
Need help with old network!

Status
Not open for further replies.

Hokie97VT

IS-IT--Management
Apr 27, 2009
We have recently inherited an old network that is an utter mess. We have hundreds of workstations, email and internet usage.

Can anyone provide guidance on what would be the best approach to clean up the security environment?

GPOs, domain users and DNS are a mess; viruses, spam and trojans are rampant, and it is a monster whose size we cannot even determine. Exchange is a mess user-wise. Security is non-existent in the sense of GPOs and locking down workstations. We have no idea why the GPOs were created or by whom.

What is the best approach to cleaning up the mess? Is it to do one thing at a time, or just do it all at once? We have so many issues that it feels as though we are chasing our tail trying to resolve them.

Where should we start?
 
I think you are going to have to start by making a plan on paper. Figure out what resources you have available and what the logical groups and subnets will be. For example, organize the servers, printers, etc. Decide if you want to have the users in a DHCP range, etc. Determine what you think are acceptable usage policies, update practices, etc. Get it all written down, specified, and signed off. Then start implementing it. Stick to your plan, but try to remain flexible. For a while at least you will probably be putting out fires as they occur.

One of the first logistics I think I would try to tackle is the malware. The problem with malware is that it potentially compromises EVERYTHING and until you have a handle on that, you can have confidence in NOTHING.

Focus on the servers. Get them cleaned and hardened. Given where you are starting from, you might want to give them a wipe and re-install. Make sure they are current with updates, including the applications. Monitor your event and system logs for any signs of trouble. If you really have malware trouble, consider moving some of your servers to Linux, which is a lot more resilient and will at least be immune to Windows viruses. After you get them clean, install some security monitoring programs on them to watch them and watch what is happening on the network to keep them safe. Consider using an application such as Nessus to find vulnerabilities.

Next, I would probably focus on either the email, which can be a source of spreading junk, and/or the Internet usage policy. It may be necessary to proxy and block some services, at least for a while. At a minimum, subscribe to a list of known "bad" sites and block those to help prevent infection of machines.

Get all the users updated, run scans on the systems and get them up to date. Set up a policy that runs scans on them and notifies you automatically if a problem is found. If necessary, format and re-install the OS to wipe out viruses, etc.

Establish VLANs and proper share mappings, white-listing authorized users as needed. Establish a GOOD password policy and change passwords occasionally, but don't go overboard, otherwise you run the risk of users creating things like Password1234.

Move on to creating organized domains, and use a good authentication method. Consider an Active Directory structure with Kerberos.

Have patience and realize that it will take time.
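As an added example that is not part of Noway2's post or of the original thread: the plan above keeps coming back to the same domain objects (password policy, who owns which accounts, who sits in the admin groups, and which GPOs exist, who created them and whether they are even linked). The PowerShell below is a first-pass audit of exactly those items, written for this thread and not taken from any project. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the workstation it runs from, that it is run as a domain admin, and that the thresholds (12-character minimum, 90 days for a stale account) are starting points to argue about in the written plan, not the thread's recommendation.

```powershell
# Added example: first-pass domain hygiene audit (not from the original thread).
# Requires RSAT ActiveDirectory + GroupPolicy modules; run with domain admin rights.
# Thresholds below are assumptions; adjust them to match the signed-off plan.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Area, $Item, $Detail) {
    $Findings.Add([pscustomobject]@{ Area = $Area; Item = $Item; Detail = "$Detail" })
}

# 1. Default domain password policy, compared against assumed minimums
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.MinPasswordLength -lt 12) { Add-Finding 'Password policy' 'MinPasswordLength' $pol.MinPasswordLength }
if (-not $pol.ComplexityEnabled)   { Add-Finding 'Password policy' 'ComplexityEnabled' 'false' }
if ($pol.LockoutThreshold -eq 0)   { Add-Finding 'Password policy' 'LockoutThreshold' 'no lockout (0 attempts)' }
if ($pol.PasswordHistoryCount -lt 5) { Add-Finding 'Password policy' 'PasswordHistoryCount' $pol.PasswordHistoryCount }
Add-Finding 'Password policy' 'MaxPasswordAge' $pol.MaxPasswordAge   # reported, not judged

# 2. Account hygiene: enabled accounts that look unowned or unexpired
$staleCutoff = (Get-Date).AddDays(-90)     # assumption
Get-ADUser -Filter { Enabled -eq $true } `
    -Properties PasswordNeverExpires, PasswordNotRequired, LastLogonDate, PasswordLastSet |
  ForEach-Object {
    if ($_.PasswordNeverExpires) { Add-Finding 'Accounts' $_.SamAccountName 'PasswordNeverExpires' }
    if ($_.PasswordNotRequired)  { Add-Finding 'Accounts' $_.SamAccountName 'PasswordNotRequired' }
    if ($_.LastLogonDate -and $_.LastLogonDate -lt $staleCutoff) {
        Add-Finding 'Accounts' $_.SamAccountName "stale: last logon $($_.LastLogonDate)"
    }
    if (-not $_.PasswordLastSet) { Add-Finding 'Accounts' $_.SamAccountName 'password never set / must change' }
  }

# 3. Who holds the keys: recursive membership of the built-in privileged groups.
#    Enterprise/Schema Admins exist only in the forest root; errors are skipped.
foreach ($grp in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Privileged groups' $grp $_.SamAccountName }
}

# 4. GPO inventory: owner, dates, status and every link, so each GPO can be
#    traced to a purpose or marked for removal. Unlinked/disabled ones are called out.
foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
    $detail = "owner=$($gpo.Owner) created=$($gpo.CreationTime.ToString('yyyy-MM-dd')) " +
              "modified=$($gpo.ModificationTime.ToString('yyyy-MM-dd')) status=$($gpo.GpoStatus) " +
              "links=" + $(if ($links.Count) { $links -join ';' } else { 'NONE' })
    $area = if ($links.Count -eq 0 -or $gpo.GpoStatus -eq 'AllSettingsDisabled') { 'GPO (unlinked/disabled)' } else { 'GPO' }
    Add-Finding $area $gpo.DisplayName $detail
}

$Findings | Sort-Object Area, Item | Format-Table -AutoSize -Wrap
$Findings | Export-Csv -NoTypeInformation -Path .\domain-audit.csv
```

The CSV is the useful artifact: it becomes the appendix to the written plan, each GPO and each privileged account either gets an owner and a reason or gets scheduled for removal, and re-running the script after each cleanup pass shows what is left.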

 
I don't really have anything to add to what Noway2 posted, except a little encouragement, as I have just recently seen the light at the end of the tunnel. When I started, every user from the newest hire to the executive officer all had the same password and the network was much as you describe... a MESS!! Things are much better now.
 
THANK YOU Noway2!

Fisheromasce, do you have the plan that Noway2 references that you could share, so I do not have to start from scratch?
 
I do have a vague step-by-step plan, but it was written specifically to address the issues of our network, and each will be different.

We had one done in-house, one by a long-term local consultant, and one by an out-of-state third party, and they were all quite similar, if focused on slightly different portions of the problem depending on the evaluator's expertise. The in-house one was 14 pages, the local consultant's 8 pages and the third party's a massive 58 pages; it went into the phone system and the overall network wiring of the building as well, which in my case ended up being a huge part of the problem (we found one Cat5 run that was over 330 feet long and had a hub on the end of it).

We started with a fresh server install, made a snapshot, and started making it secure.
We recreated the users, created fresh GPO groups and started with a clean, up-to-date domain that then received a number of basic but essential functions, mostly on their own VMs: Windows Update, A/V, file server, Exchange server, DNS, etc.

Besides the 10,000 hoops that MS made us jump through (going from 2003 SBS to 2008 was convoluted!), our biggest consumption of time and energy was explaining to users that, yes, they used to have access to the executive director's folder on the file share but do not now and will not in the future, and continuing to explain that if there were files they needed that were kept there, we needed to find a new secure place to put them (i.e. OfficeShare, FrontLineShare, MgmtShare, etc.). It was a real surprise to me how many staff were accessing things they had no reason to and became upset when that access was revoked.

At one point, I did have to physically visit every machine to run antivirus/spyware/etc. tools from a CD as an infection kept recurring, but not necessarily on the same machine... as I discovered a few weeks later when the infection popped up again, a USB flash drive and a roaming staff member were the real culprits!
 
Thank you! Great help!

It may be that I have to put a real fire out before I can even start working on what you both have described; it seems we are getting hit with the Conficker virus.

Is there any way to tell which station the virus started on within my network? I want to know how it got in!

Thanks for your valuable help!
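As an added example that is not part of Hokie97VT's post or of the original thread, one way to chase the "which station did it start on?" question: Conficker spreads over SMB and brute-forces account passwords against other hosts, so on the domain controllers it leaves a trail of account-lockout events, each carrying the name of the computer the bad attempts came from. Pulling those events from every DC and sorting by time gives the earliest caller, which is the best lead for where it started (or at least for an early spreader; a box seeded from a USB stick, as in Fisheromasce's case, only shows up once it starts attacking others). The script below was written for this thread and assumes Server 2008-era DCs, where the lockout is event ID 4740 in the Security log; on Server 2003 DCs the equivalent is event 644, with different field layout. The mapping of the "Caller Computer Name" field to the event's TargetDomainName data element is how 4740 is laid out, but check it against one sample event on your own DC before trusting the result.

```powershell
# Added example: locate the earliest account-lockout source across all DCs
# (not from the original thread). Assumes Server 2008 DCs (event 4740) and
# that the current user can read the remote Security logs.
Import-Module ActiveDirectory

$Since  = (Get-Date).AddDays(-14)        # how far back to look; assumption
$Events = New-Object System.Collections.Generic.List[object]

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } |
        ForEach-Object {
            # Pull the EventData fields by name rather than by position
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $Events.Add([pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                Account = $data['TargetUserName']
                Caller  = $data['TargetDomainName']   # 4740 stores "Caller Computer Name" here; verify on a sample event
            })
        }
    } catch {
        # Get-WinEvent throws when a DC has no matching events or is unreachable
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

if ($Events.Count -eq 0) { Write-Host "No lockout events since $Since"; return }

# The single earliest lockout: the first host seen attacking other accounts
"Earliest lockout:"
$Events | Sort-Object Time | Select-Object -First 1 | Format-List

# Per source host: first seen, how many lockouts, which accounts it hit
"Lockout sources, earliest first:"
$Events | Group-Object Caller | ForEach-Object {
    [pscustomobject]@{
        Caller    = $_.Name
        FirstSeen = ($_.Group | Measure-Object -Property Time -Minimum).Minimum
        Lockouts  = $_.Count
        Accounts  = (($_.Group | ForEach-Object { $_.Account }) | Sort-Object -Unique) -join ','
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

Two caveats a practitioner would add: the Security log on a busy DC rolls over quickly, so if the outbreak is older than the log, the earliest event you find is only the earliest surviving one, and hosts that share a common local admin password spread without any failed logons at all, which leaves successful network logons (4624, logon type 3) rather than lockouts as the trail to follow.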
 