Security Incidents mailing list archives
RE: IE Malware / Spyware Control Methods
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Fri, 7 Jan 2005 20:04:47 -0500
MS KB833633 has details about how to accomplish the GP. Their policy does not go far enough IMO, but the technique is the same for whatever changes you wish to make. http://support.microsoft.com/default.aspx?scid=833633

http://seclists.org/lists/bugtraq/2004/Jul/0085.html has relevant registry information to help create a My Computer lockdown policy template.

I like to keep outdated ActiveX killbits set in GP even though current patches kill them - just in case a machine gets missed or they get unkilled through some means.

Turning off WSH has also been good for me. As has setting Outlook to use its internal editor instead of MS Word.

The Silent Runners site and script are excellent and updated sources for startup locations (many are GP-controllable). Locking these locations prevents many automatic startup vectors even if initial infection gets through. http://www.silentrunners.org

You might choose to manage some settings through logon scripts instead of GP. This allows you to reset controversial lower-risk settings to safe defaults at login, but still allows users or applications to change the settings if necessary.

Illuminatus Master wrote Friday, January 07, 2005 14:20:
James, that's the answer I was hoping to see. GP is my preferred choice as it lets me administer the entire domain without having to touch each machine; it also prevents non-privileged users from lowering the security settings.

For those that have answered with "use Mozilla/Firefox": it would be the ideal solution but for a few concerns. I have considered deployment and do use it on my own machines, but the drawbacks of distributing it across a domain are obvious:

- It can't be controlled in a group setting (like AD Group Policy).
- It can't be updated en masse (as far as I know).
- It would require a hands-on for each workstation to install/patch, not the preferred option for overtaxed IT staff.
- The above could lead to another major issue if/when a critical vuln/exploit for Mozilla/Firefox surfaces and you have to reinstall/patch each client by hand (too time consuming and no way to audit which versions are on which machines).

If any admin on the list has deployed and is managing a different browser in an enterprise setting (complete with auditing controls sufficient to satisfy security requirements) I'd be very happy to hear it.

To clarify the environment here, this is an enterprise grade environment with HTTP content filtering, distributed AV (Symantec v9 which catches "some" malware), edge firewalls (so "drive by" portscans to the internal LAN are null). I suspect most of the infections are happening through banner ads on what would otherwise be "reputable" websites.

James, if you have any other specific information on your GP setup it could save me some legwork during implementation. All input is welcome, as the issue of malware is long overdue for a solution and the current trend of the stuff is that it is becoming more and more damaging.
Thanks all,
massa

On Fri, 7 Jan 2005 13:12:22 -0500, James C Slora Jr <Jim.Slora () phra com> wrote:

Illuminatus Master wrote Friday, January 07, 2005 12:37:

My question is this: I'm batting around the idea of using Group Policy in our Active Directory to try and choke IE down to the point where such malware has trouble installing itself. Has anyone here ever tried such as this with any degree of success?

Yes, GP settings have helped me quite a bit. "My Computer" zone lockdown was the single most effective change. Killbitting abused or unnecessary ActiveX controls is also very helpful. Between those two things, most of last year's IE exploits got stopped - and so most adware also got stopped.

There is a whole world of other little things that can help, and GP helps roll out a lot of them. It may take a good deal of experimentation to come up with a GP configuration that locks things down as well as possible while allowing the things your org cannot live without, and that gives you flexibility where you need it.

GP has not been much help against social engineering vectors that do not depend on browser exploits, though.
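The two controls this exchange keeps coming back to, ActiveX killbits and the "My Computer" zone lockdown, can be audited (and, in the logon-script style James describes, reset) with a short script. This is an added PowerShell example, not code from the thread or from Microsoft; the CLSIDs are constructed placeholders and the choice of which Zone 0 actions to disable is an assumption, as is the use of PowerShell rather than a 2005-era VBScript logon script.

```powershell
# Added example (not from the thread). Audits ActiveX killbits and the
# "My Computer" zone (Zone 0) actions, and resets them when run with -Enforce.
# Killbits live under HKLM and need an elevated/startup context; Zone 0 is per user.
param([switch]$Enforce)

$KillbitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400      # "Compatibility Flags" bit that blocks the control in IE
# Constructed placeholder CLSIDs; replace with the controls you have decided to block.
$Clsids = @('{00000000-0000-0000-0000-000000000001}',
            '{00000000-0000-0000-0000-000000000002}')

# Zone 0 actions: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable. Disabling both is an assumption.
$ZoneRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$WantedZone = @{ '1200' = 3; '1400' = 3 }

function Get-KillbitFlags([string]$Clsid) {
    $key = Join-Path $KillbitRoot $Clsid
    $v = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }            # no entry at all means no killbit
    return [int]$v.'Compatibility Flags'
}

function Set-Killbit([string]$Clsid) {
    $key = Join-Path $KillbitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-KillbitFlags $Clsid) -bor $KillBit      # keep any other flags intact
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

foreach ($c in $Clsids) {
    $killed = ((Get-KillbitFlags $c) -band $KillBit) -ne 0
    "{0}  killbit={1}" -f $c, $killed
    if (-not $killed -and $Enforce) { Set-Killbit $c; "  -> killbit set" }
}

foreach ($action in $WantedZone.Keys) {
    $have = (Get-ItemProperty -Path $ZoneRoot -Name $action -ErrorAction SilentlyContinue).$action
    $ok   = ($null -ne $have) -and ([int]$have -eq $WantedZone[$action])
    "Zone0 {0}: current={1} wanted={2} ok={3}" -f $action, $have, $WantedZone[$action], $ok
    if (-not $ok -and $Enforce) {
        Set-ItemProperty -Path $ZoneRoot -Name $action -Value $WantedZone[$action] -Type DWord
        "  -> reset to safe default"
    }
}
```

Run without -Enforce first to see which machines have drifted; a GP-delivered setting will win over the logon-script value anyway, so use the script only for the "controversial lower-risk" settings James mentions.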