[unisog] UConn's Residential Network Beat the Worms

Arnold, Jamie harnold at binghamton.edu
Thu Sep 4 13:40:10 GMT 2003

With 6000 + incoming "living on campus" students, we chose to use ACLs
at the building master switch level to confine the bug traffic in the
resnet and a few ACLs on one of our core routers.  Our Rescons went out
equipped with all the tools necessary to patch, scan and update any
system in question.  Some of our helpdesk staff also went out to patch
machines, while the rest were at the helpdesk answering questions and
handing out CDs with the tools needed.

Bottom line is we did not have to shut the resnet off, the
administrative network stayed up with very few problems and we learned a

An interesting 3 days to be sure.


-----Original Message-----
From: Dan Jones [mailto:dan.jones at colorado.edu] 
Sent: Wednesday, September 03, 2003 10:47 AM
To: unisog at sans.org
Subject: Re: [unisog] UConn's Residential Network Beat the Worms

CU-Boulder had a similar approach although a much higher percentage of
student systems which were found to be vulnerable (46%).  I think
another difference is that we used an ActiveX component to determine the
patch level of the computer so that we were able to help automate the
patch process (although ActiveX components do have downsides).

I have published a summary document at
http://www.colorado.edu/its/security/MS02036/ for those who may be

In the future we will be looking at some solution to require a minimum
patch level for all campus desktops (i.e., faculty and staff).  This
could either be a similar modification to NetReg or a third party patch
management solution.  While an intensive communications effort helped
get faculty and staff to patch their computer in the long term my
assessment is that we need to require a minimum patch level before
gaining access to the network.  My short list of vendor solutions based
on minimal research at this point includes:

-Citadel Hercules
-HFNetChk Pro
-St. Bernard Update Expert
-Microsoft Software Update

I would be interested in hearing about experiences with these or other
products as well as experiences in requiring patch management for
faculty and staff.


Dan Jones

Dan Jones
Campus IT Security Coordinator - ITS
University of Colorado
303.735.6637 Phone

Phil.Rodrigues at uconn.edu wrote:
> Hi all,
>>From August 21-24, 2003 we had 11,500 students return to the residence
> halls.  9,100 students registered their computers through NetReg and 
> successfully connected to the campus network and the Internet, mostly 
> on Saturday and Sunday.  We automatically scanned and identified 2,500

> (27%) of those computers as vulnerable and redirected them to a page 
> where they downloaded and installed the patch.  That is 2,500 
> computers that were patched without staff intervention, and that were 
> not infected with the worm, and that did not generate a support
phone-call or visit.
> We have documented all the steps we took and linked to all of the code

> we used.  If your student population has not yet returned to campus, 
> and you were already using NetReg to register them, you should be able

> to implement all of these steps we took:
> http://www.security.uconn.edu/uconn_response.html
> We are very interested in making this page useful to as many 
> institutions as possible.  If you have a specific suggestion or 
> criticism please direct it to me or security at uconn.edu.
> Good luck!
> Phil
> =======================================
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu
> =======================================

More information about the unisog mailing list