Incident Response: Managing Security at Microsoft


Incident Response

Managing Security at Microsoft


White Paper
Published: January 2003
CONTENTS
Executive Summary 4
Introduction 5
  Risk Assessment 6
Preventing Incidents 8
  Scanning 8
  Auditing 8
  Detecting Intrusions 8
  Establishing Defense in Depth: an Example 9
  Securing Clients for Remote Users 9
Incident Response Team 11
  Core Team 11
  Extended Team 12
  Chairs 13
Incident Response Plan 15
  Trigger Phase 16
  Evaluate the Situation 16
  Team Assembly, Notification, and Escalation Phase 17
  Response Phase 17
  De-escalation Phase 18
  Post-incident Review Phase 19
Defending Against Malware 20
  Trojan Horse and Backdoor Trojan Horse 20
  Worm 20
  Virus 22
  Response to a Virus at Microsoft 24
Defending Against DDoS Attacks 26
Defending Against Internet-Facing Server Attacks 27
Defending Against Unauthorized Network Intrusions 28
Closing Vulnerabilities in Products 29
Lessons Learned 30
  First Layer of Defense: Secure the Network Perimeter 30
  Second Layer of Defense: Secure the Network Interior 31
Conclusion 34
For More Information 35
Appendix: Example Scripts for Worm Removal 36
  Group Policy Shutdown Script 36
EXECUTIVE SUMMARY
Security threats to computer networks often come from attackers who take advantage of security flaws, such as well-known configuration errors and published product vulnerabilities. Just like any enterprise, Microsoft is the target of computer attacks. These attacks are often discussed in newsgroups or chat rooms, and the attack tools are frequently published on the Internet.

At one time, Microsoft used a reactive approach: if an exploit occurred, resources were deployed and narrowly focused on that exploit only. The process involved deploying and testing a patch on a single server and then distributing the patch to other servers at risk. This process was too time consuming, and involved too much risk to resources, to address a vulnerability effectively.

Accordingly, the Information Security Organization (InfoSec) within the Microsoft IT group developed a preventative approach to managing computer vulnerabilities. Designed to reduce the occurrences and severity of attacks, the InfoSec security methodology includes reducing open ports and vulnerable systems and services, managing user permissions, regularly assessing risks, and regularly monitoring compliance with security guidelines.

InfoSec also developed a consistent process for responding to incidents and recovering from disasters that do occur. The primary objectives of this process are to establish a clear command and control center, to rapidly mitigate exposure, to maximize cooperation, and to efficiently coordinate response activities. All of these efforts are designed to eliminate network exposure and restore confidence in all systems as quickly as possible. The same overall response plan process is used for both computer incidents and other incidents, such as natural disasters. The focus of this paper is computer incident response. Although the approaches to all responses are similar, the actual steps taken to address specific computer incidents can be different, depending on the nature of the incident.

This paper is intended for enterprise-level technology development managers (TDMs) and security managers. Although this paper describes incident response and some best practices to follow for securing various technologies, it is not a procedural guide. Each enterprise environment is unique. For example, end users at Microsoft can operate some computers at an administrative level, which is different from the client structure of other comparably sized enterprises. Each organization should therefore customize the solutions described in this paper to meet its specific needs.
Incident Response: Managing Security at Microsoft Page 4
INTRODUCTION
The costs of incident response and recovery can be high. An exploit can result in a significant loss of productivity and data. For example, taking servers offline and removing infected files can cause downtime. Expenditures can also include costs for conducting forensic investigations, coordinating with law enforcement, replacing damaged resources, and managing negative public relations. And after an exploit, the integrity of data can be in question; for example, if an attacker was able to gain access to an accounting database, did he or she change any data?

A coordinated security compliance and remediation program, one that combines technology, procedures, and proper use of personnel, reduces the number of vulnerabilities that attackers and malicious code use to access and compromise networks. A preventative approach toward critical security issues is less expensive than correcting vulnerabilities after systems have been compromised. However, enterprises must still prepare for the occasional attack that manages to penetrate the perimeter.

Microsoft IT oversees daily maintenance and strategic planning of the Microsoft corporate network, which includes more than 10,000 servers at several regional data centers worldwide. The network also includes more than 100,000 live nodes. About 94 percent of these nodes consist of computers, which averages to more than two computers per employee (including contingent staff), with 100-megabit switched connections to the desktop. Users of the Microsoft corporate network send and receive approximately 7 million e-mail messages a day, with over 1.5 million of those to and from the Internet.

As part of Microsoft IT, the Information Security group (InfoSec) must make decisions based on its responsibility to protect Microsoft assets, including minimizing the impact of attacks on such a large network. Handling incidents that do occur can produce a positive outcome for both Microsoft and its customers. Benefits include improving products to prevent more occurrences, modifying Microsoft IT procedures, and generating patches for customer systems.

The overall security methodology at Microsoft, shown in Figure 1, consists of the people, processes, and technology that work together to keep the network as secure as possible.
Figure 1. Security methodology at Microsoft
Risk Assessment
Assessing risks is part of the overall security methodology at Microsoft. The philosophy of risk at Microsoft is as follows:
- Risk is acknowledged as a fundamental part of operations that is neither good nor bad. A risk is the possibility of a future loss, and although the loss itself may be perceived as bad, the risk as a whole is not.
- Risk is something to manage, not something to fear. Enterprises deal with risks by actively addressing each identified risk in advance. If a loss is one possible future outcome, other possible outcomes are gains, smaller losses, or larger losses. Risk management lets the enterprise change the situation to favor one outcome over the others.
- The goal is knowing that the enterprise is as prepared as it can be, and that it has a plan for staying prepared.

To ensure the most efficient allocation of resources in case of an incident, an ongoing risk-assessment process allows InfoSec to determine, and focus on, the areas at greatest risk. Risk assessment in enterprise security generally involves the following tasks:
- Creating a risk model to identify potential risk areas and the probability and impact of a compromise to each area.
- Determining the approach to risk mitigation. Because some assets are inherently more valuable than others, it is important to determine what is worth risking and what must be fixed. For example, people are more valuable than computers. Taking no action is an option if the risk probability or impact of a threat is low.
- Understanding the technologies used, the resources (people and devices) that have access to those technologies, and the data and intellectual property that are at risk.

Figure 2 shows the risk model that Microsoft IT uses for security at Microsoft.
Figure 2. Risk model at Microsoft
At Microsoft, the risk level of a specific vulnerability is based on an assessment of several factors, including the number of computers affected, whether the exploit is remotely executable, the access privileges set up on a system, whether the vulnerability is externally published and well known, and whether the method of compromise is automated by means of a script. The risk level dictates how InfoSec proceeds with its actions to secure assets and environments.
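The following is an added example (not code from the white paper or from Microsoft IT) of how the five factors just listed can be combined into a risk level that drives the response. The weights, the score bands, the level-to-action mapping and the sample findings are assumptions chosen for illustration; the paper states only which factors are assessed and that the resulting level dictates how InfoSec proceeds.

```python
"""Rating a vulnerability with the factors named in the Microsoft risk model.

Added example, not code from the white paper or from Microsoft IT. The
weights, the score bands, the action mapping and the sample findings are
assumptions chosen to illustrate how the five factors combine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    hosts_affected: int   # number of computers on which the vulnerability is present
    remote: bool          # exploitable over the network without prior access
    privilege: str        # privilege gained on success: "system", "user" or "none"
    published: bool       # externally published and well known
    scripted: bool        # compromise is automated by a script or tool


def risk_score(f: Finding) -> int:
    """Combine the five factors into a 0-100 score.

    Exposure (hosts affected), vector (remote or local) and privilege gained
    measure impact; publication and automation raise the probability that
    the flaw is actually attacked. All weights are assumptions.
    """
    if f.hosts_affected >= 10_000:
        exposure = 30
    elif f.hosts_affected >= 1_000:
        exposure = 20
    elif f.hosts_affected >= 100:
        exposure = 12
    elif f.hosts_affected > 0:
        exposure = 5
    else:
        exposure = 0
    vector = 25 if f.remote else 8
    privilege = {"system": 20, "user": 10, "none": 0}[f.privilege]
    probability = (15 if f.published else 0) + (10 if f.scripted else 0)
    return exposure + vector + privilege + probability


def risk_level(f: Finding) -> str:
    """Map the score onto the bands that drive the response (thresholds assumed)."""
    score = risk_score(f)
    if score >= 75:
        return "critical"
    if score >= 55:
        return "high"
    if score >= 35:
        return "medium"
    return "low"


# Assumed mapping from level to action. The paper says only that the level
# dictates how InfoSec proceeds and that no action is acceptable for low risk.
ACTION = {
    "critical": "emergency response: patch or isolate now, notify incident command",
    "high": "scheduled remediation within the current patch cycle",
    "medium": "track in the audit programme; fix by the next benchmark audit",
    "low": "accept the risk; re-evaluate if exposure changes",
}


def prioritize(findings):
    """Return (name, level, score, action) tuples, highest risk first."""
    rows = [(f.name, risk_level(f), risk_score(f), ACTION[risk_level(f)]) for f in findings]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


# Constructed sample findings; names and host counts are invented.
SAMPLE_FINDINGS = [
    Finding("unpatched IIS on Internet-facing servers", 40, True, "system", True, True),
    Finding("weak local administrator password on lab machines", 300, False, "system", False, False),
    Finding("worm-exploitable RPC flaw on desktops", 80_000, True, "system", True, True),
    Finding("information disclosure in an internal tool", 5_000, True, "none", False, False),
    Finding("forgotten FTP service with default configuration", 12, True, "user", True, False),
]

if __name__ == "__main__":
    for name, level, score, action in prioritize(SAMPLE_FINDINGS):
        print(f"{score:3d} {level:8s} {name}: {action}")
```

Note that a flaw on only 40 hosts still rates critical when it is remote, gives SYSTEM, and has a published, scripted exploit: the probability factors matter as much as the host count, which is the point of assessing them separately.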
PREVENTING INCIDENTS
A key to preventing security incidents is to eliminate as many vulnerabilities as possible. The sections that follow describe actions that are instrumental in preventing incidents.

Scanning
Because most attackers use multiple tools to target an enterprise, the Monitoring and Compliance group at Microsoft uses a variety of automated scanning tools to identify and remediate vulnerabilities. Scanning tools include the Microsoft Baseline Security Analyzer (MBSA) and HFNetChk, in addition to internal applications. Drawing from a constantly updated XML database, these tools scan for missing patches and other vulnerabilities in computers running Microsoft® Windows NT® version 4.0; Microsoft Windows® 2000 and Windows XP; Internet Information Services (IIS) version 4.0 and IIS version 5.0; Microsoft SQL Server™ version 7.0 and SQL Server 2000; Microsoft Internet Explorer version 5.01 and later; and Microsoft Office 2000 and Office XP.

Scanning is distributed, not centralized. That is, multiple scans run across the network simultaneously. Dedicated workstations scan thousands of hosts per week. Using dedicated workstations allows efficient CPU utilization.

Information is reported by means of a SQL Server 2000 database to aid in risk assessment, analysis, and reporting. However, technology alone does not create a solution; both processes and people must be in place to accurately identify and act upon vulnerabilities. Thus, only a restricted group of personnel manages the data.
Auditing
Using tools similar to those applied in the scanning process, the Monitoring and Compliance group conducts audits to ensure that corrective action is taken when the level of noncompliance surpasses the set tolerance level for vulnerabilities on that part of the network. A priority is assigned to the noncomplying items and a service request is opened to correct the problem. Verifying that a problem has been fixed is a process of scanning, reviewing the scan report, and then entering a remediation loop that fixes the problem or creates a notification of the problem and then scans again. The process continues repeatedly until the problem is resolved. The Monitoring and Compliance group plans for a certain number of audits every year, in addition to benchmark audits conducted every few months.
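The scan, compare-to-tolerance, remediate, rescan loop described above, as an added example that is not code from the white paper or from Microsoft IT. The host names, hotfix identifiers, severities, tolerance value and the simulated remediation (one host that is off the network during the first round and therefore gets a notification instead of a fix) are all constructed.

```python
"""Scan, audit and remediation loop of the kind described under "Auditing".

Added example, not code from the white paper or from Microsoft IT. Host
names, hotfix identifiers, severities, the tolerance and the simulated
remediation are constructed for illustration.
"""

# Constructed baseline for one network segment: hotfixes every host must have,
# with an assumed severity (1 = critical, 2 = important, 3 = moderate).
REQUIRED = {"HF-101": 1, "HF-102": 2, "HF-103": 3}

# Constructed scan inventory: host -> hotfixes the scanner found installed.
SAMPLE_INVENTORY = {
    "web-01": {"HF-101", "HF-102", "HF-103"},
    "web-02": {"HF-102", "HF-103"},   # missing the critical fix
    "db-01": {"HF-101", "HF-103"},
    "lab-07": set(),                  # never patched, off the network at times
}


def scan(inventory):
    """Return {host: sorted missing hotfixes} for each noncompliant host."""
    report = {}
    for host, installed in inventory.items():
        missing = sorted(set(REQUIRED) - installed)
        if missing:
            report[host] = missing
    return report


def noncompliance_rate(inventory):
    """Fraction of hosts missing at least one required hotfix."""
    return len(scan(inventory)) / len(inventory)


def open_service_requests(report):
    """One request per host, ordered by the most severe missing hotfix."""
    requests = [{"host": h, "missing": m, "priority": min(REQUIRED[x] for x in m)}
                for h, m in report.items()]
    return sorted(requests, key=lambda r: (r["priority"], r["host"]))


def audit(inventory, tolerance, remediate, max_rounds=5):
    """Scan; if noncompliance exceeds the tolerance, remediate and rescan.

    remediate(inventory, request, round_no) applies the fix and returns True,
    or returns False when it could not; the host is then recorded as a
    notification and picked up again on the next round. The loop ends when
    the rate is within tolerance or max_rounds is exhausted.
    """
    history, notifications = [], []
    for round_no in range(1, max_rounds + 1):
        report = scan(inventory)
        rate = len(report) / len(inventory)
        history.append(round(rate, 2))
        if rate <= tolerance:
            return {"compliant": True, "rounds": round_no, "history": history,
                    "notifications": notifications, "unresolved": sorted(report)}
        for request in open_service_requests(report):
            if not remediate(inventory, request, round_no):
                notifications.append((round_no, request["host"]))
    return {"compliant": False, "rounds": max_rounds, "history": history,
            "notifications": notifications, "unresolved": sorted(scan(inventory))}


def simulated_remediation(unreachable_until):
    """Build a remediate() that fails for hosts still off the network (constructed)."""
    def remediate(inventory, request, round_no):
        if round_no < unreachable_until.get(request["host"], 0):
            return False
        inventory[request["host"]].update(request["missing"])
        return True
    return remediate


def run_sample():
    """Audit a copy of the sample inventory (audit() mutates it) at 10 % tolerance."""
    inventory = {h: set(v) for h, v in SAMPLE_INVENTORY.items()}
    return audit(inventory, tolerance=0.10,
                 remediate=simulated_remediation({"lab-07": 2}))


if __name__ == "__main__":
    print(run_sample())
```

In the sample run the segment starts at 75 percent noncompliance, drops to 25 percent after the first round because the lab host could not be reached (it receives a notification rather than a fix), and is compliant on the third scan. Bounding the loop with max_rounds keeps a host that never comes back from stalling the audit; it ends up in the unresolved list instead.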
Detecting Intrusions
The Monitoring and Compliance group uses a combination of Microsoft tools and third-party tools to detect intrusions inside the network and on the perimeter. The group reviews Internet Security and Acceleration Server (ISA) logs and conducts remote access audits to ensure that remote access accounts are being used only by the owners of those accounts. The group uses Microsoft Operations Manager (MOM) 2000 for event collection and to diagnose suspicious incidents. The Microsoft Audit Collection System component of MOM is useful for collecting and analyzing security event logs.

Because deployment planning in an enterprise must complement the existing infrastructure, Microsoft understood that its tools for intrusion detection needed to be able to log data from multiple ISA and remote access servers. The process is automated except for the event viewing, which occurs on a regular basis or as necessary to address a specific concern.

Thorough intrusion detection involves some potential problems. Testing for a correlation of events within the network traffic of a large organization can produce false positives (that is, independent events can appear to correlate by coincidence) and creates additional analysis work for personnel. However, the benefits generally outweigh the potential problems.
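One remote access audit of the kind mentioned above, as an added example that is not code from the white paper or from Microsoft IT: it correlates connect and disconnect events to find an account in use from two source addresses at the same time, which is what a shared or stolen remote access credential looks like in the logs. The log format, the sample lines and the grace-period heuristic that suppresses the most common false positive (a user who reconnects from a new network before the old session is torn down) are constructed; it is not an ISA or RAS log format.

```python
"""Remote access audit: an account in use from two places at once.

Added example, not code from the white paper or from Microsoft IT. The log
format, sample lines and grace-period heuristic are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed remote-access server log (not a real ISA or RAS format).
SAMPLE_LOG = """\
2003-01-14 08:02:11 CONNECT user=alice src=203.0.113.7 session=101
2003-01-14 08:40:00 CONNECT user=bob src=198.51.100.20 session=102
2003-01-14 08:41:30 DISCONNECT session=102
2003-01-14 08:42:05 CONNECT user=bob src=198.51.100.20 session=103
2003-01-14 09:15:00 CONNECT user=alice src=192.0.2.44 session=104
2003-01-14 09:50:00 DISCONNECT session=101
2003-01-14 10:05:00 DISCONNECT session=104
2003-01-14 10:30:00 DISCONNECT session=103
2003-01-14 11:00:00 CONNECT user=carol src=203.0.113.9 session=105
2003-01-14 11:00:40 CONNECT user=carol src=203.0.113.50 session=106
2003-01-14 11:01:00 DISCONNECT session=105
2003-01-14 12:00:00 DISCONNECT session=106
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>CONNECT|DISCONNECT)"
    r"(?: user=(?P<user>\S+) src=(?P<src>\S+))? session=(?P<sid>\d+)$"
)


def parse_sessions(text):
    """Build {session_id: {"user", "src", "start", "end"}} from the log.

    A session with no DISCONNECT is treated as open until the last timestamp
    seen in the log; a DISCONNECT for an unknown session is ignored.
    """
    sessions, last_ts = {}, None
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the audit
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        last_ts = ts if last_ts is None else max(last_ts, ts)
        if m["event"] == "CONNECT":
            sessions[m["sid"]] = {"user": m["user"], "src": m["src"], "start": ts, "end": None}
        elif m["sid"] in sessions:
            sessions[m["sid"]]["end"] = ts
    for s in sessions.values():
        if s["end"] is None:
            s["end"] = last_ts
    return sessions


def find_shared_accounts(sessions, grace_seconds=60):
    """Report users with concurrent sessions from different source addresses.

    Overlaps no longer than grace_seconds are dropped: a user changing
    networks often reconnects before the old session is torn down, which
    would otherwise be a false positive. The grace value is an assumption.
    """
    grace = timedelta(seconds=grace_seconds)
    by_user = {}
    for s in sessions.values():
        by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, sess in by_user.items():
        sess.sort(key=lambda s: s["start"])
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:          # b starts no earlier than a
                if a["src"] == b["src"]:
                    continue                # same place: a reconnect, not sharing
                overlap = min(a["end"], b["end"]) - b["start"]
                if overlap > grace:
                    findings.append({"user": user,
                                     "sources": sorted([a["src"], b["src"]]),
                                     "overlap_seconds": int(overlap.total_seconds())})
    return findings


def audit_log(text, grace_seconds=60):
    """Parse the log and return the shared-account findings."""
    return find_shared_accounts(parse_sessions(text), grace_seconds)


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f['user']}: {f['sources'][0]} and {f['sources'][1]} "
              f"overlap for {f['overlap_seconds']} s")
```

Only alice is reported: her two sessions from different addresses overlap for 35 minutes. carol's 20-second overlap falls inside the grace period, and bob's sessions are sequential from one address. Tightening the grace period to zero turns carol into a finding, which is exactly the trade-off between sensitivity and analyst workload the paper describes.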
Establishing Defense in Depth: an Example
Attackers look for holes that they can use to gain access to networks. It is impossible to fill all the holes on a large network because some of those holes are part of the correct functioning of hardware and software. A large network should therefore be configured as a series of levels, each of which has a defense set up on it. This multilayered defense strategy, called defense in depth, stops more attacks than a single point of protection. For example, it is unwise to rely on antivirus software alone to stop a virus attack. A multilayered defense protects the perimeter and then protects servers and desktop computers if a virus penetrates the perimeter.

For illustrative purposes, suppose the network for an e-commerce company consists of six levels: routers, a firewall, an IIS-based server, program code, the communications pipe between the IIS-based server and the SQL Server-based server, and the SQL Server-based server itself. The following table provides examples of adequate defenses that can be set up on each of these levels.

Level | Defense
Routers | Configured to deny malicious traffic, but must leave port 80 and port 443 open for basic Web traffic
Firewall | Configured to deny unusual Web requests
IIS-based server | Configured securely with current patches, secure passwords, URLScan (see the "For More Information" section later in this paper), and minimum access privileges
Program code | Written to prevent buffer overflow and cross-site scripting; or, a patch was applied to the program
Communications pipe between the IIS-based server and the SQL Server-based server | Protected because each server is dual homed (has two network interface cards), so the IIS-to-SQL Server traffic runs on a separate back-end segment that is not reachable from the Internet-facing interface
SQL Server-based server | Properly designed database, patched properly, requires complex passwords, contains encrypted data

In this example, complicated defenses discourage an attacker from trying to penetrate multiple layers in search of data. Even if the attacker is able to access the SQL Server-based server, all of the most sensitive data on that server is encrypted. Encryption affects performance, so encrypting an entire database may not be practical; an organization must determine how to best balance encryption and performance.
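The firewall and IIS rows of the table above both come down to rejecting requests that a legitimate client would never send. The following is an added example, not code from the white paper and not URLScan itself, of the kind of request filter that implements that: a verb allow-list, length limits, single normalization with a double-encoding check, denied character sequences and denied extensions. The rules are modelled on the checks URLScan applies; the exact limits, lists and sample requests are assumptions.

```python
"""URLScan-style filtering of unusual Web requests for the firewall/IIS layers.

Added example, not code from the white paper and not URLScan itself. The
limits, lists and sample requests are assumptions chosen for illustration.
"""
import posixpath
from urllib.parse import unquote

ALLOWED_VERBS = {"GET", "HEAD", "POST"}
MAX_PATH = 260      # assumed limit on the decoded path
MAX_QUERY = 2048    # assumed limit on the query string
# Extensions a hardened Web front end should never serve: script mappings
# abused by Code Red/Nimda-era attacks, executables, and configuration files.
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ida", ".idq", ".htr", ".idc",
                     ".htw", ".shtm", ".shtml", ".stm", ".printer", ".ini", ".log",
                     ".pol", ".dat"}
# Character sequences that have no business in a normal URL path.
DENIED_SEQUENCES = ("..", "./", "\\", ":", "%", "&")


def check_request(verb, url):
    """Return (allowed, reason); rules run in order and stop at the first failure."""
    if verb.upper() not in ALLOWED_VERBS:
        return False, f"verb {verb!r} not allowed"
    path, _, query = url.partition("?")
    if len(query) > MAX_QUERY:
        return False, "query string too long"
    # Normalize once. If a second decode still changes the string, the path was
    # double-encoded (e.g. %255c -> %5c -> \), a classic way to slip past a
    # filter that only inspects the raw request.
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return False, "double-encoded path"
    if len(decoded) > MAX_PATH:
        return False, "path too long"
    for seq in DENIED_SEQUENCES:
        if seq in decoded:
            return False, f"denied sequence {seq!r}"
    if any(ord(c) > 127 for c in decoded):
        return False, "high-bit characters in path"
    ext = posixpath.splitext(decoded)[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, f"denied extension {ext!r}"
    return True, "ok"


# Constructed sample requests: ordinary traffic plus the shapes seen in the
# Code Red (default.ida) and Nimda (double-encoded traversal) worm attacks.
SAMPLE_REQUESTS = [
    ("GET", "/index.htm"),
    ("POST", "/order.asp"),
    ("GET", "/default.ida?NNNNNNNNNNNNNNNN"),
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
    ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe"),
    ("TRACE", "/"),
]


def filter_requests(requests):
    """Apply check_request to each (verb, url) pair; returns a list of verdicts."""
    return [(verb, url, *check_request(verb, url)) for verb, url in requests]


if __name__ == "__main__":
    for verb, url, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5s} {verb:5s} {url[:48]:48s} {reason}")
```

Two details matter in practice. The double-encoding check must run before the sequence check, otherwise "%255c" decodes to a harmless-looking "%5c" and the backslash is never seen; and extensions are judged on the decoded path, so "/default%2Eida" is caught as well as "/default.ida". Denying unusual verbs, lengths and sequences at the firewall and again in URLScan on the IIS host is the layering the table describes.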
Securing Clients for Remote Users
To prevent an incident, remote users must be instructed that remote connections to a corporate network are considered a weak link in guarding against vulnerabilities. Users must follow established security policies, including downloading patches and antivirus software. A network administrator can ensure that a user is following guidelines by scanning the user's system and denying remote access if the user does not have the correct patches, programs, and security settings.

For example, at Microsoft, InfoSec uses Connection Manager to prompt remote users to download patches through the Windows XP AutoUpdate tool. If a user does not download the patches within a reasonable amount of time, that user is denied access to the network. Microsoft also deploys to remote users' computers a host-based intrusion detection system (HIDS) that reports to a central collector. InfoSec uses the HIDS to monitor probes and attacks against these computers that might be a prelude to an attack on the corporate network.
INCIDENT RESPONSE TEAM
Regardless of incident type, the response plan at Microsoft remains consistent. The incident response team consists of individual teams that focus on security full time (including personnel who perform virus protection, investigations, communications, and monitoring and compliance) and those that form a "virtual team" by becoming involved in incident response only when a specific incident occurs. All members of the incident response team maintain a high level of communication with each other to resolve the situation in the quickest and most orderly manner possible.

In all cases, the core incident response team consists of representatives from the Security Services and Architecture, Investigations, and Communications teams. Each of these teams makes operational assessments and allocates resources to meet urgent and emergency needs for the protection of Microsoft assets. Each team is assigned an overall lead, or chair, who is responsible for the activities of that team. Depending on the incident type, other groups may also become involved.

Figure 3 shows the structure of the incident response team at Microsoft.
Figure 3. Structure of incident response team
Core Team
This section describes the roles of the teams that compose the core of the incident response team.

The Security Services and Architecture team:
- Determines the least invasive means of containing the outbreak, which may entail disconnecting systems from the network.
- Runs an iterative scan, locates infected systems, and assesses the risk to Microsoft systems and products.
- Analyzes compromised systems for configuration errors.
- Reviews system logs and auditing results.
- Adjusts monitoring systems as appropriate to better detect any ongoing activity.
- Finds and fixes any affected network components.

The Investigations team:
- Gathers and maintains evidence.
- Pursues investigative leads.
- Coordinates with law enforcement.
- Conducts forensic computer examinations if appropriate.
- Provides a single source for evidence collection.

The Communications team:
- Alerts the Virus Attack Command Team (VACT) in the event of a virus attack.
- Establishes conference calls and other communication channels between incident response teams as appropriate.
- Instigates backup notification procedures.
- Publishes status updates based on a predetermined schedule.
- Coordinates communications with Corporate Public Relations as appropriate.
- Notifies key business units when the signature is deployed and when a patch is released.
Extended Team
Other teams may become involved in the incident response team, depending on the type of incident that occurs.

Virus Attack
The VACT is a collective of affected organizations that responds only to viruses, although the individual organizations that compose it often contribute to the responses to other types of incidents. Figure 4 shows the makeup of the VACT.
Figure 4. Makeup of the VACT
The teams that participate in the VACT include:
- InfoSec. Handles virus attack notification, escalation, and initial response; provides antivirus software update notification and coordination.
- Messaging. Manages response actions that involve e-mail, including internal Microsoft Exchange-based servers and Internet e-mail gateways.
- Server Operations. Handles all updates and cleaning of infected file servers and key internal infrastructure servers.
- Network Operations. Handles all updates and cleaning of infected network hardware or network services, including remote access servers.
- Desktop Services. Controls end-user logon scripts; handles sending of routine global e-mail to end users; provides desktop antivirus software updates.
- IT Helpdesk. Handles all requests for assistance by end users whose computers are infected by the virus.

DDoS Attack
For a distributed denial-of-service (DDoS) attack, organizations outside the core incident response team may be asked to perform a variety of tasks, such as filtering spoofed packets or changing router configurations to block illegitimate and/or destructive packets. Key contacts include Data Center Operations (DCOps) and the Global Network Operations Center (GNOC).

Internet-Facing Server Attack
For an attack on servers that are exposed to the Internet, organizations outside the core incident response team, such as DCOps, GNOC, Corporate Public Relations, and the Microsoft Security Response Center (MSRC), may be asked to provide press releases, account certification, password management, and auditing of any or all systems exposed to the Internet. Another key contact is Directory Services Management (DSMan), which handles all response actions that involve directory services and account management.

Unauthorized Network Intrusion
When an unauthorized network intrusion occurs, organizations outside the core incident response team may be asked to provide assistance in account certification, password management, and auditing of critical systems. These groups include DCOps, GNOC, Corporate Public Relations, DSMan, and IT Helpdesk.

Product Vulnerability
When a vulnerability is discovered in a product, organizations outside the core incident response team, such as DCOps, GNOC, Corporate Public Relations, MSRC, and IT Helpdesk, may be asked for assistance. In addition, the team responsible for developing the product is alerted to the situation so that it can conduct a full vulnerability review.
Chairs
The chairs often selected for incident response are detailed in the sections that follow. However, because the scope, severity, and type of incident determine what personnel become involved, not all chairs are involved in every incident.

Incident Command Chair
Responsibilities of the Incident Command Chair for each group include the following:
- Managing central logistics
- Coordinating a response strategy with the necessary groups
- Ensuring staffing at the Operations Center as appropriate
- If 24-hour-a-day operations are ongoing, ensuring the designation of shift leads
- Serving as a single point of communication for management/executive briefings
- Maintaining a comprehensive record of events
- Providing status reports as appropriate based on actions and information

The Incident Command Chair also oversees the Monitoring Operations, Find and Fix Operations, and Tools and Technology Operations groups.

The responsibilities of the Monitoring Operations group include the following:
- Managing all detection systems
- Designing and implementing case-specific monitoring activities
- Coordinating the collection of appropriate logs
- Maintaining and analyzing all logs
- Identifying network threats and vulnerabilities as they present themselves

The responsibilities of the Find and Fix Operations group include the following:
- Preparing an incident threat assessment
- Identifying network threats and vulnerabilities as they present themselves
- Finding and fixing security vulnerabilities

The responsibilities of the Tools and Technology Operations group include the following:
- Building specialty tools to improve incident response
- Refining existing tools to specifically target incident response
- Running reports by using existing or custom tools

Communications Chair
The responsibilities of the Communications Chair include the following:
- Drafting and submitting all proposed communication
- Coordinating with Corporate Public Relations on a regularly scheduled basis
- Monitoring media for press related to the incident and collecting material for reference
- Maintaining an incident-specific emergency contact list

Investigations Chair
The responsibilities of the Investigations Chair include the following:
- Pursuing investigative leads
- Performing a forensics examination of computer and information systems associated with the incident
- Serving as a single source for evidence preservation
- Coordinating with law enforcement officials as appropriate
INCIDENT RESPONSE PLAN
Whatever the variables involved in an attack, the incident response team as a whole applies the following key procedures as a guide to ensure a successful response:
1. Evaluate the current state of the system, the extent of penetration/infection, the type of data at risk, the source or target of the attack, the resources that are known to be compromised, the resources that are suspected to be compromised, the impact on infrastructure, the cost of recovery, and other elements that define the scope of the problem.
2. Establish the first course of action in a detailed response plan.
3. Isolate and contain the threat, in an effort to disengage the threat and track and identify the attacker.
4. Analyze and respond to the incident.
5. Alert others according to the response strategy.
6. Begin system remediation and clean up issues that may have contributed to the security breach.

Figure 5 illustrates how these key procedures fit into the five standard phases of the incident response plan at Microsoft.
The sections that follow describe the five phases of the incident response plan and the actions that each phase can entail. Note, however, that the actions that must be performed for each incident depend on the specific circumstances of that incident.

Trigger Phase
When notified of a significant security incident or network breach, core groups within the InfoSec group evaluate the incident.

Evaluate the Situation
As shown in the preceding Figure 5, when an incident occurs, the following criteria are applied to determine the significance of the incident:
- Severity of the event
- Overall business impact
- Criticality of vulnerable/attacked assets
- Public availability of exploit information
- Scope of exposure
- Public relations impacts
- Extent of involvement for groups outside InfoSec

The incident response team uses the appropriate resources to determine the possible and probable extent of the damage based on the nature of the incident. A small working group is established, called the Incident Command Team, for evaluation of the incident. Technical and other specialty analyses are solicited on an as-needed basis. The Incident Command Team bases all assessments on known facts and reasonable supposition derived from those facts. Care is used in forecasting worst-case scenarios. At this point, the Incident Command Team measures the following:
- Current state of the system
- Extent of the penetration/infection
- Type of data at risk, source or target of the attack
- Resources that are known to be compromised
- Resources that are suspected to be compromised
- Impact on infrastructure
- Cost of recovery
- Other elements that define the scope of the problem

Establish the First Course of Action
Because the approach to addressing an incident can vary slightly depending on the nature of the incident, it is critical to be aware of the type of incident that has occurred before taking action. Based on the aforementioned evaluation, the Incident Command Team develops a detailed response plan. All attacks substantiated by InfoSec as high risk and that are widespread across the corporate network require notification, escalation, and emergency response. InfoSec selects an Incident Command Lead to spearhead the incident response plan. The incident response plan follows the InfoSec course of action by identifying and prioritizing action items, assigning areas of responsibility, and scheduling staff resources accordingly.
Team Assembly, Notification, and Escalation Phase
Each affected organization is immediately notified, and the Incident Command Lead designates representatives from each organization as Incident Command Chairs, which compose the nucleus of the incident response team. Each Incident Command Chair escalates and disseminates information within his or her organization as appropriate.

Criteria are established to determine what will cause the development, distribution, and frequency of status reports. Status reports will contain information about critical developments, general statistical information, action items, and associated responsibilities.

Response Phase
The response phase consists of the core actions that rectify the incident.
Isolate and Contain
In general, the intruder or the malicious code should be prevented from working through the network. All attempts to contain the threat also take into account every effort to minimize the impact to business operations. Resources are shut down or disconnected only when absolutely necessary, and such action is coordinated with the appropriate business units. During the response phase, every effort is made to disengage the threat, track and identify the offender, and close vulnerabilities that may have contributed to the security breach.

Analyze and Respond
At this point, the value of teams that have designated roles becomes most apparent as the incident response team works closely together to execute assignments, to provide regular status updates on outstanding action items, and to revise the response plan as necessary based on new information. The Incident Command Lead is the central collection point for the receipt and distribution of new information regarding the incident.

Alert Others As Required
In some cases, alerting other teams may be done in parallel with other steps. For InfoSec, the Operations Chair establishes an Operations Center and reserves private meeting space for the Incident Command Team. The Communications Chair opens and monitors a conference bridge and other communication channels as appropriate, and each Incident Command Chair escalates and disseminates information within his or her organization as appropriate.

Begin Remediation
Every effort is made to restore confidence in the affected systems as quickly as reasonably possible. Those efforts include steps to:
- Save the system state by backing up as much of the system as necessary to further diagnose the incident.
- Obtain forensic images and preserve original media for law enforcement review as necessary.
- Remove any hidden malicious programs or directories added by the intruder or deployed by the malicious code, up to and including a system-wide removal of all programs and files.
- Update virus signatures.
- Eliminate the vulnerability that allowed the exploit and ensure the system is restored with an optimal security configuration.
- Track hours and expenses associated with the incident response if determined to be appropriate.
- Identify and document tools and techniques that would improve future incident responses.
De-escalation Phase
The de-escalation phase indicates a return to normal business operations. In general, the amount of resources directed at the response to a particular incident diminishes over time. De-escalation normally occurs when none of the parties involved in the incident are identifying or reporting new information. An incident may also be closed even if new reports are anticipated but the action items have been transitioned to a medium- or long-term remediation project.

Post-incident Review Phase
Analysis and review of a completed incident response can result in a considerable improvement in systems and processes. The Incident Command Lead schedules a post-incident review meeting to debrief the key organizations and discuss the successes and shortcomings of the incident response. The meeting evaluates, and makes recommendations for any needed changes to, the following:
- Security tools
- Security resources
- Security architecture
- Information security policy
- Standard operating procedures
- Incident response plan
- Overall security strategy
- Outstanding contributions during the incident
Incident Response:%anaging Security at %icroso#t Page 3
"E,EN"IN; $;$INST %$47$RE
Malicious soft2are&often called malware&can take any fors. including 2ors. +ro3an
horses. and -iruses; +he $nternet. e1ail. and peer1to1peer net2orks are the ost coon
-ehicles for al2are; Peer1to1peer net2orks&often unprotected by anti-irus soft2are&are
especially -ulnerable because users 2ithin an organi>ation often consider the a trust2orthy
2ay to share files 2ith people outside the organi>ation;
Attackers often use social engineering to trick coputer users into opening al2are; 8or
e'aple. because -iruses often use e1ail address books to replicate. a user ay not
percei-e that an incoing essage contains a -irus because the sender and sub3ect line are
failiar and not suspicious;
+he sections that follo2 describe the ost coon types of al2are and an e'aple
incident response procedure at Microsoft;
Trojan Horse and Backdoor Trojan Horse
A Trojan horse is a program that does something more than the user expects, and that extra function is damaging. A Trojan horse is often disguised as a game, utility, or legitimate application. Trojan horses do not replicate by themselves; they rely on users to run them. When run, a Trojan horse damages the system, and in the case of what is known as a backdoor Trojan horse, it compromises the security of the computer while appearing to do something useful. An example of a backdoor Trojan horse is a program that behaves like a system logon screen to retrieve user names and password information that the writers of the Trojan horse can later use to break into the system.
Worm
A worm is a program that copies itself from one disk drive to another. Worms use a variety of means to replicate, including (but not limited to) e-mail, instant messaging, and the Internet. Worms may arrive on a computer in the form of a joke program or some type of software. Worms are often used to deliver Trojan horses that may damage or compromise the security of a computer.
Many worms are designed to infect default configurations, so a step as simple as moving IIS to a drive other than the default—for example, drive E—may be enough to interrupt a worm's replication. In addition, worms have fingerprints, patterns of behavior on the network. For example, the Spida worm looks for a blank administrator password, puts the guest account into the Administrators group, installs a password-cracking tool, and installs an e-mail tool that sends system information to the attacker.
When a new worm is publicized, it is important to adjust network scans to look for the fingerprint of that worm. In the case of the Spida worm, scans can look for such clues as the presence of the password tool and the e-mail tool that the worm introduces. Scanning for a fingerprint can indicate how widespread an infection is. However, using updated antivirus software continues to be the best method for eradicating known worms.
Example Emergency Response Strategy for a Worm
The Code Red worm is a well-known example of malware that can cause damage on a global scale. When it was released on July 19, 2001, Code Red infected more than 250,000 systems around the world in just nine hours. The worm scans the Internet, identifies vulnerable systems, and installs itself on these systems. Each newly installed worm joins all the others, causing the rate of scanning to grow rapidly. This uncontrolled growth directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems.
This section outlines several methods of deploying specific fixes (filters and scripts) to the Code Red worm, but the overall methodology and procedures can also be applied to similar outbreaks. Note, however, that the text in this section addresses only the CodeRedv1 variant of Code Red; other versions may require additional clean-up.
Also note that the information that follows consists of examples only and does not represent official Microsoft advice.
Contain the Outbreak
First, limit the worm's spread and disconnect compromised systems from the network. For example, because the Code Red worm spreads itself through port 80, the Remote Access Policy [1] (RAP) policy on all Information Access Service (IAS) servers for remote access should be set to block port 80. Through router access control lists (ACLs), port 80 can also be audited at the router. This audit provides the information needed to separate the internal response from the external response, which prevents home users from infecting the corporate network and prevents any corporate computer from infecting home systems.
Scan and Identify Affected and Vulnerable Systems
After the signature of the worm is known, several methods can be used to scan and identify affected and vulnerable systems. The following paragraphs describe these methods.
First and foremost, update antivirus signatures. Although it takes longer to update antivirus signatures to the desktop community, IT professionals can quickly update antivirus signatures at the gateway and perimeter to minimize the impact immediately.
Set intrusion detection applications to monitor and alert for the signature activity; in this case, any system scanning port 80, repeated characters that indicate a possible buffer overflow attempt, or specific built-in signatures.
In efficiently responding to this kind of incident, it is critically important to have previously installed and to maintain an inventory database of defined vulnerable systems, such as with Systems Management Server (SMS). In this case, all inventoried systems running Windows NT 4.0, Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Professional (with IIS installed) are at risk.
Set the Network Monitor utility (the version included in SMS) capture filters at key network boundary points to capture and report source systems that exhibit the target behavior; in this case, attempts by a source system to infect other systems inside and outside the corporate network.
Perform real-time scanning and detection to prevent further infection. Use the Netcat utility to scan an Internet Protocol (IP) range for the existence of the signature file, in this case Root.exe, by using a "for" loop in a batch file. Send the system in question a "GET /NULL.ida" request. If the system responds with "c:\inetpub\wwwroot\NULL.ida not found" or something similar, the computer is not patched. If the system responds with "NULL.ida not found," the system is patched and is not vulnerable. Examine the IIS log file for entries where the request starts with "/default.ida?" or "GET /default.ida?". By tracing the source ID back to the affected system, you can target that system for the fix.
Create a false target to lure affected systems for identification. In this example, while other IIS-based servers are being patched and rebooted, an IIS-based server with hundreds of "straw-man" IP addresses can be set up and monitored for each system attempting port 80 access.
[1] Requires Windows 2000 Active Directory Native mode.
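As an added example, not part of the paper, the following Python script shows the two detection checks just described: classifying the reply to a "GET /NULL.ida" probe, and sweeping an IIS log for the worm's request fingerprint so that each source address can be traced and patched. The log lines, IP addresses, and reply strings are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample IIS log in W3C extended format (not a real capture).
# The padding stands in for the "repeated characters" the paper names as the
# fingerprint of the worm's buffer-overflow attempt against /default.ida.
PAD = "N" * 60
SAMPLE_IIS_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 10:15:02 192.0.2.44 GET /default.ida {PAD} 200",
    "2001-07-19 10:15:09 192.0.2.7 GET /index.htm - 200",
    f"2001-07-19 10:16:41 198.51.100.23 GET /default.ida {'X' * 40} 404",
    f"2001-07-19 10:17:00 192.0.2.44 GET /default.ida {PAD} 200",
    "2001-07-19 10:18:13 192.0.2.9 GET /default.ida id=5 200",  # benign
])


def parse_w3c_log(text):
    """Yield one dict per entry of a W3C extended log, keyed by its #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_code_red_sources(text, min_repeat=20):
    """Count, per client IP, the requests that match the worm's fingerprint:
    GET /default.ida? with a query string made of one byte repeated at least
    min_repeat times. Each c-ip returned is a source to trace back and patch."""
    run = re.compile(r"(.)\1{%d,}" % (min_repeat - 1))
    hits = Counter()
    for entry in parse_w3c_log(text):
        if (entry.get("cs-method") == "GET"
                and entry.get("cs-uri-stem", "").lower() == "/default.ida"
                and run.search(entry.get("cs-uri-query", ""))):
            hits[entry["c-ip"]] += 1
    return hits


def classify_probe_response(body):
    """Classify the reply to a GET /NULL.ida probe the way the paper describes:
    a reply that echoes the full path (c:\\inetpub\\wwwroot\\NULL.ida) means the
    vulnerable .ida handler is still active, so the host is unpatched; a bare
    "NULL.ida not found" means the patch is applied."""
    text = body.lower()
    if "\\inetpub\\wwwroot\\null.ida" in text:
        return "unpatched"
    if "null.ida not found" in text:
        return "patched"
    return "unknown"


if __name__ == "__main__":
    for ip, count in find_code_red_sources(SAMPLE_IIS_LOG).most_common():
        print(f"{ip}: {count} worm-pattern request(s)")
    print(classify_probe_response("c:\\inetpub\\wwwroot\\NULL.ida not found"))
```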
Patch and Reboot Affected and Vulnerable Systems
Fixing affected systems in this case requires a reboot to clear the worm from random access memory (RAM). This task entails creating and applying a Group Policy Object that has three components: a shutdown script, a startup script, and a user logon script. For examples of these scripts, see the Appendix.
The shutdown script is run during the shutdown of the computer. The script determines whether the computer has been patched for the worm by checking the version of the file Idq.dll. If the patch has not been applied, the script disables IIS to ensure that when the computer restarts, it does not become infected before the patch can be applied.
The startup script is run during the startup of the computer. This script determines whether the computer is patched for the worm. If the patch is applied and if IIS was disabled by the shutdown script, the script brings IIS back to the previous known state.
If the computer is not patched and if the computer is running the U.S. English version of Windows XP SP1 or later, the patch is applied and the computer is rebooted through a user prompt. For computers that are not running the U.S. English version of Windows XP SP1 or later, IIS remains disabled to prevent reinfection through the World Wide Web Consortium (W3C) service, which can occur regardless of whether the service is started or not.
Using the results of scanning or other detection systems, remotely reboot vulnerable and infected systems so that the scripts doing the patching can take effect. The personnel performing the remote shutdown tasks can be granted Force Shutdown from Remote System permissions through Group Policy, which allows them to perform the necessary tasks without being a local administrator. Personnel can accomplish remote shutdown by using the shutdown utility in a batch job or other remote shutdown tools.
Review Security Response and Communications
In a sizable computing environment, it is unlikely that all potentially vulnerable systems will be on and functioning at the same time. Users across differing geographic sites will encounter vulnerabilities at different times, resulting in peaks and valleys of activity that should be monitored and tracked. Lessons learned and new information from the emergency response should be used in setting a long-term response strategy.
Virus
Simply defined, a virus is a program that replicates itself. The majority of viruses do nothing more than replicate. If running a program negatively affects a computer, that program is considered a virus only if it replicates.
There are many different categories of viruses, such as script viruses, boot sector viruses, and executable viruses, to name a few.
Script Virus
Files that contain script (for example, files created through Microsoft Visual Basic® development system, HTML, ActiveX®, or Java) can sometimes contain viruses. Script viruses are often sent as attachments to e-mail messages and instant messages and move quickly from system to system.
Master Boot Record/Boot Sector and Executable Virus
A boot sector virus infects the master boot record on a hard drive and the boot sector on a floppy disk. The master boot record and the boot sector pertain to the self-starting portion of an operating system. When the system is rebooted, the virus runs. This type of virus takes control of the system at a low level by activating between the system hardware and the operating system. These viruses are particularly serious because information in the boot sector is loaded into memory before virus protection code can be run.
An executable virus is an executable program (a file that ends in .exe, .com, .bat, or .shs, among others), often sent as an attachment to an e-mail message.
Boot sector and executable viruses typically affect some function of a computer system by interrupting the normal execution of programs or system functions. These viruses can cause any of the following interruptions in the normal operation of a computer:
Inability to boot
System and application crashes
A message on the screen
Destruction of files
Backdoor
A backdoor is a feature built into a program by its designer. The backdoor allows the designer to gain full or partial access to a computer system.
File Infector
A file infector is a virus that attaches itself to, or associates itself with, a file. File infectors usually append or prepend themselves to regular program files or overwrite program code. The file-infector class of viruses is also used to refer to programs that do not physically attach to files but associate themselves with program file names.
Macro Virus
A macro is a saved set of instructions that users can create or edit to automate tasks within certain applications or systems. A macro virus is a malicious macro that a user may execute inadvertently and that may cause damage or at the very least replicate itself.
Multi-partite Virus
A multi-partite virus infects master boot records, boot sectors, and files.
Parasitic Virus
A parasitic virus requires a host to help it spread.
Polymorphic Virus
A polymorphic virus attempts to evade detection by changing its form—its internal structure or its encryption techniques. Polymorphic viruses change their form with each infection to avoid detection by antivirus software that scans for signature forms.
Response to a Virus at Microsoft
A virus attack is a significant threat. Past viruses such as Love Letter and Melissa have forced many organizations' systems offline for hours or even days. Each corporation assigns a different cost to each minute that its essential infrastructure services are offline, but every corporation should agree that the impact is significant. There is currently no way to completely protect a corporation from a virus outbreak, but there are ways to significantly reduce the risk of downtime caused by an outbreak.
General guidelines for protection against viruses include the following:
Educate users about the ways they can avoid introducing a virus on the network.
Implement a multi-layered antivirus strategy.
Install antivirus software on gateways, servers, and desktop computers.
Use content scanners that work with gateway antivirus software. Content scanners can be configured to stop malicious file types at the perimeter.
Ensure that all users use strong passwords and have up-to-date antivirus software and patches installed on their computers.
Patch servers.
Ensure that Internet-only computers do not connect to the corporate network.
Have an effective incident response plan.
Educating users in advance is particularly important; users often feel invulnerable to attack and try to avoid security practices that are inconvenient. Users must be taught that it is crucial to comply with security policies because an attack can target anyone's system. Unpatched or noncompliant computers put all others at risk.
Although Microsoft has taken considerable measures to reduce virus exposure, new and emerging threats continue to challenge its defenses. In addition, InfoSec directs ongoing efforts to eradicate existing viruses by cleaning infected resources and responding to recurring contaminations.
In the event of a major virus attack at Microsoft, the incident response plan takes effect. However, the response is tailored to a virus attack. The overall incident response team for a virus accomplishes the following:
Engages the VACT
Identifies the virus type, the source of the virus, and the method and rate of infection
Runs an iterative scan, locates infected systems, and assesses the risk to Microsoft systems and products
Collects a sample for analysis
Determines the least invasive means of containing the outbreak, which may entail disconnecting systems from the network
Deploys virus signatures
Monitors systems for behavior associated with the malicious code
Develops virus attack notification, escalation, and initial response
Provides antivirus software update notification and coordination
Manages response actions that involve e-mail, including internal Exchange-based servers and Internet e-mail gateways
Documents incident activities
Updates and cleans infected file servers and key internal infrastructure servers
Interacts with the media regarding the virus outbreak
Communicates with corporate management
Instigates backup notification procedures
Publishes status updates by e-mail and on an internal Web page, based on a predetermined schedule
Notifies key business units when the signature is deployed
Pursues investigative leads, coordinates with law enforcement, and conducts forensic examinations if appropriate
DEFENDING AGAINST DDOS ATTACKS
In a DDoS attack, an intruder breaks into a number of computers and plants programs that lie dormant until activated by the attacker. The computers then send a steady stream of data packets to a targeted Web site in an attempt to crash a service (or server), overload network links, or disrupt other mission-critical resources. DDoS attacks are powerful because they can be launched simultaneously from hundreds of remotely controlled computers, thereby amplifying their reach. The objective of a DDoS attack is to exhaust the resources of the target until the underlying network fails. The tools for DDoS attacks are widely available and can be found at numerous hacker Web sites.
In the event of a DDoS attack against the Microsoft network or other domain properties, the incident response plan takes effect. However, the response is tailored to the DDoS type of attack. The overall incident response team for a DDoS attack accomplishes the following:
Captures network packets
Ascertains the source of packets
Notifies the upstream service provider
Backtracks packets wherever possible and eliminates the DDoS traffic
Monitors the network for spikes in bandwidth consumption
Conducts intelligence gathering on the Web
Determines the appropriate router configurations
Scans for denial-of-service programs installed on all network hosts
Sets up conference calls and other communication channels between the teams involved in the incident response team; for example, communicates with the MSRC to determine whether a product vulnerability facilitated or otherwise enabled the attack
Finds and fixes any affected network components
Posts end-user communications to a Microsoft IT intranet site upon distribution
Publishes status updates based on a predetermined schedule
Pursues investigative leads
Coordinates with law enforcement
Filters spoofed packets
Changes router configurations to block illegitimate and/or destructive packets
When symptoms such as high CPU usage indicate a DDoS attack, it is important to remember that there may be other causes of the symptoms. New content on a Web server, newly released products, or anything that may generate above-normal amounts of traffic may seem like a DDoS attack.
DEFENDING AGAINST INTERNET-FACING SERVER ATTACKS
New exploits and security holes are discovered on an ongoing basis, and hacker Web sites contain many existing tools for abusing Internet-facing servers and other resources. There is always a threat that unauthorized users will find a way into publicly visible systems. Accordingly, the systems in the perimeter network are usually the first to be attacked.
In the event of an Internet-facing server attack against the Microsoft network or other domain properties, the incident response plan takes effect. However, the response is tailored to an attack on an Internet-facing server. The overall incident response team for this type of attack accomplishes the following:
Alerts affected business units
Coordinates all monitoring activities
Tailors detection systems to target incident-specific traffic
Analyzes network traffic
Provides a technical assessment
Documents incident activities
Analyzes compromised systems for configuration errors
Reviews system logs and auditing results
Runs vulnerability assessment scans and audits on all Internet-facing systems
Communicates with the MSRC to determine whether a product vulnerability facilitated or otherwise contributed to the attack
Sets up conference calls and other communication channels between the teams involved in the incident response team; for example, coordinates communications with Corporate Public Relations as appropriate
Finds and fixes any affected network components
Identifies unnecessary services running on Internet-facing systems
Publishes status updates based on a predetermined schedule
Creates a patch and advises users about the availability of a patch
Pursues investigative leads
Coordinates with law enforcement
Provides a single source for evidence collection
Conducts forensic computer examinations on compromised systems
Certifies accounts and manages passwords on any or all Internet-facing systems
DEFENDING AGAINST UNAUTHORIZED NETWORK INTRUSIONS
Attackers have become increasingly capable of recognizing and exploiting system weaknesses to gain access to networks. Enterprises can, however, try to detect these intrusion attempts so that immediate action can be taken to restore confidence in the network after a security breach.
An attacker who gains unauthorized access to the network may try to attack the infrastructure—for example, routers, Exchange-based servers, and domain controllers. Attacks on the Active Directory® directory service are especially powerful; an attacker who takes advantage of a weak password and breaks into Active Directory can escalate user rights from guest to administrator and gain access to user names and passwords on the network.
In the event of a network intrusion at Microsoft, the incident response plan takes effect. However, the response is tailored to a network intrusion attack. The overall incident response team for this type of attack accomplishes the following:
Drives the tactical response
Coordinates all monitoring activities
Maintains and tailors all detection systems to target incident-specific traffic
Provides technical incident-specific reports and documents incident-specific activities
Gathers intelligence from the Web
Analyzes compromised systems for configuration errors
Runs vulnerability assessment scans and audits on the network
Reviews system logs and auditing results
Determines whether a product vulnerability facilitated or otherwise contributed to the attack
Sets up conference calls and other communication channels between the teams involved in the incident response team; for example, coordinates communications with Corporate Public Relations as appropriate
Finds and fixes any affected network components
Publishes status updates based on a predetermined schedule
Pursues investigative leads
Coordinates with law enforcement
Provides a single source for evidence collection
Conducts forensic computer examinations on compromised systems
Certifies accounts and manages passwords
Attackers sometimes use a "smoke screen"—an attack that attempts to divert attention from a more stealthy network intrusion. It is therefore important not to focus all attention on an initial attack, but to continue diligently looking for other attacks.
CLOSING VULNERABILITIES IN PRODUCTS
When a security weakness is found in popular products, hackers scan the Internet looking for vulnerable systems. Some computer security breaches are a consequence of system software bugs, hardware or software failures, or incorrect system administration procedures. Some product vulnerabilities become apparent only when the software is run on a particular computer, under a particular operating system, or in a specific configuration.
If a major security vulnerability is discovered in a Microsoft product, the incident response plan takes effect. However, the response is tailored to the situation of a product vulnerability, so the specific steps involved are somewhat different from the steps required to handle an attack. The overall incident response team for this type of vulnerability accomplishes the following:
Maintains and tailors detection systems to tightly monitor systems for unusual behavior associated with the vulnerability
Prepares an intermediary course of action for affected business units
Alerts affected business units to the vulnerability and responds to intrusions
Provides technical incident-specific reports and documents incident-specific activities
Tracks the status of the quick-fix engineering (QFE) fix
Runs an iterative scan, locates infected systems, and assesses the risk to Microsoft systems
Finds and fixes any affected network components
Sets up conference calls and other communication channels between the teams involved in the incident response team; for example, coordinates communications with Corporate Public Relations as appropriate
Publishes status updates based on a predetermined schedule
Disseminates information about the release of patches
Pursues investigative leads
Conducts forensic computer examinations on compromised systems
Conducts a full vulnerability review of the product
LESSONS LEARNED
Before InfoSec launched the initiative that changed the Microsoft approach to network security from firefighting to prevention and organized incident response, InfoSec identified the most common computer vulnerabilities through scanning and auditing. Enterprises should endeavor to evaluate and remedy high-risk vulnerabilities first, including:
Poor password management
Weak account management processes
Unsecured and unmanaged remote computers
Poorly configured and unpatched systems
Weak auditing and monitoring processes
Inadequately restricted access to critical information
The goal of the security initiative at Microsoft was to mitigate risk to the infrastructure by securing the network perimeter and securing the network interior through a multilayered defense strategy (defense in depth). One key to this goal was enhanced monitoring and auditing. General best practice guidelines, based on Microsoft IT's experience in this area, include the following:
Use automated scanning tools, such as MBSA and HFNetChk, to continually scan all computers for security vulnerabilities.
Monitor computers as broadly as possible. Use a logon script to audit clients.
Use MOM to check the integrity of servers.
Institute a policy of aggressive compliance and remediation.
In other words, best practices include steps to prevent incidents as well as steps to respond to incidents. It is important for organizations to classify risks according to the value of each resource on the computer network, the likelihood of exposure for each resource, and the potential threat posed by the different kinds of attacks.
First Layer of Defense: Secure the Network Perimeter
Securing the network perimeter—Internet and e-mail gateways—blocks as many attacks as possible before they can gain access to the network. The following sections describe methods for securing the network perimeter, including remote connections.
Use 802.1x to Secure Wireless Access
A wireless network that is based on a shared Wired Equivalent Privacy (WEP) key can be compromised for unauthorized access to the corporate network. The solution at Microsoft was to:
Disable the shared WEP key globally.
Upgrade firmware in existing access points to support the 802.1x specification.
Uniquely authenticate each wireless user to the wireless network.
Uniquely authenticate each wireless device to the wireless network.
Create a security policy that prohibits the use of "rogue" access points.
Use a Perimeter Messaging Firewall on the Network
Dual-homed services, such as Microsoft Outlook® Web Access (OWA), Microsoft Mobile Information Server (MIS), and Internet Mail Connectors (IMCs), are susceptible to network attacks and intrusion attempts. The solution at Microsoft was to place hardened ISA firewall servers in front of all OWA, MIS, and IMC servers.
Use an Effective Network Intrusion Detection System
It is important to monitor and identify network and host-based intrusions to be able to respond to them efficiently and effectively. It is also important to gather and store evidence to help identify attackers and take action.
The solution at Microsoft was to deploy a dual-layered intrusion detection system that consists of an external layer that monitors attacks from outside the network and an internal layer that detects and alerts to an outer-shell breach. Scanning and auditing domain controllers and requiring all users to use strong passwords also help ensure that valuable network properties—such as Active Directory—are secure.
Secure Remote User Connections
A secure perimeter must include the computers operated by remote users. Unmanaged and unsecured remote computers that connect to the corporate network can compromise overall network security. In addition to ensuring that remote users use Connection Manager to connect to the corporate network, Microsoft requires remote users to do the following:
Employ a Personal Firewall Application
A personal firewall application—for example, the Internet Connection Firewall feature of Windows XP—provides additional protection on all clients outside the corporate firewall.
Use Smart Cards
Previously, remote access to the corporate network required only single-factor authentication: user name and password. With single-factor authentication, attackers can compromise domain credentials to gain unauthorized access to resources on the network. The solution was to deploy smart cards for strong two-factor authentication.
Download the Latest Antivirus Software and Patches
Ensure that remote users install the latest approved antivirus software and software patches. At Microsoft, if automated logon scans determine that a user's system lacks the required software or patch, InfoSec uses Connection Manager to continually prompt the user until he or she uses the Windows AutoUpdate tool to perform the installation. A user who does not comply with the request is denied access to the network.
Deny Viruses at the Perimeter
Deploy antivirus software at the gateway to scan files downloaded from the Internet. In addition, perform content scanning and filtering at Internet-facing e-mail servers. Block files that have potentially unsafe attachments, such as .exe files and files that contain script. Another useful technology to protect proxy servers is sandboxing—the process of running a program or file in an isolated environment to determine whether it is malware that is not yet detected by antivirus software.
Second Layer of Defense: Secure the Network Interior
The following sections describe methods for securing the servers and desktop computers that compose the network interior.
Control Programs Available to Users
Because users can introduce vulnerabilities when they use or download nonessential applications, it is important to document changes on the network and to control the programs on users' desktops. Microsoft practices a "closed by default, open by exception" methodology, whereby users can download only the programs that are required for their jobs. To prevent a potential security risk, a related best practice is to disable all unused system services and applications on users' desktops by means of Group Policy.
Require Password-Protected Screen Savers
To help eliminate unauthorized access to idle equipment, require all users to use screen savers that lock their computers after a specified period of time.
Eliminate Weak Passwords
Attempts to crack passwords are common. Require complex passwords with a limited validity period and maintain a list of recently used, ineligible passwords. At Microsoft, recurring scans systematically identify weak and blank passwords so that such passwords can be changed immediately. Microsoft has also enacted a server configuration requirement that mandates strong password selection and use on servers. This initiative eliminated 99 percent of total password vulnerabilities.
Eliminate Shared Domain Service Accounts
Services that use shared domain accounts are a major security risk. Domain accounts can be compromised to gain unauthorized access to resources on the corporate network.
The solution at Microsoft was to:
Use computer accounts for running services wherever possible.
Mitigate risk by grouping related computers so that the compromise of one computer in a group limits the risk to only that group.
Limit the use of domain administrator accounts to high-security servers, such as domain controllers.
Conso!idate 4oca! $dministrator $ccounts
9ocal adinistrator account pass2ords shared bet2een coputers are a significant
-ulnerability; )oproise of one shared local adinistrator pass2ord leads to the
coproise of all coputers that use the sae pass2ord;
+he solution at Microsoft 2as to aintain a uni<ue local adinistrator account pass2ord for
each coputer and anage local adinistrator account pass2ords according to corporate
pass2ord policies; Re<uiring sart cards for adinistrator access pro-ides additional
security;
Secure "omain Contro!!ers
Prior to the security initiati-e launched by $nfoSec. there 2ere nuerous ser-ers that
consolidated infrastructure. end1user. and tools ser-ices in a single ser-er platfor
configuration; +he ore end users 2ith adinistrati-e rights on a doain controller. the
greater the risk that the doain controller 2ill be coproised;
+he solution at Microsoft 2as to:
9iit doain controllers to pro-iding only infrastructure ser-ices. thereby reducing the
Incident Response:%anaging Security at %icroso#t Page 5'
nuber of users that ha-e adinistrati-e rights on each doain controller;
Regularly audit doain controllers to confir configuration copliance;
%nsure that doain controllers are not configured 2ith $$S under any circustances;
Prohibit ser-ices that allo2 end users to place files on a ser-er that is enabled as a
doain controller;
Enforce Application of Antivirus Software and Software Patches
Network clients that do not have the latest approved antivirus software and that have unpatched vulnerabilities are a major security risk. Network administrators should monitor key, security-oriented Web sites for vulnerability and new patch alerts and make patches and antivirus updates available to users in a timely and consistent manner. Servers must be patched as soon as an exploit is identified.
At Microsoft, the personnel responsible for managing servers patch them immediately; however, the speed at which clients are patched depends somewhat on users. During an incident, posters and e-mail messages encourage users to patch their computers. If a scan determines that a client does not have a required patch, the Monitoring and Compliance group uses Group Policy to deploy a patch in the form of a script that configures the Windows Auto-update tool. Users connecting to the network are prompted until they download the patch. The message cannot be disabled, and repeated failure to download the patch causes the user to be denied network access.
Windows Auto-update helps ensure timely and consistent patching of operating systems. However, it does not cover Microsoft Office applications. InfoSec uses SMS to prompt users to download patches for Office. Using SMS both for operating system and Office patches, in addition to using Active Directory policy control to automate patching on all desktop computers worldwide, may be an effective long-term strategy.
Use Secure, Robust Operating Systems for Clients and Servers
It is a good practice to migrate from Windows NT 4.0 to a more robust operating system, such as Windows 2000 or Windows XP. For example, Outlook 2002 in Windows XP automatically blocks potentially unsafe attachments. Security updates help keep applications secure; for example, Outlook security updates can be installed for heightened default security settings and e-mail attachment security. In addition, accounts and computers in Windows NT 4.0 domains cannot be managed and secured unless those domains are migrated to Active Directory.
Educate Users
Continually reinforce behaviors that prevent malware infection. At Microsoft, Microsoft IT has learned that the most effective way to educate users is to send a regular notice that lists the necessary tips and tricks, for example, immediately deleting e-mail messages that contain suspicious attachments and disabling macros when opening a document.
CONCLUSION
Preventing an incident is less costly than reacting to an incident that occurs. Enterprises should develop a system of security audits, system scans, and remediation steps to reduce the number of computer vulnerabilities that can be exploited. Enterprises should also educate users about how to protect their systems from malware.
Computer resources, however, cannot be made completely attack-proof. Risk is an inherent part of networks. It is therefore important to develop an incident response plan and to practice enacting the plan to make sure that it works. Flexibility is also important; an organization should be ready to change monitoring and defensive strategies during an incident as necessary to handle the distinctive circumstances of an individual attack.
Whatever the structure of an incident response team, communication is critical. All groups affected by the incident must be notified of, and responsive to, ongoing efforts.
Having a detailed, well-rehearsed, and flexible incident response plan ensures that any exploit that occurs can be handled in an orderly, effective manner that minimizes the impact to systems.
FOR MORE INFORMATION
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
http://www.microsoft.com/
http://www.microsoft.com/technet/itshowcase
For any questions, comments, or suggestions on this document, or to obtain additional information about Microsoft IT Showcase, please send e-mail to:
showcase@microsoft.com
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Microsoft grants you the right to reproduce this White Paper, in whole or in part, specifically and solely for the purpose of personal education.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.
© 2003 Microsoft Corporation. All rights reserved.
APPENDIX: EXAMPLE SCRIPTS FOR WORM REMOVAL
This appendix consists of Group Policy shutdown, startup, and logon scripts that can be used as part of the process of removing the Code Red worm. The Microsoft Visual Basic, Scripting Edition (VBScript), code provided here is offered for example purposes only and is not specific advice.
Group Policy Shutdown Script
'Checking the idq.dll File Version
' if file version of idq.dll < 5.0.2195.3645
On Error Resume Next
strfilename = "\idq.dll"
set WshShell = WScript.CreateObject("WScript.Shell")
' the idqdllver environment variable holds the installed idq.dll version (set outside this script)
Wscript.Echo "idqdllver is " & WshShell.ExpandEnvironmentStrings("%idqdllver%")
stridqdllver = WshShell.ExpandEnvironmentStrings("%idqdllver%")
if Err.Number <> 0 then
    Wscript.Quit(1)
end if
Wscript.Echo stridqdllver
if ( strComp("5.0.2195.3645", stridqdllver, 0) > 0 ) then
    Wscript.echo "idq.dll was not updated IIS Service will be stopped"
    Set ServiceSet = GetObject("winmgmts:").ExecQuery("select * from Win32_Service where Name='W3SVC'")
    if ServiceSet.count > 0 then
        for each service in ServiceSet
            'set the registry key
            ' save the current start mode of W3SVC under HKLM\Software\iisdisabled before disabling the service
            Err.Clear
            szIISState = WshShell.RegRead("HKLM\Software\iisdisabled")
            If Err.Number <> 0 then
                'MsgBox ("Could Not Get the initial IIS State Getting current state")
                szIISState = service.StartMode
                Err.Clear
            end if
            if StrComp(szIISState, "Auto") <> 0 then
                if StrComp(szIISState, "Manual") <> 0 then
                    szIISState = "Disabled"
                end if
            end if
            Wscript.Echo szIISState
            ' same value name as the RegRead above, so a later run finds the saved state
            WshShell.RegWrite "HKLM\Software\iisdisabled", szIISState
            if Err.Number <> 0 then
                Wscript.Quit(1)
            end if
            wscript.echo "Disabling Service"
            service.ChangeStartMode("Disabled")
            if Err.Number <> 0 then
                Wscript.Quit(1)
            end if
        next
    end if
end if
Group Policy Startup Script
'Checking the idq.dll File Version
' if file version of idq.dll < 5.0.2195.3645
On Error Resume Next
strfilename = "\idq.dll"
set WshShell = WScript.CreateObject("WScript.Shell")
' the idqdllver environment variable holds the installed idq.dll version (set outside this script)
Wscript.Echo "idqdllver is " & WshShell.ExpandEnvironmentStrings("%idqdllver%")
stridqdllver = WshShell.ExpandEnvironmentStrings("%idqdllver%")
if Err.Number <> 0 then
    Wscript.Quit(1)
end if
Wscript.Echo stridqdllver
if ( strComp("5.0.2195.3645", stridqdllver, 0) > 0 ) then
    Wscript.echo "idq.dll was not updated IIS Service will be stopped"
    Set ServiceSet = GetObject("winmgmts:").ExecQuery("select * from Win32_Service where Name='W3SVC'")
    if ServiceSet.count > 0 then
        for each service in ServiceSet
            service.StopService()
            if Err.Number <> 0 then
                Wscript.Quit(1)
            end if
        next
    end if
end if
' Check for the reboot reg key.
' if reg key is set log details and do not reboot.
' if reg key is not set
'     set the reg key
'     reboot
' if the reg key is set
'     log the information
'     quit.
val = 0
val = WshShell.RegRead("HKLM\Software\idqreboot")
if Err.Number <> 0 then
    ' value does not exist yet: create it as REG_DWORD 0
    Err.clear
    WshShell.RegWrite "HKLM\Software\idqreboot", 0, "REG_DWORD"
    If Err.Number <> 0 then
        Wscript.echo "do the logging"
        Wscript.quit(1)
    end if
end if
val = WshShell.RegRead("HKLM\Software\idqreboot")
Wscript.echo val
if val = 1 then
    ' a previous run already rebooted this machine once; do not loop
    Wscript.echo "registry key found, cannot reboot"
    Wscript.echo "logging into file for reference"
else
    WshShell.RegWrite "HKLM\Software\idqreboot", 1, "REG_DWORD"
    Wscript.echo "Please Reboot your machine"
    ' the (Shutdown) privilege in the moniker is required for Win32_OperatingSystem.Reboot
    Set pSysSet = GetObject("winmgmts:{(Shutdown)}!//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
    if Err.Number <> 0 then
        Wscript.echo "Error in Wmi"
        WshShell.RegWrite "HKLM\Software\idqreboot", 0, "REG_DWORD"
        Wscript.Quit(1)
    end if
    for each pSys in pSysSet
        pSys.Reboot()
    next
    Wscript.Quit(1)
end if
Group Policy Logon Script
'if IIS is installed
'Start if
On Error Resume Next
bIISInstalled = 0 ' variable to check if IIS is installed.
bReboot = 0
' the (Shutdown) privilege in the moniker is required for Win32_OperatingSystem.Reboot
Set pSysSet = GetObject("winmgmts:{(Shutdown)}!//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
for each pSys in pSysSet
    spMajorVersion = pSys.ServicePackMajorVersion
next
if Err.Number <> 0 then
    Wscript.Quit(1)
end if
'Creating Shell Object
set WshShell = WScript.CreateObject("WScript.Shell")
if Err.Number <> 0 then
    Wscript.Quit(1)
end if
'WScript.Echo "WinDir is " & WshShell.ExpandEnvironmentStrings("%WinDir%")
'Getting the current system directory
strSystemDirectory = WshShell.ExpandEnvironmentStrings("%WinDir%") & "\system32"
Wscript.echo strSystemDirectory
if Err.Number <> 0 then
    Wscript.Quit(1)
end if
'Checking if IIS Service is installed
Set ServiceSet = GetObject("winmgmts:").ExecQuery("select * from Win32_Service where Name='W3SVC'")
Wscript.echo ServiceSet.count
if Err.Number <> 0 then
    Wscript.Quit(1)
end if
if ServiceSet.count > 0 then
    bIISInstalled = 1
    Wscript.echo "iis is installed"
else
    bIISInstalled = 0
    Wscript.echo "iis is not installed"
end if
if bIISInstalled then
    'Checking the idq.dll File Version
    ' if file version of idq.dll < 5.0.2195.3645
    strfilename = "\idq.dll"
    'wshShell.Run "setidqdll.bat", 1, True
    'wshShell.Run "GetFileVer.bat " & strSystemDirectory & strFileName ', 1, True
    ' the idqdllver environment variable holds the installed idq.dll version (set outside this script)
    Wscript.Echo "idqdllver is " & WshShell.ExpandEnvironmentStrings("%idqdllver%")
    stridqdllver = WshShell.ExpandEnvironmentStrings("%idqdllver%")
    if Err.Number <> 0 then
        Wscript.Quit(1)
    end if
    'wshShell.Run "setidqdll.bat", 1, True
    'Wscript.Echo (WshShell.RegRead ("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WW\boot.description\language.dll"))
    Wscript.Echo stridqdllver
    'if 1 then ' for testing purpose
    if ( strComp("5.0.2195.3645", stridqdllver, 0) > 0 ) then
        Wscript.echo "idq.dll needs to be updated"
        'if os language is not english
        strLang = WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WW\boot.description\language.dll")
        if Err.Number <> 0 then
            Wscript.Quit(1)
        end if
        'if (0) then 'for testing purpose'
        if ( strComp(strLang, "English (American)") = 0 and spMajorVersion >= 1 ) then
            ' if American English Version let the calling program do the update
            Wscript.Echo "American English and Service Pack is at least 1"
            Wscript.Quit(0)
        else
            Wscript.Echo "Not American English or Service Pack is less than 1"
            Set ServiceSet = GetObject("winmgmts:").ExecQuery("select * from Win32_Service where Name='W3SVC'")
            if Err.Number <> 0 then
                Wscript.Quit(1)
            end if
            if ServiceSet.count > 0 then
                bServiceAvail = 0
                for each service in ServiceSet
                    if strcomp(service.startMode, "Disabled") = 0 then
                        Wscript.Echo "Service is Disabled"
                        ' disabled service just quit
                        ' compare the service pack level captured from Win32_OperatingSystem above
                        if spMajorVersion < 1 then
                            MsgBox "Your machine is vulnerable to the Code Red worm. IIS is disabled." & Chr(13) & Chr(10) & "Install Windows 2000 Service Pack 1 or greater from" & Chr(13) & Chr(10) & "http://www.windowsupdate.com ", vbSystemModal
                        else
                            MsgBox "Your machine is vulnerable to the Code Red worm. IIS is disabled." & Chr(13) & Chr(10) & "Install the patch for the Code Red worm from" & Chr(13) & Chr(10) & "http://www.microsoft.com/windows2000/downloads/critical/q300972", vbSystemModal
                        end if
                    else
                        wscript.echo "Disabling Service"
                        service.ChangeStartMode("Disabled")
                        if Err.Number <> 0 then
                            Wscript.Quit(1)
                        end if
                        MsgBox "Your machine is vulnerable to the Code Red worm." & Chr(13) & Chr(10) & "IIS has been disabled." & Chr(13) & Chr(10) & "Click OK to reboot.", vbSystemModal
                        bReboot = 1
                    end if
                next
            end if
        end if
    else
        Wscript.echo "idq.dll need not be updated"
        Wscript.Quit(1)
    end if
    if bReboot = 1 then
        Wscript.Echo "Please Reboot your machine"
        Set pSysSet = GetObject("winmgmts:{(Shutdown)}!//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
        if Err.Number <> 0 then
            Wscript.Quit(1)
        end if
        for each pSys in pSysSet
            pSys.Reboot()
        next
        Wscript.Quit(1)
    end if
end if
' end of script
Wscript.Quit(1)
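All three scripts above decide whether idq.dll is out of date with strComp("5.0.2195.3645", stridqdllver, 0), an ordinal character-by-character comparison rather than a field-by-field one. The Python below is an added example, not part of the white paper or its scripts; it reproduces that test beside a numeric comparison to show where the two disagree. Only 5.0.2195.3645 is taken from the page; every other version string is constructed for illustration.

```python
# Added example (not from the white paper): ordinal versus field-wise
# comparison of idq.dll version strings. Only 5.0.2195.3645 is taken from
# the page; every other version string here is constructed for illustration.

REQUIRED_IDQ_VERSION = "5.0.2195.3645"   # patched idq.dll build from the page


def needs_update_strcomp(installed, required=REQUIRED_IDQ_VERSION):
    """Reproduce the scripts' test: strComp(required, installed, 0) > 0.

    Compare mode 0 (vbBinaryCompare) orders strings character by character,
    which is the same plain string ordering Python's > provides.
    """
    return required > installed


def parse_version(version):
    """Split 'a.b.c.d' into a tuple of ints; reject anything that is not
    dot-separated digits (for example the literal '%idqdllver%' that
    ExpandEnvironmentStrings returns when the variable is unset)."""
    fields = version.strip().split(".")
    if not all(f.isdigit() for f in fields):
        raise ValueError("malformed version string: %r" % version)
    return tuple(int(f) for f in fields)


def needs_update_numeric(installed, required=REQUIRED_IDQ_VERSION):
    """Field-wise test: an update is needed when installed < required."""
    return parse_version(installed) < parse_version(required)


def classify(installed):
    """Return both verdicts so a disagreement is visible at a glance."""
    return {
        "installed": installed,
        "strcomp_says_update": needs_update_strcomp(installed),
        "numeric_says_update": needs_update_numeric(installed),
    }


if __name__ == "__main__":
    # Constructed samples: an older build whose last field has fewer digits
    # (strComp wrongly passes it), a newer build with more digits (strComp
    # wrongly flags it), and the exact patched build.
    for sample in ("5.0.2195.996", "5.0.2195.12345", "5.0.2195.3645"):
        print(classify(sample))
```

If the idqdllver variable the scripts rely on is unset, ExpandEnvironmentStrings returns the literal "%idqdllver%", which the strComp test silently treats as an out-of-date version; the field-wise parser rejects it instead.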