
CPU Monitoring Notifications are not configured with threshold and action.


Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-18713 | EMG2-807 Exch2K3 | SV-20367r1_rule | ECSC-1 | Medium |
Description
Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts when thresholds are reached, so that they can react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on CPU utilization. A good rule of thumb (default) is to issue warnings when CPU utilization exceeds 70% for a duration of 10 minutes and critical messages when it exceeds 80% for a duration of 10 minutes, conditions that should occur only occasionally. Frequent alerts against this counter may indicate that additional capacity is needed, or point to a network or other issue (such as inbound spammer traffic) that directly impacts E-mail delivery. CPU availability should be monitored. If the server were ever to exceed the maximum CPU threshold, the server could effectively experience a denial of service (DoS) condition. Notification choices include an E-mail alert to an E-mail enabled account (for example, an E-mail Administrator) or invoking a script to take other action (for example, adding an event to the Microsoft Application Event Log, where external monitors might detect it).

| STIG | Date |
|---|---|
| Microsoft Exchange Server 2003 | 2014-08-19 |

Details

Check Text ( C-22431r1_chk )
If CPU monitoring is performed via a third party tool as part of an overall data center monitoring strategy, then this check is N/A.

Review CPU utilization monitoring and notification.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> CPU Utilization Threshold >> Details button

"Warning" should be set (for a sustained duration of 10 minutes) at a value not greater than 80%. "Critical" should be set at a value not greater than 90%. At minimum, actions should E-mail an on-call Exchange administrator or Incident Response administrator.

Criteria: If CPU utilization monitoring "Warning" is set to (for a sustained duration of 10 minutes) 80% or less and "Critical" is set to 90% or less, with alert E-mail sent to an administrator, this is not a finding.
Fix Text (F-19359r1_fix)
Ensure that CPU utilization monitoring and notification is enabled.
Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring Tab >> CPU Utilization Threshold >> Details button

1) Add the monitor, if needed:
Click ADD, select CPU Utilization Threshold.

2) Set the duration, warning and critical thresholds:
Set (for a sustained duration of 10 minutes) Warning value not greater than 80% and Critical value not greater than 90%.

3) Create the notifications:
Exchange System Manager >> Tools >> Monitoring and Status >> Notifications:
Declare notifications and communication methods as required by local organization policy. At minimum, alert an on-call Exchange Administrator or Incident Response Administrator.