Network Load Balancing and Failover Clusters

The document discusses various aspects of network security, including the importance of security policies, network load balancing, and failover clusters for maintaining service availability. It also addresses the detection and management of security breaches, particularly in relation to the Conficker virus, detailing methods for identifying infected systems and mitigating its spread. Additionally, it emphasizes the significance of monitoring security logs and implementing effective auditing practices to safeguard against unauthorized access and data integrity issues.

• are an essential part of security policies
• attack is discovered, the easier it is to stop and (if it has managed to compromise the system) minimize damage and bring the system back to functionality
• should be designed by the most experienced administrator and tested by the least experienced user in a company
Network Load Balancing

• improves the availability and scalability of network services like web servers, FTP servers, firewalls, proxy servers and report servers
• in this case is running on more than one computer, meaning there is a separate launched copy of the service in each of the hosts
• is a function dividing incoming client requests between the networked hosts. As a result, each of them only processes a part of user requests
• host may be calibrated (by doing so you can increase the performance of the service). Network Load Balancing can direct all traffic to a single designated host
• incoming requests are automatically passed to the running computers. Because of this, a single host failure will hurt the performance of a service, but will keep it from becoming unavailable
• services that are protected using NLB do not share data. Each host has its own copy of the data. As a consequence, if you want to allow users to modify it, it's necessary to sync the copies across the computers
Failover Clusters

• A node (either physical or virtual) is a computer in a cluster
• A service (like a database server) is only running in a single active node. If the node becomes unavailable, the service fails over to another (passive) node
• are necessary to ensure continuous availability: one active and one passive node
• nodes are only needed if you have more services running in the cluster
• requests and controls the access to files kept in shared storage
• and doesn't have access to the files. Its role is to monitor the availability of the active node

When you activate a cluster, the nodes in it communicate with each other over a network. Because of this, setting changes in the active node will be automatically synced. Each node should have at least two NICs, with one card connected to a private network, and the other connected to a public network
• The private network will only be used for inter-node communications like checking on the availability of the active node. To do this, the active node sends a signal (heartbeat) to the passive node at regular intervals
• The public network allows clients to access the protected service
• the operating system and the data from a backup. If you choose this option, consider whether you can factor in data loss of some kind. If the answer is yes, what amounts of data may be lost? Think about whether you want to be able to recover data from any point in time. If you can only afford a short service recovery procedure, consider using additional technologies like OS virtualization, array-based backups or doubling databases
• service. If this is the option you choose, you need to use trusted media that you know have not been maliciously modified (with original files)
• or reset the service settings. Restoring settings is the fastest, most failproof solution and should be the preferred option. To make it possible, you should always have an up-to-date service metadata (settings) copy on tap
The security log may be set to record both failed and successful attempts by users to run some operations
The security log is not on by default in earlier versions of Windows
• object access, specify the objects to be audited and users whose events should be logged in the security log, as well as determine the events to be audited
• and newer systems you can enable Global Object Access Audit

Log Parser, available at Microsoft Download, solves both these problems at once. It will allow you to:
• data using SQL commands
• from the logs as HTML reports
• and present output as charts

    LogParser "SELECT TimeGenerated, Message INTO [Link] FROM Security WHERE EventID = 528 AND SID LIKE '%Administrator%'" -resolveSIDs:ON
The security log entries will allow you to:
• security policy breaches
• external attacks
• an attack and prepare evidence

• trying to access folders by monitoring event 560. The data you need to analyse failures include the Object Name attribute as well as Primary User Name and Client User Name
• changing Active Directory controller restoring password. You'll find the name of the user who tried to make this change in the User Name field, while the IP address of this user's computer is under the Workstation IP attribute
• reported when someone tries to change a user password. The name of the modified account is the value of Target Account Name, while to see which user changed the password, look for the Primary Account Name attribute
• logged in the case of a modification of local groups
• resetting user password using administrative tools
• logged when a new account is created. You'll find the name of the user account who performed this operation under Primary User Name
• these events are logged in the case of a modification of global groups
An attacker may attempt to hide a security policy breach by diverting the attention of the admin or by changes made to audit policy (turning off the auditing of some events) or by a deletion of the security log file. You can discover these operations by auditing the following events:
• indicates that the log is full and new events cannot be audited. Increase the size of the log file or copy its content and clear the log
• occurs when the log is cleared. The Client User Name attribute gives you the name of the user who performed this operation
• a change of the system time. All events saved in logs come with the time of occurrence, which is the local system time, so this event may mean your auditing system is being cheated, for example to gain an alibi. You can find the name of the user responsible for this under Client User Name
• a system error that causes the log to fail to record new events
• (wrong username or password)
• (administrative accounts)
Attempts to log into inactive (for example expired) or blocked accounts will log these events:
• 8 failed attempts to log into a blocked account. To see the name of the account, check Target Account Name. You'll get the name of the computer from which the logon was made under Workstation Name
• 6 failed attempts to log into inactive accounts
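Putting the two lists above into a small checker, as an added example that is not part of the original slides: it reports the log-clearing and clock-change events by Client User Name, pairs a clock change with a log wipe that follows it, and counts logons against blocked or inactive accounts per Workstation Name. The event IDs (517, 520, 528, 531, 532, 539) and the record layout are assumptions (classic pre-Vista Windows IDs), since the slides' own IDs did not survive extraction.

```python
# Added example: triage of exported security-log records for the tampering
# indicators and failed logons described in the text. Event IDs are the classic
# pre-Vista Windows IDs (assumed, not taken from the slides): 517 = audit log cleared,
# 520 = system time changed, 528 = logon, 531 = disabled, 532 = expired, 539 = locked out.
from collections import Counter
from datetime import datetime, timedelta

TAMPER = {517: "security log cleared", 520: "system time changed"}
DEAD_ACCOUNT_LOGON = {531: "disabled account", 532: "expired account", 539: "locked-out account"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed records shaped like the attributes of a security-log export (not real data).
SAMPLE_EVENTS = [
    {"EventID": 528, "TimeGenerated": "2009-02-03 08:01:12", "Primary User Name": "james"},
    {"EventID": 539, "TimeGenerated": "2009-02-03 08:02:40",
     "Target Account Name": "james", "Workstation Name": "WS-17"},
    {"EventID": 539, "TimeGenerated": "2009-02-03 08:02:41",
     "Target Account Name": "anna", "Workstation Name": "WS-17"},
    {"EventID": 520, "TimeGenerated": "2009-02-03 08:05:00", "Client User Name": "svc_backup"},
    {"EventID": 517, "TimeGenerated": "2009-02-03 08:05:30", "Client User Name": "svc_backup"},
    {"EventID": 532, "TimeGenerated": "2009-02-03 08:06:10",
     "Target Account Name": "contractor1", "Workstation Name": "WS-04"},
]


def triage(events, window=timedelta(minutes=10)):
    """Return (alerts, per_host). alerts: (time, description, Client User Name) for each
    tampering event; per_host: Workstation Name -> number of logon attempts against
    blocked/inactive accounts, the lockout signal that exposed Conficker hosts."""
    alerts, per_host, last_clock_change = [], Counter(), {}
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        eid = ev["EventID"]
        when = datetime.strptime(ev["TimeGenerated"], TS_FORMAT)
        user = ev.get("Client User Name", "?")
        if eid == 520:
            last_clock_change[user] = when
            alerts.append((ev["TimeGenerated"], TAMPER[eid], user))
        elif eid == 517:
            note = TAMPER[eid]
            # A clock change followed by a log wipe by the same account is the
            # "alibi" pattern the text warns about, so it is called out explicitly.
            if user in last_clock_change and when - last_clock_change[user] <= window:
                note += " (shortly after changing the clock)"
            alerts.append((ev["TimeGenerated"], note, user))
        elif eid in DEAD_ACCOUNT_LOGON:
            per_host[ev.get("Workstation Name", "?")] += 1
    return alerts, per_host
```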
File Authenticity Check
• integrity using SigCheck
• checksums using ExactFile

• forensics is to secure and analyse the evidence of computer crimes
• from security logs, IDS logs or images of drives on compromised computers
• Secure the evidence (usually done by creating low-level hard disk copy)
• Investigate and analyse the duplicated data in detail
• Have an expert evaluate the analysis mode used and the evidence itself
• belongs to the self-propagating breed of viruses that don't need user interaction
• targeted Windows systems. A month before the virus was detected, Microsoft shared a security update patching up a discovered vulnerability (MS08-067 was published October 2008)
• After the pandemic broke out, Microsoft shared a comprehensive guide to removing the worm (KB960027) and offered a reward (250,000 dollars) for help in identifying the creators of Conficker
• Also known as Downadup, the name Conficker comes from the domain name [Link] which computers infected with version A of the virus connected with:
• was discovered in November 2008
• was launched the next month
• appeared a month later
• the B version updated itself to Win32/Conficker.C
• Win32/Conficker.E crept into P2P networks created by version C, and several days later version B started updating itself to version E
It was an easy task with Conficker. Since infected machines would make 500 connections with domains chosen randomly from a pool of 50,000 and attempted to spread to the other hosts in a system, there were obvious signs something was wrong:
• load rose significantly and correlated with a significant drop in performance
• were automatically blocked (as the virus attempted to crack user passwords)
• a noticeable decrease in performance in all network applications
Moreover, if you remembered about updating antivirus scanners regularly, the programs reported finding a virus

The next step is determining the attack scale and preventing the virus from spreading. To do this, you could:
• for instance McAfee Conficker Detection Tool
• about the operation of the worm to identify infected computers on your own
The virus would modify the [Link] file to trick users into starting the infected file

    [autorun]
    shellexecute=Servers\splash.hta *DVD*
    icon=Servers\a[Link]

    [autorun]
    Action=Open folder to view files
    Icon=%systemroot%\system32\[Link],4
    Shellexecute=.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\[Link],ahaezedrn
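An added example (not from the slides) of the defender's side of the autorun.inf trick above: a small parser that extracts the [autorun] keys and reports the signs seen in both samples (launch target under RECYCLER, DLL-plus-export target, .hta target, folder-like Action text and icon). The sample file is constructed; the worm file name and the icon source are placeholders, not values from the page.

```python
# Added example: check autorun.inf content for the social-engineering and hiding tricks
# shown in the Conficker samples. The sample below is constructed; "payload.dll" stands in
# for the worm file name (not on the page) and the shell32.dll icon source is an assumption.
import re

SAMPLE_AUTORUN = """[autorun]
Action=Open folder to view files
Icon=%systemroot%\\system32\\shell32.dll,4
Shellexecute=.\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\payload.dll,ahaezedrn
"""


def parse_autorun(text):
    """Return the keys of the [autorun] section as a lowercase-key dict (last value wins)."""
    keys, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def suspicious_indicators(keys):
    """List the tricks present in a parsed [autorun] section; empty for a plain installer."""
    findings = []
    launch = keys.get("shellexecute") or keys.get("open") or ""
    if "recycler" in launch.lower():
        findings.append("launch target hidden under RECYCLER")
    if re.search(r"\.dll\s*,\s*\S+\s*$", launch, re.I):
        findings.append("launch target is a DLL plus export name (rundll32-style)")
    if re.search(r"\.hta\b", launch, re.I):
        findings.append("launch target is an HTML application")
    if keys.get("action", "").lower().startswith("open folder"):
        findings.append("Action text mimics the Explorer 'Open folder' prompt")
    if re.search(r"shell32\.dll\s*,\s*4\s*$", keys.get("icon", ""), re.I):
        findings.append("icon borrowed from shell32.dll to look like a folder")
    return findings
```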
It would also save a hidden worm copy file on removable media

HKLM\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Virus File Location"


When you restarted your computer, the service would run automatically
Spreading through Cracking Passwords
• a popular password list to crack user passwords
• it used a simple mechanism to check if passwords are built on usernames. For example, if the username was James, Conficker would attempt to log into this account by trying james123, 123james, semaj and so on
• massive account lockouts as a single compromised host in large systems could lock out even several thousand user accounts
• to detect which machines were infected was simply to see the IP addresses of computers responsible for the lockouts

you could fall back on a free tool suite available at Microsoft Download: Account Lockout and Management Tools. The suite included EventCombMT
analyse the generated file using Log Parser to receive the IP addresses of infected computers

    logparser -i:textline "SELECT SUBSTR(Text, LAST_INDEX_OF(Text, 'Address: ')) AS IPAddr INTO [Link] FROM *.txt"
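A Python equivalent of the Log Parser step above, added here as an example and not part of the slides: it takes the source address after 'Address: ' from EventCombMT-style lockout lines and ranks the hosts responsible. The input lines are constructed in the shape of that output, and the reporting threshold is an assumption.

```python
# Added example: extract and rank the source addresses behind account lockouts from
# EventCombMT-style text output, mirroring the LAST_INDEX_OF(Text, 'Address: ') query.
import re
from collections import Counter

ADDR = re.compile(r"Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed lines in the shape of EventCombMT output for event 539 (not real captures).
SAMPLE_LINES = """\
DC01,539,AUDIT FAILURE,Security,Sat Feb 07 09:12:01 2009,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Account locked out User Name: james Domain: CORP Logon Type: 3 Workstation Name: WS-17 Source Network Address: 10.20.30.41 Source Port: 1150
DC01,539,AUDIT FAILURE,Security,Sat Feb 07 09:12:03 2009,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Account locked out User Name: anna Domain: CORP Logon Type: 3 Workstation Name: WS-17 Source Network Address: 10.20.30.41 Source Port: 1151
DC02,539,AUDIT FAILURE,Security,Sat Feb 07 09:12:09 2009,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Account locked out User Name: ops Domain: CORP Logon Type: 3 Workstation Name: WS-04 Source Network Address: 10.20.30.77 Source Port: 2031
DC02,539,AUDIT FAILURE,Security,Sat Feb 07 09:12:15 2009,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Account locked out User Name: james Domain: CORP Logon Type: 2 Workstation Name: DC02 Source Network Address: - Source Port: -
"""


def lockout_sources(text, threshold=2):
    """Count lockout events per source address. Returns (counts, suspects) where suspects
    are the addresses with at least `threshold` lockouts, most active first."""
    counts = Counter()
    for line in text.splitlines():
        if ",539," not in line:          # only account-locked-out records
            continue
        match = ADDR.search(line)        # console logons carry '-' and are skipped
        if match:
            counts[match.group(1)] += 1
    suspects = [ip for ip, n in counts.most_common() if n >= threshold]
    return counts, suspects
```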
While assessing the attack territory, you need to take steps towards protecting the remaining computers
• Blocking TCP port 445, which was used by the virus to spread itself using SMB network shares
• Denying registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost) modification privileges using Group Policy (check out the knowledge base article 962007 at [Link]tionsteps to see how to edit the policy)
• Disabling the automatic run of files on removable media (tips found in the article above)

In this case, you could use one of the several freely available tools, like Microsoft's malware removal tool, EConfickerRemover (ESET), D (Symantec), Stinger (McAfee) or Kaspersky's Killer removal tool
