With the current update, several new features have been added to AuditTAP. One of the new features is particularly important for companies.
What is the AuditTAP?
The AuditTAP checks the Secure Configuration of your systems (for example Windows 10, Windows 11, Microsoft server operating systems or Linux) and frequently used programs such as Microsoft Office, Google Chrome and Mozilla Firefox.
Based on a transparent report, you will learn whether the operating systems and applications in use meet the hardening recommendations of BSI, DISA, CIS, ACSC and Microsoft.
You may also download the latest version of AuditTAP free of charge and use it fully in accordance with the BSD3 license. Click here to download from Github:
AuditTap 5.2: What is the biggest change?
After introducing only a few minor updates with AuditTAP 5.1, the new update includes a few major and, above all, important changes. For example, version 5.2 brings a business-oriented risk model called “risk score”.
This risk score evaluates the state of a system from a quantitative point of view and now also takes into account the criticality of settings. In addition to the number of compliant or non-compliant settings, a weighting is also applied. This is because some settings are more critical than others from an information security perspective.
Both assessment dimensions taken together then result in risk score.
Due to this, the report has been restructured and minor design changes lead to an even better and easier readability. Finally, some benchmark updates have been implemented.
Why is the new risk assessment so important?
The AuditTAP offers the possibility to easily and transparently perform an audit of IT systems. In just a few seconds, you can see to what extent your own configurations comply with the system hardening recommendations of DISA, CIS & Co.
Can it be any better? We think so: Yes! Because until now, there was no help when the following questions were asked:
-
- Is a system secure if 90% compliance has been achieved, but SMBv1 is turned on?
- Is a system considered insecure if only 70% compliance has been achieved but, for example, the obsolete SMBv1 protocol or the use of the RC4 algorithm has been prevented?
- Or is a system considered secure if the Windows firewall has been disabled?
To enable a better assessment of the risk, we have implemented the new risk score. With it, even non-technical people can see and understand how risky the insufficiently or only partially hardened system is. This helps immensely to answer the questions posed above.
This is what the AuditTAP report looks like in action
If a report is created at the operating system level (currently Microsoft operating systems are supported) using AuditTAP, all important points – summarized and consolidated – can be found in the new menu item “Summary”.
This is also where the new, risk-based approach is located. A risk matrix is used to evaluate the number of settings conforming to a hardening recommendation, but also the criticality of the settings. This combination leads to a direct interpretation of the configuration targeting the risk. As a result, potential actions can now be prioritized more easily.
The calculation of the risk score turns out to be quite simple. It is explained transparently in the report itself under the “Risk Score” tab, as well as explained below.
Quantitatively, a certain level of compliance is required to lower the risk level from “Critical” to “Low”. This table illustrates this:
Compliance to Benchmark | Risk assessment |
80% < X | Low |
65% < X < 80% | Medium |
50% < X < 65% | High |
X < 50% | Critical |
A system with a compliance of less than 50% with current hardening recommendations is thus considered “critical” per se.
Qualitatively, AuditTAP checks whether settings stored as critical (“severity”) do not conform to the hardening recommendations. If one of the settings stored as critical does not conform to the recommendation, it is considered critical and thus corresponds to the highest risk level.
For example, the following settings are marked as critical:
-
- Passwords must not be stored with reversible encryption
- Audit logs may only be managed by administrators
- RC4 must be disabled
- SMBv1 must be disabled
- Windows Firewall must be turned on
- Various Attack Surface Reduction (ASR) configurations must be configured.
Would you like to learn more about AuditTAP’s new Risk Score? And do you want to know what things you can or should derive from the results? Then read this article:
What else is new in AuditTap 5.2?
With more changes and optimizations, we have taken the ever-growing AuditTAP to a new level. These things have been added in addition to the risk score:
-
- To better structure the now quite long report, there is now a navigation bar.
- The top header bar has been slimmed down. The content from the top header bar has now moved down to the content area of the report.
- Individual hardening recommendations are now checked for the currently available version.
- Some issues from the community have been fixed. A detailed overview of all changes can be found on this changelog page.
- In short, the new AuditTAP is now more visually appealing, easier to interpret, and offers an important new feature in the form of risk assessment.
How to use AuditTAP?
The installation as well as the application is quite simple. This video will help you get started:
What follows after the audit?
If the systems are not configured according to generally accepted hardening recommendations, this deficiency must be eliminated as quickly as possible. For example, with a #NoCodeHardening tool such as the Enforce Administrator.
Shall we show you Enforce Administrator?
Do you need help with the secure configuration of systems?
Do you have questions about AuditTAP? Or do you need support with (automated) system hardening? Do you want to integrate system hardening directly into your deployment or installation processes? Our experts are here for you! Contact us without obligation and we will get back to you as soon as possible.