Disaster Planning: Preparation for Recovery After an Attack
Disaster planning
should be a key part of your security strategy. The old saying “Hope
for the best and prepare for the worst” certainly applies to network
security. Murphy’s law predicts that if you don’t have a way to recover
from a network or security disaster, you’ll soon need one. If you’re prepared,
you can recover quickly and may even be able to learn something useful
from the experience. Here are some suggestions to help you prepare for
the worst:
Make permanent, archived “baseline” backups of exposed computers before they’re connected to the Internet and anytime system software is changed.
Make frequent backups once online.
Prepare written, thorough, and tested computer restore procedures.
Write and maintain documentation of your software and network configuration.
Prepare an incident plan.
A little planning now
will go a long way toward helping you through this situation. The key is
having a good backup of all critical software. Each of the points
discussed in the preceding list is covered in more detail in the
following sections.
Make a Baseline Backup Before You Go Online
You should make a
permanent “baseline” backup of your computer before you connect with the
Internet for the first time so that you know it doesn’t have any virus
infections. Make this backup onto a removable disk or tape that can be
kept separate from your computer, and keep this backup permanently. You
can use it as a starting point for recovery if your system is
compromised.
Make Frequent Backups When You’re Online
I hate to sound like a
broken record on this point, but you should have a backup plan and stick
to it. Make backups at some sensible interval and always after a
session of extensive or significant changes (for example, after
installing new software or adding users). In a business setting, you
might want to have your backup program schedule a backup every day
automatically. (You do
have to remember to change the backup media, even if the backups are
automatic.) In a business setting, backup media should be rotated
offsite to prevent against loss from theft or fire.
Write and Test Server Restore Procedures
I can tell you from personal
experience that the only feeling more sickening than losing your system
is finding out that the backups you’ve been diligently making are
unreadable. Whatever your backup scheme is, be sure it works!
This step is
difficult to take, but I urge you to try to completely rebuild a system
after an imaginary break-in or disk failure. Use a sacrificial computer,
of course, not your main computer, and allow yourself a whole day for
this exercise. Go through all the steps: Reformat hard disks, reinstall
Windows or use the Complete PC Restore feature, reinstall tape software
(if necessary), and restore the most recent backups. You will find this a
very enlightening experience, well worth the cost in time and effort.
Finding the problem with your system before you need the backups is much better than finding it afterward.
Also
be sure to document the whole restoration process so that you can
repeat it later. After a disaster, you’ll be under considerable stress,
so you might forget a step or make a mistake. Having a clear, written,
tested procedure goes a long way toward making the recovery process
easier and more likely to succeed.
Write and Maintain Documentation
It’s in your own best
interest to maintain a log of all software installed on your computers,
along with software settings, hardware types and settings, configuration
choices, network address information, and so on. (Do you vaguely
remember some sort of ordeal when you installed your wireless router
last year? How did you resolve that problem, anyway?)
Tip
Windows
has no utilities to print the configuration settings for software and
network systems. I use Alt+PrntScrn to record the configurations for
each program and network component, and then paste the images into
WordPad or Microsoft Word. |
In businesses, this
information is often part of the “oral tradition,” but a written record
is an important insurance policy against loss due to memory lapses or
personnel changes. Record all installation and configuration details.
Then print a copy of this documentation so you’ll be able to refer to it if your computer crashes.
Make a library of
software DVDs and CD-ROMs, repair disks, startup disks, utility disks,
backup disks, tapes, manuals, and notebooks that record your
configurations and observations. Keep them together in one place and
locked up, if possible.
Prepare an Incident Plan
A system crash, virus
infection, or network intrusion is a highly stressful event. A written
plan of action made now will help you keep a clear head when things go
wrong. The actual event probably won’t go as you imagined, but at least
you’ll have some good first steps to follow while you get your wits
about you.
If you know a break-in has
been successful, you must take immediate action. First, disconnect your
network from the Internet. Then find out what happened.
Unless you have an exact
understanding of what happened and can fix the problem, you should clean
out your system entirely. This means that you should reformat your hard
drive, install Windows and all applications from CDs/DVDs or pristine
disks, and make a clean start. Then you can look at recent backups to
see whether you have any you know aren’t compromised, restore them, and
then go on.
But most of all, have a plan. The following are some steps to include in your incident plan:
Write down exactly how to properly shut down computers and servers.
Make
a list of people to notify, including company officials, your computer
support staff, your ISP, an incident response team, your therapist, and
anyone else who will be involved in dealing with the aftermath.
If you had a hacker break-in, check www.first.org
to see whether you are eligible for assistance from one of the many
FIRST response teams around the world. The FIRST (Forum of Incident Response
and Security Teams) Secretariat can tell you which agencies might best
be able to help you in the event of a security incident; call
301-975-3359.
