4

We got nailed two weeks ago by Conficker. I ran through the 26-step checklist from Microsoft on my own computer, as well as on our domain server. It says near the end to reverse all the changes, but I kinda like the changes (disables Autorun and some other settings).

Is there anything in that fix that'll come back to haunt me down the road?

Also, maybe the group policy never took effect, I couldn't quite tell. Do your policies have to be placed on computers or users (or does it matter?) for this fix?

Peter Turner
  • I think the right name is Conficker: http://en.wikipedia.org/wiki/Conficker – splattne May 09 '09 at 06:35
  • Your users will hate you if you disable what (to them) are useful features, like AutoPlay for example. The first line of defence is to ensure that Auto-updates are enabled and enforced (this would have mitigated the Conficker vulnerability). – Tim Long May 09 '09 at 07:29
  • AutoPlay is a significant security risk. It should only be kept enabled if there is a legitimate reason. – Matthew Flaschen May 09 '09 at 19:11

5 Answers

2

Can you scale back your protections against Conficker?

The article you linked has a lot of good practice that, in my humble opinion, you should keep. Isolating old hosts from the evil internet, having your boxes patched with up-to-date AV, and keeping AutoRun disabled are good ideas. Strong password rules with regular rotations are probably the most controversial change if you're not doing it already, since they will require institutional changes. But auto-patching has been the default behavior in Windows since WinXP SP2, and AutoRun defaulting to off will be in Win7.

Whether it's time to deactivate the group policy is going to be based on whether you feel you still have potentially infected systems in your environment. If you rebuilt and patched everything, it might be time.

Bob
2

Yes, there are some group policies which help stop Conficker from spreading.

There is a Microsoft support article: Virus alert about the Win32/Conficker.B worm. Look for the "Prevention" section.

This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "Manual steps to remove the Conficker.b variant" section of this Knowledge Base article to manually remove the malware from the system.

splattne
1

If you want good protection against Conficker, you can configure your computer or router to use OpenDNS. They maintain a list of sites that spread Conficker and block them right away.

You can also block many other things with it, like the majority of spyware sites, scams, phishing, etc.

This is very useful and adds a major security layer to your network.

Marc-Andre R.
  • This is only very partial protection: all it does is stop already-infected hosts from downloading updates. – Alnitak Jul 25 '09 at 08:41
  • Of course, I agree. It won't replace a well-configured firewall and good, up-to-date anti-virus software. – Marc-Andre R. Aug 07 '09 at 15:27
0

The OU I work on within our company never got hit by Conficker, here's why:

  • Clients use Win2K, and policies prohibit them from installing USB memory sticks.
  • USB memory sticks that are to be installed are quickly done so by IT. Only IT-provided USB sticks are used, and users are educated not to use them outside company network / systems.
  • E-mail scanning takes place on a parent mail server. If our company got hit by Conficker, it stayed at the top level.

I can't think of any reason as to why users would be allowed to install their own USB peripherals. So my advice is to leave the GPOs as you activated them during the Downadup/Conficker spread.

dadver
0

AutoPlay / AutoRun is not required to be an all-or-nothing solution.

We have a sensible solution where we allow AutoPlay / AutoRun on CD-ROM drives but do not allow it from any writable media or hard disks.

This setting is available through GPO.

KAPes
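Two questions in this thread come down to one registry value: the asker's "do your policies have to be placed on computers or users?" and KAPes's per-drive-type split. The AutoRun GPO writes a `NoDriveTypeAutoRun` bitmask, one bit per drive type, under the Explorer policy key in HKLM (Computer Configuration) or HKCU (User Configuration). The script below is an added example, not code from the thread or from Microsoft's checklist: it reads both locations, decodes which drive types currently have AutoRun blocked, and can write a machine-wide value. The bit layout and the 0xFF "block everything" value are the documented Windows ones; the 0xDF example (everything blocked except CD-ROM) is derived from them for this answer.

```powershell
# Added example (not from the original thread): decode and set the
# NoDriveTypeAutoRun bitmask that the AutoPlay/AutoRun group policy writes.
# Bit layout follows the documented Windows drive-type flags; 0xFF blocks
# AutoRun on every drive type, which is what the Conficker checklist applies.

$DriveTypeBits = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN'
    0x02 = 'DRIVE_NO_ROOT_DIR'
    0x04 = 'DRIVE_REMOVABLE (USB sticks, floppies)'
    0x08 = 'DRIVE_FIXED (hard disks)'
    0x10 = 'DRIVE_REMOTE (network shares)'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'reserved / unrecognised drive type'
}

# Computer Configuration lands in HKLM, User Configuration in HKCU.
# If both are present the HKLM value takes precedence, which is why a
# per-computer GPO is the safer place to put this setting.
$PolicyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($path in $PolicyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) {
            "{0}: NoDriveTypeAutoRun not set (policy has not applied here)" -f $path
            continue
        }
        "{0}: NoDriveTypeAutoRun = 0x{1:X2}" -f $path, $value
        foreach ($bit in $DriveTypeBits.Keys) {
            # A set bit means AutoRun is suppressed for that drive type.
            $state = if ($value -band $bit) { 'AutoRun BLOCKED' } else { 'AutoRun allowed' }
            "    {0,-42} {1}" -f $DriveTypeBits[$bit], $state
        }
    }
}

# Block AutoRun everywhere except CD-ROM drives, the split KAPes describes:
# start from 0xFF (all blocked) and clear the CD-ROM bit -> 0xDF.
function Set-AutoRunPolicy {
    param([int]$Mask = (0xFF -band (-bnot 0x20)))
    $path = $PolicyPaths[0]   # machine-wide, so it wins over any per-user value
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $Mask -Type DWord
    "Set HKLM NoDriveTypeAutoRun = 0x{0:X2}" -f $Mask
}

Get-AutoRunPolicy
# Set-AutoRunPolicy              # run elevated; applies at next logon / Explorer restart
# Set-AutoRunPolicy -Mask 0xFF   # disable AutoRun on every drive type
```

Running `Get-AutoRunPolicy` on a workstation is also a quick way to answer the asker's other question: if neither key holds the value, the GPO never reached that machine, and `gpresult /r` (or `gpresult /h report.html`) will show which policies were actually applied and from which OU. Setting the value by hand as above is fine for a test box, but on a domain the GPO should remain the source of truth so the setting is re-applied if someone clears it.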