
Our environment consists of about 80 users running Windows 7. Previous to me showing up as a full time IT employee, the company had contracted an outsource IT solution. As part of their set up, they gave every user full administrative access to their local machine, disabled UAC (their reason: "because those pop up windows are annoying"), and disabled the Windows firewall on all the machines (their reason: "because we have a gateway firewall"). As you can guess, they were eventually fired.

All of our users' computers have Trend Micro OfficeScan for virus and malware protection, which is doing a terrible job even though they're all up to date with their definitions. Users are constantly getting infected with malware, which eventually leads to us spending time reimaging their machines.

My boss's solution to the problem is this: http://www.barracudanetworks.com/ns/products/web-filter-features.php. The system he wants, with licensing, will cost about $7000. However, we already have a SonicWall NSA device that boasts a lot of the same features that still isn't getting the job done.

So here's my question: Is tightening up the security on the machines going to be good enough to back me up when I talk my boss out of spending the money? My thoughts are we move everyone to non administrative accounts (they don't need admin privileges to carry out their jobs, so it should be a non issue), we turn on Windows firewall on each computer (If we were to get a self replicating virus or malware outbreak right now, we'd be screwed), and we turn on UAC (will this matter if they're non admin accounts?). I've recently implemented a WSUS server and we're keeping everyone up to date with security patches through it (I can't even count the number of computers that had updates turned off...). My plan is if people don't have admin privileges and their computers are up-to-date, we can greatly cut down the amount of malware.

I've still got lots to learn when it comes to protecting an entire network. So please, if I'm overlooking something or if I'm not on the right track or if I could change a few things, I would love your input. I just want to get them out of the awful habit of throwing money at problems and hoping it fixes it.

Update: I've marked an answer as complete, but I think it'd be of great benefit if people continued to share their insights and ideas. I now have a solid plan of action that'll keep me busy for a little bit.

  • Wait a minute...you support 80 end-users by yourself? Sorry about your luck :(
    – DKNUCKLES
    Commented Aug 23, 2011 at 16:32
  • Nah, I have the manager and one other in the department. However, anything "intermediate and above" falls on me. So yes, your pity for me does bring comfort :) Recently I had to talk him out of buying redundant 10GB switches for our small, one building, 80 person network.
    – Safado
    Commented Aug 23, 2011 at 16:38
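As an added example (not code from the original question or from anyone in the thread), here is a read-only audit of the four host controls the plan proposes, written for the PowerShell 2.0 that ships with Windows 7 so it can be pushed out before anything is changed. It assumes English-language output from `net` and `netsh`, and the `$AllowedAdmins` list is a placeholder for whatever accounts you actually want in the local Administrators group.

```powershell
# Added example: audit local admin membership, Windows Firewall state, UAC and
# WSUS pointing on one Windows 7 host. Run from an elevated prompt; read-only.

function Get-LocalAdminMembers {
    # 'net localgroup' needs no extra modules on Windows 7. Members are listed
    # between the dashed separator and the "The command completed" trailer.
    $lines = & net localgroup Administrators 2>$null
    $members = @()
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}') { $inList = $true; continue }
        if ($inList) {
            if ($line -match '^The command completed' -or $line.Trim() -eq '') { break }
            $members += $line.Trim()
        }
    }
    return $members
}

function Get-FirewallProfileState {
    # Parses 'netsh advfirewall show allprofiles state' (English output assumed).
    # Returns a hashtable: Domain/Private/Public -> ON or OFF.
    $state = @{}
    $current = $null
    foreach ($line in (& netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $matches[1]; continue }
        if ($current -and $line -match '^State\s+(ON|OFF)') { $state[$current] = $matches[1] }
    }
    return $state
}

function Get-UacState {
    # EnableLUA=0 also switches off Internet Explorer Protected Mode, so the
    # setting matters even once everyone runs as a standard user.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                 = [int]$p.EnableLUA
        ConsentPromptBehaviorUser = [int]$p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop     = [int]$p.PromptOnSecureDesktop
    }
}

function Get-WsusConfig {
    # These policy keys are what the WSUS GPO writes on the client.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $server = $null; $useWu = 0; $noAuto = 0
    if (Test-Path $wu) { $server = (Get-ItemProperty $wu).WUServer }
    if (Test-Path $au) {
        $a = Get-ItemProperty $au
        $useWu  = [int]$a.UseWUServer
        $noAuto = [int]$a.NoAutoUpdate
    }
    New-Object PSObject -Property @{ WUServer = $server; UseWUServer = $useWu; NoAutoUpdate = $noAuto }
}

function Test-HostBaseline {
    # $AllowedAdmins is an assumption: replace with the accounts you really want there.
    param([string[]]$AllowedAdmins = @('Administrator', 'Domain Admins'))
    $findings = @()

    $admins = Get-LocalAdminMembers
    foreach ($m in $admins) {
        # Members show as 'NAME' or 'DOMAIN\NAME'; compare on the trailing part.
        $short = ($m -split '\\')[-1]
        if ($AllowedAdmins -notcontains $short) { $findings += "Unexpected local admin: $m" }
    }

    $fw = Get-FirewallProfileState
    foreach ($profile in 'Domain', 'Private', 'Public') {
        if ($fw[$profile] -ne 'ON') { $findings += "Firewall $profile profile is not ON" }
    }

    $uac = Get-UacState
    if ($uac.EnableLUA -ne 1)             { $findings += 'UAC (EnableLUA) is disabled' }
    if ($uac.PromptOnSecureDesktop -ne 1) { $findings += 'UAC prompts are not on the secure desktop' }

    $wsus = Get-WsusConfig
    if (-not $wsus.WUServer -or $wsus.UseWUServer -ne 1) { $findings += 'Host is not pointed at a WSUS server' }
    if ($wsus.NoAutoUpdate -eq 1) { $findings += 'Automatic Updates are disabled by policy' }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        LocalAdmins  = $admins
        Firewall     = $fw
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-HostBaseline | Format-List
```

Run it as a startup script or through PsExec and collect the `Findings` lines centrally; the same checks are what a GPO pushing the firewall, UAC and WSUS settings should make disappear, so running it before and after gives you evidence for the "fix the hosts first" argument.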

8 Answers


The sad truth is that tightening your network will make you unpopular at your workplace. That said, many sys-admins would rather be unpopular knowing they have a safe(r) network than popular and spending all their time cleaning malware.

Some cheap and effective ways to eradicate malware

  • take away local admin, like you're planning to do (I can't stress this enough)
  • Update web browsers / Flash / Java / PDF software via GPO and WSUS. Web browsers and PDFs are two big targets for malware.
  • You could run NoScript to avoid drive-by downloads if you wanted to
  • Update your machines with WSUS (like you're currently doing)
  • Block .exe / .bat / .vbs / .sh attachment file extensions from entering via e-mail
  • Beef up your anti-spam on your mail server (if applicable - vamsoft ORF is a great MS Exchange anti-spam that costs about $160 USD)
  • EDUCATE YOUR USERS - Conduct a few lunch and learns and let your users know what a suspicious e-mail looks like, that they shouldn't click links in e-mails from recipients they don't know, safe web browsing practices, etc
  • Block any outgoing traffic on port 25 from every machine in your network except your mail server(s). This will prevent you from getting blacklisted.
  • Stay up-to-date on malware and read RSS feeds to read up on malware. Stay proactive and block outgoing traffic on any known ports used by malware in an attempt to block infected computers from communicating with C&C machines.

I hope these tips help. It's important to note that you'll inevitably get some malware that slips through the cracks (zero days are a bugger), but you'll find that good practice can go a long way toward keeping a clean network.

  • Installing adblock on all computers is also useful, it prevents drive-by attacks distributed through ad-banner networks, and your users will likely be happier as well.
    – Peteris
    Commented Aug 1, 2014 at 8:20
  • It's a lot to do all of these at once, even though these are all excellent ideas. If you have to prioritize, do points 1, 5, and 6 first. Yes, tightening down controls will make you unpopular, especially if you do it in an authoritative fashion. I'd recommend working with your corporate management to ensure you have their support for doing these and ensure you all are delivering the same message. Especially in a small company, if you don't have the big boss' buy-in, you'll spend a lot of time spinning your wheels. Commented Nov 19, 2017 at 20:50
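The attachment-extension block in the answer above is usually a flat list on the mail gateway; the added example below (not from the answer or the thread) shows what a practitioner would actually want that check to do, as a PowerShell function you can run against a list of attachment names pulled from logs or a transport rule. The blocked-extension list and the sample names are constructed for the example. It catches the evasions a plain "ends with .exe" rule misses: double extensions ("invoice.PDF.exe"), mixed case, trailing dots or spaces that Windows silently strips from a file name, and the Unicode right-to-left override (U+202E) that makes "report" + U+202E + "fdp.exe" display as "reportexe.pdf".

```powershell
# Added example: attachment file-name check with the common evasions handled.
# Works on the PowerShell 2.0 that ships with Windows 7.

# Constructed block list; extend it to match your own policy.
$BlockedExtensions = @('exe','bat','cmd','com','pif','scr','vbs','vbe','js','jse',
                       'wsf','wsh','hta','cpl','msi','reg','lnk','sh')

function Test-BlockedAttachment {
    param([Parameter(Mandatory=$true)][string]$FileName)
    $reasons = @()

    # U+202E flips the display order of everything after it, hiding the real extension.
    if ($FileName.IndexOf([char]0x202E) -ge 0) {
        $reasons += 'contains right-to-left override (U+202E)'
    }

    # Drop the override and any trailing dots/spaces before looking at extensions,
    # because that is what the receiving Windows host will effectively see.
    $clean = ($FileName -replace [char]0x202E, '') -replace '[. ]+$', ''
    $parts = $clean.Split('.')
    if ($parts.Count -gt 1) {
        # Every component after the base name is a candidate extension, so
        # "invoice.pdf.exe" and "setup.exe.txt" are both flagged. This is
        # deliberately conservative; relax it if the false positives hurt.
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $ext = $parts[$i].ToLowerInvariant()
            if ($BlockedExtensions -contains $ext) {
                $reasons += "extension .$ext at position $i"
            }
        }
    }

    New-Object PSObject -Property @{
        FileName = $FileName
        Blocked  = ($reasons.Count -gt 0)
        Reasons  = $reasons
    }
}

# Constructed sample attachment names; the fifth one embeds U+202E.
$samples = @('quarterly-report.pdf',
             'invoice.PDF.exe',
             'setup.exe.',
             'notes.txt',
             ('report' + [char]0x202E + 'fdp.exe'),
             'archive.zip',
             'run.sh')

$samples | ForEach-Object { Test-BlockedAttachment $_ } |
    Format-Table FileName, Blocked, Reasons -AutoSize
```

Of the samples, only `quarterly-report.pdf`, `notes.txt` and `archive.zip` pass. The archive passing is the caveat: an extension filter says nothing about what is inside a .zip, so the gateway (not this script, which has no archive support on a stock Windows 7 box) also needs to open archives or block the ones it cannot inspect.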

You've got good thoughts, and much good advice has been posted in this thread, but let me touch on two things I don't see being addressed:

  1. Have you been able to determine infection vectors for the machines that are being compromised and re-imaged? If you can determine how people keep getting hit - email versus web browsing, for instance - it can help you focus on the measures that will more directly address the source of your pain today.
  2. You seem to keep discouraging your boss from spending money. Nothing wrong with that per se, especially if his purchases are unlikely to deliver what they promise. But if you've got a boss with money, then you need to have a list of what you want to spend money on. There's no cure-all, but the right purchases can help incrementally improve your defenses, so be ready when the money gets waved in your face.
  • The malware that is actually being caught by Trend Micro has all been identified as web-based threats. For those that we couldn't remove fully or even identify, I'm not sure where it's coming from. In most cases, however, our main focus is to reimage and get the employee back up and running instead of figuring out where the infection had come from. You bring up a good point with that. 2: We don't have a whole lot of money to spend, unfortunately. A lot of our smaller internal web services (project managers, wikis, etc.) are running on 8-year-old Mac G4s! It could definitely be better spent.
    – Safado
    Commented Aug 23, 2011 at 19:06
  • A wise man once taught me that if you don't know what you're ready to spend money on, someone else will, and there goes the money. In business, money occasionally pops up for use. Be ready for it.
    – gowenfawr
    Commented Aug 23, 2011 at 19:59
  • It's good to have a boss who wants to spend money, but I'd add one piece of advice: don't go wild buying tools if you aren't able to use them properly. The "buy a tool" mindset leads to a false sense of security and being spread too thin trying to manage too many tools. I'm not reading that here, but it still should be said. Commented Nov 19, 2017 at 20:31

I am currently in your same situation as well. However, working in higher ed., our hands are tied behind our backs a bit. Removing admin rights for professors will never fly, so we are going to limit user rights on administrative employees only. So far we've done the following:

  • Set up WSUS (great move)
  • Push (I know, not the right term) updated group policy to XP machines using WSUS
  • Set up strict domain group policy rules for automatic Windows updates
  • Set up SCCM with Microsoft Forefront, which works really well!
  • Enabled Windows Firewall
  • Block the majority of ports from outside and set up OpenVPN for users

Currently working on

  • making sure Flash, Java etc. stay updated at all times using SCCM
  • Getting out of the business of cleaning infections and simply reformatting
  • Getting everyone upgraded to Win 7 64-bit
  • Upgrading our domain controllers
  • Setting up PacketFence, which I believe will be a huge step in the right direction. I plan on limiting users that aren't updated from getting on the network and simply giving them access to WSUS and SCCM until they are patched.

Well...okay. So I may be a little biased here. My current work status is contractor for AV bypass on the sharp end of the stick (hopefully everyone that told me they were pen-testing and showed a website containing the same wasn't social engineering...).

1) AV doesn't help (much). If you don't believe me, tell me what AV solution you're using and I'll blow your mind.
2) UAC definitely does. Firewall definitely does (third party is way better than Windows FW in my opinion).
3) Running as admin == bad idea.
4) Persuading mgmt is often harder than it should be. If you want to show them why you're right, let me know and I'll send you a video that actively shows the pain points.

  • Comodo A/V... blow my mind! (Just for fun. :) )
    – Michael
    Commented Aug 24, 2011 at 0:26
  • @Michael Will do...I'm putting together the presentation for the thesis/verbal cross right now. I'll cut up part of that recording and add it to the answer with an edit. Commented Aug 24, 2011 at 14:43
  • @Michael I have to wait until next week to up to vimeo...free account, upload limitations, and all that noise. I will do it. Just letting you know why the delay. Current demonstrations of bypass include F-Secure(winner of AV comparatives last year), Avira(selected because it detects shellcode when dumped in to a function in on disk scans), ESET Nod32, and Comodo(because 1-you asked and 2-it's a product I frequently recommend as an "I have to have it free. What's a good solution?" type of product). kthx Commented Aug 26, 2011 at 13:17
  • I wouldn't exactly say that I doubted that you could do it. (Some very smart people are on SE... doubting them may not be wise.) I have a wait and see approach. :) (And if you are successful, I am an avid listener/learner and will be happy to watch your video. :) )
    – Michael
    Commented Aug 26, 2011 at 19:37
  • @Michael - The talk at ToorCon is next Sunday. I'll up the demo then. Commented Oct 3, 2011 at 0:30

I think you're on the right track as far as updates and limiting users' privileges. One thing that I would highly recommend is some sort of web content filtering. While it will definitely make you very unpopular at work, in my opinion it's one of the easier things you can do to get a fairly big impact (1 device that impacts all users).

I know a lot of people who use Fortigate devices for UTM (Firewall,IDS/IPS,WCF,AV,etc). However for my example I want to focus on their WCF capabilities. It allows you to block on categories and then do various overrides for specific websites. You can also integrate it into your AD/LDAP infrastructure if you want. But you can also go more open source/linux solution since your environment is fairly small. Another solution that is even easier and cheaper, but less overall control is using a DNS solution that allows you to block on categories (Ex. OpenDNS). You could do this as a trial run to see how you like it and then go to a more localized solution later if need be.

I'm definitely not saying this is the end-all be-all solution. But it's another layer that can have a pretty big impact. My main advice about this is if there are any unrated categories, definitely block them, as newer malicious sites come up they get categorized as that. With this solution you can also start blocking larger domains such as .ru if you believe your users should never go to Russian websites.

  • We use the Web Content Filter service on our SonicWall NSA 3500, but it is a very relaxed policy that doesn't block a whole lot of sites. But sure, I'm definitely going to add this to the list of things to do: Tighten web access through the WCF. Thank you.
    – Safado
    Commented Aug 23, 2011 at 19:19

On a budget this is what I have found effective:

  1. It all starts with a policy. Without a policy you cannot enforce anything. Create an IT security policy and make sure there is executive buy-in. Take a look here to get you started: http://www.sans.org/security-resources/policies/

  2. Make sure Trend is configured properly. Trend out of the box is worthless. Trend needs the following turned on to be effective: Web Reputation, Behavior Monitoring->Event Monitoring, Device Control->Read and Write Only (Where possible).

  3. Pass all of your client traffic through a Linux box with Snort & Squid. Define the business need for egress traffic and only allow what is defined. Force all web browsing traffic through the proxy either by hijacking it or configuring the clients to use a proxy. Configure the proxy to block all of the following TLDs: .cc, .ms, .cm, .vg, .be, .tv. Set up Snort for inline blocking using Emerging Threats rules (this will take the most tweaking).

  4. WSUS is a good step in the right direction. Use Spiceworks to inventory all of your systems. Keep tabs on out-of-date software on your network (pay attention to all Adobe products and Java). Use AD to push out 3rd-party software updates.

  • I agree about the traffic. However, places that block or restrict web browsing are... darn annoying, and get in the way of doing useful work. If a security mechanism gets in the way of important work, bad things happen.
    – D.W.
    Commented Jul 30, 2012 at 3:40
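Step 4 of the answer above (keep tabs on out-of-date Adobe and Java) is the part you can automate on a budget. The following is an added example, not code from the answer or from Spiceworks: a PowerShell 2.0 script for Windows 7 that reads the installed-software registry keys and compares Adobe Reader, Flash Player and Java against a minimum-version table. The versions in `$MinimumVersions` are placeholders (assumptions) to be replaced with whatever is current when you run it, and the display-name patterns are what those products registered at the time; adjust them if your installs are named differently.

```powershell
# Added example: inventory Adobe Reader, Flash Player and Java on a Windows 7
# host and flag anything below a minimum version. PowerShell 2.0 compatible.

# Placeholder minimums (assumptions); update these each patch cycle.
$MinimumVersions = @{
    'Adobe Reader' = '10.1.1'
    'Adobe Flash'  = '11.0.1.152'
    'Java'         = '6.0.290'
}

function Get-InstalledSoftware {
    # Both native and Wow6432Node keys, so 32-bit apps show up on 64-bit Windows.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        Get-ChildItem $k | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName) {
                New-Object PSObject -Property @{
                    DisplayName    = $p.DisplayName
                    DisplayVersion = [string]$p.DisplayVersion
                }
            }
        }
    }
}

function Get-ProductFamily {
    param([string]$DisplayName)
    # Maps vendor display names ("Java(TM) 6 Update 26", "Adobe Flash Player 11 ActiveX")
    # onto the families in $MinimumVersions. Returns $null for everything else.
    switch -regex ($DisplayName) {
        '^Adobe Reader'         { return 'Adobe Reader' }
        '^Adobe Flash Player'   { return 'Adobe Flash' }
        '^Java(\(TM\))? \d'     { return 'Java' }
    }
    return $null
}

function ConvertTo-VersionSafe {
    param([string]$Text)
    # DisplayVersion is free text; pull out the first dotted number and return
    # $null for anything [version] cannot parse rather than throwing.
    if (-not $Text) { return $null }
    $m = [regex]::Match($Text, '\d+(\.\d+){1,3}')
    if (-not $m.Success) { return $null }
    return [version]$m.Value
}

function Test-OutdatedSoftware {
    $results = @()
    foreach ($app in Get-InstalledSoftware) {
        $family = Get-ProductFamily $app.DisplayName
        if (-not $family) { continue }
        $have = ConvertTo-VersionSafe $app.DisplayVersion
        $need = [version]$MinimumVersions[$family]
        $status = if ($have -eq $null)  { 'UnknownVersion' }
                  elseif ($have -lt $need) { 'Outdated' }
                  else                    { 'OK' }
        $results += New-Object PSObject -Property @{
            Product   = $app.DisplayName
            Installed = $have
            Minimum   = $need
            Status    = $status
        }
    }
    return $results
}

Test-OutdatedSoftware | Format-Table Product, Installed, Minimum, Status -AutoSize
```

Run it as a logon or startup script and write the output to a share keyed by `$env:COMPUTERNAME`, and you have the "out-of-date software" report without buying anything; `UnknownVersion` rows are the ones to look at by hand, since a version string the comparison cannot parse is not the same as a current install.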

Ok, let me chime in here because I have experienced the issues this original thread was trying to address.

  1. Giving your users full admin rights to their machines is a major part of the problem. Unfortunately, where I am now, this can't be helped.

  2. I used Trend Micro at my previous company. At first I wasn't happy with the product, but as the updates came along it has become a robust product for us. People were getting infected like the bubonic plague. We were previously using Symantec and every 3 months it would crash my Exchange 2003 server. Needless to say, I got rid of Symantec.

  3. The current company I am working at now is using Microsoft Forefront, and from what I can see so far I am not impressed with it. Now, that statement might be subjective. The reason being is because all our users have full admin rights. However, we have a lot of people who work offsite and their machines do not connect back to the mother ship. I am not sure if I can get Forefront to push to external users. The infection rate is about 5 people per week. I am highly upset because we have to have the users ship the laptop to us and then reimage and then reship out.


I'm in a university-style environment. Here is what my organization does:

  • We mandate that everyone has anti-virus turned on. We provide free anti-virus to everyone.

  • We mandate that everyone use automatic updates and keep their machines updated.

  • A weak firewall is in place to block incoming traffic to a few key ports. However, any user can request that one or more of these ports be opened for incoming traffic to their internal machine.

  • Mobile devices (e.g., laptops) get transparently placed on a separate network. This network is firewalled off more strictly from some of our critical internal resources. The idea is that if someone takes their laptop on a trip, gets infected by a worm, and comes back to our local network, we don't want that worm to spread to all our internal systems -- or at least, we'd like to limit the damage.

  • If a person's machine gets infected, it is automatically disconnected from the network. They must wipe, reformat, and re-install afresh before they'll be allowed to connect to the network again. No trying to clean up an infected machine; you have to wipe it.

  • We run a network intrusion detection system (Bro) to detect compromises.

  • We do allow users to have administrator-level access on their local machines.

  • We have more restrictive policies governing systems that are used for higher-risk activities, like storing credit card numbers, social security numbers, payroll information, grade databases, and so on.

I think this strikes a reasonable balance. It seems to work reasonably well for us, at least.

I think the other things you could consider would be: Look at your backup solution, to make sure data is regularly and reliably backed up. Work to make sure people are on the most recent version of their web browser. Consider moving people over to Chrome. Make sure everyone has auto-update enabled.
