How to Completely and Utterly Lock Down a PC... (Well, maybe not completely...)

Orwick_Alefgard

Weaksauce
Joined
Dec 31, 2002
Messages
83
Hey Everyone:

I do support work for a medium sized company and we have been getting a rash of these "fake AV" malware/spyware/virus/whatever, and it is driving me bonkers!

I need to know what I would need to do to completely lock down a PC to the point where this virus crap stops. Or at least lock things down to the point where the AV software (MS Forefront Endpoint Protection 2010) can do its job.

These PCs are wide open. Local admin rights, no group policy, nothing. Assume that there is ZERO desktop management.

I am (quite surprisingly) getting a lot of support from the VP of IT on this issue. He has agreed to support me in making whatever culture changes are needed to make this happen. He has asked that I tell him what I intend to change so that he can prep our associates accordingly and has given me access to any lab machines, equipment, software, etc. that I need to get started. Additionally, I have access to a team of developers who can assist in fixing whatever internal apps we have that might need adjustment to work under the new security settings.

So the part that I am concerned with now is what to lock down on the client side. The problem that I am running into is that when googling, I am getting stuff like "remove local admin access", etc. But I can still easily manage to get the PCs infected in my lab.

I think that the whole thing is bigger than just removing local admin access. I think the real issue is that I'm just not googling the right damn phrase!

So any and all help is appreciated! Point me to any additional reading, tell me what to google, ask questions, whatever you guys need to help me out!
 
GPO is the way. Also keep your Java and Adobe up to date, as this is how the fake A/V stuff is getting onto the box in the first place.
 
Certainly it sounds like you're going back to basics and need to start at security square one. Users should not be logged in as admin, use UAC, put in good AV software, especially if you can get something that lets you monitor all of the computers from a dashboard.

How big is your network and are you running a workgroup or a domain? This will affect the path that you take.
 
Damn you guys are quick!

@ Jay_oasis: We have ConfigMgr that is supposed to do the OS patching, along with Flash, Java, etc. Problem is that the guy who managed it quit a while back and the system has fallen by the wayside. I will get with the person whose lap it fell into to make sure that all of the patching is being done properly and that ConfigMgr is actually talking to all of the PCs.

@ adam30k: Domain environment. ~450 workstations. And you are correct, starting from security square one.

Keep the questions coming!

*edited cause I can't spell..........
 
Do you have any perimeter content scanning going on? Having an inline or mandated proxy with the ability to scan the traffic could help reduce web-borne attacks.
 
^ This. You need to filter out that traffic before it hits the machines. Something like a Barracuda and proxy it all. Only allow them access to what they need. If a legitimate site gets blocked, get them to contact IT to whitelist if they feel it's safe. That's what we do. Annoying? Sure. Do we ever get viruses? Maybe once a year among our 800+ machines.
 
I think I can pitch in a bit of advice here. Well, I hope :p

Network security, like all other aspects of IT, starts with some sort of plan, policy or at the very least some scribbled objectives. You should have a clear overview of what you want to accomplish for your network. If you're starting from the ground up, I'd advise you do some R+D on the following documents:

- Network Security Policy
- Acceptable Use Policy

If you have a clear map and you document your logic for making decisions, it gives the security overhaul a great structure and accountability, and provides business decision makers with an overview of what's being done.

I know this might get me e-punched :eek: - but for some ideas into what's required of security, look into:
NSA's Manageable Network Plan - http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf

NSA's Network Security Plan (It's old, but it has a structured approach) - http://www.nsa.gov/ia/_files/support/I33-011R-2006.pdf

SANS Institute (There a quite a few) - http://www.sans.org/reading_room/wh...ecurity-guide-small-mid-sized-businesses_1539

Look to other vendors such as Cisco/Juniper/et cetera. Their respective websites have a good few whitepapers on security basics.

-------------------

Other points:

Security is best with a layered approach (thanks to YeOldStoneCat who mentioned this a good few times on this forum) - work your way back from the gateway to the end-user's PC. A good UTM appliance providing content filtering/antispyware/anti-virus/ad block such as Untangle/Sonicwall/Barracuda/Sophos-Astaro.

Get your hands on a good AV solution for devices; ensure that scan times are set and adhered to.

Local Admin Rights? 450 Users? WHAT!?
If you're on a domain, I'd mirror Jay_oasis' comment and say GPO.

An organization I worked for did some good with simple items - such as disabling USB interfaces for flash drives. Malware/Viruses dropped down severely. Perhaps the most effective was the UTM appliance.

End-user training is the biggest player though - What to do and What not to do. Users need to be continuously reminded that the workstations and connected resources do not belong to them.. and no, they can't do as they please. It's property of the company and it's managed by the IT function of the business.
 
First off, maybe some sort of security appliance....Untangle or some others.
I didn't see what your Internet connection was .... but Untangle would work for blocking a lot of crap
 
450 workstations requires centralized management, updating and AV reporting. Windows Server Update Services can help you control the updates and patches your computers receive. Also, the updates will come from your WSUS server rather than saturating your connection while all the computers download updates from the Internet. Patching and updating should be IT's responsibility, not the users'. They have work to do and shouldn't be clicking OK on a Java update or rebooting so updates install.

Microsoft System Center Configuration Manager can also help you better manage your computers, but I do not have hands-on experience with it. What are some of the managed AV products? Microsoft Forefront, Symantec Endpoint Protection and I believe Vipre offers one as well.

Before you simply lock everything down you will need to look at your company needs. Is it practical or necessary to require banning of removable USB drives?

End user training and understanding is going to be a big part but it also goes a long way if your users trust IT and know they can come to IT when they see something suspicious or out of the ordinary and won't be unnecessarily reprimanded or scolded. Think of people who report social engineering attempts. IT cares about them and they care about IT. Praise publicly, discipline privately so to speak.
 
That whole environment sounds like a headache. I'd do the following:

-Remove local admin rights
-Update Java and Flash religiously
-Unless IE is mission-critical for web apps, try a GPO-administered install of Chrome and add Adblock Plus
-Create and enforce an acceptable use policy. I can say with almost 100% certainty that if users were only visiting work-related websites (maybe with a little Facebook or NYTimes.com sprinkled in) you wouldn't be dealing with this in the first place.
 
On the topic of Java and Adobe, which drive me nuts, what do folks do to keep update notices out of the way of users and how do you deploy updates?

Also since you'll be enabling UAC and removing rights for regular users, I would recommend an install account (username: install) that IT people can type in any time they need to run something for someone instead of typing in their own credentials. It also keeps anything from running unintentionally when they are logged in.
 
Group policies are one thing that's a must. You don't need to give admin rights to run programs. Mostly what they need are specific file and registry permissions to make something work. This takes some work on your part, but it's actually pretty easy to do. Then there is a program called Deep Freeze which is your friend. Install this and you can pretty much fix anything (including removing a virus) with a simple reboot.
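An added example (not from the poster above) of what "specific file and registry permissions" looks like in practice: a PowerShell script, run elevated once per PC or as a GPO startup script, that grants a domain group Modify on a legacy app's data folder and write access on its HKLM key, so standard users can run the app without local admin. The group name, folder and registry key are placeholders; the real ones are found by watching Process Monitor for ACCESS DENIED results while a standard user runs the app.

```powershell
# Added example: grant a standard-user group the minimum file and registry
# rights a legacy app needs, instead of local admin. All names are placeholders.
$Group   = 'CORP\LegacyAppUsers'               # placeholder domain group
$DataDir = 'C:\Program Files\LegacyApp\Data'   # placeholder: folder the app writes to
$RegKey  = 'HKLM:\SOFTWARE\LegacyApp'          # placeholder: key the app writes to

# --- File system: Modify (M), not Full Control, on the data folder only.
# (OI)(CI) = inherit to files and subfolders; /T applies to existing children.
# The folder holding the EXE/DLLs stays read-only for users on purpose.
icacls $DataDir /grant "$($Group):(OI)(CI)M" /T

# --- Registry: read plus SetValue/CreateSubKey on the app key, inherited to subkeys.
$acl    = Get-Acl -Path $RegKey
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Group,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $RegKey -AclObject $acl

# --- Verify: list the ACEs now held by the group so the change can be audited.
(Get-Acl -Path $DataDir).Access | Where-Object { $_.IdentityReference.Value -eq $Group }
(Get-Acl -Path $RegKey).Access  | Where-Object { $_.IdentityReference.Value -eq $Group }
```

Grant only the folder and key the app actually writes to; handing out Modify on Program Files or HKLM\SOFTWARE as a whole recreates most of the admin-rights problem.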
 
Group policies are one thing that's a must. You don't need to give admin rights to run programs. Mostly what they need are specific file and registry permissions to make something work. This takes some work on your part, but it's actually pretty easy to do. Then there is a program called Deep Freeze which is your friend. Install this and you can pretty much fix anything (including removing a virus) with a simple reboot.

I was just coming on here to recommend Deep Freeze. I ESPECIALLY love this for people who VPN in, as I can pretty much never touch their PC until they need to update something.

Anything wrong? Restart it.
 
Deep Freeze is only appropriate for school lab computers or ones which are used by random people every day. It's a good program but I wouldn't say it's for regular office computers. Any program preferences you make or files you save will be undone, that's the point of the program.

So far we're looking at..

Multi-function firewall, along the lines of Untangle and the like
Removal of local admin permissions and appropriate GPO
Centralized antivirus software management
Update enforcement through WSUS and/or GPO
 
Deep Freeze is only appropriate for school lab computers or ones which are used by random people every day. It's a good program but I wouldn't say it's for regular office computers. Any program preferences you make or files you save will be undone, that's the point of the program.

You can have an unfrozen section, and direct your documents/settings to be stored there. It doesn't mean you can ignore antivirus, but it does mean a restart will fix 99/100 problems.
 
Deep Freeze is only appropriate for school lab computers or ones which are used by random people every day. It's a good program but I wouldn't say it's for regular office computers. Any program preferences you make or files you save will be undone, that's the point of the program.

So far we're looking at..

Multi-function firewall, along the lines of Untangle and the like
Removal of local admin permissions and appropriate GPO
Centralized antivirus software management
Update enforcement through WSUS and/or GPO

You can set up Deep Freeze so that it leaves certain partitions untouched. Simply store the data files there.

You can have an unfrozen section, and direct your documents/settings to be stored there. It doesn't mean you can ignore antivirus, but it does mean a restart will fix 99/100 problems.

This.
 
On the topic of Java and Adobe, which drive me nuts, what do folks do to keep update notices out of the way of users and how do you deploy updates?

Also since you'll be enabling UAC and removing rights for regular users, I would recommend an install account (username: install) that IT people can type in any time they need to run something for someone instead of typing in their own credentials. It also keeps anything from running unintentionally when they are logged in.

Also interested in how to manage Java/Adobe updates. I have SCCM but I know nothing about it. Is that the only way?
 
It also helps to have a few simple scripts you can run for cleaning.

This is one I offer all our users:


IE and JAVA clean.bat

****************************************************
@echo off
REM Clear Internet Explorer temporary files
REM (ClearMyTracksByProcess 8 = Temporary Internet Files only)
echo Now cleaning Internet Explorer Temp Files
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
REM Clear the Java Web Start / plug-in cache without showing the splash screen
echo Now Cleaning Java Cache
javaws -Xclearcache -Xnosplash
 