Slashdot Mirror


Stopping Adware and Spyware on Windows w/ Citrix?

SilverDivan asks: "A fairly large non-profit charity organization recently asked me how they can permanently take care of the spyware and adware problem that is plaguing their computing environment. I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer. So, I am planning to make a recommendation to publish Internet Explorer on a Citrix Farm, and let the users use the IE published on Citrix instead of the locally installed IE. This way they can lock down the IE to their heart's desire. Also publishing IE 'anonymously' on Citrix will further secure the environment, as the anonymous profiles can be deleted on a nightly basis. However one issue with 'anonymous' access to Citrix applications, is that the user can not maintain their preference or even their bookmarks. Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse. Has anyone implemented a similar solution before? What was your experience? Will it work? How can you configure the Citrix environment to best handle a situation like this?"

80 comments

  1. Remove Microsoft :) by tlacicer · · Score: 1, Insightful

    You could always run Win4Lin Terminal Services. Then you could run a linux server farm and still let users run their windows desktops. Then you could let them do whatever they want.

    Once you remove Microsoft from the important job, it gets pretty easy :)

    --
    "A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
    1. Re:Remove Microsoft :) by arkanes · · Score: 3, Insightful
      Sweet holy jesus. Did you actually read anything or do you have a "Use linux" postbot? Win4Lin won't solve any of the problems mentioned, although it would be a lot cheaper than a Citrix farm.

      A possibly better alternative would be to secure IE using AD policies (and migrate to AD if they aren't on one), and standardize on Firefox/Mozilla for everything except these specific applications. Use a proxy server if necessary. You could do this with Citrix also but a Citrix farm is a huge chunk of change and I don't see why you'd want to spend that much just for this.

      In fact, a good transparent proxy might be sufficient anyway - simply restrict anything with an IE user-agent to the specific IE only applications required.

    2. Re:Remove Microsoft :) by Dysan2k · · Score: 1

      A good proxy coupled with something like Privoxy works wonders. I use privoxy at the office (believe me, it takes the beating and keeps moving) and I've been very happy with the results. Configuration is pretty easy once you grasp it, but you do have to know regexp's a bit. Drop this in front of the winders boxes, and you can block sites, block domains, crunch cookies, and help keep at least some of the crap out of the machines.

      The largest problem desktop-wise that I've seen has been people taking laptops home and then coming back to connect them to the network. But when it's exec's, it's pretty much impossible to stop them from doing it. If you're stuck with IE, I usually suggest stripping the extras, ditching Outlook completely, and begging the site developers to revamp for Firefox. Sometimes it works.

      --
      -What have you contributed lately?
    3. Re:Remove Microsoft :) by walt-sjc · · Score: 1

      You use privoxy and are happy? I find it annoying... Not from the functionality aspect (where the filtering is awesome) but from the user experience. The proxy does not "forward" the HTML page until it has been 100% received by privoxy. The end result is that you sit there waiting and waiting for a long page to load in your browser and you don't even get a partial page until privoxy gets the whole thing. See the FAQ

      This also means that no connections are opened to load images or CSS, etc. until your browser gets the main file from privoxy. While my connection is fast, many sites are not, so the impact is significant.

    4. Re:Remove Microsoft :) by shadowmas · · Score: 1

      My experience is that securing IE using policies is not really a solution. The worst spyware usually install themselves using vulnerabilities in IE, so even browsing at a high security level doesn't really help. Installing the latest patches as soon as they come doesn't help either, since spyware writers are much faster at exploiting vulnerabilities than Microsoft is at patching the browser/OS.

  2. Firefox Extension by KilobyteKnight · · Score: 3, Interesting

    Make them use Firefox with this extension. Then they only use IE for the sites that require it. Those, one would hope, should be reasonably safe.

    --
    When will Windows be ready for the desktop?
    1. Re:Firefox Extension by TopShelf · · Score: 1

      To further that point, if he really wanted to do the Citrix thing to support IE use where absolutely necessary, he could set up the bookmarks and preferences to support just those sites and applications. Heck, he could even whitelist those sites so IE could ONLY be used at those sites. Firefox could then be the standard for all other web browsing.

      --
      Stop by my site where I write about ERP systems & more
    2. Re:Firefox Extension by rednip · · Score: 1
      That's a good idea for a single user, or small close knit group. If you have a large group, sooner or later someone will 'let the cat out of the bag' and tell these outside orgs that you'all are using firefox; Then they'll blame any problems on the 'bad browser' and refuse to help until you start using the 'right browser'.

      Personally, I would start my solution using the IEAK (last time I looked it was free from Microsoft), which would allow a very customized IE. Also using automatic updates (if XP), or force users to use a startup script, which checks a network share for an update script.

      Lastly (just to be complete), I'd use a strong firewall (duh), with a proxy server to restrict sites. Which is pretty good advice for any group.

      --
      The force that blew the Big Bang continues to accelerate.
    3. Re:Firefox Extension by jessecurry · · Score: 1
      That's a good idea for a single user, or small close knit group. If you have a large group, sooner or later someone will 'let the cat out of the bag' and tell these outside orgs that you'all are using firefox; Then they'll blame any problems on the 'bad browser' and refuse to help until you start using the 'right browser'.

      I doubt that the outside orgs will have anything to do with the troubleshooting process. They would probably only hear good things.
      Having an attitude like this is what keeps Microsoft in business, too many people assume that if they use anything other than a Microsoft product that they will be chastised by the computing public.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    4. Re:Firefox Extension by rednip · · Score: 1
      I doubt that the outside orgs will have anything to do with the troubleshooting process.
      I work on web based applications which are used by client companies every day, and my company uses web based applications from other vendors. During the acceptance phase, we often hear comments like, this doesn't look right, blah, blah, blah. The contracts which are created between us and our client companies are often very specific about 'supported browsers', using a different browser would make us or them in violation of that agreement.

      I doubt if you have ever worked in or used a corporate help desk, but they tend to be very specific about what software/configurations they are willing to support. For example, my company still uses Office '97 as the installed standard, but we pay for the latest version (I am told that it's because of different version of Access). I use a much newer version on my desktop, but I know that if there is a problem, it's likely that they will force me to downgrade before helping me fix it.

      Also many companies are out sourcing IT support to specialized companies.

      Personally, I use Firefox as my main browser even at work, but there are a few work related sites which I need to use IE. I don't like it, but it's not my choice. Personally, I check all of my interfaces in both IE (the corporate standard) and Firefox (the soon to be Internet standard), and I encourage 'the powers that be' to be inclusive of Firefox, when designing the browser standards.

      [the help desk] would probably only hear good things.
      You don't have to go any farther than Slashdot to see a site that doesn't render 'correctly' in Firefox. Yes, I do know the issues and even the patches, but for the average user this would represent a help desk call, and many wouldn't be very nice no matter who is responsible to field it.
      --
      The force that blew the Big Bang continues to accelerate.
    5. Re:Firefox Extension by jessecurry · · Score: 1
      I doubt if you have ever worked in or used a corporate help desk, but they tend to be very specific about what software/configurations they are willing to support.

      I have actually worked in a corporate help desk environment, as recently as 2 weeks ago.
      We attempted to minimize losses from spyware/adware damage and also allow users the most freedom with their software selection. Admittedly, we were stuck using some Microsoft technology (mostly on the server side), but we actively encouraged users to switch to Firefox or Safari (for the apple users).
      Although many sites didn't render correctly in Firefox, having 5000+ users we could often times persuade the content providers to make simple modifications.
      In my understanding, a help desk is there to help the users accomplish their goals in a fast, efficient manner, not dictate what technologies they must use.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    6. Re:Firefox Extension by rednip · · Score: 1
      My brother uses Ofoto to distribute photos of my niece, I decided to sign up and upload pics of my son, when I tried to use their online tools to correct red-eye, they were telling me that flash wasn't installed in my FireFox browser. I sent a question to the help desk. This is the reply that I got today...
      (please note the "ensure security" part)
      Hello Eric,

      Thank you for contacting the Ofoto Customer Service Team.

      If you are experiencing difficulty uploading, viewing, purchasing, or editing on Ofoto's web site, we'd suggest updating to the latest version of Internet Explorer.

      Updating to the latest version of Internet Explorer will ensure security while viewing or purchasing online.

      To download the latest version of Internet Explorer, follow the appropriate link:

      Windows: http://www.microsoft.com/windows/ie/default.htm

      Macintosh: http://www.microsoft.com/mac/download/default.asp?area=internet

      If you have any further questions or concerns regarding your Ofoto account or the Ofoto service, please let us know.

      Sincerely, Sally Lamus Ofoto Customer Service Team

      --
      The force that blew the Big Bang continues to accelerate.
    7. Re:Firefox Extension by jessecurry · · Score: 1

      basically, it looks as if they are operating under the assumption that you are using internet explorer, but not the latest version.
      This is most likely a form letter that they send out to cover 99% of complaints. When looking at the vulnerabilities that have been exposed to the general public upgrading to the latest version of IE does look a little more secure.
      Just out of curiosity, how did you phrase your question?

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    8. Re:Firefox Extension by rednip · · Score: 1
      Question for Ofoto: Your system won't let me edit photos with my firefox browser, It incorrectly finds that I am using Netscape 1.0 (which I am not).
      I replied back saying:
      Thank you very kindly for the form letter, my question wasn't about IE, it was about Firefox. It has Flash installed but the site will not load the flash tools, because the script is poorly written, and it insists that flash is not loaded on my browser. At no point does your website say that it is only written for IE. What's odd is that I wasn't having any problems with your site until I tried to correct a red-eye problem. My guess is that if you'all changed the script to allow for a non-IE user-agent Firefox would work correctly and your site would be accessible to those that cannot (due to using Linux as an OS), or will not (due to IE's consistent security problems) Microsoft's Internet Exploder.

      Thank you in advance for the pointless form letter you are about to send.

      That was this afternoon.
      --
      The force that blew the Big Bang continues to accelerate.
    9. Re:Firefox Extension by jessecurry · · Score: 1

      thank you for the clarification. Hopefully, OFoto takes the "proper" approach and attempts to help their customers get their work done on time using the tools that they find to be the most useable.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    10. Re:Firefox Extension by netdudeuk · · Score: 1

      "In my understanding, a help desk is there to help the users accomplish their goals in a fast, efficient manner, not dictate what technologies they must use."

      It depends on what you mean by 'help desk'. In the classic sense of there being a group of people simply taking calls and dealing with faults, I would say that they should not in any way be moving users onto alternatives (regardless of the vendor / source and licensing terms). There are people who have the official responsibility to drive IT strategy, considering all that is in place now and all that will be in place in the months and years (as well as they can!) to come.

      There is no point having the help desk driving people down one route if in six months time, what they have will be replaced by something else or what they installed will not interoperate with something new. That's just the way to have downtime and increased help desk call volumes.

      Also, I'm not convinced that pointing users to Firefox when 'many sites didn't render correctly' is a good idea. Things not working just brings in more user frustration. And giving users 'more freedom' is seldom required. They should only need single working applications - ie. no choice available or needed.

      IT departments need to keep the number of supported applications at a manageable level. They cannot be experts at dealing with everything.

    11. Re:Firefox Extension by jessecurry · · Score: 1
      IT departments need to keep the number of supported applications at a manageable level. They cannot be experts at dealing with everything.

      Yes this is very true, but if given the choice between two pieces of software that the help desk staff is equally capable of supporting, one would tend to suggest the software that would cause the fewest number of problems. Our biggest problem at the time was malware, we found that the few sites FireFox had a problem rendering were much less of a problem than the 1000s of pieces of malware that would be installed on our systems.
      We usually found that most users would visit the same group of sites every week and rarely changed their surfing habits(personal page view excepted). For the few users that frequented sites that FireFox did not handle well we typically took a policy of education, bringing the user up to speed on the threat of malware, and equipping the user with the tools to combat it.
      I must definitely say that I do see your point, but I also think that a little extra time on each help desk call educating the users as to why something went wrong reduces the overall call volume in the future.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    12. Re:Firefox Extension by Anonymous Coward · · Score: 0

      Sad but true. The outside orgs typically are the ones with the piss poor tech support. The place where I work has to deal with companies that are the only source for the web services (private online databases) we need in order to work. They only support IE in many cases and as soon as they find out you are using some other browser, they DO tell you to use the "right" browser. However, the nice thing here is that I can use IE and prove to them at times that the browser is not the issue, but their shit application is. For the record, I work for a public library that subscribes to databases that are then offered to our public.

  3. RTFA by missing000 · · Score: 0

    Come on, man, it's on the front page.

    "they access outside applications that only run in Internet Explorer"

    If they need IE, they need IE. Removing windows won't help them access these sites at all.

    1. Re:RTFA by tlacicer · · Score: 3, Insightful

      Yeah, I know, I read the article. So let them run IE under the Win4Lin TS. What is the worst that could happen? That particular user's windows session needs to be restored. Under win4lin that would take all of a couple minutes. And if you did a nightly back up of their bookmarks and userfiles, you could restore them too.

      I fail to see the problem here.

      --
      "A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
  4. Firewall. by Pig+Hogger · · Score: 1
    Just firewall everything for port 80 EXCEPT the external application sites.

    If they need to surf with no limits, put-up a Squid caching proxy and let them use Firefox.

    1. Re:Firewall. by ravenspear · · Score: 1

      Firewalling port 80 is a horrible solution.

      There are plenty of reasons why any business might need to access sites that aren't regularly used.

    2. Re:Firewall. by Anonymous Coward · · Score: 0

      That's what the squid caching proxy is for.

      dumbass

    3. Re:Firewall. by Anonymous Coward · · Score: 0

      Just because you can troll as Anonymous Coward doesn't mean you won't get a troll moderation. Enjoy the -1.

    4. Re:Firewall. by ScuzzMonkey · · Score: 1

      Yeah; a better way to do it might be to install Firefox for default browsing and then point IE to a heavily locked down proxy only allowing access to the required business sites.

      --
      No relation to Happy Monkey
  5. surely.. by gl4ss · · Score: 1

    There's dozens of ways to maintain bookmarks.

    Offer them a customisable startpage or something for instance.

    --
    world was created 5 seconds before this post as it is.
  6. del.icio.us for bookmarks by TRS-80 · · Score: 1, Interesting

    Set them up with del.icio.us accounts for their bookmarks, then have a bookmark for del.icio.us in the default profile.

  7. Tell them to complain to their vendors by kalidasa · · Score: 2, Insightful

    About writing IE only applications. It's the web, for heaven's sake - the idea is that it's not supposed to depend upon any given application.

    1. Re:Tell them to complain to their vendors by MyLongNickName · · Score: 1

      And while you are at it, tell them to spit in the air while riding a bicycle.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  8. Sites require IE? by Anonymous Coward · · Score: 2, Insightful

    My bet is the outside sites they access only say they require IE. Try changing the user agent string in firefox so it looks like IE (with prefbar extension for example), and the sites will likely work just fine. It's worth trying anyway.

    1. Re:Sites require IE? by NetNifty · · Score: 1

      Yes, that's possible (hell, it happened to me yesterday with a questionnaire thing from Nokia, it said to "upgrade" to IE6 or Netscape, but changing the UserAgent fixed that), but a lot of corp "web-based" stuff is ActiveX and changing the UserAgent won't help that, although there was an ActiveX extension for Firefox, I think it's dead now as it says on the site it doesn't support Firefox 0.9 or 1.0.

  9. Do They Really Need IE? by rueger · · Score: 1

    I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer.

    Maybe this is an obvious question, but have they actually tested these applications on FF or Opera? I'm sure that someone in the company has told them that they only work on IE, but it seems quite possible that FF would handle them just fine.

    Guys who design for IE generally don't have a clue about other options.

    1. Re:Do They Really Need IE? by angle_slam · · Score: 1
      There are sites that do not work on Firefox. For some reason, gmail crashes my Firefox about 1 out of every 3 times I log in. Annoying as hell, especially if I have multiple tabs open, because I lose all my tabs. It never crashes IE, so I don't know what is wrong.

      Also, it seems that the Firefox pop-up blocker is too effective. Even if I allow it to do pop-ups, some sites still don't work. I just wish the web designers would stop relying on pop ups to display information. Annoying as hell. Also, flash apps don't always work well in Firefox, especially if it results in a pop-up.

      I used to have problems with banking sites that wouldn't work on Firefox (MBNA, for one). Also, USAir used to only work on IE. Both of those have been fixed in recent months.

    2. Re:Do They Really Need IE? by exhilaration · · Score: 1
      For some reason, gmail crashes my Firefox about 1 out of every 3 times I log in.

      It's just you. I have a dozen friends and family members that have switched to Firefox and use it to access Gmail - not one has a problem.

  10. Many options. Depends on what you want. by TheLink · · Score: 1

    Use profiles, store the bookmarks elsewhere on a file server. You can then set the rights to stuff accordingly, and backup stuff regularly.

    Better if you run the IE as a different user. e.g. normal user account = John_Doe. normal user's IE account = John_Doe-IE.

    Then allow John_Doe to have access to John_Doe-IE's files, but not vice-versa.

    --
  11. Huh? by Anonymous Coward · · Score: 3, Informative
    Tools -> internet options -> Security

    For "internet zone", turn off everything, including activeX.

    For your "access outside applications that only run in Internet Explorer" put them in the trusted sites, and nothing else.

    Install firefox and let them use that for the "intar web".

    Please let me know where I can send the bill.

  12. Other possibilities by mnmn · · Score: 2, Interesting

    There was a way to open a link in a new window without displaying the window's address bar. Couple that with putting up a link like so:
    iexplore.exe http://site.com

    And removing all links to iexplore.exe elsewhere...

    And a better example:
    enforce proxy servers (setup as admin in win2k, and leave the users unprivileged), setup a squid proxy server that only allows the site, and do not setup any proxies for firefox...

    How about this one:
    Hack a spyware and find out how they redirect people's URLs. use that and infect your own machines, so any address in IE takes them to that website. Use firefox for everywhere else.

    And make sure you disable activex!!!

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:Other possibilities by technos · · Score: 2, Interesting

      That isn't really too hard.

      Just add an entry to the registry declaring that any address http and ftp is now prefixed.

      Here's a cheap and easy way to do this on 2K/XP (Maybe other Win32 OS, dunno about those)

      Say you want your users only accessing the company web application hosted at www.server.com/webapp/ with IE.

      Change the default in

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

      from "http://" to "http://www.server.com/webapp/"

      and then change all the sub entries in

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

      to something similar. (ftp, gopher, home, mosaic, www, etc, should all be changed to http://www.server.com/webapp/)

      So now when a user punches "www.ebay.com" into IE, it will send them instead to the URL

      "http://www.server.com/webapp/www.ebay.com"

      instead, which your webserver will log as an invalid page request along with the requestor, so you can walk to their desk and tell them that IE is only to be used for the web application and nothing else.

      Firefox doesn't depend on that registry entry, and will gleefully ignore it.

      Some spyware vendors use these keys and then do server side redirection. Your browser loads "http://scumwareinc.com/redirect.cgi?www.ebay.com" in a blink, logs it, and you're loading eBay before you realize it even happened.

      --
      .sig: Now legally binding!
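
Added example (not part of the original thread and not the commenter's code): because the comment above notes that spyware rewrites the same DefaultPrefix and Prefixes keys, this Python script audits `reg query` output and flags any prefix that is more than a bare scheme. The sample output, the host redirect.example.net and the `approved_hosts` parameter are constructed for illustration; www.server.com is the commenter's example host.

```python
# Audit the IE URL-prefix registry keys for redirect-style values.
# Input is text in the shape printed by (run on the Windows host):
#   reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL" /s
import re
from urllib.parse import urlsplit

# A healthy prefix is a bare scheme such as "http://" with no host or path.
BARE_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://$")

# reg.exe value line: indent, value name, type, data, separated by space runs.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)(?:\s{2,}(?P<data>.*))?$"
)

# Only the two keys named in the comment are inspected.
WATCHED = (r"\url\defaultprefix", r"\url\prefixes")

# Constructed sample: one redirect-style hijack and one deliberate lock-down.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
    (Default)    REG_SZ    http://redirect.example.net/r.cgi?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
    ftp    REG_SZ    ftp://
    gopher    REG_SZ    gopher://
    home    REG_SZ    http://
    mosaic    REG_SZ    http://
    www    REG_SZ    http://www.server.com/webapp/
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} parsed from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:
                current[match.group("name")] = (match.group("data") or "").strip()
    return keys


def audit_prefixes(keys, approved_hosts=()):
    """List every watched prefix that carries a host or path.

    approved_hosts (hypothetical parameter) names hosts an administrator
    configured on purpose, as in the lock-down the comment describes; those
    are reported as "approved", everything else as "suspicious".
    """
    approved = {host.lower() for host in approved_hosts}
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith(WATCHED):
            continue
        for name, data in values.items():
            if BARE_SCHEME.match(data):
                continue  # plain "scheme://" prefix, nothing appended
            host = (urlsplit(data).hostname or "").lower()
            findings.append({
                "key": path.rsplit("\\", 1)[-1],
                "value": name,
                "data": data,
                "host": host,
                "status": "approved" if host in approved else "suspicious",
            })
    return findings


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE)
    for item in audit_prefixes(parsed, approved_hosts=["www.server.com"]):
        print("{status:10} {key}\\{value} -> {data}".format(**item))
```

Run it against a saved copy of the command's output from each workstation; an empty result means every prefix is still a bare scheme.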
  13. Amazing... by MC6809 · · Score: 0
    I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer.

    Despite the userbase growth of FireFox, it is still taking a long time to change the mindset of PHBs.

    We are starting development on a very large web application. (primarily using C# and ASP.NET) During one of the design meetings I asked "we are going to develop this so that it is browser independent, right?"

    A PHB replied "I see no reason to believe the customers will be using anything but Internet Explorer." Sheesh!

  14. Group Policy by Chester+K · · Score: 3, Interesting

    Can't they just "lock down IE to their heart's content" via Group Policy? Or perhaps an outbound proxy that only allows access to the specified pages when the user agent is IE's?

    Citrix seems like a little overkill for this problem.

    --

    NO CARRIER
  15. Some successful anecdotes by eyeball · · Score: 1

    I know of a guy who works in a real estate office, who has to access everything through citrix. All employees have individual logins, and are able to maintain their own preferences, email, and other stuff.

    I used a similar setup where I work. We set up a win2k server box with terminal services (essentially citrix), so we could keep one stable desktop while we were constantly messing with our own desktops (or like in my case, I was using unix with rdesktop client).

    Managing virus and malware on one common server would be preferable I think. The only issue you might face could be licensing costs, especially if you went the multi-user route.

    --

    _______
    2B1ASK1
  16. Thin clients by llefler · · Score: 1

    If they are serious about going the Citrix/Terminal Services route, you might consider moving all of their applications to the server and migrating them to cheap thin clients on their desktop. From an administration perspective, managing the machines becomes a lot easier. They can't install anything on their local machines. Most don't need to have access to install anything to the server. No virus software needed for the clients. Actually, no client management at all. If one breaks, you just replace it because their customizations are all on the server. And while you might stretch a PC to 5 years, the only limitation on a thin client will be the display resolution.

    The only drawback is political. You have to manage user egos when they find they can't do whatever they want with 'their' PC anymore.

    Windows is like a high maintenance wife. Everything is nice to look at, but it cleans out your wallet and there is a lot of down time.

    --
    It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman
    1. Re:Thin clients by Anonymous Coward · · Score: 0

      Windows is like a high maintenance wife. ... there is a lot of down time.

      Yeah, but with a wife a lot of "down time" can be a good thing :)

  17. Too Obvious? by rudy_wayne · · Score: 1


    Maybe this is too simple and obvious, but how about, Don't go to websites that install spyware/adware!!

    1. Re:Too Obvious? by skinfitz · · Score: 1

      Evidently you have never managed a network with average users. Seriously - I know it's that simple, you know it's that simple, and users will swear blind that they will follow your advice, yet they clearly won't.

      For example, your users will tell you that they would never surf for pr0n and so on.

      Your proxy logs WILL show that pr0n surfing has gone on.

      No one admits to it. Obviously the logs must be wrong huh?

      Time and time again it is proven that asking users to do (or rather, not to do) things is a waste of time. A large chunk of being responsible for network security involves dealing with this problem.

    2. Re:Too Obvious? by Glonoinha · · Score: 1

      Actually nobody where I work surfs for porn - well a few guys did last year and within minutes the stormtroopers walked up and grabbed them, escorted them out of the building while HR out-processed them on way out. Zero tolerance policy enforced by some fairly visible insta-firing a few people that didn't catch a clue early enough and ... no porn, no spyware, no adware.

      It's actually pretty simple, and brutally effective - particularly in today's economic environment.

      'Just say No' actually works, if applied correctly.

      --
      Glonoinha the MebiByte Slayer
  18. All of this is unnecessary…. by Saeed+al-Sahaf · · Score: 1
    Virtually all the issues with spyware involve the ability of normal users to install executables themselves, and the solution is simple: Only allow people with Admin rights to install executables and change system settings. Please don't bleat about how developers and certain other groups need the ability to install and change things, we are not talking about developers, we are talking about average corporate users.

    Where I work (US Air Force), this type of policy has not created any problems at all, and for the most part has prevented any significant invasion of spyware in the 5 years I've been at this facility. Why build some expensive and unnecessary additional infrastructure to solve a problem that can be controlled with permissions?

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:All of this is unnecessary…. by El_Servas · · Score: 1

      True.

      At least in my company, not giving the average-corporate-user admin rights works wonders.

      I know it's not the ultimate solution, but it helps a lot to keep the playground a lil' safer.

    2. Re:All of this is unnecessary…. by bloo9298 · · Score: 1

      The parent post is the best so far. Windows has perfectly reasonable authorization mechanisms, and if folk don't use them, they deserve what they get. I would add that it would be worth using a group policy to prevent all but a white-listed set of executables from running (for the proletariat at least).

    3. Re:All of this is unnecessary…. by Zorilla · · Score: 1

      I'm in the Air Force as well, and only limiting a few people to having admin rights seems to cause only those admins to install spyware and prevent me from removing it. At least at the last base I worked, I could easily fix any problems where may have been, but here, I have to put up with unremovable desktop icons, startup items, being unable to defrag (wtf?), being unable to get better system drivers installed, etc.

      --

      It would be cool if it didn't suck.
  19. Have you looked at all the alternatives? by orangepeel · · Score: 1

    Maybe something like Deep Freeze would solve your problem.

    Each restart eradicates all changes and resets the computer to its original state, right down to the last byte.

    There'd still be risks during a session of course. Then again, most of the truly evil stuff I see doesn't turn up until after the system has been rebooted and all the user-installed trash in the registry gets launched.

    --
    Whoever designed level 61 in Frozen Bubble is a sadistic bastard.
  20. Properly configure Windows NT/2000/XP for them! by Anonymous Coward · · Score: 0

    As long as they run Windows NT, 2000, or XP just properly configure them and they should be fine. By this I mean have the users log in as regular users that don't have any sort of Administrator rights (local or domain). Don't even make them members of the Power Users group. Change permissions at the root of the C: and any other local drives because I think the defaults are incorrect and are writeable by everyone (be careful that you do this properly).

    Other nice things to do are to not use roaming profiles so that all the junk that could be stored in the user profiles is not saved. Have a script run at startup to delete any profiles on the machine so that they get a fresh one every time the computer is restarted.

    I do IT work for a high school district with 2500 students and over 1000 computers. We haven't had a single problem with viruses or spyware once this was configured like this. We also run Norton AntiVirus to help protect against viruses. We don't use Outlook either which I'm sure helps too.

    I guess my whole point is that it isn't Citrix that is going to help you solve your problem... it's just configuring the OS properly. I guess the only way Citrix would help would be if all your clients were Windows 98 because then Citrix would allow you to run IE with properly set security.

  21. all half-assed patches by passthecrackpipe · · Score: 4, Insightful

    They are all half assed patches. I find, time and time again, that it is better, faster, and cheaper to remove the dependency on IE - like, re-write the app or use a vendor that actually supports decent, secure software.

    Citrix?!? Just to run Internet Explorer?!? Absolute rubbish. Fix the real issue instead of just doing a half assed patch job like that. What's wrong with you whippersnappers....

    --
    People who think they know everything are a great annoyance to those of us who do.
    1. Re:all half-assed patches by Anonymous Coward · · Score: 0

      If they're external apps, how do you expect them to do that? "Hi, I'm Joe Blow from the ABCDE company, and we use your app and we'd like you to re-write it because we don't like IE. Hello? Hello?"

  22. Reality Check by klausner · · Score: 1

    Deploying Citrix to an organization of the size you imply would be a HUGE expense. Doing so for a single application is absurd. If this charity is as big as you say, let them use their clout to have the IE sites updated.

  23. Lock down Javascript by AndroidCat · · Score: 1

    If they have to use IE then they probably need Javascript switched on too. That seems to be a major entrance for malware, and with all the legal wrangling over Java with Sun, I doubt MS is giving it much priority. I always install Sun's Java engine/plug-in for IE, and in the process it scrapes away MS's Javascript code (Java != Javascript, of course).

    At one point in May-ish, with a fresh install, I brought everything up to date, set the security settings, but forgot to trash MS's Javascript .. and promptly picked up a bad case of CoolWeb. With the change, I was CoolWeb-immune. I forget Sun's URL for it, but installing Robocode is always a good start and a fun learning game!

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Lock down Javascript by SkunkPussy · · Score: 1

      Java != JavaScript

      Sun's Java settlement has zero impact on M$'s implementation of ECMAScript.

      --
      SURELY NOT!!!!!
    2. Re:Lock down Javascript by SkunkPussy · · Score: 1

      ok I now see that you have addressed my main point word for word in your comment. :-P

      --
      SURELY NOT!!!!!
  24. ActiveX by 286 · · Score: 1
    I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer

    Hehe. I am betting that the outside app. relies on ActiveX. Which might account for more spyware getting loaded up. ActiveX would be the only real showstopper for going with Mozilla/FireFox, as others have pointed out.

  25. How to resolve with Citrix by skinfitz · · Score: 4, Interesting

    Quite simple. Firstly you give your users Firefox to stop the spyware problem.

    Now, for the external IE only applications, you create them as applications in Citrix and give each an icon on the user's desktop. If the user wants to use one of the external apps, they click the app icon which will launch a Citrix'ified IE window with the app in it. Obviously configure the Citrix IE to remove the address bar.

  26. Two helpful steps by mdielmann · · Score: 2, Insightful

    Let me preface this by saying that I'm not a Citrix administrator or a web site administrator, but here's two things that might make this simpler on many of the fronts you listed.

    1. Make a custom home page for IE on the Citrix Server. Include links to where they enter all these custom IE applications so they can get to them in one click after starting IE.

    2. Optional. Disable pretty much every domain but the ones these custom apps are on. A thorough test should verify if they will (currently) work in that configuration.

    This might be a better option than using the anonymous option in Citrix, which will mean that they can still use bookmarks (but to what?) and preferences (good for all those passwords), and you will have abuse-tracking logs.

    --
    Sure I'm paranoid, but am I paranoid enough?
    1. Re:Two helpful steps by Ash-Fox · · Score: 1

      I think the best method would be installing Firefox, and for the special websites, to set them up as predefined sites in "Windows Management Console" and then save that configuration on the desktop. Should be no more problems.

      --
      Change is certain; progress is not obligatory.
  27. Cold hard truth by shade2600 · · Score: 1

    If it is a significant problem, they will be interested enough to learn how to avoid it. If it is not a big deal, they are not going to care. If you can't educate their users to avoid this problem, either you're a bad teacher, or they don't really care about avoiding it. If their management is asking you to fix the problem, tell their management to point out the simple fact that these things are easily avoided. The answer is NOT always technical, guys. Sometimes it is social. If you treat them like a bunch of monkeys banging on the keyboard, they are going to act that way. There will never be enough options in the world to lock everything down. If they can drive a car to work, they can avoid spyware on the internet. There will be mistakes, insurance will always be necessary, but for the most part education is the way.

    1. Re:Cold hard truth by Anonymous Coward · · Score: 0

      Spoken like someone who very obviously has never managed any network with more than two people.

      What you describe is so hopelessly utopian, I'm actually wondering if I fell for a troll.

  28. Don't waste your time by fsck! · · Score: 0

    Spyware can't screw up your computer for you when you don't even have the rights to screw it up yourself. Just take away administrative rights and stay on top of updates. Some institutions take this to the next level and run with all users as guests, and use logon scripts to build the user environment when needed. You will occasionally find software from sloppy vendors that don't do things in a clean way with respect to permissions, but if enough people come to their senses about admin rights, the few remaining vendors will get their shit together.

    On the other hand, there was an interview recently with Microsoft's head of IT. It's shocking how they don't even try to use their own built-in security measures. They just give everyone admin rights and scan constantly. Since you probably aren't as big as Microsoft, you don't have that kind of luxury (or need for users to have that kind of flexibility). Just set permissions sensibly and relax.

    If you don't give your users enough rope to hang themselves, they probably won't.

  29. Accountability w/ Citrix? by rocket+rancher · · Score: 1

    Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse.

    I'm not sure you *can* maintain accountability using anon published apps in Citrix. If you want accountability, you need to know who was doing what, and when they were doing it. Citrix will log routine connection stuff like the host name and date/time of any client making an ICA connection to the farm, if you have logging enabled. But that really isn't granular enough to be useful for accountability. We had to solve a problem similar to yours when our corporate IT types decided to implement an IE-based solution for time accounting, not realizing that 20 percent of the engineers at our location have Unix workstations, not PCs. We set up a Citrix farm, and published IE in a seamless window, and required authentication against our NT domain to use IE. Their IE session data (including favorites) is stored on their terminal services user profile path, which in our case is a directory on a separate server and is locked down with add+read NTFS permissions. This worked well for us and meets our very strict customer-mandated logging and auditing requirements.
  30. Flex profiles by Anonymous Coward · · Score: 0

    At my work, we use flex profiles for Citrix. This allows us to save specific information from a session and dump anything else we don't want to save. Plus we have local policies to remap things like the favorites folder to mapped drives (home directories). The rest is dictated (spelt?) by a manual policy. Loads much faster than roaming profiles.

    Of course it does take a little while to get everything working as you want it to, but since you are exporting the registry keys you want, the flexibility is there.

  31. IE on Citrix/WTS by MeanMF · · Score: 1

    You do not have to use anonymous access to get to the server. Mandatory profiles may do the trick as well. That way they can use their normal user IDs to log in, but still get a clean copy of the profile every time. You can also set where bookmarks are stored using group policy or the IEAK so they can keep some degree of personal settings. You could either redirect it to a network share or back to the user's local computer.

  32. Classic Security by Bios_Hakr · · Score: 0

    There is no reason to have spyware infected PCs in a corporate environment.

    At home, everyone runs, by default, as administrator. But, at work, there is no reason to do this.

    Try this:

    1. Format a PC and reinstall with ALL the applications they absolutely need. Make sure you launch all the apps at least once so that they can finish writing everything that needs to be for setup to complete.

    2. Create a group for all the users on that PC. If you are using AD or other Domain logins, you can skip this step on the PC. Just add the Group and Users on the Domain.

    3. Open up Explorer. Set the permissions on the C:\ drive to 'read only' for the group you'll add the users to. Make sure that all the subdirectories inherit the permission change. Now, go to C:\Documents and Settings\. Set that directory to read/write.

    4. Now, if not using a Domain, login as each user at least once. Most places will only have a few users per PC, so it shouldn't be too much trouble. Try launching the apps they use a few times. Some apps try to use c:\windows\temp or c:\temp or c:\program files\someapp\temp for temporary storage. If they need it, add read/write permissions to those directories.

    5. Sit back and enjoy as spyware happily tries to write to wherever. If it tries anything outside the temp directories or the user's profile, it'll be denied. When users complain about not being able to install crapware, point them to a policy forbidding use of unauthorized software. Ask them to get permission from their supervisor before continuing. If it's something they *need*, you install it for them.

    6. You may have to play with it a bit to ensure that users don't have permission to each other's directories.

    7. One possible problem: if the spyware takes advantage of an exploit that bumps up the user's privileges, you can't defend against it.

    8. Some additional steps: change the administrator user name. Change the guest user name. Make sure you set a password for both. Also, make sure guest is disabled.

    Here is a doc with some more steps you can take:

    http://nsa2.www.conxion.com/win2k/index.html

    Or search Google for 'win2k nsa hardening'.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
  33. anti-spam proxy by Jjeff1 · · Score: 1

    Trend Micro makes IWSS, which is a proxy that has built in anti-virus, including filtering out assorted spyware/malware.

    I can't recommend the product too highly, it seems somewhat immature, though it does block the spyware/adware as advertised.

  34. Install a Content filtering system by dcrisp · · Score: 1

    Why not install a content filtering system such as WebMarshal or another inbound web filtering program?

    Use group policies to force the use of a proxy and make this machine the proxy machine.
    Then you set the rules on the WebMarshal box to what you want. You can install a virus scanner and such.

    I use WebMarshal in my environment, and whilst it's not the greatest (it IS a big brother monitoring device), it keeps my systems clean and protected from viruses and trojans and other illicit content that enters a company through the web.

    The cost of hardware and software is probably similar to or significantly less than the cost of a Citrix server and licenses.

  35. Don't use `traditional` bookmarks & menus. by JPyObjC+Dude · · Score: 1

    I hate suggesting things that support continued use of IE but since we are talking charity here it is:

    You can probably wrap the browser session with a frame navigator (like ask jeeves...) where the controlling frame has all the navigation buttons and necessary menu items and even an address bar. When the browser starts up, hide all top menus and only show the buttons and menus you want them to see via DHTML. You could even create a bookmark based system using DHTML and some simple server side storage. The only difficulty is that you would need to put an authentication layer to resolve the current user although there may be a way to resolve this with an active-x plugin or even native.

    Although you are looking at a bit of coding here, I know that you could use a Citrix frame to navigate any IE based site in this way.

    Good luck.

    JsD

  36. proxy IE by smoon · · Score: 1

    Since the "IE-only" sites are presumably known, set up a Squid proxy that only allows access to those specific sites. Set everyone's IE to use the proxy server.

    Then to allow access to the wider internet, set up Firefox w/out a proxy, or (more secure) firewall off ports 80 and 443 and proxy Firefox through a different Squid server which allows more-or-less open access.

    Note that it's virtually impossible to 'lock down' IE under Citrix since you can hit the 'help' menu which has a link to 'web help' which gives you... -- try it and you'll see what I mean. All Citrix would do for you is to crap out their entire IE install in one go when there's a problem.

    --
    "But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
  37. McAfee needs IE! by Anonymous Coward · · Score: 0

    The most insane thing I've seen is virus protection software (McAfee) that needed Explorer (and I assume ActiveX) for its user interface. So if you lock down IE completely and install Firefox McAfee will choke.

    To use IE for UI strikes me as an outlandishly moronic move by McAfee.

  38. Mod parent up, it's 100% effective and 100% free! by MarcQuadra · · Score: 1

    Seriously, IE does have some security features, the default setup is abysmal, but you can tweak-up the security for the whole world, and put the outside app into the 'trusted sites' zone. Problem solved. I've done it and it works.

    BTW, you still have to keep your boxes patched, but that's a no-brainer anyway.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  39. Are you hard of reading? by Anonymous Coward · · Score: 1, Funny

    You seemed to have missed the "take your business to a vendor that has a clue" part.

  40. Great solution... by vwjeff · · Score: 1

    I work for the local school district's IT department and we use Deep Freeze in all of our labs. What can I say, it's great.

    We use the Professional version. This allows the computer to maintain itself. The computers are set to shut down each night at 4:30 except Friday. On Friday at 5:00, Deep Freeze turns itself off and locks the keyboard and mouse. Windows updates are performed, virus defs updated, and hard drive defragmented. Sure, since Deep Freeze is installed we don't need to do all of this, but we do just to be safe.

  41. Citrix is out by Anonymous Coward · · Score: 0

    Citrix has a nice solution for LARGE organizations (150+ desktop computers) but the costs of it are not balanced out by its functionality. Citrix had a leg up on Microsoft when they sold Windows NT Terminal Server to Microsoft and made it basically broken, forcing people who wanted that functionality to buy Citrix for roughly two times the price. Now that MS has caught up with Citrix in terms of centralized management, there is no reason not to use AD and their policy editor.

    On the other hand, there are A LOT of "mangling" HTTP proxies that can really cut down a lot of the junk in web pages. Filterproxy and privoxy come to mind first. This kind of solution requires only one or two medium spec'ed boxes and some experimentation, not a $50,000 investment and the need for either training or consulting to get it up and running.

    As said before, convincing them to pay you to install Citrix to lock down IE is nearly a scam! Then again, this is usually how businesses get ahead... by scamming people.

  42. Inevitable Bad Joke Time... by One+Childish+N00b · · Score: 1

    Windows is like a high maintenance wife. Everything is nice to look at, but it cleans out your wallet and there is a lot of down time.

    I don't know about you, dude, but I'd be a happy man if my girlfriend went down as much as my Windows install does.

    --
    Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
  43. firewall / proxy and lockdown by Anonymous Coward · · Score: 0

    Citrix is a bit overkill

    firewall/proxy access only to certain sites required for use.

    use Mozilla etc for everything else.

    note you need to lock down Windows.. a lot of spyware is installed by the user because they simply don't care.. they just want access to the latest pic of Britney or whatever even if it means running this or that or clicking ok to an ActiveX control you can be sure they will.

    and despite what the stats of these anti spyware companies say a cookie ain't spyware in my book.
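
Several comments above (26, 36 and 43) suggest a proxy that lets IE reach only the known IE-only sites on ports 80 and 443 and denies everything else. The following is an added example, not code from any commenter and not Squid's own logic: a Python sketch of that allow/deny decision with the usual host-matching pitfalls handled. The domain names and all function names are constructed for illustration.

```python
"""Allow/deny decision for a forward proxy limited to known IE-only sites."""
from urllib.parse import urlsplit

# Constructed placeholder domains. A leading dot also admits subdomains,
# the same convention Squid's dstdomain ACL uses.
ALLOWED_DOMAINS = (".apps.example.org", "timesheet.example.net")
ALLOWED_PORTS = {80, 443}


def normalize_host(host):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True only for an exact entry or a label-aligned subdomain of a dotted entry."""
    host = normalize_host(host)
    if not host:
        return False
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            # ".apps.example.org" matches "apps.example.org" and "x.apps.example.org",
            # but not "evilapps.example.org" (no dot boundary).
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(request_line):
    """Return 'ALLOW' or 'DENY' for the first line of a proxy request."""
    parts = request_line.split()
    if len(parts) != 3:
        return "DENY"
    method, target, _version = parts
    try:
        if method.upper() == "CONNECT":
            # CONNECT carries host:port rather than a URL; the port is mandatory.
            split = urlsplit("//" + target)
            default_port = None
        else:
            split = urlsplit(target)
            if split.scheme not in ("http", "https"):
                return "DENY"
            default_port = 80 if split.scheme == "http" else 443
        # .hostname ignores any "user@" prefix, so userinfo cannot spoof the host.
        host = split.hostname
        port = split.port if split.port is not None else default_port
    except ValueError:  # malformed port or bracketed host
        return "DENY"
    if host is None or port not in ALLOWED_PORTS:
        return "DENY"
    return "ALLOW" if host_allowed(host) else "DENY"


if __name__ == "__main__":
    # Constructed sample request lines.
    for line in ("GET http://apps.example.org/login HTTP/1.0",
                 "GET http://apps.example.org@evil.test/ HTTP/1.1",
                 "CONNECT timesheet.example.net:443 HTTP/1.1"):
        print(decide(line), line)
```
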