How to Completely and Utterly Lock Down a PC... (Well, maybe not completely...)

Discussion in 'Networking & Security' started by Orwick_Alefgard, Feb 27, 2012.

  1. Orwick_Alefgard

    Orwick_Alefgard [H]Lite

    Messages:
    83
    Joined:
    Dec 31, 2002
    Hey Everyone:

    I do support work for a medium sized company and we have been getting a rash of these "fake AV" malware/spyware/virus/whatever, and it is driving me bonkers!

    I need to know what I would need to do to completely lock down a PC to the point where this virus crap stops. Or at least lock things down to the point where the AV software (MS Forefront Endpoint Protection 2010) can do its job.

    These PCs are wide open. Local admin rights, no group policy, nothin. Assume that there is ZERO desktop management.

    I am (quite surprisingly) getting a lot of support from the VP of IT on this issue. He has agreed to support me in making whatever culture changes are needed to make this happen. He has asked that I tell him what I intend to change so that he can prep our associates accordingly and has given me access to any lab machines, equipment, software, etc. that I need to get started. Additionally, I have access to a team of developers who can assist in fixing whatever internal apps we have that might need adjustment to work under the new security settings.

    So the part that I am concerned with now is what to lock down on the client side. The problem that I am running into is that when googling, I am getting stuff like "remove local admin access", etc. But I can still easily manage to get the PCs infected in my lab.

    I think that the whole thing is bigger than just removing local admin access. I think the real issue is that I'm just not googling the right damn phrase!

    So any and all help is appreciated! Point me to any additional reading, tell me what to google, ask questions, whatever you guys need to help me out!
     
  2. Jay_2

    Jay_2 2[H]4U

    Messages:
    3,583
    Joined:
    Mar 20, 2006
    GPO is the way. Also keep your Java and Adobe up to date, as this is how the fake A/V stuff is getting onto the box in the first place.
     
  3. adam30k

    adam30k Gawd

    Messages:
    710
    Joined:
    Aug 18, 2002
    Certainly it sounds like you're going back to basics and need to start at security square one. Users should not be logged in as admin, use UAC, put in good AV software. Especially if you can get something that lets you monitor all of the computers from a dashboard.

    How big is your network and are you running a workgroup or a domain? This will affect the path that you take.
     
  4. Orwick_Alefgard

    Orwick_Alefgard [H]Lite

    Messages:
    83
    Joined:
    Dec 31, 2002
    Damn you guys are quick!

    @ Jay_oasis: We have ConfigMgr that is supposed to do the OS patching, along with Flash, Java, etc. Problem is that the guy who managed it quit a while back and the system has fallen by the wayside. I will get with the person whose lap it fell into to make sure that all of the patching is being done properly and that ConfigMgr is actually talking to all of the PCs.

    @ adam30k: Domain environment. ~450 workstations. And you are correct, starting from security square one.

    Keep the questions coming!

    *edited cause I can't spell..........
     
  5. PanzerBoxb

    PanzerBoxb 2[H]4U

    Messages:
    2,067
    Joined:
    Dec 12, 2004
    Do you have any perimeter content scanning going on? Having an inline or mandated proxy with the ability to scan the traffic could help reduce web-borne attacks.
     
  6. /usr/home

    /usr/home [H]ardness Supreme

    Messages:
    6,164
    Joined:
    Mar 18, 2008
    ^ This. You need to filter out that traffic before it hits the machines. Something like a Barracuda and proxy it all. Only allow them access to what they need. If a legitimate site gets blocked, get them to contact IT to whitelist if they feel it's safe. That's what we do. Annoying? Sure. Do we ever get viruses? Maybe once a year among our 800+ machines.
     
  7. -Jess-

    -Jess- Limp Gawd

    Messages:
    291
    Joined:
    Nov 28, 2010
    I think I can pitch in a bit of advice here. Well, I hope :p

    Network security, like all other aspects of IT, starts with some sort of plan, policy or at the very least some scribbled objectives. You should have a clear overview of what you want to accomplish for your network. If you're starting from the ground up, I'd advise you do some R+D on the following documents:

    - Network Security Policy
    - Acceptable Use Policy

    If you have a clear map and you document your logic for making decisions, it gives the security overhaul a great structure, accountability and provides business decision makers with an overview of what's being done.

    I know this might get me e-punched :eek: - but for some ideas into what's required of security, look into:
    NSA's Manageable Network Plan - http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf

    NSA's Network Security Plan (It's old, but it has a structured approach) - http://www.nsa.gov/ia/_files/support/I33-011R-2006.pdf

    SANS Institute (There a quite a few) - http://www.sans.org/reading_room/wh...ecurity-guide-small-mid-sized-businesses_1539

    Look to other vendors such as Cisco/Juniper/et cetera. Their respective websites have a good few whitepapers on security basics.

    -------------------

    Other points:

    Security is best with a layered approach (thanks to YeOldStoneCat who mentioned this a good few times on this forum) - work your way back from the gateway to the end-user's PC. A good UTM appliance providing content filtering/antispyware/anti-virus/ad block such as Untangle/Sonicwall/Barracuda/Sophos-Astaro.

    Get your hands on a good AV solution for devices, ensure that scan times are set and adhered to.

    Local Admin Rights? 450 Users? WHAT!?
    If you're on a domain, I'd mirror Jay_oasis' comment and say GPO.

    An organization I worked for did some good with simple items - such as disabling USB interfaces for flash drives. Malware/Viruses dropped down severely. Perhaps the most effective was the UTM appliance.

    End-user training is the biggest player though - What to do and What not to do. Users need to be continuously reminded that the workstations and connected resources do not belong to them.. and no, they can't do as they please. It's property of the company and it's managed by the IT function of the business.
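    The USB lockdown mentioned above, as an added PowerShell example that is not code from this thread or from any poster. It writes the same registry values the "Removable Storage Access" Group Policy writes (deny write, or deny all, for removable disks) and reads them back so the setting can be verified on a lab machine before it goes into a GPO. Assumptions: it runs elevated, and the GUID is the Windows disk device-interface class that the "Removable Disks" policy entries key on.

```powershell
# Added example, not code from the thread: enforce the "Removable Disks: Deny
# write access" (or deny read/execute too) policy by writing the registry
# values the Removable Storage Access GPO sets, then read them back.
# Assumptions: run elevated; the GUID is the disk device-interface class
# used by the "Removable Disks" policy entries.

$DiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$DiskClass"

function Set-RemovableDiskPolicy {
    param([switch]$DenyRead, [switch]$DenyWrite, [switch]$DenyExecute)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $values = @{
        Deny_Read    = [int]$DenyRead.IsPresent
        Deny_Write   = [int]$DenyWrite.IsPresent
        Deny_Execute = [int]$DenyExecute.IsPresent
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-RemovableDiskPolicy {
    # Returns the effective deny flags, or a note if no policy is set at all.
    if (-not (Test-Path $PolicyKey)) { return 'no removable-disk policy set' }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        DenyRead    = [bool]$p.Deny_Read
        DenyWrite   = [bool]$p.Deny_Write
        DenyExecute = [bool]$p.Deny_Execute
    }
}

# Heavier option: stop the USB mass-storage driver from starting at all, so a
# stick is never mounted (Start 4 = disabled; 3 = on-demand, the default).
# Only use this where nobody legitimately needs USB disks.
function Disable-UsbStorageDriver {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4
}

# Read-only USB for office PCs: users can still open files from a stick, but
# nothing on the PC can write to it and data cannot be carried out on it.
Set-RemovableDiskPolicy -DenyWrite
Get-RemovableDiskPolicy
```

Once the lab machine behaves as expected, the same values belong in a GPO (Computer Configuration, Administrative Templates, System, Removable Storage Access) rather than a script, so that they are re-applied on every policy refresh and a local admin cannot quietly undo them.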
     
  8. dbwillis

    dbwillis [H]ardness Supreme

    Messages:
    7,393
    Joined:
    Jul 9, 2002
    First off, maybe some sort of security appliance....Untangle or some others.
    I didn't see what your Internet connection was... but Untangle would work for blocking a lot of crap
     
  9. adam30k

    adam30k Gawd

    Messages:
    710
    Joined:
    Aug 18, 2002
    450 workstations requires centralized management, updating and AV reporting. Windows Server Update Services can help you control the updates and patches your computers receive. Also, the updates will come from your WSUS server rather than saturating your connection while all the computers download updates from the Internet. Patching and updating should be IT's responsibility, not the users'. They have work to do and shouldn't be clicking OK on a Java update or rebooting so updates install.

    Microsoft System Center Configuration Manager can also help you better manage your computers but I do not have hands on experience with it. What are some of the managed AV products? Microsoft Forefront, Symantec Endpoint Protection and I believe Vipre offers one as well.

    Before you simply lock everything down you will need to look at your company needs. Is it practical or necessary to require banning of removable USB drives?

    End user training and understanding is going to be a big part but it also goes a long way if your users trust IT and know they can come to IT when they see something suspicious or out of the ordinary and won't be unnecessarily reprimanded or scolded. Think of people who report social engineering attempts. IT cares about them and they care about IT. Praise publicly, discipline privately so to speak.
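    The WSUS client side of the post above, as an added PowerShell example that is not from the thread or any poster. It enforces the registry values that the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" policies write, and first reports which settings on the machine have drifted, which is a quick way to find the PCs that ConfigMgr or GPO is not actually reaching. Assumptions: it runs elevated, and http://wsus.corp.example:8530 is a placeholder WSUS URL (8530 is the default non-SSL WSUS port).

```powershell
# Added example, not code from the thread: enforce WSUS client policy values
# (the same ones the Windows Update GPOs write) and report drift.
# Assumptions: run elevated; the WSUS URL below is a placeholder.

$WsusUrl   = 'http://wsus.corp.example:8530'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# Desired state. AUOptions 4 = auto download and schedule the install (no user
# click needed); UseWUServer 1 = use WUServer instead of Microsoft's servers;
# NoAutoUpdate 0 = Automatic Updates on; ScheduledInstallDay 0 = every day;
# ScheduledInstallTime 3 = 03:00.
$Desired = @(
    @{ Key = $PolicyKey; Name = 'WUServer';             Value = $WsusUrl; Type = 'String' }
    @{ Key = $PolicyKey; Name = 'WUStatusServer';       Value = $WsusUrl; Type = 'String' }
    @{ Key = $AuKey;     Name = 'UseWUServer';          Value = 1;        Type = 'DWord'  }
    @{ Key = $AuKey;     Name = 'NoAutoUpdate';         Value = 0;        Type = 'DWord'  }
    @{ Key = $AuKey;     Name = 'AUOptions';            Value = 4;        Type = 'DWord'  }
    @{ Key = $AuKey;     Name = 'ScheduledInstallDay';  Value = 0;        Type = 'DWord'  }
    @{ Key = $AuKey;     Name = 'ScheduledInstallTime'; Value = 3;        Type = 'DWord'  }
)

function Get-WsusDrift {
    # Emit one object per setting whose current value differs from the desired one.
    foreach ($s in $Desired) {
        $current = $null
        if (Test-Path $s.Key) {
            $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        if ($current -ne $s.Value) {
            [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Current = $current; Desired = $s.Value }
        }
    }
}

function Set-WsusClientConfig {
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
    }
    # Make the client drop its old target, re-detect against WSUS and report in.
    # (wuauclt switches are the 2012-era method; newer Windows builds use
    # different tooling for this.)
    Restart-Service -Name wuauserv -ErrorAction SilentlyContinue
    wuauclt.exe /resetauthorization /detectnow
}

$drift = @(Get-WsusDrift)
if ($drift.Count -eq 0) {
    Write-Host 'WSUS client settings already match policy.'
} else {
    $drift | Format-Table -AutoSize
    Set-WsusClientConfig
}
```

Running the drift check alone (without the Set call) across the fleet is the useful audit: any machine that still points at Microsoft's servers, or has NoAutoUpdate set to 1, is one the central tooling has lost.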
     
  10. Angry_Birds

    Angry_Birds [H]Lite

    Messages:
    67
    Joined:
    Aug 16, 2011
    That whole environment sounds like a headache. I'd do the following:

    -Remove local admin rights
    -Update Java and Flash religiously
    -Unless IE is mission-critical for web apps, try a GPO-administered install of Chrome and add Adblock Plus
    -Create and enforce an acceptable use policy. I can say with almost 100% certainty that if users were only visiting work-related websites (maybe with a little Facebook or NYTimes.com sprinkled in) you wouldn't be dealing with this in the first place.
     
  11. adam30k

    adam30k Gawd

    Messages:
    710
    Joined:
    Aug 18, 2002
    On the topic of Java and Adobe, which drive me nuts, what do folks do to keep update notices out of the way of users and how do you deploy updates?

    Also since you'll be enabling UAC and removing rights for regular users, I would recommend an install account (username: install) that IT people can type in any time they need to run something for someone instead of typing in their own credentials. It also keeps anything from running unintentionally when they are logged in.
     
  12. Dan_D

    Dan_D [H]ard as it Gets

    Messages:
    53,451
    Joined:
    Feb 9, 2002
    Group policies are one thing that's a must. You don't need to give admin rights to run programs. Mostly what they need are specific file and registry permissions to make something work. This takes some work on your part, but it's actually pretty easy to do. Then there is a program called Deep Freeze which is your friend. Install this and you can pretty much fix anything (including removing a virus) with a simple reboot.
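    The "specific file and registry permissions instead of admin rights" approach above, as an added PowerShell example that is not from the thread or any poster. It grants a group Modify on only the folder and registry key a legacy application writes to, so the app works for a standard user without the account being a local admin. Assumptions: it runs elevated; CORP\AppUsers, C:\Program Files\LegacyApp\Data and HKLM:\SOFTWARE\LegacyApp are placeholders for the real group and paths, which are found by watching the app fail as a standard user (Process Monitor's ACCESS DENIED results are the usual way).

```powershell
# Added example, not code from the thread: least-privilege grants so a legacy
# app runs without local admin. Assumptions: run elevated; group and paths
# below are placeholders for the ones Process Monitor shows being denied.

$Group  = 'CORP\AppUsers'
$AppDir = 'C:\Program Files\LegacyApp\Data'
$AppKey = 'HKLM:\SOFTWARE\LegacyApp'

function Grant-FolderModify([string]$Path, [string]$Identity) {
    # (OI)(CI) = inherit to files and subfolders; M = Modify (read, write,
    # delete) but NOT change-permissions or take-ownership, so the user cannot
    # widen the grant further. icacls ships with Windows.
    if (-not (Test-Path $Path)) { throw "Folder not found: $Path" }
    icacls.exe $Path /grant "$($Identity):(OI)(CI)M"
}

function Grant-RegistryKeyModify([string]$KeyPath, [string]$Identity) {
    if (-not (Test-Path $KeyPath)) { throw "Key not found: $KeyPath" }
    $acl = Get-Acl -Path $KeyPath
    # Read plus write values and create subkeys; deliberately no
    # ChangePermissions / TakeOwnership / Delete on the key itself.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Show-Grants {
    # Verify: the folder ACL and the group's entry on the key.
    icacls.exe $AppDir
    (Get-Acl -Path $AppKey).Access |
        Where-Object { $_.IdentityReference -eq $Group } |
        Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize
}

Grant-FolderModify      -Path $AppDir   -Identity $Group
Grant-RegistryKeyModify -KeyPath $AppKey -Identity $Group
Show-Grants
```

Keep the grant as narrow as the app needs: the data subfolder rather than the whole Program Files tree, and the app's own key rather than all of HKLM\SOFTWARE. Once the set of grants is known they are better deployed through Group Policy Preferences (or a GPO security template) than by running the script on each PC.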
     
  13. KatalDT

    KatalDT 2[H]4U

    Messages:
    2,567
    Joined:
    Jul 28, 2010
    I was just coming on here to recommend Deep Freeze. I ESPECIALLY love this for people who VPN in, as I can pretty much never touch their PC until they need to update something.

    Anything wrong? Restart it.
     
  14. adam30k

    adam30k Gawd

    Messages:
    710
    Joined:
    Aug 18, 2002
    Deep Freeze is only appropriate for school lab computers or ones which are used by random people every day. It's a good program but I wouldn't say it's for regular office computers. Any program preferences you make or files you save will be undone, that's the point of the program.

    So far we're looking at..

    Multi-function firewall, along the lines of Untangle and the like
    Removal of local admin permissions and appropriate GPO
    Centralized antivirus software management
    Update enforcement through WSUS and/or GPO
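    The "removal of local admin permissions" item in the summary above, as an added PowerShell example that is not from the thread or any poster. It audits the local Administrators group on every domain workstation, reports members that are not on an approved list, and can strip them once the report has been reviewed. Assumptions: the ActiveDirectory module (RSAT) is on the admin workstation, WinRM is enabled on the clients, the clients run a Windows build with Get-LocalGroupMember / Remove-LocalGroupMember, and CORP, the OU path and the group names are placeholders.

```powershell
# Added example, not code from the thread: fleet-wide local Administrators
# audit with optional cleanup. Assumptions: RSAT ActiveDirectory module,
# WinRM enabled on targets, Get-/Remove-LocalGroupMember available there,
# and the domain, OU and group names are placeholders.

Import-Module ActiveDirectory

$Approved        = @('Administrator', 'CORP\Domain Admins', 'CORP\Workstation Admins')
$RemoveOffenders = $false   # run once as a report, review, then set $true

$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*" -and Enabled -eq "True"' `
                            -SearchBase 'OU=Workstations,DC=corp,DC=example' |
             Select-Object -ExpandProperty Name

$report = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue `
    -ArgumentList $Approved, $RemoveOffenders -ScriptBlock {
    param($Approved, $Remove)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # Members come back as PCNAME\user or DOMAIN\group. The built-in local
        # Administrator is matched by short name; everything else by full name.
        $short = $m.Name.Split('\')[-1]
        $ok = ($m.Name -in $Approved) -or
              (($short -in $Approved) -and ($m.PrincipalSource -eq 'Local'))
        if (-not $ok -and $Remove) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Source   = $m.PrincipalSource
            Approved = $ok
            Removed  = (-not $ok -and $Remove)
        }
    }
}

# Unapproved members first; keep the CSV as the change record for management.
$report | Sort-Object Approved, Computer |
    Format-Table Computer, Member, Source, Approved, Removed -AutoSize
$report | Export-Csv -Path "$env:TEMP\local-admin-audit.csv" -NoTypeInformation
```

Machines that are offline simply do not appear in the report, so compare the list of reporting computers against the AD list to find the ones the audit never reached. Once the group is clean, a GPO Restricted Groups (or Group Policy Preferences local group) setting keeps it that way, because a user who gets re-added by a well-meaning technician is removed again on the next policy refresh.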
     
  15. KatalDT

    KatalDT 2[H]4U

    Messages:
    2,567
    Joined:
    Jul 28, 2010
    You can have an unfrozen section, and direct your documents/settings to be stored there. It doesn't mean you can ignore antivirus, but it does mean a restart will fix 99/100 problems.
     
  16. Dan_D

    Dan_D [H]ard as it Gets

    Messages:
    53,451
    Joined:
    Feb 9, 2002
    You can set up Deep Freeze so that it leaves certain partitions untouched. Simply store the data files there.

    This.
     
  17. adam30k

    adam30k Gawd

    Messages:
    710
    Joined:
    Aug 18, 2002
    Yes my use of the word only was inappropriate.
     
  18. ciggwin

    ciggwin [H]ardness Supreme

    Messages:
    4,864
    Joined:
    May 30, 2006
    Also interested in how to manage Java/Adobe updates. I have SCCM but I know nothing about it. Is that the only way?
     
  19. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,890
    Joined:
    Jun 28, 2004
    It also helps to have a few simple scripts you can run for cleaning.

    This is one I offer all our users:


    IE and JAVA clean.bat

    ****************************************************
    @echo off
    REM Clear Internet Explorer's Temporary Internet Files (ClearMyTracksByProcess 8 = temp files only)
    echo Now cleaning Internet Explorer Temp Files
    RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
    REM Clear the Java Web Start / applet cache without showing the splash screen
    echo Now cleaning Java Cache
    javaws -Xclearcache -Xnosplash