If you fall under one of the many governmental regulatory acts that mandate information privacy protection for various industries--for example, the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley (GLB) Act--securing the data on your network is more than just a best practice; it's the law. That means you must be able to prove that your systems are properly configured to prevent access by unauthorized persons and you must have mechanisms in place to log when and by whom data was accessed.
Even if your company has thus far escaped regulatory requirements, keeping track of how securely your systems are configured and who’s accessing sensitive data is just plain smart.
Regardless of the size of your company and the size of your budget, there are security auditing tools that you can use to track and report on important security information on an on-going basis.
Security auditing tools for small businesses and tight budgets
When we talk about security auditing, we’re really talking about two different aspects:
- Auditing user access to information
- Auditing system configurations
When your organization is small, you may not have a lot of extra room in the budget for auditing tools. The good news is that there are a number of free or low cost software utilities that can help your small business implement both types of auditing.
Auditing user access with Windows auditing feature
If you’re using Windows 2000, XP and/or Server 2003 computers, either in a peer-to-peer network or a domain, you can use the built-in auditing function to set audit policies to log security-related events to the Security log in the Windows Event Viewer. There is no extra cost and no software to install. You can choose to log any or all of the following:
- Logon attempts and events (successful and failed)
- Account management
- Directory service access
- Object access
- Policy changes
- Privilege use
- Process tracking
- System events
Auditing is disabled by default in Windows 2000, but can be turned on easily through the Local Security Policy snap-in. An extra step is necessary to set up auditing of access on a particular object (file, folder, printer). In Windows Server 2003, auditing of account logon and logon events is enabled by default, but object access auditing is not. You can define audit policies for a local computer, domain controller, domain or OU.
For instructions on enabling security auditing on Windows Server 2003, see http://technet2.microsoft.com/WindowsServer/en/Library/74783f7a-49bc-4f16-b920-34081b890a3d1033.mspx?mfr=true
It’s important to plan carefully when enabling auditing of object access, as this can result in a very large security log that takes up a lot of disk space and is difficult to sort through. You can also use the Security Configuration Wizard in Server 2003 Service Pack 1 to help you configure auditing.
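The script below is an added example, not part of the original article: it shows the kind of sorting-through that a large Security log demands, parsing a constructed tab-separated export in the layout Event Viewer's text "Save As" produces, flagging accounts with repeated failed logons, and counting events per audit category so the volume that object-access auditing generates is visible. The event IDs, export layout and account names are assumptions.

```python
# Added example (not from the article): summarise a Windows Security log export.
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the tab-separated layout of an Event Viewer text export.
# Event IDs 528/540 (successful logon), 529 (bad name/password) and 560 (object
# open) are the pre-Vista Security log IDs; treat them here as assumptions.
SAMPLE_EXPORT = """\
Type\tDate\tTime\tCategory\tEvent\tUser
Success Audit\t2005-03-01\t08:01:12\tLogon/Logoff\t528\tCORP\\alice
Failure Audit\t2005-03-01\t08:02:05\tLogon/Logoff\t529\tCORP\\bob
Failure Audit\t2005-03-01\t08:02:09\tLogon/Logoff\t529\tCORP\\bob
Failure Audit\t2005-03-01\t08:02:14\tLogon/Logoff\t529\tCORP\\bob
Failure Audit\t2005-03-01\t08:02:20\tLogon/Logoff\t529\tCORP\\bob
Success Audit\t2005-03-01\t08:03:00\tLogon/Logoff\t540\tCORP\\bob
Success Audit\t2005-03-01\t08:03:01\tObject Access\t560\tCORP\\alice
Success Audit\t2005-03-01\t08:03:01\tObject Access\t560\tCORP\\alice
Success Audit\t2005-03-01\t08:03:02\tObject Access\t560\tCORP\\alice
Success Audit\t2005-03-01\t08:03:02\tObject Access\t560\tCORP\\alice
Success Audit\t2005-03-01\t08:03:03\tObject Access\t560\tCORP\\alice
"""

def parse_export(text):
    """Parse a tab-separated Security log export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text), delimiter="\t"))

def failed_logons_by_user(records, threshold=3):
    """Accounts with at least `threshold` Failure Audit logon events."""
    counts = Counter(r["User"] for r in records
                     if r["Type"] == "Failure Audit" and r["Category"] == "Logon/Logoff")
    return {user: n for user, n in counts.items() if n >= threshold}

def events_by_category(records):
    """Event count per audit category: shows which policy drives log volume."""
    return dict(Counter(r["Category"] for r in records))

def failed_then_succeeded(records):
    """Users whose failed logons were later followed by a successful logon."""
    failed, flagged = set(), set()
    for r in records:  # the export is assumed to be in chronological order
        if r["Category"] != "Logon/Logoff":
            continue
        if r["Type"] == "Failure Audit":
            failed.add(r["User"])
        elif r["User"] in failed:
            flagged.add(r["User"])
    return sorted(flagged)
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the category counts are the quickest way to see whether object-access auditing is what is filling the disk.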
Auditing system settings with configuration scanners
To audit system configurations and determine if your computers and network devices are securely configured, you can use one of many popular vulnerability scanners. Again, Microsoft provides a free tool that can be used by small businesses on a budget: the Microsoft Baseline Security Analyzer (MBSA).
MBSA version 2 scans and analyzes the configurations of Windows 2000 SP3 and later operating systems, Office XP and later, Exchange 2000 and later, and SQL Server 2000 SP4 and later. The tool can detect common misconfigurations and determine whether your machines have the current service packs and security updates applied.
The MBSA only works for Microsoft products. If you have other operating systems on your network, there are numerous free and low cost vulnerability scanners that support UNIX/Linux. An example is Nessus, an open source vulnerability scanner available from http://nessus.org/
Sophisticated security auditing for the enterprise
As your organization grows, your auditing demands may become more sophisticated. This is especially true if you’re in a regulated industry. Then it’s time to turn to commercial enterprise-level solutions for auditing both access and configuration.
Access auditing for the enterprise
Access auditing products for the enterprise include:
- User File Access Tracker from ByStorm Software records access and changes made to files, without negative impact on performance and without the need to set up databases.
- File System Auditor from ScriptLogic provides real-time monitoring and logs, reports and sends alerts based on file server activity, with events stored in a centralized SQL database.
Enterprise level vulnerability scanners
Configuration/vulnerability scanners designed for large organizations provide for centralized scanning of large numbers of systems with centralized reporting. They don’t come cheap, but they can make auditing of your network assets much easier. Some examples include:
- Sunbelt Network Security Inspector (SNSI) from Sunbelt Software, which supports a wide variety of Windows and UNIX/Linux operating systems as well as Macintosh OS X, HP printers and Cisco network devices. Per-administrator licensing makes it cost effective in large environments.
- LANguard Network Security Scanner (NSS) from GFI gives you per-IP address information about all the machines on your network, as well as wireless access points and USB devices. The ReportPack add-on lets you create graphical reports geared toward both IT and management uses.
Planning a security auditing solution that will grow with your organization
The key to developing a security auditing solution that will grow as your organization does is to plan ahead. Assess your auditing needs based on regulatory status, nature of business, sensitivity of data, network infrastructure, and threat levels and exposure.
Auditing can be deployed in layers, beginning with auditing of a few local machines and moving on to domain-wide auditing or centralized auditing via third-party products by adding layers (and removing layers at the other end if and when they are no longer needed).
A good audit plan takes into consideration what needs to be audited, who needs to be audited, when auditing is needed, where auditing is needed, and how the audit information is to be formatted and used.