
Dedicated PCs for staff to access Internet (to contain malware, ransomware, etc.)

Last Modified: 2016-08-28
Despite having in place a proxy (that blocks numerous categories of sites like
social networking, public email such as Gmail and Yahoo, shopping, video sites) plus
URL filtering by Proofpoint plus AV for emails, we are still getting ransomware
& phishing compromises. Education did not help.

In many cases, users click on attachments or links received via email.

So I suggest only 'commonly trusted' sites needed for work are permitted for
users to directly browse from their PCs but if they need to browse more or
do google search, they have to remote into a couple of 'dedicated PCs' to
browse the Internet: these few dedicated PCs will have hardening & possibly
IOCs (like those of OSSEC) & other protection but in the event of compromise,
it's only limited to these 'dedicated PCs'.

Drive sharing from these PCs to users' regular PCs (which users use to
access our internal systems) is prohibited, but file transfer is via, say,
TightVNC's file transfer method.

Q1:
What does anyone think of this?  Is it effective to stop ransomware?

It will be cumbersome but I guess this sort of "reverse jump host" could stop
the spread of compromises, ransomware etc.

Q2:
Or users RDP to these dedicated PCs with encryption but with the local resources
options in RDP disabled, to further stop data leaks etc.

Q3:
If users download files, they will be made aware that files can be wiped
out in the event there's an infection, as we'll need to reformat the PCs.

Q4:
Should these PCs join the AD/domain or just standalone to further help
stop any infection spread?  I thought standalone is better.

Q5:
Is it more secure to create local accounts on these dedicated PCs or use
domain accounts (if integrated into AD)?
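
For Q2, an added example that is not part of the original post or its answers: the Local Resources options in the RDP client are chosen by the connecting user, so redirection is better enforced on the dedicated PCs themselves through the Remote Desktop Services policy registry values. The script assumes it is run elevated on each dedicated PC; the function names `Set-RdpPolicy` and `Get-RdpPolicyDrift` are hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on each dedicated browsing PC.
# The key and value names are the standard Remote Desktop Services policy settings.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Desired state for the session host (the dedicated PC).
$desired = [ordered]@{
    fDisableCdm        = 1   # no client drive redirection
    fDisableClip       = 1   # no clipboard redirection
    fDisableCpm        = 1   # no printer redirection
    fDisableCcm        = 1   # no COM port redirection
    fDisableLPT        = 1   # no LPT port redirection
    fDisablePNPRedir   = 1   # no Plug and Play device redirection
    MinEncryptionLevel = 3   # High encryption level
    SecurityLayer      = 2   # require TLS for the RDP connection
    UserAuthentication = 1   # require Network Level Authentication
}

# Hypothetical helper: write every desired value as a DWORD under the policy key.
function Set-RdpPolicy {
    param([string]$Path, [System.Collections.IDictionary]$Expected)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $Path -Name $name -Value $Expected[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Hypothetical helper: report settings that are missing or differ from the desired state.
function Get-RdpPolicyDrift {
    param([string]$Path, [System.Collections.IDictionary]$Expected)
    foreach ($name in $Expected.Keys) {
        $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $Expected[$name]) {
            [pscustomobject]@{ Setting = $name; Current = $current; Expected = $Expected[$name] }
        }
    }
}

Set-RdpPolicy -Path $key -Expected $desired

# Re-read the key so the same check can be scheduled later to catch tampering.
$drift = @(Get-RdpPolicyDrift -Path $key -Expected $desired)
if ($drift.Count -eq 0) { 'RDP redirection policy applied; no drift.' }
else { $drift | Format-Table -AutoSize }
```

On standalone PCs these local values are the effective policy; if the PCs are joined to the domain, the same settings delivered by Group Policy take precedence over values written locally.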