"Bathroom philosophy" of system management"

[51cto.com quick translation] Every administrator is fighting for obsolete and unused user accounts. As we all know, if the system contains an "expired" user account, it will leave more attacks and hiding places for malicious hackers. If you are a smart person, you need to be vigilant and clear them.

Old and unused resources are like restrooms in a hotel. When you first walk into a restaurant, you need to check the restroom first. If the bathroom is super clean, you can bet the restaurant is well managed and the kitchen must be very clean. If the bathroom is a mess, consider somewhere else.

Who to manage and what to manage

The Administrator should establish policies and programs to encapsulate all the computer objects (users, groups, computers, etc.) and resources (files, printers, application software, etc.) in the Life Cycle Mode. Objects and resources covered by the lifecycle management plan include:
* User Account
* Computer Account
* Service account/daemon account
* Working Group
* Email addresses and objects
* Printer
* Applications
* Disk storage
* Folders, shared files, and Web Folders
* IP subnet
* Ldap/Active Directory object
* Group Policy object (if Active Directory is used)
* Digital Certificate
* Audit/Alert Plan (auditing/alerting Plan)

Each task, related objects, and resources under your control should be included in the lifecycle plan. The lifecycle plan should include the following activities at the minimum ,:
* Obtain/supply/create/approve
* Distribution of ownership/accountability
* Change/modify/rename/copy/move/Transfer
* Disable/delete/reverse supply
* Change confirmation
* Audit/reminder/monitoring (auditing/alerting/Monitoring)
* Document record

Without appropriate lifecycle policies and programs, these objects and resources will often accumulate over time and will never be deleted. The Administrator must answer questions about who to create, who to approve, and who to record changes to ensure compliance with the lifecycle policy. The 51cto editor believes that, in fact, the system itself provides us with a lot of security settings, cleverly using these features, we can completely deal with network security issues, such as using system group policies, to ensure secure network operation.

How to manage objects

Each object should have a strictly defined process, including who can request or change this object, what are the requirements for requests and changes, and who owns the object.

The role and health of assigned ownership can be queried in the future. It is best to assign ownership to a specific person rather than a team, so as not to show too many people. Of course, this also means that if the role of the owner changes or leaves the work environment, the ownership must also be updated.

In general, the addition or modification of objects will affect the security of a large number of computers and users. Therefore, IT department approval is required. When a project is added or changed, its results should be confirmed by the other party, or at least by the party making the change. All changes should be recorded in logs. Secondary review should be triggered for events that do not ensure security or may cause widespread changes. 51cto editor's suggestion: this is already a relatively sound management system, but few small and medium enterprises in China can manage it in this way. For now, no feasible management system is available for small and medium-sized enterprises.

For example, my current client is arranged in this way. The job of Administrator 1 is to delete expired test user accounts. The IT administrator finds that the deletion takes longer than expected-several minutes instead of several seconds. If all expired user objects are lost after deletion, the work is completed. If administrator 1 accidentally deletes a large ou (LDAP Organization) When deleting a user account, the local audit system will immediately notify administrator 2. With an appropriate audit system and alarm policy, errors are immediately noticed and deleted objects can be recovered in a timely manner. In the editor's opinion, once an important LDAP account storage unit such as ou is deleted by mistake, it may cause serious consequences that all users cannot log on to the server. Therefore, backup is very important. If you need it, you can read the article "prepare a detailed Linux backup and restoration method.

Record documents and workflows

The lifecycle of each object, including all related tasks, should be recorded. Documented documents should include who can request a specific task, who has completed the task, and who has verified that the task has been completed correctly. The documented document should include who is responsible for maintaining and updating the document so that it will not expire. And this procedure should be automated as much as possible. Many software tools provide automation and workflow functions, as well as better security and audit tracking. Some of the simplest object lifecycle management tools use the company's email system to manage workflows. In the opinion of the 51cto editor, the rapid development of the network has brought many difficulties to management. For example, many IT system devices or products currently have the log function, and these logs must be retained for at least six months, how to effectively retain massive logs and meet the new log-based requirements of enterprises has become a common challenge for log management solution providers.

Finally, appropriate policies and procedures should always include some rapid informal handling methods to deal with special emergencies. For example, when the CEO's user object is accidentally deleted and must be recovered, I believe he will not like to wait until the Committee convene or automate the tool to start periodic processing. This also means that automated tools must consider these special and urgent events and be able to respond quickly.

Develop a resource life cycle plan and observe it. You will have a new feeling of cleaning up the bathroom.

[51cto.com]. Do not reprint it if it is not authorized. For reprinted on the Cooperation site, please specify the source and source of the original article as 51cto.com, and do not modify the original content .]

Original article: Do you have a handle on your 'managed' resources?By Roger Grimes

[Edit recommendations]

1. High-speed network development brings management difficulties
2. How to solve the three it O & M management problems of Enterprises
3. Topic: Linux System Management

[Responsible editor: Zhao Yi Tel :( 010) 68476606]