When was the last time you audited your Windows desktop environment to ensure that the proper policies and standards are being met? If you're like many network managers I work with, you're lucky to have a standard desktop image that gets rolled out as needed. A formal audit of what's what on all desktops may seem to be out of the question.
Perhaps you're looking to standardize your Windows configuration settings. Or, maybe you need to get a better grasp on endpoint security. You may even be looking to clean up your organization's software licensing. Regardless of your goal, there are several things to keep in mind to maximize the effectiveness of a desktop audit.
Define what's needed for a Windows audit
Why are you auditing Windows configurations in the first place? Fully 50% of any successful project -- audit or not -- relies on properly set expectations. In addition to making sure that the right IT people are participating, ask who else outside of IT should be involved to check the desktop environment.
Human resources, legal, regulatory compliance and internal audit staffers come to mind. Given the more stringent requirements for doing business today, representatives from these areas will surely have some say regarding logon banners, local security policies, software licensing, audit logging and the like. Even salespeople and customer service can benefit from having a say in desktop configurations.
Ask all affected parties what they need. Some may look at you like you're crazy. "A desktop audit is an IT thing," they'll presume. Educate them on how a software audit affects the organization as a whole and how their assistance in the decision-making process helps everyone in the business in the long run.
Know your enterprise systems
Understand what's where. You cannot audit what you don't acknowledge. It's easy to overlook certain desktop systems, such as those belonging to salespeople, remote offices or warehouses. However, if you're going to get an accurate picture of current Windows desktop usage, you'll eventually have to look at everything.
Start with your network diagram. Branch out to a network port scanner such as nmap or SoftPerfect Network Scanner to see which hosts are alive. Just don't forget about systems that are not directly accessible via your LAN. All it takes to end up with a mediocre desktop audit is forgetting about various systems that may not be immediately visible but should be under IT control nonetheless.
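To make the "what's where" step concrete, the following added example (not part of the original article) reconciles an asset inventory against the hosts a scanner reports as alive. The inventory columns, hostnames and addresses are constructed sample data; the scan text follows nmap's grepable (`-oG`) host-line layout.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory export; the column names are an assumption.
INVENTORY_CSV = """hostname,ip,location
HQ-DT-001,10.0.1.21,headquarters
HQ-DT-002,10.0.1.22,headquarters
WH-DT-001,10.0.9.15,warehouse
SALES-LT-007,,remote
"""

# Constructed sample of nmap grepable output (fields are tab-separated).
NMAP_GREPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.1.21 (hq-dt-001.corp.example)\tStatus: Up\n"
    "Host: 10.0.1.22 ()\tStatus: Up\n"
    "Host: 10.0.1.57 ()\tStatus: Up\n"
    "Host: 10.0.1.80 ()\tStatus: Down\n"
    "# Nmap done\n"
)

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Status:\s+(\w+)")

def parse_live_hosts(grepable):
    """Return the set of addresses the scan reported as Up."""
    live = set()
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(2).lower() == "up":
            live.add(ipaddress.ip_address(m.group(1)))
    return live

def reconcile(inventory_csv, live):
    """Compare the inventory with live hosts and report the gaps in each."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    known = {ipaddress.ip_address(r["ip"].strip()): r["hostname"]
             for r in rows if r["ip"].strip()}
    return {
        # Answering on the LAN but absent from the inventory.
        "unknown_live": [str(ip) for ip in sorted(live - set(known))],
        # Inventoried with an address but not seen by this scan.
        "not_seen": sorted(n for ip, n in known.items() if ip not in live),
        # No address on record, so a LAN scan can never find them.
        "no_ip": sorted(r["hostname"] for r in rows if not r["ip"].strip()),
    }

if __name__ == "__main__":
    for bucket, items in reconcile(INVENTORY_CSV, parse_live_hosts(NMAP_GREPABLE)).items():
        print(f"{bucket}: {items}")
```

The `not_seen` and `no_ip` buckets are the warehouse, remote-office and sales systems the article warns about: they need a different collection method, not removal from scope.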
Take advantage of security vulnerability assessments
If you're performing periodic vulnerability scans or having more formal internal security assessments, you might already have much of the information you need at your disposal. Vulnerability scanner reports are chock-full of information you can use to analyze the existing state of your desktops and to look at trends over time, such as what's changing and what's not, as well as other areas in obvious need of improvement (such as third-party patch management and local security policies). If the scans are being run with authentication, that's even better. Tools such as Nexpose and LanGuard can provide an amazing amount of insight and information about your Windows systems when run with authentication.
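The trend analysis described above, as an added example that is not part of the original article: it compares two scan snapshots and ranks the findings that persist across hosts. The two-column `host,finding` layout and every row are constructed for illustration; they are not the export format of Nexpose, LanGuard or any other scanner.

```python
import csv
import io
from collections import Counter

# Constructed snapshots from two scan cycles (assumed columns: host, finding).
SCAN_PREVIOUS = """host,finding
HQ-DT-001,Adobe Reader out of date
HQ-DT-001,Guest account enabled
HQ-DT-002,Adobe Reader out of date
WH-DT-001,Java runtime out of date
"""

SCAN_CURRENT = """host,finding
HQ-DT-001,Adobe Reader out of date
HQ-DT-002,Adobe Reader out of date
WH-DT-001,Java runtime out of date
WH-DT-001,No password-protected screen saver
"""

def load_findings(text):
    """Read a snapshot into a set of (host, finding) pairs."""
    return {(r["host"].strip(), r["finding"].strip())
            for r in csv.DictReader(io.StringIO(text))}

def trend(previous, current):
    """Split findings into what was fixed, what appeared and what has not changed."""
    return {
        "resolved": sorted(previous - current),
        "new": sorted(current - previous),
        "persistent": sorted(previous & current),
    }

def persistent_by_finding(previous, current):
    """Rank unchanged findings by how many hosts still carry them."""
    counts = Counter(finding for _host, finding in previous & current)
    return counts.most_common()

if __name__ == "__main__":
    prev = load_findings(SCAN_PREVIOUS)
    curr = load_findings(SCAN_CURRENT)
    for bucket, items in trend(prev, curr).items():
        print(f"{bucket}: {items}")
    # A finding that persists on many hosts points at a process gap,
    # for example third-party patch management, rather than one machine.
    print(persistent_by_finding(prev, curr))
```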
Remember, a desktop audit isn't all about security
Sure, security is a top priority for practically every Windows-based desktop, and ongoing security assessments will indeed complement your desktop audits. But there's more to this exercise, including gathering information on software licensing to ensure compliance, operating system versioning for upgrade planning, and monitoring application usage for the sake of consistency and support.
In addition, it's always a good idea to periodically conduct a general inventory of enterprise systems (including those now under bring-your-own-device policies). The more information you have about your environment, the better decisions you and executives can make.
Windows configuration is a work in progress
Technology is changing faster than most people can realistically keep up with. Don't look at a Windows desktop audit as a one-time deal. Imagine trying to make ongoing decisions about your personal life or anything else in business for years on end based on a one-time snapshot of information. Desktop audits should be part of your ongoing IT plans, likely being performed on an annual basis, perhaps alongside periodic vulnerability assessments.
The more time you can spend making sure that a Windows configuration is in order before you begin a desktop audit, the greater the chance you'll work more efficiently and minimize hassles. It's OK to start small with a software audit, especially if you've never been down this road. Just build out your audit program and tool set, and a Windows desktop audit will be yet another well-run IT function before you know it.
Successful Windows audits can help IT admins optimize workstation configurations, improve security and compliance, as well as streamline systems administration.
This was first published in January 2014