1. Change your passwords
If you’re a sysadmin, you probably have long-set passwords for admin accounts, service accounts, probably even for your own account. When was the last time you changed your Gmail password? Take the time to update all your passwords.
2. Force others to do the same
You may not be able to make them change their bank password, but run a query to find all the users who haven’t changed their passwords in ages and have accounts set to never expire, and update them.
3. Find and remove stale accounts
While you’re running those scripts, look for accounts that haven’t authenticated in more than 30 days and disable them. Find the ones that haven’t authenticated in more than 90 days, and unless there’s a policy in place prohibiting this, delete them. Stale accounts are just sitting there waiting to be exploited.
4. Check group memberships
Users change roles, change jobs, and change responsibilities. They are added to groups to have the permissions they need, but far too often they are not removed from these groups when their needs change. Take time to review group memberships, including distribution lists, and remove stale entries.
5. Patch all your systems
This shouldn’t need to be a resolution, but odds are good at least some of you aren’t patching everything fully. Resolve to do better in 2015.
6. Patch all your apps
Here’s where even more sysadmins probably fall down. It’s much easier to patch operating systems than third-party apps, but it’s those third-party apps that can cause some of the worst issues. Time to invest in a patch management solution that can handle both operating systems and third-party applications.
7. Validate all your firewall rules
Just like unused user accounts and out-of-date group memberships need cleaning up, firewall rules need to be reviewed from time to time. Too many legacy rules have provided a way for an attacker to get in to a system that was either not updated or not configured properly. Review your firewall rules to ensure there are no unwanted pathways in to your network.
8. Validate all your DNS records
Check your zone files to ensure that there are no old records, unused network ranges, or invalid secondaries in place. You don’t want out-of-date information in your DNS, and you don’t want references to deprecated systems or legacy network ranges.
9. Update WHOIS and domain name registries
Check your WHOIS data and contact information in your domain registries to ensure contact information is up-to-date. Replace names with distribution lists, and ensure phone numbers are up to date too. That way, if there is a need to contact a responsible party, that information is correct, while reducing the chance the data can be used for phishing attempts.
10. Confirm antivirus is running on everything
You know you should have antivirus running on everything. Policy says it’s required. But go check all your servers and query all your workstations to be sure; 100% sure.
11. Start checking log files
Log files are good for figuring out what happened after the fact, but they are even more useful when used to spot trends before they become problems. Whether services start to register errors, disks start to flag events, or failed logon attempts show inappropriate access attempts, log files should be used proactively, not just reactively.
12. Enable encryption on everything
Laptops, desktops, servers, backup tapes, removable media, network protocols… if encryption is an option, turn it on. Protect yourself from theft, loss, and interception by using encryption everywhere you can. It’s a pretty easy way to reduce your risks, and it can help you meet compliance requirements.
13. Set your SPF to hard fail
The surest way to help others detect spoofing is to use SPF records in your domain and set hard fail. Then go the extra step and configure your mail system to reject any incoming messages that fail SPF checks.
14. Learn PowerShell
Windows admins need to know PowerShell. Every server app is based on it, and PowerShell makes both system administration and automation easier. Quite a few have tried to avoid the prompt for years, much to the amusement of their Linux loving peers. It’s time to start learning PowerShell.
15. Test and verify backups
Backups are great, until you need them and they fail. Take time now, and from now on, to verify your backups by restoring data regularly to ensure that you actually can should disaster strike.
16. Update your disaster recovery plan
Find the little red binder that includes your DR plan, blow the dust off of it, and start revising it. For starters, update the call list to make sure it doesn’t include employees who retired in the last decade, and update it to reflect your current environment. Wait until disaster strikes, and you’ll find that an out-of-date plan may be worse than no plan.
17. Run through a disaster recovery drill
With your updated DR plan good to go, take the time to run a DR drill to make sure your plans work. You really want to be sure you can restore functionality in the event a disaster strikes.
18. Eliminate legacy operating systems
XP is dead. Time to let it go. And yet, companies are reluctant to let go! Some also have mainframe applications from before Y2K was a thing, and they just don’t have any plan to get away from it. If you cannot patch it, you need to get rid of it.
19. Eliminate legacy applications
What may be even worse than legacy operating systems is legacy apps, including those that may be forcing you to use out-of-date and unsupported browsers. If your ERP system forces you to stay on IE8, it’s time to show it the door, since that browser is neither supported nor patched, and presents risks whenever your users try to surf the web.
20. Get rid of out-of-date data
How many TB of data do you have stored on your SAN, and which you’re backing up and scanning regularly? And how much of that data goes back to the late 90s and hasn’t been touched by a user in the past five years? Resolve to archive off old data to tape or optical, lock it away, and perform spring cleaning on all your network storage. Do you really need ISOs of SQL 2000 stored on the network?
21. Responsibly dispose of old hardware
Every sysadmin’s secret shame lies hiding in closets, cabinets, and the dark corners of the loading dock. All that ancient hardware that hasn’t powered on since the Bush administration, but that you just can’t bring yourself to get rid of has got to go. Use DBAN to wipe the drives, then get that gear recycled and out of your way.
If there’s not a single item on this list that you don’t need to do, congratulate yourself and drink a toast to your peers on New Year’s Eve. If a few are still pending, now’s the time to take action.
From all of us at GFI, Happy New Year!