RE: IE Malware / Spyware Control Methods

["James C Slora Jr" <Jim.Slora () phra com>]

MS KB833633 has details about how to accomplish the GP. Their policy does
not go far enough IMO, but the technique is the same for whatever changes
you wish to make.
http://support.microsoft.com/default.aspx?scid=833633
 
http://seclists.org/lists/bugtraq/2004/Jul/0085.html
Has relevant registry information to help create a My Computer lockdown
policy template. 

I like to keep outdated ActiveX killbits set in GP even though current
patches kill them - just in case a machine gets missed or they get unkilled
through some means.

Turning off WSH has also been good for me.
As has setting Outlook to use its internal editor instead of MS Word.

The Silent Runners site and script are excellent and updated sources for
startup locations (many are GP-controllable). Locking these locations
prevents many automatic startup vectors even if initial infection gets
through.
http://www.silentrunners.org

You might choose to manage some settings through logon scripts instead of
GP. This allows you to reset controversial lower-risk settings to safe
defaults at login, but still allows users or applications to change the
settings if necessary.

Illuminatus Master wrote Friday, January 07, 2005 14:20

> James,
> That's the answer I was hoping to see, GP is my prefered 
> choice as it lets me administer the entire domain without 
> having to touch each machine, it also prevents non-privledged 
> user from lowering the security settings.
>
> For those that have answered with "use Mozilla/Firefox", It 
> would be the ideal solution but for a few concerns. I have 
> considered deployment and do use it on my own machines but 
> the drawbacks of distributing it across a domain are obvious:
> -It cant be controlled in a group setting (like AD Group Policy).
> -It cant be updated en-masse (as far as I know).
> -It would require a hands-on for each work station to 
> install/patch, not the prefered option for overtaxed IT staff.
> -The above could lead to another major issue if/when a 
> critical vuln/exploit for mozilla/firefox surfaces and you 
> have to reinstall/patch each client by hand (too time 
> consuming and no way too audit which versions are on which machines).
>
> If any admin on the list has deployed and is managing a 
> different browser in an enterprise setting (complete with 
> auditing controls sufficient to satisfy security 
> requirements) I'd be very happy to hear it.
>
> To clarify the environment here, this is an enterprise grade 
> environment with http content filtering, distributed AV 
> (Symantec v9 which catches "some" malware), edge firewalls 
> (so "drive by" portscans to the internal LAN are null). I 
> suspect most of the infections are happening through banner 
> ads on what would otherwise be "reputable"
> websites.
>
> James If you have any other specific information on your GP 
> setup it could save me some legwork during implementation.
>
> All input is welcome as the issue of malware is long overdue 
> for a solution and the current trend of the stuff is that it 
> is becoming more and more damaging.
>
> Thanks all,
> massa
>
> On Fri, 7 Jan 2005 13:12:22 -0500, James C Slora Jr 
> <Jim.Slora () phra com> wrote:
> > Illuminatus Master wrote Friday, January 07, 2005 12:37
> >
> > > My question is this, I'm batting around the idea of using Group 
> > > Policy in our Active Directory to  try and choke IE down to the 
> > > point where such Malware has trouble installing itself. 
> Has anyone 
> > > here ever tried such as this with any degree of success?
> >
> > Yes, GP settings have helped me quite a bit. "My Computer" zone 
> > lockdown was the single most effective change. Killbitting 
> abused or 
> > unnecessary ActiveX controls is also very helpful. Between 
> those two 
> > thing, most of last year's IE exploits got stopped - and so 
> most adware also got stopped.
> > There is a whole world of other little things that can help, and GP 
> > helps roll out a lot of them. It may take a good deal of 
> > experimentation to come up with a GP configuration that is locks 
> > things down as well as possible while allowing the things your org 
> > cannot live without, and that gives you flexibility where 
> you need it.
> > GP has not been much help against social engineering 
> vectors that do 
> > not depend on browser exploits, though.