Configuration Audit Checklist
🖥️ Windows Server Hardening
Account Management
- Review local administrator accounts
- Check for disabled Guest account
- Verify password policy compliance
- Review account lockout settings
- Check for service account privileges
- Audit local group memberships
- Review scheduled task accounts
Security Settings
- UAC configuration
- Windows Firewall status
- Windows Defender settings
- Audit policy configuration
- Security options (GPO)
- User rights assignment
- AppLocker/WDAC policies
Services & Features
- Unnecessary services disabled
- SMBv1 disabled
- Remote Desktop settings
- WinRM configuration
- Print spooler status
- IIS configuration (if present)
Patch Management
- Windows Update status
- Missing critical patches
- WSUS configuration
- Third-party software updates
```powershell
# Quick security check (run in an elevated PowerShell session)
Get-ComputerInfo | Select-Object OsName, WindowsVersion, OsArchitecture
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10    # most recent patches
Get-Service | Where-Object { $_.Status -eq 'Running' } | Select-Object Name, DisplayName, StartType
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction    # all three profiles should be Enabled
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol                  # should be False
Get-LocalGroupMember -Group Administrators                                     # local admin audit
```
🐧 Linux Server Hardening
User & Access
- Root login disabled (SSH)
- Key-based authentication only (password authentication disabled)
- Sudo configuration review (no broad NOPASSWD rules, no wildcard commands)
- User account audit (extra UID 0 accounts, dormant accounts, empty passwords)
- Shell restrictions (nologin/false for service accounts)
- Home directory permissions (no group or world access)
- Password aging policy
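The account audit items above can be checked from two files. The script below is an added example, not part of the original checklist: it reads /etc/passwd and /etc/shadow and reports additional UID 0 accounts, password hashes left in /etc/passwd, login-capable accounts with an empty password, weak (md5crypt) hashes and over-long password aging. It runs against constructed sample files so it works offline and unprivileged; on a real host run it as root against the real files. The 365-day maximum age, the list of non-login shells and the sample data are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit /etc/passwd and /etc/shadow.
# Assumptions: standard shadow layout (name:hash:lastchg:min:max:warn:inact:expire),
# a site policy of max 365 days between password changes, $1$ (md5crypt) counted as weak.
set -u

MAX_AGE_POLICY=365    # assumption: site policy (CIS benchmarks also use 365)

# is_nologin_shell SHELL: 0 if SHELL does not allow an interactive login (assumed set)
is_nologin_shell() {
  case "$1" in */nologin|*/false|"") return 0 ;; *) return 1 ;; esac
}

# audit_accounts PASSWD SHADOW: prints "SEVERITY user: reason" per finding;
# exit status is the number of findings (0 = clean).
audit_accounts() {
  local passwd=$1 shadow=$2 n=0 sev
  local name pw uid gid gecos home shell hash last min max rest
  # --- /etc/passwd: identity and shell ---------------------------------------
  while IFS=: read -r name pw uid gid gecos home shell; do
    [ -n "$name" ] || continue
    if [ "$uid" -eq 0 ] && [ "$name" != root ]; then
      echo "HIGH $name: UID 0 (additional root account)"; n=$((n+1))
    fi
    if [ "$pw" != x ] && [ "$pw" != '*' ]; then        # hash (or nothing) kept in passwd
      echo "HIGH $name: password field in /etc/passwd is not shadowed"; n=$((n+1))
    fi
  done < "$passwd"
  # --- /etc/shadow: credentials and aging ------------------------------------
  while IFS=: read -r name hash last min max rest; do
    [ -n "$name" ] || continue
    shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$passwd")
    case "$hash" in
      "")   if is_nologin_shell "$shell"; then sev=MEDIUM; else sev=HIGH; fi
            echo "$sev $name: empty password field (login without a password)"
            n=$((n+1)); continue ;;
      '!'*|'*'*) continue ;;                            # locked or no password: skip aging
      '$1$'*) echo "MEDIUM $name: md5crypt hash (weak); force a rehash at next login"
              n=$((n+1)) ;;
    esac
    if [ -z "$max" ] || [ "$max" -gt "$MAX_AGE_POLICY" ]; then
      echo "LOW $name: password max age ${max:-unset} exceeds $MAX_AGE_POLICY days"; n=$((n+1))
    fi
  done < "$shadow"
  return "$n"
}

# Constructed sample files (not from a real host); hashes are placeholders.
make_samples() {
  local dir; dir=$(mktemp -d)
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:x:1002:1002:Legacy:/home/legacy:/bin/sh
EOF
  cat > "$dir/shadow" <<'EOF'
root:$6$salt$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
backup:*:19700:0:99999:7:::
toor:$6$salt$PLACEHOLDERHASH:19700:0:99999:7:::
alice:$6$salt$PLACEHOLDERHASH:19700:0:90:7:::
bob::19700:0:99999:7:::
legacy:$1$salt$PLACEHOLDERHASH:19700:0:99999:7:::
EOF
  printf '%s\n' "$dir"
}

dir=$(make_samples)
rc=0; audit_accounts "$dir/passwd" "$dir/shadow" || rc=$?
echo "findings: $rc"
rm -rf "$dir"
```

On the sample data this reports toor (UID 0), bob (empty password with a login shell), legacy (md5crypt) and the 99999-day aging on root, toor and legacy; alice, with a 90-day maximum, is clean.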
SSH Configuration
```bash
# Check SSH config. A plain grep only matches lines that begin with the directive, is
# case-sensitive, and cannot show the default used for a directive that is absent.
# `sshd -T` (as root) prints the effective configuration, including anything pulled in
# through Include /etc/ssh/sshd_config.d/*.conf on Debian/Ubuntu.
grep -iE "^[[:space:]]*(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|X11Forwarding|AllowUsers|MaxAuthTries)" /etc/ssh/sshd_config
sshd -T | grep -E "^(permitrootlogin|passwordauthentication|pubkeyauthentication|x11forwarding|allowusers|maxauthtries) "
```

```
# Recommended settings. sshd keeps the FIRST occurrence of a directive, so these must
# appear before any Include or Match line and must not be overridden in sshd_config.d/.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
```
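Because sshd honours only the first occurrence of a directive, falls back to compiled-in defaults, and treats Match blocks as conditional, a grep alone can pass a file that is not actually hardened. The script below is an added example (not part of the original page or of OpenSSH): it resolves the effective global value of each recommended directive and compares it with the values above, using a constructed sshd_config that "looks" hardened. It does not follow Include lines, so `sshd -T` remains the final word on a live host. The OpenSSH 7.0+ defaults it assumes (PermitRootLogin prohibit-password, MaxAuthTries 6) and the sample file are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit an sshd_config against the
# recommended settings. Handles what a one-line grep misses:
#   - directive names are case-insensitive and may be indented or written Key=Value
#   - sshd honours the FIRST occurrence; later duplicates are ignored
#   - an absent directive takes sshd's compiled-in default
#   - settings inside a Match block are conditional, not the global value
# Assumption: OpenSSH 7.0+ defaults. Does not follow Include lines.
set -u

# sshd_default DIRECTIVE (lowercase): value sshd uses when the directive is not set
sshd_default() {
  case "$1" in
    permitrootlogin)        echo prohibit-password ;;
    passwordauthentication) echo yes ;;
    pubkeyauthentication)   echo yes ;;
    x11forwarding)          echo no ;;
    maxauthtries)           echo 6 ;;
    *)                      echo unknown ;;
  esac
}

# effective_value FILE DIRECTIVE: the global value sshd would apply, lowercased
effective_value() {
  local file=$1 key=$2 line name
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}          # strip comments
    line=${line//=/ }         # "Key=Value" is equivalent to "Key Value"
    set -- $line              # word-split into name and arguments (unquoted on purpose)
    [ $# -ge 1 ] || continue  # blank or comment-only line
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ "$name" = match ] && break    # end of the global section
    if [ "$name" = "$key" ]; then
      printf '%s\n' "${2:-}" | tr '[:upper:]' '[:lower:]'
      return 0
    fi
  done < "$file"
  sshd_default "$key"
}

# audit_sshd FILE: one PASS/FAIL line per directive; exit status = number of failures
audit_sshd() {
  local file=$1 spec key want have ok fails=0
  for spec in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes \
              x11forwarding=no maxauthtries=3; do
    key=${spec%%=*}; want=${spec#*=}
    have=$(effective_value "$file" "$key")
    ok=0
    if [ "$key" = maxauthtries ]; then
      [ "$have" -le "$want" ] 2>/dev/null && ok=1     # a stricter limit also passes
    else
      [ "$have" = "$want" ] && ok=1
    fi
    if [ "$ok" -eq 1 ]; then
      printf 'PASS %-22s %s\n' "$key" "$have"
    else
      printf 'FAIL %-22s %s (want %s)\n' "$key" "$have" "$want"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# Constructed sample sshd_config (not from a real host) that looks hardened at a glance
make_sample_cfg() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
# Managed by hand
  permitrootlogin yes            # indented + lowercase: missed by grep "^PermitRootLogin"
PasswordAuthentication no
PasswordAuthentication yes       # duplicate: sshd keeps the first value (no)
X11Forwarding no
# PubkeyAuthentication and MaxAuthTries are not set, so the defaults apply
Match User backup
    PasswordAuthentication yes   # conditional; does not change the global value
EOF
  printf '%s\n' "$f"
}

cfg=$(make_sample_cfg)
rc=0; audit_sshd "$cfg" || rc=$?
echo "failures: $rc"
rm -f "$cfg"
```

On the sample file this fails permitrootlogin (the indented line wins) and maxauthtries (absent, so the default of 6 applies), while passwordauthentication passes because the first occurrence is "no".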
File System Security
- SUID/SGID binaries audit
- World-writable files
- Sensitive file permissions
- /tmp mounting options
- Partition scheme review
```bash
# Find SUID/SGID binaries. -xdev keeps find on one filesystem (skips /proc and network
# mounts); repeat for /usr, /home etc. if they are separate partitions. Diff the list
# against a known-good baseline rather than reading it raw.
find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
# World-writable files
find / -xdev -type f -perm -0002 2>/dev/null
# World-writable directories without the sticky bit (anyone can delete others' files there)
find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
# Check important permissions. Expect passwd 644 root:root, sudoers 440 root:root,
# shadow 640 root:shadow (Debian-based) or 000 root:root (RHEL-based).
stat -c '%a %U:%G %n' /etc/passwd /etc/shadow /etc/sudoers
```
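A raw SUID list is only useful once it is compared with what the system is expected to ship. The script below is an added example, not part of the original page: it reports SUID/SGID files that are not on an allowlist, world-writable files, and world-writable directories that lack the sticky bit, and it builds a small constructed directory tree so it runs offline. The allowlist and the sample tree are assumptions; on a real host call the functions with `/` and a baseline taken from your golden image.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): filesystem audit against a baseline.
# Assumption: SUID_ALLOW is a minimal placeholder; replace it with your own baseline.
set -u

# Expected SUID/SGID paths, relative to the audited root (assumption)
SUID_ALLOW="usr/bin/passwd usr/bin/sudo usr/bin/su"

# relative_to ROOT PATH: PATH with ROOT and the leading slash removed (works for ROOT=/)
relative_to() { local rel=${2#"$1"}; printf '%s\n' "${rel#/}"; }

# suid_unexpected ROOT: SUID/SGID regular files under ROOT not on the allowlist
suid_unexpected() {
  local root=$1 f rel
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
  while IFS= read -r f; do
    rel=$(relative_to "$root" "$f")
    case " $SUID_ALLOW " in
      *" $rel "*) ;;                      # expected
      *) printf '%s\n' "$rel" ;;
    esac
  done
}

# worldwritable_files ROOT: regular files any user can modify
worldwritable_files() {
  local f
  find "$1" -xdev -type f -perm -0002 2>/dev/null | sort |
  while IFS= read -r f; do relative_to "$1" "$f"; done
}

# worldwritable_dirs_nosticky ROOT: directories any user can write to that lack the
# sticky bit, so any user can delete or rename other users' files (unlike /tmp)
worldwritable_dirs_nosticky() {
  local f
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort |
  while IFS= read -r f; do relative_to "$1" "$f"; done
}

# Constructed sample tree (not a real host). Runs in a subshell so umask does not leak.
make_sample_tree() (
  umask 022                          # plain mkdir/touch must not be world-writable
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/tmp" "$root/var/dropbox" "$root/etc"
  for b in passwd sudo su backdoor; do   # "backdoor" is the unexpected SUID file
    : > "$root/usr/bin/$b"; chmod 4755 "$root/usr/bin/$b"
  done
  : > "$root/etc/app.conf"; chmod 666 "$root/etc/app.conf"   # world-writable file
  chmod 1777 "$root/tmp"                                      # sticky: fine
  chmod 777  "$root/var/dropbox"                              # no sticky: flagged
  printf '%s\n' "$root"
)

root=$(make_sample_tree)
echo "== SUID/SGID files not on the allowlist"; suid_unexpected "$root"
echo "== world-writable files";                 worldwritable_files "$root"
echo "== world-writable dirs without sticky";   worldwritable_dirs_nosticky "$root"
rm -rf "$root"
```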
Network Security
- Firewall rules (iptables/nftables)
- Open ports review
- Network services audit
- IP forwarding disabled (unless the host is a router or hypervisor)
- ICMP settings
Logging & Monitoring
- Syslog configuration
- Audit daemon (auditd)
- Log rotation settings
- Centralized logging
- File integrity monitoring
🌐 Network Device Audit
Switch/Router Configuration
- Default credentials changed
- SSH enabled / Telnet disabled
- Management ACLs
- SNMP configuration
- Banner configuration
- Unused ports disabled
- Port security
- VTY line security
Firewall Review
- Rule base analysis
- Any/any (permit-all) rules
- Unused rules
- Rule ordering
- Logging configuration
- NAT configuration
- VPN settings
Wireless Security
- SSID configuration
- Encryption standard (WPA3, or WPA2-AES at minimum; no WEP or TKIP)
- PSK strength
- Client isolation
- Rogue AP detection
- Guest network separation
🗃️ Database Security
SQL Server
- SA account disabled/secured
- Authentication mode
- Database permissions
- Encryption at rest
- TDE configuration
- Audit logging
- Network encryption
```sql
-- Check authentication mode: 1 = Windows authentication only, 0 = mixed mode (SQL logins allowed)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;
-- List SQL logins; 'sa' should be disabled (is_disabled = 1) or renamed
SELECT name, is_disabled FROM sys.sql_logins;
-- Check database encryption (TDE): is_encrypted = 1
SELECT name, is_encrypted FROM sys.databases;
-- Check network encryption: TRUE means this connection is TLS-protected
SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID;
```
MySQL/MariaDB
- Root password set
- Anonymous users removed
- Remote root disabled
- Test database removed
- User privileges audit
- SSL/TLS enabled
```sql
-- Security check queries
SELECT user, host FROM mysql.user;                       -- empty user = anonymous account
SELECT user, host FROM mysql.user                        -- remote root: should return nothing
 WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
SHOW GRANTS FOR 'root'@'localhost';
SHOW DATABASES LIKE 'test';                              -- should return nothing
SHOW VARIABLES LIKE '%ssl%';                             -- have_ssl = YES and ssl_cert set
```
PostgreSQL
- pg_hba.conf review
- Superuser accounts
- Database permissions
- SSL configuration
- Password encryption
- Logging settings
📧 Email Server Security
Exchange/O365
- Admin account security
- Audit logging enabled
- Mail flow rules
- Anti-malware settings
- Spam filtering
- DLP policies
- Mobile device policies
SMTP Security
- Open relay testing
- SPF record
- DKIM signing
- DMARC policy
- TLS enforcement
- Authentication required
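SPF and DMARC records are short, but most of the weak ones are weak in the details: a `+all`, more than ten DNS lookups (which makes receivers return permerror and disables SPF), a DMARC `p=none`, or a `pct` under 100. The script below is an added example, not part of the original page: it parses both record types and grades them. A live audit would fetch the records with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`; here the records are constructed strings so the example runs offline. The severity labels and the "prefer -all and p=reject" policy are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): grade SPF (RFC 7208) and DMARC (RFC 7489)
# TXT records. Records are constructed samples; on a real audit feed in dig output.
set -u
set -f   # no pathname expansion while iterating over record tokens

# spf_summary RECORD: prints "all=<qualifier|none> lookups=<n> ptr=<0|1>"
# Qualifier of the final "all": + (anyone may send), ? (neutral), ~ (softfail), - (fail).
# lookups counts mechanisms that cost a DNS query; RFC 7208 allows at most 10.
spf_summary() {
  local tok qual mech all=none lookups=0 ptr=0
  case "$1" in v=spf1|"v=spf1 "*) ;; *) echo invalid; return 1 ;; esac
  for tok in $1; do
    [ "$tok" = v=spf1 ] && continue
    qual=+
    case "$tok" in [-+?~]*) qual=${tok:0:1}; tok=${tok:1} ;; esac
    mech=$(printf '%s' "${tok%%[:=/]*}" | tr '[:upper:]' '[:lower:]')
    case "$mech" in
      all)                          all=$qual ;;
      include|a|mx|exists|redirect) lookups=$((lookups + 1)) ;;
      ptr)                          lookups=$((lookups + 1)); ptr=1 ;;
    esac
  done
  echo "all=$all lookups=$lookups ptr=$ptr"
}

# spf_findings RECORD: one line per issue; exit status = number of failing findings
spf_findings() {
  local s a l p all lookups ptr n=0
  s=$(spf_summary "$1") || { echo "HIGH SPF: record missing or malformed"; return 1; }
  read -r a l p <<<"$s"; all=${a#all=}; lookups=${l#lookups=}; ptr=${p#ptr=}
  case "$all" in
    '+')  echo "HIGH SPF: '+all' lets any host send as this domain"; n=$((n+1)) ;;
    '?')  echo "MEDIUM SPF: '?all' is neutral; receivers treat it like no SPF"; n=$((n+1)) ;;
    none) echo "MEDIUM SPF: no 'all' mechanism (defaults to neutral)"; n=$((n+1)) ;;
    '~')  echo "INFO SPF: '~all' softfail; prefer '-all' once DMARC is enforcing" ;;
    '-')  echo "PASS SPF: '-all'" ;;
  esac
  if [ "$lookups" -gt 10 ]; then
    echo "HIGH SPF: $lookups DNS lookups exceeds the RFC 7208 limit of 10 (permerror)"; n=$((n+1))
  fi
  if [ "$ptr" = 1 ]; then echo "LOW SPF: 'ptr' mechanism is deprecated and slow"; n=$((n+1)); fi
  return "$n"
}

# dmarc_summary RECORD: prints "p=<policy|unset> sp=<policy|inherit> pct=<n> rua=<0|1>"
dmarc_summary() {
  local IFS=';' tag key val p=unset sp=inherit pct=100 rua=0
  case "$1" in "v=DMARC1"*) ;; *) echo invalid; return 1 ;; esac
  for tag in $1; do                         # tags are "key=value" separated by ';'
    key=${tag%%=*}; val=${tag#*=}
    key=${key//[[:space:]]/}; val=${val//[[:space:]]/}
    case "$key" in p) p=$val ;; sp) sp=$val ;; pct) pct=$val ;; rua) rua=1 ;; esac
  done
  echo "p=$p sp=$sp pct=$pct rua=$rua"
}

# dmarc_findings RECORD: one line per issue; exit status = number of failing findings
dmarc_findings() {
  local s a b c d p sp pct rua n=0
  s=$(dmarc_summary "$1") || { echo "HIGH DMARC: record missing or malformed"; return 1; }
  read -r a b c d <<<"$s"; p=${a#p=}; sp=${b#sp=}; pct=${c#pct=}; rua=${d#rua=}
  case "$p" in
    reject)     echo "PASS DMARC: p=reject" ;;
    quarantine) echo "INFO DMARC: p=quarantine; move to reject once aligned mail is clean" ;;
    none)       echo "MEDIUM DMARC: p=none only monitors; spoofed mail is still delivered"; n=$((n+1)) ;;
    *)          echo "HIGH DMARC: no valid p= tag"; n=$((n+1)) ;;
  esac
  if [ "$pct" -lt 100 ] 2>/dev/null; then
    echo "LOW DMARC: pct=$pct applies the policy to only $pct% of mail"; n=$((n+1))
  fi
  if [ "$rua" = 0 ]; then echo "LOW DMARC: no rua= address, so no aggregate reports"; n=$((n+1)); fi
  if [ "$sp" = none ] && [ "$p" != none ]; then
    echo "MEDIUM DMARC: sp=none leaves subdomains unprotected"; n=$((n+1))
  fi
  return "$n"
}

# Constructed sample records (not real domains)
spf_findings   'v=spf1 include:_spf.example.net a mx ptr +all'; echo "--"
spf_findings   'v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all'; echo "--"
dmarc_findings 'v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com'; echo "--"
dmarc_findings 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
```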
📊 Compliance Frameworks
CIS Benchmarks
| Category | Key Controls |
|---|---|
| Account | Password policy, lockout |
| Access | Least privilege, MFA |
| Audit | Logging, monitoring |
| Network | Firewall, segmentation |
| Data | Encryption, backup |
NIST Cybersecurity Framework
- Identify - Asset inventory
- Protect - Access controls
- Detect - Monitoring
- Respond - Incident handling
- Recover - Backup/DR
PCI-DSS (if applicable)
- Requirement 1: Firewall
- Requirement 2: No defaults
- Requirement 3: Data protection
- Requirement 4: Encryption in transit
- Requirement 5: Anti-malware
- Requirement 6: Secure development
- Requirement 7: Need-to-know
- Requirement 8: Authentication
- Requirement 9: Physical security
- Requirement 10: Logging
- Requirement 11: Testing
- Requirement 12: Policies
🔧 Audit Tools
Windows
| Tool | Purpose |
|---|---|
| Microsoft Baseline Security Analyzer | Legacy security assessment (retired; does not cover current Windows versions) |
| CIS-CAT | CIS benchmark audit |
| Nessus | Vulnerability/compliance |
| PolicyAnalyzer (Security Compliance Toolkit) | Compare GPOs and security templates against Microsoft baselines |
Linux
| Tool | Purpose |
|---|---|
| Lynis | Security auditing |
| OpenSCAP | Compliance checking |
| Lunar | Security audit |
| Tiger | Security audit |
```bash
# Lynis audit (run as root for full coverage)
sudo lynis audit system --quick
# OpenSCAP: list the profiles in the datastream, then evaluate one. Use the datastream
# matching the audited OS (e.g. ssg-rhel9-ds.xml); ssg-centos7-ds.xml is the CentOS 7 one.
# Older oscap versions need the full profile ID (xccdf_org.ssgproject.content_profile_standard).
oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
sudo oscap xccdf eval --profile standard --results results.xml --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
```
📝 Report Structure
Executive Summary
- Overall security posture
- Critical findings count
- Compliance status
- Priority recommendations
Detailed Findings
- Category
- Finding description
- Evidence
- Risk rating
- Recommendation
- Reference (CIS, NIST, etc.)
Remediation Roadmap
| Priority | Timeframe | Category |
|---|---|---|
| Critical | 7 days | Immediate risk |
| High | 30 days | Significant risk |
| Medium | 90 days | Moderate risk |
| Low | 180 days | Best practice |
Last updated: 2024