Standards & Guidelines - Computer Compromise Remediation Checklist

The following checklist will assist with remediating a Windows machine that has been compromised through unauthorized access (hack), malicious code (virus/worm/trojan), or another type of vulnerability that leaves the integrity of the machine in question.
Some items on this list can also be used proactively to help prevent unauthorized use, access, or infection of a computer.
- Change passwords for each system that has been logged into from the infected machine (AD passwords, Netware, GroupWise, personal, etc.)
- Update current image
- Patch all software (OS and other applications)
- Update McAfee .dat files and virus engines
- Install Windows Update
- Disable services that are not needed (IIS, MS SQL, etc.). Some desktop applications install these types of services as part of other programs.
- Re-image machine or re-install all software using the updated image
- Lower access of workstation users with administrator privileges to that of a "power user" or "user"
- Limit access privileges of lab computer users to that of a "user"
- Restrict the number of admin accounts on the machine to only those which are absolutely necessary
- Use strong passwords and, where possible, strongly encourage your users to use strong passwords as well.
- Eliminate accounts with null passwords
- Disable the guest account
- Manually run a virus scan
- Run Windows Update as a precaution to ensure that new patch releases have not been overlooked
- Turn off workstations at the end of the workday.
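The following PowerShell script is an added example, not part of the original checklist, that audits a workstation against several of the items above (admin account count, guest account, null passwords, unneeded services, patch recency) and reports findings without changing anything. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later, where the `Microsoft.PowerShell.LocalAccounts` cmdlets are available; the list of "unneeded" service-name patterns is an assumption drawn from the IIS and MS SQL examples in the checklist and should be adjusted to local policy.

```powershell
# Added example (not from the original checklist): read-only audit of a Windows
# workstation against several remediation items. Reports findings; changes nothing.
# Assumes an elevated PowerShell 5.1+ session with the LocalAccounts module.

# Assumption: service-name patterns for the "not needed" services the checklist
# names (IIS, MS SQL). Extend or trim to match local policy.
$UnneededServicePatterns = @('W3SVC', 'IISADMIN', 'MSSQL*', 'SQLBrowser')

$findings = New-Object System.Collections.Generic.List[string]

# Item: restrict admin accounts to those absolutely necessary.
# Lists every member of the local Administrators group for manual review.
$admins = Get-LocalGroupMember -Group 'Administrators'
$findings.Add("Local Administrators group has $($admins.Count) member(s)")
foreach ($m in $admins) {
    $findings.Add("  admin: $($m.Name) [$($m.ObjectClass), source=$($m.PrincipalSource)]")
}

# Items: disable the guest account; eliminate accounts with null passwords.
foreach ($u in Get-LocalUser) {
    if ($u.Name -eq 'Guest' -and $u.Enabled) {
        $findings.Add("Guest account is ENABLED")
    }
    if ($u.Enabled -and -not $u.PasswordRequired) {
        $findings.Add("Enabled account with no password required: $($u.Name)")
    }
}

# Item: disable services that are not needed (IIS, MS SQL, etc.).
# Flags any matching service that is running or not set to Disabled.
foreach ($pattern in $UnneededServicePatterns) {
    Get-Service -Name $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Status -eq 'Running' -or $_.StartType -ne 'Disabled') {
            $findings.Add("Unneeded service present: $($_.Name) status=$($_.Status) start=$($_.StartType)")
        }
    }
}

# Items: patch all software / run Windows Update.
# Reports the most recent hotfix install date so an overdue machine stands out.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $findings.Add("Most recent hotfix: $($latest.HotFixID) installed $($latest.InstalledOn)")
} else {
    $findings.Add("No hotfix history found")
}

# Print the report.
if ($findings.Count -eq 0) {
    Write-Output "No findings."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt before and after remediation and compare the two reports. The script deliberately only reads state: the corresponding fixes are separate, explicit actions (for example `Disable-LocalUser -Name Guest`, `Remove-LocalGroupMember -Group Administrators -Member <name>`, or `Set-Service -Name <service> -StartupType Disabled`), which should be applied per the checklist and then confirmed by re-running the audit. On a machine whose integrity is in question, treat the audit as a pre-re-image inventory; re-imaging from the updated image remains the authoritative cleanup step.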