Pages

Saturday, March 24, 2012

Stop Conficker from spreading via Group Policy

* Please carefully read and understand the below instructions. If unsure seek help from a professional.  

* Read the notes below task 4 (Very important)

Task 1: Set a policy to remove write permissions to the following
registry subkey:
HKEY_LOCAL_MACHINE\Software\​Microsoft\Windows NT\CurrentVersion
\Svchost
This prevents the random named malware service from being created in
the netsvcs registry value.

To do this, follow these steps:
1. Open the Group Policy Management Console (GPMC).
2. Create a new Group Policy object (GPO). Give it any name that you
want.
3. Open the new GPO, and then move to the following folder:
Computer Configuration\Windows Settings\Security Settings\Registry
4. Right-click Registry, and then click Add Key.
5. In the Select Registry Key dialog box, expand Machine, and then
move to the following folder:
Software\Microsoft\Windows NT\CurrentVersion\Svchost
6. Click OK.
7. In the dialog box that opens, click to clear the Full Control check
box for both Administrators and System.
8. Click OK.
9. In the Add Object dialog box, click Replace existing permissions on
all subkeys with inheritable permissions.
10. Click OK.
Task 2. Set the policy to remove write permissions to the %windir%
\tasks folder. This prevents the Conficker malware from creating the
Scheduled Tasks that can re-infect the system.

To do this, follow these steps:
1. In the same GPO that you created earlier, move to the following
folder:
Computer Configuration\Windows Settings\Security Settings\File System
2. Right-click File System, and then click Add File.
3. In the Add a file or folder dialog box, browse to the %windir%
\Tasks folder. Make sure that Tasks is highlighted and listed in the
Folder: dialog box.
4. Click OK.
5. In the dialog box that opens, click to clear the check boxes for
Full Control, Modify and Write for both Administrators and System.
6. Click OK.
7. In the Add Object dialog box, click Replace existing permissions on
all subkeys with inheritable permissions.
8. Click OK.

Task 3. Set AutoPlay (Autorun) features to disabled. This keeps the
Conficker malware from spreading by using the AutoPlay features that
are built into Windows.

To do this, follow these steps:
1. In the same GPO that you created earlier, move to one of the
following folders:
* For a Windows Server 2003 domain, move to the following folder:
Computer Configuration\Administrative Templates\System
* For a Windows 2008 domain, move to the following folder:
Computer Configuration\Administrative Templates\Windows Components
\Autoplay Policies
2. Open the Turn off Autoplay policy.
3. In the Turn off Autoplay dialog box, click Enabled.
4. In the drop-down menu, click All drives.
5. Click OK.

Task 4. Disable the local administrator account. This blocks the
Conficker malware from using the brute force password attack against
the administrator account on the system.

Note DO NOT follow this step if you link the GPO to the domain
controller’s OU because you could disable the domain administrator
account. If you have to do this on the domain controllers, create a
separate GPO that does not link the GPO to the domain controller’s OU,
and then link the new separate GPO to the domain controller’s OU.

To do this, follow these steps:
1. In the same GPO that you created earlier, move to the following
folder:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options
2. Open Accounts: Administrator account status.
3. In the Accounts: Administrator account status dialog box, click to
select the Define this policy check box.
4. Click Disabled.
5. Click OK.
5. Close the Group Policy Management Console.
6. Link the newly created GPO to the location that you want it to
apply to.
7. Allow for enough time for Group Policy to update to all computers.
Generally, Group Policy replication takes five minutes to replicate to
each domain controller, and then 90 minutes to replicate to the rest
of the systems. A couple hours should be enough. However, more time
may be required, depending on the environment.
8. After the Group Policy has propagated, clean the systems of malware.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.