Handling User Grown Machines on a Large Network?

matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"

forcefully

[OriginalSpaceMan]

Force them to login to an Active Directory domain and hand out updates...

Re:forcefully

[bob670]

Then who supports them when the latest Windows update hoses thier machine? It happens less than it used to, but I have one client who lets auto updates run, and one patch in paticular (810577) has brought network browsing to a crawl. We have done literally hundreds of test and narrowed it down to this patch, but neith the knowledge base, user community nor a direct (and expensive call) to MS support can fix his issue. Now he has users screaming about slow network browses to files and folders, time outs hitting their home-brewed data base and his phone never stops ringing. Now mulitply that by the body of a college campus?

You'll need something more reliable than Windows if your plan is to mandate that sort of thing.

Re:forcefully

Well it's a bit rediculous to think you can make everyone happy all the time. Maybe it's his hardware conflicting with something...guess what, his problem... Besides, if you are blocking the correct ports at the firewall then an insecure system is still safe to a degree and only a scan/clean would need to be scripted for login.

Re:forcefully

[bob670]

No flaw here, I totally don't trust MS, but as a support person I have no choice but to deal with them, as do most of us. Too bad the school can't mandate load out on each laptop, sell 'em pre-loaded at a discount.

Re:forcefully

[Samari711]

what about the seniors who are still running 98. then you also end up slowing down student machines and you get a bunch of unhappy students. micromanaging a few thousand computers who's specs are all over the board will cause more headaches than it solves

Re:forcefully

[sg_oneill]

As the systems admin who will test those patches in a test lab before rolling them out to people, you will make sure that will not happen if you valuie that paycheck. Blindly checking off security updates for addition to the network is studipity no matter what the platform, wther you use up2date or MS AutoUpdate. For MS systems, having a SUS server helps centralize this process since you check off what you authorize to get pushed to the network. Active Directory policies can enforce this. Those that don't want to play in the domain can piss off. If you want to keep them off the network, there is always 802.1x.

All of which assumes an SOE environment. All of which is irelevant when it comes to dealing with 'homegrown' environments. Why pray tell will your sysadmin know that the generalised patch on a mishmash of machine is statistically more likely to do x or y than microsofts rather large scale testing procedure. Seems really unlikely imho. Do you know if the client on the AD is really an XP, 2000 or Samba3 box for instance?

Re:forcefully

[bob670]

That sounds great in most cases, and it works perfectly in a controlled network. But in a school where students can carry in machines, where they can carry them offsite and connect to other networks, and where they can blindly apply upadtes without any testing, what your saying is just a good idea that won't happen.

My client with the network browse issue won't listen to my advice about setting up a testbed for each model machine he has (which he can easliy afford, and he does have spare machines) or at least testing on one machine before rolling it out. He has Windows Update on a nightly schedule and won't turn it off, even after this happened. Just yesterday he told me he was pushing some "suggested" update this weekend, without testing or justification of need. And his last sentence was "I have never been bitten by being completely up to date with Windows Update", as I turned away to continue working on his browse issues at a decent hourly rate. It's okay with me, job security, but his life could be easier and his wallet fatter if he would do exaclty what you say (and I have suggested). Now multiply that by the size of the student body.

Re:forcefully

[Samari711]

that might work fine for small colleges but it doesn't scale very well to medium and large schools. especially when the IT department want to do as little limiting of freedom as possible

Re:forcefully

[Snowspinner]

There are people (I was one of them) that would flatly reject that, and pick a different school over it.

Policies which decrease enrollment are generally to be avoided.

Re:forcefully

[rgriff59]

That's when you set forth the rules.

Yes, that is exactly why I am paying the tuition for my daughter's university experience, so she can learn to blindly accept policies without the bothersome need for critical thinking, with the ultimate goal of differentiating herself from the rest of the world by being just like everyone else. That is what I expect from an institution of higher learning.

There will be plenty of time for diversity later, right now you must conform.

PS: she is running Mandrake 9.1 (unsupported by her school) by choice (hers, not mine.) XP is on the baox, it just doesn't see much action.

Re:forcefully

[mentin]

What an amazingly simplisitic viewpoint, do you work for MS support? Your blaming hardware that worked fine before a patch ...

My NVidia card worked fine (under Windows) before I installed Linux, and still all Linux people blamed the hardware, saying there is some known problem with DVI support in old NVidia cards.

Obviously, if you are developing OS (whether it is Windows or Linux) and don't have the benefit of being able to blame Gates or Linus for your bugs, there is still last chance: blame hardware!

