Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

ZFPAudit: A Computer-assisted Audit Tool for Evaluation of Microsoft Operating Systems

By Jon Bek

The evaluation of computer system configuration is an important element of any general controls audit of information technology. Analysis of the configuration helps assess security risks, determines compliance with organization policy and measures consistency with industry best practices. Improperly configured computer systems undermine otherwise sound IT security practices, increase costs, impair efficiency and contribute to unscheduled business interruptions.

Addressing this task poses special challenges to an audit organization. A thorough hardware and software evaluation requires significant technical skill and knowledge. Gathering evidence and reviewing the collected data also require substantial time and effort. Ensuring the consistency of manually collected information, and then keying, tabulating and interpreting the data, are demanding tasks for a deadline-driven auditor.

In the commercial sector, a limited number of software products address this need, but most are not tailored to the specialized requirements of IT auditors. These tools are also usually expensive, require prior installation on the target system and may demand the support of the auditee's IT department. Though achievable in the for-profit, centralized-authority model of many businesses, this is often impractical in academic institutions and other organizations with a great degree of distributed authority and local autonomy.

To address these needs and constraints in IT audit work for the California Institute of Technology, the author has developed a tool that uses the standards-based remote management features Microsoft now incorporates into its Windows operating system products.
These features are known collectively as Windows Management Instrumentation (WMI),1 and comprise Microsoft's implementation of the Common Information Model (CIM) standard published by the Distributed Management Task Force (DMTF).2 WMI has been incorporated into all Windows releases beginning with Windows 98 Second Edition. Because of limitations of the security model in Windows 98 and Windows Millennium Edition, the software discussed here is truly useful only with Windows 2000 and subsequent versions.

The ZFPAudit Tool

The Zero-Footprint Audit Tool (ZFPAudit) is a script-based tool for gathering and reporting Windows computer system settings that are useful to the IT auditor in assessing the compliance and risk elements that arise from improper configuration. ZFPAudit may be run from the system to be audited or from a remote console. In either case, the software requires no installation and does not modify the hardware or operating system environment of the host console or the audited computer. (A remote audit does authenticate to the target with administrative credentials, so where logon auditing is enabled the audit connection itself is recorded in the target's security event log; no files or settings are changed.) Data collected by ZFPAudit may be evaluated and printed as a field report, imported into Excel, ACL or other analysis tools, or sent automatically to a remote database. The ZFPAudit architecture is modular and plug-in based, allowing auditors to include or exclude the audit tests to be conducted, add new or updated tests as new or revised plug-ins become available, and write their own plug-ins if desired. The product is published under the terms of the GNU General Public License.3 This means the product is provided at no charge and the complete source code is available for review and improvement.
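The following is an added example, not ZFPAudit's own code (the original was a browser-hosted script): it shows the same agentless, plug-in style of collection in Windows PowerShell, using Get-WmiObject over DCOM as 2004-era WMI scripts did, so that nothing is installed on the audited machine. The WMI classes are the standard ones that carry this information, but which classes ZFPAudit itself used is not stated in the article; the script name, the parameter names and the 15-minute screen-saver threshold are assumptions made for the example.

```powershell
# Added example (not ZFPAudit's own code): agentless, plug-in style collector
# over WMI. Save as Invoke-ZfpAudit.ps1 (name assumed) and run it locally, or
# against a remote host with an administrative credential:
#   .\Invoke-ZfpAudit.ps1 -ComputerName srv01 -Credential (Get-Credential) -AuditCode FY04-IT-12
param(
    [string]$ComputerName = '.',            # '.' = the local machine
    [System.Management.Automation.PSCredential]$Credential,
    [string]$AuditCode = '',                # optional project/audit code, as in the tool
    [int]$MaxScreenSaverSeconds = 900       # assumed policy: lock after at most 15 minutes idle
)

# One WMI wrapper so each plug-in stays short. Get-WmiObject rejects -Credential
# for the local machine, so the credential is passed only for remote targets.
function Get-Wmi([string]$Class, [string]$Filter = '') {
    $wmi = @{ Class = $Class; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Filter) { $wmi.Filter = $Filter }
    if ($Credential -and $ComputerName -ne '.') { $wmi.Credential = $Credential }
    Get-WmiObject @wmi
}

# Every plug-in is a script block that returns objects; including, excluding or
# adding a test means editing this table and nothing else.
$plugins = [ordered]@{
    # Unique identifier: BIOS serial number, Windows name, and the burned-in
    # MAC address of the first adapter that has IP bound to it.
    Identifier = {
        $nic = Get-Wmi Win32_NetworkAdapterConfiguration 'IPEnabled = TRUE' | Select-Object -First 1
        [PSCustomObject]@{
            SerialNumber = (Get-Wmi Win32_BIOS).SerialNumber
            SystemName   = (Get-Wmi Win32_ComputerSystem).Name
            MACAddress   = $nic.MACAddress
        }
    }
    # OS build and service pack; the installed hotfix list stands in for patch level.
    OSLevel = {
        $os = Get-Wmi Win32_OperatingSystem
        [PSCustomObject]@{
            Caption     = $os.Caption
            Build       = $os.BuildNumber
            ServicePack = $os.CSDVersion
            Hotfixes    = @(Get-Wmi Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }) -join ', '
        }
    }
    # Fixed disks (DriveType 3) not formatted NTFS carry no ACLs, so every file
    # on them is readable by anyone with local access.
    InsecureFileSystems = {
        Get-Wmi Win32_LogicalDisk 'DriveType = 3' |
            Where-Object { $_.FileSystem -ne 'NTFS' } |
            Select-Object DeviceID, FileSystem, Size
    }
    # Size and retention policy of the three classic logs. OverwritePolicy is
    # 'WhenNeeded', 'OutDated' (after OverwriteOutDated days) or 'Never'.
    EventLogs = {
        Get-Wmi Win32_NTEventlogFile |
            Where-Object { 'Security', 'Application', 'System' -contains $_.LogfileName } |
            Select-Object LogfileName, MaxFileSize, FileSize, NumberOfRecords, OverwritePolicy, OverwriteOutDated
    }
    # Running services with the account they run as and the binary they start;
    # unexpected entries here are what the auditor follows up on.
    RunningServices = {
        Get-Wmi Win32_Service 'State = "Running"' |
            Select-Object Name, StartMode, StartName, PathName
    }
    # Screen-saver settings of each loaded user profile. A profile fails if the
    # saver is off, not password protected, or idles longer than the threshold.
    ScreenSaver = {
        Get-Wmi Win32_Desktop | ForEach-Object {
            [PSCustomObject]@{
                Profile   = $_.Name
                Active    = $_.ScreenSaverActive
                Secure    = $_.ScreenSaverSecure
                Timeout   = $_.ScreenSaverTimeout
                Compliant = [bool]$_.ScreenSaverActive -and [bool]$_.ScreenSaverSecure -and
                            ($_.ScreenSaverTimeout -gt 0) -and ($_.ScreenSaverTimeout -le $MaxScreenSaverSeconds)
            }
        }
    }
}

# Run each plug-in; a failing plug-in is recorded, not allowed to abort the audit.
$report = [ordered]@{
    AuditCode = $AuditCode
    Target    = $ComputerName
    Collected = (Get-Date).ToString('s')
}
foreach ($name in $plugins.Keys) {
    try   { $report[$name] = & $plugins[$name] }
    catch { $report[$name] = "ERROR: $($_.Exception.Message)" }
}

# Field report on the console. Swap the last line for ConvertTo-Json -Depth 4
# or Export-Csv to feed Excel, ACL or a database instead.
foreach ($name in $report.Keys) {
    "== $name =="
    $report[$name] | Format-List | Out-String
}
```

The credential is taken from Get-Credential at run time rather than stored anywhere, which is the same discipline the tool's web form imposes. On current Windows the same classes are reachable with Get-CimInstance over WinRM, which replaces the DCOM transport used here.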
In its current version, ZFPAudit includes plug-ins that:

• Provide a unique identifier for the audited system, using elements such as the hardware serial number, Windows system name and burned-in hardware address (MAC address) of the system's network adapter
• Report the use of inherently insecure file systems (FAT32, which carries no file access control lists) on any local, nonremovable storage device
• Report configuration settings for the computer's security, application and system event logs
• Provide an inventory of installed software (for software installed in compliance with the Microsoft Installer (MSI) standard)
• List the current operating system build, patch and service pack level of the running operating system
• Enumerate the running services. Inappropriate or incorrectly configured services are often exploited by attackers, or may indicate that a system has already been compromised.
• Report whether the system is protected from unauthorized local access by a password-protected screensaver that is invoked automatically after a specified period of inactivity
• Detail user account settings that indicate problems such as dormant or unused accounts, accounts without passwords, passwords that never expire and so forth
• Determine whether the system is currently running antivirus software, whether the software is providing real-time file protection, and the date on which the software's antivirus definition files were last updated

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2004

Using ZFPAudit

The user interface for ZFPAudit is a web page opened in Microsoft's Internet Explorer browser (see figure 1). This adds a degree of flexibility, as the web page and other files may be installed on a web server, copied to a centrally accessible shared network drive, or run from a CD-ROM, Zip drive, solid-state flash disk plugged into a USB port, or any other convenient, accessible remote or local file system.
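As an added example of the user-account plug-in in the list above (this is not ZFPAudit's code), the following PowerShell script produces the columns of figure 3 from the two WMI classes that carry them: Win32_UserAccount for the disabled, locked, password-required and password-expires flags, and Win32_NetworkLoginProfile for last logon, password age, password expiry, account expiry and logon hours. The "dormant" and "excessive password life" thresholds are assumptions for illustration, not the policy the article's plug-in applies, and the script name is likewise assumed.

```powershell
# Added example (not ZFPAudit's own code): user-account plug-in producing the
# fields of figure 3. Save as Get-ZfpAccounts.ps1 (name assumed) and run as
#   .\Get-ZfpAccounts.ps1 -ComputerName srv01 -Credential (Get-Credential)
param(
    [string]$ComputerName = '.',
    [System.Management.Automation.PSCredential]$Credential,
    [int]$DormantDays = 90,         # assumed: no logon for this long = dormant
    [int]$MaxPasswordAgeDays = 90   # assumed: older than this = excessive password life
)

function Get-Wmi([string]$Class, [string]$Filter = '') {
    $wmi = @{ Class = $Class; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Filter) { $wmi.Filter = $Filter }
    if ($Credential -and $ComputerName -ne '.') { $wmi.Credential = $Credential }
    Get-WmiObject @wmi
}

# WMI returns CIM_DATETIME strings: LastLogon, PasswordExpires and AccountExpires
# are absolute times, PasswordAge is an interval. Null or all-asterisk values
# mean "never", and are passed through as $null.
function ConvertTo-Date($s) {
    if ($s -and $s -notmatch '^\*') { [System.Management.ManagementDateTimeConverter]::ToDateTime($s) }
}
function ConvertTo-Interval($s) {
    if ($s -and $s -notmatch '^\*') { [System.Management.ManagementDateTimeConverter]::ToTimeSpan($s) }
}

# LocalAccount = TRUE matters: without it a domain member enumerates every
# account in the domain through WMI, which is slow and is not what is audited.
$accounts = Get-Wmi Win32_UserAccount 'LocalAccount = TRUE'
$profiles = @{}
Get-Wmi Win32_NetworkLoginProfile | ForEach-Object { $profiles[$_.Name] = $_ }   # keyed "HOST\user"

$now  = Get-Date
$rows = foreach ($a in $accounts) {
    $name = "$($a.Domain)\$($a.Name)"
    $p    = $profiles[$name]
    $lastLogon = if ($p) { ConvertTo-Date $p.LastLogon }
    $pwAge     = if ($p) { ConvertTo-Interval $p.PasswordAge }
    $pwExpires = if ($p) { ConvertTo-Date $p.PasswordExpires }
    $lastLogonDays = if ($lastLogon) { [int]($now - $lastLogon).TotalDays }
    $pwAgeDays     = if ($pwAge)     { [int]$pwAge.TotalDays }
    $pwExpiresIn   = if ($pwExpires) { [int]($pwExpires - $now).TotalDays }

    [PSCustomObject]@{
        Name                  = $name
        Disabled              = $a.Disabled
        Locked                = $a.Lockout
        PasswordDoesNotExpire = -not $a.PasswordExpires
        PasswordNotRequired   = -not $a.PasswordRequired
        AccountExpires        = if ($p) { ConvertTo-Date $p.AccountExpires }
        LastLogonDays         = $lastLogonDays
        LogonHours            = if ($p) { $p.LogonHours }
        PasswordAgeDays       = $pwAgeDays
        PasswordExpiresInDays = $pwExpiresIn
        ExcessivePasswordLife = ($null -ne $pwAgeDays) -and ($pwAgeDays -gt $MaxPasswordAgeDays)
        # Dormant: enabled but never used, or unused for longer than the threshold.
        Dormant               = (-not $a.Disabled) -and
                                (($null -eq $lastLogonDays) -or ($lastLogonDays -gt $DormantDays))
    }
}

# Report plus the audit statistics of figure 3; each true flag is a possible audit concern.
$rows | Format-Table -AutoSize
'Password Not Required: {0}'    -f @($rows | Where-Object { $_.PasswordNotRequired }).Count
'Password Life Problems: {0}'   -f @($rows | Where-Object { $_.ExcessivePasswordLife -or $_.PasswordDoesNotExpire }).Count
'Dormant Account Problems: {0}' -f @($rows | Where-Object { $_.Dormant }).Count
```

Win32_UserAccount alone does not know when a password was set or an account last used; that is why the profile class is joined in by account name, and why an account with no profile (never logged on) is reported as dormant unless it is disabled.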
For example, ZFPAudit could be installed on a web server at one location, such as a data center, opened with the Internet Explorer browser on an auditor's computer in the audit office, and used to audit remote client machines elsewhere in the enterprise.

To conduct an audit, the auditor provides a user ID (1) and password (2) with administrative privilege on the target machine, the IP address or Windows machine name (3) of the remote system, and a project or audit code (4). The audit code is useful when a number of audits are to be conducted and the results grouped, trended or summarized. Data collection begins when the auditor presses the OK button (5). If the audit is being conducted on the local machine and the current logon account has administrator privilege, parameters 1 through 3 may be omitted. Parameter 4, though recommended, may always be left blank.

A minor disadvantage of opening ZFPAudit from a web server is that the default security settings of the browser on the auditor's console disallow execution of the embedded scripts the software needs to perform an audit. The software's documentation explains how to add the web server or the specific ZFPAudit web pages to the browser's list of trusted sites, which allows proper operation. Because everything in that zone runs with the same relaxed settings, and the scripts run with the administrative credentials entered on the page, it is better to trust only the specific ZFPAudit pages and to host them where only the audit staff can write. When running from either a web server or a file system (local or remote), the auditor will still be prompted to allow the scripts to run (as an ActiveX control) each time an audit is conducted. Minor modifications in a forthcoming release will allow the software to be hosted as an Active Server Pages (ASP) application on web servers that support ASP, which will avoid these inconveniences.

After gathering data for each of the installed plug-ins, the web page is updated to display the results (see figure 2). The user may scroll down to peruse the complete results. Partial results for the user account plug-in appear in figure 2, item 3; the complete results for this plug-in appear in figure 3.
Two additional controls also appear. Item 1 posts the audit results to a remote database, if one has been configured for this purpose. Once posted, this control turns gray and is disabled, so duplicate results cannot be posted for the same audit. The same machine may be audited and posted again; time stamps on the data make the distinction between audits clear. Item 2 returns the user to the main page (figure 1), whether or not the audit results have been submitted to a remote database. This makes the tool useful for compliance purposes: clients can self-audit, correct noncompliance on all machines and then record an audit for each machine for which they are responsible, proving compliance.

Figure 1—Main Page

Figure 2—Updated Results

Figure 3—User Accounts

Name       Disabled  Locked  Password Does Not Expire  Password Not Required  Account Expires  Last Logon (days)  Logon Hours  Password Age (days)  Password Expires In (days)  Excessive Password Life
COMPO\JLB  false     false   false                     false                                   0                  All          79 days              11                          false

* Denotes a possible audit concern

Audit Statistics:
Password Not Required: 0
Password Life Problems: 0
Dormant Account Problems: 0

ZFPAudit and Sarbanes-Oxley

At a glance, a tool for evaluating computer system configuration and security would appear to have little to do with Sarbanes-Oxley, a US Act intended to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. However, section 404 requires that the annual report state the responsibility of management for establishing and maintaining adequate internal controls, and contain an assessment of the effectiveness of the internal control structure and procedures. The registered public accounting firm that prepares or issues the audit report for the company is required to attest to, and report on, this assessment made by the company's management.

Consequently, securing the organization's computers, networks and online systems to protect internal controls and financial reporting processes may indeed fall under the long reach of Sarbanes-Oxley. When considered in combination with other legislation to which an organization may be subject, such as HIPAA, Gramm-Leach-Bliley, the Digital Millennium Copyright Act and others, it is clear that information technology controls that have heretofore been best-practice ideals may soon become requirements for US businesses.

Conclusion

Admittedly, a zero-footprint configuration auditing tool for Windows only begins to address the needs of IT auditors, and is just one of the myriad opportunities for computer-assisted audit tools (CAATs) to improve IT audit quality and efficiency. Fortunately, ZFPAudit is not unique.

Figure 4—Low-cost/No-cost Tools and Resources

NESSUS                                  Network Vulnerability Assessment Tool                                            www.nessus.org/
KISMET                                  802.11 Wireless Network Sniffer                                                  www.kismetwireless.net/
TIGER                                   Security Tool for UNIX O/S                                                       www.net.tamu.edu/network/tools/tiger.html
Common Vulnerabilities and Exposures    Mitre Corp.'s database of known vulnerabilities                                  http://cve.mitre.org/
SCRIPT-O-MATIC                          Tool for getting started with Windows Management Instrumentation (WMI) scripts   www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/tools/wmimatic.asp

Author's Note: A list of the author's top five low-cost/no-cost tools and resources is found in figure 4. To obtain a free copy of the ZFPAudit software and documentation, or to exchange ideas on automating other aspects of IT auditing, contact the author or visit the IT audit section of the Caltech Audit Services and Institute Compliance web site, http://asic.caltech.edu/itaudit/.

Endnotes

1 Lavy, Matthew; Meggitt, Ashley; Windows Management Instrumentation, New Riders, Massachusetts, USA, 2002
2 Distributed Management Task Force Inc., www.dmtf.org/index.php
3 The GNU Project, www.gnu.org/

Jon Bek is a senior information technology auditor for the California Institute of Technology (Caltech), in Pasadena, California, USA. He has 14 years of experience in enterprise systems development, deployment and IT operations with a major oil company. He joined the Audit Services and Institute Compliance department of Caltech in 2001, and conducts IT and integrated team audits at the Caltech campus and the Jet Propulsion Laboratory, NASA's lead center for robotic exploration of the solar system, managed by Caltech. He is currently completing a program of graduate study in Computer Information Systems at the California State University, Los Angeles. He can be reached at jon.bek@caltech.edu.