Identifying and Responding to Security Events


As a desktop support technician, you must be ready to identify and respond to security events. One of the most common types of security events you will encounter is a virus attack. Although some viruses cause little harm, some can bring down an entire system or network. In any case, you should be able to identify the signs that a computer has been infected by a virus, the steps to take in removing a virus, and ways to protect a computer or network from such attacks. These topics are discussed in the following sections.

Identifying Attacks

Unfortunately, viruses come in many different forms, with some being more harmful than others. New viruses are introduced daily. It is impossible to know everything about every virus. However, knowing the different categories of viruses and the ways they affect a computer can alert you to the signs that a computer may be infected with one. The three general categories of viruses are

  • Worms

  • Viruses

  • Trojan horses

Worms

A worm is a form of malicious software that makes copies of itself. For example, after the worm is received, it can copy itself from one hard drive to another or spread by attaching itself to email. One of the most common ways of acquiring and spreading a worm is through email attachments. However, with the growing popularity of Internet chat programs, they are also becoming a medium for transferring a worm to other computers. Worms are often referred to as viruses, which are discussed in the next section.

Tip: A worm tends to consume resources. If you see a sudden decrease in computer or network performance, this change could be an indication that the computer or network has been infected with a worm. Worms are also known to delete data.


An example of a worm is W32/KLEZ. This worm was able to replicate itself to network shares, thereby affecting other computers on the network. It also mailed itself to email addresses within the Windows Address Book and other addresses extracted from the user's computer.

Viruses

A virus is a program or malicious code that secretly replicates itself by attaching to a medium such as another program, the boot sector, a partition sector, or a document that contains macros.

Note: Many viruses today are macro viruses. A macro is a piece of code that can be embedded into a document such as an Excel document. A macro virus therefore exists as a macro in a data file.


Trojan Horses

Unlike a virus or worm, a Trojan horse does not replicate or make copies of itself. The main purpose of a Trojan horse is to compromise security, such as by stealing passwords. The Trojan horse tricks users into believing they are doing one thing when, in fact, they are doing something else.

To a user, a Trojan horse is difficult to identify because it may seem to be a legitimate program. However, the program may contain a hidden function designed to compromise security. For example, a user may receive email with a Trojan horse as an attachment. When the user runs what appears to be a legitimate program, a hidden function may steal passwords stored on the computer and email them to another recipient.

A Trojan horse does not cause any harm until the user runs the required program. After the program is run, code is usually added to the computer's startup functions so the virus is loaded each time the computer is restarted.

An example of a Trojan horse virus is BackOrifice. This Trojan horse allowed remote users to connect to a computer with the virus and have complete control over the computer.

Identifying Ways Viruses Affect a Computer

Now that you have a general idea of the different types of viruses, let's look at the ways a virus can affect a computer. Again, knowing the signs to look for can make it much simpler to identify when a computer has acquired a virus.

You may encounter these common signs that a computer is infected with a computer virus:

  • Applications do not function properly.

  • You cannot access your hard drive.

  • New icons appear on the desktop.

  • Unusual error messages appear.

  • Unusual sounds unexpectedly come from your speakers.

  • You experience a decrease in performance.

  • Your computer has an unusually high level of disk drive activity.

  • Data is missing.

  • Your antivirus software is disabled and cannot be restarted.

Note: Some virus symptoms may resemble symptoms produced by Windows itself; for example, you attempt to start Windows but receive an error message that a critical system file is missing. Therefore, some viruses may be more difficult to detect than others.


Protecting Against Virus Attacks

Some viruses cause little damage or no damage at all. However, other viruses can cause serious damage, such as formatting your hard drive, resulting in a loss of data. Therefore, protecting against such attacks is extremely important. You can take a number of different steps to secure your computer against virus attacks:

  • Install antivirus software.

  • Keep signature files up to date.

  • Educate users about viruses.

  • Use an Internet firewall.

  • Install the latest critical updates.

  • Use the security features in Outlook Express.

Alert: Microsoft recommends the following three steps to secure a computer and protect it from virus attacks: use an Internet firewall, keep your computer up to date with the latest critical updates, and use up-to-date antivirus software.


Antivirus Software

One of the most important measures you can take to prevent viruses from infecting your computer is to install antivirus software.

Antivirus software is a program designed specifically to detect and remove viruses. Two of the most popular programs are Norton Antivirus and McAfee Virusscan. After you install antivirus software, it scans your computer and deletes any viruses it finds.

Because new viruses are constantly being created, the makers of antivirus software have to constantly update their database with new fixes for detecting and removing them. So, installing antivirus software does not necessarily mean your system is secure. You have to make sure you update the signature files for the antivirus software so it can detect and remove new viruses. Generally, you can update the signature files over the Internet.

Alert: Signature files contain the latest virus updates. Therefore, you need to keep the signature files up to date. You can do so by downloading the latest files from the vendor's Web site. Not keeping the signature files up to date defeats the purpose of installing antivirus software because your computer is not protected against the latest viruses.


Internet Firewall

A firewall is a piece of software that runs on a computer with an Internet connection and acts as a barrier between your computer and Internet users. It allows traffic from the local network or computer to pass through but blocks traffic initiated by Internet users. The benefit of using a firewall is that it can protect your computer from malicious users as well as computer viruses.

Windows XP has a built-in firewall component called the Internet Connection Firewall (ICF). You should enable this feature on any computer that has a direct Internet connection. Those computers that have Internet access through a shared connection do not need to have the firewall component enabled. You can enable the firewall component by using the following steps:

  1. Click Start and click the Control Panel option. If you are using the Classic Start menu, click Start, point to Settings and then click the Control Panel option.

  2. Open the Network Connections applet.

  3. Right-click the Internet connection and click Properties.

  4. Select the Advanced tab, as shown in Figure 9.1.

    Figure 9.1. Enabling the Internet Connection Firewall.



  5. Under Internet Connection Firewall, check the box beside the option named Protect My Computer and Network by Limiting or Preventing Access to This Computer from the Internet.

Note: You can configure the Internet Connection Firewall component to allow certain types of traffic to pass through to the private network. For example, if you have an FTP server on the private network, you can make it accessible to Internet users by allowing FTP traffic.
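The firewall behaviour described in this section (traffic started by the local computer passes, unsolicited traffic from Internet users is blocked, and a named service such as FTP can be opened on purpose) is a stateful inbound filter. The following Python models that rule so you can see why a reply to your own web request gets in while a probe of a file-sharing port does not. It is an added illustration, not code from the book or from Windows; the Packet and ConnectionFirewall names, the addresses and the port numbers are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One packet, reduced to the fields a connection firewall looks at (constructed type)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = sent by the protected computer, "in" = arriving from the Internet


@dataclass
class ConnectionFirewall:
    """Model of the ICF rule: outbound traffic opens state; inbound traffic is dropped
    unless it answers an existing outbound flow or targets a service opened on purpose."""
    allowed_services: set = field(default_factory=set)  # ports opened explicitly, e.g. {21} for FTP
    flows: set = field(default_factory=set)             # (src_ip, src_port, dst_ip, dst_port) of outbound flows
    log: list = field(default_factory=list)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Remember the flow so the remote host's reply can come back in.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: is it the reverse of a flow the protected computer started?
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return "allow"
        # Inbound to a service the administrator opened (the FTP case from the note).
        if pkt.dst_port in self.allowed_services:
            self.log.append(f"allowed service port {pkt.dst_port} from {pkt.src_ip}")
            return "allow"
        self.log.append(f"dropped unsolicited {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}")
        return "drop"


def demo(open_ftp: bool = True) -> list:
    """Run four constructed packets through the model and return the verdicts in order."""
    fw = ConnectionFirewall(allowed_services={21} if open_ftp else set())
    host = "192.168.0.10"  # constructed private address of the protected computer
    return [
        # 1. the host browses a web server; 2. the server's reply matches the recorded flow
        fw.filter(Packet(host, 40000, "203.0.113.5", 80, "out")),
        fw.filter(Packet("203.0.113.5", 80, host, 40000, "in")),
        # 3. an Internet host probes the file-sharing port: no matching flow, not an opened service
        fw.filter(Packet("198.51.100.7", 1234, host, 445, "in")),
        # 4. an Internet host connects to the FTP server: allowed only when port 21 was opened
        fw.filter(Packet("198.51.100.7", 1235, host, 21, "in")),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running `demo()` returns `["allow", "allow", "drop", "allow"]`; with `open_ftp=False` the last packet is dropped too, which is the state a computer is in right after the firewall is enabled and before any service is allowed through.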


Educating Users

Another way in which you can protect your network against virus attacks is to educate users. This includes educating them about how viruses can enter the network and how they are spread.

Viruses can be acquired in a number of different ways, including email attachments or programs downloaded from unknown Internet sources. For example, users can unknowingly introduce a virus onto their system and possibly a network by opening an email attachment. To prevent virus outbreaks, do the following:

  • Educate users about the different ways in which viruses can be spread.

  • Alert users to the common signs of viruses. These signs can include a decrease in system performance, unusual messages, or programs not behaving as they normally would.

  • Educate users to the dangers of bringing in floppy disks from outside sources. Many organizations discourage this practice. If it is allowed, users should be encouraged to scan all floppy disks for viruses before opening or copying any files onto their computer or a network share.

  • Emphasize the importance of using antivirus software and keeping the signature files up to date.

Understanding Outlook Express Security Features

As already mentioned, one of the most common ways in which viruses are spread is via email. Outlook Express 6, therefore, has some built-in security features to protect against viruses.

Security zones in Outlook Express determine whether active content can be run from within an HTML message. You can configure the security zone for Outlook Express by using the following steps:

  1. Click Start and select Outlook Express. Alternatively, if you are using the Classic Start menu, click Start, point to Programs, and click Outlook Express.

  2. Within Outlook Express, click the Tools menu and click Options.

  3. From the Options dialog box, select the Security tab.

  4. Under Virus Protection, select Restricted Sites Zone (see Figure 9.2). This option should be selected by default in Outlook Express 6. Previous versions of Outlook Express used the Internet zone, which is less secure because it allows most active content to run.

    Figure 9.2. Configuring security zones in Outlook Express.



Outlook Express can also be configured to read all email messages in plain text. The benefit of this approach is that no active content contained within the message is run. The disadvantage is that some HTML emails are not displayed correctly in plain text. To enable Outlook Express to read all messages in plain text, repeat steps 1 and 2 from the preceding set of steps. Then, from the Options dialog box, select the Read tab and check the option Read All Messages in Plain Text (see Figure 9.3).

Figure 9.3. Configuring Outlook Express to read all messages in plain text.



Tip: Not all email clients support HTML. The result of sending an HTML message to a recipient using an email client that does not support this feature is a message that may appear in small print, a message that arrives as an attachment, or even a message with no text. So, using plain text not only increases security, but it may also increase functionality.


Some viruses are capable of exploiting your Outlook Express contact list. They can spread themselves by sending copies of email messages containing the viruses to all your Outlook Express contacts.

Outlook Express can be configured to notify you before another application can send an email message without your knowledge. You can configure Outlook Express to do so using the Security tab from the Options dialog box and selecting the option Warn Me When Other Applications Try to Send Mail as Me. This option is enabled by default in Outlook Express 6.

Many users are often unable to differentiate between those attachments that are safe and those that are potentially harmful. Outlook Express can be configured to block attachments with certain extensions. You can do so by selecting the option Do Not Allow Attachments to Be Saved or Opened That Could Potentially Be a Virus. With this option enabled, Outlook Express uses Internet Explorer's unsafe file list and the settings configured using the Folder Options applet to determine which attachments should be blocked. Typically, Internet Explorer considers any attachments containing script or code to be unsafe. You can configure which file types are unsafe by using the Folder Options applet within the Control Panel. When Outlook Express receives an email message with an attachment considered to be unsafe, a message appears notifying you that the attachment has been blocked.
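To show what an extension-based attachment block does, and why the name has to be judged on its final extension and case-insensitively, here is an added Python example. It is not Outlook Express code: the UNSAFE_EXTENSIONS set is a constructed subset standing in for Internet Explorer's unsafe file list, and the message it scans is constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Constructed subset of "script or code" extensions for this example; Outlook Express
# itself consults Internet Explorer's unsafe file list, which this set only stands in for.
UNSAFE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsh", ".reg"}


def attachment_verdicts(msg: EmailMessage) -> list:
    """Return (filename, verdict) for every attachment, judged on its final extension."""
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the last extension counts, so "Report.doc.EXE" is judged as .exe, case-insensitively.
        ext = PurePosixPath(name.lower()).suffix
        # A part with no usable extension cannot be classified, so it is blocked rather than trusted.
        blocked = ext == "" or ext in UNSAFE_EXTENSIONS
        verdicts.append((name, "blocked" if blocked else "allowed"))
    return verdicts


def scan_raw(raw: bytes) -> list:
    """Parse a raw message as it arrives from the mail server and judge its attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return attachment_verdicts(msg)


def build_sample_message() -> bytes:
    """Constructed message with one harmless attachment and two that the policy blocks."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("The figures are attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="figures.pdf")
    # Double extension: the document-looking name actually ends in .EXE.
    msg.add_attachment(b"MZ constructed", maintype="application", subtype="octet-stream",
                       filename="Report.doc.EXE")
    msg.add_attachment(b"constructed script text", maintype="application", subtype="octet-stream",
                       filename="invoice.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_raw(build_sample_message()):
        print(f"{name}: {verdict}")
```

The verdict is based on the filename alone, exactly as the Outlook Express option is: a blocked `.vbs` that a user renames to `.txt` before sending would pass, which is why the book pairs this setting with antivirus scanning rather than relying on it by itself.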

Managing Critical Updates

Often after a vendor releases an operating system or application, security issues are identified and reported. Most vendors, including Microsoft, release updates that can normally be downloaded from their Web sites. These updates are released to fix known issues and security vulnerabilities with an operating system or software program. A critical update is one considered critical to the normal operation of your computer.

Windows XP Updates

Windows XP makes it relatively simple to identify any critical updates that should be installed on your computer. By using the Windows Update Web site, you can have your computer scanned to determine the critical updates that are missing.

You can easily access the Windows Update Web site by clicking Start, pointing to All Programs, and clicking Windows Update. You are immediately connected to the Windows Update Web site (see Figure 9.4).

Figure 9.4. Using the Windows Update Web site.

To begin scanning your system for missing updates, select the Scan for Updates option (refer to Figure 9.4). When the scan is complete, you are notified whether any updates for your system were detected. Click the Review and Install Updates option (see Figure 9.5) to browse through the updates found.

Figure 9.5. Windows Update notifies you if updates are available for your system.

Windows Update lists any critical updates you should install on your system. You can review the updates and click the Install Now button, shown in Figure 9.6, to begin downloading and installing the updates. You also have the option of selecting the specific updates you want to install.

Figure 9.6. Installing critical updates.

Tip: Windows Update alerts you to those updates critical to the normal operation of your system. Therefore, it is recommended that you download and install all those updates considered critical.


Office Application Updates

Not only does Microsoft release critical updates for the various versions of Windows, but it also releases critical updates for Office applications. Again, critical Office updates are designed to improve the stability and security of your applications.

You can access the Microsoft Office Update Web site by selecting the Check for Updates option available from the Help menu within an Office application. After you select this option, you are connected to the Office Update Web site, as shown in Figure 9.7.

Figure 9.7. Installing Office Updates.

Alert: Security is always a hot topic, especially when it comes to exam topics. Be sure you are familiar with the different ways of keeping a system up to date and secure. Securing your computer refers not only to the operating system but also to additional software components such as Microsoft Office.


Automatic Updates

You can configure Windows XP to keep your system up to date without your intervention by using the Automatic Updates feature. With Automatic Updates, you no longer need to search for critical updates pertinent to your computer. Instead, Windows detects when you have an Internet connection and uses the connection to automatically connect to the Windows Update site. If any updates are found, an icon is displayed in the notification area alerting you of the updates.

You do have the ability to control the Automatic Updates feature. For example, you can have Windows automatically download any updates it finds and install them on the schedule you specify. Conversely, you can configure Automatic Updates such that you are notified before any updates are downloaded.

To access and configure Automatic Updates, follow these steps:

  1. Click Start and select the Control Panel. If using the Classic Start menu, click Start, point to Settings, and click Control Panel.

  2. Within the Control Panel, open the System applet. The System Properties dialog box appears.

  3. Select the Automatic Updates tab, as shown in Figure 9.8.

    Figure 9.8. Configuring Windows XP for Automatic Updates.



As you can see in Figure 9.8, different options allow you to control the behavior of Automatic Updates. These options are summarized here:

  • Keep My Computer Up to Date Select this option to enable Automatic Updates on a computer. This option is selected by default.

  • Notify Me Before Downloading Updates and Notify Me Again Before Installing Them on My Computer If you select this option, Windows notifies you twice: once before downloading the updates from the Windows Update Web site and again before installing the updates.

  • Download the Updates Automatically and Notify Me When They Are Ready to Be Installed When you select this option, Windows automatically downloads any updates. You receive notification when the updates are ready to be installed.

  • Automatically Download the Updates, and Install Them on the Schedule That I Specify When you select this option, Windows automatically downloads any updates and installs them based on the schedule that you specify.

Note: When it comes to deploying Automatic Updates, another technology you can use is Software Update Services. This free tool from Microsoft allows updates to be downloaded onto a server on your private network. You can then test the updates and approve them before deploying them to computers.


Microsoft Baseline Security Analyzer

Ensuring that a computer is up to date is crucial in protecting the system against any security attacks, including malicious software such as viruses and worms. Any misconfigurations with software can also leave a system vulnerable. Because identifying misconfigurations that may lead to security vulnerabilities can be difficult, an administrator can use a tool called the Microsoft Baseline Security Analyzer (MBSA).

The Microsoft Baseline Security Analyzer tool, available from the Microsoft Web site, can be used to scan a computer to identify any misconfigurations in the operating system or in software such as Office 2000. The tool can be used to scan computers running Windows XP as well as other versions of Windows, including Windows NT 4.0, Windows 2000, and Windows Server 2003.

Tip: You can use MBSA to scan remote computers. In other words, you can run MBSA on your computer and use it to scan other computers on the network.


After you download and install the Microsoft Baseline Security Analyzer, you can use it to scan a system for misconfigurations as well as determine which security updates are missing (see Figure 9.9).

Figure 9.9. Using the Microsoft Baseline Security Analyzer.

By selecting the Scan a Computer option, you open a window in which you can specify which computer you want to scan. By default, the local computer is scanned (see Figure 9.10). When you are ready, you can select the Start Scan option.

Figure 9.10. Selecting a computer to scan.

MBSA scans the operating system, Internet Explorer, and other desktop applications such as Microsoft Office (it also scans programs such as IIS and SQL). The results alert you to any critical updates that are missing as well as configuration settings that should be changed to increase security (see Figure 9.11).

Figure 9.11. Viewing the security report.

Hfnetchk.exe Utility

You can use the Hfnetchk.exe utility to determine the hotfixes that might be required for your server. When the command-line utility is run, it scans the system to determine the operating system, service packs, and programs installed. It then determines the security patches available for your system based on the components running. Hfnetchk.exe displays the hotfixes that should be installed to bring the system up to date.

You can run Hfnetchk from Windows NT 4.0, Windows 2000, or Windows XP systems, and it scans either the local system or remote systems for patches available for the following products:

  • Windows NT 4.0, Windows 2000, Windows XP

  • Internet Information Server 4.0 and 5.0

  • SQL Server 7.0 and 2000 (including Microsoft Data Engine)

  • Internet Explorer 5.01 and later

The system requirements to run the utility are as follows:

  • Windows NT 4.0, Windows 2000, or Windows XP

  • Internet Explorer 5.0 or later (an XML parser is required and one is included with Internet Explorer 5.0)
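To make the decision Hfnetchk.exe performs concrete (an inventory of operating system, service pack and installed products is matched against a patch catalogue, and only the fixes that are applicable, absent, and not already contained in a later patch are reported), here is an added Python model. It is not the utility's code and does not read its XML catalogue; the HF-xxx ids, the CATALOG entries, the supersession links and the inventories are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Patch:
    """One catalogue entry (constructed ids; real entries carry bulletin/KB numbers)."""
    id: str
    product: str
    min_sp: int = 0                        # lowest service pack level the patch applies to
    max_sp: int = 99                       # highest service pack level the patch applies to
    superseded_by: Optional[str] = None    # later patch that already contains this fix


@dataclass
class Inventory:
    """What a scan of one system finds: OS, service pack, other products, installed patch ids."""
    os_name: str
    service_pack: int
    products: set = field(default_factory=set)
    installed: set = field(default_factory=set)


# Constructed catalogue standing in for the patch list the utility downloads.
CATALOG = [
    Patch("HF-001", "Windows XP", 0, 1, superseded_by="HF-003"),
    Patch("HF-003", "Windows XP", 0, 1),
    Patch("HF-002", "Windows XP", 1, 1),   # applies to SP1 only
    Patch("HF-010", "Windows 2000", 0, 4),
    Patch("HF-020", "Internet Explorer"),
    Patch("HF-030", "SQL Server 2000"),
]


def applies(patch: Patch, inv: Inventory) -> bool:
    """OS patches are gated on the service pack range; product patches on the product being present."""
    if patch.product == inv.os_name:
        return patch.min_sp <= inv.service_pack <= patch.max_sp
    return patch.product in inv.products


def missing_patches(inv: Inventory, catalog: list) -> list:
    """Ids the system still needs: applicable, not installed, and not covered by a later patch."""
    by_id = {p.id: p for p in catalog}
    missing = []
    for p in catalog:
        if not applies(p, inv) or p.id in inv.installed:
            continue
        # Walk the supersession chain: an installed successor already contains this fix.
        succ = p.superseded_by
        covered = False
        while succ is not None:
            if succ in inv.installed:
                covered = True
                break
            succ = by_id[succ].superseded_by if succ in by_id else None
        if covered:
            continue
        # When the direct successor is itself applicable and missing, report only that one.
        nxt = by_id.get(p.superseded_by) if p.superseded_by else None
        if nxt is not None and applies(nxt, inv):
            continue
        missing.append(p.id)
    return missing


def demo() -> list:
    """Windows XP SP1 with Internet Explorer, one hotfix already applied (constructed inventory)."""
    xp_sp1 = Inventory("Windows XP", 1, products={"Internet Explorer"}, installed={"HF-002"})
    return missing_patches(xp_sp1, CATALOG)


if __name__ == "__main__":
    print("Missing:", ", ".join(demo()))
```

For the constructed SP1 inventory the result is `HF-003` and `HF-020`: the superseded `HF-001` is folded into `HF-003`, the SP1-only `HF-002` is already installed, and the Windows 2000 and SQL Server entries never apply. Supersession handling is what keeps such a report short enough to act on; without it a system a year behind would list every intermediate fix.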



MCDST 70-272 Exam Cram 2. Supporting Users & Troubleshooting Desktop Applications on a Windows XP Operating System (Exam Cram 2)
Authors: Diana Huggins
