I am semi-ranting here because it hasn't been discussed on the list for a while :)
On Fri, Dec 9, 2011 at 2:27 PM, Matthew W. Ross <[email protected]>wrote: > > Yes, that is a bad habit. Browser exploits are a huge threat vector> > right now. And yes, "big name" sites get hit all the time, too --> often > through ad networks or other outsourced content providers.> Especially if > you're downloading updates, which implies you're not> current on patches. > > The implication is correct. Updates usually require reboots, and > administrators want reboots to be scheduled. I once did updates/reboots > during the weekend, thinking nobody would care... but a Journalism class > complained that they had a midnight deadline that I interrupted. It's like > I can't reboot _ever_. Forsake any real outage. See: > http://dilbert.com/strips/comic/1997-01-28/ > > So. That path has implictions as does the reasoning. We once catered to the users to an insane degree. That way lies chaos and poor service over time along with grumpy and paronoid administrators unpatched systems and randomly scheduled work which only increased workloads and unhappiness all over. The first suggestion I have for you is to BE CONSISTANT AND PREDICTABLE. I am serious here. Pick your time for maintenence. Make it yours. Absolutly yours. Nothing else other then mission critical business need can take it away. Announce it, remind people, regularly, keep it even if you don't use it that month. For example, in our case, production patching occurs primarily at 6pm on the Saturday following the second Tuesday and lasts until 2am. Period. You want an exception, you have to get approval from the CIO. In two years we haven't changed it (it's actually 3 time windows but we shall simplfiy the schedule for this rant, focus). This means the business can plan around this. It doesn't matter what your time is, but as an admin, you need it. You need to be able to plan and schedule your environment in such a way as to not negatively impact your life and still allow the customers to plan their business. The time was agreed on by both IT and the business partners. Both need reminding that the time is ours, not theirs, often. In order to do this you need to know when your customers work so you can more effectively tailor your notifications or methods of notifications so you need to have a communications channel to them. Whether it is through direct announcements or posting where people will see them when they log on. You mentioned students, so notifications to teachers, a posted maintenence schedule on the class calenders, etc. It doesn't matter if you have 5 servers or 5,000 servers, the only difference is scale and the SLA you are operating under. If you don' have an agreed upon SLA, you need to set one up. You can't plan out the costs for an appropriate level of service if you don't know the expectations and have the buy in of management and your customers. This stuff also helps in your year end reports/evalutions as it gives you measurable metrics you can point to meeting or exceeding with management justifying your employment/raise/bonus. My current manager is insane with documentation about what we do on his team and tracking all this stuff and produces a year end report about what everyone did (often with a dollar savings amount attached in implementation or prevention). Today, I watched another group lay several people off because they can't effectively measure what those people did. SLA's aren't just about customer expectations, they are about helping define and measure the level of work required to staff a competent, effective IT department/group. > > Also, if you find yourself going to the server room on a regular > > basis[1], you're doing something wrong. Even when my desk was in the > > same room as the server, I almost never touched the physical server > > console. Remote management tools and RDP are the way to go. > > I'll run up the server room if something goes down and won't come back up. > Otherwise, it's the same here. Happily, that's a rare occasion. > > > If that's your only option, then yes, that is absolutely what you > > should do. You're moving the threat off your mission-critical server > > and on to an ordinary workstation. > > I see where you are all coming from. It's probably different when you have > a large number of servers, even more so when they are all running/balancing > virtual machines. I have only a few, each doing different jobs > > > We have 1500 servers. Some doing dedicated jobs, some doing mixed roles in larger groupings. It doesn't matter. Mantaining good habits reduces accidents, note I do not say prevents, merely reduces because at 2am, things sometimes happen that we don't want to talk about. > > [1] With the possible exception of changing backup media. > > Hurray for Disk to Disk to Offsite Disk backups! Sm:)e. > > > --Matt Ross > Ephrata School District > > > ----- Original Message ----- > From: Ben Scott > [mailto:[email protected]] > To: NT System Admin Issues > [mailto:[email protected]] > Sent: Fri, 09 Dec 2011 > 12:44:59 -0800 > Subject: Re: things to include in a vm template? > > > > On Fri, Dec 9, 2011 at 2:43 PM, Matthew W. Ross > > <[email protected]> wrote: > > > I have the bad habit of running to my server room, and using the > server to > > > download some update that is needed. > > > > Yes, that is a bad habit. Browser exploits are a huge threat vector > > right now. And yes, "big name" sites get hit all the time, too -- > > often through ad networks or other outsourced content providers. > > Especially if you're downloading updates, which implies you're not > > current on patches. > > > > Also, if you find yourself going to the server room on a regular > > basis[1], you're doing something wrong. Even when my desk was in the > > same room as the server, I almost never touched the physical server > > console. Remote management tools and RDP are the way to go. > > > > > So, should I RDP back to my desktop, download the file, then move it > > > back to the server? If this is the suggested practice, it is a > little... > > odd. Sm:)e. > > > > If that's your only option, then yes, that is absolutely what you > > should do. You're moving the threat off your mission-critical server > > and on to an ordinary workstation. > > > > -- Ben > > > > [1] With the possible exception of changing backup media. > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > --- > > To manage subscriptions click here: > > http://lyris.sunbelt-software.com/read/my_forums/ > > or send an email to [email protected] > > with the body: unsubscribe ntsysadmin > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
