Re: Question Regarding Windows Security

From: Keith W. McCammon (km_at_km.com)
Date: 04/12/04


Date: Mon, 12 Apr 2004 14:08:24 -0400

This is a long and complicated question, but hopefully this short answer
will suffice...

There are a number of reasons why this happens. You might call it the
"perfect storm" of improper application implementation (IE), poor
integration design (IE and underlying OS), etc. Stopping spyware if you're
using IE is tough, unless you can be *very* restrictive in your policies
(which sometimes isn't an option in a corporate environment).

Anyway, Microsoft is well aware of this, and is releasing Service Pack 2 for
Windows XP to address these specific issues (as well as a number of other
long-overdue corrections to the security implementation). Among other
things, it fixes pop-ups, misleading windows (i.e., web windows that look
like OS prompts--a common spyware entry point), as well as the ability of
web-based code to execute on the system at all, without confirmation.

This SP will be released later this year. In the meantime, you can get the
SP2 preview at http://www.microsoft.com/SP2Preview. It's a release
candidate, so I wouldn't push it out. But install it on a test box and give
it a run. It's already very stable, and very effective at reducing the
overall attack surface in XP.

"dln" <dnadon_nospm@hotmail.com> wrote in message
news:Obizw9IIEHA.2252@TK2MSFTNGP10.phx.gbl...
> Good day all. I've got a few questions regarding Windows security that
> perhaps someone can help me out with. We are running a Windows 2003 Domain
> with everybody's local workstations running Windows XP. Both client and
> server machines are always kept up to date with the latest OS patches and
> Symantec AV patches. One thing that we're beginning to see quite a bit of
> lately is spyware/adware/scumware being installed via MSN Messenger.
>
> There are two typical scenarios that we're seeing. The first is someone in
> the organization gets an IM from another person they "trust" and the message
> contains a URL which the individual clicks on. This in turn launches an
> installer that not only installs the adware onto the person's local system,
> but then also sends out the same message to everybody in the individual's
> MSN contact list and the process repeats itself.
>
> The second scenario is a person is conversing with another individual and
> all of a sudden software starts getting installed on the person's system
> without any prompting from the user (there was no URL to click on, like in
> scenario 1). Normally, I wouldn't have believed the user's claim that they
> didn't do anything out of the ordinary, but I was looking over their
> shoulder while all this transpired. I'm also at a loss to explain how this
> happened other than the user's system was already infected.
>
> Although I'm surprised at this behavior, I'm still trying to determine the
> best course of action to prevent our systems from being infected. The first
> thing that crosses my mind is to remove administrative access for everybody
> on their local boxes - something that I've suggested in the past, but was
> shot down due to the inconvenience of not being able to install software as
> a non-admin user (which is exactly why I wanted to remove admin access).
>
> So now, onto the questions. First, will removing local administrative
> rights from everybody's machine prevent the installation of adware/spyware?
> It seems to me that it might, I am reluctant to test this assumption.
>
> Secondly, I can publish managed software via an AD software policy and this
> should solve most of everybody's software concerns since software published
> via AD is installed under elevated privileges. However, the problem I run
> into there is that some of the software used at our site does not come in
> the form of an MSI package. Can anybody recommend a good software package
> that will convert an install.exe to an MSI package?
>
> Lastly, what impact will removing admin access have on our software
> developers? Most of the developers on-site do Java/Web development and a
> few use MS Developer Studio .Net. It seems to me that basic software
> development shouldn't be affected, but is there something that I haven't
> considered?
>
> Any assistance or input you could provide would be greatly appreciated.
>
> Regards.
>
>


