I was hired as IT Support manager for a 200 user company. I have been in the positions for 3 months. Shortly after coming on board I discovered that there is not an AV network wide solution in place. The only protection is found with a server based front end email server and web filtering on a proxy server. The front email server and web filters are installed on a Linux server (RH). All the PCs are XP machines and are harden manually but not through a GPO (CDroms and floppy drive are removed; USB ports are not disabled, however.) The PC network is managed with AD and there are UNIX Software servers to run the legacy program for this company. (Users are not given local admin rights) I am in heavy discussions with the VP over this. He thinks this is a "safe network" protected by adequate virus protection. He reasons that email, web, removable media and unauthorized installation software are the only places where viruses can happen and that this network is protected with the above strategy in place. The cost of getting a network wide solution is about $9400. A multiyear contract would reduce that yearly total. I have very definite ideas about this, but I want to know what network administrators in EE think. All comments are welcome.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Hi,
This level of protection is not enough.
Imagin an infected USB-Drive is plugged in a PC. This would infect the whole network. Moreover, if new virus like Blackmal hit the network and disabled the front antivirus this will make your network at a major risk.
The only way ,I think , that the front antivirus is enough is to disable any way of getting files (USB, CD-ROM, disabling non-business PC network connections,...etc).
Regards,
As far as I understood from dwagner's description, there is already web and antivirus filtering from the main server...
Even then, since most malwares are assuming the user has admin rights, most common threats will even fail to install.
That said, if it were me, I would still install a free antivirus solution on all the computers of the network... while it can't compete with paid products both in terms of manageability and efficiency, it is still better than nothing...
of course these things will run... (although I don't think an user can install an ActiveX without having admin rights), but these can not do much damage to the computer because all the code require admin access.
Most of these install into windows or program files directories, which require admin rights and they would be hard pressed to do that if they run from a non-admin context.
That said, the landscape may well change in the next months/years since Vista runs accounts in a non-admin context by default and we know that malware writers will not give up as easily and will find ways to do their evil deeds even when ran on a non-admin context.
However, as I said above, a virus can potentially access everything to which the user has read/write on... like sending files to an unknown source (information/identity theft, which can be very bad for the company) or deleting the user files...
Of course, there is also a risk of priviledge escalation through 0-days exploits : for example, during the WMF breakout, our antivirus (NOD32) protected us very well against this exploit when there was still no official patch from MS available.
However, I have already seen viruses passing through antivirus, even generally ones like Trend.
Ironically, these viruses would have done less harm on a computer running in non-admin mode and without antivirus than it did on this computer with antivirus but where the users were local admins.
That said, I agree that it is a bit living on the edge, and I would by no mean accept this in most environments where users still run as admin on 2K/XP systems but according to the specs, it seems to be a rather secure network already (USB being still enabled notwithstanding and which has to be changed) and if there is indeed a web virus filtering on the servers' end.
That's why I recommand installing at least a free antivirus. I would also recommand installing Spybot Search and Destroy with its excellent immunization mode that takes no user ressources at all and proactively protects the computer.
Disable Autorun on all drives in addition to removing any removable drive : it is how these USB viruses run without interaction.
Enforce strong password policy on AD and make sure the admin passwords are not known from any user.
User education is probably required as well : no surfing to dangerous sites, no opening e-mails from strangers or even strange e-mails from known sources (ie. e-mail spoofing) and don't receive/participate to jokes e-mails.
All these things can be done for free and will improve the current security.
These malware software are not centrally manageable though but you get what you pay for (ie. nothing) and you can always administrate them all from scripts from then on.
Make also sure the backups are run everyday in a safe non-networked location.
I think that for dwagner's company, it is more a cost issue than anything else : most companies are not really keen on spending for IT... which is a shame, but most small/medium businesses need to invest their money on something that makes return on investment : I can understand dwagner not willing to enforce this on the CEO or anything else only after two months being there...
Business Accounts
Answer for Membership
by: VorenusPosted on 2007-10-16 at 15:42:32ID: 20089629
Well, if the users have no admin rights and have no way to get elevated access, it seriously limits the scope of damage an antivirus could do.
However, it could still touch everything to which the user has access like deleting files from his shares, but to be honest, you don't see this kind of viruses that often.
If you are worried but if cost is an issue, you can install a free antivirus like this : http://free.grisoft.com/
but of course it isn't centrally manageable at such a cost... ;-)
However, it seems that most vectors are indeed controlled already (however, USB is still an issue and many widespread viruses are ran that way), but they say it is always a mistake to be too confident about your security...
If you don't use an antivirus you need to be sure about how well these machines are patched and patch them asap since workstation antivirus won't save you in case you open a specially crafted PDF file for example (for example using a 0-day flaw not yet patched), but hopefully the antivirus on the e-mail server should stop this...
The bottom line is that virus ran by non-admin users won't do much harm, but everything they have read/write access to can be compromised, so if you do not install antivirus, review your shares permissions, ACL, etc, very carefully and make absolutely sure that they can't elevate or get to know an an administrator password somehow.