Antivirus Defense-in-Depth Guide

Chapter 3: Antivirus Defense-in-Depth

Published: May 20, 2004 | Updated: August 25, 2004

Introduction

All organizations should develop an antivirus solution that will provide a high level of protection. However, many organizations still become infected, even after installing antivirus software. This guide proposes a different approach to the malicious software, or malware, problem. As with network security design, Microsoft recommends a defense-in-depth approach to antivirus solution design in order to help ensure that the design safeguards your organization adopts will be reliably maintained.

Such an approach is vital to the computer security of your organization, because unfortunately, regardless of how many useful features or services a computer system provides, someone (for whatever reason) will try to find a vulnerability to exploit for malicious purposes.

Working with consultants and systems engineers who have implemented Microsoft Windows Server™ 2003, Windows XP Professional, and Windows 2000 in a variety of environments has helped to establish the latest best practices for securing clients and servers that run these operating systems against malware. This chapter provides you with this information.

This chapter also provides guidance to help you use a defense-in-depth approach when designing an antivirus security solution for your organization. The goal of this approach is to ensure that you understand each layer of the model and the specific threats that correspond to each layer so that you can use this information when implementing your antivirus defenses.

Note: Microsoft recommends including some of the steps in this guidance in your organization's general security procedures and policies. Where these occur, the guidance identifies them as a requirement for the security team in your organization to further define.

Important: If you suspect your organization is currently experiencing an attack, refer to Chapter 4, "Outbreak Control and Recovery," in this guide before reading this chapter.

If you are reading this guide after having experienced and recovered from a malware attack, the information provided is designed to help you prevent a recurrence and better understand how the previous attack took place.

Malware Threat Vectors

There are a number of methods through which malware can compromise an organization. These methods are sometimes referred to as threat vectors and represent the areas that require the most attention in your environment when designing an effective antivirus solution. The following list includes the areas in typical organizations that are subject to the most risk for malware attack:

External networks. Any network that is not under the direct control of an organization should be considered as a potential source for malware. However, the Internet is by far the largest malware threat. The anonymity and connectivity that the Internet provides allows individuals with malicious intent to gain rapid and effective access to many targets to mount attacks using malicious code.

Guest clients. As the use of laptops and mobile devices continues to expand in business, devices are regularly moved in and out of other organizations' infrastructures. If guest clients do not have an effective antivirus defense in place, they represent a malware threat to the organization.

Executable files. Any code that has the ability to execute can act as malware. This includes not only programs, but also scripts, batch files, and active objects such as Microsoft ActiveX controls.

Documents. As word processors and spreadsheet applications have become more powerful they have become targets for malware writers. Macro languages supported within many applications make them potential malware targets.

E-mail. Malware writers can exploit both e-mail attachments and active content in Hypertext Markup Language (HTML) e-mail messages as attack methods.

Removable media. File transfer via some form of removable media is an issue that organizations need to address as part of their antivirus defenses. Some of the more common removable media include:

CD-ROM or DVD-ROM discs. The advent of cheap CD and DVD recording devices has made these media very accessible to all computer users, including those who write malware.

Floppy and Zip drives. These media are becoming less prevalent due to their limited capacity and speed, but they still present a risk wherever infected media can physically reach a drive.

USB drives. These devices take on many forms, ranging from the classic key ring-sized device to a wrist watch. All these devices can be used to introduce malware if they can be inserted into the Universal Serial Bus (USB) port of a host.

Memory cards. Digital cameras and mobile devices, such as PDAs and mobile phones, have helped establish digital memory cards. Card readers are becoming increasingly standard devices on computers, which makes it easier for users to transfer data on memory cards. Because this data is file-based, these cards can also transfer malware onto a host system.

The Malware Defense Approach

Before attempting to organize an effective defense against malware, it is essential to understand the various parts of the organization's infrastructure that are at risk and the extent of the risk to each part. Microsoft strongly recommends that you conduct a full security risk assessment before starting to design an antivirus solution. The information you need to optimize your solution design can only be obtained by completing a full security risk assessment.

For information and guidance on conducting a security risk assessment, see the Microsoft Solution for Securing Windows 2000 Server guide at:
http://www.microsoft.com/technet/security/prodtech/windows2000/secwin2k/default.mspx. This guide provides an introduction to the security risk management discipline (SRMD), which you can use to understand the nature of your organization's exposure to risk.

The Defense-in-Depth Security Model

Once you have discovered and documented the risks your organization faces, the next step is to examine and organize the defenses you will use to provide your antivirus solution. The defense-in-depth security model is an excellent starting point for this process. This model identifies seven levels of security defenses that are designed to ensure that attempts to compromise the security of an organization will be met by a robust set of defenses. Each set is capable of deflecting attacks at many different levels. If you are not familiar with the defense-in-depth security model, Microsoft recommends reviewing the Security Content Overview page on Microsoft TechNet at:
http://www.microsoft.com/technet/archive/security/bestprac/overview.mspx.

You can also find additional information and practical design examples for this process in the Security Architecture chapter of the Windows Server System Reference Architecture guidance on TechNet at:
http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/ArchitectureBlueprints/rbabsa.mspx.

The following figure illustrates the layers defined for the defense-in-depth security model:

Figure 3.1 The layers of the defense-in-depth security model


The layers in the figure provide a view of each area in your environment you should consider when designing security defenses for your network.

You can modify the detailed definitions of each layer based on your organization's security priorities and requirements. For purposes of this guidance, the following simple definitions define the layers of the model:

Data. Risks at the data layer arise from vulnerabilities an attacker could potentially exploit to gain access to configuration data, organization data, or any data that is unique to a device the organization uses. For example, sensitive data such as confidential business data, user data, and private customer information stores should all be considered part of this layer. The primary concerns for the organization at this layer of the model are business and legal issues that may arise from data loss or theft, and operational issues that vulnerabilities may expose at the host or application layers.

Application. Risks at the application layer arise from vulnerabilities an attacker could potentially exploit to access running applications. Any executable code a malware writer can package outside of an operating system could be used to attack a system. The primary concerns for the organization at this layer are access to the binary files that comprise applications, access to the host through vulnerabilities in the application's listening services, or inappropriate gathering of specific data from the system to pass on to someone who can use it for their own purposes.

Host. This layer is the one that vendors typically address with service packs and hotfixes. Risks at this layer arise from attackers exploiting vulnerabilities in the services that the host or device offers. A buffer overrun, a condition that results from writing more data into a buffer than it was designed to hold, is a typical example of such a vulnerability. The primary concerns for an organization at this layer are preventing access to the binary files that comprise the operating system, as well as access to the host through vulnerabilities in the operating system's listening services.

Internal Network. The risks to organizations' internal networks largely concern the sensitive data transmitted via networks of this type. The connectivity requirements for client workstations on these internal networks also have a number of risks associated with them.

Perimeter Network. Risks associated with the perimeter network layer (also known as the DMZ, demilitarized zone, or screened subnet) arise from an attacker gaining access to wide area networks (WAN) and the network tiers that they connect. The primary risks at this layer of the model focus on available Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that the network uses.

Physical Security. Risks at the physical layer arise from an attacker gaining physical access to a physical asset. This layer encompasses all the previous layers because physical access to an asset can in turn allow access to all of the other layers in the defense-in-depth model. The primary concern at this layer of the model for organizations using antivirus systems is to stop infected files from bypassing the perimeter and internal network defenses. Attackers may attempt to do this simply by copying an infected file directly to the host computer via some physical removable media, such as a USB disk device.

Policies, Procedures and Awareness. Surrounding all of the security model layers are the policies and procedures your organization needs to put in place to meet and support the requirements for each level. Finally, it is important for you to promote awareness in your organization to all interested parties. In many cases, ignorance of a risk can lead to a security breach. For this reason, training also should be an integral part of any security model.

Using the security layers of the model as the basis for your antivirus defense-in-depth approach lets you regroup the layers into the sets of antivirus defenses your organization will deploy. How this grouping is done is entirely dependent on the priorities of your organization and the specific defense products it uses. The important point is to avoid an incomplete and weakened antivirus design by ensuring that none of the security layers are excluded from the defenses. The following figure shows a more focused antivirus defense-in-depth view:

Figure 3.2 Focused antivirus defense-in-depth view


The Data, Application, and Host layers can be combined into two defense strategies to protect the organization's clients and servers. Although these defenses share a number of common strategies, the differences in implementing client and server defenses are enough to warrant a unique defense approach for each.

The Internal Network and Perimeter layers can also be combined into a common Network Defenses strategy, as the technologies involved are the same for both layers. The implementation details will differ in each layer, depending on the position of the devices and technologies in the organization's infrastructure.

Client Defenses

When malware reaches a host computer, the defense systems must focus on protecting the host system and its data and stopping the spread of the infection. These defenses are no less important than the physical and network defenses in your environment. You should design your host defenses based on the assumption that the malware has found its way through all previous layers of defense. This approach is the best way to achieve the highest level of protection.

Client Antivirus Protection Steps

There are a number of approaches and technologies you can use for client antivirus configurations. The following sections provide details that Microsoft recommends for consideration.

Step 1: Reduce the Attack Surface

The first line of defense at the application layer is to reduce the attack surface of the computer. All unnecessary applications or services should be removed or disabled on the computer to minimize the number of ways an attacker could exploit the system.

You will find the default settings for Windows XP Professional services on the Default settings for services page of the Windows XP Professional Product Documentation on Microsoft.com at: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_default_settings.mspx.

Once the attack surface has been minimized without affecting the required functionality of the system, the primary defense to use at this layer is an antivirus scanner. The scanner's primary role is to detect and prevent an attack, and then to notify the user and perhaps the system administrators in your organization as well.

Step 2: Apply Security Updates

The sheer number and variety of client machines that may be connected to an organization's networks can make it difficult to provision a fast and reliable security update management service. Microsoft and other software companies have developed a number of tools you can use to help manage this problem. The following patch management and security update tools are currently available from Microsoft:

Microsoft Update. Microsoft Update provides the same updates and downloads available from Windows Update, plus the latest updates for Office and other Microsoft applications, all in one place. Issues with this approach for some organizations include the lack of support for testing prior to deploying updates from this service, and the amount of network bandwidth that clients may consume when many of them download the same package at the same time. Information on using this service is available on the Microsoft Update home page at:
http://update.microsoft.com/microsoftupdate/.

Software Update Service. This service was designed to provide a security update solution for Windows clients in the enterprise. It addressed both of the Microsoft Update shortcomings for larger organizations by allowing internal testing and distributed security update management. However, the Software Update Service is being replaced by Windows Update Services, which provide a broader set of functionality (see the next bullet point). Information on using this service to develop a solution for your organization is available on the Software Update Service home page on Microsoft.com at:
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/previous/default.mspx.

Windows Update Services. These services are designed to replace the Software Update Service to provide a higher level of functionality across a wider range of Microsoft software. Windows Update Services reduces the cost and risk associated with update management while providing the flexibility to address a broad range of update management scenarios. Information on using these services for your organization is available on the Windows Update Services home page on Microsoft.com at:
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx.

Systems Management Server 2003. Microsoft Systems Management Server 2003 is a complete enterprise management solution that is capable of providing comprehensive security update services and much more. For more information about this solution, see the Systems Management Server home page on Microsoft.com at:
http://www.microsoft.com/smserver/default.mspx.

Each of these Microsoft security update tools has specific strengths and goals. The best approach is likely to use one or more of them. To help you evaluate the security update solutions for your organization, see the features comparison provided on the Choosing a Security Update Management Solution page on Microsoft.com at:
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/compare.mspx.

Step 3: Enable a Host-based Firewall

The host-based or personal firewall represents an important layer of client defense that you should enable, especially on laptops that users may take outside your organization's usual physical and network defenses. These firewalls filter all data that is attempting to enter or leave a particular host computer.

Windows XP includes a simple personal firewall called the Internet Connection Firewall (ICF). Once enabled, ICF inspects all traffic that passes through it, checking the source and destination address and port of each packet so that only solicited or explicitly allowed communication reaches the host. Note that ICF, like the Windows Firewall that replaces it in Service Pack 2, filters inbound traffic only; it does not restrict connections that the host itself initiates. For more information on ICF, see the Windows XP Help system and also the Use the Internet Connection Firewall page on Microsoft.com at:
http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx.

Windows XP Service Pack 2 enables the personal firewall by default and introduces a number of significant enhancements to that firewall (now called the Windows Firewall) as well as other security-oriented improvements. A service pack is a tested, cumulative set of all hotfixes, security updates, critical updates, and updates created for defects found internally since the release of a product. Service packs may also contain a limited number of customer-requested design changes or features. For information about this update for Windows XP, see the Windows XP Service Pack 2 page on Microsoft TechNet at:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx.

Versions of Windows before Windows XP did not come with a built-in firewall. Third-party host-based firewall solutions are available that can be installed to provide firewall services on earlier versions of Windows. For information about these firewall products see the Frequently Asked Questions About Internal Firewalls page on the Microsoft Protect Your PC Web site at:
http://www.microsoft.com/athome/security/protect/firewall.mspx.

Step 4: Install Antivirus Software

Many companies produce antivirus applications, each of which attempts to protect the host computer with minimal inconvenience to and interaction with end users. Most of these applications have become very effective in providing this protection, but they all require frequent updates to keep up with new malware. Any antivirus solution should provide a rapid and seamless mechanism to ensure that updates to the required signature files for dealing with new malware or variants are delivered as soon as possible. A signature file contains information that antivirus programs use to detect malware during a scan. Signature files are designed to be regularly updated by the antivirus application vendors and downloaded to the client computer.

Note: Such updates present their own security risk, because signature files are sent from the antivirus vendor's update site to the host application (usually via the Internet). For example, if the transfer mechanism uses File Transfer Protocol (FTP) to obtain the file, the organization's perimeter firewalls must allow this type of access to the required FTP server on the Internet, and an unauthenticated transport such as FTP also allows a tampered or out-of-date signature file to be substituted in transit. Ensure your antivirus risk assessment process reviews the update mechanism for your organization, including how the product authenticates each signature file before applying it, and that this process is secure enough to meet your organization's security requirements.
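The checks an update client should make before loading a downloaded signature file, as an added example that is not part of this guide and not any vendor's code. It assumes the vendor publishes a small manifest next to each signature file (version number and SHA-256 digest) and authenticates that manifest; real products do this with a public-key digital signature, and because Python's standard library has no public-key primitives an HMAC under a key pinned on the host stands in for it here. The signature data and manifests are constructed.

```python
"""Check an antivirus signature-file update before the scanner loads it.

Added illustration; not code from this guide or from any antivirus vendor.
Assumed design: the vendor publishes a manifest next to each signature file
giving its version and SHA-256 digest, and authenticates that manifest. The
HMAC below stands in for the vendor's digital signature (stdlib only).
"""
import hashlib
import hmac
import json

# Stand-in for the vendor's public key, pinned on the host when the product
# was installed. The update channel itself (FTP, HTTP) is not trusted at all.
PINNED_KEY = b"example-pinned-key-installed-with-the-product"


def make_manifest(version, blob):
    """What the vendor side publishes alongside the signature file `blob`."""
    body = json.dumps({"version": version,
                       "sha256": hashlib.sha256(blob).hexdigest()},
                      sort_keys=True)
    tag = hmac.new(PINNED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def verify_update(manifest, blob, installed_version):
    """Return (accepted, reason). Any failed check rejects the downloaded file."""
    try:
        outer = json.loads(manifest)
        body, tag = str(outer["body"]), str(outer["tag"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed manifest"
    expected = hmac.new(PINNED_KEY, body.encode(), hashlib.sha256).hexdigest()
    # 1. Authenticity: the manifest must carry a valid tag (constant-time compare).
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    meta = json.loads(body)
    # 2. Freshness: refuse a genuine but older manifest replayed by an attacker,
    #    which would silently roll the scanner back to stale signatures.
    if meta["version"] <= installed_version:
        return False, "rollback to version %d refused" % meta["version"]
    # 3. Integrity: the bytes actually received must match the authenticated digest.
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), meta["sha256"]):
        return False, "signature file does not match manifest"
    return True, "update to version %d accepted" % meta["version"]


if __name__ == "__main__":
    signatures = b"constructed signature data for version 42"
    good = make_manifest(42, signatures)
    print(verify_update(good, signatures, 41))                      # accepted
    print(verify_update(good, signatures + b"x", 41))               # tampered file
    print(verify_update(make_manifest(40, signatures), signatures, 41))  # replayed old
    print(verify_update(good.replace('"tag": "', '"tag": "0'), signatures, 41))  # forged
```

The order of the checks matters: authenticity first, so that an attacker who controls the FTP server cannot even influence the version comparison; freshness second, so a genuine but stale file cannot be replayed to undo newer detections; and only then the content digest.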

Due to rapidly changing malware patterns and techniques, some organizations require certain "high risk" users to run more than a single antivirus package on the same computer to help minimize the risk of malware going undetected. The following user types typically fall into this category:

Webmasters or anyone who administers content on the Internet or an intranet.

Release lab workers or anyone who produces electronic media such as CD-ROMs.

Development team members who create or compile compressed files or other product software.

It should be noted that running antivirus applications from a number of different application vendors on the same computer may cause problems due to interoperability issues between the antivirus applications. System issues that can result from running more than one antivirus application in your environment at the same time include:

Memory overhead. Many antivirus applications use active agents that stay resident in memory, reducing the amount of available system memory.

System crashes or stop errors. Such crashes and errors can be caused by antivirus applications attempting to simultaneously scan the same file.

Performance loss. As antivirus applications scan files for malicious code, system performance may decrease. Scans are repeatedly performed when multiple applications are used, which may lower your system performance to an unacceptable level.

Loss of system access. Antivirus applications attempting to run concurrently may cause the system to halt during startup. This problem is more common in older versions of Windows, such as Microsoft Windows NT and Windows 9x.

For these reasons, the use of multiple antivirus applications on the same computer is not a recommended approach and should be avoided if possible.

An alternative approach to consider is to use antivirus software from different vendors for the client, server, and network defenses in the organization. This approach provides consistent scanning of these different areas of the infrastructure with different scanning engines, which should help reduce the risk to your overall antivirus defenses if a single vendor's product fails to detect an attack.

For more information about antivirus vendors, see the Microsoft Antivirus Partners on Microsoft.com at:
http://support.microsoft.com/kb/320724.

For more information about antivirus software designed for Windows XP, see the Microsoft Windows Catalog Antivirus page on Microsoft.com at: http://go.microsoft.com/fwlink/?LinkId=28506.

Step 5: Test with Vulnerability Scanners

Once you have configured a system, you should check it periodically to ensure that no security weaknesses have been left in place. To assist you with this process, a number of applications act as scanners to look for weaknesses that both malware and hackers may attempt to exploit. The best of these tools update their own scanning routines to defend your system against the latest weaknesses.

The Microsoft Baseline Security Analyzer (MBSA) is an example of a vulnerability scanner that is capable of checking for common security configuration issues. The scanner also checks to ensure that your host is configured with the latest security updates.

For more information about this free configuration tool, see the Microsoft Baseline Security Analyzer page on TechNet at: http://www.microsoft.com/technet/security/tools/mbsahome.mspx.

Step 6: Use Least Privileges Policies

Another area that should not be overlooked among your client defenses is the privileges assigned to users under normal operation. Microsoft recommends adopting a policy that provides the fewest privileges possible to help minimize the impact of malware that relies on exploiting user privileges when it executes. Such a policy is especially important for users who typically have local administrative privileges. Consider removing such privileges for daily operations, and instead using the RunAs command to launch the required administration tools when necessary.

For example, a user who needs to install an application that requires administrator privileges could run the following command at a command prompt. The runas command prompts for the administrator account's password and then launches the setup program under that account:

runas /user:mydomain\admin "setup.exe"

You can also access this feature directly from Microsoft Windows Explorer, in Windows 2000 or later systems, by performing the following steps:

To run a program with administrative privileges

1. In Windows Explorer, select the program or tool you want to open (such as a Microsoft Management Console (MMC) snap-in or Control Panel).

2. Right-click the program or tool and select Run As.

   Note: If Run As does not appear as an option, press and hold the SHIFT key while you right-click the tool.

3. In the Run As dialog box, select the The following user option.

4. In the User name and Password boxes, type the user name and password for the administrator account you want to use.

Step 7: Restrict Unauthorized Applications

If an application is providing a service to the network, such as Microsoft Instant Messenger or a Web service, it could, in theory, become a target for a malware attack. As part of your antivirus solution, you may wish to consider producing a list of authorized applications for the organization. Attempts to install an unauthorized application on any of your client computers could expose all of them and the data they contain to a greater risk of malware attacks.

If your organization wishes to restrict unauthorized applications, you can use Windows Group Policy to restrict users' ability to run unauthorized software. Group Policy is extensively documented; you will find detailed information about it at the Windows Server 2003 Group Policy Technology Center on Microsoft.com at:
www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/.

The specific area of Group Policy that handles this feature is called the Software Restriction Policy, which you can access through the standard Group Policy MMC snap-in. The following figure displays a Group Policy MMC screen showing the path to where you can set Software Restriction Policies for both your computers and users:

Figure 3.3 The path to the Software Restriction Policies folders in the Group Policy MMC snap-in


To access this snap-in directly from a Windows XP client, complete the following steps:

1. Click Start and then Run.

2. Type secpol.msc, then click OK.

A detailed explanation of all the setting possibilities is beyond the scope of this guide. However, the article "Using Software Restriction Policies to Protect Against Unauthorized Software" on TechNet at:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx will provide you with step-by-step guidance on using this powerful feature of the Windows XP Professional operating system.

Warning: Group Policy is an extremely powerful technology that requires careful configuration and a detailed understanding to implement successfully. Do not attempt to change these settings directly until you are confident you are familiar with the policy settings and have tested the results on a non-production system.
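How a Software Restriction Policy decides whether a given file may run, as an added model that is not part of this guide and not Microsoft's implementation. It reproduces the documented decision order: hash rules override path rules, the most specific matching path rule wins, a Disallowed rule wins a tie, and the policy's default level applies when nothing matches. Certificate and Internet-zone rules are left out, and the rules, file paths and file contents are constructed.

```python
"""Model of how Software Restriction Policies decide whether a file may run.

Added illustration; not part of the guide and not Microsoft's code. It
reproduces the documented precedence: hash rules beat path rules, the most
specific matching path rule wins, Disallowed wins a tie, and the default
level applies when no rule matches. Certificate and zone rules are omitted.
"""
import hashlib
from dataclasses import dataclass

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class HashRule:
    sha256: str     # digest of the file content; location and name do not matter
    level: str


@dataclass(frozen=True)
class PathRule:
    prefix: str     # a folder (applies to everything beneath it) or one file
    level: str


def _norm(path):
    """Case-insensitive comparison with a single separator style."""
    return path.lower().replace("/", "\\").rstrip("\\")


def _matches(rule, path):
    p, prefix = _norm(path), _norm(rule.prefix)
    return p == prefix or p.startswith(prefix + "\\")


def evaluate(path, content, hash_rules, path_rules, default_level=DISALLOWED):
    """Return (level, deciding_rule) for a file at `path` holding `content`."""
    digest = hashlib.sha256(content).hexdigest()

    # 1. Hash rules come first: they follow the file wherever it is copied.
    hits = [r for r in hash_rules if r.sha256 == digest]
    if hits:
        rule = sorted(hits, key=lambda r: r.level != DISALLOWED)[0]  # Disallowed first
        return rule.level, rule

    # 2. Path rules: the longest (most specific) prefix wins; Disallowed wins a tie.
    hits = [r for r in path_rules if _matches(r, path)]
    if hits:
        rule = max(hits, key=lambda r: (len(_norm(r.prefix)), r.level == DISALLOWED))
        return rule.level, rule

    # 3. No rule matched: the policy's default security level decides.
    return default_level, None


# Constructed "default deny" policy: only the OS and installed programs run,
# except a scratch folder under the Windows directory and one known-bad binary.
KNOWN_BAD = b"constructed bytes standing in for a banned tool"
POLICY_HASH_RULES = [HashRule(hashlib.sha256(KNOWN_BAD).hexdigest(), DISALLOWED)]
POLICY_PATH_RULES = [
    PathRule(r"C:\Windows", UNRESTRICTED),
    PathRule(r"C:\Windows\Temp", DISALLOWED),
    PathRule(r"C:\Program Files", UNRESTRICTED),
]


def decide(path, content=b""):
    """Convenience wrapper over the constructed policy; returns the level only."""
    return evaluate(path, content, POLICY_HASH_RULES, POLICY_PATH_RULES)[0]


if __name__ == "__main__":
    for p, c in [(r"C:\Program Files\Office\winword.exe", b"word"),
                 (r"C:\Windows\Temp\dropper.exe", b"dropper"),
                 (r"C:\Documents and Settings\bob\game.exe", b"game"),
                 (r"C:\Program Files\Tools\helper.exe", KNOWN_BAD),
                 (r"c:\WINDOWS\system32\NOTEPAD.EXE", b"notepad")]:
        print(p, "->", decide(p, c))
```

Two points the model makes visible: a path rule is only as strong as the NTFS permissions on the folder it allows, because anything a user can copy into C:\Program Files inherits the Unrestricted level, whereas a hash rule follows the file to any location but has to be updated for every new version of the binary.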

Client Application Antivirus Settings

The following sections provide guidelines for configuring specific client applications that malware may target.

E-mail Clients

If malware does manage to make it past your antivirus defenses at the network and e-mail server levels, there may be a few settings that you can configure to provide additional protection for the e-mail client.

Generally, the ability of a user to open e-mail attachments directly from an e-mail message provides one of the major ways for malware to propagate on the client. If possible, consider restricting this ability in your organization's e-mail systems. If this is not possible, some e-mail clients allow you to configure additional steps that users will have to perform before they can open an attachment. For example, in Microsoft Outlook and Outlook Express you have the ability to:

Use Internet Explorer security zones to disable active content in HTML e-mail messages.

Enable a setting so that users may only view e-mail messages in plain text.

Prevent programs from sending e-mail messages without specific user approval.

Block unsafe e-mail message attachments.

For information on how to configure these features, see the Microsoft Knowledge Base article "291387 - OLEXP: Using Virus Protection features in Outlook Express 6" at:
http://support.microsoft.com/?kbid=291387.
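A filename check of the kind an attachment-blocking feature has to make, as an added example that is not code from this guide, Outlook or Outlook Express. It shows why a naive "does the name end in .exe" test is not enough: Windows ignores trailing dots and spaces in file names, extension matching is case-insensitive, and a decoy name such as report.doc.exe is still an executable. The blocked-extension list is a constructed subset, not the complete list any mail client uses.

```python
"""Filename check for blocking unsafe e-mail attachments.

Added example, not from the guide or any mail client. The blocked-extension
set is a constructed subset; adjust it to your organization's policy.
"""
import os

# Constructed subset of auto-executing file types; not a complete list.
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr",     # programs and shortcuts
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",      # script host files
    ".hta", ".chm", ".reg", ".lnk", ".msi", ".cpl",     # other auto-executing types
}


def canonical_name(filename):
    """Normalize an attachment name the way the receiving Windows host would."""
    name = filename.replace("/", "\\").split("\\")[-1]  # drop any path prefix
    return name.rstrip(". ")        # Windows silently strips trailing dots/spaces


def is_blocked(filename):
    """True if the attachment would be stored with a blocked extension."""
    name = canonical_name(filename)
    ext = os.path.splitext(name)[1].lower()   # last extension only, e.g. ".exe"
    if not ext and name.startswith("."):      # a bare ".exe" has no stem
        ext = name.lower()
    return ext in BLOCKED_EXTENSIONS


def classify(filenames):
    """Split a list of attachment names into (allowed, blocked)."""
    allowed, blocked = [], []
    for f in filenames:
        (blocked if is_blocked(f) else allowed).append(f)
    return allowed, blocked


if __name__ == "__main__":
    samples = ["quarterly.xls", "report.doc.exe", "invoice.EXE.", "setup.exe ",
               "..\\tools\\evil.Scr", "photo.jpg", "archive.zip"]
    ok, bad = classify(samples)
    print("allowed:", ok)
    print("blocked:", bad)
```

Note what this check does not do: archive.zip passes, because a container is not itself executable, so blocking by name is a complement to scanning the attachment content, not a replacement for it.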

Additionally Windows XP Service Pack 2 has added extra security focused functionality to Outlook Express. For information on how Windows XP Service Pack 2 has changed the functionality of Outlook Express, see the Changes to Functionality in Microsoft Windows XP Service Pack 2 Part 4: E-mail Handling Technologies page on TechNet at:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2email.mspx

Microsoft Outlook 2003 includes additional features to protect against malware and junk (or spam) e-mail messages. You will find information about configuring these features on the Customizing Outlook 2003 to Help Prevent Viruses page on Microsoft.com at:
www.microsoft.com/office/ork/2003/three/ch12/.

Desktop Applications

As desktop office applications have become more powerful they have also become targets for malware. Macro viruses use files created by the word processor, spreadsheet, or other macro-enabled applications to replicate themselves.

You should take steps wherever possible to ensure that the most appropriate security settings are enabled on all applications in your environment that handle these files. For information about securing Microsoft Office 2003 applications, see the Best practices for protection from viruses page on Microsoft.com at:
http://go.microsoft.com/fwlink/?LinkId=28509.

Instant Messaging Applications

The instant messaging phenomenon has helped improve user communications across the world. Unfortunately, it has also provided another application with the potential to allow malware to enter your system. Although text messages do not pose a direct malware threat, most instant messenger clients provide additional file transfer capabilities to enhance the users' communication abilities. Allowing file transfers provides a direct route into an organization's network for potential malware attacks.

Network firewalls can block these file transfers by simply filtering the ports used for this communication. For example, Windows Messenger and MSN Messenger clients use a range of TCP ports between 6891 and 6900 to transfer files, so if the perimeter firewall blocks these ports, file transfer via the messenger client cannot take place. However, mobile client computers are only protected while they are on the organization's network. For this reason, you might want to configure the host-based firewall on your clients to block these ports as well, to protect mobile clients when they are outside your network defenses. Bear in mind that the Windows Firewall only blocks inbound connections to these ports; stopping a client from connecting out to another computer's transfer port requires a host firewall that filters outbound traffic.
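A way to confirm what the host firewall actually did with traffic on the file-transfer ports, as an added example that is not part of this guide. It assumes the Windows Firewall's text log (pfirewall.log) in its W3C style, where a "#Fields:" header names the columns and each record is one space-separated line; the log lines are constructed, and TCP 6891 through 6900 is the range given above for Windows Messenger and MSN Messenger.

```python
"""Find instant-messenger file-transfer traffic in a Windows Firewall log.

Added example, not from the guide. Assumes the W3C-style pfirewall.log
layout in which a "#Fields:" header names the columns; the excerpt below
is constructed for a client at 10.0.0.21 with logging of dropped packets
and of successful (OPEN) connections both enabled.
"""
from collections import Counter

IM_TRANSFER_PORTS = range(6891, 6901)   # 6891 through 6900 inclusive

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-08-25 09:01:12 DROP TCP 10.0.0.7 10.0.0.21 1043 6891 48 S 2011343 0 65535 - - - RECEIVE
2004-08-25 09:01:15 DROP TCP 10.0.0.7 10.0.0.21 1044 6892 48 S 2011400 0 65535 - - - RECEIVE
2004-08-25 09:02:30 OPEN TCP 10.0.0.21 10.0.0.9 1580 6895 - - - - - - - - SEND
2004-08-25 09:03:00 DROP TCP 203.0.113.5 10.0.0.21 4412 445 48 S 9981 0 16384 - - - RECEIVE
2004-08-25 09:04:10 OPEN TCP 10.0.0.21 192.0.2.44 1601 80 - - - - - - - - SEND
2004-08-25 09:05:02 DROP UDP 10.0.0.7 10.0.0.21 6891 6891 78 - - - - - - - RECEIVE
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the keyword
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed line; skip it
        yield dict(zip(fields, values))


def im_transfer_events(text):
    """Records whose TCP destination port is in the messenger transfer range."""
    out = []
    for rec in parse_log(text):
        if rec["protocol"] != "TCP":
            continue
        try:
            dport = int(rec["dst-port"])
        except ValueError:
            continue
        if dport in IM_TRANSFER_PORTS:
            out.append(rec)
    return out


def summarize(text):
    """Count transfer attempts by (action, direction): what the firewall did."""
    return dict(Counter((r["action"], r["path"]) for r in im_transfer_events(text)))


if __name__ == "__main__":
    for rec in im_transfer_events(SAMPLE_LOG):
        print(rec["time"], rec["action"], rec["path"], rec["src-ip"], "->",
              rec["dst-ip"], rec["dst-port"])
    print(summarize(SAMPLE_LOG))
```

On the constructed excerpt the two inbound connection attempts to 6891 and 6892 are dropped, but the client's own outbound connection to 6895 is logged as OPEN: the host firewall never saw a reason to stop it, which is the case that needs the perimeter firewall or an outbound-filtering product.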

If your organization cannot block these ports because other required applications use them or because file transfer is required, you should ensure all files are scanned for malware before being transferred. If your client workstations are not using a real-time antivirus scanner, you should configure the Instant Messaging application to automatically pass transferred files to an antivirus application for scanning as soon as the file has been received. For example, you can configure MSN Messenger to automatically scan transferred files. The following steps demonstrate how to enable this security feature:

Note: The Windows Messenger application that shipped with Windows XP does not support this feature. A real-time antivirus scanner should be used for this application.

To scan files transferred by MSN Messenger

1. In the main MSN Messenger window, click the Tools menu, and then click Options.

2. Click the Messages tab.

3. Under File Transfer, select the Scan for viruses using check box.

4. Click Browse, select the antivirus scanning software that you are using, and then click OK.

Note: Finding the correct executable file to use and the command parameter to include here may require additional input from your antivirus scanning software vendor.

Once you have completed these steps, your antivirus software will automatically scan all files received via MSN Messenger on the client.

Note: Your antivirus scanning tool may require additional setup steps. Check the instructions that came with your antivirus scanning software for more information.

Web Browsers

Before you download or execute code from the Internet, ensure that it comes from a known, reliable source. Your users should not rely on site appearance or the address of the site alone, because both Web pages and addresses can be faked.

There are a number of different techniques and technologies that have been developed to help a user's Web browser application determine the reliability of the Web site he or she is browsing. For example, Microsoft Internet Explorer uses Microsoft Authenticode technology to verify the identity of downloaded code. The Authenticode technology verifies that the code has a valid certificate, that the identity of the software publisher matches the certificate, and that the certificate is still valid. If all these tests pass, the chances of an attacker transferring malicious code to your system will be reduced.

Most major Web browser applications support the ability to restrict the level of automated access that is available to code that is executed from a Web server. Internet Explorer uses security zones to help restrict Web content from performing potentially damaging operations on the client. The security zones are based on the location (zone) of the Web content.

For example, if you are confident that anything downloaded within your organization's intranet is safe, you might set your clients' security settings for the local intranet zone to a low level to allow users to download content from your intranet with few or no restrictions. However, if the source of the download is in the Internet zone or the Restricted sites zone, you might want to configure the clients' security settings to a medium or high level. These settings will cause the client browsers to either prompt users with information about the content's certificate before they download it or prevent them from downloading it at all.

Windows XP Service Pack 2 has added a significant number of security updates and enhancements to aid in the protection of the Web browsing experience for the user. For details of these updates, see the Changes to Functionality in Microsoft Windows XP Service Pack 2 Part 5: Enhanced Browsing Security page on TechNet at:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx

Peer-to-Peer Applications

The advent of Internet-wide peer-to-peer (P2P) applications has made it easier than ever to find and exchange files with other people. Unfortunately, this situation has led to a number of malware attacks that attempt to use these applications to replicate files to other users' computers. Worms such as W32.HLLW.Sanker have targeted P2P applications such as Kazaa for replication purposes. There are many more malware examples that attempt to use other peer-to-peer applications, such as Morpheus and Grokster.

The security issues surrounding P2P applications have little to do with the client programs themselves. These issues instead have much more to do with the ability of these applications to provide direct routes from one computer to another through which content can be transmitted without the proper security checks.

If possible, Microsoft recommends restricting the number of clients in your organization that use these applications. You can use the Windows Software Restriction Policies discussed earlier in this chapter to help block users from running peer-to-peer applications. If this is not possible in your environment, be sure your antivirus policies take into account the greater risk the clients in your environment are exposed to because of these applications.

Server Defenses

The server defenses in your environment have a lot in common with your client defenses; both attempt to protect the same basic personal computer environment. The primary difference between the two is that there is generally a much higher expectation level placed on server defenses for reliability and performance. In addition, the dedicated roles that many servers play within an organization's infrastructure will often lead to a specialized defense solution. The information in the following sections focuses on the primary differences between server defenses and the previously discussed client defenses.

Server Antivirus Protection Steps

Server antivirus configurations vary greatly, depending on the role of the particular server and the services it is designed to provide. The process of minimizing a server's attack surface is often referred to as hardening. Excellent guidance is available on hardening Windows Server 2003 when it is used in various typical roles in an organization. For more information on this topic, see the Server Security Index page on Microsoft.com at:
http://www.microsoft.com/technet/security/guidance/ServerSecurity.mspx.

Four of the basic antivirus steps to defend the servers in your organization are the same as those for your clients.

1. Reduce the attack surface. Remove unwanted services and applications from your servers to minimize their attack surface.

2. Apply security updates. Ensure all of your server computers are running the latest security updates, if possible. Perform additional testing as needed to ensure mission-critical servers are not adversely affected by new updates.

3. Enable the host-based firewall. Windows Server 2003 includes a host-based firewall you can use to reduce the attack surface on your servers, in addition to removing unwanted services and applications.

4. Test using vulnerability scanners. Use the MBSA on Windows Server 2003 to help identify possible vulnerabilities in a server configuration. Microsoft recommends using this and other specialized vulnerability scanners to help ensure as robust a configuration as possible.

In addition to these common antivirus steps, consider using the following server-specific software as part of your overall server antivirus defenses.

General Server Antivirus Software

The primary difference between antivirus applications that are designed for client environments (such as Windows XP) and those designed for server environments (such as Windows Server 2003) has been the level of integration between the server-based scanner and any server-based services, such as messaging or database services. Many server-based antivirus applications also offer remote management capabilities to minimize the need for physical access to the server console.

Additional important issues that you should take into account when evaluating antivirus software for your server environment include:

CPU utilization during scanning. In a server environment, CPU utilization is a critical component of the ability of the server to perform its primary role for the organization.

Application reliability. A system crash on an important data center server has a far greater impact than a single workstation crash. Therefore, Microsoft recommends thoroughly testing all server-based antivirus applications to ensure your system reliability.

Management overhead. The ability of the antivirus application to be self-managing could help reduce administrative overhead for the server management teams in your organization.

Application interoperability. You should test the antivirus application with the same server-based services and applications that your production server will be running to ensure there are no interoperability issues.

For a list of antivirus applications that have been certified to work on Windows Server 2003, click the Business Solutions, Security page of the Windows Server Catalog at http://go.microsoft.com/fwlink/?linkid=28510.

Role-Specific Antivirus Configurations and Software

There are a number of specialized antivirus configurations, tools, and applications now available for specific server roles in the enterprise. Examples of server roles that can benefit from this type of specialized antivirus defense include:

Web servers such as Microsoft Internet Information Services (IIS).

Messaging servers such as Microsoft Exchange 2003.

Database servers such as those running Microsoft SQL Server™ 2000.

Collaboration servers such as those running Microsoft Windows SharePoint™ Services, and Microsoft Office SharePoint Portal Server™ 2003.

Application-specific antivirus solutions generally provide better protection and performance because they are designed to integrate with a specific service rather than try to function underneath the service at the file system level. All of the server roles discussed in this section are responsible for information that would not be accessible to an antivirus scanner working at the file system level. The following sections provide information on each of these server roles and on how Microsoft recommends using specific antivirus configurations, tools, and applications with them.

Web Servers

Web servers in all types of organizations have been the target of security attacks for some time. Whether an attack comes from malware such as CodeRed or a hacker trying to deface an organization's Web site, it is important that the security settings on your Web servers are sufficiently configured to maximize your defenses against these attacks. Microsoft has produced guidance specifically for systems administrators tasked with protecting servers running IIS on the network in "Chapter 8 - Hardening IIS Servers" of the Windows Server 2003 Security Guide on Microsoft.com at:
/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx.

In addition to this guidance, there are some free tools you can download that will perform a number of security configurations automatically on IIS. For example, the IIS Lockdown Tool is available on Microsoft.com at:
http://www.microsoft.com/technet/security/tools/locktool.mspx.

This tool is used to tune the Web server to provide only those services required for its role, thereby reducing the attack surface of the server to any malware.

UrlScan is another security tool that restricts the types of HTTP requests that IIS will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the server. You can now cleanly install UrlScan 2.5 on servers running IIS 4.0 or later. For more information on UrlScan, see the UrlScan Security Tool page on Microsoft.com at:
http://www.microsoft.com/technet/security/tools/urlscan.mspx.

Messaging Servers

There are two goals to keep in mind when designing an effective antivirus solution for the e-mail servers in your organization. The first goal is to protect the servers themselves from malware. The second goal is to stop any malware from making its way through the e-mail system to the mailboxes of the users in your organization. It is important to ensure the antivirus solution you install on your e-mail servers is capable of achieving both these goals.

Generally speaking, standard file scanning antivirus solutions are not able to prevent an e-mail server from passing malware as attachments to clients. All but the simplest e-mail services store e-mail messages in a database of some type (sometimes referred to as the message store). A typical file scanning antivirus solution cannot access the content of such a database. In fact, a file scanning antivirus solution could possibly corrupt a message store if it is allowed to attempt scanning via a drive mapping (such as the M: drive on Exchange Server 5.5 and Exchange Server 2000).

It is important to match the antivirus solution to the e-mail solution in use. Many antivirus vendors now provide dedicated versions of their software for specific e-mail servers that are designed to scan the e-mail passing through the e-mail system for malware. Two basic types of e-mail antivirus solutions are generally available:

SMTP gateway scanners. These Simple Mail Transfer Protocol (SMTP)-based e-mail scanning solutions are usually referred to as antivirus "gateway" solutions. They have the advantage of working with all SMTP e-mail services rather than being tied to a specific e-mail server product. However, these solutions are limited in some of the more advanced features they can provide due to their reliance on the SMTP e-mail protocol.

Integrated server scanners. These specialized antivirus applications work directly with a particular e-mail server product. These applications do have a number of benefits. For example, they can integrate directly with advanced server features, and they are designed to use the same hardware as the e-mail server.

Microsoft Exchange provides a specific antivirus application programming interface (API) called the Virus API (VAPI), which is also referred to as the Antivirus API (AVAPI), or the Virus Scanning API (VSAPI). This API is used by specialized Exchange Server antivirus applications to help provide full messaging protection in a secure and reliable manner on Exchange e-mail servers. For more information on this API, see the Microsoft Knowledge Base article "328841 – XADM: Exchange and Antivirus Software" on Microsoft.com at:
http://support.microsoft.com/?kbid=328841.

Database Servers

There are four main elements to protect when considering the antivirus defenses for a database server:

Host. The server or servers running the database.

Database services. The various applications running on the host that provide the database service to the network.

Data store. The data stored in the database.

Data communications. The connections and protocols that are used between the database host and the other hosts on the network.

As the data inside the data store is not directly executable, it is generally believed that the data stores themselves do not require scanning. There are currently no major antivirus applications written specifically for data stores. However, the host, database services, and data communications elements of the database server should be carefully considered for antivirus configurations.

Host placement and configuration should be reviewed specifically for malware threats. As a general rule, Microsoft does not recommend placing database servers in the perimeter network of an organization's infrastructure, especially if the servers store sensitive data. However, if you must locate such a database server in your perimeter network, ensure that it is configured to minimize the risk of a malware infection.

If your organization uses SQL Server, see the following guidance for configuration guidelines specific to malware attacks:

Microsoft Knowledge Base article "309422 – INF: Consideration for a Virus Scanner On a Computer That Is Running SQL Server" on Microsoft.com at:
http://support.microsoft.com/?kbid=309422.

The Security Resources page for Microsoft SQL Server on Microsoft.com at:
http://technet.microsoft.com/sqlserver/bb671161.aspx.

The "Slammer" worm attack targeted SQL Server directly. This attack showed how important it is to protect your SQL Server database computers, regardless of whether they reside in your perimeter or internal network.

For information and software to help ensure your SQL Server systems are protected from the Slammer worm, see the Finding and Fixing Slammer Vulnerabilities page on Microsoft.com at:
http://www.microsoft.com/security/malwareremove/default.mspx.

Collaboration Servers

The very nature of collaboration servers makes them vulnerable to malware. When users copy files to and from the servers, they may expose the servers and other users on the network to a malware attack. Microsoft recommends protecting the collaboration servers in your environment (such as those running SharePoint Services and SharePoint Portal Server 2003) with an antivirus application that can scan all files copied to and from the collaboration store. For detailed step-by-step information on protecting these services, see the Configuring Antivirus Protection page of the Administrators Guide for Windows SharePoint Services on Microsoft.com at:
http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse11.mspx.

For information about antivirus software specifically written to integrate with Windows SharePoint Services and SharePoint Portal Server 2003, see the Solutions Directory page on Microsoft Office Online at:
http://go.microsoft.com/fwlink/?linkid=13276.

The Network Defense Layer

Attacks that are delivered across the network represent the largest number of recorded malware incidents. Typically, malware attacks will be launched to exploit weaknesses in network perimeter defenses to allow the malware to access host devices inside the organization's IT infrastructure. These devices could be clients, servers, routers, or even firewalls. One of the most difficult problems your antivirus defenses face at this layer is to balance the feature requirements of the IT systems' users with the limitations required to create an effective defense. For example, like many recent attacks, the MyDoom worm used an e-mail attachment to replicate itself. From an IT infrastructure perspective, blocking all incoming attachments is the simplest and most secure option. However, the requirements of your organization's e-mail users may not allow this to be a viable option. A compromise must be reached that will strike a balance between an organization's requirements and the level of risk it can accept.

Many organizations have adopted a multilayer approach to the design of their networks that uses both internal and external network structures. Microsoft recommends this approach because it directly conforms to the defense-in-depth security model.

Note: There is a growing trend to break the internal network into security zones to establish a perimeter for each one. Microsoft also recommends this approach because it helps reduce the overall exposure to a malware attack seeking to gain access to the internal network. However, for the purposes of this guide, only a single network defense is described. If you plan to use a perimeter and multiple internal networks, you can apply this guidance directly to each one.

The first network defenses for the organization are referred to as the perimeter network defenses. These defenses are designed to prevent malware from ever making it into the organization from an external attack. As discussed previously in this chapter, the typical malware attack focuses on copying files to a target computer. Accordingly, your antivirus defenses should work with the organization's general security measures to ensure that access to the organization's data is only available from properly authorized personnel in a secure manner (such as via an encrypted virtual private network (VPN) connection). For more information about creating a secure perimeter network design, see the Windows Server System Reference Architecture guidance on TechNet at:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx.

Note: You should also consider any wireless local area networks (LANs) and VPNs as perimeter networks. If your organization has these technologies in place, it is important to secure them. Failure to provide this security could allow an attacker to gain direct access to your internal network (bypassing the standard perimeter defenses) to mount an attack.

For more information about securing WLANs, see the following articles on TechNet:

"Planning a Secure Wireless LAN using Windows Server 2003 Certificate Services" at:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/swlan.mspx.

"Securing Wireless LANs - A Windows Server 2003 Certificate Services Solution" at:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/swlan.mspx.

For guidance on securing VPN networks, see the following Windows Server System Reference Architecture guide on Microsoft.com:

Enterprise Design for Remote Access at:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/RemoteAccessServices/igrabp_2.mspx.

In this guide, it is assumed that the network security design provides the organization with the required level of identification, authorization, encryption, and protection to defend against a direct intrusion from an unauthorized attacker. However, at this point the antivirus defenses are not complete. The next step is to configure the network layer defenses to detect and filter malware attacks that use permitted network communications, such as e-mail, Web browsing, and instant messaging.

Network Antivirus Configuration

There are many configurations and technologies that are specifically designed to provide network security for organizations. Although these are vital parts of an organization's security design, this section will only focus on the areas that have a direct relationship with antivirus defense. Your network security and design teams should determine how each of the following techniques is used in your organization.

Network Intrusion Detection System

Because the perimeter network is a highly exposed part of the network, it is extremely important that your network management systems are able to detect and report an attack as soon as possible. The role of a network intrusion detection (NID) system is to provide just that: rapid detection and reporting of external attacks. Although a NID system is part of the overall system security design and not a specific antivirus tool, many of the first signs are common for both system and malware attacks. For example, some malware uses IP scanning to find available systems to infect. For this reason, the NID system should be configured to work with the organization's network management systems to deliver warnings of any unusual network behavior directly to the organization's security staff.

A key issue to understand is that with any NID implementation, its protection is only as good as the process that is followed once an intrusion is detected. This process should trigger defenses that can be used to block an attack, and the defenses should be constantly monitored in real time. Only then can the process be considered part of a defense strategy. Otherwise, the NID system is really more of a tool for providing an audit trail after an attack has occurred.

There are a number of enterprise-class network intrusion detection systems available to network designers. These can be stand-alone devices or other systems that integrate into other network services, such as the firewall services of the organization. For example, the Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 products contain NID system capabilities, as well as firewall and proxy services.

For a list of Microsoft ISA Server partners that offer additional NID services for ISA Server, see the Intrusion Detection page on Microsoft.com at:
http://www.microsoft.com/isaserver/partners/intrusiondetection.mspx.

Application Layer Filtering

Organizations are finding it not only useful but necessary to use Internet filtering technologies to monitor and screen network communications for illegitimate content, such as viruses. Traditionally, this filtering has been performed using the packet layer filtering provided by firewall services, which only allows filtering of network traffic based on a source or destination IP address, or a particular TCP or UDP network port. Application layer filtering (ALF) works at the application layer of the OSI networking model, so it allows the data to be examined and filtered based on its content. If ALF is used in addition to standard packet layer filtering, much greater security can be achieved. For example, using packet filtering may allow you to filter port 80 network traffic through your organization's firewall so that it can only pass to your Web servers. However, this approach may not provide sufficient security. Adding ALF to the solution would allow you to check all data passing to the Web servers on port 80 to ensure that it is valid and does not contain any suspicious code.

ISA Server can provide ALF on data packets as they pass through an organization's firewall. Web browsing and e-mail can be scanned to ensure that content specific to each does not contain suspicious data, such as spam or malware. The ALF capability in ISA Server enables deep content analysis, including the ability to detect, inspect, and validate traffic using any port and protocol. For a list of vendors who make filters to enhance the security and interoperability for different protocols and Web traffic, see the Partner Application Filters page on Microsoft.com at:
http://www.microsoft.com/isaserver/partners/applicationfilters.mspx.
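The following Python model is an added illustration of the distinction drawn above (and of the request restrictions UrlScan applies, described under Web Servers); it is not code from this guide, from ISA Server, or from UrlScan. A packet filter sees only the destination address and port, so it passes every request addressed to a web server on port 80, while the application layer filter parses the HTTP request line and applies an assumed rule set (allowed verbs, denied extensions, a URL length limit, denied URL sequences); the server addresses, rule values, and sample requests are constructed.

```python
"""Packet-layer filtering versus application-layer filtering on port 80.

Constructed example: the web server addresses, the sample requests and the
rule values below are assumptions for illustration, not a real urlscan.ini
or ISA Server configuration.
"""
from urllib.parse import unquote

# --- Packet layer: only IP addresses and ports are visible to the filter ---
WEB_SERVERS = {"10.0.1.10", "10.0.1.11"}  # constructed internal web servers


def packet_filter_allows(dst_ip: str, dst_port: int) -> bool:
    """Permit TCP port 80 only when it is headed for one of the web servers."""
    return dst_port == 80 and dst_ip in WEB_SERVERS


# --- Application layer: the HTTP request itself is parsed and inspected ---
# Assumed rule set, in the spirit of UrlScan's request restrictions.
ALLOW_VERBS = frozenset({"GET", "HEAD", "POST"})
DENY_EXTENSIONS = (".exe", ".dll", ".ida", ".idq", ".printer")
DENY_URL_SEQUENCES = ("..", "./", "\\", ":")
MAX_URL_LENGTH = 260


def parse_request_line(raw: bytes) -> tuple:
    """Return (verb, url, version) from the first line of an HTTP request."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return tuple(p.decode("ascii", "replace") for p in parts)


def alf_verdict(raw: bytes) -> tuple:
    """Inspect an HTTP request; return (allowed, reason)."""
    try:
        verb, url, version = parse_request_line(raw)
    except ValueError as exc:
        return False, str(exc)
    if not version.startswith("HTTP/"):
        return False, "bad protocol version"
    if verb not in ALLOW_VERBS:
        return False, f"verb {verb} not allowed"
    if len(url) > MAX_URL_LENGTH:
        return False, "URL too long"
    for seq in DENY_URL_SEQUENCES:
        if seq in url:
            return False, f"denied sequence {seq!r}"
    # Decode percent-encoding before the extension check so that an
    # encoded extension (for example setup%2Eexe) cannot slip past the rule.
    path = unquote(url.split("?", 1)[0]).lower()
    for ext in DENY_EXTENSIONS:
        if path.endswith(ext):
            return False, f"denied extension {ext}"
    return True, "ok"


def filter_request(dst_ip: str, dst_port: int, raw: bytes) -> str:
    """Apply the packet layer first, then ALF, and describe the outcome."""
    if not packet_filter_allows(dst_ip, dst_port):
        return "blocked by packet filter"
    allowed, reason = alf_verdict(raw)
    return "allowed" if allowed else f"blocked by ALF: {reason}"


# Constructed sample traffic, all addressed to a web server on port 80, so the
# packet filter passes every one of them; only ALF tells them apart.
SAMPLE_REQUESTS = [
    b"GET /index.htm HTTP/1.1\r\nHost: www.example\r\n\r\n",
    b"GET /default.ida?" + b"A" * 40 + b" HTTP/1.0\r\n\r\n",  # .ida handler request
    b"GET /docs/../../private/notes.txt HTTP/1.1\r\n\r\n",    # traversal sequence
    b"GET /download/setup%2Eexe HTTP/1.1\r\n\r\n",            # encoded extension
    b"TRACE / HTTP/1.1\r\n\r\n",                              # verb not in allow list
]


def run_samples() -> list:
    """Run every constructed sample through both layers."""
    return [filter_request("10.0.1.10", 80, r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, outcome in zip(SAMPLE_REQUESTS, run_samples()):
        print(req.split(b"\r\n", 1)[0].decode(), "->", outcome)
```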

For a detailed description of how ALF works in ISA Server 2000, see the Introducing the ISA Server 2000 Application Layer Filtering Kit page at:
www.isaserver.org/articles/spamalfkit.html.

Content Scanning

Content scanning is available as a feature in more advanced firewall solutions or as a component of a separate service, such as e-mail. Content scanning interrogates data that is being allowed to enter or leave an organization's network via valid data channels. If content scanning is performed on e-mail, it generally works with e-mail servers to check e-mail for particular characteristics, such as attachments. This technique can scan and identify malware content in real time as the data passes through the service. There are a number of partners who work with Microsoft to provide enhanced security features to both Microsoft Exchange Server and ISA Server, such as real-time antivirus content scanning.

For more details on partner antivirus products available for Microsoft Exchange Server 2003, see the Microsoft Knowledge Base article "823166 – Overview of Exchange Server 2003 and Antivirus Software" on Microsoft.com at:
http://support.microsoft.com/?kbid=823166.

For a list of Microsoft partners who have developed content scanning products for ISA Server, see the Partners page on Microsoft.com at:
http://www.microsoft.com/isaserver/partners/.

URL Filtering

Another option that may be available to network administrators is URL filtering, which you can use to block problem Web sites. For example, you could use URL filtering to block known hacker Web sites, download servers, and personal HTTP e-mail services.

Note: The major HTTP e-mail service sites (such as Hotmail and Yahoo) provide antivirus scanning services, but there are many smaller sites that do not provide antivirus scanning at all. This is a serious problem for an organization's defenses, as such services provide a route directly from the Internet to clients.

Network administrators can use two basic approaches for URL filtering:

Block lists. The firewall checks a predefined list of problem sites before allowing the connection. Users are allowed to connect with sites that are not specifically on the block list.

Allow lists. This approach only allows communications with sites entered on a predefined list of Web sites that has been approved by the organization.

The first approach relies on an active process of identifying Web sites that may be a problem and adding them to the list. Because of the size and variable nature of the Internet, this approach requires either an automated solution or significant management overhead, and is generally only useful for blocking a small number of known problem sites instead of providing a comprehensive protection solution. The second approach provides greater protection because its restrictive nature makes it possible to control the sites available to users of the system. However, unless the correct research is done to identify all sites that users require, this approach may prove too restrictive for many organizations.
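As an added example (not code from this guide or from ISA Server), the following Python compares the two approaches on the same constructed set of URLs: the block list allows any site it has never heard of, while the allow list denies it. The site lists are constructed placeholders, and the host normalization (case, port, user-info, trailing dot, dot-anchored subdomain matching) shows the checks a filter needs so that trivially rewritten URLs still match the list.

```python
"""URL filtering by block list versus allow list (constructed example).

The site lists below are constructed placeholders, not a real vendor list or
an ISA Server Site and Content Rule.
"""
from urllib.parse import urlsplit

BLOCK_LIST = {"hackertools.example", "freedownloads.example", "tinywebmail.example"}
ALLOW_LIST = {"intranet.corp.example", "www.microsoft.com", "support.microsoft.com"}


def normalize_host(url: str) -> str:
    """Reduce a URL to a comparable host name.

    Case, port, user-info and a trailing dot are all stripped, so that
    HTTP://User@HackerTools.example.:8080/x compares equal to hackertools.example.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_matches(host: str, sites: set) -> bool:
    """True when host is a listed site or a subdomain of one.

    Suffix matching is anchored on a dot, so www.microsoft.com.evil.example
    does not match www.microsoft.com.
    """
    return any(host == s or host.endswith("." + s) for s in sites)


def block_list_decision(url: str) -> str:
    """Block list: deny listed sites, allow everything else (fails open)."""
    host = normalize_host(url)
    if not host:
        return "deny"  # unparseable request: nothing to check against
    return "deny" if host_matches(host, BLOCK_LIST) else "allow"


def allow_list_decision(url: str) -> str:
    """Allow list: allow listed sites, deny everything else (fails closed)."""
    host = normalize_host(url)
    return "allow" if host and host_matches(host, ALLOW_LIST) else "deny"


# Constructed sample URLs, including rewritten forms of listed sites and one
# site that appears on neither list.
SAMPLE_URLS = [
    "http://intranet.corp.example/reports/",
    "HTTP://User@HackerTools.example.:8080/x",
    "http://cdn.freedownloads.example/tool.exe",
    "http://brand-new-site.example/",
    "http://www.microsoft.com.evil.example/",
]


def compare(urls=SAMPLE_URLS) -> list:
    """Return (url, block-list verdict, allow-list verdict) for each URL."""
    return [(u, block_list_decision(u), allow_list_decision(u)) for u in urls]


if __name__ == "__main__":
    for url, blk, alw in compare():
        print(f"{url:45} block list: {blk:5} allow list: {alw}")
```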

Microsoft ISA Server supports the manual creation of both of these lists using its Site and Content Rules. However, enhanced and automated solutions are available from Microsoft partners that work directly with ISA Server to ensure URLs can be blocked or allowed as required with a minimum of management overhead. A list of these solutions is available from the Microsoft Internet Security and Acceleration Server Partners URL Filtering page on Microsoft.com at: http://www.microsoft.com/isaserver/partners/accesscontrol.mspx.

Both these approaches will only provide protection while a client is inside the organization's defenses. This protection will not be available when a mobile client connects directly to the Internet while out of the office, which means your network will be susceptible to a possible attack. If a URL filter solution is required for mobile clients in your organization, you should consider using a client-based defense system. However, this approach can lead to a significant management overhead, especially in environments with large numbers of mobile clients.

Quarantine Networks

Another technique you can use to secure networks is to establish a quarantine network for computers that do not meet your organization's minimum security requirements.

Note: This technique should not be confused with the quarantine feature available in some antivirus applications, which moves an infected file to a safe area on the computer until it can be cleaned.

A quarantine network should restrict, or even block, internal access to your organization's resources, but provide a level of connectivity (including the Internet) that will allow temporary visitors' computers to work productively without risking the security of the internal network. If a laptop from a visitor is infected with malware and connects to the network, its ability to infect the other computers on the internal network is restricted by the quarantine network.

An approach similar to this has been successfully applied to VPN-type remote connections for some time. VPN clients are diverted to a temporary quarantine network while system tests are performed. If the client passes the tests, for example by having the required security updates and antivirus signature files, it is granted access to the organization's internal network. If the client does not meet these requirements, it is either disconnected or allowed access to the quarantine network, which can be used to obtain the necessary updates to pass the tests. Network designers are now looking at this technology to help improve security on internal networks.

For more information on this technique, see the Planning for Network Access Quarantine Control page of the Microsoft Windows Server 2003 Deployment Kit on Microsoft.com at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/depkit/CC2503A6-D2BF-4E82-BFD9-0CB7564A3879.mspx.

ISA Server Feature Pack

If your organization uses ISA Server 2000, Microsoft also recommends using the additional features provided in ISA Server Feature Pack 1. This free add-on provides additional security features that you can use to improve the security of communications (including e-mail) across the firewalls in your network defenses. The features that you can use to improve your antivirus network defenses include:

An enhanced SMTP filter. This feature helps filter e-mail messages with increased reliability and security. The filtering is based on the name, size, or extension of an attachment, as well as the sender, domain, keyword, and any SMTP command and its length.

An enhanced Exchange remote procedure call (RPC) filter. This feature protects Outlook e-mail communication to Exchange Server computers over untrusted networks without requiring you to set up a VPN. To achieve this, the following extra features are also included in ISA Server Feature Pack 1:

The ability for Administrators to enforce RPC encryption between Outlook and an Exchange Server.

The ability for outbound RPC communication to pass securely through ISA Server, which in turn permits Outlook clients connected to an ISA Server computer to access external Exchange Server computers.

UrlScan 2.5. This tool helps stop malicious Web requests at the ISA Server computer before they can enter the network and access a Web server.

Outlook Web Access (OWA) Wizard. You can use this wizard to quickly and easily configure ISA Server to help protect an OWA deployment.

RPC Filter Configuration Wizard. You can use this wizard to only allow a precise level of access to RPC services on the internal network instead of all RPC traffic.

For more information about using these features to secure a perimeter ISA Server firewall, see the ISA Server Feature Pack 1 page on Microsoft.com at:
http://www.microsoft.com/downloads/details.aspx?familyid=2f92b02c-ac49-44df-af6c-5be084b345f9.

Physical Security

Although physical security is more of a general security issue than a specific malware problem, it is impossible to protect against malware without an effective physical defense plan for all client, server, and network devices in your organization's infrastructure. There are a number of critical elements in an effective physical defense plan, including:

Building security

Personnel security

Network access points

Server computers

Workstation computers

Mobile computers and devices

Each of these elements should be evaluated in a security risk assessment for your organization. If an attacker compromises any of these elements, there is an increased level of risk that malware could bypass the external and internal network defense boundaries to infect a host on your network.

Protecting access to your facilities and your computing systems should be a fundamental element of your organization's overall security strategy. A detailed explanation of these considerations is beyond the scope of this solution. However, information about the basic elements of a sound physical security plan is available in the "5-Minute Security Advisor - Basic Physical Security" article on Microsoft TechNet at:
http://www.microsoft.com/technet/archive/community/columns/security/5min/5min-203.mspx.

Policies, Procedures, and Awareness

Client, server, and network operational policies and procedures are essential aspects of the antivirus defense layers in your organization. Microsoft recommends consideration of the following policies and procedures as part of your organization's antivirus defense in depth solution:

Antivirus scanning routines. Ideally, your antivirus application should support automated or real-time scanning. However, if this is not the case, you should implement a process to provide guidance on when the users in your organization should run a full system scan.

Antivirus signature update routines. Most modern antivirus applications support an automated method for downloading virus signature updates, and you should implement such a method on a regular basis. However, if your organization requires testing these updates prior to deploying them, you will generally not be able to use such methods. If this is the case, make sure your support staff identifies, downloads, tests, and updates signature files as soon as possible.

Policies on allowed applications and services. A clearly communicated policy should exist to explain which applications are allowed on your organization's computers and others that access your organization's resources. Examples of applications that can cause problems include peer-to-peer network applications and applications that users may download directly from rogue Web sites.

At a minimum, Microsoft recommends the following policies and procedures for all devices in your organization's network defense layer.

Change control. A key security process for network devices is to control changes that impact them. Ideally, all changes should be proposed, tested, and implemented in a controlled and documented manner. Spontaneous changes to devices in the perimeter network are likely to introduce configuration errors or flaws that an attack could exploit.

Network monitoring. Correctly configuring your network devices to optimize them for security does not mean that other antivirus procedures can be neglected. Ongoing monitoring of all devices in the network is essential to detect malware attacks as soon as possible. Monitoring is a complex process that requires gathering information from a number of sources (such as firewalls, routers, and switches) to compile a "normal" behavior baseline you can use to identify abnormal behavior.

Attack detection process. If a suspected malware attack is detected, your organization should have a set of clearly defined and documented steps to follow to ensure the attack is confirmed, controlled, and cleaned with minimum disruption to end users. See Chapter 4, "Outbreak Control and Recovery," for more information about this subject.

Home computer network access policy. A set of minimum requirements should be established and met before an employee can connect a home computer or network to your organization's network via a VPN connection.

Visitor network access policy. A set of minimum requirements should be established and met by visitors before they are allowed to connect to your organization's network. These requirements should apply to both wireless and wired connectivity.

Wireless network policy. All wireless devices connecting to the internal network should meet minimum security configuration requirements before they can connect. This policy should specify the required minimum configuration for the organization.
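Building the "normal" behavior baseline that the network monitoring procedure above calls for, and using it to pick out abnormal behavior, as an added example that is not part of the guide. The firewall log format, the hosts and the thresholds are constructed; the script counts outbound TCP/25 connection attempts per host across several observation windows, which is how a mass-mailing worm on a single client tends to stand out from that client's own history.

```python
"""Added example (not from the guide): a per-host "normal" baseline built
from firewall connection logs, then used to flag hosts that deviate from
it.  Log format, hosts and thresholds are constructed for illustration."""
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

# Constructed log format: "<date> <time> <action> <proto> <src> <dst> <dport>"
LOG_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) (TCP|UDP) (\S+) (\S+) (\d+)$")


def count_connections(lines: Iterable[str], dport: int) -> Counter:
    """Connection attempts to dport, keyed by source host.  Denied attempts
    count too: a client trying to reach many SMTP servers is the symptom,
    whether or not the firewall let it through."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and int(m.group(6)) == dport:
            counts[m.group(4)] += 1
    return counts


def build_baseline(windows: List[List[str]], dport: int) -> Dict[str, Tuple[float, float]]:
    """Per-host (mean, population std-dev) of attempts per window over the
    windows that define normal behaviour.  A host silent in one window
    contributes a zero for it."""
    counters = [count_connections(w, dport) for w in windows]
    baseline = {}
    for host in set().union(*counters):
        samples = [c.get(host, 0) for c in counters]
        baseline[host] = (mean(samples), pstdev(samples))
    return baseline


def find_anomalies(window: List[str], baseline, dport: int,
                   k: float = 3.0, floor: int = 20) -> Dict[str, int]:
    """Hosts whose count in this window exceeds mean + k*stdev of their own
    baseline AND an absolute floor, so a host that normally sends one
    message is not flagged for sending five.  A host with no history is
    judged against the floor alone."""
    flagged = {}
    for host, n in count_connections(window, dport).items():
        avg, sd = baseline.get(host, (0.0, 0.0))
        if n >= floor and n > avg + k * sd:
            flagged[host] = n
    return flagged


def constructed_window(pairs, action: str = "ALLOW") -> List[str]:
    """Constructed sample log lines: (src host, number of SMTP attempts)."""
    return [f"2004-05-20 09:{i % 60:02d}:00 {action} TCP {src} 203.0.113.{10 + i % 40} 25"
            for src, n in pairs for i in range(n)]


# Three "normal" windows: two clients relaying a handful of messages each.
BASELINE_WINDOWS = [
    constructed_window([("10.0.1.15", 3), ("10.0.1.22", 3)]),
    constructed_window([("10.0.1.15", 2), ("10.0.1.22", 2)]),
    constructed_window([("10.0.1.15", 4), ("10.0.1.22", 4)]),
]
# Today's window: 10.0.1.22 tries 40 direct SMTP connections (denied by the
# firewall) and a previously unseen host appears with a single attempt.
TODAY_WINDOW = (constructed_window([("10.0.1.15", 3), ("10.0.1.40", 1)])
                + constructed_window([("10.0.1.22", 40)], action="DENY"))


def demo() -> Dict[str, int]:
    return find_anomalies(TODAY_WINDOW, build_baseline(BASELINE_WINDOWS, 25), 25)


if __name__ == "__main__":
    for host, n in demo().items():
        print(f"{host}: {n} outbound SMTP attempts this window; review for mass-mailing malware")
```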

There are many more policies and procedures you could implement to improve the security of your network devices; the ones listed in this section should be considered as a good starting point. However, because additional policies provide general security settings rather than antivirus specific settings, they are outside the scope of this guide.

Security Update Policy

Client, server, and network defenses should all have some form of security update management system in place. Such a system could be provided as part of a wider enterprise patch management solution. The operating systems of hosts and devices should be checked for vendor-supplied updates on a regular basis. The security update policy should also provide the operating criteria for the process that is used to roll out security updates to your organization's systems. This process should consist of the following stages:

1. Check for updates. Some type of automated notification process should be in place to notify users of available updates.

2. Download updates. The system should be able to download updates with minimal impact on users and the network.

3. Test updates. If updates are for mission-critical hosts, you should ensure that each update is tested on a suitable non-production system before it is deployed in your production environment.

4. Deploy updates. Once an update has been tested and verified, a simple deployment mechanism should be available to help distribute it.

If the systems being updated in your environment do not require the testing phase of this list, your organization may wish to consider automating the entire process for its systems. For example, the Automated Updates option on the Microsoft Windows Update Web site makes it possible for your client computers to be notified and updated without user intervention. Using this option helps to ensure that your systems are running the latest security updates as soon as possible. However, this approach does not test the update before installing it. If this is a requirement for your organization, this option is not recommended.

Ensuring that your organization's systems are maintained with the latest security updates should become a routine part of your organization's system management.

Risk-based Policies

With so many clients, servers, and network devices connected at the perimeter and internal network layers of the antivirus defense-in-depth model, it can be difficult to create a single effective security policy to manage all of the requirements and configurations in your organization. One approach you can use to organize your policy is to group the hosts in your organization into categories based on their type and exposure to risk.

To help determine the level of risk to assign to a host or device, consider conducting a risk assessment on each of them. A detailed set of guidance on performing such risk assessments is available in "Chapter 3 - Understanding the Security Risk Management Discipline" of the Microsoft Solution for Securing Windows 2000 Server on TechNet at:
http://www.microsoft.com/technet/security/prodtech/windows2000/secwin2k/03secrsk.mspx.

Microsoft recommends consideration of the following configuration categories for your organization's client focused risk assessment policies:

Standard client configuration. This configuration category usually applies to office-based desktop computers that stay physically on site in an office building. These desktop clients are continuously protected by the existing external and internal network defenses, and they are secured within an organization's buildings.

High-risk client configuration. This configuration category is designed to meet the needs of mobile computer users and mobile devices such as PDAs and mobile phones. These devices often move outside the protection of the organization's network defenses and are therefore at a higher level of risk.

Guest client configuration. This configuration category is designed for client computers that your organization does not own or support. Managing the configuration of these computers may not be possible, because you are unlikely to have control over their configuration. However, you can set policies that will limit the ability of these computers to connect to your organization's networks. Guest client computers are typically one of the following types:

Employee home computers.

Partner or vendor computers.

Guest computers.

Microsoft also recommends establishing risk categories for server roles, and the same risk assessment is recommended for servers as well as clients. As a starting point for your server policies, you could consider the following configuration categories:

Standard server configuration. This configuration category is designed to be a common denominator for the majority of server configurations in your environment. It provides a minimum level of security, but without restricting commonly used services. You can then modify the high-risk and role-specific configuration category policies to cover all policy requirements at an appropriate level.

High-risk server configuration. Servers that are in the perimeter network or exposed directly to external connections and files should be considered in this configuration category. For example, this category could include perimeter Web servers, firewall servers, and messaging servers. A server that contains particularly sensitive data, such as an HR database server, might also warrant this configuration regardless of its network location.

Role-specific configurations. Your organization may also choose to organize specific server roles into different configurations to more closely match the requirements of your server applications. For example, you may choose to use role-specific configurations for messaging servers, database servers, or firewalls. You may elect to use this approach in addition to either the standard or high-risk configuration category as required.

The use of risk-based policies is ultimately the choice of the planning teams in your organization, and you can use the referenced configuration classifications as a basis for further development. Ultimately, the goal is to reduce the number of configurations your management systems must support. In general, a standardized approach is more likely to yield a secure configuration than configuring the security of each host in your environment independently.

Automated Monitoring and Reporting Policies

If your organization uses an automated monitoring system or an antivirus application that can report suspected malware infections to a central location, it is possible to automate this process so that any alert will automatically inform all of the users in your organization's IT infrastructure. An automated alert system will minimize the delay between an initial alert and users being aware of the malware threat, but the problem with this approach is that it can generate many "false positive" alerts. If no one is screening the alerts and reviewing an unusual activity reporting checklist, it is likely that alerts will warn of malware that is not present. This situation can lead to complacency, as users will quickly become desensitized to alerts that are generated too frequently.

Microsoft recommends assigning members of the network administration team the responsibility of receiving all automated malware alerts from all system monitoring software or antivirus packages that your organization uses. The team can then filter out the false positive alerts from the automated systems before issuing alerts to users. For this approach to be successful, the team needs to monitor for alerts 24 hours a day, 7 days a week to ensure all alerts are checked and, if required, released to network users.

User and Support Team Awareness

Team awareness and training should target the administration and support teams in your organization. Training for key IT professionals is a fundamental requirement in all areas of IT, but for antivirus defense it is especially important because the nature of malware attacks and defenses may change on a regular basis. A new malware attack can compromise an effective defense system almost overnight, and your organization's defenses could be at risk. If the support personnel for these defenses are not trained in how to spot and react to new malware threats, it is only a matter of time before a serious breach in the antivirus defense system occurs.

User Awareness

User education is often one of the last considerations an organization makes when designing its antivirus defense. Helping users understand some of the risks associated with malware attacks is an important part of mitigating such risks, because everyone in the organization who uses IT resources plays a role in the security of the network. For this reason, it is important to educate your users about the more common risks that they can mitigate, such as:

Opening e-mail attachments.

Using weak passwords.

Downloading applications and ActiveX controls from untrusted Web sites.

Running applications from unauthorized removable media.

Allowing access to your organization's data and networks.

As malware techniques change, antivirus defenses have to be updated. Regardless of whether an antivirus program's signature file or the program itself needs updating, it takes time to create and deploy updates. The amount of time it takes to create updates has been dramatically reduced over the last few years, and these updates are generally available in a matter of hours. However, in rarer cases, it can still take days from the time a new malware attack is released to make an effective antivirus defense available.

During this time the best defense your organization may have is users who are aware of malware and its risks. Providing your users with basic antivirus guidelines and training can help prevent a new malware strain that makes it past your IT defenses from propagating throughout your environment.

Training users does not have to be a complex process. Basic antivirus guidelines are largely based on common sense principles, but ensuring such guidelines are enforced and communicated clearly can be more of a challenge. The Windows XP Baseline Security Checklists available on Microsoft TechNet at http://www.microsoft.com/technet/archive/security/chklist/xpcl.mspx can help you identify common antivirus and security related issues to communicate to your users.

Users responsible for mobile devices are likely to require additional training to help them understand the risks associated with taking a device outside of the organization's physical and network defenses. It is likely that additional defenses will be required specifically to safeguard these mobile devices. For this reason, you may need to require additional configuration and training for users who manage these devices.

Note: There is some useful end user configuration information provided in the Protect your PC guidance on Microsoft.com at:
www.microsoft.com/security/protect/. This site is a good information resource that can help your users educate themselves on how to secure their home computers and networks.

Support Team Awareness

The IT professionals responsible for the configuration and support of the servers, clients, and network devices of the organization will need antivirus training to help them ensure that their systems are optimally configured and maintained to stop malware attacks. Errors in the configuration of any of these computers or devices can open a route for a malware attack. For example, if a poorly trained firewall administrator opens all the network ports by default on a perimeter firewall device, a serious security and malware risk would be created. Administrators who are responsible for the devices that connect to your organization's perimeter network should receive specific security training to help them understand the range of attacks that can affect the network devices.

Many events, hands-on labs, and Webcasts on security topics are available directly from Microsoft. For more information about these topics, see Your Security Program Guide on Microsoft.com at:
http://www.microsoft.com/seminar/events/security.mspx.

Security training and books are also available from Microsoft Learning. For more information about these publications, see the Microsoft Learning Security Resources page on Microsoft.com at:
http://www.microsoft.com/learning/centers/security.mspx.

Obtaining User Feedback

Malware-aware users can provide an excellent early warning system if they are presented with a simple and effective mechanism to report unusual behavior on the systems they use. Such a mechanism can take the form of a telephone hotline number, e-mail alias, or a rapid escalation process from the organization's Helpdesk.

Proactive Internal Communications

If possible, members of the IT department should create a proactive antivirus response team that is responsible for monitoring external malware alert sites for early warnings of malware attacks. Good examples of such sites include:

Antivirus application vendor Web sites.

The Anti-Virus Information Exchange Network (AVIEN) Web site at: www.avien.org.

Antivirus alert services, such as the Antivirus Information Early Warning System (AVI-EWS) from AVIEN (you can subscribe to these services).

The Microsoft Security Antivirus Information Web site on Microsoft.com at: http://www.microsoft.com/security/antivirus/default.mspx.

Regular checking of reference sites like these should enable support staff to notify systems administrators and users of current malware threats before they penetrate your organization's network. The timing of these checks is crucial. Ensuring that system users receive a proactive warning before checking their morning e-mail can make the difference between managing the removal of a few suspicious e-mails and trying to contain a malware outbreak. If the majority of your system's users log on at 9 A.M., establishing a way to communicate new malware threats before this time would be considered best practice.

Internal Malware Alerts

Finding the most effective mechanism to inform all users of the potential for a malware attack in a timely and comprehensive way is crucial. Available communications systems vary greatly depending on the organization's infrastructure, and it is impossible to provide a malware alert system that will work for all organizations. However, this section provides the following examples of mechanisms that your organization may wish to consider for this purpose:

Organization notice boards. A low-tech approach that should not be forgotten is to use internal office doors, notice boards, or paper-based information points that are obvious to employees. Although this process involves some overhead to maintain, it has the significant advantage of communicating vital information to your users when areas of the network are unavailable due to an attack.

Voice mail systems. If your organization's voice mail system supports it, the ability to leave a single message for all users can be an effective mechanism to communicate a malware alert. However, it should be noted that this method relies on users accessing voice mail before e-mail to alert them of an e-mail threat.

Logon messages. You can configure the Windows operating system to deliver a message directly to your users' screens during the logon process. This mechanism provides a good way to draw user attention to malware alerts.

Intranet portals. A common intranet portal that users have set as their home page can be used to provide malware alerts. Users will need to be advised to view this portal before accessing their e-mail to make this alert mechanism effective.

E-mail systems. Care should be taken when using an e-mail system to communicate malware alerts to your users. Because an attack could affect your e-mail servers, this mechanism may not be effective in all cases. Also, the nature of the inbox queuing process could deliver a malware warning after an e-mail containing malware has already been delivered to your users. For this reason, you may need to advise your users to first look for high priority malware warnings when they first log on to their computers before reviewing any e-mail messages.

Summary

Antivirus defense is no longer a matter of installing an application. The most recent malware attacks have proven that a more comprehensive defensive approach is required. This chapter has focused on how you can apply the defense-in-depth security model as the basis of an effective antivirus solution for your organization. It is important to understand that malware writers are continually updating their methods to attack new IT technologies that your organization may be using, and that antivirus technologies are constantly evolving to mitigate these new threats.

The antivirus defense-in-depth approach should help ensure that your IT infrastructure will address all possible malware attack vectors. Using this layered approach makes it easier to recognize any weak points in the entire system, from the perimeter network to the individuals working at their computers throughout your environment. Failure to address any of the layers described in the antivirus defense-in-depth approach could leave your systems open to attack.

You should constantly review your antivirus solution so that you can update it whenever needed. All aspects of antivirus protection are important, from simple automated virus signature downloads to complete changes in operational policy.

Similarly, because the information provided in this guide is subject to updates, it is important to continually monitor the Microsoft Security Antivirus Information Web site on Microsoft.com at http://www.microsoft.com/security/antivirus/ to receive the latest antivirus information and guidance.

Microsoft recognizes how disruptive and costly malware can be, and has invested a great deal of effort into making it more difficult for those who create and distribute malware. Microsoft is also working to make it easier for network designers, IT professionals, and end users to configure systems to meet their security requirements with minimal impact to their business operations.

Although it may not be possible to completely eradicate malicious code, focusing consistent attention on the areas highlighted in this antivirus defense-in-depth approach will help minimize the effect a malware attack can have on your organization's business operations.
