Troubleshooting Workstation Security


If all your clients saw the value in spending money on security proactively rather than reactively, this chapter could end here. The reality is much different. Even if your clients have a managed and controlled network, they will probably not have a well-functioning machine at home unless they take the same steps there: ensuring that antivirus, patching, and antispyware are in place, and restricting uneducated end users from running as administrator. The reality is that, more often than not, you will be asked about an ill-running machine or one inundated with pop-ups.

A workstation or standalone computer that is virus- and spyware-infected is typically an ill-running machine that just doesn't act as "peppy" as it once did. The infection can also show up in the router's log as unusual traffic patterns and activity. After you identify a machine, or a server for that matter, that has been infected and is possibly no longer under your control, your first plan of attack should be to remove that computer from the network and isolate it, so that you limit the risk of exposure. Again, remember the illness analogy: if you have an extremely sick, infectious patient, you remove and quarantine the patient during treatment. For a workstation, merely unplug the network connection from the back of the workstation. If you suspect the server, merely unplug the RJ45 network connection from the wall.
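The router-log signal mentioned above, as an added example that is not from the book: a small Python script that parses connection-log lines (the line format and the sample addresses are constructed assumptions, not any particular router's output) and flags a workstation that suddenly talks to an unusual number of distinct destinations in a short window, the fan-out pattern that a worm or a spam bot leaves behind on a small office network.

```python
"""Flag 'noisy' hosts in a router/firewall connection log.

Constructed example, not from the book. Log lines are assumed to look like
    <ISO timestamp> SRC=<ip> DST=<ip> DPT=<port> PROTO=<tcp|udp>
one line per outbound connection attempt, the kind of record a small
office router can be configured to write.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"DPT=(?P<dpt>\d+) PROTO=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def noisy_hosts(lines, window=timedelta(minutes=5), max_peers=20):
    """Return {src: (distinct_destinations, busiest_port)} for every source
    host that reaches more than max_peers distinct destinations inside any
    sliding time window of the given length."""
    events = sorted(e for e in map(parse_line, lines) if e)
    by_src = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_src[src].append((ts, dst, dpt))
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            peers = {dst for _, dst, _ in window_evs}
            if len(peers) > max_peers:
                ports = defaultdict(int)
                for _, _, dpt in window_evs:
                    ports[dpt] += 1
                busiest_port = max(ports, key=ports.get)
                prev = flagged.get(src)
                if prev is None or len(peers) > prev[0]:
                    flagged[src] = (len(peers), busiest_port)
    return flagged


def sample_log():
    """Constructed sample: one quiet workstation browsing a few web servers,
    and one that fans out to 60 addresses on TCP/25 within two minutes."""
    base = datetime(2005, 3, 14, 9, 0, 0)
    lines = []
    for i in range(5):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} SRC=192.168.16.10 DST=10.0.0.{i + 1} DPT=80 PROTO=tcp")
    for i in range(60):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} SRC=192.168.16.42 DST=203.0.113.{i + 1} DPT=25 PROTO=tcp")
    lines.append("this line is deliberately unparseable")
    return lines


if __name__ == "__main__":
    for host, (peers, port) in noisy_hosts(sample_log()).items():
        print(f"{host}: {peers} distinct destinations, mostly port {port}")
```

The threshold and window are deliberately parameters: a mail server legitimately fans out on port 25, so tune `max_peers` per host role rather than applying one number to the whole network, and treat a hit as a reason to pull the cable and look at the machine, not as proof of infection by itself.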

The typical security consultant keeps a jump bag or toolkit of security tools to help deal with desktop issues. Recently, a post to the incidents.org website listed one consultant's recommended jump bag. Consider building one of your own for the tools you regularly use to clean or deploy workstations. Many, if not all, of the tools on this list are freely available on the Web, and the links for each can be found in Appendix A, "SBS Resources." Build your own CD-ROM or USB thumbdrive toolkit and always keep a copy of the latest signature (.dat) files on that thumbdrive so that you can easily scan an infected machine. Table 10.8 lists some possible items for your security toolkit.

Table 10.8. Security Toolkit

Antivirus Tools

  • McAfee Stinger (updated routinely)
  • Symantec AV Corporate Edition (your antivirus solution)
  • Microsoft Malware Removal Tool (released monthly)
  • Current Symantec AV Intelligent Updater

Response Kit

  • NetCat (available now at SecurityFocus)
  • SysInternals AccessEnum
  • SysInternals AutoRuns
  • SysInternals Contig
  • SysInternals DiskView
  • SysInternals FileMon
  • SysInternals ListDLLs
  • SysInternals PageDefrag
  • SysInternals Process Explorer
  • SysInternals PsTools
  • SysInternals RegMon
  • SysInternals RootkitRevealer
  • SysInternals SDelete
  • SysInternals ShareEnum
  • SysInternals Sync
  • SysInternals TCPView
  • SysInternals miscellaneous tools
  • Heysoft LADS
  • myNetWatchman SecCheck
  • Inetcat.org NBTScan
  • FoundStone BinText
  • FoundStone Forensic Toolkit
  • FoundStone Fport
  • FoundStone Galleta
  • FoundStone Pasco
  • FoundStone Rifiuti
  • FoundStone Vision
  • FoundStone ShoWin
  • FoundStone SuperScan
  • WinDump
  • Nmap
  • Tigerteam.se SBD (encrypted netcat)
  • GNU-based unxutils (from unixutils.sourceforge.net)
  • Good copies of Windows binaries (netstat, cmd, ipconfig, nbtstat)

Spyware Tools

  • AdAware (updated defs in same directory)
  • CWShredder
  • HijackThis
  • MS AntiSpyware Beta
  • Spybot Search and Destroy (updated defs in same directory)
  • BHO Demon

Security Tools (this is my usual place to dump the .zip or .exe installers)

  • Heysoft LADS (list alternate data streams)
  • Inetcat.org NBTScan
  • MS Baseline Security Analyzer
  • MS IIS Lockdown Tool
  • Sam Spade
  • SSH client (SSH.com or PuTTY)
  • SysInternals tools
  • Foundstone tools
  • BlackIce PC Protection
  • Kerio Personal Firewall
  • Zone Alarm Personal Firewall
  • WinPcap
  • WinDump
  • Ethereal installer
  • Nmap for Windows (client version)

Utilities

  • Adobe Acrobat Reader installer
  • CPU-Z
  • Firefox installer
  • Macromedia Flash and Shockwave installers
  • QuickTime standalone installer
  • VNC installer
  • WinZip ISCAlert installer

Service Packs (on a second CD)

  • Windows XP SP2
  • Windows 2000 SP4 (+rpc/lsass critical patches or SRP when released)
  • Windows 2003 Server SP1


To this list you could add the Administrator's NT password reset disk information located at http://home.eunet.no/~pnordahl/ntpasswd/ and WinPE or Bart's PE (http://www.nu2.nu/pebuilder/). PEs are preinstallation or maintenance operating systems that let the technician boot from a known-clean operating system while still having the tools to clean and disinfect the installed system safely. You can even have a bootable USB thumbdrive that can reset the local administrator's password, but don't forget that for devices still joined to the network, all you need to do is go to the user menu on the console and reset the password.

If you have a severely impacted machine, the only way you may be able to clean and clear severe malware is one of three methods:

  • Boot from safe mode and use antispyware tools to remove the unwanted software.

  • Boot with WinPE or Bart's PE. Keep in mind that for many small business consultants who are not system builders, you will not have access to Microsoft's WinPE and will have to rely on Bart's PE.

  • Remove the hard drive from the machine, attach it as a slave drive on another segregated test machine, and use antivirus/spyware to scan the drive.
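Two of the steps above come down to the same check: confirming that the binaries on your jump bag are still the copies you burned (and that the signature .dat files have not gone stale), and, once a suspect drive is slaved into a clean test machine, comparing its Windows binaries against a baseline taken from a known-good install. The following is an added example, not code from the book or from any of the listed tools; the directory layout, file names and the manifest format are assumptions of the example, and the demo builds its own throwaway tree so it runs offline.

```python
"""Verify a file tree against a SHA-256 manifest, fully offline.

Added example, not from the book. build_manifest() is run once against a
known-good tree (the freshly burned toolkit, or a clean Windows install);
verify_tree() is later run against the same paths on the toolkit or on a
slaved drive mounted at `root`. stale_signatures() catches a jump bag whose
antivirus .dat files are too old to be useful.
"""
import hashlib
import os
import tempfile
import time


def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _relpath(full, root):
    # Forward slashes so a manifest built on one platform verifies on another.
    return os.path.relpath(full, root).replace(os.sep, "/")


def build_manifest(root):
    """Map each relative path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[_relpath(full, root)] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Compare the tree under root with manifest.
    Returns sorted lists of 'modified', 'missing' and 'unexpected' paths."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def stale_signatures(root, suffix=".dat", max_age_days=7, now=None):
    """List signature files under root whose mtime is older than max_age_days."""
    now = time.time() if now is None else now
    stale = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffix):
                full = os.path.join(dirpath, name)
                if (now - os.path.getmtime(full)) / 86400 > max_age_days:
                    stale.append(_relpath(full, root))
    return sorted(stale)


def demo():
    """Constructed scenario (hypothetical file names): take a baseline, then
    tamper with one binary, delete another, drop in an extra file, and age
    the signature file by 30 days. Returns the combined report."""
    with tempfile.TemporaryDirectory() as root:
        bins = os.path.join(root, "bin")
        os.makedirs(bins)
        for name, content in [("netstat.exe", b"good netstat"),
                              ("cmd.exe", b"good cmd"),
                              ("ipconfig.exe", b"good ipconfig")]:
            with open(os.path.join(bins, name), "wb") as f:
                f.write(content)
        dat = os.path.join(root, "sigs.dat")
        with open(dat, "wb") as f:
            f.write(b"signature data")
        baseline = build_manifest(root)

        with open(os.path.join(bins, "cmd.exe"), "wb") as f:
            f.write(b"replaced cmd")
        os.remove(os.path.join(bins, "ipconfig.exe"))
        with open(os.path.join(bins, "unknown.exe"), "wb") as f:
            f.write(b"file that was never in the baseline")
        old = time.time() - 30 * 86400
        os.utime(dat, (old, old))

        report = verify_tree(root, baseline)
        report["stale_signatures"] = stale_signatures(root)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Keep the manifest itself off the media being checked (print it, or store it on the clean test machine), and run the check from the known-good binaries on the jump bag rather than from anything on the suspect drive; a manifest that lives next to the files it describes can be rewritten along with them.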

Even after these three methods have been used, there will be situations where you cannot trust the system anymore. Especially in an office setting, you have to ask yourself: can you trust this system?

Best Practice: Flattening the Machine

There comes a point at which you must ask yourself and the business owner, "How much time am I taking to clean this up?" versus "How much time will it take to rebuild this?" If the reason you are spending so much time cleaning the workstation is that there is key data on that machine, you should have proactively fixed that problem first. There's no reason a workstation should hold key data with no backup. You should have no hesitation about rebuilding a workstation. If you do, you have a bigger problem.


In most cases, security intrusions occur when the system is not properly maintained. The typical way that rootkits and other extreme forms of malware enter a system is through a weakness. Weak passwords, missing patches, misconfiguration: all these are chinks in your armor that could allow something to occur. If you suspect that a real intrusion has occurred, and you are not in an industry that requires a regulatory investigation, your best method to determine whether something truly has occurred is to contact Microsoft Product Support Services (PSS) and request a security investigation. This investigation may use tools from PSS that perform an online analysis of your system. The goal of the analysis is to give you recommendations and guidance for preventing the issues in the future. Keep in mind that the recommended way to recover from an intrusion is to format the system, reinstall it from known-good CD-ROM media, install all security patches, and then and only then reattach it to the network. More on this is discussed at http://www.cert.org/nav/recovering.html.


Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253