
The web is just one big lump of Swiss Cheese Holes!
A bumper Microsoft Patch Tuesday has rolled out 12 security bulletins that collectively address a hefty 57 vulnerabilities. Five of these bulletins reveal critical holes in the software giant's products: one bulletin (MS13-009) covers 13 bugs found in Internet Explorer, while another (MS13-016) tackles a privilege-escalation …
...I found this tidbit: a guide to Software Restriction Policies for the noob-to-intermediate Windows (XP/Vista/7/8) Pro user. He goes overboard perhaps, but the idea is sound: Anywhere a non-admin user can save files, deny execute permissions.
I tried doing this with file system permissions on non-Pro editions. It's a lot more work than this solution, and some jokers who run ntfsundelete figured out how to modify permissions of a file in JavaScript or something.
I'm a huge advocate of SRPs and have been for years; they completely prevent entire classes of attacks and do far better than anti-virus in preventing infections. You're going about it the wrong way though: deny everything and then just allow Program Files. That blocks off removable media and network shares as well without having to specify every single path under the sun.
The problem with SRPs is that too few people use them for Microsoft to develop them properly. For instance, if you create a shortcut to a location that's denied and then run the shortcut from an allowed location (such as the desktop) then the program runs. Extremely lazy programming from the coder involved there!
You're going about it the wrong way though: deny everything and then just allow Program Files. That blocks off removable media and network shares as well without having to specify every single path under the sun.
Fair enough; this is why the example also sets the SRP policy to affect non-admins only. An admin could still install software from CD or USB devices. The shortcut file type (.lnk) is specified in the default SRP policy and the example instructs you to remove that particular one, or yes, personal shortcuts do stop working.
It's not my example and I want to flesh it out into a comprehensive how-to guide, but tossing it out there should get some brains thinking. I also want to run it against my software library to see what doesn't work, and then replace the broken garbage.
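The "deny everything, then allow Program Files, non-admins only, drop .lnk from the designated file types" layout described in the posts above, as an added PowerShell example. This is not code from the thread or from the linked guide; it writes the Safer registry keys that the Local Security Policy snap-in (secpol.msc) uses, and the level constants, the PolicyScope meaning and the stock designated file type list are my own understanding of the SRP format, so confirm them against secpol.msc on a test VM before relying on them.

```powershell
<#
Added example (not from the thread or the linked guide).
Builds a deny-by-default Software Restriction Policy for non-admins:
  - DefaultLevel 0x0 = Disallowed, 0x40000 = Unrestricted   (assumption)
  - PolicyScope 1 = all users except local administrators    (assumption)
  - path rules live under CodeIdentifiers\<level>\Paths\<guid> (assumption)
Run from an elevated PowerShell; -WhatIf shows every write without making it.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Allow-listed roots; anything a non-admin can write to is outside them and stays denied.
    [string[]]$AllowedPaths = @('%SystemRoot%', '%ProgramFiles%', '%ProgramFiles(x86)%'),
    # Keep LNK as a designated file type (the thread notes this breaks personal shortcuts).
    [switch]$KeepShortcutType
)

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x00000
$Unrestricted = 0x40000

# Stock designated file type list as I remember the default SRP policy (assumption).
$StockTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
              'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
              'PIF','REG','SCR','SHS','URL','VB','WSC'

function Set-SrpDefaults {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($Safer, 'default level Disallowed, scope non-admins')) {
        New-Item -Path $Safer -Force | Out-Null
        New-ItemProperty -Path $Safer -Name DefaultLevel -PropertyType DWord -Value $Disallowed -Force | Out-Null
        New-ItemProperty -Path $Safer -Name PolicyScope  -PropertyType DWord -Value 1 -Force | Out-Null
        # 2 = enforce for all software files including DLLs; 1 would skip DLLs (assumption)
        New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 2 -Force | Out-Null
        $types = if ($KeepShortcutType) { $StockTypes } else { $StockTypes | Where-Object { $_ -ne 'LNK' } }
        New-ItemProperty -Path $Safer -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null
    }
}

function Add-SrpPathRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path, [int]$Level = $Unrestricted)
    # One GUID-named subkey per rule, under the security level it grants.
    $key = Join-Path $Safer ("{0}\Paths\{1}" -f $Level, [guid]::NewGuid().ToString('B'))
    if ($PSCmdlet.ShouldProcess($Path, "SRP path rule at level 0x$('{0:X}' -f $Level)")) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name ItemData    -PropertyType ExpandString -Value $Path -Force | Out-Null
        New-ItemProperty -Path $key -Name SaferFlags  -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name Description -PropertyType String -Value 'allow-listed root' -Force | Out-Null
    }
}

function Get-SrpSummary {
    # Read the policy back so the result can be eyeballed before logging off to test it.
    $ids = Get-ItemProperty -Path $Safer -ErrorAction Stop
    $allowKey = Join-Path $Safer "$Unrestricted\Paths"
    [pscustomobject]@{
        DefaultLevel = if ($ids.DefaultLevel -eq $Unrestricted) { 'Unrestricted' } else { 'Disallowed' }
        Scope        = if ($ids.PolicyScope -eq 1) { 'non-admins only' } else { 'all users' }
        LnkIsChecked = [bool]($ids.ExecutableTypes -contains 'LNK')
        AllowRules   = @(Get-ChildItem -Path $allowKey -ErrorAction SilentlyContinue |
                         ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
    }
}

Set-SrpDefaults
foreach ($p in $AllowedPaths) { Add-SrpPathRule -Path $p }
Get-SrpSummary
```

Run it once with `-WhatIf` to see the registry writes, then for real, then log off and back on as a standard user. The check that the policy does what the thread wants is to copy a known-good executable into the user's Downloads or Desktop folder and try to launch it: under this policy it should be refused, while the same program run from Program Files still works, and as an administrator you can still install from CD or USB because of the non-admin scope. The reconstruction here does not write the LastModified value the snap-in records, so if secpol.msc shows the rules oddly, create one rule through the snap-in and compare the two subkeys.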
I've had this on my two home PCs since XP, but every time I mention it to anyone at work, some of whom see themselves as some kind of IT-related wunder-being, mainly because they run a jailbroken iPhone or run copied games on their Xbox, they look at me like I'm mad. So glad to see it get a mention here, but MS really need to make it more obvious during initial system setup. I'm very pro-Windows, but having your default login as an administrator account and not even hinting to the user about the other account options is insane.
Another Patch Tuesday, more unnecessary work for the IT staff, just so some corporate beancounter gets to keep their chosen WindblowZE application. I truly feel for those who toil in shops that are infected with the WindblowZE virus, regardless of the specific strain (XP, Vista(ster), 7, 8; $DEITY forbid 95, 98, ME, NT3.x, NT4.x, 2k, etc.), all of that effort wasted in putting out fires.
Why don't you just get a firehose, and flush that shit down the drain?
</troll alert>
Icon, most appropriate for WindblowZE.
That is Heinz's new slogan for their new ketchup made with raw ingredients from a compromised food chain - it has 57 opportunities throughout the production process for horse-meat to find its way in!
Bloody Microsoft nicking other people's ideas again! They'll be putting horses in Windows phones next just to get publicity!
Just curious about others' experiences, but in our organization of about 12,000 machines, all of which are Windows, we have had 0 issues with being hit with malware/viruses since about 2002 (that was Blaster IIRC, date might be off somewhat). We use SCCM to deploy patches now and it's been pretty good from what I can see. Still use WSUS on servers though, which is very good for what we need.
There is an addendum you missed:
we have had 0 issues with being hit with malware/viruses since about 2002... that you know of.
It's plausible that some are zombies but you haven't spotted them yet - if their traffic patterns aren't too far away from normal and the end user hasn't complained, how would you know?
The average end user won't complain until the computer is "running really slow", so could be devoting an entire CPU core to malware without noticing.
I recall doing a Malwarebytes sweep and finding half of Sales with possibly bad things installed.
(And nobody in technical roles, but that's self-selection for you)
And this: "...that you know of..." is paranoia. Lovely technique to sell security products. Not so lovely a technique to do actual security.
Understanding how Windows really works goes a long way to preventing exploits. I've said many times before that there's better security built into modern versions of Windows than any security product you can buy for it. Even a non-security product can prevent malware before so-called security products can; in that case, it was Microsoft Word, which could stop Word macro viruses before anti-virus products could.
Give the fellow credit for doing something pro-active. If you really are trying to sell something, it's better than blasting them for not using the popular security-blanket-of-the-day.
Sorry, I should clarify.
No matter what you do or how much money you throw at security companies, as long as you have users or are connected to the Internet there will still be ways for malware to get in.
You can't sit on your laurels.
Excellent start, however constant vigilance is still required.
Vigilance, not just A N Other security tool.
Home systems will be set up with automatic updates. Corporate systems will be updated when the sysadmin pushes the big switch on the WSUS server. Similar options exist in Linux land.
Anyone out there who is still updating manually is doing it by choice.