Desktop Security Management

by Joe Lee

Connecting to today's turbulent computing environment is not risk free. How can users survive from unknown virus infection, phishing attacks, software vulnerabilities and zero-day exploit?

We have used McAfee's anti-virus software for some years and the ePolicy Orchestrator (ePO) since 2002 for virus protection. (See Network Computing, Issue 33- September 2002 for details.) The ePO is a network anti-virus policy management system which has been used to push anti-virus software/virus signature file to client PCs. With these tools and McAfee's change of delivering virus signature files everyday (from Monday to Friday), there are rare reported cases of virus infection. Occasionally, a new and low-risk virus may invade a couple of computers on campus. When we receive such report, we take remedial action immediately by requesting the technical support centre of McAfee to release an extra signature file to remove the virus. So far so good, virus is not an issue on campus.

Maintaining operating system and software product with their current patches is critical to security. We deployed Microsoft's Software Update Services (SUS) in late 2003 for patch management and found very satisfactory results. (See Network Computing, Issue 39 - March 2004 for details.) The number of computers with missing patches keeps decreasing, making our campus network more secure. Windows Server Update Services (WSUS) is Microsoft's upcoming free patch management tool, replacing the SUS. WSUS provides a number of new features, including targeting of patches to specific groups of computers, support for more products (for example, Microsoft Office and SQL Server), and improved reporting. Now WSUS can produce reports on which clients have and have not installed updates, and what updates have been installed. We will soon replace SUS with WSUS to take advantage of those new features. However, the ultimate solution for patch management and desktop management is using Microsoft's Systems Management Server (SMS). SMS 2003 provides a comprehensive solution for change and configuration management. We will deploy the SMS 2003 in the near future to safeguard users from accidental changes and wrong configurations.

The deployment of Windows XP Service Pack 2 (WinXP SP2) has further improved the desktop security. We deferred the deployment of WinXP SP2 to give our users more time for preparation and started the deployment in January 2005. (See Network Computing, Issue 41- September 2004 and Issue 43- March 2005 for details.) To cope with computer hardware upgrade, the whole deployment project was completed smoothly in this summer. As the Windows Firewall of all desktops belonging to the University domain is governed by domain policy, some important parameters are pre-configured and are centrally maintained so that general users need not worry about their security settings or being changed accidentally. This improved firewall helps protect users from viruses and security threats that can spread over the Internet, enabling users to enjoy safer browsing and communication.

Besides, we have implemented network firewall, intrusion detection and intrusion protection appliances which bar most of the virus and attacks at the network side. We have also added anti-virus and anti-spam features at the mail gateway to prevent viruses, worms and alike from getting in from this source to our user desktop environment.

Another major area of security protection is the anti-spyware solution. A centrally managed anti-spyware solution is our next target to tackle. We have started the study and hope that the solution can be launched soon. Anti-phishing solution will also be picked up to study its feasibility.

The CSC has spent tremendous effort on user awareness education, on the prevention of viruses, worms, and software vulnerabilities, on the network protection and on the centrally managed policies; however, desktop security is still an issue due to human error. Some careless users continue to inadvertently click email attachments or embedded links from unknown sources, and download programs from websites for use without checking their trustworthiness, resulting in virus infection or hacker attack. How secure is your computer? The answer can never be satisfactory without your awareness and thoughtful participation. Technologies and policies can help reducing the security risks, but only users can make the solution complete.


  1. Mcafee ePolicy Orchestrator

  2. Microsoft Systems Management Server