Check: EMG2-815 Exch2K3FE
Microsoft Exchange Server 2003:
EMG2-815 Exch2K3FE
(in version v1 r5)
Title
Windows 2003 Services Monitoring Notifications are not configured with thresholds and actions. (Cat II impact)
Discussion
Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This setting allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to a selected Windows 2003 service being down.

Exchange is dependent on certain Windows services being active: Event Log, NT Lan Man (NTLM) Security Support Provider, Remote Procedure Call (RPC), Server, Workstation, Internet Information Service (IIS) Admin Services, and Hypertext Transfer Protocol (HTTP) Secure Sockets Layer (SSL). Failure in these services will cause Exchange to also fail in some way.

Once all the above services have been added, the “When service is not running change state to” field should be set to Critical. The trigger should be “Critical” because, if any of the services that the core Exchange services depend on stop, this will require immediate attention.

Notification choices include an E-mail alert to an E-mail enabled account (for example, an E-mail Administrator), or invoking a script to take other action (for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it).
Check Content
If Windows Services Monitoring is performed via a third party tool as part of an overall data center monitoring strategy, then this is N/A.

Review Windows Services Monitoring and Notification.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> [Windows 2003 Service] >> Details button

The following Services should be monitored:

- Event Log
- NTLM Security Support Provider
- Remote Procedure Call
- Server
- Workstation
- IIS Admin Service
- HTTP SSL

For each item, the "When Service is not Running, Change State to" should be "Critical".

Minimum action should be an E-mail sent to an E-mail Administrator or to an Incident Response team account.

Criteria: If, for each service, the "When Service is not Running, Change State to" is "Critical", and the minimum action is to send an E-Mail to an Administrator or to an Incident Response Team account, this is not a finding.
Fix Text
Configure Windows Services Monitoring.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> [Windows 2003 Service] >> Details button

1) Add the monitor, if needed: Click ADD, select desired Windows 2003 Service. Add each service listed.

- Event Log
- NTLM Security Support Provider
- Remote Procedure Call
- Server
- Workstation
- IIS Admin Service
- HTTP SSL

2) Set the warning and critical thresholds for each service: Set “When service is not running change state to” Critical.

3) Create the notifications for each service: Exchange System Manager >> Tools >> Monitoring and Status >> Notifications: Declare notifications and communication methods as required by the local organization policy. At minimum, send an E-mail to an on-call Exchange Administrator or Incident Response administrator.
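The Discussion mentions invoking a script that adds an event to the Application Event Log where external monitors can detect it. The PowerShell script below is an added example of such a script, not part of the STIG text or of Exchange. It assumes PowerShell is installed on the server, that the listed display names map to the Windows Server 2003 short service names shown, and it uses a hypothetical event source (`ExchDependencyMonitor`) and a constructed event ID (815).

```powershell
# Added example, not from the STIG. Checks the Windows services the check
# lists and records an Application event for any that are not running.

# Display name used in the check -> short service name (Windows Server 2003).
$required = @(
    @{ Display = 'Event Log';                      Name = 'Eventlog' },
    @{ Display = 'NTLM Security Support Provider'; Name = 'NtLmSsp' },
    @{ Display = 'Remote Procedure Call';          Name = 'RpcSs' },
    @{ Display = 'Server';                         Name = 'lanmanserver' },
    @{ Display = 'Workstation';                    Name = 'lanmanworkstation' },
    @{ Display = 'IIS Admin Service';              Name = 'IISADMIN' },
    @{ Display = 'HTTP SSL';                       Name = 'HTTPFilter' }
)

function Get-DownService {
    param([array]$Services)
    $down = @()
    foreach ($s in $Services) {
        # A missing service is reported as well as a stopped one.
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $down += "$($s.Display) ($($s.Name)): not installed"
        } elseif ($svc.Status -ne 'Running') {
            $down += "$($s.Display) ($($s.Name)): $($svc.Status)"
        }
    }
    return ,$down   # leading comma keeps the result an array
}

$down = Get-DownService -Services $required
if ($down.Count -gt 0) {
    $msg = 'Exchange dependency services not running: ' + ($down -join '; ')
    # eventcreate.exe ships with Windows Server 2003.
    # Source name and event ID are assumptions chosen for this example.
    # If the Event Log service itself is down this write fails; the
    # non-zero exit code below still signals the problem to the caller.
    & eventcreate.exe /L APPLICATION /T ERROR /SO ExchDependencyMonitor /ID 815 /D $msg | Out-Null
    exit 1
}
exit 0
```

The script supplements the E-mail notification the check requires as the minimum action; it does not replace it.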
Additional Identifiers
Rule ID: SV-20373r1_rule
Vulnerability ID: V-18716
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |