SECURING A SCHOOL NETWORK AND MAKING IT MALWAREFREE WITH LIMITED RESOURCES.
BASED ON MY EXPERIENCE IN MOUNTAINS OF THE MOON UNIVERSITY
PROMOTOR: MR. IVO DE PAUW
RESEARCH TOPIC CONDUCTED BY
DYLAN DECEULAER
TO ACHIEVE THE BACHELOR’S DEGREE IN
NEW MEDIA AND COMMUNICATION TECHNOLOGY
HOWEST | 2015-2016
PREFACE
From February until May I was able to do an internship at Mountains of the Moon University in Fort Portal, Uganda. It was a unique experience and I'm very grateful I got this chance. During my internship I got to enjoy the very friendly people of Uganda and the breathtaking sights, and I got to work together with amazing colleagues. In this environment I was able to research and write this paper.
I wouldn't have been able to do all of this without the help of others. First of all, I would like to thank the province of West-Vlaanderen and VLIR for their financial help; I really wouldn't have been able to finance the trip on my own. Secondly, I would like to thank Howest, and the organizer, Ivo De Pauw, in particular, for offering and organizing this internship. Without all the help in organizing and planning this international experience, I wouldn't have taken the big step of doing an internship in Africa.
During my internship and during the research I did for this paper, I was helped by my colleagues at Mountains of the Moon University, Madjiid Mugenyi and Donozio Mucunguzi. To successfully complete my internship and my thesis, I received a lot of help from my mentor, Ivo De Pauw, and my technical mentor, Tom Decavele. And lastly, I want to thank Wannes De Smet for his help during his visit to Mountains of the Moon University and the help he offered with the technical content of this paper.
ABSTRACT
This paper covers the implementation of security within a school network and how to keep that network malware-free. This is accomplished with limited resources, as this paper is meant to offer an alternative to the expensive software on the market. The paper also covers the dangers an unprotected network can face and gives an overview of the different kinds of malware with their respective characteristics. The network of the Saaka campus at Mountains of the Moon University was used as the reference case for this research.
This paper concludes that network security can be lacking because of incorrectly configured network devices, flawed firewall configurations, the lack of good policies and the lack of threat protection on the appropriate devices. It points out that to achieve a secure network environment and to keep it malware-free, a solid security strategy is needed throughout the network. Such a solution can be realized by implementing proper vulnerability and threat mitigation. With the help of open-source software and companies offering their software for free to schools, this can be done with limited resources.
TABLE OF CONTENTS
Introduction  1
1. The current state of network security  2
1.1. Overview of the infrastructure  2
1.1.1. The network  2
1.1.2. The servers  2
1.1.3. Other hardware  3
1.2. Overview of the current security  4
1.3. Possible threats  4
1.3.1. The network and hardware  5
1.3.2. The servers  5
1.3.3. Windows virtual machines  5
1.3.4. Linux virtual machines  6
1.3.5. Malware on Windows  7
2. Detecting an infection  10
2.1. Commercial software  10
2.2. Other software  13
2.3. The follow-up  14
3. Securing the network environment  15
3.1. Educating the users  15
3.2. Minimizing vulnerabilities  15
3.2.1. The users  15
3.2.2. Least-privilege implementation  16
3.2.3. Network segmentation  19
3.2.4. The firewall  21
3.2.5. Patching  22
3.2.6. A correct configuration  22
3.3. Protecting against threats  23
3.3.1. Firewall protection  23
3.3.2. Server protection  24
3.3.3. Client protection  27
3.4. Todo  28
4. Conclusion  29
TABLE OF FIGURES AND TABLES
Figure 1. Results of a malware removal software comparison performed in 2014. Source: www.av-test.org  10
Figure 2. Results of a malware removal software comparison performed in 2015. Source: www.av-test.org  11
Figure 3. Saaka's Active Directory structure with an example of a user account.  16
Figure 4. The prompt that shows when a user without administrative rights tries to install a program.  17
Figure 5. The implementation of restricted groups for LibraryAdmins.  18
Figure 6. Enabling the "turn off autoplay" group policy.  18
Figure 7. An example of the FTP server configuration.  19
Figure 8. A list of WLANs on the wireless controller.  19
Figure 9. The access-list configuration on the Layer 3 switch that blocks access to management addresses on the servers VLAN from every other VLAN except the admin VLAN.  20
Figure 10. The DMZ configuration restricting DMZ traffic to the WAN interface and the internal network. By default all traffic is denied. The DMZ only has an FTP server, which is accessible to the internal network. SSH and RDP are only accessible to the admin VLAN.  21
Figure 11. The LAN configuration.  21
Figure 12. Example of a blocked site.  22
Figure 13. The part of the SquidGuard GUI to add new entries.  22
Figure 14. The Snort package allows you to choose different IPS security levels. These settings are a tradeoff between security and the amount of false positives.  24
Figure 15. Enabling ClamAV in the Squid package.  24
Figure 16. vSphere Replication settings window.  27
Table 1. Source: http://www.av-comparatives.org/wp-content/uploads/2015/10/avc_rem_2015_en.pdf  10
Table 2. Comparison of enterprise antivirus software.  24
GLOSSARY
AD: Active Directory.
BYOD: Bring Your Own Device.
Botnet: A collection of computers controlled by a single entity, usually used to perform coordinated attacks.
DDoS: Distributed Denial of Service, an attack performed by multiple computers, aimed at disabling a system.
DHCP: Dynamic Host Configuration Protocol, a protocol that distributes IP addresses on a network.
DNS: Domain Name System, a system that provides the association between domain names and IP addresses.
ESXi: A hypervisor by VMware. It is a piece of software that runs directly on the hardware and can run virtual machines.
GPO: Group Policy Object.
IDS: Intrusion Detection System.
IPS: Intrusion Prevention System.
Keylogger: A piece of software that captures the keystrokes of a user. The information gained from a keylogger is usually used for malicious purposes.
LAN: Local Area Network, the internal network.
MMU: Mountains of the Moon University.
PSK: Pre-Shared Key, a shared password used to authenticate on a wireless network.
Phishing: A social engineering practice; the act of manipulating people in order to steal sensitive information.
VLAN: Virtual LAN, a virtual network.
VMware vSphere: The virtualization platform of VMware. It is a suite that contains VMware's virtualization products.
WAN: Wide Area Network, a network that spans a large distance, like the internet.
WLAN: Wireless LAN.
WPA2-Enterprise: A wireless security standard that provides the ability to authenticate on a network with a username and password, backed by a RADIUS server.
INTRODUCTION
This paper is based on my experience during my internship at Mountains of the Moon University in Uganda. My internship continued the work of two Howest interns who built the current network infrastructure at MMU's Saaka campus. While they did a very good job, security was not a part of their assignment. And unfortunately, security wasn't part of our internship assignment either.
Security at school networks is often overlooked, but it is very important. According to Risk Based Security, 14% of all security breaches in 2015 happened at educational facilities [1]. A university in Uganda might not be the biggest target, but just like most universities, Mountains of the Moon University is planning to automate most of its administrative work. This includes storing sensitive information on its servers. When you work with the sensitive information of over 1000 students, it is best to store this information safely.
The reason I chose this subject is that I saw security was seriously lacking in the infrastructure we were working with. Antivirus warnings were common on devices connected to the domain. Almost no countermeasures were taken to combat threats on the servers and the clients. But the importance of this matter goes beyond this specific case. According to a Websense Security Labs study, users in the education sector are twice as likely to visit malicious websites. These users are also twice as likely to be impacted by spyware and adware [2].
Without thorough protection, malware could potentially cripple a school network. As today's schools are very integrated with IT, the potential for loss of data or denial of service is high in a school environment. There have been cases of a school having to close because of a severe malware attack [3].
This paper will cover the importance of security in a school network, the possible threats a school network can encounter and how to protect the network against external threats like malware. For this case it is essential that it can be done with limited resources, as the university has no budget for additional software licenses.
[1] Risk Based Security. (2016, January). Data Breach QuickView 2015. Retrieved from https://www.riskbasedsecurity.com/2015-data-breach-quickview/
[2] Websense Security Labs. (2015, July 7). Today's Lesson: End Users in the Education Sector Are Twice as Likely to Visit Malicious Sites. Retrieved from Websense: http://community.websense.com/blogs/securitylabs/archive/2015/07/07/the-company-you-keep-matters.aspx
[3] Warfield, B. (2015, March 3). Malware Attack Cripples Cloquet Schools' Network. Retrieved from wdio.com: http://www.wdio.com/news/cloquet-schools-closed-virus-malware-computer-attack/4077895/
Page | 1
1. THE CURRENT STATE OF NETWORK SECURITY
We continue the work of last year's Howest interns. They built the complete network infrastructure for Mountains of the Moon University's Saaka campus from scratch. In addition to the network infrastructure they also installed a new server rack made up of 6 servers. These servers host a complete VMware vSphere environment, which in turn hosts multiple Windows and Linux servers. Each system has different potential vulnerabilities, so in order to assess the potential threats we face, we need to know which systems we are working with.
1.1. OVERVIEW OF THE INFRASTRUCTURE
In order to assess the potential risks the infrastructure can encounter we need a
comprehensive overview of the infrastructure.
1.1.1. THE NETWORK
The backbone of the network in the business campus is the Layer 3 switch located in the server room. This is a Cisco 3560-X switch, and it connects all the network-connected equipment together. As a managed switch it enables the configuration of, and routing between, Virtual LANs (VLANs), a virtual separation of networks. When configured correctly this can be an essential security feature: traffic between VLANs has to pass the switch, where it can be filtered. In the case of our network, multiple VLANs were implemented for easy management, but no additional security features were implemented.
To connect the desktop computers in the computer lab, the computers in the library and the access points to the network, Layer 2 switches are connected to the Layer 3 switch. These Layer 2 switches are unmanaged switches, which means there isn't much to configure in terms of security on them.
To provide wireless access to the network, wireless access points are used. These are
connected to a wireless controller. The wireless controller is a Cisco 5500 wireless
controller. The wireless controller provides the ability to broadcast multiple wireless
networks through the same access point. In our case, each wireless network is connected
to a VLAN. VLANs can provide security features, as discussed before.
The wireless controller had a separate student network, but it was disabled. Instead the students were connected to the staff network. This network was protected with a PSK, which means it is protected with just a single password, and that password was happily shared with everybody. The admin network is protected with WPA2-Enterprise, which is a good way to protect a network since every user authenticates with their own credentials.
1.1.2. THE SERVERS
The server rack is made up of 6 HP servers. Every server runs an ESXi installation. These ESXi servers are managed by a vCenter Server installation. This vSphere environment hosts the multiple virtual machines that make up the school network infrastructure. This kind of setup is common in schools and businesses, either in a virtual environment or as physical servers.
A Windows server called DC1 acts as the domain controller. The domain controller is responsible for authenticating and managing permissions for users and machines within the domain. The domain controller uses Active Directory, which contains all the users and machines and their respective rights and groups. This server provides the authentication for a lot of other services within the network, so it is a vital part of the network. For safety there is a second domain controller, DC2, that acts as a backup domain controller. The AD on this server is in read-only mode. When data gets modified on DC1, the changes are pushed to DC2. When DC1 fails, DC2 automatically takes over. DC1 also acts as a DNS server and a DHCP server, and DC2 also acts as a backup DNS and DHCP server.
A pfSense installation is responsible for routing the LAN and WAN traffic. pfSense is a free and open-source router and firewall distribution based on FreeBSD. It has various extra features, but on our installation it is just used as a router and a firewall. A firewall is an essential first line of defense within a network, and it is completely configurable with rules. Our pfSense installation had nothing but the default rules configured. By default it drops all incoming connections at the WAN interface and allows all traffic at the LAN interface. This is fine to stop some external threats, but a lot more can be done with it.
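To make concrete what "a lot more can be done" with the firewall rules means, here is an added example that is not part of the thesis and not the university's pfSense configuration: a small rule evaluator in Python that mirrors how pfSense processes rules on an interface (top to bottom, first match wins, unmatched traffic dropped). The VLAN ranges, hosts and rule set are constructed assumptions. It runs the same sample flows against the default "allow LAN to any" rule and against a tightened LAN policy, and shows that placing the block for the management range before the general web-browsing rules is what keeps a student desktop away from the ESXi and vCenter hosts.

```python
"""Added example (not the thesis author's or MMU's configuration): first-match
firewall evaluation in the style of pfSense.  All ranges are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    note: str = ""


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) of the first rule that matches the flow.
    As in pfSense, a flow that matches no rule at all is blocked."""
    for r in rules:
        if (_in_net(r.src, src) and _in_net(r.dst, dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, r.note
    return "block", "implicit default deny"


# Constructed addressing plan (assumption, not the Saaka campus plan).
STUDENT_NET = "10.10.20.0/24"   # students / library desktops
SERVER_NET = "10.10.30.0/24"    # DC1, DC2, file server
MGMT_NET = "10.10.40.0/24"      # ESXi hosts and vCenter
ADMIN_NET = "10.10.50.0/24"     # IT staff

# What the thesis found on the LAN interface: the default rule passes everything.
DEFAULT_LAN = [Rule("pass", "any", "any", "any", None, "default allow LAN to any")]

# A tightened LAN policy.  First match wins, so the order of the rules matters.
HARDENED_LAN = [
    Rule("pass", ADMIN_NET, "any", "any", None, "admin VLAN may reach everything"),
    Rule("block", "any", MGMT_NET, "any", None, "nobody else reaches ESXi/vCenter"),
    Rule("pass", "any", SERVER_NET, "udp", 53, "DNS on DC1/DC2"),
    Rule("pass", "any", SERVER_NET, "tcp", 445, "SMB to the file server"),
    Rule("block", "any", SERVER_NET, "any", None, "no other traffic to the servers"),
    Rule("pass", "any", "any", "tcp", 80, "web browsing"),
    Rule("pass", "any", "any", "tcp", 443, "web browsing"),
    # anything else (RDP to servers, odd outbound ports) falls through to the implicit deny
]

# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.20.15", "10.10.40.2", "tcp", 443),     # student desktop -> vCenter web client
    ("10.10.20.15", "10.10.30.1", "udp", 53),      # student desktop -> DNS on DC1
    ("10.10.20.15", "10.10.30.1", "tcp", 3389),    # student desktop -> RDP on DC1
    ("10.10.20.15", "198.51.100.7", "tcp", 6667),  # student desktop -> internet, non-web port
    ("10.10.50.3", "10.10.40.2", "tcp", 443),      # admin laptop -> vCenter
]


def compare_policies(flows=SAMPLE_FLOWS):
    """Map each flow to (default action, hardened action) so the difference is visible."""
    return {f: (evaluate(DEFAULT_LAN, *f)[0], evaluate(HARDENED_LAN, *f)[0]) for f in flows}


if __name__ == "__main__":
    for flow, (before, after) in compare_policies().items():
        print(f"{flow[0]:>13} -> {flow[1]:>13} {flow[2]}/{flow[3]:<5} default={before:5} hardened={after}")
```

Running the block prints one line per sample flow; under the default policy every flow passes, while the hardened policy only lets the student desktop do DNS, SMB and web browsing. Swapping the order of the "block MGMT_NET" rule and the "pass tcp/443" rule would silently reopen vCenter to the students, which is the kind of mistake a rule evaluator like this catches before the change goes live.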
File storage within the network is handled by two Windows servers. One Windows server runs a Windows file server, mainly for personal file storage for users on the network. The other Windows server runs an FTP server. The file server is used inside the network only. Currently the FTP server is also only used on the internal network, but in the future it should be accessible from the internet too. No security measures were taken on these two servers, and there was no DMZ configured on the network to accommodate the external access to the FTP server.
1.1.3. OTHER HARDWARE
Aside from the network equipment and the servers there is another important part of the network that can pose serious security risks: the clients. There are about 60 desktop computers in the library and the computer lab, all running Windows 7. The computers in the library are used freely by students without guidance or supervision; the ones in the computer lab are only used by students during classes. There is no thorough security present on these computers, and they showed the most visible signs of the lack of security on the network: they used to freeze, files got corrupted, flash disks got infected and files got tampered with. But aside from these obvious signs, other malicious software, like spyware, might be running without showing any obvious signs at all.
In response to these malware threats the IT team has implemented Deep Freeze on these desktops. Aside from some policies, this was the only solution against malware on the desktop computers. Deep Freeze is a utility that restores computers to a predefined state, so when a computer gets infected it can be restored to a previous state. This is a good way to protect computers when you don't want to restrict students during labs, for example. But Deep Freeze falls short as an anti-malware solution. Usually the system only gets restored at the end of the day, which leaves the users of that computer vulnerable if it gets infected during the day. There is also malware that can persist in the BIOS of a system or in firmware, and that won't be gone after a Deep Freeze restore.
Some malware, like worms, might also spread through the network at short notice. These worms can spread to devices on the network that aren't configured with Deep Freeze.
Lastly, another category of devices that can potentially pose a threat to the network are the staff's and students' own devices. The concept of BYOD is known to give headaches to network and system administrators, because you have no control over the software running on these devices. In our case, most of the staff have their own laptops and Android phones connected to the network. The students usually don't have their own laptops, but most do have Android phones connected to the network. There were no policies in place to manage these devices.
1.2. OVERVIEW OF THE CURRENT SECURITY
Currently there aren't a lot of security measures implemented, as security wasn't part of last year's interns' assignment. The pfSense firewall has no additional rules defined, so students are able to surf and connect to any external server. While the network is segmented into different VLANs, no additional security measures were taken to benefit from the VLAN features; the VLANs are currently only used for easy management.
Nowhere on the servers or the clients is an antivirus installed. The clients in the library and the computer lab all have Deep Freeze installed. As discussed earlier, it does not provide full protection. It makes the clients act like a sandbox, as all changes are undone after a reset, but the clients are not isolated: they are all connected to the same network and to the domain controller, so malware is still able to propagate through the network. Deep Freeze is a good way of keeping the clients clean, but it is insufficient as the only countermeasure against malware.
Another countermeasure taken by the administrators was implementing group policies. These can be used to restrict user actions within the domain on the desktop computers. The policies currently implemented are a software restriction policy to prevent the installation of software and a policy to prevent AutoRun execution. These policies provide a simple defense against some malware.
1.3. POSSIBLE THREATS
The previous sections gave an overview of everything that makes up our network. In order to secure these systems we need to know which potential threats we can face. The main focus of this paper is securing against malware. But when you want to implement thorough security against malware, you will find that you first need to implement good general security on the network. For example, when a user with an infected device has restricted access to important networks, there is less chance that this user can infect important devices. So implementing good general security will be the first step to secure our network.
A good guideline to tackle security is the CIA triad. CIA stands for Confidentiality, Integrity
and Availability. This is the heart of information security. When looking at potential risks a
system can face, it is a good idea to keep the CIA triad in mind.
1.3.1. THE NETWORK AND HARDWARE
First of all it is important the hardware is secured physically. Exposed networking devices
like switches can pose potential threats like unauthorized access. When you have physical
access to a switch you are able to reset it and alter the configuration. The same goes for
access to machines with elevated rights, like management PCs or the laptops of
administrators. Access to these machines could provide access to important systems like
servers and switches. And it could either intentionally or unintentionally damage these
systems. Damage could be done unintentionally through malware on a memory stick for
example.
The network itself can be a threat to security in terms of spreading infections between systems. The network also provides access to the internet through the router, and the internet is a major source of threats. Young students, or students that aren't very familiar with the internet, of whom there are many at the universities here in Uganda, are more likely to access unsafe sites, download malicious software or expose devices to malware. So providing unrestricted access to the internet in a school environment is not a good idea.
Aside from restricting access to certain sites, it’s also important to only allow users access
to the networks they really need access to. For example, students don’t need access to the
management network. By not restricting this access, important systems, like ESXI servers
or management servers, are left vulnerable to unauthorized access or malware. A system
cannot infect another system it cannot reach.
An even bigger threat than the internal users may be external users, users that shouldn't be on your network in the first place. Certainly in Uganda, where having access to the internet isn't very common, people might go to great lengths to get access to the network. As this could be anyone, it's hard to know what this person's intentions are. As Wi-Fi signals are not contained within the school's borders, securing the wireless network is important. The use of pre-shared keys in a school environment is often ineffective, since students have nothing to lose by sharing them.
1.3.2. THE SERVERS
In our case, most servers run virtualized in a vSphere environment. Access to these virtual servers is centralized through the vCenter server, but the virtual servers can also be accessed through their respective ESXi server. Failing to secure access to the vCenter server or the ESXi servers can compromise the integrity of all these virtual servers.
While the vSphere software itself is very well secured, the systems can be left vulnerable due to misconfiguration. The lack of strong passwords, or worse, using the default passwords for the root and administrator accounts, leaves the system unprotected against unauthorized access or malicious software. Just like any system, new vulnerabilities are found from time to time. By not updating the vSphere services you leave your systems open for attackers and malicious software to exploit any new vulnerabilities.
1.3.3. WINDOWS VIRTUAL MACHINES
In our case, a lot of important systems are running on Windows Server 2012. Just like Windows for client computers, Windows Server struggles with a wide array of vulnerabilities. Linux suffers from vulnerabilities as well, but misconfiguration can potentially be an even bigger problem.
In our case, Windows Server is used as a domain controller, a DNS server, a DHCP server, a file server and an FTP server. Aside from all the different kinds of malware Windows can face, which I will cover later, there are threats that target specific kinds of servers. Skeleton Key, for example, infects the domain controller and enables the attacker to bypass authentication within the domain. This means that services relying on the infected domain controller's Active Directory could get compromised too.
This is just a single example of which there are many. Malware like this can seriously cripple a school or a business network. Some IT staff might be hesitant to install anti-malware software on servers like a domain controller, because anti-malware software might influence the stability or the performance of the operating system. If there is no anti-malware software installed, good security practices might reduce the chance of an infection. But in both cases a system is never 100% safe; there is always a chance of infection despite the security measures taken. Without periodic scans, which will be covered later on, a system might host malware without anyone noticing.
1.3.4. LINUX VIRTUAL MACHINES
A common misconception is that Linux machines are less vulnerable than their Windows counterparts. It is true that there is less malware for Linux systems. This is due to the use of signed packages in its repositories, its fast updates and malware's usual lack of root access. But these systems often do suffer from vulnerabilities due to misconfiguration, the lack of hardening, the lack of maintenance or outdated third-party applications [4].
Misconfiguration of Linux systems often occurs when a system administrator is not very familiar with Linux or is more Windows-minded. While Linux systems are very flexible, evident security measures might not always come right out of the box. A common misconfiguration is the user rights on folders and files. For example, when installing a web server, the rights on some folders might be changed to a less secure setting to allow the software access. But these rights could allow any user that has access to the server to read, write and execute the files in that folder.
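The folder-rights mistake described above is easy to introduce with a quick `chmod 777` and easy to miss afterwards. The following added example (not from the thesis, and not a tool the university used) is a small Python audit that walks a directory tree and reports every file or folder that any local user can write to, plus setuid/setgid binaries, and then removes the world-writable bit. The demo web root it builds under a temporary directory, with its file names and contents, is constructed for illustration.

```python
"""Added example (not from the thesis): find and fix world-writable paths, the kind of
permission misconfiguration described above.  The demo tree is constructed."""
import os
import stat
import tempfile
from typing import List, Tuple


def find_risky_paths(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative path, reason) pairs for entries that are
    world-writable (sticky directories excepted, as with /tmp) or setuid/setgid binaries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # the link target is judged when the walk reaches it
            rel = os.path.relpath(full, root)
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def fix_world_writable(root: str) -> int:
    """Clear the world-writable bit on every flagged path; returns how many were changed."""
    changed = 0
    for rel, reason in find_risky_paths(root):
        if reason == "world-writable":
            full = os.path.join(root, rel)
            os.chmod(full, stat.S_IMODE(os.lstat(full).st_mode) & ~stat.S_IWOTH)
            changed += 1
    return changed


def build_demo_webroot() -> str:
    """Create a constructed web root showing the 'chmod 777 until it works' mistake."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "config", "db.php"), "w") as f:
        f.write("<?php $password = 'placeholder'; ?>\n")
    os.chmod(os.path.join(root, "config"), 0o755)             # fine: others may only traverse
    os.chmod(os.path.join(root, "index.php"), 0o644)          # fine: owner writes, others read
    os.chmod(os.path.join(root, "uploads"), 0o777)            # bad: anyone may drop files here
    os.chmod(os.path.join(root, "config", "db.php"), 0o666)   # bad: anyone may rewrite credentials
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for path, reason in find_risky_paths(demo):
        print(f"{reason:15} {path}")
    print(f"fixed {fix_world_writable(demo)} path(s); remaining: {find_risky_paths(demo)}")
```

On a real server you would point `find_risky_paths` at the web root or at `/etc` and review the list before fixing anything, since a directory that a service genuinely needs to write to should be made group-writable for that service's group rather than left open to every user.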
But even worse is an outdated system. Not periodically updating the Linux OS or the applications running on it leaves the system vulnerable to inevitable exploits. Servers running network-facing software like Apache, PHP or MySQL are certainly more prone to exploits when these applications aren't updated. Some of these exploits might grant elevated access not just to that specific application but also to the OS or other applications [5].
[4] Beaver, K. (2009, February 1). Five common Linux security vulnerabilities you may be overlooking. Retrieved from searchenterpriselinux.techtarget.com: http://searchenterpriselinux.techtarget.com/tip/Five-common-Linux-security-vulnerabilities-you-may-be-overlooking
[5] Gite, V. (2009, October 30). 20 Linux Server Hardening Security Tips. Retrieved from cyberciti.biz: http://www.cyberciti.biz/tips/linux-security.html
1.3.5. MALWARE ON WINDOWS
Malware on Windows is a big topic to cover. Malware comes in a lot of kinds and flavors.
Each kind of malware behaves differently, spreads in a different way and can harm in a
different way. So it doesn’t hurt to cover each kind of malware if you want to detect and
combat malware.
Virus
The most famous kind of malware. The term virus is often used as a broad term to describe malicious software instead of the correct term, malware. But technically a virus is defined as a piece of malware that relies on executable code to infect a computer. A virus can hide in seemingly innocent software and can infect other programs and files on the infected machine. A virus spreads to other machines through unknowing users executing copies of infected software. The goal of a virus is usually to disable computer functions or to destroy data. The presence of a virus can be noticed by the system being slowed down, system functions not working properly or data getting corrupted.
Macro virus
A macro virus is similar to a regular virus but instead of hiding in executables, it hides in
data files like Word documents or PDFs. A macro virus relies on the macro language
programming functionalities within certain text editors. This macro code gets executed
when the file gets opened. These infected files are often shared through email
attachments. Due to security improvements in Microsoft Office, like blocking macros by
default, macro viruses aren’t as prevalent anymore as they once were. But there are still
some macro viruses in the wild, which use different techniques now [6].
Computer worm
A worm is similar to a virus but instead of attaching to other programs, it is a standalone
piece of malware. Usually a worm’s main goal is not to disrupt a single client but rather to
infect as many clients as possible. A worm does not rely on human interaction to propagate
but it uses a network to spread. Email, for example, is often used to spread worms.
Some worms may carry a payload. A payload is an action by malware other than the act of
spreading itself. The payload of a worm can be similar to a virus, but usually it isn’t as
destructive, as it might hinder the ability to spread. A common payload is to install a
backdoor on the infected client to allow the author to control that client, which could be
used to create a botnet. As worms rely on a network to spread, they can potentially be
very dangerous to a school network if there is no proper security in place. Even when a
worm does not carry a payload it can still cause a lot of traffic and potentially cripple the
internal network.
Trojan horse
Similar to a virus, a Trojan horse requires executable code to infect a computer. A Trojan
infects a computer by disguising itself as genuine and useful software. It differs from a virus
in that it generally doesn’t attempt to infect other files on the system. The purpose of a
Trojan horse can be anything. It can destroy or tamper with data, disable system functions,
steal data, spy, ransom or spread malware on the network. Trojans can propagate through
email attachments or more often through shady download sites.
[6] Szappanos, G. (2014, July 02). VBA is not dead! Retrieved from www.virusbulletin.com:
https://www.virusbulletin.com/virusbulletin/2014/07/vba-not-dead
Spyware
Spyware is software that collects information of the user without the user’s knowledge or
consent. Spyware can come as a payload of the malware described above. But spyware can
also be bundled with genuine software. Some free software uses bundled spyware as a
way of income by mining the user’s data. As websites, and social media in particular, often
use the same tactic to make money, this practice is getting more common. But as a school
or a company you don’t want to share too much information. So it is good to be informed
about what software and sites are allowed to be used within the school environment.
Some spyware that is shipped with genuine software can sometimes not be flagged as
malicious by some antivirus software.
The information spyware can gather depends on the spyware. Most malicious spyware is
hard to detect as it tries to survive as long as possible. This malicious spyware can gather
private information through different means. Often a keylogger is used, this can gather
secret information like banking information or passwords by sending the keystrokes to the
spyware’s author. Some keyloggers can even send screenshots.
Some spyware can degrade the performance of the infected system or can cause
unwanted traffic on the network. While spyware often doesn’t cause any nuisance, it is
very unwanted within a school or company network and it should be seen as a serious
threat. And it should be clear that some spyware can only be detected through good
malware removal software.
Adware
Adware is a form of spyware that often displays unwanted advertisement. Adware can also
redirect web traffic or replace advertisement on websites. A computer can get infected by
adware through genuine free software or as a payload of the malware described above.
Usually it is quite obvious when a computer is infected by adware. Aside from being a
nuisance, adware can also seriously degrade a computer’s performance. Some genuine
companies exist by only providing adware. Zango for example, became a large company by
just spreading their adware.
Backdoor
While not malware itself, a backdoor can be the result of malware. A backdoor is a way to
gain remote access to a machine without authentication. A backdoor can be installed by
malware, but it can also be the result of misconfiguration, like the use of the default
password on a system for example. Some backdoors are provided by manufacturers, like
backdoors that allow resetting the password. Backdoors can cause increased traffic, as the
infected client can be used as a zombie computer or used to send spam. If the infected
machine is used to send spam through the corporate email, it might lead to the mail server
being blacklisted by other mail providers.
Rootkit
A rootkit is a collection of software that can be installed by other malware or by an
attacker exploiting vulnerabilities in a system. The attacker might also have obtained
credentials through spyware or phishing and use that to gain access to deploy the rootkit.
The goal of the rootkit is to maintain privileged access while staying undetected by
anti-malware software. A rootkit manages to stay undetected by using the lower layers of
the operating system. Unlike normal malware that runs on top of the operating system, a
rootkit behaves more like a driver. This makes detection and removal by common
anti-malware software very difficult. A rootkit can use a whole arsenal of tricks to stay
undetected. Rootkits are notorious for being very difficult to completely remove from a
system.
2. DETECTING AN INFECTION
Even when a network has good security and the clients are provided with decent
anti-malware software, it is never 100% safe. Some security aspects might have been
overlooked while securing a network. This could lead to unknown vulnerabilities in the
network. And an antivirus isn’t completely foolproof. Some antiviruses might lack certain
definitions or don’t consider some malware as a threat. New vulnerabilities in software are
always found, and it can take time before these are fixed, leaving the software vulnerable.
Malware infections or attacks by a person are always possible. The consequences of an
infection or an attack aren’t always obvious. That’s why it is important to regularly scan
systems with malware scanning and removal software. Most antivirus software provides
this functionality. But if an antivirus allowed a system to get infected, there’s a chance it
won’t be able to find the infection by scanning it.
There is a lot of malware scanning and removal software on the market. Some of these
products are for free. Some products provide detection for all kinds of malware and some
are specialized for specific threats. This specialized software might be better to deal with a
grave situation, like a stubborn rootkit for example.
2.1. COMMERCIAL SOFTWARE
The following table shows the results of a comparison of commercial malware removal
software conducted by av-test.org.
Figure 1. Results of a malware removal software comparison performed in 2014. Source: www.av-test.org
According to the article [7] these software packages have been thoroughly tested over a
period of 10 months. The test shows that most of this software is competent in removing
malware and cleaning up the threats. Two of the free solutions seem to be lacking. Avira
fails to detect a threat and so does Microsoft Security Essentials. The latter seems to do a
bad job at cleaning up the malware components too.
[7] Selinger, M. (2014, July 29). 17 software packages in a repair performance test after malware
attacks. Retrieved from av-test.org: https://www.av-test.org/en/news/news-single-view/17-software-packages-in-a-repair-performance-test-after-malware-attacks/
A more recent test from av-test.org shows similar results:
Figure 2. Results of a malware removal software comparison performed in 2015. Source: www.av-test.org
Unfortunately this test does not include Malwarebytes Anti-malware, which was the best
solution according the 2014 test. But it does show that Avira has made improvements.
Av-comparatives.org is another website that does antivirus comparison tests. They also
have a relatively recent test on malware removal tools:
Product name   Removal   Malware components   Some traces   Complete   Number of
               failed    remaining            remaining     removal    malware samples
Avast          1         2                    5             27         35
AVG            1         2                    7             25         35
Avira          2         1                    7             25         35
Bitdefender    2         1                    4             28         35
BullGuard      2         1                    17            15         35
Emsisoft       4         2                    9             20         35
eScan          1         2                    12            20         35
ESET           2         1                    10            22         35
F-Secure       3         1                    11            20         35
Fortinet       6         2                    6             21         35
Kaspersky      1         1                    0             33         35
Lavasoft       4         1                    7             23         35
Microsoft      3         2                    5             25         35
Panda          1         3                    11            20         35
Sophos         6         1                    10            18         35
ThreatTrack    2         3                    11            14         35
Table 1. Source: http://www.av-comparatives.org/wp-content/uploads/2015/10/avc_rem_2015_en.pdf
Based on these test results, the best paid solutions seem to be either Kaspersky or
Bitdefender. But the focus of this paper is to find a cost effective solution. As there are
enough competent free solutions, the paid software will not be considered. The free
solutions will be covered in more detail.
Malwarebytes Anti-malware
Malwarebytes Anti-malware is often recommended by IT sites and IT magazines. The
community also often praises it as one of the best malware removal software solutions
around. The software shows very favorable results in the 2014 av-test.org tests.
Unfortunately Malwarebytes’ software does not feature in any of the more recent tests.
The on-demand scanning and removal component is completely free and does not differ
from the paid product. The only difference with the paid product is that the paid version
offers real-time protection. This makes Malwarebytes anti-malware a solid choice as a
malware removal tool.
AVG Antivirus Free
Next to its free real-time scanning component, it also offers competent free malware
scanning and removal software. It shows good results in the above comparisons.
According to av-comparatives’ false alarm test [8], it does suffer from quite some false
positives. But according to another test [9] by the same website it scores very well on
performance tests. A low impact can be important when you plan to run this software on
critical systems.
Avast Free Antivirus
Avast is, according to opswat.com, the most used antivirus on the market [10] and according
to the av-comparatives test also a very good choice to use as a malware removal tool. The
av-comparatives performance test also shows very good results, with Avast being just
behind Avira at the top. But it performs as the worst antivirus software in the false
positives test. It has 17 false positives, while Avira has 9. A popular paid counterpart like
Kaspersky only has 3. This false positive rate shows that the software might be not very
reliable. As false positives could lead to data loss or system unavailability it is an important
factor to keep in mind. Certainly on critical systems within a network.
Avira Free Antivirus
Avira performs quite similar to AVG. It scores a bit better on the false alarm test and it has
the best result on av-comparatives’ performance test.
In conclusion: All of the free software mentioned above is sufficient to use as malware
detection and removal software. It is mainly a trade-off between the performance and the
amount of false positives.
[8] av-comparatives. (2016, March). False-Alarm-Test March 2016. Retrieved from www.av-comparatives.org:
http://www.av-comparatives.org/wp-content/uploads/2016/04/avc_fps_201603_en.pdf
[9] av-comparatives. (2015, October). Performance Tests. Retrieved from www.av-comparatives.org:
http://www.av-comparatives.org/wp-content/uploads/2015/11/avc_per_201510_en.pdf
[10] OPSWAT. (2015, August). Anti-malware Vendor Market Share. Retrieved from www.opswat.com:
https://www.opswat.com/resources/reports/anti-malware-market-share-security-august-2015#anti-malware-vendor-market-share
2.2. OTHER SOFTWARE
Next to the popular commercial programs discussed before, there are some less
conventional malware detection programs around. These tools might be useful when the
commercial software fails.
Conventional anti-malware software scans the computer and compares the files and
processes with a database containing the signatures of malicious files. This method can be
lacking. When a computer gets infected with new malware that is not consistent with
previously known threats, the database of the antivirus will not contain the signature of
this malware, and it won’t be able to detect it as a threat. Some malware even blocks the
internet connection, which prevents the antivirus from updating its database. The following
software uses different methods to detect threats.
Spybot - Search & Destroy
Spybot - Search & Destroy is a community favorite. The free version can detect and remove
malware and repair the system if need be. It does not focus on the functions of a
traditional antivirus, as it was originally not intended to replace an antivirus. But now there
is a paid version which delivers a complete antivirus. The free version of Spybot-S&D
focuses on just detection and removal of Spyware and adware. It’s often used as a second
opinion after scanning with Malwarebytes.
ClamWin Free Antivirus
ClamWin is a free and open source virus and spyware scanner. It works like a traditional
antivirus as it detects threats through definitions. ClamWin uses the definition database of
ClamAV, which will be discussed in chapter 3, so it might not be very effective to use when
the network is already protected by ClamAV. This is one of the few free solutions that
natively supports Windows Server.
HitmanPro
HitmanPro provides free malware detection for all kinds of threats. The paid version also
offers removal and repair functions. HitmanPro analyzes suspicious files on its own servers
instead of analyzing it on the computer itself, this minimizes the performance impact. Next
to relying on malware definitions like conventional antivirus software, HitmanPro actively
looks for suspicious behavior to detect threats that are not defined in the databases.
HitmanPro is good software to use as a second option after scanning with conventional
antivirus software.
HijackThis
HijackThis is a free and open-source tool. This tool is mostly used to detect spyware and
adware. It is effective in detecting browser hijackers. The tool scans configurations, the
registry and the most common locations of malware, and it produces a log file. The result
shows both legitimate and unwanted files. It is up to the user to determine whether the
detected items pose a threat or not. There are tools to analyze the log file, but these are
not recommended, as the detected items can possibly be critical files of the operating
system. This tool should only be used as a last resort, or you should really know what you
are doing.
GMER
GMER rootkit detector and remover works in a similar way to HijackThis: it scans for
potential rootkits based on common locations and behavior and generates a log file. Just
like HijackThis the log needs to be analyzed to determine whether the result is a threat or
not. Removing entries that are not actual threats can potentially damage the system. Avast
Antivirus uses GMER to combat rootkits.
AdwCleaner
AdwCleaner is a free and lightweight utility that is used to remove adware, toolbars and
hijackers.
TDSSKiller - Rootkit Removal
TDSSKiller is a free and lightweight utility provided by Kaspersky. It is able to detect and
remove rootkits in under a minute. The tool is useful when a rootkit impedes the ability to
run conventional antivirus software.
2.3. THE FOLLOW UP
When you detect a system is infected, you have to consider whether it is actually useful to
try to remove the threat with malware removal software. As the tests have pointed out,
there’s always a chance harmful components will be left behind on the system. Some
malware, like adware for example, is often easy to remove. But some malware, like
rootkits, is almost impossible to remove. This means it would be necessary to reinstall the
system. Smart partitioning, like keeping the OS and user data separated, minimizes data
loss.
Reinstalling the system might be a viable solution for home users, but in a school or
company environment it is not desirable. Certainly when it is a critical system like the
domain controller or a file server. That’s where backups come in; they are perhaps one of
the best solutions to recover from a grave malware infection. With a good backup policy, recovery
can be fast and data loss can be minimized. It is important that malware is not able to
affect the backup data.
An efficient backup rotation scheme is also important. A backup every month can lead to a
lot of data loss. Just retaining one backup of the day before can be inefficient, as it could
take multiple days before the infection is detected, making the backup useless. Keeping too
many backups can take up too much space. A good balance is key, and it’s useful to make it
work together with a malware scanning policy.
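To make the rotation trade-off concrete, the following Python model (an added example, not part of this thesis) simulates a grandfather-father-son retention scheme and checks whether a clean backup still exists when an infection is only noticed days later. The retention counts (7 daily, 4 weekly, 3 monthly) and the scenario dates are constructed assumptions.

```python
"""Backup-rotation model for the trade-off described above.
Added example, not from the thesis; the retention counts and the
scenario dates are constructed assumptions."""
from datetime import date, timedelta


def retained_backups(today, daily=7, weekly=4, monthly=3):
    """Grandfather-father-son style retention (assumed scheme).

    Keeps the last `daily` daily backups, the last `weekly` Sunday backups
    and the backups of the 1st of the last `monthly` months.
    Returns the sorted list of backup dates still on disk."""
    keep = set()
    for i in range(daily):
        keep.add(today - timedelta(days=i))
    sunday = today
    while sunday.weekday() != 6:          # walk back to the most recent Sunday
        sunday -= timedelta(days=1)
    for i in range(weekly):
        keep.add(sunday - timedelta(weeks=i))
    year, month = today.year, today.month
    for _ in range(monthly):              # 1st of this month and the ones before
        keep.add(date(year, month, 1))
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return sorted(keep)


def newest_clean_backup(backups, infected_on):
    """Newest backup taken strictly before the infection, or None.
    A backup made on the infection day itself is treated as suspect."""
    clean = [b for b in backups if b < infected_on]
    return max(clean) if clean else None


def scenario(infected_on=date(2016, 5, 10), detected_on=date(2016, 5, 16)):
    """Constructed scenario: the infection is only noticed six days later.
    Compares 'keep only yesterday's backup' with the GFS rotation above."""
    one_day = [detected_on - timedelta(days=1)]
    gfs = retained_backups(detected_on)
    gfs_clean = newest_clean_backup(gfs, infected_on)
    one_day_clean = newest_clean_backup(one_day, infected_on)
    return {
        "gfs_backups_kept": len(gfs),
        "one_day_policy": one_day_clean.isoformat() if one_day_clean else None,
        "gfs_policy": gfs_clean.isoformat() if gfs_clean else None,
        "gfs_days_lost": (infected_on - gfs_clean).days if gfs_clean else None,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

In the constructed scenario the infection of 10 May is only noticed on 16 May. Keeping only yesterday's backup leaves nothing clean to restore, while the GFS scheme still holds the Sunday backup of 8 May at the cost of two days of data and twelve backup sets on disk. Backups are counted as clean only when taken strictly before the infection date, which is the conservative choice when the exact moment of infection is unknown.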
3. SECURING THE NETWORK ENVIRONMENT
The previous chapter covered how to detect infections and how to deal with them.
Malware attacks can always occur. But implementing thorough security on the network,
servers and clients can minimize the risk. Securing against malware goes further than just
installing antivirus software. An antivirus is never 100% safe. And an antivirus does not
always protect against targeted attacks or unauthorized access.
3.1. EDUCATING THE USERS
Before going into technical details on how to secure a network, it’s useful to cover the
importance of educating users about proper usage of the computers and the internet. This
is for both the students and the staff. Young students lack experience and are more prone
to be subjected to sites that host malicious content. This is the same for older students
that lack computer experience because they don’t have a computer of their own.
It’s very important for the staff to be educated too. The staff usually has more privileges
on the network than the students do. This makes them favorable targets for phishing.
Phishing is getting ever more popular to breach systems. As systems are getting more
secure, manipulating users to get access to the systems is often more successful than
finding and exploiting vulnerabilities. When an attacker gains access through phishing, the
systems are vulnerable for a whole range of attacks.
Clear policies on how students should use school computers should be made. Students
should also be educated on how to protect their own devices against threats, as this could
be an entry point for malware within a network.
3.2. MINIMIZING VULNERABILITIES
Both malware and targeted attacks succeed in breaching systems by exploiting
vulnerabilities. A vulnerability can be misconfigured network equipment, a poorly
configured firewall, an outdated operating system or outdated applications. But the users
can also be a vulnerability. By minimizing the vulnerabilities within a network, the attack
surface gets reduced.
While it’s impossible to eliminate every single vulnerability within a network infrastructure,
it’s still important to have a solid strategy to mitigate as many vulnerabilities as possible.
When new vulnerabilities are found that can potentially affect your systems, like the
recent Heartbleed bug for example, appropriate steps should be taken to minimize the
potential harm the exploit could cause. These steps could be patching the systems or
disabling susceptible functionalities in anticipation of updates.
3.2.1. THE USERS
The users of a network can be a vulnerability. Privileged users like the staff are a
vulnerability as they are a potential target for phishing. Other users can be a vulnerability
as their own devices might not be properly secured against threats. These unsafe devices
could spread infections through the network.
The first problem can be minimized through assigning proper privileges to the users. This is
the least-privilege principle. It means giving a user only those privileges the user needs to
perform its tasks on the network. This minimizes the potential damage that can be
inflicted when a user account gets compromised. Least-privilege also helps to dramatically
reduce the spread of malware [11]. In most cases malware relies on the user privileges to
propagate. By limiting user privileges you can limit the ability for malware to propagate.
3.2.2. LEAST-PRIVILEGE IMPLEMENTATION
A Windows domain allows implementing the least-privilege principle across the domain.
Through active directory, users can be identified and authorized. For easy manageability
users can join groups to which privileges can be assigned. All staff should have their own
accounts. The staff should be divided into groups according to their respective functions.
Teachers, administrative staff, human resources and library personnel all have different
needs, require access to different resources and use different software.
Figure 3. Saaka’s active directory structure with an example of a user account.
In the above image, the left side shows grouping into organizational units. This improves
manageability, it's not for applying privileges. The right side shows the properties of a
single user. It shows that the user is a member of 3 groups. These groups can be used to
apply privileges and restrictions to the group’s members.
Some privileges, restrictions and roles can be applied to users and groups with Group
Policies. Services that use active directory to authenticate users should be properly
configured to give its users the appropriate privileges.
[11] Magalhaes, R. M. (2014, June 11). Improving security through least-privilege practices. Retrieved
from windowsecurity.com: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/improving-security-through-least-privilege-practices.html
When they’re created, domain user accounts have limited permissions by default. The
accounts Windows users have on their personal computers usually run with administrative
rights. The default user accounts used on the domain don’t have that. A lot of malware needs
administrative rights to propagate. Without administrative rights a user cannot install new
software which could potentially be malicious. To give administrative rights to a domain
user account, this user account needs to be a member of the Administration group.
Figure 4.The prompt that shows when a user without administrative rights tries to install a program.
Group policies
Group policies can enforce a whole range of restrictions and rights. When a user needs
more privileges than what the default user account offers, they can be granted through
group policies.
The example in figure 3 is a member of LibraryAdmins. The members of this group should
only have administrative rights on the library computers. It would be easy to just make
them join the Administration group. But in line with the Least-privilege principle, it is better
to use the Restricted Groups group policy. This group policy allows you to grant
administrative rights to groups and users for certain groups or computers. In figure 5, the
members of the LibraryAdmins group will have the privileges of Administrators on the
computers that are a member of the LibraryComputers group.
Figure 5. The implementation of restricted groups for LibraryAdmins
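The following Python model (an added example, not part of this thesis and not Windows code) shows what the Restricted Groups approach changes compared to the shortcut of adding LibraryAdmins to the Administration group: it computes on which computers an account is an administrator, and from that how many machines a compromised account could reach. The accounts, computers and the policy mapping are constructed; the group names follow the example above.

```python
"""Model of who ends up in a computer's local Administrators group when
the Restricted Groups policy from the text is used instead of domain-wide
admin rights.  Added example, not from the thesis and not Windows code;
the accounts, computers and policy mapping below are constructed."""

# Constructed directory data: user -> domain group memberships.
USER_GROUPS = {
    "librarian1": {"Staff", "LibraryStaff", "LibraryAdmins"},
    "teacher1": {"Staff", "Teachers"},
    "itadmin": {"Staff", "Administration"},
    "student1": {"Students"},
}
# Constructed computer objects -> computer group memberships.
COMPUTER_GROUPS = {
    "LIB-PC-01": {"LibraryComputers"},
    "LIB-PC-02": {"LibraryComputers"},
    "STAFF-PC-07": {"StaffComputers"},
    "FILESRV01": {"Servers"},
}
# Restricted Groups GPO, keyed by the computer group it is filtered to:
# members of the listed domain groups become local Administrators there.
RESTRICTED_GROUPS = {"LibraryComputers": {"LibraryAdmins"}}
# Domain groups that are administrators on every machine (the thesis'
# "Administration" group is assumed to play this role).
DOMAIN_WIDE_ADMINS = {"Administration"}


def is_local_admin(user, computer, policy=RESTRICTED_GROUPS,
                   domain_wide=DOMAIN_WIDE_ADMINS):
    """True if `user` is an administrator on `computer` under the policy."""
    groups = USER_GROUPS.get(user, set())
    if groups & domain_wide:
        return True
    for computer_group in COMPUTER_GROUPS.get(computer, set()):
        if groups & policy.get(computer_group, set()):
            return True
    return False


def blast_radius(user, policy=RESTRICTED_GROUPS, domain_wide=DOMAIN_WIDE_ADMINS):
    """How many computers a compromised `user` account could administer:
    a direct measure of how well least privilege is applied."""
    return sum(1 for c in COMPUTER_GROUPS
               if is_local_admin(user, c, policy, domain_wide))


def compare_approaches(user="librarian1"):
    """Restricted Groups versus the 'just add them to Administration' shortcut."""
    shortcut_admins = DOMAIN_WIDE_ADMINS | {"LibraryAdmins"}
    return {
        "restricted_groups": blast_radius(user),
        "administration_shortcut": blast_radius(user, {}, shortcut_admins),
        "all_computers": len(COMPUTER_GROUPS),
    }


if __name__ == "__main__":
    for user in USER_GROUPS:
        admins_on = [c for c in COMPUTER_GROUPS if is_local_admin(user, c)]
        print(f"{user:12} admin on: {admins_on or '-'}")
    print(compare_approaches())
```

With the Restricted Groups policy a phished librarian account reaches only the two library computers; with the shortcut it reaches every machine in the model, including the file server. The difference is exactly the potential damage the least-privilege principle is meant to limit.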
In terms of restrictions through group policies, blocking AutoRun is an essential group policy
to protect against malware. Some malware might use the AutoRun feature to trick users into
executing malicious files. The Conficker worm, for example, used the AutoRun feature to
propagate.
Figure 6. Enabling the “Turn off autoplay” GPO
Services
Some services within the domain use the Active Directory to authenticate the user. The
FTP server is one of them. Correct read, write and execute rights should be configured for
the appropriate groups and users. Administrators have the right to access everything. Staff
can access their own folder, the documentation folder and the student software folder, so
they are able to add software. Students only have read rights on the student software
folder.
Figure 7. An example of the FTP server configuration.
3.2.3. NETWORK SEGMENTATION
The Active Directory can also be used to authenticate users on the network. Together with
a managed layer 3 switch and a wireless controller you can separate the networks.
Network segmentation improves the security and reduces congestion of network traffic. It
improves security by reducing the potential targets of malware that propagates through
the network, like worms for example. But also when a network gets breached, through
social engineering for example, the attacker will have limited access.
Figure 8. A list of WLANs on the wireless controller
The VLANs used for security purposes in Saaka are the staff network, the admin network
and the student network. The routing of these VLANs is done on the layer 3 switch. Access
between these VLANs is limited through the use of access-lists. Access-lists allow IP-based and port-based restrictions between VLANs. Routing between VLANs can also be
done through pfSense. In Saaka this feature was used to route the DMZ traffic. This is done
because the DMZ needs different rules to route to the WAN compared to the other VLANs.
Figure 9. The access-list configuration on the Layer 3 switch that blocks access to management addresses on the
servers VLAN to every other VLAN except for the admin VLAN.
The wireless controller can create a WLAN for every VLAN. Saaka’s configuration can be
seen on figure 8. The computerclass and the library WLAN are mainly for manageability. The
staff and admin VLANs are protected with WPA2-enterprise. WPA2-enterprise uses Active
Directory to authenticate the users. The student network is protected with PSK. This is a
shared password, which is not very secure. Such a network should be treated as a guest
network. Protecting the student network with WPA2-enterprise was not possible as not
every student has their own entry on the AD. It is planned to be implemented in the future.
Next to separating the user VLANs, it’s always good to have a (virtual) network to
accommodate servers that provide services for users outside of the local network. Like the
institution’s website or an FTP server. This network is the DMZ and it requires different
firewall rules than the other VLANS. These servers are also more prone to attacks. If they
wouldn’t be on a different network they could function as a gateway to infect the clients
on the internal network.
Figure 10. The DMZ configuration restricting DMZ traffic to the WAN interface and the internal network. By
default all traffic is denied. The DMZ only has an FTP server, which is accessible to the internal network. SSH and
RDP are only accessible to the admin VLAN.
3.2.4. THE FIREWALL
When students and staff bring their own device, they usually have administrative rights on
their own devices. This makes their devices more susceptible to malware compared to the
managed desktops of the university that use domain user accounts. As you cannot force
these users to install antivirus software and if they are free to surf wherever they like, they
are more likely to propagate malware through the network. A way to minimize this threat
is to educate the users about safe behavior on the internet. Next to this, it can be very
beneficial to block access to certain websites that are known to distribute malicious software.
This is where the firewall configuration comes in.
The default rule of the pfSense firewall is to deny any incoming connections that aren’t
initiated from inside the network. This protects against a range of external threats. By
default, pfSense provides “allow all” rules for outbound connections. It is good practice to
use deny all traffic for outgoing connections as well and only allow traffic that is really
needed. This prevents the propagation of malware through services that aren’t used, thus
reducing the attack surface.
Figure 11 contains the LAN configuration. By default all incoming connections are blocked.
Ports 80 and 443 are opened to allow web traffic. DNS traffic is only allowed from the
internal network. With this rule, users cannot use external DNS servers. This allows the
administrator to have full control over the DNS traffic. The other DNS rule allows DNS
traffic from the server VLAN to the external network. This way the DNS server can forward
DNS traffic. The other rules allow services like email, ftp traffic and management traffic.
Figure 11. The LAN configuration
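The following Python model (an added example, neither part of this thesis nor pfSense or switch syntax) evaluates both policies described in this chapter with first-match semantics and an implicit deny: the Layer 3 access-list of section 3.2.3, which keeps SSH and RDP on the server VLAN reachable from the admin VLAN only, and the LAN rules of figure 11. The VLAN subnets and addresses are constructed assumptions. It also adds a check for shadowed rules, which goes beyond the text: a rule placed after a broader one can never fire, a common cause of an access-list that looks right but does nothing.

```python
"""First-match packet-filter model covering the two policies described in
the text: the Layer 3 access-list for the server VLAN and the pfSense LAN
rules with a default deny.  Added example, not from the thesis and not
pfSense or switch syntax; subnets and addresses are constructed."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
ADMIN_VLAN = ip_network("10.0.10.0/24")
SERVER_VLAN = ip_network("10.0.40.0/24")
INTERNAL = ip_network("10.0.0.0/16")        # all internal VLANs together
DNS_SERVER = ip_network("10.0.40.53/32")    # the internal DNS server


class Rule:
    def __init__(self, action, src, dst, proto="any", dport=None):
        self.action, self.src, self.dst = action, src, dst
        self.proto, self.dport = proto, dport

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def packet(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def evaluate(rules, pkt):
    """First matching rule decides; no match means deny (implicit deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule covers
    them: the classic ordering mistake in access-lists."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Layer 3 access-list: the admin VLAN reaches everything on the servers;
# everyone else is refused on SSH and RDP there but keeps normal access.
L3_ACL = [
    Rule("allow", ADMIN_VLAN, SERVER_VLAN),
    Rule("deny", ANY, SERVER_VLAN, "tcp", 22),
    Rule("deny", ANY, SERVER_VLAN, "tcp", 3389),
    Rule("allow", ANY, ANY),
]

# pfSense LAN policy: web out, DNS only to the internal resolver, which in
# turn may forward to the outside; everything else hits the implicit deny.
LAN_RULES = [
    Rule("allow", INTERNAL, ANY, "tcp", 80),
    Rule("allow", INTERNAL, ANY, "tcp", 443),
    Rule("allow", INTERNAL, DNS_SERVER, "udp", 53),
    Rule("allow", SERVER_VLAN, ANY, "udp", 53),
]

# A mis-ordered variant: the catch-all sits first and shadows both denies.
MISORDERED_ACL = [L3_ACL[3]] + L3_ACL[:3]

if __name__ == "__main__":
    for name, rules in (("L3_ACL", L3_ACL), ("MISORDERED_ACL", MISORDERED_ACL)):
        print(name, "shadowed rules:", shadowed_rules(rules))
```

A student client can still reach the FTP service on the server VLAN but not SSH, a staff client cannot use an external DNS server, and only the DNS server itself may forward to the outside. The shadowing check reports every rule of the mis-ordered variant after the catch-all as dead.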
As said before, it can be beneficial to block unsafe websites. Blocking websites can be done
for free through a pfSense package called SquidGuard. With SquidGuard you can use
predefined lists like Shallalist, URLBlacklist or the Toulouse university blacklist. These offer
big lists of sites that contain unsafe or indecent content. These blacklists come in
categories, so you can fine-tune which categories to allow or to deny. URLBlacklist’s
blacklist is currently the most complete list and still gets updated regularly.
Figure 12. Example of a blocked site.
SquidGuard also allows you to define your own filters to whitelist sites that are blocked by
the predefined blacklist. And you can also add extra blacklist entries.
Figure 13. The part of the SquidGuard GUI to add new entries.
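The following Python example (added here, not part of this thesis and not SquidGuard's own code) shows the decision logic of such a category-based filter: predefined lists per category, own extra entries, and an own whitelist that overrides the lists. The categories, domains and the per-category policy are constructed. Matching is done per domain label, so an entry blocks all of its subdomains without catching unrelated names that merely end in the same text.

```python
"""Category-based URL filter in the spirit of SquidGuard's blacklists,
with an own whitelist that overrides the predefined lists and own extra
blacklist entries.  Added example, not from the thesis and not SquidGuard
code; the categories, domains and the policy are constructed."""
from urllib.parse import urlsplit

# Constructed stand-in for a downloaded blacklist: category -> domains.
PREDEFINED = {
    "malware": {"bad-downloads.example", "dropper.example"},
    "adult": {"indecent.example"},
    "social": {"social.example"},
}
# Own additions and exceptions (your own target categories in SquidGuard).
EXTRA_BLACKLIST = {"malware": {"phish.example"}}
WHITELIST = {"edu.social.example"}
# Per-category decision for this profile (assumed: the student network).
POLICY = {"malware": "deny", "adult": "deny", "social": "deny"}


def hostname(url):
    """Host part of a URL, lower-cased, without port; tolerates a missing scheme."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def domain_candidates(host):
    """The host and each parent domain, so a list entry blocks all subdomains
    without matching unrelated names that merely end in the same text."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def categories_for(host):
    """All blacklist categories the host or one of its parent domains is in."""
    cats = set()
    lists = list(PREDEFINED.items()) + list(EXTRA_BLACKLIST.items())
    for candidate in domain_candidates(host):
        for cat, domains in lists:
            if candidate in domains:
                cats.add(cat)
    return cats


def classify(url):
    """Returns (decision, reason).  Whitelist wins, then any denied
    category, then an allow for unclassified sites."""
    host = hostname(url)
    if not host:
        return ("deny", "unparseable")
    if any(c in WHITELIST for c in domain_candidates(host)):
        return ("allow", "whitelist")
    cats = categories_for(host)
    denied = sorted(c for c in cats if POLICY.get(c) == "deny")
    if denied:
        return ("deny", denied[0])
    if cats:
        return ("allow", sorted(cats)[0])
    return ("allow", "unclassified")


if __name__ == "__main__":
    for sample in ("http://www.bad-downloads.example/setup.exe",
                   "phish.example:8080/login",
                   "https://edu.social.example/course",
                   "http://notbad-downloads.example/"):
        print(f"{sample:45} -> {classify(sample)}")
```

The whitelisted course site stays reachable although its parent domain is in a denied category, the own extra entry is treated like a predefined one, and a site whose name only ends in the same characters as a blocked domain is not caught.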
3.2.5. PATCHING
Patching is a very important way of protecting systems against vulnerabilities. There are
always new vulnerabilities found in applications and operating systems. Some
vulnerabilities may take some time before they are patched. If there is a vulnerability which
hasn’t been patched yet and is a candidate to be exploited by malware, measures should
be taken to prevent an infection. This can be done by disabling the vulnerable service or by
isolating the service from unsafe sources, like the internet. When there is a critical
vulnerability, a patch might be carried out faster. These patches might not always be as
stable as a patch that has been thoroughly tested. But even when a patch has been
thoroughly tested, it might still cause instability. That’s why it’s advised to wait before
installing new patches and to first look for information about possible bugs or test the
patch on non-critical systems.
Nevertheless, keeping software up to date is one of the best ways to protect against
malware and other attacks.
3.2.6. A CORRECT CONFIGURATION
It’s very important for network equipment to be configured correctly. Incorrect or badly
configured equipment can leave gaps in the security. The best way to ensure that the
configuration is done well, is to consult the documentation delivered by the manufacturer.
A second opinion of the configuration by a coworker might also eliminate overlooked
misconfigurations.
A solid configuration is particularly important for Linux machines. Man pages and online
documentation should be consulted to ensure a good configuration. Community websites
often have good examples, but these have to be used with care, as they might not always
be reliable.
3.3. PROTECTING AGAINST THREATS
Even with good vulnerability mitigation, there will always be vulnerabilities that can be
exploited by malware. These are the threats. Next to good vulnerability mitigation, a
network should have protection against threats. As the network has already been
protected against known vulnerabilities, these threats will likely exploit unknown
vulnerabilities. So the protection against these threats should be handled by specialized
software. This protection typically comes in the form of an antivirus. An antivirus is the
best last defense.
Typically, antivirus software is used to protect clients. This is good to protect the managed
desktop computers. But users using their own devices cannot be forced to install an
antivirus. To protect the network against the propagation of malware through infected
devices, network devices and servers can be fitted with specialized antivirus software.
3.3.1. FIREWALL PROTECTION
Next to good firewall rules and blocking malicious websites, a firewall can be equipped
with some extra tools to protect against malware and attacks. The downside of running
extra services on the firewall is that traffic might start to pass through slowly which
creates extra latency. So it’s important to make sure the system can handle the extra load.
In our case, pfSense is installed on a virtual machine, so extra resources can be assigned
when the firewall starts to run slowly.
Intrusion prevention system or intrusion detection system
An intrusion prevention system analyzes packets and blocks them when it identifies the
packet as a threat. It detects threats by analyzing the data of the packet and through
behavioral characteristics or data signatures it decides whether the content is malicious or
not. A firewall will only analyze the packet header and it enforces the defined policies,
namely the firewall rules. So the IPS is an extra layer of protection on top of the firewall.
An intrusion detection system does the same as an IPS but it only notifies about threats
instead of blocking packets. With the reports the IDS delivers, the administrator can
implement extra security features. The benefit of an IDS over an IPS is that an IPS might
block legitimate content, while an IDS doesn’t block anything.
An IPS or IDS can be implemented on pfSense for free with the Snort package.
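The three layers described above, as an added illustration that is not part of the original paper and not pfSense or Snort code: a header-only firewall policy, signature matching on the payload, and the IPS/IDS difference in what happens on a match. The rules, the signature pattern and the packet values are constructed for the example.

```python
# Constructed model of the three layers described above: a header-only
# firewall, an IPS that matches payload signatures and blocks, and an IDS
# that matches the same signatures but only alerts. Illustrative only;
# not pfSense or Snort code.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed firewall policy: header fields only, first match wins,
# default deny (dport None matches everything).
FIREWALL_RULES = [
    {"dport": 80, "action": "allow"},
    {"dport": 443, "action": "allow"},
    {"dport": None, "action": "deny"},
]

# Constructed signature set: byte patterns looked for in the payload.
SIGNATURES = {"constructed-sig-1": b"CONSTRUCTED-MALWARE-MARKER"}

def firewall(pkt):
    """Header-only decision: the payload is never looked at."""
    for rule in FIREWALL_RULES:
        if rule["dport"] is None or rule["dport"] == pkt.dport:
            return rule["action"]
    return "deny"

def inspect(pkt):
    """Deep inspection: id of the first matching signature, else None."""
    for sig_id, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return sig_id
    return None

def process(pkt, mode):
    """Firewall first, then IDS ('ids') or IPS ('ips'); returns (verdict, alerts)."""
    alerts = []
    if firewall(pkt) == "deny":
        return "dropped-by-firewall", alerts
    sig = inspect(pkt)
    if sig is not None:
        alerts.append(f"{sig}: {pkt.src} -> {pkt.dst}:{pkt.dport}")
        if mode == "ips":  # the IPS blocks; the IDS only reports
            return "blocked-by-ips", alerts
    return "forwarded", alerts
```

The same packet on an allowed port is forwarded by the firewall alone, blocked by the IPS, and forwarded with an alert by the IDS; a packet on a denied port never reaches inspection at all.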
Figure 14. The Snort package allows you to choose different IPS security levels. These settings are a tradeoff
between security and the amount of false positives.
Gateway antivirus
A gateway antivirus is similar to an IPS. A gateway antivirus focuses on blocking malicious
software from being downloaded while an IPS generally protects against threats like
malware attacks, targeted attacks, DDOS attacks, and others. But the line between the
two terms is blurry and it usually just comes down to marketing.
There is a free solution for pfSense which identifies itself as a gateway antivirus, called
ClamAV. This service is included with the Squid3 package and it can be easily enabled by
checking a checkbox when Squid3 is installed.
Figure 15. Enabling ClamAV in the Squid package
3.3.2. SERVER PROTECTION
Antivirus Software
It’s common to install antivirus software on client computers. But servers, and certainly file
servers, can get infected by malware too. These servers can also be used to propagate
malware through the network. In our case, at MMU, a worm had spread on the Domain
controller’s file server storage. Every client that connected to the Domain controller got
infected by this worm.
Next to all the security implementations discussed earlier, an antivirus on the servers
can be beneficial too. But the problem with server antivirus software is that it might influence
the stability of the server. So the necessity of a real-time antivirus scanner differs from
system to system. The software solutions covered in chapter 2 are used to detect and to
remove malware. This can be sufficient to protect systems, if they are scanned daily, which
should be done during downtimes.
If these scans show that infections on the servers are common, it might be beneficial to
install real-time anti-virus scanners. But in the case that infections are not common it might
not be worth jeopardizing the stability of the systems and to spend resources on this.
If it is the case that these systems can benefit from a real-time antivirus scanner, it is a
good idea to first test the antivirus on less critical systems or, when working in a virtual
environment, on copies of critical systems. This is to ensure the antivirus software does not
cause instability.
The Supply
An important element of this paper is to provide security with limited resources. Most of
the solutions in this paper have been free. For this part however, it’s not that easy. A lot of
the antivirus software for clients is for free, but this is not the case for server antivirus
software. As with most software, the business versions are not for free. However, most
antivirus companies offer discounts for educational facilities. And most of them have trial
versions, so the software can be tested on the infrastructure first.
Comparing the different products that are available is not very easy. There is a lack of tests
about enterprise antivirus software on Windows Servers. So to compare the available
software you either have to rely on the manufacturer’s claims or on tests performed on
client computers. These tests might not show how stable the software runs on Windows
Servers, but they do show the quality of the product. The following table gives an overview
of the popular software currently available. The scores are based on a recent real-world
test conducted by av-test.org.
[Table 2, flattened during extraction. Columns: Name; Protection, Performance and Usability (each a score out of 6, from the av-test.org real-world test, footnote 12); Price per 3 in €; Discount for schools?; Comments. Products compared: Avira Antivirus for Endpoint / Antivirus Server, AVG Antivirus Business, Bitdefender Endpoint Security, G Data AntiVirus Business, Kaspersky Endpoint Security (versions for file servers and for virtual servers), McAfee Endpoint Security, Sophos Endpoint Security and Control, Symantec Endpoint Protection.]
Table 2. Comparison of enterprise antivirus software.
The table shows that this software can be costly. Most of the software in the table is only
intended for workstations or file servers. These are not made for critical servers like the
domain controller. Avira and Kaspersky do offer antivirus software targeted at critical
servers. But there are no test results for these specific products. The manufacturers claim
that this software has a minimal performance impact, which should justify the higher price.
Again, whether it is justified to buy this software or not, depends on the situation. If
infections are common on the servers, a real-time antivirus scanner can be beneficial. If
infections aren’t common, regular scanning with malware detection and removal software
can be enough.
Backups
When something does go wrong, it’s important to have a backup strategy. Without
backups, servers and files are in constant danger. No security implementation is 100%
foolproof. When working in a vSphere environment, vSphere Replication is a good
solution. As it is included in the vSphere license, there are no additional costs.
Replication allows you to back up any virtual machine. An interval can be configured for
when to take a backup copy, and it supports point-in-time retention. This means it can
keep up to 24 snapshots over a configurable timespan. This is an essential feature to make
it a viable backup solution. Multiple point-in-time instances help to minimize data
loss and give the ability to recover to a clean state. For example, if a system got infected 3 days
ago and the backup solution only keeps the latest state from a day ago, it cannot be
recovered to a clean state.
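The retention argument above, worked through as an added example that is not part of the paper and not vSphere Replication code; the even spacing of copies over the timespan and all timestamps are assumptions of this model.

```python
# Constructed model of the point-in-time retention argument above. It is
# not vSphere Replication code; the even spacing of instances over the
# timespan is an assumption of this model, not vSphere's exact scheduler.
from datetime import datetime, timedelta

def retention_schedule(now, instances, timespan_hours):
    """Timestamps of the `instances` copies a policy keeps, spread evenly
    over the last `timespan_hours` (newest first)."""
    step = timedelta(hours=timespan_hours / instances)
    return [now - step * i for i in range(instances)]

def clean_restore_point(snapshots, infected_at):
    """Newest retained copy taken before the infection, or None if every
    retained copy already contains the malware."""
    clean = [s for s in snapshots if s < infected_at]
    return max(clean) if clean else None

def hours_of_data_loss(restore_point, infected_at):
    """Data written between the clean copy and the infection is lost."""
    return (infected_at - restore_point).total_seconds() / 3600

def demo():
    """The paper's scenario: infection 3 days ago; a single copy from a
    day ago versus 24 copies spread over one week (constructed dates)."""
    now = datetime(2016, 5, 1, 18, 0)
    infected_at = now - timedelta(days=3)
    single = clean_restore_point([now - timedelta(days=1)], infected_at)
    weekly = clean_restore_point(retention_schedule(now, 24, 7 * 24), infected_at)
    loss = hours_of_data_loss(weekly, infected_at) if weekly else None
    return single, weekly, loss

if __name__ == "__main__":
    single, weekly, loss = demo()
    print("single day-old copy:", single)        # None: no clean state kept
    print("24 copies over a week:", weekly, loss, "hours of data lost")
```

With 24 copies over a week the newest clean copy is the one taken 77 hours before now, so 5 hours of data are lost; with only a day-old copy no clean state exists at all.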
12 av-test. (2016, April). The best antivirus software for Windows Client Business User. Retrieved from av-test.org: https://www.av-test.org/en/antivirus/business-windows-client/windows-10/
Figure 16. vSphere Replication setting window
3.3.3. CLIENT PROTECTION
As discussed in chapter 1, the client computers used at MMU are already equipped with
Deep Freeze, which restores the computers to a working state at every restart. But these
computers also have shared storage space for students to store their files. If there is
malicious software on this storage space, it could infect the computer every time the
system is recovered.
Giving each student their own storage space through domain user accounts and a Windows
fileserver is a good solution to combat this problem. At MMU this will be implemented in
the future. But chapter 1 also covered how Deep Freeze alone is not sufficient to combat
all malware. An infected client computer could spread malware to other devices on the
network or on USB devices. That’s why antivirus software is still needed next to all the
preventive measures.
Most real-time antivirus software is commercial software. Unlike the malware detection
software covered in chapter 2, there are no open source real-time antivirus scanners for
client computers. A lot of companies offer their antivirus products for free, but only for
personal use. Legally these free versions cannot be used on school computers. Personal
computers of staff and students can use these free versions, but the computers in the
library or the computer lab cannot.
Some companies provide discounts for educational facilities, like an 80% discount on all
Avira products. But luckily a few even offer free software for schools.
Avast has a free for education program. Avast provides free enterprise grade antivirus
software for educational facilities. Avast has good scores on av-test.org’s recent tests13.
There is no other free antivirus software for educational institutions available with the
same quality. So Avast is the best choice to secure school computers.
13 av-test. (2016, April). The best antivirus software for Windows Home User. Retrieved from av-test.org: https://www.av-test.org/en/antivirus/home-windows/windows-7
3.4. TODO
There are still some things to be done on Saaka’s network. A lot of the research has been
done in Uganda, but all the implementations of this research haven’t been done yet.
The biggest problems at Saaka today are the pfSense firewall and the client computers.
The firewall currently lacks a good configuration. Another problem is the computers in
the library and the computer lab, as they lack antivirus software. The biggest problems with
the configuration of the network devices have been fixed already, like the configuration of
the layer 3 switch and the wireless controller. A backup solution for the servers has also
been implemented.
The firewall still needs a better configuration. The configuration of the DMZ has been
done already, but the rules for the LAN network are still the default rules. These should be
changed as described in point 3.2.4. SquidGuard should also be installed to block
some unsafe sites. pfSense also currently lacks an IPS, so Snort should be installed.
However, the impact of Snort has to be monitored to check whether the systems can handle it or
not.
The client computers can really use an antivirus. So Avast should be contacted to arrange
free antivirus software for the devices in the library and the computer lab. Lastly, the IT
staff should make a habit out of scanning the servers for malware at least once a week at
the end of a day.
4. CONCLUSION
The objective of this paper was to find a solution to secure a school network and to make it
malware-free with limited resources. The network infrastructure of the Saaka campus at
Mountains of the Moon University was used as a reference. This infrastructure lacked
proper security, which made it vulnerable to targeted attacks, malware and phishing
attacks. This was due to the lack of a secure configuration of network devices like the
managed switch, the firewall and the wireless controller, but also because of the lack of
vulnerability mitigation methods like proper patch management and a correct least-privilege principle implementation. And lastly, almost no measures were taken to protect
against threats. The lack of security became apparent as the systems showed signs of
malware infections which prevented the systems from functioning well.
The importance of good network security and the protection against malware is clear.
Without it, important data is at risk to be compromised or to be damaged. A lot of
malicious software is at large. Each kind of malware propagates in a different way and
poses a different risk to certain systems. Some malware is easier to detect and to remove
than others. But as malware gets smarter and starts to incorporate social manipulation to
spread and infect, it’s clear an antivirus alone is not sufficient to protect devices against
malware.
In order to properly secure a network, its servers and its users, it’s important to have a
solid security strategy all over the network. Every part of the network should be assessed
for potential vulnerabilities and these vulnerabilities should be minimized. This is
accomplished by educating the students and the staff about proper usage of the network.
Users should also only get those privileges that correspond with their role within
the network. This is done through Active Directory services, Group Policies and through the
correct configuration of the devices that use these services. But most importantly, all
of the software should be kept up to date through good patch management.
As there will always be vulnerabilities left, there will be threats that can exploit these
vulnerabilities. Systems should therefore be protected against these threats. This
protection should be implemented on different levels within the network. A good firewall
configuration is key to protect the network from external threats. A good principle to use
is to deny all the traffic by default and only to allow the traffic that’s really needed. A
firewall like pfSense can be equipped with free features to provide extra protection: Snort
can provide a free IPS that blocks malicious traffic by deep inspection, ClamAV provides a
gateway antivirus solution that prevents users from downloading malicious files and
SquidGuard prevents users from visiting malicious sites.
Servers should be scanned regularly by malware detection and removal software to
protect them against malware and to remove malicious files from their storage. Software
like Malwarebytes should be used to detect general threats while specialized software like
HitmanPro should be used as a second opinion. Real-time antivirus software should only be
used when malware infections on the servers are common, as this software can impede the
performance of the servers. A backup solution like vSphere Replication should be used to
recover systems when they are damaged beyond repair. Client computers do need to be
protected with real-time antivirus software like Avast.
While businesses, big schools and universities have the resources to spend on high-end and
expensive software solutions to protect them against malware and security breaches, a lot
of educational institutions don’t have these resources. But for almost every expensive
software solution, there is a free counterpart available. Either through open-source
initiatives like pfSense or by companies offering their software for free to schools like
Avast does. This free software in combination with a good security strategy makes it very
possible to secure a school network with limited resources.