Re: Power Users, AntiSpyware & CriticalUpdates
From: David Glosser (david_glosser_at_yahoo.com)
Date: 09/07/05
- Previous message: Hindle, Dallas: "RE: Computer forensics to uncover illegal internet use"
- In reply to: Ansgar -59cobalt- Wiechers: "Re: Power Users, AntiSpyware & CriticalUpdates"
- Next in thread: Ansgar -59cobalt- Wiechers: "Re: Power Users, AntiSpyware & CriticalUpdates"
- Reply: Ansgar -59cobalt- Wiechers: "Re: Power Users, AntiSpyware & CriticalUpdates"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 06 Sep 2005 19:21:18 -0400
To: Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net>, security-basics@securityfocus.com
> Power users are not really an improvement, as they still have far too
> many privileges to achieve actual security. Make your users normal
> users if possible. Otherwise don't bother. Making them power users isn't
> worth the time you'll spend on it.
>
If you have an app which doesn't work as a regular user, you can run
utilities (I believe "regmon" and "filemon") to see what directories and
registry entries need to be opened up.
> You could leave automatic updates pointing directly to Microsoft's
> update servers. A (W)SUS would enable you to test updates on a set of
> test boxes before approving them for automatic enrollment to your
> network, though, so having a (W)SUS usually is a good idea.
>
If you can wait a day or two before deploying updates, then a (W)SUS box is
a good idea. Wait until the day after Patch Tuesday. See if there are any complaints
about a patch. If not, then approve. Of course, you are waiting an extra day
or two before you install a critical security patch.
> We will have Spybot installed. I also want to install Microsoft
> AntiSpyware, but it has so many poorly-worded, cryptic "warnings", that we
> may not. Are there any decent articles on controlling AntiSpyware alerts,
> or should we move on to something like CounterSpy?
I believe you need a license to use Spybot in a corporation.
> How about "move to not getting spyware installed in the first place"?
> Like don't make your users admins or power users and have them use a web
> browser that is not IE.
>
You can also run snort with the "bleeding malware rules" to catch machines
already infected. Also you can run "Black-Hole DNS" on your internal server
to loopback domains associated with malware to 127.0.0.1. This will prevent
new infections and help neuter existing ones. www.bleedingsnort.com
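As an added illustration of the Black-Hole DNS idea above (example code, not from the original post or from the bleedingsnort project): a Python generator that turns a malware-domain list into BIND configuration in which each listed domain, and every name below it, resolves to 127.0.0.1 on the internal server. The sample domain list and the zone file path are constructed assumptions.

```python
"""Generate a BIND 'blackhole' configuration from a malware-domain list.

Each listed domain becomes an authoritative zone on the internal resolver,
and one shared zone file answers every name in it (apex and wildcard)
with 127.0.0.1, so clients never reach the real host.  Constructed example.
"""

SINKHOLE_IP = "127.0.0.1"
ZONE_FILE = "/etc/bind/db.blackhole"   # assumed path, adjust to taste

# Constructed sample list: comments, blank lines, mixed case, trailing dots.
SAMPLE_LIST = """
# malware domains (constructed for this example)
bad-example.test.
Evil-Downloader.example
bad-example.test
www.bad-example.test
"""

def normalise(raw):
    """Lower-case, strip trailing dots, drop comments, blanks and duplicates."""
    seen, out = set(), []
    for line in raw.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out

def is_sinkholed(name, domains):
    """True if name or any parent label is listed (the zone covers it)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def named_conf(domains):
    """Zone stanzas for named.conf; subdomains of a listed zone are redundant."""
    tops = [d for d in domains if not is_sinkholed(d, set(domains) - {d})]
    return "".join(
        'zone "%s" { type master; file "%s"; };\n' % (d, ZONE_FILE) for d in tops)

def zone_file():
    """One shared zone file: apex and wildcard both point at the sinkhole."""
    return (
        "$TTL 300\n"
        "@   IN SOA  localhost. root.localhost. ( 1 3600 600 86400 300 )\n"
        "@   IN NS   localhost.\n"
        "@   IN A    %s\n"
        "*   IN A    %s\n" % (SINKHOLE_IP, SINKHOLE_IP))

if __name__ == "__main__":
    print(named_conf(normalise(SAMPLE_LIST)))
    print(zone_file())
```

Pointing the answers at a local sinkhole host instead of 127.0.0.1 additionally gives you a log of which machines keep asking for the listed domains.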