Gathering client-server data: A server utility helps auditors at a large confectionary products manufacturer gather configuration data across their company's network - Computers & Auditing

Internal Auditor, Dec, 2001 by Jeffrey N. Mason, Mark Hoffacker

WHEN EVALUATING CORPORATE computer systems, internal auditors used to be able to tap into one central source: the mainframe computer, which held all the secrets of the company's universe. That was then. Today, those same company resources usually are held on multiple servers that are often scattered across various geographical locations. During the past decade, the situation has become, in short, an auditing nightmare.

Many auditors now have to spot-check corporate servers to look for configuration issues. This laborious process typically involves sitting down with a technical employee who has administrator-level security clearance and asking him or her to provide a guided tour of the server to find specific answers to specific questions. The situation is becoming even more complicated as corporate information works its way across the Internet.

At Hershey Foods Corp., a five-member information technology (IT) audit team is in charge of evaluating more than 300 servers running Windows NT and several varieties of UNIX at the company's Pennsylvania headquarters and other sites nationwide. The sheer numbers make manual evaluation of each server impossible. That's why Hershey's IT auditors and IT department recently decided to try a software tool that improves the efficiency and effectiveness of client-server audits.

A GROWING PROBLEM

The proliferation of client-server technology is a global phenomenon. Many companies, including Hershey, have increased their number of servers by more than 100 percent in the past few years. Now, numerous servers typically handle each critical function or application. At Hershey, for example, various servers handle applications related to finance, human resources, inventory, distribution, bar coding, and other functions.

Organizations have migrated away from a mainframe environment because of the versatility offered by the newer client-server technology. Previously, employee terminals were all linked to a mainframe computer, which allowed users only to perform the specific functions displayed on a menu. Today, employees have more control. Armed with personal computers rather than mere "dumb" terminals, they have the ability to create files, print documents, send and receive e-mail, search the Internet, conduct e-commerce, and much more. Organizations typically connect these individual workstations to a network of servers that carry out the transactions.

For the auditor, these modern conveniences mean some modern inconveniences. The mainframe environment was around for decades, and people understood it. Because the system was controlled by only one operating system and one centralized security system, auditors could easily determine who had access to it and what each user was permitted to see and do. Today, instead of one complex machine, auditors must evaluate multiple complex machines that have multiple users with multiple layers of security.

In addition, the server environment can change every day, which means the system often is being altered while the auditor is trying to evaluate it. For instance, vendors send out security patches each week to fix bugs that have been uncovered in server systems. Some administrators might add the patches as soon as they receive them, but others may not. That means if an organization has 50 servers, and each server has five people who are authorized to make changes on it, there is no guarantee each piece of hardware is configured the same way. For an auditor, the situation is as toilsome as comparing the same set of data on 50 spreadsheets that present information in 50 different ways.

A CONTEMPORARY SOLUTION

At most companies, auditing a server-based technology environment is a tedious, manual chore. Operating systems are typically not provided with even the most basic audit tools, and the required security information must be gleaned through a time-consuming process of viewing security parameters on the system administrator's screen. In addition, internal auditors typically do not have administrative privileges on each server, so they have to sit down with a system administrator who has the requisite access every time they need information about a particular server. They then have to ask specific questions regarding the server's security parameter settings and user access restrictions. Consequently, auditors usually review only a small sample of servers.

With the server population continuing to increase, "toolkits" of utilities that make information gathering easier and help enhance server security are becoming more prominent (see "Network Assessment Tools," page 29). One software tool used by Hershey, for example, searches each server and reports whether all available software patches are installed. Another tool searches for security vulnerabilities on the network and suggests remedial action.

Hershey recently purchased a configuration-management utility to help simplify the process even further. Configuration Auditor, created by Ecora Corp., enables users to collect configuration data from all servers connected to the network from a single workstation. Hershey recently used the software to evaluate the security and configuration of 60 Windows NT servers on the company's network. The company's IT auditors found that the new tool saved time, improved the effectiveness of their server audits, and increased cooperation between themselves and the system administrators.


 


Content provided in partnership with Thompson Gale