Which of the following practices should not be performed by the system administrator during first response?


Directly powering down the computing systems during an ongoing attack is the practice a system administrator should not perform during the first response phase. When an attack is detected, the primary goal is to preserve evidence and understand how the attack is unfolding, which is crucial for incident response and for future prevention. Powering down a system loses volatile data that may be critical to investigating the breach, such as running processes, active network connections, memory contents, and other state information that exists only while the system is running.

In contrast, isolating affected systems from the network is a standard practice to prevent the attack from spreading. Documenting user activity helps in understanding the timeline and actions taken during the incident, while maintaining a record of system configurations assists in evaluating the system's state before the incident and aids in recovery efforts. All of these practices support a systematic approach to incident handling, focusing on preserving evidence and system integrity while mitigating damage.
