Mark Minasi's Tech Forum
Endaar, post #1
Hi All,

Just wondering what you are all doing to protect against Cryptolocker and other types of ransomware. We've never had a virus of any sort here in 11+ years (I'm in K-12) so I think our basic procedures are pretty good, but with all the publicity of major institutions getting hit, plus a few school districts in our area that did as well, I'm concerned.

Some of the below is long-standing policy, other items are specifically in response to the recent threats.

* All users have standard user accounts only.
* Domain admins have a separate non-privileged account for general use.
* All internet access is filtered, ads are blocked, and we whitelist sites that use Java as needed.
* We prohibit executables in users' networked home folders and shared folders.
* We prohibit running applications from removable drives.
* All systems have desktop A/V, either Kaspersky (which we're moving away from) or System Center Endpoint Protection.
* We have versioned backups on a non-Windows system.
* E-Mail is filtered for SPAM and viruses both in the cloud and on-premise.
* Office macros are disabled.
* Acrobat Reader is blocked from opening links.
* Software restriction policies are in place to prevent execution from local user profiles, start menu, etc.
* We stay current on Windows patches, Java, Flash, etc.

I would love to disable Flash but in K-12 that's just not doable, there's too many "educational" sites out there that require it.

Anything I'm missing?

Thanks,
James

downtime, post #2
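An added example, not part of James's post or anything else in the thread: a PowerShell audit that reads two of the controls in his list (the Software Restriction Policy and the Office macro policy) back from the registry of the machine it runs on, using Microsoft's documented SRP (`Safer\CodeIdentifiers`) and Office policy layout. The rule GUIDs and descriptions are whatever your GPO wrote; the environment-variable locations checked at the end are an assumption about where user-profile SRP rules usually point.

```powershell
# Added example, not from the forum thread: audit the SRP and Office macro policy
# on the local machine. Registry layout per Microsoft's SRP / Office policy docs.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels exactly as stored in the registry (DWORD)
$LevelName = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
                131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    if (-not (Test-Path $SaferRoot)) { return $null }
    $root = Get-ItemProperty -Path $SaferRoot

    # Each numeric subkey is a level; Paths\{GUID} beneath it holds one path rule.
    $rules = foreach ($levelKey in Get-ChildItem -Path $SaferRoot | Where-Object PSChildName -match '^\d+$') {
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            # Read ItemData unexpanded so a rule shows as %USERPROFILE%\..., not C:\Users\me\...
            $raw = (Get-Item $rule.PSPath).GetValue('ItemData', $null,
                       [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            [pscustomobject]@{
                Level       = $LevelName[[int]$levelKey.PSChildName]
                Path        = $raw
                Description = (Get-ItemProperty -Path $rule.PSPath).Description
            }
        }
    }

    $default = if ($null -eq $root.DefaultLevel) { 'Not set' } else { $LevelName[[int]$root.DefaultLevel] }
    $scope   = if ($root.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }
    $enforce = switch ([int]$root.TransparentEnabled) {
        2       { 'all software files, including DLLs' }
        1       { 'all software files except libraries' }
        default { 'unknown' }
    }
    [pscustomobject]@{ DefaultLevel = $default; AppliesTo = $scope; Enforcement = $enforce; Rules = @($rules) }
}

# Office macro policy. VBAWarnings: 1 = enable all, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
$VbaName = @{ 1 = 'Enable all'; 2 = 'Disable, notify'; 3 = 'Signed only'; 4 = 'Disable all' }

function Get-OfficeMacroPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($ver in '14.0', '15.0', '16.0') {            # Office 2010 / 2013 / 2016
            foreach ($app in 'Word', 'Excel', 'PowerPoint') {
                $key = "${hive}:\Software\Policies\Microsoft\Office\$ver\$app\Security"
                if (-not (Test-Path $key)) { continue }
                $p = Get-ItemProperty -Path $key
                $macros = if ($null -eq $p.VBAWarnings) { 'Not set' } else { $VbaName[[int]$p.VBAWarnings] }
                [pscustomobject]@{
                    Hive = $hive; Office = $ver; App = $app; Macros = $macros
                    BlockFromInternet = ($p.blockcontentexecutionfrominternet -eq 1)   # Office 2016+ only
                }
            }
        }
    }
}

$srp = Get-SrpPolicy
if ($null -eq $srp) {
    'No Software Restriction Policy is applied to this machine.'
} else {
    "SRP default level: $($srp.DefaultLevel); applies to $($srp.AppliesTo); enforced on $($srp.Enforcement)"
    $srp.Rules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize
    # With a Disallowed default these rules are redundant; with an Unrestricted default
    # every user-writable location needs its own Disallowed rule or it is a hole.
    foreach ($loc in '%USERPROFILE%', '%APPDATA%', '%LOCALAPPDATA%', '%TEMP%') {   # assumed rule targets
        $covered = @($srp.Rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -like "$loc*" }).Count -gt 0
        '{0,-16} {1}' -f $loc, $(if ($covered -or $srp.DefaultLevel -eq 'Disallowed') { 'blocked' } else { 'NOT blocked' })
    }
}
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it as a standard user on a domain-joined workstation after `gpupdate`; a machine whose SRP default is Unrestricted with only a handful of Disallowed path rules is the usual state behind "we have SRP", and the per-location check is what shows whether `%LOCALAPPDATA%` and `%TEMP%` (where a dropper lands) are actually among them.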
For me: 

* All users have standard user accounts only.

Yes

* Domain admins have a separate non-privileged account for general use.

No. We use Windows 7 with UAC, so any admin task requires authentication.

* All internet access is filtered, ads are blocked, and we whitelist sites that use Java as needed.

We use Zscaler filtering service. It's pretty good.
Ads and Java NOT blocked.

* We prohibit executables in user's networked home folders and shared folders.

I don't.

* We prohibit running applications from removable drives.

We prevent access to all removable drives except authorised, encrypted company provided devices.

* All systems have desktop A/V, either Kaspersky (which we're moving away from) or System Center Endpoint Protection.

AV on all servers and desktops scanning all files types except when recommended not to do so (Exchange, SYSVOL, etc.).

* We have versioned backups on a non-Windows system.

No comment!

* E-Mail is filtered for SPAM and viruses both in the cloud and on-premise.

We have multiple spam/virus filters.

* Office macros are disabled.

Same here.

* Acrobat Reader is blocked from opening links.

Is this easy to implement?

* Software restriction policies are in place to prevent execution from local user profiles, start menu, etc.

We have an extremely strict SRP in place.

* We stay current on Windows patches, Java, Flash, etc.

Same here. We have an aggressive testing and patching policy.

donoli, post #3
It looks like you may have it covered but just to be sure, do your rule sets prevent users from accessing their personal email accounts? In other words, any accounts other than the email assigned by the school?

downtime, post #4
We prevent users accessing their personal email from work. We also prevent things like P2P, file transfer programs (FTP, Skype file transfer, dropbox, etc.)

Edit: I also run Microsoft's EMET 5.5 (Enhanced Mitigation Experience Toolkit) on all admin PCs. I added all executable files to EMET. This is quite a new install, so I'm testing/learning what this can/can't do. It's a free download though.

donoli, post #5
Quote:
* All internet access is filtered, ads are blocked, and we whitelist sites that use Java as needed.

It probably won't happen but I'll ask anyway. If secure boot is not enabled & someone booted one of the computers with a Live CD, how many of those group policies would no longer be in effect, particularly the quoted policy? At that point, only the router stands between the user & the outside world.

Michael Pietrzak, post #6
My university got hit twice with cryptolocker on machines that were protected by McAfee enterprise.

The higher ups have failed to renew products that protected us....Sophos Endpoint, Barracuda web filter, Barracuda Mail filter, Avecto PrivilegeGuard, etc etc. I kinda hope it does hit a valuable target just so I can say I told you so. 

Endaar, post #7
Re: Blocking Acrobat links

Yeah, not too bad. I think there's actually a GPO template from Adobe but we just grabbed the registry changes and pushed them with Group Policy. We did try also enabling "protected view" but that broke just about any PDF hosted on a secure (HTTPS) site and we had to roll the setting back.

Quote:
Originally Posted by donoli
do your rule sets prevent users from accessing their personal email accounts?

I already have to dodge the pitchforks on the way in to work each morning. I could never get away with this. And yes, I know it's a threat vector but at least their e-mail is still content filtered through Websense.

Quote:
Originally Posted by donoli
It probably won't happen but I'll ask anyway. If secure boot is not enabled & someone booted one of the computers with a Live CD, how many of those group policies would no longer be in effect, particularly the quoted policy? At that point, only the router stands between the user & the outside world.

We use an implicit (transparent) proxy to redirect traffic to our content filter, so they would still be getting filtered. I suppose there's some risk of them manually setting an IP that isn't proxied, but I'm not sure how much effort I should go through to protect against such an edge case.

jsclmedave, post #8
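An added example, not code from James's post: the kind of Acrobat Reader lockdown registry values he describes grabbing and pushing with Group Policy, applied to `HKLM` on a single machine so the settings can be tested before they go into a Group Policy registry preference. The key and value names are Adobe's documented `FeatureLockDown` preferences; the numeric values assumed here (1 = block all URLs, 3 = block unknown URLs) should be checked against Adobe's Preference Reference for the Reader version you deploy, and the `$ReaderVersion` path segment is an assumption (`DC` for Reader DC, `11.0` for Reader XI).

```powershell
# Added example, not from the thread: Acrobat Reader FeatureLockDown values, applied
# locally for testing. Key/value names per Adobe's Preference Reference; verify the
# numeric values for your Reader version before pushing them by GPO.

$ReaderVersion = 'DC'   # 'DC' for Reader DC; '11.0' for Reader XI (assumption)
$LockDown = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown"

# Registry key -> @{ ValueName = DWORD value }. HKLM\...\FeatureLockDown both sets the
# preference and greys it out in the Reader UI, so users cannot switch it back on.
$Settings = @{
    "$LockDown\cDefaultLaunchURLPerms" = @{
        iURLPerms        = 1   # "Block PDF files' access to all web sites" (the link-blocking James describes)
        iUnknownURLPerms = 3   # URLs on neither the allow nor block list: block (1 = ask, 2 = allow)
    }
    "$LockDown" = @{
        bProtectedMode                   = 1   # sandbox on
        bEnableProtectedModeAppContainer = 1
        bDisableJavaScript               = 1
        bEnableFlash                     = 0   # Flash content embedded in PDFs
        # iProtectedView = 2 (Protected View for all files) is deliberately left out:
        # James reports it broke PDFs served over HTTPS and had to be rolled back.
    }
}

function Set-ReaderLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $Settings.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Settings[$key].Keys) {
            $value = $Settings[$key][$name]
            if ($PSCmdlet.ShouldProcess("$key\$name", "set DWORD to $value")) {
                New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value -Force | Out-Null
            }
        }
    }
}

function Test-ReaderLockdown {
    # One row per expected value; Ok = $false means it is missing or differs from $Settings.
    foreach ($key in $Settings.Keys) {
        foreach ($name in $Settings[$key].Keys) {
            $actual = $null
            if (Test-Path $key) {
                $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Key      = $key.Substring($LockDown.Length)   # '' or '\cDefaultLaunchURLPerms'
                Name     = $name
                Expected = $Settings[$key][$name]
                Actual   = $actual
                Ok       = ($actual -eq $Settings[$key][$name])
            }
        }
    }
}

Set-ReaderLockdown -WhatIf      # dry run; drop -WhatIf (and run elevated) to apply
Test-ReaderLockdown | Format-Table -AutoSize
```

Once the values are confirmed on a test machine, the same key/value pairs go into Computer Configuration, Preferences, Windows Settings, Registry of the GPO, which is the "registry changes pushed with Group Policy" approach rather than Adobe's ADMX template; `Test-ReaderLockdown` then doubles as the post-deployment check on any client.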
Yes, I'm going to say it before Mark or James Summerland gives me a hard time. AppLocker! Create a White List...

The rest of it looks great!

We block outside email here as well but the workaround is very easy to perform. So it's there, but...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  


downtime, post #9
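An added example, not from Tim's post or from Microsoft: one way to build the AppLocker white list he recommends with the AppLocker cmdlets, start it in audit-only mode, and ask the policy what it would decide before anyone is blocked. The scan directories, `C:\Baseline\AppLocker.xml` and the test file names are placeholders; the scan of `C:\Windows` takes a while on a real machine.

```powershell
# Added example, not from the thread: AppLocker whitelist from a clean reference
# machine, switched to AuditOnly, then tested against user-writable locations.
# Requires the AppLocker module (Windows 7 Enterprise/Ultimate, Server 2008 R2 or later).

# 1. Inventory what is allowed to run: everything installed on a clean reference box.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'   # placeholders
$inventory = foreach ($d in $dirs) {
    if (Test-Path $d) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Dll, Script, WindowsInstaller
    }
}

# 2. Turn the inventory into rules: publisher rules for signed files, hash rules for the
#    rest; -Optimize merges rules that share a publisher. Anything no allow rule matches
#    is denied once enforcement is on. That is the white list.
$xml = [xml](New-AppLockerPolicy -FileInformation $inventory -RuleType Publisher, Hash `
                 -User Everyone -RuleNamePrefix Baseline -Optimize -Xml)

# 3. Start in audit mode: would-be blocks show up as event 8003 in the
#    Microsoft-Windows-AppLocker/EXE and DLL (and /MSI and Script) logs.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policyPath = 'C:\Baseline\AppLocker.xml'                            # placeholder
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$xml.Save($policyPath)

# 4. Ask the policy for its decision on real files before deploying it.
function Test-WouldRun {
    param([string]$Path, [string]$User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# A signed Microsoft binary copied into %TEMP% is still Allowed: publisher rules
# match the signer, not the location, so the white list alone does not "block
# execution from the user profile" the way an SRP path rule does.
$tempExe = Join-Path $env:TEMP 'notepad-copy.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $tempExe -Force
Test-WouldRun -Path $tempExe

# An unsigned script that was not in the inventory has no matching rule and is
# denied by the default deny (PolicyDecision DeniedByDefaultRule).
$tempScript = Join-Path $env:TEMP 'dropper-test.ps1'
Set-Content -Path $tempScript -Value 'Write-Host hello'
Test-WouldRun -Path $tempScript

# 5. Deploy. Enforcement needs the Application Identity service running.
# sc.exe config appidsvc start= auto; sc.exe start appidsvc
# Set-AppLockerPolicy -XmlPolicy $policyPath                 # local machine
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://<dc>/CN={<gpo-guid>},CN=Policies,CN=System,DC=<domain>'
```

Review the 8003 audit events for a few weeks, add publisher rules for whatever legitimate software turned up, then flip `EnforcementMode` to `Enabled`. Hash rules break on every update of an unsigned application, so anything that updates itself is better covered by a publisher rule or moved somewhere non-writable and covered by a path rule.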
AppLocker isn't available for Windows 7 Professional [frown]

(The original poster may use Enterprise Edition though.)

Wes, post #10
AppLocker. Get Enterprise if you don't have it - well worth it!

Matt Thompson, post #11
In addition to the various policies and tools being listed, the two critical pieces of the puzzle yet to be mentioned are:

User awareness/training. Get this right and you'll reduce the attack surface considerably. Get it wrong and you'll numb your users to the dangers when they present themselves.

Incident response. How will your organisation respond prior to, during and post incident? If you don't have roles and responsibilities clearly defined, in addition to a tried and tested process, you'll find yourselves all running around like headless chickens. Tried and tested means running dummy incidents to ensure everybody knows what they are doing and to make continual improvements.

Wes, post #12
Sorry, meant AppLocker plus no admin rights, of course!

Endaar, post #13
Quote:
Originally Posted by Matt Thompson
User awareness/training. Get this right and you'll reduce the attack surface considerably. Get it wrong and you'll numb your users to the dangers when they present themselves.

Matt, by no means do I intend this as an attack against you, but I would love to see a situation where training is done, users are cooperative, and it's effective. I'll admit I'm a cynic, but I've seen zero indication from the overwhelming majority of my users that they even care if the network is compromised. Asking them to engage their brain before clicking links is a bridge too far, sadly. Which is why I spend so much time forcing security on them. 

Thanks for the feedback all. Crazy times we're dealing with these days.

James

donoli, post #14
Quote:
I've seen zero indication from the overwhelming majority of my users that they even care if the network is compromised.

For the most part, they probably don't care since they don't look at management as a friend. They look at it as someone who always wants to get as much as they can for the least possible. I only had one experience with it. The Trend Micro dashboard reported a virus on a workstation. I went to the user & asked her if she opened personal emails at work. She said yes. I requested that she wait until she went home to read them, & I said that we had to protect ourselves. I think that I got a favorable response because I said 'ourselves', which included her. I didn't say "we have to protect the owner".

Mafervus, post #15
On the original post, have you used any of the .edu-based Java proxies? Are you currently blocking all proxy software? In my K-12 experience that is one of my toughest battles. I even had a parent try to justify using proxies.
__________________
The problem with troubleshooting is that trouble shoots back. ~Author Unknown