Whether you're trying to prevent a malware outbreak or contain a virus or worm that's already weaving its way through your Windows systems, site expert Kevin Beaver offers tips to help you get control of the problem in this two-part series. Part one outlined steps you can take to contain malware. Part two, below, explains how to prevent outbreaks from the get-go.
Prevent malware outbreaks
Remember that it's impossible to prevent a type of malware attack that's never occurred. However, if you focus on putting the following security measures in place now, you'll be your organization's saving grace the next time your Windows-based network is attacked in this way.
1. Document your action steps
Use an incident response plan. Such a plan doesn't have to be that fancy, especially when you're getting started. At least document steps for detection, investigation, containment, eradication and recovery. A great place to start with such a plan is NIST's Computer Security Incident Handling Guide.
2. Prevent access to NetBIOS and MSRPC ports
To keep automated attacks at bay and prying eyes off your systems, prevent access to TCP ports 135, 139 and 445 and UDP ports 135, 137 and 445. It sounds trivial, but I still see a lot of systems -- even publicly-accessible ones -- with this vulnerability.
3. Disable or limit Windows Script Host (WSH) and ActiveX
These controls should be disabled on servers and workstations. Just be sure to test your settings carefully with production applications to ensure no applications stop working as a result.
4. Implement Group Policy security
Group Policy or local security policy settings should be implemented to harden Windows from attack in the event that something does get through. A good starting point can be found at my previous tip.
5. Host-based protection is a must
Perimeter-based protection is good but you must use host-based protection to not only prevent but also contain malware that's downloaded via Web pages, e-mail attachments, etc. This is especially critical given that malware attacks can come in from any angle. Host protection can help block unneeded access to NetBIOS and MSRPC services, and prevent local software from talking to the outside world without the user's or (ideally) the administrator's permission. Windows Firewall won't help much here, but Microsoft's new AntiSpyware product does offer some protection in this area. Your best bet will probably be an all-out host-based IDS/IPS such as ZoneAlarm, Symantec Client Security, and my favorite BlackICE (or ISS enterprise products that utilize its technology).
6. Enable heuristics protection
Heuristics protection should be enabled in your antivirus software to help detect basic malware behavioral anomalies.
7. Don't discount antispyware software
You need to create a layered defense. When performing security assessments, I still see the majority of systems unprotected against spyware and its variants. Also consider other anomaly-based detection and prevention applications from companies such as Finjan and Sana Security.
8. Have network analyzer in place
Choose an analyzer that you feel comfortable with in order to monitor network traffic and see what malware is doing. The free Ethereal is great if you're comfortable using it. I've also found several commercial network analyzers to be very effective in this situation, especially given how easy most of them are to use. Look into tools such as CommView, EtherPeek and Sniffer Portable for wired networks and AiroPeek, AirMagnet Laptop Analyzer and Sniffer Wireless for wireless networks. You can find more on just how valuable a network analyzer can be in my webcasts Network analyzer tricks for monitoring and troubleshooting e-mail traffic (registration required) and The network analyzer: A security tool you can't do without.
I can't emphasize enough how an ounce of prevention is worth a ton of cure -- especially when it comes to malware outbreaks. Having some solid layered defenses using built-in Windows controls and third-party products combined with some basic documentation on what to do is all you have to do. It's all you can do.
About the author: Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC. He has over 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including "Hacking For Dummies" (Wiley), the brand new "Hacking Wireless Networks For Dummies," and "The Practical Guide to HIPAA Privacy and Security Compliance" (Auerbach). He can be reached at firstname.lastname@example.org.
More information from SearchWindowsSecurity.com
This was first published in July 2005