Windows File Server Audit/Assurance Program 

Bookstore Purchase the Download:  Member US $25 | Non-Member US $50

  Provide feedback on this document
Knowledge Center  Visit the Audit Tools and Techniques Knowledge Center community
Knowledge Center  Visit the Audit Guidelines Knowledge Center community

Objective: The objective of the Windows File Server Audit/Assurance Program is to ensure data confidentiality, integrity and availability around the enterprise’s server practices. Assessment of the controls around Windows File Servers facilitates assurance that identification and resolution of server vulnerabilities support business objectives. These business objectives may include managing operational costs and maintaining compliance.

Scope: Some enterprises run several versions of Windows File Servers. In some instances, this includes Windows 2003, which is no longer supported by Microsoft. Using an unsupported version of Windows, may expose enterprises to security vulnerabilities. As the risks of operating an unsupported system are known, this audit/assurance program covers Windows File Server versions from 2008 to the present.

The Windows File Server Audit/Assurance Program covers the following areas:

  • Access control management – Domain membership and exclusion; perspectives of aligning administrator access with the administrator’s particular role as well as the period of time that the administrator needs the access.
  • Network security – Configuration management topics such as separation of virtual machines, port restriction and remote server management.
  • Operating system security ¬– Hardening, encryption, logging/monitoring and patch management.
  • Incident management – In addition to intrusion monitoring, this section also considers emergency change management.
  • Physical security – Physical security policies and procedures that lend greater assurance of data integrity, confidentiality, and availability.
  • .

As an IT audit and assurance professional, you are expected to customize this document for your unique assurance process environment. Use it as a review tool or starting point to modify for your purposes, rather than as a checklist or questionnaire. Keep in mind that to use this document for maximum effectiveness, you should hold the Certified Information Systems Auditor (CISA) designation or have the necessary subject matter expertise to conduct your assurance process while under the supervision of a professional who holds the CISA designation.