For the past few months, I've been writing more hands-on pieces about Exchange Server features and gewgaws. But this week, I'm going back to the land of process and policy. Why? One word: Blaster. There's so much differing information surrounding Microsoft's security policy and the things that you should be doing to protect yourself that I feel duty-bound to add my 2 cents.
First, let's talk about the patch. Microsoft released security bulletin 03-026 on July 16. That means we all had about a month to install the patch before Blaster reared its ugly head. Blaster has the unique and annoying habit of infecting desktop systems as well as servers. Therefore, the people least likely to patch---your grandmother, for example---were at equal risk with patch-savvy administrators at major corporations. Unfortunately, despite Microsoft's educational efforts (for an example, check out TechNet's "5-Minute Security Advisor" columns at the URL below), most home users didn't take any of the steps that could have protected them. They didn't install the patch, they didn't turn on Automatic Update, and they didn't use a firewall. Of course, lots of companies were infected too for exactly the same reasons. I'll get back to these points in a minute.
Second, let's talk about the patch gap. The interval between Microsoft's release of the patch for the vulnerability that Blaster exploits and the identification of Blaster in the wild was much shorter than the 6-month gap between the patch for the vulnerability that Slammer exploited and that worm's release; in turn, the Slammer patch gap was shorter than the Nimda and CodeRed patch gaps. Clearly, the interval between identification of a new vulnerability and the release of code that exploits it is shrinking. Fearless prediction: Sometime in the next 9 months, we'll see a "0-day" exploit that's released when (or perhaps before) the vulnerability becomes publicly known. At that point, people who haven't protected themselves are going to be in a world of trouble, especially if the attack does something destructive.
Is patching alone sufficient? No; to borrow a term from my calculus classes in college, it's necessary but not sufficient. Microsoft's Jim Allchin sent out an internal email that encouraged Microsoft employees to help friends and family members secure their machines by following three simple steps. These same steps can be generalized to cover networks of any size.
Step 1: Apply patches when they become available. Most users should use the Automatic Updates client, available with Windows Server 2003, Windows XP, and Windows 2000 Service Pack 3 (SP3) and later. Several large Microsoft customers reported stellar results after using Microsoft Systems Management Server (SMS) to patch multiple systems simultaneously; one company patched 96 percent of its machines overnight. (Of course, if the company had applied the patch when it came out instead of waiting, that kind of fire drill wouldn't have been necessary.)
Step 2: Use a firewall. Firewalls protect your network from unwanted inbound traffic, and they can prevent an infected machine from sending packets to other machines on your network. Recently, Microsoft announced that it was going to turn on the XP Internet Connection Firewall (ICF) by default. ICF is a solid, free solution, but others exist, including BlackIce and Norton Internet Security. It doesn't really matter which of these products you use, as long as you use one. Of course, those of you whose networks are protected by corporate firewalls aren't excused from ensuring that the laptops and home machines that connect to your network are protected by some type of firewall software.
Step 3: Use antivirus software. Sometimes, despite our best efforts, bad code sneaks in. Using an effective desktop antivirus solution will help clean up the resulting mess. Antivirus software seems to be necessary in inverse proportion to users' sophistication. My theory is that less-sophisticated users are most likely to run unknown programs and to fail to apply necessary patches, both of which increase the risk of infection.
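The three steps above are easy to state and easy to let slide, so here is a read-only audit that checks all three on a single Windows host. This is an added example, not code from the original column or from Microsoft; it is meant to be run from an elevated PowerShell prompt on a modern Windows build, and it assumes the `Get-HotFix`, `Get-NetFirewallProfile` and `Get-MpComputerStatus` cmdlets are available (Windows 8 / Server 2012 and later with Windows Defender present). The `-HotFixId` default is a placeholder, not a real KB number; pass the KB id of the bulletin you are auditing. The `-BulletinReleased` default is the July 16 date the column cites, and the script uses it to report how many days an unpatched host has been exposed, which is the "patch gap" measured from your own side.

```powershell
<#
  Added example (not from the original column): audit the three steps
  (patch, firewall, antivirus) on this host and list what fails.
  Assumptions: -HotFixId is a placeholder to be replaced with the real
  KB id of the bulletin; the cmdlets used exist on Windows 8 / Server 2012+.
#>
param(
    # Placeholder, not a real KB number: replace with the bulletin's KB id.
    [string]$HotFixId = 'KB0000000',
    # Date the bulletin shipped; the column's example is July 16, 2003.
    [datetime]$BulletinReleased = (Get-Date '2003-07-16')
)

$findings = New-Object System.Collections.Generic.List[string]

# Step 1a: is the specific patch installed? If not, report the exposure window.
$hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
if ($hotfix) {
    "OK   Patch $HotFixId installed on $($hotfix.InstalledOn)"
} else {
    $gapDays = [int]((Get-Date) - $BulletinReleased).TotalDays
    $findings.Add("FAIL Patch $HotFixId missing; host exposed for $gapDays days since the bulletin shipped")
}

# Step 1b: is Automatic Updates turned on? Either the policy value NoAutoUpdate=1
# or the local AUOptions value 1 ("never check for updates") means it is off.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$au     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
if (($policy -and $policy.NoAutoUpdate -eq 1) -or ($au -and $au.AUOptions -eq 1)) {
    $findings.Add('FAIL Automatic Updates is disabled')
} else {
    'OK   Automatic Updates is not disabled'
}

# Step 2: the host firewall must be on for every profile, and the default
# inbound action must not be Allow (NotConfigured falls back to Block).
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -and $p.DefaultInboundAction -ne 'Allow') {
        "OK   Firewall profile $($p.Name) enabled, default inbound $($p.DefaultInboundAction)"
    } else {
        $findings.Add("FAIL Firewall profile $($p.Name): Enabled=$($p.Enabled), DefaultInboundAction=$($p.DefaultInboundAction)")
    }
}

# Step 3: antivirus present, real-time protection on, signatures reasonably fresh.
$av = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $av) {
    $findings.Add('FAIL No Windows Defender status available; check whichever antivirus product is installed')
} elseif (-not $av.RealTimeProtectionEnabled) {
    $findings.Add('FAIL Antivirus real-time protection is off')
} elseif ($av.AntivirusSignatureAge -gt 7) {
    $findings.Add("FAIL Antivirus signatures are $($av.AntivirusSignatureAge) days old")
} else {
    "OK   Antivirus real-time protection on, signatures $($av.AntivirusSignatureAge) days old"
}

''
if ($findings.Count -eq 0) {
    'All three steps pass on this host.'
} else {
    $findings | ForEach-Object { $_ }
    exit 1   # non-zero so a deployment or login script can flag the host
}
```

The script changes nothing on the machine; it only reads hotfix, registry, firewall and Defender state, so it is safe to drop into a login script or run against the family PCs mentioned below. The non-zero exit code when anything fails is what lets a larger fleet tool (SMS in the column's era, whatever you use today) pick out the hosts that still need attention.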
These measures seem straightforward enough, but a fourth step is necessary: for IT professionals to take a little responsibility. Is your mom's computer secure? What about the one down in your kids' playroom? How about your nontechnical next-door neighbor's PC? The extra time that you and I take to help secure these systems can benefit all of us by helping to prevent widespread Internet attacks such as Blaster. Now (to paraphrase "The Untouchables")--let's get out there and do some good!
5-Minute Security Advisor