Thesis:
The added value of an operating system audit to an IT
General Controls audit
S.A.H. Cobelens MSc.
2174332
September 6, 2013
Vrije Universiteit Amsterdam
The added value of an operating system audit to an IT General Controls audit 2
Abstract
The threat of information leakage, financial misstatements or fraud from financial IT
solutions is imminent. Accountancy firms have to rely on information coming from these
systems and deal with a world where new cyber-attacks are daily news. Accountancy firms
continuously develop their audit approach to mitigate (new) risks in a more effective and
efficient way. Auditors are often unsure of whether to include a thorough operating system
parameter check in their IT General Controls audit approach. This thesis explores the added
value of an operating system parameter check to an ITGC audit. This is done by inspecting a best
practice, testing it at three companies and creating a risk analysis per parameter category.
Acknowledgements
I would like to thank my thesis supervisor Rene Matthijsse for helping and guiding me
through the whole thesis process. Besides that, I would like to thank my colleagues for their
input and thoughts on the subject. Last but not least I thank my family and friends for their
support.
Table of contents
Acknowledgements 3
1. Introduction 7
1.1 Introduction 7
1.2 Research question 8
1.3 Contribution 8
1.3.1 Academic Relevance: 8
1.3.2 Managerial Relevance: 8
1.4 Research design: 9
1.5 Thesis structure 9
2. Theoretical Background 10
2.1 A brief history of IT audits 10
2.2 IT General Controls 11
2.3 ITGC in the financial statement audit 12
2.4 The structure of IT General Controls 14
2.5 Auditing of the ITGCs 16
2.6 Information security 17
3. Hypotheses 24
3.1 Conceptual Framework 24
3.2 Hypotheses 25
3.3 Control Variables 26
4. Case study methodology 27
4.1 Research Methods 27
4.1.1 Observation 27
4.1.2 Preliminary information gathering 27
4.1.3 Theory formulation 28
4.1.4 Hypothesizing 28
4.1.5 Further scientific data collection 28
4.1.6 Data analysis and conclusion 29
4.2 Sample selection 29
5. Case study findings 30
5.1 Company profile 30
5.1.1 Company A 30
5.1.2 Company B 30
5.1.3 Company C 30
5.2 Outcome 30
5.3 Analysis of results 32
5.3.1 Accounts 32
5.3.2 Audit policy 32
5.3.3 Detailed Security Auditing 33
5.3.4 Event log 33
5.3.5 Windows Firewall 34
5.3.6 Windows Update 34
5.3.7 User Account Control 35
5.3.8 User Rights 35
5.3.9 Security options 36
5.3.10 Terminal services 36
5.3.11 Internet Communication 37
5.3.12 Additional security settings 37
5.4 Other factors 38
5.4.1 Costs of the operating system parameter check 38
5.4.2 Type of operating system(s) in use 38
5.4.3 No extra comfort 38
5.4.4 Politics and time 39
6. Validation of hypotheses 40
6.4.1 WH1: An operating system parameter audit will only give comfort over the operating system layer 40
6.4.2 WH2: Operating system comfort is essential for reliance on application controls 40
7. Conclusions 41
8. Limitations and further research 43
References 44
Appendix I: Detailed results 45
List of tables and figures
Figure 1 13
Figure 2 15
Figure 3 21
1. Introduction
1.1 Introduction
Companies use a variety of software solutions for their financial administration. These
financial software solutions (e.g. SAP, Oracle, PeopleSoft and Navision) have been implemented
in thousands of companies worldwide. Software solutions often have a client-server architecture,
which means they can be reached within a network and are therefore likely to be a target for
people with the wrong intentions (Albornoz Mulligan, 2007). The machines that run these
financial software solutions need to be hardened in order to respond to the increasing number of
risks from the connected world. There are best practices available for the setup of the system
environments and there are tools to check them.
The threat of information leakage, financial misstatements or fraud from financial IT
solutions is imminent and it is a complex matter where there is no single control that mitigates all
the risks. For example, users with broad privileges in a financial system can bypass controls like
the 4-eyes principle to make unauthorized adjustments, database administrators can edit tables
and change user information, and system administrators can get access to the database and the
software. This shows that multiple levels of computer system security need to be taken into
account for a company in order to be able to trust its businesses processes to such financial
software. Its accountants need to obtain comfort about the completeness, accuracy and validity of
the data coming from the system in order to do their work.
Accountancy firms, who sign off the financial statements, rely heavily on data coming
from these systems and therefore need to be sure of the completeness, accuracy and validity of
the data they generate. In order to gain this comfort an IT General Control (ITGC) audit is
performed as part of the financial statement audit. This is an audit of all controls that apply to
relevant system components, processes, and data of the IT environment (ISACA, 2013).
Accountancy firms continuously develop their audit approach to mitigate (new) risks in a
more effective and efficient way. Auditors are often unsure of whether to include a thorough
operating system parameter check in their ITGC audit approach. This thesis explores the added
value of an operating system parameter check to an IT General Controls audit.
1.2 Research question
A company uses an operating system baseline security scan as part of their ITGC audit.
This security scan checks the system settings of the operating systems against a best practice
published by the Center for Internet Security (CIS). The outcome of the scan is an overview of
the many system settings and their compliance against the best practice. Audit teams are often
not aware what the added value of such a baseline scan is for their ITGC audit and when they
can or should use it. What comfort does this security baseline scan give the IT auditor regarding
the ITGCs and when should an auditor consider performing such a scan?
The main research question is: how does a baseline security scan on operating system
parameters add value to an ITGC audit?
In order to answer the research question, several sub-questions have to be answered:
What is the place of operating system parameters in the IT General Control environment?
What kind of comfort and assurance can result from an operating system parameter
baseline scan for the ITGC audit?
Under which conditions should an ITGC auditor consider using an operating system
parameter baseline scan?
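As an added example (not part of the thesis), a minimal baseline scan of the kind described above: constructed OS settings are compared with a constructed best-practice baseline and the outcome is summarised per parameter category, which is the form of overview an audit team receives. The parameter names, expected values and sample settings are illustrative assumptions, not CIS benchmark values.

```python
"""Added example, not part of the thesis: a minimal operating system
parameter baseline scan of the kind section 1.2 describes. Collected OS
settings are compared with a best-practice baseline and the outcome is an
overview of compliance per parameter category (categories the thesis
analyses later: accounts, audit policy, Windows Firewall, Windows Update,
User Account Control). Parameter names, expected values and the collected
settings are constructed for illustration; they are not CIS benchmark values."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class BaselineRule:
    category: str                    # parameter category in the report
    parameter: str                   # setting name (constructed, not a real policy key)
    check: Callable[[Any], bool]     # predicate: True when the value is compliant
    expected: str                    # human-readable expectation for the report


# Constructed baseline. The thresholds are illustrative assumptions,
# not a transcription of the CIS benchmark.
BASELINE: List[BaselineRule] = [
    BaselineRule("Accounts", "MinimumPasswordLength", lambda v: v >= 14, ">= 14"),
    BaselineRule("Accounts", "LockoutThreshold", lambda v: 0 < v <= 10, "1 to 10"),
    BaselineRule("Accounts", "GuestAccountEnabled", lambda v: v is False, "disabled"),
    BaselineRule("Audit policy", "AuditLogonEvents",
                 lambda v: v == "Success and Failure", "Success and Failure"),
    BaselineRule("Audit policy", "AuditAccountManagement",
                 lambda v: v == "Success and Failure", "Success and Failure"),
    BaselineRule("Windows Firewall", "DomainProfileEnabled", lambda v: v is True, "enabled"),
    BaselineRule("Windows Update", "AutomaticUpdatesEnabled", lambda v: v is True, "enabled"),
    BaselineRule("User Account Control", "EnableLUA", lambda v: v == 1, "1"),
]


@dataclass(frozen=True)
class Finding:
    category: str
    parameter: str
    actual: Any
    expected: str


def scan(settings: Dict[str, Any]) -> List[Finding]:
    """Compare collected settings with BASELINE and return the non-compliant
    parameters. A setting that was not collected is reported as a finding
    too: the auditor cannot take comfort from a value nobody looked at."""
    findings: List[Finding] = []
    for rule in BASELINE:
        if rule.parameter not in settings:
            findings.append(Finding(rule.category, rule.parameter, "<not collected>", rule.expected))
            continue
        actual = settings[rule.parameter]
        try:
            compliant = rule.check(actual)
        except TypeError:
            # e.g. a string where the baseline expects a number: treat as non-compliant
            compliant = False
        if not compliant:
            findings.append(Finding(rule.category, rule.parameter, actual, rule.expected))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-category overview of parameters checked and parameters compliant."""
    summary: Dict[str, Dict[str, int]] = {}
    for rule in BASELINE:
        entry = summary.setdefault(rule.category, {"checked": 0, "compliant": 0})
        entry["checked"] += 1
        entry["compliant"] += 1
    for finding in findings:
        summary[finding.category]["compliant"] -= 1
    return summary


def report(settings: Dict[str, Any]) -> str:
    """Render the scan outcome as the kind of overview an audit team receives."""
    findings = scan(settings)
    lines = ["Category | checked | compliant"]
    for category, counts in summarise(findings).items():
        lines.append(f"{category} | {counts['checked']} | {counts['compliant']}")
    lines.append("")
    lines.append("Findings:")
    for f in findings:
        lines.append(f"  [{f.category}] {f.parameter}: actual={f.actual!r}, expected {f.expected}")
    return "\n".join(lines)


# Constructed sample of collected settings; EnableLUA is deliberately absent.
SAMPLE_SETTINGS: Dict[str, Any] = {
    "MinimumPasswordLength": 8,
    "LockoutThreshold": 0,
    "GuestAccountEnabled": False,
    "AuditLogonEvents": "Success and Failure",
    "AuditAccountManagement": "No Auditing",
    "DomainProfileEnabled": True,
    "AutomaticUpdatesEnabled": True,
}

if __name__ == "__main__":
    print(report(SAMPLE_SETTINGS))
```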
1.3 Contribution
1.3.1 Academic Relevance:
This research tries to add academic value to both topics, making the choice for auditors
more sound as to whether to use an operating system baseline security scan for their IT General
Control work. There exist a lot of best practices, but not much academic literature is found
regarding ITGCs and operating system security baselines.
1.3.2 Managerial Relevance:
A business unit tries to sell baseline scans as part of an IT audit (ITGC). Audit teams are
sometimes unsure and are wondering what comfort they will get with a baseline scan and what
impact it can have at the client. Several baseline scans have been done. It is important for IT audit
processes to understand what the most common and notable findings are and what their impact
is on the IT General Controls.
1.4 Research design:
This research intends to study the use of an operating system parameter baseline scan as
part of an IT General Control audit, how the operating system parameters can be linked to the IT
General Control environment, what kind of comfort an auditor would get from doing an operating
system parameter audit and when it would be a viable audit approach. The link between the
ITGC environment and the operating system parameters will first be determined by a literature
study. Based on the outcome an operating system parameter check will be designed and performed
in a case study environment. Based on the theoretical background and the results from the case study
the impact on the ITGC audit will be determined and recommendations will be formulated and
documented.
1.5 Thesis structure
The structure of this thesis can be broken down into three main parts. The first part
consists of a general introduction concerning what will be researched as well as the theoretical
foundations of the thesis. Furthermore all relevant literature concerning operating system
parameters and ITGCs will be discussed.
The second part is about the methodological aspect of the thesis. In this section, a
conceptual framework is constructed based on the research questions and literature review.
Moreover, the methodology of this research is explained. This section will also elaborate on the
design and execution of the case study.
Finally, the last part of this thesis will consist of the presentation of results, discussion of
the results, limitations and future research and conclusion.
2. Theoretical Background
2.1 A brief history of IT audits
Over the course of the years businesses have become more and more dependent on
information coming from IT systems. In the 60's one of the first frauds using IT systems was
detected at the Equity Funding Corporation of America. In The Netherlands too, auditors became
aware that information systems were increasingly becoming part of the business and therefore needed
to be taken into account in the audit. This shift in thinking had a great impact on accountants
and the financial statement audit. Accountants formed ideas about information systems, their
place in the administrative organization and how to audit them. Some accountants started to
specialize in the audit of information systems, which meant the birth of the IT auditor.
When the 3270 terminal was released on the market in the 70's it allowed mutations to
be entered in real time on the computer. This replaced the physical processes and controls that were
used with the so-called ponskaarten (punch cards). Because now anyone could make mutations, the accountants
had no comfort over the reliability of the information generated by the system. In order to
mitigate the risks associated with such information systems, the segregation of duties principle and
authorization matrices were introduced.
In the 80's the field of IT audits was further developed. Data centers and IT projects
became a focus point for IT auditors. In 1988 the Dutch National Bank released a memorandum
stating that IT is an essential part of a business that supports its solvency and liquidity. This
confirmed that the IT environment is essential for the financial statement audit.
The 90's introduced the client/server architecture, which replaced a lot of mainframes and was
adopted in many projects. In addition, new IT development methodologies were developed
based on the client/server architecture, which promised more efficient projects with shorter
durations. Because of the increase in computer systems and applications, best practices like ITIL
were developed to manage the new IT infrastructure.
The 00's marked the further integration of IT with the business, the
development of best practices and continuously new challenges for the control of the IT
environment. New upcoming technologies and initiatives like cloud computing and Bring Your
Own Device challenge management and auditors to find a way to implement these advances in a
controlled manner (Comte, 2009).
2.2 IT General Controls
From the founding thoughts about administrative organizations it is said that proper
internal controls need to be in place to ensure the reliability of information processed by
information systems (Starreveld, 2002). These controls can be divided into organization, logical
and physical controls.
In accounting and auditing, internal control is defined as a process affected by an
organization's structure, work and authority flows, people and management information systems,
designed to help the organization accomplish specific goals or objectives. It is a means by which
an organization's resources are directed, monitored, and measured. It plays an important role in
preventing and detecting fraud and protecting the organization's resources, both physical (e.g.,
machinery and property) and intangible (e.g., reputation or intellectual property such as
trademarks) (COSO, 2013).
Because of the increasing reliance on IT systems, controls were developed and best
practices formed to control the IT environment. Two control "frameworks" have been devised to
assist both management and auditors in designing and assessing controls in computerized
environments. One is the Information Technology Control Guidelines (IT Guidelines), first
published by the Canadian Institute of Chartered Accountants (CICA) in 1970 (in its 3rd edition
in 2011). The other is the Control Objectives for Information and related Technology (COBiT)
developed by the Information Systems Audit and Control Association (ISACA) (GFS, 2013).
IT controls are a subset of the internal controls of an organization. In the literature (Jenkins,
1992) internal controls are often divided into:
User controls; manual controls
Application controls; programmed controls
ITGC; general IT management controls
User controls are defined as manual internal controls. The goal of user controls is to generate
reliable information for the input into information systems, to take action based on information
or signals from an information system and to control an information system in a proper manner.
Manual elements in internal control may be less reliable than automated elements because they
can be more easily bypassed, ignored, or overridden and they are also more prone to simple
errors and mistakes. Consistency of application of a manual control element cannot therefore be
assumed.
Application controls can be defined as programmed controls in applications. The goal of
application controls is to create segregation of duties in applications and to ensure the reliability
of the data.
IT general controls (ITGC) are controls that apply to all system components, processes, and
data for a given organization or information technology (IT) environment. The objectives of
ITGCs are to ensure the proper development and implementation of applications, as well as the
integrity of programs, data files, and computer operations (ITGC, 2013).
2.3 ITGC in the financial statement audit
Accountants need to be sure that the published financial statements are prepared
reliably. The financial statements, also called Financial Statement Line Items (FSLI), give an overview of the
financial figures and position of the organisation (Berger, 2003). The controls in the ITGC are an
aid to mitigate the IT risks that the company faces in the preparation of the financial statements. The
IT risks need to be identified and appropriate controls need to be in place to mitigate these risks.
IT risks can be divided into two types: IT-dependent and IT-specific risks (PwC Audit Guide,
2012). The ITGCs mitigate both the IT-dependent and the IT-specific risks.
IT-dependent risks are risks that directly stem from the comfort that the ITGC should provide
the organization. There are three IT-dependent risk areas: Automated Control Integrity
(ACI), Report Integrity (RI) and Access Integrity (AI). Access Integrity is the risk area about
controls that can be bypassed to gain unauthorized access to systems and applications. Risks in
the Automated Control Integrity area come from automated application and system
functions that haven't been properly tested and implemented. Report Integrity risks are the risks
associated with the reliability of system-generated reports.
IT-specific risks are risks that are inherent to IT systems, such as hardware/software
changes outside of the normal business processes. The primary risk areas are Direct Data Access
(DDA), Data Integrity (DI) and Application Controls in Computer Operations (ACCO). Direct
Data Access risks involve all the risks that can lead to unauthorised access to data, to the change
of data and to the destruction of data. Data Integrity risks involve all the risks that can lead to
damaged or lost data. Application Controls in Computer Operations risks involve errors in batch
jobs or interfaces leading to incomplete or unreliable (financial) data.
Effective ITGCs ensure the continued effective operation of application and automated
accounting procedures that depend on computer processes. ITGCs are also important when
manual controls depend on application-generated information.
Figure 1
The figure above depicts how ITGCs link indirectly to the achievement of the financial
statement assertions. Transaction level controls are control activities over the initiation,
recording, processing and reporting of transactions designed to operate at a level of precision that
would prevent, or detect and correct on a timely basis, misstatements related to one or more
relevant assertions for a FSLI/business process. Transaction level controls can be either detective
or preventive in nature and they often include manual application, automated application or IT-
dependent manual controls (PwC, 2013).
2.4 The structure of IT General Controls
Although there is no detailed control set for ITGCs, the general areas are described. They are
generally divided into the following domains:
Access to programs and data
Program Changes
Computer Operations
Program Development
IT Control Environment
Each domain has certain IT-dependent or IT-specific risks associated with it. Table 1 maps
each domain to its associated risks and to the IT-dependent or IT-specific risk types.
Table 1
Domain: Access to Programs and Data
Associated risks: Application Access; Database/Data File Access; Operating System/Network Access
Type of risk: IT-dependent - Access integrity; IT-specific - Direct data access
Domain: Program Changes
Associated risks: Changes to Application Programs; Changes to Application Configurations; Changes to Operating System/Network
Type of risk: IT-dependent - Auto control/report integrity; IT-specific - Data integrity
Domain: Computer Operations
Associated risks: Computer Operations
Type of risk: IT-specific - Data integrity; IT-specific - Application controls in computer operations
Domain: Program Development
Associated risks: Program development
Type of risk: IT-dependent - Auto control/report integrity; IT-specific - Data integrity
Domain: IT Control Environment
Associated risks: Organizational
Type of risk: IT-dependent - Auto control/report integrity
The most common ITGC controls are:
Logical access controls over infrastructure, applications, and data.
System development life cycle controls.
Program change management controls.
Data center physical security controls.
System and data backup and recovery controls.
Computer operation controls.
(ITGC, 2013)
Figure 2 shows the domains and associated controls.
Figure 2 (PwC, 2013): IT General Controls domains and their controls, as labelled in the figure
Access to programs and data: Application security administration; Operating system security administration; Network / connection security administration; Application logical security; Operating system logical security; Network logical security; Application powerful accounts; Operating system powerful accounts; Network powerful accounts; Database administration; Direct data access via App/Network/OS/Util.
Program Changes: Specification and authorisation; Constructing; Testing; Implementation; Documenting and training; Segregation of duties; Report integrity
Computer Operations: Batch processing; Interface processing; Monitoring of computer processing; Backups; Computer centre operations
Systems Development: Initiation, analysis and design; Constructing; Testing; Data conversion; Implementation; Documentation and training; Segregation of duties
IT Control Environment: IT strategy; IT organisation; Risk management
For an organization to be in control of its IT it needs to identify the IT risks and
implement a tailored ITGC control framework. A control framework consists of at least a risk, a
control objective and a control activity. Control objectives are the "aim or purpose of specified
controls at the service organization which address the very risks that these controls are intended
to effectively mitigate" (SSAE16, 2013). Control activities are the activities that occur within a
control (University of Washington, 2013).
Example control framework (one risk with its control):
Risk: Unauthorized access to the IT systems because of weak password policies
Control objective: All passwords are based on a password policy based on best practices
Key control ref. no.: AM-1
Control activity: An up-to-date password policy is available and applied to key applications
Operator / Owner: ICT manager
Preventive / Detective: Preventive
Evidence: Password policies
Frequency: Annual
In the example framework above the risk, control and control activity can be seen. In
order to make the control more SMART an owner, type of control, evidence and frequency are
added. A control framework can be used by internal and external auditors.
2.5 Auditing of the ITGCs
Accountancy firms have defined their own ITGC framework and audit these controls in
an organisation. The IT auditor needs to form an opinion about the ITGCs by testing these
controls. The auditor needs to design his audit activities based on the type of organization that is
being audited, so as to be efficient and effective. Sufficient appropriate audit evidence needs to be
obtained to be able to draw reasonable conclusions on which to base the auditor's opinion.
Most of the auditor’s work in forming the auditor’s opinion consists of obtaining and
evaluating audit evidence. Audit procedures to obtain audit evidence can include inspection,
observation, confirmation, recalculation, reperformance, and analytical procedures, often in some
combination, in addition to inquiry. Reasonable assurance is obtained when the auditor has
obtained sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.
The sufficiency and appropriateness of audit evidence are interrelated. Sufficiency is the
measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by
the auditor’s assessment of the risks of misstatement (the higher the assessed risks, the more
audit evidence is likely to be required) and also by the quality of such audit evidence (the higher
the quality, the less may be required).
Appropriateness is the measure of the quality of audit evidence; that is, its relevance and
its reliability in providing support for the conclusions on which the auditor’s opinion is based.
The reliability of evidence is influenced by its source and by its nature, and is dependent on the
individual circumstances under which it is obtained (International Standards of Auditing, 2009).
2.6 Information security
The term 'information security' means protecting information and information systems
from unauthorized access, use, disclosure, disruption, modification, or destruction in order to
provide:
Integrity, which means guarding against improper information modification or
destruction, and includes ensuring information non-repudiation and authenticity;
Confidentiality, which means preserving authorized restrictions on access and disclosure,
including means for protecting personal privacy and proprietary information; and
Availability, which means ensuring timely and reliable access to and use of information.
This is often depicted as the CIA triad, shown in Figure 3 (Cornell, 2013).
Figure 3
In order to ensure the confidentiality, integrity and availability of information and
information systems companies often implement an access management, change management,
business continuity and risk management process.
Access to protected information must be restricted to people who are authorized to access
the information. The foundation on which access control mechanisms are built starts with
identification and authentication. Identification is an assertion of who someone is or what
something is. Authentication is the act of verifying a claim of identity. Information security uses
cryptography to transform usable information into a form that renders it unusable by anyone
other than an authorized user; this process is called encryption.
Change management is a formal process for directing and controlling alterations to the
information processing environment. This includes alterations to desktop computers, the
network, servers and software. The objectives of change management are to reduce the risks
posed by changes to the information processing environment and improve the stability and
reliability of the processing environment as changes are made.
Business continuity is the mechanism by which an organization continues to operate its
critical business units, during planned or unplanned disruptions that affect normal business
operations, by invoking planned and managed procedures.
Risk management is the process of identifying vulnerabilities and threats to the
information resources used by an organization in achieving business objectives, and deciding
what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value
of the information resource to the organization (CISA, 2006). These four processes are also part
of the ITGC audit as described in paragraph 2.4 (Information security, 2013).
2.7 Operating System security
Businesses store their financial information on computer systems. These computer
systems enable employees to access, modify and delete information. The operating system is the
heart of the computer system: it allows hardware and software applications to communicate
with each other and share resources, as can be seen in the following definitions of an operating
system.
Software designed to control the hardware of a specific data-processing system in order to allow
users and application programs to make use of it. (Answers, 2013)
The collection of software that directs a computer's operations, controlling and scheduling the
execution of other programs, and managing storage, input/output, and communication
resources. (Dictionary, 2013)
An operating system (OS) is software, consisting of programs and data, which runs on computers
and manages the computer hardware and provides common services for efficient execution of
various application software. (Wikipedia, 2013)
For example consider a program that allows a user to enter her password. The operating
system provides access to the disk device on which the program is stored, access to device
memory to load the program so that it may be executed, the display device to show the user how
to enter her password, and keyboard and mouse devices for the user to enter her password. Of
course, there are now a multitude of such devices that can be used seamlessly, for the most part,
thanks to the function of operating systems. The most used operating systems by businesses are
Microsoft Windows and the different UNIX variants.
Ensuring the secure execution of all processes depends on the correct implementation of
resource and scheduling mechanisms. First, any correct resource mechanism must provide
boundaries between its objects and ensure that its operations do not interfere with one another.
For example, a file system must not allow a process request to access one file to overwrite the
disk space allocated to another file. Also, file systems must ensure that one write operation is not
impacted by the data being read or written in another operation. Second, scheduling mechanisms
must ensure availability of resources to processes to prevent denial of service attacks. For
example, the algorithms applied by scheduling mechanisms must ensure that all processes are
eventually scheduled for execution. These requirements are fundamental to operating system
mechanisms.
Many parties, or at least many email addresses, web sites and network requests, try to
share content that aims to circumvent operating system security mechanisms and cause computers
to share additional, unexpected resources. The ease with which malware can be conveyed and the
variety of ways in which users and their processes may be tricked into running malware present
modern operating system developers with significant challenges in ensuring the security of their
system’s execution.
There is an ongoing battle between operating system developers and hackers to secure and
breach operating systems. The term “secure operating system” is considered both an ideal and an
oxymoron. Systems that provide a high degree of assurance in enforcement have been called
secure systems, or even more frequently “trusted” systems. However, it is also true that no
system of modern complexity is completely secure. The difficulty of preventing errors in
programming and the challenge of trying to remove such errors mean that no system as
complex as an operating system can be completely secure (Jaeger, 2008).
Because an operating system plays such a vital role in an information system its security
has a direct impact on applications and their data as can be seen in figure 3. All data that comes
from outside the system needs to pass the operating system layer.
Figure 3
Operating system settings are highly customizable in order to be tailored to the needs of
the user. This means that the user is also responsible for a secure implementation of configurable
settings.
2.8 Operating System configuration for Windows Server 2008
Apart from the inherent design of the operating system, the configuration of parameters
also plays a role in the security of the operating system. There are many types of operating
systems that can be configured in a variety of different ways. Researching all these operating
systems would be too extensive for this thesis. This research will therefore look at the settings
for one of the most used server operating systems, Windows Server 2008 (Wikipedia, 2013).
Windows Server 2008 was released by Microsoft on February 27, 2008. It is the successor to
Windows Server 2003.
The Center for Internet Security (CIS) helps organizations improve their security
posture by reducing risk resulting from inadequate technical security controls. One way of doing
this is by publishing security configuration benchmarks for operating systems. The security
configuration benchmark for Windows Server 2008 was released on September 30th, 2011 and
includes many parameter setting recommendations (CIS, 2011). Each recommendation contains
a description, rationale, remediation, audit, default value and reference. For example, for the
‘Enforce password history’ control the benchmark gives the following recommendation.
1.1.1 Enforce password history
Description: This control defines the number of unique passwords a user must leverage before a previously
used password can be reused. For all profiles, the recommended state for this setting is 24 or
more passwords remembered.
Rationale: Enforcing a sufficiently long password history will increase the efficacy of password-based
authentication systems by reducing the opportunity for an attacker to leverage a known
credential. For example, if an attacker compromises a given credential that is then expired,
this control prevents the user from reusing that same compromised credential.
Remediation: To establish the recommended configuration via GPO, set the following to the value
prescribed above:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Audit: Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed.
Default Value: 24 passwords remembered
References: CCE-2237-6
There are more than a hundred recommendations like this for Windows Server 2008. This
shows one of the complexities of securing the operating system. It is always a balance of security
versus usability. All these settings can be broken down and ordered into the following categories
or controls.
Category: Settings
Accounts: Password and account settings. These settings all contribute to the logical access security.
Audit Policy: Settings regarding the logging of events and changes to the operating system, for example the logging of access attempts and changes to user rights and policies.
Detailed Security Auditing: More specific auditing settings, like the logging of changes to the security state of the system, when a registry object is accessed or whether the results of a validation test are logged.
Event Log: These settings are about the retention of the system logging and some technical settings.
Windows Firewall: Settings in this area are about the setup of the Windows Firewall that is part of the operating system.
Windows Update: Settings regarding the download and installation of new patches.
User Account Control: Settings regarding the behaviour of the operating system when operations are being performed that require elevated privileges.
User Rights: Defines which types of users can perform certain types of actions like logon, shutdown or changing the system time.
Security Options: Specific security settings fall in this category, like interactive logon, Microsoft network client, network access and system settings.
Terminal Services: Remote desktop settings.
Internet Communication: Settings regarding the use of local resources over a network connection like printing or publishing files.
Additional Security Settings: Additional settings like disabling remote desktop sharing, turning off AutoPlay and registry policy processing.
Most of the categories would fall under the ITGC domain ‘Access to programs and data’
except for the Windows Update category which would fall under ‘Computer operations’.
2.9 Influence of operating system settings on the IT General Controls
As can be seen in the previous paragraphs, the operating system is only one of the parts that
together can form a secure information system environment. Logically it protects the
applications, data and system resources, but once a program or user is allowed access it cannot
control the implications of that access. For example, the operating system cannot control the
behaviour of a user within an application or the content of data that is being sent and received.
Nevertheless it is an essential part of the security because it does protect data from external and
internal threats in a way that applications cannot.
There is not one setting that determines how secure an operating system is, and therefore
an auditor always has to look at a combination of settings. Some settings can have a higher impact
than others. Not being able to rely on the operating system for the access to programs and data
controls undermines the application controls. In practice most operating systems, including
Windows Server 2008, have a basic level of security configured, which means that reliance on the
operating system is not binary and can be partial.
Financial statement audits always have a time period in scope. In order for an auditor to get
some comfort over the operating system settings for a certain period, the changes to the settings
need to be logged. This means an auditor either has to rely on the change management process
or has to inspect the event logs that the server generates (if this logging is enabled).
3. Hypotheses
3.1 Conceptual Framework
There are different operating systems and types of audits that need to be identified and
researched. This research will only look at Microsoft Windows Server 2008 for the financial
statement ITGC audit in order to keep focus. To visualize the research question and give a clear
overview of which variables are involved and how they are interlinked, the research idea of this
thesis can be visualized in a Conceptual Framework seen below.
[Conceptual Framework figure. Boxes: Inherent operating system security design; Operating system parameters; Operating system parameter configuration; Operating system comfort; ITGC comfort. Labels: T0, T1, T3, T4.]
There are five main variables that can be distinguished in this framework. The
Independent Variables Inherent operating system security design and Operating system
parameters, the Moderating Variables Operating system configurations, the Dependent
Variable Operating system comfort and the Dependent Variable ITGC comfort. The meaning
of these variables will be explained next.
First, the independent variables Inherent operating system security design and Operating
system parameters stand for all the possible operating systems and their inherent security
design. There are many different operating systems built for different purposes, and they thus have a
different security design. A company has to think about this when it chooses the operating
system for its applications. Next to the inherent design it also has to make sure that the
operating system is set up and configured according to its security needs.
Secondly, Operating system configuration is the moderating variable in this framework.
It entails the actual configuration of the operating system. This variable influences the dependent
variables based on parameter configuration.
The fourth variable, Operating system comfort, is one of the dependent variables in this
framework. It entails the combination of security design and configuration leading to a level of
comfort that can be placed on the operating system.
Finally, the dependent variable ITGC comfort is about the contribution of the Operating
system comfort to the IT General Controls audit. If an audit looks at application controls,
Operating system comfort must be obtained.
3.2 Hypotheses
With the conceptual framework set up, specific working hypotheses can be formulated to test
the framework. Working hypotheses (WH) are a “provisional, working means of advancing
investigation”; they lead to the discovery of other critical facts (Dewey, 1938). Working
hypotheses are linked to exploratory studies (Shields, 2006). They are never proven but are
supported by empirical evidence.
Building on the research questions, the working hypotheses will explore the subject in
more detail. Based on the literature background the following working hypotheses were created.
WH1: An operating system parameter audit will only give comfort over the operating
system layer
As depicted in Figure 3, the operating system is the layer between applications, data and the
network. Auditing the operating system parameters will therefore only give comfort over the
implementation of information security on the OS layer.
WH2: Operating system comfort is essential for reliance on application controls
Because the operating system manages system resources and data, the system needs to be
secured in a way that minimizes the risk of unauthorized use of the system resources. Using an
application, even in a client/server architecture, requires some form of operating system access
and thus exposes the application and data to certain threats.
3.3 Control Variables
In order to answer the research question and the sub-questions, the relationships between
the main variables have to be tested. Based on the results, the formulated working hypotheses can
then either be supported or not. However, it is possible that the results of this study are
influenced by other variables that were not included in the framework. For this study it will be
hard to exclude all the other variables that might influence the dependent variable ITGC comfort
and thus influence the outcome of this study.
The Inherent operating system security design is a variable that greatly influences the
Operating system comfort but is tricky to measure. As Jaeger (2008) argues that no operating
system of great complexity can be completely secure, an impression of its security can only be obtained by
looking at its security history and design philosophy.
Although the methodology for performing an IT General Control audit tries to be as
objective as possible there is still a lot of room for an auditor’s opinion and so called professional
judgment. Companies are almost never 100% alike, technology develops fast and there are many
variables that influence IT security, yet auditors often work on a tight time schedule with limited
budget. Therefore an auditor has to form an opinion as best as possible and can only give
reasonable or limited assurance.
4. Case study methodology
4.1 Research Methods
The purpose of this research is to find out what the added value of an operating system
audit is for the IT General Controls. In order to do this, this study first tries to find out the theoretical
place of an operating system in the IT General Control framework and audit methodology.
Secondly, an operating system parameter audit is performed and the added value to the ITGC
audit is discussed. The methodology used for exploring the hypotheses is a case study.
This study uses the hypothetico-deductive method, which according to Sekaran (1992)
involves seven research steps: observation, preliminary information gathering, theory
formulation, hypothesizing, further scientific data collection, data analysis and logically
deducing conclusions from the results obtained.
4.1.1 Observation
By being a professional auditor for a big firm and studying IT audit, the researcher is
aware of discussions and hot topics in the field of IT audit. The company the researcher works
for has for the last couple of years been using a tool to audit operating system parameters, and the
results of these scans are sent back to the audit teams. It was observed that auditors often do
not know how to interpret the results and what the added value to the audit is. They noticed that
presenting the results makes an impact at the client, but the exact meaning and impact for
the ITGC audit as part of the financial statement audit is unclear. The researcher felt that this was
an interesting area that lacks sufficient academic or pragmatic literature and needs to be clarified.
4.1.2 Preliminary information gathering
Preliminary information gathering is the search for information in order to build up the
researcher’s understanding of the area (Sekaran, 1992). In order to do so a research proposal
was written. Google, work experience and the PwC audit guide were the basis for further
preliminary information gathering. The topics of financial statement audits, IT General Controls,
auditing and operating systems were explored. Most concrete information was not found in
academic literature but in white papers and best practices.
4.1.3 Theory formulation
The theory formulation is done by literature research and is necessary in order to get a
good understanding of what is already known about the topic, to save valuable time and make
sure the wheel does not get reinvented. Not only operating system and IT
General Control literature is relevant for the theory formulation, but also related literature in order
to develop a theoretical framework. The goal of this theoretical framework is to put the topic in
perspective.
Most of the literature research was done via Google and Google Scholar, which can
search through many (academic) databases. Besides online literature research, the researcher has
access to internal audit methodology material from PwC, one of the four big accountancy and
consulting firms, in the form of the PwC audit guide. This guide describes the company’s audit
methodology in order to deliver high quality audits.
4.1.4 Hypothesizing
From the theoretical framework, educated guesses were made regarding the outcome of
the research question. These working hypotheses are presented in chapter 3.2. They represent a
tentative statement of a relationship between two variables that has yet to be empirically tested.
This study will try to test these hypotheses, and the empirical results will either hold and support
the hypotheses or discard them.
4.1.5 Further scientific data collection
In order to test the hypotheses, further scientific data has to be collected. In order to find
out about the added value of an operating system audit, this study will perform an operating
system audit at three companies that use Microsoft Windows Server 2008 as the platform for their
IT environment.
4.1.5.1 The operating system design
In order to get an understanding of the inherent operating system security design, literature
research is performed by looking at the builder’s design philosophy, responsiveness to security
issues and global opinion.
4.1.5.2 The operating system parameters
Based on the CIS best practice a parameter scan will be performed at a company. The
researcher will use his professional network to find three companies willing to do an operating
system parameter scan.
The researcher will provide a script that the companies need to run on their Windows Server
2008 domain controller. This script will check the parameters and output the results into a text
(.txt) file. The results in this file will be analyzed using a tool called Easy2Audit. Easy2Audit is a
benchmarking website where the results of the script can be uploaded; it then generates a
graphical representation of the results.
4.1.6 Data analysis and conclusion
After all the scans are performed, the case information per company will be stated and the
results will be evaluated. The research will make use of Easy2Audit’s benchmark tool to make a
graphical representation of the results, from which the researcher will further investigate. Next
to that, the parameters, baseline values and results will be put into a table.
For the baseline, the recommended settings for an enterprise domain controller are used
because we are testing the enterprise domain controllers. The other recommended settings in the
CIS baseline are for Special Security – Limited Function (SSLF) systems. The companies in our
sample do not have a higher than average risk profile, so it was chosen not to use the
recommended SSLF settings.
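The CIS recommendation quoted in paragraph 2.8 and the parameter scan, baseline comparison and results table described in paragraphs 4.1.5.2 and 4.1.6 can be illustrated with the following added example; it is not the thesis' own script nor the Easy2Audit tool. It assumes the server's local security policy was exported with secedit /export /cfg into the text file the script collects, uses a constructed sample export rather than data from any company in the study, and labels every threshold other than the 24-password history value quoted from the page as an assumption.

```python
"""
Added example (not from the thesis or Easy2Audit): check a Windows security
policy export against a small CIS-style baseline and build the
parameter / baseline / result table described in paragraph 4.1.6.

Input format assumed: the INI-style file written by `secedit /export /cfg`.
Its [System Access] section holds the password and lockout policy and its
[Registry Values] section holds policy-backed registry keys as
"<path>=<REG_TYPE code>,<data>".
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample export; values are invented for illustration only.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 5
LockoutBadCount = 0
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA=4,1
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_secedit_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the export into {section: {key: value}}. Registry entries keep
    only the leaf key name and the data part after the REG_TYPE code."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if current == "Registry Values":
            key = key.rsplit("\\", 1)[-1]
            value = value.split(",", 1)[1] if "," in value else value
        sections[current][key] = value
    return sections


# (section, key, baseline as shown in the table, predicate on the raw value)
Rule = Tuple[str, str, str, Callable[[str], bool]]
BASELINE: List[Rule] = [
    # From the CIS 1.1.1 recommendation quoted on the page: 24 or more remembered.
    ("System Access", "PasswordHistorySize", ">= 24", lambda v: int(v) >= 24),
    # Assumed thresholds, chosen for illustration, not quoted from the benchmark:
    ("System Access", "MinimumPasswordLength", ">= 14 (assumed)", lambda v: int(v) >= 14),
    ("System Access", "PasswordComplexity", "= 1 (assumed)", lambda v: v == "1"),
    ("System Access", "LockoutBadCount", "1..10 (assumed)", lambda v: 1 <= int(v) <= 10),
    ("Registry Values", "EnableLUA", "= 1 (UAC enabled)", lambda v: v == "1"),
    # 0 means administrators are elevated without any prompt.
    ("Registry Values", "ConsentPromptBehaviorAdmin", "!= 0 (no silent elevation)", lambda v: v != "0"),
]


def check_baseline(export_text: str, rules: List[Rule] = BASELINE):
    """Return rows (parameter, baseline, actual, compliant). A parameter that is
    missing from the export or has an unparsable value counts as a finding."""
    data = parse_secedit_export(export_text)
    rows = []
    for section, key, baseline, ok in rules:
        actual = data.get(section, {}).get(key)
        try:
            compliant = actual is not None and ok(actual)
        except ValueError:
            compliant = False
        rows.append((key, baseline, actual if actual is not None else "<not set>", compliant))
    return rows


def compliance_percent(rows) -> float:
    """Share of compliant parameters, like the 'Compliance overall' view."""
    return round(100.0 * sum(1 for r in rows if r[3]) / len(rows), 1)


def format_table(rows) -> str:
    """Render the parameter / baseline / actual / result table as text."""
    fmt = "%-28s %-28s %-10s %s"
    lines = [fmt % ("Parameter", "Baseline", "Actual", "Result")]
    for key, baseline, actual, compliant in rows:
        lines.append(fmt % (key, baseline, actual, "OK" if compliant else "FINDING"))
    return "\n".join(lines)


if __name__ == "__main__":
    result_rows = check_baseline(SAMPLE_EXPORT)
    print(format_table(result_rows))
    print("Compliance overall: %.1f%%" % compliance_percent(result_rows))
```

On the constructed sample only the UAC switch passes, which mirrors the thesis' observation that a domain controller can be partially compliant and that reliance on the operating system is therefore not binary.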
4.2 Sample selection
The samples used in the research are companies that run a Microsoft Windows office
environment that is managed by Active Directory, where the domain controllers run on Microsoft
Windows Server 2008. Domain controllers distribute the company’s IT policies and
configuration settings to all computers that are in the office network. This means that a domain
controller is a key system in a network and needs to be secure. The configuration of the domain
controller does not necessarily apply to the computers in the domain, but it can indicate the level
of thought that was given to security. If a domain controller is compromised, a hacker has the
potential to access all systems that are part of the Active Directory network.
5. Case study findings
Three Dutch companies participated in this study; they are anonymized for privacy and
security reasons. This study took place between January 2013 and June 2013. The system
administrators first tested the scripts on their test environment before running them on
production. It took each administrator about an hour to test the scripts, run the scripts on the
production environment and send the results.
5.1 Company profile
5.1.1 Company A
The first company is a medium sized company with about 500 employees active in the
food industry. Their ERP system, SAP, is used primarily for sales, purchasing and finance. They
run a Windows environment which is administrated by two domain controllers. There is no
single sign-on so in order to login to SAP a separate username and password have to be used.
5.1.2 Company B
The second company is a small company operating in the gambling machine market.
They use Exact for their enterprise resource planning and run a Windows environment.
5.1.3 Company C
Company C is a medium sized software company operating in the supply chain logistics
industry. Their ERP system, SAP, is used primarily for sales and purchasing. They run a
Windows environment which is administrated by two domain controllers. There is no single
sign-on so in order to login to SAP a separate username and password have to be used.
5.2 Outcome
[Figures: Compliance overall; Company A; Company B; Company C]
The more detailed results can be found in Appendix I.
5.3 Analysis of results
In this paragraph, the results obtained from the scans and the theoretical framework will be
discussed. First the parameter categories and their audit impact are discussed. Once
the audit impact of the parameters is determined, non-technical factors are discussed. A complete
overview of the results can be found in chapter 5. Thereafter results aside from the working
hypotheses are presented.
5.3.1 Accounts
In the ITGC framework the account settings can be placed in the Access to programs and
data domain and they directly influence the logical operating system security. They can also
influence application and data access if there are no further mitigation controls defined.
Finding: Decreased efficacy of the password based authentication control.
Impact: Unauthorized users get administrator access to the critical systems, their applications and data. Unauthorized access to financial data and applications can lead to misstatement, fraud and can threaten the business continuity.
Likelihood: Medium
Risk: Medium. This control can directly influence access to financial data and thus cause financial misstatements.
Our results show that none of the companies have implemented a secure password policy. In
company C the password based authentication control is operating at a bare minimum, without a
minimum password length, making it simple to guess or brute-force the password.
5.3.2 Audit policy
In the ITGC framework the audit policy can be placed in the Computer operations
domain under monitoring of computer processing. The event log is filled based on the audit
policy. This can be classified as a detective control for inspection of (potential) problems
afterwards. As can be seen in the baseline, CIS did not define any audit settings. This is because
Windows Server 2008 comes with more detailed audit facilities that are preferred to the legacy
audit facility.
Finding: No audit trail available.
Impact: Not possible to determine system and user changes to the system over a certain period. In case of a calamity this can make it more difficult to inspect the cause.
Likelihood: Medium
Risk: Low. This is a detective control that does not directly influence financial misstatement. It is merely a monitoring instrument.
The obtained results show that all three companies use the Windows Server 2008 audit
facility, each in a different manner. This means that the companies have event logs available that can
be used in case of a calamity.
5.3.3 Detailed Security Auditing
The detailed security auditing parameters are the detailed audit policies introduced in
Windows Server 2008. In the ITGC framework the detailed security auditing policy can be
placed in the Computer operations domain under monitoring of computer processing. Its use and
impact on the ITGC audit are similar to those of the audit policy described in paragraph 6.2.2.
5.3.4 Event log
With the event log parameters the size of the logs, and thus the retention of events, is
determined. This would, just as the categories in 6.2.2 and 6.2.3, fall under the monitoring control
category as part of the computer operations domain. Its use and impact on the ITGC audit are
similar to those of the audit policy described in paragraph 6.2.2. The event log settings in combination
with the audit policy and/or the detailed security auditing together determine the impact for the
monitoring control called the audit trail.
5.3.5 Windows Firewall
The Windows Firewall controls the incoming and outgoing connections and is thus part of
the Access to programs and data domain. Companies often have a dedicated firewall controlling
all the network traffic. This often results in a de-activated Windows Firewall, which can be seen
in the results, where none of the companies have any firewall rules defined. An auditor should
establish that the client uses a dedicated firewall. If this is not the case, then the whole network is
open to the outside world and that alone would pose a serious security hazard. The risk analysis
done for this category assumes a dedicated firewall.
Finding: No firewall settings configured.
Impact: Administrators can overwrite Group Policy settings, which exposes the system to remote attacks. However, in case of a dedicated firewall this might have no impact.
Likelihood: Low
Risk: Low. All network activity is controlled by a dedicated firewall.
5.3.6 Windows Update
The Windows Update parameters define how Windows handles available updates. This
would fall under the Access to programs and data domain, since ensuring that the latest updates
and patches are installed minimizes the potential of a successful hack through a known
vulnerability. However, the settings alone do not tell anything about the patch level of the server,
and thus not much can be said about the patch level of the machine.
Finding: Windows Update settings do not enforce the positive behavior of installing updates.
Impact: No impact.
Likelihood: Low
Risk: Low. These settings do not tell anything about the patch level of a machine but can indicate a non-adequate patch management process.
5.3.7 User Account Control
User Account Control aims to improve the security of Microsoft Windows by limiting
application software to standard user privileges until an administrator authorizes an increase or
elevation. This would ensure that malicious software is not able to perform administrative
tasks on the operating system. This control would fit under operating system security in the
Access to programs and data domain.
Finding: UAC is not enabled.
Impact: Software uses administrator operating system functions to perform malicious actions.
Likelihood: Medium
Risk: Medium. Once a system is infected with malware it might perform malicious actions that impact the integrity of the system.
In the results we can see that all companies have UAC enabled in some manner. Company C has
implemented it in the most secure way, so that even admin approval is required for admin accounts.
5.3.8 User Rights
The user rights parameters would also fall under the Access to programs and data
domain. They manage which users and/or user groups can perform certain high risk or
administrative functions. It also impacts some of the system security design functions.
Finding: User rights are not set up based on the least privilege principle.
Impact: Unexpected users can perform high risk or administrative functions, which can compromise the system’s availability and integrity.
Likelihood: Medium
Risk: Medium. The attack surface is increased unnecessarily.
In the results we can see that all three companies have defined and limited most user rights to
appropriate users or groups.
5.3.9 Security options
The security options parameters are a set of security options influencing various
functionalities like accounts, devices, domain membership, logon, Microsoft network client,
network and system. Operating system security administration is the ITGC topic that this would
be placed in.
Finding: Security options do not adhere to the best practice.
Impact: Attackers could potentially benefit from the security misconfiguration, compromising the system.
Likelihood: Low
Risk: Medium. The security options are not configured tightly, which increases the chance of a successful attack.
The companies have set about 60% of the security options according to the best practice.
5.3.10 Terminal services
With terminal services, users can log in to a server from a remote location. The parameters
deal with encryption, the password mechanism and drive redirection. In the ITGC framework we
can find these settings under operating system logical security.
Finding: The terminal service connection is more vulnerable to eavesdropping because of the lower level of encryption. Attackers can potentially access remote servers via a locally saved terminal service shortcut.
Impact: Unauthorized access to the server through terminal services.
Likelihood: Medium
Risk: High. Unauthorized access through terminal services makes it easy for an attacker to compromise the system.
The results show that the default values apply for all companies except company B, which disabled drive allocations.
5.3.11 Internet Communication
The best practice recommends disabling all unnecessary internet options that come with
Windows Server 2008 for hardening purposes. Operating system security administration in
Access to programs and data would be the ITGC domain this relates to.
Finding: Unnecessary internet options enabled.
Impact: Increased exposure to malicious content, unstable drivers and potential loss of information.
Likelihood: Medium
Risk: Medium. The system has unnecessary functions enabled that can disrupt the system and lead to information leakage when an administrator is not careful.
None of the companies have changed any of the default values, leaving these options enabled
and thus unnecessarily increasing their risk.
5.3.12 Additional security settings
The additional security settings are settings that can further harden the system. The
difference with the security options is that the security options can have multiple possible values,
whereas the additional security settings are more binary. Only three of the 11 settings have to be
set according to the best practice; they relate to operating system security and logical access in
the Access to programs and data domain.
Finding: Additional security settings not configured.
Impact: Increased number of options that an attacker can benefit from to compromise the system.
Likelihood: Low
Risk: Medium. The options that are not set according to the best practice can be key for an attacker to compromise the system.
None of the companies have changed any of the default values, leaving these options enabled
and thus unnecessarily increasing their risk.
5.4 Other factors
Aside from the value of the parameter audit, there are many other factors that can influence
whether an auditor should use an operating system parameter scan. These factors are drawn from
the researcher's audit experience.
5.4.1 Costs of the operating system parameter check
Most audits are performed for an agreed-upon fee and thus have a limited budget.
Although an operating system parameter check is not rocket science, it will take an auditor at least
a couple of hours to perform. There are many cases, especially when small companies with a very
tight budget are audited, where a couple of hours is already quite an expense on the
budget. This means that an auditor will have to decide how to spend his hours most effectively in
order to gain the most comfort.
5.4.2 Type of operating system(s) in use
Although there are baselines for the most common operating systems, it is possible that a
company uses a legacy or customized operating system. In these cases it will be a time-consuming
task to get any comfort about that operating system, and comfort needs to be obtained
in a different manner.
5.4.3 No extra comfort
There could be situations where testing the operating system parameters would lead to no
extra comfort, for example when a server or computers are not connected to an external
network. When it is known that the ITGC audit will lead to limited or no comfort, the additional
comfort obtained by performing an operating system audit will be minimal.
5.4.4 Politics and time
Companies can be reluctant to run scripts from third parties, such as the auditor,
because they fear these can disrupt the system. In these cases the scripts will need to go through a
test procedure before they can be run on a production environment. This can take quite some
time depending on the company's organization, as it has to go through (multiple) steps of
approval. This might influence the usability of an operating system parameter audit because of
the time factor. Some companies might outright refuse to run a script on their server, which
means the auditor will have to inspect the settings himself or find some other way to obtain them,
probably increasing the time spent and thus the costs.
6. Validation of hypotheses
In this chapter the working hypotheses are discussed.
6.4.1 WH1: An operating system parameter audit will only give comfort over the operating system layer
As noted in paragraph 6.2 the parameters influence the access to programs and data and
computer operations ITGC domains. Within these domains operating system security, operating
system logical security, operating system powerful accounts, network powerful accounts, direct
data access and network logical security are influenced. Because the operating system is the
heart of a system it is logical that all these categories are influenced. The results obtained from
the operating system audit give all the information needed to formulate an opinion regarding the
operating system layer. However the information can also tell the auditor something regarding
the security policy of the company, the manner of hardening they applied and their user account
policy. The results support the working hypothesis in the sense that it will only give comfort
about the operating system layer. It does, however, give an auditor additional information that
might influence his audit approach and opinion.
6.4.2 WH2: Operating system comfort is essential for reliance on application controls
There are many settings that an attacker can use to eventually compromise a system.
Once access, or worse, administrator access is obtained, an attacker can further penetrate the
system, directly accessing or modifying unprotected data. Secured data can also be stolen, or
attempts can be made to breach its security. User account data can be used to try to log into
applications, and if a company has single sign-on enabled, access is immediately obtained. All this
can lead to a bypass of application controls. Because of the layers in computer systems, comfort
can only be obtained over a layer if the layers below are reliable. The literature and results support
the working hypothesis that operating system comfort is essential for reliance on application
controls.
7. Conclusions
The intention of this research was to determine the added value of an operating system
audit to the IT General Controls audit by answering the research question ‘How does a baseline
security scan on operating system parameters add value to an ITGC audit?’. A literature study
provided the context and role of operating systems within the ITGCs. A best practice for
Windows Server 2008 configuration settings was used to test three companies against this
baseline. This led to (1) a risk analysis of the security categories and (2) insight into the
company’s compliance and the link between the parameters. To answer the research question
three sub questions have to be answered.
First of all, what is the place of operating system parameters in the IT General Control
environment? As can be seen in the analysis of results, chapter 5.3, all the parameters were
analysed and the results show that they can be linked with the access to programs and data and
computer operations ITGC domains. This demonstrates that they have a place in the IT General
Control framework and thus should be taken into account when performing an ITGC audit.
Secondly, what kind of comfort and assurance can result from an operating system
parameter baseline scan to the ITGC audit? It was found that there are many parameters that an
attacker can leverage to compromise an operating system. Once access, or worse, administrator
access is obtained an attacker can further penetrate the system directly accessing or modifying
unprotected data. Secured data can also be stolen or attempts can be made to breach its security.
User account data can be used to log into applications and if a company has single sign-on
enabled access is immediately obtained. All of this can lead to a bypass of application controls.
As discussed in the working hypotheses, an audit on operating system parameters only gives
comfort over the operating system layer but this comfort is essential. When there is no comfort
regarding the operating system layer the integrity, confidentiality and availability of the
information generated by the system cannot be fully relied upon. The results from an operating
system parameter audit can also influence an audit approach and opinion because of the indirect
information it can give about the company’s security policy.
Thirdly, under which conditions should an ITGC auditor consider using an operating
system parameter baseline scan? As shown, operating system security has a place within the
ITGC framework and is essential for relying on information generated by applications. An
auditor should consider using an operating system parameter baseline scan when he judges that
there is a risk of unauthorised access to the systems. This can be done by looking at a company's IT
environment, infrastructure, external connections, and other mitigating factors.
The answer to the research question ‘How does a baseline security scan on operating
system parameters add value to an ITGC audit?’ is found in the theory, case study results and
the above answers to the sub questions. This research shows that a baseline security scan on
operating system parameters adds comfort to the IT General Controls when the auditor judges
that there is a risk of unauthorized access to the system. It also argues that operating system
comfort is necessary in order to rely on information generated by applications.
8. Limitations and further research
As mentioned before, this study has several limitations. First of all, no thorough study was
performed regarding the operating system's inherent security design. An unresolved security
flaw could undermine the whole value of the parameter check. Also, the researcher did not
inspect all the operating system parameters individually or test their workings. This research
relies on the recommendations of the Center for Internet Security.
Secondly, this research only focuses on Windows Server 2008 and inspected its best
practice. Therefore this research can say little about other operating systems. Its usefulness,
costs and time can vary depending on the OS's security options and design.
Thirdly, as mentioned in paragraph 5.4, there are many factors that influence the
appropriateness and added value to an ITGC audit. These factors are not taken into account in
this research and leave room for further research. If all these factors are researched, this might
lead to a more concrete framework on when to use an operating system audit.
Furthermore, the role of the accountant and auditor is an ongoing discussion. Especially
with the increasing risk of cyber-attacks, there might be a shift in thinking and interpretation or
adaptation of the financial statement assertions. This can influence the way the auditor has to
take cyber security and business continuity into account.
Because systems are not stand-alone and are operating within an IT environment, an audit
on operating systems as well as the other components in the infrastructure, e.g. the firewall,
could potentially increase the value to the ITGCs. Further research could look at the added value
of an infrastructure audit to the ITGCs.
References
Albornoz Mulligan, J. (2007). Best Practices: Server Operating System Security.
Answers. (2013). Retrieved from Answers: http://www.answers.com/topic/operating-system
CIS. (2011). Security Configuration Benchmark For Microsoft Windows Server 2008. CIS.
CIS. (2013). Center for Internet Security. Retrieved from http://CISsecurity.org
CISA. (2006). Review Manual.
Comte, L. (2009). IT audit en SOx. Retrieved from http://www.vurore.nl/images/vurore/downloads/718_IT_audit_en_SOx_Le_Comte.pdf
Cornell. (2013). Retrieved from http://www.law.cornell.edu/uscode/text/44/3542
COSO. (2013). Retrieved from http://coso.org/documents/Internal%20Control-Integrated%20Framework.pdf
Dewey. (1938). Experience and Education, The Educational Forum, 1938-8098, Volume 50, Issue 3, 1986, pp. 241-252.
Dictionary. (2013). Dictionary. Retrieved from Reference: http://dictionary.reference.com/browse/operating+system
GFS. (2013). Retrieved from http://www.gfsconsulting.ca/sox/it-general-controls-and-it-application-controls-what-businesses-really-needs-to-know
Information security. (2013). Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Information_security#cite_note-1
International Standards of Auditing. (2009).
ISACA. (2013). Information System Audit and Control Association. Retrieved from https://www.isaca.org/
ITGC. (2013). Retrieved from Wikipedia: http://en.wikipedia.org/wiki/ITGC
Jaeger, T. (2008). Operating System Security. Morgan & Claypool.
Jenkins, B. (1992). An Audit Approach to Computers.
PwC. (2013). PwC Audit Guide.
Sekaran, U. (1992). Research Methods for Business: A Skill Building Approach. New York: John Wiley & Sons.
Shields, P. M. (2006). Intermediate theory: The missing link to successful student scholarship. Journal of Public Affairs Education, Vol. 12, No. 3, pp. 313-334.
SSAE16. (2013). Retrieved from http://www.ssae16.org/glossary/83-control-objectives--example-control-objectives-for-soc-1-ssae-16-reporting--ssae16org.html
Starreveld. (2002). Bestuurlijke Informatieverzorging, Deel I, Algemene Grondslagen.
University of Washington. (2013). Retrieved from http://f2.washington.edu/fm/fa/internal-controls
Wikipedia. (2013). Operating system. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Operating_system
Wikipedia. (2013). Usage share of operating systems. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems
Appendix I: Case research
CONTROL | Baseline | A | B | C
Accounts
Password History | 24 | PasswordHistorySize = 0 | PasswordHistorySize = 6 | PasswordHistorySize = 0
Maximum Password Age | 60 | MaximumPasswordAge = -1 | MaximumPasswordAge = 60 | MaximumPasswordAge = -1
Minimum Password Age | 1 | MinimumPasswordAge = 0 | MinimumPasswordAge = 1 | MinimumPasswordAge = 0
Minimum Password Length | 8 | MinimumPasswordLength = 4 | MinimumPasswordLength = 6 | MinimumPasswordLength = 0
Password Complexity | 1 | PasswordComplexity = 0 | PasswordComplexity = 0 | PasswordComplexity = 1
Store Passwords using Reversible Encryption | 0 | ClearTextPassword = 0 | ClearTextPassword = 0 | ClearTextPassword = 0
Account Lockout Duration | 15 | null | null | null
Account Lockout Threshold | 15 | LockoutBadCount = 0 | LockoutBadCount = 0 | LockoutBadCount = 0
Reset Account Lockout After | 15 | null | null | null
Microsoft Network Server: Disconnect clients when logon hours expire | 1 | 1 | 1 | 1
Audit Policy
Audit Account Logon Events | 0 | AuditAccountLogon = 1 | AuditAccountLogon = 3 | AuditAccountLogon = 0
Audit Account Management | 0 | AuditAccountManage = 1 | AuditAccountManage = 3 | AuditAccountManage = 0
Audit Directory Service Access | 0 | AuditDSAccess = 1 | AuditDSAccess = 2 | AuditDSAccess = 0
Audit Logon Events | 0 | AuditLogonEvents = 1 | AuditLogonEvents = 3 | AuditLogonEvents = 0
Audit Object Access | 0 | AuditObjectAccess = 0 | AuditObjectAccess = 0 | AuditObjectAccess = 0
Audit Policy Change | 0 | AuditPolicyChange = 1 | AuditPolicyChange = 3 | AuditPolicyChange = 0
Audit Privilege Use | 0 | AuditPrivilegeUse = 0 | AuditPrivilegeUse = 2 | AuditPrivilegeUse = 0
Audit Process Tracking | 0 | AuditProcessTracking = 0 | AuditProcessTracking = 0 | AuditProcessTracking = 0
Audit System Events | 0 | AuditSystemEvents = 1 | AuditSystemEvents = 0 | AuditSystemEvents = 0
Audit: Shut Down system immediately if unable to log security audits | 0 | 0 | 0 | 0
Audit: Force audit policy subcategory settings to override audit policy category settings | 1 | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Detailed Security Auditing
Audit Policy: System: IPsec Driver | Success and Failure | IPsec Driver Success | IPsec Driver No Auditing | IPsec Driver No Auditing
Audit Policy: System: Security State Change | Success and Failure | Security State Change Success | Security State Change No Auditing | Security State Change Success
Audit Policy: System: Security System Extension | Success and Failure | Security System Extension Success | Security System Extension No Auditing | Security System Extension No Auditing
Audit Policy: System: System Integrity | Success and Failure | System Integrity Success | System Integrity No Auditing | System Integrity Success and Failure
Audit Policy: Logon-Logoff: Logoff | Success | Logoff Success | Logoff Success and Failure | Logoff Success
Audit Policy: Logon-Logoff: Logon | Success | Logon Success | Logon Success and Failure | Logon Success and Failure
Audit Policy: Logon-Logoff: Special Logon | Success | Special Logon Success | Special Logon Success and Failure | Special Logon Success
Audit Policy: Object Access: File System | No Auditing | File System No Auditing | File System No Auditing | File System No Auditing
Audit Policy: Object Access: Registry | No Auditing | Registry No Auditing | Registry No Auditing | Registry No Auditing
Audit Policy: Privilege Use: Sensitive Privilege Use | Success and Failure | Sensitive Privilege Use No Auditing | Sensitive Privilege Use Failure | Sensitive Privilege Use No Auditing
Audit Policy: Detailed Tracking: Process Creation | Success | Process Creation No Auditing | Process Creation No Auditing | Process Creation No Auditing
Audit Policy: Policy Change: Audit Policy Change | Success and Failure | Audit Policy Change Success | Audit Policy Change Success and Failure | Audit Policy Change Success
Audit Policy: Policy Change: Authentication Policy Change | Success | Authentication Policy Change Success | Authentication Policy Change Success and Failure | Authentication Policy Change Success
Audit Policy: Account Management: Computer Account Management | Success | Computer Account Management Success | Computer Account Management Success and Failure | Computer Account Management Success
Audit Policy: Account Management: Other Account Management Events | Success | Other Account Management Events Success | Other Account Management Events Success and Failure | Other Account Management Events No Auditing
Audit Policy: Account Management: Security Group Management | Success | Security Group Management Success | Security Group Management Success and Failure | Security Group Management Success
Audit Policy: Account Management: User Account Management | Success | User Account Management Success | User Account Management Success and Failure | User Account Management Success
Audit Policy: DS Access: Directory Service Access | Success | Directory Service Access Success | Directory Service Access Failure | Directory Service Access Success
Audit Policy: DS Access: Directory Service Changes | Success | Directory Service Changes Success | Directory Service Changes Failure | Directory Service Changes No Auditing
Audit Policy: Account Logon: Credential Validation | Success | Credential Validation Success | Credential Validation Success and Failure | Credential Validation Success
Event Log
Application: Maximum Log Size (KB) | 32768 | 20971520 | 16777216 | 20971520
Application: Retain old events | 0 | 0 | 0 | 0
Security: Maximum Log Size (KB) | 81920 | 134217728 | 102367232 | 134217728
Security: Retain old events | 0 | 0 | 0 | 0
System: Maximum Log Size (KB) | 32768 | 20971520 | 16777216 | 20971520
System: Retain old events | 0 | 0 | 0 | 0
Windows Firewall
Windows Firewall: Allow ICMP exceptions (Domain) | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Allow ICMP exceptions (Standard) | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local connection security rules (Domain) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local connection security rules (Private) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local connection security rules (Public) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local firewall rules (Domain) | Not configured | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local firewall rules (Private) | Not configured | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Apply local firewall rules (Public) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Display a notification (Domain) | Not configured | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Display a notification (Private) | Not configured | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Display a notification (Public) | No | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Firewall state (Domain) | On | 0 | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Firewall state (Private) | On | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Firewall state (Public) | On | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Inbound connections (Domain) | Block | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Inbound connections (Private) | Block | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Inbound connections (Public) | Block | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Prohibit notifications (Domain) | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Prohibit notifications (Standard) | Disabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Firewall: Protect all network connections (Domain) | Enabled | 0 | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
Windows Update
Configure Automatic Updates | 3 | 3 | 3 | 3
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box | Disabled | 1 | 1 | NOT FOUND: Registry key not found
Reschedule Automatic Updates scheduled installations | Enabled | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found | NOT FOUND: Registry key not found
User Account Control
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled | 0 | 0 | 0
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for credentials | 0 | 0 | 5
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | 3 | 1 | 3
User Account Control: Detect application installations and prompt for elevation | Enabled | 1 | 1 | 1
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | 1 | 1 | 1
User Account Control: Run all administrators in Admin Approval Mode | Enabled | 0 | 0 | 1
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | 0 | 1 | 1
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | 1 | 1 | 1
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | 0 | 0 | 0
User Rights
Access this computer from the network | Administrators, Authenticated Users | SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,IWAM_DC0004,IUSR_DC0004,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-9 | SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-9 | SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,IWAM_QUINTIQ_APPS,IUSR_QUINTIQ_APPS,QBDataServiceUser17,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-554,*S-1-5-9
Act as part of the operating system | No one | null | SeTcbPrivilege = patrol | SeTcbPrivilege = Administrator,*S-1-5-32-551
Adjust memory quotas for a process | Not Defined | SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,IWAM_DC0004,SQLServer2005MSSQLUser$DC0004$MICROSOFT##SSEE,SQLServer2005MSSQLUser$DC0005$MICROSOFT##SSEE,*S-1-5-32-544,*S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 | SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,patrol,*S-1-5-32-544 | SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,IWAM_QUINTIQ_APPS,*S-1-5-32-544
Back up files and directories | Not Defined | SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551 | SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551 | SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
Bypass traverse checking | Not Defined | SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,SQLServer2005MSSQLUser$DC0004$MICROSOFT##SSEE,SQLServer2005MSSQLUser$DC0005$MICROSOFT##SSEE,*S-1-5-32-544,*S-1-5-32-554 | SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554 | SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,QBDataServiceUser17,*S-1-5-32-554
Change the system time | LOCAL SERVICE, Administrators | null | null | null
Create a pagefile | Not Defined | SeCreatePagefilePrivilege = *S-1-5-32-544 | SeCreatePagefilePrivilege = *S-1-5-32-544 | SeCreatePagefilePrivilege = *S-1-5-32-544
Create a token object | No one | null | null | null
Create Global Objects | Not Defined | SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6 | SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6 | SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
Create permanent shared objects | No one | null | null | null
Debug Programs | Administrators | SeDebugPrivilege = *S-1-5-32-544 | null | SeDebugPrivilege = *S-1-5-32-544
Deny access to this computer from the network | Guests | SeDenyNetworkLogonRight = SUPPORT_388945a0 | SeDenyNetworkLogonRight = SUPPORT_388945a0 | SeDenyNetworkLogonRight = SUPPORT_388945a0
Enable computer and user accounts to be trusted for delegation | No one | SeEnableDelegationPrivilege = *S-1-5-32-544 | SeEnableDelegationPrivilege = *S-1-5-32-544 | SeEnableDelegationPrivilege = *S-1-5-32-544
Force shutdown from a remote system | Not Defined | SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549 | SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549 | SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6 | SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,IIS_WPG,*S-1-5-21-2682533525-32957448-2324837924-1005,*S-1-5-21-2682533525-32957448-2324837924-1006,*S-1-5-32-544,*S-1-5-32-568,*S-1-5-6 | SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,IIS_WPG,aspuser,*S-1-5-32-544,*S-1-5-6
Increase scheduling priority | Not Defined | SeIncreaseBasePriorityPrivilege = *S-1-5-32-544 | SeIncreaseBasePriorityPrivilege = *S-1-5-32-544 | SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
Load and unload device drivers | Administrators | SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550 | SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550 | SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
Lock pages in memory | Not Defined | null | SeLockMemoryPrivilege = admin_ordina | null
Manage auditing and security log | Not Defined | SeSecurityPrivilege = Exchange Enterprise Servers,Exchange Servers,*S-1-5-32-544 | SeSecurityPrivilege = Exchange Enterprise Servers,Exchange Servers,*S-1-5-32-544 | SeSecurityPrivilege = *S-1-5-32-544
Modify firmware environment values | Not Defined | SeSystemEnvironmentPrivilege = *S-1-5-32-544 | SeSystemEnvironmentPrivilege = *S-1-5-32-544 | SeSystemEnvironmentPrivilege = *S-1-5-32-544
Perform volume maintenance tasks | Not Defined | SeManageVolumePrivilege = *S-1-5-32-544 | SeManageVolumePrivilege = Ordina_TskMgr | SeManageVolumePrivilege = *S-1-5-32-544
Profile single process | Administrators | SeProfileSingleProcessPrivilege = *S-1-5-32-544 | SeProfileSingleProcessPrivilege = *S-1-5-32-544 | SeProfileSingleProcessPrivilege = *S-1-5-32-544
Profile system performance | Administrators | SeSystemProfilePrivilege = *S-1-5-32-544 | SeSystemProfilePrivilege = patrol,*S-1-5-32-544 | SeSystemProfilePrivilege = *S-1-5-32-544
Remove computer from docking station | Administrators | SeUndockPrivilege = *S-1-5-32-544 | SeUndockPrivilege = *S-1-5-32-544 | SeUndockPrivilege = *S-1-5-32-544
Replace a process level token | LOCAL SERVICE, NETWORK SERVICE | SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,IWAM_DC0004,SQLServer2005MSSQLUser$DC0004$MICROSOFT##SSEE,SQLServer2005MSSQLUser$DC0005$MICROSOFT##SSEE,*S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 | SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,patrol | SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,IWAM_QUINTIQ_APPS
Shut down the system | Administrators | SeShutdownPrivilege = whadmin,*S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551 | SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551 | SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
Add workstations to domain | Administrators | SeMachineAccountPrivilege = *S-1-5-11 | SeMachineAccountPrivilege = *S-1-5-11 | SeMachineAccountPrivilege = *S-1-5-11
Allow log on locally | Administrators | SeInteractiveLogonRight = IUSR_DC0004,*S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551 | SeInteractiveLogonRight = patrol,*S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551 | SeInteractiveLogonRight = *S-1-5-21-1702575486-368451825-1349916565-1058,IUSR_QUINTIQ,IUSR_QUINTIQ_APPS,*S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
Allow logon through terminal services | Administrators | SeRemoteInteractiveLogonRight = *S-1-5-32-544 | SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555 | SeRemoteInteractiveLogonRight = *S-1-5-32-544
Deny logon locally | Guests | SeDenyInteractiveLogonRight = SUPPORT_388945a0 | SeDenyInteractiveLogonRight = SUPPORT_388945a0 | SeDenyInteractiveLogonRight = SophosSAUQUINTIQSER0,*S-1-5-21-1702575486-368451825-1349916565-2344,*S-1-5-21-1702575486-368451825-1349916565-2347,*S-1-5-21-1702575486-368451825-1349916565-2367,*S-1-5-21-1702575486-368451825-1349916565-2631,SUPPORT_388945a0,*S-1-5-21-1702575486-368451825-1349916565-3439,*S-1-5-21-1702575486-368451825-1349916565-3816,QBDataServiceUser17,*S-1-5-21-1702575486-368451825-1349916565-4377
Deny logon through Terminal Service (minimum) | Guests | null | null | null
Generate security audits | Not Defined | SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334,*S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 | SeAuditPrivilege = *S-1-5-19,*S-1-5-20 | SeAuditPrivilege = *S-1-5-19,*S-1-5-20
Log on as a batch job | No one | SeBatchLogonRight = *S-1-5-19,SUPPORT_388945a0,PMadmin,whadmin,SA_Algemeen,ecs_svc,IIS_WPG,bvadmin,IWAM_DC0004,IUSR_DC0004,SQLServer2005MSSQLUser$DC0004$MICROSOFT##SSEE,SQLServer2005MSSQLUser$DC0005$MICROSOFT##SSEE,*S-1-5-32-568 | SeBatchLogonRight = *S-1-5-19,SUPPORT_388945a0,Ordina_TskMgr,admin_ordina,IIS_WPG,*S-1-5-32-568 | SeBatchLogonRight = *S-1-5-18,*S-1-5-19,*S-1-5-21-1702575486-368451825-1349916565-1019,*S-1-5-21-1702575486-368451825-1349916565-1380,IWAM_QUINTIQ_APPS,IUSR_QUINTIQ_APPS,EMLib,IIS_WPG,SUPPORT
_388945a0,Administrator,*S-
1-5-32-551
Restore files and directories Administ
rators, Backup
Operators
SeRestorePrivilege = *S-1-
5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeRestorePrivilege
= *S-1-5-32-544,*S-1-5-32-
549,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-
32-544,*S-1-5-32-549,*S-1-5-32-551
Take ownership of file or other objects Administ
rators
SeTakeOwnershipPrivilege
= *S-1-5-32-544
SeTakeOwnership
Privilege = *S-1-
5-32-544
SeTakeOwnershipPrivilege =
*S-1-5-32-544
Synchronize directory service data No one null null null
Security Options
Network Security: Minimum session
security for NTLM SSP based (incl. secure RPC) servers
Require
NTLMv2 session
security,
Require 128
-
bit encryptio
n
536870912 0 536870912
Accounts: Rename Administrator Account
<> admin NewAdministratorName = "Administrator"
NewAdministratorName =
"Administrator"
NewAdministratorName = "Administrator"
Accounts: Rename Guest Account <> guest NewGuestName = "Guest" NewGuestName =
"Guest"
NewGuestName = "Guest"
Accounts: Guest Account Status Disabled EnableGuestAccount = 0 EnableGuestAccount = 0
EnableGuestAccount = 0
Accounts: Limit local account use of
blank passwords to console logon only
Enabled 1 1 1
Devices: Allowed to format and eject
removable media
Administ
rators
NOT FOUND: Registry key
not found
0 NOT FOUND: Registry key
not found
Devices: Prevent users from installing
printer drivers
Enabled 1 1 1
Devices: Restrict CD-ROM Access to
Locally Logged-On User Only
Not
Defined
NOT FOUND: Registry key
not found
1 NOT FOUND: Registry key
not found
The added value of an operating system audit to an IT General Controls audit 54
Devices: Restrict Floppy Access to
Locally Logged-On User Only
Not
Defined
NOT FOUND: Registry key
not found
1 NOT FOUND: Registry key
not found
Domain Member: Digitally Encrypt or
Sign Secure Channel Data (Always)
Enabled 1 0 1
Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
Enabled 1 1 1
Domain Member: Digitally Sign Secure
Channel Data (When Possible)
Enabled 1 1 1
Domain Member: Disable Machine
Account Password Changes
Disabled 0 0 0
Domain Member: Maximum Machine
Account Password Age
30 30 30 30
Domain Member: Require Strong
Session Key
Enabled 1 0 1
Domain Controller: Allow Server Operators to Schedule Tasks
Disabled NOT FOUND: Registry key not found
0 NOT FOUND: Registry key not found
Domain Controller: LDAP Server
Signing Requirements
Not
Defined
1 1 1
Domain Controller: Refuse machine account password changes
Disabled 0 0 0
Interactive Logon: Do Not Display Last
User Name
Enabled 0 1 0
Interactive Logon: Do not require
CTRL+ALT+DEL
Disabled 0 15 15
Interactive Logon: Number of Previous Logons to Cache
0 10 10 10
Interactive Logon: Prompt User to
Change Password Before Expiration
14 5 14 5
Interactive Logon: Require Domain
Controller authentication to unlock workstation
Enabled 0 1 0
Interactive Logon: Smart Card Removal
Behavior
Lock
Workstati
on
0 2 0
The added value of an operating system audit to an IT General Controls audit 55
Interactive Logon: Message Text for
Users Attempting to Log On
- U gebruikt de
automatiseringsfaciliteiten van
Comany B In het
kader van de beveiliging en het
voorkomen van
misbruik gelden voor de gebruikers
en
systeembeheerders van Company B
een aantal
bepalingen die in een protocol
beschreven zijn.
Van u wordt verwacht dit
protocol te kennen
en daar ook naar te handelen. Voor
meer informatie kunt u contact op
nemen met uw
lokale ICT afdeling.
Interactive Logon: Message Title for
Users Attempting to Log On
- ICT Protocol
Company B
Interactive logon: Require smart card Not
Defined
0 0 0
Microsoft Network Client: Digitally
sign communications (always)
Enabled 0 0 0
Microsoft Network Client: Digitally
sign communications (if server agrees)
Enabled 1 1 1
Microsoft Network Client: Send Unencrypted Password to Connect to
Third-Part SMB Server
Disabled 0 0 0
Microsoft Network Server: Amount of
Idle Time Required Before Disconnecting Session
15
minutes
15 15 15
Microsoft Network Server: Digitally sign communications (always)
Enabled 0 0 0
Microsoft Network Server: Disconnect
clients when logon hours expire
Enabled 1 1 1
Network Access: Do not allow Anonymous Enumeration of SAM
Accounts
Enabled 1 1 1
Network Access: Do not allow storage
of credentials or .NET passports
Enabled 0 0 0
Network Access: Let Everyone
permissions apply to anonymous users
Disabled 0 1 0
Network Access: Named pipes that can
be accessed anonymously
Not
Defined
browserHydraLsPi
peTermServLicens
ing
Network access: Restrict anonymous
access to Named Pipes and Shares
Enabled 1 1 1
The added value of an operating system audit to an IT General Controls audit 56
Network Access: Shares that can be
accessed anonymously
None NOT FOUND: Registry key
not found
COMCFGDFS$ NOT FOUND: Registry key
not found
Network Security: Do not store LAN
Manager password hash value on next
password change
Enabled 1 0 1
Network Security: LAN Manager Authentication Level
NTLMv2 response
only.
Refuse LM
2 2 NOT FOUND: Registry key not found
Network Security: LDAP client signing
requirements
Negotiate
signing
1 1 1
Network Security: Minimum session
security for NTLM SSP based (incl. secure RPC) clients
Require
NTLMv2 session
security,
Require 128
-
bit encryptio
n
536870912 0 536870912
Recovery Console: Allow Automatic Administrative Logon
Disabled 0 0 0
Recovery Console: Allow Floppy Copy
and Access to All Drives and All
Folders
Not
defined
0 1 0
Shutdown: Clear Virtual Memory Pagefile
Disabled 0 0 0
Shutdown: Allow System to be Shut
Down Without Having to Log On
Disabled 0 0 0
System objects: Require case
insensitivity for non-Windows subsystems
Enabled 1 1 1
System objects: Strengthen default
permissions of internal system objects
Enabled 1 1 1
System cryptography: Force strong key
protection for user keys stored on the
computer
User is
prompted
when the
key is first used
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
System settings: Optional subsystems None Posix Posix Posix
System settings: Use Certificate Rules
on Windows Executables for Software
Restriction Policies
Not
Defined
0 0 0
MSS: (DisableIPSourceRouting) IP
source routing protection level
Highes
t protectio
n, source routing
is
completely
disabled
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
The added value of an operating system audit to an IT General Controls audit 57
MSS: (EnableICMPRedirect) Allow
ICMP redirects to override OSPF generated routes
Disabled 1 1 1
MSS: How often keep-alive packets are
sent in milliseconds
Not
Defined
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS
name release requests except from
WINS servers
Enabled NOT FOUND: Registry key not found
NOT FOUND: Registry key not
found
NOT FOUND: Registry key not found
MSS: Enable the computer to stop
generating 8.3 style filenames
Enabled 2 0 2
MSS: (PerformRouterDiscovery) Allow
IRDP to detect and configure
DefaultGateway addresses
Disabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
MSS: Enable Safe DLL search mode Enabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
MSS: The time in seconds before the
screen saver grace period expires
0 NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
MSS: (TCPMaxDataRetransmissions)
How many times unacknowledged data is retransmitted
3 NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
MSS: Percentage threshold for the
security event log at which the system will generate a warning
90% or le
ss
NOT FOUND: Registry key
not found
0 NOT FOUND: Registry key
not found
Terminal Services
Always prompt client for password upon connection
Enabled NOT FOUND: Registry key not found
NOT FOUND: Registry key not
found
NOT FOUND: Registry key not found
Set client connection encryption level Enabled:
High level
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
Do not allow drive redirection Not
Defined
NOT FOUND: Registry key
not found
1 NOT FOUND: Registry key
not found
Do not allow passwords to be saved Enabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
Internet Communication
Turn off downloading of print drivers
over HTTP
Enabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
Turn off the -Publish to Web- task for
files and folders
Enabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
Turn off Internet download for Web
publishing and online ordering wizards
Enabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
Turn off printing over HTTP Enabled NOT FOUND: Registry key not found
NOT FOUND: Registry key not
found
NOT FOUND: Registry key not found
The added value of an operating system audit to an IT General Controls audit 58
Turn off Search Companion content file
updates
Enabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
Turn off the Windows Messenger
Customer Experience Improvement
Program
Enabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
Turn off Windows Update device driver searching
Not Defined
NOT FOUND: Registry key not found
NOT FOUND: Registry key not
found
NOT FOUND: Registry key not found
Additional Security Settings
Do not process the legacy run list Not
configure
d
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
Do not process the run once list Not configure
d
NOT FOUND: Registry key not found
NOT FOUND: Registry key not
found
NOT FOUND: Registry key not found
Registry policy processing Not
Defined
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
Offer Remote Assistance Not Defined
NOT FOUND: Registry key not found
NOT FOUND: Registry key not
found
NOT FOUND: Registry key not found
Solicited Remote Assistance Not
Defined
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
Restrictions for Unauthenticated RPC
clients
Not
Defined
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not
found
NOT FOUND: Registry key
not found
RPC Endpoint Mapper Client
Authentication
Not
Defined
NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
Turn off Autoplay Enabled:
All
drives
NOT FOUND: Registry key
not found
255 NOT FOUND: Registry key
not found
Enumerate administrator accounts on elevation
Not configure
d
NOT FOUND: Registry key not found
NOT FOUND: Registry key not
found
NOT FOUND: Registry key not found
Require trusted path for credential entry Enabled NOT FOUND: Registry key
not found
NOT FOUND:
Registry key not found
NOT FOUND: Registry key
not found
Disable remote Desktop Sharing Enabled NOT FOUND: Registry key not found
NOT FOUND: Registry key not
found
NOT FOUND: Registry key not found
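The table above records, per setting, whether each company's exported value matches the best-practice column. As an added example, not taken from the thesis or from any tool it used, the script below automates that comparison: it parses the INF file that Windows' `secedit /export /cfg <file>` writes, whose [Privilege Rights] lines have the same `SeXxxPrivilege = principal,principal` shape as the user-rights rows above, and reports OK, DEVIATION or NOT FOUND per baseline setting, resolving well-known SIDs to names so a finding reads "extra: Server Operators" rather than "*S-1-5-32-549". The sample export (user-right lines copied from the Company A column, registry lines constructed), the baseline and the registry paths (standard secedit paths; the numeric values 4 for "NTLMv2 response only / refuse LM" and 3 for the High RDP encryption level are assumed translations of the best-practice text) are all constructed for the example.

```python
"""Baseline checker for secedit-style evidence (added example, not from the thesis).
Parses the INF file that `secedit /export /cfg <file>` writes and compares its
[Privilege Rights] and [Registry Values] sections with a best-practice baseline,
giving OK / DEVIATION / NOT FOUND per setting, the outcomes the columns above record.
"""
from typing import Dict, Set, Tuple

# Well-known SIDs as secedit writes them (leading '*' = SID rather than account name).
WELL_KNOWN = {
    "*S-1-5-11": "Authenticated Users", "*S-1-5-18": "SYSTEM",
    "*S-1-5-19": "LOCAL SERVICE", "*S-1-5-20": "NETWORK SERVICE",
    "*S-1-5-32-544": "Administrators", "*S-1-5-32-549": "Server Operators",
    "*S-1-5-32-550": "Print Operators", "*S-1-5-32-551": "Backup Operators",
}

# Constructed sample export: the user-right lines copy the Company A column above;
# the registry lines use standard secedit paths with values assumed here.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = whadmin,*S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeMachineAccountPrivilege = *S-1-5-11
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-19,SUPPORT_388945a0,PMadmin,whadmin
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
"""

# Baseline from the table's best-practice column: allowed principals per right
# (empty set = "No one") and the expected REG_DWORD per registry value.
BASELINE_RIGHTS: Dict[str, Set[str]] = {
    "SeShutdownPrivilege": {"*S-1-5-32-544"},            # Administrators
    "SeMachineAccountPrivilege": {"*S-1-5-32-544"},      # Administrators
    "SeRemoteInteractiveLogonRight": {"*S-1-5-32-544"},  # Administrators
    "SeBatchLogonRight": set(),                          # No one
}
BASELINE_REGISTRY: Dict[str, int] = {
    # 4 = "Send NTLMv2 response only / refuse LM" (assumed numeric form of the table's text)
    "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel": 4,
    "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash": 1,
    # RDP "Set client connection encryption level", 3 = High (assumed); absent from the sample
    "MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MinEncryptionLevel": 3,
}


def parse_secedit(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Tuple[int, str]]]:
    """Return ({right: principals}, {registry path: (type, value)})."""
    rights: Dict[str, Set[str]] = {}
    registry: Dict[str, Tuple[int, str]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "Privilege Rights":  # empty right-hand side = granted to no one
            rights[key] = {p.strip() for p in value.split(",") if p.strip()}
        elif section == "Registry Values":  # "<type>,<data>", type 4 = REG_DWORD
            reg_type, _, reg_value = value.partition(",")
            registry[key] = (int(reg_type), reg_value)
    return rights, registry


def audit(export_text: str, baseline_rights=BASELINE_RIGHTS,
          baseline_registry=BASELINE_REGISTRY) -> Dict[str, Tuple[str, str]]:
    """Map each baseline setting to (status, detail)."""
    rights, registry = parse_secedit(export_text)
    result: Dict[str, Tuple[str, str]] = {}
    for right, allowed in baseline_rights.items():
        if right not in rights:
            result[right] = ("NOT FOUND", "right not present in export")
            continue
        parts = []  # extra = granted beyond the baseline; missing = baseline principal lacks it
        for label, group in (("extra", rights[right] - allowed), ("missing", allowed - rights[right])):
            if group:
                parts.append(f"{label}: " + ", ".join(sorted(WELL_KNOWN.get(p, p) for p in group)))
        result[right] = ("DEVIATION" if parts else "OK", "; ".join(parts))
    for path, expected in baseline_registry.items():
        name = path.rsplit("\\", 1)[-1]
        if path not in registry:
            result[name] = ("NOT FOUND", "Registry key not found")
        elif int(registry[path][1]) == expected:
            result[name] = ("OK", f"value {expected}")
        else:
            result[name] = ("DEVIATION", f"expected {expected}, found {registry[path][1]}")
    return result


if __name__ == "__main__":
    for setting, (status, detail) in audit(SAMPLE_EXPORT).items():
        print(f"{status:9} {setting}: {detail}")
```

On a real host the input is the file produced by `secedit /export /cfg host.inf` (secedit writes it as UTF-16, so open it with that encoding before passing the text to `audit`). The parser accepts both the `*S-1-5-...` SID form and plain account names, as the table's cells mix the two, and a baseline entry whose registry path is missing from the export yields the same "NOT FOUND: Registry key not found" outcome the table shows; for user rights the useful audit finding is the "extra" list, since every principal beyond the best-practice set is a candidate for follow-up with the system owner.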