• Status: Solved

How can I secure the client-browsers of a Windows 2000 Advanced Server?


I've got a LAN of 15 users and a Windows 2000 Advanced Server. I've got no control over the behavior of those users towards the internet (they download malicious programs from the internet). How can I secure the browsers of my users so that they can't download or execute malicious code like spyware from the internet?
Can I centrally set up the security options of the client browsers? And which security options do I have to set in order to be maximally secured?

4 Solutions
What firewall or proxy are you using, if any? That would be your first step. Stop them from downloading malicious programs.
Here are some things you can do:

o Use a firewall and/or web-proxy that can block active content (JavaScript, Java, ActiveX, etc) except from trusted sites
o Use a web malware filter such as Finjan SurfinGate or TrendMicro Interscan AppTrap
o Use a web malware filter such as Finjan SurfinShield on each desktop
o Use Active Directory Group Policies to lock down the browsers (only works for IE) to have a specific security policy with respect to allowing ActiveX, JavaScript, Java, etc.
o Clean up spyware-infected machines with Ad-Aware (www.ad-aware.com)

You might also consider similar mechanisms for blocking email-based malware.
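
As an added example (not part of the original answers): a small Python check that reads a .reg export of the IE Internet zone, the settings a Group Policy browser lockdown controls, and lists the ones that do not match a locked-down baseline. The URL action codes are Internet Explorer's zone settings; the baseline values and the sample export are assumptions constructed for this illustration.

```python
import re

# Internet-zone (zone 3) URL action codes and the value this example treats
# as locked down: 3 = disable; for 1C00 (Java permissions) 0 = Java disabled.
# The baseline itself is an assumption of this example, not a vendor default.
BASELINE = {
    "1001": ("Download signed ActiveX controls", 3),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plug-ins", 3),
    "1400": ("Active scripting", 3),
    "1803": ("File download", 3),
    "1C00": ("Java permissions", 0),
}

# Constructed sample: fragment of a .reg export taken from a client machine.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1400"=dword:00000000
"1803"=dword:00000003
"1C00"=dword:00010000
'''

VALUE_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})\s*$')

def parse_zone(reg_text, zone="3"):
    """Return {action_code: int_value} for the given zone's registry key."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key header starts here
            in_zone = line.rstrip("]").endswith("\\Zones\\" + zone)
            continue
        m = VALUE_RE.match(line)
        if in_zone and m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """List (code, name, found, wanted) for settings that differ from BASELINE or are missing."""
    found = parse_zone(reg_text)
    return [(code, name, found.get(code), want)
            for code, (name, want) in sorted(BASELINE.items())
            if found.get(code) != want]

if __name__ == "__main__":
    for code, name, got, want in audit(SAMPLE_REG):
        print(f"{code} {name}: found {got}, baseline {want}")
```
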
Well, you are not addressing the real problem, which is not just 'browsers' but the entire TCP/IP suite. There are a multitude of attacks that don't use port 80 (browser port).
I assume then, that the issue you are addressing is actually security for your LAN. I would recommend a PIX firewall to mitigate attacks from the outside.

Institute port address translation on your firewall. This will ensure that all communications to the outside are initiated from the inside.

If your user PCs are Win2k, enforce a policy of users logging in via user accounts, rather than power user or administrator. Then, even successful entrants to your network have a harder time of it.

Ensure that you have a good AV package with automatic virus definition file updates.

Rights management is the best way to keep them from installing software; it can also help you mitigate against viruses. We have 3000+ users, and when the ILUVU virus hit us, only 5 people's address books were raided, because they didn't have the rights.
Restrict the registry, and/or get a program that has signatures for software you wouldn't like on your users' PCs. Also, the IEAK can help: http://www.microsoft.com/windows/ieak/default.asp
Another option you might consider is setting up a "browsing host" which the users have to connect to and control remotely, and do not allow them to browse from their own client machines at all.

In other words, they connect to "browser.yourcorp.com" which is a dedicated, sacrificial machine for people to browse from; if it gets compromised, you simply re-install that one machine.  Might be more stringent than you want (or your users will tolerate), though.
With regard to central management of browser settings:
Create home directories for the users on the server.
After you have set up the desired security settings for the user in IE on a client machine, copy user.dat to the server and rename it user.man.
On logon, user.man will be downloaded to the client and overwrite whatever user.dat was there. You can generally use the same user.man for all machines.
Note however that this approach will centralize all user settings, not only the ones dealing with internet security.

This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:

EE Page Editor
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Split: chris_calabrese {http:#7993086} & cbruce8 {http:#7993278} & NEOsporin {http:#7996777} & jimbb {http:#8001186}

Please leave any comments here within the next seven days.

EE Page Editor
