Copyright 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

ZFPAudit:
A Computer-assisted Audit Tool for Evaluation of Microsoft Operating Systems
By Jon Bek

he evaluation of computer system configuration is an important element of any general controls audit of information technology. The analysis of the configuration helps assess security risks, determines compliance with organization policy and measures consistency with industry best practices. Improperly configured computer systems undermine otherwise sound IT security practices, increase costs, impair efficiency and contribute to unscheduled business interruptions. Addressing this task poses special challenges to an audit organization. A thorough hardware and software evaluation requires significant technical skills and knowledge. Gathering evidence and reviewing collected data also require substantial time and effort. Ensuring consistency of manually collected information as well as keying, tabulating and interpreting the data are demanding tasks for a deadline-driven auditor. In the commercial sector, there are a limited number of software products that address this need, but most of these tools are not tailored to the specialized requirements of IT auditors. Additionally, these tools are usually expensive, require prior installation on the target system and may demand the support of the auditees IT department. Though achievable in the for-profit, centralized-authority model of many businesses, this is often impractical in academic institutions and other organizations with a great degree of distributed authority and local autonomy. To address these needs and constraints in IT audit work for the California Institute of Technology, the author has developed a tool utilizing standards-based remote management features that Microsoft now incorporates into its Windows operating system products. These features are known collectively as Windows Management Instrumentation (WMI),1 and comprise Microsofts implementation of the Common Information Model (CIM) standard published by the Distributed Management Task Force (DMTF).2 WMI has been incorporated into all Windows releases beginning with Windows 98 Second Edition. Due to limitations of the security model in releases of Windows 98 and Windows Millennium Edition, the software to be discussed is truly useful only with Windows 2000 and subsequent versions.

The ZFPAudit Tool

The Zero-Footprint Audit Tool (ZFPAudit) is a script-based tool for gathering and reporting Windows-based computer system settings useful to the IT auditor in assessing compliance and risk elements arising from improper

configuration. ZFPAudit may be run from the system to be audited or from a remote console. In either case, the software requires no installation, and in no way modifies the hardware or operating system environment of the host console or audited computer. Data collected by ZFPAudit may be evaluated and printed as a field report, imported into Excel, ACL or other analysis tools, or automatically sent to a remote database. ZFPAudit architecture is modular and plug-in, allowing auditors to easily include or exclude audit tests to be conducted, add new or updated tests as new or revised plug-ins become available, and write their own plug-ins, if desired. The product is published under the terms of the GNU3 public license. This means that the product is provided at no charge and the complete source code is available for review and improvement. In its current version, ZFPAudit includes plug-ins that: Provide a unique identifier for the audited system, using elements such as the hardware serial number, Windows system name and burned-in hardware address (MAC address) of the systems network adapter Report the use of inherently insecure file systems (FAT32) on any local, nonremovable storage device Report configuration settings for the computers security, application and system event logs Provide an inventory of installed software [for software installed in compliance with the Microsoft Installer (MSI) standard] List the current operating system build, patch and service pack level of the running operating system Enumerate the running services. Inappropriate or incorrectly configured services are often exploited by hackers or may indicate that a system has been compromised. Report if the system is protected from unauthorized local access by a password-protected screensaver automatically invoked after a specific period of inactivity Detail user account settings that indicate problems such as dormant or unused accounts, accounts without passwords, passwords that never expire and so forth Determine if the system is currently running antivirus software, if the software is providing real-time file protection, and the date on which the softwares antivirus definition files were last updated

Using ZFPAudit
The user interface for ZFPAudit is a web page, opened in Microsofts Internet Explorer browser (see figure 1). This adds

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2004

a degree of flexibility, as the web page and other files may be installed on a web server, copied to a centrally accessible shared network drive, or run from a CD-ROM, Zip drive, solid-state flash disk plugged into a USB port, or any other convenient, accessible remote or local file system. For example, ZFPAudit could be installed on a web server at one location, such as a data center, opened with the Internet Explorer browser on an auditors computer in the audit office, and used to audit remote client machines elsewhere in the enterprise. To conduct an audit, the auditor provides a user ID (1) and password (2) with administrative privilege on the target machine, the IP address or Windows machine name (3) for the remote system, and a project or audit code (4). The audit code is useful if a number of audits are to be conducted, and results grouped, trended or summarized. Data collection begins when the auditor presses the OK button (5). If the audit is being conducted on the local machine and the current logon account has administrator privilege, parameters 1 through 3 may be omitted. Parameter 4, though recommended, may always be left blank, if desired. A minor disadvantage of opening ZFPAudit from a web server is that the default security settings of the browser on the auditors console will disallow the execution of the embedded scripts necessary for the software to perform an audit. The softwares documentation explains how to add the web server or specific ZFPAudit web pages to a list of the browsers trusted resources, which will allow proper operation. When running from either a web server or file system (local or

