
  • admin 5:56 pm on 16 February, 2009

    Shield from exploits 

    So, you wanted some kind of protection from 0-day exploits… here it is.

    Amazing work by F-Secure! http://www.f-secure.com/weblog/archives/00001607.html

    From their website:

    You may also remember that Microsoft patched MS08-078 around the same time. Multiple versions of Internet Explorer were affected on multiple versions of the Windows OS and exploit code was circulating at the time. Exploit Shield 0.5 was able to proactively protect against those exploits.

     
  • admin 4:05 pm on 26 September, 2008
    Tags: disable usb   

    How to disable the use of USB storage devices 

    If you ever wanted to disable the use of USB storage devices at your organization, like USB flash drives or external hard drives, this article is for you.

    Look no further. You can do it with the built-in tools you have in your Active Directory environment.
    First, download the Group Policy Management Console here. Install it.

    To prevent users from using USB drives, you will need the USB block ADM file (687).

    To prevent users from writing to USB drives, you will need the USB write protect ADM (467).

     
    • MichaelRaby 5:16 pm on 3 October, 2008

      Thanks for the tip.

      If you don’t want to mess with hundreds of GPOs, I can recommend you use ScriptLogic’s desktop management system called Desktop Authority.

      This way we limited access to unwanted usb devices in our company. The tool allows you to block only particular types of devices only for particular departments or particular users.

      For example, we have the ability to block unwanted USB storage for most of our users while allowing company-issued USB keys (by their serial numbers) for special types of users.

    • admin 6:37 pm on 7 October, 2008

      Glad you find it useful. Well, Desktop Authority seems a really neat solution indeed.

      Keep em locked down!

    • admin 9:19 pm on 11 November, 2009

      One more thing I’ve found today, which works pretty well btw – http://www.nsa.gov/ia/_files/factsheets/I731-002R-2007.pdf

  • admin 9:34 pm on 25 September, 2008

    Video: How to secure Windows XP – Part 2 (Advanced level) 

    This is the second video on securing Windows XP for home use – for advanced users.


    P.S. You may want to watch it in “full screen” mode.

     
  • admin 1:21 am on 25 September, 2008
    Tags: secure, tutorial

    Video: How to secure Windows XP – Part 1 (beginner level) 

    Video: Secure Windows XP – tutorial that teaches you how to secure your home or business computer.

    Please check back for more advanced guides.

    P.S. You may want to watch it in “full screen” mode.

     
  • admin 11:19 am on 14 August, 2008

    Securing the Browser 

    Well, I have searched long and wide, and could not find a better-structured article on browser security.

    Just head over to http://www.cert.org/tech_tips/securing_browser/ and do what Will Dormann and Jason Rafail tell you.

    Best of luck!

     
  • admin 11:48 am on 11 August, 2008

    Log in to Windows with least privilege 

    Usually, when you install Windows(tm), after installation you’re granted Admin rights – very convenient for installing programs initially and configuring your system.

    What people don’t do afterwards is create a user with Guest privilege and use it for their daily tasks!

    So what should you do?

    Once all your applications are installed and your system is fully configured with drivers etc., click on Start -> Run, type lusrmgr.msc, press Enter, right-click on Users, create a new user, choose a nice password for it, and clear the check-box “User must change password at next log on”. OK. Next, right-click on the user you created, choose Properties, click on the Member of tab, remove the Users group, click Add, type Guests in the box, click OK.
    Right-click on the Administrative user you used until now – be it Administrator and/or another user you selected during installation – and set a long, nice, hard-to-guess password for it using “Reset Password”. Make up something like “thisisalongandeasytorememberpassword” – some sentence only you know and will never forget, but that is impossible for others to guess.

    Next time you log in to Windows, choose the Low-priv account you created, and use it for your daily tasks – browsing, working, etc – when you need to perform any administrative tasks, just right-click on an installation file or other executable, choose “Run As”, and type in your Administrative credentials.

    Done!

     
  • admin 6:05 pm on 8 August, 2008

    Isolate Internet Explorer 

    We’ve seen multiple exploits where a user visits a malicious web site, and next the whole organization is compromised, the data is leaked, and the business loses A LOT of money.

    So, what are we going to do? Use Linux? Yeah, like there are no exploits for all Linux browsers, including the console based Lynx… yes, text only browsing is dangerous too!

    Let’s imagine most of our users are admins on their own machines. Or even Power Users. Dangerous situation. What would I do? Run IE as… Guest! This isolates Internet Explorer for safe browsing.

    Here’s the How-To:
    Start -> Run, type lusrmgr.msc, press Enter, right-click on Users, create a new user, choose a nice password for it, and clear the check-box “User must change password at next log on” – this account will be used only for running your internet-facing applications like Internet Explorer, Firefox, Outlook, etc.

    Next, right-click on the user you created, choose Properties, click on the Member of tab, remove the Users group, click Add, type Guests in the box, click OK.

    To create a shortcut on the Desktop for the new Internet Explorer instance, right-click on the Desktop, choose New -> Shortcut, and in the field for the program paste this (where newuser is the username of the user you created previously):
    runas /user:newuser "c:\Program Files\Internet Explorer\iexplore.exe"
    Press Next; when it asks for a name for the new shortcut, type Internet Explorer, press Next, done.
    For Firefox: runas /user:newuser "c:\Program Files\Mozilla Firefox\firefox.exe"

    The icon is not pretty, I know. Right-click on it, choose Properties, Change Icon, and choose a nice icon, maybe even the Internet Explorer one at the end of the list.

    Update: This does not work with IE7 in Vista, so to run IE7 as Guest, you will need to log in with your new user. That is actually much better, as it will protect you from other threats from internet-facing programs you run.
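
The account setup from this post and from "Log in to Windows with least privilege", done with the built-in net commands instead of lusrmgr.msc and followed by a check of the resulting group membership. This is an added example, not part of the original posts; newuser is the posts' placeholder name, and the English group names Users, Guests and Administrators are assumed.

```bat
@echo off
rem Added example: command-line form of the lusrmgr.msc steps in the posts.
rem "newuser" is the placeholder account name from the post. It is used
rem as a findstr pattern below, so keep it to plain letters and digits.
setlocal
set "LOWPRIV=newuser"

rem Create the account. "*" makes net prompt for the password, so the
rem password never appears on the command line or in this file.
net user "%LOWPRIV%" * /add || goto :fail

rem New local accounts land in Users; move this one to Guests instead.
net localgroup Users "%LOWPRIV%" /delete || goto :fail
net localgroup Guests "%LOWPRIV%" /add || goto :fail

rem Check the result: the account must be listed in Guests and must not
rem be listed in Users or Administrators. The pattern matches a line
rem holding only the account name, allowing trailing spaces.
net localgroup Guests | findstr /i /r /c:"^%LOWPRIV% *$" >nul || goto :fail
net localgroup Users | findstr /i /r /c:"^%LOWPRIV% *$" >nul && goto :fail
net localgroup Administrators | findstr /i /r /c:"^%LOWPRIV% *$" >nul && goto :fail

echo %LOWPRIV% is a member of Guests only.

rem Start the browser under that account (runas prompts for its password).
runas /user:%LOWPRIV% "c:\Program Files\Internet Explorer\iexplore.exe"
exit /b 0

:fail
echo Account setup or membership check failed. 1>&2
exit /b 1
```

Run it from an administrative command prompt; it stops with exit code 1 if any step fails or if the account is still listed in Users or Administrators.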

     