
Thread: Securing a network against MSBlast

  1. #11
    Senior Member
    Join Date
    May 2003
    Posts
    472
    - Close TCP port 135 and also other NetBIOS ports (135-139, 445 and 593)
    - Monitor all activities on TCP port 4444 and UDP port 69
    - Download and apply Microsoft’s Patch
    - Download and run the Blaster Removal Tool from Symantec to clean your system

    ===============

    - Microsoft’s patch: http://www.microsoft.com/technet/tre...letin/MS03-026
    - Blaster removal tool:
    http://securityresponse.symantec.com...oval.tool.html
    - Microsoft Security Bulletin – DCOM RPC Vulnerability: http://www.microsoft.com/technet/tre...n/MS03-026.asp
    - Microsoft RPC Model: http://msdn.microsoft.com/library/de..._rpc_model.asp

    Security Patches for M$BLAST
    ------------------------------------------
    For Windows NT Server 4.0 and WorkStations

    http://download.microsoft.com/downlo...a/Q823980i.EXE

    Windows NT Server Terminal Service Editions

    http://download.microsoft.com/downlo...9/Q823980i.EXE

    Windows 2000 (Server, Professional, DataCenter)

    http://download.microsoft.com/downlo...80-x86-ENU.exe

    Windows XP (32 Bit)

    http://download.microsoft.com/downlo...80-x86-ENU.exe

    Windows XP (64 Bit. For Intel Itanium Based Systems)

    http://download.microsoft.com/downlo...0-ia64-ENU.exe

    Windows 2003 (32 Bit. Server, Enterprise, DataCenter, Web)

    http://download.microsoft.com/downlo...80-x86-ENU.exe

    Windows 2003 (64 Bit. For Intel Itanium Based Systems)

    http://download.microsoft.com/downlo...0-ia64-ENU.exe

    Enable the Internet Connection Firewall in Windows XP Professional, Windows XP Home Edition and Windows 2003 (All Editions)

    Windows XP Pro

    http://www.microsoft.com/windowsxp/p...orking/icf.asp

    Windows XP Home

    http://www.microsoft.com/WindowsXP/h...omenet/icf.asp

    Windows 2003 All Editions

    http://www.microsoft.com/technet/tre...e_firewall.asp
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
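
Added example (not part of the original post): a small triage script for the "close" and "monitor" port lists in post #11, run over firewall log records. The sample log is constructed, its column layout is an assumption modeled on the XP Internet Connection Firewall log, and the function names are hypothetical.

```python
from collections import defaultdict

# Ports the post says to close (TCP 135-139, 445, 593) and to monitor.
CLOSE_TCP = set(range(135, 140)) | {445, 593}
WATCH = {("TCP", 4444), ("UDP", 69)}

# Constructed sample. The column layout is an assumption modeled on the
# XP Internet Connection Firewall log (pfirewall.log).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-08-12 09:14:01 DROP TCP 192.0.2.10 192.0.2.21 1050 135 48
2003-08-12 09:14:01 DROP TCP 192.0.2.10 192.0.2.22 1051 135 48
2003-08-12 09:14:02 OPEN TCP 192.0.2.10 192.0.2.23 1052 135 -
2003-08-12 09:14:03 OPEN TCP 192.0.2.10 192.0.2.23 1053 4444 -
2003-08-12 09:14:04 OPEN UDP 192.0.2.23 192.0.2.10 1029 69 -
2003-08-12 09:15:30 OPEN TCP 192.0.2.40 198.51.100.5 1100 80 -
2003-08-12 09:16:00 DROP TCP 192.0.2.41 192.0.2.21 1200 abc 48
"""


def triage(log_text):
    """Return ({src_ip: [(kind, proto, dport, dst_ip)]}, skipped_lines)."""
    findings, skipped = defaultdict(list), 0
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        try:
            action, proto, src, dst = parts[2], parts[3].upper(), parts[4], parts[5]
            dport = int(parts[7])
        except (IndexError, ValueError):
            skipped += 1  # malformed record: count it, never guess a port
            continue
        if proto == "TCP" and dport in CLOSE_TCP:
            # Anything not dropped on a should-be-closed port is an exposure.
            kind = "blocked" if action == "DROP" else "exposed"
            findings[src].append((kind, proto, dport, dst))
        elif (proto, dport) in WATCH:
            findings[src].append(("watch", proto, dport, dst))
    return dict(findings), skipped


def multi_target_sources(findings, min_targets=3):
    """Sources that reached for closed-list ports on >= min_targets hosts."""
    return sorted(
        src for src, hits in findings.items()
        if len({h[3] for h in hits if h[0] != "watch"}) >= min_targets
    )
```

An "exposed" finding means the filter let through traffic to a port the post says to close, so that rule is the first thing to recheck; "watch" findings are the TCP 4444 and UDP 69 activity the post asks to monitor.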

  2. #12
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Well, between patches to those systems I could, and I started with the servers, I found the firewall settings, at least mine, only ports open were those that I know we use, and also pushing the latest anti virus updates to all systems, that last week was covered. Been at it too long, patches and anti virus pushed to every computer. Only thing I had to deal with were the pop ups saying an email Sobig.F was caught and people thinking oops I'm infected, but it was placed in a harmless area and removed. Always remember security is as strong as your most lame user, and usually it is one of the biggies of the company.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  3. #13
    Senior Member Maestr0
    Join Date
    May 2003
    Posts
    604
    Having dealt with the same crap as nebulus and TH13, I would recommend the following:

    Secure perimeter
    Managed and up to date Anti-virus software
    Centralized patch management and deployment


    -Maestr0

    I remembered to secure my VPN but missed a dial-up (Doh!), but was nearly up to date on all patches and most boxes so just had to play a little tag with Blaster and Welchia. It was still a pain in the ass.
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  4. #14
    I think that if people just applied the patches for Windoze the blaster worm wouldn't have been so prolific. You must also have firewalls and AV applications.

    JMO


    ccKid

  5. #15
    Senior Member
    Join Date
    Jul 2003
    Posts
    217
    Up to date antivirus definitions and patch management are very important, especially when you have lots of users who know nothing. Lots of people tend to forget the patch management for the end users. Patching the servers and making sure the antivirus is updated on servers and securing the firewall is useless once some idiot inside lets it loose on your network when lots of the end users are not protected on their own system.

    Now with most users having notebooks and working from all over the place it gets almost unmanageable with remote tools to deploy patches and updates.

    I have that problem trying to manage users' systems even with the remote tools I have to push updates and patches to the users.

  6. #16
    Senior Member gore
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by nebulus200



    Welp, I have over 60000 users on my network with about 59500 of them being not the sharpest tools in the shed, so you can imagine what I have had to deal with :/

    /nebulus
    A lil LART would help you out greatly. Make them FEAR calling you.

  7. #17
    Hi guys,

    If the network is affected by the Welchia worm & I use the removal program from Symantec, then after removing the worm will it stop sending ICMP packets to other PCs/networks or do I have to do anything else??

    Thanks
    viruss
    Be Cool ..


  8. #18
    Well, if you have a good antivirus that should pick it up. If not, it is a good idea to install the patch. An easier way of doing this is to put it in the logon script of a privileged account like sysuser1 or something like that and log into all the machines. That I think would be the easiest way.

    hope I was of good help,

    c0bra
    http://www.danasoft.com/sig/c0bra.jpg
    click here to hack my computer and delete all my important files

  9. #19
    Junior Member
    Join Date
    Oct 2003
    Posts
    26
    Originally posted here by viruss
    Hi guys,

    If the network is affected by the Welchia worm & I use the removal program from Symantec, then after removing the worm will it stop sending ICMP packets to other PCs/networks or do I have to do anything else??

    Thanks
    viruss
    Virus removal is not enough. If you didn't apply any patch for it, it'll keep on infecting your system, better be on the lookout for patches etc.

    As what others have said, try to secure your point of entry, firewall/router, VPN servers and RAS servers. For Cisco routers, you can go to cisco.com and check for access-lists that will help ya thwart attacks, check Microsoft for OS patches and check the antivirus site for patches for OS vulnerability as well.

  10. #20
    I haven't seen anyone mention Software Update Services yet, so here's a link ...
    It's free, easy to set up and makes managing a crappy Windoze network so much easier.
