Jun 11, 2010

IT Audit Automation: Windows Baseline Audits

IT Audit Automation: Windows Baseline Audits:
"Managing the security of your Windows workstations is a fairly simple task when you leverage technologies like Group Policy. Even so, individual systems within the domain can change for a wide variety of reasons. It could be that we have users who are starting and stopping services, it may be that malware is finding its way in, or it may be any of a variety of other possibilities. How can we monitor how our workstations are changing?

I’ve long been a strong proponent of compliance automation. To this end, I’ve included a script at the end of this post that can be used as a starting point for pulling out any WMIC based information from Windows computers within your domain. In fact, the script will first pull a complete list of all of the domain computers and then work its way through that list, either creating a baseline or comparing each system to the pre-existing baseline for that system.

With a minimum of effort you can easily extend this script to send notifications to the domain administrators when changes are detected or new systems are identified. This is the perfect starting point not only for compliance management but even for early malware detection.

In a future article, look forward to some tools and scripts that will allow you to perform zero day malware detection in your environment using the same scripting concepts explored here.

Download the script here: Windows_Baselines

For a comprehensive course on how to identify critical controls, validate that the correct controls are in place and validate processes, consider the SANS 6-day course, “Advanced System & Network Auditing”. David Hoelzer is the SANS IT Audit Curriculum Lead and the author of several SANS IT Audit related courses."
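As an added example (not the Windows_Baselines script the post links, which is not reproduced here), a PowerShell version of the loop the post describes: enumerate the domain's computers, snapshot one WMI class (Win32_Service) per host, write a baseline on first sight and otherwise report drift against it. It assumes a domain-joined host with WMI access to the targets and a writable baseline folder; the function names and file layout are my own.

```powershell
# Added example, not the original post's script. Assumes a domain-joined host,
# rights to query WMI on the targets, and a writable $BaselineDir.
param(
    [string]$BaselineDir = '.\baselines'
)

# Enumerate domain computers via ADSI (no RSAT module required).
function Get-DomainComputers {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(objectCategory=computer)'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add('dNSHostName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] } | Where-Object { $_ }
}

# The WMI view to baseline: one line per service, sorted so a diff is stable.
# Get-WmiObject is Windows PowerShell 5.1; on PowerShell 7 use Get-CimInstance.
function Get-ServiceSnapshot([string]$Computer) {
    Get-WmiObject -Class Win32_Service -ComputerName $Computer -ErrorAction Stop |
        Sort-Object Name |
        ForEach-Object { '{0}|{1}|{2}|{3}' -f $_.Name, $_.StartMode, $_.State, $_.PathName }
}

# First sight: store the snapshot as the baseline. Otherwise: emit drift lines.
# An entry on the '=>' side is present now but not in the baseline (new or
# changed service); '<=' is in the baseline but gone or changed now.
function Compare-ToBaseline([string]$Computer, [string[]]$Snapshot) {
    $file = Join-Path $BaselineDir "$Computer.txt"
    if (-not (Test-Path $file)) {
        $Snapshot | Set-Content -Path $file
        return "NEW SYSTEM: baseline created for $Computer"
    }
    $baseline = Get-Content -Path $file
    Compare-Object -ReferenceObject $baseline -DifferenceObject $Snapshot |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED/CHANGED' } else { 'REMOVED/CHANGED' }
            '{0}: {1} {2}' -f $Computer, $tag, $_.InputObject
        }
}

New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
foreach ($c in Get-DomainComputers) {
    try {
        $drift = Compare-ToBaseline -Computer $c -Snapshot (Get-ServiceSnapshot $c)
        # Unchanged hosts produce nothing; new systems and drift land in drift.log.
        if ($drift) { $drift | Tee-Object -FilePath (Join-Path $BaselineDir 'drift.log') -Append }
    } catch {
        Write-Warning "$c unreachable or access denied: $($_.Exception.Message)"
    }
}
```

Swapping Win32_Service for another class (Win32_StartupCommand, Win32_Product, Win32_UserAccount) and adjusting the format string in Get-ServiceSnapshot is all that is needed to baseline a different view, and the drift.log lines are the natural input for the notification step the post mentions.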