James,
That's the answer I was hoping to see. GP is my preferred choice as it lets me administer the entire domain without having to touch each machine; it also prevents non-privileged users from lowering the security settings.
For those that have answered with "use Mozilla/Firefox": it would be the ideal solution but for a few concerns. I have considered deployment and do use it on my own machines, but the drawbacks of distributing it across a domain are obvious:
- It can't be controlled in a group setting (like AD Group Policy).
- It can't be updated en masse (as far as I know).
- It would require a hands-on visit to each workstation to install/patch, not the preferred option for overtaxed IT staff.
- The above could lead to another major issue if/when a critical vuln/exploit for Mozilla/Firefox surfaces and you have to reinstall/patch each client by hand (too time consuming, and no way to audit which versions are on which machines).
If any admin on the list has deployed and is managing a
different browser in an enterprise setting (complete with
auditing controls sufficient to satisfy security
requirements) I'd be very happy to hear it.
To clarify the environment here: this is an enterprise-grade environment with HTTP content filtering, distributed AV (Symantec v9, which catches "some" malware), and edge firewalls (so "drive-by" portscans to the internal LAN are null). I suspect most of the infections are happening through banner ads on what would otherwise be "reputable" websites.
James, if you have any other specific information on your GP setup it could save me some legwork during implementation.
All input is welcome, as the issue of malware is long overdue for a solution and the current trend is that the stuff is becoming more and more damaging.
Thanks all,
massa
On Fri, 7 Jan 2005 13:12:22 -0500, James C Slora Jr
<Jim.Slora () phra com> wrote:
Illuminatus Master wrote Friday, January 07, 2005 12:37:
My question is this: I'm batting around the idea of using Group Policy in our Active Directory to try and choke IE down to the point where such malware has trouble installing itself. Has anyone here ever tried such as this with any degree of success?
Yes, GP settings have helped me quite a bit. "My Computer" zone lockdown was the single most effective change. Killbitting abused or unnecessary ActiveX controls is also very helpful. Between those two things, most of last year's IE exploits got stopped - and so most adware also got stopped.
There is a whole world of other little things that can help, and GP helps roll out a lot of them. It may take a good deal of experimentation to come up with a GP configuration that locks things down as well as possible while allowing the things your org cannot live without, and that gives you flexibility where you need it.
GP has not been much help against social engineering vectors that do not depend on browser exploits, though.
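An added audit script (not from this thread or from either poster) that checks, on a current Windows host, the controls James describes: Local Machine Zone Lockdown, the "My Computer" zone action settings, and killbits on ActiveX controls. The CLSID list is a placeholder to be replaced with the controls you chose to killbit, and the HKLM Policies path assumes the zone settings were pushed through the Group Policy administrative templates.

```powershell
# Audit the IE hardening James describes. Run on a domain workstation after the
# GPO has applied (gpupdate /force) to confirm the settings actually landed.
$results = @()

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value is reported as $null (a failing check)
}

# 1. Local Machine Zone Lockdown (XP SP2 and later), opted in per process name.
$lockdownKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$lockdown = Get-RegValue $lockdownKey 'iexplore.exe'
$results += [pscustomobject]@{ Check = 'Local Machine Zone Lockdown (iexplore.exe)'
                               Expected = 1; Actual = $lockdown; Pass = ($lockdown -eq 1) }

# 2. Zone 0 ("My Computer") action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$zonePaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0',  # GP-enforced (assumed)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'            # effective per-user
)
foreach ($path in $zonePaths) {
    if (-not (Test-Path $path)) { continue }
    foreach ($action in $zoneActions.Keys) {
        $v = Get-RegValue $path $action
        $results += [pscustomobject]@{ Check = "Zone 0: $($zoneActions[$action]) [$path]"
                                       Expected = 3; Actual = $v; Pass = ($v -eq 3) }
    }
}

# 3. Killbits: 'Compatibility Flags' must carry bit 0x400 for each CLSID.
# Placeholder CLSID; substitute the controls your org decided to killbit.
$killbitClsids = @('{00000000-0000-0000-0000-000000000000}')
foreach ($clsid in $killbitClsids) {
    $flags = Get-RegValue "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" 'Compatibility Flags'
    $results += [pscustomobject]@{ Check = "Killbit $clsid"; Expected = '0x400 set'
                                   Actual = $flags; Pass = (($flags -band 0x400) -ne 0) }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit for scripted fleet audits
```

Run it under a tool that collects exit codes across the fleet (a logon script writing to a share, or a remote-execution job) to get the per-machine audit trail massa asks for.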