?
Solved

How can I secure the client-browsers of an Windows 2000 Advanced server ?

Posted on 2003-02-21
9
Medium Priority
?
232 Views
Last Modified: 2010-08-05
Hello,

I've got a LAN of 15 users and a windows 2000 advanced-server. I've got no control over the behavior of those users towards internet (they download malicious programs from the internet). How can I secure the browsers of my users so that they can't download nor execute malicious code like spyware from the internet ?
Can I centrally setup the security options of the client-browsers ? And which security-options do I have to set , in order of being maximally secured ?

Greetings
Geert
0
Comment
Question by:geertrobberechts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 13

Expert Comment

by:hstiles
ID: 7992958
What firewall or proxy are you using, if any?  That would be your first step.  Stop them from downloading malicious program.
0
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 100 total points
ID: 7993086
Here are some things you can do:

o Use a firewall and/or web-proxy that can block active content (JavaScript, Java, ActiveX, etc) except from trusted sites
o Use a web malware filter such as Finjan SurfinGate or TrendMicro Interscan AppTrap
o Use a web malware filter such as Finjan SurfinShield on each desktop
o Use  ActiveDirectory Group Policies to lock down the browsers (only works for IE) to have a specific security policy with respect to allowing ActiveX, JavaScript, Java, etc.
o Clean up spyware-infected machines with Ad-Aware (www.ad-aware.com)

You might also consider similar mechanisms for blocking email-based malware.
0
 

Assisted Solution

by:cbruce8
cbruce8 earned 100 total points
ID: 7993278
Well, you are not addressing the real problem, which is not just 'browsers' but the entire tcp/ip suite. There are a multitude of attacks that don't use port 80 (browser port).
I assume then, that the issue you are addressing is actually security for your lan. I would recommend PIX firewall to mitigate attacks from the outside.

Institute port address translation on your firewall. This will ensure that all communications to the outside are initiated from the inside.

If your user pc's are Win2k, enforce a policy of users
logging in via user accounts, rather than power user, or administrator. Then, even successful entrants to your network have a harder time of it.

Ensure that you have a good av package with automatic
virus definition file updates.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 2

Assisted Solution

by:NEOsporin
NEOsporin earned 100 total points
ID: 7996777
Right's management is the best way to keep them from installing software, it can also help you mitigate against viri, we have 3000+ users, and when ILUVU virus hit us, only 5 people's address book was raided, because they didn't have the right's.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/proddocs/server/windows_security_default_settings.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/proddocs/server/sag_SEconceptsBP.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/running_with_administrator_privileges.asp
http://www.experts-exchange.com/Security/Win_Security/Q_20515154.html
Restrict the registry, and or get a program that has signatures for software you wouldn't like on your user's PC's. Also, the IEAK can help, :http://www.microsoft.com/windows/ieak/default.asp
GL
-NEO
0
 
LVL 2

Assisted Solution

by:jimbb
jimbb earned 100 total points
ID: 8001186
Another option you might consider is setting up a "browsing host" which the users have to connect to and control remotely, and do not allow them to browse from their own client machines at all.

In other words, they connect to "browser.yourcorp.com" which is a dedicated, sacrificial machine for people to browse from; if it gets compromised, you simply re-install that one machine.  Might be more stringent than you want (or your users will tolerate), though.
0
 
LVL 3

Expert Comment

by:bjorndahlen
ID: 8003639
With regard to central management of browser settings:
Create home directories for the users on the server.
After you have set up the desired security settings for the user in IE. on a client machine, copy user.dat to the
server and rename it user.man.
On logon, user.man will be downloaded to the client and
overwrite whatever user.dat was there. Yuo can generally
use the same user.man for all machines.
Note however that this approach will centralize all
user settings, not only the ones dealing with internet security.

 
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9816051
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:
http://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9872293
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Split: chris_calabrese {http:#7993086} & cbruce8 {http:#7993278} & NEOsporin {http:#7996777} & jimbb {http:#8001186}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

zenlion420
EE Page Editor
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Make the most of your online learning experience.
Let's recap what we learned from yesterday's Skyport Systems webinar.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question