I have a customer who's fed up with malware cleanups, and wants to lock down his computers to prevent installation of these apps. Currently it's a combination of 2000/XP machines, Trend Micro AV Corporate.
My feeling is that tweaking security settings in IE will block only a fraction of these installs. So I wanted to throw this question out there: assuming we can tolerate a pretty tight configuration (by that, I mean blocking application installs altogether, no ActiveX, etc.), what else would you recommend to implement on business desktops?
Here's my own stab at a list:
- Configure computer for automatic updates, reboot as necessary
- Set up local policies locking down IE and computer in general (something like this: http://www.markusjansson.net/exp.html, probably not as restrictive). Has anyone seen any other similar configs around?
- Set Firefox as default browser (I'm not so sure about this - if I can't automatically manage Firefox updates it may be as dangerous as a fully patched IE)
- Maintain antivirus
So - does anyone have an established policy set/apps (including server group policies) for their business?
Thanks - Joe