-
October 27th, 2008, 02:36 PM
#11
You still did not quite cover MLF's questions:
What was executed ...with administrator privileges...on a server?? and how?
What was the role of this server??
How did the lack of AV cause an infection?? It is a reactive approach?
Both our servers are logged on with ADMINISTRATOR at all times. Don't ask me why. I believe it started duplicating files on a share that the marketing department uses and then just spread like wildfire.
There is no problem with leaving a server logged on as administrator; in fact it can prevent a console remote login by another user (although security policies should be preventing this anyway)..... In saying that, if the server is left unattended, the user should lock the computer, requiring the password to be entered again to gain access.
Also, depending on the software installed, it may need a user account logged on to work (read: application-based feed vs. installed service).
Last edited by CybertecOne; October 27th, 2008 at 02:39 PM.
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
October 27th, 2008, 03:01 PM
#12
Hi there,
Well, my issue mainly with the AV on the server is that it did not pick it up.
Will reply fully when I get home.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
October 28th, 2008, 08:20 AM
#13
What is the specific AV Product?
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
October 28th, 2008, 11:54 AM
#14
Hey there guys
The specific AV product is Panda for Enterprise. Basically this is a proactive and a reactive product. The malware was not in our signature file; however, Panda's technologies such as "TruPrevent", which is a deep code scan for behaviour analysis, should have picked it up. This is my issue.
EDIT: The server's role is that it hosts a number of applications, except our mail.
Last edited by Cider; October 28th, 2008 at 12:00 PM.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
October 28th, 2008, 03:00 PM
#15
If a shared directory on a server gets infected...there should be no way it affects the OS of the server unless the user\client that got infected had domain admin privileges...and still, domain admin is not server admin.
My point is the server should not have gotten infected if security is set correctly and it is patched.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 28th, 2008, 03:10 PM
#16
MLF, that is a very hard point to sell. For whatever reason the antivirus vendors have succeeded in scaring the hell out of companies. Even this latest RPC thing lends itself to the need for antivirus software. I still laugh at companies that spend 15k for antivirus licensing.
I haven't run antivirus on a server (other than Exchange) in like 7 years. Been running Exchange without AV for the last two years.
Vendors constantly want to speak to "management" when they find this out. "Management" explains that we have experienced zero down time due to virus or malicious software in going on 10 years now.
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
October 28th, 2008, 03:15 PM
#17
It probably was a shared directory - yes. There are about 3 of us with domain admin rights.
Can you please explain to me how a shared directory on the server that got infected will not/cannot spread to the rest of data on that particular server? What is stopping a virus from spreading to a non shared folder or files?
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
October 28th, 2008, 03:19 PM
#18
Originally Posted by dinowuff
MLF, that is a very hard point to sell. For whatever reason the antivirus vendors have succeeded in scaring the hell out of companies. Even this latest RPC thing lends itself to the need for antivirus software. I still laugh at companies that spend 15k for antivirus licensing.
I haven't run antivirus on a server (other than Exchange) in like 7 years. Been running Exchange without AV for the last two years.
Vendors constantly want to speak to "management" when they find this out. "Management" explains that we have experienced zero down time due to virus or malicious software in going on 10 years now.
Hi there,
I am very intrigued by these comments of yours. Please explain to me in detail how the hell you are protecting your company with no AV packages running? Running Exchange 2007, I presume. Please explain.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
October 28th, 2008, 04:06 PM
#19
You should really read this.
http://technet.microsoft.com/en-us/l.../cc163140.aspx
I have not had a real-time virus scanner on my server in years.....we do real-time scan mail and clients. Absolutely 0 downtime due to a virus in 8+ years. Also, our mail server strips certain attachments.
No one runs as domain administrator on a day-to-day basis....if admin duties need to be performed...the domain admin account is used...and then logged off and re-logged in as a domain user.
If a domain administrator account becomes compromised you risk your whole network!
Also...you can restrict access to shared folders through permissions. I am sure, say, production or sales users don't have access to finance folders or other users' folders....or do they???
How people treat you is their karma- how you react is yours-Wayne Dyer
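The two controls MLF describes above (share permissions that keep ordinary users out of folders they do not need, and a Domain Admins group that nobody uses for daily work) are the kind of thing you can audit rather than assume. The following PowerShell is an added example written for this page, not code from any poster: it walks every non-administrative SMB share on the server it runs on, flags share-level or NTFS entries that grant write access to broad groups, and lists Domain Admins membership. It assumes the SmbShare module (Windows Server 2012 and later) and, for the second function, the ActiveDirectory RSAT module; the group list in $BroadPrincipals is an illustrative choice, not a standard.

```powershell
# Added audit example (not part of the original thread). Assumes the SmbShare
# and ActiveDirectory modules are present on the file server where it runs.

# Groups that, for this audit, count as "everybody"; adjust to your domain.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

function Get-BroadlyWritableShares {
    # Returns one record per share/NTFS entry that lets a broad group write.
    $findings = @()
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Share-level ACL: Change or Full to a broad group is a finding.
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            $who = ($ace.AccountName -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.AccessRight -in @('Change', 'Full') -and
                $BroadPrincipals -contains $who) {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Principal = $ace.AccountName; Right = $ace.AccessRight
                }
            }
        }
        # NTFS ACL on the underlying folder: the share ACL alone is not the
        # effective permission, so check both layers.
        $acl = Get-Acl -Path $share.Path
        foreach ($ace in $acl.Access) {
            $who = ($ace.IdentityReference.Value -split '\\')[-1]
            $rights = $ace.FileSystemRights.ToString()
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $who -and
                $rights -match 'Write|Modify|FullControl') {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Principal = $ace.IdentityReference.Value; Right = $rights
                }
            }
        }
    }
    return $findings
}

function Get-DomainAdminMembers {
    # Recursive membership, so nested groups are expanded too.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

# Usage: run elevated on the file server, then review both lists.
Get-BroadlyWritableShares | Format-Table -AutoSize
Get-DomainAdminMembers | Format-Table -AutoSize
```

A share where Everyone or Domain Users shows up with Change/Full at the share layer and Modify at the NTFS layer is exactly the kind of marketing share the infection described earlier could spread across; tightening either layer to a specific department group stops an infected client from writing outside its own folders.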
-
October 28th, 2008, 05:29 PM
#20
Originally Posted by Cider
Hi there,
I am very intrigued by this comment/s of yours. Please explain to me in detail how the hell you are protecting your company with no AV packages running? Running exchange 2007 I presume. Please explain.
WOW Now that's a request!
First off read the link MLF provided.
Second, I use Cisco products, not ISA, so there is a difference there.
Third, MXLogic.
Fourth, Websense.
Now I must say that I only patch things that I allow on my network. I DO NOT RANDOMLY PATCH EVERYTHING THAT COMES DOWN THE PIPE! Make that your #1 rule.
I do not allow ICMP in or out of the network unless it's port 25. Which means I can't even do a tracert to you from my workstation (USE DNSSTUFF instead).
I deny all but email traffic. 80 and 8080 are on a separate VLAN. Many Cisco IOS rules there.
NO ONE has admin or power user rights. Many AD policies modified so users can still configure their bells and whistles.
If MXLogic is down or unavailable, I do not receive any email.
If Websense is down, NO INTERNET ACCESS for anyone.
All endpoint devices (even remote users) must use MY equipment, and MY gateway. Again, AD rules.
No bootable USB devices. Only administrators can boot from CD.
Only the one mail server has a gateway. THERE ARE NO INTERNET GATEWAYS on my servers. Servers are locked with a domain account. And in a secure data center.
Layer 3 SNMP traps and MAC filtering enterprise-wide.
The bottom-line theory is: do all your scanning and filtering either off the network or on the other side of the gateway.
Endpoint security and layer 3 threats are #1.
Don't allow remote access, SSL or RDP, to a server unless you are 100% sure security is set correctly. If remote control is not needed, uninstall the service. DO NOT DISABLE, uninstall. A service or program cannot be exploited if it is not installed.
Research Windows 2008 and M$ Virtual Server.
DO NOT INSTALL VISTA ANYWHERE ON YOUR NETWORK.
That's just the tip of the iceberg.
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
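Three of the server-side points in the post above can be checked on a box rather than taken on trust: whether RDP is actually switched off, whether the Remote Desktop role is uninstalled rather than merely disabled, and whether the server has a default gateway at all. The PowerShell below is an added example for this page, not the poster's own tooling. It assumes a Windows Server with the ServerManager module (2008 R2 and later) and uses WMI for the network check so it does not depend on newer networking cmdlets; the feature names it tests are the real Remote Desktop role-service names, but which ones count as "not needed" is a local decision.

```powershell
# Added hardening check (not from the original thread). Run elevated on the
# server being checked; assumes the ServerManager module is available.

function Test-RdpListenerDisabled {
    # fDenyTSConnections = 1 means Remote Desktop connections are refused.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $val = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    return ($val -eq 1)
}

function Get-InstalledRemoteDesktopFeatures {
    # "Disable" leaves the binaries on disk; "uninstall" removes the feature.
    # Anything returned here is still installed, whatever its service state.
    Import-Module ServerManager -ErrorAction Stop
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.Name -like 'RDS-*' } |
        Select-Object Name, DisplayName
}

function Get-AdaptersWithDefaultGateway {
    # A server that is not supposed to reach the internet should have no
    # default route; any IP-enabled adapter with a gateway is reported.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Where-Object { $_.DefaultIPGateway } |
        Select-Object Description, IPAddress, DefaultIPGateway
}

function Invoke-ServerExposureCheck {
    # Collects the three checks into one object for reporting.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RdpDisabled     = Test-RdpListenerDisabled
        RdsFeatures     = @(Get-InstalledRemoteDesktopFeatures | ForEach-Object Name)
        GatewayAdapters = @(Get-AdaptersWithDefaultGateway)
    }
}

$result = Invoke-ServerExposureCheck
$result | Format-List
if (-not $result.RdpDisabled)          { Write-Warning 'RDP listener is enabled.' }
if ($result.RdsFeatures.Count -gt 0)   { Write-Warning 'Remote Desktop features are still installed.' }
if ($result.GatewayAdapters.Count -gt 0) { Write-Warning 'Server has a default gateway configured.' }
```

Each warning maps to one line of the post: the first to "don't allow RDP unless security is set correctly", the second to "uninstall, do not disable", and the third to "no internet gateways on my servers". Running the script against every server before and after a change gives you a record instead of a recollection.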