I read with interest "IT Infrastructure Audit - how to be a newbie", but it seemed to me that the list of things to check during an audit and handover (especially if everyone who remembered anything has already left) is a good deal longer.
If your organization has no processes in place, this text is useless to you. If it does, it is also useless. Almost the Rifleman's Creed: without me, my rifle is useless; without my rifle, I am useless.
I have not seen any standard management package that covers the entire architecture and technology stack, which is not surprising given the constant discrepancies between what is on the books and what is actually there, and the overall complexity of the systems. It is good if a network diagram and a password register are maintained, and there is some record of what expires when (certificates, domain renewal), but sometimes there is not. One person simply forgot to ask, others did not care. A third had it all but has already quit, and the fourth could not be bothered, so we have what we have.
Lifecycle management in SCOM / SCSM is something slightly different, and ITIL Service Asset and Configuration Management is a set of good intentions with no functionality behind it. Accordingly, the first thing to do when you start a new job is an audit "for yourself":
- Which devices exist, where they are, what they are responsible for, whether you have access to them (web control panel / SSH / iLO), and if not, how to restore it. Are these devices alive at all, or are they still worth keeping in mind?
- Who is responsible for access control, physical security, electricity, air conditioning (maintenance), plumbing, and fire alarms. When the air conditioners were last serviced. What the redundancy (reserve capacity) of the air conditioning is (N+0, N+1).
- UPS and batteries. How long they hold (in hours), when the batteries were last replaced, when the last calibration was done, whether there is notification of switching to battery and of other power events. What the UPS redundancy (reserve capacity) is (N+0, N+1).
- How interaction with neighboring departments and with the business, as a customer of your services, is organized.
- How the service desk works.
- How monitoring works, whether it covers all devices and the necessary equipment parameters. It may well have died long ago, or be redundant. Or insufficient.
- How failure notification works, especially for large failures: for example, a general blackout / power outage, or a water supply / heating leak.
Backup and Restore
Everything must be checked: what is backed up, what the retention depth is, whether there is free space on the backup storage, whether that free space is monitored, whether backups fit into the backup window. How recovery works: what the recovery procedure looks like and whether anything is ever actually restored.
Under which account the backup runs (especially with backup agents / services inside the machines), whether it has too many rights (which groups it is in), whether it has a password (and for what), and whether it is time to change it. Where in the backup system that account is configured.
Is there a regulation in which all of the above is written down and approved?
Control of rights, control of service accounts
In addition to the simple check "who is in the Domain Admins group and why", service accounts need control too: which service runs under which account (if not under the system account), which accounts are embedded where, which groups each account is in and why, and what rights are delegated to those groups and where.
AD
AD roles: which servers hold them, and what is in the logs. Who is responsible for which network services (DHCP, DNS). Auditing: is it enabled, and how does it work. Log forwarding: what is sent, where, and what happens to it there.
Be prepared to learn a new subject: engineering archaeology / design and technological archaeology (1).
Typical holes and crutches of ham-fisted admins
localhost. Let's start with a proper hosts file
SUDDENLY it turned out, to my surprise, that localhost admins not only edit the etc/hosts file (well, who didn't in their youth?), but also take pride in it and write articles about it.
However, with the DNS settings on domain controllers the same disgrace is found.
No, how can one not read TechNet?? (2)
REMEMBER, CITIZENS!
Writing to etc\hosts in production is necessary if and only if you have already read the instructions for Oracle and Veritas NetBackup, before handing out instructions about Veeam.
The second round of checks
Upon arrival at a new job, in addition to auditing the physical side (starting with the air conditioners and the UPS battery runtime, and ending with what is on the books versus what is actually there), three things should be checked:
- Tasks in Task Scheduler and autostart entries on servers
- HOSTS files in particular, and DHCP and DNS settings in general
- who, how, where and what rights are granted in AD and Exchange.
While the first item is clear (download Sysinternals Autoruns for Windows and go), the second and third are more complicated.
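As an added example (not from the original article), a first-pass PowerShell inventory for the three checks above plus the "which service runs under which account" check from the service-accounts section. It assumes it is run on a Windows server or domain controller with RSAT (the ActiveDirectory module) installed; autorunsc.exe from Sysinternals is optional.

```powershell
# Added example: first-pass audit of scheduled tasks, services, HOSTS and privileged groups.
# Assumes RSAT / ActiveDirectory module is present; autorunsc.exe is used only if found on PATH.
$report = "$env:TEMP\audit-$env:COMPUTERNAME.txt"

# 1. Scheduled tasks: which account each enabled task runs under and what it executes.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskPath, TaskName,
        @{n='RunAs';  e={ $_.Principal.UserId }},
        @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
    Sort-Object RunAs | Format-Table -AutoSize | Out-File $report

# Services running under anything other than the built-in system accounts.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    Select-Object Name, StartName, StartMode, State, PathName |
    Format-Table -AutoSize | Out-File $report -Append

# Full autostart inventory via the Autoruns command-line tool, if available.
if (Get-Command autorunsc.exe -ErrorAction SilentlyContinue) {
    autorunsc.exe -accepteula -nobanner -a * -c -h -s | Out-File "$env:TEMP\autoruns-$env:COMPUTERNAME.csv"
}

# 2. HOSTS file: every active (non-comment, non-blank) line is a manual override of DNS.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$overrides = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' })
"HOSTS overrides ($($overrides.Count)):" | Out-File $report -Append
$overrides | Out-File $report -Append

# 3. Who is in the privileged AD groups (recursive): the "who and why" check from the text.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        "== $g ==" | Out-File $report -Append
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object SamAccountName, objectClass, distinguishedName |
            Format-Table -AutoSize | Out-File $report -Append
    }
}
"Report written to $report"
```

The Exchange RBAC side is not covered here; for that the TechNet script mentioned below is the starting point.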
Surprisingly for many, there is no "make it good" button in Microsoft Windows Server. There is not even a makegood.ps1 script: Windows Server and AD as a service have no built-in graphical tool that shows who has been delegated which privileges where in AD, and using PowerShell upsets both the infosec people and the GUI lovers.
On the other hand, the necessary tools for this do exist.
To view delegation of rights on organizational units (OUs): Active Directory OU Permissions Report:
This script generates a report of all Active Directory permissions in the domain. There are no surprise administrators lurking in your domain.
It is, as usual, on TechNet.
To view the distribution of rights in Exchange, look there too, on the same TechNet:
RBAC Role Group Membership Reporting
This is a script for reporting the Role Based Access Control (RBAC) role group membership of an Exchange Server organization.
To begin the audit, all of the above should be enough, but until it is done it is not worth moving on to the "how to do it right" documents, because you will most likely have to clutch your head many times anyway.
References:
(1)
Industrial archaeology "Mtsensk district", Part 1.
Industrial archaeology "Mtsensk district", Part 2.
Corporate memory and reverse smuggling.
A copy of the same article with links.
Original in web.archive.
Technological Archaeology.
(2)
Reference 1
Reference 2
or
Reference 3
and finally, the rule itself:
DNS: DNS servers must not be addressed as the first entry
Impact
If a domain controller lists itself as its first DNS server, it may be unable to find its replication partners.
See the link.
In general, there are many interesting things around which DNS server comes first, CSV included, but that may come later.
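As an added example (not from the original article), a check for the rule just quoted, run locally on a domain controller: it flags any interface whose first DNS server is loopback or one of the DC's own addresses, and notes whether loopback is present later in the list. The replication-partner query at the end assumes the ActiveDirectory module is installed.

```powershell
# Added example: does this DC point at itself as its FIRST DNS server?
# Assumes it runs on the DC itself; Get-ADReplicationPartnerMetadata needs RSAT / ActiveDirectory.
$loopback = @('127.0.0.1', '::1')
$own = @(Get-NetIPAddress | Select-Object -ExpandProperty IPAddress |
         ForEach-Object { ($_ -split '%')[0] })   # strip IPv6 zone ids such as fe80::1%12

$findings = foreach ($cfg in Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses }) {
    $servers = @($cfg.ServerAddresses)
    $first   = $servers[0]
    $firstIsSelf   = ($loopback -contains $first) -or ($own -contains $first)
    $loopbackLater = @($servers | Select-Object -Skip 1 | Where-Object { $loopback -contains $_ }).Count -gt 0
    [pscustomobject]@{
        Interface     = $cfg.InterfaceAlias
        Family        = $cfg.AddressFamily
        Servers       = $servers -join ', '
        FirstIsSelf   = $firstIsSelf    # bad: the DC asks itself first and may not find its partners
        LoopbackLater = $loopbackLater  # fine: loopback is present, but not as the first entry
    }
}
$findings | Format-Table -AutoSize

if ($findings | Where-Object FirstIsSelf) {
    Write-Warning "At least one interface lists this DC (or loopback) as its FIRST DNS server."
}

# Optional: current replication state with each partner, to see whether the symptom is already present.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
        Select-Object Partner, LastReplicationSuccess, LastReplicationResult |
        Format-Table -AutoSize
}
```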