SecurityGuy.org

If you ever wanted to disable the use of USB storage devices at your organization, like USB flash drives or external hard drives, this article is for you.

Look no further. You can do it with the built-in tools you have in your Active Directory environment.
First, download the Group Policy Management Console here. Install it.

To prevent users from using usb drives, you will need USB block ADM file (98).

To prevent users from writing to usb drives, you will need USB write protect ADM (77).
read more »

This is the second video on securing Windows XP for home use - for advanced users.

P.S. You may want to watch it in “full screen” mode.

Video: Secure Windows XP - tutorial that teaches you how to secure your home or business computer.

Please check back for more advanced guides.

P.S. You may want to watch it in “full screen” mode.

That’s right. Well, I don’t mean “hackers” in their real meaning - computer professionals, able to twist the computer doing whatever they wish, for a good cause. I will use the word “hacker” in it’s more popular meaning - computer criminal, again, able to twist your computer, but not for a good cause…

What are they like?
Well, they don’t like meeting obstacles. They hate beating their head against your firewall. They hate spending weeks and months in searching for a hole in your security systems - but hmm, if it’s worth it, they will. They will (and have done it with lots of companies) sometimes wait and search for YEARS, until they finally break your defenses.

The hacker society is just like water in a mountain - it builds it’s way slowly through the solid rock, builds whole caves - and nothing can stop it, if it is allowed to flow long enough. Eventually, they (we?) will get to you.

How can you protect your company? Buying new security systems could *probably* help. Against… some scriptkiddies.

Don’t allow the water flowing long enough to find a hole in your security.

Just change (enhance) your security frequently enough, so they would not be able to run at your speed. Change *all* passwords for critical systems every month. Change *all* user passwords every 6 months. Update your OS on client and server machines *immediately* after a patch is issued. Never run a service with higher privileges than it needs. If possible, separate your internet facing servers from your network.

Forget about DMZ. It just does NOT work.

You got it? Should I repeat? Forget about DMZ.  Separate your internet facing servers from your internal network Completely. Choose completely different passwords for your internet facing servers and for your intranet facing servers. In fact you shold not have the same password for more than 1 server! If your company has DMZ connected to your internal network, and one of the DMZ servers gets compromised, it’s gone. Game over. The theory behind DMZ is like swiss cheese - holes all over it’s logic. It will slow down the attacker, but it will help him tremendously if you use DMZ.

Well, I have searched long and wide, could not find better structured article on browser security.

Just head over at http://www.cert.org/tech_tips/securing_browser/ and do what Will Dormann and Jason Rafail tell you.

Best of luck!

Usually, when you install Windows(tm), after installation you’re granted with Admin rights - very convenient to install programs initially, and configure your system.

What people don’t do afterwards, is create a user with Guest priviledge and use it for their daily tasks!

So what you should do?

Once all your applications are installed and your system is fully configured with drivers etc, click on Start - > Run - > type lusrmgr.msc, press Enter, right-click on Users, create a new user, choose a nice password for it, Clear the check-box “User must change password at next log on” . OK. Next, right-click on the user you created, choose Properties, click on the Member of tab, remove Users group, click Add, type Guests in the box, click Ok.
Right-click on the Admistrative user you used until now - be it Administrator and/or other user you selected during installation - and set a long, nice, hard to guess password for it using “Reset Password”. Make up something like “thisisalongandeasytorememberpassword” - some sentence only you know and will never forget, but is impossible for others to guess.

Next time you log in to Windows, choose the Low-priv account you created, and use it for your daily tasks - browsing, working, etc - when you need to perform any administrative tasks, just right-click on an installation file or other executable, choose “Run As”, and type in your Administrative credentials.

Done!

We’ve seen multiple exploits, when the users visits a malicious web site, and next the whole organization is compromised, the data is leaked, business loses A LOT of money.

So, what are we going to do? Use Linux? Yeah, like there are no exploits for all Linux browsers, including the console based Lynx… yes, text only browsing is dangerous too!

Let’s imagine most our users are admins on their own machines. Or even Power users. Dangerous situation. What would I do? Run IE as… Guest! This is isolating internet explorer for safe browsing.

Here’s the How-To:
Start - > Run - > type lusrmgr.msc, press Enter, right-click on Users, create a new user, choose a nice password for it, Clear the check-box “User must change password at next log on” - this account will be used only for running your internet facing applications like Internet Explorer, Firefox, Outlook, etc.

Next, right-click on the user you created, choose Properties, click on the Member of tab, remove Users group, click Add, type Guests in the box, click Ok.

To create a shortcut on the Desktop for the new Internet Explorer instance, right-click on the Desktop, choose New -> Shortcut, in the field for the program paste this (where newuser is the username of the user you created previously):
runas /user:newuser “c:\Program Files\Internet Explorer\iexplore.exe”
Press Next, when it asks for a name for the new shortcut, type Inernet Explorer, press Next, done.
For Firefox: runas /user:newuser “c:\Program Files\Mozilla Firefox\firefox.exe”

The icon is not pretty, I know. Right-click on it, choose Properties, Change Icon, and choose a nice icon, maybe even the Internet Explorer one at the end of the list.

Update: This does not work with IE7 in Vista, so to run IE7 as Guest, you will need to login with your new user. That is actually much better, as it will protect you from other threats from internet facing programs you run.