Mikrotik RouterOS Security Audit Checklist

Each item below gives the audit question, the ISO 27001 Annex A control(s) it maps to, and the standard or best practice the router is measured against. The Findings column (Yes/No) is left for the auditor to fill in for every question.
Router Policy

Question: Is a router security policy in place?
ISO 27001 control: A.5.1.1, A.9.1.2
Standard/best practice: The router security policy addresses the requirements coming from the business, regulators, etc., and covers policy topics such as access control, backup, etc.
Administrator Authentication

Question: Is there a documented procedure for the creation of users?
ISO 27001 control: A.12.1.1, A.9.2.1, A.9.2.2
Standard/best practice: A documented procedure for creating administrators on the router should exist. It should cover approval from the department head, and recording of the authorization level given to the new administrator and the duration for which it applies.

Question: Does each router administrator have a unique account?
ISO 27001 control: A.9.2.1, A.9.2.2
Standard/best practice: Each router administrator should have an individual account, so that every action in the logs can be attributed to one person.

Question: According to policy, how often do admin passwords have to be changed?
ISO 27001 control: A.9.4.3
Standard/best practice: Admin passwords need to be changed periodically, typically once every 4-6 months depending on the role of the router.

Question: Do the admin passwords meet the complexity requirements defined by the policy?
ISO 27001 control: A.9.3.1
Standard/best practice: All passwords defined on the router should be at least 8 characters long, mix letters and digits with special characters (@#$%), and not contain the organization's name.

Question: Are all user accounts assigned the lowest privilege level that allows them to perform their duties (principle of least privilege)?
ISO 27001 control: A.9.2.3
Standard/best practice: Every account should be placed in the group with the lowest privileges that still lets it perform its duties. If several administrators manage the router, each should have an individual username and password and the lowest privilege level needed. RouterOS ships with the read, write and full groups; narrower groups can be defined under /user group.

Question: Is a Message of the Day (MOTD) banner defined?
ISO 27001 control: A.9.4.2
Standard/best practice: A login banner states that access is restricted, which deters casual misuse and supports action against unauthorized access. Enable it with:
/system note set note="<banner text>" show-at-login=yes
Router Access Management

Question: Are unused services (WebFig/www, SSH, Telnet, FTP, API, DNS allow-remote-requests, etc.) disabled?
ISO 27001 control: A.9.4.4
Standard/best practice: Unused services need to be disabled to prevent unauthorized access and possible exploitation. Management services are listed under /ip service; each one that is still needed should be limited to the management network with its address= parameter, and the rest disabled. Remote DNS lookups are controlled by /ip dns set allow-remote-requests=no.

Question: Is the MikroTik Neighbor Discovery Protocol (MNDP) disabled on the router?
ISO 27001 control: A.12.6.1, A.9.4.4, A.13.1.3
Standard/best practice: MNDP lets directly connected routers learn each other's identity, addresses and software version. It should be disabled where it is not used, and always on interfaces facing an external network (/ip neighbor discovery-settings).

Question: Which version of SNMP is used to manage the router?
ISO 27001 control: A.13.1.1
Standard/best practice: Ideally SNMP version 3 should be used, since it adds user-based authentication (username and password) and can encrypt the traffic. SNMP is disabled by default in RouterOS; when it is enabled there is one default community called public.

Question: Is the SNMP process restricted to a certain range of IP addresses only?
ISO 27001 control: A.13.1.1
Standard/best practice: If SNMP v1 or v2c is used, access lists should limit the addresses that can send SNMP requests to the device (the addresses= parameter of each entry under /snmp community). SNMP v1 and v2c use the community string as the only form of authentication, and it is sent in clear text across the network.

Question: Are default community strings such as public changed?
ISO 27001 control: A.9.2.4
Standard/best practice: Default community strings such as public should be changed immediately, before the router is brought onto the network.

Question: How often is the SNMP community string changed?
ISO 27001 control: A.9.3.1
Standard/best practice: If SNMP v1 or v2c is being used, the community strings should be treated like root passwords: made complex and changed often.
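The two sections above (administrator authentication and router access management) can be checked mechanically from a /export dump. The following Python is an added example and is not part of the original checklist or of RouterOS; the export parser, the audit rules, the organization name and the sample export are all assumptions made here. One point it makes that the prose does not: /export prints only non-default values, so a service that does not appear in the dump is still at its stock setting (telnet, ftp, www, api and api-ssl enabled), and the checker must treat absence as "enabled".

```python
"""Check a RouterOS /export dump against the administrator authentication and
router access management items (added example; parser, rules and sample are assumptions)."""
import re
from collections import defaultdict

# Constructed sample export, not captured from a real router. /export prints only
# non-default values, so any service or setting missing here is at its stock default.
SAMPLE_EXPORT = """\
/user group
add name=netops policy=ssh,read,winbox,!write,!policy,!sensitive
/user
add name=alice group=netops
add name=bob group=full
add name=carol group=full
/system note
set note="Authorised access only. Activity is logged." show-at-login=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set ssh address=10.0.0.0/24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip neighbor discovery-settings
set discover-interface-list=all
/snmp
set enabled=yes
/snmp community
set [ find default=yes ] addresses=10.0.0.5/32
add addresses=10.0.0.5/32 authentication-protocol=SHA1 encryption-protocol=AES name=monitor security=private
"""

UNUSED_BY_DEFAULT = ("telnet", "ftp", "www", "api", "api-ssl")  # enabled on a stock install
MGMT_SERVICES = ("ssh", "winbox")  # kept, but only reachable from the management network


def parse_export(text):
    """Map each /path section to a list of dicts, one per set/add line."""
    sections = defaultdict(list)
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            path = line
            continue
        verb, _, rest = line.partition(" ")
        entry = {"_verb": verb}
        first = rest.split(" ", 1)[0]
        # "set telnet ..." names the item positionally; "set [ find default=yes ] ..." does not
        if first and "=" not in first and not first.startswith("["):
            entry["name"] = first
        for key, val in re.findall(r'([\w-]+)=("[^"]*"|\S+)', rest):
            entry[key] = val.strip('"')
        sections[path].append(entry)
    return dict(sections)


def password_meets_policy(pw, org_name="examplecorp"):
    """Checklist rule: >= 8 chars, letters, digits and a special character, no organization name."""
    return bool(len(pw) >= 8 and re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)
                and re.search(r"[^A-Za-z0-9]", pw) and org_name.lower() not in pw.lower())


def audit(cfg):
    """Return (checklist item, finding) pairs for every setting that fails."""
    findings = []
    full = [u.get("name", "?") for u in cfg.get("/user", []) if u.get("group") == "full"]
    if len(full) > 1:  # least privilege: one break-glass account in 'full' is enough
        findings.append(("least-privilege", f"{len(full)} accounts in group full: {', '.join(full)}"))
    note = (cfg.get("/system note") or [{}])[0]
    if not note.get("note") or note.get("show-at-login") != "yes":
        findings.append(("motd-banner", "no login banner (/system note ... show-at-login=yes)"))
    services = {s["name"]: s for s in cfg.get("/ip service", []) if "name" in s}
    for name in UNUSED_BY_DEFAULT:
        if services.get(name, {}).get("disabled") != "yes":
            findings.append(("unused-services", f"service {name} is enabled"))
    for name in MGMT_SERVICES:
        svc = services.get(name, {})
        if svc.get("disabled") != "yes" and not svc.get("address"):
            findings.append(("unused-services", f"service {name} reachable from any address"))
    if (cfg.get("/ip dns") or [{}])[0].get("allow-remote-requests") == "yes":
        findings.append(("unused-services", "DNS allow-remote-requests=yes (open resolver unless firewalled)"))
    disc = (cfg.get("/ip neighbor discovery-settings") or [{}])[0]
    if disc.get("discover-interface-list", "all") in ("all", "!dynamic"):
        findings.append(("mndp", "neighbor discovery on all interfaces; use none or a management-only list"))
    if (cfg.get("/snmp") or [{}])[0].get("enabled") == "yes":
        for c in cfg.get("/snmp community", []):
            name = "public" if c.get("default") == "yes" else c.get("name", "?")
            if c.get("default") == "yes" and c.get("disabled") != "yes":
                findings.append(("snmp", "default community public is still enabled"))
            elif c.get("security") != "private":
                findings.append(("snmp", f"community {name} is not SNMPv3 authPriv (security=private)"))
            if not c.get("addresses"):
                findings.append(("snmp", f"community {name} answers queries from any address"))
    return findings
```

Running audit(parse_export(SAMPLE_EXPORT)) on the constructed sample reports two accounts in the full group, api-ssl and winbox left at their defaults, the open DNS resolver, discovery on every interface, and the public community still enabled, while the SNMPv3 community and the banner pass. To use it on a real device, paste the output of /export (or /export verbose, which removes the absence-means-default caveat) into the parser.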
Configuration Management

Question: How often are the router configurations backed up?
ISO 27001 control: A.12.3.1
Standard/best practice: Router configurations should be backed up periodically; the interval depends on the importance of the router and on how often its configuration changes.

Question: Is there a technical control to prevent unauthorized access to configuration backups?
ISO 27001 control: A.8.2.1, A.12.3.1
Standard/best practice: If a file server is used to store configuration files, access to them should be restricted to authorized personnel only. Binary backups (/system backup save) contain the user database, so they must be protected like credentials; /export output is plain text and is the form that can be reviewed and diffed.

Question: Is there a documented procedure for backup of router configurations?
ISO 27001 control: A.12.3.1, A.12.1.1
Standard/best practice: The backup procedure, including frequency and storage location, needs to be documented.

Question: Is there a procedure for system reset or recovery from backup?
ISO 27001 control: A.12.1.1
Standard/best practice: A clear procedure for system reset or recovery from backup needs to be documented to avoid unnecessary downtime.

Question: Are all router configuration changes and updates documented in a manner suitable for review, according to a change management procedure?
ISO 27001 control: A.12.1.2
Standard/best practice: Any change to the router configuration, including software updates, needs to follow the change management procedure to prevent unnecessary downtime and to maintain the integrity of the configuration.

Question: Is the router capacity reviewed periodically for performance assurance?
ISO 27001 control: A.12.1.3
Standard/best practice: Router capacity should be reviewed periodically to confirm that it is still sufficient for the operational requirements.

Question: Is the network engineer aware of the latest vulnerabilities that could affect the router and of recent updates?
ISO 27001 control: A.6.1.4, A.12.6.1
Standard/best practice: The network engineer should follow RouterOS release and security announcements and apply updates periodically.
Business Continuity

Question: Is there router redundancy, in cold standby or hot standby?
ISO 27001 control: A.17.1.1, A.17.1.2
Standard/best practice: Depending on the organization's requirements, time-critical and strategic routers need redundancy.

Question: Are disaster recovery procedures for the router/network documented, and are they tested?
ISO 27001 control: A.17.1.2, A.17.1.3
Standard/best practice: Any disaster recovery plan needs to be documented properly and tested periodically.

Question: Is the configuration backup saved to an off-site/DR site?
ISO 27001 control: A.12.3.1, A.17.1.1
Standard/best practice: A copy of the router configuration needs to be saved at an off-site/DR site for disaster recovery purposes.
Log Management and Incident Handling

Question: Is login/logout tracking and command logging for the router administrators enabled?
ISO 27001 control: A.12.4.1, A.12.4.3
Standard/best practice: A detailed log of every command typed on the router, as well as of when an administrator logged in or out, can be recorded for audit purposes (logins and logouts are written under the account logging topic).

Question: Is the NTP client used to synchronize the clocks of all the routers?
ISO 27001 control: A.12.4.4
Standard/best practice: NTP keeps the clocks of the networking devices synchronized, which is essential for correlating diagnostic output, security alerts and log data across devices.

Question: Are all attempts to any port, protocol, or service that is denied logged?
ISO 27001 control: A.12.4.1, A.16.1.2
Standard/best practice: All security events need to be logged. Firewall rules that drop traffic destined to the router itself (the input chain) should have log=yes and a distinctive log-prefix so the entries can be filtered.

Question: Is logging to a syslog server enabled on the router?
ISO 27001 control: A.12.4.2, A.16.1.2
Standard/best practice: Critical and important logs should be sent to and stored on an external syslog server. The router's own log buffer is small, is held in memory and is lost on reboot, and an attacker who gains access to the router can clear it.

Question: How often are the router logs (covering administrator access and access control) reviewed?
ISO 27001 control: A.12.4.1
Standard/best practice: Logs need to be reviewed regularly.

Question: Are reports and analyses carried out based on the log messages?
ISO 27001 control: A.16.1.6
Standard/best practice: Reports and analysis should be based on the log messages.

Question: Is there documentation of the course of action to be followed if an incident is noticed?
ISO 27001 control: A.16.1.1
Standard/best practice: The course of action for any incident should be planned and documented properly.
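The review and reporting items above are easier to audit when the log review is written down as code. The following Python is an added example, not part of the original checklist or of RouterOS: it takes RouterOS log lines as they appear in /log print or on a remote syslog server (the sample lines are constructed, with documentation addresses), and produces three of the reports the checklist asks for: failed logins per source address, administrator logins from outside an assumed management network, and dropped connections to the router grouped by port.

```python
"""Turn RouterOS log lines into review reports: failed logins per source, administrator
logins from outside the management network and denied connections (added example; the
sample lines are constructed, not captured from a real router)."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the "date time topics message" form RouterOS uses in /log print
# and when forwarding to a remote syslog action. Addresses are documentation ranges.
SAMPLE_LOG = """\
jan/02 09:58:01 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/02 09:58:03 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/02 09:58:05 system,error,critical login failure for user root from 203.0.113.5 via ssh
jan/02 09:58:07 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/02 09:58:09 system,error,critical login failure for user test from 203.0.113.5 via ssh
jan/02 10:00:12 system,info,account user alice logged in from 10.0.0.7 via winbox
jan/02 10:03:40 system,info,account user bob logged in from 198.51.100.20 via ssh
jan/02 10:04:02 firewall,info drop-input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.9:40211->198.51.100.1:23, len 60
jan/02 10:04:05 firewall,info drop-input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.9:40212->198.51.100.1:8291, len 60
jan/02 10:04:08 firewall,info drop-input: in:ether1 out:(unknown 0), proto UDP, 203.0.113.9:40213->198.51.100.1:161, len 78
jan/02 10:15:00 system,info,account user alice logged out from 10.0.0.7 via winbox
"""

LINE_RE = re.compile(r"^(?P<time>\S+ \S+) (?P<topics>\S+) (?P<msg>.*)$")
FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<ip>\S+) via (?P<how>\S+)")
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<ip>\S+) via (?P<how>\S+)")
DROP_RE = re.compile(r"proto (?P<proto>\w+).*?(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<port>\d+)")


def parse_log(text):
    """Split each line into time, topic list and message; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"time": m["time"], "topics": m["topics"].split(","), "msg": m["msg"]})
    return events


def failed_logins(events):
    """Failed login attempts per source address: the brute-force indicator to alert on."""
    counts = Counter()
    for e in events:
        m = FAIL_RE.search(e["msg"])
        if m:
            counts[m["ip"]] += 1
    return counts


def logins_outside(events, mgmt_net):
    """Successful administrator logins whose source is not inside the management network."""
    net = ipaddress.ip_network(mgmt_net)
    hits = []
    for e in events:
        m = LOGIN_RE.search(e["msg"])
        if m and ipaddress.ip_address(m["ip"]) not in net:
            hits.append((m["user"], m["ip"], m["how"]))
    return hits


def denied_by_port(events):
    """Dropped connections to the router, grouped by protocol and destination port."""
    counts = Counter()
    for e in events:
        if "firewall" in e["topics"]:
            m = DROP_RE.search(e["msg"])
            if m:
                counts[(m["proto"], int(m["port"]))] += 1
    return counts


def report(text, mgmt_net="10.0.0.0/24", fail_threshold=5):
    """The periodic review in one call; the management network and threshold are assumed values."""
    events = parse_log(text)
    fails = failed_logins(events)
    return {
        "brute_force_sources": sorted(ip for ip, n in fails.items() if n >= fail_threshold),
        "logins_outside_mgmt": logins_outside(events, mgmt_net),
        "denied_by_port": denied_by_port(events).most_common(),
    }
```

On the sample, report(SAMPLE_LOG) flags 203.0.113.5 for five failed SSH logins, lists bob's SSH login from 198.51.100.20 as coming from outside the management network, and shows one dropped probe each against telnet (23), Winbox (8291) and SNMP (161). Because the regular expressions key on the message text rather than on topics, the same functions work on lines received by a syslog server, where the router's topic prefix is preserved as the start of the message.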
This work is a derivative work from a document ISO27k Cisco Router Security Audit
Checklist copyright 2007, ISO27k Forum, some rights reserved. It is licensed under the Creative
Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce,
circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a
commercial product, (b) it is properly attributed to the ISO27k implementers' forum
(www.ISO27001security.com), and (c) if shared, any derivative works are shared under the same terms
as this.
Note: this is NOT security advice. Do not rely on this checklist. Refer to the Mikrotik RouterOS
documentation and take advice from competent network security professionals.