- Windows Software Update Service and NAP
WSUS is what larger corporations, enterprises
and larger institutions use to ensure
stability of their platform.
It basically lets the administrator decide
which patches to apply when. He can also set up
policies so that different patches are applied
to different sets of computers, depending on
their location, organizational unit, roles etc.
The catch is that IF you decide to go with WSUS
you just HAVE to be diligent with the patches.
If you don't let them through, they will not
reach the clients.
A clever admin will of course set up
non-mission critical machines (usually the
majority) to patch automatically using
Windows Update.
He should also set up group policies which
switch on the firewall on all client
machines. Firewalls switched on would have
protected even an unpatched machine against
Conficker and a host of other threats.
Network Access Protection is available by
default since Vista. It basically lets the
administrator define policies for access to the
network.
If your client machine cannot prove that it
meets certain administrator-defined
requirements (i.e. fully patched, protected by
a certain antivirus suite, holder of a given
certificate etc.) no protected server/service
on the network will talk to it until it has
been fixed. By setting up a special
download/fix page even this can be automated.
The thing is, these definitions can be set up
to be largely automatic. There's really no
excuse for an admin NOT to ensure that machines
on the network are protected and fully patched.
At least this goes for an institution such as a
hospital. A school/educational environment is
more tricky because it inherently needs to be
more open. It can still be done without too
much effort, though.
One way is to define the "public" nets (open
WiFi and wired Ethernet) as "potentially
hostile". Only a few HTTP-based services (such
as an intranet etc.) should be open for
unauthenticated clients.
Clients with a valid certificate (can be set to
download automatically to machines which are
part of the domain) could be allowed access to
the protected part of the network, subject to
NAP.
I agree that the threats will never go away.
Admins should be educated to take advantage of
the extra lines of defense which are already
offered them as part of their Windows network.
And no, switching to another OS infrastructure
will not solve the problem. No other OS
infrastructure offers the same combination of
openness and lock-down mechanisms. Not without
paying through your nose.
- Posted by: honeymonster Posted on: 04/13/09



