Gilbert Wilson wrote:
> All:
> 
> My decade long winning streak with Symantec Corporate Edition has come  
> to an end.  Restricting user access and SAV worked so well for so long  
> I began to take it for granted...
> 
> Now, I'm working in environments that won't let me restrict user  
> access.  With users running as Admins on their local machines and the  
> new generation of malware I need to look at new ways of protecting  
> machines so that I'm not spending all my time fixing registry entries  
> and/or re-imaging the same machines every other week.
> 
> So, my question is, what do /you/ do to keep Windows XP functional and  
> malware free?  What AV packages work well for you?  Do you use more  
> than one?  In my research it looks like /none/ of them are really more  
> than 90% successful at detecting a threat, and then it might even be  
> too late.  What else do you do to keep the machine secure other than  
> keeping AV and security patches up to date?  I.E. configure the  
> firewall to block certain ports?  Restrict download file types? Web  
> proxies? Turn off administrative shares?
> 
> Any and all ideas welcome.

First, stepping aside the debate about the future of AV ...

If you're going to rely on antivirus software, you have to get on an
18-month upgrade cycle treadmill. Older versions of vendor AV, while still
supported, will get eaten for breakfast by modern malware. My
workplace's Windows support team fell behind on Symantec, and we were
getting plastered by basic malware exploits. Since upgrading to the
current edition of Endpoint, our compromises from web-hosted malware
have (apparently) fallen from 3 a week to about 1 every 2-3 months.

I suspect that in about another 6 to 9 months, defeating this version of
Symantec will become about as trivial as it did with the last ...

That said ...

If you can't take admin away, you have a problem. Can you do something
like giving them basic user rights, and allowing them to escalate to
admin using RunAs or maybe sudowin?

Look into some sort of host-based security hardening metric. FDCC
settings are a good start, but look at the settings and season for your
environment. The default settings will effectively neuter Internet
Explorer and Outlook Express, which goes a long way towards cutting down
on attack vectors.

Keep up on your third party patches and updates. Adobe products are
really getting the snot kicked out of them right now, with active
exploits for at least Acrobat, Flash and Air.

Firewall off everything you can. :) While protecting a web surfer is
hard enough, I can't imagine it if the bad guys had access to RPC, CIFS,
LSASS, etc ...

Can you put in a web proxy? Maybe even deny everything except a few
external sites?

Get an IDS/IPS/monitoring system, put it in, keep it current, and watch
the logs! Don't laugh, but I've found attacks and residue from syslog
processing, event log processing, ntop, netflow monitoring, and even
mrtg back in the day. So, anything you can find, monitor and measure
effectively for normal (and thus abnormal) behavior is a bonus.

-- 
-- John E. Jasen ([email protected])
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
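The last point in the reply above, measuring what is normal for each machine so that abnormal behaviour stands out, as an added example that is not the list's own code or anything John Jasen posted. It assumes a minimal netflow-like record format (timestamp, source host, destination, port, protocol, bytes) constructed for this example, builds a per-host baseline of the services it normally talks to and its daily flow count, and then flags later records that break that baseline. The sample logs are constructed, not captured traffic.

```python
"""Baseline-and-deviation check over flow records (added example, not from the thread).

Assumed record format (constructed for this example, not any collector's real output):
    <timestamp> <src_host> <dst_ip> <dst_port> <proto> <bytes>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: two days of "normal" workstation traffic (web, DNS only).
BASELINE_LOG = """\
2009-03-02T09:00:00 ws-01 10.0.0.5 80 tcp 1200
2009-03-02T09:05:00 ws-01 10.0.0.5 443 tcp 5000
2009-03-02T09:10:00 ws-01 10.0.0.10 53 udp 120
2009-03-02T09:15:00 ws-02 10.0.0.5 80 tcp 900
2009-03-02T09:20:00 ws-02 10.0.0.10 53 udp 100
2009-03-03T09:00:00 ws-01 10.0.0.5 80 tcp 1100
2009-03-03T09:05:00 ws-01 10.0.0.10 53 udp 110
2009-03-03T09:10:00 ws-02 10.0.0.5 443 tcp 4000
2009-03-03T09:15:00 ws-02 10.0.0.10 53 udp 130
"""

# Constructed sample: a later day where ws-01 suddenly opens many CIFS (445/tcp)
# connections to hosts it never talked to before, while ws-02 stays normal.
NEW_LOG = """\
2009-03-09T09:00:00 ws-01 10.0.0.5 80 tcp 1000
2009-03-09T09:01:00 ws-01 10.0.0.22 445 tcp 3000
2009-03-09T09:01:10 ws-01 10.0.0.23 445 tcp 3000
2009-03-09T09:01:20 ws-01 10.0.0.24 445 tcp 3000
2009-03-09T09:01:30 ws-01 10.0.0.25 445 tcp 3000
2009-03-09T09:01:40 ws-01 10.0.0.26 445 tcp 3000
2009-03-09T09:01:50 ws-01 10.0.0.27 445 tcp 3000
2009-03-09T09:02:00 ws-02 10.0.0.10 53 udp 100
"""


def parse(text):
    """Turn the assumed line format into a list of record dicts; blank/comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        records.append({"day": ts[:10], "src": src, "dst": dst,
                        "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return records


def build_baseline(records):
    """Per host: the set of (port, proto) pairs seen, and mean/stddev of flows per day."""
    services = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for r in records:
        services[r["src"]].add((r["port"], r["proto"]))
        per_day[r["src"]][r["day"]] += 1
    volume = {}
    for host, days in per_day.items():
        counts = list(days.values())
        volume[host] = (mean(counts), pstdev(counts))
    return {"services": dict(services), "volume": volume}


def find_deviations(baseline, records, min_margin=2):
    """Flag flows to a service the host never used, and days whose flow count
    exceeds mean + 3 sigma. min_margin keeps a host with a flat baseline
    (stddev 0) from alerting on a single extra flow. A host absent from the
    baseline has every flow flagged, which is the conservative choice."""
    findings = []
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        known = baseline["services"].get(r["src"], set())
        if (r["port"], r["proto"]) not in known:
            findings.append(("new-service", r["src"],
                             f'{r["dst"]}:{r["port"]}/{r["proto"]}'))
        counts[r["src"]][r["day"]] += 1
    for host, days in counts.items():
        avg, sd = baseline["volume"].get(host, (0.0, 0.0))
        threshold = max(avg + 3 * sd, avg + min_margin)
        for day, n in days.items():
            if n > threshold:
                findings.append(("volume", host,
                                 f"{day}: {n} flows, baseline mean {avg:.1f}"))
    return findings


def check_sample():
    """Run the constructed baseline against the constructed later day."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_deviations(baseline, parse(NEW_LOG))


if __name__ == "__main__":
    for kind, host, detail in check_sample():
        print(f"{kind:12s} {host:6s} {detail}")
```

The two checks are deliberately simple: a new (port, protocol) pair for a workstation that normally only does web and DNS is exactly the kind of "residue" the reply describes finding in netflow or syslog, and the per-day count catches bursts even when the service itself is not new. The baseline window and the 3-sigma margin are knobs to tune against real traffic before trusting the alerts.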