Educause Security Discussion mailing list archives

Re: Compromised Windows Machine Remediation


From: Theresa Semmens <Theresa.Semmens () NDSU NODAK EDU>
Date: Wed, 6 Oct 2004 12:05:52 -0500

At NDSU, we adopted a "two strikes" policy.  When a student-owned machine
becomes infected or compromised, we allow the student to attempt to clean
and patch the machine. The helpdesk is available to give advice and how-to
points.  Once the student has done this, we re-instate them on the network.
If they become blocked a second time within 96 hours of being reinstated,
they must take the machine to a commercial establishment and bring the
receipt to the help desk before we will re-instate them on the network a
second time.  So far, it has worked quite well.  Our only problem is with
those establishments who only run a virus scan on the machines and do not
check for evidence of compromise. 

Theresa Semmens, CISA
NDSU IT Security Officer
North Dakota State University
Fargo, ND 58101
701.231.5870
Theresa.Semmens () ndsu nodak edu

Less than 6 seconds 
The time it takes to compromise a PC, according to Vincent Weafer, the
senior director of security response at Symantec Corp. 
Source: The Age 



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Wiseman
Sent: Wednesday, October 06, 2004 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Compromised Windows Machine Remediation


Hello,

I am interested in hearing about experiences with 'cleaning' user-owned and
managed computers. When a student laptop/desktop has been blocked from the
network due to infection, what do they do? Do institutions provide a help
desk environment where the work is done? Or do they provide resources for
the student for 'self-help'? Is the student on their own to resolve the
problems? Is anyone using 'fee-for-service'? If so, what is the user
guaranteed to receive?

All of the above are used to some extent by departments here. This
September, staff have been overloaded with repairing laptops. Also, with the
implementation of network registration and patch status checking, sometimes
the testing involved will fail on machines that are badly infected and we
want to direct the users appropriately.

Thanks,

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
