Anti-malware for 600 PC's?

Discussion in 'other anti-malware software' started by hutchingsp, Nov 18, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If it's a corporation Linux is almost certainly not a solution (Windows-only software) - not to mention having to deal with support because A B and C is broken and users don't know how to open their browser or do the simplest things on a different OS.

    And that's not going into having to deal with training users who are used to Excel how to use the alternatives... and that's going to cost you. In the end there's a definitive cost for using Linux but a not so definitive cost for possibly getting malware.

    Frankly, almost every business I've encountered handles security with policy, VPN, and an AV (often Symantec). If you're not dealing with the network and DMZ and all that I think it's simple.

    http://www.darkreading.com/security...dding-new-users-and-subtracting-old-ones.html


    Basically, you have Role-Based access and User-Based access. You say some users need admin rights? I assume those users are grouped in a specific position.

    Let's say they're the janitors (b/c I'm lazy and don't want to come up with positions) so all of your Janitors need X rights - create an X policy that you can deploy for all of those guys.

    And then your plumbers need Y rights, so give all of your plumbers Y policy, which is deployed.

    Your plumber gets promoted to janitor? Simply move him to the predefined X rights.

    And then you may need user specific rights. This plumber needs access to the internet, well give him X rights and then specify.

    Force new and different passwords after 3-6 months. Force weekly scans.

    I assume you're on IE? If so, lucky you, IE is built with enterprise group policy and deployment in mind. Check out some of Wat's threads for locking it down.

    Tell your users that they're accountable - fear is a strong motivator. "This computer is not yours. This computer is the company's. Traffic is monitored, there are repercussions for breaking rules." This is standard - 33% of companies outright block social networking websites and many others will force computers through a proxy, which will log everything. Holding users accountable is a nice way to say "this is a privilege, don't abuse it."
     
  2. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Linux isn't an option, though of course we use it where it's the right tool for the job.

    Forefront needs SCCM, and SCCM is a monster (well, it's certainly not something you deploy "quickly").

    I will take a look into what could be done via Group Policy or Group Policy preferences to make Internet Explorer a little more robust.
     
  3. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Microsoft System Center Configuration Manager (SCCM) is not for the faint of heart.

    Properly Administered, Microsoft System Center Configuration Manager provides the management infrastructure for
    Microsoft Forefront Endpoint Protection, thus providing comprehensive client security, compliance enforcement,
    remediation capabilities, compatibility with existing infrastructures, and optimized for Microsoft Windows.
    The Logical Solution to Effectively Manage Large Scale Desktop Environments.

    Any Security that is Quickly Applied should Only Serve as a Temporary Patch.


    HKEY1952
     
  4. wat0114

    wat0114 Guest

    That's pretty much exactly the way my employer, of nearly 10,000 employees, does things.
     
  5. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    I've been doing a little digging into SmartScreen filter, something which I have to admit I've never spent any time looking at until now.

    Looks like an interesting complement to traditional A/V and URL filtering, so I've enabled it via GPO and we'll see how it goes.
     
  6. wat0114

    wat0114 Guest

    From what I've experienced so far from it, it's an excellent complement to IE 8 & 9.
     
  7. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Thanks, that's good to know (just been reading your lengthy thread on locking down IE).

    I'll also be looking at Microsoft's Security Compliance Manager which looks to be an excellent piece of software that will compare your existing GPOs to Microsoft's baseline recommendations - and they seem to include both "normal enterprise" and "high security" baselines.
     