This came out of a discussion on the NLUG list about making sure that Windows boxes are not infected with malware. It goes beyond that question and looks at what technologies are out there to protect and monitor your machines. It is somewhat Windows-centered, but the concepts are the same for any OS (OS X, Linux, *BSD, etc.). I'll throw in here my regular comment about OS security: all operating systems have bugs. Some have fewer than others, but any OS must be regularly patched or you will be vulnerable.
This is aimed toward the business market but many of the concepts still hold true for the home user.
How do I know that my computers are “safe”?
Defense in depth is key to securing a single PC or a complex network. This article reviews several individual elements that together produce multiple layers of security, so that whatever one layer misses has a chance of being caught by the next.
On the computer itself:
- CRITICAL: An antivirus package that can be remotely managed. Your end users will not consistently tell you when the AV warns them that a virus was found, or that an error condition such as a signature update failure has occurred. It is nice to be able to review a single screen or report that covers all your machines. The second half of this is that you have to do something when errors are reported. That might be as simple as acknowledging that a virus was stopped, or it might mean rebuilding a machine that the AV can't clean.
- CRITICAL: An anti-spyware package that can be run manually to pick up things the AV missed. You may need multiple anti-spyware packages to get everything, because the definition of spyware varies somewhat from vendor to vendor. Many AV packages will tag the worst spyware offenders, but a dedicated package will almost certainly find more of the gray-ware that traditional AV companies don't want to block for liability reasons.
- CRITICAL: No one, including admins, gets to log in with admin/root permissions for day-to-day work. Period. End of discussion. Seriously, no one. It is a little inconvenient, but this will go a long way toward keeping your systems clean: malware that lands in a standard user's session cannot install drivers, services or system-wide hooks. Under Windows, runas lets most admin functions be handled from a standard account with minimal inconvenience.
- VERY IMPORTANT: Turn on a host firewall. This limits the damage that hosts inside the protected network can do to each other. Make sure you open the ports that need to be open for your management software and any legitimate peer traffic between systems. I use the built-in Windows firewall for basic protection. Central reporting of host firewall logs would be nice here too, but that requires a fairly complex log aggregation package, and my gut feeling is that if you are large enough to need one you have too many PCs for it to scale down to the desktops. But it's out there. For portable machines, which regularly leave the perimeter, the host firewall is critical.
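The following script is an added example (not code from the original article) covering the two bullets above on a Windows 10 / Server 2016+ workstation: it reports whether the console user is a direct member of the local Administrators group, then turns the built-in firewall on for every profile with default deny inbound, logging of dropped packets, and a single management rule. The management server address (10.0.0.5), the WinRM port (TCP/5985) and the `runas` account name are assumptions; the cmdlets are the standard LocalAccounts and NetSecurity ones.

```powershell
# Added example (not from the original article): workstation baseline check.
# Assumptions: LocalAccounts and NetSecurity modules present, management host is
# 10.0.0.5 (placeholder), WinRM on TCP/5985 is the management channel.
# Run it elevated from a standard-user desktop via runas instead of logging in as admin:
#   runas /user:CORP\jsmith-admin "powershell.exe -ExecutionPolicy Bypass -File C:\tools\baseline.ps1"
#Requires -RunAsAdministrator

$mgmtServer = '10.0.0.5'   # hypothetical management host

# --- 1. Least privilege: who is logged on at the console, and are they an admin? ---
# Win32_ComputerSystem.UserName is the interactive (console) user, not the account
# this elevated script happens to run under.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
try {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                Select-Object -ExpandProperty Name)
} catch {
    Write-Warning "Could not enumerate Administrators (orphaned SID in the group?): $_"
    $admins = @()
}
Write-Host "Local Administrators: $($admins -join ', ')"
# Only direct membership is checked; a user who is an admin through a nested domain
# group (e.g. CORP\Domain Admins) will not be caught by this comparison.
if ($consoleUser -and ($admins -contains $consoleUser)) {
    Write-Warning "$consoleUser is logged on interactively with local admin rights; use a standard account and runas for admin tasks."
} else {
    Write-Host "Console user '$consoleUser' is not a direct member of Administrators."
}

# --- 2. Host firewall: on for every profile, default deny inbound, log what is dropped ---
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Open only what management needs, and only from the management server.
$ruleName = 'Mgmt WinRM from management server'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 5985 -RemoteAddress $mgmtServer -Action Allow -Profile Domain | Out-Null
}

# Review: enabled inbound allow rules that accept connections from any address are
# the ones worth a second look after the defaults are in place.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

The check in step 1 deliberately looks at the console session rather than the script's own token, because when the script is launched through `runas` the elevated account is supposed to be an admin; the thing you want to know is whether the person at the keyboard is doing their daily work as one.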
At the perimeter:
- CRITICAL: A port filtering firewall (a.k.a. an old-fashioned firewall) must be at the perimeter of the network. Review the logs; they can tell you a lot. The firewall should have default deny rules for both ingress and egress. This stops many malicious programs outright and ensures that you get a log entry every time something tries to enter or exit the network on an unexpected port. As an example of a sure sign of a problem, a PC that should send all its mail through your central mail server but suddenly starts spewing SMTP connections (which the egress default deny rule should be blocking) is a bad sign. It's also a bad sign when 20 GB of aggregate traffic per day becomes 30 GB and the extra traffic can't be explained. Really, anything unusual should be considered, if not fully investigated, and anything that does not have a logical explanation should be investigated.
- EXTREMELY IMPORTANT: The traditional firewall is becoming less effective by the day as more malware simply hops across ports looking for one that is open, or uses ports that are almost always open (for example, port 80 for HTTP). An IPS is a nice addition to the firewall, and most modern Unified Threat Management (UTM) packages include at least some IPS functionality. It helps to block exploit attempts that come across a legitimate port and are therefore invisible to a traditional firewall. Don't forget to read the logs. Attacks coming from the outside can usually be ignored as long as they are being blocked, but anything coming from inside is worth investigating, because it means a host behind the firewall is already compromised.
- VERY IMPORTANT: Perimeter AV is available in many if not most modern UTM packages. Why let the virus get all the way to the desktop and hope it gets blocked there? Inline AV can slow down network traffic if the hardware is not sized correctly, so make sure you find a product that can support your current as well as future needs. If at all possible, use an AV package from a different vendor than the one on the desktop. Since AV packages are still reactive (they rely on signatures), this gives you two different vendors and two chances to catch any given new virus.
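The two log checks described in the perimeter firewall bullet (a non-mail-server host attempting SMTP, and an unexplained day-over-day jump in traffic volume) as an added example, not part of the original article. The log lines are constructed to resemble a generic CSV firewall export; the field layout, the central mail server address (10.0.0.25), all other addresses and the byte counts are assumptions, so adapt the column names to whatever your firewall actually exports.

```powershell
# Added example, not part of the original article. Constructed sample log lines;
# the CSV layout, addresses and byte counts are assumptions.
$log = @'
date,action,src,dst,proto,dport,bytes
2024-02-29,allow,10.0.0.25,203.0.113.10,tcp,25,1200
2024-02-29,allow,10.0.1.14,198.51.100.7,tcp,443,12000000000
2024-02-29,allow,10.0.1.30,198.51.100.9,tcp,80,8000000000
2024-03-01,allow,10.0.0.25,203.0.113.11,tcp,25,1500
2024-03-01,allow,10.0.1.14,198.51.100.7,tcp,443,22000000000
2024-03-01,allow,10.0.1.30,198.51.100.9,tcp,80,8000000000
2024-03-01,deny,10.0.1.14,203.0.113.22,tcp,25,60
2024-03-01,deny,10.0.1.14,203.0.113.23,tcp,25,60
2024-03-01,deny,10.0.1.14,203.0.113.24,tcp,25,60
2024-03-01,deny,10.0.1.14,203.0.113.25,tcp,25,60
'@
$entries    = @($log | ConvertFrom-Csv)
$mailServer = '10.0.0.25'   # the only host that should talk SMTP outbound (assumed)

# --- Check 1: any host other than the mail server trying to send SMTP ---
# With egress default deny these show up as 'deny' lines, but match on port and
# source rather than on action so that an overly permissive rule is caught as well.
$rogueSmtp = $entries |
    Where-Object { $_.proto -eq 'tcp' -and $_.dport -eq '25' -and $_.src -ne $mailServer } |
    Group-Object -Property src
foreach ($g in $rogueSmtp) {
    $targets = @($g.Group.dst | Sort-Object -Unique).Count
    Write-Warning ("{0} attempted SMTP to {1} distinct hosts ({2} connections) instead of going through {3}" -f $g.Name, $targets, $g.Count, $mailServer)
}

# --- Check 2: day-over-day jump in permitted traffic volume ---
$threshold = 1.25   # flag a day that exceeds the previous day by more than 25%
$daily = @($entries | Where-Object { $_.action -eq 'allow' } |
    Group-Object -Property date | Sort-Object -Property Name |
    ForEach-Object {
        # bytes arrive as strings from ConvertFrom-Csv, so cast before summing
        $sum = ($_.Group | ForEach-Object { [double]$_.bytes } | Measure-Object -Sum).Sum
        [pscustomobject]@{ date = $_.Name; gb = [math]::Round($sum / 1e9, 1) }
    })
$daily | Format-Table -AutoSize
for ($i = 1; $i -lt $daily.Count; $i++) {
    $prev = $daily[$i - 1].gb
    $cur  = $daily[$i].gb
    if ($prev -gt 0 -and $cur -gt $prev * $threshold) {
        Write-Warning ("{0}: {1} GB vs {2} GB the day before (+{3:P0}); find the explanation or investigate" -f $daily[$i].date, $cur, $prev, (($cur - $prev) / $prev))
    }
}
```

On the sample data, check 1 flags 10.0.1.14 for four SMTP attempts to four distinct hosts, and check 2 flags 2024-03-01 at 30.0 GB against 20.0 GB the day before. A real deployment would compare against a rolling baseline of several days rather than just the previous day, so a single quiet day does not make the next normal day look like a spike.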
Slightly behind the perimeter:
- IMPORTANT: An IDS is crucial if you are really worried about detecting what everything else missed. The IDS won't stop anything, but it should let you see things missed by everything else and find hosts that are already infected. Use an IDS product that is not part of your firewall/IPS/UTM stack; that way you have a better chance of catching what they missed. Since the IDS does not actually block anything, you can also turn up the detection a little more, as long as you don't start getting too many false positives. Tuning is the bane of most IDS deployments.
- NICE TO HAVE: Segmenting your internal network adds a level of security. By segmenting the network and putting restrictive firewalls between subnets, you ensure that one infected machine is limited in the damage it can do to other machines on the network. The network can be segmented at a number of different levels. First, and really critical, all of your publicly (WAN) accessible servers need to be in a separate DMZ network. Then you can start considering how to carve up the network beyond that. Moving the servers to their own subnet with a restrictive firewall between the servers and the PCs is a good first step. In a Windows Active Directory environment you will want to investigate forcing RPC onto a limited number of ports before doing this, or you will break your AD: domain controllers answer many client and replication requests over RPC on dynamically assigned high ports, so a firewall that only passes the well-known AD ports will block them. In a larger organization you may want to start separating departments into their own subnets. The balancing act is to add subnets as long as each one adds security, and to stop before you are simply adding complexity.
- NICE TO HAVE: Adding a log aggregation server that collects your security logs helps give you an overall view of what attacks are going on in your network. Much like IDS, the downside is that you can easily get flooded with data.
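The Active Directory caveat in the segmentation bullet above, worked through as an added example that is not part of the original article: pinning the RPC ports a domain controller uses so that the firewall between the PC subnet and the server subnet can be written with fixed ports. The registry values are Microsoft's documented ones for AD replication, Netlogon and the RPC dynamic port range; the specific port numbers chosen (38901, 38902 and the 5000-5100 range) are assumptions and can be changed, as long as the same values are applied on every DC.

```powershell
# Added example, not from the original article. Port numbers are assumptions;
# the registry paths and value names are Microsoft's documented ones.
# Run on every DC as an administrator, apply identical values on all DCs, reboot.
#Requires -RunAsAdministrator

$ntdsPort     = 38901         # AD replication (NTDS)
$netlogonPort = 38902         # Netlogon (secure channel, trusts)
$rpcRange     = '5000-5100'   # everything else that asks the endpoint mapper for a port;
                              # keep it at least 100 ports wide and clear of the two above

$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$rpc      = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

Set-ItemProperty -Path $ntds     -Name 'TCP/IP Port' -Value $ntdsPort     -Type DWord
Set-ItemProperty -Path $netlogon -Name 'DCTcpipPort' -Value $netlogonPort -Type DWord

# Rpc\Internet does not exist by default; creating it with these three values
# restricts the dynamic port range handed out by the RPC endpoint mapper (TCP/135).
if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
Set-ItemProperty -Path $rpc -Name 'Ports'                  -Value @($rpcRange) -Type MultiString
Set-ItemProperty -Path $rpc -Name 'PortsInternalAvailable' -Value 'Y'          -Type String
Set-ItemProperty -Path $rpc -Name 'UseInternetPorts'       -Value 'Y'          -Type String

# What the firewall between the PC subnet and the server subnet now has to pass
# from clients to the DCs (in addition to whatever your applications need).
$required = @(
    [pscustomobject]@{ Proto = 'TCP/UDP'; Port = 53;            Use = 'DNS' }
    [pscustomobject]@{ Proto = 'TCP/UDP'; Port = 88;            Use = 'Kerberos' }
    [pscustomobject]@{ Proto = 'UDP';     Port = 123;           Use = 'NTP' }
    [pscustomobject]@{ Proto = 'TCP';     Port = 135;           Use = 'RPC endpoint mapper' }
    [pscustomobject]@{ Proto = 'TCP/UDP'; Port = 389;           Use = 'LDAP' }
    [pscustomobject]@{ Proto = 'TCP';     Port = 445;           Use = 'SMB (SYSVOL, Group Policy)' }
    [pscustomobject]@{ Proto = 'TCP/UDP'; Port = 464;           Use = 'Kerberos password change' }
    [pscustomobject]@{ Proto = 'TCP';     Port = 636;           Use = 'LDAPS' }
    [pscustomobject]@{ Proto = 'TCP';     Port = 3268;          Use = 'Global Catalog' }
    [pscustomobject]@{ Proto = 'TCP';     Port = $ntdsPort;     Use = 'AD replication (pinned above)' }
    [pscustomobject]@{ Proto = 'TCP';     Port = $netlogonPort; Use = 'Netlogon (pinned above)' }
    [pscustomobject]@{ Proto = 'TCP';     Port = $rpcRange;     Use = 'RPC dynamic range (pinned above)' }
)
$required | Format-Table -AutoSize

# The services only bind to the new ports after a reboot; confirm it then.
Write-Host "After reboot, verify with:"
Write-Host "  Get-NetTCPConnection -State Listen | Where-Object LocalPort -in $ntdsPort, $netlogonPort"
```

Do this on the DCs and test domain logons, Group Policy refresh and replication from a client on the far side of the new firewall before you tighten the rules; the symptom of getting it wrong is slow or failed logons and event log errors from Netlogon and NTDS rather than an obvious "port blocked" message.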
I think this box is infected but I'm not sure by what:
- The safest bet is to format the hard drive and start over, but sometimes that just isn't practical. I have used the Ultimate Boot CD for Windows with some success (and some failures) to get infected boxes cleaned up. The real problem these days is that you never know for sure whether you got everything. Booting from UBCD4WIN means the malware on the infected disk is not running, so it cannot hide its files or processes from the scanner while you try to clean it, and you have a better chance of getting everything. I'll repeat: if possible, nuke the box and start over.