A checklist of items to check, especially when inheriting a foreign network.

This list is meant to be a prompt sheet for getting an overview of a network in order to understand and make recommendations, as well as perform basic health check. It is not a survey that you can get a client to complete.

• How many servers?
• Is virtualization being used?
  • Virtual platform? (VMware/Xen/HyperV etc)
• What operating systems are installed?
  • Windows NT4 (!!), 2003 (!!), 2008 (!!), 2008 R2 (!!), 2012, 2012 R2, 2016
  • Linux
  • Solaris/HP-UX/Other Unix
• File Servers
• NAS devices
• Is there a SAN? Fibre Channel or iSCSI?
• Check disk utilization of File Servers / NAS / SAN.
• Are there UPS units installed? Operational?

Check the following items:

• free disk space
• disk health
  • RAID health
  • RAID level; none (!!), RAID0 (!!), RAID1, RAID5(!), RAID6, RAID10, ZFS
• running processes
• memory utilization
• pending updates
• multi-homing

Check the following items:

• disk fragmentation
• network file shares
• local admin accounts

Check the following items:

• distribution and release
• load average
• mountpoints (local and remote)
• listening ports
• logged in users
• host firewall
• uptime

• Website hosting provider? (External/Internal)
• Website developer(s)?
• Deployment stack?
  • Web Server
  • Database - Scheduled Backups?

• Email hosting platform? (Google Apps, Rackspace, Self-hosted etc)
• Self-hosted platform? (Exchange, Kerio Connect etc)
• Server Address, Ports
• Anti-spam and Anti-virus protection?
• Public MX records?
• SPF records? DKIM?

• Is Active Directory installed?
• What is the:
  • Forest:
  • Domain(s):
• Is the domain(s) public or private?
  • Public: Is the domain registered to the business?
• Is there any OU structure in place?
• How many Domain Controllers are there?
  • Is there at least 1 physical Domain Controller?
  • What is the state of replication? (repadmin /showrepl * /errorsonly)
• What roles are installed on what servers? (eg, DC, DHCP, DNS, Print Server, File Server)
• Where are the FSMO roles held? (netdom query /domain:<DOMAIN> FSMO)
• Are there any domain trusts configured?
• Are there any Group Policy Objects:
  • Configured?
  • Linked to OU?
• Is there a password policy in place?
  • Change every X days
  • Complexity?
  • Number of passwords remembered?
• Are there DFS namespaces being used for file shares?

• What IP subnet is being used on the LAN?
• Router/Gateway IP address (LAN):
• Internet Connectivity:
  • ISP & Connection Type (ADSL, cable, fibre etc)
  • Are there static IP Address(es)
  • Router - hardware make/model
• Are there VLAN's in use?
• Are there multiple Layer 3 networks on a single Layer 2?
• Any internal routers in-use to segregate internal networks/subnets?
  • See Routing Section

• Is there a permieter firewall in place?
• Is egress traffic filtered?

• Does the network have DNS redundancy? (2 or more working DNS servers)
• Locally authorative DNS zones:

• DHCP server:
• DHCP scope:
• Check for rouge DHCP servers.

• How many routers are installed?
  • Make/Models
  • Any configured in High Availability (HA)?
  • Are they edge or internal routers?
• Is there firewalling between internal subnets?
• Interfaces
  • Names (system and friendly names)
  • Capabilities (Speed, Media etc)

• How many switches are installed
  • Make/Models
  • Utilization (port usage) of each switch
• Speed/capabilities
  • 10/100mbps -- Gigabit?
  • Copper -- Fibre?
  • SFP's or Media Converters in place?
• Switch topology:
  • Star
  • Daisy-chain
  • Mesh
• Managed Switches:
  • Check interfaces for:
    • Dropped packets.
    • CRC errors.
    • Forced speed/duplex.
  • Is there any Port Security enabled?
  • Check STP is enabled
    • Is the STP root set correctly?
    • Is BPDU Guard enabled?
  • DHCP Snooping - Enabled? Required?
• Uplink Design:
  • Single port uplinks between switches?
  • LACP/LAGG uplinks?
  • Redundant Paths?

• Wireless network installed?
• What are the SSID's?
• Security:
  • Open / No Security (!!)
  • WEP (!!)
  • WPA/WPA2 PSK
  • WPA2 Enterprise (802.1x)
  • Mac Filtering
• Hardware:
  • Make/Models
  • 802.11a/b/g/n/ac
• Management method (individual AP's, central management etc)
• Is coverage sufficient?
• Check for Rogue Access Points (on or off SSID)
• Check channel spacing with surrounding SSID's

• Do users have Local Admin rights?
• Do any users have remote access?
  • Remote Desktop
  • Citrix
• Are there VPN services in place?
  • Site-to-site
  • Road warrior
  • IPSec / PPTP (!!) / SSL
• Are there SSL/TLS protections in place for:
  • Corporate website
  • Email retrieval (POP3/IMAP/ActiveSync)
  • Email sending (SMTPS)
  • Public or self-signed certificates?
  • What are the SSLLabs test results?
• Are logs centrally stored (Splunk/Greylog/Logstash etc)?
• Is there any form of NAC (eg, 802.1x)?
• Auditing; are there any compliance requirements? (PCI, SOX etc)
• Have patches for major vulnerabilities been applied to: Servers? Desktops? Others?
  • Meltdown
  • Spectre
  • Heartbleed
  • Shellshock

• Do users have Domain Admin rights?
• Are there additional enterprise/domain admin accounts besides "Administrator"?
• Are old users/computers disabled/deleted from Active Directory?

• What backup processes are in place?
• Have test restoration of backup been done?
• Are there off-site backups being made?
• Shadow Copies enabled on Windows file servers?

• How many:
  • Desktops
  • Laptops
  • Tablets
  • Smartphones
• Is there any MDM in place for Phones/Tablets etc?

• Operating systems:
  • Windows XP (!!)
  • Windows Vista (!!)
  • Windows 7 (!!)
  • Windows 8
  • Windows 10
  • OS X
  • Linux
• Productivity software (eg Microsoft Office)?
• Anti-virus protection?
• Business/Industry specific applications?
• Are there any instances of Dropbox, OneDrive, Google Drive etc?
  • If yes, is it authorized or is it Shadow IT?
• Are there any instances of TeamViewer, LogMeIn etc?
  • If yes, is it authorized or is it Shadow IT?