If you wanted to go for an all out prevention solution, there are applications like Deep Freeze. You configure the machine how you want it to be configured, "freeze" it, and no matter what is altered the machine reverts to the "frozen" state at reboot. In other words you can delete the Windows subdirectory and when you reboot the directory reappears.
This brings its own management overhead, though. You need to use the management tools to create a maintenance window, assuming Windows Updates will work reliably for you, although with Windows 7's new way of installing certain things at reboot we've found this to be a bad idea. Otherwise you need to update the systems by hand. Antivirus is tricky if you insist on running it on client machines, since updated signatures are wiped at reboot, but on the other hand any infections in the system are wiped at reboot as well.
Basically the only applications they could install would be to their local profile or a mapped drive but changes that rely on sticking files into any Windows directory can be erased at startup. If they insist on installing software they'll find themselves re-installing it each time, usually, so it's just not worth it.
Oh, and with Deep Freeze, you'll need to disable the Active Directory setting that changes the workstation IDs periodically. Otherwise your workstations "fall off" the domain.
I'd also suggest reviewing what your users really need access to. Use the principle of least authority - if they don't need any access above ordinary user, don't give it to them.
Don't let people run as administrator. Whitelisting allowed executables is more drastic than Deep Freeze, in my opinion, unless you rarely, if ever, change what programs you're running.
There are programs like LanSweeper that will watch your network and give you lists of what software is registered as installed, so you can audit software that way.

Active content is also often executed when simply browsing the Internet and can be installed without knowledge of the end user.
End users on government workstations should never be operating with administrative privileges by default and should not even have an option to elevate themselves to administrators unless required and properly audited.
Without administrative privileges, users can be prevented from running software installation packages or executing other binary content requiring registry modifications or other privileged actions. Access to administrative privileges allows adversaries to install malicious software, change system configurations to hide their activities and more easily exfiltrate data.
Potential damage of a system compromise is directly proportional to the level of user privilege obtained on the system, and adversaries with administrative privileges have everything they need.

Depending on the size of an agency, it could take months or even years to get to a complete, current and manageable whitelist of approved software. This capability lets IT managers see the potential impact of application whitelisting and should be used to set expectations throughout an agency to minimize negative impacts.
As noted above, achieving effective application whitelisting across a large agency is neither trivial nor quick. Compiling a list of all the applications permitted within the enterprise from day one of the production capability is often not feasible. Instead, consider drawing a line in the sand with the current footprint of executable software.
Application whitelisting means that any software currently in use but not approved will be prevented from executing, and any business processes dependent on such software will also be disrupted. Therefore, full support from senior leadership is critical to make sure efforts to address unauthorized software continue while also forcing non-compliant business unit applications and processes to take appropriate remedial actions. Because of the potential for stopping certain business processes from functioning, it is critical to identify all stakeholders and engage them early and often.
Any actions that result in the blocking of some application or other communication previously permitted will almost certainly result in complaints or escalations if stakeholders were not engaged and given advance notice. A robust communications plan will help ensure stakeholders understand and support the efforts and are not surprised by any results. Good planning and communications go a long way, but there will always be exceptions where someone did not or could not plan appropriately, requiring execution of an unapproved application for a critical and time-sensitive business need.
A detailed plan is needed for such situations but this can vary depending on the level of senior leadership support and risk tolerance for an organization. Although the team responsible for maintaining an application whitelist should generally be engaged — even for emergency requests during non-business hours — resource constraints may limit this option. As an alternative, emergency firecall accounts and processes could be established to allow help desk or other personnel to provide temporary support of emergency requests if the risk to the agency is acceptable.
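The rollout described in the preceding paragraphs (draw a line in the sand with the current executable footprint, measure the impact before enforcing, then enforce, and handle emergency requests through a time-boxed firecall path) can be modelled end to end in a few dozen lines. The Python below is an added example, not code from the article or from any whitelisting product; the fleet of files, the hash and path rule types, the audit/enforce switch and the expiring exception are constructed assumptions standing in for what a real product would do.

```python
"""Model of an application allowlisting rollout: baseline the current executable
footprint ("line in the sand"), run in audit mode to measure impact, then enforce,
with time-boxed emergency (firecall) exceptions.  Added example, not the article's
code; the fleet, file names and rule types below are constructed for the demo."""
import hashlib
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

EXEC_SUFFIXES = (".exe", ".dll", ".msi")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline_hashes(root: Path) -> set[str]:
    """Every executable present today becomes an allowed hash: the 'line in the sand'."""
    return {sha256_file(p) for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}


@dataclass
class Policy:
    allowed_hashes: set[str]
    trusted_dirs: tuple[Path, ...]      # path rules: only safe where ordinary users cannot write
    enforce: bool = False               # False = audit mode: log, never block
    exceptions: dict[str, datetime] = field(default_factory=dict)  # sha256 -> expiry
    log: list[dict] = field(default_factory=list)

    def grant_emergency_exception(self, digest: str, hours: int, now: datetime) -> None:
        """Firecall path: a temporary allow that expires on its own instead of living forever."""
        self.exceptions[digest] = now + timedelta(hours=hours)

    def evaluate(self, path: Path, now: datetime) -> str:
        """Return 'allow', 'audit' (would have blocked) or 'block', and record the decision."""
        digest = sha256_file(path)
        resolved = path.resolve()
        if digest in self.allowed_hashes:
            reason = "hash"
        elif any(resolved.is_relative_to(d.resolve()) for d in self.trusted_dirs):
            reason = "path"
        elif self.exceptions.get(digest, now) > now:
            reason = "exception"
        else:
            reason = None
        verdict = "allow" if reason else ("block" if self.enforce else "audit")
        self.log.append({"file": path.name, "sha256": digest, "verdict": verdict, "reason": reason})
        return verdict

    def audit_impact(self) -> int:
        """How many executions audit mode would have blocked: the number to show leadership."""
        return sum(1 for entry in self.log if entry["verdict"] == "audit")


def run_demo() -> dict:
    """Constructed fleet: baseline, then new software appears, then the three policy phases."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        progs = root / "Program Files"
        downloads = root / "Users" / "alice" / "Downloads"
        progs.mkdir()
        downloads.mkdir(parents=True)
        (progs / "approved.exe").write_bytes(b"MZ line-of-business app (constructed)")
        (downloads / "tool.exe").write_bytes(b"MZ user-installed tool already in use (constructed)")

        # Day one: whatever is running today is allowed by hash, wherever it lives.
        policy = Policy(allowed_hashes=baseline_hashes(root), trusted_dirs=(progs,))

        # After the baseline: IT installs an update; a user downloads something new.
        (progs / "patched.exe").write_bytes(b"MZ installed by IT after baseline (constructed)")
        (downloads / "newtool.exe").write_bytes(b"MZ downloaded after baseline (constructed)")
        fleet = [progs / "approved.exe", progs / "patched.exe",
                 downloads / "tool.exe", downloads / "newtool.exe"]
        now = datetime(2024, 1, 1, tzinfo=timezone.utc)
        results = {}

        # Phase 1: audit mode.  Nothing is blocked, but would-be blocks are counted.
        results["audit"] = {p.name: policy.evaluate(p, now) for p in fleet}
        results["impact"] = policy.audit_impact()

        # Phase 2: enforce.  Only the post-baseline download outside a trusted dir is stopped.
        policy.enforce = True
        results["enforce"] = {p.name: policy.evaluate(p, now) for p in fleet}

        # Phase 3: emergency request.  A 4-hour firecall exception, then its expiry.
        policy.grant_emergency_exception(sha256_file(downloads / "newtool.exe"), hours=4, now=now)
        results["exception"] = policy.evaluate(downloads / "newtool.exe", now + timedelta(hours=1))
        results["expired"] = policy.evaluate(downloads / "newtool.exe", now + timedelta(hours=5))
        return results


if __name__ == "__main__":
    for phase, outcome in run_demo().items():
        print(f"{phase}: {outcome}")
```

Two design points follow from the article's own advice. The path rule for the program directory is only sound because the earlier recommendation holds: users are not administrators and cannot write there, so a trusted directory cannot be used to smuggle a binary past the hash list. And the exception carries an expiry, so an emergency grant made out of hours by help desk staff does not silently become a permanent hole in the whitelist; the log entries record which rule allowed each execution, which is what the whitelist team reviews afterwards.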
Following these recommendations should help agencies gain control of unauthorized software and realize the substantial benefits of an environment where malicious or unauthorized binaries are no longer able to wreak havoc. Particularly in large government environments, it is imperative to keep in mind that the details to address this issue within each organization are unique. One size does not fit all, and appropriate approaches and timelines can vary significantly based on organizational structures, maturity, existing processes and risk tolerance.
Prepare for emergency requests. Whitelisting can take a long time and some applications that have yet to be approved may be required for a critical and time-sensitive case.
Being prepared for a situation like this can save time and could be crucial for an emergency case. Following these recommendations can help an agency monitor their network and prevent harmful software from entering.
Each agency is different, and no one practice fits all. It is important to create a plan tailored to your company so unauthorized processes cannot wreak havoc on your software.
CCNY Tech has been in business since and has built many long term relationships with companies, universities and other organizations by providing great value and outstanding customer service.
Seven key guidelines to prevent unauthorized software.