Check: EMG2-807 Exch2K3
Microsoft Exchange Server 2003: EMG2-807 Exch2K3 (in version v1 r5)
Title
CPU Monitoring Notifications are not configured with threshold and action. (Cat II impact)
Discussion
Monitors are automated “process watchers” that respond to performance changes. They are useful for detecting outages and for alerting administrators where attention is needed. The built-in Exchange 2003 monitors let the administrator generate alerts when thresholds are reached, so that administrators can react in a timely fashion. This field offers a choice of alerts when a ‘warning’ or ‘critical’ threshold is reached on CPU utilization. A good rule of thumb (default) is to issue warnings when CPU utilization exceeds 70% for a duration of 10 minutes and critical messages when it exceeds 80% for a duration of 10 minutes, conditions which should occur only occasionally. Frequent alerts against this counter may indicate that additional capacity is needed, or that a network or other issue (such as inbound spammer traffic) is directly impacting E-mail delivery. CPU availability should be monitored. If the server were ever to exceed the maximum CPU threshold, it could effectively experience a denial of service (DoS) condition. Notification choices include sending an E-mail alert to an E-mail enabled account (for example, an E-mail administrator) or invoking a script to take other action (for example, adding an event to the Microsoft Application Event Log, where external monitors might detect it).
Check Content
If CPU monitoring is performed via a third-party tool as part of an overall data center monitoring strategy, then this check is N/A.

Review CPU utilization monitoring and notification.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> CPU Utilization Threshold >> Details button

"Warning" should be set (for a sustained duration of 10 minutes) at a value not greater than 80%. "Critical" should be set at a value not greater than 90%. At minimum, actions should E-mail an on-call Exchange administrator or Incident Response administrator.

Criteria: If CPU utilization monitoring "Warning" is set to (for a sustained duration of 10 minutes) 80% or less and "Critical" is set to 90% or less, with an alert E-mail sent to an administrator, this is not a finding.
Fix Text
Ensure that CPU utilization monitoring and notification is enabled.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> CPU Utilization Threshold >> Details button

1) Add the monitor, if needed: Click ADD, select CPU Utilization Threshold.
2) Set the duration, warning and critical thresholds: Set (for a sustained duration of 10 minutes) Warning value not greater than 80% and Critical value not greater than 90%.
3) Create the notifications: Exchange System Manager >> Tools >> Monitoring and Status >> Notifications: Declare notifications and communication methods as required by local organization policy. At minimum, alert an on-call Exchange Administrator or Incident Response Administrator.
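The "sustained duration" condition in the settings above, as an added example that is not part of the STIG or of Exchange: a Python sketch showing that a 10-minute duration suppresses short CPU spikes and that one notification is raised per state change. The one-minute sampling interval, the strict "exceeds" comparison, the function names and the sample data are assumptions.

```python
# Thresholds and duration come from the check criteria above.
WARNING_PCT = 80
CRITICAL_PCT = 90
DURATION_SECONDS = 10 * 60
SAMPLE_SECONDS = 60  # assumed polling interval, not an Exchange setting


def sustained_state(samples, warning=WARNING_PCT, critical=CRITICAL_PCT,
                    duration=DURATION_SECONDS, interval=SAMPLE_SECONDS):
    """Return 'ok', 'warning' or 'critical' after each CPU sample (percent).

    A state is raised only when every sample in the trailing `duration`
    window exceeds the threshold, so a brief spike never alerts.
    """
    need = duration // interval  # consecutive samples that cover the window
    warn_run = crit_run = 0
    states = []
    for pct in samples:
        if not 0 <= pct <= 100:
            raise ValueError(f"CPU percentage out of range: {pct!r}")
        warn_run = warn_run + 1 if pct > warning else 0
        crit_run = crit_run + 1 if pct > critical else 0
        if crit_run >= need:
            states.append("critical")
        elif warn_run >= need:
            states.append("warning")
        else:
            states.append("ok")
    return states


def notifications(states):
    """Return (sample_index, state) for each transition into an alert state."""
    events, previous = [], "ok"
    for index, state in enumerate(states):
        if state != previous and state != "ok":
            events.append((index, state))
        previous = state
    return events


# Constructed sample data, one reading per minute.
SPIKE = [50] * 3 + [95] * 5 + [50] * 2       # 5-minute spike only
SUSTAINED = [85] * 10 + [95] * 10 + [40]     # 10 min high, then 10 min very high

if __name__ == "__main__":
    print(notifications(sustained_state(SPIKE)))
    print(notifications(sustained_state(SUSTAINED)))
```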
Additional Identifiers
Rule ID: SV-20367r1_rule
Vulnerability ID: V-18713
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |