Reply to post: Re: Opinion sought

Wannacry: Everything you still need to know because there were so many unanswered Qs

Anonymous Coward
Anonymous Coward

Re: Opinion sought

Start off with a default deny mindset. I configure all resources with their own resource groups. I then create role groups which are members of the appropriate resource groups. Until users are added to any of these roles they have access to nothing. They can't even log on. I can also see exactly what any user can access by just looking at the roles they are a member of. Use the AGDLP principle

Use minimum privilege for access to anything. Only grant the minimum required access for each role. This will limit any user can cause if that get malware.

If you can, implement applocker or some other application whitelisting solution. Use FSRM to watch for known crypto malware (see here:

If you have a firewall or webfilter that categorises websites, block access to uncategorised sites. This can stop phish mails that try to pull malware down from the web. Block executables in email using your mail filter.

It is all about putting as many layers in the way to stop the malware to minimise risk. At the end though assume you can't block everything so have tested backups and a recovery plan.

If possible have independent backup solutions backing up up to different media (Veeam to NAS, Arcserve to tape for example). That way if one fails or is compromised, you still have a backup. Better to have lots of backups you don't need than no backups that you do need.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020