Day-to-day system administration

Day-to-day system administration encompasses many activities, but most focus on keeping your computers and networks running smoothly by maintaining equipment, making sure there’s sufficient space on the system disks, and protecting the system and its software from damage. Examples include making sure users can’t modify system software; checking each new release of a vendor’s software, especially fixes to security problems, to be sure such problems have really been fixed; and insisting that users or system administrators promptly patch any security holes or other bugs that are discovered.

It is essential to monitor various groups and news wires, as well as official sites of your vendors, so that you are aware of potential problems. Unfortunately, there are still instances where a patch to one problem breaks something else, especially in cross-vendor situations. The most affluent of organizations maintain test networks in which checks are made to make sure the cure is not worse than the disease prior to pushing out software updates. If you would prefer to get a holiday bonus rather than get more problems to worry about, stay tuned to security web sites for news of troubles with bug fixes and patches.

Performing Backups

Backups of your system and all the data stored on your system are absolutely essential if you expect to be able to recover from a disaster. What kind of disaster? It might be a natural disaster, such as a fire or a flood. It might be a crime, such as a system intruder’s meddling, vandalism of your computer room, or theft of a computer or a disk. It might be a hardware or software failure or a user error (e.g., deleting the latest version of a document or the latest release of some development software). Whatever the cause, and whatever the extent of the damage, you will be able to recover eventually if you have recent backups of all your system data. In a PC environment, many system administrators discover that critical documents on a user’s machine often disappear when a disk fails. They can help protect against this by providing personal folders in common space on a server. Users are responsible for the contents of their own hard disks. Failure to have these files in a public storage area is not an excuse at your performance review, when a PC failure necessitates rework.

There are many systems for backup. You should do it regularly. Many organizations have well-defined rules about performing backups; if you don’t follow the rules, you’ll lose your job. But many other organizations have much looser policies, where the scheduling and the extent of backups are far more discretionary. What does it mean to perform regular backups? That’s an organizational decision: it depends on the number of users in your system, the volume of work, and many other variables. Many organizations perform a full backup (of every file in the system) every night. Others may do a full backup only once a month, or more commonly, once a week, but they do an incremental backup (of everything that’s changed since the last full backup) every day. The best rule of thumb is to back up frequently enough that you can afford to recreate the work that may be lost since the last backup.
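The full-plus-incremental scheme just described, worked through as an added example (not code from the book): a weekly full backup records every file and a digest of each, a nightly incremental captures only what changed or disappeared since that full, and a restore overlays the newest incremental on the full. The file system, paths and contents are constructed in memory for the example.

```python
import hashlib

def digest(data):
    """SHA-256 of file contents; kept in the manifest so a restore can be verified."""
    return hashlib.sha256(data).hexdigest()

def full_backup(fs):
    """Copy every file on the system (the page's 'full backup')."""
    return {"files": dict(fs), "manifest": {p: digest(d) for p, d in fs.items()}}

def incremental_backup(fs, last_full):
    """Everything changed or added since the last full backup, plus the names of
    files deleted since then, following the page's definition of 'incremental'."""
    base = last_full["manifest"]
    changed = {p: d for p, d in fs.items() if base.get(p) != digest(d)}
    deleted = [p for p in base if p not in fs]
    return {"files": changed, "deleted": deleted}

def restore(last_full, latest_incremental=None):
    """Rebuild the file set: verify the full backup against its manifest, then
    overlay the newest incremental (which covers every change since that full)."""
    fs = dict(last_full["files"])
    for path, data in fs.items():
        if digest(data) != last_full["manifest"][path]:
            raise ValueError(f"full backup corrupted: {path}")
    if latest_incremental:
        fs.update(latest_incremental["files"])
        for path in latest_incremental["deleted"]:
            fs.pop(path, None)
    return fs

def simulate_week():
    # Constructed file system: paths mapped to contents (not real data).
    disk = {
        "/etc/hosts": b"127.0.0.1 localhost",
        "/home/alice/report.doc": b"report v1",
        "/home/alice/notes.txt": b"todo list",
    }
    sunday = full_backup(disk)                        # weekly full backup
    disk["/home/alice/report.doc"] = b"report v2"     # Monday: edited
    disk["/home/alice/new.doc"] = b"draft"            # Monday: created
    del disk["/home/alice/notes.txt"]                 # Monday: deleted
    monday = incremental_backup(disk, sunday)         # nightly incremental
    disk.clear()                                      # Tuesday: the disk fails
    return sunday, monday, restore(sunday, monday)

if __name__ == "__main__":
    _, monday, restored = simulate_week()
    print("incremental held:", sorted(monday["files"]), "deleted:", monday["deleted"])
    print("restored:", sorted(restored))
```

Because each incremental is taken relative to the last full rather than the previous incremental, a restore needs only two sets (the full and the newest incremental); the cost is that nightly sets grow through the week until the next full resets them. Whatever the work lost between Monday night and the Tuesday failure, it is bounded by one backup interval, which is the rule of thumb above.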

Like most security practices, however, backups have a cost associated with them. In this case, it is usually network bandwidth and server capability. You’ll need to schedule backups in less desirable parts of the day, so that they will inconvenience the fewest users. If your organization operates 24/7, it may be necessary to host redundant systems, so that one can be backed up while the other is live. Fortunately, improvements in fault tolerance, using technical means to limit any single points of failure, and clustering technology, which entails running several computers in parallel to spread the load and provide redundancy, make this economically feasible. The redundant system need not sit idle when it is not being backed up; it can share the load of normal processing as well.

Hardware and Software Security Tools

Fortunately, today there’s a good variety of hardware and software tools designed to prevent network incursion. As I mentioned previously, one of the most important is the firewall. A firewall monitors communications that pass through it, and it can take action against users that seem to be abusing or attacking the network. In some cases, the firewall monitors the Internet Protocol (IP) address of a packet, and if it is not found on a safe list, or is discovered to be on a “deny entry” list, it deletes the packet from the transmission stream, and usually any that follow from the same unauthorized addresses.

A firewall can also monitor the ports used by a communications session. Each protocol has a unique combination of ports available to it over which to communicate information. Using ports allows several different conversations to take place using the same IP address. However, the presence of communications from unexpected ports may indicate that an attack is underway. A firewall can also silence packets to and from undesired ports.
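The two firewall behaviours described above (dropping packets whose source is not on the safe list or is on the deny list, then dropping everything that follows from that source, and silencing ports the policy does not permit), modelled as an added example that is not code from the book or from any firewall product. The class name, rule layout and packet list are all constructed for the illustration; the addresses come from the documentation ranges.

```python
from ipaddress import ip_address, ip_network

class PacketFilter:
    """Toy stateful packet filter: address lists first, then ports, with sources
    that fail an address check remembered and dropped from then on."""

    def __init__(self, allow_nets, deny_nets, open_ports):
        self.allow = [ip_network(n) for n in allow_nets]   # the "safe list"
        self.deny = [ip_network(n) for n in deny_nets]     # the "deny entry" list
        self.open_ports = set(open_ports)                  # ports a session may use
        self.auto_denied = set()   # sources blocked after an address violation
        self.log = []              # (src, port, verdict) for the administrator

    @staticmethod
    def _in(addr, nets):
        return any(addr in net for net in nets)

    def decide(self, src, dst_port):
        addr = ip_address(src)
        if addr in self.auto_denied:
            verdict = "drop (follows an already-denied source)"
        elif self._in(addr, self.deny):
            verdict = "drop (deny list)"
            self.auto_denied.add(addr)
        elif not self._in(addr, self.allow):
            verdict = "drop (not on safe list)"
            self.auto_denied.add(addr)
        elif dst_port not in self.open_ports:
            verdict = "drop (port not permitted)"   # port silenced, host not banned
        else:
            verdict = "accept"
        self.log.append((src, dst_port, verdict))
        return verdict

# Constructed traffic: (source address, destination port).
PACKETS = [
    ("10.0.0.5", 443),       # internal host, web port
    ("10.0.0.5", 23),        # same host, telnet port the policy does not open
    ("203.0.113.9", 443),    # source on the deny list
    ("203.0.113.9", 80),     # follows from the same denied source
    ("198.51.100.7", 443),   # unknown source, not on the safe list
    ("198.51.100.7", 443),   # follows from that source
]

def run_filter(packets=PACKETS):
    fw = PacketFilter(allow_nets=["10.0.0.0/8"],
                      deny_nets=["203.0.113.0/24"],
                      open_ports=[80, 443])
    return [fw.decide(src, port) for src, port in packets]

if __name__ == "__main__":
    for (src, port), verdict in zip(PACKETS, run_filter()):
        print(f"{src:>14}:{port:<5} {verdict}")
```

Note the ordering: the deny list is consulted before the safe list, so a deny entry wins even for an address that also falls inside an allowed range, and a port violation by an otherwise trusted host drops that packet without banning the host.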

An intrusion detection system (IDS), on the other hand, usually listens to the circuit, taking note if any unusual activity is taking place. For instance, a user who constantly connects to a little-used disk drive may be storing information there, either for later theft, or perhaps to be used as a tool in a future incursion. Intrusion detection systems usually have large libraries of attack signatures, that is, lists of the steps attackers typically take or have taken in the past to accomplish some attack. If the pattern of these attacks is repeated in a system being monitored by the IDS, the IDS will likely stop the transaction if it can, and place a page or call to an administrator informing them of the attempted attack.
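Signature matching in the sense used above, as an added example (not the book's code and not any IDS product's engine): a signature is an ordered list of event types, and the detector raises an alert when one source produces those events in that order within a time window. The log format, the signature and the log lines are constructed for the example; a real IDS would feed the alert to its blocking and paging actions, which are left out here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a made-up "timestamp src=... event=..." format.
LOG_LINES = [
    "2024-06-03T02:00:01 src=198.51.100.7 event=port_scan",
    "2024-06-03T02:00:05 src=10.0.0.5 event=login_ok",
    "2024-06-03T02:01:10 src=198.51.100.7 event=login_failed",
    "2024-06-03T02:01:12 src=198.51.100.7 event=login_failed",
    "2024-06-03T02:01:20 src=198.51.100.7 event=login_ok",
    "2024-06-03T02:02:00 src=198.51.100.7 event=privilege_change",
    "2024-06-03T02:30:00 src=10.0.0.9 event=login_failed",
    "2024-06-03T04:30:00 src=10.0.0.9 event=privilege_change",
]

# Constructed signature library: name -> ordered steps that must all appear.
SIGNATURES = {
    "scan-then-guess-then-escalate":
        ["port_scan", "login_failed", "login_ok", "privilege_change"],
}
WINDOW = timedelta(minutes=10)   # all steps must fall within this span

def parse(line):
    ts, src, ev = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], ev.split("=", 1)[1]

def sequence_within(events, pattern, window):
    """True if the steps of `pattern` occur in order (other events may sit
    between them) starting at some event and ending within `window` of it."""
    for start, (t0, ev0) in enumerate(events):
        if ev0 != pattern[0]:
            continue
        need = 1
        for ts, ev in events[start + 1:]:
            if ts - t0 > window:
                break
            if ev == pattern[need]:
                need += 1
                if need == len(pattern):
                    return True
    return False

def detect(lines=LOG_LINES, signatures=SIGNATURES, window=WINDOW):
    """Group events by source and test every signature against each source."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, ev = parse(line)
        by_src[src].append((ts, ev))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for name, pattern in signatures.items():
            if sequence_within(events, pattern, window):
                alerts.append((src, name))
    return alerts

if __name__ == "__main__":
    for src, name in detect():
        print(f"ALERT {src}: matched signature '{name}'")
```

The window matters as much as the order: the second internal host also shows a failed login followed by a privilege change, but hours apart and without the preceding scan, so no alert fires for it. Tuning that window and the step list is where most of the false-positive work in signature-based detection lives.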

A honeypot, sometimes called a honeynet, is a decoy. It is usually placed in an unprotected portion of the network as a lure to attackers. While unauthorized users are checking out the honeypot, their movements are recorded. This helps further develop the library of attack signatures.

Penetration testing, or pentesting, is a programmed, usually automated series of attacks that administrators carry out on their own network. The purpose of pentesting is to locate overlooked vulnerabilities. These are then patched, and communications proceed. Pentesting may be performed by network personnel or by outsiders contracted for the purpose.

Performing a Security Audit

It’s a good idea to check on the security of your system by performing periodic security audits. A security audit is a search through your system for security problems and vulnerabilities.

Check your system files and any system logs or audit reports your system produces for dangerous situations or clues to suspicious activity. These might include:

Accounts without passwords
They might have come with the system, or they might have been set up for guests or demos. Anyone can log in using such accounts.

Accounts with easily guessed passwords
These might include passwords selected by users or passwords associated with administrator or guest accounts. In addition, most attackers are well aware of the passwords and usernames that come with equipment from the factory. Change these immediately.

Group accounts
Long lists of privileges for individual accounts sometimes create confusion. Group management of accounts can simplify security administration by allowing precise, predetermined groups of privileges to be assigned to groups such as accountants, HR, engineering, and so on, in accordance with the organization’s security policy.

Dormant accounts
These include accounts of users who have left your organization, have gone on vacation, or have moved to a different group or system.

New accounts
Be sure these are accounts you have assigned and not accounts that an intruder has created.

Default accounts
Many operating systems create “Everybody” or “Guest” or even “Administrator” accounts automatically. In some cases, these accounts are disabled, but an attacker may be able to make them live, or use them as a foothold to deeper penetrations. For this reason, some administrators delete them or provide more subtly labeled replacements.

Recent changes in file protection
An intruder may have given special privileges to certain programs or may have made system files accessible to ordinary users. Individual users may have carelessly made their files accessible to everyone in the system. Monitor logs for privilege escalation to make sure attackers aren’t gradually trying to obtain administrative ability.

Suspicious user activity
Basically, this means that a user (or someone using that user’s account) is acting in an unexpected way: for example, someone logs in from a number of different terminals, logs in at odd times of the day or the week, runs protected system programs, transmits or dials out an unusual amount, uses new networks, etc.
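Several of the checklist items above (accounts without passwords, live default accounts, new accounts not on the administrator's list, dormant accounts, and file protections that have changed to world-writable or setuid) can be scripted, and an added example follows. It is not code from the book: the shadow-style records, last-login dates, baseline account list and file modes are all constructed in the script so it runs without touching a real system; on a live host the same checks would read /etc/shadow, the login records and os.stat() results instead.

```python
import stat
from datetime import date, timedelta

# --- Constructed sample data (made up for this example, not from any system) ---
SHADOW_LINES = [
    "root:$6$salt$hash1:19600:0:99999:7:::",
    "guest::19600:0:99999:7:::",              # empty hash field: no password at all
    "demo:!:19600:0:99999:7:::",              # locked (hash field starts with "!")
    "alice:$6$salt$hash2:19600:0:99999:7:::",
    "bob:$6$salt$hash3:19600:0:99999:7:::",
    "svc-backup:$6$salt$hash4:19600:0:99999:7:::",
]
LAST_LOGIN = {   # constructed; None means the account has never logged in
    "root": date(2024, 5, 30), "guest": None, "demo": None,
    "alice": date(2024, 6, 1), "bob": date(2024, 1, 15),
    "svc-backup": date(2024, 6, 2),
}
BASELINE_ACCOUNTS = {"root", "guest", "demo", "alice", "bob"}   # what the admin assigned
DEFAULT_ACCOUNTS = {"guest", "demo", "administrator", "everybody"}  # vendor-created names
SYSTEM_FILE_MODES = [   # constructed (path, mode) pairs standing in for os.stat()
    ("/etc/passwd", 0o644),
    ("/etc/cron.d/nightly", 0o666),       # world-writable: anyone can add jobs
    ("/usr/local/bin/deploy", 0o4755),    # setuid: runs with the owner's privileges
    ("/usr/local/bin/report", 0o755),
]
AUDIT_DATE = date(2024, 6, 3)

def parse_shadow(lines):
    """Return {account name: password hash field} from shadow-style lines."""
    return {line.split(":")[0]: line.split(":")[1] for line in lines}

def is_locked(hash_field):
    return hash_field.startswith(("!", "*"))

def accounts_without_password(accounts):
    return sorted(name for name, h in accounts.items() if h == "")

def live_default_accounts(accounts):
    """Vendor default accounts that are not locked, i.e. usable for login."""
    return sorted(n for n, h in accounts.items() if n in DEFAULT_ACCOUNTS and not is_locked(h))

def new_accounts(accounts, baseline):
    """Accounts present on the system but absent from the administrator's list."""
    return sorted(set(accounts) - baseline)

def dormant_accounts(last_login, today, max_idle_days=90):
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(n for n, d in last_login.items() if d is None or d < cutoff)

def risky_file_modes(file_modes):
    findings = []
    for path, mode in file_modes:
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if mode & stat.S_ISUID:
            findings.append((path, "setuid"))
    return findings

def run_audit():
    accounts = parse_shadow(SHADOW_LINES)
    return {
        "no_password": accounts_without_password(accounts),
        "live_default": live_default_accounts(accounts),
        "new": new_accounts(accounts, BASELINE_ACCOUNTS),
        "dormant": dormant_accounts(LAST_LOGIN, AUDIT_DATE),
        "file_modes": risky_file_modes(SYSTEM_FILE_MODES),
    }

if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check:13} {findings}")
```

Each finding is a prompt for a human decision rather than an automatic action: a "new" account may be a legitimate service account that simply never made it onto the baseline, and the fix is to update the baseline, whereas a default account with an empty password field is never acceptable. The 90-day idle threshold is a parameter to set from your own policy.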

You may also build your own rules for running the system; different environments call for different procedures.