Amazing work by F-Secure! http://www.f-secure.com/weblog/archives/00001607.html

From their website:

You may also remember that Microsoft patched MS08-078 around the same time. Multiple versions of Internet Explorer were affected on multiple versions of the Windows OS and exploit code was circulating at the time. Exploit Shield 0.5 was able to proactively protect against those exploits.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor’s patch.

To sum up, Exploit Shield provides:

•  Zero Day Defense: Protects unpatched machines.
•  Patch-Equivalent Protection: Vulnerability “shield” updates.
•  Proactive Measures: Heuristic detection techniques.
•  Protects Against All Websites: Regardless if untrusted or trusted and malicious or hacked.
•  Automatic Feedback: detected exploit attempts are automatically reported to F-Secure.

Look no further. You can do it with the built-in tools you have in your Active Directory environment.
First, download the Group Policy Management Console here. Install it.

To prevent users from using usb drives, you will need USB block ADM file (764).

To prevent users from writing to usb drives, you will need USB write protect ADM (516).

An additional step that needs to be performed before the above tip will work has to do with modifying the file access permissions for 2 files. You need to remove the SYSTEM access permissions from the usbstor.sys and usbstor.inf files.

You can do so by right clicking these files > Properties, then going to the Security tab. There you need to remove the line for the SYSTEM account.

Note: Under some circumstances, the SYSTEM should have write access to these files during Service Pack installation. For example, when the SP is installed via GPO or SMS, the installation runs under the SYSTEM Account.

Service Pack needs to replace the files to a new version and without proper write access to the file, installation will fail… Therefore, before each SP deployment we need to allow access to the SYSTEM account for these files.

Adding .ADM files to the Administrative Templates in a GPO

In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the next steps:

1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Stat menu, or by typing gpmc.msc in the Run command.Note: GPMC is not a built-in part of Windows 2000/XP/2003, and needs to be separately installed, yet remember it can only be used effectively on Windows Server 2003-based Active Directory.
   If you do not have GPMC or cannot install it then you’ll need to edit the GPO via the regular means, i.e. from Active Directory Users and Computers management tool (dsa.msc).
2. Right-click an existing GPO (or create an new GPO, then right-click on it) and select Edit.
3. Expand either the Computer settings or Users settings sections of the GPO. Go to the appropriate Administrative Templates section and right-click it. Select Add/Remove Templates.
4. In the Add/Remove Templates window click Add.
5. Browse to the location of the required .ADM file and click Open.
6. In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close.
   Now re-open the Administrative Templates section and browse to the new settings location.

Disabling GPO settings filtering

Many custom Administrative Templates require you to remove the requirement to show policy settings that can be fully managed in the GPO editor. To do so follow the next steps:

1. After completing the above procedure, browse to the newly added Administrative Template section.
   Note that the section is indeed listed, however in the right-pane is empty.
2. Right-click an empty spot in the right pane and select View > Filtering.
3. In the Filtering window click to un-mark the “Only show policy settings that can be fully managed” option. Then click Ok.
   Notice how the available options are now displayed in the right pane.

You can now configure these options as you please.

Replicating the added .ADM files across the domain

When adding new .ADM files to any GPO you actually place new features in the Administrative Templates section for that GPO. These settings should be accessible from any DC, and should apply to any computer that is affected by that GPO.

However, if the .ADM files were added, for example, when sitting on DC1, how do you make sure they are also replicated to DC2, DC3 and so on?

Well, luckily for us, in most cases there are no additional configuration steps involved. When adding the new .ADM file it is automatically uploaded to the following location on the DC that was used to edit the GPO (usually – the PDC Emulator,

%SystemRoot%\SYSVOL\sysvol\domain name\Policies\{GPO GUID}\Adm

Because all of the SYSVOL folder is shared and automatically replicated all over the domain, the uploaded .ADM file will automatically replicated to all the GPO instances on all DCs in the domain.

However this might cause a problem when using too many templates and too many GPOs, especially on slow WAN links.

