Troubleshooting
Conducting a Technology Self Audit
November, 2005
By Arthur Vincie, Tech News Staff Writer
|
Technology for nonprofit organizations has quickly evolved into a 'mission critical' environment. In only a few short years, resources like email and shared database access have moved from 'nice' to a 'must have.' With the pace of change only increasing, nonprofits are well served to strive towards ongoing accountability throughout the network. If you have had 'down time' recently it probably pointed out that staff were unable to work without network access or email, an indication of how the work environment has changed over the last five years. A more relevant question to ask, then, is whether your server has been updated over the past five years. Policies and Procedures Clearly defining group policies and procedures is an important first step for an organization to significantly reduce potential problems. It is often helpful for policies to be discussed and agreed upon before being implemented so that co-workers understand why the decision was made. Policies can range from ensuring your internet connection is not used to access inappropriate content, to prohibiting individual users from installing software at the desktop level. Many policy guidelines can be implemented quickly at the server level. User Password Policy Automatic password reset prompts can be set for specific time intervals at the server level. For instance, a password can be set to expire every 30 days and require a user to reset their password at next login. ...and yes...please do not use password for your password. A generally recommended password string usually contains eight digits and should include both upper and lower case letters and numbers. Passwords should not use any part of a user's name or email address. Administrator Password Policy Ensure that passwords for the server, firewall, managed switches, wireless routers and access points are known to more than one individual or stored in a safe place in the event of an emergency. Software Updates Ensuring that operating system and virus definition updates are regularly installed is essential in protecting against the latest exploits. For the most part these updates can be distributed directly from the server, saving not only bandwidth but proving a clear administrative snapshot to view client machines that are not updating properly. Limiting Administrative Rights for Software Installations Many nonprofit IT departments and their consultants spend valuable time tracking down and correcting issues emerging from spyware and malware vulnerabilities. Often, these issues can be traced back to software installs from online downloads (sometimes unknowingly by a user). Given the opportunity, users will often treat their office workstation like a home computer downloading screensavers and peer to peer music sharing services. Although these installs may not create a direct problem, they often create vulnerabilities for an individual system that allow an exploit which then subsequently spreads throughout the network. Recent variations of the mydoom virus for instance blocked a user's ability to update antivirus definitions that would have lead to its removal. A single system such as this can often create significant issues for an entire network. Software Inventory Having an inventory of software owned by the organization, along with installation disks and key codes, saves valuable time when rebuilding a server or an end user machine. Additionally, future purchasing needs are more easily identified. Hardware Inventory Maintaining a hardware inventory, including server utilization statistics, can assist with easily pinpointing which desktops or servers are reaching the end of their lifespan or require an upgrade. For servers utilizing a RAID configuration that seem near the end of their lifecycle, it is helpful to have an extra hot swappable hard drive on hand in the event of disk failure. Wireless Access Points Unconfigured wireless networks present significant risks to your network because wireless equipment is often shipped with the security settings disabled. Windows XP's built-in wireless ethernet support scans for wireless networks automatically. When a wireless client detects a signal which doesn't use security, all it takes to join that network is a couple of clicks of the mouse on the wireless network icon. This unauthorized user can piggyback on the unsecured wireless network and do anything from borrowing an Internet connection to reading email or collecting documents from a shared folder on the network. Wireless access points or routers are often easily configured through a browser. Check the manual for your unit to determine what internal IP address to use in your browser to start the configuration process. Network Infrastructure Having a network diagram enables you to explain your system to co-workers while working on the network since it contains the static IP address for your servers, etc. Additionally, a network diagram is a useful tool when identifying performance issues with colleagues. (i.e. 'If that Hub was to be replaced with a Switch we would have improved bandwidth distribution'). Backup Having an offsite backup is essential to protect against catastrophic loss. Disk images of PC's and servers are another useful tool to restore a machine quickly. Several third-party database systems, primarily key financial systems, do not back up properly to tape or disk and require that a manual backup be initiated from the administrative account while logged into the application. If you are fortunate enough to have a testing environment, it is recommended that simulated restorations from your backup media be performed from time to time to see what types of issues present themselves. Organizations that follow backup procedures properly and fervently often do not test the ability to restore from tapes or external drives. Having your key database fail to restore at three in the morning during an emergency is not the best way to learn that you have a problem with your backup procedures. Organizations who do not currently have a backup process in place and need an affordable solution should purchase two identical external hard drives. The cost of external drives has dropped significantly and a 200G drive often sells for $150 or less. A backup schedule can be saved on the server that identifies what files to back up. At regular intervals the drives can be swapped out (one remains offsite) while sharing the same power cord in your server room. You do have a server room, right? Server Room (Space) Policies Many organizations do not have the luxury of a true server room with temperature controls, adequate power supply and security. If you are building a network from scratch, it is generally the best policy to choose a cool, dry, well-ventilated small room (usually a utility closet) that can be locked. External Vendors If your organization is working solely with external vendor(s) to maintain your technology infrastructure, it is important to ensure that internal knowledge exists should something change in that relationship or if the vendor is simply unable to respond immediately. A good way to build internal knowledge is to have a technology committee that meets on a semi-regular basis and includes your vendors. Having conversations in a non-emergency setting allows known issues and vulnerabilities to be discussed in a setting that is calm and conducive to informed decision making. For small offices it is beneficial to create a culture in which informal conversations about the network take place. This will result in general knowledge growth for basic issues like what to do with a suspicious email attachment (delete it) or how to report a problem with an application. Taking a proactive rather than reactive approach to maintaining your network environment significantly strengthens your network and minimizes data loss and down time. |