MIT Network Security

Preventing Compromises on Windows Computers at MIT

The following recommendations are valid for all computers you use, whether on MITnet, at home, or elsewhere. A compromised computer often affects more colleagues than the machine's primary user. Compromises are an inconvenience, and oftentimes an avoidable one. Your assistance in minimizing the number of compromises on MITnet is greatly appreciated. Please direct questions and comments to security@mit.edu.

Two things are responsible for the majority of compromised Windows machines on campus:

  1. Guessed Passwords
  2. Unpatched applications and services

When a machine is compromised, the only safe recourse is to format the machine, reinstall the operating system and applications, apply the respective patches, restore data from backup and change all the passwords on the system (if the computer is a domain controller, every account in the domain also needs a new password after a compromise). Cleaning a compromised system in place is not safe, because a replaced system binary or a rootkit cannot be reliably found from within the system it has subverted. Experienced users with all the necessary software handy can do this in about four hours; the average downtime, however, is more than three days. With a few easy steps you can greatly reduce the chance that your computer is compromised and save yourself the hassle of formatting, reinstalling, etc. In addition to the hassle of recovering from a compromise, there may be legal consequences for you and MIT.

1. Guessed Passwords

1.1 Weak Passwords

The majority of compromised Windows machines on the MIT campus are the result of weak or blank passwords. Every account on each machine should have a strong password. See Guidelines for Choosing a Password for more information on what makes passwords strong.

Some examples of weak passwords are:

You should set a strong password for every account on each machine. If you need to write the password down on a piece of paper and store it in a safe place to remember it, do so. The majority of attacks these days come from hackers trying to guess your password over the network using automated scripts, so a long, hard-to-guess password that you have to write down beats a short one you can remember. You should still be careful not to share your password with others, or let them know where you store it.

If at all possible, you should configure the machine to require strong passwords. On a stand-alone machine this can be set via the following methods. In a domain environment, it should be set as a domain policy. Be sure to set it for both the local and domain accounts.

Every machine has a built-in Administrator account with full control of the machine. It is critical that its password is strong, because the built-in Administrator account cannot be locked out: an attacker can keep trying passwords against it even when the system policy locks out other accounts after a set number of failed attempts. One trick that helps against the most basic attacks is to rename the Administrator account to something else. Also, no one should use the Administrator account for day-to-day work.

1.2 Old Accounts

A number of the compromises each year come from accounts which are not actively used, such as the account of the person who left the department six months ago. Unneeded accounts should be deactivated immediately rather than left to go stale over time.
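The policy settings and account checks from 1.1 and 1.2, as an added PowerShell example that is not part of the original MIT page. It assumes a current Windows release with the built-in LocalAccounts module (Windows 10 / Server 2016 or later, which this 2003 page predates) and an elevated prompt. The thresholds (14-character minimum, lockout after 10 failures, 90 days of inactivity) and the replacement name for the Administrator account are this example's own choices, not MIT policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the MIT page. Assumes Windows 10 / Server 2016+ with the
# Microsoft.PowerShell.LocalAccounts module. Thresholds are illustrative choices.
# Set $Enforce to $true to apply the account changes; by default it only reports.
$Enforce = $false

# 1.1 Require strong passwords and lock out guessers. 'net accounts' sets the
# stand-alone machine's password and lockout policy (on a domain member the same
# settings belong in the domain password policy; 'net accounts /domain' shows it).
net accounts /minpwlen:14 /maxpwage:180 /uniquepw:5
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# The built-in Administrator is the local account whose RID (last SID component)
# is 500. Lockout never applies to it, so rename it and keep it disabled.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if ($builtin.Name -eq 'Administrator') {
    Write-Output "Built-in Administrator still has its default name"
    if ($Enforce) { Rename-LocalUser -SID $builtin.SID -NewName 'ws-breakglass' }  # example name
}
if ($builtin.Enabled) {
    Write-Output "Built-in Administrator ($($builtin.Name)) is enabled"
    if ($Enforce) { Disable-LocalUser -SID $builtin.SID }
}

# 1.2 Old accounts: enabled local accounts with no logon in the last 90 days
# (LastLogon is $null for an account that has never logged on).
$cutoff = (Get-Date).AddDays(-90)
$stale  = Get-LocalUser | Where-Object {
    $_.Enabled -and $_.SID.Value -notmatch '-500$' -and
    ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
}
foreach ($u in $stale) {
    $last = if ($u.LastLogon) { $u.LastLogon.ToString('yyyy-MM-dd') } else { 'never' }
    Write-Output "Stale account: $($u.Name) (last logon: $last)"
    if ($Enforce) { Disable-LocalUser -SID $u.SID }
}
```

Run it once with $Enforce left at $false, read the report, then re-run with $Enforce set to $true. The stale-account check disables rather than deletes, so a mistake is reversible with Enable-LocalUser; an account that has never logged on (for example one created yesterday) will also be listed, which is why the report step comes first.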


2. Unpatched applications or operating systems

After guessed passwords, the next most common way for a machine to be compromised is through a vulnerability in an application or the operating system. Most compromises of this kind that we see at MIT exploit vulnerabilities for which patches had been available for months before the compromise. Recent compromises have involved vulnerabilities in IIS, RPC, and Internet Explorer.

There are three components to keeping your system up to date: patching the operating system, patching the applications, and keeping anti-virus software current.

2.1 Patching the Operating System

The easiest way to update your Windows operating system is to go to the Microsoft Windows Update site (requires Internet Explorer), scan your machine and apply all Critical Updates and Service Packs. You need administrative privileges on Windows, so if you have a local expert, check with them about your DLC's policies on updates, as they may already be taking care of this. If you are administering many machines, test the patches on one machine before deploying them to the rest; occasionally a patch does cause problems.

You can have Windows inform you when new updates are available and even install them for you. If you are not going to pay attention to the updates, you should configure your machine to automatically download the updates, and install them on a weekly schedule. This way, your machine will not be compromised using a vulnerability in the operating system that was patched six months ago. If you are willing to pay more attention, then setting Automatic Updates to notify you when patches are available is the best solution, so that you get a chance to review the update and any possible known problems it may cause before applying.

Internet Explorer is included as part of the operating system and is updated via Automatic Updates or Windows Update.
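A way to check, from the command line, the two things section 2.1 asks for (are any published updates missing, and how is Automatic Updates configured), as an added example that is not part of the original MIT page. It uses the Windows Update Agent COM API, the same catalogue the Windows Update site scans, and assumes a current Windows release (Windows 10 / Server 2016 or later) with network access to Windows Update or a WSUS server. The 30-day threshold is this example's choice. It changes nothing on the machine.

```powershell
# Added example, not from the MIT page. Read-only audit of patch state through the
# Windows Update Agent COM API. Assumes Windows 10 / Server 2016+ and access to
# Windows Update or WSUS. The 30-day "overdue" threshold is illustrative.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Everything applicable to this machine that is not installed and not hidden.
$result  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = $u.MsrcSeverity        # Critical / Important / Moderate / Low, or empty
        KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Released = $u.LastDeploymentChangeTime
        AgeDays  = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
    }
}
$missing | Sort-Object AgeDays -Descending | Format-Table Severity, KB, AgeDays, Title -AutoSize

# The case the text warns about: a critical fix that has been available for a while.
$overdue = @($missing | Where-Object { $_.Severity -eq 'Critical' -and $_.AgeDays -gt 30 })
if ($overdue.Count) {
    Write-Warning "$($overdue.Count) critical update(s) released more than 30 days ago are missing"
}

# What was installed most recently (a machine with nothing recent is probably not updating).
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 -Property HotFixID, InstalledOn

# How Automatic Updates is configured: the notify-versus-schedule choice discussed above.
$au     = New-Object -ComObject Microsoft.Update.AutoUpdate
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download'
             3 = 'Notify before install'; 4 = 'Scheduled install' }
$s = $au.Settings
Write-Output ("Automatic Updates: {0}" -f $levels[[int]$s.NotificationLevel])
if ($s.NotificationLevel -eq 4) {
    # ScheduledInstallationDay: 0 = every day, 1..7 = Sunday..Saturday; Time = hour 0-23
    Write-Output ("  installs on day {0} at {1}:00" -f $s.ScheduledInstallationDay, $s.ScheduledInstallationTime)
}
if ($s.NotificationLevel -le 1) {
    Write-Warning "Automatic Updates is off or unconfigured: this machine will miss patches"
}
```

On a machine managed by a domain or WSUS policy the Automatic Updates settings are read-only here, but they are still reported, which is the point: a workstation whose owner believes "someone else handles updates" should show a scheduled install and an empty missing-update list.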

If you are running Windows NT 4.0 Workstation, Windows 95, Windows 98 or Windows ME, you should upgrade to Windows 2000 or XP Professional. Windows 95, 98 and ME were not designed with security in mind (they have no real user accounts or file permissions). Information Systems has already discontinued support for Windows 95 and ME, and support for Windows 98 and NT 4.0 Workstation ends June 30, 2003.

2.2 Patching Applications

Applications must also be patched. The method for getting patches varies greatly by vendor, so check with the vendor for details on how to obtain and apply patches.

To update Microsoft Office, go to the Office Updates Page (requires Internet Explorer) and click on "Scan my computer to detect Office updates I need."

If you can avoid running IIS, you should, as it requires a lot of care to run correctly. If you must run IIS, you will need to turn off everything that you aren't using (for example, the FrontPage Server Extensions), subscribe to Microsoft's security e-mail notification, and check once a week for patches (Thursday mornings are good). Yes, we know that is both difficult and a lot of work. Unfortunately, anything less and you will probably be reformatting your hard disk and spending the day restoring data from backups. New vulnerabilities in IIS are often announced and exploited on the same day. Two notorious IIS worms are Code Red and Nimda.
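A check for the "turn off everything you aren't using" advice above, as an added PowerShell example that is not part of the original MIT page. It assumes a current Windows release (Windows 10 / Server 2016 or later, where IIS is installed as optional features) and an elevated prompt; the list of features treated as unneeded is an example and must be decided per server.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the MIT page. Reports whether IIS runs on this machine and
# which IIS features are enabled, then disables the ones on an example "not needed"
# list. Assumes Windows 10 / Server 2016+. Edit $notNeeded for the server in question.
$notNeeded = @('IIS-FTPServer', 'IIS-FTPSvc', 'IIS-WebDAV', 'IIS-CGI', 'IIS-ServerSideIncludes')

# Is the web service even installed? If not, there is nothing to harden.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if (-not $w3svc) {
    Write-Output "IIS (W3SVC) is not installed"
    return
}
Write-Output "W3SVC is $($w3svc.Status), start type $($w3svc.StartType)"

# Every IIS sub-feature currently enabled; each one is attack surface.
$enabled = Get-WindowsOptionalFeature -Online |
           Where-Object { $_.FeatureName -like 'IIS-*' -and $_.State -eq 'Enabled' }
$enabled | Select-Object -Property FeatureName | Format-Table -AutoSize

# Remove the ones this server does not use (reversible with Enable-WindowsOptionalFeature).
foreach ($f in ($enabled | Where-Object { $_.FeatureName -in $notNeeded })) {
    Write-Output "Disabling $($f.FeatureName)"
    Disable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -NoRestart | Out-Null
}
```

The first run's feature table is the useful part: anything in it that nobody can name a reason for belongs in $notNeeded.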

2.3 Keeping Anti-Virus Software Current

Another common way for a Windows machine to be compromised is through infected e-mail attachments and downloads. The viruses often carry payloads that install back doors for attackers and tools to spread the virus further. Nimda, for instance, spread by e-mail and open file shares in addition to exploiting vulnerable IIS servers. To protect against these attacks, it is critical that you run anti-virus software on every PC you use. Information Systems has licensed VirusScan Enterprise 7.0 from NAI for use on MIT-owned computers and on the personal machines of MIT-affiliated staff, students, and faculty. For more information on getting anti-virus software for use at MIT, see the VirusScan pages.

Because new viruses appear every day, you must keep your anti-virus software up to date. The most recent distribution of VirusScan from Information Systems is configured to update itself every morning at around 4am and then scan the machine for viruses. That only happens if the machine is powered on and connected at that time, so if yours is usually off overnight, change the schedule to a time it will be on. You should periodically check that your anti-virus software is running (the shield with a "V" on it is in the system tray) and that the virus definition (DAT) files are recent (Help -> About from the Console shows the DAT date; it should be within the last week or two).
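The same two checks (is the scanner running, are the definitions recent) done without clicking through the console, as an added PowerShell example that is not part of the original MIT page. It reads the state of whichever anti-virus product is registered with Windows Security Center, so it works for VirusScan or any other product, and assumes a client Windows release (Vista or later; the root\SecurityCenter2 namespace does not exist on Server SKUs). If no product is registered it falls back to Windows Defender's own cmdlet. The decoding of productState is the commonly used one for this undocumented field, and the two-week threshold is taken from the paragraph above.

```powershell
# Added example, not from the MIT page. Reports scanner and definition state for
# every anti-virus product registered with Windows Security Center (client Windows,
# Vista+). Falls back to Defender's cmdlet when nothing is registered.

$products = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
                -ErrorAction SilentlyContinue)

foreach ($p in $products) {
    # productState is an undocumented bit field; written as six hex digits TTSSDD:
    #   SS: 10 = real-time scanner on, 11 = snoozed, 00 = off, 01 = expired
    #   DD: 00 = definitions up to date, 10 = out of date
    $hex     = '{0:X6}' -f [int]$p.productState
    $scanner = switch ($hex.Substring(2, 2)) {
        '10' { 'ON' } '11' { 'SNOOZED' } '00' { 'OFF' } '01' { 'EXPIRED' } default { "unknown($_)" }
    }
    $defs = if ($hex.Substring(4, 2) -eq '00') { 'current' } else { 'OUT OF DATE' }
    Write-Output ("{0}: scanner {1}, definitions {2} (productState 0x{3})" -f
        $p.displayName, $scanner, $defs, $hex)
    if ($scanner -ne 'ON' -or $defs -ne 'current') {
        Write-Warning "$($p.displayName) is not protecting this machine"
    }
}

if (-not $products) {
    # Defender-only fallback: AntivirusSignatureAge is days since the last definition update.
    $mp = Get-MpComputerStatus
    Write-Output ("Defender: real-time protection {0}, signatures {1} day(s) old" -f
        $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureAge)
    if (-not $mp.RealTimeProtectionEnabled) { Write-Warning "Real-time protection is off" }
    if ($mp.AntivirusSignatureAge -gt 14)   { Write-Warning "Definitions are older than two weeks" }
}
```

The Security Center view is what Windows itself reports about the product, so a scanner that has crashed or been disabled shows up here even when its tray icon is still drawn.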


Disclaimer

The items discussed on this page are just the basic things that everyone using a Windows machine on the network should do. They are not a comprehensive security lock down, and will not protect against every threat. These are intended for workstation type machines - servers should have at least these things addressed, and more. For more information on securing Windows 2000 & XP Professional, you will need to read a book. Here are a few good choices:


Last Updated May 30, 2003
Copyright©2003 Massachusetts Institute of Technology

Comments and questions to netsec-www@mit.edu