
Concise guidance on emergency response to ransomware and other network-spreading viruses in a domain network

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

If you run a domain network, the domain can distribute policies centrally, so you can respond quickly as follows. The main idea is to close the channels through which the infection can spread as early as possible, and then apply the patch as early as possible to fix the root cause.

If you do not have a domain network, deploy one as soon as possible.

Note: this is an emergency response framework, not a comprehensive security solution; it is suited to dealing with network-spreading viruses. Apart from disconnecting infected computers from the network, the basic steps are as follows:

(1) Cut off the external infection channel

If the affected port is published to the public network, the published server may become infected, so it is recommended to temporarily disable that mapping rule on the gateway firewall, patch the published server, and only then re-enable the mapping.

For example, with TCP 445 in this case: although no company publishes this port on its own, the firewall policy may map an entire external IP to an internal IP (as with some video conferencing servers or similar services that need a large range of dynamic ports published), which in effect exposes TCP 445 as well.

(2) For client computers

The first step is to temporarily close the port through domain Group Policy, because a network virus usually has to connect to that port to succeed. The second step is to patch. This is the fundamental measure, but because patching is slower than turning on a firewall policy, it comes second. The third step: after the patch is installed, the port may need to be reopened. Port 445, for example, is very important in a domain network; while it is closed, client shares (including printer shares) cannot be used, and many administrative operations fail (such as remote management).

Group Policy is refreshed in the background, so the firewall policy is applied automatically without restarting the computer. The default refresh interval is 90 minutes with a random offset of 0-30 minutes, so it usually takes effect quickly. You can also change this refresh interval through Group Policy.
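The client-side policy described above, as an added example that is not part of the original article: a single emergency GPO that turns the Windows firewall on, blocks inbound TCP 445 on workstations only, keeps ICMP echo open, and shortens the background refresh interval so the block lands sooner. It assumes the GroupPolicy and NetSecurity modules (RSAT) on the admin workstation; the domain name, GPO name and OU path are placeholders.

```powershell
# Added example, not from the original article. Emergency GPO for client computers:
# firewall on, inbound TCP 445 blocked, ICMP echo allowed, faster policy refresh.
# Assumptions: RSAT GroupPolicy + NetSecurity modules; names below are placeholders.
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain   = 'corp.example'                        # placeholder domain
$GpoName  = 'Emergency-Block-TCP445-Clients'      # hypothetical GPO name
$TargetOu = 'OU=Workstations,DC=corp,DC=example'  # hypothetical OU: link to clients only, never to servers
$RuleName = 'EMERGENCY Block inbound TCP 445'

# 1. Create the GPO (if missing) and link it to the workstation OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Windows Firewall with Advanced Security settings live in the GPO's own policy store.
$Store = "$Domain\$GpoName"

# 2. Firewall on for every profile. These rules apply to Vista/7 and later;
#    Windows XP is configured through the legacy "Windows Firewall" administrative templates instead.
Set-NetFirewallProfile -PolicyStore $Store -Profile Domain,Private,Public -Enabled True

# 3. Block inbound SMB (TCP 445). The rule is later disabled, not deleted,
#    so the same policy can be re-armed quickly next time.
New-NetFirewallRule -PolicyStore $Store -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Enabled True | Out-Null

# 4. Keep ICMPv4 echo request (ping) open so the help desk can still reach clients.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Allow ICMPv4 echo request' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Enabled True | Out-Null

# 5. Refresh interval: default is 90 min + 0-30 min random offset; use 15 + 0-5 during the incident.
#    (Computer Configuration > Administrative Templates > System > Group Policy >
#     "Set Group Policy refresh interval for computers")
$GpKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $GpKey -ValueName 'GroupPolicyRefreshTime'       -Type DWord -Value 15 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $GpKey -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value 5  | Out-Null

# After the patch is installed: reopen 445 (shares and printers work again) and restore
# the default refresh interval, but keep the "firewall on" setting permanently.
function Disable-EmergencyBlock {
    Disable-NetFirewallRule -PolicyStore $Store -DisplayName $RuleName
    Remove-GPRegistryValue -Name $GpoName -Key $GpKey `
        -ValueName 'GroupPolicyRefreshTime','GroupPolicyRefreshTimeOffset' | Out-Null
}
```

The block rule is created inside the GPO rather than on each machine, which is what makes the third step (reopening 445 once patched) a single Disable-NetFirewallRule call instead of a visit to every client.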

(3) For server computers

For servers, if a port is affected, and especially TCP 445 this time, do not rush to close it. Many Windows services depend on it (AD, clustering, file servers, etc.). If you close it, the corresponding services stop, which can even set off a larger chain reaction. So for servers that require port 445, the first step is to patch rather than to close the port.

Here are some specific instructions.

(1) Enable the client firewall through Group Policy

The main point to note is that the firewall service on Windows 7 is different from the one on Windows XP (it is a different service). When enabling the firewall, remember to allow ICMP, and any other ports that are in use must also be opened.

(2) Import the patch on the WSUS server

Automatic synchronization may be slow, so it is recommended to import manually with the following method, which is faster.

First, find the corresponding patch number, for example the patch number for the ransomware. Different systems may have different KB numbers.

Then go to the WSUS console and select Import Update.

This opens the Microsoft Update website; enter the KB number, search, and select Add.

Choose View basket.

Select Import.

Approval is required after the import completes.

To find the imported patch, you can sort by MSRC number (for example, MS17-010 is an MSRC number) for easy approval. Clients are permitted to download and install the patch only after it has been approved.
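The approval step above, as an added example that is not part of the original article: it finds every update on the WSUS server whose security bulletin is the given MSRC number (MS17-010 is the one named in the text) and approves it for the chosen computer groups. It assumes it runs on the WSUS server itself with the UpdateServices module (Windows Server 2012 or later), that the updates were already imported through the console as described, and that the target group names are placeholders.

```powershell
# Added example, not from the original article. Approve WSUS updates by MSRC bulletin number.
# Assumptions: run on the WSUS server (UpdateServices module); group names are placeholders.
Import-Module UpdateServices

function Approve-UpdatesByBulletin {
    param(
        [Parameter(Mandatory)][string]   $Bulletin,      # e.g. 'MS17-010'
        [Parameter(Mandatory)][string[]] $TargetGroups,  # WSUS computer groups to approve for
        [switch] $Preview                                # list only, approve nothing
    )
    # Get-WsusUpdate returns wrapper objects; .Update is the underlying IUpdate,
    # which carries the SecurityBulletins and KnowledgebaseArticles collections.
    $found = Get-WsusUpdate -Classification All -Approval AnyExceptDeclined -Status Any |
        Where-Object { $_.Update.SecurityBulletins -contains $Bulletin }

    if (-not $found) {
        Write-Warning "No update carrying bulletin $Bulletin is on this server; import it first."
        return
    }

    foreach ($u in $found) {
        $kbs = ($u.Update.KnowledgebaseArticles -join ',')
        Write-Host ("{0} [KB {1}] - {2}" -f $Bulletin, $kbs, $u.Update.Title)
        foreach ($g in $TargetGroups) {
            if ($Preview) { Write-Host "  would approve for '$g'"; continue }
            Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $g
            Write-Host "  approved for '$g'"
        }
    }
}

# Preview first, then approve for the client and server groups (placeholder group names).
Approve-UpdatesByBulletin -Bulletin 'MS17-010' -TargetGroups 'Workstations','Servers' -Preview
Approve-UpdatesByBulletin -Bulletin 'MS17-010' -TargetGroups 'Workstations','Servers'
```

Filtering on the bulletin rather than on a KB number matters because, as the text notes, the KB number differs per operating system while the MSRC number is the same for all of them.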

(3) Configure the Group Policy for automatic download, update and installation as follows:

To speed up patch installation as much as possible, several settings need to be adjusted temporarily: for example, reschedule missed automatic-update installations with a wait time of 1 minute, and set a short re-prompt interval for the restart after installation, so that users restart as soon as possible.

Remember to restore the regular values after the patch has been applied.

Note: for client computers, automatic download with scheduled installation is recommended; for servers, automatic download with manual installation.
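The Automatic Updates settings just described, as an added example that is not part of the original article: one function writes the WSUS client policy into a GPO for either the client role (download and install on schedule) or the server role (download, install manually), with an emergency switch that sets the 1-minute reschedule wait and a short restart prompt, and restores the regular values when called without it. It assumes the GroupPolicy module (RSAT); the GPO names and the WSUS server URL are placeholders.

```powershell
# Added example, not from the original article. Automatic Updates GPO values for the
# emergency window and for normal operation. Assumptions: RSAT GroupPolicy module;
# GPO names and WSUS URL are placeholders.
Import-Module GroupPolicy

$WuKey   = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey   = "$WuKey\AU"
$WsusUrl = 'http://wsus.corp.example:8530'   # placeholder WSUS server

function Set-AuPolicy {
    param(
        [Parameter(Mandatory)][string] $GpoName,
        [Parameter(Mandatory)][ValidateSet('Client','Server')][string] $Role,
        [switch] $Emergency
    )
    $v = @{}
    $v['NoAutoUpdate']  = 0                                            # Automatic Updates on
    $v['UseWUServer']   = 1                                            # use the WSUS server below
    $v['AUOptions']     = if ($Role -eq 'Client') { 4 } else { 3 }     # 4 = auto download + scheduled install
                                                                       # 3 = auto download, install manually (servers)
    $v['ScheduledInstallDay']  = 0                                     # 0 = every day
    $v['ScheduledInstallTime'] = 3                                     # 03:00
    $v['DetectionFrequencyEnabled'] = 1
    $v['DetectionFrequency']   = if ($Emergency) { 1 } else { 22 }     # hours between checks against WSUS
    $v['RescheduleWaitTimeEnabled'] = 1
    $v['RescheduleWaitTime']   = if ($Emergency) { 1 } else { 15 }     # minutes after start-up before a missed install runs
    $v['RebootRelaunchTimeoutEnabled'] = 1
    $v['RebootRelaunchTimeout'] = if ($Emergency) { 5 } else { 30 }    # minutes between restart prompts
    $v['NoAutoRebootWithLoggedOnUsers'] = 1                            # prompt a logged-on user rather than force a restart

    Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUServer','WUStatusServer' `
        -Type String -Value $WsusUrl,$WsusUrl | Out-Null
    foreach ($name in $v.Keys) {
        Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName $name -Type DWord -Value $v[$name] | Out-Null
    }
}

# During the incident (placeholder GPO names):
Set-AuPolicy -GpoName 'WU-Clients' -Role Client -Emergency
Set-AuPolicy -GpoName 'WU-Servers' -Role Server -Emergency
# After the patch has been rolled out, the same calls without -Emergency restore the regular values:
# Set-AuPolicy -GpoName 'WU-Clients' -Role Client
# Set-AuPolicy -GpoName 'WU-Servers' -Role Server
```

Keeping both sets of values in one function is what makes the "remember to restore" step a one-liner instead of a hunt through the GPO editor under time pressure.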

(4) Refresh Group Policy on a client to test (gpupdate /force)

Normally you will see a patch-installed icon in the lower-right corner of the screen within a few minutes.
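The check behind this step, as an added example that is not part of the original article: it runs gpupdate /force on a list of computers and reports whether the emergency 445 block is active, whether the patch is installed, and whether a restart is pending, so the result can be verified from the console instead of waiting for the tray icon. It assumes WinRM is enabled on the targets, that the block rule is named as in the client firewall example, and that the computer names and KB numbers are placeholders; the KB IDs must be replaced with the ones that apply to each OS version.

```powershell
# Added example, not from the original article. Verify the emergency state on remote machines.
# Assumptions: WinRM enabled; computer names and KB numbers are placeholders.
$Computers = 'pc-001','pc-002','srv-file-01'   # placeholder computer names
$PatchKbs  = 'KB0000000','KB0000001'           # PLACEHOLDER: the MS17-010 KB numbers for your OS versions
$RuleName  = 'EMERGENCY Block inbound TCP 445' # hypothetical rule name from the firewall GPO

function Test-EmergencyState {
    param([string[]] $ComputerName, [string[]] $Kb, [string] $Rule)
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Kb), $Rule -ScriptBlock {
        param([string[]] $Kb, [string] $Rule)
        # Apply policy now instead of waiting for the background refresh.
        gpupdate /force | Out-Null

        # netsh is used because Windows 7 has no NetSecurity cmdlets.
        $ruleText = netsh advfirewall firewall show rule name="$Rule" 2>$null
        $blocked  = [bool]($ruleText | Select-String -Pattern '^Enabled:\s+Yes')

        # The patch shows up as an installed hotfix once it has been applied.
        $installed = Get-HotFix -ErrorAction SilentlyContinue |
            Where-Object { $Kb -contains $_.HotFixID } |
            Select-Object -ExpandProperty HotFixID

        # Windows Update sets this key when an installed update still needs a restart.
        $reboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

        New-Object PSObject -Property @{
            Computer    = $env:COMPUTERNAME
            Block445    = $blocked
            PatchKb     = ($installed -join ',')
            Patched     = [bool]$installed
            NeedsReboot = $reboot
        }
    } | Select-Object Computer, Block445, Patched, PatchKb, NeedsReboot
}

Test-EmergencyState -ComputerName $Computers -Kb $PatchKbs -Rule $RuleName | Format-Table -AutoSize
```

A server in the list is expected to show Block445 false and Patched true, since the text says servers are patched rather than having the port closed; a client that shows Patched true and NeedsReboot true is the one still waiting on the user to restart.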

There are of course other measures: configuring an ACL on the core switch to block the port should also be quick, and more advanced handling is possible through a network access control system, etc. (although most companies do not have one).

The most important thing is to have this framework in place beforehand: the corresponding firewall policy, patch distribution policy, patch server, and ACL policy. When an incident occurs, you then only need to modify the policies, without testing, because testing also takes a lot of time and violates the principle of minimizing the infection window. Although what is described above is an emergency handling method, its basic framework should be the normal state (for example, both the client firewall and the server firewall should be enabled by default, with the policy allowing exceptions to be edited). An overall information security solution is also indispensable, for example so that data can be recovered even after a ransomware infection; the next article will discuss this from an overall, macro point of view.
