We have used McAfee's anti-virus software for some years, and the
ePolicy Orchestrator (ePO) since 2002, for virus protection. (See
Network Computing, Issue 33 - September 2002 for details.) The
ePO is a network anti-virus policy management system which has
been used to push anti-virus software and virus signature files
to client PCs. With these tools and McAfee's change to delivering
virus signature files every day (from Monday to Friday), reported
cases of virus infection are rare. Occasionally, a new and
low-risk virus may invade a couple of computers on campus. When
we receive such a report, we take remedial action immediately by
requesting the technical support centre of McAfee to release an
extra signature file to remove the virus. So far so good: viruses
are not an issue on campus.

Maintaining operating systems and software products with their
current patches is critical to security. We deployed Microsoft's
Software Update Services (SUS) in late 2003 for patch management
and found the results very satisfactory. (See Network Computing,
Issue 39 - March 2004 for details.) The number of computers with
missing patches keeps decreasing, making our campus network more
secure. Windows Server Update Services (WSUS) is Microsoft's
upcoming free patch management tool, replacing SUS. WSUS provides
a number of new features, including targeting of patches to
specific groups of computers, support for more products (for
example, Microsoft Office and SQL Server), and improved
reporting. WSUS can now produce reports on which clients have and
have not installed updates, and what updates have been installed.
We will soon replace SUS with WSUS to take advantage of those new
features. However, the ultimate solution for patch management and
desktop management is Microsoft's Systems Management Server
(SMS). SMS 2003 provides a comprehensive solution for change and
configuration management. We will deploy SMS 2003 in the near
future to safeguard users from accidental changes and wrong
configurations.

The deployment of Windows XP Service Pack 2 (WinXP SP2) has
further improved desktop security. We deferred the deployment of
WinXP SP2 to give our users more time for preparation and started
the deployment in January 2005. (See Network Computing, Issue 41 -
September 2004 and Issue 43 - March 2005 for details.) To cope
with computer hardware upgrades, the whole deployment project was
completed smoothly this summer. As the Windows Firewall of all
desktops belonging to the University domain is governed by domain
policy, some important parameters are pre-configured and
centrally maintained, so general users need not worry about their
security settings or about those settings being changed
accidentally. This improved firewall helps protect users from
viruses and security threats that can spread over the Internet,
enabling users to enjoy safer browsing and communication.

Besides, we have implemented a network firewall and intrusion
detection and intrusion protection appliances, which bar most
viruses and attacks at the network side. We have also added
anti-virus and anti-spam features at the mail gateway to prevent
viruses, worms and the like from getting in from this source to
our user desktop environment.

Another major area of security protection is the anti-spyware
solution. A centrally managed anti-spyware solution is our next
target to tackle. We have started the study and hope that the
solution can be launched soon. An anti-phishing solution will
also be studied for feasibility.

The CSC has spent tremendous effort on user awareness education,
on the prevention of viruses, worms, and software
vulnerabilities, on network protection and on centrally managed
policies; however, desktop security is still an issue due to
human error. Some careless users continue to inadvertently click
email attachments or embedded links from unknown sources, and
download programs from websites for use without checking their
trustworthiness, resulting in virus infection or hacker attack.
How secure is your computer? The answer can never be satisfactory
without your awareness and thoughtful participation. Technologies
and policies can help reduce the security risks, but only users
can make the solution complete.