In Windows Server 2003, the size of the Administrative Templates has grown when compared to the same .ADM files in Windows 2000. As a result, the entire set of Administrative Templates has grown to almost 1.75MB. When you multiply this size by each Policy that SYSVOL contains, you can see that much space is devoted to these templates.

For example, for a large corporation with 1200 GPOs in place, the entire SYSVOL folder (where the GPOs are located on each DC) can take up more than 1GB of hard disk space. Replicating such a folder over the WAN (especially when promoting a new DC) can be very problematic.

Removing .ADM files from an existing GPO

Whenever you do not need the added feature anymore you can simply reverse the process and instead of adding new .ADM files – removing them.

Before removing an Administrative Template, make sure you modify its policy settings and wait for Group Policy to refresh on all the computers that were supposed to be effected by the GPO. This is because removing an Administrative Template that was previously installed does not change or remove any Registry settings that the GPO deployed when Group Policy was last processed.

UPDATE: http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html is one good resource on locking the drives, too. Just run the exe’s from the bottom of the post and you should be fine.

P.S. You may want to watch it in “full screen” mode.

Please check back for more advanced guides.

P.S. You may want to watch it in “full screen” mode.

Just head over at http://www.cert.org/tech_tips/securing_browser/ and do what Will Dormann and Jason Rafail tell you.

Best of luck!

What people don’t do afterwards, is create a user with Guest priviledge and use it for their daily tasks!

So what you should do?

Once all your applications are installed and your system is fully configured with drivers etc, click on Start – > Run – > type lusrmgr.msc, press Enter, right-click on Users, create a new user, choose a nice password for it, Clear the check-box “User must change password at next log on” . OK. Next, right-click on the user you created, choose Properties, click on the Member of tab, remove Users group, click Add, type Guests in the box, click Ok.
Right-click on the Admistrative user you used until now – be it Administrator and/or other user you selected during installation – and set a long, nice, hard to guess password for it using “Reset Password”. Make up something like “thisisalongandeasytorememberpassword” – some sentence only you know and will never forget, but is impossible for others to guess.

Next time you log in to Windows, choose the Low-priv account you created, and use it for your daily tasks – browsing, working, etc – when you need to perform any administrative tasks, just right-click on an installation file or other executable, choose “Run As”, and type in your Administrative credentials.

Done!

So, what are we going to do? Use Linux? Yeah, like there are no exploits for all Linux browsers, including the console based Lynx… yes, text only browsing is dangerous too!

Let’s imagine most our users are admins on their own machines. Or even Power users. Dangerous situation. What would I do? Run IE as… Guest! This is isolating internet explorer for safe browsing.

Here’s the How-To:
Start – > Run – > type lusrmgr.msc, press Enter, right-click on Users, create a new user, choose a nice password for it, Clear the check-box “User must change password at next log on” – this account will be used only for running your internet facing applications like Internet Explorer, Firefox, Outlook, etc.

Next, right-click on the user you created, choose Properties, click on the Member of tab, remove Users group, click Add, type Guests in the box, click Ok.

To create a shortcut on the Desktop for the new Internet Explorer instance, right-click on the Desktop, choose New -> Shortcut, in the field for the program paste this (where newuser is the username of the user you created previously):
runas /user:newuser “c:\Program Files\Internet Explorer\iexplore.exe”
Press Next, when it asks for a name for the new shortcut, type Inernet Explorer, press Next, done.
For Firefox: runas /user:newuser “c:\Program Files\Mozilla Firefox\firefox.exe”

The icon is not pretty, I know. Right-click on it, choose Properties, Change Icon, and choose a nice icon, maybe even the Internet Explorer one at the end of the list.

Update: This does not work with IE7 in Vista, so to run IE7 as Guest, you will need to login with your new user. That is actually much better, as it will protect you from other threats from internet facing programs you run.

Wanted to bring to your attention a program I’m using for a long time on my personal computers and in my work – “Security and Privacy Complete”. I know, I know, name sounds like crappy shareware useless app, but it’s not.

