I recently published the below post on the SANS Internet Storm Center site.
I will never forget the name of my first server – Rachel. I was very proud to be the person whose job it was to defend Rachel from all types of disruption. To this day I still remember each IP address, user account, service account and application. When patches were installed, I manually verified they had been applied successfully. I diligently reviewed the logs and configured full auditing to let me know the success and failure of just about everything.
I have administered many servers since Rachel, but do not remember as much about them as I do about my “first love”. Consider this an invitation to fall back in love with your servers: an invitation to return to the time when you did everything possible to defend them. By returning to the diligence you once had, many problems and outages might be avoided.
How can you do this? Actively measuring how well you manage, secure and maintain your servers can very well be the catalyst you need to return to your “first love”. Consider creating and sending yourself a daily report that clearly shows each server's current security posture. What are good candidates for this report? Some of my favorites are listed below.
- Mean time to detect a network scan
- Mean time to identify a new administrator account
- Mean time to identify a new service running (or not running anymore)
- Ask psexec to list all executables on a Windows system and send the output to a file, using a batch file such as:
  @echo off
  REM dir is a cmd.exe built-in, so it must be launched through cmd /c; /s recurses from the root and /b keeps the output to bare paths
  psexec cmd /c dir /s /b C:\*.exe > %computername%_ExeFound.txt
- Ask WMIC to tell you the patches that are installed using the command:
wmic qfe > patches.txt
- Use the Security log to search for successful (and unsuccessful) logons by administrative and service accounts
- Review the daily log volume, perhaps looking at the last 7 days, to show trends indicating significantly more or less log volume than expected
- Count the number of Remote Desktop sessions in a “normal” day
- Look for the events generated when the Security log is cleared
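To turn the list above into the daily report the post recommends, here is an added example in PowerShell; it is not from the original post or from SANS ISC. It assumes Windows Server 2016 or later with PowerShell 5.1, execution as a local administrator, audit policy for logon events enabled, and a hypothetical folder C:\PostureReport for baselines and reports. Get-HotFix stands in for wmic qfe and Get-ChildItem for the psexec/dir listing. It goes a step beyond the list by diffing each inventory against yesterday's baseline, which is what turns "a new administrator account" or "a new service" into a line the report can flag.

```powershell
# Added example (not from the original post): daily server posture report.
# Assumes Windows Server 2016+ / PowerShell 5.1, a local administrator session,
# Logon auditing enabled, and a writable folder C:\PostureReport (hypothetical).
$BaseDir = 'C:\PostureReport'
$Report  = Join-Path $BaseDir ('{0}-{1:yyyy-MM-dd}.txt' -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $BaseDir -Force | Out-Null
$out = @("Posture report for $env:COMPUTERNAME, $(Get-Date)")

# --- Inventories compared against yesterday's baseline -----------------------
# A new administrator, a new or vanished service, a new executable or a new
# patch shows up as an ADDED/REMOVED line; the baseline is then rotated so the
# next run compares against today. HashSets keep the diff fast for long lists.
function Compare-Baseline {
    param([string]$Name, [string[]]$Current)
    $file  = Join-Path $BaseDir "$Name.baseline"
    $lines = @("== $Name ($($Current.Count) entries) ==")
    if (Test-Path $file) {
        $prev    = [string[]]@(Get-Content $file)
        $prevSet = [System.Collections.Generic.HashSet[string]]::new($prev)
        $currSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$Current)
        $added   = @($Current | Where-Object { -not $prevSet.Contains($_) })
        $removed = @($prev    | Where-Object { -not $currSet.Contains($_) })
        if ($added.Count -eq 0 -and $removed.Count -eq 0) { $lines += 'no change' }
        $lines += $added   | ForEach-Object { "ADDED   $_" }
        $lines += $removed | ForEach-Object { "REMOVED $_" }
    } else {
        $lines += 'no baseline yet; recording one now'
    }
    $Current | Sort-Object -Unique | Set-Content $file
    return $lines
}

$admins   = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
$services = @(Get-Service | ForEach-Object { "$($_.Name) [$($_.Status)]" })
$patches  = @(Get-HotFix | ForEach-Object { $_.HotFixID })        # same data as 'wmic qfe'
# Executable inventory, the PowerShell equivalent of the psexec/dir listing.
# Scoped to the Windows and Program Files trees to keep the daily run short.
$exes = @(Get-ChildItem -Path $env:SystemRoot, $env:ProgramFiles -Recurse -Filter *.exe `
              -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

$out += Compare-Baseline 'Administrators' $admins
$out += Compare-Baseline 'Services'       $services
$out += Compare-Baseline 'Patches'        $patches
$out += Compare-Baseline 'Executables'    $exes

# --- Security-log metrics for the last 24 hours ------------------------------
# 4624 = successful logon, 4625 = failed logon (LogonType 10 = Remote Desktop),
# 1102 = audit log cleared. Fields are read by name from the event XML so the
# script does not depend on the positional layout of EventData.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
$since   = (Get-Date).AddHours(-24)
$watched = @($admins | ForEach-Object { ($_ -split '\\')[-1] })   # 'HOST\user' -> 'user'
# Add your service accounts here, e.g. $watched += 'svc_backup' (hypothetical name).
$logons  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                -ErrorAction SilentlyContinue)
$rdp = 0; $adminLogons = @{}
foreach ($e in $logons) {
    $user = Get-EventField $e 'TargetUserName'
    if ($e.Id -eq 4624 -and (Get-EventField $e 'LogonType') -eq '10') { $rdp++ }
    if ($watched -contains $user) {
        $key = '{0} {1}' -f $user, $(if ($e.Id -eq 4624) { 'success' } else { 'FAILURE' })
        $adminLogons[$key] = 1 + [int]$adminLogons[$key]
    }
}
$out += '== Administrator/service account logons (24h) =='
$out += $adminLogons.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-40} {1,5}' -f $_.Name, $_.Value }
$out += "Remote Desktop sessions (24h): $rdp"
$cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
                -ErrorAction SilentlyContinue)
$out += "Security log cleared events (24h): $($cleared.Count)"

# --- Daily log volume trend, last 7 days -------------------------------------
# One filtered query per day; on a very busy server consider reading the log
# once and grouping by TimeCreated.Date instead.
$out += '== Security log volume per day =='
foreach ($back in 6..0) {
    $day = (Get-Date).Date.AddDays(-$back)
    $n   = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $day; EndTime = $day.AddDays(1) } `
                -ErrorAction SilentlyContinue).Count
    $out += '{0:yyyy-MM-dd} {1,8}' -f $day, $n
}

$out | Set-Content $Report
Write-Host "Report written to $Report"
```

Run it once by hand to seed the baselines, then register it as a daily Task Scheduler job and mail the resulting file with whatever mail tooling you already have; the first run reports "no baseline yet" for each inventory and every later run reports only what changed. Recording the run time in the report is an easy way to start computing the mean-time-to-detect figures the post mentions.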
There are certainly many metrics you could track. Pick a few and diligently check them every day for the next month. You’ll be glad you did!