Slashdot Mirror


Spyware/Adware Prevention In Large Deployments?

foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"


  1. Webroot Spy Sweeper Enterprise and Lavasoft too by erick99 · · Score: 5, Informative

    I took a look at enterprise antispyware software for a client and particularly liked Webroot's Spy Sweeper Enterprise product. It provides centralized management and automatic deployment, though you can do it manually as well. Definition upgrades as well as version upgrades of the software are also automated. Take a look at this page from their website. Lavasoft also has an enterprise product that is pretty good, though I think Webroot has a slight edge.

    --
    http://www.busyweather.com/
    1. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by SilentChris · · Score: 5, Informative

      You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

      The only one that I've seen get through (and it's not really spyware) is changing a person's homepage. I'm not sure why IE even allows this. Fortunately, the main reason for switching someone's home page (slamming them with pop-up ads) is kind of diminished with SP2.

      My feeling: the vast majority of administrators don't take advantage of the tools MS has provided. The one complaint I've heard ("We use programs that require special permissions, so we can't have staff run as limited users") is bollocks. Do what we do: take a few hours out during a deployment, contact the original software manufacturer (or figure it out in house) and set all the permissions correctly.

      And it's not just unknown shops. I recently read an article where Kinko's reimages computers after guests pay to use them. This can take 5-10 minutes. What the hell? Just set a limited user and recreate that one folder. What are their administrators thinking?

    2. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by erick99 · · Score: 2, Interesting

      I agree. When I worked at CellularOne every user was issued a W2K workstation that was locked down squeaky tight. You had to make a very good case to get access to the web and, even then, there was a hellish long list of sites that were blocked. I didn't see any spyware/malware ever. Users were not allowed to install software nor even printers. You got the application suite that your job required and you were mapped to a printer or two. It worked well and nobody was being deprived with the possible exception of folks that like to use their computer to screw off all day.

      --
      http://www.busyweather.com/
    3. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Saeed+al-Sahaf · · Score: 2, Interesting
      You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

      This is so true. I work for the Air Force, and I have to agree. Very few spyware / virus issues. Most normal users simply don't need higher permissions, and really should not be installing their own software anyway. These are work machines for doing work. Whatever software that is on them has to be supported by IT. If they really need or want it, we look at it, and if they do get it, we install it. Everything. As yet in 5 years, no major spyware or virus issues.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    4. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by trick-knee · · Score: 5, Informative

      proper permissions usage and implementation is really the best way to lock down a machine when you can't rely on the user to keep from inadvertently installing junk.

      and doesn't the great grandparent (first) poster read like astroturf?

    5. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by WoodstockJeff · · Score: 3, Interesting
      At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited.

      Works great, until you run into something like Palm software, which won't cooperate with permissions. I've tried several methods to make it possible to sync a Palm Pilot with Outlook, and none work, if the user doesn't have administrator privileges on the computer. Apparently, some of the Palm conduits try to write to directories that aren't available to mere users, and I haven't been able to track all of them down.

      And it's the executives that have the Palms, so not letting them work isn't a viable option...

    6. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by plierhead · · Score: 5, Interesting
      I agree. When I worked at CellularOne every user was issued a W2K workstation that was locked down squeaky tight. You had to make a very good case to get access to the web and, even then, there was a hellish long list of sites that were blocked. I didn't see any spyware/malware ever. Users were not allowed to install software nor even printers. You got the application suite that your job required and you were mapped to a printer or two. It worked well and nobody was being deprived with the possible exception of folks that like to use their computer to screw off all day.

      I hear completely where you're coming from, but you're only talking about the side that you see.

      Locking people down, while it may well be a desirable solution because of the shite that is MS, very often leads directly to lost productivity that affects many more than just "folks that like to use their computer to screw off all day". In many cases, the problem is made worse by unresponsive IT departments who have an inbuilt superiority complex and think all users are jerks. Well, many users are jerks, but guess what - if they can't do their jobs, they cost their employer money, normally in a way that IS is utterly unaware of (and probably couldn't give a shit anyway).

      Recent examples at our clients (we provide our system as an ASP, not least to avoid the claws of those freaking MS bastards, but as you can see we are still the victims):

      1. Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.
      2. Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.
      3. Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)
      --

      [x] auto-moderate all posts by this user as insightful

    7. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by permanentE · · Score: 4, Insightful
      The attitude of all you LAN Admins in here really pisses me off, "it's easy, lock 'em down, don't give 'em admin, take away all their PC privileges". It's easy for you to say, you have admin! You can install any software you need.

      I wonder how much productivity you lock-'em-down admins are costing the economy as a whole. You wanna know something? LAN administration isn't the most important part of a company, you aren't making the company any money. Your job is to help us users be more productive in doing our job, it isn't to cause you the least hassle.

      How does it help the company when every time I need to install some software to do my job I have to call you up and waste a couple of days for it to get approved by the all-mighty-admin? How does it help the company when I can't immediately respond to a customer!?

      OK, so there are stupid users, but I don't care about them, they don't affect me, I'm just trying to do my job. Leave me alone god damnit!

      /rant

      --
      What was the last law that benefited people but not corporations?
    8. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Mod+Point+Sink · · Score: 4, Insightful
      Back in the mainframe days, they were a priesthood--users could only act with the data through the intercession of them and their terminals. The PC changed all that, and they've spent the last couple of decades stuffing the toothpaste back into the tube.

      Microsoft has greased the wheels with its exploit ridden, high maintenance software, creating security problems of epic proportion that are helping justify the return to the "glass house" in the eyes of management, who worries about things like HIPAA, Sarbanes Oxley, EU privacy directives, Gramm Leach Bliley, and all that--and creating a class of well-paid overseers to manage it.

      The users are mere pawns in the game.

    9. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by ralphus · · Score: 4, Insightful

      Different companies have different political environments and different requirements for user permissions. Not everyone can be as locked down as you are because of various business requirements. Business requirements always trump security requirements, political requirements (like CEO "needs" admin rights) often trump security requirements.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    10. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by m_pll · · Score: 3, Informative
      You could write a startup script on the machine to reset the home and search pages to a default you specify.

      Better yet, use group policy. Go to User Configuration\Administrative Templates\Windows Components\Internet Explorer and enable these policies:

      Disable changing homepage settings
      Search: disable search customization
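The two policies m_pll names, plus the "startup script to reset the home page" idea, as an added PowerShell example that is not from the thread. It assumes the registry values the IE ADM template writes for those policies (`Control Panel\HomePage` and `Infodelivery\Restrictions\NoSearchCustomization`, as I recall them; verify against your own template) and a placeholder intranet URL; run it with `-AuditOnly` to detect drift without changing anything.

```powershell
# Added example (not from the thread). Resets IE's start page to a default,
# sets the two policies m_pll lists, and reports any setting that is missing or
# changed, which is what a homepage hijack looks like from the registry side.
param(
    [string]$HomePage = 'http://intranet.example.local/',  # placeholder default
    [switch]$AuditOnly                                      # report only, no writes
)

# Registry mappings assumed from the IE ADM template; verify before deploying.
$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Name = 'Start Page'; Value = $HomePage; Type = 'String' },
    # Policy: "Disable changing homepage settings"
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Name = 'HomePage'; Value = 1; Type = 'DWord' },
    # Policy: "Search: disable search customization"
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions'
       Name = 'NoSearchCustomization'; Value = 1; Type = 'DWord' }
)

function Test-Setting($s) {
    # True when the value exists and matches what policy says it should be.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    return ($null -ne $current -and "$current" -eq "$($s.Value)")
}

$drift = @()
foreach ($s in $settings) {
    if (Test-Setting $s) { continue }
    $drift += "$($s.Path)\$($s.Name)"
    if (-not $AuditOnly) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
            -PropertyType $s.Type -Force | Out-Null
    }
}

if ($drift.Count -eq 0) {
    'IE homepage/search policy is in place.'
} else {
    $verb = if ($AuditOnly) { 'missing or changed' } else { 'reset' }
    "Settings $verb`: $($drift -join ', ')"
}
```

Pushed out as a user logon script, the drift list doubles as a cheap indicator of which machines had their homepage tampered with since the last run.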

    11. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Lord+Kano · · Score: 2, Insightful

      You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks.

      Because not every company is employing a bunch of idiots. Some users actually NEED to do things that are out of the ordinary.

      If anyone has a complaint, tough.

      IT's job is to secure the computers, but not just for the sake of security. It's to secure them so that people can do work. If you only care about one part of your job, that's a really good way to lose the rest of it.

      I recently read an article where Kinko's reimages computers after guests pay to use them. This can take 5-10 minutes. What the hell? Just set a limited user and recreate that one folder. What are their administrators thinking?

      How about this? It's easier to write a script to automatically reimage the machines than it is to take support calls from thousands of offices for tens of thousands of customers who can't get things done all because you wanted to be an asshole and ride a power trip to show people that you control the machines.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    12. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Anonymous Coward · · Score: 5, Informative

      What? I've got a bunch of people syncing Palms in Windows 2000. They are domain users and don't even have accts on the local system. Try adding the user to the administrators group for the first sync and then removing them.

    13. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by revividus · · Score: 3, Informative
      Why is this moderated to zero? The anonymous coward is correct; if you add the user to the admin group, install the Palm Software, and then take the user out of the admin group after the first sync, it will continue to work.

      At least, this was my experience after many experiments.

    14. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Dimensio · · Score: 2, Interesting

      Works great, until you run into something like Palm software, which won't cooperate with permissions.

      This came up in a /. discussion months ago, and I asked my boyfriend -- who administrates WinXP and 2000 machines where he works -- if he had found a solution.

      I'll look through my replies and repost it. He said that it's a bit tricky, but it can be done.

    15. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by erick99 · · Score: 2, Interesting

      I didn't work in the IS department, I worked in marketing. I was one of the users that got locked down. I am sorry if my post conveyed otherwise. The IS people were in Colorado and I was in a remote office in Frederick, MD. However, I am always curious about IS so I learned what I could by talking to them over the phone.

      --
      http://www.busyweather.com/
    16. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by esbjerg · · Score: 2, Insightful

      I work in a company where it has taken a while to get the CEO and others to understand the benefits of not having extended rights.
      If you want to make them understand, let them manage their own PC. They will get infested and crash a lot (usually). When they ask for help, install a fresh version and run a virus check on their files. Do not waste time on restoring their program settings.
      Instead tell them it's the best way to deal with the problem at hand (it is!).
      After losing time on this the CEO will listen to arguments like: "We/you are wasting time and time is money."
      He will ask you what can be done. Tell him he will lose his admin rights and you will manage his PC (add more arguments). When he agrees, make sure his PC runs smoothly for a long time and when there is a problem you fix it quickly. After a while he will appreciate that he gets his job done and the admin wastes less time on reinstalling his PC.
      When the CEO (replace with some head guy) understands why normal users shouldn't have extended rights you can tell him that you would like his backing to take away extended rights from the normal users.
      This is a very short explanation of what to do. The point is to explain to the management why it's a benefit to give up their rights - time/money!

      It is not always easy to convince the CEO but it's worth the time. You will need the management's blessing to deploy tighter security. Most people don't get it the first time you explain why it's necessary and it will take forever to explain it to 1000 users. That's why you need the CEO to tell them.

    17. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by irg1231491 · · Score: 2, Interesting

      One of the things that honestly worries me these days is the fact that IT in general, and sysops in particular, have a tendency to assume their users are total bottom-feeding dumbass idiot morons, and do not give the user any credit for a working brain.

      I agree that the default, starting account on most systems should be pretty locked down --- however, once you've been around for a while and you've proved to the world that you're not a complete dipshit, you should be allowed certain freedoms.

      Example: On my Windows PC at home, I use LiteStep. As a shell, it pwns Explorer by an incredible margin. It's been a great boost to my productivity, especially with applications like Rainlendar to help with scheduling and planning.

      However, if I were to ask any sysop with this type of mindset toward users, I would be shot down almost immediately. I understand that ITs have to deal with tons of idiots every day, but it is important to make the distinction that IT is there to aid the users in getting the job done. That's the reason the computers are there, that's the reason the sysops are there, that's the reason everyone is there.

      Another reason that this is a bad idea is because, in large part, the default install at most workplaces sucks. IE for browsing, Microsoft Office for everything else. Period. I understand the necessity of using Microsoft Office, but there is absolutely no reason to force me to use IE on the job (excepting, of course, IE-dependent applications on-job). There are also a myriad of helper and (somewhat) luxury applications, like WinAmp, which could easily be allowed without hurting anything.

      Ultimately, I guess, the ITs need to get off their damn high horse. It's time to stop assuming that every worker is going to take every possible chance to slack off, or screw up the equipment, or whatever else you're afraid of. Seriously. ITs need to remember that, regardless of their personal opinion of the worker in question, they and the users are equals, and need to act accordingly. I have found that using a little respect and guidance works much better than trying to reduce the computer to a meaningless black box.

    18. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by omb · · Score: 2, Interesting

      I have also worked in a company set up like this

      The results were
      (a) a Project Plan needed by the CEO blocked

      (b) An urgent software upgrade blocked

      (c) A senior developer fired, then necessarily
      re-hired as a contractor

      (d) a new CIO

    19. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Kleedrac2 · · Score: 3, Interesting

      1. Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.

      This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT.

      2. Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.

      Again bad IT practice ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

      3. Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)

      And again, if there's a valid reason to upgrade office and it's showing up multiple times perhaps IT should either distribute a newer image w/ Office 2003 or perhaps OO.o, alternatively they could just have a copy of Acrobat on the IT network so any incoming Word documents can be sent to them for conversion to something that can be read by the current image.

      I've administered networks as well as used rather locked-down networks. The problem with locked down networks in my experience happens only when the IT guys are too lazy or stupid to make changes. Any idiot can lock down windows. It takes someone with more intelligence to actually allow the useful while blocking the harmful. As long as the IT department is large/trained well enough for the number of seats it really shouldn't be a problem.

      Kleedrac

      --
      Sure we wang, can.
    20. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by estes_grover · · Score: 4, Interesting

      This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT...Again bad IT practice ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

      These would be true statements should the company in question be small - several hundred employees. It's a whole different deal in a large company. In a large company (thousands or 10's of thousands of employees) IT policy is often designed such that the (inadvertent) end result is: slow. The overriding concerns in large-company shops are things like security, audit, documentation, repeatability. In an IT shop supporting a large user base, the CIO is often more of a business type than an IT type. Hence lots of compromises, negotiation, changes in direction. Couple that with in-house development efforts and one often gets re-work and that translates into slow.

      It's darn near impossible to be large and nimble.

    21. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by shyster · · Score: 4, Insightful
      The attitude of all you LAN Admins in here really pisses me off, "it's easy, lock 'em down, don't give 'em admin, take away all their PC privileges". It's easy for you to say, you have admin! You can install any software you need.

      That's because we know what we're doing. And, if we cause problems, we're the ones that have to fix it.

      How does it help the company when every time I need to install some software to do my job I have to call you up and waste a couple of days for it to get approved by the all-mighty-admin? How does it help the company when I can't immediately respond to a customer!?

      Who do you think is responsible for keeping track of the licenses for that software you want to install? Given admin access, how many users do you think will pirate software? (Answer: a lot). How many users will knowingly or unknowingly install spyware? (Answer: a majority) How many will get a virus? (Answer: A few. But those few will impact the entire company.) And, when they do all of this, and it takes 1-2 days to clean up their computer, how many users will understand that it's their fault and not blame the IT department? (Answer: None.)

      Your job is to help us users be more productive in doing our job, it isn't to cause you the least hassle.

      I suppose you feel the same way about your Purchasing Department (Why should I have to get a PO before ordering something? How does it help the company when I can't immediately order something I need?). Our job is not to help you be more productive in your job. It's to help the company be more productive. You're just a tiny little part of the equation.

      OK, so there are stupid users, but I don't care about them, they don't affect me, I'm just trying to do my job.

      If there truly is someone who is (a) knowledgeable of computers, (b) appropriately cautious of installing unknown or unlicensed programs, (c) reasonable enough to not blame IT for all of his computer woes, and (d) wants administrator access (and his manager doesn't care) - then I'll usually give it to them. In most cases, this guy also becomes my go-to guy for the department - which saves me from visiting for little issues.

      If you truly can't do your job because of restrictive policies (note that installing WeatherBug and AIM does not constitute doing your job) then you should explain your situation to your admin, your manager, and your admin's manager. If nothing gets done, then no one thinks you need admin access to do your job. Live with it.

    22. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by shyster · · Score: 3, Interesting
      Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.

      Why wasn't IT involved in the requirements discussion of your ASP solution? Who did you think was going to be implementing the client side of the solution? A lot of issues could be solved easier if IT was asked for advice before a problem arises. Instead, departments make (sometimes) dumb IT-related decisions, and expect IT to implement them.

      Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.

      Sounds like a department or group of people within Customer B wanted to use your system. Once again, it doesn't sound like IT was involved at all. Nor does it sound like the company as a whole wanted it - or they would've worked with IT to get access to it.

      Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)

      AFAIK, Word 97-2003 have the same file format. Excepting some possible formatting issues, reading the documents shouldn't be a problem. However, realize that an Office upgrade is a huge expense in terms of both time and money. Expecting IT to jump to fulfill your requirements on their existing budget is a bit unfair.

      Just because you, understandably, see your solution as the greatest thing since sliced bread doesn't mean IT or the company as a whole does. It would seem that IT, and the executive management, were either not made aware of the business need of your solution, or felt it was not worth the impact on IT's budget and responsibilities. Perhaps involving IT in your next client discussion could point out these issues before the ink is dry.

    23. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by coats · · Score: 4, Informative

      AFAIK, Word 97-2003 have the same file format. Excepting some possible formatting issues, reading the documents shouldn't be a problem...
      Can you say, clueless!?

      There are incompatibilities between the paragraph and character styles and the numbering mechanisms among the versions of Word you talk about (97/2000/XP), and going back and forth among them is a sure way to almost-irremediable document corruption. As a corporate-law attorney, my wife runs into this problem all the time.

      Word can't deal with it; the commercial product for cleaning up the mess runs $5000/seat and many law firms consider it well worth the price. (Or you can use the industrial-strength .doc-parser found in abiword or OpenOffice.org:-) .)

      --
      "My opinions are my own, and I've got *lots* of them!"
    24. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by jallen02 · · Score: 3, Insightful

      I do believe that is the parent of your post's point. He is looking at it from a B2B perspective. Bad IT practice has directly hurt his company, even though it was not his company's bad practice.

      Jeremy

    25. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by RMH101 · · Score: 2, Informative

      bollocks. if you need it, it's already there: this is why we have a standard desktop client that's rocksolid-stable. just because you're pissed off because you can't install webshots, don't assume that there's not a valid and sound reason to lock down clients.

    26. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by RollingThunder · · Score: 2, Insightful

      The test is if the loss of productivity due to lockdowns is overall LESS than the loss of productivity due to virus/malware/spyware plus corporate danger due to piracy plus extra admin time to support all kinds of whacked-out PCs.

      If having them locked down costs the company less, then guess what - you get to put in change requests for that software install.

    27. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by shyster · · Score: 2, Interesting
      Can you say, clueless!? There are incompatibilities between the paragraph and character styles and the numbering mechanisms among the versions of Word you talk about (97/2000/XP), and going back and forth among them is a sure way to almost-irremediable document corruption. As a corporate-law attorney, my wife runs into this problem all the time.

      I admit to being somewhat clueless, being that Office 2003 is covered under our site license (which is dirt cheap, due to gov't status) and I don't use Word very often. However, the official line is exactly what I stated. Which is that, formatting issues aside, file formats shouldn't be a problem. If it is, then I think that qualifies as a bug - ask PSS about fixing it.

      Of course, most law offices I've worked with use WordPerfect (and have for ages), so I suspect that may be part of your wife's problem.

    28. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by WoodstockJeff · · Score: 2, Interesting
      I've tried this in the past - as soon as I remove the users from the admin group, they stop being able to hotsync to Outlook.

      This isn't to say they can't hotsync - Anything they put into the Palm software application works just fine, and the data they grabbed from Outlook on the earlier sync will be backed up, but they can no longer attach to their Outlook data, once their privilege level is reduced to "power user".

      Note that even this proposed solution isn't that great - what if the user has something in their "run once" registry that installs malware, just waiting for them to be elevated to the point where it can do real damage? If you have to make someone an administrator for ANY reason after they've wandered into the wrong sites, you're still very much at risk.
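A defender's check for the risk WoodstockJeff raises before using the temporary-admin Palm workaround from the earlier replies: an added PowerShell example, not from the thread, that lists what the standard Run/RunOnce keys would launch at logon and flags entries that are unsigned or live outside Program Files and the Windows directory. The trusted-root list and the "suspicious" rule are my assumptions, not a thread recommendation; adjust them to your image.

```powershell
# Added example (not from the thread). Enumerate Run/RunOnce entries for the
# machine and the current user and flag the ones worth a look before granting
# that user (even briefly) local admin rights.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed trust boundary: binaries under these roots are what a limited user
# cannot write to, so anything launching from elsewhere deserves attention.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

function Get-ExePath([string]$cmd) {
    # Extract the executable from a command line such as "C:\x\y.exe" /arg
    # or C:\x\y.exe /arg; fall back to the whole string.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $cmd.Trim()
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc.
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $p.Value))
        $inTrustedRoot = [bool]($trustedRoots | Where-Object { $exe -like "$_\*" })
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Executable = $exe
            Signature  = $sig
            Suspicious = (-not $inTrustedRoot) -or ("$sig" -ne 'Valid')
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'Review the flagged entries before adding this user to Administrators.'
}
```

Running it as the user in question (not as the admin) matters, because the HKCU keys it reads are that user's hive.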

    29. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Billly+Gates · · Score: 2, Interesting

      Problem is many spyware and ad programs use buffer overflows to install themselves.

      I found out I got my system reineffective just from watching a mpeg of porn.

      The stream was infected and using buffer overflows to execute and install itself in the system registry.

      No problem under FreeBSD since its mpeg libraries are safer with some of the holes fixed.

      It's just insane what these applets using JavaScript use to get themselves installed without the user knowing.

      A policy will not prevent the overflows since they bypass NT security.

    30. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by GreyPoopon · · Score: 3, Interesting
      I don't think you are completely aware of what the budgeting process and political playing field are like for IT resources at most companies. It's generally not a question of laziness, but rather that management wants to reduce IT headcount while at the same time getting even more work out of the department. On the other hand, if you are directing your complaints against upper management (not IT), I'm all with you.

      This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT.

      Interesting. You attribute following policy to laziness. Since there aren't enough resources to go around installing HP scanners for everyone and supporting the associated software, the department has made the decision to support a single centralized scanning infrastructure. Unfortunately, they made this decision at a time when OCR wasn't an issue. Generally, the $200 HP scanner isn't going to be an isolated case. Once one is deployed, there need to be others. Now the IT department is forced to support several additional devices and new software. Oh, and while they are providing this additional support, the CFO is busy taking three more people out of their headcount. In a situation like this, the proper solution is for the IT department to follow policy and request that the person who has the need escalate through their management. If it's important enough, it will reach the CEO, who will tell IT they need to provide this service. At that point, they can force the CFO and the CEO to sit at the same table and decide whether it's more important to provide this piece of hardware or to reduce the IT budget. Now, if IT hadn't locked down the system and employed this practice in the first place, guess what would have happened. The requesting department would go around IT to buy and install the scanner, and IT would have still ended up supporting the thing.

      Again bad IT practise ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

      Again, you've attributed draconian procedures for gaining web access to laziness. What you are missing is that such decisions rarely come directly from IT, and are instead a direct response to a requirement from the CEO. Just like the previous situation, the issue would have to be escalated. The CEO will either approve, deny, or realize that he needs to change his requirements for IT.

      And again, if there's a valid reason to upgrade office and it's showing up multiple times perhaps IT should either distribute a newer image w/ Office 2003 or perhaps OO.o, alternatively they could just have a copy of Acrobat on the IT network so any incoming Word documents can be sent to them for conversion to something that can be read by the current image.

      Again, somebody has to support this, and most IT budgets are yielding their dollars up to the Marketing budget. Although, I like the idea of a copy of Acrobat because it would then possibly require only one resource within the IT department.

      The problem with locked down networks in my experience happens only when the IT guys are too lazy or stupid to make changes.

      No, most locked down networks happen when the IT department is afraid to make changes. Usually this is because the CEO or CFO puts very heavy restrictions on them. Remember that 80s and 90s buzzword, empowerment? Well, we all laughed back then because we knew it wasn't true. It's obviously not true today either.

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    31. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by ananke · · Score: 2, Interesting

      If you have the power to hire an IT admin, you also have the power to fire this person. You do, right? If so, what's the problem? Hire somebody who will do the job as you would like them to. If not, then you can safely drop the 'I will not hire you' song. Nobody cares, seriously.

      --
      --- d'oh
    32. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by TurboStar · · Score: 2, Interesting
      "This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT."

      You seem to have a problem with ignorance and stupidity. I'm tired of hearing about lazy IT from the same assholes that think they can install anything on their computer in five minutes and everything will be just fine.

      Here's a clue for you in the scenario of a 5000+ workstation network across several buildings.

      1. User calls IT with need for OCR. Dispatcher enters a ticket. (10 mins)
      2. IT contacts user and says they have a secure and approved solution but the research needs to be finished for OCR. (15 mins)
      3. User says he needs it right away. IT rolls eyes and wonders if user's keyboard is broken. I mean, if it's that important user should be typing and not trying to convince IT his OCR problem is most important. (15 mins)
      4. IT spends an hour with user finding a suitable, though insecure solution. Warns user that $99 OCR is nothing like the full solution they have in the works. (60 mins)
      5. Fill out PO request (and double check everything, because accounting doesn't like mistakes) for HP scanner. (5 mins)
      6. Receiving scanner and dispatching IT installer. (5 mins)
      7. Installation of scanner, including 10 mins walking/travel time. Don't try and play off 5 mins here, you can't even unbox most stuff in less than 5 mins especially with an excited user nipping at your heels. Hell, if you need to reboot that's 5 mins in itself. And yes, many USB devices (especially HP's) seem to need a reboot for some reason. Plus you need to scan at least one page to make sure it works. (30 mins)
      8. Training the end user how to use the scanner and OCR software. Because "IT is here, why should I RTFM?" (30-90 mins)
      9. Documenting the one-off install. (5 mins)
      10. Future support of scanner. Moving, helping new employees with it, repair, etc. (0-999 mins)

      So realistically, we're talking two+ hours of work just for a relatively insecure install. That's more in labor than you can buy most scanners for. If there are firewall ports to unblock for updates or workstation permissions that need to be configured it'll take even longer.

      Running an IT department is not like supporting your Mom's computer she uses for looking up recipes. If things in a business stop working the company loses money and potentially people lose jobs. If your Mom's PC goes down you get mac&cheese for dinner instead of lasagna. Big difference. IT needs to plan on keeping everything working at once, not most things most of the time.

      When you get tired of IT people treating you like crap, stop the attitude and give them the respect they deserve. Maybe then you'll get your needs looked after instead of being tossed into the "he's a little shit" pile.

      -turbo (who runs "four nines" -- trying for five)
  2. you mean... by maxdamage · · Score: 5, Informative

    besides freezing them?

  3. Don't let'em in. by gustgr · · Score: 2, Informative

    What about blocking or filtering the spyware and adware at your proxy? If it doesn't get into the network, it will not affect your computers.

    1. Re:Don't let'em in. by ZorbaTHut · · Score: 2, Insightful

      Only half the solution - inevitably, someone will run across a new breed of spyware that the proxy doesn't yet catch. At that point, you need spyware protection on people's computers as well, so that it can be exterminated once the adware database is updated.

      Yes, you could also filter outgoing packages, neatly making the spyware/adware useless, but I've seen spyware that killed a computer's internet connection if it couldn't communicate with its home system (on a user's computer in college, which was a problem since they had to authorize their computer - on a webpage - before they could connect to the outside world.)

      --
      Breaking Into the Industry - A development log about starting a game studio.
    2. Re:Don't let'em in. by gustgr · · Score: 2, Informative

      You may try to filter/block with squid. Try these sites:

      http://www.squid-cache.org/related-software.html

      http://sites.inka.de/sites/bigred/devel/squid-filter.html

      There is a proxy called Privoxy with some advanced filtering capabilities.

    3. Re:Don't let'em in. by hsidhu · · Score: 2, Informative
      It has been said before and I will say it again: a community-based /etc/hosts file such as this one works for me. No need to communicate with people that peddle crap.

      Just ignore the crap out there.

  4. the newer AV's do by Nate+Fox · · Score: 4, Informative

    I usually don't recommend upgrading antivirus programs to my clients, but the latest round of 2005 versions basically have adware in with their virus defs. Not sure about the corporate level stuff, but almost all the major consumer AVs do.

    1. Re:the newer AV's do by IoN_PuLse · · Score: 2, Interesting

      And it's not very good. The open-source antivirus for windows (Clamwin) seems to detect more viruses and mal/spyware for me, recently.

  5. Windows XP and Service Pack 2 by Anonymous Coward · · Score: 2, Interesting

    Seriously. I am not trolling. It works for me.

    Ever since I have installed SP2, Ad-Aware from Lavasoft has not found one spyware program -- even after installing the worst offending sites - porn sites.

    1. Re:Windows XP and Service Pack 2 by Anonymous Coward · · Score: 3, Funny
      even after installing the worst offending sites - porn sites.

      Thank you for taking the risk of testing that so that others won't have to.

    2. Re:Windows XP and Service Pack 2 by psyclo · · Score: 2, Informative

      Sorry to shoot your idea out of the water, but I've had XP with SP2 for a while, and Ad-Aware comes up with plenty of hits, and I don't visit porn sites. I'm just running it now and it already recognized 6 new objects.

      Ahh well, it was a nice theory while it lasted. :-)

      --
      =======================
      Psyclo, the dark night.
      Mike, the computer geek.
  6. Symantec by cuteseal · · Score: 3, Insightful

    We use Symantec Antivirus and Desktop Firewall - seem to do the trick...

    1. Re:Symantec by Anonymous Coward · · Score: 2, Informative

      NAV 9 handles both viruses and spyware...

  7. Easy and cheap by Dancin_Santa · · Score: 5, Funny

    I recommend just sticking a firewall up at the root of your network and blocking all traffic on port 80. It cuts down on web surfing and it puts to death all those stupid ad/spybots that already infest your network.

    If someone needs to access a site, have a system where they can request a site to be opened for access. Of course they will need to have a valid reason and you (as network admin) have final say as to letting them have that access or not.

    The www is something that can be surfed at home on personal time. Work is for work.

    1. Re:Easy and cheap by Anonymous Coward · · Score: 4, Insightful

      ...because some IS people just need to exercise every little bit of power they can.

      Others realize that computers are tools and that disabling web access makes them worse tools. They know that their job is not to find ways to make their own jobs easier, it is to make other people's jobs easier.

      Kudos to the story submitter for being one of the type that wants to do his job right.

      Dancin Santa, fuck you and all others like you.

    2. Re:Easy and cheap by Anonymous Coward · · Score: 2, Insightful

      And one Perl script to refuse them all.

      It's a brilliant solution.

    3. Re:Easy and cheap by Frennzy · · Score: 2

      I normally don't respond to AC, but...how the hell do you suppose you'll know when/how/what I'm doing? If a port is open, I can tunnel through it.

      I am the company network engineer. And the Security Officer. If you know how to discern legitimate traffic from 'bad' traffic over an allowed port, please, do enlighten us all.

      And do it as something other than AC. I know all about fingerprinting traffic patterns...but won't take any more crap from someone who says 'make my day', while hiding behind an AC moniker.

    4. Re:Easy and cheap by jayhawk88 · · Score: 2, Funny

      You are absolutely correct. And then, board your magical Unicorn for the Leprechaun base on the Dark Side of the Moon, where you will eat naught but Space Wine and Space Cheese!

    5. Re:Easy and cheap by Frennzy · · Score: 2, Funny

      Dammit...I had forgotten about the evil bit. Fire me now. Wait...if I promise to adhere to the 'do not copy' bit, will I be allowed to attend re-education camp? ;)

    6. Re:Easy and cheap by gregmac · · Score: 4, Insightful

      The www is something that can be surfed at home on personal time. Work is for work.

      Many other people have pointed out the value of being able to surf sites for work-related information (booking hotels, looking at competition, finding reference materials, finding suppliers/products, finding potential customers, posting job listings, ...).

      There are other ways to prevent misuse as well, rather than blocking port 80 - block specific sites (ie, hotmail) and/or use content filtering to stop people from looking at pr0n while at work. Keep in mind that these can be detrimental - at a health care related job, for example, there will be legitimate reasons to look up legitimate sites that will be blocked by content filtering.

      One thing that has been shown (I know I've read articles about this before, unfortunately I can't find references) is that denying people "personal time" at work leads to an increase in sick days and other time off. Basically, if you don't let someone spend half an hour doing something personal while "at work", then they end up just taking an entire day off to get what they need done. This is my take on the matter, and I don't block any sites on our connection. (and no, I don't consider pr0n to be a legitimate "personal" use of time, but we're also a small company and no one really has much of a private office to use..)

      --
      Speak before you think
  8. Easy by Anonymous Coward · · Score: 5, Funny

    Two words: Death penalty.

    Get spyware, get shot in the head. After two or three pluggings in front of coworkers, NO ONE will get on the net period, or even check e-mail.

    Harsh? Yes. Effective? HELL YES!

  9. Obvious solution by glomph · · Score: 2, Informative

    Stop dedicating your life to subsidising Microsoft's hegemony. Move people to a good, maintained Linux Distro. Yes, it is possible.

    1. Re:Obvious solution by Frogbert · · Score: 5, Insightful

      No it is not. There is no Microsoft Word for Linux, Open Office comes close and I love it to death but it's just not ready yet.

      There is no god damned Access for Linux either. Here's a newsflash: a lot of companies have database frontends that rely on Access, it may not be the best solution but it is the current system and to change it would cost thousands of dollars.

      Like it or Loathe it Visual Basic is used throughout many companies. Please correct me if I am wrong but do any Linux office products work with Visual Basic?

      These are just a few of the many examples why you couldn't just switch to Linux like that. Those are just the software factors too, forget user training, the cost of changing hardware that isn't supported to Linux etc.

      What about thousands of pissed off users because they can't figure out why the hell the start button looks different or why text on the screen doesn't behave as expected.

      I'm not trolling, I like Linux and I think it is great for the home and for a hobby but it's just not ready for the mainstream. Perhaps in a few years, but not today.

    2. Re:Obvious solution by Anonymous Coward · · Score: 2, Insightful

      Shame on your company for buying into vendor lock-in. A competitor that didn't will eat your lunch while you're still running from desktop to desktop fixing IE infections.

    3. Re:Obvious solution by droleary · · Score: 2, Insightful

      No it is not. There is no Microsoft Word for Linux, Open Office comes close and I love it to death but its just not ready yet.

      But there is a Microsoft Word for Mac OS X. Of course, you're really just side-stepping the real issue. Nobody really has a "We need to run Word" problem (except maybe when converting that legacy format to an open format); they have a "We need to create documents" problem. Just about every place I've been that had Word widely installed, 90% of the people used it as a glorified text editor.

      There is no god damned Access for Linux either. Heres a newsflash a lot of companies have database frontends that rely on Access, it may not be the best solution but it is the current system and to change it would cost thousands of dollars.

      The time to complain would have been when they picked Access as their solution, not when they finally figured out that they have vendor lock-in. There are tons of other database solutions they could freely choose from. But, again, you're side-stepping. Malware, especially as described for this article, is mainly a user problem. If you have a server running Access, it's unlikely such garbage will be installed on it. This in no way forces you to keep Windows for desktop systems.

      Like it or Loathe it Visual Basic is used throughout many companies. Please correct me if I am wrong but do any Linux office products work with Visual Basic?

      Again, you're pushing a product instead of solving a problem. Please describe how VB is used for custom development that cannot be matched by other tools. Bonus points if you've figured out you can't name lock-in with MS products any further.

      These are just a few of the many examples why you couldn't just switch to Linux like that. Those are just the software factors too, forget user training, the cost of changing hardware that isn't supported to Linux etc.

      Bogus excuses. I've been in environments that had users sitting in front of old NeXT boxes to run in-house apps. Why? Because it got the job done quite well, and the users were more likely to be working than dinking around on the web or with some game they downloaded (or suffering with spyware/adware). MS is the hammer some companies use as their only tool, and it's stupid.

      What about thousands of pissed off users because they can't figure out why the hell the start button looks different or why text on the screen doesn't behave as expected.

      Fire them. If you have to go to the Start button as a major part of getting your work done, your system for doing business is screwed up beyond whatever kind of OS you run. And I'm not sure I even understand your text FUD. How about you describe specific use cases instead of trying to sound ominous while telling your tale of woe?

      I'm not trolling, I like Linux I think it is great for the home and for a hobby but its just not ready for the mainstream. Perhaps in a few years, but not today.

      Linux on the desktop is always seemingly a few years away. For a general desktop, yes, that is true; it's why many geeks have switched to Mac OS X. But for specific desktops, there is no good reason you can't run something other than Windows. I mean, seriously, if you have 200 people who are screwing around on non-work enough to cause you malware headaches, they're clearly people that need to be "refocussed", and Linux probably provides all the good they need to actually do their job without all the bad that comes with crufty ol' Windows.

    4. Re:Obvious solution by gd23ka · · Score: 2, Informative
      No it is not. There is no Microsoft Word for Linux, Open Office comes close and I love it to death but it's just not ready yet. There is no god damned Access...

      There is. It's just that these apps still need to be licensed if you absolutely can't switch to OpenOffice or Sun's commercial StarOffice. Many distros, such as SuSE Linux Desktop, use Crossover Office and that will run Microsoft Office.

      With Codeweaver's Crossover Office you get to run:

      * Microsoft Office XP, 2000 and 97
      * Microsoft Word
      * Microsoft Excel
      * Microsoft PowerPoint
      * Microsoft Outlook
      * Microsoft Internet Explorer
      * Microsoft Access
      * Microsoft Project
      * Adobe Photoshop
      * Microsoft Visio
      * Lotus Notes 5.0 and 6.5.1
      * Quicken
      * Various Web Browser Plugins
      * QuickTime
      * Shockwave Director
      * Windows Media Player 6.4

      Though it probably illustrates the power of the API emulation, I can't see the value in MSIE and the Windows Media Player.

      I will however admit that Crossover Office / Wine will not run _every_ custom Visual Basic app on the planet... but if you don't have them then there is no technical reason you could not switch to Linux.

      ... [don't] forget user training, the cost of changing hardware that isn't supported to Linux etc. ...

      Yes, it is true. Your users will need to adjust to the new desktop, but most products I've seen such as SuSE Linux Desktop make Windows users feel right at home.

      I'm not trolling, I like Linux I think it is great for the home and for a hobby but its just not ready for the mainstream. Perhaps in a few years, but not today.

      I'm not shilling for SuSE or Codeweavers but they do have great products fully capable of blowing Windows off the corporate (and home!) desktop. Btw, you can download a 30 day trial of Crossover Office here. While you're at it, see if it will run your custom VB app too ...

  10. Actually by apoplectic · · Score: 3, Interesting

    but this doesn't prevent the computers from getting these programs

    I believe Spybot does protect you ("immunize") from around 2000 different pieces of software, if you let it.

  11. Some hints by Anonymous Coward · · Score: 2, Informative

    * Don't let the users work with an admin account
    * Use a proxy
    * Use Firefox instead of IE

    1. Re:Some hints by Xaoswolf · · Score: 2, Insightful
      Well, Win9X doesn't have admin accounts. Where I used to work, we had hundreds of PCs running 95, and this was in 2003.

      Top brass simply did not want to pay to replace those computers.

      As far as firewalls go, things still slip through, and once they do, what then?

      And Firefox only stops most automatic installs, it still won't keep Joe Idiot from downloading Bonzi Buddy...

  12. I have it by ryanmfw · · Score: 2, Funny
    Ripoff Technologies-

    We have all of the software you need! Just tell us what you want the software to do, give us the name of open source software that already does the task, and in three weeks we will have a brand new software package *just* for you, for the low low price of $50! Unfortunately, our website is down because of high traffic and hackers. Still, you can view videos of the as-of-yet-non-existent software here.

    --
    Hurricane Ivan: A 17th century prison collapsed. All of the inmates escaped.
  13. 14" monitors by Anonymous Coward · · Score: 5, Funny

    Every time a user finds spyware on their PC, replace the monitor with a smaller one.
    When a user has to make a decision between h4rdc0r3 p0rn and a 6" monitor, they might be a little more proactive in preventing spyware!

  14. Re:Easy solution by coolsva · · Score: 2, Insightful

    Noble as your intentions are in spreading the word, Firefox will NOT solve the spyware/adware problems. Much of this malware is installed by the user implicitly by installing other shareware/freeware products. It just so happens that the IE monoculture is making these malware authors target IE for some of their scripts (to automatically install). Once Firefox reaches a critical mass, it too will have these problems. Remember, malware along with spam is a social problem, not a technological one, so the solution is also social. for

  15. Re:Had to be said... by wrinkledshirt · · Score: 2, Insightful

    Actually, it does have to be said from time to time. If the problem is a big enough priority, maybe the solution needs to be a bit creative?

    I understand it's not a realistic option for everybody to switch OSes. Just something people might want to keep at the back of their mind, in case this month the problem is AdWare/Spyware, last month the problem was Viruses and Worms, the month before the problem was about software costs, etc.

    --

    --------
    Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...

  16. Software Restriction Policy (Windows XP) by yiangouk · · Score: 5, Interesting

    You can apply what is known as a Software Restriction Policy and enforce it strictly so that only approved software is installed on system computers

  17. yeah by UserChrisCanter4 · · Score: 2, Informative

    I'm not totally clear on what these machines are used for (custom web apps w/ heavy activeX use? Random surfing?), but assuming you haven't heavily focused on IE with custom software, Mozilla/Firefox plus a proper permissions system that denies access to IE and program installation should prevent 95% of the infections.

    Top it off with a local DNS that nulls known ad sites and spyware supplies, and you should be good to go.
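The sinkhole idea that hsidhu raised earlier (a community-maintained /etc/hosts list) and the local DNS that nulls known ad and spyware hosts suggested here both depend on the quality of the list you push out. Before 2000 machines get it, the list needs normalising: community lists mix 127.0.0.1 and 0.0.0.0 sinks, repeat hosts, carry typos, and now and then blackhole something the site needs (a vendor's update server, for instance). The script below is an added example written for this page, not code from the thread or from any published list; the community list, the allowlist and the hostname check are constructed for the demonstration.

```python
"""Build a managed hosts-file blackhole fragment from a community block list.

Added example for this page. COMMUNITY_LIST and ALLOWLIST are constructed
sample data, not a real published list.
"""
import re

# Constructed sample of a community-maintained hosts file: mixed sink
# addresses, comments, duplicates, a typo, and an entry we must keep resolving.
COMMUNITY_LIST = """\
# sample community list (constructed)
127.0.0.1 localhost
127.0.0.1 ads.example.net
0.0.0.0 Tracker.Example.org   # trailing comment
0.0.0.0 ads.example.net
127.0.0.1 popup.example.com adserver.example.com
0.0.0.0 bad_host.example.com
0.0.0.0 www.update.example-vendor.com
"""

# Hosts that must always resolve (constructed). Blackholing a vendor's update
# server breaks patching, which costs more than the ads it also serves.
ALLOWLIST = {"localhost", "www.update.example-vendor.com"}

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# at least one dot, no underscores. Anything else is treated as a list typo.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_blocklist(text):
    """Return a sorted, de-duplicated list of hostnames to blackhole.

    Comments are stripped, names lower-cased, invalid hostnames skipped and
    allowlisted names removed, whichever sink address the source line used.
    """
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue  # not a sinkhole entry; ignore it
        for name in fields[1:]:
            name = name.lower()
            if name in ALLOWLIST or not HOST_RE.match(name):
                continue
            hosts.add(name)
    return sorted(hosts)


def render_hosts_block(hosts, sink="0.0.0.0"):
    """Render the hosts-file fragment between markers so a later push can
    replace the managed section without touching the rest of the file.

    0.0.0.0 is used rather than 127.0.0.1 so blocked requests fail fast
    instead of being sent to whatever listens on the local loopback.
    """
    lines = [f"# BEGIN managed blocklist ({len(hosts)} hosts)"]
    lines += [f"{sink} {h}" for h in hosts]
    lines.append("# END managed blocklist")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_hosts_block(parse_blocklist(COMMUNITY_LIST)))
```

The same normalised list feeds a local DNS zone just as well as a hosts file; the point of the markers is that the next push can swap the managed section out cleanly, and the allowlist is the part that keeps the sinkhole from becoming its own outage.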

  18. Sounds like the same problem we face by willith · · Score: 4, Informative

    Sounds like the same problem we face--4k client PCs in five locations--and we don't have too good of a solution.

    We're currently taking a two-pronged approach. First, for the big baddies like Gator or Bonzi, we use Altiris Notification Server to find them and block their execution. This works tolerably well, but it's a reactive process--for me to block a spyware app, I have to know about it, and it has to be something of which I can deny execution (so, no browser helper objects).

    Second prong is a managed install of Spybot S&D--we're enterprise licensed and maintain our own update server. We stick Spybot S&D in our base loads and force it to run on a schedule, automatically updating itself and running non-interactively. This catches lots, but can sometimes interfere with the users' work.

    There is also an ongoing user education effort, consisting of mandatory training and constant reminders about how spyware works and how one gets infected, but that's about as hopeless as bailing the ocean with a kid's toy bucket. I'm long past the point of hoping that the general user population can learn about how not to get infected with spyware; I'm resigned to spending the rest of my days hearing about how someone in Marketing was hitting the gambling sites at lunch and picked up yet another malware app.
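The contrast between the Software Restriction Policy approach in comment 16 (only approved software runs) and the reactive name-based blocking described here is easiest to see side by side. The script below is an added example written for this page, not code from the thread, from Altiris or from Windows; it models two decisions over a constructed set of files: a default-deny allowlist keyed on trusted directories and content hashes (the shape of SRP path and hash rules), and a filename denylist. The file layout, the approved hash and the denylist are constructed for the demonstration.

```python
"""Default-deny allowlist (SRP-style path and hash rules) beside a reactive
filename denylist, evaluated over a constructed directory tree.

Added example for this page; file names, contents and lists are constructed.
"""
import hashlib
import os
import tempfile

# Allowlist policy: top-level directories whose contents may run (path rules).
TRUSTED_DIRS = ("program files", "windows")
# Reactive denylist: exact filenames already known to be adware (constructed).
NAME_DENYLIST = {"gator.exe", "bonzibuddy.exe"}


def sha256_of(path):
    """Hash file content; a hash rule keys on bytes, not on the filename."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def denylist_decision(path):
    """Reactive blocklist: blocks only names it has already been told about."""
    name = os.path.basename(path).lower()
    return "deny" if name in NAME_DENYLIST else "allow"


def srp_decision(path, root, approved_hashes):
    """Default deny; allow if under a trusted directory or if the content hash
    was explicitly approved (the in-house tool that lives outside Program Files)."""
    rel = os.path.relpath(path, root).replace(os.sep, "/").lower()
    if rel.split("/", 1)[0] in TRUSTED_DIRS:
        return "allow"
    if sha256_of(path) in approved_hashes:
        return "allow"
    return "deny"


def evaluate_tree(root):
    """Lay out a constructed disk image under `root`, then evaluate both
    policies for every file. Returns {relative_path: (denylist, srp)}."""
    files = {
        "Program Files/Office/winword.exe": b"MZ office binary (constructed)",
        "Documents/approved_tool.exe": b"MZ approved in-house tool (constructed)",
        "Documents/gator.exe": b"MZ adware dropper (constructed)",
        # Same dropper bytes under an innocent name: the denylist misses it.
        "Documents/totally_legit.exe": b"MZ adware dropper (constructed)",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    approved = {sha256_of(os.path.join(root, "Documents", "approved_tool.exe"))}
    results = {}
    for rel in files:
        full = os.path.join(root, *rel.split("/"))
        results[rel] = (denylist_decision(full), srp_decision(full, root, approved))
    return results


def run_demo():
    """Run the evaluation in a throwaway directory and return the results."""
    with tempfile.TemporaryDirectory() as root:
        return evaluate_tree(root)


if __name__ == "__main__":
    for rel, (deny, srp) in run_demo().items():
        print(f"{rel:40} denylist={deny:5} allowlist={srp}")
```

The renamed copy is the point: a name-based block has to be updated per sample, while the allowlist never had to hear of it, which is also why willith notes the reactive approach cannot touch things like browser helper objects that never show up as a new executable.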

  19. Re:Easy solution by Awptimus+Prime · · Score: 4, Informative

    Use FireFox instead of Internet Explorer. www.mozilla.org

    Though this is a quick way to get a "+5 Informative", it is not a valid solution to most Adware/Spyware/Malware exploits. The majority of this software is installed as part of another application. For instance, the notorious "Internet Optimizer" and "Gator". Running FireFox does nothing to stop an ignorant user from falling for a snappy ad and installing something bad on their workstation.

    I'm not defending IE, I'm just pointing out how it does not apply in this particular case and Mozilla will, by no means, be the end all of web-related tragedies.

  20. Use a proxy by dicepackage · · Score: 2, Insightful

    Users are not going to be smart enough to run Firefox and scan for spyware regularly. This stuff should be blocked at the proxy level. Doing it this way will allow for the spyware sites not to be able to communicate and therefore make it harder to install a lot of the spyware out there. If any spyware does get installed this will make it so it can't phone home and give away all your browsing habits. This can also save a considerable amount of bandwidth if done on a large scale.
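A proxy that denies the spyware domains (the squid filtering gustgr suggested earlier and the blocking described here) also produces the one log that tells you which desks to visit: an infected client keeps retrying its phone-home URL and every attempt is logged as denied. The script below is an added example written for this page, not code from the thread or from squid; it parses squid-format access.log lines and reports clients with repeated denied requests to blocked domains. The log lines and the blocked-domain set are constructed for the demonstration.

```python
"""Spot infected clients from proxy deny logs.

Added example for this page. SAMPLE_LOG and BLOCKED_DOMAINS are constructed
sample data; the line layout follows squid's native access.log format.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# squid native format: timestamp elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed: domains the proxy ACL denies.
BLOCKED_DOMAINS = {"ads.example.net", "tracker.example.org"}

# Constructed access.log excerpt: one client hit two ad banners while browsing,
# another POSTs to a tracker every minute with no page loads in between.
SAMPLE_LOG = """\
1095000000.101    12 10.0.1.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/...
1095000000.230     0 10.0.1.15 TCP_DENIED/403 1300 GET http://ads.example.net/banner.gif - NONE/-
1095000001.410     0 10.0.1.15 TCP_DENIED/403 1300 GET http://ads.example.net/banner.gif - NONE/-
1095000010.000     0 10.0.1.42 TCP_DENIED/403 1300 POST http://tracker.example.org/report - NONE/-
1095000070.000     0 10.0.1.42 TCP_DENIED/403 1300 POST http://tracker.example.org/report - NONE/-
1095000130.000     0 10.0.1.42 TCP_DENIED/403 1300 POST http://tracker.example.org/report - NONE/-
1095000190.000     0 10.0.1.42 TCP_DENIED/403 1300 POST http://tracker.example.org/report - NONE/-
1095000200.000   200 10.0.1.42 TCP_MISS/200 8192 GET http://www.example.com/ - DIRECT/...
garbage line that does not parse
"""


def parse_line(line):
    """Parse one squid native-format line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] == "CONNECT":  # CONNECT logs "host:port" with no scheme
        rec["host"] = rec["url"].rsplit(":", 1)[0].lower()
    else:
        rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def denied_by_client(log_text, threshold=3):
    """Return {client: Counter({blocked_host: n})} for clients whose denied
    requests to blocked domains reach `threshold`.

    A couple of denied banner fetches is just a user browsing; a steady run
    of denied POSTs to one tracker is something installed on the machine.
    """
    denied = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] != "TCP_DENIED":
            continue
        if rec["host"] in BLOCKED_DOMAINS:
            denied[rec["client"]][rec["host"]] += 1
    return {c: hosts for c, hosts in denied.items() if sum(hosts.values()) >= threshold}


if __name__ == "__main__":
    for client, hosts in denied_by_client(SAMPLE_LOG).items():
        print(client, dict(hosts))
```

Run it against the real access.log on a schedule and the output is the list of machines that need cleaning; the threshold is the knob that separates a user who loaded a page carrying an ad from a process that keeps knocking on a door the proxy has shut.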

  21. Win2K or XP Pro, and Limited User Accounts by gfecyk · · Score: 2, Informative

    Proven on two medium-sized networks I maintain for clients. No spyware in two years and I don't even bother with up-to-the-minute patches. Just patch for serious problems or when a service pack comes out.

    Limited User accounts also provide the best AV on Windows, second only to MS Office SP3 and later which block bad e-mail attachments, bad macros, etc by default.

    Finally, stand-alone NAT routers that act as firewalls keep worms out.

    Worried that your software won't work as a limited user? Harass the vendor. Go to their competition. Loosen up security on individual files and folders (hence, suggesting XP Pro instead of XP Home). Test, test, and test some more. You'll save hundreds if not thousands on annual AV subscriptions and catch new threats before the AV vendors (and Spybot / Ad-Aware) can.

    --
    Use Evolution instead of Outlook? Bewa
  22. Heretical advice??? by vudufixit · · Score: 3, Informative

    I did some spyware experiments of my own one day, to "ferret out" where some of this stuff came from. I did a clean install of XP on a machine, and carefully documented what I did, and the resulting changes in cookies, commit charge, etc. The results were interesting - I visited a lot of adult porn sites - literally just combining verbs and adjectives, and got very little in the way of spyware. I went to a particularly vicious site - default-homepage-network.com, and instantly got hit with a bunch of popups and three items immediately went into add/remove programs. Then I installed the "standard" kazaa - installing spyware programs was part of the initial installation!!! Commit charge went from about 100 megs right after a bootup, to 212 after installing Kazaa. Then, I wiped the machine out and installed XP and then SP2. The first things I tried - porn sites and default-homepage-network, didn't do anything - only Kazaa resulted in spyware, because installing it yourself is part of the package.

    When I clean out clients' PCs, I do the following:

    1. Safe mode, command prompt - delete everything I recognize as a spyware .dll or .exe, and I rename anything I believe may be a system file.
    2. Normal mode, uninstall any program with "rebates" "shopping" "bargain" etc...
    3. Install and run Adaware, Spybot, Hijack This, CW Shredder, and Spyware Blaster.
    4. Install SP2 if it's a recent machine - SP2 tends to crush PCs that have been running for a while.
    5. Scold them for downloading music, and remind them that not only will they have to pay me if their internet habits cause reinfection, but the greedy RIAA bastards may even come knocking one day.

    I agree that most 2004 and up versions of Symantec and McAfee include anti-spyware protection, as well. Not too impressed with Webroot Spysweeper - it's a rather ponderous product. Firefox is a damn good idea, too. And of course, stay away from "Spyware Stormer"

  23. Ad-Aware Plus/Pro by lwells-au · · Score: 2, Insightful

    The author mentions having Ad-Aware installed, but I assume s/he is referring to the 'standard' (free) version?

    If you go for the paid version it comes with an app called Ad-Watch which actively monitors your machine for spyware installs. See: http://www.lavasoft.de/software/adwatch/

  24. Ad-Watch by Takara · · Score: 2, Insightful
    With Ad-Aware 6 SE Plus and Professional, there is an application called Ad-watch. It provides realtime protection from registry changes, browser hijacks and blocks suspicious processes.

    It's not free though

  25. Re:Easy solution by mrmagos · · Score: 5, Insightful
    As the security administrator of a small liberal arts college, this switch has probably made the largest impact on desktop support issues. Unfortunately, you can't fully remove IE, but removing shortcuts seems to be good enough to prevent most end users from using it. The other consideration is that many sites use IE-specific extensions, which breaks how Firefox renders the page. For example, we use Exchange with the Outlook web client for student email access and web access. The client is usable with Firefox, but some features, like the check name applet, do not work. A desktop URL opened in IE is our workaround... I guess my point is that you really need to review which web apps and sites your users want to access to truly weigh the pros and cons. In our case, the benefits were greater, and we made the transition as gracefully as possible. I know the parent means well, but sometimes the solution isn't that easy.

    --
    Never start vast projects with half-vast ideas.
  26. FFox by MadEmperor · · Score: 3, Interesting

    I love how all the FFox/Mozilla comments get a score of 1.

    The truth of the matter is Mozilla does indeed prevent quite a bit of malware from entering your computer.

    Oh well, I'm sure this will be modded 1 - Redundant

  27. Re:Easy solution by lessthanjakejohn · · Score: 2, Insightful

    You mean you found more cookies in Firefox because you use it more often?

  28. Re:Easy solution by Em+Ellel · · Score: 5, Informative

    Why is a normal user allowed to install programs in the first place?

    Because that computer thing is meant to be USEFUL

    --
    RelevantElephants: A Somatic WebComic...
  29. DeepFreeze = best. prog. EVER. by Sven+The+Space+Monke · · Score: 5, Informative
    Oh my god, I'm surprised it took that long to mention DeepFreeze. I LOVE DEEP FREEZE. I only manage 70 comps at a LAN center, but if you think office drones are demanding, try gamers. We used to have the comps locked down as tight as possible (well, as tight as you can get with XP Pro and still have games/PunkBuster be functional), and we still had to do regular weekly maintenance (AV, spyware removal, etc). With DeepFreeze, you can set up a 2 gig thaw partition that allows people to save any files they might need, and they can still save files to a network drive, but the C: drive (or any other fixed drive you want) has a persistent image resident. They can save any files they want, make any changes they want, delete anything they want, but on next boot, everything on a frozen drive is back to the way it was before. They can't permanently install any progs, but honestly, when should a user be installing anything anyway? The best part is, I can go about a month between issues that can't be solved by a reboot.

    --
    A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.
    1. Re:DeepFreeze = best. prog. EVER. by mindstrm · · Score: 2, Insightful

      A few caveats -

      In an office environment:
      - users will likely save documents where they shouldn't, and they will be erased on reboot.
      - windows updates get to be a pain, especially with automated services.

      A lan center in this respect is a lot less demanding than an office, where people DO have personalized machines.

    2. Re:DeepFreeze = best. prog. EVER. by drinkypoo · · Score: 4, Informative
      Windows updates are easy: In the middle of the night, thaw the machine from the console (automated), run the updates (automated - you ARE using SMS right?) and then re-freeze it in the morning before they come in. The problem of users saving documents in the wrong location is still an issue but can be mitigated in many applications by the use of default document save paths.

      A somewhat better way to handle the freeze/thaw thing is to run your updates weekly and cycle the machines on the weekend. If you're really worried about your users losing data you can search their machines (via administrative shares, in an automated fashion) for documents modified in the last week and shovel them into a separate folder on the permanently thawed drive.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:DeepFreeze = best. prog. EVER. by hazem · · Score: 4, Interesting

      I once set up a similar system using a small linux installation.

      1) set up windows on half the drive
      2) install a small version of linux on the other partition
      3) make an image of the windows drive that is stored on the linux side
      4) I set up some rudimentary scripting that worked with lilo boot options.

      Normal operation is to boot to Linux, then extract the windows image over the windows partition. It then reboots. You can feed lilo an option to override its default boot option and go directly into windows. On next reboot, you go back into linux.

      I even set flags where you can turn off the auto-rebuilding, set it for daily rebuilding only (first boot of the day), or make it strictly manual "your computer is goofy? Okay, reboot, and select rebuild. Get some coffee and come back".

      As another poster said, you do have to turn off all the auto-updates because they'll continually trigger. But it is so nice to not have to tend to the machines until you want to do those updates.

      I don't have the setup on a website, but if you're interested, send an e-mail to username dfrakes at the new google email service. I'd be glad to send my scripts along.

      We had a lab of win98 boxes - all PII-300's or less that would rebuild their 1.5GB windows image in about 11 minutes. I used tar/gzip for the image, but it can work just as well with dd/gzip and may even go faster. In that case, the smaller your windows drive, the better your performance will be.

      It was great in an academic computer lab where the users shouldn't be messing with things!

    4. Re:DeepFreeze = best. prog. EVER. by hazem · · Score: 3, Informative

      I'm going to try posting this and hope the lameness filters don't get me.

      I hope this helps! If you find any mistakes, please feel free to contact me. If you find it really useful, I'd love to hear about it.

      I'd release this under the GPL, but darn, it just doesn't seem like there's enough there to bother. I mean... can you really GPL some config scripts?

      I found it helpful to configure the Linux stuff on one computer, then using a bootable Linux CD (I didn't want the local box slowed down by unnecessary services like networking), I put it on a server, called lin.tgz. I then booted on another machine with the bootable cd, and applied it to the /dev/hda2. If that was mounted to /lin, you'd then need to do a "chroot /lin" and then run /sbin/lilo to get lilo installed.

      Good luck!

      Linux Rebuilder
      By Dale Frakes
      Write-up version 0.1, 19 October 2004, 4:17AM

      This set of tools helps automate the process of keeping a Windows box with a consistent image. It works similarly to "Deep Freeze" by storing an image of the Windows system and all its software on a Linux partition. The computer boots into Linux, which restores this image to the Windows partition (overwriting whatever the user did before). It then reboots into Windows.

      ** Installing/Setup **
      The scripts as I have written them use tar/gzip to make the image of the Windows partition. This is because I was working on Win98 boxes that use FAT32 (which Linux can easily read and write). Linux does not yet reliably write NTFS, so to use this on an NTFS based Windows system, such as Windows 2000, or Windows XP, the scripts will need to be rewritten using dd/gzip rather than tar/gzip.

      Here are the basic steps:
      1) Install Windows on your computer. If you are using one drive, partition that drive in half (or, if you know how much space you'll need, just a little more than that). Install all your applications and customize the Windows "image" so that it is exactly the way you want it to be each time you reboot.
      2) Install some Linux version on the other half. Keep it small, since you won't need networking, X, or much else.
      3) Create a /rebuilder directory and place the following files in that directory: getimage, putimage, rebuilder, win_reboot
      4) Modify /etc/rc.local to point to /rebuilder/rebuilder
      5) Modify /etc/lilo.conf to match the menu options in my lilo.conf. Run lilo.
      6) Create a /images directory to store the image.

      For FAT32 systems using tar/gzip, you'll need to add an entry to your /etc/fstab to mount /dev/hda1 to /win.

      ** Useful Points **
      There are two main keys to why this thing works pretty well. First, lilo can invoke the same kernel with different options. The menu options I place in lilo.conf do this. The other key is contained in the win_reboot file. By invoking lilo with the -R option followed by a boot label, (eg. "lilo -R Windows"), lilo will override its default boot option on the next reboot.

      There are two other nice features that work nicely. The first one is that while the kernel is loading, the keyboard cannot interrupt the process. This is great for keeping someone from hijacking the system. The second is that putting the line "password=""" in lilo.conf will password-protect the boot options that do not have a "bypass" in them. This allows the user to do some things, like boot directly into Windows, or even rebuild the Windows partition, but not make a new image of the Windows partition.

      If you're going to do a dd/gzip option, you'll want to wipe your Windows partition's empty space. From the documentation for g4u, there is a link to a program called nulfile, which will fill up the empty space with 0's. http://www.feyrer.de/g4u/

      (If you like imaging, check out g4

  30. The layered onion approach... by urlgrey · · Score: 5, Informative

    Assuming you have to run Windows, first remember there are multiple steps that you'll likely have to take with no silver bullet. Consider these 10 steps as a spring board:

    The first step is to put in place policies (where possible) on domain controllers that prohibit both the installation of BHOs and of other software by anyone other than Administrators. Given that many, many bits of spyware (I'll go out on a limb and say most) work as (so called) "browser helper objects", don't let people install them at all. Other software Administrators can install when needed. It's actually fairly easy to do.

    Second, where possible, deploy W2K or XP, and...

    Then, third, where possible, yank people's admin privs. In virtually all cases, with a bit of good ol' trial-and-error, you can successfully adjust users' permissions to take away admin from most folks. Let's face it, most people SHOULD NOT have the ability to have admin on their own machines.

    Fourth, where possible, dump IE.

    Fifth, do some short SMALL GROUP tutorials about the evils of spyware and how it works. (I found this to be surprisingly useful for teaching users about passwords.)

    Sixth, where possible, dump IE.

    Seventh, consider netbooting the workstations and storing users files on fileservers. That way the OS you give 'em is the OS they get and it's always the same every day. (Tell them to think of it as life imitating art as in "50 First Dates", where they get a fresh start every day....)

    Eighth, where possible, dump IE.

    Ninth, go with something many of the folks here have/will recommend in terms of enterprise-based anti-spyware/anti-virus/anti-?????? software. I used Norton Corporate Edition in a fairly recent gig, and while that particular version didn't check for spyware, there are a number of solutions others are proposing that will. (The Corporate Edition is critical to your sanity--you can manage the AV software on *all* desktops via a central console.)

    Last, and not least: dump IE.

    --
    Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
  31. Re:Easy solution by drumist · · Score: 2, Funny

    You found spyware in Firefox? Maybe you shouldn't have installed that Firefox fr3E v|4GRa extension...

  32. It's called Active Directory by Digital+Dharma · · Score: 2, Informative

    Active Directory allows an Administrator complete and total control over his/her domains, up to and including limiting the ability of other administrators to install/remove software. On my last assignment we used a combination of AD, RIS and scripting to monitor the computer states of those with local administrative rights (think executives here who incessantly whine about not being able to control their computers) so that any unauthorized changes to the allowed states were undone every 5 minutes. When I started the assignment the Cisco routers were reporting over a Gb of spyware-related traffic every day. We reduced that to less than 1Mb per month. MS SMS pretty much does the same thing, but if you know anything about scripting and batching you can accomplish just about everything that overpriced product does.

    --
    End of Line.
  33. Re:Easy solution by Frogbert · · Score: 2, Interesting

    Yes, actually it does. You see, 9 out of 10 "Your computer is not optimised" ads are popups. Therefore Mozilla does a lot for it.

    There are however more issues than this. For example, Firefox's cache is stored in the wrong directory in your user profile, so if you have the standard 50 meg cache and log onto another computer you have to wait whilst it copies across.

  34. Re:Easy solution by civilizedINTENSITY · · Score: 4, Interesting

    I am so sick of hearing that "once [fill in the blank] reaches critical mass, it will have the same problems." That sidesteps the issue of design, as though all designs are created equal. This viewpoint only works if you view your computer as a magic (black) box with no discernible internal structure or parts.

    Methinks it says much more about the people who utter the phrase than it does about the systems they suggest are inherently equal.

  35. Re:Easy solution by NoMoreNicksLeft · · Score: 4, Funny

    But it's true. Apache eventually won out over IIS, and what happened? 10 apache worms a week, every week for the past 2 years. And don't even get me started on the local exploits. Apache, the worst httpd ever!

    Oh wait. Never mind.

  36. Did you pay for it? by killjoe · · Score: 5, Insightful

    So you installed ad aware and spybot on most of 2000 systems. Did you pay the authors of those software any money? Maybe if you paid them some money they could help you roll out massive deployments or modify their software to suit you.

    My guess is that like most companies you installed them without paying because you didn't have to fill out forms or break your budget. Now you are looking to pay somebody else for software after using their products for all this time.

    Just doesn't seem fair.

    --
    evil is as evil does
  37. Re:Easy solution by Anonymous Coward · · Score: 2, Insightful

    Does it magically prevent people from downloading "The Cute Puppy Screensaver" complete with free URL tracking and home page replacing features?

    Now, no doubt, someone out there is saying "Yeah, just educate the users, and smack them hard when they do it." Good luck on your first round of job interviews once you get out of college, kiddo. Aside from those clueless users needing smacking quite often being your boss, or at least more likely to be on a first name friendly basis with oh, say the CIO or VP in charge of finance, when the spyware becomes an issue, it will be YOUR head on the chopping block if there isn't a "solution" from the IT department. After all, in most people's minds, the computers are YOUR responsibility, not Martha, the chatty legal assistant who likes to coupon collect and shop using "Super PiggySaver" during her lunch break.

    So, by all means, educate users in proper computer use, post acceptable use policies, push for a more secure browser deployment, lock down the computers security policy to prevent as much as possible a user from installing random crap, but also prepare to install what tools you can to correct and deal with problems after they occur.

    And, BTW, in the right (wrong) hands, even Firefox can be used to so load down a computer with crapware and spyware that it doesn't have a spare cycle to do any real work.

    Now, if you don't mind, I just got an urgent support ticket from Martha to attend to.

  38. Re: Consider removing IE completely by Alwin+Henseler · · Score: 2, Informative
    using tools like LitePC.

    Many vulnerabilities in Windows aren't so much in Windows itself, but in IE (or Outlook, or ...). Some of those flaws can be avoided by not using IE, but some more may be avoided if you have IE not installed at all.

    By default Windows doesn't allow IE to be uninstalled, and MS once claimed it would render Windows unusable. Tools found on above website prove otherwise. You can also use these to remove other unneeded Windows components.

    Fully removing IE may have some drawbacks, but usually you can do fine without. If you have doubts, just try the preview version on a couple of boxes. There's a free utility for just removing IE from Windows 98 systems.

    For best results, consider removing Windows as well...

  39. Re:Easy solution by civilizedINTENSITY · · Score: 2, Informative
    Our library moved to Firefox with similar positive results. In regard to a mail server, our university uses SquirrelMail, which is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
  40. Is this a company? by duffbeer703 · · Score: 2, Insightful

    If it is, the solution is simple:

    - Obnoxious, nazi-like filtering at the proxy level.

    If people want to surf or play games, suggest they seek another job.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  41. Re: Those are after the fact solutions. by anakin357 · · Score: 4, Informative

    You need to stop them before they are able to install one piece of code on the system.

    1). You can do a few things, namely locking the computers down using the Microsoft Policy Editor (as I am sure you are aware of its existence).

    2). Make sure that no user has administrative access, and that downloading / installing programs is not allowed - if they need programs, that is what their roaming profile is for.

    3). Also keep an image available of every system so that you can restore to a known good working point.

    4). Invest in a decent SAN and keep the roaming profiles there, ALL documents should be kept on the SAN / roaming profile so that re-imaging the computers when they do get things on them does not cause valuable work to be lost.

    Perhaps suggest hiring a freelance IT guy who knows how to do such things if you do not, there are plenty here who need the work.

    If you can get to the control panel, display settings, look in the C: drive, change IE options, etc, you're doing things wrong, it's not locked down enough.

    Yes, it's a pain for the users, but it does alleviate the potential of corporate espionage (don't believe it doesn't exist, it most certainly does) and also spyware/adware/etc screwing up your computers.

    These are just the basics, but it's worked fine for the company I work for; after some user adjustments it's actually not that bad. The only thing you lose is the storage on the clients, and possibly a big investment in a SAN ranging from 1TB on up, which can be moderately expensive.

    --
    http://www.fsckin.com/
  42. Lock 'em Down by MBCook · · Score: 2, Interesting
    Yes, you can run ad-aware and whatnot, but there is a better way.

    Do all the computers (or even most) really need to be able to install applications and such? Is that really necessary? Lock them down! Lock them down TIGHT so the users can't install stuff. Lock out all internet access (through a proxy or something) for any computer/user that doesn't need it for their job. Use something like Ghost or DeepFreeze to restore computers nightly/weekly/whenever there is a problem. That way, even if something DOES get installed, it will be gone when the computer is re-imaged over the LAN (overnight, perhaps).

    And don't forget the users. Not only do they need to be educated, but put some kind of penalties on them for getting spyware installed. Give them one "warning", then after that start doing things. They lose internet (if possible), they get docked a little pay/vacation time/sick days, something. You'd obviously have to talk to a lawyer to make sure it's legal and such, but when it becomes the user's problem too, they'll care a lot more. Another great suggestion is this. Is there some kind of message of the day or bulletin board or something? Post the names of repeat offenders on it for a few days after each incident. That kind of publicity can work too (again, make sure it's worded in a way that can't get you in trouble, check with the law guys).

    Through removing unnecessary permissions, restoring the OS, and just plain old humiliation... you can make your spyware life easier.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  43. Securing insecure systems? by cpghost · · Score: 2, Interesting

    You can't a posteriori secure systems that have never been designed with security in mind. It's a lost battle, no matter what ingenious ideas you or your AV vendors may come up with. Get over it.

    Or at least move the more sensitive systems to a heavily firewalled environment within your net. This means: blocking ALL incoming (obvious) AND outgoing (spyware wants to phone, mail, ... home) traffic; effectively isolating the subnets from the rest of the net. It's not always necessary to be hooked to the outside world. If departments can connect to your data center or servers, that's all they need. Nothing more, nothing less.

    ... or switch to more secure operating systems, be they MacOS, *BSD/Linux, Solaris, ..., or whatever else can provide a decent desktop and office apps for your company.

    Good luck!

    --
    cpghost at Cordula's Web.
    1. Re:Securing insecure systems? by forkazoo · · Score: 2, Insightful

      Regarding the choice of OS... I know this is gonna be a bandwagon comment, since this is slashdot, but I say this as a guy who makes his living fixing windows boxen, and is currently applying for an even better paying job fixing windows boxen... I'm typing this from my iBook.

      Whether you choose Mac OS, Linux, BSD, Irix, Solaris, VMS, or the Amiga obviously depends on what sort of apps your users need, but most everything can be done without Windows.

      Some people will tell you that Total Cost of Ownership is total bunk, and that Windows isn't more expensive to run. My paycheck *is* the Windows TCO.

  44. Thin Clients by fire-eyes · · Score: 2, Informative

    If your users must have windows workstations, set them up with thin clients via PXES. Have them connect to MS terminal servers (2003 ent preferred).

    Single point of control (at least per server). Save insane amounts of money.

    --
    -- Note: If you don't agree with me, don't bother replying. I won't read it.
  45. A combined approach works best by davidwr · · Score: 2, Interesting

    Rather than answer your question, I'll address the problem.

    You need to attack spyware and unwanted adware from multiple angles.

    Before you begin: If possible, remove the IE icon and remove Outlook and Outlook express and install alternative products that are less of a target. Keep the Windows Update icon or automate this process.

    Next, you need to educate your users. No, this won't stop them, but they'll at least have a clue when your anti-spyware software keeps their favorite new spyware-infested app from running.

    Once your users are educated, you need prevention. This means perimeter firewalls that scan all traffic for known spyware. This might make for unacceptable performance, so this needs to be looked at carefully.
    You need firewall software on each machine that will whitelist or blacklist certain activity, or raise alarms or lock the machine if things look suspicious.
    You need network monitors that monitor internal traffic and raise alarms or isolate computers that are acting suspiciously.
    If your network is of any size, partition it by department or other logical unit so if one person gets infected and it gets past the PC's firewall, the damage is contained to a department or group.

    On each machine, run a realtime spyware-blocker program alongside your antivirus program.

    Now for the cure. Sweep all your machines, particularly user-writable areas of servers, for infections on a regular basis. For volatile areas of servers and write-enabled network shares on workstations, hourly isn't too much; for other areas of servers and for workstations, daily or weekly may be enough. Have a ready-response plan in place in case anyone's computer is acting funky. Be ready to disconnect them from the network remotely or make sure they know how to pull the plug. Even better, if your routers and firewalls can do it, isolate the machine on its own "network" that just has access to "emergency tools" including all the software they need to disinfect their system and/or rebuild it.

    Optionally, get legal involved and have a plan for collecting forensic data that you can turn over to the police. This is NOT optional if you are a bank, gambling site, or other likely target of organized criminals who will blackmail you.

    Now, if you have a relatively small network behind a NAT firewall and block all unneeded external ports, and your users are well educated and don't use IE or Outlook or Outlook Express, these are probably overkill.

    I didn't mention wireless networks and securing parts of networks used by guest users plugging in their laptops. If these apply to you, treat them as "outside the network" and make them come in through a VPN or something similar unless you are ABSOLUTELY certain no unfriendly users can connect. Speaking of VPNs, anyone coming in through a VPN is probably NOT running a box you manage, so they may already be infected. Treat them as such. Worse, they may be clean but be connected to other networks, and may become infected AFTER you've scanned them and found them clean.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  46. xterm by sPaKr · · Score: 2, Insightful

    You need central computing. One (or few) big servers that are kept clean and well managed. Then make the remote clients dumb, locked down, and netbooted if possible. So basically what you want is xterminals. Have them run a local Citrix client to access winblows apps and you're done. This doesn't fix the sales department laptops, but then again nothing will; it's best to put those on a rotating plan where sales guys drop off the laptop every few weeks for preventive maintenance (wipe the machines, and install the latest updates). Also make sure you rotate the laptops; this prevents people sticking their own crap on them. USB keys can work well for storing local stuff, if VPN-protected netshares are not available. In the end you will spend man-years protecting individual machines, while protecting one machine is much more feasible. In the 80s we ran away from network computing because networks were very unstable and slow. Now that ethernet is more reliable, and 100Mb or faster is the norm, network computing makes much more sense.

  47. Why Mozilla/Firefox is a good partial solution by leereyno · · Score: 3, Funny

    The reason why ignorant (I'm being kind) users are installing crapware in the first place is because they clicked on a pop-up window that led them to the crapware in the first place.

    Because pop-ups can be disabled in Mozilla/Firefox, said users never see them and therefore are far less likely to install the crap.

    Let's not forget the tradition of there being a new remote exploit discovered for IE every couple of weeks.

    I do IT support in an academic environment and I've found that just hiding IE's presence on a system and replacing it with Firefox means that I'm far less likely to have to deal with some security issue on that system again in the future.

    My steps to securing an XP Box:

    0) Optional: Install SP2 if possible/safe

    1) Turn on the firewall
    2) Set the system to auto-update
    3) Install good AV software and set it to auto-update and scan the system each day
    4) Get rid of IE
    5) Get rid of MSN messenger
    6) Cross your fingers
    7) Pray

    Optional:

    8) Sacrifice Chicken

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  48. spywareblaster by mpost4 · · Score: 3, Informative

    It selectively breaks ActiveX to prevent spyware. I use it on my only Windows box. Failing that, I have Linux on 2 systems and Mac OS X on the other two. And on my work box, which is dual boot, I have SpywareBlaster on the Windows part.

  49. and back again to... by Phucilage · · Score: 2, Interesting

    Some kind of proxy helps prevent a lot. Proxomitron is an easily configured proxy that helps cut down a LOT of the crap you run into.

    That coupled with something like Ad-Aware + Spybot + Spy Sweeper (yes, all three) works relatively well to keep most crap out. I recommend all three specifically because, having to remove spyware from 30ish computers a day as a Geek Squad Agent at Best Buy, I've discovered that of the three, even with the -1 day definition updates, you still find things in each one that the others do not.

    You might try finding some other spyware detection apps, NAV 2004/2005 detects and removes SOME (but to be quite honest, not as much as they claim), but the more the merrier. Easier? Less time consuming? Of course not, but removing as much as possible once a week usually leads to having to remove less daily (even in a corporate environment, this could be every 3 days instead of every single day, depending on how many porn/gambling addicts you guys have on your payroll ;>).

    just my two scratched up green pennies.

  50. Re:Had to be said... by senatorpjt · · Score: 2, Insightful

    The problem is that Microsoft still hasn't gotten around to making the system usable without running it as Administrator. Even if it does get to the point where there is spyware, it can't do nearly as much if it can't read/write anywhere on the drive that it wants.

  51. Re:re-imaging by tomhudson · · Score: 2, Informative
    Another thing you can do to make the whole restore process quicker is, before creating the original image, write a program to fill up the unused space on the source drive's file system with huge files containing just a bunch of 0x00s (nulls), then, when the file system is full, delete those files.

    Now you're ready to do a dd if=/dev/source_partition of=my_image.img

    When you zip the resultant img, it will compress much more because, instead of random data on the unused parts of the drive, it's just a bunch of nulls.

    When you go to restore, it will also uncompress quicker because, again, the empty space is just a bunch of nulls, instead of random bits.

    This means you could do a quick restore from a compressed image off a cd-rom, even with the cd-rom's lower data transfer rate.
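    The two imaging comments above (hazem's Linux Rebuilder write-up and this dd/zero-fill tip) describe the same restore cycle without showing any script text. The following added example is not either poster's code: it is a small POSIX sh rebuilder of my own that captures a golden tree with tar/gzip, restores it on boot, zero-fills free space before a dd-style image, reads a `rebuild=` kernel option and uses `lilo -R` for the one-shot reboot into Windows. The paths, the lilo label `Windows`, the `rebuild=` option and the `DRY_RUN` switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not hazem's or tomhudson's own scripts. Everything below that names a path,
# a lilo label or a boot option is an assumption for illustration.

WIN_MNT="${WIN_MNT:-/win}"              # FAT32 Windows partition, mounted via /etc/fstab
IMAGE="${IMAGE:-/images/win.tgz}"       # stored tar/gzip image of that partition
STAMP="${STAMP:-/images/last_rebuild}"  # date of the last rebuild, used by "daily" mode
WIN_LABEL="${WIN_LABEL:-Windows}"       # lilo label that boots Windows directly

# run CMD...: execute, or only print when DRY_RUN is set, so the reboot path can be
# exercised on a box without lilo or a Windows partition.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# zero_fill DIR [MAX_MB]: fill free space with NUL bytes, then delete the file, so unused
# blocks compress to almost nothing in a dd image. Without MAX_MB it runs until ENOSPC.
zero_fill() {
  dir=$1; max=${2:-}
  if [ -n "$max" ]; then
    dd if=/dev/zero of="$dir/zero.fill" bs=1M count="$max" 2>/dev/null
  else
    dd if=/dev/zero of="$dir/zero.fill" bs=1M 2>/dev/null || true   # ENOSPC is expected
  fi
  sync
  rm -f "$dir/zero.fill"
}

# getimage DIR IMAGE: capture the golden Windows tree as tar/gzip (the FAT32 variant).
getimage() { tar -C "$1" -czf "$2" . ; }

# putimage IMAGE DIR: throw away whatever the user changed and restore the golden tree.
putimage() {
  find "$2" -mindepth 1 -delete
  tar -C "$2" -xzf "$1"
}

# rebuild_mode CMDLINE: read the rebuild= option that a lilo menu entry appended to the
# kernel command line. Modes: always (default), daily, manual.
rebuild_mode() {
  for tok in $1; do
    case "$tok" in rebuild=*) echo "${tok#rebuild=}"; return 0 ;; esac
  done
  echo always
}

# decide_rebuild MODE STAMPFILE TODAY: exit 0 when the image should be restored now.
decide_rebuild() {
  case "$1" in
    manual) return 1 ;;
    daily)  [ -f "$2" ] && [ "$(cat "$2")" = "$3" ] && return 1   # already done today
            return 0 ;;
    *)      return 0 ;;   # "always" and anything unknown: safest is to rebuild
  esac
}

# mark_rebuilt STAMPFILE TODAY: remember that today's rebuild happened.
mark_rebuilt() { echo "$2" > "$1"; }

# win_reboot: one-shot override of lilo's default entry, then reboot into Windows. On the
# boot after that, lilo falls back to the Linux default and the cycle repeats.
win_reboot() {
  run lilo -R "$WIN_LABEL"
  run reboot
}

# rebuilder: what /etc/rc.local runs on every Linux boot.
rebuilder() {
  today=$(date +%Y-%m-%d)
  mode=$(rebuild_mode "$(cat /proc/cmdline)")
  if decide_rebuild "$mode" "$STAMP" "$today"; then
    putimage "$IMAGE" "$WIN_MNT"
    mark_rebuilt "$STAMP" "$today"
  fi
  win_reboot
}

case "${1:-}" in
  rebuild)  rebuilder ;;
  getimage) getimage "$WIN_MNT" "$IMAGE" ;;   # reach this only from a password-protected lilo entry
esac
```

For an NTFS box the `getimage`/`putimage` pair would become `dd`/`gzip` over the raw partition, which is exactly where `zero_fill` pays off.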

  52. you can still play the game by Clover_Kicker · · Score: 2, Insightful

    If you want to play hardball, let them approve silly stuff. Make sure there is a paper trail of who approved what, and make sure they take the heat for whatever problems are caused.

    You need the support of your own management, and an evil+political person to prepare the very thorough document describing all the problems caused by $stupid_app. Don't be afraid to estimate costs incurred by the incident.

    If management finds their own nuts in the wringer because of a dumb decision, they might not sign off so quickly next time.

    (If you don't have the support of your own management, of course you're fucked anyway.)

    The companies with hard-ass policies didn't get that way overnight; you need to demonstrate the problem in a way that even senior management can understand.

  53. Re:Easy solution by tomhudson · · Score: 3, Insightful

    And, BTW, in the right (wrong) hands, even Firefox can be used to so load down a computer with crapware and spyware that it doesn't have a spare cycle to do any real work.
    Just try downloading a pdf in firefox from a slashdotted site - the browser just locks up solid for minutes.

    You also still have to exit and restart the browser every few days as it tends to get sluggish after a while.

  54. easiest solution by senatorpjt · · Score: 3, Funny

    When someone's computer gets fucked up, just set a firewall on their IP so they can only access a list of websites, and block their email so they can't receive any executable attachments. That'll teach them.

    There's no reason for most people to need access to the whole internet at work, other than work would really suck if I actually had to work instead of sitting around and reading Slashdot.

  55. www.pestpatrol.com by sid+crimson · · Score: 2, Informative

    Pest Patrol. There is a 30-day / 25-user trial available online. They were recently purchased by Computer Associates, and this product will be rolled into their Secure Content Manager package in a year or so.

    -sid

  56. Deny write access to the registry. Whitelist BHOs by Wiseleo · · Score: 5, Informative

    My solution is simple.

    No user can write to the registry in the common spyware places. All access to write to the areas of the registry that are commonly attacked by spyware is removed by GPO. That is - no unapproved shell extensions, no BHO add access, no new Explorer bars, no ability to modify the Winsock32 stack, no install privileges. All apps are deployed through GPOs. There is a white list of approved ActiveX in general and BHO controls.

    Spyware usually requires BHO access to tap into IE. Removing that access is good. White list enables the ability to provide desirable BHOs, such as Google and Yahoo bars, as well as internally developed apps.

    --
    Leonid S. Knyshov
    Find me on Quora :)
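
    A way to check that the whitelist described above is actually holding on a given machine, as an added example (not the poster's tooling): parse a regedit export of the locked-down areas and flag every Browser Helper Object CLSID and every Run autostart value that is not on the approved list. The export text, the CLSIDs and the allowlists are all constructed placeholders, not real products; only the .reg file syntax and the key paths are real.

```python
# Added example (not from the thread): audit a regedit export for BHOs and
# autostart entries that are not on the approved list. Every CLSID, name and
# allowlist entry here is a constructed placeholder.
import re

# Areas the GPO locks down; each carries the allowlist an admin would maintain.
WATCHED = [
    {   # every subkey (the BHO's CLSID) must be approved
        "path": r"\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
        "kind": "subkeys", "label": "BHO",
        "allowed": {"{11111111-AAAA-BBBB-CCCC-000000000001}",   # constructed: search toolbar
                    "{11111111-AAAA-BBBB-CCCC-000000000002}"},  # constructed: internal add-on
    },
    {   # every value name under the key must be approved
        "path": r"\Microsoft\Windows\CurrentVersion\Run",
        "kind": "values", "label": "Run",
        "allowed": {"officeagent", "avclient"},                  # constructed names
    },
]

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?P<name>[^"]*)")=(?P<data>.*)$')


def parse_reg(text: str) -> dict:
    """Map each [key path] in a .reg export to {value name: raw data string}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1) + "\\" + m.group(2)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group("name")
            keys[current][name] = m.group("data")
    return keys


def audit(reg_text: str, watched=WATCHED) -> list:
    """Return (area, entry, detail, verdict) for every item in a watched area."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        for area in watched:
            idx = path.lower().find(area["path"].lower())
            if idx == -1:
                continue
            tail = path[idx + len(area["path"]):]
            if area["kind"] == "subkeys" and tail.startswith("\\"):
                clsid = tail[1:].split("\\")[0].upper()
                detail = values.get("@", "").strip('"')
                verdict = "allowed" if clsid in area["allowed"] else "UNAPPROVED"
                findings.append((area["label"], clsid, detail, verdict))
            elif area["kind"] == "values" and tail == "":   # exact key, not RunOnce etc.
                for vname, data in values.items():
                    if vname == "@":
                        continue
                    verdict = "allowed" if vname.lower() in area["allowed"] else "UNAPPROVED"
                    findings.append((area["label"], vname, data.strip('"'), verdict))
    return findings


# Constructed export: one approved BHO, one unknown BHO, one approved and one
# unknown autostart entry. (Real regedit exports are UTF-16; decode first.)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-AAAA-BBBB-CCCC-000000000001}]
@="Approved Search Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-0000-4000-8000-00000000C0DE}]
@="SuperShopper Savings Helper"
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeAgent"="C:\\Program Files\\Office\\agent.exe"
"lsass32"="C:\\WINDOWS\\Temp\\lsass32.exe"
"""

if __name__ == "__main__":
    for area, entry, detail, verdict in audit(SAMPLE_REG):
        print(f"{verdict:10} {area:4} {entry}  ({detail})")
```

    Feed it the output of `regedit /e` for the two keys (decoded from UTF-16), and anything marked UNAPPROVED is either a gap in the GPO or a BHO that was registered before the lockdown and needs removing; the same allowlist is what the GPO should be enforcing, so the audit and the policy stay in step.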
  57. Prevent malware with DNS and other tools by Derge · · Score: 2, Informative

    First off, you are going to have to start off clean. That means spending time at each workstation. There is no magic wand that will get rid of everything your machines have gotten. You've got to use the tools that are available to start clean and then focus on prevention.

    Cleaning: Have someone sit down at each workstation. Install and update ad-aware and spybot and start them running, clear temp internet files and cookies.

    Prevention: You are running a DNS server on your network, right? Put this list of domains in your DNS pointing to the loopback address: http://mvps.org/winhelp2002/hosts.txt Or, you can install the file on individual machines as a hosts file (as was intended by the authors of the list above) and "lock" the file with this: http://www.mvps.org/winhelp2002/lockhost.bat

    Install Spybot and during installation, install the updates and use the "immunize" feature. Increase Internet Explorer security settings.

    Install Mozilla Firefox, make Qute theme the default. Right click on the Firefox icon on the desktop and quick launch bar and change the icon to the famous blue e icon. Change shortcut name from "Mozilla Firefox" to "Web Browser". Install the flash plugin and put the stupid "go" button on the tool bar. Make firefox the default browser when asked and also go into the windows control panel and make it the default again. (Windows Update when launched from the start menu will still launch in IE.)

    Tell users not to download and install anything from the internet because it will break their computer. If you don't tell them, they won't know. Good luck!
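
    The two deployment options above (hosts file on each machine, or the same list served by your DNS) behave differently, and this added example (not the poster's script) shows how: it parses an MVPS-style hosts list, answers "is this name blocked?" the way a hosts file would (exact match) and the way a blackhole zone on the resolver would (the name and everything under it), and emits the BIND 9 `named.conf` entries plus the one shared zone file that makes every listed domain resolve to loopback. The sample list uses constructed names under `.invalid`, not entries from the real MVPS file.

```python
# Added example (not from the thread): MVPS-style hosts list -> exact-match
# lookup (hosts file semantics) and DNS blackhole config (zone semantics).
# Sample domains are constructed; BIND 9 syntax is real.
from typing import Iterable, Set

SAMPLE_HOSTS = """\
# constructed sample in the MVPS hosts format (not the real list)
127.0.0.1  localhost
127.0.0.1  ads.example-adnetwork.invalid  # banner server
0.0.0.0    tracker.example-spyware.invalid
127.0.0.1  www.example-spyware.invalid
   # blank and comment lines are ignored

"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# One zone file serves every blocked domain: '@' is whatever zone loads it,
# and the wildcard catches subdomains. Serial/timers are constructed values.
BLACKHOLE_ZONE = """\
$TTL 3600
@   IN SOA  localhost. hostmaster.localhost. ( 2004110101 3600 900 604800 3600 )
@   IN NS   localhost.
@   IN A    127.0.0.1
*   IN A    127.0.0.1
"""


def parse_hosts(text: str) -> Set[str]:
    """Hostnames the list sinkholes, minus the localhost entries it must keep."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] in SINKHOLES:
            for name in parts[1:]:
                name = name.lower().rstrip(".")
                if name not in ("localhost", "localhost.localdomain"):
                    blocked.add(name)
    return blocked


def hosts_file_blocks(name: str, blocked: Set[str]) -> bool:
    """A hosts file matches the exact name only."""
    return name.lower().rstrip(".") in blocked


def dns_zone_blocks(name: str, blocked: Set[str]) -> bool:
    """A blackhole zone on the resolver also answers for every label below it."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def bind_blackhole_config(blocked: Iterable[str],
                          zone_file: str = "/etc/bind/blackhole.zone") -> str:
    """named.conf snippet: one master zone per blocked name, all sharing
    BLACKHOLE_ZONE so the A record comes back as 127.0.0.1."""
    lines = [f'zone "{name}" {{ type master; file "{zone_file}"; }};'
             for name in sorted(blocked)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for probe in ("ads.example-adnetwork.invalid", "cdn.ads.example-adnetwork.invalid"):
        print(f"{probe:40} hosts={hosts_file_blocks(probe, blocked)!s:5} "
              f"dns={dns_zone_blocks(probe, blocked)}")
    print(bind_blackhole_config(blocked))
```

    The practical difference is the subdomain case: a hosts file entry for `ads.example-adnetwork.invalid` does nothing for `cdn.ads.example-adnetwork.invalid`, while the zone version catches it, which is why the DNS route scales better across 2000 machines; the hosts-file route still works with no server dependency and for laptops off the network.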

  58. Re:Sacrifice Chicken by Nf1nk · · Score: 2, Funny

    I have found for most industrial/office applications the chicken can be substituted with gas station fried chicken giblets. It is crucial they come from a gas station and not some reputable source for food. The source where you can find the best are along interstate highways in the rural south.
    The optimum ceremony changes involve using the grease from the paper bag in lieu of the standard chicken blood and doing all requisite Latin chanting with a strong nasal drawl.

    --
    I used to have a cool sig, back when I cared
  59. Unfortunately it's not always possible by Sycraft-fu · · Score: 2, Informative

    Sometimes management is just clueless and will buckle to users' demands to allow them to have admin access. Sometimes, they run specialised programs that will NOT run properly without admin. Especially in the case of engineering apps, there sometimes is no alternative; this is the only thing that does what it does.

    I agree as a general principle: Users should have the minimum amount of access they need to do their job. Unfortunately, that is sometimes full administrative access.

    1. Re:Unfortunately it's not always possible by nosfucious · · Score: 2, Interesting

      It's gotta be said here, but programmers love to operate, program, debug and test as QSECOFR/admin. I'm a network admin, and I don't run as root on my linux box, have limited domain admin rights on XP normally (like password reset) and use a remote desktop to a domain controller for necessary tasks (about 10 minutes a day).

      First thing that happens when we hire a new developer ... "What's the qsecofr password, what's the Administrator password, I need ALLOBJ access, I've written the program using Active-X that needs to be run as an administrator on the local machine" (Pick one or all).

      I'll quite happily give them admin on their own machine if they need it, but they had better test their damn program on a lockdown machine before they submit it for deployment.

      Hell, some clueless developer said he was a web developer. The entire page was one giant Active-X control with about three lines of html.

      I'm lucky that the culture of my organisation is slowly waking up to these idiot developers. (We do have some good ones too.) Now they actually have to have a development plan that includes testing outside their own machine. Many times a program doesn't need Admin access to run, but a few specific registry keys or folders need to be opened up; they just don't know or don't document them.

      I'm not surprised that Microsoft has trouble with security; the programmer culture that Microsoft has supported does not lend itself to thinking about it. Where's their new talent pool? Predominantly developers that grew up with the MS programming monoculture!

      --
      Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
  60. EnCase Enterprise by funk49 · · Score: 3, Interesting

    Depending on your budget, try EnCase Enterprise by Guidance Software. EnCase is the forensic program/application used by the US Govt and also by most local and foreign law enforcement investigators as well.

    The Enterprise version takes forensics a step further, utilizing a client listener app which runs on the desktop and, after establishing a baseline of permitted apps, can be used to detect and counter malicious apps running on the LAN and WAN, as well as imaging drives in real time for investigative purposes.

    Investigations have been performed from halfway around the world with the click of a button. Another selling point to the PHB's is that it can be used for HR investigations as well, making it an easy ROI for most companies.

    http://www.encase.com/

  61. windows admins by codepunk · · Score: 3, Insightful

    Most of the bright windows admins on here are going to tell you to use permissions to lock down the workstations and take machine admin rights from the users. Now you have to sit back and ask yourself: is that really going to help? Yes, it is probably going to help, but they are really luring themselves into a false sense of security. Now ask yourself how many of the windows admins that you know use IE? That's right, most if not all of them use IE. So now ask yourself, what does that have to do with anything? Well, if IE can execute code easily at user level privs, then what happens when that stupid windows admin browses to a page containing malicious code? That's right, the worm, virus, trojan has full admin privs.

    What do you do to avoid catching the flu? That's right, you get a flu shot. So do yourself a favor and get a flu shot: install mozilla on the clients; everyone will thank you for it anyhow.

    --
    Got Code?
  62. More Prevention than detection? by gofugu · · Score: 2, Interesting

    The best way is always prevention.

    1. If they have to use IE we make the default ZONE setting for Internet High and Medium for everything else including local zone and trusted. We have yet to find (Business) applications that this breaks. Yet no pop-ups, no spyware - works as well as firefox minus tabs. They will have to add banking and other ActiveX/Java/Download type application sites to the trusted zone. Any MS box I use, this is the first thing I set up. (assuming I can't install Firefox)

    2. Patch Management (Many spyware and trojans use exploits to install.) Patchlink is a good multi-platform choice, www.patchlink.com, but there are many others.

    3. Web Scanning solution. (e.g., ISS, McAfee, others?) Scan for ActiveX and Java exploits on Web traffic.

    4. PestPatrol now has a solution that does not require a client. I assume others will have similar solutions soon if they don't already.

  63. Because people need to work.... by Belial6 · · Score: 3, Insightful

    If businesses used your logic, there would be no PCs. We would still all be running green screens off of mainframes. It is those terrible users that found they could do their job 5 times faster by going around IT and running apps on a 'toy' (PC) that has gotten us as far as we are. At least 2/3 of the Administrators that I have run into are not competent, and are simply not well versed enough in business or technology to determine what software is necessary and what is not. The comment about Kinko's is a perfect example. Remember the 'Shatter' attack? If you had access to the machine as any user, you could get admin access. The Kinko's Admins are probably thinking that they don't want the huge PR problem that happens the next time a similar hole is found, and some script kiddie grabs copies of confidential documents for weeks or months before the attack is made public and a fix is released. SNL's 'Nick Burns' is not far from reality.

  64. Re:Yea you are really safe keep telling yourself t by obeythefist · · Score: 2, Funny

    Keep it civil! There's nothing to be gained by accusing people of being an MCSE.

    Although you make a salient point - use of IE at all is a risk in any IT organisation.

    To an extent locking down a workstation is effective when using IE - most (not all) spyware is derived from popups and click-here's that launch as a result of the very flawed design of MSIE. Locking down the WINNT or Windows folder will prevent these spyware articles from installing correctly. This does offer a good degree of protection from Bonzi Buddy.

    Of course, web browsing admins are quite often the cause of many disasters in I/T. I remember a helldesk employee of ours once went to a russian website and had our whole corporate link running a DOS attack on someone we didn't even know within hours.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
  65. Ban their certificates? by inhalent · · Score: 5, Informative

    I manage an active directory domain and I've taken care of the major offenders through group policy.

    First, I attempt to download the spyware much like any user would. When I get the prompt asking me to approve this installation, I view the certificate that it was signed with and save the certificate to a file.

    Next, I add that certificate to the list of banned certificates domain wide. It works great and fixes the problem of people installing spyware without knowing it.

    1. Re:Ban their certificates? by nytmare · · Score: 2, Insightful

      Isn't there a list of spyware certificates on some reputable web site that we all can download and add to the certificate "ban list" wholesale?

  66. Well, I rather think it's simple. by Tuxedo+Jack · · Score: 3, Informative

    Install VNC over the network (or other comparable remote-control software; VNC is free and GPLed) and put HijackThis on a read-only network share.

    If the user reports problems, VNC into the machine, run HijackThis as root, and remove what you need to.

    Running as User or Power User will help, but it won't stop everything.

    Try adding the MVP Hosts list to the firewall's shit-site blocker.

    If you can, put SpywareBlaster into your image set for the machines you clone and force a once-a-year reclone with updates.

    There's also the simple idea of not letting your users use IE. Force them to use Firefox, Opera - anything but IE.

    --
    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  67. Executive's Palm. by jotaeleemeese · · Score: 2, Insightful

    That is the bullshittiest excuse in the history of mankind.

    You explain to the suit that you can't install the software because that would make your network a virus/spyware testbed.

    If the suit insists, have him put it in writing, exonerating you from any responsibility and financial damage the company may suffer.

    It always amazes me the deference that some people have for somebody wearing a suit and with an important sounding job description.

    Your job is to make that network safe, in spite of the owners of the company themselves if necessary.

    --
    IANAL but write like a drunk one.
  68. Man... by msimm · · Score: 2, Insightful

    I was with you right up until you said penalties. How many work environments will let the IT department waste time and valuable (well, sometimes) resources with petty penalties? I'm all for limiting what a user can do; after that it's just them and god (and their boss of course). :)

    --
    Quack, quack.
  69. Spyware Guard by EvilGrin666 · · Score: 2, Informative

    SpywareGuard does exactly what you require. It scans software when you open it and stops it from mucking about with obvious spyware related registry keys.

  70. LAN Admins don't make money??? Are U crazy? by freedom_india · · Score: 2, Insightful

    LAN administration isn't the most important part of a company, you aren't making the company any money.

    Wanna bet? Remember Blaster, Slammer / SQL Worm? How much did we lose? S.Korea was knocked off the 'Net.
    Even a feather in the hands of a Dumb user is still dangerous ! He may tickle himself to death.

    LAN Admins lock down systems BECAUSE they need to protect you from yourself. Or better yet, they need to protect the company's investment in you from going to waste because you installed some Anna.K screensaver and end up saying "Doh!"

    As long as users like you are dumb and stupid, you will continue to be treated like kids: Childproof everything.

    --
    "Doing what i can, with what i have." ~ Burt Gummer
    1. Re:LAN Admins don't make money??? Are U crazy? by jridley · · Score: 2, Informative

      That's not making money, that's "not losing money".

      Exercise: Let's spin you off as a separate company. How long do you keep getting paychecks? What's your revenue stream? Don't have one? Then you're not MAKING money.

      You are a SERVICE, and an EXPENSE. Certainly it's a necessary one, but if it weren't, you'd be on the street in a second.

    2. Re:LAN Admins don't make money??? Are U crazy? by Mattintosh · · Score: 2, Insightful

      Ok, let's assume this spinning-off thing happens...

      You pay $100,000 per month for our services. We guarantee service will work no matter what, or you don't pay. Your regular package is a web server, some file servers, and 100 desktops. The desktops have access to the 'net and an office suite.

      If some worm comes along and starts deleting the office suite and clogging the 'net connection, our revenue stream is on the line. Stupid users would then be cutting into our bottom line, and we'd have no choice but to deny them access, restrict their accounts, or, god forbid, unplug them in order to maintain order, peace, and food on the table.

      Then we'd have to carefully reconstruct the house of cards, and this time we're gonna use a little glue. Now none of the users (since we don't know who messed it up the first time) get to access anything on the list of restricted sites. Yet, there are so many sites out there... we couldn't possibly block them all. And another user inflicts the same pain all over again. And we don't get paid... again.

      This time, we're gluing these cards to bricks and rebuilding it the right way! Total lockdown. Yes, IT does make money. Yes users do need to be locked down. Yes we do own you. You're the worker bee. We're the beekeeper. You can sting us all you want, but we're just going to protect ourselves even more in the future.

      Ok, maybe that was a little over-the-top and BOFH-ish, but the point is still valid. You're not seeing the whole picture because you're covering your eyes.

  71. Technical solution useless w/o policy 2 back it up by Media_Scumbag · · Score: 4, Informative

    Any time you have to deal with a technical issue that involves user interaction as a component of success, you will need to propose to management a policy that bolsters the behavioral aspect of the solution; users need to be made, by management, to have some degree of awareness and culpability for virus and spyware infections.

    "Frequent-fires" users will be compelled to learn some digital hygine.

    Most large and medium-sized businesses operating today have some sort of policy on sexual harassment/hostile workplace/conflict of interest/Internet and PC usage policy, etc. Generally, users understand that these policies are for everyone's protection - With ~2000 PCs in the mix... This is definitely where you should start... Policy Covers Your Ass.

    On the technical side:

    1. Router logs, intrusion detection, and sniffing as trending tools to show your boss what's up with traffic.

    2. Good, solid desktop images/ app pushes/ GPO's - harden the Registry, Security Policy, individual apps as necessary. Beyond that - when a machine is sufficiently infected, it should be replaced with a re-imaged one --- it can be faster than cleaning, and is a hell of a lot more complete. This also reinforces the notion of users not storing important things locally.

    3. Helpdesk tracking software - What users/machines/network segments are continually having the same problems? Does Human Resources need to be the next step for some people?

    4. Desktop management software - provide your boss with stats on just what kind of crap is showing up.

    5. If you must use/develop software that may enable or even contain spyware, you have a particularly tricky problem that concerns both company policy and IT best practices.

    Of course, you know your boss, I don't... How you implement these suggestions is different for everyone. To some, it may seem draconian, to others, quite lax.... To some, budgets will not allow the necessary attention - for others, this kind of focus could perhaps justify a budget increase.

    Oh... And consider the browser's role in the business - what is an acceptable $$ loss for a preventable issue? Have you already spent that?

    My $.02

  72. Qwik-Fix Pro protects against forced installs by thorlarholm · · Score: 2, Informative

    Qwik-Fix Pro from PivX Solutions (full disclosure: I created this) works to protect against forced installs of spyware.

    http://pivx.com/qwikfix/

    Qwik-Fix Pro is not a spyware killer, but it is enterprise level and does protect against all of the browser based vulnerabilities (among others) that are being used to forcefully install spyware. It is a perfect combo together with a spyware killer such as The Cleaner from Moosoft (http://www.moosoft.com/) or Lavasoft Ad-Aware (http://www.lavasoftusa.com/).

    The protection against IE vulnerabilities was implemented in September 2003 and has since protected against all command execution vulnerabilities discovered since then without a need for updates. These very improvements to IE were subsequently included by Microsoft in Windows XP Service Pack 2, though the implementation Microsoft chose failed to protect against several vulnerabilities discovered since then, such as the Drag'n'Drop vulnerability which Qwik-Fix Pro protected against.

  73. Blacklists to kill programs by Afroplex · · Score: 2, Informative

    Aside from individually going to each machine and cleaning them, we try killing the spyware installers and executables. First we installed on a box as much spyware and peer-2-peer apps as we possibly could, and also browsed executable lists on antispyware/malware sites. Then we made a monster list of these executables.

    If we were running an XP only shop (this won't work in Win2000 or 98) we would use Microsoft's software restriction policies in active directory. We don't, so this is out of the question.

    Novell Zenworks (versions >=4) rogue process management sounds like it may work, but when we tested it, it didn't kill apps that start up before the user logs in. So any spyware services aren't killed, even after the user logs in.

    Next up was Progkill, an application on Sourceforge.net. Seems to work well on Win95/98/2000 boxes if it starts up. Has a few bugs when starting up. I wish I had a Delphi development box, else I would debug it. Bonus points to it for its GUI interface.

    Finally was roguept (rogue process terminator) on Sourceforge.net. Does the same thing as Progkill, but not as easy to set up. Extremely small though, and fast. It is written in C++ and runs as a service, so it kills spyware from the get-go. This speeds up system bootup time.

  74. Who made your stupidity MY problem?? by felis_panthera · · Score: 2, Insightful

    You're tired of IT "Nazis" who impose restrictive limitations upon you and your fellow plebes?? You're tired of being told how to operate your office computer (which, for the record, is COMPANY property)?? You're tired of being treated like an idiot every time We have to descend from on high to come and fix something that (99 times out of a hundred) was YOUR FUCKING FAULT (the other 1 time, it was the guy in the office next to you, for the record)??

    Here's what I'm tired of...
    -------
    15 hours spent tracking down the last vestige of a virus that got into the network because some dipshit user clicked on that gods damned "punch the monkey" banner. Did I get thanked for preserving the integrity of the company's data?? No, I get told to watch my ass or I'll be out on the street for daring to bill the company for those many hours at once...
    -------
    Removing the spyware which has crippled your machine causing it to "run too slowly" (the original reason you called me)... oh, and by the way, standing over my shoulder, pissing and moaning about lost productivity... that doesn't inspire me to work faster... especially not when the very next thing I see you doing (while en-route to another "emergency" call) is playing SOLITARE!! Real productive...
    -------
    Being told you have a virus and then coming into your office to find that you haven't bothered even to open the e-mail I sent out about a new CRITICAL SECURITY UPDATE that you really should install... by the way... it was in an e-mail because the last time, I spent a day visiting every - single - machine in the office and applying it myself, only to get flak for costing everyone 10 minutes of their precious time.
    -------
    Having My lunch/smoke break/FUCKING WEEKEND interrupted because you or one of your shit-headed co-workers desperately need something installed/removed/hit with a stick... I don't need free time, what the hell would I do with it?? I live but to serve you my liege... you jerk-off...
    -------
    The rules and restrictions we place upon you are not out of spite. We are not fascist dictators making rules willy-nilly in the hopes of catching you with your pants down. These rules are in place to protect the sanctity and security of the network that we get paid to protect. The attitude that you see is the result of years of dealing with people who do everything they can to get around our rules. People who continue to open spam e-mail, who open attachments on e-mails they have not verified, who wait until a computer problem gets so bad that the unit is no longer functional, who visit unsecured websites, who ignore critical updates (they're called critical for a fucking reason, plebe)... you're the problem, not us... You're right, I am paid to interface man with machine, to make the integration of technology and business as seamless as possible, and to keep the company data stored on the network safe from the outside world... I am not paid to babysit you, I am not paid to hold your hand, and above all else I am not paid to take your abuse... so here's the deal... when you follow the procedures we lay down (if you want to know why the rule is there, ask) so that the problems I have to fix aren't ones that have been caused by you, then you'll stop getting the brunt of my attitude... but so long as you act like a petulant child, demanding that everything run perfectly right now... now Now NOW... and continue blaming us for problems that are all totally preventable... I will treat you like a child...

    so either start treating us like real people, or run your own damn network...

    --

    The chains are broken
    Loki is free
    Ragnarok is at hand...