The
CERT-CC (Computer Emergency Response Team Coordination Center) might
also be able to help you, or at least get information from your break-in
to help protect others. Check www.cert.org. In an emergency, call 412-268-7090.
You can find a great deal of general information on effective incident response planning at www.cert.org. CERT offers training seminars, libraries, security (bug) advisories, and technical tips as well.
Specific Configuration Steps for Windows 7
The following
sections provide some specific instructions to tighten security on your
Windows 7 computer or LAN. These instructions are for a single Windows 7
computer or a workgroup without a Windows Server. Windows Server offers
more powerful and integrated security tools than are available with
Windows 7 alone (and happily for you, it’s the domain administrator’s
job to set it all up).
Windows 7’s Security Features
Right out of the box,
Windows 7 has better security tools built in than any previous version
of Windows. If you do nothing else but let these tools do their job,
you’ll be better off than most people, and certainly far better off than
anyone running Windows 98 or XP. These are the built-in security
features:
User Account Control—
UAC makes sure that programs don’t have the ability to change important
Windows settings without your giving your approval. This helps prevent
virus programs from taking over your computer and disabling your
computer’s other security features.
Protected Mode Internet Explorer—
Internet Explorer is the primary gateway for bad software to get into
your computer. You don’t even have to deliberately install the bad stuff
or go to shady websites to get it—hackers take over well-known,
legitimate websites and modify the sites’ pages so that just viewing
them pulls virus and Trojan horse software into your computer. This risk
is so great that Internet Explorer was modified to run with such low
privileges that these bad programs can’t do any damage.
Windows Firewall— Windows Firewall blocks other computers on the Internet from connecting to your computer.
Windows Defender—
Defender is an antispyware program that scans your hard disk and
monitors your Internet downloads for certain categories of malicious
software. It’s not a full antivirus program, but it does help.
These features are all good at their jobs. The best bit of security advice I can give you is this: Do not disable any of them.
In particular, don’t disable UAC. If you find that any of the security
features cause some problems with one of your applications, fix the
problem just for that application,
instead of disabling the security feature outright. For example, if you
have a program that doesn’t work well under UAC, use the Run As
Administrator setting on that application’s shortcut to let just that program bypass UAC.
If you just follow
that advice, you’ll be in pretty good shape. If you want to ratchet up
your defenses another notch or two, read on.
If You Have a Standalone Windows 7 Computer
If you have a
standalone system without a LAN, you need to take only a few steps to be
sure you’re safe when browsing the Internet:
Enable Macro Virus Protection in your Microsoft Office applications.
Be sure that Windows Defender is turned on and up-to-date. Or, install a third-party antivirus/antispyware program.
When you connect to the Internet, be sure to stay connected long enough for Windows Update to download needed updates.
Be
very wary of viruses and Trojan horses in email attachments and
downloaded software. Install a virus scan program, and discard
unsolicited email with attachments without opening it. If you use
Outlook or Windows Mail, you can disable the preview pane that
automatically displays email. Several viruses have exploited this
open-without-asking feature.
Note
Unfortunately,
the Windows Automatic Updates pop-up appears only when you are logged
in using a Computer Administrator account. Unless you’ve configured
Windows Automatic Updates to alllow all users to install updates, or to
automatically install the updates, you need to log on as an
administrator at least once every week or two to see if anything new has
been downloaded. |
Keep
your system up-to-date with Windows Update, service packs, application
software updates, and virus scanner updates. Check for updates every
couple weeks, at the very least.
If
you use Microsoft Office or other Microsoft applications, go to the
Windows Update web page and select Microsoft Update. This will let
Update automatically download updates and security fixes for Office as
well as Windows.
Make the Security Policy changes
Use strong passwords on each of your accounts, including the Administrator account. For all passwords, use uppercase letters and lowercase letters and numbers and punctuation; don’t use your name or other simple words.
Be absolutely certain that Windows Firewall is enabled on all network and dial-up connections to the Internet.
If You Have a LAN
If
your computer is connected to others through a LAN, follow the
suggestions from the list in the preceding section. Make the Security
Policy changes on each computer.
In addition, if you use a wireless network, you must
use encryption to protect your network. Otherwise, thanks to
passwordless file sharing, random people passing by could have the same
access to your shared files as you do. Use WPA2 encryption if all of
your computers and routers support it; otherwise, see whether you can
use WPA. Use WEP only if you have devices that don’t support WPA.
Keep Up-to-Date
New bugs in major
operating systems and applications software are found every week, and
patches and updates are issued almost as frequently. Even Microsoft’s
own public servers have been taken out by virus software.
