Educause Security Discussion mailing list archives

Re: Mandating format/reinstall after compromise


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 9 Sep 2004 13:25:36 -0500

How many of you *require* a computer be reformatted and
reinstalled after a compromise?

Most times, yes.

Does a computer running malware that includes an IRCBOT
or remote control trojan meet your definition of a
compromise requiring a reformat/re-install? Do you have
to have proof that it was taken advantage of or is its
mere existence sufficient?

Yes.  Generally, we tell the user or the technician that if one Bad
Thing was found, many other Bad Things could very well be on there, some
just waiting to eat their HR database or their thesis.

Do you do the format/reinstall yourself? If not, how do
you check for compliance with this policy?

They can do it themselves, or take it to a shop off campus, or we
provide a walk-in, for-fee service that they can use.  If our technician
does it for them, that person can then verify it has been done, and they
can even directly unblock computers that have been blocked because of a
security issue.  Cost to the user is a minimum $30, and usually it's
$60.

Individuals who bring their computers to this service sign a document
waiving any claims against IU for damages, etc.

If our walk-in support technician doesn't do it, most times we take
the word of the device owner that it has been done.  We do require that
they answer 6 specific questions.  Sometimes you can tell by their
answers that they didn't do what you require, and we just tell them
their response wasn't good enough.

My aim is that at some point we will REQUIRE students who have
subsequent problems to take their computers to our own for-fee service.
The service can't handle that load yet, but I'm encouraging additional
capacity be added, so we can do this.

Who is responsible for backups before the format
process?

If our technician does it, they take the backup to a server they have
for this purpose.

What do you do if the student does not have recovery
media? (OS, applications, backup capability, etc.)

We'll reinstall applications that are available from media (CDs or
online) that we provide generally.  The student is responsible for
reinstalling other stuff they need (which, as we know, might very well
mean they're back getting crap cleaned off again soon thereafter!)

Do you alter the affected computer's network connectivity
until the format/reinstall is done? Do you disconnect
entirely or just reduce connectivity? What is the process
to regain full connectivity?

Misbehaving student machines, depending on the malbehavior, are
usually isolated from the network.  They are told they won't get their
connection back until they take care of the problem.  They can get clean
media and patches on CDs from our bookstores.

Are any of you in a situation where you've "sublet" a portion
of your network (connectivity, topology, and IP address space)
to a third party contractor providing connectivity to
off-campus students? How does this affect your policies?

No.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.