
SANS ISC: Large scale recovery


Large scale recovery

Scott emailed an interesting question the other day which I'm going to flick-pass to you all.

We all have workstations in our organisations. They run AV products, encryption software, firewalls, management tools etc., a nice mix of products that we use to protect and manage workstations. And they all play nice, right?

Well, what if they don't? For example, what if there is a nasty conflict between products, a patch messes up one or more of the products, a virus runs wild, or even something as simple as a group policy screws up? But the fix, rather than a swift click on a button, means you have to go to each machine, boot it into safe mode, make a change, then reboot. How do you recover your workstation environment?

Now the answer is relatively simple if there are only a few machines involved: you might send junior on the road to fix all the machines, one by one. It will keep him out of your hair for a bit. But what if there are 100, 1,000 or even 10,000+ machines to fix? Even junior will need a white coat after a while.

So here is a little scenario for you all to have a think about. The company has 8,000 workstations at several locations, some behind relatively slow lines. A nasty little virus has slipped through and 4,000 machines have been infected. Automated cleanups do not work and the only choice left is to manually inspect and clean each machine or reimage it. Luckily, head office has nice clean images for all the hardware deployed.

So what can we do? Are local recovery partitions on workstations the go? Imaging servers, maybe one at each remote location? Bootable imaging DVDs, deployment products, packaging products? Should we change the environment, use thin clients, PXE?

What do you do? Send us your ideas on how you already cope, or would cope, with having to do a large scale recovery of workstations. I'll collate the responses and, you never know, your idea may save someone's junior from wearing a white coat.

Mark

ISC Handler
