Twenty-seven sheriff units were infected and the county's network bandwidth was eaten up by the worm, which offered to help users download and install security patches but instead hijacked PCs and increased network traffic.
"It brought the network down," said Robert Taylor, chief information officer for Fulton County in Georgia. "The jails couldn't release or admit prisoners. It took us a week to clean up," he said.
That wasn't all that needed cleaning up in the county. In 2004, the IT department did not have a stellar reputation for responsiveness, and that helped drive each county department to create its own domain under Active Directory, Taylor said.
Fulton County signs on as early NAP tester
To rein in the departments and regain its reputation, the IT department began shopping around for perimeter security software and came across a quarantine technology being developed by Microsoft called Network Access Protection. NAP would become part of Microsoft's Windows Longhorn Server, which is slated for release late this year, and Fulton County signed on to become an early tester of the quarantine technology as a member of Microsoft's Technology Adoption Program.
The IT team also began consolidating the eight domains into one controlled by the IT department. "We had all these fiefdoms with their own little domains," Taylor said. "And the fiefdoms created eight different email domains. No one had a standard naming convention. Everyone had to guess what people's email addresses might be."
Consolidating domains wasn't easy. The IT department made it clear that each department would remain in charge of its own business processes, but network access would be monitored and controlled by IT.
"By bringing them all into one domain, we're now able to create templates and push them out so we have the right patches and security rights by department that we set using Active Directory," said Keith Dickie, assistant director of the county's network division.
In conjunction with NAP, the IT team will also be able to make sure the machines are in compliance and have the correct security rights before a user logs into the network.
NAP and IPsec combine for laptop lockdown
NAP also isolates vendors' laptops when they come in to pitch new products to IT. "With NAP combined with IPsec, [a vendor's] machine is quarantined and they can't see any of the resources out there on our network," Taylor said. "We had security in place before, but if people can see a target they'll chip away until they can get in."
NAP and IPsec were only part of the laptop lockdown. NAP also had to tie into two antivirus applications and Microsoft System Center Configuration Manager to remediate problems, Dickie said.
"You have to have this all set up to know exactly what to check for, to see what's not in compliance, get information from Symantec on the latest [virus] definition, then set up and create templates that can be pushed out, which we can do now from one domain," Dickie said. "[Windows Longhorn] Beta 3 will give us that ability to create plug-ins with Symantec and Trend Micro too."
The next phase is pushing NAP out to the 800 PCs equipped with Internet access in the county's libraries. With that in place, NAP will also cover people who come in off the street, unplug a library PC and plug in their own devices.
VPN has issues with NAP
NAP was also considered for remote users, but there was a problem with the VPN, Taylor said. NAP would completely block anyone trying to get in over the VPN, whether that user's machine was clean or not. "Microsoft came up with a way to give our home users a temporary user certificate that let them on the NOC [network operations center] after a health check but still quarantined the users if they were out of date," Taylor said.
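The enforcement decisions described in the two passages above (vendor laptops quarantined under NAP with IPsec, domain PCs sent for remediation through the antivirus plug-ins and System Center Configuration Manager, and VPN users issued a temporary certificate after a health check) as a small policy model in Python. This is an added illustration, not Fulton County's or Microsoft's NAP code; the vendor names come from the article, while the definition dates, the two-day staleness limit, the certificate lifetimes and the host names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Access(Enum):
    FULL = "full"                # health certificate issued; IPsec peers accept the host
    RESTRICTED = "restricted"    # quarantined, but may reach remediation servers
    QUARANTINED = "quarantined"  # unmanaged host: no certificate, nothing visible

@dataclass
class Endpoint:
    name: str
    domain_joined: bool
    av_vendor: str          # which antivirus plug-in answered the check
    av_defs_date: date      # date of the installed virus definitions
    missing_patches: int
    via_vpn: bool = False

# Constructed values: newest definition date reported by each vendor plug-in.
LATEST_DEFS = {"Symantec": date(2007, 5, 1), "Trend Micro": date(2007, 5, 1)}
MAX_DEFS_AGE = timedelta(days=2)
FULL_CERT_HOURS, TEMP_CERT_HOURS = 24, 1   # assumed certificate lifetimes

def health_check(ep: Endpoint, latest_defs=LATEST_DEFS):
    """Return (access decision, findings, certificate lifetime in hours)."""
    findings = []
    if ep.av_vendor not in latest_defs:
        findings.append("no supported antivirus plug-in")
    elif latest_defs[ep.av_vendor] - ep.av_defs_date > MAX_DEFS_AGE:
        findings.append("antivirus definitions out of date")
    if ep.missing_patches:
        findings.append(f"{ep.missing_patches} missing patches")
    if not ep.domain_joined:
        # A visitor's laptop never gets a certificate, even when it looks healthy.
        return Access.QUARANTINED, findings or ["not a county-managed host"], 0
    if findings:
        return Access.RESTRICTED, findings, 0   # fix via SCCM / definition update, then re-check
    # Remote users get a short-lived certificate and are re-checked when it expires.
    return Access.FULL, [], TEMP_CERT_HOURS if ep.via_vpn else FULL_CERT_HOURS

FLEET = [  # constructed sample hosts
    Endpoint("sheriff-pc-07", True, "Symantec", date(2007, 4, 30), 0),
    Endpoint("library-kiosk-12", True, "Trend Micro", date(2007, 4, 20), 3),
    Endpoint("vendor-demo-laptop", False, "Other AV", date(2007, 5, 1), 0),
    Endpoint("home-user-laptop", True, "Symantec", date(2007, 5, 1), 0, via_vpn=True),
]

def evaluate_fleet(fleet=FLEET):
    return {ep.name: health_check(ep) for ep in fleet}
```

Running `evaluate_fleet()` yields one decision per host: the patched sheriff PC gets a day-long certificate, the stale library kiosk is restricted with two findings, the vendor laptop is quarantined outright, and the healthy VPN user receives only the one-hour temporary certificate.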
As for the IT department's formerly beleaguered reputation -- the National Association of Counties has named Fulton County's IT department one of the top 10 departments for each of the last four years for the level of support it now provides.
"Because of the technologies we introduced, we were able to build a track record, and [the departments] were finally willing to give up their domains," Taylor said.