IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
Objective—The Microsoft IIS 7.x audit/assurance review provides management with an independent assessment of the effectiveness of the configuration and of the security of the IIS servers in the enterprise’s computing environment.
Scope—The review will focus on the configuration, management and physical security of the relevant IIS servers in the enterprise. The selection of specific applications, functions and servers will be based on the risks introduced to the enterprise by these systems.
Numerous IIS modules exist to provide customized resources and capabilities. Because each environment may use different programming and support tools to customize IIS, this audit/assurance program is limited in scope to the IIS server configuration. Additional software, including databases, dynamic content systems, common gateway interfaces, server-side includes, etc., are excluded from the scope of this review. It is suggested that either separate audits be performed of these products or that this audit/assurance program be modified to address these specific extensions to the basic IIS server.
Since IIS relies on the integrity of the host operating system (OS), the audit and assurance professional must perform or have access to a recent audit of the host OS’s configuration and be assured of the integrity and security of the host, whether physical or virtualized. If this cannot be assured, the audit of the host OS should be completed prior to beginning this audit. If the audit has identified significant deficiencies or material weaknesses, the audit should be postponed until these issues are remediated.
The review will focus on the configuration controls relating to:
- IIS management and administration
- IIS configuration settings
- Physical security of the IIS web servers
- Secure administrative practices
The scope excludes:
- Windows OS configuration, physical or virtual
- Workstation configurations
- User access and identity management
- Domain name service (DNS) management
It is recommended that:
- Assessments be performed of Windows server configurations, using an audit/assurance program specifically designed for the server’s function (database, email, file/print, etc.)
- Workstation configuration assessments be performed using audit/assurance programs designed for the OS and function (desktop, laptop, special applications, etc.)
- User access and identity management be reviewed using ISACA’s Identity Management Audit/Assurance Program
- DNS management be approached as part of a network assessment