Colin Chaplin
How about a little brain teaser that'll help me out?
Scenario is thus:
You have a number of NT4 servers that require retiring. No-one is really
sure what they are or what they do. They think they may be in use but aren't
certain.
How do you begin to build a picture of what this server is doing?
Here's my list; if you can think of any more feel free to add
1. Check Add/Remove Programs
2. Port scan machine to determine open IP ports
3. View running Services and what permissions they run under
4. Run Netstat periodically piped to file to view open ports
5. Use Ethereal on same segment/on that server, filtered to the IP address of the server; run over a period of time (watch diskspace)
6. Turn on File Access Auditing (increase logfile size and monitor diskspace)
7. Use Sysinternals tool to list remote files in use
8. Check lmhosts and hosts file on machine to determine what it may reference
9. Check for any static ROUTE entries on server
10. Search for files changed within last week and month, and monitor
11. (If possible) check all possible clients for entries for this server in LMHOSTS/HOSTS
12. If a DC, use lastloggedin tool to check when user account last logged in
13. Check scheduled Jobs
14. Check any backup software for evidence of backups, what they are called, etc.
15. Check for user/service accounts on the machine
16. Physically inspect machines for labels, etc.
17. Determine if IP address and network segment is relevant
18. Check IIS event Logs
19. Check Windows Event Logs
20. Search for any file named .LOG and review
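Step 4 above (netstat piped to a file at intervals) produces a pile of raw snapshots; the script below is an added example, not part of the original post, showing how to turn that pile into a picture of which ports the box serves and which clients keep coming back. It assumes the snapshots were appended to one file with `netstat -an >> file` (numeric output, one "Active Connections" header per run); the sample text is constructed, and the approach generalises to any number of snapshots.

```python
import re
from collections import Counter

# Constructed sample: two "netstat -an" snapshots from a server at 10.0.0.5,
# appended to the same file at different times (not real data).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.20:1041         ESTABLISHED
  UDP    0.0.0.0:137            *:*

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.20:1052         ESTABLISHED
  TCP    10.0.0.5:139           10.0.0.33:1200         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One connection line: proto, local ip:port, foreign address, optional state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, state) per connection line;
    headers and blank lines are skipped. UDP rows have no state."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, lip, lport, rhost, state = m.groups()
            yield proto, lip, int(lport), rhost.rsplit(":", 1)[0], state

def summarize(text):
    """Return (listening, peer_snapshots, n_snapshots).
    listening: set of (proto, port) the server offers.
    peer_snapshots: {(client_ip, server_port): number of snapshots in which
    that client was connected to that service} - regulars score high."""
    snapshots = [s for s in text.split("Active Connections") if s.strip()]
    listening, peer_snaps = set(), Counter()
    for snap in snapshots:
        seen = set()  # count a client once per snapshot, not per socket
        for proto, _lip, lport, rip, state in parse_netstat(snap):
            if state == "LISTENING" or proto == "UDP":
                listening.add((proto, lport))
            elif state == "ESTABLISHED":
                seen.add((rip, lport))
        peer_snaps.update(seen)
    return listening, peer_snaps, len(snapshots)

def report(text):
    """Human-readable summary: services offered, then clients by persistence."""
    listening, peers, n = summarize(text)
    out = [f"{n} snapshots; listening on: "
           + ", ".join(f"{p}/{port}" for p, port in sorted(listening))]
    for (rip, lport), count in peers.most_common():
        out.append(f"  {rip:<15} -> port {lport:<5} seen in {count}/{n} snapshots")
    return "\n".join(out)
```

Clients that appear in most snapshots are the ones to chase down (step 11) before the server is switched off; a port that never shows an ESTABLISHED peer across weeks of samples is good evidence that nothing uses it.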