Educause Security Discussion mailing list archives
Re: FW: Residence Hall Virus Solutions
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 28 Aug 2003 10:04:37 -0500
I hate it when I reread something a couple of times, and after I send it I see a significant error.

In #1, the NAV client we put on the Security CD is set to automatically get new patterns, I think every two days, from Norton. As far as I know, the net.cfg has nothing to do with it.

In #3, computers infected with Nachi/Welchia would NOT be seen as vulnerable to RPC DCOM in our scan and so would NOT be sent to the fix page. The fix page, by the way, also patches for Webdav (that is, both MS03-007 and MS03-026 are applied).

Let me also say, as our colleague Jeff Schiller said on CNN: this stuff is getting old very quickly.

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research (http://cacr.iu.edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Bruhn, Mark S.
Sent: Thursday, August 28, 2003 9:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FW: Residence Hall Virus Solutions

I've noted that several of these are being done successfully elsewhere as well -- if there are other things people can add to this list, or good improvements to suggest for these, that would be outstanding:

1) we create a quarterly security CD, which contains NAV** and current (as of then) virus definitions, service packs, patches, ssh client, and other things. The net.cfg on this CD also configs the device to automatically get new virus definitions periodically. Students get this in their technology bag during move-in, and they can also buy it at any time from the Bookstore for $5. (But, we'd give it to a student free, if one asked any of us for it.)

2) this year we also created a "Run This CD First" CD. It automatically runs worm cleaner tools and applies missing patches. It also activates the XP firewall and blocks port 135. This CD is being handed to every student who moves into a dorm room, when they get their technology move in bag.

3) we've been registering student MAC addresses for several years. Students who plug their computers into ResNet have been redirected to a registration web page. (We do not use Regnet.) We added a scan to that process, and student machines found vulnerable to RPC DCOM are re-directed to a fix page before the registration page, that essentially does the same stuff as the "Run This CD First" CD, except it doesn't activate the firewall. We're expiring all registrations that were done before this new scan process was added, so those students have to re-register. Problem with this scan is that Nachi/Welchia patches the RPC DCOM vulnerability...so they could be infected and would be sent to the patch page. But, see #5.

4) we've had a hang-tag service program in residence halls for years also -- when students get their technology move in bag, they get a red hang tag. If they have technical trouble, they hang this on their door. We have a gang of student consultants assigned to various dorms, and they walk the halls periodically looking for these tags. They help the student with whatever their problem is, and at the same time make sure the student has executed the security CD. I shadowed one of these teams for a while yesterday, and this works very well.

5) we analyze netflow data for worm infections on Resnet and Greeknet, and an automatic report is generated daily and sent to our incident response team (part of my office). They use the student registration data to contact the student associated with the devices listed, and send them to the fix page. Given the things above, we've seen very few infections, with about 2/3 of the students moved in thus far.

6) we run daily vulnerability scans on Resnet and Greeknet, the results of which are also sent to our response team. They notify students who are vulnerable to RPC DCOM. We've had very few of these also.

7) we are filtering several protocols between ResNet and Greeknet and the rest of campus.

All of this is accomplished through a fairly broad partnership, generally coordinated by me, between my offices (ITPO and ITSO), network operations, residence hall IT services, the computer support center, and our messaging team (which manages email and dhcp processes). And, we've augmented our normal response team with a few volunteers from the IT computing department -- these people interact (mostly via email) with students and others who have had their devices blocked, or who have been told they have something they need to fix.

Have I said here before that partnerships are critical? :)

**We renewed our NAV license under a consortium agreement within the CIC. We didn't pay as much as Tammy indicated. But, I can't say the exact amount. But, consider how many desktops we could offer up, in the Big Ten+Univ. of Chicago, even if only a few of us took advantage of the terms. And I think at least 7 campuses did. Campuses in a region (or in a conference, if it isn't only an athletic one) should be ganging up on some of these vendors.

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research (http://cacr.iu.edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Helms, Sandra [mailto:SANDY () BUMAIL BRADLEY EDU]
Sent: Wednesday, August 27, 2003 5:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FW: Residence Hall Virus Solutions

Hi there - I am interested in quick summaries of how people are handling students bringing computers back to school with no virus protection. We do not have a policy in place to require virus protection software. Thank you very much.

Sandra J. Helms
Director of Academic Computing
Bradley University
1501 W. Bradley Avenue
Peoria, IL 61625
309.677.2808
sandy () bradley edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
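
Added example, not part of the original messages and not Indiana University's tooling: a sketch of the daily report described in item 5, flagging hosts by scanning behavior on TCP port 135 and joining them to registration data, which still catches machines that a vulnerability scan no longer sees as exposed. The flow record layout, the fan-out threshold of 20, the addresses and the user names are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (src IP, dst IP, protocol, dst port); not real data.
FLOWS = (
    [("10.10.1.23", f"10.20.0.{i}", "tcp", 135) for i in range(1, 41)]
    + [("10.10.7.99", f"10.20.1.{i}", "tcp", 135) for i in range(1, 26)]
    # Repeated connections to one server on 135: not a sweep.
    + [("10.10.2.5", "10.20.0.9", "tcp", 135)] * 2
    # Wide fan-out on port 80 is ordinary browsing and is ignored.
    + [("10.10.2.5", f"10.30.0.{i}", "tcp", 80) for i in range(1, 31)]
)

# Constructed registration data, keyed by current IP (assumed layout).
REGISTRATIONS = {
    "10.10.1.23": {"mac": "00:00:5e:00:53:01", "user": "student_a"},
    "10.10.2.5": {"mac": "00:00:5e:00:53:02", "user": "student_b"},
}

def worm_suspects(flows, port=135, threshold=20):
    """Return {src: distinct destinations} for sources sweeping tcp/<port>."""
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == port:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}

def daily_report(flows, registrations, threshold=20):
    """Join suspects to registration data; unregistered devices are kept."""
    rows = []
    for src, fanout in sorted(worm_suspects(flows, threshold=threshold).items()):
        owner = registrations.get(src, {})
        rows.append({
            "ip": src,
            "fanout": fanout,
            "mac": owner.get("mac"),
            "contact": owner.get("user", "UNREGISTERED"),
        })
    return rows

if __name__ == "__main__":
    for row in daily_report(FLOWS, REGISTRATIONS):
        print(row)
```

Counting distinct destinations rather than raw flows keeps a client that talks repeatedly to one server on port 135 out of the report, and devices with no registration entry are listed rather than dropped so the response team can still block them.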