On Tue, Sep 1, 2009 at 4:47 PM, Houghton, Andrew <[log in to unmask]> wrote:

> 4) Server compromised.  Worst case scenario.  They need to preserve all
>   the drives so they can analyze them and turn over information to
>   police.  They are not going to trust the backup/image since they don't
>   know how long the server was compromised.  So they are most likely
>   going to rebuild the server from scratch and ensure that it has *all*
>   the latest security and application patches, in addition to doing (1).

There was nothing in the message they sent that leads me to believe
this was the case. I can only go on what they say, and what they said was:

"Since last Monday (August 24th), when the PURL server suffered a
significant hardware failure, GPO staff has been working at the
highest level of priority to re-establish server access."

Thus I have to believe them that they did not have a compromised
server and instead they had a hardware failure. I have no idea why
they couldn't just restore from backup, which would at least have gotten
them back to where they were from the last backup (which presumably
was at most a week ago; if not, someone should have a lot of explaining
to do to someone). Having to recreate a week of work wouldn't take
that long, and presumably the system could have been used while that
happened. I hope they provide a post mortem, because I like to learn from
these types of things so I can be better prepared if something like
this happens to a system I'm responsible for.

> Nothing is as simple as it seems...

Well, sometimes it is easier, but yes, I understand that sometimes
these are harder than one would think. This is why you have to make
sure, and test, that you have an adequate backup and recovery plan.
This is basic systems administration. 8+ days to recover, from a
hardware issue, a service that the GPO has been encouraging large
numbers of people to use seems more than excessive. For whatever
reason they were not adequately prepared for "a significant hardware
failure" on this service.

Incidentally, this is one of the reasons I am very keen on
virtualization. Moving a VMware image (or whatever competitor you
prefer) to new hardware is a lot less complicated than moving physical