Educause Security Discussion mailing list archives

Re: Windows Awareness Question


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 27 Feb 2004 10:50:40 -0500

James Moore wrote:

During times of high worm activity (like now, and probably ...), I have
had several reports of systems being compromised before they had
finished Windows Update.  On campus we can use a SUS server to speed
things up, but we have a large portion of our faculty and staff with
home systems and internet connections.

What bothers me about the MS solution is that it allows a window of time
for compromise, and I am not sure that window is short enough.

That is why the first recommendation is to turn a firewall
on before connecting to the network. XP and 2003 come with one.
The RPC stuff doesn't affect 9x/ME and if it's a new system, the
entire hard drive isn't shared through NetBIOS :)

That leaves Windows 2000. The Windows 2000 "firewall" we
offer is just a set of scripts that use the Microsoft IPSEC
command line tools to configure IPSEC to block incoming HTTP,
RPC, NetBIOS, and similar services. No cost. They're wrapped in an
HTA to make an easy web GUI environment for users. I'm planning to
make it more versatile as part of the StartSafe effort but just put
that out there in its most simple form so users have the ability to
protect themselves on startup. Once they get the patches, they
can disable it if they want to run file sharing or a web server.
It's a single mouse click to enable or disable it.

Both the w2k IPSEC based solution and the present XP firewall
suffer from a 10 second window of opportunity as the computer
comes up. The XP SP2 firewall is not supposed to suffer from this
problem.

It's here if you want it:

Self-extracting executable:
http://www.jmu.edu/computing/security/info/firewall2000.exe

Zip:
http://www.jmu.edu/computing/security/info/fw2000.zip

BTW - There is a similar StartSafe component with a similar
user interface to set a computer up to use SUS at:

http://www.jmu.edu/computing/security/sus/sus.hta

Again, it's easy-on, easy-off for a user not in a domain
where you could do it with policy.

The scripts associated with it are in the same directory
and freely downloadable if you follow the path inside
the script. I'll zip up the set if enough people are interested.

If I'm doing something gross in the code, let me know. I'm
learning. The idea is to create a single StartSafe app with
scripts to turn on SUS, the firewall, check AV, turn on
auditing, check admin password, check for latest MS update,
check for and remove virus of the week, etc. Like the CIS
benchmarks but all in script so it's easy to customize according
to site and policy, update according to new threats and
policies, and in HTA so all the code resides on a central
server where it can be maintained and provide the user with
a familiar browser interface. I'm just now trying to figure out
how to modularize it for best customization capability so if
anyone has any ideas, I'm all ears. I'm thinking it will have two
options at startup:

1) Make my computer safe where everything is just done
   but with a backout option of course.
2) Show me how to make my computer safe which will guide
   them step by step with a little more custom configuration capabilities
   in things like the firewall configuration.
3) Maybe an advanced option that will do things like save file
   fingerprints, running processes with open network connections,
   startup programs, etc. Will store it locally with an option to store
   it on a central database for later comparison.

If anyone complains about using HTA and IE as the interface,
I'll just respond that it's on everyone's computer anyway and
we may as well make it work for us instead of against us. :)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
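An added example of the pattern Gary describes (scripts driving the Microsoft IPSEC command line tools, wrapped in an HTA with one-click enable/disable); this is constructed here and is not the JMU firewall2000/StartSafe code. It assumes ipsecpol.exe from the Windows 2000 Resource Kit is on the PATH, uses its documented -w/-p/-r/-f/-n/-x/-y/-o switches, and the policy name and port list are made up for the example.

```html
<!-- fw2000-example.hta: constructed example, not the JMU StartSafe HTA -->
<html><head><title>Startup filter (Windows 2000 IPSec)</title>
<HTA:APPLICATION ID="fw2000" APPLICATIONNAME="fw2000" SCROLL="no" SINGLEINSTANCE="yes">
<script language="VBScript">
' Assumes ipsecpol.exe (Windows 2000 Resource Kit) is on the PATH.
Const POLICY = "StartSafe Block Inbound"   ' policy name chosen for this example
' Inbound services named in the message: HTTP, RPC endpoint mapper, NetBIOS, SMB.
' Filter spec "*+0:port:proto" = any source (*) to this host (0), mirrored (+).
Dim ports : ports = Array("80:TCP", "135:TCP", "137:UDP", "138:UDP", "139:TCP", "445:TCP")

Function Run(cmd)
    Dim sh : Set sh = CreateObject("WScript.Shell")
    ' 0 = hidden window, True = wait for exit; returns the process exit code
    Run = sh.Run("cmd /c " & cmd, 0, True)
End Function

Function Quote(s)
    Quote = Chr(34) & s & Chr(34)
End Function

Sub EnableFilter
    Dim i, rc
    For i = 0 To UBound(ports)
        ' -w REG writes a persistent policy; each call adds one BLOCK rule to it
        rc = Run("ipsecpol -w REG -p " & Quote(POLICY) & " -r " & Quote("Block " & ports(i)) & _
                 " -f *+0:" & ports(i) & " -n BLOCK")
        If rc <> 0 Then MsgBox "ipsecpol failed (" & rc & ") on " & ports(i) : Exit Sub
    Next
    ' -x assigns the policy; it stays assigned across reboots, but the IPSec
    ' Policy Agent still takes a few seconds to apply it at boot (the gap noted above)
    Run "ipsecpol -w REG -p " & Quote(POLICY) & " -x"
    status.innerText = "Inbound HTTP/RPC/NetBIOS/SMB blocked. Run Windows Update now."
End Sub

Sub DisableFilter
    ' -y unassigns and -o deletes the policy so file sharing or a web server work again
    Run "ipsecpol -w REG -p " & Quote(POLICY) & " -y"
    Run "ipsecpol -w REG -p " & Quote(POLICY) & " -o"
    status.innerText = "Filter removed."
End Sub
</script></head>
<body>
<button language="VBScript" onclick="EnableFilter">Enable startup filter</button>
<button language="VBScript" onclick="DisableFilter">Disable startup filter</button>
<p id="status">Filter state unknown.</p>
</body></html>
```

Verify the result with `ipsecpol -w REG -p "StartSafe Block Inbound" -l` (or the IPSec MMC snap-in) and a port scan from a second host before trusting it on a freshly installed machine.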