Protecting workgroup computers from dangers found in flash drives

sram

Okay. I've been asking too many questions about this workgroup network I just built. I want to make it perfect and there is no better place to get help from than my favorite forum [H].

I have disabled the use of flash drives on all computers except mine. I'm the admin, hence this decision. Of course many need to transfer files from the net, blah blah blah, and what I do now is get it inside my PC and push it to them through the network. My PC is well protected and is being taken good care of by me. This is a good control, but I still think there is a better way.

What do you suggest?
 
I suggest trying to organize your thoughts in a coherent manner before shitting all over your keyboard, but that's just me.
 
What's the confusion? He disabled the use of flash drives on his network, so everyone has to take the drive to him to get the files off it. A lot like in the old days in the computer lab when every disk had to be virus scanned by the clueless assistant.

He just wants to know the best way to secure the computers from someone bringing a virus in via USB drives so they don't have to go through him.
 
Decent antivirus? MSE does a great job of this. If they need portability on the network, set aside a network share and be sure to scan it. Use SkyDrive. e-mail the files (you are using Forefront, right?).
 
Make sure everyone is running as limited users, turn on Windows Firewall (allowing exceptions for hosts and processes as you see fit), run a decent AV. Done.

In the 10 years I've been maintaining one of my medium-sized clients, they haven't had a serious virus outbreak yet following the prescribed above. Oh, they've had infections (likely due to a website drive-by), but a simple nuking of the profile fixed them right up. Never had a machine-level infection, and never had a network infection of any kind.
 
Disable Auto-Run, make sure nobody has admin rights on their workstation, and install/activate/update a good antivirus solution? I don't see a reason to completely disable flash drives enterprise-wide.
 
> What's the confusion? He disabled the use of flash drives on his network, so everyone has to take the drive to him to get the files off it. A lot like in the old days in the computer lab when every disk had to be virus scanned by the clueless assistant.
>
> He just wants to know the best way to secure the computers from someone bringing a virus in via USB drives so they don't have to go through him.

Thanks for making it clear buddy. In the past, one of my workgroups was hit by a very nasty virus which was a nightmare to get rid of. People want to keep working...this made it even harder.

I want to avoid that, hence this thread.
 
> Decent antivirus? MSE does a great job of this. If they need portability on the network, set aside a network share and be sure to scan it. Use SkyDrive. e-mail the files (you are using Forefront, right?).

All clients have antivirus software. The only obstacle here is that I need to update every now and then manually. Clients can't connect to the internet.

This SkyDrive idea looks interesting! Haven't read about it before. I'll go google it. Also, if you can expand, it is gonna be great.

> Make sure everyone is running as limited users, turn on Windows Firewall (allowing exceptions for hosts and processes as you see fit), run a decent AV. Done.
>
> In the 10 years I've been maintaining one of my medium-sized clients, they haven't had a serious virus outbreak yet following the prescribed above. Oh, they've had infections (likely due to a website drive-by), but a simple nuking of the profile fixed them right up. Never had a machine-level infection, and never had a network infection of any kind.

Everybody has a standard user account and they can't access the admin account because they don't know the password. Is this what you meant?

Windows Firewall is supposedly on, but do I need that really if the network is isolated from the internet? I don't see a reason. And like I said in my previous post, every machine has an antivirus. It is good to hear that it was working well for you.

> Disable Auto-Run, make sure nobody has admin rights on their workstation, and install/activate/update a good antivirus solution? I don't see a reason to completely disable flash drives enterprise-wide.

Disabling auto-run is a good tip. Thanks.

So, you don't see a need for disabling it?

You know, some people don't take care of their machines. They abuse them actually. I have seen many bad practices. The shared network drive is in my machine that is acting like a little server. I will take care of the network drive, and I think it is not wise to fully trust others.
 
> Everybody has a standard user account and they can't access the admin account because they don't know the password. Is this what you meant?
>
> Windows firewall is supposedly on, but do I need that really if the network is isolated from the internet? I don't see a reason. And like I said in my previous post, every machine has an antivirus. It is good to hear that it was working good for you.

The idea behind workstation firewalls is to isolate the machines on the local network, so they can't intercommunicate. There should be no reason end user workstations need to communicate with each other directly, and it's an attack vector malware packages have exploited in the past, so I disable that capability. It doesn't have anything to do with the internet really.

And yes, standard user account is the same as limited user account. This goes a long way in protecting your network.
 
Use group policy to disable execution from anywhere other than Program Files, Program Files (x86), and Windows.
 
> The idea behind workstation firewalls is to isolate the machines on the local network, so they can't intercommunicate. There should be no reason end user workstations need to communicate with each other directly, and it's an attack vector malware packages have exploited in the past, so I disable that capability. It doesn't have anything to do with the internet really.
>
> And yes, standard user account is the same as limited user account. This goes a long way in protecting your network.

Okay, I see. It looks like disabling auto-run and enabling Windows Firewall (although I know the users will never try to get into other computers) are the last two things I need to do to fully secure the network. I might consider enabling the use of flash drives.

Disabling autorun will have a great effect. All viruses that are transferred to PCs via USB disks use the autorun feature in Windows to their advantage.
 
> Use group policy to disable execution from anywhere other than Program Files, Program Files (x86), and Windows.

Can that be done in a workgroup type network? If yes, please walk me through it. I'll be really grateful.

Also (so that I fully understand), what will that prevent exactly? People will still be able to double-click things (for example a PowerPoint file) located on USB disks to open them with a program found in Program Files, right?

Only exe files found originally on removable media will NOT be able to run if I do that, right?

Thanks.
 
It can be done via local policy in a workgroup environment, but you'd have to either edit each computer individually or find and export the keys the policy changes to a .reg file and load that onto each computer. Just be sure they don't have local admin rights, otherwise they can circumvent them in a workgroup env. And yes, documents aren't executed; they're opened by something else that executes. If you restrict execution to the 3 directories I mentioned, not only will they not be able to run stuff from media, but they'll be unable to run anything they download to their document folder as well. Basically, as long as they don't have admin to be able to copy files to one of the locations that can execute, they won't be able to run anything you haven't installed to one of those 3 locations.
 
Why not just remove the power cords? Sheesh, you've sure got those machines on lock-down. So what CAN they do?
 
Pull out the caulk gun from the toolbox and give a nice squirt into each USB port.
 
> Why not just remove the power cords? Sheesh, you've sure got those machines on lock-down. So what CAN they do?

Remove the Power Chords? Then how the hell are they supposed to play Nu-metal?

What's next, tell them they can't tune to Drop D?

:D
 
> It can be done via local policy in a workgroup environment, but you'd have to either edit each computer individually or find and export the keys the policy changes to a .reg file and load that onto each computer. Just be sure they don't have local admin rights, otherwise they can circumvent them in a workgroup env. And yes, documents aren't executed; they're opened by something else that executes. If you restrict execution to the 3 directories I mentioned, not only will they not be able to run stuff from media, but they'll be unable to run anything they download to their document folder as well. Basically, as long as they don't have admin to be able to copy files to one of the locations that can execute, they won't be able to run anything you haven't installed to one of those 3 locations.

Thanks man. All clear. I'm in your debt.
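
Added example, not part of any post in this thread: a read-only PowerShell audit of three controls recommended above (AutoRun disabled, Windows Firewall enabled on every profile, no unexpected local administrators), to be run on each workgroup PC in turn. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 and an elevated session; the `$Allowed` list of permitted admin accounts is a hypothetical placeholder.

```powershell
# Added example: read-only audit of three controls suggested in this thread.
# Assumes Windows 8 / Server 2012 or later with PowerShell 5.1, run elevated.

function Test-AutoRunDisabled {
    # Machine-wide policy value; 0xFF turns AutoRun off for every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # A missing value means the policy was never set, so report $false.
    ($null -ne $val) -and (($val -band 0xFF) -eq 0xFF)
}

function Get-DisabledFirewallProfile {
    # Domain, Private and Public profiles should all be enabled;
    # anything other than 'True' (False or NotConfigured) is reported.
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' } |
        Select-Object -ExpandProperty Name
}

function Get-UnexpectedAdmin {
    param([string[]]$Allowed = @('Administrator'))   # hypothetical allowlist
    # S-1-5-32-544 is the built-in Administrators group, whatever its
    # localized display name is.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Allowed } |
        Select-Object -ExpandProperty Name
}

# One summary object per machine; empty strings mean nothing was flagged.
$report = [pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    AutoRunDisabled  = Test-AutoRunDisabled
    FirewallOff      = @(Get-DisabledFirewallProfile) -join ', '
    UnexpectedAdmins = @(Get-UnexpectedAdmin) -join ', '
}
$report | Format-List
```

The script changes nothing on the machine; a `False` in `AutoRunDisabled` or any name listed under `FirewallOff` or `UnexpectedAdmins` marks a PC that does not yet match the advice in the thread.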
 