Ban 'em

[larien]

If you can track down where the traffic is coming from (which I believe you can with MSBLASTER, at least to the extent of IP address and from there, MAC address), block their port until they fix their machine. Once they've (a) patched up and (b) removed MSBLASTER, let them back on. Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.

Re:Ban 'em

[SnowWolf2003]

If you block them, how are the supposed to patch their machine?

How about netsending them with a message saying their machine has been infected with a virus - please go to x website to download and install the patch. Also give them a helpdesk phone number so they can be walked through the process.
If they aren't tech savvy enough to be keeping their virus scanner up to date, they probably haven't turned off the messenger service either.

Re:Ban 'em

[Kevin+DeGraaf]

here at Oklahoma State University, the IT department gave all the RAs in all the dorms and apartments a fix-it CD, all users must run the software on the CD regardless of whether they don't think they have msblast/sobig, etc.

If that really happened, it would be the stupidest thing I've heard of in a while.

1. What if these patches introduce other problems/bugs? After all, this is M$ software we're talking about here. Has the IT department done exhaustive regression testing to make sure the patches won't cause other issues?

2. It would be stupid to pass around home-grown discs like this. What if someone in IT screwed up and included the wrong patches? Or, perhaps a bored, nefarious student working in IT included something like BackOrifice on the CD?

3. Obvious Slashdot objection -- what about those of us who don't run M$ shit? Are the RA's really clueful enough to realize this, or are they going to be stupid tools of the system and sit there and force you to attempt installation, and then accuse you of subversion when the Win32 binaries don't run on your *nix box?

These are just a few off-the-top examples of why this action was a Brain-Dead (TM) thing to do. The IT department has every right to implement network-level measures to stop the spread of malware. But their jurisdiction STOPS at the network jack in the wall!

Re:Ban 'em

[Knightmare]

Obviously you are well mis-informed as to the repercussions of not patching for this worm. You can get pissed at Microsoft if you wish, but not patching for this is not really an option. Non-authenticated remote administrator exploit with one of the 30 different variations of the exploit that are available to the public. People have even released DCOM exploit for dummies howto pages at this point. Unless you want random people traipsing around your hard drive with rights to read/write anything on the disk, then patch.

And if the RA was caught infecting everyones PCs with a new hole while passing around a disk to fix an old one, it wouldn't happen twice because they would be expelled. Just remember, not everyone is out to get you. Take off the tin hat sometime, leave your cave, smile and say hi to the people you meet on your trip around the real world. They are not all out to get you, if this sentence seems false, there is medication that can help you.

The wrong thing for you to do is to try and fight the man and tell them they can't do things to your PC because pretty soon your network jack will stop working and you will be packing up your PC. And if you enlist enough of your buddies to fight the fight with you, next thing you know they will institute a policy that part of enrollment is paying for a brand new Dell laptop that will be yours when you leave school, but will be administrated as the school asks till that happens. Just FYI thats the way several of the expensive universities do it.

Maybe give out some info to the people?

[TheWart]

Here at my school, for the last week, starting about a day before freshman move in, they have had flyers *everyewhere* telling people not to hook up the network until they install this patch provided by the IT dept. Of course, there are still the bozo's that don't pay heed to the warnings....but there are lots of them in the world anyways.

Re:You could just...

[Phleg]

Because I'm sure that they'd far rather spend sixty times the amount of support costs trying to get users acquainted with Linux, rather than have their network flooded with virii every now and then.

Now don't get me wrong--I'm just as much a die-hard Linux advocate as anyone, but it's just not feasible to tell every kid on a college campus to suddenly switch operating systems. They're going to need to figure out how, and you're going to be the ones to tell them. This is going to send your costs through the roof.

He's trying to solve problems for his university, not create new ones.

Re:responsibility

[gykh]

If you make them bear some financial responsibility for not checking their machines first this might help.

Are you sure about that? What are you going to fine for? Not having a secure enough computer? Everyone (i.e. /.) knows security holes appear every week, major ones every 4 months or so. Do you fine someone who just reinstalled windows and was just logging on to download patches and got hit? For getting a virus? How about we tax stupidity next?

Students go to university to learn and give back some knowledge, not to constantly maintain their tools.

Re:Easy solution:

[GeekDork]

This is so ridiculous that I'm still thinking you're joking. Either that or you haven't been in education for a long time.

I'm a CS student. We often have the choice of buying an outdated EUR 6 hardcopy of a lecture script (without TOC or index), printing some 200 pages (on a printer quota that's sufficient for 150) or viewing the constantly updated script on-screen with search functionality. This holds true for at least four courses per semester. Without PCs, we'd be royally screwed.

