I wonder if you could give me a steer in the direction of any obvious missing areas: Alternatively there may already be a benchmark of requirements for an internal security healthcheck that I could use that you may be aware of?
My lame effort below:
1. Identify vulnerabilities on physical desktop devices (i.e. OS security, application security, compliance with golden build)
2. Identify vulnerabilities on physical laptop devices (i.e. OS security, application security, compliance with golden build)
3. Identify vulnerabilities on file and print servers (i.e. inappropriate share/directory ACL’s)
4. Identify vulnerabilities in critical database and database servers (i.e. weak passwords, missing patches, inappropriate permissions)
5. Identify vulnerabilities and security misconfigurations on VMware host systems
6. Identify weaknesses in security related group policies
7. Identify weaknesses in patch management processes
8. Identify weaknesses in account management processes
9. Identify weaknesses in access management processes
Looking at the going rates for security healthchecks (seem to be in the ballpark of $1300 per day per consultant), we probably have budget for around 10 days’ work, so ideally I want to focus on the highest priority. As a rough guide we are talking 20 VSphere, hosts, 200 guests, 500 thin client users (citrix xen), 500 physical client device users. Any sort of steer will be a help. I am guessing most companies will come with a pack of what they can offer, but I thought any sort of heads up on what they should cover will be a useful assistance. I want some input on scope so we dont get ripped off by some user just coming in and running nessus, and thats all they do as if thats the limit we probably could do that internally.