Software
manufacturers, including Microsoft, have recently become quite
forthcoming with information about security risks, bugs, and the like.
It wasn’t always the case; they mostly figured that if they kept the
problems a secret, fewer bad guys would find out about them, so their
customers would be better off (and it saved them the embarrassment of
admitting the seriousness of their bugs). Information is shared so
quickly among the bad guys now that it has become essential for
companies to inform users of security problems as soon as a defensive
strategy can be devised.
You can subscribe to the Microsoft Email Updates security bulletin service at www.microsoft.com/security. The following are some other places to check out:
www.sans.org
www.cert.org
www.first.org
www.cerias.purdue.edu/coast
www.greatcircle.com
Usenet newsgroups: comp.security.*, comp.risks
Some of these sites
point you toward security-related mailing lists. You should subscribe to
Microsoft Security Advisor Bulletins at least. Forewarned is forearmed.
Tightening Local Security Policy
You should set your
machine’s own (local) security policy whether you have a standalone
computer or are on a LAN. The Local Security Policy lets Windows enforce
some commonsense security rules, such as requiring a password of a
certain minimum length or requiring users to change their passwords
after a certain number of days.
Note
Local Security Policy settings are not available on Windows 7 Home versions. |
If your computer is part
of a Windows domain-type network, your Local Security Policy settings
will likely be superseded by policies set by your domain administrator,
but you should set them anyway so that you’re protected if your domain
administrator doesn’t specify a so-called global policy.
To
configure Local Security Policy, log in as a Computer Administrator and
choose Start, All Programs, Administrative Tools, Local Security
Policy. (If Administrative Tools doesn’t appear on the menu, the
Administrative Tools Control Panel applet can get you there. You can
also customize the Start menu to display Administrative Tools.)
A familiar Explorer view then appears, with several main security policy categories in the left pane, as shown in Figure 1. I list several policy items you might want to change.
To change the settings,
select the policy categories from the left pane and double-click one of
the policy names listed in the right pane. A Properties dialog box will
appear in which you can change the setting.
You don’t need to change all the policies; I list the important ones in the following sections.
Account Policies
Account policies can be
used to enforce long, difficult, frequently changed passwords and make
it hard for users to recycle the same passwords when forced to change.
You should lock out accounts that fail several login attempts, locally
or over the LAN. In the Local Security Policy window’s left pane, open
the list under Account Policy, then select Password Policy or Account
Policy to see the available settings. Table 1 shows the recommended altered Password Policy settings, and Table 32.4 shows the options at your disposal for locking out an account.
Table 1. Password Policy Settings
| Password Policy | Local Setting |
|---|
| Enforce password history | 10 passwords remembered |
| Maximum password age | 70 days |
| Minimum password age | 1 day |
| Minimum password length | 8 characters |
| Passwords must meet complexity requirements | Enabled |
| Store password using reversible encryption | Disabled |
Table 32.4. Account Lockout Policy Settings
| Account Lockout Policy | Local Setting |
|---|
| Account lockout duration | 30 minutes |
| Account lockout threshold | 5 invalid logon attempts |
| Reset account lockout counter after | 30 minutes |
Local Policies
You should have Windows make an entry in the Event Log whenever someone oversteps his or her bounds. Table 2 shows the recommended audit policy changes.
Table 2. Audit Policy Settings
| Audit Policy | Local Setting |
|---|
| Audit account logon events | Failure |
| Audit account management | Failure |
| Audit directory service access | Failure |
| Audit logon events | Failure |
| Audit policy change | Success, Failure |
| Audit system events | Failure |
No changes
are necessary in the User Rights assignments section, but you might want
to view these entries to see what sorts of permission restrictions
Windows uses.
Note
If
you’re interested in how Windows regulates the operation of your
computer, take a look at the settings under User Rights Assignment and
Security Options. You’ll probably never need to change any of these
settings, but these two sections are the heart of Windows’ security
controls. |
Finally, go through the security options, as listed in Table 3. Security options are used to restrict what users can do with system options.
Table 3. Security Options Settings
| Security Option | Local Setting |
|---|
| Interactive logon: Message text for users attempting to log on | You can display a sort of “Posted: No Trespassing” warning with this entry. |
| Devices: Prevent users from installing printer drivers | Disabled
by default. If you want to prevent users from installing potentially
untested printer and hardware drivers, check out the options for these
settings. |
| Audit: Shut down system immediately if unable to log security audits | A
common hacker trick is to fill up audit logs with junk messages and
then break in. If you want, you can have Windows shut down when the
Security Event Log fills. The downside is that it makes your security
system a denial-of-service risk. |
When you log out and back in, the new restrictive security policies will take effect.
