MrKingston
September 15th, 2010, 12:41 AM
I am setting up an office network and I would like some advice regarding endpoint security.
Because we refuse to pay Microsoft almost a thousand pounds for a 2008 licence with 5 cals, I will be using an Ubuntu Server 10.4 LTS, with Samba acting as a primary domain controller. The endpoints are however Vista Business.
I plan on installing Squid as a proxy server with the DansGuardian plugin. The server will rely on Comodo's Secure DNS to block any malware at DNS level which will be my first line of defence. DansGuardian will then use a database from urlblacklist.com to block malicious and unwanted sites, such as porn. DansGuardian will be set to block these file types from being downloaded: .exe .dll .scr .bat .com .cmd. Finally, it will scan all downloads passing through the proxy with ClamAV. If you know any other file types I need to block, please let me know. This will hopefully stop 99% of malware from even getting to the endpoints.
On the Vista Business endpoints I will be running restricted user accounts, and DEP will be enabled. My choice of protection is already McAfee SaaS Total Protection, although I can hopefully upgrade this to SaaS Total Protection Advanced. I plan on running FireFox as the browser as this seems to be the best browser for blocking malware sites. From my experience IE and Chrome aren't very good at doing this. I plan on using a browser addon such as WOT or McAfee SiteAdvisor. Any suggestions as to which one?
As for other sources of infection... We use Google Apps email which automatically blocks executable file types and malware from emails. We receive around 30,000 spam/phishing/malicious emails a week. Apart from the odd one or two, all these emails are filtered by Google. Plus, to date we have not received any virus infected emails.
USB storage devices have been a major problem in the past. Due to the nature of the business staff take USB storage devices all over the country to clients. A number of times these USB devices have come back with worms; as you can imagine, before long the whole network is infected. Several months ago I introduced a USB policy where only authorised USB devices were permitted. These authorised devices had been run through Panda USB Vaccine first to ensure no AutoRun file could be dumped into the device. This seems to have solved the worm issue completely, touch wood.
The server will use a custom made backup script which will copy the user's profile onto a secondary drive. This will be run weekly by cron and up to 6 weeks worth of backups will be kept on-site. For off-site backup we will be looking at DropBox. DropBox will update files daily and will also keep previous file versions.
If all else fails, Comodo Time Machine will be on hand to perform a quick system restore. The user files can be pulled quickly from the server without any hassle.
Summary of Internet Protection
1. Comodo Secure DNS
2. Proxy Server With URL Filter
3. Block File Types: exe dll bat com cmd scr
4. Scan Downloads At Server Level With ClamAV
5. Restricted User Accounts & DEP
6. FireFox Site Filter
7. McAfee SiteAdvisor / WOT Browser Addon
8. McAfee SaaS Total Protection Advanced
9. Everything Failed, Comodo Time Machine
10. On-Site & Off-Site Data Backups
Does this look like a good setup?
I may be being naive here, but wouldn't this setup stop 99.999% of attacks?
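Added example (not from the post or from DansGuardian) illustrating item 3 of the summary: a name-based extension deny list like the one planned is only as good as the file name, so a content check (here the "MZ" header of a Windows PE file) is needed alongside it, which is one reason the ClamAV scan in item 4 matters. The sample files, the `verdict` helper and the extension list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: compare an extension-only
# check (what a DansGuardian banned-extension list does) with a content check.

BLOCKED_EXTS="exe dll scr bat com cmd"   # the list from the post

# Return 0 (blocked) when the file name ends in a blocked extension, case-insensitive.
blocked_by_name() {
    name=$(basename "$1" | tr 'A-Z' 'a-z')
    ext=${name##*.}
    [ "$ext" = "$name" ] && return 1     # no extension at all
    for e in $BLOCKED_EXTS; do
        [ "$ext" = "$e" ] && return 0
    done
    return 1
}

# Return 0 (blocked) when the file starts with the "MZ" DOS/PE header, whatever its name.
blocked_by_content() {
    magic=$(head -c 2 "$1" 2>/dev/null)
    [ "$magic" = "MZ" ]
}

# Print one verdict per path: block-name, block-content, or allow.
verdict() {
    if blocked_by_name "$1"; then echo block-name
    elif blocked_by_content "$1"; then echo block-content
    else echo allow
    fi
}

# Constructed sample downloads (not real malware): two PE-headed files, one renamed.
make_samples() {
    mkdir -p "$1"
    printf 'MZ\220\000\003' > "$1/Setup.EXE"    # executable with an obvious name
    printf 'MZ\220\000\003' > "$1/report.pdf"   # executable renamed to look like a PDF
    printf 'hello\n'        > "$1/notes.txt"    # harmless text
    printf 'hello\n'        > "$1/script.bat"   # batch file, caught by name
}

# Stand-alone demo: build the samples in a temp dir, print a verdict per file, clean up.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*; do
    printf '%-12s %s\n' "$(basename "$f")" "$(verdict "$f")"
done
rm -rf "$demo_dir"
```

The renamed report.pdf passes the name check and is only caught by the content check, which is the gap the server-side ClamAV scan is there to close; archives and Office documents carrying macros need scanning too, since neither check above sees inside them.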