
Protecting Exchange Server 2003 against Computer Viruses

Understanding Worms, Viruses and Trojan Horses

A virus is malicious code that infects files on a system and then replicates itself into further files. Viruses usually lead to some sort of data loss and/or system failure.

There are numerous methods by which a virus can get into a system:

  • Through infected floppy disks.

  • Through an e-mail attachment infected with the virus.

  • Through downloading software infected with the virus.

To protect your network infrastructure against viruses:

  • Install virus protection software on systems.

  • Regularly update all installed virus protection software.

  • Regularly back up systems after they have been scanned for viruses, and are considered clean from virus infection.

  • Educate your users not to open e-mail attachments sent by individuals they do not recognize.

A worm is autonomous code that propagates over a network, consuming hard drive space and processor cycles. Worms not only infect files on one system but also propagate to other systems on the network. The purpose of a worm is to deplete available system resources, which is why a worm makes copies of itself over and over. Worms replicate until available memory is used, bandwidth is unavailable, and legitimate network users can no longer access network resources or services.

A Trojan horse is a file or e-mail attachment disguised as a friendly, legitimate file. When executed, though, the file corrupts data and can even install a backdoor which hackers can use to access the network.

A Trojan horse differs from a virus or worm in the following ways:

  • Trojan horses disguise themselves as friendly programs. Viruses and worms are much more obvious in their actions.

  • Trojan horses do not replicate like worms and viruses do.

A few different types of Trojan horses are listed here:

  • Keystroke loggers monitor the keystrokes that a user types and then e-mail the information to the attackers.

  • Password stealers are disguised as legitimate login screens that wait for users to enter their passwords, which are then captured for the hackers. Their aim is to discover and steal system passwords.

  • Remote administration tools (RATs) are used by hackers to gain control over the network from a remote location.

  • Zombies are typically used to initiate distributed denial of service (DDoS) attacks on the hosts within a network.

Planning an Antivirus Strategy

To secure and protect your Exchange Server 2003 messaging system from viruses, you need to plan and implement an effective antivirus strategy.

Your antivirus strategy should include the following:

  • Install antivirus software at the necessary locations. Antivirus software can be installed at several different locations:

    • Installing antivirus software on firewalls: When you install antivirus software on a firewall, the firewall scans incoming files and filters out any viruses before the files reach the network. A firewall can also filter out viruses leaving the network. You can configure antivirus software installed on a firewall to perform a number of functions:

      • Send e-mail to an administrator when a virus is detected.

      • Remove attachments.

      • Keep a suspicious message in a queue so that it can be examined at a later stage.

    • Installing antivirus software on servers: It is recommended that you install antivirus software on each Exchange Server 2003 server deployed in the organization. This strategy helps prevent viruses from reaching users who do not have client-side antivirus software installed. You can configure antivirus software installed on a server to perform a number of functions:

      • Scan mailbox stores for viruses.

      • Scan public folder stores for viruses.

      • Scan the transport.

      • Filter out viruses before they reach the network.

    • Installing antivirus software on client computers: You should install antivirus software on each client that accesses the network, including remote clients. When installed on client computers, the antivirus software installs file system filters that scan files for the signatures of known viruses. The antivirus software is activated when a user opens an attachment that contains a virus. The attachment is either immediately deleted or copied to the local hard disk so that the file can be cleaned.

  • Maintain the effectiveness of the antivirus software by ensuring that it is current.

  • Make users aware of viruses and the threat that they pose.

  • Educate users on ensuring that their computers are updated with the latest signature files and security updates.

You can use any of these methods to inform and alert users about e-mail virus threats:

  • Send e-mail messages to users.

  • Regularly inform users about currently circulating viruses, and educate them on the different ways of dealing with these viruses.

  • Educate users on the characteristics of attachments that should not be opened.
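As an added example (not code from the original article), the three gateway actions listed earlier for antivirus software on a firewall, alerting an administrator, removing attachments and holding a suspicious message in a queue, applied to a constructed e-mail. The extension lists are an assumed, illustrative deny list of the attachment characteristics users are taught to refuse, not an official one:

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed deny list (illustrative, not an official one) of attachment characteristics
# users are taught to refuse: directly executable types are stripped, container
# formats the gateway scanner cannot look into are held for examination.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "cab"}


def attachment_verdict(filename: str) -> str:
    """Return 'remove', 'queue' or 'allow' for an attachment file name."""
    # Only the final extension counts, so a double extension such as
    # invoice.pdf.exe is judged by the .exe that Windows would actually run.
    name = filename.strip().lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "remove"
    if ext in ARCHIVE_EXTENSIONS:
        return "queue"
    return "allow"


def apply_gateway_policy(raw: bytes) -> dict:
    """Apply the three firewall antivirus actions to one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed, queued, kept = [], [], []
    if msg.is_multipart():
        for part in msg.get_payload():
            name = part.get_filename() or ""
            is_attachment = part.get_content_disposition() == "attachment"
            verdict = attachment_verdict(name) if is_attachment else "allow"
            if verdict == "remove":
                removed.append(name)    # attachment is dropped from the message
                continue
            if verdict == "queue":
                queued.append(name)     # whole message is held for examination
            kept.append(part)
        msg.set_payload(kept)           # rebuild the multipart without removed parts
    alert = None                        # text of the e-mail sent to the administrator
    if removed or queued:
        alert = (f"virus policy: sender={msg['From']} subject={msg['Subject']} "
                 f"removed={removed} queued={queued}")
    return {
        "deliver": not queued,          # queued messages wait for an administrator
        "removed": removed,
        "queued": queued,
        "alert": alert,
        "message": msg,                 # sanitized message, ready for delivery
    }


def build_sample_message() -> bytes:
    """Constructed test input: a document, a double-extension executable, an archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK constructed", maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg.as_bytes()
```

The executable is stripped and the administrator alerted, while the archive causes the whole message to be held rather than delivered, matching the three configurable firewall actions.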

When deciding on which antivirus software to install, consider the following important factors:

  • Check whether the vendor is TruSecure International Customer Service Association (ICSA) Lab certified or CheckMark certified.

  • Determine whether the vendor that you select provides support for software that can be used with Exchange Server 2003.

  • Determine the following additional important information on the vendor:

    • The frequency at which the vendor releases product updates. This becomes especially important when a virus manages to attack your system.

    • Determine whether the vendor provides any assurance that it will update its software to scan for new viruses.

  • Determine whether the antivirus software integrates with Exchange Server 2003 and all other services running in the environment.

  • Determine whether the antivirus software will negatively affect the performance of Exchange Server 2003.

  • Determine which of the following threats the antivirus software provides protection for:

    • Viruses

    • Worms

    • Trojan horses

  • Determine whether the antivirus software that you want to use scans both inbound and outbound e-mail.

  • Determine whether the software provides for the scanning of viruses at the following locations:

    • Firewall

    • Server

    • Client computer

    • Transport

  • Check whether the antivirus software provides the same level of protection for local computers and remote systems.

  • Check whether the software includes support for automated updates.

  • Determine whether automated deployment of client-based software is supported.

  • Determine whether clients can be monitored from one single location.

Defining Virus-Clean Policies and Procedures

Because there may be instances where a virus manages to bypass your security measures and attack your system, you need to define virus-clean policies and procedures that will deal with these events.

Virus-clean policies and procedures should be carefully planned and defined so that they assist with the following:

  • Determine the source of the attack.

  • Determine the extent of the attack.

  • Gather information on the attack.

  • Provide for the continual operation of the organization.

  • Prevent the attack from causing more damage.

  • Protect mission-critical, sensitive data.

  • Protect networks.

  • Protect systems.

  • Enable you to isolate all affected systems by taking them offline.

  • Recover any virus infected system.

In cases where antivirus software does not manage to completely remove a virus from an affected system, you might need to perform the following activities:

  • Use a clean backup copy to restore the system to its original state.

  • Reinstall the operating system.

  • Reinstall all applications.

Security Updates and Exchange Server 2003

A software update is a file or set of files applied to a computer running a Windows operating system to correct an existing issue or to add enhancements and additional features. An update is also referred to as a patch. An update can only be applied to specific software that is already installed. All Microsoft updates are delivered as executable files with an .exe extension, and each update backs up the files that it replaces. Security-specific updates need to be deployed almost immediately, while other updates address reliability problems.

Security updates eliminate known security vulnerabilities. Remember that if Windows Server 2003 has known security vulnerabilities, then Exchange Server 2003 also has security issues.

The characteristics of security updates are listed here:

  • Security updates are released by the Microsoft Security Response Center (MSRC) to address a specific security weakness or vulnerability.

  • Each specific security update includes a security bulletin and a Microsoft Knowledge Base article.

  • The security bulletin provides administrators with comprehensive information on the existing security issues and security vulnerabilities:

    • Who the security bulletin affects.

    • The level of severity of the security vulnerability.

    • The impact or risk associated with the security vulnerability.

    • The recommended response process for all parties who are affected by the security vulnerability.

  • The information contained within a security bulletin is listed here:

    • Title: the title of the security bulletin, including the current year and the bulletin number for that year.

    • Summary: summary information on who the affected customers are, the severity of the security vulnerability, and the recommended response process.

    • Technical description: a thorough description of the security vulnerability and the circumstances that could lead to the vulnerability being exploited.

    • Mitigating factors: technical factors that could reduce the likelihood of the vulnerability being exploited.

    • Severity rating: a rating for each piece of software that could be affected by the vulnerability. The ratings are Critical, Important, Moderate, Low and None.

    • Vulnerability identifier: a link or links to organizations external to Microsoft that identify the vulnerability.

    • Tested versions: all software that has been tested by Microsoft for the specific vulnerability.

    • Frequently asked questions: answers to questions that Microsoft expects to be asked about this particular security bulletin.

    • Update availability: the locations from which the update can be downloaded.

    • Additional information: further information on installation of the update.

  • The Knowledge Base article for a vulnerability is usually only issued after the security bulletin has been released. Knowledge Base articles contain more comprehensive information on the vulnerability.

You can use the following utilities to help you in ensuring that your system security remains up to date:

  • Microsoft Systems Management Server (SMS): You can use SMS to install updates and service packs on SMS client computers from a network distribution share. Using SMS for deploying updates involves the following steps:

    • You have to create an SMS package that includes the location of the service pack source files and the package definition file (.pdf) for distributing the service pack. The package definition file includes the information needed to create the SMS package. The SMS package includes command-line executables as well; these executables run on the SMS client computers to manage how the SMS package executes.

    • You then have to distribute the SMS package to the distribution points that you have identified.

    • Lastly, you have to create an SMS advertisement that will inform the SMS clients on the available service packs.

  • Software Update Services (SUS): SUS was introduced to bring the features of Windows Update under the control of a corporate server: updates are downloaded to a designated corporate server, which then provides them to your internal client computers. As an administrator, you can use SUS to ensure that client systems are up to date with the latest updates, control which updates are deployed in the network, and test the updates before they are deployed to clients. One SUS server connects to the Microsoft servers for updates, and you configure the client computers in your corporate network to connect to the internal SUS server for their updates. This also improves the security stance of your network, because fewer internal clients connect over the WAN links. Administrators have greater control over which updates are deployed to the client computers: you can choose to either approve an update or prevent a specific update from being deployed to the internal client computers. In addition to central control over which updates are deployed, you can also control the synchronization of updates from the Windows Update site, either automatically or manually. You can also deploy a SUS statistics server on the computer where the SUS server resides, which enables you to verify which clients have installed updates.

  • Microsoft Baseline Security Analyzer (MBSA): The Microsoft Baseline Security Analyzer (MBSA) is a graphical security assessment tool that can be downloaded from the Microsoft Web site and used to scan a single computer or multiple computers for common security misconfigurations, security weaknesses and missing security updates. The MBSA can be used to verify that a computer has the latest security updates. When MBSA is run from the GUI, it places reports in the Security Scans folder of the user profile that creates the reports. You can also use MBSA to check for missing security updates from the command line.

The MBSA can scan for and detect a number of security problems and shortfalls, including the following:

    • Check whether all the necessary security updates and service packs have been installed on the computer.

    • Check whether all disk drives on the computer are formatted using the NTFS file system.

    • For computers running Internet Information Services (IIS) or Microsoft SQL Server, MBSA can scan for a number of security vulnerabilities.

    • Check for a number of account weaknesses and vulnerabilities, including the following:

      • Whether Autologon is being used by the computer.

      • Whether multiple accounts exist with Administrator privileges.

      • Whether the Guest account is enabled.

      • Whether anonymous users have been granted excessive access to the computer.

    • Check the configuration of passwords:

      • Whether passwords are blank.

      • Whether passwords are weak.

      • Whether passwords have been set to expire.

For a computer to use MBSA, the requirements listed below have to be met:

    • The computer must be running Windows NT 4, Windows 2000, Windows XP or Windows Server 2003. Windows 95, Windows 98 and Windows Me are not supported by the MBSA tool.

    • The computer must be running Windows Explorer version 5.01 or higher.

    • The computer must have Client for Microsoft Networks installed.

    • An XML parser must be installed.

    • The Workstation and the Server service must be enabled.

How to install the SUS Server

  1. You have to download the SUS software, the sus10sp1.EXE file, from the Microsoft website. You can use the following URL: http://go.Microsoft.com/fwlink/?linkid=6930.

  2. When the SUS homepage opens, click Download SUS Server with Service Pack 1 (SP1).

  3. The sus10sp1.EXE file should be copied to the server where you want to install SUS.

  4. Double-click the sus10sp1.exe file.

  5. The Welcome To The Microsoft Software Update Services Setup Wizard screen is displayed. Click Next.

  6. The End User License Agreement screen is displayed next. Read through the license agreement, and click I Accept The Terms In The License Agreement. Click Next.

  7. The Choose Setup Type screen is then displayed. You can either choose a Typical installation or a Custom Installation. If you select Typical, SUS is installed with its default settings. If you select Custom, you can customize the settings of the SUS installation.

  8. Select the Typical installation option.

  9. The Ready To Install screen is displayed, and shows the URL which will be used by clients to connect to this SUS server. The default URL is http://servername.

  10. Click Install.

  11. The Completing The Microsoft Software Update Services Setup Wizard screen is displayed. Click Finish.

  12. The SUS administration Web site automatically opens in your default Web browser.

How to synchronize the SUS server with the public Windows Update servers

  1. On the Software Update Services administration screen, select Synchronize Server.

  2. The Synchronize Server screen is displayed.

  3. You can select Synchronize Now from the Synchronize Server screen to manually synchronize the server, or you can alternatively select Synchronization Schedule if you want to configure a synchronization schedule for the SUS server.

  4. If you selected Synchronization Schedule, the Schedule Synchronization Web Page screen is displayed. This is where you set the schedule for when your updates should occur. It is recommended to schedule updates for non-peak network hours, and at a time when the server is not being backed up.

  5. After setting your synchronization schedule, it is recommended to manually synchronize the SUS server the first time. Click Synchronize Now to do this.

  6. The SUS server configuration determines whether updates are automatically approved, or manually approved.

  7. To examine the updates, select Approve updates from the navigation menu.

  8. If you want to approve particular update(s), and have it applied to client computers, select the update(s), and then click the Approve button.

  9. Click Yes to acknowledge the warning message that appears.

  10. If you are prompted to accept an End User License Agreement, choose Accept.

  11. When the SUS server is done downloading the updates you have specified, you are presented with a message indicating that the updates are available for clients.

  12. The SUS server shows each update together with a status message. The messages that can be displayed are:

    • New: the update has been downloaded but has not been approved. An update with a New status is not available to client computers that query the SUS server for updates.

    • Approved: the update has been approved and is available to client computers that query the SUS server for updates.

    • Not Approved: the update has not been approved and is therefore not available to client computers that query the SUS server for updates.

    • Updated: the update was modified during the SUS server synchronization process.

    • Temporarily Unavailable: the update is stored locally on the server, but a needed dependency is unavailable.

How to approve security updates for deployment to clients

  1. Click Synchronize Server to synchronize the SUS server with the public Windows Update site.

  2. Click Synchronize Now to immediately synchronize the SUS server and download updates.

  3. Click OK once the download is completed.

  4. You will next be informed that the downloaded updates need to be approved and tested.

  5. When you have thoroughly tested the updates, click the Approve Updates button to approve the updates that you want to deploy.

  6. On the Approve Updates screen, select each update that should be approved, and click Approve.

  7. Click Yes to continue.

  8. Click Accept to accept the license agreement. The list of approved updates is now available to clients.

  9. Click OK.
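The client side of the arrangement described above, as an added example that is not from the original article: the Automatic Updates policy values that point a Windows client at the internal SUS server instead of the public Windows Update site, so that the updates approved here are the ones the client receives. The server name http://sus-server is a placeholder for the URL shown on the SUS Ready To Install screen; the keys are the documented Automatic Updates policy keys.

```reg
Windows Registry Editor Version 5.00

; Placeholder: replace http://sus-server with the URL shown on the Ready To Install screen
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus-server"
"WUStatusServer"="http://sus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; 1 = use the WUServer above instead of the public Windows Update site
"UseWUServer"=dword:00000001
; 4 = download automatically and install on the schedule below
"AUOptions"=dword:00000004
; 0 = every day, at 03:00, outside peak hours and away from the backup window
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
; 0 = Automatic Updates stays enabled
"NoAutoUpdate"=dword:00000000
```

The same values can be delivered by Group Policy rather than a .reg file; the SUS statistics server named earlier is what WUStatusServer reports client installation results to.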

How to download and install the MBSA

  1. First download the MBSA tool from the Microsoft website.

  2. Double-click the mbasetup.msi installer.

  3. Click Next when the wizard's welcome page opens.

  4. Read and accept the end user license agreement by clicking the I Accept the License Agreement option. Click Next.

  5. On the User Information page, enter the appropriate information in the Full Name and Organization text boxes.

  6. If you want the settings to be installed for only the current user, click the Only for Me option.

  7. If you want the settings installed for any user who uses the computer, click the Anyone who uses this computer option. Click Next.

  8. Accept the default installation path, or specify another path on the Destination Folder page.

  9. Clear any of the following checkboxes if you do not want the corresponding action performed:

    • Place a Shortcut on the desktop.

    • Show Readme file after installation.

    • Launch the application after installation.

  10. Click Next.

  11. Select the options and features that you want to install on the local hard drive and then click Next.

  12. Click Next to start installing the Microsoft Baseline Security Analyzer.

  13. Click Finish.

How to use MBSA to scan a computer for missing security updates

  1. Open the MBSA that you installed.

  2. Choose Scan a computer.

  3. On the Pick a computer to scan page, select the computer you want to scan.

  4. Select the scan options that you want to use:

    • Check For Windows Vulnerabilities

    • Check For Weak Passwords

    • Check For IIS Vulnerabilities

    • Check For SQL Vulnerabilities

    • Check For Security Updates

  5. Click Start scan.

  6. Click Yes to install the MSSecure XML file. This is the file that is updated each time Microsoft issues new updates.

  7. The MBSA tool displays the scan results after the scan is completed.

  8. You can click Result Details if you want to view additional information.

 
