Top things Windows System Administrators should and should not do!
Posted on March 14, 2007 at 1:45 pm
As a Systems Administrator for a small company for several years, here are a few things I learned the hard way when it comes to managing IT operations, which I condensed down into the SHOULD and SHOULD NOT!
As a Systems Administrator you…
1. SHOULD NOT update ANYTHING on production servers unless you have tested it in a virtual environment first. This goes for the obvious patches, service packs, and drivers, but also for any software applications. If you can’t test it, then you should not install it. If it is a critical security patch and you are not able to test it in a virtual or lab environment, then you should be absolutely certain you have all the backups needed to fully recover the server in case of a system failure.
2. SHOULD document your current IT configuration including network setup, domain hierarchies, desktop configurations and server configurations. You should have documentation for your DNS configurations, DHCP scopes & scope options, IIS settings, database configurations, and Active Directory/Group Policy configurations. A year after you configure your DNS servers, you may not remember exactly what zones you created or their settings, so when a problem arises, you don’t have to waste time trying to remember what you did.
3. SHOULD make sure that all computers on the network get the latest security updates installed as quickly as possible. This does not mean all computers should be updated immediately, but after the updates are tested on a set of test machines that match the production network computers and everything is OK, the updates should be released to the rest of the network.
4. SHOULD NOT make live changes to a production network. A change in group policy setting may seem trivial, but there are too many services and applications that can be effected with even the simplest change. You should have test machines that have all of your company software installed and configured, so that when you change a security setting or something else domain-wide, you can test to make sure everything still runs smoothly before releasing the changes.
5. SHOULD NOT go wild with logon or logoff scripts that slow down the logon process significantly. It is always very tempting to use logon and logoff scripts to do something on a user’s computer since those are built-in points that you can configure system actions easily, but putting too many scripts in at these two points can significantly increase the time it takes for users to logon. Try to avoid scripts that transfer data back and forth from the user’s computer to the server.
6. SHOULD install anti-virus software on every computer on the network. Having anti-spyware software would also be a good idea. Making sure the anti-virus software is configured correctly is also important. Many real-time scanners can slow down your custom applications significantly and should therefore be excluded from the real-time scanning system.
7. SHOULD have all Internet traffic flow through a proxy server that monitors traffic and blocks access to black-listed web sites. Even if a user accidentally goes to a bad site, it can be blocked by the proxy server.
8. SHOULD make sure all user logins on the network have only regular user privileges on their computers. I have never seen any reason to give users full access to their computers unless they are traveling sales people or something similar. Giving full access will only allow viruses and spyware to spread themselves more easily.
9. SHOULD create an image of a fresh machine with all company software installed so that in case of a computer failure, a user’s computer can be brought back online very quickly. Spending hours re-installing the operating system and applications is unacceptable these days. Also, this point brings me to the next point.
10. SHOULD make sure all user profiles and My Documents are redirected to a file server, so that in case a user has to work on another computer due to a system failure, they can continue their work with all of their documents and settings just as before.
11. SHOULD rename the Administrator account on all servers and workstations using group policy. This is a simple yet effective strategy that has helped save my servers from being hacked into. Along with changing the account name, the password should be complex and as long as possible.
12. SHOULD check the computer logs on critical servers regularly to make sure that there is no unusual activity occurring. Checking the System logs may help expose certain problems that you were not aware of before such as time synchronization problems or network issues.
13. SHOULD not logon to servers with an Administrator account. All servers should be logged on with regular user credentials and if any administrative work needs to be done, the RunAs command should be used. This may help prevent a compromised system from compromising the rest of the network.
14. SHOULD make sure that the network is separated from the internet by a hardware firewall. All ports should be blocked except for those needed by services such as FTP, email, web, etc.
This does not cover everything and if there are more you can think of, let me know!
» Filed Under IT Job Stuff
 Save this page |
 Stir it up on Mixx |
|
 Add to Reddit |
 Stumble this page |
Related Posts
- Use Windows SteadyState to manage and lock down user accounts for shared access computers
- VBS Script for System Administrators - How to backup Outlook email automatically in a login or logoff script
- Disable restart now message after Windows automatic update message
- How to access blocked web sites from school, office, or work using JAP
- How to track and monitor who and when someone accesses a folder on your computer!
