A list to review the security and control over the NT operating system.

1. Obtain a list of all the Administrators and determine that each user with this capability needs this level of authority.
2. Obtain a list of all users and groups and ensure that each member is a valid entry.
3. Determine that default account rules are set to ensure that all users must properly log on to the system.
4. Determine that the default password rules are set to industry standards.
5. Determine if domains or workgroups are being used. If they are, map each user or group to a domain and ensure that each user requires this level of access.
6. Determine which common user groups have been established and review each group's capabilities to ensure that all users need to have this level of access.
7. Determine what personal groups have been established for each user and ensure that the user needs this level of access to perform their job function.
8. Map all the startup applications for each user to ensure that only authorized applications are accessed.
9. Review all system services to ensure that users are restricted to authorized functions only.
10. Obtain a listing of all directories, sub-directories, and files.
11. Review the permission levels of who owns the directories, sub-directories, and files.
12. Review all user and group privileges to critical or sensitive directories, sub-directories, or files.
13. Obtain a list of all of the user's rights and determine if the user needs this level of authority.
14. Review the Power User group and ensure that only authorized individuals are members of this group.
15. Review the User group and ensure that only authorized individuals are members of this group.
16. Review the Guest group and ensure that this group's authorities are restricted.
17. Review the user's log-on script to ensure that it is set up properly from a security perspective.
18. Review the system's configuration files and ensure that the parameters are properly set.
19. Determine if screen saver security is properly set.
20. Review all devices and the security settings protecting access to these devices.
21. Determine what alerts are established to notify the security administrator of any security violations.
22. Determine if any directory replication has been established and ensure that sensitive or critical data is properly protected on the remote platform.
23. Review the event auditing for the system and determine if it is adequate.
24. Review the backup procedures for contingency planning to ensure that they are adequate.
25. Review the organizational structure to ensure that there is a proper separation of duties.
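
As an added example (not part of the original checklist), the membership reviews in items 1 and 14 to 16 can be partly automated by reconciling the output of `net localgroup <group>` with an approved roster. The sample listing, the roster, the account names and the function names are constructed for illustration.

```python
# Constructed sample of `net localgroup Administrators` output (not real data).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
jsmith
tempcontractor
The command completed successfully.
"""
# Approved roster per group (constructed; in practice, the signed-off access list).
APPROVED = {"Administrators": {"Administrator", r"CORP\Domain Admins", "jsmith", "mbrown"}}

def parse_members(output):
    """Return (group name, member list) from one `net localgroup <group>` listing."""
    group, members, in_members = None, [], False
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("Alias name"):
            group = text[len("Alias name"):].strip()
        elif text and set(text) == {"-"}:
            in_members = True   # the dashed rule precedes the member list
        elif text.startswith("The command completed"):
            in_members = False  # trailer line, not an account
        elif in_members and text:
            members.append(text)
    if group is None:
        raise ValueError("no 'Alias name' line found; not a group listing")
    return group, members

def review_group(output, approved):
    """Compare actual membership with the approved roster, ignoring case."""
    group, members = parse_members(output)
    if group not in approved:
        # A group with no roster cannot be signed off: flag every member.
        return {"group": group, "unauthorized": sorted(members), "stale_approvals": []}
    actual = {m.lower(): m for m in members}
    allowed = {m.lower(): m for m in approved[group]}
    return {
        "group": group,
        "unauthorized": sorted(actual[k] for k in actual.keys() - allowed.keys()),
        "stale_approvals": sorted(allowed[k] for k in allowed.keys() - actual.keys()),
    }

print(review_group(SAMPLE_OUTPUT, APPROVED))
```

Accounts reported as `unauthorized` need a documented justification or removal; `stale_approvals` are roster entries that no longer match a real member and should be retired from the access list.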
All the site contents are Copyright © www.erpgreat.com
and the content authors. All rights reserved.