Mikrotik RouterOS Security Audit Checklist

Each checklist item gives the audit question, a Findings column (Yes/No) for the auditor to fill in, the ISO 27001 control(s) it maps to, and the standard or best practice against which the answer is judged.

Router Policy

Question: Is a router security policy in place?
Findings: Yes / No
ISO 27001 Control: A.5.1.1, A.9.1.2
Standard/Best Practice: The router security policy will address the requirements from the business, regulations, etc. It will consist of policy topics such as access control, backup, etc.

Administrator Authentication

Question: Is there a documented procedure for creation of users?
Findings: Yes / No
ISO 27001 Control: A.12.1.1, A.9.2.1, A.9.2.2
Standard/Best Practice: A documented procedure for creation of administrators on the router should exist. The procedure should address:
- Approval from the department head
- Recording the authorization level given to the new administrator and its duration

Question: Does each router administrator have a unique account for himself/herself?
Findings: Yes / No
ISO 27001 Control: A.9.2.1, A.9.2.2
Standard/Best Practice: Each router administrator should have a unique account in order to maintain accountability.

Question: According to policy, how often do admin passwords have to be changed?
Findings: Yes / No
ISO 27001 Control: A.9.4.3
Standard/Best Practice: Admin passwords need to be changed periodically, typically once every 4-6 months depending on the functionality of the router.

Question: Do the admin passwords meet the required complexity as defined by the policy?
Findings: Yes / No
ISO 27001 Control: A.9.3.1
Standard/Best Practice: All passwords defined on the router should meet the following criteria:
- Minimum 8 characters in length
- Alphanumeric along with special characters (@#$%)
- Must not include the organization's name

Question: Are all user accounts assigned the lowest privilege level that allows them to perform their duties? (Principle of Least Privilege)
Findings: Yes / No
ISO 27001 Control: A.9.2.3
Standard/Best Practice: All user accounts should be assigned the lowest privilege level that allows them to perform their duties. If multiple administrators exist on the router, each administrator should be given an individual username and password and assigned the lowest privilege level.

Question: Is a Message of the Day (MOTD) banner defined?
Findings: Yes / No
ISO 27001 Control: A.9.4.2
Standard/Best Practice: Login banners should be used as a preventive measure against unauthorized access to the routers. Use the following command to enable a MOTD banner (replace [MOTD] with the banner text):
/system note set note=[MOTD]

Router Access Management

Question: Are unused services such as webfig, ssh, telnet, dns allow-remote-requests, etc. disabled?
Findings: Yes / No
ISO 27001 Control: A.9.4.4
Standard/Best Practice: Unused services need to be disabled to prevent unauthorized access and possible exploitation.

Question: Is Mikrotik Network Discovery Protocol disabled on the router?
Findings: Yes / No
ISO 27001 Control: A.12.6.1, A.9.4.4, A.13.1.3
Standard/Best Practice: Mikrotik Network Discovery Protocol enables neighbouring (directly connected) routers to learn information about this router. It should be disabled if not used, and in any case on interfaces facing an external network.

Question: Which version of SNMP is used to manage the router?
Findings: Yes / No
ISO 27001 Control: A.13.1.1
Standard/Best Practice: Ideally SNMP version 3 should be used on the router, since it introduces authentication in the form of a username and password and offers encryption as well. SNMP is disabled by default in MikroTik; however, if enabled, there will be one default community called public.

Question: Is the SNMP process restricted to a certain range of IP addresses only?
Findings: Yes / No
ISO 27001 Control: A.13.1.1
Standard/Best Practice: If SNMP v1 or v2c is used, ACLs should be configured to limit the addresses that can send SNMP commands to the device. SNMP v1 and v2c use the community string as the only form of authentication, and it is sent in clear text across the network.

Question: Are default community strings such as public changed?
Findings: Yes / No
ISO 27001 Control: A.9.2.4
Standard/Best Practice: Default community strings such as public should be changed immediately, before bringing the router onto the network.

Question: How often is the SNMP community string changed?
Findings: Yes / No
ISO 27001 Control: A.9.3.1
Standard/Best Practice: If SNMP v1 or v2c is being used, the SNMP community strings should be treated like root passwords: changed often and made complex.

Configuration Management

Question: How often are the router configurations backed up?
Findings: Yes / No
ISO 27001 Control: A.12.3.1
Standard/Best Practice: Router configurations should be backed up periodically, depending on their importance and the frequency of changes made to the configuration.

Question: Is there any technical control to prevent unauthorized access to configuration backups?
Findings: Yes / No
ISO 27001 Control: A.8.2.1, A.12.3.1
Standard/Best Practice: If a file server is used to store configuration files, access to the files should be restricted to authorized personnel only.

Question: Is there a documented procedure for backup of router configurations?
Findings: Yes / No
ISO 27001 Control: A.12.3.1, A.12.1.1
Standard/Best Practice: The backup procedure, including backup periods and the backup storage location, needs to be documented.

Question: Is there any procedure for system reset or recovery from backup?
Findings: Yes / No
ISO 27001 Control: A.12.1.1
Standard/Best Practice: A clear procedure for system reset or recovery from backup needs to be documented to prevent unnecessary downtime.

Question: Are all router configuration changes and updates documented in a manner suitable for review according to a change management procedure?
Findings: Yes / No
ISO 27001 Control: A.12.1.2
Standard/Best Practice: Any router configuration changes and updates need to follow the change management procedure, to prevent unnecessary downtime and to maintain the integrity of the configuration.

Question: Is there any periodic router capacity review for performance assurance?
Findings: Yes / No
ISO 27001 Control: A.12.1.3
Standard/Best Practice: Router capacity needs to be reviewed periodically to confirm it is still sufficient for operational requirements.

Question: Is the network engineer aware of the latest vulnerabilities that could affect the router and aware of recent updates?
Findings: Yes / No
ISO 27001 Control: A.6.1.4, A.12.6.1
Standard/Best Practice: The network engineer should receive periodic RouterOS update notices.

Business Continuity

Question: Is there router redundancy in cold standby or hot standby?
Findings: Yes / No
ISO 27001 Control: A.17.1.1, A.17.1.2
Standard/Best Practice: Depending on your organization's requirements, time-critical and strategic routers need to have redundancy.

Question: Are disaster recovery procedures for the router/network documented, and are they tested?
Findings: Yes / No
ISO 27001 Control: A.17.1.2, A.17.1.3
Standard/Best Practice: Any disaster recovery plan needs to be documented properly and tested periodically.

Question: Is the configuration backup saved to an off-site/DR site?
Findings: Yes / No
ISO 27001 Control: A.12.3.1, A.17.1.1
Standard/Best Practice: A copy of the router configuration needs to be saved to an off-site/DR site for disaster recovery purposes.

Log Management and Incident Handling

Question: Is login and logout tracking/command logging for the router administrators enabled?
Findings: Yes / No
ISO 27001 Control: A.12.4.1, A.12.4.3
Standard/Best Practice: A detailed log of every command typed on the router, as well as of when an administrator logged in or out, can be recorded for audit purposes.

Question: Is the NTP server service used to synchronize the clocks of all the routers?
Findings: Yes / No
ISO 27001 Control: A.12.4.4
Standard/Best Practice: The NTP service synchronizes clocks between networking devices, thereby maintaining a consistent time, which is essential for diagnostics, security alerts and log data.

Question: Are all attempts to any port, protocol, or service that is denied logged?
Findings: Yes / No
ISO 27001 Control: A.12.4.1, A.16.1.2
Standard/Best Practice: All security events need to be logged.

Question: Is logging to a syslog server enabled on the router?
Findings: Yes / No
ISO 27001 Control: A.12.4.2, A.16.1.2
Standard/Best Practice: Critical and important logs should be sent to and stored on an external syslog server.

Question: How often are the router logs (covering administrator access/access control) reviewed?
Findings: Yes / No
ISO 27001 Control: A.12.4.1
Standard/Best Practice: Logs need to be reviewed regularly.

Question: Are reports and analyses carried out based on the log messages?
Findings: Yes / No
ISO 27001 Control: A.16.1.6
Standard/Best Practice: Reports and analysis should be based on the log messages.

Question: Is there any documentation for the course of action to be followed if an incident is noticed?
Findings: Yes / No
ISO 27001 Control: A.16.1.1
Standard/Best Practice: The course of action for any incident should be planned and documented properly.
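As an added example (not part of the original checklist), the following Python script parses a constructed RouterOS `/export` snippet and flags the Router Access Management and Log Management items above: enabled clear-text or unused services, DNS remote requests, MNDP on an interface list, the default or unrestricted SNMP community, a missing remote syslog action, and a disabled NTP client. The section paths and key names follow RouterOS export syntax; the sample configuration is constructed and not taken from a real device.

```python
import re
# Constructed sample of a RouterOS "/export" from a hypothetical device (not a real capture).
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=no
set ssh disabled=no address=192.168.88.0/24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip neighbor discovery-settings
set discover-interface-list=all
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public
"""

def parse_export(text):
    """Group each set/add line of an export under its /section path as a key=value dict."""
    sections, section = {}, ""
    for words in (ln.split() for ln in text.splitlines() if ln.strip()):
        if words[0].startswith("/"):
            section = " ".join(words)
        elif words[0] in ("set", "add"):
            item = dict(re.findall(r"(\S+?)=(\S+)", " ".join(words)))
            if len(words) > 1 and "=" not in words[1] and words[1] != "[":
                item.setdefault("name", words[1])  # "set telnet ..." names the item
            sections.setdefault(section, []).append(item)
    return sections

def audit(text):
    """Return findings for the Access Management and Log Management checklist items."""
    cfg, out = parse_export(text), []
    for svc in (s for s in cfg.get("/ip service", []) if s.get("disabled") != "yes"):
        if svc.get("name") in ("telnet", "ftp", "www", "api"):
            out.append(f"unused/clear-text service {svc['name']} enabled")
        elif svc.get("address", "0.0.0.0/0") == "0.0.0.0/0":
            out.append(f"service {svc['name']} not restricted by source address")
    if any(d.get("allow-remote-requests") == "yes" for d in cfg.get("/ip dns", [])):
        out.append("DNS allow-remote-requests enabled (router answers as an open resolver)")
    for nd in cfg.get("/ip neighbor discovery-settings", []):
        if nd.get("discover-interface-list", "none") != "none":
            out.append("MNDP enabled on interface list " + nd["discover-interface-list"])
    for com in cfg.get("/snmp community", []):
        if com.get("name") == "public":
            out.append("default SNMP community 'public' still present")
        if com.get("addresses", "0.0.0.0/0") == "0.0.0.0/0":
            out.append("SNMP community accepts requests from any address")
    if not any(a.get("target") == "remote" for a in cfg.get("/system logging action", [])):
        out.append("no remote syslog logging action configured")
    if not any(n.get("enabled") == "yes" for n in cfg.get("/system ntp client", [])):
        out.append("NTP client not enabled, log timestamps cannot be correlated")
    return out
```

Run `audit(SAMPLE_EXPORT)` to list the seven findings for the sample; a section absent from the export is treated as left at its RouterOS default.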

This work is a derivative work from a document ISO27k Cisco Router Security Audit
Checklist copyright 2007, ISO27k Forum, some rights reserved. It is licensed under the Creative
Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce,
circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a
commercial product, (b) it is properly attributed to the ISO27k implementers' forum
(www.ISO27001security.com), and (c) if shared, any derivative works are shared under the same terms
as this.
Note: this is NOT security advice. Do not rely on this checklist. Refer to the Mikrotik RouterOS
documentation and take advice from competent network security professionals.