Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Surprise! You have mystery PCs

J.F. Rice | March 15, 2016
Vulnerability scans uncover on the network unpatched, unprotected PCs that IT never even heard about.

In my previous column, I talked about some computers on my company’s network that weren’t getting patched because they weren’t getting rebooted. The good news is that I was able to negotiate an agreement with the business unit managers to reboot those computers once a month, on Sundays. The bad news is that I found some more computers that haven’t been getting patched. And they aren’t running antivirus software either.

Our (Microsoft Windows) computer inventory tools, patching products and security software all rely on one thing: Active Directory. It’s the source of all the information we have about computers on our network, and it controls the security settings on those computers. We have software that installs patches on our computers, and it uses Active Directory to do what it does. Our antivirus product also relies on Active Directory to automatically install and update on our Windows computers. Active Directory is essentially our de facto inventory of Windows PCs. So what happens when we have a computer that’s not on our Active Directory domain? I found out last week.

As it turns out, we do have a few computers that are not joined to our Active Directory domain. This means that they are unmanaged and effectively invisible to our patching and antivirus tools. We discovered them from our vulnerability scans on all our network segments. These PCs were not in our inventory. That’s because one of the business units brought in a third-party vendor a few months ago, which installed them on our network without any of our technical staff being involved. It’s some kind of financial news service, and the PCs are there to show headlines and stock prices. The vendor just plugged them in and walked away.

So nobody except the business unit employees knew about these new computers until now, when they started showing up on our vulnerability reports. In their first month of service on our network, they were up to date on patches, so our vulnerability scans ignored them. In their second month, they started appearing on the vulnerability report, but with relatively low quantities of vulnerabilities. In the third month, they made it to the top 10. When I asked what these computers were, nobody knew. We tracked them down by tracing the network cables using their IP addresses, and that’s when we found out they are not on our domain.

I called the vendor and asked how its customers are expected to keep these PCs up to date. I was told that most of their customers actually do join the computers to the domain and install their own antivirus products. It just didn’t happen in our case because nobody from IT was involved, and the business unit employees have no idea about these things. So this was a fairly unusual situation.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.