Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Chapter 7: Antivirus Protection
Previous chapters in this guidance have referred to the risks that viruses and other forms of malicious software or malware present to the servers at Trey Research, the company in the guide scenario. This chapter delves more deeply into the subject of malware and discusses how Trey can protect its Microsoft® Windows®-based clients and servers from this risk.
In a relatively short period of time, viruses and other forms of malware have gone from being minor, infrequent nuisances to major security threats. Their proliferation has caused considerable damage on a global scale and even resulted in the demise of some companies that were caught unprepared. Protecting against these threats is therefore a critical issue for any organization, regardless of whether it runs older systems or the latest technology.
There are numerous paths that viruses and worms can follow to infect an organization's computing systems, and you must effectively protect each path to avoid penetration by malicious code. This chapter explores virus prevention and reaction steps that Trey should take to protect file, mail, and Web servers, workstations, and other network devices from these threats. It also examines the potential consequences of viruses and worms in order to provide rationale for implementation of broad scale solutions.
Developing an adequate defense against any threat requires that you first understand the nature of the threat. The better your understanding, the better equipped you will be to design and implement an effective response. Threats fall into three general categories: Trojan horses, viruses, and worms. It is critical that you understand how these threats differ from one another:
Trojan horse. A program that appears to be useful or harmless but that contains hidden code ("malicious payload") designed to exploit or damage the system on which it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Trojan horses are also called "Trojan code."
Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly even causing denial of service (DoS) attacks. Some worms can execute and spread without user intervention, while others require users to directly execute the worm code in order to spread. Worms may also deliver a payload in addition to replicating themselves.
Virus. A virus uses code written with the express intention of replicating itself. Viruses attempt to spread from computer to computer by attaching themselves to host programs. They may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.
Note: For more background information on antivirus terminology and defensive strategies, see The Antivirus Defense-in-Depth Guide referenced in the "More Information" section at the end of this chapter.
Many organizations underestimate the destructive power of malware. Some have never been infected and therefore do not understand the potential consequences. Others have had only minimal exposure to the problem. However, even a virus with a relatively minor payload can have a tremendous overall impact. Possible damages are not limited to lost files or systems that must be restored or reinstalled, but also include:
Loss of timely access to data. If a network-wide infection occurs, documents, databases, e-mail messages, or other important data items could potentially be lost if no recent or usable backup is available. The result would likely be a significant investment in time to recreate the lost data, affecting production schedules and employee morale. Even the loss of one critical document can have a significant impact on a business. An engineer might make considerable progress on an analysis report in a day's time, only to have that effort be completely lost when a virus causes the document to be corrupted or destroyed.
Lost productivity. Recreating documents and other files that are lost through a malware attack can be a disaster for an organization. The most common circumstance in which a backup is found to be unusable is when an emergency restore is attempted. In some cases, just identifying what has been lost can be a major undertaking. Actually recreating files is just one aspect of the recovery. Invariably, deadlines must be delayed because users must concentrate on recreating data rather than handling their normal tasks. Recovery can also make it necessary to bring in temporary workers to rebuild the data. This lost productivity and added expense can easily put organizations out of business, particularly if they are working on small margins or in very competitive markets.
Exposure of proprietary or customer data. Loss of proprietary information such as source code, trade secrets, or even confidential memos can have dire consequences for an organization. In the case of Trey Research, much of the data gathered by its engineers has commercial value. In addition, some of the analysis methods and algorithms used to compute results from raw data are proprietary. Loss or exposure of this data can have serious financial consequences.
Contributory liability. In environments where legally or commercially sensitive data is in use, liability issues arise. For example, imagine that a company hired Trey to assess contamination at the site of a school. If that customer’s data were to be prematurely exposed, the customer might become liable — and either the plaintiff or the defendant in any resulting suit could decide to include Trey in its liability.
The chief technical issues for antivirus protection involve where and how files, e-mail messages, and network traffic are scanned to determine whether viruses are present. Consider the following strategies:
Server-based scanning should be implemented first. Before you consider any options for protection, however, you should take the time to evaluate — and, if necessary, improve — disaster recovery policies and procedures for each server. You should evaluate not only the existing capabilities for backup, but also the recovery procedures in terms of time to restore. Compare the amount of time that users will be idle with the cost of revamping your backup procedures with newer, faster hardware. In addition, you need to have a mechanism in place for performing selective test restores as part of your backup procedures. A backup that cannot be successfully restored is virtually worthless.
File servers should be protected with antivirus solutions on each server that actively monitor the file system. When existing files are modified or new files are added, the antivirus application scans the files and can quarantine or repair an infected file before the infection can spread.
E-mail servers should use scanners that understand the proper way of scanning queues, transaction logs, and message databases. Antivirus programs that do not properly scan and disinfect these items can cause interruptions to e-mail service and data loss.
All clients should be protected with antivirus software. Whatever scanning tool is selected must provide proactive, real-time scanning of a client's file system to catch infections as they occur. Support for one-time and scheduled scans is less important if the application supports real-time scanning, but only if you force the configuration of the clients to enable real-time scanning. Without real-time scanning, start-up scans and frequent scheduled scans are a practical necessity.
The frequency of updates to antivirus scanner signatures is very important, because most vendors release signature updates quickly after new viruses are identified. An antivirus solution without an up-to-date antivirus signature database is only partially effective. Since new viruses are created every day, you must keep the antivirus signature database as current as possible to ensure effective scanning. When planning an antivirus strategy, give consideration to the accessibility of the antivirus updates and how frequently your servers will need to be updated.
How an antivirus solution reacts to a virus outbreak on the network and provides notification to administrators is crucial. Extended logging and notification by e-mail, pager, or other methods are very important features that can notify the administrative team quickly when an outbreak occurs.
Antivirus coverage is obviously a key part of security management and improvement. However, Trey faces several additional issues related to other parts of its security improvement plan:
Consistent attention to patch management will help reduce the likelihood of infection by many viruses and worms. Trey is moving aggressively to implement a patch management plan (as described in Chapter 6, “Patch Management”) to ensure that needed patches are quickly applied to vulnerable computers.
In addition to deploying antivirus scanners, it may be necessary to use intrusion detection or network monitoring software to catch anomalous network usage patterns that may indicate a newly emerging virus or worm.
In environments where Windows 2000 or Windows XP is the primary desktop operating system, it is possible to use Group Policy objects (GPOs) to force the installation of antivirus software and to ensure that it remains active. There is no good way to do this in Microsoft Windows NT® or Windows 98.
Reducing the attack surface of clients may require additional measures, including upgrading the installed version of Microsoft Internet Explorer and using the Internet Explorer Administration Kit, Group Policies, or Windows NT system policies to set appropriate security policies for the browser.
The solution requirements for most antivirus deployments are fairly simple. In the case of Trey Research, the requirements are to:
Provide automatic, file-level scanning for all clients.
Provide automatic, file-level scanning for all file servers.
Provide automatic and on-demand scanning (using Microsoft Exchange-aware scanning tools) for all Exchange mailbox servers.
Receive automatic updates for scanning signatures for all scanners within 12 hours of vendor release.
Investigate restrictions on the use of removable media (floppy disks, CD-ROMs, USB thumb drives) to help prevent the spread of viruses.
Because of the current composition of the Trey network, several additional requirements have been explicitly postponed until the desktop environment is upgraded:
Automatic initial installation of antivirus software.
Enforcement of the Trey security policy that requires antivirus software to be installed and running at all times.
Use of a separate perimeter antivirus/anti-spam filter that screens e-mail before initial delivery to the Exchange servers.
The Trey IT director wanted quick deployment of an antivirus solution to help reduce the company's exposure to viruses and other forms of malware.
The Trey antivirus solution has two tiers: client-side protection and server-side protection. Trey purposefully chose scanners from two different vendors to maximize the likelihood that signatures would become available quickly during an outbreak.
There are no prerequisites for this solution.
The Trey antivirus solution has several components that must work together to deliver effective antivirus protection.
Virus protection is not a one-step process in which installation of a single application suddenly delivers instant and perfect security. The first step for Trey involved patching all of its servers to a solid baseline. Because many forms of malware exploit known vulnerabilities in the operating system, installing the latest service pack and any post-service pack patches should be your first step in protecting against threats. Microsoft Windows Server™ 2003 often allows updates without a server reboot, but earlier Windows versions usually do not. Upgrading a server, therefore, requires careful planning to ensure that the server is adequately backed up prior to initiating the upgrade and that the upgrade can be rolled back if the upgrade fails. Consideration must also be given to when the upgrade can best be accomplished to minimize downtime.
To minimize the amount of time required to update the server, the Trey IT administrators used QChain.exe, available from Microsoft Knowledge Base article 815062, "The correct file is not installed when you chain multiple hotfixes" at http://support.microsoft.com/?kbid=815062, to install multiple updates with a single reboot. Additional information about using QChain.exe is available in Microsoft Knowledge Base article 296861, “How to Install Multiple Windows Updates or Hotfixes with Only One Reboot” at http://support.microsoft.com/?id=296861. This patching was conducted during non-business hours.
Trey also enhanced its perimeter protection (as described in Chapter 3, ”Network Hardening and Security”) to provide additional security for computers inside the network.
In addition to providing scanning at the file server, you must also analyze the server's existing file system security to identify means of minimizing the server's exposure. First, the servers should all use the NTFS file system, because FAT provides essentially no security. Using NTFS enables administrators to tune permissions to ensure that only the operating system itself has the capability to write to core directories and files; this helps restrict the damage that a virus can do if it does infect the servers.
Additionally, the Trey IT administrators reviewed all of the existing file server shares to eliminate unnecessary shares. They also added appropriate NTFS and share permissions to the shares to prevent anonymous access. These steps can protect against worms and viruses that exploit unprotected shares to propagate. In addition, you can use hidden shares to further reduce server exposure.
All file/print, application, and member servers are protected with the same scanning product. Exchange servers are protected with an Exchange-aware product from the same vendor. This approach allows all of the servers to be managed as a unit with the vendor’s enterprise management tools. Local administrators do not have the ability to configure scanning settings, although they can initiate manual scans.
Mail Server Protection
The most common entry point for malware in a network is the e-mail system, so in order to be effective, any protection scheme must include e-mail server protection. Although antivirus solutions that scan the file system can often catch viruses as they arrive in the e-mail system, a much better approach is to install an antivirus solution that actively and specifically scans messages and attachments. In networks in which Exchange Server is installed, you can choose from several antivirus solutions that are designed to work in conjunction with Exchange to proactively scan incoming and outgoing mail. These antivirus solutions typically use the antivirus application programming interface (API) built into Exchange Server to access and scan messages and attachments.
In situations in which other e-mail servers are used within the network, or where users connect to an external e-mail server, antivirus solutions that scan Simple Mail Transfer Protocol (SMTP) traffic at the gateway are an effective means of preventing infection from incoming messages, as well as preventing viruses from leaving the network in outgoing messages. Rather than integrating with the e-mail server software, these gateway-based solutions scan the SMTP traffic as it enters the network.
In some scenarios, using multiple antivirus engines can add an extra layer of protection. Some antivirus solutions such as GFI MailSecurity (available through the GFi Security and Messaging Software Web site at http://gfi.com) support multiple, concurrent antivirus engines from multiple antivirus vendors. Using multiple engines helps guard against the possibility that one particular engine will miss an infected message because the vendor has not yet provided an updated antivirus signature database file, or because a vendor's update site is down due to a DoS attack or network outage.
If you are not able to use multiple scanning engines, consider a combination of solutions. For example, you might deploy an Exchange Server-based solution to scan at the server with one or more antivirus engines, along with a gateway-based solution that uses one or more other antivirus engines.
Exploit detection is another important consideration when evaluating and deploying antivirus solutions for your e-mail system. Scanning for known viruses is essential, but scanning for e-mail exploits is equally important. An e-mail exploit is a script, an executable file, a malformed Multipurpose Internet Mail Extensions (MIME) header, or other mechanism that is used to exploit a vulnerability in the client e-mail application or operating system. The Nimda and BadTrans.B viruses are examples of viruses that used e-mail exploits to propagate and infect target systems.
An antivirus solution that provides e-mail exploit detection scans messages for methods that exploit the operating system or e-mail client. In effect, scanning for e-mail exploits enables the antivirus solution to scan for a broad category of potential threats. Although each virus has an individual signature and requires identification of that specific signature, a single exploit might be used by many viruses, including new viruses that attempt to take advantage of existing exploits. By blocking the exploit, you effectively block a range of viruses.
Whatever antivirus solutions you choose for your e-mail servers and network, there are two main reasons to consider scanning outgoing messages as well as incoming messages. First, the presence of an outgoing infected message is a sure indicator of an infected client system and can serve as early warning against a network outbreak. Scanning outgoing messages for e-mail exploits is important for the same reason. Second, outgoing viruses, even if they fail to have a major impact on your internal network, can have disastrous consequences for your organization's reputation and customer relationships. Customers whose own networks become infected by a virus sent from your e-mail server will have their confidence in your company shaken, which could very well damage the business relationship.
Even in the absence of an e-mail scanning solution, you can take steps to reduce the likelihood of an e-mail-borne virus infection, and you can implement an attachment-blocking scheme even if you do have an e-mail scanning solution in place. Blocking attachments not only helps to eliminate virus infections by preventing users from receiving executables and other types of files most susceptible to infection, but it can also help block e-mail exploits that rely on scripts or other file types that enable the exploit.
Microsoft Knowledge Base article 235309, "Outlook E-Mail Attachment Security Update" at http://support.microsoft.com/?kbid=235309 provides information about enhanced security protection for Microsoft Outlook®, such as attachment blocking and other features to prevent specific types of attachments from being opened by users and thereby infecting the local system and eventually the network. The security update is also available for Outlook 98 and is incorporated into Outlook 2002 and later versions. Exchange Server administrators can configure attachment blocking and other e-mail security options at the server, including adding or removing specific file types from the blocked lists. The Outlook Security Features Administrative Package (AdminPak) is included on the Microsoft Office 2003 Resource Kit CD-ROM and is available from Microsoft Office Online at http://office.microsoft.com/officeupdate/. In addition to providing the means for Exchange Server administrators to configure attachment blocking options, the Administrative Package also enables administrators to configure which applications can access a user's address book, send messages programmatically, and perform other actions.
If you do not use Exchange Server or prefer not to control security options at the server, you can configure Outlook locally to modify attachment blocking. Modifying a handful of registry settings for Outlook modifies the attachment blocking behavior. For information about modifying attachment blocking options for Outlook at the local level, see Microsoft Knowledge Base article 829982, “Cannot open attachments in Microsoft Outlook” at http://support.microsoft.com/?id=829982. If you use Outlook Express as an e-mail client, either in place of or in conjunction with Outlook (or another client), you need to patch Outlook Express to help secure against e-mail-borne viruses and exploits. The Outlook Express Security Patch provides many of the same attachment blocking features as the Outlook security update and also fixes other problems, including a buffer overflow exploit for Outlook Express mail headers.
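As an added example (not from this guide, and not code from any Trey, Microsoft, or vendor product), the following Python checks apply the attachment-blocking policy and the e-mail exploit detection described above to a constructed message: they flag blocked and double extensions, an executable filename delivered under a passive media Content-Type, a filename that differs between the Content-Type and Content-Disposition headers, and any header defects the parser records. The blocked extension list, the passive content types, and the sample messages are assumptions, not Trey's configuration.

```python
"""Gateway-style attachment and e-mail exploit checks (added example)."""
import email
from email import policy

# Assumed policy: extensions blocked at the server. A real deployment takes
# this list from the Outlook/Exchange blocked-attachment configuration.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                      ".vbs", ".js", ".wsh"}
# Content types a client may render or play automatically. An executable
# filename under one of these types is the mark of a disguised payload.
PASSIVE_CONTENT_TYPES = {"audio/x-wav", "audio/wav", "image/gif",
                         "image/jpeg", "text/plain"}


def suffixes(filename):
    """All dotted suffixes, lower-cased: 'a.doc.vbs' -> ['.doc', '.vbs']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def check_part(part):
    """Findings for one non-multipart MIME part as (rule, detail) tuples."""
    findings = []
    ctype = part.get_content_type()
    ct_name = part.get_param("name")                    # name= on Content-Type
    cd_name = part.get_param("filename", header="content-disposition")
    filename = cd_name or ct_name
    if not filename:
        return findings
    exts = suffixes(filename)
    final = exts[-1] if exts else ""
    if final in BLOCKED_EXTENSIONS:
        findings.append(("blocked-extension", filename))
        if len(exts) > 1:                               # e.g. report.doc.vbs
            findings.append(("double-extension", filename))
        if ctype in PASSIVE_CONTENT_TYPES:              # media type, exe name
            findings.append(("disguised-executable", f"{ctype} carries {filename}"))
    if ct_name and cd_name and suffixes(ct_name)[-1:] != suffixes(cd_name)[-1:]:
        findings.append(("header-mismatch", f"name={ct_name} filename={cd_name}"))
    return findings


def check_message(raw):
    """Parse raw RFC 822 text and return all findings across every MIME part."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        for defect in part.defects:                     # malformed headers
            findings.append(("mime-defect", type(defect).__name__))
        if not part.is_multipart():
            findings.extend(check_part(part))
    return findings


def verdict(findings):
    """Policy decision: any finding is enough to hold the message."""
    return "quarantine" if findings else "deliver"


# Constructed sample: two attachments that a blocking policy should stop.
SAMPLE = """From: sender@example.com
To: user@example.com
Subject: constructed sample message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please see the attached files.
--BOUNDARY
Content-Type: audio/x-wav; name="readme.exe"
Content-Disposition: inline; filename="readme.exe"

placeholder bytes
--BOUNDARY
Content-Type: application/octet-stream; name="report.doc"
Content-Disposition: attachment; filename="report.doc.vbs"

placeholder bytes
--BOUNDARY--
"""

# Constructed clean message with no attachment.
CLEAN = "From: a@example.com\nTo: b@example.com\nSubject: hi\n\nJust text.\n"

if __name__ == "__main__":
    for rule, detail in check_message(SAMPLE):
        print(f"{rule}: {detail}")
    print(verdict(check_message(SAMPLE)), verdict(check_message(CLEAN)))
```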
All clients — Windows 98, Windows NT 4.0, Windows 2000, and Windows XP — are protected using the same scanning product. A Group Policy was configured to apply consistent settings to Windows 2000 and later clients, and the Windows NT system policy mechanism described in Chapter 4, “Hardening Windows NT 4.0,” was used to apply consistent settings to Windows NT and Windows 98 clients. Trey Research also updated its written security policy to require the use of antivirus software on all computers used to connect to the corporate network, including home computers used with the company’s virtual private networking (VPN) capability.
Antivirus solutions typically offer scheduling of dynamic updates, either directly from the vendor across the Internet or from a local network server where the updates have been posted. You can choose to have all servers pull their updates from the vendor across the Internet or to have a single server (or selection of servers) pull the updates from the vendor and have the remaining servers pull the updates from those local servers. The method that you choose depends on whether you want or need to minimize Internet traffic. If you do, pulling from a local server is a way to reduce that traffic.
The availability of updates is another factor that can influence your decision whether to choose a single-vendor or single-engine solution or to opt for a solution that integrates scanning engines from multiple vendors. A distributed DoS attack might succeed in taking down a single vendor for a period of time, and using solutions from multiple vendors can help avoid that potential problem.
Trey chose to set its servers to update virus definitions every two hours; clients update daily at 4:00 A.M. Eastern Time. This time was chosen to provide an opportunity to stop viruses whose propagation begins in Europe (a pattern that has held for several major outbreaks in the past).
How the Solution Works
In addition to implementing antivirus tools on clients, servers, and mail servers, Trey took some additional steps as part of its overall security modernization plan. These steps are relevant to virus protection because they strengthen the defense offered by antivirus tools alone.
Trey took the following additional measures, described elsewhere in this guidance:
Updated client and server operating systems with all updates and patches.
Updated Internet Explorer, Outlook Express, and Outlook with the latest versions and patches.
Developed and implemented programs to educate users about the methods of infection and steps they must take to limit the network's exposure.
Hardened servers and clients by removing or disabling unnecessary services that can be subjected to attack, removing shares, and locking down services such as IIS.
Physically secured servers to prevent access by unauthorized or untrained users.
Implemented perimeter protection with firewalls.
Deployed security options for Internet Explorer through the Internet Explorer Administration Kit (IEAK) available at http://www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx, system policies, or Group Policies to prevent install-on-demand, Microsoft ActiveX® scripting, and other potential threats.
Antivirus protection is a necessary part of any security effort that is targeted at networked computers. When you choose and deploy the right antivirus solution appropriately, it adds a valuable degree of protection to other security measures that are already in place.
This chapter has described the fundamentals of how Trey Research chose to implement antivirus protection. The Trey approach calls for client-based and server-based antivirus scanners from different vendors, coupled with aggressive scanning and signature update policies. This deployment is backed by changes to the security and computer use policy that require all users to use antivirus software at all times.
Additional information about Exchange Server and antivirus solutions is available in Microsoft Knowledge Base article 823166, "Overview of Exchange Server 2003 and antivirus software" at http://support.microsoft.com/?kbid=823166.
Additional information about the Outlook Express Security Patch is available in Microsoft Knowledge Base article 267580, "OLEXP: Information about the Outlook Express Security Patch" at http://support.microsoft.com/?kbid=267580.
The Antivirus Defense-in-Depth Guide from Microsoft provides comprehensive information about designing a defense-in-depth antivirus solution. The guide is available at http://go.microsoft.com/fwlink/?LinkId=28732.