troubleshooting Question

Dedicated PCs for staff to access Internet (to contain malwares, ransomwares, etc)

Avatar of sunhux
sunhux asked on
SecurityOS SecurityNetwork SecurityActive DirectoryWindows OS
11 Comments8 Solutions153 ViewsLast Modified:
Despite having in place proxy (that blocks numerous categories of sites like
social networking, public emails gmail, yahoo etc, shopping, video sites) plus
url filtering by Proofpoint plus AV for emails, we are still getting ransomware
& phishing compromises.  Education did not help

In many cases, users click on attachments or links received via email.

So I suggest only 'commonly trusted' sites needed for work are permitted for
users to directly browse from their PCs but if they need to browse more or
do google search, they have to remote into a couple of 'dedicated PCs' to
browse the Internet : these few dedicated PCs will have hardening & possibly
IOCs (like those of OSSEC) & other protection but in the event of compromise,
it's only limited to these 'dedicated PCs'.

Drive sharing for these PCs to users regular PCs (which users use to
access our internal systems) are prohibited but files transfer is via say
TightVNC's files transfer method.

Q1:
What does anyone think of this?  Is it effective to stop ransomware?

It will be cumbersome but I guess this sort of "reverse jump host" could stop
the spread of compromises, ransomware etc.

Q2:
Or users Rdp to these dedicated PCs with encryption but local resources
options in Rdp disabled : to further stop data leaks etc

Q3:
If users download files, they will be made known that files can be wiped
out in the event there's infection, we'll need to reformat the PCs

Q4:
Should these PCs join the AD/domain or just standalone to further help
stop any infection spread?  I thought standalone is better.

Q5:
Is it more secure to create local accounts on these dedicated PCs or use
domain accounts (if integrated into AD)
SOLUTION
Dr. KlahnPrincipal Software Engineer

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 8 Answers and 11 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 8 Answers and 11 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros