Actions on arrival at a new job: taking over, updating, documentation, audit

I read "IT Infrastructure Audit - how to start as a beginner" with interest, but it seemed to me that the to-do list (especially when everyone who remembered anything quit a long time ago) is much wider.

If your organization has no established processes, this text is useless to you. If it has them, it is useless as well. Almost the Rifleman's Creed: without me, my rifle is useless; without my rifle, I am useless.

I have not seen any standard management package covering the entire architecture and technology stack, which is not surprising given the constant discrepancy between what the accounting records say and what is actually deployed, and the general complexity of the systems. It is good when the network diagram, the password register and the other essentials are maintained, and when someone tracks what expires when (certificates, domain renewal), but often this is not the case. Some simply forgot to ask, others did not worry about it, a third group had it but has already quit, and a fourth gave up on it, so we have what we have.

Lifecycle management and SCOM / SCSM are a somewhat different matter, and ITIL Service Asset and Configuration Management is a set of good wishes that does not come with any particular functionality.

Accordingly, the first thing you need when you start a job is an audit "for yourself":

- Which devices are where, what they are responsible for, whether there is access to them (web control panel / ssh / iLO) and, if not, how to restore it. Whether these devices are alive or only exist on the books.

- Who is responsible for the ACS (physical access control), general security, electricity, air conditioning (maintenance), water pipes, fire alarms. When those same air conditioners were last serviced. What the redundancy (capacity reserve) of the air conditioning is (N+0, N+1).

- UPS and batteries. How long they hold (in hours), when the batteries were last replaced, when the last calibration was, whether there is notification of switching to battery and of other blackout events. What the redundancy (capacity reserve) of the UPS is (N+0, N+1).

- How interaction with neighboring departments, and with the business as the customer of your services, is organized.

- How the desktop support service works.

- How monitoring works, whether it covers all devices and the necessary equipment parameters. It may have died long ago, or be redundant. Or insufficient.

- How failure notification works, especially for large failures, for example a general blackout or a leak in the water supply / heating.

Backup and recovery
Everything needs checking: what is backed up and where to, what the retention depth is, whether there is free space on the archive storage system, whether the backup is monitored, whether the backup fits within the backup window. How recovery works: what the recovery procedure looks like and whether anything is restored at all.
On behalf of which account the archiving runs (especially in the case of backup agents / services inside the machines), how many rights it has (which groups it belongs to), whether it has a password (and whether that password is known), and whether it is worth changing it. Where (in the backup system) it is registered.
Whether there is a regulation in which all of the above is spelled out and approved.

Control of rights, control of service accounts
Besides the simple check "who is in the Domain Admins group and why", control of service accounts is needed. This includes which service starts under which account (when it does not run as the system), what the built-in accounts are, which groups they belong to and why, and which rights those groups have been delegated, and where.

AD roles: where (on which servers) they live, according to the logs. Who is responsible for which network services (DHCP, DNS). Auditing: whether it exists and how it is set up. Log forwarding: what is forwarded, where, and what happens to the logs.

Get ready to learn a subject that is new to you: engineering archaeology / design and technological archaeology (1)

Typical holes and crutches of crooked-handed localhost admins. Starting with the edited hosts file:
SUDDENLY it turned out to me that localhost administrators not only edit the etc/hosts file (well, who didn't do that in childhood?), but are also proud of it and write articles about it.

The same disgrace happens with the DNS settings on DCs, though.
No, really, how can you not read TechNet?? (2)

You should write to etc\hosts in production if and only if you have already read the instructions for Oracle and Veritas NetBackup, and worked through the Veeam instructions as well.

The second stage of the check
When you start a job, in addition to the physical audit (starting from the air conditioners and the UPS battery runtime, and ending with what is counted and how, and what actually comes of it), three things must be checked:

- Tasks in Task Scheduler and startup items on servers
- hosts files in particular, and DHCP and DNS settings in general
- to whom, how, where and what rights are granted in AD and Exchange.

If the first point is clear (download Sysinternals Autoruns for Windows and go), the second and third points are more complicated.
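Autoruns shows what starts, but the audit above also asks under which account each service and scheduled task runs. The following script is an added example, not code from the original post: it inventories services and non-Microsoft scheduled tasks on the local server with their run-as identities and flags everything that runs under a named account. The list of built-in accounts and the output file name are assumptions.

```powershell
# Added example (not from the original post): inventory of services and scheduled
# tasks with the account each one runs as. Run on every server (or via Invoke-Command)
# and keep the CSV as the audit baseline.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\SYSTEM', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')   # assumed list

function Test-BuiltinAccount {
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $true }
    foreach ($b in $builtin) { if ($Account -ieq $b) { return $true } }
    return $false
}

# Services: StartName is the identity the Service Control Manager starts the binary as.
$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Kind      = 'Service'
        Name      = $_.Name
        Account   = $_.StartName
        StartMode = $_.StartMode
        State     = $_.State
        Command   = $_.PathName
        Custom    = -not (Test-BuiltinAccount $_.StartName)
    }
}

# Scheduled tasks: Principal.UserId is the run-as identity. Tasks under \Microsoft\ are
# vendor defaults and are skipped so that admin-created tasks stand out.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Kind      = 'Task'
        Name      = $_.TaskPath + $_.TaskName
        Account   = $_.Principal.UserId
        StartMode = $_.Principal.RunLevel      # Highest = task runs elevated
        State     = $_.State
        Command   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Custom    = -not (Test-BuiltinAccount $_.Principal.UserId)
    }
}

$inventory = @($services) + @($tasks)
$inventory | Export-Csv -Path ".\runas-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation

# Items that start under a named (domain or local) account: these are the service
# accounts whose group membership, password age and delegated rights need reviewing.
$inventory | Where-Object Custom | Sort-Object Account |
    Format-Table Kind, Name, Account, State -AutoSize
```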

Surprisingly for many, Microsoft Windows Server has no "make it good" button. There is not even a makegood.ps1 script: MS WS and AD as a service have no built-in, ready-made graphical tools for showing to whom and where rights in AD are delegated, and using PowerShell upsets both information security and the GUI fans.
On the other hand, the necessary tools for this do exist:

To review delegation of rights by organizational unit (OU), Active Directory OU Permissions Report:
"This script generates a report of all Active Directory OU permissions in the domain. I would advise all Active Directory shops to review this report on a quarterly basis to make sure there are no surprise administrators lurking in your domain."
It lives, traditionally, on TechNet.

To review the distribution of Exchange rights, similarly,
RBAC Role Group Membership Reporting:
"This PowerShell script will generate a report of the Role Based Access Control (RBAC) role groups in an Exchange Server organization."
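The TechNet OU permissions report linked above produces the full picture; the following added example (not that script, and not code from the original post) shows the core of such a review in a few dozen lines: it walks every OU in the domain through the ActiveDirectory module's AD: drive and lists explicit, non-inherited access entries for trustees outside a set of expected default principals. That expected list is an assumption and should be adjusted to your domain's defaults.

```powershell
# Added example (not the TechNet script): list explicit (non-inherited) ACEs on every OU
# whose trustee is not one of the expected default principals, i.e. real delegation.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$nb       = $domain.NetBIOSName
# Principals that normally hold rights on every OU (assumed list; extend for your domain).
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
              'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
              'BUILTIN\Pre-Windows 2000 Compatible Access',
              "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Key Admins", "$nb\Enterprise Key Admins")

function Get-OUDelegation {
    param([string]$SearchBase = $domain.DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou = $_.DistinguishedName
        # The AD: drive exposes each object's security descriptor to Get-Acl.
        (Get-Acl -Path "AD:\$ou").Access |
            Where-Object { -not $_.IsInherited -and
                           $expected -notcontains $_.IdentityReference.Value } |
            ForEach-Object {
                [pscustomobject]@{
                    OU          = $ou
                    Trustee     = $_.IdentityReference.Value
                    Type        = $_.AccessControlType        # Allow / Deny
                    Rights      = $_.ActiveDirectoryRights     # e.g. GenericAll, WriteProperty
                    ObjectGuid  = $_.ObjectType                # all-zero GUID = every property/right
                    Inheritance = $_.InheritanceType           # None = this OU only
                }
            }
    }
}

$report = Get-OUDelegation
$report | Export-Csv -Path '.\ou-delegation.csv' -NoTypeInformation
# Grouping by trustee answers "who has rights where" at a glance.
$report | Sort-Object Trustee, OU | Format-Table Trustee, OU, Type, Rights -AutoSize
```

A non-zero ObjectGuid narrows the entry to one attribute or extended right (for example password reset); resolving those GUIDs against the schema is the next step the full TechNet report takes.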

To start an audit, all of the above should be enough, but do not rush into reading the "how to do it well" documents before that, because most likely you will have to clutch your head many times.

Industrial archeology of Mtsensk Uyezd. Part 1.
Industrial archeology of Mtsensk Uyezd. Part 2.

Corporate memory and reverse smuggling.
A copy of the same article with links.
Original in web.archive
Design and technological archeology

Link 1
Link 2
Link 3

and finally, the actual point:

DNS: the DNS server list on a DC should include the loopback address, but not as the first entry.
If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners. See the link.
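An added example (not from the original post) that turns the rule above, together with the hosts-file point from the checklist, into a check to run on each DC. The DNS part reports whether the loopback address is present and at which position; treating the DC's own interface address like the loopback address is an extension added here, not stated on the page.

```powershell
# Added example (not from the original post): DNS client order and hosts overrides on a DC.
function Test-DcDnsClientOrder {
    # Loopback plus the DC's own IPv4 addresses (own-address handling is an added assumption).
    $self = @('127.0.0.1') + @(Get-NetIPAddress -AddressFamily IPv4 |
                                Select-Object -ExpandProperty IPAddress)
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        $servers = @($cfg.ServerAddresses)
        if ($servers.Count -eq 0) { continue }            # interface with no DNS configured
        $selfIndex = -1
        for ($i = 0; $i -lt $servers.Count; $i++) {
            if ($self -contains $servers[$i]) { $selfIndex = $i; break }
        }
        if     ($selfIndex -eq -1) { $verdict = 'WARN: loopback/own address missing from list' }
        elseif ($selfIndex -eq 0)  { $verdict = 'FAIL: loopback/own address is the FIRST entry' }
        else                       { $verdict = 'OK: loopback/own address present, not first' }
        [pscustomobject]@{
            Interface = $cfg.InterfaceAlias
            Servers   = $servers -join ', '
            Verdict   = $verdict
        }
    }
}

# Every active (non-comment) hosts entry silently overrides DNS and belongs in the audit.
function Get-HostsOverrides {
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $path |
        ForEach-Object { ($_ -split '#')[0].Trim() } |     # drop comments and blank lines
        Where-Object { $_ } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            [pscustomobject]@{
                Address = $parts[0]
                Names   = ($parts | Select-Object -Skip 1) -join ' '
            }
        }
}

Test-DcDnsClientOrder | Format-Table -AutoSize
Get-HostsOverrides    | Format-Table -AutoSize
```

A stock Windows hosts file contains only commented lines, so any row from Get-HostsOverrides is something a predecessor added by hand.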

In general, there is a lot of interesting stuff about the availability of the first DNS server for CSV, but that will come later.
