Well. I honestly didn’t expect to get traction on my post about getting infected with a virus, but I guess sending a politely worded complaint to the CEO and Chief Software Architect of Microsoft gets things done J
On Monday, I received a fascinating response from the CIO which was truly enlightening.
The bottom line is that I was infected because it’s not possible to keep a network as big as Microsoft’s 100% virus free.
There are 285,000 Windows machines running on the Microsoft network at any time. Microsoft runs constant scans and forces patches on all unpatched machines within a set timeline (24 hours for emergencies, 14 days for critical updates). Microsoft’s IT department gets patches to more than 99% of the machines on the corporate network within 8 days of the announcement of a critical vulnerability via either voluntary patches, SMS deployed patches, logon script patching or port shutdowns (if none of the previous things work).
The problem is that it’s impossible to get to 100% compliance. Machines get constantly added to the network from mobile employees (sales force, etc), contingent staff (temporary workers), new hires, etc. There’s also the problem of the machines in the conference rooms that run the projectors – they’re often turned off, which means that they don’t get updated. And when they’re brought online, they’re vulnerable until the vulnerability scanners pick them up.
Last week (when I was infected), Microsoft’s IT department detected 330 machines on the corporate network that were vulnerable to Sasser. 249 of them had their network ports shut off; the other machines were force-patched by one of the techniques above.
My problem was that Sasser propagates VERY quickly. Which means that during the time my machine was vulnerable, one (or more) of the 330 machines that was vulnerable also was infected. So even though 99.98% of the machines on Microsoft’s network weren’t vulnerable to the patch, enough were to cause me grief.
One of the key takeaways from Ron’s email was that the IT department strongly suggests that people use Remote Installation Service to upgrade their machines instead of using my technique of rebooting from the unpatched XP CD that they’ve been carrying around for years. The RIS images that OTG deploys have most of the patches deployed on them already, so if you reinstall via RIS, your machine won’t be vulnerable.
The truly frustrating thing for me is that I truly wish I had known that our RIS technology supported a non destructive reinstall option (as Saurabh Jain pointed out). If I had known about that, I would have tried the RIS option to reinstall XP SP1 without reformatting when I decided to back out the interim XP SP2 build.
One other fascinating tidbit in the email is that apparently there are some releases in the future that will render the network even more secure. Unfortunately I can’t talk about them L, because I don’t believe they’ve been announced yet but in the future vulnerable machines won’t even be allowed to get on our network.