Re: RE: web browsing in production environment - a journey through comfort and security



I would hold yourself to keep group policies on for one good reason.
Accountability. With the system that you have set up, you can tell
who approved the trusted site, who is provided access to said site,
and CYA through that method.

On Thu, Jul 9, 2009 at 8:35 AM, <info@xxxxxxxxx> wrote:
besides that, what would happen in the worst case if we decide to set group
policy settings to default, which means that active content in untrusted
websites is allowed.

i spoke to many other it administrative persons, and nearly none of them
have a strict policy like us. they all got anti virus gateways/proxies and
that's it. but am i right that mostly none of the anti virus proxies detect
browser exploits? could we rely our security on such proxy servers instead
of cutting off active content?

cheers




From: Marc Rivero López <mriverolopez@xxxxxxxxx>
To: <info@xxxxxxxxx>, <security-basics@xxxxxxxxxxxxxxxxx>
Date: 06.07.2009 22:03
Subject: RE: web browsing in production environment - a journey through comfort and security




You have a very well staged. Even though there are vulnerabilities in the
structure.
For example, a misconfigured LDAP server is susceptible to LDAP injection.
And what about turning off the Group Policies, I would say no. You must have
a security policy and stick to it. You must make clear to users that it is
important. Also if you're always the last in terms of upgrades I do not
think you have problems. Also look at any solution of type End Point
Security.

Marc Rivero López
http://www.seifreed.wordpress.com

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On behalf of info@xxxxxxxxx
Sent: Monday, 06 July 2009 13:45
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: web browsing in production environment - a journey through comfort and security



dear list,

actually i rack my brain about web browsing in a productive environment and
the risks and the most comfortable way for users to browse the internet.
there are several ways to get most security but it always faces the comfort.
i would like to show up our situation and explain where problems occur or
users lose convenience.

today we have an environment which is arranged as follows:

- a windows 2003 domain
- a citrix terminal server farm ( 6 servers, 120 employees )
- a astaro firewall appliance ( with web security - it uses its own proxy
service (astaro engineered) and anti virus modules - clam & avira )
- a squid proxy server (3.x) (it does authentication against domino ldap)
with trend micro web security suite and squidguard for some url filtering
(mainly pron) - the blacklists are updated once a day

* web browsing is only possible via the citrix sessions of the users ( no
local access from desktop or from somewhere else). unfortunately we need to
use internet explorer (7) because most of the sites, which users reach work
only with IE :-(
( i already tried to migrate firefox without success )

* we limit the active content of websites via microsoft group policies.
only websites which are registered as trusted sites in group policies can
show its active content ( java, active x, javascript etc)

* we have a chain of proxy servers. (see list of environment).

so if a user starts its internet explorer in its citrix session, the IE
passes its way through the proxy servers:

1. checks if the website is a trusted site in group policy or not and
starts active content or not

2. squid proxy server (located in demilitarised zone) -> authentication
against LDAP (and logs all requests with username, ip, etc.)

3. Checks SquidGuard if website is on  blacklist

4. passes traffic to trend micro web security suite ( anti virus engine for
http(s) and ftp )

5. passes the traffic to the astaro (which is the parent proxy) which uses
its own scanners (clam and avira)


the main problem for the employees with that procedure is the group policy
configuration. users want to ( they don't know anything about browser
exploits or else security risks ) surf the internet like they are at home,
and the it staff needs to make it as comfortable as possible and as secure
as possible.....
right now the employees need to get in touch with the management to request
a site to set it to trusted and the management get in contact with the it
staff. ok, it's just half of the truth, we engineered a database in which
the request for a trusted site could be filled in and gives all reviewed
sites to the group policies, but just from allowed persons, but it
sticks to it, the employees need to request a site.......the employees are
peeved and always ask why the hell this is needed...

another problem: if a website calls another domain (or ip address) in its
code the site is just half functional (because the other domain or ip isn't
registered in trusted sites).....some frames, etc. won't work (bling bling
active, you know what i mean?)

all that causes the employees to feel blue and bugging the management as
often as possible.

questions:

- what would happen in worst case, if we turn off the group policies and
set the internet explorer settings to default and someone runs into a
browser exploit
- are there different kinds of browser exploits on which we should be more
attentive
- i know most of the exploits try to implant viruses on the host, we have 3
anti virus engines, how high could be the impact?
- the firewall is configured with restrictive egress filtering - a backdoor
to the outside shouldn't be able to reach the internet. are there tricks
used ( for example go through the proxy ) and are the backdoors intelligent
enough.
- how do you guys rate the situation ( relating to turn off group policy )
- how do you guys handle web browsing within the productive network?
- i thought that anti virus proxies handle viruses / virus code in http/ftp
traffic but never detect exploits, is that true?
- do we increase the risk management immoderate if we switch off group
policies?
- maybe there is an appliance for detecting malicious code in active
content?

sorry for that much questions and text but it's a sensitive theme from which
i guess that a lot of persons are interested in.....i am thankful for any
hint or thoughts from you, belonging to this.

cheers,

Maik


HITCON AG
Maik Linnemann
Gartenstraße 208
48143 Münster
+49 (251) 2801-205 (Phone)
+49 (251) 2801-280 (Fax)
+49 (170) 6364-205 (Mobile)
mailto:info@xxxxxxxxx
http://www.hitcon.de

Members of the Executive Board: Helmut Holtstiege, Tobias Helling
Chairman of the Supervisory Board: Hans-Hermann Schumacher

Registered office: Münster
Court of registration: Amtsgericht Münster, HRB 5177

member of http://www.grouplink.de

--
+=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_+
"Sometimes the correct tool for the job isn't the one in your hand,
but the one in your head... "

-- unknown
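
The original post describes pages that are only half functional because the frames they embed come from domains or IP addresses that are not registered as trusted sites. The following is an added example, not code from any poster in this thread: it checks the origins one page load depends on against a trusted-sites list, so a reviewer can see what a single request would need to cover. The matching rules are a simplified model and an assumption, not Internet Explorer's actual zone algorithm; all entries and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data: trusted-site entries as approved through the
# request database, and the frame URLs that one page load pulls in.
TRUSTED_SITES = ["https://portal.example.com", "*.supplier.example"]
PAGE_REQUESTS = [
    "https://portal.example.com/index.html",
    "https://static.supplier.example/frames/menu.html",
    "https://cdn.example.net/player/embed.html",
    "http://portal.example.com/frames/news.html",
    "https://203.0.113.10/frame.html",
]

def _split_entry(entry):
    """Return (scheme or None, host pattern) for one trusted-site entry."""
    if "://" in entry:
        scheme, host = entry.split("://", 1)
        return scheme.lower(), host.lower().rstrip("/")
    return None, entry.lower().rstrip("/")

def is_trusted(url, trusted=TRUSTED_SITES):
    """Simplified zone check (assumption): the scheme must match when the
    entry names one, '*.domain' covers the domain and its subdomains,
    and any other entry must equal the host exactly."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for entry in trusted:
        scheme, pattern = _split_entry(entry)
        if scheme and scheme != parts.scheme.lower():
            continue
        if pattern.startswith("*."):
            base = pattern[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == pattern:
            return True
    return False

def blocked_origins(requests, trusted=TRUSTED_SITES):
    """Origins a page depends on that no trusted-site entry covers."""
    seen = []
    for url in requests:
        parts = urlsplit(url)
        origin = f"{parts.scheme}://{parts.hostname}"
        if not is_trusted(url, trusted) and origin not in seen:
            seen.append(origin)
    return seen

if __name__ == "__main__":
    for origin in blocked_origins(PAGE_REQUESTS):
        print("not covered by a trusted-site entry:", origin)
```

The plain-HTTP frame on the otherwise trusted portal host shows up as uncovered because the approved entry names `https` only.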