Ask an IT manager to tell you who made what changes to system configurations in their IT infrastructure and it will often involve a time-consuming manual process of trawling through a disparate array of native audit logs from servers and network equipment. Despite being slow and insecure this manual approach is still common-place even in the largest of organizations.
In reality very few IT teams know what is happening in their networks. With increasingly complex environments, there is a lot to keep track of but below is our IT infrastructure audit checklist of top 10 things IT departments really should be auditing:
Active Directory is truly a backbone of all modern networks, however a majority of organizations still do not audit it at all or rely on native log tools to audit their AD and don’t understand what’s happening until they have to investigate events such as e-mail downtime or unauthorized access to sensitive data.
Typical audit questions:
- Who added a user to a security group?
- Who delegated management rights to OU?
- What OUs were removed?
Download a Free Cheat Sheet for Active Directory auditing >
2. Windows Server
Unauthorized changes to Windows-based server can potentially impact the users and cause major disruptions to your business. It is important to keep track of even the slightest configuration changes made to hardware devices, drivers, Windows Registry settings, software installation and removal, services, network settings, local users and groups, etc.
Typical audit questions:
- Who installed what software?
- Who changed computer configuration settings?
- Who made changes to registry?
Download a Free Cheat Sheet for Windows Server auditing >
3. File Server
Data thefts and security threats are consequences of improper auditing mechanisms for organizations that rely on file servers or storage devices to store documents and network applications. Accidental or intentional changes to files, folder structure, permissions, file shares, and other objects can lead to data losses, exposure of sensitive data and access governance failures.
Typical audit questions:
- Who changed file permissions on file server?
- Who accessed sensitive files on file servers?
- Who deleted files from file server?
4. Group Policy
Even relatively small changes to security policies, desktop configurations, software deployment and other settings can severely impact security, compliance, and performance of organizations that on Group Policy infrastructure.
Typical audit questions:
- Who deactivated strong password policy?
- Who unlinked GPO from organization unit?
- Who configured new software installation policy?
5. Exchange Server
What irritates users the most? The answer is e-mail issues. Not to say that even an hour of email downtime can result in revenue losses. Auditing changes in Exchange environment is critical to ensure reliable e-mail operation, security and compliance. Exchange servers, mailboxes, information stores, permissions and all other types of objects must be routinely monitored in order to detect changes, both authorized and not, and the full audit trail must be maintained for compliance and forensics.
Typical audit questions:
- Who deleted a mailbox?
- Who accessed another user’s mailbox?
- Who reconfigured information store?
Stay tuned for updates in our blog. The part #2 and more Free Auditing Cheat Sheets are coming soon!
For fully automated auditing of IT systems, try Netwrix Auditor:
