Security Basics mailing list archives

Re: Power Users, AntiSpyware & CriticalUpdates


From: David Glosser <david_glosser () yahoo com>
Date: Tue, 06 Sep 2005 19:21:18 -0400


Power users are not really an improvement, as they still have far too
many privileges to achieve actual security. Make your users normal
users if possible. Otherwise don't bother. Making them power users isn't
worth the time you'll spend on it.

If you have an app which doesn't work as a regular user, you can run utilities (I believe "regmon" and "filemon") to see what directories and registry entries need to be opened up.

You could leave automatic updates pointing directly to Microsoft's
update servers. A (W)SUS would enable you to test updates on a set of
test boxes before approving them for automatic enrollment to your
network, though, so having a (W)SUS usually is a good idea.


If you can wait a day or two before deploying updates, then a (W)SUS box is a good idea. Wait until the day after Patch Tuesday. See if there are any complaints about a patch. If not, then approve. Of course, you are waiting an extra day or two before you install a critical security patch.

> We will have Spybot installed. I also want to install Microsoft AntiSpyware, but it has so many poorly-worded, cryptic "warnings", that we may not. Are there any decent articles on controlling AntiSpyware alerts, or should we move on to something like CounterSpy?
I believe you need a license to use Spybot in a corporation.

How about "move to not getting spyware installed in the first place"?
Like don't make your users admins or power users and have them use a web
browser that is not IE.

You can also run snort with the "bleeding malware rules" to catch machines already infected. Also you can run "Black-Hole DNS" on your internal server to loopback domains associated with malware to 127.0.0.1. This will prevent new infections and help neuter existing ones. www.bleedingsnort.com
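The "Black-Hole DNS" idea in the reply above, worked through as an added example (this is not code from the original post or from any of the tools it names): build BIND zone stanzas that answer a list of known-bad domains with 127.0.0.1, and scan the resolver's query log for internal hosts that still ask for those names, which is how you find the machines that are already infected. The blocklist domains, the query-log lines and the zone file path `/etc/bind/db.sinkhole` are all constructed placeholders, and the log line format assumed is the BIND 9 `client IP#port: query: NAME IN TYPE` layout.

```python
"""
Black-hole (sinkhole) DNS helper, written for this example.

Two jobs:
  1. turn a blocklist into BIND zone stanzas plus the single zone file they
     all share, so every listed domain (and any subdomain) resolves to 127.0.0.1;
  2. scan resolver query logs for internal clients that asked for a black-holed
     name, which flags hosts that are probably already infected.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample blocklist. These are placeholder names, not real malware domains.
BLOCKLIST = [
    "malware-example.test",
    "spyware-updates.example",
    "ADWARE-TRACKER.example",   # mixed case on purpose
    "malware-example.test.",    # duplicate with trailing dot on purpose
]

# Assumed path for the shared sinkhole zone file.
SINKHOLE_ZONE_FILE = "/etc/bind/db.sinkhole"

# Constructed BIND 9 style query-log lines (not captured from a real server).
SAMPLE_QUERY_LOG = [
    "06-Sep-2005 19:21:18.001 client 192.168.1.50#1034: query: www.malware-example.test IN A +",
    "06-Sep-2005 19:21:19.002 client 192.168.1.51#1035: query: www.microsoft.com IN A +",
    "06-Sep-2005 19:21:20.003 client 192.168.1.50#1036: query: spyware-updates.example IN A +",
    # different parent domain, so it must NOT match "adware-tracker.example"
    "06-Sep-2005 19:21:21.004 client 192.168.1.52#1037: query: adware-tracker.example.com IN A +",
    "this line is noise and should be skipped",
]

QUERY_LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")


def normalize_domains(domains: Iterable[str]) -> List[str]:
    """Lower-case, strip trailing dots and drop duplicates, keeping first-seen order."""
    seen = set()
    out = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def bind_zone_stanzas(domains: Iterable[str], zone_file: str = SINKHOLE_ZONE_FILE) -> str:
    """One named.conf 'zone' stanza per black-holed domain, all pointing at the same zone file."""
    lines = [f'zone "{d}" {{ type master; file "{zone_file}"; }};' for d in normalize_domains(domains)]
    return "\n".join(lines) + "\n"


def sinkhole_zone_file() -> str:
    """The shared zone file: apex and wildcard both answer 127.0.0.1, short TTL so removals take effect fast."""
    return (
        "$TTL 300\n"
        "@ IN SOA localhost. root.localhost. ( 1 3600 900 604800 300 )\n"
        "  IN NS localhost.\n"
        "  IN A  127.0.0.1\n"
        "* IN A  127.0.0.1\n"
    )


def find_sinkhole_hits(log_lines: Iterable[str], domains: Iterable[str]) -> Dict[str, List[str]]:
    """Map client IP -> sorted list of black-holed domains it queried (exact name or any subdomain)."""
    blocked = set(normalize_domains(domains))
    hits: Dict[str, set] = {}
    for line in log_lines:
        m = QUERY_LOG_RE.search(line)
        if not m:
            continue
        labels = m.group("name").lower().rstrip(".").split(".")
        # walk up the label tree: www.a.b -> a.b -> b, matching on whole labels only
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in blocked:
                hits.setdefault(m.group("ip"), set()).add(candidate)
                break
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    print(bind_zone_stanzas(BLOCKLIST))
    print(sinkhole_zone_file())
    for ip, names in find_sinkhole_hits(SAMPLE_QUERY_LOG, BLOCKLIST).items():
        print(f"{ip} queried black-holed names: {', '.join(names)}")
```

The log scan matches on whole labels rather than string suffixes, so `adware-tracker.example.com` is not mistaken for a hit on `adware-tracker.example`; the short TTL in the zone file keeps a wrongly listed domain from staying poisoned in client caches for long once it is removed.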
