Server OS and App Patches, Hot Fixes, Service Packs
Objective: Standardized decision-making process for how and when system patches are applied.
Description: All members of the SysAdmin team are responsible for keeping informed regarding the latest details and alerts concerning SPU technologies; including: OS and application security patches; hot fixes; service packs; security alerts; etc.
Staff members holding primary administrative responsibility for each given server are responsible for applying necessary upgrades in a timely and proactive manner. This is generally defined as “quarterly,” unless circumstances dictate special implementations.
Prior to applying an upgrade, the responsible analyst will send an email to the SysAdmin group informing them of their intent. Details will include the upgrade version, the servers on which the patch will be applied, the expected time during which the upgrade will occur, and any anticipated disruptions in service. This notification should be made with ample time so that concerns regarding the upgrade may be addressed prior to implementation.
In instances where upgrades will be applied on multiple servers, the order of progression will be that the 'least critical' server will be targeted first, and an appropriate time to observe any ill-effects of the upgrade given before applying the upgrade to more essential systems.
Frequency/Detail of Routine Sys Admin Tasks
Objective: Standardize the procedures and frequency of systems administration tasks for all CIS servers.
Description: The following procedures have been tested and are recommended to be performed by primary analysts in accordance with the frequency noted. Please note that references to specific applications and logs will change depending on the server under consideration. The following procedures are intended as general guidelines; analysts are expected to provide their own granularity to the technologies within their charge.
- Drive Space Freq: weekly
Drives should have enough free space (at least 1 gig)If drive is full, check for unnecessary temp files, programs that shouldn't be installed, and probably check the sizes of log files… delete / uninstall these things as needed.
- Backup Metabase Freq: scheduled twice daily
Copy a back up of the back up of the Metabase dir to the folder in d: drive.
- Check SQL Backup Logs Freq: weekly
Make sure the databases are getting backed up. If these are not getting backed up, figure out why, but in the mean time, do a manual backup of the files (stop the service & just copy the data dir).
- Check IIS Logs Freq: weekly
Make sure URLscan is blocking things and look for weird requests. If there are odd or tell tale signs of hacking or virus, start to isolate the day / times and the ISPs.
- Check hotfixes and OS updates Freq: weekly / as released
Run windows update to double check for OS, security patches / updates. Run hotfix checker / security analyzer and update as needed. Maintain close watch for industry alerts and recommendations. Some of the reports will be false positives; also beware of hardware issues. If a hotfix is not current or updated, update in accordance with the steps outlined in “Server OS and App Patches, Hot Fixes, Service Packs.”
- Check virus updates Freq: weekly
Make sure the virus updates are running / have current version… these should be automatically updating. If not automatic, update and patch DATs immediately and diagnose/resolve why manual intervention was needed.
- Check Event Viewer Freq: weekly
Learn appropriate message patterns and look for unusual errors, stop events, anomalies. Many alerts are informational, but take immediate action on STOP errors. Some are common and ok… but keep an eye out for odd-balls. Also, in the security logs, check for mysterious users / frequent & short log on / off instances: these are virus indicators.
- Check security tab on HDs Freq: weekly
Make sure "everyone" group does not have access. Or other unauthorized accounts. Remove unauthorized accounts / reset correct permissions.
- Defrag / Scandisk HDs Freq: monthly / as needed
Run defrag / scandisk. Defrag if fragmentation exceeds (x)%.
- Activity Logging Freq: as tasks are completed
Analysts will maintain an activity log file for each server that shall be used to document all details of the activities mentioned above.
Archive of Server Log Files
Objective: Standardize archival requirements for NOS and Application server log files.
Description: Recognizing the value of maintaining a historical archive of server log files, CIS shall maintain at least 3 months of log data on each server, and ideally, up to 6 or 12 months.