jpresto
asked on
Desktop security policy
I have a customer who's fed up with malware cleanups, and wants to lock down his computers to prevent installation of these apps. Currently its a combination of 2000/XP machines, Trend Micro AV Corporate.
My feeling is that tweaking security settings in IE will block only a fraction of these installs. So I wanted to throw this question out there: assuming we can tolerate a pretty tight configuration (by that, I mean blocking application installs altogether, no activeX, etc), what else would you recommend to implement on business desktops?
Here's my own stab at a list:
- Configure computer for automatic updates, reboot as necessary
- Set up local policies locking down IE and computer in general (something like this: http://www.markusjansson.net/exp.html probably not as restrictive). Has anyone seen any other similar configs around?
- Set firefox as default browser (I'm not so sure about this - if I can't automatically manage firefox updates it may be as dangerous as a fully patched IE)
- Maintain antivirus
So - does anyone have an established policy set/apps (including server group policies) for their business?
Thanks - Joe
My feeling is that tweaking security settings in IE will block only a fraction of these installs. So I wanted to throw this question out there: assuming we can tolerate a pretty tight configuration (by that, I mean blocking application installs altogether, no activeX, etc), what else would you recommend to implement on business desktops?
Here's my own stab at a list:
- Configure computer for automatic updates, reboot as necessary
- Set up local policies locking down IE and computer in general (something like this: http://www.markusjansson.net/exp.html probably not as restrictive). Has anyone seen any other similar configs around?
- Set firefox as default browser (I'm not so sure about this - if I can't automatically manage firefox updates it may be as dangerous as a fully patched IE)
- Maintain antivirus
So - does anyone have an established policy set/apps (including server group policies) for their business?
Thanks - Joe
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer
We are using Group Policy and Internet restrictions (WebBlocker) on our firewall to accomplish this.
ASKER
Are there group policy settings you can export/share?
WebBlocker - haven't looked at filtering solutions, I'll investigate.
Thanks - Joe
WebBlocker - haven't looked at filtering solutions, I'll investigate.
Thanks - Joe
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Do you have personal experience with any of these? My opinion is that they tend to be more reactive, chatty, and bloated. I've used MS antispyware quite a bit, but if I have a good antivirus (NOD32) in place I'm confident enough to not use MSA.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
[and prosecute]