Viruses, worms and other malware continue to be one of the greatest or at least most consistent threats that network and security administrators have to handle. Each year surpasses the last in total volume of new malware introduced -- and the malware writers just keep getting smarter. Not only do new threats show a fair amount of creativity and sometimes even programming genius, but different malicious groups have joined forces to create...
viruses that help spread spam, some of which distributes phishing attacks.
One of the biggest problems with antivirus programs is that they are almost universally reactive. They do a great job of guarding against known threats, but they are only as good as their last update. When a new threat emerges, there is a lag time between the threat beginning to spread on the Internet and the antivirus vendors updating their software to detect and protect against the new threat. Instead of relying on antivirus software, there are a few basic steps administrators can take to proactively defend and secure Windows 2000 and 2003 servers.
For starters, there are the common-sense steps of keeping critical servers segregated from the rest of the network, disabling unnecessary processes or applications, and implementing patches for vulnerabilities that pose a risk. Above and beyond that, here are three technical steps you can take to protect servers from worms and other malware.
Protect the registry
Malware often attempts to edit the Windows registry in some way. Modifying or adding keys to the registry also allows it to embed itself in the system, ensuring it starts when the system is rebooted while avoiding detection. You can protect the registry by restricting remote access to Administrators. Modify permissions on the HKLM\System\Control\CurrentControlSet\SecurePipeServers registry key to allow remote editing only by authorized users. It is also prudent to restrict registry-modification abilities by applying necessary permissions to different registry paths.
Restrict access to services
Many forms of malware evade being cleaned by creating a service with a Startup Type set to Automatic. When the system is rebooted, the service will start and re-initiate the virus or worm. You can protect your server from such modifications by setting the permissions on the services to restrict which users have the authority to do so. Under Security Settings within Properties for the service, select Edit Security and add or remove users or groups as needed to set the access rights for that service.
Disable unnecessary services
Windows services perform a number of useful and valuable tasks. But if you have no need for the task the service performs, having it enabled simply creates another potential avenue for malware to exploit the system. Security best practices dictate that only those services required for the operation of a server be enabled. For more information, refer to Windows services you should disable today and Top four services to disable – maybe by Roberta Bragg. Microsoft also provides a detailed listing of the services with explanations of what they do in their Threats and Countermeasures Guide.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet/Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions, visit Essential Computer Security.