Pau Lo

A new windows 7 thick client image

If you were asked to independently review a new Windows 7 client (laptop & desktop) design / baseline / image, what specific areas would you focus on from a control/best practice/risk perspective? Can you provide a list so we can task our auditors in reviewing that the image adheres to good practice and mitigates the risks? It will be joined to a domain.
ASKER CERTIFIED SOLUTION
IanTh
Pau Lo

ASKER

What aside from patch/service packs goes towards a gold build?
In terms of the content of your image, that is more up to you than your auditors. I did not touch on this because I do not know your needs.  You need Windows, Office and AntiVirus but the rest is up to you.

I should have added above, and I think it is obvious, that software should be licensed and you should have proper evidence of licensing. Your auditors will care about this.

... Thinkpads_User
Pau Lo

ASKER

Thanks, re:

>>Do you have a remote monitoring application, and is it functioning.

Which do you use? Is it common to find they don't function and thus you can't centrally monitor? And what kind of issues are you monitoring for?
We use ReadyDesk. It is our helpdesk system. We also use Audit Wizard. Audit Wizard gives us detailed system info when it boots up and logs it. ReadyDesk gives us remote desktop connectivity through the web and livechat of our helpdesk. When I mentioned remote monitoring, I meant remote desktop or anything that you can use to view a user's desktop. We looked at other solutions to give us more info on the systems, but the bosses decided on what we use. There are tons of other applications you can use to see the connected computers and states in real time.
SOLUTION
McKnife
Things like IE protected mode will not work second to the bottom

Mine seems to work

User generated image
The setting above is too much like Vista for me. That was a mess and I turned it off. That is why I set it as I do. Perhaps the higher setting is better for Joe User. I never recommend turning UAC off in Windows 7.

..... Thinkpads_User
You did not read my link, did you? There I explain in detail why it does NOT work, although it says "hey, I still work". It's pretty useless that way. This has nothing to do with Joe-User type of users.
Edit: Will quote myself:


1. Protected mode for IE - a sandboxed browser
Is this still there in quiet mode? [edit: UAC tuned to "quiet mode" is just like having the slider set to the second step from the bottom]

Partly. Protected mode is still on, but everything that triggers elevation (for example the installation of malicious plugins) is possible to be started through rogue websites without asking you that extra time. If the browser OR ANY PLUGIN in it has a vulnerability that will enable a malicious website to start "something" without asking, you're a dead duck at once (the latter part being just like admin@xp)
I read your link, but my IE and my UAC stop anything from being installed without my OK. Nothing HAS been installed without my knowledge (I know that for sure).

Now Java, Flash, Adobe, Microsoft all have holes and vulnerabilities. Even so, I have not been victim.

Perhaps my own common sense on these issues overrules the vulnerabilities.

The default settings would cause me to stop using computers entirely. They are so onerous that some silly users turn UAC off, which I do not recommend.

... Thinkpads_User
...this has reached the point where I would like to see the thread starter tell us if he's even interested in UAC settings... pma111?

Thinkpads_User, I definitely recommend to rethink your UAC practice.
Not only that you neglect the other problems mentioned in my link (firewall manipulation by software like autoclicker, for example, or [not even mentioned yet] user level keyloggers - both would love to see your setting because the "dimming" mentioned works strongly against them... actually it's no dimming, it's an isolated user session). Also, the definition of that level features nice scenarios like "If you choose this option, other apps might be able to interfere with the visual appearance of the UAC dialog box. This is a security risk, especially if there's malware on your PC." Nice, really.
Ah, one more about user level keyloggers. Imagine you as system admin are called by a user for direct support and you need to enter the local admin (or even domain admin) password... This pw will get logged if a user level keylogger is active and UAC is down to your preferred step. Really, with UAC up ("dimming on"), keyloggers cannot intercept that as it is entered in the completely isolated user session called "secure desktop" that features a dimmed screenshot of the current session as wallpaper. [poor xp, did not even have that feature...]
I neglected nothing you wrote, so it is time to move on.

pma111 - In order to keep the thread orderly, I have unsubscribed.

... Thinkpads_User
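
For auditors reviewing the image, the UAC slider positions argued over in this thread can be read back from the registry instead of from a screenshot. The PowerShell below is an added example, not code from any poster in the thread; the function name `Get-UacLevel` and the sample rows are constructed for illustration, and the registry value names are the standard UAC policy values.

```powershell
# Added example: map the UAC policy values of a Windows 7 build to a slider level.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param($EnableLUA, $ConsentAdmin, $SecureDesktop)
    # A missing value means the build has to be checked by hand.
    if ($EnableLUA -eq $null -or $ConsentAdmin -eq $null -or $SecureDesktop -eq $null) {
        return 'Unknown: value missing'
    }
    if ($EnableLUA -eq 0) { return 'UAC disabled' }
    if ($ConsentAdmin -eq 2 -and $SecureDesktop -eq 1) { return 'Always notify (top)' }
    if ($ConsentAdmin -eq 5 -and $SecureDesktop -eq 1) { return 'Default (second from top)' }
    if ($ConsentAdmin -eq 5 -and $SecureDesktop -eq 0) { return 'No secure desktop (second from bottom)' }
    if ($ConsentAdmin -eq 0) { return 'Elevate without prompting' }
    return 'Custom policy: review ConsentPromptBehaviorAdmin'
}

# Constructed sample rows (not taken from a real machine), one per case.
$samples = @(
    @{ Name = 'sample-top';      LUA = 1; Admin = 2; Desk = 1 },
    @{ Name = 'sample-default';  LUA = 1; Admin = 5; Desk = 1 },
    @{ Name = 'sample-nodim';    LUA = 1; Admin = 5; Desk = 0 },
    @{ Name = 'sample-silent';   LUA = 1; Admin = 0; Desk = 0 },
    @{ Name = 'sample-disabled'; LUA = 0; Admin = 0; Desk = 0 }
)
foreach ($s in $samples) {
    '{0,-16} {1}' -f $s.Name, (Get-UacLevel $s.LUA $s.Admin $s.Desk)
}

# Live check on the machine under review (PowerShell 2.0 compatible).
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    UacLevel      = Get-UacLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop
    SecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
} | Select-Object Computer, UacLevel, SecureDesktop
```

On a domain-joined client these values may be set by Group Policy, so the result should be compared against the intended policy rather than the local slider.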