In most appartment buildings for students, the network is provided by the university over a 2MBit line with at least 10% packet loss, high lag and a 650MiB/month quota (traffic inside the uni network isn't counted). Bozos who don't get the rules get blocked at the inhouse switch.

If they'd try to ban PCs they'd get only one thing: open revolt. I mean the stuff with burning administration buildings. Literally. Plus it'd be mostly unenforceable in countries with things like individual freedom. Oh, there's also the need to at least quadruple the number of terminals across the campus.

Re:I'm actually wanting to know the same thing, bu

[Graff]

Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.

50 computers over 8 hours = 9.6 minutes per computer, average. This time includes knocking on doors, explanations, going back to get rooms which were closed for some reason, booting up computers and rebooting them, loading the patches on to the machine and installing them, and all the regular crap that goes with handling 50 different computers with 50 different setups. Honestly I would say that 10 minutes per computer is simply amazing. These guys must be supermen to get a whole dorm patched in a day, unless they come in with an army of a dozen techs.

What can a student do? Preach alternative systems. Wean people off of Microsoft Windows entirely. I run 2 labs of a dozen Macintosh machines running Mac OS X and I haven't had to lift a finger to do much of anything for more than a year. The machines run perfectly and just laughed at all of the viruses, worms, trojan horses, and other problems that Windows computers have had to deal with. The same, I'm sure, is true of BSD and Linux based operating systems.

Take a look at the history of the Irish potato famine. The main cause of this horrible piece of history was a simple fungus. It spread so suddenly and completely because to grow potatoes quickly you can simply cut up one potato and plant the pieces. Each new plant is a genetic clone of the original potato. Thus when a disease hits one plant it quickly spreads and hits them all, turning a simple disease into an epidemic. The same is true of computers. A monoculture of Windows machines are much more vulnerable to the spread of computer infections than a mix of operating systems. Having one operating system dominate over 90% of the market is simply not healthy.

Re:I'm actually wanting to know the same thing, bu

[hswoolve]

In the defense of the "incompetent dorm techs" they probably had to deal with:
- students who weren't in their rooms
- students who figured someone else touching *their* machine was an invasion or their privacy (especially the 50 gig of mp3's)
- students who were in their rooms and didn't want to be disturbed
- the 133t hAx0rZ who thought it was uB3R k3W1 to archive their old (infected) systems and reset the machine as soon as the techs had left.

Having been the "oh call her" person for a(n administrative) department at a university I know what students can get up to.

Re:Possible solution

[themassiah]

I was with you until this part: "drop their connection via MAC address and refuse to give them another DHCP lease". Here's a better idea. CALL THEM! If they're running Windows, send them a Messenger Service Message before you cut their connection, telling them to call IT or something. Don't just shut them off, it's bad for your department's image and it's a bad policy when dealing with people.

Re:I'm actually wanting to know the same thing, bu

[Omestes]

The guy I share a bathroom with at NAU got the blaster worm before coming here, then called on me, the resident geek to fix it. It took roughly five hours to talk him through using a virus scanner, and then talking him through the fix. I finally gave up and refered him to the IT people.

I know for Lovsan our school links you, before network registration, to a page with the fix. Then if you get infected they kill your access. Then send up a tech. Sad thing is the average user can't even figure out how to get to the patch even with a page linking to it.

Now before all the /.'rs get on the "install Linux on everyones box" rant, I'm going to highlight the main problem, the end users ignorance about computers. The average college student thinks of his/her computer as an applience. And thinks that Windows update as that pesky taskbar icon that keeps on screaming at them.

Also in a small office network administrating 20-100 people is an easy task, or EASIER, than handeling 5,000 students with no computer skills. In an office network you can set up the computers to use whatever software you want, like not allowing Outlook on work machines, or whatnot, but in a college network you have 5,000+ different configurations.

As for solutions, I have no clue, though. I guess the only way is to just blcok access of the infected, which kinda sucks since it HAS to be after the fact. Perhaps you could force people joining the netword to take a small online class, download your supported virus-scanner, and whatever fixes exist before registering their machine. Then as new threats come out, make new required online lessons needed to keep network access.

Re:responsibility

That gives the college an incentive to fuck over college students, most of who probably don't know if some obscure bug is hitting them or not. Some of these recent bugs are pretty easy to spot, but if a tech was able to find 100 people who don't know much about computers and tell them their computer has some virus on it, then that's $1500 per semester you're talking about, plus if the tech fixes the computer, he can say that he "erased all traces of the virus" or some such.

