Link to home
Create AccountLog in
Avatar of sunhux
sunhux

asked on

Dedicated PCs for staff to access Internet (to contain malwares, ransomwares, etc)

Despite having in place proxy (that blocks numerous categories of sites like
social networking, public emails gmail, yahoo etc, shopping, video sites) plus
url filtering by Proofpoint plus AV for emails, we are still getting ransomware
& phishing compromises.  Education did not help

In many cases, users click on attachments or links received via email.

So I suggest only 'commonly trusted' sites needed for work are permitted for
users to directly browse from their PCs but if they need to browse more or
do google search, they have to remote into a couple of 'dedicated PCs' to
browse the Internet : these few dedicated PCs will have hardening & possibly
IOCs (like those of OSSEC) & other protection but in the event of compromise,
it's only limited to these 'dedicated PCs'.

Drive sharing for these PCs to users regular PCs (which users use to
access our internal systems) are prohibited but files transfer is via say
TightVNC's files transfer method.

Q1:
What does anyone think of this?  Is it effective to stop ransomware?

It will be cumbersome but I guess this sort of "reverse jump host" could stop
the spread of compromises, ransomware etc.

Q2:
Or users Rdp to these dedicated PCs with encryption but local resources
options in Rdp disabled : to further stop data leaks etc

Q3:
If users download files, they will be made known that files can be wiped
out in the event there's infection, we'll need to reformat the PCs

Q4:
Should these PCs join the AD/domain or just standalone to further help
stop any infection spread?  I thought standalone is better.

Q5:
Is it more secure to create local accounts on these dedicated PCs or use
domain accounts (if integrated into AD)
Avatar of Geert G
Geert G
Flag of Belgium image

have you ever considered what can be done against internal malicious it staff ?
developers can be your best asset and your worst nightmare

there are always ways to work around security

when someone says their pc is protected against any cyberattack, by simply not connecting it to the internet, i often ask if it's coffee proof ...

pouring a coffee into a system nearly always brings it down

what will you do next ... prohibit coffee ?

consider letting the worst people help you in protect the system
even have them work with you for a day, they might see the light and what their actions cause
SOLUTION
Avatar of Member_2_406981
Member_2_406981

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of sunhux
sunhux

ASKER

Let's leave aside internal risks because so far, all our compromises are due to users
opening malicious emails or visiting unsafe sites: getting hundreds every month.

How do we disable macros & does it help specifically for ransomware/cryptolocker?

Btw, MS Rdp is limited to 2 sessions, so I guess have to use TightVNC etc
Avatar of sunhux

ASKER

Btw, which zipping/encryption tool does ransomware uses or they come with their
own flavors?  If Windows zipping is used, I'll consider disabling this Windows zipping
/encryption tool in those PCs used to access Internet
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
ASKER CERTIFIED SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account