Column
Kohut's IT Corner
All About Bob
Technology solutions alone won't guarantee your network's security. Kevin shares how one rogue user created spam havoc on his network.
by Kevin Kohut
9/17/2003 -- If you’re an IT pro responsible for maintaining computer systems (or even if you’re not) you’ve undoubtedly been busy these last several weeks. I know I sure have. First, the various forms of the Blaster worm demanded my attention to servers and desktop machines alike. Then the Sobig virus did its best to bring down all my email systems.
The systems and networks that are under my care utilize industry standard tools for security protection. I’ve built most of them from the ground up, and have employed best practices in how I manage everything from desktop machines to file servers to routers to firewalls. I’ve been doing this for a long time, and am proud of a long track record of keeping my clients’ systems in good working order.
So why did I (and my tech staff) have to spend so much time keeping things under control in response to these virus attacks? Were our best practices not so good after all? Did we drop the ball somehow, maybe failing to update a virus pattern file or forgetting to patch a remote server?
The short answer is no. When our clients started reporting problems we checked our firewall traffic logs—not one attack from the outside. We also verified that any machines exposed to the Internet were properly patched and clean of viruses. They were. We then checked our email logs—as expected, there were several instances of the Sobig virus being quarantined by our faithful email scanning virus program.
Where did all this virus activity come from? We should have been the poster child for system security and management, yet our customers were definitely experiencing the impact of a virus attack.
So, we looked at the firewall logs again. This time, I told my techs to look at activity from inside our NATted, firewall-protected, private networks. “But the only way into our private networks is through public Internet gateways, and we’ve already ascertained that nothing came through any of our firewalls,” my senior tech pointed out.
I repeated my instructions.
He begrudgingly complied with my request. Later that day I get an e-mail from my tech. He tells me that he was able to narrow down where all this virus mayhem began—at one of our client sites (let’s refer to this client as “Bob”), from inside the private network. As I was contemplating how this could happen, how a virus could just appear in a private network without any trace of it coming through the firewall, I get another e-mail. This one is from “Bob,” my client.
At this point you should know that we provide our clients with comprehensive, thin client-based fully managed IT solutions. We supply, build, configure, manage and retain ownership of all computer systems used by our clients. They, in turn, agree to use our supplied systems exclusively. This arrangement is what makes it possible for us to provide “Fortune 500-class IT solutions, without the Fortune 500 price tag,” as our marketing material proclaims. Because we use a server-based computing model with thin client workstations, the technical requirements for one of our IT solutions are quite different from those for a traditional office network environment. The gist of all this is that as long as our servers are secure, so are our clients—as long as they follow our guidelines.
Which brings us back to Bob’s e-mail. He tells me that he thinks his laptop computer is infected with a virus, and is asking me what to do about it. “What laptop computer?” I think to myself. We never sold or discussed a laptop computer with this client. I email him back. I tell him how to ascertain the MAC address of his NIC and ask him to provide me with this bit of information.
Sure enough, all our virus issues started with Bob’s laptop. He brought it into the office, plugged it into the network, and that was it. Our servers were undaunted. They were used to being buffeted with attacks. But our thin client workstations? They were never designed to be in a hostile environment. Their only purpose in life is to connect with a Remote Desktop Connection to a Terminal Server, all inside a private network.
The good news is that none of our clients experienced any significant downtime (a testament to our thin client architecture and server-based computing model). We simply re-imaged the compromised client machines and everything was back on track. No data was lost, either.
But Bob’s little laptop adventure did make us think about revamping our security procedures—and our contracts. From now on, we will be stricter in enforcing our policies, and making sure our clients are held accountable for following them.
“OK Kevin,” you may ask, “nice story and all, but what does this have to do with me?” Well, if you’re an IT pro responsible for maintaining computer systems (or even if you’re not), realize that you can’t just rely on technology to keep things running smoothly. This latest wave of viruses may not have caused you or your users any trouble, but eventually you’re going to have to deal with a Bob of your own. And all the anti-virus software in the world won’t protect you. Are you ready for Bob?
Kevin Kohut has been involved with information technology in some form or another for over 18 years, and has a strong business management background as well. As a computer consultant Kevin has helped both small businesses and large corporations realize the benefits of applying technology to their business needs.