Furthermore, what is the appeals process? Does the sysadmin have to show proof that the user's computer is messing with the system?

No, your idea is a shitty one. Taking $15.00 from a couple hundred college students doesn't make Microsoft's software any less vulnerable.

Telling students what to do is not the solution

[Door-opening+Fascist]

My college, in response to Blaster, Nachi, etc., recently told students to download a copy of Vexira Anti-virus, for which we have a site license. One of my non-CS friends (yes, /. geeks can have non-CS friends) did just that and, since she (yes, a female, at that) had little computing experience, deleted every infected file. I'm only a UNIX admin with very little Windoze experience, so I'm not sure if deleting the infected files had something to with it, but XP Home refused to go past the login screen. She has been going through something of a family crisis, so I was up until about 1 in the morning getting her machine back into working order without losing any data. I succeeded, but it was still pretty stressful. She didn't really care about having a clean computer; she just wanted a working computer.

In short, just telling students to download and run a program they don't understand to clean up their computers isn't going to work. At best, no one's going to do it, and at worst, it's going to f*ck people's computers up, creating more of a support mess.

Think in the students' shoes

[cms7912]

From a Student Affairs prospective, I would offer that contacting the student is critical before shutting off their port.

Phone and leave a message with instructions how to get help, and provide how-to-fix-it guides at their hall's front desk. Give them a chance to fix it if you can, and tell them the timeline ("You have 24 hours before we will have to take you offline. Here's how you fix it:"). If you have to disconnect their port immediately, then you must contact and guide them to help.

Internet access is necessary today (preaching to the choir here!), and you should never disconnect someone and then wait for them to wander into your office to help them. Anyone who reads /. understands that.

Re:Post lists

[wik]

This works until you find a smart-ass who TRIES to get to the top of this list. It's a status symbol in some sick and twisted world. Remember, you're dealing with geeks here...

Re:Domain logons

[Daniel+Phillips]

I think that this is the perfect environment for an anti-worm. If the spread of such a worm was limited to the college's netblock, it could be easily controlled (luckily computer viruses don't spontaneously mutate) and it could be set to download all needed patches from a campus server, and destroy itself on command from the same server. Something like this could also be worthwhile on corporate networks. Why haven't antivirus companies caught on to this?

Once the machine is owned by a virus, patching it and pretending everything is ok is just plain stupid. You have no idea how many trojans the virus installed. Once an infected machine is found, it should be blocked from the net immediately, physically disconnected, shut down, and reinstalled from scratch, including all applications. Basically, the only safe approach is to boot from a CD and wipe the disk.

Even with all of the above, you're still not 100% safe, your BIOS may have been trojaned (i.e., reflashed). The best approach is prevention: just don't run an OS that leaves you wide open like that. The second time it happens to you, you might as well put Linux on the machine. You're obviously going to save time in the long run, not to mention keeping your valuable data safe from snooping or perhaps total loss.

Wonderful way to bring your network down...

[Kjella]

What do you think happens when *each* and everyone of them goes on KaZaA because they can't share anything? Not to mention how they'll whine about how they can't cooperate because no one can access the others' files (short of sending project documents back and forth via email or something).

I don't think that thought it so well thought out....

Kjella

Re:Domain logons

[slamb]

I think that this is the perfect environment for an anti-worm. If the spread of such a worm was limited to the college's netblock, it could be easily controlled (luckily computer viruses don't spontaneously mutate) and it could be set to download all needed patches from a campus server, and destroy itself on command from the same server

A worm has a bunch of properties that aren't desirable here:

• every machine probes all the others - this slows down the network, as we've all seen. Centralized machines with more coordination and such probing machines systematically would be more friendly to the network. (Worms do this to catch people when they cross network boundaries with a laptop and such (unnecessary), to catch stuff unreachable from earlier machines (unnecessary), and to make it hard to see where the attack came from (unnecessary).
• it lingers around on the machines (so that it can do the above) - undesirable. Once a machine is patched, it should go back to doing whatever it's doing rather than running worm code.
• opens the machines to new security flaws - downloading stuff from a centralized server? Do you check a cryptographic signature of the downloaded code? How do you keep the key secure? What if you screw up the logic?

Now, you might say that those problems are only temporary, but what if your screw up the code to make the worm destroy itself? Then you have no way to control the outbreak - you've already patched your only sure way to get in.

A better way would be for your machines (ones you control without having to infect) to scan machines and send code that exploits the vulnerability and patches it. Nothing else. But even this would never fly; see below.

