Top Five Security Control Points Auditors Miss

Make sure you check these essential control points in any Windows network audit

Auditors face two limiting factors: time and money. Budgets normally prohibit an auditor from compiling a 100-percent-complete audit on all computers, even for small and mid-size networks. As for the time restriction, if a company has tens of thousands of computers, it is impossible to consider auditing all of them. So how can you be more proficient and efficient in audits of Windows networks?

One or more of the missed audit control points I describe below may come as a surprise. You might be checking a portion of the control point but miss the entire picture. You may not consider an item on this list to even be a security concern because it isn't part of your audit program. However, these control points have security written all over them and should be included in every audit program for Windows networks.

Missed Control Point #1: Domain Admins Missing from Local Administrators Group

This is a key control point for two reasons. First, the default behavior of all Windows Active Directory domain computer members is to have the Domain Admins group placed in the Local Administrators group in the Local SAM. This default behavior allows the administrators from the domain to configure and troubleshoot all computers on the network. If this is taken away from domain administrators, they are not able to perform their jobs, which include configuring security settings on all computers.

Second, this important check goes to the core of why the Domain Admins group is no longer in the Administrators group. This group is a member of the Administrators group by default and the only reason for taking it out is to remove the administrative capabilities of the domain administrators, which should be cause for concern for the owner of the computer where this setting is incorrect.

Missed Control Point #2: Local User Account in the Local SAM

This missed control point is essential for all computers where the owner of the computer is also a local administrator of that computer. In these cases, it is common for the administrator to add a new user account to the Local SAM of the computer, which has the same name and password as their domain user account. This allows users to log on locally instead of to the domain, allowing them to bypass the user-based Group Policy Objects configured in Active Directory. The problem: the computer is not as secure. Bypassing the GPOs fails to configure the proper security and environment settings, leaving potential security holes on the computer every time the user logs on locally.

In our audit, be sure there are no local user accounts on client computers and member servers. If local user accounts exist, then they need to be accounted for and justified.

Missed Control Point #3: Each Domain Has a Unique Account Policy Configuration

If a company has more than one domain, then there will be more than one Account Policy configuration. (Remember the Account Policy dictates the password restrictions and account lockout criteria for all domain users.) Each domain, even child domains, has its own unique Account Policy. If only the main domain Account Policy is checked, or a sampling is done, it leaves one of the most important audit checks untouched. This is undesirable and should be avoided at all costs. Every domain in the environment needs to be audited for the Account Policy.

Missed Control Point #4: Patch Management Procedures

Auditing the patch level on a sampling of computers is common. Tools such as Microsoft Baseline Security Analyzer (MBSA) are ideal for this, allowing for a global sweep of all computers’ patch level. However, what is equally important to the security of the computer and the stability of the infrastructure is the procedure that is used to apply the patches. If the patch management procedure is manual, the chance that the computers are maintained efficiently is almost nil. Tools such as Software Update Services (SUS) and Software Management Services (SMS) allow patches to be forced down to computers and installed regardless of users' desires. This provides a secure and safe environment that is controlled by an automated process.

Missed Control Point #5: Failure to Check for Membership in the Pre-Windows Compatibility Access (PWCA) group

One audit point that is easy to perform (but almost never is) is membership in the Pre-Windows Compatibility Access group. Every Windows Active Directory domain (2000 and 2003) has this group. During installation, administrators are asked if they want the Everyone group placed in the PWCA group (this allows for “null credential authentication” to Active Directory). This is needed for Windows NT 4.0 Remote Access Services and SMS 2.0. Unfortunately, it also provides an opportunity for anonymous connections and enumeration against the domain controllers. If older RAS and SMS services are not being used in the environment, there should not be any user or group accounts listed in the Pre-Windows Compatibility Access group.


Adding these control points to your audit plan will help seal up the holes that administrators fail to secure in Windows. It will also encourage the IT staff to more carefully think about all of the detailed security settings for which they are responsible.

Additional articles by Derek Melber

About the Author

Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., as well as an independent consultant and speaker, as well as author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of the The Group Policy Resource Kit by MSPress, which is the defacto book on the subject.