remote), the auditor will still be prompted to allow the scripts to run (as an Active-X control) each time an audit is conducted. Minor modifications in a forthcoming release of the product will allow the software to be hosted as an active server page (ASP) on web servers supporting ASP, which will avoid these inconveniences. After gathering data for each of the installed plug-ins, the web page is updated to display the results (see figure 2). The user may scroll down to peruse the complete results. Partial results for the user account plug-in appear in figure 2, item 3. The complete results for this plug-in appear in figure 3. Two additional controls also appear. Item 1 posts the audit results to a remote database, if one has been configured for this purpose. Once posted, this control turns gray and becomes disabled, so duplicate results cannot be posted for the same audit. Results may be audited and posted for the same machine again; however, time stamps on the data will make the distinction between audits clear. Item 2 returns the user to the main page (figure 1), whether or not the audit results have been submitted to a remote database. This makes the tool useful for compliance purposes, allowing clients to self-audit, correct noncompliance on all machines and then record audits for each machine for which they are responsible, proving compliance.

ZFPAudit and Sarbanes-Oxley

At a glance, a tool for evaluating computer system configuration and security would appear to have little to do with Sarbanes-Oxley, a US Act intended to protect investors by

Figure 1Main Page

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2004

Figure 2Updated Results

Figure 3User Accounts

Name Disabled Locked Password Does Not Expire false Password Not Required false Account Expires Last Logon (days) 0 Logon Hours All Password Age (days) 79 days Password Expires In (days) 11 Excessive Password Life false

COMPO\JLB false false * Denotes a possible audit concern Audit Statistics: Password Not Required: 0 Password Life Problems: 0 Dormant Account Problems: 0

improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. However, section 404 requires that the annual report shall state the responsibility of management for establishing and maintaining adequate internal controls, and contain an assessment of the effectiveness of the internal control structure and procedures. The public accounting firm that prepares the annual report is required to attest and report on this information provided by the companys management. Consequently, securing the organizations computers, networks and online systems to protect internal controls and financial reporting processes may indeed fall under the long reach of Sarbanes-Oxley. When considered in combination

with other legislation to which an organization may be subject, such as HIPAA, Gramm-Leach-Bliley, the Digital Millenium Copyright Act and others, it is clear that information technology controls that have heretofore been best practice ideals may soon become requirements for US businesses.

Conclusion
Admittedly, a zero-footprint configuration auditing tool for Windows only begins to address the needs of IT auditors, and is just one of the myriad opportunities for computer-assisted auditing tools (CAATS) to improve IT audit quality and efficiency. Fortunately, ZFPAudit is not unique.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2004

Figure 4Low-cost/No-cost Tools and Resources

NESSUS KISMET TIGER Common Vulnerabilities and Exposures SCRIPT-O-MATIC Network Vulnerability Assessment Tool 802.11 Wireless Network Sniffer Security Tool for UNIX O/S Mitre Corp.s database of known vulnerabilities Tool for getting started with Windows Management Instrumentation (WMI) scripts www.nessus.org/ www.kismetwireless.net/ www.net.tamu.edu/ network/tools/tiger.html http://cve.mitre.org/ www.microsoft.com/technet/ treeview/default.asp?url= /technet/scriptcenter/tools/ wmimatic.asp.

Authors Note:
A list of the authors top five low-cost/no-cost tools and resources is found in figure 4. To obtain a free copy of the ZFPAudit software and documentation, or to exchange ideas on automating other aspects of IT auditing, contact the author or visit the IT audit section of the Caltech Audit Services and Institute Compliance web site, http://asic.caltech.edu/itaudit/.

Endnotes
Lavy, Matthew; Ashley Meggitt; Windows Management Instrumentation, New Riders, Massachusetts, USA, 2002 2 Distributed Management Task Force Inc., www.dmtf.org/index.php 3 The GNU Project, www.gnu.org/
1

Jon Bek is a senior information technology auditor for the California Institute of Technology (Caltech), in Pasadena, California, USA. He has 14 years of experience in enterprise systems development, deployment and IT operations with a major oil company. He joined the Audit Services and Institute Compliance department of Caltech in 2001, and conducts IT and integrated team audits at the Caltech campus and the Jet Propulsion Laboratory, NASAs lead center for robotic exploration of the solar system, managed by Caltech. He is currently completing a program of graduate study in Computer Information Systems at the California State University, Los Angeles. He can be reached at jon.bek@caltech.edu.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2004