Surprise! You have mystery PCs

Vulnerability scans uncover unpatched, unprotected PCs on the network that IT never even heard about

In my previous column, I talked about some computers on my company’s network that weren’t getting patched because they weren’t getting rebooted. The good news is that I was able to negotiate an agreement with the business unit managers to reboot those computers once a month, on Sundays. The bad news is that I found some more computers that haven’t been getting patched. And they aren’t running antivirus software either.

Our (Microsoft Windows) computer inventory tools, patching products and security software all rely on one thing: Active Directory. It’s the source of all the information we have about computers on our network, and it controls the security settings on those computers. We have software that installs patches on our computers, and it uses Active Directory to do what it does. Our antivirus product also relies on Active Directory to automatically install and update on our Windows computers. Active Directory is essentially our de facto inventory of Windows PCs. So what happens when we have a computer that’s not on our Active Directory domain? I found out last week.

As it turns out, we do have a few computers that are not joined to our Active Directory domain. This means that they are unmanaged and effectively invisible to our patching and antivirus tools. We discovered them from our vulnerability scans on all our network segments. These PCs were not in our inventory. That’s because one of the business units brought in a third-party vendor a few months ago, which installed them on our network without any of our technical staff being involved. It’s some kind of financial news service, and the PCs are there to show headlines and stock prices. The vendor just plugged them in and walked away.

So nobody except the business unit employees knew about these new computers until now, when they started showing up on our vulnerability reports. In their first month of service on our network, they were up to date on patches, so our vulnerability scans ignored them. In their second month, they started appearing on the vulnerability report, but with relatively low quantities of vulnerabilities. In the third month, they made it to the top 10. When I asked what these computers were, nobody knew. We tracked them down by tracing the network cables using their IP addresses, and that’s when we found out they are not on our domain.

I called the vendor and asked how its customers are expected to keep these PCs up to date. I was told that most of their customers actually do join the computers to the domain and install their own antivirus products. It just didn’t happen in our case because nobody from IT was involved, and the business unit employees have no idea about these things. So this was a fairly unusual situation.

We ended up joining the computers to our domain, updating their patches and setting them up with antivirus. We were fortunate that they didn’t contract malware while they were unprotected. But this incident has led me to believe that we should be scanning our entire network for unmanaged devices. That could take a really long time, given the large number of IP addresses in our network range. We’ll have to set up a special system that only does network scanning and let it run until it finishes — probably a few months to scan every IP address. Then we can compare what’s on the network with what’s in Active Directory to make sure there aren’t any more rogue computers lurking in the shadows.
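The reconciliation step described above, comparing what a network sweep finds against what Active Directory knows, is the part that can be automated once the slow scan has run. The script below is an added illustration, not the column author's tooling: it takes a constructed list of live hosts (IP plus reverse DNS, as a ping sweep or port scan would produce) and a constructed CSV in the shape of an Active Directory computer export, and reports every responding host that has no matching computer object. Hostnames are matched case-insensitively with the DNS suffix stripped, because a sweep returns fully qualified names while AD may hold only the short name; a host with no reverse DNS falls back to matching on the IP recorded in AD. All hostnames, addresses and the CSV layout are invented for the example.

```python
"""Find live hosts that are absent from the Active Directory computer inventory.

Added example with constructed inputs; both datasets below are made up so the
script runs offline. In practice the AD export would come from a directory
query and the sweep from a scanner run over every segment.
"""
import csv
import io
import ipaddress

# Constructed AD export (hypothetical file contents, not a real domain).
AD_EXPORT_CSV = """Name,DNSHostName,IPv4Address,OperatingSystem
FIN-WS01,fin-ws01.corp.example,10.20.1.15,Windows 10 Enterprise
FIN-WS02,fin-ws02.corp.example,10.20.1.16,Windows 10 Enterprise
HR-WS07,hr-ws07.corp.example,10.20.2.40,Windows 10 Enterprise
"""

# Constructed sweep results: "ip,reverse_dns" per responding host; reverse_dns may be empty.
SWEEP_RESULTS = """10.20.1.15,fin-ws01.corp.example
10.20.1.16,FIN-WS02.corp.example
10.20.1.77,
10.20.1.78,newsfeed-2.vendor.example
10.20.2.40,hr-ws07.corp.example
"""


def normalize_host(name):
    """Lower-case and drop the DNS suffix so 'FIN-WS02.corp.example' equals 'fin-ws02'."""
    if not name or not name.strip():
        return ""
    return name.strip().lower().split(".")[0]


def load_ad_inventory(csv_text):
    """Return (known_names, known_ips) from the AD computer export."""
    names, ips = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in ("Name", "DNSHostName"):
            short = normalize_host(row.get(field, ""))
            if short:
                names.add(short)
        ip_text = (row.get("IPv4Address") or "").strip()
        if ip_text:
            ips.add(ipaddress.ip_address(ip_text))
    return names, ips


def parse_sweep(text):
    """Parse 'ip,reverse_dns' lines into (IPv4Address, short_hostname) tuples."""
    hosts = []
    for line in text.strip().splitlines():
        ip_text, _, rdns = line.partition(",")
        hosts.append((ipaddress.ip_address(ip_text.strip()), normalize_host(rdns)))
    return hosts


def find_unmanaged(sweep_text, ad_csv_text):
    """Return sorted (ip, hostname) pairs for live hosts with no AD computer object.

    A host whose reverse DNS matches an AD name is managed. A host with no
    reverse DNS is accepted only if its IP is recorded in AD; a host whose name
    is unknown is reported even if its IP is in AD, because DHCP reuse means
    the address alone says nothing about which machine is on it now.
    """
    names, ips = load_ad_inventory(ad_csv_text)
    unmanaged = []
    for ip, rdns in parse_sweep(sweep_text):
        if rdns and rdns in names:
            continue
        if not rdns and ip in ips:
            continue
        unmanaged.append((str(ip), rdns or "(no reverse DNS)"))
    return sorted(unmanaged, key=lambda pair: ipaddress.ip_address(pair[0]))


if __name__ == "__main__":
    for ip, host in find_unmanaged(SWEEP_RESULTS, AD_EXPORT_CSV):
        print(f"UNMANAGED  {ip:<15} {host}")
```

On the constructed data the report lists 10.20.1.77 (no reverse DNS, address unknown to AD) and 10.20.1.78 (the vendor's "newsfeed-2" box), which is exactly the kind of device the column describes: on the network, answering scans, and invisible to every AD-driven tool.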

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
