Title

Disk Space Monitoring is not Configured with Threshold and Action. (Cat II impact)

Discussion

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. If the server were ever to run out of disk space, the server could fail catastrophically, possibly with data loss. This field allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to low disk availability. A good rule of thumb is to issue warnings when free space falls under 15% and critical messages when it falls under 5% of total disk space. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it.

Check Content

If disk monitoring is performed via a third party tool as part of an overall data center monitoring strategy, then using Exchange monitoring for disk space usage is an acceptable solution, and this check is N/A. Review disk space monitoring. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> Disk Space Threshold >> Details button For each disk, "Warning" should be 15% or more of available Disk Space, and "Critical" should be 5% or more of available Disk Space (not to exceed the "Critical" figure). At minimum, actions should include sending an E-mail alert an on-call Exchange Administrator or to an Incident Response Administrator. Criteria: If "Warning" is set to 15% or more of available disk space, and "Critical" is set to 5% or more of available disk space (not to exceed the "Critical" figure), and minimum, actions include sending an E-mail to an on-call Exchange Administrator or to an Incident Response Administrator, this is not a finding.

Fix Text

Configure disk space monitoring. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab 1) Add the monitor, if needed: Click ADD, select Free Disk Space. Add one monitor for each disk. 2) Set the warning and critical thresholds Set the warning value not less than 15% of available disk and critical value not less than 5% of available disk. 3) Create the notifications: Exchange System Manager >> Tools >> Monitoring and Status >> Notifications Specify E-mail to the E-mail Administrator or Incident Response Team account at minimum. Optionally, a script can be invoked to create a log message.

Additional Identifiers

Rule ID: SV-20612r1_rule

Vulnerability ID: V-18712

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.