Educause Security Discussion mailing list archives
Re: Windows Awareness Question
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 27 Feb 2004 10:50:40 -0500
James Moore wrote:
During times of high worm activity (like now, and probably ...), I have had several reports of systems being compromised before they had finished windows update. On campus we can use a SUS server to speed things up, but we have a large portion of our faculty and staff with home systems, and internet connections. What bothers me about the MS solution is that it allows a window of time for compromise, and I am not sure that window is short enough.
That is why the first recommendation is to turn a firewall on before connecting to the network. XP and 2003 come with one. The RPC stuff doesn't affect 9x/ME and if it's a new system, the entire hard drive isn't shared through netbios :) That leaves Windows 2000.

The Windows 2000 "firewall" we offer is just a set of scripts that use the Microsoft IPSEC command line tools to configure IPSEC to block incoming HTTP, RPC, Netbios, and similar services. No cost. They're wrapped in an HTA to make an easy web GUI environment for users. I'm planning to make it more versatile as part of the StartSafe effort but just put that out there in its most simple form so users have the ability to protect themselves on startup. Once they get the patches, they can disable it if they want to run file sharing or a web server. It's a single mouse click to enable or disable it.

Both the w2k IPSEC based solution and the present XP firewall suffer from a 10 second window of opportunity as the computer comes up. The XPsp2 firewall is not supposed to suffer from this problem.

It's here if you want it:

Self-extracting executable: http://www.jmu.edu/computing/security/info/firewall2000.exe
Zip: http://www.jmu.edu/computing/security/info/fw2000.zip

BTW - There is a similar StartSafe component with a similar user interface to set a computer up to use SUS at:

http://www.jmu.edu/computing/security/sus/sus.hta

Again, it's easy-on, easy-off for a user not in a domain where you could do it with policy. The scripts associated with it are in the same directory and freely downloadable if you follow the path inside the script. I'll zip up the set if enough people are interested. If I'm doing something gross in the code, let me know. I'm learning.

The idea is to create a single StartSafe app with scripts to turn on SUS, the firewall, check AV, turn on auditing, check admin password, check for latest MS update, check for and remove virus of the week, etc. Like the CIS benchmarks but all in script so it's easy to customize according to site and policy, update according to new threats and policies, and in HTA so all the code resides on a central server where it can be maintained and provide the user with a familiar browser interface.

I'm just now trying to figure out how to modularize it for best customization capability so if anyone has any ideas, I'm all ears. I'm thinking it will have two options at startup:

1) Make my computer safe where everything is just done but with a backout option of course.
2) Show me how to make my computer safe which will guide them step by step with a little more custom configuration capabilities in things like the firewall configuration.
3) Maybe an advanced option that will do things like save file fingerprints, running processes with open network connections, startup programs, etc. Will store it locally with an option to store it on a central database for later comparison.

If anyone complains about using HTA and IE as the interface, I'll just respond that it's on everyone's computer anyway and we may as well make it work for us instead of against us. :)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
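Added example, not part of the original message and not the JMU scripts: a batch file showing how an easy-on, easy-off IPsec block policy of the kind described above can be built. It assumes the "Microsoft IPSEC command line tools" are ipsecpol.exe from the Windows 2000 Resource Kit; the policy name and the exact port list are illustrative choices, not taken from the post.

```bat
@echo off
rem Added example: toggle an inbound-block IPsec policy on Windows 2000.
rem Assumption: ipsecpol.exe (Windows 2000 Resource Kit) is on the PATH.
rem The policy name and port list below are illustrative, not from the post.
setlocal
set POLICY=Startup Inbound Block

if /i "%~1"=="on"  goto on
if /i "%~1"=="off" goto off
echo Usage: %~nx0 on^|off
exit /b 1

:on
rem Remove any earlier copy of the policy so repeated runs do not stack rules.
ipsecpol -w REG -p "%POLICY%" -o >nul 2>&1

rem Filter syntax is source=destination:port:protocol.
rem "*" means any address and "0" means this computer, so "*=0:135:TCP"
rem matches inbound TCP 135 from anywhere. -n BLOCK drops matching traffic.
rem Ports: HTTP 80, RPC 135, NetBIOS 137-139, SMB 445.
for %%F in (80:TCP 135:TCP 135:UDP 137:UDP 138:UDP 139:TCP 445:TCP 445:UDP) do (
    ipsecpol -w REG -p "%POLICY%" -r "Block inbound %%F" -f *=0:%%F -n BLOCK
)

rem -x assigns (activates) the stored policy.
ipsecpol -w REG -p "%POLICY%" -x
echo Policy "%POLICY%" assigned.
exit /b 0

:off
rem -y unassigns the policy but leaves it stored, so "on" can rebuild it later.
ipsecpol -w REG -p "%POLICY%" -y
echo Policy "%POLICY%" unassigned.
exit /b 0
```

Because the policy is applied by the IPsec policy agent after boot, it does not close the roughly 10 second startup window the message mentions.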