Windows Incident Response
Ideally you are reading this document because you would like to protect your Windows servers from attack. The section of the document called Proactive Measures is for you. Before skipping to Proactive Measures, a quick reading of section 2 will give you some insight into the difficulties you can face when responding to a hacked system. On the other hand, if you are trying to deal with an active incident, the next section, titled Reactive Measures, is a good place to get oriented if you do not have a lot of experience in this area. This document is not a comprehensive presentation of the problem area. It attempts to provide basic guidelines and directs the reader to other material for in-depth study. The scope of the document is limited to Windows 2000 servers and Microsoft's Internet Information Server (IIS).
I need help with a system that is hacked
When a system is hacked, a number of concerns immediately come to mind:
- How do I prevent further damage?
- How do I restore normal operations?
- How do I assess the damage that has been done?
- How do I minimize the possibility of the system being hacked in the future?
In order to answer these questions it is necessary to have a good technical understanding of the operating system, the applications running on the server, the integrity requirements of the data, and the nature of the business. In this document, we assume that you have a good technical background in Windows system administration. If you don't and your system is hacked, our best recommendation is to engage someone who does have the experience.
I want to make my systems more secure
Strengthening the security of a Windows system requires us to work along several lines of attack:
- Developing and testing an effective disaster recovery plan.
- Establishing a set of procedures that routinely and frequently ensures that all relevant patches and upgrades to the operating system and application software are tested and installed.
- Enhancing the operating system with intrusion detection software.
- Following best practices with respect to account and password management.
CNS security services
Security is an important concern for CNS. In this section we identify the various initiatives that we undertake to secure the University systems.
I am interested in how other administrators have responded to system hacks
Experience is the best teacher. Ideally we would like to learn from other people's experience. This section consists of incident reports prepared by various system administrators on campus.