Secure development: The way software has to be done.
1. Symptoms to help you determine if you are infected
· Account lockout policies are being tripped
· Domain Controllers are being hammered
· Network congestion
· Sluggish Client Behavior
2. Steps to help you recover
Patch and clean – apply MS08-067 and review this info on weak passwords
· Weak Password and Lockout policy info
What you should know about strong passwords: http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc
http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx
http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp
Password Best Practices: http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp
Accounts Passwords and Lockout Policies: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Account Lockout and Management Tools: http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en
· Passgen is a tool that allows you to reset local passwords on large blocks of systems: http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx
3. Malware Removal
1. MSRT - The updated MSRT will be live Tuesday 13 January. However, Conficker breaks Automatic Updates, so you will also need these KBs for manual download information and alternate enterprise deployment steps:
KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/kb/890830
KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
http://support.microsoft.com/kb/891716
2. FCS / OneCare
3. Competitive AV
4. Manual Cleanup - The template with the manual cleanup steps and a script is in a separate post.
See these blog posts for additional resources:
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx