I'll add one more little thing. Take admin access away from all end users including yourself. There is no good excuse to log into any box as admin/root unless you are doing maintenance. Period.
On Thu, May 7, 2009 at 7:21 AM, Daniel Owen <danielowe...@gmail.com> wrote:

> Regardless of OS, security in depth is key.
>
> On the box itself:
>
> Some brand of AV that can be remotely managed. Your end users will not
> consistently tell you when the AV warns them, so it's nice to be able to get
> a screen that covers all your machines.
>
> Some sort of anti-spyware that can be run manually to pick up things the AV
> missed. A few have already been mentioned.
>
> Turn on a host firewall. This will limit the damage that hosts inside the
> protected network can do to each other. Make sure you open the ports that
> need to be open for your management software and any legit peer traffic
> between systems. This is another place where commercial software that can
> do central reporting might be nice, but I just use the built-in Windows
> firewall for basic protection.
>
> At the perimeter:
>
> A firewall to filter ports. Look at the logs. They can tell you a lot. As
> mentioned, a PC that should send through your smart host suddenly spewing
> mail (which should be getting blocked by the default deny rule) is a bad
> sign. It's also a bad sign when 20Gb of aggregate traffic per day becomes
> 30Gb if that extra traffic can't be explained. Really, anything unusual
> should be considered, if not fully investigated.
>
> An IPS is a nice addition to the firewall, and most modern Unified Threat
> Management (UTM) packages include at least some IPS functionality. This
> will help to block the vulnerabilities that come across a legitimate port
> and are therefore invisible to a traditional firewall. Don't forget to read
> the logs. Attacks that are coming from the outside can usually be ignored
> as long as they're getting blocked, but anything coming from inside is
> worth investigating.
>
> Perimeter AV is available in many if not most modern UTM packages. Why let
> the virus get all the way to the desktop to hopefully block it? Inline AV
> can slow down network traffic if the hardware is not sized correctly. Oh,
> and try to use an AV package that is different from what you use on the
> desktop. Since AV packages are still reactive in that they use signatures,
> this gives you two different vendors and two chances to catch any given new
> virus.
>
> Slightly behind the perimeter:
>
> An IDS is crucial if you are really worried about detecting what everything
> else missed. The IDS won't stop anything, but hopefully it will allow you to
> see things missed by everything else. Like I said with AV software, go with
> another product that you are not using on your firewall/IPS/UTM stack. This
> way you will hopefully have more chance of catching things they missed.
> Since the IDS does not actually block anything, you can also turn up the
> detection a little more as long as you don't start getting too many false
> positives. Tuning is the bane of most IDS solutions. Since no one has
> mentioned IDS, I'll plug Snort using BASE as a reporting tool. It's a nice
> combination and the price is right.
>
> Oh crap, I think this box is infected but I'm not sure by what:
>
> Safest bet is nuke it, but sometimes that just isn't practical. I have used
> the Ultimate Boot CD for Windows with some success (and some failings) to
> get infected boxes cleaned up. The real problem these days is that you never
> know for sure if you get everything, but UBCD4WIN will at least keep any
> malware from using the infected host to hide itself, so you have a better
> chance. I'll repeat: if possible, nuke the box and start over. It's a
> Windows box; it'll be good for it anyway.
>
> With the exception of the AV and spyware notes, this all holds equally true
> for any network, not just Windows.
>
> In the situation you describe, if your employer doesn't mind spending some
> money I'd take this as an opportunity to add another layer of security. But
> that's just me and I'm paranoid.
>
> On Wed, May 6, 2009 at 8:37 AM, Drew <cothar...@gmail.com> wrote:
>
>> Yeah, it's off topic. However, in my experience the amount of knowledge
>> readily available on this list is huge, and I have a lot of respect for most
>> of the opinions expressed in matters technical here. But let's suppose that,
>> even though we've taken reasonable steps to ensure that Windows machines on
>> our network are not compromised, the powers that be still "want to make
>> sure" that nothing has happened to any of them. Short of reinstalling
>> machines just because, or getting rid of them and having everyone use Linux,
>> what's the best way to make certain a Windows machine is not compromised? To
>> rephrase, what is the best (free or otherwise) software package to use to
>> check for spyware, malware, viruses, keyloggers, and other nefarious schemes
>> to take over the world that may be brewing on a Windows computer? Thanks for
>> the feedback.

You received this message because you are subscribed to the Google Groups "NLUG" group.
To post to this group, send email to nlug-talk@googlegroups.com
To unsubscribe from this group, send email to nlug-talk+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
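The quoted post's advice to "look at the logs" names two concrete signs: a LAN box other than the smart host trying to send mail directly, and a day whose aggregate traffic jumps well above the day before. The script below is an added example, not code from the thread or from any of its posters. It reads iptables-style LOG lines (the format, the sample lines, the 192.168.1.0/24 LAN, the 192.168.1.5 smart host and the 1.25 jump ratio are all constructed assumptions) and reports both signs, plus any dropped packet that originated inside the LAN, which the post says is the kind of drop worth investigating.

```python
"""Surface the firewall-log signs described in the thread: direct SMTP from a
LAN host that is not the smart host, dropped packets that originated inside,
and a day whose accepted traffic jumps above the previous day's.
Log format, addresses, sample lines and thresholds are constructed for this
example and are not taken from the thread."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed): LAN is 192.168.1.0/24 and the only
# box allowed to deliver mail outbound is the smart host 192.168.1.5.
LAN = ip_network("192.168.1.0/24")
SMART_HOST = ip_address("192.168.1.5")
# Flag a day whose accepted byte count exceeds the previous day's by more
# than this ratio (assumed 1.25; the post's 20 -> 30 example would be 1.5).
JUMP_RATIO = 1.25

# iptables LOG lines as syslog would write them (assumed layout).
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ kernel: (?P<action>ACCEPT|DROP) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+)?(?: DPT=(?P<dpt>\d+))? LEN=(?P<len>\d+)"
)


def parse(line):
    """Return the fields we care about as a dict, or None if the line is not a firewall log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ip_address(d["src"])
    d["dst"] = ip_address(d["dst"])
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    d["len"] = int(d["len"])
    return d


def rogue_smtp_senders(lines):
    """Count packets to TCP/25 leaving the LAN from any host other than the smart
    host. Dropped attempts count too: the attempt itself is the bad sign."""
    hits = Counter()
    for d in filter(None, map(parse, lines)):
        if (d["proto"] == "TCP" and d["dpt"] == 25 and d["src"] in LAN
                and d["src"] != SMART_HOST and d["dst"] not in LAN):
            hits[str(d["src"])] += 1
    return dict(hits)


def inside_originated_drops(lines):
    """Dropped packets whose source is on the LAN, keyed by (src, proto, dport).
    Drops from outside are the firewall doing its job; these are worth a look."""
    hits = Counter()
    for d in filter(None, map(parse, lines)):
        if d["action"] == "DROP" and d["src"] in LAN:
            hits[(str(d["src"]), d["proto"], d["dpt"])] += 1
    return dict(hits)


def daily_bytes(lines):
    """Sum the LEN of accepted packets per calendar day, in log order."""
    totals = defaultdict(int)
    for d in filter(None, map(parse, lines)):
        if d["action"] == "ACCEPT":
            totals[d["day"]] += d["len"]
    return dict(totals)


def traffic_jumps(lines, ratio=JUMP_RATIO):
    """Return (day, previous_total, total) for each day whose accepted volume
    exceeds `ratio` times the preceding day's."""
    totals = daily_bytes(lines)
    days = list(totals)  # dict preserves first-seen (log) order
    return [(days[i], totals[days[i - 1]], totals[days[i]])
            for i in range(1, len(days))
            if totals[days[i]] > ratio * totals[days[i - 1]]]


# Constructed sample log: a normal day, then a day where 192.168.1.42 tries
# to send mail directly and also pushes out noticeably more traffic.
SAMPLE_LOG = """\
May  6 09:00:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=50000 DPT=80 LEN=1500
May  6 09:00:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.25 PROTO=TCP SPT=50001 DPT=25 LEN=1200
May  6 09:00:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=4444 DPT=445 LEN=60
May  6 09:00:04 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.21 DST=203.0.113.10 PROTO=TCP SPT=50002 DPT=443 LEN=1300
May  7 09:00:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=50003 DPT=80 LEN=1500
May  7 09:00:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.25 PROTO=TCP SPT=50004 DPT=25 LEN=60
May  7 09:00:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.25 PROTO=TCP SPT=50005 DPT=25 LEN=60
May  7 09:00:04 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.10 PROTO=TCP SPT=50006 DPT=80 LEN=1500
May  7 09:00:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.10 PROTO=TCP SPT=50007 DPT=80 LEN=1500
May  7 09:00:06 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.10 PROTO=TCP SPT=50008 DPT=80 LEN=1500
not a firewall line
""".splitlines()

if __name__ == "__main__":
    print("rogue SMTP senders:", rogue_smtp_senders(SAMPLE_LOG))
    print("inside-originated drops:", inside_originated_drops(SAMPLE_LOG))
    print("daily accepted bytes:", daily_bytes(SAMPLE_LOG))
    print("traffic jumps:", traffic_jumps(SAMPLE_LOG))
```

On the constructed sample the smart host's own SMTP traffic on May 6 is ignored, 192.168.1.42's two direct SMTP attempts on May 7 are reported even though the default deny rule dropped them, and May 7's accepted volume (6000 bytes) is flagged against May 6's (4000 bytes). Against a real log the same functions would read lines from the syslog file instead of `SAMPLE_LOG`; the day-over-day comparison is deliberately crude, and a site with strong weekday/weekend swings would want to compare against the same weekday rather than the previous day.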