Get a glimpse inside Roberta Bragg's new book "Hardening Windows systems" with this series of book excerpts. This excerpt from Chapter 1, "An immediate call to action," explains how simple it is for an infected computer to wreak havoc on a network. Click for the
Don't allow unprotected laptops and desktops to connect to the LAN
Even though network-wide patching and antivirus policies are enforced and stringently followed, an infection from some viruses and worms can be caused when users of laptop computers return them to the network. This is because these users may not have properly updated systems. If their systems become infected, they can infect others by simply connecting to the LAN. Likewise, desktop computers that have not been used for some time may lack proper patches and viral protection.
Users may bring systems from home, and contractors may also connect unmanaged, unprotected systems to the LAN. Your policies should ban these actions.
Instead of allowing these unsafe systems to connect to the LAN, establish a policy that requires their inspection and updating before their return. The policy may not be easy to enforce, as technical controls to manage connections are not widely deployed. Here are some options for managing network connections:
- Use authenticating switches. If a rogue computer (an unauthorized computer such as one that is brought in by an employee, a contractor or an attacker) attempts to connect to the network, it can not authenticate and so is prevented from connecting. If you properly manage authentication, you can also disable computers taken off the network from being inadvertently connected without being updated.
- Use network quarantines. Segment a portion of the network to be used by mobile systems. Deny access to the rest of the network until systems are properly updated and any existing infections cleaned.
Click for the next excerpt in this series: Use Runas or Su.
Click for book details or purchase the book.