It is an opensource project hosted at SourceForge.net, http://sourceforge.net/projects/cmia/

Now, WARNING. If you are not sure about an option, do NOT check or uncheck it. I could show you the settings I use, but it is possible that in your situation you will need something else. Hover your mouse over the setting, read the balloon tip that shows up, if you understand it – decide on the setting. Google it if you don’t understand it.

First run: There is a button, Create a Backup. USE IT. You can restore from backup later, using the “Restore from backup” button. Do not change any settings before you have created a backup!

Direct download link: here

Settings explained: 
http://cmia.backtrace.org/en_system.html  
http://cmia.backtrace.org/en_sicherheit.html 
http://cmia.backtrace.org/en_dienste.html
http://cmia.backtrace.org/en_media.html
http://cmia.backtrace.org/en_iex.html
http://cmia.backtrace.org/en_firefox.html

Seriously, I’ll try shortening this up. First, you need a *good* firewall. I don’t know about you, but I just don’t trust the built-in one. Don’t know anyone who knows what it is and trusts it, though…
The best firewall I’ve come to use is Comodo Firewall – it has a period of learning, let it know which apps are safe, you will be the mentor for a while – but it’s worth it. It’s rock solid.

Next thing in the list – windows update. Set it to Automatic (Click on Start – > Run – type services.msc – press Enter – find Automatic updates, doubleclick on the service, set it to Automatic and start it. Remember this site, bookmark it and visit it regularly to check for new updates – http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

Number 3: Security policy. You could do it automatically by downloading pre-configured security policies from NSA and follow the documentation, or if you prefer to know what you’re doing, and you are not in a domain network, click on Start, Run, type gpedit.msc, Enter. You will be presented with a tree view of settings, just go through them and set them to your preference.

gpedit.msc

I strongly suggest reading the documentation in the above NSA link, though.

Number 4: Users. Install your apps as Administrator, and create a regular user for everyday use.
Remove their membership from Users group, and make them members of Guests group.

Log in as Administrator only when needed to install or remove something. Why? Just do it, don’t ask questions. Set passwords for all users you create, including Administrator! How to create users? Click on Start, Run, type lusrmgr.msc (sounds crappy, I know, MS makes joke of us), press Enter,

users

Click on Users – right-click on Administrator – set password – and set a password for your admin account. Right click on Users, create the users you will be working daily with.

Number 5: Never, EVER download any cracks, game patches, online video players, screensavers, etc, just don’t because most of them are infected by viruses, spyware, malware or trojans. Think about it: who will ever spend time and money to create a crack, website, free screensaver, and give them to you for FREE, if the program is not opensourced? No free beer out there. YOU GONNA PAY BASTARD!

Number 6: This guide is short and helps secure your home pc to some acceptable level. You could check out the link I posted above with the NSA security configuration guide – if you really need deeper level of security for your XP box, implement it step-by-step.

Good luck!

or..

you could follow this guide. And download the Windows Vista Security Configuration gude, written by the security community in collaboration with Microsoft(tm), and BE secure.

Get it here (as in here), at MS or at NSA

You will need at least basic system administration knowledge to apply it, and.. don’t forget to make a backup of your system *before* you apply it. I would say “Read the documentation first, apply knowledge second”, but we all know you would like to apply first and read the documentation second so… In the folder “Security Templates” there are some .inf files. Copy them to c:\windows\security\templates, click on Start, Run – mmc – Add/remove snap in – Add “Security Configuration and Analysis” and “Security Templates” snap-ins.

You should see your new template in the list of the Security Templates snap-in. You can edit it’s settings from there, don’t forget to save it in the script original location, not only in C:\windows\security\templates.

To review the template compared to the current settings on the box, right-click on “Security Configuration and Analysis”, choose Open Database, type newsecurity in the file field, choose Open (this will create a new configuration database). Right-click on  “Security Configuration and Analysis” again, choose Import Template, and select your custom template. Right-click on “Security Configuration and Analysis” again, and choose Analyze Now.

You could change the settings you don’t like, and then instead of “Analyze Now” you would need to choose “Configure Now”, and your computer will be configured with the new security settings.