Do you remember your "first love"?
I will never forget the name of my first server - Rachel. I was very proud to be the person whose job it was to defend Rachel from all types of disruption. To this day I still remember each IP address, user account, service account and application. When patches were installed, I manually verified they had been applied successfully. I diligently reviewed the logs and configured full auditing to let me know the success and failure of just about everything.
I have administered many servers since Rachel, but I do not remember as much about them as I do about my "first love". Consider this an invitation to fall back in love with your servers, an invitation to return to the time when you did everything possible to defend them. By returning to the diligence you once had, many problems and outages could be avoided.
How can you do this? The act of actively measuring how well you manage, secure and maintain your servers can very well be the catalyst you need to return to your "first love". Consider creating and sending yourself a daily report that clearly shows their current security posture. What are good candidates for this report? I am glad you asked. Some of my favorites include the following.
- Mean time to detect a network scan
- Mean time to identify a new administrator account
- Mean time to identify a new service running (or not running anymore)
There are certainly many metrics you could track. Pick a few and diligently check them every day for the next month. You'll be glad you did!
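As an added example, not code from the diary or its author, here is one way to turn the second and third metrics above into a daily report on a Windows server. The script snapshots the local Administrators group and the service list, diffs them against the snapshot from the previous run, and for each new administrator looks up the Security event that added the account (4732, member added to a security-enabled local group) so the report can state how long the change went unnoticed. The snapshot and report paths are assumptions, as is that account management auditing is enabled on the host; the network-scan metric is left out because it needs firewall or IDS data that is not on the page.

```powershell
# Added example (not from the diary): daily posture report built from a baseline diff.
# Assumptions: the two paths below, PowerShell 5.1 or later, and that
# "Audit Security Group Management" is enabled so event 4732 is actually written.
$SnapshotPath = 'C:\PostureReport\baseline.json'                          # assumed location of yesterday's snapshot
$ReportPath   = "C:\PostureReport\report-$(Get-Date -Format yyyyMMdd).txt" # assumed report location
$Now = Get-Date

# Current state: administrators keyed by SID (names can be renamed, SIDs cannot)
# and services keyed by name with their state and the account they run as.
$Admins = @{}
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $Admins[$_.SID.Value] = $_.Name }
$Services = @{}
Get-CimInstance Win32_Service | ForEach-Object { $Services[$_.Name] = "$($_.State) as $($_.StartName)" }

$Report = [System.Collections.Generic.List[string]]::new()
$Report.Add("Security posture report for $env:COMPUTERNAME, $($Now.ToString('u'))")

if (Test-Path $SnapshotPath) {
    $Previous  = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    $PrevTaken = [datetime]$Previous.Taken
    $PrevAdmins   = @{}; $Previous.Admins.PSObject.Properties   | ForEach-Object { $PrevAdmins[$_.Name]   = $_.Value }
    $PrevServices = @{}; $Previous.Services.PSObject.Properties | ForEach-Object { $PrevServices[$_.Name] = $_.Value }

    # Every 4732 since the last run; no events is a non-terminating error, hence SilentlyContinue.
    $AddEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $PrevTaken } -ErrorAction SilentlyContinue)

    # New administrators: diff by SID, then find the event that added each one.
    $Lags = @()
    foreach ($Sid in $Admins.Keys) {
        if ($PrevAdmins.ContainsKey($Sid)) { continue }
        $Added = $AddEvents | Where-Object {
            $Data = ([xml]$_.ToXml()).Event.EventData.Data
            ($Data | Where-Object Name -eq 'MemberSid').'#text' -eq $Sid
        } | Select-Object -First 1
        if ($Added) {
            $Lag = $Now - $Added.TimeCreated
            $Lags += $Lag.TotalHours
            $Report.Add(("NEW ADMIN     {0} added {1:u}, noticed {2:N1} h later" -f $Admins[$Sid], $Added.TimeCreated, $Lag.TotalHours))
        } else {
            $Report.Add("NEW ADMIN     $($Admins[$Sid]) (no 4732 event since last run; check that group management auditing is on)")
        }
    }
    foreach ($Sid in $PrevAdmins.Keys) {
        if (-not $Admins.ContainsKey($Sid)) { $Report.Add("REMOVED ADMIN $($PrevAdmins[$Sid])") }
    }
    if ($Lags.Count -gt 0) {
        $Mean = ($Lags | Measure-Object -Average).Average
        $Report.Add(("Mean time to identify a new administrator today: {0:N1} h over {1} account(s)" -f $Mean, $Lags.Count))
    }

    # Services: new, gone, or changed state / logon account since the last run.
    foreach ($Name in $Services.Keys) {
        if (-not $PrevServices.ContainsKey($Name)) { $Report.Add("NEW SERVICE   $Name ($($Services[$Name]))") }
        elseif ($PrevServices[$Name] -ne $Services[$Name]) { $Report.Add("CHANGED       $Name was $($PrevServices[$Name]), now $($Services[$Name])") }
    }
    foreach ($Name in $PrevServices.Keys) {
        if (-not $Services.ContainsKey($Name)) { $Report.Add("GONE SERVICE  $Name (was $($PrevServices[$Name]))") }
    }
    if ($Report.Count -eq 1) { $Report.Add('No changes since the last run.') }
} else {
    $Report.Add('First run: baseline recorded, nothing to compare yet.')
}

# Today's state becomes tomorrow's baseline; the report is written and echoed.
New-Item -ItemType Directory -Path (Split-Path $SnapshotPath) -Force | Out-Null
@{ Taken = $Now.ToString('o'); Admins = $Admins; Services = $Services } | ConvertTo-Json -Depth 3 | Set-Content -Path $SnapshotPath
$Report | Set-Content -Path $ReportPath
$Report | Write-Output
```

Run it once a day from Task Scheduler as an account that can read the Security log. The lag it reports is bounded by how often the task runs, so the metric only improves by running more often or by alerting on 4732 directly; a month of report files gives the running mean the diary asks you to watch. Keep the snapshot file somewhere an intruder who has just made themselves an administrator cannot trivially edit.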
Feel free to use our comment page to let us know what you are doing to remember your “first love”.
Russell Eubanks
@russelleubanks
Comments
Anonymous
Oct 28th 2014
1 - Ask psexec to list all executables on a Windows system and send the output to a file using the command:
@echo off
rem dir is a cmd built-in, not an executable, so PsExec has to launch cmd to run it
psexec cmd /c dir /s /b C:\*.exe > %computername%_ExeFound.txt
2 - Ask WMIC to tell you the patches that are installed using the command:
wmic qfe > patches.txt - NOTE - WMIC is extensively covered at http://blog.commandlinekungfu.com/
3 - Use the security log to search for Successful ( and unsuccessful ) logins for administrative and service accounts
4 - Review the daily log volume, perhaps looking at the last 7 days to show trends that indicate significantly more or less than expected log volume
5 - Count the number of Remote Desktop sessions in a "normal" day
6 - Look for the events generated when the Security log is cleared