On Tue, Sep 1, 2009 at 4:47 PM, Houghton, Andrew wrote:
...
>
> 4) Server compromised. Worst case scenario. They need to preserve all
> the drives so they can analyze them and turn over information to
> police. They are not going to trust the backup/image since they don't
> know how long the server was compromised. So they are most likely
> going to rebuild the server from scratch and ensure that it has *all*
> the latest security and application patches, in addition to doing (1).
>

There was nothing in the message they sent that leads me to believe this was the case. I can only go on what they say, and what they said was:

"Since last Monday (August 24th), when the PURL server suffered a significant hardware failure, GPO staff has been working at the highest level of priority to re-establish server access."

Thus I have to believe them that they did not have a compromised server and instead they had a hardware failure. I have no idea why they couldn't just restore from backup, which would at least have gotten them back to where they were from the last backup (which presumably was at most a week ago; if not, someone should have a lot of explaining to do to someone). Having to recreate a week of work wouldn't take that long and presumably the system could have been used while that happened.

I hope they provide a post mortem because I like to learn from these types of things so I can be better prepared if something like this happens to a system I'm responsible for.

> Nothing is as simple as it seems...

Well, sometimes it is easier, but yes, I understand that sometimes these are harder than one would think. This is why you have to make sure, and test, that you have an adequate backup and recovery plan. This is basic systems administration. 8+ days to recover from a hardware issue a service that the GPO has been encouraging large numbers of people to use, seems more than excessive.

For whatever reason they were not adequately prepared for "a significant hardware failure" on this service.

Incidentally, this is one of the reasons I am very keen on virtualization. Moving a VMware image (or whatever competitor you prefer) to new hardware is a lot less complicated than moving physical machines.

Edward