Why haven't antivirus companies caught on to this? They could sell customized anti-worms to small-to-medium size network owners. The problems of releasing an anti-worm on the Internet at large don't apply to smaller networks. You can get the permission of all the network admins before releasing the worm, and a central server can be used to control the infection, keeping track of which computers are patched and shutting down the worm when it has done its job.

Trust. They may be able to get the permission of all the network admins, but they'd never get the permission of all the owners of the machines. If someone were trying to break into my machine, I'd throw a fit, even if I believed their intent. They could screw up, opening my machine to new vulnerabilities. The correct thing to do when you notice someone else's machine is vulnerable is to TELL THEM they have a problem and TEACH THEM how to fix it.

Re:You could just...

[moonbender]

Granted I never did that well in Latin ...

Yes, well, so much is obvious. If you had done well, you'd probably have argued, incorrectly, that the plural for virus is viri (-us to -i, as in fungus to fungi). Virii is just BS, where would the second -i come from? Anyway, viruses is definitely the correct plural form as recognised by many dictionaries. For more information do a search and read something like this.

So tired of this joke...

[JaredOfEuropa]

You never played the lottery? Let me ask you another question.

Do you have any kind of insurance?

But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.

I know I know, it's just a joke. Well, I just had to get this off my chest.

Re:Post lists

> This works until you find a smart-ass who TRIES to get to the top of this list. It's a status symbol in some sick and twisted world.

Desiring being at the top of a list whose members are subject to real-world social embarrassment or harm seems like a self-correcting problem. Not very much 'status' left after the first very unpleasant confrontation with the ...enforcement... committee.

jurisdiction (Re:Ban 'em)

But their jurisdiction STOPS at the network jack in the wall!

Says who?

It's the university's network. If they wanted to, they could mandate that the only systems that are allowed to be connected to the Internet are the public labs maintained by the IT department.

Who are you to dictate policy to them?

Re:Public humiliation

[RandomCoil]

Publish in the most visibile place in the dorm buildings weekly compilations with the names of the "Most inept computer users in this dorm". Maybe you can spice it up with an introductory text that gives the impression that when you're saying "most inept" you actually mean "dumb as a door-knob"

I don't think that's going to have the effect you're looking for. The board is going to filled with a weird combination of the wholly computer illiterate (who could care less about their picture being up on some wall) and the computer-literate, attention-starved miscreants (who would be actively trying to turn _one_ of their computers into the 'typhoid Mary' of the dorm).

Re:Simple...

[mistermund]

At Carnegie Mellon, unregistered boxes are automatically routed to a web page that allows them to do temporary or permanent registration based based on MAC address. Once you register, your machine can access the network and DHCP. This allows for easy monitoring, notification, and disconnection of zombies.

It's called AuthBridge and runs on a Linux machine with ethernet bridging and real time packet filtering based on the MAC address. See the link for technical descriptions, diagrams, and further details.

Seems to work quite seamlessly as an end user, IMHO.

Re:morons

[skinfitz]

one word to solve all your problems: Linux

These would be the problems that don't involve 6 months of pissing around with software with literally ZERO documentation trying to get it to work right?

Ok .. lets talk hypothetically. Everyone switches to Linux. So now people write worms for Linux. Yeah that REALLY solved all the problems didn't it. The actual problem is that people write malware regardless of what platform it runs on. They are going to target the most prevalent OS whatever that may be. If the whole world used Macs we would see Mac worms. etc etc.

You've missed the point - it's not the technology

You have made the classic techo mistake - you have assumed that the problem is technical in nature and requires a technical fix.
The problem is actually and administrative (read people) issue, and should be addressed as such.
Build a register of MAC addresses to students, and filter all access from student computers based on (that not permitted is denied).
Then establish a policy whereby students are informed that access to the campus network is a privilege and not a right. Require an 'administration deposit' to cover cleanups in case of viruses/etc - but refund it when they take their equipment and leave.Furthermore, inform them that should work be required by campus staff to fixup outbreaks they may be held liable for costs incurred in cleaning up (you can identify them by the source MAC address) and that their equipment may be confiscated if deemed warranted. Publish policies and guidelines showing best practice (ie patch/update your computer regularly.
You have just created an environment where best practice is required. You have also created a marketplace for people (other students) to assist the less skilled to maintain their systems, and hopefully explain the 'hard' way to everyone that a good security posture is founded on practices and not technology.
IT people make the mistake that the lights and wires are where the job is - rather than the actual objective.