[unisog] Server based scan for student computers

Paul Seward paul.seward at bristol.ac.uk
Tue May 17 16:14:25 GMT 2005

--On 13 May 2005 12:59 -0400 Andy Druda <adruda at wagner.edu> wrote:

> We are looking to setup a browser-based (at least the entry point) system
> which new student's computers will be directed to until they are
> registered.  We want to check for anti-virus software, updates for such,
> presence of: viruses, current patches and other security problems.

That sounds very much like what we do on our ResNet.  Currently we're
using a (very site specific and as such not generally fit for public
consumption) homebrew system.

The full process goes something like:
- machine is given a DHCP address on a registration vlan with very limited
access (they can get to the registration server and windowsupdate but
that's about it)

- They go through a series of webpages where we gather info about them
(username, address etc)

- If they're running windows, the registration system insists that they
register with IE, partly because without a working IE install windows
update isn't going to work, but partly so we can do the next bit.

- They then visit a page that runs an activex control that checks for
the presence of our site licensed AV product, XPSP2 and a couple of
recent security fixes (if they've got recent security fixes they're
most likely set up for windows update

- then their machine is scanned using a simple nmap scan looking for
a handful of ports that are open by default on windows (windows filesharing
etc) to make sure that they've got some form of firewall.

If they fail for any reason, they are pointed towards instructions that
tell them how to fix whatever they failed on.

If they pass the activex check and the nmap scan they get given a
real DHCP address and get moved into the live vlan and we keep an
eye on our snort box to catch them once they're infected.  We're
working on automating how we deal with infected users.

Now, all the above sounds very like various netreg/bradford systems that
are available elsewhere, but last time this came up on the UK-RESNET
mailing list people seemed very interested in the activex control
that we're using to detect anti-virus/patch levels so I ripped
the relevant chunk out of our registration system and it can be
downloaded from <http://www.resnet.bristol.ac.uk/public/activex.tgz>

To try it out, unzip it to a folder on a webserver of your choice,
add that webserver to the trusted sites zone in IE - and then point
IE at index.html

Personally though, I would have a read through the vbs file before
running it to make sure it's not doing anything nasty, and I would
try it on a development system rather than my desktop.

Not because I believe the code is unsafe, (it's not!) just that it
doesn't hurt to a bit paranoid about running things sent to you by
people on mailing lists ;-)

Anywho, it's written using the (terribly useful) AutoIT scripting
language which can be found at <http://www.hiddensoft.com/AutoIt/>
the rest of our registration is all apache/perl/oracle/snmp (to prod
switches to change vlans etc)

> We would rather not have the expense of a commercial product but we are
> not even sure what some of the commercial products actually do so they
> may even be worth some cost.
> Once certified as safe the student will then be led to a registration
> system which will place them in the normal resnet VLAN.

You may want to peruse the archives of the RESNET-L mailing list
if you haven't already, as this comes up regularly there and always
generates lots of discussion about what's considered to be the best
approach to take.

If I were doing it again from scratch, I don't think I'd go homebrew,
but if you were considering it, the above activex bits may be

PM Seward, ResNet Technical Support Officer
          University of Bristol
0117 928 7856  -  Paul.Seward at bristol.ac.uk

More information about the unisog mailing list