That’s right. Well, I don’t mean “hackers” in their real meaning - computer professionals, able to twist the computer doing whatever they wish, for a good cause. I will use the word “hacker” in it’s more popular meaning - computer criminal, again, able to twist your computer, but not for a good cause…
What are they like?
Well, they don’t like meeting obstacles. They hate beating their head against your firewall. They hate spending weeks and months in searching for a hole in your security systems - but hmm, if it’s worth it, they will. They will (and have done it with lots of companies) sometimes wait and search for YEARS, until they finally break your defenses.
The hacker society is just like water in a mountain - it builds it’s way slowly through the solid rock, builds whole caves - and nothing can stop it, if it is allowed to flow long enough. Eventually, they (we?) will get to you.
How can you protect your company? Buying new security systems could *probably* help. Against… some scriptkiddies.
Don’t allow the water flowing long enough to find a hole in your security.
Just change (enhance) your security frequently enough, so they would not be able to run at your speed. Change *all* passwords for critical systems every month. Change *all* user passwords every 6 months. Update your OS on client and server machines *immediately* after a patch is issued. Never run a service with higher privileges than it needs. If possible, separate your internet facing servers from your network.
Forget about DMZ. It just does NOT work.
You got it? Should I repeat? Forget about DMZ. Separate your internet facing servers from your internal network Completely. Choose completely different passwords for your internet facing servers and for your intranet facing servers. In fact you shold not have the same password for more than 1 server! If your company has DMZ connected to your internal network, and one of the DMZ servers gets compromised, it’s gone. Game over. The theory behind DMZ is like swiss cheese - holes all over it’s logic. It will slow down the attacker, but it will help him tremendously if you use DMZ.
Well, I have searched long and wide, could not find better structured article on browser security.
Just head over at http://www.cert.org/tech_tips/securing_browser/ and do what Will Dormann and Jason Rafail tell you.
Best of luck!
Usually, when you install Windows(tm), after installation you’re granted with Admin rights - very convenient to install programs initially, and configure your system.
What people don’t do afterwards, is create a user with Guest priviledge and use it for their daily tasks!
So what you should do?
Once all your applications are installed and your system is fully configured with drivers etc, click on Start - > Run - > type lusrmgr.msc, press Enter, right-click on Users, create a new user, choose a nice password for it, Clear the check-box “User must change password at next log on” . OK. Next, right-click on the user you created, choose Properties, click on the Member of tab, remove Users group, click Add, type Guests in the box, click Ok.
Right-click on the Admistrative user you used until now - be it Administrator and/or other user you selected during installation - and set a long, nice, hard to guess password for it using “Reset Password”. Make up something like “thisisalongandeasytorememberpassword” - some sentence only you know and will never forget, but is impossible for others to guess.
Next time you log in to Windows, choose the Low-priv account you created, and use it for your daily tasks - browsing, working, etc - when you need to perform any administrative tasks, just right-click on an installation file or other executable, choose “Run As”, and type in your Administrative credentials.
Done!
We’ve seen multiple exploits, when the users visits a malicious web site, and next the whole organization is compromised, the data is leaked, business loses A LOT of money.
So, what are we going to do? Use Linux? Yeah, like there are no exploits for all Linux browsers, including the console based Lynx… yes, text only browsing is dangerous too!
Let’s imagine most our users are admins on their own machines. Or even Power users. Dangerous situation. What would I do? Run IE as… Guest! This is isolating internet explorer for safe browsing.
Here’s the How-To:
Start - > Run - > type lusrmgr.msc, press Enter, right-click on Users, create a new user, choose a nice password for it, Clear the check-box “User must change password at next log on” - this account will be used only for running your internet facing applications like Internet Explorer, Firefox, Outlook, etc.
Next, right-click on the user you created, choose Properties, click on the Member of tab, remove Users group, click Add, type Guests in the box, click Ok.
To create a shortcut on the Desktop for the new Internet Explorer instance, right-click on the Desktop, choose New -> Shortcut, in the field for the program paste this (where newuser is the username of the user you created previously):
runas /user:newuser “c:\Program Files\Internet Explorer\iexplore.exe”
Press Next, when it asks for a name for the new shortcut, type Inernet Explorer, press Next, done.
For Firefox: runas /user:newuser “c:\Program Files\Mozilla Firefox\firefox.exe”
The icon is not pretty, I know. Right-click on it, choose Properties, Change Icon, and choose a nice icon, maybe even the Internet Explorer one at the end of the list.
Update: This does not work with IE7 in Vista, so to run IE7 as Guest, you will need to login with your new user. That is actually much better, as it will protect you from other threats from internet facing programs you run.
Well this one will be a short one.
Wanted to bring to your attention a program I’m using for a long time on my personal computers and in my work - “Security and Privacy Complete”. I know, I know, name sounds like crappy shareware useless app, but it’s not.
It is an opensource project hosted at SourceForge.net, http://sourceforge.net/projects/cmia/
Now, WARNING. If you are not sure about an option, do NOT check or uncheck it. I could show you the settings I use, but it is possible that in your situation you will need something else. Hover your mouse over the setting, read the balloon tip that shows up, if you understand it - decide on the setting. Google it if you don’t understand it.
First run: There is a button, Create a Backup. USE IT. You can restore from backup later, using the “Restore from backup” button. Do not change any settings before you have created a backup!
Direct download link: here
Settings explained:
http://cmia.backtrace.org/en_system.html
http://cmia.backtrace.org/en_sicherheit.html
http://cmia.backtrace.org/en_dienste.html
http://cmia.backtrace.org/en_media.html
http://cmia.backtrace.org/en_iex.html
http://cmia.backtrace.org/en_firefox.html