Rob Burton's network was eaten up by the Nimda virus. In fact, e-mail was down for a total of two entire work days. The silver lining in this dark cloud is that Burton, a network support specialist for Levick Strategic Communications, completed a successful recovery and is better prepared for the next attack.
Levick is a media relations firm, representing clients from around the world. Burton works at Levick's Washington, DC home office and administers remote locations in London, New York City, New Jersey and Virginia. In a distributed network, Levick runs Windows NT servers and Windows NT and Windows 2000 workstations. User data is stored on a central file server. The data is backed up daily via a Web-based backup solution from Framingham, MA-based Connected Corp.
In a searchWindowsManageability interview, Burton described his fight with Nimda and offered disaster recovery tips he gleaned from that battle.
searchWindowsManageability: What was your data recovery process after Nimda struck?
I prioritized by what was absolutely necessary for us to do business. The primary way my people do business is via e-mail. So, getting the e-mail server cleaned and running was the first priority. As far as recovering lost data, there were packets that were lost in transit, and they're gone. That was something that we had to write off.
Unfortunately, with a virus like Nimda, we have to wait to get the definitions from the viral crisis experts first to figure out what it's doing and how to clean it. The first thing I did was shut down my network completely. Then I called people I knew in the industry to see if they'd heard anything. I also went to various Web sites to see if there were viral alerts or definitions available. So, the virus attacked us at 8 am. I didn't know until noon what it was. That evening at 8 pm, we finally had a definition from Symantec. Then I started repairing the e-mail system.
searchWindowsManageability: One way Nimda attacked was through attached e-mail files opened by users. How do you stop a user from opening those infected files?
You can't stand behind all employees and tell them what they can and can't open. You obviously can't predict what's going to come along next. Nimda had various, random attachments and subject lines that it would put on its e-mail. So, it was very difficult. In large companies, you're playing Russian roulette. You can block certain attachments, and you can put out all the e-mails you want. In the end, however, it just comes down to dumb luck sometimes.
searchWindowsManageability: Could you offer some tips on disaster recovery based on what you learned with Nimda?
One of the lessons I learned was to put my foot down earlier. I should have shut down the network and told everyone to go home. It's tough for a system administrator to tell the people he works for that we can't continue to work. With users at home, however, there's not the distraction of having them in the office. If I'd sent our users home immediately, I could have worked straight through to get it done.
Also, I learned to have a plan in advance. Know what you need to do before a disaster strikes.
searchWindowsManageability: Are there any disaster recovery issues that are special to Windows environments?
An attack like Nimda is Windows-specific. A virus attack is a big danger now if you're running Internet Information Server (IIS). Clearly there are some very sophisticated people out there making viruses that attack Windows and IIS specifically. You're never ready for it. The next virus that comes along is going to get you. It's just the luck of the draw. Security holes are constantly being found in IIS. Microsoft patches them, but it's always after the fact. That's a big issue.
searchWindowsManageability: What are the benefits of Web-based backup, like the solution you run?
All of our backup data is stored at Connected in Framingham, MA. If we have a crisis where a machine is destroyed, we have an entire picture, including the system, on the Web. We can literally rebuild the system completely on the Web. Even if we bought a newer server, or it's not an exact replica of the previous server, we can still download all the data. So, our data is completely safe. Even in the event where all the machines are completely destroyed, our data is on the Web and is safe.
This was first published in October 2001