Do you remember your "first love"?

Published: 2014-10-28
Last Updated: 2014-10-28 03:05:10 UTC
by Russell Eubanks (Version: 1)
2 comment(s)

I will never forget the name of my first server - Rachel. I was very proud to be the person whose job it was to defend Rachel from all types of disruption. To this day I still remember each IP address, user account, service account and application. When patches were installed, I manually verified they had been applied successfully. I diligently reviewed the logs and configured full auditing to let me know the success and failure of just about everything. 

I have administered many servers since Rachel, but do not remember as much about them as I do about my "first love”. Consider this an invitation to fall back in love with your servers. An invitation to return back to the time when you did everything possible to defend them. It may be possible that by returning to the diligence you once had, many problems and outages could be avoided.

How can you do this? The act of actively measuring how well you manage, secure and maintain your severs can very well be the catalyst you need to return back to your "first love”. Consider creating and sending yourself a daily report that clearly shows its current security posture. What are good candidates for this report? I am glad you asked, Some of my favorites include the following. 

  • Mean time to detect a network scan
  • Mean time to identify a new administrator account
  • Mean time to identify a new service running (or not running anymore)
     

There are certainly many metrics you could track. Pick a few and diligently check them every day for the next month. You'll be glad you did! 

Feel free to use our comment page to let us know what you are doing to remember your “first love”.

 

 

Russell Eubanks

@russelleubanks

Keywords:
2 comment(s)

Comments

Mean Time doesn't seem like the place to start. How to identify new services running or not running, new accounts, etc. should be the place to start. I manage a single server, and would love to see a list of things that could be reported daily that shows the security stance. I currently run logwatch and get those reports daily, but would love a list of other things to add!
Building upon the list of things to check for daily, I have found success with the following.


1 - Ask psexec to list all executables on a Windows system and send the output to a file using the command:

@echo off
psexec dir *.exe > %computername%_ExeFound.txt

2 - Ask WMIC to tell you the patches that are installed using the command:

wmic qfe > patches.txt - NOTE - WMIC is extensively covered at http://blog.commandlinekungfu.com/

3 - Use the security log to search for Successful ( and unsuccessful ) logins for administrative and service accounts

4 - Review the daily log volume, perhaps looking at the last 7 days to show trends that indicate significantly more or less than expected log volume

5 - Count the number of Remote Desktop sessions in a "normal" day

6 - Look for the events generated when the Security log is cleared


Russell Eubanks
@russelleubanks

Diary Archives