George Mason University logo
Information Technology Unit homepage
SysAdmin Security homepage

Best Practices

These steps should be taken by all system administrators, even if you do not have sensitive data stored on your computer. If you need assistance implementing these steps, please contact the ITU Support Center at (703) 993-8870.

Create strong, hard to break passwords, for administrative accounts.
  • Why? Answer here.
  • How? Answer here.
Do not use the same password for multiple devices.
  • Why? Answer here.
  • How? Answer here.
Limit your use of admin privileges, only use when necessary.
  • Why? Answer here.
  • How? Answer here.
Always begin with deny by default settings.
  • Why? Answer here.
  • How? Answer here.
Backup important data. Keep operating system and application disks handy.
  • Why? Answer here.
  • How? Answer here.
Always begin with deny by default settings.
  • Why? Answer here.
  • How? Answer here.
Turn on log files and monitor at least daily.
  • Why? If you don’t review your log files daily you won’t have a good understanding of what normal traffic looks like. This is imperative as the wily hacker is looking for deceptive ways to access your system. Know how your system is accessed. SANS has organized a consensus document reviewing the top 5 log reports that a system administrator should regularly look for. See http://www.sans.org/resources/
    top5_logreports.pdf    :
    1. Attempts to gain access through existing accounts.
    2. Failed file or resource access attempts.
    3. Unauthorized changes to users, groups, and services.
    4. Systems most vulnerable to attack.
    5. Suspicious or unauthorized network traffic patterns.
  • How?
    From SANS Window’s Intrusion Detection Checklist http://www.sans.org/score/checklists/
    ID_Windows.pdf    :
    • Look at logs, run the event viewer:
      From the Start menu, click on Run
      In the blank field type Eventvwr.msc
      Click “Ok
    • Look for suspicious events, for example: “Event log service was stopped.” “Windows File Protection is not active on this system.”
      “The MS Telnet Service has started successfully.”
    • Look for a large number of failed logon attempts or locked out accounts.

    From SANS Linux Intrusion Detection Checklist http://www.sans.org/score/checklists/
    ID_Linux.pdf    :
    • Look for examples of suspicious entries: Promiscuous mode
      “entered promiscuous mode”
    • Look for a large number of authentication or login failures from local or remote tools (e.g., telnetd, sshd, etc.)
    • Look for Remote Procedures Call (rpc) programs with a log entry that includes a large number (>20) or strange characters (-^PM-^PM-^PM-^PM-^PM-^PM-^PM)
    • Look for large number of Apache logs saying “error” on web servers.