15 January 2009

Conficker

This rather unfortunately-titled virus - ask anyone who speaks both French and German ;-) - seems to be "flavour of the month" at the moment.

There is a nice, readable summary of how this virus spreads here.

On our network, we installed the MS08-067 patch to every PC as soon as it became available, and we have Autorun disabled (of course).

That just leaves the problem of the worm, once it's on your LAN, spreading by logging in to the other PCs. I presume from the description that it does the equivalent of
  NET USE \\{pc}\ADMIN$ /USER:{pc}\Administrator {password}
for some set of passwords selected from a dictionary.

Well, as luck would have it, all of our PCs have unique, computer-generated(*) passwords on the local Administrator account. This was a decision we took 12 years ago when we first installed Windows NT 4.0. It was done so that if necessary we could keep any troublesome users from having Administrator privileges (we had decided that by default, Domain Users would be in the Administrators group, after discovering that this was necessary to install a patch for Office, and not being in the Administrators group didn't prevent them accidentally breaking NT anyway). In 12 years we've only had to do this once (and the guy was let go a couple of months later), and we've always wondered if it was really a sensible thing to do, since managing all those 8- or 9-letter random words is quite a bit of work. It looks like we may have found a good reason after all...


(*) Since you ask: we used SET PASSWORD /GENERATE on VAX/VMS.
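The per-machine local Administrator password scheme described above is the thing that blunts a dictionary-driven ADMIN$ login sweep: a guessed password opens one PC, not the whole LAN. The following is an added example (my code, not the author's VAX/VMS procedure) that generates a unique random password per host with Python's CSPRNG-backed secrets module, and then audits an existing inventory for password reuse and reports how many hosts a single guessed password would reach. The host names and the function names (generate_inventory, find_shared_passwords, blast_radius) are constructed for the illustration; secure storage and distribution of the resulting list is assumed to be handled elsewhere.

```python
import math
import secrets
import string
from collections import defaultdict

# Letters and digits, minus characters that are easily confused when a password
# is read back from a printed list (0/O, 1/l/I). 57 symbols remain.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def generate_password(length=14):
    """Return one random password drawn from ALPHABET using secrets (a CSPRNG)."""
    if length < 8:
        raise ValueError("length below 8 is too short for a local Administrator password")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length):
    """Entropy in bits of a password of the given length drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def generate_inventory(hosts, length=14):
    """Assign every host its own password; retry on the (astronomically unlikely) collision."""
    inventory = {}
    used = set()
    for host in hosts:
        pw = generate_password(length)
        while pw in used:
            pw = generate_password(length)
        inventory[host] = pw
        used.add(pw)
    return inventory


def find_shared_passwords(inventory):
    """Return {password: [hosts]} for every password that more than one host uses."""
    by_pw = defaultdict(list)
    for host, pw in inventory.items():
        by_pw[pw].append(host)
    return {pw: sorted(hs) for pw, hs in by_pw.items() if len(hs) > 1}


def blast_radius(inventory, guessed_password):
    """Hosts a worm could log in to once it has guessed this one local Administrator password."""
    return sorted(h for h, pw in inventory.items() if pw == guessed_password)


if __name__ == "__main__":
    # Constructed host list, not a real network.
    hosts = ["PC01", "PC02", "PC03", "PC04"]
    inv = generate_inventory(hosts)
    for host, pw in inv.items():
        print(f"{host}: {pw}")
    print(f"entropy per password: {entropy_bits(14):.1f} bits")
    print("shared passwords:", find_shared_passwords(inv))  # expected: {}

    # A constructed inventory with reuse, the situation the unique-password policy avoids.
    shared = {"PC01": "SameEverywhere", "PC02": "SameEverywhere", "PC03": "Different1"}
    print("reuse found:", find_shared_passwords(shared))
    print("one guess reaches:", blast_radius(shared, "SameEverywhere"))
```

The audit functions are the useful part in practice: run find_shared_passwords over whatever list you already maintain, and treat any non-empty result as the set of machines where one guessed password becomes many. The generated list is itself a high-value target, so it belongs in a password safe or an equivalent, not in a spreadsheet on a file share.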

3 comments:

  1. Hi Nick, sorry for the stupid question, but does the net use stuff work
    even on blank-password Administrator accounts??

  2. Yes, then you need (if I remember correctly):

    NET USE \\{pc}\ADMIN$ /USER:{pc}\Administrator ""

  3. But, by default on XP, you can only do local/interactive logins when the password is empty.
