An offering from ITS, is Microsoft server support and consultation. This service includes 2nd tier assistance for servers including troubleshooting, operating system installs and upgrades, security and hot fix application. In addition server analysis, resource planning and recommendations can be provided.

Requests for support or consultation

Windows Server Administration Checklists

Security Options for Windows based servers

Microsoft Windows Server Support - What we support
A number of academic departments in Arts, Sciences and Engineering have instituted the use of Microsoft Windows servers. Due to the complexity and variety of these systems, ITS must restrict the hardware and operating system software versions that it can support. The supported server vendor, hardware and operating system requirements are listed below. All departments operating Microsoft Windows servers are required to have operators and/or system administrators, 1st tier support, with a working knowledge of their operating system as well as familiarity with installed hardware and applications. In addition, local operators or administrators are expected to be familiar with the security implications of operating a multi-user, multitasking operating system.

PLEASE NOTE: Microsoft Windows Servers are general-purpose operating systems and therefore are often used to provide a range of network services to other systems. Examples include file and print services, web, application and email. ITS strongly suggests that wherever and whenever possible departments should avoid providing these services and to instead rely upon either ITS or UIT to provide them. Any one of the aforementioned services can greatly increase the administrative tasks and security implications associated with system maintenance, taking valuable machine and human resources away from the systems primary function.

Operating Systems
The Windows 2003 Server product is supported in its current release and service PAK revision. Future server products will be supported after sufficient time has been given for ITS to evaluate them upon their release. Additionally the hardware must be running on ITS approved Wintel hardware see requirements below. It is intended that the Microsoft Windows server product be used as a platform for distributed multi-user functions and not as a substitute for Windows XP or Vista running standard productivity and office applications. Since web, file and print services are provided centrally or by ITS, it is strongly suggested that departments avoid using their systems to replicate these services.

All Media/CD's and licenses for the operating system must be readily available. In addition it would be prudent to have all 3rd party application media and licenses available. These should be kept together in a secure location that is known by the local administrator and will be known by ITS. Additionally 3rd party installation guides and notes on specific installations should be kept and readily available if needed.

Hardware Requirements
Minimum Requirements for existing servers:

Intel Xeon 3.0 GHz CPU

at least 2 gigabytes of memory

For new hardware it is recommended that you contact ITS and we will work with you on configuring a server for your individual needs and budgetary considerations. Based on an analysis of the requirements of the server, ITS can configure a recommended solution and provide a quote from the hardware vendor.

Additionally, for new hardware to be supported, we are requiring that the vendor used be DELL. For supportability and dependability reasons we are standardizing servers on one hardware vendor's platforms. DELL has proved itself a cost effective and more importantly stable and reliable enterprise server manufacturer and one that we have standardized our own servers on.

Backups
In order for an existing server to be supported a backup schedule must be in place and the tapes readily available. New servers will be configured with a tape drive to be used for backup purposes.

Applications
Assistance will be provided in regards to 3rd party applications where possible. However application support is to come from a content knowledgeable application person within the department as well as the 3rd party.

Power Protection
Servers must be properly power protected. At a minimum the server must be attached to a surge protector. More ideal would be that the server be attached to a UPS, Uninterrupted Power Supply. This mitigates exposure to the server's hardware in the event of unintended power hits.

Firewall
It is required that any server on the Tufts network be placed behind an appliance level firewall. UIT and ITS both offer this service. New servers should have a firewall included as a part of the purchase. Owners of existing servers should seriously consider taking advantage of one of the service offerings and placing a firewall between the server and the network.

Requests for support or consultation
Requests for initial support or consultation are to be made by contacting the AS&E helpdesk at helpdesk@ase.tufts.edu. Information in the request should include the name of the person making the request, the name of the 1st tier server administrator, the type of assistance requested and any other pertinent information. ITS reserves the right not to provide support to a server based on its not meeting one or more ITS standards.

Windows Server Administration Checklists
The following lists are not all inclusive nor may they be ideal for your environment. However they are a good start to ensure that your servers are kept up to date and properly maintained.

Daily:

• Check event log of every server, fix/try to fix as needed.
• Creating new directories, shares, and security groups, new accounts, disabling/deleting old accounts, managing account policies.
• Make sure backup runs and verify the files.
• Check for free space on all servers, for file pollution and quotas.
• Ensure that all server services are running.
• Ensure that anti-virus definitions are up-to-date.
• Keep Service Pack and Hot fixes current.
• Check Print Queues.
• Keep a log of everything you have fixed or performed maintenance on.
• Permissions and files system management where appropriate.

Nightly:
Backups - ensure that backups are being performed nightly and verify their successful completion. The top 10 rules of system administration on any operating system are

• backups
• backups
• backups...

Weekly:

• Clean Servers, check for .tmp files, jetdb files, etc.
• Implement any new policy, permission, logon script, or scheduled server modification.
• Reboot Servers if needed.
• Keep up-to-date on IT news regarding networks and security.
• Evaluate software for System Admin purposes.
• Performance Monitoring/Capacity Planning- Budgeting for the future.
• Uptime/Downtime reports.
• Audit network for unauthorized changes.

Monthly:

• Change Service Account Passwords, this could be done quarterly.
• Extended testing backups with restores.
• Maintaining applicable Service Level Agreements.
• Managing off-site storage of backup tapes, whether you take them home or a service picks them up.
• Periodically reviewing all of the above, is documentation up to date?
• Has the Disaster Recovery Plan been updated to reflect changes in the environment?
• Periodically reviewing workload.
• Periodically review company technical environment. How can it be improved?
• Run defrag and chkdsk on all drives. Review audit policies, audit user rights and privileged local and global groups.

Initial or Occasionally:

• Test disaster recovery process to an alternate site, in case of emergency.
• Test the backup restore procedure.
• Get a performance baseline for things like %Processor Time, Pagefiling, Disk Queues.

Security Options for Microsoft Windows based server operating systems:
There is no panacea in regards to security in a Microsoft Windows environment. However, taking some prudent steps can help mitigate your exposure. Note that Microsoft, among others, changes their links periodically. At the time of writing these were up to date and viable.

There are numerous list servers that can provide you with up to date information on security issues. Each of the sites listed above have list services. It is recommended to join at least the Microsoft one and possibly one other. SANS and ntbugtraq are 2 that are highly informative.

Periodically run http://windowsupdate.microsoft.com. From within this area your server can be checked for the absence of hot fixes, service PAK's, etc. and make recommendations for addressing any discrepancy found. Be aware though that at this time windows update will not check on IIS hot fixes.

Virus Protection
This is mentioned in the System Administrators Checklist document but it is important to note it here. Ensure that you are running an enterprise server virus protection product as well as scheduling it to update and deploy pattern files on a daily basis. The University has a contract with Trend Micro and their Server Protect product. For assistance on installing and configuring this product please send a request to the ITS helpdesk at helpdesk@ase.tufts.edu.

There are many 3rd party products that can assist in proactively monitoring and managing security issues. Many can be found through the above mentioned sites and list servers.

There are also numerous courses and seminars offered outside of the University on the administration and securing of Windows Server 2003.