Defense-in-Depth Against Malicious Software
Rick Claus / Bruce Cowper
IT Pro Advisors
Microsoft Canada
Session Prerequisites
Hands-on experience with Microsoft Windows Server and Active Directory
Basic understanding of network security fundamentals
Basic understanding of concepts related to malicious software
Level 200
Session Overview
Understanding the Characteristics of Malicious Software
Malware Defense-in-Depth
Malware Defense for Client Computers
Malware Defense for Servers
Network-Based Malware Defense
Malware Outbreak Control and Recovery
Understanding the Characteristics of Malicious Software
Malicious Software: Identifying Challenges to an Organization
Malware: A collection of software developed to intentionally perform malicious tasks on a computer system
Feedback from IT and security professionals includes:
“The users executed the attachment from their e-mail even though we’ve told them again and again that they aren’t supposed to.”
“The antivirus software should have caught this, but the signature for this virus hadn’t been installed yet.”
“We didn’t know our servers needed to be updated.”
“This never should have made it through our firewall; we didn’t even realize those ports could be attacked.”
Understanding Malware Attack Techniques
Common malware attack techniques include:
Social engineering
Backdoor creation
E-mail address theft
Embedded e-mail engines
Exploiting product vulnerabilities
Exploiting new Internet technologies
Understanding the Vulnerability Timeline
[Timeline diagram with these milestones: Product shipped; Vulnerability discovered; Update made available; Update deployed by customer; Vulnerability disclosed. Annotation on the timeline: Most attacks occur here]
Understanding the Exploit Timeline
[The same timeline diagram with an Exploit milestone added: Product shipped; Vulnerability discovered; Update made available; Update deployed by customer; Vulnerability disclosed; Exploit]
Days between update and exploit have decreased
Identifying Common Malware Defense Methods
Malware Attack | Defense Method
Mydoom | Block port 1034; update antivirus signatures; implement application security
Sasser | Block ports 445, 5554, and 9996; install the latest security update
Blaster | Install the latest security update; block TCP ports 135, 139, 445, and 593 and UDP ports 135, 137, and 138, and also block UDP port 69 (TFTP) and TCP port 4444 (remote command shell); update antivirus signatures
SQL Slammer | Install the latest security update; block UDP port 1434
Download.Ject | Install the latest security update; increase security on the Local Machine zone in Internet Explorer; clean any infections related to IIS
Malware Defense: Best Practices
Stay informed
Implement application security
Restrict local administration rights
Implement security and antivirus update management
Implement firewall protection
Malware Defense-in-Depth
What Is Defense-in-Depth?
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Layer | Examples of controls
Policies, procedures, and awareness | Security policies, procedures, and education
Physical security | Guards, locks, tracking devices
Perimeter | Firewalls, border routers, VPNs with quarantine procedures
Internal network | Network segments, IPSec, NIDS
Host | OS hardening, authentication, update management, antivirus updates, auditing
Application | Application hardening
Data | Strong passwords, ACLs, encryption, EFS, backup and restore strategy
Applying Defense-in-Depth to Malware Defense
Policies, procedures, and awareness
Physical security
Network defenses: Perimeter; Internal network
Client defenses: Host; Application; Data
Server defenses: Host; Application; Data
Implementing Host Protection Policies, Procedures, and Awareness
Recommended policies and procedures include:
Host protection defense policies: Scanning policy; Signature update policy; Allowed application policy
Network defense policies: Change control; Network monitoring; Attack detection; Home computer access; Visitor access; Wireless network policy
Security update policy:
1. Assess environment to be updated
2. Identify new updates
3. Evaluate and plan update deployment
4. Deploy the updates
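The first three steps of the security update policy, carried out on a single host with the Windows Update Agent COM API; this is an added example, not part of the deck, and the 30-day overdue threshold and the report path are assumed values.

```powershell
# Added example (not from the original deck): uses the Windows Update Agent
# COM API (Microsoft.Update.Session) to carry out the policy's "assess",
# "identify" and "evaluate" steps on one host: report the update source, list
# updates not yet installed, rank them by MSRC severity and export the list
# for the change-control record. Nothing is installed; deployment (step 4)
# stays with SUS/WSUS, SMS or Windows Update. Run in an elevated PowerShell
# session on a host that can reach its update source.

param(
    [int]$MaxAgeDays = 30,   # assumed policy value: Critical updates older than this are overdue
    [string]$ReportPath = "$env:TEMP\missing-updates-$env:COMPUTERNAME.csv"
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Step 1 - assess: where does this host get updates from?
$sourceName = @{ 0 = 'Default'; 1 = 'Managed server (SUS/WSUS)'; 2 = 'Windows Update'; 3 = 'Other' }
Write-Output ("Host {0}: update source = {1}" -f $env:COMPUTERNAME, $sourceName[[int]$searcher.ServerSelection])

# Step 2 - identify: software updates that apply to this host but are not installed
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity  = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        Category  = ($u.Categories | ForEach-Object { $_.Name }) -join ';'
        Published = $u.LastDeploymentChangeTime
        Title     = $u.Title
    }
}

# Step 3 - evaluate: rank by severity, then by age, and flag what the policy treats as overdue
$rank    = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unrated = 4 }
$ordered = $missing | Sort-Object { $rank[$_.Severity] }, Published
$ordered | Format-Table KB, Severity, Published, Title -AutoSize

$overdue = $ordered | Where-Object {
    $_.Severity -eq 'Critical' -and $_.Published -lt (Get-Date).AddDays(-$MaxAgeDays)
}
if ($overdue) {
    Write-Warning ("{0} Critical update(s) published more than {1} days ago are still missing" -f @($overdue).Count, $MaxAgeDays)
}

# Keep the list as the change-control record; step 4 (deploy) goes through the approved channel
$ordered | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Output "Report written to $ReportPath"
```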
Implementing Physical Security and Antivirus Defense
Elements of an effective physical defense plan include:
Server computers
Network access points
Premises security
Personnel security
Mobile computers and devices
Workstation computers
Malware Defense for Client Computers
Protecting Client Computers: What Are the Challenges?
Challenges related to protecting client computers include:
Data challenges: Implementing data storage policies; Implementing data security; Regulatory compliance
Application challenges: Controlling application usage; Secure application configuration settings; Maintaining application security updates
Host challenges: Maintaining security updates; Maintaining antivirus software; Implementing a personal firewall
Implementing Client-Based Malware Defense
Steps to implement a client-based defense include:
1. Reduce the attack surface
2. Apply security updates
3. Enable a host-based firewall
4. Install antivirus software
5. Test with configuration scanners
6. Use least-privilege policies
7. Restrict unauthorized applications
Choosing an Update Management Solution for Malware Defense
Customer type | Scenario | Solution
Consumer | All scenarios | Windows Update
Small organization | Has no Windows servers | Windows Update
Small organization | At least one Windows 2000 or newer server and one IT administrator | MBSA and SUS
Medium-sized or large enterprise | Wants an update management solution with a basic level of control that updates Windows 2000 and newer versions of Windows | MBSA and SUS
Medium-sized or large enterprise | Wants a single flexible update management solution with an extended level of control to update and distribute all software | SMS
Understanding the Benefits of Software Update Services
Gives administrators basic control over update management
Administrators can review, test, and approve updates before deployment
Simplifies and automates key aspects of the update management process
Can be used with Group Policy, but Group Policy is not required to use SUS
Easy to implement
Free tool from Microsoft
SUS—How It Works
[Diagram: a parent SUS server synchronizes with Windows Update over the Internet; a child SUS server synchronizes from the parent; client computers on the internal network receive updates from the SUS servers]
[Demonstration network diagram, used by all four demonstrations: Internal Network 10.10.0.0/16 behind Vancouver.nwtraders.msft (ISA Server 2004, 10.10.0.1/16 internal and 131.107.0.1/16 Internet-facing). Internal hosts: London.nwtraders.msft (Domain Controller, Exchange Server 2003, IIS 6.0 Server, Software Update Services, DNS Server, Enterprise CA Server, 10.10.0.2/16); Denver.nwtraders.msft (Windows XP SP2, Office 2003, 10.10.0.10/16); Glasgow.nwtraders.msft (MIIS Server, ADAM Server, 10.10.0.3); Brisbane.northwindtraders.msft (Domain Controller, IIS 6.0 Server, 10.10.0.20). An Internet-side host at 131.107.0.8]
Demonstration 1: Configuring Software Update Services to Deploy Security Updates
Configure Software Update Services to deploy security updates
Configuring Applications to Protect Client Computers
Applications that may be malware targets include:
E-mail client applications
Desktop applications
Instant messaging applications
Web browsers
Peer-to-peer applications
Managing Internet Explorer Browser Security
Security Feature | Description
MIME security improvements | Consistency checks; stricter rules
Better security management | Add-on control and management features; better prompts; new script-initiated windows restrictions
Local Machine zone | Ability to control security in the Local Machine zone
Feature Control Security Zone settings | MIME sniffing; security elevation; windows restriction
Group Policy settings | Administrative control for feature control security zones
Demonstration 2: Configuring Client-Based Applications
Configure client applications to defend against malware
Blocking Unauthorized Applications with Software Restriction Policies
Software restriction policies:
Can be set to: Unrestricted; Disallowed
Can be applied to the following rules: Hash; Certificate; Path; Zone
Can be used to: Fight viruses; Control ActiveX downloads; Run only signed scripts; Ensure approved software is installed; Lock down a computer
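A way to verify what a software restriction policy actually enforces on a host, by reading its registry representation; this is an added example, not from the deck, and the registry layout it reads (the CodeIdentifiers key with one subkey per level holding Paths, Hashes and UrlZones containers) is stated as an assumption.

```powershell
# Added example (not from the original deck): audits the machine software
# restriction policy on a Windows host by reading its registry form, so the
# enforced default level and rule set can be checked rather than trusting the
# GPO editor view. Assumptions: the policy lives under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with one
# subkey per security level that holds Paths, Hashes and UrlZones rule
# containers; certificate rules live in the certificate stores and are not
# enumerated here. Read-only; no policy is changed.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Level identifiers as stored in DefaultLevel and used as level subkey names
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$ruleNames  = @{ Paths = 'Path'; Hashes = 'Hash'; UrlZones = 'Zone' }

function Get-SrpRule {
    param([string]$LevelPath, [string]$RuleType, [string]$LevelName)
    $container = "$LevelPath\$RuleType"
    if (-not (Test-Path -Path $container)) { return }
    foreach ($rule in Get-ChildItem -Path $container) {
        $p = Get-ItemProperty -Path $rule.PSPath
        # Hash rules store the hash as binary; render it as hex. Path and zone rules store text/number.
        $data = if ($p.ItemData -is [byte[]]) {
            ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
        } else { $p.ItemData }
        [pscustomobject]@{
            Level       = $LevelName
            RuleType    = $ruleNames[$RuleType]
            Rule        = $data
            Description = $p.Description
            Name        = $p.FriendlyName
        }
    }
}

if (-not (Test-Path -Path $base)) {
    Write-Warning 'No machine software restriction policy is defined on this host.'
    return
}

$cfg = Get-ItemProperty -Path $base
# A missing DefaultLevel means the default of Unrestricted applies
$defaultLevel = if ($null -eq $cfg.DefaultLevel) { 'Unrestricted' } else { $levelNames[[int]$cfg.DefaultLevel] }
Write-Output "Default security level : $defaultLevel"
# PolicyScope 1 exempts local administrators; TransparentEnabled 2 also checks DLLs
Write-Output ("Applies to             : {0}" -f $(if ($cfg.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }))
Write-Output ("Enforcement            : {0}" -f $(if ($cfg.TransparentEnabled -eq 2) { 'all software files including DLLs' } else { 'all software files except DLLs' }))

$rules = foreach ($lvl in Get-ChildItem -Path $base) {
    $id = 0
    if (-not [int]::TryParse($lvl.PSChildName, [ref]$id)) { continue }   # only numeric level keys
    $name = if ($levelNames.ContainsKey($id)) { $levelNames[$id] } else { "Level $id" }
    foreach ($type in 'Paths', 'Hashes', 'UrlZones') {
        Get-SrpRule -LevelPath "$base\$($lvl.PSChildName)" -RuleType $type -LevelName $name
    }
}
$rules | Format-Table Level, RuleType, Rule, Description -AutoSize

# Defender checks: the lock-down posture is a Disallowed default with narrow
# Unrestricted rules; a permissive default or wide Unrestricted path rules undo it.
if ($defaultLevel -ne 'Disallowed') {
    Write-Warning "Default level is $defaultLevel: unknown software runs unless a rule disallows it."
}
$rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.RuleType -eq 'Path' -and $_.Rule -match '\*|\\$' } |
    ForEach-Object { Write-Warning "Broad Unrestricted path rule: $($_.Rule)" }
```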
New Security Features in Windows Firewall
On by default
Boot-time security
Global configuration and restore defaults
Local subnet restrictions
Command-line support
On with no exceptions
Windows Firewall exceptions list
Multiple profiles
RPC support
Unattended setup support
Configuring Windows Firewall for Antivirus Defense
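The firewall features listed above (on by default, on with no exceptions, local subnet restrictions, exceptions list, multiple profiles), applied from the command line on a current Windows host; this is an added example, not the deck's demonstration, and the antivirus agent path is a placeholder.

```powershell
# Added example (not from the original deck): applies the deck's Windows
# Firewall posture with the NetSecurity cmdlets (Windows 8 / Server 2012 and
# later; the XP SP2 firewall the deck describes was driven with netsh firewall).
# Assumed choices: the Public profile runs with no exceptions, file sharing is
# answered only from the local subnet, and the antivirus agent path below is a
# placeholder to replace. Run in an elevated PowerShell session.

$avAgent = 'C:\Program Files\ExampleAV\avagent.exe'   # PLACEHOLDER: your antivirus agent

# 1. On by default for every profile, inbound blocked unless a rule allows it,
#    and blocked packets logged so an outbreak shows up in the host log.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. "On with no exceptions" for untrusted networks: allow rules are ignored on Public.
Set-NetFirewallProfile -Profile Public -AllowInboundRules False

# 3. Local subnet restriction for file and printer sharing (TCP 445, the port the
#    Sasser and Blaster entries above block at the perimeter): disable the built-in
#    group and replace it with a rule that only answers hosts on the same subnet.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False -ErrorAction SilentlyContinue
$smbRule = 'SMB - local subnet only (example)'
if (-not (Get-NetFirewallRule -DisplayName $smbRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $smbRule -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress LocalSubnet -Profile Domain, Private -Action Allow | Out-Null
}

# 4. Exceptions list: the antivirus agent may accept management connections,
#    but only on the domain profile and only from the local subnet.
$avRule = 'Antivirus agent - management from local subnet (example)'
if (-not (Get-NetFirewallRule -DisplayName $avRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $avRule -Direction Inbound -Program $avAgent `
        -RemoteAddress LocalSubnet -Profile Domain -Action Allow | Out-Null
}

# 5. Verify: every profile on, inbound blocked by default, Public ignoring exceptions.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules, LogBlocked
```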
Protecting Client Computers: Best Practices
Identify threats within the host, application, and data layers of the defense-in-depth strategy
Implement software restriction policies to control applications
Implement an effective security update management policy
Implement an effective antivirus management policy
Use Active Directory Group Policy to manage application security requirements
Malware Defense for Servers
Protecting Servers: What Are the Challenges?
Challenges to protecting servers include:
Maintaining reliability and performance
Maintaining security updates
Maintaining antivirus updates
Applying specialized defense solutions based upon server role
What Is Server-Based Malware Defense?
Basic steps to defend servers against malware include:
Reduce the attack surface
Analyze using configuration scanners
Enable a host-based firewall
Apply security updates
Analyze port information
Implementing Server-Based Host Protection Software
Considerations when implementing server-based antivirus software include:
CPU utilization during scanning
Application reliability
Management overhead
Application interoperability
Protecting Server-Based Applications
Applications that typically have specialized host protection implementations include:
Application | Example
Web servers | Internet Information Services (IIS)
Messaging servers | Microsoft Exchange 2003
Database servers | Microsoft SQL Server 2000
Collaboration servers | Microsoft SharePoint Portal Server 2003
Demonstration 3: Using ISA Server 2004 SMTP Message Screener
Implement the SMTP message screener
Protecting Servers: Best Practices
Consider each server role implemented in your organization to implement specific host protection solutions
Stage all updates through a test environment before releasing into production
Deploy regular security and antivirus updates as required
Implement a self-managed host protection solution to decrease management costs
Network-Based Malware Defense
Protecting the Network: What Are the Challenges?
Challenges related to protecting the network layer include:
Balance between security and usability
Lack of network-based detection or monitoring for attacks
Implementing Network-Based Intrusion-Detection Systems
Important points to note:
Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected
ISA Server 2004 provides network-based intrusion-detection abilities
Provides rapid detection and reporting of external malware attacks
[Diagram: network-based intrusion-detection system at the network edge]
Implementing Application Layer Filtering
Application layer filtering includes the following:
Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data
Deep content analysis, including the ability to detect, inspect, and validate traffic using any port and protocol
Demonstration 4: Implementing Filtering with ISA Server 2004
Implement filtering with ISA Server 2004
Understanding Quarantine Networks
Standard features of a quarantine network include:
Typically restricted or blocked from gaining access to internal resources
Provides a level of connectivity that allows temporary visitors’ computers to work productively without risking the security of the internal network
Currently only available for VPN remote access solutions
Protecting the Network: Best Practices
Have a proactive antivirus response team monitoring early warning sites such as antivirus vendor Web sites
Have an incident response plan
Implement automated monitoring and report policies
Implement ISA Server 2004 to provide intrusion-detection capabilities
Malware Outbreak Control and Recovery
How to Confirm the Malware Outbreak
The process for infection confirmation includes:
Reporting unusual activity
Gathering the basic information
Evaluating the data
Gathering the details
Responding to unusual activity
Evaluation outcomes: False alarm? Hoax? Known infection? New infection?
How to Respond to a Malware Outbreak
Outbreak control mechanism tasks include:
Disconnect the compromised systems from the network
Isolate the network(s) containing the infected hosts
Disconnect the network from all external networks
Research outbreak control and cleanup techniques
Examples of recovery goals include:
Minimal disruption to the organization’s business
Fastest possible recovery time
The capture of information to support prosecution
The capture of information to allow for additional security measures to be developed
Prevention of further attacks of this type
How to Analyze the Malware Outbreak
The following analysis tasks help you to understand the nature of the outbreak:
Checking for active processes and services
Checking the startup folders
Checking for scheduled applications
Analyzing the local registry
Checking for corrupted files
Checking users and groups
Checking for shared folders
Checking for open network ports
Checking and exporting system event logs
Running MSCONFIG
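The analysis checklist above as a single collection script for one suspect host; this is an added example, not part of the deck, and the output folder name, the set of registry autorun keys it reads and the evidence-manifest format are its own choices.

```powershell
# Added example (not from the original deck): collects the artifacts the
# analysis checklist asks for (processes, services, startup folders, scheduled
# tasks, registry autoruns, users and groups, shares, open ports, event logs)
# from one suspect Windows host into a timestamped folder, then hashes every
# file collected so the evidence can later be shown to be unaltered (the deck's
# "capture of information to support prosecution" goal). Read-only on the host.
# Assumes PowerShell 4.0 or later (Get-FileHash) and an elevated session; run
# it from removable media with known-good tools where you can, because a
# compromised host's own binaries may not be trustworthy.

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $env:SystemDrive "triage-$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

function Save-Csv {
    param($Data, [string]$Name)
    $Data | Export-Csv -Path (Join-Path $out "$Name.csv") -NoTypeInformation -Encoding UTF8
}

# 1. Active processes and services (MSCONFIG's Services tab, scripted)
Save-Csv (Get-Process | Select-Object Id, ProcessName, Path, StartTime, Company) 'processes'
Save-Csv (Get-CimInstance Win32_Service |
          Select-Object Name, State, StartMode, StartName, PathName) 'services'

# 2. Startup folders for all users and for the current user
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
Save-Csv (Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
          Select-Object FullName, Length, CreationTime, LastWriteTime) 'startup-folders'

# 3. Scheduled applications
schtasks.exe /query /fo CSV /v > (Join-Path $out 'scheduled-tasks.csv')

# 4. Registry autoruns (MSCONFIG's Startup tab, scripted); key list is this example's choice
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
    }
}
Save-Csv $autoruns 'registry-autoruns'

# 5. Users, groups and the local Administrators membership
Save-Csv (Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
          Select-Object Name, SID, Disabled, PasswordRequired) 'local-users'
Save-Csv (Get-CimInstance Win32_Group -Filter 'LocalAccount=True' | Select-Object Name, SID) 'local-groups'
net.exe localgroup Administrators > (Join-Path $out 'local-administrators.txt')

# 6. Shared folders
Save-Csv (Get-CimInstance Win32_Share | Select-Object Name, Path, Type, Description) 'shares'

# 7. Open network ports with the owning process IDs (cross-reference with processes.csv)
netstat.exe -ano > (Join-Path $out 'netstat.txt')

# 8. Event logs exported in native .evtx form so they can be analysed offline
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil.exe epl $log (Join-Path $out "$log.evtx")
}
# Corrupted system files: run 'sfc.exe /verifyonly' separately; it is slow.

# 9. Hash everything collected and record the manifest for evidence handling
Get-ChildItem -Path $out -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Out-File -FilePath (Join-Path $out 'manifest.txt') -Encoding UTF8

Write-Output "Triage data written to $out"
```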
How to Recover from a Malware Outbreak
Use the following process to recover from a virus outbreak:
Restore missing or corrupt data
Remove or clean infected files
Reconnect your computer systems to the network
Confirm that your computer systems are free of malware
How to Perform a Postrecovery Analysis
Postrecovery analysis steps include the following:
Postattack review meeting
Postattack updates
Session Summary
Understanding malware will help you to implement an effective defense against malware attacks
Use a defense-in-depth approach to defend against malware
Harden client computers by applying security updates, installing and maintaining an antivirus software strategy, and restricting computers using Group Policy
Stage all updates through a test server before implementing into production, in order to minimize disruption
ISA Server 2004 can be used to implement network defenses, such as application layer filtering, message screening, and network quarantine
An efficient response and recovery plan will ensure that if a malware attack occurs, your organization can quickly recover with minimal disruption
Next Steps
Microsoft TechNet Canada: http://www.microsoft.ca/technet
Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
Get additional security tools and content: http://www.microsoft.com/security/guidance
Questions and Answers
Team Blogs:
http://blogs.msdn.com/brucecowper
http://blogs.msdn.com/rclaus