[Repost] Making the Internet Safer For Your Employees
Source: [url]http://www.windowsecurity.com/articles/Internet-Safer-Employees.html[/url] Note: the original article includes figures.
The Internet is becoming such a hostile environment that some companies are starting to deny employees Web browsing and E-mail privileges in the interest of keeping the network safe. Rather than taking such extreme action, though, there are other steps that you can take to help ensure that users connected to the Internet don't infect your network with spyware, viruses, or other parasites. In this article, I will explain some of these techniques to you.
If you asked me to describe the Internet in one sentence, I would have to describe it as the most hostile environment imaginable. Lately, I have been hearing of some companies who are revoking employee Internet access in the interest of protecting their network from spyware, adware, browser hijackers, viruses, and other types of Trojans.
While I can certainly understand the concern, the fact remains that the Internet is a tremendous business resource when used properly. The trick is to allow your employees to access the Internet, but to take steps that protect them, the network itself, and the company.
Unfortunately, there are so many things that you need protection against that it would be absolutely impossible for me to address them all in a single article. For example, in addition to protecting your company against spyware, you must protect against the disclosure of sensitive information and against the possibility of lawsuits related to content that enters your company through the Internet. I'm personally against any form of censorship, but in the United States you almost have to set up filters that block employees from accessing certain types of Web sites just to avoid lawsuits from an employee who is out to make a fast buck by claiming to be offended by something that they saw on someone's monitor.
As I said though, I don't have enough space to discuss such issues in detail, but these are issues that you must address in order to protect your company. What I want to focus this article on instead is protecting your employees from spyware, adware, browser hijackers, and all of the other nasty parasites that one can pick up through unsafe surfing habits.
You may have seen the article that I wrote last month regarding ways of fighting spyware. Although I fully stand behind the techniques that I discussed in that article, most of those techniques are focused on individual PCs and on cleaning up after an infection has already occurred. This article is in no way intended to replace the information found in that article. Good anti virus software and anti spyware software is absolutely essential. It has always been my philosophy though that anti virus software and anti spyware software should be your organization's last line of defense, not the first line of defense. After all, why depend on your anti virus / anti spyware software to detect, prevent, or clean an infection, when you could simply block the malicious code altogether?
The Firewall's Role
I recently cleaned a massive spyware infection off of a neighbor's computer. She was legitimately surprised that the infection was able to occur because she was running Windows Firewall. Generally speaking, a firewall won't prevent an infection, but it will help to limit the amount of damage that an infection can do.
To understand why this is the case, you need to understand the nature of the TCP/IP protocol. TCP/IP is made up of roughly 65,000 TCP and 65,000 UDP ports. The easiest way that I can think of to describe these ports is to compare them to channels on a radio. If TCP/IP were FM radio, then a TCP or a UDP port would represent a single channel on the FM band.
Various TCP and UDP ports have been reserved for specific functions, but the vast majority of the ports go unused. A firewall's job is to block all unused ports so that hackers and malicious software are unable to use them to attack your machine.
The problem with spyware is that most of it exists in the form of ASP or Java scripts that are embedded in a malicious Web page. When you access a Web page, the page is sent to your machine through TCP port 80. The problem is that if spyware code is embedded in a page, then it reaches your PC through the exact same firewall port as a legitimate Web page. There is no way to filter out spyware at the firewall level.
This doesn't mean that you shouldn't use a firewall though. Many types of spyware are designed to transmit information about your computer and the way that you use it to someone on the Web. These transmissions typically occur over some obscure TCP or UDP port. You can therefore prevent such spyware from "phoning home" by configuring your firewall so that it filters outbound as well as inbound traffic.
One thing to keep in mind though is that although I definitely recommend enabling the Windows firewall, it is incapable of filtering outbound traffic. You will have to either install a second firewall on each machine or filter outbound traffic through your corporate perimeter firewall.
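As an added example that is not part of the original article: the XP-era Windows Firewall described above cannot filter outbound traffic, but Windows Firewall with Advanced Security on Windows 8 / Server 2012 and later can, and the PowerShell script below (NetSecurity cmdlets, elevated prompt) turns on default-deny outbound, allows only the ports employees need, and logs what is dropped so "phoning home" attempts become visible. The rule names and port list are constructed assumptions to adapt to your environment, not settings taken from the article.

```powershell
# Added example, not from the original article. Requires an elevated prompt on
# Windows 8 / Server 2012 or later (NetSecurity module). Assumption: the allow
# list below is a constructed starting point, not a recommendation for every network.

$profiles = 'Domain', 'Private', 'Public'

# 1. Default-deny in both directions. The built-in "Core Networking" rules still
#    permit DHCP, ICMPv6 and similar housekeeping traffic.
Set-NetFirewallProfile -Profile $profiles -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Outbound allow list: only the services users legitimately need.
#    On a domain-joined PC also allow Kerberos (88), LDAP (389) and SMB (445)
#    to your domain controllers, or logons and Group Policy will break.
$allow = @(
    @{ Name = 'Outbound DNS';  Protocol = 'UDP'; RemotePort = @('53') },
    @{ Name = 'Outbound Web';  Protocol = 'TCP'; RemotePort = @('80', '443') },
    @{ Name = 'Outbound Mail'; Protocol = 'TCP'; RemotePort = @('25', '587', '993', '995') }
)

foreach ($rule in $allow) {
    # Remove any previous copy so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $rule.Name -Direction Outbound -Action Allow `
        -Protocol $rule.Protocol -RemotePort $rule.RemotePort -Profile $profiles | Out-Null
}

# 3. Log dropped packets: a workstation that keeps hitting an unlisted remote port
#    is the "phoning home" symptom worth investigating.
Set-NetFirewallProfile -Profile $profiles -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 4. Review what is still allowed outbound; everything else is now dropped and logged.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow | ForEach-Object {
    $ports = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Protocol   = $ports.Protocol
        RemotePort = ($ports.RemotePort -join ',')
    }
} | Format-Table -AutoSize
```

Deploying the same settings to many machines is a job for the Windows Firewall with Advanced Security node in Group Policy rather than a per-machine script, but the rule set is identical.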
Mail Security
One of the most important things that you can do to prevent malicious software from infesting your network is to implement some E-mail security. A lot of people assume that if an E-mail message doesn't include an attachment then the message is safe.
At one time this used to be true, but not anymore. E-mail messages can contain HTML code. This code can call external scripts that can wreak havoc on your machine. The sad part is that you don't even have to open a message in order to activate the script that it contains. Outlook contains a preview pane that allows you to view the contents of a message without actually opening it. If a malicious message is displayed through Outlook's preview pane, that is often enough to trigger the malicious code.
There are several things that you can do to prevent malicious code from reaching your users through E-mail. First, install the appropriate anti virus software on both the workstations and your mail server. Make sure that you use the standard server level anti virus protection, plus an anti virus package that's specially designed for your mail server. For example, in my own organization, I have the normal anti virus software installed on my mail server, but the server also contains anti virus software that's specifically designed for Exchange Server. This software analyzes every inbound message and removes E-mail based viruses before they ever reach a user's mailbox.
Doing that will keep viruses at bay, but you also need to protect users against spyware. Most spyware that comes through E-mail arrives attached to spam, so it's important to install a good, server level, anti spam product that will keep spam out of the users' mailboxes.
Finally, you should install Outlook 2003 on the users' workstations. Outlook 2003 is specially designed not to execute potentially malicious code that may arrive in an E-mail message. Microsoft has also designed Outlook 2003 so that certain types of potentially malicious attachments can't be opened directly through Outlook.
Group Policies
The last thing that I want to talk about is how you can prevent spyware from infesting your network by making effective use of group policies. As you probably know, group policies are designed to configure the security settings of each workstation as it attaches to the network. What a lot of people don't realize is that you can control Internet Explorer's configuration directly through a group policy.
The Internet Explorer related group policy elements can be found by browsing through the group policy tree to User Configuration | Windows Settings | Internet Explorer Maintenance | Security, as shown in Figure A.
Figure A: You can configure Internet Explorer's security settings through a group policy.
If you double click on the Security Zones and Content Ratings option, you will see a screen that gives you the chance to customize the security and privacy settings. Select the Import the Current Security Zones and Privacy option, click the Modify Settings button, and you will see the familiar Internet Options properties sheet, shown in Figure B. The thing about this properties sheet though is that the settings that you enter will apply to every user that the group policy applies to (assuming that a higher level policy doesn't block the settings).
Figure B: The Internet Options properties sheet can be used to configure Internet Explorer for all of your users.
The actual settings that you implement are up to you, but I recommend setting the Internet zone to Medium security, but also blocking any and all ActiveX controls. I recommend setting the Restricted Sites zone to High Security. I also recommend periodically adding known malicious sites to the Restricted Sites zone. There are a lot of places on the Internet where you can download lists of Web sites that are known to be malicious. I also like using a free utility called Spyware Blaster ([url]http://www.javacoolsoftware.com/spywareblaster.html[/url]) because it contains its own list of malicious sites. You can copy the list of malicious sites from Spyware Blaster into the Restricted Sites zone.
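As an added example not drawn from the original article: entering a long block list into the Restricted Sites dialog by hand is tedious, so the PowerShell script below writes a list of domains into the current user's Restricted Sites zone through the registry keys Internet Explorer itself uses, after which the "Import the Current Security Zones" step above picks them up. The domain names are constructed placeholders, the registry layout (ZoneMap\Domains, value name = URL scheme, 4 = Restricted sites zone) is Internet Explorer's own, and the helper function name Add-RestrictedSite is mine.

```powershell
# Added example, not from the original article. Run as the user whose zone settings
# you then import into the group policy. Entries are bare host names; "*.host"
# covers every subdomain of that host. Note: if the policy "Security Zones: Use only
# machine settings" is enabled, IE ignores these per-user (HKCU) keys.

$RestrictedZone = 4   # zone numbers: 2 = Trusted sites, 4 = Restricted sites
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Constructed sample block list; replace with the list you downloaded or exported.
$BlockList = @(
    '*.malicious-example.invalid',
    'tracker.adware-example.invalid'
)

function Add-RestrictedSite {
    param([Parameter(Mandatory)][string]$Entry)

    $labels = $Entry.Trim().ToLower().Split('.')
    $wildcard = ($labels[0] -eq '*')
    if ($wildcard) { $labels = $labels[1..($labels.Length - 1)] }
    if ($labels.Length -lt 2) { throw "Entry '$Entry' needs at least a registered domain" }

    # IE stores example.com as Domains\example.com and host.example.com as
    # Domains\example.com\host; a key with no host subkey applies to all subdomains.
    $key = Join-Path $ZoneRoot ($labels[-2..-1] -join '.')
    if (-not $wildcard -and $labels.Length -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Length - 3)] -join '.')
    }

    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the URL scheme ("http", "https"); "*" applies to every scheme.
    New-ItemProperty -LiteralPath $key -Name '*' -Value $RestrictedZone -PropertyType DWord -Force | Out-Null
    return $key
}

# Returns every ZoneMap entry currently assigned to the Restricted Sites zone.
function Get-RestrictedSites {
    Get-ChildItem -LiteralPath $ZoneRoot -Recurse |
        Where-Object { $_.GetValue('*') -eq $RestrictedZone } |
        ForEach-Object { $_.Name -replace '^.*\\ZoneMap\\Domains\\', '' }
}

foreach ($site in $BlockList) { Add-RestrictedSite -Entry $site | Out-Null }
Get-RestrictedSites
```

For a domain-wide deployment the Group Policy setting "Site to Zone Assignment List" (Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page) takes the same host-name and zone-number pairs and overrides per-user entries.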
Conclusion
As you can see, there are numerous steps that you can use to make your corporate network a safer place for those users who routinely use the Internet. None of the tricks that I have shown you will solve the problem by themselves, but by combining these techniques with other good security practices, such as keeping all of your software up to date, you will have a good head start on Internet security.