Title

Virtual memory monitoring notifications are not configured with threshold and action. (Cat II impact)

Discussion

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on low virtual memory. A good rule of thumb (default) is to issue warnings when virtual memory is less than 25% for a duration of 3 minutes, and critical messages when less than 10% for a duration of 3 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate that additional capacity is needed, or a network or other issue (such as inbound SPAMMER traffic) that directly impacts e-mail delivery. Virtual Memory availability should be monitored. Frequent alerts on this counter could indicate that the server is nearing capacity and that load mitigation measures may be needed.

Check Content

If Virtual Memory Utilization monitoring is performed via a third party tool as part of an overall data center monitoring strategy, then this check is N/A. Review virtual memory utilization monitoring and notification. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> Virtual Memory Threshold >> Details button "Warning" should be set (for a sustained duration of 3 minutes) to a value not less than 25%. "Critical" should be a value not less than 10%. Minimum Action should be E-mail to an on-call Exchange Administrator or to an Incident Response administrator. Criteria: If "Warning" is set (for a sustained duration of 3 minutes) to a value 25% or higher, and "Critical" is 10% or higher,and Action is an E-mail to an on-call Exchange Administrator, this is not a finding.

Fix Text

Configure Virtual Memory utilization monitoring and notification. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> Virtual Memory Threshold >> Details button 1) Add the monitor, if needed: Click ADD, select Virtual Memory Threshold. 2) Set the duration, warning and critical thresholds Set (for a sustained duration of 3 minutes) Warning value not less than 25% and Critical value not less than 10%. 3) Create the notifications: Exchange System Manager >> Tools >> Monitoring and Status >> Notifications: Declare notifications and communication methods as required by local organization policy. At minimum, E-mail an on-call Exchange administrator or an Incident Response administrator.

Additional Identifiers

Rule ID: SV-20369r1_rule

Vulnerability ID: V-18714

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.