MinUWet Administration Guide

Test version: Jan 11, 2005

 

MinUWet is a tool used in conjunction with the Network Authentication Applicance (NAA) servers as part of a coherent plan to improve campus wired and wireless security.

 

MinUWet is considered an agent application, which means it executes on the user’s computer (typically laptops).  It detects the level of compliance with campus security standards (like recent operating system updates and antivirus definitions) and reports the results to the current NAA server.  The NAA then determines whether the client machine is a significant or acceptable security risk.

 

Basic Functioning

For this discussion, a working knowledge of the pre-MinUWet NAA is assumed.

 

When the NAA finds a new client, it can determine the client operating system using standard web technologies. 

 

Once the OS is classified (Linux, Mac, Windows, undetermined, etc.), the client is assigned a profile based on the OS.

 

The client profile for a PDA could conceivably be different from a Mac profile.  However, initially we will consider only the following profiles:

 

-         Windows Untrusted

-         Windows Trusted

-         Other OS - Trusted

 

If we create MinUWet agents for other operating systems, we would introduce similar “Trusted” versus “Untrusted” profile distinctions.  At present, Windows is the largest source of problems, so it is the one we will tackle first.

 

A newly discovered Windows computer is considered “Windows Untrusted”.  The user is free to continue with that designation – in which case the only protocols allowed after authentication will be HTTP and possibly a few others.  HTTP is essential because it is required for the client computer to get Windows and antivirus updates over the Internet.

 

If the user agrees to use MinUWet, and MinUWet’s results are positive, the user is upgraded to “Windows Trusted” status and is given premium network access to many otherwise denied protocols.

 

MinUWet not only checks for valid updates, it will proactively force the antivirus client to poll for updates if none were downloaded in the current day. 

 

The screen during this time is self explanatory:

 

The agent then shares the results with the server along with a cryptographic hash.  The hash ensures someone isn’t pretending to be MinUWet.  In the process, MinUWet also verifies that the server is who it claims – alerting the user to potential man-in-the-middle or other attacks aimed at identity theft.

 

The results of the MinUWet submission are returned from the server as a web page that MinUWet displays.  It appears similar to:

 

The content is actually produced by the PHP script running on the NAA.  Until production use, the script is running on a standard Engineering web server.  This content can be changed as needed, just like the NAA login and post-login pages.

 

Testing the System

The fully functional prototype is accessible via the web for testing right now.  The only missing pieces are:

-         It does not actually restrict your network traffic, that cannot be done until we move the PHP script to the NAA.  But the logic is all complete.

-         The code does not presently verify that the current web server is a valid NAA – again that doesn’t make sense until it is actually on an NAA

-         Only Symantec brands of AntiVirus have been tested (versions 9 and greater, enterprise and pri

 

Simply point your browser to:

http://www.eng.uwaterloo.ca/~erick/minuwet/classify.php

See also the minuwetd section below for additional instructions.

 

Getting the Agent to the Client

The agent can be delivered to the client using the Web. 

 

While users should be wary of downloading active content, MinUWet will be  digitally signed with the credentials: nexus.uwaterloo.ca.  I am currently working out the details for signing with Reg Quinton and Thawte.

 

Users must already trust active content from Microsoft.com and others, it’s reasonable to assume they will trust us.

 

For computers on a domain (eg. ADS or Nexus), we could pre-install a copy (via GPO), so the user never has to download dynamic content.

 

Notes on Prodding Antivirus Updates

MinUWet’s ability to update the antivirus definitions is no small feat, because only a power user or administrator can run Symatec’s utilities.  In other words, a well managed laptop with unprivileged user accounts would seem to be disadvantaged.

 

The solution is a three step effort based on the administration of the client computer:

  1. If the user is a power user or administrator, we simply spawn the antivirus update application.

  2. If the system a managed computer (eg. ADS, Nexus, etc.) and the user is unprivileged, we look for the presence of the system service named “minuwetd”, which can spawn the antivirus updates for the user.  Minuwetd cloaks the update application with system privileges.  The strategy is somewhat similar in principle (though vastly different in implementation) to a setuid solution in Unix.  Minuwetd can be distributed to computers at installation time or using a GPO for domain based computers.

  3. Failing the above automatic solutions, we simply ask the user for a valid userid/password capable of running the antivirus update application.

 

The net result is that #1 and #2 work automatically – and we expect that they will cover the majority of the cases. 

 

When #3 is used (the last resort), there is always the possibility the user cannot proceed if he does not know the password.  For this reason, the NAA should be tuned to relax the rules so that the definition of recent could be as liberal as “this last week”.

 

Figure 1 - Updating Antivirus Without Total Privilegs

 

 

Installing MinUWetD

If you want to test the optional daemon/service for unauthenticated, it can be downloaded from http://www.eng.uwaterloo.ca/~erick/minuwet/mindaemon.exe and must initially be run with /install to install, and optionally with /silent to indicate it should not pop up a message box.

 

The daemon or system process should be configured to always start at bootup.  The service does not consume any CPU cycles until MinUWet connects to it. 

 

For testing, you can turn it on or off with the Window commands:

net start minuwetd

and     net stop minuwetd