On Tue, May 11, 2010 at 1:31 PM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:
> Let's not ignore the first Conficker infection while we wait for the next.
> CSA was the only thing that stopped it dead from day zero.

I would disagree with "only".

Conficker attacked MS08-067, autorun, and open/weak-password network shares. We patch security vulnerabilities quickly, so we were protected on MS08-067. We disable autorun[1], so we were protected there. All our shares require AD authentication, and we protect against trivial passwords. Conficker was a non-incident for us.

And even the "luser manually runs it off removable media" case can be countered with plain old Software Restriction Policies.

Not saying CSA doesn't have value (totally unfamiliar with it myself), just disagreeing with "only".

[1] This means actually disabling autorun, and not just following Microsoft's guidance on how to disable autorun. Microsoft got it wrong at least twice.

-- Ben