: Compare the results of Step 1 and Step 2. Any differences are to be reported for correction.
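The three steps above can be run as one script. The PowerShell below is an added example, not from the article: it parses the output of net accounts into the six parameters listed in Step 1 and compares each with the approved framework. The baseline figures in the script are constructed placeholders and must be replaced with the company's approved values.

```powershell
# Added audit helper, not from the article. Parses 'net accounts' and compares each
# parameter with the approved framework.

# CONSTRUCTED placeholder baseline: replace with the figures noted in Step 1
$baseline = @{
    'Minimum password age (days)'           = 1
    'Maximum password age (days)'           = 90
    'Minimum password length'               = 12
    'Length of password history maintained' = 12
    'Lockout threshold'                     = 5
    'Lockout duration (minutes)'            = 30
}

function Get-NetAccountsPolicy {
    $policy = @{}
    foreach ($line in (net accounts)) {
        # output lines look like "Minimum password length:                       0"
        if ($line -match '^(?<name>[^:]+):\s+(?<value>\S+)\s*$') {
            $v = $Matches['value']
            # "Never", "None" and "Unlimited" mean the control is off; treat as 0
            $policy[$Matches['name'].Trim()] = if ($v -match '^\d+$') { [int]$v } else { 0 }
        }
    }
    return $policy
}

$actual = Get-NetAccountsPolicy
foreach ($name in $baseline.Keys) {
    $expected = $baseline[$name]
    $got = $actual[$name]
    # For maximum password age a larger value (or 0 = unlimited) is weaker;
    # for every other parameter a smaller value is weaker.
    $weaker = if ($name -like 'Maximum*') { ($got -gt $expected) -or ($got -eq 0) }
              else { $got -lt $expected }
    [pscustomobject]@{
        Parameter = $name
        Approved  = $expected
        Actual    = $got
        Status    = if ($weaker) { 'FINDING' } else { 'OK' }
    }
}
```

net accounts without arguments shows the local policy. On a domain-joined workstation the domain policy is the effective one, so repeat the check with net accounts /domain and compare that output as well.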

Audit steps to verify that critical files such as regedit cannot be deleted by the user:

Step 1: Go to C:\Windows\regedit

Step 2: Right-click on regedit and check whether administrative restrictions are in place so that the user cannot delete the file.

Audit steps to verify that critical files such as system32 cannot be deleted by the user:

Step 1: Go to C:\Windows\system32

Step 2: Right-click on system32 and check whether administrative restrictions are in place so that the user cannot delete it.

Audit steps to verify that critical files such as logs cannot be deleted by the user:

Step 1: Go to C:\Windows\logs

Step 2: Right-click on logs and check whether administrative restrictions are in place so that the user cannot delete it.
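The three right-click checks above all come down to the same question: does any ACL entry grant delete rights to a principal that represents ordinary users? The PowerShell below is an added example, not from the article, that answers it for the three paths the article names (regedit is the file regedit.exe under the Windows directory) and also reports the owner, which on a stock system is TrustedInstaller. The list of "broad" principals is an assumption chosen for this check.

```powershell
# Added audit helper, not from the article. For each critical path, lists ACL entries that
# would let non-administrative principals delete it, and reports the owner.

$paths = @("$env:SystemRoot\regedit.exe", "$env:SystemRoot\System32", "$env:SystemRoot\Logs")

# Principals that stand for "any user" rather than an administrative role (assumption)
$broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
                     'NT AUTHORITY\INTERACTIVE')

$DELETE      = [int][System.Security.AccessControl.FileSystemRights]::Delete   # 0x10000
$GENERIC_ALL = 0x10000000   # generic right that also implies delete

function Test-DeletableByUsers {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        ((([int]$_.FileSystemRights) -band $DELETE) -or (([int]$_.FileSystemRights) -band $GENERIC_ALL))
    }
    $who = @($risky | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    [pscustomobject]@{
        Path   = $Path
        Owner  = $acl.Owner      # expected on a stock system: NT SERVICE\TrustedInstaller
        Result = if ($who.Count -gt 0) { 'FINDING: deletable by ' + ($who -join ', ') } else { 'PASS' }
    }
}

$paths | ForEach-Object { Test-DeletableByUsers $_ }
```

Modify and Full Control both contain the Delete bit, so they are caught by the same test. Note that Windows also allows deletion when the parent directory grants "Delete subfolders and files", so a complete review checks the parent of each path with the same function.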

Audit steps to verify synchronization with Network Time Protocol (NTP):

If the system is not synchronized with an NTP server, inaccurate timestamps make it impossible to correlate log files from different sources, and hence difficult to track events.

Also, mismatched timestamps often cause errors in programs that depend on the system time.

The auditor should perform the steps below:

Step 1: Open Command Prompt (CMD) / Type the command ‘net time’

On running the command, the following information is fetched: it shows the server name and the server time, which is synchronized with NTP, and this can be compared with the system time as in the screen below.

In the screen above, we can see a difference of 3 minutes from the server time, which means the system is not synchronized with the server.
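net time shows the server clock only to the second and leaves the comparison to the reader. The PowerShell below is an added example, not from the article: it uses the Windows Time service tool w32tm to report the configured time source, take three offset samples against that source, and flag the machine if the clock is free-running or the measured offset exceeds a tolerance. The 60-second tolerance is an assumption for illustration; the article's example of a 3-minute gap would be flagged by it.

```powershell
# Added audit helper, not from the article. Reports the configured time source and the
# measured offset of the local clock against it.

$maxOffsetSeconds = 60   # assumed tolerance; set to company policy

$source = (w32tm /query /source) -join ''   # e.g. "time.windows.com,0x9" or "Local CMOS Clock"
$status = w32tm /query /status              # includes "Last Successful Sync Time: ..."

$result = [ordered]@{ Source = $source; Status = 'UNKNOWN' }

if ($source -match 'Local CMOS Clock|Free-running') {
    $result.Status = 'FINDING: clock is free-running, not synchronized to any NTP server'
} else {
    $server = ($source -split ',')[0].Trim()
    # Take three samples; each data line ends with the offset, e.g. "12:34:56, +00.0123456s"
    $samples = w32tm /stripchart /computer:$server /samples:3 /dataonly
    $offsets = foreach ($l in $samples) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        $result.Status = 'FINDING: time source did not answer (check UDP 123 / firewall)'
    } else {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
        $result.OffsetSeconds = $worst
        $result.Status = if ($worst -gt $maxOffsetSeconds) { "FINDING: clock off by $worst s" } else { 'PASS' }
    }
}

$result.LastSync = ($status | Where-Object { $_ -match 'Last Successful Sync Time' }) -replace '^.*?:\s*', ''
[pscustomobject]$result
```

A "Local CMOS Clock" source means the machine is not taking time from any server at all, which is a finding regardless of the current offset, since the clock will drift. On a domain member the expected source is a domain controller; a public pool on a domain member is worth noting as a configuration deviation.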